Tuesday, May 5, 2020

Forensics Computing for Cyber-Security and Digital Forensics

Question: Discuss Forensics Computing for Cyber-Security and Digital Forensics.

Answer:

Introduction

In a digital forensics investigation process, employees account for the highest percentage of compromised company data and information. Critical supervision and occasional forensic auditing are paramount to ensure the security and integrity of company information (Optisnick, 2017). In this case, ABC bank suspects a potential employee infiltration, so a thorough forensic investigation is to be carried out on its 15TB servers. The following processes and tools will be used for this operation.

Forensics Tools

One of the tools essential for this exercise is the Forensic Toolkit (FTK) made by AccessData. This tool is important because it offers a disk imaging tool known as FTK Imager, which saves the hard disk image into segments and files that can later be reconstructed. Another tool appropriate for this exercise is Wireshark, which allows monitoring of the network and capture of data from it. Data capture provides firewall logs and centralised logs that show IP activity and signatures. Lastly, there is EnCase, which is used for the identification, examination and acquisition of evidence, and to gather the information that determines whether further investigation is required.

Data Acquisition

Using the EnCase and FTK toolkits, images of the compromised hard disks are created so that the forensics exercise can be done outside of the live server environment. Each image is made read-only to avoid any modification of data that would compromise the integrity of the forensic evidence (EC-Council, 2016). The forensics tools are also not installed in the live server environment, as this would weaken the security of the servers and make them more susceptible to attack. During this process there are two sources of data whose state is critical to how they are acquired: volatile and non-volatile data are acquired differently because they exist in different states. Volatile data is collected from sources such as RAM, login sessions, the ARP cache, open files and running processes. Non-volatile data requires imaging of the hard disks of the compromised systems (Janczewski, Wolfe and Shenoi, 2013).

Diplomatic Strategies with the Network Administrator

Following all legal standards and requirements is essential in collecting forensic evidence; otherwise, all evidence acquired would be rendered inadmissible in court as having been obtained by illegal means. For instance, if potential email abuse has been identified as employee misconduct during the investigation, the investigator should consult the email-server administrator. Where logs from the email server are available, the investigator should request the log records from the administrator rather than hack his way into the email server. Likewise, in an internet abuse case, the investigator should request the proxy server logs from the network administrator. By working hand in hand with the administrators, the investigators ensure the integrity of the investigation process and gain clarity about the organization's network infrastructure (Nelson, Phillips and Steuart, 2014).

Privacy Issues with ABC Bank's Records

Sensitive bank information such as account numbers, billing information and customer names makes the forensic task harder, as this information is handled with the utmost privacy. Therefore, to preserve privacy during the forensic investigation, selective imaging is carried out, in which the relevant data is classified into two categories, private and non-private. Where privacy policies have to be adhered to, the private data is protected through encryption. Where private data is relevant to the forensic investigation, access to it is determined by the owner. The investigators and the owner of the data work hand in hand to categorise which data is private and which is not (Aminnezhad and Dehghantanha, 2014).

Data Validation

The data validation step is critical, as it provides the grounds for establishing the integrity of the evidence acquired in a forensic investigation. There are different ways of determining the validity of data. For instance, where the investigator has acquired evidence of potential internet abuse, the investigator contacts the firewall or network administrator to request the proxy server log of the suspected user. If available, the network administrator confirms whether the logs are maintained and specifies the time to live (TTL) of the IP address on the network in cases where a DHCP server is in use. Thereafter, the investigator compares the log records provided by the network administrator with the evidence from the forensic analysis (Nelson, Phillips and Steuart, 2014).

Report on Problems Encountered and their Solutions

In the course of the ABC bank forensic investigation, the following problems are expected, together with their solutions. To start with, there is the problem of performing forensics on a live server. To perform effective forensics, online devices must first be taken offline, but doing so to the bank's servers would interrupt normal operations, and the loss and cost would be too high. Therefore, the solution is to narrow the investigation down to the suspected employee's misconduct and interrupt only the section where a potential crime was committed. Secondly, the servers' 15TB of storage is too large for a full disk imaging. A full disk image would increase the cost and extend the time required for the investigation. The solution is to perform selective imaging, where only the relevant data identified in the forensic analysis is accessed and imaged for further investigation.
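The segmented imaging from the Data Acquisition section and the integrity check from the Data Validation section, as an added Python example that is not the post's own work and not AccessData or EnCase code: it writes an image as read-only ordered segments, recomputes SHA-256 over the segments in order and compares it with the hash recorded at acquisition. The segment naming, the choice of SHA-256 and the sample image bytes are assumptions constructed for the example.

```python
# Added example (not code from the original post or from AccessData/FTK). Assumptions:
# raw dd-style segments named in order, and a hex SHA-256 recorded at acquisition time.
import hashlib
import os
import tempfile
from pathlib import Path

def split_image(image: bytes, workdir: Path, segment_size: int) -> list:
    """Save an acquired image as ordered segment files (as an imager does) and
    mark every segment read-only so later analysis cannot alter the evidence."""
    paths = []
    for i in range(0, len(image), segment_size):
        p = workdir / f"evidence.{i // segment_size + 1:03d}"
        p.write_bytes(image[i:i + segment_size])
        os.chmod(p, 0o444)  # read-only image, as the acquisition step requires
        paths.append(p)
    return paths

def hash_segments(paths, chunk_size: int = 1 << 20) -> str:
    """Stream the segments in order through one SHA-256, exactly as if they had
    been concatenated back into the original image (no full copy needed)."""
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()

def verify_image(paths, acquisition_hash: str) -> bool:
    """Data validation: the reassembled image must hash to the value recorded at
    acquisition time; any difference means the evidence is no longer intact."""
    return hash_segments(paths) == acquisition_hash.lower()

def demo():
    """Constructed sample: a 1 MiB 'disk' split into 256 KiB segments, then one
    byte of segment 2 is altered to show the validation failing."""
    image = bytes(range(256)) * 4096                      # constructed, not real evidence
    acquisition_hash = hashlib.sha256(image).hexdigest()  # recorded when the image was taken
    with tempfile.TemporaryDirectory() as tmp:
        paths = split_image(image, Path(tmp), 256 * 1024)
        intact = verify_image(paths, acquisition_hash)
        os.chmod(paths[1], 0o644)  # simulate the read-only protection being defeated
        data = bytearray(paths[1].read_bytes())
        data[0] ^= 0xFF
        paths[1].write_bytes(bytes(data))
        tampered = verify_image(paths, acquisition_hash)
    return intact, tampered  # (True, False)
```

Because the hash is streamed segment by segment, the same check scales to a selective image of the 15TB servers without ever reassembling the full image on disk.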
Lastly, there is the problem of customer privacy. While liaising with the bank's management, the bank's privacy policies are laid out so that the investigation is carried out under the legal process. That way, customer privacy is not compromised, and at the same time the policies do not limit the quality of the investigation process. There are, however, exceptions: if, for instance, an employee is suspected of having stolen customer bank information, it is critical that the investigator is given access to the files that were accessed.

Partition Manager Utilities

Utility    OS supported    File systems supported             Max partition size supported    Interface (CLI, GUI)
DISKPART   Windows         FAT, exFAT and NTFS                2TB                             CLI
GPARTED    Linux           FAT, exFAT, HFS, NTFS, UDF, XFS    2TB                             CLI and GUI

Bibliography

Aminnezhad, A. and Dehghantanha, 2014. A survey on privacy issues in digital forensics. International Journal of Cyber-Security and Digital Forensics, 3(4), pp. 183-199.

Nelson, B., Phillips, A. and Steuart, C., 2014. Guide to Computer Forensics and Investigations. 5th ed. Boston: Cengage Learning.

EC-Council, 2016. Computer Forensics: Investigating Data and Image Files (CHFI). 2nd, illustrated ed. Boston: Cengage Learning.

Janczewski, L. J., Wolfe, H. B. and Shenoi, S., 2013. Security and Privacy Protection in Information Processing Systems: 28th IFIP TC 11 International Conference, SEC 2013, Auckland, New Zealand, July 8-10, 2013, Proceedings. Illustrated ed. Berlin: Springer.

Optisnick, T. M., 2017. Using Computer Forensics to Investigate Employee Data Theft. [Online] Available at: https://www.lawjournalnewsletters.com/2017/04/01/using-computer-forensics-to-investigate-employee-data-theft/?slreturn=20180305060349 [Accessed 4 April 2018].
