Investigation Scenario 2: Part 2 and Submission
In completing this second part of the investigation we began last week, you will have the experience of searching for evidence in multiple log files. Very often in an investigation like this, there is no smoking gun, only bits of circumstantial evidence that you will have to piece together to create a time line that helps you to recreate the crime.
Hint: One big question in this investigation is how did the perpetrator exfiltrate the data when it appears that the defense contractors network was locked down tight. You should take a look at port numbers in the firewall log to see what services are run on those numbers, especially if it is a port that we havent talked about before.
All of the log files, with the exception of the key card file, are based on real log files. Part of your challenge in this assignment is to dig through all of the data you dont need to find the data you do. In the e-mail log file, this means using the e-mail header information to determine who is sending the message and who the recipient is. Next, you have to dig through the html to find the text of the actual message. For other log files, you will have to use the information you have been give, IP addresses and MAC addresses, to search through the file for your evidence.
Luckily for you, the following log files have been filtered to include just messages or actions from the four suspects: the e-mail log file and the keycard scan log file. The rest of the files will require you to search for what you want.
Log files for the investigation are attached and include:
Firewall log-Investigation #2 – 2015.docx
Keycard scan log-Investigation #2 – 2015.docx
Authentication log file-Investigation #2 – 2015.docx
E-mail log file-Investigation #2 – 2015.docx
Now that you have been given all of the available log files, you must use them to try and create a time line of the crime.
Once you determine the perpetrator, you have to determine how the data was exfiltrated Hint: look for unusual port numbers. As with the first investigation, you will be creating a final report and a complete evidence appendix for this incidence.
Submitting your Assignment
Review what you completed in Part 1 (last week) and Part 2 of this Investigation Scenario. Create a Final Report for the investigation in the form of a 2-4 page paper (12 point font, double spaced) that includes the following:
A cover sheet with your name and the name of the case (this does not count as one of the pages)
Your investigation notes
The names of anyone arrested and the charges against that individual
Additionally, include an appendix to your report that contains all of your evidence that is separated by letter and organized by type of evidence:
Appendix A original complaint,
Appendix B Company XYZs policies,
Appendix C Company XYZs Authentication log files for May 10 from 8Am to 2PM, etc.
Make sure to include all of the evidence, including the original log files you have received in the appendix
In grading the investigation scenario final reports I will be looking at two things:
How well you document what you did during your investigation
How complete is the appendix to your report. Do not leave out any steps that you took and do not leave out any evidence or documentation from your appendix. Please use the links provided if you are unsure how to write a police report.