Digital forensics is used in the investigation of criminal cases. The investigation does not follow the same steps in every case; the steps vary with the evidence involved. Digital forensic technology has gained significance in both law enforcement and the scientific community. It helps to solve cases handled by the police and the prosecution, and cases in the civil field, which includes banking and enterprises all over the world. Research on digital forensics in education covers three areas: educational methodologies, educational materials and educational environments. The educational methodologies involve law enforcement, policy makers, the community and higher education. The educational materials include textbooks, case studies and experience reports (Turedi & Han, 2013). The educational environments include physical environments, virtual environments and remote access environments (Careers in forensic science, 2010). In this report, three forensic tools are used: FTK Imager, Autopsy and OSForensics (Yusoff, 2014). The given forensic image is analyzed, the offence content is presented, and the ownership of the forensic image or of the illegal content is established. The intent behind accessing or owning the illegal content (the clown content) is revealed ("Mac OS Forensics Part 4", 2018). The number of files in the given forensic image is determined, and the software installed for the forensic investigation of the clown content is explained in detail with screenshots. The running sheet of the investigation and the timeline of events created by Autopsy are included ("Hacking & Digital Forensics & Autopsy - Stay lunix", 2018).
The resources required for the forensic investigation are the forensic image and the forensic tools. The forensic tools used in the investigation are explained below.
FTK Imager is a digital forensics investigation tool ("Dendroecology: A Key Forensic Age-Dating Tool", 2005) developed by AccessData. It is used to create and examine forensic images and is mainly considered a disk imaging tool; its vendor defines it as a data preview and imaging tool. FTK Imager creates a copy of the data on a computer that is identical to the original ("Classical Image Encryption and Decryption", 2015). Email analysis, password cracking and file analysis belong to the full Forensic Toolkit (FTK) suite from the same vendor; FTK Imager itself is the acquisition and preview component of that suite. Compared with other forensic tools it performs well ("Mac OS X Forensics Tips, Tricks, Tools, and Training Resources | BlackBag Technologies, Inc.", 2018). FTK uses multi-core processing and a shared case database, and the examination is carried out on the image so that the original evidence is not altered (Armknecht & Dewald, 2015). The image preserves the data of the affected computer system for later analysis, and FTK Imager can mount an image as a drive ("Enhancement Of Better Image Detection Using Encryption And Decryption Techniques", 2018). It supports several image formats (raw dd, E01, SMART and AFF) and can list the contents of an image. Its main features are listed below.
- It can create forensic images of hard drives, folders and individual files.
- Files on a local hard drive or on zip disks can be previewed with FTK Imager.
- The contents of forensic images stored on the local machine can be previewed as well (Tabona, 2018).
- A forensic image can be mounted with this tool and the mounted image browsed with Windows Explorer.
- Files and folders can be exported from a forensic image, and deleted files can be previewed and recovered from the drive (Tudorachi, 2014).
- FTK Imager creates hash values for the forensic image so that its integrity can be verified later. Two hash algorithms are available for this: MD5 and SHA-1 ("Operating System Forensics | National Initiative for Cybersecurity Careers and Studies", 2018).
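The hash verification step in the last point can be reproduced outside the tool. The following is an added example written for this report, not code from AccessData or from FTK Imager: it hashes an image in fixed-size chunks with MD5 and SHA-1, compares the result with the values an acquisition tool recorded in its verification log, and shows that a single flipped bit is enough to fail the check. The sample image and the recorded hashes are constructed inline so the example runs offline.

```python
"""Verify the integrity of a raw forensic image with MD5 and SHA-1.

Added example, not code from the report or from AccessData. FTK Imager
writes the MD5 and SHA-1 of the acquired data to a text file beside the
image; this reproduces the verification step so the hashes can be
re-checked at any later point in the investigation.
"""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def hash_image(stream, chunk=CHUNK):
    """Return {'md5': hex, 'sha1': hex} for everything readable from stream."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (small images, tests)."""
    return hash_image(io.BytesIO(data))


def verify_bytes(data, recorded):
    """Compare fresh hashes of data with the recorded ones.

    Returns (ok, detail) where detail maps algorithm -> (recorded, current, match).
    Both algorithms must agree; a single mismatch fails verification.
    """
    current = hash_bytes(data)
    detail = {}
    for algo in ("md5", "sha1"):
        expected = recorded[algo].lower()
        detail[algo] = (expected, current[algo], expected == current[algo])
    return all(match for _, _, match in detail.values()), detail


# Constructed sample: a tiny "image" of three 512-byte sectors instead of a
# real drive. The second sector holds a file name and a JPEG header fragment.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + (b"clown.jpg\xff\xd8\xff\xe0").ljust(512, b"\x00")
    + b"\xaa" * 512
)

# The hashes an acquisition tool would have written to its verification log.
# Computed from SAMPLE_IMAGE here so the example is self-contained.
ACQUISITION_RECORD = hash_bytes(SAMPLE_IMAGE)


def demo():
    """Return (original verifies, tampered copy verifies)."""
    ok_original, _ = verify_bytes(SAMPLE_IMAGE, ACQUISITION_RECORD)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01  # flip one bit inside the second sector
    ok_tampered, detail = verify_bytes(bytes(tampered), ACQUISITION_RECORD)
    return ok_original, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the recorded values come from the verification text file written at acquisition time, and the re-hash is run against the image file (or the mounted drive) rather than an in-memory buffer; the chunked read is what makes that feasible for images of hundreds of gigabytes.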
The full FTK suite has further major capabilities (Brinson, Robinson & Rogers, 2006): email analysis, file decryption, data carving, data visualization, a web viewer, Cerberus malware triage and OCR (Carlton & Worthley, 2010). For email analysis the tool parses mailboxes and analyzes message headers to extract originating IP addresses ("Minnesota detectives crack the case with digital forensics", 2018). So the Forensic Toolkit and its Imager are well suited to digital forensics. Next the installation steps are described ("Infectious Malware-Analysis and Protective Measures", 2015).
The installer displays the destination folder for the application data, with an option to change the path (Casey, 2012). The program files and backup files are stored in the destination folder (Zhao, Zong & Wu, 2014).
In general, the operating system is the interface between the hardware and the software. Operating system forensics is the process of extracting useful data from the operating system of a computer or mobile device; the collected information is used as evidence (Casey, 2013). Analysis of both the operating system and the file system is needed in computer investigations. The file system provides the data roadmap of the hard disk and is used to analyze how the storage on the hard drive is laid out. The file system varies with the operating system; it could be FAT, exFAT or ext2. Several file-system level techniques bear on data and file recovery: data hiding, data carving and slack space (mannaza, 2018). Memory forensics is another important part of operating system forensics; it covers virtual memory, Linux memory and memory extraction, and it also contributes web browsing artifacts (Petrisor, 2012) as well as messaging and email artifacts. The operating systems involved are Windows, Linux, macOS, iOS and Android (Imager 3.4 & AccessData Group, 2018). Examining an operating system forensically follows five major steps: first, the development of policies and procedures (Mudge, 2007); second, the assessment of evidence; third, the acquisition of evidence; fourth, the examination of evidence; and last, documenting and reporting. The OSForensics tool is used to analyze suspicious files and events with hash matching and email analysis (Casey, 2015). It has features such as advanced file scripting and indexing (Ochiai, Yamakawa, Fukushima, Yamada & Hayashi, 2000), which are used to extract forensic evidence from computers, and it manages case data efficiently (Rhee, Riley, Lin, Jiang & Xu, 2014).
This tool finds files quickly by searching on file size and time (James, 2018). Email archives such as Outlook files can be searched, and deleted files can be recovered (Cho, Kim, Park & Gil, 2015). The tool collects system information and discovers hidden files. OSForensics also has the following specific features.
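The data carving and slack space techniques mentioned above can be shown directly on a raw image. The following is an added example written for this report, not code from OSForensics, FTK or Autopsy: a small carver that walks an image looking for JPEG and PNG header and footer signatures without consulting the file system, plus a helper that returns the file slack of an allocated file (the bytes between the logical end of the file and the end of its last cluster). The disk image, the 4096-byte cluster size and the file contents are constructed for the example; real images have many more signatures and the cluster size is read from the boot sector.

```python
"""Carve JPEG and PNG files out of a raw image by header/footer signatures,
and read file slack. Added example, not the report's or any tool's code.
Carving ignores the file system, so it recovers pictures whose directory
entries were deleted or that sit in unallocated clusters. The image,
cluster size and file contents below are constructed for the example."""

CLUSTER = 4096  # assumed cluster size; the real value comes from the boot sector

# Header -> (type, footer). A real carver carries hundreds of signatures.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", b"\xff\xd9"),
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after 16 MiB


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return [(offset, type, data)] for every complete file found in image."""
    found = []
    pos = 0
    while pos < len(image):
        # Pick the earliest header of any type at or after pos.
        best = None
        for header, (kind, footer) in signatures.items():
            idx = image.find(header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, kind, header, footer)
        if best is None:
            break
        start, kind, header, footer = best
        end = image.find(footer, start + len(header), start + max_len)
        if end == -1:
            pos = start + 1  # truncated or overwritten file: skip this header
            continue
        end += len(footer)
        found.append((start, kind, image[start:end]))
        pos = end  # do not re-scan the body of the file just carved
    return found


def file_slack(image, start, logical_size, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster.
    The file system never shows this region, so it is a classic hiding place."""
    end_of_data = start + logical_size
    end_of_cluster = start + ((logical_size + cluster - 1) // cluster) * cluster
    return image[end_of_data:end_of_cluster]


# Constructed contents (not real pictures; just valid-looking headers and footers).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 200 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x22" * 40 + b"IEND\xaeB`\x82"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"\x33" * 50  # header whose tail was overwritten
NOTES = b"meeting at 9, bring the slides"  # an allocated text file


def build_sample_image():
    """Three clusters: an allocated text file with a string hidden in its slack,
    unallocated space holding a deleted JPEG and a PNG, and a truncated JPEG."""
    cluster0 = (NOTES + b"\x00" * 10 + b"hidden note").ljust(CLUSTER, b"\x00")
    cluster1 = (FAKE_JPEG + b"\x00" * 100 + FAKE_PNG).ljust(CLUSTER, b"\x00")
    cluster2 = TRUNCATED.ljust(CLUSTER, b"\x00")
    return cluster0 + cluster1 + cluster2


if __name__ == "__main__":
    img = build_sample_image()
    for off, kind, data in carve(img):
        print(f"{kind} at offset {off} (cluster {off // CLUSTER}), {len(data)} bytes")
    print(b"hidden note" in file_slack(img, 0, len(NOTES)))
```

Two points matter for an investigation. A carved file has no name, path or timestamps, so its offset must be tied back to a cluster and, where possible, to a directory entry before ownership can be argued. And the truncated header in the last cluster is reported as nothing at all; a practitioner would note the header location in the running sheet even though no complete file could be recovered.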
- Files are matched against known hash sets using MD5 and SHA hashes (Morrison & Petrisor, 2004).
- Drive signatures can be created and compared to identify the differences between two states of a drive.
- The timeline viewer gives a visual representation of system events. The tool also has a file viewer, which displays images and data streams.
- The raw disk viewer navigates the raw bytes of a volume (Petrisor, 2007). The registry viewer opens Windows registry hive files.
- The email viewer shows messages directly from an email archive.
- The built-in web browser browses and captures online content.
- SQLite database files can be analyzed with the SQLite browser.
- Plist files can be viewed with the Plist viewer, and the time and frequency of application runs are analyzed with the Prefetch viewer (Pattnaik & Jana, 2005).
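The timeline viewer in the list above is built from the file timestamps recovered from the file system. The following is an added example written for this report, not code from OSForensics or Autopsy: it turns a set of file entries into a sorted MACB timeline (Modified, Accessed, Changed, Born/created), collapsing identical timestamps on one file into a single row the way timeline viewers do, and answers the question an examiner asks most often, which is what else happened in the minutes around a given event. The file entries, paths and timestamps are constructed for the example.

```python
"""Build a MACB timeline from file metadata, as a timeline viewer does.

Added example, not code from OSForensics or Autopsy. Each file contributes
up to four events (Modified, Accessed, Changed, Born); equal timestamps on
the same file are merged into one row with combined flags. The file entries
below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed file entries, in the shape a file-system parser would hand over.
FILES = [
    {"path": "/Users/bob/Downloads/clown_pack.zip", "size": 2_048_111,
     "created": "2018-03-02T21:14:05Z", "modified": "2018-03-02T21:14:40Z",
     "accessed": "2018-03-02T21:15:02Z", "changed": "2018-03-02T21:14:40Z"},
    {"path": "/Users/bob/Pictures/clown1.jpg", "size": 310_882,
     "created": "2018-03-02T21:15:30Z", "modified": "2018-03-02T21:15:30Z",
     "accessed": "2018-03-05T08:02:11Z", "changed": "2018-03-02T21:15:30Z"},
    {"path": "/Users/bob/Documents/report.docx", "size": 40_120,
     "created": "2018-02-10T10:00:00Z", "modified": "2018-02-11T09:30:00Z",
     "accessed": "2018-02-11T09:30:00Z", "changed": "2018-02-11T09:30:00Z"},
]

# Field -> flag letter, in the column order timeline tools use ("MACB").
MACB = (("modified", "M"), ("accessed", "A"), ("changed", "C"), ("created", "B"))


def parse_ts(text):
    """Timestamps are stored as UTC; convert to timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(files):
    """Return rows sorted by time: (datetime, flags such as 'M.C.', path, size)."""
    events = {}
    for f in files:
        for field, flag in MACB:
            key = (parse_ts(f[field]), f["path"])
            events.setdefault(key, set()).add(flag)
    rows = []
    for (ts, path), flags in events.items():
        size = next(f["size"] for f in files if f["path"] == path)
        flag_str = "".join(fl if fl in flags else "." for _, fl in MACB)
        rows.append((ts, flag_str, path, size))
    rows.sort()
    return rows


def window(timeline, centre, minutes=5):
    """Events within +/- minutes of centre: the 'what else happened then' query."""
    delta = timedelta(minutes=minutes)
    return [row for row in timeline if abs(row[0] - centre) <= delta]


def first_event_for(timeline, path_fragment):
    """Earliest row whose path contains path_fragment, or None."""
    for row in timeline:
        if path_fragment in row[2]:
            return row
    return None


if __name__ == "__main__":
    tl = build_timeline(FILES)
    for ts, flags, path, size in tl:
        print(ts.isoformat(), flags, size, path)
    print("--- around first access of the archive ---")
    for row in window(tl, parse_ts("2018-03-02T21:15:02Z")):
        print(row[0].isoformat(), row[1], row[2])
```

Reading the flags is the skill here: the archive is created ("...B"), written and its metadata changed ("M.C."), then read (".A..") and within half a minute a picture is born with matching modification and change times ("M.CB"), which is the pattern of an extraction from that archive. An access time days later on the picture alone supports the claim that the content was viewed after it was obtained, subject to the caveat that many systems do not update access times reliably.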
Installation of OSForensics
The installation of OSForensics is described below (Ebert, 2012). The step-by-step procedure is carried out and the results are shown in screenshots (Petrisor, 2005).
Autopsy is an open source digital forensic tool used mainly for forensic investigation. It identifies and sorts pieces of forensic data and is built on The Sleuth Kit, a collection of command line tools and a library (Platt, 2008) that parse and analyze forensic data. Autopsy adds a graphical user interface on top of them, which makes the tool efficient to use. The user can view file system images with this tool, and it can also run on Linux ("ReversingLabs plugin for Autopsy | Digital Forensics | Computer Forensics | Blog", 2018). Because the platform is open source, the user can verify how data is captured and interpreted. The tool is quick and easy to download (Ricciuti, 2007). Keyword searches and web artifact extraction are provided by Autopsy, and results are delivered as they are found while ingest is still running. The user can trace back how a result was reached. Autopsy cannot create a disk image itself; the image must be created with a tool such as FTK Imager, and a case must be prepared before the disk image can be analyzed. Autopsy has two analysis modes, called dead analysis and live analysis. In dead analysis the data from the suspect system is examined on a dedicated analysis machine; in live analysis the suspect system is examined while it is running. The evidence can be searched with the techniques described below ("SANS Digital Forensics and Incident Response Blog | A Step-by-Step introduction to using the AUTOPSY Forensic Browser | SANS Institute", 2018).
The first is file listing ("Snapshot: S&T is Enhancing the Autopsy Digital Forensics Tool", 2018), which analyzes files and directories by name and includes deleted files. The next is file content, which can be displayed in raw or hex form; displayed data is sanitized to prevent damage to the analysis system (Shaaban, 2016). Hash databases are used to identify files, so that known-good files can be ignored and known-bad files flagged. File type sorting identifies files by their internal signatures rather than their names, extracts thumbnails of graphics, and flags files whose extension does not match the format indicated by their signature. Autopsy generates a timeline automatically from the events on the system (Skulkin & Courcier, n.d.); it helps to identify where files were located ("Starting a New Digital Forensic Investiation Case in Autopsy 4", 2018), it is built from the evidence, and it contains the modification, access and change times of each file. Next is keyword search: ASCII strings are extracted from the file system image and searched, either over the whole image or over only the allocated or the unallocated space. Metadata analysis is an important feature of Autopsy. The metadata structures hold the information about files and directories; the user can view them, use them to recover deleted files, and use them to analyze the paths of files and directories. Next, data unit analysis lets the contents of any individual data unit be viewed. Image details display the layout of the disk and the times of activity, which are used during data recovery. Finally, Autopsy provides many functions for case management (Bell, 2018).
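The extension check mentioned above, where a file's signature is compared with its extension, is what exposes illegal pictures that an owner has renamed to look like documents. The following is an added example written for this report, not Autopsy's own extension mismatch module: it identifies a file's type from its leading bytes using a small signature table, compares that with the extension in the file name, and lists the files in a directory listing that do not agree. The file names and the leading bytes are constructed for the example; the signature table is a small subset of what a real tool carries.

```python
"""Flag files whose content signature disagrees with their extension.

Added example, not code from Autopsy. Renaming clown1.jpg to notes.txt
hides it from a casual directory listing but not from its first bytes;
the check below is the same idea as an extension-mismatch detector.
The listing at the bottom is constructed for the example.
"""

# (signature bytes, offset at which they appear, extensions consistent with them)
MAGIC = [
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"\x1f\x8b", 0, {"gz", "tgz"}),
    (b"ftyp", 4, {"mp4", "m4a", "mov", "3gp", "heic"}),  # ISO media: box type at offset 4
]


def identify(head):
    """Return the set of extensions consistent with the first bytes, or None if unknown."""
    for sig, off, exts in MAGIC:
        if head[off:off + len(sig)] == sig:
            return exts
    return None


def extension_of(name):
    """Lower-cased extension without the dot; empty string if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check(name, head):
    """Classify one file as 'match', 'mismatch' or 'unknown' (no known signature).

    Returns (verdict, sorted list of extensions the content would justify, or None).
    Plain text has no signature, so text files come back 'unknown', not 'match'.
    """
    kinds = identify(head)
    if kinds is None:
        return "unknown", None
    verdict = "match" if extension_of(name) in kinds else "mismatch"
    return verdict, sorted(kinds)


def suspicious(listing):
    """Return [(name, expected extensions)] for every mismatched file in listing."""
    out = []
    for name, head in listing:
        verdict, kinds = check(name, head)
        if verdict == "mismatch":
            out.append((name, kinds))
    return out


# Constructed listing: (file name, first bytes as a file-system reader would supply them)
SAMPLE = [
    ("clown1.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00MM\x00*"),  # renamed JPEG
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00"),
    ("readme", b"plain text here.\n"),
    ("holiday.mov", b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00"),
    ("invoice.pdf", b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00"),  # PNG named as a PDF
]


if __name__ == "__main__":
    for name, kinds in suspicious(SAMPLE):
        print(f"{name}: content looks like {'/'.join(kinds)}")
```

A mismatch on its own is not proof of intent; some applications write odd extensions. It becomes evidence when the mismatched files cluster in one user's folders, share a renaming pattern, and line up on the timeline with the user's sessions, which is why the flagged names are carried into the running sheet rather than reported alone.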
In this report, three forensic tools are used: FTK Imager, Autopsy and OSForensics. The given forensic image is analyzed with these three tools. The offence content is presented in an orderly manner, the ownership of the forensic image or of the illegal content is established, and the intent behind accessing or owning the illegal content (the clown content) is revealed. The number of files in the given forensic image is determined, and the software installed for the forensic investigation of the clown content is explained in detail with screenshots. The running sheet of the investigation and the timeline of events created by Autopsy are included.
Almarri, S., & Sant, P. (2014). Optimised Malware Detection in Digital Forensics. International Journal Of Network Security & Its Applications, 6(1), 01-15. doi: 10.5121/ijnsa.2014.6101
Anastasi, J. (2003). The new forensics. Hoboken, N.J.: John Wiley & Sons.
Armknecht, F., & Dewald, A. (2015). Privacy-preserving email forensics. Digital Investigation, 14, S127-S136. doi: 10.1016/j.diin.2015.05.003
Awasthi, S., Pratap, A., & Srivastava, R. (2017). Framework for Visual Cryptographic based Encryption and Decryption. International Journal Of Computer Applications, 163(3), 17-20. doi: 10.5120/ijca2017913485
Brinson, A., Robinson, A., & Rogers, M. (2006). A cyber forensics ontology: Creating a new approach to studying cyber forensics. Digital Investigation, 3, 37-43. doi: 10.1016/j.diin.2006.06.008
Carbone, F. (2014). Computer forensics with FTK. Birmingham, United Kingdom: Packt Pub.
Carlton, G. (2008). An Evaluation of Windows-Based Computer Forensics Application Software Running on a Macintosh. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2008.1045
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1069
Casey, E. (2012). Cloud computing and digital forensics. Digital Investigation, 9(2), 69-70. doi: 10.1016/j.diin.2012.11.001
Casey, E. (2013). Triage in digital forensics. Digital Investigation, 10(2), 85-86. doi: 10.1016/j.diin.2013.08.001
Casey, E. (2015). Smart home forensics. Digital Investigation, 13, A1-A2. doi: 10.1016/j.diin.2015.05.017
Casey, E. Handbook of digital forensics and investigation.
Cho, S., Kim, D., Park, J., & Gil, K. (2015). Online Water Monitoring Method as a Water Security Tool: A Feasibility View. Environmental Forensics, 16(3), 231-241. doi: 10.1080/15275922.2015.1059390
Classical Image Encryption and Decryption. (2015). International Journal Of Science And Research (IJSR), 4(11), 607-612. doi: 10.21275/v4i11.sub159282
Dendroecology: A Key Forensic Age-Dating Tool. (2005). Environmental Forensics, 6(1), 3-4. doi: 10.1080/15275920590913813
Easttom, C. System forensics, investigation, and response.
Ebert, J. (2012). Book Review: Mastering Windows Network Forensics and Investigation, 2/E. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2012.1136
Enhancement Of Better Image Detection Using Encryption And Decryption Techniques. (2018). International Journal Of Recent Trends In Engineering And Research, 375-382. doi: 10.23883/ijrter.conf.20171225.057.4wpxm
Fichera, J., & Bolt, S. (2013). Network intrusion analysis. Amsterdam: Elsevier.
Fowler, J. (2017). Compression of Virtual-Machine Memory in Dynamic Malware Analysis. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2017.1437
Han, S., & Lee, S. (2009). Packed PE File Detection for Malware Forensics. The KIPS Transactions:Partc, 16C(5), 555-562. doi: 10.3745/kipstc.2009.16c.5.555
Infectious Malware-Analysis and Protective Measures. (2015). International Journal Of Science And Research (IJSR), 4(12), 1101-1105. doi: 10.21275/v4i12.nov152133
Institute for Career Research. (2010). Careers in forensic science. Chicago, IL.
Ismail, I., Marsono, M., Khammas, B., & Nor, S. (2015). Incorporating known malware signatures to classify new malware variants in network traffic. International Journal Of Network Management, 25(6), 471-489. doi: 10.1002/nem.1913
Jules, K., & Lin, P. (2007). Real-time on-line space research laboratory environment monitoring with off-line trend and prediction analysis. Acta Astronautica, 61(1-6), 27-36. doi: 10.1016/j.actaastro.2007.01.028
Kim, A., Kim, S., Park, W., & Lee, D. (2013). Fraud and financial crime detection model using malware forensics. Multimedia Tools And Applications, 68(2), 479-496. doi: 10.1007/s11042-013-1410-3
Mahawer, D., & Nagaraju, A. (2013). Metamorphic malware detection using base malware identification approach. Security And Communication Networks, 7(11), 1719-1733. doi: 10.1002/sec.869
Malware Detection in Cloud Computing Infrastructures. (2018). International Journal Of Recent Trends In Engineering And Research, 223-227. doi: 10.23883/ijrter.conf.20171201.044.wsqfb
Mattern, J. (2004). Forensics. San Diego, Calif.: Blackbirch Press.
MJ, B. (2016). Elderly Suicide: A 5-Year Forensic Autopsy Analysis in the North of Portugal. International Journal Of Forensic Sciences, 1(1). doi: 10.23880/ijfsc-16000106
Platt, R. (2008). Forensics. Boston, Mass: Kingfisher.
Provataki, A., & Katos, V. (2013). Differential malware forensics. Digital Investigation, 10(4), 311-322. doi: 10.1016/j.diin.2013.08.006
Reilly, D. (2006). Autopsy analysis. New Scientist, 192(2581), 24-25. doi: 10.1016/s0262-4079(06)61320-1
Rhee, J., Riley, R., Lin, Z., Jiang, X., & Xu, D. (2014). Data-Centric OS Kernel Malware Characterization. IEEE Transactions On Information Forensics And Security, 9(1), 72-87. doi: 10.1109/tifs.2013.2291964
Ricciuti, E. (2007). Forensics. New York: Collins.
Sen, S., Aydogan, E., & Aysan, A. (2018). Coevolution of Mobile Malware and Anti-Malware. IEEE Transactions On Information Forensics And Security, 13(10), 2563-2574. doi: 10.1109/tifs.2018.2824250
Shaaban, A. (2016). Practical Windows Forensics. Packt Publishing.
Skulkin, O., & Courcier, S. Windows forensics cookbook.
Stewart, G. (2007). Forensics. Detroit, Mich.: KidHaven Press.
New Malware Analysis Method on Digital Forensics. Indian Journal Of Science And Technology, 8(17). doi: 10.17485/ijst/2015/v8i17/77209
Test results for digital data acquisition tool. (2014).
Vacca, J., & Rudolph, K. (2011). System forensics, investigation, and response. Sudbury, Mass.: Jones & Bartlett Learning.
Zhong guo jian cha chu ban she [China Procuratorial Press]. (2015). FTK shi zhan ying yong [Practical applications of FTK]. Beijing.