ComputerScienceExpert

(11)

$18 per page

About ComputerScienceExpert

Levels Taught:
Elementary, Middle School, High School, College, University, PhD

Expertise:
Applied Sciences, Calculus, Chemistry, Computer Science, Environmental Science, Information Systems, Science
Teaching Since: Apr 2017
Last Sign-in: 103 weeks, 2 days ago
Questions Answered: 4870
Tutorials Posted: 4863

Education

  • MBA IT, Master in Science and Technology
    Devry
    Jul-1996 - Jul-2000

Experience

  • Professor
    Devry University
    Mar-2010 - Oct-2016

Category: Programming. Posted 29 Apr 2017. My Price: 11.00

UMUC Cybercrime Investigation and Digital Forensics

A minimum of 250 words, APA format, 4 sources of reference; cite at least 2 of the reading list below in your write-up. No plagiarism, double spaced, in-text citations.
UMUC Cybercrime Investigation and Digital Forensics
CSEC650

Contents
Topic 1: Scenario (p. 2)
  Scenario: Embezzlement Leads to E-Discovery (p. 2)
Topic 2: Module Introduction (p. 4)
Topic 3: Electronic Discovery (p. 5)
  The E-Discovery Process (p. 5)
  Forensic Techniques (p. 7)
  Forensic Toolkits (p. 8)
  Which Toolkit Would You Use? (p. 9)
  Felicia Favreau Versus SharKapital (p. 10)
Topic 4: Admissibility of Digital Evidence (p. 11)
  Conundrum in the Courtroom (p. 11)
  Essential Concepts (p. 12)
  Obtaining a Search Warrant (p. 13)
  The Plain View Doctrine (p. 14)
  Activity: Legal Challenges to Admissibility (p. 15)
Topic 5: Report Writing for Forensic Examiners (p. 17)
  Writing a Good Digital Forensic Report (p. 17)
  Analyzing a Digital Forensic Report (p. 18)
  Expert Witnesses and Their Credentials (p. 22)
Topic 6: Legal Challenges (p. 24)
  Presenting Evidence and Testimony in Court (p. 24)
Topic 7: Activity (p. 26)
  Activity: Fraud Detector! (p. 26)
Topic 8: Summary (p. 29)
Glossary (p. 30)

© UMUC 2011 Page 1 of 31

Topic 1: Scenario
Scenario: Embezzlement Leads to E-Discovery
Digital Evidence Presentation, CSEC650 Module 5
During the annual financial audit for brokerage giant SharKapital, the company's
accounting firm discovered a large embezzlement scheme. This immediately placed
SharKapital's management at the center of civil and criminal lawsuits. As blame shifts
from the Chief Executive Officer (CEO) to the Board of Directors, the company's legal
department launches an urgent investigation through an electronic discovery (e-discovery)
process. This process is used to collect and present digital forensic evidence that can
implicate the guilty and clear the innocent.
Scenario
The Case
Headlines are breaking around the world as SharKapital's reputation comes under
scrutiny. While most of their high-end clients are refusing to talk to the media, billionaire
Felicia Favreau refuses to hide her contempt for the way she claims SharKapital has
"mismanaged her funds."
Wall Street Salutes Blair Overton
Blair Overton, the CEO of SharKapital, has completed 20 years in the industry and is
named this year's "Wall Street Czar." Wall Street's biggest and brightest fund managers
salute this financial genius for his leadership skills and financial acumen, which
transformed SharKapital from a small regional player into a global conglomerate.
Overton's ability to negotiate the turbulent stock markets helped SharKapital stay afloat
while his rivals drowned in chaos brought on by global competition and the economic
downturn.
Felicia Favreau Creates Her Peanut Empire
"The Favreau family's climb out of poverty has been a rewarding experience," states
Heiress Felicia Favreau, whose father sold used cars in Detroit just to keep food on the
table. Then one summer, her father's luck turned around after he won the state lottery
and started his own motor oil factory.
His eldest daughter, Felicia, diversified their business by going into producing the world's
finest peanut oil. "We survived on peanuts then, and now we live off them," laughs
Favreau. Miss Favreau invests heavily through SharKapital and is greatly disappointed
that all her money might now be lost to fraudulent management.
The Meeting
A meeting is in progress at SharKapital Headquarters, New York City. In the meeting are
the CIO, Stanley Fox, the CFO, Markus Bingham, and the Public Relations Manager,
Linda Garnett.
A transcript of their conversation is reproduced here.
Stanley: Our CEO, Blair Overton, has been charged with embezzling $120 million over
a 10-year period through a complex series of fraudulent electronic financial transactions.
Markus: Overton borrowed the funds to finance his short-selling of premier stocks. We
had no idea because he had our junior accountants on his payroll. I never saw these
entries.
Linda: That's the same Overton whom Wall Street experts called a "financial genius"
last year? Obviously, this means a massive financial crisis for the company and the
markets.
Markus: Yes. Despite our years of success, it's clear we'll have to declare bankruptcy
now.
Stanley: While Overton will face criminal charges from the District Attorney's office,
SharKapital's board is facing a civil lawsuit from one of our top clients—Felicia Favreau.
Linda: Felicia has filed a negligence case against the board. I've asked our legal
department to launch an e-discovery process immediately to obtain evidence of our
innocence.
Corporate Legal Department
SharKapital's corporate legal department must begin the e-discovery process.
E-discovery is an investigation that corporations or private organizations conduct to
obtain digital forensic evidence in cases of insider trading, accounting fraud, or industrial
espionage.
It is mostly used for civil litigation and not for criminal cases. Law enforcement agencies
are minimally involved, and corporate legal departments initiate and manage the
e-discovery process by hiring private forensic investigators.
Forensic Investigators
SharKapital hires Richman and Stern, LLC, a medium-sized digital forensic investigation
firm. Over the next four months, the firm will investigate the embezzlement scheme by
imaging and analyzing 200 or more computers and mobile devices.
After they locate the evidence, some of the forensic experts from Richman and Stern,
LLC will be deposed and will serve as expert scientific witnesses. The experts will also
prepare written forensic reports to present in court to validate the evidence they are
presenting.
Topic 2: Module Introduction
Cybersecurity professionals working in the field of digital forensics are often required to
present evidence at legal proceedings such as hearings, depositions, and trials. They
may even be called as expert witnesses, so it is essential that they know how to write
forensic reports and also how to prepare digital evidence for presentation in a courtroom.
This module deals with the presentation of digital evidence in the event of litigation.
There are two types of cases for which forensic experts are called to collect evidence:
civil and criminal. This module discusses the e-discovery process, what it entails, and
how it should be performed in a civil case. The module also covers the admissibility of
evidence in criminal cases. It specifically looks at the steps, precautions, and procedures
necessary to ensure that digital evidence can be given full consideration by a judge and
jury. In addition, the module analyzes common legal methods that attorneys and judges
can use to dismiss digital evidence or have it deemed inadmissible.
Topic 3: Electronic Discovery
The E-Discovery Process
Introduction
As most business transactions and reports consist of Electronically Stored Information
(ESI), e-discovery is commonly employed to collect evidence in civil litigation. When a
civil case reaches the discovery phase, both parties launch an e-discovery process to
gather and analyze digital evidence.
Data stored on computers and mobile devices are acquired, examined, and analyzed.
Reports are then compiled. Based on the relevance and value of the evidence acquired,
legal teams determine the arguments they will present in court.
The term "e-discovery" is traditionally used in civil litigation, while the term "computer
forensic investigation" is used in criminal matters. However, the actual forensic
processes are nearly identical in both types of investigation.
Steps
Step 1: Manage Data
Companies are required to follow the Sarbanes-Oxley Act and Internal Revenue Service
requirements for managing their financial and tax accounting data in digital and paper
formats. Company data must be managed in an up-to-date inventory, and managers
must know where the data are located: on-site, at corporate headquarters, or at an off-site
storage location. For medium-sized and large companies, this is not a simple task
because of the large volume of data they generate and retain.
Step 2: Collect Data
Investigators must determine which company resources they need to include in their
investigation. For example, if a company's servers are attacked, which servers should be
examined? Investigators must consult various personnel in the company who know how
the data are stored and transferred. Often, the data being collected can amount to
hundreds of gigabytes, even for a small case. If the organization manages its data
efficiently, collecting the data will be simplified.
Step 3: Process Data
Records that are duplicated, outdated, or irrelevant to a case must be pointed out to
management. Such records can then be destroyed through appropriate procedures to
reduce the mass of data to the most relevant case-related information. Records
important to the investigation must be forensically preserved. Investigators must consult
with the IT department, which plays a critical role in this step of the e-discovery process.
Step 4: Review Data
The attorneys review the processed data to select evidence that will build and support
their case in court. Evidence can include source documents, contracts, correspondence
between parties, and balance sheets. This is a vital part of the investigation, and the
quality of the data that were processed will have a direct impact on how the case
develops. After e-discovery, the examiner must preserve the data in a secure manner in
case it has to be retrieved and presented in court.
Step 5: Present Data
Lawyers may refer to the Federal Rules of Civil Procedure as their primary legal guide
and evolving case law as their secondary legal guide when presenting evidence in court.
Forensic investigators can organize the evidence neatly and efficiently to help make the
lawyers' arguments convincing and persuasive.
Forensic investigators might also be asked to take the stand as expert witnesses.
Lawyers and witnesses must adequately prepare for anything that might occur during
the course of presenting digital files to a judge or jury in courtroom hearings.
Activity
Question: The world's largest fashion publication, F-Tonic, has discovered that several
corporate spies are working at their subsidiary offices. F-Tonic's CEO believes these
spies have been planted by their biggest rival, Radical Runway. However, before
F-Tonic can fire these spies and take Radical Runway to court, it needs solid evidence.
As part of the e-discovery process, F-Tonic's legal department and forensic consultants
carry out these five tasks.
Arrange the tasks in the correct sequence required to carry out an e-discovery
investigation.
a. Isolate the computers used by the spies.
b. Testify in court about Radical Runway's espionage plan.
c. Image the hard drives of the isolated computers.
d. Identify the e-mails the spies sent to Radical Runway.
e. Refer to the list of files located at the subsidiary offices.
Correct Answer: The correct sequence of tasks is e, a, c, d, b.
Feedback:
F-Tonic's legal department and forensic consultants would carry out the five tasks in this
order: refer to the list of files located at the subsidiary offices, isolate the computers used
by the spies, image the hard drives of the isolated computers, identify the e-mails the
spies sent to Radical Runway, and testify in court about Radical Runway's espionage
plan.
Topic 3: Electronic Discovery
Forensic Techniques
When collecting data during the e-discovery process, a forensic examiner uses a wide
range of techniques to extract all possible evidence that supports the investigation.
Searching Keywords
With input from the client and the client's lawyers, the forensic examiner draws up a
list of 50 to 300 keywords. For example, in the SharKapital case, the possible
keywords could include the name of the CEO, as well as the names of the CEO's
relatives, known business associates, and suspected co-conspirators. These
keywords can be mapped to documents, e-mails, and instant messages.
Searching E-Mails
After the forensic investigator obtains a suspected employee's password, he or she
searches the suspect's computer for e-mails sent and received on particular dates.
Through such a narrow but deep search, the examiner identifies the key people with
whom the employee was communicating, such as co-conspirators and financial
supporters. E-mail searches can also be used to identify critical dates of activities
and appointments by acquiring calendar and contact information.
Recovering Deleted Files
Most computer forensic tools can recover deleted files or fragments of deleted files.
To use these tools effectively, the forensic examiner must understand how files are
stored and deleted on a computer's hard drive. The File Allocation Table (FAT) is a
good resource to check for files that may have been deleted. This tells the examiner
whether the user erased critical evidence.
Viewing Slack Space
Operating systems create space clusters on a hard drive in which files can be stored.
Some files are smaller than the cluster size allocated to them, and as a result, there
is unutilized or "slack" space in the cluster. Slack spaces often contain useful
forensic artifacts, such as data fragments from files that have been deleted. Viewing
slack space is another technique for obtaining deleted evidence.
Identifying Files
User- or custodian-specific files include documents, spreadsheets, and presentation
files that were created, accessed, or modified by a specific user, such as the party of
interest in the case. By using forensic tools, the examiner can identify each file's
owner or custodian name, as well as the modified, accessed, and created (MAC)
timestamps.
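The culling described in Step 3 (Process Data), combined with the keyword, dated e-mail and custodian/MAC-timestamp techniques above, as an added Python example that is not part of the UMUC module: duplicates are detected by content hash, and only in-scope keyword hits for the custodians of interest are kept for preservation. The file records, paths, names and keyword list are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FileRecord:
    """One collected item: path, owner/custodian, content and MAC timestamps."""
    path: str
    custodian: str
    content: bytes
    modified: datetime
    accessed: datetime
    created: datetime

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed sample collection; paths, names and contents are fictional.
SAMPLE = [
    FileRecord("C:/Users/overton/Documents/transfer_q3.xlsx", "overton",
               b"Wire to Cayman account approved. -- B. Overton",
               datetime(2008, 9, 3), datetime(2010, 1, 5), datetime(2008, 9, 2)),
    # Byte-identical backup copy: same hash, so it is reported as a duplicate.
    FileRecord("C:/Users/overton/Backup/transfer_q3 (copy).xlsx", "overton",
               b"Wire to Cayman account approved. -- B. Overton",
               datetime(2009, 1, 1), datetime(2010, 1, 5), datetime(2009, 1, 1)),
    FileRecord("C:/Users/overton/Mail/2009-03-11.eml", "overton",
               b"From: overton@sharkapital.example\nSubject: short sale financing\n",
               datetime(2009, 3, 11), datetime(2009, 3, 11), datetime(2009, 3, 11)),
    # Outside the period under investigation: outdated, so culled.
    FileRecord("C:/Users/overton/Archive/1998_prospectus.pdf", "overton",
               b"SharKapital prospectus 1998, signed B. Overton",
               datetime(1998, 5, 1), datetime(1998, 5, 1), datetime(1998, 5, 1)),
    # Different custodian and no keyword hit: irrelevant, so culled.
    FileRecord("C:/Users/garnett/HR/holiday_schedule.docx", "garnett",
               b"Office closed on December 25.",
               datetime(2009, 12, 1), datetime(2009, 12, 1), datetime(2009, 12, 1)),
]
KEYWORDS = ["overton", "cayman", "short sale"]  # CEO name plus case-specific terms


def deduplicate(records: Iterable[FileRecord]) -> Tuple[List[FileRecord], List[str]]:
    """Keep the first copy of each distinct content hash; report later copies."""
    seen: Dict[str, str] = {}
    unique: List[FileRecord] = []
    duplicates: List[str] = []
    for rec in records:
        digest = rec.sha256()
        if digest in seen:
            duplicates.append(rec.path)
        else:
            seen[digest] = rec.path
            unique.append(rec)
    return unique, duplicates


def keyword_hits(rec: FileRecord, keywords: Iterable[str]) -> List[str]:
    """Case-insensitive keyword search over the decoded record body."""
    body = rec.content.decode("utf-8", errors="replace").lower()
    return [k for k in keywords if k.lower() in body]


def in_window(rec: FileRecord, start: datetime, end: datetime) -> bool:
    """In scope if the file was created or modified inside the period."""
    return any(start <= ts <= end for ts in (rec.created, rec.modified))


def triage(records: Iterable[FileRecord], keywords: Iterable[str],
           custodians: Set[str], start: datetime, end: datetime) -> Dict[str, List[str]]:
    """Step 3 culling: drop duplicates, preserve in-scope hits, report the rest."""
    unique, duplicates = deduplicate(records)
    preserve: List[str] = []
    culled: List[str] = []
    for rec in unique:
        relevant = (rec.custodian in custodians and in_window(rec, start, end)
                    and keyword_hits(rec, keywords))
        (preserve if relevant else culled).append(rec.path)
    return {"preserve": preserve, "duplicates": duplicates, "culled": culled}


if __name__ == "__main__":
    result = triage(SAMPLE, KEYWORDS, {"overton"},
                    datetime(2000, 1, 1), datetime(2010, 12, 31))
    for bucket, paths in result.items():
        print(bucket, paths)
```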
Topic 3: Electronic Discovery
Forensic Toolkits
A forensic examiner can select forensic software appropriate for the techniques he or
she is using. Often, forensic software is bundled up in toolkits to allow a forensic
examiner to perform various functions while collecting evidence. While some forensic
toolkits are little more than a collection of useful utilities, most toolkits are tightly
integrated and have advanced user interfaces.
EnCase® Forensic
EnCase® Forensic, by Guidance Software, is an industry-standard digital forensic
tool. It captures data from a wide variety of digital machines such as servers,
workstations, and mobile phones. This software uses an advanced search
functionality to retrieve data from the disk level, generates reports, and preserves the
integrity of the evidence in a court-approved format.
Forensic Toolkit®
Forensic Toolkit® (FTK) is used by companies in the private sectors and by law
enforcement and government agencies worldwide. It runs on Windows operating
systems and is considered the industry standard in cracking and decrypting
passwords from e-mails and chats. Created by AccessData, FTK also streamlines
keyword searches to locate data accurately.
The Sleuth Kit
The Sleuth Kit (TSK), developed by leading computer forensic researcher Brian
Carrier, allows a forensic examiner to run a series of UNIX or Windows commands
on a live hard drive to analyze it. By adding a Graphical User Interface (GUI) called
Autopsy Forensic Browser to TSK, examiners can organize files in the system by
date, type, and case. Examiners can also verify the integrity of any media images
created for an investigation.
KazForensics
Kazeon's KazForensics has a built-in chain of custody for Electronically Stored
Information (ESI). This feature allows examiners to maintain the data integrity of
documents and e-mails during a forensic examination. Its auditable workflow allows
the transparent and accurate forensic process to be verified in a court of law.
Topic 3: Electronic Discovery
Which Toolkit Would You Use?
Question: As a forensic examiner, you need to examine a live computer that runs on a
Linux platform. Which toolkit will be most useful in allowing you to search the computer's
hard drive and organize files based on their type: JPEG, documents, and HTML?
a. Forensic Toolkit
b. The Sleuth Kit
c. KazForensics
d. EnCase® Forensic
Correct Answer: Option b
Feedback:
The Sleuth Kit (TSK) allows forensic examiners to perform live searches on Linux-based
systems and sorts files on the hard drive by type, date, or case.
Topic 3: Electronic Discovery
Felicia Favreau Versus SharKapital
The forensic teams employed by Felicia Favreau and SharKapital conducted their
separate e-discovery processes. Felicia Favreau's digital forensics team did not work
with the best evidence. As a result, they tampered with the original evidence. When they
needed to recheck a particular deleted file, they were not able to return to the original
evidence.
SharKapital's digital forensic consultants did not use the best evidence. When they
presented their testimony in court, there were discrepancies in the evidence they found
and the conclusions they reached. As a result, the judge dismissed the evidence from
both sides and declared a mistrial. The other fallout of Blair Overton's embezzlement is
the criminal case State of New York v. Blair Overton.
Topic 4: Admissibility of Digital Evidence
Conundrum in the Courtroom
The SharKapital trial is in progress at the New York State Supreme Court.
The District Attorney (DA) of New York State has filed criminal charges against
SharKapital's CEO, Blair Overton. The prosecution and Overton's legal team have
presented their evidence during the trial. The judge rules on the admissibility of evidence
presented by both sides.
Judge's Ruling
The evidence presented by the DA was procured without a proper search warrant, and
as a result cannot be considered by the jury in this case. Since the key evidence is found
to be inadmissible, this court finds in favor of the defendant Blair Overton. Case
dismissed.
District Attorney, Craig Holton
When our digital forensics team searched Mr. Overton's holiday home on Long Island,
they discovered e-mails saved in encrypted folders on his home computer. There were
several e-mails exchanged between Mr. Overton and SharKapital's clients, giving
evidence of insider trading. However, all this evidence was considered inadmissible in
court due to the fact that the search warrant was not obtained in the proper manner.
Blair Overton's Lawyer
We were not aware of any e-mails between Mr. Overton and SharKapital's clients, as the
search warrant issued by the court allowed forensic teams to search only Mr. Blair
Overton's Manhattan residence, not his home on Long Island. Therefore, we asked the
judge to declare a mistrial due to incomplete evidence. Because the opposing counsel's
team violated the search warrant, Blair Overton has escaped paying court costs to the
State of New York and also avoided a jail sentence.
Loopholes in the Evidence
The first problem with the evidence was the fact that the key evidence was procured
without a proper search warrant. Besides the key evidence's being found inadmissible,
there were other problems with the criminal investigation.
There was a significant difference between the total number of hard drives reported by
the defendant's forensic team and the total number of hard drives listed by the New York
Police Department (NYPD). This discrepancy showed up on the chain-of-custody form
attached to the best evidence. Though the forensic team claims they used reliable
forensic tools to obtain evidence from all the devices they were asked to search, some of
the tools gave a number of false positive results.
Topic 4: Admissibility of Digital Evidence
Essential Concepts
For computer forensic evidence to be accepted in a court of law, it must meet two criteria
in equal measure: admissibility and sufficiency.
Admissibility
A judge deems a piece of evidence admissible if the evidence satisfies these conditions:
It is relevant to the case being tried.
It has been procured when in plain view or using a search warrant.
It has been preserved with an updated chain of custody.
If the evidence cannot be considered by a judge or jury, then the investigator will have
wasted time and effort in preparing it. Furthermore, a guilty or liable party might escape
punishment if incriminating evidence is inadmissible.
Sufficiency
A judge or jury deems that a piece of evidence is sufficient if they find it to be believable
and persuasive based on lawyers' arguments and expert witnesses' testimony. In short,
they must decide whether the evidence is authentic, accurate, and complete.
The evidence is authentic if it is demonstrated to have come from the claimed sources—
for instance, the suspect's computer, smartphone, or server. The evidence is accurate if
it tells a consistent story beyond a reasonable doubt. The evidence is complete if it tells
only one story, and there are no other stories that the evidence could also tell that might
have a bearing on this specific hearing.
Checklist
To ensure that the evidence they present is convincing and admissible, forensic
investigators must do the following:
1. Use computer media that are considered sterile. This means that the media should
be new and free from malware.
2. Maintain the integrity of the original media. This ensures that the digital evidence is
an exact and forensically sound copy of the original evidence.
3. Correctly label, mark, and control all reports or printouts that are generated during
the course of the forensic examination. This is required especially if reports are sent
to other parties, even if they are not included in the final forensic report.
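Checklist item 2 (a forensically sound copy of the original media) and the chain-of-custody count discrepancy from "Loopholes in the Evidence", as an added Python example that is not the module's own: the image is hashed at acquisition, the working copy is re-verified against that hash before every use, and the custody form is reconciled against the seizure inventory. Item ids, handler names and the device contents are constructed; no real media is touched.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set

CHUNK = 4096  # hash in chunks, as an imager must for media larger than memory

# Constructed stand-in for the bytes read from a seized drive.
DEVICE_01 = (b"SHARK-LEDGER-2009|" * 300) + b"|END"


def sha256_of(data: bytes) -> str:
    """Chunked SHA-256 of an image or of the original media."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    item_id: str
    action: str             # "seized", "imaged", "transferred", "verified"
    handler: str
    when: datetime
    sha256: Optional[str]   # hash at that step; None before the item is imaged
    note: str = ""


@dataclass
class CustodyForm:
    """Append-only chain of custody; every handling step adds an entry."""
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, item_id: str, action: str, handler: str, when: datetime,
               sha256: Optional[str] = None, note: str = "") -> None:
        self.entries.append(CustodyEntry(item_id, action, handler, when, sha256, note))

    def acquisition_hash(self, item_id: str) -> Optional[str]:
        """Hash recorded when the item was imaged, or None if never imaged."""
        for entry in reversed(self.entries):
            if entry.item_id == item_id and entry.action == "imaged":
                return entry.sha256
        return None

    def items(self) -> Set[str]:
        return {entry.item_id for entry in self.entries}


def acquire(form: CustodyForm, item_id: str, device: bytes,
            handler: str, when: datetime) -> bytes:
    """Image the media (here: copy the bytes) and prove the copy matches the original."""
    image = bytes(device)  # all later analysis works on this copy, never on the original
    original_hash, image_hash = sha256_of(device), sha256_of(image)
    if original_hash != image_hash:
        raise RuntimeError(f"{item_id}: image does not match original media")
    form.record(item_id, "imaged", handler, when, image_hash,
                "image hash verified against original media")
    return image


def verify(form: CustodyForm, item_id: str, image: bytes,
           handler: str, when: datetime) -> bool:
    """Rehash the working copy and compare with the acquisition hash on the form."""
    expected = form.acquisition_hash(item_id)
    if expected is None:
        return False  # nothing to verify against: the item was never imaged
    current = sha256_of(image)
    ok = current == expected
    form.record(item_id, "verified", handler, when, current,
                "match" if ok else "MISMATCH: copy is no longer forensically sound")
    return ok


def reconcile(form: CustodyForm, seized_inventory: Set[str]) -> Set[str]:
    """Items on the seizure inventory or the custody form, but not on both."""
    return seized_inventory ^ form.items()


if __name__ == "__main__":
    form = CustodyForm()
    now = datetime(2011, 3, 1, 9, 0)
    img = acquire(form, "HDD-01", DEVICE_01, "R. Stern", now)
    print("intact copy verifies:", verify(form, "HDD-01", img, "R. Stern", now))
    print("altered copy verifies:", verify(form, "HDD-01", img[:-1] + b"X", "R. Stern", now))
    form.record("HDD-02", "seized", "NYPD evidence unit", now)
    print("inventory discrepancy:", reconcile(form, {"HDD-01", "HDD-02", "HDD-03"}))
```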
Topic 4: Admissibility of Digital Evidence
Obtaining a Search Warrant
During Blair Overton v. State...

Please read the attached PDF 650 to help you understand and to provide a better response.

Question 1: Give an example of terminology that could be confusing between a digital forensic expert, a lawyer, a judge, and potential jurors. In your opinion, how could this potential issue be reduced? Can we ever eliminate this issue?

A minimum of 250 words, APA format, 4 sources of reference; cite at least 2 of the reading list below in your write-up. No plagiarism, double spaced, in-text citations.

Question 2: Why is testifying and/or writing a report such a critical part of the computer forensics expert's job? In your opinion, which one is more important: testifying or writing a report?

A minimum of 250 words, APA format, 4 sources of reference; cite at least 2 of the reading list below in your write-up. No plagiarism, double spaced, in-text citations.

Question 3: Provide two examples of how you could present a technical term to a nontechnical courtroom audience. You may choose two different technical areas or provide two different examples for the same technical item.

A minimum of 250 words, APA format, 4 sources of reference; cite at least 2 of the reading list below in your write-up. No plagiarism, double spaced, in-text citations.

Reading list
1. BCC STEM Speaker Series - David Papargiris - Digital Forensics https://www.youtube.com/watch?v=_GYaYN_nE7Q
2. How to Incorporate Expert Testimony https://www.boundless.com/communications/textbooks/boundless-communicationstextbook/supporting-your-ideas-9/using-testimony-48/how-to-incorporate-experttestimony-196-4203/
3. Computer Forensic Tool Testing Program http://www.cftt.nist.gov/Methodology_Overview.htm
4. Computer Forensics Tool Catalog http://toolcatalog.nist.gov/
5. Test Results for Electronic Crime Tools http://www.nij.gov/publications/pages/publication-list.aspx?tags=Electronic%20Crime%20-%20Cybercrime
6. Digital Data Acquisition Tool Specification http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf
7. Forensic Examination of Digital Evidence: A Guide for Law Enforcement http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
8. Digital Evidence and Forensic Readiness http://drops.dagstuhl.de/opus/volltexte/2014/4549/pdf/dagrep_v004_i002_p150_s14092.pdf
9. Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice http://www.cybercrimejournal.com/Brown2015vol9issue1.pdf
10. Computer Printouts as Legal Evidence http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=edselc&AN=edselc.2-52.0-79955452166&site=eds-live&scope=site
11. Certifiable Evidence http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=f5h&AN=31125278&site=eds-live&scope=site
12. Organizational Handling of Digital Evidence http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=54710809&site=eds-live&scope=site
