PricingBlogAbout Us

Digital Forensics Report: Image Recovery and Analysis of USB Drive

Verified

Added on  2023/06/12

|19
|2319
|447
Report
AI Summary
This report presents a digital forensics investigation into the possible theft of intellectual property, focusing on the analysis of a USB drive and email communications. The investigation employs ProDiscover and Hex Workshop to recover corrupted image files, rebuild file headers, and reconstruct fragmented files. Key steps include identifying and extracting image clusters, repairing file headers using Hex Workshop to match standard JPEG formats, and reconstructing fragmented images by sequentially ordering and combining identified clusters. The findings confirm the recovery of images from the USB drive and highlight concerns regarding data communication, emphasizing the effectiveness of ProDiscover and WinHex in digital forensics investigations. Desklib provides this document as a valuable resource for students studying digital forensics, offering insights into practical techniques and tools used in real-world investigations.
Document Page
[Document title]
[Document subtitle]
[DATE]
[Company name]
[Company address]
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Table of Contents
Task 2.........................................................................................................................................2
Abstract..................................................................................................................................2
Introduction............................................................................................................................2
Analysis conducted................................................................................................................3
Search for and Recovering Digital photography Evidence....................................................3
Rebuilding File Header........................................................................................................10
Reconstructing File Fragments............................................................................................11
Findings................................................................................................................................14
References............................................................................................................................16
Document Page
Task 2
Abstract
The case at hand is about the possible theft of Intellectual Property by a contract employee in
company Exotic Mountain Tour Services (ETMS). The company has just finished an
extensive market analysis and customer service along with Superior Bicycles, LLC. The
reason for the investigation are the two emails that were captured and raises questions about
the data that have been communicated using the email to a competitor. The USB drive was
also found at the workstation on which the contract employee used to operate, the forensic
investigation is about the email and USB drive image and trying to recover as much as data
for the possible recovery of data that have been stolen.
Introduction
ProDiscover is the forensic tool that is used to analyze the disk images, it is windows based
forensic tool that can acquire and analyze the disk partitions. Though the features available
are quite large but only few of them are being used for the forensic purposes.
One of the most important aspect of the ProDiscover is that it can make the remote client
images while rest of the work can continue to work as ever. The forensic images created are
intact though the original disk being continuously being changed or manipulated. Though
ProDiscover is a paid software but available for trail based and student reporting non-
profitable purposes.
Another tool that is being used for this workshop is the Hex Workshop, it is Hex editor that is
developed by BreakPoint Company, it is Windows based utility and being used in several
forensic reporting by forensic experts around the world. The Hex Workshop allows the
feature of binary editing and interpretation of data along with the visualization of the same
like a flexibility of any modern-based word processor. With the help of WinHex forensic
expert can cut, copy, edit, paste, insert, delete any binary data. With the data in this native
structure can be worked upon using the WinHex as well as the data types with integrated
structure and smart bookmark option also being made available. The other useful operations
that are available are find or replace the data, sector location jump, performing various
arithmetic operations, logical operations over the data, generating the checksums and digests

This is a preview!

Do you want full access?

icon

Trusted by 1+ million students worldwide

Document Page
based on data and view character distributions, all of this report can be exported to HTML or
RTF for detailed publishing of the reports.
Analysis conducted
At the current moment a very little is known of the information on the USB drive of the
suspect intern. We need to ask yourself some basic questions as well as some important
assumptions that are made available in order to proceed in search of any information. There
were two emails that were being forwarded to the terrysadler@groowy.com and
baspen@aol.com, that matches the contract employee credentials and name. Next we need to
check the timestamp and date of the message that have been sent: 4 Feb 2007 9:21 PM, and
the 2007, 5:17 AM -08:00.
As the Jim Shu email sent to the terrysadler@groowy.com account that had been forwarded
to the baspen@aol.com account, the time stamp of the Jim Shu mail is later than the time
stamp used for the terrysadler@groowy.com that means the Jim Shu must be from the
western region with different time zone as the two email server’s time values have been off
due to the fact the time stamp are being provided by the server not the users.
With the next email asking the bob to alter all the data sent in image format to have their
extensions changed to .jpg to .txt and these files are about kayaks. Last message that have the
last line that is responded to the terrysadler@groowy.com that says that Bob cannot be
receive this message.
Search for and Recovering Digital photography Evidence
In this part we are going to recover the corrupted image file that might be there on the image
file provided by the EMTS, the examination would be about finding the “FIF” string, the
reason of using the “FIF” is because using JFIF and JPEG might lead to several other
previous image files that might be present over the USB drive. These false hits that are also
known as false hits needs to be examined and as a forensic investigator needs to verify each
and every file that we are actually looking for.
In order to examine the image C10InChp.eve following are the steps are being used in order
to observe it using the ProDiscover software:
1. Run ProDiscover Basic as Administrator on the Windows based PC and create a new
project named C10InChp, and numbered (1).
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
2. Add the image file (source book resources) C10InChp.eve provided:
Document Page

This is a preview!

Do you want full access?

icon

Trusted by 1+ million students worldwide

Document Page
3. In order to perform the cluster-based search over the image file for “FIF”, we need to
select the following parameters: Case Sensitive and Search for Pattern(s)
4. Now we check the first key search that highlights the “FIF” searched in blue color:
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
5. Now we double click on the first item located as “FIF” and it will show the location of the
search key, the location is exact on the item.
6. In order to be able to come on the original screen, click on the “FIF” item located, it will
show the location of the searched key and its location is exact on the item.
Document Page
7. Right-click on the files listed on the screen and select the option “Find File”.
8. Press “Yes”

This is a preview!

Do you want full access?

icon

Trusted by 1+ million students worldwide

Document Page
Lots of cluster would be shown on the screen in the list format:
9. Right-click gametour2 and select Copy File and save in exported files folder as
“recover1.jpg”
10. Save the Recover.jpg file and keep it for next use.
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Rebuilding File Header
As we know from the email communication that the hex bits offset was changed and in no
case we would be able to open it using the Image Viewer, for this purpose we need to
examine the file’s header so that we can match it to a good JPEG file or not, incase it doesn’t
we need to change the image file hex so that it matches the required image file header.
Following are the steps taken to recover the header of the image file using the Hex
Workshop:
1. Open Recover1.jpg using Hex Workshop tool.
2. Now as we can see that the data at the top of the window the values are starting from first
byte position (offset 0) are 7A 7A 7A 7A, and the sixth offset being 7A.
Document Page
3. As we can see that the any standard JFIF or JPEG file header are of values “FF D8 FF
E0”, we need to replace the values in the file with correct values.
4. In the right pane, click to the left of FIF, backspace to delete the z, and type J.
5. Finally save the file as “Fixed1,jpg”. After the repair of the header the file can be easily
opened using any of the image viewer available.
Reconstructing File Fragments
This is where we are going to reconstruct the fragmented image file having the corrupt
header. To recover the header and file, we need to do the following operations:
1. First, we need to locate all the clusters of fragmented image file.
2. Now as we have classified the clusters now we need to find the starting and ending
clusters of each fragmented group.

This is a preview!

Do you want full access?

icon

Trusted by 1+ million students worldwide

chevron_up_icon
1 out of 19
circle_padding
hide_on_mobile
zoom_out_icon
logo.png

Your All-in-One AI-Powered Toolkit for Academic Success.

  +13062052269
info@desklib.com

Available 24*7 on WhatsApp / Email

[object Object]
Unlock your academic potential

Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.