Digital Evidence: Plan of Action
Introduction
This paper outlines the approach for examining digital evidence related to a suspected violation of company policy. It presents senior management with a plan for collecting evidence, and maximizing its evidential value, in the case of John Smith, an employee accused of digital IP theft. The methods described are grounded in forensic best practices and published standards.
Strategy for Maximizing Evidence Collection and Minimizing Impact
Based on the standards of ISO/IEC 27037 and National Institute of Standards and Technology (NIST) Special Publication 800-86, the strategy should begin with an initial assessment and containment. First, there needs to be a clear understanding of the scope of the potential breach. That means establishing, as far as is possible at the outset, which data John Smith is suspected of taking, by what means (removable media, cloud storage, e-mail, or other channels), and over what period.
The first step, in accordance with ISO/IEC 27037:2012 (regarding the identification, collection, and preservation of evidence), is therefore to discreetly monitor John Smith's digital activities, within the authority granted by company policy and applicable law, and to pinpoint the devices and accounts he uses or has used. This stage of the investigation should be kept strictly confidential and involve only key personnel, so as to prevent the suspect from becoming alarmed or attempting to hide his tracks (Ajijola et al., 2014).
Second, an important component of the strategy is maintaining a rigorous chain of custody, in accordance with the same standard (Ajijola et al., 2014). Every piece of evidence that is collected should be documented, with information on who handled it, when it was handled, the location, and the purpose; a cryptographic hash of each item should be recorded at acquisition and re-verified at every transfer. Documentation of the chain of custody helps to maintain the integrity of the evidence, which will be of crucial importance when it comes to admissibility in court.
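The following Python script is an added illustration, not part of the original plan and not a tool the paper cites. It shows the two checks described above: a bit-for-bit copy of a device that is hashed while it is read, an independent re-hash of the resulting image that must match before the original is sealed, and an append-only chain-of-custody log whose entries (who, when, where, purpose, evidence hash) are linked to each other by hash so that later editing of any entry is detectable. The device contents, examiner name and locations are constructed sample values; in practice the source would be a block device opened read-only behind a hardware write blocker.

```python
import hashlib
import json
from datetime import datetime, timezone
from io import BytesIO

# Constructed stand-in for the suspect's drive (not real data). In practice
# this would be a raw block device such as /dev/sdb behind a write blocker.
SAMPLE_DEVICE = (b"NTFS    " + b"\x00" * 4096
                 + b"Q3 product roadmap (confidential)" + b"\x00" * 2048)


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def image_device(src, dst, block_size=4096):
    """Copy src to dst block by block, hashing the stream as it is read.
    Returns (bytes_copied, sha256 of everything read from src)."""
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        dst.write(chunk)
        h.update(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record. Each entry carries the handler,
    time, location, purpose and evidence hash, plus the hash of the previous
    entry, so altering or removing any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, handler, location, purpose, evidence_hash, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "handler": handler,
            "time": when,
            "location": location,
            "purpose": purpose,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_of(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link; returns False if any entry was edited or dropped."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if sha256_of(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(device_bytes, examiner):
    """Image the device, verify the image independently, and open the custody log.
    Returns (image, bytes_copied, acquisition_hash, verification_hash, log)."""
    src, dst = BytesIO(device_bytes), BytesIO()
    copied, acq_hash = image_device(src, dst)
    image = dst.getvalue()
    # Verification pass: hash the written image separately from the acquisition
    # stream. The two digests must agree before the original is sealed.
    verify_hash = sha256_of(image)
    log = CustodyLog()
    log.record(examiner, "Evidence room A", "Imaged via write blocker", acq_hash)
    log.record(examiner, "Forensic lab", "Verified image hash", verify_hash)
    return image, copied, acq_hash, verify_hash, log


if __name__ == "__main__":
    image, copied, h1, h2, log = acquire(SAMPLE_DEVICE, "Examiner (constructed name)")
    print(f"copied {copied} bytes; acquisition hash matches verification: {h1 == h2}")
    print(f"custody log intact: {log.verify()}")
```

Every later action on the image (mounting it read-only, handing it to an independent reviewer) would add a further `record` call, and `verify` is what the independent third party reruns to confirm that the log presented to them is the one that was written.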
Tools and Techniques for Evidence Gathering, Preparation, and Analysis
Again drawing from NIST Special Publication 800-86, and this time also ISO/IEC 27041:2015 (pertaining to the selection of suitable digital forensic tools and methods), the team will use a range of specialized tools and techniques, including disk imaging tools such as FTK Imager or EnCase (Shah et al., 2017). These tools create bit-by-bit copies of the suspect's hard drives, taken through a write blocker and verified by hash, so that the original data remains untouched and all analysis is performed on the copy. For capturing volatile data (RAM) from a system that is still running, tools such as Memoryze can be used (Dykstra & Sherman, 2012). Likewise, Splunk can be used to correlate logs from different systems to trace unauthorized access or data transfers, which helps to show the digital footsteps of wrongdoing (Barath, 2016). Where deleted files need to be recovered and analyzed for evidence, Autopsy will be of use (Kolla, 2022). Lastly, if data exfiltration over the network is suspected, traffic analysis tools such as Wireshark should be used to dissect captured network traffic (Burschka & Dupasquier, 2016).
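The log correlation described above can be shown without Splunk itself. The Python script below is an added example, not code from the paper or from any of the tools it names: it parses constructed sample events of the kind that a web proxy and an endpoint agent would forward to a central log platform, builds a per-user timeline, flags users who sent more than a threshold of data to hosts outside the company domain, and flags file copies that occur shortly after a USB mass-storage device is mounted on the same host. The log format, field names, user names, hostnames and threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real logs): proxy and endpoint-agent events
# as they might arrive at a central log platform from different systems.
SAMPLE_LOGS = """\
2024-03-04T09:12:03Z proxy user=jsmith dst=sharepoint.corp.example method=GET bytes_out=512
2024-03-04T22:41:10Z proxy user=jsmith dst=files.personal-cloud.example method=PUT bytes_out=734003200
2024-03-04T22:44:51Z proxy user=jsmith dst=files.personal-cloud.example method=PUT bytes_out=402653184
2024-03-04T22:39:00Z endpoint user=jsmith host=WS-117 event=usb_mount device="SanDisk Ultra"
2024-03-04T22:39:42Z endpoint user=jsmith host=WS-117 event=file_copy path="E:\\designs\\roadmap.zip" bytes=209715200
2024-03-04T10:05:12Z proxy user=amiller dst=mail.corp.example method=POST bytes_out=2048
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<source>\w+) (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INTERNAL_SUFFIX = ".corp.example"            # assumed company domain
OUTBOUND_THRESHOLD = 100 * 1024 * 1024       # 100 MiB per user per external host


def parse(log_text):
    """Turn raw lines into dicts of key=value fields, sorted by timestamp so
    that events from different systems can be read as one timeline."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["source"] = m.group("source")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def outbound_by_user(events):
    """Sum bytes sent by each user to each host outside the company domain."""
    totals = defaultdict(int)
    for e in events:
        if e["source"] == "proxy" and not e["dst"].endswith(INTERNAL_SUFFIX):
            totals[(e["user"], e["dst"])] += int(e["bytes_out"])
    return dict(totals)


def flag_exfiltration(events):
    """Report (user, external host) pairs whose total upload exceeds the threshold."""
    return [f"{user}: {total} bytes sent to external host {dst}"
            for (user, dst), total in outbound_by_user(events).items()
            if total >= OUTBOUND_THRESHOLD]


def flag_removable_media(events, window_minutes=30):
    """Report file copies on a host within window_minutes of a USB mount by the
    same user on that host. Relies on events being time-sorted."""
    findings, last_mount = [], {}
    for e in events:
        key = (e.get("user"), e.get("host"))
        if e.get("event") == "usb_mount":
            last_mount[key] = e["ts"]
        elif e.get("event") == "file_copy" and key in last_mount:
            minutes = (e["ts"] - last_mount[key]).total_seconds() / 60
            if minutes <= window_minutes:
                findings.append(f"{e['user']}@{e['host']}: {e['path']} "
                                f"({e['bytes']} bytes) copied {minutes:.0f} min after USB mount")
    return findings


def timeline(events, user):
    """Chronological (time, source, destination-or-event) tuples for one user."""
    return [(e["ts"].isoformat(), e["source"], e.get("dst") or e.get("event"))
            for e in events if e.get("user") == user]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOGS)
    for row in timeline(ev, "jsmith"):
        print(*row)
    print(*flag_exfiltration(ev), *flag_removable_media(ev), sep="\n")
```

The same two rules are a direct translation of what an analyst would write as a search in a log platform (sum of `bytes_out` by user and destination, and a time-window join between mount and copy events); implementing them stand-alone makes the reasoning behind each finding reproducible for an independent reviewer.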
Collection and Preservation of Evidence
Adhering to the standards set by ISO/IEC 27037:2012, the collection and preservation of evidence should be approached with tremendous caution and...
…it would show that the conclusions of the investigation are not solely based on the team's perspective but that they have also been vetted and verified by an independent third party.
Presentation to Senior Management
When it comes to presenting the case details and conclusions to senior management, clarity and relevance are paramount. The presentation should begin with an executive summary, succinctly highlighting the key findings and conclusions, so that senior management can quickly grasp the core of the investigation. This should be followed by a chronological account of the investigation that is as easy as possible to follow and free of unnecessary technical jargon, with each finding tied to the evidence that supports it. Based on the findings, the presentation should also include recommendations, which could touch on potential legal action, policy modifications, or security enhancements that the company might consider implementing to deter future theft of this kind. The presentation should conclude with a question and answer session, giving senior management the chance to obtain clarification about the case or to explore specific areas of interest further.
Conclusion
In the process of examining seized evidence, drawing informed conclusions, and strategizing the presentation to senior management, the emphasis should be on accuracy, transparency, and adherence to best practices. The approach described in this paper should help an investigation by giving senior management the guidelines needed to make informed…
References
Ajijola, A., Zavarsky, P., & Ruhl, R. (2014, December). A review and comparative evaluation of forensics guidelines of NIST SP 800-101 Rev. 1: 2014 and ISO/IEC 27037: 2012. In World Congress on Internet Security (WorldCIS-2014) (pp. 66-73). IEEE.
Baráth, J. (2016). Monitoring of department network: administrator view. Science & Military Journal, 11(1), 56.
Burschka, S., & Dupasquier, B. (2016, December). Tranalyzer: Versatile high performance network traffic analyser. In 2016 IEEE Symposium Series on Computational Intelligence (SSCI) (pp. 1-8). IEEE.
Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, S90-S98.
Jansen, W., & Ayers, R. (2007). Guidelines on cell phone forensics. NIST Special Publication 800-101.
Kolla, V. R. K. (2022). A comparative analysis of OS forensics tools. International Journal of Research in IT and Management (IJRIM), 12(4).
Shah, M. S. M. B., Saleem, S., & Zulqarnain, R. (2017). Protecting digital evidence integrity and preserving chain of custody. Journal of Digital Forensics, Security and Law, 12(2), 12.
Wilson-Wilde, L. (2018). The international development of forensic science standards: a review. Forensic Science International, 288, 1-9.