The recommended length for the final exam is 10 – 15 doubled spaced pages excluding diagrams, illustrations or other addendum. The use of APA formatting is required for any in-text citations and reference list.
1. Tasking One — approximately 600 – 1000 words (2 – 4 pages) excluding diagrams, illustrations or other addendum.
Response for tasking one ….
2. Tasking Two — approximately 600 – 800 words (2 – 3 pages) excluding diagrams, illustrations or other addendum.
Response for tasking two …
3. Tasking Three — approximately 600 – 800 words (2 – 3 pages) excluding diagrams, illustrations or other addendum.
Response for tasking three ….
4. Tasking Four — approximately 600 – 800 words (2 – 3 pages) excluding diagrams, illustrations or other addendum.
Response for tasking four …
________________________________________________________________
The final exam must include this sheet with the student’s name and the date as well as the following statement:
Honor Pledge
This exam is my own work. I received no assistance from any other individual, commercial entity, or unauthorized source.
Suspected violations of the academic integrity policy of the University of Maryland University College will be processed in accordance to the Procedures for Handling Charges of Alleged Academic Dishonesty outlined in Policy 150.25 – Academic Dishonesty and Plagiarism(http://www.umuc.edu/policy/aa15025.shtml).
In typing my name following the word ‘Signature’, I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature.
Signature: [Insert your name here]
Date: [Insert date here]
________________________________________________________________
Final Exam Scenario
You are the lead forensics investigator for XYZ, Inc. — an industry leading cyber forensic company. You have just been notified that a top 5 health care company (HCC Partners in Life) has hired your company to investigate a potential breach of their medical records system.
The HCC Security Operations Center (SOC) identified some “inconsistencies” in the intrusion detection system (IDS) logs that caused the reliability to be questioned. HCC uses Snort IDS’ running on Linux systems. In addition, the lead HCC database administrator received a strange e-mail from Human Resources (HR), which contained a benefits attachment. When she opened the attachment, the document was blank. She noticed that her system has been acting “strangely” after opening the attachment. She operates a Microsoft Windows XP workstation.
Your team has been tasked with analyzing the HCC network, database server, and any workstations you suspect to determine if there was a breach and any potential patient data leakage. The database server is a Microsoft Windows 2003 Server running Microsoft SQL Server 2008.
If there is any evidence of a breach, HHC has a history of taking these types of incidents to court for prosecution to the full extent of the law.
Note: You are representing the forensic team in this case scenario. The final exam is individual work with no collaboration permitted.
________________________________________________________________
Your Tasking
1. Describe your plan for processing the potential crime/incident scene. (30 points). Some of the items you will want to cover include (not all inclusive):
a. How will your team identify potential digital evidence?
b. How will you prepare for the search?
c. What steps will your team take if you need to seize any digital evidence?
d. What documentation processes will you follow to help support any potential legal proceedings?
e. How will your team/company ensure proper storage/chain of evidence processes are followed?
2. Discuss how your team will approach and process the database administrator’s computer — considering the potential malware on her system. (15 points).
a. Include the steps you will use to image her drive.
b. The areas on her system you will analyze for potential evidence of infection and/or modification.
c. Other items.
3. Discuss how your team will approach and process the database server — as this is the location for patient medical records. (15 points).
a. Include the steps you will use to image the server’s hard drive.
b. The areas on the server’s system you will analyze for potential evidence of infection and/or modification.
c. Other items.
4. Discuss how you prepare your team to be expert witnesses or support any expert testimony court requirements. (15 points).
a. Include the steps you take in the documentation phases of your investigation.
b. How you prepare your team for court testimony.
c. Ethics responsibilities you follow and require in your team’s performance.