Background
Discuss the information entailed in a digital forensic investigation.
Background
This report will help EMTS determine whether the employee has stolen highly sensitive data regarding the contract agreement with Superior Bicycles, LLC and, if so, what kind of information the employee has stolen (Baier & Breitinger, 2011). This will not only give the company evidence for prosecuting the employee but also let it reorganize its plans in view of the magnitude of the information provided to the competitor and the harm it might cause. The report focuses mainly on the USB flash drive and on the emails intercepted on the company's web server. The work involves a number of digital forensic tools, and the data retrieved is used to give appropriate findings on the matter (Yusoff et al., 2011).
Engagement Scope
The scope of this report covers the suspicious activities recorded on the mail servers and the USB flash drive seized from the desk of the contract employee.
Applying the 5W questions (who, when, why, what and where) tells whether suspicious activities occurred that might be risky to the company:
- Identify whether the company's network system was compromised
- Offer corrective steps to secure and harden the system
- If need be, identify the legal process that might be followed
- Could there be deleted files, or files that have been overwritten?
- Determine the time and date the file was discovered on the employee's USB flash drive
- Are there files on the USB drive that could have been damaged or destroyed?
- What content about the company is on the employee's USB flash drive?
Tools used
Xplico
COFEE
Wireshark
Bulk Extractor
Preliminary findings show likely data theft or suspicious practices, based on the images produced by the company's manager, which made him suspect that the contract employee, Bob Aspen, might have conducted himself in a way related to cybercrime (Wang et al., 2012). The images he produced were examined with the Autopsy browser and The Sleuth Kit to evaluate the Linux Ext3 and Ext2 file structures. In Autopsy, the web browser is closed before evaluation begins and the system image files GCFI-LX.00n (n representing numbers from 1 to 5) are copied in; the image files captured by the manager associate Bob Aspen's work folder with the evidence folder, which is designated the working area for Autopsy (Solomon, 2011). Investigation results are kept in the examination evidence locker (the autopsy folder).
Also, the USB drive found on the lock can be linked to the above activities, especially if employees are not allowed to bring USB drives to the workplace (Reilly et al., 2011). Further examination of the USB drive with the above tools will give evidence of what data the files contain. As of now the USB drive cannot be used as evidence of any crime, but further examination can actually give more evidence on the same.
Engagement Scope
Relevant programs examined on the Web-Server
Web-email
Webmail is any email client implemented as a web application running on a web server. Examples of webmail applications are SquirrelMail and Roundcube. Examples of webmail providers are Yahoo! Mail, Gmail, AOL Mail, and Outlook.com/Hotmail.com. Most webmail providers also offer email access through a desktop email client using standard email protocols, while many Internet access providers supply a webmail client as part of the email service bundled with their Internet access package (Nelson et al., 2014).
As with every web application, webmail's fundamental advantage over a desktop email client is the ability to send and receive email from any web browser (Maras, 2011). Its major disadvantage is that the user must be connected to the Internet while using the email application. Other applications also exist to integrate parts of webmail functionality into an operating system. Webmail applications accessed over HTTP are considered insecure, since the traffic can be read by a third party with access to the data in transit, for example over Wi-Fi connections (Luttgens et al., 2014). This can be prevented by connecting to the webmail service over HTTPS, which encrypts the connection. Both Gmail and Yahoo! Mail require that all webmail connections use HTTPS; Gmail has supported it since its launch, and Yahoo! Mail added this option in 2013.
The EPROM and EEPROM program of the USB drive
Devices that use read-only memory are considered a special case: in usual system operation the memory is only read and not changed (Lin et al., 2012). These memories are non-volatile, meaning that the stored information is retained without power. USB drives use EPROM and EEPROM technologies. EEPROM cells consist of one, one-and-a-half, or two transistors, while EPROM and ROM cells are made up of one transistor. The transistor's threshold voltage determines whether it stores a "0" or a "1". During the read cycle a voltage is placed on the gate of the cell (Gupta et al., 2012). Depending on the programmed threshold voltage, the transistor either conducts current or does not. This current, or lack of current, is converted by the sense amplifier into a 0 or a 1.
Electrically Erasable Programmable ROM (EEPROM) provides users with excellent performance and capabilities. Only a single external power source is required, because the high voltage needed for erase/program is generated internally. Erase and write operations are executed on a byte-by-byte basis (Guo et al., 2012). Ultraviolet Erasable Programmable Read Only Memory (EPROM) is a distinct kind of electrically programmed ROM; it is erased by exposure to ultraviolet light.
Tools used
Encryption
Encryption refers to a process for altering data on computers so that it becomes unintelligible (Baier & Breitinger, 2011). In this situation, even if somebody gains access to a computer containing specific data, they will likely not be in a position to use the information unless they have sophisticated, expensive applications or the original data key. Encryption utilizes three techniques.
Hashing: this approach generates a distinct, fixed-length signature for a message or data set. Each "hash" is unique to a particular message, so even trivial changes to the message are easy to detect. Once data is encoded by hashing, it can never be decoded or reversed (Bennett, 2012).
Symmetric methods: this form of encryption is known as private-key cryptography, so called because the key used to encrypt and decrypt messages must be kept secret, as anybody gaining access to it could decrypt the data (Bennett, 2012).
Asymmetric methods: unlike the symmetric method, this is referred to as public-key cryptography; it is not comparable to the other two methods, because it uses two keys for encryption and decryption (which may make it more secure) (Conklin et al., 2015).
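The hashing technique above is what an examiner uses to prove an acquired image has not changed; piecewise hashing (the Baier & Breitinger reference) extends it by hashing fixed-size blocks so that a change can be localized, not just detected. The following example is added here and is not code from the report; the image bytes, the 16-byte block size and the flipped bit are constructed for illustration.

```python
import hashlib

BLOCK_SIZE = 16  # constructed: tiny blocks keep the demo readable; real tools use 4 KiB or larger


def whole_hash(data: bytes) -> str:
    """Single SHA-256 over the whole image: tells you *whether* it changed."""
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of every fixed-size block of the image, in order."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def changed_blocks(acquired: bytes, copy: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Indices of blocks whose hash differs between the acquired image and a working copy.

    A block missing from one side (images of different length) also counts as changed.
    """
    a = piecewise_hashes(acquired, block_size)
    b = piecewise_hashes(copy, block_size)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


# Constructed stand-in for a 256-byte acquired image and a working copy in which a
# single bit was flipped inside block 2 (bytes 32..47).
ACQUIRED = bytes(range(256))
_flipped = bytearray(ACQUIRED)
_flipped[40] ^= 0x01
WORKING_COPY = bytes(_flipped)

if __name__ == "__main__":
    print("whole-image hashes match:", whole_hash(ACQUIRED) == whole_hash(WORKING_COPY))
    print("changed blocks:", changed_blocks(ACQUIRED, WORKING_COPY))
```

The whole-image hash only says the copy differs; the block list says where, which is what the examiner needs when deciding whether the difference is a transcription error or tampering.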
Graphic image analysis
Passive image forensic techniques rely on the fact that the different processing stages during image acquisition, post-processing and storage leave identifying traces, offering a unique fingerprint with which to trace the history of the image (Casey, 2011). Various forensic purposes use these fingerprints, from source identification to tampering detection.
These stages introduce imperfections into the final image output. The artifacts or imperfections differ from one device to another and form a distinct fingerprint that may be used to trace the source device and to detect tampering (Conklin et al., 2015). The imperfections arise from device flaws such as chromatic aberration, CFA interpolation, distortion and sensor imperfections, and from other processing stages such as lossy compression. The presence of artifacts and distortion gives clues about the image's integrity and originality.
Findings
One way to hide partitions is to create a partition and then use a disk editor, such as Norton DiskEdit, to manually delete any reference to it. To access the hidden partition, users can edit the partition table and re-create the links, after which the hidden partition reappears when the drive is restarted. Another way to hide partitions is with disk partitioning utilities such as System Commander, PartitionMagic, Linux GRUB (Grand Unified Bootloader) or GDisk, which provide startup menus from which one selects an operating system; the system then ignores any other bootable partition. To get around this, the examiner must account for all the space on the drive when evaluating evidence drives, and analyze every drive segment, including any space that is not labelled, to determine whether it holds additional evidence (Conklin et al., 2015). Users with assembly-language programming skills may write a low-level encoding program that changes the order of the binary data, so that the altered information becomes unreadable when opened with text editors or word processors. Such software changes the bits of every byte in a document. To protect a folder containing incriminating or sensitive data, these suspects run an assembly program (called a macro) on the document to scramble the bits; to access the folder again, they run another program that restores the scrambled bits to their original order. Some of these programs are still in use today and can make it difficult for an examiner to analyze information found on a hard drive.
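Accounting for all space on the drive, as the paragraph above requires, starts with reading the partition table and listing every sector range no entry claims. The example below is added here and is not code from the report; it parses a constructed classic MBR (two entries on a hypothetical 12,000-sector drive) and reports the unallocated ranges an examiner would still have to inspect.

```python
import struct

MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return (type, start_lba, sector_count) for each used entry of a classic MBR."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                  # partition type byte
        start_lba, count = struct.unpack("<II", entry[8:16])  # LBA start and length
        if ptype != 0 and count != 0:
            parts.append((ptype, start_lba, count))
    return parts


def unallocated_ranges(partitions: list, total_sectors: int) -> list:
    """Sector ranges [start, end) claimed by no partition entry; sector 0 is the MBR itself."""
    gaps, cursor = [], 1
    for _, start, count in sorted(partitions, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def build_entry(ptype: int, start_lba: int, count: int) -> bytes:
    # Helper to construct a 16-byte entry; CHS fields are left zero, the parser uses LBA only.
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start_lba, count)


# Constructed MBR: a FAT32 partition (0x0B) of 2,048 sectors at LBA 2048 and a Linux
# partition (0x83) of 4,000 sectors at LBA 6144 on a 12,000-sector drive. The gap before
# LBA 2048 is normal alignment space; the two later gaps are where hidden data would sit.
MBR = (b"\x00" * 446 + build_entry(0x0B, 2048, 2048) + build_entry(0x83, 6144, 4000)
       + b"\x00" * 32 + MBR_SIGNATURE)
TOTAL_SECTORS = 12000

if __name__ == "__main__":
    parts = parse_mbr_partitions(MBR)
    for ptype, start, count in parts:
        print(f"type 0x{ptype:02X}  start {start:>6}  sectors {count:>6}")
    print("unallocated:", unallocated_ranges(parts, TOTAL_SECTORS))
```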
Summary
Wireshark, a network analysis tool formerly known as Ethereal, captures packets and displays them in a format that can easily be read by humans (Conklin et al., 2015). Wireshark includes color-coding, filters and other features that allow one to dig deeper into the network traffic and inspect packets individually. Wireshark captures packets, filters them and inspects them. It can be applied to inspect the network traffic of suspicious programs, study the flow of network traffic, or troubleshoot network issues.
E-mail forensics is the study of the content and source of e-mails as evidence for identifying the actual source of a message, the time/date of transmission, a comprehensive record of the e-mail transaction, and the intent of the sender. This study includes investigation of port scanning, metadata, and keyword search for authorship attribution and e-mail scam detection. Metadata in electronic messages takes the form of control information (envelopes and headers, including headers within the message body) that records the route the e-mail traversed and the sender. Some of it may be obfuscated to hide the identity of the sender. A comprehensive analysis of the headers and their relationships is done during header analysis. In this analysis, copies of server logs and delivered e-mails are examined to detect the source of any e-mail text. E-mails removed from clients (receivers or senders) that cannot be recovered might be requested from servers (ISP or proxy), since most of them keep copies of e-mails immediately after delivery. In addition, logs kept by servers may be examined to find the addresses of the computers responsible for the e-mail transaction (Colombini & Colella, 2011). Nevertheless, servers keep copies of server logs and e-mails only for short periods, and some might never co-operate with investigators.
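The header analysis described above comes down to reading the Received headers in transit order and checking that each relay's "by" host matches the "from" host of the next hop. The example below is added here and is not code from the report; the message, its hosts and addresses are constructed (the emts.example and partner.example names are placeholders).

```python
import email
import re

# Constructed message with three Received hops. Headers are prepended by each relay, so the
# bottom-most Received line is the first hop, nearest the sender.
RAW_MESSAGE = """\
Received: from mx.emts.example (mx.emts.example [203.0.113.10])
\tby mail.emts.example with ESMTP id abc123; Tue, 4 Jun 2019 10:05:12 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.5])
\tby mx.emts.example with ESMTPS id def456; Tue, 4 Jun 2019 10:05:10 +0000
Received: from user-pc.lan (unknown [192.0.2.77])
\tby relay.partner.example with ESMTPA id ghi789; Tue, 4 Jun 2019 10:05:03 +0000
From: someone@partner.example
To: bob.aspen@emts.example
Subject: agreement

text
"""

# "from <helo-name> (<rdns> [<ip>]) by <relay>" as written by common MTAs; re.S lets \s+ span folds
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)", re.S)


def parse_hops(raw: str) -> list:
    """Return hops in transit order, sender first: (from_host, ip, by_host, timestamp)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = str(value)
        m = HOP_RE.search(value)
        if not m:
            continue                      # unparseable hop: keep going, but note it manually
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append((m.group(1), m.group(2), m.group(3), stamp))
    return list(reversed(hops))


def chain_breaks(hops: list) -> list:
    """Indices where a hop's 'by' host is not the 'from' host of the next hop (possible forgery)."""
    return [i for i in range(len(hops) - 1) if hops[i][2] != hops[i + 1][0]]


def originating_ip(hops: list) -> str:
    """IP recorded by the first relay; the only address not supplied by the sender."""
    return hops[0][1] if hops else ""


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for i, (frm, ip, by, stamp) in enumerate(hops):
        print(f"hop {i}: {frm} [{ip}] -> {by} at {stamp}")
    print("origin:", originating_ip(hops), "breaks:", chain_breaks(hops))
```

Only the relays the investigator controls or trusts can be relied upon; a sender can prepend fake Received lines, which is exactly what chain_breaks is meant to surface.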
Conclusion
In this paper, a realistic website compromise was examined, demonstrating that a great deal of information can be gathered from network analysis alone. Based on the artifacts captured, it was shown how the command and control channel could be analyzed, leading to its decryption. This led to identifying the actions taken by the attacker and the degree to which the system was compromised. Using known and controlled scenarios is a great way for an analyst to improve their skills or to focus on a specific set of tools. By continually identifying weaknesses in skills and isolating scenarios around them, you will be able to focus on measured improvement.
References
Baier, H., & Breitinger, F. (2011, May). Security aspects of piecewise hashing in computer forensics. In IT Security Incident Management and IT Forensics (IMF), 2011 Sixth International Conference on (pp. 21-36). IEEE.
Bennett, D. (2012). The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations. Information Security Journal: A Global Perspective, 21(3), 159-168.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press.
Colombini, C., & Colella, A. (2011, August). Digital profiling: A computer forensics approach. In International Conference on Availability, Reliability, and Security (pp. 330-343). Springer, Berlin, Heidelberg.
Conklin, W. A., White, G., Cothren, C., Davis, R., & Williams, D. (2015). Principles of computer security. McGraw-Hill Education Group.
Guo, H., Jin, B., & Shang, T. (2012, August). Forensic investigations in cloud environments. In Computer Science and Information Processing (CSIP), 2012 International Conference on (pp. 248-251). IEEE.
Gupta, R., Jain, A., & Singh, G. (2012). Combine use of steganography and visual cryptography for secured data hiding in computer forensics. International Journal of Computer Science and Information Technologies, 3(3), 4366-4370.
Lin, C. H., Lee, C. Y., & Wu, T. W. (2012). A cloud-aided RSA signature scheme for sealing and storing the digital evidences in computer forensics. International Journal of Security and Its Applications, 6(2), 241-244.
Luttgens, J. T., Pepe, M., & Mandia, K. (2014). Incident response & computer forensics. McGraw-Hill Education Group.
Maras, M. H. (2011). Computer forensics: Cybercriminals, laws, and evidence. Jones and Bartlett Publishers, Inc.
Nelson, B., Phillips, A., & Steuart, C. (2014). Guide to computer forensics and investigations. Cengage Learning.
Reilly, D., Wren, C., & Berry, T. (2011). Cloud computing: Pros and cons for computer forensic investigations. International Journal Multimedia and Image Processing (IJMIP), 1(1), 26-34.
Solomon, M. G., Rudolph, K., Tittel, E., Broom, N., & Barrett, D. (2011). Computer forensics jumpstart. John Wiley & Sons.
Wang, D., Han, B., & Huang, M. (2012). Application of fuzzy c-means clustering algorithm based on particle swarm optimization in computer forensics. Physics Procedia, 24, 1186-1191.
Yusoff, Y., Ismail, R., & Hassan, Z. (2011). Common phases of computer forensics investigation models. International Journal of Computer Science & Information Technology, 3(3), 17-31.