Reporting to management / evidence reconstruction and hypothesis

In this article I cover the main points established in the previous article, Network Forensics – Traffic Analysis (2).

In order to report to management we need to build a timeline that can be checked and that is supported by the evidence extracted from the pcap file. I start with the timeline of events:

  1. Packet capture started at 13:34:08 2009-10-10
  2. Network interrogated with ARP for IP 192.168.1.159 at 13:34:11 2009-10-10
  3. 192.168.1.159 sends a response with its MAC address 00:21:70:4d:4f:ae
  4. 192.168.1.159 (Ann’s computer) sends a DNS query for smtp.aol.com at 13:35:30 2009-10-10
  5. DNS response to 192.168.1.159: smtp.aol.com resolves to 64.12.102.142 at 13:35:30 2009-10-10
  6. SMTP conversation to sec558@gmail.com at 13:35:30 2009-10-10
  7. SMTP conversation to mistersecretx@aol.com at 13:38:11 2009-10-10
  8. Packet capture finished at 13:38:22 2009-10-10

The hypothesis supported by the timeline above and the evidence extracted is the following:

  1. Ann’s laptop (probably a Dell, judging by the MAC address identified in the capture) sent a DNS request for smtp.aol.com in order to connect to the email server
  2. After the initial request she sent an email to her accomplice outside the organization to arrange a meeting with him
  3. Ann also contacted her lover, mistersecretx, to meet him in Mexico

From the analysis we can conclude that Ann has been involved in insider threat activity. At this point it is essential to present a report to management that contains and summarizes the above details. The report has to be accompanied by the evidence extracted during the analysis, so that the hypothesis is backed by that evidence. In order for this evidence and hypothesis to be considered in court, it is important to adhere to the digital evidence preservation guidelines that you can find at the following link.

http://www.cps.gov.uk/legal/assets/uploads/files/ACPO_guidelines_computer_evidence%5B1%5D.pdf
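As an added example (it is not part of the original post), the following Python script reconstructs a timeline like the one above directly from a pcap file: it walks the classic pcap record format, describes each ARP, DNS and SMTP envelope frame with its frame number and timestamp, and records the SHA-256 of the evidence file so that every entry in the report can be traced back to the exact capture that was analysed. The capture it parses is constructed inline: the MAC address, IP addresses, hostname and timestamps are taken from the timeline above, but the individual frames, ports and the single RCPT TO line are assumptions made for illustration, not the article's evidence file.

```python
import hashlib
import struct
from datetime import datetime, timezone

# ---- Constructed sample capture (NOT the article's evidence file; frame details are illustrative) ----
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))
def _eth(dst, src, etype, payload): return _mac(dst) + _mac(src) + struct.pack("!H", etype) + payload
def _arp(op, smac, sip, tmac, tip):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(smac) + _ip(sip) + _mac(tmac) + _ip(tip)
def _ipv4(src, dst, proto, payload):  # minimal 20-byte header; checksum left zero (not verified below)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(src), _ip(dst)) + payload
def _udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _tcp(sport, dport, payload): return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
def _qname(name): return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def _dns_query(name): return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)
def _dns_answer(name, ip):  # one A record whose owner name is a compression pointer to the question (offset 12)
    return (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip(ip))
def _pcap(frames):  # classic little-endian pcap, microsecond timestamps, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

ANN, GW, BCAST = "00:21:70:4d:4f:ae", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"  # GW is an assumed gateway
T0 = int(datetime(2009, 10, 10, 13, 34, 8, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = _pcap([
    (T0, 0, _eth(GW, ANN, 0x0800, _ipv4("192.168.1.159", "192.168.1.1", 6, _tcp(51002, 80, b"")))),  # unrelated frame
    (T0 + 3, 0, _eth(BCAST, GW, 0x0806, _arp(1, GW, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.159"))),
    (T0 + 3, 1000, _eth(GW, ANN, 0x0806, _arp(2, ANN, "192.168.1.159", GW, "192.168.1.1"))),
    (T0 + 82, 0, _eth(GW, ANN, 0x0800, _ipv4("192.168.1.159", "192.168.1.1", 17, _udp(51000, 53, _dns_query("smtp.aol.com"))))),
    (T0 + 82, 10000, _eth(ANN, GW, 0x0800, _ipv4("192.168.1.1", "192.168.1.159", 17, _udp(53, 51000, _dns_answer("smtp.aol.com", "64.12.102.142"))))),
    (T0 + 83, 0, _eth(GW, ANN, 0x0800, _ipv4("192.168.1.159", "64.12.102.142", 6, _tcp(51001, 587, b"RCPT TO:<sec558@gmail.com>\r\n")))),
])

# ---- Timeline reconstruction ----
def _ts(sec, usec):
    return datetime.fromtimestamp(sec, timezone.utc).replace(microsecond=usec).strftime("%Y-%m-%d %H:%M:%S.%f")
def _fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def _fmt_ip(b): return ".".join(str(x) for x in b)

def _read_name(pkt, off):
    """Decode a DNS name starting at off; returns (name, offset just past it). Handles compression pointers."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer: the rest of the name lives elsewhere, but only 2 bytes are consumed here
            tail, _ = _read_name(pkt, struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n

def _describe_dns(pkt):
    _, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    off, qnames, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(pkt, off); off += 4; qnames.append(name)  # skip QTYPE/QCLASS
    if not flags & 0x8000:
        return f"DNS query for {', '.join(qnames)}"
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        if rtype == 1: answers.append(_fmt_ip(pkt[off:off + 4]))  # A record
        off += rdlen
    return f"DNS response: {', '.join(qnames)} resolves to {', '.join(answers)}"

def build_timeline(pcap):
    """Walk every pcap record and emit ARP, DNS and SMTP envelope events with frame number and timestamp."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "expected little-endian microsecond pcap"
    events, off, frame, first, last = [], 24, 0, None, None
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        data, off, frame = pcap[off + 16:off + 16 + incl], off + 16 + incl, frame + 1
        first, last = first or (sec, usec), (sec, usec)
        etype, desc = struct.unpack("!H", data[12:14])[0], None
        if etype == 0x0806:  # ARP: who-has / is-at
            op = struct.unpack("!H", data[20:22])[0]
            sender, target = _fmt_ip(data[28:32]), _fmt_ip(data[38:42])
            desc = (f"ARP who-has {target} asked by {sender}" if op == 1
                    else f"ARP reply: {sender} is at {_fmt_mac(data[22:28])}")
        elif etype == 0x0800:  # IPv4
            ihl, proto = (data[14] & 0x0F) * 4, data[23]
            src, dst, l4 = _fmt_ip(data[26:30]), _fmt_ip(data[30:34]), data[14 + ihl:]
            if proto == 17 and 53 in struct.unpack("!HH", l4[:4]):
                desc = f"{src} -> {dst} {_describe_dns(l4[8:])}"
            elif proto == 6:
                payload = l4[(l4[12] >> 4) * 4:]
                if payload.startswith((b"MAIL FROM:", b"RCPT TO:")):  # SMTP envelope lines only
                    desc = f"{src} -> {dst} SMTP {payload.decode().strip()}"
        if desc:
            events.append({"frame": frame, "time": _ts(sec, usec), "detail": desc})
    if first is None:
        return []
    return ([{"frame": 1, "time": _ts(*first), "detail": "Packet capture started"}] + events
            + [{"frame": frame, "time": _ts(*last), "detail": "Packet capture finished"}])

def evidence_digest(pcap):
    """SHA-256 of the evidence file, recorded in the report so the timeline is tied to this exact capture."""
    return hashlib.sha256(pcap).hexdigest()

def render(pcap):
    lines = [f"Evidence SHA-256: {evidence_digest(pcap)}"]
    lines += [f"{e['time']}  frame {e['frame']:>4}  {e['detail']}" for e in build_timeline(pcap)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLE_PCAP))
```

Each timeline entry carries the frame number, so a reviewer can open the same capture in Wireshark, jump to that frame and confirm the claim; the digest printed at the top is what ties the report to the preserved evidence file rather than to a copy that may have been altered. The parser deliberately reports only ARP, DNS and SMTP envelope lines, which are the three kinds of evidence the timeline above rests on.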
