Digital Forensic Analysis Report
VerifiedAdded on 2023/01/10
|11
|2371
|86
AI Summary
This report conducted a systematic forensic analysis of a possible computer crime involving one of the employees of Flashbill, Mr. Simpson and another employee of Desert Oasis, Jensen who accused of intellectual property theft.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Running head: Digital Forensic 1
Digital Forensic
[Author Name(s), First M. Last, Omit Titles and Degrees]
[Institutional Affiliation(s)]
Author Note
[Include any grant/funding information and a complete correspondence address.]
Digital Forensic
[Author Name(s), First M. Last, Omit Titles and Degrees]
[Institutional Affiliation(s)]
Author Note
[Include any grant/funding information and a complete correspondence address.]
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Running head: Digital Forensic 2
Executive Summary
The accompanying report was directed by CEO of Flashbill. My responsibility is to take
the proof gathered by the team and report convey actualities that would appear to be significant
the investigation. All the chain of custody procedure have been done to ensure the exhibits are
not tampered with. The report shows there is with reasonable doubt that the two colluded to steal
company’s intellectual property
Case Details
Flash bills CIO' Randal Simpson and Desert Oasis Funding lead developer Sarah Jensen
are being explored under the dread that they might have colluded to sell exclusive organization
data to the rivals in return for an occupation elevation
PC and Forensic Tool Statistics
The PC of CIO was expelled from its situation in Flashbill premises at 4/12/04 8:27:03
PM where it was trucked out to a close-by secure crime scene investigation office. The laptop
underwent a forensic audit. The hard drive image was taken by Encase,a tool good in forensic
audits. This program has a good reputation of providing the accurate hash of harddrive under
investigation to reduce breach of chain of custody by investigation team (Rowell & Potvin,
2015).
Examination
The following section details the start by start procedure done to come to the conclusion
of possible Intellectual property theft.
Logged case-> create a mirror by (C:\forensicsfile\winlabencase.image) by going to File -> Add
Device, clicking sessions, and tapping on including the proof record (Cohen, 2015).
Executive Summary
The accompanying report was directed by CEO of Flashbill. My responsibility is to take
the proof gathered by the team and report convey actualities that would appear to be significant
the investigation. All the chain of custody procedure have been done to ensure the exhibits are
not tampered with. The report shows there is with reasonable doubt that the two colluded to steal
company’s intellectual property
Case Details
Flash bills CIO' Randal Simpson and Desert Oasis Funding lead developer Sarah Jensen
are being explored under the dread that they might have colluded to sell exclusive organization
data to the rivals in return for an occupation elevation
PC and Forensic Tool Statistics
The PC of CIO was expelled from its situation in Flashbill premises at 4/12/04 8:27:03
PM where it was trucked out to a close-by secure crime scene investigation office. The laptop
underwent a forensic audit. The hard drive image was taken by Encase,a tool good in forensic
audits. This program has a good reputation of providing the accurate hash of harddrive under
investigation to reduce breach of chain of custody by investigation team (Rowell & Potvin,
2015).
Examination
The following section details the start by start procedure done to come to the conclusion
of possible Intellectual property theft.
Logged case-> create a mirror by (C:\forensicsfile\winlabencase.image) by going to File -> Add
Device, clicking sessions, and tapping on including the proof record (Cohen, 2015).
Running head: Digital Forensic 3
Set time zone -> Modify Time Zone. From the accompanying screen, We altered the
timezone to be the same with the current location time zone. This is important in getting accurate
logs We then stored recovered files int -> Recover Folders (Nuix, 2014).
The image was scripted in EnCase V4. Click view -> Scripts and chose the start Case
content which provoked me to enter data of the examiner and individual directories in the
examination (Vincze, 2016). Once scripted, the result was stored, and bookmarked. We
additionally expected to check which data we would need in the present. Data such as last
shutdown, timestamp was recorded (Johnson, 2013).Details of laptop include 32bit OS, 250GB
hardrive, windows 7 OS.This was critical in analysis
Set time zone -> Modify Time Zone. From the accompanying screen, We altered the
timezone to be the same with the current location time zone. This is important in getting accurate
logs We then stored recovered files int -> Recover Folders (Nuix, 2014).
The image was scripted in EnCase V4. Click view -> Scripts and chose the start Case
content which provoked me to enter data of the examiner and individual directories in the
examination (Vincze, 2016). Once scripted, the result was stored, and bookmarked. We
additionally expected to check which data we would need in the present. Data such as last
shutdown, timestamp was recorded (Johnson, 2013).Details of laptop include 32bit OS, 250GB
hardrive, windows 7 OS.This was critical in analysis
Running head: Digital Forensic 4
First, we set dictionary of words to use. Realizing what words to begin looking for could
enable us to load unnecessary data (Mendell, 2013). The scrips result contained like: Flatbill
company and Desert Oasis . With this rundown, we made a watchword list by tapping on View -
> Keywords. we right-clicked Keywords -> Add New Folder. I named the directory PSmith
Keywords. When the directory was made we then right tap the PSmith Keywords organizer ->
Insert Keyword List. The rundown box gets put away with the watchwords recently referenced.
The new catchphrases were then chosen and an inquiry was performed by going to Search at the
top.
The hunt was done under the accompanying criteria: look each record for watchwords,
seek document slack and chose catchphrases as it were (Haggerty, Haggerty, & Taylor, 2014).
The table underneath demonstrates the statistical findings of the audit.
With such huge numbers of hits for Flashbill and Desert Oasis, we presumed that the audit was
progressing nicely. We began with the littlest and stirred way up. Advancement's outcomes were
only a spam email. The records found under Flashbill company were venture documents and
some email objects (Pedneault & Davia, 2009). Now we were increasingly intrigued by proof
identifying with some sort of contact between Randal and Sarah (Moss, Endicott-Popovsky, &
First, we set dictionary of words to use. Realizing what words to begin looking for could
enable us to load unnecessary data (Mendell, 2013). The scrips result contained like: Flatbill
company and Desert Oasis . With this rundown, we made a watchword list by tapping on View -
> Keywords. we right-clicked Keywords -> Add New Folder. I named the directory PSmith
Keywords. When the directory was made we then right tap the PSmith Keywords organizer ->
Insert Keyword List. The rundown box gets put away with the watchwords recently referenced.
The new catchphrases were then chosen and an inquiry was performed by going to Search at the
top.
The hunt was done under the accompanying criteria: look each record for watchwords,
seek document slack and chose catchphrases as it were (Haggerty, Haggerty, & Taylor, 2014).
The table underneath demonstrates the statistical findings of the audit.
With such huge numbers of hits for Flashbill and Desert Oasis, we presumed that the audit was
progressing nicely. We began with the littlest and stirred way up. Advancement's outcomes were
only a spam email. The records found under Flashbill company were venture documents and
some email objects (Pedneault & Davia, 2009). Now we were increasingly intrigued by proof
identifying with some sort of contact between Randal and Sarah (Moss, Endicott-Popovsky, &
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Running head: Digital Forensic 5
Dupuis, 2015). The outcomes from flashbill returned with 4 fascinating hits. In the midst of the
email documents were 4 impermanent records found at:
These records all contained the message: "I would like to provide you with some content
from my organization in return for a position in desert oasis" – randal@flashbill.com. These
records caught our eye so we made a point to bring down the entrance time frames (all keep
going got to on 3/9/04 around 11:38 AM). we bookmarked the records by denoting the four
records, by choosing them and right clicking -> Bookmark Files. We made another envelope
called TMP Files (FLASHHBILL) and the four were imported there for further utility later.
Oasis outcomes were generally HTML documents that Randal probably the sites she has been
visiting. More hits came from Sarah. They were a blend of web records including information
and data about Flashbill (Garfinkel, 2013). The web documents originated from the Sarah site
where the organization's about and contact pages were visited. Likewise blended in were a
couple of messages to a sarah@desertoasis.com. we chose a couple of records which we spared
to bookmarks in the DBX Files (Sarah) organizer. Two messages specifically emerged that
contained data that appeared to identify with this case. The accompanying beneath is the place
the documents can be found.
Dupuis, 2015). The outcomes from flashbill returned with 4 fascinating hits. In the midst of the
email documents were 4 impermanent records found at:
These records all contained the message: "I would like to provide you with some content
from my organization in return for a position in desert oasis" – randal@flashbill.com. These
records caught our eye so we made a point to bring down the entrance time frames (all keep
going got to on 3/9/04 around 11:38 AM). we bookmarked the records by denoting the four
records, by choosing them and right clicking -> Bookmark Files. We made another envelope
called TMP Files (FLASHHBILL) and the four were imported there for further utility later.
Oasis outcomes were generally HTML documents that Randal probably the sites she has been
visiting. More hits came from Sarah. They were a blend of web records including information
and data about Flashbill (Garfinkel, 2013). The web documents originated from the Sarah site
where the organization's about and contact pages were visited. Likewise blended in were a
couple of messages to a sarah@desertoasis.com. we chose a couple of records which we spared
to bookmarks in the DBX Files (Sarah) organizer. Two messages specifically emerged that
contained data that appeared to identify with this case. The accompanying beneath is the place
the documents can be found.
Running head: Digital Forensic 6
The messages were both from randal@flashbill.com to sarah@desertoasis.com. Coming up next
are the details of the two messages.
The principal email was a similar data found in the impermanent documents that I had
discovered before from the aftereffects of the flashbill company catchphrase look.
The dictionary was very handy,it helps hose to investigate the course of events of the
working framework which records when a document was made, moved, and edited. It puts every
section in a decent logbook see so a specialist can see when there is an excess of changes
(Guidance Software, 2015). By choosing the case we were taking a shot at and going to Timeline
we found that there was overwhelming traffic on 1/23/04, 3/9/04, and 3/15/04. Beginning with
the soonest date and pushing ahead we inspected the information by focused on each date where
The messages were both from randal@flashbill.com to sarah@desertoasis.com. Coming up next
are the details of the two messages.
The principal email was a similar data found in the impermanent documents that I had
discovered before from the aftereffects of the flashbill company catchphrase look.
The dictionary was very handy,it helps hose to investigate the course of events of the
working framework which records when a document was made, moved, and edited. It puts every
section in a decent logbook see so a specialist can see when there is an excess of changes
(Guidance Software, 2015). By choosing the case we were taking a shot at and going to Timeline
we found that there was overwhelming traffic on 1/23/04, 3/9/04, and 3/15/04. Beginning with
the soonest date and pushing ahead we inspected the information by focused on each date where
Running head: Digital Forensic 7
it gets increasingly point by point by the hour and the moment the closer you zoom in. The
traffic created on 1/23/04 was principally hunting down another employment through locales like
Monster.com, Yahoo Jobs, and looking through the Flashbill and Desert Oasis site. The web
documents and treats that were made on this date affirm this; they are found at:
The records on 3/9/04 and 3/15/04 are the heaviest in rush hour gridlock. They
incorporate numerous treats and site records being made and erased in transitory documents
space alongside the two messages recently begun above being changed and erased.
The only experiment remaining included, one was to experience the picture Gallery
and check the pictures found on the document framework. So as to do this we needed to indicate
which directory contained pictures. We checked gallery .Alot of pictures gotten from Raytheon
site just as pictures relating to getting another line of work, including simply we definitely know.
We had discovered pieces of information on the who, the when, and the where yet I was all the
while missing what and how. This followed checking integrity checks for alteration. Running a
mark examination will take the correct mark that a document ought to be and check whether it
hash against the imaged hashed to check integrity. On the off chance that there is maybe a
confusion in calculating the hash, it will be named as so and Encase will disclose to me what
expansion it ought to be. Running a mark investigation makes them select the total picture and
completing a Search (a similar Search as done earlier).
The signature was verified and following was found:
it gets increasingly point by point by the hour and the moment the closer you zoom in. The
traffic created on 1/23/04 was principally hunting down another employment through locales like
Monster.com, Yahoo Jobs, and looking through the Flashbill and Desert Oasis site. The web
documents and treats that were made on this date affirm this; they are found at:
The records on 3/9/04 and 3/15/04 are the heaviest in rush hour gridlock. They
incorporate numerous treats and site records being made and erased in transitory documents
space alongside the two messages recently begun above being changed and erased.
The only experiment remaining included, one was to experience the picture Gallery
and check the pictures found on the document framework. So as to do this we needed to indicate
which directory contained pictures. We checked gallery .Alot of pictures gotten from Raytheon
site just as pictures relating to getting another line of work, including simply we definitely know.
We had discovered pieces of information on the who, the when, and the where yet I was all the
while missing what and how. This followed checking integrity checks for alteration. Running a
mark examination will take the correct mark that a document ought to be and check whether it
hash against the imaged hashed to check integrity. On the off chance that there is maybe a
confusion in calculating the hash, it will be named as so and Encase will disclose to me what
expansion it ought to be. Running a mark investigation makes them select the total picture and
completing a Search (a similar Search as done earlier).
The signature was verified and following was found:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Running head: Digital Forensic 8
The initial two records are venture documents from flashbill company that was kept in
a private directory with adjusted document augmentations. The last two records are printing
spools that appear as though they have been adjusted. The spools relate to every one of the initial
two records being sent to the IP address of 192.168.1.106. The Project 238x was sent to that
address on 3/9/04 and the Project 47x record was sent on 3/15/04 by the client name
RSIMPSON. The IP address is mapped to the HP LaserJet 4000 Series PCL6 at ACME
Industries. Both spool documents can be found at:
Finally, we ran the IE history parser with catchphrase seek content to ensure that every
one of the sites that I had seen through the treats and transitory web documents was really visited
and to ensure that we had not missed any others. So as to run this content I went to the Scripts
menu and included the choices of include bookmarks and make website page and tab-delimited
records and to look through all documents. The report did not convey any new data that had not
as of now been found (Rowell & Potvin, 2015). The last contest we ran was to check whether
there was any data I could acquire from the NTFS INFO2 document.
This is the Recycle Bin record that would contain any erased document data. By
running the content NTFS INFO2 Record Finder and choosing to just peruse INFO2 documents
just and sparing it to the bookmark Recovered NTFS Info2 Records I concocted just a single
The initial two records are venture documents from flashbill company that was kept in
a private directory with adjusted document augmentations. The last two records are printing
spools that appear as though they have been adjusted. The spools relate to every one of the initial
two records being sent to the IP address of 192.168.1.106. The Project 238x was sent to that
address on 3/9/04 and the Project 47x record was sent on 3/15/04 by the client name
RSIMPSON. The IP address is mapped to the HP LaserJet 4000 Series PCL6 at ACME
Industries. Both spool documents can be found at:
Finally, we ran the IE history parser with catchphrase seek content to ensure that every
one of the sites that I had seen through the treats and transitory web documents was really visited
and to ensure that we had not missed any others. So as to run this content I went to the Scripts
menu and included the choices of include bookmarks and make website page and tab-delimited
records and to look through all documents. The report did not convey any new data that had not
as of now been found (Rowell & Potvin, 2015). The last contest we ran was to check whether
there was any data I could acquire from the NTFS INFO2 document.
This is the Recycle Bin record that would contain any erased document data. By
running the content NTFS INFO2 Record Finder and choosing to just peruse INFO2 documents
just and sparing it to the bookmark Recovered NTFS Info2 Records I concocted just a single
Running head: Digital Forensic 9
document erased from the My Documents organizer of RSIMPSON identifying with Desert
Oasis. It didn't appear to be of any an incentive to this case (Gottschalk, 2015).
Conclusion
This report conducted a systematic forensic analysis of a possible computer crime
involving one of the employees of Flashbill, Mr. Simpson and another employee of Desert Oasis,
Jensen who accused of intellectual property theft. The forensic investigation followed the use of
software and tools to analyze the digital footprints of the two accused. It is clear from the audit,
the two had been in constant communication. The emails retrieved from the accused machines
clearly points this out. The search and other files are hidden deep into the accused machines
further confirmed the narrative.
document erased from the My Documents organizer of RSIMPSON identifying with Desert
Oasis. It didn't appear to be of any an incentive to this case (Gottschalk, 2015).
Conclusion
This report conducted a systematic forensic analysis of a possible computer crime
involving one of the employees of Flashbill, Mr. Simpson and another employee of Desert Oasis,
Jensen who accused of intellectual property theft. The forensic investigation followed the use of
software and tools to analyze the digital footprints of the two accused. It is clear from the audit,
the two had been in constant communication. The emails retrieved from the accused machines
clearly points this out. The search and other files are hidden deep into the accused machines
further confirmed the narrative.
Running head: Digital Forensic 10
References
Cohen, F. B. (2015). Digital diplomatics and forensics: going forward on a global basis. Records
Management Journal, 25(1), 21–44. https://doi.org/10.1108/RMJ-03-2014-0016
Garfinkel, S. L. (2013). Digital media triage with bulk data analysis and bulk_extractor.
Computers & Security, 32, 56–72. https://doi.org/10.1016/j.cose.2012.09.011
Gottschalk, P. (2015). Investigating Financial Crime : Characteristics of White-collar Criminals.
In Criminal Justice, Law Enforcement and Corrections. Retrieved from
http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=1049958&site=ehost-live
Guidance Software, I. (2015, October 8). Guidance Software EnCase Forensic Earns 5-Star
Rating in SC Magazine Digital Forensics Review. Business Wire (English). Retrieved
from http://search.ebscohost.com/login.aspx?
direct=true&db=bwh&AN=bizwire.c64575735&site=ehost-live
Haggerty, J., Haggerty, S., & Taylor, M. (2014). Forensic triage of email network narratives
through visualisation. Information Management & Computer Security, 22(4), 358–370.
https://doi.org/10.1108/IMCS-11-2013-0080
Johnson, M. (2013). Cyber Crime, Security and Digital Intelligence. Farnham, Surrey:
Routledge.
Mendell, R. L. (2013). Investigating Information-Based Crimes : A Guide for Investigators on
Crimes Against Person Related to the Theft or Manipulation of Information Assets.
References
Cohen, F. B. (2015). Digital diplomatics and forensics: going forward on a global basis. Records
Management Journal, 25(1), 21–44. https://doi.org/10.1108/RMJ-03-2014-0016
Garfinkel, S. L. (2013). Digital media triage with bulk data analysis and bulk_extractor.
Computers & Security, 32, 56–72. https://doi.org/10.1016/j.cose.2012.09.011
Gottschalk, P. (2015). Investigating Financial Crime : Characteristics of White-collar Criminals.
In Criminal Justice, Law Enforcement and Corrections. Retrieved from
http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=1049958&site=ehost-live
Guidance Software, I. (2015, October 8). Guidance Software EnCase Forensic Earns 5-Star
Rating in SC Magazine Digital Forensics Review. Business Wire (English). Retrieved
from http://search.ebscohost.com/login.aspx?
direct=true&db=bwh&AN=bizwire.c64575735&site=ehost-live
Haggerty, J., Haggerty, S., & Taylor, M. (2014). Forensic triage of email network narratives
through visualisation. Information Management & Computer Security, 22(4), 358–370.
https://doi.org/10.1108/IMCS-11-2013-0080
Johnson, M. (2013). Cyber Crime, Security and Digital Intelligence. Farnham, Surrey:
Routledge.
Mendell, R. L. (2013). Investigating Information-Based Crimes : A Guide for Investigators on
Crimes Against Person Related to the Theft or Manipulation of Information Assets.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Running head: Digital Forensic 11
Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=545566&site=ehost-live
Moss, M. S., Endicott-Popovsky, B., & Dupuis, M. J. (2015). Is Digital Different? : How
Information Creation, Capture, Preservation and Discovery Are Being Transformed.
Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=1454582&site=ehost-live
Nuix. (2014, October 9). Digital Forensics Expert Jim Kent’s Leadership in Investigations and
Cybersecurity and Government Gives Nuix Edge in North America Market. Business
Wire (English). Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=bwh&AN=bizwire.c57810879&site=ehost-live
Pedneault, S., & Davia, H. R. (2009). Fraud 101 : Techniques and Strategies for Understanding
Fraud. Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=314633&site=ehost-live
Rowell, C. J., & Potvin, S. (2015). Preservation Metadata for Digital Forensics. A Report of the
ALCTS PARS Preservation Metadata Interest Group Meeting. American Library
Association Annual Meeting, Las Vegas, June 2014. Technical Services Quarterly, 32(3),
320–325. https://doi.org/10.1080/07317131.2015.1031606
Vincze, E. A. (2016). Challenges in digital forensics. Police Practice & Research, 17(2), 183–
194. https://doi.org/10.1080/15614263.2015.1128163
Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=545566&site=ehost-live
Moss, M. S., Endicott-Popovsky, B., & Dupuis, M. J. (2015). Is Digital Different? : How
Information Creation, Capture, Preservation and Discovery Are Being Transformed.
Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=1454582&site=ehost-live
Nuix. (2014, October 9). Digital Forensics Expert Jim Kent’s Leadership in Investigations and
Cybersecurity and Government Gives Nuix Edge in North America Market. Business
Wire (English). Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=bwh&AN=bizwire.c57810879&site=ehost-live
Pedneault, S., & Davia, H. R. (2009). Fraud 101 : Techniques and Strategies for Understanding
Fraud. Retrieved from http://search.ebscohost.com/login.aspx?
direct=true&db=nlebk&AN=314633&site=ehost-live
Rowell, C. J., & Potvin, S. (2015). Preservation Metadata for Digital Forensics. A Report of the
ALCTS PARS Preservation Metadata Interest Group Meeting. American Library
Association Annual Meeting, Las Vegas, June 2014. Technical Services Quarterly, 32(3),
320–325. https://doi.org/10.1080/07317131.2015.1031606
Vincze, E. A. (2016). Challenges in digital forensics. Police Practice & Research, 17(2), 183–
194. https://doi.org/10.1080/15614263.2015.1128163
1 out of 11
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.