HI6006 Competitive Strategy Editing Service
Delivery in day(s): 4
Firstly I have come across many new things while performing these tasks. In the initialisation period I get to know about the case involved in this project. This was a murder case of a girl. The case had been reported by her boyfriend. I learnt how the skilled technicians work at the crime scenes; this was the time the term “ProDiscover” coined in my eyes. By this part of time, my interest towards image analysing tool that is arouses.
1.ProDiscover basic which provides detailed information of the image. This tool is not supported by any MAC, CD-ROM and UNIX which I was unaware of before this. I have learnt that ProDiscover basic supports only NTFS and FAT format. I have learnt allot about the working of ProDiscover basic.
2.I learnt the importance of giving name in specific format to a new project. There are series of step, I learnt. The very first step was to install the software ProDiscover basic and add new project.
3.The very next step was to include the image in your work area.
4.Followed by this step, there was need to select the path of the image file, select the view option to run the associate program.
5.I came to knew that, this software has an extended feature of exporting the individual file. This feature is really helpful when you have to work with individual module of complete project. ProDiscover basic does not provide auto save feature, so there is need of manually saving each project.
6.ProDiscover Basic tool needs to be exit before a new project has been begin which is kind of limitation which I come across so far.
The thing which I deduced with this tool is that ProDiscover basic tool is never recommended as a preliminary forensic tool but within budget constraint this tool is good choice.
I came across so many new concepts which are associated with Forensic examination. The case begins with introduction about the company and what was the issue associated with the company.
My duty was to examine all the forensic examinations and computing internal investigations. I was assigned a duty to examine a USB drive which has been left by a former employee. That employee has been accused for stealing critical information of the company. There are in total 24 files confidential files with text “book”.
There are list of 5 things which I learnt while carrying out the examination of USB drive:
1.Which Tool used: I learnt about the various Images analysing tool. Taking care of the specifications and other things, ProDiscover basic was best among them. The very first step, I learnt the extraction of image file C1PRJ02.eve file to the work area.
2. Opening new project: The process starts by opening a new project and giving a valid name to it, there is need to give brief description about the project. There is no auto save feature provided by ProDiscover basic. There is need to save the project immediately.
3.Adding image file: There is need to add the image file C1PRJ02.eve to your project. This is done from action option in menu and click on add. There is need to check yes for auto image checksum message box.
4.Search toolbar: The preliminary step is to go for a search toolbar to check for a keyword. This will help in
5.Content search methodology: This project helps me to learn how then search processes work in a disk/image file. It is recommended to carry out content search tab and then select the ASCII option and then select the search for the pattern option to search for the keyword ”book”. There is also feature of cluster search while takes a little more time than simple content search.
This case is related to an additional drive which has been used by former employees and may have had access to account number ’461562’ which belongs to vice president of company and may have had access to internet banking.
There are list of 5 things which I learnt while carrying out the examination of external drive:
1.Which Tool used: I learnt about the various Images analysing tool. Taking care of the specifications and other things, ProDiscover basic was best among them. The very first step, I learnt the extraction of image file C1PRJ03.eve file to the work area.
2.ADD the evidence: Add the evidence to the new project. Navigate the image file/drive to the work area and open it. Select yes to auto image checksum. ProDiscover can add .dd image files (standard UNIX).
3.Expanding the content view: I get to learn how to view the graphic files in a drive. Expand the content and select the file path of the image. And click on view from gallery view from the menu. It displays all the graphical files on the drive. Notes can be added to the selected image.
4.Content search tab: Select the content search tab for searching given account number. Then there is need to carry out the cluster search and remember to select the desired result and add comments to it. This helped me to distinguish it from other images.
5.Exporting: while doing this project, I learn how to do export the report. Select the RTF format and type the file name.
In this case, there is requirement of law firm to recover lost data from disk. Before this project I was unaware of anything which could help me in retrieving the deleted files. Before this project, I was not aware of the tool which could help in recovering the deleted files.
This project helped me to learn how to perform extraction on a disk. There, there are list of 5 steps:
1.Software used: I learnt about the various recovery tools. Taking care of the specifications and other things, ProDiscover basic was best among them. ProDiscover is the most budgeted and simple hand used forensic tool without much complications
2.Creating new project: I got to learn how to create a new project in ProDiscover basic and save it with name C1PRJ04.
3.Add image file: I came across how to add image file. Click on the Add from menu and then click on image file C1PRJ04.eve and open it. Check yes on the auto image checksum.
4.Adding pathname: I learned how to add pathname contusing the file. Expand the tree view and then content view and click the path name containing the disk. Analyse all the files displayed in the work area.
5.Sorting deleted files: I learned how to sort all the files into yes or no in the delete column header. This will display all the files in a sorted way.
6.Recovery from disk:I learn how to extract the deleted files by selecting the files with no in delete column header and pasting the files in the work area. This is done one by one, ProDiscover basic does not allow for multiple selections.
7.Save project: I learned that ProDiscover basic does not have auto save options, There is need to save the project manually. Always remember to exit the previous project before starting a new project.
This project is a continuous project from previous project. These hands on project help me in listing all the unallocated files/deleted from the disk. This learning will help me in undergoing my further academic studies.
Things which I learnt in carrying out this project:
1.Open up the project which has been saved in Hands-on-project 1-4 and open it.4 and open it.
2.There is need to sort all the unallocated and allocated files. This will help in creating listing of all unallocated files/deleted files. Sorting can be done by clicking on delete column header.
3.Select the files which have been marked as “yes” in delete column header. Mark the check box which is on left pane. A comment dialog will appear. This comment dialog box will help in adding description.
4.In the comment dialog box, I learnt to give a specific, meaningful description which can be identified later. Giving any random description might result in unidentified selected file from a list.
5. I came to know that the report of selected can be produced by clicking on the report in the tree view. This will help in checking all the selected files.
6.This Report can be exported. There is just need to click on the export button which given in the toolbar. I have given a specific name to this report for its identification C1PRJ05Report.
7. The most important task is to save the project. ProDiscover does not auto save things, these needs to be done manually.
8.Followed by this important learning, I come to know that no new project can be before exiting the previously started project. I save the project and exit the ProDiscover basic.
This task consists of M-57 hypothetical case for the practical knowledge of new investigators. This project I need to identify whether terry is doing something against the policy of company or not.
The evidence is validated using OSForensics tool. Steps followed while carrying out the project:
1.Install the step and run the step and click on the “continue using free version”.
Figure 1: Running the software
2.Click on create new case.
Figure 2: creating new case
3.Fill up the given fields and browse for the desired location and select investigate disks from another machine and selects custom location and click on ok button.
Figure 3: saving new project part 1
Figure 4: saving new project part 2
4.Select the add device button and add the image file Terry-work-usb-2009-12-11.E01 and leave the default settings untouched. Select the image file and click on the open button.
Figure 5: file system browser
5.Click on the file search icon and following given window displays. Search for the keyword .following snapshot displays the result.
Figure 6: Keyword search
6.Now click on the create index icon and click on the predetermined file types and check the entire given file types under predetermined files and click on next button.
Figure 7: Creating index
7.In step 3 of 5 click on start indexing.
Figure 8: Start indexing
8.This indexing will take ETA of 1 hour to get complete. After indexing gets completed, click on open log to check errors while indexing and then select on manage case.
Figure 9: files getting indexed
9.Manage all the files which are considered in the operational image file.
Figure 10: examine the files
By examining the terry-work-USB-2009-12-11.E01, I deduced that image file contains python files and 2 executable files and text documents. The image file contains .jpg format files in which contact details of a person is given.
Figure 11: .jpg format image
This image contains some critical text documents like patentterms.txt, urlscoprights.txt, urlspatents.txt. This file gives a clear indication that Terry is doing illicit or doing working against company’s policy.
Figure 12: text files and python files
Fraud cases bring about new challenges every time than any other cases to the investigators. There are sequences of steps which I will preferably follow in investigating any potential fraud case.
Initial analysis:The process will start with asking the some basic Question and doing initial analysis what kind of fraud is that like is this is an identity or government theft, when did it occur, did it occur somewhere in other places.
Planning of investigation:
It is most critical part to investigate any potential fraud cases. The process will be in progress by identifying the chronological events which will help in giving follow up towards the actual case.
Victim’s interview:I will make every possible effort to get to know the victim. Basic questioning will be done with victim at some silent place. Every minute detail is very important in any fraud investigation; I will go with granular questions like where, what, when. I will conduct this interview for 2-3 times to make sure that all the instances of the investigation will be covered. Victim will be informed to take statements of their financial institutions on regular basis.
Securing evidences:Evidences, on whom support we build the events which may have occurred. I will make sure that I will maintain a copy of the bank accounts, emails, phone records or any social media posts. The evidences can be obtained electronically like Ms Word, MS access or hashes.These evidences need to be secured and validated. There are 4 major acquisition methods for storage devices:
3.Bit-stream disk-to-image file
I will prefer Bit-stream disk-to-image file for validation process. This is the most common method adopted. It will produce replication of original drive bit-by-bit. I will prefer ProDiscover basic tool for carrying out the validation over storage media like USB drive or external drives.
I would choose hash algorithm such as “SHA1” over “MD5” because MD5 is broken and a lot of collisions come across MD5. SHA1 is more robust than MD5. MD5 is considered to be less preferred when the discussion comes to security applications.
1.Reynolds, M(2018). 7 Steps to Forensic Investigation Success Sedgwick. Retrieved from https://www.sedgwick.com/blog/2016/06/03/seven-steps-forensic-investigation-success.
2.Schiro, G. (2018). Collection and Preservation of Evidence. Retrieved from http://www.crime-scene-investigator.net/evidenc3.html.
3.Team, T. (2018). All you want to know about Digital Evidence. Retrieved from https://taxguru.in/income-tax/cbdt-releases-digital-evidence-investigation-manual.html.