Cybercrime Investigation and Digital Forensics - Assignment Example
Cybercrime Investigation and Digital Forensics
An Assignment Submitted by
Fall

People's digital identities are threatened by cyber threats that grow more sophisticated every day, and the healthcare sector is no exception. Healthcare organizations are being transformed by advances in technology: maintaining electronic health records is becoming mandatory as a means of improving patient privacy, reducing cost, providing collaborative care, and ensuring high-quality healthcare services (Trobough, 2014). Healthcare providers are introducing internet-enabled patient monitoring to allow easier and better communication between physicians and patients. At the same time, this gives attackers a way into healthcare information systems and access to highly confidential information such as patient medical reports and lab results, as well as other potentially lucrative data such as insurance details. When a healthcare organization's data is breached, the result is not only a financial and reputational crisis for the industry and the specific organization but also, depending on the nature of the disclosed data, serious harm to patients. When such incidents happen, digital forensics helps investigate the potential crime scene and produce evidence that can be presented for prosecution. This report gives a detailed description of the investigation procedure from the perspective of a cyber forensic company's lead forensics investigator, aimed at identifying and prosecuting a potential breach incident that has happened at a healthcare company.

Task A

To begin with, it is appropriate to explain our company's approach to providing the overall plan for processing the potential crime incident that has occurred at a healthcare company.
Our investigation team comprises security and digital forensic professionals who work closely with highly experienced corporate investigators and a well-trained background verification team ("Investigating a data breach," n.d.). Whenever a data breach incident happens, our response team provides complete guidance on the post-incident proceedings and services tailored to the requirements of the healthcare industry. Our overall planning process consists of collecting and securing the digital evidence, visualizing indications of a data breach using a triage approach, rigorous analysis of the evidence, presenting the investigation results for prosecution, and providing remediation to prevent future recurrences (Nelson, Phillips & Steuart, 2009). The immediate incident response launched by our company consists of briefing on, and reviewing, the facts reported by the members of the healthcare company's security operations center. Based on this review, we interview the pertinent staff of the healthcare company in order to identify the potential sources of digital evidence for the data breach (Nelson, Phillips & Steuart, 2009). The sources of evidence may be database systems, servers, call logs or mobile devices. Extreme care is taken to preserve the evidence in compliance with international standards. Evidence of the data breach is collected by our company's highly experienced forensic professionals so as to minimize the risk of contaminating the data and to reinforce the legal admissibility of the evidence collected ("Investigating a data breach," n.d.). Once the evidence is collected, visualization tools help us carry out a triage-based assessment that allows rapid identification of suspicious activities ("Investigating a data breach," n.d.).
The visualization tools provide information such as the number of documents sent and their file types, the time periods of access, the nature of the websites frequently accessed, details of peripheral and mass storage devices attached to the healthcare information system, and more ("Investigating a data breach," n.d.). This approach helps us prioritize the investigation by letting the investigating team gather additional information, such as identifying devices that have recently accessed the compromised data source or devices that transmitted or copied files with a similar data profile. During the triage phase, our investigation team develops an analysis strategy that clearly predefines the tools and techniques to be employed to uncover the evidence related to the healthcare company's data breach incident. The digital forensic experts suggest other complementary exploratory techniques such as data mining and investigative interviewing to enhance the accuracy of the investigation (Yusoff, Ismail & Hassan, 2011). Once the evidence confirms the data breach, the healthcare company approaches the court for prosecution of the accused, and our company is committed to providing full support through expert testimony as the court requires. The final reports generated by our investigation procedure can be used to secure injunctions ("Investigating a data breach," n.d.). The ultimate aim of any investigation procedure is not only to discover the evidence at the scene of the crime but also to prevent its recurrence. Our investigation procedure clearly identifies the potential loopholes in the healthcare company's network security infrastructure. Though it is not possible to give absolute assurance of data security, our security professionals provide expert advice to minimize the future risk of such data breach incidents to the greatest possible extent.
Our team's overall focus is on network flow information, the geographic locations of IP addresses, user entitlements, and their access levels (Wojno, n.d.). This helps us investigate how the breach happened, which systems were involved, who the affected users are, what sensitive data was compromised, and how to preserve the forensic integrity of the evidence collected (Wojno, n.d.).

Task B

In this case, we were informed that the healthcare company's database administrator received a strange e-mail from HR containing a benefits attachment. She reported strange behavior of her system after opening the attachment, which was actually blank. So it is evident that she received a phishing e-mail intended to infect her system. She has been working on a Microsoft Windows XP workstation, so we can begin the investigation by imaging her drive, which provides valuable evidence to help our investigation team correlate the event data and network flow data. Before beginning the imaging process it is very important to make sure that important files are backed up, because imaging must not result in the loss of valuable data (Dowler, 2014). In the imaging process, we have to install the new drive onto which the database administrator's drive is to be imaged. We have dedicated software for the imaging process, and it has to be installed before imaging can begin. We have to carefully select the source drive to be imaged and the destination drive to which the source drive's contents are to be copied (Dowler, 2014). Before the imaging starts, we can check that all selections are correct by verifying the summary report generated by the imaging software (Dowler, 2014).
Once the check is complete, we can start the run, which reboots the system so that the imaging software runs in the disk operating system. Depending on the amount of data to be imaged, the imaging process takes a variable amount of time (Dowler, 2014). After performing a repair install of Windows XP, the new drive containing the image of the old drive can be processed for further investigation. Several graphical user interface (GUI) tools such as RootkitRevealer, TCPView, Process Explorer, and others help in the further investigation, as they provide information on the date and time of system access, information stored in system memory, user login details, processes running on the system, open ports, and network connections (Gurjar, 2014). We use Windows-based GUI tools because the healthcare company works on the Windows platform. These tools help greatly in analyzing the database administrator's system for potential evidence of infection and modification. We work with the New Technology File System (NTFS), which contains the Master File Table (MFT); the MFT maintains records called metadata (Yusoff, Ismail & Hassan, 2011). Metadata is data about the data. Details about the suspicious attachment the database administrator opened from her mail can be collected from NTFS. Our investigation team examines the Windows registry to retrieve the "LastWrite" time, which provides information about file modification times on the database administrator's system (Gurjar, 2014). Next, we examine the autostart locations in the Windows registry, through which applications can be launched automatically without any action by the user. With the help of autostart entries, malware can modify and exfiltrate information stored on the system without the user's knowledge (Gurjar, 2014).
So, investigating the Windows registry provides a vital source of evidence, such as redirected web pages and the IP addresses of devices connected to the database administrator's system, which is very significant for forensic investigators.

Task C

The next phase of our investigation is the analysis for potential evidence of infection or modification on the healthcare company's database server. The database server is where all patient-related information is stored and maintained. Investigating the database server requires knowledge of database forensics combined with network forensics, which is our company's area of expertise. Network forensics helps monitor for suspicious traffic and intrusion into the database server (Gurjar, 2014). It is always possible for an intruder to delete all log-related files from the database administrator's system, so network-based evidence is essential for forensic analysis. Network analysis also helps gather information on data transfers across the network, e-mail communication details, and more (Yusoff, Ismail & Hassan, 2011). Database forensics helps us carry out the investigation of the healthcare company's database, because the database is the intruders' target, from which they could breach sensitive data and patients' personal information. We concentrate our investigation on identifying, preserving, and analyzing the data retrieved from the server. Any data retrieval from the database server demands authentication and authorization by the server (Gurjar, 2014). We verify the database's audit logs, which contain details of the users who were previously granted permission to access the server. This reveals the IP addresses of the remotely connected systems that had the opportunity to breach data from the server (Gurjar, 2014).
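As an added illustration of the audit-log review described for Task C (example code written for this edit, not part of the assignment or its cited sources), the script below parses constructed database login-audit lines, lists which accounts connected from which client addresses, and flags connections from addresses outside a constructed baseline, outside business hours, or succeeding right after failed attempts. The log format is loosely modelled on a SQL Server error-log style; the format, account names, addresses and baseline are all constructed.

```python
"""Triage of database audit-log lines for a breach investigation (Task C).
Added example, not from the assignment or the sources it cites. The log shape,
account names, addresses and the baseline of known clients are all constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed audit lines in a SQL Server error-log-like shape:
#   <timestamp> Login <succeeded|failed> for user '<name>'. [CLIENT: <ip>]
AUDIT_LOG = """\
2014-11-03 09:12:41 Login succeeded for user 'hc\\dbadmin'. [CLIENT: 10.20.1.15]
2014-11-03 09:40:02 Login succeeded for user 'hc\\reports'. [CLIENT: 10.20.1.30]
2014-11-03 13:05:19 Login succeeded for user 'hc\\dbadmin'. [CLIENT: 10.20.1.15]
2014-11-03 23:51:07 Login failed for user 'sa'. [CLIENT: 198.51.100.77]
2014-11-03 23:51:09 Login failed for user 'sa'. [CLIENT: 198.51.100.77]
2014-11-03 23:52:30 Login succeeded for user 'hc\\dbadmin'. [CLIENT: 198.51.100.77]
2014-11-04 00:14:55 Login succeeded for user 'hc\\dbadmin'. [CLIENT: 198.51.100.77]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Login (?P<result>succeeded|failed) "
    r"for user '(?P<user>[^']+)'\. \[CLIENT: (?P<ip>[0-9.]+)\]$"
)

# Constructed baseline: addresses allowed to reach the server, and the hours
# (08:00 to 18:59) during which administrative access is expected.
KNOWN_CLIENTS = {"10.20.1.15", "10.20.1.30"}
BUSINESS_HOURS = range(8, 19)


def parse_audit_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, never guessed."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def client_summary(events):
    """Map each client address to the accounts that logged in successfully from it."""
    seen = defaultdict(set)
    for ev in events:
        if ev["result"] == "succeeded":
            seen[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in seen.items()}


def flag_suspicious(events, known_clients=KNOWN_CLIENTS, business_hours=BUSINESS_HOURS):
    """Return (timestamp, ip, user, reasons) for events worth a closer look: an address
    outside the baseline, off-hours access, or a success right after failed logins."""
    failures_by_ip = defaultdict(int)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if ev["ip"] not in known_clients:
            reasons.append("unknown client address")
        if ev["ts"].hour not in business_hours:
            reasons.append("outside business hours")
        if ev["result"] == "failed":
            failures_by_ip[ev["ip"]] += 1
        elif failures_by_ip[ev["ip"]]:
            reasons.append(f"success after {failures_by_ip[ev['ip']]} failed attempt(s)")
            failures_by_ip[ev["ip"]] = 0
        if reasons:
            flagged.append((ev["ts"].isoformat(sep=" "), ev["ip"], ev["user"], reasons))
    return flagged


if __name__ == "__main__":
    for row in flag_suspicious(parse_audit_log(AUDIT_LOG)):
        print(*row)
```

The flagged rows give the investigator the remote address and account to correlate against network flow records, which is the cross-check the text relies on when workstation logs may have been deleted.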
Database forensic investigation is the most crucial part of the entire procedure, because it allows forensic investigators like us to conclusively prove or disprove instances of data breach. The Data Definition Language and Data Manipulation Language are used for data management within the server (Gurjar, 2014). With the help of specialized tools such as Windows forensic tool v1.0.03, we can retrace the operations performed in these languages by customizing the configuration files and running Database Consistency Checker and Dynamic Management View commands (Gurjar, 2014). These commands gather the evidence needed to prove the breach of medical records that happened on the healthcare company's database server.

Task D

Our investigation procedure would reveal the intruder's persistent access to the healthcare company's database server. Our forensic analysis explores the weaknesses in the healthcare company's digital security infrastructure. It also identifies the systems that were compromised by the intruder's attack, the details of the sensitive data that was breached, and the malware responsible for the data breach. Once all the details of the crime scene are revealed, one may consider the role of forensic investigation to be over. This does not hold true for our company. We are committed to supporting all of the healthcare company's expert testimony requirements in court. We also provide documentation support to record the remediation activities undertaken by the healthcare company in the event of legal proceedings. The forensic report generated by our company's professionals answers the following questions: What is the purpose of the report? Who prepared the report? What is the incident summary? What is the evidence? What analysis methods were used? What conclusions were derived? What are the supporting documents? (Gurjar, 2014).
This report would highlight the evidence in court and help collect more relevant and admissible evidence that can be produced at hearings. The report clearly explains the scope of the investigation. Our company's forensic investigators are well aware of the various types of forensic reporting, such as verbal reports, formal reports, written reports, and examination plans, as required by the jurisdiction relevant to the healthcare company (Laykin, 2013). Our investigation reports presented in court contain the evidence and facts indicating the data breach that occurred at the healthcare company, together with a declaration affirming our company's ethical responsibility. In addition to the evidence presented, our investigators provide supporting documentation to back up their findings when we are expected to justify our evidence (Laykin, 2013). So we can prepare our team to act as expert witnesses for the data breach that occurred at the healthcare company, thereby providing support and cooperation in the prosecution.

Conclusion

Healthcare industries are on the brink of a prospective cybersecurity nightmare. With the dramatic rise of the internet, criminals have a comfortable platform on which to perpetrate crimes anonymously. Healthcare organizations and their security teams face huge vulnerabilities owing to the large number of users, devices, and applications connected to their networks. Despite the various regulations and network security features in place, healthcare organizations are struggling to protect the integrity of their systems and intellectual property. So healthcare organizations must embrace a holistic approach to cybersecurity, which in turn would help them bridge the gaps in their security infrastructure.
This would help them acquire contextual insight into the activities taking place on their networks in real time, so that they can act swiftly in identifying and preventing threats of data breach, thereby building a reliable, cost-effective, and secure healthcare organization.

References

Dowler, M. (2008, December 23). Beginners guides: Cloning Windows XP. Retrieved from http://www.pcstats.com/articleview.cfm?articleid=418&page=7

Gurjar, C. (2014). Computer forensics investigation – a case study. Retrieved from http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/

"Investigating a data breach – IT forensic services." (n.d.). In EY. Retrieved from http://www.ey.com/Publication/vwLUAssets/EY-Investigating-a-data-breach/$FILE/EY-Investigating-a-data-breach.pdf

Laykin, E. (2013). Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives. John Wiley & Sons.

Nelson, B., Phillips, A., & Steuart, C. (2009). Guide to Computer Forensics and Investigations. Cengage Learning.

Trobough, J. (2014, November 4). Why cyber security breaches are on rise for healthcare. Retrieved from http://healthitsecurity.com/2014/11/04/cybersecurity-breaches-rise-healthcare/

Wojno, J. (n.d.). Investigate data breaches. In McAfee. Retrieved from http://www.mcafee.com/in/resources/technology-blueprints/tb-investigate-data-breaches.pdf

Yusoff, Y., Ismail, R., & Hassan, Z. (2011). Common phases of computer forensics investigation models. International Journal of Computer Science & Information Technology (IJCSIT), 3(3), 17-31.