Wednesday, May 6, 2020

Digital Evidence in Computer Forensic Tools - MyAssignmenthelp.com

Question: Discuss digital evidence in computer forensic tools.

Answer:

Introduction

The devices under investigation are a laptop and an external HDD that were confiscated from Mrs. Waugh at the airport baggage scanner. Mrs. Waugh appeared tense at the airport reporting station, her baggage looked suspicious under the scanner, and the authorities immediately took it in for investigation. The laptop and the external HDD, being digital devices, were confiscated and handed over to the investigation team; the rest of the baggage was left with the crime police for further investigation.

On 26th September 2017 at 1:15 am, flight TR354 from Pakistan landed at Adelaide International Airport. During the routine baggage scan, the baggage was found to contain some malicious-looking packets along with the digital devices. The digital evidence found and confiscated consists of a laptop (Model No. YT98987, Serial No. YT786393650300752) and an external HDD (Serial No. GHDD7868667). Officer Maxwell confiscated and sealed the devices under baggage number ID4533 for the case and handed them over to the digital investigation officer, Mr. Zampa. The initial investigation revealed that the external HDD had a capacity of 500 GB.

Analysis Conducted

The digital evidence consists of a laptop (Model No. YT98987, Serial No. YT786393650300752) and an external HDD (Serial No. GHDD7868667). The devices were given to the investigation team in sealed envelope No. ID34244. The digital devices office is situated in Adelaide.

The devices were copied digitally and all the digital evidence was then secured. The copy mode used is a logical copy performed bit by bit, so that an exact copy is produced using specialised software such as ProDiscover. Additional hardware blocks any write operation to the devices.
The images created are kept, and backups are also created and stored on other external devices as well as in the cloud, so that the evidence is preserved in case of any mishap (Zhicong, Delin & Shunxiang, 2008).

The confiscated laptop had the following configuration:

- Intel Core2Duo dual-core processor
- 500 GB HDD with partitions of different sizes
- 8 GB RAM

The external HDD was also imaged, and the images were kept at multiple locations, as was done for the laptop HDD (Zhicong, Delin & Shunxiang, 2008). The imaging software used was ProDiscover, and the screenshot of the entire process is given below.

Two layers of protection ensure that nothing is written to the devices under investigation: hardware with a write-block switch is used while the copy is made, and the software used, ProDiscover, further reduces the chance of anything being written to the digital evidence (Bariki, Hashmi & Baggili, 2011). The devices are therefore never written to and remain in the state in which they were confiscated. The exact copy is made using ProDiscover, and the process is shown below.

The logical mode is used for the copy, which allows a partition-based copy of the HDD to be made. In this way an exact copy of each partition can be created and investigated region by region, which speeds up the entire process (Bariki, Hashmi & Baggili, 2011). The disk images can then be analysed further with FTK Imager and the findings reported, helping to discover evidence that could build a solid case against the suspect, Mrs. Waugh. The USB drive is also copied; with FTK Imager the investigation can be carried out and the possible evidence managed and checked. Whether to pursue the USB drive further is left to the forensic expert.
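The property that makes a write-blocked, bit-by-bit image usable as evidence is that its hash matches the source at acquisition time and still matches every time the image is re-verified later. ProDiscover and FTK Imager compute and record these hashes themselves; the Python example below is added here to show what that verification step does and is not code from the report or from either tool. It images a constructed 3 MiB in-memory stand-in for the evidence drive, hashes the source while reading, re-hashes both the image and the source afterwards, writes one chain-of-custody log line (the serial number is the report's; the examiner field reuses the officer's surname), and then shows that altering a single byte of the image makes later verification fail.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read; a real drive is imaged the same way, just for longer


def sha256_of(stream, chunk: int = CHUNK) -> str:
    """Hash a seekable stream from its start in fixed-size chunks."""
    h = hashlib.sha256()
    stream.seek(0)
    while True:
        block = stream.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def image_device(source, image, chunk: int = CHUNK) -> dict:
    """Copy every byte of `source` into `image`, hashing the source as it is read.

    `source` is a read-only stream. On a real acquisition a hardware write
    blocker sits between the evidence drive and the workstation so that no
    write can reach the drive; this function only ever reads from it.
    """
    acquisition = hashlib.sha256()
    copied = 0
    source.seek(0)
    while True:
        block = source.read(chunk)
        if not block:
            break
        acquisition.update(block)
        image.write(block)
        copied += len(block)
    image.flush()
    acquisition_hash = acquisition.hexdigest()
    image_hash = sha256_of(image)    # hash what actually landed in the image file
    source_hash = sha256_of(source)  # re-read the evidence: it must still match
    return {
        "bytes_copied": copied,
        "acquisition_sha256": acquisition_hash,
        "image_sha256": image_hash,
        "source_reread_sha256": source_hash,
        "verified": acquisition_hash == image_hash == source_hash,
    }


def verify_image(image, expected_sha256: str) -> bool:
    """Re-verification at any later time: any change to the image breaks the match."""
    return sha256_of(image) == expected_sha256


def custody_entry(item: str, serial: str, examiner: str, result: dict) -> str:
    """One JSON line for the chain-of-custody log (item and serial come from the report)."""
    return json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "item": item,
        "serial": serial,
        "examiner": examiner,
        "bytes": result["bytes_copied"],
        "sha256": result["image_sha256"],
        "verified": result["verified"],
    })


def demo() -> dict:
    """Image a constructed 3 MiB stand-in for the evidence drive, then tamper with the image."""
    evidence = io.BytesIO(bytes(range(256)) * (3 * 1024 * 1024 // 256))  # constructed sample
    image = io.BytesIO()
    result = image_device(evidence, image)
    log_line = custody_entry("External HDD", "GHDD7868667", "Zampa", result)
    # Flip one byte of the image: the stored hash no longer matches
    image.seek(100)
    image.write(b"\xff")
    return {
        "result": result,
        "log_line": log_line,
        "verified_after_tamper": verify_image(image, result["image_sha256"]),
    }


if __name__ == "__main__":
    out = demo()
    print(out["log_line"])
    print("verified after tamper:", out["verified_after_tamper"])
```

Hashing the source a second time after the copy is the check that a practitioner wants on record: it demonstrates that the acquisition itself did not alter the evidence, which is exactly what the write blocker is there to guarantee.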
The logical drive option is used to select the specific hard disk partition, which is then copied to produce the copy of the original device (Bariki, Hashmi & Baggili, 2011).

Analysis of the copied HDD drive

Many files and folders had been deleted from the disk. FTK Imager was used to analyse the HDD images in order to recover and read the deleted files. The recovered files would then help in building strong evidence against the suspect (Garfinkel, Malan, Dubec, Stevens & Pham, 2006). Several deleted files were found in the image, and using FTK Imager we were easily able to recover them. Many of the recovered files contained nothing of value as evidence, but some could readily be taken into consideration (Garfinkel et al., 2006). The recovered data was easy to interpret: first an email address, second the name of a company or organisation, and then credit card numbers. Further investigation of this data can be done by the police, as it falls under the criminal investigation (Bariki, Hashmi & Baggili, 2011).

The next step is to recover the image files in order to find BMP- and GIF-based images. The tool used to investigate the images is S-Tools, which recovers secret files hidden inside them. Files whose resolution is small but whose size is on the high side are given special attention. Passphrases are tried at random, and S-Tools recovers the hidden files. To recover the secret text, passphrase and encryption combinations are tried until the data file is revealed (Bariki, Hashmi & Baggili, 2011). When the data revealed from the file was investigated, the software revealed the following information.
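The triage rule the report applies to the recovered images (small resolution but a large file) can be scripted so that every carved BMP and GIF is checked the same way before any tool-based inspection. The Python example below is added here and is not part of the report, of FTK Imager or of S-Tools. It builds constructed BMP and GIF samples inline (they are not evidence from the case), reads each header for its dimensions, computes the largest size those dimensions justify, and flags files that exceed it or that carry bytes beyond the size a BMP header declares. The size threshold and the GIF allowance are assumptions chosen for illustration. One caveat: least-significant-bit embedding of the kind S-Tools performs leaves the file size unchanged, so this check only catches appended payloads and oversized files; an image that passes it still needs the per-file inspection the report describes.

```python
import struct
from typing import Dict, List, Optional, Tuple


def build_bmp(width: int, height: int, bpp: int = 24, trailer: bytes = b"") -> bytes:
    """Build a minimal uncompressed BMP; `trailer` simulates data appended after the pixel array."""
    row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    pixels = bytes(row_bytes * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    file_size = 14 + len(dib) + len(pixels)
    header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, 14 + len(dib))
    return header + dib + pixels + trailer


def build_gif(width: int, height: int, body: bytes = b"") -> bytes:
    """Minimal GIF89a: header, logical screen descriptor (no colour table), `body`, trailer byte."""
    screen = struct.pack("<HHBBB", width, height, 0x00, 0, 0)
    return b"GIF89a" + screen + body + b"\x3b"


def size_bound(data: bytes) -> Optional[Tuple[str, int, int, int]]:
    """Identify BMP/GIF by signature and return (type, width, height, expected maximum size)."""
    if data[:2] == b"BM" and len(data) >= 54:
        _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
        height = abs(height)  # a negative height only means top-down row order
        row_bytes = ((width * bpp + 31) // 32) * 4
        palette = 4 * (1 << bpp) if bpp <= 8 else 0
        return ("BMP", width, height, 54 + palette + row_bytes * height)
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 13:
        width, height, packed = struct.unpack_from("<HHB", data, 6)
        table = 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0
        # LZW-coded pixel indices seldom exceed the raw index count; allow 1.5x plus block overhead
        return ("GIF", width, height, 13 + table + int(width * height * 1.5) + 1024)
    return None


def flag_suspicious(files: Dict[str, bytes], ratio: float = 1.5) -> List[dict]:
    """One finding per BMP/GIF; suspicious when the size outgrows the dimensions or data trails a BMP."""
    findings = []
    for name, data in files.items():
        info = size_bound(data)
        if info is None:
            continue  # not a BMP or GIF, skip
        kind, width, height, bound = info
        trailing = None
        if kind == "BMP":
            declared = struct.unpack_from("<I", data, 2)[0]  # file size the header claims
            trailing = len(data) - declared
        suspicious = len(data) > bound * ratio or (trailing or 0) > 0
        findings.append({
            "file": name, "type": kind, "width": width, "height": height,
            "actual_size": len(data), "expected_max": bound,
            "trailing_bytes": trailing, "suspicious": suspicious,
        })
    return findings


# Constructed stand-ins for files carved out of the HDD image (not evidence from the report)
RECOVERED = {
    "photo_clean.bmp": build_bmp(4, 4),
    "photo_padded.bmp": build_bmp(4, 4, trailer=b"\x00" * 400),
    "logo_clean.gif": build_gif(8, 8),
    "logo_bloated.gif": build_gif(8, 8, body=bytes(5000)),
    "notes.txt": b"not an image at all",
}


def suspicious_names(files: Dict[str, bytes] = RECOVERED) -> List[str]:
    """Names of the recovered files that deserve a closer look."""
    return [f["file"] for f in flag_suspicious(files) if f["suspicious"]]


if __name__ == "__main__":
    for finding in flag_suspicious(RECOVERED):
        print(finding)
```

The trailing-bytes test is the stronger of the two signals for BMP, because a BMP header states its own file length; the ratio test is the only one available for GIF, whose length is not declared up front, which is why it is treated as a heuristic with an allowance rather than an exact bound.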
Findings

The hidden file in the images shows the malicious activities being planned by Mrs. Waugh (Bariki, Hashmi & Baggili, 2011). The findings include the following: the data recovered from the hidden file consisted of, first, an email address, second, the name of a company or organisation, and then credit card numbers.

Conclusion

The evidence collected can be used to make a strong case against Mrs. Waugh, and it would surely help in uncovering other associates who could be involved in this racket, so that cases can also be filed against them. The investigation details and a summary of the findings are given below:

- The digital evidence found and confiscated consists of a laptop (Model No. YT98987, Serial No. YT786393650300752) and an external HDD (Serial No. GHDD7868667).
- Copies of the devices were created using ProDiscover together with hardware that blocks any write operations.
- The evidence was kept under very high security after the imaging process.
- The OS of the laptop was Windows 10.
- The account on the laptop was named Waugh.
- Browser history was also investigated but is out of scope of this report.

References

Bariki, H., Hashmi, M., & Baggili, I. (2011). Defining a Standard for Reporting Digital Evidence Items in Computer Forensic Tools. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 78-95. https://dx.doi.org/10.1007/978-3-642-19513-6_7

Garfinkel, S., Malan, D., Dubec, K., Stevens, C., & Pham, C. (2006). Advanced Forensic Format: An Open Extensible Format for Disk Imaging. IFIP Advances in Information and Communication Technology, 13-27. https://dx.doi.org/10.1007/0-387-36891-4_2

Stefanovic, L., & Mircevski, J. (2012). Programming tools used in forensic approach for the internet sites contents discovering. 2012 20th Telecommunications Forum (TELFOR). https://dx.doi.org/10.1109/telfor.2012.6419502

Zhicong, Q., Delin, L., & Shunxiang, W. (2008). Analysis and Design of a Mobile Forensic Software System Based on AT Commands. 2008 IEEE International Symposium on Knowledge Acquisition and Modeling Workshop. https://dx.doi.org/10.1109/kamw.2008.4810559
