Investigative Conclusion and Testimony No directly quoted material may be used in this project paper. Resources should be summarized or paraphrased with appropriate in-text and Resource page citations. ***Read the parts of each section of this project carefully as you are being asked to answer questions assuming different roles for different questions. SECTION I In the course of this investigation you, as the Information Security Analyst for Provincial Worldwide, have or will need to interview (or perhaps “interrogate”) several people to provide context for the evidence you have collected as well as the rational for your searches. Ms. McPherson and Provincial Worldwide management are asking for everything to be documented and would like you to provide them responses to the following pieces of information: Provide a list of people you believe should be interviewed for this investigation and how they relate to the investigation. What information could they possibly supply? Provide a narrative description of the interview setting and the intended process, before, during, and following the interview (remember that depending on the type of interview, the setting may be different). Explain to the management why these stages are important to a successful interview and investigation. SECTION II For the purpose of the first part of this Section, you are still the Information Security Analyst for the company. Consider this project a continuation of the work you performed in Projects #1 and #2. After seeing you search Mr. Belcamp’s work area and take several pieces of evidence, Ms. Victoria Evans who works in the office across the hall, comes forward with an odd story. Ms. Evans states that she is Mr. Belcamp’s girlfriend, but lately things in their relationship had begun to sour. She produces a thumb drive she says Mr. Belcamp gave her earlier that day. She tells you Mr. Belcamp told her to “keep it safe” and asked her to take it home with her at the end of the day. Ms. Evans tells you she really likes her job at Provincial Worldwide and has no interest in being wrapped up in whatever Mr. Belcamp has done to invite negative attention. 1. The laboratory has asked you to write a short summary of what information you want them to look for on the submitted thumb drive. Identify, for the lab, what digital or non-digital evidence you would like them to look for and explain why that evidence would be important to the case. 2. Because you are the most familiar with the investigation, Ms. McPherson is asking you to brain storm all the locations outside of Mr. Belcamp’s immediate work space where pertinent digital evidence might be found to help with your case. Identify all of these locations, including places where police would have to be involved to search. Identify what places are legal for the company to search, and which ones would require police involvement. Support your inclusion of each location with a short description of what type of evidence might be found there. Now, please assume a different character for the purpose of this next segment of the assessment… You are a forensic examiner at the above mentioned Provincial Worldwide lab. Mr. Stephen Bishop, a newly promoted Regional Security Operations Manager, sent an email to Ms. McPherson who has forwarded it to respond. 3. Write a response to the following email that you have received: To: You, Provincial Worldwide, Digital Forensics Examiner From: Ms. Carol McPherson This case has made Provincial Worldwide upper management recognize the importance of forensic readiness. They have asked that you nominate three (3) forensic examination/analysis (software) tools for them to keep in their budget for the following year. They also state that they want to make sure that the tools nominated are ones that would meet criminal justice-level standards and evidentiary requirements under the Daubert Standard. Please construct a table (chart) that identifies the tool name and their manufacturer, and the capabilities of the tools. Since these tools must meet the Daubert standard, please provide an explanation of how the three tools meet the standards of Daubert. (Management specifically wants tools that can examine/analyze the digital data inside the devices and is not interested in your input on additional tools that write protect or image devices at this time.) After receiving the package from the Data Security Analyst in the field, you sign the chain of custody form and get set to begin your examination. 4. After taking the thumb drive out of storage, you, as the digital forensics analyst, sit down to examine the data. (Presume all personal protective equipment discussed in the course readings is already in place.) Prior to looking through the data contained on the device, you have to make a forensic image. Document what step you take prior to making the image and why this step is important to your overall case. Explain your actions and reasoning thoroughly. Fortunately, the Information Security Analyst was on his/her game, and ALSO sent you copies of several files, reported to be the source code of “Product X”. 5. You, as the digital forensics examiner, used hash values to help locate the source code on the thumb drive. Using verbiage that would be appropriate to communicate to a judge and jury that may not understand computer technology at all, detail and explain the following: • What is a hash value, and how did you use it to identify the source code was present? • Explain an additional use of hash values in the context of digital forensics. You complete your laboratory examination and return the evidence, with your report, back to the Information Security Analyst at the field office.