Assignment on DIGITAL FORENSICS-62901

DIGITAL FORENSICS:

 

Task

Task 1: Hands-On Projects

Complete the following Hands-On Projects from the textbook (Nelson, Phillips, & Steuart 2015):

Hands-On Project 1-3

Hands-On Project 1-5

 

Deliverable: Insert C1Prj03 and C1Prj05 reports in your assignment document.

Complete the following Hands-On Projects from the textbook (Nelson, Phillips, & Steuart 2015):

Hands-On Project 3-1

Hands-On Project 3-2

Hands-On Project 4-3

Deliverable: Screenshots of all steps taken to complete the projects, along with a description of each step.

 

Task 2: Case Project

A bank has hired you to investigate employee fraud. The bank uses four 20TB servers on a LAN. You are permitted to talk to the network administrator, who is familiar with where the data is stored. What strategies should you use? Which acquisition method should you use?

The following aspects are the minimum requirements for this project:

• What tools listed in the textbook are available?

• How do you plan to acquire the data? Why will you choose a certain acquisition method?

• What diplomatic strategies should you use with the network administrator?

• What privacy issues might be a concern with bank records (bank account numbers, customer names, etc.)?

• How do you plan to validate the data after acquiring it?

Deliverable: Write a 300-500 word report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

Task 3: Research Project

To continue your learning in digital forensics, you should research new tools and methods often. For this project, search for the user manuals for VirtualBox and ProDiscover. Write a guide on how to load a VHD file converted from a ProDiscover .eve image file into VirtualBox.

(Nelson, Phillips, & Steuart 2015)

Deliverable: A guide not more than 500 words.

Rationale

This assessment task covers digital crime, forensic process and procedures, data acquisition and validation, e-evidence, e-discovery tools and equipment, operating systems and file systems. This assessment has been designed to ensure that you are engaging with the subject content on a regular basis. More specifically it seeks to assess your ability to:

• determine the legal and ethical considerations for investigating and prosecuting digital crimes;

• formulate a digital forensics process;

• evaluate the technology in digital forensics to detect, prevent and recover from digital crimes;

• analyse data on storage media and various file systems;

• collect electronic evidence without compromising the original data;

• evaluate the functions and features of digital forensics equipment, the environment and the tools for a digital forensics lab;

• compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation;

• prepare and defend reports on the results of an investigation.

 

 

MY REQUIREMENTS TO WRITER:

For task -1:

1. Do the hands-on projects for task 1 and include the screenshots for task 1. Check the deliverables to do the practical and follow the prescribed textbook which is mentioned above.

2. I need screenshots of all steps taken to complete the projects along with a description of each step.

 

For task-2 :

1. For the case project in task 2, answer the above questions and write a 500 word report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

 

For task-3:

1. For this project, search for the user manuals for VirtualBox and ProDiscover. Write a guide of not more than 500 words on how to load a VHD file converted from a ProDiscover .eve image file into VirtualBox.

Hands-On Project 1-3

<We need information from your end as we don’t know your city>

Hands-On Project 1-5

Case 1

David Camez, a 22-year-old man from Phoenix, USA, was convicted of international cybercrime and sentenced to 20 years. He helped run an international cybercrime syndicate known as Carder.su, a team of 55 people. About 20 defendants were caught and pleaded guilty; among these, 2 received prison terms of up to 2 years, while many others were still at large. The case was prosecuted by the Nevada US Attorney’s Office and the Justice Department’s organized crime unit in Washington. The acting attorney said that the group was very sophisticated: a highly organized crime with a well-structured cyber network that operated like a business in order to commit fraud on a global scale. They gained access to corporate networks to obtain sensitive information such as credit card numbers and to steal identities. According to the US attorney prosecuting the case, cybercrime has now become an industry and is rapidly overtaking traditional crime such as bank robbery. Cybercrime, once viewed as a crime of the future, is now here, and the threat is more than real to almost anyone using the internet. According to the US attorney, Camez became involved in petty cybercrime at the age of 17. The total worth of the cybercrime committed by Carder was estimated at 50 million USD. About 210,000 stolen debit and credit card numbers were recovered from his possession, along with 2,000 compromised account numbers.

Case 2

Richard Gundersen from NYC was sentenced to more than 3 years for his part in an international cybercrime syndicate. They hacked into the computers of more than 12 financial institutions, including the US military’s payroll service. He was also ordered to pay 88 million in restitution. His crime went beyond pure cybercrime: he worked as a casher for the crew, which involved opening bank accounts in the names of identity theft victims that were funded with money stolen from the computers they hacked into. However, the person who led the crime was a Ukrainian known as Sharapka, who is still at large. The institutions they hacked into included some big names such as Aon Hewitt, Automated Data Processing Inc., PayPal, JPMorgan Chase Bank, Nordstrom Bank, Citibank, Fundtech Holdings LLC, E-Trade, Electronic Payments Inc., USAA, iPayment Inc., TIAA-CREF, TD Ameritrade and Veracity Payment Solutions Inc., as well as the payroll arm of the U.S. Department of Defense. Once they hacked into the networks, according to prosecutors, they would divert money from customers’ accounts to prepaid debit cards which they controlled. The cards were obtained in the names of people whose identities they had stolen, and sometimes they filed fraudulent tax returns in the names of these stolen identities and then sought refunds from the IRS. A total of 15 million USD was defrauded.

Hands-On Project 3-1

Knowing all the above details, a policy and procedure are needed to set up the structure that is essential for a forensic lab. The policy and procedure are as follows:

Vocabulary

  • Digital Forensics: The application of investigative and analytical techniques to digital storage media so that the evidence recovered is preserved and admissible in court.
  • Investigation Specialist: A qualified staff member who carries out digital forensic operations and prepares the report on them.
  • Forensic Operation: An investigation involving the inspection, acquisition, examination and analysis of digital media, carried out using professional forensic hardware and software.
  • Forensic Collection: The process of collecting and securing the physical device that contains forensic evidence.
  • Forensic Acquisition: Obtaining the data stored on a digital medium by forensic imaging.
  • Forensic Image: A bitwise copy of the original forensic data, made and maintained in a forensically sound way, with a unique hash value recorded for every file.
  • Medium / Device: A device that holds data of interest to digital forensics, such as a CD/DVD, USB memory stick or SIM card, but also flash storage and smartphones. A device containing the digital forensic data which could

Policy and the procedure

  • Physical requirement: A protected and isolated office for forensic services, including the server room and the workstations where forensic analysis is performed. Access is granted only to forensic staff and those with a need to know; everyone else is kept away from the procedure and the work area. Entry of staff and visitors is monitored by a video surveillance system.

Preparation stage

In the preparation stage, the whole team should go through the checklist prepared for forensic professionals; this step has to be completed before the operation begins. A request for authorization should be submitted beforehand, and the digital forensic operation should only be carried out once the responsible authority has authorized it.

Operational stage

The investigation is carried out by the investigation team only, with senior staff present. Before beginning, a photograph of the surrounding area should be taken and attached to the report. After this, a digital forensic image should be acquired, and a secure copy of the acquired data prepared as well. In the operational report, every project unit and procedure is documented separately wherever possible. The evidence should then be transferred in a secure manner, which prevents misuse of private details and leakage of confidential documents.

Analysis and reporting stage

After returning to the lab, immediately transfer the forensic image to the forensic file server. To be on the safe side, create two copies of the image or report; these should be written to tape and kept in a protected, sealed place such as an envelope. The investigation is then carried out using forensic hardware and software tools, drawing as needed on the reports titled “Operational Analysis Report”. It is important to keep a backup of the report and to transfer it to the off-site location promptly. Once the investigation team is satisfied that the case has been thoroughly investigated, it is taken forward to criminal proceedings in the law court.

Case 2

Hands-On Project 3-2

The forensic certification program is offered by the University of Central Florida; it is a graduate-level program. The program covers current and historic issues in forensic science and its legal and technical aspects, including evidence collection, examination, management, analysis and courtroom procedure. It is currently unknown who endorses the certification. The degree is part of the graduate catalogue, which started in 2002-2003, but the university itself was founded back in 1963.

Hands-On Project 4-3

Solution – A method of connecting a disk drive to your workstation, such as USB, FireWire or external SATA, or internal connections such as PATA or SATA.

2. This calls for a live forensic acquisition of the evidence, because the data is stored on the bank’s servers, which cannot be shut down: the bank operates 24×7. Instead of the traditional approach, a method must be followed that causes no disruption to banking services.
Live acquisition is also valuable because the traces an attack leaves in RAM are lost when the system is taken offline or restarted.

The tools covered in the textbook include live bootable Linux CDs such as Penguin Sleuth Kit, Helix and BackTrack, among others. These are useful because the CD can be booted from the CD/DVD drive, and the data stored on the server is then accessible without harming it. Other tools include dd to image the entire drive and memfetch to acquire volatile memory (RAM).
Assuming a Windows-based server is in use, the bootable CDs mentioned in the textbook should be used to acquire the data. BackTrack is the most interesting of them because of its built-in utilities: around 300 tools ranging from data acquisition to data analysis and network sniffing, among others.
Booting the suspect’s computer from a bootable CD, or accessing the data from a network drive, is the recommended approach; I would prefer the same.
Then use a built-in tool such as dd to acquire the data available on the server.

(Use memfetch as well to capture the volatile memory held in RAM. While doing this, record the hash values of the acquired data so that they can be used for later verification.)

After this, compare the hashes of the acquired Windows operating system files (for example DLLs and EXEs) against their known-good values, and compare the acquired data with the files, to detect any duplication or alteration.

After this process, the forensic image of the data should be made.
Because of privacy concerns, you will need the encryption key to read the data. The data on the server belongs to many customers, so this process has to be followed to maintain everyone’s privacy. (Data on banking servers is not stored as plain text; it is always encrypted.)

Also, ensure that the extraction is straightforward, fast and free of disruption to the system. The evidence gathered this way should give you enough to identify the culprit.
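The hash checks described above (validating the acquired copy against its recorded hashes, then comparing acquired Windows system files with known-good values), as an added example that is not part of the original answer; the file paths and contents are constructed sample data:

```python
# Added example (not the assignment's own code); all sample data is constructed.
import hashlib
from typing import Dict, List, Tuple

def image_hashes(data: bytes, chunk: int = 1 << 20) -> Dict[str, str]:
    """MD5 and SHA-256 of an image, hashed in chunks so large images need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def validate_copy(original: bytes, copy: bytes) -> bool:
    """The forensic copy is valid only if every recorded hash of the original matches."""
    return image_hashes(original) == image_hashes(copy)

def check_system_files(acquired: Dict[str, bytes],
                       known_good: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (altered, unknown): files whose SHA-256 differs from the known-good
    reference set, and files for which the reference set has no hash at all."""
    altered, unknown = [], []
    for path, content in acquired.items():
        digest = hashlib.sha256(content).hexdigest()
        if path not in known_good:
            unknown.append(path)
        elif known_good[path] != digest:
            altered.append(path)
    return sorted(altered), sorted(unknown)

# Constructed sample: a small "image" and a copy with one byte changed in transit.
ORIGINAL_IMAGE = bytes(range(256)) * 16
TAMPERED_COPY = ORIGINAL_IMAGE[:100] + b"\x00" + ORIGINAL_IMAGE[101:]

# Constructed sample: reference hashes of clean system files, and an acquired set
# in which one DLL was altered and one executable is not in the reference set.
CLEAN_FILES = {
    r"C:\Windows\System32\kernel32.dll": b"clean kernel32 bytes",
    r"C:\Windows\System32\cmd.exe": b"clean cmd bytes",
}
KNOWN_GOOD = {p: hashlib.sha256(c).hexdigest() for p, c in CLEAN_FILES.items()}
ACQUIRED = dict(CLEAN_FILES)
ACQUIRED[r"C:\Windows\System32\kernel32.dll"] = b"patched kernel32 bytes"
ACQUIRED[r"C:\Windows\System32\unknown.exe"] = b"binary with no reference hash"

if __name__ == "__main__":
    print("exact copy valid:", validate_copy(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE)))
    print("tampered copy valid:", validate_copy(ORIGINAL_IMAGE, TAMPERED_COPY))
    print("altered, unknown:", check_system_files(ACQUIRED, KNOWN_GOOD))
```

In practice the reference hashes come from a vendor or NSRL-style hash set and the recorded image hashes are written into the acquisition notes at the time of capture.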

3. VirtualBox:

VirtualBox is a hypervisor from Oracle that supports multiple operating systems as hosts and guests; it is open source and completely free. A virtual hard disk file, also known as a VHD file, contains a virtual disk replica of a physical hard drive, including its partitions, files and folders. It is a proprietary Microsoft format, but its specification was later opened so that others can use it.
To load the VHD, here is what you can do:

Use VirtualBox – it supports several virtual hard disk image formats, such as VMDK, the proprietary virtual hard disk image format from VMware, among others.
Create a virtual machine in VirtualBox before using any hard disk image.

1. Create a new machine using the “New” option in the toolbar. You will be asked for a name for the machine and will choose the operating system name and type.
2. Complete the procedure with the specific details and the amount of RAM to be allotted to the virtual machine.
3. You will now be given the option to use an existing virtual hard disk or to create a new one. Choose the option to use an existing virtual hard disk and browse to the VHD file converted from the ProDiscover image.
4. Fine-tune the settings of the virtual machine, such as which folders to share and which hardware of the host machine to make available to the guest machine.
5. Finally, the virtual machine is created and ready to boot from the virtual hard disk image.
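The same procedure driven from the command line with VBoxManage, as an added example that is not part of the original guide or the VirtualBox manual; the VM name, OS type, memory size and VHD path are assumed values. It also marks the VHD immutable first so that booting the machine does not alter the converted evidence file.

```python
# Added example (not from the assignment or the VirtualBox manual); VM name, OS type,
# memory size and the VHD path are assumed values.
import subprocess
from typing import List

def vbox_load_vhd_commands(vm_name: str, vhd_path: str, os_type: str = "Windows7_64",
                           memory_mb: int = 2048) -> List[List[str]]:
    """VBoxManage commands, in order, that mirror the GUI steps: create the VM,
    set RAM and boot order, add a SATA controller and attach the converted VHD."""
    return [
        # Mark the evidence VHD immutable first: the VM boots from it, but its
        # writes go to a differencing image, so the converted file stays unchanged.
        ["VBoxManage", "modifymedium", "disk", vhd_path, "--type", "immutable"],
        ["VBoxManage", "createvm", "--name", vm_name, "--ostype", os_type, "--register"],
        ["VBoxManage", "modifyvm", vm_name, "--memory", str(memory_mb), "--boot1", "disk"],
        ["VBoxManage", "storagectl", vm_name, "--name", "SATA", "--add", "sata"],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "SATA", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", vhd_path],
    ]

def load_vhd(vm_name: str, vhd_path: str, dry_run: bool = True) -> List[str]:
    """Render the command lines and, unless dry_run, execute them in order,
    stopping at the first step that fails. Returns the rendered lines."""
    rendered = []
    for argv in vbox_load_vhd_commands(vm_name, vhd_path):
        rendered.append(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered

if __name__ == "__main__":
    # Assumed path of the VHD converted from the ProDiscover .eve image.
    for line in load_vhd("ProDiscover-Evidence", "/cases/case1/evidence.vhd"):
        print(line)
    # Once these succeed, boot the machine with: VBoxManage startvm "ProDiscover-Evidence"
```

Run with dry_run=False on a host where VBoxManage is installed; with the default dry run it only shows the commands.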
