Nature of incident
Mitsubishi Motors Corporation, Ltd., following the enormous success of its Evolution range of cars, is aiming to increase its competitive strength further by introducing new designs for its motorsport department. This is a highly competitive market, with rival companies always on the lookout for an opportunity to get ahead of the rest.
The activities of three employees from the Research and Development department have been brought to the attention of the Security Team. A covert investigation is now underway, as there are legal implications if an employee is wrongly accused. So far, a copy of only one suspect's USB memory stick (Dmitri's) has been obtained without his knowledge.
Research and Development Department of Mitsubishi Motors Corporation, Ltd.
Mitsubishi Motors Corporation has a global network spread across nearly all seven continents as well as regions such as Europe, Latin America, Asia, the Middle East and Africa. The company maintains global environmental standards for its vehicles and is focused on new technology as well as its "global small" car project.
Mitsubishi Motors Corporation, Ltd. suspects industrial espionage as well as policy-breaking employees inside the enterprise. Specifically, it suspects some staff from the Research and Development department of spreading confidential and proprietary information outside the company. Sending sensitive information outside the firm is against the rules and regulations of Mitsubishi (Ambhire and Meshram 2012). The company has identified three employees, Dmitri, Devina and Delroy, from the R&D department and has planned a covert investigation, considering the legal implications for the employees.
Location of Evidence
System, Network, Server Descriptions
The first suspect, Dmitri, may have used his own workstation in the R&D department to spread information about the experiments on cars. The security team should check the cached information in the system RAM and search for hidden files and folders on the drives of Dmitri's machine. They should also look for information on Dmitri's system that connects him to the other two suspects, Devina and Delroy. After acquiring the ISO image from the USB stick connected to Dmitri's system, the investigator burns the ISO to a CD and retains multiple copies of the files on other secure systems as well as flash drives (Russ 2015).
Network forensics monitors anomalous traffic and mainly relies on two approaches, capturing and inspecting packets at certain points in the network. In this case, the network of the R&D department should be verified, with Dmitri's system as the point of interest for traffic capture. The suspect can delete all log files from his node, but the packets/frames originating from that node can still be presented as evidence. On Ethernet, if the capturing NIC is switched into promiscuous mode, all traffic on the segment, including traffic from Dmitri's machine, is passed to the node where the security team is capturing it.
The server evidence includes the database used and the suspects' metadata. Using live analysis techniques, the server RAM can be examined, as well as the database timestamps, for evidence of any transfer from the R&D database to a remote server (Young et al. 2012).
An identical copy of the suspect's USB stick was made for forensic analysis on 1st March 2009. The USB stick was then returned to the suspect's work computer while he was at lunch.
Handling Details (Chain of Custody)
31/03/2009 12:30 seizure of the USB sticks by investigator David Chadwick.
31/03/2009 12:45 an ISO image was created, which is a digitally identical copy of the original USB stick – verified by investigator Diane Gan
Location of Evidence
The original ISO has been placed in the secure locker, No 1625
A copy of the ISO has been passed to the Forensic Department for analysis
Acquisition of Digital Evidence: Begins when information and physical items are collected or stored for examination purposes. The term "evidence" implies that the collection of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of proof in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
Digital Evidence: Information of probative value stored or transmitted in digital form.
Physical Items: Items on which data objects or information may be stored and through which data objects are transferred.
Original Digital Evidence: Physical items and the data objects associated with those articles at the time of acquisition or seizure.
Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.
Copy: An accurate reproduction of information contained on an original physical object, independent of the original physical item.
Tools
The security team should first note the type of network used by the R&D department. In the case of Ethernet, Wireshark or tcpdump can be used to monitor the traffic. Wireless forensics can use VoIP technology to access the voice communication in the network.
Preservation of Evidence
Validation of Original Evidence
The method involves generating a unique hash value for the hard drive to authenticate the evidence collected from Dmitri's system (Young et al. 2012).
A popular hash algorithm such as MD5 or SHA-1 can generate the unique value of the evidence, thus making the proof safe from digital interference (Lim and Lee 2013).
Since the USB device can be attached in a write-blocked (read-only) mode, the acquisition can create a bit-perfect copy as evidence. The acquisition may use a format like EEFF for validation.
Imaging produces a bit-by-bit copy of the evidence. The procedure should follow DOJ or NIST guidance for imaging. The digital fingerprint (hash) is needed to detect tampering or spoliation (Casey and Steuart 2014).
The result of imaging is reliable evidence with strong authentication.
Validation uses the MD5 algorithm to confirm the integrity of the data or evidence.
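An added example (my own, not the report's procedure or any vendor tool) of the hash validation described above: the acquired image is digested in chunks, the digests are re-checked later to confirm integrity, and each action is recorded as a chain-of-custody line. SHA-256 is computed alongside MD5 and SHA-1 because those two are no longer collision resistant. The image contents and the investigator name are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the acquired USB image (not real evidence data).
SAMPLE_IMAGE = b"MMC-RND evidence sample " * 64

def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Digest a disk image in fixed-size chunks so large images never need to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.
    Returns (all_match, list_of_mismatched_algorithms)."""
    fresh = hash_image(path, algorithms=tuple(recorded))
    bad = sorted(name for name in recorded if fresh[name] != recorded[name])
    return (not bad, bad)

def custody_entry(investigator, action, path, digests):
    """One chain-of-custody line: UTC time, who, what, which item, and its digests."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    hashes = " ".join(f"{k}={v}" for k, v in sorted(digests.items()))
    return f"{stamp} {investigator} {action} {os.path.basename(path)} {hashes}"

def demo():
    """Acquire, verify, simulate tampering, verify again; returns both verdicts and the log."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "dmitri_usb.iso")
        with open(img, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        recorded = hash_image(img)
        log = [custody_entry("investigator-placeholder", "ACQUIRED", img, recorded)]
        ok, _ = verify_image(img, recorded)          # untouched copy: every digest matches
        with open(img, "r+b") as fh:                 # simulate a one-byte alteration
            fh.seek(10)
            fh.write(b"X")
        tampered_ok, bad = verify_image(img, recorded)
        return ok, tampered_ok, bad, log
```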
Initial Evidence of the Evaluation
Existing Data Details
Dmitri's data files:
The data files contain the new modelling technique for a new project as well as mentions of suspicious outsiders such as vendors, rivals, etc.
Connection with other suspects:
Dmitri's system shows multiple logins from particular time zones as well as frequent chat data, including the model system and technique, exchanged with Devina and Delroy. The other two suspects also show evidence of improper use of confidential data files (Quick and Choo 2014).
Recovery of data/evidence:
Recovering the data involves the use of tools such as EnCase, FTK, etc. The evidence is retrieved from deleted areas of the hard disk as well as the OS cache files (Lim and Lee 2013).
Reconstruction of data:
After recovering all the deleted or hidden evidence or missing links such as image/data files, the files are reconstructed with the help of the RDS as well as the hash files, etc. (Raghavan 2013).
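An added example (my own, not the report's procedure and not EnCase or FTK) covering the recovery and reconstruction steps above: signature-based carving of JPEG and PNG remnants from unallocated space of a raw image, then matching each carved object against a hash set of known files, the role the report gives to the RDS and hash files. The sample image, the file remnants and the hash set are all constructed.

```python
import hashlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
SIGNATURES = (("jpeg", JPEG_SOI, JPEG_EOI), ("png", PNG_SIG, PNG_IEND))

def carve(data):
    """Header/trailer carving over a raw image. Deleted files leave their bytes in
    unallocated space, so every offset is searched, not only sector boundaries.
    Caveat: a JPEG with an embedded EXIF thumbnail contains an inner FFD9 marker and
    would be cut short by this simple trailer rule. Returns [(offset, kind, bytes)]."""
    found = []
    for kind, head, tail in SIGNATURES:
        pos = 0
        while (start := data.find(head, pos)) != -1:
            end = data.find(tail, start + len(head))
            if end == -1:
                break                      # truncated remnant with no trailer: do not guess
            end += len(tail)
            found.append((start, kind, data[start:end]))
            pos = end
    return sorted(found)

def match_known(carved, known_hashes):
    """Hash each carved object and look it up in a hash set of known confidential files.
    Returns [(offset, kind, label)] for every hit."""
    hits = []
    for offset, kind, blob in carved:
        digest = hashlib.sha256(blob).hexdigest()
        if digest in known_hashes:
            hits.append((offset, kind, known_hashes[digest]))
    return hits

# Constructed sample image: zero/text filler standing in for unallocated space, with one
# JPEG remnant and one PNG remnant embedded at arbitrary, non-sector-aligned offsets.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x00" * 40 + JPEG_EOI
FAKE_PNG = PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + PNG_IEND
SAMPLE_IMAGE = b"\x00" * 700 + FAKE_JPEG + b"unalloc " * 90 + FAKE_PNG + b"\xff" * 300
# Constructed hash set: the JPEG is pretended to be a known project design drawing.
KNOWN = {hashlib.sha256(FAKE_JPEG).hexdigest(): "evo-chassis-draft.jpg"}

def demo():
    """Carve the sample image and report (offset, kind, size) plus known-file hits."""
    carved = carve(SAMPLE_IMAGE)
    return [(o, k, len(b)) for o, k, b in carved], match_known(carved, KNOWN)
```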
Pertinent Document Summaries
Document 1 Summary – Evidence Assessment
The first part of the report covers the company's policy as well as its digital rules and regulations. The company produces a mission statement for high-technology investigation and forensic analysis. The second part, personnel, covers the time of operations, duty status, and the command structure and configuration. The administration of the evidence needs to consider topics such as licences, resources, training, service requests and event handling in the particular evidence case (Rahman and Khan 2015).
Document 2 Summary – Evidence Reporting
After collecting the digital evidence, the reconstruction process connects all the missing parts of the evidence. A standard operating procedure is required to maintain the standard of the digital evidence. The technical methods for digital evidence include steps such as identification, testing and evaluation of the subject, in this case the evidence. The assessment of the evidence considers the legal authority, the assessment itself and the documentation of custody (Mohamed et al. 2014). The evidence assessment considers the location, stability and storage of the evidence. The acquisition procedure checks booting from CD/DVD, the BIOS of the system and the construction of the digital image using tools like Photoshop, etc. Other information includes logical block addressing, CHS, etc. The examination includes preparation, extraction and data-hiding analysis such as compression, HPA, etc. The next step is file analysis, which includes checking the authority of the documents, etc. Reporting is the final step of the evidence process (Raghavan 2013). The reporting part includes chain-of-custody documentation, network and system information as well as server information, etc. Additional information includes the network topology, installed patches, software versions, etc.
Pertinent Images Summary
Image 1 Summary – Jpg/Png or web images
Reconstruction of web images requires tools such as Photoshop and its features like the curve tool, the high dynamic range tool, brightness and contrast, and eyedroppers to determine the colour of the image (white/black or grey) (Lim and Lee 2013).
Image 2 Summary – Text or Handwriting images
This type of image reconstruction is a difficult procedure. To recover these kinds of images the security team needs drum, flatbed and film scanners with special features such as image sensors, photomultiplier tubes, etc. (Mohamed et al. 2014).
The report identifies issues such as industrial espionage and improper data handling at the MNC Mitsubishi Motors using digital forensics tools. The report finds evidence using tools on the network, the server and the system against the first suspect and detects the possibility of a connection between the other two suspects of the R&D department and the first one. Moreover, the report discusses preservation of the original evidence, imaging, evaluation of the existing data details and the result from the given evidence. The result includes the proof showing whether the suspects are guilty or not.
Ambhire, V.R. and Meshram, B.B., 2012. Digital Forensic Tools. IOSR Journal of Engineering, 2(3), pp.392-398.
Casey, E., Blitz, A. and Steuart, C., 2014. Digital Evidence and Computer Crime.
Dykstra, J. and Sherman, A.T., 2013. Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation, 10, pp.S87-S95.
Lim, K.S. and Lee, C., 2013. A framework for unified digital evidence management in security convergence. Electronic Commerce Research, 13(3), pp.379-398.
Mohamed, A.F.A.L., Marrington, A., Iqbal, F. and Baggili, I., 2014. Testing the forensic soundness of forensic examination environments on bootable media. Digital Investigation, 11, pp.S22-S29.
Quick, D. and Choo, K.K.R., 2014. Data reduction and data mining framework for digital forensic evidence: storage, intelligence, review and archive. Trends & Issues in Crime and Criminal Justice, 480, pp.1-11.
Raghavan, S., 2013. Digital forensic research: current state of the art. CSI Transactions on ICT, 1(1), pp.91-114.
Rahman, S. and Khan, M.N.A., 2015. Review of Live Forensic Analysis Techniques. International Journal of Hybrid Information Technology, 8(2), pp.379-388.
Russ, J.C., 2015. Forensic uses of digital imaging. CRC Press.
Young, J., Foster, K., Garfinkel, S. and Fairbanks, K., 2012. Distinct sector hashes for target file detection. Computer, (12), pp.28-35.