Digital Forensic Incident Response - Case Study Example

Section/# Digital Forensics Introduction: Whereas IT hardware and software is oftentimes quite complex, the determinants of this particular assignment will require a relatively low tech approach to the issues at hand. Even though a low-tech approach is advocated, the need to thoroughly outline the steps necessary, discuss the tools and materials that will be needed, and understand the compliment parts of the investigation are nonetheless paramount to effectively completing the assignment that has been provided by the court. As a function of this, the following analysis will seek to provide the reader with a more detailed understanding the way in which an IT firm could seek to abide by the instructions and determinants of the job at hand; all the while protecting themselves from further legal entanglement and seeking to provide a high quality output so that the case in question can be determined based upon its own merits and not biased by any degree of overlooked or misinformed information gathering. Essentially, the approach that will be utilized as a means of gaining the affected information will be twofold. The first will be contingent upon engaging with mobile phone providers and email providers as a function of retaining the information in question, within the date range in question, and between the people in question. The second will be contingent upon a more high tech approach in which individual laptops, company computers, and mobile phones will be subpoenaed by the court for further analysis by the IT firm. In this way a level of double certainty can be provided that any and all communication between interested individuals can be represented. Approach: In tandem with the low-tech approach that has been stipulated, the majority of data analysis and retrieval will not be conducted by the IT firm itself; instead, this information will be provided to the IT firm by mobile phone providers and email providers related to the case in question. Essentially, once a verifiable war it has been presented to the stakeholders, the information will need to be categorized and represented based upon the timeframe that the case is specifically interested in. Although this is a fairly simple aspect of the process that is being defined within this analysis, it is absolutely essential to ensure that further litigation against the IT firm does not take place. This is due to the fact that the court has only appointed a specific range and time for these email and text message conversations to be analyzed. Specifically, the court has indicated that text messages and emails between the parties in question should be analyzed over the course of one month’s time (Ariffen et al., 2012). Whereas it might be tempting to receive the information from the email providers and/or the mobile phone service providers and assume that is inclusive of the big question without any mistakes, it is absolutely essential to review this information once received and ensure that it ascribes to the determinants of the period of time that the court has specified. This can be accomplished relatively easily; utilizing a variety of tools within Excel or a similar software spreadsheet that can assist in focusing upon a specific date and time stamp and excluding all others that do not fall within these parameters. Once again, returning to the issue of a low-tech approach, it is the understanding of this particular analyst that Microsoft Excel would be the most effective means of tabulating and generating specified reports in question. The underlying belief with regard to why this particular software packages the most rational to use is based on the fact that it provides a litany of different statistical analysis will that can be utilized as a function of ensuring that a correct date range is represented, ensuring that affected exchange of information between the parties in question is included, and otherwise providing a stable platform in which cross comparison and analysis can be provided. Essentially, rather than using a more advanced statistical package and data analysis tool and then having to convert it to a format which individuals involved in discovery would find it amenable, utilizing Excel from the very beginning is a far more reasonable approach to the specific case at hand and the determinants in question. The very first steps that will be taken with respect to addressing the requirements of the court is to attempt to understand the way in which the information will be received from the email providers and mobile phone providers. A cursory level of research either on the Internet or via a private discussion with industry leaders can provide insight with regard to how the information received and how it can effectively be tabulated format that is thus far been defined. Once this is understood, the process can continue immediately towards informing both the mobile phone service providers and email providers that information within the specific dates in question is being subpoenaed and should be provided within a given timeframe. Confirmation and signature receipt of this should of course be stored; both as a form of providing verification that the process has been conducted accordingly as well as providing a level of security for the IT firm from counter litigation; based upon a belief that the firm had conducted the investigation and an improper or incomplete manner (Bulbul et al., 2013). Likewise, with the low tech portion of the analysis described and essentially performed by third parties, it will also be necessary to analyze the mobile devices and computing platforms of the affected individuals. This will be more complex and will require the use of forensic technology in order to restore deleted items, cookies, and deleted text messages. The function of this particular approach is to ensure that the information can be cross referenced with the information that is coming from email and mobile phone providers to be absolutely certain that none of the information has been overlooked by either the email provider or the mobile phone providers. Essentially, the forensic tools that the IT firm will be reliant upon with respect to the task at hand will be a Windows based “Forensic Explorer” (also commonly referred to as FEX). This particular tool is an integral software application that IT forensic analysts use to piece information together and look deeper than the operating system and files themselves to reveal what might have been sent, changer, or deleted with respect to internet email communication that is ultimately stored in various files located deep within the hard drive. In tandem with this, Elcomsoft will be utilized in terms of the subpoenaed mobile phone devices that have been required as part of the court order. Within this particular Windows based software suite, the application itself plugs directly into mobile phones and retrieves a litany of SMS information; dependent upon the variables and time frame or contact lists that the IT professional is looking for. Steps: Step I: Determine the type of mobile phones and computer operating systems that will be analyzed. Although Elcomsoft is capable of analyzing a litany of different mobile devices that run on different software platforms, the operating system of a computer that will be analyzed is more complex and could necessarily require a more specific software package as a function of reviewing the contents of the hard drive (Karie & Venter, 2014). As such, packages exist that specialize in Linux based operating systems as well as Apple OS; depending upon the type of software application that the individual might be using on a computer system, a different forensic tool will be required. Likewise, determining which one is most salient is an essential component of effectively administering the correct approach. Step 2: It is necessary to immediately perform research based upon what types of statistical packages and software format the information is received from the mobile phone providers and/or email providers in. This will fundamentally assist the overall tabulation of relevant data as the recipient can be duly aware of how the information will be arranged and how the skills of their IT professionals can address any gaps in presentation and comprehension of the information that might be represented. Additionally, the output for both Elcomsoft and FEX should be understood so that the receipts that will be generated from these can be combined with the receipts that will be generated by the mobile phone providers and the email providers (Garfinkel, 2013). Step 3: Provide the court order to all parties that are involved in the investigation; alerting them as to the nature of the investigation, legal power of search, and authority to act as intermediary for the court in the mode of discovery. Within this step, it will be necessary for the recipient of the court order to confirm receipt and agree to the compliance with the terms that have been stipulated; specifically within a certain period of time. Agreement and understanding of the court order also delineates the fact that the respondent (in the case email and phone service providers agree to provide the records within the dates in question by a certain pre-determined period of time). Step 4: Receipt of the information will likely take place within a relatively short period of time. Because of this fact, it is necessary for the relevant database to be ready to accept the information, categorize it, and exclude any and all extraneous information; or information that might not be included with respect to the court order in question. As the information comes in, special attention should necessarily be paid to the date range; ensuring that no mistake has been made on the email or phone service provider’s side and that any and all information of a personal nature and/or unrelated to the numbers and email addresses that were included in the court order should be removed and deleted forever from the record. Step 5: The fifth step will involve reviewing the reports that have been generated, both by the mobile and email service providers as well as the forensic tools that the IT firm has utilized. Once this has been conducted, a final review and audit should be conducted to ensure that each and every output matches the terms of the court order, is in line with the date range in question, and does not include any type of personal correspondence that falls outside of the information that the court is specifically interested in (Mouhtaropoulos et al., 2014). Although each and every step in this entire process is Step 6: The final step is the provision of the report to interested parties as specified by the court order. At this stage, the work by the IT firm has been completed and the final provision of the report has taken place. In the event of any addendums, the court will be required to provide requisite time in order for such additions to be completed; as long as they are still in the scope of capability for the IT firm. Conclusion: What has been described within this analysis is a provisional framework for the way in which forensic digital investigation should take place. Essentially, there are many ways that the process can be engaged; based upon the scope of the investigation and the overall level of resources that might be available to the parties in question. However, one profound similarity must be recognized between all these aforementioned differentials; namely the fact that overlap, cross referencing, and careful and methodical analysis underlies the process and emphasizes the need to take the steps slowly and in an organized manner. Whereas this is true of all types of investigation, not merely the digital kind, the reliance upon third parties and the need to cross reference the information they provide and ensure that it complies with the court order and determinants of the investigation is an essential part of completing the investigation successfully as well as ensuring that any further legal responsibility is shifted away from the IT firm and provided back to the recipient. References Ariffin, A., Slay, J., & Jazri, H. (2012). DIGITAL FORENSICS INSTITUTE IN MALAYSIA: THE WAY FORWARD. Digital Evidence & Electronic Signature Law Review, 951-57. Bulbul, H., Yavuzcan, H., & Ozel, M. (2013). Digital forensics: An Analytical Crime Scene Procedure Model (ACSPM). Forensic Science International, 233(1-3), 244-256. doi:10.1016/j.forsciint.2013.09.007 Garfinkel, S. L. (2013). Digital Forensics. American Scientist, 101(5), 370-377. Karie, N. M., & Venter, H. S. (2014). Toward a General Ontology for Digital Forensic Disciplines. Journal Of Forensic Sciences (Wiley-Blackwell), 59(5), 1231-1241. doi:10.1111/1556-4029.12511 Mouhtaropoulos, A., Chang-Tsun, L., & Grobler, M. (2014). Digital Forensic Readiness: Are We There Yet?. Journal Of International Commercial Law & Technology, 9(3), 173-179. Read More