Digital Forensic Analysis of USB Drive for CO4514 at the University

Added on  2023/01/17

Practical Assignment
AI Summary
This assignment is a digital forensics analysis of a USB drive image, conducted using the Autopsy tool. The objective was to determine if a detained employee of Vamos Solution was transferring confidential company information. The analysis involved examining the USB drive image to identify potential data breaches. The student used Autopsy to extract and analyze data, including an Excel file containing sensitive financial information and a deleted Word document hinting at data exfiltration. The investigation also revealed a plain text file containing an email suggesting the employee's motive for potentially stealing the data, stemming from issues with their boss. The student concludes that there is evidence of data theft, but highlights the need for further investigation, including access to the employee's computer, email records and internet history to provide a more comprehensive understanding of the data breach. The report provides a detailed account of the analysis process and the findings, emphasizing the importance of digital forensics in uncovering data theft and protecting sensitive business information.
Running head: CO4514 – DIGITAL FORENSIC TECHNOLOGY
CO4514 – Digital Forensic Technology
Name of the Student
Name of the University
Authors note
Introduction
In digital forensics it is very important to extract, analyse and convey the
results of the analysis so that they can be used as evidence in the investigation
as well as in the prosecution process. The evidence reviewed and analysed here
was collected and provided to us by a previous investigator. The evidence is
considered to have been verified as unaltered.
Background of the project
The USB drive image was captured from the detained employee, and the captured
image is analysed to find out whether the employee was offering proprietary
company (Vamos Solution) information to any competitor or individual for
personal benefit, out of greed, or in order to change jobs.
Objective of the Project
The main objective was to check and determine whether the employee recorded and
transferred any data that the organization considers confidential or a business
secret.
Analysis technique and tools used
For this analysis, the Autopsy tool is used.
Analysis Details and results
Answer to question 1
Validation of the availability of data in USB
For the provided USB stick data image, it is found that the USB stick has been
used to copy company information, as shown in the following snapshot.
In the above screenshot, a file named income.xlsx is found that appears to hold
the revenue and income details of the organization. The Excel sheet includes the
salary, pension, dividend, share, and sales details of Vamos Solutions.
Answer to question 2
Evidence of hiding or deleting data
When the deleted files option is clicked in the Autopsy tool, two files are
listed, as depicted in the following screenshot.
Here, as depicted in the above image, it can be observed that there are two
files: one is a .temp file and the other is a .docx file.
The .temp file is a system-generated file that helps in disk caching, so this
file is not considered further. On the other hand, when the .docx file is
clicked, it is found to contain a starting line reading,
Another company secret is here
Here, it can be said that the employee tried to copy the details found in the
Excel file, and may have planned to record them in the .docx file before they
were later recorded in the Excel file.
Answer to question 3
The reason for stealing the data
Evidence and reason for stealing that data:
In our further investigation, a plain text file was found that contains the body
of an email. It contains some allegations of improper behaviour towards the
employee. Following is the image that contains the text recovered from the given
image.
From the analysis it is evident that the name of the employee is John Paul
Dempsey and that he is having some issues with his boss. The employee was
planning to file a complaint against the boss with the HR department. Possibly,
after not getting a proper reply from the HR department, the employee tried to
smuggle out the economic details of the company. Revelation of the dividend,
share and sales data can adversely impact the market reputation of the
organization. Through illegal exposure of these economic details, relations with
suppliers, customers and other shareholders may be damaged. This may lead to
loss of business in the market as well as of customers.
Answer to Question 4
Further evidence required for analysis
In order to analyse this case further, it is important to obtain the file
creation and modification timeline, which may help in building a detailed
picture of the whole data breach. No web access or registry modification details
are available on the captured USB drive image provided for the analysis. The
provided image contains no images, audio clips, HTML files or PDFs, so the
sources from which the employee obtained this company information are not clear.
In addition, because the provided forensic image lacks internet access records,
internet history records and mailing history need to be checked to provide
better insight and to learn how the details were distributed.
In addition to that, the captured image does not even provide any email lists used by
the detained employee.
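The creation and modification timeline called for above can be built from a
Sleuth Kit bodyfile (the pipe-separated listing written by fls -m). The following
is an added example, not part of the original report: every file name other than
income.xlsx, and all inode numbers, sizes and timestamps, are constructed sample
values and not findings from the case image.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not data from the case image), Sleuth Kit bodyfile layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
SAMPLE_BODYFILE = """\
0|/income.xlsx|5|r/rrwxrwxrwx|0|0|18432|1546300800|1546251000|0|1546250400
0|/note.docx (deleted)|7|r/rrwxrwxrwx|0|0|12288|1546300800|1546246800|0|1546246200
0|/~tmp01.temp (deleted)|9|r/rrwxrwxrwx|0|0|512|1546300800|1546246900|0|1546246900
0|/mail.txt|11|r/rrwxrwxrwx|0|0|940|1546214400|1546170000|0|1546169400
"""
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))
DELETED_SUFFIX = " (deleted)"  # appended by fls to unallocated names

def parse_bodyfile(text):
    """Return one dict per bodyfile line; tolerates '|' inside the file name."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _md5, rest = line.split("|", 1)
        parts = rest.rsplit("|", 9)  # name + 9 fixed trailing fields
        if len(parts) != 10:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
        deleted = name.endswith(DELETED_SUFFIX)
        entries.append({
            "path": name[:-len(DELETED_SUFFIX)] if deleted else name,
            "deleted": deleted, "inode": inode, "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime)})
    return entries

def build_timeline(entries):
    """Merge equal timestamps of one file into a single mactime-style 'macb' event."""
    events = []
    for e in entries:
        by_time = defaultdict(set)
        for field, _flag in MACB:
            if e[field] > 0:  # 0 means no such timestamp was recorded
                by_time[e[field]].add(field)
        for epoch, fields in by_time.items():
            flags = "".join(flag if field in fields else "." for field, flag in MACB)
            events.append((epoch, flags, e["path"], e["deleted"]))
    return sorted(events, key=lambda ev: (ev[0], ev[2]))

def format_event(event):
    epoch, flags, path, deleted = event
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp}Z {flags} {path}{' [deleted]' if deleted else ''}"

if __name__ == "__main__":
    for ev in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_event(ev))
```

Sorting the events this way shows whether a deleted document was created before
or after the spreadsheet, which is the ordering question the report raises.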
Finding
The results of the forensic analysis conducted on the provided USB image conclude
that there is evidence available which proves that the detained employee tried to
record and export business secrets using the USB device.
In addition, it must be noted that this comment is made only upon the data and
files available on the captured image. The image also includes some records that
are allegations against the boss about his improper behaviour toward the detained
employee. With further data from the devices used, such as official computers
and mailboxes, it will be possible to extract more data with the different
methods available, to prosecute the employee and justify the allegations.
Conclusion
The primary goal of this forensic examination project is to find and explore the
facts through the different methods and functions available in Autopsy and other
tools. Using these facts it is possible to recreate the data theft event as
described by the organization. This process reveals the truth of the data theft
event while exposing the remnants of the event that were left on the
system/image.