
ETI Report Pavan

The micro-project report focuses on a case study of cyber forensics, detailing its aims, methodologies, and the importance of digital evidence in cybercrime investigations. It outlines several case studies illustrating the application of cyber forensics in real-world scenarios, highlighting the challenges and legal considerations faced by investigators. The project aims to enhance understanding of cyber threats, legal issues, and best practices in cybersecurity.

Micro-Project Report

ETI (22618)

Case Study on Cyber Forensics

1.0 RATIONALE:

Advancement and applications of Computer Engineering and Information
Technology are ever-changing. Emerging trends aim at creating awareness about
major trends that will define technological disruption in the upcoming years in the
fields of Computer Engineering and Information Technology.

2.0 AIMS/BENEFITS OF THE MICRO-PROJECT:

• AIM: The aim of a case study on cyber forensics is to provide an in-depth
analysis of a specific cybercrime investigation, detailing the methods and
techniques used to gather digital evidence and identify the perpetrator. The
case study should also provide insight into the challenges faced by
investigators and how those challenges were overcome, as well as the legal
and ethical considerations that arose during the investigation.

BENEFITS:

• Provides practical examples: A case study on cyber forensics provides practical,
real-world examples of how digital forensics is applied in investigating
cybercrimes. This helps forensic investigators and other stakeholders better
understand the nuances and complexities of cybercrime investigations.
• Demonstrates effective techniques: By analyzing the techniques and
methodologies used in a cybercrime investigation, a case study can highlight
effective approaches to digital forensics. This can help investigators improve their
skills and develop more effective strategies for gathering and analyzing digital
evidence.
• Highlights legal and ethical considerations: Cybercrime investigations often
involve complex legal and ethical considerations, including privacy concerns and
issues related to the admissibility of digital evidence in court. A case study can
help investigators and other stakeholders better understand these issues and
develop strategies for addressing them.

3.0 COURSE OUTCOME ADDRESSED:

1. Understanding of cyber threats and vulnerabilities.
2. Legal and ethical issues.
3. Knowledge of cybersecurity frameworks and best practices.
4. Incident response planning.

4.0 ACTUAL METHODOLOGY FOLLOWED:

1. Topic Allocation.
2. Proposal planning.
3. Identifying the case.
4. Collected information from various sources.
5. Finalized the concept for report.
6. Prepared report.

5.0 LITERATURE REVIEW:

1. Studied various cases related to cyber forensics.
2. Compiled information on recent cases.
3. Studied the book on Emerging Trends in IT.

6.0 ACTUAL RESOURCES USED:

| Sr. no | Name of resource/material | Specifications | Qty. | Remark |
|---|---|---|---|---|
| 1 | Computer system | Processor-Intel®; RAM-4GB; 64-bit operating system; Win7 | 1 | - |
| 2 | Internet | - | 1 | - |

7.0 OUTPUT OF MICROPROJECT:

Cyber Forensics

What is Cyber Forensics?

Cyber forensics is a process of extracting data as proof for a crime (that involves
electronic devices) while following proper investigation rules to nab the culprit by
presenting the evidence to the court. Cyber forensics is also known as computer
forensics. The main aim of cyber forensics is to maintain the thread of evidence and
documentation to find out who did the crime digitally. Cyber forensics can do the
following:

• It can recover deleted files, chat logs, emails, etc.
• It can also get deleted SMS and phone calls.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for how much time.
• It can identify which user ran which program.

Why Is Cyber Forensics Important?

In today’s technology-driven generation, the importance of cyber forensics is
immense. Technology combined with forensics paves the way for quicker
investigations and accurate results. Below are the points depicting the importance of
cyber forensics:

• Cyber forensics helps in collecting important digital evidence to trace the
criminal.
• Electronic equipment stores massive amounts of data that a normal person
fails to see. For example, in a smart house, every word we speak and every
action performed by smart devices generates a huge amount of data, which is
crucial in cyber forensics.
• It is also helpful for innocent people to prove their innocence via the evidence
collected online.
• It is not only used to solve digital crimes but also used to solve real-world
crimes like theft cases, murder, etc.
• Businesses benefit equally from cyber forensics in tracking system
breaches and finding the attackers.

Procedures Followed in Cyber Forensics

Cyber forensics is a field that follows certain procedures to find the evidence to reach
conclusions after proper investigation of matters. The procedures that cyber forensic
experts follow are:

• Identification: The first step of cyber forensics experts is to identify what
evidence is present, where it is stored, and in which format it is stored.
• Preservation: After identifying the data, the next step is to safely preserve the
data and not allow other people to use that device, so that no one can tamper
with the data.
• Analysis: After getting the data, the next step is to analyze the data or system.
Here the expert recovers the deleted files, verifies the recovered data, and
finds the evidence that the criminal tried to erase by deleting secret files. This
process might take several iterations to reach the conclusion.
• Documentation: After the data has been analyzed, a record is created. This record
contains all the recovered and available (not deleted) data, which helps in
recreating the crime scene and reviewing it.
• Presentation: This is the final step, in which the analyzed data is presented in
front of the court to solve cases.

Case Study:

Case 1: Wrongful Termination

• Background:
A former employee brought a wrongful termination suit against a construction
company, alleging that he was not responsible for the project cost overruns
that had resulted in his firing. The employee’s suit claimed that his superior
directed the project into increased costs and then blamed the results on other
employees. The former employee’s lawyers produced documents during
discovery that included e-mails sent to his superior, several of which cited
warnings of overruns and suggestions to avoid them.
• Investigation:
An investigation of the former employee’s computer ensued, searching for
evidence of the e-mails. These had been produced in paper form since the
former employee’s superior claimed that he never received those
communications. Examination of the computer showed portions of the e-mail
text within the hard drive’s “unallocated space,” which is the area on a
computer hard drive where the remains of deleted information reside. Since the text did not
appear in the former employee’s e-mail folders, a review of the company’s
e-mail servers was recommended. This would help determine if the e-mails
had been sent. After a thorough examination, there was no evidence of the
e-mails found on the servers. The e-discovery vendor’s research team went to
work testing several scenarios on the server to determine exactly where the
files could be found if the e-mail had been sent.
• Outcome:
All the information was compiled into a report and all the relevant documents
were produced to the construction company’s attorneys. The former project
manager was charged with theft of proprietary information and was ordered to
cease all communications with the company’s clients and return the stolen
information.
• Section of Laws:
Section 43A of the IT Act provides that whenever a corporate body possesses
or deals with any sensitive personal data or information, and is negligent in
maintaining a reasonable security to protect such data or information, which
thereby causes wrongful loss or wrongful gain to any person, then such body
corporate.

Case 2: Stolen Proprietary Information

• Background:
Six months after firing their lead project manager, a local construction
company heard rumors that their former employee was soliciting their two
best clients for his new consulting company. The replacement project manager
also discovered that several proprietary building plans for their most popular
model homes were missing from the former manager’s desktop computer.
• Investigation:
The construction company’s attorneys ordered an investigation of the project
manager’s computer. A forensic specialist was dispatched to the construction
company’s corporate headquarters to make a forensics copy of the computer
hard drive. Once back at the laboratory, an examination was performed on the
forensics copy based on a list of keywords provided by the construction
company. The forensics examiners were directed to investigate the
edit history and metadata for all of the files in the “My Documents” and
“Corporate Documents” folders. Furthermore, the investigators were asked to
look for evidence that any of those files had been copied to CD, thumb drive,
or any other external media. The forensics examiners discovered that the
former manager had indeed taken proprietary information from the company
and had a pattern of missing company time. The most recent edits to the
company’s client list showed that the document was copied to a thumb drive
four hours before he was fired; his user profile was logged into the computer
during the transfer time. He also deleted all the documents in the “My
Documents” folder and removed them from the recycle bin approximately one
hour before leaving the company. On several other occasions during the last
month of his employment, he copied the proprietary specifications for the
newest model home onto a CD. Moreover, the investigators discovered that he
spent three to five hours every day on the Internet shopping for handbags,
ATVs, accessories, and construction opportunities.
• Outcome:
All the information was compiled into a report and all the relevant documents
were produced to the construction company’s attorneys. The former project
manager was charged with theft of proprietary information and was ordered to
cease all communications with the company’s clients and return the stolen
information.
• Section of Laws:
If the wrongful termination of employment is done in violation of any
provisions of labour laws, the various labour laws such as the Industrial
Disputes Act, 1947, the Workmen’s Compensation Act, 1923, State Shops and
Establishments Acts, etc. shall apply. All major labour laws in India deal with
wrongful termination of employment. However, within the meaning of
‘workman’, even the managerial sector comes within the application of labour
laws in India.

Case 3: IT Destruction

• Background:
A local bank fired their IT manager after several of the bank’s tellers filed
sexual harassment complaints against him. When the bank executives arrived
at work the morning after his termination, they found their computer networks
inoperable, and their servers erased. The IT manager was immediately
suspected, but surveillance cameras showed that none of his entry cards had
been used to let him into the building after he was let go. The bank wanted to
find out what happened, so they contacted their attorneys and hired forensics
experts to collect images of the servers and the IT manager’s computer.
• Investigation:
A forensics investigator made forensic images of the manager’s workstation at
the bank, as well as the server computers. When the imaging process was
complete, the forensic copies were brought back to the laboratory for
investigation. Once all of the evidence was collected, the bank hired a local IT
firm to begin repair of the network and computer problems. Since no one was
physically present at the time of the destruction, the forensics examiners
searched for evidence of a remote connection to the bank’s servers. The
examiner also took note of the specific times the files were deleted. The
examiner found that the user “administrator” had logged into the server
approximately one hour after the IT manager left the bank, and the connection
had originated from a web address that was eventually traced to the general
location of his house. The former IT manager was one of two people with
knowledge of the “administrator” password. Further expert investigation
revealed that the method to delete files suggested it was someone with
knowledge of the server’s file structure and location.
• Outcome:
Taken together, each of these pieces of information was used to build a case
that the former manager had remotely logged in to the bank’s computers and
maliciously deleted key business data. These results were reported to the bank
and their attorneys, who brought formal charges against the former IT
manager.
• Section of Laws:
Section 43A of the IT Act provides that whenever a corporate body possesses
or deals with any sensitive personal data or information, and is negligent in
maintaining a reasonable security to protect such data or information, which
thereby causes wrongful loss or wrongful gain to any person, then such body
corporate.
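
The timeline correlation described in the Case 3 investigation (a remote “administrator” logon after the manager left, matched against the times files were deleted) can be sketched as follows. This is an added example, not part of the original report or the actual case: the log format, event names, file paths, timestamps and the documentation-range address 203.0.113.45 are all constructed.

```python
from datetime import datetime

# Constructed sample events (not from the case). Fields: time|event|user|source|detail
EVENTS = """\
2024-03-01T17:05:00|logoff|itmanager|console|workstation
2024-03-01T18:02:11|logon|administrator|203.0.113.45|remote
2024-03-01T18:04:30|delete|administrator|203.0.113.45|D:/core/ledger.db
this line is malformed and is skipped
2024-03-01T18:04:52|delete|administrator|203.0.113.45|D:/core/customers.db
2024-03-01T18:09:40|logoff|administrator|203.0.113.45|remote
2024-03-02T08:30:00|logon|teller1|console|local
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        ts, event, user, source, detail = parts
        rows.append({"ts": datetime.fromisoformat(ts), "event": event,
                     "user": user, "source": source, "detail": detail})
    return sorted(rows, key=lambda r: r["ts"])

def remote_sessions_after(rows, cutoff, privileged):
    """Remote logons by privileged accounts after `cutoff`, each with the
    deletions made by the same user and source while the session was open."""
    sessions, active = [], {}
    for r in rows:
        key = (r["user"], r["source"])
        if (r["event"] == "logon" and r["detail"] == "remote"
                and r["user"] in privileged and r["ts"] > cutoff):
            active[key] = {"user": r["user"], "source": r["source"],
                           "start": r["ts"], "end": None, "deleted": []}
            sessions.append(active[key])
        elif r["event"] == "delete" and key in active:
            active[key]["deleted"].append((r["ts"], r["detail"]))
        elif r["event"] == "logoff" and key in active:
            active.pop(key)["end"] = r["ts"]
    return sessions

def report(text, left_at, privileged=("administrator",)):
    cutoff = datetime.fromisoformat(left_at)
    return [{"user": s["user"], "source": s["source"],
             "minutes_after_departure": round((s["start"] - cutoff).total_seconds() / 60),
             "files_deleted": [path for _, path in s["deleted"]]}
            for s in remote_sessions_after(parse(text), cutoff, set(privileged))]
```

`report(EVENTS, "2024-03-01T17:05:00")` returns one session: the remote logon, how long after the departure time it started, and the files deleted during it.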

Case 4: Key Employee Removal

• Background:
A regional investment services company was planning on terminating their
Chief Financial Officer after many months of performance issues. After
concerns were raised regarding his unfettered access to significant proprietary
and confidential business information, the company’s attorneys recommended
creating a detailed plan for the CFO’s dismissal.
• Investigation:
E-discovery experts were asked to consult with the company’s CEO and legal
team to determine the best management of the CFO’s access to digital
information both during and after his termination. Due to his position at the
company, he had administrative passwords for all the company’s financial
software and tracking systems, making their security of paramount importance.
The e-discovery company’s experience with forensics investigations for
wrongful termination and proprietary information theft cases allowed them to
help create a detailed list of assets to be secured during the termination. In
addition, the e-discovery company was able to suggest several data
preservation measures to be enacted to prepare for any lawsuits that the
terminated CFO might file.
• Outcome:
After taking all the steps recommended in the plan, including the e-discovery
company’s recommendations, the CFO was terminated without incident. The
employee has not filed any wrongful termination claims and the company did
not experience any data loss or alteration.
• Section of Laws:
The Industrial Disputes Act, 1947 mandates a 30- to 90-day notice period
when terminating “workmen.” In the case of manufacturing units, plantations,
and mines with 100 or more workmen, “termination for convenience” requires
government approval; in other sectors, it requires only government
notification.

8.0 SKILLS DEVELOPED:

1. Understood how cyber forensics works.
2. Understood how to prepare a case study for cyber forensics.
3. Research skills were developed.

9.0 APPLICATION OF MICROPROJECT:

1. Can be used to study case studies on cyber forensics.
2. It will help to deepen the analysis.
3. It enhances the understanding of the complex and ever-evolving field of cyber
forensics.
