Cyber Forensics: PC

COMPUTER FORENSICS: PC

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

ACKNOWLEDGEMENT

I want to extend my heartfelt appreciation to Dr. John Kingston, my module leader, for providing consistent guidance and assistance throughout the creation of this paper. The expertise and perspectives they shared were crucial in aiding me to understand the Forensics Investigation and its techniques.

ABBREVIATIONS

FTK   Forensic Toolkit
NIST  National Institute of Standards and Technology
USB   Universal Serial Bus
LED   Light Emitting Diode
CPU   Central Processing Unit
CD    Compact Disc
SIM   Subscriber Identity Module
SD    Secure Digital card

Table of Contents

ACKNOWLEDGEMENT
ABBREVIATIONS
TABLE OF FIGURES
LIST OF TABLES
INTRODUCTION
1. SEARCH AND SEIZE
1.1. Items Seized after search
2. IMAGE ACQUISITION
2.1. Forensics Image Creation Steps
3. ANALYSIS
3.1. Analysis: Autopsy
3.2. Analysis: Listing Findings
4. EVIDENCE REPORTING
4.1. Image Timeline: Created
4.2. Image Timeline: Deleted
4.3. Doc Timeline: Created
4.4. Files renamed Timeline
4.5. Evidence conclusion
5. PARALLEL REPORTS
5.1. RECORD OF ACTIONS
5.2. CHAIN OF CUSTODY RECORD
5.3. GENERAL CASE DOCUMENTATION
6. PROCESS DOCUMENTATION
7. CONCLUSION
APPENDIX: A - FTK IMAGER LITE TOOL SCREENSHOTS
APPENDIX: B - AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE
APPENDIX: C - DOC SCRUBBER TOOL [VERSION 1.2]
REFERENCES

TABLE OF FIGURES

Figure 1 Problem Statement
Figure 2 Forensics Steps
Figure 3 Desktop Scene-01
Figure 4 Desktop Scene-02
Figure 5 Desktop Scene-03
Figure 6 Desktop Scene-04
Figure 7 Autopsy view 01
Figure 8 Autopsy Images preview
Figure 9 HEX value for file5.rtf
Figure 10 Changed HEX value of file5.rtf
Figure 11 Chain of Custody label
Figure 12 Email for Authorization
Figure 13 FTK tool Step 01
Figure 14 FTK tool Step 02
Figure 15 FTK tool Step 03
Figure 16 FTK tool Step 04
Figure 17 FTK tool Step 05
Figure 18 FTK tool Step 06
Figure 19 HASH Ver- FTK tool Step 07
Figure 20 Autopsy Images section
Figure 21 Autopsy images preview
Figure 22 Autopsy Deleted files
Figure 23 Autopsy Extn. Mismatch
Figure 24 file1.jpg
Figure 25 file2.dat
Figure 26 f0000639.jpg
Figure 27 f0000000.jpg
Figure 28 file8.jpg
Figure 29 file9.jpg
Figure 30 file10.jpg
Figure 31 image_0.jpg
Figure 32 "file13.dll:here"
Figure 33 file3.jpg
Figure 34 "file4.jpg"
Figure 35 Autopsy "file12.doc"
Figure 36 "file12.doc" image preview
Figure 37 Doc Scrubber Step01
Figure 38 Doc Scrubber Step01
Figure 39 Doc Scrubber Step01

LIST OF TABLES

Table 1 Search & Seize Items
Table 2 List of Findings
Table 3 Autopsy Images table timeline
Table 4 Autopsy Deleted files timeline
Table 5 Autopsy Doc timeline
Table 6 Doc Scrubber: Result of file12.doc
Table 7 Renamed Files Timeline
Table 8 RECORD OF ACTIONS
Table 9 AXB Organization Fair Usage policy

INTRODUCTION

The problem statement is given in Figure 1 below, followed by the steps performed for the forensic analysis.

Figure 1 Problem Statement

The diagram below illustrates the stages of the forensic process (NIST 800-86, 2006).

Figure 2 Forensics Steps

1. SEARCH AND SEIZE:

Preparing for the Search & Seize:
1. Arriving at the investigation scene.
2. Tools required for Search & Seize.
3. Video recording the entire investigation process.
4. Taking photographs.
5. Capturing volatile memory.
6. Checking all the items/devices for any information.

Upon arriving at the investigation scene, the first step is to start video recording so that every subsequent action is documented; the recording is the evidence of which steps were carried out and is used when the report is prepared at a later stage.

Tools: To conduct a thorough investigation the following equipment is required:
o a precision screwdriver set,
o a few USB sticks to capture volatile memory and for troubleshooting (wiped and hashed beforehand, so that nothing from a previous job is carried onto the scene),
o bags to shield electronic devices and components: Faraday bags for radio-capable devices such as the phone and SIM card, and anti-static evidence bags for drives and memory cards,
o sticker labels to record chain-of-custody details,
o a rechargeable power bank and several types of cables to charge phones.

At the investigation site: looking at the figures below, the desktop is unlocked and running. The following steps are carried out.


Figure 3 Desktop Scene-01

Figure 4 Desktop Scene-02



STEP 1:
o Initially, capture the desktop screen contents, including any minimized windows, by photographing the monitor [Figure 3 Desktop Scene-01].
o Subsequently, examine the LED indicator lights on the CPU case unit for ongoing background activity. A continuously blinking drive-activity LED on an otherwise idle machine means some process is reading or writing the disk, which could be a wiping or encryption program; it is a reason to capture memory before anything else.
o Since this is a controlled organization environment, it is unlikely that a destructive program is running, but this must be checked rather than assumed.
STEP 2:
o The second measure is to capture the volatile data from the computer, which is in a powered-on state. Note that Volatility Workbench v3.0.1006 is a GUI front end for analysing a memory dump, not for taking one; the dump itself is acquired with a memory acquisition tool (for example the Capture Memory function of FTK Imager, or WinPmem) run from one of the prepared USB sticks, and the hash of the dump is recorded.
o Once the volatile data is captured:
o Check the CD reader of the CPU case unit for any CD left behind, check for any other memory sticks, and look at the network/Wi-Fi card, as seen in Figure 6 Desktop Scene-04.
o The white CD on the desk is loaded into a CD drive and checked for relevant information. This should be done on a forensic workstation in the lab rather than on the live suspect machine, since inserting media there changes the state of the system under investigation.
o Pull the power cable from the rear of the CPU case unit, as seen in Figure 6 Desktop Scene-04.
o Now remove the hard disk and place it in an anti-static evidence bag with chain-of-custody labels.

Figure 5 Desktop Scene-03

Figure 6 Desktop Scene-04

STEP 3:
o A close look at [Figure 3 Desktop Scene-01] shows a book, a printed sheet, a phone [basic model] and a CD.
o [Figure 5 Desktop Scene-03] provides further details: 3 USB memory sticks, a SIM card, a 32 MB memory card [a camera card, a FUJIFILM xD-Picture Card] and 2 batteries.
o The book is examined for any written information, marked phrases or patterns, and it is seized together with all the other items.
STEP 4:
o The black phone [basic, non-smart phone] is searched for any messages and phone calls.
o After noting the details, the phone is switched off and placed inside the Faraday bag.


1.1. Items Seized after search:

Table 1 Search & Seize Items

ITEMS                     SERIAL NUMBER
Desktop Hard disk         HD01
Memory Stick – Black      MSBLACK01
Memory Stick – White      MSWHITE01
Memory Stick – Silver     MSSLIVER01
Memory Stick – Fujifilm   MSFUJIFLIM01
Sim card – red-white      SIM01
Phone – Black             PHONEBLACK01
CD – white                CDWHITE01
Book – catch-me           BOOK01


2. IMAGE ACQUISITION:

One of the methods used to acquire a copy of investigation devices such as USB drives, hard disks, micro-SD cards and CD drives is the FTK Imager Lite tool. The following steps are followed to create the forensic image of the hard disk/memory stick.

2.1. Forensics Image Creation Steps

The following steps are followed to create the forensic image using FTK Imager version 4.7.1.2 (the imaging component of the Forensic Toolkit, FTK).
The Tableau TD2u write-blocker is connected to the examination workstation; the source USB stick and the destination drive are connected to their respective ports, so that the source can only be read.
Launch FTK Imager Lite:
o FTK Imager Lite -> File menu -> Create Disk Image.
Select Source:
o -> Physical Drive -> Next [Figure 13 FTK tool Step 01].
Source Drive Selection -> select the USB device -> Finish.
Create Image ->
o Image Destination -> Add -> Raw (dd) -> Next [Figure 15 FTK tool Step 03].
Select Image Destination ->
o select the folder -> provide the image file name -> Finish.
Create Image -> tick the check box "Verify images after they are created" -> Start [Figure 16 FTK tool Step 04].
Once the image is created:
Verify Integrity: verification takes place [Figure 17 FTK tool Step 05], then the Drive/Image Verify Results dialog box pops up with the MD5 and SHA1 hash values computed over the source and over the image, which must match [Figure 19 HASH Ver- FTK tool Step 07]. The hashes are copied into the chain-of-custody record so that any later copy of the image can be checked against them.

A write-blocker, in hardware or software form, prevents a computer from writing data to connected storage media, ensuring the preservation of data integrity (NIST 800-86, 2006). Using a write-blocker is recommended while creating a forensic image; here the "Tableau TD2u" [refer to PROCESS DOCUMENTATION] hardware write-blocker is used. Hash functions serve as the validation mechanism, confirming that the forensic image is a bit-for-bit copy of the data on the source device; see "Figure 19 HASH Ver- FTK tool Step 07".
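The procedure above can be expressed as a short program, to make clear what the "Verify images after they are created" option actually does. This is an added example for this page, not FTK Imager's code and not part of the original report: it images a constructed temporary file standing in for a write-blocked device, computes MD5, SHA-1 and SHA-256 while copying, re-reads the finished image and compares the hashes, then flips one byte of the image to show that verification catches the change. Unreadable sectors are zero-filled and logged, as dd conv=noerror,sync would do.

```python
"""Raw (dd-style) acquisition with on-the-fly hashing and post-write verification.

Added example, not part of the original report. The source here is a constructed
temporary file standing in for a write-blocked device; on a real job it would be
the block device presented by the write-blocker.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # sector size; unreadable sectors are zero-filled like dd conv=noerror,sync


def _hashes():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def acquire(source_path, image_path, block=BLOCK):
    """Copy source to a raw image; return the source hashes and the list of bad sectors."""
    h = _hashes()
    bad = []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        sector = 0
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                # Unreadable sector: keep image offsets aligned by writing zeros,
                # record the sector number for the report, and skip past it.
                chunk = b"\x00" * block
                bad.append(sector)
                src.seek((sector + 1) * block)
            if not chunk:
                break
            dst.write(chunk)
            for d in h.values():
                d.update(chunk)
            sector += 1
    return {k: d.hexdigest() for k, d in h.items()}, bad


def hash_file(path, block=1 << 20):
    """Hash an existing file (the image) independently of the copy loop."""
    h = _hashes()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            for d in h.values():
                d.update(chunk)
    return {k: d.hexdigest() for k, d in h.items()}


def verify(source_hashes, image_path):
    """Re-read the image and compare it with the hashes taken from the source."""
    image_hashes = hash_file(image_path)
    return source_hashes == image_hashes, image_hashes


def demo():
    """Constructed scenario: a 4 KiB 'device' is imaged and verified, then one byte
    of the image is altered to show that verification fails afterwards."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "MSBLACK01.bin")   # stand-in for the seized memory stick
        img = os.path.join(d, "cwk1.dd")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 16)      # 4096 bytes = 8 sectors of constructed data
        src_hashes, bad = acquire(dev, img)
        ok, _ = verify(src_hashes, img)
        with open(img, "r+b") as f:             # tamper with a single byte of the image
            f.seek(100)
            f.write(b"\xff")
        tampered_ok, _ = verify(src_hashes, img)
        return ok, tampered_ok, bad, src_hashes


if __name__ == "__main__":
    ok, tampered_ok, bad, hashes = demo()
    print("verified:", ok, "after tamper:", tampered_ok, "bad sectors:", bad)
    for name, value in hashes.items():
        print(f"{name}: {value}")
```

On a real acquisition the source would be the device node presented by the write-blocker, the destination a freshly wiped evidence drive, and the three hashes together with the bad-sector list would be written on the chain-of-custody label. Hashing the source during the copy and the image afterwards means the source is read only once, which matters on failing media.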

3. ANALYSIS:

3.1. Analysis: Autopsy 

Following the creation of the forensic image, the next step is to analyse the image: the files (including those created or modified), web history, communications such as emails and chat applications, photos and videos, and deleted files.
We search for files related to geometric shapes, such as images, documents or executable files. We check the browser history and cache for visits to prohibited websites with content related to geometric shapes. We review email exchanges for discussions or attachments related to forbidden activities. If chat software is installed, we analyse the chat logs for conversations about the geometric shapes group.
Since no useful evidence was found on the other sources, such as the computer hard disk, the forensic image of the memory stick is analysed. The analysis is carried out using Autopsy [version 4.21.0]. Detailed screenshots are in Appendix B, "Autopsy analysis of CWK1.dd Forensics Image". Figure 7 Autopsy view 01 provides an overview of the Autopsy analysis.
Figure 7 Autopsy view 01

3.2. Analysis: Listing Findings

The forensic image analysis gives a full picture of the contents of the memory stick, summarised in Table 2: 9 image files, 5 deleted files, 1 doc file and 4 files whose extension does not match their content.

Table 2 List of Findings

TYPE                 Count   Image preview available   Comments
IMAGE FILES          9       7                         1 stored as a txt file; 1 non-recoverable file
DELETED FILES        5       4                         2 images repeated; 1 non-recoverable file
DOC FILE             1       1                         Contains an image file
RENAMED EXTENSIONS   4       3                         2 image files; 1 txt file; 1 non-recoverable file

Reviewing the image preview [Figure 8 Autopsy Images preview], it is apparent that the memory stick holds images of various geometric shapes, some of which were subsequently deleted.

Figure 8 Autopsy Images preview.

4. EVIDENCE REPORTING:

The chronology of file activities, including creation, modification and deletion, has been documented and is presented in tables for Images, Deleted Files, Documents and Renamed files, giving the timeline for each file type. All times are as shown by Autopsy, in BST.

4.1. Image Timeline: Created

The images were created/modified between 2004-06-09 21:52:20 BST and 2004-06-10 08:38:06 BST. Autopsy shows 0000-00-00 00:00:00 where no file-system timestamp exists: carved files ($CarvedFiles) have no directory entry at all, files inside a zip or tar archive carry only the modification time stored in the archive, and image_0.jpg is an object extracted from inside file12.doc.

Table 3 Autopsy Images table timeline

Name           Modified Time            Change Time              Access Time              Created Time             Location                                                  Comments
f0000000.jpg   0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/$CarvedFiles/1/f0000000.jpg                  JPG file
f0000639.jpg   0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/$CarvedFiles/1/f0000639.jpg                  JPG file
image_0.jpg    0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/misc/file12.doc/image_0.jpg                  JPG file
file8.jpg      2004-06-09 21:52:20 BST  0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/archive/file8.zip/file8.jpg                  JPG file
file9.jpg      2004-06-09 21:53:32 BST  0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/archive/file9.boo/file9.jpg                  JPG file
file10.jpg     2004-06-10 02:54:53 BST  0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/archive/file10.tar.gz/file10.tar/file10.jpg  JPG file
file1.jpg      2004-06-10 07:59:40 BST  2004-06-10 04:27:36 BST  2004-06-10 04:27:36 BST  2004-06-10 04:27:36 BST  /img_cwk1.dd/alloc/file1.jpg                              JPG file
file3.jpg      2004-06-10 08:27:02 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  /img_cwk1.dd/invalid/file3.jpg                            Not a valid JPG
"file4.jpg"    2004-06-10 08:38:06 BST  2004-06-10 04:28:22 BST  2004-06-10 04:28:22 BST  2004-06-10 04:28:20 BST  /img_cwk1.dd/invalid/file4.jpg                            Not a valid JPG




4.2. Image Timeline: Deleted

The last modification times of the two deleted files fall between 2004-06-10 07:48:08 BST and 2004-06-10 07:49:18 BST. The file system does not record the moment of deletion itself, so the deletions can only be placed after these times. The three $CarvedFiles entries were recovered from unallocated space and carry no timestamps.

Table 4 Autopsy Deleted files timeline.

Name           Modified Time            Change Time              Access Time              Created Time             Location                                   Comments
f0000000.jpg   0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/$CarvedFiles/1/f0000000.jpg   JPG file
f0000639.jpg   0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/$CarvedFiles/1/f0000639.jpg   JPG file
f0003372.db    0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      0000-00-00 00:00:00      /img_cwk1.dd/$CarvedFiles/1/f0003372.db    Not a JPG
file6.jpg      2004-06-10 07:48:08 BST  2004-06-10 04:28:00 BST  2004-06-10 04:28:00 BST  2004-06-10 04:28:00 BST  /img_cwk1.dd/del1/file6.jpg                JPG file
file7.hmm      2004-06-10 07:49:18 BST  2004-06-10 04:43:44 BST  2004-06-10 04:43:38 BST  2004-06-10 04:28:00 BST  /img_cwk1.dd/del2/file7.hmm                JPG file


4.3. Doc Timeline: Created

The two document files were created at 2004-06-10 04:28:20 BST (file5.rtf) and 2004-06-10 04:29:17 BST (file12.doc) and last modified at 2004-06-10 08:41:54 BST and 2004-06-10 08:20:58 BST respectively.

Table 5 Autopsy Doc timeline

Name         Modified Time            Change Time              Access Time              Created Time             Location                         Comments
file12.doc   2004-06-10 08:20:58 BST  2004-06-10 04:29:18 BST  2004-06-10 04:29:18 BST  2004-06-10 04:29:17 BST  /img_cwk1.dd/misc/file12.doc     Contains a JPG file
file5.rtf    2004-06-10 08:41:54 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  /img_cwk1.dd/invalid/file5.rtf   Not a JPG

The file "/img_cwk1.dd/misc/file12.doc" contains an embedded image, which Autopsy extracts as image_0.jpg and shows in its preview [Refer Figure 36 "file12.doc" image preview]. Checking the file with the Doc Scrubber [V1.2] application reveals the staff name in the document metadata [Refer Appendix C].

Table 6 Doc Scrubber: Result of file12.doc

File Analyzed: file12.doc
Title:
Author: Brian Carrier
Company:
Keywords:
Subject:
Comments:
Template Used: Normal
Application: Microsoft Word 10.1
Created: 10-06-2004 02:20:00
Last Saved: 10-06-2004 02:20:00
Last Edited By: Brian Carrier
Last Printed:
Page Count: 1
Word Count: 0
Character Count: 0
Revision Count: 1
Total Editing Time (minutes): 0
Unique Identifier (GUID): Not Found.
Recent Hyperlinks List: Not Found.
Revision Log: Found 1 hidden revision(s)
"Brian Carrier" edited file: "lillet:Users:bcarrier:proj:dftt:8-jpeg-search:files:file12.doc"

Three points should be noted before relying on this metadata. The Author and Last Edited By fields are filled from the user name configured in the copy of Word that saved the file; they identify an installation, not the person at the keyboard, and they can be edited. The application version (Microsoft Word 10.1) and the colon-separated path in the revision log are consistent with a save from Word X on Mac OS rather than from the seized desktop, which the investigator should reconcile with the rest of the evidence. Finally, the document's own Created/Last Saved time (02:20:00) differs from the file-system created time (04:29:17 BST); application timestamps and file-system timestamps come from different clocks and time-zone settings and must not be mixed in one timeline without conversion.

The header of the file "/img_cwk1.dd/invalid/file5.rtf" is not the "7B 5C 72 74 66 31" ("{\rtf1") signature of a Rich Text Format file.

Figure 9 HEX value for file5.rtf

Deleting the hex values "78 C2 0E A6" from the start of "/img_cwk1.dd/invalid/file5.rtf", saving the file and reopening it changes the decoded text [Figure 10 Changed HEX value of file5.rtf], but still no useful information is obtained. Such edits must only be made to a working copy exported from the image, never to the image itself or to the original extracted file, and the hash of the copy should be recorded before and after the change so that the evidence still matches the acquisition hashes in Figure 19.

Figure 10 Changed HEX value of file5.rtf.

4.4. Files renamed Timeline:

These files were created from 2004-06-10 04:27:36 BST onwards and last modified up to 2004-06-10 08:27:02 BST. Their extensions do not match their content: Autopsy identifies the content from the file signature (the first bytes of the file), not from the name. The name file13.dll:here is Autopsy's notation for an NTFS alternate data stream called "here" attached to file13.dll; the JPG lives in that stream, while the file's main data stream is what a user normally sees.

Table 7 Renamed Files Timeline

Name              Modified Time            Change Time              Access Time              Created Time             File Path                           Comments
file13.dll:here   2004-06-10 04:29:45 BST  2004-06-10 04:29:45 BST  2004-06-10 04:29:45 BST  2004-06-10 04:29:18 BST  /img_cwk1.dd/misc/file13.dll:here   JPG file
file2.dat         2004-06-10 07:46:52 BST  2004-06-10 04:27:36 BST  2004-06-10 04:27:36 BST  2004-06-10 04:27:36 BST  /img_cwk1.dd/alloc/file2.dat        JPG file
file9.boo         2004-06-10 08:17:46 BST  2004-06-10 04:28:54 BST  2004-06-10 04:28:54 BST  2004-06-10 04:28:51 BST  /img_cwk1.dd/archive/file9.boo      Archive containing a JPG file
file3.jpg         2004-06-10 08:27:02 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  2004-06-10 04:28:20 BST  /img_cwk1.dd/invalid/file3.jpg      Not a valid JPG

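The extension-mismatch findings in Table 2, the header check on file5.rtf in 4.3 and the renamed files in Table 7 all rest on one test: compare a file's leading bytes with the signature its extension implies. The following added example (not code from the report, and not Autopsy's own modules) implements that test and a minimal JPEG carver of the kind that produced the $CarvedFiles entries. The sample files are constructed in memory and named after the report's files; only the RTF signature and the "78 C2 0E A6" bytes quoted in 4.3 are taken from the page, and the tiny JPEG is a synthetic header/trailer, not real image data.

```python
"""File-signature checks and JPEG carving, in the style of Autopsy's
Extension Mismatch Detector and its carving module.

Added example, not code from the original report or from Autopsy. All inputs
are constructed in memory so the example runs offline.
"""
import re

# Magic numbers at offset 0 for the types that matter in this case.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "rtf": b"{\\rtf1",                                 # 7B 5C 72 74 66 31
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",        # OLE2 compound file (Word 97-2003)
    "zip": b"PK\x03\x04",
    "gz": b"\x1f\x8b",
}
# Extensions that may legitimately carry each detected type.
ALLOWED = {
    "jpg": {"jpg", "jpeg"},
    "rtf": {"rtf"},
    "doc": {"doc", "xls", "ppt"},
    "zip": {"zip", "docx", "jar"},
    "gz": {"gz", "tgz"},
}


def sniff(data):
    """Return the type detected from the leading bytes, or None if unknown."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension(name):
    """Extension of the file name; the ':stream' suffix of an NTFS alternate
    data stream (file13.dll:here) belongs to the stream, not to the name."""
    base = name.split(":")[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check(name, data):
    """Classify as 'match', 'mismatch' or 'unknown', as an extension-mismatch module does."""
    kind = sniff(data)
    if kind is None:
        return "unknown", None
    return ("match" if extension(name) in ALLOWED[kind] else "mismatch"), kind


# SOI marker (FF D8 FF) ... EOI marker (FF D9), shortest match, across any bytes.
_JPEG = re.compile(rb"\xff\xd8\xff.*?\xff\xd9", re.DOTALL)


def carve_jpegs(data):
    """Return every JPEG (SOI ... EOI) found anywhere in a blob, as file carving does."""
    return [m.group(0) for m in _JPEG.finditer(data)]


# Constructed sample files, named after the entries in the report.
TINY_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"
SAMPLES = {
    "file1.jpg": TINY_JPEG,
    "file2.dat": TINY_JPEG,                               # JPEG behind a .dat name
    "file13.dll:here": TINY_JPEG,                         # JPEG in an alternate data stream
    "file9.boo": b"PK\x03\x04" + b"\x00" * 26,            # ZIP archive behind a .boo name
    "file5.rtf": b"\x78\xc2\x0e\xa6" + b"\x00" * 12,      # bytes quoted in 4.3, not an RTF header
    "file12.doc": SIGNATURES["doc"] + b"\x00" * 16 + TINY_JPEG + b"\x00" * 4,  # Word file with embedded JPEG
}


def triage(samples=SAMPLES):
    """Run the checks over a name -> bytes mapping and return a report dict."""
    out = {}
    for name, data in samples.items():
        status, kind = check(name, data)
        out[name] = {"status": status, "type": kind, "embedded_jpegs": len(carve_jpegs(data))}
    return out


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name:18} {r['status']:9} {str(r['type']):5} embedded JPEGs: {r['embedded_jpegs']}")
```

The carver stops at the first FF D9 after an FF D8 FF, which truncates JPEGs that carry an embedded EXIF thumbnail with its own end-of-image marker; Autopsy's carving module (PhotoRec) handles that case, so a hand-rolled carver like this one is for triage and for understanding the $CarvedFiles output, not for producing evidence.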

4.5. Evidence conclusion

In accordance with AXB Organization's Fair Usage Policy [Table 9 AXB Organization Fair Usage policy], employees are explicitly prohibited from creating, storing or disseminating pictures of geometric shapes using organizational resources without explicit authorization, and from searching the web for geometric shapes unrelated to work responsibilities.
Following a caution issued in May 2004, images of various shapes were created on the seized memory stick between June 9, 2004, 21:52:20 BST and June 10, 2004, 08:38:06 BST. Given the images of different geometric shapes recovered from the memory stick, the renamed extensions, and the attempts to delete specific files, it appears probable that the staff member was creating and storing a variety of geometric shapes. These actions violate the organization's Fair Usage Policy regarding the use of organizational resources for such activities. The link between the files and the staff member rests on the seizure of the memory stick from their desk and on the document metadata in Table 6, with the caveats noted in 4.3.
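The time spans quoted in 4.1 to 4.5 come from reading the four Autopsy timestamp columns across several tables. The added example below (not part of the original report, and not Sleuth Kit's mactime, whose output format it imitates) merges the records from Tables 3 to 7 into one ordered timeline, drops the all-zero placeholders that carved and archived files carry, and checks for files whose modified time precedes their created time. BST is assumed to be a fixed UTC+1 offset; the records are the report's own values.

```python
"""mactime-style timeline built from the Autopsy timestamps in Tables 3 to 7.

Added example, not part of the original report. Each file contributes up to
four events (m = modified, a = accessed, c = metadata changed, b = created/born);
Autopsy's 0000-00-00 00:00:00 placeholder (carved files, files inside archives)
produces no event. BST is treated as a fixed UTC+1 offset.
"""
from datetime import datetime, timedelta, timezone

BST = timezone(timedelta(hours=1))
ZERO = "0000-00-00 00:00:00"

# (name, modified, changed, accessed, created) as shown in Tables 3, 4, 5 and 7.
RECORDS = [
    ("f0000000.jpg", ZERO, ZERO, ZERO, ZERO),
    ("file8.zip/file8.jpg", "2004-06-09 21:52:20", ZERO, ZERO, ZERO),
    ("file9.boo/file9.jpg", "2004-06-09 21:53:32", ZERO, ZERO, ZERO),
    ("file10.jpg", "2004-06-10 02:54:53", ZERO, ZERO, ZERO),
    ("file1.jpg", "2004-06-10 07:59:40", "2004-06-10 04:27:36", "2004-06-10 04:27:36", "2004-06-10 04:27:36"),
    ("file2.dat", "2004-06-10 07:46:52", "2004-06-10 04:27:36", "2004-06-10 04:27:36", "2004-06-10 04:27:36"),
    ("file3.jpg", "2004-06-10 08:27:02", "2004-06-10 04:28:20", "2004-06-10 04:28:20", "2004-06-10 04:28:20"),
    ("file4.jpg", "2004-06-10 08:38:06", "2004-06-10 04:28:22", "2004-06-10 04:28:22", "2004-06-10 04:28:20"),
    ("file5.rtf", "2004-06-10 08:41:54", "2004-06-10 04:28:20", "2004-06-10 04:28:20", "2004-06-10 04:28:20"),
    ("del1/file6.jpg", "2004-06-10 07:48:08", "2004-06-10 04:28:00", "2004-06-10 04:28:00", "2004-06-10 04:28:00"),
    ("del2/file7.hmm", "2004-06-10 07:49:18", "2004-06-10 04:43:44", "2004-06-10 04:43:38", "2004-06-10 04:28:00"),
    ("file9.boo", "2004-06-10 08:17:46", "2004-06-10 04:28:54", "2004-06-10 04:28:54", "2004-06-10 04:28:51"),
    ("file12.doc", "2004-06-10 08:20:58", "2004-06-10 04:29:18", "2004-06-10 04:29:18", "2004-06-10 04:29:17"),
    ("file13.dll:here", "2004-06-10 04:29:45", "2004-06-10 04:29:45", "2004-06-10 04:29:45", "2004-06-10 04:29:18"),
]


def parse(ts):
    """Return an aware datetime, or None for Autopsy's all-zero placeholder."""
    if ts == ZERO:
        return None
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=BST)


def timeline(records=RECORDS):
    """Merge per-file timestamps into one sorted list of (time, flags, name)."""
    events = {}
    for name, m, c, a, b in records:
        for flag, ts in zip("mcab", (m, c, a, b)):
            t = parse(ts)
            if t is not None:
                events.setdefault((t, name), set()).add(flag)
    # mactime prints the flags in the fixed order m a c b, with '.' for absent ones.
    return [(t, "".join(f if f in flags else "." for f in "macb"), name)
            for (t, name), flags in sorted(events.items())]


def span(events):
    """First and last event time, the basis for statements like 'created between X and Y'."""
    return events[0][0], events[-1][0]


def anomalies(records=RECORDS):
    """Files whose modified time precedes their created time: typical of a copy that
    preserved the source's modification time, or of clock/time-zone trouble, and
    something to explain before drawing conclusions from the timeline."""
    out = []
    for name, m, _c, _a, b in records:
        pm, pb = parse(m), parse(b)
        if pm and pb and pm < pb:
            out.append(name)
    return out


if __name__ == "__main__":
    ev = timeline()
    for t, flags, name in ev:
        print(t.strftime("%Y-%m-%d %H:%M:%S"), flags, name)
    first, last = span(ev)
    print("span:", first, "to", last, "| anomalies:", anomalies())
```

Read top to bottom, the output shows the pattern that 4.5 relies on: every file-system entry was created between 04:27:36 and 04:29:18 on 10 June, the later modifications fall between 07:46:52 and 08:41:54 (file13.dll:here, modified at 04:29:45, is the one exception), and the archived images carry only their internal modification times from the previous evening.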

5. PARALLEL REPORTS: 


5.1. RECORD OF ACTIONS

Table 8 RECORD OF ACTIONS

RECORD OF ACTIONS - FORENSICS INVESTIGATION

Case ID                         : AXB001
Recording Officer Details       : G1454
Date and Time of Recording      : 1 July 2004 10:00 AM
Objectives of the Investigation : Collecting forensic evidence of the suspected staff member Brian Carrier

Actions taken:

1. Scene Documentation:
   a. Starting the video recording equipment to capture the entire investigation process.
2. Taking photographs:
   a. of the table, under the table, and the front and back of the desktop unit;
   b. of the monitor screen, opening the minimized windows and taking photos.
3. Capturing volatile memory:
   a. Using Volatility Workbench v3.0.1006, the GUI for the Volatility Framework, to analyse the dump.
   b. Following the steps to create a memory dump on Windows:
   c. run SYSDM.CPL – System Properties >> Advanced >> Settings >> Complete Memory Dump (this setting only controls what Windows writes if the kernel crashes; the live dump itself is taken with a memory acquisition tool run from the prepared USB stick, and its hash is recorded).
4. Forensic Imaging:
   a. Refer to the Forensics Image Creation Steps section [IMAGE ACQUISITION:].
5. Items Seized:
   a. The items identified on the table are given their respective serial numbers and labelled; see the Search and Seize section and the CHAIN OF CUSTODY RECORD.
6. Analysis Steps:
   a. The analysis steps are captured in the section [ANALYSIS:].
7. Reporting: refer to
   a. RECORD OF ACTIONS
   b. CHAIN OF CUSTODY RECORD
   c. GENERAL CASE DOCUMENTATION
   d. PROCESS DOCUMENTATION
8. Ending the video recording equipment that was capturing the entire investigation process.

Signature: G1454
Date and End Time: 1 July 2004 05:00 PM



5.2. CHAIN OF CUSTODY RECORD


Figure 11 Chain of Custody label

5.3. GENERAL CASE DOCUMENTATION

Authorization email from the organization to conduct the search, seizure and investigation of the suspected staff member's desktop PC.

Figure 12 Email for Authorization

AXB organization policy

Table 9 AXB Organization Fair Usage policy

Policy: AXB Organization Fair Usage policy
Effective Date: 1 April 2003

1. Purpose
This policy is designed to establish guidelines for the use of organizational resources.

2. Scope
This policy applies to all staff members of AXB Organization and governs the use of organizational resources for creating, storing, searching the web for, or disseminating pictures of geometric shapes.

3. Prohibited Activities
Staff members are expressly prohibited from engaging in the following activities:
a. Creating, storing, or disseminating pictures of geometric shapes using AXB organizational resources without explicit authorization.
b. Searching the web for geometric shapes that are not directly related to work responsibilities.

4. Monitoring and Reporting
AXB Organization reserves the right to monitor organizational resources for compliance with this policy. Any employee found in violation will be reported to the appropriate authorities for further investigation.

5. Enforcement
The AXB Information Technology department will be responsible for enforcing this policy. The IT department will have the authority to audit employee computer activity and to confiscate or disable any equipment that is being used in violation of this policy.

6. Revisions
This policy may be revised from time to time. AXB employees will be notified of any changes to this policy.

Approved Date: 31 March 2003
Approved By: HR Head


6. PROCESS DOCUMENTATION

Volatility Workbench v3.0.1006: GUI for the Volatility Framework (analysis of memory dumps)
o https://www.osforensics.com/tools/volatility-workbench.html
o https://www.cyberpunk.rs/volatility-workbench-gui-for-volatility-framework
Tableau TD2u – hardware-based write-blocker
o https://security.opentext.com/docs/default-source/document-library/user-guide/td2u-forensic-duplicator-user-guide_7b3e638f-e7f3-4540-b9b6-d62a106381d1.pdf
FTK Imager version 4.7.1.2 [Forensic Toolkit Imager]
o https://www.exterro.com/ftk-imager
o https://d1kpmuwb7gvu1i.cloudfront.net/Imager/4_7_1/FTKImager_UserGuide.pdf
Autopsy [version 4.21.0]
o https://www.autopsy.com/
o https://github.com/sleuthkit/autopsy/blob/develop/Running_Linux_OSX.md
Doc Scrubber [V1.2]
o https://www.brightfort.com/docscrubber.html#FAQ
Organization policy: link provided by the organization.

7. CONCLUSION

The forensic inquiry began with search and seizure, progressed to the examination of the desktop PC, and culminated in the analysis of the forensic image "CWK1.dd". Throughout the investigation the steps described above were carried out, including the creation of the forensic image and its analysis with Autopsy and Doc Scrubber. No substantial findings emerged from the examination of the desktop hardware. The forensic image of the memory stick, however, provided the evidence relevant to the circumstances that prompted the organization to initiate the investigation: the creation of various images of geometric shapes, files stored under misleading extensions, and the deletion of certain files. All of these are captured in the investigation report and the parallel reports.

APPENDIX: A
FTK IMAGER LITE TOOL SCREENSHOTS:

Figure 13 FTK tool Step 01

Figure 14 FTK tool Step 02

Figure 15 FTK tool Step 03

Figure 16 FTK tool Step 04

Figure 17 FTK tool Step 05

Figure 18 FTK tool Step 06

Figure 19 HASH Ver- FTK tool Step 07




APPENDIX: B
AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE

Figure 20 Autopsy Images section.

Figure 21 Autopsy images preview

Figure 22 Autopsy Deleted files.

Figure 23 Autopsy Extn. Mismatch


Figure 24 file1.jpg



Figure 25 File2.dat


Figure 26 f0000639.jpg


Figure 27 f0000000.jpg


Figure 28 file8.jpg

Figure 29 file9.jpg



Figure 30 file10.jpg


Figure 31 image_0.jpg

Figure 32  "file13.dll:here"

Figure 33  file3.jpg

Figure 34 "file4.jpg"

Figure 35 Autopsy "file12.doc"

Figure 36 "file12.doc" image preview

Appendix C:
Doc Scrubber tool [Version1.2]:

Figure 37 Doc Scrubber Step01

Figure 38 Doc Scrubber Step01

Figure 39 Doc Scrubber Step01

REFERENCES

1. NIST 800-86 (2006), "Guide to Integrating Forensic Techniques into Incident Response", https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-86.pdf, https://csrc.nist.gov/pubs/sp/800/86/final
2. NTU (2023), COMP40571: Computer Forensics 2023/24, lecture notes.