Digital Forensics Tools and Techniques
Added on 2020/03/16
Executive summary
Company A is a construction company. Its CEO suspects that some files have been stolen and has also noticed that an employee formats his USB drive frequently. Before the stolen information reaches the approver, Company A has to inform the approver about the stolen files and their details, and has to track down the company that submits the same files. Company A contacts a forensic investigator and asks them to establish the theft and the details of the files. The investigator examines the suspected employee and seizes his USB drive, which has been formatted. The investigator recovers the data from the formatted USB drive and also captures the suspected employee's network traffic. Using the Wireshark traffic analyzer, it is found that the suspected employee has spoofed the company's mail address with mail-spoofing software. The data recovered from the USB drive is encrypted, so the investigator uses a rainbow cracker to recover the password of the encrypted file and then provides the file details to Company A. Company A passes the information to the approver so that the work can be decertified if it is submitted by another company, and supplies the investigation details to the approver as proof.
Table of Contents
1. Introduction
2. Analysis
3. Findings
4. Conclusion
5. Appendix
Reference
Glossary
forensic : the science of crime investigation
USB : Universal Serial Bus, an industry standard for communication between digital devices
Wireshark : formerly called Ethereal; a network packet capture and analysis tool
Spoofing : impersonating an identity to gain access to someone else's data
rainbow cracker : a hash-cracking tool that uses precomputed (rainbow) tables
encrypted file : a file transformed so that it cannot be read without decrypting it
Scam : an illegal way of cheating people
Caller ID : identification details of the party initiating a call
IP Address : the numerical address of a device connected to a network
Gmail : an email service provider
1. Introduction
Company A suspects that some files have been stolen. It has to provide the details of the stolen files, together with the investigation report, to stop others from using the files. Company A contacts a forensic officer. The forensic officer finds that the attacker gained access to the CEO's computer using Ophcrack, copied files to a USB drive and sent them from his own computer, using a spoofed address, to some other company. The investigator recovers the suspected employee's formatted USB drive and opens the encrypted files using Ophcrack. The investigation is carried out based on the complaint made by the CEO, and its results are provided to Company A so that it can submit them to the approver.
2. Analysis
Tools used by the attacker
Ophcrack
Email spoofing software
Tools used by the investigator
USB data retrieval (from the formatted USB drive)
Rainbow cracker software (to find the password of the encrypted file)
Hacking a password-protected computer with Ophcrack
Ophcrack is used to crack passwords that are very simple and short. Even though Ophcrack is an old tool, it can still be used, with some limitations. The tool is downloaded from its website and the ISO image is burned to a USB stick or a CD (Ophcrack, 2012).
The locked computer is booted from that medium and "Ophcrack Graphic Mode – Automatic" is selected.
Recovering the computer's password takes some time; once it has been recovered, the password is displayed in the Ophcrack user interface (Blackstone & Lewis, 2007).
Hacking a password-protected computer with a Windows password recovery tool
A computer on which we have administrator rights is used to download the recovery program. The tool is installed, an empty USB stick or a blank CD is inserted, and a password reset disk is created (Easttom, 2013).
The USB stick or CD is burned to make a bootable password reset disk. After burning, the bootable USB stick or CD is inserted into the locked computer.
The locked computer is restarted and booted from the password reset disk. The Windows password recovery program then launches on its own. The Windows version and the user name we need are selected. Finally, the computer is rebooted and can be accessed without the password (Galbally, Satta, Gemo & Beslay, 2014).
Spoofing
In cybersecurity, spoofing is a disguise, much like the camouflage used by insects and animals. Criminal hackers use spoofing to disguise their fraudulent operations and make them appear honest and legitimate.
For example, an email you receive may look as though it comes from a person you know, but the hacker has spoofed the email address so that it only appears to come from that person (Kraft & Weyert, 2013).
One method, used in scams, is caller ID spoofing, in which the hacker disguises their real phone number as a different, fake phone number.
Another method is spoofing a system's Internet Protocol (IP) address, which lets the attacker access a server that authenticates clients based on their IP address (Stallings, 2017).
Spoofing email and its prevention
The first step in email spoofing is to disguise the "From" field so that it shows a fake sender address. This encourages the receiver to believe the email is genuine in spite of its unwanted contents.
The main cause behind email spoofing is that email is a vast business, and deceptive messages are sent at a higher rate than legitimate ones. In the past few years a new high-level scam, known as Business Email Compromise (BEC) or whaling, has targeted the people who control company budgets and money. The hacker poses as a work colleague or manager who expects a payment to a particular account, and the victim complies with such payment requests because the sender address looks right (Buchanan, 2017).
SMTP is the protocol used for sending and receiving email, and it is what makes email spoofing possible. Its main weakness is that it does not check whether the "From" field is genuine (Engdahl, 2011). A computer can also be set up as its own SMTP server and send spoofed emails, although Internet Service Providers block the port used for sending email for this reason. To spoof an email, the hacker therefore has to use one of the SMTP services that are available free online (Daskalaki, 2011).
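The weakness described above, that SMTP never checks the "From" header against the envelope sender, is exactly what an investigator looks for in a capture like the Wireshark traffic analysis mentioned later in this report. The following script is an added example, not part of the original assignment: it reads an SMTP session in the form Wireshark's "Follow TCP Stream" view shows it, and flags two indicators of spoofing: the envelope sender (MAIL FROM) domain differing from the header From domain, and a message claiming the company's own domain being handed to a relay that is not the company's mail server. Both session transcripts, the host names, and the domains company-a.test and free-relay.test are constructed for this example.

```python
import re

# Constructed transcript of an SMTP session as a "Follow TCP Stream" view shows it.
# Server replies start with a three-digit code; everything else was sent by the client.
SESSION = """\
220 mail.free-relay.test ESMTP ready
EHLO desktop-17
250 mail.free-relay.test
MAIL FROM:<user4821@free-relay.test>
250 OK
RCPT TO:<tenders@third-company.test>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Company A CEO" <ceo@company-a.test>
To: tenders@third-company.test
Subject: Project drawings

Attached are the files.
.
250 OK queued
QUIT
221 Bye
"""

# A constructed legitimate session for comparison: the envelope sender matches the
# header From, and the message goes through the company's own relay.
CLEAN_SESSION = """\
220 mail.company-a.test ESMTP
EHLO desktop-17
250 mail.company-a.test
MAIL FROM:<ceo@company-a.test>
250 OK
RCPT TO:<tenders@third-company.test>
250 OK
DATA
354 Go ahead
From: "Company A CEO" <ceo@company-a.test>
To: tenders@third-company.test
Subject: Project drawings

Attached are the files.
.
250 OK queued
QUIT
221 Bye
"""

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_session(text):
    """Extract the server banner host, envelope sender/recipients and the header From."""
    info = {"server": None, "envelope_from": None, "rcpts": [], "header_from": None}
    in_data = in_headers = False
    for line in text.splitlines():
        if in_data:
            if line == ".":                         # lone dot ends the message
                in_data = False
            elif in_headers and line == "":         # blank line ends the header block
                in_headers = False
            elif in_headers and line.lower().startswith("from:"):
                m = ADDR_RE.search(line)
                info["header_from"] = m.group(1) if m else line[5:].strip()
            continue
        upper = line.upper()
        if upper.startswith("220 ") and info["server"] is None:
            info["server"] = line.split()[1]        # host name from the greeting banner
        elif upper.startswith("MAIL FROM:"):
            info["envelope_from"] = ADDR_RE.search(line).group(1)
        elif upper.startswith("RCPT TO:"):
            info["rcpts"].append(ADDR_RE.search(line).group(1))
        elif upper.startswith("354 "):              # server accepted DATA; message follows
            in_data = in_headers = True
    return info


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def spoof_indicators(text, own_domain, own_relay):
    """Return human-readable reasons this session looks spoofed (empty list = none found)."""
    s = parse_session(text)
    reasons = []
    if s["envelope_from"] and s["header_from"] and \
            domain_of(s["envelope_from"]) != domain_of(s["header_from"]):
        reasons.append("envelope sender %s does not match header From %s"
                       % (s["envelope_from"], s["header_from"]))
    if s["header_from"] and domain_of(s["header_from"]) == own_domain \
            and s["server"] != own_relay:
        reasons.append("message claims to be from %s but was handed to %s, not our relay %s"
                       % (own_domain, s["server"], own_relay))
    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SESSION, "company-a.test", "mail.company-a.test"):
        print("ALERT:", reason)
```

In a real capture the same check is applied to every SMTP stream; a workstation that talks directly to an outside relay while putting the company's domain in the From header is the pattern that the findings below attribute to the suspected employee.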
When the receiver replies to such a message, the reply goes to the real owner of the address, not to the hacker who sent it. This does not trouble the hacker as long as the victim clicks the link or takes the action requested in the initial email (Stinson, 2016).
How to spot a spoofed email as a user
The first step is to check the sender's name and address. This does not help every time, but it does weed out criminal hackers who use look-alike email addresses, for example help@faceb00k.com or even stranger variations.
Gmail gives us an easy way to check whether a mail from someone else is genuine. To check, first select the drop-down box under the sender's name.
If the "mailed-by" and "signed-by" fields are present, the mail is genuine and not fake (Covaleski, 2013).
We are then taken to a different page with a lot of text in a monospaced font. If we cannot find what we need, we can use the search function and look for the following entries:
For SPF:
For DKIM:
If both of these are a "pass", then the email is legitimate.
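The two checks just described, a look-alike sender domain such as help@faceb00k.com and the SPF/DKIM "pass" results shown in the raw message, can both be automated over the mail's headers. The script below is an added example and not part of the original assignment. It parses the Authentication-Results header that a receiving server adds, applies the rule that both SPF and DKIM must be "pass", and separately normalises a sender domain against a list of known domains to catch digit-for-letter look-alikes. The two messages, the domains (company-a.test, example.net), the selector name and the IP addresses are constructed for the example.

```python
import email
import re

# Two constructed messages (not real mail). The first carries the header a receiving
# server adds when SPF and DKIM both pass; the second is what a spoofed From usually
# produces. Domains, selector and addresses are invented.
GENUINE_MSG = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@company-a.test header.s=sel1;
       spf=pass (example.net: domain of ceo@company-a.test designates 192.0.2.10 as permitted sender) smtp.mailfrom=ceo@company-a.test
From: "CEO" <ceo@company-a.test>
To: bob@example.net
Subject: Invoice

Hello Bob.
"""

SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
       dkim=none;
       spf=fail (example.net: domain of ceo@company-a.test does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=ceo@company-a.test
From: "CEO" <ceo@company-a.test>
To: bob@example.net
Subject: Urgent payment

Please wire the money today.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(raw):
    """Return e.g. {'dkim': 'pass', 'spf': 'pass'} from the Authentication-Results header(s)."""
    msg = email.message_from_string(raw)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results


def looks_genuine(raw):
    """The rule from the text: treat the mail as genuine only if SPF and DKIM are both 'pass'."""
    r = auth_results(raw)
    return r.get("spf") == "pass" and r.get("dkim") == "pass"


# Characters commonly substituted for visually similar letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def lookalike_of(sender_domain, known_domains):
    """Return the known domain a sender domain imitates, or None if it is not a look-alike.
    Heuristic only: it undoes digit-for-letter swaps and the 'rn' for 'm' trick."""
    d = sender_domain.lower()
    if d in known_domains:
        return None                               # an exact match is not a look-alike
    normalized = d.translate(CONFUSABLES)
    for known in known_domains:
        if normalized == known or normalized.replace("rn", "m") == known:
            return known
    return None


if __name__ == "__main__":
    print("genuine:", looks_genuine(GENUINE_MSG), auth_results(GENUINE_MSG))
    print("spoofed:", looks_genuine(SPOOFED_MSG), auth_results(SPOOFED_MSG))
    print("faceb00k.com imitates:", lookalike_of("faceb00k.com", ["facebook.com"]))
```

Note that the Authentication-Results header is only trustworthy when it was written by your own receiving server; an attacker can insert one of their own further down, so mail servers are normally configured to strip any copy that arrives from outside before adding their own.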
Sending a reply and asking for confirmation
By replying to a suspected spoofed email we can tell whether it came from a criminal hacker, because a reply to a spoofed mail goes to the real owner of the address, not to the spoofer (Marshall, 2009).
Recovering data from a formatted or corrupted USB/flash drive
First, the Windows command prompt (CMD) is used to repair the flash drive.
Select "Run" from the Start menu and type "cmd" in the input box; a command prompt opens.
Type the command "CHKDSK [driveletter] /r" at the command prompt. For instance, if the flash drive's letter is "E", type "CHKDSK E: /r".
The "CHKDSK" command checks the specified disk for structural corruption. The "/r" parameter makes the command repair the issues it finds.
When the above steps are completed it asks whether to save lost chains into files; select "Yes". Chkdsk then reports what it has done; go to My Computer and check the drive.
Sometimes, however, "CHKDSK" cannot repair the logical errors on a corrupted flash drive. In that case a third-party data recovery tool is used to get the lost data back.
Recovering data from a formatted or corrupted USB flash drive or pen drive with M3 Data Recovery Free
The first step is to connect the flash drive to the computer and install M3 Data Recovery Free. Run the program and select the "Data Recovery" module (Gogolin, 2013).
Select the flash drive and choose "Next" to search for the lost data.
M3 Data Recovery analyzes every sector of the selected volume and finds the lost files.
Once the scan is over, the files that were found are previewed. Then select the files we need to recover and save them.
For better flash drive recovery, we should not defragment the flash drive before the lost data has been recovered, and recovered files have to be saved to a drive other than the original one (Li, 2010).
3. Findings
It has been found that the attacker cracked the CEO's password using Ophcrack.
The attacker copied the files to a USB drive.
The attacker sent a spoofed email from his system to some other company and then formatted his drive. These details were found using the Wireshark traffic analyzer, which showed that the attacker used spoof-mailing software.
The investigator retrieved the hard disk and gained access to the encrypted data using the rainbow cracker.
The details of the files were established and the suspected thief was confirmed to be the real thief.
The investigation results were submitted to the approver.
The CEO's Gmail, which made him suspect that somebody had spoofed his email address
The forensic investigator tries to recover the files
The investigator examining the traffic analysis
Evidence-1
The image from the surveillance camera that captured Peter's cabin and the screen of the email spoofer on his system
Evidence-2
The investigator recovering the files and decrypting the encrypted files
4. Conclusion
Company A's problems were solved using rainbow cracking and hard disk retrieval techniques. The password of Company A's admin system was stolen using the Ophcrack software. The files were stolen in encrypted form and sent through a spoofed email. The contents of the stolen files were recovered using cryptographic techniques. Peter is concluded to be the thief. The camera image of Peter's screen showing the use of email-spoofing software is treated as evidence. The retrieved file is submitted to the approver by Company A.
5. Appendix
Formatting
Formatting arranges the storage blocks of a drive in a proper order. There are many formats used in this process, and the result of formatting is a file system. Different types of file systems are:
NTFS
FAT32
NTFS5
and many more
Ophcrack
It is a password-cracking program. It uses precomputed password hash tables (rainbow tables).
Some of the other password cracking tools are given below
Offline NT Password & Registry Editor
Kon-Boot
Cain & Abel
John the Ripper
Wireshark
Wireshark is a world-famous network packet analyzer.
Reference
Blackstone, W., & Lewis, W. (2007). Commentaries on the laws of England. Clark, NJ: Lawbook Exchange.
Buchanan, W. (2017). Cryptography. Aalborg: River Publishers.
Covaleski, J. (2013). Hacking. San Diego, CA: ReferencePoint Press.
Daskalaki, A. (2011). Digital forensics for the health sciences. Hershey, PA: Medical Information Science Reference.
Easttom, C. (2013). System forensics, investigation and response. Sudbury: Jones & Bartlett Learning.
Engdahl, S. (2011). Forensic technology. Detroit: Greenhaven Press.
Galbally, J., Satta, R., Gemo, M., & Beslay, L. (2014). Biometric spoofing. Luxembourg: Publications Office.
Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press.
Kraft, P., & Weyert, A. (2013). Network hacking. Haar: Franzis Verlag.
Li, C. (2010). Handbook of research on computational forensics, digital crime, and investigation. Hershey, PA: Information Science Reference.
Marshall, A. (2009). Digital forensics. Chichester: John Wiley & Sons.
Ophcrack. (2012). [Place of publication not identified].
Stallings, W. (2017). Cryptography and network security. Boston: Pearson.
Stinson, D. (2016). Cryptography. [Place of publication not identified]: CRC Press.