Question

Facebook Investigation Scenario Part 1 Spring 2017 Note: the following scenario is fictional as are all parties named in the story Initial Complaint: March 20, 2017– 8:41 AM.

Mary Jones, a junior at the University of New Haven has contacted local police stating that sometime between midnight on October 11th, 2016 and 8 am on March 20, 2017, her ex-fiancé, Pete Sampson, posted semi-nude pictures of Ms. Jones on his Facebook page and also called Ms. Jones several derogatory names on Facebook. Ms. Jones is very upset as many other students at the university have already seen and commented on her picture on Facebook. She feels that Mr. Sampson posted the picture as a way of harassing and humiliating her. As a criminal justice major, Ms. Jones is worried that Mr. Sampson’s postings may hurt her future career so she has contacted the local authorities.

In-person interview with Mary Jones: March 20, 2017– 9:30 am

Mary Jones is a 20-year-old criminal justice major at the University of New Haven in her junior year at the school. At approximately 8:00 am this morning, one of her friends texted Ms. Jones and asked her if she had checked out her ex- fiancé, Peter Sampson’s, Facebook page. When Ms. Jones loaded Mr. Sampson’s Facebook page she found a semi-nude picture of herself as well as derogatory comments about herself. When questioned about the origin of the picture, Ms. Jones stated that she had “sexted” the photo to Mr. Sampson sometime in the fall of 2014 when she and Mr. Sampson had just started to date. Ms. Jones also stated that she was only 17 years old at the time of the picture. Upon further questioning, Ms. Jones explained that she had Mr. Sampson had met in early September of their freshman year and had started dating immediately. While they had become engaged over the previous summer, Ms. Jones had broken off the engagement several weeks ago and had begun dating Mr. Sampson’s roommate, Michael Davis. Ms. Jones felt that Mr. Sampson had posted the picture in retaliation to her ending their relationship and that the purpose of Mr. Sampson posting the picture was to harass her and to cause harm to her reputation and to her potential career in law enforcement.

In-person interview with Peter Sampson: March 20, 2017 – 2:45 pm.

Peter Sampson is a 21-year-old criminal justice major in his junior year at the University of New Haven. During the interview, which took place in Mr. Sampson’s dorm room, Mr. Sampson confirmed that he and Ms. Jones had dated and that the relationship ended abruptly several weeks ago when Mr. Sampson discovered Ms. Jones in bed with Mr. Sampson’s roommate, Michael Davis. While Mr. Sampson was still visibly angry with Ms. Jones, he denied having anything to do with posting her picture and making comments about Ms. Jones on his Facebook page. Mr. Sampson further stated that following his discovery of Ms. Jones with Mr. Davis, Mr. Sampson deleted all of the digital photos he had of Ms. Jones as well as all correspondence between himself and Ms. Jones. Mr. Sampson claims to have used one Toshiba laptop computer that was a high school graduation gift for the past 3 years and that no one else has had access to the laptop over the past 24-hour period. When asked if anyone else had access to his computer in the past, Mr. Sampson stated that in Spring semester of 2016 he had loaned the laptop to his roommate, Michael Davis, so Mr. Davis could complete a paper because Mr. Davis’s laptop computer had been damaged and Mr. Davis had not yet gotten a new computer. Mr. Sampson again adamantly denied posting Ms. Jones’s picture on his Facebook page though he admitted that he had left the picture on his page until contacted by law enforcement. When asked who he thought might have posted the picture, Mr. Sampson stated that he believed that his roommate, Michael Davis, had posted the picture to get back at Mr. Sampson because of continuing hostilities between the two roommates following Mr. Sampson’s discovery of Ms. Jones with Mr. Davis. Officers did notice that Mr. Sampson had several “sticky” notes on his desk that contained his passwords for several online accounts including that of Facebook. As officers were preparing to leave, Mr. Sampson’s roommate, Michael Davis, returned to the room. When questioned about Mr. Sampson’s allegations that Mr. Davis had posted Ms. Jones picture, Mr. Davis denied any knowledge of the picture or of Mr. Sampson’s Facebook password. Mr. Davis stated that Mr. Sampson was trying to “pin” the posting of the picture of Ms. Jones on him in an attempt to get Ms. Jones back. When officers asked Mr. Davis about using Mr. Sampson’s laptop the previous Spring, Mr. Davis claimed that he did not remember whether or not he had ever used Mr. Sampson’s computer. Mr. Davis then stated he had to go to class and abruptly left.

Assignment .

Your team of digital forensics and computer crime investigators has been assigned this case. Your goal is to attempt to determine who posted Mary Jones’s photo on Facebook.

Answer 1

A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorised access or not. Computer Forensics Investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies (e.g. Static and Dynamic) and tools (e.g. ProDiscover or Encase) to ensure the computer network system is secure in an organization. A successful Computer Forensic Investigator must be familiar with various laws and regulations related to computer crimes in their country (e.g. Computer Misuse Act 1990, the UK) and various computer operating systems (e.g. Windows, Linux) and network operating systems (e.g. Win NT). According to Nelson, B., et al., (2008), Public Investigations and Private or Corporate Investigations are the two distinctive categories that fall under Computer Forensics Investigations. Public investigations will be conducted by government agencies, and private investigations will be conducted by private computer forensic team. This report will be focused on private investigations, since an incident occurred at a new start-up SME based in Luton.

This report also includes a computer investigation model, data collections and its types, evidence acquisitions, forensics tools, malicious investigation, legal aspects of computer forensics, and finally this report also provides necessary recommendations, countermeasures and policies to ensure this SME will be placed in a secure network environment.

2. Case Study

A new start-up SME (small-medium enterprise) based in Luton with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate.

The company makes use of a general purpose eBusiness package (OSCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full scale malware/forensic investigation.

As there is increased competition in the hi-tech domain, the company is anxious to ensure that their systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems.

Your task is to investigate the team’s suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators.

The company uses Windows Server NT for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.

Deliverables

Your deliverable in this assignment is a 5,000 word report discussing how you would approach the following:

• Malware investigation

• Digital Forensic Investigation

You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant.

You should also discuss the process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence.