In the state of Western Australia, it is illegal to access, own or distribute digital content relating to clowns. An allegation has been made to law enforcement in which a witness claims to have seen an individual access clown-related content within a place of work. Following the approval of formal warrants, the computer in question was seized from the workplace. The computer was then forensically acquired using FTK Imager. Unfortunately, the junior investigator who obtained the ‘forensic image’ of the computer only performed a logical acquisition. To worsen the situation, the junior investigator forensically wiped the original hard drive from the computer. Fortunately, the logical acquisition was undertaken in a forensically sound manner. The suspect, Clark, denies accessing clown content. However, Clark does confirm that the computer belongs to him. Clark stated that he does not always take the computer home or lock it when he is away from his desk.
You are a consultant who specialises in digital forensic investigations. You have been assigned the task of examining a ‘forensic’ image of the laptop, which was seized with correct warrants. It is currently unknown what Clark was doing with the clown content. In Clark’s opinion, the computer was infected with malware, which resulted in any potential content appearing on the computer.
Your task is to investigate the supplied forensic image using appropriate tools and processes and to develop and submit a written report on your findings. You may use any tools to undertake the investigation, but you must justify all of your actions.
Overview of tasks
In Western Australia, a computer was seized from a workplace because, according to the information received, clown content had been accessed from it. Accessing, owning or distributing clown content is illegal in Western Australia. The seized computer was forensically investigated and a forensic image of its hard drive was obtained; this image is the digital evidence, and it holds the evidence collected in relation to the offence. The forensic investigation is now carried out on that image using forensic tools, namely OSForensics, Autopsy and FTK Imager. The aims are to identify the owner of the content, to establish the intent behind the offence and to determine the number of relevant files present in the forensic image.
The forensic tools were downloaded and installed in order to analyze the forensic image of the computer on which the offence took place. The first task is to obtain the forensic image of that computer; the second is to analyze the image with appropriate tools. Using these tools, the clown content, which is illegal in Western Australia, was found.
The resources used for the investigation are FTK Imager, OSForensics and Autopsy. The people involved are Clark, who is the suspect, the investigator and a junior investigator, and a workstation is used on which the forensic investigation is performed. The tools used to investigate the supplied forensic image are explained in detail below ("Dendroecology: A Key Forensic Age-Dating Tool", 2005).
FTK Imager is a forensic tool and software library package used to access the data in an image ("AccessData", 2018). FTK stores images in the SMART file format and is used across a range of technologies. It is part of the computer crime-scene investigation software made by AccessData; the toolkit also includes a stand-alone disk imaging program, FTK Imager. FTK Imager is a software acquisition tool that is used to preview evidence quickly ("Chapter 8 - FTK Imager Walkthrough - Incident Response and Computer Forensics, 3rd Edition", 2018). The computer forensic examination is performed through the Forensic Toolkit. This forensic tool is mainly used to obtain the evidence, keep it secure and analyze it, and it preserves the computer evidence in its original state. To do so, it can create an image of the suspect drive using either hardware devices or software. It has many features that relate to forensic investigation, which are described below ("Evidence Acquisition Using Accessdata FTK Imager", 2018). The first is email analysis: the forensic tool provides an interface for email analysis and is used for email parsing and header analysis with respect to IP addresses. The next is file decryption, which is considered an essential feature of the Forensic Toolkit ("Forensic Toolkit FTK Imager Free Download - ALL PC World", 2018). It is used to crack passwords; with FTK, passwords for over a hundred applications can be recovered ("FTK Imager - ForensicsWiki", 2018). The third is data carving. Using the Forensic Toolkit, robust data carving is obtained, and investigators have the option to find files based on file size and data type. The fourth is data visualization, which is considered an emerging feature in forensic investigation.
Investigators use data visualization for the analysis of text data. It also helps users construct timelines, cluster graphs and geolocation views ("Ftk Imager - Free downloads and reviews - CNET Download.com", 2018). The web viewer is also considered an important feature and is used to accelerate case assessment in real time; multicast routing is performed through the web viewer. Another feature is Cerberus, a powerful automated malware detection component in which machine intelligence is used to detect malware on computers. The next feature is OCR, optical character recognition, which is used to convert images into readable text and supports multiple languages.
Strategies and Resources
The steps for installing the Forensic Toolkit Imager are listed below, with a screenshot for each step, starting with the initial step of the installation and ending with its completion.
Step 1 - Welcome page
The initial page of the installation is shown above. The InstallShield wizard appears, together with a warning section.
Step 2 - License agreement
The license agreement is shown in the screenshot above. The license is accepted; it is provided for security purposes.
Step 3 - Destination folder
The storage path for AccessData FTK Imager appears, and the path is displayed.
Step 4 - Starting the installation
The ready stage of the installation is displayed. Here the Install button is clicked.
Step 5 - Installing AccessData FTK Imager
The installation in progress is shown, and the installation status is displayed.
Step 6 - Completion of the wizard
The completion of the installation is shown. AccessData FTK Imager is ready to launch.
Step 7 - Home page of FTK Imager
The home page of the Forensic Toolkit Imager appears in the screenshot. It shows the general options of the tool (Bowser-Rollins, 2018).
Step 8 - Source selection
The source selection is displayed in the screenshot, showing the available evidence types.
Autopsy is a digital forensics platform and graphical interface used for forensic work ("Autopsy - Basis Technology", 2018). It is mainly used by law enforcement, the military and corporate examiners who need to protect their content ("Autopsy - Digital Forensics Platform - Hacking Vision", 2018). The tool is also used to explore content, for example checking and investigating computers to find out what kind of activity took place on a personal computer. It can also recover images from a camera's memory card and be used for other recovery purposes ("Autopsy – Training | Autopsy", 2018). The software is largely maintained by Basis Technology Corp. with the help of developers from the community, and the company offers support services and training for using the product. The GUI shows the results of the underlying volume analysis and makes it easier for examiners to reach the relevant areas of information ("Autopsy | Open Source Digital Forensics", 2018). It is a forensic tool that makes it easier to deploy many of the open-source programs and plugins used in The Sleuth Kit ("Autopsy of a Dill Pickle-Introductory Lab for Anatomy or Forensics!", 2018). The tool also provides several case management capabilities. In particular, investigations started in Autopsy are organized by case, and each case can contain multiple hosts ("Autopsy", 2018). Each host is configured with its own time zone so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to investigate. The Autopsy tool is designed around some specific principles.
The first is extensibility ("International Environmental Forensics Conference Qingdao, China, May 27–30, 2008", 2007). New functionality should be added by developing plugins, and the tool should provide a standard mechanism for such features. It offers many functions for case management, which investigators use heavily. These functions are listed below.
The event sequencer is a case management function to which time-based events can be added ("Autopsy", 2018). Autopsy sorts the events, so through this function investigators can easily determine the sequence of events. The next function is notes. Notes are saved per investigator and let investigators record observations about files and structures; they are stored as ASCII text. Image integrity is the third function ("Autopsy: Lesson 1: Analyzing Deleted JPEGs", 2018). Here the forensic investigator has to ensure that the data is not modified during the analysis. Autopsy generates an MD5 value for every file ("Hacking & Digital Forensics & Autopsy - Stay Anonymous", 2018), and this value is used to validate the integrity of the file. The fourth function is reports. Autopsy can create ASCII reports for files and other file system structures, and these reports are used to create datasheets (Galvao, 2006).
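The image integrity function described above can be reproduced by hand. The following is an added example, not code from the report or from Autopsy, FTK Imager or OSForensics: it hashes every file under an evidence directory into a manifest, then re-verifies the directory and reports files that changed, vanished or appeared. The directory layout and file contents used in demo() are constructed for the demonstration.

```python
"""Hash manifest for an acquired evidence set (added example).

Autopsy and FTK Imager record a hash for each file so that later analysis can
be shown not to have altered the evidence. This does the same thing by hand:
hash every file under an evidence directory into a manifest, then re-verify
the directory against that manifest. The evidence files in demo() are
constructed; nothing here comes from the real image.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large files do not fill memory


def hash_file(path: Path) -> dict:
    """MD5 and SHA-256 of one file. MD5 is kept because existing tools and
    reports quote it; the verification below relies on SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": path.stat().st_size}


def build_manifest(evidence_dir: Path) -> dict:
    """Hash every regular file below evidence_dir, keyed by relative POSIX path."""
    return {p.relative_to(evidence_dir).as_posix(): hash_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the directory with a stored manifest. Three empty lists mean
    the evidence set is byte-for-byte as it was when the manifest was made."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(f for f in manifest
                           if f in current and current[f]["sha256"] != manifest[f]["sha256"]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed evidence set: build a manifest, verify, then show that a
    later edit to one file is detected. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        downloads = ev / "Users" / "clark" / "Downloads"
        downloads.mkdir(parents=True)
        (downloads / "picture1.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (ev / "Users" / "clark" / "mail.eml").write_text("From: jerry\n\nconstructed mail\n")
        manifest = build_manifest(ev)
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(ev, manifest)
        # Something (an examiner's slip, or malware) alters the mail file after acquisition.
        (ev / "Users" / "clark" / "mail.eml").write_text("From: jerry\n\nedited\n")
        tampered = verify_manifest(ev, json.loads(manifest_file.read_text()))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```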
The steps for installing Autopsy are listed below ("Autopsy: Download", 2018), with a screenshot for each step, starting with the initial step of the installation and ending with its completion.
OSForensics is the sole property of PassMark Software Pty Ltd, a leading organization in the development of digital forensic analysis software ("The Evolution of Environmental Forensics in the United States", 2001). Their contribution to digital forensics is highly noticeable ("The International Society of Environmental Forensics Announces the Following Workshops for 2002", 2002). OSForensics is one of the most important digital forensic analysis tools, and many software developers use it as a benchmark against which to test their own capability, which shows that it is one of the most powerful digital forensic toolkits. Many government agencies, including major ones, are among its customers. The tool is mostly used for analyzing various kinds of digital forensic evidence. It is available in two editions (begam, 2018): a free edition and a Pro edition. The Pro edition has greater capability than the free edition, because the free edition has some limitations, although the free edition is still a very powerful evidence analyzer. The Pro edition is available for about 1000 dollars, which is not that costly ("Forensics, Anti-forensics and Counter Anti-forensics for JPEG Compressed Images", 2016). The price is reasonable because competing products are three to four times more expensive, yet feature-wise this software is not inferior to any competitor. The tool therefore has a high price-to-performance ratio, which is why most private companies prefer it over other tools.
Installation of Forensic toolkit imager
This software works on the basis of three processes: Discover, Identify and Manage ("Firefox OS Forensics: Guidelines and Challenges", 2016). This three-step process gives forensic investigators an excellent experience when analyzing digital forensic evidence. These three steps are considered the most prominent features of any analysis tool, because the tool must first analyze the evidence at high speed (Armknecht & Dewald, 2015), then identify the possible threats present in the analyzed evidence, and finally help to produce a proper formal report on the analysis and its findings. OSForensics is capable of all three activities mentioned above. The various features provided by OSForensics are listed in the section below.
- High-speed file analysis engines.
- Searching for files within other files.
- Finding emails through the software tool.
- Recovery of deleted files.
- Effective collection of system details from the digital forensic evidence.
- Extraction of login credentials, such as user names and passwords, from the evidence.
- Production of a formal report on the analysis and findings.
- Creation of a drive image file so that the evidence can be analyzed without disturbing the source.
- Rebuilding of RAID arrays.
- Excellent after-purchase support from the company, which is an important feature for any product or service; their staff are available on all business days to help and support users of the tool.
The procedure for installing this software tool is also explained with pictures in the section below, which gives a better understanding than a written description (Brinson, Robinson & Rogers, 2006).
Installation of OSForensics
The steps for installing OSForensics are listed below, with a screenshot for each step (Carlton & Worthley, 2010), starting with the initial step of the installation and ending with its completion.
Screenshots were added to identify the owner of the clown-related files. We checked the ownership and permissions of the computer's user account, and this verification identifies the suspect (Morrison, 2002). These analyses are sufficient to reach a decision about the suspect: the suspect is Clark.
The intent of the crime is confirmed: Clark was spreading clown content to all the systems in the workplace. Jerry, who works with Clark, wrote the mail “stop clowning about and start working like a superman ;)”. From this it is confirmed that Clark is the offender and that he deliberately distributed the clown images and content.
More clown pictures and a video were found in the forensic image, along with PDFs, web downloads, web history, web search results and emails. The programs installed on the system and the recent documents were also found.
Firefox, TrueCrypt and MPlayer2 are the installed programs that are relevant to the investigation of the forensic image. Clark used Firefox to download the clown video, pictures and document from clown-related websites on the internet.
The forensic investigation was carried out with the help of forensic tools. The content related to the offence was found, including clown images, a video, a document, web downloads, web searches, a web bookmark and email. The ownership of the offending content was established and confirmed, and the intent behind the crime was then verified. The number of files stored in the forensic image of the hard drive was analyzed, and the programs installed on the device that relate to the offence were identified.
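The web history and web search evidence referred to above lives in Firefox's places.sqlite. The following is an added example, not part of the report or of any of the tools it uses: it builds a reduced copy of that database in memory from constructed rows, queries it for keyword hits in URLs and titles, and renders the visits as a UTC timeline with the Firefox visit type (typed URL, followed link, download) attached.

```python
"""Keyword triage of Firefox browsing history (added example).

Firefox keeps history in places.sqlite: moz_places holds one row per URL and
moz_historyvisits one row per visit, with visit_date stored as PRTime, i.e.
microseconds since the Unix epoch. The rows below are constructed; on a real
image the profile's places.sqlite would be copied out and opened read-only.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL,
                         title TEXT, visit_count INTEGER DEFAULT 0);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                visit_date INTEGER, visit_type INTEGER);
"""

# Constructed sample rows (not from the real image).
PLACES = [
    (1, "https://example.org/gallery/clowns", "Clown gallery", 1),
    (2, "https://www.google.com/search?q=clown+pictures", "clown pictures - Google Search", 1),
    (3, "https://intranet.example.com/timesheet", "Timesheet", 1),
    (4, "https://example.org/gallery/clown_video.mp4", None, 1),  # downloads often have no title
]
# visit_date is PRTime (microseconds); 1527811200 s = 2018-06-01T00:00:00Z.
VISITS = [
    (1, 2, 1_527_811_200_000_000, 2),  # search query typed into the address bar
    (2, 1, 1_527_811_320_000_000, 1),  # result link followed two minutes later
    (3, 3, 1_527_811_700_000_000, 1),  # unrelated work page
    (4, 4, 1_527_897_600_000_000, 7),  # video downloaded the next day
]
# Firefox transition types used above (others exist, e.g. 3 = bookmark).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 7: "download"}


def prtime_to_utc(prtime_us: int) -> str:
    """Convert Firefox PRTime (microseconds since epoch) to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(prtime_us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a profile's places.sqlite, loaded with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", VISITS)
    return conn


def keyword_timeline(conn: sqlite3.Connection, keywords) -> list:
    """Return [(utc_time, visit_kind, url, title)] for every visit whose URL or
    title contains any keyword (case-insensitive), oldest first."""
    if not keywords:
        return []
    where = " OR ".join(["lower(p.url) LIKE ? OR lower(p.title) LIKE ?"] * len(keywords))
    params = [f"%{k.lower()}%" for k in keywords for _ in range(2)]
    rows = conn.execute(
        "SELECT v.visit_date, v.visit_type, p.url, p.title FROM moz_historyvisits v "
        f"JOIN moz_places p ON p.id = v.place_id WHERE {where} ORDER BY v.visit_date",
        params,
    ).fetchall()
    return [(prtime_to_utc(ts), VISIT_TYPES.get(kind, f"type{kind}"), url, title)
            for ts, kind, url, title in rows]


if __name__ == "__main__":
    for row in keyword_timeline(build_sample_db(), ["clown"]):
        print(*row, sep="  ")
```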
AccessData. (2018). Retrieved from https://www.youtube.com/user/accessdatagroup
Armknecht, F., & Dewald, A. (2015). Privacy-preserving email forensics. Digital Investigation, 14, S127-S136. doi: 10.1016/j.diin.2015.05.003
Autopsy - Basis Technology. (2018). Retrieved from https://www.basistech.com/autopsy/
Autopsy - Digital Forensics Platform - Hacking Vision. (2018). Retrieved from https://hackingvision.com/2017/02/18/autopsy-digital-forensics-platform/
Autopsy – Training | Autopsy. (2018). Retrieved from https://www.autopsy.com/training/
Autopsy | Open Source Digital Forensics. (2018). Retrieved from https://www.autopsy.com/
Autopsy of a Dill Pickle-Introductory Lab for Anatomy or Forensics! (2018). Retrieved from https://socalnailz.com/2018/08/30/autopsy-of-a-dill-pickle-a-great-introductory-lab-for-anatomy-or-forensics-edgy-instruction/
Autopsy. (2018). Retrieved from https://sourceforge.net/projects/autopsy/
Autopsy. (2018). Retrieved from https://www.sleuthkit.org/autopsy/
Autopsy: Download. (2018). Retrieved from https://www.sleuthkit.org/autopsy/download.php
Autopsy: Lesson 1: Analyzing Deleted JPEGs. (2018). Retrieved from https://www.computersecuritystudent.com/FORENSICS/AUTOPSY/lesson1/index.html
Begam, R. (2018). Retrieved from https://nest.unm.edu/files/5513/9251/4756/Tutorial_1_-_FTK_Imager_-_Imaging.pdf
Bowser-Rollins, A. (2018). Tools of the Trade – FTK Imager. Retrieved from https://litigationsupportguru.com/tools-of-the-trade-ftk-imager
Brinson, A., Robinson, A., & Rogers, M. (2006). A cyber forensics ontology: Creating a new approach to studying cyber forensics. Digital Investigation, 3, 37-43. doi: 10.1016/j.diin.2006.06.008
Carlton, G. (2008). An Evaluation of Windows-Based Computer Forensics Application Software Running on a Macintosh. Journal of Digital Forensics, Security and Law. doi: 10.15394/jdfsl.2008.1045
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners. Journal of Digital Forensics, Security and Law. doi: 10.15394/jdfsl.2010.1069
Casey, E. (2012). Cloud computing and digital forensics. Digital Investigation, 9(2), 69-70. doi: 10.1016/j.diin.2012.11.001
Casey, E. (2013). Triage in digital forensics. Digital Investigation, 10(2), 85-86. doi: 10.1016/j.diin.2013.08.001
Casey, E. (2015). Smart home forensics. Digital Investigation, 13, A1-A2. doi: 10.1016/j.diin.2015.05.017
Chandel, R. (2018). Step by Step Tutorial of FTK Imager (Beginners Guide). Retrieved from https://www.hackingarticles.in/step-by-step-tutorial-of-ftk-imager-beginners-guide/
Chapter 8 - FTK Imager Walkthrough - Incident Response and Computer Forensics, 3rd Edition. (2018). Retrieved from https://ir3e.com/chapter-8-ftk-walkthrough/
Cho, S., Kim, D., Park, J., & Gil, K. (2015). Online Water Monitoring Method as a Water Security Tool: A Feasibility View. Environmental Forensics, 16(3), 231-241. doi: 10.1080/15275922.2015.1059390
Dendroecology: A Key Forensic Age-Dating Tool. (2005). Environmental Forensics, 6(1), 3-4. doi: 10.1080/15275920590913813
Duc, H. (2018). How to Investigate Files with FTK Imager - eForensics. Retrieved from https://eforensicsmag.com/how-to-investigate-files-with-ftk-imager/
Ebert, J. (2012). Book Review: Mastering Windows Network Forensics and Investigation, 2/E. Journal of Digital Forensics, Security and Law. doi: 10.15394/jdfsl.2012.1136
Evidence Acquisition Using Accessdata FTK Imager. (2018). Retrieved from https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/
Firefox OS Forensics: Guidelines and Challenges. (2016). International Journal of Science and Research (IJSR), 5(6), 290-293. doi: 10.21275/v5i6.nov164047
Forensic Toolkit FTK Imager Free Download - ALL PC World. (2018). Retrieved from https://allpcworld.com/forensic-toolkit-ftk-imager-free-download/
Forensic Toolkit. (2018). Retrieved from https://en.wikipedia.org/wiki/Forensic_Toolkit
Forensics, Anti-forensics and Counter Anti-forensics for JPEG Compressed Images. (2016). International Journal of Computing, Communication and Instrumentation Engineering, 3(1). doi: 10.15242/ijccie.e0116039
Frysinger, G. (2002). GC×GC—A New Analytical Tool For Environmental Forensics. Environmental Forensics, 3(1), 27-34. doi: 10.1006/enfo.2002.0077
Frysinger, G., Gaines, R., & Reddy, C. (2002). GC × GC - A New Analytical Tool For Environmental Forensics. Environmental Forensics, 3(1), 27-34. doi: 10.1080/15275920216245
FTK Imager - ForensicsWiki. (2018). Retrieved from https://www.forensicswiki.org/wiki/FTK_Imager
FTK Imager 3.2.0. (2018). Retrieved from https://marketing.accessdata.com/ftkimager3.2.0
Galvao, R. (2006). Computer Forensics with the Sleuth Kit and the Autopsy Forensic Browse. The International Journal of Forensic Computer Science, 41-44. doi: 10.5769/j200601005
Hacking & Digital Forensics & Autopsy - Stay Anonymous. (2018). Retrieved from https://www.udemy.com/hacking-digital-forensics-autopsy-stay-annoymous/
Haddad, R. (2004). Invited Editorial: What is Environmental Forensics? Environmental Forensics, 5(1), 3-3. doi: 10.1080/15275920490424006
International Environmental Forensics Conference Qingdao, China, May 27–30, 2008. (2007). Environmental Forensics, 8(4), 405-405. doi: 10.1080/15275920701741766
Joyce, R., Powers, J., & Adelstein, F. (2008). MEGA: A tool for Mac OS X operating system and application forensics. Digital Investigation, 5, S83-S90. doi: 10.1016/j.diin.2008.05.011
Kessler, G. (2008). Book Review: Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit. Journal of Digital Forensics, Security and Law. doi: 10.15394/jdfsl.2008.1051
Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Journal of Digital Forensics, Security and Law. doi: 10.15394/jdfsl.2014.1165
Machemer, S., & Wang, Z. (2007). Environmental Forensics at Pacifichem 2005. Environmental Forensics, 8(1-2), 75-76. doi: 10.1080/15275920601180594
Morrison, R. (2001). Environmental Forensics: an International Forum. Environmental Forensics, 2(4), 261. doi: 10.1006/enfo.2001.0067
Morrison, R. (2002). International Society of Environmental Forensics (ISEF). Environmental Forensics, 3(2), 89. doi: 10.1006/enfo.2002.0082