Answer To: 2 You have been tasked with the seizure, acquisition and analysis of a workstation computer (Windows...
Robert answered on Dec 23 2021
Running Head: COMPUTER FORENSIC INVESTIGATION PROCESS 1
Computer Forensic Investigation Process
Name of the Student
Name of the University
Name of the Course
Computer Forensic Investigation Process
Submitted to:
Professor: Name of your professor
Date: Sep 9, 2013
Abstract
The negative side of the growth of information technology is the rising rate of cybercrime. Cybercrime is committed with digital data, and digital evidence is required to prove the incident. A forensic investigation executed in a planned and accurate way is essential to testify to the cybercrime in the courtroom. This paper presents an effective approach that a forensic expert should follow to prove a cybercrime incident. The report describes the complete process, starting from creating a plan for processing the potential crime or incident scene. A fully detailed explanation is given of the steps that need to be taken before conducting the actual seizure of the computer and attached devices.
Computer Forensic Investigation Process
Introduction
The purpose of this paper is to show how to seize a computer from a crime scene. With computers, things get a bit trickier: you have to secure the information on the machine, not just the physical equipment.
Information on a computer is volatile. It changes continuously. Simply clicking the mouse at the wrong point could close a window, destroying evidence of what the user was doing. Shutting down a system could trigger a script written by the suspect that erases all of the suspect's incriminating files. This paper describes the correct procedures to follow in order to avoid such problems.
Information on a computer is also hidden. It is not evident or obvious. The user may believe that the information is deleted, but this is not necessarily true; it may not be gone. Indeed, deleted files can often be recovered.
Computer forensic science is, all in all, remarkable. It can uncover seemingly undetectable information. However, for this to be possible, the agent who seizes the computer from a crime scene must be exceptionally careful not to destroy any information.
Chain of Custody
A chain of custody is required to record everything that happens to the computer evidence. The term "chain of custody" refers to documentation that records every change in the control, handling, ownership, possession, or custody of an item. You have to be able to follow the
trail that evidence takes from the moment you collect it until the time it is presented in court or at a corporate proceeding.
When seizing equipment, the machine is tagged with an evidence tag that records the date and time, your name, the case number, where you found the item, other facts significant to the case, and further data depending on the policies and procedures of your investigative team. After you tag the evidence, you bag it and hand it over to an evidence custodian. Some specialists call this process "bagging and tagging."
NOTE: An evidence custodian is the person responsible for archiving, transporting, and preserving all evidence. The evidence custodian ensures that evidence is securely transported to an evidence locker, a locked repository for items associated with pending cases.
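The tagging and custody-transfer procedure described above, as an added example that is not part of the paper: a Python chain-of-custody log in which the evidence tag carries the SHA-256 of the acquired image and each transfer record commits to the hash of the previous record, so a later edit to any record, or a swapped image, is detectable. All names, case numbers and timestamps are constructed.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(record: dict) -> bytes:
    # Stable serialisation so an unchanged record always hashes to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def evidence_tag(case_no, item_id, location, collector, collected_at, image: bytes) -> dict:
    """The evidence tag: what goes on the bag, plus the hash of the acquired image."""
    return {"case_no": case_no, "item_id": item_id, "location_found": location,
            "collected_by": collector, "collected_at": collected_at,
            "image_sha256": sha256_hex(image)}

def add_transfer(tag: dict, chain: list, released_by, received_by, purpose, at) -> dict:
    """Append one custody transfer; each entry commits to the previous entry (or the tag)."""
    prev = chain[-1]["entry_hash"] if chain else sha256_hex(canonical(tag))
    entry = {"prev_hash": prev, "released_by": released_by, "received_by": received_by,
             "purpose": purpose, "at": at}
    entry["entry_hash"] = sha256_hex(canonical(entry))
    chain.append(entry)
    return entry

def verify_chain(tag: dict, chain: list, image: bytes) -> bool:
    """True only if the image still matches the tag and no entry was altered or dropped
    from the middle of the log (loss of the final entry needs the custodian's copy of its hash)."""
    if sha256_hex(image) != tag["image_sha256"]:
        return False
    expected_prev = sha256_hex(canonical(tag))
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != expected_prev or sha256_hex(canonical(body)) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return True

def demo() -> tuple:
    """Constructed sample: tag, two transfers, then a tampered record. Returns (ok_before, ok_after)."""
    image = b"constructed sample of an acquired disk image"
    tag = evidence_tag("CASE-0001", "ITEM-07", "desk in office 4B", "J. Doe",
                       "2013-09-09T10:15:00Z", image)
    chain = []
    add_transfer(tag, chain, "J. Doe", "evidence custodian", "intake to locker", "2013-09-09T11:00:00Z")
    add_transfer(tag, chain, "evidence custodian", "forensic analyst", "analysis", "2013-09-10T09:00:00Z")
    ok_before = verify_chain(tag, chain, image)
    chain[0]["received_by"] = "unknown"   # someone edits the intake record after the fact
    return ok_before, verify_chain(tag, chain, image)
```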
Lawfully Seizing Computer Evidence
For evidence to be admissible in a court of law it must be lawfully acquired. In the U.S., do not seize a computer unless you have a search warrant. A forensic investigator can seize digital evidence only under legal authority (Oppenheimer); therefore a proper warrant is required to seize digital evidence.
Ahmad (2002) proposes a forensic chain-of-evidence model that covers various sources, including access control logs, source operating system event logs, network application logs, network traffic logs, and the target's operating system log (Ahmad).
Log files and system registries should be examined for suspicious activity. Log files record activities such as who accessed a file, at what time, and what changes were made to it.