FINAL PROJECT – Investigative Conclusion and Testimony
- No directly quoted material may be used in this project paper.
- Resources should be summarized or paraphrased with appropriate in-text and Resource page citations.
***Read the parts of each section of this project carefully as you are being asked to answer questions assuming different roles for different questions.
In the course of this investigation you, as the Information Security Analyst for Provincial Worldwide, have or will need to interview (or perhaps “interrogate”) several people to provide context for the evidence you have collected as well as the rationale for your searches. Ms. McPherson and Provincial Worldwide management are asking for everything to be documented and would like you to provide them responses to the following pieces of information:
- Provide a list of people you believe should be interviewed for this investigation and how they relate to the investigation. What information could they possibly supply?
- Provide a narrative description of the interview setting and the intended process, before, during, and following the interview (remember that depending on the type of interview, the setting may be different).
- Explain to the management why these stages are important to a successful interview and investigation.
For the purpose of the first part of this Section, you are still the Information Security Analyst for the company. Consider this project a continuation of the work you performed in Projects #1 and #2.
After seeing you search Mr. Belcamp’s work area and take several pieces of evidence, Ms. Victoria Evans, who works in the office across the hall, comes forward with an odd story. Ms. Evans states that she is Mr. Belcamp’s girlfriend, but lately things in their relationship had begun to sour. She produces a thumb drive she says Mr. Belcamp gave her earlier that day. She tells you Mr. Belcamp told her to “keep it safe” and asked her to take it home with her at the end of the day. Ms. Evans tells you she really likes her job at Provincial Worldwide and has no interest in being wrapped up in whatever Mr. Belcamp has done to invite negative attention.
1. The laboratory has asked you to write a short summary of what information you want them to look for on the submitted thumb drive. Identify, for the lab, what digital or non-digital evidence you would like them to look for and explain why that evidence would be important to the case.
2. Because you are the most familiar with the investigation, Ms. McPherson is asking you to brainstorm all the locations outside of Mr. Belcamp’s immediate work space where pertinent digital evidence might be found to help with your case. Identify all of these locations, including places where police would have to be involved to search. Identify what places are legal for the company to search, and which ones would require police involvement. Support your inclusion of each location with a short description of what type of evidence might be found there.
Now, please assume a different character for the purpose of this next segment of the assessment… You are a forensic examiner at the above-mentioned Provincial Worldwide lab. Mr. Stephen Bishop, a newly promoted Regional Security Operations Manager, sent an email to Ms. McPherson, who has forwarded it to you for a response.
3. Write a response to the following email that you have received:
To: You, Provincial Worldwide, Digital Forensics Examiner
From: Ms. Carol McPherson
This case has made Provincial Worldwide upper management recognize the importance of forensic readiness. They have asked that you nominate three (3) forensic examination/analysis (software) tools for them to keep in their budget for the following year. They also state that they want to make sure that the tools nominated are ones that would meet criminal justice-level standards and evidentiary requirements under the Daubert Standard. Please construct a table (chart) that identifies the tool name and their manufacturer, and the capabilities of the tools. Since these tools must meet the Daubert standard, please provide an explanation of how the three tools meet the standards of Daubert. (Management specifically wants tools that can examine/analyze the digital data inside the devices and is not interested in your input on additional tools that write protect or image devices at this time.)
After receiving the package from the Data Security Analyst in the field, you sign the chain of custody form and get set to begin your examination.
4. After taking the thumb drive out of storage, you, as the digital forensics analyst, sit down to examine the data. (Presume all personal protective equipment discussed in the course readings is already in place.) Prior to looking through the data contained on the device, you have to make a forensic image. Document what step you take prior to making the image and why this step is important to your overall case. Explain your actions and reasoning thoroughly.
Fortunately, the Information Security Analyst was on his/her game, and ALSO sent you copies of several files, reported to be the source code of “Product X”.
5. You, as the digital forensics examiner, used hash values to help locate the source code on the thumb drive. Using verbiage that would be appropriate to communicate to a judge and jury that may not understand computer technology at all, detail and explain the following:
You complete your laboratory examination and return the evidence, with your report, back to the Information Security Analyst at the field office.
Now, reverting back to your role as the Information Security Analyst back at the field office (a.k.a., you), you receive the report from the Lab which shows that the complete “Product X” source code was found on Mr. Belcamp’s thumb drive. In addition, while the evidence was at the lab for examination, you determined it is also likely that Mr. Belcamp emailed copies of the source code to his personal email address.
6. Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement?
7. Explain what additional steps you could take to prove that the source code had been sent to his personal email address.
The decision is ultimately made to report the theft to law enforcement and, using primarily the evidence that you developed during your investigation, Mr. Belcamp is brought to trial for the crime. You (now as the forensic examiner from the Lab) are qualified as an expert witness at the trial and called to testify.
8. What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly.
9. Mr. Belcamp’s attorney in this case calls you to the stand and brings up the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. She believes you are biased in support of law enforcement and that you only had your company’s bottom line in mind. The company’s attorney, however, prepared you for these types of questions and had you prepare for trial by practicing answering the following questions – respond to Mr. Belcamp’s attorney by typing up a transcript for your response (You may use first-person grammar, I, me, my, etc., in your response for this question).
“How do we know you are not biased in this case, choosing to report only what would help law enforcement and your company’s bottom-line? How can we know from your work that your analysis should be accepted by the court?”