ABC Corporation Cyber Breach Legal Restrictions
ABC Corporation has experienced a security breach on the company network and has hired Cyber Forensics Inc. (CFI). CFI was chosen to conduct the investigation, to produce the expert report detailing all of the tests conducted, and to provide expert testimony once all of the evidence has been delivered to ABC Corporation and the case is ready for trial.
Cyber Forensics Inc. will conduct the preliminary investigation for ABC Corporation. This report describes the approach the computer forensic investigators will take, including an incident review, collection requirements, and how to acquire and authenticate evidence while maintaining a chain of custody that ensures the continuity of the evidence throughout the investigation. It also covers the information needed for an expert report, the legal restrictions that apply at ABC Corp's main campus, the intent of the investigation, and the scope of the breached network.
The cyber forensic investigator will record all known facts of the incident and write out every procedure used to investigate the ABC Corp breach. Once the investigation is complete, CFI will deliver to ABC Corporation an expert report that presents all of the necessary evidence in an easy-to-read format, and our expert investigator will be available for expert testimony during all trials and pretrial meetings with the defense team.
Identification and Collection
The investigator's first step is an analysis report, which will guide how the investigator approaches each specific crime scene. The analysis report for ABC Corporation must take the expected evidence into account. The data analysis plan will start from the generic version CFI uses for all cases and will be customized for ABC Corporation to define the following items: how to gather evidence, how to ensure that the evidence is not changed or destroyed, the most appropriate tools for the investigation given the types of systems used at ABC Corp., and lastly whether this is a state or federal case (Easttom, 2017).
CFI will examine the information quickly to assess the three main data collection considerations. The first and second considerations are the life span of the data and its volatility: CFI investigators will create a list ordered by data volatility so that data can be collected quickly and efficiently and as much evidence as possible is preserved (Easttom, 2017). Collection will start with the most volatile data and proceed to the least volatile; examples, from most to least volatile, are registers and cache, routing tables, the ARP cache, process tables, kernel statistics and modules, and main memory. This order will be finalized for ABC Corporation once the investigator knows exactly what has occurred, so that collection is efficient and fast enough to preserve the necessary evidence (Easttom, 2017).
The third consideration is collecting the data at the level of 1s and 0s. This bit-level collection supports the tools that will be used in the ABC Corporation investigation and allows the investigator to rebuild potentially deleted data (Easttom, 2017).
Once on site, and once the crime scene has been protected and confirmed safe, the investigator will examine the initial state and look for the different types of physical evidence that can provide clues about the person who launched cyber-attacks using the laptop left behind at ABC Corporation's headquarters in New York. CFI follows the Scientific Working Group on Digital Evidence (SWGDE) framework, which processes evidence in four stages: collect, preserve, examine, and transfer. The transfer stage applies any time data is moved from the lab to court, or when evidence is returned because it is no longer needed (Easttom, 2017).
CFI also relies on Rule 902, which declares that certain evidence is self-authenticating and requires no extrinsic evidence to be admitted at trial (Law.cornell.edu 2, n.d.). For the legal portions of the case, CFI will take the proper steps to isolate the evidence so it is usable in court, to preserve the evidence so it is not lost (the data is fragile), and lastly to prepare the data for use at trial so that it stands up to judicial scrutiny. The analysis report and the frameworks put in place for this data are meant to show that the data is the same as when it was found, because the end goal is for ABC Corporation to use the evidence gathered by CFI in court against the individual who conducted cyber-attacks from the ABC Corp network and infrastructure using the laptop left on the scene (Easttom, 2017).
CFI will disable wireless communication at the crime scene to ensure that nothing enters or leaves the scene through unintended means. At the lab, CFI will make multiple copies of the data and authenticate each copy with an MD5 hash to ensure that the copies remain unchanged (Easttom, 2017).
Evidence must be tagged to ensure continuity and support the chain of custody, so CFI will ensure that all data is tagged and collected properly (Olzak, 2007). The tags used at CFI are stickers carrying the following information: date, time, control number, and the name or initials of the investigator on the case (Olzak, 2007). To maintain the chain of custody and keep track of every item, CFI will tag the following evidence: removable media found on the scene; cables, which will be photographed for reproduction in the lab and tagged; all computer equipment, which will be tagged and photographed for lab reproduction; any items found in the trash where the attack laptop was found; and any miscellaneous items found at the crime scene, such as notes (Olzak, 2007).
CFI will also place all evidence in sealable bags and start the chain of custody record in its chain of custody software, which records which investigator handled each item, why possession changed, and how the evidence was safeguarded (Olzak, 2007). These steps matter because any failure to record a change of possession could lead to the data being excluded from the legal case and from administrative proceedings in ABC Corporation's case against the known cyber-attacker (Olzak, 2007).
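As an added example (not CFI's chain of custody software and not part of the original report), the following Python script shows how the tag fields named above and a chain-of-custody log can be kept so that a missing or altered record of a change of possession is detected rather than going unnoticed: every log entry commits to the digest of the entry before it, and verification walks the chain. The control-number format, the SHA-256 chaining of entries, and every sample name and timestamp are constructed assumptions.

```python
"""Evidence tags and a chain-of-custody log with a tamper-evident hash chain.

Added example; not CFI's chain of custody software and not part of the
original report. The tag fields (date, time, control number, investigator)
follow the report; the control-number format, the SHA-256 chaining of entries
and every sample name and timestamp are constructed assumptions.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # stand-in "previous digest" for the first entry


@dataclass
class EvidenceTag:
    control_number: str   # assumed format "ABC-YYYY-NNNN"
    description: str
    date: str             # date of collection (ISO-8601)
    time: str             # time of collection (UTC)
    investigator: str     # name or initials of the collecting investigator


class CustodyLog:
    """Append-only log: each entry commits to the digest of the previous one,
    so an edited, removed or reordered record breaks verification."""

    def __init__(self, tag: EvidenceTag, entries=None):
        self.tag = tag
        self.entries = list(entries) if entries is not None else []
        if not self.entries:
            self._append("seized", tag.investigator, tag.investigator,
                         f"{tag.date}T{tag.time}Z", "initial seizure",
                         "sealed in tagged evidence bag")

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the digest does not depend on key order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action, from_person, to_person, timestamp, reason, safeguard):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "control_number": self.tag.control_number,
            "timestamp": timestamp,
            "action": action,
            "from": from_person,
            "to": to_person,
            "reason": reason,        # why possession changed
            "safeguard": safeguard,  # how the item was protected meanwhile
            "prev": prev,
        }
        self.entries.append({**body, "digest": self._digest(body)})

    def transfer(self, from_person, to_person, timestamp, reason, safeguard):
        """Record one change of possession."""
        self._append("transfer", from_person, to_person, timestamp, reason, safeguard)

    def verify(self) -> tuple:
        """Walk the chain and report the first break, if any."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["seq"] != i or body["prev"] != prev:
                return False, f"entry {i}: break in chain (record missing or reordered)"
            if self._digest(body) != entry["digest"]:
                return False, f"entry {i}: contents altered after recording"
            prev = entry["digest"]
        return True, "chain intact"


def build_sample_log() -> CustodyLog:
    """Constructed sample: the seized laptop and two handovers."""
    tag = EvidenceTag("ABC-2020-0001", "laptop left at ABC Corp headquarters",
                      "2020-05-02", "14:30:00", "J.D.")
    log = CustodyLog(tag)
    log.transfer("J.D.", "CFI evidence custodian", "2020-05-02T18:05:00Z",
                 "transport to CFI lab", "sealed bag in locked transport case")
    log.transfer("CFI evidence custodian", "R.S.", "2020-05-03T09:00:00Z",
                 "disk imaging", "write blocker; seal broken and re-sealed")
    return log


def verify_after_removal(log: CustodyLog, index: int) -> tuple:
    """Drop one recorded handover (an unrecorded change of possession) and re-verify."""
    kept = [e for i, e in enumerate(log.entries) if i != index]
    return CustodyLog(log.tag, kept).verify()


def verify_after_edit(log: CustodyLog, index: int, new_recipient: str) -> tuple:
    """Change the recipient of one entry after the fact and re-verify."""
    edited = [dict(e) for e in log.entries]
    edited[index]["to"] = new_recipient
    return CustodyLog(log.tag, edited).verify()


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())
    print(verify_after_removal(log, 1))
    print(verify_after_edit(log, 2, "X.Y."))
```

The two `verify_after_*` helpers stand in for the failure mode the paragraph describes: a handover that was never recorded, or a record changed after the fact. A plain spreadsheet would not reveal either; the chained digests do, and the seal and write-blocker notes in the `safeguard` field give the reviewer the "how was it protected" answer alongside the "who and why".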
Legal Restrictions, Intent and Scope
ABC Corporation is located in New York, and CFI will adhere to the legal restrictions that exist in New York State, which are listed here. Overhauls of New York law now dictate what evidence must be turned over to defendants in the discovery phase of criminal cases such as the one ABC Corporation will pursue (Schwartzapfel, 2019). CFI follows all rules to ensure that all evidence is identified and classified as evidence in this case; CFI follows the rules of evidence published by Cornell Law School. To authenticate and identify evidence, CFI follows Rule 901; Wigmore describes authentication as an inherent logical necessity (Law.cornell.edu 1, n.d.). CFI also relies on Rule 902 for evidence that is self-authenticating (Law.cornell.edu 2, n.d.).
The intent of this discovery is to produce proper evidence and present it in this criminal case through an expert report with expert testimony. CFI will produce evidence that is usable and pertinent to the criminal case against the known cyber actor who is conducting terrorist activity from the ABC Corporation network and the laptop left on the scene of the crime. CFI will give ABC Corporation the most accurate evidence, with a closely monitored chain of custody and the results of the tests conducted, so that all evidence can be authenticated, shown to have been collected properly, and used in court without the risk of exclusion.
The scope of this case includes the laptop left on the scene at ABC Corp and the network devices that were used to launch the cyber-attack and exfiltrate ABC Corp's financial records in an attempt to make the company look bad in the media. The scope drives the tools and procedures needed to gather data from the laptop, which runs Windows 10 Professional, from the Cisco network switches, and from the areas of the network the attacker used to exfiltrate financial data, with the aim of tracking where that data was sold. Any physical evidence left behind, and any notes taken on the laptop, will be evaluated, photographed and stored. The switch running configurations and ACLs will be captured so that all transactions are accounted for. The Security Information and Event Management (SIEM) system, which pulls all logs and stores them encrypted, will be imaged and copied for evaluation at CFI's lab to determine what data traversed the network while the breach was taking place.
The known facts of the case are what CFI knows from the quick look and from discussions with personnel on scene and with the network staff who originally alerted their management. CFI will need to capture some initial information: the date and time the incident was first identified, what flagged the incident, which users were logged in during the event, how long the suspect worked at ABC Corp, and whether any cameras captured the suspect entering and exiting the facility on the day of the event. The known facts of the breach will allow CFI to launch the proper procedures during the lab investigation at CFI.
There are five main known facts in this case that will guide CFI's investigation, evidence gathering and collection at CFI's labs, and the choice of tools and procedures. The first is that ABC Corporation is a large corporation located in New York, and its IT staff was notified through the SIEM tool that a terrorist breached the network on May 2, 2020. The second is that the cyber terrorist left behind a laptop with handwritten notes at the crime scene at ABC Corporation. The third is that the last person to use the laptop is a known international terrorist. The fourth is that the SIEM notified the IT staff that the breach occurred on May 2, 2020. The fifth and final fact is that the terrorist accessed financial data, exfiltrated it using a USB drive, and also deleted some financial data showing transfers to an external bank account.
CFI procedures ensure that logical and physical protections preserve the data so that it is untouched and uncorrupted for use at the trial of the suspect in this criminal case. Physical preservation covers the transport of the evidence, protecting it against excessive shock and electrostatic discharge so the data is not lost (Easttom, 2017). The second procedure is logical preservation, which keeps the data from changing while CFI looks for evidence in the forensics lab: at the bit level the data never changes while investigators seize, analyze and store it, which CFI accomplishes with the write blockers used in its forensics lab (Easttom, 2017).
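The hash authentication of copies described under Identification and Collection and the bit-level preservation described here can be checked with the following Python script, an added example that is not CFI's procedure or tooling and not part of the original report. The report specifies MD5; the script records SHA-256 alongside it (an assumption), since MD5 collisions are known and practitioners commonly record a second hash. It hashes a constructed sample image in chunks, records the reference hashes at seizure time, then verifies the original after examination (the property a write blocker is meant to guarantee) and two working copies, one of which has been altered by a single bit.

```python
"""Hash-based verification that an acquired image and its working copies are
bit-for-bit identical to the seized original.

Added example, not CFI's tooling and not part of the original report. The
report calls for MD5; SHA-256 is recorded alongside it (assumption). The
sample "drive" is a constructed byte string written to a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so large images are not loaded whole


def _hashes(chunks) -> dict:
    """Compute MD5 and SHA-256 over a stream of byte chunks in one pass."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return _hashes([data])


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return _hashes(iter(lambda: f.read(CHUNK), b""))


def verify_image(path: str, reference: dict) -> tuple:
    """Compare a file against the hashes recorded at seizure; return
    (ok, list of fields that differ)."""
    actual = hash_file(path)
    mismatches = [k for k in ("bytes", "md5", "sha256") if actual[k] != reference[k]]
    return (not mismatches), mismatches


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "seized.img")
        # Constructed sample drive: 2 MiB of patterned data plus a short tail,
        # so the chunked reader has to handle a partial final chunk.
        with open(original, "wb") as f:
            f.write(bytes(range(256)) * 8192 + b"end-of-sample-drive")
        reference = hash_file(original)  # hashes recorded at seizure time

        copies = [os.path.join(workdir, name) for name in ("copy1.img", "copy2.img")]
        for copy in copies:
            shutil.copyfile(original, copy)
        # Simulate a corrupted or altered working copy: flip one bit at offset 1000.
        with open(copies[1], "r+b") as f:
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 0x01]))

        return {
            # Re-hashing the original after examination shows no bit changed,
            # which is what the write blocker is there to guarantee.
            "original_after_exam": verify_image(original, reference),
            "copy1": verify_image(copies[0], reference),
            "copy2": verify_image(copies[1], reference),
        }


if __name__ == "__main__":
    for name, (ok, mismatches) in run_demo().items():
        print(f"{name}: {'VERIFIED' if ok else 'MISMATCH ' + ','.join(mismatches)}")
```

Note that the altered copy keeps the same byte count; only the digests reveal the change, which is why a size check alone is never enough and the hashes recorded at seizure, not hashes computed later from a copy, are the reference.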
CFI investigators are well equipped to gather all evidence for ABC Corporation and to provide an expert report and expert testimony for use in court in ABC Corp vs. the known cyber-terrorist. CFI completed the initial report of the crime scene and identified all places where evidence will be collected, including the laptop and the specific items the cyber terrorist left behind at ABC Corporation. All logs of the event were captured, kept on CFI hard drives and verified with MD5 hashes; all evidence obtained from the imaged laptop drive and its copies was properly controlled in evidence bags, tagged accordingly, hashed with MD5, and recorded and controlled in the chain of custody document.
CFI investigated the legal restrictions that exist in New York, where ABC Corporation's headquarters is located, along with the specific rules governing the authentication of evidence and the self-authenticating evidence in this case, which does not require extrinsic evidence to be admitted in court. CFI scoped the investigation to cover all items touched by the cyber-terrorist, which includes the laptop left on the scene, the firewall, and the Cisco switches used to exfiltrate the financial data from ABC Corporation.
CFI laid out the known facts of the case that will be used to scope the forensic investigation back at CFI's lab. CFI described the procedures used to protect the data: it is hashed and imaged so that no bits are changed when tools are used to examine it and to produce evidence that gives ABC Corporation a strong case against the known cyber-terrorist. CFI uses write blockers whenever a hard drive is seized and imaged to ensure that the original data is never changed, and all tests, procedures and tools used are documented and provided in the expert report for this criminal case.