Portfolio Assignment

You will be using FTK, Autopsy and OSForensics. Each member of the group will perform the following lab with each of the three tools and submit a separate lab report with screenshots for each tool, so every member submits three reports. Perform the lab and answer the questions in a lab report with screenshots supporting your answers. If your full-screen screenshots do NOT show your name matching the answers, you will not get credit for the lab. Please do your own work. 

‘Iaman Informant’ was working as a manager of the technology development division at a famous international company OOO that developed state-of-the-art technologies and gadgets. 

One day, at a place which ‘Mr. Informant’ visited on business, he received an offer from ‘Spy Conspirator’ to leak sensitive information related to the newest technology. ‘Mr. Conspirator’ was in fact an employee of a rival company. ‘Mr. Informant’ decided to accept the offer in exchange for a large amount of money and began establishing a detailed leakage plan. 

‘Mr. Informant’ made a deliberate effort to hide the leakage plan. He discussed it with ‘Mr. Conspirator’ over an e-mail service, framing the exchange as an ordinary business relationship. He also sent samples of confidential information through personal cloud storage. 

After receiving the sample data, ‘Mr. Conspirator’ asked for direct delivery of the storage devices holding the remaining (large amount of) data. Eventually, ‘Mr. Informant’ tried to carry his storage devices out of the company, but he and his devices were detected at the company security checkpoint, and he was suspected of leaking the company data. 

At the security checkpoint, his devices (a USB memory stick and a CD) were briefly checked (protected with portable write blockers), and no evidence of any leakage was found. They were then immediately transferred to the digital forensics laboratory for further analysis. 

The information security policies in the company include the following: 

1. Confidential electronic files should be stored and kept in the authorized external storage devices and the secured network drives. 

2. Confidential paper documents and electronic files can be accessed only within the allowed time range of 10:00 to 16:00 and with the appropriate permissions. 

3. Non-authorized electronic devices such as laptops, portable storage devices, and smart devices cannot be carried into the company. 

4. All employees are required to pass through the ‘Security Checkpoint’ system. 

5. All storage devices such as HDD, SSD, USB memory stick, and CD/DVD are forbidden under the ‘Security Checkpoint’ rules. 

In addition, although the company maintained separate internal and external networks and used DRM (Digital Rights Management) / DLP (Data Loss Prevention) solutions for information security, ‘Mr. Informant’ had sufficient authority to bypass them. He was also very interested in IT (Information Technology) and had some knowledge of digital forensics. 

In this scenario, find any evidence of the data leakage, and any data that might have been generated on the suspect’s electronic devices. 

Answer the following questions, each one supported with a screenshot. 

1. Explain installed OS information in detail. (OS name, install date, registered owner…)

2. What is the timezone setting?

3. What is the computer name?

4. Who was the last user to log on to the PC?

5. When was the last recorded shutdown date/time?

6. What applications were installed by the suspect after installing the OS?

7. What web browsers were used?

8. What websites was the suspect accessing?

9. List all search keywords entered in the web browsers. 

10. What application was used for e-mail communication?

11. What was the e-mail account used by the suspect?

12. List the external storage devices attached to the PC.

13. Examine the ‘Recycle Bin’ data on the PC.

14. What anti-forensic actions were performed on the PC on the last day, '2015-03-25'?
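Questions 1, 2 and 5 are answered from raw registry values that FTK, Autopsy and OSForensics display as bytes unless their registry viewer decodes them: InstallDate (a REG_DWORD of Unix-epoch seconds), ActiveTimeBias (a signed REG_DWORD of minutes) and ShutdownTime (an 8-byte FILETIME). The following Python script is an added example, not part of the assignment and not derived from the case image; it decodes each value type and converts the shutdown timestamp into local time, which matters for question 14 because the "last day" depends on the time zone you apply. The byte strings are constructed sample values (the bias of -540 minutes is an arbitrary constructed choice), not data from the evidence.

```python
"""Decode the raw Windows registry values behind the OS-information questions.
Added example: all byte strings below are constructed samples, not case data."""
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """SYSTEM\\ControlSet00N\\Control\\Windows\\ShutdownTime is a REG_BINARY
    holding one little-endian 64-bit FILETIME. Reject anything but 8 bytes so a
    truncated or mis-copied value cannot silently decode to a wrong date."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def install_date_to_datetime(raw: bytes) -> datetime:
    """SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate is a
    REG_DWORD of seconds since the Unix epoch, stored in UTC."""
    (secs,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def active_time_bias_to_offset(raw: bytes) -> timedelta:
    """SYSTEM\\ControlSet00N\\Control\\TimeZoneInformation\\ActiveTimeBias is a
    signed REG_DWORD: the minutes to ADD to local time to reach UTC. The UTC
    offset used by the datetime module is therefore the negated bias."""
    (bias_minutes,) = struct.unpack("<i", raw)
    return timedelta(minutes=-bias_minutes)


def summarize(install_raw: bytes, shutdown_raw: bytes, bias_raw: bytes) -> dict:
    """Return the decoded values in both UTC and the machine's local time."""
    offset = active_time_bias_to_offset(bias_raw)
    local_tz = timezone(offset)
    shutdown_utc = filetime_to_datetime(shutdown_raw)
    return {
        "utc_offset_hours": offset.total_seconds() / 3600,
        "install_date_utc": install_date_to_datetime(install_raw).isoformat(),
        "shutdown_utc": shutdown_utc.isoformat(),
        "shutdown_local": shutdown_utc.astimezone(local_tz).isoformat(),
    }


# Constructed sample values (NOT from the evidence image):
SAMPLE_INSTALL_DATE = struct.pack("<I", 1420070400)          # 2015-01-01 00:00 UTC
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 130717710000000000)  # 2015-03-25 15:30 UTC
SAMPLE_ACTIVE_TIME_BIAS = struct.pack("<i", -540)            # UTC+9 (local = UTC + 9h)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INSTALL_DATE, SAMPLE_SHUTDOWN_TIME,
                                SAMPLE_ACTIVE_TIME_BIAS).items():
        print("%-18s %s" % (key, value))
```

With these sample values the shutdown lands on 2015-03-25 in UTC but on 2015-03-26 in local time, so state in your report which time base each tool is showing before you attribute an action to "the last day".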

Download the evidence files into one folder that you will use for this lab: open the link below, scroll down to "Acquired Data Information", "Personal Computer (PC) - EnCase Image", and download all four image segments (.E01, .E02, .E03 and .E04) into that folder.  

https://cfreds-archive.nist.gov/data_leakage_case/data-leakage-case.html