Tools Employed by Lone Star Ltd for Digital Forensic Analysis
Lone Star Ltd is a digital forensic consultancy firm and is the case study for this discourse. It gathers information from digital devices for investigation purposes. Tech-bank TSB is one of its clients. A computer forensic analyst of Lone Star Ltd has been given charge of investigating the hard disk image of a Windows computer (Sunde et al. 2017). Tech-bank TSB has requested that relevant evidence be collected from the hard disk image and that a report be prepared on the findings. Lone Star Ltd has appointed me to conduct the investigation on the hard disk image and to collect all the relevant evidence it contains. The forensic investigation establishes whether any illegal activities were carried out within Tech-bank TSB.
Lone Star Ltd works with the legal authorities to identify the attackers who carried out the malicious activities, and the legal authorities rely on digital forensics to conduct an effective investigation. I am one of the representatives of the legal authority team. I use AccessData Registry Viewer and Forensic Toolkit (FTK) version 6.0.3.5 to carry out the investigation (Dang-Nguyen et al. 2015). The forensic tools sort the files stored in the image by file type and parse the Windows registry files. OS Forensics, Autopsy 4.1.1 and RegRipper have been used to verify the findings from the hard disk image.
Evidential management comprises the use of the scientific method, identification, analysis and validation. Proper guidelines are followed in securing and controlling the evidence. All evidence collected from the hard disk image is verified by applying established policies and principles such as the ACPO Principles, and documentation is prepared based on the verification results. The chronological record of who handled the evidence, when, and what was done to it is the chain of custody (CoC). The analysts keep duplicate copies of the documentation (Flaglien et al. 2017), because failure of the original hard disk image can be fatal to the case: the evidence can be lost, an attacker who gains access to the system can modify or delete the files containing the evidence, or the system itself can be stolen. A copy of the documentation is therefore essential to the investigation. Lone Star Ltd followed this approach in investigating the files present in the hard disk image of Tech-bank TSB.
Lone Star Ltd used various tools and techniques to handle the evidence effectively. It received a package, along with an envelope, from Royal Mail late at night on 11 January. The firm started the chain-of-custody record when the package was opened (Bjelland et al. 2018), recording the condition of the packaging and its contents. The package was found to contain one hard disk.
Purpose of Evidential Management Guidelines
Lone Star Ltd first created a raw (dd) image of the evidence disk with FTK Imager. The image and the evidence files were verified by their hash values. A working copy of the image was created at the outset, and the firm carried out all forensic analysis on the copy, never on the original. Using AccessData's Forensic Toolkit on a dedicated forensic workstation (Van Baar, Van Beek and van Eijk 2014), the firm analysed the image; this approach also recovers files that have been deleted from the hard disk of the TechBank TSB computer. The MD5 and SHA1 hash values computed at acquisition and recomputed over the working copy show that the copy is a bit-for-bit match of the acquired image, and the same values can be presented to the court when the files are produced. A matching hash demonstrates that the image has not been modified since it was acquired; preventing writes to the original disk during acquisition is the job of a write blocker, not of the hash. Because MD5 alone is weak against deliberate collisions, the SHA1 value is recorded alongside it. In this way the integrity and authenticity of the files were retained (Holt, Bossler and Seigfried-Spellar 2015), and Lone Star Ltd ensured the authenticity of the files stored in the hard disk image of TechBank TSB.
The functionalities of the primary and secondary tools used in investigating the evidence in the hard disk image of TechBank TSB are detailed below.
Evidence analysis is the procedure by which evidence files are first identified, then preserved, and finally documented and presented to the court. Both open source and commercial forensic analysis tools are available. Other tools include The Sleuth Kit, its Autopsy browser front end and their forensic modules (Sohl et al. 2015). In this report, the forensic investigation of the hard disk image of TechBank TSB was carried out using Registry Viewer and AccessData's Forensic Toolkit as primary tools. OS Forensics, Autopsy and RegRipper were the secondary tools used in the investigation.
Forensic Toolkit (FTK) is a court-cited digital investigation platform designed for speed, stability and ease of use. It supports email analysis and customisable data views, and it provides a framework that can be aligned with an organisation's needs (Taylor, Fritsch and Liederbach 2014). FTK runs on the Windows operating system. The FTK suite includes Registry Viewer and FTK Imager.
The Windows registry is a set of data files (hives) that the operating system uses to control the overall functionality of the Windows interface, including user, hardware and software configuration. AccessData Registry Viewer is a standalone product that integrates with the Forensic Toolkit and lets analysts view the contents of registry hives taken from any system. Registry Viewer also gives access to the registry's protected storage area (Thethi and Keane 2014), where Windows keeps saved credentials such as usernames and passwords that are not visible through the normal registry editor.
Chain of Custody for Electronic Evidence
FTK Imager is a data preview and imaging tool. It saves an image of a hard disk to a single file or to segments, and the image can be reconstructed later. FTK Imager calculates MD5 and SHA1 hash values of the acquired data and uses them to confirm that the image matches the source. It is a compact tool that enables analysts to create forensic copies of hard disks, and these images can be exported without altering the original evidence (Zawoad, Hasan and Skjellum 2015). FTK Imager makes a bit-by-bit copy of the data and supports integrity checking by calculating hash values, which makes it well suited to making exact copies.
Autopsy is a digital forensic platform; earlier versions ran as a browser-based front end to The Sleuth Kit served from a local web server. It analyses disk images, local drives and folders, and its ingest modules automate many of the tasks an analyst would otherwise perform manually. Autopsy offers functionality similar to FTK: keyword search, web artefact extraction, timeline analysis and hash-set filtering. It also supports multi-user cases, so several analysts can work on the same case (Van Beek et al. 2015). It is an open source program, which makes it cost-effective, and it is easy to use. It is used here as a secondary tool.
RegRipper is an open source forensic application for extracting keys, values and data from the registry. It parses hive files and produces a report in easily readable text format (Kleinmann and Wool 2014). Analysts can tailor RegRipper to their needs through its plugin system, where each plugin targets a particular key or artefact.
The OS Forensics tool supports file searching and indexing of data. It assists analysts in extracting passwords, decrypting files and recovering deleted files from the system. Analysts can identify malware files and the malicious activities of intruders with the help of hash matching, binary data and drive signature comparisons. OS Forensics helps analysts extract the required evidence from a computer quickly (Martini, Do and Choo 2016), and its search and indexing functions allow the data to be managed efficiently.
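The imaging and verification steps described above (a segmented raw image, acquisition hashes, and a re-hash of the copy before analysis) as an added example; this is illustrative code written for this page, not FTK Imager's own implementation. The 300,000-byte "device" it images is constructed in a temporary directory and is not evidence from the case; the segment size is chosen small only so the demo produces three segments.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB source never sits in memory


def hash_stream(path, algorithms=("md5", "sha1")):
    """Hash one file in chunks and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_raw_image(source_path, image_base, segment_size):
    """Bit-for-bit copy of source_path into image_base.001, .002, ...

    MD5 and SHA1 are computed over the bytes as they are read from the
    source; that pair is the 'acquisition hash' an imager records.
    Returns (segment_paths, acquisition_hashes).
    """
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    segments, out, written = [], None, 0
    with open(source_path, "rb") as src:
        while chunk := src.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
            view = memoryview(chunk)
            while len(view):
                if out is None or written == segment_size:
                    if out is not None:
                        out.close()
                    segments.append(f"{image_base}.{len(segments) + 1:03d}")
                    out = open(segments[-1], "wb")
                    written = 0
                take = min(len(view), segment_size - written)
                out.write(view[:take])
                written += take
                view = view[take:]
    if out is not None:
        out.close()
    return segments, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(segments, expected):
    """Re-hash the segments in order, as one logical stream, and compare
    with the recorded acquisition hashes.  Returns (ok, actual_hashes)."""
    hashers = {name: hashlib.new(name) for name in expected}
    for seg in segments:
        with open(seg, "rb") as f:
            while chunk := f.read(CHUNK):
                for h in hashers.values():
                    h.update(chunk)
    actual = {name: h.hexdigest() for name, h in hashers.items()}
    return actual == expected, actual


def demo():
    """Constructed sample (not evidence from the case): a 300,000-byte
    pseudo-device imaged into 100,000-byte segments, verified, then
    tampered with to show that verification fails afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        with open(device, "wb") as f:
            f.write(os.urandom(300_000))
        source_hashes = hash_stream(device)
        segments, acq = acquire_raw_image(device, os.path.join(tmp, "evidence"), 100_000)
        ok_before, _ = verify_image(segments, acq)
        with open(segments[1], "r+b") as f:  # flip one byte in the second segment
            f.seek(10)
            original = f.read(1)[0]
            f.seek(10)
            f.write(bytes([original ^ 0xFF]))
        ok_after, _ = verify_image(segments, acq)
        return {
            "segments": len(segments),
            "acquisition_matches_source": acq == source_hashes,
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
        }


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is taken from the bytes as they leave the source, so a later mismatch on the segments points at the copy, not at the disk; the hash says nothing about whether the source was written to during acquisition, which is the write blocker's job.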
Computer Evidence Analysis and Standard Forensic Tools
The forensic analysts of Lone Star Ltd discovered that the UserAssist log had been cleared. This can be seen simply by examining the NTUSER.DAT hive of the 'techuser' account. The analysts also found that a registry-editing tool had been used on the TechBank TSB system (Choo and Dehghantanha 2017): traces of its use were found in the Registry Viewer path and in the software registry keys associated with the registry-editing tool.
Whether a USB stick was attached to the TechBank TSB system can also be determined. Detailed information about USB device connections is recorded in the Windows registry, which retains an entry for every drive that has been connected to the system (Kleinmann and Wool 2014). It can also be tracked which drive was used by which user. Under the MountedDevices key, the volume GUID associated with the device can be found, and the same GUID appears under the MountPoints2 key in the NTUSER.DAT hive of each user who mounted that volume.
The forensic analysts discovered that the user account on the TechBank TSB system visited social networking and communication sites such as MSN, Facebook, YouTube and Skype. After analysing the hard disk image provided by TechBank TSB, the analysts found that three Facebook accounts had been used on the system (Taylor, Fritsch and Liederbach 2014). The three Facebook profiles, Imasha Oshadi Rajapaksha, Amaya Karunanayake and teCHbANK, were used on the system. Of these, two profiles, teCHbANK and Imasha Oshadi Rajapaksha, are currently inactive, and the third, Amaya Karunanayake, is active. The analysts found that he or she uses Facebook most of the time and edits the Facebook privacy and security settings. Amaya was found to add photos and send messages on Facebook (Taylor, Fritsch and Liederbach 2014), and recently created an event named 'Continuation of Leadership Training Programme'.
The user account on the system also visited Skype, and the user has a Skype account, registered on 29 September 2011. The forensic analysts established these details by assessing the user's personal profile on the system (Choo and Dehghantanha 2017). The analysts also discovered that Amaya Karunanayake was chatting over Skype with someone named Amilads, and that Amaya was talking about a password that he or she had received.
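Two of the NTUSER.DAT checks mentioned above, parsing the UserAssist log (to see what was launched, including a registry editor, or to recognise that the log has been emptied) and correlating MountedDevices volume GUIDs with each user's MountPoints2 key, as one added example. It is illustrative code written for this page, not RegRipper's or Registry Viewer's implementation; the hive values are passed in as plain dictionaries of value name to raw bytes (as a hive parser would return them), and every name, serial and GUID in the sample data is constructed for the demo rather than taken from the case. The UserAssist layout used (ROT13 value names; 16-byte records on XP, 72-byte records with the last-run FILETIME at offset 60 on Windows 7 and later) and the MountedDevices formats (12-byte MBR signature plus offset, "DMIO:ID:" plus GUID, or a UTF-16LE device path) are the documented on-disk formats.

```python
import codecs
import struct
import uuid
from datetime import datetime, timedelta, timezone

REGISTRY_EDITORS = {"regedit.exe", "reg.exe"}   # launches worth flagging in this case
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_userassist_value(name, data):
    """Decode one ROT13-named value from a UserAssist\\{GUID}\\Count key."""
    path = codecs.decode(name, "rot_13")
    exe = path.rsplit("\\", 1)[-1].lower()
    if len(data) == 16:                               # Windows XP record
        _session, count, ft = struct.unpack("<IIQ", data)
        count -= 5                                    # XP starts the counter at 5
        focus_count = focus_ms = None
    elif len(data) == 72:                             # Windows 7 and later record
        count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (ft,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist record length {len(data)}")
    return {"path": path, "executable": exe, "run_count": count,
            "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run": filetime_to_datetime(ft).isoformat() if ft else None,
            "registry_editor": exe in REGISTRY_EDITORS}


def analyse_userassist(count_values):
    """An empty Count key on a profile that was in use is the 'cleared log'
    indicator; otherwise return the records, most recent first."""
    records = [parse_userassist_value(n, d) for n, d in count_values.items()]
    records.sort(key=lambda r: r["last_run"] or "", reverse=True)
    return {"cleared": not records, "records": records}


def parse_usbstor_path(text):
    """\\??\\USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<instance>&0#{class-guid} -> fields."""
    parts = text.split("#")
    hw = dict(f.partition("_")[::2] for f in parts[1].split("&")[1:])   # skip 'Disk'
    instance = parts[2].rsplit("&", 1)[0]                                # drop '&0'
    return {"vendor": hw.get("Ven"), "product": hw.get("Prod"), "revision": hw.get("Rev"),
            "serial": instance,
            # '&' in position 2 means Windows generated the ID: the device had no serial
            "serial_is_windows_generated": len(instance) > 1 and instance[1] == "&",
            "class_guid": parts[3] if len(parts) > 3 else None}


def decode_mounted_device(data):
    """Decode the REG_BINARY data of one SYSTEM\\MountedDevices value."""
    if len(data) == 12:                                  # MBR disk signature + byte offset
        sig, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{sig:08X}", "partition_offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:  # GPT / dynamic-disk partition GUID
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    info = {"type": "device_path", "path": text}
    if "USBSTOR#" in text.upper():
        info.update(parse_usbstor_path(text))
    return info


def correlate_volumes(mounted_devices, mountpoints2_by_user):
    """Join \\??\\Volume{GUID} entries to drive letters (same binary data under
    \\DosDevices\\X:) and to the users whose MountPoints2 key lists that GUID."""
    letter_by_data = {d: n[len("\\DosDevices\\"):] for n, d in mounted_devices.items()
                      if n.startswith("\\DosDevices\\")}
    rows = []
    for name, data in mounted_devices.items():
        if not name.startswith("\\??\\Volume"):
            continue
        guid = name[len("\\??\\Volume"):].lower()
        users = sorted(u for u, g in mountpoints2_by_user.items() if guid in map(str.lower, g))
        rows.append({"volume_guid": guid, "drive_letter": letter_by_data.get(data),
                     "device": decode_mounted_device(data), "users": users})
    return rows


def _win7_record(run_count, focus_count, focus_ms, filetime):
    """Build a 72-byte Windows 7 UserAssist value for the constructed sample."""
    return struct.pack("<IIII", 0, run_count, focus_count, focus_ms) + b"\x00" * 44 + struct.pack("<QI", filetime, 0)


def demo():
    """Constructed sample hive values (not data from the case)."""
    system32 = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\"     # known-folder GUID for System32
    count = {codecs.encode(system32 + "regedit.exe", "rot_13"): _win7_record(3, 2, 45_000, 130969800000000000),
             codecs.encode(system32 + "notepad.exe", "rot_13"): _win7_record(7, 5, 120_000, 130969764000000000)}
    mbr = struct.pack("<IQ", 0x1234ABCD, 1_048_576)
    usb = "\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le")
    mounted = {"\\DosDevices\\C:": mbr, "\\??\\Volume{a1b2c3d4-0000-4000-8000-000000000001}": mbr,
               "\\DosDevices\\E:": usb, "\\??\\Volume{a1b2c3d4-0000-4000-8000-000000000002}": usb}
    mountpoints2 = {"techuser": ["{A1B2C3D4-0000-4000-8000-000000000002}"], "Administrator": []}
    return {"userassist": analyse_userassist(count), "userassist_emptied": analyse_userassist({}),
            "volumes": correlate_volumes(mounted, mountpoints2)}


if __name__ == "__main__":
    print(demo())
```

The drive letter to volume link relies on identical binary data under \DosDevices\X: and \??\Volume{GUID}, and the user link on the GUID recurring as a MountPoints2 subkey; a volume with no user rows was mounted by the system (or by a profile not on the image), which is itself worth noting in the report.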
References
Bjelland, P.C., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2018. Internet Forensics. Digital Forensics, pp.275-312.
Choo, K.K. and Dehghantanha, A., 2017. Contemporary Digital Forensics Investigations of Cloud and Mobile Applications. In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications (pp. 1-6).
Dang-Nguyen, D.T., Pasquini, C., Conotter, V. and Boato, G., 2015, March. Raise: A raw images dataset for digital image forensics. In Proceedings of the 6th ACM Multimedia Systems Conference (pp. 219-224). ACM.
Flaglien, A.O., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. The Digital Forensics Process. Digital Forensics, pp.13-49.
Holt, T.J., Bossler, A.M. and Seigfried-Spellar, K.C., 2015. Cybercrime and digital forensics: An introduction. Routledge.
Kleinmann, A. and Wool, A., 2014. Accurate modeling of the siemens s7 scada protocol for intrusion detection and digital forensics. Journal of Digital Forensics, Security and Law, 9(2), p.4.
Martini, B., Do, Q. and Raymond Choo, K.K., 2016. Digital forensics in the cloud era: The decline of passwords and the need for legal reform. Trends & Issues in Crime & Criminal Justice, (512).
Sohl, E., Fielding, C., Hanlon, T., Rrushi, J., Farhangi, H., Howey, C., Carmichael, K. and Dabell, J., 2015, October. A field study of digital forensics of intrusions in the electrical power grid. In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (pp. 113-122). ACM.
Sunde, I.M., Flaglien, A., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. Cybercrime Law. Digital Forensics, pp.51-116.
Taylor, R.W., Fritsch, E.J. and Liederbach, J., 2014. Digital crime and digital terrorism. Prentice Hall Press.
Thethi, N. and Keane, A., 2014, February. Digital forensics investigations in the cloud. In Advance Computing Conference (IACC), 2014 IEEE International (pp. 1475-1480). IEEE.
Van Baar, R.B., Van Beek, H.M.A. and van Eijk, E.J., 2014. Digital Forensics as a Service: A game changer. Digital Investigation, 11, pp.S54-S62.
Van Beek, H.M.A., van Eijk, E.J., van Baar, R.B., Ugen, M., Bodde, J.N.C. and Siemelink, A.J., 2015. Digital forensics as a service: Game on. Digital Investigation, 15, pp.20-38.
Zawoad, S., Hasan, R. and Skjellum, A., 2015, June. OCF: an open cloud forensics model for reliable digital forensics. In Cloud Computing (CLOUD), 2015 IEEE 8th International Conference on (pp. 437-444). IEEE.