Digital forensics is concerned with examining and recovering data from seized evidence during a digital criminal investigation. In digital forensics it is important to select a suitable tool to extract and analyse the digital information from the collected evidence.
For this part we have selected WinHex and OSForensics, two frequently used digital forensic tools.
Install and Deploy: Following is the screenshot of the applications installed on a Windows 10 based system.
Using the WinHex tool we can change the hex values in a disk image and thereby edit the data stored in it. Because such an edit alters the evidence, it must only ever be made on a working copy of the image, after the hash of the original has been recorded, so that the original can still be verified. This is depicted in the following image;
WinHex is a digital forensic tool used as a hex and disk editor for data recovery in digital crime investigations. It runs only on Windows. It can recover data from floppy disks, hard disks, ZIP disks, CD-ROM and DVD, flash drives and so on.
Supported file systems: the tool works with FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®, CDFS, UDF and ReiserFS. It can also edit data structures using templates, which makes it possible to repair a boot sector or partition table. Files can be concatenated and split, and a file can be divided into its odd and even bytes and recombined. Furthermore, it supports disk cloning with X-Ways Replica, 256-bit digests, AES encryption and secure wiping of confidential files from the disk. The application also provides automated editing: routine file-editing tasks can be scripted to speed them up.
Vendor support: the vendor (X-Ways) provides a certification program and a user forum to help users resolve their issues.
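As an added example, not part of the original report and not WinHex's own code, the following Python script parses the data structure that WinHex's boot-sector template edits: the MBR partition table in sector 0 of a disk. It builds a constructed 512-byte sector containing one NTFS partition (the LBA start, size and type are assumed values for the demo), checks the 0x55AA boot signature, decodes the four 16-byte partition entries, and shows how a byte-level patch such as restoring a corrupted signature is applied to a copy of the sector while the original bytes stay untouched.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the 446 bytes of boot code
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count; all little-endian
ENTRY_FORMAT = "<B3xB3xII"

# A few common partition type IDs (not exhaustive).
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
}


@dataclass
class PartitionEntry:
    slot: int          # 0..3 within the table
    bootable: bool     # status byte 0x80
    type_id: int
    lba_start: int     # first sector of the partition
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02x})")

    @property
    def byte_offset(self) -> int:
        """Byte offset of the partition's first sector in the image (where a hex editor would jump to)."""
        return self.lba_start * SECTOR_SIZE


def has_valid_signature(sector: bytes) -> bool:
    return len(sector) >= SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> list[PartitionEntry]:
    """Decode the partition table of an MBR sector; empty slots are skipped."""
    if not has_valid_signature(sector):
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * slot
        status, type_id, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if type_id == 0 and count == 0:
            continue
        entries.append(PartitionEntry(slot, status == 0x80, type_id, lba_start, count))
    return entries


def patch_bytes(sector: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Return a patched copy of the sector; the input (the evidence) is never modified."""
    if offset < 0 or offset + len(new_bytes) > len(sector):
        raise ValueError("patch outside sector bounds")
    copy = bytearray(sector)
    copy[offset:offset + len(new_bytes)] = new_bytes
    return bytes(copy)


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition starting at LBA 63 (assumed values, not from any image)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 63, 20_964_762)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    original = build_sample_mbr()
    for entry in parse_mbr(original):
        print(f"slot {entry.slot}: {entry.type_name}, bootable={entry.bootable}, "
              f"LBA {entry.lba_start} (byte offset {entry.byte_offset}), {entry.sector_count} sectors")
    # Simulate a damaged signature and repair it on a copy, as a template-based edit would.
    damaged = patch_bytes(original, 510, b"\x00\x00")
    print("damaged signature valid :", has_valid_signature(damaged))
    repaired = patch_bytes(damaged, 510, BOOT_SIGNATURE)
    print("repaired signature valid:", has_valid_signature(repaired))
    print("original untouched      :", original == build_sample_mbr())
```

The byte offset reported for each partition is the number to enter in a hex editor's "go to offset" dialog to land on that partition's boot sector; the partition table itself always sits at offset 446 of the first sector.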
OSForensics
OSForensics is also a Windows-based digital forensic tool that extracts evidence from digital systems such as laptops and desktop computers. In addition, it indexes and searches files.
Its scans help identify suspicious activity through hash matching of files, comparison of drive signatures, and searches of binary data and e-mail. The tool also manages the digital investigation as a case and generates a report from the collected evidence.
Supported image formats: Advanced Forensics Format Images (AFF), AFM (AFF images with metadata), Split Raw Image (.00n), EnCase EWF (.E01), VMware Image (.VMDK), EnCase 7 EWF (.EX01), SMART EWF (.S01), EnCase Logical EWF (.L01), VHD Image (.VHD), AFD (Advanced Forensics Format Directories).
Vendor support: the vendor, PassMark Software, provides video tutorials, an FAQ, document-based tutorials and a user forum where users can get help from other experienced users.
Following is the screenshot of searching a USB device for recently deleted files. The screenshot depicts the result of the “Deleted File Search” feature.
For the disk image the MD5 hash value is: 052a6bc388f30572fa27e58d52f03d09
The SHA-1 hash value is: 4553c87b818518f9dfe13add1dbc334edd7b31b9
Both values are recorded so that the image can be re-hashed at any later stage of the investigation and any alteration detected.
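The following Python script is an added example (not part of the original report) of the hashing step the two values above come from: it computes MD5 and SHA-1 of an image in one pass, reading in fixed-size chunks so that a multi-gigabyte image is never loaded into memory, and compares the result with the recorded digests. The recorded digests are taken from the report; the file hashed in the demo is a constructed temporary file, not the evidence image, so the comparison against the recorded values is expected to fail there.

```python
import hashlib
import io
import os
import tempfile
from typing import BinaryIO

CHUNK_SIZE = 4 * 1024 * 1024  # read the image in 4 MiB pieces

# Digests recorded for the disk image in the report above.
RECORDED_HASHES = {
    "md5": "052a6bc388f30572fa27e58d52f03d09",
    "sha1": "4553c87b818518f9dfe13add1dbc334edd7b31b9",
}


def hash_stream(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> dict[str, str]:
    """Compute MD5 and SHA-1 in a single pass over the stream."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data: bytes) -> dict[str, str]:
    """Convenience wrapper for in-memory data (used for small samples and tests)."""
    return hash_stream(io.BytesIO(data))


def hash_image(path: str) -> dict[str, str]:
    with open(path, "rb") as image:
        return hash_stream(image)


def verify_hashes(actual: dict[str, str], expected: dict[str, str]) -> dict[str, bool]:
    """Compare computed digests with the recorded ones, algorithm by algorithm (case-insensitive)."""
    return {alg: actual.get(alg, "").lower() == digest.lower() for alg, digest in expected.items()}


def verify_image(path: str, expected: dict[str, str] = RECORDED_HASHES) -> dict[str, bool]:
    return verify_hashes(hash_image(path), expected)


if __name__ == "__main__":
    # Constructed demo: a small temporary file stands in for the disk image.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample image contents\n" * 1000)
        sample_path = tmp.name
    try:
        digests = hash_image(sample_path)
        print("computed:", digests)
        # Not the evidence image, so both checks are expected to be False here.
        print("matches recorded image hashes:", verify_hashes(digests, RECORDED_HASHES))
        print("matches itself:", verify_hashes(digests, digests))
    finally:
        os.remove(sample_path)
```

Recording two independent digests is standard practice because MD5 collisions are practical; an image that matches both recorded values is far harder to substitute than one matched on MD5 alone.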
For the given image it was found that the installed OS was Windows XP, version 5.1, build 2600, with product ID 55274-640-0147306-23486. These values (ProductName, CurrentVersion, CurrentBuildNumber, ProductId, InstallDate and RegisteredOwner) are stored in the SOFTWARE hive under Microsoft\Windows NT\CurrentVersion.
The installation date of the OS is Friday, August 20, 2004.
The registered owner of the computer is Greg Schardt, and the last recorded shutdown date and time is 08/27/2004 at 9:16:28 PM. Following is the evidence obtained with the ProDiscover tool. For this question we used the shutdown-related event IDs of the Windows XP System event log (for example event ID 6006, “The Event Log service was stopped”, which marks a clean shutdown).
From the given evidence file, we found that the account that mostly used the computer is Mr. Evil.
The time zone setting found in the investigation is Central Standard Time, the Windows setting for Central Time (US & Canada); it is stored in the SYSTEM hive under ControlSet001\Control\TimeZoneInformation. Screenshot is provided below;
The computer name is N-1A9ODN6ZXK4LQ; supporting screenshot is provided below;
In the given disk image, the user accounts other than Administrator, Guest, the system profile, Local Service and Network Service are Mr. Evil, HelpAssistant and SUPPORT_388945a0. The last two are built-in Windows XP accounts (Remote Assistance and Help and Support), normally disabled, rather than accounts created by the suspect. Following is the evidence from the user account analysis.
After installing the operating system the suspect installed the following software:
123 Write All Stored Passwords;
Anonymizer Bar 2.0;
Cain & Abel v2.5 beta;
CuteFTP;
CuteHTML;
Ethereal 0.10.6;
FaberToys published by FaberBox;
Forte Agent;
mIRC;
Network Stumbler;
WinPcap 3.01alpha;
Following is the screenshot of the analysed disk image;
The last logged-on user on the system was Mr. Evil;
From the registry we also obtained the time of the last shutdown: the ShutdownTime value in the SYSTEM hive (ControlSet001\Control\Windows) is an 8-byte Windows FILETIME stored little-endian, which was decoded using the DCode digital forensic tool. The hex value and the decoded time of the last shutdown are:
Hex value: C4928E51868BC401
Time and date of last shutdown: Thu, 26 August 2004 16:04:08 UTC
This is a UTC value; in the machine's Central time zone, where daylight saving time is in effect in August, it corresponds to 11:04:08 AM on the same day.
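The decoding that DCode performs above can be reproduced in a few lines, which is useful for checking a tool's output and for the other timestamp formats met in this image. The Python script below is an added example, not code from the report or from any of the tools it uses: it reverses the little-endian bytes of the ShutdownTime value quoted above into a FILETIME, converts it to UTC and to the machine's Central time zone, and also decodes a Unix-epoch REG_DWORD such as the InstallDate value that gives the 20 August 2004 installation date. The ShutdownTime hex value is taken from the report; the InstallDate value used in the demo is a constructed number, not one read from the image, because the report does not quote the raw value.

```python
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000   # 1970-01-01 expressed in 100-ns ticks since 1601
TICKS_PER_SECOND = 10_000_000

# Value taken from the report above: REG_BINARY ShutdownTime, as displayed byte by byte.
SHUTDOWN_TIME_HEX = "C4928E51868BC401"


def registry_hex_to_filetime(hex_bytes: str) -> int:
    """REG_BINARY FILETIME values are stored little-endian, so the displayed bytes must be reversed."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_utc(filetime: int) -> datetime:
    """Convert 100-ns ticks since 1601-01-01 to an aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime: int) -> int:
    """Same instant as seconds since 1970-01-01 (fractional part dropped)."""
    return (filetime - UNIX_EPOCH_AS_FILETIME) // TICKS_PER_SECOND


def filetime_hex_to_utc(hex_bytes: str) -> datetime:
    return filetime_to_utc(registry_hex_to_filetime(hex_bytes))


def unix_to_utc(seconds: int) -> datetime:
    """InstallDate under Windows NT\\CurrentVersion is a REG_DWORD holding seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def to_central(dt_utc: datetime, daylight_saving: bool) -> datetime:
    """Render in the machine's Central time zone: UTC-5 when DST is in effect, UTC-6 otherwise."""
    return dt_utc.astimezone(timezone(timedelta(hours=-5 if daylight_saving else -6)))


if __name__ == "__main__":
    ft = registry_hex_to_filetime(SHUTDOWN_TIME_HEX)
    shutdown_utc = filetime_to_utc(ft)
    print(f"ShutdownTime raw  : 0x{ft:016X}")
    print(f"ShutdownTime UTC  : {shutdown_utc:%a, %d %B %Y %H:%M:%S} UTC")
    # Late August is within US daylight-saving time, so the machine's local clock read UTC-5.
    print(f"ShutdownTime local: {to_central(shutdown_utc, daylight_saving=True):%Y-%m-%d %H:%M:%S} CDT")
    # Constructed InstallDate value for the demo (not the one stored on the image).
    print(f"InstallDate demo  : {unix_to_utc(1_093_478_400):%Y-%m-%d %H:%M:%S} UTC")
```

The byte reversal is the step most often got wrong by hand: reading C4928E51868BC401 as a big-endian number gives a date far in the future, while the little-endian interpretation 0x01C48B86518E92C4 yields the August 2004 shutdown time quoted above.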
The IPAddress value of the network interface (SYSTEM hive, ControlSet001\Services\Tcpip\Parameters\Interfaces\{interface GUID}) is 0.0.0.0, which is what Windows stores when the interface has no statically configured address; the DHCP-assigned address is recorded separately. The value of EnableDeadGWDetect (under Tcpip\Parameters) is set to 1 (true). Setting this parameter to 1 means that TCP uses the Dead Gateway Detection feature: if a segment has been retransmitted several times without a response from the receiver, TCP switches the default gateway to a backup gateway.
The browsers used by the suspect were Internet Explorer and MSN Explorer.
The registry key that stores the URLs typed into the Internet Explorer address bar is:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (when examining an offline image it is found in the user's NTUSER.DAT hive).
The URL typed by the suspect is:
www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
The related screenshot is provided below;
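The TypedURLs key stores one value per URL, named url1, url2, ..., with url1 the most recently typed, and a common mistake when listing them is to sort the value names as strings, which places url10 before url2. The following Python script is an added example, not part of the report: it parses a .reg export of the key (the text format produced by the Registry Editor, which escapes backslashes and double quotes with a backslash), ignores other keys in the export and returns the entries in numeric order. The export below is constructed for the demo: url1 is the URL recovered in the report, while the other entries are placeholder URLs that were not recovered from the image.

```python
import re
from typing import Optional

# Constructed .reg export mimicking the Registry Editor format (only url1 comes from the report).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"url2"="http://example.com/path?q=\"quoted\""
"url10"="http://example.org/tenth"
"url3"="file:///C:\\Documents and Settings\\"
'''

TYPED_URLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
_VALUE_RE = re.compile(r'^"url(\d+)"="(.*)"$')


def _unescape_reg_string(s: str) -> str:
    """.reg files escape a backslash as \\\\ and a double quote as \\"; undo that."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_typed_urls(reg_text: str, key: str = TYPED_URLS_KEY) -> list[tuple[int, str]]:
    """Return (index, url) pairs from the given key, ordered most recent first (url1, url2, ...)."""
    entries = []
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header; only collect values while inside the TypedURLs key.
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        match = _VALUE_RE.match(line)
        if match:
            entries.append((int(match.group(1)), _unescape_reg_string(match.group(2))))
    # Sort numerically: a plain string sort would put url10 before url2.
    return sorted(entries)


def most_recent_typed_url(reg_text: str) -> Optional[str]:
    entries = parse_typed_urls(reg_text)
    return entries[0][1] if entries else None


if __name__ == "__main__":
    for index, url in parse_typed_urls(SAMPLE_REG_EXPORT):
        print(f"url{index}: {url}")
    print("most recent:", most_recent_typed_url(SAMPLE_REG_EXPORT))
```

Because the key lives in the user's hive, the export must be taken from the NTUSER.DAT of the account under investigation (here Mr. Evil); the live registry of the examiner's workstation would show the examiner's own typed URLs instead.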
The last DHCP-assigned IP address of the system is 192.168.1.111; the screenshot is provided below.
Outlook was used as the e-mail client, as discovered in the investigation of the given disk image.
From the previously listed installed software, the following tools can be used for hacking purposes:
123 Write All Stored Passwords (reveals the passwords of the logged-on user stored in Microsoft PWL files);
Anonymizer Bar 2.0 (helps the hacker make their activity on the Internet untraceable);
Cain & Abel v2.5 beta (password recovery and cracking tool);
Ethereal 0.10.6 (network protocol analyser, i.e. a packet sniffer);
Network Stumbler (wireless network scanner, useful for detecting unauthorized or “rogue” access points);
WinPcap 3.01alpha (packet capture driver required by Ethereal and similar sniffers on Windows);
IRC (Internet Relay Chat) is a service based on the client-server architecture and designed to run across many machines as a distributed system. In a typical setup a single server process (or a network of linked servers) forms the central communication point to which multiple clients connect and through which they communicate with each other; mIRC is a Windows IRC client used to connect to such a server.
In the analysis of the Recycle Bin it was found that there are two files with the extension .MAP. Usually these are debugging (linker) map files: plain-text files that list the relative offsets of the functions in a particular build of a compiled binary.