Digital Forensics Investigative Plan For Global Finance Company

Justification for Digital Forensic Methodology

As part of the auditing team, in the capacity of a Digital Forensics expert, your task is to prepare a digital forensics investigative plan that enables systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. Assuming all systems are Windows based, the plan should detail the following:

(1) Justify why use of the digital forensic methodology and approach is warranted, including procedures for corporate investigation. (Apply to the case study)


(2) Describe the resources required to conduct a digital forensic investigation, including team member skill sets and required tools. (Apply to the case study)

(3) Outline an approach for data/evidence identification and acquisition that would occur in order to prepare the auditors for review of the digital evidence. (Apply to the case study)

(4) Outline an approach and the steps to be taken during the analysis phase, making the assumption that the computer system is a Microsoft Windows-based computer. (Apply to the case study)

(5) Create a table of contents for the investigative plan describing what the primary focus of the report would be. (Apply to the case study)

Global Finance Company is one of the largest companies in Australia, with 10,000 employees placed in branches all over the world. The company has multiple sectors of interest, including investment, superannuation and retirement services. Its clients range from individuals to large corporate and superannuation fund investors. Its expertise covers fixed interest, property, private equity, infrastructure and global shares. The company started its global business in the year 2000 with the support of information technology. Information security has become a concern in the years since the IT infrastructure was set up. After a suspected compromise at one of its regional branches, the company has commissioned a digital forensic audit team to explore the sources of the compromise, with the aim of applying secure practices throughout all its branches worldwide.

A concern has been raised at the Queensland branch, one of the regional branches, following a suspected compromise of a manager's computer. The information security officer at head office, who is accountable for the incident, has commissioned an audit team to investigate the source of the compromise and submit a report to the officer. The case study covers the complete digital forensic process carried out by the audit team.

Global Finance Company and the Concern 

Global Finance Company is an international player in the financial market with 10,000 employees working throughout the world. The company provides financial services both within and outside Australia. It computerised and networked all its branches by setting up an information technology infrastructure worldwide in the year 2000. Since then, information security has not been treated as a priority and no corresponding measures have been taken.

Recently a concern was raised by one of the managers at a regional branch regarding the security of information, as the manager suspected that the computer they used had been compromised. With no active monitoring of information security, and with network segmentation and firewalls poorly implemented, the information security officer took the suspicion seriously and commissioned a digital forensic audit team to investigate the concern and report back to the officer. The proposed investigation covers the data present on the manager's computer: MS Word documents, spreadsheets, Outlook mail and also deleted files.

Resources Required for Digital Forensic Investigation

The information security officer understands that the computers and networks in the regional branches are not sufficiently secured, as firewalls and network segmentation are poor. The officer has therefore proposed a macro-level investigation under a digital forensic methodology, which includes sub-disciplines such as computer forensics, mobile forensics and data recovery.
Whatever digital forensic methodology the audit team applies, the team must abide by the following principles, which apply to investigations in a private company.

1. The data present on the targeted computers must be preserved as is and must not be modified, as the same data has to be presented as reference in the report.
2. Audit team members must have sufficient expertise to handle the original data safely, as that data is a valuable and significant resource of the company.
3. The audit trail and all documentation involved in the entire process must be preserved.
4. The information security officer is solely responsible for the audit and for the security of the company's information.

The scope of the investigation involves the following.
1. To identify all possible malicious activities, explored through the 5 Ws (why, where, what, when and who), that caused the compromise of the manager's computer
2. To identify the security lapse
3. To identify all possible digital evidence from every computer and associated network present in the Queensland branch office
4. To find and analyse the impact of the compromise on the branch
5. To identify the relevant legal procedure where illegal activity or alleged misconduct is found
6. To submit a detailed final report to the information security officer at head office, who decides the consequent actions to be performed to secure the information in all branches of Global Finance.

Figure 1: FSFP Digital Forensic Model

The FSFP digital forensic investigation process is conducted in phases. The phases are:

PHASE 1 – COLLECTION OF REQUIRED RESOURCES 

Collection is the acquisition of the data after identifying, labelling and recording it from all computing devices in the Queensland branch. Data collection is done in two ways: volatile data collection and non-volatile data collection. While the data is being prepared for collection, the impact of the investigation on the company, in terms of downtime and lost productivity, also has to be assessed. The manager's computer should not be shut down, as the running system can give crucial information about the compromise.

Volatile Data Acquisition 

The manager's computer, the target system, is accessed over the LAN. The servers and workstations here run Microsoft Windows. 'cryptcat' (an encrypted netcat) is used to send the output of each live-response command from the target to a listener on the forensic workstation, so that nothing is written to the target's own disk. A trusted tool set, including a known-good cmd.exe, is run from the examiner's read-only media, and every command and its output are recorded. The listener is started first on the forensic workstation, then each command on the target is piped into cryptcat.

On the forensic workstation (listen on port 6543 and save everything received; the key must match on both ends):

cryptcat -l -p 6543 -k key > volatile_output.txt

On the target computer (run the trusted tool and send its output to the workstation; replace <forensic_workstation_ip> with the listener's address):

netstat -ano | cryptcat <forensic_workstation_ip> 6543 -k key

Graphical tools such as RootkitRevealer, TCPView and Process Explorer (Sysinternals) are also used to collect potentially hidden data from the running system. Other Windows-based tools to be used on the Windows systems are:

HBGary FastDump to acquire local physical memory

F-Response to acquire physical memory (and disks) from a remote system over the network

ipconfig /all for collecting the subject system's network configuration

net user and quser for identifying local accounts and logged-on users

doskey /history for collecting the command history of the current console session

driverquery and sc query (or tasklist /svc) for listing loaded drivers and running services; net file lists files currently opened over the network

Volatile data is acquired from various computing resources:

  1. RAM, cache memory and the registry as loaded in memory
  2. Information from firewalls, network diagrams, servers, switches, routers and other networking devices in use
  3. Clipboard contents, a significant potential source for the forensic investigation
  4. Network connections, network data and running processes
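The ordered live-response collection described above, as an added example that is not code from the original plan. The built-in commands are run from most to least volatile, each output is stamped with a UTC time and a SHA-256 so it can be tied to the custody log, and nothing is written to the subject's disk (the examiner redirects the records to removable media). The step list, the runner hook and the sample netstat output used for the offline check are assumptions made for this example.

```python
"""Ordered live-response collection for a Windows host (added example, not code
from the original plan). Commands run from most to least volatile; every output
is hashed and time-stamped. The runner hook lets the logic be exercised offline."""
import hashlib
import subprocess
from datetime import datetime, timezone

# Most volatile first: connections and memory state change within seconds,
# account and patch information changes slowly. (Assumed step list.)
VOLATILE_STEPS = [
    ("network_connections", ["netstat", "-ano"]),
    ("arp_cache", ["arp", "-a"]),
    ("logged_on_users", ["quser"]),
    ("processes_with_services", ["tasklist", "/svc"]),
    ("loaded_drivers", ["driverquery", "/v"]),
    ("command_history", ["doskey", "/history"]),   # only meaningful inside the examined console session
    ("ip_configuration", ["ipconfig", "/all"]),
    ("local_accounts", ["net", "user"]),
    ("installed_patches", ["wmic", "qfe", "list", "brief"]),
]


def run_command(argv):
    """Default runner: execute the command and return what it printed."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def collect_volatile(runner=run_command, steps=VOLATILE_STEPS):
    """Run each step in order; return one evidence record per step."""
    records = []
    for name, argv in steps:
        started = datetime.now(timezone.utc).isoformat()
        output = runner(argv)
        records.append({
            "step": name,
            "command": " ".join(argv),
            "started_utc": started,
            "sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
            "output": output,
        })
    return records


def is_internal(ip):
    """RFC 1918, loopback and link-local addresses are treated as internal."""
    if ip.startswith(("10.", "192.168.", "127.", "[::1]", "[fe80:")):
        return True
    return any(ip.startswith(f"172.{n}.") for n in range(16, 32))


def suspicious_connections(netstat_output):
    """From 'netstat -ano' text, return (remote_endpoint, pid) for every
    ESTABLISHED TCP connection whose peer is outside the internal ranges."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            remote, pid = parts[2], parts[4]
            if not is_internal(remote.rsplit(":", 1)[0]):
                hits.append((remote, pid))
    return hits


if __name__ == "__main__":
    # On the subject host: run from the examiner's media and redirect to that media.
    for record in collect_volatile():
        print(record["step"], record["sha256"])
        if record["step"] == "network_connections":
            print("review:", suspicious_connections(record["output"]))
```

The hash of each output is what later lets the auditors show that the text quoted in the report is the text that was captured; the PID returned by suspicious_connections is matched against the tasklist /svc output collected a few steps later.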

Non Volatile Data Acquisition 

Non-volatile data is collected from permanent storage devices. Copying the non-volatile data from the regional office's systems is called forensic imaging. All t

  1. Permanent storage data from hard disks, USB pen drives, DVDs, CDs, flash drives and remote computers
  2. Online data such as database logs, application logs, web server logs, Windows event logs, firewall logs, IDS logs, antivirus logs and domain controller logs

All non-volatile data is collected from the target manager's computer and must be preserved without modification. Forensic imaging can be done with tools such as FTK (FTK Imager), ProDiscover and EnCase. The audit team copies the data through a hardware write blocker, so the source media can only be read. This differs from ordinary disk cloning, which does not guarantee a complete copy of the media including slack space, unallocated space and file system metadata.
Apart from volatile and non-volatile data acquisition, the audit team also performs online and offline data acquisition. The online tool used for capturing network traffic is Wireshark (formerly Ethereal).
Once the audit team has collected all the digital evidence, it must be documented from beginning to end so that integrity can be maintained. All media are kept read-only until the report is submitted to the information security officer.
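How the integrity of an acquired image is documented and later re-verified, as an added example that is not part of the original plan. The image is hashed once at acquisition, the hashes go into a chain-of-custody record with who collected what and when, and the same function re-hashes the file before analysis so any modification is detected. The item identifier, file name and the tiny stand-in image are assumptions constructed for this example.

```python
"""Evidence integrity record for acquired images (added example, not from the
original plan). Hashes an image at acquisition, records the custody entry, and
re-verifies the file later. Item names and paths below are assumptions."""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so multi-GB images never sit in memory


def hash_file(path: str) -> dict:
    """Return MD5 and SHA-256 of a file. Two algorithms are recorded so that a
    collision in one cannot be used to argue the image was substituted."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(path: str, item_id: str, collector: str, description: str) -> dict:
    """Build one chain-of-custody entry for a freshly acquired image."""
    return {
        "item_id": item_id,
        "description": description,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }


def verify_acquisition(path: str, entry: dict) -> bool:
    """Re-hash the image and compare against the custody record."""
    return hash_file(path) == entry["hashes"]


def write_custody_log(entries: list, log_path: str) -> None:
    """Persist the custody entries as JSON next to the images on read-only media."""
    with open(log_path, "w") as fh:
        json.dump(entries, fh, indent=2)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a few bytes standing in for a disk image so this runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "QLD-MGR-01_disk.E01")   # assumed item/file name
        with open(img, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"NTFS    ")
        entry = record_acquisition(img, "QLD-MGR-01", "auditor A",
                                   "manager workstation, internal HDD")
        write_custody_log([entry], os.path.join(tmp, "custody.json"))
        print(json.dumps(entry, indent=2))
        print("verified:", verify_acquisition(img, entry))
        with open(img, "r+b") as fh:      # simulate tampering: flip one byte
            fh.seek(10)
            fh.write(b"\x01")
        print("verified after modification:", verify_acquisition(img, entry))
```

Run verify_acquisition against every image each time media changes hands and before the analysis phase starts; a mismatch means the image cannot be relied on in the report.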

PHASE 2: EXAMINATION

After the digital evidence is collected, the team carries out a thorough examination with the help of forensic investigation tools. The examination covers the following.

File System Examination

NTFS (New Technology File System) is the file system on the Windows hosts. Its central structure is the MFT (Master File Table), which holds one record of metadata for every file and directory on the volume: names, timestamps, security descriptors and the location of the file's data. Attributes small enough to fit in the record (including the contents of small files) are stored resident inside the MFT record; larger ones are non-resident and point to clusters elsewhere on the disk. A file can carry more than one $DATA attribute: named alternate data streams (ADS) are not shown by Explorer or a plain dir listing, which makes them a hiding place for tools and payloads. An ADS is written as

C:\> echo text_mass > file1.txt:file2.txt

and read back with

C:\> more < file1.txt:file2.txt

dir /r (Windows Vista and later) lists the streams attached to each file.
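A minimal parser for an NTFS MFT file record that lists every $DATA attribute, so named alternate data streams show up beside the default stream even for deleted files whose records still sit in $MFT. This is an added example and not code from the original plan. It applies the update-sequence fixup that NTFS stamps into the last two bytes of each 512-byte sector; a parser that skips that step corrupts any attribute crossing a sector boundary. The record it parses is constructed inside the block so the code runs offline; on the subject image the records come from the $MFT extracted with the imaging tool.

```python
"""Minimal NTFS MFT file-record parser listing $DATA attributes (added example,
not from the original plan). The sample record is built here; only the fields
the parser reads are populated."""
import struct

ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
SECTOR = 512
RECORD_SIZE = 1024


def apply_fixup(record: bytes) -> bytes:
    """Restore the last two bytes of each sector from the update sequence array."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch before offset %d: torn write or corrupt record" % end)
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def data_streams(record: bytes):
    """Return [(name, size, content)] per $DATA attribute. name '' is the default
    stream; any other name is an ADS. content is None for non-resident data."""
    rec = apply_fixup(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    out = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_res, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        if atype == ATTR_DATA:
            name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if non_res:
                size, content = struct.unpack_from("<Q", rec, off + 0x30)[0], None
            else:
                size, c_off = struct.unpack_from("<IH", rec, off + 0x10)
                content = rec[off + c_off:off + c_off + size]
            out.append((name, size, content))
        off += alen
    return out


def build_record(streams):
    """Constructed sample: an in-use 1024-byte record of resident $DATA
    attributes, with fixups applied the way NTFS does."""
    attrs = b""
    for name, content in streams:
        name_bytes = name.encode("utf-16-le")
        name_off = 0x18                                     # right after the 24-byte resident header
        c_off = (name_off + len(name_bytes) + 7) & ~7        # 8-byte aligned content
        alen = (c_off + len(content) + 7) & ~7
        hdr = struct.pack("<IIBBHHH", ATTR_DATA, alen, 0, len(name), name_off, 0, 0)
        hdr += struct.pack("<IHBB", len(content), c_off, 0, 0)
        attr = (hdr + name_bytes).ljust(c_off, b"\0") + content
        attrs += attr.ljust(alen, b"\0")
    attrs += struct.pack("<I", ATTR_END)
    usa_off, usa_count = 0x30, 1 + RECORD_SIZE // SECTOR
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    rec = bytearray(RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_off, usa_count)
    struct.pack_into("<HH", rec, 0x14, first_attr, 1)       # first attribute offset, flags = in use
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                            # save each sector tail, then stamp it
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)


SAMPLE_RECORD = build_record([
    ("", b"A" * 600),                                       # default stream crosses the sector boundary
    ("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("payload", b"MZ\x90\x00constructed"),                  # assumed ADS hiding an executable
])

if __name__ == "__main__":
    for name, size, content in data_streams(SAMPLE_RECORD):
        label = "default" if name == "" else "ADS " + name
        print(f"{label:24s} {size:5d} bytes  {content[:16]!r}")
```

The default stream is deliberately long enough to straddle the first sector boundary: without apply_fixup the two bytes at offset 510 would read as the sequence number instead of the file's own data, which is exactly the kind of silent error that undermines evidence.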

Windows Registry Examination 

The team treats the Windows registry as a critical source: every key carries a last-write timestamp, and the hives record installed software, autostart entries and user activity, which can reveal modifications made around the time of the compromise.

The Windows registry structure, in terms of its root keys, is:

HKEY_CLASSES_ROOT

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_LOCAL_MACHINE

Autostart locations: registry keys (for example the Run and RunOnce keys and the Services key) whose entries are launched without user initiation; these are the usual persistence points for malware.

Most Recently Used (MRU) lists: record recently opened documents, typed paths and executed commands, showing recent user activity.

User activity: actions performed by the user on the target computer can be investigated through HKEY_CURRENT_USER, which is the NTUSER.DAT hive of that user.

The audit team can gather further clues from UserAssist, wireless SSIDs, USB removable storage history and many other keys. Much of the important evidence comes from this historical data on the target computer.
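A decoder for UserAssist entries, as an added example that is not code from the original plan. Windows records each program the user launched through Explorer under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count, with the program name ROT13-encoded in the value name and the run count and last-run FILETIME in the value data (72-byte layout on Windows 7 and later). The example packs a sample value itself so it runs offline; the program path and timestamps are constructed, and on the subject host the values would be read from the exported NTUSER.DAT hive.

```python
"""Decoder for Windows 7+ UserAssist registry values (added example, not from the
original plan). Sample value below is constructed for this example."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC; 0 means never run."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist Count entry: ROT13 name, run count, focus count,
    focus time (ms at offset 12) and last-execution FILETIME at offset 60."""
    if len(data) < 68:
        raise ValueError("unexpected UserAssist data length %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000.0,
        "last_run_utc": filetime_to_datetime(last_ft),
    }


def build_userassist(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Constructed helper: pack the fields the way Windows lays them out, so the
    decoder can be demonstrated without a live registry."""
    delta = last_run - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, ft)
    return bytes(data)


if __name__ == "__main__":
    # Assumed program path and time; the name is stored ROT13-encoded in the registry.
    sample_name = codecs.encode(r"C:\Users\manager\Downloads\invoice_viewer.exe", "rot_13")
    sample_data = build_userassist(3, 2, 45_000,
                                   datetime(2013, 5, 14, 2, 17, 30, tzinfo=timezone.utc))
    print(sample_name)
    print(decode_userassist(sample_name, sample_data))
```

A last-run time outside the manager's working hours, for a program in a Downloads or Temp directory, is the kind of entry the examiner lines up against the logon events in the timeline.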

Database Forensic Examination 

Any database stored on the manager's computer is tracked by the team in terms of identification, preservation and analysis, including the remote connections and IP addresses that indicate authorised or unauthorised access to the target computer. The team reviews the Data Definition Language (DDL) and Data Manipulation Language (DML) activity recorded in the transaction logs. With a customised configuration, the team runs Dynamic Management Views (DMVs) and the Database Consistency Checker (DBCC) to recover connection, session and transaction information.

Network Forensic Examination 

Packet capture and analysis is performed on the branch network to track traffic such as browsing, queries and mail. Network forensics serves two purposes: security-related data, used to understand the attack, and law-enforcement-related data, preserved so it is usable as evidence if misconduct is found. From the network side the audit team can further obtain system information, process and service listings, logged-on users, registry data, network connections and a memory dump of remote hosts. Packet sniffers are also used for host identification and network mapping, reconstruction of email communication, OS fingerprinting and more.

PHASE 3 – ANALYSIS 

After every piece of data has been examined for signs of unauthorised activity, the team analyses it for the following:

  1. Unusual or hidden files
  2. Unusually open sockets
  3. Unusual accounts
  4. Unusual application requests
  5. Malicious activities
  6. Complete file system analysis
  7. Complete memory analysis
  8. Patch level and update status of the system
  9. Complete timeline analysis
  10. Malware analysis
  11. Complete event correlation analysis

Malware analysis is carried out in depth, as malware is the most likely source of the compromise; it includes sub-tasks such as prefetch examination and registry examination. The audit team may use static analysis, dynamic analysis or both.
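Timeline construction and event correlation over Windows event log records, as an added example that is not code from the original plan. The records are constructed to mimic an export from the Security and System logs of the manager's workstation: repeated logon failures (4625) followed by a successful remote logon (4624, type 10) from an outside address, a process start (4688) and a service installation (7045). Field names, the external address (from the 203.0.113.0/24 documentation range) and the thresholds are assumptions for this example.

```python
"""Timeline and event correlation over Windows event records (added example,
not from the original plan). EVENTS is a constructed sample export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, log, event_id, fields); times are local branch time.
EVENTS = [
    ("2013-05-13 22:58:01", "Security", 4625, {"user": "manager", "src_ip": "203.0.113.45", "logon_type": 10}),
    ("2013-05-13 22:58:09", "Security", 4625, {"user": "manager", "src_ip": "203.0.113.45", "logon_type": 10}),
    ("2013-05-13 22:58:17", "Security", 4625, {"user": "manager", "src_ip": "203.0.113.45", "logon_type": 10}),
    ("2013-05-13 22:59:40", "Security", 4624, {"user": "manager", "src_ip": "203.0.113.45", "logon_type": 10}),
    ("2013-05-13 23:01:12", "Security", 4688, {"user": "manager", "process": r"C:\Windows\Temp\svchost.exe"}),
    ("2013-05-13 23:01:55", "System",   7045, {"service": "WinUpdateHelper", "image": r"C:\Windows\Temp\svchost.exe"}),
    ("2013-05-14 08:30:05", "Security", 4624, {"user": "manager", "src_ip": "127.0.0.1", "logon_type": 2}),
]

INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


def is_internal(ip):
    """RFC 1918 and loopback addresses count as inside the corporate network."""
    return ip.startswith(INTERNAL_PREFIXES) or any(ip.startswith(f"172.{n}.") for n in range(16, 32))


def build_timeline(events):
    """Parse timestamps and sort, so records from different logs read in one order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), log, eid, f) for ts, log, eid, f in events]
    return sorted(parsed, key=lambda e: e[0])


def correlate(timeline, fail_threshold=3, window=timedelta(minutes=10)):
    """Return findings as (kind, time, detail): password guessing followed by a
    success from the same address, remote logons from outside the corporate
    ranges, and service installs shortly after such a logon."""
    findings = []
    failures = defaultdict(list)   # src_ip -> timestamps of 4625
    remote_logons = []             # timestamps of external remote logons
    for ts, log, eid, f in timeline:
        if eid == 4625:
            failures[f["src_ip"]].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[f["src_ip"]] if ts - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("password_guessing_then_success", ts, f["src_ip"]))
            if f["logon_type"] == 10 and not is_internal(f["src_ip"]):
                findings.append(("external_remote_logon", ts, f["src_ip"]))
                remote_logons.append(ts)
        elif eid == 7045 and any(ts - t <= window for t in remote_logons):
            findings.append(("service_installed_after_remote_logon", ts, f["image"]))
    return findings


if __name__ == "__main__":
    timeline = build_timeline(EVENTS)
    for ts, log, eid, f in timeline:
        print(ts, log, eid, f)
    for finding in correlate(timeline):
        print("FINDING:", *finding)
```

The three findings together answer the who, when, where and how of the scope statement: an outside address guessed the manager's password, logged on over Remote Desktop at night, and installed a service pointing at a binary in a temporary directory, which is then the sample handed to malware analysis.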

PHASE 4 – FINDINGS 

The findings are then listed by the audit team and summarised as follows:

  1. How the attacker identified and reached the manager's computer through remote access
  2. OS patches missing on the target computer, if any
  3. The source of the compromise of the computer
  4. The suspected malware

PHASE 5 – REPORT 

The audit team finally produces the report in one of the accepted formats: verbal report, formal report, examination plan or written report. In this case a formal written report is produced and submitted to the information security officer at head office.

Purpose of the Report

The report presents the formally investigated digital evidence for every source of compromise found on the manager's computer and on the other computers in the regional office.

Author of the Report

The digital forensic audit team; the report is submitted to the Information Security Officer at head office.

Incident Summary

The source of the compromise of the manager's computer, with the causes established by the analysis (listed as x1, x2 and x3 until the analysis is complete)

Evidence

Every log file and every significant item of digital evidence tracked in the investigation, with its acquisition hashes and chain of custody

Analysis

Analysis of the unauthorised activity, drawn from the sources examined (x, y and z)

Conclusion

The manager's computer and every other computing device in the regional office have been thoroughly investigated and the sources of compromise identified

Supporting Documents

Volatile and non-volatile data, registry information, log information and every report generated by the analysis tools

The manager's computer, suspected of compromise, and the other computing devices in the same regional office have been thoroughly examined for authorised and unauthorised activity, and the source of the compromise has been identified. The final report is submitted to the accountable person, the information security officer.

