MN613 Computer Forensics

EPRB- it is an arrangement of apparatuses for encoded frameworks, information unscrambling and secret word recuperation that works on Windows working framework.AUTOSPY- This is a computerized criminology stage and Graphical User Interface to the Sleuth Kit. It keeps running on Windows, Linux and macOS.

Implementation of computer forensic techniques

Most digital crime activities leave a trace of evidence that allow the investigators to solve and prevent digital crimes [1]. According to my research I have concluded around 90% of all the data processed to information does not leave the digital domains. I will elaborate on the forensic techniques that facilitate acquisition of evidence. Example of these techniques include

Live forensics

Also known as live response. It majorly attempts to identify, control and eliminate possible threats in a live running system environment. In the past, this involved taking images and snapshots so as to perform analysis on these images. This was far-fetched as the process was far from efficient.Live forensic is more efficient if you focus on handling threats on the spot. The main difference between traditional and live forensic is on the time: the procedures of identifying, quantifying and eliminating threats are still similar in both techniques [1].

This techniques has a short life span and therefore its degree of success is determined by focusing on the source of threat. Instead of rushing into the process, one should look for usual suspect files in the system such as temporary directories. On windows, the best way of initiating live forensics is by peaking the active user app data directory, especially its roaming folder.

Password recovery

This refers to the recovery of password protected files. It can be through cracking the password or by passing it.

Passwords provide strong protection to sensitive information. It is in rare cases that the password is lost or the account administrator forgets the password [2]. In cases like this, password recovery is the best way to gain access to information.Brute forces can be used in cracking any password. It does this by attempting all possible passwords. In majority of the cases, this procedure is time consuming.

Smarter techniques have been deployed to reduce the number of possible passwords thus reducing on the time spent on password recovery. With the use of a wide range of array utilities, password recovery is made quite easy.

Deployment forensic tools

ElcomSoft Password Recovery Bundle (EPRB) –

This is a legal instrument that is utilized for secret key recuperation. It opens records, unscramble files and break into scrambled compartments with an across the board secret key recuperation package.

It just keeps running on a Windows Operating System.The apparatus is utilized in recovering passwords for an immense scope of office and business based applications including: Text processors, flag-bearers, office suites, database administration projects, spreadsheets and email customers [3].

The apparatus have however a little computerized process as the instrument requires monitory supervision. These robotized highlights include:

• Remote administration of secret key recuperation workstations.
• Time stamping of CPU Run time and resource usage.

The undertakings performed by the ElcomSoft Password Recovery Bundle include:

• Recovers report and framework passwords to different record positions.
• Monitoring CPU time and asset use.
• Performs password recuperation of client activities.

Autospy

This computerized crime scene investigation program is like a graphical interface device which is utilized to a great extent by military, law offices and corporates to look at PC's past exercises [4]. You can likewise utilize it in recuperating photographs from your camera's or telephone's memory card.

Unlike the EPRB apparatus, it keeps running on different working frameworks. These OS include: Windows, Linux and macOS. The file formats that are supported by Autospy forensic tool include:

• Disk Image-these are files or set of files that are made up of byte for byte hard or media drive copy.
• Local Disk: primary storage device
• Logical Files: files and folders that are locally available in the computer storage.

The vendors support reputation by providing a 24hr help line to facilitate aid if needed.  The vendor also provides a user and developer guide documentation.

The tasks performed by this tool include:

• Gives a course of events examination which shows framework's occasions in a graphical interface.
• Concentrates information from SMS, call logs and contacts.
• It distinguishes documents and organizers in light of their name and way.
• Label records with discretionary label names, for example, 'bookmark' or 'suspicious', and include remarks [5].
• Distinguishes easy routes to accessing records.

Adding source of data

You can include an information source in a few different ways:

• After you make a case, it consequently prompts you to include an information source.
• There is a toolbar thing to include a Data Source when a case is open.
• The "Record", "Include Data Source" menu thing when a case is open.

The information source must stay open for the span of the investigation in light of the fact that the case contains a reference to the information source. It doesn't duplicate the information source into the case organizer.Notwithstanding the kind of information source, there are some basic strides all the while:

1) You will be provoked to determine the information source to include (points of interest are)

2) Autopsy will play out an essential examination of the information source and populate an implanted database with a passage for each document in the information source. No substance is investigated all the while, just the records are counted.

3) While searching information source, it will be provoke a rundown of ingest modules to empower

4) After you design the ingest modules, you may need to sit tight for Autopsy to complete its essential examination of the information source.

5) After the ingest modules have been designed and the fundamental examination of the information source is finished, the ingest modules will start to break down the document substance. Information can be spelt from the source [6].

Assignment section 2

Registered owner, account name in use and the last recorded shut down date and time: MARTIN KING, KINGMARTIN, shutdown Friday, June 16, 2017 12:59:23PM

Account name of the user who mostly used the computer and the user who last logged into it: KINGMARTIN, MARTIN KING.

The time zone is 3GMt standard time

The computer name was be DESKTOP-3AVIC6Z.

Accounts on the OS were Administrator, Guest, Paul Acct.

Applications that are installed in the operating system.

Roslyn Language Services - x86                                                                    14.0.23107     

Application Insights Tools for Visual Studio 2015                                                 3.3            

Microsoft Visual Studio Team Foundation Server 2015 Office Integration (x64)                      14.0.23102     

Adobe Photoshop                                                                                   1.0.0000       

Microsoft Visual Studio 2015 XAML Visual Diagnostics                       14.0.23107     

Microsoft Build Tools Language Resources 14.0 (x86)                            14.0.23107     

Microsoft Visual C++ 2005 Redistributable - x64 8.0.56336 False           8.0.56336      

Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 False 11.0.60610     

Microsoft Blend for Visual Studio 2015 - ENU                                        14.0.23107     

Microsoft Visual Studio Professional 2015 - ENU                                    14.0.23107     

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 False            9.0.30729       

Windows Espc Resource Package                                                              14.0.23107     

Microsoft Visual Studio 2015 XAML Application Timeline - ENU          14.0.23107     

Microsoft .NET Framework 4 Multi-Targeting Pack                              4.0.30319      

Visual C++ IDE Common Package                                                        14.0.23107     

 Internet Explorer                                      8.9.1.5100     

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30411 False         9.0.30411      

Microsoft Visual Studio Team Foundation Server 2015 Storyboarding (x64)                           14.0.23102     

Microsoft System CLR Types for SQL Server 2014                                                    12.0.2402.11   

The browser that was used is CHROME BROWSER

The directory to the software was. E:Software

The application that was used for email is Yahoo mail

The applications that were installed in the computer and could be used for hacking are

• Cain&Abel

Bibliography

Schneier, B. and Kelsey, ecure audit logs to support computer forensics., CM Transactions on Information and System Security (TISSEC), 2(2), pp.159-176, 2010.

Kruse II, W.G. and Heiser,, Computer forensics: incident response essentials, Pearson Education, 2013.

Yasinsac, A., Erbacher, R.F., Marks, D.G., Pollitt, M.M. and Sommer, P.M, Computer forensics education, IEEE Security & Privacy, 99(4), pp.15-23., 2013.

Yusoff, Y., Ismail, R. and Hassan, Z., 2011, Common phases of computer forensics investigation models., International Journal of Computer Science & Information Technology, 3(3), pp.17-31., 2011.

Fahey, A.L., e fense Inc, omputer forensics, e-discovery and incident response methods and systems, U.S. Patent Application 12/318,083., 2009.

Bradford, P.G., Brown, M., Perdue, J. and Self, B., April. Towards proactive computer-system forensics. In Information Technology: Coding and Computing, Proceedings. ITCC 2004. International Conference on (Vol. 2, pp. 648-652). IEEE., 2012.

Luttgens, J.T., Pepe, M. and Mandia, K, Incident response & computer forensics. McGraw-Hill Education Group., 2014.