Computer expert: Data manipulation
This judicial report was made at the request of a party. It required a computer expert to assess whether or not there had been manipulation of data of a public institution by a former employee.
Technical specifications:
- Type of work: judicial expert witness at the request of a party
- Reason for action: Suspicion of data manipulation by a former employee.
Problem raised:
A former employee is dismissed from a public administration. Afterwards, changed data appear in the Social Security database to which she had access. The manager of the same company files a lawsuit against her. A computer expert is required to determine the facts and the plausibility of the statements.
The problem stems from the fact that the security policy has been poorly implemented and has failed to address the basic principles of:
- Least privilege (an employee should not be able to cause irreparable harm, whether while employed or after being dismissed).
- Non-repudiation: if a policy of assigning individual passwords and workspaces, and forbidding their sharing, is not correctly implemented, the authorship of the changes can be questioned.
- External access closed by default: ports and IP addresses must be closed by default and opened only through a whitelist.
Procedure followed:
- Study of the documentation submitted and statements in the administrative file.
- Analysis of the main computer hard disk.
- Study of the network configuration and the computer devices connected at the Respondent's home.
- Study of the logs presented as evidence in the judicial file.
- Study of the police report and the documentation submitted by the Internet and telephone operators.
Results obtained:
The computer expert helped to clarify whether the respondent was really responsible for the changes that appeared in the database, or whether it could have been someone else who made the changes.
Suggested actions:
As a result of the incident, a stricter security policy was suggested to the institution that suffered the data change based on:
- Establish a protocol for access and management of users and passwords.
- Restrict access to servers to a subset of users and IP addresses.
- Assign employees the minimum permissions needed to perform their work.
- Train personnel in the implemented security policy.
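The following is an added example, not part of the expert report or the case file: a small audit that checks database change records against the three principles above (least privilege, non-repudiation, default-closed access). The log format, account names, dates and IP ranges are all constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions, not taken from the case)
ALLOWED_NETWORKS = [ip_network("10.20.0.0/24")]
ACCOUNTS = {
    "jdoe": {"disabled_at": datetime(2023, 3, 1, 9, 0), "can_write": True},
    "asmith": {"disabled_at": None, "can_write": True},
    "intern1": {"disabled_at": None, "can_write": False},
}
# Constructed audit log: timestamp, account, source IP, action
SAMPLE_LOG = """\
2023-02-27T10:15:00 jdoe 10.20.0.14 UPDATE
2023-03-02T22:41:00 jdoe 203.0.113.50 UPDATE
2023-03-03T08:05:00 asmith 10.20.0.21 UPDATE
2023-03-03T08:07:00 asmith 10.20.0.77 UPDATE
2023-03-03T09:00:00 intern1 10.20.0.30 UPDATE
"""

def audit(log_text, window_minutes=10):
    """Return (timestamp, account, reasons) for every record that breaks policy."""
    findings, last_seen = [], {}  # last_seen: account -> (timestamp, ip)
    for line in log_text.splitlines():
        ts_s, user, ip_s, action = line.split()
        ts, ip = datetime.fromisoformat(ts_s), ip_address(ip_s)
        acct, reasons = ACCOUNTS.get(user), []
        if acct is None:
            reasons.append("unknown account")
        else:
            # Access must end when the employment relationship ends
            if acct["disabled_at"] and ts >= acct["disabled_at"]:
                reasons.append("account used after deactivation")
            # Least privilege: writes only from accounts allowed to write
            if action != "SELECT" and not acct["can_write"]:
                reasons.append("write exceeds assigned permissions")
        # Closed by default: only allowlisted networks may connect
        if not any(ip in net for net in ALLOWED_NETWORKS):
            reasons.append("source IP not on allowlist")
        # Non-repudiation: one account on two hosts within minutes suggests sharing
        prev = last_seen.get(user)
        if prev and prev[1] != ip and (ts - prev[0]).total_seconds() <= window_minutes * 60:
            reasons.append("same account from two IPs: possible shared password")
        last_seen[user] = (ts, ip)
        if reasons:
            findings.append((ts_s, user, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A record flagged for possible password sharing does not identify who made the change; it shows that authorship cannot be established from the account name alone.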