Task 1
WinHex is digital forensic software used around the world for editing files at the binary level using hexadecimal codes; the editing operations include cut, copy, paste, edit, delete and insert. It is also used to reverse logical and arithmetic operations performed on data, and we use this method to recover the data from the scrambled bits (Srinivasan, 2006).
Modify Data -> “left shift by 1 bit” option
Modify Data -> “32-bit byte swap”
Output and decrypted text:
Task 2
Abstract
The case concerns Bob Aspen, who is accused of theft of intellectual property from Exotic Mountain Tour Services (ETMS). The data was leaked to a third party outside the official ETMS circle via email and by copying the important data onto a USB disk. ETMS recently conducted an extensive survey together with Superior Bicycles, LLC. If the data is leaked, it would give a competitive advantage to ETMS’s competitor and cause a severe loss of business revenue, and ETMS would lose all the strategic advantage it gained from conducting the extensive survey. The leak came to light when Bob Aspen’s email was captured by the company’s web scrutiny department. The email made it clear that the accused was indeed deliberately trying to leak information that is the company’s intellectual property, and that he also altered his mail attachments in order to bypass the company’s firewall. The USB drive that was found is investigated in this report, and the findings are recorded so that correct and strong charges can be framed against the accused.
Introduction
There are many software tools available on the market for digital forensic investigations, but the ones used in this investigation are ProDiscover and WinHex.
These two tools are widely used by digital forensic experts around the world, and each has a special purpose. ProDiscover is mainly used for creating images and their clones, so that digital forensic methods can be used to find and retrieve data as if they were being applied to the real storage device or disk. WinHex is used around the world for editing files at the binary level using hexadecimal codes; the editing operations include cut, copy, paste, edit, delete and insert. It is also used to reverse logical and arithmetic operations performed on data. (McDonald, 2017)
ProDiscover is compatible with a wide range of image formats used by other forensic tools and experts around the globe. The images are read using ProDiscover, and with the help of various operations we can read sectors and clusters from the image in order to recover data that may have been overwritten or deleted from the disk. ProDiscover is also compatible with a number of hardware devices that enable write locks, which help the expert make a copy of the disk without manipulating the original storage device, so that it remains in the same condition in which it was found. The data recovered from the images generally has corrupt headers or missing or edited hex values.
To recover or edit the hex values of the data we need a hex editor; we are using WinHex in this investigation. The file headers are manipulated or edited using the tool, and the correct hexadecimal values are inserted or replaced. This tool is quite simple in approach and can easily be used to perform various operations on files; its report generation utility lets us generate a report of all operations in HTML and RTF format, both being standards used around the globe.
Analysis conducted
In the initial investigation done by ETMS, two emails were intercepted, on the basis of which the accused Bob Aspen, a contract employee with the company, is under investigation for stealing important data that is the intellectual property of ETMS. Apart from the emails, a USB drive was also found on Bob Aspen’s desk; analysis of the USB drive is the prime objective for finding evidence in this digital forensic report. With the organization having a strict policy against carrying any digital devices into the organization, the USB drive raised a serious level of alarm over Bob Aspen’s intentions, and the outcome might lead to severe business loss for ETMS (Kigwana, 2017). The email also shows that the data was altered before being sent out by email and copied to the USB drive, the header being altered in order to bypass the organization’s security policy. The emails were sent to [email protected] and to Bob Aspen at [email protected]. The emails arriving at [email protected] came from Jim Shu and carried a different time zone, as the dates and times were offset from each other; this means Jim Shu must be in a far western region, because the time zone in the email is provided by the server, not the user. The email conversation also asked Bob Aspen to alter the data in the jpg files and to change the jpg extension to txt. (Caviglione, 2017)
Search for and Recovering Digital photography Evidence
This is the section where we recover the images from the USB drive image provided by ETMS. The initial recovery of data is done by searching for “FIF” rather than JPEG or JFIF; this is done in order to skip older file clusters that may be found on the image or were stored earlier, because it is out of scope to check files stored before the date Bob Aspen joined the company (Mohlala, 2017). Such clusters can be termed false positives; these false positives might cause unwanted delay in finding the right evidence and may waste the time and effort of the forensic experts (Hraiz, 2017).
Procedure of recovering files from the ProDiscover is as follows:
1. Open ProDiscover in admin mode and create the project C10InChp.
2. Add the image provided by ETMS, named C10InChp.eve, to the current project; this is the image file of the USB drive confiscated from Bob Aspen’s desk.
3. Search for files and clusters on the disk using ASCII mode searching with the case sensitive option selected. The keyword used for the search is “FIF”, as discussed at the start of this section.
4. The clusters that match the search criteria are highlighted in blue.
5. Select the first occurrence of FIF and click to jump directly to the memory location.
6. Double-clicking on the location redirects to the page listing all the files at that particular location.
7. Right-click and select the option to find the file.
8. Press “Yes”.
Matching clusters of data will be shown in the pop-up message box.
9. Right-click on the file and save the file as “recover1.jpg”.
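The search and header check described above can be mirrored in a short script. This is an added example, not part of the original report and not ProDiscover or WinHex code: it searches a raw image for “FIF”, keeps only hits where a JFIF header would begin at a sector start, tells intact headers from altered ones, and restores the fixed header bytes on a copy. The 512-byte sector size, the function names and the sample bytes (including the altered header) are assumptions constructed for illustration.

```python
import re

SECTOR = 512                          # assumed sector size of the image
SOI_APP0 = bytes.fromhex("FFD8FFE0")  # JPEG SOI marker followed by APP0 marker
JFIF_ID = b"JFIF\x00"                 # identifier at header offset 6

def scan_fif(image: bytes):
    """Case-sensitive ASCII search for 'FIF'; classify every hit."""
    results = []
    for m in re.finditer(b"FIF", image):
        start = m.start() - 7         # 'FIF' sits 7 bytes into a JFIF header
        if start < 0 or start % SECTOR:
            results.append((m.start(), "stray"))  # not at a sector start
            continue
        head = image[start:start + 11]
        intact = head[:4] == SOI_APP0 and head[6:11] == JFIF_ID
        results.append((m.start(), "intact" if intact else "altered"))
    return results

def repair_header(image: bytes, hit: int) -> bytes:
    """Return a copy with the fixed JFIF header bytes restored around a hit.
    The two APP0 length bytes (header offsets 4-5) are left untouched."""
    start = hit - 7
    fixed = bytearray(image)
    fixed[start:start + 4] = SOI_APP0
    fixed[start + 6:start + 11] = JFIF_ID
    return bytes(fixed)

def build_sample() -> bytes:
    """Constructed 3-sector image: stray text, altered header, intact header."""
    s0 = (b"\x00" * 100 + b"FIFO queue").ljust(SECTOR, b"\x00")
    s1 = b"zzzz\x00\x10zFIF\x00".ljust(SECTOR, b"\xaa")
    s2 = (SOI_APP0 + b"\x00\x10" + JFIF_ID).ljust(SECTOR, b"\xbb")
    return s0 + s1 + s2

if __name__ == "__main__":
    img = build_sample()
    for off, kind in scan_fif(img):
        print(f"offset {off:#06x} (sector {off // SECTOR}): {kind}")
    altered = [off for off, kind in scan_fif(img) if kind == "altered"]
    fixed = repair_header(img, altered[0])
    print(scan_fif(fixed))
```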
Conclusion:
The case concerns Bob Aspen, who is accused of theft of intellectual property from Exotic Mountain Tour Services (ETMS). The data was leaked to a third party outside the official ETMS circle via email and by copying the important data onto a USB disk. The leak did indeed occur, and the accused, Bob Aspen, has leaked the critical information to some third party or competitor.
ProDiscover was used to find the images in the disk image provided by ETMS; the forensic tool helped in recovering files and the different clusters needed to reconstruct the original files. To recover or edit the hex values of the data we need a hex editor; we are using WinHex in this investigation. The file headers are manipulated or edited using the tool, and the correct hexadecimal values are inserted or replaced.
The Bob Aspen leak was found through the capture of two emails sent to an unknown location that did not seem right under scrutiny. The data leak was carried out using email and possibly also using the USB drive, from which all the data was recovered.
References:
Caviglione, L., Wendzel, S., & Mazurczyk, W. (2017). The Future of Digital Forensics: Challenges and the Road Ahead. IEEE Security & Privacy, 15(6), 12-17. doi: 10.1109/msp.2017.4251117
Hraiz, S. (2017). Challenges of digital forensic investigation in cloud computing. 2017 8th International Conference On Information Technology (ICIT). doi: 10.1109/icitech.2017.8080060
Kigwana, I., Kebande, V., & Venter, H. (2017). A proposed digital forensic investigation framework for an eGovernment structure for Uganda. 2017 IST-Africa Week Conference (IST-Africa). doi: 10.23919/istafrica.2017.8102348
Kishore, N., Saxena, S., & Raina, P. (2017). Big data as a challenge and opportunity in digital forensic investigation. 2017 2nd International Conference On Telecommunication And Networks (TEL-NET). doi: 10.1109/tel-net.2017.8343573
McDonald, J., Manikyam, R., Glisson, W., Andel, T., & Gu, Y. (2017). Enhanced Operating System Protection to Support Digital Forensic Investigations. 2017 IEEE Trustcom/Bigdatase/ICESS. doi: 10.1109/trustcom/bigdatase/icess.2017.296
Mohlala, M., Ikuesan, A., & Venter, H. (2017). User attribution based on keystroke dynamics in digital forensic readiness process. 2017 IEEE Conference On Application, Information And Network Security (AINS). doi: 10.1109/ains.2017.8270436
Srinivasan, S. (2006). Security and Privacy in the Computer Forensics Context. 2006 International Conference On Communication Technology. doi: 10.1109/icct.2006.341936