Criminal Justice System and Digital Forensics

I work as an information security specialist for the Greenwood Company. Mr. McBride, a former engineer in the New Product division, was recently fired due to his persistent tardiness and absenteeism. In an interview with Mr. Hubert, Greenwood's human resource manager, he claimed that he was actually okay with leaving the position because he had already found a new one, and that his new coworkers were delighted since he had been hired. From his statement, Mr. Hubert developed fears that Mr. McBride might have been taking property that belonged to Greenwood to his new employer, who was likely supposed to be a Greenwood competitor. He is worried that the source code for a particular product, "X", that the company is banking on to earn millions over the next 3 years and is undoubtedly the major source of revenue for the company at the time might actually be lost.

He hands me a copy of the source code of the product to use while carrying out the investigation, and since this is a major case that concerns major company resources, legal enforcement is included and my decisions and investigation have to be clear and have sufficient evidence. This is a particularly hard case to handle since the provisions of the constitution after the 4th amendment state that the rights of the people to be secure in their houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized. However, according to Mr. Jenkins' instructions, I was supposed to violate the constitution provision and work with my supervisor to search the areas where Mr. McBride had access to within the building, including his assigned locker in the Company's on-site gym, for the digital evidence. There is a master key in the company that can be used to open the locked desk belonging to Mr. McBride, so this actually poses a dilemma since the evidence could actually be contained in the locker; however, breaking in without his permission could call for legal enforcement for code violation.

The company also has an employee handbook that states that anything that is brought onto the company's property, including the employees themselves, is subject to random searches for items that belong to the company. However, it provides that there is space for the employee to acknowledge the receipt of the random search notice. Mr. McBride has a copy of the book but never signed the page, which creates another bigger problem in this search. Greenwood uses a security checkpoint when entering the building, and a sign that is placed adjacent to the checkpoint displays the purpose of the checkpoint, which is for security staff to check for weapons and other materials that may offer insecurity in the workplace. Screening is done casually and involves verification of the employee's company ID card. A question is left open whether the security staff here can use their position to check Mr. McBride's briefcase and whether anything that could give or lead to any evidence regarding product "X's" loss can be retrieved.

Part II: Physical evidence acquisition

From the photo of Mr. McBride's work area as shown in the appendix, the following items could lead to digital evidence of the loss: the hard disc that is placed between the desktop computer and the laptop, the flash disc, and the CD reader that is on the table next to the keyboard. All these items are used to store or read soft copy data that Mr. McBride could have used to obtain the source code of product "X" and store or transfer the data somewhere else. To prevent alteration of the digital evidence, I took a photograph of Mr. McBride's workplace showing all the digital evidence that could be needed in court, then moved the mouse to determine if there was any evidence in the computer, but I was careful not to press any button so as to not tamper with any evidence. His monitor, however, had only a picture of a cartoon as shown in the picture, therefore I left it and embarked on the other digital sources, which I took to the forensic laboratory for further investigation. For analysis purposes, I ensured that the analyst working on it did not contaminate the storage media. A clean copy of the original information in the hard disc was kept in a CD. Write blocking devices were also installed to prevent change of data on the media. After the copy was made, an extraction method was selected that determined the model and the make of the device, then I submitted the original media for traditional evidence since the analyst could now work without the digital devices. The information obtained from the flash disc and the hard disc drive would be used to determine any information regarding the source code of product "X" that Mr. McBride may have used, accessed, tampered with or transferred somewhere else (Casey, 2010). The CD reader would give information on any CDs that he might have accessed over the period and possibly the data that may have been contained in the CD. I finally proceeded with the investigation.

The non-digital evidence I found in the workplace was: the sticky paper notes on the desktop computer and the other places in the workplace, a NASA writing pad, and papers under the printer. The non-digital evidence was manageable to handle compared to the digital evidence. Like in the case of the digital source, I took a photograph showing the exact location of each piece of evidence, then I took the evidence to the lab analyst too, who gathered all the information he needed for the analysis and then returned the evidence back to the source. The stick-on paper notes contained information such as source disks and target discs, which could be used to determine the location of data in the system. The writing pad, on the other hand, provided evidence on leading factors on the case such as people who were contacted, information collected from different people that were contacted for assistance, and other relevant information. The papers under the printer, however, contained general information on engineering and the company that was not very helpful in the search.

To secure the collection after removing it from the original source, before sending it for analysis, I took a photograph that displayed the work environment of the place and all the items that were present before removing the evidence. I also documented the activities in the workspace, which included all the components present and activities that might have been ongoing (Altheide & Carvey, 2011). I then measured the exact location of the sources before removing them, then returned them to their specific location using the information I had secured.

Looking at the evidence custody documents prepared by one of my co-workers, as shown in fig. 2 in the appendix, he manages to capture the three main seizure items: a voice recorder that is small and silver in color; a Western Digital, 1 TB, that is silver and black in color with a green label, is roughly rectangular and is affixed with a torn sticker on the front; and the third item being a thumb drive, USB, PNY-brand, 64 GB in size, whose serial number is unknown, but which is grey and black in color with approximate measurements of 1" x 2.5" x 0.5" and is made of metal and plastic with "PNY… 64 GB" printed on it and a small hole inside. His documentation actually covers most of the evidence of the original items; however, he failed to capture the 1 TB hard disc drive serial number, which is very important and is S/N: WMAZA020291, its date of manufacture, and its settings. For the voice receiver, he fails to capture the manufacturing website which is and the operating components of the device. He also does not include the type of USB used and the port size, which should have been necessary in the compilation.

Final project

Section 1

After carrying out a background check on the case, I finally realized that investigation of people was crucial before making any conclusions and analysis. The people I decided to interview were Mr. McBride's assistant, who was the technician in charge of the engineering aspects in the firm; the intern who worked under Mr. McBride and performed most of his tasks including documentation; the company secretary; and the chief security officer. The setting of the interview was informal: I took the intern out for lunch and asked him for some information on a friendly note regarding his former supervisor, which he responded to greatly. I interviewed the secretary in the morning as I reported to work, as a casual talk on the whereabouts of Mr. McBride, which gave me sufficient evidence too. The technician and the security guard I interviewed in their workplace during their normal work time. I preferred an informal setting to ensure that the interviewees felt comfortable to give sufficient evidence of the information required. The setting was also good for the interview since the interviewees had no reason to feel insecure after providing the information. For a successful interview, a proper setting is required depending on the amount of evidence you require and the delicacy of the issue in regard to how the interviewees view you and whether the information they provide will get them in trouble or not. The success of the interview contributes greatly to the investigation process. If sufficient information is gathered then the investigation will be simplified; however, if little or no information is gathered, the investigation process is made even more complex since the loopholes required to carry out the investigation or give leading rails to the investigation will not be present.

Section II

After seizing the thumb drive, I submitted it to the lab to determine the digital data contained in the drive. Some of the evidence I needed retrieved from the drive included: any information that regarded product X or any research done on the product and the exact dates that the research was done; any information transferred or deleted on the thumb drive; any information concerning Mr. McBride's new employer company and the products that they dealt with; and any possible contacts that McBride had with the company while he was still working for Greenwood. The information regarding the products the new company dealt with would give a lead on whether they needed the source code of Greenwood's product X to activate their similar products or create new ones using the code. Any contact information between Mr. McBride and the new employer company would give evidence on what degree of damage would have been done on the code by the time of investigation, and any other information regarding Product X would give leads on evidence that Mr. McBride had actually been in possession of the source code and performed a violation of the work conduct with regard to submitting the source code to the competitor company.

Owing to my familiarity with the case investigation, Mr. Jenkins assigns me the task of determining possible evidence of the case outside his workplaces. The first place I figured was Ms. Maria's work location since, according to the sticky note evidence, she was involved with safekeeping and her workplace may actually contain some of the data that Mr. McBride might have asked her to keep and any other physical digital evidence. Another place I would search was Bob's place since he might have been in close contact with Mr. McBride concerning widgets and, according to the writing pad, they were supposed to meet on Tuesday, which therefore presented a need for prompt search of his workplace.

As the digital forensic analyst, the top 3 forensic examination software tools I would nominate for analysis owing to their capabilities include the following. Digital Forensics Framework is an open source tool that comes under the GPL License and is beneficial to forensic professionals since it can be used for digital chain of custody and to access remote or local devices; it was developed for Windows and Linux OS by Fredric Beguelin, Solal Jacob and Jeremy Mounier (Blackledge & Wiley InterScience, 2007). Open Computer Forensics Architecture is the next software tool I would nominate due to its popular distribution as an open source computer forensic framework; it was built on the Linux platform, uses a PostgreSQL database for storing data, and was built by the Dutch National Police Agency. The third software is Registry Recon, which extracts registry information from the evidence then builds the registry representation from either the current or previous Windows installations; it costs about $399 and was developed by Smart glasses, Wearable computers.

What is a hash value?

A hash value is a tool that is useful in the examination, discovery and authentication of electronic evidence. It is a numerical identifier that can be assigned to a group of files or to some specific files, based on the mathematical algorithm applied to the files, which is determined by the characteristics of the data of the group set. In most cases, the hash value uses MD5 and SHA algorithms to generate numerical values such that they can distinguish two sets of data that have the same hash value regardless of the similarity between them. Hashing is used to show that the original data set is authentic, can also be used as a digital stamp for digital documents in digital data production, and is used during different phases concerning electronic evidence.

I used the modulo arithmetic hash value to show that Mr. McBride's thumb drive had copies of the source code in the following way. I created a hash table containing all the items stored in the thumb drive. Creation of the table makes it easier to find data later. The hash table has different positions, called slots, that are named by integers starting from 0. I then implemented the hash table using a list with each element of the table initialized to the specific Python value. I then mapped the items onto the slots where the items belonged in the table, and the algorithm automatically took any item in the table and returned it to the range of the slot names. The copies containing product X in the hash table were separated in the different slot names.

The additional uses of hash values in digital forensics include the following. The hash value is used as an important tool in examining electronic evidence. It is also used as a digital stamp for digital data, i.e., once data has been examined and found to be authentic, the hash value can place a digital stamp on the data or the digital evidence showing that it is original and not counterfeit. Hash values may also be used in the discovery process, for example in courts to discover protocol as an issue to discuss at the FED. They are used to authenticate evidence introduced in court, the evidence majorly being digital evidence that has distinctive means (Wood, Leiter & Turley, 2007).
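The following Python code is an added example, not part of the original essay or the lab's work. It shows the two uses of hash values discussed above: authenticating a working copy against the original, and finding copies of known source files on seized media. It uses SHA-256 digests looked up in a Python dictionary rather than the modulo-arithmetic table described earlier, and all file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(original, working_copy):
    """True when the working copy is bit-for-bit identical to the original."""
    return sha256_file(original) == sha256_file(working_copy)


def build_reference_set(reference_dir):
    """Map digest -> relative path for every file in the known source tree."""
    root = Path(reference_dir)
    return {sha256_file(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_known_files(evidence_dir, reference):
    """Return (evidence path, reference path, digest) for each content match.

    Matching is on content only, so a renamed copy is still found, while a
    file altered by even one byte is not and needs manual content review.
    """
    root = Path(evidence_dir)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            d = sha256_file(p)
            if d in reference:
                hits.append((str(p.relative_to(root)), reference[d], d))
    return hits


def demo():
    """Constructed stand-ins for the reference source code and the thumb drive."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, drive = Path(tmp, "reference"), Path(tmp, "thumb_drive")
        ref.mkdir()
        drive.mkdir()
        (ref / "engine.c").write_bytes(b"int run(void) { return 42; }\n")
        (ref / "license.h").write_bytes(b"#define KEY_LEN 32\n")
        (drive / "vacation.txt").write_bytes(b"packing list\n")
        # Renamed copy of engine.c: same bytes, different name.
        (drive / "notes_old.txt").write_bytes(b"int run(void) { return 42; }\n")
        # Same name as license.h but altered by one byte: will not match.
        (drive / "license.h").write_bytes(b"#define KEY_LEN 33\n")
        working = Path(tmp, "working_copy.bin")
        working.write_bytes((drive / "notes_old.txt").read_bytes())
        hits = find_known_files(drive, build_reference_set(ref))
        return [(e, r) for e, r, _ in hits], verify_copy(drive / "notes_old.txt", working)


if __name__ == "__main__":
    print(demo())
```

Recording the digests of the original media at seizure time and again after analysis gives the chain-of-custody record a check that the evidence was not changed in between.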

As the information specialist, when given the report from the Greenwood lab, the evidence clearly shows that Mr. McBride's thumb drive had product X source code and, at the same time, it is probable that he may have emailed some of the copies to his personal email address. To handle this situation, since the information is not only in his thumb drive but also in his personal email address, and he may have already passed the same information to his new employer, and if he had not already passed the information to him, he would probably do that sooner or later, it was therefore necessary to involve legal processes at this stage since this is a criminal offence and a breach of employee trust with regard to company property. The law provides that private companies can report crimes that the management can't handle to the law for proper enforcement.

In the trial against Mr. McBride, being a qualified expert witness owing to the evidence I gathered while investigating Mr. McBride's theft, the significant role I play is providing factual evidence and proof that I gathered that can be undisputed unlike the witness of a simple fact witness since they do not necessarily have evidence such as the digital evidence that could show that he was actually guilty (Wall, 2009).

The insight of being an expert witness involves writing reports. My role as a forensic examiner of the company involved facts obtained beyond personal observation and knowledge and provided certain threshold qualifications that were met by specialized expertise that provided testimony that was broader and potentially more significant than that of a simple fact witness.

In response to the prosecutor's call, to determine whether or not I am biased in this case, the evidence and other leading evidence point out that Mr. McBride is guilty. Evidence from the thumb drive showed that he had copies of product X and, at the same time, the IP address he last used showed that he had emailed some of the copies of the source code to his personal email address. To show that the analysis should be accepted, the forensic lab team members could bear witness to the analysis process to show that the data processing and analysis had no degree of corruption whatsoever. The photographs taken before, during and after the data analysis also provided sufficient evidence of the same.


Altheide, C., & Carvey, H. A. (2011). Digital forensics with open source tools: Using open source platform tools for performing computer forensics on target systems: Windows, Mac, Linux, UNIX, etc. Burlington, MA: Syngress.

Blackledge, R. D., & Wiley InterScience (Online service). (2007). Forensic analysis on the cutting edge: New methods for trace evidence analysis. Hoboken, NJ: J. Wiley & Sons.

Casey, E. (2010). Digital evidence and computer crime: Forensic science, computers and the Internet. London: Academic.

Meyers, M., & Rogers, M. (2004). Computer forensics: the need for standardization and certification. International Journal of Digital Evidence.

National Institute of Justice (2001). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition.

Wall, W. J. (2009). Forensic science in court: The role of the expert witness. Chichester, West Sussex, U.K: Wiley-Blackwell.

Wood, D., Leiter, C., & Turley, P. (2007). Beginning SQL server 2005 administration. Indianapolis, IN: Wrox-Wiley Pub.



Appendix 2


The proponent agency for this document is OHMR-PM L

Evidence custody document (legible fields only)

Makestuff IT Security

Location: Makestuff Remote Office #4, desk near west wall of office

Time/date obtained: 1430, 04/01/2014

1. Voice recorder, small, silver, Olympus.

2. Western Digital, 1TB, silver and black with a green label, roughly rectangular, affixed with a torn sticker on the front.

3. Thumb drive, USB, PNY-brand, 64GB in size, unknown serial number, grey and black in color, approximately 1" x 2.5" x 0.5", metal and plastic-type construction, printed with "PNY… 64GB", with small hole on the side (which appears to be for a lanyard).

///LAST ITEM///

04/01/2014, signature: ///original signed///
