Read the enclosed case studies below and discuss the following points in each case:

Case 1

A new start-up SME (small-medium enterprise) based in Luton with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate.

The company makes use of a general-purpose business package (OS Commerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full-scale malware/forensic investigation.

As there is increased competition in the hi-tech domain, the company is anxious to ensure that its systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place and to ensure that there is no malware within their systems.

Your task is to investigate the teams suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators.

The company uses Windows Server NT for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.

Deliverables

Discuss how you would approach the following:

Malware investigation

Digital Forensic Investigation

You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant.

You should also discuss the process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence

Case 2

Youre investigating a case involving an employee whos allegedly sent inappropriate photos via email in attachments that have been compressed with a zip utility. As you examine the employees hard disk, you find a file named Orkty.zip, which you suspect is a graphics file. When you try to open the file in an image viewer, a message is displayed indicating that the file is corrupt. Write a two-to-three-page report explaining how to recover Orkty.zip for further investigation.

Case 3

You work for a mid-size corporation known for its inventions that does a lot of copyright and patent work. Youre investigating an employee suspected of selling and distributing animations created for your corporation. During your investigation of the suspects drive, you find some files with the unfamiliar extension .xde. The network administrator mentions that other .xde files have been sent through an FTP server to another site. Describe your findings after conducting an Internet search for this file extension.