Assign 1 Human Aspect
BAC3117/BISF3105 ASSIGNMENT 1.
GROUP 21
A) Email and social media have at least one thing in common. There seems to be almost nothing that people won't post or share. Law enforcement and prospective employers make use of social media spaces to learn more about suspects and prospective employees. Assume that you are required to conduct an investigation involving a crime scene on these platforms; how would you go about extracting evidence that would be used to bring the suspects to book? [6 marks]
1. To access private data on social media or email accounts, one needs to
obtain sufficient legal authorization (e.g., search warrant or court order).
This step is critical to ensuring that any evidence you collect is admissible in court.
2. Look for digital footprints left by suspects, such as posts, messages, comments, likes, and shares on social media.
Search for any suspicious emails, attachments, or communication patterns that may be related to the crime.
3. Collect metadata for posts, emails, and interactions. Timestamps, IP addresses, device
information, and geolocation data are all examples of metadata that can be used to track the
origin and timeline of communication.
4. Utilize specialist tools and techniques to extract data without causing damage. Tools such as
Magnet AXIOM and FTK Imager can assist in retrieving and saving data for analysis.
5. Keep a clear chain of custody for any evidence collected. This involves carefully documenting
when, how, and who acquired the evidence and ensuring that it was not tampered with.
6. Collect and analyse data to identify patterns or relationships that may link the suspect to the
crime. This may entail cross-referencing social media posts with email communications,
geographical data, and timings to create a full case.
B) A bank hired your firm to investigate employee fraud. The bank uses four 20TB machines on a LAN that has an internet connection. You are permitted to talk to the network administrator, who is familiar with where the data is stored. You are allowed to examine all network systems in your investigations, among them the network and security equipment (IDS, IPS, etc.) and computer systems. What diplomatic strategies should you use? Which acquisition method should you use? Write a 2 page report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues. [14 marks]
Diplomatic Strategies:
Build rapport with the bank:
The network administrator plays a vital role in facilitating the investigation. Establishing trust
with this individual and the broader IT team is critical.
I will explain clearly the process the investigation will follow, reassuring the bank's personnel that their full cooperation is needed and that they will be kept informed throughout the investigation.
The approach is open and non-judgmental, so that personnel do not feel they are being blamed or over-investigated; this should reduce resistance.
Respecting confidentiality:
One of the most important diplomatic approaches is to reassure the management and
employees of the bank in question that privacy will be respected in conducting the
investigation. Access shall be given only to data relevant for fraud investigation, and all
unrelated personal details about certain persons should be kept secret.
This work will be done in close cooperation with the bank's legal team to make sure that all
actions are compliant with such data protection regulations as GDPR among other applicable
privacy laws.
Regular progress reports to the bank executives and the legal team would demonstrate openness and keep everyone aligned on the goals of the investigation.
Sharing key findings early allows the bank to take timely corrective measures if necessary and reassures the organization that the investigation is progressing.
We would ensure that forensic acquisition activities such as hard drive imaging or log analysis do not hinder daily activity at the bank; wherever possible, we would schedule them during off-peak hours.
Acquisition Method:
a) Disk Imaging:
This approach preserves the original state of the systems while allowing us to conduct a deep
analysis of the machines’ file systems for evidence of fraud.
We will create these images using tools such as FTK Imager or EnCase. These tools make certain
that the integrity of data is preserved through hash values to verify the authenticity of the image.
b) Log Analysis:
Analyzing logs from the IDS, IPS, and other network equipment would help to identify unauthorized access, abnormal network behavior, or suspicious internal data transfers, any of which may indicate that fraud is occurring or has occurred.
We will apply log analysis tools such as Graylog or Splunk to filter and search the logs for patterns and anomalies more effectively.
c) Network Traffic Capture:
Real-time network traffic capture can be used to provide a view of ongoing suspicious activities, including data leaks and unauthorized file transfers.
d) Employee Interviews:
Interview relevant employees for further insight. The interviews shall be conducted in a non-
confrontational way, and the employees will have full confidentiality. Reports generated after the
interviews shall ensure anonymity of statements given, hence privacy for the employee and the
interview process to enable honesty.
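As an added illustration of the log analysis described under b) above (this is not code from the original assignment, and not a Graylog or Splunk query), the following Python filters a few constructed firewall-style log lines for large outbound or out-of-hours transfers; the LAN range, thresholds, usernames and addresses are all assumed sample values.

```python
"""Filter constructed firewall/proxy log lines for unusual outbound transfers."""
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("10.20.0.0/16")       # assumed bank LAN range (constructed)
BYTES_THRESHOLD = 200 * 1024 * 1024    # 200 MiB in one session is "large" here
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 local time

# Constructed sample log lines: timestamp,user,src_ip,dst_ip,bytes_out
SAMPLE_LOG = """\
2024-03-04T10:15:02,j.doe,10.20.1.15,10.20.5.2,4096
2024-03-04T23:41:10,j.doe,10.20.1.15,203.0.113.7,734003200
2024-03-05T12:02:44,a.smith,10.20.1.22,198.51.100.9,12582912
2024-03-05T03:10:00,a.smith,10.20.1.22,10.20.5.2,524288000
2024-03-06T09:30:00,m.lee,10.20.1.30,203.0.113.7,314572800
"""

def parse(line: str) -> dict:
    ts, user, src, dst, nbytes = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "dst": ip_address(dst), "bytes": int(nbytes)}

def flag(rec: dict) -> list:
    """Return the reasons this record is worth an analyst's attention."""
    reasons = []
    external = rec["dst"] not in LAN
    if external and rec["bytes"] >= BYTES_THRESHOLD:
        reasons.append("large external transfer")
    if rec["ts"].hour not in BUSINESS_HOURS and rec["bytes"] >= BYTES_THRESHOLD:
        reasons.append("large transfer outside business hours")
    return reasons

def find_suspicious(log_text: str) -> list:
    """Parse every line, keep only flagged ones, biggest transfer first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        reasons = flag(rec)
        if reasons:
            hits.append((rec["user"], rec["ts"].isoformat(), rec["bytes"], reasons))
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

The flagged records are leads to be confirmed against disk images and interviews, not proof of fraud on their own.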
1. Data Volume:
Problem: The data is about 80 TB spread across four machines; going through all of it manually would be inefficient and highly time-consuming.
Solution: Use targeted keyword searches and filters to narrow the data to the most relevant timescales, files, and users. Elasticsearch will index the large datasets so that information critical to the fraud case can be located.
2. Encrypted Files:
Problem: If some of the files or communications are encrypted, this may limit our ability to review the data.
Solution: Work with the network administrator to obtain the encryption keys or, where necessary, use decryption software. If the encrypted data cannot legally be accessed, we can seek plaintext copies or backup versions of the files.
3. Network Complexity:
Problem: Large, complex networks with multiple security tiers (firewalls, load balancers, and VPNs) make it difficult to trace traffic and detect suspicious behavior.
Solution: Work with the network administrator to understand the architecture involved, make use of complete network documentation, and focus the analysis on specific sections of the network.
4. Evidence Integrity:
Problem: There is always a chance that evidentiary data is corrupted during acquisition or analysis, which jeopardizes the admissibility of that evidence in court.
Solution: Use forensic tools that produce cryptographic hashes of every file and image acquired. This provides data integrity that can be verified at any point in the investigation.
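An added example, not from the original assignment, of the hash-based integrity check referred to under Disk Imaging above and in the solution just given: it streams a SHA-256 over an image file, records the hash in a chain-of-custody list at acquisition, and re-verifies later, detecting a single modified byte. The image here is a small constructed file standing in for a real drive, and the examiner and host names are placeholders.

```python
"""Hash-based integrity check and chain-of-custody record for an acquired image."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-TB images never load into memory


def hash_image(path: Path) -> str:
    """SHA-256 of a disk image, computed as a stream."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image: Path, examiner: str, source: str, log: list) -> dict:
    """Append a custody entry: who acquired what, from where, when, and its hash."""
    entry = {
        "event": "acquired", "examiner": examiner, "source": source,
        "image": image.name, "sha256": hash_image(image),
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    log.append(entry)
    return entry


def verify_image(image: Path, log: list) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    recorded = next(e["sha256"] for e in log
                    if e["event"] == "acquired" and e["image"] == image.name)
    ok = hash_image(image) == recorded
    log.append({"event": "verified", "image": image.name, "match": ok,
                "utc": datetime.now(timezone.utc).isoformat(timespec="seconds")})
    return ok


def demo() -> tuple:
    """Constructed stand-in for a disk image: a small file, not a real 20 TB drive."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "bank-ws01.dd"                 # placeholder image name
        img.write_bytes(b"MBR\x00" * 4096)             # placeholder image content
        custody = []
        record_acquisition(img, "Examiner A", "bank-ws01 (placeholder host)", custody)
        before = verify_image(img, custody)            # untouched image verifies
        with img.open("r+b") as f:                     # simulate one flipped byte
            f.seek(100); f.write(b"\xff")
        after = verify_image(img, custody)             # tampering is now detected
        return before, after, len(custody)
```

In practice the acquisition hash is also written to a signed report so that the custody log itself cannot be silently edited.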
5. Employee Privacy:
Problem: An investigation may reveal personal information about employees unrelated to the case, raising privacy concerns.
Solution: Review only data relevant to the fraud investigation. Apply data minimization and liaise with the bank's legal team so that any sensitive information is handled in accordance with privacy laws.
6. Employee Resistance:
Problem: There is a risk that employees might not want to co-operate with the investigation because they fear becoming implicated or out of loyalty to their peers.
Solution: Interview them in a non-threatening manner so that employees understand the investigation is focused on fraud, not personal behavior. Findings will be anonymized to protect individual identities unless specific evidence of misconduct arises.
Problem: During the investigation, there is a risk of accessing sensitive customer information that is irrelevant to the case, potentially violating privacy laws (e.g., GDPR or local regulations).
Solution: Implementing data minimization protocols will ensure that only data directly relevant to the investigation is accessed. Use filtering tools to segregate personal data from investigation-related data, and collaborate with the bank's legal team to define the scope of the investigation, focusing only on the data necessary for uncovering fraudulent activity.
Problem: Accessing customer data without proper legal authorization could result in breaches of
privacy laws, leading to legal consequences for both the investigating firm and the bank.
Solution: Ensuring that legal authorization is obtained before accessing any customer data. This
includes consent from relevant stakeholders, compliance with internal policies, and necessary
approvals from regulatory authorities. This could involve working with the bank’s legal team to
obtain court orders or customer consent, if required.
Problem: Sensitive customer data may be exposed or compromised during the investigation process,
especially when transferring or storing large amounts of data.
Solution: Use of secure data handling practices, such as encryption during data transfer, secure
storage (e.g., encrypted drives or cloud storage), and access control mechanisms that restrict access
to authorized personnel only. These practices ensure that all devices and systems used in the
investigation are protected against unauthorized access or hacking.
By proactively addressing these challenges and maintaining a strong privacy protocol, the
investigation can proceed without violating customer privacy rights or regulations.