Task 1 - Investigative Plan of Action
Western Governors University, course D431 (Information Systems). Uploaded Apr 3, 2024 by CorporalArmadillo3991.
D431: Digital Forensics in Cybersecurity
Task 1: Investigative Plan of Action
Western Governors University
Susan Crowe
3/7/2024
A1. Discuss the strategy that your team will use to both maximize the collection of evidence and minimize the impact on the organization.
At the beginning of a potential incident requiring a forensic investigation, a core team would be engaged to develop a plan of action. This initial meeting would include relevant management from the oil company, members of the legal team, possibly the compliance team, and the cybersecurity investigation team. The objectives below are intended to keep the organization's exposure to a minimum and to use personnel time as efficiently and briefly as possible.

Involving the right stakeholders is essential for discussing the situation and gathering whatever is already known, which in turn determines the specific data-gathering needs. Initial information about the subject's position, responsibilities, expected access levels, and typical job functions helps draw a boundary between expected actions and inappropriate ones. Written policy documents would also be collected so that any observed action can be measured against documented acceptable and unacceptable behavior.

A2. Describe the tools and techniques your team will use in evidence gathering, preparation, and analysis.
Collecting evidence will require multiple techniques and tools to extract information while maintaining the integrity of the data as carefully as possible. There may be a need to recover deleted files through file carving (also called data carving): a forensic analyst searches the storage media, or a memory capture, for file contents that remain after the file system's references to them were removed, identifying them by their file signatures rather than by directory entries. Before any such analysis, a forensic image (a bit-for-bit copy) of the media would be created through a write blocker, and cryptographic hashes of the original and the copy would be computed and compared so that the image can be shown to be identical. All examination is then performed on the copy, leaving the original disk intact, and the user's own machine is not disturbed in a way that would reveal the investigation. FTK and EnCase would be used to create and verify these images and to perform the later analysis. (Cloudian, n.d.)
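The carving step described above, as an added example that is not part of the original document and is not FTK or EnCase code: a minimal signature-based carver run over a constructed raw image. The image bytes, the signature table, and the artifact record format are this example's own choices; the size ceiling is what bounds a carve when a file's trailer is missing, which is the usual failure mode on fragmented or partially overwritten files.

```python
"""Signature-based file carving over a raw image, with integrity hashes.

Added example, not part of the original document and not FTK or EnCase code.
The image bytes are constructed here: filler standing in for unallocated
space, with a deleted PNG, a deleted PDF, and a truncated PDF embedded in it.
"""
import hashlib
import re

# Per file type: header, trailer, and a size ceiling. The ceiling bounds the
# carve when the trailer is missing (fragmented or overwritten file).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
    "pdf": (b"%PDF-", b"%%EOF", 50_000_000),
}


def carve(image: bytes) -> list:
    """Return carved artifacts sorted by offset, each with a SHA-256 of its bytes.

    A PDF with incremental updates contains several %%EOF markers; this simple
    carver stops at the first one, so such files come out truncated.
    """
    found = []
    for kind, (header, trailer, ceiling) in SIGNATURES.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(trailer, start, start + ceiling)
            if end == -1:
                data = image[start:start + ceiling]   # partial carve, no trailer
                complete = False
            else:
                data = image[start:end + len(trailer)]
                complete = True
            found.append({
                "type": kind, "offset": start, "length": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return sorted(found, key=lambda a: a["offset"])


def verify_artifact(image: bytes, artifact: dict) -> bool:
    """Re-hash the recorded slice; False means the image or the record changed."""
    data = image[artifact["offset"]:artifact["offset"] + artifact["length"]]
    return hashlib.sha256(data).hexdigest() == artifact["sha256"]


def build_sample_image() -> bytes:
    """Constructed unallocated space: 512 bytes of filler around each deleted file."""
    filler = b"\xff" * 512
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.7\n" + b"%proprietary drawing\n" * 4 + b"%%EOF"
    truncated_pdf = b"%PDF-1.4\n" + b"\x00" * 32          # trailer never written
    return filler + png + filler + pdf + filler + truncated_pdf


if __name__ == "__main__":
    img = build_sample_image()
    for art in carve(img):
        print(art["type"], art["offset"], art["length"],
              "complete" if art["complete"] else "partial", art["sha256"][:16])
```

Recording the offset, length and hash of every carved item at carve time is what later lets an examiner (or opposing counsel) re-derive the same artifact from the same image and confirm nothing was altered in between.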
Log collection systems, including a Security Information and Event Management (SIEM) platform, would be used to pull activity logs for every system John Smith had access to, not just his workstation. This gives insight into his activity, the specific files that may have been accessed, and where the data was transported electronically. (Christopher, E., 2021)
A3. Describe how your team will collect and preserve required evidence using standardized and accepted procedures.
Once the overarching issue is better understood from the roles and responsibilities of the subject, evidence gathering can begin. This will be done by collecting data and logs from network and endpoint devices in a way that does not interrupt business operations. It includes collecting logs and leveraging any other cybersecurity tools already available in the oil company's environment; if data loss prevention tools are deployed, for example, their records would be gathered to track the data's movement and verify what actions the user took. This would all be done by the forensics team from existing log archives and tools, with little intervention from the organization's own resources. The initial steps would be conducted without taking control of the subject's workstation, so they would not affect operational work in progress.

Security footage will be another key source of evidence. If video surveillance footage is available, it would be collected and reviewed for physical evidence of the subject's movements while collecting data, of intent to share it, or of the actual handover of proprietary data. This could include removable media being plugged into his workstation or into other devices holding proprietary data, or the physical act of handing information to another party.

The initial collection is aimed at data and log evidence of events that have already occurred, on the assumption that the activity has already taken place. Once the initial evidence is collected, each item is hashed and a chain of custody is established, with every handover recorded, to preserve the integrity of the data. Additional protections would then be put in place to monitor access attempts and prevent further compromise of proprietary data. Technical controls could include blocking USB mass storage so that no external device or media can be attached to the workstation or to the devices holding proprietary data that John Smith may have access to. Additional measures may include running packet captures of the workstation's traffic with Wireshark during his daily activities; capturing from a network tap or switch SPAN port rather than from software installed on the workstation itself avoids altering the evidence machine and tipping off the subject. (Henry P., 2009)
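The preservation steps above (a verified copy of the media, a hash for every item, and a recorded chain of custody), as an added example that is not part of the original document and is not FTK or EnCase code. The "device" is constructed bytes standing in for a write-blocked drive, and the ledger's field names and hash-chain layout are this example's own choices rather than a standard format.

```python
"""Verified acquisition and a hash-chained chain-of-custody ledger.

Added example, not part of the original document and not FTK or EnCase code.
`source` stands in for a write-blocked device; here it is constructed bytes,
in practice it would be read from a device file. Names and record fields are
this example's own choices, not a standard format.
"""
import hashlib
import json
from datetime import datetime, timezone

BLOCK_SIZE = 4096
GENESIS = "0" * 64   # 'previous hash' of the first ledger entry


def acquire(source: bytes, block_size: int = BLOCK_SIZE):
    """Copy source block by block; return (image, source_hash, image_hash).

    The image hash is computed from the bytes actually written, not reused from
    the source hash, which is what lets a write error or truncation be detected.
    """
    src_hash = hashlib.sha256()
    out = bytearray()
    for offset in range(0, len(source), block_size):
        block = source[offset:offset + block_size]
        src_hash.update(block)
        out += block
    image = bytes(out)
    return image, src_hash.hexdigest(), hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash an image before each examination session and compare to the record."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


class CustodyLedger:
    """Append-only custody records, each committing to the previous entry's hash.

    Altering any stored entry breaks the chain from that point on. The chain alone
    does not stop someone rewriting every entry; anchor the latest entry hash
    somewhere the analysts cannot alter (signed, printed, or held by a second party).
    """

    def __init__(self):
        self.entries = []

    def record(self, action, item, sha256, handler, when=None):
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "action": action, "item": item, "sha256": sha256, "handler": handler,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


if __name__ == "__main__":
    device = bytes(range(256)) * 40                      # constructed 10 KiB 'disk'
    image, src_h, img_h = acquire(device)
    ledger = CustodyLedger()
    ledger.record("acquired", "ws-jsmith-disk0.dd", img_h, "analyst A")
    ledger.record("transferred to lab safe", "ws-jsmith-disk0.dd", img_h, "analyst B")
    print("hashes match:", src_h == img_h, "ledger intact:", ledger.verify())
```

The two checks worth keeping in the procedure are the ones the code makes explicit: the image hash must be recomputed from the written copy, not copied from the source hash, and the ledger must be re-verified (and the image re-hashed) at the start of every session, not only at acquisition.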
A4. Describe how your team will examine the seized evidence to determine which items are related to the suspected violation of company policy.
Once all known evidence has been collected and a chain of custody process is in place, the team would begin the examination to identify any behaviors or evidence that would validate the suspicion about John Smith's activities. The examination methods and tools would be chosen to satisfy the Daubert Standard, the test courts apply when admitting expert evidence: methods that have been tested, subjected to peer review, have a known error rate, and are generally accepted in the field. This is what allows findings about which proprietary information was accessed, and how it was used, to hold up if the matter proceeds to court. (Robinson, J., 2023) The initial focus will be on evidence already collected from the systems about past activity. It may also be necessary to have someone monitor the user's activity in real time, through the packet captures, surveillance video, and any attempts to gather and export data. The team may also configure alerts on the SIEM or email security tools to be notified of any attempt to transmit sensitive data outside the organization during the investigation. (Novak, M., 2018)

A5. Discuss an approach that your team will use to draw conclusions based on the digital evidence that supports the claim of a policy violation.
The forensics team would assess all collected data, searching for specific keywords, files, or activities involving the access, saving, extraction, or sending of proprietary data by the user through any means. If the data shows that John Smith did access proprietary data, the team would then work to establish how it was accessed and how it was used. All findings would be detailed in reports and in the evidence log and provided to the legal and compliance teams and to business leaders, who determine the necessary course of action. (Novak, M., 2018)
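The SIEM work described in A2 (pulling activity for every system the user could reach), the alerting in A4, and the assessment in A5 all reduce to the same operation: build a per-user timeline from several log sources and flag the sequences that matter. The following is an added example that is not part of the original document and is not any SIEM product's code. The log lines are constructed, and the field names, the share path treated as proprietary, the company mail domain, and the eight-hour correlation window are all assumptions.

```python
"""Per-user timeline and exfiltration correlation over multi-source logs.

Added example, not part of the original document and not SIEM product code.
SAMPLE_LOGS is constructed: "timestamp host source key=value ..." per line,
with values containing no spaces. Share path, mail domain and window are assumed.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-03-05T08:55:10Z fileserver01 smb user=jsmith action=read path=/shares/Engineering/well-survey-2024.xlsx
2024-03-05T09:02:41Z ws-jsmith endpoint user=jsmith action=usb_connect device=SanDisk_Ultra mount=E:
2024-03-05T09:03:15Z ws-jsmith endpoint user=jsmith action=file_copy src=well-survey-2024.xlsx dst=E:/well-survey-2024.xlsx
2024-03-05T12:10:02Z mailgw01 smtp user=jsmith action=send to=contact@example.org attachment=well-survey-2024.xlsx
2024-03-05T13:00:00Z fileserver01 smb user=akim action=read path=/shares/Engineering/well-survey-2024.xlsx
2024-03-06T10:00:00Z ws-jsmith endpoint user=jsmith action=usb_connect device=Logitech_Receiver mount=
2024-03-06T10:05:00Z mailgw01 smtp user=jsmith action=send to=hr@example.com attachment=timesheet.xlsx
"""

PROPRIETARY_PREFIX = "/shares/Engineering/"   # assumed location of proprietary data
INTERNAL_DOMAIN = "example.com"               # assumed company mail domain
WINDOW = timedelta(hours=8)                   # assumed read-to-transfer window

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(text: str) -> list:
    """Parse log lines into dicts, ordered by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        ts, host, source, rest = match.groups()
        event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 "host": host, "source": source}
        for pair in rest.split():
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def user_timeline(events: list, user: str) -> list:
    """All events attributed to one user across every log source, in time order."""
    return [e for e in events if e.get("user") == user]


def correlate(events: list, user: str) -> list:
    """Flag a proprietary read followed within WINDOW by a copy to removable media
    (a mount announced by an earlier usb_connect on the same host) or by an e-mail
    to an external domain carrying the same file. A usb_connect with no mount
    (a mouse receiver, say) never marks a destination as removable."""
    alerts, mounts, recent = [], {}, {}     # recent: filename -> last proprietary read
    for e in user_timeline(events, user):
        action = e.get("action")
        if action == "read" and e.get("path", "").startswith(PROPRIETARY_PREFIX):
            recent[e["path"].rsplit("/", 1)[-1]] = e["ts"]
        elif action == "usb_connect" and e.get("mount"):
            mounts.setdefault(e["host"], set()).add(e["mount"])
        elif action == "file_copy":
            name = e.get("src", "").rsplit("/", 1)[-1]
            removable = any(e.get("dst", "").startswith(m) for m in mounts.get(e["host"], ()))
            if removable and name in recent and e["ts"] - recent[name] <= WINDOW:
                alerts.append(("usb_copy", name, e["ts"]))
        elif action == "send":
            name = e.get("attachment", "")
            domain = e.get("to", "").rpartition("@")[2]
            if domain != INTERNAL_DOMAIN and name in recent and e["ts"] - recent[name] <= WINDOW:
                alerts.append(("external_email", name, e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for kind, name, when in correlate(evs, "jsmith"):
        print(when.isoformat(), kind, name)
```

Run as a batch over archived logs this produces the timeline and findings for A5; the same `correlate` logic, fed live events, is the alert rule A4 describes. The read to `akim` on the same file shows why the timeline is built per user rather than per file.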
A6. Discuss how the case details and conclusions should be presented to senior management.
A final findings report will be drafted to include a description of the actions taken during the investigation, an explanation of how the tools and procedures were used and how the choice of tools was made, and any other specific actions or examinations conducted. The report would present findings focused on the question at issue: whether the evidence shows that John Smith obtained proprietary data and shared it with a party he was not permitted to share it with. Observed facts should be kept separate from the analyst's interpretation, and the report should be written so that a non-technical audience can follow the reasoning from evidence to conclusion. The report would be presented in a discussion led by the investigation lead with the legal team, company leadership, and the compliance team involved. (Forensic Focus, 2021)
References

1. Cloudian (n.d.). Understanding Digital Forensics: Process, Techniques, and Tools. Retrieved March 7, 2024, from https://www.bluevoyant.com/knowledge-center/understanding-digital-forensics-process-techniques-and-tools
2. Christopher, E. (2021, March 7). Looking at the digital footprints: Forensic analysis in SIEM. Retrieved March 7, 2024, from https://www.manageengine.com/log-management/cyber-security/forensic-analysis-in-SIEM.html
3. Henry, P. (2009, September 12). Best Practices in Digital Evidence Collection. Retrieved March 7, 2024, from https://www.sans.org/blog/best-practices-in-digital-evidence-collection/
4. Robinson, J. (2023, August). Daubert Standard. Retrieved March 7, 2024, from https://www.law.cornell.edu/wex/daubert_standard#:~:text=The%20%E2%80%9CDaubert%20Standard%E2%80%9D%20provides%20a,is%20presented%20to%20a%20jury
5. Novak, M. (2018, October 7). New Approaches to Digital Evidence Acquisition and Analysis. Retrieved March 7, 2024, from https://nij.ojp.gov/topics/articles/new-approaches-digital-evidence-acquisition-and-analysis
6. Forensic Focus (2021, February 4). Writing DFIR Reports: A Primer. Retrieved March 7, 2024, from https://www.forensicfocus.com/articles/writing-dfir-reports-a-primer/