Investigation Into Counterfeit ISIC Cards - Digital Forensics Essay.

1. What evidence exists to suggest Farayi has been counterfeiting ISIC cards?

2. Is there any evidence to suggest that Farayi knew his actions were illegal?

Objective of the Investigation

The main objective of this project is to retrieve a forensic image of the USB data storage device.  Farayi is suspected of selling counterfeit International Student Identity Cards to people who are not entitled to claim the discounts this card brings. An undercover sting operation was setup to catch Farayi in the act of selling his counterfeit goods. Farayi attempted to sell a counterfeit ISIC card to an undercover officer who was part of the sting operation. After being arrested and questioned at the local police station, Farayi provided a USB data stick to be further examined. Under questioning Farayi has stated that all the evidence that can be found is on this USB data stick. This USB storage device has been processed by a forensic imaging technician and the forensic image has been obtained. So I have to recover the forensic image of the USB data storage device. Then the copied Data in USB will be determined. The investigation will be carried out to determine that the hidden data in USB, the reasons and facts behind the theft.

This analysis using two main tool to retrieve a forensic image of the USB data storage device.

• Autopsy
• WinMD5

Data recovery is might be helpful for examination in a wide range of ways. A few Data stay introduce even after Data erasure or USB repartitioning (Gogolin et al., 2013). Also, there are numerous alternatives for offenders with specialized know how to shroud Data, for the most part utilizing a USB supervisor, stenography, encryption and so forth. Discovering, recuperation and remaking of concealed Data can be an extremely tedious and dreary process, however sometimes it might create prove that will split the case. So as to completely see how and why Data stay on a plate, one ought to find out about the idea of putting away Data on a USB.  A USB part is a unit of settled size characterized when record framework is made (generally 512 bits). More seasoned hard USBs may have some 'squandered' storage room outwardly tracks, as intelligently each track is partitioned into break even with number of divisions.  It is conceivable sometimes to shroud Data in the space between areas on the bigger outside tracks. This is known as the division hole. A few Data recuperation administrations might have the capacity to find and recover Data that is covered up in this hole. Erased records and slack space When a working framework composes a document to USB, it dispenses a specific number of segments. The quantity of areas designated relies upon the restrictions of the working framework and setup choices made by the framework overseer. The areas allotted and their area on the plate are recorded in a registry table for later access. At the point when the record is erased, the space initially dispensed to it is essentially set apart as unallocated. The genuine Data stays on the USB (Larson, 2014).

Data Recovery and Hidden Data in USB

User needs to create the case file to open the provided the DD image file. The below screenshots is shows the new case creations. First, enter the case name as Unit09 and browser the base directory. Then click Next button to enter the optional information.

Here, we will select the data sources to add the data sources for created case file. So, select the unallocated space image file and click the next button to proceed the adding the data sources. It is shown below (Pollitt and Shenoi, 2010).

After, browse the data source path to select the DD image file. It is shown below.

Then, configure the DD image file to ingest modules and click the next button. It is shown below.

Finally, added the data sources. Then, the Autopsy tool will be analysed the DD image file to click the Ok button.

Here, the below screenshots is used to displayed the successful analysed of DD image file.

But, the DD image file does not have the MD5 hash number. So, it needs to identify by using the WinMD5 tool. First, user needs to download the install the WinMD5 tool. After, open the tool. Then, browse the DD image file. This process is shown below.

Then, the WinMS5 tool provides the MD5 hash values for provided DD image file. It is shown below.

Here, we will perform the initial survey of the evidence. First, user needs to create the keywords list to discover the relevant digital evidence on the DD image file. List of keywords are shown below (Ray and Shenoi, 2011). 

Creation on keyword list on autopsy
To create the keyword list by click the keyword list and choose the manage lists. It is display the below information. 

Here, we will click the New list to enter the keywords lists. It is shown below 

Once the new list is entered, after enter the new keywords to enter the justification of created keyword list. After, choose the substring match and click the Ok button. 

Finally, we are successfully created the keywords lists and justification of keywords. It is shown below. 

Then, search the information on image files by using the keyword list. Here, we will search the ISIC on keyword search. It is displayed the ISIC related information. 

After, run the ingest modules by click the tool and choose the run ingest modules. It is shown below. 

To run the ingest modules on Keyword search by select configure ingest modules as keyword search and click Finish to run the ingest modules. It is shown below. 

Creating a New Case File and Running Ingest Modules

After search the DD images information by using the keyword search like Unallocated. This process is display the following information. It is shown below.

Here, we will the provided DD image file information. Choose the data sources. It is shown below.

After, right click on data sources and click the properties. It is display the information about the data sources.

The final stage of initial survey is to identify the all the files are relevant to the investigation or not. This process is shown below.  

Here, we will ensure the correct documentation is maintained or used. So, check the correct document related to word documents and images. The provided image has three word document. The First word document file is contains the file size is 20480 and Internal ID is 15.

It is shown below.

 The second word document is contains the 58368 file size and internal ID is 20. It is shown below. 

The third word document is contains the 11477 files and internal ID is 9. It is shown below. 

The provided DD image file has six images. This is analysed below. 

Here, we will interpret and locate the relevant digital evidence. So, look at keyboard list results. It is shown below. 

Click the ISIC images file is shows the following image (Sammons, 2015). 

This scan is used to seem entirely relevant to an investigation into counterfeit ISIC cards. Next, we are going to add a bookmark. To add a bookmark by right click on the results and select the tag files to click the book mark.

Similarly examining the counterfeit ISIC cards. It is shown below.

Also search the ISIC counterfeit cards by using the keyword search. It is shown the below.

Then, open the images file to open in external viewer.

It is shown below. 

Then, examine the file to again the new keyword lists because it is very useful for a digital investigation. The creation of keyword lists is displayed in below. 

The keyword lists are shown below. 

After, search the keyword like sheetal on keyword search. The sheetal is one of the customers. It is shown below. 

Finally, all the evidence is located on a USB drive and investigated files are copied or created on the the USB drive by a computer. So, this computer needs to investigate and it may reveal the lots of more useful evidence. It is used to provide the ability to reconstruct the activities that caused these files to exist.

Here, we will locate the relevant digital evidence to suggest Farayi has been counterfeiting ISIC cards. So, look at keyboard list results. It is shown below.

Click the ISIC images file is shows the following image (Sammons, 2015).

This scan is used to seem entirely relevant to an investigation into counterfeit ISIC cards.

Here, we will suggest that Farayi knew his actions were illegal. So, check the document related to word documents and images. It is shown below. 

Is there any evidence to suggest the names of his customers?

Conclusion

The main objective of this project is to retrieve a forensic image of the USB data storage device. According to the given case, the USB storage device has been processed by a forensic imaging technician and the forensic image has been obtained. So I had to recover the forensic image of the USB data storage device. Then the copied Data in USB is determined. The investigations are carried out to determine that the hidden data in USB, the reasons and facts behind the theft.

References

Gogolin, G., Ciaramitaro, B., Emerick, G., Otting, J. and Pavlov, V. (2013). Digital forensics explained. Boca Raton: CRC Press, Taylor & Francis Group.

Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Journal of Digital Forensics, Security and Law.

Pollitt, M. and Shenoi, S. (2010). Advances in digital forensics. New York: Springer/International Federation for Information Processing.

Ray, I. and Shenoi, S. (2011). Advances in digital forensics IV. New York: Springer.

Sammons, J. (2015). The basics of digital forensics. Amsterdam: Syngress Media.