
SYSTEM DESIGN INTERFACE

This section describes the various design interfaces available in the proposed system. An examiner can access the system via the login page shown in Figure 27. A user with admin access can log in to the system without having to register as a new user; all other users have to click the New User button and are directed to the registration page shown in Figure 28.

Once registration is complete, a user name and password are generated and the user can proceed to the login page. Once the login is successful, the user is directed to the user home page shown in Figure 29. A user with admin access can click the Admin tab and is taken to the admin home page shown in Figure 30.


Figure 27: System login Page

Figure 28: New Examiner Registration Page

Figure 29 is the examiner's home page. On this page, an examiner can start a new case, view cases assigned by the administrator, resume the current examination and generate reports. This page also has a last-login and IP-address-tracking feature that is intended to prevent misuse of the application and to help in auditing.

Figure 29: Examiner Home Page

Figure 30 is the administrator's home page; it has the same features as the examiner's home page, except that it also has user management. This feature allows an administrator to approve new users and manage current examinations. The admin dashboard summarises all current cases, their status and the case officer investigating each case.
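The registration, admin-approval and last-login/IP-tracking behaviour described above can be expressed as a small access-control and audit model. The following Python is an added example written for this page, not code from the thesis or its prototype; the in-memory user store, the PBKDF2 password hashing and the audit event names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    approved: bool = False          # non-admin users wait for admin approval
    last_login: Optional[datetime] = None
    last_ip: Optional[str] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme for the example: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ExaminerPortal:
    """Hypothetical in-memory model of the login/registration/admin pages."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit_log: List[dict] = []

    def _audit(self, event: str, username: str, ip: str, **extra) -> None:
        # Every authentication-relevant action is appended to an audit trail.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": username, "ip": ip, **extra})

    def register(self, username: str, password: str, is_admin: bool = False) -> None:
        # Admin accounts are pre-provisioned and need no approval; everyone else
        # is created in the "awaiting approval" state (the New User flow).
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt),
                                    is_admin=is_admin, approved=is_admin)

    def approve(self, admin: str, username: str) -> None:
        # User management is reserved for administrators.
        if not self.users[admin].is_admin:
            raise PermissionError("only an administrator can approve new examiners")
        self.users[username].approved = True
        self._audit("approve", username, "-", by=admin)

    def login(self, username: str, password: str, ip: str,
              now: Optional[datetime] = None) -> dict:
        now = now or datetime.now(timezone.utc)
        user = self.users.get(username)
        # Constant-time comparison so a wrong password is not distinguishable by timing.
        if user is None or not hmac.compare_digest(
                _hash_password(password, user.salt if user else b""), user.pw_hash if user else b""):
            self._audit("login_failed", username, ip)
            return {"ok": False, "reason": "bad credentials"}
        if not user.approved:
            self._audit("login_unapproved", username, ip)
            return {"ok": False, "reason": "awaiting admin approval"}
        # Last-login / IP tracking: surface the previous session to the user and
        # flag an address change in the audit trail for later review.
        ip_changed = user.last_ip is not None and user.last_ip != ip
        self._audit("login", username, ip, previous_ip=user.last_ip, ip_changed=ip_changed)
        result = {"ok": True, "previous_login": user.last_login,
                  "previous_ip": user.last_ip, "ip_changed": ip_changed}
        user.last_login, user.last_ip = now, ip
        return result
```

The `ip_changed` flag is what the examiner home page would display alongside the last login time; the same audit entries give an administrator the material for the auditing the thesis mentions.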


Figure 30: Admin Home Page

Incident Reporting Phase:

This is the first phase of the examination, where a forensic examiner starts recording various details pertaining to the reported incident. This screen has four tabs, each opening in its own window, and the examiner can cycle through all four tabs. Figures 31 to 36 describe the various options and features available in this phase.


Figure 31: Incident Reporting Phase 1 - Contact Details

Figure 31 shows the contact details page, where the forensic examiner records the contact details of the person reporting the incident: full name, e-mail address and phone number.


Figure 32: Incident-Reporting Phase 1 - Incident Type

Figure 32 shows the options available for a forensic examiner to choose the incident type, such as a user-reported event or a system report. The examiner can then choose the type of event, such as (but not limited to) database access, authentication failure, changes, and loss or gain of privilege. The examiner also has the ability to upload a user report.


Figure 33: Incident Reporting Phase 1 - System Audit

Figure 33 is the screen that allows a forensic examiner to record information triggered by a system audit that requires examination. On this screen, the examiner can record the audit date and, via a drop-down list, audit details such as (but not limited to) logon, logoff, source of database usage, usage outside normal operating hours, DDL activities and database errors.

The examiner can also upload a system audit report and use the System Audit "Other" field to record any information that does not fit the predefined fields.


Figure 34: Incident Reporting Phase 1 - System Details

Figure 34 is the screen that records the details of the compromised system. Here the forensic examiner can record the location of the affected system; the database instance, such as Oracle, Microsoft SQL Server (MSSQL), MySQL, DB2, Informix, Sybase ASE or PostgreSQL; the database version; and the operating system on which the database is hosted, such as Windows NT, 2000, 2003 or 2008, XP, Vista or the Windows 7 series, or a non-Windows platform such as Linux, UNIX or Solaris.

The examiner can also record whether the host platform is a physical device or virtual infrastructure.


Figure 35: Incident Reporting Phase 1 - Network Details

Figure 35 shows the screen that lets the forensic examiner record the network details of an incident, such as hardware and assets, the connectivity of the system to the network, whether the system is connected to another device, the network address, the MAC address and the internet provider. The details of the internet provider are required in order to obtain authorisation to investigate or to obtain information, if their network was used as part of the attack (Carrier & Spafford, 2003, p. 7).


Figure 36: Incident Reporting Phase 1 - Physical Security

Figure 36 shows the screen that lets the forensic examiner record physical security details such as locks, alarms and access control at the server room. This screen also permits the examiner to identify and record the primary function of the database. Some of the available options are banking, finance, human resources, testing, life support, power grid, hospital record management or any non-critical database. The system also captures backup details.
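The six Incident Reporting screens above together define one structured incident record, and an application that accepts it should validate the fields rather than store free text. The following Python is an added example for this page, not code from the thesis or its prototype: it models the record with the option lists the text names and checks the fields a forensic examiner would want rejected early (malformed e-mail, network or MAC address, values outside the predefined lists, a missing audit date on an audit-triggered incident). The field names, the error-message wording and the `is_critical` helper are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Option lists taken from the Incident Reporting screens described in the text.
INCIDENT_SOURCES = {"user report", "system audit"}
EVENT_TYPES = {"database access", "authentication failure", "changes", "loss or gain in privilege"}
AUDIT_DETAILS = {"logon", "logoff", "source of database usage",
                 "usage outside normal operating hours", "DDL activities", "database errors"}
DATABASE_INSTANCES = {"Oracle", "MSSQL", "MySQL", "DB2", "Informix", "Sybase ASE", "PostgreSQL"}
HOST_PLATFORMS = {"physical", "virtual"}
PRIMARY_FUNCTIONS = {"banking", "finance", "human resource", "testing", "life support",
                     "power grid", "hospital record management", "non-critical"}
# Assumed for the example: which primary functions count as critical databases.
CRITICAL_FUNCTIONS = PRIMARY_FUNCTIONS - {"testing", "non-critical"}

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_MAC = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


@dataclass
class IncidentReport:
    # Figure 31: contact details
    reporter_name: str
    reporter_email: str
    reporter_phone: str
    # Figure 32: incident type
    source: str
    event_type: str
    # Figure 33: system audit (only meaningful when source == "system audit")
    audit_date: Optional[str] = None
    audit_details: List[str] = field(default_factory=list)
    # Figure 34: system details
    location: str = ""
    database_instance: str = ""
    database_version: str = ""
    operating_system: str = ""
    host_platform: str = ""
    # Figure 35: network details
    ip_address: str = ""
    mac_address: str = ""
    isp: str = ""
    # Figure 36: physical security
    primary_function: str = ""
    backups_recorded: bool = False


def validate(report: IncidentReport) -> List[str]:
    """Return a list of validation errors; an empty list means the record is acceptable."""
    errors: List[str] = []
    if not report.reporter_name.strip():
        errors.append("contact: full name is required")
    if not _EMAIL.match(report.reporter_email):
        errors.append("contact: invalid e-mail address")
    if report.source not in INCIDENT_SOURCES:
        errors.append(f"incident type: unknown source {report.source!r}")
    if report.event_type not in EVENT_TYPES:
        errors.append(f"incident type: unknown event type {report.event_type!r}")
    if report.source == "system audit":
        if not report.audit_date:
            errors.append("system audit: audit date is required for audit-triggered incidents")
        for detail in report.audit_details:
            if detail not in AUDIT_DETAILS:
                errors.append(f"system audit: unknown audit detail {detail!r}")
    if report.database_instance not in DATABASE_INSTANCES:
        errors.append(f"system details: unsupported database instance {report.database_instance!r}")
    if report.host_platform not in HOST_PLATFORMS:
        errors.append("system details: host platform must be 'physical' or 'virtual'")
    try:
        ipaddress.ip_address(report.ip_address)   # accepts IPv4 and IPv6
    except ValueError:
        errors.append(f"network: invalid network address {report.ip_address!r}")
    if not _MAC.match(report.mac_address):
        errors.append(f"network: invalid MAC address {report.mac_address!r}")
    if not report.isp.strip():
        errors.append("network: internet provider is required to request authorisation")
    if report.primary_function not in PRIMARY_FUNCTIONS:
        errors.append(f"physical security: unknown primary function {report.primary_function!r}")
    return errors


def is_critical(report: IncidentReport) -> bool:
    # Lets later phases prioritise cases involving critical databases.
    return report.primary_function in CRITICAL_FUNCTIONS
```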

Examination Preparation Phase:

This is the second phase of the examination, where a forensic examiner starts making important decisions such as network isolation, scanning the network to identify the various database configurations, and obtaining authorisation from the relevant internal and external authorities before starting the examination. This screen has four tabs, each opening in its own window, and the examiner can cycle through all four tabs. Figure 37 describes the various options and features available in this phase. All four tabs have drop-down lists, are similar to each other, and permit the examiner to choose the appropriate action in a given situation. In the network isolation tab the examiner can record whether the crime scene needs freezing, internet disconnection or local network disconnection. In the network scan tab, the examiner can record whether all the required network details have been captured. In the authorisation tab the examiner can record whether all the required internal and external authorisation has been obtained.

Figure 37: Incident Preparation - Network Isolation

Physical & Digital Examination Phase:

This is the third phase of the examination, where the forensic examiner performs the physical and digital examination according to industry standards and uploads the results into the application. This screen has four tabs, each opening in its own window, and the examiner can cycle through all four tabs. Figure 38 describes the various options and features available in the physical examination phase. All four tabs, namely preservation, survey, search & collect and reconstruction, have the same features. The examiner first performs the task and then uploads the report into the application.

Figure 38: Physical Examination Phase


Figure 39: Digital Examination Phase

Figure 39 describes the various options and features available in the digital examination phase. The interface is similar to that of the physical examination phase, with the exception of the validation tab. The examiner first performs the task and then uploads the report into the application.

Documentation & Presentation Phase:

This is the fourth phase of the examination, where reports are generated and the case is reviewed before being presented to the concerned authorities. Figure 40 describes the various options available in this phase. This screen has three tabs, each opening in its own window, and the examiner can cycle through all three tabs. The report generation tab allows an examiner to select a case and generate a technical or legal report. The update case tab permits the examiner to update any missing details of the examination, and the review tab has the summary of the entire case.

Figure 40: Documentation & Presentation Phase

Post Examination Phase:

This is the fifth phase of the examination, where examination data is archived and evidence is returned. Figure 41 describes the various options available in this phase. This screen has three tabs, each opening in its own window, and the examiner can cycle through all three tabs.

In the data-archiving tab, the examiner can select the relevant case and upload the details of the data archiving. The evidence-returning tab has a similar interface to data archiving, and the examiner can upload the details of the evidence returned to the client. In the review case tab the examiner can review the entire case up to its present status.

Figure 41: Post Examination Phase

Post Examination Analysis Phase:

This is the final phase of the examination, where the examiner and the client analyse the case for system, application and policy lessons learnt. Figure 42 describes the various options available in this phase. This screen has three tabs, each opening in its own window and providing the same interface and function, and the examiner can cycle through all three tabs.

In the system lesson tab, the examiner can select the case and upload the system lessons learnt. The application and policy lesson tabs have the same feature, and once this process is completed, the case is closed.

Figure 42: Post Examination Analysis
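The six phases described from the Incident Reporting Phase through the Post Examination Analysis Phase form one ordered case lifecycle in which each tab's report must be uploaded before the case moves on and the case is closed only after the final phase. The following Python is an added example for this page, not code from the thesis or its prototype, showing that lifecycle as a small state machine that refuses out-of-order uploads and skipped phases and keeps a history for the review tabs. Tab names are taken from the text; where the text does not name a tab (the fourth tab of the preparation phase) it is left out, and the `report_ref` values and the `run_full_case` helper are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Phases in the order the text presents them, each with the tabs the text names.
PHASES: List[Tuple[str, Tuple[str, ...]]] = [
    ("incident_reporting", ("contact details", "incident type", "system audit",
                            "system details", "network details", "physical security")),
    ("examination_preparation", ("network isolation", "network scan", "authorisation")),
    ("physical_examination", ("preservation", "survey", "search & collect", "reconstruction")),
    ("digital_examination", ("preservation", "survey", "search & collect",
                             "reconstruction", "validation")),
    ("documentation_presentation", ("report generation", "update case", "review")),
    ("post_examination", ("data archiving", "evidence returning", "review case")),
    ("post_examination_analysis", ("system lesson", "application lesson", "policy lesson")),
]


class CaseWorkflow:
    """Hypothetical model of one case moving through the examination phases."""

    def __init__(self, case_id: str, examiner: str) -> None:
        self.case_id = case_id
        self.examiner = examiner
        self.phase_index = 0
        self.closed = False
        # phase -> tab -> reference to the uploaded report (a path or object id)
        self.uploads: Dict[str, Dict[str, str]] = {name: {} for name, _ in PHASES}
        self.history: List[str] = [f"case {case_id} opened by {examiner}"]

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index][0]

    def missing_tabs(self) -> List[str]:
        tabs = PHASES[self.phase_index][1]
        return [t for t in tabs if t not in self.uploads[self.phase]]

    def upload(self, phase: str, tab: str, report_ref: str) -> None:
        # Uploads are only accepted for the phase the case is currently in.
        if self.closed:
            raise ValueError("case is closed; no further uploads are accepted")
        if phase != self.phase:
            raise ValueError(f"case is in phase {self.phase!r}; cannot upload to {phase!r}")
        if tab not in PHASES[self.phase_index][1]:
            raise ValueError(f"phase {phase!r} has no tab {tab!r}")
        self.uploads[phase][tab] = report_ref
        self.history.append(f"{phase}/{tab} <- {report_ref}")

    def advance(self) -> str:
        # A phase may only be left once every one of its tabs has a report.
        missing = self.missing_tabs()
        if missing:
            raise ValueError(f"cannot leave {self.phase!r}; missing tabs: {missing}")
        if self.phase_index == len(PHASES) - 1:
            self.closed = True
            self.history.append("case closed")
            return "closed"
        self.phase_index += 1
        self.history.append(f"entered {self.phase}")
        return self.phase


def attempt_skip(workflow: CaseWorkflow) -> str:
    """Try to advance an incomplete phase and return the refusal message."""
    try:
        workflow.advance()
    except ValueError as exc:
        return str(exc)
    return ""


def run_full_case(case_id: str = "CASE-0001", examiner: str = "examiner1") -> CaseWorkflow:
    # Drive a case through every phase with constructed report references.
    wf = CaseWorkflow(case_id, examiner)
    for name, tabs in PHASES:
        for tab in tabs:
            wf.upload(name, tab, f"reports/{case_id}/{name}/{tab}.pdf")
        wf.advance()
    return wf
```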
