AMS has just become aware of this predicament but is unaware of how the skimming operation is being conducted. DFI has been contracted by AMS to ascertain whether a skimming operation exists and, if so, who is implicated and how the operation is being conducted.
DFI and AMS agreed to place a digital forensics investigator within AMS's Information Technology (IT) department as a systems administrator so that the investigation can be conducted undercover in this role.
The tools that you will need?
The digital forensics investigator requires several portable tools for conducting the investigation in a forensically sound manner, since the investigation will be conducted off site at AMS. Using the list of devices and OSs that AMS provided, the digital forensics investigator should ensure that the proper forensics tools are taken to the site for the investigation. According to Gogolin (2013), the forensic tools that would be needed for this investigation are a forensic toolkit, a forensic laptop, a write blocker, a disk imager, and external hard drives.
The forensic toolkit should be able to collect volatile and non-volatile data to ensure collection of all relevant information. Also, the digital forensics investigator should have a forensic laptop available to conduct investigations off site, as well as a hardware write blocker to ensure evidence is not altered. Furthermore, a disk imager and external hard drives should be available when an image is required of a digital …
The collection process shall commence using the forensic toolkit necessary for all the devices, conducting either live or dead acquisition depending on the state of the devices. Also, external storage devices shall be imaged for analysis and examination for digital evidence. Furthermore, to gather information from the network ports used to access the network, network forensics must be conducted. However, information can only be collected if network security features such as packet filters, firewalls, and intrusion detection systems were installed beforehand (Kizza, 2009). Finally, log files from the information systems and from network devices will also be reviewed for any digital evidence regarding the internal skimming operation.
d. History – how far back will you need to go in your review and how will you determine this?
Creating a timeline is pertinent to identifying how far back the digital forensics investigator must review to gather information regarding the investigation. According to King (2006), the timeline in the forensic plan should include a beginning focal point, validated dates and times, and events. Also, by understanding AMS's backup policy, the investigator can take the beginning focal point of the internal skimming operation and how long AMS maintains its files to ascertain a
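
A sketch of the timeline King describes, as an added example that is not part of the original essay: it merges log lines from a host and a firewall, validates each timestamp, normalizes it to UTC, and keeps the events that fall inside the review window. The log formats, the host's UTC-5 offset, the focal point, the retention period, and the way retention bounds the window are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the essay). The host logs local time,
# assumed here to be UTC-5; the firewall logs UTC.
HOST_TZ = timezone(timedelta(hours=-5))
HOST_LOG = [
    "2024-03-04 09:15:02 login user=clerk7 host=POS-03",
    "2024-03-04 09:17:40 export file=transactions.csv user=clerk7",
    "2024-13-01 10:00:00 login user=clerk7 host=POS-03",  # impossible month
]
FW_LOG = [
    "2024-03-04T14:18:05Z ALLOW 10.0.4.23 -> 203.0.113.9:443",
    "2024-01-10T08:00:00Z ALLOW 10.0.4.23 -> 203.0.113.9:443",
]

def parse_host(line):
    """Host format: 'YYYY-MM-DD HH:MM:SS event', local time."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=HOST_TZ).astimezone(timezone.utc), "host", line[20:]

def parse_fw(line):
    """Firewall format: 'YYYY-MM-DDTHH:MM:SSZ event', already UTC."""
    ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), "firewall", line[21:]

def build_timeline(sources, focal_point, retention_days, now):
    """Return (review_start, ordered events, lines whose timestamp is invalid)."""
    # Assumption: records older than the retention period no longer exist,
    # so the review starts at whichever is later, focal point or that cutoff.
    review_start = max(focal_point, now - timedelta(days=retention_days))
    events, rejected = [], []
    for parser, lines in sources:
        for line in lines:
            try:
                events.append(parser(line))
            except ValueError:  # date or time that cannot exist
                rejected.append(line)
    timeline = sorted(e for e in events if review_start <= e[0] <= now)
    return review_start, timeline, rejected

if __name__ == "__main__":
    utc = timezone.utc
    start, timeline, rejected = build_timeline(
        [(parse_host, HOST_LOG), (parse_fw, FW_LOG)],
        focal_point=datetime(2024, 2, 1, tzinfo=utc),
        retention_days=90, now=datetime(2024, 4, 1, tzinfo=utc))
    print("review from", start.isoformat())
    for ts, source, event in timeline:
        print(ts.isoformat(), source, event)
    print("rejected:", rejected)
```

Lines that fail timestamp validation are returned separately rather than dropped, so they can be examined by hand.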