Answer To: Case Study: Famous Financial Corporation As head of the Information Protection Department of Famous...
Robert answered on Dec 22 2021
Forensic Analysis
I. Introduction
This report analyses the incident and sets out the tools, techniques and legal considerations needed to conduct a thorough and discreet forensic investigation into the unauthorized money transfer that took place over the last four days. As head of the Information Protection Department, I have been instructed by my superiors to conduct this investigation covertly. The objective is to identify the person responsible for the act, or the parties who acted together to carry out this internal attack. Forensic analysis is the practice of lawfully establishing facts and collecting evidence so that they can be analysed and, if necessary, presented in a court of law. The term "forensic investigation" is applied to many kinds of crime, from financial fraud, as in our case, to murder.
II. Order of volatility
The forensic analysis of the organization's information system consists of gathering, processing, identifying, recovering, preserving, analysing and presenting the facts, the collected digital evidence, the investigation results concerning the unauthorized act, and the examiner's expert opinion. The more complete and accurate the gathered data, the more comprehensive and reliable the evaluation. In practice the original information has to be preserved in its pristine state and the investigation performed on a copy of it, so that the evidence is neither tampered with nor destroyed and the whole environment of the crime is retained. An exact copy of an entire system is, however, hard to obtain, for several reasons.
While data is being collected, other programs and users on the system may change its global state or erase important evidence. An intruder may also have planted booby-trap programs, electronic mines that destroy data when disturbed, and the system's own data and state change as it loads and runs.
Because of these issues, traditional forensic practice analyses systems that are not running at all: the machine is powered off, its storage is carefully imaged, and the investigation proceeds on the copy, so that access dates and times, the system configuration files and the system and application logs yield a non-repudiable chain of reasoning. The drawback is that shutting down destroys the most volatile evidence (memory contents, network connections, running processes), which in an internal attack may be exactly what ties an account to the transfer. The practical compromise is to isolate the system from the network first, then gather information from the still-running system according to its lifespan, most volatile first, and only then power it down and image the disks.
Data type                                  Lifespan
Registers, peripheral memory, caches       nanoseconds
Main memory                                nanoseconds
Network state                              milliseconds
Running processes                          seconds
Disk                                       minutes
Floppies, backup media, etc.               years
CD-ROMs, printouts, etc.                   tens of years
Table 1. Data's lifespan (order of volatility, most volatile first)
Collecting in this order gives the best chance of preserving the most ephemeral details, which the act of collection can otherwise destroy: every command run on the host changes its memory, process and network state. It also yields data about the incident that would not survive a shutdown. Beyond that, computer systems are subject to the treachery of images. The content of the screen is not a physical file; it is simply an image, a set of pixels, displayed on the monitor, and those pixels are generated by layer upon layer of software and hardware. Once a malicious user has gained access, any of those layers may have been tampered with: an application, the operating system kernel or even the firmware inside a hard disk drive can lie.
File systems store files as sequences of bytes, organized hierarchically in directories; a directory is itself a special kind of file. Directories and files have names, contents, permissions, modification times, ownership and other attributes, all of which can be used in the investigation. Yet the view of directories and files with their attributes is one of the illusions that a computer presents to us, just as it is with the underlying metadata blocks (inodes) and data blocks.
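As an added example (not part of the original report) of collecting live state in the order given above, the script below runs a table of collection steps most-volatile-first and records, for each artifact, the command, the collection time and the SHA-256 of the captured bytes, so the chain of custody can later be verified. It assumes a Linux host that has already been isolated from the network and an investigator running it as root from read-only media; the commands are standard Linux utilities, while the step table, the rank numbers, the manifest layout and the injectable `runner` are this example's own design. Main memory is deliberately not captured here, since that needs a kernel module or hypervisor tool and should be done before these steps.

```python
"""Collect the volatile state of a suspect Linux host in order of volatility
and record a manifest for the chain of custody.

Added example, not part of the original report. Assumes a Linux host already
isolated from the network; the step table, ranks, manifest layout and the
`runner` hook are this example's own design, not a standard tool's format.
"""
import hashlib
import json
import os
import subprocess
import time
from typing import Callable, Dict, List, Tuple

Step = Tuple[int, str, List[str]]

# Rank 0 is the most volatile. Network state and processes die at shutdown;
# mounts and uptime survive it but still describe the live state.
STEPS: List[Step] = [
    (0, "network_connections", ["ss", "-tanp"]),
    (0, "arp_cache", ["ip", "neigh", "show"]),
    (0, "routing_table", ["ip", "route", "show"]),
    (1, "process_list", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    (1, "open_files", ["lsof", "-nP"]),
    (2, "logged_in_users", ["who", "-a"]),
    (3, "mounted_filesystems", ["mount"]),
    (3, "uptime", ["uptime"]),
]

Runner = Callable[[List[str]], bytes]


def shell_runner(cmd: List[str]) -> bytes:
    """Run one collection command; keep stderr so failures are evidenced too."""
    proc = subprocess.run(cmd, capture_output=True, timeout=60, check=False)
    return proc.stdout + proc.stderr


def collect(steps: List[Step] = STEPS, runner: Runner = shell_runner):
    """Run the steps most-volatile-first. Returns (manifest, artifacts):
    manifest lists what ran, when, and the SHA-256 of the captured bytes;
    artifacts maps artifact name to the raw bytes."""
    manifest: List[Dict] = []
    artifacts: Dict[str, bytes] = {}
    for rank, name, cmd in sorted(steps, key=lambda s: s[0]):  # stable sort
        started = time.time()
        data = runner(cmd)
        artifacts[name] = data
        manifest.append({
            "rank": rank,
            "artifact": name,
            "command": " ".join(cmd),
            "collected_at": started,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return manifest, artifacts


def save(outdir: str, manifest: List[Dict], artifacts: Dict[str, bytes]) -> str:
    """Write artifacts and manifest.json to evidence media, never to the suspect disk."""
    os.makedirs(outdir, exist_ok=True)
    for name, data in artifacts.items():
        with open(os.path.join(outdir, name + ".txt"), "wb") as f:
            f.write(data)
    path = os.path.join(outdir, "manifest.json")
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)
    return path


if __name__ == "__main__":
    # /mnt/evidence is an assumed mount point for the examiner's own media.
    m, a = collect()
    print(save("/mnt/evidence/" + time.strftime("%Y%m%dT%H%M%SZ", time.gmtime()), m, a))
```

The manifest hashes are what make the later "verify integrity" step possible: anyone can recompute the SHA-256 of each saved artifact and confirm that it matches what was recorded at collection time.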
III. Digital forensic process overview
The forensic process starts once the forensic data has been obtained and imaged and a forensic request has been submitted. The next step is preparation of the environment to be examined and extraction of data, followed by identification of the items relevant to the crime. The third step analyses the collected data and produces the forensic report, as shown in Figure 1.
Figure 1. Forensic process
Preparation and extraction begins with reviewing the request to verify that it contains sufficient information about the crime; if not, the requester is asked to provide more. Next, the forensic software and hardware are set up and validated and the system configuration is created as needed. The integrity and authenticity of the forensic data must then be verified, typically by recomputing the hash of each image or artifact and comparing it with the hash recorded at acquisition; if the integrity cannot be confirmed, the requester is informed. A set of technical tools is then used to organize and refine the forensic request so that the incident can be viewed with more clarity (see Figure 2). This step is followed by the identification of the relevant parties and objects.
Figure 2. Preparation and extraction
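The integrity check in the preparation step is illustrated below with an added example that is not part of the original report. It reads a manifest in the `sha256sum` layout (one `<hex>  <path>` line per file), rehashes each file in chunks so that multi-gigabyte images never have to fit in memory, and reports every entry as ok, mismatch or missing, which is the distinction the examiner needs before going back to the requester. The file names and contents in `demo()` are constructed for this example.

```python
"""Verify acquired forensic data against its acquisition hashes.

Added example, not part of the original report. The manifest layout follows
sha256sum ('<hex>  <path>'); the evidence files in demo() are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images do not sit in RAM


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {name: hex digest}; reject malformed ones."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        out[name] = digest.lower()
    return out


def verify(manifest: Dict[str, str], base: str) -> Dict[str, str]:
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) == expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: two evidence files are hashed at acquisition, one is
    altered afterwards and a third listed file is absent; verify() reports all three."""
    with tempfile.TemporaryDirectory() as d:
        files = {"disk.E01": b"\x00" * 4096, "syslog.txt": b"Dec 20 02:11:40 ...\n"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest_text = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()
        ) + f"\n{'0' * 64}  memory.lime\n"
        with open(os.path.join(d, "syslog.txt"), "ab") as f:
            f.write(b"tampered\n")  # post-acquisition modification
        return verify(parse_manifest(manifest_text), d)


if __name__ == "__main__":
    print(demo())
```

A single mismatch or missing entry is enough to stop the examination and return to the requester, because every later finding would otherwise rest on data whose provenance cannot be shown.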
The identification step selects the items and objects that are relevant to the forensic request. An item judged relevant must be documented thoroughly, including its attributes and metadata. An item may lead to a new data search and to further relevant items, in which case the process returns to the preparation and extraction step. This recursive process should end with a concrete list of relevant items that describe the crime scene clearly.
Figure 3. Identification
The analysis step should enable the investigator to determine who (which person) or what (which application) created, edited, modified, sent or received the items and caused the crime to happen. It should then identify which other items are related to the ones already identified, and where the crime occurred, so that further relevant information can be collected. The dates and times of creation, access, viewing, update and modification are essential to describe the event, and other processes that executed in the same time range must be clearly identified as well. The analysis should answer the question of how the crime was committed, that is, the manner adopted by the perpetrator. It can in turn lead to new data searches that surface further relevant items for the investigation.
Figure 4. Forensic analysis
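The who/when/how questions of the analysis step are usually answered by putting filesystem timestamps and log entries on one clock and reading them in order. The added example below (not part of the original report) does that: it turns file records into mactime-style events, one per distinct timestamp with `m`/`a`/`c` flags, parses syslog-format authentication lines, merges both into a timeline restricted to the incident window, and counts which accounts the entries are tied to. The file records, the log lines, the host `fin-app01`, the accounts and the four-day window are all constructed for illustration; timestamps are treated as UTC, and because syslog lines carry no year one is supplied.

```python
"""Unified timeline from filesystem MAC times and log entries.

Added example, not part of the original report. All records, log lines,
hosts and accounts below are constructed; only the technique is the point.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re
from typing import Dict, List


@dataclass(order=True)
class Event:
    when: datetime
    source: str          # "fs" or "log"
    kind: str            # MAC flags ("m", "a", "c", combined) or log program
    subject: str         # account associated with the event
    detail: str = field(compare=False)


# Constructed: (path, owner, atime, mtime, ctime), as exported from an image.
FILE_RECORDS = [
    ("/opt/ledger/out/transfer_batch.csv", "ledger_svc",
     "2021-12-20T02:14:05Z", "2021-12-20T02:14:05Z", "2021-12-20T02:14:05Z"),
    ("/home/jdoe/.bash_history", "jdoe",
     "2021-12-20T02:20:11Z", "2021-12-20T02:20:11Z", "2021-12-20T02:20:11Z"),
    ("/var/www/reports/q3.pdf", "www-data",
     "2021-11-02T09:00:00Z", "2021-10-30T17:45:00Z", "2021-10-30T17:45:00Z"),
]

# Constructed auth log in syslog layout (no year in the timestamp).
AUTH_LOG = """\
Dec 20 02:11:40 fin-app01 sshd[4123]: Accepted publickey for jdoe from 10.8.3.42 port 51422 ssh2
Dec 20 02:13:58 fin-app01 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=ledger_svc ; COMMAND=/opt/ledger/bin/submit
Dec 21 08:00:02 fin-app01 CRON[5000]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SYSLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
USER_RE = re.compile(r"for user (\S+)|for (\S+) from|^\s*(\S+) :")


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fs_events(records=FILE_RECORDS) -> List[Event]:
    """One event per distinct timestamp of a file, flagged m/a/c like mactime."""
    out: List[Event] = []
    for path, owner, atime, mtime, ctime in records:
        flags: Dict[str, str] = {}
        for letter, ts in (("m", mtime), ("a", atime), ("c", ctime)):
            flags[ts] = flags.get(ts, "") + letter
        for ts, f in flags.items():
            out.append(Event(_utc(ts), "fs", f, owner, path))
    return out


def log_events(text=AUTH_LOG, year=2021) -> List[Event]:
    """Parse syslog lines; the account is taken from the message where it is stated."""
    out: List[Event] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        u = USER_RE.search(m.group(4))
        subject = next((g for g in u.groups() if g), "-") if u else "-"
        out.append(Event(when.replace(tzinfo=timezone.utc), "log",
                         m.group(3).strip(), subject, m.group(4).strip()))
    return out


def timeline(start: str, end: str, events=None) -> List[Event]:
    """All events with start <= when < end, oldest first."""
    events = events if events is not None else fs_events() + log_events()
    lo, hi = _utc(start), _utc(end)
    return sorted(e for e in events if lo <= e.when < hi)


def actors(events: List[Event]) -> Dict[str, int]:
    """How many timeline entries each account is tied to."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.subject] = counts.get(e.subject, 0) + 1
    return counts


if __name__ == "__main__":
    for e in timeline("2021-12-19T00:00:00Z", "2021-12-23T00:00:00Z"):
        print(e.when.isoformat(), e.source, e.kind, e.subject, e.detail)
```

Read in order, the constructed window shows a login, a `sudo` to the service account, and the batch file and shell history written minutes later, which is the kind of sequence that turns a list of artifacts into an account of who did what and how.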
Data search leads
Generally this task involves opening a case file in the forensic tool in use and importing the forensic image file. It may also involve rebuilding a similar information system environment to mimic the original context of the incident. Data search leads may include, but are not limited to, the following:
· Collect, identify and extract all e-mail, including deleted items.
· Configure and load data from the seized database for data mining.
· Recover all deleted directories and files and index the drive for review by the forensic examiner.
Extracted data
Prepared / Extracted Data List is a set of items that are arranged and prepared to enable the identification of the...