Digital Forensics
Danyal Hussain
Table of Contents
1. Introduction
1.1. Case Management
1.2. Selection of OS
1.3. Selection Of Forensics Tools
1.3.1. AUTOPSY
1.3.2. FTK IMAGER
1.4. Evidential integrity
1.5. Relevant issues in the case
1.6. Methodology
2.0. Evidence analysis
2.1. Executive Summary
2.2. Container Information
2.3. Forensics Evidences
2.4. Operating system information.
2.5. Web Bookmark
2.6. Devices Attached
2.7. User Personal Profile
2.8. Chromium Extension
2.9. Web Downloads
2.10. Recent Document
2.11. List of Software
2.12. Recycle Bin
3. Findings
3.1 Summary of Findings
3.2. Detail Findings
3.3 How Conclusions Were Reached
3.4. Investigations scope Who? Where? What? With Whom? Why? How Often?
3.5. Evaluation of Evidence
3.6 Validity and Verifiability
3.7 References
3.8 Critical discussion of the investigation
3.9. Appendix
4. Contemporaneous notes
4.1. Conclusion
1. Introduction
My main duty as a digital forensic analyst for a UK law enforcement organization is to work with foreign peers to carry out exhaustive investigations. In this investigation, we are examining a forensic picture that was taken from a computer hard disk that was found at the site. One of our investigation team members has been very careful to oversee the continuity and integrity of the forensic artifacts during the collecting and transit phases. A safe forensic picture of the hard disk has been made with the help of a qualified forensic imaging professional and is kept on our corporate servers together with its hash value for confirmation.
This analysis's goal is to carefully examine the digital evidence present in the forensic image in order to find important details related to the current inquiry. This extensive report will explore every facet of case management, from the choice of suitable forensic instruments and methods to the analysis approach used and the findings from the analysis of digital artifacts. Through a methodical study of the digital trail left on the computer's hard disk, our goal is to gather vital information that clarifies the facts surrounding the crime that is being investigated. Ensuring a transparent chain of custody and protecting the integrity of the digital evidence are critical to the success of this investigation. Our dedication to following established forensic procedures and guidelines guarantees the accuracy and.
During this investigation, the forensic image with the label "image.E01," which was taken from the crime scene's system's hard disk, had the username "JIM-Cloudy." It is our responsibility to ascertain JIM's guilt or innocence. We will carefully investigate JIM's actions on his machine using a variety of forensic technologies in an effort to find any linkages to the purported crime. The nine separate components that make up the forensic evidence file will be subjected to stringent integrity tests prior to a thorough inspection. We will concentrate on detecting any unusual activity, such sending an email on January 18, 2021, at precisely 13:12. In the event that our inquiry reveals that someone else sent the offender a comparable letter at the same time, it would strongly imply JIM's involvement in the criminal activity under scrutiny.
1.1. Case Management
This investigation began with the careful setup of a forensic workstation furnished with necessary equipment such as FTK Imager and Autopsy. In order to protect the continuity and integrity of our processes, a secure download of the forensic picture from the organization's server was carried out. The chain of custody was carefully maintained throughout, and each stage of the procedure was meticulously recorded in contemporaneous notes.
1.2. Selection of OS
Windows 10 was selected as the platform for the examination. Since its release in 2015, Windows 10, which replaced Windows 8.1, has been a mainstay in the computer industry. It keeps evolving with new features and improved security features added on a regular basis. A user-friendly interface, built-in security features like Windows Defender, and extensive compatibility with both hardware and software components are noteworthy features. Windows 10 is a versatile and familiar operating system that can be used on a variety of devices, including PCs, tablets, smartphones, Xbox consoles, and Internet of Things (IoT) devices.
1.3. Selection of Forensics Tools
In this investigation, two primary forensics tools have been selected: Autopsy and FTK Imager.
1.3.1. AUTOPSY
Autopsy is a powerful open-source digital forensics program that is well known for its capacity to do accurate forensic examinations of digital media. Autopsy is a trusted tool used by law enforcement, digital detectives, and security specialists that makes disc imaging, file system analysis, and file investigation easier. Report creation, timeline analysis, metadata extraction, keyword searches, and compatibility with several file formats are some of its capabilities.
1.3.2. FTK IMAGER
Access Data's FTK Imager is a potent digital forensic tool that may be used to obtain and analyze data from storage media, including hard drives and USB drives. With support for AFF, raw, and E01 formats, FTK Imager makes it easier to create forensic photos while maintaining data integrity. It offers functions for data integrity assurance, including hash value verification and file reading, extraction, and analysis. FTK Imager is frequently used in conjunction with other forensic instruments and is essential for carrying out exhaustive investigations.
1.4. Evidential Integrity
Image verification with FTK Imager is essential to guaranteeing the integrity of forensic photos and verifying that the extracted data is loyal to the original and remains unmodified. This procedure makes sure that the handling of digital evidence complies with legal standards, maintains the chain of custody, and looks for any discrepancies. Forensic examiners are able to have more faith in the precision and dependability of the evidence produced in court cases and investigations by validating the integrity of forensic photos. This strengthens the evidence's legitimacy and admissibility.
Start FTK Imager and go to the "Verify Drive/Images" function to get started.
Now, the images verification starts:
Select "Verify Image" from the "File" menu, then check the hash value that is obtained with the hash value of the original hard drive to confirm the image. If the hash values match, the integrity of the imaged copy is confirmed. It's important to record this step since it ensures that the image is an accurate reproduction of the original drive.
1.5. Relevant Issues in the Case
To verify the image, select "Verify Image" from the "File" menu. Then, compare the hash value that is obtained with the original hard drive's hash value. The imaged copy's integrity is verified if the hash values match. This step is crucial to note since it guarantees that the image is a precise replica of the original drive.
1.6. Methodology
The inquiry followed accepted practices in digital forensics, including evidence gathering, analysis, and interpretation. Careful efforts were taken to assure the correctness and dependability of the results by combining manual assessment methods with forensic software. Finding pertinent artifacts, timestamps, and user actions was essential to the investigation in order to piece together an exhaustive timeline of occurrences.
2. Evidence Analysis
By analyzing these evidences, a complete picture of the digital forensic data from a single source is revealed, including the user profile, recent documents, downloads, linked devices, operating system, and online bookmarks.
This data is crucial since it contains timestamps recording user activity, file locations, and device identifiers. These elements are essential for examining the person's digital trail and maybe identifying their behavior.
2.1. Executive Summary
The results of a digital forensic investigation on the system known as DESKTOP-PM6C56D are presented in this report. Examining the digital evidence that was taken from the system—including user profiles, recently downloaded documents, web bookmarks, linked devices, and operating system data—was the main goal of this investigation.
The investigation's goal was to identify user behavior patterns, possible security breaches, and any related hazards by means of painstaking analysis. Every piece of information included in this report comes from the original picture.E01 files function as exact duplicates of the offender's system hard drive.
2.2. Container Information
Following a thorough analysis of "image.E01," the following facts were discovered and are displayed in the screenshot below with comprehensive details. The data from the hard drive discovered at the crime site is displayed in the graph below. We can find images, movies, audio, documents, executables, and more in this graph display.
File Types Count
Images
Videos
Audio
Documents
Executables
Unknown
Other
No Need to Analyzed
Allocated Files
Unallocated
Slack Files
Directories
Usage
OS Drive
(Windows_NT)
OS
Windows_NT
Size
512.11 GB
Count
8,668
114
99
7077
3839
11,906
2970
124,212
154,795
4093
125,607
88,405
2.3. Forensic Evidences
A wide range of data artifacts have surfaced from this evidence, providing insight into the characteristics and actions of the subject of the investigation, JIM. The following parts play different but crucial functions in the forensic investigation process: "Data Source," "File View," "Data Artifacts," "Analysis Results," "OS Accounts," "Tags," "Score," and "Reports." Every aspect is crucial to figuring out the complexities of the investigation and assembling a thorough picture of the case at hand, from outlining the data's origins to offering thorough analysis results and reports.
2.4. Operating System Information
This is the system data that was discovered within the artifacts. System name, operating system, and processor are included in this data. The type of operating system and its version utilized by the suspect are disclosed in this evidence. I have included the size of the source file, which is a copy from the crime scene system, in the table below.
2.5. Web Bookmarks
The online bookmarks provide the browser URL, the creation date and time of the bookmark, and the domain name identifying the sort of server or service that was utilized. These are specifics about bookmarks that are currently being used by the suspect's system browser. The information also details the exact browser that the suspect—in this example, "Bing"—is using and the dates that each bookmark was created.
http://go.microsoft.com/fwlink/p
/?LinkId=255142
Bing url
2018-03-27
Internet
Microsoft.com
/img_Image.E01/vol_vol7/Users/jcloud
y/Favorites/Bing.url
2.6. Devices Attached
This is a list of every device that was linked to the system. This data includes the kind, model, ID, and date and time of the connected device. These are the connected devices that were a part of the allegedly compromised system. The list of questionable systems, together with supporting documentation, may be seen beneath the table.
Device Make Device Model Device ID Date/Time
ROOT_HUB20 4&1671a21&0 2018-03-28 02:45:42 PKT
ROOT_HUB20 4&b21407d&0 2018-03-28 02:45:42 PKT
ROOT_HUB30 4&2d689036&0&0 2018-03-28 02:45:43 PKT
Dell Computer
Corp.
BCM20702A0 Bluetooth Module 28E347017777 2018-03-28 02:45:44 PKT
Intel Corp. Integrated Rate Matching Hub 5&182c2717&0&1 2018-03-28 02:45:43 PKT
Intel Corp. Integrated Rate Matching Hub 5&2cd6d949&0&1 2018-03-28 02:45:44 PKT
Microdia Dell Integrated HD Webcam 6&c0f0d73&0&5 2018-03-28 02:45:44 PKT
Microdia Dell Integrated HD Webcam 7&2bca401f&0&0000 2018-03-28 02:45:44 PKT
SanDisk Corp. SDCZ80 Flash Drive AA010215170355310594 2018-03-27 17:13:16 PKT
SanDisk Corp. SDCZ80 Flash Drive AA010603160707470215 2018-03-28 02:45:44 PKT
2.7. User Personal Profile
The user name, directory path, and the Google Chrome software that is linked to this profile are among the details that make up the suspect's personal information. It also contains the User Chrome ID and—above all—the user's email address, which serves as both the username and other information. In particular, the information is as follows: the user is recognized as Person 1 via the 'Default' path; their Google Chrome User ID is 111256729592432613619; their email address is jimcloudy1@gmail.com.
2.8. Chromium Extensions
This contains information about the browser extensions that the suspect is using, including names, IDs, versions, descriptions, and permissions that have been granted for each extension. The suspect used multiple extensions, including YouTube, Cloud Print, Chrome PDF Viewer, Google Hangouts, Chrome Web Store Payments, Docs, and others, according to this historical data.
2.9. Web Downloads
This data relates to what the user has downloaded; it includes the domain names, source URLs, and destination routes. The domain is the service that is used to download the necessary files. The first section of the information shows the locations to which the downloaded files are saved after they have finished.
This image both contains the downloading files and the source URL for the files, indicating the location of the files.
URLs Because the domain is the name of the system where the files are already stored, it is crucial to know it while downloading files.
2.10. Recent Documents
Information on recent papers is available in this section, including where each item is located and when it was accessed or modified. The evidence also indicates the data source from which this information was gathered and provides the file paths.
2.11. List of Software
A list of the installed programs on the machine is included in this evidence, and none of them are thought to be suspicious. The list contains common user programs together with information on each one, including the program name, folder location, number of runs, and last access date.
2.12. Recycle Bin
I have recovered other files from the recycle bin that at first glance seemed suspicious in this piece of evidence. But a closer look revealed that these fears were unjustified. The files proved to be innocuous "Mem" gif files, even if they had dubious comments attached to them.
3. Findings
A vast collection of digital evidence was gathered during the course of the inquiry, including information from user profiles, operating system logs, web browser history, device connections, and recent document interactions and download patterns. Nevertheless, no solid proof of illegal behavior was discovered. The results underlined the possible weaknesses in data security and stressed the significance of putting strong risk management into place as well as protecting privacy within organizational boundaries.
3.1. Summary of Findings
This section summarizes the key findings from the digital forensic investigation.
3.2 Detailed Findings
Detailed findings provide an organized breakdown of the digital evidence analyzed, categorized by the type of data:
• Desktop Files: The analysis revealed 10 desktop files classified as “Mem” type gifs, which did not relate to the crime.
• Download Files: Examination of 5 downloaded files showed no relevant information connected to the criminal investigation.
• OneDrive Files: Review of 9 OneDrive files also found no data pertinent to the case.
• Other Artifacts: No additional artifacts provided any clues or connections to the crime under investigation..
3.3 How Conclusions Were Reached
The evidence was systematically examined in order to arrive at conclusions. This was done in accordance with normal digital forensic methods, which include the collection, processing, and interpretation of evidence. Finding relevant artifacts, timestamps, and user behaviors was the main goal in order to piece together an event timeline. This timeline showed that the user system had no data for the given day and time, proving that they were not involved in the alleged crime. Jim's innocence was further verified by a careful review of all the data artifacts and forensic portions. Though certain web searches produced suspicious terms, the inability to find matching timings led to the conclusion that Jim was not involved in the crime. While certain actions—like searching for guns and rifles, for example—may cause alarm, the lack of hard proof Connecting Jim to the scene of the crime means he must be released with a parting caution. Jim's private information and legal rights have been protected throughout the investigative process by having all relevant data safely kept in the chain of custody.
These pictures show the JIM's past keyword searches on the internet. He looked for several, suspicious items, but since the date and time do not match, he is innocent. This is a clear screenshot, however the original may be found below it:
me a warning and released him.
3.4. Investigation Scope: Who? Where? What? With Whom? Why? How Often?
The focus of the inquiry was digital evidence obtained from a single device known as DESKTOP-PM6C56D. Operating system logs, web browser histories, device connections, user profiles, document interactions, and download activity were among the many data categories covered by this evidence. Examining user activity, spotting potential security flaws, and evaluating related risks were the main goals. Interestingly, Jim turned out to be the user whose hard disk was connected to a crime scene investigation. Nevertheless, investigation revealed that his system had no evidence against him, proving his innocence.
3.5. Evaluation of Evidence:
The evidence's credibility and admissibility were ensured by the strict adherence to accepted forensic procedures and instruments during its acquisition. Strict adherence to the chain of custody protocol was maintained at all times to protect the evidence's integrity. It included a wide range of carefully gathered and examined digital artifacts relevant to the inquiry. The techniques used in the investigation followed industry-standard digital forensic procedures, guaranteeing the validity and dependability of the data produced.
3.6. Validity and Verifiability
Thoroughly recorded actions and contemporaneous notes were used to carefully validate and verify the investigation process and its results. The legitimacy and verifiability of the inquiry were maintained by using approved forensic instruments and procedures. The findings' validity and verifiability were reinforced by the factual and objective presentation of the information, which was in line with best standards in digital forensics.
3.7. References
Any tools, methodologies, or standards referenced during the investigation are duly acknowledge in this section, ensuring transparency and accountability in the research process.
3.8. Critical Discussion of the Investigation
The investigation's merits were highlighted by the care with which its data were gathered and analyzed, which guaranteed the integrity and accuracy of its conclusions. Nevertheless, other drawbacks were noted, including the lack of background information and supporting documentation on purportedly unlawful actions. These restrictions highlight more general concerns about privacy, data security, and the need for efficient risk management techniques. It is clear from the thorough investigation described above that Jim is innocent. Despite carefully examining every piece of evidence, no clear link linking Jim to the crime could be uncovered. Thus, the ultimate deduction is that Jim-Cloudy is not guilty.
3.9. Appendix
Further materials that corroborate the investigation's conclusions and offer more background are included for reference. These supplemental materials, which provide a more thorough picture of the case, could include extensive evidence logs, in-depth analytical reports, or further investigative findings.
4. Contemporaneous Notes
Date: April 6, 2024
Investigator:[Investigator's Name]
Case Number: [Case Number]
Suspect: Jim Cloudy
System Identifier:DESKTOP-PM6C56D
1. Evidence Collection:
Time: 09:00 AM - Forensic imaging of DESKTOP-PM6C56D using FTK Imager. Image verified for integrity post-capture.
Method: Bit-stream imaging of the hard disk.
Location: Secured facilities at [Location].
2. Evidence Analysis:
Time: 10:30 AM - Initial analysis using Autopsy to review user profiles, document activity, and browser history.
Findings: No immediate evidence linking Jim to the crime identified in the initial review.
Actions: Continued deeper analysis of web bookmarks, download history, and device connections.
3. Detailed Examination:
Time:02:15 PM - Analysis of web search history and connected external devices.
Observations: Searches related to general information on firearms; no direct purchases or illegal activities detected.
4. Timeline Reconstruction:
Time: 04:00 PM - Construction of a timeline of events based on user actions, timestamps, and log files.
Outcome: No activities during the critical times alleged in the crime; another user's account active during suspected times.
5. Chain of Custody:
Documentation: All actions and findings were logged in real-time with signatures from all present team members.
Storage: All digital copies secured in encrypted storage; access logged and restricted to authorized personnel only.
6. Consultation and Review:
Time: 05:30 PM - Review of findings with senior forensic analysts.
Feedback: Agreement on the absence of direct evidence linking Jim to the crime.
7. Reporting:
Time: 06:00 PM - Preparation of the detailed forensic report begun.
Note: Inclusion of all analytic methods, findings, and expert opinions to ensure comprehensive documentation for court purposes.
4.1. Conclusion
DESKTOP-PM6C56D, a digital forensic examination concerning suspect Jim Cloudy, was carried out with forensic techniques and methodologies that have been well tested and widely acknowledged. We followed every precaution to guarantee the integrity and continuity of the evidence throughout the inquiry, as evidenced by our careful chain of custody and the use of contemporaneous notes.
The investigation thoroughly examined all facets of the suspect's digital trail, including download trends, document activity, operating system statistics, and site surfing history. Jim was not directly connected to the suspected crime, according to the evidence. The conclusion that Jim's user profile was inactive during the relevant periods is further supported by the timeline of events that was recreated using the digital artifacts. Furthermore, additional user behavior throughout the alleged time periods indicates the participation of someone else.
After carefully examining Jim Cloudy's digital activity and taking into account the lack of any concrete or indirect digital evidence linking him to the crime, we have come to the conclusion that Jim Cloudy is not a suspect in this case. Our conclusions are supported by a straightforward, convincing, and validated forensic procedure that withstands critical examination.
It is advised that Jim Cloudy be cleared of all charges pertaining to this case as a consequence of this inquiry, with consideration given to conducting more research into other possible suspects in light of the digital evidence gathered. The results of this analysis demonstrate how important it is to continue to focus on upholding strong risk management procedures and high standards of digital privacy.
