Curtin University of Technology - CBS | Introduction 1

Computer Forensics Report: Process Framework and Procedural Manual for Excellor Pty Ltd.

2012

Pedro Martins - 15527769

Curtin University of Technology - CBS, 4/27/2012

ABSTRACT:

The following report proposes a comprehensive process framework, guidelines and procedures that Excellor should consider applying within its operations and business. It highlights the main aspects and considerations that the company should be aware of when restructuring its policies and procedures for managing digital evidence categorised as “secure classified information transmissions” and “operational duties” conducted using smartphone and social media tools and applications.

Curtin Business School

SCHOOL OF INFORMATION SYSTEMS

Cover Sheet – BIC601 Assignment 1

Semester 1, 2012

Name: Pedro Martins
Student ID No: 15527769
Unit Name: Computer Forensics 601 (CF601)
Name of Tutor: Dr Collin James Armstrong
Day & Time of Tutorial: Friday, 9:00 am
Assignment Number and/or Name: CF601 Assignment 1
Due Date: 4th May, 2012, 5PM
Date Submitted: 4th March 2012

Declaration: Except where I have indicated, the work I am submitting in this assignment is my own work and has not been submitted for assessment in another unit or course.

Signature of Student

Table of Contents

1. Introduction .................................................................................................................................... 1

2. Excellor Forensic Policy Considerations .......................................................................................... 2

3. Process Framework ......................................................................................................................... 2

3.1. Preparation Phase ................................................................................................................... 4

3.2. Incident Response Phase ........................................................................................................ 5

3.3. Data Collection Phase ............................................................................................................. 5

i. Establish where all sought evidences can be found ............................................................... 5

ii. Create Order of Volatility ........................................................................................................ 5

iii. Collect the Evidence ................................................................................................................ 6

iv. Find Relevant Evidence ......................................................................................................... 10

v. Document Everything ........................................................................................................... 10

3.4. Data Analysis Phase .............................................................................................................. 10

3.5. Findings Presentation Phase ................................................................................................. 10

3.6. Incident Closure Phase .......................................................................................................... 10

4. Guidelines and Procedures ........................................................................................................... 10

4.1. Procedural Manual ................................................................................................................ 11

5. Recommendations ........................................................................................................................ 13

6. References .................................................................................................................................... 14

APPENDIX B – Anonymized Social Interaction Graph using Picture Tags ........................................ 16

APPENDIX C - Anonymized Example Timeline for 24-hour period .................................................. 17

APPENDIX D – FireSheep Graphic User Interface ............................................................................. 18

Table of Figures

Figure 1 - The three components for managing Digital Evidence………………………………….......................3

Figure 2- ProDF layers………………………………………………………………………………………………………………………..3

Figure 3- Unique Incident Investigation…………………………………………………………………………………………….4

Figure 4 - Social Interaction Graph using Direct Messages…………………………………………………………………7

Figure 5 - Anonymized Social Interconnection Graph using Picture Tags……………………………………………8

Figure 6 - Anonymized Example Timeline for 24-hour period. …………………………………………………………..8

Figure 7 – Twitter metadata.…………………………………………………………………………………..…………………………9

Figure 8 - Facebook metadata. .………………………………………………………………………………………………………...9


1. Introduction

In light of the increasing number of cyber-attacks that occurred in 2011 (e.g. Anonymous, HBGary, Sony, and WikiLeaks), Excellor Pty Ltd. has contracted the services of a forensic expert to elaborate and propose a process framework for managing digital evidence, considerations for developing a procedural manual, considerations for developing the company’s policy, guidelines and procedures for forensic activities, and more.

The growing use of smartphones (e.g. iPhone) and social networks (such as Facebook, LinkedIn, etc.) has become a major concern in computer forensics, since they form another communication channel linking the internal environment of a company to the outside world. Moreover, the continual addition of functionality to smartphones creates many challenges for a forensic investigator, since their operating systems are constantly changing (Adams 2010).

Current smartphones are capable of storing a large volume of data and have therefore become one of the main targets for collecting relevant digital evidence1 during an investigation. Data frequently found on smartphones include:

- Application data
- Call history
- eBooks
- Maps
- Email
- Photos
- Text messages
- Video
- Web history
- Audio

After digital evidence is collected and analysed, it can be used by many different departments within an organisation for various reasons. For example, the Human Resources department might need evidence to confirm misbehaviour by a staff member. Similarly, auditors can use evidence to prove dishonest transactions, and managers can use it to monitor and control whether data flows comply with governance regulations (CP Grobler & CP Louwrens 2010).

The purpose of this report is to assist and instruct Excellor’s senior management, such as the Chief Information Officer and Chief Executive Officer, on taking specific measures in the event of misuse of company data categorised as “classified” on corporate smartphone devices and social media. Furthermore, this document serves as a guide to the important activities that must be considered in case of inappropriate use of company data.

Hence, the facts researched and discussed in this document will assist the relevant parties in managing digital evidence and taking effective and efficient action, helping Excellor to minimise the effects of any internal or external digital incident2 that significantly affects the company’s business.

1 For the purpose of this assignment, digital evidence means all corporate data categorised as “secure classified information transmissions” and “operational duties” conducted using smartphones, social media tools and applications.


2. Excellor Forensic Policy Considerations

All major forensic concerns present in the company’s policies should be addressed in clear statements that help authorised personnel to monitor systems and networks and to take immediate measures in response to an incident (Kent, et al. 2006).

Any investigation should be kept confidential, especially when it concerns staff members, unless the case is taken to court. If case details spread throughout the company or to any unrelated party, the investigation loses its credibility and may lead Excellor to violate contractual agreements between the company and the employee (Nelson, Phillips and Steuart 2010).

Although technology can be used for many beneficial purposes, it can also be accidentally or intentionally misused to give unauthorised access to corporate data and information, or to modify, destroy or steal information, including the digital evidence of an incident. Hence, in order to ensure that forensic tools are used appropriately, it is a sound strategy to specify within Excellor’s policy which forensic actions should and should not be performed for each type of incident.

In short, Excellor’s forensic policies should consider, but not be limited to:

- Outlining the roles and responsibilities of all stakeholders (internal and external) involved in the organisation’s forensic activities, and clearly indicating who should be assigned to which type of event.
- Explaining which forensic procedures should and should not be executed under normal and special conditions. The policy should also address the use of anti-forensic tools and techniques.
- Entitling authorised people to carry out investigations of corporate-issued smartphones for justifiable reasons, under the appropriate conditions.
- Building forensic concerns into the planning and development of the information system life cycle, which can lead to more efficient and effective management of different types of incident.
- Ensuring that storage of data collected by forensic tools does not violate the company’s privacy or data custody policies.
- Monitoring of networks, with notices on systems informing users that activity may be monitored. The policies should respect reasonable expectations of user privacy.

3. Process Framework

In the event of a cyber-crime within Excellor’s environment, it is important to follow a process framework that gives investigators an appropriate approach to responding to the incident. Two existing frameworks were therefore identified that can be applied to Excellor’s business for managing Digital Forensics (DF) evidence.

According to Grobler et al. (2010), a company should be aware of and prepare itself for possible cyber-attacks, and take appropriate measures to either avoid or minimise the damage caused to its business. The authors identify three components that should work together, and not in isolation: Proactive, Active and Reactive DF.

2 An incident is the misuse of any corporate data leading to a violation of company regulations or State laws (e.g. criminal, civil and statute).


- Proactive DF (ProDF) covers any measures a company can take to foresee or prevent digital incidents, by ensuring that it possesses the technology, processes and procedures needed to minimise disruption of business in the event of a digital crime.
- Active or ‘live’ DF (ActDF) is the capability of an organisation to collect relevant and comprehensive digital evidence live, during an ongoing incident, in order to minimise the effect of the incident.
- Reactive or ‘dead’ DF (ReDF) is the stage in which a company applies its analytical and investigative techniques in order to preserve, identify, extract, document, analyse, and interpret the digital evidence.

The following graphic correlates the three components and shows when each should be applied.

Figure 1 - The three components for managing Digital Evidence (Grobler, Louwrens and Solms 2010)

Furthermore, there are some critical factors to be considered when adopting proactive measures against potential digital incidents. Excellor’s policies, processes, technologies and people are the foundation for effective business governance, which must be in accordance with local laws and regulations. The figure below illustrates the sub-components that must be considered when adopting Proactive DF measures within Excellor and explains what each sub-component involves.

Figure 2 - ProDF layers (Grobler, Louwrens and Solms 2010)


The following framework sets out, in order, the processes and activities that should be undertaken in the event of a digital crime. In the next graphic, it can be seen that the output of each process serves as the input to the next one, creating a repeatable pattern for responding to incidents.

This process framework is based on the proposal of Nicole Beebe and Jan Clark (2005). Compared with other existing models, none provided sufficient detail to enable all members of a digital forensics team to take efficient measures in response to digital incidents (Beebe and Clark 2005). Hence, this model extends the one proposed by Grobler, Louwrens and Solms (2010) and presents the most suitable framework to incorporate within Excellor’s information security environment.

Figure 3 - Unique Incident Investigation (Beebe and Clark 2005)

3.1. Preparation Phase

This phase contains the proactive measures that Excellor should perform to minimise damage in the event of a cyber-attack. According to Tcek et al. (2010), every company should adapt its systems (whether computerised or not) to collect and preserve potential digital evidence in a structured way.

Additionally, during the Preparation Phase some activities (listed later in this document) should be executed in order to maximise the availability of digital evidence in support of the investigation and prosecution of computer security incidents. Different cases have distinct characteristics, so the Preparation Phase may vary from scenario to scenario while following a common pattern.

There are also tools that reveal who is using social media on Excellor’s network. For example, FireSheep (http://codebutler.com/firesheep) is a free, open source Firefox extension that passively sniffs the traffic of a shared network and, for any website it knows that sends its session cookie over unencrypted HTTP (including several social media sites), captures that cookie: as soon as someone on the network visits one of these websites, the user’s name and photo are displayed, and the captured cookie allows the session to be taken over. Appendix D shows snapshots of the software interface. Two caveats apply. First, the tool only sees traffic on a network segment it can sniff, and it sees nothing when the site is accessed over HTTPS or the network itself is encrypted. Second, it is a session-hijacking tool rather than an access control, so using it against staff is a form of monitoring that must be explicitly authorised.

Hence, before adopting any such measure, it is crucial to create a policy that permits Excellor’s authorities to execute this action.
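As an added illustration (not part of the original report and not FireSheep’s own code), the following Python script shows the check such a sniffer performs on a capture of plaintext HTTP traffic: it parses each request, looks up the destination site in a table of session-cookie names and reports which client is logged in where. The handler table and the captured requests are constructed for the example; a request made over HTTPS is ciphertext on the wire and never reaches this code, which is the first caveat above in executable form.

```python
"""What a Firesheep-style sniffer sees on a shared network: clients sending a
recognisable session cookie over plaintext HTTP. Added example; not Firesheep's
code. The handler table and the captured traffic below are constructed."""
from dataclasses import dataclass

# Constructed handler table (assumption): site -> cookie names that carry the session.
# Firesheep ships its own per-site handlers; these names are illustrative only.
SESSION_COOKIES = {
    "www.facebook.com": {"c_user", "xs"},
    "twitter.com": {"_twitter_sess", "auth_token"},
}


@dataclass(frozen=True)
class Exposure:
    host: str
    cookies: tuple   # (name, value) pairs a bystander could replay
    src_ip: str


def parse_http_request(raw: str):
    """Return (method, path, headers) from one raw plaintext HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: value}."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def find_exposures(captured):
    """captured: iterable of (src_ip, raw_request) seen on the wire.
    Only plaintext HTTP can be parsed at all; an HTTPS session never gets here."""
    found = []
    for src_ip, raw in captured:
        _method, _path, headers = parse_http_request(raw)
        host = headers.get("host", "")
        wanted = SESSION_COOKIES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        jar = parse_cookies(headers["cookie"])
        hits = tuple(sorted((k, v) for k, v in jar.items() if k in wanted))
        if hits:   # a known site, and the session cookie travelled in the clear
            found.append(Exposure(host, hits, src_ip))
    return found


# Constructed capture (assumption): three plaintext requests seen on the shared LAN.
SAMPLE_CAPTURE = [
    ("10.0.0.12", "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
                  "Cookie: datr=abc; c_user=1001; xs=deadbeef\r\n\r\n"),
    ("10.0.0.13", "GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=1\r\n\r\n"),
    ("10.0.0.14", "GET /home HTTP/1.1\r\nHost: twitter.com\r\nCookie: lang=en\r\n\r\n"),
]

if __name__ == "__main__":
    for e in find_exposures(SAMPLE_CAPTURE):
        print(f"{e.src_ip} is logged in to {e.host}; replayable cookies: {e.cookies}")
```

Only the first client is reported: the second talks to a site the table does not know, and the third sends no session cookie. The same logic, run on a monitoring port, is the defender’s check for sessions that are being exposed on the company network.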


3.2. Incident Response Phase

This phase consists of detecting and initiating a pre-investigation response to a computer or mobile device suspected of being involved in an incident, such as data theft, uploading or downloading inappropriate or illegal content from the Internet, a breach of computer security, and so on.

3.3. Data Collection Phase

Although information and data about a given incident are gathered during the Incident Response Phase, Data Collection has the purpose of collecting the digital evidence that will support the response and investigative plan.

When managing evidence, it is important to bear in mind that not all information will be evidence, and that evidence must be identified proactively.

Information is considered digital evidence when it is:

- Admissible: it must be information that can reasonably be used in court.
- Authentic: the evidence is connected to the investigated incident.
- Complete: it tells the whole story, including exculpatory evidence for alternative suspects.
- Reliable: the authenticity and veracity of the evidence must be beyond doubt.
- Believable: clear, easy to understand, and believable by a jury.

There is a series of steps that should be undertaken when collecting digital evidence:

i. Establish where all sought evidence can be found

Prior to responding to any incident, a trained team should be assembled and briefed on all available facts, plans and objectives so that it can carry out the plan for collecting and analysing data. Assigning trained investigators to gather data helps to collect the crucial evidence for an incident, also known as Comprehensive Digital Evidence (CDE) (CP Grobler & CP Louwrens 2010). In other words, the team will be able to collect relevant and sufficient information to determine the origins of the incident and link the perpetrator to the event.

ii. Create an Order of Volatility

Since digital evidence is volatile and can easily be lost or corrupted, data collection must be done rapidly in order to acquire the most accurate information about the evidence. Delayed responses may result in the loss of crucial information for the case (Nelson, Phillips and Steuart 2010). Therefore, a plan should be created that decides the most effective way of gathering data, determining what to collect, where to collect it from, and in which order: the most volatile sources (memory contents, network connections, running processes) first, and persistent storage last.


iii. Collect the Evidence

In order to capture volatile evidence when an incident is discovered, it is crucial that the suspect computer stays connected to the network and is not rebooted until the relevant data has been captured, and that a suspect mobile device is kept powered on. Unplugging the computer from the network or letting the mobile device power down may spoil the investigation, since critical volatile data will be destroyed. A powered-on smartphone that remains reachable over its mobile or wireless network can, however, be remotely wiped or locked by the suspect; the usual practice is to keep it powered but isolate it from the radio network (for example in a shielding bag or in flight mode) until it is acquired.

Throughout this stage, the investigation team must collect as much evidence as it possibly can and capture it the first time it is seen. In some cases, volatile data (data kept in memory, such as running processes, network connections and clipboard contents) may be lost through delay in the incident response or unprofessional execution of this process.

The following tools are commonly used to provide important data for forensic investigations, mainly on desktops and laptops. They are host-based and do not run on a smartphone; what a smartphone connected to the company’s network exposes is its network footprint (its IP and MAC addresses, connections and sessions), which is visible from the network side, through the same tools run on other hosts and through firewall, router and log server records, while data held on the phone itself requires mobile acquisition tools. Hence, Excellor can draw on various sources in order to collect the maximum amount of relevant digital evidence for a possible incident, such as:

- Command (cmd)
- Netstat
- Psloglist
- Netcat
- Pslist
- Netusers
- Net (user, session)
- Pulist
- ListDLLs
- Handle
- Tlist
- Tasklist
- PS
- IPConfig
- NBTStat
- Fport
- Openports
- DOSKEY
- GPList
- Time
- Date
- Route

Many of the tools listed above return similar types of information (such as IP address, MAC address, tasks performed by a computer or connected smartphone, ports used between source and destination machines, websites recently visited, processes and their identifiers, date and time of various operations, and more). Yet each provides specific detail that the others lack.
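The following Python live-response collector is an added example (not from the report) of steps ii and iii above: it runs a list of volatile-data commands in order of volatility, most volatile first, and records for each the start time, the exit status and the SHA-256 of the captured output, so that the collected output can later be shown to be what was captured. The command table uses POSIX equivalents of the tools listed and is an assumption; on a Windows host the entries would be tasklist, netstat, ipconfig and the Sysinternals tools named above. A tool that is not installed is recorded as skipped rather than silently omitted, because the manifest must say what was not collected as well as what was.

```python
"""Live-response collector: runs volatile-data commands in order of volatility and
records, for each, when it ran and the SHA-256 of what it returned. Added example,
not the report's own procedure. The command table is an assumption (POSIX names)."""
import hashlib
import shutil
import subprocess
from datetime import datetime, timezone

# Most volatile first: network state and process list change by the second, the
# system clock and interface configuration hardly at all. Tuples of (label, argv).
ORDER_OF_VOLATILITY = [
    ("network-connections", ["netstat", "-an"]),
    ("routing-table",       ["netstat", "-rn"]),
    ("processes",           ["ps", "-ef"]),
    ("interfaces",          ["ifconfig", "-a"]),
    ("system-time",         ["date", "-u"]),
]


def run_live_response(commands, timeout=30):
    """Run each command in the given order; return a list of manifest entries.
    Each entry carries the UTC start/finish time, the status and a SHA-256 of the
    captured bytes (stdout and stderr together), so the output file written later
    can be matched against the manifest."""
    manifest = []
    for label, argv in commands:
        started = datetime.now(timezone.utc).isoformat()
        if shutil.which(argv[0]) is None:
            # Record the gap explicitly: a missing tool is itself a finding.
            manifest.append({"label": label, "argv": argv, "started": started,
                             "status": "skipped-tool-missing"})
            continue
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output = proc.stdout + proc.stderr
            status = "ok" if proc.returncode == 0 else f"exit-{proc.returncode}"
        except subprocess.TimeoutExpired:
            output, status = b"", "timeout"
        manifest.append({
            "label": label,
            "argv": argv,
            "started": started,
            "finished": datetime.now(timezone.utc).isoformat(),
            "status": status,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "output": output,
        })
    return manifest


if __name__ == "__main__":
    for entry in run_live_response(ORDER_OF_VOLATILITY):
        print(entry["label"], entry["status"], entry.get("sha256", ""))
```

The manifest, not the console, is the record: in practice each entry’s output is written to a file on the examiner’s own media and the manifest is signed, so that the hash taken at collection can be checked by whoever handles the files next.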

One of the biggest constraints that forensic examiners face with mobile phones is that they can be used anywhere, not only on the company’s premises. Although it is possible for investigators to collect information leaked from smartphones via text messages, uploads and downloads of files, or social networks, it can be extremely hard to detect and gather evidence of suspicious activity if the information is passed in a phone call. Therefore, although the call history is recorded on the device, the content of a conversation is difficult to trace unless the phone is tapped.

As for social media, searching for digital evidence is even more complicated, since the information is held by the social network operator rather than on the suspect’s computer’s hard drive, which retains at most cached fragments of it.


There are therefore different procedures for collecting data from social networks. Acquiring the operator’s server hard drives is one, although it is not feasible in most cases. Another alternative is to ask the social media operator to send the crucial data to the investigator. However, this measure conflicts with the rules of evidence gathering, because the investigator cannot prove that the evidence is complete, reliable and authentic (Mulazzani, Huber and Weippl 2011). Hence, those two options should be set aside at first, and data gathering should rely mainly on the investigative capacities of the forensic examiner.

According to Mulazzani, Huber and Weippl (2011), even though social media have distinct features and architectures, there are common data sources that can provide forensic investigators with crucial information on these media, as follows:

- The social footprint: the user’s social circle and relationships, defining who he or she is connected to and what his or her interests are.
- Communication patterns: the methods by which the medium is used to communicate, how it is used, and who the user is communicating with. To present this information graphically, the Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011) can be applied, as shown in Figure 4 (please refer to Appendix A for the figure in larger scale).

Figure 4 - Social Interaction Graph using Direct Messages (Mulazzani, Huber and Weippl 2011).

- Pictures and videos: which pictures and videos the user has uploaded to the social network, and in which of other people’s pictures he or she was tagged. As shown in Figure 5, the “Anonymised Social Interconnection Graph using Picture Tags” (Mulazzani, Huber and Weippl 2011) can be applied in order to track the suspect’s closest connections (please refer to Appendix B for the figure in larger scale). The graph is created using the following steps:

  i. Starting from the suspect’s account, gather all the pictures from all of the suspect’s “friends”.
  ii. Ignore those who are tagged in the pictures but are not in the suspect’s “friend” list.
  iii. If the tagged person is also the suspect’s “friend”, add an edge between the two nodes, pointing from the profile that uploaded the picture to the profile that was tagged.

Figure 5 - Anonymised Social Interconnection Graph using Picture Tags (Mulazzani, Huber and Weippl 2011).

- Times of activity: when a specific user joined or connected to the social medium, and exactly when each activity took place. A timeline is therefore a reasonable strategy to adopt, giving a chronological order to the events, as suggested by Mulazzani, Huber and Weippl (2011). Figure 6 is an example of such a timeline (please refer to Appendix C for the figure in larger scale).

Figure 6 - Anonymized Example Timeline for 24-hour period (Mulazzani, Huber and Weippl 2011).

- Apps: a list of the apps the user may be using, and the purpose for using them.
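As an added example (constructed data, not taken from Mulazzani, Huber and Weippl or from any network’s export format), the following Python code implements steps i to iii of the picture-tag graph above, weights repeated tags so that the suspect’s closest connections can be ranked, and buckets the same records into the 24-hour timeline described under Times of activity. The suspect, the friend list, the pictures and their field names are all assumptions made for the example.

```python
"""Picture-tag interconnection graph (steps i-iii above) and a 24-hour activity
timeline from constructed social-network data. Added example; the records and
field names are assumptions, not a real network's export format."""
from collections import defaultdict
from datetime import datetime

# Constructed profile data (assumption). Each picture: who uploaded it, who is
# tagged in it, and the upload time as ISO 8601.
SUSPECT = "suspect"
FRIENDS = {"alice", "bob", "carol"}
PICTURES = [
    {"uploader": "alice",   "tags": ["suspect", "bob", "zed"], "time": "2012-04-20T09:15:00"},
    {"uploader": "alice",   "tags": ["bob"],                   "time": "2012-04-20T09:40:00"},
    {"uploader": "bob",     "tags": ["alice", "carol"],        "time": "2012-04-20T13:05:00"},
    {"uploader": "zed",     "tags": ["alice"],                 "time": "2012-04-20T13:30:00"},
    {"uploader": "suspect", "tags": ["carol"],                 "time": "2012-04-20T23:50:00"},
]


def picture_tag_graph(suspect, friends, pictures):
    """Return {(uploader, tagged): count}. Step i: only pictures from the suspect's
    circle are considered (the suspect's own uploads included, as the suspect is a
    node); step ii: tags of non-friends ('zed') are dropped; step iii: an edge runs
    from uploader to tagged friend. Repeated tags raise the edge weight."""
    nodes = set(friends) | {suspect}
    edges = defaultdict(int)
    for pic in pictures:
        if pic["uploader"] not in nodes:
            continue                       # uploaded outside the suspect's circle
        for tagged in pic["tags"]:
            if tagged in nodes and tagged != pic["uploader"]:
                edges[(pic["uploader"], tagged)] += 1
    return dict(edges)


def closest_connections(graph, suspect):
    """Rank friends by total edge weight in either direction with the suspect."""
    score = defaultdict(int)
    for (src, dst), weight in graph.items():
        if src == suspect:
            score[dst] += weight
        elif dst == suspect:
            score[src] += weight
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def hourly_timeline(pictures, day):
    """Count uploads per hour on one calendar day (YYYY-MM-DD): 24 buckets."""
    buckets = [0] * 24
    for pic in pictures:
        ts = datetime.fromisoformat(pic["time"])
        if ts.strftime("%Y-%m-%d") == day:
            buckets[ts.hour] += 1
    return buckets


if __name__ == "__main__":
    graph = picture_tag_graph(SUSPECT, FRIENDS, PICTURES)
    print(graph)
    print(closest_connections(graph, SUSPECT))
    print(hourly_timeline(PICTURES, "2012-04-20"))
```

On the constructed data the edge alice→bob carries weight 2, the non-friend “zed” appears in no edge, and the timeline shows activity clustered at 09:00, 13:00 and 23:00; the same functions apply unchanged to a larger export once its records are mapped onto the three fields used here.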

As stated by Patzakis (2012), it is possible to extract relevant data about each user. This can be achieved using metadata fields, which contain important information for establishing the authenticity of the data collected.

The two figures below show useful metadata fields for gathering relevant information on Twitter and Facebook, as examples of social media.


Figure 7 – Twitter metadata (Patzakis 2012).

Figure 8 - Facebook metadata (Patzakis 2012).


iv. Find Relevant Evidence

Organise the findings and identify those that are relevant to the investigation. Investigators should be capable of recognising and filtering which pieces of information are relevant to a given case.

v. Document Everything

In order to keep reliable records and preserve the integrity of the collected information, every finding should carry a hash value, timestamps, signed statements, digital signatures, witness statements, etc. The hash of each item should be taken at the moment of collection and recorded together with who collected it and when, so that any later custodian can show that what they hold is what was collected.
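The following Python code is an added example (not the report’s own procedure) of a custody record that meets the requirement above: every evidence item is hashed at collection, every custody event is appended with a timestamp and the hash of the previous entry, and the log can be verified to show that no entry was altered or removed. The evidence bytes and custodian names are constructed. It uses a hash chain in place of the digital signatures mentioned; a real deployment would additionally sign each entry’s digest with the custodian’s key.

```python
"""Chain-of-custody record: each evidence item is hashed, each custody event is
appended with a UTC timestamp and the digest of the previous entry, so editing or
removing an entry later breaks verification. Added example, not the report's own
procedure; evidence contents and custodian names are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the digest is reproducible.
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, evidence_id, action, custodian, content=None, note="", when=None):
        """Append one custody event. `content` is the evidence as held at this moment;
        its hash is stored so the next custodian can prove nothing changed in transit."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": evidence_id,
            "action": action,
            "custodian": custodian,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "content_sha256": sha256_hex(content) if content is not None else None,
            "note": note,
            "prev": _entry_digest(self.entries[-1]) if self.entries else "0" * 64,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if the chain is intact: sequence numbers are contiguous and each
        entry's `prev` equals the digest of the entry before it."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            prev = _entry_digest(entry)
        return True


def verify_content(log: CustodyLog, evidence_id: str, content: bytes) -> bool:
    """Does the evidence as held now still match the hash taken at collection?"""
    first = next(e for e in log.entries
                 if e["evidence_id"] == evidence_id and e["content_sha256"])
    return first["content_sha256"] == sha256_hex(content)


# Constructed evidence (assumption): an SMS export pulled from the suspect's phone.
SMS_EXPORT = b"2012-04-20 09:15 +61400000000 -> +61400000001: see attached doc\n"


def build_demo_log():
    log = CustodyLog()
    t0 = datetime(2012, 4, 20, 10, 0, tzinfo=timezone.utc)
    log.record("EV-001", "collected", "examiner-a", SMS_EXPORT, "SMS export, phone #1", t0)
    log.record("EV-001", "transferred", "custodian-b", SMS_EXPORT, "sealed bag #17", t0)
    log.record("EV-001", "examined", "examiner-c", SMS_EXPORT, "", t0)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify())
    print("content unchanged:", verify_content(log, "EV-001", SMS_EXPORT))
    log.entries[1]["custodian"] = "someone-else"   # rewrite history
    print("after edit, chain intact:", log.verify())
```

Every hand-over appends an entry rather than editing one, so the record grows but never changes; the verification cost is one hash per entry, which is what makes it practical to run on every transfer.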

3.4. Data Analysis Phase

This phase aims to structure and give meaning to the data collected in the previous phase. It is usually the most complex and time-consuming stage, since every relevant piece of evidence extracted is analysed and reconstructed in an organised way, in order to confirm or refute allegations of suspicious activity.

3.5. Findings Presentation Phase

After the data have been analysed, it is important to bear in mind the different types of audience to which the analysis report will be presented. A report should therefore communicate relevant findings according to the level of computer literacy of its audience, whether it is addressed to managers, technical personnel, legal personnel, or law enforcement professionals.

Additionally, the presentation(s) can be written, oral or a combination of both. It should provide a concise yet detailed reconstruction of the facts analysed during the Data Analysis Phase.

3.6. Incident Closure Phase

As the name suggests, during this phase the investigation is closed out and action is taken on any decisions arising from it. In addition, any new knowledge gained from a case should be preserved for future reference.

4. Guidelines and Procedures

Given that electronic records and data can easily be changed and altered, it is important that Excellor specifies guidelines and procedures that facilitate forensic action on incidents that may lead to prosecution or internal disciplinary measures. It is important that Excellor’s forensic guidelines and procedures are consistent with its policies and with applicable laws.

In order to produce guidelines and procedures of the highest quality, Excellor should include technical experts and legal advisors in their development. The participation of managers is also relevant, since they can determine whether the proposed guidelines and procedures are aligned with the company’s requirements, goals and objectives.

Moreover, taking into consideration that each incident requires different handling, developing complete guidelines and procedures for every possible situation is not usually practicable.

Therefore, organisations should develop a procedural manual for carrying out all routine activities in the protection, collection, examination and analysis, and reporting of digital evidence found on smartphones and social media. The document should be developed in a forensically sound manner, suitable for legal prosecution or disciplinary action. It is crucial that the guidelines and procedures support the admissibility of digital evidence in legal proceedings, including:

- seizing and handling evidence correctly;
- managing the chain of custody;
- storing the digital evidence appropriately;
- establishing and preserving the genuineness of forensic tools and equipment;
- being able to demonstrate the authenticity of any electronic records, case files, and logs.

Excellor should constantly be aware of significant changes in smartphone technology and in social media functionality and architecture that might affect the company’s guidelines and procedures.

4.1. Procedural Manual

The company’s procedural manual describes the procedures and policies that Excellor’s employees and managers need to carry out in the event of a digital incident.

The manual has been developed from the concepts and definitions of the process framework proposed in this document. This section outlines a series of activities from each of the phases previously described, in order to avoid or minimise and control the effects caused by an incident.

Conduct a risk assessment of Excellor's vulnerabilities, weaknesses, threats and potential loss or exposure.

Build an Incident Response Plan, including staff assignments, procedures, policies and regulations.

Document the company's technical capabilities (e.g. response toolkits).

Train sufficient staff to conduct an investigation when a digital incident occurs.

Define and document the company's standards for handling and preserving evidence integrity.

INCIDENT RESPONSE PHASE

Identify unauthorised or suspicious activities carried out by Excellor's staff members.

Report identified or suspected unauthorised activity to the CIO or CEO, depending on the circumstances.

Confirm the incident.

Develop a suitable plan to contain and eliminate the incident, recover from it and investigate the digital evidence, taking into account the business's technical, political and legal factors.

Prepare the Investigation Plan for data collection and analysis.

DATA COLLECTION PHASE

Conclude the data gathering that began during the Incident Response Phase.

Acquire network-based evidence from applicable sources, such as log servers, firewalls, routers, intrusion detection systems, etc.

Obtain host-based evidence from relevant sources, such as system date/time information, volatile data, storage drives, etc.

Acquire removable-media evidence from the suspect computer, such as CD-ROMs, USB devices, and so on.

Collect information present on the social media used by the suspect, searching through the five common data sources mentioned earlier.

Compute cryptographic hashes of each acquired item and record them, so that the integrity and authenticity of the digital evidence can be verified later.

Ensure that the people accountable for packaging, transporting and storing the digital evidence have signed the relevant documentation acknowledging their "Dos and Don'ts".

DATA ANALYSIS PHASE

Summarise the large amount of data collected during Data Collection and produce an analysis report that helps investigators understand the relevant evidence.

Assess the analysis report and search for information that is relevant to the case.

Study, analyse and reconstruct the data to answer the crucial investigative questions.

FINDINGS PRESENTATION PHASE

Identify the audience to which the material will be presented.

Determine the most effective way to communicate with that audience.

Summarise the relevant findings.

Prepare and present the findings.

INCIDENT CLOSURE PHASE

Review the entire investigation and document a critical review and the lessons learned from it.

Take decisions based on the results of the findings presentation, and act upon them.

Dispose of the evidence (e.g. destroy it or return it to its owner).

Collect and protect all information linked to the incident.

Note that the activities above may be executed sequentially and/or iteratively, but they should always respect the phase order of the framework diagram proposed by Nicole Beebe and Jan Clark (2005).
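The hashing and sign-off activities of the Data Collection phase above, as an added example that is not part of the original report: a small Python tool that hashes each acquired item in a single pass, records the acquisition and every custody hand-over in a manifest, and re-verifies the copies before analysis. The case number, evidence identifiers, examiner name, file names and file contents are all constructed for the example.

```python
"""Evidence integrity manifest: hash acquired items, log custody hand-overs,
and re-verify before analysis. Added example, not from the Excellor report;
the case id, evidence ids, names and file contents below are constructed."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB: disk images must not be read into memory at once


def hash_stream(stream, algorithms=("sha256", "md5")):
    """Compute several digests in one pass over a binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while chunk := stream.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("sha256", "md5")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("sha256", "md5")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def utcnow():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(case_id, examiner, items):
    """items maps evidence id -> path of the acquired copy (image, log export, ...)."""
    manifest = {"case_id": case_id, "created": utcnow(), "items": {}}
    for eid, path in items.items():
        manifest["items"][eid] = {
            "name": os.path.basename(path),
            "size": os.path.getsize(path),
            "hashes": hash_file(path),
            "custody": [{"holder": examiner, "action": "acquired", "at": utcnow()}],
        }
    return manifest


def record_transfer(manifest, eid, from_holder, to_holder, purpose):
    """Append a custody entry; both parties sign the paper form that cites the hashes."""
    manifest["items"][eid]["custody"].append(
        {"from": from_holder, "holder": to_holder, "action": purpose, "at": utcnow()}
    )


def verify(manifest, paths):
    """Return {eid: True} only if the current copy matches the recorded size and every hash."""
    result = {}
    for eid, meta in manifest["items"].items():
        path = paths.get(eid)
        if path is None or not os.path.isfile(path):
            result[eid] = False
            continue
        same_size = os.path.getsize(path) == meta["size"]
        result[eid] = same_size and hash_file(path, tuple(meta["hashes"])) == meta["hashes"]
    return result


def manifest_digest(manifest):
    """Digest of the canonical JSON manifest; record it on the signed custody form."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def demo():
    """Acquire two constructed items, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = {
            "E01": os.path.join(workdir, "usb_image.bin"),
            "E02": os.path.join(workdir, "fw01_2012-04-20.log"),
        }
        with open(paths["E01"], "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # 1 MiB constructed "image"
        with open(paths["E02"], "w") as fh:
            fh.write("2012-04-20T09:15:02+08:00 fw01 DENY TCP 10.1.2.15 -> 203.0.113.9:443\n")
        manifest = build_manifest("CASE-0001", "A. Examiner", paths)
        record_transfer(manifest, "E01", "A. Examiner", "Evidence locker", "storage")
        before = verify(manifest, paths)
        # Flip one byte of the log without changing its size: a size check alone misses this.
        with open(paths["E02"], "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        after = verify(manifest, paths)
        return {"before": before, "after": after, "manifest_sha256": manifest_digest(manifest)}
```

Two digests are kept per item because older tools and court exhibits often still quote MD5, while SHA-256 is what actually protects against deliberate substitution; verifying checks every recorded algorithm, so a copy is only accepted when all of them match.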
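The host date/time item of the Data Collection phase and the reconstruction item of the Data Analysis phase above, as an added example that is not part of the original report: merging records from a firewall, a syslog collector and a workstation event log into one UTC timeline, applying the clock offset measured on the workstation at acquisition. The log lines, host names, addresses, the Perth (UTC+8) site zone and the 7 min 30 s clock offset are all constructed assumptions.

```python
"""Unified UTC timeline from sources with different timestamp conventions and a
skewed host clock. Added example, not from the Excellor report; the log lines,
host names, addresses, site zone and clock offset are constructed."""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Assumption: the site runs on UTC+8 (Perth); logs written in local time use it.
SITE_TZ = timezone(timedelta(hours=8))

Event = namedtuple("Event", "utc source host message")

# Constructed samples. The firewall writes ISO 8601 with an explicit offset; syslog
# omits year and zone; the workstation event log is in the local time of a clock
# that was measured 7 min 30 s slow when the host was acquired.
FIREWALL_LINES = [
    "2012-04-20T09:15:02+08:00 fw01 DENY TCP 10.1.2.15:51234 -> 203.0.113.9:443",
]
SYSLOG_LINES = [
    "Apr 20 09:14:55 ws-015 kernel: usb 1-1: new high-speed USB device, Mass Storage",
    "Apr 20 09:16:30 ws-015 kernel: usb 1-1: USB disconnect",
]
HOST_LINES = [
    "20/04/2012 09:07:40 ws-015 Explorer: copied C:\\Projects\\tender.docx to E:\\",
]
HOST_CLOCK_SKEW = timedelta(seconds=450)  # reference clock minus host clock

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_firewall(line):
    stamp, host, message = line.split(" ", 2)
    utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return Event(utc, "firewall", host, message)


def parse_syslog(line, year, tz=SITE_TZ):
    """Classic syslog carries no year or zone; both come from the collector's context."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line!r}")
    stamp, host, message = m.groups()
    local = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    return Event(local.replace(tzinfo=tz).astimezone(timezone.utc), "syslog", host, message)


def parse_host(line, skew, tz=SITE_TZ):
    """Host event log in local time; add the measured skew before converting to UTC."""
    date, time, host, message = line.split(" ", 3)
    local = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S") + skew
    return Event(local.replace(tzinfo=tz).astimezone(timezone.utc), "host", host, message)


def build_timeline(firewall=FIREWALL_LINES, syslog=SYSLOG_LINES, host=HOST_LINES,
                   year=2012, skew=HOST_CLOCK_SKEW):
    events = [parse_firewall(l) for l in firewall]
    events += [parse_syslog(l, year) for l in syslog]
    events += [parse_host(l, skew) for l in host]
    return sorted(events, key=lambda e: e.utc)


def render(events):
    return "\n".join(f"{e.utc.isoformat()} {e.source:8} {e.host:7} {e.message}" for e in events)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Without the skew correction the workstation's copy event (09:07:40 by its own clock) sorts before the USB insertion it depends on, which is impossible; with the correction it falls between the blocked outbound connection and the device removal, which is the sequence an analyst can actually reason about.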


5. Recommendations

After researching the various methods applied to managing forensic activities, it is recommended that Excellor use a combination of the two frameworks proposed earlier. Because they take different approaches, they can be adapted to complement each other.

The framework developed by Grobler et al. (2010) describes how the company should react towards an incident depending on whether or not an incident is currently occurring. This structure acknowledges that the company (in this case Excellor) should be aware of, and prepared for, any potential incident. Moreover, it breaks down and shows how evidence and incidents relate to Excellor's governance and policies, indicating that evidence requirements should be considered proactively when the company's policies are drafted. However, this framework does not define the procedures a company should follow when actually responding to an incident.

Consequently, the framework proposed by Nicole Beebe and Jan Clark (2005) should also be implemented within Excellor's operations, since it provides a more effective approach to responding to a given incident. Its six interrelated phases give the company a series of activities to carry out in the event of a cyber-incident, and the iteration between phases maximises the results obtained while managing digital evidence.

Capturing digital evidence before an incident compromises the company's operations is a major priority and should be adopted within Excellor's policies. Acting proactively helps Excellor achieve two main goals (Trcek et al. 2010):

i. Minimise the cost of responding to incidents

ii. Maximise the company's capability to collect digital evidence

For that reason, Excellor should continuously manage corporate data and gather potential evidence, such as telephone records, log files, e-mails and network traffic records, before it becomes involved in an investigation (Trcek et al. 2010). Records gathered in advance are only useful as evidence if their integrity can later be demonstrated, so retention should apply the evidence-handling standards defined in the Preparation phase (hashing at the time of capture and controlled access to the stored copies) rather than treating the material as ordinary operational data.

To monitor data traffic regularly, Excellor can use packet-capture software such as Wireshark (or its command-line companion tshark for unattended capture) to observe data flow within its network, which increases the probability of detecting suspicious behaviour from computers on that network and acting on it. Firesheep, shown in Appendix D, is a different kind of tool: it is a Firefox extension that demonstrates session hijacking by collecting the session cookies of web applications used over unencrypted HTTP on a shared network. It is useful for showing management which social media and web services staff use without transport encryption, but it is not a monitoring tool, and capturing staff session cookies with it is interception of their traffic and needs the same policy and legal approval as any other monitoring.

With regard to the company's policies, it is crucial that top management and the other relevant parties include clauses that permit regular monitoring of any device issued by the organisation and of employees' conduct on social media. These clauses must be communicated to and acknowledged by staff, since evidence gathered outside the scope of an acknowledged policy is likely to be challenged. Once in place, these policies allow management to guide operations without constant intervention, because they align day-to-day activity with the company's objectives.

Hence, if the measures and actions described in this document are applied within Excellor's business, it is more likely that the company will not have to interrupt its operations, because solutions and counter-measures against cyber-attacks or any other digital incident will already have been planned.


6. References

Adams, Rob. "Challenges of Smart Phone Forensics." Forensic Focus, 2010. http://www.forensicfocus.com/challenges-of-smart-phone-forensics (accessed May 1, 2012).

American Academy of Forensic Sciences. Policy and Procedure Manual. The American Academy of Forensic Sciences, 2011: 1-195.

Beebe, Nicole Lang, and Jan Guynes Clark. "A hierarchical, objectives-based framework for the digital investigations process." Digital Investigation 2, no. 2 (2005): 147-167.

Cohen, Frederick B. Fundamentals of Digital Forensic Evidence. Professional Report, California: California Sciences Institute, 2008.

Grobler, CP, and CP Louwrens. Digital Evidence Management Plan. Johannesburg: University of Johannesburg and Nedbank, 2010.

Grobler, CP, CP Louwrens, and SH von Solms. "A Framework to Guide the Implementation of Proactive Digital Forensics in Organizations." International Conference on Availability, Reliability and Security (ARES), 2010: 6.

Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. Guide to Integrating Forensic Techniques into Incident Response. NIST Special Publication 800-86. U.S. Department of Commerce, 2006: 1-121.

Mulazzani, Martin, Markus Huber, and Edgar Weippl. Social Network Forensics: Tapping the Data Pool of Social Networks. Professional Research, SBA Research (sba-research.org), 2011.

Nelson, Bill, Amelia Phillips, and Christopher Steuart. Guide to Computer Forensics and Investigations. Boston: Course Technology, Cengage Learning, 2010.

Patzakis, John. Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of. Professional Report, Forensic Focus, 2012.

Rogers, Marcus K. Cyber Forensics: Evidence Collection, Management and Handling. Presentation, Indiana, 5 March 2009.

Security Transcends Technology. Cyber Forensics: Evidence Collection, Management and Handling. Presentation, San Antonio, 5 March 2009.

Trcek, Denis, Habtamu Abie, Asmund Skomedal, and Iztok Starc. "Advanced Framework for Digital Forensic Technologies and Procedures." Journal of Forensic Sciences 55, no. 6 (November 2010): 1471-1479.


APPENDIX A - Social Interaction Graph using Direct Message


APPENDIX B – Anonymized Social Interaction Graph using Picture Tags


APPENDIX C - Anonymized Example Timeline for 24-hour period


APPENDIX D – FireSheep Graphic User Interface