Identify the requirements for acquiring and authenticating evidence
Q1: (5 points) Identify the requirements for acquiring and authenticating evidence. Different kinds of cases go through different processes. It is important that the investigator manage e-evidence throughout this process. Consider the do’s and don’ts of managing e-evidence and respond to the following:
• Explain how to manage e-evidence throughout the life-cycle of a case so that it is admissible in court or can be used for legal action.
• List two reasons why e-evidence might be inadmissible.

Q2: (5 points) Discuss at least 3 methods that can be used to hide data and three approaches to recovering that hidden data.

Q3: (5 points) Discuss some of the content found within an email header that can be useful in an investigation.

Q4: (5 points) Discuss at least 3 challenges associated with performing a forensics investigation on a mobile device.

Q5: (5 points) Discuss the role that volatility plays in a digital forensics investigation. What would be the most volatile data?

Q6: (15 points) Read the following scenario and respond to the questions below:
As a digital forensics examiner, you have been called to the scene of a kidnapping. Several witnesses have told the investigator that the victim was very excited about a new person they met online. Your job at the scene as a digital forensics examiner is to recommend to the investigating officer a course of action as to what digital evidence may or may not be needed to investigate this crime.
• Provide a list of potential digital evidence that the investigator is going to want to seize for possible forensic examination. Be thorough, as the lead investigator in this case is not computer savvy.
• What additional sources of evidence might there be besides the digital equipment and media that would have been seized? How would you gain access to this evidence?
• Describe how you will maintain the collected evidence.
• What will you do to prepare for presenting this evidence in court?
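The integrity half of Q1 and the "maintain the collected evidence" item of Q6 come down to the same mechanics: hash every acquired item at the moment of acquisition, write that hash into a chain-of-custody record alongside who handled it and when, and re-hash before every examination and before court. The script below is an added illustration written for this page, not part of the assignment or any course material. The evidence id E001, the examiner name, and the image contents are all constructed placeholders; the hashing and the verify-before-use step are the real technique.

```python
"""Evidence integrity and chain-of-custody bookkeeping for an acquired image."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read large images in 1 MiB pieces


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests. Both are recorded because older
    tooling and existing exhibit labels often still quote MD5."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Stream a file through MD5 and SHA-256 without loading it into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def custody_entry(evidence_id: str, path: str, examiner: str, action: str, note: str = "") -> dict:
    """One chain-of-custody record: who did what to which item, when, and the
    hashes observed at that moment."""
    return {
        "evidence_id": evidence_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "note": note,
        "size_bytes": os.path.getsize(path),
        **hash_file(path),
    }


def verify_against_log(path: str, log: list, evidence_id: str):
    """Re-hash an item and compare with the SHA-256 recorded at acquisition.
    Returns (ok, current_sha256, recorded_sha256)."""
    acquired = next(e for e in log
                    if e["evidence_id"] == evidence_id and e["action"] == "acquired")
    current = hash_file(path)["sha256"]
    return current == acquired["sha256"], current, acquired["sha256"]


def run_demo() -> dict:
    """Constructed walkthrough: acquire a fake image, log it, verify the untouched
    copy, then verify again after one byte has been altered."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "phone_E001.bin")
        with open(image, "wb") as fh:  # constructed sample content, not a real image
            fh.write(b"sample evidence image " * 4096)
        log = [custody_entry("E001", image, "J. Examiner", "acquired",
                             "imaged from write-blocked device")]
        log.append(custody_entry("E001", image, "J. Examiner", "sealed",
                                 "hash written on bag label"))
        ok_before, *_ = verify_against_log(image, log, "E001")
        # Simulate tampering or a media fault: change one byte in the working copy.
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        ok_after, *_ = verify_against_log(image, log, "E001")
        return {"log": log,
                "verified_before": ok_before,
                "verified_after": ok_after,
                "log_json": "\n".join(json.dumps(e) for e in log)}


if __name__ == "__main__":
    result = run_demo()
    print(result["log_json"])
    print("verified before tamper:", result["verified_before"])
    print("verified after tamper :", result["verified_after"])
```

The log is written as one JSON object per line so it can be appended to without rewriting earlier entries; in practice the examiner also signs or timestamps the log itself, since an unprotected log proves nothing about who could have edited it.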
Q7: (15 points) In August 2008, 11 people were charged with the theft of more than 40 million credit and debit card numbers from T.J. Maxx, Marshall’s, Barnes & Noble, OfficeMax, and other major retailers. Masterminded by computer hacker Albert Gonzalez, the case remains one of the largest frauds of credit card information in history. The Heartland case was similar to the TJX case. Between 2007 and 2009, the data breach involved Heartland Payment Systems, the fifth largest credit card processor in the United States. During that time, Gonzalez and co-conspirators gained access to information associated with millions of credit cards by exploiting a network vulnerability. Both cases, Heartland and TJX, involved the theft of over 130 million credit and debit card numbers, making it the biggest computer crime case ever prosecuted in the United States.
Question: You are the CISO of a Fortune 500 company here in the U.S. Your company uses customer credit card information to process millions of orders every year, both online and via traditional marketplace venues. You have information that, based on recent Equifax breaches, your secure database has been breached and customer credit card data may have been stolen. You are meeting with a Digital Forensics investigator who has been hired to assess the incident and report back to you with their findings. Detail the following:
1. Needs for the DF investigation: why did you bring in the investigator?
2. The forensic process you want followed, including data collection (detail possible sources of data), examination, analysis, and reporting.
3. List and describe the type(s) of information, and its relevance to this case, from each of the following: data and data files, Operating Systems (Windows 10, Windows Server 2012, and Ubuntu Linux), network traffic, applications, and email and services.
*Include all resources used, as well as referencing the TJX and Heartland cases.*

Q8: (15 points) In August 2017, a Wisconsin woman captured after living under an alias for 16 years was sentenced Tuesday to 14 years in prison for kidnapping an Allen Park woman in 2000. FBI agents mining social media discovered Kimberly Lee Johns last year in Marathon County, Wis., where she was living under the name Kim McGuire. She had escaped a halfway house in 2000 while awaiting trial in federal court in Detroit. During the trial, defense attorneys asked to submit numerous emails (dated between 1999 and 2000), arguing that they contained personal, intimate, and sexual details of the couple’s relationship and therefore showed a consensual relationship between the parties. The Government challenged their admissibility on the basis of authenticity, hearsay, relevancy, and Fed. R. Evid. 403.
Question: The conviction has been appealed, and you are a Digital Forensic investigator who has been hired by Johns’s attorney to provide a report that can be submitted to the Federal court detailing the tools and techniques that can be used to authenticate email messages from the time period. Provide two possible situations: with or without a legal subpoena to access data from the email providers. Keep in mind that this is a Federal criminal case, and therefore your report needs to be professionally written and note any legal protocols or cases that might impact this appeal.
Reference: https://www.leagle.com/decision/infdco20170314e33

Q9: (15 points) In December 2013, a serial con artist pleaded guilty to Bank Fraud and Identity Theft. According to the plea agreement, the ‘con artist’ committed crimes from at least as early as July 2011 through May 2013, when she was finally arrested. Over a period of two years, and at least 58 times, the criminal defrauded banks and individuals.
As part of her scheme she would approach people, usually at ATMs, and give them a sad story about her need to cash a check and her inability to deposit the check into her bank account. She would convince her victims to deposit the checks, which were worthless, into their own account and then withdraw funds, sometimes giving them $100 for their trouble. The fake checks were generally drawn on closed accounts, because the checks had been stolen or were from the accounts of deceased individuals. When she was arrested on failure-to-appear warrants in May 2013, some of the items recovered included a checkbook, stolen from a purse at a local mall, along with the victim’s Driver’s License, Social Security card, a Visa card, and a bank debit card.
Question: You are a Digital Forensic investigator who has been hired by the attorney for the convicted party. The attorney tells you that the case is under appeal based on the argument that the ‘con artist’ was coerced to confess. The attorney also gives you a cellphone belonging to his client and asks you to run a thorough examination of the mobile device to extract any data that may be important to this case. Detail the steps you would take in your investigation, starting with taking possession of the mobile device.
Reference: https://www.justice.gov/usao-mdfl/pr/serial-con-artist-pleads-guilty-bank-fraud-andaggravated-identity-theft

Q10: (15 points) Your best friend from college just contacted you, asking for help based on your knowledge and skills in Digital Forensics. Your friend tells you that their Sony PlayStation Network (PSN) account has been hacked and all funds in their PSN wallet are gone. In addition to having had over $100 in gift card funds in their PSN wallet, he tells you that he also had saved his credit card information on his system and is fearful that more money may be stolen.
After talking to your friend, you discover that he did have a unique password for this account, did not share his account information with anyone, and does play multi-player games with friends online. He tells you that he became aware of the intrusion when he received emails from Sony confirming purchases (which he did not make). When he looked at his system following the emails, he found that his consoles/devices had been removed from the account and others had been added. Upon contacting Sony, this was their response: “In relation to the transactions you recently flagged as unauthorized, our investigation concluded that the serial number of the console on which these transactions were made does not match the serial number of the console you provided to us on your original call. Regrettably, as stated in the PlayStation Network Terms of Service, we are unable to offer a refund for purchases made on PlayStation Store unless the content is found to be defective. We have taken the appropriate action against the console which made the purchase but unfortunately we cannot share the details of this console with you for security purposes.”
Question: Provide a detailed description of the steps you would take to help your friend. Approach the scenario like a DF investigator and identify any possible sources of relevant information as well as how you would go about retrieving and analyzing the data.
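Q3 asks what an email header offers an investigation, and Q8 and Q10 both turn on whether particular emails can be trusted. The fields that matter are the Received chain (read bottom-up to get transit order, giving the originating host and each relay's timestamp), Message-ID, Date, From versus Return-Path, the X-Mailer string, and any Authentication-Results or DKIM-Signature. The parser below is an added example written for this page, not part of the assignment; the message it parses is constructed, with documentation-range addresses, and the consistency checks are the ones an examiner would have to explain before relying on the header, not a verdict on authenticity.

```python
"""Pull the investigation-relevant fields out of an RFC 5322 email header block."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; hosts and addresses are documentation ranges.
SAMPLE_RAW = """\
Return-Path: <sender@example.net>
Received: from mail.example.net (mail.example.net [198.51.100.7])
        by mx.example.org (Postfix) with ESMTPS id 4Fz1c2
        for <victim@example.org>; Mon, 14 Feb 2000 09:12:05 -0500
Received: from [192.0.2.23] (unknown [192.0.2.23])
        by mail.example.net (Postfix) with ESMTP id 3Ax9
        for <victim@example.org>; Mon, 14 Feb 2000 09:11:48 -0500
Authentication-Results: mx.example.org; dkim=none; spf=pass smtp.mailfrom=example.net
Message-ID: <20000214141148.3Ax9@mail.example.net>
Date: Mon, 14 Feb 2000 09:11:40 -0500
From: "A. Sender" <sender@example.net>
To: victim@example.org
Subject: hello
X-Mailer: Outlook Express 5.00

body text
"""

# "from <host> (<reverse-dns [ip]>) ... by <host>": the minimum each relay should record.
RECEIVED_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<src_info>[^)]*)\))?.*?\bby\s+(?P<dst>\S+)", re.S)


def received_chain(msg) -> list:
    """Return the Received hops in transit order. The header block lists the
    newest hop first, so the list is reversed; each hop gets a parsed timestamp."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
        hops.append({"from": m.group("src") if m else None,
                     "from_info": m.group("src_info") if m else None,
                     "by": m.group("dst") if m else None,
                     "time": stamp})
    return hops


def summarize(raw: str) -> dict:
    """Extract the fields an examiner records for each message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    hops = received_chain(msg)
    return {
        "message_id": (msg.get("Message-ID") or "").strip("<> "),
        "from": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "date": parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None,
        "x_mailer": msg.get("X-Mailer"),
        "auth_results": msg.get("Authentication-Results"),
        "has_dkim": "DKIM-Signature" in msg,
        "hops": hops,
        "originating_host": hops[0]["from"] if hops else None,
        # Seconds between consecutive relays; negative values mean clocks disagree.
        "hop_seconds": [(b["time"] - a["time"]).total_seconds()
                        for a, b in zip(hops, hops[1:]) if a["time"] and b["time"]],
    }


def consistency_flags(info: dict) -> list:
    """Observations that must be explained before the header is relied upon."""
    flags = []
    from_domain = info["from"].rsplit("@", 1)[-1].lower() if info["from"] else ""
    rp_domain = info["return_path"].rsplit("@", 1)[-1].lower() if info["return_path"] else ""
    mid_domain = info["message_id"].rsplit("@", 1)[-1].lower() if "@" in info["message_id"] else ""
    if from_domain and rp_domain and from_domain != rp_domain:
        flags.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if mid_domain and from_domain and not mid_domain.endswith(from_domain):
        flags.append(f"Message-ID domain {mid_domain} is not under From domain {from_domain}")
    if info["date"] and info["hops"] and info["hops"][0]["time"]:
        skew = (info["hops"][0]["time"] - info["date"]).total_seconds()
        if skew < -300 or skew > 86400:
            flags.append(f"Date header is {skew:+.0f}s from the first Received hop")
    if any(d < 0 for d in info["hop_seconds"]):
        flags.append("Received timestamps go backwards between hops")
    if not info["has_dkim"]:
        flags.append("no DKIM-Signature: content cannot be cryptographically tied to the sending domain")
    return flags


if __name__ == "__main__":
    info = summarize(SAMPLE_RAW)
    for hop in info["hops"]:
        print(f"{hop['time']}  {hop['from']} ({hop['from_info']}) -> {hop['by']}")
    print("originating host:", info["originating_host"], "| X-Mailer:", info["x_mailer"])
    for flag in consistency_flags(info):
        print("FLAG:", flag)
```

For mail from the period in Q8 the last flag is expected rather than suspicious, since DKIM did not exist then; that is exactly why authentication of such messages leans on provider records obtained by subpoena, on corroborating copies at both ends, and on the internal consistency of the Received chain rather than on a signature.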