Task 1: Recovering Scrambled Bits And Task 2: Digital Forensics Essay.

For this task, I will upload a text file with scrambled bits on the Interact site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.

Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.

Task 2: Digital Forensics Report (20 Marks)

In this major task you are assumed a digital forensics investigator and asked to prepare a digital forensic report for the following scenario:  

You are investigating a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS).  EMTS has just finished an expensive marketing and customer service analysis with Superior Bicycles, LLC.  Based on this analysis, EMTS plans to release advertising for its latest tour service with a joint product marketing campaign with Superior Bicycles.  Unfortunately, EMTS suspects that a contract travel consultant, Bob Aspen, might have given sensitive marketing data to another bicycle competitor.  EMTS is under a nondisclosure agreement with Superior Bicycles and must protect this advertising campaign material.

An EMTS manager found a USB drive on the desk Bob Aspen was assigned to.  Your task is to determine whether the drive contains proprietary EMTS or Superior Bicycles data.  The EMTS manager also gives you some interesting information he gathered from the Web server administrator. EMTS filters all Web-based e-mail traffic travelling through its network and detects suspicious attachments.  When a Web-based e-mail with attachments is received, the Web filter is triggered.  The EMTS manager gives you two screen captures, shown in Figures 8-5 and 8-6 (Textbook page 327), of partial e-mails intercepted by the Web filter that lead him to believe Bob Aspen might have engaged in questionable activities.  (Nelson, Phillips, & Steuart, 2015, p. 326-327)

Deliverable: For this forensic examination, you need to search all possible places data might be hiding and submit a digital forensics report of 1800-2000 word.

Rationale

This assessment task covers data validation, e-discovery, steganography, reporting and presenting, and has been designed to ensure that you are engaging with the subject content on a regular basis. More specifically it seeks to assess your ability to:

• determine the legal and ethical considerations for investigating and prosecuting digital crimes
• analyse data on storage media and various file systems
• collect electronic evidence without compromising the original data;
• evaluate the functions and features of digital forensics equipment, the environment and the tools for a digital forensics lab;
• compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation;
• prepare and defend reports on the results of an investigation

Marking criteria

Task 1: Recovering scrambled bits (5 Marks) 

Criteria	HD 100% - 85%	DI 84% - 75%	CR 74% - 65%	PS 64% - 50%	FL 50% - 0
Successfully recovering the scrambled bits to their original order(5 marks)	Scrambled bits are restored to the original text. Tool used to decode the text is mentioned and justification to use the tool is also provided. The process to restore the scrambled bits is clearly described with screenshots inserted of all steps.	Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described with some screenshots.	Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described but no screenshots provided.	Scrambled bits are restored to the original text. No justification of tool used is provided, process seems to be somewhat vague.	Scrambled bits are restored but not matching with the original text. Tool is not mentioned and process is not described.
Possible marks	5.0 – 4.25	4.24 – 3.75	3.74 – 3.25	3.24 – 2.5	2.4 – 0

Task 2: Forensics report (20 Marks) 

Criteria	HD 100% - 85%	DI 84% - 75%	CR 74% - 65%	PS 64% - 50%	FL 50% - 0
Introduction: Background, scope of engagement, tools and findings (3 marks)	All elements are present, well expressed, comprehensive and accurate.	All elements are present and largely accurate and well expressed.	All elements are present with few inaccuracies.	Most elements are present possibly with some inaccuracies.	Fails to satisfy minimum requirements of introduction.
Possible marks	3.0 – 2.55	2.54 – 2.25	2.24 – 1.95	1.94 – 1.5	1.4 – 0
Analysis: relevant programs, techniques, graphics (5 marks)	Description of analysis is clear and appropriate programs and techniques are selected. Very good graphic image analysis.	Description of analysis is clear and mostly appropriate programs and techniques are selected. Good graphic image analysis.	Description of analysis is clear and mostly appropriate programs and techniques are selected.  Reasonable graphic image analysis.	Description of analysis is not completely relevant. Little or no graphics image analysis provided.	Fails to satisfy minimum requirements of analysis.
Possible marks	5.0 – 4.25	4.24 – 3.75	3.74 – 3.25	3.24 – 2.5	2.4 – 0
Findings: specific files/images, type of searches, type of evidence, indicators of ownership (5 marks)	A greater detail of findings is provided. Keywords and string searches are listed very clearly. Evidence found is very convincing. An indication of ownership is very clear.	Findings are provided, keywords and string searchers are listed. The evidence is sound. Ownership is clear.	Findings are provided, some keywords are listed. The evidence is reasonable which relates to the ownership.	Findings are provided but are somewhat vague. Keywords and strings are not very clear. Evidence found may be questionable.	Fails to satisfy minimum requirements providing findings.
Possible marks	5.0 – 4.25	4.24 – 3.75	3.74 – 3.25	3.24 – 2.5	2.4 – 0
Conclusion: Summary, Results (3 marks)	High level summary of results is provided which is consistent with the report.	Well summarised results and mostly consistent with the findings.	Good summary of results. Able to relate the results with findings. No new material is included.	Satisfies the minimum requirements. Results are not really consistent with the findings.	Fails to satisfy minimum requirements of summarising the results.
Possible marks	3.0 – 2.55	2.54 – 2.25	2.24 – 1.95	1.94 – 1.5	1.4 – 0
References: Must cite references to all material used as sources for the content (2 marks)	APA 6th edition referencing applied to a range of relevant resources. No referencing errors. Direct quotes used sparingly. Sources all documented.	APA 6th edition referencing applied to a range of relevant resources. No more than 2 referencing errors. Direct quotes used sparingly. Sources all documented.	APA 6th edition referencing applied to a range of relevant resources. No more than 3 errors. Direct quotes used in-context. Sources all documented.	APA 6th edition referencing applied to a range of relevant resources. No more than 4 errors. Direct quotes used in-context. Some sources documented.	Referencing not done to the APA 6th edition standard. Over-use of direct quotes. Range of sources used is not appropriate and/or not documented.
Possible marks	2.0 – 1.7	1.6 – 1.5	1.4 – 1.3	1.2 – 1.0	0.9 – 0
Glossary / Appendices: (2 marks)	Glossary of technical terms used in the report is provided which has generally acceptable source of definition of the terms and appropriate references are included. Relevant supporting material is provided in appendices to demonstrate the evidence.	Glossary of technical terms used in the report is provided which has mostly acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence.	Glossary of some technical terms used in the report is provided which has mostly acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence.	Glossary of some technical terms used in the report is provided however terms are not generally common and some references are missing. Some supporting material is provided in appendices.	Most terminologies are missing.  Appendices are either not provided or are irrelevant.
Possible marks	2.0 – 1.7	1.6 – 1.5	1.4 – 1.3	1.2 – 1.0	0.9 – 0

Presentation

The following should be included as minimum requirements in the report structure:

• Executive Summary or Abstract
  This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion 
  • Table of Contents
  • Introduction
  Background, scope of engagement, forensics tools used and summary of findings 
  • Analysis Conducted
  o Description of relevant programs on the examined items
  o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc
  o Graphic image analysis
  • Findings
  This section should describe in greater detail the results of the examinations and may include:
  o Specific files related to the request
  o Other files, including deleted files that support the findings
  o String searches, keyword searches, and text string searches
  o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and newsgroup activity
  o Indicators of ownership, which could include program registration data.
  • Conclusion 
  Summary of the report and results obtained
  • References
  You must cite references to all material you have used as sources for the content of your work
  • Glossary
  A glossary should assist the reader in understanding any technical terms used in the report. Use a generally accepted source for the definition of the terms and include appropriate references. 
  • Appendices
  You can attach any supporting material such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation.

Follow the referencing guidelines for APA 6 as specified in .

Submit the assignment in ONE word or pdf file on TURNITIN. Please do not submit *.zip or *.rar or multiple files.

­­­­­­

Task 1: Recovering Scrambled Bits

       In computer forensic digital information is identified and analyzed and used as a digital evidence in criminal, civil and administrative cases .Using different rules documents are maintained in a computer. Computer forensics need search warrants when preparing to search for a digital evidence. Reporting, analysis and analysis are the three stages in digital forensics.

First we have to gather the evidence from the suspect computer and identify whether the crime happen are not. Using computer forensics tools we can determine whether the suspect committed a crime or violated the company policy. Investigation process involves investigating the suspect computer and then collecting the evidence and preserving the evidence on a different computer. Computer forensic involves recovering deleted files and hidden files. In computer crimes and misuses evidence must be required.

2. Background Scenario:

                                EMTS is one of the best marketing and Service Company for the customer. In this company finished the marketing and customer service with Superior bicycles. EMTS is the best one compare to other Company. EMTS aimed to advertising the Superior Bicycles Product.in this EMTS Company, the person are gathering the Sensitive data for the marketing purpose to transfer the other Company. The EMTS are find out the suspected person.

Thus the Company signed the agreement for Superior bicycles, so the company details are much secured.   The Bob Aspen stored the all information about the Superior Bicycles into the USB derive. The EMTS manager found out the USB drive and check out all the files, but the person deleted the whole files. The EMTS manager used to retrieve the data using the forensics tool. Thus help of the tool to retrieve all the deleted message, through the network. Web based is received the attachments fie through e-mail.

3. Forensic Tools used:

• Win hex
• Pro discover Basic
• Hex Workshop

3.1Win hex:

            Win hex is the most powerful tool. Win hex tool is discovered by AG Germany. Win hex tool is the latest version, it will produced the new advance one called hex editor. The tool is mainly used to gathering the information for the purpose of evidence. The tool widely used for analysis the data , editing and recovery the deleted data.

3.2Pro discover basic:

          Pro discover basic tool is one of the forensic tool. Mainly used for the change the image file into the bootable file. It’s made by the Technology pathways, it’s one of the user friendly tool.

4. Scope of Engagement:       

 DFS:

       The method are used to derive the scientific tools, they are collection, validation, analysis, identification and presentation. The digital source are most important for gathering the evidence.

4.1Three types of digital Forensics communities:

• Law Enforcement
• Military
• Business and Industry

   Digital Forensics Science:

4.2 Process:

The DFS activities are naturally investigated by the following Process are given below:

• Identification
• Examination
• Analysis
• Decision

4.3Subtypes of DFS:  They are three types of the DFS Analysis are given below:

• Media Analysis
• Code Analysis
• Network Analysis.
• 4.3.1Media Analysis:

                   Computer are mainly used to refer the Media. Media is the major parts of the Digital Forensics Science. Media analysis is the stored medium, it could be focused on the flash Memory and RAM. Media Analysis is also called as the network Analysis.

Task 2: Digital Forensics Report

4.3.2Methodology of Digital Forensics:

• Acquire
• Authenticate
• Analyze

4.3.3Context of Computer Forensic 

5. Summary of findings:

          Our windows system installed the two forensic tool named as Hex Editor and pro discover basic. The hex editor tool mainly used for the shifting the bits. In our system contains the file name.txt. Thus the file contains the Cipher text data Converted into the Scrambled bits. By taking the scramble bits data to analysis and put into the hex editor tool .Thus the tool are easily finding out the plain text. The hex editor tool contains the operation toolbar, thus the toolbar are converted the bits into the plain text. If the original Palin text are generated could be change the bits type. This tool contains the 8,16,32,64 bits types, Change the bits one by one dependent on the original plain text. Another tool used for our windows system .Thus tool are mainly used for the converting the image file only. Thus any viruses occur any images, it could be easily find out the pro discover basic tool. Thus the tool are Commercial one for our windows System.

6. Analyzing digital Evidence

              In digital evidence analysis you need to recover data. Suspect deleted the file or damage the file or overwritten files on a disk. Now the files are deleted the existing space become free. Forensic investigator need to recover the data .Identify the recourses and gathering the resource in your investigation plan. To acquire Bob Aspen’s from the Information department and then secure the evidence. Forensics workstation must require to conduct investigation and analysis. Computer forensic and data recovery are different.

    You need the following items

• Bit stream imaging tool -Win Hex
• ProDiscover basic software
• Evidence custody form
• Evidence container for the storage media
• Computer to store the collected evidence and evidence locker

Evidence form which is used in corporate world      

Report generated using evidence collection form.

7. Task 1: Recovering Scrambled bits

            Win hex editor is the most powerful tool for analyzing. It can be converted the real image into the VMware, thus the tool are converted any of the file System like FAT, NTFS, CDFS, UDF media files. It is the important and good tool for analyzing.

Download Hex Workshop:

 

 

 TASK -2

8. Acquire a USB Drive using ProDiscover basics

           ProDiscover basic is a computer forensic tools which is used to recover the deleted files. After analyzing the computer you can retrieve the damaged and deleted files. To conduct an investigation you need to you forensic software. 

 Using variety of method evidence is collected. No single method retrieves all data from the disk so using several   software’s retrieve the evidence. Evidence custody form contains case number, investigating organization (name of the organization), name of the investigator, short description of the case, exact location where the evidence was collected. A list of Evidence item collected, Evidence recovery tools, Date and time of evidence collected. You need to create a folder on your computer to store the digital evidence .create a sub folder to organize all the related files. Create two folder named as bicycle and Bob .copy the folder into USB drives. ProDiscover can convert a raw image of a disk into a bootable VMWare Machine. 

11. Conclusion:

                      Digital forensic is the application used to support the Criminal activities. Digital forensic is also known as digital forensic science. It is the branch of the forensic science. This is mainly used for the forensic report evidence and investigation purpose. Thus tool are used for the recovering the deleted data from the secondary storage. We are using the two forensic tool. Hex editor and pro discover basics tool are the Commercial one for the user. The user are easily view the raw file and image file. Thus file are converted to the binary data .

If the binary data file are access the forensic tool. Thus the tool change the binary file into the plain original text file. Before converting the plain text file, the data should be stored the computer file, it could be the hexadecimal format. The features of the tool are learning themselves. Many tutorials point are not available. In thus tool some of the files are open or not open based on the Source code. The pro basic tool are mainly used for the converting the image file into VMware manner. Thus the data could be secreted to pass through the client to server, could not be share the third party.

12. Reference

Carrier, B (2001). "Defining digital forensic examination and analysis tools". Digital Research Workshop II. Archived from the original on 15 October 2012. Retrieved 2 August 2010.

Peter Sommer (January 2004). "The future for the policing of cybercrime". Computer Fraud & Security 2004.

"Technology Crime Investigation::Mobile forensics". Archived from the original on 17 May 2008. Retrieved 18 August 2010.

Gary C. Kessler, “Anti-Forensics and the Digital Investigator, Champlain College Burlington”, 5th Australian Digital Forensics Conference, December 2007

Reilly .D, Wren .C, Berry .T, “Cloud computing: Forensic challenges for law enforcement”, Internet Technology and Secured Transactions (ICITST), 2010 International Conference for , vol., no., pp.1-7, 8-11 Nov. 2010 [URL] 

Federal Bureau of Investigation (FBI), “Regional Computer Forensics Laboratory (RCFL)”, Program Annual Report for Fiscal Year 2007, Washington, DC, 2008

Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication, September 2011, 

Dominik Birk, Christopher Wegener, “Technical Issues of Forensic Investigations in Cloud Computing Environments”, Systematic Approaches to Digital Forensic Engineering (SADFE), IEEE Sixth International Workshop on , vol., no., pp.1-10, 26-26 May 2011,

Stephen Biggs, Stilianos Vidalis, “Cloud Computing: The impact on digital forensic investigations”, Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for, vol., no., pp.1-6, 9-12 Nov. 2009,

Ben Kepes, “Understanding the Cloud Computing Stack SaaS, Paas, IaaS”, Diversity Limited, 2011,