Computer Forensic Investigation Plan, Research Paper Example
Company X suspected an employee had copied files from the company intranet for unauthorized purposes. Upon searching the employee’s purse, the department manager found a flash drive which he believed may contain the unauthorized files. The following is an overview of the plan to conduct a forensic analysis of the drive. The forensics plan is divided up into several steps, or phases, each with its own set of criteria. While each forensics analysis is different, there are some basic components to any analysis that are present in most cases.
Initial Steps
Before beginning a forensic analysis, there are a number of concerns that must be addressed. It is important to determine the legal scope of the investigation, which likely includes the need to obtain search warrants and to make other legal arrangements. The scene itself must be processed, including identifying the computers that may have been compromised, and photographs and other documentation of the scene should be collected. Computer systems should be imaged to ensure that during the analysis the activity and user information is preserved and available. In most cases, the analysis will be conducted on a working copy of the imaged device(s).
Beginning the Analysis
Using certified forensic computer equipment, the first step of the analysis is the acquisition of the data on the digital source, in this case the flash drive that is suspected of containing unauthorized files. After connecting the digital source to the forensic interface, the data is retrieved using an acquisition tool; this data is then saved to the destination object as a clone of the original data. The most important considerations during the acquisition process are completeness and accuracy; simply put, it is necessary to ensure that all of the information is acquired, and that it is acquired correctly.
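The completeness and accuracy checks described above can be expressed as a size comparison and a hash comparison between the source and its clone. The following is an added example, not part of the original paper; the function names are hypothetical, SHA-256 is an assumed choice of hash, the source is assumed to be read through a write-blocking interface, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large devices need not fit in memory


def sha256_of(path):
    """Stream a file or raw device node and return (byte_count, hex digest)."""
    digest = hashlib.sha256()
    total = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            digest.update(block)
            total += len(block)
    return total, digest.hexdigest()


def verify_acquisition(source_path, image_path):
    """Compare a source and its clone for completeness (size) and accuracy (hash)."""
    src_size, src_hash = sha256_of(source_path)
    img_size, img_hash = sha256_of(image_path)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "complete": src_size == img_size,
        "accurate": src_hash == img_hash,
    }


def demo():
    """Constructed sample: a stand-in 'drive', a good clone and a truncated clone."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "drive.bin")
        good = os.path.join(d, "good.dd")
        short = os.path.join(d, "short.dd")
        data = b"constructed sample sector data " * 4096
        for path, payload in ((drive, data), (good, data), (short, data[:-512])):
            with open(path, "wb") as fh:
                fh.write(payload)
        return verify_acquisition(drive, good), verify_acquisition(drive, short)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Recording both digests in the case notes lets the working copy be re-verified at any later stage of the analysis.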
Creating Lists
Generally speaking, the forensic analysis process involves the creation of several lists; as the process continues, one list feeds into the next, leading to the conclusion of the process. The first list is the “Search Lead List.” This list is based on the information that has been identified as the object of the search, as well as additional possibilities that arise during a cursory examination of the retrieved data. At this stage, the Search Lead List will be identified as “Search for Company Files.” As data is examined and processed, it is transferred to the second list, the “Extracted Data List.”
The next stage in the process is Identification, wherein the retrieved data is examined and identified to determine whether or not it is relevant to the search. Each piece of data is identified by file type or other appropriate identifier, and once a determination of relevancy is made, the data is either transferred to the Relevant Data List or simply marked as processed so investigators can move on to the next bit of data.
During this stage, it is possible to find other incriminating data or other information; if such data is found, it is typically best to halt all activity while a legal determination is made. As is the case with many types of searches, it may be necessary to broaden the scope of the search warrant, or to acquire a new warrant. Forensic analysis is a dynamic process, and investigators must be flexible and prepared to respond to new or unexpected information as it arises. For example, the search of the flash drive found in the employee’s purse may also turn up email addresses or other information that indicates the employee shared, or planned to share, the unauthorized information. An expanded investigation might include getting a subpoena for emails sent to or received from the addresses found in the flash drive. New information that is discovered at this stage is transferred to a New Source of Data List; this list may then be used to refine or expand the Search Lead List, thus continuing the process until all sources of information are exhausted.
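The flow between the lists described in this section can be sketched as a triage pass over the Extracted Data List. This is an added example, not part of the original paper; the `triage` function is hypothetical, matching by SHA-256 against a company-supplied hash set is an assumed choice of identifier, and all sample data is constructed.

```python
import hashlib
import re

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage(extracted, known_hashes):
    """Route each Extracted Data List item to the Relevant Data List or mark it processed.

    extracted: list of (name, content_bytes) recovered from the working copy.
    known_hashes: SHA-256 digests of company files (assumed supplied by the company).
    """
    relevant, processed, new_sources = [], [], set()
    for name, content in extracted:
        digest = hashlib.sha256(content).hexdigest()
        if digest in known_hashes:
            relevant.append({"name": name, "sha256": digest})
        else:
            processed.append(name)
        # Addresses are leads outside the current search scope: record them
        # for legal review instead of acting on them.
        for match in EMAIL_RE.findall(content):
            new_sources.add(match.decode("ascii").lower())
    return {
        "relevant_data": relevant,
        "processed": processed,
        "new_source_of_data": sorted(new_sources),
    }


# Constructed sample data, not from any real case.
COMPANY_FILE = b"Q3 pricing model - internal only\n"
KNOWN = {hashlib.sha256(COMPANY_FILE).hexdigest()}
EXTRACTED = [
    ("pricing_copy.xlsx", COMPANY_FILE),  # renamed but byte-identical
    ("holiday.jpg", b"\xff\xd8\xff\xe0 constructed image bytes"),
    ("notes.txt", b"send to buyer@example.org by Friday\n"),
]

if __name__ == "__main__":
    print(triage(EXTRACTED, KNOWN))
```

Matching on content hash rather than file name means a renamed copy of a company file still lands on the Relevant Data List.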
Initial Determinations
Depending on the complexity of the data, the amount of data retrieved, and the implications of the uncovered data, it may be possible to end the analysis at this point. If the evidence of guilt is overwhelming (for example, if the flash drive found in the employee’s purse contains a significant amount of unauthorized company files), a prosecutor or other legal authority may decide that he or she has enough evidence to move forward with a legal case. In the event that legal proceedings are deemed unnecessary, it may still be possible at this point to make a determination about how the company will handle the matter in terms of punishment or termination. If the data is inconclusive or insufficient to make a determination about how to deal with the employee, further analysis may be needed.
Analysis
In this instance, it is unlikely that a complex analysis of the Relevant Data List will be needed; if the flash drive contains unauthorized files, that is most likely all that will be needed to determine whether to proceed with punitive or legal action against the employee. In a more complex case, it may be necessary to further examine the evidence. Analysts will look for information that will help to determine such things as who accessed particular files, when those files were accessed, and what sort of timeline can be determined based on the available evidence.
Even in a seemingly straightforward case such as this one, it is possible that the analysis will uncover information that is not expected. It is possible, for example, that the analysis will determine that the suspected employee with the flash drive was not the only person who gained unauthorized access to sensitive materials. Such possibilities reinforce the notion that forensic analyses are dynamic by nature; the discovery of new information may serve to further expand the scope of the investigation, necessitating a return to the process of developing and refining the Search Lead List and the subsequent lists used to analyze the data.
Conclusion
Once the analysis is complete, a final list, the Analysis Results List, is prepared for presentation. In this instance, the information is fairly straightforward: the flash drive has been determined to contain unauthorized files and a list of all the relevant data found on the drive is presented. The conclusion of this analysis will present all of the information available about when and how the employee accessed and downloaded the information. A more complex case would also lay out all of the information about anyone else who may have been involved in accessing the unauthorized information, along with any appropriate charts or other tools that connected the dots among those involved, how the information was transmitted and stored, and any other relevant information.
Further Considerations
Did the manager have a legal right to search the employee’s purse? Explain.
While workers have a reasonable expectation of privacy, there are some circumstances under which it is acceptable to search an employee’s belongings. The standard is more restrictive for government and public organizations; it is less so for private organizations. Ultimately a judge may determine whether the search was legally permissible; it is best for an employer to make an effort to determine the need for a search through other means, such as surveillance footage that shows an employee stealing, for example. In this instance, the suspected employee may have left an electronic record of her unauthorized activity, which may serve as the basis for a reasonable search.
Does the alleged activity constitute a crime? Explain.
This is a difficult area of determination. The company’s AUP did not prohibit personal use of company files, but it did prohibit their removal from the premises. The employee was not found to have removed the files from the premises, so technically she did not violate the AUP. Data theft is, however, still a crime, and it is likely that the employee could be prosecuted, especially if further investigation determined that she had taken files off premises at other times.
Assuming that a crime may have been committed, what steps should be taken in initiating the investigation?
In this instance, the manager may have acted inappropriately by conducting a search of the employee’s purse without permission. According to the available information, however, the company did then contact law enforcement, which would be the appropriate next step.
What are the critical considerations in assembling the body of evidence?
The primary consideration in this investigation was to acquire the flash drive containing the unauthorized files. The forensic report will contain the bulk of the necessary evidence, as it will demonstrate how and when the employee accessed the information, as well as information about who else may have acted in a similar fashion.
What are your legal and ethical responsibilities as a system forensics professional and expert witness?
The computer forensic analyst has an ethical duty to correctly identify and document the incident in question. He or she must adhere to standards of accuracy and authenticity, and must be well-versed in the expertise needed to conduct forensic analyses. Forensic equipment must be properly maintained and used, and proper documentation of all steps of the process must be carried out.
Analyze and explain the employment of any and all computer forensics tools used in your investigation.
In this investigation, the primary tools used were those that created the digital image of the original flash drive and the forensic interface used to analyze the data. It was a fairly simple examination, where the main consideration was simply to determine if unauthorized files existed on the flash drive.