Computer Forensics


 

Question 6

 

Read the following scenario and respond to the questions below:

As a digital forensics examiner, you have been called to the scene of a kidnapping. Several witnesses have told the investigator that the victim was very excited about a new person they met online. Your job at the scene as a digital forensics examiner is to recommend to the investigating officer a course of action as to what digital evidence may or may not be needed to investigate this crime.

– Provide a list of potential digital evidence that the investigator is going to want to seize for possible forensic examination. Be thorough, as the lead investigator in this case is not computer savvy.

– What additional sources of evidence might there be besides the digital equipment and media that would have been seized? How would you gain access to this evidence?

– Describe how you will maintain the collected evidence.

– What will you do to prepare for presenting this evidence in court?

 

Question 7

 

In August 2008, 11 people were charged with the theft of more than 40 million credit and debit card numbers from T.J. Maxx, Marshalls, Barnes & Noble, OfficeMax, and other major retailers. Masterminded by computer hacker Albert Gonzalez, the case remains one of the largest frauds of credit card information in history.

The Heartland case was similar to the TJX case. Between 2007 and 2009, the data breach involved Heartland Payment Systems, the fifth largest credit card processor in the United States. During that time, Gonzalez and co-conspirators gained access to information associated with millions of credit cards by exploiting a network vulnerability.

Both cases—Heartland and TJX—involved the theft of over 130 million credit and debit card numbers, making it the biggest computer crime case ever prosecuted in the United States.

Question:

You are the CISO of a Fortune 500 company here in the U.S. Your company uses customer credit card information to process millions of orders every year, both online and via traditional marketplace venues. You have information that, based on the Equifax breaches, your secure database has been breached and customer credit card data may have been stolen.

You are meeting with a Digital Forensics investigator who has been hired to assess incidents and report back to you with their findings. Detail the following:

  1. Needs for the DF investigation — why did you bring in the investigator?
  2. The forensic process you want followed, including data collection (detail possible sources of data), examination, analysis, and reporting.
  3. List and describe the type(s) of information and its relevance to this case from each of the following: data and data files, operating systems (Windows 10, Windows Server, and Ubuntu Linux), network traffic, applications, and email and services.

 

Question 8

 

In August 2017, a Wisconsin woman captured after living under an alias for 16 years was sentenced Tuesday to 14 years in prison for kidnapping an Allen Park woman in 2000.

FBI agents mining social media discovered Kimberly Lee Johns last year in Marathon County, WI, where she was living under the name Kim McGuire. She had escaped a halfway house in 2000 while awaiting trial in federal court in Detroit.

During the trial, defense attorneys sought to submit numerous emails (dated between 1999 and 2000), arguing that they contained personal, intimate, and sexual details of the couple’s relationship and therefore showed a consensual relationship between the parties. The Government challenged their admissibility on the basis of authenticity, hearsay, relevancy, and Fed. R. Evid. 403.

Question:

The conviction has been appealed, and you are a Digital Forensic investigator who has been hired by Johns’s attorney to provide a report that can be submitted to the Federal court that details the tools and techniques that can be used to authenticate email messages from the time period.

Provide two possible situations, with or without a legal subpoena, for accessing data from the email providers. Keep in mind that this is a Federal criminal case, and therefore your report needs to be professionally written and note any legal protocols or cases that might impact this appeal.

Reference: https://www.leagle.com/decision/infdco20170314e33

 

Question 10

 

The head of the HR department and General Counsel called you into a confidential meeting with no notice. They have a report of an insider risk, where a co-worker was stealing financial documents prior to the company’s IPO.

A report from an anonymous co-worker said the actor appeared to have uploaded company financial files to Dropbox or via email within the last 48 hours. Your company does not use Dropbox and it is not installed on the workstations.

The accused co-worker is claiming innocence, has been placed on administrative leave, and is threatening to sue the company.

The Head of HR and the GC have asked you to:

  1. Outline everything you need to perform a forensic examination to determine if the accusation is true.
  2. Identify the data that will appear as a result of your examination.
  3. Identify what you need to appear at a deposition (and possibly go to court) as an expert witness.

Think about the various concepts we have covered throughout this course, including the labs and Discussion Board activity. Prepare an outlined response for the Head of HR and the GC’s requests.