Forensics Assignment (Main)


  • 8/7/2019 Forensics Assignment (Main)

    1/31

    1

    CHAPTER 1

    INTRODUCTION

The advent and growth of Information Technology has made digital espionage a real and potential danger of great magnitude. The effect of digital espionage, aided by the ignorance of the average computer user, has been enormous. Corporations and government agencies have been the hardest hit.

A survey conducted by PricewaterhouseCoopers and the American Society for Industrial Security (ASIS) revealed that Fortune 1000 companies lost more than $45 billion in 1999 due to theft of their proprietary information alone. These losses, the survey contends, hit the manufacturing industries particularly hard.

What is perhaps more alarming than these statistics is the cumbersome response of companies. The report concludes: "The majority of companies responding to the survey have not effectively met the challenge of providing a framework in which to safeguard proprietary information. They are failing to address the threat."

This report describes in detail the steps taken to investigate a case of unauthorized employee access to sensitive company data. It outlines the forensically sound tools used and makes appropriate security recommendations to prevent a recurrence.


    CHAPTER 2

    EXECUTIVE SUMMARY

On the 24th of May, 2009, the Systems Administrator of TT Bank, Mr. Ali, employee number TT102 (herein referred to as ALI), was alerted to a possible unauthorized access to the HR file server (evidence No. P001) containing employee payroll. ALI in turn made an official complaint to Management, with Mr. Mike Brown, a member of staff in the loans department, employee number TT201 (herein referred to as MIKE), fingered as the possible culprit.

According to Section 1a of the Bank's acceptable use policy (see Appendix), unauthorized access to and distribution of confidential payroll information are grounds for termination. Further punitive measures (if any) are to be taken after due consultation with the bank's internal legal team, who in turn are to check existing laws to determine what policies exist with regard to unauthorized access to computers by employees.

    2.1 RISK ANALYSIS

Risk analysis, within the scope of this report, involves identifying and comprehensively assessing the impact of an insecure logical access control system on TT Bank, as evident in the given scenario, and what material or immaterial losses would potentially result from such a security breach.

One major means by which MIKE could have gained access to the Human Resource payroll files was by elevating his privilege to that of the Administrator.

    2.1.1 Privilege Escalation

Privilege escalation means gaining privileges without being authorized to do so. If unauthorized personnel are not able to gain privileges immediately when they access a system, they next usually attempt to escalate privileges by running programs that exploit vulnerabilities. When the intruder becomes a superuser, that person has complete control of the victim system (in most operating systems). Worse yet, if trusted access mechanisms between hosts are in place, the intruder might now be able to easily gain superuser access to other systems that trust the original victim system.

The term "loss", as defined in the U.S. Senate Bill S2448, is any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

Sources of estimated losses associated with the breach include:

• Sabotage of major network components
• Loss of employee confidence
• Loss of company proprietary information to competitors
• Network and user downtime

A qualitative risk analysis, adopted from the approach outlined by the National Institute of Standards and Technology (NIST SP 800-30) and applied in determining the associated risks, is shown in Table 2.1.


Table 2.1 Risk Analysis

Source | Risk Type | Risk Level | Description
Sabotage of major network components | Tangible | Medium | An intruder with administrative privilege can prevent other users from carrying out their legitimate functions, or outrightly cause significant damage to the server machine or its associated components. This threat is considered a high risk one since organizational operations and assets can be adversely affected.
Loss of employee confidence | Intangible | Medium | Employees might lose confidence in the capability of the company to protect their private details, and this can affect productivity in the long run. This threat-source is however considered medium since controls are in place that may impede successful exercise of the vulnerability.
Loss of company proprietary information to competitors | Tangible | High | Vital data such as a proposed financial solution can be leaked to competitors. The impact can be quite high as it can bring about major financial losses in the form of funds expended in research and development, and a severe degradation in or loss of mission capability.
Network and user downtime | Intangible | Medium | A significant amount of time might be spent by all staff in cleaning up the damage to systems in the affected area (e.g., analyzing what has occurred, re-installing the operating system, restoring installed programs and data files, etc.).


    2.2 Legal Warrants

On the 26th of May, 2008 at 115:00 GMT, the legal department of TT Bank, headed by Mr. Anderson Smith, completed and handed in a Service Request Form (SRF) and a letter of authorization for an investigation to be carried out on the affected computer systems, with a view to making recommendations on a framework to protect company sensitive data in the future. The SRF and letter of authorization can be found in the Appendix.

    2.3 Assumptions Made

1. TT Bank has an acceptable use policy which has been duly signed by all members of staff, including Mr. Mike Brown.
2. There is a backup file server of the same configuration as the main centralized file server.
3. The centralized file server has been configured for audit log capability.


    CHAPTER 3

    EVIDENCE IDENTIFICATION

    3.1 NETWORK ARCHITECTURE

The network topology documentation was obtained from the Systems Administrator on the 26th of May, 2008 at 14:00 GMT. The following were identified as systems/devices of interest:

Date/Time | Item of Interest | Serial Number | Evidence Number | Location | State at time of arrival
26/05/2009 15:00 GMT | DELL Optiplex PC | D0012322OP | TT001PC | Loans Dept. | Running
26/05/2009 15:00 GMT | Cisco 1200 Series Router | C00231234I | TT003RT | Server Room | Running
26/05/2009 15:00 GMT | DELL Power Edge T100 Centralized File Server | D324453R | TT002FS | Server Room | Running

Table 2.1 Items of Interest

The TT Bank network includes a screening router on the perimeter of the network that filters packets from the Internet before they are delivered to the Local Area Network, protecting the hosts on the internal LAN from compromise by an intruder. When a packet that claims to be a response to a packet sent out from the local network is received, the packet filter checks its tables to confirm that the packet is indeed a response to a request that was previously sent out, making it difficult for a potential intruder to get a packet through that contains forged addressing information. The second router, which connects the LAN to the screened network segment, provides additional security because all traffic that flows between the LAN clients and the server must first pass through it.


The file server runs Windows Server 2003 and is part of a Windows domain. The domain controller runs the Active Directory service, which acts as a repository for directory objects, among them user accounts. Further discussion with the Systems Administrator revealed that employee payroll files were prepared in .xls format and stored in a folder called HumanResources\records\emp_payroll. The only group with read or write permissions to the folder is the HR_ADMIN group, to which MIKE does not belong. It was therefore important to determine the possibility and means of gaining access to the payroll files.

Fig 1.0 TT Bank Network Architecture (diagram: Internet, Screening Router, Router, Switch, Centralized File Server, and the Server Administration, Sales and Marketing, Human Resources, Corporate Services and Loans segments). Areas in yellow are identified areas of interest.


    3.2 Chain of Custody

A chain of custody document was prepared to keep track of evidence from the time the investigator gained possession of an item until it was released back to the owner. This document contains basic information about the client and details about the media such as brand, type and serial number. The form also kept track of each person who touched the media at each stage (collection, imaging and return of property). A new line entry was made each time an item was removed from the media safe. Refer to the Appendix for the chain of custody document.


    CHAPTER 4

    EVIDENCE ACQUISITION

Evidence gathering was carried out according to RFC 3227, Guidelines for Evidence Collection and Archiving, which stipulates that evidence acquisition should be carried out in order of volatility, proceeding from the most volatile to the least volatile, as shown below:

• Registers, cache
• Routing table, ARP cache, process table, kernel statistics
• Memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media

    4.1 Live Data Acquisition

Date: 27th of May, 2009
Time: 13:00 GMT

In order to obtain a snapshot of the state of the file server (P002) at the time of arrival, certain data considered volatile (lost when the machine is turned off) were captured. They include:

• System date and time
• Current network connections
• Current open ports and the applications listening on those ports
• Applications currently running

The above information was gathered using the Netcat tool. Netcat is a utility that can write and read data across TCP and UDP network connections. It was important to ensure that the process of acquiring the evidence did not have any impact on the data of the system, so a reliable TCP connection between the file server (TT002FS) and a forensic workstation was created (see Figure 3.1).

    Fig 4.1 Connecting the Forensic Workstation to the File Server

Data was transferred across the network to the forensics laptop (as shown in Figure 4.1) because this not only minimized the impact on the victim machine itself but also lowered the chance of compromising the forensics laptop. Using a USB drive, for example, would have forced the system to load drivers into the kernel and would have left traces by adding an entry to the setupapi.log file and to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia registry key.

The following steps were taken:

1. An MD5 sum file with the checksums of each tool in c:\TT_Bank\Tools was created as shown below:

Command: md5sum -b c:\TT_Bank\Tools\* > tools.md5

Start Time | Tool | MD5 Sum | Comments
16:00 GMT | Netcat | 636DA7022B926A6483F033BE0D3290DA |
16:10 GMT | NTLast | 526EB8033C037B7594E033BE0D32821EB |
16:15 GMT | Dumpel | 414EB6132C817B6483F033FE0B32190EA |
16:20 GMT | MD5sum | 526EB8033C037B7594E033BE0D32821EB |


2. A Netcat listener was started on the forensic workstation and all incoming traffic was directed to the file c:\TT_Bank\network_data.txt. Figure 3.2 illustrates the forensic workstation listening for incoming connections on port 2222. Information received on port 2222 was written to the specified file.

Command: nc -v -l -p 2222 > c:\TT_Bank\network_data.txt

Fig 4.2 Setting up the Netcat listener on the forensic workstation

3. date /t & time /t. This was to correlate the system logs, as well as to mark the times at which the response was performed. The date and time commands are part of the cmd.exe application. Figure 3.3 illustrates the execution of the date command, redirecting the output to a file called c:\TT_Bank\date.txt on the forensic workstation. The second command in the figure uses the append operator (>>) to add the output of the time command to the c:\TT_Bank\date.txt file.

Fig 4.3 Obtaining System Date and Time

4. Current and recent connections. Netstat was used to determine current connections and the remote IP addresses of those connections, and to view recent connections.

Command: netstat -an

5. Login attempts. Since we were dealing with a case of unauthorized file access, it was important to first examine what user privileges were configured by the Systems Administrator on the HR file server (TT002FS).


Event logs of the file server were viewed using the NTLast tool. With NTLast, successful and failed logon attempts were examined, the server's logon and logoff auditing having been turned on.

Commands used:

• C:\NTLast>ntlast /f : used to enumerate failed console logon attempts.
• C:\NTLast>ntlast /r : used to track all successful logon attempts from remote systems.
• C:\NTLast>ntlast /f /r : used to enumerate failed remote logon attempts.
• C:\NTLast>ntlast -m \\server -file c:\log\sec.evt : used to copy security audit events from the HR file server.
• C:\NTLast>ntlast -file \\server\log\sec.evt

Fig 4.4 Successful Logons

Fig 4.5 Failed Logons

Results show that on the 23rd of February at 10:31:54am, 10:31:49am and 12:05:25am a Mike_Brown attempted to log in as administrator but failed (assumption).

6. The dumpel tool was used to retrieve the logs for offline analysis. Dump Event Log (dumpel) is a command-line tool that dumps an event log for a local or remote system into a tab-separated text file. This tool can also be used to filter for or filter out certain event types. The retrieved logs were saved in the c:\TT_Bank\network_data file on the remote forensic machine.

Command used:

• dumpel -l security -t : dumps the entire Security log, with tabs as delimiters, to any file you specify.

7. MD5 cryptographic checksums of the collated information were computed to ensure its integrity. An MD5 hash consists of a 128-bit (16-byte) checksum, also known as a "digest", that is generated cryptographically from the contents of the file. The table shows the collected files and their MD5 sums.

    4.2 Disk Imaging

Date: 28th May, 2009
Time: 13:00 GMT

Creating a bit-stream image of the disks ensured that the data on the original devices were not altered during the analysis. It was therefore necessary to work on the disk image, rather than on the original computer, in order to extract the evidence that could be found on the electronic storage device.

Disk imaging was carried out in line with the U.S. Federal Rules of Evidence (FRE) 1001-3:

• FRE 1001-3, Definitions and Duplicates: If data are stored by computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.


• FRE 1003, Admissibility of Duplicates: A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.

Conducting investigations on the disk image enabled the following:

1. Preservation of the digital crime scene,
2. Obtaining the information in slack space,
3. Access to unallocated space, free space, and used space,
4. Recovery of file fragments, hidden or deleted files and directories,
5. Viewing the partition structure, and
6. Getting the date stamps and ownership of files and folders.

Images of the following hard disks were obtained: the file server (evidence tag number TT002HDD) and MIKE's computer hard disk (evidence tag number TT001HDD). A controlled boot disk was placed in the computer's CD-ROM drive. The computer was powered on, and the BIOS setup program was entered.

The BIOS information was documented, and the system time was compared to a trusted time source and documented. The boot sequence was checked and documented; the system was already set to boot from the CD-ROM drive first. The desktop computer was powered off without making any changes to the BIOS.

The following information regarding the disks was taken:

• Make: Seagate
• Model: BarracudaXT
• Serial Number: SB1002342XT
• Evidence Tag number: TT001HDD
• Capacity: 160GB
• Physical Location: DELL Latitude desktop PC with evidence number TT002PC (MIKE's PC)


• Make: Seagate
• Model: BarracudaXT
• Serial Number: SB2113442XT
• Evidence Tag number: TT002HDD
• Capacity: 200GB
• Physical Location: DELL Power Edge T100 Centralized File Server: TT002FS (MIKEs PC)

Acquisition of a forensic duplicate of the disk was carried out using the following:

1. A read-only FireWire-to-IDE module
2. A read-write FireWire-to-IDE module
3. An external power supply
4. Power cables
5. Two power switches
6. FireWire cables
7. A 2.5" to 3.5" laptop drive IDE converter
8. A PCMCIA FireWire card for acquisition with the forensic laptop

The storage location of the disk image was wiped in a forensically sound manner using Active@ KillDisk software. This was in accordance with the U.S. Department of Defense clearing and sanitizing standard DoD 5220.22-M, which recommends the approach "Overwrite all addressable locations with a character, its complement, then a random character and verify" for clearing and sanitizing information on writable media.

After assembling the apparatus, the evidence drive was connected to the read-only module to ensure that no data could be written to it. The storage drive was connected to the read-write module and its jumpers were set to Master. The forensic workstation was booted up and FTK was started.


    4.2.1 Acquiring Disk Image Using FTK

FTK acquires forensic duplicates in three formats:

• EnCase Evidence Files (.E01)
• Raw Disk Image (dd)
• SMART format

The evidence drive (TT001HDD) was duplicated in the dd format, because a dd image can be read by nearly any forensic toolkit. The screenshots below show the details.

Fig 4.1 Evidence Acquired using FTK Imager

    4.3 Ensuring Evidential Integrity

For security reasons, internal verification was carried out to verify the imaging procedure and to check whether anything changed during the imaging process. FTK Imager generated a log file containing all the parameters of the process, such as disk geometry, interface health and packet checksums, and case details such as date and time.

Cryptographic checksums (MD5 and SHA-1 hashes) were also computed for both disks (TT001HDD and TT002HDD) as a way of checking the validity of the copy against the original drive. A cryptographic checksum applies a mathematical algorithm to the stored information and produces a unique output. By obtaining the same checksums for the original and the duplicate, we can confirm that an exact copy was produced.
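The two integrity steps of this report, the md5sum manifest of the tool kit (step 1 and step 7 of section 4.1) and the MD5/SHA-1 comparison of original and duplicate (this section), as an added example in Python; this is not code from the report or from FTK, and every file it hashes is constructed in a temporary directory.

```python
"""Added example (not part of the original report): build and verify an
md5sum-style tool manifest like the report's tools.md5, and verify that a
forensic duplicate matches its source by MD5 and SHA-1.
All file contents below are constructed in a temporary directory."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash large images in 1 MiB pieces, never all in memory


def file_digests(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(tool_dir, manifest_path):
    """Write 'md5 *name' lines, the format produced by 'md5sum -b'."""
    lines = []
    for name in sorted(os.listdir(tool_dir)):
        md5 = file_digests(os.path.join(tool_dir, name), ("md5",))["md5"]
        lines.append(f"{md5} *{name}")
    with open(manifest_path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def verify_manifest(tool_dir, manifest_path):
    """Re-hash every tool named in the manifest; return {name: bool}.
    A missing tool counts as a failure, not as 'nothing to check'."""
    results = {}
    with open(manifest_path) as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            expected, name = line.split(maxsplit=1)
            name = name.lstrip("*")  # '*' marks binary mode in md5sum output
            path = os.path.join(tool_dir, name)
            if not os.path.exists(path):
                results[name] = False
                continue
            actual = file_digests(path, ("md5",))["md5"]
            results[name] = actual == expected.lower()
    return results


def images_match(original, duplicate):
    """True only if MD5 and SHA-1 both agree between source and copy."""
    return file_digests(original) == file_digests(duplicate)


def demo():
    """Constructed scenario: a clean manifest, one tool altered after the
    manifest was made, and a duplicate image altered by a single byte."""
    with tempfile.TemporaryDirectory() as work:
        tools = os.path.join(work, "Tools")
        os.mkdir(tools)
        for name in ("nc.exe", "ntlast.exe", "dumpel.exe"):
            with open(os.path.join(tools, name), "wb") as fh:
                fh.write(name.encode() * 100)  # stand-in tool contents
        manifest = os.path.join(work, "tools.md5")
        write_manifest(tools, manifest)
        clean = verify_manifest(tools, manifest)
        with open(os.path.join(tools, "nc.exe"), "ab") as fh:
            fh.write(b"\x00")  # simulate a modified tool binary
        tampered = verify_manifest(tools, manifest)
        orig = os.path.join(work, "HR_Server.001")
        dup = os.path.join(work, "HR_Server_copy.001")
        data = bytes(range(256)) * 4096  # 1 MiB stand-in for a disk image
        with open(orig, "wb") as fh:
            fh.write(data)
        with open(dup, "wb") as fh:
            fh.write(data)
        good_copy = images_match(orig, dup)
        with open(dup, "r+b") as fh:
            fh.seek(1000)
            fh.write(b"\xff")  # one flipped byte in the duplicate
        bad_copy = images_match(orig, dup)
    return clean, tampered, good_copy, bad_copy


if __name__ == "__main__":
    print(demo())
```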


    CHAPTER 5

EVIDENCE ANALYSIS

Evidence TT001HDD (from MIKE's PC) and evidence TT002HDD (from the file server) were added to FTK. Details, as obtained from the case log, are shown below:

5.1 ADDING EVIDENCE TT002HDD TO FTK

    Name/Number: File Server Disk / TT002HDD

    Location: C:\Documents and Settings\All Users\Documents\File Server Image\HR_Server.001

    Display name: HR_Server\Part_1\NONAME-NTFS

    Type: Raw Drive Image, Partition, NTFS

    Comment: None

    Evidence-specific Case Refinement Settings: Add all files

    Evidence-specific Index Refinement Settings: Index all files

    05/27/2009 9:21:06 PM -- Starting to add evidence items...

    05/27/2009 9:44:06 PM -- Successfully created HTML file listing during case pre-processing.

    05/27/2009 9:44:07 PM -- Loading case

    05/27/2009 9:44:07 PM -- Updating Overview Cache

    05/27/2009 9:44:07 PM -- Filtering file list

05/27/2009 9:44:07 PM -- Initializing thumbnail view

    05/27/2009 9:44:08 PM -- Resetting search terms list

    05/27/2009 9:44:08 PM -- Building the indexed search results tree...

    05/27/2009 9:44:08 PM -- Building the live search results tree...

    05/27/2009 9:44:08 PM -- Building the bookmark tree

05/27/2009 12:55:40 AM -- Opened case: C:\Documents and Settings\Sword\Desktop\TT Bank\ using FTK version 1.50 build 04.08.23

5.2 ADDING EVIDENCE TT001HDD TO FTK

    Name/Number: MIKE PC Disk Image/ TT001HDD


    Location: C:\Documents and Settings\All Users\Documents\File Server Image\Mike_PC Img.001

    Display name: Mike_PC\Part_1\NONAME-NTFS

    Type: Raw Drive Image, Partition, NTFS

    Comment: None

    Evidence-specific Case Refinement Settings: Add all files

    Evidence-specific Index Refinement Settings: Index all files

    05/27/2009 9:21:06 PM -- Starting to add evidence items...

    05/27/2009 9:44:06 PM -- Successfully created HTML file listing during case pre-processing.

    05/27/2009 9:44:07 PM -- Loading case

05/27/2009 9:44:07 PM -- Updating Overview Cache

05/27/2009 9:44:07 PM -- Filtering file list

    05/27/2009 9:44:07 PM -- Initializing thumbnail view

    05/27/2009 9:44:08 PM -- Resetting search terms list

    05/27/2009 9:44:08 PM -- Building the indexed search results tree...

    05/27/2009 9:44:08 PM -- Building the live search results tree...

    05/27/2009 9:44:08 PM -- Building the bookmark tree

05/27/2009 12:55:40 AM -- Opened case: C:\Documents and Settings\Sword\Desktop\TT Bank\ using FTK version 1.50 build 04.08.23

5.3 RECOVERING DELETED AND HIDDEN FILES

5.3.1 Deleted Files

To avoid duplicating analysis steps, deleted files were recovered first. This was done automatically by FTK on adding the raw image to the case. The screenshot below shows all deleted files, including their creation date, last modification date, category, etc.


Recovered Files from Evidence Number TT001HDD (MIKE PC Disk Image)

The following recovered files were considered to be of evidential value:

C:\Documents and Settings\All Users\Documents\File Server Image\HR_Server.001

Fig 5.1 Deleted Files

    5.3.2Alternate Data Streams (ADS)

    In addition to deleted files, hidden files from Alternate Data Streams were also checked.

    The Ads spy tool was used. Ads spy is a tool used to list view or delete Alternate Data

    Streams (ADS) on Windows machines with NTFS file systems. It was used to run a search

    on all the folders in the root directory of the evidence files and the following results were

    obtained:


ADS Found in Evidence Number TT001HDD (MIKE PC Disk Image)

31 hits were obtained from this evidence item. Files and fragments of evidential value were documented. The image file was then searched for files containing, or having the filename, Payroll. 7 hits were received, showing 7 .xls files, as listed in Table 5.1. The MD5 values of the files found were computed and the files were saved in the c:\TT_Bank\Evidence folder.

Fig 5.2 Recovered Alternate Data Streams (MIKE PC)


ADS Found in Evidence Number TT002HDD (File Server Disk Image)

Searching for Alternate Data Streams in the file server image was particularly important because of the possibility of malicious files or applications being hidden inside unsuspicious files. It gave an insight into the method of compromise.

Results obtained using the ADS Spy utility show 8 hidden files attached as alternate data streams to c:\Windows\System32\calc.exe.

Fig 5.3 Recovered Alternate Data Streams (File Server)

The following files were found hidden in streams of c:\Windows\System32\calc.exe:

6 Genhash.exe
7 Iam.exe
8 Iamdll.dll
9 Iam-alt.exe
10 Pth.dll


11 Whosthere.exe
12 Whosthere-alt.exe

Further analysis revealed that the recovered Alternate Data Streams are file components of the Pass-the-Hash Toolkit.

5.3.3 Server Log Analysis

Date: 28th May, 2009
Time: 14:00 GMT

Event logs of the file server were reviewed, since the Network Administrator had earlier configured auditing on the Windows Server 2003 installation running on the machine. Reviewing the logs was particularly important as it enabled the tracking of access failures and successes.

The file c:\Windows\System32\config\SecEvent.evt was exported from the TT002HDD (file server) image to the c:\TT_Bank\evidence folder and reviewed using Event Viewer on Windows Server 2003. It was discovered that a Mike_Brown account accessed the files below. Fig 5.4 shows successful and failed access attempts.

C:\Documents and Settings\All Users\Documents\File Server Image\Payroll1.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll2.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll3.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll4.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll5.xlsx
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll6.xlsx
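The log review described here and in steps 5 and 6 of section 4.1 (NTLast and dumpel), as an added Python example that is not code from the report, from NTLast or from dumpel: it reads a dumpel-style tab-separated Security log export and flags repeated failed logons naming the administrator account, successful administrator logons from an ordinary workstation, and object access to the emp_payroll folder by an account outside HR_ADMIN. The column order, the HR_ADMIN membership, the host names and the log lines are all constructed assumptions.

```python
"""Added example, not part of the original report or of dumpel/NTLast:
review a tab-separated Security log export (the layout dumpel -t produces)
for failed logons naming the administrator account, administrator logons
from unexpected workstations, and payroll-folder access by accounts outside
HR_ADMIN.  Event IDs are the Windows Server 2003 ones (529 failed logon,
528/540 successful logon, 560 object open).  Column order, group
membership, host names and the log lines themselves are constructed."""
import csv
import io
from collections import Counter

# Assumed column order of a dumpel -t export: date, time, type, category,
# event id, source, user, computer, then the event's description strings.
COLUMNS = ("date", "time", "type", "category", "event_id", "source",
           "user", "computer", "strings")

PAYROLL_FOLDER = r"\HumanResources\records\emp_payroll"  # folder named in the report
HR_ADMIN = {r"TTBANK\ali", r"TTBANK\hr_clerk"}            # constructed group membership
ADMIN_HOSTS = {"HRSRV01", "DC01"}                         # constructed: hosts admins may use

# Constructed sample export: two failed administrator logons, a successful
# one from the loans workstation, then two payroll file reads.
SAMPLE_ROWS = [
    ("2/23/2009", "10:31:49 AM", "16", "2", "529", "Security", "N/A", "HRSRV01",
     "User Name: administrator Domain: TTBANK Logon Type: 3 Workstation Name: LOANS-PC01"),
    ("2/23/2009", "10:31:54 AM", "16", "2", "529", "Security", "N/A", "HRSRV01",
     "User Name: administrator Domain: TTBANK Logon Type: 3 Workstation Name: LOANS-PC01"),
    ("2/23/2009", "12:05:25 PM", "8", "2", "540", "Security", r"TTBANK\administrator", "HRSRV01",
     "User Name: administrator Domain: TTBANK Logon Type: 3 Workstation Name: LOANS-PC01"),
    ("2/23/2009", "12:06:10 PM", "8", "3", "560", "Security", r"TTBANK\Mike_Brown", "HRSRV01",
     r"Object Name: D:\HumanResources\records\emp_payroll\Payroll1.xls Accesses: ReadData"),
    ("2/23/2009", "12:07:02 PM", "8", "3", "560", "Security", r"TTBANK\hr_clerk", "HRSRV01",
     r"Object Name: D:\HumanResources\records\emp_payroll\Payroll2.xls Accesses: ReadData"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_export(text):
    """Return one dict per event; any extra tab-separated fields after the
    eighth column are folded back into the 'strings' column."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(COLUMNS):
            continue  # blank or truncated line
        fixed = row[:len(COLUMNS) - 1] + ["\t".join(row[len(COLUMNS) - 1:])]
        events.append(dict(zip(COLUMNS, fixed)))
    return events


def field(strings, label):
    """Extract the value following 'Label: ' in the description strings.
    Values are assumed to contain no spaces, which holds for these fields."""
    marker = label + ": "
    start = strings.find(marker)
    if start < 0:
        return None
    rest = strings[start + len(marker):].split()
    return rest[0] if rest else None


def failed_admin_logons(events, threshold=2):
    """Workstations that produced at least `threshold` failed logons (529)
    naming the administrator account, with their counts."""
    hits = Counter()
    for ev in events:
        if ev["event_id"] == "529" and (field(ev["strings"], "User Name") or "").lower() == "administrator":
            hits[field(ev["strings"], "Workstation Name")] += 1
    return {ws: n for ws, n in hits.items() if n >= threshold}


def admin_logons_from_unexpected_hosts(events, allowed_hosts=ADMIN_HOSTS):
    """Successful administrator logons (528/540) whose source workstation is
    not one that administrators are expected to use."""
    return [(ev["time"], field(ev["strings"], "Workstation Name"))
            for ev in events
            if ev["event_id"] in ("528", "540")
            and (field(ev["strings"], "User Name") or "").lower() == "administrator"
            and field(ev["strings"], "Workstation Name") not in allowed_hosts]


def payroll_access_outside_hr_admin(events, allowed=HR_ADMIN):
    """(user, object) pairs for object-open events (560) on the payroll
    folder by accounts that are not members of HR_ADMIN."""
    findings = []
    for ev in events:
        if ev["event_id"] != "560":
            continue
        obj = field(ev["strings"], "Object Name") or ""
        if PAYROLL_FOLDER.lower() in obj.lower() and ev["user"] not in allowed:
            findings.append((ev["user"], obj))
    return findings


if __name__ == "__main__":
    evs = parse_export(SAMPLE_LOG)
    print(failed_admin_logons(evs))
    print(admin_logons_from_unexpected_hosts(evs))
    print(payroll_access_outside_hr_admin(evs))
```

Against a real export the same functions run unchanged; only the constants at the top (group membership, admin hosts, payroll path) need to reflect the environment.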


Fig 5.4 Event Log of TT002HDD (File Server)

Table 5.1 Computed Hash Values of Recovered Files of Interest

File Name | Creation Date | Last Modified | MD5 Hash
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll1.xlsx | 13/04/2008 13:00 GMT | 17/04/2008 14:00 GMT | 636DA7022B926A6483F033BE0D3290DA
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll2.xlsx | 13/04/2008 13:30 GMT | 17/04/2008 14:00 GMT | 427EB61339937B6483F033BA1E3290EB
C:\Documents and Settings\All Users\Documents\File Server Image\Payroll3.xlsx | 13/04/2008 13:35 GMT | 17/04/2008 14:00 GMT | 547AB6235A714E6483F033BE0D3290AB


    CHAPTER 6

    CONCLUSION

1. The recovered files on MIKE's PC revealed a possible security breach, since only the Admin and members of the payroll department had access rights to those documents.

2. The Pass-the-Hash Toolkit recovered using the ADS Spy utility gave further insight into the possible mode of compromise. The toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow an intruder to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name, and NTLM hashes. It is suspected that this toolkit was used to gain administrator privilege while the Network Administrator was logged in via Remote Desktop, which gave unfettered access to the HR payroll files.

3. The event logs obtained also show that a MIKE_Brown account had administrator privilege at various times (as shown in Fig 5.4). This account, according to the Bank's Systems Administrator, Mr. Ali (TT102), was originally set to user.

    6.1 RECOMMENDATIONS

In order to mitigate the possibility of any of the systems being compromised, the administrator should severely limit who has administrative or elevated privileges to computers in the trusted domains and forests, and minimize the chances that any of those privileged accounts will be logged on. The level of success in this regard depends on well-architected computer management strategies. The following are some characteristics of good management strategies:


• Management tools that run agents locally on each managed workstation/server should be used to minimize the need for accounts that have elevated privileges to a large number of computers. (These agents would typically run under system or network service, would therefore have elevated privileges only to that computer, and would occasionally contact a central management server for instructions on what to do.)
• The Network Administrator must ensure that services never run under administrator accounts.
• Least privilege should always be used in delegation.
• Domain admin accounts should log on, directly, only to domain controllers.
• The local admin password should be unique for every managed computer.
• Activities such as browsing the web, reading emails or other internet activities should not be done using administrator accounts.
• Make sure to use antivirus/antimalware protection, and stay updated on security patches for all software.
• Minimize the use of administrator accounts.


APPENDIX A

CHAIN OF CUSTODY FORM

Evidence description/number: Seagate BarracudaXT, Serial Number: SB1002342XT / TT001HDD
Acquisition date: 26/05/2009
Acquisition location: Loans Department, TT Bank
Acquired from: Mr. Ali (TT102)
Storage location: Loans Department, TT Bank
Transfer date: 26/05/2009
Transferred to (location): Platinum Lab
Now in custody of: Anthony Iwuagwu, Lead Investigator
Storage location: Platinum Lab

Evidence description/number: Seagate BarracudaXT, Serial Number: SB2113442XT / TT002HDD
Acquisition date: 26/05/2009
Acquisition location: Server Room, TT Bank
Acquisition method: Legal Warrant
Acquired from: Mr. Ali (TT102)
Storage location: Loans Department, TT Bank
Transfer date: 26/05/2009
Transferred to (location): Platinum Lab
Transfer reason: Forensic Investigation
Now in custody of: Anthony Iwuagwu, Lead Investigator
Storage location: Platinum Lab


    APPENDIX B

    PLATINUM SECURITY INC.

    SERVICE REQUEST FORM

    Company Name : TT Bank

    Contact Name: Mr. Ali

    Mailing Address: TT Bank Bhd, 57000, Bukit Jalil

    City: Kuala Lumpur State: Selangor

    Phone: 0172132323 Country: Malaysia

    E-Mail: [email protected] Fax: 09022344

    Description of Needs and Comments

Investigation into an alleged unauthorized access to Human Resource files and folders by a TT Bank employee.

    Signature:_____________________________________________________

    Date:_________________________________________________________


REFERENCES

Keith J. Jones et al. (2006), Real Digital Forensics: Computer Security and Incident Response, Prentice Hall.

Kevin Mandia et al. (2005), Incident Response and Computer Forensics, McGraw Hill.

Harlan Carvey (2004), Windows Forensics and Incident Recovery, Addison Wesley.

Basic Principles of Information Protection: A consideration surrounding the study of protection [Online], http://web.mit.edu/Saltzer/www/publications/protection/Basic.html [Accessed 13th August, 2008].

A Systems Approach to Security Design: Adopting an Inclusive View [Online], http://transit-safety.volpe.dot.gov/security/SecurityInitiatives/DesignConsiderations/CD/sec2.htm [Accessed 13th August, 2008].

Tab Systems Inc., Controlling your business [Online], http://www.tab-systems.com/attendance.php [Accessed 13th August, 2008].

National Industrial Security Program, Clearing and Sanitizing matrix [Online], http://www.dtic.mil/whs/directives/corres/html/522022m.htm [Accessed 28th September, 2009].