
EhcnEbwn

Computer Science

Description

You have been hired to perform computer investigations and forensics analysis for a company. You find that no policies, processes, or procedures are currently in place. Do an Internet search to find information, and then create a policy and processes document to provide the structure necessary for your computer lab environment.

Unformatted Attachment Preview

Lab #10 Case Study in Computer Forensics: Pharmaceutical Company
(Student Lab Manual. Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com)

Introduction

During a criminal investigation, police might confiscate an object they believe was involved in a crime, such as a weapon or an article of clothing. They confiscate the object, document details about it, and keep it safe. It is important how the police handle the object in case the object is used as evidence at a trial. For a trial, the prosecutor must be able to show that the object is indeed the same object confiscated by the police. Police document their handling of evidence with what is known as a chain of custody, and the requirement is the same for electronic evidence as it is for physical evidence.

In this lab, you will look at the chain of custody procedures for digital evidence, review a computer forensics case study, and create a security incident response form to capture the steps needed to maintain chain of custody.

Learning Objectives

Upon completing this lab, you will be able to:
- Identify the key steps in maintaining chain of custody for digital evidence used in a court of law.
- Review a computer forensics case study and identify how and what evidence was captured.
- Relate chain of custody to a computer forensics case study for using digital evidence in a court of law.
- Create a security incident response form capturing the steps needed to maintain chain of custody integrity when responding to a security breach.

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file;
2. Lab Assessments file.

Instructor Demo

The Instructor will present the instructions for this lab. This will start with a general discussion about the proper methods for handling physical evidence when trying to find digital evidence used as legal evidence. The Instructor will then present an overview of the pharmaceutical company case study.

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.

3. Review the following computer forensics case study of a pharmaceutical company. The text for this case study originated at: http://www.evestigate.com/Case_Studies/Case%20Study%20Prescription%20Drug%20Diversion%20Brand%20Protection.pdf. This case study can be freely distributed if no portion of it has been changed, including the following contact information: Toll Free: 1-800-868-8189; Int. Phone: 727-287-6000; http://www.evestigate.com. (Global Digital Forensics, GDF, is a computer forensics consulting firm that is referenced throughout the case study below.)

Global Digital Forensics Case Study: Drug Diversion

Case Type: Prescription Drug Diversion, Anti-Counterfeit, Brand Protection, and International Computer Forensics
Environment: On-Site Seizure at Several Locations throughout the United States and Canada
Industry: Pharmaceutical
Systems Involved: Desktops, Laptops, E-mail, and Handheld Devices

Case Background

A pharmaceutical company began receiving complaints from its representatives in certain geographical areas that sales of normally high-volume drugs were slowing down considerably. The company's internal security department as well as the security departments of its major distributors began an investigation. The results of the investigation led the security professionals to believe a significant amount of the company's product was being diverted from foreign countries into the United States and sold through smaller distributors who specialized in sales to local, privately owned pharmacies and dispensaries in nursing homes. The diversion activities were immediately reported to the local authorities in the regions as well as to the FDA.

An investigation was immediately launched, and millions of dollars of diverted drugs and repackaging equipment were seized from several locations, including the warehouses of fully licensed pharmaceutical distributors. Along with the diverted product, the computers and other electronic equipment were also seized. The seizure went smoothly and the company was satisfied, as were investigators from the FDA and local law enforcement. However, the case was severely hindered by the fact that the majority of communications between the principals of the distribution companies (foreign nationals) and the foreign suppliers was conducted by e-mail. There were also no significant paper records on site.

While the local authorities and the FDA had access to computer forensic labs, both faced similar roadblocks in their investigations. The labs were severely backlogged, and the systems were encrypted, fairly complex, and recorded in a foreign language. It became obvious that the investigation would be delayed until one of the labs cleared some high-priority cases and could dedicate the time required to forensically analyze the computers from the seizure. Time was of the essence. Everyone knew that the computer forensics had to begin immediately if the diversion was to cease and the case be successfully prosecuted. Because the suspects claimed they were reshipping the drugs outside the U.S. (a legal practice) and had shipping bills that appeared to back this statement up, documentation from the computers was essential. If computer forensic analysis was delayed, it was almost assured that the U.S. Attorney's Office would drop the charges.

GDF Involvement

The company called in GDF and, working in cooperation with the local authorities as well as with the FDA and the U.S. Attorney's Office, GDF was able to commence computer forensic analysis of the computers seized at the pharmaceutical warehouses and provide the information and artifacts recovered during the analysis to the U.S. Attorney's Office. GDF dispatched a Mobile Computer Forensics Lab and, along with investigators from the U.S. Attorney's Office, created forensically sound copies of the hard drives seized from the warehouses to be used to conduct the computer forensic analysis. Strict chain of custody was maintained, and the computer forensics was conducted under the supervision of the U.S. Attorney's Office following all accepted computer forensic methodologies.

The Findings

GDF Computer Forensic Specialists were able to decrypt and extract a wealth of information from the systems that were forensically analyzed. By conducting a complete computer forensic analysis of all the data the hard disks contained, GDF was able to provide documentation showing that the diverted drugs were being purchased from distributors in Europe and Canada and being shipped to the U.S. in what appeared to be legitimate transactions. The computer forensic analysis also showed that the distributor had purchased equipment to unwrap the foreign drugs as well as repackaging equipment, all signs of a legitimate drug repackaging and exporting company. GDF's computer forensic analysts were also able to extract documents showing that the owners of the distributors also controlled several pharmacies in the area as well as several nursing homes and ACLF facilities, all of which appeared to purchase drugs from the distributors. There were also many invoices for custom vitamins shipped to another distributor just two buildings away that appeared to be controlled by the suspects.

The Outcome

Using the digital evidence the computer forensic specialists gathered, along with the physical evidence, the United States Attorney was able to prove:
1. The distributor was purchasing drugs from foreign sources to be sold within the United States.
2. The distributors were engaged in drug diversion for over 10 years.
3. The distributor was repackaging vitamins manufactured to appear the same as the prescription drugs and selling and shipping them to Asia.
4. The distributor was operating unlicensed pharmacies and nursing homes.

The primary pharmaceutical company sustained over 13 million dollars a year in lost revenue. In addition, the suspects distributed millions of dollars in counterfeit drugs throughout Asia, potentially endangering the lives of hundreds of innocent people. The suspects were convicted and sentenced in the United States and were being investigated in five other countries.

4. On your local computer, open a new Internet browser window.

5. Using your favorite search engine, search for the phrase "chain of custody for digital evidence".

6. In your Lab Report file, define the phrase "chain of custody".

Note: Mishandling evidence or improperly documenting the chain of custody can mean the difference between winning a court trial and the judge declaring a mistrial, losing the case, and paying legal costs.

7. Next, in your Lab Report file, paraphrase what you found in your search for "chain of custody for digital evidence".

8. Using your favorite search engine, search for "security incident response form" to find examples of how and what data needs to be captured from one step or task to the next to follow the proper chain of custody, including sequencing and time/date stamp logging.

Note: How well your team utilizes your security incident response form will determine how quickly the company can detect, respond to, and recover from future incidents. One of the most important steps in security incident handling is the last step, "lessons learned."

9. In your Lab Report file and using the following table, create a security incident response form that captures the chain of custody procedures for the workstations, laptops, e-mail, and handheld devices for each individual in the case study. To follow chain of custody procedures, in the form, address the individual identity or user of the equipment, model, make, serial number, operating systems, applications, and so on. The form should also answer the following questions (each of these should be accompanied with a time/date stamp):
- What is the evidence?
- How did you get it?
- When was it collected?
- Who has handled it?
- Why did that person handle it?
- Where has it traveled, and where was it ultimately stored?

Security Incident Response Forensics Checklist

Note: This form or checklist can be used for workstations and servers and other IT assets (for example, switches, routers, firewalls, and other assets) that have been affected by a security incident or breach. Example "Activities" are listed in the table.

Every row of the checklist records Initials, Date, and Time against one Activity, together with the fields listed for that activity:
- Wipe, Partition, and Format TARGET Media: Serial Number; Software; Partition; Notes
- Create Forensic Boot Disk: Notes
- Verify Software License: License Information; Notes
- Physical Examination of SOURCE Computer: Location; Make & Model; Serial #; Condition (On/Off, Damage); Owner/User; Notes
- Source CMOS Examined: Clock; Notes
- Hard Disk(s) Removed (Unplugged/Prevents Booting from Source): Notes
- Hard Disk Information (how many?): Number of Drives; Make; Capacity; Serial #; Bagged (Antistatic/Evidence Tape); Name of Custodian; Storage Location; Notes
- Description of Collection System From/To Imaging: Notes
- Image Made: Software; Details of Evidence Report; Number of Images; Notes
- File Listing: Notes
- Deleted File Recovery: Notes

Note: This completes the lab. Close the Web browser, if you have not already done so.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:
1. Identify the key steps in maintaining chain of custody for digital evidence used in a court of law. [25%]
2. Review a computer forensics case study and identify how and what evidence was captured. [25%]
3. Relate chain of custody to a computer forensics case study for using digital evidence in a court of law. [25%]
4. Create a security incident response form capturing the steps needed to maintain chain of custody integrity when responding to a security breach. [25%]
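The checklist above lists the activities (examine the source, remove and bag the disk, prepare target media, image, store) and the six questions each row must answer with a time/date stamp, but it does not show how a completed form is kept tamper-evident, or how the "Image Made" row proves the copy is the same as the source. The following is an added example and is not part of the Jones & Bartlett lab or of the GDF case: a small Python chain-of-custody log in which every entry carries timestamp, initials, activity and location (the when, who, how and where columns), commits to the SHA-256 of the previous entry, and records the SHA-256 of the source and of the acquired image so the two can be compared before the row is signed. Evidence ID, seal number, initials, times and the drive contents are constructed for the walkthrough.

```python
"""Chain-of-custody log for a forensic disk image.

Added example; not part of the lab manual or of the GDF case study.
Evidence IDs, seal numbers, initials, times and drive contents are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a device or image file in chunks; run it on the write-blocked source and on the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record in which every entry commits to the previous entry's hash.

    Each entry answers the lab's six questions: what (evidence_id, description),
    how (activity), when (timestamp), who (initials), why (notes), where (location).
    """

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON of everything except the entry's own hash field.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())

    def record(self, initials, activity, location, notes="", when=None, **fields):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "initials": initials,
            "activity": activity,
            "location": location,
            "notes": notes,
            "fields": fields,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, entry count), or (False, seq) for the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries, 1):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, len(self.entries)

    def custodians(self):
        """Who handled the evidence, when, and for what, in order."""
        return [(e["initials"], e["timestamp"], e["activity"]) for e in self.entries]


def build_demo_log():
    """Walk the checklist rows on a constructed drive; returns (log, image_matches_source)."""
    source = b"SAMPLE EVIDENCE DRIVE CONTENTS " * 2048  # constructed stand-in for a seized disk
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed seizure time
    log = CustodyLog("EV-001", "Desktop seized at distributor warehouse (constructed)")
    log.record("AB", "Physical examination of SOURCE computer", "Warehouse A, office 2",
               "seized together with diverted product", when=t,
               make_model="assumed", condition="powered off")
    log.record("AB", "Hard disk removed and bagged", "Warehouse A, office 2",
               "prevents booting from source", when=t + timedelta(minutes=20),
               seal="SEAL-0001 (constructed)")
    log.record("CD", "Wipe, partition, and format TARGET media", "Mobile lab",
               "clean target before imaging", when=t + timedelta(hours=1))
    src_hash = sha256_bytes(source)
    image = bytes(source)  # bit-for-bit copy, as a write-blocked imager produces
    img_hash = sha256_bytes(image)
    log.record("CD", "Image made", "Mobile lab", "image hash verified against source",
               when=t + timedelta(hours=2), source_sha256=src_hash, image_sha256=img_hash)
    log.record("CD", "Evidence stored", "Evidence locker 3", "awaiting analysis",
               when=t + timedelta(hours=3))
    return log, src_hash == img_hash


if __name__ == "__main__":
    log, match = build_demo_log()
    print("image matches source:", match, "| log intact:", log.verify())
    for who, when, what in log.custodians():
        print(when, who, what)
```

In a real acquisition the source hash comes from sha256_file() over the write-blocked device and the image hash over the resulting image file; the "Image made" row should not be initialled until the two agree. Because each entry's hash covers its predecessor, changing or removing any earlier row (for example, editing who handled the disk at step 2) makes verify() fail from that row onward, which is the property the "who handled it and when" columns need if the form is produced in court.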
Lab #10 Assessment Worksheet
Case Study in Computer Forensics: Pharmaceutical Company

Course Name and Number: ________
Student Name: ________
Instructor Name: ________
Lab Due Date: ________

Overview

In this lab, you looked at the chain of custody procedures for digital evidence, reviewed a computer forensics case study, and created a security incident response form to capture the steps needed to maintain chain of custody.

Lab Assessment Questions & Answers

1. List the steps in maintaining chain of custody for digital evidence.
2. Why is it important to follow the chain of custody when gathering evidence?
3. For the computer forensics case, identify what evidence the forensics experts were able to gather.
4. Name two of the things the United States attorney was able to prove in the computer forensics case.
5. What important questions should the security incident response form answer?
6. Why is it important to include a time/date stamp in the security incident response form?

Explanation & Answer

Attached.

Running head: CASE STUDY IN COMPUTER FORENSICS

Computer Forensics:
Incident Response Manual
Name of Students
Institution Affiliation
Date

Introduction
This guide was generated to give guidelines for computer forensic research of Company assets. Four principles must be well thought out when conducting an investigation that includes digital substantiation. These codes will be shadowed when shepherding a computer forensic exploration.
- Data kept on electronic media need not be changed or altered; it must be presumed that the information recovered will be presented in court as substantiation.
- Any individual shepherding a forensic investigation needs to be sufficiently competent in handling the novel data if indispensable. The individual should also be capable of presenting the substantiation and explaining the significance of their activities.
- An inspection or other form of credentials of the...

