Analyse and understand your digital device

Reference no: EM133184528

CO4514 Digital Forensic Technology - University of Central Lancashire

Scenario

Farayi is suspected of selling counterfeit International Student Identity Cards to people who are not entitled to claim the discounts this card brings. An undercover sting operation was setup to catch Farayi in the act of selling his counterfeit goods. Farayi attempted to sell a counterfeit ISIC card to an undercover officer who was part of the sting operation.

After being arrested and questioned at the local police station, Farayi provided a USB data stick to be further examined. Under questioning Farayi has stated that all the evidence that can be found is on this USB data stick.

A forensic technician has taken custody of the data stick, has performed a full physical acquisition using the dd imaging tool, and has signed this digital image into the evidence locker.

Instructions
You are to examine the full physical acquisition and answer the following questions.

What evidence exists to suggest Farayi has been counterfeiting ISIC cards?
Is there any evidence to suggest that Farayi knew his actions were illegal?
Is there any evidence to suggest the names of his customers?

Produce a report answering these questions. You should assume that you are preparing this report to be used by the Crown Prosecution Service.

You must research two different digital devices and discuss how to obtain evidence from each device. You will be told which digital devices you must research.

You must use the "CO4514 Assignment One Template" (located on Blackboard) for your short report.
This will require a deeper understanding of the underlying technology. You will be told which device to focus on.

Different devices bring their own challenges when it comes to evidence recovery or evidence acquisition. For example, some devices may support a full physical acquisition, some devices may not, and some devices may require a part acquisition using logical methods.

For this task, you are expected to analyse and understand your digital device, and then postulate ways in which to acquire evidence from this device. Part of your write-up should explain where and how evidence is stored on your device.
You should:
• Provide an overview of the digital device you have been assigned. This overview should focus on the hardware capabilities, and summarise the most important parts in relation to an acquisition of evidence
• Identify what kind of acquisition you can perform. This should be informed by your research and should be one of
o Full physical
o Logical
o Part-image
o Manual
• Justify why you believe this acquisition technique is the most appropriate for your specific device. This justification should be informed by your research into the device.
• Identify and justify which tools you would use to obtain evidence from this device.
• Identify how you uphold the ACPO good practice guide principles. Do not repeat the principles here, this should be about YOU and obtaining evidence from your device. Essentially, you should tell me how you would apply the ACPO good practice guide.
• Identify any evidence artefacts you can obtain from your digital device.
• Explain and justify why those artefacts would be useful in prosecuting a crime.

Performing an Investigation Using Autopsy
You will need to keep contemporaneous notes as you are performing this investigation. You will be reminded to keep your notes at the beginning of the investigation, but towards the end you will not be reminded. Your notes should demonstrate your thought process, your decisions, your actions and your results and should be an open and transparent reflection of your investigation. You may use any tools at your disposal for keeping your contemporaneous notes. For example, you may use QCC Forensic Casenotes (available as a free download) or Microsoft Word.

Read all instructions carefully. This work sheet is set up so that it tells you what you are aiming to achieve before giving you the instructions on how to achieve it. Read through an entire section and understand the instructions before you attempt any of the work.

Part 1 - Creating the Case File
Aim: You have been provided with a copy of the chain of custody form. Check and update the form, and then create your Autopsy case with the provided details.

You will find the chain of custody form for this scenario on Blackboard. This chain of custody form contains all the information necessary to confirm that the files you have been provided with have not been tampered with: the hash values recorded on it must match the hashes Autopsy calculates when the image is added as a data source.
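The physical acquisition in the scenario (typically `dd if=/dev/sdX of=thumbdrive.dd bs=512 conv=noerror,sync`, taken behind a hardware write blocker) and the hash comparison the chain of custody form exists for are both easy to reason about in code. The following is an added example, not part of the CO4514 worksheet and not Autopsy's or dd's own code: it emulates dd's noerror,sync behaviour on a constructed device with one unreadable sector, hashes the resulting image in chunks, and checks the image against the values recorded on a custody form. The FakeDevice class, the 512-byte sector size and the sample data are assumptions of the example.

```python
"""Added example (not from the CO4514 worksheet): dd-style acquisition with
conv=noerror,sync semantics, followed by chain-of-custody hash verification."""
import hashlib

SECTOR = 512  # assumption: 512-byte sectors, as on a typical thumb drive


class FakeDevice:
    """Stands in for /dev/sdX. Sectors listed in bad_sectors raise IOError,
    mimicking a physically unreadable sector on the stick."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, lba):
        if lba in self.bad:
            raise IOError(f"I/O error reading LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def acquire(device):
    """Read every sector in order. On a read error, write a zero-filled sector
    in its place and log the LBA (what dd conv=noerror,sync does), so the image
    keeps its sector offsets and the contemporaneous notes can list bad sectors.
    Returns (image_bytes, list_of_unreadable_lbas)."""
    image = bytearray()
    errors = []
    for lba in range(device.sector_count):
        try:
            chunk = device.read_sector(lba)
        except IOError:
            chunk = b""
            errors.append(lba)
        image += chunk.ljust(SECTOR, b"\x00")  # sync: pad short/failed reads
    return bytes(image), errors


def hash_image(data, algos=("md5", "sha256")):
    """Hash the image in 1 MiB chunks so a multi-GB image is never held twice
    in memory. Two algorithms are recorded because MD5 alone is collision-prone."""
    hashers = {a: hashlib.new(a) for a in algos}
    view = memoryview(data)
    for off in range(0, len(view), 1 << 20):
        block = view[off:off + (1 << 20)]
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_against_custody(data, recorded):
    """True only if every hash written on the chain-of-custody form matches
    the hash recalculated from the image now in front of the examiner."""
    actual = hash_image(data, tuple(recorded))
    return all(actual[a] == recorded[a].lower() for a in recorded)


def demo():
    # Constructed sample: 8 sectors of patterned data, LBA 2 unreadable.
    raw = b"".join(bytes([i]) * SECTOR for i in range(8))
    dev = FakeDevice(raw, bad_sectors=[2])
    image, errors = acquire(dev)
    hashes = hash_image(image)
    return image, errors, hashes


if __name__ == "__main__":
    img, errs, hs = demo()
    print(f"acquired {len(img)} bytes, unreadable sectors: {errs}")
    for algo, digest in hs.items():
        print(f"{algo}: {digest}")
    print("custody check:", verify_against_custody(img, hs))
```

The unreadable-sector list is the detail worth carrying into the notes and the report: a zero-filled sector in the image is indistinguishable from a genuinely empty one unless the acquisition log says it was unreadable.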

Part 2 - Initial Survey
Aim: To perform an initial survey of the evidence, get a good idea of the kind of evidence you will be exposed to, and develop any intelligence about how the investigation might proceed.

The IDIP (Integrated Digital Investigation Process) model suggests that we perform an initial survey of the evidence. The purpose is to understand what we are looking at and to gather any intelligence that will shape the rest of the investigation.

2.1 Write down a list of keywords that you think are relevant to this investigation. Use your imagination and don't yet consult with the digital evidence. Re-read the investigative scenario to try and understand what kind of evidence might be discovered.
In reality, you would probably be told a keyword list by the person in charge, or by the person who is commissioning your investigation. However, it is a useful exercise to try to think of relevant keywords that may help you to discover relevant digital evidence.

2.2 Create a keyword list within Autopsy that contains all of the keywords you have identified above. Instructions to do this follow.
2.2.1 Click the "Keyword List" button on the top right hand side of the Autopsy screen.

2.2.2 Click "Manage Lists" when the window pops up
2.2.3 Click the ‘New List' button
2.2.4 Enter "ISIC Card Counterfeiting" as the list name
2.2.5 Ensure 'ISIC Card Counterfeiting' is selected
2.2.6 Select the 'New Keywords' button
2.2.7 Enter the first keyword you identified in 2.1
2.2.8 Select "Substring Match"
Note: You can choose to match the entire string or a part of it; to maximise the number of results I have chosen 'substring match', but if you want to limit the number of results you should choose 'exact match'. If you have a regular expression then select 'regular expression'.
2.2.9 Click OK
2.2.10 Enter the rest of your keywords
Note: You can actually enter them all at once and don't need to keep clicking "add new keyword". Just put each keyword on a new line within the new keyword form.
2.2.11 Once you have entered all of your keywords, click OK to close the keyword list manager
2.2.12 Run the search facility again to search for the keywords you have just entered.
The keyword list search facility is actually an ingest module that was run when we first added the evidence, so we need to run it again now that the list exists. The "ISIC Card Counterfeiting" list is now saved, and could be run immediately if we ever have to perform another investigation into ISIC card counterfeiting.
2.2.13 Select Tools->Run Ingest Modules->thumbdrive.dd from the main menu
2.2.14 De-select all of the ingest modules apart from the "Keyword Search" module
2.2.15 Click the "Keyword Search" module in the list to show its settings
2.2.16 Ensure "ISIC Card Counterfeiting" is ticked (you can keep the other lists ticked too if you want)
2.2.17 Click 'Finish'
This will now run the search facility using the keyword list you've entered.
2.2.18 In the "Keyword Hits" tree viewer, expand the "ISIC Card Counterfeiting" option to see all of the search results from your keywords.
2.2.19 Don't spend too much time analysing the search results. Look at them and identify anything that needs to be followed up. This might include individual files that you need to examine more closely, new keywords that have become apparent, and bits of technology that you need to understand better before you continue the investigation.
This last one, "bits of technology", is where a deeper and more thorough investigation becomes apparent. It is beyond this module, and is the reason why the evidence files we are using are so small and simple. A digital forensic investigator might have deep knowledge of many different types of data file; for example, they might understand that a Word document is a container (an OLE compound file for .doc, a ZIP archive for .docx), that is, a single file holding its own miniature file system, and that deleted or embedded content can survive inside it. This level of knowledge takes years to build up, and is what makes an 'experienced' digital forensic investigator.

2.3 Check and record the file system details for the evidence file
2.3.1 Click on the "Data Sources" item in the tree viewer window, select the image, and record the file system type, sector size and partition layout in your notes.
2.4 Have a quick look around the file system
The last part of the initial survey is to look at the file system and to identify any files that may be relevant to the investigation; and to consider whether or not any further permission/authorisation is required before the investigation can continue.

Part 3 - Documentation Phase
Aim: To ensure the correct documentation is used or maintained.

The initial survey phase will have given you some intelligence about your investigation; and this is a good moment to pause and make sure that you have the correct documentation available and maintained.

The initial survey phase should have revealed to you that there are some files which are immediately and obviously relevant to the investigation scenario. These files include some graphics files and a Word document (if you aren't sure what these files are, you should go back and complete the last step of the survey phase).

It is at this point that an investigator would start reaching for their standard operating procedures (SOPs) that relate to image files and Word documents. You probably don't have these, so you won't be able to follow these SOPs (this worksheet will have to suffice for now). The SOPs would normally combine to produce an auditable series of steps as well as a guide for the investigator. They also support ACPO principle 3, which requires that an audit trail of your actions be kept so that an independent third party could repeat them and reach the same result.

Creation of these audit forms / SOPs is a long and complicated task that requires testing and verification. (Note: the forensic science regulator has recently stipulated new rules relating to verification of digital evidence). Creation of these SOPs is the ‘science' behind a forensic investigation (or at least it is supposed to be). We are not going to spend lots of time creating SOPs on this module; which means there may be a gap in your documentation. Unit 10 will deal with the science behind forensic computing investigations.

You should already have updated your chain of custody form; but if you haven't done then you should take this opportunity to make sure that it is updated now.

Your contemporaneous notes should have been kept up to date as you have moved through this worksheet. If you haven't then you should update them now before you forget everything.

It is also worth reviewing your original instructions to ensure that you have understood what is expected of you; and to ensure that you understand what you have to do. The initial survey phase will have provided you with some intelligence about what you are about to find - is all of it related to your investigation instructions? Do you have the correct authorisation to proceed with your investigation? Not having the correct authorisation may mean that you are breaking the law during this investigation. Might you interfere with someone's privacy in any way? If you might then you should think through the proportionality and necessity of your actions and record your thoughts in your notes.

Phase 4 - Search for Digital Evidence
Aim: to locate and interpret the relevant digital evidence.
4.1 Look at your keyword list results.
One of the keywords I searched for was "ISIC"; and here are the search results.

This tells me that there is a scan of an ISIC card stored on this thumb drive. This scan seems entirely relevant to an investigation into counterfeit ISIC cards, so I'm going to add a bookmark.
4.2 Add a bookmark to this file
To add a bookmark, right click on the file in the results viewer and select Tag File->Quick Tag-> Bookmark
Note: there aren't many files in this evidence pack; however if there were as many files as in a typical digital investigation then this would be one of hundreds of thousands of files, and bookmarking files means you can quickly return to interesting files later.
4.3 Examine the rest of your search results. Bookmark anything that is relevant to your investigation.
As part of your examination, you aren't just looking to see if something is relevant, you are also looking to determine whether or not there are any ‘new' keywords that you might like to use in a search. If new keywords are identified then you should note these in your notes, and collate them somewhere so that you can search for them en-masse. A good time to do that would be immediately after you have examined all of your search results.

4.4 Within the tree viewer window, examine the results of the ingest modules.
This investigation doesn't have much evidence, so there won't be many ingest module results - other investigations may have significantly more.
4.4.1 Click the File Types item in the tree viewer. Expand it, and look at all of the identified files.

Navigate around these files, is there anything of interest? Bookmark anything interesting, and keep a record of your investigation in your case notes.

The image might look entirely innocent, but that is because it is actually hiding something due to the way the document is formatted. If I were looking at this in Autopsy it might not be apparent that anything was being hidden. Knowing that someone is trying to hide something can be just as important as knowing what is hidden.
To discover what is hidden, place your cursor at the end of the paragraph before the image (where it says "following image.") and then press the ENTER key five times.
This is a good way of hiding information, but it is only an example; it did not come from the evidence file, so do not report it in your results.

You should have generated further investigative leads during this examination. For example, you should have found examples of more keywords to search for.

Now is the time to go and check out these further investigative leads. Don't forget to update your notes.

The keywords we identified earlier are actually very useful, but this may not be instantly obvious.

If you have gone back and searched further, you should have used the keyword 'Sheetal'. The search results should come back with a hit in unallocated space rather than in a file.
This data is stored on a part of the thumb drive that a typical user cannot reach through the file system: it lies within the first 63 sectors of the disk, in the gap between the MBR in sector 0 and the start of the first partition. That gap belongs to no partition and is therefore never written by the file system. This in itself tells you that the owner of the thumb drive either:
Had a different file system there previously (and this is a remnant of that previous file system), or
Has used tools to hide information on purpose.

This document tells us several really interesting things.

Sheetal Harris owes £12.50
Alfred Gimigu owes £12.50
Farayi Dzichauya owes £1000 because the pass is used on his blog

Sheetal Harris - the name of the woman on the ISIC card? Possibly.
Alfred Gimigu - the name of the young man on the ISIC card? Possibly.
Farayi Dzichauya - this is the same first name as the person who is being investigated. Has a mistake been made? Was Farayi too quick to own up as the counterfeiter? Was he actually being blackmailed because he used his card on his blog? This is an investigative lead that needs to be followed.

Note: I used a data-hiding technique to record this information. I wrote it into a disk sector outside the normal "usable" range of a disk partition. On MBR-partitioned media laid out with the legacy CHS convention, the first partition starts at sector 63, so sectors 1 to 62 belong to no partition and are never touched by the file system; anyone who knows this can write there with nothing more than a hex editor (or dd with seek=). Do not assume the gap is always 62 sectors: tools that align the first partition at sector 2048 leave a much larger one, so read the partition table and check everything before the first partition's start LBA.
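Autopsy reports the 'Sheetal' hit in unallocated space because the sector holding it lies before the first partition. The following added example (not part of the worksheet; the image, names and amounts are constructed for illustration) builds a 128-sector thumb-drive image with an MBR whose only partition starts at LBA 63, writes a note into sector 5 the way a hex editor would, and then runs a keyword search over the raw image, reporting each hit's byte offset, LBA and whether it lies inside a partition or in the MBR gap. It goes a little beyond the worksheet in also accepting regular expressions, which is what Autopsy's 'regular expression' option does for a keyword.

```python
"""Added example (not from the CO4514 worksheet): a constructed MBR image with
data hidden in the gap before the first partition, and a raw keyword search
that reports where on the disk each hit lives."""
import re
import struct

SECTOR = 512  # assumption: 512-byte sectors


def build_mbr(part_start_lba, part_sectors, part_type=0x0B):
    """Minimal MBR: empty bootstrap area, one partition entry, 0x55AA signature.
    CHS fields are 0xFE 0xFF 0xFF placeholders; modern tools use the LBA fields."""
    entry = struct.pack("<BBBBBBBBII",
                        0x00,               # boot indicator: not bootable
                        0xFE, 0xFF, 0xFF,   # CHS start (placeholder)
                        part_type,          # 0x0B = FAT32
                        0xFE, 0xFF, 0xFF,   # CHS end (placeholder)
                        part_start_lba, part_sectors)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xAA"


def parse_partitions(image):
    """Return [(start_lba, size_sectors, type)] for the used MBR slots."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and size != 0:
            parts.append((start, size, ptype))
    return parts


def locate(lba, parts):
    """Classify a sector: inside a partition, in the gap before the first
    partition (the 'first 63 sectors' of the worksheet), or other slack."""
    for start, size, _ in parts:
        if start <= lba < start + size:
            return f"partition@{start}"
    if parts and lba < min(p[0] for p in parts):
        return "mbr-gap"
    return "unpartitioned"


def keyword_search(image, keywords, parts, regex=False):
    """Case-insensitive substring (or regex) search over the raw bytes, the way
    an Autopsy keyword list is run over unallocated space as well as files.
    Returns one (keyword, byte_offset, lba, location) tuple per hit."""
    hits = []
    for kw in keywords:
        pattern = kw.encode() if regex else re.escape(kw.encode())
        for m in re.finditer(pattern, image, re.IGNORECASE):
            lba = m.start() // SECTOR
            hits.append((kw, m.start(), lba, locate(lba, parts)))
    return hits


def build_sample_image():
    """128-sector image: MBR at LBA 0, partition from LBA 63, note hidden at LBA 5."""
    total, part_start = 128, 63
    img = bytearray(total * SECTOR)
    img[0:SECTOR] = build_mbr(part_start, total - part_start)
    # Something an ordinary file-system write would leave inside the partition.
    body = b"Farayi's blog post about student discounts\n"
    off = part_start * SECTOR + 1024
    img[off:off + len(body)] = body
    # Hidden note written straight to sector 5 (dd seek=5, or a hex editor).
    note = b"Sheetal Harris owes 12.50\nAlfred Gimigu owes 12.50\n"
    img[5 * SECTOR:5 * SECTOR + len(note)] = note
    return bytes(img)


def demo():
    image = build_sample_image()
    parts = parse_partitions(image)
    names = keyword_search(image, ["Sheetal", "Farayi"], parts)
    amounts = keyword_search(image, [r"\d+\.\d{2}"], parts, regex=True)
    return parts, names, amounts


if __name__ == "__main__":
    parts, names, amounts = demo()
    print("partitions:", parts)
    for kw, off, lba, where in names + amounts:
        print(f"{kw!r}: offset {off}, LBA {lba}, {where}")
```

The location column is the investigative point: a hit at LBA 5 cannot have been written by the FAT file system, so it is either a remnant of an earlier layout or something put there deliberately, exactly the two possibilities listed above.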

Phase 5 - Reconstructing the Evidence

In this instance all of the evidence is located on a USB pen drive; and further analysis isn't possible without further evidence.

These files were created or copied onto the USB pen drive by a computer somewhere. Further investigation may include seizing Farayi's home computer, which will hold a record of any USB devices that have been connected to it (on Windows, for example, the USBSTOR keys in the SYSTEM registry hive and the setupapi.dev.log file record the vendor, product and serial number of each USB storage device, which can be matched against the seized stick). Investigating this computer may reveal much more useful evidence; it may also allow us to reconstruct the activities that caused these files to exist.

Phase 6 - Preparing Documents

Aim: To present the evidence in an appropriate format

Download the file "unit 09 - report template.docx" from Blackboard. I have already filled in a lot of the information for you, but you should carefully read through and see what is there and try to understand why it is there.

When you are writing a report like this you must very carefully consider who you are writing it for. In this instance you are writing a report that may be used by a legal team, by a judge, or it may contain evidence that may be used to explain things to a jury. This is a very broad range of people that you are writing for, and as such you should use very easy to understand language and use numbers to cross reference as much as possible. Try not to use language that can be misinterpreted.

This part of the worksheet will have you filling in the gaps in the report template. As you make progress the line numbers may change - so the line numbers I refer to in this section are the original line numbers.

Where you have to add some information, don't feel as though you have to use a single line number. You can add multiple line numbers, as you see fit.

On page 1 change the name of the author and add your qualifications.

In section 1.2 you should add the details of any other exhibits you have created during the investigation of this evidence. For example, you should make it clear that you have contemporaneous notes and a chain of custody document.

In section 1.2 you should have two separate lines for your chain of custody and contemporaneous notes. You will need to add 1.3. This is an example of where you may add extra lines.

In section 3.4 you should add the MD5 value of the image file, as recorded on the chain of custody form and as recalculated by Autopsy when the data source was added. If a SHA-256 is also available, record it alongside: MD5 collisions can be constructed, and a second hash from a different algorithm makes an undetected substitution far harder.

Section 4 is about the evidence related to counterfeiting the ISIC cards. You should provide as much information as is necessary to explain the evidence that you have found. This should be extremely clear and very descriptive. For example, you should explain the nature of the image files you have found; you should export these files and include them in the appendix, and you should provide the filename and path. It might be useful to provide the MD5 for each of these files.

Be careful about your language. All you are doing here is reporting on facts - you are not advocating or providing an opinion on guilt. You must not take sides and must be seen to be unbiased.

Section 5 is about the evidence relating to whether or not Farayi knew his actions were illegal. Don't forget, just because you are asked the question doesn't mean that you will always be able to find the answer (in this instance, the answer should be found).

Section 6 is about the names of the suspect's customers. There is an interesting problem in this section.

Section 7 is where you summarise and provide your opinion. Don't forget, you aren't providing an opinion about somebody's guilt or innocence - your opinion is about the digital evidence, and only the digital evidence.

Remember - you are not a witness to a fact; you didn't see Farayi create the counterfeit ISIC cards, so you shouldn't say that you think he created them. However, using your expertise in computer forensic investigations and the forensic software, you have been able to discover evidence on the USB thumb drive that suggests ISIC cards have been counterfeited.

The appendices are where you might put copies of the image files and documents. It would be normal for you to export these and burn them onto a CD-ROM or other storage device, and in the process create a new exhibit. However, for the purpose of this example (and the assignment) you should include them in the appendix (unless you want to create a new exhibit and burn a CD-ROM).

Attachment: Digital Forensic Technology.rar


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd