Part 3: Analyzing Evidence from Mac OS X

Scenario

Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The companys senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response teamwent on-site, began monitoring the network, and isolated several suspects.They captured forensic images from the machines the suspects used.Now, your team leader has asked you to examine a forensic image captured froma suspects computer, which runs the Mac OS X operating system. The suspects name is John Smith, and he is one of the companys research engineers.

Tasks

Review the information on the Mac OS X file structure provided inthe chapter titled Macintosh Forensics in the course textbook.

Using Paraben P2 Commander, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).

Sort and review the various directories within the Mac OS X image.Look for evidence or indicators that John Smith was or was not committing corporate espionage.This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.

Write a report in which you:

o Document your investigation methods.

o Document yourfindings.Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidencethat John Smith was or was not committing corporate espionage.

o Analyze the potential implications of these findings for the company and for alegal case.

Required Resources

Course textbook

Mac OS JSmith.img

Internet access

Submission Requirements

Format: Microsoft Word (or compatible)

Font: Arial, 12-point, double-space

Citation Style: Follow your schools preferred style guide

Length: 24 pages

Self-Assessment Checklist

I applied appropriate evidence collection and handling methods.

I correctly identified and analyzed evidence that is relevant to the investigation.

I analyzed business considerations associated with the scenario.

I analyzed legal considerations associated with the scenario.

I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.