Discuss digital forensics and explain digital forensic investigation tools.
Scenarios and Purpose of the Investigation
UCLAN High Tech Crime Unit is a company that works in the digital forensics area. I am an employee of this company, working as a digital forensic investigator.
Vamos Solution is a well-known company. One day I received a call from the Managing Director (MD) of this company. The company has a policy of checking each and every employee to prevent data theft, and this check is carried out every day. One day, during the check, one of the employees was found with a USB flash disk in his hand. The security officials suspected that the employee had stolen something from the office computer and reported the case to the MD, who called me to investigate. For the investigation he provided the image file of the detected USB memory stick and asked me to find out whether it shows any kind of data theft. I was also asked to submit the evidence to him.
Intention
The key objective of this investigation is the examination of the USB image file, which is used to investigate the company’s employee.
Purpose
The key objectives are:
- The USB flash disk has to be analyzed.
- Data related to the case must be collected.
- The motivation for the data theft must be found.
- Additional details needed from the company about the case must be identified.
The process of investigating cybercrimes is called digital forensics (InfoSec Resources, 2018). Many tools and methods are available for such investigations (Casey, 2007). A digital forensic investigator must select an effective method (Dudley-Gough, 2006). The following digital forensic tools are available:
- RegRipper
- AccessData FTK
- Autopsy Tool
RegRipper
RegRipper is widely used in digital forensics for carrying out investigations. The software was created by Harlan Carvey (InfoSec Resources, 2018). Its main purpose is to extract data from the registry of a personal computer (PC). It reduces both the time and the complexity of extracting data from the registry, cutting the time from 10 hours to some minutes. The software is simple in form because it is created by the less skilled investigator. The plugin Auditpol (Audit Policy) can be added to this software; it is used to find out whether the user has modified his audit policies. The software converts the raw data extracted from the registry into a readable format, and digital forensic investigators widely use it because of this feature.
Autopsy Tool
Autopsy is another software tool available on the market for the same purpose, and it has some practical advantages (Sleuthkit.org, 2018). It has a very good graphical user interface and high performance, so it is widely used (Altheide and Carvey, 2011). The software was created by Basis Technology Corporation. The company produces the software tutorials and provides access to the software from its website (Basis Technology Corporation). The advantages of this software are given below.
- Extensible – The software allows the user to add new functions and new plugins.
- Frameworks – The software creator provides a set of instructions or standard procedures known as a “framework”. Following the framework is required when investigating a forensic case with this software.
- Easy to Use – The software is easy to use because of its graphical user interface (GUI).
Tools
Standard Procedures for Examining the Forensic Data using the Autopsy Tool
There are 10 steps for investigating a digital forensic case, given below (Jahankhani, 2010).
Step-1: Begin
The tool used for the digital forensic investigation is an online-based tool. First, start the digital forensic investigation software, which works on the Windows and Linux operating systems.
Step-2: Open a New case
To open the new investigation dialogue box, press the New Case icon in the digital forensic software application.
Step-3: To enter data
To enter the data, open the dialogue box called New Case in the digital forensic investigation tool.
Step-4: To select an image file
Once data entry is complete, choose the location of the evidence (the USB data in image format) by opening the evidence directory selection dialogue box.
Step-5: To add name to the host
After completing the above step, type the host name and its details in the host dialogue box.
Step-6: To identify the location of host
Insert the forensic data (the disk file in image format) by clicking the Add Image button.
Step-7: New disk image addition
In the Autopsy digital forensic software tool, open the new image file by pressing the Add Image icon in the dialogue box shown on the screen.
Step-8: To select the image file’s location
There is an option to duplicate the image file, because working with the original file has a few drawbacks. Working with a duplicate avoids these problems.
Step-9: Gallery for Investigation
This feature is used to add a new host. It is an advanced feature of the Autopsy forensic investigation tool.
Step-10: Additional features
This is the final stage, where the screen shows various options that are highly useful for investigating the case.
AccessData FTK
FTK stands for Forensic Toolkit. This digital forensic software application is used to examine and collect digital forensic evidence (AccessData, 2018). The tool was created by AccessData Corporation, which sells many software tools for scanning digital forensic data. It can also be used for creating disk images, with the tool known as FTK Imager. It is a digital forensic software application that provides flexibility in examination. AccessData Forensic Toolkit can analyze disk image files in various digital forensic image formats. The list below gives these image formats:
- Virtual Compact Disk Format
- Image of Error Code Modeler Disc
- EnCase Image
- File Disk’s Image
Standard Operating Sequence of AccessData Forensic Toolkit
AccessData Forensic Toolkit is the most widely used of the digital forensic investigation toolkits because its working instructions are very easy. It has several stages for investigating a digital forensic image.
Step 1: File adding evidence
There are four types of evidence. The correct type must be chosen for the evidence given for analysis. The directory must be selected.
Step 2: Evidence tree
The digital forensic tool builds a tree-structured arrangement of the evidence, which is used for analyzing the different files and folders belonging to the image file that has been provided.
Step 3: Virtual disk mounting
The digital forensic software has various options for mounting the analyzed data as a virtual disk (i.e., for read-only purposes).
Forensics is the study of investigating things and gathering evidence (Carvey, n.d.). Digital forensics is the investigation of digital data stored on digital storage devices such as computer hard disks, USB flash sticks and online cloud storage. It is also called computer forensics. It is used to investigate cybercrimes and to collect evidence against the cybercriminal.
Digital forensics has a wide variety of applications, such as making sure that confidential data is secure. Evidence can be taken from computers, online cloud storage, external storage devices and so on whenever required. Digital forensics is also carried out by the private sector, because the number of computer and internet users increases day by day. The growth of computer technologies is also favorable for cybercriminals.
In a digital forensic investigation, evidence against the criminals must be gathered by inspecting computers. The details must then be converted into a readable format, and a report must be created that can be understood easily even by non-technical audiences. This is the standard procedure followed by all digital forensic investigators. All gathered details should be stored as a duplicate file, because working with the original file is not secure due to the high possibility of data loss. Digital forensic investigation is also used to make a security system even stronger, so that a similar error cannot appear again.
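One way to carry out the "work on a duplicate" rule described above, as an added example that is not part of the original essay: the image is copied, the copy is verified against the original with a SHA-256 digest, and the digest is used later to detect any change. The use of hashing, the file name `usb_stick.img` and the function names are assumptions of this example.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_working_copy(original, workdir):
    """Duplicate an evidence image and prove the duplicate is bit-identical."""
    before = sha256_file(original)
    copy_path = os.path.join(workdir, os.path.basename(original) + ".work")
    shutil.copyfile(original, copy_path)
    # Re-hash the original too: it must not have changed while it was read.
    if not (before == sha256_file(original) == sha256_file(copy_path)):
        raise ValueError("hash mismatch: working copy is not a faithful duplicate")
    os.chmod(copy_path, stat.S_IRUSR | stat.S_IRGRP)  # read-only working copy
    return copy_path, before


def still_intact(path, recorded_digest):
    """Re-check a file against the digest recorded when the copy was made."""
    return sha256_file(path) == recorded_digest


def demo():
    """Constructed sample: a small stand-in for the USB image, then a simulated change."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "usb_stick.img")  # hypothetical file name
        with open(original, "wb") as fh:
            fh.write(b"constructed sample image bytes " * 4096)
        work, digest = make_working_copy(original, tmp)
        ok_before = still_intact(work, digest)
        os.chmod(work, stat.S_IRUSR | stat.S_IWUSR)
        with open(work, "ab") as fh:  # simulate an accidental modification
            fh.write(b"\x00")
        return ok_before, still_intact(work, digest)


if __name__ == "__main__":
    print(demo())
```

Recording the digest in the case notes lets the report show that the analyzed copy matched the evidence that was handed over.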
For the digital forensic investigation, the USB flash stick image is the main evidence. This USB flash stick was taken from the employee of Vamos Solution. In such a case, the USB flash stick can be analyzed using the DF software tool AccessData Forensic Toolkit. The investigation report, based on the image of the pen drive, is given below.
Autopsy Tool
Based on our investigation, the USB flash stick has a capacity of 7963 megabytes. It contains four folders and one Excel file called “income.xlsx”. The first folder is empty and the other three folders contain many subfolders. It is clear that the employee is trying to hide something from the security check.
Yes. A copy of the company's important data is present on the USB flash stick. This is the evidence. There is one Excel file called “income.xlsx”, which was retrieved during the investigation of the USB flash stick. The figure below shows a screenshot of the investigation.
Screenshot of the content of the USB flash stick.
Screenshot of the file properties.
Yes. There is evidence that the employee stole something from the computer and also tried to hide it. Our investigation found that the USB flash stick has three folders and one Excel file. The three folders have many subfolders, which may have been created to escape the security check.
Screenshot of the investigation result that shows the dummy folders.
The investigation result shows evidence against the employee, because the employee created many dummy folders with the same name to hide something from the on-site security officials. A screenshot of the dummy folder tree is shown in the above figure.
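The dummy-folder observation above can be backed with numbers rather than a screenshot alone. The following added example (not part of the original essay) walks a folder tree exported from the image and counts empty folders, nesting depth and repeated folder names; the sample tree is constructed to resemble the description here, and its exact layout is an assumption.

```python
import os
import tempfile
from collections import Counter


def summarize_tree(root):
    """Walk an exported evidence tree and collect signs of dummy-folder padding."""
    root = os.path.abspath(root)
    files, empty_dirs, names, max_depth = [], [], Counter(), 0
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        max_depth = max(max_depth, depth)
        if depth:
            names[os.path.basename(dirpath)] += 1
            if not dirnames and not filenames:
                empty_dirs.append(rel)
        files.extend(os.path.normpath(os.path.join(rel, f)) for f in filenames)
    dir_count = sum(names.values())
    return {
        "files": sorted(files),
        "dir_count": dir_count,
        "empty_dirs": sorted(empty_dirs),
        "max_depth": max_depth,
        "repeated_names": {n: c for n, c in names.items() if c > 1},
        "dirs_per_file": dir_count / max(len(files), 1),
    }


def build_sample(root):
    """Constructed sample: one spreadsheet, one empty folder, three padded folders."""
    open(os.path.join(root, "income.xlsx"), "wb").close()
    os.mkdir(os.path.join(root, "f1"))
    for top in ("f2", "f3", "f4"):
        for mid in ("f1", "f2"):
            for leaf in ("f1", "f2"):
                os.makedirs(os.path.join(root, top, mid, leaf))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in summarize_tree(build_sample(tmp)).items():
            print(f"{key}: {value}")
```

A high folder-to-file ratio with many empty, identically named folders is an indicator worth reporting, not proof of intent on its own.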
For further investigation we require the following details from the company:
- Details of the hard disk in the personal computer.
- Details of the suspect's online cloud storage.
Conclusion
Our investigation report states that the employee of the Vamos company stole some sensitive data from the office computer. It is confirmed that the employee stole the data from the company. In the investigation, we examined the USB flash stick evidence that was provided. The USB flash stick has one Excel file called “income.xlsx” and three other folders. We suspect that this file may have been copied from the office computer. The employee created many subfolders with the same names (f1, f2, f3 and f4). The subfolders are used to hide something (company data) from the security check carried out by the security officers.
References
AccessData. (2018). Forensic Toolkit. [online] Available at: https://accessdata.com/products-services/forensic-toolkit-ftk [Accessed 8 May 2018].
Altheide, C. and Carvey, H. (2011). Digital Forensics with Open Source Tools. Elsevier Science.
Carvey, H. (2018). Using RegRipper. [online] Windowsir.blogspot.in. Available at: https://windowsir.blogspot.in/2011/04/using-regripper.html [Accessed 8 May 2018].
Carvey, H. (n.d.). Windows registry forensics.
Casey, E. (2007). Handbook of computer crime investigation. Amsterdam: Academic.
Dudley-Gough, N. (2006). Digital Forensic Certification Board. Digital Investigation, 3(1), pp.7-8.
InfoSec Resources. (2018). 7 Best Computer Forensics Tools. [online] Available at: https://resources.infosecinstitute.com/7-best-computer-forensics-tools/#gref [Accessed 8 May 2018].
Jahankhani, H. (2010). Handbook of electronic security and digital forensics. New Jersey: World Scientific.
Sleuthkit.org. (2018). Autopsy: Description. [online] Available at: https://www.sleuthkit.org/autopsy/desc.php [Accessed 8 May 2018].