Things to keep in mind for the forensic investigation for this case:
• To identify the malicious activities with respect to 5Ws (Why, When, Where, What, Who).
• To identify the security lapse in their network.
• To find out the impact if the network system was compromised.
• To identify the legal procedures, if needed.
• To provide the remedial action in order to harden the system.
Relevant Guidelines for Initial Preparation
Before starting the investigation, I need to prepare in order to conduct it efficiently. The following steps are needed in the preparation stage:
• Gathering all available information from the initial assessment of the incident, such as its severity.
• Identifying …
A forensic image will be created with a forensic tool such as FTK Imager, which preserves the original data as evidence so that no changes are made to the data during the investigation. I will connect to the target system through a write blocker and copy the entire contents of the target drive to another storage device using FTK Imager. I will use a hard drive to clone the entire system. The hard drive clone contains only a raw image: every bit is copied and no extra content is added. A forensic image also records timestamps and compresses all the empty blocks (Nelson, B., et al. …).
After the disk is imaged, the hash values will be recorded in multiple locations, and I will ensure that no changes are made to the data from the time of collection until the end of the investigation. The target system hard drives, external storage devices, and the Windows NT Server hard drive must be acquired for the digital forensic investigation in this case.
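As an added example (not part of the original essay), the following Python script hashes an acquired image with two algorithms, writes a manifest that can be copied to several locations, and re-verifies the image later; the file names and the tiny in-memory sample image are constructed placeholders.

```python
# Hash an acquired forensic image and later verify it is unchanged.
# Added example, not from the essay; paths and sample image are constructed.
import hashlib
import json
import os
import tempfile
import time

ALGORITHMS = ("md5", "sha256")  # two digests, as imaging tools such as FTK Imager report

def hash_file(path, chunk_size=1 << 20):
    """Digest the file in 1 MiB chunks so large images stay out of memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_manifest(image_path, manifest_path, examiner):
    """Record digests plus who/when; copy this file to several locations."""
    record = {
        "image": os.path.basename(image_path),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify_image(image_path, manifest_path):
    """Re-hash and compare; returns (ok, list of mismatching algorithms)."""
    with open(manifest_path) as fh:
        recorded = json.load(fh)["hashes"]
    current = hash_file(image_path)
    bad = [name for name in ALGORITHMS if current[name] != recorded[name]]
    return (not bad, bad)

def demo():
    # Constructed sample: verification passes, then fails after a one-byte change.
    image = os.path.join(tempfile.mkdtemp(), "evidence01.dd")  # placeholder name
    manifest = image + ".json"
    with open(image, "wb") as fh:
        fh.write(b"NTFS    " + bytes(range(256)) * 16)  # fake sector data
    write_manifest(image, manifest, "examiner-placeholder")
    before = verify_image(image, manifest)
    with open(image, "r+b") as fh:  # simulate an accidental modification
        fh.seek(100)
        fh.write(b"\x00")
    return before, verify_image(image, manifest)
```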
Examination of Data
Once I have gathered all the available evidence, I will need to conduct the examination with the help of various computer forensic investigation tools. I will also carry out file system, Windows registry, network and database forensic examination.
File System Examination
The Master File Table (MFT), which contains information about all files and disks, is the first file in the New Technology File System (NTFS). Files in the MFT can be stored in two ways: resident and non-resident.
When a file is deleted in Windows, the OS renames it and moves it to the Recycle Bin with a unique identity. The OS stores information about the original path and original file name. But if a file is deleted from the Recycle Bin, the associated clusters are marked as available for new data. NTFS disks are a data stream, which means they can be added into another existing