Project3

CCJS 321

HW 3

Insert Name

Insert Date

How would you package the thumb drive for shipment to the lab? Be specific as to what materials you would use, and why?

Ballou (2010), in the book Electronic crime scene investigation: A guide for first responders, states that the utmost care must be taken when packaging the thumb drive so that no digital evidence is lost in the process. As a good rule of thumb, the thumb drive should be treated as if it were a fragile, sensitive piece of glass, so that it suffers as little damage as possible. First, a sealable bag is required. The sealable bag is essential to keep out materials such as moisture and dust (Ballou, 2010).

The bag used in the packaging process should also be anti-static. An anti-static bag is prudent to prevent the formation of any electrostatic charges that would distort the information on the thumb drive. The thumb drive should also be packed in collapsible cushioning material to prevent physical damage to it.

When packaging for shipment, it is essential that the package is labeled “fragile” or “handle with caution” to prevent damage during handling in the shipping process. These are all essential steps that need to be followed when packaging the thumb drive for shipment.

What would you ask the lab to look for on the submitted thumb drive, and why?

There are many types of information that can be stored on a thumb drive. In Mr. Yourprop’s case in particular, it would be important to ask the laboratory to look for any signs of similar programs that were installed on the thumb drive. Mr. Yourprop may have copied the company’s source code to the thumb drive. Links on the thumb drive using file extensions such as the QBW file extension would prove important in tracing any similar programs that were once installed on the thumb drive by Mr. Yourprop (Ballou, 2010). In addition, Mr. Yourprop may have stored on it company files such as documents and spreadsheets, or even images, that belonged to the company.

Are there any locations outside of Mr. Yourprop’s immediate workspace where pertinent digital evidence might be found to help with your intellectual property theft case? Explain thoroughly.

Ward et al. (2011), in the journal article “A United States perspective on electronic discovery rules and electronic evidence,” assert that the most pertinent mistake most forensic examiners make is failing to locate and secure all sources of digital evidence (Ward, 2011). There are many places where digital evidence may be found. Mr. Yourprop’s car is a perfect place where digital evidence may be found outside the work area. With the proper search warrant documents, Mr. Yourprop’s car and home may provide excellent sources of digital evidence. The car is excellent since it is Mr. Yourprop’s main means of transport from work to home. The home is also where Mr. Yourprop rests at the end of the day, so these two places will serve as clues to digital evidence. Mobile data entry would also be an area outside the workplace to check for digital evidence.

How would you protect this thumb drive prior to creating a forensic image for examination? Why is this protection important to your overall case? Explain thoroughly.

Casey (2002), in the journal article “Error, uncertainty and loss in digital evidence,” asserts that during the collection process, the thumb drive could be used to store any images that may be obtained from the computer. All the data on the thumb drive needs to be extracted and saved under new folders such as the investigational file (Casey, 2002). This is critical to protect the data that was originally stored by Mr. Yourprop. The extraction of files from the thumb drive can be undertaken through the utility option. As part of the collection process, there should be duplication, or imaging, of the thumb drive. Software such as “EnCase” would help in this duplication process. The only caution that should be taken is ensuring that the duplication does not overwrite the original data. It is important to back up the data originally found on the thumb drive.

Discuss at least three forensic examination/analysis tools that could be used by you or Makestuff Company’s other digital forensic analysts to process/analyze the thumb drive you received (be specific), ensuring you include the manufacturer of each tool and each tool’s capabilities.

ProDiscover Basic is the first analytical tool that may be used by forensic investigators. The ProDiscover Basic tool allows investigators to examine any information contained in drives such as thumb drives. To use it, the forensic examiner needs to load the image before analyzing it. With the tool, a forensic researcher can image, effectively analyze, and eventually report any important evidence.

FTK Imager is another tool that forensic researchers can use in the analysis of the thumb drive. For instance, the files and folders contained in the thumb drive may be examined in the created forensic images. The advantage of the FTK Imager tool is that it can also go the extra mile and generate hashes of files or, better still, recover files that were deleted from the thumb drive or the hard disk.

P2 eXplorer is the final forensic imaging tool that can be used in examining the thumb drive. With P2 eXplorer, any forensic image can be examined from a local or physical disk such as the thumb drive. As an added advantage, any deleted data from the thumb drive can be retrieved and identified.

What is hashing, and how could you take advantage of it in this case to attempt to determine if Mr. Yourprop’s thumb drive contains copies of the source code? Explain thoroughly.

Hashing can be simply thought of as a concept that enables storing and searching for values. Nicole Beebe (2009), in the journal article “Digital forensic research: The good, the bad and the unaddressed,” states that, essentially, hashing is the changing of the original set of characters into a different form that is usually a shorter character string or key compared to the original set of values. Therefore, hashing may be applied in a database for retrieving and sorting items contained in the database, as opposed to using the original string of values (Beebe, 2009). There exist different types of hashing, ranging from internal and external hashing to static and dynamic hashing.

In Mr. Yourprop’s case, the hashing functionality may be used to search for particular records that may be contained on the thumb drive. If the source code or a copy of it was on the thumb drive, any entries may be searched for using the hashing functionality. Therefore, it would be a very prudent functionality.
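Added example (not part of the original answer): one way to apply hashing to this question is to compute a cryptographic digest (SHA-256 here) of every file in the company's source tree and compare it with the digest of every file on a read-only working copy of the thumb drive image. The directory layout, file names and contents below are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_reference_set(source_root):
    """Map digest -> relative path for every file in the known source tree."""
    ref = {}
    for dirpath, _, names in os.walk(source_root):
        for name in names:
            full = os.path.join(dirpath, name)
            ref[sha256_file(full)] = os.path.relpath(full, source_root)
    return ref

def find_copies(evidence_root, reference):
    """Return sorted (evidence path, source path) pairs with identical content."""
    hits = []
    for dirpath, _, names in os.walk(evidence_root):
        for name in names:
            full = os.path.join(dirpath, name)
            if (match := reference.get(sha256_file(full))) is not None:
                hits.append((os.path.relpath(full, evidence_root), match))
    return sorted(hits)

def demo():
    """Constructed sample: a tiny source tree and a stand-in for the thumb drive."""
    with tempfile.TemporaryDirectory() as tmp:
        src, usb = os.path.join(tmp, "source"), os.path.join(tmp, "usb")
        os.makedirs(src)
        os.makedirs(os.path.join(usb, "vacation"))
        files = {
            os.path.join(src, "engine.c"): b"int main(void){return 0;}\n",
            os.path.join(src, "README"): b"Makestuff build notes\n",
            os.path.join(usb, "vacation", "beach.jpg"): b"int main(void){return 0;}\n",  # renamed copy
            os.path.join(usb, "notes.txt"): b"Makestuff build notes!\n",  # one byte differs
        }
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)
        return find_copies(usb, build_reference_set(src))

if __name__ == "__main__":
    print(demo())
```

A match shows byte-identical content regardless of file name or extension; a file altered by even one byte produces a different digest, so an empty result does not rule out modified copies.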

Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement?

The appropriate action would essentially involve reporting to the necessary authorities. The law enforcement authorities are tasked with the duty to provide law and order regardless of whether a company is private or public. The law enforcement bodies should in fact have been informed prior to the search. For instance, the court system was to be notified to determine whether a search warrant was needed to search Mr. Yourprop’s area. This was the only means through which any evidence obtained would have been admissible in a court of law. Without the involvement of the law enforcement bodies, any evidence obtained would not be admissible before the law. Regardless of the status of a company, it is essential that the company is notified of the violation of the company’s rules.

What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly.

The significance of an expert witness cannot be overstated in the Mr. Yourprop trial. The role of the computer forensic expert is crucial in increasing the credibility of the evidence brought before the court. An expert computer forensic examiner can walk the court and jury, who are not experts in the field, through exactly what Mr. Yourprop did in violating company policy. The forensic expert knows a great deal about the protocol followed in collecting and analyzing the evidence obtained. The identification, collection, packaging and documentation of the digital evidence depend entirely on the expert skills and opinions of the forensic examiner. This advantage places the expert above, and makes the expert very different from, a simple fact witness. It would thus be prudent and crucial that an expert witness testifies in court.

While you are on the stand, the defense asks you the following question based on the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. “How do we know you were not just a “police hack” in this case, choosing to report only what would help law enforcement and your company’s bottom-line in this case?”

My response to such claims by the defense would be to make the court understand that I am a professional. Being a professional, I am bound by a code of conduct and ethics. The ethics of computer forensics mean that I am to be subjective and authoritative in my reporting and analysis. In addition, I would make the court understand that the information that was obtained was not unique to me. Any computer forensic expert would have obtained the same information that I obtained.


References

Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders. Boston: Diane Publishing.

Beebe, N. (2009). Digital forensic research: The good, the bad and the unaddressed. Advances in Digital Forensics, 17-36.

Casey, E. (2002). Error, uncertainty, and loss in digital evidence. International Journal of Digital Evidence, 1(2), 1-45.

Ward, B. (2011). A United States perspective on electronic discovery rules and electronic evidence. Transforming Government: People, Process and Policy, 5(3), 268-279.
