CASE ASSIGNMENT – Homicide Investigation

Write a forensic report to include the following sections:

Synopsis – this is an overall narrative of the facts of the case. It should answer the who, what, when, why, and how of the investigation.

Two days ago, Nancy Thomas was found dead at her residence; an autopsy showed high levels of rat poison in her system. The main suspect in the murder investigation is Thomas Browne, the deceased’s boyfriend. To gather evidence in this case, I, the forensic investigator, will be collecting and analyzing the laptop located at Thomas Browne’s residence, as well as the two PCs and a thumb drive found at his place of work. Additionally, with assistance from Thomas Browne’s superior and director of IT, I will collect and analyze server log, VoIP, and surveillance data from Thomas Browne’s place of work.

Suspect(s) Identified – This should have all the identifying information for the suspect.

Name: Thomas Browne

DOB: 09/01/1960

Home Address: 123 Main St, Ralson NE 68111

Work Address (if known): Unknown

Height (approx.): 5’ 10”

Weight (approx.): 175 lbs

Hair color: Brown

Eye color: Brown

Identification features (scars, tattoos, etc.): Suspect is showing signs of losing his hair.

Witnesses Identified – A witness is a person who makes a statement in a court about what he or she knows or has seen.  This should include the same information for each witness that processed the forensic evidence.

Include one or two sentences that identifies what they can testify to.

Nancy Thomas’ Neighbor 1: Jane and Bob Alexander. As Nancy Thomas’ neighbors, they can testify to their knowledge of the deceased and suspect’s relationship: anything from loud fights to general attitude or any odd behavior.

Nancy Thomas’ Neighbor 2: Jack Smith. As Nancy Thomas’ neighbor, he can testify to his knowledge of the deceased and suspect’s relationship: anything from loud fights to general attitude or any odd behavior.

Thomas Browne’s boss: Michael Adams. As Thomas Browne’s boss, Michael can testify to his knowledge of Thomas Browne’s recent work ethic, notable occurrences, odd behavior, and any missed work, as well as grant access to the search and seizure of Thomas Browne’s workstations and data. Michael can also provide additional witnesses, such as any work-friends of Thomas Browne.

Thomas’ Director of IT: Jim Nelson. As the director of IT at Thomas Browne’s place of work, Jim can testify to his knowledge of Thomas Browne’s recent work ethic, notable occurrences, odd behavior, and any missed work, as well as grant access to the search and seizure of Thomas Browne’s workstations and data. Michael can also provide additional witnesses, such as any work-friends of Thomas Browne. As the director of IT, Mr. Nelson shall be a valuable resource for the acquisition of all digital data relevant to the case, including server logs, browsing history, and tracking down other devices used (past and present) by Thomas Browne.

Lead Digital Forensic Investigator: William Donaldson. Mr. Donaldson (myself) will be in charge of collecting all devices and data used by Thomas Browne, as well as analyzing it all while searching for evidence pertaining to the case.

Case narrative – This is the meat of the case report.  It describes your methodology and what you found for evidence.  Be thorough, but remember it needs to be technical yet understandable to someone non-technical.

In this investigation, I, William Donaldson, was made aware of the contents of the search of Thomas Browne’s home, specifically a Dell Latitude E6510 laptop. At Thomas Browne’s place of work, Thomas Browne has two identical Dell OptiPlex 760 desktop computers. Furthermore, a SanDisk 8GB USB thumb drive was found at his desk.

For my investigation, I will be in close contact with local law enforcement and both Michael Adams (Thomas Browne’s boss) and Jim Nelson (Director of IT at Thomas Browne’s place of work), to ensure (with a warrant) the data and devices at both Thomas Browne’s home and place of work are collected securely, and the data is retrieved in the proper manner.

Per Thomas Browne’s company, as well as with permission from local police, I will, within what they allow me to do, perform backups on all drives and computers/laptops at a secure location (after removing them from their original position). I will contact Jim Nelson, Thomas Browne’s director of IT at his work, and (with his permission and per the warrant) perform analysis on server logs and collect and save video surveillance, VoIP call logs, and any entry/exit data (keypad data logs, receptionist/security staff records). If applicable, I will search for any video surveillance around both Thomas Browne’s and Nancy Thomas’s residences. Finally, if possible, I will examine both Thomas Browne’s and Nancy Thomas’s home Internet networks for signs of one or the other accessing the network (the time they entered the residence, the time they left, etc.).

The final item is the evidence list.  This should include all items you processed. Each item should be identified by:

Home Laptop

Make: Dell

Model: Latitude E6510

Specs: 2nd Generation Intel Core i7 M640 @ 2.80GHz, 4GB DDR3, 500GB HDD, DVDRW, PCI video card, internal sound card, internal 100Mb network interface, a modem interface, and three internal USB ports.

OS: Windows 7 Professional 32-bit

BIOS: Make- Dell Inc, A05

Date- 8/10/2010

Serial Number- F127845

Serial Number of the device (this includes individual hard drive located in a PC): 581-23912-092

Removable media: None present.

2 Work Desktops (Identical)

Make: Dell

Model: OptiPlex 760

Specs: Intel® Core 2 Duo CPU E8400 @ 3.00GHz, 2GB DDR3, 500GB HDD, DVDRW, PCI video card, internal sound card, internal 100Mb network interface, a modem interface, and three internal USB ports.

BIOS: Make- Dell Inc, A03

Date- 4/29/2009

Serial Number- PC1: GU284153 & PC2: GU324519

Serial Number of the device (this includes individual hard drive located in a PC): PC1: 582-23312-012 and PC2: 581-53311-089

Removable media: SanDisk 8GB USB thumb drive

Due to the legal and technical complexity of this investigation, a significant number of legal processes will be involved; proper warrants and documentation need to be obtained and kept active throughout the case. Navigating the company’s servers and devices needs to be performed carefully, with assistance from the local police department and managerial staff of the company.

Due to several complicated legal ramifications involved in this case, consulting with lawyers throughout the investigation is recommended.
