Sunday, December 8, 2019
Digital Forensic Case Study Analysis
Question: As part of the auditing team, in the capacity of a Digital Forensics expert, your task is to prepare a digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows based, this plan should detail the following:
1. Justify why use of the digital forensic methodology and approach is warranted, including procedures for corporate investigation.
2. Describe the resources required to conduct a digital forensic investigation, including team member skill sets and required tools.
3. Outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.
4. Outline an approach and the steps to be taken during the analysis phase, making the assumption that the computer system is a Microsoft Windows-based computer.
5. Create a table of contents for the investigative plan describing what the primary focus of the report would be.

Answer:

Executive Summary
Global Finance is a large finance company based in Australia. Its services include investment, retirement and superannuation products, provided to customers ranging from individuals to corporations. The company has grown globally on the back of its information technology, and information security has become a growing concern; the audit team is to address it at one of the branch offices.

Introduction
Global Finance Company is suspected of a compromise in one of its branches. This case study covers the digital forensic investigation performed by the audit team the company has engaged, and the report to be submitted to the information security office at the head office.

Global Finance Company
Global Finance Company has suffered a suspected information security compromise in one of its branches. The important points to consider are the following.
1. Global Finance has over 10,000 employees working around the world, in many finance sectors of interest.
2. The company is an international player, with finance products for investment, retirement and superannuation provided to individuals, large corporations and superannuation fund investors.
3. Its investment management expertise spans multiple sectors: property, private equity, global shares, fixed interest, credit and infrastructure.

Concerns of Global Finance
1. Global Finance has spread its services throughout the world through information technology, but has not updated its applications and infrastructure since the year 2000.
2. The child organizations have no restrictions on accessing each other's data; network segmentation and firewalls are poorly implemented.
3. Although intrusion detection and logging are implemented, they are seldom used.
4. The servers and workstations in all of its branches are Microsoft Windows based.
5. The head office in Melbourne has the advanced technology and infrastructure needed to conduct forensic investigations.
6. One of its branches, in Brisbane, is suspected of a compromise of its manager's computer.
7. The information security office at the head office has engaged an audit team to review the paper-based documents of the branch and to conduct a digital forensic investigation in the Brisbane branch.

Need for a Digital Forensic Methodology
The suspected compromise could have happened for any number of reasons: deletion of files, a breach through the network, unauthorized access, or something else. Data recovery, data forensics or network forensics alone therefore cannot suffice for a complete investigation of the compromise. Digital forensics, which includes all of these as sub-branches of one methodology, needs to be applied to find the source of the compromise.

Resources
Digital forensics is a major task that needs many tools and skills to perform the investigation into the source of the compromise in the branch office.
Apart from these skills and tools, the audit team must also follow certain principles regarding the integrity and security of the information. The following are to be understood and followed by the team.
1. Each member should have enough expertise to safely handle the data retrieved from the Global Finance branch office for the investigation.
2. Data retrieved from the workstations and servers should not be altered; the original has to be preserved as is.
3. Data from each and every process must be well preserved for submission in the report.
4. The team is accountable for all results of the investigation.

Scope
The scope of the investigation is the following:
- Identification of malicious activities.
- Identification of security lapses.
- Identification of digital evidence.
- Impact analysis, if the compromise is confirmed.
- Identification of the applicable legal procedure, if the compromise is due to illegal acts.
- Decision on the actions to take after the source has been identified.

Digital Forensic Approach
For the Global Finance information security compromise, the approach to be followed is FSFP, the Four Step Forensic Process.

Figure 1: FSFP, a digital forensic model. The arrow represents the need to document and preserve evidence continuously throughout the process.

Preparation Process
The digital forensic investigation process is executed in different phases.

Phase 1 - Collection
1. The collection process is the identification of data, followed by labeling the data and then recording it.
2. Identification of the forensic tools used to collect and gather all the digital forensic data.
3. Gather all possible information from emails, MS Word files, spreadsheets, Outlook, etc.
4. Obtain information from routers, switches, firewalls, servers, the network topology and the network diagrams.
5. Obtain network information from the live network traffic, through tools such as Network Monitor (netmon).
6. The manager's computer must be accessed over the LAN connection, so that more information can be gathered from the network traffic.
7. Microsoft Windows based tools such as cryptcat are useful, so that the server can be accessed and listened on.
8. During data collection the target computer should not be shut down; it must keep running.

Volatile Data Capture
Volatile data such as RAM contents, log data, Windows registry information and user account details are explored to collect the potential evidence from the targeted manager's computer. Clipboard data is also potential evidence for the investigation. The manager's workstation is accessed over the LAN and the forensic workstation's port is listened on with the tool cryptcat. On the target, the output of each collection command is sent to that port with (the address and the shared key are placeholders):

<command> | cryptcat <forensic_workstation_ip> 6543 -k key

To capture the data from the target workstation, the forensic workstation runs the listener:

cryptcat -l -p 6543 -k key

Other graphical user interface tools used are:
- Process Explorer
- RootkitRevealer
- TCPView

Other Windows tools used to collect data from the target computers in the regional office are:
- HBGary FastDump, for physical local memory
- HBGary F-Response, for remote physical memory
- ipconfig, to collect the details of the subject system
- net users and quser, to identify the users who are logged in
- doskey, to collect the command history
- net file, to identify the present services and drivers

Using the combination of the above tools, the following volatile data is accessed:
- Running processes
- Network connections from the running system's memory
- Network data

Forensic Imaging
Non-volatile data is collected from the hard drive, CDs, DVDs, flash drives, USB sticks or memory cards, portable hard drives, etc. Other non-volatile data has to be collected from the following sources:
- Web server logs
- Application logs
- Database logs
- Antivirus logs
- Windows event logs
- Domain controller logs
- Firewall logs
- IDS logs

Forensic imaging is the process of copying non-volatile data without alteration, using write protection or write blockers. It needs tools such as FTK, EnCase and ProDiscover. The collection of data should involve both offline and online data collection.
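The following is an added example, not part of the original plan, of a PowerShell live-response script for the volatile data collection just described: each artefact is written once, hashed and logged in a manifest so the collection order and integrity can be shown in the report. The evidence path and case identifier are hypothetical.

```powershell
# Added example, not part of the original plan: live-response collection of the volatile
# data listed above, run on the suspected Windows workstation. Assumes PowerShell 5.1 or
# later, an administrative session, and an evidence location $EvidenceRoot (hypothetical).
param(
    [string]$EvidenceRoot = "E:\Evidence\BNE-MGR-WS01",   # hypothetical evidence share or removable drive
    [string]$CaseId       = "GF-BNE-2019-001"              # hypothetical case identifier
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir   = Join-Path $EvidenceRoot "$stamp-$hostName-volatile"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$manifest = Join-Path $outDir "manifest.csv"
"Case,Sequence,CollectedUtc,Artefact,SHA256,Collector" | Set-Content -Path $manifest

$seq = 0
function Save-Artefact {
    param([string]$Name, [scriptblock]$Command)
    $script:seq++
    $file = Join-Path $outDir "$Name.txt"
    # stderr is merged so a collector that fails is still recorded rather than silently missing
    & $Command 2>&1 | Out-String -Width 300 | Set-Content -Path $file -Encoding UTF8
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $when = (Get-Date).ToUniversalTime().ToString('o')
    Add-Content -Path $manifest -Value "$CaseId,$script:seq,$when,$Name,$hash,$env:USERNAME"
}

# Most transient state first: memory-resident process and socket state before disk-backed configuration
Save-Artefact "01-processes"   { Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, StartTime, UserName | Format-Table -AutoSize }
Save-Artefact "02-tcp"         { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Format-Table -AutoSize }
Save-Artefact "03-udp"         { Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize }
Save-Artefact "04-logged-on"   { quser }
Save-Artefact "05-ipconfig"    { ipconfig /all }
Save-Artefact "06-clipboard"   { Get-Clipboard -Raw }
Save-Artefact "07-services"    { Get-Service | Select-Object Status, Name, DisplayName | Format-Table -AutoSize }
Save-Artefact "08-drivers"     { driverquery /v /fo csv }
Save-Artefact "09-tasks"       { Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize }
Save-Artefact "10-systeminfo"  { systeminfo }

# Seal the manifest so later changes to the artefact list itself are detectable
(Get-FileHash -Path $manifest -Algorithm SHA256).Hash | Set-Content -Path (Join-Path $outDir "manifest.sha256")
Write-Host "Volatile collection for case $CaseId written to $outDir"
```

Running the script from removable media or an evidence share, rather than copying it onto the target, keeps the footprint on the manager's workstation to the process and file reads the collectors themselves cause.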
The collection described in Phase 1 is offline data collection. For online data collection, the Ethereal and Wireshark tools are used. After collection, the data must be made read-only, using tools such as those from SANS.

Phase 2 - Examination
Examination of the collected information must be done using forensic investigation tools.

File System Examination
Since the manager's computer is a Windows based system, the NTFS file system has to be thoroughly examined, including the MFT metadata. NTFS alternate data streams can hide data behind an ordinary file: the command

C:\> echo text_mass > file1.txt:file2.txt

stores the text in a stream named file2.txt attached to file1.txt, where a directory listing does not show it, and

C:\> more < file1.txt:file2.txt

retrieves it.

Windows Registry Examination
Windows registry data can reveal time-related alterations (key LastWrite times) and much more precise data about the user's applications and hardware device references on the manager's computer. The Windows registry is structured into the following hives:
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_CURRENT_CONFIG
- HKEY_USERS
- HKEY_CLASSES_ROOT

Keys and values such as the autostart locations, user activity and the Most Recently Used (MRU) lists in the registry are potential evidence for the audit team to investigate.

Network Forensic Examination
Since the manager's computer is connected to the server in the branch office, and the branch office is connected to the other child organizations of the company, network forensic examination plays a vital role in establishing whether the compromise involved unauthorized access to the data on his computer over the network. The team performs network forensics with regard to both security and the forensic data requirements of the cybercrime laws in force in Australia. Packet forensics is used to track the network traffic: browsing details, queries, mails, etc. Other network forensic data, such as registry information, service listings, process listings, network connections, system information, registered user information and binary dumps of memory, are explored and examined.
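As an added example for the file system and registry examinations above (not code from the original plan), the PowerShell below enumerates hidden alternate data streams, the autostart values and the RunMRU list from a read-only mounted image of the workstation; the mount point, loaded hive names and user path are hypothetical.

```powershell
# Added example, not part of the original plan: examination-phase checks for the NTFS
# alternate data streams and the registry autostart / MRU artefacts described above, run
# against a read-only mounted image. Assumes the image volume is mounted at $Volume and its
# hives were loaded first (hive names and paths are hypothetical) with:
#   reg load HKU\SuspectUser     F:\Users\<manager>\NTUSER.DAT
#   reg load HKU\SuspectSoftware F:\Windows\System32\config\SOFTWARE
param(
    [string]$Volume       = "F:\",
    [string]$UserHive     = "SuspectUser",
    [string]$SoftwareHive = "SuspectSoftware"
)
# HKU: is not a default PowerShell drive, so map it before reading the loaded hives
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# 1. Streams other than the default :$DATA do not appear in a normal directory listing;
#    Zone.Identifier is the browser download marker and is filtered out as expected noise
function Get-HiddenStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
    } | Select-Object FileName, Stream, Length
}
# 2. Autostart values: anything here runs at logon or boot, so every entry must be accounted for
function Get-Autostarts {
    $keys = "HKU:\$UserHive\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKU:\$UserHive\Software\Microsoft\Windows\CurrentVersion\RunOnce",
            "HKU:\$SoftwareHive\Microsoft\Windows\CurrentVersion\Run",
            "HKU:\$SoftwareHive\Microsoft\Windows\CurrentVersion\RunOnce"
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
# 3. RunMRU holds what the user typed into Start > Run; MRUList gives the most-recent-first order
function Get-RunMru {
    $key = "HKU:\$UserHive\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($letter in [char[]]$props.MRUList) {
        [pscustomobject]@{ Order = $letter; Entry = $props.$letter }
    }
}
Get-HiddenStreams -Root $Volume | Format-Table -AutoSize
Get-Autostarts                  | Format-Table -AutoSize
Get-RunMru                      | Format-Table -AutoSize
```

Unload the hives with reg unload when finished so the analyst's own machine does not keep the evidence hives mounted.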
Packet sniffers help the team explore and investigate the web services, email communication, identification, mapping, fingerprinting, etc.

Database Forensic Examination
Database forensic examination is done using queries for the identification, preservation and analysis of the database. Data Manipulation Language (DML) and Data Definition Language (DDL) activity is explored to identify the transactions that happened before and after the suspected compromise. A customized configuration file is also used to execute DMV and DBCC commands for the database forensic examination.

Phase 3 - Analysis
Once the examination phase is completed, all the examined data is analyzed in detail. The analysis of the data includes many activities performed by the audit team:
- Analysis of unusual application requests
- Analysis of unusual and hidden files and, if they exist, analysis of unusual open sockets
- Analysis of unusual accounts
- Analysis of malicious activities during the period before and after the suspected compromise
- Analysis of the update level
- Analysis of the system patching level
- Complete timeline analysis of activities
- Complete file system analysis
- Complete memory analysis
- Detailed malware analysis, by both static and dynamic methods, through examination and analysis of prefetch files, the registry and logs

After the detailed analysis is done, all findings are to be clearly noted, with all the necessary digital evidence. The team has to summarize the analysis points as follows:
- Identification of the source of the compromise
- Identification of the target, which is the manager's computer, persistently accessed remotely by the attacker
- The suspected malware and its activities in the compromise
- Operating system patches, in case they are not installed on the target computer
- The source or process by which the attacker accessed the data on the manager's computer
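The timeline and before/after activity analyses listed above can be started from the evidence copies of the event logs and the Prefetch folder; the following PowerShell is an added example, not part of the original plan, and its mount point, window dates and output path are hypothetical placeholders.

```powershell
# Added example, not part of the original plan: an activity timeline for the analysis phase,
# built from the evidence copies of the Security and System event logs plus Prefetch
# timestamps, limited to the window around the suspected compromise. Assumes the image is
# mounted read-only at $Volume; the window dates and output path are hypothetical placeholders.
param(
    [string]$Volume  = "F:\",
    [datetime]$Start = "2019-11-25",
    [datetime]$End   = "2019-12-08",
    [string]$OutCsv  = "E:\Evidence\BNE-MGR-WS01-timeline.csv"
)

$logDir = Join-Path $Volume "Windows\System32\winevt\Logs"
# Event IDs relevant to a remote-access and persistence hypothesis:
#   Security 4624 logon, 4625 failed logon, 4648 explicit-credential logon, 4672 admin logon,
#            4688 process creation, 4720 user created, 4732 member added to local group, 1102 log cleared
#   System   7045 service installed, 7040 service start type changed, 104 log cleared
$ids = @{
    Security = 4624, 4625, 4648, 4672, 4688, 4720, 4732, 1102
    System   = 7045, 7040, 104
}

$events = foreach ($log in $ids.Keys) {
    $path = Join-Path $logDir "$log.evtx"
    if (-not (Test-Path $path)) { continue }
    Get-WinEvent -FilterHashtable @{ Path = $path; Id = $ids[$log]; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated.ToUniversalTime()
                Source = $log
                Id     = $_.Id
                Detail = ("$($_.Message)" -split "`r?`n")[0]   # first line of the rendered message
            }
        }
}

# Prefetch: a .pf file's last-write time is the most recent execution of that program
$prefetch = Get-ChildItem (Join-Path $Volume "Windows\Prefetch") -Filter *.pf -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
    ForEach-Object { [pscustomobject]@{ Time = $_.LastWriteTimeUtc; Source = 'Prefetch'; Id = ''; Detail = $_.Name } }

# One chronologically ordered timeline, then a per-source count as a sanity check on coverage
$timeline = @($events) + @($prefetch) | Sort-Object Time
$timeline | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
$timeline | Group-Object Source | Select-Object Name, Count
```

A 7045 or 4720 event inside the window with no matching change request, or a gap where 1102/104 shows a log was cleared, is the kind of finding the summary points above are meant to capture.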
Phase 4 - Report
By this phase, all the collection, examination and analysis of the data from the workstations and servers are done. The candidate sources of the compromise are narrowed down to find the exact source. After determining the exact source, the team has to draft and prepare the final report. The report can be made in many ways; in this case study, it has to be created clearly as a written report. Finally, the report is submitted to the office of information security, located at the head office.

Final Report
Purpose: The purpose of the report is the digital forensic investigation to explore and submit the source of the compromise, if one happened on the target computer.
Author: Audit team.
Incident Summary: The source of the compromise is investigated through the digital forensic investigation performed in the regional branch, on all of its computers.
Evidence: All of the digital data is submitted, in the form of volatile and non-volatile data files.
Analysis: The manager's computer is compromised from source 1, source 2, source 3, etc.
Conclusion: The digital forensic investigation is performed and the sources are submitted in the report.
Submitted supporting documents: Supporting documents are submitted in the form of volatile and non-volatile data, registry information, network traffic reports, packet sniffer reports, log information, the tool-generated reports, and so on.

Conclusion
Global Finance Company's regional branch has been investigated digital forensically, to investigate the suspected sources of the compromise that has happened to the targeted manager's computer in that branch. The final report is submitted to the information security office at the head office in Melbourne.