Digital Forensics: Investigating Hard Disk Image of TechBank TSB
Added on 2023/06/15
Summary
This report discusses the forensic investigation of the hard disk image of TechBank TSB using various tools and techniques. It covers the analysis of evidence, evidential management, and the functionalities of primary and secondary tools used in the investigation.
Running head: DIGITAL FORENSICS

Digital Forensics
Assignment Number
Name of the Student
Name of the University
Author's note
Lone Star Ltd is a digital forensic consultancy firm and is the case study for this discourse. The firm gathers information from digital devices for investigation purposes. TechBank TSB is one of Lone Star Ltd's clients. A computer forensic analyst of Lone Star Ltd has been charged with investigating the hard disk image of a Windows computer (Sunde et al. 2017). TechBank TSB has requested that relevant evidence be collected from the hard disk image and a report prepared on the findings. Lone Star Ltd has appointed me to conduct the investigation of the hard disk image and to collect all relevant evidence it contains. The investigation establishes whether any illegal activity was carried out within TechBank TSB. Lone Star Ltd engages the legal authorities to identify the attackers who carried out the malicious activity, and the legal authorities rely on digital forensics to conduct an effective investigation. I am one of the representatives of the legal authority team. I use AccessData Registry Viewer and Forensic Toolkit (FTK) version 6.0.3.5 to carry out the investigation (Dang-Nguyen et al. 2015). FTK sorts the files in its case database by file type and supports analysis of Windows registry files. OSForensics, Autopsy 4.1.1 and RegRipper have been used to verify the findings from the hard disk image with independent tools. Evidential management comprises the use of the scientific method, identification, analysis and validation. Proper guidelines are followed in securing and controlling the evidence. All evidence collected from the hard disk image is handled according to established principles such as the ACPO Good Practice Guide, whose first principle is that no action taken should change data that may later be relied on in court. Documentation is prepared from the verification of the evidence. The record of who handled each item of evidence, when, and for what purpose is known as the chain of custody (CoC).
The CoC is a chronological record of the evidence: who collected it, who held it and every transfer between them. The analysts keep duplicate copies of this documentation, stored separately (Flaglien et al. 2017). Failure of the hard disk image can be fatal to the case: the evidence can be lost, an attacker who gains access to the system can modify or delete the files containing the evidence, or the system itself can be stolen. A separate copy of the documentation (and of the image) therefore protects the investigation. Lone Star Ltd followed this approach in investigating the files in the hard disk image of TechBank TSB, using various tools and techniques to handle the evidence effectively.

Lone Star Ltd received a package with an envelope from Royal Mail late on 11 January. The firm initiated the chain of custody on opening the package (Bjelland et al. 2018). The package contained one hard disk. Lone Star Ltd first created a DD (raw) image of the disk with FTK Imager and verified the image against the source by hash values. A working copy of the image was created at the outset, and all analysis was carried out on the working copy, never on the original disk. The investigation was conducted with AccessData's Forensic Toolkit on a dedicated forensic workstation (Van Baar, Van Beek and van Eijk 2014). Working from a bit-for-bit image also allows files deleted from the TechBank TSB computer's hard disk to be recovered. The MD5 and SHA1 hash values computed at acquisition and again at verification showed that the image is an exact copy of the original disk and that neither was modified afterwards; the same values can be presented to the court to demonstrate integrity. Note that MD5 and SHA1 are both known to be vulnerable to collision attacks, so current practice records SHA-256 alongside them; two independent algorithms agreeing is still strong evidence that nothing changed, but a single MD5 on its own is weaker than it once was. In this way the integrity and authenticity of the files in the TechBank TSB hard disk image were retained (Holt, Bossler and Seigfried-Spellar 2015).
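The acquisition-and-verification step described above, as an added example that is not part of the original report and not FTK Imager's own code: a Python script that images a source (here a constructed file standing in for the seized disk), hashes the source stream while it is copied, re-reads the finished image independently to produce the verification hashes, and writes a chain-of-custody record. The exhibit label EXH-001, the examiner name and the sample disk contents are assumptions made for the example.

```python
"""Forensic acquisition with hash verification and a chain-of-custody record.
Added example; the sample disk contents, exhibit label and examiner are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                       # read/write in 1 MiB blocks
ALGOS = ("md5", "sha1", "sha256")     # MD5/SHA1 as in the report, SHA-256 for collision resistance


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGOS}


def _hexdigests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of the source into a raw (dd-style) image file.

    The source is hashed while it is read, which is how `dd | tee | md5sum` and
    FTK Imager produce the 'acquisition' hash. Returns the source digests.
    """
    hashers = _new_hashers()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return _hexdigests(hashers)


def hash_file(path):
    """Independent re-read of a file; used for the 'verification' hash of the image."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return _hexdigests(hashers)


def verify_image(acquisition_digests, image_path):
    """The image is only good if every verification hash equals its acquisition hash."""
    verification = hash_file(image_path)
    ok = all(acquisition_digests[a] == verification[a] for a in ALGOS)
    return ok, verification


def coc_record(examiner, exhibit, image_path, acquisition, verification, verified):
    """One chain-of-custody entry: who, when (UTC), which exhibit, which hashes."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "exhibit": exhibit,
        "image_file": os.path.basename(image_path),
        "acquisition_hashes": acquisition,
        "verification_hashes": verification,
        "verified": verified,
    }


def run_acquisition(tamper_image=False):
    """End-to-end run on a constructed stand-in for the seized disk.

    With tamper_image=True one byte of the image is altered after acquisition,
    so verification fails and the record says so.
    """
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "seized_disk.bin")     # stand-in for /dev/sdX
        image = os.path.join(workdir, "EXH-001.dd")
        with open(source, "wb") as f:                         # constructed sample sectors
            f.write(b"TechBank TSB sample sector data\n" * 4096)
        acquisition = acquire_image(source, image)
        if tamper_image:
            with open(image, "r+b") as f:
                f.seek(512)
                f.write(b"\x00")
        verified, verification = verify_image(acquisition, image)
        return coc_record("analyst (assumed)", "EXH-001", image,
                          acquisition, verification, verified)


if __name__ == "__main__":
    print(json.dumps(run_acquisition(), indent=2))
```

The verification hash is computed from a separate read of the image file rather than reused from the write path, because a write error or a later modification would otherwise go unnoticed; the tampered run shows the record flagging exactly that.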
The functionalities of the primary and secondary tools used to investigate the evidence in the TechBank TSB hard disk image are detailed below. Evidence analysis is the procedure by which evidence files are first identified, then preserved, and finally documented and presented to the court. Both open-source and commercial forensic analysis tools are available; other tools in this space include forensic modules, the Autopsy browser and The Sleuth Kit (Sohl et al. 2015). In this report the forensic investigation of the TechBank TSB hard disk image was carried out with Registry Viewer and AccessData's Forensic Toolkit as the primary tools, with OSForensics, Autopsy and RegRipper as secondary tools.

Forensic Toolkit (FTK) is a court-cited digital investigation platform designed for speed, stability and ease of use. It provides email analysis and customisable data views, and a framework that can be aligned with the organisation's needs (Taylor, Fritsch and Liederbach 2014). FTK runs on Windows. The FTK suite includes Registry Viewer and FTK Imager. AccessData Registry Viewer is a standalone product for examining the Windows registry, the set of hive files the Windows operating system uses to store configuration for the user interface, user accounts, hardware and software. Registry Viewer integrates with FTK and lets the analyst view the contents of registry hive files taken from any system, without booting that system. Registry Viewer also gives access to the registry's protected storage area (Thethi and Keane 2014), which holds the saved user names and passwords a user must otherwise supply to reach protected data.

FTK Imager is a data preview and imaging tool. It saves a hard disk image as a single file or as segments, and the image can be reconstructed later. FTK Imager calculates MD5 (and SHA1) hash values of the source and of the finished image and confirms that they match. It enables analysts to create forensic copies of disks and export them without altering the original evidence (Zawoad, Hasan and Skjellum 2015). It performs a bit-by-bit copy and supports integrity checking through the hash values, which makes it well suited to producing exact copies.

Autopsy is a digital forensic platform: a graphical front end to The Sleuth Kit for analysing disk images, local drives and folders. Autopsy 4 is a desktop Java application (the earlier Autopsy 2 ran as a web front end in a browser). Much of the processing is automated by its ingest modules, although the analyst still has to interpret the results. Autopsy offers functionality similar to FTK: keyword search, web artefacts, timeline analysis and hash-set filtering. It also provides integration facilities (Van Beek et al. 2015), including multi-user cases in which several analysts work on the same case. It is open source, cost-effective and easy to use, and here it was used as a secondary tool.

RegRipper is an open-source application for extracting keys, values and data from registry hives. It parses the hive data and writes its output as easily readable plain-text reports (Kleinmann and Wool 2014). Analysts can tailor RegRipper to their needs through its plugins, each of which targets a specific key or artefact.
OSForensics supports file searching and indexing, recovery of stored passwords, and recovery of deleted files from the file system. Malware files and intruder activity can be identified through hash matching, binary data comparison and drive signature comparison. The tool helps the forensic analyst extract the required evidence from the computer quickly (Martini, Do and Choo 2016), and its searching and indexing allow the data to be managed efficiently.

The Lone Star Ltd analysts found that the UserAssist log had been cleared. This is seen directly in the NTUSER.DAT hive of the 'techuser' profile, under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, where every program the user launched through Explorer would normally appear as a ROT13-encoded value name with a run count and last-execution time; an empty key on a profile that has clearly been used is itself a finding. The analysts also established that a registry-editing tool had been used on the TechBank TSB system (Choo and Dehghantanha 2017): traces were found in the user's Regedit applet key (Software\Microsoft\Windows\CurrentVersion\Applets\Regedit in NTUSER.DAT, whose LastKey value records the last key opened in Regedit) and in the Software hive. Whether a USB stick was attached to the system can also be determined from the registry. The SYSTEM hive records each USB mass-storage device that has been connected under the USBSTOR key (vendor, product, revision and serial number), unless the entry has been deliberately removed (Kleinmann and Wool 2014), and the MountedDevices key maps volume GUIDs and drive letters to those devices, so the volume GUID associated with a device can be traced under MountedDevices. The same volume GUID appears under MountPoints2 in the NTUSER.DAT of each user who accessed the device, which attributes the drive to particular users. Beyond the registry, the analysts found that the user account on the TechBank TSB system visited social networking and communication sites including MSN, Facebook, YouTube and Skype.
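The two registry artefacts discussed above, UserAssist entries in NTUSER.DAT and USB device paths in MountedDevices, as an added example that is not code from the original report and not RegRipper's or Registry Viewer's own code: the parsing is done in Python against constructed value data so it runs offline, and the program path, run time, vendor, product and serial numbers are invented for the example. It goes slightly beyond the text by also handling the 16-byte Windows XP UserAssist layout and by flagging Windows-generated instance IDs that mean the stick reported no serial number.

```python
"""Parsing two Windows registry artefacts: UserAssist (NTUSER.DAT) and
MountedDevices (SYSTEM). Added example; all sample values are constructed."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name):
    """UserAssist value names are the program path, ROT13-obfuscated."""
    return codecs.decode(name, "rot13")


def parse_userassist_value(data):
    """Run count and last-run time from a UserAssist value's binary data.

    72-byte layout (Windows 7 and later): run count at offset 4, FILETIME at 60.
    16-byte layout (Windows XP/2003): run count at offset 4 (stored with +5), FILETIME at 8.
    """
    if len(data) == 72:
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:
        count = struct.unpack_from("<I", data, 4)[0]
        count = count - 5 if count > 5 else count
        ft = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {"run_count": count, "last_run": filetime_to_datetime(ft) if ft else None}


def parse_mounted_device(data):
    """Decode a MountedDevices value (UTF-16LE device path).

    For USBSTOR entries return vendor/product/revision/serial. Windows stores an
    instance ID with '&' as its second character when the device reports no serial;
    such IDs are not unique and cannot tie one specific stick to the system.
    """
    path = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    info = {"path": path, "usb_storage": False}
    if "USBSTOR#" not in path:
        return info
    parts = path.split("#")
    # parts[1] = 'Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>', parts[2] = '<serial>&<instance>'
    fields = dict(kv.split("_", 1) for kv in parts[1].split("&")[1:])
    instance = parts[2]
    info.update({
        "usb_storage": True,
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": instance.split("&")[0],
        "serial_is_unique": len(instance) > 1 and instance[1] != "&",
    })
    return info


# --- constructed sample data (not taken from the TechBank TSB image) ---
SAMPLE_LAST_RUN = datetime(2011, 9, 29, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_USERASSIST_NAME = (
    "{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\\Zvpebfbsg Bssvpr\\Bssvpr14\\JVAJBEQ.RKR")
SAMPLE_USERASSIST_DATA = (
    struct.pack("<IIII", 0, 7, 3, 120000)        # session, run count, focus count, focus ms
    + b"\x00" * 40                               # ten floats, unused here
    + b"\xff\xff\xff\xff"                        # unknown field
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4)
SAMPLE_MOUNTED_DEVICE = (
    "\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26"
    "#4C530001230806112345&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED_DEVICE_NO_SERIAL = (
    "\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
    "#7&2a8b1c3d&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")


if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_USERASSIST_NAME))
    print(parse_userassist_value(SAMPLE_USERASSIST_DATA))
    for raw in (SAMPLE_MOUNTED_DEVICE, SAMPLE_MOUNTED_DEVICE_NO_SERIAL):
        print(parse_mounted_device(raw))
```

In a real case the value names and data would be read from the hive with Registry Viewer, RegRipper's userassist and mountdev plugins, or a hive-parsing library; the point of the parser is that a run count of zero or a missing key, and a serial starting with a digit followed by '&', both change what the analyst may claim.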
Analysis of the hard disk image provided by TechBank TSB showed that three Facebook accounts were used on the system (Taylor, Fritsch and Liederbach 2014): the profiles Imasha Oshadi Rajapaksha, Amaya Karunanayake and teCHbANK. Two of the three, teCHbANK and Imasha Oshadi Rajapaksha, are now inactive; the third, Amaya Karunanayake, is active. The analysts found that this user uses Facebook most of the time and edits the Facebook privacy and security settings. Amaya has been found to add photos and send messages on Facebook (Taylor, Fritsch and Liederbach 2014). Recently Amaya created an event named 'Continuation of Leadership Training Programme'. The user account also visited Skype, and the user holds a Skype account registered on 29 September 2011. The analysts recovered these details by examining the user's personal profile data on the system (Choo and Dehghantanha 2017). They also found that Amaya Karunanayake chatted over Skype with someone named Amilads about a password that he or she had received.

References
Bjelland, P.C., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2018. Internet Forensics. Digital Forensics, pp.275-312.

Choo, K.K. and Dehghantanha, A., 2017. Contemporary Digital Forensics Investigations of Cloud and Mobile Applications. In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications (pp. 1-6).

Dang-Nguyen, D.T., Pasquini, C., Conotter, V. and Boato, G., 2015, March. RAISE: A raw images dataset for digital image forensics. In Proceedings of the 6th ACM Multimedia Systems Conference (pp. 219-224). ACM.

Flaglien, A.O., Flaglien, A., Sunde, I.M., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. The Digital Forensics Process. Digital Forensics, pp.13-49.

Holt, T.J., Bossler, A.M. and Seigfried-Spellar, K.C., 2015. Cybercrime and digital forensics: An introduction. Routledge.

Kleinmann, A. and Wool, A., 2014. Accurate modeling of the Siemens S7 SCADA protocol for intrusion detection and digital forensics. Journal of Digital Forensics, Security and Law, 9(2), p.4.

Martini, B., Do, Q. and Choo, K.K.R., 2016. Digital forensics in the cloud era: The decline of passwords and the need for legal reform. Trends & Issues in Crime & Criminal Justice, (512).

Sohl, E., Fielding, C., Hanlon, T., Rrushi, J., Farhangi, H., Howey, C., Carmichael, K. and Dabell, J., 2015, October. A field study of digital forensics of intrusions in the electrical power grid. In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (pp. 113-122). ACM.

Sunde, I.M., Flaglien, A., Dilijonaite, A., Hamm, J., Sandvik, J.P., Bjelland, P., Franke, K. and Axelsson, S., 2017. Cybercrime Law. Digital Forensics, pp.51-116.

Taylor, R.W., Fritsch, E.J. and Liederbach, J., 2014. Digital crime and digital terrorism. Prentice Hall Press.

Thethi, N. and Keane, A., 2014, February. Digital forensics investigations in the cloud. In Advance Computing Conference (IACC), 2014 IEEE International (pp. 1475-1480). IEEE.

Van Baar, R.B., Van Beek, H.M.A. and van Eijk, E.J., 2014. Digital Forensics as a Service: A game changer. Digital Investigation, 11, pp.S54-S62.

Van Beek, H.M.A., van Eijk, E.J., van Baar, R.B., Ugen, M., Bodde, J.N.C. and Siemelink, A.J., 2015. Digital forensics as a service: Game on. Digital Investigation, 15, pp.20-38.

Zawoad, S., Hasan, R. and Skjellum, A., 2015, June. OCF: an open cloud forensics model for reliable digital forensics. In Cloud Computing (CLOUD), 2015 IEEE 8th International Conference on (pp. 437-444). IEEE.