Question 1As a forensic expert, you receive a phone call from the CEO detailing his situation. What advice would you give the CEO on the call at this point?Case DocumentationCase documentation begins when the Client initiates contact with the Forensic Investigator, even if an investigator or agency chooses not to accept a case it may later become necessary to explain why the case did not progress. Any information recorded during the case is discoverable. To be discoverable means that opposing counsel has the right to examine and analyse data collected during the process. If an investigator takes written notes or uses a digital voice recorder to make verbal observations, copies of the notes and audio files must be made availableOpen a Case file (Appendix II), record the name and contact information for the organisation. Each Communication during the investigation must be recorded. The following items should be recordedWhat is the name and contact information for the organisation involved in the incident? Record every individual contacted during the investigation, that persons role in the process, and when, where, and how he or she was contacted.When was the investigator notified? Dates and time.A description of the incident, both in technical terms and in lay terms.When was the incident discovered?Who discovered the incident?To whom was the incident reported?What systems, information, or resources were impacted by the event? This includes hardware, organisational entities,Is there any preliminary information that suggests how the offending actions were accomplished?What is the impact of the incident on the individual or organization affected? This includes financial impact, impact on the systems involved, and any effect it may have had on the health or mental welfare of individuals involved.What actions were taken between discovery of the incident and reporting it to authorities? This means everything that was done, including simple files searches.Who are the stakeholders as they are identified? 1.1. IntroductionDuring our opening conversation with the potential client we would address 3 important issues in relation to a Digital InvestigationIn most circumstance evidence can be recovered reassure the client that digital activity leaves footprints and that it is highly lightly that an investigation will recover evidence from which actions and intentions can be inferred and relied upon which will support the suspicion of theft.The two most immediate critical considerations for the organisation are Certainty that there can be no further breech of information e.g. all access to company data by the two suspects has been disabled.Imperative that any sources of potential evidence are secured so as to preserve in a forensically sound manner. Digital evidence is often highly volatile and can potentially be easily compromised by poor handling. Successful recovery of evidence, which can be relied upon, depends heavily on the immediate actions in relation to the sources of evidence. The entire scope of evidence need to be secured and protected to maintain integrity workstations, hard drives, network logs, network backups, CCTV video, physical access logs, and cell phones. In dealing with the evidence there should be minimal handling.The evidence must be collected by trained personnel, a digital Forensic Investigator will take, where possible, an exact reproduction of the evidence and authenticate. Even minor attempts to recover information by untrained personnel may overwrite or destroy evidence. The earlier a forensic image can be taken of the computer, the more success in obtaining evidence.1.2. Incident Scope and ImpactGet Client to Outline the incident, what system is the customer list kept on i.e. is the data on a file on the server or is this data also on a CRMERP systemsWhat are the Data Governance policy, have we details on Customer Data artefacts in the organisationAscertain if the organisation has an established Incident Response Team, if not then we would ascertain what has been established in relation to the incident; HowWhen and whom first detected the incident, build a timeline of events and list individuals involvedEstablish what actions have taken place since detection and explain that as Mr Lopez had used Mr Waynes desktop that some evidence may inadvertently have been changed due to these actions. Has re-used any of the devices belonging to the suspects, have these devices been restored to factory reset or has media or backups been wiped. If this is the case it is exceptionally unlikely data can be recovered from these sources.Explain that it is possible to use specialist tools which can take a mirror image of the data on the phones and desktops which we can then examine for evidence.Have personnel from ITHRSecurity been involved in the investigation (unless there is suspicion of collusion). Have employment contracts been reviewed, has company policy in relation to access to personal mobile phone data been clarified. Fortunately, it was established that it was company policy that in exchange for the employer paying for the monthly mobile SIM plan on employees personal plan each employee had signed an acknowledgement and waiver of privacy rights. What was the findings of their evaluationsWhat steps were taken to contain and mitigate the incident? (This includes, but is not limited to, retaining suspect computers, changing passwords, turning off remote access, acquiring log files, disconnecting infected systems from network, disabling employee access) What tools were deployed or system commands executed within the affected environment and on affected systems as part of the initial investigation? Is there supporting documentation?What logs were reviewed? If reviewed, what were the suspicious entries? What other unusual event or state information exists? Has the company contacted their legal representatives, If the event caused substantial financial impact management may want to consider reporting the incident to law enforcement agencies. We would discuss the fact that due to the nature of the data stolen, the suspects could potentially have taken this information via desktop, mobile, email, cloud accounts and unauthorized access to the server(s)/other workstations so the Investigation will include the following elementsThis investigation would include the following elemntsComputer devices and peripherals (Computer Forensics)IT systems (Network Forensics)Mobile and social networks (Mobile Forensics) Consideration must be given to the fact that individuals engaging in this type of activity may have employed sophisticated methods to masquerade their activities such as encryption, steganography, anonymous email accounts or spoofed IPMAC addressesWhat are the companys obligations in relation to Data breeches, if the organisation has Data breech reporting obligations have these been met ?.Understand the Individual suspect employee system details (what type of network and application access had the employees and confirm that all access has been disabled)We would need to establish a preliminary understanding of what action the client is lightly to want to pursue if evidence of wrong doing can be proved e.g. seeks an injunction restraining the former employees from using the confidential informationHas the company spoken to any customers, if so what information have these customers given the client. How likely would it be that the customers would be agreeable to be interviewed as part of the investigationHow do the company plan to respond publicly to their customersWe would email details of the types of evidence which can be established under an investigation outlined in Appendix I.We would recommend that Management shouldNominate an incident Point of Contact (POC) with appropriate skills, knowledge and desecration for the investigationWe will provide an Incident Response Template (See Appendix IV) The POC should complete a summary of known incident facts and information, along with a basic timeline of incident events, personnel with knowledge of the event and a description of what information they possess. How as the Breech detected Type of Intellectual Property What system(s) the Data is located on Has the system been secured Is this Data used by any Trusted PartiesThis summary should also consider whether the full scope has been established, could other parties be involved and could this information be used by parties other than the two suspects.The POC should prepare a contact list of those who possess information relevant to the investigation (Appendix III). This person and the summary would form the basis of the PID (Preliminary Investigation Discussion) should the client decide to progress with an Investigation. Format of a Forensic InvestigationWe outlined the stages to a Forensic InvestigationPreliminary Investigation Discussion (PID)The Forensic Investigator collates their version of the incident based on the information received to date and arranges a PID meeting on siteMeet the POCManagement and additional personnel to review the information which the client has gathered on the incident.Investigator outlines the understanding of the facts with the POC and completes an analysis report. Management and the Forensics Team should verify enough information about the incident so that the actual response will be appropriate to determine the extent of the InvestigationForensic Team and Management will agree the scope and desired outcomes of the investigation, the requirements for the investigation may expand if additional information is established.During the PID the type of legal investigation is decided upon (non-liturgical, liturgical or criminal) and type of activity to investigate.The investigator would provide an initial estimate of the amount of resources (time, equipment, personnel and cost) to complete the investigation. Depending upon the estimated cost and type of legal investigation, management may decide to not pursue the investigationIf Management decide to proceed with an Investigation the Forensics Team with meet with HR and IT (and Legal if required)The Forensics Consultant will secure and acquire any relevant digital evidence associated with potential or actual Information in a standard, best practices based forensically sound methodology using recognised digital forensics toolsets to preserve all relevant evidence in accordance with ACPO guidelinesEvidence Acquisition and Analysis Investigate acquired evidence to determine, the if, what, when, how and whom of the Information Security incident. All processes applied to evidence use industry standard toolsProvide digital forensic reports with objective conclusions, supported by the evidence acquired and investigatedWork with your legal, financial or criminal advisors in providing digital forensics expertise, evidence and objective expert conclusions.Provide expert witness testimony where appropriate.Provide mitigation advise and solutions to help prevent further Information Security issues arising in the future Rules of EvidenceWe outlined the rules of evidence as follows:Admissible the evidence must be able to be used in court.Authentic ability to prove evidence relates to the incidentComplete Consider and Evaluate all information available e.g. how without doubt that the employee was responsible for copying files and that it could not have been another employee using the login credentials, this is called Exculpatory.Reliable Evidence gathering and an analysis procedures must support authenticityClarity Evidence should be clear and easy to understandIdentifying What evidence is present, where and how it is stored, and which operating system is being used. From this information the Investigator identifies appropriate recovery methodologies, and tools which will be required.Preserving This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken.Documentation All steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change. Principles of Digital EvidenceBest Practice principals which apply to a Forensic InvestigationPrinciple 1: No action taken in obtaining the evidence should change data held on a computer or storage media which may subsequently be relied upon in court.Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to General advice in relation to current Data and IT Security issuesIt is vital that some basic system security arrangements are immediately put into placeRestrict access to the server cabinetConsider moving the server to a secure location that is fire proofPut restrictions on desktops on removable mediaFirewall should restrict Internet Access to certain sites e.g. cloud based storage sitesData is an Asset. Management has a responsibility to ensure that the organisations Data Governance policies and implementation is robust to ensure s security and policies assess and manage risk and deter data threats.APPENDIX INature of Investigation and types of Evidence likely to be securedDuring the Data collection phase the Investigation team will collect ComputerNetwork and Mobile evidence which may be located in Emails, Files on the network, System logs, Configuration files and Internet activity logs. The challenge of data acquisition is often the volume of imaged data and the investigations of multiuser environments (servers with multiple user settings/data).The investigation team will examineFiles and folders in good standingDeleted but recoverable filesDeleted but partially overwritten filesReferences to files that are no longer thereLogs, Internet Histories, Cookies, configuration settings, etc..Examples of what potential might be retrieved would include the following File Carving Recover Deleted documents and fragments of documentsEmail analysis Webmail traces on hard drive, deleted mailsDocument analysis Timestamps, Metadata Information, MD5 Hashing Key word searches run across a device Password crackingInternet usage Evidence of Internet history, sites visited, user search terms both active or deletedAnalyse file fragments in unallocated space or file slackAnalyse data by using date-rangesFile type searchesPrinting docs, Log-in logs to Networks, Internet histories, Application Traces, Accessing Documents, Link files,Deleted Data whether data has been deleted and information about that deleted data, including in certain cases the deleted data itself;Information about USB connectivity (in other words whether or not memory sticks have been inserted into a device, which can indicate if files of relevance were copied to them), identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used.Installation and or use of unauthorised applications or softwareWeb based chat messenger and email communications i.e. Hotmail/Gmail and whether these have been used to send emails of potential relevanceWeb based storage applications (Dropbox) whether data has been sent to these locations and information about when, what etcFile recovery and its metadata were the files opened on an external device?Mobile devices files which can be recovered include all voicemails that were ever left on the phone, all emails ever sent or received, and data users often believe is deleted but can be recovered including text messages, contacts, call logs and pictures. The blending of modern smart phones with GPS technology can also pinpoint a departing employees location at a particular date and time.APPENDIX IICyber Security Incident Report Reported By: Phone No. Email: Date Reported: Agency: Device Type: Name of Individual Affected: Location/Address of Problem: User Description of Problem: Electronic User Compromise Compromised/Stolen/Altered Data Theft and use of Others IDs Personal Identifying Information (PII) OtherIf Other Please Explain:Physical Unauthorized Access Access Control Avoidance Equipment Stolen or Damaged OtherIf Other Please Explain:Misuse of Resources Unauthorized Use of Remote Control Unauthorized Use of Software Inappropriate Use of Email Inappropriate Use of State Resources Inappropriate Use of Internet Unauthorized Solicitation Illegal Log-in Attempt Hoaxes Storage and/or Distribution of illegal Software OtherIf Other Please Explain:Malicious Code Activity Virus Scan Engine Version _____________ DAT Version _____________ Date of Last Virus Scan ___________ EPO Agent Installed Spam OtherIf Other Please Explain: An Alert was sent to: Administrative & Program Support BranchUser description of problem: Incident TypeInvestigated by: Evidence Collected (choose) YES NO Number of Intruders: Number of Hosts: Incident Source: Analysis of Findings:Recommended Action: Additional Comments: APPENDIX III INTELLECTUAL PROPERTY INCIDENT HANDLING FORMS PAGE __ OF __ CASE REF: _____________ INCIDENT CONTACT LIST DATE :_____________Intellectual Property (IP) Owner ContactsCorporate Officer: Corporate Incident Handling, CPO: Name:___ _________________ Name:________________________________Title: __________________________________ Title: _________________________________ Phone:___________ Alt. Phone: ____________ Phone:____________ Alt. Phone: __________Mobile: __________ Pager:_______________ Mobile: ______________ Pager:___________ Fax:_________________ Alt. Fax:___________ Fax:______________ Alt. Fax:_____________ E-mail: ________________________________ E-mail: ________________________________ Address: _______________________________ Address: ______________________________CIO or Information Systems Security Manager: Corporate HR Officer:Name:___Mr Lopez____________________ Name:________________________________Title: __________________________________ Title: _________________________________ Phone:___________ Alt. Phone: ____________ Phone:____________ Alt. Phone: __________Mobile: __________ Pager:_______________ Mobile: ______________ Pager:___________ Fax:_________________ Alt. Fax:___________ Fax:______________ Alt. Fax:_____________ E-mail: ________________________________ E-mail: ________________________________ Address: _______________________________ Address: ______________________________ APPENDIX IIIINCIDENT REPORT1. Contact InformationFull name:Job title:Division or office:Work phone:Mobile phone:E-mail address:Additional Contact Information:2. Type of Incident (Insert X on all that apply)Account Compromise (e.g., Lost Password)Denial-of-Service (Including Distributed)Malicious Code (e.g., Virus, Worm, Trojan)Misuse of Systems (e.g., Acceptable Use)Reconnaissance (e.g., Scanning, Probing)Social Engineering (e.g., Phishing, Scams)Technical Vulnerability (e.g., 0-day Attacks)Theft/Loss of Equipment or MediaUnauthorized Access (e.g., Systems, Devices)Description of Incident:3. Scope of Incident (Insert X on all that apply)Critical (e.g., Affects State-Wide Information Resources)High (e.g., Affects Agency Entire Network or Critical Business or Mission Systems)Medium (e.g., Affects Agency Network Infrastructure, Servers, or Admin Accounts)Low (e.g., Affects Agency Workstations or User Accounts Only)Unknown/Other (Please Describe Below)Estimated Quantity of Systems Affected:Estimated Quantity of Users Affected:Third Parties Involved or Affected:(e.g., Vendors, Contractors, Partners)Additional Scope Information:4. Impact of Incident (Insert X on all that apply)Loss of Access to ServicesLoss of ProductivityLoss of ReputationLoss of RevenuePropagation to Other NetworksUnauthorized Disclosure of InformationUnauthorized Modification of InformationUnknown/Other (Please describe below)Estimated Total Cost Incurred:(e.g., Cost to Contain Incident, Restore Systems, Notify Data Owners)Additional Impact Information:5. Sensitivity of Affected Data/Information (Insert X on all that apply)Critical InformationNon-Critical InformationPublicly Available InformationFinancial InformationPersonally Identifiable Information (PII)Intellectual/Copyrighted InformationCritical Infrastructure/Key ResourcesUnknown/Other (Please Describe Below)Data Encrypted?Quantity of Information Affected:(e.g., File Sizes, Number of Records)Additional Affected Data Information:6. Systems Affected by Incident (Provide as much detail as possible)Attack Sources (e.g., IP Address, Port):Attack Destinations (e.g., IP address, Port):IP Addresses of Affected Systems:Domain Names of Affected Systems:Primary Functions of Affected Systems:(e.g., Web Server, Domain Controller)Operating Systems of Affected Systems:(e.g., Version, Service Pack, Configuration)Patch Level of Affected Systems:(e.g., Latest Patches Loaded, Hotfixes)Security Software Loaded on Affected Systems:(e.g., Anti-Virus, Anti-Spyware, Firewall, Versions, Date of Latest Definitions)Physical Location of Affected Systems:(e.g., State, City, Building, Room, Desk)Additional System Details:7. Users Affected by Incident (Provide as much detail as possible)Names and Job Titles of Affected Users:System Access Levels or Rights of Affected Users: (e.g., regular User, Domain Administrator, Root)Additional User Details:8. Timeline of Incident (Provide as much detail as possible)a. Date and Time When Agency First Detected, Discovered, or Was Notified About the Incident:b. Date and Time When the Actual Incident Occurred:(Estimate If Exact Date and Time Unknown)c. Date and Time When The Incident Was Contained or When All Affected Systems or Functions Were Restored:(Use Latest Date and Time)Elapsed Time Between the Incident and Discovery:(e.g., Difference Between a. and b. Above)Elapsed Time Between the Discovery and Restoration:(e.g., Difference Between a. and c. Above)Detailed Incident Timeline:9. Remediation of Incident (Provide as much detail as possible)Actions Taken To Identify Affected Resources:Actions Taken to Remediate Incident:Actions Planned to Prevent Similar Incidents:Additional Remediation Details: APPENDIX IVReferencehttps://digital-forensics.sans.org/community/papers/gcfa/safe-home_283itsecurity@sfa.eduQuestion 2You are expected to attend an interview with CEO, a HR representative and a member of the Karsean Technologies IT Department. Detail what questions you would ask the CEO, HR and IT Department staffOutlined below are the issues which should be covered as part of the Preliminary Investigation Discussion (PID). This is the first stage of incident handling procedures, which must be applied before handling any investigation, the purpose of this stage is to determine whether the Client organisation operation and infrastructure can support the investigation. Preparation phase is divided into Pre-preparation, Case evaluation, Preparation of detailed design for the case, Preparation of investigation plan and Determination of required resources.The Forensic Investigation team will outline the information which they establish during the initial contact with the CEO, this will be supplemented by the Information completed on the Incident Report by the POC. The PID will establish known information of an incident. The investigator will normally conduct interviews with ManagementIT and HR. Information obtained during these interviews will establish the basic reference points of the investigation.The PID will specifically determine the following general issues which will be documentation as part of the Incident Response QuestionnaireClient expectations from the investigation clients can have misconceptions of what information can accurately be determined. The investigator must insure that the clients expectations are realistic within the established resource framework and timeframe.Other illegal activities which may be uncovered Management should be mindful of the fact that what begins as a collection of evidence for violation of administrative policy, the case may escalate into collection of evidence for more serious issues that are subject to civil and/or criminal penalties.Limits to the investigators authority The investigator should insure that the client has a clear understanding of the type of investigation, activity covered under the investigation and limits of the Investigators authority.Determine legal restrictions what is the legal position of the company in relation to the employees who have left the company. Has the client contacted their appropriate legal counsel concerning the event and informed counsel of the desire to conduct a forensic investigation.We would use the Questionnaire below to establish key detailsIncident Response QuestionnaireInformation gathering with the Management Team Complete Appendix I INTELLECTUAL PROPERTY INCIDENT HANDLING FORMComplete Appendix II INCIDENT CONTAINMENT FORMReview of Incident Response Template completed by Point of Contact See Appendix IV from Question 1Who within the organisation is aware of the incidentWhat process(es) did the user perform in order to get IP Data out of the building?Has the Financial impact been assessedDid Mr Lopez take Mr WaynesMr Woodsons building access key on departureWhat system (s) holds the Customer masterdata and Renewal information or was the detail held on a file and if so what format.Has the organisation insurance cover for Cyber RiskDoes the breech pose any risk to other organisationsWhat type of phones did the employees haveWas there a BYOD policy for laptop use in conjunction with the DesktopWe need to established whether the employees have used (a) cloud based email accounts (s)?What level of IT skills would the suspects have?Did the employees use a cloud based file-storage account ?Did the employees perform file transfers to a home computer via remote access ?Did the employees use a USB Flash DriveDid the suspect perform mass deletionsDid the person use a wiping program to cover their tracksEstablish whether Management has concerns the other employees may be working with or have continued links with the former employees Questions for IT PersonnelServerApplicationsLogsEmailUser AccountsPhysical HardwareWhere are the affected IT infrastructure components physically located?, Where is the Network Server located, what type of file servers are in use? Is there Guest and remote access?What logs currently exist for the IT infrastructure? Have we got the back-up logs, Are logs backed up or overwritten? If so, what frequency?We need logs prior to Mr Waynes departure plus logs for the period between Mr Waynes and Mr Woodson left the company to view Mr Woodsons activity.Is there a diagram or illustration of the affected networks topology and system architecture? Is there supporting documentation?Is any of the organizations IT infrastructure hosted by third-parties?What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?What applications and data processes are suspected to have been used for the theftHas IT prepared an analysis of networkapplication activity which they can supply to the team. What commands or tools were executed on the affected systemsReview of all logging NetworkFirewalRouters logz and Wireless Access Points File Servers (e.g. internal access of data)BackupsRemote access to network Internet AccessDatabase logWeb proxies logs Printers logs)If logs were reviewed, what suspicious entries were found?Look at network configuration details and connections; note anomalous settings, sessions or ports.What are the network restrictions for employee-users and other parties who had access?Task IT with identifying names/ details concerning: o Internet or hosted service providers o Internal IP ranges and external facing IP ranges o Naming conventions for organizations networked computers/ serversWhat e-mail systems and application are used by organization? What is the configuration? What is the security policy for email? Is there remote access? (This includes attachments scanned, dumpster set for deleted email recovery, and archived retention of all email.)What are password policies/ employee account audits? IT/ HR should begin compiling documentation showing organisations password policies..Wireless Access Point Security type including authentication, encryption, etc.?Confirm that ALL infrastructure access been disabled for both employeesDid any of the employees have Administrator rights on their desktopsLook at the list of users for accounts, anything unusual noted should have been disabled.Is there an IT asset inventory report for all infrastructure components related to the incident e.g. Mobile phonesdesktopsAccess to a company laptop? (If none in use, is there a current inventory of IT assets related to the incident? The report should contain hard and software information such as MAC Address and OS, network identification information such as host name and network address, and other system details.)Physical Logs Automated building entry/ exit systems ii. Sign-in sheets iii. Video surveillance iv. Lists of key assignments or room access to servers or IT equipmentQuestions for HRHR representative should be present at the PID to order to establish and discuss the organisations Acceptable Use Policies (AUPs), corporate monitoring policies and restrictive covenants associated with employment contract arrangements with both employees. We had previously established that the employer is entitled to seek phone records as the employees has waved their rights when then agreed to allow the employer to pay for their SIM planAUP employee privacy issues employee use of company assets employee conduct at work company policies concerning the event or incident as appropriate access to mobile phone recordsAccess, if any, an employee has to the data storage areas of the network, as well as rules pertaining to removing it from the networkAUPs which addresses the deletion/destruction of filesConnection of external devices to the computer. Are employees allowed to use their USB thumb drives on any computer in the network? USB drives with malicious programming that will open a back door into the network.changes or modification on their computerEmployee duties on restrictions on competition were either employee a directorAll employees are under a duty of good faith to their employer, we would ask HR about the terms of the employee contracts in relation to restrictions.Does the contract have a clause covering preparation to compete i,e, during employment the employee must not set up in competition with his employer as there is evidence in this case that both employees are in breechrestrictions on other business activities, whether within or outside working hoursrestraints on the use and disclosure of confidential informationduties akin to fiduciary duties, to act always in the best interests of the employer and incorporating expressly the statutory duties on directors imposed by theconfidential information which comes to his knowledge during the course of his employment trade secrets will be protected by the equitable duty of confidence.The duty of confidentiality survives the end of employment in relation to trade secrets.No conflict rule -A fiduciary employee must avoid any conflict between the duties owed to the employer and his own interests.The disclosure rule A fiduciary employee must disclose his own wrongdoing, as well as matters which are of wider interest to his e
