Completing the Investigation and Evidence in Court.


Introduction
Mr. Yourprop, a former employee of Makestuff Company, has been suspected of stealing intellectual property belonging to his former employer. We have already collected digital forensic evidence on the case. Below are answers to some questions that are likely to arise in the final stages of this case.
1. How would you package the thumb drive for shipment to the lab? Be specific as to what materials you would use, and why? Support your answer.
I will take the thumb drive and put it in an envelope. This envelope should be sealed using packing tape and then secured using evidence tape. The envelope is preferred to other types of packaging because these envelopes are easy to label. I will handle the drive with gloves before putting it in the bag so as to defend against claims that someone else tampered with it (Tu et al., 2013). This is to prevent any chance of being accused of having tampered with the evidence.
2. What would you ask the lab to look for on the submitted thumb drive, and why? Support your answer.
I will ask the lab to look for any information on the drive that may belong to Makestuff Company. I will also ask them to analyze it for any data that can be linked with Mr. Yourprop’s prospective employer. Such information includes design patterns under the subject. Since Mr. Yourprop is no longer an employee of Makestuff, he is not allowed to have this material. Proving that Mr. Yourprop was in possession of the company’s property and was keen to preserve it after his firing is enough proof that he had taken part in activities that could lead to copyright infringement.
3. Are there any locations outside of Mr. Yourprop’s immediate workspace where pertinent digital evidence might be found to help with your intellectual property theft case? Explain any locations thoroughly and support your answer.
Mr. Yourprop’s car and residence are some of the locations where this evidence could be found. There are chances that Mr. Yourprop has some patterns of this intellectual property on his computer, laptop or other devices that can store or process data. He has been handling the information in these places during his tenure as an employee of Makestuff. It is expected that Mr. Yourprop should limit the places where he stores his data to the office and a few other places, and that he deletes this data at the end of his tenure at Makestuff. Preserving such information would mean that he has other intentions, such as distributing the confidential information to other people. These two places can be searched either after obtaining Mr. Yourprop’s permission or a court order.
4. How would you protect this thumb drive prior to creating a forensic image for examination? Why is this protection important to your overall case? Explain thoroughly and support your answer.
I will use a write blocker to protect the drive from write commands. The USB write blocker will allow me to display the information on the thumb drive in common text formats and present it to the next custodian without damaging it. It will also help me ensure that the data is not accidentally damaged or altered before I image it. This also upholds the reliability of the data retrieved, since there is no chance that I tampered with the content of the thumb drive (John, 2012). This will help me when defending the credibility of the data obtained before a court of law.
5. Discuss at least three (3) forensic examination/analysis tools that could be used by you or Makestuff Company’s other digital forensic analysts to process/analyze the thumb drive you received (be specific), ensuring you include the manufacturer of each tool and each tool’s capabilities. Support your answer.
The FTK Imager will help me examine files and folders on the drive and analyze the content of these files from the disk. FTK is a free forensic imaging tool manufactured by AccessData. It scans the hard drive for any relevant information. CAINE (Computer Aided Investigative Environment) offers a good environment that will enable me to integrate the existing software in the form of modules in a friendly manner to avoid damage to either my computer or the drive. The Bulk Extractor will also allow me to scan and extract information to be viewed by other programs even in the absence of the thumb drive itself. It is manufactured by Garfinkel’s fiwalk program. It scans the hard drive or specific files, then extracts useful information without parsing the file system.
6. What is hashing, and how could you take advantage of it in this case to attempt to determine if Mr. Yourprop’s thumb drive contains copies of the source code? Explain thoroughly and support your answer.
Hashing is a procedure that involves turning data into relatively small integers. Hashing converts voluminous data into hash values, data codes, or just simple hashes. Hashing creates numbers that represent certain files or the drive as a whole. These numbers could be used to determine if Mr. Yourprop has any codes that match the source code. Once the images have been extracted from the drive, we can compare them with those obtained from Makestuff to determine the similarity index (National Forensic Science Technology Center, 2009). Hashed data is compressible and can be stored in thumb drives away from manipulation, and this reduces the chances of losing the hashed data or of activities that compromise its validity.
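The comparison described in the answer to question 6, as an added example that is not part of the original essay: it hashes a reference source tree and reports files on a mounted copy of the drive whose SHA-256 values match. The directory names and sample files are constructed for illustration; a cryptographic hash matches only byte-identical copies, so the edited file in the sample does not match.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only open; the evidence copy is never written to
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_reference_set(source_root):
    """Map SHA-256 -> relative path for every file in the company's source tree."""
    root = Path(source_root)
    return {sha256_file(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*")) if p.is_file()}

def find_matches(evidence_root, reference):
    """Return (evidence path, reference path, hash) for each byte-identical file."""
    root = Path(evidence_root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = sha256_file(p)
            if h in reference:
                hits.append((str(p.relative_to(root)), reference[h], h))
    return hits

def demo():
    """Constructed sample data: a tiny 'company repo' and a 'thumb drive' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, drive = Path(tmp, "repo"), Path(tmp, "drive")
        (repo / "src").mkdir(parents=True)
        (drive / "backup").mkdir(parents=True)
        (repo / "src" / "engine.c").write_bytes(b"int run(void) { return 42; }\n")
        (repo / "src" / "util.c").write_bytes(b"int add(int a, int b) { return a + b; }\n")
        # Renamed but byte-identical copy: still matches, because only content is hashed.
        (drive / "backup" / "notes.txt").write_bytes(b"int run(void) { return 42; }\n")
        # One character changed: the hash differs, so this file is not reported.
        (drive / "backup" / "util.c").write_bytes(b"int add(int a, int b) { return a - b; }\n")
        return find_matches(drive, build_reference_set(repo))

if __name__ == "__main__":
    for evidence_path, source_path, digest in demo():
        print(f"{evidence_path} == {source_path}  sha256={digest}")
```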
7. Do you recommend reporting the crime to law enforcement? Why or why not? Are private companies required to report crimes to law enforcement? Support your answer.
I will recommend that we report the crime to the police because we have enough facts that can support our suspicion. Private companies are required to report crimes to law enforcement since they are entities just like others and individuals and can fall victim to crime (Bem & Huebner, 2007). It is also important because the police will help us in the investigation process with activities such as using force when an individual bars us from executing a legalized procedure, making arrests and securing suspected areas.
8. What is the significance of you being qualified as an expert witness? How is it different from being a simple fact witness? Explain thoroughly and support your answer.
A qualified witness has undergone training. They therefore know the facts that should be emphasized or explained broadly when handling a case. On the other hand, a simple fact witness gives the flow of events and will need to be cross-examined to obtain all the information relevant to a case (Garrie & Morrissy, 2014). In this case, I can identify the most useful information in the case and avoid unnecessary information. I can also arrange my information logically to prevent confusion.
9. While you are on the stand, the defense asks you the following question based on the fact that you write a personal blog about digital forensics in your off-time, from which it appears you are a staunch supporter of law enforcement. “How do we know you were not just a ‘police hack’ in this case, choosing to report only what would help law enforcement and your company’s bottom-line in this case?” Explain thoroughly.
This case is broad and evidence was collected from a variety of sources. I have presented full evidence on all the areas we suspected. My reports are not selective. The defendant may use our data if they feel that it may be useful to them, since it is a complete wrap-up of the situation of the various suspected locations, software and hardware. Besides, I am a qualified digital forensic examiner who has been in practice for a long time. My process is well documented and recorded and open for anybody to refer to and criticize. The samples were well stored and can be obtained for examination by independent scientists. I worked to obtain evidence to prove that there were reasons to suspect Mr. Yourprop. The data obtained is complete, and all the devices shown in my initial photograph when I entered his former office were analyzed.

References
Bem, D., & Huebner, E. (2007). Computer Forensic Analysis in a Virtual Environment. International Journal of Digital Evidence, 6(2), 1-13.
Garrie, D. B., & Morrissy, J. D. (2014). Digital Forensic Evidence in the Courtroom: Understanding Content and Quality. Northwestern Journal of Technology and Intellectual Property, 12(2), 122-128.
John, J. L. (2012). Digital Forensics and Preservation. DPC Technology Watch Report 12-03 November 2012. Great Britain: Digital Preservation Coalition.
Tu, M., Xu, D., Wira, S., Balan, C., & Cronin, K. (2013). On the Development of a Digital Forensics Curriculum. Journal of Digital Forensics, Security and Law, 7(3), 13-33.
National Forensic Science Technology Center. (2009). A Simplified Guide to Digital Evidence. Largo, Florida: National Forensic Science Technology Center® (NFSTC) & U.S. Department of Justice.
