cyber and digital forensics Case study.pptx

mcjaya2024 14 views 10 slides Mar 06, 2025

About This Presentation

CF


Slide Content

Case Study

Q:1 A patient with a heart ailment was transported to a hospital where an angiogram was performed. The patient later had a stent inserted into an artery, along with a second angiogram, but died shortly thereafter. A third angiogram was performed immediately after the patient’s death. Images of the angiogram procedures were purportedly stored on computer hard drives. The day following the patient’s death, hospital staff were able to locate images for the first and third angiograms but could not find any images of the second procedure. The hospital and doctor were sued for medical malpractice and wrongful death. The plaintiffs also claimed the defendants had deliberately deleted the images of the second angiogram that allegedly proved the wrongful death claim. A CFS team (CFST) was engaged by the doctor’s insurance company to locate images of the second angiogram on the computer hard drive. Explain the possible actions that the CFST took to locate the images.

Ans.: This case study is related to Discovery of Electronic Evidence. No evidence could be found that the second angiogram images had ever been stored on the computers, or that the images had been deleted. Through inquiries of hospital staff, the CFST learned that the system was prone to problems and periodically “crashed.” The CFST requested that the hospital perform a test case on the system, and it was observed that the system malfunctioned; in the test case, no images were recorded. At the same time, the hospital replaced this system with a new system because of the periodic crashes that occurred. A CFST examiner testified at the court trial that system crashes may have caused the images to not be stored on the computer hard drives and that the team had personally observed the system crashing. The plaintiff’s attorneys countered that the manufacturer examined the system the day after the patient’s death and could not find any problems. The CFST’s examiner countered that the system had been replaced by the hospital because of system malfunctions. The team further explained that the fact that the system was functioning normally on the day the manufacturer examined it did not mean that it was functioning on the day of the second angiogram procedure. The best outcome that the insurance company expected was elimination of any penalties for deliberate deletion of the images. The court ruled that no monetary damages would have to be paid to the plaintiffs.

Q:2 A parent was concerned that her son was accessing unwanted Web sites from his computer. Each time the computer was checked by a technician, no evidence was found. How would a CFS go about investigating this incident?

Ans.: A computer forensics team was contracted to assist in an investigation of the PC that the parent suspected her son was using. The team visited the site and, using correct forensic procedures, created an image of the hard drive of the suspect PC. The team was then able to recover a large amount of inappropriate material from the PC in a forensically sound manner, including files that had been deleted, renamed, and hidden in an attempt to disguise their true nature.

The role of a computer forensics professional is to collect evidence from a suspect's desktop and determine whether the suspect committed a crime or violated a company policy. If the evidence shows that a crime or company policy violation took place, a case is prepared against the suspect. The case contains the collection of all evidence, which the investigator presents in court or at a corporate inquiry.

Chain of custody: The route the evidence takes from the time you find it until the case is closed or goes to court.
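One way to make that route checkable, shown as an added example that is not part of the original slides: a custody log in which every hand-over records the evidence hash observed at that moment and commits to the previous entry, so a later edit to the record or a change to the evidence shows up on verification. The class name, field names, item id, holders and timestamps are all hypothetical, and the "image" is constructed sample bytes.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _digest(body: dict) -> str:
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Append-only custody record; each entry commits to the one before it."""

    def __init__(self, item_id: str, acquisition_sha256: str):
        self.item_id = item_id
        self.acquisition_sha256 = acquisition_sha256
        self.entries = []

    def record(self, when, holder, action, observed_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"item": self.item_id, "when": when, "holder": holder,
                "action": action, "observed_sha256": observed_sha256, "prev": prev}
        body["entry_hash"] = _digest(body)
        self.entries.append(body)

    def verify(self):
        """Return a list of problems; an empty list means the route is intact."""
        problems, prev = [], GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
                problems.append(f"entry {i}: record altered or out of sequence")
            if entry["observed_sha256"] != self.acquisition_sha256:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = entry["entry_hash"]
        return problems

def demo_custody():
    image = b"constructed stand-in for disk image bytes"
    good = sha256_hex(image)
    log = CustodyLog("ITEM-001", good)
    log.record("2025-03-06T09:00Z", "Examiner A", "acquired image on site", good)
    log.record("2025-03-06T11:30Z", "Evidence clerk", "received into storage", good)
    # The third holder observes a different hash: the copy changed in transit.
    log.record("2025-03-07T08:15Z", "Examiner B", "checked out", sha256_hex(image + b"!"))
    before_edit = log.verify()
    log.entries[1]["holder"] = "Someone else"  # simulate an after-the-fact edit
    return before_edit, log.verify()
```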

Taking a Systematic Approach

Steps for problem solving
1. Make an initial assessment about the type of case you are investigating.
2. Determine a preliminary design or approach to the case.
3. Prepare a detailed checklist.
4. Identify the resources required for the investigation.
5. Obtain and copy an evidence disk drive.
6. Find the possible risks.
7. Try to minimize the risks.
8. Test the design.
9. Analyze the digital evidence and, if possible, recover it.
10. Investigate the information that is recovered.
11. Prepare the case report.
12. Evaluate the case.

Assessing the Case

The following factors are considered for the case details:
1. Situation
2. Nature of the case
3. Specifics of the case
4. Evidence type
5. Operating system
6. Known disk format
7. Evidence location

Guides for securing digital evidence at the scene
1. Photograph all items before they are moved or disconnected.
2. Disconnect the power supply and the modem connection.
3. Secure the computer as evidence.
i. If computer is “OFF”, do not turn “ON”.
ii. If computer is “ON”:

For stand-alone computer
i. Photograph screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
ii. Place evidence tape over each drive slot.
iii. Photograph/diagram and label back of computer components with existing connections.
iv. If the screen is active, photograph the item that appears on the screen.
v. Label all connectors/cable ends to allow reassembly as needed.
vi. If transport is required, package components and transport/store components as fragile cargo.
vii. Keep away from magnets, radio transmitters and otherwise hostile environments.
viii. Do not do normal shut down procedures. Windows 95, 98x, NT, 2000, XP computers can be shut down by unplugging power plug from behind system.

Networked or business computers
i. Consult a computer specialist for further assistance.
ii. If specialist is not available

Seize all software and hardware manuals: These are often needed by the forensic technician for technical reference during the examination. Be sure to record their location in reference to the computer.

Seize notes, scribbles, and notebooks: Notes may have references to software passwords and other computer accounts the suspect uses. Suspects who dial into other computers often use different passwords on the various systems they access. They have been known to keep notebooks listing the computer accounts they access and their login and passwords.