FINAL PROJECT 6
When packaging the thumb drive, I would put it in a yellow manila shipping envelope or a similar non-transparent material. I would then place that package in bubble wrap lined with anti-static material. Next, I would seal the bag with evidence tape so that any tampering with the package is visible, and mark it as EVIDENCE. Finally, I would attach a custody sheet to the package as proof of the chain of custody.
Despite its small size, a thumb drive can contain a great deal of valuable information. A thumb drive has the capacity to hold an entire operating system, which can be used for malicious activities if the individual has knowledge of such systems; one such operating system is Kali Linux.
Consequently, I would instruct the lab to look for Kali Linux or similar operating systems. Moreover, I would ask them to look for software or programs that are used in pen testing or exploiting a network. If such are found, they could be valuable criminal evidence, as it raises questions as to why the individual had such software and programs. The lab should also look for any hidden files and folders and unhide them. Encrypted files and folders should also be decrypted, and any deleted files recovered.
As a forensics investigator, apart from Mr. Yourprop's immediate workspace, I would look for evidence in the copier and fax room. Mr. Yourprop may have produced hard copies of the intellectual property or even faxed it elsewhere. Next, I would investigate anybody who had direct and constant contact with Mr. Yourprop. For instance, one person to be investigated would be his girlfriend.
Her workplace should be thoroughly checked, as evidence could have been planted there either knowingly or unknowingly. Her workplace could contain evidence such as external hard disks, chats, emails and event logs. Some of the specific things to look out for would be any form of remote connection in the past, unauthorized software, and encrypted or hidden files and folders. Attention should be paid to the emails, chats and any other form of correspondence exchanged between the two parties, as it may detail what they were communicating about and may prove that the perpetrator had an accomplice or accomplices, since it is only fair to prosecute all the perpetrators.
In order to safeguard the thumb drive before creating a forensic image, it is essential to first secure it by controlling who has access to it. The best approach to securing the evidence is to store it in a security vault with video cameras as well as manned perimeter doors. The thumb drive should be stored in a controlled location protected from the outside environment, to avoid things such as water damage or a magnetic field, which could otherwise compromise the evidence. Only authorized personnel should have access to the drive, and even so they must log who accessed it and at what time.
It is very important to protect evidence, as any tampering with the evidence would compromise or destroy its integrity, which can jeopardize the whole case. The court can easily dismiss the evidence, the charges or even the entire case if there is any proof that the evidence was tampered with. Evidence should be closely monitored and documented in order to form a physical chain of custody.
For the investigation, one of the forensic toolkits that would be of particular use is the "Image MASSter Forensic Toolkit". The toolkit contains a variety of useful tools, but I would specifically use the tools meant for USB forensics. In this case, I would use the SysTools Pen Drive Recovery software. This software would be used to scan the USB device for any deleted files, which would help in recovering them. Another important tool would be X-Ways Forensics. This toolkit has many abilities, the most pertinent to this investigation being the ability to scan multiple HDDs and thumb drives for different file system formats, among them FAT32 and NTFS.
The third useful forensics toolkit is PlainSight, which is specific to USB. This toolkit has the ability to scan USBs to check for USB usage data and collect hard disk and partition information, in addition to helping view the internet history. If a forensics expert runs into a situation where malicious files were sent to them directly to make it appear they were in on the act as well, then it would be wise to bring in an additional investigator to validate the integrity of the investigation.
In digital forensics, hashing is important because it is used to uphold the integrity of forensic evidence so that it is admissible in court. Computer forensics uses MD5 and SHA-1 hashes to secure evidence, on the premise that if the hash has not changed, the data has not changed, and therefore the evidence has not been tampered with. If two files have the same hash value, it means they are exactly the same and have not been tampered with. Hashing can also be used to establish whether or not a copy of source code matches the original source code.
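As an added example that is not part of the original essay, the script below shows the hashing and chain-of-custody steps described above in working Python: it computes the MD5 and SHA-1 values the essay names (plus SHA-256, since collisions are publicly known for MD5 and SHA-1 and many labs now record a collision-resistant hash alongside them), re-verifies an image against the recorded values, and writes each hand-off as a custody log record. It assumes a constructed byte string standing in for the forensic image of the thumb drive; the item id, handler names and timestamps are likewise constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for the bytes of a forensic image of the thumb drive.
# A real image would be read from disk in chunks; the hashing logic is the same.
SAMPLE_IMAGE = b"FAT32 boot sector placeholder " * 64 + b"\x00" * 512

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images need not fit in memory


def hash_image(data, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the image bytes, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk = data[offset:offset + CHUNK_SIZE]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data, recorded_hashes):
    """True only if every recorded hash matches a fresh computation over the data.

    A single mismatch means the bytes differ from what was acquired, so the
    image can no longer be presented as an unaltered copy of the evidence.
    """
    current = hash_image(data, algorithms=tuple(recorded_hashes))
    return all(current[name] == recorded_hashes[name] for name in recorded_hashes)


def custody_entry(item_id, handler, action, hashes, when=None):
    """Build one chain-of-custody record: which item, who handled it, what they did,
    when (UTC), and the hash values they observed at that point."""
    when = when or datetime.now(timezone.utc)
    return {
        "item_id": item_id,
        "handler": handler,
        "action": action,
        "timestamp_utc": when.isoformat(),
        "hashes": hashes,
    }


def log_lines(entries):
    """Serialise custody entries as JSON lines, one per hand-off, for the custody sheet."""
    return [json.dumps(e, sort_keys=True) for e in entries]


if __name__ == "__main__":
    # Acquisition: hash the image once and record the values with the first custody entry.
    acquired = hash_image(SAMPLE_IMAGE)
    log = [custody_entry("THUMB-01", "examiner_a", "acquired image", acquired)]

    # Hand-off to the lab: re-hash before analysis and record the outcome.
    ok = verify_image(SAMPLE_IMAGE, acquired)
    log.append(custody_entry("THUMB-01", "lab_b",
                             "verified before analysis" if ok else "VERIFICATION FAILED",
                             acquired))

    # A single flipped byte is enough to break verification (constructed tampering).
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01

    print("original verifies:", ok)
    print("tampered verifies:", verify_image(bytes(tampered), acquired))
    print("\n".join(log_lines(log)))
```

Each custody record carries the hashes observed at that hand-off, so the sheet itself shows that every handler saw the same values from acquisition onward; if any re-verification fails, the record says so and the point in the chain where the bytes changed is visible.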
As a digital forensics investigator, it is my responsibility to report any and all legitimate crimes to the client and to all those affected by the criminal act. Despite the fact that each case is unique in one way or another, if any law is broken, then the case should be reported. Due to their severity, I would recommend that the crime be reported as required by law.
Legally, a qualified expert witness in digital forensics is a person who has the knowledge, expertise, training and experience in digital forensics. In this case, as an expert witness, I am trained to conduct a methodical and detailed investigation, in addition to being prepared to answer all questions asked to challenge or validate the case and the evidence. Training and experience are what differentiate a simple fact witness from an expert witness.
The question about being a "police hack" calls into question my integrity and credibility as a forensic investigator. Consequently, it is important to respond to it in a professional and unbiased manner. Therefore, I would first state that the evidence was collected professionally, stored professionally, has not been tampered with, and is accompanied by all the necessary paperwork. I would then substantiate these claims by presenting the recorded hash values as proof, in order to confirm the authenticity and integrity of the evidence. It would also be essential to clearly state that I am a professional and that I maintain my integrity by basing my reasoning strictly on the science of digital forensics and never on speculation.