WGU Digital Forensics in Cybersecurity D431 Task 1 and 2 Already Passed 100%

Exam (elaborations), 21 pages. Uploaded on 25-03-2024. Written in 2023/2024.

Content preview

Western Governors University Digital Forensics in Cybersecurity D431
BFN1 Task 1: Investigative Plan of Action
You are a member of the investigative team that has been asked to develop an investigative plan of action. Create an investigative plan of action based on forensic best practices or standards that your team will implement.
Discuss the strategy that your team will use to maximize the evidence collection and minimize the impact on the organization.
The first step in this process is to assemble an investigative team. After the team has been created and understands the task at hand, we would begin our investigation by meeting with the heads of the various organizations within the oil company (the IT department, Human Resources, the legal team, any relevant senior management, and any other stakeholders with an appropriate need to help the investigation). These individuals would need a clear understanding of the risks to the company caused by Mr. Smith’s actions, as he has been accused of stealing proprietary information, which is in direct violation of the NDA (Non-Disclosure Agreement) and AUP (Appropriate Use Policy) documents he signed. The investigative team will need to know Mr. Smith’s duties within the company and what information he was allowed to access. Next, understanding what Mr. Smith stole from the company is the starting point for pinpointing the scope of Mr. Smith’s network access. This will maximize the collection of evidence.
Describe the tools and techniques your team will use in evidence gathering, preparation, and analysis.
After the scope of the damage caused by Mr. Smith has been determined, our team will then proceed to collect evidence. Some of the tools used to gather evidence may include:
A camera to photograph and document the state of the workstation.
Imaging tools such as FTK Imager or Clonezilla (both open-source programs used to make a bit-level copy of a disk; investigators can work from this copy without the risk of harming evidence on the original disk).
Volatility open-source software to acquire and analyze the data stored in RAM (Olatona, n.d.).
Log analysis tools to parse through data to search for suspicious server activity.
Wireshark (another open-source tool) is used to capture network traffic.
We will work with the physical security team to review camera footage of when and where Mr. Smith was within the building; from there, we can fully determine which workstations/servers he accessed and when. Those areas where he was recorded will be thoroughly photographed. What does the workstation look like? Were the devices left on or powered down? Are any devices plugged into the workstation? What kind of devices and how many? Once these questions have been answered and documented, we will move along the chain of custody.
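The "log analysis tools" item above and the earlier point about establishing what information Mr. Smith was allowed to access fit together: the investigator wants only the log records where the suspect's account touched resources outside his authorized scope, ranked by how much data was involved. The script below is an added example, not part of the original write-up; the log format, the account name jsmith, the share paths and the authorized prefix are all constructed placeholders. It also counts malformed lines rather than dropping them silently, since a gap in the parsed record is something the examiner must be able to explain.

```python
"""Added example (not from the original task write-up): triage constructed
file-server access logs for out-of-scope access by one account.
Log format, account names and paths are constructed placeholders."""
import re
from collections import defaultdict

# Constructed sample log. Format: <ISO timestamp> <account> <action> <path> <bytes>
# One deliberately malformed line is included to show it is counted, not ignored.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z jsmith READ /srv/shares/drilling/schedule.xlsx 48213
2024-03-01T08:15:40Z jsmith READ /srv/shares/geology/seismic/block7.sgy 2147483648
2024-03-01T08:16:02Z jsmith COPY /srv/shares/geology/seismic/block7.sgy 2147483648
2024-03-01T09:01:57Z amiller READ /srv/shares/geology/seismic/block7.sgy 2147483648
2024-03-01T10:00:00Z corrupted
2024-03-01T21:44:09Z jsmith COPY /srv/shares/legal/contracts/supplier-2023.pdf 913441
2024-03-02T07:30:00Z jsmith WRITE /srv/shares/drilling/notes.txt 1024
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|COPY|DELETE) (\S+) (\d+)$")


def parse_log(text):
    """Return (records, malformed_count). Paths are lower-cased for prefix matching."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts, user, action, path, size = m.groups()
        records.append({"ts": ts, "user": user, "action": action,
                        "path": path.lower(), "bytes": int(size)})
    return records, malformed


def out_of_scope(records, suspect, allowed_prefixes):
    """Records where the suspect's account touched a path outside the shares
    his role authorised (the scope established with HR and IT)."""
    prefixes = tuple(p.lower() for p in allowed_prefixes)
    return [r for r in records
            if r["user"] == suspect and not r["path"].startswith(prefixes)]


def bytes_by_path(records):
    """Total bytes per path, to rank which out-of-scope items to examine first."""
    totals = defaultdict(int)
    for r in records:
        totals[r["path"]] += r["bytes"]
    return dict(totals)


def triage(text, suspect, allowed_prefixes):
    """Parse, filter to out-of-scope access by the suspect, and summarise."""
    records, malformed = parse_log(text)
    hits = out_of_scope(records, suspect, allowed_prefixes)
    return {"total": len(records), "malformed": malformed, "hits": hits,
            "bytes_by_path": bytes_by_path(hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "jsmith", ["/srv/shares/drilling/"])
    print(f"parsed {result['total']} records, {result['malformed']} malformed")
    for hit in result["hits"]:
        print(hit["ts"], hit["action"], hit["path"], hit["bytes"])
    for path, total in sorted(result["bytes_by_path"].items(), key=lambda kv: -kv[1]):
        print(f"{total:>12} bytes  {path}")
```

The authorized-prefix list is the investigator's input from the scoping meeting; changing it changes what counts as a hit, so it belongs in the case notes alongside the output.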
Describe how your team will collect and preserve required evidence using standardized and accepted procedures.
The investigative team should follow ISO/IEC 27037 guidelines and best digital forensics practices (Packetlabs, 2021). This outlines the procedure to identify, collect, acquire, and preserve digital evidence.
Before disturbing anything on or around the workstation, photograph and document everything visible: any devices or cables plugged into the computer, whether the computer is powered on, and a photograph of the screen showing what was running on the device.
Take a picture of what is running on Task Manager on the computer.
Capture the volatile system memory using the application Volatility.
Anything that must be removed and taken to a lab for analysis should be documented and secured based on the Chain of Custody standards.
Make a bit-level image of the system.
Store hard drives or other sensitive media/devices in anti-static bags.
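The two steps "make a bit-level image of the system" and "document and secure based on the Chain of Custody standards" only hold up later if the image can be shown to match the original and the acquisition is recorded. The script below is an added example, not the write-up's own procedure and not FTK Imager or Clonezilla code: it copies a source block-for-block while hashing it in the same pass (so the original is read exactly once), re-hashes the finished image, and appends a chain-of-custody record in JSON lines. The source file, case id, item id and examiner name are constructed placeholders; on a real system the source would be a write-blocked device path.

```python
"""Added example (not from the original task write-up): image, verify by hash,
and log a chain-of-custody record. All names and sample data are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB chunks so large images never need to fit in RAM


def sha256_of_file(path):
    """SHA-256 hex digest of a file, streamed in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Bit-for-bit copy of source_path to image_path. The source hash is computed
    during the same read, so the original is touched only once."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source_hash, image_path):
    """True only if the image still hashes to what the source hashed to."""
    return sha256_of_file(image_path) == source_hash


def custody_record(case_id, item_id, description, examiner, source_hash, image_hash):
    """One chain-of-custody entry: who acquired what, when, and the hashes a later
    examiner uses to prove the working copy is unaltered."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "description": description,
        "acquired_by": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def acquire_and_log(source_path, image_path, log_path, case_id, item_id, description, examiner):
    """Image, verify, append the custody record to a JSON-lines log, return it."""
    source_hash = image_device(source_path, image_path)
    image_hash = sha256_of_file(image_path)
    record = custody_record(case_id, item_id, description, examiner, source_hash, image_hash)
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run the workflow on a constructed 3 MiB 'disk' in a temp directory, then
    flip one byte of the image to show that tampering is detected."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_workstation.raw")  # stands in for a write-blocked device
    image = os.path.join(workdir, "item-001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * BLOCK_SIZE + 123))  # constructed sample content
    record = acquire_and_log(source, image, log, "CASE-PLACEHOLDER", "ITEM-001",
                             "workstation disk, cubicle placeholder", "examiner placeholder")
    with open(image, "r+b") as f:  # simulate post-acquisition tampering
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    still_valid = verify_image(record["source_sha256"], image)
    return record, still_valid


if __name__ == "__main__":
    rec, still_valid = demo()
    print(json.dumps(rec, indent=2))
    print("image still matches source after tampering:", still_valid)
```

Hashing during the imaging read is the design point: a second pass over a failing drive can change what is read, so the hash of record should come from the same pass that produced the copy, with the image itself verified separately afterwards.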
Describe how your team will examine the seized evidence to determine which items relate to the suspected company policy violation.

Seller: Wiseman NURSING