Digital Forensic Investigation using ProDiscover and WinHex

Added on  2023/06/12


Table of Contents
Task 1
Task 2
Abstract
Introduction
Analysis conducted
Findings
Task 1
WinHex is a hex editor with forensic features that lets the examiner alter the binary content of a file directly. It is generally used to repair the headers of known file types, to scramble data, and to reverse such scrambling so that the original text can be read again. In this task the text was recovered by applying two of WinHex's Modify Data operations in sequence:
1. Modify Data -> "Left shift by 1 bit"
Output:
2. Modify Data -> "32-bit byte swap"
Output and decoded text:
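As an added example (not part of the original assignment and not WinHex's own code), the following Python reproduces the two Modify Data operations on a byte buffer so that the recovery can be scripted and checked outside the GUI. Because the page does not say how WinHex implements them, it assumes that the 1-bit shift treats the whole block as one big-endian bit string (the leading bit is discarded and a zero bit enters at the end) and that the 32-bit byte swap reverses each aligned 4-byte group and leaves a trailing partial group untouched. The sample text is constructed for the demonstration; scramble() is the inverse sequence, included only so the round trip can be checked.

```python
def shift_left_1(data: bytes) -> bytes:
    """WinHex 'Left shift by 1 bit', modelled (assumption) as a shift of the whole block
    treated as one big-endian bit string: the leading bit is lost, a 0 enters at the end."""
    n = len(data)
    if n == 0:
        return b""
    v = (int.from_bytes(data, "big") << 1) & ((1 << (8 * n)) - 1)
    return v.to_bytes(n, "big")


def shift_right_1(data: bytes) -> bytes:
    """The opposite shift: a 0 enters at the front and the final bit is lost."""
    n = len(data)
    if n == 0:
        return b""
    return (int.from_bytes(data, "big") >> 1).to_bytes(n, "big")


def swap32(data: bytes) -> bytes:
    """WinHex '32-bit byte swap': reverse the byte order inside every aligned 4-byte group.
    A trailing group shorter than 4 bytes is left as it is (assumption)."""
    out = bytearray(data)
    for i in range(0, len(data) - len(data) % 4, 4):
        out[i:i + 4] = data[i:i + 4][::-1]
    return bytes(out)


# The Modify Data operations used in this task, keyed by their menu names.
OPERATIONS = {
    "Left shift by 1 bit": shift_left_1,
    "Right shift by 1 bit": shift_right_1,
    "32-bit byte swap": swap32,
}


def modify_data(data: bytes, steps) -> bytes:
    """Apply a sequence of Modify Data operations in the order given."""
    for name in steps:
        data = OPERATIONS[name](data)
    return data


def unscramble(data: bytes) -> bytes:
    """The recovery sequence from Task 1: shift left by 1 bit, then 32-bit byte swap."""
    return modify_data(data, ["Left shift by 1 bit", "32-bit byte swap"])


def scramble(plain: bytes) -> bytes:
    """Inverse of unscramble(): swap first, then shift right. A shift loses one bit, so the
    round trip is exact only when the last bit of the swapped block is 0; otherwise the
    final byte of the recovered text is off by one."""
    return modify_data(plain, ["32-bit byte swap", "Right shift by 1 bit"])


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII listing in the style of a hex editor pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


# Constructed sample text (not the assignment's data). The trailing newlines make the last
# byte of the swapped block even, so the lossy shift round-trips exactly.
SAMPLE_PLAINTEXT = b"Exotic Mountain Tour Services survey\n\n\n\n"

if __name__ == "__main__":
    scrambled = scramble(SAMPLE_PLAINTEXT)
    print("scrambled:\n" + hexdump(scrambled))
    print("after Left shift by 1 bit:\n" + hexdump(shift_left_1(scrambled)))
    print("after 32-bit byte swap:\n" + unscramble(scrambled).decode("ascii"))
```

The order matters: applying the byte swap before the shift moves the bit that crosses each 4-byte boundary to the wrong place, which is why the task lists the shift first. The one-bit loss noted in scramble() is the reason a shifted file can never be proven byte-for-byte identical to the original; a rotate would be lossless, a shift is not.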

Task 2
Abstract
The case under investigation concerns an attempt by a contract employee to steal the intellectual property of Exotic Mountain Tour Services (EMTS). EMTS had just completed an extensive survey, in association with Superior Bicycles, LLC, as the basis for a new business strategy. A leak of that data would cost EMTS revenue and trust and could turn the whole campaign into a heavy loss. The leak came to light when the organization intercepted the contract employee's emails, which revealed his malicious activity. A USB drive was also recovered from the employee's desk, and it is this drive on which the forensic investigation is carried out.
Introduction
The two main software tools used in this investigation are ProDiscover and WinHex. ProDiscover is a forensic tool used to create and analyze images of storage devices. It offers a large feature set, although forensic examiners generally use only a few of its functions. Combined with a hardware write blocker, it produces an exact image of the storage device without altering the original evidence.
The other important tool is WinHex, a hex editor with forensic features that allows the examiner to alter the binary content of a file. It is generally used to repair the headers of known file types, to scramble data, and to reverse such scrambling so that the original text can be read again. It allows the opened file to be edited in binary (edit, cut, copy, paste, delete, insert and so on) and offers different views, such as a tree view and a cluster view. Arithmetic and logical operations can be applied to the data, and the cluster-based search is an important feature that lets the examiner work on individual clusters to recover files directly or cluster by cluster. The ability to export reports in HTML and RTF format is a useful add-on feature.
Analysis conducted
At the start we have two emails that were sent outside the company, to an unofficial mail address that does not belong to EMTS's trusted zones. In addition, a USB drive was found at the desk of the contract employee, Bob Aspen. This is the information in hand, and the task is to recover data from the USB drive, guided by the information in the emails, in order to obtain concrete evidence against the accused, Bob Aspen.
The two email addresses involved are terrysadler@groowy.com, which sent the messages, and baspen@aol.com, which replied to them. The latter matches the email address Bob Aspen used while working for the organization on contract. The timestamps of the sent and received messages do not line up, which suggests that the account was operated from a location in a different time zone to the west, since the timestamps are applied by the mail server rather than by the user.
The next message asks Bob Aspen to alter the data so that it can bypass the organization's filters. It also directs him to change the file extension and to alter the header information.
Searching for and Recovering Digital Photograph Evidence
To recover files from the USB drive provided by EMTS, an image of the drive was first created with ProDiscover and then loaded into a ProDiscover project. The initial recovery consisted of a search for the string "FIF". The search string is "FIF" rather than "JFIF" or "JPEG" because the emails showed that the file header had been altered, so the full signature may no longer be present; the shorter string still matches the surviving tail of the JFIF identifier. The price is more hits, including false positives, each of which the examiner has to inspect, so the focus is on the most recent files, which Bob Aspen is most likely to have used to transfer the confidential intellectual property. To recover the data and build a solid evidence case, ProDiscover is used together with WinHex to recover or reconstruct the header information so that the retrieved file can be opened and viewed.
1. Run ProDiscover as Administrator so that it has full access rights on the system. Create a new project named C10InChp.
2. Add the image received using the Add option, selecting the image file C10InChp.eve from its location.
3. Start the recovery with the cluster-based search option, using the keyword "FIF" and searching in ASCII with the Case Sensitive option selected.
4. All hits matching the "FIF" criterion are highlighted in blue. These are the candidate files to be recovered.
5. Select the first occurrence of "FIF" and click it to view the key map and jump to the required location.
6. To return to the original screen, click the keyword-found location; all files matching the criterion are shown.
7. Select the image and click the "Find File" option.
8. Press "Yes". All clusters matching the criterion are shown on the screen.
9. Right-click to save the listed file and name it recover1.jpg.
Rebuilding File Header
As the email shows, Bob Aspen altered the image file header to bypass the organization's security. A file whose header has been changed cannot be opened with any standard image viewer. To view it, the header has to be reconstructed: the file is opened in the WinHex editor, the JPEG header is rebuilt and saved, and the file is then opened in an image viewer.
1. Open recover1.jpg in WinHex (the same edit can be made in any hex editor, such as Hex Workshop).
2. The header bytes at offsets 0 to 3 read 7A 7A 7A 7A, and offset 6 also reads 7A.
3. A JFIF/JPEG file must begin with FF D8 FF E0, so the bytes at offsets 0 to 3 are replaced with the correct header.
4. Finally, in the right-hand text pane, replace "zFIF" with "JFIF" to complete the header (the 7A at offset 6 is the ASCII "z").
5. Save the file as Fixed1.jpg.
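As an added example serving both the "FIF" search above and the header rebuild just described (not part of the original assignment and not ProDiscover's or WinHex's code), the following Python runs the same case-sensitive search over a raw buffer, decides whether each hit is an intact JFIF header, a header damaged in the way the assignment describes (offsets 0 to 3 and 6 overwritten), or merely the letters FIF in unrelated data, repairs only the damaged bytes, carves the file up to its end marker and hashes the result for the evidence log. The two sample buffers are constructed for the demonstration; the "altered" heuristic (the NUL after the identifier survives) is an assumption about how such an overwrite looks, not something the page states.

```python
import hashlib

SOI_APP0 = bytes.fromhex("FFD8FFE0")   # Start-Of-Image marker followed by the APP0 marker
APP0_ID = b"JFIF\x00"                  # APP0 identifier, NUL-terminated
EOI = bytes.fromhex("FFD9")            # End-Of-Image marker
FIF_OFFSET = 7                         # intact layout: FF D8 FF E0 <len:2> 'J' 'F' 'I' 'F' 00


def find_fif_hits(data: bytes) -> list:
    """Offsets of every case-sensitive ASCII 'FIF', the same search run in ProDiscover."""
    hits, pos = [], data.find(b"FIF")
    while pos != -1:
        hits.append(pos)
        pos = data.find(b"FIF", pos + 1)
    return hits


def classify_hit(data: bytes, hit: int) -> str:
    """Intact JFIF header, header with offsets 0-3 and 6 overwritten, or not a header at all."""
    start = hit - FIF_OFFSET
    if start < 0:
        return "not-a-header"
    if data[start:start + 4] == SOI_APP0 and data[start + 6:start + 11] == APP0_ID:
        return "intact"
    # Heuristic (assumption): the NUL terminating the identifier survives the overwrite,
    # which separates a damaged header from the word JFIF inside, say, a text document.
    if data[start + 10:start + 11] == b"\x00":
        return "altered"
    return "not-a-header"


def repair_header(data: bytes, hit: int) -> bytes:
    """Restore only the bytes the assignment describes: the four marker bytes and the 'J'.
    Every other byte, including the APP0 length, is left untouched."""
    start = hit - FIF_OFFSET
    if start < 0:
        raise ValueError("hit too close to the start of the buffer to be a JFIF header")
    out = bytearray(data)
    out[start:start + 4] = SOI_APP0
    out[start + 6] = ord("J")
    return bytes(out)


def carve(data: bytes, hit: int) -> bytes:
    """Cut from the header to the first EOI marker after the hit; if there is no EOI the
    rest of the buffer is returned so that nothing is silently dropped."""
    start = hit - FIF_OFFSET
    end = data.find(EOI, hit)
    return data[start:] if end == -1 else data[start:end + 2]


def sha256_hex(data: bytes) -> str:
    """Hash to record in the evidence log for every file carved or repaired."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples (not the case evidence): a minimal JPEG-like buffer with an intact
# JFIF APP0 segment, and the same buffer with 7A written at offsets 0-3 and 6 as in the case.
INTACT_SAMPLE = (
    bytes.fromhex("FFD8FFE0 0010 4A464946 00 0101 00 0001 0001 00 00")
    + b"\x11" * 32
    + EOI
)
ALTERED_SAMPLE = b"\x7A\x7A\x7A\x7A" + INTACT_SAMPLE[4:6] + b"\x7A" + INTACT_SAMPLE[7:]

if __name__ == "__main__":
    for hit in find_fif_hits(ALTERED_SAMPLE):
        verdict = classify_hit(ALTERED_SAMPLE, hit)
        print(f"hit at offset {hit}: {verdict}")
        if verdict == "altered":
            fixed = repair_header(ALTERED_SAMPLE, hit)
            print("repaired header:", fixed[:11].hex(" ").upper())
            print("sha256 of carved file:", sha256_hex(carve(fixed, hit)))
```

Hash the repaired copy as well as the original recover1.jpg: the repaired file is examiner-created, so the log needs both values and the exact bytes changed.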
Reconstructing File Fragments
To rebuild a file from clusters scattered across the image, the correct header and the start and end cluster of each fragment must be identified so that the file can be reassembled successfully:
1. Find all clusters belonging to the image file to be reconstructed.
2. Record the start and end cluster of each fragment to keep track of the fragmented groups of clusters.
3. Arrange the clusters in the correct order to recover the file.
4. Rebuild the header, as was done for the previous image, so that the image can be opened in an image viewer.
Open the C10InChp.eve file again in the project, or open the previously created project in ProDiscover:
1. The tree view lists all files and clusters that can be recovered; searching for the keyword AC4 (2756) lists the clusters related to that search in the window pane.
2. Right-click the cluster and select the list of clusters; all clusters are displayed in the list box. Starting from cluster AE3 (2787), copy all the clusters, paste them into a text file and save it as AE3-crave.txt.
3. Check that AE3-crave.txt lists all the clusters, marked together; the clusters are then arranged in order to give a better reconstruction of the image file. The fragments and their cluster ranges (hexadecimal cluster numbers) are:
a. Fragment range 1: AC4 to B20
b. Fragment range 2: 1d6 to 229
c. Fragment range 3: 3cc to 406
d. Fragment range 4: 14b to 182
e. Fragment range 5: 938 to 96d
f. Fragment range 6: 6 to d
4. Classify the fragments in this order and recover the clusters into one file, taking the fragments in sequence from 1 to 6.
5. Save the file as recover2.jpg and reconstruct its header as was done for recover1.jpg.
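As an added example (not part of the original assignment and not ProDiscover's code), the following Python performs the cluster reassembly of steps 3 and 4 outside the GUI: it parses the fragment list, computes each cluster's byte offset and concatenates the clusters fragment by fragment in the listed order. The cluster size of 512 bytes and a data area starting at image offset 0 are assumptions for the demonstration (a real FAT volume places cluster 2 after the reserved sectors and FATs, so the offset of the data area must be taken from the boot sector); the image is constructed so that every cluster carries its own number, which makes any ordering mistake visible. Header repair is then done as in the Rebuilding File Header section.

```python
import re

CLUSTER_SIZE = 512   # assumed for the demonstration; use the cluster size of the imaged file system
FRAGMENT_RE = re.compile(r"([0-9A-Fa-f]+)\s+to\s+([0-9A-Fa-f]+)")


def parse_fragment_list(text: str) -> list:
    """Read lines such as 'Fragment range 1: AC4 to B20' into inclusive (first, last) cluster
    pairs, keeping the listed order, since that is the order the file is rebuilt in."""
    ranges = []
    for line in text.splitlines():
        m = FRAGMENT_RE.search(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def cluster_count(ranges) -> int:
    return sum(last - first + 1 for first, last in ranges)


def read_cluster(image: bytes, number: int, cluster_size: int = CLUSTER_SIZE,
                 data_area_offset: int = 0) -> bytes:
    """Return one cluster. data_area_offset is the image offset of cluster 0; it is 0 here
    (assumption), whereas a real FAT volume starts its data area after the reserved area."""
    start = data_area_offset + number * cluster_size
    chunk = image[start:start + cluster_size]
    if len(chunk) != cluster_size:
        raise ValueError(f"cluster {number:X} lies outside the image")
    return chunk


def reassemble(image: bytes, ranges, cluster_size: int = CLUSTER_SIZE,
               data_area_offset: int = 0) -> bytes:
    """Concatenate the clusters of every fragment, fragment by fragment, in the listed order."""
    parts = []
    for first, last in ranges:
        if last < first:
            raise ValueError(f"fragment {first:X}-{last:X} ends before it starts")
        for number in range(first, last + 1):
            parts.append(read_cluster(image, number, cluster_size, data_area_offset))
    return b"".join(parts)


# The fragment list from the assignment's AE3-crave.txt, as listed in the steps above.
FRAGMENT_LIST = """\
Fragment range 1: AC4 to B20
Fragment range 2: 1d6 to 229
Fragment range 3: 3cc to 406
Fragment range 4: 14b to 182
Fragment range 5: 938 to 96d
Fragment range 6: 6 to d
"""


def build_test_image(max_cluster: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Constructed image (not the case image): each cluster begins with its own number,
    so a cluster placed out of order is immediately visible in the result."""
    return b"".join(n.to_bytes(4, "big").ljust(cluster_size, b"\x00")
                    for n in range(max_cluster + 1))


def cluster_numbers_in(blob: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Read back the cluster numbers stamped by build_test_image, one per output cluster."""
    return [int.from_bytes(blob[i:i + 4], "big") for i in range(0, len(blob), cluster_size)]


if __name__ == "__main__":
    ranges = parse_fragment_list(FRAGMENT_LIST)
    image = build_test_image(max(last for _, last in ranges))
    rebuilt = reassemble(image, ranges)
    print(f"{cluster_count(ranges)} clusters, {len(rebuilt)} bytes")
    print("first clusters:", [f"{n:X}" for n in cluster_numbers_in(rebuilt)[:3]])
```

The fragment list is the only thing an examiner has to get right; with a stamped test image like this one, a transposed range or an off-by-one at a fragment boundary shows up as a wrong number in the output before any header work is done.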
Findings
1. The emails gave insight into Bob Aspen's malicious activity, and the analysis shows that he did attempt to leak EMTS's intellectual property using email and USB drives.
2. The two images found on the USB drive are the images discussed in the email exchange with baspen@aol.com. The second image was recovered by reassembling its clusters and rebuilding the header with WinHex.