Digital Forensic Investigation using ProDiscover and WinHex

Added on  2023/06/12


Table of Contents
Task 1
Task 2
Abstract
Introduction
Analysis conducted
Findings
Task 1
WinHex is a hex editor that can rewrite the byte values of a file. Such edits are made either to repair a damaged file or to obfuscate its contents so that only someone who knows the exact sequence of operations can reverse them. To recover the text from the file supplied for this task, the following Modify Data operations are applied in order:
Modify Data -> "left shift by 1 bit"
Output:
Modify Data -> "32-bit byte swap"
Output and decrypted text:
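The two Modify Data operations above can be scripted so that the recovery is reproducible and so that you can tell, before looking at the output, whether a bit shift can recover the text exactly. The Python below is an added example, not part of the original page and not WinHex code; it assumes that WinHex's shifts act on each byte independently and that the 32-bit byte swap reverses each aligned 4-byte group. The sample plaintext and the obfuscation applied to it are constructed for the demonstration: 7-bit ASCII obfuscated with a byte swap followed by a left shift, so the exact inverse is a right shift followed by a byte swap. The `bytes_damaged_by_*` counters report how many bytes would lose a set bit under each shift direction; a non-zero count means that direction cannot be an exact inverse for that data.

```python
"""WinHex 'Modify Data' transforms as pure functions (added example, not from the page).

Assumptions not stated on the page: the bit shifts act on every byte
independently, and the 32-bit byte swap reverses the byte order inside each
aligned 4-byte group, leaving a trailing partial group untouched.
"""


def shift_left_1bit(data: bytes) -> bytes:
    """Logical left shift by one bit, per byte; the top bit of every byte is discarded."""
    return bytes((b << 1) & 0xFF for b in data)


def shift_right_1bit(data: bytes) -> bytes:
    """Logical right shift by one bit, per byte; the low bit of every byte is discarded."""
    return bytes(b >> 1 for b in data)


def byte_swap_32(data: bytes) -> bytes:
    """Reverse byte order within each aligned 4-byte group. Applying it twice is the identity."""
    full = len(data) - len(data) % 4
    out = bytearray()
    for i in range(0, full, 4):
        out += data[i:i + 4][::-1]
    out += data[full:]          # a partial trailing group is passed through unchanged
    return bytes(out)


def bytes_damaged_by_shift_left(data: bytes) -> int:
    """How many bytes have their top bit set; a left shift throws that bit away."""
    return sum(1 for b in data if b & 0x80)


def bytes_damaged_by_shift_right(data: bytes) -> int:
    """How many bytes have their low bit set; a right shift throws that bit away."""
    return sum(1 for b in data if b & 0x01)


def recover_task1(data: bytes) -> bytes:
    """The sequence used in Task 1: left shift by 1 bit, then 32-bit byte swap."""
    return byte_swap_32(shift_left_1bit(data))


def obfuscate_ascii(plain: bytes) -> bytes:
    """Constructed obfuscation for the demo: 32-bit byte swap, then left shift by 1 bit.
    For 7-bit ASCII the top bit is always 0, so this direction loses nothing."""
    if any(b & 0x80 for b in plain):
        raise ValueError("only 7-bit ASCII survives a left shift without loss")
    return shift_left_1bit(byte_swap_32(plain))


def recover_ascii(obfuscated: bytes) -> bytes:
    """Exact inverse of obfuscate_ascii: right shift by 1 bit, then 32-bit byte swap."""
    return byte_swap_32(shift_right_1bit(obfuscated))


SAMPLE_PLAINTEXT = b"The kayak design files are on the USB drive."   # constructed sample
SAMPLE_OBFUSCATED = obfuscate_ascii(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("bytes damaged by a right shift:", bytes_damaged_by_shift_right(SAMPLE_OBFUSCATED))
    print("bytes damaged by a left shift: ", bytes_damaged_by_shift_left(SAMPLE_OBFUSCATED))
    print(recover_ascii(SAMPLE_OBFUSCATED))
```

A logical shift discards one bit per byte, so of two candidate recoveries only the one whose damage counter is zero can be exact; a bit rotation, which WinHex also offers, is lossless in both directions. `recover_task1` applies the page's own sequence and is included so the same check can be run on the real file before its output is trusted.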

Task 2
Abstract
This investigation concerns the possible theft of intellectual property belonging to Exotic Mountain Tour Services (EMTS) by a contract employee. EMTS has just completed an extensive survey of locations and customers together with Superior Bicycles, LLC, and the resulting business data would, if leaked, cost both organizations revenue and hand competitors an undue advantage. The leak came to light when two of the contract employee's emails were flagged during a review of outgoing mail; their content points clearly to malicious intent. A USB drive was also found on the desk the contract employee used while working at the organization. This report covers the analysis of the captured emails and of the USB drive found on that desk.
Introduction
ProDiscover is the software used in this investigation to analyze disk images acquired from physical drives. Several other products exist, but ProDiscover offers one of the broadest feature sets available to an examiner, of which only a handful are needed for routine forensic work. One important capability is that, used together with a hardware write blocker, it produces an exact copy of a storage device without altering the original disk in any way. Imaging is also available for remote clients, and ProDiscover can image the storage regardless of how much the drive is changing.
The other tool used is Hex Workshop, a hex editor developed by BreakPoint Software that can view, edit, copy, delete, paste and insert arbitrary hex/binary data, much as a word processor edits text. Data can be interpreted in its native structures and viewed in several ways, including a tree view. The editor can apply arithmetic and logical operations to the data, search in hexadecimal or native binary form, generate checksums and digests, and export an extensive report in HTML or RTF. WinHex, used in Task 1, offers the same class of operations through its Modify Data dialog.
Analysis conducted
In the initial findings, two emails had been sent outside the official circle of the organization, EMTS, and a USB drive had been found on the desk of the contract employee, Bob Aspen. With this material at hand, the task is to establish what was communicated and to search for concrete evidence against Bob, noting the assumptions that have to be made along the way.
The two emails were intercepted by the organization's mail filter. One was addressed to terrysadler@groowy.com and the other to baspen@aol.com, which matches the record of the contract employee Bob Aspen. The date and time of the messages, 4 February 2007 at 9:21 PM and 5:17 AM, fall within the period when the contract employee was working in that section of the office.
The email sent by Jim Shu to terrysadler@groowy.com was forwarded to the contract employee's baspen@aol.com address. Timestamps are assigned by the sending mail servers rather than by the users, so the two messages carry times that do not agree with each other; the later timestamp on Jim Shu's message indicates that his account is hosted further west.
The next email in the conversation asks Bob to alter the data in the image so that the company's filter does not pick it up, and notes that the .jpg extension was changed to .txt, since the file concerned the kayaks. The last message in the thread records that Bob cannot receive this message from terrysadler@groowy.com.
Searching for and Recovering Digital Photography Evidence
In this section the corrupted image is recovered from the USB drive provided by EMTS. The search starts with the string "FIF" rather than "JFIF" or "JPEG": a JFIF image carries the identifier JFIF at byte offset 6, so "FIF" still matches a file whose leading header bytes have been overwritten (the recovered file in the next section shows exactly that, zFIF in place of JFIF), whereas "JFIF" and "JPEG" would also pull in remnants of other image files that were once stored on the drive. Clusters that match the string but are not the file of interest are false positives; each one has to be verified individually, which costs time and delays finding the right file.
A project is created in ProDiscover and the supplied image file, C10InChp.eve, is added to it as follows:

1. Run ProDiscover from an Administrator account so that it has full rights over the protected image files, and create a new project named C10InChp.
2. Add the image to the project with Add -> Image File, browsing to the location of C10InChp.eve.
3. To locate the data, run a cluster search over the image with the pattern "FIF", as discussed above, with Case Sensitive and ASCII selected.
4. Check the keyword hits for "FIF"; they are highlighted in blue in the screenshot.
5. Select the first occurrence of "FIF" and double-click it to jump directly to the matching location in the image.
6. Back on the results screen, each hit is reported as a cluster number together with the name of the file in which it was found.

7. Select the files listed, right-click and choose "Find File".
8. Press "Yes". All clusters matching the criteria are then displayed.
9. Right-click the listed file and choose to save it to a file; name the recovered file "recover1.jpg".
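The "FIF" search and the triage of its hits can be reproduced outside ProDiscover with a short script. The Python below is an added example, not ProDiscover code and not part of the original report; it assumes a 512-byte cluster size with clusters numbered from the start of the image (on a real volume both come from the boot sector), and the image it scans is constructed: an intact JFIF header, a memo containing the word JFIF, and a header damaged the way the page describes (offsets 0-3 and 6 overwritten with 'z'). The classification rules are this example's own heuristics, not ProDiscover's logic.

```python
"""Scan a raw image for 'FIF' hits and separate intact JFIF headers, damaged
JFIF headers and plain-text false positives (added example, not from the page).

Assumption: a 512-byte cluster size and cluster numbers counted from the start
of the image; a real volume takes both from its boot sector / partition table.
"""

CLUSTER_SIZE = 512
SOI_APP0 = b"\xff\xd8\xff\xe0"               # JPEG start-of-image + APP0 marker
INTACT_JFIF = SOI_APP0 + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs (overlapping matches included)."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def classify_fif_hits(image: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Keyword search for 'FIF' with a header check around each hit.

    In a JFIF file 'JFIF\\0' starts at offset 6, so 'FIF' sits at offset 7 and the
    candidate file start is hit - 7. Heuristics (this example's, not ProDiscover's):
      jfif-header         : SOI/APP0, 'J' and the NUL terminator are all in place
      damaged-jfif-header : APP0 length 00 10 and the NUL survive, markers/'J' do not
      text                : anything else, e.g. the word JFIF inside a document
    """
    results = []
    for hit in find_all(image, b"FIF"):
        start = hit - 7
        kind = "text"
        if start >= 0:
            head = image[start:start + 11]
            if head[0:4] == SOI_APP0 and head[6:7] == b"J" and head[10:11] == b"\x00":
                kind = "jfif-header"
            elif head[4:6] == b"\x00\x10" and head[10:11] == b"\x00":
                kind = "damaged-jfif-header"
        results.append({"offset": hit, "cluster": f"{hit // cluster_size:X}", "kind": kind})
    return results


def build_sample_image(cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Constructed 8-cluster image: an intact JFIF at cluster 3, a sentence
    mentioning JFIF at cluster 5, and at cluster 6 a header damaged the way the
    page describes (offsets 0-3 and 6 overwritten with 'z')."""
    image = bytearray(cluster_size * 8)          # zero-filled
    damaged = b"zzzz" + INTACT_JFIF[4:6] + b"z" + INTACT_JFIF[7:]
    text = b"The word JFIF appears in this memo and is a false positive."
    image[3 * cluster_size:3 * cluster_size + len(INTACT_JFIF)] = INTACT_JFIF
    image[5 * cluster_size + 40:5 * cluster_size + 40 + len(text)] = text
    image[6 * cluster_size:6 * cluster_size + len(damaged)] = damaged
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for r in classify_fif_hits(img):
        print(f"cluster {r['cluster']:>4}  offset {r['offset']:6d}  {r['kind']}")
    print("hits on the full signature FF D8 FF E0:", len(find_all(img, SOI_APP0)))
```

A search for the full signature FF D8 FF E0 finds only the intact file, which is why the section searches for "FIF": the damaged header still carries the identifier from offset 7 onward. Hits classified as text are the false positives the section mentions, and the cluster numbers are formatted in hex to match ProDiscover's display.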

Rebuilding File Header
According to the contract employee's email exchange, the header of the forwarded file was altered to get it past the organization's filter. Renaming .jpg to .txt changes only the name; overwriting the first bytes is what defeats a check on the file signature. With its header altered, the file will not open in any image viewer, so a hex editor is needed to open the JPEG. The header is recovered as follows:
1. Open Recover1.jpg in Hex Workshop.
2. The bytes at the top of the file are visible: offsets 0 to 3 hold 7A 7A 7A 7A and offset 6 also holds 7A (ASCII 'z').
3. A standard JFIF/JPEG file begins with FF D8 FF E0; edit offsets 0 to 3 to these values to fix the header.
4. In the right-hand text pane, as shown in the screenshot, replace zFIF with JFIF.
5. Save the file as Fixed1.jpg; it can now be opened in any image viewer.
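The same repair, done on a copy and verified by parsing the header rather than only by opening the result in a viewer. The Python below is an added example, not part of the original report and not Hex Workshop code; its sample buffer is constructed with 7A at offsets 0-3 and 6 exactly as the steps above describe, and its parser validates only the JFIF APP0 segment (an Exif JPEG begins FF D8 FF E1 with "Exif" at offset 6 and would need a different repair).

```python
"""Repair a JFIF header whose first bytes were overwritten, and verify the
result by parsing the APP0 segment (added example, not from the page).

The edit is the one described in the steps above: bytes 0-3 become FF D8 FF E0
and byte 6 becomes 'J'. The sample data and the checks are this example's own.
"""

import hashlib

SOI = b"\xff\xd8"
APP0 = b"\xff\xe0"


def parse_jfif_header(data: bytes):
    """Return the APP0 fields if data starts with a well-formed JFIF header, else None."""
    if len(data) < 20 or data[0:2] != SOI or data[2:4] != APP0:
        return None
    length = int.from_bytes(data[4:6], "big")
    if length < 16 or data[6:11] != b"JFIF\x00":
        return None
    return {
        "app0_length": length,
        "version": (data[11], data[12]),
        "units": data[13],                      # 0 = aspect ratio only, 1 = dpi, 2 = dpcm
        "x_density": int.from_bytes(data[14:16], "big"),
        "y_density": int.from_bytes(data[16:18], "big"),
    }


def rebuild_jfif_header(data: bytes) -> bytes:
    """Patch a copy: FF D8 FF E0 at offsets 0-3 and 'J' at offset 6. The input is untouched."""
    if len(data) < 11:
        raise ValueError("too short to hold a JFIF header")
    fixed = bytearray(data)
    fixed[0:4] = SOI + APP0
    fixed[6:7] = b"J"
    return bytes(fixed)


def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets at which the two buffers differ; confirms only the header was touched."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def sha256_hex(data: bytes) -> str:
    """Fingerprint for the evidence log: record the hash of the original before patching."""
    return hashlib.sha256(data).hexdigest()


def make_damaged_sample() -> bytes:
    """Constructed Recover1.jpg-like buffer: 7A at offsets 0-3 and 6, as on the page."""
    good = SOI + APP0 + b"\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
    body = bytes((i * 13) & 0xFF for i in range(200)) + b"\xff\xd9"
    damaged = bytearray(good + body)
    damaged[0:4] = b"zzzz"
    damaged[6:7] = b"z"
    return bytes(damaged)


if __name__ == "__main__":
    broken = make_damaged_sample()
    print("original sha256:", sha256_hex(broken))
    fixed = rebuild_jfif_header(broken)
    print("header before:", parse_jfif_header(broken))
    print("header after: ", parse_jfif_header(fixed))
    print("offsets changed:", changed_offsets(broken, fixed))
```

Record the hash of the recovered file before patching and keep the edit confined to the bytes you intend to change; `changed_offsets` shows that only five bytes differ between the damaged input and the fixed copy, which is the same evidence-handling discipline the Hex Workshop edit should follow.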
Reconstructing File Fragments
Having recovered one file, the next step is to reconstruct an image file from its damaged header and the clusters available in the image under examination. The approach is:
1. Find all the clusters of the image file to be reconstructed, along with the clusters related to them.
2. Once the clusters are classified, determine the starting and ending cluster of each fragmented group.
3. Assemble the cluster groups into a single file in the correct order.
4. Rebuild the file header so that the result can be viewed in an image viewer.
The project file is opened in ProDiscover:
1. The tree view lists all the files that have to be read and searched in order to find the clusters. Using the cluster search as before, the keyword AC4 (2756) is searched and all related clusters are listed.
2. Clicking Find opens a dialog listing all the clusters found related to AE3 (2787); select them all and paste them into a text file named AE3-crave.txt.

3. In AE3-crave.txt all the clusters are marked and grouped, with the cluster range of each group. Arranged by range, the clusters found are:
a. Fragment range 1: AC4 to B20
b. Fragment range 2: 1d6 to 229
c. Fragment range 3: 3cc to 406
d. Fragment range 4: 14b to 182
e. Fragment range 5: 938 to 96d
f. Fragment range 6: 6 to d
4. Locate each cluster range individually and recover it, naming the results Fragment 1 to Fragment 6. These steps are performed on the clusters themselves.
5. Combine fragments 1 to 6, in that order, into one file.
6. Re-create the header of the recovered file and save it as recover2.jpg.
Findings
1. The captured emails were the first evidence pointing to the person concerned, Bob Aspen; the analysis started from them.
2. There were two major findings. First, Bob Aspen was indeed attempting to leak company data to a third party, possibly a competitor of EMTS. Second, the image files were recovered with ProDiscover, and the hex editor (WinHex in Task 1, Hex Workshop in Task 2) was used to manipulate the binary data in order to rebuild the file headers.