Task
Task 1: Recovering scrambled bits
For this task I will upload a text file with scrambled bits on the Interact site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.
Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.
Task 2: Digital Forensics Report
In this major task you take the role of a digital forensics investigator and are asked to prepare a digital forensic report for the following scenario:
You are investigating a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS). EMTS has just finished an expensive marketing and customer service analysis with Superior Bicycles, LLC. Based on this analysis, EMTS plans to release advertising for its latest tour service with a joint product marketing campaign with Superior Bicycles. Unfortunately, EMTS suspects that a contract travel consultant, Bob Aspen, might have given sensitive marketing data to another bicycle competitor. EMTS is under a nondisclosure agreement with Superior Bicycles and must protect this advertising campaign material.
An EMTS manager found a USB drive on the desk Bob Aspen was assigned to. Your task is to determine whether the drive contains proprietary EMTS or Superior Bicycles data. The EMTS manager also gives you some interesting information he gathered from the Web server administrator. EMTS filters all Web-based e-mail traffic traveling through its network and detects suspicious attachments. When a Web-based e-mail with attachments is received, the Web filter is triggered. The EMTS manager gives you two screen captures, shown in Figures 8-5 and 8-6 (Textbook page 327), of partial e-mails intercepted by the Web filter that lead him to believe Bob Aspen might have engaged in questionable activities. (Nelson, Phillips, & Steuart, 2015, p. 326-327)
Deliverable: For this forensic examination, you need to search all possible places data might be hiding.
WinHex is a hex editor used by forensic examiners for tasks such as repairing file headers, editing files in binary mode and scrambling data in a way that can only be reversed if the original operation is known. The scrambled file was produced by a 1-bit shift, so it is recovered by applying the opposite shift to the file contents:
Open the scrambled file in WinHex and choose Modify Data, then the "Left shift by 1 bit" option.
Output and recovered plain text (screenshot not reproduced on this page):
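The same 1-bit shift can be reproduced outside WinHex. The following Python is an added example, not part of the original assignment and not WinHex's own code. It assumes the scrambling was a right shift by one bit and tries both ways a hex editor might interpret "shift by 1 bit" (each byte on its own, or the whole file as one continuous bit stream), then ranks the candidates by how much printable text they contain; the sample text is constructed here and the function names are this example's own.

```python
"""Recover text scrambled by a 1-bit shift, the operation WinHex exposes under
Modify Data. Two interpretations of "shift by 1 bit" are tried, because a hex
editor may shift each byte independently or treat the buffer as one bit stream;
which one WinHex applies is an assumption here, so both candidates are produced."""


def shift_stream(data: bytes, direction: str) -> bytes:
    """Shift the whole buffer as one continuous bit stream (bits cross byte
    boundaries). One bit falls off the end and a zero bit is shifted in."""
    width = len(data) * 8
    value = int.from_bytes(data, "big")
    if direction == "left":
        value = (value << 1) & ((1 << width) - 1)
    elif direction == "right":
        value >>= 1
    else:
        raise ValueError("direction must be 'left' or 'right'")
    return value.to_bytes(len(data), "big")


def shift_each_byte(data: bytes, direction: str) -> bytes:
    """Shift every byte independently; the bit that falls off each byte is lost,
    so this is only lossless if the scrambling was also done per byte."""
    if direction == "left":
        return bytes((b << 1) & 0xFF for b in data)
    if direction == "right":
        return bytes(b >> 1 for b in data)
    raise ValueError("direction must be 'left' or 'right'")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace; used to
    judge which candidate looks like recovered text."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def candidates(scrambled: bytes) -> dict:
    """Every 1-bit unscrambling candidate, keyed by the operation that produced it."""
    return {
        "stream_left": shift_stream(scrambled, "left"),
        "stream_right": shift_stream(scrambled, "right"),
        "byte_left": shift_each_byte(scrambled, "left"),
        "byte_right": shift_each_byte(scrambled, "right"),
    }


def rank_candidates(scrambled: bytes) -> list:
    """Candidates ordered from most to least text-like, as (name, ratio, data)."""
    ranked = [(name, printable_ratio(d), d) for name, d in candidates(scrambled).items()]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


# Constructed sample: the "scrambled" file is produced here by shifting known
# plain text right by one bit across the whole stream; the assignment's real
# file is not reproduced on this page.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog.\n"
SCRAMBLED = shift_stream(PLAIN_TEXT, "right")

if __name__ == "__main__":
    for name, ratio, data in rank_candidates(SCRAMBLED):
        print(f"{name:13s} printable={ratio:.2f} {data[:24]!r}")
```

The two interpretations differ in practice: a per-byte left shift of a stream-shifted file clears the low bit of every byte, so "e" (0x65) comes back as "d" (0x64); only the stream-wise shift restores the text exactly. If the WinHex result still looks wrong, the scrambling was most likely a rotate or a shift of more than one bit, and the same ranking approach applies with those operations added.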
Two widely used forensic tools, ProDiscover and WinHex, are used in this investigation; each serves a distinct purpose and they complement each other. Many other tools exist for the same purposes, but the range of features these two provide makes them stand out.
ProDiscover is used to create forensic images of disks and other physical storage media and to examine those images sector by sector and cluster by cluster, which is the basis for recovering data, including data spread over several clusters. It has many other features, but these are the ones used in this case study. ProDiscover also works with hardware write blockers, so creating an image does not alter the original device; this matters because the original evidence must remain in the state in which it was found.
Files recovered with ProDiscover often have a corrupted header or other damaged data, and sometimes the header has been deliberately altered to get the file past an organisation's content filters. WinHex is used for exactly this: it edits file contents in binary mode, so data can be edited, copied, deleted, pasted and inserted at the byte level. In simple terms it is a hex editor, the binary-level equivalent of a word processor that works on ASCII text. Several views (cluster view, tree view and so on) make it easier to locate related data. It can also generate checksums and hash digests of data, and it produces reports in HTML or RTF format, which is useful when delivering findings in a final report.
Task 2: Digital Forensics Report
The initial findings came from e-mails that Bob Aspen, a contract employee at EMTS, exchanged with addresses outside EMTS; they were found later during screening of e-mail for all accounts in the organisation. Apart from the e-mails, a USB drive was recovered from Bob Aspen's desk, which is itself suspicious for a contract employee at a company with a strict policy on data and intellectual property. The traced e-mails indicated that the contract employee was trying to leak data to one of EMTS's competitors, and that the data was altered before being sent so as to get past the organisation's filter on e-mail attachments. The messages passed between [email protected] and [email protected], one of which matches the details registered for Bob Aspen at the organisation. The messages from [email protected] came from Jim Shu; the timestamps on the forwarded messages were slightly off, which suggests Jim Shu was in a different time zone, probably to the west, since timestamps are assigned by the mail servers rather than by the users. In the conversation the employee was asked to change the file extension from jpg to txt, and the header information as well, so that the attachments would pass the e-mail scanners.
In this section we recover an image file from the USB drive image provided by EMTS. The first step is a keyword search of the image in ASCII mode, case sensitive, for the string "FIF". The search term is "FIF" rather than "JPEG" or "JFIF" because the e-mails indicate the file headers were altered before sending, so the full "JFIF" label may no longer be present, whereas "FIF" still matches such a header. The search will also return hits in clusters belonging to files deleted from the USB drive earlier; these are false positives that cost the examiner time and effort to screen, so every hit must be checked.
We now create a ProDiscover project and look for the recoverable file.
- Open ProDiscover as Administrator and create a project named C10InChp.
- Add the image of the USB drive found at Bob Aspen's desk, provided by EMTS as the file C10InChp.eve.
- Run a cluster search of the disk in ASCII mode with Case Sensitive selected and "FIF" as the keyword, as discussed above.
- The clusters matching "FIF" are marked in the USB drive's data pane.
- Select the first occurrence of "FIF" and click it to move to the location of that cluster.
- Double-click the cluster to go to the tree view, where the recoverable files are listed.
- Right-click the cluster and choose Find File.
- Click Yes.
All matching clusters are shown; click Show File.
- Select the image file and save it as "recover1.jpg".
As the e-mail conversation of the accused, Bob Aspen, showed, the file header was changed to get the file past EMTS's e-mail filters. Because of this the file cannot be opened in any image viewer, so the header has to be edited and repaired in order to view the recovered file.
- Open recover1.jpg in WinHex.
- The header is damaged: offsets 0 to 3 read 7A 7A 7A 7A, offset 5 reads 10 and offset 6 reads 7A (the ASCII letter z).
- A JFIF (JPEG) file begins with FF D8 FF E0, so the values at offsets 0 to 3 are changed to restore that signature.
- Finally, in the text pane on the right, change zFIF to JFIF (offset 6 becomes 4A) and save the file as Fixed1.jpg.
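The header repair, followed by a structural check, as an added Python example (not from the page and not WinHex's own code). It assumes the damage reported above, FF D8 FF E0 overwritten with 7A 7A 7A 7A and the J of JFIF overwritten with z, and constructs a minimal JFIF file to work on; walk_markers is a simplified JPEG segment parser, enough to confirm the repaired file has a well-formed SOI/APP0/.../EOI structure, and all function names here are this example's own.

```python
"""Repair a JPEG/JFIF file whose leading bytes and the "J" of "JFIF" were
overwritten, then walk the marker segments to confirm the result parses as a
JPEG. The sample file is constructed below; the damage pattern follows the
values observed in WinHex."""

SOI_APP0 = bytes.fromhex("FFD8FFE0")   # Start Of Image followed by the APP0 marker
MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI",
                0xDA: "SOS", 0xD9: "EOI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}


def repair_jfif_header(data: bytes) -> bytes:
    """Restore offsets 0-3 to FF D8 FF E0 and offset 6 to 'J' when it reads 'zFIF'."""
    buf = bytearray(data)
    if len(buf) < 10:
        raise ValueError("file too short to hold a JFIF header")
    buf[0:4] = SOI_APP0
    if buf[6:10] == b"zFIF":
        buf[6] = ord("J")
    if buf[6:10] != b"JFIF":
        raise ValueError("APP0 identifier is not JFIF after repair: %r" % bytes(buf[6:10]))
    return bytes(buf)


def walk_markers(data: bytes) -> list:
    """Return the marker names in order; raises ValueError if the structure is
    not a JPEG. Simplified: fill bytes and RSTn markers are not handled."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    names, pos = ["SOI"], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        names.append(MARKER_NAMES.get(marker, "0x%02X" % marker))
        if marker == 0xD9:                 # EOI: nothing follows
            return names
        if marker == 0xDA:                 # SOS: entropy-coded data runs until EOI
            end = data.find(b"\xff\xd9", pos + 2)
            if end < 0:
                raise ValueError("no EOI after SOS")
            pos = end
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes itself
        pos += 2 + length
    raise ValueError("ran off the end of the file without an EOI marker")


def is_valid_jpeg(data: bytes) -> bool:
    try:
        walk_markers(data)
        return True
    except ValueError:
        return False


# Constructed sample: a minimal JFIF file (APP0 segment, no image data), and the
# same file damaged the way the recovered file was: FF D8 FF E0 -> 7A 7A 7A 7A
# and "JFIF" -> "zFIF".
INTACT = bytes.fromhex("FFD8FFE0" "0010" "4A46494600" "0101" "00" "0001" "0001" "0000" "FFD9")
DAMAGED = bytes.fromhex("7A7A7A7A") + INTACT[4:6] + b"z" + INTACT[7:]

if __name__ == "__main__":
    print("damaged parses as JPEG:", is_valid_jpeg(DAMAGED))
    print("repaired markers:", walk_markers(repair_jfif_header(DAMAGED)))
```

The marker walk is the check worth doing after any header repair: a file that opens in a viewer after the first four bytes are fixed may still have damage further in, and walking the segments (each non-SOS segment carries its own length) shows whether the rest of the structure is intact before the file is presented as evidence.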
Next we recover a file whose data is spread over non-contiguous clusters, that is, a fragmented file whose header and body were written in separate places. The approach is:
- Find all the clusters belonging to the image file to be reconstructed.
- Identify the starting and ending cluster of each fragment.
- Arrange the fragments in the correct order to rebuild the file.
- Finally, repair the header so the recovered image opens in an image viewer.
- In the tree view, search from cluster AE3 (2787 in decimal) to list all clusters related to the "FIF" hit; the software lists the related clusters:
- A pop-up window shows all clusters related to the search from AE3 (2787); select them and save the list to a text file named AE3-crave.txt.
- Open AE3-crave.txt, identify the clusters that belong together and arrange them into the correct order of fragments, which is necessary to rebuild the file from the cluster ranges found. Cluster numbers are hexadecimal:
- Fragment range 1: AC4 to B20
- Fragment range 2: 1D6 to 229
- Fragment range 3: 3CC to 406
- Fragment range 4: 14B to 182
- Fragment range 5: 938 to 96D
- Fragment range 6: 6 to D
- Mark all the clusters with the Add Clusters option, in the same order as the fragments listed above, from fragment 1 through fragment 6.
- After adding the clusters, use the Recover Clusters option, select Recover all clusters to single file, and save the result as recover2.jpg.
- Since the header information is corrupted, recover2.jpg cannot be viewed directly; repair the header as done earlier to view the recovered image.
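The cluster reassembly described in the steps above, done against a raw image in Python as an added example (not ProDiscover's code and not the page's own). It assumes a 512-byte cluster size, a constructed 64-cluster image into which a header-altered JFIF file is scattered in three fragments, and ranges written the way ProDiscover lists them (hexadecimal cluster numbers, so AE3 is 2787); parse_ranges, find_signature_clusters, reassemble, recover_file and build_sample_image are this example's own names.

```python
"""Reassemble a fragmented JPEG from a raw disk image using cluster ranges
mapped by the examiner, after locating the header cluster by signature search.
The cluster size and the fragment layout are assumptions for this constructed
sample, not data from the case."""

CLUSTER_SIZE = 512  # assumed; take the real value from the file system's boot sector


def parse_ranges(ranges: list) -> list:
    """Turn range strings such as 'AC4-B20' or '6' (hexadecimal cluster numbers,
    as ProDiscover lists them) into (first, last) integer pairs."""
    out = []
    for r in ranges:
        first, _, last = r.partition("-")
        a = int(first, 16)
        b = int(last, 16) if last else a
        if b < a:
            raise ValueError("descending range %r" % r)
        out.append((a, b))
    return out


def read_clusters(image: bytes, first: int, last: int, size: int = CLUSTER_SIZE) -> bytes:
    """Raw bytes of clusters first..last inclusive."""
    end = (last + 1) * size
    if end > len(image):
        raise ValueError("cluster range %X-%X lies past the end of the image" % (first, last))
    return image[first * size:end]


def find_signature_clusters(image: bytes, signature: bytes, size: int = CLUSTER_SIZE) -> list:
    """Cluster numbers whose content contains the signature (case-sensitive byte
    match), the equivalent of the cluster search for 'FIF'."""
    hits = []
    pos = image.find(signature)
    while pos != -1:
        cluster = pos // size
        if cluster not in hits:
            hits.append(cluster)
        pos = image.find(signature, pos + 1)
    return hits


def reassemble(image: bytes, ranges: list, size: int = CLUSTER_SIZE) -> bytes:
    """Concatenate the fragments in the order given; a wrong order yields garbage."""
    return b"".join(read_clusters(image, a, b, size) for a, b in parse_ranges(ranges))


def repair_jfif_header(data: bytes) -> bytes:
    """Restore FF D8 FF E0 at offset 0 and the J of JFIF at offset 6."""
    buf = bytearray(data)
    buf[0:4] = bytes.fromhex("FFD8FFE0")
    if buf[6:10] == b"zFIF":
        buf[6] = ord("J")
    return bytes(buf)


def trim_to_eoi(data: bytes) -> bytes:
    """Cut off cluster slack after the first FF D9 (End Of Image). Caveat: a JPEG
    with an embedded EXIF thumbnail carries a second EOI inside APP1, so for
    such files the segment structure must be walked instead of taking the first hit."""
    end = data.find(b"\xff\xd9")
    if end < 0:
        raise ValueError("no EOI marker; the fragment list is probably incomplete")
    return data[:end + 2]


def recover_file(image: bytes, ranges: list) -> bytes:
    return trim_to_eoi(repair_jfif_header(reassemble(image, ranges)))


def build_sample_image() -> tuple:
    """Constructed sample: a JFIF file with its header altered the way the case's
    file was (FF D8 FF E0 -> 7A 7A 7A 7A, JFIF -> zFIF), padded to six clusters
    and scattered over a 64-cluster image filled with 0xCC. Returns the image,
    the intact file to compare against, and the fragment ranges in file order."""
    damaged_header = bytes.fromhex("7A7A7A7A" "0010" "7A46494600" "0101" "00" "0001" "0001" "0000")
    body = bytes(range(256)) * 10            # stand-in for image data; contains no FF D9
    intact = bytes.fromhex("FFD8FFE0") + damaged_header[4:6] + b"J" + damaged_header[7:] + body + b"\xff\xd9"
    damaged = damaged_header + body + b"\xff\xd9"
    padded = damaged + b"\x00" * (-len(damaged) % CLUSTER_SIZE)
    image = bytearray(b"\xcc" * (64 * CLUSTER_SIZE))
    # file clusters 0-1 -> image clusters 30-31, 2-4 -> A-C, 5 -> 22 (all hex)
    layout = [("30-31", 0, 2), ("A-C", 2, 5), ("22", 5, 6)]
    for rng, a, b in layout:
        first, last = parse_ranges([rng])[0]
        image[first * CLUSTER_SIZE:(last + 1) * CLUSTER_SIZE] = padded[a * CLUSTER_SIZE:b * CLUSTER_SIZE]
    return bytes(image), intact, [rng for rng, _, _ in layout]


if __name__ == "__main__":
    img, want, ranges = build_sample_image()
    print("FIF found in clusters:", ["%X" % c for c in find_signature_clusters(img, b"FIF")])
    print("recovered file matches original:", recover_file(img, ranges) == want)
```

The signature search only locates the cluster holding the header; the remaining fragments still have to be mapped by the examiner, and the order of the ranges is what makes or breaks the result, as feeding the same three ranges in reverse produces a file that is neither viewable nor the same length. Hashing the recovered file and recording the exact cluster ranges used is what makes the recovery reproducible in the report.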
- The captured e-mails gave the initial direction of the investigation: Bob Aspen was trying to leak EMTS's intellectual property.
- The USB drive contained the images with altered headers, which shows that Bob Aspen was indeed trying to hide the images leaked to EMTS's competitors, a leak that would cause EMTS a severe loss of revenue.
Conclusion
The case concerns a possible theft of intellectual property by a contract employee of Exotic Mountain Tour Service (EMTS): confidential data that may have been leaked to a competitor, who could then undermine the entire marketing survey EMTS carried out with Superior Bicycles, LLC. If the leak is real it could cause EMTS a severe loss of revenue, since the strategic advantage gained from the survey and its results would be lost to the competition.
ProDiscover is an excellent tool for managing disks and images of storage devices, helping to find digital evidence and to carry out the forensic work needed to identify those responsible. WinHex is likewise an excellent forensic tool, letting the examiner edit data at the binary level just as a text editor edits ASCII text.
Bob Aspen was indeed trying to leak intellectual property belonging to EMTS; he attempted to do so via e-mail and also by copying the data to a USB drive.
Source: My Assignment Help (2020). Digital Forensics Essay: Recovering Scrambled Bits. https://myassignmenthelp.com/free-samples/coit20267-computer-forensics/forensic-investigations-and-theft-of-intellectual-property.html (accessed 07 October 2024).