Task2 - Forensic Investigation

School: Western Governors University
Course: D431
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 7

D431: Digital Forensics in Cybersecurity
Task 2: Forensic Investigation
Western Governors University
Susan Crowe
3/7/2024
A1. Describe all steps taken in Autopsy to create the forensic system case file. Provide screenshots of these steps.

To begin creating the forensic system case file, I opened the Autopsy application within the lab environment. Once the application opened, I selected “New Case” from the menu and created a new case with the Case Name: JohnSmith. The Base Directory chosen was an existing folder on the desktop labeled “Evidence Files”. I entered 381876355 (my student number) as the case number. I also listed myself as the examiner and included the necessary contact information in the applicable fields. The settings shown in the following screenshot were left at their defaults.
The next screen requires a selection of the Data Source type. I selected the “Disk Image or VM File” option, highlighted in the screenshot below. The application then requires the data source itself to be selected. For this, I browsed to the Evidence Files folder and selected “JSmith_Q1.001” from the list of available files.
The remaining options on the screen were left at their defaults, and I clicked Next to proceed to the next step in the creation process. The next screen requires the Configure Ingest Modules selections. For this section, I left all settings at their pre-selected defaults and clicked Next. The Autopsy application loaded the data source JSmith_Q1.001 and automatically performed an initial analysis, using the selections from the Configure Ingest screen to run the automated analysis.
This concludes the loading process for the case created for John Smith.

A2. Describe all steps taken in Autopsy to identify potential evidence including data files, deleted data files, directories, or drive partitions. Provide screenshots of these steps.

The image has now been loaded into the Autopsy application. The first thing I do is review the tree in the left window pane to see what the program has detected and loaded. This gives me a high-level understanding of the types of files and images that were discovered and are ready to be fully analyzed and scrutinized to determine what should be entered into evidence for this case. One specific area of interest is the set of deleted files that were identified, displayed below. Within the deleted files section there are suspicious files that could be considered proprietary. This will need to be reviewed with the legal team and company leadership to determine whether the material is classified as proprietary.
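As an added illustration (not part of this report and not Autopsy's own code), the following Python script shows the partition-table parsing that happens underneath the “Disk Image or VM File” data source step: Autopsy, through The Sleuth Kit, reads the partition table of the image to discover the volumes it then lists in the tree under the data source. The 512-byte MBR here is constructed inline with two sample partitions so the script runs offline; the partition type names are a small subset assumed for display only.

```python
"""Parse the MBR partition table of a raw disk image.

Added illustration, not part of the original report or of Autopsy itself.
The constructed MBR below stands in for the first sector of an image such as
JSmith_Q1.001 so the script runs without any evidence file.
"""
import struct
from typing import Dict, List

SECTOR = 512
MBR_SIGNATURE = 0xAA55
PART_TABLE_OFFSET = 446     # 4 entries of 16 bytes, then the 2-byte signature

# Assumption: a small subset of MBR partition type ids, for display only.
PART_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
}


def parse_mbr(image: bytes) -> List[Dict]:
    """Return the non-empty partitions described by the MBR at the start of `image`."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    sig = struct.unpack_from("<H", image, 510)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    parts = []
    for idx in range(4):
        off = PART_TABLE_OFFSET + idx * 16
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, off)
        if ptype == 0x00 or sectors == 0:
            continue            # unused slot
        parts.append({
            "index": idx,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type": PART_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "start_sector": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return parts


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: a bootable NTFS partition followed by a FAT32 partition."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 409600),      # bootable NTFS, 200 MiB
        (0x00, 0x0C, 411648, 204800),    # FAT32 (LBA), 100 MiB
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET + i * 16,
                         status, ptype, start, count)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
```

On a real image the same function is pointed at the first 512 bytes of the file; a failed signature check is the first sign that the image is a single volume rather than a whole disk, or that the sector was damaged, which is the situation where the tree in Autopsy shows no partitions.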
The image below is loaded in the preview to show that the violator was accessing restricted files that are marked confidential and restricted. These are also found in the deleted files section, which suggests they may have been deleted so they would not be found on a device they should not have been accessed from. Another discovery that will require deeper analysis is within the Data Artifacts. There is a Metadata selection which shows details (artifacts) about the files that are questionable in this case. For example, there is a document titled ‘the best way to hide something, is in plain sight’. The metadata view shows additional information that could establish who owns the original file, where it was accessed, and who accessed it, so that it can be added as solid evidence.

A3. Summarize the findings you identified during your investigation and the conclusions you made regarding the suspect and the collected evidence. Provide screenshots from Autopsy or reports to support your findings and conclusions.

The forensic investigation process has identified multiple pieces of evidence that can be leveraged to prove that John Smith was accessing confidential and proprietary information that he should not have been accessing. The application and analysis process was able to provide proof that these restricted files were in fact deleted from the user’s device. These files are specifically labeled as “Confidential” and “Restricted”. These documents provide direct evidence that they are proprietary and contain sensitive company information on processes and techniques used within the organization. The outcome of this analysis determines that John Smith has violated his rights and access permissions by accessing sensitive and proprietary data and likely knowingly reviewed these documents. Another concerning point that should be included in the findings summary is that there is additional evidence that John Smith was looking up Bitcoin transaction processes, which could indicate an intention to share the data with another party. This would need to be further analyzed to validate the connection; however, it does raise suspicion and warrants further analysis.