No directly quoted material may be used in this project paper. Resources should be summarized or paraphrased with appropriate in-text and Resource page citations.
For the purpose of this Project, you are still the InfoSec Specialist for the Greenwood Company. Consider this project a continuation of the work you performed in Project 1. In this portion of the investigation, you are ONLY collecting the physical evidence. You will NOT be handling the digital data during this stage of the investigation. (This step will be discussed in the Final Project.) You should limit your "care and handling" of each piece of evidence to the physical handling of the digital container.
With the scenario in mind, you are to wrte a report to your supervisor, thoroughly providing a response to the following questions (in paragraph format, properly citing outside research, where appropriate) to both parts of the project:
Part I: Overview/Case Summary
Part II: Physical Evidence Acquisition:
2. Look at the photo of Mr. McBride's work area. (See file attachment Work_Area.jpg) Identify three (3) potential items of digital evidence you see in the photo.
3. Look at the photo of Mr. McBride's work area. (See file attachment Work_Area.jpg) Identify three (3) potential items of non-digital evidence you see in the photo.
4. Detail in your report how you secured the collection of evidence after removing it from the original scene (the desk) and prior to sending it for analysis. Describe the security procedures in place as well as any environmental protections (specific to computer/digital devices) that are in place within the storage area.
5. Look at the Evidence Custody Document (See file attachment Evidence Custody Document.doc) and item photographs (Items-seized (pics).pptx). Read the Evidence Custody Document prepared by one of your co-workers in which he is attempting to document the seizure of the three (3) items pictured in the accompanying photos. Did your co-worker adequately describe each item? What could you add to the descriptions, and for which items (based on what you see in the photos) to make them more complte and serve as an example to your co-worker of what they SHOULD look like (how they should be described)?
CCJS 321 Digital Forensics in the Criminal Justice System
March 4, 2017
1.The laboratory has asked you to write a short summary of what information you want them to look for on the submitted thumb drive. Identify, for the lab, what digital evidence you would like them to look for and explain why that evidence would be important to the case.
2.Because you are the most familiar with the investigation, Mr. Jenkins is asking you to brain storm all the locations outside of Mr. McBride's immediate work space where pertinent digital evidence might be found to help with your intellectual property theft case. Identify all of these locations, including places where police would have to be involved to search. Identify what places are eligible for company search, and which ones would require police involvement. Support your inclusion of each location with a short description of what type of evidence might be found there.
3.After taking the thumb drive out of storage, you, as the digital forensics analyst, sit down to examine the data. (Presume all personal protective equipment is already in place.) Prior to looking through the data contained on the device, you have to make a forensic image. Document what step you take prior to making the image and why this step is important to your overall case. Explain your actions and reasoning thoroughly.
4. Write a response to the following email that you have received:
To: You, Greenwood Company Digital Forensics Examiner
From: H. Jenkins, HR Management
This case has made Greenwood Company upper management recognize the importance of forensic readiness. They have asked that you nominate three (3) forensic examination/analysis (software) tools for them to keep in their budget for the following year. They also state that they want to make sure that the tools nominated are ones that would meet criminal justice-level standards and evidentiary requirements under the Daubert Standard. In your response, please list the tool name, manufacturer, the capabilities of the tool, and how the three tools meet the standards of Daubert. (Management specifically wants tools that can examine/analyze the digital data inside the devices and is not interested in your input on additional tools that write protect or image devices at this time.)
5.You, as the digital forensics examiner, used hash values to help locate the source code on the thumb drive. Using verbiage that would be appropriate to communicate to a judge and jury that may not understand computer technology at all, detail the following: What is a hash value? How did you use it in this case to determine that Mr. McBride’s thumb drive contains copies of the source code? Explain an additional use of hash values in the context of digital forensics.
6.Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement?
7.What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly.
8.The prosecutor in this case calls you and brings up the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. She is concerned that it will look like you are biased in support of law enforcement and that you only had your company’s bottom line in mind. She asks you to prepare for trial by practicing answering the following questions - respond to the prosecutor by typing up a transcript for your response. “How do we know you are not biased in this case, choosing to report only what would help law enforcement and your company's bottom-line? How can I know from your work that your analysis should be accepted?”
Prosecutor: “How do we know you are not biased in this case, choosing to report only what would help law enforcement and your company's bottom-line?
Prosecutor: “How can I know from your work that your analysis should be accepted?”
Preview of Project-3.docx
Preview of Project-2.-Investigative-Collection-of-Evidence.docx