Security

Scenario: Fair Use Computer Policy Violation

Summary

In this scenario, Adam Smith, a business analyst for RBC corporation, has been accused of violating his company’s fair use computer policy; this occurred due to human resources discovering that Mr. Smith had allegedly sent numerous inappropriate/harassing images via email to a female coworker. Mr. Smith allegedly sent the emails using his work computer. If Mr. Smith’s actions are found to be validated, he will be terminated from RBC Corporation.

In this scenario, we have the following individuals involved:

Adam Smith- Business Analyst for RBC Corporation.

Female Victim- Name not disclosed due to privacy concerns.

Tina Brady- HR Manager for RBC Corporation

Erin Jones- IT Manager for RBC Corporation

Derek- Senior Forensic Analyst for RBC Corporation

William Donaldson- Forensic Analyst Team Member for RBC Corporation

I, William Donaldson, and Derek (henceforth referred to solely as William Donaldson for the purposes of this assignment) have been made aware of this situation. We have been provided hard copies of the incriminating emails.

The hardware involved in the case are the following:

Adam Smith’s PC: Dell OptiPlex 760 – Intel® Core 2 Duo CPU E8400 @ 3.00GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 7 Professional 32-bit, Dell Inc. BIOS, A03, with a date of 4/29/2009. PC’s S/N: GU253841.

Adam Smith’s Desk Contents: 2GB USB Thumb Drive, Imation DVD-Rs with Mr. Smith’s name handwritten on them, and the following S/Ns: 6207G19216458LHD6 and 6207G19216458LHD5, Logitech MK270 920-004536 wireless keyboard and mouse combo, with eight function keys, USB 2.0, and RF.

Female Victim’s PC:  Dell OptiPlex 760 – Intel® Core 2 Duo CPU E8400 @ 3.00GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 7 Professional 32-bit, Dell Inc. BIOS, A03, with a date of 4/29/2009. PC’s S/N: GU321945.

(Exchange Server) Dell PowerEdge R610 Rack Server: Intel® Xeon® X5647 2.93GHz, 12M Cache, 5.86 GT/s QPI, 4C. S/N: CHSDY9371654322. This device is a production server (cannot be taken off-line for evidence collection).

(Active Directory) Dell PowerEdge R610 Rack Server: Intel® Xeon® X5647 2.93GHz, 12M Cache, 5.86 GT/s QPI, 4C. S/N: DFHSP312027931. This device is a production server (cannot be taken off-line for evidence collection).

(File Share) Dell PowerEdge R610 Rack Server: Intel® Xeon® X5647 2.93GHz, 12M Cache, 5.86 GT/s QPI, 4C. S/N: FRPQN497027855. This device is a production server (cannot be taken off-line for evidence collection).

At this time there is not enough evidence to support RBC Corporation’s allegations against Adam Smith, so additional investigative steps will be performed. As with all investigations, the suspect is innocent until proven guilty, so the privacy of Mr. Smith and of everyone involved must be respected. To limit the opportunity for Mr. Smith to destroy, remove, or tamper with evidence, and because all three servers are production systems that cannot be taken off-line, the investigation will consist mainly of live analysis of the servers, together with the removal of the female victim’s PC, Mr. Smith’s PC, and the hardware/devices found at Mr. Smith’s desk for further examination.

My first action would be to interview both Erin Jones (IT) and Tina Brady (HR) to establish the specifics of the case, including relevant keywords I could use when searching emails and similar data, and to determine the timeframe I am allotted to complete my work. Next, I would ask the IT manager, Erin Jones, to temporarily suspend Mr. Smith’s access to each server, system, and device he uses (this ensures he cannot log in from a different computer, deterring any evidence tampering or removal). I would then remove both Mr. Smith’s and the female victim’s PCs and transfer them to a secure location while completing the necessary documentation and adhering to proper chain-of-custody procedures. Once at the secure site, I would begin analyzing Mr. Smith’s PC using a forensic laptop, a hardware/software write-blocking tool, and FTK Imager to examine the contents of his computer; as part of this process, I would make a forensic copy of the hard drive.

Because this investigation turns on inappropriate emails, I would examine the Outlook .ost file, which stores a local copy of the user’s Exchange (or IMAP) mailbox data. I would also perform keyword searches (based on information gathered in my interviews with Erin Jones (IT manager) and Tina Brady (HR)) on both the PC itself and Microsoft Exchange. I would also use Belkasoft Live RAM Capturer and WinHex to perform a live RAM capture. We would make a copy of any data found to be incriminating. I would then perform the same procedures on the female victim’s PC as on Mr. Smith’s PC.
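To make the imaging and search steps above concrete, here is an added Python example (not part of the original assignment, and not FTK Imager’s or WinHex’s own code) that verifies an acquired image against its write-blocked source by MD5 and SHA-256, writes a chain-of-custody record, and only then runs a case-insensitive keyword search across the raw image in both ASCII and UTF-16LE, the encoding Windows uses for NTFS file names and much of its metadata. The drive contents, item label, examiner name and keyword are constructed placeholders; the PC serial number comes from the hardware list above.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-ins for a write-blocked source drive and its acquired image.
# In practice these are the suspect PC's 500GB HDD (behind the write blocker)
# and the image file the imaging tool produced; here a few hundred bytes play
# both roles so the script runs offline.
SOURCE_DRIVE = (
    b"\x00" * 512                          # empty boot area
    + b"Subject: FW: photos\r\n"           # an ASCII e-mail fragment at offset 512
    + b"\x00" * 128
    + "photos.jpg".encode("utf-16-le")     # a UTF-16LE string, as NTFS stores file names
    + b"\x00" * 256
)
ACQUIRED_IMAGE = bytes(SOURCE_DRIVE)                                  # a faithful copy
TAMPERED_IMAGE = ACQUIRED_IMAGE[:600] + b"X" + ACQUIRED_IMAGE[601:]   # one byte altered


def hash_stream(data, chunk_size=4096):
    """MD5 and SHA-256 of the data, computed in a single pass (as imaging tools do)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(source, image):
    """True only if both digests of the image equal those of the source."""
    return hash_stream(source) == hash_stream(image)


def custody_record(item_id, description, examiner, data):
    """Chain-of-custody entry: who acquired what, when, and the digests that fix its state."""
    digests = hash_stream(data)
    return {
        "item": item_id,
        "description": description,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **digests,
    }


def keyword_search(image, keywords):
    """Find each keyword in the image as ASCII and as UTF-16LE, case-insensitively.

    Returns (keyword, encoding, offset) tuples sorted by offset. Searching the raw
    bytes rather than mounted files also reaches slack space and unallocated
    clusters, where deleted e-mail fragments often survive.
    """
    hits = []
    for kw in keywords:
        patterns = {
            "ascii": re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE),
            "utf-16-le": re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE),
        }
        for encoding, pattern in patterns.items():
            for match in pattern.finditer(image):
                hits.append((kw, encoding, match.start()))
    return sorted(hits, key=lambda h: h[2])


def analyze(source, image, keywords):
    """Refuse to analyse an image whose digests do not match the write-blocked source."""
    if not verify_image(source, image):
        raise ValueError("image digests do not match the write-blocked source")
    return keyword_search(image, keywords)


if __name__ == "__main__":
    # Item label and examiner are constructed; the serial number is from the case hardware list.
    record = custody_record("GU253841-HDD", "500GB HDD from Dell OptiPlex 760 S/N GU253841",
                            "William Donaldson", ACQUIRED_IMAGE)
    print(record)
    for kw, enc, off in analyze(SOURCE_DRIVE, ACQUIRED_IMAGE, ["photos"]):
        print(f"{kw!r} ({enc}) at offset {off}")
```

The hash check is the part that matters for court: the digests recorded at acquisition are what later lets anyone show that the image examined is byte-for-byte the drive that was seized, and that nothing done during analysis changed it.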

Any incriminating evidence I find would be documented and saved on a secure, separate hard drive, as well as on a secure server in my forensic lab. If evidence is found, such as an incriminating email, I would have to establish the authenticity of the email by extracting the email headers (examining them in WinHex) to verify where and from whom the email came, when it was sent, whether it was edited, and to whom it was sent. I could also examine both users’ social media accounts, phone records, and other email accounts (if incriminating evidence is found), but I would have to communicate with RBC Corporation (and possibly local law enforcement) to determine whether I was authorized to do so and whether the situation required it.
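As an added example (not from the original post, and not a WinHex feature), the following Python script parses the headers of an exported message, reconstructs the Received hop chain to find the originating client IP, and runs the consistency checks the paragraph describes: sender domain versus Message-ID domain, the Date header versus the first server timestamp, and whether the originating host sits in internal address space. The message, host names, addresses and IPs are constructed placeholders.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of the headers an exported message might carry. Hosts,
# addresses and IPs are placeholders. Received lines appear newest first,
# because each mail server prepends its own line as the message passes through.
RAW_MESSAGE = (
    b"Received: from EXCH01.rbc.example (10.0.0.25) by EXCH01.rbc.example (10.0.0.25)"
    b" with Microsoft SMTP Server; Tue, 12 Mar 2019 14:03:21 -0500\r\n"
    b"Received: from WS-GU253841.rbc.example (10.0.12.41) by EXCH01.rbc.example (10.0.0.25)"
    b" with Microsoft SMTP Server; Tue, 12 Mar 2019 14:03:20 -0500\r\n"
    b"From: Adam Smith <asmith@rbc.example>\r\n"
    b"To: <victim@rbc.example>\r\n"
    b"Subject: FW: photos\r\n"
    b"Date: Tue, 12 Mar 2019 14:03:19 -0500\r\n"
    b"Message-ID: <ab12cd34@EXCH01.rbc.example>\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"(body omitted)\r\n"
)

# "from <host> (<ipv4>) by <host>" as written by most MTAs, Exchange included.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by_host>\S+)"
)


def parse_message(raw):
    """Parse raw RFC 5322 bytes with the modern (policy.default) header handling."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def parse_hops(msg):
    """Received headers in transit order (earliest hop first), with parsed timestamps."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())       # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue                              # hop line in an unrecognised form
        hop = m.groupdict()
        hop["timestamp"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops


def originating_client(msg):
    """IP of the host that first handed the message to a mail server, or None."""
    hops = parse_hops(msg)
    return hops[0]["from_ip"] if hops else None


def consistency_checks(msg, max_skew_seconds=300):
    """Findings that would undermine the claim that the message is what it appears to be."""
    findings = []
    hops = parse_hops(msg)
    sender = parseaddr(str(msg["From"]))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    message_id = str(msg["Message-ID"]).strip().strip("<>")
    mid_domain = message_id.rsplit("@", 1)[-1].lower()
    if not mid_domain.endswith(sender_domain):
        findings.append(f"Message-ID domain {mid_domain} does not belong to sender domain {sender_domain}")
    if not hops:
        findings.append("no Received headers: transit path cannot be reconstructed")
        return findings
    date_header = parsedate_to_datetime(str(msg["Date"]))
    skew = abs((hops[0]["timestamp"] - date_header).total_seconds())
    if skew > max_skew_seconds:
        findings.append(f"Date header differs from first Received timestamp by {skew:.0f}s")
    if not ipaddress.ip_address(hops[0]["from_ip"]).is_private:
        findings.append(f"originating host {hops[0]['from_ip']} is outside the internal address space")
    return findings


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for hop in parse_hops(msg):
        print(f"{hop['timestamp'].isoformat()}  {hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']}")
    print("originating client:", originating_client(msg))
    print("findings:", consistency_checks(msg) or "none")
```

Headers on a printed copy or in the recipient's mailbox can only ever corroborate, not prove, who sent a message, because every line above the first internal server hop was written by the client. That is why the plan pairs this with the Exchange server's own logs, which record the submission independently of anything the client wrote.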

For Mr. Smith’s other devices found at his desk, the 2GB USB thumb drive and the two Imation DVD-Rs, I would use my forensic laptop to examine and copy their contents while searching for any incriminating files. Next, I would have to perform live analysis on each server without disrupting its operation, as they are production servers; to accomplish this, I would use FTK Imager Lite to examine server logs, specifically on the Exchange server, looking for evidence that the incriminating emails came from Mr. Smith. If incriminating evidence were indeed found, I would notify RBC Corporation of the contents, ensuring that I can prove their authenticity. If no evidence were found that Mr. Smith sent those emails, I would have to show that he did not send them by providing the actual sender’s IP address and other evidence establishing Mr. Smith’s innocence.
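The following added Python example (not from the original post, and not an FTK Imager Lite function) shows the server-side check the paragraph describes against Exchange message tracking logs: it reads the log’s `#Fields:` header, finds the submission events from the suspected sender to the recipient, and maps the submitting client IP back to an asset inventory. The log is constructed and abbreviated to a subset of the real columns; host names, addresses, IPs and the inventory mapping are placeholders, with the serial numbers taken from the hardware list above.

```python
import csv

# Constructed, abbreviated message tracking log. A real Exchange log has more
# columns, but the layout is the same: comment lines, a "#Fields:" line naming
# the columns, then one CSV row per event. In Exchange, a message handed in by
# Outlook appears as a RECEIVE event with source STOREDRIVER, and
# original-client-ip records the submitting client's address.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-hostname,source,event-id,message-id,recipient-address,message-subject,sender-address,original-client-ip
2019-03-12T19:03:20.117Z,10.0.12.41,WS-GU253841,EXCH01,STOREDRIVER,RECEIVE,<ab12cd34@EXCH01.rbc.example>,victim@rbc.example,FW: photos,asmith@rbc.example,10.0.12.41
2019-03-12T19:03:21.004Z,10.0.0.25,EXCH01,EXCH01,STOREDRIVER,DELIVER,<ab12cd34@EXCH01.rbc.example>,victim@rbc.example,FW: photos,asmith@rbc.example,10.0.12.41
2019-03-12T19:10:02.550Z,10.0.12.77,WS-GU321945,EXCH01,STOREDRIVER,RECEIVE,<ef56gh78@EXCH01.rbc.example>,tbrady@rbc.example,"Re: schedule, updated",victim@rbc.example,10.0.12.77
2019-03-12T19:15:44.201Z,10.0.12.41,WS-GU253841,EXCH01,STOREDRIVER,RECEIVE,<ij90kl12@EXCH01.rbc.example>,ejones@rbc.example,ticket 4412,asmith@rbc.example,10.0.12.41
"""

# Constructed IT inventory: which workstation (by PC serial number) held each address.
IP_TO_ASSET = {"10.0.12.41": "GU253841", "10.0.12.77": "GU321945"}


def parse_tracking_log(text):
    """Rows as dicts keyed by the column names declared on the #Fields: line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip():
            continue                                  # other comment lines, blanks
        elif fields is None:
            raise ValueError("data row before #Fields: header")
        else:
            values = next(csv.reader([line]))         # csv handles quoted subjects
            rows.append(dict(zip(fields, values)))
    return rows


def find_messages(rows, sender, recipient, events=("RECEIVE",)):
    """Events of the given kinds from sender to recipient (addresses compared case-insensitively)."""
    return [
        r for r in rows
        if r["event-id"] in events
        and r["sender-address"].lower() == sender.lower()
        and r["recipient-address"].lower() == recipient.lower()
    ]


def originating_clients(rows):
    """Distinct client IPs that submitted the given events."""
    return {r["original-client-ip"] for r in rows}


def attribute_to_workstations(rows, ip_to_asset):
    """Map each submitting IP to the inventory asset for that address; unknown IPs are flagged."""
    return {ip: ip_to_asset.get(ip, "UNKNOWN - not in inventory") for ip in originating_clients(rows)}


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    hits = find_messages(rows, "asmith@rbc.example", "victim@rbc.example")
    for r in hits:
        print(r["date-time"], r["event-id"], r["message-id"], r["message-subject"], r["original-client-ip"])
    print(attribute_to_workstations(hits, IP_TO_ASSET))
```

A client IP alone does not put a person at the keyboard: the DHCP lease for that address and the Active Directory logon events for the same window need to corroborate it, which is why the plan also includes live analysis of the Active Directory server. The message-id values recovered here are also what tie a server log line to a specific message found in the .ost file or in the recipient's mailbox.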

