Updated Digital Forensics WGU D431 Task 1
A1.
Before anything else is done, the investigation team will hold a meeting with
relevant management of the oil company and members of the legal
department to discuss the situation at hand and gather any information they
have that will help the case move forward smoothly. Investigators will
request information on the suspected violator, John Smith, and what his role
should look like with expected access rights and typical job functions as a
baseline for anomaly analysis. Background on the company and proprietary
information will be collected and used to assist in keyword discovery. Legal
will be asked to explain the policies that are suspected of being violated.
Once the scope of the investigation is clear, investigators will proceed with
photographing and documenting the original state of the workspace(s) in
question. They will implement proper chain of custody procedures as they
work. Around this time, the IT department will be asked to provide any logs
available from company servers that may have interacted with the
workstation being investigated.
After completing the initial documentation of the workspace, investigators
will begin capturing volatile data from the workstation(s) used by John
Smith. This will be done with the Volatility tool. The team will then use FTK
Imager to create a bit-by-bit copy of the workstation’s hard drive. Finally,
investigators will conduct an analysis of network traffic with Wireshark and
check for any suspicious connections that will need to be included in the
investigation.
The workstation(s) will be documented with chain of custody and secured for
the duration of the investigation.
A2.
Investigators will use the following tools (Poston, 2021) to collect and analyze
evidence:
Camera – Investigators will document the original state of the workspace
with photographic evidence.
Volatility – This tool will be used to capture the volatile memory of the
workstation(s) used by John Smith.
FTK Imager – Investigators will create a complete bit-by-bit copy of the
workstation(s) used by John Smith so that the original data remains
untouched.
Autopsy – This tool will be used to analyze the image of the workstation(s)
created with the imager. It will help investigators discover the contents of
the drive(s), including deleted data.
Wireshark – Wireshark will be used early on to investigate the connections
on the original set-up of the workstation(s) to see if any active connections
are suspicious. It will later be used to analyze network log files to discover
past activity.
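The imaging and chain-of-custody steps in A1 and the FTK Imager entry in A2 rest on one check: the working copy must hash identically to the original, and every hand-off must be recorded and re-verified. FTK Imager produces its own verification hashes; the script below, an added example that is not part of this plan or of any of the tools listed, shows the same check in plain Python against a constructed stand-in drive file. Item IDs, handler names and the sample drive contents are assumptions made for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit fully in memory


def sha256_of_file(path):
    """Hash a file (or device image) in streaming fashion; the digest is the
    fingerprint that goes on the chain-of-custody record."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bit_for_bit_copy(source, destination):
    """Raw byte copy with the source opened read-only. Returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


class CustodyLedger:
    """Append-only log of who handled which item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, sha256, note=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "item_id": item_id,
            "action": action,
            "handler": handler,
            "sha256": sha256,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def expected_hash(self, item_id):
        """Most recently recorded hash for an item."""
        for entry in reversed(self.entries):
            if entry["item_id"] == item_id:
                return entry["sha256"]
        raise KeyError(item_id)

    def verify(self, item_id, path):
        """Re-hash the item on disk and compare it with the ledger's record."""
        return sha256_of_file(path) == self.expected_hash(item_id)

    def export(self):
        return json.dumps(self.entries, indent=2)


def run_demo():
    workdir = tempfile.mkdtemp(prefix="custody_demo_")
    # Constructed stand-in for the workstation drive (assumption); a real
    # acquisition reads the physical device through a write blocker.
    source = os.path.join(workdir, "source_drive.raw")
    with open(source, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE DRIVE CONTENT\n" * 4096)

    ledger = CustodyLedger()
    source_hash = sha256_of_file(source)
    ledger.record("WS01-DRIVE", "seized", "Investigator A", source_hash,
                  "workspace photographed; drive removed and sealed")

    image = os.path.join(workdir, "WS01.dd")
    size = bit_for_bit_copy(source, image)
    image_hash = sha256_of_file(image)
    ledger.record("WS01-IMAGE", "imaged", "Investigator A", image_hash,
                  f"{size} bytes copied; working copy for analysis")

    # Acquisition check: the image must hash identically to the source.
    image_matches_source = image_hash == source_hash

    # Custody transfer: re-verify before handing the image to the analyst.
    ledger.record("WS01-IMAGE", "transferred", "Investigator B", image_hash)
    verified_on_transfer = ledger.verify("WS01-IMAGE", image)

    # Simulate an unnoticed one-byte change to the image; verification must fail.
    with open(image, "r+b") as fh:
        fh.seek(10)
        fh.write(b"X")
    tamper_detected = not ledger.verify("WS01-IMAGE", image)

    return {
        "image_matches_source": image_matches_source,
        "verified_on_transfer": verified_on_transfer,
        "tamper_detected": tamper_detected,
        "entries": len(ledger.entries),
        "ledger_json": ledger.export(),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["ledger_json"])
    print({k: v for k, v in result.items() if k != "ledger_json"})
```

The ledger is deliberately append-only: a failed verification is recorded as a new entry rather than by editing an old one, so the record shows when the mismatch was first noticed and who was holding the item at that point.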