Task 1: Recovering scrambled bits
Process
The process followed in this case began with collecting the evidence material, that is, the machine. Once the machine had been seized, a digital image of the machine and its files was created and transferred to other computers. This preserves the state of the machine as it is and keeps the data collection organised. All further analysis was then performed on the collected image rather than on the original. The image was acquired with FTK Imager, and through that software any corrupted file or image was identified and studied. With software such as ProDiscover, an attempt was made to decrypt encrypted data and, from the way the decryption proceeds, to analyse the different forms of corruption or encryption; it can also be used to examine the cache files and cookies created during internet use (Sunde, et al., 2017). The software was also used to understand how the data had been encrypted and to look for any form of corruption. With Wireshark, the network protocols were analysed, which made it possible to find the dates of internet access, the search engines used and the text searched for, from which the general way the user works could be studied. With a ripper such as RegRipper, it was easy to take a copy of the image and analyse it in isolation by loading it into the different tools (Franke, et al., 2018). With EnCase, different kinds of analysis could be conducted, such as cyber security, security analytics and e-discovery, and several kinds of information emerged from it. Other studies included examining the cache files through ProDiscover and identifying the make and model of the product (Swartz, 2017).
The second of the two steps was carried out by visiting the police academy and obtaining a licence, so that entering the suspect machine and analysing its contents was legal.
The scrambled bits were partial data obtained from an email connected to a web link. The information there was suspicious, but very little of it could be identified, because the data was in an encrypted form. In order to decode the suspicious information found through the email-linked web page, EMTS planned to use a forensic analysis tool, and in this case the evaluation version of the software WinHex was used. It is a powerful tool for detecting suspicious data, and the data could be recovered using its data wiping tool.
Task 2: Digital Forensics Report
After setup, the program is launched and a destination folder is chosen for the installation. The setup program is as easy to use as any other Windows wizard. Administrator permission was obtained in order to edit hard disk sectors.
WinHex is a hex editor. Each row shows three columns: an offset (address) column, 16 bytes in hexadecimal, and the same 16 bytes as text. The data can be viewed in detail. Hex-only and text-only modes can be selected by clicking check boxes in the View menu. A session begins at the Start Center, from which previously opened files can be viewed again.
Unknown data can be extracted from unknown sources; for example, the location of the data on the drive can be determined. This is how the data available on the stored drive was worked through.
This is how the data is viewed before the data recovery process is started in this software. There are tools that work with disks holding sets of stored data and with the data recovery process. The scrambled bits of data that had gone undetected in the email were nevertheless extracted using this software. The decoded data will now be sent to the administrative section of EMTS to decide on the further steps to be taken.
Case Analysis:
Detecting and recovering graphics files is important to the scope of this report. During the investigation it was found that some of the files, particularly the image files, were not stored in a normal graphics file format. These suspect files were therefore analysed with the available digital forensic tools. One way to identify a suspect graphics file is that such files contain header information that instructs the viewer how to display the image. By identifying the data patterns, full use can be made of this header information. FTK Imager, ProDiscover v7, RegRipper, Wireshark and EnCase v7 are forensic programs that can be used to identify the data patterns and to carve the graphics files.
- Identification of the fragments of the graphic file
Carving is a technique for recovering the fragments of a graphics file scattered across the disk area before recreating the file. Before carving, the analyst first becomes familiar with the data patterns, which are identified using the digital forensic tools and programs named above. ProDiscover and WinHex were then used to copy the known data patterns from the recovered files, and the recovered information was restored so that the graphics file could be viewed.
- Repairing damaged header
Deliverable
The graphics file has a unique header, and the file was found on the USB drive on the desk of Bob Aspen, the travel consultant. The header information was recovered by reconstructing it, comparing the patterns of hexadecimal values with those of known graphics file formats. The EMTS manager has recovered some web-based information from the email from the web server administrator; this information was screen-captured as provided.
The study needs a scope that defines the questions to be answered and the facts to be established. The scope of the project revolves around answering the following questions:
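The identification, carving and header repair described above, as an added example; this is not code from the report or from any of the tools it names. The signatures are the standard JPEG and PNG magic bytes; the "disk image", the two tiny sample files and all offsets are constructed here. The hexdump helper shows the offset / hex / text view in which the hexadecimal patterns are compared, and the PNG repair uses the IHDR chunk (which the format requires immediately after the 8-byte signature) as the anchor, then checks the IHDR CRC so a wrong repair is rejected rather than silently produced.

```python
"""Signature-based carving and header repair for graphic files (added example)."""
import struct
import zlib

# Header (magic) bytes and the trailer that ends a file of that format.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def hexdump(data, base=0, width=16):
    """Render bytes as offset / hex / text rows, the view a hex editor shows."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{base + off:08X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)


def find_signatures(image):
    """Return every (offset, kind) at which a known header pattern occurs."""
    hits = []
    for kind, (head, _) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(head, pos + 1)
    return sorted(hits)


def carve(image, offset, kind):
    """Carve one file from its header to the first trailer after it.
    Returns None when no trailer follows (file truncated or overwritten)."""
    head, tail = SIGNATURES[kind]
    end = image.find(tail, offset + len(head))
    if end == -1:
        return None
    return image[offset:end + len(tail)]


def png_chunk(ctype, payload):
    """Build one PNG chunk: big-endian length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_ihdr_crc_ok(data):
    """Validate the IHDR chunk CRC: a cheap consistency check on a repaired PNG."""
    if data[:8] != SIGNATURES["png"][0]:
        return False
    length = struct.unpack(">I", data[8:12])[0]
    chunk = data[12:16 + length]
    stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    return (zlib.crc32(chunk) & 0xFFFFFFFF) == stored


def repair_png_header(fragment):
    """Rewrite a damaged 8-byte PNG signature from the known pattern.
    IHDR must immediately follow the signature, so its type field at offset 12 is the
    anchor; if it is absent, or the CRC fails afterwards, the fragment is not a PNG."""
    if fragment[12:16] != b"IHDR":
        return None
    repaired = SIGNATURES["png"][0] + fragment[8:]
    return repaired if png_ihdr_crc_ok(repaired) else None


# Constructed sample files (not real evidence).
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xFF\xD9"
SAMPLE_PNG = (
    SIGNATURES["png"][0]
    + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))  # 1x1, 8-bit RGB
    + png_chunk(b"IDAT", zlib.compress(b"\x00\xFF\x00\x00"))             # filter 0, one red pixel
    + png_chunk(b"IEND", b"")
)
# A constructed "disk image": slack space, the JPEG, more slack, the PNG, then garbage.
DISK_IMAGE = b"\x00" * 64 + SAMPLE_JPEG + b"\x00" * 32 + SAMPLE_PNG + b"\xAA" * 16

if __name__ == "__main__":
    for off, kind in find_signatures(DISK_IMAGE):
        print(f"{kind} header at 0x{off:X}")
        print(hexdump(DISK_IMAGE[off:off + 16], base=off))
        print("carved bytes:", len(carve(DISK_IMAGE, off, kind)))
    damaged = b"\x00" * 8 + SAMPLE_PNG[8:]            # signature overwritten, rest intact
    print("repaired PNG matches original:", repair_png_header(damaged) == SAMPLE_PNG)
```

Trailer-based carving is the simplest form; it does not handle fragmented files, which is why the report's approach of first learning the data patterns matters when a file is split across non-contiguous clusters.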
- Is there any evidence about the ownership of the item, in particular whether there was more than one user of the same item?
- Was legal authority obtained before the analysis of the item was carried out?
- Was there any corruption of the data while the analysis was performed or the image was taken?
- Is there any credit card activity that went through the use of the item?
- Is there evidence that the item could have been used for the purposes considered in this area?
The findings show that the computer is the property of a person named David Granger, who goes by the pseudonym Mr. Devil. He uses an older version of Windows XP and, by blocking access to the Microsoft website and making sure that no updates can be applied to his system, he has escaped monitoring.
Analysis of the system and other files shows that David may have been involved in hacking activities, though nothing found on his system could be termed incriminating in nature (Flaglien, et al., 2017). No data that could be identified as illegal in content was found, but there was certain uninstalled software whose traces suggest that it may have been downloaded illegally. The hacking processes that were followed appear to have been carried out in a manner suggesting that the individual was attempting to test security analytics capabilities (Kirchner & Gloe, 2015).
No data shows that the laptop was used for getting into network traffic or for other piracy.
The analysis of the machine provided the following information:
| Item | Value |
| --- | --- |
| Make | HP Pavilion |
| Model | Not mentioned |
| Operating System | Windows XP SP2 |
| Hardware | Seagate 500 GB |
Some of the assumptions made in the following areas are:
- That the information in the system has been intentionally corrupted
- That the information identified on the machine has been analysed with a preconceived objective
- That no corruption of the data occurred during seizure and evidence collection
- That there were many files on the machine, so it was not possible to look into every aspect of it and analyse everything required for a proper analysis of the nature of the crime that might have taken place
Legal Consideration
From a legal point of view, it was found that the object, the evidence, had been collected from a police station. Although no one is legally sanctioned to analyse or study an object found outside or in a public area, this object was already held as evidence against a suspect (Sundaram & Nandini, 2017). In this case the evidence shows that the police collected it for the purpose of studying and analysing the system, so permission had to be obtained from the police authorities as to whether any legal procedure restricts the analysis (Ko & Zaw, 2015). That permission was obtained for the project, so legally it has been a permitted project.
Integrity of the Evidence
As to the integrity of the evidence, the evidence has been tested and found to have integrity: it was not tampered with after being secured. The first step taken was to acquire a digital image of the evidence so that the analysts could take control of the object and investigate it without tampering with the chief element, the actual laptop (Bjelland, et al., 2018). However, it was also necessary to make sure that the evidence had not been tampered with during collection. For this purpose the acquired image was run through different tests to establish the integrity of the data. With FTK Imager, the way the image had been taken and whether any part of it was corrupted were examined (Dilijonaite, et al., 2017). With software such as ProDiscover, any tampering or encryption was examined and, through that, any corruption was removed.
Validation and Verification
To make sure that the collected object has proper integrity, specific data analysis and image analysis were conducted, and through acquisition numbers and verification techniques it was possible to identify the evidence that can be considered in this case and to understand what it shows.
| Name | Acquisition MD5 | Verification MD5 | Evidence No. | Examiner Name |
| --- | --- | --- | --- | --- |
| HP Pavilion | aee4feca5fe5agsg5g55fae | aee4fcaefa5saf4665a4s | 1 of 1 | |
From the above information there is no sure way to say whether or not the image was tampered with before it was acquired.
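The acquisition and verification hashing that the table above records, as an added example; this is not code from the report or from FTK Imager or ProDiscover. The image content is a constructed byte string, and the evidence number and examiner name are placeholders. The point a practitioner checks is that the verification hash is recomputed from the image and compared with the acquisition hash, and that a single changed byte is enough to make the comparison fail.

```python
"""Acquisition and verification hashing of a disk image (added example)."""
import hashlib
import io


def _as_stream(src):
    """Accept a file-like object or raw bytes (small samples, tests)."""
    return io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src


def hash_image(src, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory.
    Recording two algorithms avoids relying on MD5 alone."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream = _as_stream(src)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(src, evidence_no, examiner):
    """The row an acquisition table holds: who imaged what, and the hashes at that moment."""
    return {"evidence_no": evidence_no, "examiner": examiner, "acquisition": hash_image(src)}


def verify(record, src):
    """Re-hash the image and compare with the acquisition hashes.
    Returns (ok, verification_hashes); ok is False if any algorithm disagrees."""
    verification = hash_image(src, algorithms=tuple(record["acquisition"]))
    ok = all(verification[n] == record["acquisition"][n] for n in record["acquisition"])
    return ok, verification


# Constructed image content (not real evidence).
IMAGE = b"MBR\x00" * 1024 + b"NTFS    " + b"\x00" * 4096

if __name__ == "__main__":
    rec = acquisition_record(IMAGE, "PLACEHOLDER-EVIDENCE-1", "PLACEHOLDER-EXAMINER")
    print("untouched image verifies:", verify(rec, IMAGE)[0])
    tampered = IMAGE[:100] + b"\x01" + IMAGE[101:]
    print("one changed byte verifies:", verify(rec, tampered)[0])
```

For a real image, pass an open file object (`open(path, "rb")`) instead of the bytes; the chunked loop is the same.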
File System
The hardware of the system was not in a condition that would allow information to be collected from it properly, but the file system could be used properly. First, it was necessary to establish when Windows XP was installed on the system and whether there had been any changes, through updates or other activities, that could alter the framework of the OS (Karie & Venter, 2015). This was done through the InstallDate entry of the configuration. The same process cannot be used on later versions of Windows.
It is recorded as a Unix time in hexadecimal (0x) form. Time stamps are recorded in GMT and adjusted by the computer according to the time zone it is set to. This hard drive is set to Central Daylight Time (see below), so this time stamp represents 19/8/04 05:48:27 PM in Central Daylight Time. The time zone in use is established by first identifying which of the two possible control sets is in use, from the Registry System hive:
System\Select\Current = 01 00 00 00
This value indicates that the control set in use is ControlSet001. Within ControlSet001, the time zone information was found; it indicated a value of -6, which is Central Daylight Time.
Registered Owner
The registered owner is set by the person installing the operating system. The details from the Registry are:
Item Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
The registered owner is "David Granger".
Computer Name
MD5 adb831a7fdd83dd1e2a309ce7591dff8
Shutdown Time
The last shutdown time of the computer was found in the Windows registry. It is stored as a hex value that can be deciphered; once the hex value was run through the hex editor feature provided in ProDiscover, it was found that the computer was last shut down on 24/09/07 (24th September 2007), and the final activity also falls on that date.
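The registry decoding walked through in the File System and Shutdown Time sections above, as an added example; this is not code from the report or from ProDiscover or RegRipper. The raw values are constructed: `Select\Current` and `InstallDate` are chosen so that they decode to the control set and the install time the report states (19/8/04 05:48:27 PM Central Daylight Time), while the `ShutdownTime` bytes and the `ActiveTimeBias` of 300 minutes are assumed values, not taken from the evidence. It shows why the hex values have to be read as little-endian integers, why the install date is a 32-bit Unix time while the shutdown time is a 64-bit FILETIME, and how the time-zone bias turns the UTC value into the local time the report quotes.

```python
"""Decoding XP registry timestamps and the time-zone bias (added example)."""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME counts 100 ns ticks from here


def reg_dword(raw):
    """REG_DWORD values are little-endian: bytes 01 00 00 00 mean 1."""
    return struct.unpack("<I", raw)[0]


def current_control_set(select_current_raw):
    """HKLM\\System\\Select\\Current names the live control set: 1 -> ControlSet001."""
    return f"ControlSet{reg_dword(select_current_raw):03d}"


def install_date_utc(install_date_raw):
    """Windows XP stores CurrentVersion\\InstallDate as a Unix time in a REG_DWORD (UTC)."""
    return datetime.fromtimestamp(reg_dword(install_date_raw), tz=UTC)


def filetime_utc(filetime_raw):
    """ShutdownTime is a 64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC.
    Integer arithmetic keeps the sub-second part a float division would lose."""
    ticks = struct.unpack("<Q", filetime_raw)[0]
    seconds, rest = divmod(ticks, 10_000_000)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rest // 10)


def to_local(utc_dt, active_time_bias_minutes):
    """TimeZoneInformation\\ActiveTimeBias is the number of minutes added to local time
    to reach UTC, so local = UTC - bias. Central Time has Bias 360 (UTC-6); with daylight
    saving in force the active bias is 300, which is assumed here for August 2004."""
    return utc_dt - timedelta(minutes=active_time_bias_minutes)


def describe(select_raw, install_raw, shutdown_raw, active_time_bias):
    """Walk the same chain the report does: control set, install time, shutdown time."""
    install = install_date_utc(install_raw)
    shutdown = filetime_utc(shutdown_raw)
    fmt = "%d/%m/%y %I:%M:%S %p"
    return {
        "control_set": current_control_set(select_raw),
        "install_utc": install.isoformat(),
        "install_local": to_local(install, active_time_bias).strftime(fmt),
        "shutdown_utc": shutdown.isoformat(),
        "shutdown_local": to_local(shutdown, active_time_bias).strftime(fmt),
    }


# Constructed raw registry values (not copied from the evidence).
SELECT_CURRENT = b"\x01\x00\x00\x00"                   # Select\Current = 1
INSTALL_DATE = struct.pack("<I", 0x41252E3B)            # decodes to 2004-08-19 22:48:27 UTC
SHUTDOWN_TIME = struct.pack("<Q", 128351088000000000)   # assumed; decodes to 2007-09-24 12:00:00 UTC
ACTIVE_TIME_BIAS = 300                                  # assumed: Central Daylight Time

if __name__ == "__main__":
    for key, value in describe(SELECT_CURRENT, INSTALL_DATE, SHUTDOWN_TIME, ACTIVE_TIME_BIAS).items():
        print(f"{key:15} {value}")
```

The bias is taken from the control set that `Select\Current` points to; reading it from the other control set is a common source of off-by-one-hour errors in a timeline.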
| Account (Item Path) | File Created / Last Written / Last Accessed | MD5 |
| --- | --- | --- |
| HelpAssistant | 19/08/04 PM | 18a1dbb4a2ad97a88c432a5a2bc0f3c5 |
| Mr. Devil | | 18a1dbb4a2ad97a88c432a5a2bc0f3c5 |
| Mr. Devil | 19/08/04 PM | 7666c9656b854e4492b046d79f9735f9 |
| SUPPORT_388945a0 | 19/08/04 PM (Last Accessed) | |
From these factors one can see when Mr. Devil last used the machine and how it was used; likewise, by passing the information through the different software, the user's last login time was identified as 17/09/2007 (17th September 2007).
The data about the final login of the individual, and how the machine was used, can be seen in the registry information presented below:
| Target | User | Friendly Name | Last Login |
| --- | --- | --- | --- |
| HP Pavilion | Administrator | Administrator | |
| HP Pavilion | AllUsersProfile | | |
| HP Pavilion | DefaultUserProfile | | |
| HP Pavilion | Guest | Guest | |
| HP Pavilion | HelpAssistant | | |
| HP Pavilion | Mr. Devil | Mr. Devil | 17/09/07 05:15:30 AM |
| HP Pavilion | ProfilesDirectory | | |
| HP Pavilion | S-1-5-21 | | |
| HP Pavilion | S-1-5-22 | | |
| HP Pavilion | S-1-5-23 | | |
| HP Pavilion | SUPPORT_5 | SUPPORT_5 | |
Data indexes found on the machine can be used as proof, or as a way to identify any problem in the process. There are several files called index.dat which record a history of the web pages visited and the URLs typed.
One of these is the index.dat for Internet Explorer. When parsed, this file shows that the following web page was visited:
| Field | Value |
| --- | --- |
| Source | Internet Explorer Visited Link index.dat |
| URL | http://edit.yahoo.com/confighd=b568cfpOic6gO |
| Visit Count | |
| Url Name | |
| Url Host | edit.yahoo.com/ |
| Record Last Accessed | 20/08/04 AM |
| Expiration | 15/09/04 PM |
| Internet Artifact Type | History Visited Link |
| Title | Yahoo! ID Helper |
| Browser Type | Internet Explorer (Windows) |
| Profile Name | Mr. Devil |
| Message Size | |
This indicates that a Yahoo account of David Granger, using the name Mrevil2000, was accessed from this computer. This is firm evidence linking the identity of David Granger with Mr. Devil. Other registry entries that have been identified are consistent with this evidence, as can be seen from the information given above.
Several third-party programs were installed on David's machine; such software can serve as an identifier, or be used to trace the activities David may have been involved in. Through the hex editor and data recovery features provided with EnCase, it was possible to locate the different programs David used and to establish on what date each was uninstalled. These are given below:
ITC 597 Assignment 2
Registry Key: Microsoft\Windows\CurrentVersion\Uninstall
| Date (UTC) | Program |
| --- | --- |
| Fri Aug 27 2004 | Ethereal |
| Fri Aug 27 2004 | WinPcap 3.01 alpha |
| Fri Aug 27 2004 | Network Stumbler (remove only) |
| Wed Aug 25 2004 | [email protected] 2.50 Build 29 |
| Fri Aug 20 2004 | 123 Write All Stored Passwords |
| Fri Aug 20 2004 | Powertoys For Windows XP v1.00.0000 |
| Fri Aug 20 2004 | mIRC |
| Fri Aug 20 2004 | CuteHTML |
| Fri Aug 20 2004 | CuteFTP |
| Fri Aug 20 2004 | Forté Agent |
| Fri Aug 20 2004 | Faber Toys Build 216 |
| Fri Aug 20 2004 | Cain & Abel v2.5 beta45 |
| Fri Aug 20 2004 | Anonymizer Bar 2.0 (remove only) |
| Thu Aug 19 2004 | WebFldrs XP |
| Thu Aug 19 2004 | Microsoft NetShow Player 2.0 |
| | MPlayer2 |
| Thu Aug 19 2004 | Branding |
| Thu Aug 19 2004 | PCHealth |
| Thu Aug 19 2004 | DirectAnimation |
| | NetMeeting |
| Thu Aug 19 2004 | AddressBook |
| | ICW |
| | OutlookExpress |
| Thu Aug 19 2004 | DirectDrawEx |
| | Fontcore |
| | IE40 |
| | IE4Data |
| | Mobile Auction Pack |
| | Scheduling agent |
| | Connection Manager |
Some of the tools in the list above are harmless, general-purpose applications used for the normal activities of the owner. Others, however, are specialised tools generally used by hacking communities (Worring, 2015). Ethereal is used by hacking communities because it captures network traffic in promiscuous mode and so can be a means of breaching different systems. WinPcap is a tool that can be used for the same purpose (Venkata, Naskar, Musthyala & Kokkalla, 2017).
Cain & Abel is specialised software used by the hacker community to extract or change passwords and thereby gain access to a system.
Network Stumbler is a sophisticated tool used by the hacker community to look into wireless activity, capture the network and create an access point within that wireless activity, thereby crowding the system.
[email protected] is a tool that scans the network and the network devices within it.
These are specialised tools used by the hacker community. Other, harmless tools were also found on the system, among them a network tracker and network analysis software, which show that the owner was into the technical side of networking. This adds to the evidence that the user was involved in hacking, and that analysing his/her own system was a way of securing the machine against being hacked while being capable or powerful enough to carry out hacking (Karampidis & Papadourakis, 2016).
From the logs used by the owner, it can be seen that the owner was a member of certain chat forums. One of them is referred to as the break-in group, a group of ethical hackers who engage in conversation about hacking. The group consists of legal hackers, but it proves that the owner of the machine was into hacking and was part of the chat group (Samy, et al., 2017). The Windows chat log shows substantial interaction with the group.
Newsgroup Items
It is necessary to understand the search patterns and the news items that the user of the machine frequented, so that the user's interests can be understood, along with how they could affect the general user (Holt, Bossler & Seigfried-Spellar, 2015). This search pattern was understood through the binaries groups, as follows:
- Binaries
alt.2600
alt.2600.cardz
alt.2600.codez
alt.2600.crackz
alt.2600.moderated
alt.binaries.hacking.utilities
alt.stupidity.hackers.malicious
free.binaries.hackers.malicious
free.binaries.hacking.talentless.troll-haven
alt.nl.binaries.hack
free.binaries.hacking.beginner
free.binaries.hacking.computers
free.binaries.hacking.utilities
free.binaries.hacking.websites
alt.binaries.hacking.computers
alt.binaries.hacking.websites
alt.dss.hack
alt.binaries.hacking.beginner
alt.hacking
alt.2600.programz
alt.2600.hackerz
Many of them are associated with a group known as 2600. This is a group of security enthusiasts which circulates low-level security information. It is not an illegal group. The names of the groups speak for themselves and indicate an interest in hacking and security matters (Perumal, Norwawi & Raman, 2015). Most of the search patterns also show that the group most contacted, or the news items most frequented, concern hacking and security analysis. The user has a visible interest in hacking and related topics, and from this it can be understood that there is a probability that the owner was involved in the act of hacking.
Virus Presence
On analysis of the image, no virus was found on the system. The analysis attempted to find Trojan horses or other such viruses; none were found.
The questions identified in the scope of the study need to be answered, and the answers are:
- Is there any evidence about the ownership of the item, in particular whether there was more than one user of the same item?
Only a few pieces of evidence point to the item being owned or used by a person named David Granger, who also went by the name Mr Devil. No personal information that could identify the user is present on the machine, but email records were found, and from them it is possible to trace the IP addresses, if necessary.
- Was legal authority obtained before the analysis of the item was carried out?
Legal permission was obtained from the police regarding the use of the item. Since the item was a public item held in police custody, it was their permission that was required; once obtained, the analysis was authorised and legal.
- Was there any corruption of the data while the analysis was performed or the image was taken?
There is no evidence to establish whether any corruption took place while the data or the image was being collected from the machine.
- Is there any credit card activity that went through the use of the item?
No evidence of any credit card activity was found or recorded on the item.
- Is there evidence that the item could have been used for the purposes considered in this area?
Yes, there is evidence that the computer was used for hacking purposes and that its owner may have been a hacker. There is ample evidence that the owner was associated with different hacking groups. However, it is not clear whether the hacking was illegal. No traces of specific hacking processes were found, but there are traces of the owner trying to steal packets of data for personal use.
Conclusion
From the evidence and the analysis carried out, it can be seen that the laptop was used for hacking and for stealing information or packet data. There is evidence suggesting that the laptop was used to get into certain network areas and create access points. However, there is no proper proof that could properly incriminate the user for breaking into any machine or stealing information.
The owner of the laptop has been identified as David Granger, who went by the name Mr Devil, under which he used to hack.
The presence of empty folders and the shutdown time show that the laptop had not been in use for a long time.
No personal information or credit information is present on the laptop.
The laptop does not contain any Trojan horse virus.
References
Bjelland, P. C., Flaglien, A., Sunde, I. M., Dilijonaite, A., Hamm, J., Sandvik, J. P., … & Axelsson, S. (2018). Internet Forensics. Digital Forensics, 275-312.
Dang-Nguyen, D. T., Pasquini, C., Conotter, V., & Boato, G. (2015, March). Raise: A raw images dataset for digital image forensics. In Proceedings of the 6th ACM Multimedia Systems Conference (pp. 219-224). ACM.
Dilijonaite, A., Flaglien, A., Sunde, I. M., Hamm, J., Sandvik, J. P., Bjelland, P., … & Axelsson, S. (2017). Digital Forensic Readiness. Digital Forensics, 117-145.
Flaglien, A. O., Flaglien, A., Sunde, I. M., Dilijonaite, A., Hamm, J., Sandvik, J. P., … & Axelsson, S. (2017). The Digital Forensics Process. Digital Forensics, 13-49.
Franke, K., Årnes, A., Flaglien, A., Sunde, I. M., Dilijonaite, A., Hamm, J., … & Axelsson, S. (2018). Challenges in Digital Forensics. Digital Forensics, 313-317.
Holt, T. J., Bossler, A. M., & Seigfried-Spellar, K. C. (2015). Cybercrime and digital forensics: An introduction. Routledge.
Karampidis, K., & Papadourakis, G. (2016, June). File Type Identification for Digital Forensics. In International Conference on Advanced Information Systems Engineering (pp. 266-274). Springer, Cham.
Karie, N. M., & Venter, H. S. (2015). Taxonomy of challenges for digital forensics. Journal of forensic sciences, 60(4), 885-893.
Kirchner, M., & Gloe, T. (2015). Forensic camera model identification. Handbook of Digital Forensics of Multimedia Data and Devices, 329-374.
Ko, A. C., & Zaw, W. T. (2015). Digital Forensic Investigation of Dropbox Cloud Storage Service. Network Security and Communication Engineering (Ed: Kennis Chan), CRC Press: England, 147-150.
Koenig, B. E., & Lacey, D. S. (2015). Forensic Authentication of Digital Audio and Video Files. Handbook of Digital Forensics of Multimedia Data and Devices, 133-181.
Perumal, S., Norwawi, N. M., & Raman, V. (2015, October). Internet of Things (IoT) digital forensic investigation model: Top-down forensic approach methodology. In Digital Information Processing and Communications (ICDIPC), 2015 Fifth International Conference on (pp. 19-23). IEEE.
Samy, G. N., Shanmugam, B., Maarop, N., Magalingam, P., Perumal, S., & Albakri, S. H. (2017, April). Digital Forensic Challenges in the Cloud Computing Environment. In International Conference of Reliable Information and Communication Technology (pp. 669-676). Springer, Cham.
Sundaram, A. M., & Nandini, C. (2017, April). ASRD: Algorithm for Spliced Region Detection in Digital Image Forensics. In Computer Science On-line Conference (pp. 87-95). Springer, Cham.
Sunde, I. M., Flaglien, A., Dilijonaite, A., Hamm, J., Sandvik, J. P., Bjelland, P., … & Axelsson, S. (2017). Cybercrime Law. Digital Forensics, 51-116.
Swartz, R. (2017). Book Review: Digital Forensics Trial Graphics: Teaching the Jury through Effective Use of Visuals.
Venkata, U. S., Naskar, R., Musthyala, N., & Kokkalla, K. (2017). Deep Learning based Counter-Forensic Image Classification for Camera Model Identification.
Worring, M. (2015). Multimedia Analytics for Image Collection Forensics. Handbook of Digital Forensics of Multimedia Data and Devices, 305-327.