The incident response center has been contacted by the President of the company. He has one simple request: he needs you to recover some data from a simple file. He also wants to know what happened to the file, in case he is being “hacked”.
The President has a personal USB flash device that contains a series of directories with information that does not pertain to the company and that he wanted to keep separate from the information on the company’s servers. One directory of special interest is called SAINTBNK and includes an important file. The file contains the account number. This number is required for him to access his off-shore bank online. The bank is on the Island of Guernsey and is not readily accessible. To minimize money laundering, the bank rules require an in-person visit to obtain details of a specific account, including the account number. The President is unable to travel to the island at this time but needs to access his account to make payments on his private plane. The files are not encrypted, as the USB rarely leaves the President’s office and does not contain any official company confidential information.
The President had given the USB to the company accountant to work on another issue, but the accountant accidentally reformatted the USB drive. Now the files are no longer readable. He did not want to use the company resources initially, so he had a private forensic expert come in and make an image of the file. However, the President did not trust him to retrieve the data, as he believes the account number to be very sensitive and the expert was boasting about his knowledge of bank hacking. The image is attached.
The President states that he needs that 18 digit account number (3 sets of 6 digits separated by hyphens). The file is *very* important and he would like to recover the file exactly as it was.
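As an added example (not part of the original assignment), a raw pattern search for the stated account-number format reports the byte offsets in an image that are worth examining in a hex editor or carving tool. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration, and only ASCII and UTF-16LE text are checked.

```python
import re

SECTOR = 512  # assumed sector size, used only to report a sector number

# 3 groups of 6 digits separated by hyphens, not embedded in a longer digit run.
_ASCII = rb"(?<!\d)\d{6}-\d{6}-\d{6}(?!\d)"
# Same format when each character is stored as UTF-16LE (byte followed by 0x00).
_UTF16 = (rb"(?<!\d\x00)(?:\d\x00){6}-\x00(?:\d\x00){6}-\x00"
          rb"(?:\d\x00){6}(?!\d\x00)")
PATTERNS = (("ascii", re.compile(_ASCII)), ("utf-16-le", re.compile(_UTF16)))


def scan_bytes(buf):
    """Return candidate account numbers with their offsets, sorted by offset."""
    hits = []
    for enc, rx in PATTERNS:
        for m in rx.finditer(buf):
            hits.append({
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "encoding": enc,
                "value": m.group().decode(enc),
            })
    return sorted(hits, key=lambda h: h["offset"])


def scan_image(path):
    """Scan an image file read-only; assumes the image fits in memory."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def build_sample():
    """Constructed 32 KiB 'image': zero fill, two planted values, one decoy."""
    img = bytearray(64 * SECTOR)
    number = "123456-654321-000111"            # constructed, not a real account
    decoy = b"1234567-123456-123456"           # 7-digit group: must not match
    img[0x1000:0x1000 + len(decoy)] = decoy
    img[0x4200:0x4200 + 20] = number.encode("ascii")
    img[0x6000:0x6000 + 40] = number.encode("utf-16-le")
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_bytes(build_sample()):
        print(f"{hit['offset']:#010x} sector {hit['sector']:>4} "
              f"{hit['encoding']:<9} {hit['value']}")
```

A hit only locates the text; recovering the file "exactly as it was" still means identifying which file system structure or file fragment contains that offset.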
Your assignment is to look at the file image and recover the file using any forensic tools. You will also prepare a detailed report for the President that includes the following:
· The account number;
· A description of your hypothesis as to what happened to make the file “disappear”;
· A description of how you recovered the data; and
· A recommendation on how he should protect his account number that would prevent this problem from happening again.
If you cannot find the account number, describe the steps that you went through to find the data.
Note: I will function as the “President” who lost the data and has contacted the incident response center. Feel free to “interview me” and ask for any further information that you feel necessary, via email.