Ibrahim Zitouni PSA Cyber Security Ibrahim Zitouni 20000351 65171 2139433806

The document discusses forensic procedures for investigating a cybersecurity incident at an organization called Online-Doc. It covers collecting evidence from desktops and networks, as well as analyzing malware. For desktop forensics, it emphasizes securing devices, imaging systems, and reviewing files, settings, logs and user activity. Live forensics poses challenges like preventing data corruption and capturing volatile memory files. Network forensics involves agreeing a testing methodology, scanning local infrastructure like traffic, and reviewing network devices and logs for evidence. The overall goal is to properly investigate the incident and determine its scope.


Pearson Set Assignment

Activity -3
UNIT 11 CYBER SECURITY AND INCIDENT MANAGEMENT
ASSESSOR – HIMANSHU BABBAR

STUDENT NAME: Ibrahim Zitouni

PEARSON ID: 20000351

DATE: 13 JULY 2021

TIME: 10:00 AM – 12:00 PM


Contents
Forensic Collection of Evidence...................................................................................................................2
Meeting Requirements for Desktop Forensics........................................................................................2
The Challenges of Live Forensics.............................................................................................................3
Network Forensics.......................................................................................................................................4
Agreeing a Network-Testing Methodology..............................................................................................4
Scanning of Local Infrastructure..........................................................................................................4
Reviewing & Analysing Network Devices & Logs.................................................................................5
Analyzing Malware Activity & Alerts....................................................................................................5
Forensic Analysis Requirements..................................................................................................................5
Maintaining an Accurate Record.........................................................................................................6
Recording Findings & Reliability..........................................................................................................6
Recording Alterations..........................................................................................................................7
Creation of Visual Evidence of Findings...............................................................................................7
Evaluating Findings......................................................................................................................................8
Ensuring Evidence is Relevant.............................................................................................................8
Evaluation of the Findings...................................................................................................................8
Making Recommendations..................................................................................................................9
Evaluation of my cyber security plan.........................................................................................................10
Internal policy implications and the effects on external service providers................................................11
Conclusion.............................................................................................................................................11
References.................................................................................................................................................11

1|Page
Forensic Collection of Evidence
Digital forensics is the examination of IT systems involved in cybercrime. Investigators use it to obtain evidence for criminal or civil prosecution of the perpetrators of an incident. It can also help prevent similar attacks by establishing how they happened.

Meeting Requirements for Desktop Forensics

There are a number of procedures that should be completed when carrying out desktop forensics so that the investigation is conducted properly and securely. Consider the following:

Confiscation of Devices
The first step in desktop forensics is to obtain the equipment involved in the attack. This comprises the computer systems and connected equipment affected by the cyberattack (peripherals, external storage). It would also include the source of the attack, although if that source lies outside Online-Doc the authorities would investigate it following legal procedures. Seizing this equipment is critical to protecting the validity of the evidence, because much of the evidence stored on devices (including system logs) can easily be erased or corrupted, either accidentally or deliberately.

Taking an Image of the System

A system image is an exact replica of a computer drive, including the operating system, configuration, applications and documents. Once Online-Doc has seized the equipment involved in the attack, they would image it, because the examination must not be conducted on the original devices: doing so would put the evidence in jeopardy of being destroyed or contaminated.
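As an added illustration of why imaging and integrity checks go together (this is example code written for this page, not a tool used by Online-Doc or any forensic product), the script below acquires a byte-for-byte copy of a constructed "seized drive" file, records a SHA-256 acquisition hash, and shows that later verification fails after even a single byte of the working copy is changed. The file names and the fake drive contents are constructed for the demonstration; a real acquisition would read the block device through a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a large drive never has to fit in memory


def sha256_of_file(path):
    """Hash a file in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source byte-for-byte into image_path.

    The source hash is computed from the same bytes that are written, and the
    image is re-read from disk afterwards, so the two digests only agree if the
    copy is complete and exact. Returns (source_hash, image_hash).
    """
    source_digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            source_digest.update(chunk)
            dst.write(chunk)
    return source_digest.hexdigest(), sha256_of_file(image_path)


def verify_image(image_path, expected_hash):
    """Re-hash the image later (before analysis, before court) and compare with the acquisition hash."""
    return sha256_of_file(image_path) == expected_hash


def run_demo():
    """Constructed demonstration: a fake 3 MiB 'drive' is imaged, verified, then tampered with."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_drive.bin")   # stands in for the seized device (constructed)
    image = os.path.join(workdir, "seized_drive.img")    # the working copy analysts would examine
    with open(source, "wb") as handle:
        handle.write(os.urandom(3 * CHUNK_SIZE + 17))    # constructed content, odd length on purpose

    source_hash, image_hash = acquire_image(source, image)
    intact = verify_image(image, source_hash)

    # Simulate an analyst accidentally writing to the working copy: one byte flipped.
    with open(image, "r+b") as handle:
        handle.seek(4096)
        byte = handle.read(1)
        handle.seek(4096)
        handle.write(bytes([byte[0] ^ 0xFF]))
    still_intact = verify_image(image, source_hash)

    return {
        "hashes_match": source_hash == image_hash,
        "verified_before_tamper": intact,
        "verified_after_tamper": still_intact,
        "source_hash": source_hash,
    }


if __name__ == "__main__":
    result = run_demo()
    print("acquisition hash:", result["source_hash"])
    print("image matches source:", result["hashes_match"])
    print("verification after a single byte changed:", result["verified_after_tamper"])
```

The acquisition hash is the value that belongs in the evidence record: anyone who later re-hashes the image can confirm that the copy analyzed is the copy that was taken.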

Using a Forensics Analysis Tool

Forensic analysis tools are computer programs that automate or speed up common forensic operations by performing specific investigation tasks. Several of the tools used at Online-Doc are multi-purpose, performing a variety of tasks; others are specialized forensic tools.

Reviewing Files & Settings, Logs & User Activity
The first step is to go over all of the files (particularly registry files) and settings to see whether anything has been changed or removed. In some cases specialized tools can restore erased files. System logs are particularly important to examine because they contain every event the operating system records on the Online-Doc server, such as downloaded programs, when the computer was switched on or off, sudden power losses, login times and durations, and more. Using other forensic tools, Online-Doc staff can also see which web pages users have visited, which applications they have used, which memory sticks they have connected, which files they have downloaded, which networks they have joined, and much more.
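The kind of review described above can be shown on a small constructed log. The script below is an added example for this page (not code from Online-Doc or from any forensic product): it parses an invented host-log format, builds a timeline, totals each user's logged-on time, lists the USB devices that were attached, and checks for the trace an investigator would look for when testing the "infected via USB stick" hypothesis, namely a program that was copied from a removable drive and then executed. The log lines, user names, serial numbers and file names are all constructed.

```python
from datetime import datetime

# Constructed sample host log: ISO timestamp, event name, then key=value fields.
# This is an invented format for the example, not the output of any real operating system.
SAMPLE_LOG = r"""
2021-07-13T08:55:02 power_on
2021-07-13T08:57:40 logon user=jdoe
2021-07-13T09:12:05 usb_attached serial=ABC123 label=KINGSTON
2021-07-13T09:13:30 file_copied src=E:\tools\update.exe dst=C:\Users\jdoe\Downloads\update.exe
2021-07-13T09:14:02 process_started name=update.exe user=jdoe
2021-07-13T09:40:11 network_joined ssid=CoffeeShopFree
2021-07-13T11:02:44 logoff user=jdoe
2021-07-13T11:03:10 power_off
"""


def parse_log(text):
    """Turn each log line into {'ts': datetime, 'event': str, 'fields': {k: v}}, in file order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank lines
        fields = dict(part.split("=", 1) for part in parts[2:])
        events.append({"ts": datetime.fromisoformat(parts[0]), "event": parts[1], "fields": fields})
    return events


def session_durations(events):
    """Seconds each user was logged on, pairing each logon with the next logoff for that user."""
    open_sessions, totals = {}, {}
    for ev in events:
        user = ev["fields"].get("user")
        if ev["event"] == "logon":
            open_sessions[user] = ev["ts"]
        elif ev["event"] == "logoff" and user in open_sessions:
            totals[user] = totals.get(user, 0) + int((ev["ts"] - open_sessions.pop(user)).total_seconds())
    return totals


def power_windows(events):
    """(on, off) datetime pairs showing when the machine was running."""
    windows, last_on = [], None
    for ev in events:
        if ev["event"] == "power_on":
            last_on = ev["ts"]
        elif ev["event"] == "power_off" and last_on is not None:
            windows.append((last_on, ev["ts"]))
            last_on = None
    return windows


def removable_media(events):
    """Serial numbers of every USB storage device seen attaching."""
    return [ev["fields"]["serial"] for ev in events if ev["event"] == "usb_attached"]


def executables_from_removable_media(events):
    """Names of processes whose executable was copied from a drive other than C: before they ran."""
    copied_from_external = set()
    launched = []
    for ev in events:
        f = ev["fields"]
        if ev["event"] == "file_copied" and not f["src"].upper().startswith("C:"):
            copied_from_external.add(f["dst"].rsplit("\\", 1)[-1].lower())
        elif ev["event"] == "process_started" and f["name"].lower() in copied_from_external:
            launched.append(f["name"])
    return launched


def timeline(events):
    """One line per event, suitable for pasting into the findings record."""
    return [f"{ev['ts'].isoformat()}  {ev['event']:16} "
            + " ".join(f"{k}={v}" for k, v in ev["fields"].items()) for ev in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("\n".join(timeline(evs)))
    print("logon time (s):", session_durations(evs))
    print("USB devices:", removable_media(evs))
    print("launched from removable media:", executables_from_removable_media(evs))
```

On the constructed log the USB device, the copied file and the process start line up within two minutes; the same three functions run over a real export would show whether that sequence exists or not.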

Malware Analysis & Alerts

Malware analysis lets Online-Doc learn about a harmful program's internal workings, and a number of specialized forensic tools are available to help with this. It helps the forensic analyst determine the extent of the malware's damage, and the results can also be used as evidence in court proceedings.

The Challenges of Live Forensics

Changing Data in Situ

A major difficulty of live (real-time) forensics for Online-Doc is the risk of altering data on the system, which could compromise the evidence. The same risk arises when malicious code is still active and damaging the system's data.

Recovering Corrupted Data & Preventing Data Corruption

When Online-Doc conducts a live investigation, one of the most difficult challenges is preventing data corruption, or recovering corrupted data, without compromising the evidence. Investigators can achieve this with the help of specialized tools.

Capturing Data in Active Memory

Network devices, the operating system, file systems, viruses in memory, details of open windows and much more can all be found in active memory. Collecting this accurately is therefore critical for live forensics to be useful. Fortunately, a wide variety of tools can be used to accomplish this.

Losing Temporary Files

Temporary files are another type of volatile data that can be recovered through live forensics. Depending on their function, temporary files are deleted when the software quits or the computer is turned off. Because actions such as closing applications can delete temporary files, investigators should ensure that the activities Online-Doc carries out during the investigation do not result in their deletion.

Network Forensics
Agreeing a Network-Testing Methodology

The first stage of network forensics is to agree a network-testing methodology between the forensic supervisory and investigative authorities. At Online-Doc, the forensic supervisory and investigative authorities are the group of people accountable for authorizing the investigation's activity. Agreeing the methodology means collaborating on what the investigators should and should not do, and ensuring that the necessary permissions are in place.

Scanning of Local Infrastructure

To conduct network forensics successfully, Online-Doc must be able to monitor the existing local network infrastructure and collect the information being transferred across it. However, they must first confirm that they have the authority to do so. Online-Doc has the authority to examine traffic on their internal network without further authorization under the Telecommunications (Lawful Business Practice) (Interception of Communications) Guidelines (2000); nevertheless, according to ICO regulations, personnel must be informed that their communications may be recorded. Once these considerations have been properly evaluated, Online-Doc can examine their network using expert analysis tools. Such tools fall into two categories: passive and active. Active analysis tools send sample traffic across the network and observe what happens to it as it moves through the network.

Reviewing & Analysing Network Devices & Logs

Essential evidence of a cyberattack is frequently found on equipment attached to the network, so infrastructure equipment such as ports, routers and gateways must be examined. Certain systems, including firewalls, keep logs of what has happened, including the connections formed and the traffic that has flowed across them. Online-Doc's staff can also check the configuration settings of these systems. Finally, Online-Doc can examine client and server logs; these are normally accessible on the server (client logs will also be on the individual client devices).

Analyzing Malware Activity & Alerts

Network forensics lets Online-Doc examine the malware's activity, that is, what it is actually doing. This can provide a wealth of data, including traces that can be used to determine the impact of the virus on the system or the origin of the attack, which would be very advantageous to Online-Doc.
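The two passages above (reviewing firewall logs, and using network evidence to see what the malware is doing) can be illustrated with one added example. The script below is written for this page and is not Online-Doc's code or any firewall vendor's format: it parses a constructed firewall connection log, summarizes connections per internal host, lists blocked attempts, and flags flows that reconnect at a near-constant interval, which is how malware "checking in" with a controller typically shows up in a log while ordinary browsing does not. All addresses, ports, byte counts and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed firewall log (invented format): timestamp, verdict, key=value fields.
FIREWALL_LOG = """
2021-07-13T09:15:00 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=1204
2021-07-13T09:15:07 ALLOW src=10.0.0.5 dst=203.0.113.20 dport=443 bytes=88213
2021-07-13T09:15:09 ALLOW src=10.0.0.5 dst=203.0.113.20 dport=443 bytes=5120
2021-07-13T09:16:00 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=1198
2021-07-13T09:16:12 ALLOW src=10.0.0.7 dst=203.0.113.20 dport=443 bytes=40211
2021-07-13T09:17:00 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=1210
2021-07-13T09:18:00 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=1201
2021-07-13T09:19:00 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=1199
2021-07-13T09:20:30 DENY  src=10.0.0.5 dst=198.51.100.9 dport=4444 bytes=0
2021-07-13T09:21:44 ALLOW src=10.0.0.5 dst=203.0.113.20 dport=443 bytes=23009
2021-07-13T09:40:02 ALLOW src=10.0.0.5 dst=203.0.113.20 dport=443 bytes=7730
"""


def parse_firewall_log(text):
    """One dict per line: timestamp, verdict, source, destination, port and bytes sent."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line
        fields = dict(p.split("=", 1) for p in parts[2:])
        records.append({
            "ts": datetime.fromisoformat(parts[0]),
            "verdict": parts[1],
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
        })
    return records


def connections_by_source(records):
    """Per internal host: (number of allowed connections, total bytes sent)."""
    summary = defaultdict(lambda: [0, 0])
    for r in records:
        if r["verdict"] == "ALLOW":
            summary[r["src"]][0] += 1
            summary[r["src"]][1] += r["bytes"]
    return {src: tuple(v) for src, v in summary.items()}


def denied_attempts(records):
    """Blocked connections: the firewall stopped them, but the attempt itself is evidence."""
    return [(r["src"], r["dst"], r["dport"]) for r in records if r["verdict"] == "DENY"]


def find_beacons(records, min_connections=4, max_spread=0.2):
    """Flag (src, dst, dport) flows that reconnect at near-constant intervals.

    A flow is reported when it has at least min_connections and the difference between
    its shortest and longest gap is within max_spread of the mean gap. Human browsing
    produces bursts and long pauses; a timer-driven check-in produces evenly spaced gaps.
    """
    flows = defaultdict(list)
    for r in records:
        if r["verdict"] == "ALLOW":
            flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and (max(gaps) - min(gaps)) / avg <= max_spread:
            beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                            "interval_s": avg, "first_seen": stamps[0]})
    return beacons


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print("connections by host:", connections_by_source(recs))
    print("denied:", denied_attempts(recs))
    for b in find_beacons(recs):
        print(f"beacon candidate: {b['src']} -> {b['dst']}:{b['dport']} every {b['interval_s']:.0f}s, "
              f"first seen {b['first_seen']:%H:%M:%S}")
```

The "first seen" timestamp of a beaconing flow is one of the traces the text refers to: it bounds when the machine was compromised, and the denied attempt to another port on the same destination is corroborating evidence that belongs in the record even though the firewall blocked it.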

Forensic Analysis Requirements
When analyzing evidence in a forensic investigation, it is critical to consider not only how well the evidence was documented but also how significant and dependable it is to the inquiry. This requires thorough evaluation and examination of the evidence, and it is not only relevant to cyber security.

Maintaining an Accurate Record

It is critical that Online-Doc keeps detailed records of its cyber security incident. The most important aspect of this is ensuring that evidence is recorded in a timely manner: ideally at the scene of the incident, as soon as it is identified, and where that is not practicable, as early as possible. Failing to capture evidence within a reasonable period can cause a variety of problems; for example, the evidence might be destroyed or modified by the hacker, or deleted by an Online-Doc worker accidentally shutting the computer off.

Recording Findings & Reliability

It is critical to include a number of pieces of information when recording evidence findings:

1. Evidence Item
2. Method of Acquiring Evidence
3. Evidence Detail
4. Evidence Reliability
5. Conclusions

As previously stated, Online-Doc must be capable of assessing the evidence's dependability when recording findings. Evidence generated directly by the system and its software is normally regarded as trustworthy as long as it was documented immediately. Evidence gathered from individuals (such as Online-Doc staff), including discussions and interviews, must be scrutinized far more cautiously.

Recording Alterations

As part of the investigation, evidence could be altered, either inadvertently or purposefully, by the investigator. They may have made a change to stop a threat during the investigation, or deleted by mistake an open document that an Online-Doc employee was working on. Any such change can have a significant influence on the evidence's dependability, so it is critical that every change made within Online-Doc is documented. The date and time of the modification, a summary of the alteration and who made it must all be included. This can then be used to explain the details of the evidence, its dependability and the conclusions drawn from it.
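The five fields listed under "Recording Findings & Reliability" and the alteration log described under "Recording Alterations" fit naturally into one structure. The example below is added for this page (not a form Online-Doc uses): each evidence record carries the five fields, every alteration is appended with a UTC timestamp, the investigator's name and a summary, and the record is sealed with a SHA-256 hash of its own content so that an edit made without going through the alteration log is detectable. The sample values (workstation name, investigator placeholder, findings text) are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class Alteration:
    when: str      # ISO-8601 UTC timestamp of the change
    who: str       # investigator who made the change
    summary: str   # what was changed and why


@dataclass
class EvidenceRecord:
    item: str                   # 1. Evidence item
    acquisition_method: str     # 2. Method of acquiring evidence
    detail: str                 # 3. Evidence detail
    reliability: str            # 4. Evidence reliability
    conclusions: str            # 5. Conclusions
    alterations: list = field(default_factory=list)
    seal: str = ""              # SHA-256 of everything above; recomputed on every logged change

    def content(self):
        """Canonical JSON of the record without the seal, so the hash is reproducible."""
        data = asdict(self)
        data.pop("seal")
        return json.dumps(data, sort_keys=True)

    def reseal(self):
        self.seal = hashlib.sha256(self.content().encode()).hexdigest()
        return self.seal

    def is_sealed(self):
        """False if any field was changed without reseal(), i.e. without a logged alteration."""
        return self.seal == hashlib.sha256(self.content().encode()).hexdigest()


def record_alteration(record, who, summary, when=None):
    """Append an alteration entry (date/time, who, summary) and reseal the record."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    record.alterations.append(Alteration(when, who, summary))
    record.reseal()
    return record


def build_example():
    """Constructed record for an imaged workstation; every value is invented for illustration."""
    rec = EvidenceRecord(
        item="Workstation WS-017 system drive image (constructed example)",
        acquisition_method="Bit-for-bit image via hardware write blocker; SHA-256 recorded at acquisition",
        detail="Host log shows a USB device attached, a file copied from it and then executed two minutes later",
        reliability="High: system-generated log entries, recorded within one hour of seizure",
        conclusions="Malware most likely introduced via removable media; alternative causes not yet excluded",
    )
    rec.reseal()
    record_alteration(rec, "investigator-1 (placeholder name)",
                      "Disconnected host from the LAN to stop further network activity before imaging",
                      when="2021-07-13T10:05:00+00:00")
    return rec


if __name__ == "__main__":
    rec = build_example()
    print(json.dumps(asdict(rec), indent=2))
    print("record intact:", rec.is_sealed())
    rec.detail = "edited directly without logging the change"
    print("record intact after unlogged edit:", rec.is_sealed())
```

The seal does not stop anyone from editing the record; it makes an unlogged edit visible, which is exactly what a reviewer needs when judging the reliability of findings that have been through several hands.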

Creation of Visual Evidence of Findings

Visual evidence can be highly valuable when conducting forensic analysis. Printouts of settings, software output and other material are frequently far more dependable than verbal or written accounts of observations, particularly since Online-Doc can analyze the data independently, avoiding any errors introduced by the individuals who supplied the evidence. As a result, Online-Doc can be quite confident in the evidence's reliability. Visual evidence must be clearly readable and must not crop out or omit segments of the evidence; otherwise, crucial data could be overlooked. It is, of course, critical that visual evidence be recorded as soon as possible.

Evaluating Findings
Ensuring Evidence is Relevant

Not all evidence from an incident is linked to the perpetrator. If an Online-Doc employee attaches an unknown USB drive to their desktop, the computer may become infected with a virus; nevertheless, that may not be the case, and the infection could instead result from a staff member visiting a website or opening an anonymous email. Conversely, there are many situations where something is classified as dangerous yet isn't: if Online-Doc's anti-virus software has flagged an application as malware, the warning could be a false positive.

Evaluation of the Findings

Provide Evidence of a Crime and/or an Incident

Businesses require evidence proving that a crime or incident took place. It is conceivable that no incident occurred at all, or that the incident was misidentified. Online-Doc must be capable of sorting every source of evidence and determining what is and is not concrete evidence of wrongdoing. To corroborate the findings, everything must be explicitly explained.

Show the System has been Externally/Internally Compromised

Most essential, Online-Doc needs to understand whether the system was compromised from outside or from within. For instance, Online-Doc may know that the threat involved malicious software; to prevent it happening again, they have to understand whether the problem was caused by accessing files, attaching a USB stick, transferring data over the network, or any of a number of other possibilities.

Strongly Support One Possible Cause
There could be multiple causes consistent with the facts. It is possible that the malware got onto someone's computer through a USB drive or a dubious website. Given the evidence, Online-Doc has to determine which cause is more probable. To do so, Online-Doc employees must carefully evaluate all of the variables examined by the organization. The evidence's dependability and relevance are very important, but Online-Doc must also analyze the facts as a whole.

Making Recommendations

Following the evaluation of the facts and identification of the main cause of the incident, Online-Doc must provide recommendations to address potential security vulnerabilities. This should entail recommending enhancements in three categories:

1. The content of cyber security documentation
2. Adherence to cyber security documentation
3. Security protection measures

Whenever Online-Doc makes changes, it is critical to explain why those changes are necessary. Online-Doc should demonstrate a genuine commitment to mitigating potential security risks; if there is no demonstrable gain in exchange, the organization would not undertake a potentially disruptive adjustment.

Evaluation of my cyber security plan
Advantages

There is a higher level of trust in information security arrangements

Both private companies and government organizations are major players in the cybersecurity market, and each offers unique services and costs. There is a subdivision under the government cyber element for citizen and contractor cyber operations. Adopting good information security arrangements will also have a positive impact on the business, as trust in Online-Doc will be more likely to be established among stakeholders.

Recovery from breaches in a shorter period of time

In order to respond effectively in the event of an incident within the Online-Doc business, the cybersecurity plan should contain incident response procedures and techniques. With these in place, Online-Doc will be able to respond earlier and recover faster.

Credentials will be secured better through increased security controls

A cybersecurity plan together with an incident prevention and response plan can improve security and protect Online-Doc from data breaches and other incidents, because data such as company credentials cannot then be lost, which reduces the chance of incidents and data breaches occurring.

Business operations are safer and more stable thanks to improved security and continuity

As a result, a strategy for dealing with data interruptions, natural catastrophes, disasters, breakdowns or criminal attacks can be devised.

Preventing unauthorized access can help Online-Doc keep their data and network secure

Confidential documents contain information that is not to be shared with or accessed by unauthorized people. Confidential information is accessible only to those authorized to access it; unauthorized individuals who are not associated with Online-Doc cannot access it.

Disadvantages

Certain measures should be maintained regularly

Updating software regularly serves as a safeguard against cyberattacks, because if Online-Doc runs old-fashioned features and software, they will not handle the latest attacks.

Online-Doc and its systems may be disrupted by this type of activity

It may become more difficult for Online-Doc to implement new systems, as other processes such as safety measures and tools have to be executed.

Firewalls may restrict access to Online-Doc's network because they are safety measures

Firewalls can restrict Online-Doc employees' access to certain Internet activities until configured correctly, which may cause a variety of problems.

There may be some difficulty in implementing certain features

Correctly configuring firewalls and other safety measures could be challenging for Online-Doc, as non-experts may not be able to implement the safety measures successfully.

Internal policy implications and the effects on external service providers

It is important to keep information secure to prevent data breaches and cyberattacks. Security systems are prone to vulnerabilities caused by Online-Doc's employees: staff members share passwords, click links, attach documents, use unapproved cloud applications, and may not encrypt sensitive files.

It is imperative that both senior executives and the IT department of Online-Doc take cybersecurity seriously. Keeping security up to date is not only the responsibility of IT professionals and management; it should be the responsibility of all Online-Doc employees. Information systems and data need to be protected at all times, so outlining responsibilities can be an effective way to teach employees the importance of cybersecurity. Employees can follow policies (if implemented by Online-Doc) that prohibit misuse of social media sites or require email attachments to be encrypted.

According to a McAfee study, employees of companies cause data exfiltration at least half of the time. This could apply to Online-Doc too, so to maintain the security of applications and data, Online-Doc employees and consultants should receive training in cybersecurity policies.

Developing policies can also have disadvantages. Policies can be difficult to communicate, especially if Online-Doc is a large online organization, and employees may not see policies as an efficient management method. Statements of policy set out the positions and beliefs of management.

Defining and clarifying top management objectives is easier with written and implied policies. An executive management statement communicates the vision and actions of Online-Doc. Executive management should provide strategic policy statements to employees at all levels to serve as guidance for their work.

Conclusion
A good approach is to consider the plan as a package that includes many different cybersecurity measures and incident response plans. Additionally, the various policies can be used to prevent data breaches and violations, since both employees and consumers of Online-Doc are required to follow them. Online-Doc's processes and workflow may be disrupted by some measures, but it is imperative to remain secure and safe from hackers and cyber threats.

References

BTEC LEARNER ASSESSMENT SUBMISSION AND DECLARATION

Learner Name: Ibrahim Zitouni

Assessor Name: Himanshu Babbar

BTEC Programme Title: Pearson BTEC Level 3 Extended Diploma in Information Technology

Unit and Title: Unit 11 Cyber Security and Incident Management

Assignment Title: Understand cyber security threats, system vulnerabilities & Explore the implications and methods of protection

Submission Date: 13 July 2021

Please list the evidence submitted for each task. Indicate the page numbers where the
evidence can be found or describe the nature of the evidence (e.g. video, illustration).

Assignment task reference Evidence submitted

Learner acknowledgement & declaration

I hereby acknowledge that I received the tasks related to the Pearson Set Assignment on
the above given dates.

I certify that the work submitted for this assignment is my own. I have clearly
referenced any sources used in the work. I understand that false declaration is a form
of malpractice.

By uploading this document, I am electronically signing it.

Learner signature: Ibrahim Zitouni Date: 13 July 2021

2020/21 BTEC Learner Assessment Submission Declaration | Issue Date: June 2020 | Version 1.0
