ITDI 372 AIU Fakery Fakerson Contacted the Office Cybercrime Essay

User Generated

pureelep515928

Computer Science

ITDI 372

American InterContinental University

ITDI

Description

This Unit’s individual project requires you to complete an actual digital forensics report on a case you will create and execute.

To get to the digital forensics report needed for the assignment, download the "Digital Forensics Report Template" from the "Digital Investigations" section of the School of Information Technology’s LibGuide. After going to the LibGuide at this location, click on BSIT, then under ITDI: Digital Investigations, open the 4th file down called "Digital Forensics Report Template."

The template includes four sections. 

You can review already existing cybercrimes or create an example cybercrime in need of an investigation and report. Your report should follow the format below and as illustrated in the uploaded "Digital Forensics" report:

Cover Page (Not counted in page count): Agency Case # – Enter ITDI372U5.

Cover page (Not counted in page count): Investigator Name – Enter your name.

Overview/Case Summary (Page 1-2; 2 paragraphs) – Example: "On today’s date John Doe contacted my office regarding the illegal transfers of Intellectual Property information across Windows 10, using Internet Explorer." Etc. This section can vary in length but must involve enough info for others to understand what led you to start and investigate this case.

  1. Forensic Acquisition & Examination (Page 2-3; 2-3 paragraphs): Provide the details you performed as an investigator from photographing the evidence through acquisition and examination steps.
  2. Findings & Report (Page 3-4; 2-3 paragraphs): Provide details of what an investigator might enter to show what tools were used for the analysis and what was found in the Internet History search.

Unformatted Attachment Preview

1.0 Overview/Case Summary

Example:

1. On today's date, John Doe contacted my office in regards to imaging a stolen laptop computer running Windows® XP Professional that had been recovered. Doe is requesting a forensic examination to see what company documents may have been stolen by the suspect(s) and is requesting a full forensic examination and report for possible criminal charges & civil litigation.

This section will vary in length. You will include any relevant information regarding what led to you as the forensic examiner/analyst becoming involved with the digital evidence. You may be just receiving the forensic image and someone else conducted the forensic acquisition and this is a good place to document that as this will correlate with your chain of custody information that you immediately started once you came into contact with the digital evidence. Remember, this is an overview and a summary of how the case was initialized and where you as the examiner/analyst became involved.

2.0 Forensic Acquisition & Exam Preparation

Example:

1. On today's date I began the forensic acquisition/imaging process of the stolen laptop. Prior to imaging the stolen laptop, I photographed the laptop, documenting any identifiers (e.g., make, model, serial #), unique markings, visible damage, etc. while maintaining chain of custody.
2. Using a sterile storage media (examination medium) that had been previously forensically wiped and verified by this examiner (MD5 hash value: ed6be165b631918f3cca01eccad378dd) using ABC tool version 1.0. The MD5 hash value for the examination medium yielded the same MD5 hash value as previous forensic wipes to sterilize this media.
3. At this point, I removed the hard drive from the stolen laptop and connected it to my hardware write-blocker, which is running the most recent firmware and has been verified by this examiner. After connecting the hardware write blocker to the suspect hard drive, I connected the hardware write blocker via USB 2.0 to my forensic examination machine to begin the forensic imaging process.
4. Etc, etc.

This section is very important, as you must detail your interaction with the digital evidence and the steps taken to preserve and forensically acquire the evidence. Any additional steps that you take (e.g. forensically wiping storage/examination media, etc.) should be notated in this section of your report. Remember, this section of your report is usually where you as the examiner/analyst came into contact with the digital evidence and thoroughly documenting what you have done is very important to the integrity of the digital evidence and your chain of custody.

Examiner's Tip: You should have a digital camera in your forensic toolkit. Take a picture of the evidence and document each step of the forensic acquisition and preparation process. Regardless, if you include the picture in your report or as an exhibit, this picture is a perfect field note for you as the examiner to reference when completing your report.

• You will also need to include that you verified your forensic image and notate the hash values (e.g., MD5, SHA-1).
• You will also need to briefly describe the process you used when making a working copy from the forensic image of the original evidence.

3.0 Findings and Report (Forensic Analysis)

Example:

1. After completing the forensic acquisition of the stolen laptop I began analyzing the forensic image of the stolen laptop with Forensic Tool
2. I used the following tools for forensic analysis, which are licensed to this examiner:
   o Guidance® Software's EnCase® 6.17
   o SANS Investigative Forensic Toolkit (SIFT) Version 2.0
   o Internet Evidence Finder v3.3
   o RegRipper by Harlan Carvey
   o Microsoft® Excel 2007
3. A review of the Internet history using Internet Evidence Finder, the following data was recovered from sector 117004, which shows a Facebook email between John Doe and Jane Doe. Further analysis shows that a John Doe logged into his Google Mail account. See screenshots below:

   John Doe logging into Google Mail account.
   John Doe logging into Google Mail account.

This is the most detailed section of your investigation. You will include all artifacts that you find during your analysis relating to the case.

Examiner's Tip: A very good practice when you are including your evidence into your report is to include hyperlinks within your report to link to pictures, documents, etc. Make sure you test and validate that the hyperlinks work properly so when your report is being reviewed, the reader can navigate easily to the evidence that you are including in your report.

4.0 Conclusion

In this section, you are basing your conclusion off the forensic evidence. Remember, the goal of the forensic examination is to report the facts, regardless if the evidence is inculpatory or exculpatory in nature.

Ref: https://www.sans.org/blog/intro-to-report-writing-for-digital-forensics/

2021 Digital Forensic Report

AGENCY CASE # ITDI372U5
INVESTIGATOR RACHAEL CAMPBELL

Case Overview & Summary

On 12/04/2021, Fakey Fakerson contacted the office with questions on how to acquire and document the information on a stolen laptop computer running Windows® 8 Home edition that had been recovered. Fakerson is now requesting a full forensic examination to recover any information on what company the suspects may have stolen documents. He then requested a complete forensic examination and report for possible criminal charges and civil litigation that may follow. Fakerson then brought the recovered laptop to the office. The time was 6:45 pm on 12/04/2021, when Mr. Fakey Fakerson acquired full access to the recovered laptop. At this time, the imaging process was started on the recovered laptop.
The previous finding will also be listed in the findings of this report. The laptop that will be imaged was recovered. It had been stolen from the highly notarized company HomeLife Software Development. The laptop was left in one of their programmers, and it is thought to have unreleased new software demographics and applications, which are highly valuable. Mr. Fakey Fakerson is seeking our services to image the laptop for information on what and other information the thieves could have acquired.

2.0 Forensic Acquisition & Exam Preparation

On 2/05/2021, photographs of the laptop were taken before imaging the stolen laptop, documenting any identifiers:

HP Notebook
Product: 6DBD8UA#AB
Serial #: CND9225BYQ
Born on Date: 10/25/2019

The laptop had visible marks where stickers had been removed and visible wear on the mouse pad and right and left pad buttons. While maintaining chain of custody at this time, 6:45 pm on 12/05/2021, the acquisition/imaging process was started using FTK. Using ABC tool version 1.0 on a sterile storage device (examination medium) that had previously been forensically cleaned and confirmed by this examiner (MD5 hash value: ed6be165b631918f3cca01eccad378dd). The MD5 hash value for the examination medium was the same as the MD5 hash value obtained from earlier forensic wipes used to sterilize this media. This examiner then removed the stolen laptop's hard disk and linked it to the hardware write-blocker, which had been updated to the most recent firmware. It began the forensic imaging procedure by connecting the hardware write blocker to the suspect hard disk and then through USB 2.0 to the forensic examination workstation.

This section is critical, as you must detail your interaction with the digital evidence and the steps taken to preserve and forensically acquire the evidence. Any additional steps that you take (e.g. forensically wiping storage/examination media, etc.) should be notated in this section of your report.
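The template asks the examiner to record that the forensic image was verified by hash (e.g., MD5, SHA-1) and to describe how the working copy was made. The following is an added example, not part of the template or of the student's report, showing one way to perform and check that step; the file names, function names and the three-byte sample "image" are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in memory


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_working_copy(image_path, copy_path, acquisition_hashes):
    """Verify the image against the recorded hashes, copy it, verify the copy."""
    image_hashes = hash_file(image_path, tuple(acquisition_hashes))
    if image_hashes != acquisition_hashes:
        raise ValueError(f"image does not match acquisition hashes: {image_hashes}")
    shutil.copyfile(image_path, copy_path)
    copy_hashes = hash_file(copy_path, tuple(acquisition_hashes))
    if copy_hashes != acquisition_hashes:
        Path(copy_path).unlink()  # never analyze a copy that differs
        raise ValueError(f"working copy differs from image: {copy_hashes}")
    Path(copy_path).chmod(0o400)  # working copy is read-only for the owner
    return {"image": image_hashes, "working_copy": copy_hashes}


def demo():
    """Run on a constructed 'image' (not real evidence), then on an altered one."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "evidence.dd")
        image.write_bytes(b"abc")  # constructed sample content
        recorded = hash_file(image)  # values noted at acquisition time
        result = make_working_copy(image, Path(tmp, "working.dd"), recorded)
        image.write_bytes(b"abd")  # simulate a one-byte change to the image
        try:
            make_working_copy(image, Path(tmp, "working2.dd"), recorded)
        except ValueError:
            return result, True  # the change was detected before any copy was made
        return result, False


if __name__ == "__main__":
    print(demo())
```

The digests returned for the image and for the working copy are the values that go into the acquisition section of the report, alongside the tool name and version used to produce them.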

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.

Digital Forensic Report Outline
1.0 Case Overview & Summary


The need to have a forensic investigation process was possible when Fakery Fakerson
contacted the office. On April 4, 2021, he asked questions on the possibility of
acquiring and documenting the information on a recovered Windows 8 Home edition
computer that had been stolen.



The contact was meant to assist him in having a complete forensic examination on the
computer to recover important information—the information to be recovered focused
on identifying the company that had lost its documents to the suspects.



Fakerson also requested a complete forensic examination and report for possible
criminal charges and civil litigation to follow the process.

2.0 Forensic Acquisition & Exam Preparation


Since Mr. Fakey Fakerson has abundant faith in our offices, we promised him that we
would come up with the right information concerning the issue with the case. Several
considerations had to be undertaken during the investigation period:

I. The first issue included the growing nature of the computer forensics field. Therefore,
it was important to remain focused on identifying the hidden issues surrounding the
nature of the suspects acquiring the sensitive information.

II. The second consideration included knowing if the laptop was connected to the
internet when the suspects were stealing documents. Through this, one can track
the movement of the laptop and the methodologies such as phishing, manual
information access, and malware used to steal the information.

III. The third consideration is the position of the suspects and theft associated with the
laptop. It becomes crucial to identify their objective in uncovering premeditated
criminal intent to prevent future cybercrimes (Umar et al., 2018).

3.0 Findings and Report (Forensic Analysis)


The conclusion of the forensic acquisition process associated with the stolen laptop
influenced a need to focus on a possible way to undertake a forensic analysis.



The forensic analysis had to be thoroug...

