Project Scenario – Computer Forensics

Organization Name: Mega Corp Inc.

With high-visibility breaches in the news impacting such well-known companies as RSA and Sony, the board of directors of Mega Corp has directed the CEO to establish incident response and forensics capabilities that will ensure they are prepared to meet any potential challenges that might come the way of the organization. The CEO wants an independent perspective and has recruited you to be his highly paid consultant. You will provide him with a set of recommendations that he can use to meet the board’s request.

The recommendations you will be expected to provide as the deliverables for this project are:

1. Properly differentiate forensics and incident response activities.

2. Recommend appropriate changes to the existing architecture and IT assets of the project organization.

3. Recommend an appropriate set of preventative controls for implementation in the project organization.

4. Recommend appropriate physical space, incident response, and forensics tools requirements for the project organization and forensics partner.

5. Identify appropriate roles and responsibilities needed for effective forensics incident response for the project organization.

6. Develop appropriate incident classification and response procedures for the project organization.

7. Develop appropriate recommendations for continuous performance improvement of forensics and incident response procedures for the project organization.

High Level Details

Locations:

. Headquarters: Phoenix, Arizona.

. Distribution sites: New York, San Francisco, and New Orleans.

. Global locations: Germany, India, China, Australia, South Africa, and Dubai.

Employees:

. Phoenix, Arizona: About 1200 users.

. Distribution sites:

. New York: 45 users.

. San Francisco: 30 users.

. New Orleans: 25 users.

· Global locations:

. Germany: 15 users.

. India: 12 users.

. China: 10 users.

. Australia: 8 users.

. South Africa: 6 users.

. Dubai: 5 users.

Main Infrastructure items:

· Hosts: They are primarily Windows XP but there are examples of both Macintosh- and Linux-based systems that have been approved for use at some sites.

· Cisco Routers and Switches: Each site will include their local switches and routers, which will be connected directly to the main data center located at the headquarters in Arizona.

· Firewalls: The headquarters and distribution sites have redundant ASA firewalls at the edge of their network and the global locations rely on the host-based Windows firewalls to protect their systems.

· Intrusion Detection: The malware solution for the organization is purchased and managed by each location and is the only form of IDS that is currently in place.

· Domain servers: Running Windows 2008.

· DNS servers.

· DHCP servers.

· Active Directory.

· Exchange Mail servers.

· File & Print servers.

· ERP system (such as PeopleSoft).

Current Environment

Mega Corp Inc. is a multi-national conglomerate consisting of two primary lines of business. These are:

· Mega Corp Consulting. The security consulting operation is located in the corporate headquarters in Phoenix, with remote partners responsible for sales and consultant oversight housed in offices within the nine sales, warehousing, and distribution centers worldwide.

· Mega Corp Solutions. The security products sales and distribution operations are also located in the corporate headquarters in Phoenix. Sales and solutions support staff are housed in offices within the nine sales, warehousing, and distribution centers worldwide.

Mega Corp owns a large office complex in Phoenix, where it is the sole tenant. The building houses the majority of IT staff and assets, both of which are located in the basement of the building in a secure, environmentally controlled space. The exception is first-level support, which is outsourced to India and shares space with the sales and warehousing functions in the country.

Remote sales, warehousing and distribution centers are all located in commercial space settings in shopping malls. They are spaces with separate entrances and exits that have common walls with the neighboring businesses. Some of the locations have a common basement or attic space that they share as storage space with the existing businesses in the mall. These locations will include your backbone network devices (routers, switches), domain controllers, DNS, mail servers, and firewall and intrusion detection systems that allow users to work locally in the event of a broader system failure.

Data on the servers is replicated twice a day from your local sites to the global locations to ensure a safe and secure date transactions between sites and help with a speedy data recovery in times of disasters.

The network is segmented into 10 global virtual LANs that logically separate into the following user groups:

· Information Technology.

· Management.

· Finance.

· Human Resources.

· Marketing and Sales.

· Product Development.

· Training.

· Remote Users.

· Security and Facilities Departments.

· All other users.

New system user requests are completed by the site manager via an electronic form located on the company intranet. User management staff completes those requests from their headquarters location and e-mail the site manager with the account and password information. Account ID is the first initial and last name of the employee. Multiples are mitigated through the addition of a 1, a 2, or, if necessary, a 3 at the end of the ID. Temporary passwords repeat the account ID and then require the user to change the password at logon. All users will be hosted in the main Active Directory servers, which will be designated as the corporate domain system for all hosts in the company.

Project Objectives

To successfully complete this project, you will be expected to:

· Properly differentiate forensics and incident response activities.

· Recommend appropriate changes to the existing architecture and IT assets of the project organization.

· Recommend an appropriate set of preventative controls for implementation in the project organization.

· Recommend appropriate physical space, incident response, and forensics tools requirements for the project organization and forensics partner.

· Identify appropriate roles and responsibilities needed for effective forensics incident response for the project organization.

· Develop appropriate incident classification and response procedures for the project organization.

· Develop appropriate recommendations for continuous performance improvement of forensics and incident response procedures for the project organization.

Week 5

· Incident Classification and Follow Up Procedures (3 pages)

You are aware that having an external forensics partner elevates the risk of improper handling of evidence by untrained individuals. Define and create examples of incidents that would fall under low, medium, and high risk events. In a short paper, create a detailed set of recommendations for how first responders would handle each of these events:

· Include appropriate examples of incidents that would fall under the risk categories.

· Identify how first responders would process a low risk incident.

· Identify how first responders would process a medium risk incident.

· Identify how first responders would process a high risk incident.

When complete, submit your document in the assignment area.

[u05d1] Unit 5 Discussion 1

When an Incident Becomes a Crime (1-page Discussion)

The vast majority of incidents that occur in organizations are the result of carelessness, miscommunication, or other unintentional acts. The potential exists, however, for an incident to escalate into a potential crime. When this occurs, there are very strict rules of evidence handling that are necessary to ensure that when the evidence is presented in court, the organization can offer proof that:

· The evidence is pristine and was properly collected and stored.

· The evidence has not been tainted or altered in any way.

Discuss strategies that are necessary to ensure these goals are met. Also include in your discussion consideration of how an organization can ensure that evidence, once it is no longer needed, will be properly disposed of and the tools that are available to support this work.