This report discusses computer forensics. The forensic tools used for the investigation are installed and explained in detail, the investigation is carried out, and every action taken during it is justified.
Resources and Strategies
Computer forensics is also known as digital forensics. In the computer age, many crimes are committed using computers. Computer forensics is used to find deleted files, passwords and illegal content on a computer. A forensic image may be a copy of a hard disk, CD, DVD and so on. The given forensic image will be investigated using appropriate tools, and the analysis of the forensic image will be carried out (Al-Hadadi & AlShidhani, 2013). The forensic tools used for the investigation will be installed and explained in detail. The investigation will be carried out and a justification for every action taken in the investigation will be given (Bodden, n.d.).
The resources required for the investigation are Autopsy, OSForensics and FTK Imager, as well as the suspects and a system (Boddington, 2016). The tools used are explained below.
FTK Imager
In computer forensics, many investigation tools are used. FTK Imager is one of them (Brinson, Robinson & Rogers, 2006). FTK stands for Forensic ToolKit. FTK Imager is used for analyzing mail and looking for specific characters. The components of FTK are the password recovery toolkit, license manager, forensic toolkit, FTK Imager and registry viewer (Verolme & Mieremet, 2017).
The license manager component is used to add or remove licenses from the dongle and to purchase additional licenses. The license manager also renews the subscription and downloads product updates (Caloyannides & Caloyannides, 2004). To open the license manager component of FTK, go to Start > All Programs > AccessData > License Manager > License Manager.
The password recovery toolkit is used to crack passwords. The registry viewer component provides access to protected areas of the registry. These protected areas contain forensic data (Carbone, 2014) and cannot be accessed with the Windows Regedit. The registry viewer may reveal browser history, recently accessed file lists, the list of installed programs, usernames and passwords (Carlton & Matsumoto, 2011).
FTK Imager is used for making a copy of a hard drive, thumb drive, CD and so on. FTK Imager then scans the hard drive, thumb drive or CD and looks for different kinds of data, such as locating deleted files or emails and cracking encryption (Carlton & Worthley, 2010).
Installation of FTK Imager
The installation of FTK Imager is explained below in detail.
Step 1: After downloading AccessData FTK Imager, install it on the system. Right-click on the AccessData FTK Imager installer and select Run as administrator (Casey, 2015). After that, the wizard shown below appears: Welcome to the InstallShield Wizard for AccessData FTK Imager. In that wizard click ‘Next’ (Cohen, 2011).
Step 2: Then, select ‘I accept the terms in the license agreement’ and click ‘Next’.
Step 3: Then, select the destination folder for AccessData FTK Imager by clicking the Change option. After changing the destination folder, click ‘Next’ (Cohen, 2012).
Step 4: Click ‘Install’ to begin the installation of AccessData FTK Imager. (Computer forensics, 2010)
Step 5: The installation starts. It is shown in the figure below.
Step 6: The screenshot below shows the installation of FTK Imager in progress.
Step 7: AccessData FTK Imager is successfully installed. After the installation, click ‘Finish’.
Step 8: The screenshot below shows the FTK Imager screen. It contains the Evidence Tree, File List, Properties (Custom Content Sources) and Viewer panes.
The menu bar of FTK Imager has four items: the File menu, View menu, Mode menu and Help menu (Dale & Becker, 2007). The File menu provides access to all the features in the toolbar. The View menu customizes the appearance of FTK Imager. The Mode menu is used for mode selection. The Help menu provides access to the FTK Imager user guide (Wang, Xue, Zheng, Liu & Li, 2012).
The uses of FTK Imager are listed below.
- FTK Imager is used to create copies of DVDs, CDs, folders, files, hard drives etc. Such a copy is called a ‘forensic image’ (Djozan, Baheri, Karimian & Shahidi, 2008).
- Using FTK Imager, folders and files can be exported from the forensic image.
- The hash functions in FTK Imager are used to create hashes of files. The available hash functions are SHA-1 and MD5 ("Forensics - cred or crud?", 2005).
- The preview of the files and folders as well as the contents of the forensic image can be viewed.
- The image can be mounted for the Read-Only view.
- The deleted files can be recovered and seen even after they are deleted from the recycle bin.
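As an added example (not FTK Imager's own code), the following Python script shows what the MD5/SHA-1 hashing listed above is used for in practice: both digests are computed in one pass over the image and compared with the values recorded at acquisition, so that a single altered byte in a copy is detected. The sample image bytes are constructed here.

```python
"""Added example: MD5 + SHA-1 verification of a forensic image, the two digests FTK Imager
records when it acquires an image. Not FTK Imager's code; SAMPLE_IMAGE is constructed data."""
import hashlib
import io

# Constructed stand-in for a disk image; a real image would be opened as a file in "rb" mode.
SAMPLE_IMAGE = (b"NTFS    " + b"\x00" * 512
                + b"kikki_clown_party_pose.jpg" + b"\xff" * 256)


def hash_image(source, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) for a bytes object or a binary file-like object.

    Both digests are updated from the same chunk, so the evidence is read only once,
    which matters for multi-gigabyte images."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(source, expected_md5, expected_sha1):
    """Recompute both digests and compare them with the values recorded at acquisition.

    Returns a dict with the computed digests and per-algorithm match flags; hex digests
    are compared case-insensitively because tools print them in either case."""
    md5, sha1 = hash_image(source)
    md5_ok = md5 == expected_md5.strip().lower()
    sha1_ok = sha1 == expected_sha1.strip().lower()
    return {"md5": md5, "sha1": sha1, "md5_ok": md5_ok, "sha1_ok": sha1_ok,
            "verified": md5_ok and sha1_ok}


if __name__ == "__main__":
    # Acquisition: the hashes that would be written into the image's verification log.
    acquired_md5, acquired_sha1 = hash_image(SAMPLE_IMAGE)
    print("MD5 ", acquired_md5)
    print("SHA1", acquired_sha1)

    # An untouched copy verifies; a copy with one flipped byte does not.
    print("intact copy verified:",
          verify_image(SAMPLE_IMAGE, acquired_md5, acquired_sha1)["verified"])
    damaged = SAMPLE_IMAGE[:600] + b"\x01" + SAMPLE_IMAGE[601:]
    print("damaged copy verified:",
          verify_image(damaged, acquired_md5, acquired_sha1)["verified"])
```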
Autopsy
Autopsy is used in digital forensics to investigate what happened on a system. It is used by corporate examiners, the military and law enforcement (Hanji & Rajpurohit, 2013). It is a platform for digital forensics (Ieong, 2006), and forensic tools use Autopsy as a graphical user interface. Autopsy is also used to retrieve photos from memory cards, and to examine a mobile phone or a hard drive so that the pieces of evidence on it can be recovered (Young & Ortmeier, n.d.).
Autopsy is a free and cost-effective tool. It is also easy to install and use, so the budget of a digital forensic investigation is reduced. Autopsy is multiplatform (Windows and UNIX).
Installation of Autopsy
The installation process of Autopsy is shown step by step below.
Step 1: After downloading Autopsy, install it on the system. Right-click on the Autopsy installer and select Install. After that, the wizard shown below appears (Kessler, 2007): Welcome to the Autopsy Setup Wizard. In that wizard click ‘Next’.
Step 2: Then, select the installation folder for Autopsy by clicking the Browse option. After changing the installation folder, click ‘Next’ (Kessler & Schirling, 2006).
Step 3: Click ‘Install’ to begin the installation of Autopsy.
Step 4: The installation of Autopsy starts. It is shown in the figure below.
Step 5: The screenshot below shows the installation of Autopsy in progress.
Step 6: The installation is completed. Click ‘Finish’.
Step 7: Open Autopsy.
Step 8: Create a New Case for investigation.
The Autopsy has the following features.
- Keyword search – finds specific words or terms in files, and also matches pattern expressions (Kruse & Heiser, 2008)
- Timeline analysis – displays system events, which is useful for identifying activities
- Media playback – views images and videos
- File type sorting – sorts files according to their type
- Email analysis – parses MBOX format messages
- Multi-user cases – allows multiple users to examine large cases
- Thumbnail viewer – displays thumbnails of the images
- Web artefacts – extracts the user’s web activity
- Android support – extracts data from call logs, contacts and SMS
- File type detection – based on the file’s signature, detecting mismatches between extension and signature (Larson, 2014)
- Hash set filtering – known good files are filtered out and known bad files are flagged
- Tags – files are tagged with tag names (Law, Chow & Mai, 2014)
OSForensics
OSForensics is a powerful forensic tool. It is used to discover, identify and manage the pieces of evidence found on digital storage devices and computers ("OSForensics", 2018). It consists of a collection of modules that simplify the investigation tasks ("OSForensics - Digital investigation for a new era by PassMark Software®", 2018).
Installation of OSForensics
The installation of the OSForensics tool is explained step by step below.
Step 1: The OSForensics Downloader is used to download the OSForensics tool. First, select the desired language and choose the location where the program will be installed on the system. After that, click ‘Next’ (Le-Khac, Jacobs, Nijhoff, Bertens & Choo, 2018).
Step 2: Click ‘Decline’
Step 3: Click ‘Decline’
Step 4: Downloading of OSForensics starts.
Step 5: Downloading is completed. Click ‘Finish’.
Step 6: After that, the window shown below appears. Click ‘Install Now’.
Step 7: After that, the wizard shown below appears: Welcome to the OSForensics Setup Wizard. In that wizard click ‘Next’.
Step 8: In the wizard below, select ‘I accept the terms in the license agreement’ and click ‘Next’.
Step 9: Choose the destination location for OSForensics and click ‘Next’.
Step 10: Select the Start Menu folder by clicking Browse and then click ‘Next’.
Step 11: Click ‘Next’
Step 12: Click ‘Install’ to install OSForensics on the computer system.
Step 13: Installation of OSForensics begins.
Step 14: The installation of OSForensics is in progress. It is shown in the screenshot below.
Step 15: Click ‘Next’.
Step 16: The screenshot below shows the Completing the OSForensics Setup Wizard page. In that wizard, click ‘Finish’.
Step 17: Click ‘Continue Using Free Version’.
Step 18: The screenshot below shows the home page of the OSForensics tool.
The start window lists the features with a brief description of each. The workflow navigation buttons are used to switch between the modules (Levy, Hipp, Balis & Yagi, 2012), which allows forensic analysis operations to run in parallel. The workflow navigation buttons can be customized.
The features of OSForensics are listed below (Maras, 2015).
- Case management – the results from all the modules are aggregated by this module.
The figure below shows the Case Management module.
- Filename search – files or directories are searched by their name.
The figure below shows the File Name Search, which is under the File Searching & Indexing module (Marshall, 2009).
- Mismatch search – files whose extension does not match their actual type are found.
The figure below shows the Mismatch File Search, which is under the File Searching & Indexing module (Meister & Chassanoff, 2014).
- Deleted file search – deleted files are searched for and recovered from the drive.
The figure below shows the Deleted File Search, which is under the System Artifacts & Passwords module (Meyer, 2014).
- Memory viewer – digital evidence in volatile memory is collected and analyzed.
The figure below shows the Memory Viewer, which is under the Viewer module (Nelson, Phillips & Steuart, n.d.).
- Recent activity – the system is scanned for recent activities related to the evidence.
The figure below shows the Recent Activity feature, which is under the System Artifacts & Passwords module.
- Indexing – text is searched within file contents.
The figure below shows Indexing, which is under the File Searching & Indexing module (Petrisor, 2005).
- Passwords – used for decrypting and recovering passwords from different kinds of sources.
The figure below shows the Passwords feature, which is under the System Artifacts & Passwords module.
- File system browser – the devices in the case are displayed hierarchically.
- Web browser – a basic web viewer with forensic capabilities.
- Registry viewer – Windows registry hives can be browsed.
- Raw disk viewer – displays the raw contents of the disk sector by sector.
- Email viewer – emails are browsed and analyzed with forensic capabilities.
The file system browser, web browser, registry viewer, raw disk viewer and email viewer are under the Viewer module, shown below (Petrisor, 2012).
- Forensic imaging – the disk is copied into an image file, which can be restored.
The figure below shows Forensic Imaging, which is under the Housekeeping module (Philipp, Cowen & Davis, 2010).
- Hash sets – known safe and suspected files are identified using this feature.
The figure below shows Hash Sets, which is under the Hashing and File Identification module (Sadu, 2017).
- System information – the system information is viewed and exported.
The figure below shows System Information, which is under the System Artifacts & Passwords module (Sammons, 2015).
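The file type detection in Autopsy and the Mismatch Search in OSForensics both rest on the same idea: compare the extension of a file with the signature in its first bytes. The Python script below is an added example of that check (not code from either tool); its signature table and sample file headers are constructed here, and the clown filenames from this report are reused as sample names only.

```python
"""Added example: extension-vs-signature mismatch check, the idea behind Autopsy's file type
detection and OSForensics' Mismatch Search. Not code from either tool; the signature table
and the sample file headers below are constructed for this example."""
import os

# (offset, magic bytes, type name, extensions that legitimately carry this signature).
# Office documents and APKs are ZIP containers, so "PK" must accept those extensions too,
# otherwise every .docx would be reported as a mismatch.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (0, b"%PDF-", "pdf", {"pdf"}),
    (4, b"ftyp", "mp4", {"mp4", "m4a", "m4v", "mov", "3gp"}),   # ISO base media: magic at offset 4
    (0, b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (0, b"MZ", "exe", {"exe", "dll", "sys", "scr"}),
    (0, b"\x1f\x8b", "gzip", {"gz", "tgz"}),
]


def detect_type(header):
    """Return the type name whose signature matches the header bytes, or None if unknown."""
    for offset, magic, name, _ in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def check_file(filename, header):
    """Classify one file from its name and first bytes.

    verdict is "match" (extension agrees with signature), "mismatch" (it does not), or
    "unknown" (no signature in the table matched, so nothing can be said either way)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = detect_type(header)
    if detected is None:
        verdict = "unknown"
    else:
        allowed = next(exts for _, _, name, exts in SIGNATURES if name == detected)
        verdict = "match" if ext in allowed else "mismatch"
    return {"file": filename, "ext": ext, "detected": detected, "verdict": verdict}


def find_mismatches(files):
    """files: iterable of (filename, header_bytes). Returns the reports flagged as mismatches."""
    return [r for r in (check_file(n, h) for n, h in files) if r["verdict"] == "mismatch"]


# Constructed sample "files": names reused from this report, headers made up here.
SAMPLE_FILES = [
    ("kikki_clown_party_pose.jpg", b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00II*\x00"),
    ("Clowns Dancing.mp4", b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00"),
    ("Send In The Clowns.pdf", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"),   # executable renamed .jpg
    ("notes.txt", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),                  # PDF hidden as text
    ("readme.txt", b"Just some text.\n"),                             # no known signature
]

if __name__ == "__main__":
    for report in find_mismatches(SAMPLE_FILES):
        print(f"{report['file']}: extension .{report['ext']} but content is {report['detected']}")
```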
The forensic image of the hard drive is mounted on the system, and Autopsy is used to investigate the disk image (Schweitzer, 2003). By adding the disk image as a data source in Autopsy, its contents can be viewed. The contents of the given disk image are shown below.
A jpg image is found during the investigation (Sealey, 2004). It is not a clown image but a flower image.
The clowns dancing mp4 file is also found in the disk image (Seckiner, Mallett, Roux, Meuwly & Maynard, 2018).
The jpg image kikki_clown_party_pose is found. This proves that the disk image contains a clown image (Taylor, Endicott-Popovsky & Frincke, 2007).
The kikki_clown_party_pose image is viewed. The device that made this image is a Canon, model Canon EO5 100.
In the EXIF metadata, the size of the kikki_clown_party_pose image is shown as 50304, but there is no creation date for this image (Tilstone, Savage & Clark, 2006).
The properties of the kikkii_clown_party_pose jpg image are shown below. They include the source file, device model, device make, size, path and tags (Verolme & Mieremet, 2017).
The kikkii_clown_party_pose image appears in the recent documents, so it is verified that the clown image was accessed on Clark’s computer.
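The device make and model reported above come from EXIF tags stored in the JPEG's APP1 segment. The Python script below is an added example (not Autopsy's code) of reading those tags from IFD0 and reporting a missing DateTime tag as None rather than guessing a date; the JPEG it parses is built by build_exif_jpeg, a helper written here, and the sample values mirror this report's finding.

```python
"""Added example: read Make, Model and DateTime from a JPEG's EXIF IFD0, the tags behind the
device make/model shown above. Not Autopsy's code. build_exif_jpeg is a helper written here
that constructs a minimal JPEG so the parser can run offline; only IFD0 is walked, the Exif
sub-IFD (where DateTimeOriginal lives) is not followed."""
import struct

IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
ASCII = 2   # TIFF field type for NUL-terminated ASCII strings


def build_exif_jpeg(make, model, date_time=None):
    """Construct a little-endian ("II") TIFF structure with the given IFD0 ASCII tags,
    wrap it in an APP1/Exif segment and return a minimal JPEG (SOI, APP1, EOI)."""
    fields = [(0x010F, make), (0x0110, model)]
    if date_time is not None:
        fields.append((0x0132, date_time))
    entries, data = b"", b""
    # Out-of-line values start after header(8) + count(2) + entries(12 each) + next-IFD(4).
    data_start = 8 + 2 + 12 * len(fields) + 4
    for tag, text in fields:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                      # short values are stored inline
            entries += struct.pack("<HHI4s", tag, ASCII, len(value), value.ljust(4, b"\x00"))
        else:                                    # longer values are stored at an offset
            entries += struct.pack("<HHII", tag, ASCII, len(value), data_start + len(data))
            data += value
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(fields))
            + entries + struct.pack("<I", 0) + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_ifd0_tags(jpeg):
    """Return {"Make": ..., "Model": ..., "DateTime": ...}; a tag absent from IFD0 maps to None.

    Walks the JPEG marker segments until the first Exif APP1 (or the scan data), then reads
    IFD0 of the embedded TIFF structure, honouring its byte order and inline/offset values."""
    result = {name: None for name in IFD0_TAGS.values()}
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):          # start of scan or end of image: no more metadata
            break
        segment = jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker != 0xFFE1 or not segment.startswith(b"Exif\x00\x00"):
            continue                              # e.g. a JFIF APP0 or an XMP APP1 segment
        tiff = segment[6:]
        end = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            e = ifd0 + 2 + 12 * i
            tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
            if tag not in IFD0_TAGS or typ != ASCII:
                continue
            if n <= 4:
                raw = tiff[e + 8:e + 8 + n]
            else:
                off = struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
                raw = tiff[off:off + n]
            result[IFD0_TAGS[tag]] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        break
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the report's finding: make and model present, no date.
    sample = build_exif_jpeg("Canon", "Canon EO5 100")
    print(read_ifd0_tags(sample))
    # → {'Make': 'Canon', 'Model': 'Canon EO5 100', 'DateTime': None}
```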
The path, path ID, date/time, source file path and artifact ID of the kikkii_clown_party_pose image are found. This clown image was most recently accessed on 19-06-2018 at 05:20:06.
In the recent documents, another clown-related item is found: a pdf named ‘A Little Night Music- Send In The Clowns’. It was accessed on 19-06-2018 at 05:14:31, and its path, path ID, source file path and artifact ID are also found (Wang, Xue, Zheng, Liu & Li, 2012).
The mp4 file named ‘Clowns Dancing’ is also found in the recent documents; the results are shown below. This mp4 file was accessed on 18-06-2018 at 08:15:47, and its path, path ID, source file path and artifact ID are found in the results (Young & Ortmeier, n.d.).
The indexed text of the ‘A Little Night Music –Send In The Clowns’ pdf is viewed. The author of this pdf is ‘Addie’. The creation, last-modified and last-saved dates and times of this pdf are found. The creation date and time is 20-04-2014, 18:52:01, and the last-modified date and time is 20-04-2014, 18:52:01.
Another clown image is found on the disk. It is a jpg image named Ronald_mcdonald-e14762000032847-660x330.
A clown-related image is found in the recent documents, so it is verified that the user (Clark) recently accessed the clown image. The access date of the clown image is 18-06-2018 ("OSForensics", 2018).
The clown dancing video is found, which proves that Clark had clown-related videos on his system.
A new clown image is found on the disk. This image was modified on June 18, 2018.
Clark accessed the clown image on June 19, 2018.
Another clown image is found, verifying that Clark had this image on his system.
In the given disk image, there are nine web bookmarks. Clark bookmarked clown-related content, so he definitely accessed clown-related content.
The properties of the kikkii_clown_party_pose image are shown. They include the modified, changed, accessed and created times of the image, among others.
Clark owned four operating system user accounts. The usernames of those four accounts are systemprofile, LocalService, NetworkService and computer.
The systemprofile user account was recently accessed by Clark.
There are two operating system information entries. One is the Windows_NT version.
In the disk image, there are 221 web cookies. The URL, access date and time and name of each are listed. Some of the web cookies found are from .yahoo.com, .bitpay.com and .domdex.com.
The web downloads obtained from the disk image prove that Clark downloaded clown-related images, videos and a pdf from the internet. There are six clown-related downloads among the sixteen web downloads.
Like the other details identified in the analysis, the user’s web history is also found. In digital forensic evidence acquisition, investigators focus mainly on the browsing history of the suspect, because it provides information about the suspect’s recent actions. In the given hard disk evidence file there are more than 100 web history entries. The image file presented above describes the results clearly: the suspect browsed various websites using the Firefox browser ("OSForensics - Digital investigation for a new era by PassMark Software®", 2018).
The keywords most often searched by the suspect are identified from his web searches. In total, thirty-six keywords were searched. Most of the thirty-six keywords are about clowns and clown costumes, and ‘possess’ also appears. The suspect also recently used an online video converter to convert a video format; he may have used it to convert the video found in the task above. He also searched for the keyword truecrypt. From the identified details it is clear that the suspect used the Firefox browser for his browsing.
The ‘Encryption suspected’ folder contains details about the encryption process carried out.
There are 102 extension mismatches detected.
Plenty of email addresses are found in the disk image.
In the suspect’s Gmail account there are three Gmail messages. One of them contains details about the clown. This email was sent by the suspect to [email protected] at 2018-07-02 (07:50:09 IST). This evidence is against the suspect.
Further information found during the investigation is shown in the following screenshots.
That Clark accessed clown content is proved by the web downloads obtained from the forensic image of the disk. Clark bookmarked clown-related content on a website, so it is verified that Clark accessed clown-related content frequently.
Clark accessed and downloaded the clown-related content purposely. This is verified by the web bookmarks and by some other activities of Clark.
Only a few files are found. More email addresses, web history entries and web cookies are found. Images and videos are present, as are the installed programs and the recent activity.
Clark installed forty-two programs on his system. There is no clown-related software, but TrueCrypt and Mplayer2 may have been installed to watch the clown video and encrypt the clown content.
Conclusion
The given forensic image is investigated using appropriate tools, and the analysis of the forensic image is done. The forensic tools used for the investigation are installed and explained in detail. The investigation is done and a justification for every action taken in the investigation is given. The installation steps of the forensic tools are provided. In total, four images are taken for the analysis. Three tools are chosen for the analysis of unallocated file formats, and the investigation is made using these three tools. The results are added through screenshots. The analysis of intent, identification and quantity of files is added. A justification and summary is provided for each analysis, and screenshots are provided for each and every analysis. In total, five issues are established in the project. The running sheet and the timeline of events are also provided.
References
Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case Study. International Journal Of Computer And Electrical Engineering, 576-580. doi: 10.7763/ijcee.2013.v5.776
Bodden, V. Digital forensics.
Boddington, R. (2016). Practical Digital Forensics. Packt Publishing.
Brinson, A., Robinson, A., & Rogers, M. (2006). A cyber forensics ontology: Creating a new approach to studying cyber forensics. Digital Investigation, 3, 37-43. doi: 10.1016/j.diin.2006.06.008
Caloyannides, M., & Caloyannides, M. (2004). Privacy protection and computer forensics. Boston: Artech House.
Carbone, F. (2014). Computer forensics with FTK. Birmingham, United Kingdom: Packt Pub.
Carlton, G., & Matsumoto, J. (2011). A Survey of Contemporary Enterprise Storage Technologies from a Digital Forensics Perspective. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2011.1100
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1069
Casey, E. (2015). Smart home forensics. Digital Investigation, 13, A1-A2. doi: 10.1016/j.diin.2015.05.017
Cohen, F. (2011). A Case Study in Forensic Analysis of Control. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2011.1087
Cohen, F. (2012). The Science of Digital Forensics: Recovery of Data from Overwritten Areas of Magnetic Media. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2012.1131
Course Technology Cengage Learning. (2010). Computer forensics. Clifton Park, NY.
Dale, W., & Becker, W. (2007). The crime scene. New York: Kaplan Pub.
Djozan, D., Baheri, T., Karimian, G., & Shahidi, M. (2008). Forensic discrimination of blue ballpoint pen inks based on thin layer chromatography and image analysis. Forensic Science International, 179(2-3), 199-205. doi: 10.1016/j.forsciint.2008.05.013
Forensics - cred or crud?. (2005). Digital Investigation, 2(4), 237-238. doi: 10.1016/j.diin.2005.11.003
Hanji, R., & Rajpurohit, V. (2013). Forensic Image Analysis - A Frame work. The International Journal Of Forensic Computer Science, 8(1), 13-19. doi: 10.5769/j201301002
Ieong, R. (2006). FORZA – Digital forensics investigation framework that incorporate legal issues. Digital Investigation, 3, 29-36. doi: 10.1016/j.diin.2006.06.004
Kessler, G. (2007). Book Review: Computer Forensics: Principles and Practices. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2007.1027
Kessler, G., & Schirling, M. (2006). The Design of an Undergraduate Degree Program in Computer & Digital Forensics. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2006.1009
Kruse, W., & Heiser, J. (2008). Computer forensics. Boston: Addison-Wesley.
Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2014.1165
Law, F., Chow, K., & Mai, Y. (2014). Understanding Computer Forensics Requirements in China via the “Panda Burning Incense” Virus Case. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2014.1170
Le-Khac, N., Jacobs, D., Nijhoff, J., Bertens, K., & Choo, K. (2018). Smart vehicle forensics: Challenges and case study. Future Generation Computer Systems. doi: 10.1016/j.future.2018.05.081
Levy, B., Hipp, J., Balis, U., & Yagi, Y. (2012). Potential Applications of Digital Pathology and Image Analysis for Forensic Pathology. Academic Forensic Pathology, 2(1), 74-79. doi: 10.23907/2012.010
Maras, M. (2015). Computer forensics. Burlington, MA: Jones & Bartlett Learning.
Marshall, A. (2009). Digital Forensics. Chichester: John Wiley & Sons.
Meister, S., & Chassanoff, A. (2014). Integrating Digital Forensics Techniques into Curatorial Tasks: A Case Study. International Journal Of Digital Curation, 9(2), 6-16. doi: 10.2218/ijdc.v9i2.325
Meyer, T. (2014). Careers in computer forensics. New York: Rosen Publishing.
Nelson, B., Phillips, A., & Steuart, C. Guide to computer forensics and investigations.
OSForensics. (2018). Retrieved from https://www.sirchie.com/osforensics.html
OSForensics - Digital investigation for a new era by PassMark Software®. (2018). Retrieved from https://www.osforensics.com/
Petrisor, I. (2005). Sampling and Analyses—Key Steps of a Forensics Investigation. Environmental Forensics, 6(1), 1-1. doi: 10.1080/15275920590913796
Petrisor, I. (2012). Emerging Environmental Forensics Applications and Case Studies: Review of Environmental Forensics—Proceedings of the 2011 INEF Conference. Environmental Forensics, 13(4), 285-288. doi: 10.1080/15275922.2012.738954
Philipp, A., Cowen, D., & Davis, C. (2010). Hacking exposed, computer forensics. New York: McGraw-Hill.
Sadu, I. (2017). Digital Forensics in the Audit of Public Private Partnerships - A Case Study. Forensic Research & Criminology International Journal, 4(6). doi: 10.15406/frcij.2017.04.00138
Sammons, J. (2015). The basics of digital forensics. Amsterdam: Syngress Media.
Schweitzer, D. (2003). Incident response. Indianapolis: Wiley.
Sealey, P. (2004). Remote forensics. Digital Investigation, 1(4), 261-265. doi: 10.1016/j.diin.2004.11.002
Seckiner, D., Mallett, X., Roux, C., Meuwly, D., & Maynard, P. (2018). Forensic image analysis – CCTV distortion and artefacts. Forensic Science International, 285, 77-85. doi: 10.1016/j.forsciint.2018.01.024
Taylor, C., Endicott-Popovsky, B., & Frincke, D. (2007). Specifying digital forensics: A forensics policy approach. Digital Investigation, 4, 101-104. doi: 10.1016/j.diin.2007.06.006
Tilstone, W., Savage, K., & Clark, L. (2006). Forensic science. Santa Barbara, Calif.: ABC-CLIO.
Verolme, E., & Mieremet, A. (2017). Application of forensic image analysis in accident investigations. Forensic Science International, 278, 137-147. doi: 10.1016/j.forsciint.2017.06.039
Wang, X., Xue, J., Zheng, Z., Liu, Z., & Li, N. (2012). Image forensic signature for content authenticity analysis. Journal Of Visual Communication And Image Representation, 23(5), 782-797. doi: 10.1016/j.jvcir.2012.03.005
Young, T., & Ortmeier, P. Crime scene investigation.
My Assignment Help. (2021). Computer Forensics: Investigation, Tools And Techniques Essay.. Retrieved from https://myassignmenthelp.com/free-samples/bn309-computer-forensics/resources-and-strategies.html.