Discuss the Digital Forensic Investigation Tools and Procedures.
The information provided by the Exotic Mountain Tour Service (EMTS) manager indicates a possible theft of information, which can be established by critically analyzing the evidence in hand. The suspicious emails intercepted on the web server are one item that needs thorough scrutiny to identify the sender and the recipient. The USB drive found on the desk of the contracted employee cannot, at this moment, be said to contain sensitive information about the company, but it can be meticulously checked to ascertain this (Chung et al., 2012). This report gives a possible procedure, acquisition tools and analysis tools for a comprehensive forensic report that can be used as evidence in the prosecution of the suspect, and provides information that can help the company re-strategize its plans if it feels the information disclosed might compromise its daily operations.
The digital forensic examination is based on two main items:
- USB drive
  - Is there any evidence that the USB drive contains sensitive information regarding the contract of the contractor Superior Bicycles, LLC, which was supposed to be kept top secret?
  - What evidence is there that the USB drive had previously been used to retrieve information that employees of the company are restricted from accessing?
  - What evidence can be found on the drive to show that the company's operations have been compromised?
  - What evidence is there to directly link the employee to a possible cybercrime if the drive is found to contain the company's sensitive information?
- The suspicious email retrieved on the web server
  - What kind of information regarding the company is contained in the email?
  - Who are the sender and the recipient of the email?
  - When and how many emails have been sent?
  - Was there a security breach in the network?
  - Which websites were visited during the period of the suspicious activity?
Forensic tools used in the investigation
The USB drive is tangible evidence of any cybercrime the employee could have committed, but it can only be used as evidence if its files are examined (Damshenas et al., 2012). The examination will identify files created by the user and files the user may have protected (by steganography, encryption or camouflage). In addition, it will determine whether files have been deleted, and whether any files show audible anomalies (mp3, mpeg, wav), visual anomalies (gif, bmp, jpeg), structural oddities suggesting manipulation, or statistical properties that deviate from the norm.
Before starting the evaluation in Autopsy, close the web browser, then add the duplicated system images GCFI-LX.00n (where n is a number between 1 and 5) as evidence; the image files captured by the manager link Bob Aspen's work folder to the evidence locker, which is the folder Autopsy uses as its working area (Dykstra & Sherman, 2013). The results of the examination are saved in the Autopsy evidence locker. Initial findings from the images provided by the EMTS manager illustrate possible data theft or suspicious activity, which makes him suspect that Bob Aspen is involved in activities that could be termed cybercrimes (Grispos et al., 2012). The images provided by the manager are processed with the Autopsy Forensic Browser and The Sleuth Kit to assess Linux Ext3 and Ext2 file systems.
USB drives build on EPROM and EEPROM technologies. EEPROM was one of the first types of non-volatile semiconductor memory chip (Lillis et al., 2016). It advanced beyond the EPROM technology that was widespread in the late 1970s. EPROM memories were programmed, usually with a programming machine, and then erased by exposing the chip to ultraviolet light if the contents needed to be changed (Imran et al., 2016). Although the erase procedure took an hour or so, this was acceptable for development conditions. However, these memories could not be erased electrically, and an entirely electrical arrangement would have been more convenient. The advantage of an EEPROM memory, apart from the fact that the stored data is non-volatile, is that it is possible to read data from it and also to erase it and write data to it electrically. Erasing requires a relatively high voltage, and early EEPROMs required an external high-voltage source. Later versions of these chips recognized the difficulty, in many circuit designs, of having an additional supply only for the EEPROM, and integrated the high-voltage source into the EEPROM chip itself. In this way the memory device could run from a single supply, significantly reducing the cost of a circuit using an EEPROM and simplifying the design.
Web servers are the computers that store websites online and deliver web pages to users on request; this service is referred to as web hosting. Each web server has a unique IP (Internet Protocol) address, which tells other computers connected to the Internet where to locate the server on the network. An IP address looks like this: 192.168.74.35; such addresses are mapped to human-friendly names, for example https://www.wagon.com. Web hosts lease space on the web server to individuals or organizations to build their own sites, and the web server assigns a unique address to every site it hosts (Kohn et al., 2013). When a person connects to the Internet, their computer is likewise given a unique IP address allocated by their ISP (Internet Service Provider). This address identifies the computer's location on the network. When the person clicks a link to a site at www.wagon.com, the browser sends a request to wagon.com's IP address. The request includes return information and functions like a postal letter sent across town, except that in this case the data is transferred over a network (Martini & Choo, 2012). The communication passes through several computers on its way to wagon.com, each routing it closer to its final destination.
Frequently referred to simply as a "mail server", an email server is a computer within your network that serves as your virtual post office. A mail server usually consists of a storage area where mail is held for local users, a set of user-definable rules that determine how the mail server should react to the recipient of a given message, a database of user accounts that the server recognizes and manages locally (Perumal et al., 2015), and communication modules, the components that handle the transfer of messages to and from other mail servers and email clients. Normally, the person responsible for maintaining the email server (editing users, monitoring system activity) is referred to as the postmaster. Most mail servers are designed to operate without manual intervention during normal operation.
Steganography is data hidden inside other data. It is a form of encoding that can be applied together with cryptography, as an additional security measure, to make sure that the information is safe. Steganography methods can be applied to video files, pictures or audio files. Typically, steganography is done with characters, including hash marking, but its application inside pictures also appears common. In any case, steganography protects copyrighted material from theft and also helps against unauthorized access. Unlike cryptography, where the message is unintelligible to an unauthorized third party, steganography aims to keep the third party from noticing the message at all (Sindhu & Meshram, 2012). Not only must the concealed data be found (a considerable undertaking in itself), it must then also be unscrambled, which can be almost impossible.
Graphic image analysis
FIP (Forensic Image Processing) comprises the computer-based restoration and enhancement of surveillance imagery. The objective of FIP is to maximize information extraction from surveillance imagery, particularly imagery that is noisy, incomplete, or over/under-exposed (Omeleze & Venter, 2013). Although this definition concerns surveillance imagery, FIP procedures can be applied to other kinds of images, for example impression images, shoe print images, UAV (unmanned aerial vehicle) infrared images, retinal images, and more.
Most recent USB drives are formatted with FAT32. Some older USB drives may also be acquired with FAT12/16, which means these devices use a File Allocation Table for organizing folder names. Usually there are two copies of the FAT, in case one becomes corrupted. When a file is entered into the file allocation table, its starting cluster is associated with it (Quick & Choo, 2014). All the clusters belonging to a file are chained together. Consequently, when a file is deleted from a USB drive or pen drive, the hex character E5 (also called sigma) replaces the first character of the filename. The clusters that belonged to the deleted file, however, are made available to the operating system and can be reused.
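As an added illustration (not code from the original report), the following Python script parses two constructed 32-byte FAT directory entries and a constructed FAT16 table: it recognizes the 0xE5 deletion marker, follows the cluster chain of the live file, and, because the deleted file's FAT slots have been zeroed, recovers its clusters by assuming contiguous allocation. The file names, cluster numbers and the 1024-byte cluster size are constructed sample values.

```python
import struct
from math import ceil

ENTRY_FMT = "<11sBBBHHHHHHHI"  # 32-byte directory entry shared by FAT12/16/32
DELETED_MARK = 0xE5             # first name byte of a deleted entry (the "sigma" byte)
FAT16_EOC = 0xFFF8              # FAT16 values >= this mark end-of-chain
CLUSTER_SIZE = 1024             # assumed cluster size for the constructed volume

def make_entry(name, attr, first_cluster, size):
    """Pack a constructed directory entry (sample data, not from the page)."""
    return struct.pack(ENTRY_FMT, name, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

# Constructed root directory: a live file plus a deleted file whose first name byte became 0xE5.
ROOT_DIR = (make_entry(b"REPORT  TXT", 0x20, 3, 1500)
            + make_entry(b"\xE5ECRET  DOC", 0x20, 5, 2100))
# Constructed FAT16: 3->4->EOC belongs to REPORT.TXT; 5, 6, 7 were zeroed (freed) on deletion.
FAT16 = [0xFFF8, 0xFFFF, 0x0000, 0x0004, 0xFFFF, 0x0000, 0x0000, 0x0000]

def parse_entry(raw):
    """Decode one entry; a deleted entry is reported with '?' for the lost byte."""
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARK
    base = ("?" + name[1:8].decode("ascii", "replace")) if deleted else name[:8].decode("ascii", "replace")
    ext = name[8:].decode("ascii", "replace").strip()
    return {"name": base.strip() + ("." + ext if ext else ""), "attr": attr,
            "deleted": deleted, "first_cluster": (hi << 16) | lo, "size": size}

def follow_chain(fat, start):
    """Walk the FAT from start until end-of-chain, a freed slot or a loop."""
    chain, cluster = [], start
    while 2 <= cluster < len(fat) and cluster not in chain:
        chain.append(cluster)
        nxt = fat[cluster]
        if nxt == 0 or nxt >= FAT16_EOC:  # 0: slot freed, chain cannot be followed
            break
        cluster = nxt
    return chain

def recover_contiguous(entry):
    """A deleted file's chain is gone; assume contiguous clusters from its start."""
    count = max(1, ceil(entry["size"] / CLUSTER_SIZE))
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))

def list_directory(dir_bytes, fat):
    entries = []
    for off in range(0, len(dir_bytes), 32):
        e = parse_entry(dir_bytes[off:off + 32])
        e["clusters"] = recover_contiguous(e) if e["deleted"] else follow_chain(fat, e["first_cluster"])
        entries.append(e)
    return entries
```

The contiguity assumption is exactly that: if the deleted file was fragmented, the recovered clusters past the first may belong to other data, which is why carved content should be validated against the file type's own structure.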
Before beginning any USB drive forensic examination, one must know the storage scheme (file system) used by the acquired device (Rekhis & Boudriga, 2012). Some USB drives simply need to be plugged in and can then be used on newer systems. Examiners may face situations where newer versions of Windows (7, 8 and 10) on the examination machine cannot recognize the USB drive. In such a situation it is advisable to try the USB drive on another system. In any case, it is critical to have a USB hardware write blocker installed on the other system to prevent any unwanted data transfer between the system and the USB drive. This ensures that no change or alteration is made to the drive and that no malware is transported to it.
If your web or application server does not include the essential log file fields required for conducting the forensic examination, you should use a third-party utility that does (Sindhu & Meshram, 2012). During the examination, try to separate the log file into client sessions; e.g., if you are using some kind of session token, such as a cookie, try to group log entries by that token. This grouping gives you a better understanding of the session flow and timeline and removes the noise created by other clients in the log file. Once the grouping is done, you are left with clusters of requests grouped by client or by originating IP address. Each cluster is ordered internally by the time the request was made. This ordered cluster depicts the "client session flow".
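An added example, not from the original report, of the grouping described above: constructed log lines in a combined-style format with the session cookie as a final quoted field (the `sid=` cookie name and all addresses are assumptions) are grouped by token, falling back to the source IP when no token is present, and each group is ordered by request time to give the client session flow; a token seen from more than one IP is flagged for the examiner.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the page): Apache combined-style
# fields with the session cookie appended as a final quoted field.
LOG_LINES = [
    '203.0.113.7 - - [12/Mar/2018:10:15:02 +0000] "GET /login HTTP/1.1" 200 512 "sid=abc123"',
    '198.51.100.9 - - [12/Mar/2018:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '203.0.113.7 - - [12/Mar/2018:10:16:40 +0000] "GET /contracts/export?id=41 HTTP/1.1" 200 90211 "sid=abc123"',
    '203.0.113.7 - - [12/Mar/2018:10:15:30 +0000] "POST /login HTTP/1.1" 302 0 "sid=abc123"',
    '192.0.2.55 - - [12/Mar/2018:10:17:01 +0000] "GET /contracts/export?id=42 HTTP/1.1" 200 88010 "sid=abc123"',
    '198.51.100.9 - - [12/Mar/2018:10:18:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$')

def parse_line(line):
    """Parse one line; the grouping key is the session token, else the client IP."""
    m = LINE_RE.match(line)
    if not m:
        return None  # lines in an unexpected format are skipped, not guessed at
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    sid = re.search(r"sid=([A-Za-z0-9]+)", rec["cookie"])
    rec["key"] = ("sid", sid.group(1)) if sid else ("ip", rec["ip"])
    return rec

def session_flows(lines):
    """Group requests by session key and order each group by request time."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["key"]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(groups)

def summarize(flow):
    """Describe one client session flow; a token seen from several IPs is flagged."""
    ips = sorted({r["ip"] for r in flow})
    return {"requests": [r["request"].split()[1] for r in flow],
            "start": flow[0]["ts"], "end": flow[-1]["ts"],
            "bytes": sum(r["size"] for r in flow), "ips": ips,
            "token_shared_across_ips": len(ips) > 1}
```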
EMTS and its employees depend heavily on email communications, making email a significant factor in any case. Deleted messages can frequently be recovered, even when they were erased intentionally. Metadata such as full email header data, time stamps and so on can all be extremely valuable in an examination if the legitimacy of an email is ever brought into question (Valjarevic & Venter, 2012). Email clients and servers are often full database programs, complete with file stores, contact managers, time managers, calendars and many other features, all of which may be accessed forensically. Erasing or deleting an email does not necessarily mean that it is gone forever. Generally, messages can be forensically extracted even after deletion.
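As an added example (not part of the original report), this Python script parses a constructed raw message with the standard library's email package, rebuilds the Received chain in transit order, and records two checks that matter when an email's legitimacy is questioned: whether the Date and hop timestamps run forward along the route, and whether the Message-ID domain matches the sender's domain. All host names, addresses and ids in the message are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message (sample data, not an email from the page). Each relay
# prepends its own Received header, so the topmost one is the last hop.
RAW_MESSAGE = b"""Received: from relay.example.net (relay.example.net [198.51.100.20])
\tby mail.emts.example (Postfix) with ESMTP id 4F1C2A; Mon, 12 Mar 2018 10:20:05 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby relay.example.net (Postfix) with ESMTPA id 9A7B3; Mon, 12 Mar 2018 10:19:58 +0000
From: "Accounts" <accounts@emts.example>
To: partner@outside.example
Date: Mon, 12 Mar 2018 10:19:40 +0000
Message-ID: <20180312101940.1234@mailer.outside.example>
Subject: Contract files

See attachment.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(msg):
    """Return the Received chain in transit order (earliest hop first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        head, _, date = str(value).rpartition(";")
        m = HOP_RE.search(head)
        hops.append({"from": m.group("from") if m else None,
                     "by": m.group("by") if m else None,
                     "time": parsedate_to_datetime(date.strip())})
    return hops

def header_checks(raw):
    """Extract routing facts and the consistency checks an examiner would record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    times = [parsedate_to_datetime(str(msg["Date"]))] + [h["time"] for h in hops]
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    msgid_domain = str(msg["Message-ID"]).strip("<>").rsplit("@", 1)[-1].lower()
    return {"hops": hops,
            "origin_host": hops[0]["from"] if hops else None,
            "final_server": hops[-1]["by"] if hops else None,
            # Date and each hop time should not run backwards along the route
            "timestamps_monotonic": all(a <= b for a, b in zip(times, times[1:])),
            # Message-ID is usually minted by the sender's own mail system
            "message_id_domain_matches_sender": msgid_domain == sender_domain}
```

Only the Received header added by your own server can be trusted outright; earlier hops are copied from whatever the previous relay wrote, so a mismatch is a lead to corroborate against the server's own logs, not proof by itself.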
To execute proper incident response processes in an organization and to use a standard strategy for web application forensic investigation, it is advisable to use a product such as Sanctum's AppShield, which is tailored specifically for this task and offers the complete logging facilities, analysis and security required for the present forensic investigation. Web application investigation relies heavily on the assumption that all HTTP data is kept in log files and is easily accessible when required. Unfortunately, many contemporary web and application servers do not include proper logging of HTTP communications. Those that do present the user with challenges when trying to extract the information in a way that allows a proper examination of a hacking attempt or a possible theft of information.
References
Chung, H., Park, J., Lee, S., & Kang, C. (2012). Digital forensic investigation of cloud storage services. Digital Investigation, 9(2), 81-95.
Damshenas, M., Dehghantanha, A., Mahmoud, R., & bin Shamsuddin, S. (2012, June). Forensics investigation challenges in cloud computing environments. In Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on (pp. 190-194). IEEE.
Dykstra, J., & Sherman, A. T. (2013). Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation, 10, S87-S95.
Grispos, G., Storer, T., & Glisson, W. B. (2012). Calm before the storm: The challenges of cloud computing in digital forensics. International Journal of Digital Crime and Forensics (IJDCF), 4(2), 28-48.
Imran, A., Aljawarneh, S., & Sakib, K. (2016). Web Data Amalgamation for Security Engineering: Digital Forensic Investigation of Open Source Cloud. J. UCS, 22(4), 494-520.
Kohn, M. D., Eloff, M. M., & Eloff, J. H. (2013). Integrated digital forensic process model. Computers & Security, 38, 103-115.
Lillis, D., Becker, B., O'Sullivan, T., & Scanlon, M. (2016). Current challenges and future research areas for digital forensic investigation. arXiv preprint arXiv:1604.03850.
Martini, B., & Choo, K. K. R. (2012). An integrated conceptual digital forensic framework for cloud computing. Digital Investigation, 9(2), 71-80.
Omeleze, S., & Venter, H. S. (2013, August). Testing the harmonised digital forensic investigation process model-using an Android mobile phone. In Information Security for South Africa, 2013 (pp. 1-8). IEEE.
Perumal, S., Norwawi, N. M., & Raman, V. (2015, October). Internet of Things (IoT) digital forensic investigation model: Top-down forensic approach methodology. In Digital Information Processing and Communications (ICDIPC), 2015 Fifth International Conference on (pp. 19-23). IEEE.
Quick, D., & Choo, K. K. R. (2014). Impacts of increasing volume of digital forensic data: A survey and future research challenges. Digital Investigation, 11(4), 273-294.
Rekhis, S., & Boudriga, N. (2012). A system for formal digital forensic investigation aware of anti-forensic attacks. IEEE Transactions on Information Forensics and Security, 7(2), 635-650.
Sindhu, K. K., & Meshram, B. B. (2012). Digital Forensic Investigation Tools and Procedures. International Journal of Computer Network and Information Security, 4(4), 39.
Valjarevic, A., & Venter, H. S. (2012, August). Harmonised digital forensic investigation process model. In Information Security for South Africa (ISSA), 2012 (pp. 1-10). IEEE.