Friday, March 29, 2019

Recovery of Digital Evidence

The University suspects that wrongdoing has been undertaken by a member of staff within Edge Hill University, and the computer forensic team, of which you are part, has been asked to investigate.

You and your team have been asked to launch an investigation into alleged misuse of the University's IT system. The room used by the member of staff has been isolated, sealed and secured.

The staff member has been interviewed by IT Services as well as the Dean of Faculty and HR, and has subsequently denied all wrongdoing. Items from the staff office have been recovered by your team. The evidence recovery has been carried out in a rigorous, secure manner in line with a strict methodology.

The Principles of Digital Evidence

Evidence Recovery Process

From the start of the process there must be a set way to conduct the investigation. The crime scene is a very delicate place in terms of the collection of vital evidence, which if left unsecured could easily be altered or corrupted. It is therefore important to follow several key stages, the first being:

The Plan of the Investigation

- Where are we going to find the suspected evidence, i.e. on a computer system, smartphone, USB, floppy disc, hard drive?
- Should social media, i.e. Twitter, Facebook, chat forums, be checked for relevant evidence they may hold?
- Contact the user's ISP for a trace account statement.
- Contact the mobile network; the user may have an online account with online storage.

How to conduct the Investigation: My Flow Plan

Right to Search and Seizure

In order to conduct an investigation there are legal and ethical aspects that are very important and must always be adhered to. Key points that would always be considered when it is decided that evidence will need to be seized:

- Just because there are several computers in the house doesn't necessarily mean that they should all be seized for forensic inspection. The person attending the crime scene must have reasonable grounds to take possessions and there must be justified reasons for doing this.
- Due to the sensitive nature of the investigation it would always be a necessary moral trait that the investigator be honest and truthful.
- Consideration as to what items are likely to hold key information, i.e. there would be no point in seizing a microwave when we are looking at a computer-related crime.
- Consider the offence; narrow down the time period of the suspected crime.
- Items found that are connected to the internet are likely to hold key information and should be seized.
- Documents/booklets and notepads are to be seized as they may hold online storage accounts and passwords where information is held.

Approach Strategy

This would all be done using a flow plan for the team to follow, as discussed in Assignment 1.

Capture of relevant information

One of the most important steps within the entire process; if a mistake is made here then the whole investigation is under threat.

- The room was secured and isolated to limit the risk of any tampering with evidence.
- This could basically fall into a very similar category; this may involve the collection of volatile data. Volatile data is the data that we have at the scene of the crime that may be lost if the investigator doesn't follow the correct procedure, i.e. recording what state the computer is in at that time. The volatile data would be stored, for example, on a PC in the RAM (Random Access Memory) and would hold key information such as website data, chat history etc. that may be key to the overall success of the investigation.
- Bagging in secure bags that are tamper-proof, ensuring that they are labelled clearly with a reference number for later inspection.
- Suspected member of staff interviewed; denied any wrongdoing.

Analysis of Evidence

Evidence has been recovered from the staff office by a colleague within the forensic team. We have found the following:

- A USB pen drive, seized and bagged up in a secure zipper bag.
- Feedback to be given on where the investigation is going.
- Each step to be recorded.
- Time scales available.
- Resources available to the investigator.
- Tools that are available for the forensic analysis.

Data recovered from the USB drive seems to just be standard information, but further analysis is needed to establish the truth.

Evidence Seized

Notepad with 3 passwords on:

- Cabbage
- Apple
- Pear

USB device seized from the office. From what we can see, on the USB there are:

- 3 PDFs
- 3 images
- A Word document titled Payments for paper4you

Files present on USB, untouched

On the next step of my investigation I will open each file without any interference from any encryption programs.

- File Payments for papers4you.docx
- File 30037888.pdf
- File AUP.pdf
- File conduct.pdf
- Chocolate 1.jpg.png
- Even more chocolate.jpg.png
- More Chocolate.jpg.png

Investigation of the Evidence

For the purpose of the investigation I will now check to see if the items seized are exactly as they seem. I do think this step is necessary as part of the ongoing investigation.

In order to check individual files, I will use the OpenStego application. The reason to do this is that it will check each individual file in order to establish any hidden files located on the USB.

To do this I will use a program called OpenStego, which will highlight any hidden information.

OpenStego menu: as you can see, we can hide or extract data from any file. In this case we will be extracting the data from the chosen file.

Menu of the file which I wish to look at through OpenStego: Chocolate 1

On checking the file, it is clear that it needs a password to open it. I will try the 3 passwords written down on the notepad recovered from the scene, which are:

- Apple
- Cabbage
- Pear

It would appear that there is a file within this picture named Master_Sheet.xlsx.

Upon opening the Excel file it appears that it requires a password, of which I have 3:

- Apple
- Pear
- Cabbage

Apple and Pear are unsuccessful, but Cabbage has granted me access to the Excel file.

It appears to show financial transactions from Papers 4 you dated from 2008 to 2016:

2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016

The same was done with the file Even more chocolate.jpg.png.

Upon doing this it is clear there is a file hidden within the picture, titled Invoice Jan-16.docx, as per below.

Picture 3 to be checked using OpenStego: file name More Chocolate, using password Pear.

Information from file Jan-15

To bring the evidence together as one we could use EnCase; this would give us a clear understanding of all the evidence together in one file format. I have demonstrated this in a walk-through via screenshots.

- Landing page, EnCase.
- New case place and name.
- File is now given the name Assignment 2 and a location.
- Adding evidence to the case.
- Locate the relevant file to add the information needed for the investigation.
- Selection of key files to use as evidence.

Summary of the Evidence

From conducting this investigation, certain key points must be established when analysing the case:

- Fact or fiction, and can we prove this with hard evidence? Show that it did happen in the first place.
- Are we looking at the right person that is accused?
- Have any mistakes been made, things been missed or things been altered?

Taking the investigation as a whole, we can see from the timeline what information was found and what process was followed.

It is my recommendation that the case be referred to the CPS for criminal proceedings. Due to the many breaches of the law (Data Protection, Computer Misuse Act, IT Computer Policy) and the vast amounts of money received, it is unlikely that internal University formal proceedings would bring accountability for the thief.

In conclusion, it would also be recommended that, upon criminal proceedings being initiated, an order under the Proceeds of Crime Act be sought to recover the ill-gotten gains.
