Case Study: Action Forensics

In Module 1, you were provided with information about the individuals employed by Action Forensics and their responsibilities. The company has the following employees:

• There are eight trained forensic investigators who utilize forensic software to analyze the digital images on the SAN. These same investigators perform all hard drive imaging.
• There is an evidence custodian who manages all evidence brought into Action Forensics protected storage area and maintains all chain-of-custody records for each evidence item.
• There is a company President, who is responsible for acquiring business contacts and finding forensic work for the investigators.
• There is a company secretary who handles all correspondence and phone calls.
• There is a network technician who is responsible for maintaining the network, all computers, and the required software installations, patches, security updates, firewall configuration, and other network-related activities.
• The company maintains a long-term consulting contract with a law firm to advise on legal issues.

In Module 2, you were provided with information about the two networks in use at Action Forensics.

There are two separate networks in the Action Forensics facility. The first network, shown here, is the administrative network used by the President, secretary, and network technician. Each device or computer has its own UPS for power backup.

The second network, shown here, is the forensic network used by the eight forensic investigators, evidence custodian, and the network technician. Each device or computer has its own UPS for power backup. The only information allowed on the dedicated Internet connection is backup data from the SAN to the offsite data backup facility.

Every computer on both networks runs Windows 7. The eight forensic workstation computers are all dual boot and run Ubuntu Linux as well. All Windows systems have the current version of Microsoft Office.

Only the network technician has administrator rights on all computers on both networks.

In this activity, you will be devising a Data Collection plan that describes how information on each asset will be collected.

Develop a Data Collection plan that can be used to perform Data Collection on the different assets in the Action Forensics organization. As you develop this plan you will have to make decisions based on your understanding of how the company works. Do not worry that you are making a wrong decision. For example, you may decide the owner of the 50 TB SAN is the network technician instead of the evidence custodian, or even one or more of the forensic investigators. What is important is that you document your reason for choosing one owner over another.

Based on your understanding of Action Forensics, identify what might be collected in the following areas:

• Listings of Enterprise Applications
• Listings of Databases
• Software Inventory
• Hardware Inventory
• System Diagrams
• Technical Design Documents

For each item that you identify, decide which of the following specific items should be collected:

• Asset Name
• System Name
• Description of the System
• Hostnames or IP Address
• Vendor, if any
• System Owner
• Technical Support Contact
• Department that uses the Asset
• Description of Data
• Classification of Data
• Number of Records

Decide which of the following specific items should be collected for an application:

• Operating System
• Database

Decide which of the following specific items should be collected for a database:

• Operating System
• Applications Supported

Remember, the object of this activity is to develop the Data Collection plan, not to actually collect the data. Keep in mind that someone who has never performed Data Collection should be able to follow your plan with a minimum of questions.