Organizations Digital Investigation Process - Essay Example
Organization's digital investigation process

Digital investigation is the process of preserving, collecting, validating, identifying, analyzing, interpreting, documenting, and presenting digital evidence from digital sources. The evidence may be used to reconstruct events deemed to be criminal or contrary to the laid-down procedures. Digital investigations for an organization differ from digital investigations for law enforcement because of the procedure adopted. The model of operation used depends on the complexity of the situation (Marshall, 2009).

Digital investigations arise as a result of a suspected, attempted or actual occurrence in an organization. The occurrences can be triggered by internal and external factors and can cause considerable damage or loss to an organization, directly or indirectly. For instance:

a. Abuse of the organization's resources, such as the internet
b. Fraud and distortion
c. Unauthorized access by employees
d. Sexual harassment or display of indecent or pornographic material
e. Breach of contracts
f. Departmental misuse
g. Security breach

A contingency plan should be devised to mitigate such incidents. The framework formulated will prepare for both low-frequency/high-impact and high-frequency/low-impact events in the organization.

This paper details the investigation procedure at Salford University's School of Computing Science and Engineering. Our case study focuses on a server intrusion in the university school department. An incident of server intrusion into the university system occurred, and a contingency plan was formulated to authenticate the suspicion, respond, and analyze the incident. Due to the delicate nature of digital evidence, improper handling may lead to damaged or compromised data. Having to start an investigation in this department can lead to a crisis, so proper procedures need to be laid down to manage it.
There are general questions which the CFA will need to address in order to carry out the investigation successfully:

a) To whom should the initial suspicions or observations be reported?
b) How is access to quality evidence obtained?
c) How is relevant digital evidence identified and acquired?
d) How can the university operate effectively during the period of investigation without creating a crisis which might be worse than the one being investigated?
e) What are the legal obligations of the university during the investigation, and how should it associate with external law enforcement agencies?
f) What is the role of management in determining the direction of the investigation, and what is the possible incidence of bias?

A digital investigation is divided into different stages according to the model adopted. Researchers at the U.S. Air Force studied various models and identified the common characteristics of these models. They then incorporated them in a single model known as the Abstract Process Model. This model has 17 phases classified into 5 major groups (Gilbert Peterson, 2009):

a. Preparation
b. Deployment
c. Physical crime scene
d. Digital crime scene
e. Analysis

The data flow diagram above shows a simplified process of forensic investigation. The first stage involves a number of activities. First, the computer or system to be investigated should be on. If the student uses a password, then the CFA has to look for a way to open it. There is a universal password that opens locked computers without tampering with the files. The second stage involves the application of different forensic tools to retrieve data from the computer memory. The tools used should enable the CFA to retrieve deleted data from the recycle bin. During this process, the computer being investigated should be cordoned off. The third stage involves the application of different physical investigation models to the computer. These include taking fingerprints from the keyboard and mouse.
Any other information that may help the CFA is taken. Before the information is analyzed, the forensic expert should check the accuracy, integrity and authenticity of the information. If it does not meet the standards, the process has to be restarted. If it meets the threshold requirement, the analysis is done. After analysis, the validity of the information is checked before presentation in court. This is a very crucial part because any lapse in the validation process can cause the information to be discarded.

Readiness: The readiness operation phase involved the development of response mechanisms, operational infrastructure and the hiring of a CFA. The school sent its system administrator personnel for training. Times on all servers are synchronized with NTP.

Identification: The investigation was prompted by reports to the head system administrator that the school's website was offline and servers were vulnerable to an SSH attack. The reporter indicated the suspect's IP address, which happened to be the primary public IP address. Verification of the incident involved locating the affected DNS server and plugging a laptop into the network so that a scan could identify the open port (Casey, 2009). The administrator inserted a CD-ROM of incident response tools into the system and logged in to copy data relating to running processes and open ports. All the data saved on his laptop was presented to the school director to confirm an intrusion.

Approach strategy: This entails the development of a mechanism that allows the collection of evidence while minimizing association with the suspect. The school director ordered a rebuild of the primary DNS server once it was established that the secondary DNS server was not compromised.

Physical crime scene investigation yielded negative results for physical evidence; thus the possibility of an insider was ruled out. During physical documentation, server configurations and serial numbers were documented.
Digital collection and preservation: Once the source of evidence is known, it is important to secure it to reduce contamination and distortion. Preservation aims at maintaining the integrity of evidence during the investigation process and ensures that the availability and quality of evidence are not compromised. The digital data obtained at the crime scene is copied and saved on the laptop using the trusted tools from the CD. The CFA determined the MD5 value of the disk and duplicated the data on the disk over the network. The hash of the forensic image on the laptop was then verified.

Digital analysis: This is the analysis of the collected data. It is the most complex and time-consuming of all phases. It serves to confirm or refute the allegation that a crime has occurred. The data collected is surveyed and reduced to manageable quantities to be used to form an opinion of the occurrence and answer the questions asked. A CFA creates working copies and notes the processes that change the data (Bill Nelson, 2009). The image obtained above was analyzed using analysis software. The MD5 hashes of system binaries were compared with the database of the server's fingerprints to determine the altered files. Logs were analyzed to determine suspicious logins. The digital survey phase found a rootkit, an installed SSH and executable files. Further scrutiny identified the file modification timeline at the time of the rootkit installation. The reconstruction stage analyzed the evidence and concluded that the attack was the result of a vulnerable version of the SSH server. The attacker gained remote control of the system through the suspicious open port, which used a custom protocol. However, no sensitive university information was accessed.

Presentation: At this phase, a summary highlighting the explanation of relevant findings is presented to the management, legal personnel and law enforcement agencies.
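The preservation and analysis steps just described (hashing the forensic image and re-verifying the copy, comparing system binary hashes against a known-good baseline to find altered files, and reviewing logs for suspicious logins) can be shown as working code. The following is an added example written for this page; it is not code from the essay or from the university's investigation. The image bytes, baseline table and SSH log lines are constructed for the example. The essay uses MD5; the example computes SHA-256 alongside it, because MD5 collisions are cheap to construct and an examiner should not rely on MD5 alone to prove an image is unchanged.

```python
"""Added example (not from the essay): image hash verification, baseline
comparison of system binaries, and suspicious-login detection in Python.
All input data is constructed for this example."""
import hashlib
import re
from collections import Counter

# --- 1. Preservation: verify the copied image against recorded hashes ----

def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests of a byte string (the image)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def verify_image(image: bytes, recorded: dict) -> bool:
    """True only if every digest recorded at acquisition still matches."""
    actual = hash_bytes(image)
    return all(actual[alg] == digest for alg, digest in recorded.items())

# --- 2. Analysis: compare binaries with a known-good baseline ------------

def altered_files(baseline: dict, current: dict) -> dict:
    """Classify files as modified, missing or new relative to the baseline
    (path -> hash) that stands in for the server's fingerprint database."""
    report = {"modified": [], "missing": [], "new": []}
    for path, good in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != good:
            report["modified"].append(path)
    report["new"] = sorted(set(current) - set(baseline))
    return report

# --- 3. Analysis: suspicious logins from sshd auth log lines -------------

LOG_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")

def suspicious_logins(lines, failure_threshold=3):
    """Return (ip, reason) tuples for a success that follows at least
    `failure_threshold` failures from the same IP, and for any accepted
    root login."""
    failures = Counter()
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        outcome, method, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= failure_threshold:
            findings.append((ip, f"success after {failures[ip]} failures as {user}"))
        if user == "root":
            findings.append((ip, f"root login accepted via {method}"))
    return findings

# --- Constructed sample data (not real evidence) -------------------------
IMAGE = b"constructed disk image bytes " * 64
RECORDED_HASHES = hash_bytes(IMAGE)  # as written on the evidence form

BASELINE = {"/usr/sbin/sshd": "a" * 32, "/bin/ls": "b" * 32, "/bin/ps": "c" * 32}
CURRENT = {"/usr/sbin/sshd": "d" * 32, "/bin/ls": "b" * 32, "/tmp/.x/run": "e" * 32}

AUTH_LOG = [
    "Jan 10 02:11:01 ns1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Jan 10 02:11:03 ns1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2",
    "Jan 10 02:11:05 ns1 sshd[4121]: Failed password for root from 198.51.100.7 port 51024 ssh2",
    "Jan 10 02:11:09 ns1 sshd[4122]: Accepted password for root from 198.51.100.7 port 51025 ssh2",
    "Jan 10 08:30:00 ns1 sshd[4301]: Accepted publickey for sysadmin from 192.0.2.15 port 40000 ssh2",
]

if __name__ == "__main__":
    print("image hash verified:", verify_image(IMAGE, RECORDED_HASHES))
    print("altered files:", altered_files(BASELINE, CURRENT))
    for ip, reason in suspicious_logins(AUTH_LOG):
        print("suspicious:", ip, reason)
```

Run against the constructed data, the image verifies, `/usr/sbin/sshd` is reported as modified, `/bin/ps` as missing and `/tmp/.x/run` as new, and the single source address that failed three times and then succeeded as root is flagged twice. The hashes recorded at acquisition belong on the evidence form, not only in the script, so that a later examiner can repeat the verification independently.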
A detailed written technical report was presented to the university management with recommendations to patch all systems and remain on high alert for some time.

Closure: A critical review of all the tasks done, to give effect to the decisions arrived at and apply the lessons learned. Evidence is finally returned to the School of Computing Science and Engineering, and all the information relating to the incident is preserved.

[Table: Simplified Digital Investigation Framework, with stage columns Preparation, Preservation, Collection, Examination, Analysis and Presentation. The cell layout is flattened in this extract; the activities listed are: crime detection, evidence management, preservation (repeated under the collection, examination and analysis stages), presentation, operation infrastructure, imaging, survey, tracing and search, witness testimony, detection of profile, custody, documentation, statistical, clarification, detection, time synchronization, hardware and software, search filtering, protocols, impact assessment, complaints, legal advice, pattern matching, data counter, system monitoring, data loss compression, discovery of hidden data, statistical interpretation, audit analysis, sampling, reconstruction, links, recovery.]

The table above shows the different activities done in every stage of a digital investigation. The framework highlights the repetition of some important stages. Preservation is continuous in the collection, examination and analysis stages. This implies that activities such as imaging, custody and time synchronization are important throughout the investigation. It can be concluded that this model allows the interaction of physical and digital investigations applied to corporate institutions. Because of the challenges faced with digital investigations alone, physical investigation would add credibility to digital evidence in order to sustain a case in court.

References

Bill Nelson, A. P. C. S., 2009. Guide to computer forensics and investigations. s.l.: Cengage Learning.
Casey, E., 2009. The handbook of digital forensics and investigation. s.l.: Academic Press.
Gilbert Peterson, S. S., 2009. Advances in digital forensics V: Fifth IFIP WG 11.., Springer.
Marshall, A. M., 2009. Digital forensics. s.l.: John Wiley & Sons.