CTEC3424 Network Forensics Assignment

Reference no: EM132870765

CTEC3424 Network Forensics - De Montfort University

Network Forensic Report

Learning outcome 1: Apply research based approach to forensic analysis;

Learning outcome 2: Analyse and interpret digital evidence from a variety of sources;

Learning outcome 3: Present findings to both executive and technical audiences;

Tasks to be undertaken:

In this coursework you are expected to:

1. Ensure evidence is preserved at all times - and prove it has been;

2. Analyse the artifacts to extract the evidence which can be used in court to prove the incident;

3. Go through the evidence and write a report to explain what was happening at the time the evidence was being captured;

4. Propose a plan to mitigate issues in the future;

5. Express the technical details in such a way that the non-technical executives can easily understand what has happened and the reasons behind the recommendations you make to ensure they can make an informed decision about the next actions to take to prevent future issues;

Background:
You have been hired by a local company to investigate an incident involving their computer network. Recently, the network admin of the IT department reported anomalous activity in the company's network, but his team is unable to investigate the network internally because they do not have expert staff in network forensics. You will be working as a Network Forensic Investigator for the duration of the assignment.

The network admin has been able to obtain a .pcap file for you to analyse. They have not been very helpful with the issues they are having, but they have found some strange files whilst they were looking around the network to try and work out what was going on, and have also provided them for you to analyse.

Initially the company plans to keep this entire matter internal; however, if evidence of a criminal nature is discovered during the course of the investigation, they are fully willing to take the matter to court. They therefore expect you to undertake the investigation from the beginning with the due care and attention that you would give a case presented to you as a criminal case from the start.

This means that you will need to keep everything confidential and you should not disclose anything to do with the investigation to anyone except the network admin. In particular, they have mentioned that, as they are unsure whether the issues are internal or external, you should not speak to anyone else within the company or building.

Notes:

1. You must write the report so that the executives of the company can understand what the issue is, or the issues are, and how they relate to the company problems they are experiencing. As the network executives are not as technical as we are, they will need items introduced then explained in clear non-technical UK English;

2. You will need to use the provided template for the report. Any specific proof should also be attached and indicated as such; however, it should not be in the main part of the report, as the network executive will hand that over to their lawyers and technical experts to deal with;

3. You will need to make sure you include enough detail so that should the investigation go to court, another specialist could follow your report and share the same findings as you did;

4. Don't forget you will still need to use Harvard referencing, make use of appendices, and MAKE SURE you are using UK English spellings throughout;

Case Description:
CheckThatItem is a local consultant agency that helps customers check the quality of items before they buy. Over the past couple of weeks, the agency's network has been experiencing several suspicious activities, including attempts at illegal access and attempts to bring its services down. The company executives have asked you to assist them with investigating the issues because they are not sure whether something is going on inside the network or whether it is actually coming from outside it. They have been receiving confusing and sometimes conflicting information from the IT team, and some of the details are so technical that it is hard to work out which bit is the problem or the solution, even when they have asked for clarification.

Suzan, the executive in charge of the IT team reported the following issues:

"We are having a lot of strange issues; however, the problems seem to be intermittent. The IT team maintain that they have no issues flagging up and the services are all up and running fine at their end. There also seems to be some file problems, items have been slow to open, or the files will not open at all."

CheckThatItem has requested your services in order to ascertain:

1. If there has been some sort of intrusion to their network;
a. If there has, did they get into the network;
b. What did they do if anything once inside - did they take anything or leave anything;

2. If there has been an inside incident, what has been done and who is involved;

3. A timeline of events;

4. If it looks like there is or has been any criminal activity or UK laws have been broken, the CheckThatItem executives will cooperate fully with the police on the matter, so they wish to be informed if this is the case, any proof of this activity will need to be collected and preserved as per usual guidelines.

5. If there is anything the company can do to help prevent future issues, particularly staff training and any software that you would recommend;

Attachment:- Network Forensics.rar
