• Properly process and handle evidence for a case and perform other case management functions
• Select and use appropriate digital forensics tools
• Prepare and annotate an inventory of files present on an evidence drive
• Triage an evidence drive using a forensic tool to view and analyze partitions, folders, and files to:
o Identify and properly address the presence (if any) of contraband (adult and child pornography, evidence related to narcotics)
o Identify and properly address the presence of evidence related to violations of an employment agreement or violations of company policy
• Evaluate an assessment (formal or informal) performed by another party and provide a formal response (“equivocal assessment”) in which you address the other party’s procedures and findings
• Write a reasonably professional and comprehensive Assessment Report for a forensic examination
1. Assessment Report (75% of grade)
2. Annotated Inventory of Forensically Interesting Files (25% of grade)
Scenario for Forensic Report #1
James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), has contacted you to request assistance in handling a sensitive matter regarding the unexpected resignation of his company’s Assistant Chief Security Officer, George Dean. PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries, due to their involvement as security consultants to the gaming commissioners. The unexpected resignation and disappearance of a senior staff member is a reportable security incident under the terms of several of the company’s contracts with state gaming commissions. Thus, Mr. Randell needs an independent, outside assessment of the facts and evidence pertaining to Mr. Dean’s resignation.
Background (Information Obtained During Client Interview)
Mr. Randell became concerned about Mr. Dean’s activities after his Human Resources Officer, Norbert Singh, reported that Mr. Dean left a voice mail tendering his resignation effective immediately. Mr. Singh also reported that Mr. Dean’s supervisor (Ms. Betty Mayne, the Chief Security Officer) had opened Mr. Dean’s locked office, at Mr. Singh’s request, and noted that it was unusually tidy and that the computer workstation and a company-issued laptop were both missing. Mr. Randell asked Mr. Singh and Ms. Mayne to investigate further and report back to him. During the second meeting, Mr. Randell was informed of the following:
• Mr. Dean’s workstation was one of three company computers taken to the IT Service Center earlier in the week to be wiped and reimaged due to infection by a particularly nasty rootkit. The computers are due back in the office next Friday by 10:00 AM.
• Ms. Mayne contacted the IT service center and requested that they stop all work and immediately return the three computer systems to the company.
• Mr. Dean was using a company-issued laptop in the office as a temporary replacement for his workstation. The company-issued laptop was not found in the office, but an empty laptop case was found under the desk.
• During their search of the office, Mr. Singh and Ms. Mayne found a single 2GB USB drive that had been left in the laptop case. Ms. Mayne and her staff examined the contents of the USB drive and reported to Mr. Randell that it contained files pertaining to Mr. Dean’s duties as Assistant Chief Security Officer. There were no indications of any involvement in activities contrary to the company’s best interests. Note: This paragraph provides you with the “previous examination” results that you will address in the “Assessment of Previous Investigation” section in your Assessment Report.
Request for Forensic Services (Tasking)
Mr. Randell has requested that you examine the recovered USB drive and tell him what you find. He also asked that you provide an assessment as to the accuracy and validity of the findings from the PAGS CSO’s staff examination of the contents of the USB (“equivocal assessment”). Your deliverables will include an assessment report and an annotated inventory listing all files and information of forensic interest which were recovered from the drive.
The burning questions of the moment are:
1. What was George Dean up to before he resigned?
2. Why did he resign so suddenly?
Notes for the Student:
1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image.
2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.
3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.
4. For the purposes of this assignment, you (the student) are acting in the role of “forensic examiner.” In the grading rubric, actions attributed to “the examiner” are actions that you should (or should not) have taken.
Acquisition / Forensic Imaging Report (USB)
Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using DCFLDD’s verify file command (sudo dcfldd vf=/dev/sdx pattern=00 where sdx is the drive designator for the USB).
Imaging operation was performed using FTK Imager.
Created By AccessData® FTK® Imager 126.96.36.199 090505
Case Information: Forensic Report #1 CMIT 424 Fall 2014
Case Number: PAGS01
Evidence Number: PAGS01
Unique description: Lexar Jump Drive
Information for PAGS01_06132014:
Physical Evidentiary Item (Source) Information:
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 1,014,784
[Physical Drive Information]
Drive Model: LEXAR JUMPDRIVE USB Device
Drive Serial Number: 8KRZ24B
Drive Interface Type: USB
Source data size: 495 MB
Sector count: 1014784
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1
Acquisition started: Fri Jun 13 21:59:00 2014
Acquisition finished: Fri Jun 13 22:00:53 2014
Segment list: PAGS01_06132014.E01
Image Verification Results:
Verification started: Fri Jun 13 22:00:53 2014
Verification finished: Fri Jun 13 22:00:56 2014
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e : verified
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1 : verified
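Before relying on the image, an examiner can confirm that the acquisition report is internally consistent: the acquisition and verification hashes agree, each is marked verified, and the drive geometry matches the stated size. The Python script below is an added example, not part of the original assignment or of FTK Imager; the function names are hypothetical, the report lines are copied from above, and it assumes FTK Imager's "MB" means 2**20 bytes.

```python
import re

# Lines copied from the acquisition report above, embedded so this runs offline.
REPORT = """\
Bytes per Sector: 512
Sector Count: 1,014,784
Source data size: 495 MB
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1
Image Verification Results:
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e : verified
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1 : verified
"""
DIGEST_LEN = {"MD5": 32, "SHA1": 40}  # hex characters per algorithm

def field(text, label):
    """Return the integer after 'label:' (thousands separators removed), or None."""
    m = re.search(rf"^{re.escape(label)}:\s*([\d,]+)", text, re.M | re.I)
    return int(m.group(1).replace(",", "")) if m else None

def check_report(text):
    """Return a list of findings; an empty list means the report is self-consistent."""
    findings, acquired, verified = [], {}, {}
    rows = re.findall(
        r"^(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)(?:\s*:\s*(\w+))?\s*$", text, re.M)
    for algo, digest, status in rows:
        if len(digest) != DIGEST_LEN[algo]:
            findings.append(f"{algo}: digest has {len(digest)} hex chars")
        if status:  # a trailing status marks a verification-pass line
            verified[algo] = digest.lower()
            if status.lower() != "verified":
                findings.append(f"{algo}: verification status is '{status}'")
        else:       # no status: hash computed during acquisition
            acquired[algo] = digest.lower()
    for algo in DIGEST_LEN:
        if algo not in acquired or algo not in verified:
            findings.append(f"{algo}: acquisition or verification hash missing")
        elif acquired[algo] != verified[algo]:
            findings.append(f"{algo}: acquisition and verification hashes differ")
    # Assumption: the reported "MB" is 2**20 bytes; allow under 1 MB of rounding.
    bps, sectors = field(text, "Bytes per Sector"), field(text, "Sector Count")
    size_mb = field(text, "Source data size")
    if None in (bps, sectors, size_mb):
        findings.append("geometry or size field missing")
    elif abs(bps * sectors / 2**20 - size_mb) >= 1:
        findings.append("sector count x sector size disagrees with reported size")
    return findings

print(check_report(REPORT) or "report is self-consistent")
```

An empty result only shows that the report agrees with itself; the image still has to be re-hashed in the examiner's own tool and compared against these values before analysis.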
Examination of the Evidence (Procedure) for Forensic Report #1