Case Study Assignment

profilejustjeepin
CaseStudyJustJeeping.docx

Case Study

This case study provides the opportunity to walk through the cyber forensics investigation.

process. Through this exercise, the goal is to outline how to execute the investigative plan,

determine tools needed to conduct the forensics analysis, and conduct a basic computer

forensics investigation. See the Assignment Requirements section on the last page for details

on what is needed to do for this final case study.

Company background information

ACE Consulting has approximately 500 employees in six cities in a regional area (Memphis,

TN; Knoxville, Atlanta, GA; Paducah, KY; Little Rock AR; and Mobile, AL. The main office is

in Nashville TN, which houses 200 of the employees. The main office is located in a suburb

neighborhood where physical security is not considered a concern.

Their IT infrastructure is as follows:

· They use a mix of Microsoft and Linux servers and PCs with a number of Mac

computers used for the various consulting they do. They use Active Directory, have an

Apache Web Server for the Internet web site, four servers used as file storage (one in

each office), four servers housing applications used for various consulting activities, a

training server, five MS SQL database servers, and Office 365 for email.

· There are 20 Windows 2008 servers in the main office, twelve of which are

virtualized on three physical servers.

· There are 15 Linux servers all virtualized.

· System updates and patches are run from the main office. Most systems get

Microsoft updates once a month, but some are missed. Also, most third party

products (e.g., Adobe PDF & Flash) are not kept up to date.

· Each satellite office has 3-4 servers for storing files and running local applications.

o Each office has its own, decentralized wireless network connected to the

production network.

· Some employees has a desktop or laptop PC running Windows 10. While others

are using Macbook Pro with OSx 10. HR personnel have laptops for conducting

interviews as well as posting job openings and conducting research for the

owners.

· The network sits behind a gateway router and firewall. Antivirus is in use, but is not

automatically updated across the company. Employees often work remotely and only

use their login and password to gain access to the corporate systems.

Case Scenario

Last month, a number of clients reported having their proprietary information and research

and development showing up in competitor’s hands. Additionally, some employees have

noted they have noticed unusual activities in personal accounts and personal email. You

have been hired by ACE Consulting Chief Operations Officer (COO), Brad Richards as an

independent investigator to look into some company owned computers and devices to

determine if there is a leak or an insider in the company. All formal reports will go directly to

him.

There are two primary targets:

1. James Brown is a project manager who has worked at the main office for ten years.

He has worked his way up through the organization and has access to all systems,

since he’s the “go-to” guy to help with any consulting issues. He’s also been known

to be disgruntled about senior leaders and has been open about his feelings. Brown

reports to the Projects Manager, Nathan Brim. He uses a laptop computer at the

office and remotely. It is described below:

a. Dell Latitude 3793 Core i7 M640, 16GB, 500GB HDD, Windows 10

Professional 64-bit

b. The BIOS Make is Dell Inc, and Serial Number is H127845

c. There is a PCI Video card, internal sound card, internal network interface,

and two internal USB ports.

d. You found a SanDisk 8GB USB flash drive on his desk along with numerous

data DVDs.

e. He has a personal Google mail (Gmail) account, which he accesses regularly

from his laptop, as well as Google Drive.

f. In reviewing the PC’s hard drive, it is noticed that 400GB can be seen or

accessed and it is suspected it may contain a hidden drive/partition since it

has VersaCrypt installed.

2. Sam Abrams is a new member on the IT support team, having started at ACE six

months ago. He supports project managers with the general computer operations

and troubleshoots issues they have. He has full access to the projects tracking

system and database in order to support remote users. He reports to Jane Sims, the

manager of IT. He uses a company standard desktop PC.

a. Dell OptiPlex 760 – Intel® Core 2 Duo CPU E8400, 8GB, 500GB HDD,

DVDRW, Windows 10 Professional 64-bit

b. The BIOS Make is Dell Inc, A03, date is , and Serial Number is UF284153.

c. There is a PCI Video card, internal sound card, internal 100Mb network

interface, and three internal USB ports.

d. In addition to his corporate email account, he also has a Yahoo account that

he accesses from his PC. From his IE7 browser history, you can also tell he

uses Facebook, Craigslist, and Dropbox.

Other Personnel:

• Jack Lewis is the IT Director for ACE. He is responsible for maintaining all of the

servers and network equipment.

• Shelly Johnson is the HR Director and is responsible for all personnel matters.

Assignment requirements:

In a formal investigative report, address all of the following. Remember, your audience is

COO. Give proper attention to wording, grammar, spelling, punctuation, structure and use

APA (American Psychological Association) for citing sources used in the report. Be sure you

show where source are used in the report with in-text citing. Make sure you’re covering the

case in sufficient detail and are answering any potential questions he may ask. Lastly,

remember to put your name on your paper as the chief investigator.

1. Provide an executive summary of the case.

2. Document any assumptions for this case.

3. Provide any jurisdictional issues between the locations.

4. Provide a background synopsis of the case. This is an overall narrative of the facts of the

case. It should answer the who, what, when, why, and how of the investigation.

5. Document how the investigation would be carried out. This is a description of the

process to take for this investigation.

a. Include whether or not a search warrant will be needed and any other legal

aspects to consider.

b. Who would need to be interviewed and need to have involved? What role(s)

would each play?

c. What computer or network systems would need to have access to for analysis?

What information could each provide?

d. Would this be a “live” or “dead” acquisition of the data?

e. How would the evidence be collected and stored? What tools would be needed

for the specific platforms? Include how to ensure the chain of custody to preserve

its integrity.

f. What other information would need to be looked for in this case?

g. How would you prove innocence or guilt in this case?

6. List the tools you would need for this investigation.

a. This includes both hardware and software in your forensics “toolkit.”

b. How would each tool be used in your investigation?

7. The final item is the evidence list. This should include all items you processed. Each

item should be identified by:

a. Make:

b. Model:

c. Serial Number of the device (this includes individual hard drive located in a PC):

d. Removable media

e. Operating System

f. Install application(s)

g. Other identifying information associated with the asset.