Lab #10 Case Study in Computer Forensics:
Pharmaceutical Company
Introduction
During a criminal investigation, police might confiscate an object they believe was involved in a
crime, such as a weapon or an article of clothing. They confiscate the object, document details
about it, and keep it safe. How the police handle the object matters in case it is later used as
evidence at trial, where the prosecutor must show that the object presented is indeed the same
object the police confiscated. Police document their handling of evidence with what is known as a
chain of custody, and the requirement is the same for electronic evidence as it is for physical
evidence.
In this lab, you will look at the chain of custody procedures for digital evidence, review a
computer forensics case study, and create a security incident response form to capture the steps
needed to maintain chain of custody.
Learning Objectives
Upon completing this lab, you will be able to:
Identify the key steps in maintaining chain of custody for digital evidence used in a court of law.
Review a computer forensics case study and identify how and what evidence was captured.
Relate chain of custody to a computer forensics case study for using digital evidence in a court of law.
Create a security incident response form capturing the steps needed to maintain chain of custody integrity when responding to a security breach.
72
Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company - All Rights Reserved.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
Instructor Demo
The Instructor will present the instructions for this lab. This will start with a general discussion
about the proper methods for handling physical evidence when trying to find digital evidence used
as legal evidence. The Instructor will then present an overview of the pharmaceutical company
case study.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
74 | LAB #10 Case Study in Computer Forensics: Pharmaceutical Company
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you
proceed through the lab steps.
3. Review the following computer forensics case study of a pharmaceutical company. The
text for this case study originated at:
http://www.evestigate.com/Case_Studies/Case%20Study%20Prescription%20Drug%20Diversion%20Brand%20Protection.pdf.
This case study can be freely distributed if no portion of it has been changed, including
the following contact information: Toll Free: 1-800-868-8189; Int. Phone: 727-287-6000; http://www.evestigate.com.
(Global Digital Forensics—GDF—is a computer forensics consulting firm that is
referenced throughout the case study below.)
Global Digital Forensics Case Study Drug Diversion
Case Type: Prescription Drug Diversion, Anti-Counterfeit, Brand Protection, and
International Computer Forensics
Environment: On-Site Seizure at Several Locations throughout the United States and
Canada
Industry: Pharmaceutical
Systems Involved: Desktops, Laptops, E-mail, and Handheld Devices
Case Background
A pharmaceutical company began receiving complaints from its representatives in certain
geographical areas that sales of normally high-volume drugs were slowing down
considerably. The company’s internal security department as well as the security
departments of its major distributors began an investigation. The results of the
investigation led the security professionals to believe a significant amount of the
company’s product was being diverted from foreign countries into the United States and
sold through smaller distributors who specialized in sales to locally, privately owned
pharmacies and dispensaries in nursing homes. The diversion activities were immediately
reported to the local authorities in the regions as well as to the FDA.
An investigation was immediately launched and millions of dollars of diverted drugs and
repackaging equipment was seized from several locations, including the warehouses of
fully licensed pharmaceutical distributors. Along with the diverted product, the computers
and other electronic equipment were also seized.
The seizure went smoothly and the company was satisfied as were investigators from the
FDA and local law enforcement. However, the case was severely hindered by the fact that
the majority of communications between the principals of the distribution companies
(foreign nationals) and the foreign suppliers were conducted by e-mail. There were also no
significant paper records on site. While the local authorities and the FDA had access to
computer forensic labs, both faced similar roadblocks in their investigations. The labs
were severely backlogged and the systems were encrypted, fairly complex, and recorded
in a foreign language.
It became obvious that the investigation would be delayed until one of the labs cleared
some high-priority cases and could dedicate the time required to forensically analyze the
computers from the seizure. Time was of the essence. Everyone knew that the computer
forensics had to begin immediately if the diversion was to cease and the case successfully
prosecuted. Because the suspects claimed they were reshipping the drugs outside the U.S.
(a legal practice) and had shipping bills that appeared to back this statement up,
documentation from the computers was essential. If computer forensic analysis was
delayed, it was almost assured that the U.S. Attorney’s Office would drop the charges.
GDF Involvement
The company called in GDF and, working in cooperation with the local authorities as
well as with the FDA and U.S. Attorney’s Office, GDF was able to commence computer
forensic analysis of the computers seized at the pharmaceutical warehouses and provide
the information and artifacts recovered during the computer forensic analysis to the U.S.
Attorney’s Office.
GDF dispatched a Mobile Computer Forensics Lab and, along with investigators from the
U.S. Attorney’s Office, created forensically sound copies of the hard drives seized from
the warehouses to be used to conduct the computer forensic analysis. Strict chain of
custody was maintained and the computer forensics was conducted under the supervision
of the U.S. Attorney’s Office following all accepted computer forensic methodologies.
The Findings
GDF Computer Forensic Specialists were able to decrypt and extract a wealth of
information from the systems that were forensically analyzed. By conducting a complete
computer forensic analysis of all the data the hard disks contained, GDF was able to
provide documentation showing that the diverted drugs were being purchased from
distributors in Europe and Canada and being shipped to the U.S. in what appeared to be
legitimate transactions. The computer forensic analysis also showed that the distributor
had purchased equipment to unwrap the foreign drugs as well as repackaging equipment,
all signs of a legitimate drug repackaging and exporting company.
GDF’s computer forensic analysts were also able to extract documents showing that the
owners of the distributors also controlled several pharmacies in the area as well as several
nursing homes and ACLF facilities, all of which appeared to purchase drugs from the
distributors. There were also many invoices for custom vitamins shipped to another
distributor just two buildings away that appeared to be controlled by the suspects.
The Outcome
Using the digital evidence the computer forensic specialists gathered, along with the
physical evidence, the United States Attorney was able to prove:
1. The distributor was purchasing drugs from foreign sources to be sold within the United
States
2. The distributors were engaged in drug diversion for over 10 years
3. The distributor was repackaging vitamins manufactured to appear the same as the
prescription drugs and selling and shipping them to Asia
4. The distributor was operating unlicensed pharmacies and nursing homes
The primary pharmaceutical company sustained over 13 million dollars a year in lost
revenue. In addition, the suspects distributed millions of dollars in counterfeit drugs
throughout Asia, potentially endangering the lives of hundreds of innocent people.
The suspects were convicted and sentenced in the United States and were being
investigated in five other countries.
4. On your local computer, open a new Internet browser window.
5. Using your favorite search engine, search for the phrase chain of custody for digital
evidence.
6. In your Lab Report file, define the phrase chain of custody.
Note:
Mishandling evidence or improperly documenting the chain of custody can mean the difference between winning a
court trial and the judge declaring a mistrial, losing the case, and incurring legal costs.
7. Next, in your Lab Report file, paraphrase what you found for your search of chain of
custody for digital evidence.
8. Using your favorite search engine, search for security incident response form to find
examples of how and what data needs to be captured from one step or task to the next to
follow the proper chain of custody that includes sequencing and time/date stamp logging.
Note:
How well your team utilizes your security incident response form will determine how quickly the company can
detect, respond, and recover from future incidents. One of the most important steps in security incident handling is
the last step, which is “lessons learned.”
9. In your Lab Report file and using the following table, create a security incident response
form that captures the chain of custody procedures for the workstations, laptops, e-mail,
and handheld devices for each individual in the case study. To follow chain of custody
procedures, the form should identify the individual identity or user of each piece of
equipment and its make, model, serial number, operating system, applications, and so on.
The form should also answer the following questions (each of these should be accompanied
with a time/date stamp):
What is the evidence?
How did you get it?
When was it collected?
Who has handled it?
Why did that person handle it?
Where has it traveled, and where was it ultimately stored?
Security Incident Response Forensics Checklist
Note:
This form or checklist can be used for workstations and servers and other IT assets (for example, switches, routers,
firewalls, and other assets) that have been affected by a security incident or breach.
{Example “Activities” are listed in the table.}
Initials | Date | Time | Activity
---------+------+------+--------------------------------------------------------
         |      |      | Wipe, Partition, and Format TARGET Media
         |      |      |   Serial Number:
         |      |      |   Software:
         |      |      |   Partition Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Create Forensic Boot Disk
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Verify Software License
         |      |      |   License Information:
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Physical Examination of SOURCE Computer
         |      |      |   Location:
         |      |      |   Make & Model:
         |      |      |   Serial #:
         |      |      |   Condition (On/Off, Damage):
         |      |      |   Owner/User:
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Source CMOS Examined
         |      |      |   Clock:
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Hard Disk(s) Removed (Unplugged/Prevents Booting from Source)
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Hard Disk Information (how many?)
         |      |      |   Number of Drives:
         |      |      |   Make:
         |      |      |   Capacity:
         |      |      |   Serial #:
         |      |      |   Bagged (Antistatic/Evidence Tape):
         |      |      |   Name of Custodian:
         |      |      |   Storage Location:
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Description of Collection System From/To Imaging
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Image Made
         |      |      |   Software:
         |      |      |   Details of Evidence Report:
         |      |      |   Number of Images:
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | File Listing
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
         |      |      | Deleted File Recovery
         |      |      |   Notes:
---------+------+------+--------------------------------------------------------
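As an added example (not part of this lab manual or of the GDF case study), the following Python sketch shows one way to capture the checklist's fields in code: every custody entry carries a sequence number, a UTC time/date stamp, initials, activity and notes, and is chained by SHA-256 to the previous entry so that an edited, dropped or reordered entry is detectable, while the "Image Made" step records matching hashes of the source drive and its copy. The drive contents, initials and serial number are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: two sectors standing in for a seized warehouse drive.
SOURCE_DRIVE = (b"\x00" * 512) + b"INVOICE 2011-04-17 custom vitamins".ljust(512, b"\x00")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(source: bytes):
    # Bit-for-bit copy plus hashes of both; unequal hashes mean the copy is not sound.
    image = bytes(source)
    return image, sha256_hex(source), sha256_hex(image)

@dataclass
class Entry:
    seq: int           # position in the custody sequence, starting at 1
    timestamp: str     # UTC time/date stamp in ISO 8601 form
    initials: str      # who handled the evidence at this step
    activity: str      # e.g. "Image Made", "Hard Disk(s) Removed"
    notes: str         # serial numbers, custodian, storage location, hashes
    prev_hash: str     # hash of the previous entry, so reordering is detectable
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = (self.prev_hash, str(self.seq), self.timestamp, self.initials, self.activity, self.notes)
        return sha256_hex("|".join(fields).encode())

class CustodyLog:
    GENESIS = "0" * 64   # prev_hash of the first entry
    def __init__(self):
        self.entries = []
    def record(self, initials, activity, notes="", when=None) -> Entry:
        when = when or datetime.now(timezone.utc)
        if self.entries and when < datetime.fromisoformat(self.entries[-1].timestamp):
            raise ValueError("time stamp precedes the previous entry; sequencing broken")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = Entry(len(self.entries) + 1, when.isoformat(), initials, activity, notes, prev)
        e.entry_hash = e.compute_hash()
        self.entries.append(e)
        return e
    def verify(self) -> bool:
        # Recompute the chain; any edited, dropped or reordered entry fails.
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True
```

A real form would add the custodian, storage location and make/model fields from the checklist to each entry's notes; the chain verification is unchanged.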
Note:
This completes the lab. Close the Web browser, if you have not already done so.
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Identify the key steps in maintaining chain of custody for digital evidence used in a court
of law. – [25%]
2. Review a computer forensics case study and identify how and what evidence was
captured. – [25%]
3. Relate chain of custody to a computer forensics case study for using digital evidence in a
court of law. – [25%]
4. Create a security incident response form capturing the steps needed to maintain chain of
custody integrity when responding to a security breach. – [25%]
Lab #10 - Assessment Worksheet
Case Study in Computer Forensics: Pharmaceutical Company
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you looked at the chain of custody procedures for digital evidence, reviewed a
computer forensics case study, and created a security incident response form to capture the steps
needed to maintain chain of custody.
Lab Assessment Questions & Answers
1. List the steps in maintaining chain of custody for digital evidence.
2. Why is it important to follow the chain of custody when gathering evidence?
3. For the computer forensics case, identify what evidence the forensics experts were able to gather.
4. Name two of the things the United States attorney was able to prove in the computer forensics
case.
5. What important questions should the security incident response form answer?
6. Why is it important to include a time/date stamp in the security incident response form?