How To Approach A Server And Search For Malware Capstone Project


XYZ Company Tasking

The plan for processing the potential crime/incident scene depends upon maintaining the integrity of the scene as well as the integrity of the data. That means the first step is to prevent the scene from contamination. Preparing for the search is an important step, therefore, in this process.

The team should have the legal authority to proceed with the seizure of evidence and this should be shown upon arrival. Likewise, the team should use safety equipment when arriving on the scene to ensure that nothing is jeopardized (U.S. Department of Justice, 2008).

To prepare for the search, the team will first document the condition and state of the scene. Before anything is moved, the team should photograph and record screen info of all the workstations involved. It is important to assess the current state of the system before any investigative work is begun. Computers should remain on if they have not yet been turned off, as this will allow for any connections established via illegal actions to remain open (they could be lost should computers be powered off). However, if software is being run on the computer that is damaging the computer/network, the device may be shut off promptly. Back-up servers should be in place to maintain the organization's workflow, in case the servers under scrutiny need to be disconnected for inspection. A continuity of operations plan should be in place and ready to be implemented before the team begins collecting data.

The team will identify potential digital evidence by understanding that digital evidence contains fingerprints, so to speak -- DNA-types of information that are left behind whenever a process is changed. However, evidence can easily be lost or changed without anyone noticing; therefore, time is of the essence, and as soon as the team arrives it should seek to corral Internet-based evidence, computer-based evidence, and mobile device evidence wherever the participants' accounts of what happened indicate that these are applicable (National Forensic Science Technology Center, 2015a).

Once data is collected it needs to remain free from contamination. Digital evidence can be lost or damaged in the process of recovery or transference; therefore, it is essential that a copy/image of the data is produced for back-up. This means that the device(s) in question need to be copied onto a separate medium that is clean (i.e., that has not been used before). It is important that the backup medium be free of all data because any information that may be on the medium could potentially end up being examined by the investigation team. Thus, even if a drive has been erased, it should not be used as a backup because unless it has been wiped, content may still exist on the drive and interfere with the investigation.

All digital evidence should be labeled and identified with information regarding where it came from, its purpose in the facility, its precise location when found, and why it was collected. This evidence should then be packaged and shipped in a manner that is secure. Secure transfer should include signing out and signing in packages and ensuring that all data is transferred and monitored via checkpoint processes when delivering and taking delivery.

To ensure that proper storage and chain of evidence is conducted, logs will be kept and maintained of all individuals taking and handing over custody of evidence, from the crime scene investigators to team members in the laboratory where the evidence will be scrutinized. Without a proper chain of evidence, data can be lost; or it could be altered -- and if there is no indication of who handled the evidence last, it becomes an issue of accountability and responsibility.

Approaching the Computer

The next step is to install onto the suspect device(s) software that blocks any changing (i.e., write-blocking software) (National Forensic Science Technology Center, 2015). The potential malware that may exist on the system has the capacity to harm the system further so it is important to destabilize it and/or contain it. A software application could be installed and run in the computer's safe mode to search for malware if the computer has been turned off. This will ensure that the malware is not re-activated when the computer is turned on, as safe mode allows the computer to only run basic operations. Malwarebytes is one such application that can be utilized in this situation to search, scan and detect malware...

...

Likewise, an Internet Relay Chat (IRC) can be utilized to allow the malware attack to remain disguised from the user. It can quickly escalate into a full-blown attack, which can completely disrupt an organization's IS.
The steps to image the drive will involve using a program like DriveImage XML, which allows the team to duplicate the drive and store it on a separate medium. Windows XP does not have the same drive-imaging option as Windows 7, so this software will need to be used. Other alternatives include Norton Ghost or HDClone. The process requires installing a new drive, setting the source drive, and identifying the destination drive.
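The evidence-handling steps earlier in the document (a copy onto a clean, never-used medium, and a custody log of every hand-over) and the drive-imaging step just described can be checked programmatically rather than trusted to the imaging tool alone. The Python script below is an added example; it is not part of the original essay and is not DriveImage XML's code. It treats a constructed sample file as the source device, refuses a destination that already holds data, hashes the bytes while copying, re-hashes both sides afterwards, and appends a custody record. The file names, the parties named in the record and the JSON-lines log format are assumptions.

```python
"""Added example, not code from the original essay: image a source "device"
onto a clean destination, verify it by hash and log the hand-over.

Assumptions: the device is represented by a regular file (a constructed
sample is built in demo()), the destination medium is a freshly created
directory, and the custody log is a JSON-lines file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # copy in 64 KiB blocks so a large image never sits in memory at once


def sha256_of_file(path):
    """SHA-256 digest of a whole file, read block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, destination):
    """Copy source to destination, hashing the bytes as they are read.

    Mode 'xb' makes the open fail if the destination already exists, so a
    medium that is not clean is refused rather than silently overwritten.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(destination, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image actually reached the medium
    return h.hexdigest()


def verify_image(source, destination, acquisition_hash):
    """Re-hash both files after the copy; all three digests must agree."""
    return sha256_of_file(source) == sha256_of_file(destination) == acquisition_hash


def record_custody(log_path, item, sha256, released_by, received_by, note):
    """Append one hand-over to the chain-of-custody log and return the entry."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": item,
        "sha256": sha256,
        "released_by": released_by,
        "received_by": received_by,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Run the acquisition on a constructed sample and report the outcome."""
    workdir = tempfile.mkdtemp(prefix="evidence-")       # stands in for the clean medium
    source = os.path.join(workdir, "suspect-disk.raw")   # stands in for the device
    with open(source, "wb") as f:                        # constructed sample content
        f.write(b"MBR" + bytes(range(256)) * 400 + b"END")
    image = os.path.join(workdir, "suspect-disk.img")
    log = os.path.join(workdir, "custody.jsonl")

    digest = acquire_image(source, image)
    ok = verify_image(source, image, digest)
    record_custody(log, "suspect-disk.img", digest,
                   "scene team (name assumed)", "laboratory (name assumed)",
                   "imaged on site; hash verified" if ok else "HASH MISMATCH")

    # A second acquisition onto the same medium must be refused: it is no longer clean.
    try:
        acquire_image(source, image)
        refused = False
    except FileExistsError:
        refused = True

    with open(log, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    return {"verified": ok, "sha256": digest, "refused_reuse": refused,
            "log_entries": len(entries),
            "log_hash_matches": entries[0]["sha256"] == digest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three-way comparison in verify_image is the point: the hash taken during acquisition, the hash of the source afterwards and the hash of the image must all agree, which catches both a bad copy and a source that changed while it was being read. The custody entry carries the same digest, so anyone later in the chain can re-hash the image and confirm it is the item that was signed over.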

The areas on her system that will be analyzed for potential evidence of infection and/or modification will be those particularly susceptible to attack. Malware essentially creates holes in the program which need to be patched so it is important to identify these holes and the location where the malware is stored.

Entering safe mode by tapping the F8 key repeatedly when turning on the computer will ensure that the malware is not activated; the computer offers safe mode as one of its boot options. Safe mode does not look the same as normal mode, but this is because the system is not operating in the fullest sense of the word. A virus scan should then be run, but this step can be completed more quickly if temporary files are deleted first. A disk cleanup is therefore the next step in the process, and it can be selected from System Tools under Accessories in the Programs menu.

Malware scanning software should then be utilized, and as malware is constantly being upgraded and made new, it is important that this software is current and updated. There are a variety of options that can be utilized here, such as Malwarebytes and Kaspersky.

Another process, since this is a Windows XP operating system, is to go directly to the registry: click Run and type regedit.exe, which opens the Registry Editor. By expanding HKEY_CURRENT_USER and then Software, the team can open the Windows entry and see which programs launch upon startup. Viruses can be identified by the "location of the application" which they are calling (Londis, 2007). If the location is the Application Data folder, the virus is able to re-launch every time the computer reboots -- so this is the place to look. The title given to the virus by the programmer should also be identifiable, and the place where the virus resides should be noted.

For example, if it is in the All Users Application Data folder, a right-click on the registry key will allow the team to delete it. Of course, this simply deletes the call that allows the virus to be launched -- it has not deleted the virus itself. To ensure full safety, the file should also be deleted from the file system, by going to the Application Data folder. An attempt to delete the file will likely not work because it is running in the computer's memory. What the team can do, however, is rename the file and remove the .exe portion of the name; a .delete tag can be added just so it is easier to find after rebooting. Rebooting will not cause the file to launch because the call has already been deleted. A quick search for the renamed file will bring it up, and it can now be right-clicked and deleted because it is no longer running in memory.
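The registry check described above can also be run against an exported copy of the Run key, which leaves the live machine and its evidence untouched. The Python below is an added example; it is not from the essay or from the cited source. It parses a constructed .reg export (the sample text is made up for this example) of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, the key under Software that holds the per-user startup entries, pulls the executable path out of each value, and flags entries whose executable lives under an Application Data folder, the location the text singles out. The entry names and paths in the sample are assumptions.

```python
"""Added example, not code from the original essay: audit the per-user Run key
from a .reg export instead of clicking through regedit on the live machine.

Assumption: the export below is constructed for this example; the key path is
the standard per-user startup key.
"""
import re

# Constructed sample export (regedit "Export" format): backslashes are doubled
# and embedded quotes are written as \" in this file format.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchosts"="\"C:\\Documents and Settings\\Jane\\Application Data\\svchosts.exe\" -q"
"Updater"="C:\\Documents and Settings\\All Users\\Application Data\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg escaping: a backslash protects the next character (\\ and \")
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for every string value in the export.
    Non-string data (dword:, hex:) is not autorun command text and is skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def extract_exe_path(command):
    """Return the executable part of an autorun command, dropping arguments."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")


def classify(path):
    """The text singles out Application Data as the launch location to watch."""
    low = path.lower()
    if "\\application data\\" not in low:
        return False, "outside Application Data"
    if "\\all users\\" in low:
        return True, "launches from the All Users Application Data folder"
    return True, "launches from a user profile's Application Data folder"


def audit_run_keys(text):
    """List every autorun entry with its executable and whether it needs a look."""
    rows = []
    for key, name, command in parse_reg_export(text):
        path = extract_exe_path(command)
        suspicious, reason = classify(path)
        rows.append({"key": key, "name": name, "path": path,
                     "suspicious": suspicious, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in audit_run_keys(SAMPLE_REG):
        flag = "CHECK" if row["suspicious"] else "ok   "
        print(f'{flag} {row["name"]:<12} {row["path"]}  ({row["reason"]})')
```

Working from an export means the entry name, the executable's location and the exact command line are all captured before anything is deleted or renamed, which is what the custody record later needs; the two flagged rows in the sample correspond to the user-profile and All Users cases the text distinguishes.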

Approaching the Database Server

A Microsoft Windows 2003 Server running Microsoft SQL Server 2008 is a server that has already been upgraded, and therefore the infrastructure should be able to implement a server backup. This is the path that will be chosen to image the server's database. It is vital to copy the records in the database, as these are important to the organization. These files can be imaged via cloud-computing software and stored in the cloud, or they can be saved with Windows Server Backup, which provides an MMC (Microsoft Management Console) snap-in and command-line tools that allow the team to fully back up the server or just the records, if that is all the organization deems important. For full safety it is deemed best to back up the full server (TechNet, 2013).

The approach is direct: login through the Administrator. A separated, clean disk will…

References

Jakobsson, M., & Juels, A. (2010). Server-side detection of malware infection. NSPW. Retrieved from http://nspw.org/papers/2009/nspw2009-jakobsson.pdf

LaChapelle, C. (2014). Disaster recovery options for smaller companies. NetworkWorld. Retrieved from http://www.networkworld.com/article/2174112/tech-primers/disaster-recovery-options-for-smaller-companies.html

GPost. Retrieved from http://www.groovypost.com/howto/find-and-remove-most-common-viruses-from-pc/

Evidence. Retrieved from http://www.forensicsciencesimplified.org/digital/how.html

TechNet. (2013). Microsoft. Retrieved from https://technet.microsoft.com/en-


Cite this Document:

"How To Approach A Server And Search For Malware" (2016, April 21) Retrieved April 27, 2024, from
https://www.paperdue.com/essay/how-to-approach-a-server-and-search-for-2156627

