DF Assessment-1 Final
DIGITAL FORENSICS
CSE4004
Lab Assessment-1
TOPIC: Personal Data Theft and Cyber Extortion
TEAM DETAILS:
IDENTIFICATION
Initially we state and list all the details, goals and evidence to be gathered with respect to
the given scenario. This includes the personnel involved in the scenario, from the perpetrators
to the victims.
Secondly, we gather the time and place of the crime and establish what exactly took place
according to the timestamps. This makes the task of tracing back the steps of the crime easier.
As the process continues, the team uses the various tools to gather information on how the
crime occurred and on the weak links in the company (technical or human). This gives a better
idea of how to navigate the case efficiently. Collecting all the evidence is crucial.
Initial survey of the crime scene and the FIR registered revealed the following:
COLLECTION
The scene of this cybercrime contains not only physical evidence but also the digital devices
used by the perpetrators. We first make sure the scene and the devices used are not touched and
that all the information is properly documented.
With the help of the team's prime investigator, we then analyse the intricacies of the crime
scene: the digital devices used, the kind of tools involved, the operating systems they ran, etc.
As noted during the identification step, we must recover detailed information ranging from the
IP addresses of the email senders to the location and timestamps of the emails, along with the
email send and receive logs. The stolen company data must be probed for in the hard drives of
the recovered devices, and traces of other data that could broaden the scope of the
investigation must be collected.
PRESERVATION
To avoid complications in the later stages of the investigation, the team makes sure that all
physical, online and logical evidence is carefully and safely preserved. This guarantees that
the evidence is not modified, so nobody can manipulate the investigation process. It requires
quick preservation of the data and documentation of all the physical evidence as well.
Electronic safety (anti-static) bags are used so that no electronics are damaged by static
electricity when handled. Labelling each piece of evidence with a short description helps sort
the evidence and ensures delicate items are well preserved and sorted according to their
categories.
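As an added illustration of the preservation step (example code written for this report, not part of any tool listed below), the following Python builds a labelled evidence manifest with SHA-256 hashes and re-verifies it so that any later modification is detected; the evidence labels, descriptions, examiner name and the temporary files it hashes are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-GB disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(items, examiner):
    """items: list of (label, description, path); mirrors the physical evidence tags."""
    return {
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": [
            {"label": lbl, "description": desc, "file": os.path.basename(p),
             "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for lbl, desc, p in items
        ],
    }

def verify_manifest(manifest, directory):
    """Re-hash every item: label -> True if unchanged, False if altered or missing."""
    result = {}
    for e in manifest["evidence"]:
        p = os.path.join(directory, e["file"])
        result[e["label"]] = os.path.exists(p) and sha256_file(p) == e["sha256"]
    return result

def demo():
    """Constructed evidence set: two random files stand in for the seized images."""
    d = tempfile.mkdtemp()
    items = [("EV-01", "Laptop HDD image (constructed)", os.path.join(d, "laptop.img")),
             ("EV-02", "Phone 1 extraction (constructed)", os.path.join(d, "phone1.bin"))]
    for _, _, p in items:
        with open(p, "wb") as f:
            f.write(os.urandom(4096))
    manifest = build_manifest(items, "examiner-name-placeholder")
    before = verify_manifest(manifest, d)      # all items intact
    with open(items[0][2], "ab") as f:
        f.write(b"x")                          # simulate tampering with EV-01
    after = verify_manifest(manifest, d)       # EV-01 now fails verification
    return before, after
```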
EXAMINATION
The collected evidence and the other details of the crime scene, including the modus operandi
of the operation, are to be thoroughly examined. The evidence is probed to recover details such
as the IP addresses, location, send and receive logs, timestamps and email IDs of the sender of
the extortion emails. The type and amount of personal data stolen from the company database
must also be examined.
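As an added example of the header artefacts that the collection and examination steps recover from an extortion email (code written for this report, not taken from Xplico or any other tool listed below), the Python below walks the Received chain of a constructed message to pull out the originating IP, the per-hop timestamps, the sender address and the Message-ID; every host, address and IP in it is made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed raw extortion e-mail as it would be pulled from a mail archive;
# every host, address and IP below is invented for this example.
RAW_EMAIL = """\
Received: from relay.freemail.example (relay.freemail.example [198.51.100.7])
\tby mx.victim-corp.example with ESMTPS id XyZ789;
\tTue, 14 Mar 2023 09:15:40 +0530
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.freemail.example with ESMTPA id Qq11;
\tTue, 14 Mar 2023 09:15:37 +0530
From: "anon" <blackmail@freemail.example>
Message-ID: <20230314091530.1234@freemail.example>

Pay or we publish.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_chain(msg):
    """Relays prepend Received headers, so reading bottom-up gives the path
    oldest-first; hop 0 is the host nearest the sender (and only as reliable
    as the relay that recorded it, so corroborate with the server logs)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())              # unfold continuation lines
        ips = IP_RE.findall(hdr)                 # first bracketed IP = 'from' host
        ts = None
        if ";" in hdr:                           # timestamp follows the last ';'
            try:
                ts = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append((ips[0] if ips else None, ts.isoformat() if ts else None))
    return hops

def trace_origin(raw):
    """Summarise the header artefacts an examiner records for one message."""
    msg = message_from_string(raw)
    hops = hop_chain(msg)
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "message_id": msg.get("Message-ID"),
        "hops": hops,
        "origin_ip": hops[0][0] if hops else None,
        "first_seen": hops[0][1] if hops else None,
    }
```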
ANALYSIS
Evidence and facts that are collected and documented properly pave the way for a smooth
analysis of the case. It is evident here that the extortion of company employees was made
possible by data stolen from the company database, and was carried out through blackmail using
self-destructing emails.
The case files, along with the evidence, are to be presented to the court so that a proper
sentencing hearing can be carried out. The team must prepare and present to the court a report
that lists the order of events that occurred, the crimes and violations at each step, and the
evidence for each. The evidence must be tagged and labelled according to the accepted norm.
TOOLS
A) For data loss prevention (DLP): These tools help in forensic analysis; however, they
need to be installed on the system before the incident occurs. They prevent data leakage
or data breach incidents. They combine tools to monitor data and to archive it
collectively, either on cloud storage or on local storage. Companies and businesses also
need to employ them in their work environment to monitor any possible malicious,
unintended or accidental threat activity.
2) CoSoSys Endpoint Protector: This is also a tool that provides DLP solutions and
prevention in a work environment, and it specializes in cloud storage.
3) Symantec Data Loss Prevention: This tool enforces policies and rules that
enhance threat protection and data encryption.
4) Comodo MyDLP: This tool provides detailed predefined access control rules
along with full DLP solutions.
B) For data recovery and incident analysis: These tools help in the digital forensics after
the incident (data breach or leakage) has occurred. Some of them act as forensic toolkits
(FTKs) containing many modules required for a thorough cyber forensic analysis; however, they
usually specialize in one aspect more than the others, which makes them ideal in certain
situations. For example, Oxygen Forensic Tool is an exceedingly popular mobile and smartphone
data analysis tool, and it is required in this case to identify and extract evidence from
smartphones.
1) EnCase: This is a powerful forensics tool that helps collect evidence from a wide range
of device types, with detailed information on the files and registry entries of the device
for further analysis.
2) Bulk Extractor: This is an extremely popular and powerful tool to assess and analyse
storage for all types of critical files, registry entries and much more in detail. Paired
with EnCase, this tool can help contain and nullify the data breach and quickly prevent
further breaches.
3) SolarWinds MSP Mail Assure: Cloud-based email security storage for all incoming and
outgoing mail in a company environment. This tool archives all emails, including
self-destructing ones once they are opened, as it includes real-time monitoring of the
activity on employee devices.
4) Oxygen Forensic Tool: This is a powerful mobile forensic tool with built-in analytics
and a cloud extractor. It helps gather evidence from smartphones and even from their cloud
recovery and backup storage. It offers a very user-friendly interface for extracting the
required evidence from the analysis of smartphone data.
5) Autopsy: A tool that provides all the modules necessary for a thorough digital forensic
analysis and data recovery. It is the graphical user interface (GUI) for The Sleuth Kit,
used for forensic analysis. It is used by law enforcement, military and corporate
examiners to investigate what happened on a computer.
6) Xplico: This cyber forensic tool helps identify internet traffic. It can also extract
the necessary details and credentials from an email and, when paired with some external
modules, track and trace the IP address and even the geographical coordinates from which
the email originated.
The tools useful for our investigation can be further classified as follows:
With regard to our case scenario, the roles of the tools are as follows:
Xplico and SolarWinds MSP Mail Assure: to trace and track the blackmailing emails that were
sent. Even though these emails were self-destructing, once they are opened SolarWinds captures
and archives their data.
Bulk Extractor and Autopsy: used for data extraction and deep analysis to find any data that
has been leaked and to recover it. We use these on the laptop obtained as evidence.
Oxygen Forensic Tool: in a similar manner to Bulk Extractor and Autopsy, this tool is
specialized for smartphones and for gathering evidence from them. As we have gathered 2
mobile phones, this tool will be useful.
INVESTIGATION FORM