Interviews are referred as a professional conversation that is conducted with specific goal or purpose in mind. Hence the main aim of an interview is to gather more evidence through the facts and other relevant information supplied by the witnesses. Therefore for an interview (which is usually conducted throughout a particular investigation) to be successful, the interview need to obtain some background information and data about the witnesses, potential suspects and also the subject matter of investigation. In addition, interrogation is described as the process of questioning an individual with some force. In also includes the act of moving towards the denial of a confession or incident. Hence for any interview to be successful there should be an objective interviewer, relevant questions and also strategic planning. The text will, therefore, answer some important question regarding the Greenwood Company.
Question One: Provide a list of people you believe should be interviewed for this investigation
In order for the InfoSec Specialist for the Greenwood Company to obtain relevant information during the investigation that he can use as evidence in the court of law, he needs to interview several people he believes will assist in the investigation. Some of the people that should be interviewed include Mr. McBride himself, his wife or fiancé because she might have seen or heard anything that will be useful during the investigation (Wang, 2007). Thirdly is Mr. McBride’s co-worker, who might have seen the unusual behavior of Mr. McBride or seen anything suspicious. Fourthly are the cleaning staffs that have been cleaning and washing Mr. McBride’s office and desks during his course of employment. In addition, several stakeholders of the company need to be interviewed and interrogated so that he can obtain credible information that is not biased (Wang, 2007). Other people that should be interviewed include heads of different departments, human resource manager who employed him, chain managers of the organizations who are responsible for the daily operations of the enterprise. Finally, Mr. Bob, Maria Flores and also the security officer who can indicate anyone who has been visiting Mr. McBride for the last few days or any relevant information to be used during the investigation. Furthermore, will also interview the forensic examiner and Mr. Jenkins Hence one needs to interview the neutral witness’s first then interview the corroborating witnesses next (Wang, 2007).
Question Two: Provide a narrative description of the interview setting and the intended process, before, during, and following the interview.
The setting of an interview needs to be conducive where the respondents that are going to be interviewed need to feel safe and are in an effective position to articulate all the survey questions at hand and also providing responses that represent the importance of the event. Therefore, the interviewing setting needs to an environment and an atmosphere that will help the interviewer to be able to communicate freely. The setting should also be in a good physical condition in term of the temperature, size, and ventilation and also light. Finally, the seating techniques should allow also allow the interviewee and the interviewer to be comfortable equally and an appropriate distance is established to establish or maintain an eye contact.
When the interview process has been executed effectively and properly, it will have features before, during and also after the entire interview. Before the interview, its process involves preparation, planning and then practice. It is because it is vital for one to understand and know the important and relevant questions to ask that pertains to the investigation at hand. Therefore the specialist should plan by organizing and gathering pertinent document that is relevant to the interview. Also, he or she should obtain information or data concerning the individual being interviewed. Then, they should prepare adequately so that he or she can be able to capture relevant questions about that particular interview. He or she should also be prepared to handle the survey questions presented. Finally, they should practice adequately to be familiar with the questions and also how they will handle the situation at hand.
During the interview, the specialist needs to establish a good rapport during the initial contact. Secondly, pay great attention to the depth of the discussion and answers, thoughtfulness, attitude and body language of the person being interviewed. Then the specialist can also take good notes or record the interview for reference during the investigation. The specialist should also exhibit professional and courteous behavior and appearance at all times. Furthermore, after the interview, the interviewer needs to listen to his or her instinct. Check his or her notes and records and analyze the vital information that relates to the investigation. Finally, he or she should do a follow up on the interviewee to see if their statements are different to what they said during the interview.
Question Three: Explain to the management why these stages are important to a successful interview and investigation.
Interviewing stages are very vital in an investigation process since they assist in investigating some issues or facts in depth way. The stages also assist in discovering how a person feels and thinks about a given scenario. The stages are also used for resource allocation, strategic planning and also in making an informed decision. It also assists in adding some human dimension to the impersonal data. Assist in explaining statistical data and deepening our understanding of a given case or situation. They allow the specialist to records the owners own words. Assist in achieving high response rates from the interviewer. The ambiguities answers can be clarified as well as incomplete answers being followed up. Finally, the stages in interviewing process assist in obtaining precise wording that is tailored to the respondent and also the precise meaning of the questions are also being clarified.
When Mr. McBride’s fiancé hands over the thumb drive to me, I will handle the thumb drive with care and with the same procedure as I did before. That is gloves, which’s of custody log and also documents any necessary information about the handed thumb drive such as its serial code and name. It is because I will want to preserve the physical evidence like the fingerprints. Then will send the thumb drive to the lab and ask the person in charge to identify all the information and documentation that relates to “Project X” that Mr. McBride might have stored in it. Then the lab can also obtain any of the financial statement which shows any transactions that are out of the ordinary. Finally, the lab can obtain any vital information such as contact details of individuals who I believe could be involved in the case. It is vital to obtain this kind of information since they will assist in the investigation of the intellectual property theft and also document the obtain evidence that will be used against Mr. McBride in court. Also, I would instruct the lab to use the software to detect any of the hidden or partially deleted spaces on the thumb drive.
First, I would recommend a search to be conducted in all the areas that Mr. McBride accessed to hiding or storing information. The places include his locker where we could obtain the thumb drive, small notes that may contain the name and contact of the people who could be involved. If his locker is locked, the company management can get involved and break to search (Robbins, 2008). It is because, the locker is the property of the company, and the enterprise has the power to conduct the search on it. Common areas within the company such as break room, rooms where digital media and files are kept or stored can also be searched. In these places, one can obtain important files that Mr McBride might have kept that relate to the theft of the intellectual property rights and also any device that can store data that relate to the case (Robbins, 2008).
In addition, another location that is eligible for the company search is the security room that contains all the day to day videos from the CCTV. Here the InfoSec Specialist can obtain the media and review any of the CCTV footage that will show any suspicious action or movement of Mr. McBride’s within the institution (Robbins, 2008). Areas or locations that will involve or require police involvements is Mr. McBride’s house, car, his new working office and his personal belonging such as the laptop and mobile phone. Here the law enforcement agency needs to interview with a legal and appropriate search warrant that will assist them to obtain any evidence that will be useful during the investigation and in accordance with the intellectual property rights case (Workplace Fairness, 2016).
For the evidence to remain unaltered there is specific precaution that the forensic examiner needs to take. It is because preservation of particular evidence is very important if one needed to make the evidence admissible in the court of law. It is an action that includes developing and creating the forensically correct copy of desired media presented and can be achieved by obtaining the bit-stream image of the entire original information/data (Henry, 2009). Therefore the step one can take to make an image copy from the original data is by the use of one device which will ensure that the requirements of preserving the evidence are met, and that is the physical write blocker device.
It is a device that will prevent any alteration or modification of the original proof. Hence the image process is then performed where the original storage medium or the thumb drive (either external storage or hard drive device) to the write-blocker (Henry, 2009). Then the write blocker will be attached to the forensic workstation. After it has been attached to the forensic workstation, the forensic examiner will then use special software that will be employed so as to create or develop the forensic image that will be used as one of the evidence in the court of law (Henry, 2009).
To: H. Jenkins,
From: (your name)
Greenwood Company Digital Forensics Examiner
Re: Three Forensic Examination/Analysis (Software) Tools
As the digital forensic examiner of Greenwood Company, I am glad that the enterprise is recognizing the essence of the forensic readiness. Therefore, the three important software tools that I recommend for the company to add and keep in their budget for the following year include;
1) EnCase is a computer forensic software that comes from or manufactured by the guidance software. It is the world’s leading answer for forensics and computer investigation. Hence it is a commercial software package that allows the investigator to examine and image data from devices such as palm PDAs, removable media like the CDs and Floppy disk and the hard drives (Software, 2016). The software is used to create the image of the medium presented such as hard disk. The image is then called the Evidence File in the EnCase is then analyzed by use of EnCase program. In addition, the software allows a forensic examiner to transcribe small scripts or programs that perm highly customized search an also filtering of information or data that has been imaged by a device (Software, 2016).
2) Vogon Forensic Software is software that was developed and manufactured by Vogon International. It is imaging software that is used to develop and create an exact replica of information or data on the drive or devices which can later be indexed by processing software so as to allow easy and fast searching by the components of investigation (U.S. Department of Justice, 2008).
3) Belkasoft is evidence analysis and search software for digital data that is manufactured by the Belkasoft Evidence Centre. It is software that has been trusted by thousands of the expert globally. It is a forensic solution for analyzing, extracting, locating and acquiring digital evidence that is stored on mobile devices and computers (U.S. Department of Justice, 2008). In addition, it is a tool that quickly extracts the digital evidence from the multiple sources through analysis of the chip-off dumps, JTAG, UFED, Android and Blackberry backups, Ios, memory dumps, drive images and hard drives. Furthermore, it will lay out vital forensic artifacts from the devices for the investigators to examine even more closely, review or even add to the report.
Therefore, these tools also meet the standards of the Daubert because they provide the rule of the evidence which regards to the admissibility of the expert witnesses testified that is conducted during federal legal proceedings.
Being the digital forensic examiner, I used the hash values so as to assist and help me in locating the source code that was on the thumb drive. Where hashing is referred as the process of generating the values or value from the string of the text by the use of the mathematical function (Ensuring Data Integrity with Hash Codes, 2016). It uses an algorithm to be able to create a certain value from the original source that is prior to transmission or storage. In addition, the hash value created can also be used to create another different hash that will be used to compare it with the first hash value. Hence it can be used in proving the integrity of the data in evidence and providing digital fingerprints. Furthermore, the hash value can also be seen as the way of encryption or cryptography.
Hashing is used in this case by developing and creating the hash value for the company’s original or unique source code and also creates the hash value of the source code of Mr. McBride’s thumb drive. These two hash values are compared with each other and when they became identical and the source codes then match, it means that the source code that was found on the evidence that is the thumb drive is actually the “Product X” (intellectual property) of the Greenwood Company that Mr. McBride actually stole. Therefore, when I made the thumb drive forensic image, I copied all the data that was in Mr. McBride’s drive to a different and clean drive. Then I connected the clean thumb drive to a write-blocker. During the copying process, the hash drive was also recording. Finally, when I compared the two source code, I verified that they were matching, where I come to a conclusion that the source code that was in Mr. McBride thumb drive is indeed the “Product X” that belong to the Greenwood Company (Ensuring Data Integrity with Hash Codes, 2016).
In addition, the hash value can also be used for different purposes in the content of the digital forensics. For example, the hash value can use in verifying the veracity of the messages that are sent through any unsecured means. They are also used for evidence authentication and file identification. Hence it is a unique tool to specific information or data and cannot be duplicated. It is because when the data changes in any way. The hash value also changes so as to pair with the existing digital file. Finally, it is used at the beginning when evidence is obtained and also at the end so as to ensure evidence integrity (Keana, 2013).
Since there is clear evidence that the source code that was found on Mr. McBride’s thumb drive is actually the source code for Greenwood Company (Adams, 2004). It indicates a crime was committed and law enforcement agency need to be involved. In addition, there is a clue that Mr. McBride might have emailed the source code of “product X” to his own personal email, the law enforcement needs to be involved who will come with a legal search warrant that will be used in searching his personal email to see who was send the source code and whether it was actually sent. In addition, when the crime is reported to the law enforcement, the material containing the company source code can be seized and confiscated by the police, which will assist in reducing risk in the company (Adams, 2004). The police report could also be used by the Greenwood Company to convalesce the company losses through insurance.
Furthermore, the crime should be reported since the company source code has been considering being an intellectual property, and the stealing of any intellectual property in a crime punishable by law. Mr. McBride is then charged by with the criminal copyright infringement and is punishable by a fine that does not exceed $250000 and imprisonment of about three years (Adams, 2004). Mr. McBride can also be charged by law with pre-release of the criminal copyright infringement because the source code of “product X” was not yet released by the Greenwood Company. Additionally, private companies are not supposed to report crimes to the law enforcement because of the law enforcement deals with public sectors and the society (Adams, 2004). Moreover, there is a certain circumstance where they can employ the law enforcement where the theft conducted is found in the company law and is punishable by law.’
An expert witness is decided as an individual who has become a specialist in a particular subject. The expert witness is also an individual who may present or give his or her opinion without being a witness in any occurrence that relates to the criminal case. Hence there is the importance of one the being an expert witness (Schwarz, 2004). It is vital to be an expert witness because one’s opinion is usually based on the person’s experience or skills, certification, training and virtue of education. In addition, it is also important because their opinion is also based on four major criteria: first, the expert has applied the methods and principles to facts of cases (Schwarz, 2004). Secondly, the testimony of the witness is a product of the reliable methods and principles. Thirdly, the testimony of the expert witness is based on enough or sufficient data or facts. Finally, his or her knowledge assist the judge and the jury in determining the facts and understand the evidence.
The expert witness is actually different from a fact witness because, the expert witness does not need to observe and understand the situation so as to participate on the case (Schwarz, 2004). On the other hand, the fact witness has only the knowledge of what he or she has witnessed or observed in a particular situation by the use of their five senses only. They can also be called the material witness since they provide their truth statements based on their own perception regarding a given crime or event (Schwarz, 2004).
Even though McBride has violated the policy of the company, depending on the enterprise handbook, it may not be the committed crime. Therefore, the company should conduct an internal investigation unless he had purposefully repossessed the property of the organization with an intention to commit the crime (Wang, 2007). But is the case is handed over to the law, McBride will be taken to trial and I as the forensic examiner will act as an expert witness to present facts of the presented evidence. Hence in the preparation of the trial, I will practice and respond to the question that respond to the prosecutor be typing the transcript for my response.
Prosecutor: “how can I know from your work that your analysis should be accepted?”
Answer: my analysis my profession an also my integrity is on the line. Therefore, the process I used in collecting the evidence and how I handle and document the evidence followed the industrial standards and practices so as to preserve the state and originality of the evidence. In addition, I also correctly filed chain of custody the moment the evidence was brought to me and in my possession. In addition, all the evidences that I have gathered in relation to this case was obtained and retrieved with rightful procedure, standards and laws, hence they were not selective.
Prosecutor: “how do we know you are not biased in this case, choosing to report only what would help law enforcement and your company’s bottom line?”
Answer: as the company expert witness, I assure you all that own professional activities does not at all conflict with my own personal goals. I respect the community, law enforcement and also believe that they both should be recognized and applauded for the best work they have done. Moreover, my work needs me to uphold the morals and standards of the company policies and local statues to report any of the wrongdoings such as theft. Hence according to my knowledge in relation to the case, and my extensive qualification, I have been called here as an expert witness to the case to prevent facts of the evidence.
Adams, C. (2004). The Right of Privacy of Employees with Respect to Employer-Owned Computers and E-mails. University of Tulsa College of Law. TU Law Digital Commons. 75 Oka B. J.2567
Ensuring Data Integrity with Hash Codes. (2016). Msdn.microsoft.com. Retrieved 4 November 2016, from https://msdn.microsoft.com/en-us/library/f9ax34y5 (v=vs.110).aspxFact
Henry, P. (2009). SANS Digital Forensics and Incident Response Blog | Best Practices In Digital Evidence Collection | SANS Institute. Retrieved fromhttps://digital-forensics.sans.org/blog/2009/09/12…
Keana, C. (2013). Capturing a Forensic Image. Penn Arts & Sciences. Retrieved 3 November 2016, from https://sites.sas.upenn.edu/sites/default/files/kl…
Robbins, J. (2008). An Explanation of Computer Forensics. Retrieved April 9, 2008, fromhttp://computerforensics.net/forensics.htm
Schwarz, T. (2004). Computer forensics unfixes file system. Computer Engineering 252 Retrieved from:http://www.cse.scu.edu/~tschwarz/coen252_04/Lectur…
Software, G. (2016). EnCase Forensic Software – Top Digital Investigations Solution. Guidancesoftware.com. Retrieved 5 November 2016, from https://www.guidancesoftware.com/encase-forensic
U.S. Department of Justice. (2008). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. Retrieved from National Criminal Justice Reference Service:://www.ncjrs.gov/pdffiles1/nij/219941.pdf
Wang, S.-J. (2007). Measures of Retaining Digital Evidence to Prosecute Computer-Based Cyber-Crimes. Computer Standards & Interfaces, 29 (2),
Workplace Fairness. (2016). Workplace Searches – Workplace Fairness. Retrieved September 11, 2016, from https://www.workplacefairness.org/workplace-search…