FINAL PROJECT – Investigative Conclusion and Testimony
- No directly quoted material may be used in this project paper.
- Resources should be summarized or paraphrased with appropriate in-text and Resource page citations.
***Read the parts of each section of this project carefully as you are being asked to answer questions assuming different roles for different questions.
In the course of this investigation you, as the Information Security Analyst for Provincial Worldwide, have interviewed or will need to interview (or perhaps “interrogate”) several people to provide context for the evidence you have collected as well as the rationale for your searches. Ms. McPherson and Provincial Worldwide management are asking for everything to be documented and would like you to provide them with responses on the following pieces of information:
- Provide a list of people you believe should be interviewed for this investigation and how they relate to the investigation. What information could they possibly supply?
- Provide a narrative description of the interview setting and the intended process, before, during, and following the interview (remember that depending on the type of interview, the setting may be different).
- Explain to the management why these stages are important to a successful interview and investigation.
For the purpose of the first part of this Section, you are still the Information Security Analyst for the company. Consider this project a continuation of the work you performed in Projects #1 and #2.
After seeing you search Mr. Belcamp’s work area and take several pieces of evidence, Ms. Victoria Evans who works in the office across the hall, comes forward with an odd story. Ms. Evans states that she is Mr. Belcamp’s girlfriend, but lately things in their relationship had begun to sour. She produces a thumb drive she says Mr. Belcamp gave her earlier that day. She tells you Mr. Belcamp told her to “keep it safe” and asked her to take it home with her at the end of the day. Ms. Evans tells you she really likes her job at Provincial Worldwide and has no interest in being wrapped up in whatever Mr. Belcamp has done to invite negative attention.
1. The laboratory has asked you to write a short summary of what information you want them to look for on the submitted thumb drive. Identify, for the lab, what digital or non-digital evidence you would like them to look for and explain why that evidence would be important to the case.
2. Because you are the most familiar with the investigation, Ms. McPherson is asking you to brainstorm all the locations outside of Mr. Belcamp’s immediate work space where pertinent digital evidence might be found to help with your case. Identify all of these locations, including places where police would have to be involved to search. Identify which places are legal for the company to search, and which ones would require police involvement. Support your inclusion of each location with a short description of what type of evidence might be found there.
Now, please assume a different character for the purpose of this next segment of the assessment… You are a forensic examiner at the above-mentioned Provincial Worldwide lab. Mr. Stephen Bishop, a newly promoted Regional Security Operations Manager, sent an email to Ms. McPherson, who has forwarded it to you to respond to.
3. Write a response to the following email that you have received:
To: You, Provincial Worldwide, Digital Forensics Examiner
From: Ms. Carol McPherson
This case has made Provincial Worldwide upper management recognize the importance of forensic readiness. They have asked that you nominate three (3) forensic examination/analysis (software) tools for them to keep in their budget for the following year. They also state that they want to make sure that the tools nominated are ones that would meet criminal justice-level standards and evidentiary requirements under the Daubert Standard. Please construct a table (chart) that identifies each tool’s name, its manufacturer, and its capabilities. Since these tools must meet the Daubert standard, please provide an explanation of how the three tools meet the standards of Daubert. (Management specifically wants tools that can examine/analyze the digital data inside the devices and is not interested in your input on additional tools that write-protect or image devices at this time.)
After receiving the package from the Data Security Analyst in the field, you sign the chain of custody form and get set to begin your examination.
4. After taking the thumb drive out of storage, you, as the digital forensics analyst, sit down to examine the data. (Presume all personal protective equipment discussed in the course readings is already in place.) Prior to looking through the data contained on the device, you have to make a forensic image. Document what step you take prior to making the image and why this step is important to your overall case. Explain your actions and reasoning thoroughly.
Fortunately, the Information Security Analyst was on his/her game, and ALSO sent you copies of several files, reported to be the source code of “Product X”.
5. You, as the digital forensics examiner, used hash values to help locate the source code on the thumb drive. Using verbiage that would be appropriate to communicate to a judge and jury that may not understand computer technology at all, detail and explain the following:
• What is a hash value, and how did you use it to identify that the source code was present?
• Explain an additional use of hash values in the context of digital forensics.
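An added example, not part of the assignment or of any student submission, showing the two uses of hash values the question asks about: locating known source files on recovered media by content fingerprint (regardless of file name or extension) and proving that a working copy of the evidence is byte-for-byte identical to the original. The file names and contents are constructed for the example.

```python
import hashlib

# Constructed sample data (not from the case file): the "Product X" source files
# the field analyst supplied, and files recovered from the thumb-drive image.
KNOWN_SOURCE = {
    "productx/main.c": b"int main(void) { return run_product_x(); }\n",
    "productx/engine.c": b"/* Product X core engine */\nint run_product_x(void) { return 42; }\n",
}
RECOVERED = {
    # Same bytes as engine.c, hidden under an unrelated name and extension.
    "DCIM/IMG_0042.jpg": b"/* Product X core engine */\nint run_product_x(void) { return 42; }\n",
    # Same text as main.c but saved with Windows line endings: the bytes differ.
    "work/main.c": b"int main(void) { return run_product_x(); }\r\n",
    "notes.txt": b"call dentist Tuesday\n",
}

def sha256_hex(data: bytes) -> str:
    """Digital fingerprint of the content: any change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()

def hash_index(files: dict) -> dict:
    """Map each fingerprint to the paths that carry it (duplicates share one key)."""
    index = {}
    for path, data in files.items():
        index.setdefault(sha256_hex(data), []).append(path)
    return index

def find_matches(known: dict, recovered: dict) -> list:
    """Return (recovered_path, known_path) pairs whose contents are identical.
    Matching is by content only, so renaming a file or changing its extension
    does not hide it."""
    known_by_hash = hash_index(known)
    matches = []
    for path, data in recovered.items():
        for known_path in known_by_hash.get(sha256_hex(data), []):
            matches.append((path, known_path))
    return sorted(matches)

def unmatched_known(known: dict, recovered: dict) -> list:
    """Known files not found byte-for-byte; exact hashing cannot see near-copies."""
    found = {k for _, k in find_matches(known, recovered)}
    return sorted(set(known) - found)

def image_is_faithful(original: bytes, image: bytes) -> bool:
    """Second use of hashes: prove the working copy equals the evidence it came from."""
    return sha256_hex(original) == sha256_hex(image)

if __name__ == "__main__":
    for rec, known in find_matches(KNOWN_SOURCE, RECOVERED):
        print(f"{rec} is byte-identical to {known}")
    print("not located by exact hash:", unmatched_known(KNOWN_SOURCE, RECOVERED))
    drive = b"".join(RECOVERED.values())            # stands in for the raw device bytes
    print("image verified:", image_is_faithful(drive, bytes(drive)))
    print("altered image verified:", image_is_faithful(drive, drive[:-1] + b"\x00"))
```

The unmatched `main.c` illustrates the caveat an examiner should state to a jury: an exact hash match proves identity, but its absence does not prove the file is unrelated, since even a changed line ending produces a different fingerprint.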
You complete your laboratory examination and return the evidence, with your report, back to the Information Security Analyst at the field office.
Now, reverting to your role as the Information Security Analyst back at the field office (a.k.a., you), you receive the report from the Lab, which shows that the complete “Product X” source code was found on Mr. Belcamp’s thumb drive. In addition, while the evidence was at the lab for examination, you determined it is also likely that Mr. Belcamp emailed copies of the source code to his personal email address.
6. Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement?
7. Explain what additional steps you could take to prove that the source code had been sent to his personal email address.
The decision is ultimately made to report the theft to law enforcement and, using primarily the evidence that you developed during your investigation, Mr. Belcamp is brought to trial for the crime. You (now as the forensic examiner from the Lab) are qualified as an expert witness at the trial and called to testify.
8. What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly.
9. Mr. Belcamp’s attorney in this case calls you to the stand and brings up the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. She believes you are biased in support of law enforcement and that you only had your company’s bottom line in mind. The company’s attorney, however, prepared you for these types of questions and had you prepare for trial by practicing answers to the following questions. Respond to Mr. Belcamp’s attorney by typing up a transcript of your response (you may use first-person grammar, I, me, my, etc., in your response for this question).
“How do we know you are not biased in this case, choosing to report only what would help law enforcement and your company’s bottom-line? How can we know from your work that your analysis should be accepted by the court?”
• Each question should be answered thoroughly looking at all the issues presented, so do your research, be specific, be detailed, and demonstrate your knowledge; submitting your project through the appropriate assignment folder.
• This project should be submitted in a single Microsoft Word document (.DOC/.DOCX), with answers separated and/or numbered in respect to the question, so as to make it clear which question is being answered. It may be in a question and answer format, or as described with answers to the associated question numbers;
• The paper should be written in third-person grammar, not first person (which means no I, me, myself, etc.), except for question nine (9).
• The submission is to have a cover page that includes course number, course title, title of paper, student’s name, and the date of submission per APA writing format;
• Format: 12-point font, double-space, one-inch margins;
• It is mandatory that you do some research, and utilize outside resources! You must have a reference page at the end of your project that is consistent with APA citation style and format (see https://owl.english.purdue.edu/owl/resource/560/01/ for help). You should have a minimum of (5) five references for this paper, and properly cited in the body of the paper per APA guidelines.
Project #2 – Investigative Collection of Evidence
CCJS 321 Digital Forensics in the Criminal Justice System
By: Shreeji Patel
September 17, 2019
- Summary of the incident
Mr. Newman, the Human Resources Director, notified us that the company’s executive team had earlier dismissed Mr. John Belcamp from employment as the company’s engineer in the New Products Division due to constant lateness and absenteeism. Mr. Newman reported that the former engineer had made questionable statements about a highly profitable long-term project that the company is currently working on. He feared that Mr. John Belcamp might have carried the company’s intellectual property with him for use in his new employment at the rival company’s premises. In particular, Mr. Newman feared that Mr. John Belcamp might have carried the product’s source code. He gave me a copy of the source code to aid my investigation as the company’s Information Security Analyst.
As the Information Security Analyst, I rely on the US legal authority stated in the Fourth Amendment of the Constitution to search and seize any document that may have been used for a digital crime, since there is probable cause that a crime occurred and the place of search is well defined and described (Chang, 2018). By the power of the above legal authority, I can search Mr. Belcamp’s office space and desk for any allegedly suspicious electronic and paper material which contains the product’s source code or related content.
Part II: Physical Evidence Acquisition
2. According to the photo of Mr. Belcamp’s office workspace, the items most likely to hold digital evidence include a digital hard drive, a USB drive, a small silver voice recorder, and a Dell laptop.
The digital hard drive has an irregular rectangular shape, is silver and black, and has a green label. According to the manufacturer’s information, the hard drive can hold up to 1 TB of data, is easily portable, and provides extra storage for large files, videos, and photos. The drive might hold information about the company’s new product and its source code, which makes it very useful in the investigation and as digital evidence during prosecution.
The USB flash drive has both metallic and plastic components, is black and grey at both ends, and has a minute hole on one side. The accused might have used it to store data transferred from computers and laptops in the form of document files, videos, and photos, which might be necessary during the investigation. It would also provide digital and physical evidence during prosecution. The voice recorder is small and silver; it might contain audio recordings of the suspect’s conversations with other parties or recordings of his own voice. It would provide digital and physical evidence during prosecution.
Finally, the laptop is a Dell model, black and about thirty centimeters in length. It might have stored audio, video, Word documents, and PowerPoint presentations about the new product’s development. It would provide digital and physical evidence and additional information which might not be present on the hard drive and the USB flash drive.
Steps to the careful handling of items to avoid contamination of evidence
For the Western Digital hard drive, digital photos should be taken before it is removed from its original place. The evidence custodian should then pick it up with a latex- or chloroprene-gloved hand using a pair of tongs and place it in an airtight antistatic bag that has a zip (Goodison, Davis, & Jackson, 2015). The bag should then be correctly labeled and put in the evidence container. These handling measures would prevent contamination of any fingerprints already present.
The laptop should be handled similarly. The evidence custodian, with chloroprene-gloved hands, should disconnect it from any external power source, close it, put it in a sizeable antistatic container, label it correctly, and carefully place it in the evidence container. It should also be recorded in the evidence book.
3. Items of non-digital evidence
The square, yellow sticky notes stuck on the desktop computer and the shelf might contain handwritten reminders of meetings or events related to the company’s new product and its source code that the suspect might have recorded. They would provide real evidence during prosecution. The papers placed on the shelf might be typed or handwritten documents containing information, sketches, and frameworks of the company’s new product and its source code written by the suspect. They would be used as real evidence during prosecution as well.
There is also a notebook on the office work table. It is white and has a blue logo on the left-hand side of the page. As is the case with the other paperwork, this too might contain written notes about the new product and its source code, which can be used as real evidence during prosecution. Finally, there is a white stapler with a stainless steel ream on the desk. It might contain forensic evidence such as fingerprints, which can be used as supplementary evidence to back up the allegations against the suspect.
Steps of collecting the items to mitigate the loss of evidence
First, the evidence custodian should take photographs of the sticky notes and the paper documents on the shelves before handling them physically. Second, they should pick up the documents with latex-gloved hands and put them in security bags that have a zipper, each item in its own bag, for forensic search and description. Third, the items should be put in evidence containers ready for transport to the forensic science laboratories (Lillis, Becker, O’Sullivan, & Scanlon, 2016).
4. Security procedures and environmental considerations for the storage of evidence
(i) The evidence, both digital and non-digital, should be stored in paper or envelope containers (or, in the case of the laptop, an antistatic container) and not in plastic containers. Plastic produces static electricity and allows humidity and condensation, thus interfering with the evidence. The digital evidence should be stored in an area that has no extreme temperature, pressure, or humidity (Li, Bajramovic, Gao, & Parekh, 2016).
(ii) The digital evidence should be stored away from magnetic fields (caused by speakers, for example), vibrations, and moisture to mitigate alteration of evidence.
(iii) The digital evidence should be packaged in a way that will prevent deformation. The packaging and storage container can be a thick-walled antistatic container for safety.
(iv) For security purposes, all the evidence should be labeled with the time of collection, the location, and its name. Each item should then be recorded in a book for future reference and checked against the checklist to confirm that all items are present.
(v) All the evidence should be recorded in the inventory according to the agency’s policies, and a chain of custody maintained for any item removed from the storage area (Prayudi & Sn, 2015).
5. Brian Duggers made a commendable attempt at describing the digital materials collected for evidence in the evidence document. His description incorporates most of the items’ specific features. The voice recorder, however, is scantily described. He should have included approximate measurements to expound on how “small” it is. It also has black coloring on the front part. Brian did not include the black color in his statement, which might cause ambiguity in case a similar voice recorder is found elsewhere in the room. He should also have included the initial location of each identified item to avoid confusion in case a similar item is found.
Chang, C. H. (2018). New development regarding search warrants under the Fourth Amendment of the US Constitution: Jones, Jardines & Grady. EurAmerica, 48(2), 267-333.
Goodison, S. E., Davis, R. C., & Jackson, B. A. (2015). Digital evidence and the US Criminal Justice System. Identifying technology and other needs to more effectively acquire and utilize digital evidence.
Lillis, D., Becker, B., O’Sullivan, T., & Scanlon, M. (2016). Current challenges and future research areas for digital forensic investigation. arXiv preprint arXiv:1604.03850.
Li, J., Bajramovic, E., Gao, Y., & Parekh, M. (2016). Graded security forensics readiness of SCADA systems. Informatik 2016.
Prayudi, Y., & Sn, A. (2015). Digital chain of custody: State of the art. International Journal of Computer Applications, 114(5).