Discuss the acquisition method that can be used

Reference no: EM133923724

Digital Forensics

Assessment 1:

Introduction
You will submit work in tutorial activities during the study period. This is an individual assessment.

Tutorial 1: Read the enclosed case study (Case Study: famous cases digital forensics) below and answer the following questions:

Discuss your options for acquiring the image
What questions should you ask and how should you proceed?
Explain three common types of digital crime
Discuss the acquisition method that can be used.
Discuss the options that can be used to recover the file.

Famous cases involving Digital Forensics
E-mails document the conspiracy to murder her husband 2000 Michelle Theer
On Dec. 17, 2000, John Diamond shot and killed Air Force Capt. Marty Theer. "There [was] no direct evidence, no eyewitness evidence. There is no physical evidence. There is no confusion," said Theer's attorney Daniel Pollitt after the conviction.
But what prosecutors did have was 88,000 e-mails and instant messages on Theer's computer, including personal ads that Theer had written in 1999, web-mail that she had written in response to those ads, clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder Theer's husband.

Postings on Yahoo reveal a kidnapping 2002 Scott Tyree
On January 1st, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. That night Tyree sent an instant message containing a photograph of Kozakiewicz bound in his basement to another man in Tampa, FL. The second man checked the Pittsburgh Post-Gazette website and saw that a girl was in fact missing from her parents' home. The man contacted the FBI on January 3rd and provided the Yahoo screen name of the person who had sent the IM: "master for teen slave girls".

FBI investigators contacted Yahoo to obtain the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the Verizon subscriber to whom that IP address had been assigned. It was Scott William Tyree.
2005 Dennis Rader --- The "BTK" Serial Killer
After eluding police for more than 30 years, a serial killer in Kansas re-emerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk forensic investigators found a deleted Microsoft Word file.
The file's metadata recorded the name "Dennis" as the last person to modify the deleted file and a link to the Lutheran church where Rader was a deacon. (Ironically, Rader had sent a floppy disk to the police because the police themselves had previously told him that letters on floppy disks could not be traced.)

Assistant attorney general for Maine caught up in child pornography 2009 James M. Cameron
On February 17, 2009, James M. Cameron was indicted on 16 charges of trafficking in child pornography. Prosecutors alleged that between July 2006 and January 2008 Cameron had uploaded child pornography to a Yahoo photo album using five different aliases. According to an order by a federal judge dated Sept. 28, 2009, "It begins with two referrals from the (National Center for Missing and Exploited Children) to the Maine State Police on August 3, 2007, and September 6, 2007, which itself had been triggered by a report from the Internet Service Provider Yahoo. Yahoo reported locating numerous images of child pornography in the photos section of a Yahoo! account.
"The Maine State Police Computer Crimes Unit undertook an investigation and ultimately identified the owner of the account to be Barbara Cameron, the defendant's wife. Further investigation confirmed that Mr. Cameron was an assistant attorney general for the state of Maine, and that some of the pornography involved children as young as 4 to 6 years old engaging in sexual conduct. On December 21, 2007, the state executed a search warrant and seized four computers. When the computers were examined, there was evidence of Internet chat between two users about sex with children, images of child pornography and related topics. In one of those conversations, the person identified himself as a married 45-year-old man with a daughter, a description that fits Mr. Cameron."

Tutorial 2: Read the enclosed case studies below and answer the questions in each case:

Case 1
At a murder scene, you have started making an image of a computer's drive. You're in the back bedroom of the house, and a small fire has started in the kitchen. If the fire can't be extinguished, you have only a few minutes to acquire data from a 10GB hard disk. Write one to two pages outlining your options for preserving the data.

Case 2
You need to acquire an image of a disk on a computer that can't be removed from the scene, and you discover that it's a Linux computer. What are your options for acquiring the image? Write a brief paper specifying the hardware and software you would use.

Case 3
A bank has hired your firm to investigate employee fraud. The bank uses four 20TB servers on a LAN. You are permitted to talk to the network administrator, who is familiar with where the data is stored. What diplomatic strategies should you use? Which acquisition method should you use? Write one to two pages outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

Case 4
You're investigating a case involving a 2 GB drive that you need to copy at the scene. Write one to two pages describing three options you have to copy the drive accurately. Be sure to include your software and media choices.
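All four cases above come down to the same mechanics whichever tool is used (dd or dcfldd on the Linux box, a hardware duplicator or FTK Imager at the scene): copy the source block by block, keep going past unreadable sectors while recording exactly which ones they were, and hash what was copied so the image can later be shown to be exact. The Python below is an added illustration of that loop and is not part of the assignment or of any tool named on the page. It runs against a constructed in-memory stand-in for a disk (the `FlakySource` class, which fails on one chosen block); on a real acquisition the source would be the device node opened read-only behind a write blocker, and the output a file on sterile media.

```python
"""Block-wise acquisition with bad-sector handling and hash verification (added example)."""
import hashlib
import io

BLOCK_SIZE = 512  # one sector: the smallest unit a read error can be confined to


class FlakySource:
    """Constructed stand-in for a raw device: reading block `bad_block` raises OSError,
    as a damaged sector does. A real acquisition reads the device node (e.g. /dev/sdb)."""

    def __init__(self, data: bytes, bad_block=None):
        self.data, self.pos, self.bad_block = data, 0, bad_block

    def read(self, n: int) -> bytes:
        block_no = self.pos // BLOCK_SIZE
        self.pos += n  # the device position moves on after an error too
        if block_no == self.bad_block and block_no * BLOCK_SIZE < len(self.data):
            raise OSError(f"I/O error reading block {block_no}")
        return self.data[self.pos - n:self.pos]


def acquire(source, out, log: list) -> dict:
    """Copy `source` to `out` one block at a time.

    An unreadable block is replaced by zeros and its number recorded (the behaviour of
    `dd conv=noerror,sync`), so the report can state which sectors of the image are not
    original data. Both hashes are computed over the bytes actually written.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    block_no, bad_blocks = 0, []
    while True:
        try:
            chunk = source.read(BLOCK_SIZE)
        except OSError as exc:
            chunk = b"\x00" * BLOCK_SIZE
            bad_blocks.append(block_no)
            log.append(f"block {block_no}: {exc}; zero-filled")
        if not chunk:
            break
        out.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        block_no += 1
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "blocks": block_no, "bad_blocks": bad_blocks}


def verify(image: bytes, acquisition: dict) -> bool:
    """Independently re-hash the finished image; a mismatch means the copy cannot be
    relied on as evidence and the acquisition must be repeated."""
    return (hashlib.md5(image).hexdigest() == acquisition["md5"]
            and hashlib.sha256(image).hexdigest() == acquisition["sha256"])


def run_demo() -> dict:
    """Acquire a constructed 8-block 'disk' twice: once clean, once with block 3 unreadable."""
    data = bytes(range(256)) * 16  # 4096 bytes = 8 blocks of constructed content
    clean_out, clean_log = io.BytesIO(), []
    clean = acquire(FlakySource(data), clean_out, clean_log)
    damaged_out, damaged_log = io.BytesIO(), []
    damaged = acquire(FlakySource(data, bad_block=3), damaged_out, damaged_log)
    return {"source": data, "source_md5": hashlib.md5(data).hexdigest(),
            "clean_image": clean_out.getvalue(), "clean": clean,
            "damaged_image": damaged_out.getvalue(), "damaged": damaged,
            "damaged_log": damaged_log}


if __name__ == "__main__":
    r = run_demo()
    print("clean image identical to source:", r["clean_image"] == r["source"], r["clean"]["md5"])
    print("damaged acquisition:", r["damaged"]["bad_blocks"], r["damaged_log"])
```

Two points the cases ask you to reason about are visible in the output: the zero-filled block is logged, not hidden, so the report can say which part of the 10GB image is unreliable if the fire forces you to stop; and the image is hashed with SHA-256 as well as MD5, because MD5 (and SHA-1) are collision-broken and an examiner who records only an MD5 invites the argument that the image could have been substituted.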

Tutorial 3: Read the enclosed case study (Case Study: Email Infidelity in a Computer Forensics Investigation) below and answer the following questions:

Discuss your options for acquiring the image
What questions should you ask and how should you proceed?
Explain three common types of digital crime
Discuss the acquisition method that can be used.
Discuss the options that can be used to recover the file.

Email Infidelity in a Computer Forensics Investigation Case Study

Email Infidelity in a Computer Forensics Investigation: The boyfriend was very emotional at the thought of being betrayed by his love of many years.


Summary:
A devoted boyfriend had a sneaking suspicion that his girlfriend of many years was cheating on him. The couple shared a computer for many of their activities: work, games, and Internet, so when the boyfriend saw what he thought was an e-mail from another man in his girlfriend's in-box, he was furious. When he accessed the account, there was no such message, but he was sure that his eyes had not been playing tricks on him.
The boyfriend contacted International Counterintelligence Services, Inc., in the hope that they could get to the bottom of this dilemma. During the free consultation with a trained case analyst, the boyfriend expressed his concerns. The case analyst and the client concluded they would need to call upon the help of the ICS computer forensics technicians.
Now, the boyfriend was very emotional at the thought of betrayal. He thought that he would have to fight his fears alone, without full knowledge of the situation. But he luckily had the strength of a reputable investigative company (and our infidelity private investigator) who would help him get through the crisis.
The investigation began with the client bringing in the laptop computer that the couple shared. He was able to leave it for examination in the computer forensics lab. The computer was first examined for any signs of physical bugging devices. Once assured that it had not been tampered with, the hard drive was removed and forensically "imaged" as an exact replica of the original hard drive. This copied image is where the computer forensic technicians would perform the investigation. This work was all done on the same day in order to have the computer back home, so the client's girlfriend would be none the wiser to the investigation. From here the case manager was in steady contact with the client so he would know the progress of the investigation. The scope of the investigation would concentrate on any e-mail of notable content.
This investigation would prove to be more difficult than first thought, however, because the e-mail system that the couple was using was not a host-based system. This means that it was not a program that was used on the laptop computer, but instead was a Web-based system. Web e-mail, although popular, poses difficulty for forensic technicians recovering deleted messages. Nevertheless, with great effort they found what they had been looking for. The technicians discovered a series of unmarked archived files that were left by the email program on the computer's hard drive, even though the files had been deleted - or so the girlfriend thought. Adding another twist to the investigation, these e-mails had been created under a dummy account so as to separate them from the girlfriend's main e-mail account.
Conclusion:
Since the files had been compressed they had to be transformed and viewed in a special manner to see the true content. They exposed multiple conversations pointing to betrayal on the part of the girlfriend. The discovered messages were compiled and the case manager immediately contacted the client. The client, although he had a dilemma to face, was very grateful for the hard work that the ICS team had done for him. This was a credit to the well-trained case analyst, case managers, and forensic technicians at ICS.

Tutorial 4: Read the enclosed case studies below and answer questions in each case:

Case 1
A new start-up SME (small-medium enterprise) based in Luton with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate.
The company makes use of a general purpose eBusiness package (OSCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full scale malware/forensic investigation.
As there is increased competition in the hi-tech domain, the company is anxious to ensure that their systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems.
Your task is to investigate the team's suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators. The company uses Windows Server NT for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.

Discuss how you would approach the following:
Malware investigation
Digital Forensic Investigation
Write a general overview of the methodology that you will use and provide a reasoned argument as to why the particular methodology chosen is relevant.
Write a process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence
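Before any machine is touched, the log files the team has already looked at should be hashed as received and then triaged, because "a large amount of data being sent outside the company firewall" is a claim you can quantify. The Python below is an added example, not part of the assignment or of osCommerce: it parses a constructed firewall log in a hypothetical `key=value` format (real firewalls differ, so the regular expression is the part to adapt), totals allowed outbound bytes per internal host and external destination, flags pairs over a volume threshold, and lists every internal host that contacted a flagged destination, which is the starting list for the "no other machines are infected" question. The addresses are RFC 5737 documentation ranges and the threshold is an assumed value to be replaced by the company's own baseline.

```python
"""Outbound-volume triage over a firewall log (added example, constructed data)."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed log in a hypothetical key=value format; adapt LINE_RE to the real device.
SAMPLE_LOG = """\
2019-01-24T02:11:07 src=192.168.10.21 dst=203.0.113.7 dport=443 bytes_out=734003200 action=ALLOW
2019-01-24T02:48:19 src=192.168.10.21 dst=203.0.113.7 dport=443 bytes_out=691011584 action=ALLOW
2019-01-24T09:02:41 src=192.168.10.5 dst=198.51.100.10 dport=443 bytes_out=184320 action=ALLOW
2019-01-24T09:15:03 src=192.168.10.21 dst=192.168.10.2 dport=445 bytes_out=52428800 action=ALLOW
2019-01-24T10:30:12 src=192.168.10.8 dst=203.0.113.7 dport=443 bytes_out=1048576 action=DENY
this line is not in the expected format
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+) action=(?P<action>\w+)$")

THRESHOLD = 500 * 1024 * 1024  # assumed: bytes per (src, dst) pair worth a closer look


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(text: str):
    """Return (records, unparsed_count). Unparseable lines are counted rather than dropped
    silently: tampering with a log often shows up first as lines that no longer parse."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
        records.append(rec)
    return records, unparsed


def triage(text: str) -> dict:
    """Hash the log as received, total allowed outbound bytes per (src, external dst),
    flag pairs at or over THRESHOLD, and list every internal host that contacted a
    flagged destination (denied attempts included) so those machines are examined too."""
    evidence_hash = hashlib.sha256(text.encode()).hexdigest()
    records, unparsed = parse(text)
    totals = defaultdict(int)
    contacts = defaultdict(set)
    for rec in records:
        if not is_external(rec["dst"]):
            continue  # internal transfers are a different question (SMB to a file server here)
        contacts[rec["dst"]].add(rec["src"])
        if rec["action"] == "ALLOW":
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    flagged = sorted(((src, dst, total) for (src, dst), total in totals.items()
                      if total >= THRESHOLD), key=lambda t: -t[2])
    hosts_to_check = {dst: sorted(contacts[dst]) for _, dst, _ in flagged}
    return {"evidence_sha256": evidence_hash, "unparsed_lines": unparsed,
            "flagged": flagged, "hosts_to_check": hosts_to_check}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of recording the log's hash in the same output is that the triage result can be tied to the exact copy of the log it was computed from when the case file is assembled later.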
Case 2
You're investigating a case involving an employee who allegedly sent inappropriate photos via email in attachments that have been compressed with a zip utility. As you examine the employee's hard disk, you find a file named Orkty.zip, which you suspect is a graphics file. When you try to open the file in an image viewer, a message is displayed indicating that the file is corrupt. Write one page explaining how to recover Orkty.zip for further investigation.

Case 3
You work for a mid-size corporation known for its inventions that does a lot of copyright and patent work. You're investigating an employee suspected of selling and distributing animations created for your corporation. During your investigation of the suspect's drive, you find some files with the unfamiliar extension .xde. The network administrator mentions that other .xde files have been sent through an FTP server to another site. Write one page describing your findings after conducting an Internet search for this file extension.

Tutorial 5
Read the enclosed case studies below and answer the questions in each case:

Case 1
As a part of the duties of a digital forensics examiner, creating an investigation plan is a standard practice. Write one to two pages describing how you would organize an investigation into a potential fraud case. In addition, list methods you plan to use to validate the data collected from drives and files, such as Word and Excel, with hashes. Specify the hash algorithm you plan to use, such as MD5 or SHA1.
Case 2

Several graphics files were transmitted via email from an unknown source to a suspect in an ongoing investigation. The lead investigator gives you these graphics files and tells you that at least four messages should be embedded in them. Use your problem-solving and brainstorming skills to determine a procedure to follow. Write a short report outlining what to do.
Case 3
A drive you are investigating contains several password-protected files and other files with headers that don't match the extension. Write a report describing the procedures for retrieving the evidence with some of the forensics tools and hexadecimal editors discussed in chapters 8 and 9. Explain how to identify the file headers and determine how their extensions are mismatched. Then discuss what techniques and tools you can use for recovering passwords from the protected files.
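The Orkty.zip case in Tutorial 4 and Case 3 above are the same check from two directions: the extension is what the user (or the suspect) chose, the first bytes are what the file actually is, and a hex editor shows the difference at offset 0. The Python below is an added example, not taken from the assignment or the textbook chapters it cites: it identifies a handful of common types by their magic numbers, reports where the extension disagrees, and for zip files reads the encryption bit of the first local file header so password-protected archives are spotted before anyone tries to open them. The file contents are constructed (the "Orkty.zip" here is a stub of JPEG data, not the file from the case).

```python
"""Identify files by header bytes rather than extension (added example)."""
import struct

# Magic numbers at offset 0 for a few common types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx and other zip-based containers
}
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                   "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip"}


def identify(data: bytes):
    """Return the type implied by the leading bytes, or None if nothing matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag word in the first local file header
    (offset 6, little-endian) marks a password-protected entry."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def check(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(data)
    claimed = EXTENSION_TYPES.get(ext)
    return {"name": name, "extension": ext, "detected": detected,
            "mismatch": detected is not None and detected != claimed,
            "encrypted_zip": detected == "zip" and zip_is_encrypted(data)}


def run_demo() -> dict:
    # Constructed contents: Orkty.zip is really JPEG data, vacation.jpg is a
    # password-protected zip header, report.pdf is what it claims to be.
    encrypted_zip = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22 + b"secret.txt"
    samples = {
        "Orkty.zip": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9",
        "vacation.jpg": encrypted_zip,
        "report.pdf": b"%PDF-1.4\n%constructed\n",
    }
    return {name: check(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in run_demo().values():
        print(result)
```

For a file that a viewer calls corrupt, the first question is therefore whether the header is present at all; a JPEG renamed to .zip opens once the extension is corrected, while a JPEG whose first bytes have been overwritten needs the header repaired in a hex editor before any viewer will accept it. Detecting the encryption flag is where this example stops: it tells you which files go into the password-recovery step, not how to recover the passwords.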
Practical Tasks 1
The case in this project involves a suspicious death. Joshua Zarkan found his girlfriend's dead body in her apartment and reported it. The first responding law enforcement officer seized a USB drive. A crime scene evidence technician skilled in data acquisition made an image of the USB drive with ProDiscover and named it C1Prj01.eve. Following the acquisition, the technician transported and secured the USB drive and placed it in a secure evidence locker at the police station. You have received the image file from the detective assigned to this case. He directs you to examine it and identify any evidentiary artifacts that might relate to this case. To process this case, follow these steps to evaluate what's on the image of the USB drive:
Start ProDiscover Basic. (If you're using Windows Vista or later, right-click the ProDiscover desktop icon and click Run as administrator.)
In the Launch Dialog box, click the New Project tab, if necessary. Enter a project number. If your company doesn't have a standard numbering scheme, you can use the date followed by the number representing the case that day in sequence, such as 20190124 01.
Enter C1Prj01 as the project name, enter a brief description of the case, and then click Open.
To add an image file, click Action from the menu, point to Add, and click Image File.
Navigate to your work folder, click C1Prj01.eve, and then click Open. If the Auto Image Checksum message box opens, click Yes.
In the tree view, click to expand Content View. Click to expand Images, and then click the pathname containing the image file. In the work area, notice the files that are listed.
Right-click any file and click View to start the associated program, such as Word or Excel. View the file, and then exit the program.
If you decide to export a file, right-click the file and click Copy File.(Note: Creating a separate folder for exports is a good idea to keep your files organized.) In the Save As dialog box that opens, navigate to the location where you want to save the file, and then click Save.
To save the project to view later, click File, Save Project from the menu. The default project name is the one you entered in Step 3. Select the drive and folder (Work\Chap01\Projects, for example), and then click Save. After you have finished examining the files, exit ProDiscover Basic and save the project again, if prompted.

Practical Tasks 2
In this project, you work for a large corporation's IT security company. Your duties include conducting internal computing investigations and forensics examinations on company computing systems. A paralegal from the Law Department, Ms. Jones, asks you to examine a USB drive belonging to an employee who left the company and now works for a competitor. The Law Department is concerned that the former employee might possess sensitive company data. Ms. Jones wants to know whether the USB drive contains anything significant. In addition, she informs you that the former employee might have had access to confidential documents because a co-worker saw him accessing his manager's computer on his last day of work. These confidential documents consist of 24 files with the text "book." She wants you to locate any occurrences of these files on the USB drive's bit-stream image. To process this case, make sure you have extracted the C1Prj02.eve file to your work folder, and then follow these steps:
Start ProDiscover Basic. In the New Project tab, enter a project number, the project name C1Prj02, and a project description, and then click Open. It's a good idea to get in the habit of saving the project immediately, so click File, Save Project from the menu, and save the file in your work folder (Work\Chap01\Projects).
Click Action from the menu, point to Add, and click Image File. Navigate to and click C1Prj02.eve in your work folder, and then click Open. If the Auto Image Checksum message box opens, click Yes.
In the tree view, click to expand Content View, if necessary. Click to expand Images, and then click the pathname containing the image file. In the work area, examine the files that are listed.
To search for the keyword "book," click the Search toolbar button to open the Search dialog box.
In the tree view, click to expand Search Results, if necessary, and then click Content Search Results to specify the type of search. Figure 1-25 shows the search results pane.
Next, open the Search dialog box again, click the Cluster Search tab, and run the same search. Note that it takes longer because each cluster on the drive is searched.
In the tree view, click Cluster Search Results, and view the search results pane. Remember to save your project and exit ProDiscover Basic before starting the next case.
When you're finished, write a memo to Ms. Jones with the following information: the filenames in which you found a hit for the keyword and, if the hit occurred in unallocated space, the cluster number.
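The difference between the two searches in steps 5 to 8 is what they read: a content search looks only at the logical bytes of allocated files, while a cluster search reads every cluster of the image, so it also finds the keyword in slack space and in unallocated clusters left behind by deleted files, and reports the hit by cluster number rather than by filename. The Python below is an added illustration of both, not ProDiscover's own code: it builds a constructed 8-cluster image with a toy allocation table (assumed 512-byte clusters), runs both searches for "book", and shows the extra hits the cluster search returns. Searching the image as a single buffer rather than cluster by cluster is a deliberate choice, because a keyword that straddles a cluster boundary would otherwise be missed.

```python
"""Content search vs cluster search over a raw image (added example, constructed data)."""

CLUSTER_SIZE = 512  # assumed cluster size for the constructed image


def build_image():
    """Constructed 8-cluster image plus a minimal 'file system table'.
    memo.txt occupies clusters 1-2 (600 bytes used); clusters 5-7 are unallocated
    and still hold remnants of a deleted file."""
    image = bytearray(8 * CLUSTER_SIZE)
    image[1 * CLUSTER_SIZE + 10:1 * CLUSTER_SIZE + 14] = b"book"     # inside memo.txt
    image[5 * CLUSTER_SIZE + 100:5 * CLUSTER_SIZE + 104] = b"book"   # unallocated cluster 5
    image[6 * CLUSTER_SIZE + 510:6 * CLUSTER_SIZE + 514] = b"book"   # straddles clusters 6/7
    files = {"memo.txt": {"clusters": [1, 2], "size": 600},
             "notes.txt": {"clusters": [3], "size": 40}}
    return bytes(image), files


def file_bytes(image: bytes, entry: dict) -> bytes:
    data = b"".join(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in entry["clusters"])
    return data[:entry["size"]]  # bytes past the logical size are slack, not content


def content_search(image: bytes, files: dict, keyword: bytes):
    """What a file-content search sees: only the allocated, logical bytes of each file."""
    hits = []
    for name, entry in files.items():
        data = file_bytes(image, entry)
        pos = data.find(keyword)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(keyword, pos + 1)
    return hits


def cluster_search(image: bytes, files: dict, keyword: bytes):
    """Search the whole image and map each hit to (cluster, offset, owner);
    owner None means the cluster is unallocated."""
    owner = {c: name for name, entry in files.items() for c in entry["clusters"]}
    hits = []
    pos = image.find(keyword)
    while pos != -1:
        cluster, offset = divmod(pos, CLUSTER_SIZE)
        hits.append((cluster, offset, owner.get(cluster)))
        pos = image.find(keyword, pos + 1)
    return hits


def run_demo() -> dict:
    image, files = build_image()
    return {"content": content_search(image, files, b"book"),
            "cluster": cluster_search(image, files, b"book")}


if __name__ == "__main__":
    r = run_demo()
    print("content search hits:", r["content"])
    print("cluster search hits:", r["cluster"])
```

The memo to Ms. Jones is built from exactly these two lists: the filename for hits with an owner, and the cluster number for hits whose owner is None.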

Lab 2: Create a Forensic System Case File for Analyzing Forensic Evidence
Overview
In this lab, you will use ProDiscover and FTK Imager Lite for analyzing forensic evidence.
Lab Tasks
Task1 : Create a Forensic System Case File
On your USB drive create a Word file named with your Student ID, where the file should contain your name, student ID, mobile number, address and some other personal information.
The file should also contain the following sentence: "I have enrolled for ITSC3004 Computer Forensic." followed by your full name and the date when you registered for this unit.
On the same drive create an Excel file named "StudentID.xls", where the first column should be filled with the names of the units you took at VIT last semester and the second column with your marks for those units.
Store a current photo of yourself on the USB drive in JPG or another image format.
Take a screenshot of your Windows Explorer window showing the content of the USB's folder hosting the three files. Include this screenshot in your final report! Now delete those files, and then take another screenshot of the respective folder's content (after the three files have been deleted). Include this screenshot in your final report!

Task 2 : Analyzing Forensic Evidence
Q1) Use ProDiscover Basic to acquire an image of the USB drive. In your report include a screenshot for each step.
Q2) Use ProDiscover Basic to recover the deleted images. In your report include a screenshot for each step.
Q3) Use FTK Imager Lite to acquire an image of the USB drive. In your report include a screenshot for each step.
Q4) Use FTK Imager Lite to recover the deleted images. In your report include a screenshot for each step.
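Deleting the three files in Task 1 removes their directory entries, not their clusters, which is why Q2 and Q4 can recover the photo: the tools either read the orphaned directory entry or carve the image out of unallocated space by its header and footer. The Python below is an added example of the carving approach and is not code from ProDiscover or FTK Imager. It scans a constructed raw image (a stub JPEG and a stub PNG placed in otherwise empty clusters, with no file system at all) for each format's header, takes everything up to the matching footer, and returns the recovered bytes with the offset they were found at.

```python
"""Carve deleted images out of a raw drive image by header/footer (added example)."""

# Header/footer pairs; the PNG footer is the IEND chunk including its CRC.
CARVE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024  # give up on a header whose footer is not within 16 MiB


def carve(image: bytes):
    """Return (offset, kind, data) for every header whose footer follows it.
    The file system is ignored entirely, so unallocated space is covered too."""
    found = []
    for kind, (header, footer) in CARVE_SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end != -1:
                found.append((pos, kind, image[pos:end + len(footer)]))
                pos = image.find(header, end + len(footer))
            else:
                pos = image.find(header, pos + 1)
    return sorted(found)


def build_image():
    """Constructed 4096-byte image: a 'deleted' JPEG stub at byte 1024 and a PNG stub
    at byte 2560, separated by zeroed clusters. Neither is a renderable picture."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(200)) + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    image = bytearray(4096)
    image[1024:1024 + len(jpeg)] = jpeg
    image[2560:2560 + len(png)] = png
    return bytes(image), jpeg, png


def run_demo() -> dict:
    image, jpeg, png = build_image()
    return {"carved": carve(image), "expected": {"jpeg": jpeg, "png": png}}


if __name__ == "__main__":
    for offset, kind, data in run_demo()["carved"]:
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Two caveats worth stating in the report: a JPEG that carries an embedded thumbnail contains a second `FF D9`, so a naive footer search can truncate it (real carvers parse the segment structure); and a file whose clusters were not contiguous will come back as fragments, which is why recovery through the remaining directory entry, when it still exists, is tried first.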
Submission
You need to submit a detailed lab report to describe what you have done and what you have observed; you also need to provide explanation to the observations that are interesting or surprising. Please also list the important screen snippets followed by explanation.

Lab 3: Data Acquisition
Description of the laboratory exercise:
Acquisition and imaging of data from one or more storage media.
Investigation and examination of all information; this depends on the type and size of the equipment and the nature of each case.
Activity 1: The following activity shows an easy way to identify a file's metadata. These steps are designed for OSForensics, which has been provided on this book's DVD. If you haven't installed it, do so now. In addition, create a work\Chap05\Chapter work folder on your system. Then extract all compressed files from the Chap05 folder on the book's DVD to your work folder. The work folder path shown in screenshots might differ slightly from yours. Follow these steps:
Start Microsoft Word, and in a new document, type By creating a file, you can identify the author with file metadata. Save it in your work folder as InChp05-01.doc, and then exit Microsoft Word.
To start OSForensics, click Start, point to All Programs, click the OSForensics folder, and click OSForensics. If you're prompted with a warning dialog box and/or notification, click OK to continue, and click OK, if necessary, in the message box thanking you for evaluating the program.
In the OSForensics main window, notice the Viewers section in the right pane. Click File and Hex Viewer. In the "Select a file to open" dialog box that opens, navigate to your work folder and double-click the file you created in step 1.
The dialog box that opens has five tabs. Click the File Info tab, where you can see where the file is located along with the date and time it was created. Notice that the file size and its size on disk are different.

Click the Metadata tab. The information in this tab includes file permissions, file type, file size, and other items. Scroll to the bottom of this tab, where you can see who created the file and who last modified the file.
Exit OSForensics.
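The creator and last-modifier names at the bottom of the Metadata tab are written by Word itself, not by the file system, which is what made the "Dennis" entry on the BTK floppy recoverable from a deleted file. The Python below is an added example, not part of the activity or of OSForensics: it builds a constructed minimal .docx (the OOXML package, which is a zip file) with known values in `docProps/core.xml` and reads the same fields back with the standard library. The activity's own InChp05-01.doc is in the older binary format, whose SummaryInformation stream needs an OLE2 parser such as the olefile library and is not shown here.

```python
"""Read author / last-modified metadata from a Word OOXML package (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def core_properties(docx_bytes: bytes) -> dict:
    """docProps/core.xml carries the Author / Last Modified By / created / modified
    fields shown by metadata viewers. They travel with the document when it is copied."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        root = ET.fromstring(package.read("docProps/core.xml"))
    return {"creator": root.findtext("dc:creator", namespaces=NS),
            "last_modified_by": root.findtext("cp:lastModifiedBy", namespaces=NS),
            "revision": root.findtext("cp:revision", namespaces=NS),
            "created": root.findtext("dcterms:created", namespaces=NS),
            "modified": root.findtext("dcterms:modified", namespaces=NS)}


# Constructed core.xml with assumed names and timestamps.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>author01</dc:creator>
<cp:lastModifiedBy>editor02</cp:lastModifiedBy>
<cp:revision>3</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-01-20T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-01-24T16:45:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: just enough of the package to carry core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml",
                         "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        package.writestr("docProps/core.xml", CORE_XML)
        package.writestr("word/document.xml",
                         "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    return buf.getvalue()


def run_demo() -> dict:
    return core_properties(build_sample_docx())


if __name__ == "__main__":
    for field, value in run_demo().items():
        print(f"{field}: {value}")
```

Because these values are plain text that any zip tool can rewrite, they corroborate rather than prove: the examiner records them alongside the file-system timestamps from the File Info tab and the file's hash, and notes any disagreement between the two sets of dates.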
Activity 2: You can use the MD5 function in FTK Imager to obtain the hash value of a file or an entire drive. In the following activity, you use a thumb drive, although you often work with hard drives in actual investigations. First, you create a test file and then generate an MD5 hash value for it. Then you change the file and produce another MD5 hash value, this time noting the change in the hash value. You need a blank, formatted USB drive and a Windows computer to complete the following steps:
Power on your forensic workstation, booting it to Windows.
Insert a blank, formatted USB drive into your computer.
Next, start Notepad. In a new text file, type This is a test to see how an MD5 digital hash works.
