Digital Forensic Investigation-103697

Case Study of Impact Financial Services Australia (IFSA)

IFSA

Executive Summary:

This report identifies the technical issue at Impact Financial Services Australia (IFSA), which can harm the organization if it is not addressed. For this reason, the organization conducts a Digital Forensic Investigation plan to establish who committed this fraud against the company, and where and when. The actionable information needed to deal with the issue at IFSA can be obtained by analysis with a digital forensics methodology. The SANS methodology is used in this case; its 8 steps are performed very carefully. A professional Digital Forensic plan for investigating the above-mentioned issue can be carried out by following the plan given below in an appropriate manner. Finally, some recommendations are given to improve the situation.

Table of Contents

1. Introduction:

2. Digital Forensics Methodologies:

3. Professional Digital Forensic Plan:

3.1 Resources required to conduct a Digital Forensic Investigation:

3.2 Evidence/ Data occurred:

3.3 Forensic Analysis Procedures depending on the nature of the Evidence:

4. Recommendation:

5. Conclusion:

6. Reference List:

1. Introduction:

Impact Financial Services Australia (IFSA) is a provider of high-quality consumer finance services to its customers. It has more than 1500 employees worldwide, and more than 5 million customers are served by IFSA. The company has branches in the major cities of Australia, and its main office is in Melbourne.

The information technology system of IFSA manages all of its global business operations. The workstations and servers of the company are basically UNIX/LINUX based. The network environment of the company is flat and unrestricted: servers and systems in one office can be accessed from any other office. Network segmentation and firewalls are poorly implemented in the company (Aziz, 2014). The issue that has arisen is that a system in one office of the organization was accessed from a system in another office of the same organization. To stop the recurrence of such an issue, a Digital Forensic Investigation Plan is conducted by the organization.

In this report, the issues regarding information security are investigated. An appropriate digital forensic methodology is used for corporate investigations of this type of issue. The resources required to conduct a digital forensic investigation are described in this paper, and the data/evidence to be collected is identified. Some useful recommendations for the company on action against the offender are also given.

2. Digital Forensics Methodologies:

A digital forensic methodology is required to properly determine the scope of an incident, establish what happened and safeguard the evidence. The actionable information needed to deal with the issue that has arisen in IFSA can be obtained by analysis with a digital forensics methodology. As the servers of the company are basically UNIX/LINUX based, the SANS methodology is used in this case. It is an 8 step methodology. It is very useful for keeping the investigation on the right track, and it gives an appropriate presentation of the data or evidence for the security issue that has arisen in IFSA. Moreover, it is a good practice for achieving a responsible knowledge of forensic principles, procedures, techniques, and tools (Case et al., 2010).

The details of all 8 digital forensic investigation steps are given below:

1. Verification:

The digital forensics investigation is done as a major part of the incident response scenario. The first step is to verify that the above issue has actually taken place. By identifying the scope and breadth of the incident, the above case can be assessed. The nature of the case, the situation and the specifics of the case are determined in this step. This first step is very important because the characteristics of the incident are determined by it. It is the best approach to recognize, identify, collect and preserve the evidence (Venema, 2011).

2. Description of the System:

System description follows the steps in which data is gathered about this specific incident. The investigation must start with describing the systems that are going to be analyzed and taking notes. The role of the system in the network and organization, and where the system was acquired, are also determined in this step. It covers the operating system, the general configuration of the system's disk and the location of evidence, along with the size of the RAM (Casey, 2011).

3. Acquisition of the Evidence:

Recognition of the possible sources of data, collection of volatile and non-volatile data, ensuring the chain of custody and verifying the integrity of the data are all done in this step. If there is confusion about what should be collected, it is much better to be on the safe side and collect a larger volume of data. While performing this step, it is also important to prioritize the evidence collection together with the business owners, for determining the impact and the execution of the chosen approach (Tenth annual DFRWS conference, 2010). As volatile data changes over time, the order of data collection is also very important. The volatile data to be collected includes login sessions, open files, the contents of RAM etc. When this volatile data has been collected, the next step must be to collect non-volatile data such as the hard drive. After collecting all the data, the integrity of the data must be verified. It must also be clearly described how the evidence was found, how it was handled and everything that happened with it (Casey, 2010).

4. Analysis of Timeline:

After collecting the data, the evidence received must be analyzed and investigated in the forensic lab. This should be done by performing a timeline analysis. This step is very useful as it involves information such as the modification of a file and access to the file, and presents it in a human readable format. The data is collected with various types of tools and extracted from the meta layer of the file system, after which it is sorted for analysis. Timelines built from memory are also very useful for reconstructing what had happened (Casey, Katz and Lewthwaite, 2013).
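As an added illustration of the timeline step (not part of the original report), the following Python script builds a MAC timeline from file-system metadata the way mactime does: one row per timestamp and file, flagged m/a/c and sorted oldest first. The directory tree, file names and timestamps are constructed inline for the demonstration.

```python
"""Build a human-readable MAC timeline from file-system metadata (the
'meta layer' referred to above): one row per (timestamp, file) with
m/a/c flags, sorted oldest first."""
import os
import tempfile
from datetime import datetime, timezone


def collect_metadata(root):
    """Walk root and return one record per file with its M/A/C times (epoch)."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": st.st_mtime,   # content last modified
                "atime": st.st_atime,   # last accessed
                "ctime": st.st_ctime,   # inode changed (perms, owner, rename)
            })
    return records


def build_timeline(records):
    """Collapse the three timestamps into events; a file whose M, A and C
    times coincide yields a single row, as mactime does."""
    events = {}
    for r in records:
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            ts = int(r[key])
            events.setdefault((ts, r["path"]), {"flags": set(), "size": r["size"]})
            events[(ts, r["path"])]["flags"].add(flag)
    timeline = []
    for (ts, path), info in sorted(events.items()):
        flags = "".join(f if f in info["flags"] else "." for f in "mac")
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append((stamp, flags, info["size"], path))
    return timeline


def demo():
    """Constructed sample: three files whose mtime/atime are set explicitly.
    ctime cannot be set from user space, so it records the time of the call."""
    root = tempfile.mkdtemp()
    samples = {  # hypothetical path -> (mtime, atime) as epoch seconds
        "etc/passwd": (1_700_000_000, 1_700_003_600),
        "home/user/.bash_history": (1_700_007_200, 1_700_007_200),
        "tmp/.x": (1_700_001_000, 1_700_009_000),
    }
    for rel, (mtime, atime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(rel)
        os.utime(path, (atime, mtime))
    return build_timeline(collect_metadata(root))


if __name__ == "__main__":
    for stamp, flags, size, path in demo():
        print(f"{stamp}  {flags}  {size:>6}  {path}")
```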

5. Artifact and Media Analysis:

In this step, the amount of information can be overwhelming. The programs which were executed, the files which were downloaded, the files which were clicked on and the directories which were opened etc. can also be determined with the help of this step. Memory analysis is the other important analysis step, for examining network connections, rogue processes, evidence of code, user handles and many others. One must be alert to anti-forensic techniques like data alteration or steganography that will negatively impact the analysis, investigation, and conclusion (Shanableh, 2013).

6. Byte or String Search:

This step includes the use of tools that help search the low-level image. If it is known what the search should contain, this method can be used to find it. This step uses tools and techniques that search for byte signatures, known as magic cookies. The string or byte signature being searched for is the one relevant to the above-mentioned case (Chivers, 2014).

7. Recovery of Data:

In this step, the recovery of data from the file system can be done. The tools used in this step are very useful for analyzing the metadata layer, file system layer and data layer. Analyzing the unallocated space for files of interest is also part of this step.
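Steps 6 and 7 as an added Python example (not part of the original report): a scan of a raw image for known byte signatures and printable strings, reporting the offset and sector of every hit, which is also where recovery of files from unallocated space begins. The 2 KiB image, the string values and the signature table are constructed for the demonstration.

```python
"""Scan a raw image for byte signatures ('magic cookies') and ASCII strings,
reporting where each hit lies; the same scan over unallocated space is the
starting point for carving files that the file system no longer references."""
import re

SECTOR = 512

# Well-known leading byte signatures of common file types (not exhaustive).
SIGNATURES = {
    "elf": b"\x7fELF",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gzip": b"\x1f\x8b\x08",
    "pdf": b"%PDF-",
}


def find_signatures(image, signatures=SIGNATURES):
    """Return [(offset, sector, type)] for every occurrence of every signature."""
    hits = []
    for name, magic in signatures.items():
        start = 0
        while True:
            off = image.find(magic, start)
            if off < 0:
                break
            hits.append((off, off // SECTOR, name))
            start = off + 1
    return sorted(hits)


def find_strings(image, min_len=6):
    """Printable ASCII runs of at least min_len bytes, with offsets (like strings(1))."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def search_keywords(image, keywords):
    """Keyword search over the raw bytes: {keyword: [offsets]}."""
    return {k: [m.start() for m in re.finditer(re.escape(k.encode()), image)]
            for k in keywords}


def demo():
    """Constructed 2 KiB 'image': zero filler with an ELF header at 0x100,
    a PNG signature at 0x400, a gzip member at 0x600 and two strings."""
    image = bytearray(2048)
    image[0x100:0x104] = SIGNATURES["elf"]
    image[0x200:0x20f] = b"/var/log/secure"   # constructed path string
    image[0x400:0x408] = SIGNATURES["png"]
    image[0x600:0x603] = SIGNATURES["gzip"]
    image[0x700:0x70d] = b"projector-mel"     # constructed hostname fragment
    return bytes(image)


if __name__ == "__main__":
    img = demo()
    print(find_signatures(img))
    print(find_strings(img))
    print(search_keywords(img, ["projector"]))
```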

8. Reporting the Results:

The final step must include the results of the above analysis, including a description of the actions performed, identification of other actions to be performed and recommendations for improving the policies, procedures, guidelines, tools and other aspects of the digital forensic process for this case. The report must be written in such a manner that it can be used for administrative purposes (Casey, 2013).

3. Professional Digital Forensic Plan:

The professional Digital Forensic plan for investigating the above-mentioned issue can be carried out by following the plan given below in an appropriate manner. Various types of incident can be handled more effectively and efficiently when forensic considerations are incorporated into the life cycle of the information system. As the servers of the company are basically UNIX/LINUX based, the steps of the digital forensic plan for investigating the above-mentioned issue in a proper manner are: collection of data, examination of the data, analysis of the data and reporting the results of the analysis (Roussev, Ahmed and Sires, 2014).

1. While collecting the data, the data related to the above-mentioned case is first identified, labeled, recorded and then collected, making sure that the integrity of the data remains the same.

2. In the second step, the forensic techniques and tools relevant to the types of data collected are applied to identify and extract the relevant information, while the integrity of the data is protected. This process includes the use of a combination of tools and processes.

3. The third step, analysis, involves analyzing the results of the examination to address the useful information that answers the questions which prompted the collection and examination of the data (Flaglien et al. 2011).

4. The final step of the plan involves reporting the results of the analysis step, which can include a description of the actions performed, determination of the other actions that are required, and recommendations for improving the policies, procedures, tools and other aspects.

Digital Forensic Process Plan

3.1 Resources required to conduct a Digital Forensic Investigation:

The resources required to conduct a digital forensic investigation in the above-mentioned case are as follows:

Effective Network and Computer Forensics:

Effective network and computer forensics capabilities are required for performing various kinds of work within the company; these tasks include troubleshooting operational problems, investigating inappropriate behavior and crimes, supporting due diligence to maintain audit records, recovering from accidental damage etc. Without such a capability, any organization will face difficulties in determining what incident occurred within its systems and network (Kerrigan, 2013).

The team of incident handling must have robust forensic capabilities:

The team which handles the incident must have more than one member who is able to perform each type of forensic activity. IT and hands-on exercises, including forensic training courses, are very helpful for creating and maintaining the skills, as they can demonstrate new technologies and tools.

The policies of the organization must contain the forensic consideration:

The policies should specify who is authorized to monitor the network and systems and to perform the investigation process for the above-mentioned case under the appropriate circumstances. The company must also have a separate forensic policy for the persons who handle the incident investigation. The policy must clearly define the responsibility and role of each person who takes part in the investigation process of the incident. The organization's policy must explain what action should be performed under different situations and must address the use of anti-forensic techniques and tools (Khan, Iqbal and Baig, 2010).

Tools required for conducting the Forensic Investigation plan within the Organization:

The tools required to conduct the digital forensic investigation for the above-mentioned case are dd and EnCase, whose known limitations must be taken into account. dd with Linux Kernel 2.4 and a drive with an odd number of sectors omits the last sector of 512 bytes. Apart from that, EnCase version 3, when it uses BIOS access on a hard disk with certain geometry and with the help of a computer with a specific BIOS, omits the last 5020 sectors. Both EnCase and SafeBack using direct access do not omit any sector.
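The acquisition step of section 2 and the sector-omission limitations above, as an added Python example that is not part of the original report: it images a source block by block, hashes source and image, and checks the image length against the sector count the device reports, so a truncated image like the dd case above is flagged before the evidence is relied on. The 7-sector "device" file, its sector count and the output paths are constructed for the demonstration.

```python
"""Acquire a raw image of a source block by block (what dd does), then verify
it: hash source and image, and check the image holds every sector the device
reports, so the trailing-sector omissions described above are detected."""
import hashlib
import os
import tempfile
import time

SECTOR = 512


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, block_size=SECTOR):
    """Copy source to image in block_size chunks and return a custody record
    (when, what, and the hashes of source and image)."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            dst.write(block)
    return {
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source,
        "image": image,
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
    }


def verify_image(record, device_sectors, sector_size=SECTOR):
    """Verification results: do the hashes match, and how many sectors is the
    image short of what the device reports (on Linux, blockdev --getsz)?"""
    expected = device_sectors * sector_size
    actual = os.path.getsize(record["image"])
    missing = max(0, (expected - actual + sector_size - 1) // sector_size)
    match = record["source_sha256"] == record["image_sha256"]
    return {"hash_match": match, "missing_sectors": missing,
            "complete": match and missing == 0}


def demo():
    """Constructed example: a 7-sector 'device' file (odd sector count).
    A faithful copy passes; an image missing its last sector is flagged."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sda.raw")
    with open(device, "wb") as f:
        f.write(os.urandom(7 * SECTOR))
    sectors = os.path.getsize(device) // SECTOR   # stands in for blockdev --getsz

    good = acquire_image(device, os.path.join(workdir, "good.dd"))
    good_result = verify_image(good, sectors)

    # Simulate the odd-sector-count defect: drop the final 512-byte sector.
    short = os.path.join(workdir, "short.dd")
    with open(device, "rb") as src, open(short, "wb") as dst:
        dst.write(src.read((sectors - 1) * SECTOR))
    short_record = dict(good, image=short, image_sha256=sha256_of(short))
    return good_result, verify_image(short_record, sectors)


if __name__ == "__main__":
    print(demo())
```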

3.2 Evidence/ Data occurred:

The use of digital technology for both personal and professional purposes leads to an abundance of data sources, and the servers of the company are basically UNIX/LINUX based. The most common and obvious sources of data are servers, desktop computers, laptops, network storage devices etc. Examples of external storage forms of data include flash cards, memory cards, thumb drives, magnetic disks, optical disks etc. A standard computer system also has volatile data that is available only temporarily. Many types of computer-related devices, such as audio players, digital recorders and digital cameras, can also be sources for the digital forensic investigation process (Marshall, 2011).

Data is also stored in other places; for example, there are various sources of data within the organization regarding application usage and network activity. Data can also be stored by other organizations, such as an Internet Service Provider (ISP). The analyst should think about the owner of each and every data source. Another method by which data can be collected is monitoring the behavior of the user. An example of such a data collection method is keystroke monitoring, which keeps a record of the use of a keyboard on a particular system. The authority to perform such monitoring must be discussed with the advisor and then documented very clearly in the policy of the organization (Quach, 2014).

3.3 Forensic Analysis Procedures depending on the nature of the Evidence:

When a potential data source is identified, the analyst is required to acquire the data from that source. The forensic analysis procedures must be performed using a three step process: first a plan for acquiring the information is developed, then the data is acquired, and after the data has been acquired its integrity must be verified. Acquiring and verifying the integrity of OS data, data files, application data and network traffic data is explained in more detail (Pilli, Joshi and Niyogi, 2010).

The first step is to develop a plan, because there are various types of data sources within the organization. A plan must be created which gives priority to the sources and establishes the order of acquiring the data. If the security tools have not already acquired the data, then it must be acquired with the help of forensic tools; this data can be volatile and non-volatile. Data acquisition can be done over the network or locally. When data is acquired over the network, the decision must be made according to the type of data to be stored and the effort required to use it. For example, it is necessary to collect records from various kinds of systems across different types of network connection. At last, the verification of the collected data must be done to check the integrity of the data (Prelim i – Editorial Board, 2010).

4. Recommendation:

Some recommendations are given for the company to deal with the above-mentioned problem.

The organization must determine which party will take care of each part of the forensic investigation:

Many organizations depend on a combination of external parties that perform forensic investigation and the organization's own staff. The organization must decide which party will handle which task according to their ability and skill, data sensitivity, cost and response time.

The organization must create the meaningful procedures and guidelines to perform the forensic task:

The guidelines for performing the forensic tasks include explaining the methodologies used in the forensic investigation, and the procedures must explain how to perform the tasks in the given time and in the proper sequence. As logs and other kinds of information can be changed, the organization must be prepared, with the help of its guidelines, policies and procedures, to demonstrate the integrity and reliability of the records. The procedures and guidelines must be maintained and reviewed regularly to ensure that they are accurate.

The organization must involve many teams to participate in the forensic investigation:

Each person who performs forensic tasks must be able to reach individuals and other teams in the organization as required. The teams which can provide help in this case include management, IT professionals, the legal advisor, physical security staff, and human resources personnel.

5. Conclusion:

In this report, the technical issue at Impact Financial Services Australia (IFSA) is identified, which can cause harm to the organization if it is not prevented. For this reason, a Digital Forensic Investigation plan is conducted by the organization to find out who committed this fraud against the company, and where and when. The methodology for implementing the digital forensic investigation is described in this report, which will help to coordinate the investigation. The resources required to conduct this forensic investigation plan are also mentioned, as they play a very important role in achieving this investigation. Finally, some recommendations are given to improve the situation.

6. Reference List:

Aziz, B. (2014). Modelling and refinement of forensic data acquisition specifications. Digital Investigation, 11(2), pp.90-101.

Case, A., Marziale, L., Neckar, C. and Richard, G. (2010). Treasure and tragedy in kmem_cache mining for live forensics investigation. Digital Investigation, 7, pp.S41-S47.

Casey, E. (2010). Digital investigations, security and privacy. Digital Investigation, 7(1-2), pp.1-2.

Casey, E. (2011). A unified voice: The need for an international digital forensic convention. Digital Investigation, 8(2), pp.89-91.

Casey, E. (2011). The increasing need for automation and validation in digital forensics. Digital Investigation, 7(3-4), pp.103-104.

Casey, E. (2013). Experimental design challenges in digital forensics. Digital Investigation, 9(3-4), pp.167-169.

Casey, E. (2013). New developments in digital & multimedia forensics. Digital Investigation, 10(3), pp.205-206.

Casey, E., Katz, G. and Lewthwaite, J. (2013). Honing digital forensic processes. Digital Investigation, 10(2), pp.138-147.

Chivers, H. (2014). Private browsing: A window of forensic opportunity. Digital Investigation, 11(1), pp.20-29.

Flaglien, A., Mallasvik, A., Mustorp, M. and Årnes, A. (2011). Storage and exchange formats for digital evidence. Digital Investigation, 8(2), pp.122-128.

Kerrigan, M. (2013). A capability maturity model for digital investigations. Digital Investigation, 10(1), pp.19-33.

Khan, L., Iqbal, F. and Baig, M. (2010). Speaker verification from partially encrypted compressed speech for forensic investigation. Digital Investigation, 7(1-2), pp.74-80.

Marshall, A. (2011). Standards, regulation & quality in digital investigations: The state we are in. Digital Investigation, 8(2), pp.141-144.

Pilli, E., Joshi, R. and Niyogi, R. (2010). Network forensic frameworks: Survey and research challenges. Digital Investigation, 7(1-2), pp.14-27.

Prelim i – Editorial Board. (2010). Digital Investigation, 7, p.i.

Prelim i – Editorial Board. (2011). Digital Investigation, 8, p.i.

Quach, T. (2014). Extracting hidden messages in steganographic images. Digital Investigation, 11, pp.S40-S45.

Roussev, V., Ahmed, I. and Sires, T. (2014). Image-based kernel fingerprinting. Digital Investigation, 11, pp.S13-S21.

Shanableh, T. (2013). Detection of frame deletion for digital video forensics. Digital Investigation, 10(4), pp.350-360.

Tenth annual DFRWS conference. (2010). Digital Investigation, 7, pp.S1-S2.

Venema, W. (2011). Eleventh Annual DFRWS Conference. Digital Investigation, 8, pp.S1-S2.

Assessment item 2—Case study

Due date: 11:45pm AEST, Friday, Week 11

ASSESSMENT 2

Weighting: 30%

Length: 2000-2500 words excluding references

Objectives

This assessment item relates to the course learning outcome 1 to 9 as stated on page 1 of the course profile.

Enabling objectives

  1. Apply the digital forensics methodologies.
  2. Write an analysis of a case study.
  3. Prepare an outline of a professional digital forensic plan.

Instructions

The Case – A Digital Forensic Investigation Plan

Summary:

Impact Financial Services Australia (IFSA) is a specialist provider of high quality, consumer finance services to a global network of customers. It has been operating since 1990 and employs more than 1500 employees worldwide. IFSA serves more than 5 million customers globally. The company’s main office is situated in Melbourne with other branch offices located in all major cities in Australia.

IFSA has invested heavily in information technology for supporting its global business operations and achieving competitive advantages over its competitors. Major investments were made by the company in 2001 but management has lost focus in updating the networks and application infrastructure that supports the business operation in recent years. The network environment between all of IFSA offices is flat and relatively unrestricted. Users from one office can access systems and servers from another office. Workstations and servers are typically UNIX/LINUX-based. Firewalls and network segmentation are implemented poorly throughout the environment. Intrusion detection and logging exist on systems but they are not effectively used.

Last week, one of the employees, Richard, at the Sydney office went in to work early and when he got connected to his computer, he found that someone was already connected to his computer with several windows opened. As he stared at it, his computer system got disconnected. He then tried to get connected again, but he was logged out. He called the IT manager, who followed a plan for such incidents. This includes disabling Richard’s account and examining the server security logs. The IT manager found that the IP address of the computer that was connected to John’s computer belongs to a computer used to run a data projector at the Melbourne office. He quickly rang the Melbourne office to check who had used the computer and requested the logs of people who had swiped into the building. He found out that even that machine was compromised. An urgent meeting with the management concluded that a security breach has occurred and a Forensic team will be set up to investigate this matter and stop the recurrence of such issues. As an information security officer, you are asked by the management to investigate to find out the extent of this security breach and Richard’s activities, if others are involved, who is affected and whether criminal charges need to be laid.

Requirements:

Your task is to prepare a digital forensics investigative plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are UNIX/LINUX based, this plan should detail the following:

  • justify why use of the digital forensic methodology and approach is warranted including appropriate procedures for corporate investigations such as this.
  • describe the resources required to conduct a digital forensic investigation, including skill sets and required tools of the team members.
  • outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence.
  • outline an approach and steps to be taken during the analysis phase making the assumption the computer system is a UNIX/LINUX-based computer.
  • make a recommendation on the action that the company needs to take against the offender.


Tips for preparing your digital forensics investigative plan

In writing the digital forensics investigative plan, students need to address the following points. Do note that the points listed below are not exhaustive and are to be considered as helpful tips.

  • Justify a need for digital forensics methodology and consider scope of the case including nature of alleged misconduct leading to consideration of how electronic and digital evidence may support the investigation. The plan should consider how digital forensics differs from other techniques (such as network forensics, data recovery) and detail the overall steps for the systematic digital forensics approach.
  • Consider the required resources and include details regarding preparation plan for evidence gathering (such as evidence forms, types, storage media and containers), forensics workstation and peripherals needed, software/tools for analysis depending on the type of evidence to be gathered including rationale for selected tools, and consideration of team member skills in digital analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs of the auditing team and understanding of law and corporate policies).
  • Detail the approach for data acquisition including the different types of evidence that can be gathered and their source depending upon the nature of the case and scope of investigation, develop a plan for data acquisition including rationale for selected plan and contingency planning, detail type of data acquisition tools needed including rationale and an outline for the data validation & verification procedures.
  • Provide an outline of the forensic analysis procedures/steps depending upon the nature of evidence to be collected, and detail the validation approach. This can include techniques to counter data hiding, recovering deleted files, procedures for network and e-mail analysis.
  • Prepare a recommendation on the action that the company needs to take against the offender.
  • Table of contents for the investigative plan should consider what to include in report, structure of report, focus or scope of the report including supporting material to be provided and references. This table of contents should include headings and sub-headings pertaining to the aspects addressed in the above dot points.

Prepare a professional report with an Executive Summary, a Word generated table of contents, an Introduction, a body of report with proper headings and sub-headings, and a Conclusion.

Assessment criteria