Reference no: EM132998677

Project

Purpose

The purpose of this project is to provide an opportunity for students to apply forensic investigation competencies gained throughout this course.

Deliverables
Please choose FOUR OPTIONS Out of the SIX (OPTION 1 is mandatory) from the following six options and complete the report for your chosen four options.
Option 1: Preparing for a Forensic Investigation
Option 2: Analyzing an E-mail Archive for an Electronic Discovery Investigation
Option 3: Analyzing Evidence from Mac OS X
Option 4: Private Investigation Firms Offering Digital Forensics Services
Option 5: State-of-the-art Equipment for Digital Forensics Lab
Option 6: Data Recovery Plan
The following tools and resources will be needed to complete this project (They are found in the virtual lab access that accompanies the textbook)
• Course textbook
• Internet access
• Computer with Paraben P2 Commander/E3 installed
• Outlook.pst (an e-mail archive file)
• JSmith.img (Mac OS image file)

Option 1: Preparing for a Forensic Investigation
Scenario
You are an employee at D&B Investigations, a firm that contracts with individuals, companies, and government agencies to conduct computer forensics investigations. D&B employees are expected to observe the following tenets, which the company views as the foundation for its success:
• Give concerted attention to clients' needs and concerns.
• Follow proper procedures and stay informed about legal issues.
• Maintain the necessary skill set to apply effective investigative techniques using the latest technologies.
Your manager has just scheduled a meeting with an important prospective client, and she has asked you to be part of the team that is preparing for the meeting. The prospective client is Brendan Oliver, a well-known celebrity. Last night, Mr. Oliver's public relations team discovered that someone obtained three photos that were shot on his smartphone, and tried to sell the photos to the media. Due to the sensitive nature of the photos, Mr. Oliver and his team have not yet contacted law enforcement. They would like to know if D&B can provide any guidance or support related to the investigation-or, at the very least, if D&B can help them prevent similar incidents from occurring in the future. At this time, they do not know how the photos were acquired. The public relations team is wondering if a friend, family member, or employee could have gained direct access to Mr. Oliver's phone and obtained the photos that way, although the phone is usually locked with a passcode when Mr. Oliver is not using it. In addition, Mr. Oliver e-mailed the photos to one other person several months ago; he has not spoken with that person in the last few weeks, but he does not believe that person would have shared the photos with anyone else.
Your manager plans to use this initial meeting with Mr. Oliver and his public relations team to establish rapport, learn more about the case, and demonstrate the firm's expertise. The company sees this as an opportunity to build future business, regardless of whether they are retained to help with the investigation of this case.

Tasks
To help the team prepare for the meeting, your manager asks you (and your colleagues) to consider and record your responses the following questions:
• What is the nature of the alleged crime, and how does the nature of the crime influence a prospective investigation?
• Based on the limited information provided in the scenario, what is the rationale for launching an investigation that uses computer forensic activities? Would D&B and/or law enforcement need additional information in order to determine if they should proceed with an investigation? Why or why not?
• What would you share with the client about how investigators prepare for and conduct a computer forensics investigation? Identify three to five key points that are most relevant to this case.
• What sources of evidence would investigators likely examine in this case? Provide concrete examples and explain your rationale.
• What should the client, investigators, and others do-or not do-to ensure that evidence could be used in a court of law? Using layman's terms, explain laws and legal concepts that should be taken into account during the collection, analysis, and presentation of evidence.
• What questions and concerns do you think the client will have?
• What questions should the team ask the client to learn more about the case and determine the next steps?

Option 2: Analyzing an E-mail Archive for an Electronic Discovery Investigation
Scenario
D&B is conducting a very large electronic discovery (eDiscovery) investigation for a major client. This case is so large that dozens of investigators and analysts are working on specific portions of the evidence in parallel to save time and improve efficiency.
Since this is the first time you will be working on this type of investigation for D&B, your manager gives you a "test" (a sample e-mail archive) so she can assess whether you need additional training before you begin working with the rest of the team on the eDiscovery case. Your manager tells you that this archive was extracted from a hard drive image marked "suspect," but at present nothing more is known about the user. She expects you to examine the archive and document all findings that might be of interest to a forensic investigator. She explains that she will use your report to evaluate your investigation skills, logic and reasoning abilities, and reporting methods.

Tasks
• Review the information about e-mail forensics and the Paraben P2 Commander/E3 E-mail Examiner feature in the chapter titled "E-mail Forensics" in the course textbook.
• Using the P2 Commander/E3 E-mail Examiner, create a case file, select Add Evidence, and import the e-mail archive (filename: Outlook.pst). P2 Commander/E3 will automatically begin sorting and indexing if you choose that option.
• Search for information about the user; your goal is to learn as much as possible about who the user is and what he or she has been doing. You may find evidence in the inbox or other mailboxes. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting attachments.
• Write a report in which you:
o Document your investigation methods.
o Document your findings. Explain what you found that may be of interest to a forensic investigator, and provide your rationale for including each selection.

Option 3: Analyzing Evidence from Mac OS X
Scenario
Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The company's senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response team went on-site, began monitoring the network, and isolated several suspects. They captured forensic images from the machines the suspects used. Now, your team leader has asked you to examine a forensic image captured from a suspect's computer, which runs the Mac OS X operating system. The suspect's name is John Smith, and he is one of the company's research engineers.

Tasks
• Review the information on the Mac OS X file structure provided in the chapter titled "Macintosh Forensics" in the course textbook.
• Using Paraben P2 Commander/E3, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).
• Sort and review the various directories within the Mac OS X image. Look for evidence or indicators that John Smith was or was not committing corporate espionage. This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.
• Write a report in which you:
o Document your investigation methods.
o Document your findings. Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidence that John Smith was or was not committing corporate espionage.
o Analyze the potential implications of these findings for the company and for a legal case.

Option 4: Private Investigation Firms Offering Digital Forensics Services
Scenario
There was a time that if you wanted to work in digital forensics you had to work for the FBI Crime Lab. There are many more options now. A number of private investigation firms offer digital forensics services, each with different focuses and varying qualifications.

Tasks:
• Research three private investigation firms that offer digital forensics services.
• Describe each company.
• Describe the services each one provides.
• Describe each firm's clients.
• Describe the qualifications/certifications each firm holds.

Option 5: State-of-the-art Equipment for Digital Forensics Lab
Scenario
You have been working for the DigiFirm Investigation Company for several months. The company has a new initiative to continually improve its processes.
Technology changes quickly. Therefore, companies need to change their procedures frequently to stay abreast of new developments. Organizations such as the National Institute of Justice and the FBI offer up-to-date recommendations on best practices.
There is a meeting scheduled for next week to talk about best practices in collecting digital evidence using state-of-the-art equipment in forensics lab.

Tasks:
• Choose three examples of software or state-of-the-art equipment that would benefit the forensics lab and write a proposal that covers:
o Your three choices.
o The reasons for choosing them.
o The benefits and limitations (if any) of each choice.
o Best practices in collecting digital evidence

Option 6: Data Recovery Plan
Scenario
You are an employee of DigiFirm Investigation Company. You received a call from Bill, an engineer at Skyscraper, Inc., a large commercial construction company. Bill reported that a disgruntled employee reformatted a hard disk that contained valuable blueprints for a current job. The computer is an ordinary laptop that was running Windows 7. No backup is available, and Bill wants the data to be recovered.
You can use a few built-in tools to recover deleted files from a Windows 7 operating system. There are also third-party tools that might be helpful. Before beginning any data recovery endeavor, it's a good idea to research your options and plan your approach.

Tasks:
• Research, identify, and list the appropriate steps for recovering data from a reformatted hard disk.
• Write a report that includes a data recovery plan outline, listing the steps to be performed in recovering the data in the order of importance.

Attachment:- Forensic project Report.rar