Task 1: Recovering scrambled bits
For this task I will upload a text file with scrambled bits on the Interact site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.
Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.
Task 2: Digital Forensics Report
In this major task you are assumed to be a digital forensics investigator and are asked to prepare a digital forensic report for the following scenario:
You are investigating a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS). EMTS has just finished an expensive marketing and customer service analysis with Superior Bicycles, LLC. Based on this analysis, EMTS plans to release advertising for its latest tour service with a joint product marketing campaign with Superior Bicycles. Unfortunately, EMTS suspects that a contract travel consultant, Bob Aspen, might have given sensitive marketing data to another bicycle competitor. EMTS is under a nondisclosure agreement with Superior Bicycles and must protect this advertising campaign material.
Task 1
WinHex is digital forensic software used around the world to edit files at the binary level through their hexadecimal values; the editing operations include cut, copy, paste, edit, delete and insert. It can also reverse logical and arithmetic operations that were applied to the data, and this is the method used here to recover the data from the scrambled bits. (Srinivasan, 2006)
Modify Data-> “left shift by 1-bit option”
Modify Data-> “32-bit byte swap”
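The two Modify Data steps above, as an added Python sketch (not part of the original essay and not WinHex's own code). It assumes the 1-bit shift treats the selected block as one continuous bit stream and that the 32-bit swap reverses each 4-byte group; the sample plaintext is constructed.

```python
def shift_left_1(data: bytes) -> bytes:
    """Shift the whole buffer left by one bit; the topmost bit is dropped."""
    width = 8 * len(data)
    n = (int.from_bytes(data, "big") << 1) & ((1 << width) - 1)
    return n.to_bytes(len(data), "big")


def shift_right_1(data: bytes) -> bytes:
    """Inverse direction, used only to build the constructed scrambled sample."""
    return (int.from_bytes(data, "big") >> 1).to_bytes(len(data), "big")


def swap32(data: bytes) -> bytes:
    """Reverse the byte order inside each complete 4-byte group."""
    out = bytearray(data)
    for i in range(0, len(data) - len(data) % 4, 4):
        out[i:i + 4] = data[i:i + 4][::-1]
    return bytes(out)


def scramble(plain: bytes) -> bytes:
    # Assumed scrambling: the recovery steps applied in reverse order.
    return shift_right_1(swap32(plain))


def recover(scrambled: bytes) -> bytes:
    # Same order as the steps in the text: shift left by 1 bit, then 32-bit swap.
    return swap32(shift_left_1(scrambled))


# Constructed sample. A logical shift discards one bit at the buffer edge,
# so recovery is exact only when that edge bit was 0, as it is here.
SAMPLE_PLAIN = b"EMTS marketing plan!"

if __name__ == "__main__":
    scrambled = scramble(SAMPLE_PLAIN)
    print(scrambled.hex(" "))
    print(recover(scrambled).decode("ascii"))
```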
Output and decrypted text:
Task 2
Abstract
The case concerns Bob Aspen, who is accused of theft of intellectual property from Exotic Mountain Tour Service (EMTS). The data was leaked to a third party outside the official EMTS circle by email and by copying the important data onto a USB drive. EMTS has recently completed an extensive survey together with Superior Bicycles, LLC. If the data has been leaked, it would give a competitive advantage to EMTS's competitor, cause a severe loss of business revenue, and EMTS would lose all the strategic advantage it gained from the survey. The leak came to light when Bob Aspen's email was captured by the company's web scrutiny department. The email made it clear that the accused was indeed deliberately trying to leak information that is the company's intellectual property, and that he had also altered his mail attachments in order to bypass the company's secured firewall. The USB drive that was found is investigated in this report, and the findings are marked up so that the right and strong charges can be framed against the accused.
Introduction
There are many software tools available in the market for the purpose of digital forensics investigations but the ones used in this investigation are:
- ProDiscover
- WinHex
These two tools are widely used by digital forensic experts around the world, and each has its own purpose. ProDiscover is mainly used for creating images and their clones, so that digital forensic methods can be used to find and retrieve data as if they were applied to the real storage device or disk. WinHex is used to edit files at the binary level through their hexadecimal values; the editing operations include cut, copy, paste, edit, delete and insert. It can also reverse logical and arithmetic operations that were applied to the data. (McDonald, 2017)
ProDiscover is compatible with a wide range of image formats used by other forensic tools and experts around the globe. The images are read with ProDiscover, and with the help of its various operations we can read sectors and clusters from an image in order to recover data that may have been overwritten or deleted from the disk. ProDiscover is also compatible with a number of hardware devices that enforce write locks, which helps the expert make a copy of the disk without manipulating the original storage device, so that it remains in the condition in which it was found. Data recovered from the images generally has corrupt headers or missing or edited hex values.
To recover or edit the hex values of the data we need a hex editor, and WinHex is used in this investigation: the file headers are edited with the tool, and the correct hexadecimal values are inserted or replaced. The tool is simple in its approach and can easily be used to perform various operations on files, and its report generation utility lets us produce a report of all operations in HTML and RTF format, both of which are standards used around the globe.
Analysis conducted
In the initial investigation carried out by EMTS, two emails were intercepted, on the basis of which the accused, Bob Aspen, a contract employee of the company, is under investigation for stealing important data that is the intellectual property of EMTS. Apart from the emails, a USB drive was also found on Bob Aspen's desk; analysing this USB drive is the prime objective of the search for evidence in this digital forensic report. Because the organization has a strict policy against carrying any digital devices into the organization, the USB drive raised serious alarm over Bob Aspen's intentions, and the outcome might be severe business loss to EMTS (Kigwana, 2017). The emails also show that the data was altered before being sent out by email and copied to the USB drive; the header was altered in order to bypass the organization's security policy. The emails were communicated to [email protected] and to Bob Aspen at [email protected]. The emails coming to [email protected] were sent by Jim Shu from a different time zone, as the dates and times were offset from each other; this means Jim Shu must be in a far western region, because the time zone in an email is provided by the server, not the user. The email conversation also asked Bob Aspen to alter the data in the jpg files and to change the jpg extension to txt. (Caviglione, 2017)
Searching for and Recovering Digital Photography Evidence
In this section we recover the images from the USB drive image provided by EMTS. The initial search uses the keyword “FIF” rather than “JPEG” or “JFIF”. This is done in order to skip older file clusters that may be present on the image from earlier use, because it is out of scope to check files stored before the date Bob Aspen joined the company. (Mohlala, 2017) Such clusters can be termed false positives, and these false positives could cause unwanted delay in finding the right evidence and waste the forensic experts' time and effort. (Hraiz, 2017)
The procedure for recovering files with ProDiscover is as follows:
1. Open ProDiscover in admin mode and create the project C10InChp.
2. Add the image provided by EMTS, named C10InChp.eve, to the current project; this is the image file of the USB drive confiscated from Bob Aspen’s desk.
3. Search for files and clusters on the disk using ASCII mode with the case-sensitive option selected. The keyword used for the search is “FIF”, as discussed at the start of this section.
4. The clusters that match the search criteria are highlighted in blue.
5. Select the first occurrence of FIF and click it to jump directly to the memory location.
6. Double-click the location to open the page listing all the files at that location.
7. Right-click and select the option to find the file.
8. Press “Yes”. The matching clusters of data are shown in the pop-up message box.
9. Right-click the file and save it as “recover1.jpg”.
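The idea behind the “FIF” keyword search, as an added Python example that is not the essay's own work and does not reproduce ProDiscover's search. It assumes 512-byte sectors with one sector per cluster, assumes files start on a cluster boundary, and uses a small constructed image in which one JPEG header has been overwritten.

```python
SECTOR = 512
SOI_APP0 = bytes.fromhex("ffd8ffe0")  # JPEG start-of-image + APP0 marker
FIF_OFFSET = 7                        # "FIF" sits 7 bytes into an intact JFIF header


def find_fif_hits(image: bytes, sectors_per_cluster: int = 1) -> list:
    """Case-sensitive search for 'FIF'; keep hits where a file header could start."""
    cluster_size = SECTOR * sectors_per_cluster
    hits = []
    pos = image.find(b"FIF")
    while pos != -1:
        start = pos - FIF_OFFSET
        # A file begins on a cluster boundary; other matches are ordinary text.
        if start >= 0 and start % cluster_size == 0:
            head = image[start:start + FIF_OFFSET]
            intact = head[:4] == SOI_APP0 and head[6:7] == b"J"
            hits.append({"cluster": start // cluster_size,
                         "offset": start,
                         "intact": intact,
                         "header": head.hex(" ")})
        pos = image.find(b"FIF", pos + 1)
    return hits


def _sector(payload: bytes) -> bytes:
    return payload.ljust(SECTOR, b"\x00")


# Constructed sample image (not data from the case):
#   cluster 0: plain text containing "FIFO" (a false positive, not aligned)
#   cluster 1: intact JFIF header
#   cluster 3: header overwritten so that only "FIF" survives
SAMPLE_IMAGE = (
    _sector(b"\x00" * 100 + b"FIFO queue")
    + _sector(bytes.fromhex("ffd8ffe000104a46494600"))
    + _sector(b"")
    + _sector(b"zzzz\x00\x10zFIF\x00")
)

if __name__ == "__main__":
    for hit in find_fif_hits(SAMPLE_IMAGE):
        state = "intact" if hit["intact"] else "altered header"
        print(f"cluster {hit['cluster']}: {state} [{hit['header']}]")
```

A hit flagged as altered is a candidate for the header repair described earlier, where the correct hexadecimal values are restored in a hex editor on a working copy of the evidence.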
Conclusion:
The case concerns Bob Aspen, who is accused of theft of intellectual property from Exotic Mountain Tour Service (EMTS). The data was leaked to a third party outside the official EMTS circle by email and by copying the important data onto a USB drive. The leak did occur, and the accused, Bob Aspen, leaked the critical information to a third party or competitor.
ProDiscover was used to find the images in the disk image provided by EMTS; the forensic tool helped in recovering files and the different clusters needed to reconstruct the original files. To recover or edit the hex values of the data we need a hex editor, and WinHex is used in this investigation: the file headers are edited with the tool, and the correct hexadecimal values are inserted or replaced.
The Bob Aspen leak was discovered through the capture of two emails sent to an unknown location that did not seem right under scrutiny. The data was leaked by email and possibly also via the USB drive, from which all the data was recovered.
References:
Caviglione, L., Wendzel, S., & Mazurczyk, W. (2017). The Future of Digital Forensics: Challenges and the Road Ahead. IEEE Security & Privacy, 15(6), 12-17. doi: 10.1109/msp.2017.4251117
Hraiz, S. (2017). Challenges of digital forensic investigation in cloud computing. 2017 8th International Conference On Information Technology (ICIT). doi: 10.1109/icitech.2017.8080060
Kigwana, I., Kebande, V., & Venter, H. (2017). A proposed digital forensic investigation framework for an eGovernment structure for Uganda. 2017 IST-Africa Week Conference (IST-Africa). doi: 10.23919/istafrica.2017.8102348
Kishore, N., Saxena, S., & Raina, P. (2017). Big data as a challenge and opportunity in digital forensic investigation. 2017 2nd International Conference On Telecommunication And Networks (TEL-NET). doi: 10.1109/tel-net.2017.8343573
McDonald, J., Manikyam, R., Glisson, W., Andel, T., & Gu, Y. (2017). Enhanced Operating System Protection to Support Digital Forensic Investigations. 2017 IEEE Trustcom/Bigdatase/ICESS. doi: 10.1109/trustcom/bigdatase/icess.2017.296
Mohlala, M., Ikuesan, A., & Venter, H. (2017). User attribution based on keystroke dynamics in digital forensic readiness process. 2017 IEEE Conference On Application, Information And Network Security (AINS). doi: 10.1109/ains.2017.8270436
Srinivasan, S. (2006). Security and Privacy in the Computer Forensics Context. 2006 International Conference On Communication Technology. doi: 10.1109/icct.2006.341936