Free Sample   Digital Forensic Case Study


Students can't be Wrong!






PhD Experts


250 Words

Digital Forensic Case Study

  156 Downloads   |   10 Pages 2,301 Words   |   Published Date: 24/08/2015

Question - Write a case study on Digital Forensic methodology?




Executive Summary.


      Global Finance Background and Concern.

Digital Forensic Methodology.

      Scope of the Case.

Digital Forensic Methodology Approach.

       Investigation Process.


       Volatile Data Capture.

       Non- Volatile Data Capture.


       File System Examination.

       Windows Registry Examination.

       Network Forensic Examination.

       Database Forensic Examination.








Executive Summary

Global Finance company stands to be one of the largest finance company, providing the investment, superannuation and retirement services in Australia. It has a wider range of clients right from individuals to the corporation and superannuation fund investors. Very soon the company has widened its services throughout the globe with information technology support and strives to overcome the security challenges of the company.


Global Finance company experiences a suspect or compromise of the information in one manager’s computer, working in the Queensland branch. Information security officer is accountable to this challenge and enforced an investigation audit team to investigate the source of the compromise to overcome the challenge.

Global Finance Background and Concern

The Global Finance Company is in the following state as considered by the audit team.

  1. Global Finance is a huge international player company with more than 10,000 employees employed throughout the world, with sector interests.
  2. The concern with the security is the compromise of the manager’s computer, in one of its branches in Australia.
  3. Global Finance company has been spread worldwide with the support of information technology.
  4. Networking and application infrastructure in the branch offices are missing after 2000, so the there is flat network environment with no access restrictions.
  5. Servers and workstations in the head office and all the branch offices are based on Microsoft Windows.
  6. Implementation of the network segmentation and firewall is poor.
  7. Though instruction detection and logging detection are existing, these are not regularly used.
  8. Head office has the necessary information technology infrastructure and technology with potential investigative and forensic capabilities.
  9. Information security officer has initiated the investigation by enforcing an audit team for digital forensic investigation.
  10. Auditing team has got the responsibilities of digital forensic analysis, documentation and presentation of the same to the information security officer.

Digital Forensic Methodology

Digital forensic investigation methodology is recommended and employed by the information security officer, as the methodology can find and reveal the source of compromise of the manager’s computer, by detecting all the workstations and networking among them. Digital forensic investigation methodology involves the sub tasks of data recovery, in case if any of the potential data is lost and network forensic to find if there is any compromise caused through the network.

Before the investigation started by the audit team, they need to follow the following principles.

  1. Data present in the media should not be modified and the data has to be presented as is to the information security officer.
  2. Each team member of the audit must be well acquainted with enough expertise to ensure that the data is handled safely, without loss.
  3. The team has to preserve all the relevant documented information done, during the investigation.
  4. The whole and sole accountable person in this investigation is the information security officer, so everything has to be communicated and submitted to the information security officer.



Scope of the Case

          Digital forensic investigation done in the Global Finance company has the following scope.

  • Identification of any malicious activities and investigation of 5ws or why, when, what, where and who
  • Identifying the security lapse in the network
  • Identification of all possible digital evidence within the network
  • Finding and estimating the impact of the investigation, if the compromise happened
  • Identification of the legal procedure, in case the misconduct is found illegal
  • The extent of investigation and further security steps are taken by the information security officer, who is whole and sole accountable person

Digital Forensic Methodology Approach

There are many digital forensic methodology approaches followed according to the situation, so there is no one common approach that fits all the cases. In the case of the compromise of the branch of the Global Finance company, the approach recommended is FSFP or Four Step Forensics Process.

The approach has the following processes.


The arrow is the indication of preservation of the document evidence throughout the process.

Investigation Process

Digital forensic investigation is done in the following phases.


Collection consists of identification, labeling and recording the data from all the sources possible, followed by the maintaining the integrity of the data. Data is primarily collected as both volatile and non volatile data.

The same LAN connection is to be used to access the forensic workstation of the manager and other workstations. Server of manager’s computer is taken as the target in this case. Microsoft Windows software is run in this server. To hear from the server, ‘cryptcatp tool is used. The team creates toolset optical drive and opened through a trusted console, comd.exe.

The following statements are then executed.

Cryptcat 6543 – k key

Use the following command, for the data capture from the forensic workstation.

Cryptcat -1 –p 6543 –k key >>

Other tools that can be used here are the graphical user interface tools, like Process Explorer, Tcpview and Rootkit Revealer. The other Windows based tools used to capture the data are,

Ipconfig – for collection of the subject system details

HBGray’s fastDump – to acquire the local physical memory

Doskey or history - for collection of command history

HBGray’s F-Response – to acquire remote physical memory

Netfile – for identification of the drivers and services

Netusers and qusers – for identification of the logged in user information

Other potential data is collected from the clipboard. Other potential data is network connection present, running processes and network data.

Volatile Data Capture

Volatile data capture involves the data collection from the RAM, registry and cache memory.

Non- Volatile Data Capture

Potential non volatile data collection involves the collection of the antivirus logs, database logs, windows event logs, IDS logs, domain controller logs, application logs, firewall logs and other online data. Collection of the non volatile data is also called as forensic imaging.

The non volatile data collection involves data present in the hard disc and other removable discs, like flash drives, USB drives, CD, DVD, memory cards, remote hard drives and remote computers, in the form of MS Outlook, MS Word and Spreadsheet. Collection continues with the other computers, switches, network topology documentation, network diagrams, routers and servers. Live networking traffic can clue very significant and potential digital data for the investigation.

Forensic imaging involves copy of the entire non volatile data from the manger’s system and no further alterations are to be done. Various tools used for forensic imaging are FTK, EnCase and ProDiscover with write block. Forensic imaging is better than the hard disc cloning, as it copies the integrated data that includes the metadata, which is significant in the investigation. The audit team does both this offline data and other online data using the tools, ethereal and Wireshrk tools.

All the collected data is well documented by the audit team.


After the digital data collection is done, examination is conducted using forensic investigation tools. Investigation is done for the manager’s computer, as the following.

File System Examination

New Technology File System disc or NTFS disc file has MFT or Master File Table information. MFT has all the files and disc crucial information. MFT contains the metadata of the files, which are existing and deleted, noted by the operating system.

The data in file is stored as

c: echo text_mass > file1.txt:file2.txt

The following command is used to retrieve the above,

c:more <file1.txt:file2.txt

virus is also another potential data malfunction and so has to be considered for investigation.



Windows Registry Examination

          Windows registry logs can reveal modification of the file information according to the time, lastwrite registry details, precise data in a database for the user application along with the hardware device reference point.

The Windows registry structure is






The important keys and values are,

User Activity: user performed actions and activities over the manager’s computer can be accessed through HKEY_CURRENT_USER

Autostart : This registry is a set that is launched without initiation of the user.

MRU or Most Recent Used List: to keep track of the current activities.

Other important clues are USB Removable storage, UserAssit, Wireless SSIDs, etc.

Network Forensic Examination

Tracking of packet forensics or packet mining is tracked via the network to track the network traffic like mails, browsing history, queries, etc.

Network forensic tools can be applied in one of the two ways, security related and the other is forensic data according to the enforcement of the law. The team uses many network forensic tools and techniques to discrete investigated data like registry information, process listing, service listing, system information, logged on users, registry users, network connections and binary memory dump to explore and investigate. Packet sniffers help identifying and mapping the fingerprinting, web services and email communication, etc.

Database Forensic Examination

Database data is tracked through the queries for data identification and then preserved to analyze. IP addresses are tracked for remote connections. Database transactions are tracked though Data Manipulation and Data Definition Languages, DML and DDL. Customized file configuration is used to execute Database Consistency Checker and Distributed Management Views towards intrusion explosion.


          Detailed data analysis is done after considering each of the digital evidence data. The analysis includes the following actiivites.

  1. Unusual application requests
  2. Looking the unusual and hidden files along with unusually opened sockets
  3. Malicious activies
  4. Complete analysis for memory
  5. Unusual accounts
  6. Malware analysis
  7. Complete analysis of timeline
  8. Patching level system
  9. Updated levels
  10. Complete analysis of file systems
  11. Complete analysis of event correlation

The crucial malware analysis includes various tasks within, like, examining the logs, prefetch examination, search of known malware using either dynamic or static analysis.


After the analysis the findings are summarized as,

  1. Identification of the compromise of the manager’s computer
  2. Identification of persistent remote access or direct access by the attacker
  3. Installing OS patch if not done in the target computer
  4. Malware that is suspected


Investigation is done over the manager’s computer and all other computers and computing devices present in the branch office. Audit team creates a formal report and then submitted to the information security officer.

Final Report


The report has the purpose of submission of the formal investigated information, related to the sources of compromise occurred to the manager’s and all other computers.

Author of the Report

Information Security Officer

Incident Summary

All the source of the compromise that are found and suspected on manager’s computer.

Digital Evidences

All relevant log files and other potential digital evidences found in the investigation


Analysis of the sources of the compromise


The manager’s computer is digitally investigated for the sources of compromise, along with the and other computers in the regional office

Supporting Documents

Volatile, non- volatile data, registry info, log info and the reports generated from the tools.




The suspected manager’s or targeted computer is completely digitally investigated using digital forensic technology, from the Queensland branch office and finally the formal report is being submitted to the information security officer.


“Cyber Forensic Investigation Plan”, International Journal of Advance Research (2008),, Volume 1, Issue 1, accessed on 9 January, 2015.

7safe, (2013) “Good Practice Guide for Computer-Based Electronic Evidence”.

Siti Rahayu Selamat, Robiah Yusof, Shahrin Sahib (2008), “Mapping Process of Digital Forensic Investigation Framework”, JCSNS International Journal of Computer Science and Network Securit, Vol 8.

ACPO (2013), “Good Practice Guide for Computer-Based Electronic Evidence”, V4.0

Aquilina, M.J., (2003), “Malware Forensics, Investigating and Analyzing Malicious Code”, Syngress,

Kenneth J. Zahn (2013), “Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise”, GIAC (FREM) Gold Certification

Fowler, K., (2007), “Forensic Analysis of a SQL Server 2005 Database Server”.



Khanuja, H.K., and Adane, D.S., (2011), “Database Security Threats and Challenges in Database Forensic: A Survey”, IPCSIT vol.20 (2011), Singapore: IACSIT Press.

John Ashcroft (2001), “Electronic Crime Scene Investigation, A guide for First Responders”, NIJ Guide

M Reith, C Carr, G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence

Kent, K.,, (2006). “Guide to Integrating Forensic Techniques into Incident Response”, National Institute of Standards and Technology (Ed.) (Vol. 800-86): U.S. Department of Commerce.

Richard Brian Adams (2012), “The Advanced Data Acquisition Model (ADAM): A Process Model for Digital Forensic Practice”

Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). “Systematic Digital Forensic Investigation Model”, International Journal of Computer Science and Security, 5(1), 118-130.

Shiner, D.L.D., and Cross, M., (2002), ” Scene of the Cybercrime”, 2nd edn, Syncress: Burlington.

Reino, A. (2012), “Forensics of a Windows System”, Roche.

Armstrong, C. (2003), “Mastering Computer Forensics. In C. Irvine & H. Armstrong”, Security Education and Critical Infrastructures Kluwer Academic Publishers. delivers assignment help to millions of students of USA. We have in-house teams of assignment writers who are experts on wide ranges of subjects. We have appointed teams of native writers who provide assignment help to students in New York City and all over the USA. They are skilled assignment writers who successfully cater to search terms like’ do my assignment in the USA' and readily entertain queries related to write my assignments.

Most Downloaded Sample of Programing

  165 Download  |   2 Pages 309 Words

 These Items Act As Barriers To Intercultural Communication

1. How do these items act as barriers to intercultural communication?Answer:  The communication barriers Linguistic, Cultural and Emotional act as barriers for...

Read More

  65 Download  |   2 Pages 429 Words

 The Asch And Milgram Experiments Assignment

A just and fair decision always reflects an objective process, however, not all decisions are fair and just because they have influences and impacts that is actuall...

Read More

  156 Download  |   10 Pages 2,301 Words

 Digital Forensic Case Study

Question - Write a case study on Digital Forensic methodology?  ContentsExecutive Summary.Introduction.      Global F...

Read More

  38 Download  |   10 Pages 2,338 Words

 Professional Skills For Information And Communication Technology Portfolio

 Table of ContentsIntroductionWeek 3: Critical ThinkingWeek 5: SWOT analysis of presentation skillsWeek 7: Reflective WritingWeek 11: Personal Ethi...

Read More

  90 Download  |   16 Pages 3,848 Words

 Role Of Information Technology On Services Of Aldermore Bank

Question-Write A report based on role of information technology of financial corporate sector company Aldermore bank?  Executive summaryThe report i...

Read More

  253 Download  |   9 Pages 2,091 Words

 Upgrade Of Network Of Pharmaceutical Company

Question-Q1.Design a work break down structure (WBS) for this project with milestones?Q2. What are the key risks and how would you manage them?Q3. What are the key ...

Read More

  244 Download  |   24 Pages 5,949 Words

 Data Collection And Data Analysis

  The small business organizations need to have adoption of the cloud computing practices to a significant level. With the adoption of cloud computing...

Read More

  128 Download  |   11 Pages 2,608 Words

 Information Technology - Virtualisation And Online Training Literature Review

Question :Write a Literature Review for the Topic/Project below following a set structure. The Literature Review is a critical examination of the most relevant, r...

Read More

  54 Download  |   9 Pages 2,202 Words

 Technique Of Technology Road Mapping

Question 1 :Give a brief introduction and explanation (approximately 500 words) of the technology that you have chosen and then produce a technology road map that s...

Read More

  138 Download  |   15 Pages 3,562 Words

 Internet Marketing: Research And Marketing Plan Of “Amazon”

Introduction:Internet marketing or online marketing is the approach where the marketers are promoting the products with the help of internet. Under this process, th...

Read More

  358 Download  |   10 Pages 2,446 Words

 Emerson Transaction Hub: A Bright Idea That’s Paying Off

Question:1. Briefly describe the business processes supported by a Supply Chain Management (SCM) information system. In a global business like Emerson what are th...

Read More

  230 Download  |   5 Pages 1,196 Words

 Information Systems - Case Study

Question:Read the case study ‘Success to Succession’. • Identify the importance of wetware costs. • Identify an organisation implementing an A...

Read More

  305 Download  |   9 Pages 2,002 Words


IntroductionThe current digital age allows most of the organisations around the world to have the information and communication technologies to have the business ...

Read More

  292 Download  |   9 Pages 2,193 Words

 Briefing Paper Marking Guide - Big Data

IntroductionIn this briefing paper, the ICT topic ‘Big Data’ will be reviewed from literatures. Big data is the new IT buzzword that refers to the vol...

Read More

  323 Download  |   7 Pages 1,626 Words

 Research Writing Exercise Planner

IntroductionIt is not necessary that a crime can only take place outside the protection of the home. In fact a large number of crimes take place in the home also....

Read More

  205 Download  |   4 Pages 823 Words

 Types Of Actions Involve Database

Question:1. What four main types of actions involve databases? Briefly discuss each.? 2. What are the responsibilities of the DBA and the database designers? 3. Wha...

Read More

  45 Download  |   7 Pages 1,743 Words

 Effective Communication & Research

Question :What is effective professional communication? Answer:Professional communication is emerging as an area of investigation in various discipline...

Read More

  349 Download  |   2 Pages 332 Words

 Development Of An ER Diagram And Database Implementation

Question:To give  you  practical  experience  in using Entity-Relationship and Relational Database modeling techniques. Project Specifi...

Read More

  192 Download  |   10 Pages 2,454 Words

  Information Technology: Network Security

Question:Snort Rules                       &nbs...

Read More

  20 Download  |   12 Pages 2,870 Words

 A Digital Forensic Investigation Plan

Question:As part of the auditing team in capacity of a Digital Forensics expert, your task is to prepare digital forensics investigative plan to enable a systematic...

Read More