Question
This case study provides you with the opportunity to walk through the cyber forensics investigation process. Through this exercise, you'll get to prepare your investigative plan, determine tools you could use to conduct the forensics analysis, and conduct a basic computer forensics investigation. See the Assignment Requirements section on the last page for details on what you need to do for this final case study.
Company background information
Woeson Books has approximately 250 employees in four cities in a regional area. The main office is in Syracuse, NY, and houses 100 of the employees. The main office is located in a suburban neighborhood where physical security is not considered a concern.
Their IT infrastructure is as follows:
o They primarily use Microsoft servers and PCs with a number of Mac computers used to perform design work. They use Active Directory, have an IIS Web Server for their Internet web site, four servers used as file shares (one in each office), four servers housing their architecture applications, a training server, five MS SQL database servers, and two Microsoft Exchange servers for email.
o There are 20 Windows 2008 servers in the main office, twelve of which are virtualized on three physical servers.
o System updates and patches are run from the main office. Most systems get Microsoft updates once a month, but some are missed. Also, most third party products (e.g., Adobe PDF & Flash) are not kept up to date.
o Each satellite office has 3-4 servers for storing files and running local applications.
o Each office has its own, decentralized wireless network connected to the production network.
o Each employee has a desktop or laptop PC running Windows 7. HR personnel have laptops for conducting interviews.
o The network sits behind a gateway router and firewall. Antivirus is in use, but it is not automatically updated across the company. Employees often work remotely and use only their login and password to gain access to the corporate systems.
Case Scenario
Last month, a number of customers reported having their credit cards misused after purchasing items from Woeson Books. There were six official complaints, but it appears that there could be more. You have been hired by Woeson Books' VP of Operations, Rick Brady, as an independent investigator. Your reports will go directly to him.
There are two primary suspects:
1. Thomas Browne is a sales manager who has worked at Woeson Books' main office for eight years. He has worked his way up through the organization and has access to all systems, since he's the go-to guy to help with any sales issues. He's also been known to be disgruntled about Woeson's environment. Thomas reports to the VP of Sales, Dave Smith. He uses a laptop computer at the office and remotely. It is described below:
a. Dell Latitude E6510 - 2nd Generation Intel Core i7 M640 @ 2.80GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 7 Professional 32-bit
b. The BIOS Make is Dell Inc, A05, Date is 8/10/2010, and Serial Number is F127845
c. There is a PCI Video card, internal sound card, internal 100Mb network interface, a modem interface, and two internal USB ports.
d. You found a SanDisk 8GB USB flash drive on his desk along with numerous data CDs.
e. He has a personal Google mail account, which he accesses regularly from his laptop, as well as Google Drive.
f. In reviewing the PC's hard drive, you notice that you can only see 300GB, and you suspect that it may contain a hidden drive/partition since it has TrueCrypt installed.
2. Michael Adams is a new member of the help desk, having started at Woeson three months ago. He answers customers' questions and addresses their complaints. He has full access to the client order system and database in order to rectify any issues they may be having. He reports to Jane Alexander, the manager of the Help Desk. He uses a company standard desktop PC.
a. Dell OptiPlex 760 Intel Core 2 Duo CPU E8400 @ 3.00GHz, 2GB DDR3, 500GB HDD, DVDRW, Windows 7 Professional 32-bit
b. The BIOS Make is Dell Inc, A03, date is 4/29/2009, and Serial Number is GU284153.
c. There is a PCI Video card, internal sound card, internal 100Mb network interface, and three internal USB ports.
d. In addition to his corporate email account, he also has a Hotmail account that he accesses from his PC. From his IE7 browser history, you can also tell he uses Facebook, Craigslist, and Dropbox.
Other Personnel:
Jack Levy is the IT Director for Woeson Books. He is responsible for maintaining all of the servers and network equipment.
Shelly Johnson is the HR Director and is responsible for all personnel matters.
Assignment requirements
In a single Word document, address all of the following. Remember, your audience is Rick Brady, Woeson Books' VP of Operations. Give proper attention to your wording, grammar, spelling, punctuation, etc. Make sure you're covering the case in sufficient detail and are answering any potential questions he may ask. Lastly, remember to put your name on your paper as the chief investigator.
1. Provide a background synopsis of the case. This is an overall narrative of the facts of the case. It should answer the who, what, when, why, and how of the investigation.
2. Document your plan for conducting the forensics investigation. This is a description of the process you would take for this investigation.
a. Include whether or not a search warrant is required and any other legal aspects you would need to consider.
b. Who would you interview and need to have involved? What role(s) would each play?
c. What computer or network systems would you want to investigate? What information could each provide?
d. Would this be a live or dead acquisition of the data?
e. How would you collect and store the evidence? Include how you would ensure the chain of custody to preserve its integrity.
f. What other information would you look for in this case?
g. How would you prove innocence or guilt in this case?
3. List the tools you would need for this investigation.
a. This includes both hardware and software in your forensics toolkit.
b. How would each tool be used in your investigation?
4. The final item is the evidence list. This should include all items you processed. Each item should be identified by:
a. Make:
b. Model:
c. Serial Number of the device (this includes the individual hard drive located in a PC):
d. Removable media
e. Operating System
f. Installed application(s)
g. Other identifying information associated with the asset
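Item 1.f above (a 500GB drive of which only 300GB is visible, on a laptop with TrueCrypt installed) is the kind of observation that should be confirmed from the acquired image rather than from the live machine. The following is an added example, not part of the original case study or of any TrueCrypt tooling: it reads a 512-byte MBR, lists the primary partition entries, and reports any sizeable region of the disk that no partition claims. The sample MBR and the 976,773,168-sector disk size are constructed test data standing in for the first sector of Thomas Browne's imaged drive; the drive is assumed to be MBR-partitioned rather than GPT.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446
# One 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
PART_ENTRY = "<B3sB3sII"


def build_mbr(entries):
    """Build a 512-byte MBR from (type, start_lba, sector_count) tuples. Constructed test data only."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries[:4]):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = MBR_SIG
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty primary partition entries of an MBR as dicts (sector ranges inclusive)."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIG:
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts


def find_gaps(parts, disk_sectors, min_gap_bytes=64 * 1024 * 1024):
    """Sector ranges that no partition claims. Gaps under min_gap_bytes (alignment padding) are ignored."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return [(s, e) for s, e in gaps if (e - s + 1) * SECTOR >= min_gap_bytes]


def gap_gb(gap):
    """Size of an inclusive sector range in decimal gigabytes, as drive vendors quote them."""
    s, e = gap
    return round((e - s + 1) * SECTOR / 1e9, 1)


# Constructed sample: a 500 GB drive (976,773,168 sectors) whose only MBR entry
# is a 300 GB NTFS (type 0x07) volume starting at the usual 1 MiB boundary.
DISK_SECTORS = 976_773_168
SAMPLE_MBR = build_mbr([(0x07, 2048, 300 * 10**9 // SECTOR)])

if __name__ == "__main__":
    # On real evidence, read sector 0 from the write-blocked image file, not from the live disk.
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"sectors {p['start']}-{p['end']} ({gap_gb((p['start'], p['end']))} GB)")
    for g in find_gaps(parts, DISK_SECTORS):
        print(f"unallocated: sectors {g[0]}-{g[1]} ({gap_gb(g)} GB) "
              "-- candidate hidden volume, carve and check entropy")
```

Two caveats worth stating in the report. An unallocated region is only a candidate: the next step is to hash and carve it from the image and check whether its content is high-entropy, which is what a TrueCrypt volume (which has no recognisable header) looks like. Conversely, a TrueCrypt hidden volume that lives inside an outer volume or inside a container file will not appear as a gap at all, so a clean partition table does not rule one out. If the drive is GPT-partitioned, the protective MBR shows a single type 0xEE entry spanning the disk and this check reports nothing; the GPT header at sector 1 must be parsed instead.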
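Item 2.e asks how the evidence would be collected and stored so that its integrity can be shown later. The usual answer is that every image is hashed at acquisition and the hash is carried on every chain-of-custody entry, so any custodian can re-verify the image before working on it. The following is an added example, not code from the case study or from any forensic suite: a chunked MD5/SHA-256 hasher (so a multi-hundred-GB image never has to fit in memory), an append-only custody log keyed to the case, and a walk-through in which a small constructed file stands in for the dd image of evidence item WB-001. The item and case identifiers are hypothetical.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a file-like object in 1 MiB chunks; returns {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


class CustodyLog:
    """Append-only chain-of-custody record for one case; every entry carries the image hashes."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, item_id, action, custodian, hashes, note=""):
        entry = {"case": self.case_id, "item": item_id, "action": action,
                 "custodian": custodian,
                 "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "md5": hashes["md5"], "sha256": hashes["sha256"], "note": note}
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, item_id):
        """SHA-256 recorded when the item was first acquired, or None if never acquired."""
        for e in self.entries:
            if e["item"] == item_id and e["action"] == "acquired":
                return e["sha256"]
        return None

    def verify(self, item_id, path):
        """True only if the image on disk still matches the hash taken at acquisition."""
        expected = self.acquisition_hash(item_id)
        return expected is not None and hash_file(path)["sha256"] == expected

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed walk-through: 4 KiB of known bytes stands in for the dd image of item WB-001."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "WB-001_latitude_hdd.dd")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 16)
        log = CustodyLog("WOESON-CC-001")  # hypothetical case number
        log.record("WB-001", "acquired", "Chief Investigator", hash_file(image),
                   note="dd image taken through a hardware write blocker; laptop HDD")
        log.record("WB-001", "transferred", "Evidence Custodian", hash_file(image),
                   note="image drive sealed in evidence bag, locker 3")
        ok_on_receipt = log.verify("WB-001", image)
        with open(image, "r+b") as f:  # simulate one byte changed after acquisition
            f.seek(100)
            f.write(b"\xff")
        ok_after_change = log.verify("WB-001", image)
        return {"entries": len(log.entries),
                "verified_on_receipt": ok_on_receipt,
                "verified_after_change": ok_after_change}


def known_answer():
    """Sanity check of the hasher against the published digests of b'abc'."""
    return hash_stream(io.BytesIO(b"abc"))


if __name__ == "__main__":
    print(demo())
```

Two hashes are recorded because MD5 alone is no longer defensible against a challenge that collisions are practical, while SHA-256 alone may not match what older tools or an opposing expert report; the verifier compares SHA-256. The log should be written to media the investigator does not control alone (or printed and signed) at each hand-off, since a log that only ever lived on the analyst's workstation proves little.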