Windows Forensics Artifacts - EssayAbode

Windows Forensics Artifacts

Identify and (thoroughly) discuss two specific Windows forensic artifacts (other than in the Registry) that would likely be found on Mr. Informant's assigned OOO workstation, which you believe could contain key evidence (related to the data leakage case scenario). Refer back to your Week 5 and Week 6 readings if you are stumped (they are located at the bottom of the question).

At a minimum, detail the names of the artifacts, the form and nature of the data they contain, where they would or could be found on Mr. Informant's workstation, and provide specific examples of information you might find in this case (given the scenario) via examination of those artifacts that would be potentially inculpatory (i.e., tending to incriminate the suspect or indicate he perpetrated the alleged actions – in this case, theft of intellectual property) or exculpatory (i.e., tending to support or indicate the subject did not perpetrate the alleged actions).

WEEK 5 READINGS: As you sit at your desk in the OOO IT Security Office, one of your fellow digital forensic investigators approaches you and says that she found what appears to be Mr. Informant's login and password for his personal Dropbox account during her examination of one of his OOO-owned work computers. She asks you whether she should use his credentials to log onto Mr. Informant's personal Dropbox account to search for OOO intellectual property.

DATA LEAKAGE SCENARIO:

Mr. Iaman Informant was working as a manager of the Technology Development Division for famous international company OOO, which develops state-of-the-art technologies and gadgets.

One day, at a place that Mr. Informant visited on business, he received an offer from Spy Conspirator, an employee of a rival company, to leak sensitive information related to OOO's newest technology. Mr. Informant decided to accept the offer in exchange for large amounts of money, and he began working on a detailed plan to leak the desired data.

Mr. Informant made a deliberate effort to hide his actions and prevent his plan from being uncovered. He discussed it with Mr. Conspirator via e-mail, pretending like they had a legitimate business relationship. He also sent samples of confidential information through his personal cloud storage service. After receiving the samples, Mr. Conspirator asked for direct delivery of storage devices containing the remaining (large volume of) data.

OOO's information security policies include the following:

  • Confidential electronic files should only be stored on authorized external storage devices and secured network drives.
  • Confidential paper documents and electronic files may only be accessed within an allowed time range (from 10:00 AM to 4:00 PM) and with the appropriate permissions.
  • Unauthorized electronic devices (such as laptops, portable storage, and smart devices) may not be carried onto company premises.
  • All employees are required to pass through the Security Checkpoint system upon entering or exiting the building.
  • Possession of any storage devices (such as HDDs, SSDs, USB memory sticks, and CD/DVDs) is forbidden under the Security Checkpoint rules.

In addition, although the company managed separate internal and external networks, and used DRM (Digital Rights Management) / DLP (Data Loss Prevention) solutions in their information security infrastructure, Mr. Informant had sufficient privileges to bypass them. He was also very interested in IT (Information Technology), generally, and had some knowledge of digital forensics.

Despite the risk, Mr. Informant attempted to leave the building with storage devices in his possession, but he and his devices were detected at the security checkpoint, leading to suspicion that he may have been trying to steal OOO data.

The devices in Mr. Informant's possession (a USB thumb drive and a CD-R) were briefly reviewed at the security checkpoint (protected with portable write blockers), but there was no obvious evidence of any leakage. As such, the devices were subsequently transferred to the digital forensics laboratory for further analysis.
