
Type of Operation & Method of Operation

On the facts, the local SME logistics company, ACE Transportation Pte Ltd, stated: “ACE required that investigations must be carried out such that the suspected staff will not be aroused with suspicion as there is no evidential proof yet, and it may cause morale issues later if the claims are unfounded.”


A covert operation is one intended to conceal the identity of the parties in the investigation. This means the operation must be done secretly; sometimes this goes as far as concealing that the operation ever took place (a clandestine operation). An overt operation, by contrast, is conducted openly, without any concealment. Since openly investigating the suspect would be disadvantageous for the company, as there is no evidential proof yet and the investigation may lead to morale issues, a covert operation should be carried out.

Firstly, to properly carry out a covert operation, a profile for the case should be created. This means that Brandon (the forensic investigator tasked with this case) should first identify the suspect and gather more information on the investigation, so that he understands what he is dealing with and can decide on an effective procedure to follow. This includes finding out the suspect’s schedule so as not to bump into the suspect while investigating. Secondly, to guarantee the confidentiality of the investigation, it would be an advantage to sign a non-disclosure agreement. This means that no information about the investigation can be leaked to a third party, not even to other forensic investigators under DFS Talent Pte Ltd (Brandon’s company).

Thirdly, preparation work is important so that the investigation is not messed up on site. Brandon should prepare a list of the equipment and any peripherals needed to carry out his investigation. The equipment needed can range from evidence bags to external USB devices or portable hard drives, to the acquisition tools used to take the evidence image. Preparation work can also include Brandon familiarising himself with the company’s office: if Brandon sees an unexpected employee at the office, he needs to be able to move around the office to conceal his presence. A contingency plan is also advantageous. The plan can consist of anything that helps Brandon complete his investigation, ranging from alternative software and hardware tools to other methods of approaching the investigation, e.g. Brandon should make two images of the digital evidence with different imaging tools if time permits.

Lastly, after obtaining all the information needed and preparing for the investigation, Brandon can liaise with Mr Kenneth (ACE Company Director) to get the final green light to conduct his investigation. This prevents any miscommunication that could lead to bigger issues between the client company and the investigation company.

DI Process Model

Preparation means coming up with a plan that first decides how to conduct an effective digital investigation, and then prepares a list of the equipment needed. Brandon should put a decent amount of time into this preparation phase, as planning is crucial in digital investigations. As mentioned in the previous question, Brandon should familiarise himself with the investigation site to ensure he is well prepared to react to any unexpected situation. He should also be aware of how to perform acquisition for different types of digital device. Once Brandon enters the investigation site, he will not have time to slowly figure out the steps for each type of acquisition. By listing what can be expected at the investigation site, such as what the systems are used for and whether or not a network is involved, Brandon will be able to prepare the necessary tools and knowledge, which will save a lot of time. Some of the more common equipment needed are evidence bags, tags, a digital camera to document the scene and the evidence, hard drives to store the acquired data, write-blockers, and a toolkit with smaller items such as a flashlight and screwdrivers.

Survey/Identification refers to looking for potential digital evidence from various sources and identifying it by tagging. Surveying can apply to the crime scene itself, to the hardware involved, and to the digital evidence. Brandon should survey the crime scene, which consists of 1) recognition, finding all potential evidence, and 2) distinguishing, making reasonable decisions on which evidence to preserve. Brandon should also keep in mind to first identify and protect any temporary physical evidence, and to document the physical conditions of the investigation site along with his own movements. He should also survey the hardware, which means looking out for types of digital device that are less common than USB drives or desktop hard disks, such as gaming systems or CCTVs. Finally, Brandon should also survey the digital evidence, as different types of evidence will be present depending on the type of crime committed, including the operating systems and computer programs involved. This survey is then used as identification from the point of view of forensic science.

Preservation means preventing any changes to the digital evidence; it is an ongoing process throughout the whole procedure. Brandon would need to use various ways to keep the integrity of the evidence, which may include isolating the system from the network, securing the relevant log files and/or collecting any volatile data that will be gone once the system is shut down. Brandon should therefore also know when to ‘pull the plug’ and when not to. In this case, in terms of preserving the digital evidence, Brandon should acquire everything from the suspect’s computer and storage media, as he does not have the leisure to analyse the hard disk on site and extract only the information relating to the crime, the investigation being a covert operation. Whenever Brandon is doing acquisition, it is best if he keeps in mind the two empirical laws of data acquisition: “#1: If you only make one copy of digital evidence, that evidence will be damaged or completely lost.” and “#2: A forensic acquisition should contain at least the data that is accessible to a regular user of the computer.”
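The preservation step above, and the later point that the evidence Brandon gathers must be verified so that its integrity is maintained, can be made concrete with an added example that is not from the essay or from any tool it names: it recomputes an image’s MD5 and SHA-256, compares them with the hashes recorded at acquisition, and cross-checks two independent copies as the first empirical law requires. The image bytes are constructed; `source` would normally be the acquired .dd/.E01 file.

```python
"""Verify a forensic image against its acquisition hashes and cross-check two copies.

Added example, not from the essay or from EnCase/Autopsy. The image bytes are
constructed; `source` would normally be the acquired .dd/.E01 file and
`recorded` the hash values written on the evidence tag at acquisition time.
"""
import hashlib
import io

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images need not fit in RAM


def hash_source(source, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for bytes or a binary stream, in one pass."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: source.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, recorded):
    """Recompute every recorded algorithm and compare with the acquisition record.

    Returns (ok, mismatches). Verification is repeatable (same input, same
    digests every run) and reproducible (any tool computing MD5/SHA-256 agrees).
    """
    current = hash_source(source, tuple(recorded))
    mismatches = {a: (recorded[a], current[a]) for a in recorded if recorded[a] != current[a]}
    return (not mismatches, mismatches)


def cross_check_copies(copy_a, copy_b):
    """Law #1: two independent images of the same media must hash identically."""
    return hash_source(copy_a) == hash_source(copy_b)


# Constructed sample "media": 3 MiB of deterministic bytes standing in for a disk image.
SAMPLE_MEDIA = bytes(range(256)) * (3 * 4096)
ACQUISITION_HASHES = hash_source(SAMPLE_MEDIA)  # what the evidence tag would record

if __name__ == "__main__":
    print("intact copy verified:", verify_image(SAMPLE_MEDIA, ACQUISITION_HASHES)[0])
    tampered = bytearray(SAMPLE_MEDIA)
    tampered[4096] ^= 0x01  # flip a single bit deep inside the image
    ok, bad = verify_image(bytes(tampered), ACQUISITION_HASHES)
    print("tampered copy verified:", ok, "| mismatching algorithms:", sorted(bad))
```

A single flipped bit changes every digest, which is why the report’s evidence summary records the hashes and why re-verification before analysis is part of preservation rather than an afterthought.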


Examination/Analysis is the fourth step, in which Brandon examines the digital evidence; this means imaging the evidence and making sure it is viewable for analysis. Once the evidence is ready, Brandon needs to think critically, logically and scientifically so as not to raise doubts about his results later on. He should keep in mind the 5W1H: Who, What, When, Where, Why and How. A forensic examination consists of three levels: survey/triage forensic inspection, reviewing all media for useful evidence; preliminary forensic examination, examining the useful evidence found for further information; and in-depth forensic examination, a comprehensive examination of the evidence that requires it. There are three types of analysis for reconstructing a digital investigation: functional analysis, which finds out how the suspect’s activities happened and figures out other related factors; relational analysis, which correlates the suspect and the crime scene to create a bigger picture of the crime and combines the many different clues into a more logical whole; and temporal analysis, which creates a timeline to keep track of the sequence of events.

Presentation refers to making a report consisting of all findings relating to the investigation. The report should be presented in a way that is acceptable in the relevant setting, whether legal, corporate or military. In this case, since Brandon was hired privately by Mr Kenneth, it would be best to follow the corporate style of presentation. Brandon should present the report in a detailed manner. Brandon can also choose to follow a sample report structure, which consists of: an introduction (case number, parties involved, evidence found); an evidence summary (evidence analysed, hash values, condition of the evidence); an examination summary (tools used for analysing the evidence, how the important data was recovered, how irrelevant data was eliminated); a file system examination (details such as path names, date-timestamps and hash values of the important files, directories and recovered data); an analysis (functional, relational, temporal and timeline); and a conclusion (summary of the whole report, flowing from each section, with good reference to the evidence). Lastly, a glossary of terms explains the technical terms used, and an appendix of supporting exhibits lists the evidence used to reach the conclusion, labelled for reference from the content of the report.

Forensic Tools for Analysing

When analysing a forensic image with only one forensic tool, Brandon would not be able to compare results and find out whether there are any differences in the data or whether the image is corrupted. If Brandon uses two different tools to analyse the image, he can compare the results to make sure they are credible.

According to the National Institute of Standards and Technology (NIST), test results must be repeatable and reproducible to be considered admissible as electronic evidence. This means that Brandon should get the same results when analysing the same forensic image with the same forensic tool multiple times, and another investigator should also get the same results when analysing the same forensic image with a different forensic tool. Therefore, Brandon should use at least two different tools to analyse the forensic image; the two forensic tools chosen are EnCase and Autopsy. An advantage of using forensic tools with data recovery functions is that investigators do not need to know how the e-mail server or e-mail client operates to extract data from these computers. The data recovery tools do the work for them and allow the investigators to view the evidence on the computer.

Firstly, EnCase is commercial software which can examine data from forensic images of hard disks, removable media and even Personal Digital Assistants (PDAs). Many law enforcement agencies throughout the world use EnCase, which is an important factor when there is a possibility that the investigation needs to be handed over to the police or used in court. EnCase has a broad range of functions, e.g. the EnScript scripting language, which allows Brandon to write small scripts to perform customised searching and filtering of the imaged data. In addition, there is built-in support for BitLocker, the Windows encryption feature that protects data on disk from attacks.

Secondly, Autopsy is an open-source tool which will allow Brandon to effectively analyse the staff’s hard drives. Autopsy is easy to use, extensible, fast and also cost effective. Since Brandon is a new investigator, there are a few features in Autopsy that might make it easier for him to conduct his analysis: wizards, which guide Brandon through common steps; a maintained history, so Brandon can use the back/forward buttons to backtrack if he needs to review something; and saved settings, so Brandon can easily use the same tool to analyse another image with the same settings. Autopsy also provides modules such as timeline analysis (viewing events graphically), hash filtering (flagging known bad files to alert Brandon), keyword search (finding files containing a specific keyword), web artifacts (extracting history, bookmarks and cookies from web browsers) and data carving (recovering deleted files).

With this said, whether or not a forensic tool has been proven in court is not as important as the digital evidence being forensically sound. It is more important for Brandon to have the technical background and knowledge to support the results of his investigation. Brandon should also be able to defend his interpretation of the evidence, to prove that he understands what the forensic tools are actually doing. In addition, Brandon should ensure that the evidence he gathered is verified in a sound manner, such that its integrity is maintained.

Singapore Law on Use & Misuse of Wireless Connections

There are two possible scenarios for the questionable images downloaded using the company’s computer: either Brandon truly was the offender, or he was not. If Brandon did not download those questionable images, a hacker might have remotely accessed Brandon’s office computer to do so.

The Computer Misuse and Cybersecurity Act, S6(1)(a), states that “any person who knowingly secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service”. This refers to the act of hacking, which is gaining unauthorised access to a computer system or network. This is also known as piggybacking, which carries a punishment of up to 3 years’ imprisonment, a $10,000 fine or both. A case of piggybacking in Singapore involved a person who used his neighbour’s unsecured wireless network to post a bomb hoax online. He was also charged with repeatedly accessing the wireless networks of nine people in his neighbourhood. He was punished with 3 months’ imprisonment and a $4,000 fine. In this case, a hacker might have secured unauthorised access to Brandon’s laptop and downloaded those questionable images to make it seem like Brandon was the culprit.

However, if Brandon was the one who downloaded those questionable images, the Computer Misuse and Cybersecurity Act, S6(1)(c), states that “any person who knowingly uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b)”. This means that the staff member who abused the company’s computer resources for personal gain violated the law when he accessed the company’s network to download his personal, unauthorised material. In addition, if upon investigation the staff member is found to have downloaded images which are themselves unlawful, he can be charged under another, separate law, e.g. if he downloaded child pornography.

Browser Tracking Tools

There are many open-source tools, e.g. Pasco, Web Historian and Browser History Viewer, and commercial tools, e.g. NetAnalysis and Magnet Forensics, in use today. These browser tracking tools help to identify the websites visited, search histories, date-timestamps, download activity and so on. Upon researching, I narrowed the choice down to two useful browser tracking tools for Brandon to use in his investigation.

Firstly, Magnet Internet Evidence Finder (IEF) is a forensic tool for internet-related evidence. IEF can recover data from many areas, such as social networking communications, instant messenger chat histories, popular webmail applications, web browsing history and online communication. Some advantages of IEF are: it finds more evidence, as the tool searches in more places (unallocated space, deleted space, selected files, live RAM captures, network PCAP files and entire user-selected folders and sub-folders); it saves time, as the tool finds more relevant and accurate data, with a single search covering more than 50 artifacts and searches that can be customised by artifact or location; and it is easy to use, as the user interface makes it easier for investigators of any level to find evidence for their cases. In addition, IEF is designed to work with other popular forensic tools like EnCase and FTK. When combined, these tools can lead to finding more digital evidence.

Secondly, Browser History Viewer (BHV) is another forensic tool to extract and analyse internet history from the Google Chrome, Firefox, Internet Explorer and Microsoft Edge web browsers. Some features of BHV are a timeline of website activity, a cached image and web page viewer, time zone configuration and filtering. Since Brandon wants to focus on Internet Explorer usage, BHV allows him to change options such as the web browser and the history duration, e.g. the past 10 days, so that he only views the relevant details for Internet Explorer. The website activity is displayed using an interactive graph which shows the visit counts over the chosen duration, which is useful in identifying suspicious peaks in Internet Explorer activity. The cache image viewer allows Brandon to easily view the images stored in the browser’s cache in a gallery. The cache web page viewer reconstructs the URLs stored in the browser’s cache for easier viewing.
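As an added example that is not from the essay or from Browser History Viewer, the visit-count timeline and peak detection described above can be reproduced over a Chrome-style History database (Chrome being one of the browsers BHV reads); it assumes a simplified version of Chrome’s `visits` table with WebKit timestamps (microseconds since 1601-01-01 UTC), and all rows are constructed sample data.

```python
"""Daily visit-count timeline with peak flagging over a Chrome-style History database.

Added example, not from the essay or from Browser History Viewer. It assumes a
simplified form of Chrome's `visits` table, where `visit_time` is WebKit time
(microseconds since 1601-01-01 UTC); every row inserted below is constructed.
"""
import sqlite3
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    """WebKit/Chrome timestamp (microseconds since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)  # exact integer division

def daily_visit_counts(conn, since, until):
    """Visits per calendar day (UTC) within [since, until], like BHV's duration filter."""
    rows = conn.execute("SELECT visit_time FROM visits WHERE visit_time BETWEEN ? AND ?",
                        (datetime_to_webkit(since), datetime_to_webkit(until)))
    return Counter(webkit_to_datetime(t).date() for (t,) in rows)

def suspicious_peaks(counts, factor=3.0):
    """ISO dates whose visit count exceeds `factor` times the median active day."""
    if not counts:
        return []
    median = statistics.median(counts.values())
    return sorted(str(day) for day, n in counts.items() if n > factor * median)

def build_sample_history():
    """Constructed data: 2 visits/day for ten days, plus a 40-visit burst on the 8th day."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
    start = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    for day in range(10):
        for k in range(40 if day == 7 else 2):
            t = start + timedelta(days=day, minutes=5 * k)
            conn.execute("INSERT INTO visits (url, visit_time) VALUES (1, ?)", (datetime_to_webkit(t),))
    conn.commit()
    return conn, start

def analyse_sample():
    """Run the timeline over the constructed history; returns (daily counts, flagged days)."""
    conn, start = build_sample_history()
    counts = daily_visit_counts(conn, start - timedelta(days=1), start + timedelta(days=10))
    return counts, suspicious_peaks(counts)
```

`analyse_sample()` returns the per-day counts and the flagged dates; on a real History file, open a copy taken from the image rather than the original and pass Brandon’s 10-day window as `since` and `until`.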

 

As mentioned above, there are many other tracking tools, and, like other forensic analysis tools, these browser tracking tools should be forensically sound as well.