HOME LAB

Cyber Forensics: PC

COMPUTER FORENSICS: PC

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

ACKNOWLEDGEMENT

I want to extend my heartfelt appreciation to Dr. John Kingston, my module leader, for providing consistent guidance and assistance throughout the creation of this paper. The expertise and perspectives they shared were crucial in aiding me to understand the Forensics Investigation and its techniques.

ABBREVIATIONS  

FTK Forensic Toolkit
NIST National Institute of Standards and Technology
USB Universal Serial Bus
LED Light Emitting Diode
CPU Central Processing Unit
CD         Compact disc
SIM         Subscriber Identity Module
SD         Secure digital card

Table of Contents

ACKNOWLEDGEMENT 2
ABBREVIATIONS 3
TABLE OF FIGURES 5
LIST OF TABLES 6
INTRODUCTION 7
1. SEARCH AND SEIZE: 8
1.1. Items Seized after search: 10
2. IMAGE ACQUISITION: 10
2.1. Forensics Image Creation Steps 11
3. ANALYSIS: 11
3.1. Analysis: Autopsy 11
3.2. Analysis: Listing Findings 12
4. EVIDENCE REPORTING: 13
4.1. Image Timeline: Created 13
4.2. Image Timeline: Deleted 15
4.3. Doc Timeline: Created 15
4.4. Files renamed Timeline: 17
4.5. Evidence conclusion 18
5. PARALLEL REPORTS: 19
5.1. RECORD OF ACTIONS 19
5.2. CHAIN OF CUSTODY RECORD 20
5.3. GENERAL CASE DOCUMENTATION 21
6.1. PROCESS DOCUMENTATION 23
7. CONCLUSION 23
APPENDIX: A 24
FTK IMAGER LIGHT TOOL SCREENSHOTS: 24
APPENDIX: B 26
AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE: 26
Appendix C: 33
Doc Scrubber tool [Version1.2]: 33
REFERENCES 34

TABLE OF FIGURES 

Figure 1 Problem Statement 7
Figure 2 Forensics Steps 7
Figure 3 Desktop Scene-01 8
Figure 4 Desktop Scene-02 8
Figure 5 Desktop Scene-03 9
Figure 6 Desktop Scene-04 9
Figure 7 Autopsy view 01 12
Figure 8 Autopsy Images preview. 13
Figure 9 HEX value for file5.rtf 16
Figure 10 Changed HEX value of file5.rtf. 17
Figure 11 Chain of Custody label 20
Figure 12 Email for Authorization 21
Figure 13 FTK tool Step 01 24
Figure 14 FTK tool Step 02 24
Figure 15 FTK tool Step 03 24
Figure 16 FTK tool Step 04 25
Figure 17 FTK tool Step 05 25
Figure 18 FTK tool Step 06 25
Figure 19 HASH Ver- FTK tool Step 07 25
Figure 20 Autopsy Images section. 26
Figure 21 Autopsy images preview 27
Figure 22 Autopsy Deleted files. 27
Figure 23 Autopsy Extn. Mismatch 28
Figure 24 file1.jpg 28
Figure 25 File2.dat 28
Figure 26 f0000639.jpg 29
Figure 27 f0000000.jpg 29
Figure 28 file8.jpg 29
Figure 29 file9.jpg 29
Figure 30 file10.jpg 30
Figure 31 image_0.jpg 30
Figure 32  "file13.dll:here" 30
Figure 33  file3.jpg 31
Figure 34 "file4.jpg" 31
Figure 35 Autopsy "file12.doc" 32
Figure 36 "file12.doc- image preview 32
Figure 37 Doc Scrubber Step01 33
Figure 38 Doc Scrubber Step01 33
Figure 39 Doc Scrubber Step01 34

LIST OF TABLES

Table 1 Search & Seize Items 10
Table 2 List of Findings 12
Table 3 Autopsy Images table timeline 14
Table 4 Autopsy Deleted files timeline. 15
Table 5 Autopsy Doc timeline 15
Table 6 Doc Scrubber: Result of file12.doc 16
Table 7 Renamed Files Timeline 18
Table 8 RECORD OF ACTIONS 19
Table 9 AXB Organization Fair Usage policy 22

INTRODUCTION

Problem Statement is detailed in the below Figure 1, followed by the steps which will be performed for the forensic analysis.

Figure 1 Problem Statement
The diagram presented below illustrates the stages incorporated in the forensics cycle (NIST 800-86, 2006).
Figure 2 Forensics Steps

1. SEARCH AND SEIZE:


Preparing for the Search & Seize.
1. Arriving at the investigation scene.
2. Tools required for Search & Seize. 
3. Video graphing entire investigation process
4. Taking Photographs
5. Capturing volatile memories
6. Checking all the items/ devices for any information.
Upon arriving at the investigation scene, the initial step should be to commence video recording to document all subsequent actions undertaken, which are vital to prove what the steps are carried out and useful to prepare report at the later stage. 
Tools: To conduct a thorough investigation some of the equipment’s required are.
precision screwdrivers set, 
few USB sticks to capture volatile memory and for troubleshooting, 
bags to shield any electronic devices and components like Faraday bags, 
Sticker labels to capture Chain-of-custody details, 
rechargeable power bank and several types of cables to charge phones. 
At the investigation Site: Looking at the below [Figure], the desktop is in unlocked and running state. 
The following steps to be carried out.


Figure 3 Desktop Scene-01

Figure 4 Desktop Scene-02



STEP 1: 
o Initially, capture the desktop screen contents including any minimized tabs by taking photographs of the monitor [Figure 3 Desktop Scene-01].
o Subsequently, examine the LED indicator lights on the CPU case unit to identify any ongoing background activity. Continuous blinking of the LED indicators suggests potential malicious or destructive activity. 
o Since this being a controlled organization, it is highly likely to run any destructive programs. 
STEP 2: 
o The second measure is to capture the volatile data from the computer, which is in a turned-on state, using the Volatility Workbench v3.0.1006 application. 
o Once the Volatile data is captured. 
o Check the CD reader from the CPU case unit for any CD is left behind, any other memory sticks and look in the network Wi-Fi card is seen in Figure Desktop Scene-04.
o The white CD, which is on the desk, is loaded into the CD rack and checked for relevant information.
o pull the power cable from rear of the CPU case unit which is seen in Figure Desktop Scene-04.
o Now remove the hard-disk and place in faraday bag with Chain of custody labels. 

Figure 5 Desktop Scene-03


Figure 6 Desktop Scene-04


STEP 3: 
o A close look up into [Figure Desktop Scene-01] provides details – there is a book, a printed sheet, a Phone [basic model] and a CD.  
o The next [Figure Desktop Scene-03] provides some more details like – 3 USB memory sticks, a SIM card, a 32MB Memory card [specialized for camera with name FUJIFLIM XD Picture card] and 2 batteries.
o Trying to find relevant information from the book, are there any written info or marked phrases or patterns and batteries all other items are seized. 
STEP 4:
o Phone – Black [Basic non-smart phone] is searched for any messages and phone calls.
o After making note of the details, the phone is switched off and placed inside the faraday bag. 


1.1. Items Seized after search:


Table 1 Search & Seize Items

ITEMS

SERIAL NUMBER

Desktop Hard disk

HD01

Memory Stick – Black

MSBLACK01

Memory Stick – White

MSWHITE01

Memory Stick – Sliver

MSSLIVER01

Memory Stick – Fujifilm

MSFUJIFLIM01

Sim card – red-white

SIM01

Phone – Black

PHONEBLACK01

CD – white

CDWHITE01

Book – catch-me

BOOK01


2. IMAGE ACQUISITION:

One of the methods used to acquire a copy of investigation devices like USB drives, hard disks, micro-SD cards, and CD drives is the FTK Imager Lite tool. The following steps are followed to create the forensics image of the hard disk/ memory stick. 

2.1. Forensics Image Creation Steps

The following steps are to be followed to recreate the forensic image using FTK Version 4.7.1.2 [Forensic Toolkit]. 
Tableau TD2u write blocker is connected to the desktop- the source USB and destination device copy are connected to respective terminals. 
Launch FTK Imager Lite: 
o FTK Imager Lite -> File menu -> Create disk image.
Select source:
o -> Physical Drive -> next [Figure FTK tool Step 01].
Source Drive selection -> USB -> finish
Create image -> 
o Image Destination-> Add -> Raw(dd) ->next [Figure FTK tool Step 03].
Select image Destination -> 
o select folder -> provide Image file name -> finish.
Create image -> select check box – verify images after they are created -> Start [Figure FTK tool Step 04].
Once the images are created:
Verify Integrity: verifying takes place [Figure FTK tool Step 05], then – Drive/Image verify results dialog box is popped out with MD5 hash values check [Figure FTK tool Step 07].
A write-blocker, whether in the form of hardware or software, is a device that prevents a computer from writing data to any linked storage media, ensuring the preservation of data integrity. A write-blocker is designed to prohibit a computer from writing data to connected storage media (NIST 800-86, 2006). Using a write-blocker is recommended while creating a forensic image. Here the “Tableau TD2u” [refer - PROCESS DOCUMENTATION] hardware-based write-blocker is used to create the Forensics image. The Hash-functions function as a validation mechanism, ensuring that a forensic image accurately replicates the data stored on a computer disk same can be referred in “Figure HASH Ver- FTK tool Step 07”.

3. ANALYSIS:

3.1. Analysis: Autopsy 

Following the creation of the forensic image, the subsequent step involves the analysis of the image to scrutinize the files, including those created or modified, web history activities, and communications such as emails, chat applications, photos, videos, as well as deleted files. 
We search for files related to geometric shapes, such as images, documents, or executable files. We check the browser history and cache to find any visits to prohibited websites with content related to geometric shapes. We review email exchanges for discussions or attachments related to forbidden activities. If chat software is installed, we analyze the chat logs for conversations about the geometric shapes group.
Now we are analyzing the forensic image of the memory sticks as there is no useful evidence from other sources like computer hard disks. The analysis is carried out using Autopsy [version 4.21.0]. The detailed screenshots are accessible in Appendix under – “Autopsy analysis of CWK1.dd Forensics Image”. The below Figure Autopsy view 01 provide an overview of the autopsy analysis. 
Figure 7 Autopsy view 01

3.2. Analysis: Listing Findings

The forensic image analysis yields comprehensive insights into the contents of the memory stick, encompassing a [Table of Findings] comprising 9 image files, 5 deleted files, 1 doc file, and 4 files that have been subject to renaming. 

Table 2 List of Findings

TYPE

Count

Image preview
available

Comments

IMAGE FILES

9

7

1 as txt file
1 non recoverable file

DELETED FILES

5

4

2 Images Repetitive
1 non recoverable file

DOC FILE

1

1

Contains Image file

RENAMED EXTENSIONS

4

3

2 Image files
1 txt file
1 non recoverable file


Reviewing the image preview [Figure Autopsy Images preview.], it is apparent that the staff member has been actively generating and deleting various geometric shapes.

Figure 8 Autopsy Images preview.

4. EVIDENCE REPORTING:


The entire chronology of file activities, including creation, modification, and deletion, has been meticulously documented and is presented in dedicated tables categorized as Images, Deleted Files, Documents and Renamed files, providing a comprehensive overview of the timeline for each file type.

4.1. Image Timeline: Created

The images are created/ modified during the timeline from 2004-06-09 21:52:20 BST till 2004-06-10 08:38:06 BST. 

Table 3 Autopsy Images table timeline

IMG link

Modified Time

Change Time

Access Time

Created Time

Location

Comments

f0000000.jpg

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/$CarvedFiles/1/f0000000.jpg

JPG File

f0000639.jpg

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/$CarvedFiles/1/f0000639.jpg

JPG File

image_0.jpg

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/misc/file12.doc/image_0.jpg

JPG File

file8.jpg

2004-06-09 21:52:20 BST

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/archive/file8.zip/file8.jpg

JPG File

file9.jpg

2004-06-09 21:53:32 BST

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/archive/file9.boo/file9.jpg

JPG File

file10.jpg

2004-06-10 02:54:53 BST

0000-00-00 00:00:00

0000-00-00 00:00:00

0000-00-00 00:00:00

/img_cwk1.dd/archive/file10.tar.gz/file10.tar/file10.jpg

JPG File

file1.jpg

2004-06-10 07:59:40 BST

2004-06-10 04:27:36 BST

2004-06-10 04:27:36 BST

2004-06-10 04:27:36 BST

/img_cwk1.dd/alloc/file1.jpg

JPG file

file3.jpg

2004-06-10 08:27:02 BST

2004-06-10 04:28:20 BST

2004-06-10 04:28:20 BST

2004-06-10 04:28:20 BST

/img_cwk1.dd/invalid/file3.jpg

No JPG

"file4.jpg"

2004-06-10 08:38:06 BST

2004-06-10 04:28:22 BST

2004-06-10 04:28:22 BST

2004-06-10 04:28:20 BST

/img_cwk1.dd/invalid/file4.jpg

No JPG



4.2. Image Timeline: Deleted

The Images were deleted during the timeline 2004-06-10 07:48:08 BST till 2004-06-10 07:49:18 BST.

Table 4 Autopsy Deleted files timeline.

Name

Modified Time

Change Time

Access Time

Created Time

Location

Comments

f0000000.jpg

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

/img_cwk1.dd/$CarvedFiles/1/

f0000000.jpg

JPG File

f0000639.jpg

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

/img_cwk1.dd/$CarvedFiles/1/

f0000639.jpg

JPG File

f0003372.db

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

0000-00-00

 00:00:00

/img_cwk1.dd/$CarvedFiles/1/

f0003372.db

No JPG

file6.jpg

2004-06-10

 07:48:08 BST

2004-06-10

 04:28:00 BST

2004-06-10

 04:28:00 BST

2004-06-10

 04:28:00 BST

/img_cwk1.dd/del1

/file6.jpg

JPG File

file7.hmm

2004-06-10

 07:49:18 BST

2004-06-10

 04:43:44 BST

2004-06-10

 04:43:38 BST

2004-06-10

 04:28:00 BST

/img_cwk1.dd/del2/

file7.hmm

JPG File


4.3. Doc Timeline: Created  

This document was created/ modified during the timeline 2004-06-10 08:20:58 BST till 2004-06-10 04:29:17 BST. 

Table 5 Autopsy Doc timeline

Name

Modified

 Time

Change

 Time

Access

 Time

Created

 Time

Location


Comments


file12.doc

2004-06-10

 08:20:58 BST

2004-06-10

 04:29:18 BST

2004-06-10

 04:29:18 BST

2004-06-10

 04:29:17 BST

/img_cwk1.dd/

misc/file12.doc

JPG File


file5.rtf

2004-06-10

 08:41:54 BST

2004-06-10

 04:28:20 BST

2004-06-10

 04:28:20 BST

2004-06-10

 04:28:20 BST

/img_cwk1.dd/

invalid/file5.rtf

No JPG



File “/img_cwk1.dd/misc/file12.doc” when the extension is renamed as JPG and the image file is revealed [Refer- Figure "file12.doc- image preview]. Checking against the Doc Scrubber [V1.2] application reveals the Staff name [Refer- Appendix C:]. 

Table 6 Doc Scrubber: Result of file12.doc

File Analyzed: file12.doc

Title: 

Author: Brian Carrier

Company:

Keywords:

Subject:

Comments:

Template Used: Normal

Application: Microsoft Word 10.1

Created: 10-06-2004 02:20:00

Last Saved: 10-06-2004 02:20:00

Last Edited By: Brian Carrier

Last Printed:

Page Count: 1

Word Count: 0

Character Count: 0

Revision Count: 1

Total Editing Time (minutes): 0

Unique Identifier (GUID): Not Found.

Recent Hyperlinks List: Not Found.

 

Revision Log: Found 1 hidden revision(s)

"Brian Carrier" edited file: "lillet:Users:bcarrier:proj:dftt:8-jpeg-search:files:file12.doc"

 



File “/img_cwk1.dd/invalid/file5.rtf”, the HEX header value is not same as “7B 5C 72 74 66 31” for an RTF Rich Text Format file. 

Figure 9 HEX value for file5.rtf

After deleting the HEX values “78 C2 0E A6” of the “/img_cwk1.dd/invalid/file5.rtf”, saving the file and reopening give a change in the decoded texts [Figure Changed HEX value of file5.rtf] and still there is no useful information obtained. 

Figure 10 Changed HEX value of file5.rtf.

4.4. Files renamed Timeline:

These files were modified during the timeline 2004-06-10 04:27:36 BST till 2004-06-10 08:17:46 BST.

Table 7 Renamed Files Timeline

Name

Modified Time

Change Time

Access Time

Created Time

File Path

Comments

file13.dll:here

2004-06-10 04:29:45 BST

2004-06-10 04:29:45 BST

2004-06-10 04:29:45 BST

2004-06-10 04:29:18 BST

/img_cwk1.dd/misc/file13.dll:here

JPG file

file2.dat

2004-06-10 07:46:52 BST

2004-06-10 04:27:36 BST

2004-06-10 04:27:36 BST

2004-06-10 04:27:36 BST

/img_cwk1.dd/alloc/file2.dat

JPG file

file9.boo

2004-06-10 08:17:46 BST

2004-06-10 04:28:54 BST

2004-06-10 04:28:54 BST

2004-06-10 04:28:51 BST

/img_cwk1.dd/archive/file9.boo

JPG file

file3.jpg

2004-06-10 08:27:02 BST

2004-06-10 04:28:20 BST

2004-06-10 04:28:20 BST

2004-06-10 04:28:20 BST

/img_cwk1.dd/invalid/file3.jpg

No JPG


4.5. Evidence conclusion

In accordance with AXB Organization's Fair Usage Policy outlined in [Table 9 AXB Organization Fair Usage policy], the policy explicitly prohibits any employee from creating, storing, or disseminating pictures of geometric shapes using organizational resources without explicit authorization. Additionally, employees are restricted from searching the web for geometric shapes unrelated to work responsibilities.
Following a caution issued in May 2004, the staff member proceeded to create various shapes between June 9, 2004, 21:52:20 BST, and June 10, 2004, 08:38:06 BST. Upon forensic investigation and the analysis of images showcasing different geometric shapes generated by the staff, as well as attempts to delete specific files, it appears probable that the staff member is indeed employing a variety of geometric shapes. These actions are in violation of the organization's Fair Usage Policy regarding the use of organizational resources for such activities.

5. PARALLEL REPORTS: 


5.1. RECORD OF ACTIONS

Table 8 RECORD OF ACTIONS

RECORD OF ACTIONS - FORENSICS INVESTIGATION

Case ID                                    : AXB001

Recording Officer Details          : G1454

Date and Time of Recording     : 1 July 2004 10:00 Am

Objectives of the Investigation : Collecting Forensics evidence of the suspected staff member Brian Carrier

Actions taken:

1.    Scene Documentation:

a.    Starting the video recording equipment to capture the entire investigation process.

2.    Taking photographs-

a.    of the table, under the table, Front & back of the desktop unit

b.    of the monitor screen, opening the minimized windows and taking photos.

3.    Capturing Volatile memory:

a.    Using the Volatility Workbench is v3.0.1006: GUI For Volatility Framework tool.

b.    Following the steps to create a memory dump on Windows,

c.     run SYSDM.CPL– System Properties >> Advanced >> Settings >> Complete Memory Dump

4.    Forensic Imaging:

a.    Reference the Forensics Image Creation Steps section [IMAGE ACQUISITION:].

5.    Items Seized:

a.    The items are identified on the table and are provided the respective serial number and labelled, same can be identified in search and seize section and CHAIN OF CUSTODY FORM

6.    Analysis Steps:

a.    Analyss steps involved are captured in the section [ANALYSIS:].

7.    Reporting: refer to

a.    RECORD OF ACTIONS

b.    CHAIN OF CUSTODY RECORD

c.     GENERAL CASE DOCUMENTATION

d.    PROCESS DOCUMENTATION

8.    Ending the video recording equipment that was capturing the entire investigation process.

Signature: G1454

Date and End Time: 1 July 2004 05:00 Pm



5.2. CHAIN OF CUSTODY RECORD


Figure 11 Chain of Custody label

5.3. GENERAL CASE DOCUMENTATION

Authorization mail from the organization to conduct search, seize and investigation of the suspected staff desktop PC.

Figure 12 Email for Authorization
AXB organization Policy

Table 9 AXB Organization Fair Usage policy

Policy: AXB Organization Fair Usage policy

Effective Date: 1 April 2003

1. Purpose

This policy is designed to establish guidelines for the use of organizational resources.

 

2. Scope:

This policy applies to all staff members of AXB Organization and governs the use of organizational resources for creating, storing, searching the web for, or disseminating pictures of geometric shapes.

 

3. Prohibited Activities:

Staff members are expressly prohibited from engaging in the following activities:

a. Creating, storing, or disseminating pictures of geometric shapes using AXB organizational resources without explicit authorization.

b. Searching the web for geometric shapes that are not directly related to work responsibilities.

 

4. Monitoring and Reporting:

AXB Organization reserves the right to monitor organizational resources for compliance with this policy. Any employee found in violation will be reported to the appropriate authorities for further investigation.

 

1.   Enforcement

AXB Information Technology department will be responsible for enforcing this policy. The IT department will have the authority to audit employee computer activity and to confiscate or disable any equipment that is being used in violation of this policy.

Revisions

This policy may be revised from time to time. AXB employees will be notified of any changes to this policy.

Approved Date: 31 March 2003

Approved By: HR Head


6 PROCESS DOCUMENTATION

Volatility Workbench is v3.0.1006: GUI For Volatility Framework tool.
o https://www.osforensics.com/tools/volatility-workbench.html
o https://www.cyberpunk.rs/volatility-workbench-gui-for-volatility-framework
Tableau TD2u – hardware-based write-blocker
o https://security.opentext.com/docs/default-source/document-library/user-guide/td2u-forensic-duplicator-user-guide_7b3e638f-e7f3-4540-b9b6-d62a106381d1.pdf
FTK Version 4.7.1.2 [Forensic Toolkit]
o https://www.exterro.com/ftk-imager
o https://d1kpmuwb7gvu1i.cloudfront.net/Imager/4_7_1/FTKImager_UserGuide.pdf
Autopsy [version 4.21.0]
o https://www.autopsy.com/
o https://github.com/sleuthkit/autopsy/blob/develop/Running_Linux_OSX.md
Doc Scrubber [V1.2]
o https://www.brightfort.com/docscrubber.html#FAQ
Organization Policy Link provided by the organization. 

7. CONCLUSION 

The forensic inquiry commenced with search and seizure, progressed to the examination of the desktop PC, and ultimately culminated in the analysis of the forensic image labeled as "CWK1.dd." Throughout the forensic investigation process, various steps were undertaken, including the creation of the forensic image and its subsequent analysis using tools such as Autopsy and Doc Scrubber. Unfortunately, no substantial findings emerged from the examination of the desktop hardware. However, the forensic image extracted from the memory stick provided valuable insights, shedding light on the circumstances that prompted the organization to initiate the investigation. The analysis revealed the creation of diverse images featuring geometric shapes and the deletion of certain files. All these are captured in investigation reports and parallel reports. 

APPENDIX: A
FTK IMAGER LIGHT TOOL SCREENSHOTS:

Figure 13 FTK tool Step 01

Figure 14 FTK tool Step 02

 

Figure 15 FTK tool Step 03


Figure 15 FTK tool Step 03

 




Figure 16 FTK tool Step 04

Figure 17 FTK tool Step 05




 

Figure 18 FTK tool Step 06

Figure 19 HASH Ver- FTK tool Step 07




APPENDIX: B
AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE

Figure 20 Autopsy Images section.

Figure 21 Autopsy images preview

Figure 22 Autopsy Deleted files.

Figure 23 Autopsy Extn. Mismatch


Figure 24 file1.jpg



Figure 25 File2.dat


Figure 26 f0000639.jpg


Figure 27 f0000000.jpg


Figure 28 file8.jpg

Figure 29 file9.jpg



Figure 30 file10.jpg


Figure 31 image_0.jpg

Figure 32  "file13.dll:here"

Figure 33  file3.jpg

Figure 34 "file4.jpg"

Figure 35 Autopsy "file12.doc"

Figure 36 "file12.doc- image preview

Appendix C:
Doc Scrubber tool [Version1.2]:

Figure 37 Doc Scrubber Step01

Figure 38 Doc Scrubber Step01

Figure 39 Doc Scrubber Step01

REFERENCES

1. (NIST 800-86, 2006), “Guide to Integrating Forensic Techniques into Incident Response”, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-86.pdf, “https://csrc.nist.gov/pubs/sp/800/86/final”
2. (NTU, 2023), COMP40571: Computer Forensics 202324 – Lecture notes
















































Comments

Popular Posts

Chennai :MTC complaint cell Customer Care No.:+91-9445030516 /Toll Free : 18005991500

Marriage Registration Online steps [Tamil Nadu]

HOME LAB