Overview of Forensic Tools: FTK Imager
This report analyzes the case study and identifies its requirements. It describes the available forensic tools and selects the one best suited to disk analysis. The tools covered are Autopsy, FTK Imager and OS Forensics; each is described in terms of its definition and features. Five issues are addressed in total. The first is the presentation part: the clown-related content is identified and analyzed, and screenshots of that content are included (“Digital Evidence and Forensics | National Institute of Justice”, 2018). The second issue is the identification of file ownership. The third issue is the intention behind the analysis, for which the installed software is examined (“What is Digital Forensics? – Definition from Techopedia”, 2018). A justification is then given for the clown findings, and the results are documented with screenshots. Finally, the running sheet and the event timeline are provided as a table (Geradts & Bijhold, 2002).
FTK Imager is a forensic tool created by AccessData and used to perform a range of forensic operations. It creates a copy (an image) of the evidence without making any changes to the original data. The forensic operations include scanning, locating and discovering content. FTK Imager can also recover deleted images, and from a recovered image it can identify the content hidden within it (Liu, Ling, Zou, Yan & Lu, 2010). It supports disk imaging, which makes the analysis considerably easier. It identifies hidden content by loading a dummy image onto the hard drive and reconstructing the image on the drive again; during this process the other hidden information is identified (Norell et al., 2014). FTK Imager provides a number of features (Luo, Huang & Qiu, 2010). They are:
creating images for forensic operations, previewing folders and files, previewing their contents, exporting files, creating hashes of files, recovering files and their contents after deletion, mounting images as drives, and generating hash reports for files. These are the different features of FTK Imager (Wen & Yu, 2003).
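The hashing and hash-report features above are what make an image usable as evidence: the hashes recorded at acquisition are compared against the working copy before every analysis. The following Python is an added example of that verification step, written for this page and not code from AccessData or FTK Imager; the sample "image" bytes, the sector size and the function names are constructed for the example.

```python
import hashlib
from typing import Dict

SECTOR = 512

# Constructed stand-in for a raw disk image (three 512-byte "sectors").
# A real acquisition would read the dd/E01 file produced by the imaging tool.
SAMPLE_IMAGE = (
    b"MBR-boot-sector".ljust(SECTOR, b"\x00")
    + b"clown-image-k7827739.jpg".ljust(SECTOR, b"\xff")
    + b"deleted-file-slack".ljust(SECTOR, b"\x00")
)


def hash_image(data: bytes, chunk_size: int = SECTOR) -> Dict[str, str]:
    """Hash an image in fixed-size chunks, as an imaging tool does, so a
    multi-gigabyte image never has to sit in memory at once. Returns the
    MD5 and SHA-1 digests that a hash report would record."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquisition_record(data: bytes) -> Dict[str, object]:
    """Minimal acquisition record: size plus the hashes taken at imaging time."""
    record: Dict[str, object] = {"size_bytes": len(data)}
    record.update(hash_image(data))
    return record


def verify_image(data: bytes, acquisition_hashes: Dict[str, str]) -> bool:
    """True only if every hash recorded at acquisition matches the current copy.
    Any single-byte change to the copy makes this return False."""
    current = hash_image(data)
    return all(current.get(name) == value for name, value in acquisition_hashes.items())


if __name__ == "__main__":
    record = acquisition_record(SAMPLE_IMAGE)
    print("acquisition record:", record)
    print("working copy verifies:", verify_image(SAMPLE_IMAGE, hash_image(SAMPLE_IMAGE)))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01  # flip one bit inside the second sector
    print("tampered copy verifies:", verify_image(bytes(tampered), hash_image(SAMPLE_IMAGE)))
```

The chunk size only affects memory use, never the digest, which is why the result must be identical for any chunk size; a verification failure means the copy, not the hash, is wrong, and the image should be re-acquired or re-copied rather than analyzed.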
Autopsy is a forensic tool similar to The Sleuth Kit; it supports forensic operations such as identification, investigation and recovery. It is an open-source, platform-independent tool with a range of features for accessing hidden information (Cooper, 2008). Autopsy is normally used in fields such as law enforcement, defense services and other crime investigation areas. With this tool, deleted content on a storage device can be recovered; for example, deleted images on a phone memory card can be restored. The items listed below are the different features of the Autopsy tool (2018) (Cain, Brazelton & Dye, 2016).
Autopsy
The graphical user interface of the tool is good, so it is easy to use and the different operations are carried out easily (Dalrymple & Smith, n.d.).
Autopsy is built from modules, which makes the tool extensible. Its modules include timeline analysis, hash filtering, keyword search, multimedia support and data carving (Finn, 2009).
The tool is very fast during investigation, so the analysis is completed within a short period of time.
Autopsy analyzes different kinds of input, such as disk images in the E01 format and files or folders in different locations (“Autopsy: Lesson 1: Analyzing Deleted JPEGs”, 2018).
Reporting is another feature of Autopsy; through this module the different kinds of reports and investigation results are produced (“Autopsy | Open Source Digital Forensics”, 2018). Reports in Autopsy take the form of keyword hits, documents, histories and so on (2018).
The other features of the Autopsy tool are:
multi-user cases, registry analysis, email analysis, file type sorting, media playback, hash set filtering, Android support, Unicode string extraction, robust file system analysis, data carving, data visualization, a web viewer, Cerberus and so on. Using these features, Autopsy can perform the different forensic operations needed to analyze and identify media content (“Digital forensics”, 2018).
FTK Imager provides a feature called email analysis, with which the contents of an email can be analyzed and the source IP address identified (Carbone, 2014).
These are the different features of the Autopsy tool (“Autopsy”, 2018).
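Two of the Autopsy features listed above, hash set filtering and keyword search, are the ones that cut a 19 GB image down to the handful of files worth looking at. The Python below is an added example of how that triage works in principle; it is not Autopsy's own code or its API. The file entries, their contents and the known-good and known-bad hash sets are all constructed for the example (a real case would load NSRL-style known-good hashes and a case-specific notable set).

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class FileEntry:
    path: str
    content: bytes


# Constructed file entries standing in for what a parsed disk image would yield.
SAMPLE_FILES = [
    FileEntry("C:/Windows/System32/kernel32.dll", b"windows system library bytes"),
    FileEntry("C:/Users/computer/Desktop/k7827739.jpg", b"\xff\xd8\xff clown photo"),
    FileEntry("C:/Users/computer/Downloads/clown_dancing.mp4", b"video data clown dancing"),
    FileEntry("C:/Users/computer/Documents/notes.txt", b"nothing of interest here"),
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed hash sets, derived from the sample content so the example runs offline.
KNOWN_GOOD: Set[str] = {md5_hex(b"windows system library bytes")}   # e.g. OS files
KNOWN_BAD: Set[str] = {md5_hex(b"\xff\xd8\xff clown photo")}        # case notable set


def hash_filter(files: Iterable[FileEntry], known_good: Set[str],
                known_bad: Set[str]) -> Dict[str, List[str]]:
    """Split files into ignored (known-good), notable (known-bad) and unknown
    (still needs review). Known-bad wins if a hash is somehow in both sets."""
    result: Dict[str, List[str]] = {"ignored": [], "notable": [], "unknown": []}
    for f in files:
        digest = md5_hex(f.content)
        if digest in known_bad:
            result["notable"].append(f.path)
        elif digest in known_good:
            result["ignored"].append(f.path)
        else:
            result["unknown"].append(f.path)
    return result


def keyword_search(files: Iterable[FileEntry], keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Case-insensitive keyword hits over file name and raw content.
    Content is decoded as latin-1 so binary files never raise during search."""
    hits: Dict[str, List[str]] = {}
    file_list = list(files)
    for kw in keywords:
        pattern = re.compile(re.escape(kw), re.IGNORECASE)
        for f in file_list:
            if pattern.search(f.path) or pattern.search(f.content.decode("latin-1")):
                hits.setdefault(kw, []).append(f.path)
    return hits


if __name__ == "__main__":
    print(hash_filter(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD))
    print(keyword_search(SAMPLE_FILES, ["clown", "truecrypt"]))
```

In practice the two passes are combined: the known-good set removes the operating-system bulk first, and keyword search runs only over the notable and unknown remainder.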
OS Forensics is a tool, or software technique, used to investigate and analyze digital data or evidence from a given data set. The data may be in any format. The tool uses different forensic techniques to identify and analyze the various kinds of content present at a certain location (Fichera & Bolt, 2013). It is also used to discover hidden content on storage devices such as hard drives, compact discs and USB storage devices (Mahdian & Saic, 2009).
OS Forensics also has other functionalities that provide digital forensics capabilities (FTK shi zhan ying yong, 2015). These include email analysis, data imaging, image restoration, data acquisition and data extraction; using them, OS Forensics applies different analysis techniques to find hidden content (Pasquini, 2016).
Apart from these functionalities, OS Forensics has a number of features (2018): finding files very quickly, searching for content within files, searching emails, recovering deleted content, uncovering recent activity, collecting system information, viewing active memory contents, extracting login credentials, and detecting hidden content in disk areas. These are the features of OS Forensics (Stadlinger & Dewald, 2017).
OS Forensics
OS Forensics has a special feature for quickly finding a particular file for a forensic operation. Searching in OS Forensics is very fast, and the results for a particular search are returned in a short period of time (Chandel, 2018).
Email search is a feature of OS Forensics that can search email archives. With this search, hidden content or individual messages can be identified (Gardner & Bevel, 2009).
Recovering deleted content is a feature with which OS Forensics identifies deleted content and recovers it from the recycle bin. Once a file is restored, it is returned to its previous location.
OS Forensics has a special feature for uncovering recent activity. With it, recent activity is easily recovered or identified, including activity from periods that ended in an unexpected shutdown. Recent activity includes opened documents, connected network shares, browsing history and so on.
The system information feature collects details such as connected devices, the amount of RAM and the number of hard drives.
The active memory viewing feature shows the current memory size of the device after examining binary dumps.
The login credentials feature extracts and recovers login credentials from the different web browsers.
These are the different features of the OS forensics.
Initially, the clown content is identified from the suspect's hard drive, so the analysis is carried out on that drive. Autopsy is the suitable tool for the disk analysis. First, the disk image is extracted and loaded into Autopsy for analysis, and the extracted contents are displayed. In total, 19 GB of files are retrieved from the disk analysis, comprising program files, user data, a mail database and interesting items.
The clown images are identified on the disk. Having analyzed the disk, we conclude that Clark is a suspect, because only Clark downloaded the clown images and stored them in a specific folder. The clown images are added below. Autopsy is used for the analysis; it is considered the best tool for disk analysis.
We have identified the clown image on the disk. From the content of the clown image we can confirm that the suspect is Clark. The image is stored on the computer desktop. These clown images were downloaded from web pages by the computer user. In total, the suspect has 10 or more clown images. The clown image file k7827739 is displayed. On the same day, Clark sent a mail to someone regarding the clown content. This is enough to confirm the suspect.
Another clown image is found from the same day, also stored on the computer desktop, so the clown images were downloaded by the computer user. Its time also matches the mail details, so from these details we can confirm that Clark is a suspect. It was also created on 2nd July. The image file is k14032380.
The clown image mentioned above is present on the computer desktop. According to the web download history, the suspect is confirmed as Clark, because only Clark downloaded images related to clowns; the web bookmarks are there as proof. The image file displayed here is k13320412. It was created on 2nd July at 06:45. The URL links represent the downloads. The main point is that the download histories name the computer user, so Clark is a suspect.
The index clown image is identified from the disk analysis. It exists under the desktop files, and the user is 'computer'. It was also created on 2nd July, at around 6:42. From these details we can decide that Clark is a suspect.
Here the clown-related PDF is found on the hard drive. The name of the PDF is ‘A little Night Music – Send in the Clowns.pdf’. It was created on 19th June 2018. Clark made searches regarding the PDF: the clown PDF search was made at 05:14:29, and the file was accessed by Clark three seconds later. At that time the computer was surely in Clark's possession, so Clark is a suspect.
Next, the clown dancing video is discovered from the disk analysis. It exists under the user's Downloads folder, and the user is named 'computer', so Clark would be a suspect. The clown video was downloaded from the web at 08:15:46 and modified two seconds later. From these details the suspect is known: Clark is a suspect, since only he stored the clown dancing video in the Downloads folder.
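The findings above rest on timestamps from different sources lining up (a search three seconds before a file access, a download two seconds before a modification, an image created at the same time as a mail was sent). The Python below is an added example, not part of the original report, that shows how such entries are merged into one ordered timeline, rendered as running-sheet rows, and scanned for cross-source events that fall within a short window. The events are constructed from the times stated in the findings; the year for the July entries, the calendar dates of the PDF search and the video download (which the text does not state), and the exact access and modified seconds (derived from "three seconds later" and "two seconds later") are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str        # which artifact the timestamp came from
    description: str


# Constructed events based on the findings; dates marked in the lead-in are assumed.
SAMPLE_EVENTS = [
    Event(datetime(2018, 7, 2, 6, 45, 0), "file system", "k13320412 created on Desktop"),
    Event(datetime(2018, 6, 19, 5, 14, 29), "browser history", "search for 'Send in the Clowns' PDF"),
    Event(datetime(2018, 6, 19, 5, 14, 32), "file system", "'A little Night Music - Send in the Clowns.pdf' accessed"),
    Event(datetime(2018, 7, 2, 6, 42, 0), "file system", "index clown image created on Desktop"),
    Event(datetime(2018, 7, 2, 8, 15, 46), "browser downloads", "clown dancing video downloaded"),
    Event(datetime(2018, 7, 2, 8, 15, 48), "file system", "clown dancing video modified"),
]


def build_timeline(events: List[Event]) -> List[Event]:
    """Merge events from every source into one chronologically ordered list."""
    return sorted(events, key=lambda e: e.when)


def running_sheet(events: List[Event]) -> List[str]:
    """Render the timeline as running-sheet rows: timestamp | source | description."""
    return [f"{e.when:%Y-%m-%d %H:%M:%S} | {e.source} | {e.description}"
            for e in build_timeline(events)]


def correlate(events: List[Event], window_seconds: int = 5) -> List[Tuple[Event, Event]]:
    """Pair events from *different* sources that occur within window_seconds of
    each other. Same-source pairs are skipped: two file-system timestamps a few
    seconds apart corroborate nothing, whereas a browser record followed by a
    file-system record ties user activity to the file."""
    window = timedelta(seconds=window_seconds)
    timeline = build_timeline(events)
    pairs: List[Tuple[Event, Event]] = []
    for i, first in enumerate(timeline):
        for second in timeline[i + 1:]:
            if second.when - first.when > window:
                break                      # timeline is sorted, nothing later can match
            if first.source != second.source:
                pairs.append((first, second))
    return pairs


if __name__ == "__main__":
    for row in running_sheet(SAMPLE_EVENTS):
        print(row)
    for a, b in correlate(SAMPLE_EVENTS):
        print(f"{(b.when - a.when).seconds}s apart: {a.description} -> {b.description}")
```

Widening the window to five minutes does not add the two Desktop images created at 06:42 and 06:45 as a pair, because both timestamps come from the same source; a mail-database timestamp for the message Clark sent that day would be the entry needed to corroborate them.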
The ownership of the files is identified, and from it we can establish the suspect. The screenshots are added below.
Only Clark accessed the clown contents, because the clown image download time and the mail access time are the same, and the web bookmarks and histories also point to Clark. So Clark is a suspect (MJ, 2016).
In total, more than 10 clown images are present, along with one clown video file (the clown dancing video) and one PDF file, ‘A Little Night Music – Send in the Clowns’ (Shaaban, 2016) (Weiss, 2009). The drive also contains many program files and deleted files: 54895 files are recorded as deleted. Web bookmarks, downloads and recovered files are present under the computer user. These files were downloaded and saved by the computer user, so Clark is a suspect.
Clark installed software such as MPlayer2 and TrueCrypt; Clark used this software to access the clown contents (Wen & Yu, 2003). In total, forty-two programs are installed under the computer user, but the suspect Clark needed only two of them: MPlayer2 to play the clown dancing video, and TrueCrypt to perform encryption.
Conclusion
This report has discussed the forensic tools and analyzed the case study. The features of the forensic tools have been described. The disk image was extracted and analyzed with Autopsy, and the clown contents were identified. The clown images, videos and files are delivered in the presentation section, with a clear justification for the findings regarding the clown contents. Screenshots are added to display the clown images, and the access time, modified time and size are given for each image. Ownership has been identified and the intention behind the project explained. The quantity of files has been analyzed and details provided. The installed software has been analyzed and justified. The running sheet and the event timeline are provided, and the findings are documented with screenshots.
References
(2018). Retrieved from https://nest.unm.edu/files/5513/9251/4756/Tutorial_1_-_FTK_Imager_-_Imaging.pdf
(2018). Retrieved from https://nest.unm.edu/files/8813/9252/1107/Tutorial_6_-_Kali_Linux_-_Sleuthkit.pdf
(2018). Retrieved from https://dercyber.files.wordpress.com/2014/06/digital-forensic-analysis-using-helix-and-autopsy-imaging1.pdf
(2018). Retrieved from https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/digital-forensics
(2018). Retrieved from https://www.forensicfocus.com/
Autopsy | Open Source Digital Forensics. (2018). Retrieved from https://www.autopsy.com/
Autopsy. (2018). Retrieved from https://www.sleuthkit.org/autopsy/
Autopsy: Lesson 1: Analyzing Deleted JPEGs. (2018). Retrieved from https://www.computersecuritystudent.com/FORENSICS/AUTOPSY/lesson1/index.html
Cain, M., Brazelton, J., & Dye, D. (2016). Identifying Errors in Forensic Autopsy Reports Using a Novel Web-Based Program. Academic Forensic Pathology, 6(1), 103-108. doi: 10.23907/2016.010
Carbone, F. (2014). Computer forensics with FTK. Birmingham, United Kingdom: Packt Pub.
Chandel, R. (2018). Step by Step Tutorial of FTK Imager (Beginners Guide ). Retrieved from https://www.hackingarticles.in/step-by-step-tutorial-of-ftk-imager-beginners-guide/
Cooper, C. (2008). Forensic science. New York, N.Y.: DK Pub.
Dalrymple, B., & Smith, J. (n.d.). Forensic digital image processing.
Digital Evidence and Forensics | National Institute of Justice. (2018). Retrieved from https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
Digital forensics. (2018). Retrieved from https://en.wikipedia.org/wiki/Digital_forensics
Evidence Acquisition Using Accessdata FTK Imager. (2018). Retrieved from https://articles.forensicfocus.com/2018/03/02/evidence-acquisition-using-accessdata-ftk-imager/
Fichera, J., & Bolt, S. (2013). Network intrusion analysis. Amsterdam: Elsevier.
Finn, J. (2009). Capturing the criminal image. Minneapolis, Minn.: University of Minnesota Press.
Forensic Toolkit. (2018). Retrieved from https://accessdata.com/products-services/forensic-toolkit-ftk
Gardner, R., & Bevel, T. (2009). Practical crime scene analysis and reconstruction. Boca Raton: CRC Press.
Geradts, Z., & Bijhold, J. (2002). Content Based Information Retrieval in Forensic Image Databases. Journal Of Forensic Sciences, 47(2), 15245J. doi: 10.1520/jfs15245j
Gloe, T., & Böhme, R. (2010). The Dresden Image Database for Benchmarking Digital Image Forensics. Journal Of Digital Forensic Practice, 3(2-4), 150-159. doi: 10.1080/15567281.2010.531500
Inch, S. (2008). A Simple Image Hiding Technique: What You May Be Missing. Journal Of Digital Forensic Practice, 2(2), 83-94. doi: 10.1080/15567280802047150
Liu, J., Ling, H., Zou, F., Yan, W., & Lu, Z. (2010). Digital Image Forensics Using Multi-Resolution Histograms. International Journal Of Digital Crime And Forensics, 2(4), 37-50. doi: 10.4018/jdcf.2010100103
Luo, W., Huang, J., & Qiu, G. (2010). JPEG Error Analysis and Its Applications to Digital Image Forensics. IEEE Transactions On Information Forensics And Security, 5(3), 480-491. doi: 10.1109/tifs.2010.2051426
Mahdian, B., & Saic, S. (2009). Using noise inconsistencies for blind image forensics. Image And Vision Computing, 27(10), 1497-1503. doi: 10.1016/j.imavis.2009.02.001
MJ, B. (2016). Elderly Suicide: A 5-Year Forensic Autopsy Analysis in the North of Portugal. International Journal Of Forensic Sciences, 1(1). doi: 10.23880/ijfsc-16000106
Norell, K., Läthén, K., Bergström, P., Rice, A., Natu, V., & O’Toole, A. (2014). The Effect of Image Quality and Forensic Expertise in Facial Image Comparisons. Journal Of Forensic Sciences, 60(2), 331-340. doi: 10.1111/1556-4029.12660
Pasquini, C. (2016). Statistical and deterministic approaches for multimedia forensics. ELCVIA Electronic Letters On Computer Vision And Image Analysis, 15(2), 16. doi: 10.5565/rev/elcvia.984
Shaaban, A. (2016). Practical Windows Forensics. Packt Publishing.
Springer Verlag. (2016). Handbook of Pediatric Autopsy Pathology.
Stadlinger, J., & Dewald, A. (2017). A Forensic Email Analysis Tool Using Dynamic Visualization. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2017.1413
Tahiri, S. (2016). Mastering Mobile Forensics. Packt Publishing.
Teixeira J, M. (2017). Forensic Psychiatric Autopsy: A Challenge Assessment. Austin Journal Of Forensic Science And Criminology, 4(2). doi: 10.26420/austinjforensicscicriminol.2017.1062
Weiss, S. (2009). Forensic photography. Upper Saddle River, N.J.: Pearson/Prentice Hall.
Wen, C., & Yu, C. (2003). Fingerprint Pattern Restoration by Digital Image Processing Techniques. Journal Of Forensic Sciences, 48(5), 2002385. doi: 10.1520/jfs2002385
Zhong guo jian cha chu ban she. (2015). FTK shi zhan ying yong. Bei jing.