Digital Forensics Case Study: Workplace Clown Content Investigation
Added on 2023/06/03
Case Study
AI Summary
This case study delves into a computer forensics investigation involving the alleged access of illegal clown content in a workplace environment. The investigation begins with the seizure of a computer and the subsequent analysis of a forensic image using tools such as FTK Imager, Autopsy, and OSForensics. The analysis focuses on identifying clown-related content, determining the intent behind accessing such content, and quantifying the number of relevant files. The report details the installation and utilization of each forensic tool, providing justifications for each analytical step. Screenshots are included to demonstrate the results of the analysis, showcasing the presentation of content related to the offense. Furthermore, the study includes an analysis of events, a timeline creation, and the development of running sheets for the forensic tools and investigation. The ultimate goal is to determine whether the suspect owned and accessed the clown content, thereby proving the commission of a crime.

Computer Forensics

Executive Summary
Clown content is accessed from a computer in the workplace. The computer is seized and
investigated. The investigators look for clown content in the forensic image, using forensic
tools to search the given image. The investigation verifies whether the clown content was owned
and accessed on that particular computer, so that the commission of a crime can be proved. The
analysis covers identification, intent and the quantity of files. The forensic tools used are
Forensic Toolkit (FTK) Imager, Autopsy and OSForensics. The installation procedure is described
for each forensic tool, and the file analysis is carried out using these tools. A justification is
provided for each analysis, and the results of each analysis are shown through screenshots. The
content relating to the offence is presented. The events are analyzed and a timeline of the
events is created. Running sheets are also developed for the forensic tools and the
investigation.

Table of Contents
1. Introduction
2. Resources and Strategies
3. Progress
3.1 Presentation of content relating to offence
3.2 Identification
3.3 Intent
3.4 Quantity of Files
3.5 Installed Software
4. Conclusion
5. References
Appendix A – Running Sheet
Appendix B – Timeline of Events

1. Introduction
Computer forensics is also known as digital forensics. In this computer age, many crimes are
committed using computers. Computer forensics is used to find deleted files, passwords and
illegal content on a computer. A forensic image may be a copy of a hard disk, CD, DVD, etc. The
given forensic image will be investigated using appropriate tools, and the analysis of the
forensic image will be carried out (Al-Hadadi & AlShidhani, 2013). The forensic tools used for
the investigation will be installed, and their installation will be explained in detail. The
investigation will be carried out, and a justification will be given for every action taken in it
(Bodden, n.d.).
2. Resources and Strategies
The resources required for the investigation are Autopsy, OSForensics and FTK Imager.
The suspects and a system are also needed (Boddington, 2016). The tools used are explained
below.
FTK Imager
In computer forensics, many investigation tools are used. FTK Imager is one of the
tools used in computer forensics (Brinson, Robinson & Rogers, 2006). FTK stands for
Forensic Toolkit. FTK Imager is used for analyzing mails and looking for
specific characters. The components of FTK viewer are Password Recovery Toolkit, License
Manager, Forensic Toolkit, FTK Imager and Registry Viewer (Verolme & Mieremet, 2017).
The License Manager component is used to add or remove licenses on the dongle
and to purchase additional licenses. The License Manager also renews the subscription
and downloads product updates (Caloyannides & Caloyannides, 2004). To access the License
Manager component in FTK, go to Start > All Programs > AccessData > License Manager >
License Manager.
The Password Recovery Toolkit is used to crack passwords. The Registry Viewer component
provides access to protected areas of the registry. The protected areas of the
registry contain forensic data (Carbone, 2014). These cannot be accessed by the Windows
Regedit. The Registry Viewer may contain browser history, recently accessed file lists, the
installed programs list, usernames and passwords (Carlton & Matsumoto, 2011).
FTK Imager is used for making a copy of a hard drive, thumb drive, CD, etc. FTK Imager then
scans the hard drive, thumb drive or CD and looks for different kinds of data or
information, such as locating deleted files or emails, cracking encryption, etc. (Carlton &
Worthley, 2010).
Installation of FTK Imager
The installation of FTK Imager is explained below in detail.
Step 1: After downloading AccessData FTK Imager, install it on the system. Right-click
AccessData FTK Imager and select ‘Run as administrator’ (Casey, 2015). The wizard shown below
then appears, titled ‘Welcome to the InstallShield Wizard for AccessData FTK Imager’. Click
‘Next’ (Cohen, 2011).
Step 2: Select ‘I accept the terms in the license agreement’ and click ‘Next’.
Step 3: Select the destination folder for AccessData FTK Imager by clicking the ‘Change’
option. After changing the destination folder, click ‘Next’ (Cohen, 2012).
Step 4: Click ‘Install’ to begin the installation of AccessData FTK Imager (Computer
forensics, 2010).
Step 5: The installation starts. It is shown in the figure below.
Step 6: The screenshot below shows the installation of FTK Imager in progress.
Step 7: AccessData FTK Imager is successfully installed. After the installation, click ‘Finish’.
Step 8: The screenshot below shows the FTK Imager screen. It contains the Evidence Tree,
File List, Properties (Custom Content Sources) and Viewer.
The menu bar in FTK Imager has four items: the File menu, View menu, Mode menu
and Help menu (Dale & Becker, 2007). The File menu provides access to all the features in the
toolbar. The View menu customizes the appearance of FTK Imager. The Mode menu is used for
mode selection. The Help menu provides access to the FTK Imager user guide
(Wang, Xue, Zheng, Liu & Li, 2012).
Uses of FTK imager
The uses of FTK Imager are listed below.
• FTK Imager is used to create copies of DVDs, CDs, folders, files, hard drives, etc.
  Such a copy is called a ‘forensic image’ (Djozan, Baheri, Karimian & Shahidi, 2008).
• Using FTK Imager, folders and files can be exported from the forensic image.
• The hash functions in FTK Imager are used to create hashes of files. The available
  hash functions in FTK Imager are SHA-1 and MD5 ("Forensics - cred or crud?", 2005).
• The files and folders, as well as the contents of the forensic image, can be previewed.
• The image can be mounted for a read-only view.
• Deleted files can be recovered and viewed even after they are deleted from the recycle
  bin.
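The hashing use listed above, as an added Python example that is not part of the original report and is not FTK Imager's own code: it hashes an image stream with MD5 and SHA-1 in one pass and compares the result with the digests recorded at acquisition. The log layout, the function names and the three-byte sample "image" are constructed assumptions.

```python
import hashlib
import io
import re

# Assumed log layout (constructed): "<ALGO> checksum: <hex digest>" per line.
HASH_LINE = re.compile(r"^\s*(MD5|SHA1)\s+checksum:\s*([0-9a-f]+)\s*$", re.I)
DIGEST_LEN = {"md5": 32, "sha1": 40}  # hex characters per digest

# Constructed sample: a three-byte "image" and the digests logged for it.
SAMPLE_IMAGE = b"abc"
SAMPLE_LOG = """\
[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d
"""


def hash_stream(stream, chunk_size=1024 * 1024):
    """Return (md5_hex, sha1_hex) from one pass over a binary stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    # Read in chunks so a multi-gigabyte image never has to fit in memory.
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def parse_recorded_hashes(log_text):
    """Extract acquisition digests from the log, ignoring malformed values."""
    recorded = {}
    for line in log_text.splitlines():
        match = HASH_LINE.match(line)
        if not match:
            continue
        algo, digest = match.group(1).lower(), match.group(2).lower()
        if len(digest) == DIGEST_LEN[algo]:
            # Keep the first value seen: later lines must not override it.
            recorded.setdefault(algo, digest)
    return recorded


def verify_image(stream, log_text):
    """Compare freshly computed digests with the recorded ones, per algorithm."""
    recorded = parse_recorded_hashes(log_text)
    computed = dict(zip(("md5", "sha1"), hash_stream(stream)))
    status = {}
    for algo, digest in computed.items():
        if algo not in recorded:
            status[algo] = "not recorded"
        else:
            status[algo] = "match" if digest == recorded[algo] else "mismatch"
    return status


def is_verified(status):
    """Accept the working copy only if every digest was recorded and matches."""
    return all(value == "match" for value in status.values())


if __name__ == "__main__":
    print(verify_image(io.BytesIO(SAMPLE_IMAGE), SAMPLE_LOG))
```

For a real image, pass `open(path, "rb")` as the stream and the text of the acquisition log as `log_text`; a "not recorded" status means the log gave no usable digest for that algorithm, which is treated as a failed verification rather than a pass.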
Autopsy
Autopsy is used in digital forensics to investigate what happened on a system. It is
used by corporate examiners, the military and law enforcement (Hanji & Rajpurohit, 2013). It is a
platform for digital forensics (Ieong, 2006). Forensic tools use Autopsy as a graphical user
interface. Autopsy is also used to retrieve photos from memory cards. Autopsy is
used to examine a mobile phone or a hard drive, and the pieces of evidence on that mobile
phone or hard drive are then recovered (Young & Ortmeier, n.d.).
Autopsy is a free and cost-effective tool. It is also easy to install and use. Using
Autopsy reduces the budget of a digital forensic investigation. Autopsy is
multiplatform (Windows and UNIX).
Installation of Autopsy
The installation process of Autopsy is shown below step by step.
Step 1: After downloading Autopsy, install it on the system. Right-click Autopsy and
select ‘Install’. The wizard shown below then appears (Kessler, 2007), titled ‘Welcome to the
Autopsy Setup Wizard’. Click ‘Next’.
Step 2: Select the installation folder for Autopsy by clicking the ‘Browse’ option. After
changing the installation folder, click ‘Next’ (Kessler & Schirling, 2006).
Step 3: Click ‘Install’ to begin the installation of Autopsy.
Step 4: The installation of Autopsy starts. It is shown in the figure below.
Step 5: The screenshot below shows the installation of Autopsy in progress.