Basic Digital Forensics Report

DIGITAL FORENSICS FUNDAMENTALS
Page 1 of 4
ITDF6 100 DFF labwork template.docx
LAB FOUR: REPORT WRITING
Overview/Case summary
Mr. Peabody is the owner of a small software development company, MobilizeIT, which specialises in writing
software for both Android and Apple mobile devices. Via an anonymous source, Mr. Peabody has discovered that
there has been a software breach resulting in the availability of the program code and assets for a soon-to-be-released
game. This software breach will result in a significant financial loss for the company, so Mr. Peabody has hired
an expert in the field to conduct a forensic investigation into the breach and report on the findings.
Objectives
This report is a summary of the findings concerning the software breach that occurred within MobilizeIT, resulting in
the publication of program code and assets for an unreleased game. The objectives of this report are to identify and
investigate the origin and extent of this breach, summarise the investigative process undertaken and present the
findings regarding this software breach.
Evidence analysed
During the investigation, a close analysis of the exposed program code and assets, as well as logs
relating to the development of the unreleased game, was carried out. This included files such as Java source code
and unique, game-specific assets such as audio files and animation sequences required for gameplay. The online
platforms on which the unauthorized files were found also underwent close investigation and were compared against the
search histories of MobilizeIT employees. Employee computers were also analysed to shed further light on
the investigation, including a thorough search of all files stored on each device, browser history and any portable
storage devices such as USB drives. Communication history and logs of the employees were also analysed, including emails
to both internal and external parties and any other internal communications, to locate any evidence regarding the
breach. This revealed many interactions relating to the upcoming game, including file sharing
and team collaboration. The outsourced IT company provided documentation on the IT infrastructure and support
of MobilizeIT, and further investigation into the team structure and software development processes provided
insight into the organizational structure within MobilizeIT.
Investigation Steps
Initial information acquisition: Engaged in an initial briefing with Mr. Peabody, where he provided detailed
information regarding the software breach, including background information on the development, the nature of
the breach, the implications of the breached code and assets, and anyone he believes to be a likely suspect.
Key personnel interviewing: Mr. Peabody and the software development team were interviewed to acquire further
insight into their roles in the game development and any knowledge or suspicions they may have relating to the breach.
Network analysis: A thorough investigation of the network logs and configuration was conducted in order to
assess any possible entry points or vulnerabilities within the network that could have been targeted and exploited
to facilitate the software breach.
Forensic evidence procurement and analysis: All computers and servers accessed or used by employees, namely
admin staff, the software development team and Mr. Peabody himself, were analysed to collect digital evidence. Access
logs and file transfer logs were among the evidence gathered. This evidence was then examined to provide insight
as to whether any suspicious activities had contributed to or caused the unauthorized online publishing of the
program code and assets.
Communication analysis: Communication records were reviewed to determine whether there had been any suspicious
contact or potential insider involvement. The content of internal and external communications was analysed for
evidence of any unauthorized file sharing or suspicious conversations and behaviour.
Security investigation: The outsourced IT company provided information on its role in the security of MobilizeIT.
Internal documentation on team structure and software development processes was also analysed. These
investigations were used to gain an understanding of any vulnerabilities or weaknesses within these security
procedures that may have allowed the breach to occur.
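The "forensic evidence procurement and analysis" step above mentions access logs and file transfer logs but does not show how such logs are triaged. The following is an added example, not part of the original lab report, of the kind of first-pass filter an examiner would run over a file-transfer log: it flags transfers of files under the protected project tree to destinations other than the internal file server, and notes when they fall outside business hours. The log format, host and user names, paths, the protected prefix and the business-hours window are all constructed assumptions for illustration; a real engagement would parse whatever format the organisation's own file server or proxy produces.

```python
"""Triage of constructed file-transfer log lines (added example; log format, names,
paths, protected prefix and business hours are all assumptions)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log. Fields: timestamp | user | action | source path | destination
SAMPLE_LOG = """\
2024-03-04T09:12:31 dev_alice COPY /srv/projects/questgame/src/Main.java smb://fileserver/build/
2024-03-04T23:41:07 dev_bob COPY /srv/projects/questgame/src/Engine.java usb://E:/backup/
2024-03-04T23:43:55 dev_bob COPY /srv/projects/questgame/assets/intro.anim usb://E:/backup/
2024-03-05T10:02:10 admin_carol COPY /srv/hr/policy.pdf smb://fileserver/shared/
2024-03-05T02:15:44 dev_bob UPLOAD /srv/projects/questgame/assets/theme.ogg https://share.example.net/upload
2024-03-05T11:30:00 dev_dave COPY /srv/projects/questgame/src/Level.java smb://fileserver/build/
"""

# Assumption: the unreleased game's code and assets live under this prefix.
PROTECTED_PREFIXES = ("/srv/projects/questgame/",)
# Assumption: the internal file server is a routine destination; anything else is
# external (web upload) or removable (USB) and worth a closer look.
INTERNAL_DEST_PREFIXES = ("smb://fileserver/",)
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local office hours


@dataclass
class TransferEvent:
    when: datetime
    user: str
    action: str
    src: str
    dst: str

    def touches_protected_data(self) -> bool:
        return self.src.startswith(PROTECTED_PREFIXES)

    def leaves_internal_storage(self) -> bool:
        return not self.dst.startswith(INTERNAL_DEST_PREFIXES)

    def outside_business_hours(self) -> bool:
        start, end = BUSINESS_HOURS
        return not (start <= self.when.time() < end)


def parse_log(text: str) -> list:
    """Parse the constructed five-field format into TransferEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, src, dst = line.split(maxsplit=4)
        events.append(TransferEvent(datetime.fromisoformat(ts), user, action, src, dst))
    return events


def flag_suspicious(events: list) -> list:
    """Return (event, reasons) pairs for protected data moved off internal storage."""
    flagged = []
    for ev in events:
        if not (ev.touches_protected_data() and ev.leaves_internal_storage()):
            continue
        reasons = ["protected data to external/removable destination"]
        if ev.outside_business_hours():
            reasons.append("outside business hours")
        flagged.append((ev, reasons))
    return flagged


def summarise_by_user(flagged: list) -> dict:
    """Count flagged transfers per user, to direct follow-up interviews and imaging."""
    counts = {}
    for ev, _ in flagged:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_suspicious(parse_log(SAMPLE_LOG))
    for ev, reasons in hits:
        print(f"{ev.when.isoformat()} {ev.user:<10} {ev.src} -> {ev.dst}  [{'; '.join(reasons)}]")
    print(summarise_by_user(hits))
```

On the constructed sample this flags only the three transfers of protected files to a USB path and to an external upload site, all of them at night, and attributes them to one user; routine copies to the internal build share and an HR document moved by admin staff are left alone. A filter like this narrows the evidence set before the detailed per-device examination described under the later steps; it does not by itself establish intent, which is why the report goes on to corroborate with browser history, communications and the contents of the seized devices.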
Findings
The unauthorized release of program code and assets has been confirmed, as the data was found to be available
online. Multiple copies of the files were found to be accessible on a variety of file sharing websites and online
platforms; this supports the idea that the unauthorized distribution of patented information originated from an
internal party within MobilizeIT. Examination of forensic evidence has narrowed the suspect list, showing that the
breach most likely came from an individual in the software development team.
A close examination of employee computers and workstations has revealed significant evidence, such as suspicious
internet search history, including frequent visits to game-development-related forums and blogs as well as to the
websites on which the unreleased data was found. Additional evidence was found in the form of suspicious files,
comprising text files that contained sections of program code, and many non-business-oriented emails and
addresses, further implicating certain employees within the software development team as the likely perpetrators
of the software breach.
Supplementary investigation of the communication logs further supported the likelihood of illicit activity within the
software development team. Analysis revealed that some of the employees had been using personal email
accounts to collaborate in an unauthorized, non-business-oriented manner with external parties, discussing and
sharing patented information and assets regarding the unreleased game.
An intensive analysis of network logs and configurations revealed the presence of a compromised server
within the infrastructure of MobilizeIT that was used as a launch point for the unauthorized release of the game
program code and assets.
Suspicious USB devices were investigated and found to be linked directly to the unauthorized sharing of the
unreleased game data. The USB devices were found to hold copies of the program code, assets and related
documentation. These findings strongly indicate deliberate attempts to share and further distribute the confidential
information.
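The finding that the USB devices held "copies of the program code, assets and related documentation" rests on showing that the recovered files are the company's files and not merely similarly named ones. The following is an added example, not part of the original lab report, of how an examiner establishes that: a manifest of SHA-256 hashes is taken from the protected project tree, and every file recovered from the device image is hashed and looked up in it, so renamed or relocated copies are still identified by content. The file names and contents for both the protected tree and the "recovered USB" listing are constructed stand-ins; a real case would hash files from a forensic image of the device and build the manifest from the company's repository or build server as it stood at the time of the breach.

```python
"""Content-hash matching of recovered removable-media files against a manifest of
protected files (added example; all file names and contents are constructed)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map content hash -> original path for the protected file set."""
    return {sha256_hex(content): path for path, content in files.items()}


def match_recovered(manifest: dict, recovered: dict) -> dict:
    """Classify each recovered file as an exact copy of a protected file or unmatched."""
    result = {"copies": [], "unmatched": []}
    for path, content in recovered.items():
        digest = sha256_hex(content)
        if digest in manifest:
            result["copies"].append(
                {"recovered_path": path, "matches": manifest[digest], "sha256": digest}
            )
        else:
            result["unmatched"].append(path)
    return result


# Constructed stand-in for the protected game tree on the company server.
PROTECTED_FILES = {
    "questgame/src/Engine.java": b"public class Engine { /* constructed sample */ }\n",
    "questgame/src/Level.java": b"public class Level { int id; }\n",
    "questgame/assets/intro.anim": b"ANIM\x00\x01constructed-binary-asset",
    "questgame/assets/theme.ogg": b"OggS\x00constructed-audio-sample",
}

# Constructed stand-in for the seized USB drive. Two entries are renamed and relocated
# copies, which a name-based search would miss; one is an edited version of a
# protected file, which an exact-hash match deliberately does not claim as a copy.
RECOVERED_USB = {
    "backup/Engine.java": PROTECTED_FILES["questgame/src/Engine.java"],
    "backup/misc/stuff.bin": PROTECTED_FILES["questgame/assets/intro.anim"],
    "backup/notes.txt": b"todo: finish intro level\n",
    "backup/Level.java": b"public class Level { int id; int seed; }\n",
}


def report(manifest: dict = None, recovered: dict = None) -> dict:
    """Run the match on the constructed data unless real inputs are supplied."""
    manifest = manifest if manifest is not None else build_manifest(PROTECTED_FILES)
    recovered = recovered if recovered is not None else RECOVERED_USB
    return match_recovered(manifest, recovered)


if __name__ == "__main__":
    r = report()
    for hit in r["copies"]:
        print(f"COPY  {hit['recovered_path']:<24} == {hit['matches']}  sha256={hit['sha256'][:16]}...")
    for path in r["unmatched"]:
        print(f"OTHER {path}")
```

The exact-hash approach gives an unambiguous, reproducible statement for the exhibit list ("this file on the device has the same SHA-256 as this file in the repository"), which is what a report of this kind needs. Its limit is equally important to state: the edited `Level.java` is not reported as a copy, so a file that was modified before being copied needs a separate similarity comparison, and the hashes of the original evidence image should be recorded before any analysis so the match can be repeated later.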
Conclusion
This investigation has confirmed that a software breach has occurred within MobilizeIT and resulted in the
unauthorized publication of program code and assets for an unreleased game. The breach appears to be a
combination of internal and external factors, involving illicit activities within the company and external
collaboration for the publication of confidential information. The discovery of suspicious browser history and files,
non-business-oriented emails and external collaboration, and a USB device that contains compromised code and
assets provides substantial evidence of internal intent to distribute proprietary information.
Exhibits
Exhibit 1: Screenshot of suspicious files found on certain software development team employees' devices, containing
program code, images and animation, and related documentation.
Exhibit 2: Screenshot of game development forum search history found on select software development team
members' devices:
Exhibit 3: Screenshot of the contents of the USB found: