Task 1: Reflection on Hands-On Projects
Hands-On Project 1-1
The following are some of the companies that have made major strides in providing digital forensics services to both corporate and government institutions. Forensicon, now a QDiscovery company(IT service management company) is one of the companies that has worked throughout the United States of America and testified in several county, state and federal courts with regard to computer forensics. They have undertaken projects such as investigations of company data theft, investigations of wrongful activities from the employees, employment and commercial litigation, expert witness testimonies on computer forensics and supplied affidavits together with reports on computer forensics. Their core clients include law firms, software firms, financial service institutions, non-profit organizations as well as the government (FORENSICON, 2018).
SS8 Networks, Inc. is another company that has provided forensics solutions in the cyber security industry. Founded in 1994, the company has made major leaps over the years creating a proven track record that has made it a company to be reckoned with. In the year 2016, they launched one of their major creation that lies in the introduction of what is known as SS8 BreachDetect, a time machine that allows breach detection by going back and identifying the devices-of-interest in a quest to find breaches, tracking and stopping them. Additionally, the company makes use of SS8 sensors in monitoring flaws in high speed communication, thereby producing High-Definition Records from the found flaws. By conducting monitoring and interception, they can extract the metadata, reconstruct and analyze both voice and data with utmost accuracy. Their sophistication in quality and capabilities has become the foundation for some of the largest intelligence and law enforcement agencies that has helped the agencies apprehend suspects-of-interest(SOI) in the communication service environment (SS8, 2018).
Last in the list is a company known as AccessData. AccessData is a forensics company founded in 1987 that has worked on providing forensics solutions for a long time in largescale. The company has provided forensic solutions to government agencies, law firms and corporations by understanding their collection and analysis needs of data. The company offers a range of products and services from forensic toolkits to providing mobile solutions. One of their products, MPE+ together with nFIELD allows the collection of phone contact information, call history, location and recovery of deleted messages. With their revolutionary products, they are able to perform duties such as risk compliance, collection and analysis and digital forensics. All these are done at a cost-effective consideration (AcessData, 2018).
Task 2: Case Project
Similarities of the Aforementioned Forensics Companies
To start with, the three companies have depicted similarities in terms of the services they provide. All of them are highly concerned with digital forensics solutions for their clients. All of them take deep interest in risk compliance with the purpose of detecting and wiping out threats before they occur. Secondly all the companies are similar with the type of frequent clients they get, whom mostly are law firms, corporates and governments. Thirdly, all the companies appear to have a widespread scale of operation. Lastly, at the end of their operations, they all deliver a detailed analysis, reports and affidavits where applicable.
Differences in the Aforementioned Companies
The Forensicon company is inclined on providing witness testimonies and affidavits for commercial and employment litigations on the person of interest. On the other hand, SS8 Networks are focused on providing monitoring methods for large communication service providers. Whereas AccessData are keen on providing products that their clients use for their forensics purposes.
Hands-On Project 1-2
In 1995, the Australian government enacted offences regarding the wrong use of computers and communication systems and online sexual abuse of children provided in the Criminal Code Act 1995 under the criminal law. This law has been used in several cases. For example, on July 2017 Nicholas Hunter(fictitious name) pleaded guilty to child pornography offences and was sentenced in a county court in Melbourne (Common Director of Public Prosecutions, 2017).w
Additionally, the Cybercrime Act 2001 was enacted under the criminal law. The law introduced computer related offences into the Criminal Code Act 1995. Some of the offences include denial of service, hacking and malware intrusion. A case example is given by (Moor, 2014) where an organized crime gang form Russia had hacked into Australian companies by placing malware in several Australian companies that enabled them to acquire online banking information and credentials thereby gaining power to move money to other accounts unauthorized. It is alleged that the gang got away with $570 million.
One of the recent of the laws passed concerning computer crimes is one of identity fraud offence. On 23 February 2009, the House of Representatives passed the law identity crimes and other measures. These fraud offences are introduced into a part of the criminal code. Moreover, the law contains a provision that allows the victim of a fraud offence to apply for a certificate from the magistrate to show that their identity information has been misused, whom purpose is to clear with financial institutions by removing fraudulent transaction history. One case that really caught the eye was one of Nicholas Gaskin on August 2016. The accused was found guilty of tax fraud, attempted credit card fraud and forgery. The accused pleaded guilty and was sentenced to three years in jail (Common Director of Public Prosecutions, 2017).
Task 3: Research Project
Hands-On Project 1-3
Maintaining a contact list of experts in the forensics professional is paramount for getting solutions during difficult situations. To find such professions, one needs to join computer user groups where you meet different experts in the forensics field, such as in computing, investigations and network. Groups such as the High Technology Crime Investigation Association exchanges information on computer investigations and techniques related to security. According to (Bill Nelson, Amelia Phillips, Christopher Steuart, 2014) newsgroups and electronic mailing lists creates a pool of experts that offer advice to computer forensics investigations. One can approach and maintain contact with these experts via email and develop great relationships. Such relationships with people spread across the digital industry are vital in finding solutions to critical and obscure information.
Hands-On Project 1-4
Similarities between Section 8 of the Canadian Charter of Rights and Freedom and The Fourth Amendment in the United States
As stipulated in their respective constitutions, both laws propagate the same idea, that is, security from unreasonable search and seizure. Both laws agree on the terms defining search and seizure. In both countries, a search has occurred when the government uses an investigatory technique on a person, his house and his possessions with intention of gaining information. A seizure in both countries includes the process of obtaining property, or a person so that they can be used as evidence in a litigation process. Both laws also protect unreasonable search and seizure of an individual by the government. However, there are exceptions to the exclusionary rule relating to search and seizure. For example, a police officer can perform a search and seizure without a warrant during the following scenarios. A search incident on the streets, items in plain view, abandoned property, during exigent circumstances such as reports of presence of a bomb or shots from a building, when the individual of interest gives consent, border searches and obtaining blood tests or samples (James B. Kelly, Christopher P. Manfredi, 2010).
Differences between Section 8 of the Canadian Charter of Rights and Freedom and The Fourth Amendment in the United States
In the United States, the 4th amendment clearly stipulates that people should be secure against unreasonable searches and seizures and no warrants shall issue but upon probable cause whereas the Canadian section 8 charter of rights does not include the mandatory provision of a warrant. The Canadians only talk about reasonable expectation of privacy which is not explicitly defined but it is left to the discretion of the police and government bodies. Additionally, there is the matter of admissible evidence. In the USA, items seized without a warrant or those that were not described in the warrant are inadmissible in court and are considered null and void for that case. However, in Canada, there is no rule that excludes the use of evidence that has been obtained illegally. If the seized items are relevant and probative to the case, then they are admissible. Additionally, to this rule, in the USA, the illegally seized evidence is however admissible on subsequent cases (McLachlin, 2007).
Forensics Companies
In a nutshell, the 4th amendment was introduced a long time ago, and has made major developments that the Canadians are yet to realize. However, both countries have a similar concept of security to unreasonable searches and seizures.
Hands-On Project 1-5
The first case is that of a 45-year-old manager of a Chicago cell Sonya Martin. Martin was involved in one of the most sophisticated computer hacking and organized cash-out schemes ever carried out. In 2008, a gang of hackers obtained access to WorldPay US, Inc., computer network. WorldPay is a payment processor located in Atlanta. The hackers managed to compromise and crack the encryption that was used by the company to protect information on payroll debit cards. These debit cards enable employees to withdraw salaries from an ATM and make purchases. With a compromised system, the hackers increased the withdrawal limit on the ATMs and placed people with 44 debit cards on the compromised ATMs and withdrew amount totaling $9 million from all over the major cities of the world within a span of 12 hours.
The hackers monitored the cash-out process in real time from the compromised network systems of WorldPay. After completing the withdrawals, the hackers destroyed the data stored on the network in a bid to conceal their tracks on their illegal activity. WorldPay later discovered the breach from the anomalies they received and immediately reported to the concerned authorities. The accused Sonya Martin played the role of making counterfeit debit cards from the information she received from the hackers. She also had a team of recruits that were used to withdraw an approximate amount of $80,000 in the early morning in Chicago area. Investigations were carried out by the Federal Bureau of Investigations together with other law enforcement institutions who tracked the culprits and finally three years later arrested Sonya Martin who got a sentencing of two years and six months in prison followed by an $89,120.25 restitution.
The second case that really caught the eye, was that of TJX hacker Albert Gonzalez. Mr. Gonzalez led a group of cyberthieves hacked TJX and other retailers and stole 90 million debit and credit card numbers. Gonzalez used a packet sniffer and installed it on TJX network that allowed him to siphon data on credit cards and debit cards. Gonzalez stored his stolen data in servers he had leased in Ukraine and Latvia. The data was the passed to a Ukrainian card dealer who sold them in the black market hence accepting currencies by legal means. The dealer was caught in 2007 in Turkey and was sentenced to 30 years in prison. The government predicted that banks, companies and insurers lost close to $200 million in the Gonzalez’s syndicate. Gonzalez was later sentenced to 20 years in prison and a fine of $25000.
Similarities of the Aforementioned Forensics Companies
Deliverables:
On hands-on project 1-1, shows how important it is for a forensic student to familiarize himself with the real working industrial environment. The purpose of this activity is to gain insight on how the real world of forensics operate, the problems encountered and the solutions that are given to solve those problems. Additionally, it is important to identify the target clients, so as to get familiarized with their processes, needs and expectations. With this information, it becomes easier to come up with products and solutions that address specific requirements of each client.
Hands-on project 1-2, emphasizes on the need to get acquainted with the laws under which the forensics team operate. With the digital world evolving at a fast pace, the laws provided do not suffice the emerging technology. In such cases is best to learn on the alternatives with which the computer crimes laws are used. For example, case law may be used in scenarios where regulations and statutes do not exist. The law allows previous cases almost similar to the current one to address the ambiguity.
Hands-on 1-3 provided the idea of the importance of maintaining a contact list of experts in the forensic industry to create a pool of ideas and solutions that are not known. The digital world is broad and as much as an individual can try, it is impossible to learn everything. With that in mind, it becomes essential to have partners that are more specialized in different fields than you are for the purpose of sharing ideas and offering assistance to problematic situations. Additionally, the partners can offer legal counsel and advice.
Hands-on 1-4 focused on the laws which are of high importance to a forensic expert. The 4th amendment and the section 8 of charter of rights and freedom are laws that regulate the forensic industry and stipulates under which conditions certain operations are to be carried out. The search and seizure operations engulf the whole operations of a forensic expert. These are the basic day to day services carried out in the forensic world. Therefore, the above laws are meant to protect the human rights of individuals from misuse of these operations by the forensics professions.
Hands-on 1-5 looked at computer crime prosecutions. This activity is meant to detail the processes and ways in which the hackers perform their attacks and at the same time show how the authorities did to fight these hackers. This section enables one to think both like a hacker and a forensics expert who is after the hacker.
Differences in the Aforementioned Companies
Hands-On Project 4-3 the M57 Case
In this project, we looked at a powerful tool in Linux called fdisk. fdisk was used in this case to modify non-Linux file systems. The task that was undertaken was to format and partition a Microsoft FAT drive from Linux. The objective was to allow one to prepare a FAT target disk without having to switch operating systems or computers. The following steps were undertaken.
- Logging in to a Linux distribution and opening a shell window with root privileges.
- Typed fdisk-l to list all the connected devices in that computer.
- Selecting device sda1 to partition as FAT
- Created a new partition and changed the newly created partition to Windows95 FAT32 by pressing command t.
- Listed all available files with their codes by typing command l.
- Finally by typing command c we changed the newly created partition to Windows95 FAT32.
Regarding the case of patents, the fdisk tool does not infringe any patent rules by a different proprietor. Linux is an open source distribution under the GNU license and so the usage of the tools provided is left under the discretion of the user as long as it does not bring harm to others.
Research Project
A proper investigation plan must follow the accepted procedures for seizing, safeguarding and analyzing data. The following are steps describe how to organize an investigation plan for a potential forensic case.
According to (Rowlingson Ph.D, 2004) the first step is to define the scenarios that need digital evidence. In most cases, forensic investigations are done as a response method to an incident that has occurred. In this stage, the scope of the incident is accessed, the magnitude of the damage and the nature of the incident. This step serves as a preliminary for determining the characteristic of the incident that help in defining the best method to identify, collect and preserve evidence. Sometimes it might serve as an advice to the company to take their systems offline.
The second step is to identify the different types of evidences and their sources. In this step the organization determines the available sources of evidence or those that could be generated by the systems. here is where the collection of both volatile and non-volatile data is done. Volatile data may include login sessions, contents of RAM, running processes and open files. The non-volatile data is also collected. After the acquisition of data, the data should be verified for integrity. In this case MD-5 checksum is used. An MD-5 checksum is made by using an algorithm and passing 1s and 0s of a file hence producing a result. The result can tell if the file has been altered with. Finally, a description should be written of how the evidence was handled (Rowlingson Ph.D, 2004).
The third step is to conduct a time analysis. A time analysis is important because it shows information on when the files were accessed, modified and created in human readable format. The goal of this time analysis is to rewind on the activities that took place on the system and therefore pinpoint the source of your investigation (EC-Council, 2016).
Hands-On Project 1-2
The fourth step involves the analysis of media and artifact data. This is the step that answers are found. Questions such as, which files were downloaded, clicked, opened, deleted and what programs were executed should be clearer. Another key area that should be highly considered in this step is memory analysis. Memory analysis helps to identify rogue processes, examine network connections and shows if there was any code injection (EC-Council, 2016).
The sixth step consists of data recovery processes. There are programs that analyze the data layer, the file system and the metadata layer. The slack space and the unallocated space is anylyzed with a view to locate deleted files and target files.
The last step is used for reporting results. A clear analysis report is made, the results of the analysis are also laid down. The actions that were performed are described and hence determine the course of action. Recommendations are offered from a technical point of view on issues such as upgrades, policies, guidelines and tools for the forensic processes (EC-Council, 2016).
Deliverable
Standard Investigation Management and Validation Methods
The management of investigations is crucial because it is the key to a successful digital forensic. The standards of investigation management refer to the procedures and rules that are laid out to be followed when conducting an investigation. On the other hand, validation methods allow for analysis of data to determine its integrity. Possible integrity issues are such as modification of data, unauthorized transfer and data and unauthorized access of data. There are several validation methods that can be used to check the integrity of data.
Directory and volume validation. If there occurs a directory and volume corruption, the organization of the disk drive is bad.
The integrity of the storage media is a good method of data validation. This technique involves checking bad sectors of the drive.
Proprietary file integrity involves testing the file or the media of any corruption within its data. A basic file conversion is a simple test to confirm the integrity of the media. If the file converts successfully, the media is structurally sound.
Visual inspection consists of going through the images or the media one by one and checking for any anomaly. This method can be time consuming as one has to archive thousands of pictures.
References
AcessData. (2018). AccessData. Retrieved from accessdata.com: https://accessdata.com/products-services/mobile-solutions
Bill Nelson, Amelia Phillips, Christopher Steuart. (2014). Guide to Computer Forensics and Investigations. Boston: Cengage Learning.
Common Director of Public Prosecutions. (2017). Australia Federal Prosecution Service. Retrieved from cdpp.gov.au/: https://www.cdpp.gov.au/case-reports/filter?field_category_tid=8
EC-Council. ( 2016). Computer Forensics: Investigation Procedures and Response (CHFI). Boston: Cengage Learning,.
FORENSICON. (2018). Forensicon-Computer Forensics Consulting Company . Retrieved from forensicon.com: https://www.forensicon.com/
James B. Kelly, Christopher P. Manfredi. (2010). Contested Constitutionalism: Reflections on the Canadian Charter of Rights and Freedoms. Vancouver: UBC Press.
McLachlin, B. (2007). The Charter 25 Years Later: The Good, the Bad and the Challenges . Osgoode Hall Law Journal, 365-377.
Moor, K. (2014, July 23). Herald Sun. Retrieved from heraldsun.com.au: https://www.heraldsun.com.au/news/law-order/true-crime-scene/australian-federal-police-foil-russian-crime-gangs-570m-cyber-theft-bid-as-nation-loses-46-billionayear-to-computer-crime/news-story/6ede13d25f63a4c8c922cbe44037553d
Rowlingson Ph.D, R. (2004). A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence.
SS8. (2018). We Are Network Intelligence. Retrieved from ss8.com: https://www.ss8.com