Tools Employed by Lone Star Ltd for Digital Forensic Analysis
Lone Star Ltd, a private digital forensic consultancy firm, was engaged to conduct a forensic investigation of a Windows computer hard disk image belonging to a client, 'Techbank TSB'. The client requested that relevant evidence and expert opinion be gathered from the subject disk image and that an expert witness report be produced based on the following findings. I have been asked by Lone Star Ltd to perform a forensic investigation of this hard disk image and to consider any relevant and potential evidence as to whether Techbank TSB had reasonable grounds to conclude that illegal or unauthorized activities had occurred in the company.
The aid of digital forensics, together with the legal authorities, was employed by Lone Star Ltd in order to exonerate or convict the accused. To conduct an effective and efficient investigation, I employed Forensic Tool Kit version 126.96.36.199 (FTK) and Registry Viewer as my primary computer forensic analysis tools for exploring forensic artefacts. FTK also provides hash database lookups, sorting by file type, Windows registry analysis and timelines of file activity. The investigation will also be carried out using Autopsy 4.1.1, RegRipper and OS Forensics as secondary tools for forensic verification, since test results must be repeatable and reproducible to be considered admissible as electronic evidence.
The key elements of evidential management are as follows: the use of scientific methods, collection and preservation, validation, identification, and analysis and interpretation (USDoJ, 2008). These formal guidelines are important in securing, handling and controlling evidence, since evidence must be obtained from the outset in a way that ensures and preserves its trustworthiness. This trustworthiness must be upheld and verifiable at all stages of the investigation by recording every piece of evidence from collection through to presentation of the evidence report, with the aid of formal best practices, processes and guidelines such as the ACPO Principles. This documentation process is also known as the chain of custody (CoC). CoC refers to the chronological documentation and/or paper trail showing the seizure, custody, control, transfer, analysis and disposition of evidence, physical or electronic (EDRM, no date). To maintain the chain of custody, the examination is best conducted on a duplicate of the original device content, since electronic evidence is delicate and can be altered, damaged or destroyed by improper handling or examination. There is also a need to protect the copy of the gathered data, so that the collection is secured against any harm for further examination or reference. When preserving or imaging the gathered data, it must be ensured that the copied data is not altered in any way (Yudi and Azhari, 2015). For this reason, the use of a write-blocking device and hashing is typically mandatory.
Purpose of Evidential Management Guidelines
Lone Star Ltd employed industry-standard tools and techniques throughout the handling, processing and analysis of the evidence. A sealed Royal Mail envelope was received at Lone Star Ltd Labs via Royal Mail overnight delivery on 11 January 2018 at 11:57 AM (MST). A chain of custody was established upon opening the package. The package contained one (1) hard disk sealed in a Royal Mail label pouch. Details about the enclosed media are included below.
Lone Star Ltd used FTK Imager to create a raw DD image file of the evidence onto a previously wiped drive. The image files were verified by their hash values. A working copy of the original image was created on a previously wiped hard drive. All subsequent analysis was performed on the working copy of the forensic image, not on the original forensic image acquisition. The analysis was performed on a dedicated forensic workstation using AccessData's Forensic Toolkit (FTK) in order to recover deleted files from the TechBank TSB computer hard disk image. The SHA1 and MD5 hash values were obtained to help establish the legitimacy of the files recovered. The MD5 and SHA1 algorithms were used to demonstrate to the court that the digital evidence being presented is in the same state as when it was obtained and has not been altered in any way, which establishes the authenticity and integrity of the digital evidence.
Computer evidence analysis is the process of identification, preservation, interpretation and documentation of recorded evidence for presentation in civil or criminal court (Barbara, 2014). Hence, proper use of standard forensic analysis and result-verification tools is vital. At present, there are many open source and commercial forensic analysis tools on the market, such as EnCase Forensic modules, The Sleuth Kit and Autopsy Browser, FTK and X-Ways Forensics. As mentioned before, the analysis was performed on a dedicated forensic workstation using AccessData's Forensic Toolkit (FTK) and Registry Viewer as the primary tools, with Autopsy, RegRipper and OS Forensics as secondary tools.
FTK, developed by AccessData, provides cutting-edge analysis, decryption and password cracking, and performs network-based, secure, single-system forensic acquisition of physical devices, logical volumes and RAM (Liang, 2010). It is one of the most widely used digital forensic analysis tools and its results are admissible in court (Hibshi, Vidas and Cranor, 2011). It runs on the Windows operating system, on highly specialized computers designed to help forensic investigators fully process a case and retrieve diverse types and amounts of data (Adam et al., 2015). The toolkit consists of many useful modules, including the standalone FTK application, FTK Imager and Registry Viewer.
Chain of Custody for Electronic Evidence
AccessData Registry Viewer is a standalone product for examining the Windows registry, the set of data files that the Windows operating system uses to control hardware, software, user information and the overall functionality of the Windows interface. It can be integrated with FTK, allowing the user to view the contents of Windows operating system registries and visualize registry files from any system (Bluehost, 2014). In this report, Registry Viewer was very helpful in aiding the forensic investigation, as it provides access to registry-protected storage containing passwords, usernames and other information such as USB device identification, the list of programs installed on the system, records of internet queries and so on (AccessData, no date).
FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine whether further analysis with a forensic tool such as AccessData's FTK is warranted (AccessData, no date). It is also a concise tool that can create perfect copies (forensic images) of computer data, where the hard disk image can be exported as a single file or as a set of segments without making changes to the original evidence (Ibrahim and Malaika, 2013). It makes a bit-for-bit duplicate image of the media, which prevents accidental or intentional manipulation of the digital evidence and provides a forensic image identical in every way to the original. FTK Imager also provides integrity checking by calculating hash values on the data segments of an image (Neil, 2016).
Autopsy is a digital forensic platform that allows users to perform forensic analysis; it runs as a web server and is accessed through an HTML browser interface. It automatically analyzes disk images, local drives or folders of local files, in raw/dd or E01 format, as ingest content, which avoids the need to perform the task manually (Kaur, Kaur and Khurana, 2016). Besides offering the same core features as FTK, namely timeline analysis, keyword search, web artefacts, hash set filtering and so on, Autopsy also allows third-party integration, giving users access to modules such as RegRipper and to multi-user collaboration on large cases (SleuthKit, no date). Moreover, since it is cost-effective open source software that is easy to use and provides the same features as FTK, it benefits the investigation by acting as a secondary tool for verification and validation.
Computer Evidence Analysis and Standard Forensic Tools
RegRipper is a well-known open source forensic application that can be used to quickly extract potential information (keys, values, data) from the Registry and present it in an easy-to-read text format for analysis (Carvey, 2014). It consists of a framework that executes plugins: the user selects the plugins, written as Perl scripts, that access a specific Registry hive file in order to extract specific keys, values and data (Rasriis, 2014).
OS Forensics is a comprehensive forensic tool for discovering, identifying and managing data through high-performance file searching and indexing; it can extract passwords, decrypt files and recover deleted files quickly and automatically from file systems, computer systems and digital storage devices (William, 2017). It allows the user to identify suspicious files and activity through hash matching, drive signature comparisons, emails, memory and binary data. It also allows users to extract forensic evidence from a computer quickly with advanced file searching and indexing, which enables the data to be managed effectively (Passmark Software, no date).
The search assistant log of the subject system has been removed. This was explicitly shown by examining NTUSER.DAT for 'techuser', which records the last-written time of the registry-editing tool that was used. Nonetheless, the search history can still be found in the Software registry hive, at the Registry Viewer path shown.
In order to identify whether a USB stick was connected to the machine, the information can be found in the Windows registry, which records each drive that has been plugged into the system. Furthermore, to attribute the drives that have been used to specific users, the GUID associated with the device can be found under MountedDevices, at the registry path shown below.
According to the available information, the user account visited several social networking community websites: Facebook, Skype, Gmail, YouTube and MSN. According to the evidence found, as per the screenshot below, three different Facebook profiles were found in the user account: Amaya Karunanayake, teCHbANK and Imasha Oshadi Rajapaksha. From the history, it can be seen that two of these profiles, Imasha Oshadi Rajapaksha and teCHbANK, are inactive users, as they only viewed and edited their profiles respectively. The Amaya Karunanayake profile, by contrast, appears to be an active user who spent most of the time editing Facebook privacy and security settings, adding photos, messaging and creating an event titled 'Continuation of Leadership Training Programme'.
Tools Employed by Lone Star Ltd for Digital Forensic Analysis
Lone Star Ltd is a digital forensic consultancy firm and is chosen as the case study for this discourse. It is responsible for gathering information from digital devices for investigation purposes. Tech-bank TSB is one of Lone Star Ltd's clients. The computer forensic analyst of Lone Star Ltd has been charged with investigating the hard disk image of a Windows computer (Sunde et al. 2017). Tech-bank TSB has requested that relevant evidence be collected from the hard disk image and a report prepared based on the findings. Lone Star Ltd has appointed me to conduct an investigation of the hard disk image and collect all the relevant evidence contained in it. The forensic investigation helps to establish whether any illegal activities were carried out within Tech-bank TSB.
Lone Star Ltd appoints legal authorities to find out the attackers who carried out the malicious activities. The legal authorities, with the help of digital forensics, carry out an effective forensic investigation. I am one of the representatives of the legal authority team. I use Registry Viewer and Forensic Tool Kit version 188.8.131.52 to carry out the investigation procedures (Dang-Nguyen et al. 2015). Digital forensics helps in sorting the files stored in the database by file type and aids analysis of Windows registry files. OS Forensics, Autopsy 4.1.1 and RegRipper have been used for forensic verification of the hard disk image.
Evidential management consists of elements such as the use of the scientific method, identification, analysis and validation. Proper guidelines are followed in securing and controlling the evidence. All the evidence collected from the hard disk image is verified by applying best policies and principles such as the ACPO Principles. Documentation is prepared based on the verification results of the evidence. The procedure for preparing this documentation is known as the chain of custody (CoC). CoC involves the preparation of chronological documentation of the evidence. The analysts keep duplicate files of the documentation (Flaglien et al. 2017). Failure of the hard disk image can be fatal: all the evidence can be lost from the database. Hackers can compromise the system, modify the files containing the evidence or even delete the files, and the system itself can be stolen. Thus a copy of the documentation is helpful for the investigation. Lone Star Ltd followed this approach and investigated the files present in the hard disk image of Tech-bank TSB.
Lone Star Ltd used various tools and techniques to handle the evidence effectively. Lone Star Ltd received a package in an envelope from Royal Mail on 11 January, late at night. The digital consultancy firm responsibly implemented a chain of custody after opening the package (Bjelland et al. 2018). Lone Star Ltd found that the package contained one hard disk.
Purpose of Evidential Management Guidelines
Lone Star Ltd first created a DD image file of the evidence using FTK Imager. The DD image and the files were verified via hash values. A copy of the file containing the evidence was created at the beginning. The forensic consultancy firm carried out all forensic investigation on the copied files and not on the original files. Using AccessData's Forensic Toolkit, Lone Star Ltd conducted the whole investigation on a dedicated forensic workstation (Van Baar, Van Beek and van Eijk 2014). This approach recovers files that have been deleted from the hard disk of the TechBank TSB computer. The MD5 and SHA1 hash values obtained help to establish that the recovered files are legitimate. The MD5 and SHA1 algorithms can be relied upon when presenting those files to the court, as they show that the original files on the hard disk were not modified by any means. In this way, the integrity and authenticity of the files were retained (Holt, Bossler and Seigfried-Spellar 2015). By following this approach, Lone Star Ltd ensured the authenticity of the files stored in the hard disk image of TechBank TSB.
The functionalities of the primary and secondary tools used in investigating the evidence in the hard disk image of TechBank TSB are detailed below.
Evidence analysis is the procedure by which the evidence files are first identified, then preserved, and lastly documented and presented to the court. Both open source and commercial forensic analysis tools are available on the market; examples include EnCase Forensic modules, Autopsy Browser and The Sleuth Kit (Sohl et al. 2015). In this report, the forensic investigation of the TechBank TSB hard disk image was carried out using Registry Viewer and AccessData's Forensic Toolkit as primary tools. OS Forensics, Autopsy and RegRipper are the secondary tools used in the forensic investigation.
Forensic Tool Kit (FTK) is a court-cited digital investigation platform. FTK is designed to provide speed, stability and ease of use. The toolkit helps with email analysis and offers customizable data views. It provides a framework so that the solution can be aligned with the organisation's needs (Taylor, Fritsch and Liederbach 2014). FTK works best on the Windows operating system. FTK includes Registry Viewer and FTK Imager.
AccessData Registry Viewer is a standalone product for examining the registry, a set of data files that the Windows operating system uses to control the overall functionality of the Windows interface as well as user information, hardware and software. Registry Viewer integrates with Forensic Tool Kit and enables analysts to see the contents of the Windows operating system registry files. Analysts can visualise registry files from any system. Registry Viewer provides easy access to registry-protected storage (Thethi and Keane 2014). Users must provide a username and password before they can access the files stored in the database.
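The image-verification step described above (raw DD image, hashes checked against the acquisition record, analysis only on the working copy) is shown here as an added example in Python; it is not code from the report or from any AccessData tool. It hashes an image that may be split into numbered segments (image.dd.001, .002, ...) in segment order, with MD5 and SHA1 in one pass, and compares the result with the digests recorded at acquisition; the image bytes and the acquisition record are constructed for the demonstration, not taken from the case.

```python
import hashlib
import os
import re
import tempfile

SEGMENT_RE = re.compile(r"\.(\d{3,})$")  # numbered raw segments: image.dd.001, .002, ...


def order_segments(paths):
    """Sort segments by their numeric suffix; lexical order breaks past .009 vs .010."""
    def number(path):
        match = SEGMENT_RE.search(path)
        if not match:
            raise ValueError(f"not a numbered segment: {path}")
        return int(match.group(1))
    ordered = sorted(paths, key=number)
    numbers = [number(p) for p in ordered]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"missing or duplicate segment: {numbers}")
    return ordered


def hash_segments(paths, chunk_size=1 << 20):
    """Stream every segment, in order, through MD5 and SHA1 in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in order_segments(paths):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(paths, acquisition_record):
    """Compare computed digests with those recorded at acquisition.
    Returns (all_match, computed) so the computed values can be written to the
    chain-of-custody log whether or not they match."""
    computed = hash_segments(paths)
    matches = all(computed[alg] == acquisition_record[alg].lower()
                  for alg in ("md5", "sha1"))
    return matches, computed


# Constructed sample image (not the case evidence): ~112 KiB split into 3 segments.
SAMPLE_CONTENT = b"constructed raw image bytes " * 4096
SAMPLE_RECORD = {"md5": hashlib.md5(SAMPLE_CONTENT).hexdigest(),
                 "sha1": hashlib.sha1(SAMPLE_CONTENT).hexdigest()}


def build_sample_image(directory, segment_size=40000):
    """Write SAMPLE_CONTENT as image.dd.001, .002, ... and return the paths."""
    paths = []
    for start in range(0, len(SAMPLE_CONTENT), segment_size):
        path = os.path.join(directory, f"image.dd.{len(paths) + 1:03d}")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CONTENT[start:start + segment_size])
        paths.append(path)
    return paths


def demo_verify():
    """Verify the sample image (segments handed over out of order), then flip one
    byte in the last segment and verify again; returns both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        segments = build_sample_image(tmp)
        clean, digests = verify_image(list(reversed(segments)), SAMPLE_RECORD)
        with open(segments[-1], "r+b") as fh:  # simulate a single-byte alteration
            fh.seek(5)
            fh.write(b"X")
        tampered, _ = verify_image(segments, SAMPLE_RECORD)
    return {"clean": clean, "tampered": tampered, "digests": digests}


if __name__ == "__main__":
    print(demo_verify())
```

Both digests are computed in the same pass so the working copy only has to be read once, and a mismatch on either algorithm fails verification.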
Chain of Custody for Electronic Evidence
FTK Imager is a data preview and data imaging tool. FTK Imager saves a hard disk image as a single file or in segments, and the image can be reconstructed later. FTK Imager calculates the MD5 hash value and thereby confirms the authenticity of the data. It is a concise tool that enables analysts to create copies of hard disk images, and these images can be exported without making any alteration to the original evidence (Zawoad, Hasan and Skjellum 2015). FTK Imager facilitates bit-by-bit copying of data and aids integrity checking by calculating hash values. Thus it can be concluded that FTK Imager is the most suitable tool for making perfect copies.
Autopsy is a digital forensic tool. It allows analysts to carry out the investigation through a web server. Autopsy helps in analysing disk images, local drives and folders. Analysts do not have to perform these tasks manually; Autopsy performs them automatically. Autopsy offers functionalities similar to FTK: keyword search, web artefacts, timeline analysis and hash set filtering. It also provides integration facilities (Van Beek et al. 2015), so forensic analysts have the opportunity to collaborate with multiple analysts. It is an open source program and therefore a cost-effective solution, and it is easy to use. It is used here as a secondary tool to carry out the investigation procedures.
RegRipper is an open source forensic application that is valuable for extracting vital information such as keys, values and data from the Registry. RegRipper analyses the data and produces output in an easily readable text format (Kleinmann and Wool 2014). Analysts can tailor RegRipper to their needs by using the available plugins.
The OS Forensics tool aids file searching and data indexing. It assists forensic analysts in extracting passwords, decrypting files and recovering deleted files from the system and database with ease. Analysts can readily identify malware files and the malicious activities of intruders with the help of hash matching, binary data and drive signature comparisons. OS Forensics helps forensic analysts extract the required evidence from a computer fast (Martini and Raymond 2016). Its file searching and file indexing functionality ensures that the data can be managed efficiently.
Computer Evidence Analysis and Standard Forensic Tools
The forensic analysts of Lone Star Ltd discovered that the search assistant log has been cleared. This can be seen simply by looking at NTUSER.DAT for 'techuser'. The forensic analysts established that a registry-editing tool was used on the TechBank TSB system (Choo and Dehghantanha 2017). Traces of the registry-editing tool's use have been found in the Software registry hive and at the Registry Viewer path.
It can also be determined whether any USB stick was attached to the TechBank TSB system. Detailed information about USB stick connectivity and usage can be traced by viewing the Windows registry files, which show every drive that has been connected to the system (Kleinmann and Wool 2014). It can also be tracked which drive is attributed to which particular user: under the MountedDevices key, the GUID associated with the device can be found at the registry path shown below.
The forensic analysts discovered that the user account on the TechBank TSB system visited social networking community sites such as MSN, Facebook, YouTube and Skype. After analysing the hard disk image provided by TechBank TSB, the analysts found that three Facebook accounts were used on the system (Taylor, Fritsch and Liederbach 2014): the profiles Imasha Oshadi Rajapaksha, Amaya Karunanayake and teCHbANK. Of these three, two profiles, teCHbANK and Imasha Oshadi Rajapaksha, were found to be inactive. The third Facebook profile, Amaya Karunanayake, was found to be active. The forensic analysts found that he or she uses Facebook most of the time and edits Facebook privacy and security settings. Amaya was found to add photos and send messages on Facebook (Taylor, Fritsch and Liederbach 2014). Recently Amaya created an event named 'Continuation of Leadership Training Programme'.
The user account on the system also visited Skype, and the user has a Skype account, registered on 29 September 2011. The forensic analysts found these details by assessing the user's personal profile on the system (Choo and Dehghantanha 2017). The analysts also discovered that Amaya Karunanayake was chatting with someone named Amilads over Skype, and Amaya was talking about a password that he or she had received.
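The MountedDevices correlation described above (drive letter and volume GUID sharing one USB device path, then the volume GUID matched against each user's MountPoints2) is worked through here as an added example in Python; it is not code from the report, from Registry Viewer or from RegRipper. The MountedDevices values, the volume GUIDs, the device serial and the user names are all constructed for the demonstration and are not the case evidence.

```python
import re
from collections import defaultdict

# Constructed SYSTEM\MountedDevices values (value name -> REG_BINARY data).
# USB mass-storage entries hold a UTF-16LE device path; fixed-disk entries hold a
# 12-byte MBR disk signature plus partition offset, which is not a string.
USB_PATH = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
            "#0019E06B0D7CF3A0F3F4&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
FIXED_DISK = bytes.fromhex("1234abcd" + "00" * 4 + "00100000" + "00" * 4)
MOUNTED_DEVICES = {
    r"\DosDevices\C:": FIXED_DISK,
    r"\??\Volume{7c2a9e10-1234-11e8-9b1c-806e6f6e6963}": FIXED_DISK,
    r"\DosDevices\E:": USB_PATH.encode("utf-16-le"),
    r"\??\Volume{3b1f0c2e-9a7d-11e7-8f4a-806e6f6e6963}": USB_PATH.encode("utf-16-le"),
}
# Constructed Explorer\MountPoints2 subkeys from each user's NTUSER.DAT
# (hypothetical user names; GUID case varies between hives, so compare lower-cased).
MOUNTPOINTS2 = {
    "techuser": {"{3B1F0C2E-9A7D-11E7-8F4A-806E6F6E6963}"},
    "admin": {"{7c2a9e10-1234-11e8-9b1c-806e6f6e6963}"},
}

LETTER_RE = re.compile(r"^\\DosDevices\\([A-Z]):$")
VOLUME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-fA-F-]+\})$")
USBSTOR_RE = re.compile(r"^_\?\?_USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                        r"&Rev_(?P<revision>[^#]*)#(?P<serial>[^&#]*)&\d+#")


def decode_device_path(data):
    """Return the UTF-16LE device path stored in a MountedDevices value, or None
    when the value is a signature/offset pair rather than a string."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() and text.startswith(("_??_", "\\??\\")) else None


def correlate_usb(mounted_devices, mountpoints2):
    """Group drive letters and volume GUIDs that share one USB device path, then
    attribute each device to the users whose MountPoints2 lists its volume GUID."""
    by_path = defaultdict(lambda: {"letters": set(), "volumes": set()})
    for name, data in mounted_devices.items():
        path = decode_device_path(data)
        if path is None:
            continue
        if m := LETTER_RE.match(name):
            by_path[path]["letters"].add(m.group(1) + ":")
        elif m := VOLUME_RE.match(name):
            by_path[path]["volumes"].add(m.group(1).lower())
    devices = []
    for path, refs in by_path.items():
        m = USBSTOR_RE.match(path)
        if not m:
            continue  # a string value that is not a USB mass-storage device
        users = sorted(user for user, guids in mountpoints2.items()
                       if refs["volumes"] & {g.lower() for g in guids})
        devices.append({"vendor": m["vendor"], "product": m["product"],
                        "serial": m["serial"], "letters": sorted(refs["letters"]),
                        "volumes": sorted(refs["volumes"]), "users": users})
    return devices


if __name__ == "__main__":
    for device in correlate_usb(MOUNTED_DEVICES, MOUNTPOINTS2):
        print(device)
```

On a real case the two dictionaries would be filled from the SYSTEM hive and from each account's NTUSER.DAT, and the serial recovered here is what links the MountedDevices entry back to the USBSTOR key and its timestamps.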
Bjelland, P.C., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2018. Internet Forensics. Digital Forensics, pp.275-312.
Choo, K.K. and Dehghantanha, A., 2017. Contemporary Digital Forensics Investigations of Cloud and Mobile Applications. In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications (pp. 1-6).
Dang-Nguyen, D.T., Pasquini, C., Conotter, V. and Boato, G., 2015, March. Raise: A raw images dataset for digital image forensics. In Proceedings of the 6th ACM Multimedia Systems Conference (pp. 219-224). ACM.
Flaglien, A.O., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. The Digital Forensics Process. Digital Forensics, pp.13-49.
Holt, T.J., Bossler, A.M. and Seigfried-Spellar, K.C., 2015. Cybercrime and digital forensics: An introduction. Routledge.
Kleinmann, A. and Wool, A., 2014. Accurate modeling of the siemens s7 scada protocol for intrusion detection and digital forensics. Journal of Digital Forensics, Security and Law, 9(2), p.4.
Martini, B., Do, Q. and Raymond Choo, K.K., 2016. Digital forensics in the cloud era: The decline of passwords and the need for legal reform. Trends & Issues in Crime & Criminal Justice, (512).
Sohl, E., Fielding, C., Hanlon, T., Rrushi, J., Farhangi, H., Howey, C., Carmichael, K. and Dabell, J., 2015, October. A field study of digital forensics of intrusions in the electrical power grid. In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (pp. 113-122). ACM.
Sunde, I.M., Flaglien, A., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. Cybercrime Law. Digital Forensics, pp.51-116.
Taylor, R.W., Fritsch, E.J. and Liederbach, J., 2014. Digital crime and digital terrorism. Prentice Hall Press.
Thethi, N. and Keane, A., 2014, February. Digital forensics investigations in the cloud. In Advance Computing Conference (IACC), 2014 IEEE International (pp. 1475-1480). IEEE.
Van Baar, R.B., Van Beek, H.M.A. and van Eijk, E.J., 2014. Digital Forensics as a Service: A game changer. Digital Investigation, 11, pp.S54-S62.
Van Beek, H.M.A., van Eijk, E.J., van Baar, R.B., Ugen, M., Bodde, J.N.C. and Siemelink, A.J., 2015. Digital forensics as a service: Game on. Digital Investigation, 15, pp.20-38.
Zawoad, S., Hasan, R. and Skjellum, A., 2015, June. OCF: an open cloud forensics model for reliable digital forensics. In Cloud Computing (CLOUD), 2015 IEEE 8th International Conference on (pp. 437-444). IEEE.
My Assignment Help. (2020). Forensic Investigation Of Windows Computer Hard Disk Image Essay By Lone Star Ltd. Retrieved from https://myassignmenthelp.com/free-samples/itc505-digital-forensics.