NAME: MASCULINO, JESSA KRIS R.

TOPIC: DIGITAL FORENSICS DATE: May 8, 9, and 10, 2024

TASK 1: Investigating Data Theft
Suppose a large company, ABC has hired you as an external consultant to investigate a
potential violation of corporate policy and data theft. You have been informed that an employee
may have been using corporate email to send confidential corporate information to one or more
personal email accounts, which may or may not belong to him. You have been told that this
action has been happening for almost a month and the employee is unaware of any suspicion.
Write a report in which you:
1. Explain, in detail, the initial actions you would take based on the provided information
including formal plans to preserve the crime scene(s) and eventual transportation of
evidence to a lab.

ABC has a potential data theft case on its hands. Here's how I'd initiate the investigation,
prioritizing evidence preservation:

1. Securing the Crime Scene - The Employee's Computer:

 Isolation: This is paramount. Disconnect the network cable and disable Wi-Fi to prevent
further data transmission or alteration.
 Power Down: Shutting down the computer minimizes the risk of data loss due to
overwriting during normal operations.
 Forensic Imaging: Acquire a forensic image of the entire hard drive using specialized
software. This creates a pristine copy, preserving the original state for later analysis.

2. Analyze the places where you would look for potential evidence on the suspects
computer(s) and / or network servers.

Hard Drive Image: Forensically analyze the image for:

Sent emails, even deleted ones.
Drafts and archived emails.
Web browsing history, including visited websites and downloaded files.
Installed software – tools used for data extraction or encryption might be present.
User folders: Documents, downloads, and email client folders might contain relevant
files.
Temporary files: These can hold remnants of deleted emails.
 Network Servers:
Email Server Logs: Analyze logs for email activity, including sender, recipient, time, size,
and
attachments.
 Network Access Logs: These can reveal unauthorized access attempts and potential
accomplices.
 3. Describe, in detail, how you proceed with the email investigation, including the review of
email and tracing.

● Review Sent Emails: Analyze all sent emails from the suspect's account, focusing on:
Recipients: Identify personal email addresses used, possible accomplices, or external
entities.
● Subject Lines & Content: Look for keywords indicating confidential information or data
exfiltration.
Attachments: Check for sensitive documents sent via email.
● Deleted Email Recovery: Utilize data recovery software on the forensic image to
recover
deleted emails and deleted drafts.
Email Tracing: If email headers contain sufficient information (often limited), attempt to
trace the email back to its origin or identify forwarding addresses.
4. Recovering Deleted Data
4. Describe the processes that would be utilized in order to recover data that may have been
deleted from the suspects computer(s).

To recover potentially deleted data from the suspect's computer, a two-pronged approach is
used:

1. Data Recovery Software: Specialized software can scan the suspect's computer for
traces of deleted files and emails. These tools exploit the fact that even after deletion,
data might still reside on the storage device until overwritten by new information. The
software can identify these remnants and attempt to reconstruct the deleted files.
2. Undelete Techniques: Forensic techniques go beyond software and analyze the unused
space on the hard drive. This space might hold fragments of deleted data before being
overwritten. Through advanced methods, forensic specialists can attempt to recover
these fragments and potentially piece together deleted files.

The success of data recovery depends on various factors. The type of data, deletion method,
and how much of the drive has been overwritten all play a role. Early action in securing the
computer and minimizing further data writes significantly increases the chances of successful
recovery.

TASK 2: Research Work

1. Research on the five Digital Forensics methodology / Steps of Computer Forensics.
2. Site three (3) types of Forensics and explain.
3. What are the prerequisites of a computer forensic examiner?
Answer:
1. Five Digital Forensics Methodologies / Steps of Computer Forensics:
Digital forensics follows a structured approach to investigate and analyze digital evidence. Here
are the five key stages:

1. Acquisition: This phase involves securing and collecting potential digital evidence while
preserving its integrity. Techniques include creating forensic images of storage devices,
isolating volatile memory (data in RAM), and documenting the collection process with
chain of custody forms.
2. Examination: In this phase, the examiner analyzes the collected evidence using
specialized tools and techniques. This includes identifying relevant data, extracting files
and artifacts (digital traces), and searching for deleted information. Tools like file
viewers, hex editors, and forensic software are used.
3. Analysis: The examiner interprets the extracted data, piecing together a timeline of
events and identifying potential culprits. This involves analyzing file timestamps,
metadata (data about data), internet history, and other digital footprints.
4. Reporting: The examiner creates a comprehensive report documenting the investigation
process, findings, and conclusions. This report should be clear, concise, and admissible
as evidence in court. It should include details about the methodology, chain of custody,
and analysis results.
5. Presentation: The examiner may be required to present their findings in court or to
stakeholders. This involves explaining complex technical concepts in a way that is
understandable to a non-technical audience. They need to be able to effectively
communicate the significance of the evidence and its implications for the case.

2. Three Types of Forensics:

The field of forensics encompasses various specializations that focus on different types of
evidence. Here are three common types:

1. Computer Forensics: This field focuses on recovering and analyzing digital evidence
from computers and other electronic devices. It's used in cases of cybercrime, data
breaches, and employee misconduct. It leverages the five methodologies mentioned
above to investigate digital evidence.
2. Network Forensics: This field investigates network traffic to identify unauthorized access,
security breaches, and malicious activity. Network logs, firewall logs, and intrusion
detection system (IDS) data are analyzed to identify suspicious network activity and
potential attackers.
3. Mobile Device Forensics: As mobile devices become increasingly sophisticated, the
need to recover evidence from them has grown. This field focuses on extracting data
from smartphones, tablets, and other mobile devices. Similar to computer forensics, it
uses specialized techniques to recover deleted data, analyze usage patterns, and
identify potential criminal activity.

3. Prerequisites of a Computer Forensic Examiner:

A successful career in computer forensics requires a combination of technical skills, analytical

abilities, and soft skills. Here are some key prerequisites:

 Technical Skills: A strong understanding of computer hardware, operating systems, and

file systems is essential. Familiarity with digital forensics tools and techniques for data
acquisition, analysis, and recovery is crucial.
 Analytical Skills: The ability to analyze complex data sets, identify patterns, and draw
logical conclusions is essential for drawing insights from digital evidence. They need to
be able to interpret technical data and translate it into meaningful findings.
 Communication Skills: The examiner needs to be able to communicate technical findings
in a clear, concise, and understandable way to both technical and non-technical
audiences. They should be able to explain complex concepts in a way that is easy to
grasp for a judge, jury, or company executives.
 Attention to Detail: Meticulous attention to detail is critical to ensure the integrity of
evidence and avoid overlooking crucial information. Every step of the investigation
needs to be documented thoroughly.
 Legal Knowledge: Understanding relevant laws and regulations regarding data privacy,
electronic discovery, and chain of custody is important for handling evidence in a legally
sound manner. This ensures the admissibility of evidence in court.
 Professional Certifications: While not always mandatory, obtaining certifications like
Certified Forensic Computer Examiner (CFCE) or GIAC Computer Hacking Forensic
Investigator (GCFA) demonstrates expertise and enhances career prospects. These
certifications showcase a commitment to professional development and adherence to
ethical standards.