IT Security Management

Part 1

Task 1: Technical Report

Case Brief: A member of the public contacted the local police department to report a suspected
sale of stolen property. He had been looking to buy a motorcycle at a low price and found a
website on which a seller was offering one at an 80% discount, or more, on the original market
price. Because the model is in high demand and its price rarely drops, he believed the seller
must be offering him a stolen motorcycle. The police alerted the auto theft unit, which
conducted a sting operation: undercover officers contacted the seller and purchased the
motorcycle. On completion of the sale the seller handed over the vehicle title, registration
card and insurance card. The suspect was arrested, and a notebook computer that might
contain information relevant to the offences was seized from him. The documents supplied by
the seller appeared authentic, but document examiners determined that they were fake and
counterfeit. The auto theft investigator then approached the UK law firm Duncan Lewis
Solicitor Company for a forensic investigation and analysis of the seized computer.

Professional Advice
Staff must handle the notebook computer with care, as physical as well as digital evidence
(Xiao et al. 2019). The examination needs to determine whether the suspected seller used the
notebook as an instrument of the offences under investigation: auto theft, fraud, forgery and
uttering false documents (Lillis et al. 2016). The forensic team must also establish whether
the notebook holds information about the unauthorised possession of counterfeit vehicle titles
and any stored data related to the crime. Gloves must be worn whenever the notebook is handled,
so that fingerprints left by anyone who previously handled it are preserved as evidence, and
the examination must be carried out on isolated laboratory equipment rather than by using the
suspect's system in the normal way (forensicsciencesimplified.org, 2020).

Initial Risk Assessment
Before examination begins, the notebook must be inspected carefully for hardware that does not
belong to it. Tampering devices such as cameras or recording devices may have been attached to,
or fitted inside, the notebook and could capture the forensic investigation team's own data.
For the same reason, the examination by the UK law firm Duncan Lewis Solicitor Company must be
carried out in an isolated, offline laboratory environment, so that no information about the
investigation or the forensic team can leak to hackers or other third parties (Li et al. 2019).
Gloves must be worn while handling the notebook: handling it bare-handed would destroy or
contaminate the fingerprints already present on it, which may serve as evidence at a later
stage.

Forensic Processes, Steps and Techniques to be Used

Evidence Description: Item 1: Gateway Solo 9100 Notebook Computer, Serial Number
666-Z3035-11-003-0322

Actions Taken:

March 24, 2016

1600 hours: The original evidence was retrieved from the CCU property room. It was
inventoried, marked and catalogued as the evidence described on MSP Form 67, and the original
evidence items were listed on the chain of custody form (researchgate.net, 2018).

1625 hours: Examination of the Gateway Solo 9100 Notebook Computer; computer evidence
processing completed. The BIOS settings were documented as shown below.

BIOS            System Date    System Time    Memory    Boot Order
Award 4.6 pg    3/24/2016      16:30:03       128MB     Floppy Drive, Hard Drive

Actual Date     Actual Time    CPU
3/24/2016       16:30:08       Intel PII 300

Table 1: BIOS settings of the notebook, with the BIOS clock recorded against the actual
(reference) date and time; the BIOS clock read 5 seconds behind the reference clock.
(Source: Case Study)
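The reason the BIOS clock is recorded next to the actual time is that every timestamp later read from the evidence drive is expressed in the evidence system's clock, and must be corrected by the measured offset before it is correlated with external records such as web-mail pages or police logs. The following Python is an added example, not part of the case file, showing how the offset from Table 1 is computed and applied; the file paths and their timestamps are constructed for illustration.

```python
from datetime import datetime

FMT = "%m/%d/%Y %H:%M:%S"

# Values copied from Table 1: the evidence system's BIOS clock and the
# examiner's reference clock, read when the BIOS settings were documented.
BIOS_CLOCK = "3/24/2016 16:30:03"
REFERENCE_CLOCK = "3/24/2016 16:30:08"

# Constructed sample: file timestamps as they would be read from the evidence
# drive (illustrative paths and times, not real entries from the case).
SAMPLE_FILE_TIMES = {
    "C:\\Docs\\title_template.doc": "3/21/2016 22:14:55",
    "C:\\Temp\\check_scan.jpg": "3/22/2016 09:02:10",
}


def clock_offset(bios_str, reference_str, fmt=FMT):
    """Offset to add to an evidence-system time to obtain reference time.

    A positive result means the BIOS clock was running behind the reference
    clock; a negative result means it was running ahead.
    """
    return datetime.strptime(reference_str, fmt) - datetime.strptime(bios_str, fmt)


def offset_seconds(bios_str=BIOS_CLOCK, reference_str=REFERENCE_CLOCK):
    """Whole-second offset, convenient for the examination notes."""
    return int(clock_offset(bios_str, reference_str).total_seconds())


def to_reference_time(evidence_time_str, offset, fmt=FMT):
    """Correct one timestamp read from the evidence system by the measured offset."""
    return datetime.strptime(evidence_time_str, fmt) + offset


def normalise_file_times(file_times, offset, fmt=FMT):
    """Return {path: (original_str, corrected_str)}.

    Both values are kept so the report can show the raw value as it appeared
    on the evidence and the corrected value used for correlation.
    """
    out = {}
    for path, raw in file_times.items():
        corrected = to_reference_time(raw, offset, fmt)
        out[path] = (raw, corrected.strftime(fmt))
    return out


if __name__ == "__main__":
    off = clock_offset(BIOS_CLOCK, REFERENCE_CLOCK)
    print(f"BIOS clock offset relative to reference: {off.total_seconds():+.0f} s")
    for path, (raw, fixed) in normalise_file_times(SAMPLE_FILE_TIMES, off).items():
        print(f"{path}: {raw} (evidence clock) -> {fixed} (reference clock)")
```

A five-second skew is immaterial on its own; the value of recording it lies in the habit, since a BIOS clock set to the wrong hour, day or time zone would otherwise silently misplace every file and e-mail timestamp in the timeline.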

Figure 1: Forensic technique/steps
(Source: Case Study)

1750 hours: Acquisition of a compressed evidence file begins.

Name and Path of File: F:\hdd01
Case #: 01-38-00333
Examiner: "Examiner name"
Evidence #: 99-03-333-A
Description: 555-Z3024-000-02-0433

March 25, 2016

0900 hours: Report: the evidence file for drive 0 was created successfully. Time elapsed
11:15:01; 7.6 GB read, 0 errors, 0:00:00 remaining.

0912 hours: The notebook computer was shut down. The evidence file was removed from the
MO drive unit, write protected and placed in storage (Hossain et al. 2018). The state police
chain of custody form was completed.

March 30, 2016

1500 hours: The computer was powered on and booted to the A:\ prompt. The DOS copy
command was used to copy the evidence files from the Sony MO disk (drive F:) to the "Data"
hard drive (drive E:). The files copied successfully.

April 1, 2016
0805 hours: A new case titled "99-03-333-A" was opened and the existing evidence file was
added to it. The case file signature verification was run.

0915 hours: Logical analysis of the data available in the case began.
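The steps from 1750 hours on 24 March through to the case file signature check on 1 April follow one pattern: acquire an image, write-protect the medium, copy the image to case storage, and verify that the copy still matches the original before analysis begins, recording each step in the chain of custody. The Python below is an added example (not part of the case, and not EnCase or any other tool named on this page) of that pattern using SHA-256 hashes and a chain-of-custody log. The `hdd01` file it writes to a temporary directory is constructed stand-in data; the examiner placeholder and evidence number are copied from the record above.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are not loaded into memory


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_protect(path):
    """Clear the write bits so the working copy cannot be altered by accident
    (the software analogue of write-protecting the MO disk)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def copy_and_verify(src, dst, examiner, evidence_id, log):
    """Copy src to dst, hash both sides, append a chain-of-custody entry, return it."""
    src_hash = hash_file(src)
    shutil.copyfile(src, dst)
    dst_hash = hash_file(dst)
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "evidence_id": evidence_id,
        "action": "copy evidence file to case storage",
        "source": src,
        "destination": dst,
        "sha256_source": src_hash,
        "sha256_destination": dst_hash,
        "verified": src_hash == dst_hash,
    }
    if entry["verified"]:
        write_protect(dst)
    log.append(entry)
    return entry


def reverify(path, expected_hash):
    """Later check (for example when the case is reopened) that the file still
    matches the hash recorded at acquisition."""
    return hash_file(path) == expected_hash


def demo():
    """Run the acquire/copy/verify cycle on constructed data and show that a
    single changed byte in the copy is detected on re-verification."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "hdd01")  # constructed stand-in for the acquired image
    with open(src, "wb") as f:
        f.write(b"\x00" * 4096 + b"counterfeit title template" + os.urandom(4096))
    dst = os.path.join(work, "case_copy_hdd01")
    log = []
    entry = copy_and_verify(src, dst, "Examiner name", "99-03-333-A", log)
    intact = reverify(dst, entry["sha256_source"])
    # Simulate tampering: make the copy writable again and flip one byte.
    os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)
    with open(dst, "r+b") as f:
        f.seek(4100)
        f.write(b"X")
    tamper_detected = not reverify(dst, entry["sha256_source"])
    shutil.rmtree(work)
    return entry["verified"], intact, tamper_detected, json.dumps(log, indent=2)


if __name__ == "__main__":
    verified, intact, tamper_detected, log_json = demo()
    print(log_json)
    print(f"copy verified: {verified}, re-verified intact: {intact}, "
          f"tamper detected after one-byte change: {tamper_detected}")
```

The signature check that EnCase runs when a case is reopened serves the same purpose as `reverify` here: the hash recorded at acquisition is the only thing that ties the working copy on drive E: back to the image taken from the notebook on 24 March.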

1005 hours: A data wiping utility was used to wipe the removable drive in the laboratory
Gateway GX-450 XL computer (Harbawi and Varol, 2017). The unallocated clusters and file slack
from the evidence file were copied to case drive I:. The copied material was divided into
seven folders; a total of 575 files containing 5944 MB were copied (csroc.org.tw, 2017).

1230 hours: NCIS Digit was started and the files copied from the evidence, including the
unallocated clusters and file slack, were examined. Around 5.9 MB of data was processed and a
number of HTML and graphics files were generated.

April 4, 2016
0935 hours: Examination continued on the graphics and HTML files extracted during the
previous day's operation.

1005 hours: A keyword (text string) search was performed across the entire case. The hits
were examined and items of evidentiary value were extracted.

April 5, 2016
0715 hours: Further examination of the graphics and HTML files.

1355 hours: Further keyword text string searches performed; hits examined and items of
evidentiary value extracted.

April 6, 2016
0815 hours: Keyword text string search of the entire case performed; further items of
evidentiary value extracted.

April 7, 2016
0815 hours: Search results further examined.

1345 hours: Further examination of the hits and extraction of evidentiary value.

April 19, 2016

0800 hours: Search results further examined.
0930 hours: Forensic investigation completed. The pictures, documents, HTML files and text
fragments of investigative interest were evaluated in a file-by-file examination (Gupta et al.
2016). The files assessed, with the related information, are listed in the findings/analysis
section.
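The analysis phase recorded above consists of two techniques applied repeatedly: carving HTML and graphics files out of the unallocated clusters and file slack, and running keyword text string searches across the whole case and reviewing the hits. The Python below is an added example (not part of the case, and not EnCase or Digit) of both over a constructed block of "unallocated" bytes: header/footer signature carving for HTML, GIF and JPEG, and a keyword search that checks both ASCII and UTF-16LE because Windows applications store much of their text as UTF-16, which a plain ASCII search misses. The sample bytes and the keywords are constructed for illustration.

```python
import re

# Header/footer signatures for the file types recovered in the examination.
# GIF ends with a 0x00 block terminator followed by the 0x3B trailer; JPEG ends with FF D9.
SIGNATURES = {
    "html": (re.compile(rb"<html", re.IGNORECASE), re.compile(rb"</html>", re.IGNORECASE)),
    "gif": (re.compile(rb"GIF8[79]a"), re.compile(rb"\x00\x3b")),
    "jpeg": (re.compile(rb"\xff\xd8\xff"), re.compile(rb"\xff\xd9")),
}

# Constructed "unallocated clusters" blob: zero fill, a deleted web page fragment,
# slack bytes, a minimal 1x1 GIF, filler, and a UTF-16LE string as a Windows
# application would have written it. Not real evidence data.
UNALLOCATED = (
    b"\x00" * 64
    + b"<html><title>Motorcycle for sale</title><body>80% below market price</body></html>"
    + b"\xe5" * 32
    + b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x00;"
    + b"\xff" * 16
    + "Certified Check payable to".encode("utf-16-le")
    + b"\x00" * 32
)
KEYWORDS = ["motorcycle", "certified check"]  # constructed search terms


def carve(blob, signatures=SIGNATURES):
    """Find header..footer spans for each signature.

    Returns (type, start_offset, end_offset, bytes) tuples sorted by offset; a
    header without a following footer is ignored, as a carving tool would report
    it as incomplete rather than recover it.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        for m in head.finditer(blob):
            t = tail.search(blob, m.end())
            if t is not None:
                found.append((kind, m.start(), t.end(), blob[m.start():t.end()]))
    return sorted(found, key=lambda item: item[1])


def keyword_search(blob, keywords, context=12):
    """Case-insensitive keyword search in both ASCII and UTF-16LE encodings.

    Each hit records the keyword, the encoding it was found in, its byte offset
    and the surrounding bytes, which is what an examiner reviews to decide
    whether the hit has evidentiary value.
    """
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(blob):
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": m.start(),
                    "match": m.group().decode(enc),
                    "context": blob[max(0, m.start() - context):m.end() + context],
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for kind, start, end, data in carve(UNALLOCATED):
        print(f"carved {kind:4} at offset {start:6} length {end - start:5}: {data[:24]!r}")
    for h in keyword_search(UNALLOCATED, KEYWORDS):
        print(f"hit {h['keyword']!r} ({h['encoding']}) at offset {h['offset']}: {h['match']!r}")
```

The UTF-16LE pass is the point to note: the constructed string "Certified Check payable to" is invisible to an ASCII-only search because every other byte is a null, yet it is exactly the kind of fragment, left in slack space by a word processor, that produced the counterfeit-check findings listed later.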

Expert Interpretation of the Evidence Produced and Findings of the Case

1. Fifty-nine document files were recovered. They contain the name of the suspect and
   personal information, together with text from counterfeit documents, scanned payroll,
   corporate and certified checks.
2. The documentation presented by the investigators was critically reviewed.
3. Legal authority for the examination was established by the search warrant obtained for
   the computers, and the examination was conducted in a laboratory setting.
4. The computer forensic investigator met the case agent and discussed additional
   information; other potentially relevant evidence was sought and assessed in the course of
   the investigation.
5. Evidence intake was completed: the evidence was marked and photographed, a new case file
   was created and the case information entered. The evidence computer was stored in the
   lab's property room.
6. The notebook computer presented as evidence was thoroughly examined and photographed.
7. The computer hardware was examined and documented. A controlled boot disk was placed in
   the computer's floppy drive, the BIOS information was documented, and the system time was
   assessed and compared against the reference time.
8. The evidence notebook was connected to the laboratory computer through the computers'
   parallel ports using a null modem cable (Du et al. 2017).
9. The evidence computer was booted to the DOS prompt with the controlled boot disk, and the
   acquisition software was run in server mode.
10. After processing, the computer was powered off.

Task 2: Case Briefing and Investigation process

Part (a)
Research method design

1. The Suspect: The suspect is the motorcycle seller, who offered the motorcycle at a price
   so low that it raised suspicion the motorcycle was stolen.
2. Background and Context: A person wished to purchase a brand-new motorcycle at a low price
   and had been browsing various websites and sellers. He wanted a price below the usual
   market price, but never intended to buy a stolen motorcycle. He came across a seller
   offering a new motorcycle at a price so low that it raised suspicion, since the price could
   not legitimately have been reduced that far. He informed the local police that he suspected
   the seller was offering him a stolen motorcycle. The police contacted the auto theft unit,
   which went undercover and arranged to buy the motorcycle from the suspected seller so that
   he could be caught. On receiving payment from the auto theft unit, the seller supplied the
   bills and documents. Document examiners established that the documents were counterfeit,
   and the suspected seller was arrested. A notebook computer recovered from the seller was
   sent to the UK law firm Duncan Lewis Solicitor Company for forensic investigation and
   analysis.
3. Suspected Criminal Activities: The suspected criminal activities in this case are auto
   theft, fraud, forgery, uttering false documents and possession of counterfeit vehicle
   titles.

Part (b)
Tools and Techniques Used
A number of tools were used in evaluating the case (Bajpai, 2020). The notebook recovered from
the suspect needed to be assessed and evaluated thoroughly. The tools used for the forensic
investigation were EnCase (Guidance Software), Password Recovery Toolkit, Digit, Quick View
Plus and Microsoft Windows 10.
The forensic team must handle and assess the evidence, the seller's notebook, with care. Files
on the notebook may have been modified, deleted or overwritten by the suspect to hide his
activities and fraud, so the forensic investigation must be carried out carefully and
methodically, following the techniques and steps described above, including the recovery of
material from unallocated clusters and file slack rather than relying on the live file system
alone.

Part (c)
The case description is provided and mentioned in part (a). Relevant images and screenshots
are also provided.

Part (d)
Digital Evidences: Findings and Results with Analysis

Findings
Analysis of the notebook recovered around 176 files of evidentiary value or investigative
interest. The main categories are as follows.

1. Around 59 document files containing various documents and information, including the
   name of the suspect and some of his personal information, text contained in the
   counterfeit documents, scanned payroll, corporate and certified checks, and information
   about stolen items.
2. Around 38 graphics files containing high-resolution images of payroll, corporate and
   certified checks; currency; vehicle titles, driver licenses and registration cards from
   neighbouring states (Mutwa et al. 2019); insurance cards from numerous companies; and
   counterfeit certified checks payable to a computer company, in amounts ranging from
   25,000 USD to around 40,000 USD, for the purchase of notebook computers.
3. Around 63 HTML files, including Hotmail and Yahoo e-mail pages and classified
   advertisements for the recovered motorcycle.

Conclusion
The suspected seller eventually pleaded guilty and was sentenced to imprisonment by the court.
