The Peculiarities of the Present Case Study and the Accent of the Forensic Analysis on the USB Drive
In accordance with the processed statement of facts, the following assumptions can be made. First and foremost, the company policy was in fact violated and the corporate rights were infringed. The policy of the firm expressly forbids downloading, transmitting or storing illicit images. Another aspect of the case is that the workplace was shared by two co-workers, so it is impossible to attribute ownership of the USB drive to either of them directly. Therefore, a thorough examination of both hypothetical owners is to be conducted.
Another important peculiarity of this case study is that the messages contained on the disc drive were imported from outside sources and do contain information that is expressly against the policies of the firm. Most notably, the information stored on the drive is anything but material that may directly or indirectly relate to the professional activity of the enterprise. Hence, the need to find out the owner becomes more and more important.
The Goals of the Given Forensic Analysis on the USB Drive
First and foremost, before the whole process is launched, it is important for the target audience of this report to achieve a complete, all-round understanding of the problem in question. Therefore, in order to accomplish the ultimate goal of this policy, which is the defence of the corporate values of the firm, the following questions are to be analyzed and answered:
1) Who is most likely to be the person that owns the drive? The analysis of and the answer to this question are vitally important for the effective accomplishment of the reviewed policy for the following reasons. First and foremost, the prospective suspects of committing this atrocious act have already been identified (Rustmann 2002). The task will then be to establish that it was they who committed this act of disobedience to corporate ethics and showed such open disregard for the values and for everything that is vitally important for the preservation and development of an effective contemporary corporate culture (Schneier 2011).
2) How did the images get on the drive? The answer to this question is vital information for an effective and consistent forensic investigation (Casey, 2000). The factors, the reasons and, especially, the methods that explain how the images appeared on the storage drive must be meticulously analyzed by the analysts. If, on the other hand, they appeared on the USB drive on legal grounds, no dispute arises in this case and the suspicions against all suspects must be dropped immediately (Proske 2008).
3) Were the images downloaded at work? If so, how? This answer is another sine qua non for an effective forensic analysis of the USB drive (Mohay 2003). Provided that it has been ascertained correctly, it can be guaranteed that the entire investigative process will proceed accordingly (Dodes 2012). If at least one stage of the location identification is established incorrectly, the entire forensic investigation will be considerably jeopardized (Casey & Stellatos 2002).
4) The establishment of the timeline of activity relating to the images. This technique helps to ascertain who used the images and in what timeframes. In other words, this stage of the forensic investigation is perhaps one of the most topical, as it helps to find out ultimately who violated the policies of the firm.
5) The file analysis of the thumb drive. The aim of this analysis is to investigate and to infer whether the data that was stored on the disc drive was indeed relevant to the operative activity of the company and whether, apart from the violation of the firm’s ethics, the company was damaged in any other way. In other words, it is vital to ascertain whether the losses inflicted on the company were of a purely ethical nature, or whether the firm did actually suffer detriment.
Overall, the careful combination of the answers to the above questions constitutes a definite and ultimate conclusion on whether the policies of the company have indeed been violated (Hillson 2007) and whether those who are allegedly responsible should be subjected to any kind of corporate liability, including instant dismissal.
The Process of the Forensic Investigation of the USB Drive
Generally, the process of the forensic analysis of the USB drive is divided into three parts (Caballero 2009). The first is the acquisition of the required data, while the second and the third are the analysis of the data and the reporting procedure. As far as the common processing techniques are concerned, the first method is the cross-drive analysis of the installed hardware. The aim of this process is to determine whether the specific computer has been used for purposes other than those assigned to the person who works on it. After an effective and thorough analysis has been conducted, the specialists can easily detect whether specific data did exist on the hardware in question or whether the hard disk contains anything that can be detrimental to the firm (Mohay 2003).
The Elements of the Process of the USB Drive Investigation
This part of the paper is dedicated to the investigation of the images found on the detected USB flash drive. It details the peculiarities of each question and the actions taken by the analyst at the implementation stage. As each stage is analyzed, each step is substantiated with regard to the scholarly and business opinion of the leading luminaries in the field of forensic computer analysis.
The Methodology of Forensic Investigation of the USB Drive
First of all, it must be assured that the evidence indicating the involvement of the alleged corporate malefactors duly meets the requirements that are legally inherent to digital evidence (Farmer & Wietse 2009). Both the civil and the common law doctrines (i.e. the geographical origin of the parties is not significant) provide three criteria that are used for the purposes of evidence evaluation. Namely, these legally mandated requirements are:
- Authenticity. All the information assembled in the course of the investigation must correspond to the real state of events that took place (Katsicas 2009). The facts that have been outlined must not be distorted or wrongly understood. The artificial creation of evidence with the intent to accuse a person who did not commit unlawful acts is a crime (Seacord 2009). Moreover, in the overwhelming majority of the common law countries, where this rule is widely accepted, criminal liability for computerized perjury exists even if the imitated act in its turn constitutes neither a civil nor a criminal misdeed. Therefore, the deed of the alleged malefactor can be entirely condoned under the law, while the creation of the false circumstances that became the grounds for the lawsuit effectively constitutes a tort or even a crime.
- Reliability. The sources from which the information has been obtained must be analyzed and examined with all due diligence and scrutiny (Eoghan 2009). Eyewitness testimony or hearsay is not admissible in civil and commercial proceedings (Wanen & Heiser 2002). Where the computer forensic analysis of the evidence on the USB drive is concerned, it must be highlighted that specific methods of investigation are not permitted under the law. In particular, the law forbids any method that allows a twofold and ambiguous construction of the findings. To be more exact, methods that do not lead to the certain establishment of a fact and cannot corroborate the assumption that a specific action was done by a particular person are considered non-reliable. To illustrate, a file that bears the names of two creators necessitates the application of a method that will ultimately enable the investigator to distinguish between the two alleged creators and to find out who, in fact, created the file (Hillson 2007).
- The last, but not the least, criterion is the admissibility of the forensic computer evidence (Vacca 2009). To be more exact, this requirement provides that before specific evidence is used in a court of law, in an employment tribunal or in a body entitled under the law to review disputes involving the structural entities or the employees of the corporation, the legally regulated procedure of evidence procurement must take place. In other words, the evidence is admissible and will be used by the adjudicator only if it has been obtained in the course of, and with the full observance of, the specific procedure.
Who is most likely to be the person who owns the drive?
In order to answer this question correctly, several important aspects are to be taken into consideration by the investigator. First and foremost, the content of the pictures should be reviewed to ensure that the pictures in question definitely pertain to one of the two alleged suspects. To ensure the proper procedure, the following digital actions must be undertaken:
a) The character of the images detected on the forgotten flash drive. There is a unanimous, scientifically convergent opinion that data is analyzed considerably better when there is an opportunity to analyze it in isolation (Farmer & Wietse 2009), i.e. when the analysis and investigation can be conducted while the operative memory of the computer is not hindered and side-tracked by other processes (Lucas 2012), so that the person who conducts the investigation is in turn completely concentrated on the processing operations.
In the present case the available material indicates that an attempt was made to destroy the files in order to conceal that they had in fact existed. There is a unified scholarly opinion that when an attempt to delete files has been undertaken, it is vital for the researchers to focus on the blocks that are subject to being overwritten by the composer of the file. Given the nature of the information contained on the USB drive in question, and since it was found on the table of the colleagues and co-workers Alice and Bob, one of them is most likely the person liable for the theft of the corporate confidential information.
A similar situation was widely reported to have taken place in 2003 at DLA Piper, the international auditing and law firm, in the premises of the firm in Mumbai, India. Two colleagues (for security reasons, the authorities of the firm as well as the investigative forces concealed their names) shared a computer. Confidential information about the due diligence procedure of two international giants was copied to a CD-R disk, and that disk was occasionally identified by the security forces of the firm (Hillson 2007). Considering that the computer was shared by the two workmates, it was necessary to conduct an investigation to detect who was liable without spreading rumours among the employees of the firm. The entire procedure was to be conducted in a confidential and privileged manner, making it impossible for both the employees and the clients of the firm, especially those whose interests were concerned, to become aware of the situation. In order to identify who had in fact committed the corporate violation, a forensic analysis was conducted. First of all, the timetables and the working schedules of both suspects were analyzed. Second, an independent research group of specialists was involved, who after a careful computerized examination of the disk identified that it had been written on the computer while the shift of the second suspect was active. After this person was interrogated by the officials of the firm and the police authorities (corporate theft is a criminally punishable misdeed in India), he finally confessed that he had been suborned by the competitors of the company. Thus, the forensic investigation of the corporate confidential information was successfully completed.
Question 2. How Did the Images Get on the Drive?
In accordance with the popular opinion of scholars, computer authorities and other respective sources, there are several ways to transfer information to a disc drive, and these methods of file transmission are widely employed by various corporate malefactors and violators of corporate integrity (Eoghan 2009). These methods have been used in the major schemes in which the violator tried to transmit confidential information to the competitors of the firm (Rustmann 2002).
The first method is to record the necessary images on the discussed USB drive directly. In other words, the algorithm of action is simple: the flash drive is inserted into the USB port of the personal computer or the notebook of the alleged corporate malefactor and the data is written to the USB drive (Proske 2008). However, malefactors often take specific actions in order to conceal the nature of their actions, and every possible precaution is taken to ensure that the tracks and all evidence have been eradicated. The data encryption algorithm that is applied in the present case indicates that the privileged information, in particular the stolen images and other related data, is not absolutely protected from being stolen by the violators of the corporate ethics. To be more exact, the data encryption code demonstrates that the files in question can be easily and unlimitedly transmitted, either by dispatching them via the mailing system or by writing them to removable disk drives and other comparatively small bearers of information. Considering the data found on the disk drive, the assumption that can be made is plain and simple. The coding and the character of the revealed images are sufficient to consider that the files were simply written to the drive and that no specific technique to conceal this was used by the alleged malefactors (Seacord 2009). Criminals suspected of the creation and utilization of wrongfully obtained corporate data usually undertake complicated and sophisticated actions in order to puzzle the investigators and the members of the corporate security department.
In contemporary corporate fraud and other types of corporate malpractice, various methods are applied by the violators of corporate ethics to conceal their actions. The first method is the transmission of the files by mail service to persons who are sanctioned by the authorities of the firm to receive them, i.e. the customers or the related managerial staff of the company. The main peculiarity is that when the files are transmitted to the postal service, they are intercepted by the accomplices of the malefactors (Ross 1999). Outwardly, everything looks as if nothing serious and corporately punishable has taken place; however, the person who commits the violation of the corporate rules informs the interceptor about the peculiarities of the transmitted information. To be more exact, the “intercepting department” of the scheme is informed about the methods of file transmission and about the geographical and computer addresses of the postal service to which the files are being transmitted. Once this information, or to be more exact this metadata, since it is indeed information about what the receiver obtains, has been passed on, the violation of the corporate ethics may be considered as already committed. The rest of the operation involves the interception of the transmitted data, which always happens unnoticed, because the internal security systems of contemporary business entities, as well as the security systems of the major postal services, are currently incapable of identifying whether the correspondence has been detected and intercepted (Vacca 2009). Outwardly, everything looks as if nothing has happened, but somehow the competitors of the firm become aware of either the industrial secrets of the firm or the confidential content of the communications with the client.
A similar situation occurred in 2008, when the new engine systems developed by the engineers of the Renault companies were intercepted by their competitors; allegedly, the hacker attack was organized by members of the Toyota corporation, to whom the representatives of Renault had refused to sell the engineering secrets of the new methods (Katsicas 2009).
However, in the present case it is evident that the information was written to the USB drive directly, as the data inscription method of the images indicates that the file blocks were transmitted directly from the shared personal workplace of the colleagues. No interception took place, so it is reasonable to assume that the files were directly encrypted to the USB flash drive using the simplest methods of data encryption, and that no sophisticated techniques were used by the file stealer to conceal his activity. It is apparent that the malefactor acted alone and that no complicity in the corporate theft was present. Apparently, this person did not even consider the possibility that his actions would be detected and that the violation of the corporate ethics and corporate rules would eventually be exposed.
Overall, it can be recapitulated that the files were transferred to the bearer of the information with the most crude and unsophisticated techniques. The files were simply copied to the storage disc and saved using elementary Windows tools. Had more intricate methods been used, the forensic investigation could hypothetically have been hampered, but in this case nothing impeded the investigative forces from finding out who the culprit is.
Question 3. Were the Images Downloaded at Work? If So, How?
This question is among the most important questions raised before the forensic investigative department, because a proper reply to it helps to determine and to give a legal classification to the action that was allegedly perpetrated by the employee of the firm (Aaron & Davis 2009). Overall, the methods of data encryption, ciphering and transmission all point to the personal computer installed at the workplace of the suspected violators of the corporate ethics. In order to find out which computer was used as the host computer for the file transmission, i.e. to locate the original storage of the information, a set of specific actions has to be carried out by the person responsible for the conduct of the investigation. First and foremost, the individual peculiarities of the file are to be compared and contrasted with the data that the computer automatically attaches to the files generated on it. To illustrate, when a simple JPEG file is created on a computer, the personal computer or the notebook automatically attaches to the file the name of the creating facility, the time when the file was created and the user under whose login name the file was completed. Those who are concerned can easily look at these peculiarities of the file under “Properties”.
The timeline and the username of the created files indicate that the discussed images were compiled on the computer in question, and it is undisputed for the defence team that no other personal computer, notebook or other facility that has a processor was involved. Scholars unanimously advise that the possibility of a marginal error be taken into account, so the possibility that the files were obtained from another source should be examined by the investigative team as well. However, as far as the answer to the present question is concerned, it should be made clear that the possibility that the file was created on another computer does not exist at all, as the reviewed individual peculiarities of the files establish that the file was created on the computer that the suspected workmates share.
The method of downloading seemed to be crude and amateurish. The files were merely copied and downloaded to the storage facility of the disc, and no action was taken to eradicate the traces and the evidence that may show the liability of the culprits.
Overall, in this section of the report the inference is simple and unambiguous. The files were downloaded straight from the computer of the suspected workmates. The possible error is very insignificant, and it should be reviewed only if there are substantiated possibilities that the names, the time of the download procedure and the user name of the files were artificially created to puzzle the investigation and to channel the investigative theories in the wrong direction.
My personal opinion is that whilst the source of the file has been identified and no doubts exist that the files have been downloaded from the working computer of the colleagues who share it, it is still practically impossible to prove that no one intervened and artificially created the peculiarities of the files in order to puzzle the investigation and to shift the responsibility. Unless a more profound forensic analysis on the USB drive of these images has been conducted, it is practically impossible to ascertain that the intervention in the download procedure has been perpetrated.
Question 4. Timeline of Activity for the Users Responsible for the Images
One of the methods widely employed by the investigative forces to find out who is liable for the violation of the corporate ethics is to draw a timeline of activity for the people who may be directly or indirectly involved in the violation of the corporate policy. By applying these methods in 2011, Apple managed to track down the people who had been suborned by its most powerful competitor, Samsung, and in this way Apple managed to prevent the leak of the industrial secrets of the company (Lucas 2012).
Considering that the working hours of Bob and Alice were set in accordance with the working schedule of the company, it is natural to assume that the theft took place when Bob’s shift was active (the file was copied at 12:41, and the shift of Bob is from 8:00 AM to 16:00 PM).
This situation clearly indicates that, possibly, within the designated period both people did have reasonable opportunities to access the files and to dispose of them at their own discretion, in the present case to download them to the USB thumb drive and to use them for purposes that contravene the ethics and the principles of the company, thereby committing a severe economic misdeed and contributing to the prosperity of the existing and emerging competitors of the company.
Considering the time when the file was downloaded and the timelines of the alleged violators of the ethics, it does seem very probable that the misdeed was done by Bob, because the download took place when his shift was active.
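The timeline reasoning above, together with the earlier point that the computer stamps each file with its times, can be sketched as follows. This is an added example, not part of the original report: Alice's hours, the dates and the file names are constructed, and only Bob's 8:00 to 16:00 shift and the 12:41 copy time come from the case. The "copied" label assumes the usual Windows behaviour that a copy receives a new creation time but keeps its modification time.

```python
"""Attribute file timestamps from a USB drive to a shift roster (added example)."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Shift:
    user: str
    start: time
    end: time  # exclusive; an end at or before the start means the shift crosses midnight

    def covers(self, moment: datetime) -> bool:
        t = moment.time()
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime   # on the drive: when this copy was written
    modified: datetime  # when the content last changed; normally preserved by a copy


# Bob's 08:00-16:00 shift is from the case; Alice's hours are an assumption.
ROSTER = [
    Shift("Bob", time(8, 0), time(16, 0)),
    Shift("Alice", time(16, 0), time(0, 0)),
]

# Constructed sample records; only the 12:41 copy time comes from the case.
RECORDS = [
    FileRecord("IMG_0001.JPG", datetime(2012, 3, 5, 12, 41), datetime(2012, 3, 2, 21, 15)),
    FileRecord("IMG_0002.JPG", datetime(2012, 3, 5, 12, 41), datetime(2012, 3, 5, 12, 39)),
    FileRecord("NOTES.TXT", datetime(2012, 3, 5, 16, 30), datetime(2012, 3, 5, 16, 30)),
    FileRecord("OLD.DOC", datetime(2012, 3, 6, 3, 10), datetime(2012, 3, 6, 3, 55)),
]


def classify(rec: FileRecord) -> str:
    """Label how the file reached its current state on the drive."""
    if rec.created > rec.modified:
        return "copied"   # content predates its arrival on the drive
    if rec.created == rec.modified:
        return "created"  # written on the drive and not touched since
    return "edited"       # changed in place after it was written


def build_timeline(records, roster):
    """Return rows ordered by arrival time, each attributed to the shift(s) active then.

    A verdict is a lead, not proof: timestamps follow the clock of the writing
    machine and can be altered, and a shift shows presence, not who was logged on.
    """
    rows = []
    for rec in sorted(records, key=lambda r: (r.created, r.path)):
        users = [s.user for s in roster if s.covers(rec.created)]
        if len(users) == 1:
            verdict = users[0]
        elif users:
            verdict = "ambiguous"  # overlapping shifts: the time alone cannot decide
        else:
            verdict = "off-shift"  # nobody rostered: check door logs, logon events
        rows.append({"path": rec.path, "when": rec.created,
                     "action": classify(rec), "on_shift": users, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for row in build_timeline(RECORDS, ROSTER):
        print(f'{row["when"]:%Y-%m-%d %H:%M}  {row["action"]:<8} {row["path"]:<14} {row["verdict"]}')
```

Rows marked "ambiguous" or "off-shift" are the ones where the timestamp alone cannot support an attribution and other records are needed.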
Question 5. The Analysis of the Files Found on the USB Disk Drive
Considering the nature and the importance of the files detected on the USB drive in question, several important assumptions about these files should be made for the purposes of the present forensic analysis. The assumptions are the following:
1) Document # 1 indeed contains vitally important commercial information about the environment of the company; in particular, the figures recorded in this document can be used by the competitors of the company to sap the trust of the customers of the firm in the financial capacity of the company.
2) Document # 2 contains data that is important for the evaluation of the industrial results accomplished by the firm. This document can be used by the competitors of the firm to evaluate the existing and the prospective industrial performance evaluation methods of the company. In fact, this information is always considered privileged, and unauthorized access to this kind of information is always considered an industrial misdeed.
3) Documents # 3 and 4 contain information about aspects of the new technology that is currently being developed by the respective departments of the company. The leak of this information is a severe violation of the corporate internal rules, and the person detected doing so must be immediately dismissed from the ranks of the firm.
Overall, having conducted a profound forensic analysis of the presented materials on the USB drive, it can be inferred that the files that are the object of the theft were copied and downloaded by Bob, who was not authorized by the firm to take these actions and who therefore committed a severe violation of the corporate policy. The aspect that has not been covered in this analysis is the intent of the malefactor, which always constitutes an important part of both a civil misdeed and a criminal violation. However, assuming that the intent of the party that made the disclosure was to transmit the information to the competitors of the company, the instant dismissal of Bob is highly recommended.