
BTEC Level 3 IT - Unit 11 - Cyber Security - Paper B | Part 13 - Activity 4 | FORENSIC ANALYSIS
AI Summary
This video explains how to structure an evidence report for this activity, using the provided template. The template requires a section for each piece of evidence, followed by an overall conclusion.
The first evidence item discussed is "Bell Jinder's account." The method of acquiring this evidence was that Bell Jinder, who hired the presenter to assess a threat, made notes and provided them. The evidence detail from Bell Jinder's account provides an overview of events, including dates, times, people, and companies involved. It also accounts for missing items and highlights useful evidence. The presenter finds this evidence "very reliable" because it’s a factual account that can be verified with other sources like the security team or the recruitment office. Bell Jinder has no apparent reason to withhold information or lie. The conclusion for this specific item states that it was useful for quickly understanding what happened, detailing important dates and times, and noting the number of items taken. It's also suggested that the thieves likely only accessed the main meeting room where the phone and laptop were left, as it wouldn't make sense to leave other computers behind if the intention was to steal electronics.
The second evidence item is a "Summary of a meeting with the Ed Excelsior House management company." This evidence was acquired through meeting notes taken by Bell Jinder during the meeting and then provided to the presenter. The evidence detail highlights that multiple parties attended, and information was shared about the trustworthiness of staff hired by Ed Excelsior House. Staff are described as loyal due to higher wages and better working conditions, leading to low turnover. The meeting notes also mention that pickpocketing was "rife" on the Friday night during a party, making CCTV footage less useful. The presence of extra staff reduced the number of thefts. Both the recruitment agency and BCTAA experienced thefts, with only small electronics being taken from the reception area and no forced entry. Phantom payments were also reported from the same event. The presenter considers this evidence "very reliable," despite the involvement of multiple parties, as it comes directly from the source. Ed Excelsior House is viewed with slight skepticism, as they might not readily admit issues with their staff. The conclusion for this item notes that while Ed Excelsior House claims staff loyalty due to good pay, this doesn't preclude theft by cleaning or security staff. The fact that only small electronics were taken suggests limited access or an inability to take larger items without raising suspicion. Phantom payments imply the use of contactless devices to steal money from bank accounts in busy areas, a deliberate act as system errors were ruled out.
The third evidence item consists of "Annotated door access control logs." These logs were obtained from the door entry system, which automatically records entries and exits 24/7. The evidence detail explains that the door control system was likely accessed, and data for specific dates was copied. The system uses near field communication (NFC), and the provided logs were specifically for the 19th Floor, showing who had access and their movement. The categories of information in the logs include log number, card number, date and time, action (in/out), and notes. The logs showed a pattern of normal user access times, flagging any entries outside of allotted times. The presenter categorizes access as "limited" (restricted to certain times) and "semi-unlimited" (allowing entry at any time, but with an alert for unusual times). Four card numbers were flagged by the system: one for the correct 19th Floor but time-limited, one for the 18th Floor (incorrect floor), another for the 19th Floor but time-limited, and a fourth for Senior Management with 24/7 access. The reliability of this evidence is debated. One perspective is that it's "somewhat reliable" because it's annotated, suggesting additional information or context was added, but the lack of usable CCTV makes it difficult to confirm its integrity. Alternatively, the logs are considered "very reliable" as they are produced by an automated system without known faults. The conclusion for this item highlights clear evidence of four cards exhibiting unusual behavior, with three access attempts failing and the fourth succeeding, indicating a trial-and-error approach by the thieves. The use of NFC suggests the thieves may have used a device to clone bank and access cards. It would have been beneficial to have logs from other floors to confirm if the same cards were used elsewhere.
Finally, the presenter discusses their "final conclusion," which synthesizes all the evidence. They theorize that cards were copied using a cloning device to gain entry to the BCTAA office. The absence of reports of missing cards suggests they weren't stolen, despite pickpocketing occurring. A similar wireless cloning device could have been used for payments. The thieves likely made copies of multiple cards and attempted to access the 19th Floor BCTAA office, with four attempts logged within a minute. Once inside, they likely took only small electronics for easy concealment. Accessing the office from the inside requires pressing a button, not a card. The recruitment agency may have been accessed similarly, as logs for that floor were not provided. The commonality across incidents is the theft of small electronics from both BCTAA and the recruitment agency. The presenter does not believe BCTAA staff were involved, as random workers' cards were targeted, as evidenced by the attempt to use an 18th-floor worker's card on the 19th floor. The operation is described as a "simple snatch and grab," as more sophisticated actions, like targeting network equipment or stealing more computers, were not observed.
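The door access log analysis described in the third evidence item and the final conclusion (out-of-hours use, a wrong-floor card, and four distinct cards trying the 19th Floor door within a minute, with three failing and one succeeding) can be reproduced as a small triage script. The code below is an added example, not material from the video or the BTEC activity; the log lines, card numbers, dates and the per-card access policy are constructed to mirror the log categories the video lists (log number, card number, date and time, action, notes), and the "limited" / "semi-unlimited" access types follow the presenter's terminology.

```python
"""Triage of NFC door access logs: flag wrong-floor and out-of-hours use per
entry, then look for bursts of distinct cards hitting one door inside a short
window (the trial-and-error pattern described in the video)."""
from collections import namedtuple
from datetime import datetime, time, timedelta

Entry = namedtuple("Entry", "log_no card when action notes")
# Assumed per-card policy: home floor, access type and allowed window.
# "limited" cards are only valid inside the window; "semi-unlimited" cards
# work at any time but use outside the window raises an alert.
Policy = namedtuple("Policy", "floor access start end")

POLICY = {  # constructed sample policy, not real card data
    "CARD-1001": Policy(19, "limited", time(8, 0), time(19, 0)),
    "CARD-1002": Policy(19, "limited", time(8, 0), time(19, 0)),
    "CARD-2007": Policy(18, "limited", time(8, 0), time(19, 0)),
    "CARD-3001": Policy(19, "semi-unlimited", time(7, 0), time(21, 0)),
}

# Constructed sample log for the 19th Floor reader: log number, card number,
# date and time, action, notes. Dates and cards are placeholders.
SAMPLE_LOGS = """\
101,CARD-1001,2024-03-15 08:58,IN,19th floor staff
102,CARD-1001,2024-03-15 17:31,OUT,
103,CARD-1002,2024-03-15 09:05,IN,19th floor staff
104,CARD-1002,2024-03-15 17:02,OUT,
105,CARD-1001,2024-03-15 23:41,DENIED,outside allotted time
106,CARD-2007,2024-03-15 23:41,DENIED,card registered to 18th floor
107,CARD-1002,2024-03-15 23:42,DENIED,outside allotted time
108,CARD-3001,2024-03-15 23:42,IN,senior management 24/7 (unusual time alert)
"""


def parse_logs(text):
    """Parse comma-separated log lines into Entry records."""
    entries = []
    for line in text.strip().splitlines():
        log_no, card, stamp, action, notes = line.split(",", 4)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        entries.append(Entry(int(log_no), card, when, action, notes))
    return entries


def flag_entry(entry, door_floor=19, policy=POLICY):
    """Return the reasons a single entry is unusual for a reader on door_floor."""
    pol = policy.get(entry.card)
    if pol is None:
        return ["unknown card"]
    reasons = []
    if pol.floor != door_floor:
        reasons.append("wrong floor")
    if not pol.start <= entry.when.time() <= pol.end:
        # limited cards are refused outside hours; semi-unlimited only alert
        reasons.append("outside hours (denied)" if pol.access == "limited"
                       else "outside hours (alert)")
    return reasons


def find_bursts(entries, window=timedelta(minutes=1), min_cards=3):
    """Sliding window over time-ordered entries: report each cluster in which
    at least min_cards distinct cards hit the door within `window`."""
    ordered = sorted(entries, key=lambda e: e.when)
    bursts, i = [], 0
    while i < len(ordered):
        start = ordered[i]
        group = [e for e in ordered[i:] if e.when - start.when <= window]
        cards = sorted({e.card for e in group})
        if len(cards) >= min_cards:
            bursts.append({
                "start": start.when,
                "cards": cards,
                "log_nos": [e.log_no for e in group],
                "succeeded": [e.card for e in group if e.action == "IN"],
            })
            i += len(group)  # skip past the cluster so it is reported once
        else:
            i += 1
    return bursts


def triage(text, door_floor=19):
    """Combine both checks into one report for the evidence write-up."""
    entries = parse_logs(text)
    flagged = {e.log_no: flag_entry(e, door_floor) for e in entries
               if flag_entry(e, door_floor)}
    return {"flagged": flagged, "bursts": find_bursts(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    for log_no, reasons in report["flagged"].items():
        print(f"log {log_no}: {', '.join(reasons)}")
    for b in report["bursts"]:
        print(f"burst at {b['start']:%H:%M}: {len(b['cards'])} cards, "
              f"succeeded: {b['succeeded'] or 'none'}")
```

On the constructed sample the four late-night entries are each flagged individually, and the burst check groups them into one cluster of four distinct cards in which only the senior management card succeeded. In a real investigation the same logic run over the other floors' logs would answer the presenter's open question of whether the same cards were tried elsewhere.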