Digital Forensics Plan for Cygnus Law Solicitors
1. Executive Summary
- On August 6, 2023, at 04:15, an intrusion alarm was triggered at Cygnus Law Solicitors.
- Local police found no forced entry but noticed the rear exit door was ajar.
- A computer and printer in Office 2 were active, indicating possible intrusion-related activities.
- A digital forensics incident response team was dispatched due to the sensitive nature of the firm's criminal cases.
- The primary goal is to secure potential digital evidence in a forensically sound manner according to NPCC guidelines.
2. Initial Digital Evidence Assessment
- Key Observations: Intruder alarm activation indicates an unauthorized presence; an open rear exit door suggests access through an unsecured entry.
- Electronics State: Active computers and printers in Office 2 raise concerns about targeted data access or exfiltration.
- CCTV and Network Infrastructure: CCTV cameras were off and the wireless router was functional, implying network use during the intrusion.
3. Significant Digital Evidence
- USB Device: A WD Elements portable hard drive connected to the main computer indicates efforts to copy sensitive data quickly.
- Active Printer: Printing a list of current clients serves as evidence of targeted data access.
- Unidentified USB Devices: Found in other offices, potentially malicious, requiring urgent forensic examination.
- Nokia 105 Phone: Found near the exit, could contain crucial communications and belong to the intruder.
4. Evidence from the Suspect
- Items recovered included a Samsung A5 smartphone and an encrypted SanDisk Ultra 64 GB USB flash drive.
- The USB drive contained a folder named ‘spacehuhn’ encrypted with 256-bit AES, indicating a high-security level for the data.
- Suspect refused to provide password access, complicating potential retrieval of information.
5. Initial Response Steps by Digital Forensics Team
- Secure the premises to prevent evidence contamination.
- Legal authorizations must be verified for evidence seizure and analysis.
- Follow the NPCC principles for digital evidence handling:
  - No Data Modification: Use hardware write-blockers to preserve integrity.
  - Competent Personnel: Ensure only trained professionals handle evidence.
  - Preserve Audit Trails: Maintain records for independent review.
  - Overall Responsibility: Ensure compliance with legal guidelines throughout the investigation.
6. Strategic Plan for Evidence Acquisition
- Priority 1: Live acquisition of the computer in Office 2 for volatile data.
- Priority 2: Image the USB device in Office 2 for potential data transfer evidence.
- Priority 3: Secure the printed client list for physical evidence.
- Priority 4: Analyze unidentified USB devices from other offices for potential malicious activity.
- Priority 5: Acquire data from the Nokia 105 phone for communication logs.
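The write-blocked imaging and audit-trail steps from sections 5 and 6 (Priority 2, imaging the Office 2 USB drive so that an independent reviewer can later confirm the image is unchanged), as an added worked example; this is illustrative code written for this plan, not a tool the firm or the response team used. It assumes a Linux forensic workstation with POSIX sh, dd, sha256sum, awk and mktemp, that the source is attached behind a hardware write-blocker (the script records the step but cannot enforce that), and it substitutes a constructed 4 KiB file for the WD Elements drive so it runs offline.

```shell
#!/bin/sh
# Added example for the plan above, not original content: image a write-blocked
# source, hash source and image, verify, and append the step to an audit log.
# Assumes: POSIX sh, dd, sha256sum, awk, cut, mktemp (a Linux forensic workstation).
set -eu

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed stand-in for the evidence drive: 8 whole 512-byte sectors filled
# with 'A'. Real devices are always whole sectors, so the sync padding below
# adds nothing; the sample is sized the same way for the same reason.
make_sample_source() {
    dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\0' 'A' > "$1"
}

# acquire_image SRC DEST LOG EXAMINER
# Hash SRC, copy it sector by sector into DEST, hash DEST, then append one
# tab-separated audit line: start, finish, examiner, source, image, hash, status.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src=$1; dest=$2; log=$3; examiner=$4
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    src_hash=$(sha256_of "$src")
    # noerror: keep going past unreadable sectors; sync: pad them with zeros so
    # offsets in the image still match offsets on the device.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(sha256_of "$dest")
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$started" "$finished" "$examiner" "$src" "$dest" "$src_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# verify_image LOG DEST
# Re-hash DEST and compare it with the hash recorded for it at acquisition time,
# the check an independent reviewer repeats before trusting analysis results.
verify_image() {
    log=$1; dest=$2
    recorded=$(awk -F'\t' -v d="$dest" '$5 == d { h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$dest")" ]
}

# Demonstration on the constructed sample, including the failure mode: after a
# single byte of the image is changed, verification must fail.
run_demo() {
    work=$(mktemp -d)
    make_sample_source "$work/wd_elements.raw"
    acquire_image "$work/wd_elements.raw" "$work/wd_elements.dd" "$work/audit.tsv" "Examiner 1" \
        && echo "acquisition verified"
    verify_image "$work/audit.tsv" "$work/wd_elements.dd" && echo "image verifies against audit log"
    printf 'X' | dd of="$work/wd_elements.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/audit.tsv" "$work/wd_elements.dd" || echo "tamper detected: hash mismatch"
    cat "$work/audit.tsv"
    rm -rf "$work"
}

run_demo
```

The audit line carries the examiner, both timestamps and the source hash, so the record satisfies the "preserve audit trails" principle without depending on the examiner's notes; on a real acquisition the LOG file would live on the examiner's own media, never on the evidence drive, and the source hash would be taken through the write-blocker before any image is written.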
7. Forensic Acquisition from Suspect's Possessions
- Smartphone and Laptop Analysis: Examine devices for communications and planning evidence.
- USB Drive: Attempt password recovery through investigation.
- Microcontrollers: Analyze the Arduino and ESP8266 for unauthorized access capabilities.
8. Recommendations
- Commence Triage: Follow the acquisition process outlined above promptly.
- Maintain Documentation: Record all evidence handling meticulously for legal compliance.
- Security Review: Recommend a comprehensive review of IT security measures, including full disk encryption for sensitive client data and updated systems.
9. Digital Evidence Inventory Overview
| Item | Location | Observations | Priority |
|---|---|---|---|
| Computer | Office 2 | Powered on, logged in | 1 |
| USB Device | Office 2 | Active, potential for data exfiltration | 2 |
| Printer | Office 2 | Printing client list | 3 |
| Unidentified USB Device 1 | Reception Area | Unknown type | 4 |
| Nokia 105 Phone | Near Rear Exit | Active, connected to network | 5 |