More technical detail for mid-large companies with some specialist support
Profile and assess the company and its data systems
Identify: list, assess value, assess potential risks and vulnerabilities for:
Data
Systems (hardware, software and infrastructure)
People (users)
Actions for the company to implement, security policies to set up
Actions and policies to manage risk to data
Actions and policies to manage risk related to systems
Actions and policies to manage risk related to people
Digital Forensics
level 4
level 5
df process L5
Describe the aim or purpose of the Digital Forensic process
State the four principles of DF examinations
State which laws are most relevant to DF (in Scotland)
Describe the main activities in carrying out a DF examination
Describe the role of the lead investigator in DF examination
Describe the role of senior investigators in a DF examination
Identify other personnel who might be in the DF examination team
Describe the effect of Laws in carrying out a DF examination
Why are DF processes increasingly important to crime investigation?
Describe the factors that might lead to a DF examination being launched
Describe the role of the Investigatory Powers Commission
Why must Digital forensic examinations be carried out within a 'legal framework'?
What are the main offences covered by the Computer Misuse Act?
What is the main ‘human right’ that affects the conduct of a digital forensic examination?
df act (laws and legislation) L5
State the main offences under the Computer Misuse Act
Explain why a DF investigation team might request encryption keys
Explain why the members of a DF team need to know how the Computer Misuse Act affects their work
Identify how human rights in Scotland were covered before the Human Rights Act was passed
Explain how the HRA has helped investigations in Scotland
Explain why RIPA allows secret monitoring of ISP customers.
Outline the powers given to investigators under the RIPA law.
Identify the offences defined by the Computer Misuse Act.
Describe the purpose of the Investigatory Powers Commission
Describe how the HRA relates to DF, identify the main feature that is relevant.
Explain why RIPA is needed in addition to Computer Misuse Act.
Explain the developments that led to the passing of the Computer Misuse Act.
Describe the action that should be taken if a DF team finds evidence that may relate to another crime.
Explain why the members of the DF team need to be aware of the legal framework.
DF seizure L5
Explain the use of “Faraday bags” in DF
Explain why proper training is needed for DF personnel who will be securing digital devices
Explain the meaning of the term “forensic ready” and why it is important for companies to be “forensic ready”
Describe the kinds of evidence that should be captured before removing power from a digital device
Explain why an investigating DF team may ask for a warrant, explain how this may help the investigation.
Describe the process for obtaining a warrant.
Explain what is meant by a “chain of custody” and how it might be set up.
Explain the role of the owner of a device in giving permission for the devices to be examined.
level 6
From ASP
The types of evidence that you may wish to include are:
files hidden within picture files that contain details of customers, products, usernames, passwords etc
browser history showing sites visited that would produce evidence that might incriminate the suspect, such as visits to courier companies, internet banking websites etc
communication between the employee and unknown customers
spreadsheets showing income and customers of the alleged illicit sales, either on the drive or recently deleted, which show details of the sales of the prototypes
Assessment instructions
You have been employed as a Forensic Examiner on a freelance basis by a company called CyberAssured. CyberAssured is a digital equipment manufacturing company with bases across the globe. They design, develop and build digital equipment for both business and military use.
The Product Development Manager has been made aware that some prototype military equipment technology is being leaked. There is a suspicion that a member of the Product Development team is selling the technology to a third party.
They are looking for a quick, concise resolution to the investigation, they wish to keep this investigation internal to the company and obviously do not wish the suspicious activity to be leaked for fear of bad publicity. To this end, they have asked you to sign a non-disclosure agreement.
You must forensically examine the computer system of the main suspect, this machine has been left switched on. You are looking for evidence that the employee has been illegally selling prototype technologies.
You should keep records of the steps taken during the investigation using the following three forms.
You should select and use a range of relevant forensic tools in order to undertake this task and do so in a forensically sound manner, by preserving acquired data and verifying it to ensure it has been preserved accurately.
In order to fully investigate the incident you should undertake hard disk and network analysis.
The results should be delivered to your assessor by submitting a brief report outlining your procedures, conclusions and findings. The report should be evaluative in nature and should incorporate the three forms.
Evidence
Collection — Completion of pro forma 1
Documentation of securing the crime scene.
Seizing the evidence (PC or Raspberry Pi, pen drive, USB drive etc).
Documentation and qualifications of person(s) undertaking analysis.
Continuity of evidence (bagging and tagging evidence).
Examination — Completion of pro forma 2
Examination of the machine under test.
Recording of system specific information.
Copy disk using write blocker or software write blocker.
Analysis — Completion of pro forma 3
Analysis of files copied.
Full contemporaneous notes of the process taken.
Reporting — Written or oral report including pro forma
Report outlining procedures, conclusions and findings, delivered via written or oral means.
A checklist is provided to ensure that each candidate has met the Performance Criteria for Outcomes 2 and 3.
Explain the complex forensics techniques used to acquire data.
Select a range of forensic tools to acquire data.
Use a range of relevant forensic tools to acquire data.
Preserve acquired data.
Verify acquired data.
Identify system specific information.
Perform hard disk analysis.
Perform network analysis.
Record the findings of the process.
Evaluate the results of the digital forensic examination.
Communicate the evaluation results of the forensic examination.
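The "preserve acquired data" and "verify acquired data" criteria above, together with the chain-of-custody requirement on the collection form, come down to one discipline: hash the bytes as they leave the source, write the hash down contemporaneously, and re-hash the image before every examination. The following is an added example (it is not part of the assessment pack and not a tool the course names) showing that discipline for a raw, dd-style image in stdlib Python. The examiner name, exhibit reference and the "device" contents are constructed for the demonstration. Note that an E01 container's stored hash covers the acquired disk data, not the .E01 file itself, so for E01 images the verification step belongs to your forensic suite; this script is for raw images.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks: hash and copy large devices without loading them into RAM

# Constructed stand-in for a seized device: a boot sector, an email and some filler.
# Not real evidence; it exists only so the example runs offline.
SAMPLE_DEVICE = (b"\x00" * 512
                 + b"From: suspect@cyberassured.example\nTo: buyer@example\n"
                 + b"Subject: prototype pricing\n\nSee attached.\n"
                 + b"\xff" * 4096)


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _log(custody_log, record):
    """Append one contemporaneous entry (JSON lines); earlier entries are never rewritten."""
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def hash_file(path):
    """Return (md5, sha256) of a file, streamed in CHUNK-sized blocks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(source, image, examiner, exhibit, custody_log):
    """Copy source -> image, hashing the bytes as they are read from the source,
    so the recorded hash is of what was acquired, not of the copy afterwards."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    # Soft write-protect the image file. This is a convenience, not a substitute
    # for a hardware or software write blocker on the source device.
    os.chmod(image, 0o444)
    record = {"exhibit": exhibit, "action": "acquire", "examiner": examiner,
              "when": _utc_now(), "source": source, "image": image,
              "bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    _log(custody_log, record)
    return record


def verify(image, expected_sha256, examiner, exhibit, custody_log):
    """Re-hash the image and record the outcome. Returns True only on an exact match."""
    _, actual = hash_file(image)
    ok = actual == expected_sha256
    _log(custody_log, {"exhibit": exhibit, "action": "verify", "examiner": examiner,
                       "when": _utc_now(), "image": image, "expected": expected_sha256,
                       "actual": actual, "result": "PASS" if ok else "FAIL"})
    return ok


def demo():
    """Acquire the constructed device, verify the image, then show that a one-byte
    change is caught. Returns (acquisition record, verified, verified_after_tamper, log entries)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "sdb")  # pretend block device (hypothetical name)
        image = os.path.join(d, "EX001.dd")
        log = os.path.join(d, "chain_of_custody.jsonl")
        with open(source, "wb") as f:
            f.write(SAMPLE_DEVICE)
        rec = acquire(source, image, "J. Examiner", "EX001", log)
        good = verify(image, rec["sha256"], "J. Examiner", "EX001", log)
        os.chmod(image, 0o644)  # simulate someone defeating the soft protection
        with open(image, "r+b") as f:
            f.seek(512)
            f.write(b"X")  # flip one byte inside the email header
        bad = verify(image, rec["sha256"], "J. Examiner", "EX001", log)
        with open(log, encoding="utf-8") as f:
            entries = [json.loads(line) for line in f]
        return rec, good, bad, entries


if __name__ == "__main__":
    rec, good, bad, entries = demo()
    print(rec["sha256"], good, bad, len(entries))
```

Every acquire and verify call appends a dated entry to the custody log, which is the machine-readable equivalent of pro forma 1's continuity record: the record shows who handled the exhibit, when, and whether the image still matched the acquisition hash at that moment. Work only on a verified copy of the image and keep the original image file read-only.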
GBLOKE
Forensic image of a HD and an image of a USB stick.
On the USB stick, Auntie Mary, Poems and Holidays are all lists of banned drugs. Their file extensions have been changed to disguise them but they are all openable with Notepad++ or similar.
There is a jpg photo of his cohort, some pills and a beach scene, all of which might be relevant.
And a couple of web pages showing interesting related items.
The laptop hard drive will give you some emails (openable with Notepad++) and some text files; you don't have to hunt too hard. If I remember correctly there is an Excel file as well; all of these are on the desktop or in My Documents. The user account name ties the laptop to the suspect. The students will have fun trawling through the E01 files looking for clues.
We basically used the ASP but split it up into 4 parts to make marking easier, because you don't want everything coming in at once (probably too late for you now this year, sorry, but you'll know for next time). We did part 1 after 4 weeks, part 2 after 8 weeks, part 3 I think was week 9/10 and part 4 week 12. Mark as you go, then for the final case report, I gave them a template where they can just copy/paste their answers and any corrections into a nice report. I make my level 5s do a properly formatted report with front cover etc, appendices, screenshots etc but they have already collected all the content by doing parts 1 to 4. They submit final reports through SafeAssign or Turnitin and there is hardly any marking to do at that point.
We put our 4 parts on the VLE so it's not copied over very well, but you should get the idea. Some questions make reference to OSF so you'll have to amend those depending on what you are using. Our 5's get HexBrowser, FTK Imager, OSF (an older free version) and I can give you a link to those tools if you need it.
The zip files show the questions on the VLE - if you are using Blackboard I can try and send export files, there's our in-house Chain of Custody form, the final report template and the ASP.
Download GBLOKE.e01.001, 002, 003 and 004 and put them in a folder along with the GBLOKE.e01.txt file.
Download FFJS, install and run it.
Choose "join", point it to GBLOKE.e01.001 and run (it is OK to delete the split parts). You should now have an E01 file of about 3.8 GB in size.
Download the zip file and extract it. You should now have a folder called Frenergy USB. This is a copy of the suspect's Hello Kitty USB. You should now use FTK Imager to make an E01 file from this folder, this is the second piece of evidence. Also keep the text file that will be auto-generated.
You can now mount both E01 files in whatever Forensics suite you are using as this will be part of your assessment evidence.
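The join step above (FFJS on GBLOKE.e01.001 to .004) is a plain byte-for-byte concatenation of raw split segments. The following is an added example, not part of the lecturer's material or the FFJS tool, that does the same join in stdlib Python and adds the checks a practitioner wants before trusting the result: the segments are taken in numeric order, a gap in the numbering aborts the join (a missing part would otherwise produce a silently corrupt image), the joined size is checked against the sum of the parts, and a SHA-256 of the joined file is returned for the chain-of-custody form. The segment data in `demo()` is constructed. One caveat the page does not spell out: the hash in the FTK Imager .txt log is of the acquired disk data, not of the .E01 container, so the joined file's hash will not match that log; mount the joined E01 in your forensic suite and let it verify the stored hash before deleting the split parts.

```python
import hashlib
import os
import re
import tempfile

# name.001, name.002, ... as produced by HJSplit-style splitters (FFJS reads the same layout)
SEGMENT = re.compile(r"^(?P<stem>.+)\.(?P<n>\d{3})$")
CHUNK = 1 << 20


def find_segments(first_part):
    """Given the path of the .001 part, return every part of that stem in numeric order.
    Raises FileNotFoundError if the numbering has a gap."""
    directory, name = os.path.split(first_part)
    m = SEGMENT.match(name)
    if not m or int(m["n"]) != 1:
        raise ValueError(f"{name} is not a .001 segment")
    stem = m["stem"]
    found = {}
    for entry in os.listdir(directory or "."):
        mm = SEGMENT.match(entry)
        if mm and mm["stem"] == stem:
            found[int(mm["n"])] = os.path.join(directory, entry)
    expected = range(1, max(found) + 1)
    missing = [n for n in expected if n not in found]
    if missing:
        raise FileNotFoundError(f"missing segment(s) {missing} for {stem}")
    return [found[n] for n in expected]


def join_segments(first_part, output):
    """Concatenate the segments into `output`, hashing as they are written.
    Returns a record suitable for pasting into a chain-of-custody entry."""
    parts = find_segments(first_part)
    sha, size = hashlib.sha256(), 0
    with open(output, "wb") as dst:
        for p in parts:
            with open(p, "rb") as src:
                for block in iter(lambda: src.read(CHUNK), b""):
                    dst.write(block)
                    sha.update(block)
                    size += len(block)
    if size != sum(os.path.getsize(p) for p in parts):
        raise IOError("joined size does not equal the sum of the parts")
    return {"output": output, "parts": len(parts), "bytes": size, "sha256": sha.hexdigest()}


def demo():
    """Split constructed data into three parts, join them, then remove one part and
    confirm the gap is detected. Returns (record, joined_ok, missing_detected)."""
    data = bytes(range(256)) * 40  # 10240 bytes of constructed content, not a real image
    with tempfile.TemporaryDirectory() as d:
        stem = os.path.join(d, "CASE.e01")  # hypothetical exhibit name
        for i, offset in enumerate(range(0, len(data), 4096), start=1):
            with open(f"{stem}.{i:03d}", "wb") as f:
                f.write(data[offset:offset + 4096])
        joined = os.path.join(d, "CASE_joined.e01")
        rec = join_segments(f"{stem}.001", joined)
        with open(joined, "rb") as f:
            joined_ok = f.read() == data
        os.remove(f"{stem}.002")
        try:
            find_segments(f"{stem}.001")
            missing_detected = False
        except FileNotFoundError:
            missing_detected = True
        return rec, joined_ok, missing_detected


if __name__ == "__main__":
    rec, joined_ok, missing_detected = demo()
    print(rec["sha256"], rec["parts"], rec["bytes"], joined_ok, missing_detected)
```

Record the returned SHA-256 and byte count on the chain-of-custody form alongside the hashes from the GBLOKE.e01.txt log, so the report can show both that the segments were reassembled intact and that the suite's verification of the acquired data passed.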