Case Study: Subcontractor Investigation
Case
Jonathan Simpson owns a construction company. One day a subcontractor calls him, saying that he needs a replacement check for the job he completed at 1437 West Maple Avenue. Jonathan looks up the job on his accounting program and agrees to reissue the check for $12,750. The subcontractor says that the original check was for only $10,750. Jonathan looks around the office but can’t find the company check book or ledger. Only one other person has access to the accounting program. Jonathan calls you to investigate. How would you proceed? Write a report detailing the steps Jonathan needs to take to gather the necessary evidence and protect his company.
Investigation
- An investigation is needed for two reasons. First, the job was entered at $12,750 when it only cost $10,750, which means that $2,000 is unaccounted for. Second, the check book and the ledger are missing, and the only other person who has access is nowhere to be found. As an investigator, the first thing I would do is make an initial assessment. During that assessment, I would determine whether the crime committed was a computer-based crime. At this stage, I would also speak with others involved in the case, such as law enforcement officials, to determine whether any devices were seized. Was a computer used to commit the crime, or is there evidence on the computer that could help with my investigation?
- Next, I would determine how to approach the case. Because it is a financial case, there is a strong possibility that the suspect could be laundering money by masking it as a job that was paid for. At this point, I would determine when I can seize any computers or devices the employee uses, and whether law enforcement has gathered any useful information that could help with my investigation. Because this matter needs to be resolved in a timely manner, it would be in my best interest to lay out a step-by-step timeline with the maximum amount of time that I should spend on each step. During this time, I would also determine the resources needed to complete the investigation. Resources can include any programs that will be used or any other expertise that I need to get the investigation done.
- The next step in my investigation would be to obtain and copy an evidence drive. I would have to determine whether multiple devices were used, but because the company seems to be a small business, a USB forensic copy of the disks should be sufficient. Next, I would identify the risks. I would identify the problems associated with this kind of case and determine whether the suspect is computer savvy and could throw a wrench into the investigation by setting up a scheme that overwrites the hard drive. After identifying the risks, I would have to mitigate them. The best way to do that is to make multiple copies of the original content before digging into my investigation, so that if anything gets destroyed, I can start over.
- After mitigating the risks, I would test my design for the investigation. I would go over the decisions I have made and the steps I have completed so far. I would also compare the hash values of the original media with those of the evidence copies. Next, I would analyse and recover evidence using any software or other information that I have gathered. After the analysis, I would investigate the data that I have recovered. I would look at existing files, deleted files, e-mails, and wire transfers. It is in my interest to organize the information found so that it is relevant to the case.
- Once my investigation is complete, I would write my report with details on the steps taken and the evidence found that proves either the guilt or the innocence of the suspect. Finally, I would critique myself to determine how I can improve my performance, what I could do differently, and whether I could have spent less time on a step. Although an investigation has many planned steps, mishaps also occur. A contingency plan would be ideal in case I need different software or have to approach the investigation in a different manner.
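
The copy-and-compare steps above (multiple working copies, then a hash comparison against the original media) can be scripted as follows. This is an added example, not part of the original case study; the file names and the sample image data are constructed, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large disk image never sits fully in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copies(original, copies):
    """Hash the original image once, then check every working copy against it.

    Returns (reference_digest, {copy_path: True if identical else False}).
    """
    reference = sha256_file(original)
    original_size = os.path.getsize(original)
    results = {}
    for path in copies:
        # A size mismatch is a cheap early sign of a truncated copy;
        # the hash comparison is the authoritative check.
        same_size = os.path.getsize(path) == original_size
        results[path] = same_size and sha256_file(path) == reference
    return reference, results


def demo():
    """Constructed sample: one faithful copy and one copy with a single flipped bit."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.dd")   # hypothetical image name
        good = os.path.join(workdir, "working_copy_1.dd")
        bad = os.path.join(workdir, "working_copy_2.dd")
        data = os.urandom(3 * CHUNK + 17)                 # stand-in for a disk image
        altered = bytearray(data)
        altered[CHUNK] ^= 0x01                            # simulate silent corruption
        for path, content in ((original, data), (good, data), (bad, bytes(altered))):
            with open(path, "wb") as handle:
                handle.write(content)
        reference, results = verify_copies(original, [good, bad])
        return reference, results[good], results[bad]


if __name__ == "__main__":
    reference, good_ok, bad_ok = demo()
    print("reference SHA-256:", reference)
    print("working_copy_1 matches:", good_ok)
    print("working_copy_2 matches:", bad_ok)
```

Recording the reference digest in the case notes at acquisition time lets any later copy be re-verified the same way before analysis starts.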