This report summarizes a scenario at Exotic Mountain Tour Services and Superior Bicycles LLC that led to a data breach. The report is a step-wise analysis of the evidence given, as run in the ProDiscover digital examination tool, and a conclusion of the findings.
Running head: DIGITAL FORENSICS

Digital forensics

Name of the Student:
Name of the Institution:
Executive Summary

Technology is growing fast and vast, and so are the methods used to compromise it. Data integrity is of great importance to any organization that aims to achieve a competitive edge over other firms. Given this fact, digital forensic tools have been devised to help analyze any malicious activities (JenningsSmith Associates, n.d.). This report summarizes a scenario at Exotic Mountain Tour Services and Superior Bicycles LLC that led to a data breach. Given the intensity with which the 'attackers' tried to hide evidence and damage any available fingerprints, an extensive search and examination became necessary for the analysis to succeed.
Table of contents

Executive Summary
List of Figures
Introduction
Scope, Case analysis and Findings
Storage Media forensics
Email Service Forensics and Findings
Conclusion
Tools Used
References
Appendix
List of Figures

Figure 1: logical image capture
Figure 2: deleted files
Figure 3: suspicious files dinged
Figure 4: suspicious files
Figure 5: opening them with winhex tool
Figure 6: secret files exposed
Figure 7: html messages
Figure 8: first intercepted email
Figure 9: second intercepted mail
Digital Forensics

Introduction

The Exotic Mountain Tour Service and Superior Bicycles (LLC) entered into a deal in which the latter was to roll out an advert for its new product, in conjunction with the former. The deal, it appears, was supervised by a contract travel agent, Bob Aspen, and part of the deal was not to reveal any critical information or data to outside competitors. Bob, however, appears to have breached the contract and engaged in a series of malicious activities that have left the management at EMTS suspicious. Key to these activities is a USB drive believed to have been used to transfer some critical information that could be part of the deal between the two firms. The web-based email filter on the EMTS systems has revealed a series of blocked conversations that Bob could have initiated. Now that the USB drive has been found at the desk assigned to the agent, the management has undertaken a digital forensic analysis to establish whether Bob in fact entered into malicious engagements with their competitors. This report is a step-wise analysis of the evidence given, as run in the ProDiscover digital examination tool, and a conclusion of the findings.

Scope, Case analysis and Findings

In forensic examination involving graphic files, locating and recovering such files from the suspect's drive and determining which are key to the examination is an important undertaking, while ensuring that data is not compromised in the process of locating, recovery, analysis and presentation (Enos & H, n.d.). This means that the collected evidence has to be specially handled and stored for both analysis and presentation purposes. Additionally, it is wise to examine all materials found with the suspect, or on their premises, to ascertain whether a crime or data breach occurred (forensicsciencesimplified.org, 2013). This analysis involves examination of a USB drive, to check whether it contains any sensitive data, hidden or not, and analysis of two screenshots obtained from the web-based email filter system. Exchangeable image file format files can be examined based on information in the pictures/graphics, since each picture, represented in pixels, contains a header section which gives instructions and information regarding image display and the file format (Philip, 2011). Although it is hard to memorize the details contained in the header, it is wise to compare the images with the suspected ones. Once this is established, examination can take place, but one has to ensure that any fragmented files on the disk are reconstructed so as to help identify any useful patterns used in the graphics files. Any damaged headers should be repaired as well. The analysis of the presented media and media device was conducted on the ProDiscover Basic platform, and conclusions were made based on what was unmasked or observed.

Storage Media forensics

Exponential growth in the field and manufacture of flash drives has been experienced thanks to ever-evolving technology. Data stored in external and internal drives can be a reflection of human behavior and, depending on the circumstances, may be subjected to forensic analysis (Krishnum, n.d.). A USB device believed to have been used by Bob Aspen is under investigation in this case, and this analysis focuses on searching for any available data that could lead to meaningful evidence, from both allocated and unallocated disk space, and on determining whether any related data was actually deleted.
Following is a step-by-step analysis of the drive. On opening the flash drive on my personal computer, it was found to be empty, with no files in it. This prompted a logical capture of the drive's image using ProDiscover, an undertaking that revealed that the disk did in fact hold some data, since 27.0 MB of space was marked as used/allocated while a total of 7.49 GB was unallocated.

Figure 1: logical image capture

Upon capturing the image in ProDiscover, the log file was checked for any errors, a process that unmasked many deleted files. Consequently, these deleted files were dinged in order to unmask any suspected files. A total of seven files were classified as suspicious.
Since the suspicious files were corrupted and could not be opened, the WinHex tool was used to try to read their content, leading to the realization that the file extensions had indeed been changed, thus rendering them unreadable.

Figure 5: opening them with winhex tool
Figure 6: secret files exposed

Among those files was a file with an .html extension. This prompted further analysis, which brought to my knowledge the existence of some message conversations.

Figure 7: html messages
Another piece of evidence unmasked was a picture hidden in a text file. On opening it, the picture was found under passport number "123456", which was obtained from the html file. On accessing the content of the text file named SECRET, it was revealed that some malicious engagements did indeed take place between Bob and some outside parties.

Email Service Forensics and Findings

The following images (chain of custody) were obtained from the web filter system, a system that 'listens' to email communications taking place within the organization's intranet and blocks any it finds to be malicious or to carry questionable attachments.
Figure 8: first intercepted email (first intercepted capture of the email conversations)
Figure 9: second intercepted mail (second interception of the email conversations)

Since, as at now, there is little information as to what to search for on the presented USB drive, some assumptions have to be made based on what can currently work. An analysis of the first picture of the intercepted email conversation reveals the following.
1. The email was sent from an individual whose address is terrysadler@goowy.com, and the intended recipient was Bob Aspen, the firm's contract travel agent, as indicated by the recipient's email address baspen99@aol.com.
2. Looking at the date on which the conversation took place, it was established that the exchange took place on February 4, 2007 at 9:21 PM.
3. Casting an eye on the second screenshot gave the following facts:
4. The sender was identified as Jim Shu, and the conversation took place on February 5, 2007 at 5:17 AM -0800 GMT.

The finding from these two conversations is that Jim in fact sent the first one, which was later forwarded to terrysadler@goowy.com, an argument that is validated by the timestamps of each mail: Jim Shu's timestamp is later than that of Terry, although the two could be in different time zones, with Jim somehow east of Terry Sadler. If this is not the case, then we shall have to infer that the email server timestamp is or was rather off, given that the timestamp of any activity in the network system is provided by the server itself. In the first message, Jim tells Terry to have Bob change some unknown file extensions from .txt to .jpg. These files, it is revealed, are about some new kayaks. Terry replies, in the last line, that Bob can't receive the message. The greater assumption made at this point is that the person being referred to is actually the contract travel agent, Bob Aspen, and the following facts remain irrefutable:

1) Jim Shu's email in fact refers to JPEG files.
2) The files attached by Jim are actually .txt files, only with their extensions changed, possibly to cover up a fraud.
3) These attachments could be photographs of the new kayaks that Jim refers to in his email.
4) The email accounts engaged in this conversation are terrysadler@goowy.com, shu1@yahoo.com and baspen99@aol.com.

The second email leads us to the following conclusions:

1) Jim has indeed visited the kayak factory, thus directly implicating him, and the trio in general.
2) There is another party who has shown interest in the factory.
3) The JPEG photos, modified using a hexadecimal editor, have indeed been smuggled out by Jim.
4) Jim instructs his counterparts to re-edit the photos and add the .jpeg extension to make them viewable.
5) Jim evidently thinks that Bob works at EMTS, and a copy of this email was sent (cc) to nautjeriko@lycos.com.

It could be that Bob downloaded the files in question to his USB drive and deleted them, and as such an extensive search in all sections became necessary. Here, understanding the core difference between the JFIF JPEG and EXIF JPEG file formats was crucial, so as to understand how to do the search. While the JFIF format has 0xFFD8 FFE0 as its first four bytes, the EXIF format begins with 0xFFD8 FFE1. In the second e-mail, Jim Shu mentions 0xFF D8 FF E0, which is the JFIF JPEG format, and requests that its sixth byte be changed to 0x4A, an upper-case J (Melanie, 2017).
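An added check, not part of the original report, for the timestamp argument above: it normalises both captures to UTC and, because the report states no zone for the first capture, tries every whole-hour offset it could carry to see whether Jim Shu's message can precede Terry Sadler's; the "-0800" on the second capture is taken as its UTC offset.

```python
# Added example (not from the report): compare the two intercepted e-mail
# timestamps across every zone the unstated first capture could be in.
from datetime import datetime, timedelta, timezone

# Timestamps as given in the report (first capture: no zone; second: -0800)
TERRY_LOCAL = datetime(2007, 2, 4, 21, 21)
JIM_SENT = datetime(2007, 2, 5, 5, 17, tzinfo=timezone(timedelta(hours=-8)))

def terry_utc(offset_hours: int) -> datetime:
    """Terry's wall-clock time interpreted in a zone of the given UTC offset."""
    zone = timezone(timedelta(hours=offset_hours))
    return TERRY_LOCAL.replace(tzinfo=zone).astimezone(timezone.utc)

def gap_hours(offset_hours: int) -> float:
    """Hours from Terry's message to Jim's; negative means Jim's came first."""
    return (JIM_SENT - terry_utc(offset_hours)).total_seconds() / 3600

def offsets_where_jim_is_first() -> list:
    """Whole-hour offsets from UTC-12 to UTC+14 (the range real zones use)
    under which Jim's message would have been sent before Terry's."""
    return [h for h in range(-12, 15) if gap_hours(h) < 0]

def report() -> str:
    """Either some zone reverses the order, or only a skewed server clock
    (the report's fallback explanation) could do so."""
    if offsets_where_jim_is_first():
        return "order depends on Terry's zone"
    return "Terry's message precedes Jim's in every zone; only a skewed server clock could reverse it"

if __name__ == "__main__":
    for h in (-8, 0, 14):
        print(f"Terry at UTC{h:+d}: gap to Jim's message = {gap_hours(h):.2f} h")
    print(report())
```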
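An added example, not from the original report or from ProDiscover, of the header checks the paragraph above describes: it scans a constructed raw image for JPEG start-of-image markers, classifies each hit as JFIF or Exif, flags a JFIF header whose sixth byte (the 'J' of "JFIF", 0x4A) was altered, repairs that byte in a copy and carves the file out, which is what the "FIF" cluster search and Copy File steps of the procedure that follows do by hand. All offsets, names and contents are constructed for the example.

```python
# Added example (not from the report): signature checks for JFIF / Exif JPEG
# headers in a constructed raw image; every value below is made up.
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"     # JPEG start / end of image
APP0, APP1 = b"\xff\xe0", b"\xff\xe1"   # JFIF and Exif application segments

def classify(buf: bytes, off: int):
    """(kind, header_intact) for a JPEG header at `off`, or None.
    Layout: FF D8 | FF E0 or FF E1 | 2-byte length | "JFIF\\0" or "Exif\\0\\0"."""
    hdr = buf[off:off + 10]
    if len(hdr) < 10 or hdr[:2] != SOI:
        return None
    if hdr[2:4] == APP0:                 # JFIF: byte 6 must be 'J' (0x4A)
        return "JFIF", hdr[6] == 0x4A
    if hdr[2:4] == APP1:                 # Exif: identifier at bytes 6..9
        return "Exif", hdr[6:10] == b"Exif"
    return None                          # FF D8 not followed by APP0/APP1

def find_jpeg_headers(buf: bytes):
    """Every (offset, kind, intact) where a JPEG header starts; this is the
    cluster search that the ProDiscover procedure performs interactively."""
    hits, pos = [], buf.find(SOI)
    while pos != -1:
        info = classify(buf, pos)
        if info:
            hits.append((pos,) + info)
        pos = buf.find(SOI, pos + 1)
    return hits

def repair_jfif(buf: bytes, off: int) -> bytes:
    """Copy of buf with the JFIF sixth byte at `off` restored to 0x4A (the edit
    the second e-mail describes); the evidence bytes themselves are untouched."""
    fixed = bytearray(buf)
    if fixed[off:off + 4] == SOI + APP0:
        fixed[off + 6] = 0x4A
    return bytes(fixed)

def carve(buf: bytes, off: int) -> bytes:
    """One JPEG from the SOI at `off` through its EOI marker (the manual
    Copy File / Recover1.jpg step); b"" if no EOI follows."""
    end = buf.find(EOI, off)
    return buf[off:end + 2] if end != -1 else b""

def build_sample_image() -> bytes:
    """Constructed image: filler, an intact Exif header, filler, then a JFIF
    header whose 'J' was zeroed, like the altered attachments in the report."""
    jfif = SOI + APP0 + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00" \
        + b"\x00\x01\x00\x01\x00\x00" + EOI
    exif = SOI + APP1 + struct.pack(">H", 8) + b"Exif\x00\x00" + EOI
    damaged = bytearray(jfif)
    damaged[6] = 0x00                    # the 'J' has been overwritten
    return bytes(512) + exif + bytes(512) + bytes(damaged) + bytes(512)
```

Run on the constructed image, the scan reports the Exif header at offset 512 as intact and the JFIF header at offset 1038 as altered; repairing byte 6 of the latter restores a header that classifies as intact.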
These files could have been downloaded to the USB drive, altered and then deleted by Bob, and a thorough search, in both the allocated and unallocated sections of the drive, was therefore done using the aforementioned forensics tool.

Procedure for search:

1. Start ProDiscover Basic as an admin and click the New Project toolbar button. In the New Project dialog box, type C10InChp for the project number and filename, and then click OK.
2. Click Action from the menu, point to Add, and click Image file.
3. In the Open dialog box, navigate to your work folder, click C10InChp.eve, and then click Open. If necessary, click Yes in the Auto Image Checksum message box.
4. To start the search process, click the Search toolbar button, or click Action from the menu, to open the search dialog box.
5. Click the Cluster Search tab, and then click the Case Sensitive check box. Under Search for the pattern(s), type FIF. Under Select the Disk(s)/Image(s) you want to search in, click the C10InChp.eve file, and then click OK.
6. Once the search is complete, click the first search hit, 4CA (1226), to display the cluster's content.
7. When the search is done, click the first search hit, 4CA (1226), to display the cluster's content.
8. Double-click the highlighted row 4CA (1226) to display the cluster view.
9. Next, you need to locate the file. Right-click cluster block 4CA (1226) and click Find File, and then click Yes in the warning message. From the List of Clusters dialog box, click Show Fi, and then click Close.
10. In the work area, right-click the gametour2.exe file and click Copy File. In the Save As dialog box, delete the original filename, type Recover1.jpg, and then click Save to save this file in your work folder.
11. Click File, Exit from the menu, and then click Yes to save this project in your work folder.

Conclusion

From the email conversations and the results of rebuilding the damaged file headers, and given that some of the recovered fields were hard to read, it became evident that Bob did in fact engage in data breach activities. This information was specifically shared with stakeholders in a newly established firm that was dealing with the same product, kayaks.

Tools Used

The analysis of the evidence presented was done with the ProDiscover digital forensic software running on a Windows PC.
References

Enos, K. M., & H, S. V. (n.d.). User-generated Digital Forensic Evidence in Graphic Design Applications. Retrieved May 22, 2018, from https://users.cs.fiu.edu/~fortega/df/research/images/paper5.pdf

forensicsciencesimplified.org. (2013). A Simplified Guide To Digital Evidence. Retrieved May 22, 2018, from http://www.forensicsciencesimplified.org/digital/how.html

JenningsSmith Associates. (n.d.). Computer Hacking Investigations, Evidence Collection, and Data Recovery Services. Retrieved May 22, 2018, from https://www.jsainvestigations.com/private-investigation-services/cyber-forensic-investigations-evidence-collection-data-recovery/

Krishnum, S. (n.d.). A forensics overview and analysis of USB flash memory devices. Proceedings of the 7th Australian Digital Forensics Conference. Edith Cowan University. Retrieved May 22, 2018, from https://pdfs.semanticscholar.org/4ebd/c730818d801841bbdb3879bebdb67fcb8f54.pdf

Melanie, N. (2017, October 17). Recovering Graphics Files. Retrieved May 22, 2018, from SLIDEX.TIPS: https://slidex.tips/download/recovering-graphics-files

Philip, C. (2011). Digital Forensics Tool Testing – Image Metadata in the Cloud. Retrieved May 22, 2018, from https://brage.bibsys.no/xmlui/bitstream/handle/11250/143978/Philip%20Clark.pdf?sequence=1
Appendix

USB: Universal Serial Bus
ProDiscover: a commercial digital forensic tool developed by Technology Pathways, which can convert raw disk images into readable and bootable VMware machines.