This assignment assesses the following Unit Learning Outcomes; students should be able to demonstrate their achievements in them.
- Systematically collect evidence at private-sector incident scenes.
- Document evidence and report on computer forensics findings.
- Implement a number of methodologies for validating and testing computer forensics tools and evidence.
Prepare a report on the following sections related to the case study scenario. You can use your own USB, create/delete files as mentioned in the scenario and perform forensics. Provide the list of references using IEEE referencing style at the end of the report.
Section 1: Data Acquisition
Prepare a forensic image (bit stream copy) with the record of data deletion. Explain the method and tool you used for acquiring data. You will need this image to perform the consecutive tasks. Please submit this image with your assignment.
Section 2: Data Recovery
The suspect has deleted two image files from the USB. Recover the files and explain the method (with screenshots) and the tool you used.
In addition, recover data from recycle bin, explain the procedure with screenshots.
Section 3: Data Analysis
Inspect all files in the USB, use a hex editor and analyse if there is any hidden data in files. Provide screenshots of your analysis.
Section 4: Data Validation
Explain different methods of data validation and use one of them to validate data on USB. (400
Data Acquisition
Data acquisition is the process of extracting evidence from computer storage media and drives [1]. It is the most critical stage of a computer forensics investigation, because every later result is only as good as the copy it was obtained from, so it must be carried out with care and with appropriate, tested tools [2]. In this USB embezzlement case the investigator chose AccessData FTK Imager to obtain the drive image. Several other tools can acquire data, among them EnCase, The Sleuth Kit and ProDiscover; the choice depends on the type of case being investigated [3]. Whatever tool is used, the suspect drive should be attached through a write blocker (a hardware device or a software write-block setting) so that the act of imaging cannot alter the evidence, and the hash values computed at acquisition time should be recorded in the report.
To acquire the USB drive image, start AccessData FTK Imager; the main window shown below will be displayed. From the File menu select Create Disk Image.
In the Create Disk Image window (figure 3) select the 'Physical Drive' source type and click Next.
The next window prompts for the drive to image. Select the USB drive (check the reported size and model so that the wrong disk is not imaged) and click Finish.
The Create Image window then prompts for an image destination, as shown in figure 5. Click Add.
Select the destination image type, as shown in figure 6. Choose 'Raw (dd)' and click Next. A raw image contains only the bit-stream copy and can be opened by any forensic tool, but unlike an E01 image it carries no embedded hash, so the hashes reported at the end of the acquisition must be kept with the report.
Enter the evidence item information (case number, evidence number, examiner and notes), as shown in figure 7. Fill it in accurately and click Next.
Browse to the destination folder and give the image a file name, as shown. Select your preferred folder and click Finish.
The Create Image window now shows the destination together with the option 'Verify images after they are created', as shown. Tick it and click Start.
The image creation starts, as shown in figure 10. Wait for the process to finish.
When the copy is complete, the verification results window appears automatically, as shown below. It lists the MD5 and SHA1 hashes computed from the source drive while it was read alongside the hashes computed by re-reading the written image file; the two sets must match for the image to be a valid bit-stream copy.
Confirm that the hashes match, record them, click Close and exit the program. Browse to the destination folder and confirm that the image file and the accompanying text summary (which repeats the hashes and the evidence information) are present.
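The acquisition and verification steps above can be reproduced outside a GUI tool. The following Python script is an added example written for this report; it is not FTK Imager code and not part of the original assignment. It copies a source in fixed-size blocks, hashes the stream as it is read, then re-reads the written image and compares the hashes, which is what FTK Imager's 'Verify images after they are created' option does. The source path is assumed to be a raw device such as /dev/sdb or \\.\PhysicalDrive1 when used for real (opened behind a write blocker); the test uses a constructed temporary file standing in for the USB drive.

```python
"""Bit-stream acquisition with on-the-fly hashing and post-write verification.

Added example for this report (not FTK Imager code). Source path assumed to be a
raw device or a file standing in for one.
"""
import hashlib
import os

CHUNK = 1024 * 1024  # read 1 MiB at a time so large drives never sit in RAM


def acquire_image(source, dest):
    """Copy every byte of `source` to `dest`, hashing the stream as it is read.

    Returns the byte count and the MD5 / SHA-1 / SHA-256 of the SOURCE stream:
    the 'computed' hashes an imager records at acquisition time.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    return {"bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def hash_file(path):
    """Hash a file on disk in chunks; used to re-read the written image."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def verify_image(dest, acquisition_record):
    """Re-read the image from disk and compare it with the acquisition hashes.

    A mismatch means the written image is not a faithful copy: bad media, a
    write error, or a change made between acquisition and verification.
    Returns (ok, hashes_of_written_image).
    """
    stored = hash_file(dest)
    ok = all(stored[k] == acquisition_record[k] for k in ("md5", "sha1", "sha256"))
    ok = ok and os.path.getsize(dest) == acquisition_record["bytes"]
    return ok, stored


if __name__ == "__main__":
    import sys
    # usage: python acquire.py <source device or file> <image.dd>
    record = acquire_image(sys.argv[1], sys.argv[2])
    verified, _ = verify_image(sys.argv[2], record)
    print(record, "VERIFIED" if verified else "HASH MISMATCH")
```

The acquisition record (byte count and hashes) is what belongs in the report next to the image file name; the verification is deliberately a separate re-read of the file rather than a comparison of in-memory values, because the failure it is meant to catch is between the hashed stream and what actually reached the disk.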
Data Recovery
After the drive image has been acquired, data recovery can be carried out with ProDiscover Basic [4]. Install and start the program. A window like the one in figure 12 prompts for a project number and a project file name [5]. Fill in the details and click Open.
The main program window is then displayed. To add the forensic image, right-click the 'Images' node in the Content View tree on the left and select 'Add'. A window pops up asking you to browse for the image, as shown.
Once the image is loaded, expand the 'Images' node and click the image to view its content, as shown below. The files that were deleted from the USB are listed alongside the live files and are marked as deleted.
Select the two deleted image files, right-click and choose 'Copy All Selected Files'. A window prompts for the location to copy them to [6]. Select a folder and click OK. In this case the investigator chose to save the files back to the USB drive, as shown below. That choice should not be repeated: the recovered files are already available in the image, and writing anything to the original evidence media overwrites unallocated clusters (where further deleted data may still reside) and changes the drive's hash so that it no longer matches the acquired image. Recovered files belong in a working folder on the examination machine.
On clicking OK, the files are saved to the selected folder. Navigate to it to view the content.
To recover files from the Recycle Bin, start ProDiscover Basic by double-clicking its icon. A window pops up asking for the project number and name. Fill in the details and click Open.
Add the image file of the USB drive created earlier, as shown in figure 18.
Navigate to the folder where the image is stored. Click the plus icon next to 'Images' in the Content View section and expand the image to view its content.
Click 'Deleted Files' to view the content that was deleted from the Recycle Bin. Two points are worth noting in the report. Windows normally deletes files on removable drives such as USB sticks directly, without passing them through the Recycle Bin, so on the USB itself the deleted files are found in unallocated space, which is why they appear under 'Deleted Files'. On a fixed NTFS volume, by contrast, a deleted file is moved into the hidden $RECYCLE.BIN folder as a $R<id> file holding the content and a matching $I<id> file holding the original path, size and deletion time; the $I record is what lets an examiner restore the original name and establish when the deletion happened.
Right-click the files, select 'Copy All Selected Files', choose the folder to save them in (a working folder, not the USB drive) and click OK. Navigate to that folder to confirm that the data has been recovered.
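What ProDiscover does when it lists deleted files and Recycle Bin entries can be shown directly on the raw image. The following Python code is an added example written for this report, not ProDiscover code and not part of the original assignment. It demonstrates the two recovery techniques relevant to Section 2: signature carving, which finds a deleted JPEG in the image by its start (FF D8 FF) and end (FF D9) markers without any surviving directory entry, and parsing of a Recycle Bin $I record to get back the original path, size and deletion time of a $R file. The image bytes and the $I record are constructed for the example; `carve_jpegs` would be run on the bytes of the acquired .dd file in practice, and the $I layout assumed is the documented Vista/7 (version 1, fixed 520-byte path) and Windows 10 (version 2, length-prefixed path) format.

```python
"""Recovering deleted files from the raw image rather than from the USB itself.

Added example (not ProDiscover code). SAMPLE_IMAGE and SAMPLE_I are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

SOI = b"\xff\xd8\xff"  # JPEG start-of-image followed by the first marker byte
EOI = b"\xff\xd9"      # JPEG end-of-image
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Return [(offset, bytes)] for every JPEG found by a header/footer scan.

    Signature carving needs no file system, so it recovers files whose directory
    entries are gone. A header with no footer within max_size is treated as
    fragmented or overwritten and skipped.
    """
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return found
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            pos = start + 1
            continue
        end += len(EOI)
        found.append((start, image[start:end]))
        pos = end


def parse_recycle_bin_i(record):
    """Parse a $I record: version 1 (Vista..Win8) or version 2 (Windows 10+).

    Layout: u64 version, u64 original size, u64 deletion FILETIME, then the
    original path in UTF-16LE (fixed 520 bytes in v1, u32 length-prefixed in v2).
    """
    version, size, filetime = struct.unpack_from("<QQQ", record, 0)
    if version == 1:
        raw = record[24:24 + 520]
    elif version == 2:
        nchars = struct.unpack_from("<I", record, 24)[0]
        raw = record[28:28 + 2 * nchars]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le").rstrip("\x00")
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}


def build_i_record(path, size, deleted):
    """Construct a version-2 $I record; only used to build the sample below."""
    ticks = int((deleted - FILETIME_EPOCH).total_seconds() * 10_000_000)
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ticks, len(name) // 2) + name


# Constructed sample image: zero filler, two JPEG-shaped blobs separated by
# 0xFF filler (to show the scan is not confused by stray FF bytes), zero filler.
JPEG_A = SOI + b"\xe0\x00\x10JFIF" + b"A" * 40 + EOI
JPEG_B = SOI + b"\xe1\x00\x10Exif" + b"B" * 60 + EOI
SAMPLE_IMAGE = b"\x00" * 512 + JPEG_A + b"\xff" * 300 + JPEG_B + b"\x00" * 512

# Constructed $I record for a $R file that held JPEG_A (path is an assumption)
SAMPLE_I = build_i_record("E:\\projects\\photo1.jpg", len(JPEG_A),
                          datetime(2018, 8, 20, 9, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE_IMAGE):
        print("JPEG at offset %d, %d bytes" % (offset, len(blob)))
    print(parse_recycle_bin_i(SAMPLE_I))
```

Carved files come back without names, which is why the $I record matters: it is the only place the original file name and the deletion time survive once the $R file has been recovered.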
Data Analysis
Analysing the data after recovery is crucial [7]: it confirms that the recovered files are what they claim to be and have not been corrupted or modified, and it reveals any data hidden inside them. There are several ways to carry out the analysis [8]; in this case a hex editor is used to examine each file for hidden data. Each file is loaded into the hex editor [9] and its raw bytes are inspected for three things: a header signature that matches the file's extension (a JPEG starts with FF D8 FF, a PNG with 89 50 4E 47, an Excel .xlsx file with the ZIP signature 50 4B 03 04); data following the format's end-of-file marker (FF D9 for a JPEG), which is where an appended payload is normally placed; and signatures of other formats embedded in the body of the file. Note that the 'hidden' file attribute displayed by Windows is a file-system flag that only stops Explorer from listing a file; it says nothing about data hidden inside a file, which is what this inspection is for. The process was repeated for all the files.
No hidden data was found in any of the files.
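The checks described above can be automated so that every file on the image is examined the same way. The following Python code is an added example written for this report; it is not a feature of HxD or ProDiscover and not part of the original assignment. It performs the three hex-level checks on each file (header signature against extension, data after the end-of-file marker, embedded ZIP signature) and doubles as the 'type validation' used in the next section, since matching the signature to the extension is exactly that check. The signature table only covers the formats the report names plus PNG and ZIP; the sample files are constructed.

```python
"""Hex-level checks for hidden data and for file type, applied to recovered files.

Added example for this report (not HxD or ProDiscover functionality).
The SAMPLES dict at the bottom is constructed.
"""

# Magic bytes keyed by extension (lower-case, without the dot).
SIGNATURES = {
    "zip": (b"PK\x03\x04",),                          # plain ZIP archive
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "xlsx": (b"PK\x03\x04",),                         # OOXML Excel is a ZIP container
    "docx": (b"PK\x03\x04",),
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),    # legacy OLE2 compound file
}
# End-of-file markers; bytes after the LAST occurrence are suspicious.
TRAILERS = {
    "jpg": b"\xff\xd9", "jpeg": b"\xff\xd9",          # JPEG end-of-image
    "png": b"IEND\xae\x42\x60\x82",                   # PNG IEND chunk and its CRC
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"
CONTAINERS = {"zip", "xlsx", "docx"}  # formats where inner ZIP headers are normal


def identify(data):
    """Return the extension whose signature matches the leading bytes, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def analyse(name, data):
    """Return a list of findings for one file; an empty list means nothing odd."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []
    looks_like = identify(data) or "unknown"
    # 1. header signature versus extension (the 'type validation' check)
    if ext in SIGNATURES:
        if not any(data.startswith(s) for s in SIGNATURES[ext]):
            findings.append("header does not match .%s (looks like %s)" % (ext, looks_like))
    elif ext == "txt":
        try:
            data.decode("utf-8")
            if b"\x00" in data:
                raise ValueError("NUL byte in text file")
        except (UnicodeDecodeError, ValueError):
            findings.append("non-text bytes in .txt (looks like %s)" % looks_like)
    # 2. anything after the format's end-of-file marker
    trailer = TRAILERS.get(ext)
    if trailer is not None:
        last = data.rfind(trailer)
        if last < 0:
            findings.append("no .%s end-of-file marker found" % ext)
        else:
            extra = len(data) - (last + len(trailer))
            if extra:
                findings.append("%d bytes appended after end-of-file marker" % extra)
    # 3. a ZIP local-file header inside a file that is not a ZIP container
    if ext not in CONTAINERS:
        at = data.find(ZIP_LOCAL_HEADER, 1)
        if at > 0:
            findings.append("embedded ZIP signature at offset %d" % at)
    return findings


def analyse_all(files):
    """files: {name: bytes} -> {name: [findings]}"""
    return {name: analyse(name, data) for name, data in files.items()}


# Constructed samples: a clean JPEG, the same JPEG with a ZIP stashed after
# the EOI marker, a ZIP renamed to .jpg, a text note, and a genuine-looking xlsx.
CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 48 + b"\xff\xd9"
STASHED_JPG = CLEAN_JPG + ZIP_LOCAL_HEADER + b"\x14\x00" + b"secret.txt" + b"payload" * 4
RENAMED_ZIP = ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00" * 40
SAMPLES = {
    "photo1.jpg": CLEAN_JPG,
    "photo2.jpg": STASHED_JPG,
    "photo3.jpg": RENAMED_ZIP,
    "notes.txt": b"meeting at 3pm, bring the ledger\n",
    "ledger.xlsx": RENAMED_ZIP,
}

if __name__ == "__main__":
    for name, findings in analyse_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

Only the clean JPEG, the text note and the .xlsx come back without findings; photo2.jpg is flagged for both the bytes after FF D9 and the ZIP header at that position, and photo3.jpg for a header that does not match its extension.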
Data Validation
Integrity is a crucial property of any computer system: a system should detect threats to the integrity of its data and notify the administrators [10]. In a forensic investigation, integrity is demonstrated by validating the data at each stage.
Data validation, in the general software sense, is the process of checking that the data entered in a field is valid and meets the rules set for that field; in essence it checks the data type and contents of each field of a document [11]. In computer forensics the term also covers confirming that an acquired image and the files recovered from it are correct, complete and unmodified, which is done by comparing cryptographic hashes (MD5, SHA-1 or SHA-256) of the copy with those recorded from the original. Validation matters because it makes sure the recovered data is correct, clean and useful, and it increases confidence in the results; incomplete, inconsistent or incorrect data is of no use to an investigation.
Several data validation methods exist; three are discussed in this report:
Type validation: checks that the data entered in a field is of the correct type, so that a field set to accept only numeric characters rejects text.
Required field validation: prevents the user from proceeding until particular fields have been filled in. This is the common validation technique for online forms.
Range validation: checks that the data entered falls within a specified range and rejects anything outside it.
In this case the investigator applied type validation to all the recovered files, checking that each file is of the type it claims to be: image files remained image files, text files remained text files and Excel files remained Excel files. All the recovered images were found to be in JPEG format, which the investigator confirmed was their original format; the text and Excel files were likewise found to be of the correct type, with the same properties as the originals. From this the investigator concluded that the recovered data was correct and valid.
Type validation has a limit that should be stated in the report: it shows that a recovered file is a well-formed file of the expected kind, not that its contents are byte for byte those of the original. A single altered byte inside a JPEG leaves it a valid JPEG. The stronger check is the hash comparison: the matching MD5 and SHA1 values reported by FTK Imager at the end of the acquisition validate the image, and individual recovered files should be validated by comparing their hashes with hashes of the originals recorded before deletion, which is the only way to show that no modification has taken place [12]. Whatever method is used, it should be applied to every recovered file, so that a deleted Word document, for example, is shown to have come back as the same Word document and not as a modified file under a different extension [13].
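The hash-based validation described above, as an added example written for this report (not part of the original assignment and not tool code). Hashes of the original files are recorded in a manifest before the scenario's deletion, and every recovered file is then classified as verified, modified, missing or unexpected. Matching is by content rather than by name, so a file that a carver brought back under a generated name is still recognised. The manifest and the recovered set are constructed; the single flipped bit in photo2.jpg is what type validation alone would miss, since the file is still a structurally valid JPEG.

```python
"""Validating recovered files by hash rather than by type.

Added example for this report. ORIGINALS and RECOVERED are constructed.
"""
import hashlib


def sha256_of(data):
    """Hex SHA-256 of an in-memory file; files here are small enough to hold in RAM."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {name: bytes} of the originals, hashed BEFORE they are deleted."""
    return {name: sha256_of(data) for name, data in files.items()}


def validate_recovered(manifest, recovered):
    """Classify each recovered file against the manifest.

    verified:   content hash is in the manifest (under any name)
    modified:   name is in the manifest but the content hash is not
    missing:    manifest entry with no verified or modified counterpart
    unexpected: recovered file whose name and hash are both unknown
    """
    by_hash = {h: name for name, h in manifest.items()}
    verified, modified, unexpected = [], [], []
    seen = set()
    for name, data in recovered.items():
        h = sha256_of(data)
        if h in by_hash:
            verified.append((name, by_hash[h]))
            seen.add(by_hash[h])
        elif name in manifest:
            modified.append(name)
        else:
            unexpected.append(name)
    missing = [n for n in manifest if n not in seen and n not in modified]
    return {"verified": verified, "modified": modified,
            "missing": missing, "unexpected": unexpected}


# Constructed originals, hashed before the deletion in the scenario.
ORIGINALS = {
    "photo1.jpg": b"\xff\xd8\xff" + b"A" * 100 + b"\xff\xd9",
    "photo2.jpg": b"\xff\xd8\xff" + b"B" * 100 + b"\xff\xd9",
    "notes.txt": b"meeting at 3pm\n",
}
MANIFEST = build_manifest(ORIGINALS)

# Constructed recovery result: photo1 came back under a carver-assigned name,
# photo2 came back with one flipped bit (still a valid JPEG), notes.txt did not
# come back at all.
_damaged = bytearray(ORIGINALS["photo2.jpg"])
_damaged[50] ^= 0x01
RECOVERED = {
    "carved_00000200.jpg": ORIGINALS["photo1.jpg"],
    "photo2.jpg": bytes(_damaged),
}

if __name__ == "__main__":
    for category, names in validate_recovered(MANIFEST, RECOVERED).items():
        print(category, names)
```

Only the verified list is evidence that a recovered file is the original; a file in the modified list should be reported as such even if it opens correctly in an image viewer.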
Conclusion
Every investigator should ensure that the acquisition, recovery, analysis and validation processes are carried out correctly and with appropriate tools. The order of volatility is a key principle: evidence should be collected starting with the most volatile sources (memory, running processes and network state) before less volatile media such as a USB drive. Appropriate tools and the investigator's experience are the two decisive factors in a successful forensic investigation.
References
[1] E. Casey, "Digital Stratigraphy: Contextual Analysis of File System Traces in Forensic Science", Journal of Forensic Sciences, 2017.
[2] R. Chandel, "How to gather Forensics Investigation Evidence using ProDiscover Basic", Hacking Articles, 2015. [Online]. Available: https://www.hackingarticles.in/how-to-gather-forensics-investigation-evidence-using-prodiscover-basic/. [Accessed: 27- Aug- 2018].
[4] D. Hayes, A practical guide to computer forensics investigations. Indianapolis, Indiana: Pearson, 2015.
[5] B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. Mason, OH: Cengage Learning US, 2018.
[6] M. Maras, Computer Forensics. Sudbury: Jones & Bartlett Learning, LLC, 2014.
[7] B. ProDiscover, "ProDiscover Forensic Data Recovery", Networkdefensesolutions.com, 2018. [Online]. Available: https://networkdefensesolutions.com/index.php/forensics/78-prodiscoverfilerecovery. [Accessed: 27- Aug- 2018].
[8] R. Sadgune, "ProDiscover Incident Response, ProDiscover Forensics, ProDiscover", Hackforlab.com, 2014. [Online]. Available: https://hackforlab.com/prodiscover-incident-response-feature/. [Accessed: 27- Aug- 2018].
[9] G. Wingate, Computer Systems Validation. Boca Raton, USA: CRC Press, 2016.
[10] J. Marshall, "Examining the Raw Data on Your Hard Drive with a Hex Editor", Tierradatarecovery.co.uk, 2014. [Online]. Available: https://tierradatarecovery.co.uk/examining-the-raw-data-on-your-hard-drive-with-a-hex-editor/. [Accessed: 27- Aug- 2018].
[11] M. Hörz, "HxD - Freeware Hex Editor and Disk Editor | mh-nexus", Mh-nexus.de, 2018. [Online]. Available: https://mh-nexus.de/en/hxd/. [Accessed: 27- Aug- 2018].
[12] D. Hayes, A practical guide to computer forensics investigations. Indianapolis, Indiana: Pearson, 2015.
[13] N. Gilani, "Types of Validation Checks | Techwalla.com", Techwalla, 2018. [Online]. Available: https://www.techwalla.com/articles/types-of-validation-checks. [Accessed: 27- Aug- 2018].