Forensics Preparation Report: UniCareer Pty. Ltd. Investigation
Added on 2020/03/28
AI Summary
This report presents a detailed plan for a digital forensics investigation at UniCareer Pty. Ltd. The investigation aims to determine how a competitor gained access to student and staff email accounts, and if a staff member possesses child pornography. The report outlines the justification for using a computer forensics methodology, emphasizing its role in rigorous investigation and proper evidence handling. It specifies the necessary resources, including X-Ways Forensics and SIFT – SANS Investigative Forensics Toolkit, and details the data acquisition approach, including processing the incident scene, seizing computer evidence, and collecting data from live systems. The report covers data validation and verification procedures, forensic analysis steps (preparation, data extraction, and analysis), and proposes a security policy document addressing risk assessment, internet DMZ equipment, monitoring and filtering, acceptable use, and software updates. The investigation will involve acquiring data from both Windows and macOS systems, utilizing forensic tools for comprehensive analysis. The report concludes with recommendations based on the findings of the investigation.

Forensics Preparation Report
[Name]
[Institution]

Executive Summary
Forensic investigation plays a critical role in identifying and analyzing evidence relating to cyber
crimes. Challenges in digital forensics are becoming more difficult as technology advances and
the use of mobile smartphones becomes more widespread.
In the case under review, the focus is on identifying how a competitor got hold of email accounts
of students and staff at UniCareer Pty. Ltd. The investigation also seeks to determine if indeed
one of the company’s staff has possession of child pornography, as reported. Applying a
computer forensics methodology to this investigation will encourage a complete and rigorous
investigation, reduce the chance of error and ensure proper handling of evidence and analysis.
X-Ways Forensics and SIFT (SANS Investigative Forensics Toolkit) will be used in the
investigation, as they contain all the tools and technology necessary for evidence acquisition and
analysis.
The plan for the investigation will cover the following steps:
Data acquisition: process the incident scene, seize physical computer evidence, collect data
from the live e-mail server system, and collect special content data such as emails and
graphics.
Data validation and verification: the integrity of the collected data will be verified by computing hash
values and checksums for both the image and the original data and comparing them.
Forensic analysis steps: preparation, creating copies of evidence for analysis, data
extraction, timeframe analysis, data hiding analysis, and application, file and email
analysis.
The report also proposes a security policy document for the company, which includes policies on
the use of company IT resources such as email and computers, a policy on updates and patching
of software, and a policy on vulnerability assessment of the company’s network infrastructure.

Table of Contents
Executive Summary.....................................................................................................................................2
1.0 Introduction.....................................................................................................................................5
2.0 Justification.....................................................................................................................................5
3.0 Resources necessary for evidence gathering....................................................................................7
4.0 Approach for data acquisition..........................................................................................................7
4.1 Process incident scene.................................................................................................................8
4.2 Seize physical computer evidence...............................................................................................9
4.3 Collect data from live system.....................................................................................................10
4.4 Collect special content data.......................................................................................................10
4.4.1 E-mail content....................................................................................................................10
4.4.2 Graphics or photographic images......................................................................................11
5.0 Type of data acquisition tools needed............................................................................................11
5.1 X-WAYS FORENSICS.............................................................................................................11
5.2 SIFT –SANS Investigative Forensics Toolkit............................................................................11
6.0 Data validation & verification procedures.....................................................................................12
7.0 Forensic Analysis Steps.................................................................................................................12
7.1 Step 1: Preparation.....................................................................................................................12
7.2 Step 2: Extraction......................................................................................................................13
7.2.1 Physical extraction.............................................................................................................13
7.2.2 Logical extraction...............................................................................................................13
7.3 Step 3: Analysis of extracted data.................................................................................................14
7.3.1 Timeframe analysis............................................................................................................14
7.3.2 Data hiding analysis...........................................................................................................15
7.3.3 Application, files and email analysis...................................................................................15
8.0 Security policies for the Company.................................................................................................16
8.1 Risk assessment policy..............................................................................................................16
8.2 Internet DMZ Equipment Policy................................................................................................16
8.3 Monitoring and Filtering Policy.................................................................................................17
8.3.1 The Internet Use Filtering System......................................................................................17
8.3.2 The Filtering Rule Changes for Internet Use......................................................................17
8.4 Acceptable Use Policy...............................................................................................................17
8.5 The activities with strict prohibitions and without exceptions include:-....................................18
8.6 Policy relating to use of company’s issued email addresses......................................................18
8.6.1 Prohibited Use...................................................................................................................18
8.7 Security policy relating to software Updates, routers and IDS...................................................19
9.0 Recommendations.........................................................................................................................19
References.................................................................................................................................................19

1.0 Introduction
Over the last decade, there has been tremendous technological change in the field of
computing. Organizations, business enterprises and even governments have become more reliant
on IT for day-to-day business operations. The uptake of computing devices and the Internet, and the
heavy reliance on IT for business, have in turn seen an exponential surge in cybercrime. The
nature of cybercrime has also widened, to include electronic vandalism, terrorism, extortion,
financial fraud, denial of service and the malicious use of hacked computing resources to launch
attacks on other computers.
Forensic investigation plays a critical role in identifying and analyzing evidence relating to
reported and suspected incidents of information systems compromise. Challenges in digital
forensics are becoming more difficult as technology advances and the use of
mobile smartphones becomes more prolific.
This report presents a plan for carrying out a forensics investigation on the IT systems at
UniCareer Pty. Ltd. The investigation seeks to identify if a competitor compromised the system
to acquire email addresses of students and staff. The investigation also seeks to identify if one of
the staff members has possession of child pornography on his work and personal computers.
2.0 Justification
For this investigation, use of a computer forensics methodology is critical. The methodology will
direct the investigation and help the team focus on the key points of identifying evidence, using
appropriate analysis to evaluate, trace evidence and understand the case under review (Abdalla,
Hazem and Hashem, 2013). A proper forensics methodology will serve as a vital reference point
on the progress and state of the investigation. It will act as a blueprint that will direct the steps to
be taken at every phase of the forensic investigation cycle (Reith, Carr and Gunsch, 2012).
Proper use of a methodology in this case will not only give clear guidelines to the investigators,
but will also ensure the investigation is performed in an approach that benchmarks against
generally accepted practices (Abdalla, Hazem and Hashem, 2013).
Since computer forensics entails uncovering hidden information and analyzing that information
to understand whether a crime was committed, investigations should be thorough. Applying a computer
forensics methodology to this investigation will encourage a complete and rigorous investigation,
reduce the chance of error and ensure proper handling of evidence and analysis. A third reason
why a methodology is justified in this case is that it will help in refining our understanding of
the basic constituents of a complete and comprehensive investigation that is independent of any
particular technology. This is because conventional forensic methodologies are designed and
refined to include appropriate steps for identifying evidence, analyzing it and applying technology
to uncover hidden or deleted evidence that can unearth a digital crime (Abdalla, Hazem and
Hashem, 2013).
For this case, use of an appropriate methodology will aid in the investigation of how competitors
got hold of email accounts of staff and students, as well as in gathering evidence of the alleged crime of
viewing child pornography against one of the staff members. Using a conventional
methodology will facilitate a comprehensive assessment to uncover any crimes committed.
3.0 Resources necessary for evidence gathering
A comprehensive forensic toolkit: two frameworks and toolkits have been chosen,
X-Ways Forensics and SIFT (SANS Investigative Forensics Toolkit).
X-Ways will be used on Windows systems and will play a critical role in email analysis. Its main
features include disk cloning, detecting deleted or lost hard disk partitions, activity logging, and
verifying the authenticity of data sets (Popescu and Farid, 2014). Moreover, the toolkit can
extract metadata from many file types, and even retrieve emails from a wide range of email clients
(Popescu and Farid, 2014). The SIFT Toolkit will mainly be used for the macOS systems as it
supports a wide range of file systems, including Windows and macOS file systems (Popescu and
Farid, 2014).
Other resources will include:
Evidence collection and packaging materials and equipment.
Necessary hardware and supporting software for collecting and analyzing evidence.
Individuals highly experienced in the area of digital forensics.
4.0 Approach for data acquisition
Digital evidence should be handled with the utmost care, as it is naturally fragile and can easily
be destroyed, damaged or altered if handled inappropriately (Casey, 2011). Failure to handle the
evidence properly may result in inaccurate conclusions after analysis (Casey, 2011).
Evidence acquisition for this case will focus on acquiring original digital evidence while
protecting and preserving that evidence (Richard and Roussev, 2006). For data acquisition, the
process will start with an onsite examination, which will include:
Surveying the IT infrastructure and the server room housing the mail servers for the
company (Richard and Roussev, 2006).
At the office of the individual suspected of viewing pornographic material, the personal computer
and the company’s computer will be seized, although an appropriate court order will have
to be sought in order to take control of the user’s personal computer.
The following basic steps will be followed to acquire evidence:
4.1 Process incident scene
Here we assume the company has a server room for mail servers, and that evidence for John
Pickering’s case will be collected from his office. The aim will be to collect all the physical and
non-technical evidence (Garfinkel, 2010). One of the examiners will be designated as the Evidence
Custodian, who will record every item collected in an Evidence Form (Garfinkel, 2010).
o At the company’s server room, an examiner will identify the type and number of
computers that will require assessment.
o Carry out an initial interview with the systems administrator.
o Identify and document data storage systems at the company’s servers.
o The focus of the investigation will be the mail server, so the examiner will concentrate
on the specific server housing the mail service as well as the server hosting staff and
student details.
o Identify offsite and remote storage and backup options (Richard and Roussev, 2006).
o Identify software in use on the servers (Richard and Roussev, 2006).
Step two is to secure the digital evidence by establishing a clear chain of custody.
Ensure the examiner’s computer is adequately prepared and configured for data
acquisition.
4.2 Seize physical computer evidence
Seize all computers from John Pickering’s office; this will require a court order in order
to take hold of the personal computer.
Open up the computers seized at John Pickering’s office, access the storage devices and
remove them.
o While opening the computers, take proper care to prevent magnetic fields and
static electricity from damaging the storage drives and other components (Casey,
2009).
o Take photographs of the interior configuration of the hardware after opening the
computers.
o Document the condition of the drives.
o Disconnect the storage devices from the motherboard to prevent data alteration.
Document the evidence by capturing the serial numbers of the devices.
Where necessary, use a forensic boot disk to boot the suspect computer and collect
evidence (Casey, 2011). This will also be used to test the working of the storage drives
and to collect evidence from laptops.
For removed hard drives, the examiner’s computer should be used to acquire evidence
from the drives.
Imaging of the hard drive will be done using a forensic analysis software suite.
For verification purposes, create hashes of the original data and of the image of the drive.
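To make the hash-verification step concrete, here is an added Python example (not part of the original report, and not X-Ways or SIFT code) that hashes a source device and its image with MD5 and SHA-256 in one pass, compares the digests and appends a verification record for the Evidence Form. The evidence id, examiner name, file names and the "drive" contents in the demo are constructed placeholders.

```python
"""Verify a forensic image against its source and log the result.

Hypothetical example: both MD5 and SHA-256 are recorded so the entry can be
cross-checked against whatever the imaging tool reported.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never load into RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original_path, image_path, evidence_id, examiner):
    """Compare hashes of original and image; return a verification record."""
    orig = hash_file(original_path)
    img = hash_file(image_path)
    matches = {alg: orig[alg] == img[alg] for alg in orig}
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "original": {"path": original_path, "size": os.path.getsize(original_path), **orig},
        "image": {"path": image_path, "size": os.path.getsize(image_path), **img},
        "verified": all(matches.values()),
        "mismatched_algorithms": sorted(alg for alg, ok in matches.items() if not ok),
    }


def append_record(record, logbook_path):
    """Append one JSON line per verification to the evidence logbook."""
    with open(logbook_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")


def demo():
    """Constructed demonstration: a fake 'drive', a faithful image and a tampered one."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "drive.bin")
    good = os.path.join(workdir, "drive.dd")
    bad = os.path.join(workdir, "drive-altered.dd")
    payload = os.urandom(3 * CHUNK + 123)  # constructed sample bytes, not a real drive
    for path in (drive, good):
        with open(path, "wb") as fh:
            fh.write(payload)
    with open(bad, "wb") as fh:
        fh.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # flip a single bit
    ok = verify_image(drive, good, "UC-EVIDENCE-001", "examiner-1")
    tampered = verify_image(drive, bad, "UC-EVIDENCE-001", "examiner-1")
    logbook = os.path.join(workdir, "evidence-log.jsonl")
    append_record(ok, logbook)
    append_record(tampered, logbook)
    return ok["verified"], tampered["verified"], tampered["mismatched_algorithms"]


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```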
4.3 Collect data from live system
Since it would not be possible to take down or shut down the mail servers, evidence will be collected by
imaging the live system. The entire system should be imaged, together with all email data
contained in it.
All volatile digital evidence will be collected first, including memory dumps, process listings and
network connections (Casey, Blitz and Steuart, 2014).
Collecting data from the live system will follow these steps:
i. Access the live system and collect volatile data: data on running processes, cache
data, open sockets and ports, logged-in users, applications listening on open sockets,
registry entries, memory, etc. (Casey, Blitz and Steuart, 2014).
ii. Collect data from the process table, the ARP cache and temporary internet files.
iii. Collect log files.
iv. Collect logs from intrusion detection systems, firewalls, routers and network servers.
v. Record the physical configuration and network topology.
vi. Use a write blocker or write protector before starting the system imaging
process (Garfinkel, 2010).
vii. Prepare the chain of custody.
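The following Python script is an added illustration of steps i and vii above; it is not code from this report or from any of the toolkits named in it. It collects artefacts most-volatile first and writes each one into a chain-of-custody log in which every entry is hashed together with the previous entry's hash, so that a later alteration or removal of any entry can be detected. The volatility ranking, the artefact names, the examiner and host names and the sample collector outputs are constructed assumptions; on a real system each collector would wrap the memory acquisition tool or capture command actually used.

```python
"""Order-of-volatility acquisition with a hash-chained chain-of-custody log.

Added illustration, not part of the report: artefacts are collected
most-volatile first, hashed with SHA-256 as soon as they are captured, and
appended to a log in which each entry commits to the previous entry's hash.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed ranking: lower number = more volatile = collected earlier.
VOLATILITY = {
    "memory": 0,
    "process_list": 1,
    "network_connections": 1,
    "arp_cache": 1,
    "logged_in_users": 2,
    "temporary_internet_files": 3,
    "log_files": 4,
}


def ordered_steps(step_names):
    """Return the artefact names sorted most-volatile first (ties alphabetical)."""
    return sorted(step_names, key=lambda n: (VOLATILITY.get(n, 99), n))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def append_entry(log, artefact, data, examiner, host):
    """Append one custody entry; its hash covers all fields and the previous entry."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "sequence": len(log) + 1,
        "artefact": artefact,
        "host": host,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
        "previous_entry_hash": prev,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = sha256_hex(canonical)
    log.append(entry)
    return entry


def verify_log(log):
    """True only if every entry's hash and back-link are intact and in sequence."""
    prev = "0" * 64
    for i, entry in enumerate(log, start=1):
        if entry["sequence"] != i or entry["previous_entry_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def acquire(collectors, examiner, host):
    """collectors: dict of artefact name -> zero-argument callable returning bytes."""
    log = []
    for name in ordered_steps(collectors):
        append_entry(log, name, collectors[name](), examiner, host)
    return log


# Constructed sample collectors standing in for real capture commands.
SAMPLE = {
    "log_files": lambda: b"Oct 12 09:14:02 mail01 sshd[2211]: Accepted publickey for admin\n",
    "process_list": lambda: b"PID  USER  CMD\n1    root  /sbin/init\n2211 root  sshd\n",
    "memory": lambda: b"\x00" * 4096,
    "network_connections": lambda: b"tcp 10.0.0.5:993 203.0.113.9:51234 ESTABLISHED\n",
}

if __name__ == "__main__":
    log = acquire(SAMPLE, examiner="Examiner (placeholder)", host="mail01")
    print("collection order:", [e["artefact"] for e in log])
    print("log intact:", verify_log(log))
    log[1]["sha256"] = "f" * 64  # simulate a later alteration of one entry
    print("after tampering:", verify_log(log))
```

The log is written once per artefact at collection time; the hash chain does not replace signing or write-once storage of the log, but it lets the examiner show during analysis that the sequence and hashes recorded at acquisition are the ones still on file.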
4.4 Collect special content data
Special content data will include graphic pictures, emails and any other documents. Proper
methods for unearthing hidden and deleted files will also be used to obtain the data (Garfinkel,
2010).
4.4.1 E-mail content
Collect archived e-mails, backups of the mail server, transaction logs from the mail
server and e-mail traffic. This will include all emails for all accounts hosted on the mail
servers of the company.
4.4.2 Graphics or photographic images
Graphic images will be collected. Where child pornography is involved, the evidence
custodian will apply proper safeguards to protect the victims.
5.0 Type of data acquisition tools needed
Because this investigation will be performed on both Windows and macOS systems,
two forensic analysis toolkits will be used for data acquisition and validation. The
tools are:
5.1 X-WAYS FORENSICS
X-Ways Forensics is a forensic framework that includes a wide range of tools and methods to be
used by cybercrime units. This platform is designed to run on Windows and provides
comprehensive and efficient results. Its main features include disk cloning, detecting deleted or
lost hard disk partitions, activity logging, and verifying the authenticity of data sets (Popescu and
Farid, 2014). Moreover, the toolkit can extract metadata from files, and even retrieve emails
from a wide range of email clients (Popescu and Farid, 2014).
5.2 SIFT – SANS Investigative Forensics Toolkit
The SANS Investigative Forensic Toolkit (“SIFT”) is a computer forensics VMware appliance.
SIFT is Linux based, and comes pre-configured as a VMware virtual machine that includes a wide range of
software tools and technologies essential for a comprehensive digital forensics investigation
(Popescu and Farid, 2014). The key competencies of this toolkit include:
Ability to examine raw disks
Ability to analyze a wide range of file systems and evidence formats
Support for Windows, Linux, Solaris and macOS file systems
“Places strict guidelines on how evidence is examined, verifying that the evidence has not
changed” (Popescu and Farid, 2014).

6.0 Data validation & verification procedures
Verification and validation of evidence collected is critical in ensuring that information collected
is accurate (Shanmugam, 2011). The overall validation and verification process will seek to
verify the source and reliability of items and data collected.
The procedure for verifying and validating data will be:
For seized computers, serial numbers will be used to verify that they are the original
computers issued to the individual (Delp, Memon and Wu, 2009).
For collected data and OS images, the integrity of the data collected will be verified by
computing hash values and checksums for both the image and the original data and
comparing them (Shanmugam, 2011).
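The following Python script is an added illustration of the hash comparison described in section 6.0 (and of the hash creation step in section 4.2); it is not code from this report or from X-Ways Forensics or SIFT. It hashes the source and the image with MD5 and SHA-256, reading in fixed-size blocks so that a large drive never has to fit in memory, and when the whole-file hashes differ it compares per-block hashes to localise the mismatch. The block size, the sample drive contents and the temporary files standing in for a device and its image are constructed assumptions.

```python
"""Verifying a forensic image against its source by hash comparison.

Added illustration, not part of the report. Whole-file MD5 and SHA-256 are
computed for both source and image in fixed-size blocks; if they differ, a
per-block hash list identifies which block ranges do not match.
"""
import hashlib
import os
import tempfile

CHUNK = 4096  # bytes per block (assumed; imaging tools commonly use larger blocks)


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole file, read block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def block_hashes(path):
    """SHA-256 of every CHUNK-sized block, used only to localise a mismatch."""
    with open(path, "rb") as f:
        return [hashlib.sha256(b).hexdigest() for b in iter(lambda: f.read(CHUNK), b"")]


def verify_image(source_path, image_path):
    """Return (match, {'source': hashes, 'image': hashes}, mismatched block indices)."""
    src, img = hash_file(source_path), hash_file(image_path)
    # Equal digests imply equal sizes; the size check is a cheap extra sanity test.
    match = src == img and os.path.getsize(source_path) == os.path.getsize(image_path)
    bad_blocks = []
    if not match:
        sb, ib = block_hashes(source_path), block_hashes(image_path)
        bad_blocks = [i for i in range(max(len(sb), len(ib)))
                      if i >= len(sb) or i >= len(ib) or sb[i] != ib[i]]
    return match, {"source": src, "image": img}, bad_blocks


def make_sample(data):
    """Write constructed bytes to a temporary file standing in for a device or image."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: a faithful image and one with a single flipped byte."""
    original = bytes(range(256)) * 48          # 12288 bytes = 3 blocks of CHUNK
    corrupted = bytearray(original)
    corrupted[5000] ^= 0xFF                    # falls in block index 1
    src = make_sample(original)
    good = make_sample(original)
    bad = make_sample(bytes(corrupted))
    ok, _, _ = verify_image(src, good)
    nok, _, blocks = verify_image(src, bad)
    for p in (src, good, bad):
        os.unlink(p)
    return ok, nok, blocks


if __name__ == "__main__":
    ok, nok, blocks = demo()
    print("faithful image verified:", ok)
    print("corrupted image verified:", nok, "mismatched blocks:", blocks)
```

The whole-file digests are the values to record in the chain-of-custody documentation; the per-block comparison is an analysis aid for deciding whether a failed verification is a read error on a few sectors or a wholly different image.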
7.0 Forensic Analysis Steps
7.1 Step 1: Preparation
This step will entail preparing directories on a designated separate storage media, where data and
files will be recovered into or extracted to (Franke and Axelsson, 2017).
7.2 Step 2: Extraction
7.2.1 Physical extraction
This step entails extracting data from the seized hard drives at the physical level, without regard
for the underlying file system of the drive (Delp, Memon and Wu, 2009). The methods to be
used will include: