Written for Western Governors University, WGU Digital Forensics in Cybersecurity D431
WGU Digital Forensics in Cybersecurity D431: Task 1 and 2 Already Passed 100%
NAME
BFN1 Task 1: Investigative Plan of Action
You are a member of the investigative team that has been asked to develop an investigative plan of action. Create an investigative plan of action based on forensic best practices or standards that your team will implement.
Discuss the strategy that your team will use to maximize the evidence collection and minimize the impact on the organization.
The first step in this process is to assemble an investigative team. After the team has been created and understands the task at hand, we would begin our investigation by meeting with the heads of the relevant departments within the oil company (the IT department, Human Resources, the legal team, any relevant senior management, and any other stakeholders with an appropriate need to help the investigation). These individuals would need a clear understanding of the risks to the company caused by Mr. Smith's actions, as he has been accused of stealing proprietary information, which is in direct violation of the NDA (Non-Disclosure Agreement) and AUP (Appropriate Use Policy) documents he signed. The investigative team will need to know Mr. Smith's duties within the company and what information he was allowed to access. Establishing what Mr. Smith stole from the company is then the first step to pinpointing the scope of his network access, which in turn maximizes the collection of evidence.
Describe the tools and techniques your team will use in evidence gathering, preparation, and analysis.
After the scope of the damage caused by Mr. Smith has been determined, our team will then proceed to collect evidence. Some of the tools used to gather evidence may include:
A camera to photograph and document the state of the workstation.
Imaging tools such as FTK Imager or Clonezilla (both are open-source programs used to make a bit-level copy of a disk; investigators can work from this copy without the risk of harming the evidence on the original disk).
Volatility, open-source software used to acquire and analyze the data stored in RAM (Olatona, n.d.).
Log analysis tools to parse through data and search for suspicious server activity.
Wireshark (another open-source tool) to capture network traffic.
We will work with the physical security team to review camera footage of when and where Mr. Smith was within the building; from there, we can fully determine which workstations/servers he accessed and when. Those areas where he was recorded will be thoroughly photographed. What does the workstation look like? Were the devices left on or powered down? Are any devices plugged into the workstation? What kind of devices and how many? Once these questions have been answered and documented, we will move along the chain of custody.
Describe how your team will collect and preserve required evidence using standardized and accepted procedures.
The investigative team should follow the ISO/IEC 27037 guidelines and digital forensics best practices (Packetlabs, 2021). This standard outlines the procedure to identify, collect, acquire, and preserve digital evidence.
Before disturbing anything on or around the workstation, photograph and document everything visible. Take note of any devices/cables plugged into the computer, whether the computer was powered on, and a physical picture of what was running on the device.
Take a picture of what is running on Task Manager on the computer.
Capture the volatile system memory using the application Volatility.
Anything that must be removed and taken to a lab for analysis should be documented and secured based on the Chain of Custody standards.
Make a bit-level image of the system.
Store hard drives or other sensitive media/devices in anti-static bags.
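As an added illustration of the preservation steps above (not part of the submitted assignment), the following Python records a hash of the image at acquisition and appends a chain-of-custody entry each time the image is handled, flagging any copy whose hash no longer matches. The evidence ID, handler names and the sample image bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a bit-level disk image; in practice this would be
# the image file written by the imaging tool.
SAMPLE_IMAGE = b"\x00" * 4096 + b"NTFS    " + b"\xaa" * 2048


def sha256_of(data: bytes) -> str:
    """Hash the acquired image so later copies can be checked against it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC time of the action
    action: str      # "acquired", "transferred", "verified", ...
    handler: str     # person taking possession of the item
    sha256: str      # hash observed at the time of the action


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    log: list = field(default_factory=list)

    def record(self, action: str, handler: str, data: bytes) -> bool:
        """Append a custody entry; return whether the hash still matches acquisition."""
        digest = sha256_of(data)
        stamp = datetime.now(timezone.utc).isoformat()
        self.log.append(CustodyEntry(stamp, action, handler, digest))
        return digest == self.acquisition_hash

    def chain_intact(self) -> bool:
        """True only if every handling of the item observed the original hash."""
        return all(e.sha256 == self.acquisition_hash for e in self.log)


def acquire(item_id: str, description: str, data: bytes, handler: str) -> EvidenceItem:
    """Create the evidence record and log the initial acquisition."""
    item = EvidenceItem(item_id, description, sha256_of(data))
    item.record("acquired", handler, data)
    return item


def verify_copy(item: EvidenceItem, copy: bytes, handler: str) -> bool:
    """Log a verification of a working copy; False means the copy was altered."""
    return item.record("verified", handler, copy)
```

Any False result from verify_copy, or a chain_intact() that returns False, means the working copy can no longer be tied to the original acquisition and the examination must restart from a fresh image.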
Describe how your team will examine the seized evidence to determine which items relate to the suspected company policy violation.