COMPUTER FORENSICS: PC
DISCLAIMER:
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserves the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
ACKNOWLEDGEMENT
I want to extend my heartfelt appreciation to Dr. John Kingston, my module leader, for providing consistent guidance and assistance throughout the creation of this paper. The expertise and perspectives they shared were crucial in aiding me to understand the Forensics Investigation and its techniques.
ABBREVIATIONS
FTK – Forensic Toolkit
NIST – National Institute of Standards and Technology
USB – Universal Serial Bus
LED – Light Emitting Diode
CPU – Central Processing Unit
CD – Compact Disc
SIM – Subscriber Identity Module
SD – Secure Digital card
Table of Contents
ACKNOWLEDGEMENT
ABBREVIATIONS
TABLE OF FIGURES
LIST OF TABLES
INTRODUCTION
1. SEARCH AND SEIZE:
1.1. Items Seized after search:
2. IMAGE ACQUISITION:
2.1. Forensics Image Creation Steps
3. ANALYSIS:
3.1. Analysis: Autopsy
3.2. Analysis: Listing Findings
4. EVIDENCE REPORTING:
4.1. Image Timeline: Created
4.2. Image Timeline: Deleted
4.3. Doc Timeline: Created
4.4. Files renamed Timeline:
4.5. Evidence conclusion
5. PARALLEL REPORTS:
5.1. RECORD OF ACTIONS
5.2. CHAIN OF CUSTODY RECORD
5.3. GENERAL CASE DOCUMENTATION
6. PROCESS DOCUMENTATION
7. CONCLUSION
APPENDIX: A – FTK IMAGER LIGHT TOOL SCREENSHOTS:
APPENDIX: B – AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE:
Appendix C: Doc Scrubber tool [Version 1.2]:
REFERENCES
TABLE OF FIGURES
Figure 1 Problem Statement
Figure 2 Forensics Steps
Figure 3 Desktop Scene-01
Figure 4 Desktop Scene-02
Figure 5 Desktop Scene-03
Figure 6 Desktop Scene-04
Figure 7 Autopsy view 01
Figure 8 Autopsy Images preview.
Figure 9 HEX value for file5.rtf
Figure 10 Changed HEX value of file5.rtf.
Figure 11 Chain of Custody label
Figure 12 Email for Authorization
Figure 13 FTK tool Step 01
Figure 14 FTK tool Step 02
Figure 15 FTK tool Step 03
Figure 16 FTK tool Step 04
Figure 17 FTK tool Step 05
Figure 18 FTK tool Step 06
Figure 19 HASH Ver- FTK tool Step 07
Figure 20 Autopsy Images section.
Figure 21 Autopsy images preview
Figure 22 Autopsy Deleted files.
Figure 23 Autopsy Extn. Mismatch
Figure 24 file1.jpg
Figure 25 File2.dat
Figure 26 f0000639.jpg
Figure 27 f0000000.jpg
Figure 28 file8.jpg
Figure 29 file9.jpg
Figure 30 file10.jpg
Figure 31 image_0.jpg
Figure 32 "file13.dll:here"
Figure 33 file3.jpg
Figure 34 "file4.jpg"
Figure 35 Autopsy "file12.doc"
Figure 36 "file12.doc- image preview
Figure 37 Doc Scrubber Step01
Figure 38 Doc Scrubber Step01
Figure 39 Doc Scrubber Step01
LIST OF TABLES
Table 1 Search & Seize Items
Table 2 List of Findings
Table 3 Autopsy Images table timeline
Table 4 Autopsy Deleted files timeline.
Table 5 Autopsy Doc timeline
Table 6 Doc Scrubber: Result of file12.doc
Table 7 Renamed Files Timeline
Table 8 RECORD OF ACTIONS
Table 9 AXB Organization Fair Usage policy
INTRODUCTION
The problem statement is detailed in Figure 1 below, followed by the steps that will be performed for the forensic analysis.
Figure 1 Problem Statement
The diagram below illustrates the stages of the forensics cycle (NIST 800-86, 2006).
Figure 2 Forensics Steps
1. SEARCH AND SEIZE:
Preparing for the Search & Seize:
1. Arriving at the investigation scene.
2. Tools required for Search & Seize.
3. Video recording the entire investigation process.
4. Taking photographs.
5. Capturing volatile memory.
6. Checking all the items/devices for any information.
Upon arriving at the investigation scene, the first step is to start video recording so that every subsequent action is documented; the recording is vital to prove which steps were carried out and is useful when preparing the report at a later stage.
Tools: To conduct a thorough investigation, some of the equipment required is:
• a precision screwdriver set,
• a few USB sticks to capture volatile memory and for troubleshooting,
• bags to shield electronic devices and components, such as Faraday bags,
• sticker labels to capture chain-of-custody details,
• a rechargeable power bank and several types of cables to charge phones.
At the investigation site: as the figures below show, the desktop is unlocked and in a running state. The following steps are to be carried out.
Figure 3 Desktop Scene-01
Figure 4 Desktop Scene-02
• STEP 1:
o Initially, capture the desktop screen contents, including any minimized windows, by photographing the monitor [Figure 3 Desktop Scene-01].
o Next, examine the LED indicator lights on the CPU case to identify any ongoing background activity. Continuous blinking of the LED indicators suggests potential malicious or destructive activity.
o Since this is a controlled organization, it is highly likely to run any destructive programs.
• STEP 2:
o The second measure is to capture the volatile data from the computer, which is in a turned-on state, using the Volatility Workbench v3.0.1006 application.
o Once the volatile data is captured:
o Check the CD reader in the CPU case for any CD left behind, check for any other memory sticks, and look for the network Wi-Fi card seen in Figure 6 Desktop Scene-04.
o The white CD on the desk is loaded into the CD drive and checked for relevant information.
o Pull the power cable from the rear of the CPU case, as seen in Figure 6 Desktop Scene-04.
o Now remove the hard disk and place it in a Faraday bag with chain-of-custody labels.
Figure 5 Desktop Scene-03
Figure 6 Desktop Scene-04
• STEP 3:
o A closer look at Figure 3 Desktop Scene-01 shows a book, a printed sheet, a phone [basic model] and a CD.
o Figure 5 Desktop Scene-03 shows some more items: 3 USB memory sticks, a SIM card, a 32MB memory card [specialized for cameras, named FUJIFILM XD Picture card] and 2 batteries.
o The book is checked for any written information, marked phrases or patterns; the batteries and all other items are seized.
• STEP 4:
o The phone – black [basic non-smartphone] is searched for any messages and phone calls.
o After noting the details, the phone is switched off and placed inside the Faraday bag.
1.1. Items Seized after search:
Table 1 Search & Seize Items

ITEMS                   | SERIAL NUMBER
Desktop Hard disk       | HD01
Memory Stick – Black    | MSBLACK01
Memory Stick – White    | MSWHITE01
Memory Stick – Silver   | MSSLIVER01
Memory Stick – Fujifilm | MSFUJIFLIM01
SIM card – red-white    | SIM01
Phone – Black           | PHONEBLACK01
CD – white              | CDWHITE01
Book – catch-me         | BOOK01
2. IMAGE ACQUISITION:
One of the methods used to acquire a copy of investigation devices such as USB drives, hard disks, micro-SD cards and CD drives is the FTK Imager Lite tool. The following steps are followed to create the forensic image of the hard disk/memory stick.
2.1. Forensics Image Creation Steps
The following steps are followed to create the forensic image using FTK Imager Version 4.7.1.2 [Forensic Toolkit]:
• The Tableau TD2u write blocker is connected to the desktop; the source USB and the destination device are connected to their respective terminals.
• Launch FTK Imager Lite:
o FTK Imager Lite -> File menu -> Create Disk Image.
• Select source:
o -> Physical Drive -> Next [Figure 13 FTK tool Step 01].
• Source drive selection -> USB -> Finish.
• Create image ->
o Image Destination -> Add -> Raw (dd) -> Next [Figure 15 FTK tool Step 03].
• Select image destination ->
o select folder -> provide image file name -> Finish.
• Create image -> tick the check box "Verify images after they are created" -> Start [Figure 16 FTK tool Step 04].
• Once the image is created:
• Verify integrity: verification takes place [Figure 17 FTK tool Step 05]; the Drive/Image Verify Results dialog box then pops up with the MD5 hash value check [Figure 19 HASH Ver- FTK tool Step 07].
A write-blocker, whether hardware or software, prevents a computer from writing data to any connected storage media and so preserves data integrity (NIST 800-86, 2006). Using a write-blocker is recommended while creating a forensic image. Here the "Tableau TD2u" [refer to PROCESS DOCUMENTATION] hardware-based write-blocker is used to create the forensic image. Hash functions act as a validation mechanism, confirming that the forensic image accurately replicates the data stored on the disk; see "Figure 19 HASH Ver- FTK tool Step 07".
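The hash check FTK Imager performs in Step 07 can be repeated independently whenever the image changes hands. The following is an added example (not from the report or from FTK) that re-hashes a raw dd image, split into numbered segments if necessary, and compares the result with the MD5/SHA1 values in an acquisition log; the log layout and the image bytes are constructed assumptions, not real FTK output.

```python
"""Re-verify a raw (dd) forensic image against the hashes recorded at acquisition.

FTK Imager writes a text log beside the image with a "[Computed Hashes]" block
listing MD5 and SHA1. The log layout used below is an assumption modelled on that
file, not parsed from a real one, and the image bytes are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.MULTILINE)


def parse_acquisition_log(log_text: str) -> dict:
    """Return {'md5': ..., 'sha1': ...} from the first occurrence of each hash line."""
    found = {}
    for algo, digest in HASH_RE.findall(log_text):
        found.setdefault(algo.lower(), digest.lower())
    missing = {"md5", "sha1"} - found.keys()
    if missing:
        raise ValueError(f"acquisition log lacks {sorted(missing)} checksum")
    return found


def image_segments(first_segment: Path) -> list:
    """Raw images may be split (image.001, image.002, ...); hash them in order."""
    stem = first_segment.with_suffix("")
    segs = sorted(p for p in first_segment.parent.iterdir()
                  if p.stem == stem.name and re.fullmatch(r"\.\d{3}", p.suffix))
    return segs or [first_segment]


def hash_image(first_segment: Path, chunk_size: int = 1 << 20) -> dict:
    """Single pass over all segments, computing MD5 and SHA1 together."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in image_segments(first_segment):
        with seg.open("rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(first_segment: Path, log_text: str) -> dict:
    """Compare recomputed hashes with the recorded ones; True means 'verified'."""
    expected = parse_acquisition_log(log_text)
    actual = hash_image(first_segment)
    return {algo: actual[algo] == expected[algo] for algo in ("md5", "sha1")}


def demo() -> tuple:
    """Constructed scenario: a two-segment image verified, then one byte altered."""
    with tempfile.TemporaryDirectory() as tmp:
        seg1, seg2 = Path(tmp, "cwk1.001"), Path(tmp, "cwk1.002")
        seg1.write_bytes(b"\x00" * 4096 + b"geometric shapes")
        seg2.write_bytes(b"\xff" * 1024)
        h = hash_image(seg1)
        log = (f"[Computed Hashes]\n MD5 checksum:  {h['md5']}\n"
               f" SHA1 checksum: {h['sha1']}\n")
        before = verify_image(seg1, log)
        # Simulate a single flipped byte, e.g. a write that a blocker would have stopped.
        data = bytearray(seg2.read_bytes())
        data[0] ^= 0x01
        seg2.write_bytes(data)
        after = verify_image(seg1, log)
    return before, after
```

A mismatch in either algorithm means the working copy no longer matches the acquisition and should not be used for analysis until a fresh copy is taken from the original.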
3. ANALYSIS:
3.1. Analysis: Autopsy
Following the creation of the forensic image, the next step is to analyse the image, scrutinizing the files (including those created or modified), web history, communications such as emails and chat applications, photos and videos, as well as deleted files.
We search for files related to geometric shapes, such as images, documents, or executable files. We check the browser history and cache to find any visits to prohibited websites with content related to geometric shapes. We review email exchanges for discussions or attachments related to forbidden activities. If chat software is installed, we analyze the chat logs for conversations about the geometric shapes group.
Now we analyse the forensic image of the memory sticks, as there is no useful evidence from other sources such as the computer hard disk. The analysis is carried out using Autopsy [version 4.21.0]. Detailed screenshots are available in Appendix B, "Autopsy analysis of CWK1.dd Forensics Image". Figure 7 Autopsy view 01 below provides an overview of the Autopsy analysis.
Figure 7 Autopsy view 01
3.2. Analysis: Listing Findings
The forensic image analysis gives comprehensive insight into the contents of the memory stick; the [Table 2 List of Findings] comprises 9 image files, 5 deleted files, 1 doc file, and 4 files whose extensions have been renamed.
Table 2 List of Findings

TYPE               | Count | Image preview available | Comments
IMAGE FILES        | 9     | 7                       | 1 as txt file; 1 non-recoverable file
DELETED FILES      | 5     | 4                       | 2 images repetitive; 1 non-recoverable file
DOC FILE           | 1     | 1                       | Contains image file
RENAMED EXTENSIONS | 4     | 3                       | 2 image files; 1 txt file; 1 non-recoverable file

Reviewing the image preview [Figure 8 Autopsy Images preview.], it is apparent that the staff member has been actively generating and deleting pictures of various geometric shapes.
Figure 8 Autopsy Images preview.
4. EVIDENCE REPORTING:
The entire chronology of file activities, including creation, modification, and deletion, has been meticulously documented and is presented in dedicated tables categorized as Images, Deleted Files, Documents and Renamed files, providing a comprehensive overview of the timeline for each file type.
4.1. Image Timeline: Created
The images are created/ modified during the timeline from 2004-06-09 21:52:20 BST till 2004-06-10 08:38:06 BST.
Table 3 Autopsy Images table timeline

IMG link     | Modified Time           | Change Time             | Access Time             | Created Time            | Location                                                  | Comments
f0000000.jpg | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/$CarvedFiles/1/f0000000.jpg                  | JPG File
f0000639.jpg | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/$CarvedFiles/1/f0000639.jpg                  | JPG File
image_0.jpg  | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/misc/file12.doc/image_0.jpg                  | JPG File
file8.jpg    | 2004-06-09 21:52:20 BST | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/archive/file8.zip/file8.jpg                  | JPG File
file9.jpg    | 2004-06-09 21:53:32 BST | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/archive/file9.boo/file9.jpg                  | JPG File
file10.jpg   | 2004-06-10 02:54:53 BST | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/archive/file10.tar.gz/file10.tar/file10.jpg  | JPG File
file1.jpg    | 2004-06-10 07:59:40 BST | 2004-06-10 04:27:36 BST | 2004-06-10 04:27:36 BST | 2004-06-10 04:27:36 BST | /img_cwk1.dd/alloc/file1.jpg                              | JPG file
file3.jpg    | 2004-06-10 08:27:02 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | /img_cwk1.dd/invalid/file3.jpg                            | No JPG
"file4.jpg"  | 2004-06-10 08:38:06 BST | 2004-06-10 04:28:22 BST | 2004-06-10 04:28:22 BST | 2004-06-10 04:28:20 BST | /img_cwk1.dd/invalid/file4.jpg                            | No JPG
4.2. Image Timeline: Deleted
The Images were deleted during the timeline 2004-06-10 07:48:08 BST till 2004-06-10 07:49:18 BST.
Table 4 Autopsy Deleted files timeline.

Name         | Modified Time           | Change Time             | Access Time             | Created Time            | Location                                 | Comments
f0000000.jpg | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/$CarvedFiles/1/f0000000.jpg | JPG File
f0000639.jpg | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/$CarvedFiles/1/f0000639.jpg | JPG File
f0003372.db  | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | 0000-00-00 00:00:00     | /img_cwk1.dd/$CarvedFiles/1/f0003372.db  | No JPG
file6.jpg    | 2004-06-10 07:48:08 BST | 2004-06-10 04:28:00 BST | 2004-06-10 04:28:00 BST | 2004-06-10 04:28:00 BST | /img_cwk1.dd/del1/file6.jpg              | JPG File
file7.hmm    | 2004-06-10 07:49:18 BST | 2004-06-10 04:43:44 BST | 2004-06-10 04:43:38 BST | 2004-06-10 04:28:00 BST | /img_cwk1.dd/del2/file7.hmm              | JPG File
4.3. Doc Timeline: Created
This document was created at 2004-06-10 04:29:17 BST and last modified at 2004-06-10 08:20:58 BST.
Table 5 Autopsy Doc timeline

Name       | Modified Time           | Change Time             | Access Time             | Created Time            | Location                       | Comments
file12.doc | 2004-06-10 08:20:58 BST | 2004-06-10 04:29:18 BST | 2004-06-10 04:29:18 BST | 2004-06-10 04:29:17 BST | /img_cwk1.dd/misc/file12.doc   | JPG File
file5.rtf  | 2004-06-10 08:41:54 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | /img_cwk1.dd/invalid/file5.rtf | No JPG
When the extension of file "/img_cwk1.dd/misc/file12.doc" is renamed to JPG, the image file is revealed [refer to Figure 36 "file12.doc- image preview]. Checking the file with the Doc Scrubber [V1.2] application reveals the staff member's name [refer to Appendix C].
Table 6 Doc Scrubber: Result of file12.doc

File Analyzed: file12.doc
Title:
Author: Brian Carrier
Company:
Keywords:
Subject:
Comments:
Template Used: Normal
Application: Microsoft Word 10.1
Created: 10-06-2004 02:20:00
Last Saved: 10-06-2004 02:20:00
Last Edited By: Brian Carrier
Last Printed:
Page Count: 1
Word Count: 0
Character Count: 0
Revision Count: 1
Total Editing Time (minutes): 0
Unique Identifier (GUID): Not Found.
Recent Hyperlinks List: Not Found.
Revision Log: Found 1 hidden revision(s)
  "Brian Carrier" edited file: "lillet:Users:bcarrier:proj:dftt:8-jpeg-search:files:file12.doc"
For file "/img_cwk1.dd/invalid/file5.rtf", the HEX header value is not the same as "7B 5C 72 74 66 31", the header of an RTF (Rich Text Format) file.
Figure 9 HEX value for file5.rtf
After deleting the HEX values "78 C2 0E A6" from "/img_cwk1.dd/invalid/file5.rtf", saving the file and reopening it, the decoded text changes [Figure 10 Changed HEX value of file5.rtf], but still no useful information is obtained.
Figure 10 Changed HEX value of file5.rtf.
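The findings above (a JPEG hiding behind file12.doc, an RTF whose header is not "7B 5C 72 74 66 31", an image stored in the alternate data stream file13.dll:here) are all cases of the content signature disagreeing with the declared extension. The following is an added example, not the report's or Autopsy's code, that performs that check the way Autopsy's Extension Mismatch module does, over constructed header bytes assigned to the report's file names; the signature list and the sample bytes are assumptions, not data taken from cwk1.dd.

```python
"""Flag files whose leading bytes do not match the type their extension declares.

The file names are those from the findings tables; the header bytes next to them
are CONSTRUCTED samples, not the real contents of cwk1.dd.
"""
from typing import Optional

# Leading-byte signatures for the formats that appear in the findings tables.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "rtf": [b"{\\rtf1"],                                # 7B 5C 72 74 66 31, as quoted in the report
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],       # OLE2 compound document (Word .doc)
    "zip": [b"PK\x03\x04"],
    "gz":  [b"\x1f\x8b\x08"],
    "dll": [b"MZ"],
}
EXT_ALIASES = {"jpeg": "jpg", "tgz": "gz"}


def identify(header: bytes) -> Optional[str]:
    """Return the format whose signature matches the first bytes, or None if unrecognised."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None


def declared_extension(path: str) -> str:
    """Extension of the base name; an NTFS alternate data stream suffix (':stream')
    is stripped first, so 'file13.dll:here' is judged on 'dll'."""
    base = path.rsplit("/", 1)[-1].split(":", 1)[0]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return EXT_ALIASES.get(ext, ext)


def check(path: str, header: bytes) -> dict:
    """Classify one file as 'ok', 'mismatch' (known type, wrong extension) or
    'unknown' (no signature recognised, which is how file5.rtf presents)."""
    actual = identify(header)
    ext = declared_extension(path)
    if actual is None:
        status = "unknown"
    elif actual == ext:
        status = "ok"
    else:
        status = "mismatch"
    return {"name": path, "extension": ext, "detected": actual, "status": status}


# Constructed headers for the report's file names (see module docstring).
SAMPLES = {
    "/img_cwk1.dd/alloc/file1.jpg":      b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/img_cwk1.dd/alloc/file2.dat":      b"\xff\xd8\xff\xe1\x00\x20Exif",
    "/img_cwk1.dd/misc/file12.doc":      b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/img_cwk1.dd/misc/file13.dll:here": b"\xff\xd8\xff\xdb",
    "/img_cwk1.dd/archive/file9.boo":    b"PK\x03\x04\x14\x00",
    "/img_cwk1.dd/invalid/file5.rtf":    b"\x78\xc2\x0e\xa6\x00\x00",  # header bytes the report quotes
}


def run(samples=SAMPLES) -> list:
    """Return only the rows an examiner needs to look at (mismatch or unknown)."""
    return [r for r in (check(n, h) for n, h in samples.items()) if r["status"] != "ok"]
```

Files reported as "unknown" deserve a manual look in a hex viewer, as was done for file5.rtf; "mismatch" rows can be previewed directly under the detected type.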
4.4. Files renamed Timeline:
These files were modified during the timeline 2004-06-10 04:27:36 BST till 2004-06-10 08:17:46 BST.
Table 7 Renamed Files Timeline

Name            | Modified Time           | Change Time             | Access Time             | Created Time            | File Path                         | Comments
file13.dll:here | 2004-06-10 04:29:45 BST | 2004-06-10 04:29:45 BST | 2004-06-10 04:29:45 BST | 2004-06-10 04:29:18 BST | /img_cwk1.dd/misc/file13.dll:here | JPG file
file2.dat       | 2004-06-10 07:46:52 BST | 2004-06-10 04:27:36 BST | 2004-06-10 04:27:36 BST | 2004-06-10 04:27:36 BST | /img_cwk1.dd/alloc/file2.dat      | JPG file
file9.boo       | 2004-06-10 08:17:46 BST | 2004-06-10 04:28:54 BST | 2004-06-10 04:28:54 BST | 2004-06-10 04:28:51 BST | /img_cwk1.dd/archive/file9.boo    | JPG file
file3.jpg       | 2004-06-10 08:27:02 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | 2004-06-10 04:28:20 BST | /img_cwk1.dd/invalid/file3.jpg    | No JPG
4.5. Evidence conclusion
In accordance with AXB Organization's Fair Usage Policy outlined in [Table 9 AXB Organization Fair Usage policy], the policy explicitly prohibits any employee from creating, storing, or disseminating pictures of geometric shapes using organizational resources without explicit authorization. Additionally, employees are restricted from searching the web for geometric shapes unrelated to work responsibilities.
Following a caution issued in May 2004, the staff member proceeded to create various shapes between June 9, 2004, 21:52:20 BST, and June 10, 2004, 08:38:06 BST. Given the forensic analysis of the images of different geometric shapes generated by the staff member, as well as the attempts to delete specific files, it appears probable that the staff member is indeed creating pictures of a variety of geometric shapes. These actions violate the organization's Fair Usage Policy on the use of organizational resources for such activities.
5. PARALLEL REPORTS:
5.1. RECORD OF ACTIONS
Table 8 RECORD OF ACTIONS

RECORD OF ACTIONS - FORENSICS INVESTIGATION
Case ID: AXB001
Recording Officer Details: G1454
Date and Time of Recording: 1 July 2004 10:00 AM
Objectives of the Investigation: Collecting forensic evidence of the suspected staff member Brian Carrier

Actions taken:
1. Scene Documentation:
   a. Starting the video recording equipment to capture the entire investigation process.
2. Taking photographs:
   a. of the table, under the table, front and back of the desktop unit;
   b. of the monitor screen, opening the minimized windows and taking photos.
3. Capturing volatile memory:
   a. Using Volatility Workbench v3.0.1006 (GUI for the Volatility Framework tool).
   b. Following the steps to create a memory dump on Windows:
   c. run SYSDM.CPL – System Properties >> Advanced >> Settings >> Complete Memory Dump.
4. Forensic Imaging:
   a. Refer to the Forensics Image Creation Steps section [IMAGE ACQUISITION].
5. Items Seized:
   a. The items identified on the table are given their respective serial numbers and labelled; the same can be identified in the Search and Seize section and the CHAIN OF CUSTODY FORM.
6. Analysis Steps:
   a. The analysis steps are captured in the section [ANALYSIS].
7. Reporting: refer to
   a. RECORD OF ACTIONS
   b. CHAIN OF CUSTODY RECORD
   c. GENERAL CASE DOCUMENTATION
   d. PROCESS DOCUMENTATION
8. Stopping the video recording equipment that was capturing the entire investigation process.

Signature: G1454
Date and End Time: 1 July 2004 05:00 PM
5.2. CHAIN OF CUSTODY RECORD
Figure 11 Chain of Custody label
5.3. GENERAL CASE DOCUMENTATION
• Authorization mail from the organization to conduct search, seize and investigation of the suspected staff desktop PC.
Figure 12 Email for Authorization
• AXB organization Policy
Table 9 AXB Organization Fair Usage policy

Policy: AXB Organization Fair Usage policy
Effective Date: 1 April 2003

1. Purpose
   This policy is designed to establish guidelines for the use of organizational resources.
2. Scope:
   This policy applies to all staff members of AXB Organization and governs the use of organizational resources for creating, storing, searching the web for, or disseminating pictures of geometric shapes.
3. Prohibited Activities:
   Staff members are expressly prohibited from engaging in the following activities:
   a. Creating, storing, or disseminating pictures of geometric shapes using AXB organizational resources without explicit authorization.
   b. Searching the web for geometric shapes that are not directly related to work responsibilities.
4. Monitoring and Reporting:
   AXB Organization reserves the right to monitor organizational resources for compliance with this policy. Any employee found in violation will be reported to the appropriate authorities for further investigation.
5. Enforcement
   AXB Information Technology department will be responsible for enforcing this policy. The IT department will have the authority to audit employee computer activity and to confiscate or disable any equipment that is being used in violation of this policy.
6. Revisions
   This policy may be revised from time to time. AXB employees will be notified of any changes to this policy.

Approved Date: 31 March 2003
Approved By: HR Head
6. PROCESS DOCUMENTATION
• Volatility Workbench v3.0.1006: GUI for the Volatility Framework tool.
o https://www.osforensics.com/tools/volatility-workbench.html
o https://www.cyberpunk.rs/volatility-workbench-gui-for-volatility-framework
• Tableau TD2u – hardware-based write-blocker
o https://security.opentext.com/docs/default-source/document-library/user-guide/td2u-forensic-duplicator-user-guide_7b3e638f-e7f3-4540-b9b6-d62a106381d1.pdf
• FTK Version 4.7.1.2 [Forensic Toolkit]
o https://www.exterro.com/ftk-imager
o https://d1kpmuwb7gvu1i.cloudfront.net/Imager/4_7_1/FTKImager_UserGuide.pdf
• Autopsy [version 4.21.0]
o https://www.autopsy.com/
o https://github.com/sleuthkit/autopsy/blob/develop/Running_Linux_OSX.md
• Doc Scrubber [V1.2]
o https://www.brightfort.com/docscrubber.html#FAQ
• Organization Policy Link provided by the organization.
7. CONCLUSION
The forensic inquiry commenced with search and seizure, progressed to the examination of the desktop PC, and ultimately culminated in the analysis of the forensic image labeled as "CWK1.dd." Throughout the forensic investigation process, various steps were undertaken, including the creation of the forensic image and its subsequent analysis using tools such as Autopsy and Doc Scrubber. Unfortunately, no substantial findings emerged from the examination of the desktop hardware. However, the forensic image extracted from the memory stick provided valuable insights, shedding light on the circumstances that prompted the organization to initiate the investigation. The analysis revealed the creation of diverse images featuring geometric shapes and the deletion of certain files. All these are captured in investigation reports and parallel reports.
APPENDIX: A
FTK IMAGER LIGHT TOOL SCREENSHOTS:
Figure 13 FTK tool Step 01
Figure 14 FTK tool Step 02
Figure 15 FTK tool Step 03
Figure 16 FTK tool Step 04
Figure 17 FTK tool Step 05
Figure 19 HASH Ver- FTK tool Step 07
APPENDIX: B
AUTOPSY ANALYSIS OF CWK1.DD FORENSICS IMAGE:
Figure 20 Autopsy Images section.
Figure 21 Autopsy images preview
Figure 22 Autopsy Deleted files.
Figure 23 Autopsy Extn. Mismatch
Figure 24 file1.jpg
Figure 25 File2.dat
Figure 26 f0000639.jpg
Figure 27 f0000000.jpg
Figure 28 file8.jpg
Figure 29 file9.jpg
Figure 30 file10.jpg