
Question


You work for CCL Group as a forensic investigator and have been asked to contact a local company who suspect an employee of breaching company policies. You visit the company and meet with the system administrator and manager who explain that an employee appears to have used a P2P program to download full length movies onto their work computer. It is thought that they have also downloaded a Trojan virus which has resulted in not only the employee's computer system failing to boot, but also caused issues with the entire network. The employee has been suspended pending the investigation and you will be provided with full access to the computer system and network. The system administrator and manager have confirmed that the employee's computer system has been left 'in situ' and not tampered with, but that the network issue had to be resolved due to the business needing to function as normal. You are required to plan and carry out an investigation of the employee's computer system and present your findings as a report for the system administrator and manager. You have a timescale of two weeks to plan and conduct your investigation, completing all relevant documentation as well as preparing the final report.

Tasks

1) You are required to produce a documented plan of how you are going to approach your computer forensic investigation, which will be approved by your supervisor. The plan must include the following:

A documented plan for the computer forensic investigation of the employee's system to include:

a) An annotated diagram of the evidence lifecycle
b) An explanation of the admissibility of evidence providing four examples of good practice
c) Identification of the types of evidence that could be gathered for this investigation including a justification of the types of evidence to be collected
d) Explanation of the precautions that will be taken to preserve the state of each type of evidence
e) Identification of the hardware and software tools that will be selected to analyse the evidence with a justification of the tools selected
f) Explanation of the importance of the chain of custody process
g) Explanation of the evidence handling procedures that will be used.

2) After your supervisor approves your plan, you can now carry out your computer forensic investigation of the employee's computer system. Ensure that you document the investigation process thoroughly to include:

a) date and time of action
b) activity type
c) personnel collecting/accessing evidence
d) computer description information
e) disk drive descriptive information
f) handling procedure
g) complete description of action: procedure followed; tools used; step-by-step description of analysis and results
h) reasons for action taken
i) notes
j) collection of evidence
k) review of evidence
l) analysis and interpretation of evidence
m) documentation of evidence (printouts, photographs etc) and Chain of Custody record.
