CYBI 4319 - DIGITAL FORENSICS REPORT

School: University of Texas, Rio Grande Valley
Course: 4365
Subject: Information Systems
Date: Apr 29, 2024
Type: docx
Pages: 14
Uploaded by JusticeSalamanderMaster1075 on coursehero.com

Digital Forensics MBR/GPT/Acquisition Analysis of Collected Evidence
USB External Storage Analysis for Case #1628
By: Mia Garcia (DES)
Submitted to: Dr. Mahmoud Qwuieder, Attorney at UTRGV Law Offices
Date: March 11, 2024
Table of Contents
Executive Summary
Evidence Collection
  Chain of Custody
    Physical Evidence
    Hashes
Evidence Analysis
  Cross-Validation of Hashes
  Disk Signature
  Partition 1
  Partition 2
  Partition 3
Overall Analysis
Conclusion
Reference
Appendix
Executive Summary

On March 1st, 2024, an incident was reported regarding potential unauthorized access to sensitive data stored on company systems. This triggered an investigation led by Digital Evidence Specialist (DES) Mia Garcia. Initial findings suggested that a USB external storage device may have been used to access, and potentially extract, data from the company's systems without proper authorization. As part of the investigation, a USB external storage device was seized for analysis. The device had been connected to a company workstation suspected of being involved in the unauthorized access. Analysis of this device is crucial in determining the extent of the breach and identifying potential perpetrators.

Analytical Approach:
1. Disk Signature Analysis. We began by examining the disk signature of the external storage device. This involves reading the unique identifier embedded in the device's storage structure (the disk signature in the master boot record) to determine the device's origin and to correlate it with records of devices attached to company systems.
2. Partition Analysis. We scrutinize the device's partition table in detail to uncover hidden or encrypted sections, including space not covered by any partition, that may contain concealed data or malicious software used for the unauthorized access.
3. Boot Indications. We analyze the boot records and the boot indicator flags of the partitions to determine whether the device was bootable and could have been used to execute unauthorized operations directly on company systems.

Investigation Process:
1. Forensic Imaging. To preserve the evidence and allow thorough analysis without altering the original data, the device is forensically imaged to create a bit-for-bit replica of its contents, and the image is hash-verified against the source device.
2. Data Carving. Data carving is used to recover deleted or obscured files from the image. This may reveal additional evidence pertinent to the investigation.
3. Timeline Reconstruction. Using timestamps and access logs, a timeline of events is reconstructed to trace the sequence of actions involving the device. This chronological analysis helps identify the entry point and the scope of the breach.

In conclusion, a detailed analysis of the USB external storage device is of paramount importance in unraveling the reported incident of unauthorized data access. The process is a methodical examination of disk signatures, partitions and boot indications using rigorous investigative methodology. The ultimate objective of DES Mia Garcia is to establish the circumstances leading to the breach, identify potential perpetrators, and implement the remedial measures needed to fortify the integrity and security of the company's data.

Evidence Collection

Upon discovering the suspicious activity and receiving reports of unauthorized access, we promptly identified the relevant digital evidence: the USB external storage device. The device was isolated from the network and from any connected systems to prevent further tampering or data loss. The chain of custody was documented meticulously, recording the date, time, location, and individuals involved in the discovery and handling of the evidence. This documentation establishes a clear trail of accountability and supports admissibility in legal proceedings.
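The hash cross-validation of the forensic image and the disk signature, partition and boot indicator checks listed in the Executive Summary, as an added worked example in Python. This code is not part of the report; the sample MBR (disk signature 0xDEADBEEF, three partitions), the four-sector image that stands in for the seized USB device, and the device size of 720000 sectors used for the unallocated-space check are all constructed for illustration. It reads an MBR layout only; when it sees a 0xEE protective partition it reports that the real layout is in the GPT at LBA 1 but does not parse that table.

```python
"""Added example (not from the report): cross-validate an acquired image's hash
against the source, then read the MBR disk signature, partition table, boot
flags, overlaps and unallocated gaps from sector 0. All data is constructed."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
# Partition type codes relevant here (subset of the published MBR type list).
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_image():
    """Constructed 4-sector 'device': an MBR with three partitions, then zeros."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, 0xDEADBEEF)          # disk signature (assumed value)
    layout = [  # (boot flag, type, first LBA, sector count) -- constructed layout
        (0x80, 0x0C, 2048, 204800),    # bootable FAT32
        (0x00, 0x07, 206848, 409600),  # NTFS
        (0x00, 0x83, 616448, 102400),  # Linux
        (0x00, 0x00, 0, 0),            # unused slot
    ]
    for i, (boot, ptype, start, count) in enumerate(layout):
        # 16-byte entry: flag, CHS start, type, CHS end, LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"                           # MBR boot signature
    return bytes(mbr) + bytes(3 * SECTOR)


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash an image file in chunks so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(device_bytes):
    """Write the device contents to an image file, then cross-validate the two hashes.
    device_bytes stands in for a raw read of the seized USB device (constructed)."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(device_bytes)
        source_hash = sha256_of_bytes(device_bytes)
        image_hash = sha256_of_file(path)
    finally:
        os.unlink(path)
    return {"match": source_hash == image_hash,
            "source_sha256": source_hash, "image_sha256": image_hash}


def parse_mbr(sector0):
    """Disk signature, partition entries and integrity findings from sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    disk_sig = struct.unpack_from("<I", sector0, 0x1B8)[0]
    parts, findings = [], []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(
            "<B3sB3sII", sector0, 0x1BE + 16 * i)
        if ptype == 0 and count == 0:
            continue                           # empty slot
        if boot not in (0x00, 0x80):           # any other flag is malformed or tampered
            findings.append(f"partition {i + 1}: invalid boot flag 0x{boot:02x}")
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
                      "start": start, "count": count})
    return {"disk_signature": disk_sig, "partitions": parts, "findings": findings,
            "gpt_protective": any(p["type"] == 0xEE for p in parts)}


def has_gpt_header(image):
    """A protective MBR means the real layout is the GPT header at LBA 1."""
    return image[SECTOR:SECTOR + 8] == b"EFI PART"


def find_unallocated(parts, total_sectors):
    """Sector ranges covered by no partition (where hidden data would sit) and overlaps."""
    gaps, overlaps = [], []
    cursor = 1                                 # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] < cursor:
            overlaps.append(p["index"])
        elif p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps, overlaps


if __name__ == "__main__":
    image = build_sample_image()
    print(acquire_and_verify(image))
    info = parse_mbr(image[:SECTOR])
    print(f"disk signature 0x{info['disk_signature']:08X}, GPT header: {has_gpt_header(image)}")
    for p in info["partitions"]:
        print(p)
    print(find_unallocated(info["partitions"], 720000))   # 720000 sectors is an assumed device size
```

On a real acquisition the source hash is taken from the write-blocked device itself and recorded in the chain of custody before the image is ever opened; the gap between sector 1 and the first partition, and any space after the last one, are the first places to carve.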
Chain of Custody

To uphold the admissibility and reliability of evidence in legal proceedings, it is essential to safeguard its integrity and establish a clear chain of custody. By doing so, we ensure that the evidence is preserved with the utmost care and diligence and can be presented in a manner consistent with legal requirements and best practices. The following steps were taken to ensure reliability:
1. Immediate Isolation. Upon discovering the USB external storage device suspected of unauthorized access, immediate action was taken to isolate the device from the network and any connected systems to prevent further tampering or alteration of evidence.
2. Physical Seizure. The device was seized with proper tools and procedures to maintain its integrity, handling it carefully to avoid damage or contamination.
3. Documentation of Discovery. The DEFR (Digital Evidence First Responder) documented the device's discovery, noting the date, time, location, and seizure circumstances. This starts the chain of custody.
4. Chain of Custody. A chain of custody document details everyone who handles the evidence from seizure onward, including names, signatures, dates, and transfer times.
5. Secure Storage. Evidence is stored securely, and only authorized personnel can access it.
6. Regular Monitoring. Evidence is regularly monitored to maintain integrity. Any deviations from established protocols are documented and addressed promptly.
7. Documentation of Access. Any access to the evidence, whether for analysis, examination, or transfer, is meticulously documented in the chain of custody records.
8. Final Disposition. Upon conclusion of the investigation or legal proceedings, the final disposition of the evidence is documented, noting whether it was returned to the owner, retained for further use, or disposed of according to legal requirements.

Physical Evidence