The purpose of this research is to investigate and explore a corporate crime case study, identify the core areas of concern for a computer forensic investigation, and describe the forensic tools required to evaluate those areas of concern. A corporate crime is defined as a crime committed by a corporation, or by an individual or group of people associated with a corporation (Frank, & Lynch, 1992, p. 12). The corporate crime case study chosen for this research is the denial of service attack involving Scott Dennis, a former computer system supervisor for the United States District Court of Alaska (Seth, 2010).
Scott launched three denial of service attacks on Judsys, a private mail server owned and managed by the United States District Court. He blocked the system by flooding it with emails, which forced the computer hosting Judsys to be shut down and taken out of service. An investigation identified Scott as the person responsible by tracing the internet activity back to his private computer (Seth, 2010). In 2001, he was sentenced to 6 months in jail and 3 months of home detention, followed by a year of monitored release.
A denial of service attack is a kind of attack, commonly carried out over the web, intended to interrupt the normal functioning of the targeted computer network and so make its resources unavailable to users (Howes, Smith & Good, 2003, p. 415). The most common method is to saturate the targeted computer with a continuous stream of external communication requests, generating such a volume of bogus traffic that the legitimate bandwidth reserved for authentic users is held back.

The core areas of concern for Scott's case are therefore the following. The first is integrity of evidence, where everything associated with the case is kept under control to avoid alteration. Extraction is the next area of concern and involves duplicating the evidence without altering it (Jones, 2007). After the evidence has been extracted, the next step is to interpret it. Interpretation of evidence should be performed carefully, and an expert should be invited to counter-check that the reported results are the actual ones and not otherwise. The next stage is documentation. Its purpose is to make the process reproducible, so that another expert can use the same material and notes to arrive at the same conclusion as the first expert. The last area of concern is the rule of evidence, where the admissibility, dependability and relevancy of the expert are determined (Jones, 2007).
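The integrity, extraction and documentation concerns above can be illustrated in code. The following Python script is an added example and is not part of the original essay or any cited tool: it duplicates an evidence file, hashes the original and the copy so that the copy can be proven unaltered, and appends a JSON record to a case-notes file so that a second examiner can re-verify the same material. The sample "evidence" file, the examiner name and the note-file layout are all constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so that large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_copy(source, dest, examiner, notes_path):
    """Duplicate `source` to `dest`, hash both, and append an entry to the case notes.

    Returns the acquisition record; 'verified' is True only when the copy's hash
    matches the original's, i.e. the evidence was not altered during extraction.
    """
    original_hash = sha256_of(source)
    shutil.copyfile(source, dest)
    copy_hash = sha256_of(dest)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": os.path.abspath(source),
        "copy": os.path.abspath(dest),
        "sha256_original": original_hash,
        "sha256_copy": copy_hash,
        "verified": original_hash == copy_hash,
    }
    # One JSON object per line: the documentation another examiner reproduces from.
    with open(notes_path, "a", encoding="utf-8") as notes:
        notes.write(json.dumps(record) + "\n")
    return record


def verify_against_record(path, record):
    """Re-hash a file later and compare it with the documented hash."""
    return sha256_of(path) == record["sha256_copy"]


def demo():
    """Run the workflow on a constructed sample evidence file in a temp directory.

    Returns (copy_verified, tampered_copy_still_matches): expected (True, False).
    """
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "mail_spool.sample")  # constructed sample file
    with open(source, "wb") as f:
        f.write(b"Constructed sample evidence: mail spool contents\n" * 1000)
    copy = os.path.join(workdir, "mail_spool.sample.copy")
    notes = os.path.join(workdir, "case_notes.jsonl")
    record = acquire_copy(source, copy, "examiner-1 (hypothetical)", notes)
    # Simulate an accidental modification of the working copy; the documented
    # hash must now fail to match, which is exactly what the record is for.
    with open(copy, "ab") as f:
        f.write(b"x")
    return record["verified"], verify_against_record(copy, record)


if __name__ == "__main__":
    verified, tampered_ok = demo()
    print("copy verified after acquisition:", verified)
    print("modified copy still matches record:", tampered_ok)
```

In practice the working copy would be a forensic image taken with a write blocker, and the hash in the notes is what lets a second expert confirm they are examining the same bytes; the point of the single-byte modification in `demo()` is to show that even a trivial change is caught.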
For any forensic investigation to produce accurate results, several tools are essential for evaluating the areas of concern described above. The first thing an investigator needs to do is isolate the suspect system. Live View is useful here for creating a virtual disk from the system, which allows the investigator to safely examine a replica of the system without disturbing anything installed on it. Once the system has been rebooted, the investigator should run StartupList to determine what has been added to the system's startup sessions. HijackThis can be used to supplement the StartupList tool in ruling out obvious malware (Bourque, 2008).
The next action is to determine open files. In Linux, lsof lists all open files by default. OpenFilesView can also be used as an additional tool that lists all processes and files on the system (Malin, Casey & Aquilina, 2008, p. 52). While the system is running, Wireshark can be used to spot anything that is sent from the system to another destination unexpectedly, and so helps in identifying anything suspicious on the system. Helix 3 is another forensic tool used to evaluate the areas of concern. It is used to safely examine the disk and establish what has been altered or interfered with (Bourque, 2008).
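Tools such as Wireshark show the investigator raw traffic; what they do not do is decide when a volume of connections amounts to the kind of flood described in Scott's case. The following Python script is an added example, not code from the essay or from any of the tools it names: it parses a constructed, Postfix-style mail log (hypothetical format, with documentation-range IP addresses) and applies a sliding-window count per source address to surface a single host that opens far more connections than the rest. The window length and threshold are assumptions an investigator would tune to the server in question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> mx smtpd[pid]: client=<name>[<ip>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) mx smtpd\[\d+\]: "
    r"client=\S+\[(?P<ip>[\d.]+)\]$"
)


def parse_line(line):
    """Return (timestamp, source_ip) for a connection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip")


def find_floods(lines, window_seconds=60, threshold=100):
    """Sliding-window count of connections per source IP.

    Returns {ip: peak_count} for every source whose connection count within any
    window of `window_seconds` reached `threshold`. Unparseable lines are skipped.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = defaultdict(int)
    span = timedelta(seconds=window_seconds)
    for ts, ip in events:
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > span:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample log: light traffic from three hosts over five minutes,
    then one host (192.0.2.99) opening 300 connections in about 30 seconds."""
    base = datetime(2001, 3, 20, 14, 0, 0)  # constructed date
    lines = []
    normal = ["198.51.100.7", "198.51.100.8", "203.0.113.45"]
    for i in range(30):
        ts = base + timedelta(seconds=i * 10)
        ip = normal[i % len(normal)]
        lines.append(f"{ts.isoformat()} mx smtpd[101]: client=host{i}.example.net[{ip}]")
    for i in range(300):
        ts = base + timedelta(seconds=120 + i // 10)  # ten connections per second
        lines.append(f"{ts.isoformat()} mx smtpd[102]: client=unknown[192.0.2.99]")
    lines.append("a malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for ip, count in find_floods(build_sample_log()).items():
        print(f"possible flood: {ip} reached {count} connections in a 60 s window")
```

A result like this is a lead, not proof: the investigator still has to tie the source address to a specific machine and user, which in Scott's case was done by tracing the activity back to his private computer, and the log itself must have been acquired and hashed as in the extraction step before it is relied on.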