The Potential Breach of HCC Essay

Introduction

The HCC Partners in Life is an aggregated medical service provider that dispenses curative, preventive, and palliative care to diagnose and treat patients (Nichols, 2008). In the recent past, the HCC Security Operations Center has perceived of malware and policy transgressions within its Intrusion Detection System (IDS). Ever since the lead HCC database administrator opened an email attachment, her computer system has divulged technical snags. These glitches have elucidated the need to review potential breach, prompting HCC to engage due forensic investigation services from our XYZ Incorporation. This paper projects the blueprint procedures that we, at XYZ Inc., have lined up to explore the HCC network, its database server, plus other workstations. After that, a court prosecution will follow, where I, in the capacity of the Lead Forensic Investigator, will represent the forensic team.

Body

What is Our Plan to Process the Potential Crime/ Incident Scene?

My response strategy constitutes of an Enterprise Incident Response and the famous FOR508 1 (Marshall, 2008). Below is a summary of our program with a recommendation from Marshall’s Digital Forensics.

Response program

1. Preparation. Outline the tools to counter the intrusion effectively. The tools for use here include data capture of traffic, packets, network recording, audit logs, and audit trails.
2. Identification. Spot and distinguish all the compromised systems and workstations, in this case, the database administrator’s computer system and the database server.
3. Containment. Fathom the exact steps in which the breaches ensued and establish the encroached details.
4. Recovery. File a threat intelligence, which HCC will use in the face of a future security adversary.

How will we identify the potential digital evidence?

The XYZ Inc. team has devised the following stratagem to pinpoint the pertinent evidence, with a tribute to Casey’s Foundations of Digital Forensics.

1. Cyber crime investigation. We shall scrutinize timeline and MFT anomalies, deleted files, registry keys, NTFS timestamps, ShimCaches, and Sleuthkit toolsets. Research will also include scanning of physical entities such as thumb drives, cell phones, CDs, external hard drives, routers, and PDAs among others.
2. Data collection. The predominant data collection method lies in appropriate data capture from email servers, backup media, network shares, cellular devices, and the computer setups. Equally important is scrutiny of fax machines, scanners, printers, digital cameras, and answering machines.

How will we prepare for the search?

The preparation stage entails the considerations that the team should take into account beforehand such as organizing a Chain of Custody and threat intelligence. This chain is crucial in demonstrating the bearings of all HCC units of evidence, from the time of collection to the time of testifying in the court (Casey, 2011). A sufficient preparation comprises of fraud detection, operational time length, discerning malicious engineers, as well as documenting legal evidence (Marshall, 2008).

What steps will we take to seize digital evidence?

With reference to Barret and Kipper (2010), we aim to collect and obtain live evidence by executing the steps below.

1. Photograph HCC’s database servers, workstations, and the running computer screens.
2. Secure live data including RAM image, logged on users, and the network connection state.
3. Disengage the power connection within the entire HCC working space.
4. Map out and mark all the cords.
5. Tally the model and serial numbers of the hardware devices.
6. Disengage the devices from their cords.
7. Search the HPA and subsequently image the hard drives.
8. Wrap up all evidence entities into evidence bags.

What documentation processes will we follow to help support any potential legal proceedings?

Marshall explains that documentation of forensic findings embodies data preservation and presentation (2008). We will appoint the aid of dedicated hardware and software accessories such as write blockers and Helix hardware imagers to register evidence, following guidance from Pandya (2013). We shall further detail into affidavits, the Chain of Custody and file the substantiated evidence of a breach, the data collection, and preservation methods.

How will my team follow proper storage on evidence means?

Marshall (2008) asserts that appropriate evidence repository epitomizes tabulation of items within the Chain of Custody. At XYZ Inc., we go all out to contend to this chain by tagging and labeling of the proof fundamentals (Nelson, Philips & Stuart, 2010). Tagging and labeling aids in easier and faster recognition of the testimonial items later. My response team will tag the item description, date, location, brand name, police case number, and serial numbers of the assembled hardware devices.

How Will My Team Approach and Process the Database Administrator’s Computer?

The HCC database administrator remarked that she had observed technical anomalies within her computer workstation, following the opening of an email attachment she received from the Human Resources. The attachment to the email contained some vital information on the company benefits. According to Nelson, Philips and Stuart (2010), such malware encroachment is critical to a company as it poses financial and regulatory risks for the firm. Apparently, malware technicians have perked up their expertise and so have we, at XYZ Inc. With adherence to Pandya (2013), my team and I have drafted the following approaches to process probable malware.

1. Assessing malware risks. Here, we will gauge the attack vectors susceptible to breach such as firewall, the Microsoft Baseline Security Analyzer (MBSA), and antivirus software on the computer in question.
2. Physical security. We shall employ this defense plan to prevent theft, human error, and tampering of records. The critical elements involved are network access points, personnel security, server computers, plus the administrator’s computer.
3. Logical security. Here, we assess software safeguards across the HCC workforce to establish which other persons, apart from the administrator, has admission to the particular workstation. We shall look at user IDs, password entries, rights of use, and authentication.
4. Reactive and proactive procedures. We shall use reactive methodologies to unravel the attack program utilized to compromise the administrator’s system, with particular attention to the email attachment. Furthermore, we shall also employ proactive policies to avert the host-based attack from endangering the entire HCC network.

What steps will we use to image her drive?

Barret and Kipper (2010) quote that hard drive imaging and cloning has a rule of thumb- to, at no time, reshape the original media. We will perform forensic imaging an assortment of various storage media such as her hard drive, floppy disks, zip drives, and CDs. We will administer a bit stream imaging by way of generating an exact bit-for-bit replica of the original subject media on the drives. We shall also implement the MD5 algorithm standard to test data integrity, MD5 hash values, and digital signature applications. We shall begin by documenting the Chain of Custody, followed by noting the type, model, brand, and the drive’s serial number. Next, we photograph the drive and authenticate the date and time details of the drive, before finally certifying the exactness of the information gathered (Pandya, 2013).

What areas on her system will we analyze for potential evidence of infection?

We see fit to examine the physical components of the administrator’s computer system, concerning the CPU, chips, boards, monitor, printer, and storage media (Barret and Kipper, 2010). Further, we shall pore over the RAM, internal hard drive, backups, and caches, CDs, DVDs, and digital cameras. In addition to this, we have a mind to evaluate varied software tools such as data storage techniques, application packages and the system’s operating system as a whole. The reason for this is that we firmly believe that data infringements exist in a dual form. Pandya explains a double form as the state where the physical dimension of evidence is a product of software application creation (2013).

Other items

Casey offers that deployment and management are crucial in mitigating malicious attacks (2011). In this case, we will validate, monitor, and report on the optimum antivirus software, Window Defenders, user education, log files, and the MBSA. The objective behind this is to confirm that the followed procedures to authenticate the firewall, gateway, and the MBSA, are efficient and thorough, explains Barret and Kipper (2010).

How Will My Team Approach and Process the Potential Breach in the Database Server?

The tipoff from the HCC Snort IDS has alerted probability of infections in the firm’s database. Security failures that lead to interference of personal medical records and data in HCC are synonymous with legal, financial, regulatory, and reputation risks for the entire enterprise (Nichols, 2008). These risks advance prospects of danger in detriment to the associated patients, as mischievous characters could steal their identities (Nichols, 2008). In an imperious move, my team and I have formulated a number of recovery processes using various approaches and tools. Referring to Pandya (2013), we intend to apply cleaning applications including the Malicious Software Removal Tool, Sysinternals tools, along with manual procedures as follows.

1. Detach the affected server from the rest of the network.
2. Modify all account and system passwords, paying exceptional attention to financially oriented structures, in addition to those that host commercial information.
3. Distinguish processes and drivers that lack icons, company names, or descriptions.
4. Investigate peculiar URLS, DLLs or services, and bare TCP/IP.
5. Deactivate malevolent drivers, processes, files, and auto starts.
6. Reboot the system.
7. Ultimately, update and renew the impaired database files and reserves.

What steps will we use to image the database server?

In reverence of the HCC server’s inconsistencies, an e-investigation server imaging is paramount. My team and I have arranged to employ the same steps as those applied to mirror the administrator’s drive, with guidance from Barret and Kipper (2010). These encompass logging the Chain of Custody, the drive’s serial number. Next, we take pictures of the internal hard drives and authenticate the date and time details, before finally certifying the accuracy of the information accumulated (Barret & Kipper, 2010). We also contemplate on the usage of special software imaging tools such as the EnCase, SHA, and MD5 hash functions, in combination with just standards to clone the HCC server.

1. Dislodge the internal hard drives from the server one-at-a-time.
2. Note the model, type, brand, position, and the drives’ serial numbers in a catalog, before taking a picture of them.
3. Attach each hard drive to a rapid computer forensic imaging equipment to generate bit-by-bit forensic duplicates.
4. Tabulate these data in digital forensic image folders enclosing drive checksum values, SHA1, and MD5 hash values.
5. Contrast the images against the initial hash values, in the event, correcting errors, partitions, encryption, as well as file systems.
6. Record the server’s clock and internal calendar, before reinstalling the drives.

Which areas of the server system will we analyze for potential evidence of infection?

Based on references from Pandya (2013), my team and I propose to comb through familiar places to fish out possible infection. These familiar areas highlight the hidden, deleted, or temporary files, in combination with spools, RAM, internal hard drives, the RAM, backups, and caches. We intend to scan memory buffers, network storage, ISP records, steganography, printouts, notes, and swap spaces (Pandya 2013). Over and above, we shall also pore over external media equipment such as iPods, digital cameras, CDs, and DVDs.

Other items

In addition to the chartered scheme for identifying the security infringement, we have also resolved to scan and monitor the entire HCC network. Drawing instructions from Barret and Kipper (2010), my team will use Nmap, IP traf, TCP dump, plus Wireshark scanners to probe and filter packets. We also intend to review the proposed antivirus software to give an optimum value. These procedures will aid in surveying the traffic trends within the network and eventually, disclose the perpetrators.

How Will I Prepare My Forensic Team to Support Any Expert Testimony Court Requirements?

One of the duty objectives of a certified forensic expert is serving as an expert witness in a court of law (Marshall, 2008). My thought processes are to acquaint my forensic crew of their expected roles in a federal court and due compliance with Civil Procedure and Rules of Evidence (Nichols, 2008). By virtue of their job specification, the forensic investigators are expert witnesses, permissible to project opinions on sensitive issues. I will dispense professional training courses to equip the team with witness knowledge including the responsibility to help the jury comprehend the facts and factual conclusions (Marshall, 2008). In addition, I will notify them on the added benefits to proffer opinion testimonies, calculated facts, as well as inadmissible evidence.

What are the steps I will take in the documentation phases of the investigation?

I plan to emulate the research documentation procedures outlined above to serve as an auxiliary tool in preparing my witness experts. Data preservation and presentation are essential constituents in mastering how to support expert testimony. Crime investigators are subject to learning the representation of affidavit writing and bearing witness to those facts and declarations present (Nelson, Philips & Stuart, 2010).

How will I prepare my team for a court testimony?

In fulfillment of the directives prescribed by the U.S. Supreme Court, forensic investigators must submit and testify on the tabled evidence (Marshall, 2008). I have integrated the NIJ online training course to equip my team with professionalism as itemized below. Moreover, the course assists to prepare for the pretrial discovery process to endure challenging opposing attorneys (Casey, 2011).

1. Oath-taking. The process of taking the oath when summoned to bear witness necessitates the witness to stand upright and give your word to the clerk. It requires the expert witness to declare, “I do” in a clear and concise manner.
2. Be knowledgeable. Acknowledge jurisdictional laws, the forensic subject matter, and the Rules of Evidence, courtesy of the Federal state.
3. Cultivate organization skills. Have well-organized reports enabling fast and easy reference.
4. Be alert. Practice intelligibility, promptness, and credibility in responding to queries from attorneys. Recognize prejudicial motions that ban testifying on evidence.
5. Be levelheaded. Conduct yourself in a controlled manner and avoid laughing or sneering. Act reasonably by way of desisting from making utterances only until you get to the witness stand.
6. Tell the truth. Most importantly, be genuine and speak the truth concerning the facts and evidence.
7. Maintain emotional stability. Balance your temper even when asked extremely discourteous questions.

What are the ethical responsibilities that I conform to and require of my team’s performance?

The digital forensic field comprises of compounded Code of Ethics, as illustrated below; that uphold integrity and virtue of the discipline (Nelson, Philips & Stuart, 2010). In my capacity as the Lead Forensic Investigator, I duly comply with these ethical requirements and assure of the same from my response team.

1. Exercise steadfastness, integrity, and diligence in discharging of duties.
2. Remain objective in examining and presenting forensic records and statistics.
3. Conduct reputable and validated assessments by way of decent morals and ethical standards.
4. Give truthful testimonies and evidence withal, facing any court, board or other proceedings.
5. Cleave to all legal orders and stipulations anticipated by the courts.
6. Avoid any events or courses of action that would bring about a conflict of interest, at any point in the survey process.
7. Exercise practice of sincere and conscientious research within the scope of the contract.

Conclusion

The HCC Partners in Life, a healthcare company, has freshly endorsed us, the XYZ Inc., to unearth interference of their medical records. We have forwarded a proposal with which to detect and test the hypothetical evidence that will suffice as permissible evidence in a court of law.

References

Barret, D., & Kipper, G. (2010). Virtualization and forensics: A digital forensic investigator’s guide to virtual environments. Amsterdam: Syngress/ Elsevier.

Casey, E. (2011). Foundations of digital forensics. In Digital evidence and computer crime: Forensic science, computers, and the Internet. (3rd ed.). (pp 3-34). London, England: Academic Press.

Marshall, A. M. (2008). Digital forensics: Digital evidence in criminal investigation. Chichester, UK: Wiley- Blackwell.

Nelson, B., Philips, A., & Stuart, C. (2010). Guide to computer forensics and investigations. Boston, MA: Course Technology Cengage Learning.

Nichols, C. L. (2008). Medical identity theft. Chicago, Ill: AHIMA.

Pandya, P. (2013). Chapter 14, Local Area Network Security. In Vacca, J. R. (Ed.), Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.