Expert Witness Report: 1443502

Digital Evidence Integrity Analysis

Explain how you downloaded the file, what precautions you took, and how you ensured its integrity.

Scanning the download link and the downloaded file for malware is a sensible precaution, but it does not establish integrity. Integrity is established by computing a cryptographic hash of the downloaded image (MD5 and, preferably, also SHA-256) and comparing it with the hash value published by the source; any difference, however small, means the file is not the one that was provided. The hash values should be recorded in the case notes before the image is opened in any tool, and the image should be kept read-only (or a working copy used) so that the recorded values remain valid for the rest of the investigation.

Describe the actual content of the forensic image file. If there are multiple files, list their file names, types and MD5 hash values.

The image consists of a single unallocated-space file, so there are no multiple files to list. The image information is as follows.
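The following is an added example, not code from the original report, covering both the integrity check described above and the file listing with hash values asked for in the previous question. It hashes a file in fixed-size chunks (forensic images are often larger than memory), compares the result with the digests published by the provider, and builds a manifest of name, size and digests. The "published" digests are those of a constructed sample file and stand in for the values the university would supply next to the download link.

```python
"""Download integrity check and evidence manifest for a forensic image.

Added example; not part of the original report. The "published" digests below
are those of a constructed sample file (the well-known test vector b"abc"),
standing in for the values a provider publishes alongside the download link.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB: read once, feed every hasher, never load whole image


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, expected):
    """Compare the file's digests with the provider's published values.

    expected maps algorithm name -> hex digest. Every listed algorithm must
    match; MD5 alone is not collision resistant, so pair it with SHA-256
    whenever the provider publishes one. Returns (ok, actual_digests).
    """
    actual = hash_file(path, tuple(expected))
    ok = all(
        hmac.compare_digest(actual[alg].lower(), digest.lower())
        for alg, digest in expected.items()
    )
    return ok, actual


def manifest(paths):
    """Name, size and digests for each evidence file, for the report's file list."""
    return [
        {"name": os.path.basename(p), "size": os.path.getsize(p), **hash_file(p)}
        for p in paths
    ]


# Digests of the constructed sample content b"abc" (standard test vectors).
PUBLISHED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def demo():
    """Verify a good download, then show that a one-byte change is detected.

    Returns (ok_before_tamper, ok_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.001")
        with open(image, "wb") as fh:
            fh.write(b"abc")  # constructed sample "image"
        ok_before, _ = verify_download(image, PUBLISHED)
        with open(image, "ab") as fh:
            fh.write(b"\x00")  # simulate corruption or truncation in transit
        ok_after, _ = verify_download(image, PUBLISHED)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run it once against the downloaded image and paste the manifest entry into the report; if the provider publishes only an MD5 value, record the SHA-256 you computed as well, so that later re-verification does not depend on MD5 alone.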

Given that “OM3.txt” has a bad signature and its actual file header is 25 50 44 46 2D, what tools will you use to proceed with the investigation, and why?

A file with a bad signature is one whose extension (for example .jpg or .txt) does not match the signature in its header, whether that header belongs to some other known type or to no known type at all. Here the header bytes 25 50 44 46 2D are the ASCII string “%PDF-”, so OM3.txt is a PDF document carrying a misleading .txt extension. A hex editor (Hex Workshop, used later in this report) confirms the header bytes, and Autopsy’s File Type Identification and Extension Mismatch Detector ingest modules flag such files automatically because they classify by content rather than by extension. A full forensic suite such as EnCase can then be used to continue the investigation (Garfinkel, 2010).
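As an added example (not code from the original report), the check below does what a signature-analysis module does: it identifies a file from its first bytes using a small table of known headers and compares that with the type its extension claims. The sample files are constructed in memory; “OM3.txt” reproduces the situation in the question, a .txt extension over a 25 50 44 46 2D header.

```python
"""File signature (magic number) check against the extension.

Added example; not part of the original report. The sample files are
constructed; only their first bytes matter here.
"""

# Header bytes -> type. Deliberately small; a real table such as the one
# libmagic ships has thousands of entries.
MAGIC = {
    "pdf": (b"%PDF-",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}

# Extensions that name the same type as a MAGIC key.
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg"}


def detect_type(data):
    """Return the MAGIC type whose signature starts data, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def check_signature(name, data):
    """Classify one file as ok, mismatch, unknown-header or no-signature."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = detect_type(data)
    if detected is None:
        # A known binary extension over an unrecognised header is a bad
        # signature; extensions such as .txt have no signature to compare.
        status = "unknown-header" if claimed in MAGIC else "no-signature"
    elif detected == claimed:
        status = "ok"
    else:
        status = "mismatch"  # e.g. a PDF header under a .txt extension
    return {
        "name": name,
        "extension": ext,
        "detected": detected,
        "status": status,
        "header": data[:8].hex(" "),
    }


def scan(files):
    """files: {name: leading bytes}. Returns one result dict per file."""
    return [check_signature(name, data) for name, data in files.items()]


# Constructed samples.
SAMPLE_FILES = {
    "OM3.txt": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.txt": b"Meeting notes for Monday\n",
    "report.pdf": b"this is not a pdf at all",
}


if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f"{r['name']:<12} {r['status']:<15} header={r['header']} -> {r['detected']}")
```

A mismatch is a lead, not a conclusion: the examiner should still open the file with a viewer for the detected type (here a PDF reader) and note whether the extension was changed deliberately, since that is what distinguishes concealment from a careless rename.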

Discuss the steganography technique and describe, with screenshots, how you would extract any hidden file.

Steganography is a method of hiding information by replacing unused or redundant bits in a carrier file, such as an image, sound or text file, with bits that carry the hidden data, so that the carrier still looks and behaves normally (Ferreira et al., 2020). In the first screenshot below, the tool lists all readable strings in the image under investigation.

In the second screenshot, the option “Show all bytes of this binary file” has been selected, as indicated below.

These views show how steganography is applied in practice: the hidden information occupies unused or redundant bits of the carrier file, so it is invisible when the file is viewed normally but becomes visible when the raw bytes are examined.
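To make the “unused bits” concrete, the following added example (not code from the original report) implements least-significant-bit steganography: a payload is written one bit at a time into the lowest bit of each carrier byte, and read back the same way. The carrier is a constructed byte buffer standing in for the pixel bytes of an uncompressed image; with a real image you would work on the decoded pixel buffer rather than the file bytes, so the header is left intact.

```python
"""Least-significant-bit (LSB) steganography: embed and extract.

Added example; not part of the original report. The carrier and the message
are constructed here.
"""

HEADER_BITS = 32  # payload length in bytes, big-endian, stored before the payload


def capacity(cover):
    """Largest payload (in bytes) the carrier can hold at one bit per byte."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Return a copy of cover with the length-prefixed payload in its LSBs."""
    if len(payload) > capacity(cover):
        raise ValueError(
            f"carrier holds {capacity(cover)} bytes, payload is {len(payload)}")
    framed = len(payload).to_bytes(HEADER_BITS // 8, "big") + payload
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the bit
    return bytes(stego)


def extract(stego):
    """Reverse of embed: read the length, then that many bytes, from the LSBs."""
    def read(start, count):
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value

    length = read(0, HEADER_BITS)
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier size; not an LSB carrier?")
    return bytes(read(HEADER_BITS + 8 * k, 8) for k in range(length))


def changed_bytes(cover, stego):
    """How many carrier bytes were touched; each changes by at most 1."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


# Constructed carrier: a smooth gradient standing in for 4096 grey-scale pixels.
COVER = bytes((i * 7) % 256 for i in range(4096))
MESSAGE = b"meet at the Muscat office, 03:00"


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print("recovered:", extract(stego))
    print("bytes changed:", changed_bytes(COVER, stego), "of", len(COVER))
```

The point for the examiner is the last function: every altered byte differs from the original by at most one, which is why the carrier looks unchanged in an image viewer and why a strings listing of the file shows nothing. Detection therefore compares against a known-good copy of the carrier when one exists, or looks at the statistics of the LSB plane, rather than at the visible content.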

Discuss the bit-shifting technique and describe, with screenshots, how you would fix a corrupted file.

Bit shifting is an operation that moves every bit of a value a fixed number of positions to the left or to the right. In computing it is normally used to carry out arithmetic efficiently (Dimitriadis et al., 2020). In a forensic context it matters because a suspect can shift the bits of a file so that its header no longer matches any known signature, which defeats file type identification and carving; the examiner must shift the bits back before the file can be identified and opened. Using Hex Workshop version 6.8, bits can be shifted to the right or to the left as shown below.

Opening the image file in Hex Workshop.

Shifting the bits to the right by 32 bits.

The resulting file has been shifted 32 bits to the right, as shown below. A shift by a multiple of 8 bits moves whole bytes and leaves each byte’s bit pattern intact; a shift by 1 to 7 bits changes every byte, and it is that kind of shift which hides a file from signature analysis.
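The following added example (not code from the original report) shows the reversal an examiner performs when the shift amount is unknown. A circular shift (rotation) over the whole byte string is used so that no bits are lost and the operation is exactly reversible, which is how a hex editor’s shift-with-carry over a selection behaves; the sample header is constructed.

```python
"""Bit shifting as concealment and its reversal.

Added example; not part of the original report. SAMPLE is a constructed PDF
header (25 50 44 46 2D ...).
"""

MAGIC = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


def rotate_right(data, n):
    """Rotate the whole byte string right by n bits, carrying across bytes."""
    nbits = len(data) * 8
    if nbits == 0:
        return data
    n %= nbits
    value = int.from_bytes(data, "big")
    value = (value >> n) | ((value & ((1 << n) - 1)) << (nbits - n))
    return value.to_bytes(len(data), "big")


def rotate_left(data, n):
    """Rotate left by n bits; the inverse of rotate_right(data, n)."""
    return rotate_right(data, -n)


def identify(data):
    """Type name from the header bytes, or None when no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def recover_shift(data, max_bits=7):
    """Undo an unknown shift of 1..max_bits bits in either direction.

    Returns (direction_of_original_shift, bits, type, recovered_bytes),
    or None if no candidate shift exposes a known signature.
    """
    kind = identify(data)
    if kind:
        return ("none", 0, kind, data)
    for n in range(1, max_bits + 1):
        # A file shifted right is recovered by shifting left, and vice versa.
        for direction, undo in (("right", rotate_left), ("left", rotate_right)):
            candidate = undo(data, n)
            kind = identify(candidate)
            if kind:
                return (direction, n, kind, candidate)
    return None


# Constructed: the first bytes of a PDF file.
SAMPLE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"


if __name__ == "__main__":
    hidden = rotate_right(SAMPLE, 3)
    print("shifted header:", hidden[:5].hex(" "), "->", identify(hidden))
    direction, n, kind, _ = recover_shift(hidden)
    print(f"file had been shifted {direction} by {n} bits; type {kind}")
```

Trying 1 to 7 bits in both directions is enough, because a shift of 8 or more bits only moves whole bytes and is handled by looking for the signature at a byte offset instead. Always run the recovery on a copy, and record the direction and amount in the case notes so that the result can be reproduced.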

Evidence analysis

Launch Autopsy from the Start menu on your computer.

Click “New Case”, fill in the case name and the base directory where the case files will be stored, and click “Next”.

Fill in the optional case information (case number, examiner) so that the case files can be tracked and retrieved later, then click the “Finish” button.

The case is opened and a new database specific to that case is created. The next stage is adding the data source to be analysed; in this case the university provided a link from which the image file could be downloaded.

Using the “Add Data Source” button, the examiner adds evidence to the case, first selecting the type of data source being analysed.

The image provided is an AccessData segmented image. Autopsy lists separate data source types for disk images (raw or E01, including segmented ones), local disks, logical files and folders, and unallocated-space image files, and the type selected must match the evidence format, since a logical image is not a sector-by-sector copy and cannot be parsed as a disk. In this case the image is handled as logical files: select “Logical Files” and click “Next”.

The next screen prompts the examiner to add the logical files and folders to Autopsy, as indicated below.

Clicking the “Add” button opens a file browser in which you select the logical image(s) to include in the case. After selecting the path to the image file, click “Next” as shown below.

The next Autopsy window lets the examiner select the ingest modules (for example Hash Lookup, File Type Identification, Extension Mismatch Detector and Keyword Search) to run on the image or data selected for the case, as displayed below.

When you click “Next”, analysis of the files begins automatically.

Files being analyzed

When the analysis is complete, the results can be viewed in Autopsy.

Expert Witness Report

Summary

MP Ltd is a telecommunications company with offices in Melbourne and Muscat. The top management of MP Ltd had reason to suspect that one or more company employees were planning to commit espionage. A contracted incident response team went to the site, began monitoring the network and email, and seized attached email files from one of the suspected employees. Because of the sensitivity of the data, MP Ltd senior management decided to set up a team to conduct an internal investigation. A digital forensic investigation was therefore conducted with forensic analysis and examination tools, and this report sets out its findings, conclusions and recommendations.

Tools used

The tools used for this digital investigation are Autopsy version 15.4.0 for forensic analysis, Hex Workshop version 6.8 for bit shifting, and EnCase for examining files with bad signatures. EnCase is also a suitable and powerful alternative to Autopsy for forensic examination (Guo and Slay, 2010).

Methodology and procedures

The main purpose of the methodology is to employ digital forensic tools for analysis of the image provided. In forensic examination, case management is critical because it ensures that the integrity of the files is maintained. Digital forensics is a highly complex field that involves a wide variety of potential data sources. With respect to the scenarios of network intrusion, malware installation and insider file deletion, the most common data sources are devices connected to the local network. Owing to space constraints, the primary focus here is on personal computers connected to a local corporate network. Even within personal computers there is a variety of data sources to reference and examine, such as log files and locally stored files. Other connected devices, such as networked printers and tablets, should also be thoroughly investigated (Mothi et al., 2020).

A novel way of deriving a multitude of data sources is OSINT. The application of OSINT to digital forensics varies, and many corporations will not have the resources to conduct OSINT adequately. However, this writer himself has seen people post negative things about their workplaces, sometimes even suggesting they would like to commit a crime there if they could get away with it. It may be that insiders who commit crimes against the company are so brazen as to post about their disdain for the organisation, or about their plan to carry out the attack. In such cases, OSINT can help to narrow down the attacker. In more complex cases, such as when an organisation attacks another organisation (rather than the attacker being a single individual), OSINT can be used to scan publicly available information such as news and government reports. This information can be used to determine whether some outside actor may have a reason for digitally attacking the organisation (McCartney, 2015).

All sources of data present special challenges with respect to collection and examination. In the three scenarios discussed in this paper the most potentially useful data set is usually locally connected devices. These devices are usually owned by the organisation in question, which therefore has total control of and access to them for preservation, collection and examination purposes. While these tasks are not simple in any context, the challenge is greatly reduced by the accessibility of the data sources. If the data sources were remotely located, as with cloud services, then preserving, collecting and examining the data could be exceedingly challenging if not impossible. OSINT data sources require a great deal of resources and special skill sets for thorough examination, skill sets that most digital investigators may not possess, such as psychological analysis of suspects (Horsman, 2020).

Findings

Initially, MP Ltd top management suspected that one or more employees were looking to commit espionage and began the investigation by monitoring both the company network and the employees’ email. However, after investigation of the image file provided, no information or evidence was found that points to any employee planning to commit espionage.

Conclusions

After a thorough digital investigation of the image file provided, the conclusions are as follows:

  • No email files belonging to any of the employee(s) were found.
  • There is no indication that the employee(s) intend to commit espionage.

Recommendations

The results of the forensic investigation indicate no foul play by any of the company’s employees. It is therefore recommended that the top management of MP Ltd drop the investigation, as there is insufficient evidence that any employee is planning to commit espionage.

References

Dimitriadis, A., Ivezic, N., Kulvatunyou, B., and Mavridis, I. (2020). D4I – Digital forensics framework for reviewing and investigating cyber attacks. Array, 5, 100015. https://doi.org/10.1016/j.array.2019.100015

Ferreira, W. D., Ferreira, C. B. R., da Cruz Júnior, G., and Soares, F. (2020). A review of digital image forensics. Computers and Electrical Engineering, 85, 106685. https://doi.org/10.1016/j.compeleceng.2020.106685

Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64–S73. https://doi.org/10.1016/j.diin.2010.05.009

Guo, Y., and Slay, J. (2010). Testing Forensic Copy Function of Computer Forensics Investigation Tools. Journal of Digital Forensic Practice, 3(1), 46–61. https://doi.org/10.1080/15567280903521392

Horsman, G. (2020). Opinion: Does the field of digital forensics have a consistency problem? Forensic Science International: Digital Investigation, 33, 300970. https://doi.org/10.1016/j.fsidi.2020.300970

McCartney, C. (2015). Forensic data exchange: Ensuring integrity. Australian Journal of Forensic Sciences, 47(1), 36–48. https://doi.org/10.1080/00450618.2014.906654

Mothi, D., Janicke, H., and Wagner, I. (2020). A novel principle to validate digital forensic models. Forensic Science International: Digital Investigation, 33, 200904. https://doi.org/10.1016/j.fsidi.2020.200904