Managing Risks for IT Managers, Auditors, and Investigators - Case Study Example

Artifacts Name: Course: Course: Date: Forensic artifacts form an important role in computer systems. The many artifacts realized in windows systems play an important role in serving specific task that are assigned to. One of the most complicated artifact that scientist have to decipher in the widows registry is the shell bag keys. Though complicated in nature, they offer excellent knowledge of understanding the existence of files and folders along with user files. Shell bag keys are used in the storage of user preference for graphical user interface display within the windows explorer. As users use the systems the system identify the most visited areas of the system or of the online modules. Such development of preference allow the system identify the most preferred sites visited by the users. Now realization of the most visited sites by the clients can only be maintained by shell bag indexing in t6he windows systems. The windows shell bag allows the tracking of anything related to the folders such as icons details and lists. Such elements including sort order are tracked by the said artifacts (Altheide & Carvey, 2011). An example of how shell bag in action can be realized is in a situation where a change to the folder can be affected in a system and the same the new preference is realized to be intact on visiting the new folder afresh. Maintenance of user preference is important as it allows the location of a particular resource in question with ease. Shell bags allow the identification of users that visited s particular account at any particular time. In short, the simple existence of a shell bag sub key for a give directory indicates that a specific user account user accessed the referred folder at least once (Peterson & Shenoi, 2009). Sub keys allow the identification of the modifications made to the folders or directories for that matter in any system. In order for one to identify when the folder was last updated or when the same was last modified together with windows timestamps, shell bags allows the realization of this possibility. This ability can allow the correlation and the impediment of folders in MAC since the same information is also stored by keys. Shell bags therefore play a very important role in the forensics of the windows 7. One of the key possibilities of the artifact is the fact that the availability of the historical files and listings can be made possible. In windows 7, the shell bags underwent a large transformation that brings about the great difference between the same in windows XP and windows 7. The registry keys and the system shell bags have been transformed in a way that is of great benefit to windows 7 system users especially with regard to the way system security (Peterson & Shenoi, 2009). Some of the missing shell in windows XP is the ShellNoRoam and the StreamMRU categories of shell bags that were initially used to denote the network, local and removable device folders respectively. Manual deciphering of files has been made hard to do a task. This is because the keys themselves are stored as a slightly different binary format. The only way therefore to decipher the files is by use of Tzworks Shell bags Parser, it being the only windows s7 true Shell bags parser. The same allows one to carry out a remarkable job when it comes to parsing Shell bags structures (Lange & Nimsger, 2009). Advantages The advantages of the Shell bags artifact in the system module are numerous in number. One of the key advantages that the Shell bags allow users to do is to have a preference listing for GUI display within windows explorer. In such case where the preferences are displayed then the information seeking and retrieval becomes a simple task that is easy to realize. Shell bags artifacts also allow the tracking of the changes made to any particular folder. If a simple change is made in the folder or update is made then the shell bags allow the tracking of the same and as instant as the change is committed, such changes will be reflected in the preference list. Another notable advantage is the realization of historical files in some cases. In these cases, files that might not be available at the current instant of access can be made available by the ability of shell bag artifacts (Chisum & Turvey, 2006). Disadvantages A disadvantage however to the same artifact discussed, especially when it comes to the later version of windows, come from the sophistication that has been introduced in it. Deciphering of files manually becomes hard because the keys are stored in complicated binary formats. Manual deciphering in this case therefore becomes hard. In fact it becomes so hard to circumvent by reverse engineering. Anybody with limited knowledge on the same will therefore experience a lot of problems. Windows 7 artifacts Nmap and Zenmap artifacts The first artifact to be considered is the Nmap/Zenmap. The artifact actually comes in various versions however the versions of concern in this discussion are the 4.6 and 5.1 respectively. These artifacts actually are those that remain in the system after a scan which in many cases can be done by use of Nmap or Zenmap. The main aims of these artifacts are not actually to demonstrate that a particular applicator was run or that it was run by a particular individual. Rather the aim is to show that a particular application was run in a specific manner. Another point of importance is also to realize that with this artifact, the knowledge of when certain application was run can also be brought to system or user knowledge. Therefore determination of a particular time frame is possible (Altheide & Carvey, 2011). An example of how this system works is provided in a way that in case such a file of path c:\program files\nmap\zenmap\ was created a particular point when a scan was saved, the user selected name is similar to the saved scan, always containing the extension USR. If the name is ‘first’ for example, then the subsequent file would be ‘first.usr’. It is therefore easy to; locate a scan in a system therefore by use of such artifacts since the name would be similar. These artifacts therefore allow the mirroring of scans that are done on the system. Some of the notable primary files of interest are the recent_scan.txt, target_list.txt, and zenmap.db. All scans performed are mirrored in the USR files and hence incase one of the files is not available the USR files can always be used to get some insight in the scan. Some of the file locations include: File Locations c:\program files\nmap\zenmap\*.usr (where * is the user-provided filename) %User%\.zenmap\recent_scans.txt %User%\.zenmap\target_list.txt %User%\.zenmap\zenmap.db (SQLite db) %User%\%Local%\Temp\tmpf5nhgm Jump List / AppIDs Jump list artifact is an application in windows seven that is developed to be used in the task manager mostly. The main aim is to allow easy access to the recently viewed or opened files. This in nature saves the time taken in consideration of elements of order like use of alphabetical order and application of other algorithms in the search or determination of a recently opened file. The same artifact also plays an important role in allowing quick and efficient access to common tasks within each application of interest. With the jump list artifact, two files are opened when application performs certain actions such as opening a file. These files are automatic destinations-ms files which is located in %appdata%\Microsoft\Windows\Recent\automaticDestinations and custom destination-ms files in %appdata%\Microsoft\Windows\Recent\customDestinations (Peterson & Shenoi, 2009). The above mentioned files are actually hidden files in the windows environment, therefore for them to be exposed, or for one to reach the destination, there is need to type the full path of the destination. This will include provision of the first section of path determination as used in the normal files location in a windows environment (Chisum & Turvey, 2006). AppIDs are used together with jump list as they allow for the identification of a particular file in case of situations where the location of the file is of great importance. Knowing the application ID therefore makes it easy in determination of the location and in fact in accessing the same (Altheide & Carvey, 2011). Example of internet explorer application ID could include some such as: 16ec093b8f51508f Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074 8a1c1c7c389a5320 Safari 3.2.3 (525.29) Or incase of utilities then an ID like the one below could be applicable: 4b6925efc53a3c08 BCWipe 5.02.2 Task Manager 3.02.3 337ed59af273c758 Sticky Notes Dropbox config files/ registry keys artifacts Dropbox is an artifact that runs in various platforms including windows, Mac, or even Linux. The purpose of the artifact is for use in file synchronization, within the system or even between systems. It also allows for the realization of file sharing as well as backup provision for different files. This kind of artifact is designed in a manner that once installed in the system; it will automatically run when the operating system starts. A systray item is added to the system. It is such a system that enables accessing of the files by users (Wiles, Long, & Rogers, 2007). Any local cached documents or offline copies of documents that are saved in the local machine are automatically saved in the ‘My Dropbox’ folder that is created by default in the ‘My documents folder’ in the system. Though this is the default location, the same can however be changed by setting the preference as preferred by the user. This particular artifact allows file sharing. In a situation where systems are connected via a LAN network then the artifact application known as ‘LAN synch’ can be applied. It is this type of application that will allow the systems in the network to communicate with each other. This type of application s actually important as it allows the systems to synch files. This ensures that the network bandwidth consumption is minimized. Synch only transfers files that is being exchange and not entire file. Registry files are used hand in hand with Dropbox in the indexing of the files. More than 170 registry files can be created during installation and through Sysinternals ProcMon more than 58 values can be created. These keys and values will always defer depending on the type of installation and uninstallation done (Wiles, Long, & Rogers, 2007). User info artifacts This type of artifacts rest in the windows registry. In it contains information pertaining to when the file was created, modified plus the user names associated with it. In Microsoft office documents for example, metadata pertaining to particular document is pulled from the use info registry key of the user accounts. Such values that actually form an important aspect in the UserInfo registry are the Username and the company name values. There is a variation in the population of the Username and Company registry values. This arises from the reason that the same information can be entered during installation of Microsoft office whereas in other scenarios the same is not entered upon installation. For the UserInfo registry to be populated therefore in cases where the names vales were not provided upon installation, the first instance a user launches the program, he/she will be prompted to insert a Username and initials. It is this information that can be used to in the determination of the registry key (Peterson & Shenoi, 2009). Net work list artifact Network list program version that is applicable in windows 7 as well as windows vista is the RegRapper w/network.pl plugin v.200090812. This type of artifact contain keys that appears to contain profiles regarding managed and unmanaged networks. Such networks will range from wireless networks to physically connected networks. Information managed by this kind of artifact will also include SSID, date of profile creation, connection establishment last date, WAP MAC address among other types of information (Chisum & Turvey, 2006). Evernote note storage Information can be shared in many forms. The same can also be stored in different formats and forms in a computer system or a database. Evernote therefore is a tool that is used to capture the same different forms of different formats, store the same data and finally share the data across different platforms. Evernote allows the realization of these with no regard whether it is in a form of multimedia mixed in forms of text, images, pdfs or any other documents. It allows the realization of easy search when it comes to those documents. This artifact uses SQLlite database format to store these information. The mode of operation is that as old entries are done away with new record overwrites them (Altheide & Carvey, 2011). For the last ten years, the development of virtual learning environments has increased making the access of education possible in many places and in various forms of interaction and learning. There are various platforms that are used in virtual learning environments. The criteria that should be used to assess the virtual learning environments vary and is debatable. The criteria that is used should best fit the environment of education. With the current environment of technological advancement, there is the need to integrate education to a knowledge society. One way in which this is achieved is by use of information technology to develop strategies that are used for learning. This is possible with the use of VLE (Virtual Learning Environment). The sections that follow will analyze the virtual learning environment of Moodle and Blackboard. Moodle Description This is software that is used for producing courses that are internet based and web sites. This environment is a project which is still going on. The product is provided as open source software. It runs on many database environments and on a computer which is able of running on PHP. The word Moodle originally used to mean Modular Object-Oriented Dynamic Learning Environment; it is mainly used by programmers and theorists in education. The features that are associated with Moodle include the fact that they can be customized so that they fit any given course. There is also the availability of forum that is used for discussion. Also in this environment, the planners are in a position to set announcements and important notices in advance. When a user first logs into a system, they will be reminded that there is an important assignment waiting for them. This is a sure way of reminding users of important meetings and assignments. It is also possible for lecturers and tutors to give the students the assignments that they feel they should be given and give them the deadline dates the way they would like to achieve. T has basic security features and also allows users to upload their own learning materials at will and without any complications. Advantages There are advantages that come with this environment. One of the advantages is the fact that it is extremely possible to develop a new course with the use of this system. After the creation of this course, it is possible to transfer current PPT material and then they can be organized so that they give a smooth information flow in the system. There is also a reduced development time with Moodle because it is not a requirement that one should understand HTML. Moodle has a very intuitive and simple to use user interface. The editor is What You See Is QWhat You Get. This is the reason as to why consultants will not be required to learn any Internet programming languages as they find the use of this system as straight forward. Blackboard What is Blackboard? Blackboard is an online server-based Virtual Learning Environment that incorporates Internet technology to offer teaching and learning via the web platform, with the purpose of making it possible for tutors to develop their own courses or modules. It offers secure access to learning resources in different places at any given point while allowing the tutor control over the availability of learning resources for a course. The main features of blackboard. Each course is given its own server space within Blackboard and restricts course material access to only enrolled students. Tutors can exchange information with their students via discussion boards, one-on-one chat and email facilities, or even post learning and teaching materials. Important messages or announcements can be incorporated on the home page of each Blackboard course, creating a notice board for students, which can be updated easily. The Discussion Board which is basically a form of asynchronous communication channel permits a group of users to take part in discussions while being located in various geographical areas at different times. Someone posts a question that is then visible to others to read and give their own opinions. Replies are indented in order giving a hierarchical order. One-on-one chat enables instructors and students to have synchronous communication online. Its major function lies in prolonged office hours or, for courses, in attending 'live' classroom discussions and one on one question/answer sessions. Online exams, tests and surveys can be securely done. One can enter questions into a pool and then lift them out personally to be applied in new assessments. Advantages Blackboard promotes peer communications, tutor-student interactivity, multiple learning styles, reliable and fixed information source, important learning tools and less administrative work for schools. Students have access rights to discussion boards, student mails and chats within the blackboard, “Many bulletin boards allow students to post drafts of their work, which can be edited online by their peers” (Guernsey, 2003). Students can borrow from other viewpoints while broadening their own original ideas. Students are more encouraged to take part in these discussion boards because of the anonymity factor offered by Blackboard. “Students are more willing to participate [due to] a measure of anonymity, which serves as motivators…people feel more empowered. They are daring and confrontational regarding the expression of ideas” (Kubala, 1998). Blackboard enables professors and tutors to give answers to student questions via online forums and discussions which do away with the issue of inadequate office hours. Professors and instructors also have the alternative of making announcement posts which everyone enrolled in Blackboard has access to. Disadvantages Whatever students do to have their assignments done does count. “Wave after wave of technology reform in education has left many unfilled promises” (Kent, 1999). Blackboard development can be sometimes unfriendly. First is that personal course pages cannot be bookmarked.  If a student comes across an important page within Blackboard, and saves it to his/her “favorites” toolbar, attempts to return to that location would be impossible. Secondly, assignments cannot be looked for within blackboard post sheets joined to the blackboard can be replicated within no time. Students must browse several individual pages to get to own assignments. Blackboard does not also provide electronic mail within courses. Information exchange between students and tutors can be arrived at via message boards. Students can only obtain important information they need by subscribing on to the blackboards parent page. Finally, is the fact that blackboard is rendered unusable as a result of maintenance. It alerts that it will be out of reach between some hours of specific days. References Altheide, C., & Carvey, H. (2011). Digital forensics with open source tools. New York: Elsevier. Banks, J. (2001) From boring to ‘Blackboarding’: building participation through VLE Group Work. CEBE Case Study. Cardiff: CEBE, Cardiff University. Chisum, J. W., & Turvey, B. (2006). Crime reconstruction. New York: Academic Press. Lange, M., & Nimsger, K. (2009). Electronic evidence and discovery: What every lawyer should know now. New York: American Bar Association. Peterson, G., & Shenoi, S. (2009). Advances in digital forensics. New York: Springer. Schroader, A., & Cohen, T. (2007). Alternate data storage forensics. New York: Elsevier. Wiles, J., Long, J., & Rogers, R. (2007). Techno security's guide to managing risks for IT managers, auditors, and investigators. New York: Syngress. Read More