Organizations digital investigation process - Essay Example

Organization’s digital investigation process Digital investigation is the process of preserving, collecting, validating, identifying, analyzing, interpreting, documenting, and presenting of digital evidence from digital sources. The evidence may be used to facilitate the construction of events deemed to be criminal or in contrast with the laid down procedures. Digital investigations for an organization differ to digital investigation for law enforcement because of the procedure adopted. Different models of operation used depend on the complexity of the situation (Marshall, 2009). Digital investigations arise as a result of an occurrence suspected, attempted or actual in an organization. The occurrences can be triggered by internal and external factors and can cause considerable damage or loss to an organization directly or indirectly. For instance a. Abuse of the organizations resources such as internet b. Fraud and distortion c. Unauthorized access by employees d. Sexual harassment or display of indecent or pornographic material e. Breach of contracts f. Departmental misuse g. Security breach A contingency plan should be devised to mitigate such incidences. A framework formulated will prepare for both low frequency/high impact as well as high frequency/low impact events in the organization. This paper details investigation procedure at Salford university school of computing science and Engineering. Our case study will focus on server intrusion in the university school department. An incident of server intrusion to the university system occurred, and a contingency plan formulated to authenticate the suspicion, respond and analyze the incident. Due to the delicate nature of digital evidence improper handling may lead to damaged or compromised data. The idea of having to start an investigation in this department can lead to a crisis. Proper procedures need to be laid down to manage the crisis. There are general questions, which the CFA will need to address in order to carry out the investigation successfully. a) Who should the initial suspicions or observations be reported? b) Access of quality evidence? c) Identification and acquisition of relevant digital evidence? d) How the university can operate effectively during the period of investigation without creating a crisis which might be worse than the one investigated? e) The legal obligations of the university needed during the investigation and association with external law enforcement agencies f) The role of management in determining the direction of the investigation and the possible incidence of biasness. A digital investigation divided into different stages according to the model adopted. Researchers at the U. S. Air Force studied various models and came up with common characteristics that characterize these models. They then incorporated them in a single model known as Abstract Process Model. It contains different phases; this model has 17 phases classified into 5 major groups (Gilbert Peterson, 2009). a. Preparation b. Deployment c. Physical crime scene d. Digital crime scene e. Analysis The data flow diagram above show a simplified process of forensic investigation. The first stage involves a number of activities. First, the computer or the system to be investigated should be on. If the student uses password, then the CFA has to look for a way to open it. There is a universal password that opens locked computers without tempering with the files. The second stage involves application of different forensic tools to retrieve data from the computer memory. The tools used should enable the CFA to retrieve deleted data from the recycle bin. During this process, the computer being investigated should be cordoned. The third stage involves application of different physical investigation models to the computer. These include taking the finger prints on the keyboard and mouse. Any other information that may help the CFA is taken. Before the information is analyzed, the forensic expert should check the accuracy, integrity and authenticity of the information. If it does not meet the standards, the process has to be restarted. If it meets the threshold requirement, the analysis is done. After analysis, the validity of the information is check before presentation in court. This is a very crucial part because any lapse in validation process can render the information discarded. The readiness operation phase involved the development of response mechanisms, operational infrastructure and hiring of a CFA. The school sent its system administrator personnel to training. Times on all servers are synchronized with NTP. Identification- The investigation prompted by reports to the head system administrator that the school's website was offline and servers were vulnerable to a SSH attack. The reporter indicated the suspects IP address which happened to be the primary public IP address. Verification of the incident involved locating the affected DNS server and plugging a laptop into the network so that a scan could identify the opened port (Casey, 2009). The administrator inserted a CD-ROM of the incident response tools into the system and logged in order to copy data relating to running processes and open ports. All the data saved in his laptop was presented to the school director to confirm an intrusion. Approach Strategy: Entails the development of a mechanism that allows the collecting evidence and minimizing the association with the suspect. The school director ordered a rebuild of the primary DNS server once it realized that the secondary DNS server is not compromised. Physical crime scene investigation yielded negative results for a physical evidence thus the possibility of an insider ruled out. During physical documentation, server configurations and serial numbers documented. Digital collection and Preservation: Once the source of evidence is known, it is important to secure it to reduce contamination and distortion. Preservation aims at maintaining the integrity of evidence during the investigation process and ensures that the availability and quality of evidence is not compromised. The digital data obtained in the crime scene is copied and saved in laptop using the trusted tools from the CD. The CFA determined the MD5 value of the disc and duplicated the data on disk over the network. Verification of the hash of the forensic image on the laptop was done. Digital Analysis: It’s analysis of the collected data. It’s the most complex and time consuming of all phases. It serves to confirm or refute the allegations of existence of a crime. The data collected is surveyed and reconstructed to manageable quantities to be used to form an opinion of the occurrence and give answers to questions asked. A CFA come up with working copies and note the processes that change the data (Bill Nelson, 2009). An image obtained above was analyzed using analysis software. The MD5 hash system binaries compared with the database of server's fingerprint determines the altered files. Logs analyzed determine suspicious logins. The digital survey phase found a root kit, an SSH installed and executable files. Further scrutiny identified the file modification timeline at the time of root kit installation. Reconstruction stage analyzed the evidence and concluded that the attack was as a result of vulnerable version of the SSH server. The attacker gained remote control of the system through the suspicious open port which used a custom protocol. However, no university sensitive information was accessed. Presentation- At this phase, a summary highlighting the explanation of relevant findings presented to the management, legal personnel and law enforcement agencies. A written detailed technical report was presented to the university management with recommendations to patch all systems and remain on high alert for some time. Closure- Critical reviews of the entire tasks done to effect the decisions arrived at and apply the lessons learned. Evidence is finally returned to the school of computing science and engineering and all the information relating to the incident preserved Preparation Preservation Collection Examination Analysis Presentation Crime detection Evidence management preservation preservation preservation presentation Operation infrastructure imaging Survey Tracing and search Witness testimony Detection of profile custody documentation documentation statistical Clarification Detection Time synchronization Hardware and software search filtering protocols Impact assessment complaints Legal advice Pattern matching data counter System monitoring Data loss compression Pres Presentation Discovery of hidden data Statistical interpretation Audit analysis sampling Reconstruction links Recovery Simplified Digital investigation framework The table above shows different activities done in every stage of digital investigation. The framework highlights the repetition of some important stages. Preservation is continuous in the collection, examination and analysis stages. This implies that such activity as imaging, custody and time synchronization are important in the entire period of investigation. It can be concluded that this model allows the interaction of physical and digital investigations applied to corporate institutions. Because of the challenge faced with digital investigations alone physical investigation would add credibility to digital evidence in order to sustain a case in court. References Bill Nelson, A. P. C. S., 2009. Guide to computer forensics and investigations. s.l., Cengage Learning,. Casey, E., 2009. The handbook of digital forensics and investigation. s.l.:Academic Press. Gilbert Peterson, S. S., 2009. Advances in digital forensics V:Fifth IFIP WG 11.., Springer. Marshall, A. M., 2009. Digital forensics. s.l.:John Wiley & Sons. Read More