Wednesday, July 3, 2019

Computer Forensics Investigation and Techniques

I am a student of the International Advanced Diploma in Computer Studies (IADCS). In this course, I have to do a computer forensics assignment. The assignment title is Didsbury Mobile Entertainments LTD. This assignment helps me understand computer forensics investigation and techniques. Before this assignment, although I am interested in computer forensics, I had hardly used a computer forensics toolkit or done any investigation. Because of this assignment, I have learnt many techniques for investigating a computer and applying them practically. So, by doing this assignment, I have gained practical and much valuable knowledge in computer forensics. A heartfelt thanks to all the people in Myanma Computer Company Ltd. for their warm welcome during the period of the IADCS course and while this assignment was developed.

Task 1

i) Report

DIDSBURY MOBILE ENTERTAINMENTS LTD
No(5), Duku Place, Singapore
Jan 10, 2010

Introduction

Computer forensics involves obtaining and analyzing digital information to figure out what happened, when it happened, how it happened and who was involved. What is more, it is used as evidence in civil, criminal, or administrative cases.

Reasons for a need for computer forensic investigation

A computer forensics investigation can recover thousands of deleted mails, can establish when the user logged into the system and what he does, can determine the motivation and intent of the user, can search keywords in a hard drive in different languages and can gain evidence against an employee that an organization wished to terminate. For these reasons, in order to know whether Jalitha has been spending her time on her friend's business or not, we need a computer forensic investigation.

Steps to pursue the investigation

In order to pursue the investigation, I would take the following steps:
1) Secure the computer system to ensure that the equipment and data are safe.
2) Discover every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten.
3) Copy all files and work on these copies, as accessing a file can alter its original value.
4) Start a detailed journal with the date and time and the date/information discovered.
5) Collect email, DNS, and other network service logs.
6) Analyze with various computer forensics tools and software.
7) Print out an overall analysis.
8) Evaluate the information/data recovered to determine the case.

Conclusion

After we know the reasons and steps for the investigation, we should move on to conduct the investigation.
However, we should note that the first step of the investigation is critical: if the system is not secure, then the evidence or data we find may not be admissible.

ii a) Report for "The procedures to make sure the evidence holds up in court"

DIDSBURY MOBILE ENTERTAINMENTS LTD
No(5), Duku Place, Singapore
Jan 12, 2010

Introduction

Evidence is any physical or electronic information (such as computer log files, data, images, hardware, disk image, etc.) that is collected during a computer forensic investigation. The purpose of gathering evidence is to help determine the source of the attack, and to introduce the evidence as testimony in a court of law.

Procedures to make sure the evidence holds up in court

In order to make the evidence admissible in court, we need to follow these steps:
1) Before any evidence can be gathered, a warrant must be issued so that the forensic specialist has the legal authority to seize, copy and examine the data.
2) Take the responsibility to ensure that the law and the principles we apply are met.
3) Evidence must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place.
4) Tracking the chain of custody is essential for preparing evidence, as it shows the evidence was collected from the system in question, and was stored and managed without alteration.
5) Extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
6) Prevent viruses from being introduced to a computer during the analysis process.
7) To ensure that reliable evidence is presented in court, the original evidence must be described in complete detail.
8) Be prepared to answer reliability questions relating to the software we have used.

Conclusion

In gathering evidence, authenticity, reliability and chain of custody are important aspects to be considered. By following the above steps, we can properly handle the evidence so that it holds up in court.

ii b) Evidence form

Didsbury Mobile Entertainments Ltd
IT Department
Computer Investigation

Case No.: 005
Investigation Organization: Gold Mind
Investigator: Win Pa Pa Aye
Nature of Case: Company's policy violation case
Location where evidence was obtained: On suspect's office desk

Description of evidence (Vendor Name; Model No./Serial No.):
Item 1: One CD (Sony)
Item 2: A 4GB flash memory device (Kingston; 05360-374.A00LF)
Item 3:

Evidence recovered by: Win Pa Pa Aye. Date & Time: 10.12.2009, 10:00 AM
Evidence placed in locker: E2419. Date & Time: 15.12.2009, 11:00 AM

Item, evidence processed by, description of evidence, date/time:
1. Win Pa Pa Aye. Fully recovered deleted email on the drive which was sent to Radasa's company, including data exchange between the businesses. 13.12.2009, 3:00 PM
2. Win Pa Pa Aye. Encrypted document hidden inside a bitmap file. Decrypted and saved on another media. 18.12.2009, 9:00 AM
3. Win Pa Pa Aye. Password-protected document covering the exchange of information with her friend. Password cracked and file saved on another media. 22.12.2009, 2:00 PM

Task 2

Report for "The way the data is stored, boot tasks and start up tasks for Windows and Linux systems"

To effectively investigate computer evidence, we must understand how the most popular operating systems work in general and how they store files in particular. The type of file system an operating system uses determines how data is stored on the disk. The file system is the general name given to the logical structures and software routines used to control access to the storage on a hard disk system, and it is usually related to an operating system. To know the way the data is stored in Windows XP and Linux, we need to look into the file systems of Windows and Linux.

The way the data is stored in Windows XP

Although Windows XP supports several different file systems, NTFS is its primary file system. So, we will have a look at NTFS, as the NTFS system offers better performance and features than a FAT16 or FAT32 system.

NTFS divides all useful space into clusters and supports almost all sizes of clusters, from 512 bytes up to 64 Kbytes. An NTFS disk is symbolically divided into two parts: the MFT (Master File Table) area and the file storage area. The MFT consumes about 12% of the disk and contains information about all files located on the disk. This includes the system files used by the operating system.
The MFT is divided into records of a fixed size (usually 1 Kbyte), and each record corresponds to some file. Records within the MFT are referred to as meta-data, and the first 16 records are reserved for system files. For reliability, the first three records of the MFT file are copied and stored exactly in the middle of the disk, and the rest can be stored anywhere on the disk. The remaining 88% of disk space is for file storage. Below is the partition structure of an NTFS system. Now that we know the file system of Windows XP, we will move on to the file system of Linux.

The way the data is stored in Linux

When it comes to the Linux file system, ext2 has been the default file system, as its main advantages are its speed and that it is extremely robust. However, there is a risk of data loss when sudden crashes occur, and it takes a long time to recover. Sometimes the recovery may also end up with corrupt files. Keeping the advantages of ext2 and adding some data loss protection and recovery speed led to the development of the journaling file systems ext3 and ReiserFS. Though ext2, ext3 and ReiserFS are the most popular file systems, there are also some other file systems used in the Linux world, such as JFS and XFS.

As Linux views all file systems from the perspective of a common set of objects, there are four objects: superblock, inode, dentry and file. The superblock is a structure that represents a file system and holds vital information about the system. Moreover, it includes the file system's name (such as ext2), the size of the file system and its state, a reference to the block device, and meta-data information. It also keeps track of all the nodes. Linux keeps multiple copies of the superblock in various locations on the disk to prevent losing such vital information.

Every object that is managed within a file system (file or directory) is represented in Linux as an inode. The inode contains all the meta-data needed to manage objects in the file system. Another set of structures, called dentries, is used to translate between names and inodes, for which a directory cache exists to keep the most recently used ones around. The dentry also maintains relationships between directories and files for traversing file systems. Finally, a VFS (Virtual File System) file represents an open file (it keeps state for the open file, such as the write offset, and so on). While the majority of the file system code exists in the kernel (except for user-space file systems), Figure (2.3) shows the Linux file system from the point of view of high-level architecture and the relationships between the major file system-related components in both user space and the kernel.

The boot task and start up task of Windows XP

A good understanding of what happens to disk data at startup is also an important aspect, as accessing a computer system after it was used for illegal reasons can alter the disk evidence.
First, we will discuss the Windows XP startup and boot process, and then shift to the startup and boot process of Linux. Like any other PC system, Windows XP starts up by running the POST test, performing an initialization of its intelligent system devices, and performing a system boot process. The boot process begins when the BIOS starts looking through the system for a master boot record (MBR). This record can reside on drive C or at any other location in the system. When the BIOS executes the master boot record on the hard drive, the MBR examines the disk's partition table to locate the active partition. The boot process then moves to the boot sector of that partition, located in the first sector of the active partition. There, it finds the code to begin loading the secondary bootstrap loader from the root directory of the boot drive.

In an NTFS partition, the bootstrap loader is named NTLDR and is responsible for loading the XP operating system into memory. When the system is powered on, NTLDR reads the Boot.ini file. If Boot.ini contains more than one operating system entry, a boot menu is displayed to the user, allowing the user to choose which operating system is to be loaded. Figure (2.4) shows a Boot.ini that contains two operating systems and allows the user to choose. After the user has selected the desired system to boot to, NTLDR runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll and the startup device drivers. After the file system driver has loaded, control is then passed from NTLDR to the kernel. At this time, Windows XP displays the Windows logo.

Virtually all applications we installed using the default installation decide that they should start up when Windows starts. Under the Startup tab in the System Configuration Utility, the programs that run when our system boots are listed. Figure (2.6) shows the programs listed when our system starts.

The boot task and start up task of Linux

Having gone through the start up process of Windows XP, we will now shift to the startup process of Linux. In Linux, the flow of control during a boot is also from BIOS, to boot loader, to kernel. When you turn on the power, the BIOS conducts hardware-platform specific startup tasks. Once the hardware is recognized and started correctly, the BIOS loads and executes the partition boot code from the designated boot device, which contains the Linux boot loader.

Linux Loader (LILO) is the Linux utility that initiates the boot process, and it usually runs from the disk's MBR. LILO is a boot manager that allows you to start Linux or other operating systems, including Windows. If a system has two or more operating systems, LILO gives a prompt asking which operating system the user wishes to initialize.

When the user chooses the boot option, it then loads the chosen operating system into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. The kernel then performs the majority of system setup (memory management, device initialization) before separately spawning the idle process and scheduler, and the init process, which is executed in user space.
The scheduler takes control of the system management. The init process executes scripts as needed that set up all non-operating system services and structures in order to allow a user environment to be created, and then presents the user with a login screen.

We have described the way the data is stored, and the boot task and startup task of Windows XP and Linux. After a thorough study of these areas, we can acquire or handle the evidence properly.

Task 3

a) Features comparison of EnCase, Access Data's Forensic Toolkit and ProDiscover

Features of Guidance EnCase Forensic
* Forensically acquire data in a sound manner using software with an unparalleled record in courts worldwide
* Using a single tool, investigate and analyze multiple platforms
* With prebuilt EnScript modules such as Initialized Case and Event Log analysis, it can automate complex and routine tasks, so it saves time in analyzing
* Find information despite efforts to hide, cloak or delete it
* Can easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack and unallocated space
* Directly transfer evidence files to law enforcement or legal representatives as necessary
* Includes review options that allow non-investigators to review evidence easily
* Includes report options that enable quick report preparation

Features of Access Data's Forensic Toolkit
* Provides an integrated solution, so there is no need to buy multiple tools to complete a case.
* Provides an integrated database that avoids application crashes, lost work and product instability.
* Identifies encrypted files automatically from more than 80 applications and cracks those files.
* Supports international languages, which allows us to easily search and view foreign-language data in our native format
* Includes email analysis that can recover and analyze a wide range of email and web mail formats
* Can generate different industry-standard report formats quickly and concisely
* Collects key information from the registry, including user information, dates of application installation, hardware, time zone and recently used information
* While processing takes place, we can view and analyze data

Features of ProDiscover
* To keep the original evidence safe, it creates a bit-stream copy of the disk for analysis that includes the hidden HPA section
* For complete disk forensic analysis, it searches files or the entire disk, including slack space, the HPA section and Windows NT/2000/XP alternate data streams
* Without altering data on the disk, it can preview all files, including metadata and hidden or deleted files
* Support for VMware to run a captured image.
* In order to ensure nothing is hidden, it examines data at the file or cluster level
* To prove data integrity, it can generate and record MD5, SHA1 and SHA256 hashes automatically.
* Examines FAT12, FAT16, FAT 32 and all NTFS file systems, including dynamic disk and software RAID, for maximum flexibility.
* Examines Sun Solaris UFS file system and Linux ext2 / ext3 file systems.
* Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate the investigation process.
* Integrated viewer to examine .pst /.ost and .dbx email files.
* Utilizes Perl scripts to automate investigation tasks.
* Extracts EXIF information from JPEG files to identify file creators.
* Automated report generation in XML format saves time, improves accuracy and compatibility.
* GUI interface and integrated help function assure quick start and ease of use.
* Designed to NIST Disk Imaging Tool Specification 3.1.6 to ensure high quality.

Forensic tools comparison chart: Access Data FTK v2.0, Guidance EnCase Forensic 6.0, ProDiscover Forensic

Report for Choosing Access Data's Forensic Toolkit

I think Access Data's Forensic Toolkit is the most suitable for our lab, as it provides more forensic analysis features than EnCase and ProDiscover. In the analysis aspects, Access Data can analyze more files and folders than the others. So, it can be a powerful tool when we analyze files for evidence. Moreover, it uses a database to support large volumes of data, which can avoid application crashes, lost work and product instability for our lab.

As Access Data is a GUI-based utility that can run on the Windows XP, 2000, Me, or 9x operating systems, its demo version has some of the same features as the full-licensed version, it uses multi-threading to optimize CPU usage, it has a task scheduler to optimize time, and it can view and analyze data while processing takes place, it meets the requirements of our lab. What is more, it supports international languages, so we can analyze data no matter which languages they are using.

On top of that, it is powerful in searching, recovery, email and graphic analysis.
Because of these reasons, and by viewing the above forensic tools comparison chart, I can conclude that Access Data's Forensic Toolkit is the most effective for our lab.

b) Forensic Analysis Report for Analyzing FAT32, NTFS and CDFS file system using Access Data's FTK

Task 4

a) MD5 hash values of bmp, doc, xls files

Every hash value generated by MD5 before modification is not the same as the hash value generated after modification.

b) Why hash values are same or different

A hash value is a numeric value of a fixed length that uniquely identifies data. Data can be compared to a hash value to determine its integrity. Data is hashed and the hash value is stored. At a later time, or after the data has been received from mail, the data is hashed again and compared to the stored hash, or to the hash value it was sent with, to determine whether the data was altered.

In order to compare the hash values, the original hashed data must be encrypted or kept secret from all untrusted parties. When they are compared, if the compared hash values are the same, then the data has not been altered. If the file has been modified or corrupted, MD5 produces different hash values.

In task 4 (a), we first created a doc file with data in it, then we generated the hash value of the doc file with MD5. The hash value of the info.doc file is da5fd802f47c9b5bbdced35b9a1202e6. After that, we made a modification to the info.doc file and regenerated the hash value. The hash value after modifying is 01f8badd9846f32a79a5055bfe98adeb. The hash value is completely different after modifying. Then we created a cv.xls file and generated the hash value. Before modifying, the hash value is ef9bbfeec4d8e455b749447377a5e84f. After that, we added one record to the cv.xls file and regenerated the hash value. After modifying, the hash value ccfee18e1e713cdd2fcf565298928673 is produced. The hash value of the cv.xls file changed after the data was altered.

Furthermore, we created a fruit.bmp file to compare the hash value before and after modification. The hash value before modifying is 8d06bdfe03df83bb3942ce71daca3888 and after modifying is 667d82f0545f0d187dfa0227ea2c7ff6. So, the hash value of the bmp file is completely different after the data has been modified.

When we encrypted the text file into each image file, the text file is not visible in the image viewing utility and each image file looks like its original image file. However, the hash values of each image file before and after inserting short messages are completely different. As each image file has been altered by inserting a short message, the regenerated hash value is totally different from the original hash value.

On top of that, the original image file size has changed after inserting short messages. The raster image file has slightly increased in file size after it was modified: the raster image file size increased from 50.5 KB to 50.7 KB. However, of the remaining three, two image files, vector and metafile, have decreased in file size rather sharply. The original file size of the vector image is 266 KB, and it decreased to 200 KB after modification. The metafile also decreased from 313 KB to 156 KB. Only the bitmap remains constant, as its file size does not increase or decrease.

In a nutshell, we can say that the hash value changes if the file has been modified. However, depending on the file format, the file size can increase, decrease or remain constant.

d) Report for differences of bitmap, raster, vector and metafile

A bitmap image is a computer file composed of dots or pixels that form an image. The pixels of a bitmap are stored like a grid of little squares. When we use the paint program, we can see that a bitmap pixel is like a block, and the image is drawn or cleared block by block. A raster image is also a collection of pixels, but the image stores pixels in rows to make it easy to print. A raster image is resolution dependent. It cannot scale up to an arbitrary resolution without loss of apparent quality. This is overcome by the vector image. A vector image is made up of many individual, scalable objects. These objects are defined by mathematical equations rather than pixels, so it always renders at the highest quality. There are many attributes in a vector image, like color, fill and outline. The attributes can be changed without destroying the basic object.

A metafile is a combination of raster and vector graphics, and can have the characteristics of both image types.
However, if you create a metafile with raster and vector parts and enlarge it, the area in raster format will lose some resolution while the vector-formatted area remains sharp and clear.

If we have lost an image file, before doing anything, we should be familiar with the data patterns of known image file types. Then the recovery process starts. The first step in recovery is to recover file fragments from slack space and free space. A file fragment can contain header data that is partly overwritten. So, we use DriveSpy to locate possible unallocated data sets that contain the full or partial image header value.

To locate and recover the image header, we need to know the absolute starting and ending cluster. If not, we could collect the wrong data. Using DriveSpy, we can find the starting cluster number and file size of the image that we want to recover. To find the exact ending cluster, add the total number of clusters assigned to the starting cluster position. As we know the size of the image file, we can calculate the total number of clusters. Then, we can locate the image file and retrieve the image header. After we get the header value, open the file with Microsoft Photo Viewer. If the file opens successfully, then recovery of the image file is complete. If not, we need to use Hex Workshop to examine the header of the file.

Task 5

Report for investigation that proves Naomi's innocence

Before we start tracing an email, we should know which email is illegal and what constitutes an email crime. Illegal email includes selling narcotics, extortion, sexual harassment, stalking, fraud, child abductions, and child pornography.

As Jezebel has received an offensive email, we need to access the victim's computer and copy and print the offensive email to recover the evidence contained in the email. Microsoft Outlook, Outlook Express or any other GUI email program supports copying the email from the inbox to the place that we want by dragging the message to the storage place. When copying email, the header of the email must be included, as it contains unique identifying numbers, such as the IP address of the server that sent the message. This helps us when tracing the email.

After copying and printing the message, we should retrieve the email header to get the sender's IP address. Right click on the message and choose message options to retrieve the email header. The following shows the header information that was retrieved from the mail on the victim's computer.

Line 1 (10.140.200.11) shows the IP address of the server sending the e-mail, and provides the date and time that the offensive e-mail was sent. Although at line 5 the victim seems to be Jezebel, line 1 identifies that the IP address the e-mail was sent from (10.140.200.11) is the same as the victim's computer IP address. So, we can conclude that Naomi was not involved in sending the offensive e-mail. She is innocent, and the victim, Jezebel himself, is the one who sent the offensive e-mails.
information touch on dodgeforensicsworld.com/index.phphttp//www.crime-re assay.org/ subroutine library/forensics.htmhttp//ixbtlabs.com/articles/ntfs/www.wikipedia.com computing device rhetoricals investigation and Techniques computing machine forensics investigation and Techniques displayI am the student of externalistic locomote diploma in calculator Studies (IADCS). In this course, I put one over to do view rhetorical assignment. The assignment deed is Didsbury fluent Entertainmen ts LTD. This assignment helps me intellect calculator forensics investigation and techniques in the lead this assignment, although I am interested in electronic entropy processor forensic, I am barely utilise computing machine forensics toolkit or through any investigation. Because of this assignment, I stir learnt more techniques how to look into calculating machine and make it practically. So, by doing this assignment, I bugger off gained in practical and much invaluable acquaintance in selective information processor rhetoricals.nd a heartfelt thank to all the hatful in Myanma calculating machine Company Ltd. for their cordially congenial during the item of the IADCS course and this assignment developed. labor 1i) invoiceDIDSBURY roving ENTERTAINMENTS LTD none5), Duku place, Singapore Jan 10, 2010 startle line appearance calculator forensics involves obtaining and analyzing digital information for evaluate out what happened, when it happened, how it happened and who was involved. What is more, it is use as render in civil, criminal, or administrative cases.Reasons for a call for for ready reckoner forensic investigation ready reckoner forensics investigation digest recover thousands of deleted mails, place come when the user log into the constitution and what he does, toilet determine the indigence and intent of the user, fanny search keywords in a hard drive in contrary languages and keister gain tell against an employee that an organization wished to terminate. 
For these reasons, in order to know whether Jalitha has been spending her time on her friend's business or not, we need a computer forensic investigation.

Steps to pursue the investigation

In order to pursue the investigation, I would take the following steps:

1) Secure the computer system to ensure that the equipment and data are safe
2) Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten.
3) Copy all files and work on these duplicate files, as accessing a file can alter its original value
4) Start a detailed journal with the date and time and date/information discovered
5) Collect email, DNS, and other network service logs
6) Analyze with various computer forensics tools and software
7) Print out an overall analysis
8) Evaluate the information/data recovered to determine the case

Conclusion

After we know the reasons and steps for investigation, we should move on to conduct the investigation. However, we should note that the first step of the investigation is critical: if the system is not secure, then the evidence or data we found may not be admissible.

ii a) Report for "The procedures to make sure the evidence holds up in court"

DIDSBURY MOBILE ENTERTAINMENTS LTD
No(5), Duku place, Singapore
Jan 12, 2010

Introduction

Evidence is any physical or electronic information (such as computer log files, data, ideas, hardware, disk image, etc) that is collected during a computer forensic investigation.
The purpose of gathering evidence is to help determine the source of the attack, and to introduce the evidence as testimony in a court of law.

Procedures to make sure the evidence holds up in court

In order to make the evidence admissible in court, we need to follow these steps:

1) Before any evidence can be gathered, a warrant must be issued so that the forensic specialist has the legal authority to seize, copy and examine the data
2) Take responsibility for ensuring that the law and the principles we apply are met
3) Evidence must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place
4) Tracking the chain of custody is essential for preparing evidence as it shows the evidence was collected from the system in question, and was stored and managed without alteration.
5) Extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
6) Preventing viruses from being introduced to a computer during the analysis process
7) To ensure that original evidence must be described in complete detail to present reliable evidence in court
8) Must be prepared to answer reliability questions relating to the software we have used

Conclusion

In gathering evidence, authenticity, reliability and chain of custody are important aspects to be considered. By following the above steps, we are proper in handling the evidence so that it holds up in court.

ii b) Evidence form

Didsbury Mobile Entertainments Ltd
IT Department
Computer Investigation

Case No.: 005
Investigation organization: Gold
Investigator: Win Pa Pa Aye
Nature of case: Company's policy violation case
Location where evidence was obtained: On suspect's office desk

Description of evidence (vendor name; model No./serial No.)
Item 1: One CD; Sony
Item 2: A 4GB memory device; Kingston; 05360-374.A00LF
Item 3:

Evidence recovered by: Win Pa Pa Aye; date and time: 10.12.2009, 10:00 AM
Evidence placed in locker: E2419; date and time: 15.12.2009, 11:00 AM

Item; evidence processed by; description of evidence; date/time
1; Win Pa Pa Aye; Fully recovered deleted email on the drive which is sent to Radasa's company, including data exchange between the businesses; 13.12.2009, 3:00 PM
2; Win Pa Pa Aye; Encrypted document hidden inside an electronic image file. Decrypted and saved on another media; 18.12.2009, 9:00 AM
3; Win Pa Pa Aye; Password-protected document covering the exchange of information with her friend. Password cracked and file saved on another media; 22.12.2009, 2:00 PM

Task 2

Report for "the way the data is stored, boot tasks and start up tasks for Windows and Linux systems"

To effectively investigate computer evidence, we must understand how the most common operating systems work in general and how they store files in particular. The type of file system an operating system uses determines how data is stored on the disk. The file system is the general name given to the logical structures and software routines used to control access to the storage on a hard disk system, and it is usually related to an operating system. To know the way the data is stored in Windows XP and Linux, we need to get into the file systems of Windows and Linux.

The way the data is stored in Windows XP

Although Windows XP supports several different file systems, NTFS is its primary file system. So, we will have a look at NTFS, as the NTFS system offers better performance and features than FAT16 and FAT32 systems.

NTFS divides all useful space into clusters and supports almost all sizes of clusters, from 512 bytes up to 64 Kbytes.
The NTFS disk is symbolically divided into two parts: the MFT (Master File Table) area and the file storage area. The MFT consumes about 12% of the disk and contains information about all files located on the disk. This includes the system files used by the operating system. The MFT is divided into records of fixed size (usually 1 Kbyte), and each record corresponds to some file. Records within the MFT are referred to as metadata and the first 16 records are reserved for system files. For reliability, the first three records of the MFT file are copied and stored exactly in the middle of the disk and the remaining can be stored anywhere on the disk. The remaining 88% of disk space is for file storage. Below is the partition structure of the NTFS system.

After we know the file system of Windows XP, we will move on to the file system of Linux.

The way the data is stored in Linux

When it comes to Linux file systems, ext2 has been the default file system, as its main advantages are its speed and extreme robustness. However, there is a risk of data loss when sudden crashes occur, and it takes a long time to recover. Sometimes the recovery may also end up with corrupt files. Using the advantages of ext2 and adding some data loss protection and recovery speed led to the development of the journaling file systems ext3 and ReiserFS. Though ext2, ext3 and ReiserFS are the most popular file systems, there are also some other file systems used in the Linux world, such as JFS and XFS.

As Linux views all file systems from the perspective of a common set of objects, there are four objects: superblock, inode, dentry and file. The superblock is a structure that represents a file system and includes vital information about the system. Moreover, it includes the file system name (such as ext2), the size of the file system and its state, a reference to the block device, and metadata information.
It also keeps track of all the nodes. Linux keeps multiple copies of the superblock in various locations on the disk to prevent losing such vital information.

Every object that is managed within a file system (file or directory) is represented in Linux as an inode. The inode contains all the metadata to manage objects in the file system. Another set of structures, called dentries, is used to translate between names and inodes, for which a directory cache exists to keep the most-recently used around. The dentry also maintains relationships between directories and files for traversing file systems. Finally, a VFS (Virtual File System) file represents an open file (it keeps state for the open file such as the write offset, and so on).

While the majority of the file system code exists in the kernel (except for user-space file systems), Figure (2.3) shows the Linux file system from the point of view of high-level architecture and the relationships among the major file system-related components in both user space and the kernel.

The boot task and start up task of Windows XP

A good understanding of what happens to disk data at startup is also an important aspect, as accessing a computer system after it was used for illegal reasons can alter the disk evidence. First, we will discuss the Windows XP startup and boot process, and then move into the startup and boot process of Linux.

Like any other PC system, Windows XP starts up by running the POST test, performing an initialization of its intelligent system devices, and performing a system boot process. The boot process begins when the BIOS starts looking through the system for a master boot record (MBR). This record can reside on drive C or at any other location in the system. When the BIOS executes the master boot record on the hard drive, the MBR examines the disk's partition table to locate the active partition.
The boot process then moves to the boot sector of that partition, located in the first sector of the active partition. There, it finds the code to begin loading the secondary bootstrap loader from the root directory of the boot drive.

In an NTFS partition, the bootstrap loader is named NTLDR and is responsible for loading the XP operating system into memory. When the system is powered on, NTLDR reads the Boot.ini file. If Boot.ini contains more than one operating system entry, a boot menu is displayed to the user, allowing the user to choose which operating system is to be loaded. Figure (2.4) shows that Boot.ini contains two operating systems and allows the user to choose.

After the user has selected the desired mode to boot to, NTLDR runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll and the startup device drivers. After the file system driver has loaded, control is then passed from NTLDR to the kernel. At this time, Windows XP displays the Windows logo.

Virtually all applications we install using the default installation decide that they should start up when Windows starts. Under the Startup tab in the System Configuration Utility, a list of programs that run when our system boots is listed. Figure (2.6) shows the listed programs when our system boots.

The boot task and start up task of Linux

After we have gone into the startup process of Windows XP, we will then look into the startup process of Linux. In Linux, the flow of control during a boot is also from BIOS, to boot loader, to kernel. When you turn on the power, the BIOS performs hardware-platform specific startup tasks. Once the hardware is recognized and started correctly, the BIOS loads and executes the partition boot code from the designated boot device, which contains the Linux boot loader.

Linux Loader (LILO) is the Linux utility that initiates the boot process, which usually runs from the disk's MBR.
LILO is a boot manager that allows you to start Linux or other operating systems, including Windows. If a system has two or more operating systems, LILO gives a prompt asking which operating system the user wishes to initialize.

When the user chooses the boot option, it then loads the chosen operating system into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. The kernel then performs the majority of system setup (memory management, device initialization) before spawning separately the idle process and scheduler, and the init process, which is executed in user space. The scheduler takes control of the system management. The init process executes scripts as needed that set up all non-operating system services and structures in order to allow a user environment to be created, and then presents the user with a login screen.

We have described the way the data is stored, and the boot task and startup task of Windows XP and Linux. After a thorough study of these areas, we can acquire or handle the evidence properly.
Task 3

a) Features comparison of EnCase, AccessData's Forensic Toolkit and ProDiscover

Features of Guidance EnCase Forensic

* In courts worldwide, forensically acquire data in a sound manner using software with an unparalleled record
* Using a single tool, investigate and analyze multiple platforms
* With prebuilt EnScript modules such as Initialized Case and Event Log analysis, it can automate complex and routine tasks, so it saves time in analyzing
* Find information despite efforts to hide, cloak or delete
* Can easily manage large volumes of computer evidence, view all relevant files including deleted files, file slack and unallocated space
* Directly transfer evidence files to law enforcement or legal representatives as necessary
* Include review options that allow non-investigators to review evidence easily
* Include reporting options that enable quick report preparation

Features of AccessData's Forensic Toolkit

* Provides an integrated solution, so there is no need to purchase multiple tools to complete a case.
* Provides an integrated database that avoids application crashes, lost work and product instability.
* Identifies encrypted files automatically from more than 80 applications and checks those files.
* Supports international languages, which allows us to easily search and view foreign-language data in its native format
* Includes email analysis that can recover and analyze a wide range of email and web mail formats
* Can generate different industry-standard report formats quickly and concisely
* Collects key information from the registry, including user information, date of application installed, hardware, time zone and recently used information
* While processing takes place, we can view and analyze data

Features of ProDiscover

* To keep original evidence safe, it creates a bit-stream copy of the disk for analysis that includes the hidden HPA section
* For complete disk forensic analysis, it searches files or the entire disk including slack space, HPA section and Windows NT/2000/XP alternate data streams
* Without altering data on the disk, it can preview all files including metadata and hidden or deleted files
* Support for VMware to run a captured image.
* In order to ensure nothing is hidden, it examines data at the file or cluster level
* To prove data integrity, it can generate and record MD5, SHA1 and SHA256 hashes automatically.
* Examines FAT12, FAT16, FAT32 and all NTFS file systems including Dynamic Disk and Software RAID for maximum flexibility.
* Examines Sun Solaris UFS file system and Linux ext2/ext3 file systems.
* Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate the investigation process.
* Integrated viewer to examine .pst/.ost and .dbx e-mail files.
* Utilizes Perl scripts to automate investigation tasks.
* Extracts EXIF information from JPEG files to identify file creators.
* Automated report generation in XML format saves time, improves accuracy and compatibility.
* GUI interface and integrated help function assure quick start and ease of use.
* Designed to NIST Disk Imaging Tool Specification 3.1.6 to insure high quality.

Comparison chart: AccessData FTK v2.0, Guidance EnCase Forensic 6.0, ProDiscover Forensic

Report for choosing AccessData's Forensic Toolkit

I believe AccessData's Forensic Toolkit is the most beneficial for our lab as it provides more forensic examination features than EnCase and ProDiscover. In the evidence aspects, AccessData can find more files and folders than others. So, it can be a powerful tool when we investigate files for evidence.
Moreover, it uses a database to support large volumes of data, which can avoid application crashes, lost work and product instability for our lab.

AccessData is a GUI-based utility that can run on Windows XP, 2000, Me, or 9x operating systems, and its demo version has most of the same features as the full-licensed version. It uses multi-threading to optimize CPU usage, has a task scheduler to optimize time and can view and analyze data while processing takes place, so it meets the requirements of our lab. What is more, it supports international languages, so we can analyze data no matter which languages they are using.

On top of that, it is powerful in searching, recovery, email and graphic analysis. Because of these reasons and by viewing the above forensic tools comparison chart, I can conclude that AccessData's Forensic Toolkit is the most beneficial for our lab.

b) Forensic Analysis Report for analyzing FAT32, NTFS and CDFS file systems using AccessData's FTK

Task 4

a) MD5 hash values of bmp, doc, xls files

Each hash value generated by MD5 before modification is not the same as the hash value generated after modification.

b) Why hash values are same or different

A hash value is a numeric value of a fixed length that uniquely identifies data. Data can be compared to a hash value to determine its integrity. Data is hashed and the hash value is stored. At a later time, or after the data has been received by mail, the data is hashed again and compared to the stored hash or the hash value it was sent with to determine whether the data was altered.

In order to compare the hash values, the original hashed data must be encrypted or kept secret from all untrusted parties. When they are compared, if the hash values are the same, then the data has not been altered.
If the file has been modified or corrupted, MD5 produces different hash values.

In task 4 (a), first we created a doc file with data in it, then we generated the hash value of the doc file with MD5. The hash value of the info.doc file is da5fd802f47c9b5bbdced35b9a1202e6. After that, we made a modification to that info.doc file and regenerated the hash value. The hash value after modifying is 01f8badd9846f32a79a5055bfe98adeb. The hash value is totally different after modifying.

Then we created a cv.xls file and generated the hash value. Before modifying, the hash value is ef9bbfeec4d8e455b749447377a5e84f. After that we added one record to the cv.xls file and regenerated the hash value. After modifying, the hash value ccfee18e1e713cdd2fcf565298928673 is produced. The hash value of the cv.xls file changed after the data was altered.

Furthermore, we created a fruit.bmp file to compare the hash value before and after modification. The hash value before modifying is 8d06bdfe03df83bb3942ce71daca3888 and after modifying is 667d82f0545f0d187dfa0227ea2c7ff6. So, the hash value comparison of bmp files is also different after data has been modified.

When we encrypted the text file into each image file, the text file is not visible in the image viewing utility and each image file is like its original image file. However, the comparison of the hash values of each image file before and after inserting short messages is completely different. As each image file has been altered by inserting a short message, the regenerated hash value is totally different from the original hash values.

On top of that, the original image file size has been changed after inserting short messages. The raster image file has slightly increased its file size after it has been modified. The raster image file size increased from 50.5 KB to 50.7 KB.
However, of the remaining three, two image files, vector and metafile, have reduced their file size somewhat sharply. The original file size of the vector is 266 KB and it decreased to 200 KB after being modified. The metafile also decreased from 313 KB to 156 KB. Only the bitmap remains stable, as its file size does not increase or decrease.

In a nutshell, we can conclude that the hash value would change if the file has been modified. However, depending on the file format, the file size can increase, decrease or remain stable.

d) Report for differences of bitmap, raster, vector and metafile

A bitmap image is a computer file that is composed of dots or pixels that form an image. The pixels of a bitmap are stored like a grid of tiny squares. When we use the Paint program, we can see that a bitmap pixel is like a block and it is drawn or cleared block by block. A raster image is also a collection of pixels, but the image stores pixels in rows to make it easy to print. A raster image is resolution dependent. It cannot scale up to an arbitrary resolution without loss of apparent quality. This is overcome by the vector image.

A vector image is made up of many individual, scalable objects. These objects are defined by mathematical equations rather than pixels, so they always render at the highest quality. There are many attributes in a vector, like color, fill and outline. The attributes can be changed without destroying the basic object.

A metafile is a combination of raster and vector graphics, and can have the characteristics of both image types. However, if you create a metafile with raster and vector and enlarge it, the area in raster format will lose some resolution while the vector-formatted area remains sharp and clear.

If we have lost an image file, before doing anything, we should be familiar with the data patterns of known image file types. Then the recovery process starts.
The first step in recovery is to recover file fragments from slack space and free space. The fragment file can locate the header data that is partly overwritten. So, we use DriveSpy to identify possible unallocated data sets that contain the full or partial image header values.

To locate and recover the image header, we need to know the absolute starting cluster and ending cluster. If not, we could collect the wrong data. Using DriveSpy, we can know the starting cluster number and file size of the image that we want to recover. To know the exact ending cluster, add the total number of clusters assigned to the starting cluster position. As we know the size of the image file, we can calculate the total number of clusters. Then, we can locate the image file and retrieve the image header. After we get the header value, open the file with Microsoft Picture Viewer. If the file has been opened successfully, then recovery of the image file has been completed. If not, we need to use Hex Workshop to examine the header of the file.

Task 5

Report for investigation that proves Naomi's innocence

Before we begin tracing an email, we should know which email is illegal and what constitutes an email crime. Illegal email includes selling narcotics, extortion, sexual harassment, stalking, fraud, child abductions, and child pornography.

As Jezebel has received an offensive email, we need to access the victim computer and copy and print the offensive email to recover the evidence contained in the email. Microsoft Outlook, Outlook Express or any other GUI email program supports copying the email from the inbox to the place that we want by dragging the message to the storage place. When copying email, the header of the email must be included as it contains unique identifying numbers, such as the IP address of the server that sent the message. This helps us when tracing the email.
After copying and printing the message, we should retrieve the email header to get the sender IP address. Right click on the message and choose message options to retrieve the email header. The following shows the header information that was retrieved from the mail of the victim computer.

Line 1 (10.140.200.11) shows the IP address of the server sending the e-mail, and provides a date and time that the offensive e-mail was sent. Although when we look at line 5 the victim seems to be Jezebel, line 1 identifies that the e-mail was sent from the IP address (10.140.200.11), which is the same as the victim's computer IP address. So, we can conclude that Naomi was not involved in sending the offensive e-mail. She is innocent and the victim, Jezebel himself, is the one who sent the offensive e-mails.

References

Computer Forensics textbook
http://www.computerforensicsworld.com/index.php
http://www.crime-research.org/library/Forensics.htm
http://ixbtlabs.com/articles/ntfs/
www.wikipedia.com
