Digital Forensic - Coursework Example

Digital Forensic

Question One

Using a write-blocker to examine forensic data

In digital forensics, write-blockers are used to create forensic images of the media. The practice is ingrained to the extent that images created without a write-blocker are readily treated as suspect. Notably, an individual can use the Windows registry to write-protect devices such as USB mass storage. An investigator combines a USB-SATA adapter or USB-IDE device with USB write-blocking tricks to offer device protection. Examining forensic data using a write-blocker involves a critical NCFS 5-step validation process to test the write-protection device.

Firstly, the investigator needs to prepare the media. Preparing the media involves attaching a storage medium to a forensic workstation in write-enabled mode, wiping the media, and formatting it. Afterward, data is copied to the installed media and a selection of the data is deleted from it.

Secondly, the investigator needs to test the media. In this step, the investigator removes the testing media and reattaches it to the forensic workstation, and then copies the same data to the media. Additionally, some selected data is deleted from the media. The investigator then images the media into a step-2 folder while noting the MD5 hash. Further, the investigator validates that the hash value is not the same as the one produced in the first step.

The third step involves activating the relevant write-blocking device (Kessler & Carlton, 2014, p. 51). In this case, the investigator removes the media from the forensic workstation and attaches or activates the write-protection device. This step should be done with attention to the specific procedures of the particular blocker.

Fourthly, the write-blocking device is tested. The investigator inserts the media into the forensic workstation and copies the files to the media.
He or she then tries to delete the files and format the media.

Finally, the investigator checks for any changes that might have occurred within the media. In this step, the media is imaged into a step-3 folder and the MD5 hash is noted. The investigator also validates that this MD5 matches the MD5 obtained at step 2.

Using a hex editor to examine forensic data

Hex editors permit examination or modification of files at the low level of bytes and bits. Usually, a hex editor represents the contents of the file in hexadecimal form. Some editors also help the user derive meaning from the file examined, extract Unicode and ASCII contents, recognize common structures, and search for patterns. In this case, an investigator locates potentially malicious code embedded in the file, such as VBA macros, JavaScript or shellcode. He or she then extracts the segments of suspicious code from the file and checks them. An example of this method is file carving, which recovers files and fragments when the directory entries are missing or corrupt.

Using Autopsy to examine forensic data

Autopsy is an open-source suite of digital forensic tools produced by Basis Technologies. It has numerous built-in ingest modules that support forensic data analysis. When using Autopsy, one needs to install the forensic toolkit on the investigative device. After that is done, the investigator starts the Autopsy forensic browser. After starting the browser, one opens a new case by clicking on new case, which allows evidence to be added. The third step involves adding the case details, for instance, the description, the name and the investigators' names. It is important to note the location of the directory that carries the evidence. Afterward, the investigator adds a host to this particular case and notes the location of the host.
Further, the investigator adds an image that will be analysed and then selects the location of the image to be analysed. In the next step, the investigator selects or creates a case gallery where the information will be displayed. In essence, Autopsy is a graphical interface with tools that analyse the data entered into the browser.

Using netcat to examine forensic data

Question Two

Metadata refers to data that describes other data. In essence, it gives a summary of another set of data to make finding and working with that data easier. Metadata is helpful when it comes to videos, images, and spreadsheets. For example, it gives information about the author, file size, date created, and the date of modification. Hence, it makes it easier for users to locate files stored on computers and the internet. In forensics, retrieval and analysis of information is vital. In this regard, metadata gives an upper hand in locating the information and giving accurate information regarding the time it was created and modified, who created it, and even its size. Investigators need this kind of information to establish and verify a crime in a court of law.

Question Three

There are two main reasons for examining memory from a system that is running rather than from a system that is shut down. RAM is a part of the computer's data storage. However, it is volatile, easily flushed, and cannot hold data for a long time. Computers store information at memory addresses that can be retrieved by hardware devices or software applications. In this regard, data actively used by hardware or a computer program runs through the RAM at the particular time when it is in use. Hence, the RAM becomes vital in computer forensics. Thus, to acquire the RAM, the system must be kept running. In the realm of advanced malware technology, RAM acquisition remains the sole evidence to depict a crime or an intrusion.
Secondly, when an investigator shuts down the system, the contents of the RAM are flushed from that particular computer, wiping all active information that might be in the RAM. It is, therefore, important to keep the system running to help collect active data for forensic analysis.

Question Four

Forensic examiners often use imaging techniques to obtain data from disks rather than copying files, since the images contain all data from the source disk. In fact, a forensic image contains all current files plus the contents of the unallocated and slack spaces. Several relevant forensic artifacts are present in unallocated space, such as hidden data, deleted file fragments, and deleted files. Computer forensic experts access slack space, unallocated space and other hidden data using proper tools to recover contents treated as forensic evidence. The hidden information has details of what took place on the suspected computer: for example, the kinds of websites visited, the emails received and sent, financial transactions through the internet, and letters. It also contains documents and photographs created, accessed, and modified. The professionals access the data even if it was never saved on the computer.

Question Five

Chain of custody, abbreviated as CoC, in a legal context refers to a chronological paper trail of documentation indicating the seizure, control, custody, analysis, transfer and outlook of any electronic or physical evidence obtained from a scene of crime. The custody chain has the goal of preserving the evidence from the time of collection until its presentation in a court of law. In fact, the parties presenting the data in court have an obligation to ensure that the evidence provided is the same as the one received or collected. They also need to testify that the date and time indicated are factual regarding the reception of the evidence and its transfer to another provider.
Additionally, the testifiers have to ascertain that the information offered in court was not tampered with while it was in custody.

Question Six

Hashing is the use of hash functions to verify that an image is identical to its source media. It is comparable to a digital fingerprint for files. A hash is mathematically derived from the contents of the item and then displayed as a set of letters and numbers. Forensic investigators ought to hash all the information found on the suspected disk images. Everything accomplished by an investigator must remain easily replicated by other persons so that the court can verify that the investigator never altered the evidence presented. There are numerous hashing algorithms in use, for instance, MD5, SHA1, and SHA256. MD5 is a 128-bit algorithm whose output is written as 32 characters, and it is the most common in investigations.

Question Seven

Promiscuous mode refers to a security policy that can be defined at the portgroup or virtual switch level in vSphere ESX/ESXi. A service console, virtual machine or VMkernel network interface in a port group that allows promiscuous mode can see all the network traffic that traverses the virtual switch.

To capture a snapshot of the memory allocated to a networked forensic machine, one needs the appropriate tools for the job: for instance, a disk drive zeroed with the dd command and a USB stick to copy the malware, keep the digital notes, and write logs. The next step is to approach the target, where the investigator determines whether the machine can be safely powered off. However, one must grab a RAM image before shutting down the machine. After this, the investigator records all the relevant information such as time, date, and incident name. Further, the investigator identifies all the devices that are plugged into the suspected machine.
These devices might include HDDs (internal and external) and USB sticks. After that, the information is written to a file on an already formatted drive. Firstly, mount the external hard drive partition that you need to write to and then change to a target directory. Afterward, create a directory for and then move it into the directory. After all is done, take an image using dc3dd.

When creating a forensic timeline, investigators can use several procedures. One such procedure uses a SIFT workstation and the log2timeline.py front-end tool that is available in the plaso suite. In this case, the first step is finding the starting sector of the particular NTFS partition via mmls. Secondly, the investigator mounts the NTFS partition in read-only mode. Afterward, the mounted partition is processed with all the plugins to create the super timeline in plaso storage format. A fourth step is to sort the plaso files and generate the super timeline output in CSV format. Finally, the investigator reduces the data set to the period proximal to the intrusion.

There are several procedures to image a hard drive. In this case, an investigator needs a program that will create the hard drive's image automatically; for example, DriveImage XML is obtainable free from the internet. Secondly, the investigator should run the program to access its interface. After a successful installation, the investigator selects the drive that needs to be imaged. Another step is to select a destination drive for the image that is going to be created. After that, the program completes the imaging process once the finish button is clicked.

Question Eight

Introduced in Windows XP, the Windows Prefetch files have the job of speeding up the application start-up process.
The Prefetch files include the name of the executable, the number of times the executable has run, the Unicode list of DLLs used by the executable, and a timestamp that indicates the last time the program was run. The Prefetch directory is a vital folder for forensic examiners because it keeps massive metadata regarding the applications that have run on the suspect computer. The folder saves varied invaluable metadata such as the location of an application on the device and the last dates that the files were accessed, created, modified, and used. Forensic examiners need such information to analyse the evidence and present credible information to the court.

Question Nine

Windows restore points are features that allow users to revert their computers' state to previous points in time, and are used to recover systems from malfunctions. Usually, when the system creates a restore point, a folder is created that captures all the information on the drive. Therefore, if a crime occurred, an investigator can go to the restore points and retrieve the necessary information. Hence, the restore points come in handy when forensic investigators need vital information pertinent to a crime committed and the suspected machine has been restored. Consequently, the forensic assessor accesses the restore point folder and retrieves substantiation usable in court against the perpetrators.

Question Ten

Files that have been deleted often provide essential forensic information for forensic examiners. Hence, knowing where to locate the files and how to interpret the metadata associated with their deletion is the cornerstone of a winning forensic computer examination. The recycle bins in Microsoft Windows and Windows Vista act as temporary folders to hold files that have recently been deleted from the computer. These folders are reached through the recycle bin icon found on the desktop.
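The Prefetch fields listed under Question Eight (executable name, run count, last-run timestamp) can be read straight from the file header. The parser below is an added example, not part of the original coursework; the field offsets follow the commonly documented SCCA layout for format versions 17, 23 and 26 and are an assumption not stated on the page, and the sample file is constructed in memory.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# format version -> (offset of last-run FILETIME, offset of run count).
# Assumed from public format documentation: 17 = XP, 23 = Vista/7, 26 = 8.x.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_datetime(ticks):
    """Convert a FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Convert an aware datetime to FILETIME ticks (integer arithmetic only)."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch_header(data):
    """Return name, run count and last-run time from an uncompressed .pf file."""
    if data[:3] == b"MAM":
        # Newer Windows versions store Prefetch files compressed.
        raise ValueError("compressed Prefetch file: decompress before parsing")
    if len(data) < 0x54:
        raise ValueError("too short to hold a Prefetch header")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version not in LAYOUT:
        raise ValueError("unsupported Prefetch format version %d" % version)
    last_run_off, run_count_off = LAYOUT[version]
    if len(data) < run_count_off + 4:
        raise ValueError("file truncated before the run-count field")
    # Executable name: 60 bytes of UTF-16LE, NUL-terminated.
    raw_name = data[0x10:0x10 + 60].decode("utf-16-le", errors="replace")
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_run,) = struct.unpack_from("<Q", data, last_run_off)
    (run_count,) = struct.unpack_from("<I", data, run_count_off)
    return {
        "version": version,
        "executable": raw_name.split("\x00", 1)[0],
        # The same hash appears in the on-disk name, e.g. NAME.EXE-<hash>.pf
        "path_hash": "%08X" % path_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        # A mismatch suggests a truncated or carved fragment.
        "size_matches_header": file_size == len(data),
    }


def build_sample(version, name, run_count, last_run, path_hash=0x1A2B3C4D):
    """Construct a minimal header-only sample (constructed data, not real evidence)."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    encoded = name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, path_hash)
    last_run_off, run_count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, last_run_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, run_count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    when = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    for key, value in parse_prefetch_header(build_sample(17, "NOTEPAD.EXE", 7, when)).items():
        print(key, "=", value)
```

Run it against a copy of a .pf file taken from a forensic image, never against the live Prefetch directory of the suspect machine.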
Question Eleven

The CMA of 1990 contains four primary offenses defined under sections 1, 2, 3 and 3A. In essence, the following offenses were mentioned. They included unofficial contact with computer material and unofficial access to the materials in computers with intent of committing or facilitating a crime. Additionally, they involve unauthorized modification of computer material and making, obtaining or supplying things that can enhance computer misuse offenses.

Question Twelve

Principle 1: No action taken by law enforcement agencies, their agents or individuals employed by the agencies should alter data that might be relied upon in a court of law.

Principle 2: In a circumstance where an individual finds it vital to access original data, he or she must demonstrate competence and provide evidence regarding the relevance and varied implications of their actions.

Principle 3: Audit trails or records of the entire processes used on digital evidence should be created and appropriately preserved. However, an independent third person must be in a position to examine the processes and obtain the same results.

Principle 4: The individual in charge of an investigation has full responsibility to ensure that there is adherence to the law and all the aforementioned principles.

Question Thirteen

The RIPA Act is a UK-based parliamentary act that regulates the powers of public bodies in carrying out investigations and surveillance. It covers the interception of all communications across England. Ostensibly, its introduction aimed at taking account of technological changes such as internet growth and strong encryption.

Question Fourteen

Volatile information refers to the data stored in volatile memory that is lost when the power is turned off. The volatile information is maintained in the volatile memory by power, and if it is switched off, the information is lost almost immediately.
On the contrary, non-volatile information is data stored in non-volatile memory, and is never lost even when the power is switched off. There is vast information found in volatile memory, for example processes, network information, cryptographic keys, hidden data, worm information, passwords, and rootkits. The information helps the forensic investigator to uncover potential and credible evidence that can be used against a criminal perpetrator.

Question Fifteen

Steps to seize a running computer:

1. Maintain the log of actions conducted on the machine
2. Take a photograph of the screen of the running computer for documentation of its state
3. Be sure to identify the OS
4. Keep note of the time and date if indicated on the screen and record them with actual time
5. Dump the RAM into the removable storage device from the system
6. Check whether there is an encryption of disk or file
7. Collect all volatile OS information and save it to a USB device
8. Determine the method of evidence seizure
9. Prepare a report documenting the actions and steps taken

The Windows registry refers to the database that contains vital information about the system hardware, all installed programs, profiles, and settings of all accounts available on a computer. The names of the five Windows Registry files include HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG. The Windows registry is not a single large file; instead, it contains discrete files referred to as hives. Each hive entails a registry tree that has a key serving as the root of that particular tree.
The registry hives are located as follows:

HKEY_LOCAL_MACHINE\SYSTEM: \system32\config\system
HKEY_LOCAL_MACHINE\SAM: \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY: \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE: \system32\config\software
HKEY_USERS\UserProfile: \winnt\profiles\username
HKEY_USERS\.DEFAULT: \system32\config\default

The registry file that will be contained in a Faith user machine will appear as HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT. As depicted, the file stores the user settings regarding the documents and the profiles.

Question Sixteen

The purpose of a well-crafted internal incident response policy is to ensure an effective response to information security incidents that affect the integrity, availability, and confidentiality of an organization's administrative services and information assets. The policy defines the structure for responding to the incident, its roles and responsibilities, and the requirements for reporting incidents. It requires that all staff report incidents immediately while noting the risk and vulnerability assessments. All information should be directed to the CISO.

A well-crafted IIRP should provide guidance to a first responder for a particular security incident. For instance, it should outline the principles that guide the response. Such principles can include how to prepare the response, how to detect a crime, how to contain the incident, steps to eradicate the vulnerability, and how to recover and return to the operational state. Additionally, it should provide space for the first responder to document the necessary lessons learned from the incident.

Internal responders should be methodical and cautious when they arrive at the crime scene in order to preserve the scene and minimize contamination while making little disturbance to the physical evidence.
They should log or note the dispatch information, be aware of the vehicles or persons leaving or entering the crime scene, cautiously approach the scene, scan the area, and note other secondary crime scenes. Further, they need to make initial observations to assess the crime scene and ensure their safety before continuing. Moreover, they must remain attentive and alert. Additionally, they must treat the locale as a scene of crime until it is assessed and determined to be otherwise. Failing to be cautious and contaminating the crime scene evidence will lead to a failed investigation.

Question Seventeen

The CMA of 1990 contains four primary offenses defined under sections 1, 2, 3 and 3A. In essence, the following offenses were mentioned. They included unauthorized access to computer material and unauthorized access to the materials in computers with intent of committing or facilitating a crime. Additionally, they involve unauthorized modification of computer material and making, obtaining or supplying things that can enhance computer misuse offenses. When found guilty of a section 2 offense, the perpetrator is liable to a maximum jail term of 5 years and a fine. Section 3A, for instance, deals with making, supplying, and obtaining articles to be used in computer misuse offenses.

Question 18

The metadata in a Word document is the document metadata. It is attached to the file but cannot be observed on the face of the document. It gives a summary of all the information about the data. In forensic analysis, it is applicable in locating a particular document with ease. It is useful in obtaining forensic data in different ways. It can also be applied to forensic data such that only the intended information is made available. That is called document sensitization. The tool is also useful in protecting data in forensic analysis.

Question 19

The three main steps of gathering digital data involve tracking, analyzing, and spreading the data.
The first stage involves identification of the right tool or software for gathering the data. The second stage is the implementation of the gathering process. The third involves the consolidation of the database to accommodate the required information. Next is the reviewing of the implementation plan. In case there is need, the gathering instruments can be redesigned to fit the needs required of them. There can be the option of adopting a questionnaire format from a hard copy system.

Question 20

Steganography is the science and art of hiding information so that it is not exposed. The main objective of the technique is to keep information out of the view of a third party. The technique is highly applicable in forensic science. It ensures that particular information is only availed to the intended parties. Steganography is distinct from cryptography. In cryptography, there is no hiding of the message, but the text is written in a manner that the third party cannot read. The technique can enable a user to hide a message in an audio file as well as an online image from unintended parties. It works by embedding the secret message in a carrier.

Question 21

Linux requires the use of a swap system. It is necessary to create swap space that is configured on hard drive partitions. In case the computer lacks enough space, Linux can use the space on hard drives. Therefore, to approach the task, there is the need to create swap partitions. In simple terms, the swap partitions provide an overflow for the RAM. The Windows pagefile is usually the closest analogy of the partition. Secondly, swap can be useful in moving some items to the hard drive to save on space.

Question 22

A directory entails an object or node that is found in the Active Domain Services hierarchy. It is useful in finding access to regular entries. A cluster is either a group of connected computers or a group of sectors. The common size is usually 512 bytes. The figure of a cluster usually varies.
If a cluster has an allocation unit of 4096 bytes, then the allocation unit is multiplied by 5. The operating system is responsible for allocating files. Some data can still be found at the deletion file because the size of a disk is usually larger than the actual file.

Question 23

The Host Protected Area is a section of the hard drive that cannot be seen by the operating system. The HPA can be detected on a hard drive. One of the methods of its identification is with Linux. In the presence of an HPA, when the system boots, Linux can potentially print a message. There are several versions of Linux that can work in the same way. Preservation of the section can occur by creating images of the hidden sector. After the images are created, they are saved in a file ready for further analysis.

Question 24

A successful incident response plan is one that has timelines. Timelines show the time targets that should be achieved in the event of an occurrence. There is a well-defined guideline of how a response should occur. Respondents should have a plan that enables them to access a scene within the shortest time possible. As a result, they would be able to collect the required information effectively. There are consequences of failing to set up or meet timelines. A possible effect is that the evidence can be contaminated. The people at the scene can also interfere with the evidence.

Question 25

It is important to use the TCT when gathering information from a live system. First, there is the need to gather data using a variety of tools. Second, there is the extraction from the metadata section. The final goal is to retrieve the activity done by the use of a snapshot as well as the time when the activity took place. The next step is interpretation of the data obtained. Some of the data include source, action, artifact involved, and date. In order to complete the process, there are tools required. Two major classes of the tools are open source and commercial tools.
An example is SIFT Workstation.

Question 26

A security identifier is a tool used to identify a trustee. It is associated with a unique value that has variable length. A registry hive is a (logical) group of values, sub-keys and keys. Usually, a hive is in the registry. The system is linked with supporting files that have back-up data. The SAM registry is a useful tool in forensic analysis. It is used in evaluating information related to a user. NTUSER.DAT contains the user profile that contains personal files. It is created by the operating system.

Question 27

The UK anti-hacking statute law is the Computer Misuse Act 1990. According to the act, acquiring unauthorized access to a computer is a criminal offense. The punishment of the crime is a fine and punishment. Imprisonment can be up to 12 months. The law notes four main offenses related to computer misuse. The first offense is carrying out unofficial adjustment to any computer material. The second offense is carrying out unauthorized access with the intention of facilitating or committing a criminal activity. The third offense is supplying materials that can be used to carry out computer misuse. The fourth offense is gaining unauthorized access to the materials of a computer.

Question 28

The Regulation of Investigatory Power Act 2000 is a law that regulates the power of public bodies to carry out investigation and surveillance. The law was enacted to take account of technological dynamics such as encryption and the growth of the internet. The law provides an opportunity for mass surveillance of communication. It provides an opportunity, under conditions, for some public bodies to monitor the internet activities of people. The law gives authority to public bodies to access secret information of customers. It authorizes public bodies to demand the installation of surveillance devices.

Question 29

Various legal considerations exist when writing a prosecution or defense report.
First, there is urgency in taking ethical considerations. That implies behaving within the codes of conduct that are acceptable. It is advisable to follow the chronology of events as they happened. An individual needs to be well versed in the steps of a criminal case to avoid confusion. In addition, the evidence cited should rest on a truthful foundation. In defense, an individual needs to make good defense strategies.

Question 30

A write-blocking device is important in forensic analysis. A write-blocking device is a tool that acquires read-only rights to data. In addition, it does not interfere with the integrity of the data. Therefore, it allows a user to access information without interfering with the data integrity.

Question 43

The host-protected area is the hidden protected area on a hard drive that is not visible to the operating system. It is used to store information that cannot be changed or viewed by the user of the operating system. It contains diagnostic utilities, boot sector code and other items as per the manufacturers' specification. They aid in booting the device when it cannot be booted from its primary source.

Q 55

Small businesses and big enterprises use PKI (Public Key Infrastructure) in the authentication and encryption of sensitive information. PKI makes use of one private and one public cryptographic key to encrypt and decrypt data. The primary function of the public key is to encrypt data, and it can be given to other employees in the organization. Contrarily, the owner of an enterprise possesses the private key that he or she uses to decrypt data. The PKI environment consists of five components, namely the certificate store, certificate database, registration authority, certification authority, and the key archival server. Similarly, the Private Information Online (PIO) system employs several encryption services to encode the communication of sensitive information and data in companies.
Q 56

Compromised key attacks and application-layer attacks are some of the commonly used attacks on secured network systems. In application-layer attacks, attackers cause deliberate faults in an application and a server's operating system. These attacks enable them to get past a company's access control and read, modify or delete data. They can also introduce virus and sniffer programs that could corrupt or crash the company system. In compromised key attacks, hackers obtain a company's secret code. They use the compromised keys to gain access to secured information without the knowledge of company staff. Similarly, the keys enable the hackers to modify and decrypt data, guaranteeing them additional access to secured information. To minimize the attacks discussed above, companies can turn to mobile and cloud computing security systems. These systems provide significant tips crucial to staying ahead of hackers.

Q 57

The process begins with clients sending the server their cipher settings, SSL number, and any other crucial information. The server in turn sends the client its information as identified above. The data enables communication between the server and the client over SSL. The clients then use the information from the server for authentication. In addition, the client uses the obtained information to create a premaster secret. The handshake process is completed with the server sending a message to the clients to inform them of the encrypted messages. Both server and client encryption are crucial due to the session keys obtained during the process. The session keys allow for the validation of the integrity of the handshaking process.

Q 58

I support the senior management's position of sourcing appropriate software to minimize possible security risks by disgruntled employees for the following reasons. Primarily, dissatisfied employees could take advantage of weak internal processes and access sensitive company information.
They can use the accessed data to blackmail the company into giving in to their demands. They can even threaten to expose crucial information about the company to its competitors. Moreover, they may corrupt or modify company data, which could lead to potential loss. Therefore, in my opinion, company officials are justified in sourcing high-tech security systems that could minimize security threats by disgruntled employees.

Bibliography

Kessler, G. C., & Carlton, G. H. (2014). A Study of Forensic Imaging in the Absence of Write-Blockers. Journal of Digital Forensics, Security and Law, 9(3), 51-58.
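The hash comparisons in the five-step write-blocker validation (Question One) and the image verification described under Question Six reduce to the checks below. This is an added example, not part of the original coursework; the image file names and their contents are constructed stand-ins for the step-1, step-2 and step-3 images, and recording SHA-256 alongside MD5 is an addition drawn from the algorithms the essay lists.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large image is never held in RAM whole


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash one image file with every requested algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def validate_write_blocker(step1, step2, step3):
    """Apply the two comparisons of the validation procedure.

    step1: hashes of the image taken after preparing the media (write-enabled)
    step2: hashes after more data was copied and deleted (still write-enabled)
    step3: hashes after copy/delete/format attempts made through the blocker
    """
    findings = []
    # Step 2 must differ from step 1, otherwise the test writes never landed
    # and a matching step-3 hash would prove nothing about the blocker.
    media_changed = any(step1[alg] != step2[alg] for alg in step2)
    if not media_changed:
        findings.append("step-1 and step-2 hashes match: test is inconclusive")
    # Step 3 must equal step 2 under every algorithm recorded.
    blocker_held = all(step2[alg] == step3[alg] for alg in step2)
    if not blocker_held:
        findings.append("step-3 hash differs from step 2: a write reached the media")
    return {
        "media_changed_while_writable": media_changed,
        "blocker_held": blocker_held,
        "passed": media_changed and blocker_held,
        "findings": findings,
    }


def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def run_demo():
    """Build constructed images and return the verdicts for a good and a leaky blocker."""
    with tempfile.TemporaryDirectory() as work:
        base = b"\x00" * 4096 + b"constructed file system contents"
        after_writes = base + b"second batch of copied data"
        step1 = hash_image(_write(work, "step-1.dd", base))
        step2 = hash_image(_write(work, "step-2.dd", after_writes))
        step3_ok = hash_image(_write(work, "step-3.dd", after_writes))
        step3_leaky = hash_image(
            _write(work, "step-3-leaky.dd", after_writes + b"write got through")
        )
    return (
        validate_write_blocker(step1, step2, step3_ok),
        validate_write_blocker(step1, step2, step3_leaky),
    )


if __name__ == "__main__":
    for label, verdict in zip(("working blocker", "leaky blocker"), run_demo()):
        print(label, "->", verdict)
```

Record the hash values in the case notes at each step, since the comparison is only reproducible by another examiner if the step-2 value was written down before the blocker was attached.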