• Each question should be answered with a minimum of 1-2 paragraphs, so do your research, be specific, be detailed, and demonstrate a thorough understanding.
• Answers to the above questions should be submitted in a single document (.DOC/.DOCX, .RTF, or .PDF), with answers separated so as to make it clear which question is being answered;
• Format: 12-point font, double-space, one-inch margins
For the purposes of this project, imagine you are an Information Security (InfoSec) Specialist, an employee of the Makestuff Company, assigned to the company’s Incident Response Team.
In this case, you have been notified by Mr. Hirum Andfirum, Human Resources Director for the Makestuff Company, that the company has just terminated Mr. Got Yourprop, a former engineer in the company’s New Products Division, for cause. Mr. Andfirum tells you that at Mr. Yourprop’s exit interview earlier that day, the terminated employee made several statements to the effect of “it is okay because I have a new job already and they were VERY happy to have me come from Makestuff, with ALL I have to offer.” Mr. Yourprop’s statements made Mr. Andfirum fear he might be taking Makestuff’s intellectual property with him to his new employer (undoubtedly a Makestuff competitor). In particular, Mr. Andfirum is worried about the loss of the source code for “Product X,” which the company is counting on to earn millions in revenue over the next three years. Mr. Andfirum provides you a copy of the source code to use in your investigation. Lastly, Mr. Andfirum tells you to remember that the Company wants to retain the option to refer the investigation to law enforcement in the future, so anything you do should be with thought about later potential admissibility in court.
The 4th Amendment to the U.S. Constitution reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” While the 4th Amendment is most commonly interpreted to only affect/restrict governmental power (e.g., law enforcement), the fact that a formal criminal investigation is a possibility (and the Company has no desire to be named in a civil lawsuit) means you must consider its effect on your actions.
With the above scenario in mind, thoroughly answer the following questions (in paragraph format, properly citing outside research, where appropriate).
1. Can you (or Mr. Yourprop’s supervisor) search Yourprop’s personal vehicle currently parked in the Company parking lot for digital evidence? Support your answer.
2. If evidence of this theft of intellectual property can be found, Makestuff Company may seek to pursue criminal prosecution. Can Mr. Yourprop’s supervisor direct local police investigators to search his personal vehicle which is parked on the Company parking lot? Support your answer.
3. Can you (or Mr. Yourprop’s supervisor) search Yourprop’s assigned locker in the Company’s on-site gym for digital evidence? Support your answer.
4. Can you (or Mr. Yourprop’s supervisor) use a master key to search Yourprop’s locked desk for digital evidence after he has left the premises? Support your answer.
5. There is a page in the Company’s “Employee Handbook” that states that anything brought onto the Company’s property, including the employees themselves, is subject to random search for items belonging to the Company. There is a space for the employee to acknowledge receipt of this notice. Mr. Yourprop has a copy of the handbook but never signed the page. Does that matter? Explain.
6. Makestuff Company uses a security checkpoint at the entrance to the building. A sign adjacent to the checkpoint states that the purpose of the checkpoint is for security staff to check for weapons or other materials that may be detrimental to the working environment or employee safety. Screening is casual and usually consists of verification of an employee’s Company ID card. Can security staff at this checkpoint be directed to open Mr. Yourprop’s briefcase and seize any potential digital evidence? Support your answer.
With the scenario in mind, thoroughly answer the following questions (in paragraph format, properly citing outside research, where appropriate):
1. What permissions/authorities should you have before you search Mr. Yourprop’s former Company work area, and how would you document that authority?
2. (Looking at the photo of Mr. Yourprop’s work area, provided for Project 2 in the Course Content area) Identify three (3) potential items of digital evidence you see in the photo. For EACH item of digital evidence you identified, explain what potential use that item would be to your investigation (e.g., what type of data that item might hold) AND how you would collect that item as evidence (with emphasis on your care and handling of that item consistent with digital forensic best practices described in your textbook).
3. (Looking at the photo of Mr. Yourprop’s work area, provided for Project 2 in the Course Content area) Identify three (3) potential items of non-digital evidence you see in the photo. For EACH item of non-digital evidence you identified, explain what potential use that item would be to your investigation AND how you would collect that item as evidence.
4. (Looking at the Evidence Custody Document and item photographs, provided for Project 2 in the Course Content area) Read the Evidence Custody Document prepared by one of your co-workers, in which he is attempting to seize the three items pictured in the accompanying photos. Did your co-worker adequately describe each item? What could you add to the descriptions, and for which items (based on what you see in the photos), to make them more complete and serve as an example to your co-worker of what they SHOULD look like?
5. How should the items you collected as evidence be stored in your evidence room? Describe any environmental conditions or concerns for your evidence room (digital evidence can require some unique considerations!), as well as any security procedures that should be in place.
After seeing you search Mr. Yourprop’s work area and take several pieces of evidence, Ms. Maria Friend, who works in the office across the hall, comes forward with an odd story. Ms. Friend states that she is Mr. Yourprop’s fiancée, but lately things in their relationship had begun to sour. She produces a thumb drive she says Mr. Yourprop gave her earlier that day. She tells you Mr. Yourprop told her to “keep it safe” and asked her to bring it home with her at the end of the day. Ms. Friend tells you she really likes her job and has no interest in being wrapped up in whatever Mr. Yourprop has done to invite negative attention.
1. How would you package the thumb drive for shipment to the lab? Be specific as to what materials you would use, and why.
2. What would you ask the lab to look for on the submitted thumb drive, and why?
3. Are there any locations outside of Mr. Yourprop’s immediate workspace where pertinent digital evidence might be found to help with your intellectual property theft case? Explain thoroughly.
Now, please assume a different character for the purpose of this next segment of the assessment… You are a forensic examiner at the above-mentioned Makestuff Company lab. After receiving the package from the InfoSec Specialist in the field, you sign the chain of custody form and get set to begin your examination.
4. How would you protect this thumb drive prior to creating a forensic image for examination? Why is this protection important to your overall case? Explain thoroughly.
5. Discuss at least three forensic examination/analysis tools that could be used by you or Makestuff Company’s other digital forensic analysts to process/analyze the thumb drive you received (be specific), ensuring you include the manufacturer of each tool and each tool’s capabilities.
Fortunately, the InfoSec Specialist was on his/her game, and ALSO sent you copies of several files, reported to be the source code of “Product X”.
6. What is hashing, and how could you take advantage of it in this case to attempt to determine if Mr. Yourprop’s thumb drive contains copies of the source code? Explain thoroughly.
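As an added illustration of the hashing technique question 6 asks about (this script is not part of the course materials or the textbook), the Python below builds a known-file hash set from the “Product X” reference source the InfoSec Specialist supplied, hashes every file recovered from the thumb drive image, and reports which drive files match a reference file byte-for-byte. It also shows the other routine use of hashing in the lab, verifying that a forensic image still matches the digest recorded at acquisition. All directory names, file names and file contents are constructed for the demo; the renamed copy and the one-byte-edited copy are there to show that a cryptographic hash catches renaming but, on its own, not modification.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large evidence files do not load into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_set(source_dir):
    """Map digest -> relative path for every file in the reference source tree.

    This is the 'known file' set: the Product X source provided by HR.
    """
    root = Path(source_dir)
    return {sha256_file(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*")) if p.is_file()}


def match_against(known, mounted_image_dir):
    """Hash each file from the (read-only) mounted image and compare to the known set.

    Returns (matches, nonmatches): matches are (drive path, reference path, digest).
    A match is by content only, so renamed copies are still found; an edited copy
    produces a different digest and will NOT match (hashing is exact-match only).
    """
    matches, nonmatches = [], []
    root = Path(mounted_image_dir)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        rel = str(p.relative_to(root))
        if digest in known:
            matches.append((rel, known[digest], digest))
        else:
            nonmatches.append(rel)
    return matches, nonmatches


def verify_image(image_path, acquisition_digest):
    """True if the image file still hashes to the value recorded when it was acquired."""
    return sha256_file(image_path) == acquisition_digest


def build_demo():
    """Constructed sample data: a reference source tree and a directory standing in
    for the mounted thumb-drive image. Names and contents are made up for the demo."""
    base = Path(tempfile.mkdtemp(prefix="productx_demo_"))
    src = base / "productx_reference"
    img = base / "thumbdrive_image_mount"
    (src / "lib").mkdir(parents=True)
    img.mkdir()
    (src / "main.c").write_bytes(b"int main(void) { return 0; }\n")
    (src / "lib" / "util.c").write_bytes(b"int add(int a, int b) { return a + b; }\n")
    # Renamed, byte-identical copy: still matches by content.
    (img / "vacation_photos.dat").write_bytes(b"int main(void) { return 0; }\n")
    # Same name, one extra space: different digest, so no match.
    (img / "util.c").write_bytes(b"int add(int a, int b) { return a + b; } \n")
    (img / "notes.txt").write_bytes(b"unrelated\n")
    return str(src), str(img)


def run_demo():
    """Build the known set from the reference source and match the drive contents."""
    src, img = build_demo()
    return match_against(build_known_set(src), img)


def demo_verify():
    """Simulate acquisition: record the image digest, then re-verify it later."""
    image = Path(tempfile.mkdtemp(prefix="image_demo_")) / "thumbdrive.dd"
    image.write_bytes(b"\x00" * 4096 + b"constructed image payload")
    recorded = sha256_file(image)          # value written on the custody/acquisition form
    return verify_image(image, recorded)   # True while the image is unchanged


if __name__ == "__main__":
    matched, unmatched = run_demo()
    for drive_path, ref_path, digest in matched:
        print(f"MATCH  {drive_path} == reference {ref_path} ({digest[:16]}...)")
    for drive_path in unmatched:
        print(f"no match  {drive_path}")
    print("image integrity verified:", demo_verify())
```

In practice the known set would also be exported to the lab's forensic tool as a hash list, and a file that does not match (like the edited `util.c` above) would be a candidate for content comparison rather than dismissed, since a single changed byte defeats an exact hash match.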
You complete your laboratory examination and return the evidence, with your report, back to the InfoSec Specialist at the field office.
Now, back at the field office, the InfoSec Specialist (a.k.a., you) receives the report from the Makestuff Lab, which shows that the complete “Product X” source code was found on Mr. Yourprop’s thumb drive. In addition, while the evidence was at the lab for examination, you determined it is also likely that Mr. Yourprop emailed copies of the source code to his personal email address.
7. Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement?
The decision is ultimately made to report the theft to law enforcement and, using primarily the evidence you developed during your investigation, Mr. Yourprop is brought to trial for the crime. You (as the forensic examiner from the Makestuff Lab) are qualified as an expert witness and called to testify.
8. What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly.
9. While you are on the stand, the defense asks you the following question based on the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. “How do we know you were not just a “police hack” in this case, choosing to report only what would help law enforcement and your company’s bottom-line in this case?”