This analysis refers to the listing of events in chronological order together with the suspects involved. Data obtained as evidence is analyzed on the basis of units of time. It shows a timeline of the activities that took place and how these occurrences relate to the date and time recorded by the digital devices. Temporal analysis can be carried out as time series analysis, which evaluates the whole case on the basis of either short or long time intervals. In this case, the evidence obtained from the two hard drives was analyzed on short time intervals. The analysis shows a number of activities that took place within intervals of minutes and hours. It gives an insight into what happened and gives indications that could point to other sources of evidence. In my analysis, I will provide a list of all the actions documented during this attack, as retrieved from the hard drives and from the logs of the key logger.
In this case, the OATC server failed in early February. Our research showed that the server attack occurred between the evening of 7th February and the morning of 8th February. This was six months after Gabe canceled the contract between his firm, OATC, and Wylan, the firm which had previously provided network and computer support services. The date and time of these incidents were retrieved from the two server hard drives. The operating systems have a routine that automatically updates the date and time during computer operation.
On 7th February at 5.00pm, an intruder logged into the server remotely using a program called Remote Desk-Top. The login was successful on the first attempt. The intruder logged in as admin with an alphanumeric password of 14 characters (Ahsan, 2003).
At 7.56pm on 7th February the server was restarted using an account that was connected. Deletion of files started immediately, at 7.56pm. The comptroller's computer was also remotely accessed the same evening at 8.45pm, and all login attempts were successful on the first attempt. At 8.46pm, the internet history was deleted. Deletion of the files from the server was completed at 8.50pm. The folders C:\Finnancials and C:\Alice were deleted at 9.00pm. Other folders were also deleted between 9.01pm and 9.11pm. Additional files were deleted from the server between 9.32pm and 9.35pm. Finally, the Active Directory was disabled.
According to the evidence obtained from the logs of the key logger, Joe changed the admin password to "UPYOURS" on the night of the attack at approximately 11.53pm. The key logger had documented in detail all the steps that were followed during this attack.
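The timeline above was assembled by hand from three artifacts (the server image, the comptroller's image and the key logger log). The following script is an added example, not part of the original analysis, showing how an examiner would normalize such records into one sorted timeline, split it into bursts of activity on a short interval (15 minutes here, an assumption) and locate the longest quiet period, which often points to an artifact not yet collected. The timestamps and actions follow the case narrative; the year, the source labels and the wording of each record are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

YEAR = 2000  # placeholder: the case narrative gives no year, only "early February"


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str       # which artifact the timestamp was recovered from
    description: str


# Constructed records, deliberately out of order, as they would arrive from
# several artifacts. Times follow the case narrative; labels are assumptions.
RAW_EVENTS = [
    ("02-07 20:45", "comptroller-image", "remote logon to comptroller's computer, first attempt"),
    ("02-07 17:00", "server-image",      "Remote Desk-Top logon as admin, first attempt"),
    ("02-07 23:53", "keylogger-log",     "admin password changed to UPYOURS"),
    ("02-07 19:56", "server-image",      "server restarted from connected account"),
    ("02-07 19:56", "server-image",      "file deletion begins"),
    ("02-07 20:46", "comptroller-image", "internet history deleted"),
    ("02-07 20:50", "server-image",      "file deletion completes"),
    ("02-07 21:00", "server-image",      r"C:\Finnancials and C:\Alice deleted"),
    ("02-07 21:01", "server-image",      "deletion of other folders begins"),
    ("02-07 21:11", "server-image",      "deletion of other folders ends"),
    ("02-07 21:32", "server-image",      "additional file deletions begin"),
    ("02-07 21:35", "server-image",      "additional file deletions end"),
]


def parse_events(raw=RAW_EVENTS) -> List[Event]:
    """Parse (timestamp, source, description) tuples and return them in time order."""
    events = [
        Event(datetime.strptime(f"{YEAR}-{ts}", "%Y-%m-%d %H:%M"), src, desc)
        for ts, src, desc in raw
    ]
    return sorted(events, key=lambda e: e.when)  # stable: equal times keep input order


def group_into_bursts(events: List[Event],
                      max_gap: timedelta = timedelta(minutes=15)) -> List[List[Event]]:
    """Split a sorted timeline into bursts: consecutive events no further apart
    than max_gap belong to the same burst of activity."""
    bursts: List[List[Event]] = []
    for ev in events:
        if bursts and ev.when - bursts[-1][-1].when <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def largest_gap(events: List[Event]) -> Optional[Tuple[Event, Event, timedelta]]:
    """Return (earlier, later, gap) for the longest quiet period between consecutive events."""
    best = None
    for a, b in zip(events, events[1:]):
        gap = b.when - a.when
        if best is None or gap > best[2]:
            best = (a, b, gap)
    return best


def render(events: List[Event]) -> str:
    """One line per event: time, source and description, plus the gap since the previous event."""
    lines = []
    prev = None
    for ev in events:
        gap = "" if prev is None else f"  (+{ev.when - prev.when})"
        lines.append(f"{ev.when:%d %b %H:%M}  {ev.source:18}  {ev.description}{gap}")
        prev = ev
    return "\n".join(lines)


if __name__ == "__main__":
    timeline = parse_events()
    print(render(timeline))
    for i, burst in enumerate(group_into_bursts(timeline), 1):
        print(f"burst {i}: {len(burst)} events, {burst[0].when:%H:%M}-{burst[-1].when:%H:%M}")
    a, b, gap = largest_gap(timeline)
    print(f"longest quiet period: {gap} between {a.when:%H:%M} and {b.when:%H:%M}")
```

Running it groups the twelve events into five bursts (the initial logon, the restart and start of deletions, the comptroller session with the folder deletions, the late deletions, and the password change) and reports the nearly three-hour gap between the 5.00pm logon and the 7.56pm restart, which is exactly the kind of interval an examiner would probe for further artifacts.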
In the relational analysis, the objective is to determine how the digital devices used during this attack relate to the various elements of the investigation. One of the elements considered in relational analysis is the relationship between the geographical locations of the affected computers and the geographical location of the attacker's computer. This helps to reveal whether the attack came from within the affected firm or from outside. It also shows the means of interaction used between the attacker and his target computers. If the crime was committed on a network of computers, a diagram can be drawn to represent the relationship between the devices or computers used in the network intrusion and the flow of data and activities from one computer to another in that network. If possible, a list of the IP addresses of the affected computers should be included in the analysis. This analysis was very helpful in this case because the attack was on a network of computers. It helped in identifying the specific electronic devices used in the attack and thus in revealing whether the devices used were from within the firm or belonged to an intruder. It was also helpful in identifying the connection between the actions that were performed and the suspect responsible for each action. During the analysis of AOTC's comptroller system, a print attempt was identified. This attempt left a trace in the system logs revealing the attacking computer as JOELAPTOP. After searching for the string JOELAPTOP, two emails were retrieved linking this string to Joseph Damien.
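As an added example (not part of the original case write-up), the script below performs the three mechanical parts of the relational analysis just described: it builds the device-to-device interaction graph from access records, classifies each source address as inside or outside the firm's network, and searches a collection of recovered artifacts for a hostname string the way JOELAPTOP was traced to the emails. Only the hostname JOELAPTOP comes from the case; the internal address range, the other hostnames, the IP addresses and the artifact texts are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed internal range for the firm's network (placeholder, not from the case).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed access records: (source host, source IP, target host, action).
# Hostnames other than JOELAPTOP, and all addresses, are placeholders.
RECORDS = [
    ("JOELAPTOP",      "203.0.113.45", "OATC-SERVER",    "remote desktop logon"),
    ("JOELAPTOP",      "203.0.113.45", "COMPTROLLER-PC", "remote desktop logon"),
    ("JOELAPTOP",      "203.0.113.45", "COMPTROLLER-PC", "print attempt"),
    ("COMPTROLLER-PC", "10.10.5.23",   "OATC-SERVER",    "file share access"),
    ("KAREN-PC",       "10.10.5.40",   "OATC-SERVER",    "logon failure"),
]

# Constructed artifacts recovered during the examination, keyed by file name.
ARTIFACTS = {
    "print-spooler.log": "job 17 from client JOELAPTOP to HP-FINANCE rejected",
    "email-0412.eml":    "From: Joseph Damien\nI'll bring JOELAPTOP on Monday.",
    "email-0419.eml":    "From: Joseph Damien\nStill having the WiFi issue on joelaptop.",
    "email-0301.eml":    "From: Karen\nQuarterly figures attached.",
}


def is_internal(ip: str) -> bool:
    """True when the address lies inside one of the firm's assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_graph(records=RECORDS) -> Dict[str, Set[str]]:
    """Adjacency map: source host -> set of target hosts it interacted with."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for src, _ip, dst, _action in records:
        graph[src].add(dst)
    return dict(graph)


def external_sources(records=RECORDS) -> Set[Tuple[str, str]]:
    """(host, ip) pairs that reached into the network from outside the internal ranges."""
    return {(src, ip) for src, ip, _dst, _action in records if not is_internal(ip)}


def artifacts_mentioning(artifacts: Dict[str, str], needle: str) -> List[str]:
    """Names of artifacts whose text contains needle (case-insensitive), sorted."""
    key = needle.lower()
    return sorted(name for name, text in artifacts.items() if key in text.lower())


def to_dot(graph: Dict[str, Set[str]]) -> str:
    """Render the interaction graph as Graphviz DOT text for the relationship diagram."""
    edges = sorted((s, t) for s, ts in graph.items() for t in ts)
    body = "\n".join(f'  "{s}" -> "{t}";' for s, t in edges)
    return "digraph intrusion {\n" + body + "\n}"


if __name__ == "__main__":
    print(to_dot(build_graph()))
    print("external sources:", external_sources())
    print("artifacts naming JOELAPTOP:", artifacts_mentioning(ARTIFACTS, "JOELAPTOP"))
```

The DOT output can be fed to Graphviz to draw the device relationship diagram the paragraph mentions; the external-source set is what separates an insider's workstation from an outside machine, and the artifact search is the step that tied the hostname to the two emails in this case.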
In finding out who Joe Damien is, we realized that since childhood he had had a natural aptitude for computers and could program and troubleshoot fluently. He was employed by Wylan after his graduation from a local community college. Wylan is a local firm that previously provided network and computer support services to AOTC until Gabe canceled the contracts six months before this incident. Joe Damien had been assigned by his employer to maintain and support the OATC network until the contract was canceled. When the two servers were imaged, it was found that software called Remote Desk-Top had been used to log in remotely as the admin. The login was successful on the first attempt, indicating that the intruder had the right admin password. Best Service did not change the passwords after succeeding Wylan in OATC network maintenance and support. Therefore, Joe Damien would have had the right passwords.
To gather enough evidence against our suspect, Gabe and I applied for an Anton Piller order. In April, the court granted us a search warrant against Joe Damien in response to our application for the Anton Piller order. A private investigator tracked his movements for two weeks. It was noted that he always reported to his office on Monday morning. The following Monday at 8.30am the AOTC served him with the Anton Piller search order, allowing us to seize all electronic evidence in his possession. The laptop in his possession at that moment was not JOELAPTOP. We found out that it was in his girlfriend's apartment. This information was obtained from Joe's BlackBerry, from a text reply sent to him by Alana, his girlfriend (Easttom & Taylor, 2011).
In functional analysis, our objective is to find out how the actions were performed. It involves examining the functions of the various application software and the configurations before and after the crime. To achieve this, one should first understand the functions that the original system could perform before the attack. In this case, Karen could not re-initialize the server, and she could not log in to the computer system. This was a pointer towards detecting an intrusion. After reviewing all the hard disks submitted for investigation, it was noted that during the attack the intruder installed a program called VNC viewer, which allowed him continued access to the OATC network (Gerring, 2007).
During this analysis, we also noted that on the evening of 7th February at 5.00pm the attacker used a program known as Remote Desk-Top to log on remotely. The login attempt was successful on the first try. The attacker logged in as the admin user and used a 14-character password (Bevel & Gardner, 2002).
In the end, we found that, although JOELAPTOP had actually been used to access the AOTC computer systems, the log of a key logger which had been installed on this laptop gave the best evidence. It was active on the night of the attack and all the steps had been recorded. It showed that Joe had changed the password to UPYOURS.