Digital Investigation Steps and Policies

Question 1

As a forensic expert, you receive a phone call from the CEO detailing his situation. What advice would you give the CEO on the call at this point?

1. Case Documentation

Case documentation begins when the client initiates contact with the forensic investigator. Even if an investigator or agency chooses not to accept a case, it may later become necessary to explain why the case did not progress. Any information recorded during the case is discoverable: opposing counsel has the right to examine and analyse data collected during the process. If an investigator takes written notes or uses a digital voice recorder to make verbal observations, copies of the notes and audio files must be made available.

Open a case file (Appendix II) and record the name and contact information for the organisation. Each communication during the investigation must be recorded. The following items should be recorded:

  • What is the name and contact information for the organisation involved in the incident? Record every individual contacted during the investigation, that person’s role in the process, and when, where, and how he or she was contacted.
  • When was the investigator notified? Date and time.
  • A description of the incident, both in technical terms and in lay terms.
  • When was the incident discovered?
  • Who discovered the incident?
  • To whom was the incident reported?
  • What systems, information, or resources were impacted by the event? This includes hardware, organisational entities,
  • Is there any preliminary information that suggests how the offending actions were accomplished?
  • What is the impact of the incident on the individual or organisation affected? This includes financial impact, impact on the systems involved, and any effect it may have had on the health or mental welfare of the individuals involved.
  • What actions were taken between discovery of the incident and reporting it to authorities? This means everything that was done, including simple file searches.
  • Who are the stakeholders as they are identified?

1.1. Introduction

During our opening conversation with the potential client we would address three important issues in relation to a digital investigation:

  1. In most circumstances evidence can be recovered: reassure the client that digital activity leaves footprints and that it is highly likely that an investigation will recover evidence from which actions and intentions can be inferred and relied upon to support the suspicion of theft.
  2. The two most immediate critical considerations for the organisation are:
     • Certainty that there can be no further breach of information, e.g. all access to company data by the two suspects has been disabled.
     • It is imperative that any sources of potential evidence are secured so as to preserve them in a forensically sound manner. Digital evidence is often highly volatile and can easily be compromised by poor handling. Successful recovery of evidence that can be relied upon depends heavily on the immediate actions taken in relation to the sources of evidence. The entire scope of evidence needs to be secured and protected to maintain integrity: workstations, hard drives, network logs, network backups, CCTV video, physical access logs and mobile phones. Evidence should be handled as little as possible.
  3. The evidence must be collected by trained personnel. A digital forensic investigator will take, where possible, an exact reproduction of the evidence and authenticate it. Even minor attempts to recover information by untrained personnel may overwrite or destroy evidence. The earlier a forensic image of a computer can be taken, the greater the chance of obtaining evidence.

1.2. Incident Scope and Impact

  1. Get the client to outline the incident: what system is the customer list kept on, i.e. is the data in a file on the server, or is it also held in CRM/ERP systems?
  2. What are the data governance policies? Do we have details of the customer data artefacts in the organisation?
  3. Ascertain whether the organisation has an established Incident Response Team; if not, ascertain what has been established in relation to the incident: how, when and by whom the incident was first detected. Build a timeline of events and list the individuals involved.
  4. Establish what actions have taken place since detection, and explain that, as Mr Lopez had used Mr Wayne's desktop, some evidence may inadvertently have been changed by these actions. Has the company re-used any of the devices belonging to the suspects? Have these devices been restored to factory settings, or have media or backups been wiped? If so, it is exceptionally unlikely that data can be recovered from these sources.
  5. Explain that specialist tools can take a mirror image of the data on the phones and desktops, which we can then examine for evidence.
  6. Have personnel from IT/HR/Security been involved in the investigation (unless there is suspicion of collusion)? Have employment contracts been reviewed, and has company policy in relation to access to personal mobile phone data been clarified? Fortunately, it was established that it was company policy that, in exchange for the employer paying the monthly SIM plan on each employee's personal mobile plan, each employee had signed an acknowledgement and waiver of privacy rights. What were the findings of their evaluations?
  7. What steps were taken to contain and mitigate the incident? (This includes, but is not limited to, retaining suspect computers, changing passwords, turning off remote access, acquiring log files, disconnecting infected systems from the network and disabling employee access.)
  8. What tools were deployed or system commands executed within the affected environment and on affected systems as part of the initial investigation? Is there supporting documentation?
  9. What logs were reviewed? If reviewed, what were the suspicious entries? What other unusual event or state information exists?
  10. Has the company contacted its legal representatives? If the event caused substantial financial impact, management may want to consider reporting the incident to law enforcement agencies.
  11. We would discuss the fact that, due to the nature of the data stolen, the suspects could potentially have taken this information via desktop, mobile, email, cloud accounts or unauthorised access to the server(s) or other workstations.

This investigation would include the following elements:

  • Computer devices and peripherals (Computer Forensics)
  • IT systems (Network Forensics)
  • Mobile and social networks (Mobile Forensics)
  1. Consideration must be given to the fact that individuals engaging in this type of activity may have employed sophisticated methods to disguise their activities, such as encryption, steganography, anonymous email accounts or spoofed IP/MAC addresses.
  2. What are the company's obligations in relation to data breaches? If the organisation has data breach reporting obligations, have these been met?
  3. Understand the individual suspect employees' system details (what type of network and application access the employees had) and confirm that all access has been disabled.
  4. We would need to establish a preliminary understanding of what action the client is likely to want to pursue if evidence of wrongdoing can be proved, e.g. seeking an injunction restraining the former employees from using the confidential information.
  5. Has the company spoken to any customers? If so, what information have these customers given the client? How likely is it that the customers would agree to be interviewed as part of the investigation?
  6. How does the company plan to respond publicly to its customers?
  7. We would email details of the types of evidence which can be established under an investigation (outlined in Appendix I).
  8. We would recommend that management should:
     • Nominate an incident Point of Contact (POC) with appropriate skills, knowledge and discretion for the investigation.
     • We will provide an Incident Response Template (see Appendix IV). The POC should complete a summary of known incident facts and information, along with a basic timeline of incident events, the personnel with knowledge of the event and a description of what information they possess:
       • How was the breach detected?
       • Type of intellectual property
       • What system(s) the data is located on
       • Has the system been secured?
       • Is this data used by any trusted parties?

This summary should also consider whether the full scope has been established, whether other parties could be involved and whether this information could be used by parties other than the two suspects.

  • The POC should prepare a contact list of those who possess information relevant to the investigation (Appendix III). This person and the summary would form the basis of the PID (Preliminary Investigation Discussion) should the client decide to progress with an investigation.

1.3. Format of a Forensic Investigation

We outlined the stages of a forensic investigation:

  1. Preliminary Investigation Discussion (PID)
     • The forensic investigator collates their version of the incident based on the information received to date and arranges a PID meeting on site.
     • Meet the POC, management and additional personnel to review the information which the client has gathered on the incident.
     • The investigator outlines their understanding of the facts with the POC and completes an analysis report. Management and the forensics team should verify enough information about the incident that the response will be appropriate and the extent of the investigation can be determined.
     • The forensic team and management will agree the scope and desired outcomes of the investigation; the requirements for the investigation may expand if additional information is established.
     • During the PID the type of legal investigation is decided upon (non-litigation, litigation or criminal), along with the type of activity to investigate.
     • The investigator would provide an initial estimate of the resources (time, equipment, personnel and cost) needed to complete the investigation. Depending upon the estimated cost and type of legal investigation, management may decide not to pursue the investigation.
     • If management decide to proceed with an investigation, the forensics team will meet with HR and IT (and Legal if required).
  2. The forensics consultant will secure and acquire any relevant digital evidence associated with the potential or actual information security incident using a standard, best-practice, forensically sound methodology and recognised digital forensics toolsets, preserving all relevant evidence in accordance with ACPO guidelines.
  3. Evidence Acquisition and Analysis – Investigate the acquired evidence to determine the "if, what, when, how and whom" of the information security incident. All processes applied to evidence use industry-standard tools.
  4. Provide digital forensic reports with objective conclusions, supported by the evidence acquired and investigated.
  5. Work with your legal, financial or criminal advisors in providing digital forensics expertise, evidence and objective expert conclusions.
  6. Provide expert witness testimony where appropriate.
  7. Provide mitigation advice and solutions to help prevent further information security issues arising in the future.

1.4. Rules of Evidence

We outlined the rules of evidence as follows:

  • Admissible – the evidence must be able to be used in court.
  • Authentic – the ability to prove that the evidence relates to the incident.
  • Complete – consider and evaluate all available information, e.g. how to establish without doubt that the employee was responsible for copying the files and that it could not have been another employee using the login credentials; evidence pointing to such an alternative is called exculpatory evidence.
  • Reliable – the evidence gathering and analysis procedures must support authenticity.
  • Clarity – evidence should be clear and easy to understand.
  • Identifying – what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator identifies the appropriate recovery methodologies and the tools which will be required.
  • Preserving – the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken.
  • Documentation – all steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change.

1.5. Principles of Digital Evidence

Best practice principles which apply to a forensic investigation:

  • Principle 1: No action taken in obtaining the evidence should change data held on a computer or storage media which may subsequently be relied upon in court.
  • Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  • Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
  • Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
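
Principles 1 and 3 are usually put into practice by hashing each evidence item at acquisition and keeping an audit trail that an independent party can re-run. The Python below is an added example, not part of the original answer: it records MD5 and SHA-256 digests of an item, appends audit-trail entries and re-verifies the item after a simulated accidental change; the image file name, examiner ids and notes are constructed for the illustration.

```python
"""Added example (not part of the original answer): acquisition-time integrity record
and audit trail for ACPO Principles 1 and 3. File and examiner names are assumed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never need to fit in memory


def hash_evidence(path):
    """Return MD5 and SHA-256 hex digests of a file, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_action(audit_log, action, examiner, path, digests, notes=""):
    """Append one audit-trail entry: who did what, to which item, when, with what result."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "digests": digests,
        "notes": notes,
    }
    audit_log.append(entry)
    return entry


def verify_evidence(path, expected_digests):
    """Re-hash the item and compare with the acquisition record (Principle 3: an
    independent party repeating the process must reach the same result)."""
    return hash_evidence(path) == expected_digests


def demo():
    """Constructed walk-through on a small stand-in for a disk image."""
    audit_log = []
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "wayne_desktop.E01")  # assumed file name
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE IMAGE CONTENT\x00" * 512)
        acquired = hash_evidence(image)
        record_action(audit_log, "acquire", "examiner-1", image, acquired,
                      "imaged behind a write blocker")  # assumed note
        ok_before = verify_evidence(image, acquired)
        with open(image, "r+b") as fh:  # simulate the accidental change Principle 1 forbids
            fh.write(b"X")
        ok_after = verify_evidence(image, acquired)
        record_action(audit_log, "verify", "examiner-2", image, hash_evidence(image),
                      "match" if ok_after else "MISMATCH: integrity broken")
    return ok_before, ok_after, audit_log


if __name__ == "__main__":
    print(demo())
```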

1.6. General advice in relation to current Data and IT Security issues

It is vital that some basic system security arrangements are immediately put in place:

  • Restrict access to the server cabinet.
  • Consider moving the server to a secure, fire-proof location.
  • Restrict the use of removable media on desktops.
  • The firewall should restrict Internet access to certain sites, e.g. cloud-based storage sites.
  • Data is an asset. Management has a responsibility to ensure that the organisation's data governance policies and their implementation are robust, so that security policies assess and manage risk and deter data threats.

APPENDIX I

Nature of Investigation and types of Evidence likely to be secured

During the data collection phase the investigation team will collect computer, network and mobile evidence, which may be located in emails, files on the network, system logs, configuration files and Internet activity logs. The challenge of data acquisition is often the volume of imaged data and the investigation of multi-user environments (servers with multiple users' settings and data).

The investigation team will examine:

  • Files and folders in good standing
  • Deleted but recoverable files
  • Deleted but partially overwritten files
  • References to files that are no longer there
  • Logs, Internet histories, cookies, configuration settings, etc.

Examples of what might potentially be retrieved include the following:

  • File carving – recover deleted documents and fragments of documents
  • Email analysis – webmail traces on the hard drive, deleted mails
  • Document analysis – timestamps, metadata information, MD5 hashing
  • Keyword searches run across a device
  • Password cracking
  • Internet usage – evidence of Internet history, sites visited and user search terms, both active and deleted
  • Analysis of file fragments in unallocated space or file slack
  • Analysis of data by date range
  • File type searches
  • Printing of documents, network log-in logs, Internet histories, application traces, document access records and link files
  • Deleted data – whether data has been deleted and information about that deleted data, including in certain cases the deleted data itself
  • Information about USB connectivity (in other words, whether or not memory sticks have been inserted into a device, which can indicate whether files of relevance were copied to them); identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used
  • Installation and/or use of unauthorised applications or software
  • Web-based chat, messenger and email communications, i.e. Hotmail/Gmail, and whether these have been used to send emails of potential relevance
  • Web-based storage applications (Dropbox) – whether data has been sent to these locations and information about when, what, etc.
  • File recovery and its metadata – were the files opened on an external device?
  • Mobile devices – files which can be recovered include all voicemails ever left on the phone, all emails ever sent or received, and data users often believe is deleted but which can be recovered, including text messages, contacts, call logs and pictures. The blending of modern smartphones with GPS technology can also pinpoint a departing employee's location at a particular date and time.
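
File carving and the analysis of fragments in unallocated space, both listed above, rest on the same idea: search free space for known file header and footer signatures rather than relying on file-system entries, since a deleted file's directory entry is gone while its bytes may remain. The Python below is an added example, not code from the original answer: it carves PDF and JPEG signatures out of a constructed buffer and flags the partially overwritten case where a footer is missing; every sample byte is constructed here and the signature table is the assumed minimal one.

```python
"""Added example (not part of the original answer): header/footer signature carving
over a constructed block of unallocated space. Only the well-known PDF and JPEG
markers are used; the sample buffer is constructed, not taken from any case."""

# kind -> (header, footer). A real carver also validates structure; this shows the search.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # cap so a file with an overwritten footer cannot swallow the image


def carve(data, signatures=SIGNATURES):
    """Return (kind, offset, payload, complete) tuples sorted by offset.

    complete is False when no footer appears before the next header of the same kind
    (a partially overwritten file); the payload is then the run up to that header.
    Stopping at the next header keeps a truncated file from being fused with the one after it."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            body_start = pos + len(header)
            next_hdr = data.find(header, body_start)
            limit = min(pos + MAX_CARVE, next_hdr if next_hdr != -1 else len(data))
            end = data.find(footer, body_start, limit)
            if end == -1:
                found.append((kind, pos, data[pos:limit], False))
                pos = next_hdr
            else:
                end += len(footer)
                found.append((kind, pos, data[pos:end], True))
                pos = data.find(header, end)
    return sorted(found, key=lambda f: f[1])


# Constructed sample fragments (not real files).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
SAMPLE_JPG_TRUNCATED = b"\xff\xd8\xff\xe0JFIF-truncated-"  # tail overwritten, no footer
SAMPLE_JPG_FULL = b"\xff\xd8\xff\xe0JFIF-full" + b"\xff\xd9"


def filler(n):
    """Deterministic 'free space' bytes containing none of the signature sequences."""
    return (b"free-space-" * (n // 11 + 1))[:n]


def build_sample_unallocated():
    """One whole PDF, a JPEG with its tail overwritten, then a whole JPEG, spread through free space."""
    return (filler(100) + SAMPLE_PDF + filler(50) + SAMPLE_JPG_TRUNCATED
            + filler(50) + SAMPLE_JPG_FULL + filler(100))


def carve_sample():
    """Run the carver over the constructed buffer and return the carved tuples."""
    return carve(build_sample_unallocated())


if __name__ == "__main__":
    for kind, offset, payload, complete in carve_sample():
        state = "complete" if complete else "PARTIAL (footer overwritten)"
        print(f"{kind} at offset {offset}: {len(payload)} bytes, {state}")
```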

APPENDIX II

Cyber Security Incident Report

  • Reported by:
  • Phone No.:
  • Email:
  • Date reported:
  • Agency:
  • Device type:
  • Name of individual affected:
  • Location/address of problem:
  • User description of problem: