ASSIGNMENT TWO Semester 1, 2023 ITDF6.100 DIGITAL FORENSICS FUNDAMENTALS Student IDs (required): 2022000384 Names (optional): Jordyn Hanekom Due Date: Refer to assessment Time: DIGITAL FORENSICS FUNDAMENTALS Page 1 of 4 ITDF6 100 DFF labwork template.docx LAB FOUR: REPORT WRITING Overview/Case summary Mr. Peabody, the owner of a small software development company, MobilizeIT, which specialises in writing software for both Android and Apple mobile devices. Via an anonymous source Mr. Peabody has discovered that there has been a software breach resulting availability of the program code and assets for a soon-to-be-released game. This software breach will result in a significant financial loss for the company and so Mr. Peabody has hired an expert in the field to conduct a forensic investigation on this breach and report on the findings. Objectives This report is a summary of the findings concerning the software breach that occurred within MobilizeIT, resulting in the publication of program code and assets for an unreleased game. The objectives of this report are to identify and investigate the origin and extent of this breach, summarise the investigative process undertaken and present the findings regarding this software breach. Evidence analysed During the investigation, a close analysis of the unauthorized exposed program code and assets as well as logs relating to the development of the unreleased game was commenced. This included files such as Java source code and unique, game specific assets such as audio files and animation sequences required for gameplay. Online platforms that the unauthorized files were found on also underwent close investigation and were compared to the search histories of the employees of MobilizeIT. Employee computers were also analysed to shed further light upon the investigation, including a thorough search of all files stored on the device, browser history and any portable storage devices such as USB’s. Communication history/logs of the employees were also analysed including emails, both to internal and external parties, and any other internal communications to locate any evidence regarding the breach. Upon investigation, this revealed many interactions relating to the upcoming game including file sharing and team collaboration. The outsourced IT company provided documentation on the IT infrastructure and support of MobilizeIT, and further investigation into the team structure and software development processes provided insight on the organizational structure within MobilizeIT. Investigation Steps Initial information acquisition: Engaged in an initial briefing with Mr. Peabody where he provided detailed information regarding the software breach, including background information on the development, the nature of the breach, the implications of the breached code and assets and anyone he believes to be a likely suspect. Key personnel interviewing: Mr. Peabody and the software development team were interviewed to acquire further insight into their role in the game development, any knowledge, or suspicions they may have relating to the breach. Network analysis: A thorough investigation into the network logs and configuration were conducted in order to assess any possible entry points or vulnerabilities within the network that could have been targeted and exploited, facilitating the software breach. Forensic evidence procurement and analysis: All computers and servers accessed/used by employees, namely admin staff, software development team and Mr. Peabody himself, were analysed to collect digital evidence. Access logs and file transfer logs were among the evidence gathered. This evidence was then examined to provide insight as to whether any suspicious activities have contributed to or caused the unauthorized online publishing of the program code and assets. DIGITAL FORENSICS FUNDAMENTALS Page 2 of 4 ITDF6 100 DFF labwork template.docx Communication analysis: Communication records were reviewed to determine whether there was any suspicious contact or potential insider involvement. The content of internal and external communications was analysed for evidence of any unauthorized file sharing or suspicious conversation and behaviour. Security investigation: The outsourced IT company provided information on their role in the security of MobilizeIT. Internal documentation on team structure and software development processes was also analysed. These investigations were used to gain understanding of any vulnerabilities or weaknesses within these security procedures that may have allowed for the breach to occur. Findings The unauthorized release of program code and assets has been confirmed as the data was found to be available online. Multiple copies of the files were found to be accessible on a variety of file sharing websites and online platforms, this lends itself to the idea that the unauthorized distribution of patented information originated from an internal party within MobilizeIT. Examination of forensic evidence has narrowed the suspect list, showing it is most likely that the breach came from an individual in the software development team. A close examination of employee computers and workstations has revealed significant evidence such as suspicious internet search history, including frequent visits to game development related forum blogs as well as to the websites that the unreleased data was found on. Additional evidence was found in the form of suspicious files, comprising of text files that contained sections of program code and many non-business-oriented emails and addresses, further implicating certain employees within the software development team as the likely perpetrators of the software breach. Supplementary investigation of the communication logs also contributed to the likelihood of illicit activity within the software development team. Analysis revealed that some of the employees have been using personal email accounts to collaborate in an unauthorized, non-business-oriented manner with external parties, discussing and sharing patented information and assets regarding the unreleased game. After an intensive analysis of network logs and configurations has revealed the presence of a compromised server within the infrastructure of MobilizeIT, that was used as a launch point for the unauthorized release of the game program code and assets. Suspicious USB devices were investigated and found to have been linked directly to the unauthorized sharing of the unreleased game data. The USB devices were found to have copies of the program code, assets, and related documentation. These findings strongly indicate deliberate attempts to share and further distribute the confidential information. Conclusion This investigation has confirmed that a software breach has occurred within MobilizeIT and resulted in the unauthorized publication of program code and assets for an unreleased game. The breach appears to be a combination of internal and external factors, involving illicit activities within the company and external collaboration for the publication of confidential information. The discovery of suspicious browser history and files, non-business-oriented emails and external collaboration and a USB device that contains compromised code and assets provide substantial evidence of internal intent to distribute proprietary information. Exhibits Exhibit 1: Screenshot of suspicious files found on certain software development team employees devices containing program code, images and animation and related documentation. DIGITAL FORENSICS FUNDAMENTALS Page 3 of 4 ITDF6 100 DFF labwork template.docx Exhibit 2: Screenshot of game development forum search history found on select software development team members devices: Exhibit 3: Screenshot of the contents of the USB found: DIGITAL FORENSICS FUNDAMENTALS Page 4 of 4 ITDF6 100 DFF labwork template.docx