Background

ACME is a multinational corporation with offices in the US, Europe and Malaysia. The company provides a multitude of services and products, which include electronics, chemicals and medical equipment. Additionally, the company has several contracts with the US Department of Defense and Department of Energy; however, any services or products provided to DoD/DoE are not listed in the company's public records.

As a forensic examiner for ACME you are tasked from time to time to support corporate investigations. Last week you received the paperwork to complete the remote acquisition of a system belonging to Mr. Ocho Pelota and to retrieve any evidence regarding the possible exfiltration of company data. Based on corporate policy, all computer systems are set up with a standard image, which includes a remote acquisition agent, and a locked-down configuration of the operating system so that employees cannot install or store any type of information on their boot drive, including any browser data. All digital work products are stored on network file servers, which will be examined by a different team. However, there are no countermeasures in place to prevent employees from accessing their system's USB interfaces and connecting keys or external drives to the system. The next time Mr. Pelota's system accesses an external USB device, you will be notified to retrieve any evidence attached to his system.


Asked by User Fergaral

1 Answer


Final answer:

The question deals with the forensic acquisition of data from an employee's computer at ACME, focusing on potential unauthorized data transfers via USB devices. Essential software tools for this task include database user interface and query software, email, and office suite software for analysis and reporting.

Step-by-step explanation:

As a forensic examiner for ACME, the task at hand involves remotely acquiring data from the system of Mr. Ocho Pelota to investigate potential data exfiltration. Understanding the corporate IT infrastructure is critical, which includes the remote acquisition agent and the restrictions on the boot drive to limit local data storage. The investigation will particularly focus on external USB device connections, as the current security measures do not prevent the use of USB interfaces, representing a potential avenue for unauthorized data transfer.

During the investigation, software like Microsoft Access and other database user interface and query software may be utilized to manage and analyze any extracted data. For communication purposes, email software will be used, while analysis and report generation will likely involve the Microsoft Office Suite, particularly programs like Microsoft Excel.

With ACME being a provider of various services and products, including sensitive contracts with the Department of Defense and Energy that are withheld from public records, it is essential to maintain high standards of data control and security protocols. This situation underscores the importance of robust monitoring systems and the need for updates to the security measures in place to mitigate potential vulnerabilities involving removable media devices.

Answered by User Nooh