Question

Background

ACME is a multinational corporation with offices in the US, Europe and Malaysia. The company provides a multitude of services and products which include electronics, chemicals and medical equipment. Additionally, the company has several contracts with the US Department of Defense and Department of Energy; however, any services or products provided to DoD/DoE are not listed in the company's public records.

As a forensic examiner for ACME you are tasked from time to time to support corporate investigations. Last week you received the paperwork to complete the remote acquisition of a system belonging to Mr. Ocho Pelota and to retrieve any evidence regarding the possible exfiltration of company data. Based on corporate policy, all computer systems are set up with a standard image, which includes a remote acquisition agent, and a locked-down configuration of the operating system so that employees cannot install or store any type of information on their boot drive, including any browser data. All digital work products are stored on network file servers which will be examined by a different team. However, there are no countermeasures in place to prevent employees from accessing their systems' USB interfaces and connecting keys or external drives to the system. Next time Mr. Pelota's system accesses an external USB device you will be notified to retrieve any evidence attached to his system.

Deliverables

Your final report is to be addressed to the company's legal counsel office and will include:

An executive report of your findings no longer than 2 pages.

To meet the digital forensics standard of reproducibility of results, provide a timeline (step by step) document which catalogues the process you applied in your examination. The document should be organized by day and time displaying which activities were conducted at what time and what the outcomes were. Another forensics examiner must be able to follow your instructions and produce the same results, thus your instructions must be clear and easy to follow. Additionally, consider that the more detail you include in your instructions the better the likelihood of successfully supporting your findings during trial several months from now. Any information regarding the validity of the evidence must be included in this document (hashes). Do not include screen captures (points will be deducted if you do), rather be descriptive and detailed in the steps you took.

If you choose to, you can add an appendix section for all detailed reports generated by the applications you used. These should not be included in your timeline document as they will easily clutter your instructions for reproducibility of results.

An archive of all digital evidence found, mostly files and any additional data about those files.
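
One way to keep the day-and-time examination log with evidence hashes that the deliverables describe, as an added example that is not part of the original assignment. The `ExaminationLog` class and its method names are hypothetical, and SHA-256 and UTC timestamps are assumptions, since the brief names no tool, hash algorithm or time zone.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()  # assumption: the brief only says "hashes"
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ExaminationLog:
    """Hypothetical append-only record of examiner actions, rendered by day and time."""

    def __init__(self):
        self.entries = []

    def record(self, activity, outcome, evidence_path=None, when=None):
        """Log one step; if it touches an evidence file, hash the file at that moment."""
        when = when or datetime.now(timezone.utc)  # assumption: timeline kept in UTC
        digest = sha256_file(evidence_path) if evidence_path else None
        self.entries.append({"when": when, "activity": activity, "outcome": outcome,
                             "evidence": evidence_path, "sha256": digest})
        return digest

    def verify(self):
        """Re-hash every logged evidence file; return the paths that no longer match."""
        return [e["evidence"] for e in self.entries
                if e["evidence"] and sha256_file(e["evidence"]) != e["sha256"]]

    def render(self):
        """Produce the timeline text: one heading per day, steps in time order."""
        by_day = defaultdict(list)
        for e in sorted(self.entries, key=lambda e: e["when"]):
            by_day[e["when"].date().isoformat()].append(e)
        lines = []
        for day in sorted(by_day):
            lines.append(day)
            for e in by_day[day]:
                lines.append(f"  {e['when']:%H:%M:%S} UTC  {e['activity']} -> {e['outcome']}")
                if e["sha256"]:
                    lines.append(f"    SHA-256 {e['sha256']}  {e['evidence']}")
        return "\n".join(lines)
```

Running `verify()` again before the report is submitted shows whether any archived file has changed since it was first logged.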
