Abstract
ABC Corporation has experienced a security breach on its company network and has hired Cyber Forensics INC. (CFI) to investigate. This report provides insight into how CFI conducts a network breach investigation and retrieves forensic data to help capture and charge, in a court of law, the criminals who breached the network.
Introduction
For forensic data collected in the aftermath of a cyber breach to be admissible in a court of law, the team at Cyber Forensics INC. must follow careful steps to preserve the integrity of the data. CFI follows the typical steps of a full cyber breach investigation and forensic engagement: Collection of the data for forensic analysis and investigation, following proper evidence-collection procedures; Analysis of the collected data, with a description of what the data means and what happened during the cyber-terrorist breach discovered at ABC Corporation; and Presentation of the data for use in a court of law, provided after all collection and analysis has been completed in accordance with all rules and guidelines (Easttom, 2017).
CFI will be investigating the breach of ABC Corporation's network and the laptop left at the scene, which belongs to a person with the expertise to launch a large-scale attack of this nature. Once the investigation is complete, CFI will provide ABC Corporation with an expert report that shows all tests conducted and the conclusions formed from the knowledge and data collected during the investigation (Easttom, 2017). Also included with the expert report is a Curriculum Vitae (CV) showing the experience and work history of the forensic investigators employed by CFI; along with the CV, every test described in the expert report will include thorough investigation and references to reputable sources that support its claims (Easttom, 2017).
Cyber-terrorist Security Breach
Cyber-terrorism specific to this case involves suspected cyber espionage conducted from the laptop left at the scene, and this investigation will collect data specific to that laptop. Cyber-terrorism is the use of the internet by a terrorist organization to conduct premeditated, politically motivated attacks against information, computer systems, programs, and the data held on those systems, designed to cause physical harm (Rouse, 2019). According to Rouse (2019), many organizations and experts present data showing that less harmful attacks intended to further the attacker's political stance can also be considered acts of cyberterrorism.
Typical examples of cyberterrorism are: global terror networks that disrupt major websites, create public nuisances, and block traffic to networks the group disagrees with; terrorist groups that disable or modify the signals that control military technology; and attacks on critical infrastructure, such as power grids, that would disrupt major cities (Rouse, 2019). Security breaches at ABC Corporation can include APT activity in which the adversary has maintained a persistent presence, malware that may have been injected into ABC Corp's network during the breach, ransomware that may have been planted, the initial attack that allowed network access (such as phishing via the e-mail system), and potential data extraction from ABC Corporation's network (Rouse, 2019).
CFI will be looking at the many facets involved in the evidence presented in this case, including the following domains of a typical IT infrastructure: the Workstation Domain, the LAN Domain, the LAN-to-WAN Domain, potential use of the Remote Access Domain, and portions of the System/Application Domain, to determine what information an attacker attempted to access, extract, or delete.
The current state of the network will be investigated, and while the laptop is still running a snapshot will be taken to preserve its current "live state"; a full disk image will then be taken for further offsite, offline investigation of the laptop. CFI excels at ensuring the chain of custody of the information gathered, so that ABC Corporation will be able to prosecute to the full extent of the law. Below is a picture of the seven typical domains that CFI will be investigating.
Evidence
CFI collects many different types of evidence during the investigation and ensures the chain of custody of the data with a rigorous tool called XebiaLabs, together with a rigorous process that uses the XebiaLabs tool and a second, paper-trail chain of custody, so that two identical records exist during the investigation stage, both at CFI's forensic lab and in the mobile forensic lab brought to the scene for on-scene collection (XebiaLabs, n.d.).
Courts typically deal with four different types of evidence, and CFI will use these types to produce the expert report provided to ABC Corp. for use at trial (Easttom, 2017). The first type CFI will look at is real evidence: the laptop left at the scene, the notes left around the laptop, the USB drives attached to the laptop at the scene, and the fingerprints on items the cyber-terrorist may have touched while on scene (Easttom, 2017).
The second type of evidence CFI will work with is documentary evidence, which involves data stored in written form, such as the notes left with the laptop and the electronic files written to the laptop (Easttom, 2017). Files stored on the laptop that would qualify as evidence include e-mails sent or received, logs of items accessed, databases kept on the laptop, and photographs contained on the laptop; all of this documentary evidence will be authenticated by CFI investigators (Easttom, 2017). The third type of evidence is testimonial evidence, which will draw on the expertise of CFI investigators to show that the fingerprints left on the laptop and surrounding evidence are those of the cyber-terrorist suspected of attacking ABC Corporation (Easttom, 2017).
The testimonial evidence will also examine access controls to show that the suspect was the logged-in user and took the steps to attack the ABC Corp. network (Easttom, 2017). The fourth type of evidence is demonstrative evidence, which is used to explain the other types of evidence in a way the judge and jury will understand; CFI has many technology writers who can provide pictures and charts that explain the evidence in layman's terms (Easttom, 2017).
This demonstrative evidence will help show and explain how the investigator maintained the chain of custody, that the investigator based their conclusions on a reasonable interpretation of the information gathered during CFI's investigation, and that the report is free from technical jargon and complex written examples, since neither the judge nor the jury are technical experts in this field and they must be given usable evidence in the court of law (Easttom, 2017). CFI understands that companies are geographically separated and has the ability to send forensic investigators to locations when necessary to gather evidence, and ensure that all evidence is captured on
CFI will ensure that the data remains under a well-documented chain of custody: the suspect drive will be touched only to capture the live state and create an image, so that investigators can interact with the system through the image; all steps and tests will be documented; and all evidence is encrypted and hashed to ensure that it has not been tampered with (Easttom, 2017).
E-Discovery Methodology
The field of computer forensics requires a knowledge base in computers and networking, to ensure that the information gathered during E-discovery is collected properly and that the forensic investigator understands the systems well enough to successfully examine the crime scene (Easttom, 2017). CFI has multiple cyber forensics experts covering many IT domains, who will conduct the investigation as needed for different software and hardware categories in the process of collecting, preserving, reviewing, and exchanging this data in electronic format for use as evidence in this case (George, n.d.).
The typical E-Discovery process is broken down into the following steps. Step 1 involves creating and retaining Electronically Stored Information (ESI) and uses the electronic records management tool XebiaLabs (XebiaLabs, n.d.) to enforce an electronic records retention policy (George, n.d.). The second step is to identify relevant ESI and preserve it so it cannot be altered or destroyed (George, n.d.). The third step is to further process the ESI to remove useless data and duplicates, reducing the volume of data and the cost of retention (George, n.d.).
In the fourth step the ESI is analyzed and reviewed, and the fifth step involves the specific formatting of the data required for the case after it has been reviewed and assigned privilege in step 4 (George, n.d.). The sixth step involves getting the ESI approved by the court and includes a "clawback" agreement as part of the court order; if the case is not settled, the E-discovery is taken to trial in the seventh step of the process (George, n.d.).
These steps give both sides a pretrial right of discovery, during which each side reviews its opponent's information regarding positions, methods, and conclusions; each side is required to answer honestly but not to volunteer more information than is asked (Easttom, 2017). Tools used to facilitate data capture must be vetted procedures that meet the Daubert Standard to be admissible in a court of law (Easttom, 2017). The tools that can help gather data vary by operating system; some live options on Windows include ping, ipconfig, and tracert (Easttom, 2017).
These steps present challenges: large volumes of data that the forensic investigators will have to work through, and the cost of maintaining the chain of custody for all of this data through the trial period, which will require diligent backup and image retention to ensure that ABC Corporation is fully able to get to trial (George, n.d.). All tools and techniques will follow scientific procedures that are vetted and supported by the industry, meeting the Daubert Standard for scientific evidence, so that all data collected and the techniques used to produce evidence follow known standards supported by recognized leaders in the forensics field and can be used in a court of law.
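As an added illustration of the evidence hashing described under Evidence and of the duplicate removal in E-discovery step 3, the following Python keeps a simple chain-of-custody log of SHA-256 hashes for acquired items, verifies an item against the hash recorded at acquisition, and groups items by hash so duplicate ESI can be culled. This is example code written for this report, not CFI's or XebiaLabs' tooling; the item names, handler name and evidence contents are constructed samples.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample evidence contents (stand-ins for a disk image and USB captures).
SAMPLE_ITEMS = {
    "laptop-image": b"constructed laptop disk image bytes",
    "usb-1": b"constructed usb drive contents",
    "usb-2": b"constructed usb drive contents",  # identical to usb-1 on purpose
    "usb-3": b"different constructed usb contents",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record(log: list, item_id: str, handler: str, action: str, data: bytes) -> dict:
    """Append a custody entry; the hash ties the entry to the exact bytes handled."""
    entry = {"item_id": item_id, "handler": handler, "action": action,
             "sha256": sha256_hex(data),
             "timestamp": datetime.now(timezone.utc).isoformat()}
    log.append(entry)
    return entry

def verify(log: list, item_id: str, data: bytes) -> bool:
    """True only if data still matches the hash recorded when the item was acquired."""
    acquired = [e for e in log if e["item_id"] == item_id and e["action"] == "acquired"]
    if not acquired:
        return False  # no acquisition record, so integrity cannot be established
    return hmac.compare_digest(sha256_hex(data), acquired[0]["sha256"])

def duplicate_groups(items: dict) -> dict:
    """Map content hash -> item ids; a group with more than one id is duplicate ESI."""
    groups: dict = {}
    for item_id, data in items.items():
        groups.setdefault(sha256_hex(data), []).append(item_id)
    return groups

def demo() -> tuple:
    """Acquire the samples, check one intact and one altered copy, and list duplicates."""
    log: list = []
    for item_id, data in SAMPLE_ITEMS.items():
        record(log, item_id, "Investigator A", "acquired", data)
    intact = verify(log, "laptop-image", SAMPLE_ITEMS["laptop-image"])
    altered = verify(log, "laptop-image", SAMPLE_ITEMS["laptop-image"] + b"!")
    dupes = [ids for ids in duplicate_groups(SAMPLE_ITEMS).values() if len(ids) > 1]
    return intact, altered, dupes
```

On real evidence the same log would be kept alongside the paper trail, with the hash recomputed at every hand-off rather than only at acquisition.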
Conclusion
CFI will ensure that proper chain of custody is followed and that all information is provided in an expert report detailing all data collected and analyzed during the investigation; all procedures followed will be detailed in the expert report so that ABC Corporation has all the information needed to testify in a court of law. All evidence will be collected and retained within the chain of custody tool XebiaLabs (XebiaLabs, n.d.), which CFI uses to help build reports and maintain chain of custody during the investigation process; that process is detailed in the expert report, which will be provided for the expert testimony when the case goes to trial.
The E-discovery phase will ensure that CFI stays on track in the investigation and can defend the processes used to identify relevant ESI and preserve it so it cannot be altered or destroyed and can be presented at trial (George, n.d.). All tools will be vetted, known processes and procedures accepted in the computer forensics community, meeting the Daubert Standard and accepted at this trial, so that ABC Corporation can be successful in its case against the cyber-terrorist who launched the attack against ABC Corp.
References
- Easttom, C. (2017). System Forensics, Investigation, and Response (Information Systems Security & Assurance). Jones & Bartlett Learning.
- George, H. (n.d.) E-Discovery and computer forensics – how are they different? Retrieved from: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/computer-forensics-investigations/e-discovery/#gref
- Rouse, M. (2019, May). Cyberterrorism. Retrieved from: https://searchsecurity.techtarget.com/definition/cyberterrorism
- XebiaLabs. (n.d.). Software chain of custody. Retrieved from: https://xebialabs.com/products/software-chain-of-custody/