issc 351 discussion response 1

Need at least a 100-word response to the students' discussions that will be posted below. Also below in bold are the questions that we were asked.

Questions:

You are a computer forensics investigator for a law firm. The firm acquired a new client, a young woman who was fired from her job for inappropriate files discovered on her computer. She swears she never accessed the files.

1. What questions should you ask and how should you proceed?

2. What is chain of custody and why must it be followed in investigations?


Student one-

In order to help her prove her innocence you'd need to think about the circumstances. If she's telling the truth, which, having been hired by her law firm, you must presume, the goal is to believe her side and prove her innocence. So, if she didn't actually access the files, the forensic investigator's goal is to prove that there is reasonable doubt that she didn't do it. If she didn't do it, then how did the files get there? I'd ask her if she had a habit of leaving her computer unlocked and unattended. I'd also want to know if she had ever shared her login information with anyone. These two things could easily allow another person access. I'd want to know what kind of protection the company had on their computers, like antivirus and whatnot. Knowing if anyone she worked with might have a reason to frame her would also be pertinent information. Without more information on the situation I don't really know how to proceed. I'm guessing the computer belongs to the company she was fired from, so the woman's lawyers wouldn't have access to it, nor would the forensics investigator.

Chain of custody is the documentation of every step and movement made with evidence. If the evidence is physical, every time it changes hands it has to be written down. With digital forensic evidence, every move you make on the machine or device needs to be accounted for. Being able to retrace every movement made will help prevent the evidence from being rendered inadmissible in court proceedings. (Easttom, C.)

Easttom, C. System Forensics, Investigation, and Response PDF VitalBook. [VitalSource]. Retrieved from https://online.vitalsource.com/#/books/97812840383…

-Rebecca

Student two:

As an investigator, I would ask the following questions:

1. Do you have your password written in a location that other personnel know of?

2. Do you leave your machine unlocked when away?

3. Does your company allow you to remote into your network or give remote access to your computer?

4. Do you have any administrative permissions to your machine or network? If so, have you disabled any anti-virus protection or firewall?

5. What activities have you conducted on your machine? (website access, social media access, streaming sites)

6. Has anyone prompted you or inquired as to your account information, stating they were from IT or the networking department to conduct updates or other various activities?

7. Do you know the individual who worked at the client prior to you and when they left?

After asking the client that was fired those questions, I would then ask to see the standard processes that the company takes for all users: how many have privileged access, what type of training is given to the users to determine if the users understand their responsibilities on the network, how often the company conducts updates to its network, if they have a type of IDS/IPS (if they do, how do they manage it), what kind of peripheral devices are on the network, and the topology of the network (to include any VPN connections or remote access allowed). I would also ask the company who worked at the machine prior and if there are any requirements to validate computers before other users access them. Once I have an idea as to how the company conducts their daily business, I can then work the affected machine, utilizing various tools to copy the HDD and verify the files accessed and by whom they could have been accessed or created.

2. Chain of Custody is the process of maintaining the exact location of evidence at all times. This is to include where it is located, in whose possession, and what type of modifications or work have been done to it. With computers or electronic media, you don't want to change the specific data on the machine, which is why you make a bit-by-bit copy of the data in order to analyze it. Failure to account for Chain of Custody would nullify your investigative points for that piece of evidence, and it would not be allowed in the court.

-James
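As an added illustration of the chain-of-custody and bit-by-bit-copy points both posts make (this is example code, not from either student or from the Easttom text), the following Python keeps a custody log that re-hashes the evidence at every hand-off and flags the entry at which it stops matching the hash taken at acquisition. The disk-image bytes, item id and custodian names are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit disk image; a real log would read an image file.
ORIGINAL_IMAGE = b"\x00" * 512 + b"MBR-placeholder" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Each hand-off re-hashes the item and compares it with the acquisition
    hash, so any alteration shows up as a break in the chain."""

    def __init__(self, item_id: str, acquired_by: str, data: bytes):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        self.record("acquired", acquired_by, data)

    def record(self, action: str, custodian: str, data: bytes, note: str = "") -> dict:
        digest = sha256_hex(data)
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),  # when the hand-off happened
            "action": action,
            "custodian": custodian,                                # who held it
            "sha256": digest,
            "intact": digest == self.acquisition_hash,             # still the same bits?
            "note": note,                                          # what was done to it
        }
        self.entries.append(entry)
        return entry

    def breaks(self) -> list:
        """Entries at which the evidence no longer matched its acquisition hash."""
        return [e for e in self.entries if not e["intact"]]


def verify_working_copy(original: bytes, copy: bytes) -> bool:
    """A working copy is fit for analysis only if it hashes identically to the original."""
    return sha256_hex(original) == sha256_hex(copy)


def demo() -> CustodyLog:
    log = CustodyLog("HDD-001", "examiner A", ORIGINAL_IMAGE)
    log.record("transferred to evidence locker", "custodian B", ORIGINAL_IMAGE)
    log.record("checked out for analysis", "examiner A", ORIGINAL_IMAGE, "analysis done on verified copy")
    tampered = ORIGINAL_IMAGE[:-1] + b"\x00"  # constructed: one byte changed before return
    log.record("returned to locker", "custodian B", tampered)
    return log
```

Running `demo()` yields four entries, and `breaks()` points at entry 4 as the hand-off where the item was no longer intact.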