
Digital Forensic Investigation Case in OpenText EnCase 23 | Evidence Processor

Cyber Forensics
Evidence Processing using OpenText EnCase

In this video, I'll be discussing a digital forensic investigation case that was solved using OpenText EnCase. I'll be going over the evidence that was recovered, how EnCase helped with the investigation, and some of the unique features the software has to offer.

Scenario Overview

‘Iaman Informant’ was working as a manager of the technology development division at a famous international company OOO that developed state-of-the-art technologies and gadgets.

One day, at a place ‘Mr. Informant’ visited on business, he received an offer from ‘Spy Conspirator’ to leak sensitive information related to the newest technology. ‘Mr. Conspirator’ was actually an employee of a rival company. ‘Mr. Informant’ decided to accept the offer in exchange for a large amount of money, and began establishing a detailed leakage plan.

‘Mr. Informant’ made a deliberate effort to hide the leakage plan. He discussed it with ‘Mr. Conspirator’ over an e-mail service, disguised as a business relationship. He also sent samples of the confidential information through personal cloud storage.

After receiving the sample data, ‘Mr. Conspirator’ asked for direct delivery of storage devices holding the remaining (large amount of) data. Eventually, ‘Mr. Informant’ tried to carry his storage devices out of the company, but he and his devices were detected at the company’s security checkpoint, and he was suspected of leaking company data.

At the security checkpoint, his devices (a USB memory stick and a CD) were briefly checked through portable write blockers, so that nothing was written to them, but no evidence of leakage was found. They were then immediately transferred to the digital forensics laboratory for further analysis.

The information security policies in the company include the following:

Confidential electronic files must be stored and kept only on authorized external storage devices and secured network drives.

Confidential paper documents and electronic files can be accessed only within the allowed time range of 10:00 AM to 4:00 PM (16:00) and with the appropriate permissions.

Non-authorized electronic devices such as laptops, portable storage, and smart devices cannot be carried into the company.

All employees are required to pass through the ‘Security Checkpoint’ system.

All storage devices such as HDDs, SSDs, USB memory sticks, and CDs/DVDs are forbidden under the ‘Security Checkpoint’ rules.

In addition, although the company operated separate internal and external networks and used DRM (Digital Rights Management) and DLP (Data Loss Prevention) solutions for its information security, ‘Mr. Informant’ had sufficient authority to bypass them. He was also very interested in IT (Information Technology) and had some knowledge of digital forensics.

In this scenario, find any evidence of the data leakage, and any data that might have been generated from the suspect’s electronic devices.
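Two checks an examiner would run on this scenario before and during processing, as an added example that is not part of the original video or of the NIST case files, and not EnCase's own code: first, verifying that the acquired images still match the hashes recorded at acquisition (the integrity the write blockers at the checkpoint were there to preserve), and second, filtering a file-access timeline for confidential files touched outside the 10:00–16:00 window the company policy allows. The image contents, file names, users and timestamps below are constructed stand-ins; real images would be read from disk and the timeline would come from the processed evidence.

```python
import hashlib
from datetime import datetime, time

# Constructed stand-ins for the acquired images (in practice: E01/DD files on disk).
EVIDENCE = {
    "usb_stick.dd": b"FAT32 image bytes (constructed sample)",
    "cd_image.iso": b"ISO9660 image bytes (constructed sample)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the image bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def acquisition_hashes(evidence: dict) -> dict:
    """Hashes recorded at acquisition time, behind the write blocker."""
    return {name: sha256_hex(data) for name, data in evidence.items()}


def verify_integrity(evidence: dict, recorded: dict) -> list:
    """Return the names of images whose current hash differs from the recorded one.

    An empty list means every image still matches the acquisition record, so the
    chain of custody from checkpoint to lab is intact for the data itself.
    """
    return sorted(
        name for name, data in evidence.items()
        if sha256_hex(data) != recorded.get(name)
    )


# Company policy: confidential material may be accessed 10:00–16:00 inclusive.
ALLOWED_START = time(10, 0)
ALLOWED_END = time(16, 0)

# Constructed timeline records: (timestamp, user, path, action). Real records
# would come from file-system metadata, link files, or server access logs.
TIMELINE = [
    ("2015-03-24 09:12:05", "informant", "\\\\fileserver\\confidential\\design.pdf", "read"),
    ("2015-03-24 11:40:31", "informant", "\\\\fileserver\\confidential\\spec.docx", "read"),
    ("2015-03-24 18:03:47", "informant", "\\\\fileserver\\confidential\\roadmap.pptx", "copy"),
    ("2015-03-25 13:15:00", "someone", "\\\\fileserver\\public\\notice.txt", "read"),
]


def out_of_hours_access(timeline: list, path_marker: str = "\\confidential\\") -> list:
    """Return timeline records for confidential paths touched outside the allowed window.

    Only records whose path contains path_marker are considered; the policy does
    not restrict access to non-confidential files.
    """
    flagged = []
    for ts, user, path, action in timeline:
        if path_marker not in path:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").time()
        if not (ALLOWED_START <= t <= ALLOWED_END):
            flagged.append((ts, user, path, action))
    return flagged


if __name__ == "__main__":
    recorded = acquisition_hashes(EVIDENCE)
    print("integrity mismatches:", verify_integrity(EVIDENCE, recorded))
    for record in out_of_hours_access(TIMELINE):
        print("out-of-hours confidential access:", record)
```

The hash check is deliberately independent of the forensic suite: recomputing the digest with a second tool before processing, and again when the examination is finished, gives a record that does not depend on trusting one product's verification. The time-window filter only narrows the search; an access inside the window can still be part of the leak, so the flagged records are leads to pivot on, not a verdict.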

Link to download the evidence files: cfreds-archive.nist.gov/data_leakage_case/data-lea…

For more information about OpenText EnCase, go to www.opentext.com/products/encase-forensic
