Meanwhile, our company will need to implement a full backup to safeguard all our data. Under the full recovery model, the first step is to back up the transaction log. A full backup combined with log backups is equivalent to a full database backup, and starting the backup from the transaction log is the best practice for performing a full database backup. Fig 2 illustrates the strategy for implementing a full backup: the backup starts from the transaction logs, and the next step is to schedule the full database backup and file backups at subsequent intervals to satisfy our company's requirements. In Fig 2, the backups (a, C, B, a) show the order in which the file backups are carried out to satisfy the business requirements. The next step is to place the data backup on separate devices to enhance business continuity.
Fig 2: Data Restore and Back-up Strategy for Our Company
1.4. Create a Detailed Checklist
This section provides a detailed checklist to safeguard our data from the hostile IP address.
Steps and Details Description
First Step: Identification of the hostile IP address, including the country of origin and the website associated with the IP address.
Second Step: Block the IP address from communicating with our systems. We will need to install IP address management software to achieve this objective; the strategy will stop our systems from exporting data to the hostile IP address.
Third Step: Recover our lost data and implement the full backup strategy. SQL Server 2008 R2 is effective in restoring our lost data.
Fourth Step: Place the recovered data on separate devices.
Fifth Step: Inspect the recovered data to confirm that all the data are intact.
Sixth Step: Install an IPS to prevent unauthorized network access to our systems.
Final Step: Install a firewall to block all unwanted traffic from our systems.
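The first two steps of the checklist (identify the hostile address, then stop our systems from sending data to it) can be checked against the IDS and firewall logs that section 1.6 relies on. The following Python script is an added example, not part of this report: it parses constructed connection-log lines, sums the bytes each internal host sent outbound to the hostile address, and renders a Windows Firewall block rule for that address. The log line format, the internal host addresses and the hostile address (203.0.113.45, a TEST-NET-3 documentation address) are all constructed. The address is validated before it is used, because a malformed blocklist entry (an octet above 255, for instance) would never match any packet and the block would silently do nothing.

```python
"""Flag internal hosts exporting data to a known hostile IP address.

Added example, not from the report. The log format, host addresses and the
hostile address (203.0.113.45, a TEST-NET-3 documentation address) are
constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict

# Constructed connection-log lines: timestamp, direction, src, dst, port, bytes.
SAMPLE_LOG = """\
2013-06-25T08:01:12Z conn dir=out src=10.0.0.15 dst=203.0.113.45 dport=443 bytes=5242880
2013-06-25T08:01:40Z conn dir=out src=10.0.0.15 dst=93.184.216.34 dport=443 bytes=1024
2013-06-25T08:03:05Z conn dir=out src=10.0.0.22 dst=203.0.113.45 dport=22 bytes=2097152
2013-06-25T08:04:19Z conn dir=in src=203.0.113.45 dst=10.0.0.22 dport=3389 bytes=300
2013-06-25T08:05:00Z conn dir=out src=10.0.0.15 dst=203.0.113.45 dport=443 bytes=3145728
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def validate_hostile_ip(text: str) -> str:
    """Return the normalised address, or raise ValueError if it is not a real IP.

    A blocklist entry that cannot be parsed would never match any packet, so
    it is rejected before it reaches the detector or the firewall rule.
    """
    return str(ipaddress.ip_address(text.strip()))


def is_valid_ip(text: str) -> bool:
    """Boolean wrapper around validate_hostile_ip for quick checks."""
    try:
        validate_hostile_ip(text)
        return True
    except ValueError:
        return False


def find_exports(log_text: str, hostile_ip: str) -> Dict[str, int]:
    """Sum the bytes each internal host sent outbound to the hostile address."""
    hostile = validate_hostile_ip(hostile_ip)
    totals: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        if m["dir"] == "out" and m["dst"] == hostile:
            totals[m["src"]] += int(m["bytes"])
    return dict(totals)


def block_rule(hostile_ip: str) -> str:
    """Render (not execute) a Windows Firewall rule blocking outbound traffic to the address."""
    hostile = validate_hostile_ip(hostile_ip)
    return (
        'netsh advfirewall firewall add rule name="Block hostile IP" '
        f"dir=out action=block remoteip={hostile}"
    )


if __name__ == "__main__":
    for host, sent in sorted(find_exports(SAMPLE_LOG, "203.0.113.45").items()):
        print(f"{host} exported {sent} bytes to the hostile address")
    print(block_rule("203.0.113.45"))
```

On the sample log the detector reports two internal hosts; the inbound line is ignored because only outbound flows count as exports. The rule text is only rendered, so it can be reviewed before being applied on each affected host.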
1.5. Determine the Resources Needed
Both financial and human resources will be needed to carry out the project. Typically, the company will need to set aside a minimum of $30,000 to carry out the task. The company could use in-house staff or third-party providers to carry out the tasks; to safeguard data integrity, it is critical to use in-house employees. The following resources will be needed for the project implementation:
Purchase of a forensic tool to recover the lost data exported to the hostile IP address,
Installation of SQL Server 2008 for the data backup,
Installation of AutoShun technology or another IP trace technology to block the hostile IP address from gaining access to our data,
Skilled manpower set aside, working with a forensic expert, to implement the project.
1.6. Establishing the Chain of Custody.
The purpose of this chain of custody is to establish the electronic evidence of the export of data to an identified IP address.
On 25 June 2013, Mr. James Anderson, a forensic expert in our organization, collected the evidence that a hostile IP address had corrupted our system, leading all our systems to export data to the hostile IP address. Our intrusion detection system notified us that our systems were exporting data to the hostile IP addresses.
The IP address is 58.1456.1246.1, hosted by a company whose major objective is to commit criminal activities. The documented evidence reveals the file paths of the data lost from our systems to the hostile IP address.
The evidence of the data theft comes from our hard drives, and we have made the following:
An image copy of all the data restored and the data freshly wiped from our system.
An image copy of our operating system logs.
Typically, data were lost to the hostile IP from the following systems:
Data lost from our server,
Data lost from our database,
Data lost from the hard disks of all our computer systems,
Data lost from all software,
Data lost from all our storage devices, which include tapes, USB drives, and the other storage devices we use to store our data.
The types of data stolen from our system and sent to the hostile IP address are as follows:
Credit card information of our clients,
Sensitive data such as SSNs, health information, bank accounts, email addresses, phone numbers, and postal addresses of our clients.
The strategy we use to trace the hostile IP address is as follows:
Use of tracing tools, including Netscan Pro and Neotrace.
Use of IDS logs.
With the assistance of our computer forensic expert, the following professionals also assist in the investigation:
Incident team and corporate security,
Security investigator,
Emergency response core team,
Application owner,
Application developer.
1.7. Obtaining and copying an evidence disk drive.
The report identifies that much of the evidence needed to support our forensic investigation is on the disks, hard drives and other storage devices in our systems. We have used forensic toolkits to locate samples of this evidence. To collect the evidence samples, our company will need to back up all the data that were systematically restored. We also make copies of the following in the course of our investigation:
A copy of all our Windows files, especially the Registry, because it contains a wealth of information,
A copy of our password files, the filesystem, and the shell,
A copy of the hard drive as an evidence disk drive,
From the hard drive, a copy of the restored image and the freshly wiped data,
A copy of our operating system logs.
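Sections 1.6 and 1.7 both depend on being able to show later that a copy of the evidence (the hard drive image, the operating system logs) is identical to what was acquired. The following Python script is an added example, not part of this report, of how that is usually recorded: each custody event (acquired, copied, verified) is logged with the handler, the time and a SHA-256 hash of the item, and a working copy is verified by comparing its hash with the one recorded at acquisition. The evidence bytes, the evidence identifier HDD-IMG-01 and the timestamps are constructed; the handler name is taken from section 1.6.

```python
"""Record a chain-of-custody log for an evidence image and verify a copy is unaltered.

Added example, not from the report. Evidence bytes, the item identifier and
timestamps are constructed; SHA-256 hashing is the standard way to show that a
copy matches the acquired original.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CustodyEntry:
    when: str     # ISO-8601 UTC timestamp
    who: str      # person handling the evidence
    action: str   # acquired / copied / verified / transferred
    item: str     # evidence identifier
    sha256: str   # hash of the item at this point in the chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody log; every entry carries the item's hash at that moment."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, who: str, action: str, item: str, data: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(when.isoformat(), who, action, item, sha256_hex(data))
        self.entries.append(entry)
        return entry

    def verify_copy(self, item: str, copy_data: bytes) -> bool:
        """True if the copy hashes to the value recorded when the item was acquired."""
        acquired = [e for e in self.entries if e.item == item and e.action == "acquired"]
        if not acquired:
            raise KeyError(f"no acquisition entry for {item}")
        return sha256_hex(copy_data) == acquired[0].sha256

    def to_json(self) -> str:
        """Serialise the log so it can be filed with the case report."""
        return json.dumps([asdict(e) for e in self.entries], indent=2)


# Constructed stand-in for the acquired disk image (not real evidence).
EVIDENCE_IMAGE = b"FAKE-DISK-IMAGE-0001\x00" * 64
ACQUIRED_AT = datetime(2013, 6, 25, 9, 0, tzinfo=timezone.utc)


def build_sample_chain() -> ChainOfCustody:
    """Acquire the image, then make the bit-for-bit working copy used for analysis."""
    chain = ChainOfCustody()
    chain.record("J. Anderson", "acquired", "HDD-IMG-01", EVIDENCE_IMAGE, ACQUIRED_AT)
    working_copy = bytes(EVIDENCE_IMAGE)
    chain.record("J. Anderson", "copied", "HDD-IMG-01", working_copy, ACQUIRED_AT)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(chain.to_json())
    print("working copy intact:", chain.verify_copy("HDD-IMG-01", EVIDENCE_IMAGE))
    tampered = EVIDENCE_IMAGE[:-1] + b"\x01"
    print("tampered copy intact:", chain.verify_copy("HDD-IMG-01", tampered))
```

A single flipped byte in the working copy changes the hash and fails verification, which is the property the report relies on when it states that the recovered data have not been altered.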
1.8. Analyzing and recovering the digital evidence.
The analysis phase involves gathering all the recovered data in a central location for interpretation. The data are recovered from the following:
Data files, email, music files, application files,
Internet history files,
Hard disk web activity files.
The analysis of the recovered data revealed that the complete data are restored. The following files were recovered, and the data inside them are complete:
Serial Number and Files Recovered
1. Data in the application files are recovered
2. Operating systems
3. Hard disk drive
4. Card reader
5. Disk storage
6. USB mass storage device class
7. Network-attached storage
8. Optical computer storage
9. Punched card
10. Flash drives, smart cards, re-writable CDs and DVDs
1.9. Investigating the Data Recovered
The report uses the FTK recovery application to investigate the data recovered from the target drive. The application displayed the recovered files, and they showed a complete reconstruction of the restored data. Based on the investigation, there are noticeable differences between the original files and the recovered data: typically, the structure of the files on the FAT32 and NTFS drives differs from that of the original data.
Despite the difference in data structure between the original files and the recovered data, the contents are the same. Thus, our company is able to retrieve all the data, which include:
Credit card information of our clients,
Bank account numbers,
Social security numbers of our clients,
Email addresses,
Addresses,
Health information,
Telephone numbers.
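Confirming which of the data classes listed above are actually present in the recovered files is a step that can be scripted. The following Python script is an added example (not part of this report and not part of FTK): it scans recovered text for card numbers (confirmed with the Luhn checksum so that random digit runs are not counted), US SSNs, email addresses and telephone numbers, and reports counts only, never the values, so the inventory does not itself become another copy of the stolen data. The sample file contents are constructed; bank account numbers have no universal format and are left out.

```python
"""Inventory the classes of sensitive data present in recovered files.

Added example, not from the report and not part of FTK. It counts occurrences
of each data class and never stores the matched values. Sample contents are
constructed.
"""
import re
from typing import Dict

# 13-19 digits with optional space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inventory(text: str) -> Dict[str, int]:
    """Count occurrences of each sensitive data class without retaining the values."""
    counts = {"card_number": 0, "ssn": 0, "email": 0, "phone": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # drop digit runs that are not real card numbers
            counts["card_number"] += 1
    counts["ssn"] = len(SSN_RE.findall(text))
    counts["email"] = len(EMAIL_RE.findall(text))
    counts["phone"] = len(PHONE_RE.findall(text))
    return counts


# Constructed stand-in for the text of a recovered client record file.
SAMPLE_RECOVERED = """\
Client: A. Example, card 4111 1111 1111 1111, exp 09/15
Client: B. Example, card 4111111111111112 (mistyped: fails Luhn)
SSN 123-45-6789, phone (555) 123-4567, email b.example@example.com
Order ref 00012345678 (eleven digits: not matched as a card number)
"""

if __name__ == "__main__":
    for kind, n in inventory(SAMPLE_RECOVERED).items():
        print(f"{kind}: {n}")
```

On the sample text the script counts one card number (the mistyped one fails the checksum), one SSN, one email address and one telephone number; the eleven-digit order reference is not long enough to be taken for a card number.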
1.10. Completing the Case Report
The report documents the incident response and computer forensic investigation carried out on our systems. The work was carried out in adherence to rigorous professional practice protocols for digital forensic handling. The forensic computer investigation revealed that our systems were exporting data to a hostile IP address. Upon investigation, the report identified that the IP address is owned by a company whose objective is to carry out criminal activities. The intention of the owner of the IP address is to steal sensitive information from our systems.
The report used several forensic tools to stop our systems from exporting data to, and communicating with, the hostile IP address. AutoShun technology is used to block the IP address from communicating with our systems. Moreover, the report has taken steps to recover the data exported to the IP address. Although much of the exported data had been deleted from our systems, the report used different forensic tools to recover the data, and the complete data were recovered.
Thus, the report uses a comprehensive approach to discover the evidence and to store the digital evidence that will assist our organization in tracking the criminals. The report also uses a standard digital evidence recovery procedure to restore the lost data exported to the hostile IP address. The evidence of the data captured comes from the media sources, hard drives, and discs, and the report verifies that the recovered data have not been altered.
1.11. Critique of the Case
The report has compiled evidence that a penetrator used a hostile IP address to communicate with our systems in order to steal sensitive information. However, the evidence collected is virtual evidence, and we have not been able to gain access to physical evidence. Thus, we will still require a good legal practitioner to prove in a court of law that this IP address has really been used to steal data from our systems. In the digital business environment, virtual evidence faces challenges in convincing a jury that a penetrator has actually committed an offense. Thus, the next battle that we are going to face is the strategy…