In this task the investigator was assigned a case of recovering files that were deleted from a USB drive. Three files were created on the USB (a word document, an excel document, and a portrait image of the investigator). These files were then deleted. This report will explain the process of forensic data acquisition.
The investigator will use EnCase imager to obtain the forensic image from the USB drive for the purpose of analysis and recovery.
In order to acquire the forensic image from the USB drive, the following steps were followed. After downloading the EnCase imager program, run it. On loading the program the main window will be displayed as shown in figure 3. From the menu on the left click on ‘add local device’.
When you click on add local device a new window will pop up as shown in figure 4 below. Select all the options except the ‘only show write-blocked’ option; leave it unchecked and click next.
Upon clicking next, the program will read all the associated drives including logical partitions, physical drives, RAM, CD ROM, and processes running on the system as shown in figure 5. From the options provided select the drive from which the evidence is to be obtained. In this case, drive 2 is selected because it is the USB drive that is under investigation. It is recommended that physical drives with logical partitions are selected because a complete disk image can be obtained through the physical drive [1]. Click on ‘Finish’.
A new window will be displayed as shown in figure 6. This window will display the list of the evidence that has been selected. If the case had more than one piece of evidence then all of them would be listed.
Click on the evidence twice in quick succession in order to view the content of the drive. The investigator can skip any file or folder that is not relevant to the case before acquiring the image.
From the submenu click on acquire and continue to obtain the forensic image from the evidence disk. On clicking ‘Acquire’, a window will pop up asking the investigator to enter information related to the case being investigated as shown in figure 8 below. E01 is the format that has been selected for the image [2]. Fill in the information correctly, then on the ‘Format’ tab select the preferred image format and verification hash.
Now click on ‘Ok’ for the image acquisition process to start. The window will also display the image acquisition status at the bottom right and the remaining time for the process to complete.
Once the process of acquisition has completed, the image will be saved to the folder that the investigator had selected.
The investigator then generated a hash value in order to prove the authenticity of the evidence. Click on ‘Device’ and select ‘Hash’ in order to generate the hash value.
Click on report once the process of hashing has completed. The report can be copied and pasted into a word document for future reference.
The data acquisition process has completed.
Data recovery is the process of restoring deleted or corrupted data from a physical drive or logical partition [3]. This process is very crucial in computer forensics as the recovered data will serve as the evidence that can be presented in a court of law. In the case that is being investigated, ProDiscover Basic software will be used to carry out the process of data recovery. ProDiscover Basic is a very simple and easy to use forensic tool. First, install ProDiscover Basic and execute it. When the program has loaded it will ask the user to enter the information regarding the case [4].
Expand the image by clicking on the plus sign in order to view its contents, then click on the image so as to display the content in the main display.
From the content that has been displayed, browse for the content that is related to the case being investigated. To recover the files, select all the files related to the case, right click on them and select ‘Copy all selected files’.
A new window will pop up asking the investigator to choose the location to recover the files to, as shown in figure 19. Choose your preferred folder or drive and click on ‘ok’. The USB drive was selected as the preferred drive.
On clicking ‘ok’ all the selected files will be restored/recovered to the destination folder [5]. Navigate to the USB drive to see the recovered files.
Data analysis in computer forensics is the process of examining data with regard to computer crime. The objective of data analysis is to find out and examine data patterns [6]. It is crucial to analyze recovered data so as to check the relevance, validity, and accuracy of the data recovered. Different investigators have different ways of carrying out data analysis, but in the case being investigated a hex editor was used to analyze the recovered data for any hidden files [7]. To achieve this, the recovered data was loaded into the hex editor and the ‘hidden’ option, which is a sub-function of ‘file attribute’ located at the bottom right of the program window, was activated as shown in figure 21 below.
The analysis process did not identify any hidden files in the recovered files.
Data validation is a very crucial step in computer forensics. It ensures the data restored is meaningful, useful, and meets the data rules set out. Data validation fosters data integrity, which is a key aspect in forensic investigation [8]. The investigator has to carry out several data validation processes in order to achieve data integrity. There exist several methods of data validation:
Required field: this is a validation technique that is used to validate data entered on online forms. This method ensures that the user cannot continue until the set fields have been filled with data.
Type validation: a common validation technique for databases and excel files. This method checks the correctness of the data type entered in a particular data field [9]. If a data field has been set to only allow text characters then it should not allow any other data type in the text field. The type validation technique can further be used to check file extensions to ensure a file is of a valid extension.
Range validation: this method checks whether the data entered falls within a set range. When a range has been set on a particular data field, it must not allow any data outside the range.
In this case, the investigator applied type validation on the recovered files to ensure that they were of the correct file extension and contained valid data [10]. The result was positive and the investigator concluded that the files were valid and contained relevant, correct, and complete data.
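As an added example (not part of the original report or of any of the tools it names), the following Python script shows what the two checks applied to the recovered files look like when done by hand: type validation, where the extension of each recovered file is compared against the bytes actually found inside it (a .docx/.xlsx is a ZIP container with a "word/" or "xl/" folder, a .jpg starts with FF D8 FF), and a hash value for each file so that a later copy can be verified against the one recorded at acquisition time. The three sample files and the mislabelled fourth one are constructed inline; the function names are my own.

```python
import hashlib
import io
import os
import zipfile

# Leading bytes (magic numbers) expected for each extension. DOCX and XLSX are
# ZIP containers, so both begin with the ZIP local-file signature "PK\x03\x04".
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}
# Inside an Office Open XML container the top-level folder tells docx from xlsx.
OOXML_MARKER = {".docx": "word/", ".xlsx": "xl/"}


def validate_type(name, data):
    """Return True only when the content matches what the extension claims."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC or not data.startswith(MAGIC[ext]):
        return False
    if ext in OOXML_MARKER:                     # header alone cannot tell docx from xlsx
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:              # right header, but not a readable container
            return False
        return any(n.startswith(OOXML_MARKER[ext]) for n in names)
    return True


def sha256(data):
    """Hash value recorded for each recovered file, for later re-verification."""
    return hashlib.sha256(data).hexdigest()


def validate_recovered(files):
    """files: {name: bytes}. Returns {name: (type_ok, sha256)} as a validation record."""
    return {n: (validate_type(n, d), sha256(d)) for n, d in files.items()}


def make_ooxml(folder):
    """Constructed minimal OOXML-style container used only for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(folder + "document.xml", "<x/>")
    return buf.getvalue()


# Constructed sample set: the three files from the case plus one mislabelled file.
SAMPLE = {
    "report.docx": make_ooxml("word/"),
    "sheet.xlsx": make_ooxml("xl/"),
    "portrait.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",
    "notes.docx": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG bytes carrying a .docx name
}
```

Running `validate_recovered(SAMPLE)` flags `notes.docx` as a type mismatch while the other three pass, and the stored hashes change if any byte of a file is altered between acquisition and review.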
In forensic investigation, copying a drive is one of the critical processes and requires skills and experience so as not to damage the evidence. Computer forensics requires that all the drive properties are copied correctly and completely [11]. There exist four methods of copying a drive, but in this task only three will be discussed. They include sparse data copy, disk-to-disk copy, and logical disk-to-disk copy. The investigation circumstances and environment determine the copy method.
Sparse data copy: this is a type of drive copy that gathers fragments of deleted data, specifically .PST and .OST files relating to mail and RAID servers [12]. AccessData FTK imager is a recommended software to carry out this type of copy.
Disk-to-disk copy: this is a common and flexible copy technique that is mostly used to prepare multiple copies of the original drive [13]. There are several tools that can be used to carry out this type of copy; they include The Sleuth Kit, FTK imager, ProDiscover Basic, and EnCase.
Logical disk-to-disk copy: this is a copy technique that is mostly used when there is limited time to copy the drive. This method enables the investigating officer to copy only the content relevant to the case. EnCase is a recommended utility for this type of drive copy [14].
Conclusion
Computer forensics is becoming more critical in the current era. It requires skills and expertise in order to collect relevant, complete, and accurate evidence that can be submitted in a court of law. The order of evidence volatility is very important because it directs the investigator to collect the most volatile and valuable evidence first and work down to the least volatile. Data acquisition is a crucial step that will determine the overall outcome of the investigation process and should be carried out correctly and using the appropriate tool.
References
[1] D. Hayes, A Practical Guide to Computer Forensics Investigations. Indianapolis, Indiana: Pearson, 2015.
[2] M. Maras, Computer Forensics. Sudbury: Jones & Bartlett Learning, LLC, 2014.
[3] R. Sadgune, “ProDiscover Incident Response, ProDiscover Forensics, ProDiscover”, Hackforlab.com, 2014. [Online]. Available: https://hackforlab.com/prodiscover-incident-response-feature/. [Accessed: 27-Aug-2018].
[4] B. ProDiscover, “ProDiscover Forensic Data Recovery”, Networkdefensesolutions.com, 2018. [Online]. Available: https://networkdefensesolutions.com/index.php/forensics/78-prodiscoverfilerecovery. [Accessed: 27-Aug-2018].
[5] T. OTW, “Digital Forensics, Part 3: Recovering Deleted Files”, Hackers-arise.com, 2016. [Online]. Available: https://www.hackers-arise.com/single-post/2016/10/10/Digital-Forensics-Part-3-Recovering-Deleted-Files. [Accessed: 30-Aug-2018].
[6] J. Marshall, “Examining the Raw Data on Your Hard Drive with a Hex Editor”, Tierradatarecovery.co.uk, 2014. [Online]. Available: https://tierradatarecovery.co.uk/examining-the-raw-data-on-your-hard-drive-with-a-hex-editor/. [Accessed: 30-Aug-2018].
[7] M. Hörz, “HxD – Freeware Hex Editor and Disk Editor | mh-nexus”, Mh-nexus.de, 2018. [Online]. Available: https://mh-nexus.de/en/hxd/. [Accessed: 30-Aug-2018].
[8] G. Wingate, Computer Systems Validation. Boca Raton, USA: CRC Press, 2016.
[9] N. Gilani, “Types of Validation Checks | Techwalla.com”, Techwalla, 2018. [Online]. Available: https://www.techwalla.com/articles/types-of-validation-checks. [Accessed: 27-Aug-2018].
[10] G. Wingate, Computer Systems Validation. Boca Raton, USA: CRC Press, 2016.
[11] S. Moramarco, “Digital Forensics”, InfoSec Resources, 2016. [Online]. Available: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/#gref. [Accessed: 30-Aug-2018].
[12] C. Eoghan, “Focused digital evidence analysis and forensic distinguishers”, Digital Investigation, vol. 18, pp. A1-A3, 2016.
[13] E. Casey, “Digital Stratigraphy: Contextual Analysis of File System Traces in Forensic Science”, Journal of Forensic Sciences, 2017.
[14] B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. Mason, OH: Cengage Learning US, 2018.