QUESTION

Scenario

You are a digital forensics intern at AAA Computer Forensics, a privately owned forensics investigations and data recovery firm. It's a Friday morning and your manager calls you with good news. He tells you that he is very happy with your performance and has a big task lined up for you.

AAA Computer Forensics is working with Corporation Techs, a company that has been struggling to maintain its customer base due to fierce competition with rival firm NetTech24x7. A disgruntled former employee of NetTech24x7 approached the owner of Corporation Techs with a tip that Corporation Techs' internal strategy memos, customer lists, and other sensitive documents were being passed along to a NetTech24x7 sales manager. The former employee of NetTech24x7 claims that the files were being downloaded from Corporation Techs' Web site, but she did not know which specific folder was being accessed. Corporation Techs is now concerned that sensitive internal documents might be accessible to its competitor. It is also possible the disgruntled former employee is lying and only wants to learn about potential security holes in the Corporation Techs network. Therefore, the CEO of Corporation Techs has hired AAA Computer Forensics to conduct an informal investigation before involving law enforcement or regulatory agencies.

A thorough search of the Web site has been conducted, and no files were found beyond the static HTML Web pages expected. Three workstations are used to update content on the Web site, and a network packet trace has been captured for traffic between the workstations and the internal FTP upload site for posting data to the Web server. This packet trace is available for your use.

Once you understand the situation, your manager tells you to divide the investigation into four parts. The first part requires you to develop a summary of the background leading up to your investigation, a plan of action and the outline of your report. The second part involves the use of NetWitness Investigator to identify user credentials, correlate source host address(es), and evaluate network traffic for unusual activity that might provide a starting point for your system forensic investigation. In the third part, you will use a forensic tool to examine a forensic system image and evaluate files, communications, and applications, which could be items of potential evidentiary value in this investigation. In the fourth and final part, you need to document your results along with the investigative process and any indicators you discovered that led to additional actions on your part. The investigation must be limited to the scope identified by these indicators, and all investigative actions should be supportable if you are called as an expert witness in later proceedings.

Part 1: Preparation

Tasks

Perform the following steps:

  1. Review the scenario information provided in this handout.
  2. Create the outline of your report, which should have the following sections:
     • Executive Summary
     • Background
     • Investigative Plan
     • Network Forensic Examination Results
     • Workstation Forensic Examination Results
     • Evidence and Chain of Custody
     • Conclusions
     • Appendices
  3. Using the information provided in the scenario, write the Background section of the report that summarizes the events leading up to your company being hired to perform this investigation.
  4. Using the steps provided by your manager in the scenario, write the Investigative Plan section of the report outlining the process you will follow to conduct your investigation. This section should include the actual dates that you will conduct the work and report your results.