Digital Forensics in Criminal Justice - Essay Example

Digital Forensics in the Criminal Justice System

PART 1

The following people should be interviewed in order to establish whether or not they might have witnessed any suspicious behavior from the rogue employee.

• The members of the team that worked on “Project X” should be interviewed so as to find out whether the disgruntled employee showed any interest in their work that could have at the time seemed normal, but in retrospect, could be considered to be suspicious (Bella & Eloff, 2015). They people who worked on the source code project could also be interviewed so as to find out if at any given time, the disgruntled employee asked to use their computers for reasons that might not have seemed suspect at the time.
• Employees whose cubicles were closest to the suspect’s. They can attest to whether anything that the suspect did might have seemed vaguely suspicious or unusual to them. Details like whether he seemed to receive frequent and unusual phone calls could come in handy (Stanivukovic & Randjelovic, 2016).
• The employees who seemed closest to the suspect while he still worked at the company.
• The members of the IT and network security department will be asked whether they might have noticed access to the network that seemed odd (Stanivukovic & Randjelovic, 2016).

The interview process will be conducted in one of the offices of the executives, and away from the view of the rest of the staff that work for the company. The interviews will be timed in such a way that they work around the schedules of the interviewees so as not to cause a lot of disruptions or to draw unnecessary attention to the fact that there is an ongoing investigation in the office (Bella & Eloff, 2015). The interviewees will be called in one at a time and I will have a simple and friendly chat with each one of them so as not to make them nervous or defensive. I would make it clear right at the start of the interview that the interviewees are in no trouble at all and that their assistance was required in shedding light to an important matter that the company was facing. The interview process would include questions regarding the interviewee’s personal relationship with the disgruntled employee, their opinion of his character and work ethic, if they believed that McBride was capable of the things he has been accused of, and other general questions. I would then proceed to ask the interviewees whether they noticed any suspicious behavior from the disgruntled employee in question. I will take notes on the major points that the interviewees raise during the interview, and I would also make an audio recording of the interview process upon the consent of the interviewee. After the interviews I would compile a list of the observations that were made by the people I interviewed to see if any assertions could count as compelling evidence against McBride (Bella & Eloff, 2015).

The setting up of the interview, the interview process itself, and the actions and analysis after the interview are all important processes that have to be undertaken in order to ensure that quality information is collected in from the interview, and that that information is properly documented for the purpose of having clear records in case the investigation has to be turned over to law enforcement (Casey, 2013). It is important not to antagonize the witnessed during the interview because they might conceal important information for fear of self-incrimination. It is also important to interview each of the witnesses one at a time to avoid a case where they modify their accounts of events as a reaction to the accounts of the other witnesses if they were interviewed together.

PART 2

Summary Information for Thumb Drive Evidence

The thumb drive is likely to contain the source code for the project that the company has been working on. The evidence to look for will be in form of bits of incomplete code that may be part of a bigger piece of the stolen source code. It is possible that the whole source code is in the thumb drive, although that is unlikely since the code is still a work in progress (Casey, 2013). Keep an eye out for any encrypted files because Mr. McBride might have made an attempt to conceal the identity of the stolen software. Also beware of the files that look suspicious as the thumb drive might have been outfitted with a self-destruct virus in case Mr. McBride got caught with the stolen intellectual property (Irons & Lallie, 2014). This evidence is important because it could be key evidence in the prosecution of Mr. McBride should the company move forward with the plan to charge him with intellectual property. It could also be important if the company were to file a complaint with the trade commission against the rival company that hired Mr. McBride to commit corporate espionage (Stanivukovic & Randjelovic, 2016). Another important piece of evidence to look out for is the presence of hacking software in the thumb drive, which Mr. McBride could have used to gain access to parts of the company’s network that he did not have clearance to visit. This could be the key evidence that proves whether or not Mr. McBride committed corporate espionage.

Places where Mr. McBride could have kept stolen intellectual property

• At his apartment or house, in a personal computer or a thumb drive. If the information was kept in a computer or flash drive at his home, the company has no authority to carry out a search in this case, and law enforcement should be brought in to deal with the issue.
• In a locker in a gym or a sports club. If the suspect had a gym membership, there is a likelihood that he kept a thumb drive or a CD with the stolen intellectual property in his locker (Casey, 2013). If the gym is a part of the company, the company may be able to carry out a search in this case. However, if the gym is unaffiliated to the company, the police would have to be involved.
• In a safety deposit box in a bank. Given the valuable nature of the intellectual property that Mr. McBride had in his possession, he might have opted to store it in a safety deposit box in a thumb drive. Law enforcement would have to be involved because the company has on authority to carry out this search.
• In the computer cloud. Because the intellectual property was in form of digital information, it is highly likely that the stolen information could have been stored in the cloud. Access to someone’s cloud storage requires a warranty, which implies that the police will be involved (Irons & Lallie, 2014). It is unlikely that the stolen information could have been stored in a cloud space that was owned by the company, so this search cannot be legally conducted within the company.

PART 3

Before creating a forensic image, the first thing I will do is to acquire a memory dump. It is vital that there be a memory dump before the power is turned on for the forensic imaging process. This is because the memory dump contains key information such as the encryption key and other metadata that is important in the forensic imaging process (Irons & Lallie, 2014). After that, a disk image of the suspect’s computer can be acquired.

Email response

To: H. Jenkins, HR Management

From: Me, Greenwood Company Digital Forensics Examiner

The following are three of the best digital forensics equipment’s that I have hand pick as per the requirements that you listed in your email:

• X Ways forensics. This is a platform that is highly advanced and it used extensively in digital forensic examinations. It can be used to extract evidence hidden within a computer or thumb drive, and it meets Duabert Standards because it does not in any way alter the evidence, and it is highly reviewed by experts in the field.
• Encase is a digital forensics tool that can serve a myriad of purposes in forensic analysis of computer drives. It is widely used to find evidence in different devices, and it meets the Duabert Standards because it has been extensively used by many reputable law enforcement agencies.
• Oxygen Forensic Suite can be used to recover any evidence, even the kind that has been deleted from the device. It meets the Duabert Standard because the information gained from its use is usually relevant, reliable, and scientific in nature.

I hope you will find these tools useful in your digital forensic analysis in the future.

Hash values are basically numbers or digits that make it easier for computer software’s to look for specific information in databases. They essentially make searches faster in software’s. Without hash values, it would take a very long time to find information that you are looking for in a database.

When the source code was written, it contained hash values that could be used to identify it. Using a digital forensics software, we imputed some of the hash values, and we eventually got some matches within the flash drive.

Other used of hash values include to determine whether or not a dataset has been altered and to find out if files have been corrupted.

PART 4

I would recommend that the crime be reported to law enforcement. This is because the intellectual property of the company is already in the possession of the rival company, and the criminal indictment of the perpetrator will form a basis for an intellectual property claim against the company that orchestrated the whole thing and got away with a source code worth millions in revenue (Garfinkel, 2010). Private companies are required to report crimes to law enforcement, however, some disputes between the employer and the employee are not necessarily criminal in nature, although they may qualify as civil disputes. The disputes to be reported have to be considered on a case by case basis, but it is always wise to report any occurrences that are potential criminal in nature and to let the law enforcement agencies make the determination on their own.

As an expert witness, I possess the technical knowhow that was vital in the acquisition of the evidence that I will be presenting (Dyer, 2011). Being an expert witness means that the court will lend weight to my opinions on the matters that are related to my expertise. My explanation will help the judge and the members of the court understand complex concepts that require a lot of technical knowledge to grasp (Dyer, 2011). A fact witness tells the story of what he or she witnessed, and is not allowed in the court proceedings to give an opinion of those facts. An expert witness on the other hand can give an opinion on the matter before the court, but that opinion is restricted to issues in which the witness is considered an expert (Dyer, 2011).

How do we know you are not biased in this case, choosing to report only what would help law enforcement and your company's bottom-line?

First of all, I do have a special place in my heart for law enforcement and the work that they do to keep the community safe. I also care for my job, and for the profitability of the company that pays my salary. More than that, I care about truth and facts. The kind of work that I do requires a lot of objectivity and rationality, and the digital forensics evidence that I present before this court is accurate and it is not at all tampered with (Garfinkel, 2010). While my personal feelings towards my company and towards law enforcement may make it seem as though I cannot be trusted to be objective, I will stake my reputation on the evidence that I present here today. But more importantly than that, this being a court of facts, I will not ask you to take my word for it, I would invite the prosecution and the defense team to independently verify the forensic information that I will present here today. I believe it is the right of the defendant to have any possible doubt crosschecked, and I assure you that an independent forensic examiner will come up with the same observations and conclusions that I did.

How can I know from your work that your analysis should be accepted?

All of my analysis for the purposes of this investigation is properly documented and organized so that if there is any need for independent verification, all files, documents and pieces of evidence are readily available for that purpose (Garfinkel, 2010). I followed the standard practices that are used by the most reputable law enforcement agencies, and at no point in my investigation was any of the evidence compromised.