Digital Forensic Incident Response for American Marketing Systems - Case Study Example

Topic: Digital Forensic Incident Response for American Marketing Systems Introduction In the current digital world, incidences in computer use continue to bear high probability to affect financial reports. The risks and uncertainties in compromise are increasing in volatility. There are high chances of making away with sensitive company information. Both the private and the public sectors have suffered massive loss in frauds, software compromise, online share frauds and other resources. They have experienced massive loss even after spending so much in putting up expensive system. As these threats increases, there is a need to bridge the gaps in system management as a way of reducing the effects. Digital forensic investigation is important for productive prosecution of the criminals who engage in digital crimes. It is also useful in recovery of misappropriated resources such as finances, important information and others. The investigators should therefore make sure that they obtain quality forensic evidence which the courts of law require in administering justice. As put forth by Selamat et.al (2008), digital forensic investigation is distinct from digital investigation in that the techniques and procedures that the investigator will use allow the output to be applied in a court of law. In this regard, the researcher ought to consider significant steps to carry out a successful forensic investigation. Our evidence is well hidden in images, codes, encrypted files, missing folders and files among others that need to be cracked so as to reveal the misappropriation. The investigator will collect information on: system sabotage; information related on attacks; hijacks on email; sensitive information; selective information on organized and unorganized crimes; cracking and hacking and other important information (International Journal of Advance Research, 2013). The fact that American Marketing Systems have suspected that there is something odd happening in the company provides the platform for investigation to verify the basis of these allegations, establish the culprits and reveal the procedures they are using to skim. In this paper, the investigator presents an extensive report of the existence of the skimming, the culprits and the procedure they use. The investigator will perform information analysis, network intrusion, examine malicious file. He will also use tools which have the ability to crack encrypted files and passwords. Planning for the Digital Forensic Investigation Most of forensic audit failure is as a result of lack of proper prior planning. Bearing this in mind, the investigator will spend quality time in planning on the devices which he will conduct investigation on, devices that he will use for the investigation, procedure for investigation, the history of my investigation and the procedure of fining the culprits. There is a need for planning on devices that the investigator will use for preserving, recovering and examining the data from the investigation. The information that the investigation is searching for, is hidden in different places almost everywhere. The biggest problem is locating the devices bearing the information that is the investigator is looking for. This requires adequate planning and use of quality tools. Some of the devices that the investigator will consider are majorly the American Marketing Systems’ computers. He will look for evidence in the memory: hard drives; system logs; the company’s intrusion detection systems; email servers and network servers among other. Other assets for consideration are the external storage devices such as the flash disk, external hard drives, DVDS and CDs. The computer hard drives may bear much information that requires forensic audits. Some files giving the evidence might be deleted or hidden (Köhn et al, 2006). From the network and system logs, the investigator will be looking for information about possible resource transfer or hidden files which he will use to prove the existence of skimming, the culprits and the procedure the culprits use in skimming. The American Marketing Systems company has given the investigator a chance to work as an administrator within the company. This makes it possible for the investigator to work on all the available computers without raising any issue from the workers or blowing his cover. There are various tools that the investigator will use in conducting his investigation. One of these tools is the SAN SIFT which is majorly an Ubuntu founded live CD. It includes all the tools that the investigator need in conducting an extensive forensic research. The investigator will use this tool to generate timelines from system logs, file carving, and examine the recycle bins. Another tool that the administrator will use is the ProDiscover Basi which is a tool that gives room for analyzing the images and reporting on evidence from the hard drives. The investigator will also use the Volatility to scan the memory for response on incidences. This tool extracts digital artefacts from the random Access Memory. The investigator will get access to open network connections and sockets. He will also extract information from process IDs, the cached registry and DLLs. By using the Sleuth Kit, the investigator will carry out an extensive analysis of numerous file systems (Garfinkel, 2010). The investigator will use the FTK Imager to preview the data and images in hard drives, DVDs and CDs, network drives. He will also use this tool for recovery of files that the culprits might have deleted on the process of covering the tail. The investigator will conduct a systematic review of every asset that is available for investigation. The investigator will do data recovery to find out the deleted files from the hard drives and other storage devices. He will do this as a way of finding out whether these devices adhere to the company procedures and standard policy. He will also review the network through the ProDiscover to make find any anomalies in the security of the network (Casey, 2009).The investigator will go back to 3 months before the current time as the appropriate time from which the investigation will start. He arrives at this through the advice of the company heads that that is when they started detecting the anomalies and that is when the company started having a downward spiral in their profits. Another reason for selecting this period is the fact that most of the reports were given at this time of the financial here. These reports will form the background of review into the case of anomalies and the culprits. The investigator will analyze the evidence through use of the evidence analyses which will define the possession. This is whereby he will establish the between the evidence and the suspected workers. He will also analyze the evidence of accessing of the evidence by the suspect. Lastly, he will analyze the evidence that defines the knowledge of the evidence. The investigator will use this to establish that the knowledge of the suspect as far as the evidence is concerned (Garfinkel, 2010). Project Plan Having done the prior planning of the devices for consideration, use in the investigation and the time where the investigation will be back-traced; the investigator has paved way for planning of the actual investigation. Here, the investigator gives the step by step procedure in the investigation procedure. He also gives the time estimate for each of the task to be carried. The investigator also discusses the potential risks and challenges to the investigation and the ways he will overcome these challenges. The investigator uses an incident respond and computer forensic model to give a step by step discussion of the project plan (Garfinkel, 2010). Forensic experts have divided the model in to five stages: the pre-incident preparation; pre-analysis; analysis and post analysis (Selamat et al, 2008). The pre-analysis stage involves all activities and steps the investigator will perform prior to the actual analysis. On the other hand the post analysis stages give steps and activities that the investigator will perform after the actual analysis such as the final report. There is interdependency between and among these stages as some of the activities in one stage are the prerequisites for the next activities. This may lead to redundancies .The investigator merges and groups similar activities to distinct but appropriate stages to avert the challenges of repetition and redundancy in the forensic activities. He does this through a forensic mapping with the sole purpose of balancing the process in the achievement of the overriding objective that can lead to solid investigation evidence. In designing the mapping process the investigator will use three steps; identification of the framework that exists; construction of the name of the stage and process mapping. In the identification of the existing framework the investigator analyses the stage, timeline, activities and the result for the framework. On the construction of the name, the investigator constructs a name on the basis of the activities and result that he had analyzed earlier on in the first step. The third step; the process of mapping involves analyzing and putting in a chart. The investigator summarizes these steps in the following table that he adopted from Garfinkel, 2010). Table A: A Summary of the Project Plan Stage Time Line Stage Name Activities Results 1. the first week preparation The investigator monitors the authorization and the support of the management. He also obtains authority in to companies system so as to carry out the investigation. He also ensure that the operation and the basic structure of the company’s system can support the investigation The investigator provides the mechanism for detection and confirmation of the incident. The investigator then identifies the usefulness of the investigation He then plans the way of carrying out the investigation He also identifies the previous investigation, the policies and procedure Informing the relevant authority of the commencement of the investigation Planning, seeking for authority, seeking notification and confirmation 2. The second week Collection and preservation of information Determination of the source of information Determination of the location of the evidence Translating the media into useful information Ascertaining authenticity and integrity of the evidence Safeguarding the data Recording the physical scene Duplicating the investigation evidence and encoring it integrity and validity for use in the later days Existence of skimming, source of evidence, analyses of the media and events 3. The third week Examination and analysis Examining the data from the investigation Examining the techniques that the investigator used for interpreting important data Recovering hidden and deleted information Recognizing digital evidence and the level of expertise of the culprits Transformation of data into form and size that can be easily managed Assessing and looking for evidence Constructing extensive documents for analysis Establish the significant of the evidence Documentation of the output Files, events log, information and data 4. The forth week Presentation and reporting Preparation and presentation of the evidence Determination of the relevance of the evidence Interpretation of the statistics Clarification of the evidence Provide a summary of the evidence Provide the prove of the result and their validity Communication of the relevant evidence to the relevant authority Report and evidence 5. The fifth week Case dissemination Returning the management of the assets back to the respective company experts Determining how the to seal the loopholes Close the case. Explanation of the evidence, setting new policies, new procedures for investigation and closing of the investigation Potential Risks and Challenges Facing the Investigation and how the Investigator Solved Them. The process of investigator is both tedious and has the potential of flopping at any time in case of compromise by the culprits. One of the risks in the investigation is blowing the cover that the management personnel provided the investigator. Although I worked as an administrator, there is a potential of some of the employees in the field discovering what is going on. The investigator avoided this by being as discrete as possible. Another problem is that the increase of gadgets such as personal smart phones which are a source of evidence has increased in the company. It is difficult to access this information. However, the investigator uses sophisticated technology by a customized phone technology through a game-like phone application that connects the phone to the investigators device without the knowledge of the user. Another problem is the availability of more effective software that can be used to wipe the evidence from the computer almost without leaving a trace. Other challenges that the investigator faced are; sophisticated malware, the fact that most of the available tools and skills center on the platform of Windows. The investigator had to go out of the box and acquire other tools for other operating system. These tools are expensive and difficult to work with and therefore, the investigator had to communicate this to the relevant authority in the pricing. Identifying the Culprits of Skimming After analyzing all the evidence that the investigator got from his sources, he is faced with the task of identifying the location of the culprits, the procedure of skimming and the size of skimming that has already taken place. The first task is discovering the culprits that are within the AMS employees’ bracket. The investigator goes through each of the employees’ records and files and then matches the finding of the investigation with the skill level of the employee. The investigator documented the facts and carried out a trail for every event or each piece of evidence. On finding the anomalies in the files in certain areas in the company, the investigator went forth to recover and screen the available evidence. Then he established a link between the evidence and the employee in question. The investigators drew a link to be able to establish the cartel that is involved in the skimming. The investigator identifies the employee with most of the anomalies like missing files, discrepancies among the daily records and other links. Also the investigator looks for unusual differences in records, differences in the inventory shrinkage, the size and the excess records for write-off. He will also look for short-time activities of skimming whereby the culprits has extra cash unaccounted for in one of the files. The investigator conducts a monitoring and evaluation of the suspect’s daily activities. At the end of this he will have discovered a trail in skimming and evidence linking the individual or group of employees. After that he checks the employee’s knowledge so as to match the evidence with the culprits. Also this can be done through the elimination method where the investigator eliminates all the possible. The investigator will use the information from closed-circuit television the employee who might have behaved suspiciously. After this, he will countercheck his evidence with the suspects detail and build up a link. Also, the investigator checked for employees who might have sent external emails which are suspicious. These emails will be used in establishing a link between the employees and the skimming. The skimmers may also be external whereby there is a loophole in the company administrative or accounting system. The first step in detecting an outward source of skimming is detecting the loophole in the system. This is whereby the investigator makes an extensive monitoring and evaluation accounting systems. Some skimmers might be using ATM to rob the company. Therefore, the investigator should check the accounts frequently for any skimming. After this, he monitors the credit cards and checking accounts over the network and immediately reports the suspicious activity to the banking institution. The institution will help in detecting the suspects. The investigator will also check the origin of malicious files which are likely to cause bleach to the safety of the company’s systems. The investigator also uses information from the security cameras to find out the external skimmers who might have found some of the hardware or software that was installed into the company’s computers. By checking the recovered sent emails, the investigator discovers that there were some suspicious emails sent to certain address. A follow up to this address will lead to establishment of a potential skimming activity from outside. This skimming might have been facilitated by internal employees and therefore the investigator had an open mind for an internal skimmer. Handling Potential Evidence Every piece of the potential evidence should be handling with a lot of care to avoid compromise to the process of investigation. The fragile nature of digital evidence make it easy to alter, damage or destroy incase of mishandling. Therefore, there is a need for examination on a copy of the original information which was collected in a manner which ensured its integrity and validity. This information will be collected and stored in other devices waiting for screening and analysis. The investigator will make sure that the evidence will not be leaked to any of the workers or to the management before the final investigation report is prepared. Chain of Custody and Preservation The investigator keenly takes into consideration the evidentiary procedures. He performs an extensive investigation at the same time as adhering to the highest evidence standards and proof that is legally admissible. He will provide the best chain of custody which involves only the agreed upon personnel. The opportunity of working under a cover as the system administrator, the investigator is able to work comfortably without creating any tension in the company by confiscating materials or the investigation assets. The investigator will make copies of storage devices from the original so as to reduce the cases of loss of evidence in case of a compromise. Some of the storage devices used by the investigators are external hard disks, flash disk, DVDs and CDs. The custody of the assets required for investigation are easily in his hands and therefore, he can work to the best of his knowledge However incase of high chance for discovering the suspect, he will use wise ways such as taking the custodian of the device in question for alleged repair. Through this, he will be able to carry out the investigation without raising any eyebrow. Once he recovers files and useful evidence, the investigators saves them in independent devices (Selamat et al, 2008). The investigator will use administrator generated passwords to safeguard the devices to avoid raising any suspicion incase the workers find out there are extra files recovered from his or her computer Analysis and Reporting The investigator will analyze the evidence through use of the evidence analyses which will define the possession. This is whereby he will establish the link between the evidence and the suspected workers. The primary aim of the investigator is to establish internal and external skimmers. Through analyzing the evidence possession, he will be able to create trail which he uses to find the real criminals, the procedure and the accomplices. He will also analyze the evidence of accessing of the evidence by the suspect. Lastly, he will analyze the evidence that defines the knowledge of the evidence. The investigator will document every action and observation throughout the process of forensic investigation (Selamat et al, 2008). The investigator will use this to establish that the knowledge of the suspects as far as the evidence is concerned .The investigator will prepare a detailed final report which will show the evidence of the investigation. The report will give reveal the existence of skimming culprits and the skimming procedure. It will also provide recommendation in sealing the routes open for skimming and the procedure for subsequent investigations. The report will be easy to understand and will be given to the specific personnel the investigator agreed to work with (Selamat 2008). References Casey, E. (2009). Handbook of digital forensics and investigation. Academic Press. Dixon, P. D. (2005). An overview of computer forensics. Potentials, IEEE, 24(5), 7-10. Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73. Köhn, M., Olivier, M. S., & Eloff, J. H. (2006, July). Framework for a Digital Forensic Investigation. In ISSA (pp. 1-7). Reyes, A., Brittson, R., OShea, K., & Steele, J. (2011). Cyber crime investigations: bridging the gaps between security professionals, law enforcement, and prosecutors. Syngress. Selamat, S. R., Yusof, R., & Sahib, S. (2008). Mapping process of digital forensic investigation framework. International Journal of Computer Science and Network Security, 8(10), 163-169. Read More