Digital Forensics and Cyber Crime Investigation

HCC Partner is the top healthcare company in the United States. Management has noticed an intrusion in its systems, based on alerts in the logs of its IDS (Intrusion Detection System), which has caused management to question the reliability of the system. Analysis of the systems reveals that HCC uses the Snort IDS running on a Linux system.
Moreover, the HCC database administrator received and downloaded a strange email from the Human Resources Department; after the attachment was opened, the system began behaving strangely. The objective of this project is to analyze the HCC database server, the network and the other workstations suspected of being involved in the data leakage. The project will investigate whether there is evidence of a data breach.
A: Plan for Processing the Incident Scene and Potential Crime

The study uses the staircase model for the investigation process because the model supports a practical method for forensic investigation. Typically, digital forensic investigators work upward from the bottom step in a systematic way.

Fig 1: Staircase Model. Source: Casey (2011).

A1. Method to Identify Potential Digital Evidence

The first strategy to identify potential evidence is to trace the source of the email attachment that purportedly came from the Human Resources Department.
Essentially, all email communications and attachments are stored on the database server. The next step is to check the hard disk of the Human Resources computer to verify whether the email was sent from the HR department. The method to verify whether the email came from the HR department is to search the company database server for all the emails sent to the database administrator on the day the email was received.
Email searching carried out manually can be time-consuming, so we suggest using the X-Ways Forensics software to search for the email automatically. If the email on the hard disk or in the database has been deleted, the next step is to use forensic software to recover it. The study suggests using EnCase to assist in retrieving the deleted emails; the tool can collect data from various devices and assists in unearthing the evidence.
If the file was sent from the HR department, the next step is to scan the file for malicious software. The study suggests using one of the premium antivirus products to identify whether the file contains malware; if it does, this is evidence that the file was sent purposely to disrupt the company's information systems. At this point, we will scan the entire information system to identify whether it has been compromised.
2. Method to Prepare the Search

The best strategy to carry out the search is to use the Forensic Toolkit (FTK), an effective forensic investigation solution. FTK can assist in faster searching and filtering and provides comprehensive indexing and processing. The FTK toolkit will assist in correlating data to its source, and the tool will assist in linking the email to its sources.
The strategy will assist our company in tracing the origin of the email attachment, which will save investigative time by identifying the relevant evidence. One of the benefits of FTK is that it assists in identifying malicious files and tracing the origin of a file. If the email attachment is from the Human Resources Department, the toolkit will link the file to them.
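The email-tracing procedure described in A1 (search the server's mail for everything sent to the database administrator on the day in question, then examine the attachment for malware) and the search-and-filter step that FTK is proposed to speed up in section 2 can both be scripted as a first triage pass. The Python script below is an added example; it is not part of this essay and is not a feature of X-Ways, EnCase or FTK. It assumes the mail store has been exported to mbox format, and the addresses, dates and messages in it are constructed sample data. It filters by recipient and date, hashes each attachment so the hash can be recorded for the chain of custody, and flags executable extensions, double extensions and PE headers for the analyst to pass on to the antivirus scan.

```python
"""Email triage for the HR-attachment lead (added example, not from the essay).

Hypothetical assumptions: the mail store was exported to mbox format, the
database administrator's address is dba@hcc.example, and the suspect message
arrived on 2024-03-12. Every message below is constructed sample data.
"""
import hashlib
import mailbox
import tempfile
from email.utils import parsedate_to_datetime

# Constructed mbox: two messages to the DBA on the target day (one with an
# executable disguised as a PDF, one benign) and one message the day before.
SAMPLE_MBOX = """From hr@hcc.example Tue Mar 12 09:00:00 2024
From: hr@hcc.example
To: dba@hcc.example
Date: Tue, 12 Mar 2024 09:00:00 +0000
Subject: Updated benefits policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached policy.
--b1
Content-Type: application/octet-stream; name="policy.pdf.exe"
Content-Disposition: attachment; filename="policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--

From hr@hcc.example Tue Mar 12 10:00:00 2024
From: hr@hcc.example
To: dba@hcc.example
Date: Tue, 12 Mar 2024 10:00:00 +0000
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Report attached.
--b2
Content-Type: application/pdf; name="quarterly-report.pdf"
Content-Disposition: attachment; filename="quarterly-report.pdf"
Content-Transfer-Encoding: 7bit

%PDF-1.4 constructed placeholder, not a real document
--b2--

From hr@hcc.example Mon Mar 11 08:00:00 2024
From: hr@hcc.example
To: dba@hcc.example
Date: Mon, 11 Mar 2024 08:00:00 +0000
Subject: Reminder
Content-Type: text/plain

Timesheets are due Friday.
"""

# File types an analyst would not expect from HR as a plain attachment.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}


def sha256_hex(data: bytes) -> str:
    """Hash recorded for each attachment so later copies can be matched to it."""
    return hashlib.sha256(data).hexdigest()


def load_messages(mbox_text: str):
    """Write the mbox text to a temp file and parse it with the stdlib mailbox module."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(mbox_text)
        path = fh.name
    return list(mailbox.mbox(path))


def messages_to_recipient_on_day(messages, recipient: str, day: str):
    """Keep messages addressed to `recipient` whose Date header falls on `day` (YYYY-MM-DD)."""
    hits = []
    for msg in messages:
        if recipient.lower() not in (msg.get("To") or "").lower():
            continue
        try:
            sent = parsedate_to_datetime(msg.get("Date") or "")
        except (TypeError, ValueError):
            continue  # unparseable Date header: skip rather than guess
        if sent.strftime("%Y-%m-%d") == day:
            hits.append(msg)
    return hits


def triage_attachments(msg):
    """Return one record per attachment: sender, name, size, hash and review flags."""
    records = []
    for part in msg.walk():
        disposition = (part.get("Content-Disposition") or "").lower()
        if not disposition.startswith("attachment"):
            continue
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        flags = []
        if any(lower.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
            flags.append("executable-extension")
        if lower.count(".") >= 2:  # e.g. policy.pdf.exe
            flags.append("double-extension")
        if data[:2] == b"MZ":  # PE header regardless of what the name claims
            flags.append("pe-header")
        records.append({"from": msg.get("From", ""), "subject": msg.get("Subject", ""),
                        "filename": name, "size": len(data),
                        "sha256": sha256_hex(data), "flags": flags})
    return records


def run_triage(mbox_text: str, recipient: str, day: str):
    """The A1 procedure end to end: select the day's mail to the DBA, then triage its attachments."""
    results = []
    for msg in messages_to_recipient_on_day(load_messages(mbox_text), recipient, day):
        results.extend(triage_attachments(msg))
    return results


if __name__ == "__main__":
    for record in run_triage(SAMPLE_MBOX, "dba@hcc.example", "2024-03-12"):
        print(record)
```

The flags are triage hints, not a verdict: the flagged attachment still goes to the antivirus scan the essay calls for, and the recorded hash is what lets the same file be recognised later on the HR workstation or in a recovered copy.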
3. Steps the Team Takes to Seize Any Digital Evidence

Evidence in a computer system is treated the same as other physical evidence presented in court. Before evidence can be admissible in court, it must be legally obtained, and it is critical to obtain the evidence legally. U.S. law mandates that a search warrant must be obtained before seizing computer evidence; thus, our company will follow this legal procedure when obtaining the evidence. The search warrant will give us the authority to seize the evidence.
However, we will still need to follow the steps in the search warrant by ensuring that the evidence remains.