Typically, a database uses either the simple recovery model or the full recovery model. The full recovery model can be supplemented by switching to the bulk-logged recovery model before bulk operations." (Microsoft, 2010 P. 2).
Meanwhile, our company will need to implement the full back up safeguard all our data. Under the full recovery model, the first step is to back up the transaction log. Combination of full back-up with log back ups is equivalent of full database back up. Starting the back up from the log transaction is the best practice to perform a full database back-up. The illustration in Fig 2 reveals the strategy to implement a full back up. As being revealed in the Fig 2, the back up starts from the transaction logs and the next step is to schedule the full database back up and file backups at subsequent interval to satisfy our company requirements. From the illustrations in the Fig 2, the backup (a, C, B, a) is the order in which file back-ups are carried out to satisfy the business requirements. The next step is to place the data back up in separate devises to enhance business continuity.
Fig 2: Data Restore and Back-up Strategy for Our Company
1.4. Create a Detailed Checklist
This section provides detailed checklists t to safeguard our data from the hostile IP address.
Identification of the Hostile IP address. The identification will include the country origin, and the website associated with IP address.
The next step is to block the IP address from communicating with our systems. We will need to install IP address management software to achieve this objective. The strategy will assist our systems to stop exporting data to the hostile IP address.
The next step is to recover our lost data as well as implementing the full back up strategy. The SQL Server 2008 R2 is effective in restoring our lost data.
The next step is to put the recovered data at a separate devices
Inspect the recovered data whether all the data are intact.
Other step is to install the IPS to prevent unauthorized network into our systems.
Final step is to install firewall to block all the unwanted traffic from our systems.
1.5. Determine the Resources Needed
Both financial resources and human resources will be needed to carry out the project. Typically, the company will need to set aside minimum of $30,000 dollars to carry out the task. The company could use an in-house staff or third part providers to carry out the tasks. To safeguard the data integrity, it is critical to use the in-house employees. The following resources will be needed for the project implementation:
Purchase of Forensic tool to recover the lost data exported to the hostile IP address,
Installation of SQL Server 2008 for the data backup,
Installation AutoShun technology or other IP Trace technology to block the hostile IP address getting access to our data,
Set aside skilled manpower in association with a forensic expert to implement the project.
1.6. Establishing the Chain of Custody.
The purpose of this chain of custody is to establish the electronic evidence that leads to the export of data to an identified IP address.
On 25 June 2013, Mr. James Anderson, a forensic expert in our organization collects the evidence that a hostile IP address has corrupted our system leading all our system to export data to the hostile IP address. Our intrusion detection system has notified us that our systems are exporting data to the hostile IP addresses.
The IP address is 58.1456.1246.1 hosted by a company having the major objective to commit criminal activities. The documented evidence reveals the file paths of the data lost from our systems to the hostile IP address.
The evidence of the data theft is from our hard drives and revealed as follows: We have made:
All the image copy of the data restored and data freshly wiped from our system.
Image copy of our operating system logs.
Typically, data are lost from the following systems to the hostile IP:
Data are lost from our server,
Data are lost from our database
Data are lost all from the hard disks of our computer systems,
Data are lost from all software,
Data are lost from all our storage devices, which include tapes, USB, and other storage devices that we use in storing our data.
The type of the data stolen from our system to the hostile IP address is as follows:
Credit card information of our clients,
Sensitive data such as SSN, health information, bank accounts, email, phone number, and addresses of our clients.
The strategy that we use to trace the hostile IP address is as follows:
Using of tracing tools include that include Netscan Pro and Neotrace.
We also Use IDS logs.
With the assistance of our computer forensic expert, the following professionals also assist in the investigation:
Incident team and corporate security,
Emergency response core team,
Forensic Expert of Data Tech Inc. Mr. James Anderson.
1.7. Obtaining and copying an evidence disk drive.
The report identifies that much of the evidence needed to support our forensic investigation is in the disks, hard drives and other storage devices in our systems. We have used forensic tool kits to locate the sample of this evidence. To collect the sample of evidence, our company will need to make the back up of all the data systematically restored. We also make the copy of all the following in the course of our investigation:
We make a copy of all our windows especially the Registry because it contains a wealth of information.
We also make a copy of our password files, the filesystem, and the shell,
We make copy of hard drive as an evidence disk drive,
From the hard drive, we make a copy of restore image and freshly wiped data.
We also make a copy of our operating system logs.
1.8. Analyzing and recovering the digital evidence.
Analysis phase involves gathering all data recovered in a central location for interpretation purpose. The data are recovered from the following:
data files, email, music files, application files,
Internet history files,
Hard disks web activity files, and the analysis of the recovered data revealed that the complete data are restored. The following file are recovered and data inside them are complete:
Data in the application files are recovered
Hard disk drive
USB mass storage device class
Optical computer storage
flash drives smart cards, re-writable CDs and DVDs
1.9. Investigating the Data Recovered
The report uses the FTK recovery application to investigate the data recovered from the target drive. The application displayed the file recovered and the file recovered displayed a complete reconstruction of the data restored. Based on the investigation, it is revealed that there are noticeable evidence of the original file and data recovered. Typically, the structure of the files in the FAT 32 and NFST drives are different from the original data.
Despite the difference in the data structure of the original file and data recovered, the contents of the data are still the same. Thus, our company is able to retrieve all the data, which include:
credit card information of our client,
Bank account number,
Social security number of our client,
1.10. Completing the Case Report
The report carries out the incident response and computer forensic investigation that occurs in our systems. The detailed work carried out is adhered to the rigorous professional practice protocols in digital forensic handling. The forensic computer investigation carried our revealed that our systems are exporting data to a hostile IP address. Upon the investigation, the report has identified that the IP address is owned a company with the objective to carry out the criminal activities. The intension of the owner of the IP address is to steal sensitive information from our systems.
The report has used several forensic tools to stop our systems from exporting data to the hostile IP address, and communicating with the IP address. The AutoShun technology is used to block the IP address from communicating with our systems. Moreover, the report has taken step to recover the data exported to the IP address. Despite that many of the data that have been exported have been deleted from our systems, the report uses different forensic tools to recover the data, and the complete data are recovered.
Thus, the report uses a comprehensive approach to discover the evidence and store the digital evidence to assist our organization to track the criminals. The report also uses a standard digital evidence recovery procedure to restore the lost data exported to the hostile IP address. The evidence of the data captured is…