PROJECT #3 – Investigative Conclusion and Testimony
No directly quoted material may be used in this project paper. Resources should be summarized or
paraphrased with appropriate in-text and Resource page citations.
Read the parts of each section of this project carefully as you are being asked to answer
questions assuming different roles.
SECTION I
In the course of this investigation you, as the InfoSec Specialist for Greenwood Company, have or will
need to interview (or perhaps "interrogate") several people to provide context for the evidence you have
collected as well as the rationale for your searches. Greenwood Company management is asking for
everything to be documented and would like you to provide them responses to the following pieces of
information:
- Provide a list of people you believe should be interviewed for this investigation.
- Provide a narrative description of the interview setting and the intended process, before, during, and following the interview.
- Explain to the management why these stages are important to a successful interview and investigation.
SECTION II
For the purpose of the first part of this Section, you are still the InfoSec Specialist for
the Greenwood Company. Consider this project a continuation of the work you performed in Projects 1
and 2.
After seeing you search Mr. McBride’s work area and take several pieces of evidence, Ms. Maria
Flores, who works in the office across the hall, comes forward with an odd story. Ms. Flores states
that she is Mr. McBride’s fiancée, but lately things in their relationship had begun to sour. She
produces a thumb drive she says Mr. McBride gave her earlier that day. She tells you Mr. McBride
told her to “keep it safe” and asked her to bring it home with her at the end of the day. Ms. Flores
tells you she really likes her job and has no interest in being wrapped up in whatever Mr. McBride
has done to invite negative attention.
1. The laboratory has asked you to write a short summary of what information you want them to look
for on the submitted thumb drive. Identify, for the lab, what digital evidence you would like them to
look for and explain why that evidence would be important to the case.
2. Because you are the most familiar with the investigation, Mr. Jenkins is asking you to brainstorm
all the locations outside of Mr. McBride’s immediate work space where pertinent digital evidence
might be found to help with your intellectual property theft case. Identify all of these locations,
including places where police would have to be involved to search. Identify what places are
eligible for company search, and which ones would require police involvement. Support your
inclusion of each location with a short description of what type of evidence might be found there.
Now, please assume a different character for the purpose of this next segment of the
assessment… You are a forensic examiner at the above-mentioned Greenwood Company lab.
After receiving the package from the InfoSec Specialist in the field, you sign the chain of custody
form and get set to begin your examination.
3. After taking the thumb drive out of storage, you, as the digital forensics analyst, sit down to
examine the data. (Presume all personal protective equipment is already in place.) Prior to
looking through the data contained on the device, you have to make a forensic image. Document
what step you take prior to making the image and why this step is important to your overall case.
Explain your actions and reasoning thoroughly.
4. Write a response to the following email that you have received:
To: You, Greenwood Company Digital Forensics Examiner
From: H. Jenkins, HR Management
This case has made Greenwood Company upper management recognize the importance of forensic
readiness. They have asked that you nominate three (3) forensic examination/analysis (software) tools for
them to keep in their budget for the following year. They also state that they want to make sure that the
tools nominated are ones that would meet criminal justice-level standards and evidentiary requirements
under the Daubert Standard. In your response, please list the tool name, manufacturer, the capabilities of
the tool, and how the three tools meet the standards of Daubert. (Management specifically wants tools
that can examine/analyze the digital data inside the devices and is not interested in your input on
additional tools that write protect or image devices at this time.)
Fortunately, the InfoSec Specialist was on his/her game, and ALSO sent you copies of several
files, reported to be the source code of “Product X”.
5. You, as the digital forensics examiner, used hash values to help locate the source code on the
thumb drive. Using verbiage that would be appropriate to communicate to a judge and jury that
may not understand computer technology at all, detail the following:
- What is a hash value?
- How did you use it in this case to determine that Mr. McBride’s thumb drive contains copies of the source code?
- Explain an additional use of hash values in the context of digital forensics.
You complete your laboratory examination and return the evidence, with your report, back to the
InfoSec Specialist at the field office.
Now, back at the field office, the InfoSec Specialist (a.k.a., you) receives the report from the
Greenwood Lab, which shows that the complete “Product X” source code was found on Mr.
McBride’s thumb drive. In addition, while the evidence was at the lab for examination, you
determined it is also likely that Mr. McBride emailed copies of the source code to his personal
email address.
6. Do you recommend reporting the crime to law enforcement? Why or why not? Are private
companies required to report crimes to law enforcement?
The decision is ultimately made to report the theft to law enforcement and, using primarily the
evidence you developed during your investigation, Mr. McBride is brought to trial for the crime.
You (as the forensic examiner from the Greenwood Lab) are qualified as an expert witness
at the trial and called to testify.
7. What is the significance of you being qualified as an expert witness? How is it different from being
a simple fact witness? Explain thoroughly.
8. The prosecutor in this case calls you and brings up the fact that you write a personal blog about
digital forensics in your off-time, from which it appears you are a staunch supporter of law
enforcement. She is concerned that it will look like you are biased in support of law enforcement
and that you only had your company’s bottom line in mind. She asks you to prepare for trial by
practicing answering the following questions – respond to the prosecutor by typing up a transcript
for your response.
“How do we know you are not biased in this case, choosing to report only what would help law
enforcement and your company’s bottom-line? How can I know from your work that your analysis should
be accepted?”
Project Requirements:
- Each question should be answered with a minimum of 1-2 paragraphs, so do your research, be specific, be detailed, and demonstrate your knowledge; submit your project to the assignments folder.
- Answers to the above questions should be submitted in a single document (.DOC/.DOCX, .RTF, or .PDF), with answers separated and/or numbered in respect to the question, so as to make it clear which question is being answered;
- The submission should have a cover page, including course number, course title, title of paper, student’s name, date of submission;
- Format: 12-point font, double-space, one-inch margins;
- It is mandatory that you do some research, and utilize outside resources! You must have a reference page that is consistent with APA citation style (see https://owl.english.purdue.edu/owl/resource/560/01/ for help).
