
Digital Forensics Project - Essay Example

Summary
The paper "Digital Forensics Project" highlights that protecting the integrity of the evidence collected is vital for law enforcement. When the integrity is in doubt, the legal processes could be placed in jeopardy. This necessitates good handling of the evidence (Casey & Brenner, 2011)…

Extract of sample "Digital Forensics Project"

Running head: DIGITAL FORENSICS

Digital Forensics

Introduction

Digital forensics is a branch of forensic science that entails recovering and investigating digital material found in devices. Digital forensics also encompasses the investigation of computer crimes. Previously, the term was used interchangeably with computer forensics, but it has expanded to include the investigation of all digital devices that can store data (Sammons, 2012). Digital forensics finds applicability in many areas, especially in the courts, for refuting or supporting hypotheses during legal proceedings. It also finds application in the internal audit of a corporation, in investigating whether a crime has been committed (Sammons, 2012). Other applications entail investigating whether there was a breach of the network within an organization.

In the technical aspects of the investigation, digital forensics has several sub-branches that relate to the digital devices that have been in use. They include network forensics, mobile data computer, and forensics data analysis (Oriyano & Gregg, 2011). Apart from the provision of direct evidence relating to digital crimes, digital forensics has vast applications in authenticating documents, confirming alibis, identification, and determining the intent behind a breach of information. To sum it all up, digital forensics entails the preservation, extraction, and analysis of evidence relating to digital content for appropriate legal action.

The field is concerned with apprehending criminals who use digital technology in committing crimes. Some of the crimes committed through digital technology include hacking of emails to retrieve important information and retrieving information from government agencies and institutions in an illegal manner for personalized use or terrorism (Oriyano & Gregg, 2011). Gone are the days when criminals used excessive force to get what they want.
They have shifted to the use of technology, wiring money to their accounts, especially from banking institutions, without the use of force. Digital forensics is of relevance to these cases and helps in averting such crimes (Marcella & Guillossou, 2012).

In this project, Digital Forensic Evidence Files will be investigated using the Forensic Toolkit that is available within the Lab. The evidence files have been collected from the suspect's computer. The files for investigation are true images retrieved from the hard drive of the computer (Marcella & Guillossou, 2012). Three files are available for investigation, namely Thumb drive.E01, Mantooth.E0, and Washer.E01. The files under investigation in this case are Mantooth.E0 and Washer.E01. A report will be filed after detailed investigation of the files.

The investigation was prompted by the company's suspicion that fraudulent activities are happening in the company. The suspected activities include data hiding, steganography, and the stealing of credit card information from the affiliate members of the company (Marcella & Guillossou, 2012). The fraudster is well versed in these activities, and there is a probability that some information is either encrypted or hidden. In colluding with other persons to carry out the criminal intent, the perpetrator has been using email for communication. These attachments are the leading proof for the community activities.

The investigation will take a timeframe of four weeks. The knowledge from the forensic classes will find great application in attaining a detailed investigation of the criminal activities. Good investigation entails using the available resources to accomplish the process (Marcella & Guillossou, 2012). Internet resources will help in obtaining the necessary information that is relevant to the investigation process.
Within this time span, it will be possible to carry out a thorough investigation appropriate for the project.

Steps of approaching a crime scene

Crime scene investigation entails following certain steps so that the evidence is preserved. The first responder must take these steps, which are later taken into consideration in the analysis of the crime. Crime scene investigation entails seven steps:

1. Securing the scene: this is the responsibility of the first responding officer (Sammons, 2012). The first priority is the safety of the individuals present at the crime scene, while the second priority is preserving the evidence. The step entails protecting the crime area.
2. Separating the witnesses: the step entails separating the people who were present when the crime was taking place. It also entails getting information such as the locality of the crime, the suspect, and the victim of the crime. Some of this information will help in the investigation process (Sammons, 2012).
3. Scanning the scene: this step entails determining the places where the photos will be taken (EC-Council Press, 2010). The step helps in understanding the primary as well as the secondary crime scene.
4. Seeing the scene: the process involves taking photos of the crime area from several angles. Close-up photos of the scene can be taken, with triangulation of the stationary objects included (EC-Council Press, 2010).
5. Sketching the scene: these are rough sketches that include the measurements of the scene.
6. Searching for the evidence: the process entails several procedures, such as the quadrant, grid, strip or line search and, finally, the spiral method. These methods ensure that no area within the crime scene is left unsearched (Dutelle, 2011).
7. Securing and collecting the evidence: various approaches are used for collecting and securing evidence, depending on whether it is biological or non-biological (Dutelle, 2011).
A lot of care is required to prevent contamination that interferes with the integrity of the evidence collected. Protecting the integrity of the evidence collected is vital for law enforcement. When the integrity is in doubt, the legal processes could be placed in jeopardy. This necessitates good handling of the evidence (Casey & Brenner, 2011). Various countries have rules relating to the collection of evidence and its preservation. Admissibility of the evidence in court depends on whether the rules have been followed.

Handling of the evidence involves the following steps:

  • Identification of the evidence after it has been seized. Each piece of evidence should be identified and given a reference number and a simple description (Casey & Brenner, 2011). Details such as the day and time when the evidence was collected should be noted.
  • A receipt is issued to the person who collected the evidence as proof of the provided file.
  • Original files and documents should be sealed in boxes and containers, and photocopies can be used for investigation (Casey & Altheide, 2010).
  • An inventory of the evidence should be kept. The inventory contains the reference number, the number of the box in which the evidence is kept, and its location (Casey & Altheide, 2010).
  • Evidence should be placed in a fireproof location to which access is limited to the custodian.
  • Written records should be maintained of the steps involved in the handling of the evidence and of the persons who had direct access to it (Casey & Brenner, 2011).
  • A control sheet needs to be attached to the evidence, showing the date and time and the name of the person who took the evidence. The custodian of evidence should sign the record for authentication purposes.
  • Records containing information on the evidence should be kept separate from the complaint file (Dutelle, 2011).
  • The evidence is taken to the forensic lab for further analysis. After analysis in the lab, the evidence is sent back to the handler of evidence for storage (Dutelle, 2011).
Investigation using evidence provided

  • Reviewing the case. This is the first step and is accomplished through a review of the evidence from the material present (Marcella & Guillossou, 2012). Witnesses can also be reviewed to re-check the facts provided. The reviews aim at discerning the facts that meet the elements of crime classification.
  • Re-interviewing the victim. This is done to remove incidences of false reporting or to attain new facts from the victim (Marcella & Guillossou, 2012). The victim, which in our case is the company, may clarify the information collected relating to the evidence.
  • Authentication of the crime (Fisher & Fisher, 2012). Review of the evidence and re-interviewing of the victims help in determining the true nature of the complaint filed. Furthermore, they help in clearing cases of misidentification and false reporting.
  • Analysis of the evidence. Evidence analysis begins on the basis of the known facts relating to the crime. The evidence provides the lead factors that contribute to the crime. The analysis can elucidate the suspect information, victim information, IP addresses logged, delivery of the email addresses, account statements in the case of money transactions, and the motives of the perpetrator (Fisher & Fisher, 2012).
  • Pursuing the initial leads. The initial leads are some of the factors that serve as indicators of the crime (EC-Council Press, 2010). Reconstruction of the crime is important at this point since it points to the initiation of the crime. The transaction numbers/accounts indicate the location where the money was transferred. IP addresses point to the location of the computer used in the passing of the identities (EC-Council Press, 2010). There are cases when the locations are outside the jurisdiction of the investigator. The following step explains what is necessary in dealing with such a situation.
  • Obtaining the consent. The consent of the victim helps in accessing these areas. Financial institutions and government agencies are out of reach for many people, and such documents are therefore needed as a permit (Casey & Brenner, 2011). A digital trail of the physical evidence is created in such cases. It is necessary to evaluate all the paper documents. Sometimes the initial evidence collected is not sufficient, and collecting more evidence will assist in providing further investigative links. In a digital crime, the investigator may collect the computer used by the perpetrator in the cyber café for further analysis.
  • Creating a timeline. Timelines built on a visual presentation of the evidence collected are necessary since they give the prosecutor the basis for understanding the crime (Casey & Altheide, 2010).
  • Building character. Based on the locations, actors and organizations involved, there is a need to capture the identities and their physical appearance (Casey & Altheide, 2010). With this information, the investigator does not need to memorize all the details.
  • Establishing a link analysis. After evidence analysis and obtaining the leads, it becomes appropriate to bring the information together as a simplification of the whole case.
  • Collaborating through sharing of information (Casey & Brenner, 2011). After evidence analysis, collaboration with outside agencies is necessary for the investigation process. State agencies and financial institutions may help in the investigation process through the release of vital information relating to the individual (Casey & Brenner, 2011).

Titles for the files to comment on:

I. Washer File

  • The drive was imaged by Nick Drehel.
  • The number of sectors identified in the drive was 250,879.
  • The number of partitions listed was two.
  • The volume names of the partitions were Washer and UnpartSpace.
  • The serial number for the Washer partition was 5017-2777.
  • The file system for the two partitions was NTFS.
  • The identified beginning sector for partition 1 was 63.
  • The identified cluster for the $MFT record was NULL.
  • The identified MFT record number for the Documents and Settings directory was 27(27648).
  • The total number of user accounts was 9.
  • The listed user names and their SIDs, the last login time and the number of times each user logged into the system are provided in the table below.
  • The control set in the image file based on the OS was NULL.
  • The identified time zone was UTC.
  • The analyzed memory dump files for this case are NULL.

II. Mantooth File

  • The number of encrypted files for this case was 14.
  • The attacked and cracked file was Steal Credit Numbers.doc, with the password being 0zuz3v0.
  • Another file attacked and cracked was SlIST.doc, with password unknown.
  • Finally, another file, Those who owes.doc, was attacked, with the password being smack.

| Username | SID | Last login time | Login count |
|---|---|---|---|
| Administrator | 500 | 2/13/2008 2:17:05 UTC | 16 |
| Artimus | 1008 | Never | 0 |
| Billy Bob Brubeck | 1003 | 2/13/2008 2:17:08 UTC | 22 |
| Captian Hook | 1006 | 2/13/2008 2:17:08 UTC | 21 |
| Guest | 501 | 2/13/2008 2:40:33 UTC | 0 |
| HelpAssistant | 1000 | 7/25/2007 1:11:56 UTC | 0 |
| Mr Smee | 1005 | 2/13/2008 2:17:09 UTC | 21 |
| SUPPORT_388945a0 | 1002 | 7/25/2007 1:11:56 UTC | 0 |
| The Wolf | 1004 | 2/13/2008 2:17:09 UTC | 22 |

Table showing the logging activity: user name, SID, last login time and login count.
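
As an added illustration (not part of the original paper and not output of the Forensic Toolkit), the Python example below shows where several of the Washer values listed above are stored in a raw disk image: the starting sector of partition 1 in the MBR partition table, and the file system, $MFT cluster and volume serial number in the NTFS boot sector. The image is constructed for the example; only the starting sector 63 and the serial 5017-2777 come from the paper, while the partition size, the $MFT cluster and the assumption that the serial is displayed as the low 32 bits of the 64-bit NTFS serial are illustrative.

```python
import struct

SECTOR = 512  # assumed sector size

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:    # byte 4 is the partition type
            parts.append({"index": i + 1, "type": entry[4],
                          "start_lba": start_lba, "sectors": count})
    return parts

def parse_ntfs_boot(vbr):
    """Decode the NTFS boot sector fields an examiner reports."""
    if len(vbr) < SECTOR or vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    total, mft_lcn = struct.unpack_from("<QQ", vbr, 0x28)
    low = struct.unpack_from("<Q", vbr, 0x48)[0] & 0xFFFFFFFF
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft_lcn,
            # byte offset of $MFT measured from the start of the partition
            "mft_offset": mft_lcn * spc * bps,
            "serial": f"{low >> 16:04X}-{low & 0xFFFF:04X}"}

def build_sample_image():
    """Constructed test image: MBR, 62 empty sectors, NTFS boot sector."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x01\x01\x00",
                     0x07, b"\xfe\xff\xff", 63, 248976)  # size is made up
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    struct.pack_into("<QQ", vbr, 0x28, 248975, 10374)    # made-up values
    struct.pack_into("<Q", vbr, 0x48, 0x1A2B3C4D50172777)
    vbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 62) + bytes(vbr)

def examine(image):
    """Follow partition 1 from the MBR to its boot sector."""
    part = parse_mbr(image[:SECTOR])[0]
    start = part["start_lba"] * SECTOR
    return part, parse_ntfs_boot(image[start:start + SECTOR])

if __name__ == "__main__":
    part, ntfs = examine(build_sample_image())
    print(part)
    print(ntfs)
```

Run against a read-only copy of a raw (dd-style) image, the same two parsers let an examiner cross-check the values a forensic suite reports; an E01 file must first be converted or mounted as raw, since E01 is a container format.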
| Dudes Name | What | $$$ |
|---|---|---|
| Little Timmy | Mth | $600.00 |
| Big John | Special K | $250.00 |
| John Washer | H | $250.00 |
| Frank the Tank | H | $5,000.00 |
| Sam I AM | Marijuana | $100.00 |
| Mac Daddy | Special K | $200.00 |
| Mr Freeze | Special K | $698.42 |
| Methalotapus | Mth | $555.00 |
| megamethamous | Mth | $250.00 |
| Simple Simon | Marijuana | $698.00 |
| Total | | $8,601.42 |

Individuals owning the documents

References

Casey, E., & Altheide, C. (2010). Handbook of digital forensics and investigation. Amsterdam: Elsevier/Academic.

Casey, E., & Brenner, S. W. (2011). Digital evidence and computer crime: Forensic science, computers, and the Internet, third edition. Waltham, Mass: Academic Press/Elsevier.

Dutelle, A. W. (2011). An introduction to crime scene investigation. Sudbury, Mass: Jones and Bartlett Publishers.

EC-Council Press (2010). Computer forensics: Investigation procedures and response. Clifton Park, NY: Course Technology Cengage Learning.

Fisher, B. A., & Fisher, D. (2012). Techniques of crime scene investigation. Boca Raton, Fla: CRC Press.

Marcella, A. J., & Guillossou, F. (2012). Cyber forensics: From data to digital evidence. Hoboken, New Jersey: Wiley.

Oriyano, S.-P., & Gregg, M. (2011). Hacker techniques, tools, and incident handling. Sudbury, Mass: Jones & Bartlett Learning.

Sammons, J. (2012). The basics of digital forensics: The primer for getting started in digital forensics. Waltham, MA: Syngress.