Discuss the Forensic Reconstruction and Analysis of Residual Artifacts.
Digital forensic tools are an important aspect of forensic investigation. They help the investigator acquire and collect potential evidence properly so that it may be used in court. Hardware and software are the two main categories of digital forensic tools.
Profile 1: Victim
Name | Jaclyn Chew
Age | 27
Relationship to Suspect | Victim
Relationship to Suspect’s Boss | Nil
Employer | Singapore Airlines
Hobbies | Loves jogging
Address | 1.379498, 103.893855, living alone
Profile 2: Suspect
Name | Leonard Kim
Age | Nil
Relationship to Victim | Murderer
Relationship to Suspect’s Boss | Employee
Employer | Nil
Hobbies | Nil
Address | Nil
Profile 3: Suspect’s Boss
Name | Anthony Liew
Age | Nil
Relationship to Victim | Employer
Relationship to Suspect | Nil
Employer | Nil
Hobbies | Nil
Address | Nil
Hardware forensic tools range from single, simple components to complete computer systems and servers, while software forensic tools are grouped into command-line applications and graphical user interface applications (Nelson et al., 2015). There are numerous digital forensic tools available on the market; some are free, while the majority are commercial products. All digital forensic tools serve specific purposes. These purposes are classified into four groups that serve as guidelines for evaluating digital forensic tools (Nelson et al., 2015): acquisition; validation and verification; extraction; and reconstruction and reporting.
As the hired forensic investigator tasked with discovering electronic evidence hidden in emails and text messages, the forensic tools described below will be utilised.
The investigation is meant to uncover and present the truth, and nothing but the truth, concerning Jaclyn Chew’s murder, of which Leonard Kim is the suspect (Casey, 2004). However, it is always a challenge for investigators to keep and retain items that are potential evidence, because digital evidence is fundamentally different from traditional types of evidence: it is highly volatile in nature, and how it is handled is crucial to its reliability and acceptability in court. Hence, technical procedures and guidance should be strictly observed in conducting digital forensics. So as not to spoil the evidence, and to ensure its admissibility in court, the following procedure shall be followed:
Day 1: Identifying the objective and object of the investigation
Day 2–5: Gathering the data and information needed for the investigation
Day 6: Gathering evidence with the forensic tools available
Days 7 and 8: Analysis of the evidence gathered
Day 9: Finalisation of the report
Day 10: Presentation of the report
This part details the forensic procedure followed in the investigation of Jaclyn Chew’s murder, the tools that were used, and the examination of Leonard Kim’s computer and mobile device.
The computer used for the forensic test was an HP EliteBook 6930p laptop with 8 GB of RAM and 150 GB of disk storage, running Windows alongside CAINE version 6.0. First of all, the two most common ways to crack a password are dictionary and brute-force attacks. A brute-force attack is when the software tool being used tries every permutation of letters, symbols and numbers until the password is cracked (Hunt and Zeadally, 2012). A dictionary attack is probably the quickest way to crack a password (Easttom & Taylor, 2011). One of the best approaches at a computer crime scene, even in a password-cracking case, is to secure the scene and not turn off the system, and to develop a standard operating procedure (SOP). One of the procedures that must be executed at the start of a computer crime scene is to document everything before moving, handling or removing equipment. If the system is turned off, the volatile memory is lost as well. The employee involved should also be removed from the scene.
Documenting everything is critical. Take notes of everything that is active on the computer, such as webcams and other connected devices. Once everything is documented, touch the mouse lightly so that the computer comes out of sleep mode and what is on the screen can be seen (AlHidaifi, 2018). Check for anything that could be removing evidence, such as deletion or formatting of the drives. Do not turn anything off until tools have been used to collect volatile data, because that data could hold evidence that would be lost when the computer loses power. Once documentation of the area has been completed and volatile data has been collected, the equipment can be made ready for transport.
Since it is not clear whether an attack is currently in progress, check whether any programs are running and take photographic evidence (Brilis, 2001). Next, check whether there is any live connection to the system. At every step it is important to take photographic evidence and to write down the date, time and results of everything done before moving on to the following step. To see any live connections to the system, I can run an open-files command that tells me whether any shared files or folders are open and who has them open (Easttom, 2014). The documentation of every activity, down to securing the scene, should follow the chain of custody. Every precaution must be taken in the collection, preservation and transportation of digital evidence.
The next step is to pack up the evidence and transport it to a secure forensic location. If the attack is still in progress, power to the computer should be disconnected immediately to preserve whatever evidence is left on it. Two methods that help in investigating computer crime are intrusion prevention (IPS) tools or software, which detect an attack and stop it from happening, and intrusion detection systems, which detect and send an alert while a threat is in progress. Once all the computers involved in the password-cracking hack have been bagged, packed and tagged and are at the secure location, the next task is to collect the data from them securely. To collect evidence from each of the multiple computers used for the crime without altering any of the evidence on them, the most widely used digital forensic tool would be EnCase. EnCase is a very complex piece of software that can duplicate and read the hard drive of an array of different devices. With EnCase the hard drive can be removed and, together with FastBloc, safely previewed and acquired into an EnCase evidence file. The EnCase forensic tool can be extremely useful for forensic investigators.
Not all evidence on a computer lasts a long time; volatile memory and data, such as the RAM, is one example. RAM is extremely volatile because as soon as the computer loses power, the data held in it is gone, and the fact that some evidence lasts only nanoseconds makes it extremely important and the most volatile. The order of volatility guides an investigator in collecting enough proof in the order that is best for it. An investigator prepares an order of volatility to make sure that useful information is captured; it should be arranged from most to least volatile. The order of volatility lists registers and cache, routing tables, the process table, the ARP cache, kernel modules and kernel statistics (Professor Messer, 2014). Volatile memory analysis is one way to extract the evidence: it is a technique for collecting memory and analysing it in an isolated environment (Easttom, 2011). Another way to extract evidence from volatile memory is the Belkasoft Live RAM Capturer, a small forensic tool that extracts the entire contents of the computer’s volatile memory even when an anti-dumping system is involved (Belkasoft, 2017).
The steps to take when identifying digital evidence are simple; however, they vary from device to device. First, obtain a warrant authorising the search and seizure of evidence. Then secure the scene, which keeps any evidence from being compromised or going missing. Whoever appears first at the scene of the crime should preserve the state of the computer by backing up copies of logs, damaged or altered files, and anything the intruder may have left behind, in case the hackers left any trace of their presence. Document any losses and damages that may have resulted from the attack. Secure the evidence, such as hard drives, cameras, cell phones, storage media, e-mails, and logs from the system, chat rooms, the firewall, the router, the database and so on, all while establishing and maintaining the chain of custody. The step that follows is packing up the evidence for transportation to a secured place (Easttom & Taylor, 2011). At the department lab, forensic examiners can then analyse all the evidence collected and retrieve whatever other evidence is left on the computer, such as evidence from the operating system and intrusion detection systems. Create a copy of the data and keep the original in a secured area. Use forensic tools to create a forensic image of the electronic evidence. Write a description of the findings analysed and produce a report. If the crime goes to court, the forensic examiner must give testimony under oath in a deposition or in front of a jury.
The tools and programs used at the time of the research are:
Autopsy Forensic is a commonly used open-source forensic tool. It is a graphical digital forensics platform hosting the Sleuth Kit as well as other digital forensics tools. It is normally used by government law enforcement institutions such as the police and national defence, and by private examiners, in the investigation of digital devices (D. and Meeran, 2015). It is used to recover erased contents of file systems as well as to conduct keyword searches.
CAINE (Computer Aided INvestigative Environment) is an integrated digital forensics environment based on Ubuntu GNU/Linux that offers a complete forensic environment with a GUI that is user
mmls is a command-line tool that determines the layout of the partitions and file systems present on a hard disk.
Once the USB image was received, its original state was preserved and recorded. The main reason to preserve the image is to maintain its integrity, as it is prone to tampering and alteration in the succeeding forensic analysis phases. As soon as the image’s integrity was established, the subsequent analysis was conducted on copies. This gave a way of comparing a copy with the original at any phase. As a result, the copies are verified to be authentic and to have not been altered in any way, and are therefore relevant and reliable.
The investigator used the CAINE 6.0 platform to conduct the digital forensic analysis.
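The preservation workflow described above, as an added example that is not code from the essay or from CAINE: the received image is hashed, analysis proceeds only on a copy proven bit-identical to the original, every step is appended to a chain-of-custody log, and the copy can be re-verified at any later phase. The image bytes, file names and examiner name are all constructed for the demonstration.

```python
"""Added example (not from the essay): preserve a forensic image by hashing it,
work only on a verified copy, and record each step in a chain-of-custody log."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path, action, path, digest, examiner):
    """Append one UTC-timestamped entry: who did what to which file, with its hash."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "file": os.path.basename(path),
        "sha256": digest,
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def make_working_copy(original, copy_path, log_path, examiner):
    """Copy the acquired image and prove the copy is bit-identical before analysis."""
    original_digest = hash_file(original)
    record_custody(log_path, "acquired", original, original_digest, examiner)
    shutil.copyfile(original, copy_path)
    copy_digest = hash_file(copy_path)
    record_custody(log_path, "working copy created", copy_path, copy_digest, examiner)
    return copy_digest == original_digest


def verify_unchanged(path, expected_digest):
    """Re-hash a copy at any later phase to show the analysis did not alter it."""
    return hash_file(path) == expected_digest


def demo():
    """Run the workflow on a constructed 'USB image' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "usb.dd")
    copy_path = os.path.join(workdir, "usb_working.dd")
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(original, "wb") as fh:  # constructed sample image, not real evidence
        fh.write(b"FAT32 boot sector" + bytes(range(256)) * 64)
    copy_ok = make_working_copy(original, copy_path, log_path, "examiner-1")
    digest = hash_file(original)
    # Simulate a careless tool writing into the copy: verification must now fail.
    with open(copy_path, "r+b") as fh:
        fh.seek(40)
        fh.write(b"X")
    still_intact = verify_unchanged(copy_path, digest)
    with open(log_path) as fh:
        entries = sum(1 for _ in fh)
    shutil.rmtree(workdir)
    return copy_ok, still_intact, entries
```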
According to Rob Lee’s compilation, a good way to describe the forensic methodology is as the accepted methods and processes used to properly seize, analyse and safeguard evidence and determine what happened. This can be done in eight steps according to the SANS methodology for information technology forensic investigations. The eight-step methodology helps the investigator stay on track and gives assurance that evidence is presented properly in civil and criminal computer cases, internal disciplinary actions and legal proceedings, and unusual operational issues such as malware handling. In addition, it is a good starting point for reasonable knowledge of forensic principles, techniques, guidelines, procedures and tools (Hitchcock, Le-Khac and Scanlon, 2016).
Step 1-Verification
Verification is the first step of an incident response; it determines the extent and scope of the incident so that the case can be assessed on its situation, nature and essentials. It is a very crucial first step since it helps determine the features of the scenario and explains the approach that will identify, collect and preserve the evidence. It could also be helpful to the business owners (Rocha, 2014).
Step 2-System Description
The following step describes the process of collecting data about the particular occurrence. It is done by taking notes and describing the system being analysed, the place the system was acquired and the role of the system in the firm, together with a summary of the OS and its general configuration (Rocha, 2014).
Step 3-Evidence Acquisition
This step involves identifying possible data sources, acquiring volatile and non-volatile information, verifying data integrity and making sure that the chain of custody is in place.
Prioritising the evidence collected during this stage is very important in determining the business impact and executing the chosen strategies. Since volatile data changes constantly, the order in which the data is gathered is vital. Network connections, login sessions, the ARP cache, processes in progress, the contents of RAM and open files are the sources of volatile data collection. Data from hard drives should be gathered as a bit-by-bit stream image using a write blocker. Helix can be used to boot the system locally or remotely, or to acquire a live system where disk encryption is in use (Rocha, 2014).
Step 4-Timeline Analysis
Following evidence gathering is investigation and analysis in the forensics lab. This begins with a timeline of when files were accessed, modified, changed and created, presented in a human-readable form and known as MAC times. Information gathered with several tools is extracted from the metadata layer of the file system, then analysed and organised for examination. The ultimate objective is to be able to create a picture of the activity on the system, including its date, the item involved, the action and its source. It is important to be careful and thorough, which enables the evidence gathering to be comprehensive across system files and the operating system. To achieve this, several commercial and open-source tools exist, for example the SIFT Workstation, which is freely available and frequently updated (Rocha, 2014).
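A MAC-time timeline of the kind Step 4 describes, as an added example that is not code from the essay or from the SIFT Workstation: it takes file-system metadata records (the four timestamps per file that the metadata layer provides), collapses identical timestamps on one file into a single row with mactime-style m/a/c/b flags, and sorts the result. The three records, paths and epoch times are constructed.

```python
"""Added example (not from the essay): build a sorted MAC-time timeline from
constructed file-system metadata records (epoch seconds per file)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample metadata; in a real case it is extracted from the image's
# metadata layer (e.g. by a Sleuth Kit bodyfile). m/a/c/b = modified, accessed,
# metadata-changed, born (created).
SAMPLE_RECORDS = [
    {"path": "/home/lkim/notes.txt", "m": 1502700000, "a": 1502703600,
     "c": 1502700000, "b": 1502699000},
    {"path": "/home/lkim/.bash_history", "m": 1502703700, "a": 1502703700,
     "c": 1502703700, "b": 1502600000},
    {"path": "/media/usb/photo.jpg", "m": 1502701000, "a": 1502703650,
     "c": 1502703650, "b": 1502703650},
]

FLAG_ORDER = "macb"


def build_timeline(records):
    """Return events sorted by time. Identical timestamps on one file collapse
    into one row whose flag string shows which of m/a/c/b it represents."""
    grouped = defaultdict(set)
    for rec in records:
        for flag in FLAG_ORDER:
            grouped[(rec[flag], rec["path"])].add(flag)
    timeline = []
    for (ts, path), flags in sorted(grouped.items()):
        timeline.append({
            "time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "epoch": ts,
            "flags": "".join(f if f in flags else "." for f in FLAG_ORDER),
            "path": path,
        })
    return timeline


def events_between(timeline, start, end):
    """Narrow the timeline to a window of interest, e.g. around a USB mount."""
    return [e for e in timeline if start <= e["epoch"] <= end]


def render(timeline):
    """One human-readable row per event, in the order an examiner reads them."""
    return "\n".join(f'{e["time"]}  {e["flags"]}  {e["path"]}' for e in timeline)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_RECORDS)))
```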
Step 5-Media and Artefact Analysis
This step enables the examiner to investigate and figure out what programs were executed, which files were downloaded, which files were clicked on, which directories were opened, which files were deleted, and the browsing history of the user. It is critical to separate the good files from the bad ones in order to reduce the amount of data gathered. This can be done using databases such as the National Software Reference Library from NIST and hash comparisons using tools such as hfind from the Sleuth Kit. If you are examining a Windows system you can create a super timeline, which consolidates various time sources into a single file, thereby reducing the amount of data to be analysed (Rocha, 2014).
Step 6-String or Byte Search
This step consists of using tools that search through the low-level raw images. Basic tools and methods are used to look for the byte signatures of known files. It is also in this step that string searches are done using regular expressions. The strings or byte signatures sought are the ones relevant to the case being handled (Rocha, 2014).
Step 7-Data Recovery
This step involves data recovery from file systems. The tools needed to complete this step are available in the Sleuth Kit, which can be used to examine the file system at the data layer and the metadata layer. Analysing slack space and unallocated space and an in-depth file system investigation are part of this step, with the goal of finding files of interest. Carving files from the raw images based on file headers, using tools such as foremost, is another method of gathering further evidence (Rocha, 2014).
Step 8-Reporting Results
This last step involves reporting the results of the analysis, which includes describing the actions performed, determining what other actions should be performed, and recommending improvements to policies, guidelines, procedures, tools and other aspects of the forensic process. Reporting findings is a key part of any investigation, and the report must be written to reflect the use of scientific methods that can also be demonstrated by the examiner. Adapt the reporting style to the audience and be prepared for the report to be used as evidence for legal or administrative purposes (Rocha, 2014).
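Steps 6 and 7 together, as an added example that is not code from the essay, the Sleuth Kit or foremost: a raw image is scanned for the byte signatures of known file types and for regular-expression strings relevant to an e-mail and text-message case, and a JPEG is then carved from the raw bytes by its header and footer, the way foremost does. The image, the addresses and the phone number are constructed; the signature values are the standard magic numbers.

```python
"""Added example (not from the essay): byte-signature search, regex string
search and header/footer carving over a constructed raw disk image."""
import re

# Header signatures (magic numbers) of common file types.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
JPEG_FOOTER = b"\xff\xd9"

# Regexes that matter in a typical e-mail / text-message case.
STRING_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone_sg": re.compile(rb"\+65 ?[3689]\d{7}"),
}


def find_signatures(image):
    """Return sorted (offset, type) pairs for every known header in the raw bytes."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def find_strings(image):
    """Regex search over the raw image, independent of any file system."""
    return {name: sorted({m.group(0) for m in pat.finditer(image)})
            for name, pat in STRING_PATTERNS.items()}


def carve_jpeg(image, offset):
    """Carve from a JPEG header to the first footer after it; None if no footer."""
    end = image.find(JPEG_FOOTER, offset + len(SIGNATURES["jpeg"]))
    if end == -1:
        return None
    return image[offset:end + len(JPEG_FOOTER)]


# Constructed raw image: zero padding, a deleted e-mail fragment in unallocated
# space, a tiny JPEG, and the start of a PDF. Addresses use example.com.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"From: leonard.kim@example.com\r\nTo: jaclyn.chew@example.com\r\n"
    + b"Call me +65 91234567\r\n"
    + b"\x00" * 32
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x12\x34" * 8 + b"\xff\xd9"
    + b"\x00" * 16
    + b"%PDF-1.4\n"
)
```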
Analysis of Leonard Kim’s and Anthony Liew’s computers provided further evidence needed by the investigator to support some of the facts discovered during the investigation.
Action | Comments
Determining the availability and location of log data by examining configuration files. | Data is obtainable from the /var/log/audit/audit.log file. It was recovered for the subsequent analysis.
Getting the records of users and login dates and times. | The suspect was the only user, and logged on on several occasions.
Identifying times of USB flash drive usage. | Mounted on behalf of the suspect’s user id; unmounted from the drive on behalf of the suspect’s user id.
Analysing the controlling user’s history file for commands executed. | The controlling user was the suspect employee.
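The audit-log findings tabulated above, as an added example that is not code from the essay: the login records and the USB mount/unmount events are pulled out of Linux audit records together with the audit user id (auid) they were performed under. The four audit.log lines are constructed in auditd’s key=value format; the syscall numbers 165 (mount) and 166 (umount2) are the x86_64 values, and the "usb-mount" key assumes an audit rule was tagged with that name.

```python
"""Added example (not from the essay): extract login times and USB mount/unmount
events, with the responsible auid, from constructed Linux audit.log records."""
import re
from datetime import datetime, timezone

# Constructed sample records (not from the case); format follows auditd.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1502700000.101:41): pid=912 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1502703600.202:77): pid=913 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1502703650.303:80): arch=c000003e syscall=165 success=yes exit=0 auid=1000 uid=0 comm="mount" exe="/usr/bin/mount" key="usb-mount"
type=SYSCALL msg=audit(1502704200.404:95): arch=c000003e syscall=166 success=yes exit=0 auid=1000 uid=0 comm="umount" exe="/usr/bin/umount" key="usb-mount"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.\d+:\d+\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
MOUNT_SYSCALLS = {"165": "mount", "166": "unmount"}  # x86_64 mount / umount2


def parse_audit(text):
    """Turn each audit.log line into a dict of its key=value fields plus a UTC time."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed audit record
        fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group("body"))}
        # The msg='...' payload of USER_* records carries its own key=value pairs.
        if "msg" in fields:
            fields.update((k, v.strip('"')) for k, v in FIELD_RE.findall(fields["msg"]))
        fields["type"] = m.group("type")
        fields["time"] = datetime.fromtimestamp(int(m.group("ts")), timezone.utc)
        records.append(fields)
    return records


def login_times(records):
    """Successful logins grouped by auid: the 'who logged in, and when' column."""
    result = {}
    for r in records:
        if r["type"] == "USER_LOGIN" and r.get("res") == "success":
            result.setdefault(r["auid"], []).append(r["time"].isoformat())
    return result


def usb_events(records):
    """Mount/unmount syscalls tagged with the usb-mount key, with the auid."""
    return [(r["time"].isoformat(), MOUNT_SYSCALLS[r["syscall"]], r["auid"])
            for r in records
            if r["type"] == "SYSCALL" and r.get("key") == "usb-mount"
            and r.get("syscall") in MOUNT_SYSCALLS]
```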
Securing the integrity of the evidence gathered is imperative in law enforcement. If the integrity of the evidence is doubtful, its use in legal proceedings could be imperilled, potentially causing a case to be rejected by the court. Nations with a history of the rule of law have a structure of rules and procedures stipulating how evidence is to be gathered, used and protected. Evidence is admissible in court only if these rules have been followed. Generally the persons or entities being tried have procedural rights, giving them protection from any evidence tampered with to control the outcome of an investigation or trial. Therefore, it is critical that forensic experts and specialists, and any individual who handles evidence during an investigation, know and follow the rules concerning the admissibility of evidence.
Evidential integrity can be safeguarded by using investigative methods that do not alter the evidence. The handling of evidence during the whole process must be performed or witnessed by people who are trustworthy, objective and competent; however, this requires further examination in the digital domain. Another factor that helps in safeguarding the integrity of evidence is known as the “chain of custody”, which is the history of the evidence from the time of seizure to the time of presentation. It includes all the information about where, how and by whom the evidence was handled (Hosmer, 2002).
Conclusion
Demonstrating the integrity of digital evidence over time offers significant advantages over existing best-practice methods. Depending on how evidence is kept or saved, the identity of the signer, the time the signing occurred and the digital data we are trying to secure can all be vouched for when required. This new digital integrity stamp will enable us to demonstrate the integrity of digital evidence today and in the future. We trust that this new level of security for digital evidence will advance the gathering, preservation and use of digital evidence, all while following the correct policies as well as cryptographic hashing techniques during the evidence collection process.
References
Aid4Mail (2015). Aid4Mail 3 user manual. Retrieved from https://www.aid4mail.com/doc/Aid4Mail3_Manual.pdf
AlHidaifi, S. (2018). Mobile Forensics: Android Platforms and WhatsApp Extraction Tools. International Journal of Computer Applications, 179(47), pp. 25-29.
Belkasoft (2017). Belkasoft: Forensic Made Easier. Retrieved 14 August 2017, from https://belkasoft.com/ram-capturer
Brilis, G. (2001). Remote Sensing Tools Assist in Environmental Forensics: Part II—Digital Tools. Environmental Forensics, 2(3), pp. 223-229.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2nd ed.). Great Britain: Elsevier Academic Press.
D., E. and Meeran, N. (2015). Forensic Reconstruction and Analysis of Residual Artifacts from Portable Web Browser. International Journal of Computer Applications, 128(18), pp. 19-24.
Easttom, C. (2014). System Forensics, Investigation, and Response (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Easttom, C. and Taylor, J. (2011). Computer Crime, Investigation, and the Law. United States: Cengage Learning.
Hitchcock, B., Le-Khac, N. and Scanlon, M. (2016). Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digital Investigation, 16, pp. S75-S85.
Hunt, R. and Zeadally, S. (2012). Network Forensics: An Analysis of Techniques, Tools, and Trends. Computer, 45(12), pp. 36-43. doi: 10.1109/MC.2012.252
MOBILedit (2016). MOBILedit Forensic. Retrieved from https://www.mobiledit.com/forensic
Nelson, B., Phillips, A. and Steuart, C. (2015). Guide to Computer Forensics and Investigations (5th ed.). Boston, MA: Cengage Learning.
Professor Messer (2014). Order of Volatility. Retrieved 14 August 2017, from https://www.professormesser.com/security-plus/sy0-401/order-of-volatility-2/