This sample report is from "Appendix: Resources" of the Fundamental Computer Investigation Guide for Windows by Microsoft Corporation.

Sample - Internal Investigation Report


Northwind Traders
123 Main Way
Redmond, WA
October 18, 2006
Examiner: Scott Culp (Technical Lead, Northwind Traders)
Internal Investigation Team: James Fine (Technical Specialist, Northwind Traders), Spencer Low
(IT Manager, Northwind Traders), Yan Li (Technical Specialist, Contoso Ltd)
Requester: Northwind Traders
Offense: Intellectual Property Theft
CONCLUSION
This investigation concluded that Peter Houston, Sales Manager, Northwind Traders, obtained
unauthorized access to privileged files containing the intellectual property of Northwind Traders
and transferred them via e-mail to an unauthorized third party.
FINDINGS
The analysis of the server and laptop computer resulted in 154 files and 14 log entries of
evidentiary interest. Files were examined using standard internal investigation procedures.

Investigation started: September 14, 2006
Investigation completed: October 16, 2006
Investigation hours: 150 hours
Operating systems examined: Microsoft Windows Server 2003 R2, Windows XP SP 2
File system: NTFS
Amount of data analyzed: 1,200,000 MB

Evidence Description
Item 1: One IBM X-Series 360 rack server, Serial Number 111-A1111-11-111-1111.
Actions taken:
Date / time                 Action
September 20, 2006 16:30    Retrieved original server from server room. Acquired data from the server following standard acquisition process.
September 21, 2006 10:00    Analyzed evidence collected from server. Identified files of interest. Documented the system following standard procedures.

Additional information: See attached Computer Examination Worksheet and Hard Drive
Examination Worksheet for this system.

Evidence found:
The server was accessed physically and the Active Directory directory service was modified to elevate privilege for account Peter Houston by assigning the account to the Domain Administrators group on September 12, 2006 at 17:05. The server was interactively logged on to as nwtraders\Administrator at the time.
Ownership of directory D:\Product Development was taken by Peter Houston.
File D:\Product Development\Research Results.doc was accessed by Peter Houston's account on September 13, 2006 at 01:09.
File D:\Product Development\Confidential\Product Strategy.doc was accessed by Peter Houston's account on September 13, 2006 at 01:15.
File D:\Product Development\Strategy\Proposed Partnerships.doc was accessed by Peter Houston's account on September 13, 2006 at 01:19.
Item 2: One Dell Inspiron 9400 laptop, Serial Number 222-B2222-22-22-2222.
Actions taken:
Date / time                 Action
September 21, 2006 13:30    Retrieved laptop from user Peter Houston.
September 28, 2006 07:00    Analyzed evidence collected from laptop. Identified files and events of interest. Documented the system following standard procedures.

Additional information: See attached Computer Examination Worksheet and Hard Drive
Examination Worksheet for this system.
Evidence found:
Laptop logged on to as nwtraders\peter on September 13, 2006 at 01:21.
Files Research Results.doc, Product Strategy.doc, and Proposed Partnerships.doc transferred from server to Temp directory on September 13, 2006 at 01:25.
Internet Explorer navigated to www.hotmail.com on September 13, 2006 at 01:29.
Files e-mailed to <address>@hotmail.com on September 13, 2006 at 01:37.