How to prepare a computer investigation

Reference no: EM133932435

Digital Forensics Lab

Lab: Email and Social Media Forensic

Practical Tasks:
Examining E-mail Messages
After you have determined that a crime has been committed involving e-mail, first access the victim's computer to recover the evidence. Using the victim's e-mail client, find and copy any potential evidence. It might be necessary to log on to the e-mail service and access any protected or encrypted files or folders. If you can't actually sit down at the victim's computer, you have to guide the victim on the phone to open and print a copy of an offending message, including the header. The header contains unique identifying numbers, such as the IP address of the server that sent the message. This information helps you trace the e-mail to the suspect.

In some cases, you might have to recover e-mail after a suspect has deleted it and tried to hide it. You see how to recover those messages in "Using AccessData FTK to Recover E-mail" later in this chapter. For now, you continue working with a victim's computer as a cyber detective.

Copying an E-mail Message
The following activity shows you how to use Outlook 2010/2016, included with Microsoft Office, to copy an e-mail message to a USB drive or a folder in your computer. (Note: Depending on the Outlook version you use, the steps might vary slightly.)
If Outlook is installed on your computer, follow these steps:

Insert a USB drive into a USB port.
Open Windows Explorer or the Computer window, navigate to the USB drive, and leave this window open.
Start Outlook by clicking Start, pointing to All Programs, pointing to Microsoft Office, and clicking Microsoft Office Outlook 2010/2016.
In the Mail Folders pane (see Figure 1), click the folder containing the message you want to copy. For example, click the Inbox folder. A list of messages in that folder is displayed in the pane in the middle. Click the message you want to copy.
Resize the Outlook window so that you can see the message you want to copy and the USB drive icon in Windows Explorer or the Computer window.
Drag the message from the Outlook window to the USB drive icon or a folder in Windows Explorer or the Computer window.
Click File, Print from the Outlook menu to open the Print dialog box. After printing the e-mail so that you have a copy to include in your final report, exit Outlook.

Viewing E-mail Headers
After you copy and print a message, use the e-mail program that created it to find the e-mail header. After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor.
To retrieve an Outlook e-mail header, follow these steps:
Double-click the e-mail message you copied in the previous section. Click File -> Info -> Properties (in the right pane), as shown in Figure 2.
Select all the message header text as shown in Figure 3, and then press Ctrl+C to copy it to the Clipboard.
Start Notepad, and then press Ctrl+V in a new document window to paste the message header text.
Save the document as Outlook Header.txt in your work folder. Then close the document and exit Outlook.

To retrieve a Gmail e-mail header, follow these steps:

Open the email message in Gmail.
Select the More menu (the downward-pointing arrowhead) next to the Reply button in the top right corner of the message whose headers you want to see.
Select Show original from the menu that comes up as shown in Figure 4 and 5.

Examining E-mail Headers
The next step is examining the e-mail header you saved to gather information about the e-mail and track the suspect to the e-mail's originating location. The primary piece of information you're looking for is the originating e-mail's domain address or an IP address. Other helpful information includes the date and time the message was sent, the filenames of any attachments, and the unique message number, if one is supplied.
To open and examine an e-mail header, follow these steps:

Open the Computer window or Windows Explorer and navigate to your work folder.
Double-click a .txt file containing message header text, such as Outlook Header.txt.
The message header opens in Notepad.
Figure 6 shows a message header copied from an Outlook e-mail. (The e-mail addresses are not real addresses.) Line numbers have been added for reference.

The e-mail header in Figure 6 provides a lot of information. Lines 1 to 5 show the e-mail servers through which the message traveled. Line 1 shows the return path, which is the address an e-mail program uses for sending a reply, usually indicated as the "Reply to" field in an e-mail. Do not rely on the return path to reveal the e-mail's source account, however. Spoofing (faking) an e-mail address in the Return-Path line is easy to do. Line 2 identifies the recipient's e-mail address. When you're investigating e-mail, you should verify this address by confirming it with the e-mail service provider. Request a bill or log to make sure the account name in Line 2 is the one the victim uses. (Check with your attorney general's office to determine the type of documentation you need.) Line 3 indicates the type of e-mail service that sent the e-mail, such as qmail (UNIX e-mail), and includes an ID number, such as 12780 in Figure 6. With these ID numbers, you can examine logs from the transmitting e-mail server to determine whether the message was actually sent from it. If the transmitting e-mail server doesn't list this unique ID number, there's a good chance the message was spoofed. Line 4 lists the IP address of the e-mail server that sent the message: 192.152.64.20, in this example. It also identifies the name of the server sending the message: in this case, smtp.superiorbicycles.biz.

Lines 6 and 7 provide information important for e-mail investigators. Line 6 shows a unique ID number that the sending e-mail server assigned to the message. In Figure 6, it's 20101212082330.40429. You can use this number to track the message on the originating e-mail server in e-mail logs. Line 7 shows the IP address of the server sending the e-mail and lists the date and time the e-mail was sent. For example, 10.187.241.199 is the IP address of the sending server web4009.mail0.myway.com, and Sun 12 Dec 2010 00:23:30 PST is the date the message was sent. Line 7 might also identify the e-mail as being sent through an HTTP client, as it does in Figure 6. The e-mail header in Figure 6 doesn't include a Line 8, which usually identifies attachments. An attachment can be any type of file, from a program to a picture. If a message includes an attachment, investigate it as a supporting piece of evidence. If you're working with the victim, the attachment is usually still attached to the e-mail. If you're investigating a suspect's computer, remember to work with the copied version. On a suspect's computer or forensic image, search for the attached file with a forensics tool, such as FTK, or the OS's Search or Find feature to determine whether the file was saved and still exists on the drive. If you're investigating an e-mail attachment with an unfamiliar file extension, such as .mdf, you can search the Internet to find out what program creates a file of this type.
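As an added worked example (not part of the lab and not code from any forensic product), the following Python script does by hand what the header walk above describes: it reads a constructed message whose server names, IP addresses and identifiers are the ones the lab quotes from Figure 6 (the mailbox addresses, the relay mail.example.com and the attachment are placeholders), lists the Received hops in the order the message actually travelled, and pulls out the qmail queue id, Message-ID, Return-Path, date and attachment hashes an investigator records before asking a provider for logs.

```python
"""Added example: walk an e-mail header the way the lab describes.

Lists the Received hops oldest-first, extracts each hop's sending host and
IP address, and collects the identifiers an investigator records before
asking a provider for logs (MTA queue id, Message-ID, Return-Path, Date,
attachment names and SHA-256 hashes).
"""
import hashlib
import re
from email import policy
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed sample message (not real mail). Server names, IP addresses and
# identifiers are those the lab quotes from its Figure 6; mailbox addresses,
# the relay mail.example.com and the attachment are placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.net>
Delivered-To: victim@example.com
Received: (qmail 12780 invoked from network); 12 Dec 2010 08:23:35 -0000
Received: from smtp.superiorbicycles.biz (192.152.64.20)
  by mail.example.com with SMTP; 12 Dec 2010 08:23:35 -0000
Message-ID: <20101212082330.40429@web4009.mail0.myway.com>
Received: from [10.187.241.199] by web4009.mail0.myway.com via HTTP;
  Sun, 12 Dec 2010 00:23:30 PST
Date: Sun, 12 Dec 2010 00:23:30 -0800
From: sender@example.net
To: victim@example.com
Subject: Test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"^from\s+\[?([A-Za-z0-9.\-]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)
QMAIL_RE = re.compile(r"\(qmail (\d+) invoked")


def _parse_date(text):
    try:
        return parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None


def received_hops(msg):
    """Received lines oldest-first: every relay prepends its own line, so the
    bottom line of the header is the hop closest to the message's origin."""
    hops = []
    for raw in reversed([str(v) for v in msg.get_all("Received", [])]):
        clause, _, stamp = raw.rpartition(";")
        sender = FROM_RE.search(clause)
        relay = BY_RE.search(clause)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": relay.group(1) if relay else None,
            "ips": IP_RE.findall(clause),
            "when": _parse_date(stamp),
        })
    return hops


def header_summary(raw_message):
    """Collect the fields the lab tells you to record from a header."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = received_hops(msg)
    # The first hop's address is the best lead on the origin; the Return-Path
    # and From lines are set by the sender and are trivially spoofable.
    origin_ip = hops[0]["ips"][0] if hops and hops[0]["ips"] else None
    return {
        "return_path": str(msg["Return-Path"] or "").strip().strip("<>"),
        "delivered_to": str(msg["Delivered-To"] or "").strip(),
        "message_id": str(msg["Message-ID"] or "").strip().strip("<>"),
        "date": msg["Date"].datetime if msg["Date"] else None,
        "mta_ids": [m.group(1) for v in msg.get_all("Received", [])
                    for m in [QMAIL_RE.search(str(v))] if m],
        "origin_ip": origin_ip,
        "hops": hops,
        # Hash each attachment so it can be looked up by digest instead of
        # uploading possibly confidential content to an online scanner.
        "attachments": [
            {"filename": part.get_filename(),
             "content_type": part.get_content_type(),
             "sha256": hashlib.sha256(part.get_content()).hexdigest()}
            for part in msg.iter_attachments()
        ],
    }


if __name__ == "__main__":
    summary = header_summary(SAMPLE_MESSAGE)
    for i, hop in enumerate(summary["hops"], 1):
        print(f"hop {i}: from {hop['from']} by {hop['by']} at {hop['when']}")
    print("origin IP:", summary["origin_ip"])
    print("MTA ids:", summary["mta_ids"], "Message-ID:", summary["message_id"])
    print("attachments:", summary["attachments"])
```

The hop closest to the origin (from 10.187.241.199 via web4009.mail0.myway.com) comes out first, the qmail queue id 12780 and the Message-ID are what you would quote to the providers when requesting logs, and the attachment hash lets you query a scanner by digest rather than by upload.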

Analysing Email header online

Go to the following link:

Paste your copied e-mail header into the specified field, as in Figures 7 and 8, to discover the source IP address and other information pertaining to the message.

Take a snapshot of the report.

Attachment Analysis
Most viruses and malware are sent through e-mail attachments. Investigating attachments is crucial in any e-mail-related investigation. Confidential information leakage is another important field of investigation. There are software tools available to recover e-mail-related data, such as attachments, from computer hard disks. For the analysis of suspicious attachments, investigators can upload documents to an online sandbox such as VirusTotal to check whether the file is malware or not. However, it is important to bear in mind that even if a file passes a test such as VirusTotal's, this is not a guarantee that it is fully safe. In that case, it is a good idea to investigate the file further in a sandbox environment such as Cuckoo.

Project 1

In this project, you use the Facebook Forensic Toolkit by Afentis Software to discover the friends and other information of a public Facebook profile. Although you can use your own Facebook logon for this project, creating a logon connected to your professional e-mail account is highly recommended when working on actual cases.

Start a Web browser, go to StalkScan or NetBootCamp, and download the trial version of the Facebook Forensic Toolkit. Install the software, and then start it.

In the opening window (see Figure 10), click the Examine Profile and Clone Data option.

In the New Case Information window, click the Browse button next to "Location of examination results", create a subfolder of your work folder called Project 1, and click OK.

Enter today's date for the case number and your name for the examiner. Enter Test for the other information. Click the blue right arrow in the upper left corner.

Enter the URL for the Facebook page of a topic you are interested in. Click the blue right arrow to continue. Adjust the Profile/Content information as needed. Click the blue right arrow to continue, and then click Authenticate. When prompted to authenticate with a valid logon, enter valid Facebook logon credentials, and click Log In. If you are asked to allow fbcrawler to post to Facebook for you, click Not Now.

Click Start on the right, and examine the information in each category (see Figure 11).

Next, click HOME at the top, enter the Facebook page of a famous person, repeat the authentication process in Step 5, and then repeat Step 6. When you are finished, exit the program.

Write a one- to two-page report describing the information you expected to find and what you actually found.

Lab: OSForensic

Learning Outcome:

Students will learn how to prepare a computer investigation.
Students will apply digital forensics techniques.

Practical Tasks:
In this lab, you will investigate different features of the OSForensics tool. The features include searching for hidden and deleted files, mismatch file search, the file system browser, creating an image of a USB drive, password recovery, comparing the hashes of two files, and creating a signature of a USB drive.
File Name Search
The File Name Search module can be used to search for names of files and folders that match a specified search pattern.
On a USB drive, store the following file:
A password-protected PDF file. You can encrypt a PDF file using online encryption tools; choose a common password when encrypting the file. You can use the following tools:

Mismatch File Search

The Mismatch File Search module can be used to locate files whose contents do not match their file extension. This module can uncover attempts to hide files under a false file name and extension by checking whether the actual file format (identified from the file's leading bytes) matches the format its extension claims.
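As an added example of the check this module performs (this is not OSForensics code), the following Python script compares each file's leading "magic" bytes against the format its extension claims. The signature table and the extension-to-format mapping are assumptions for the example; it deliberately treats .docx and .jar as ZIP containers, since those formats legitimately start with the ZIP "PK" bytes and would otherwise be false positives.

```python
"""Added example: flag files whose leading bytes do not match the format their
extension claims, the check OSForensics' Mismatch File Search performs."""
import os
import tempfile

# Leading-byte ("magic") signatures of a few common formats; well-known values.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "pe": (b"MZ",),
}

# Extensions that legitimately share a container format. Office Open XML and
# Java archives are ZIP files, so "PK" under a .docx is not a mismatch.
EXTENSION_FAMILY = {
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe",
}


def detect_format(head):
    """Return the format family whose magic bytes start `head`, or None."""
    for family, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return family
    return None


def check_file(path):
    """Compare the format claimed by the extension with the one the bytes show."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    with open(path, "rb") as fh:
        head = fh.read(16)
    actual = detect_format(head)
    claimed = EXTENSION_FAMILY.get(ext)
    if claimed is None or actual is None:
        verdict = "unknown"        # nothing reliable to compare against
    elif claimed == actual:
        verdict = "match"
    else:
        verdict = "mismatch"       # candidate for a renamed or disguised file
    return {"extension": ext, "claimed": claimed, "actual": actual, "verdict": verdict}


def scan_directory(root):
    """Run check_file over every file below root, keyed by relative path."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = check_file(full)
    return results


def demo():
    """Constructed sample files: an honest PDF, a ZIP archive renamed to .jpg,
    a .docx that is correctly a ZIP container, and a text file with no magic."""
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 12,
        "memo.docx": b"PK\x03\x04" + b"\x00" * 12,
        "notes.txt": b"plain text, nothing to compare\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_directory(root)


if __name__ == "__main__":
    for path, result in sorted(demo().items()):
        print(f"{path}: {result['verdict']} (claimed {result['claimed']}, actual {result['actual']})")
```

Only photo.jpg is reported as a mismatch; memo.docx passes because its extension is mapped to the ZIP family, and notes.txt is "unknown" because plain text has no magic bytes to compare, which is exactly the kind of file such a scan cannot judge.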

Signature

Signatures allow users to identify changes in a directory structure between two points in time. Generating a signature creates a snapshot of the directory structure, which includes information about the contained files' path, size and attributes. Changes to a directory structure such as files that were created, modified and deleted can be identified by comparing two signatures. These differences can quickly identify potential files of interest on a suspected machine, such as newly installed software or deleted evidence files.

Signatures differ from Hash Sets in the following ways:

The signature is not required to contain any file hashes.
The file path, size and attributes of the files on the hard drive are included in the signature.

OSForensics provides the following File Signature Analysis functionality:

Create Signature
Module that handles all aspects of generating a signature.
Compare Signature
Module that allows the user to compare previously generated signatures. A summary of any changes between the signatures is displayed to the user.

Create Signature

The Create Signature module is used for creating a signature file. This is used for creating a snapshot of a system's directory structure at a point in time.

A signature can be created using the default options by simply specifying a starting directory and clicking the "Start" button. Advanced options for signature generation can be found by clicking the "Config..." button to open the Create Signature Configuration Window. After the signature has been created, the user will be prompted to save the file signature. Saving should only take a couple of seconds, even for very large signatures.

The signature creation process can be cancelled at any time by clicking the Stop button.

Create a signature of your USB drive and save it on your computer or your USB drive. Change a file on your USB drive, create another signature of the same USB drive, and compare the two signatures. You should see that the signatures do not match, because you changed the content of one of the files on your USB drive.

Verify/Create Hash

The Verify / Create Hash module is used for verifying the integrity of files by calculating their hash values. It can also be used to create a hash of a whole partition or physical disk drive, or of a simple text string.
To calculate a hash for a file, simply input the file path, select one of the available hash functions and press Calculate. To verify the calculated hash with a known hash value, copy the known hash value into the Comparison Hash field.

To create a hash for a partition or drive, select the 'Volume' radio button and then use the drop-down to select from the available drives and partitions. Note that administrator privileges are required for this feature.

To create a hash of a line of text, select the Text option and type or paste the text you want to hash into the text field.

Hash Function / Secondary Hash Function
Specify the hash function to use for hashing. A secondary hash function can also be specified to calculate the hash value simultaneously.
Upper case output
If checked, the calculated hash will be in upper case.

Create a hash for one of the files on your USB drive and put it in the Comparison Hash field. Now change the file, generate the hash of the same file again, and observe that the two hash values do not match because you modified the file.
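As an added example covering both the Signature exercise and the Verify/Create Hash exercise above (this is not OSForensics code; the signature layout and function names are assumptions for the example), the following Python script snapshots a directory tree into a signature of path, size, timestamp and mode, optionally with SHA-256 hashes, and compares two signatures to list created, deleted and modified files. The constructed scenario edits a file without changing its size and restores its timestamp, which is exactly the change a metadata-only signature cannot see and a hash does.

```python
"""Added example: directory signatures and hash verification of the kind the
OSForensics Create/Compare Signature and Verify/Create Hash modules perform."""
import hashlib
import os
import stat
import tempfile


def file_hash(path, algo="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files are not read into memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_hash(path, known_hash, algo="sha256"):
    """Compare against a known value case-insensitively: some tools print
    upper-case hex (the lab's "Upper case output" option)."""
    return file_hash(path, algo) == known_hash.strip().lower()


def create_signature(root, with_hashes=False):
    """Snapshot of a directory tree: relative path -> size, mtime, mode and,
    optionally, SHA-256. This mirrors what the lab says a signature holds:
    path, size and attributes, with hashes optional."""
    signature = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "mode": stat.filemode(st.st_mode),
            }
            if with_hashes and stat.S_ISREG(st.st_mode):
                entry["sha256"] = file_hash(full)
            signature[os.path.relpath(full, root).replace(os.sep, "/")] = entry
    return signature


def compare_signatures(old, new):
    """Files created, deleted or changed between two snapshots."""
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: edit a file in place keeping its size and restoring
    its timestamp, delete one file, add another; compare both signature kinds."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        ledger = os.path.join(docs, "ledger.txt")
        with open(ledger, "wb") as fh:
            fh.write(b"balance=100")
        with open(os.path.join(docs, "keep.txt"), "wb") as fh:
            fh.write(b"unchanged")
        with open(os.path.join(root, "temp.log"), "wb") as fh:
            fh.write(b"log")

        before_meta = create_signature(root)
        before_hash = create_signature(root, with_hashes=True)
        original_hash = file_hash(ledger)

        st = os.stat(ledger)
        with open(ledger, "wb") as fh:
            fh.write(b"balance=900")                           # same length as before
        os.utime(ledger, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        os.remove(os.path.join(root, "temp.log"))
        with open(os.path.join(root, "tool.exe"), "wb") as fh:
            fh.write(b"MZ")

        return {
            "metadata_only": compare_signatures(before_meta, create_signature(root)),
            "with_hashes": compare_signatures(
                before_hash, create_signature(root, with_hashes=True)),
            # The comparison hash was recorded before the edit, so it no longer verifies.
            "ledger_still_verifies": verify_hash(ledger, original_hash.upper()),
        }


if __name__ == "__main__":
    for kind, diff in demo().items():
        print(kind, diff)
```

Both signature kinds report temp.log as deleted and tool.exe as created, but only the hashed signature reports docs/ledger.txt as modified; the metadata-only signature, like the lab's default signature without hashes, misses a same-size edit whose timestamp was restored. The verify step fails for the edited ledger even though the known hash was supplied in upper case.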

Password

Generating Rainbow Tables

This window is used for generating Rainbow Tables. These tables can then be used in the Rainbow Table Password Recovery Window.

To generate a Rainbow Table, fill in the input fields with the appropriate values under the Password Parameters box.

Under the Hash Routine field, select the hash routine that was used to hash the password. Currently, there are four hash routines to choose from: md5, lm, ntlm, and sha1.

Under the Password Length fields, select the suspected minimum and maximum length of the password.


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd