Investigating Data Theft: Analyzing USB Evidence and Suspect's Intent
Added on 2024/05/29
Case Study
AI Summary
This case study delves into a data theft investigation, examining evidence related to the copying of company secrets onto a USB pen drive and exploring the suspect's attempts to hide data. It analyzes potential motives for the theft, including financial gain, intelligence gathering, personal grudges, and reputation. The investigation outlines further evidence needed, such as examining the suspect's computer, implementing backup technology, and direct communication with the suspect, to support the discovered facts and strengthen the case. The study references real-world examples and forensic techniques to provide a comprehensive overview of the investigation process.

Question 1 – Is there any evidence to suggest that the company secrets have been copied onto the USB pen?
Answer: A USB pen drive is a storage device. Because it is small, an employee can easily steal data with it without anyone noticing. Barclays bank is an example where data was stolen through a USB pen drive (Drinkwater, 2015). Important company information can therefore be stolen through a USB pen drive. The organization's authorities checked the last-accessed times of the files on the system and on the USB pen and confirmed that data were copied onto the USB pen.
The company system is actively monitored through USB Block, which manages and monitors all activity in the organization, both legal and illegal. When an attacker attempts to access the system, the access time and the data are saved. All of the attacker's activity during the access is also stored, such as the number of password attempts, wrong passwords, and information about the files the hacker accessed. This provides evidence that the system data have been copied.
The company system requires a password for USB portable access. When an attacker or hacker accesses the system with a USB drive, a password with an OTP is needed. This reveals that someone has accessed the information system through a USB device. The organization's authorities then know that the files were accessed by someone and are able to take action against the suspects.
The company holds a large amount of sensitive information that is shared with its employees according to their needs. The company tracks all system activity on a separate central system. When an employee copies information to the USB, the central system records the activity at the same time, which shows that files were copied onto the USB.
A USB pen drive can store data in a hidden format. The organization's authorities can check whether the pen drive contains hidden data. They make all data on the pen drive visible, check every file, and confirm whether the files relate to sensitive company data.
If there are no hidden files, the organization's authorities check for encrypted files on the USB pen drive. Encrypted files may be in WinRAR format with password protection. These files are decrypted with the decryption algorithm. After decryption, the authorities check all files and confirm whether they are copies.

Data on the USB may be protected with Cryptainer LE or TrueCrypt, which does not allow the data to be accessed. The organization's authorities check the USB data to find out whether files are protected with Cryptainer LE or TrueCrypt. If so, they use the proper encryption key to open the files and then read the data. While reading the data, they check whether the data are copied (ROBIN, 2015).
The organization's authorities will use the above process to find evidence against the hacker who copied data onto his USB pen drive. The same process may be used by the “Vamos Solutions” organization's employees to copy the data.
Question 2 – Is there any evidence to suggest that the suspect has tried to hide any data?
Answer:
Data of the Medicare cards organization were hidden by its employees in 2014. The Medicare cards suspect tried to hide his activity on the system, because otherwise he would be caught by the company authorities. He made his activity untraceable on the computer system. The suspect carried out removal and hiding processes for his own safety. The Medicare cards suspect used the following processes to hide the data:
The Medicare cards suspect can use Encrypt Keystrokes during system access, which gives protection from keyloggers and offers the information.
The suspect copies the data to the USB drive and then deletes the history and all log files that the company needs for tracking. He successfully gets the data and hides his activity on the system.
The Medicare cards suspect disables Windows Hibernation on the computer system RAM, which protects the hacker and his activities on the system hard drive. He can easily access the hard drive without being monitored. The monitoring process is able to track the activity, but after Windows Hibernation is disabled it cannot give information about the suspect.
For safety, the Medicare cards suspect disables and deletes the USB log activity. After this, the organization is not able to track the suspect and his activities.
The Medicare cards suspect disables time stamps, because forensic experts use the digital timeline to get evidence. But the suspect has deleted the access files and last-access log files.

The suspect also uses Windows Security Miscellaneous and Online Anonymity for hiding the data.
The Medicare cards suspect can also use steganography, encryption, covert channels, Windows ADS and file renaming to hide data in the organization (Sanford, 2016).
So I can say that the “Vamos Solutions” organization's employees may hide the data using methods such as Encrypt Keystrokes, disabling Windows Hibernation, disabling and deleting the USB logs, Online Anonymity, and Windows Security Miscellaneous.
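
The checks described under Questions 1 and 2 (copies of company files, hidden files, password-protected WinRAR archives, TrueCrypt-style containers, renamed files) can be scripted as a first pass over a write-blocked copy of the pen drive. This is an added example, not part of the original case study; the `triage` and `demo` functions, the flag names, the 7.9 entropy threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Well-known file signatures mapped to the extensions they normally carry.
MAGIC = {
    b"Rar!\x1a\x07": {".rar"},  # RAR 4.x and 5.x archives
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" bit in st_file_attributes


def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look like random data."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def triage(root, company_hashes):
    """Return {relative_path: sorted flags} for every file under root."""
    report = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            data = Path(path).read_bytes()  # whole-file read: fine for a small drive
            attrs = getattr(os.stat(path), "st_file_attributes", 0)
            flags = set()
            if hashlib.sha256(data).hexdigest() in company_hashes:
                flags.add("matches_company_file")
            if name.startswith(".") or attrs & FILE_ATTRIBUTE_HIDDEN:
                flags.add("hidden")
            kind = next((m for m in MAGIC if data.startswith(m)), None)
            if kind == b"Rar!\x1a\x07":
                flags.add("rar_archive")  # may be password protected; needs review
            if kind and os.path.splitext(name)[1].lower() not in MAGIC[kind]:
                flags.add("extension_mismatch")  # renamed to look harmless
            # Heuristic only: no signature, near-random bytes, whole 512-byte sectors.
            if kind is None and len(data) % 512 == 0 and entropy(data) > 7.9:
                flags.add("possible_encrypted_container")
            report[os.path.relpath(path, root)] = sorted(flags)
    return report


def demo():
    """Triage a constructed sample 'pen drive' built in a temporary directory."""
    secret = b"Constructed sample: Q3 pricing sheet\n" * 20
    with tempfile.TemporaryDirectory() as usb:
        samples = {
            "pricing.txt": secret,  # straight copy of a company file
            ".cache.dat": secret,  # same content under a hidden name
            "holiday.jpg": b"Rar!\x1a\x07\x01\x00" + b"\0" * 64,  # RAR renamed
            "backup.bin": os.urandom(8192),  # stands in for an encrypted volume
            "readme.txt": b"nothing to see\n",
        }
        for name, blob in samples.items():
            Path(usb, name).write_bytes(blob)
        return triage(usb, {hashlib.sha256(secret).hexdigest()})


if __name__ == "__main__":
    for path, flags in sorted(demo().items()):
        print(f"{path:12} {', '.join(flags) or '-'}")
```

The container flag is a heuristic: any random-looking file without a listed signature whose size is a multiple of 512 bytes triggers it, so each hit needs manual review.
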
Question 3 – Any evidence to suggest the reason why the suspect has attempted to steal this data?
Answer:
Data of TJX Company, Inc. were stolen by its employee. The TJX Company suspects may have stolen the organization's data for many reasons, such as:
Financial reason: The reason for most cyber-attacks is to make money. Attackers sell the organization's data on the black market and extract money from third parties that need the data. To steal data, the attacker sets up fake e-commerce sites, collects credit card information and commits large fraud. His motive is not only to gain money but also to make professional criminals using hacking techniques.
Intelligence: Sometimes attackers are less interested in money and instead want to know an organization's secrets, such as geopolitical strategy, trade secrets, and R&D data, which are sensitive information of the organization.
FIG reason: FIG refers to Fun, Ideology, Grudge. Some attackers hack for personal or political reasons against the victim. Through hacking, attackers mess up the victim's computer system.
Due to Asperger syndrome: Some hackers may suffer from Asperger syndrome. They have no social circle. They are easily manipulated by others, so they hack for other people's benefit.
Reputation: Some hackers build prestige in their social circle, so they attack high-profile systems and sites such as banking systems and e-commerce websites.
To get sensitive information: Attackers want to use the organization's system and get sensitive information. So they have used an Internet Relay Chat (IRC) server (for discussion of their activities), storage for illicit material, and DDoS attacks (for access to the victim system).
Ethical/ Experiment/ Knowledge: Some hackers analyse computer systems to search out security weaknesses.
Other reasons: There are some other reasons that explain why a hacker steals data from an organization, such as:
1. Intellectual challenge
2. Curiosity
3. For excitement and thrill
4. For rivals from family members, friends, enemies, or business organizations (Crucial Paradigm, 2014)
So I can say that the “Vamos Solutions” organization's employees may have stolen the data for reasons such as Financial, Intelligence, FIG reason, Reputation, Ethical/ Experiment/ Knowledge, or To get sensitive information.
Question 4 – What further evidence may be needed by the investigation team to support any of the facts discovered during your investigation?
As a forensic investigator, I will investigate further and discover facts that will help in a future investigation, such as:
Suspect’s office computer: I will check the suspect’s system, which is provided by the organization. This helps the investigation because I will be able to track the suspect's activity in the organization and recognize activities that are against the organization. Through the system, I will check which data were accessed by the suspect and whether they are sensitive information.
Backup technology: I will install backup technology on the system to retrieve the information deleted by the suspect. From this information, I will be able to know which information was stolen by the suspect for personal, financial, or rival reasons. I will be able to protect the organization through this information, because the organization will know which sensitive information was stolen. The organization will then take steps for its security.
Communication with the suspect: I will communicate with the suspect and try to find out the reason behind the data theft.

Reference:
Crucial Paradigm. (2014). Hacking Attacks - How and Why. [online] Available at: http://www.crucialp.com/resources/tutorials/website-web-page-site-optimization/hacking-attacks-how-and-why/ [Accessed 5 May 2018].
Drinkwater, D. (2015). Barclays pays compensation to 2,000 customers after USB data loss. [online] SC Media UK. Available at: https://www.scmagazineuk.com/barclays-pays-compensation-to-2000-customers-after-usb-data-loss/article/534361/ [Accessed 5 May 2018].
ROBIN, E. (2015). How to Prevent Data Leaks from USB Drives & Block Unauthorized Devices from Hacking Confidential Files on Your PC. [online] WonderHowTo. Available at: https://operating-systems.wonderhowto.com/forum/prevent-data-leaks-from-usb-drives-block-unauthorized-devices-from-hacking-confidential-files-your-pc-0161621/ [Accessed 5 May 2018].
Sanford (2016). How to remove traces. [online] Hackingloops. Available at: https://www.hackingloops.com/how-to-remove-traces-make-your-computer-untraceable/ [Accessed 5 May 2018].