Computer Forensics: Tools and Techniques for Digital Investigation
Added on 2023/06/03
AI Summary
This article discusses computer forensics and the tools used for digital investigation such as FTK Imager, Autopsy, and OSForensics. It provides step-by-step instructions for installing and using these tools, as well as an overview of their features and uses. The article also covers the importance of computer forensics in investigating crimes involving computers.
Computer Forensics
Executive Summary
Clown content was accessed by a computer in the workplace. The computer was seized and is investigated. The investigators look for clown content in the forensic image, and forensic tools are used to search the image for it. For this, it is verified that the clown content is owned by and was accessed from that particular computer, and it is proved that the crime has been committed. The analysis covers identification, intent and quantity of files. The forensic tools used are Forensic Toolkit (FTK) Imager, Autopsy and OSForensics. The installation procedure for each forensic tool is described, and the file analysis is carried out using the tools. A justification is provided for each analysis, and the results of each analysis are shown through screenshots. The content relating to the offence is presented. The events are analyzed and a timeline is created for them. Running sheets are also developed for the forensic tools and the investigation.
Table of Contents
1. Introduction
2. Resources and Strategies
3. Progress
3.1 Presentation of content relating to offence
3.2 Identification
3.3 Intent
3.4 Quantity of Files
3.5 Installed Software
4. Conclusion
5. References
Appendix A – Running Sheet
Appendix B – Timeline of Events
1. Introduction
Computer forensics is also known as digital forensics. In this computer age, many crimes involve computers. Computer forensics is used to find deleted files, passwords and illegal content on a computer. A forensic image may be a copy of a hard disk, CD, DVD, etc. The given forensic image will be investigated using appropriate tools, and the analysis of the forensic image will be carried out (Al-Hadadi & AlShidhani, 2013). The forensic tools used for the investigation will be installed and explained in detail. The investigation will be carried out and a justification will be given for every action taken in it (Bodden, n.d.).
2. Resources and Strategies
The resources required for the investigation are Autopsy, OSForensics and FTK Imager. The suspects and a system are also needed (Boddington, 2016). The tools used are explained below.
FTK Imager
Many investigation tools are used in computer forensics, and FTK Imager is one of them (Brinson, Robinson & Rogers, 2006). FTK stands for Forensic Toolkit. FTK Imager is used for analyzing mail and looking for specific characters. The components of FTK are the Password Recovery Toolkit, License Manager, Forensic Toolkit, FTK Imager and Registry Viewer (Verolme & Mieremet, 2017).
The License Manager component is used to remove licenses from or add licenses to the dongle, and to purchase additional licenses. It also renews the subscription and downloads product updates (Caloyannides & Caloyannides, 2004). To access the License Manager component in FTK, go to Start > All Programs > AccessData > License Manager > License Manager.
The Password Recovery Toolkit is used to crack passwords. The Registry Viewer component provides access to protected areas of the registry. These protected areas contain forensic data (Carbone, 2014). They cannot be accessed by Windows
Regedit. The Registry Viewer may show browser history, recently accessed file lists, the installed programs list, usernames and passwords (Carlton & Matsumoto, 2011).
FTK Imager is used for making a copy of a hard drive, thumb drive, CD, etc. FTK Imager then scans the hard drive, thumb drive or CD and looks for different kinds of data or information, for example locating deleted files or emails and cracking encryption (Carlton & Worthley, 2010).
Installation of FTK Imager
The installation of FTK Imager is explained in detail below.
Step 1: After downloading AccessData FTK Imager, install it on the system. Right-click AccessData FTK Imager and select ‘Run as administrator’ (Casey, 2015). The ‘Welcome to the InstallShield Wizard for AccessData FTK Imager’ screen then appears. Click ‘Next’ (Cohen, 2011).
Step 2: Then select ‘I accept the terms in the license agreement’ and click ‘Next’.
Step 3: Then select the destination folder for AccessData FTK Imager by clicking the ‘Change’ option. After changing the destination folder, click ‘Next’ (Cohen, 2012).
Step 4: Click ‘Install’ to begin the installation of AccessData FTK Imager (Computer forensics, 2010).
Step 5: The installation starts. It is shown in the figure below.
Step 6: The screenshot below shows the installation of FTK Imager in progress.
Step 7: AccessData FTK Imager is successfully installed. After the installation, click ‘Finish’.
Step 8: The screenshot below shows the FTK Imager screen. It contains the Evidence Tree, File List, Properties (Custom Content Sources) and Viewer.
The menu bar in FTK Imager has four items: the File menu, View menu, Mode menu and Help menu (Dale & Becker, 2007). The File menu provides access to all the features in the toolbar. The View menu customizes the appearance of FTK Imager. The Mode menu is used for mode selection. The Help menu provides access to the FTK Imager user guide (Wang, Xue, Zheng, Liu & Li, 2012).
Uses of FTK Imager
The uses of FTK Imager are listed below.
FTK Imager is used to create copies of DVDs, CDs, folders, files, hard drives, etc. Such a copy is called a ‘forensic image’ (Djozan, Baheri, Karimian & Shahidi, 2008).
Folders and files can be exported from the forensic image using FTK Imager.
The hash functions in FTK Imager are used to create hashes of files. The available hash functions are SHA-1 and MD5 ("Forensics - cred or crud?", 2005).
The files and folders, as well as the contents of the forensic image, can be previewed.
The image can be mounted for a read-only view.
Deleted files can be recovered and viewed even after they have been deleted from the recycle bin.
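The hashes mentioned in the list above are what allow an examiner to show that a forensic image has not changed between acquisition and analysis. The following is an added example, not part of the original report and not FTK Imager's own code: it computes MD5 and SHA-1 in a single pass and re-verifies them, using a constructed stand-in file and hypothetical function names.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat even for multi-GB images


def hash_image(path, algorithms=("md5", "sha1")):
    """Read the image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.

    `recorded` maps algorithm name to hex digest, for example the values
    copied from the imaging tool's summary into the running sheet.
    Returns (ok, report).
    """
    current = hash_image(path, tuple(recorded))
    report = {}
    for name, expected in recorded.items():
        expected = expected.strip().lower()  # tolerate upper-case or padded notes
        report[name] = {
            "expected": expected,
            "actual": current[name],
            "match": current[name] == expected,
        }
    # Every recorded algorithm must agree; a single mismatch means the copy changed.
    return all(entry["match"] for entry in report.values()), report


def demo():
    """Constructed stand-in for an image: verify it, flip one bit, verify again."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as image:
            # Constructed content, about 3.9 MB so that several chunks are read.
            image.write(b"constructed sample sector " * 150_000)
        recorded = hash_image(path)              # digests taken at acquisition time
        ok_before, _ = verify_image(path, recorded)

        with open(path, "r+b") as image:         # simulate a single altered bit
            image.seek(2_000_000)
            original = image.read(1)
            image.seek(2_000_000)
            image.write(bytes([original[0] ^ 0x01]))
        ok_after, report = verify_image(path, recorded)
        for name, entry in report.items():
            print(f"{name}: expected {entry['expected']} got {entry['actual']}")
        return ok_before, ok_after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # (True, False)
```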
Autopsy
Autopsy is used in digital forensics to investigate what happened on a system. It is used by corporate examiners, the military and law enforcement (Hanji & Rajpurohit, 2013). It is a platform for digital forensics (Ieong, 2006). Forensic tools use Autopsy as a graphical user interface. Autopsy is also used to retrieve photos from memory cards. It is used to examine a mobile phone or a hard drive, and the evidence on that mobile phone or hard drive is then recovered from it (Young & Ortmeier, n.d.).
Autopsy is a free and cost-effective tool. It is also easy to install and use. Using Autopsy reduces the budget of a digital forensic investigation. Autopsy is multi-platform (Windows and UNIX).
Installation of Autopsy
The installation process of Autopsy is shown step by step below.
Step 1: After downloading Autopsy, install it on the system. Right-click Autopsy and select ‘Install’. The ‘Welcome to the Autopsy Setup Wizard’ screen then appears (Kessler, 2007). Click ‘Next’.
Step 2: Then select the installation folder for Autopsy by clicking the ‘Browse’ option. After changing the installation folder, click ‘Next’ (Kessler & Schirling, 2006).
Step 3: Click ‘Install’ to begin the installation of Autopsy.
Step 4: The installation of Autopsy starts. It is shown in the figure below.
Step 5: The screenshot below shows the installation of Autopsy in progress.
Step 6: The installation is completed. Click ‘Finish’
Step 7: Open Autopsy.
Step 8: Create a New Case for investigation.
Autopsy has the following features.
Keyword search – used to find specific words or terms in files, and also to find expression patterns (Kruse & Heiser, 2008)
Timeline analysis – system events are displayed, which is useful for identifying activities
Media playback – used to view images and videos
File type sorting – files are sorted according to their type
Email analysis – messages in MBOX format are parsed
Multi-user cases – allows multiple users to examine large cases
Thumbnail viewer – thumbnails of images are displayed
Web artefacts – used to extract the user’s web activity
Android support – supports extraction of data from call logs, contacts and SMS
File type detection – based on the file’s signature, with detection of extension mismatches (Larson, 2014)
Hash set filtering – known good files are filtered out and known bad files are flagged
Tags – files are tagged with tag names (Law, Chow & Mai, 2014)
OSForensics
It is a powerful forensics tool. It is used to discover, identify and manage the evidence found on computers and digital storage devices ("OSForensics", 2018). It consists of a collection of modules, which are used to simplify these tasks ("OSForensics - Digital investigation for a new era by PassMark Software®", 2018).
Installation of OSForensics
The installation of the OSForensics tool is explained step by step below.
Step 1: The OSForensics Downloader is used to download the OSForensics tool. First, select the desired language and choose the location where the program will be installed on the system. Then click ‘Next’ (Le-Khac, Jacobs, Nijhoff, Bertens & Choo, 2018).
Step 2: Click ‘Decline’
Step 3: Click ‘Decline’
Step 4: The download of OSForensics starts.
Step 5: The download is completed. Click ‘Finish’.
Step 6: The window below then appears. Click ‘Install Now’.
Step 7: The ‘Welcome to the OSForensics Setup Wizard’ screen shown below then appears. Click ‘Next’.
Step 8: In the wizard below, select ‘I accept the terms in the license agreement’ and click ‘Next’.
Step 9: Choose the destination location for OSForensics and click ‘Next’.
Step 10: Select the Start menu folder by clicking ‘Browse’ and then click ‘Next’.
Step 11: Click ‘Next’.
Step 12: Click ‘Install’ to install OSForensics on the computer system.
Step 13: The installation of OSForensics begins.
Step 14: The installation of OSForensics is in progress. It is shown in the screenshot below.
Step 15: Click ‘Next’.
Step 16: The screenshot below shows the ‘Completing the OSForensics Setup Wizard’ screen. In that wizard, click ‘Finish’.
Step 17: Click ‘Continue Using Free version’.
Step 18: The screenshot below shows the home page of the OSForensics tool.
The start window lists the features, each with a brief description. The workflow navigation buttons are used to switch between multiple modules (Levy, Hipp, Balis & Yagi, 2012), which allows forensic analysis operations to run in parallel. The workflow navigation buttons can be customized.
The features of OSForensics are listed below (Maras, 2015).
Case management – the results from all the modules are aggregated using this module.
The figure below shows the Case Management module.
Filename search – files or directories are searched by their name.
The figure below shows the File Name Search, which is under the File Searching & Indexing module (Marshall, 2009).
Mismatch search – files whose extension does not match their content are found.
The figure below shows the Mismatch File Search, which is under the File Searching & Indexing module (Meister & Chassanoff, 2014).
Deleted file search – deleted files are searched for and recovered from the drive.
The figure below shows the Deleted File Search, which is under the System Artifacts & Passwords module (Meyer, 2014).
Memory Viewer – digital evidence in volatile memory is collected and analyzed.
The figure below shows the Memory Viewer, which is under the Viewer module (Nelson, Phillips & Steuart, n.d.).
Recent Activity – the system is scanned for recent activities that are related to the evidence.
The figure below shows the Recent Activity, which is under the System Artifacts & Passwords module.
Indexing – text is searched for in the file contents.
The figure below shows the Indexing, which is under the File Searching & Indexing module (Petrisor, 2005).
Passwords – used for decrypting and recovering passwords from different kinds of sources.
The figure below shows the Passwords, which is under the System Artifacts & Passwords module.
File system browser – the devices in the case are displayed in a hierarchical fashion.
Web browser – provides a basic web viewer with forensics capabilities.
Registry Viewer – allows Windows registry hives to be viewed.
Raw disk viewer – used to display the raw contents of the disk sector by sector.
Email viewer – emails are browsed and analyzed with forensics capabilities.
The file system browser, web browser, registry viewer, raw disk viewer and email viewer are under the Viewer module. It is shown below (Petrisor, 2012).
Forensic imaging – the disk is copied into an image file, which can be restored.
The figure below shows the Forensic Imaging, which is under the Housekeeping module (Philipp, Cowen & Davis, 2010).
Hash sets – known safe files and suspected files are identified using this feature.
The figure below shows the Hash Sets, which is under the Hashing and File Identification module (Sadu, 2017).
System information – the system information is exported and viewed.
The figure below shows the System Information, which is under the System Artifacts & Passwords module (Sammons, 2015).
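Two of the features described above for both tools, extension/signature mismatch detection (Autopsy's file type detection, OSForensics' Mismatch search) and hash set filtering (Hash sets), can be illustrated together. The following is an added example, not code from Autopsy, OSForensics or the original report: the signature table is a small assumed subset, and the file contents, file names and hash sets are constructed for the demonstration.

```python
import hashlib
from pathlib import PurePosixPath

# (type, offset, magic bytes) for a few common formats; real tools ship far more.
SIGNATURES = [
    ("jpg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("mp4", 4, b"ftyp"),  # ISO media files: 4-byte box size, then "ftyp"
]
KNOWN_TYPES = {ftype for ftype, _, _ in SIGNATURES}
# Extensions that legitimately share a signature with another type.
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "m4v": "mp4",
               "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def detect_type(head):
    """Return the type whose magic bytes appear in `head`, or None."""
    for ftype, offset, magic in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return ftype
    return None


def declared_type(name):
    """Type promised by the file name's extension, normalised through aliases."""
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)


def examine(name, data, known_good=frozenset(), known_bad=frozenset()):
    """Classify one file by SHA-1 hash set membership and signature mismatch."""
    sha1 = hashlib.sha1(data).hexdigest()
    declared, detected = declared_type(name), detect_type(data[:16])
    # Mismatch: the content carries a known signature that disagrees with the
    # extension, or the extension promises a known type whose signature is absent.
    mismatch = (detected is not None or declared in KNOWN_TYPES) and detected != declared
    if sha1 in known_bad:
        status = "known_bad"
    elif sha1 in known_good:
        status = "known_good"
    else:
        status = "unknown"
    return {"name": name, "sha1": sha1, "declared": declared,
            "detected": detected, "mismatch": mismatch, "hash_status": status}


def triage(files, known_good=frozenset(), known_bad=frozenset()):
    """Filter out consistent known-good files; list known-bad first, then mismatches."""
    findings = [examine(n, d, known_good, known_bad) for n, d in files.items()]
    kept = [f for f in findings
            if not (f["hash_status"] == "known_good" and not f["mismatch"])]

    def priority(f):
        if f["hash_status"] == "known_bad":
            return 0
        return 1 if f["mismatch"] else 2

    return sorted(kept, key=lambda f: (priority(f), f["name"]))


def sample_case():
    """Constructed file contents and hash sets; none of this is real evidence."""
    files = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 constructed",
        "budget.txt": b"\xff\xd8\xff\xe1 constructed image renamed to .txt",
        "clip.mp4": b"\x00\x00\x00\x18ftypmp42 constructed",
        "readme.txt": b"plain text with no signature\n",
        "tool.pdf": b"%PDF-1.4 constructed",
        "scan.png": b"no png signature here",
    }
    known_good = {hashlib.sha1(files["clip.mp4"]).hexdigest()}
    known_bad = {hashlib.sha1(files["tool.pdf"]).hexdigest()}
    return files, known_good, known_bad


if __name__ == "__main__":
    for f in triage(*sample_case()):
        print(f"{f['name']:12} {f['hash_status']:10} declared={f['declared']!s:4} "
              f"detected={f['detected']!s:4} mismatch={f['mismatch']}")
```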
3. Progress
3.1 Presentation of content relating to offence
The forensic image of the hard drive is mounted on the system. Autopsy is used to investigate the disk image (Schweitzer, 2003). Once the disk image is added as a data source in Autopsy, its contents can be viewed. The contents available in the given disk image are shown below.
A jpg image is found during the investigation (Sealey, 2004). It is not a clown image; it is a flower image.
The clowns dancing mp4 file is also found in the disk image (Seckiner, Mallett, Roux, Meuwly & Maynard, 2018).
The jpg image kikki_clown_party_pose is found, which proves that the disk image contained a clown image (Taylor, Endicott-Popovsky & Frincke, 2007).
The kikki_clown_party_pose image is viewed. The device that made this image is a Canon, and its model is Canon EO5 100.
The EXIF metadata shows the size of the kikki_clown_party_pose image, which is 50304. However, there is no created date for this image (Tilstone, Savage & Clark, 2006).
The properties of the kikkii_clown_party_pose jpg image are shown below. They include the
source file, device model, device make, size, path and tags (Verolme & Mieremet, 2017).
The kikkii_clown_party_pose image appears in the recent documents, so it is verified that
the clown image was accessed from Clark’s computer.
The path, path ID, date/time, source file path and artifact ID of the
kikkii_clown_party_pose image are found. This clown image was recently accessed on 19-06-2018
at 05:20:06.
In the recent documents, another clown related item is found. It is a pdf named
‘A Little Night Music- Send In The Clowns’. It was also accessed on 19-06-2018, at
05:14:31. The path, path ID, source file path and artifact ID of the ‘A Little Night
Music- Send In The Clowns’ pdf are also found (Wang, Xue, Zheng, Liu & Li, 2012).
The mp4 file named ‘Clowns Dancing’ is also found in the recent documents. The
results for this document are shown below. This mp4 file was accessed on 18-06-2018 at 08:15:47.
The path, path ID, source file path and artifact ID of the ‘Clowns Dancing’ mp4 are also found
in the results (Young & Ortmeier, n.d.).
The indexed text of the ‘A Little Night Music –Send In The Clowns’ pdf is viewed. The
author of this pdf is ‘Addie’. The creation, last-modified and last-saved dates and times of this
pdf are found. The creation date and time is 20-04-2014, 18:52:01. The last-modified date and
time is 20-04-2014, 18:52:01.
Another clown image is found on the disk. It is a jpg image. The name of this clown
image is Ronald_mcdonald-e14762000032847-660x330.
The clown related image is found in the recent documents, so it is verified that
the user (Clark) recently accessed the clown image. The access date of the clown image is
18-06-2018 ("OSForensics", 2018).
The clown dancing video is found, so it is proved that Clark owned clown related
videos on his system.
A new clown image is found on the disk. This image was modified on June 18, 2018.
Clark accessed the clown image on June 19, 2018.
Another clown image is found. It is verified that Clark owned this image on his system.
In the given disk image, there are nine web bookmarks. Clark bookmarked
clown related content, so he definitely accessed clown related content.
The properties of the kikkii_clown_party_pose image are shown. They include the modified,
changed, accessed and created times of the image, and so on.
Clark owned four operating system user accounts. The usernames of those four
accounts are systemprofile, LocalService, NetworkService and computer.
The systemprofile user account was recently accessed by Clark.
There are two operating system information entries. One is the Windows_NT version.
In the disk image, there are 221 web cookies. The URL, access date and time, and name
are listed. Some of the web cookies found are .yahoo.com, .bitpay.com and .domdex.com.
The web downloads obtained from the disk image prove that Clark downloaded
the clown related images, videos and pdf from the internet. Six of the sixteen web
downloads are clown related.
As with the other details identified in the analysis, the user’s web history is also
found. In digital forensic evidence acquisition, the interrogators mainly focus on the
browsing history of the suspect, because it gives information about the suspect’s actions in
recent times. In the given hard disk evidence file there are more than 100 web history entries. The
interrogation results are described clearly in the image presented above. The results show that the
suspect browsed various websites through the Firefox browser ("OSForensics - Digital
investigation for a new era by PassMark Software®", 2018).
The keywords most often searched by the suspect are identified from his web searches.
In total, thirty-six keywords are searched. Most of the thirty-six keywords are about
clowns, clown costumes and poses. The suspect also recently used an online
video converter to convert a video format. The suspect may have used this to convert the video
found in the above task. He also used the keyword truecrypt. From the identified details, it is
clear that the suspect used the Firefox browser for his browsing.
The Encryption Suspected folder contains details about the encryption process carried out.
102 extension mismatches are detected.
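An extension mismatch means that a file's content signature does not agree with the type its extension claims. The following is an added example, not code from the report or from Autopsy: it shows the check in Python on constructed file headers, and the signature table, the alias table and the file names holiday_notes.txt, invoice.pdf, readme.txt and cut_off.jpg are assumptions made for illustration.

```python
"""Extension-mismatch check: compare a file's leading bytes with its extension.

Added illustration; the signature table and all sample data are constructed.
"""
from pathlib import PurePath

# (offset, magic bytes, canonical type). Only a handful of common formats.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"%PDF-", "pdf"),
    (4, b"ftyp", "mp4"),            # ISO base media: 4-byte box size, then "ftyp"
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"MZ", "exe"),
]

# Extensions that legitimately share a signature with a canonical type.
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "m4v": "mp4", "docx": "zip",
           "xlsx": "zip", "dll": "exe"}


def detect_type(header: bytes):
    """Return the canonical type whose magic bytes match, or None."""
    for offset, magic, ftype in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return ftype
    return None


def examine(name: str, header: bytes):
    """Return (verdict, claimed_ext, detected_type) for one file.

    verdict is "match", "mismatch", or "unknown" (no signature recognised,
    e.g. plain text, a truncated file, or headerless data).
    """
    ext = PurePath(name).suffix.lower().lstrip(".")
    claimed = ALIASES.get(ext, ext)
    detected = detect_type(header)
    if detected is None:
        return ("unknown", ext, None)
    verdict = "match" if claimed == detected else "mismatch"
    return (verdict, ext, detected)


def find_mismatches(entries):
    """Return [(name, claimed_ext, detected_type)] for every mismatch."""
    hits = []
    for name, header in entries:
        verdict, ext, detected = examine(name, header)
        if verdict == "mismatch":
            hits.append((name, ext, detected))
    return hits


# Constructed sample: file names from the report where available, headers
# written by hand (not read from the 182.dd image).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE = [
    ("kikkii_clown_party_pose.jpg", JPEG),
    ("Clowns dancing.mp4", b"\x00\x00\x00\x18ftypmp42"),
    ("A Little Night Music-Send In The Clowns.pdf", b"%PDF-1.4\n"),
    ("holiday_notes.txt", JPEG),                 # constructed: image renamed to .txt
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),      # constructed: executable named .pdf
    ("readme.txt", b"plain text, no magic"),     # constructed: no signature
    ("cut_off.jpg", b"\xff\xd8"),                # constructed: shorter than the magic
]

if __name__ == "__main__":
    for name, ext, detected in find_mismatches(SAMPLE):
        print(f"MISMATCH  {name!r}: extension .{ext}, content looks like {detected}")
```

A verdict of "unknown" is not a mismatch: it only means that no signature in the table matched, so such files need a separate review.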
Plenty of email addresses are found in the disk image.
In the suspect’s Gmail account there are three emails. One of them
contains details regarding the clown. This email was sent by the suspect to
jazzasimpson0000@gmail.com. The email was sent at 2018-07-02 (07:50:09 IST). This
evidence is against the suspect.
Further information found during the investigation is shown in the following screenshots.
3.2 Identification
That Clark accessed the clown content is proved by the web downloads obtained
from the forensic image of the disk. Clark bookmarked clown related content on a website.
So it is verified that Clark accesses clown related content frequently.
3.3 Intent
Clark accessed and downloaded the clown related content purposely. This is verified by
the web bookmarks and some of Clark's other activities.
3.4 Quantity of Files
Only a small number of files are found. More email addresses, web history entries and web
cookies are found. Images and videos are present. The installed programs and the recent
activity are also there.
3.5 Installed Software
Clark installed forty-two software programs on his system. There is no clown related software. However,
truecrypt and Mplayer2 may have been installed for watching the clown video and encrypting the clown
contents.
4. Conclusion
The given forensic image is investigated using appropriate tools, and the analysis of the
forensic image is done. The forensic tools used for the investigation are installed, and the
installation is explained in detail. The investigation is done, and justification is given for every
action taken in the investigation. The installation steps for the forensic tools are provided. In total,
four images are taken for the analysis. Three tools are chosen for the analysis of the unallocated
file format, and the investigation is made using these three tools. The results are added through
screenshots. The analyses of intent, identification and quantity of files are added. A
justification and summary are provided for each analysis, and screenshots are provided for each
and every analysis. In total, five issues are established in the project. The running
sheet and the timeline of the events are also provided.
5. References
Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case
Study. International Journal Of Computer And Electrical Engineering, 576-580. doi:
10.7763/ijcee.2013.v5.776
Bodden, V. Digital forensics.
Boddington, R. (2016). Practical Digital Forensics. Packt Publishing.
Brinson, A., Robinson, A., & Rogers, M. (2006). A cyber forensics ontology: Creating a new
approach to studying cyber forensics. Digital Investigation, 3, 37-43. doi:
10.1016/j.diin.2006.06.008
Caloyannides, M., & Caloyannides, M. (2004). Privacy protection and computer forensics.
Boston: Artech House.
Carbone, F. (2014). Computer forensics with FTK. Birmingham, United Kingdom: Packt Pub.
Carlton, G., & Matsumoto, J. (2011). A Survey of Contemporary Enterprise Storage
Technologies from a Digital Forensics Perspective. Journal Of Digital Forensics, Security
And Law. doi: 10.15394/jdfsl.2011.1100
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to
Measure the Characteristics of Forensic Computer Examiners. Journal Of Digital
Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1069
Casey, E. (2015). Smart home forensics. Digital Investigation, 13, A1-A2. doi:
10.1016/j.diin.2015.05.017
Cohen, F. (2011). A Case Study in Forensic Analysis of Control. Journal Of Digital Forensics,
Security And Law. doi: 10.15394/jdfsl.2011.1087
Page 58 of 68
Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case
Study. International Journal Of Computer And Electrical Engineering, 576-580. doi:
10.7763/ijcee.2013.v5.776
Bodden, V. Digital forensics.
Boddington, R. (2016). Practical Digital Forensics. Packt Publishing.
Brinson, A., Robinson, A., & Rogers, M. (2006). A cyber forensics ontology: Creating a new
approach to studying cyber forensics. Digital Investigation, 3, 37-43. doi:
10.1016/j.diin.2006.06.008
Caloyannides, M., & Caloyannides, M. (2004). Privacy protection and computer forensics.
Boston: Artech House.
Carbone, F. (2014). Computer forensics with FTK. Birmingham, United Kingdom: Packt Pub.
Carlton, G., & Matsumoto, J. (2011). A Survey of Contemporary Enterprise Storage
Technologies from a Digital Forensics Perspective. Journal Of Digital Forensics, Security
And Law. doi: 10.15394/jdfsl.2011.1100
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to
Measure the Characteristics of Forensic Computer Examiners. Journal Of Digital
Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1069
Casey, E. (2015). Smart home forensics. Digital Investigation, 13, A1-A2. doi:
10.1016/j.diin.2015.05.017
Cohen, F. (2011). A Case Study in Forensic Analysis of Control. Journal Of Digital Forensics,
Security And Law. doi: 10.15394/jdfsl.2011.1087
Page 58 of 68
Cohen, F. (2012). The Science of Digital Forensics: Recovery of Data from Overwritten Areas of
Magnetic Media. Journal Of Digital Forensics, Security And Law. doi:
10.15394/jdfsl.2012.1131
Course Technology Cengage Learning. (2010). Computer forensics. Clifton Park, NY.
Dale, W., & Becker, W. (2007). The crime scene. New York: Kaplan Pub.
Djozan, D., Baheri, T., Karimian, G., & Shahidi, M. (2008). Forensic discrimination of blue
ballpoint pen inks based on thin layer chromatography and image analysis. Forensic Science
International, 179(2-3), 199-205. doi: 10.1016/j.forsciint.2008.05.013
Forensics - cred or crud?. (2005). Digital Investigation, 2(4), 237-238. doi:
10.1016/j.diin.2005.11.003
Hanji, R., & Rajpurohit, V. (2013). Forensic Image Analysis - A Frame work. The International
Journal Of Forensic Computer Science, 8(1), 13-19. doi: 10.5769/j201301002
Ieong, R. (2006). FORZA – Digital forensics investigation framework that incorporate legal
issues. Digital Investigation, 3, 29-36. doi: 10.1016/j.diin.2006.06.004
Kessler, G. (2007). Book Review: Computer Forensics: Principles and Practices. Journal Of
Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2007.1027
Kessler, G., & Schirling, M. (2006). The Design of an Undergraduate Degree Program in
Computer & Digital Forensics. Journal Of Digital Forensics, Security And Law. doi:
10.15394/jdfsl.2006.1009
Kruse, W., & Heiser, J. (2008). Computer forensics. Boston: Addison-Wesley.
Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital
Forensics. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2014.1165
Law, F., Chow, K., & Mai, Y. (2014). Understanding Computer Forensics Requirements in
China via the “Panda Burning Incense” Virus Case. Journal Of Digital Forensics, Security
And Law. doi: 10.15394/jdfsl.2014.1170
Page 59 of 68
Magnetic Media. Journal Of Digital Forensics, Security And Law. doi:
10.15394/jdfsl.2012.1131
Course Technology Cengage Learning. (2010). Computer forensics. Clifton Park, NY.
Dale, W., & Becker, W. (2007). The crime scene. New York: Kaplan Pub.
Djozan, D., Baheri, T., Karimian, G., & Shahidi, M. (2008). Forensic discrimination of blue
ballpoint pen inks based on thin layer chromatography and image analysis. Forensic Science
International, 179(2-3), 199-205. doi: 10.1016/j.forsciint.2008.05.013
Forensics - cred or crud?. (2005). Digital Investigation, 2(4), 237-238. doi:
10.1016/j.diin.2005.11.003
Hanji, R., & Rajpurohit, V. (2013). Forensic Image Analysis - A Frame work. The International
Journal Of Forensic Computer Science, 8(1), 13-19. doi: 10.5769/j201301002
Ieong, R. (2006). FORZA – Digital forensics investigation framework that incorporate legal
issues. Digital Investigation, 3, 29-36. doi: 10.1016/j.diin.2006.06.004
Kessler, G. (2007). Book Review: Computer Forensics: Principles and Practices. Journal Of
Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2007.1027
Kessler, G., & Schirling, M. (2006). The Design of an Undergraduate Degree Program in
Computer & Digital Forensics. Journal Of Digital Forensics, Security And Law. doi:
10.15394/jdfsl.2006.1009
Kruse, W., & Heiser, J. (2008). Computer forensics. Boston: Addison-Wesley.
Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital
Forensics. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2014.1165
Law, F., Chow, K., & Mai, Y. (2014). Understanding Computer Forensics Requirements in
China via the “Panda Burning Incense” Virus Case. Journal Of Digital Forensics, Security
And Law. doi: 10.15394/jdfsl.2014.1170
Page 59 of 68
Le-Khac, N., Jacobs, D., Nijhoff, J., Bertens, K., & Choo, K. (2018). Smart vehicle forensics:
Challenges and case study. Future Generation Computer Systems. doi:
10.1016/j.future.2018.05.081
Levy, B., Hipp, J., Balis, U., & Yagi, Y. (2012). Potential Applications of Digital Pathology and
Image Analysis for Forensic Pathology. Academic Forensic Pathology, 2(1), 74-79. doi:
10.23907/2012.010
Maras, M. (2015). Computer forensics. Burlington, MA: Jones & Bartlett Learning.
Marshall, A. (2009). Digital Forensics. Chichester: John Wiley & Sons.
Meister, S., & Chassanoff, A. (2014). Integrating Digital Forensics Techniques into Curatorial
Tasks: A Case Study. International Journal Of Digital Curation, 9(2), 6-16. doi:
10.2218/ijdc.v9i2.325
Meyer, T. (2014). Careers in computer forensics. New York: Rosen Publishing.
Nelson, B., Phillips, A., & Steuart, C. Guide to computer forensics and investigations.
OSForensics. (2018). Retrieved from http://www.sirchie.com/osforensics.html
OSForensics - Digital investigation for a new era by PassMark Software®. (2018). Retrieved
from https://www.osforensics.com/
Petrisor, I. (2005). Sampling and Analyses—Key Steps of a Forensics
Investigation. Environmental Forensics, 6(1), 1-1. doi: 10.1080/15275920590913796
Petrisor, I. (2012). Emerging Environmental Forensics Applications and Case Studies: Review of
Environmental Forensics—Proceedings of the 2011 INEF Conference. Environmental
Forensics, 13(4), 285-288. doi: 10.1080/15275922.2012.738954
Philipp, A., Cowen, D., & Davis, C. (2010). Hacking exposed, computer forensics. New York:
McGraw-Hill.
Page 60 of 68
Challenges and case study. Future Generation Computer Systems. doi:
10.1016/j.future.2018.05.081
Levy, B., Hipp, J., Balis, U., & Yagi, Y. (2012). Potential Applications of Digital Pathology and
Image Analysis for Forensic Pathology. Academic Forensic Pathology, 2(1), 74-79. doi:
10.23907/2012.010
Maras, M. (2015). Computer forensics. Burlington, MA: Jones & Bartlett Learning.
Marshall, A. (2009). Digital Forensics. Chichester: John Wiley & Sons.
Meister, S., & Chassanoff, A. (2014). Integrating Digital Forensics Techniques into Curatorial
Tasks: A Case Study. International Journal Of Digital Curation, 9(2), 6-16. doi:
10.2218/ijdc.v9i2.325
Meyer, T. (2014). Careers in computer forensics. New York: Rosen Publishing.
Nelson, B., Phillips, A., & Steuart, C. Guide to computer forensics and investigations.
OSForensics. (2018). Retrieved from http://www.sirchie.com/osforensics.html
OSForensics - Digital investigation for a new era by PassMark Software®. (2018). Retrieved
from https://www.osforensics.com/
Petrisor, I. (2005). Sampling and Analyses—Key Steps of a Forensics
Investigation. Environmental Forensics, 6(1), 1-1. doi: 10.1080/15275920590913796
Petrisor, I. (2012). Emerging Environmental Forensics Applications and Case Studies: Review of
Environmental Forensics—Proceedings of the 2011 INEF Conference. Environmental
Forensics, 13(4), 285-288. doi: 10.1080/15275922.2012.738954
Philipp, A., Cowen, D., & Davis, C. (2010). Hacking exposed, computer forensics. New York:
McGraw-Hill.
Page 60 of 68
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Sadu, I. (2017). Digital Forensics in the Audit of Public Private Partnerships - A Case
Study. Forensic Research & Criminology International Journal, 4(6). doi:
10.15406/frcij.2017.04.00138
Sammons, J. (2015). The basics of digital forensics. Amsterdam: Syngress Media.
Schweitzer, D. (2003). Incident response. Indianapolis: Wiley.
Sealey, P. (2004). Remote forensics. Digital Investigation, 1(4), 261-265. doi:
10.1016/j.diin.2004.11.002
Seckiner, D., Mallett, X., Roux, C., Meuwly, D., & Maynard, P. (2018). Forensic image analysis
– CCTV distortion and artefacts. Forensic Science International, 285, 77-85. doi:
10.1016/j.forsciint.2018.01.024
Taylor, C., Endicott-Popovsky, B., & Frincke, D. (2007). Specifying digital forensics: A
forensics policy approach. Digital Investigation, 4, 101-104. doi: 10.1016/j.diin.2007.06.006
Tilstone, W., Savage, K., & Clark, L. (2006). Forensic science. Santa Barbara, Calif.: ABC-
CLIO.
Verolme, E., & Mieremet, A. (2017). Application of forensic image analysis in accident
investigations. Forensic Science International, 278, 137-147. doi:
10.1016/j.forsciint.2017.06.039
Wang, X., Xue, J., Zheng, Z., Liu, Z., & Li, N. (2012). Image forensic signature for content
authenticity analysis. Journal Of Visual Communication And Image Representation, 23(5),
782-797. doi: 10.1016/j.jvcir.2012.03.005
Young, T., & Ortmeier, P. Crime scene investigation.
Page 61 of 68
Study. Foresic Research & Criminology International Journal, 4(6). doi:
10.15406/frcij.2017.04.00138
Sammons, J. (2015). The basics of digital forensics. Amsterdam: Syngress Media.
Schweitzer, D. (2003). Incident response. Indianapolis: Wiley.
Sealey, P. (2004). Remote forensics. Digital Investigation, 1(4), 261-265. doi:
10.1016/j.diin.2004.11.002
Seckiner, D., Mallett, X., Roux, C., Meuwly, D., & Maynard, P. (2018). Forensic image analysis
– CCTV distortion and artefacts. Forensic Science International, 285, 77-85. doi:
10.1016/j.forsciint.2018.01.024
Taylor, C., Endicott-Popovsky, B., & Frincke, D. (2007). Specifying digital forensics: A
forensics policy approach. Digital Investigation, 4, 101-104. doi: 10.1016/j.diin.2007.06.006
Tilstone, W., Savage, K., & Clark, L. (2006). Forensic science. Santa Barbara, Calif.: ABC-
CLIO.
Verolme, E., & Mieremet, A. (2017). Application of forensic image analysis in accident
investigations. Forensic Science International, 278, 137-147. doi:
10.1016/j.forsciint.2017.06.039
Wang, X., Xue, J., Zheng, Z., Liu, Z., & Li, N. (2012). Image forensic signature for content
authenticity analysis. Journal Of Visual Communication And Image Representation, 23(5),
782-797. doi: 10.1016/j.jvcir.2012.03.005
Young, T., & Ortmeier, P. Crime scene investigation.
Page 61 of 68
Appendix A – Running Sheet
| Date/Time | Events | Duration |
|---|---|---|
| 17/10/2018 – 5:05 pm | Analyzing files from 182.dd in Autopsy. OUTCOME: The files in the 182.dd are loaded on the Autopsy | 50 minutes |
| 17/10/2018 – 6:00 pm | The jpg image is searched. OUTCOME: WelcomeScan.jpg is obtained | 5 minutes |
| 17/10/2018 – 6:07 pm | Mp4 file is searched. OUTCOME: Clowns dancing.mp4 is found | 10 minutes |
| 17/10/2018 – 6:20 pm | The jpg image is searched. OUTCOME: Kikkii_clown_party_pose.jpg is obtained | 5 minutes |
| 17/10/2018 – 6:27 pm | Kikkii_clown_party_pose.jpg properties are viewed. OUTCOME: Device make and model, size, path of the image is found. The user name ‘computer’ owned this image. | 5 minutes |
| 17/10/2018 – 6:35 pm | The clown related pdf is searched. OUTCOME: A Little Night Music-Send In The Clowns.pdf is found | 20 minutes |
| 17/10/2018 – 6:57 pm | The properties of A Little Night Music-Send In The Clowns.pdf is viewed. OUTCOME: The user account name of ‘computer’ is owned this pdf. | 3 minutes |
| 17/10/2018 – 7:03 pm | A Little Night Music-Send In The Clowns.pdf is analyzed. OUTCOME: It is downloaded by the username ‘computer’ | 6 minutes |
| 17/10/2018 – 7:11 pm | The jpg image is found. OUTCOME: Ronald_mcdonald-e14762000032847-660x330. | 5 minutes |
| 17/10/2018 – 7:18 pm | The jpg image is found. OUTCOME: Scary-halloween-custumes-ideas-Clown-blood-Halloween-party-custumes-e1410943909179.jpg is found | 4 minutes |
| 17/10/2018 – 7:28 pm | The jpg image is searched. OUTCOME: 1492447345937.jpg is found | 7 minutes |
| 17/10/2018 – 7:42 pm | Web bookmarks are analyzed. OUTCOME: The clown related bookmark is found. The illegal website https://theconversion.com which contains clown related concepts is found | 5 minutes |
| 17/10/2018 – 7:50 pm | The user accounts in the OS are searched. OUTCOME: Four active operating system users of systemprofile, LocalService, NetworkService and computer is found | 7 minutes |
| 17/10/2018 – 8:01 pm | Clown content is searched in the web cookies. OUTCOME: No clown related web cookies are found | 20 minutes |
| 7/10/2018 – 8:23 pm | The web download list is analyzed. OUTCOME: The clown related images, video and pdf are found | 10 minutes |
| 17/10/2018 – 8:35 pm | Web history and web search are analyzed. OUTCOME: The accessing of Clown related texts and truecrypt is verified | 20 minutes |
| 17/10/2018 – 8:57 pm | Encryption suspected folders are searched. OUTCOME: The clown contents are encrypted. This is found | 10 minutes |
| 17/10/2018 – 9:15 pm | The email addresses and email messages are searched. OUTCOME: The mail which contains clown content is found. | 25 minutes |
| 17/10/2018 – 9:42 pm | Users of the system is searched. OUTCOME: The suspect of the username computer is there. | 5 minutes |
| 17/10/2018 – 9:48 pm | The device attached to the system is analyzed. OUTCOME: There is no suspected items found. | 10 minutes |
Appendix B – Timeline of Events
| File name | File extension | Creation Date (yyyy/mm/dd) and Time (hr:min:sec) | Modification Date (yyyy/mm/dd) and Time (hr:min:sec) | How it is created and reason for creation |
|---|---|---|---|---|
| Clown dancing | .mp4 | 2018/06/16 at 8:15:41 | 2018/06/16 at 8:15:47 | The image was downloaded from the website. It is downloaded for owning and distributing purpose |
| Scaryclown | .jpg | 2018/06/18 at 5:50:04 | 2018/06/18 at 5:50:06 | The image was downloaded from the website. For owning, accessing and distributing, it is downloaded intentionally. |
| Scary-halloween-costumes-ideas-Clown-blood-halloween-party-costumes-e141094390179 | .jpg | 2018/06/18 at 5:51:54 | 2018/06/18 at 5:51:55 | The image was downloaded from the website. It is downloaded for owning and distributing purpose |
| 1492447345937 | .jpg | 2018/06/18 at 5:52:15 | 2018/06/18 at 5:52:15 | The image was downloaded from the website. It is downloaded for owning and distributing purpose |
| Web bookmark – The psychology behind why clowns creep us out. | | 2018/06/18 at 08:20:36 | | The bookmark is done on the webpage. It is made to access the clown related contents quickly. The reason for downloading is to know about psychology reasons about scaring clowns. |
A little night music –
Send in the clowns
.pdf
2018/06/19 at
5:14:24
2018/06/19 at
5:14:31
The Clark
downloaded this
pdf from the
website. The
reason for
Page 66 of 68
2018/06/16 at
8:15:41
2018/06/16 at
8:15:47
The image was
downloaded from
the website. It is
downloaded for
owning and
distributing
purpose
Scaryclown
.jpg
2018/06/18 at
5:50:04
2018/06/18 at
5:50:06
The image was
downloaded from
the website. For
owning,
accessing and
distributing, it is
downloaded
intentionally.
Scary-halloween-
costumes-ideas-Clown-
blood-halloween-party-
costumes-
e141094390179
.jpg
2018/06/18 at
5:51:54
2018/06/18 at
5:51:55
The image was
downloaded from
the website. It is
downloaded for
owning and
distributing
purpose
1492447345937
.jpg
2018/06/18 at
5:52:15
2018/06/18 at
5:52:15
The image was
downloaded from
the website. It is
downloaded for
owning and
distributing
purpose
Web bookmark –
The psychology behind
why clowns creep us out.
2018/06/18 at
08:20:36
The bookmark is
done on the
webpage. It is
made to access
the clown related
contents quickly.
The reason for
downloading is to
know about
psychology
reasons about
scaring clowns.
A little night music –
Send in the clowns
2018/06/19 at
5:14:24
2018/06/19 at
5:14:31
The Clark
downloaded this
pdf from the
website. The
reason for
Page 66 of 68
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
downloading is to
know more about
clowns.
Kikki_clown_party_pose
.jpg
2018/06/19 at
5:20:06
12018/06/19
at 5:20:06
The image was
downloaded from
the website. It is
downloaded for
owning and
distributing
purpose
Ronald_mcdonald-
e1476200032847-
660x330
.jpg
2018/06/19 at
05:20:41
2018/06/19 at
05:20:42
This image is
also downloaded
from the website
to own, access
and distribute.
Mail : clowning about 2018/07/02 at
07:50:09
2018/07/11 at
05:41:54
The clown
related mail is
send from the
Clark to Jazza
Simpson.
Page 67 of 68