The information at hand does not conclusively determine if a crime has been committed or not. It is thus important to secure the scene of crime.
The plan includes developing the infrastructure needed to determine whether an attack really happened and what its extent is. This will establish the validity of the claims of a breach and, if they are confirmed, allow appropriate steps to be taken to retrieve reliable digital evidence that is sufficient to sustain a case in a court of law. Before the start of the digital investigation, the time on all the servers was synchronized with NTP.
Verification of the suspected crime will be carried out. Verification of the incident involves locating the affected workstation and plugging a laptop into the network so that a scan can identify the open ports. The forensic expert will insert a CD-ROM of incident response tools into the system and log in to copy data relating to running processes and open ports.
In the meantime, it is not known whether the employee was sharing information with other external parties. Thus, there are two options. Either the network connection to his computers can be shut down, which prevents collaborating users from tampering with evidence and limits further damage, or the network can be left open to allow more monitoring and tracing of the intruders. In the latter case, it is essential to keep monitoring the computer systems, including logins and authentication. Any user logging in to the system without the relevant authentication is likely to be collaborating with the arrested employee.
The intruder is pursued by gathering more information through covert monitoring of the insurance database and the file access functionality. This monitoring leads to a determination of which data in the system has been compromised, revealed through irregular access patterns.
When collecting data for a computer forensic investigation, the most volatile data, which can be lost the quickest, should be collected first. The order of data volatility is determined so that the more volatile data can be collected first.
The order can be represented as follows:
- Memory contents
- Swap files
- Network responses
- System processes
- Raw disk blocks
Once the source of evidence has been identified, it is important to secure it to reduce contamination and distortion. Preservation aims at maintaining the integrity of the evidence during the investigation process and ensures that the availability and quality of the evidence are not compromised. The digital data obtained at the crime scene was copied and saved on the laptop using the trusted tools from the CD. The team, led by the CFA, determined the MD5 value of the disc and duplicated the data on the disk over the network. The hash of the forensic image on the laptop was then verified against that value.
Other processes performed to guarantee the admissibility of the forensic evidence gathered include data analysis and presentation. The data collected is surveyed and reduced to manageable quantities that can be used to form an opinion of what occurred and to answer the questions asked.
The MD5 hashes of the system binaries were compared with the server's fingerprint database to identify altered files. Logs were analyzed to detect suspicious logins. Finally, presentation and reporting is the last stage of the investigation.
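The two hash-based steps described above, verifying the forensic image against the MD5 recorded at acquisition and comparing system binaries with a known-good fingerprint database, as an added Python example that is not part of the original text; the image bytes, file contents and fingerprint database are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks so a large image never has to fit in RAM

def md5_file(path: Path) -> str:
    """Hex MD5 digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image: Path, recorded_md5: str) -> bool:
    """True if the copy on the laptop still matches the hash taken at acquisition."""
    return md5_file(image) == recorded_md5.lower()

def compare_binaries(root: Path, fingerprint_db: dict) -> dict:
    """Map each path to 'ok' | 'altered' | 'missing' | 'unknown' by checking the
    files under `root` against a known-good {relative_path: md5} database."""
    result = {}
    for rel, good_md5 in fingerprint_db.items():
        target = root / rel
        if not target.is_file():
            result[rel] = "missing"            # binary removed from the system
        else:
            result[rel] = "ok" if md5_file(target) == good_md5 else "altered"
    for p in root.rglob("*"):                  # files the baseline never recorded
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in fingerprint_db:
            result[rel] = "unknown"
    return result

def demo() -> tuple:
    """Constructed scenario: verify an acquired image, then check a baseline of three
    binaries against a copy where one is modified, one deleted and one file is new."""
    baseline = {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1", "sbin/sshd": b"sshd-v1"}
    fingerprint_db = {k: hashlib.md5(v).hexdigest() for k, v in baseline.items()}
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.img"          # stand-in for the acquired disk image
        image.write_bytes(b"\x00" * 4096 + b"constructed image bytes")
        recorded = md5_file(image).upper()          # value noted on the evidence form
        sysroot = Path(tmp) / "sys"
        acquired = {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1-mod", "tmp/extra.bin": b"?"}
        for rel, data in acquired.items():
            (sysroot / rel).parent.mkdir(parents=True, exist_ok=True)
            (sysroot / rel).write_bytes(data)
        return verify_image(image, recorded), compare_binaries(sysroot, fingerprint_db)
```

Substituting hashlib.sha256 for hashlib.md5 in both places leaves the logic unchanged if a collision-resistant digest is required alongside the MD5 values already recorded.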