Digital Forensics Report: Analyzing Disk Image for HMRC Investigation

Added on  2023/04/25

This forensic computing report details the analysis of a provided disk image file using Autopsy and ProDiscover, focusing on identifying incriminating evidence related to a potential bomb threat sent via email. The analysis covers various aspects, including email evidence, web browser activity, and file system contents, with a comparison of the effectiveness of both tools in uncovering relevant data. The report outlines the steps taken during the investigation, such as keyword searches and timeline analysis, and presents findings related to potential tax fraud committed by Mr. Larry Bevois. The comprehensive analysis aims to provide a clear understanding of the digital evidence and its implications, with appendices including evidence listings and timelines.
Forensic Computing
Student Name: *****
Student ID: ******
Submission Date: ******
Executive Summary
The main objective of this project is to analyze the provided forensic disk image file and to
identify and justify the incriminating evidence, using two forensic tools, Autopsy and
ProDiscover. The offender appears to have attempted to use email to send a bomb threat to
interfere with the national oil exposition. It appears to have been done through Robert Bonner's
email account, from his personal computer located at his residence, on 18/10/2013. You have to
carry out a sound digital forensic analysis using these two tools, which means that you are
expected to present any exculpatory evidence revealed in the analysis. Consider performing
two complete digital analyses on the provided case file, and then discuss the different tools
used after comparing their effectiveness.
Table of Contents
1 Introduction
1.1 Background Description
1.2 Objectives of the Project
2 Overall Tool Features Comparison
2.1 Autopsy
2.2 ProDiscover
3 Locate Phase Product Comparison
3.1 Autopsy
3.2 ProDiscover
4 Select or Search Phase Product Comparison
4.1 Autopsy
4.2 ProDiscover
5 Analyze and Validate Phase Product Comparison
5.1 Autopsy
5.2 ProDiscover
6 Summary and Conclusion
6.1 Summary of Autopsy strengths and weaknesses
6.2 Summary of ProDiscover strengths and weaknesses
References
Appendix
1. Evidence Listing
Autopsy
ProDiscover
2. Evidence Timeline
Autopsy
1 Introduction
1.1 Background Description
HMRC (Her Majesty's Revenue and Customs) has been conducting an investigation concerning
Mr. Larry Bevois, who is a company director of XUZ Circuits Ltd. HMRC suspects that
Mr. Bevois has been deliberately engaged in tax avoidance by directing a portion of
his company income to an offshore bank account in Belize. HMRC has a reasonable belief
that the amount avoided is greater than £75,000 and initially offered Mr.
Bevois the chance to co-operate in the investigation and avoid criminal sanctions; however,
HMRC believes Mr. Bevois has been dishonest in his statements during the COP9
investigation and has now launched a criminal investigation. The seizure of Mr. Bevois's bank
accounts in the UK has been inconclusive, and HMRC has now sought, and obtained, images of Mr.
Bevois's PC. At the time of seizure, Mr. Bevois's PC was switched on, so a memory capture was
also taken. HMRC requires evidence that may demonstrate that Mr. Bevois has committed
tax fraud and that he acted with the intent to commit the tax
fraud. Examine both of the images and present your findings in a report to be
provided to HMRC.
1.2 Objectives of the Project
The main objective of this project is to analyze the provided forensic disk image file and to
identify and justify the incriminating evidence, using two forensic tools, Autopsy and
ProDiscover. The offender appears to have attempted to use email to send a bomb threat to
interfere with the national oil exposition. It appears to have been done through Robert Bonner's
email account, from his personal computer located at his residence, on 18/10/2013. You have to
carry out a sound digital forensic analysis using these two tools, which means that you are
expected to present any exculpatory evidence revealed in the analysis. Consider performing
two complete digital analyses on the provided case file, and then discuss the different tools
used after comparing their effectiveness (Gladyshev & Rogers, 2012).
2 Overall Tool Features Comparison
2.1 Autopsy
Autopsy is a digital forensics platform and a graphical interface for The
Sleuth Kit® and other digital forensics tools. Autopsy is used by law
enforcement, corporate examiners and the military to investigate what activity took place on a
computer. It can even be used to recover photographs from the memory
card of a camera.
Investigation Features
The following is a rundown of Autopsy's features.
Multi-User Cases: Collaborate with fellow examiners on large cases.
Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hash sets in HashKeeper, md5sum, and EnCase formats.
Timeline Analysis: Displays system events in a graphical interface to help identify activity.
Keyword Search: Text extraction and index search modules make it possible to find files that mention specific terms and to find regular expression patterns.
Web Artifacts: Extracts web activity from common browsers to help identify user activity.
Tags: Tag files with arbitrary tag names, for example 'bookmark' or 'suspicious', and add comments.
Registry Analysis: Uses RegRipper to identify documents and USB devices.
Thumbnail viewer: Displays thumbnails of images to help view them quickly.
Email Analysis: Parses MBOX format messages, for example Thunderbird (Gogolin, 2013).
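To make the Keyword Search and Email Analysis features above concrete, the following added example (not part of the original report and not Autopsy's own code) parses an MBOX file with Python's standard `mailbox` module and flags messages that match literal terms or regular expressions. The mailbox contents, addresses and search terms are constructed for illustration.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample mailbox (not data from the case image).
SAMPLE_MBOX = """\
From alice@example.test Fri Oct 18 09:12:00 2013
From: alice@example.test
To: bob@example.test
Subject: Lunch on Friday
Date: Fri, 18 Oct 2013 09:12:00 +0000

Are we still meeting at noon?

From carol@example.test Fri Oct 18 10:30:00 2013
From: carol@example.test
To: dave@example.test
Subject: Invoice query
Date: Fri, 18 Oct 2013 10:30:00 +0000

Please send the transfer details to acct 12-34-56 by Monday.
"""

def search_mbox(path, terms, patterns):
    """Return (index, subject, matches) for each message that hits a term or regex."""
    hits = []
    box = mailbox.mbox(path)
    try:
        for i, msg in enumerate(box):
            # Simplification: only single-part bodies are searched (multipart gives None).
            payload = msg.get_payload(decode=True) or b""
            text = msg.get("Subject", "") + "\n" + payload.decode("utf-8", "replace")
            matched = [t for t in terms if t.lower() in text.lower()]
            matched += [p for p in patterns if re.search(p, text, re.IGNORECASE)]
            if matched:
                hits.append((i, msg.get("Subject", ""), matched))
    finally:
        box.close()
    return hits

def demo():
    """Write the constructed mailbox to a temporary file and search it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.mbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return search_mbox(path, ["invoice"], [r"\b\d{2}-\d{2}-\d{2}\b"])
```

In an examination this would be run against a working copy of the exported mailbox, never the original evidence file.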
Analysis Modes
A dead analysis occurs when a dedicated analysis system is used to
examine the data from a suspect system. In this case, Autopsy and
The Sleuth Kit are run in a trusted environment, typically in a lab.
A live analysis occurs when the suspect system is analyzed
while it is running. In this case, Autopsy and The
Sleuth Kit are run from a CD in an untrusted environment. This is often used during incident response
while the incident is being confirmed. After it is confirmed, the system can be
acquired and a dead analysis performed.
Case Management
Case Management: Investigations are organized by cases, each of which contains
at least one host. Each host is configured with its own time zone
setting and clock skew so that the times shown are the same as what
the original user would have seen. Each host contains at least one file
system image for analysis.
Event Sequencer: Time-based events can be added from file
activity or from IDS and firewall logs. Autopsy sorts the events so
that the sequence of events can be determined more
easily.
Image Integrity: Image integrity is critical for ensuring that files are not
modified during the analysis. By default, Autopsy generates an MD5
value for every file that is imported or created. The integrity of any
file that Autopsy uses can be validated whenever required.
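The effect of the per-host time zone and clock skew settings on event ordering, as an added example (not part of the original report and not Autopsy's implementation). Host names, offsets, skew values and events are all constructed; skew is assumed to be the number of seconds the host clock ran ahead of true time.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical per-host settings: UTC offset of the host's local clock and
# clock skew in seconds (positive = host clock ran ahead of true time).
HOSTS = {
    "suspect-pc": {"utc_offset_h": 1, "skew_s": 120},
    "firewall": {"utc_offset_h": 0, "skew_s": -5},
}

# Constructed events: (host, timestamp as recorded locally, source, description)
EVENTS = [
    ("suspect-pc", "2013-10-18 14:02:30", "file", "document modified"),
    ("firewall", "2013-10-18 13:00:10", "firewall", "outbound SMTP connection"),
    ("suspect-pc", "2013-10-18 14:01:50", "file", "mail client started"),
]

def normalise(host, stamp):
    """Convert a host-local timestamp to skew-corrected UTC."""
    cfg = HOSTS[host]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=cfg["utc_offset_h"]))
    utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return utc - timedelta(seconds=cfg["skew_s"])

def sequence(events):
    """Return events sorted by corrected UTC time, earliest first."""
    rows = [(normalise(h, ts), h, src, desc) for h, ts, src, desc in events]
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for when, host, src, desc in sequence(EVENTS):
        print(when.isoformat(), host, src, desc)
```

Sorted on the raw recorded timestamps, the firewall event would appear about an hour before both PC events; after correction it falls between them.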
2.2 ProDiscover
ProDiscover Forensic is a powerful computer security tool which
enables computer professionals to identify a large amount of information on a
computer's disk while also protecting evidence and creating effective evidentiary reports for
use in legal proceedings (Sammons, 2015). This product covers computer
forensics with tools for complete incident response. It includes all the essential IT
forensic functions: full disk imaging, file metadata information, hash-keeping and the ability to
find hidden data, as well as to gather data on disks from across the
network. All of the features are integrated into one main interface that is very task
efficient, with all the functionality in one place. The program performed well under our tests. Once the
interface layout became familiar, we found it to be a powerful tool, able to
fully image both the disk on our forensics test disk and a disk on a PC
on our network. Additionally, it was found to be highly efficient and quick, with accurate
imaging. The remote agents have a small footprint. The documentation is extensive and
provides clear explanations of the program's features. Innovation Pathways provides in-depth
support on its website, along with contact help by email and telephone, as well as an
online forum (Ray & Shenoi, 2011).
This product is good value compared with comparable products which are far
more expensive. The features of a fully capable network-based computer forensics
tool, combined with the ability to gather evidence remotely, make it excellent value.
This product is rated as our best buy in the computer forensics product category.
3 Locate Phase Product Comparison
3.1 Autopsy
Open the Autopsy tool. Click New Case to create a new case.
Enter the case name as Forensics_Case. Then, to save the disk image file, browse to the
directory and select the Next button.
Here, enter the optional information; the case number is 001. Next, select the Finish button
to create the Autopsy case file.
Next, add the data source by clicking Disk Image and selecting the Finish button.
Then, browse to the provided case file, which is the 2014 case file, and select the Open button.
Next, configure the ingest modules.
Finally, press the Finish button to add the data source.
The provided case file was then successfully added, as shown in the figure below.
The provided case file has three volumes and it is illustrated below.
3.2 ProDiscover
Open the ProDiscover tool. When the provided image file appears,
click Add Image. It is illustrated below.