Digital Forensic Investigation of Recovering Corrupted Image Files


Added on  2023-06-12

About This Document

This report discusses the forensic investigation of recovering corrupted image files using ProDiscover and Hex Workshop software. The report covers the analysis conducted, search for and recovering digital photography evidence, rebuilding file header, reconstructing file fragments, and findings. The report also mentions the tools used and references.

Table of Contents
Task 2
Abstract
Introduction
Analysis conducted
Search for and Recovering Digital photography Evidence
Rebuilding File Header
Reconstructing File Fragments
Findings
References
Task 2
Abstract
The case at hand concerns the possible theft of intellectual property by a contract employee
at Exotic Mountain Tour Services (EMTS). The company has just finished an extensive
market analysis and customer service along with Superior Bicycles, LLC. The investigation
was prompted by two captured emails that raise questions about data that may have been
communicated by email to a competitor. A USB drive was also found at the workstation the
contract employee used. The forensic investigation covers the emails and the USB drive
image and tries to recover as much as possible of the data that may have been stolen.
Introduction
ProDiscover is the forensic tool used to analyze the disk images. It is a Windows-based
forensic tool that can acquire and analyze disk partitions. Although it offers a large number
of features, only a few of them are used for forensic purposes.
One of the most important aspects of ProDiscover is that it can image a remote client while
the rest of the work continues as usual. The forensic images it creates remain intact even
though the original disk is continuously being changed or manipulated. ProDiscover is paid
software, but it is available on a trial basis and for non-profit student reporting purposes.
The other tool used for this workshop is Hex Workshop, a hex editor developed by
BreakPoint Company. It is a Windows-based utility used by forensic experts around the
world in forensic reporting. Hex Workshop offers binary editing and interpretation of data,
along with visualization of that data, with the flexibility of a modern word processor. With
the help of WinHex, a forensic expert can cut, copy, edit, paste, insert and delete any binary
data. Data can be worked on in its native structure using WinHex, and data types with
integrated structure and a smart bookmark option are also available. Other useful operations
include finding or replacing data, jumping to a sector location, performing arithmetic and
logical operations on the data, generating checksums and digests of the data, and viewing
character distributions. All of this can be exported to HTML or RTF for detailed publishing
of the reports.
Analysis conducted
At the moment very little is known about the information on the suspect intern's USB drive.
We need to ask ourselves some basic questions and make some important assumptions in
order to proceed with the search for information. Two emails were forwarded to
terrysadler@groowy.com and baspen@aol.com, which match the contract employee's
credentials and name. Next we need to check the date and timestamp of the messages that
were sent: 4 Feb 2007 9:21 PM, and the 2007, 5:17 AM -08:00.
The Jim Shu email was sent to the terrysadler@groowy.com account and had been forwarded
to the baspen@aol.com account. The timestamp of the Jim Shu mail is later than the
timestamp used for terrysadler@groowy.com, which means that Jim Shu must be in the
western region, in a different time zone; the two email servers' time values are off because
timestamps are provided by the server, not by the users.
The next email asks Bob to alter all the data sent in image format so that the extensions are
changed from .jpg to .txt; these files are about kayaks. The last line of the last message, a
response to terrysadler@groowy.com, says that Bob cannot receive this message.
Search for and Recovering Digital photography Evidence
In this part we are going to recover the corrupted image file that might be on the image file
provided by EMTS. The examination looks for the string “FIF”; the reason for using “FIF”
is that searching for JFIF and JPEG might lead to several other, earlier image files that
might be present on the USB drive. These hits, also known as false hits, need to be
examined, and as forensic investigators we need to verify each one against the file we are
actually looking for.
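The “FIF” keyword search and the verification of each hit can be sketched in Python; this is an added example, not part of the original report and not ProDiscover's own logic. It assumes a raw byte buffer (the sample sectors are constructed), and the function name, the 512-byte sector size and the sector-alignment heuristic for a damaged header are assumptions.

```python
# Added example: triage "FIF" keyword hits in a raw image buffer.
# A JFIF file starts: FF D8 FF E0 <2-byte length> 'J' 'F' 'I' 'F' 00,
# so in a genuine header the string "FIF" sits at file offset 7.
SOI_APP0 = bytes.fromhex("ffd8ffe0")  # start-of-image + APP0 markers

def classify_fif_hits(data: bytes, sector_size: int = 512):
    """Return (offset, sector, verdict) for every 'FIF' occurrence in data."""
    hits = []
    pos = data.find(b"FIF")
    while pos != -1:
        start = pos - 7  # where the file would begin if this is a header
        head = data[start:start + 11] if start >= 0 else b""
        if len(head) == 11 and head[:4] == SOI_APP0 and head[6:] == b"JFIF\x00":
            verdict = "intact header"
        elif len(head) == 11 and start % sector_size == 0 and head[10] == 0:
            # Heuristic (assumption): "FIF\0" at offset 7 of a sector-aligned
            # block whose leading bytes do not match suggests a damaged header.
            verdict = "possible altered header"
        else:
            verdict = "false hit"
        hits.append((pos, pos // sector_size, verdict))
        pos = data.find(b"FIF", pos + 1)
    return hits

def _sector(payload: bytes, size: int = 512) -> bytes:
    """Pad a payload with zero bytes to one full sector."""
    return payload.ljust(size, b"\x00")

# Constructed sample: three sectors, not taken from the case image.
SAMPLE = (
    _sector(bytes.fromhex("ffd8ffe00010") + b"JFIF\x00")    # valid JFIF start
    + _sector(b"\x00" * 100 + b"notes about a FIFO queue")  # text, mid-sector
    + _sector(b"\x00" * 6 + b"xFIF\x00")                    # overwritten magic bytes
)

if __name__ == "__main__":
    for offset, sector, verdict in classify_fif_hits(SAMPLE):
        print(f"offset {offset:#06x}  sector {sector}  {verdict}")
```

Hits reported as possible altered headers are the ones worth opening in the hex editor; every hit still has to be confirmed by the examiner.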
To examine the image C10InChp.eve, the following steps are used to view it in the
ProDiscover software:
1. Run ProDiscover Basic as Administrator on the Windows-based PC and create a new
project named C10InChp, and numbered (1).