IT Security Policy Analysis and Recommendations


Added on  2020/03/28

Forensics Preparation Report
[Name]
[Institution]

Executive Summary
Forensic investigation plays a critical role in identifying and analyzing evidence relating to cyber crimes. The challenges of digital forensics keep growing as technology advances and the use of mobile smartphones becomes more widespread.
In the case under review, the focus is on identifying how a competitor got hold of the email accounts of students and staff at UniCareer Pty. Ltd. The investigation also seeks to determine whether one of the company's staff is indeed in possession of child pornography, as reported. Applying a computer forensics methodology to this investigation will encourage a complete and rigorous investigation, reduce the chance of error and ensure proper handling of evidence and analysis.
X-Ways Forensics and SIFT (SANS Investigative Forensics Toolkit) will be used in the investigation, as between them they contain the tools and technology necessary for evidence acquisition and analysis.
The plan for the investigation will cover the following steps:
- Data acquisition: process the incident scene, seize physical computer evidence, collect data from the live e-mail server system, and collect special content data such as emails and graphics.
- Data validation and verification: the integrity of the data collected will be verified by computing hash values and checksums for both the image and the original data and comparing them.
- Forensic analysis steps: preparation, creating copies of evidence for analysis, data extraction, timeframe analysis, data hiding analysis, and application, file and email analysis.
The report also proposes a security policy document for the company, which includes policies on the use of company IT resources such as email and computers, on software updates and patching, and on vulnerability assessment of the company's network infrastructure.
Table of Contents
Executive Summary
1.0 Introduction
2.0 Justification
3.0 Resources necessary for evidence gathering
4.0 Approach for data acquisition
4.1 Process incident scene
4.2 Seize physical computer evidence
4.3 Collect data from live system
4.4 Collect special content data
4.4.1 E-mail content
4.4.2 Graphics or photographic images
5.0 Type of data acquisition tools needed
5.1 X-WAYS FORENSICS
5.2 SIFT (SANS Investigative Forensics Toolkit)
6.0 Data validation & verification procedures
7.0 Forensic Analysis Steps
7.1 Step 1: Preparation
7.2 Step 2: Extraction
7.2.1 Physical extraction
7.2.2 Logical extraction
7.3 Step 3: Analysis of extracted data
7.3.1 Timeframe analysis
7.3.2 Data hiding analysis
7.3.3 Application, files and email analysis
8.0 Security policies for the Company
8.1 Risk assessment policy
8.2 Internet DMZ Equipment Policy
8.3 Monitoring and Filtering Policy
8.3.1 The Internet Use Filtering System
8.3.2 The Filtering Rule Changes for Internet Use
8.4 Acceptable Use Policy
8.5 The activities with strict prohibitions and without exceptions
8.6 Policy relating to use of company's issued email addresses
8.6.1 Prohibited Use
8.7 Security policy relating to software Updates, routers and IDS
9.0 Recommendations
References

1.0 Introduction
Over the last decade there has been tremendous technological change in the field of computing. Organizations, business enterprises and even governments have become more reliant on IT for day-to-day operations. The uptake of computing devices and the Internet, and the heavy reliance on IT for business, has in turn seen an exponential surge in cybercrime. The nature of cybercrime has also widened to include electronic vandalism, terrorism, extortion, financial fraud and denial of service, as well as the malicious use of hacked computing resources to launch attacks on other computers.
Forensic investigation plays a critical role in identifying and analyzing evidence relating to reported and suspected incidents of information systems compromise. The challenges of digital forensics keep growing as technology advances and the use of mobile smartphones becomes more prolific.
This report presents a plan for carrying out a forensics investigation of the IT systems at UniCareer Pty. Ltd. The investigation seeks to identify whether a competitor compromised the system to acquire the email addresses of students and staff. The investigation also seeks to identify whether one of the staff members is in possession of child pornography on his work and personal computers.
2.0 Justification
For this investigation, the use of a computer forensics methodology is critical. The methodology will direct the investigation and help the team focus on the key points of identifying evidence, using appropriate analysis to evaluate and trace evidence, and understanding the case under review (Abdalla, Hazem and Hashem, 2013). A proper forensics methodology will serve as a vital reference point on the progress and state of the investigation. It will act as a blueprint that directs the steps to be taken at every phase of the forensic investigation cycle (Reith, Carr and Gunsch, 2012). Proper use of a methodology in this case will not only give clear guidelines to the investigators, but will also ensure the investigation is performed in a manner that benchmarks against generally accepted practice (Abdalla, Hazem and Hashem, 2013).
Since computer forensics entails uncovering hidden information and analyzing that information to understand whether a crime was committed, investigations should be thorough. Applying a computer forensics methodology to this investigation will encourage a complete and rigorous investigation, reduce the chance of error and ensure proper handling of evidence and analysis. A third reason why a methodology is justified in this case is that it will help refine our understanding of the basic constituents of a complete and comprehensive investigation, independent of any particular technology. This is because conventional forensic methodologies are designed and refined to include appropriate steps for identifying evidence, analyzing it and applying technology to uncover hidden or deleted evidence that can unearth a digital crime (Abdalla, Hazem and Hashem, 2013).
For this case, the use of an appropriate methodology will aid in the investigation of how competitors got hold of the email accounts of staff and students, as well as in gathering evidence of the alleged crime of watching child pornography against one of the staff members. Using a conventional methodology will facilitate a comprehensive assessment to uncover any crimes committed.
3.0 Resources necessary for evidence gathering
A comprehensive forensic toolkit: two frameworks and toolkits have been chosen, X-WAYS FORENSICS and SIFT (SANS Investigative Forensics Toolkit). X-Ways will be used on Windows systems and will play a critical role in email analysis. Its main features include disk cloning, detecting deleted or lost hard disk partitions, activity logging, and verifying the authenticity of data sets (Popescu and Farid, 2014). Moreover, the toolkit can extract metadata from many file types, and even retrieve emails from a wide range of email clients (Popescu and Farid, 2014). The SIFT toolkit will mainly be used for the macOS systems, as it supports a wide range of file systems, including Windows and macOS file systems (Popescu and Farid, 2014).
Other resources will include:
- Evidence collection and packaging materials and equipment
- The necessary hardware and supporting software for collecting and analyzing evidence
- Individuals highly experienced in the area of digital forensics
4.0 Approach for data acquisition
Digital evidence should be handled with the utmost care, as it is naturally fragile and can easily be destroyed, damaged or altered if handled inappropriately (Casey, 2011). Failure to handle the evidence properly may result in inaccurate conclusions after analysis (Casey, 2011).
Evidence acquisition for this case will focus on acquiring the original digital evidence while protecting and preserving it (Richard and Roussev, 2006). Data acquisition will start with an onsite examination, which will include:
- Surveying the IT infrastructure and the server room housing the company's mail servers (Richard and Roussev, 2006).
- At the office of the individual suspected of viewing pornographic material, seizing the personal computer and the company's computer; an appropriate court order will have to be sought in order to take control of the user's personal computer.
The following basic steps will be followed to acquire evidence:

4.1 Process incident scene
Here we assume the company has a server room for its mail servers, and that evidence for John Pickering's case will be collected from his office. The aim will be to collect all the physical and non-technical evidence (Garfinkel, 2010). One of the examiners will be designated as the Evidence Custodian, who will record every item collected in an Evidence Form (Garfinkel, 2010).
o At the company's server room, an examiner will identify the type and number of computers that will require assessment
o Carry out an initial interview with the systems administrator
o Identify and document the data storage systems attached to the company's servers
o The focus of the investigation is the mail server, so the examiner will concentrate on the specific server hosting the mail service as well as the server hosting staff and student details
o Identify offsite and remote storage and backup options (Richard and Roussev, 2006)
o Identify the software in use on the servers (Richard and Roussev, 2006)
Step two is to secure the digital evidence by establishing a clear chain of custody.
Ensure the examiner's computer is adequately prepared and configured for data acquisition.
4.2 Seize physical computer evidence
- Seize all computers from John Pickering's office; a court order will be required in order to take hold of the personal computer.
- Open up the computers seized at John Pickering's office, access the storage devices and remove them.
o While opening the computers, take proper care to prevent magnetic fields and static electricity from damaging the storage drives and other components (Casey, 2009).
o Take photographs of the interior configuration of the hardware after opening the computers.
o Document the condition of the drives.
o Disconnect the storage devices from the motherboard to prevent data alteration.
- Document the evidence by capturing the serial numbers of the devices.
- Where necessary, use a forensic boot disk to boot the suspect computer and collect evidence (Casey, 2011). This will also be used to test that the storage drives are working and to collect evidence from laptops.
- For removed hard drives, the examiner's computer should be used to acquire evidence from the drives.
- Imaging of the hard drive will be done using a forensic analysis software suite.
- For verification purposes, create hashes of the original data and of the image of the drive.
4.3 Collect data from live system.
Since it would not be possible to remove or shut down the mail servers, evidence will be collected by imaging the live system. The entire system should be imaged, together with all email data contained in it.
All volatile digital evidence will be collected first, including the memory dump, process listing and network connections (Casey, Blitz and Steuart, 2014).
Collecting data on the live system will follow these steps:
i. Access the live system and collect volatile data: data on running processes, cache data, open sockets and ports, logged-in users, applications listening on open sockets, registry entries, memory, etc. (Casey, Blitz and Steuart, 2014).
ii. Collect data on the process table, ARP cache and temporary internet files.
iii. Collect log files.
iv. Collect logs from intrusion detection systems, firewalls, routers and network servers.
v. Document the physical configuration and network topology.
vi. Use a write blocker and write protector before starting the system imaging process (Garfinkel, 2010).
vii. Prepare the chain of custody.
4.4 Collect special content data
Special content data will include graphic pictures, emails and any other documents. Proper methods for unearthing hidden and deleted files will also be used to obtain the data (Garfinkel, 2010).
4.4.1 E-mail content
Collect archived e-mails, backups of the mail server, transaction logs from the mail server and e-mail traffic. This will include all emails for all accounts hosted on the company's mail servers.
4.4.2 Graphics or photographic images
Graphic images will be collected. Proper safeguards will be applied by the evidence custodian in the case of child pornography, to protect the victims.

5.0 Type of data acquisition tools needed
Because this investigation will be performed on both Windows and macOS systems, two forensic analysis toolkits will be used for data acquisition and validation. The tools are:
5.1 X-WAYS FORENSICS
X-Ways Forensics is a forensic framework that includes a wide range of tools and methods for use by cybercrime units. The platform is designed to run on Windows and provides comprehensive and efficient results. Its main features include disk cloning, detecting deleted or lost hard disk partitions, activity logging, and verifying the authenticity of data sets (Popescu and Farid, 2014). Moreover, the toolkit can extract metadata from many file types, and even retrieve emails from a wide range of email clients (Popescu and Farid, 2014).
5.2 SIFT –SANS Investigative Forensics Toolkit
The SANS Investigative Forensic Toolkit ("SIFT") is a computer forensics VMware appliance. SIFT is Linux based and comes pre-configured as a VMware virtual machine that includes a wide range of software tools and technologies essential for a comprehensive digital forensics investigation (Popescu and Farid, 2014). The key competencies of this toolkit include:
- The ability to examine raw disks
- The ability to analyze a wide range of file systems and evidence formats
- Support for Windows, Linux, Solaris and macOS file systems
- "Places strict guidelines on how evidence is examined, verifying that the evidence has not changed" (Popescu and Farid, 2014).
6.0 Data validation & verification procedures
Verification and validation of the evidence collected is critical in ensuring that the information collected is accurate (Shanmugam, 2011). The overall validation and verification process will seek to verify the source and reliability of the items and data collected.
The procedure for verifying and validating data will be:
- For seized computers, serial numbers will be used to verify that they are the original computers issued to the individual (Delp, Memon and Wu, 2009).
- For collected data and OS images, the integrity of the data collected will be verified by computing hash values and checksums for both the image and the original data and comparing them (Shanmugam, 2011).
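Worked example (added here; it is not part of the original report) showing how the hash comparison called for in 4.2 and in this section is carried out in practice with Python's standard hashlib module. The drive contents and the two candidate images are constructed bytes, not case evidence. Both MD5 and SHA-256 are recorded so that the verification entry does not rest on a single algorithm, and when the digests disagree the first divergent byte offset is located so the custodian can document where the copy departs from the original.

```python
import hashlib

# Constructed sample bytes standing in for a seized drive and two candidate images of it.
# In a real acquisition the same functions are fed the device and the image file chunk by chunk.
ORIGINAL_DRIVE = b"UniCareer mail archive block 0\x00" * 64
CLEAN_IMAGE = bytes(ORIGINAL_DRIVE)
TAMPERED_IMAGE = ORIGINAL_DRIVE[:100] + b"X" + ORIGINAL_DRIVE[101:]


def compute_hashes(data, chunk_size=4096):
    """Return MD5 and SHA-256 hex digests, hashing in chunks as one would for a multi-GB image."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(original, image):
    """Compare the digests of the original evidence and its image.

    The image is accepted only when both algorithms agree, so a single weak or
    colliding hash cannot by itself make a bad copy look good.
    """
    orig = compute_hashes(original)
    img = compute_hashes(image)
    return {
        "original": orig,
        "image": img,
        "verified": orig["md5"] == img["md5"] and orig["sha256"] == img["sha256"],
    }


def first_divergent_offset(original, image):
    """Locate the first byte offset at which the image differs from the original.

    Returns None when the two are identical; a length difference counts as a
    divergence at the end of the shorter input.
    """
    for offset, (a, b) in enumerate(zip(original, image)):
        if a != b:
            return offset
    if len(original) != len(image):
        return min(len(original), len(image))
    return None


def custody_record(item_label, original, image):
    """Build the verification entry an evidence custodian would attach to the evidence form."""
    result = verify_image(original, image)
    return {
        "item": item_label,
        "original_sha256": result["original"]["sha256"],
        "image_sha256": result["image"]["sha256"],
        "status": "VERIFIED" if result["verified"] else "MISMATCH",
        "first_divergent_offset": None if result["verified"] else first_divergent_offset(original, image),
    }


if __name__ == "__main__":
    for label, image in (("image-A", CLEAN_IMAGE), ("image-B", TAMPERED_IMAGE)):
        print(custody_record(label, ORIGINAL_DRIVE, image))
```

The digests should be computed before the image leaves the acquisition workstation and again whenever a working copy is made for analysis; any later recomputation that does not match the recorded values means the copy can no longer be relied upon.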
7.0 Forensic Analysis Steps
7.1 Step 1: Preparation
This step will entail preparing directories on designated separate storage media, into which data and files will be recovered or extracted (Franke and Axelsson, 2017).
7.2 Step 2: Extraction
7.2.1 Physical extraction
This step entails extracting data from the seized hard drives at the physical level, without regard for the underlying file system of the drive (Delp, Memon and Wu, 2009). The methods to be used will include:
- Keyword search: searching across the drive with the aim of extracting data that may not be accounted for by the file system or operating system (Franke and Axelsson, 2017).
- File carving: running carving applications on the disks to extract usable data files that it would otherwise not be possible to extract through the operating system (Franke and Axelsson, 2017).
- Examining the disk: examining the partition structure of the disk, including unused space and the partition table (Franke and Axelsson, 2017).
7.2.2 Logical extraction
This stage entails extracting data from the hard drives based on the underlying file system of the drive, including extraction of deleted files and file slack (Hart, Ashcroft and Daniels, 2004). Steps will include:
- Extract information about the file system, with the aim of revealing characteristics such as file locations, file sizes, date and time stamps, file names, file attributes and directory structures (Hart, Ashcroft and Daniels, 2004).
- Data reduction: eliminate common files by comparing their hash values to known, authenticated hash values.
- Extract files important to the investigation, based on file header, file extension and file location.
- Recover deleted files.
- Extract compressed, encrypted and password-protected data.
- Extract file slack.
7.3 Step 3: Analysis of extracted data
The aim here will be to interpret the extracted data to determine its significance to the investigation (Franke and Axelsson, 2017). The analysis will include file ownership and possession, application and file analysis, data hiding analysis and timeframe analysis (Hart, Ashcroft and Daniels, 2004).
7.3.1 Timeframe analysis
This will be done to reveal when particular events occurred and to associate each event with the person who was using the computer at the time it occurred (Franke and Axelsson, 2017). Two methods will be used:
- Review date and time stamps from file system metadata, such as file creation, last accessed and last modified times, with the aim of linking files of interest to the timeframes relevant to the investigation (Franke and Axelsson, 2017).
- Review network, application and system logs. The logs to be reviewed will include security logs, connection logs, installation logs and error logs (Franke and Axelsson, 2017).
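Worked example (added here; not code from the original report) of the two timeframe methods above combined: file-system MAC times and log entries are merged into one chronologically sorted timeline, login/logout pairs from the security log are turned into user sessions, and each file-system event is attributed to the user whose session covers it. The file metadata, the log lines and the username jpickering are constructed sample data, as is the simple "timestamp category event key=value" log layout; a real exercise would feed the same functions the suite's exported metadata and the server's actual log formats.

```python
from datetime import datetime, timezone

# Constructed file-system metadata for two files of interest (timestamps as a forensic
# suite would export them, here normalised to UTC ISO-8601).
FILE_METADATA = [
    {
        "path": "C:/Users/jp/Downloads/img_0042.jpg",
        "created": "2020-03-02T21:14:05Z",
        "modified": "2020-03-02T21:14:05Z",
        "accessed": "2020-03-05T08:02:11Z",
    },
    {
        "path": "C:/Users/jp/Documents/staff_list.csv",
        "created": "2020-02-20T10:00:00Z",
        "modified": "2020-03-03T23:40:12Z",
        "accessed": "2020-03-03T23:41:00Z",
    },
]

# Constructed log lines in a simple "timestamp category event key=value ..." layout.
LOG_LINES = [
    "2020-03-02T21:10:30Z security login user=jpickering workstation=WS-17 result=success",
    "2020-03-03T23:39:50Z connection user=jpickering dst=mail.unicareer.example proto=imap",
    "2020-03-04T01:05:00Z security logout user=jpickering workstation=WS-17",
]


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed data above."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(files, logs):
    """Merge file-system MAC times and log entries into one chronologically sorted event list."""
    events = []
    for entry in files:
        for kind in ("created", "modified", "accessed"):
            events.append({
                "time": parse_ts(entry[kind]),
                "source": "filesystem",
                "event": f"{kind} {entry['path']}",
            })
    for line in logs:
        stamp, rest = line.split(" ", 1)
        events.append({"time": parse_ts(stamp), "source": "log", "event": rest})
    return sorted(events, key=lambda e: e["time"])


def user_sessions(logs):
    """Derive (user, login_time, logout_time) windows from successful login/logout pairs."""
    sessions, open_logins = [], {}
    for line in logs:
        stamp, rest = line.split(" ", 1)
        fields = rest.split()
        if fields[0] != "security":
            continue
        attrs = dict(field.split("=", 1) for field in fields[2:])
        user = attrs["user"]
        if fields[1] == "login" and attrs.get("result") == "success":
            open_logins[user] = parse_ts(stamp)
        elif fields[1] == "logout" and user in open_logins:
            sessions.append((user, open_logins.pop(user), parse_ts(stamp)))
    return sessions


def attribute_events(timeline, sessions):
    """Tag each file-system event with the user whose session covers it (None when no session does)."""
    attributed = []
    for event in timeline:
        if event["source"] != "filesystem":
            continue
        user = next((u for u, start, end in sessions if start <= event["time"] <= end), None)
        attributed.append({**event, "user": user})
    return attributed


def events_between(timeline, start, end):
    """Return the events that fall inside the timeframe relevant to the investigation."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in timeline if lo <= e["time"] <= hi]


if __name__ == "__main__":
    timeline = build_timeline(FILE_METADATA, LOG_LINES)
    for entry in attribute_events(timeline, user_sessions(LOG_LINES)):
        print(entry["time"].isoformat(), entry["user"], entry["event"])
```

Events that fall outside any session (the early creation of staff_list.csv, the later access of the image) are left unattributed rather than guessed, which is the honest result the analyst should carry into the report; note also that last-accessed times are unreliable on many systems and should be corroborated by logs before being relied upon.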
7.3.2 Data hiding analysis
This will be performed to detect and recover any hidden data. The methods to be used will include:
- Correlating file extensions to file headers with the aim of identifying any mismatch; a mismatch may be an indicator of an intentional data hiding attempt by the user (Hart, Ashcroft and Daniels, 2004).
- Accessing compressed, encrypted and password-protected files.
- Accessing the host-protected area (HPA); if data is present in the HPA, it may indicate an attempt to conceal data (Hart, Ashcroft and Daniels, 2004).
- Steganography analysis.
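Worked example (added here; not part of the original report) that serves two steps of the plan at once: the data reduction step of 7.2.2, where files whose hashes match a known-good set are discarded, and the extension-to-header correlation above, where the remaining files are flagged when their leading bytes do not agree with the type their name claims. The "disk" is a constructed dict of path to contents, the known-hash set is built from one of those constructed files (in practice it would be loaded from a reference set such as the NSRL), and the signature table covers only a handful of common types.

```python
import hashlib

# Magic-number signatures for a handful of common types (leading bytes -> canonical type).
MAGIC_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",    # also the container format for docx/xlsx/pptx
    b"MZ": "exe",
}
# Extensions that legitimately map onto one of the canonical types above.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}

# Constructed "disk": path -> file contents. The mp3 entry carries JPEG header bytes,
# the kind of mismatch that renaming images to hide them produces.
DISK = {
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "C:/Users/jp/Documents/report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "C:/Users/jp/Music/track01.mp3": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "C:/Users/jp/Pictures/holiday.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 20,
    "C:/Users/jp/Desktop/notes.txt": b"meeting at 10\n",
}
# Constructed known-good hash set; a real one would come from a reference set such as the NSRL
# so that unmodified OS and application files can be dropped from the review queue.
KNOWN_HASHES = {hashlib.sha256(DISK["C:/Windows/System32/notepad.exe"]).hexdigest()}


def detect_type(data):
    """Identify the file type from its leading bytes, or None if no signature matches."""
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_type(path):
    """Canonical type implied by the file extension ('' when the name has no extension)."""
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_ALIASES.get(ext, ext)


def triage(disk, known_hashes):
    """Hash every file, drop known-good ones, and flag extension/header mismatches on the rest."""
    results = []
    for path, data in disk.items():
        digest = hashlib.sha256(data).hexdigest()
        record = {
            "path": path,
            "sha256": digest,
            "claimed": claimed_type(path),
            "actual": detect_type(data),
        }
        if digest in known_hashes:
            record["status"] = "known"
        elif record["actual"] is not None and record["actual"] != record["claimed"]:
            record["status"] = "mismatch"
        else:
            record["status"] = "review"
        results.append(record)
    return results


if __name__ == "__main__":
    for record in triage(DISK, KNOWN_HASHES):
        print(f"{record['status']:8} {record['claimed']:>4} -> {record['actual']}  {record['path']}")
```

Files with no recognised signature (plain text here) are not reported as mismatches, only queued for review: an unknown header is not evidence of hiding, whereas JPEG bytes under an .mp3 name are worth a closer look.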
7.3.3 Application, files and email analysis
An overall file and email analysis, focusing on:
- Reviewing files, file names and patterns for relevance.
- Correlating file relationships, such as email attachments to email files and cache files to internet history (Hart, Ashcroft and Daniels, 2004).
- Examining the content of files, including the content of unknown file types.
- Analyzing the file contents and metadata of user-created files (Hart, Ashcroft and Daniels, 2004).
- Keyword search and filtering of emails.
- Tracking email connections between multiple users.
- Extraction of pornographic images and video using skin tone analysis technology.
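Worked example (added here; not part of the original report) covering the keyword filtering, attachment correlation and connection-tracking items above, built on Python's standard email package. The three messages are constructed, as are every address, name and domain in them (unicareer.example and competitor.example are reserved example domains, not real hosts); a real run would parse the mailbox export from the server instead of the RAW_MESSAGES list.

```python
import email
from collections import Counter
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "unicareer.example"

# Constructed messages standing in for mail exported from the company's mail server.
RAW_MESSAGES = [
    """From: Alice Ng <alice@unicareer.example>
To: bob@unicareer.example
Subject: Student contact list
Date: Mon, 02 Mar 2020 09:15:00 +0000
Message-ID: <m1@unicareer.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, the student contact list you asked for is attached.
--b1
Content-Type: text/csv; name="student_contacts.csv"
Content-Disposition: attachment; filename="student_contacts.csv"

name,email
Test Student,student1@unicareer.example
--b1--
""",
    """From: bob@unicareer.example
To: rival@competitor.example
Subject: FYI
Date: Tue, 03 Mar 2020 23:40:30 +0000
Message-ID: <m2@unicareer.example>
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

As discussed.
--b2
Content-Type: text/csv; name="student_contacts.csv"
Content-Disposition: attachment; filename="student_contacts.csv"

name,email
Test Student,student1@unicareer.example
--b2--
""",
    """From: carol@unicareer.example
To: alice@unicareer.example, bob@unicareer.example
Subject: Lunch
Date: Wed, 04 Mar 2020 11:02:00 +0000
Message-ID: <m3@unicareer.example>

12:30 at the usual place?
""",
]


def parse_message(raw):
    """Reduce one RFC 822 message to the fields the analysis needs."""
    msg = email.message_from_string(raw)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return {
        "id": msg.get("Message-ID", "").strip(),
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": recipients,
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "body": "".join(body_parts),
        "attachments": attachments,
    }


def parse_messages(raws):
    return [parse_message(raw) for raw in raws]


def keyword_filter(messages, keywords):
    """Return (message id, matched keywords) for messages whose subject, body or attachment names hit."""
    hits = []
    for m in messages:
        haystack = " ".join([m["subject"], m["body"], *m["attachments"]]).lower()
        matched = [k for k in keywords if k.lower() in haystack]
        if matched:
            hits.append((m["id"], matched))
    return hits


def connection_graph(messages):
    """Count sender -> recipient edges, the raw material for tracking who mailed whom."""
    return Counter((m["sender"], rcpt) for m in messages for rcpt in m["recipients"])


def attachment_trail(messages, filename):
    """Follow one attachment name across messages (attachment-to-email correlation)."""
    return [(m["id"], m["sender"], m["recipients"]) for m in messages if filename in m["attachments"]]


def external_transfers(messages, domain):
    """Messages that carry attachments to a recipient outside the company domain."""
    findings = []
    for m in messages:
        if not m["attachments"]:
            continue
        for rcpt in m["recipients"]:
            if not rcpt.lower().endswith("@" + domain):
                findings.append((m["id"], rcpt, m["attachments"]))
    return findings


if __name__ == "__main__":
    msgs = parse_messages(RAW_MESSAGES)
    print(keyword_filter(msgs, ["student", "contact list"]))
    print(connection_graph(msgs).most_common())
    print(external_transfers(msgs, COMPANY_DOMAIN))
```

Searching attachment names as well as subject and body matters here: the second message says nothing in its text, and only the attachment name and the external recipient tie it to the first.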
8.0 Security policies for the Company
This section presents a proposed set of security policies, which should be included in the security
policy document of the company.
8.1 Risk assessment policy
The IT department is tasked with carrying out periodic risk assessments of the company's IT infrastructure.
8.2 Internet DMZ Equipment Policy
- Intrusion detection systems, routers and firewalls must be checked on a bi-weekly basis; any software updates recommended by the manufacturer should be performed as soon as possible.
- Patches and security fixes for OS, equipment or systems that are recommended by the vendor must be installed within the shortest possible time from their release.
8.3 Monitoring and Filtering Policy
8.3.1 The Internet Use Filtering System
A filtering system shall be put in place to block access, from within the corporate network, to websites and internet protocols deemed inappropriate. The blocked content will include:
- Peer-to-peer file sharing protocols (torrents)
- Dating websites
- Access to the deep web
- Pornographic sites
- Gambling sites

8.3.2 The Filtering Rule Changes for Internet Use
The IT department shall, from time to time, review and recommend alterations to the web filtering and protocol rules. In conjunction with the HR department, the IT department shall stipulate penalties for violations of the internet use policies.
8.4 Acceptable Use Policy
- Employees may use the company's internet connection to access personal email and social media; however, employees should exercise sound judgment on the reasonableness of personal use.
- Notwithstanding the privacy provisions applied by the network administration, data created by users on corporate systems remains the property of the company. Management does not guarantee the confidentiality of information on the company's network devices, owing to the need to protect the network.
8.5 The activities with strict prohibitions and without exceptions include:
a) Revealing user account details or allowing use of an account by unauthorized persons, including family members.
b) Use of UniCareer's computing assets to procure or transmit material that violates sexual harassment laws in the user's local jurisdiction.
c) Circumventing user authentication or the security of any host, network or account.
8.6 Policy relating to use of company’s issued email addresses
UniCareer prohibits illegal use of the company's name and email system. It is forbidden to use a company-issued email account to create or distribute any offensive or disruptive messages, such as pornography, abuse and political messages.
8.6.1 Prohibited Use
- Distribution of protected works, since this violates the copyright laws that protect authors' and other people's ideas.
- Faking identity when sending messages such as emails. This may only be done in exceptional cases when authorized by administrators.
- Forwarding or sending email messages or attachments that are likely to contain computer viruses.
- Any email sent through the company email system shall not be confidential. Administrators have the authority to go through emails sent or received in the company email system without notifying the employees.
8.7 Security policy relating to software Updates, routers and IDS
- Security updates for OS, equipment and other systems should be applied as soon as the vendor releases them.
- Intrusion detection systems and firewalls must be updated periodically.
9.0 Recommendations
We recommend a thorough re-evaluation of the security posture of the institution. It is noted that the current security devices have not been updated for some time, and there appears to be no properly documented IT security policy at the institution. We therefore recommend that the institution focus on putting in place proper user policies that are made known to all the staff and students of the institution.
References
Abdalla, S., Hazem, S. and Hashem, S., 2013. Guideline model for digital forensic investigation. In Proceedings of the Conference on Digital Forensics, Security and Law (p. 55). Association of Digital Forensics, Security and Law.
Casey, E., 2011. Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.
Casey, E., 2009. Handbook of digital forensics and investigation. Academic Press.
Casey, E., Blitz, A. and Steuart, C., 2014. Digital evidence and computer crime. Vancouver.
Garfinkel, S.L., 2010. Digital forensics research: The next 10 years. Digital Investigation, 7, pp.S64-S73.
Delp, E., Memon, N. and Wu, M., 2009. Digital forensics. IEEE Signal Processing Magazine, 26(2), pp.14-15.
Franke, K. and Axelsson, S., 2017. The Digital Forensics Process. Digital Forensics, pp.13-49.
Hart, S.V., Ashcroft, J. and Daniels, D.J., 2014. Forensic examination of digital evidence: a guide for law enforcement. National Institute of Justice, Washington DC, USA, Tech. Rep. NCJ 199408.
Popescu, A.C. and Farid, H., 2004, May. Statistical Tools for Digital Forensics. In Information Hiding (Vol. 3200, pp. 395-407).
Reith, M., Carr, C. and Gunsch, G., 2002. An examination of digital forensic models. International Journal of Digital Evidence, 1(3), pp.1-12.
Richard III, G.G. and Roussev, V., 2006. Next-generation digital forensics. Communications of the ACM, 49(2), pp.76-80.

Shanmugam, K., 2011. Validating digital forensic evidence (Doctoral dissertation, Brunel University School of Engineering and Design).