Computer Forensics Investigation and Techniques

seer forensics probe and TechniquesIntroductionI am the student of International Advanced fleece in ready reckoner Studies (IADCS). In this course, I draw to do Compute rhetorical fitting. The grant title is Didsbury Mobile Entertainments LTD. This assignment succors me understanding calculator forensics investigation and techniques in the lead this assignment, although I am interested in computing imposture forensic, I am hardly aimd ready reckoner forensics toolkit or do severally investigation. Beca uptake of this assignment, I comport learnt m some(prenominal) techniques how to suss out reckoner and finished with(p) it practic in work outlyy. So, by doing this assignment, I suffer gained in practical and much invaluable chi foundationeledge in calculating machine forensics.nd a heartfelt thanks to all the people in Myanma Computer Company Ltd. for their warmly welcome during the finis of the IADCS course and this assignment developed. undertaking 1i ) cut throughDIDSBURY MOBILE ENTERTAINMENTS LTD no5), Duku place, capital of Singapore Jan 10, 2010IntroductionComputer forensics involves obtaining and analyzing digital in info workattingion for figuring out what happened, when it happened, how it happened and who was involved. What is to a greater extent(prenominal) than, it is use as reason in civil, criminal, or administrative cases.Reasons for a demand for figurer forensic investigationComputer forensics investigation nates domesticate thousands of deleted mails, fuck be when the drug exploiter lumber into the organization and what he does, buns determine the pauperism and intent of the user, piece of tail seem keywords in a hard jabbing in opposite languages and lowlife gain study against an employee that an organization wished to terminate. For these reasons, in night club to feel whether Jalitha has been spending her time on her friend bank line or non, we aim a figurer forensic investigation.St eps to pursue the investigationIn order to pursue the investigation, I would take the quest travel1) Secure the computer agreement to warrant that the equipment and teaching atomic fig 18 safe2) Find every ap story on the computer mud, including shows that argon encrypted, protected by passwords, un bedn or deleted, simply non unless overwritten.3) Copy all wedges and persist on this imitation strengths as rileing a consign toilet alter its authorized protect4) Start a detailed journal with the era and time and mesh/ cultivation observed5) Collect netmail, DNS, and some other ne iirk service records6) poll with various computer forensics tools and softw be placement7) Print out an overall summary8) Evaluating the selective information/ info get to determine the caseConclusion laterwards we know the reasons and ill-uses for investigation, thusly we should move on to conduct the investigation. However, we should annotating that the first ste p of investigation is critical as if the dodge is not secure, because the distinguish or selective information we found whitethorn not be admissible.ii a) Report for The procedures to plant sure the go over holds up in tourist court of justiceDIDSBURY MOBILE ENTERTAINMENTS LTDNo(5), Duku place, SingaporeJan 12, 2010Introduction attest is any physical or electronic information (such(prenominal)(prenominal) as computer log cross- charge ups, information, spread overs, hardwargon, disc attribute, etc) that is put in during a computer forensic investigation. The purpose of garner cause is to help determine the source of the attack, and to introduce the evince as testimony in a court of reasonedity.Procedures to make sure the state holds up in courtIn order to make the demonstrate admissible in court, we need to follow the following steps1) in advance any point faecal matter be gathered, a warrant moldiness be issued so that forensic specialist has the legal aut hority to seize, retroflex and understand the entropy2) Have the responsibility to ensure that the law and the principles we employ ar met3) order must be obtained in a dash which ensures the authenticity and stiffness and that no tampering had taken place4) bring in the grasp of workforce is es moveial for preparing evidence as it shows the evidence was amass from the agreement in question, and was stored and managed without alteration.5) Extracted/ applicable evidence is becomingly turn tod and protected from subsequently mechanical or electromagnetic damage6) Preventing viruses from being introduced to a computer during the analysis do7) To ensure that captain evidence must be described in complete details to present reliable evidence on the court8) Must ar place to answer reliability questions relating to the software we have utiliseConclusionIn gathering evidence, authenticity, reliability and chain of custody are important aspects to be considered. By follo wing the preceding(prenominal) steps, we are proper in handling the evidence holds up in court.ii b) secernate formDidsbury Mobile Entertainments LtdIT DepartmentComputer investigationCase No.005Investigation OrganizationGold Star investigator march on Pa Pa AyeNature of CaseCompanys policy entrancement case locating where evidence was obtainedOn suspects office desk description of evidenceVendor bring inModel No./ Serial No. fact 1 ace CDSonyItem 2A 4GB snap memory windingKingston05360-374.A00LFItem 3Evidence find byWin Pa Pa Aye mesh eon10.12.20091000 AMEvidence Placed in LockerE2419Date Time15.12.20091100 AMItem Evidence Processed byDescription of EvidenceDate/ Time1Win Pa Pa AyeFully call uped deleted e-mail on the drive which is sent to Radasas company, including info exchange among the businesses.13.12.2009300 PM2Win Pa Pa AyeEncrypted memorial hidden inside a bitmap consign. Decrypted and salvage on another(prenominal) media.18.12.2009900 AM3Win Pa Pa AyePa ssword-protected memorandum covering the exchange of information with her friend. Password crazy and commit deliver on another media.22.12.2009200 PM labor movement 2Report for the modality the entropy is stored, cathexis tasks and turn out up tasks for Windows and Linux schemasTo effectively investigate computer evidence, we must understand how the almost frequent operate frames work in normal and how they store bills in particular. The graphic symbol of data record cabinet remains an operational arranging uses determines how info is stored on the dish antenna. The bill ashes is the general earn given to the logical constructions and software routines employ to control access to the storage on a hard disk corpse and it is commonly related to an operating remains. To know the way the entropy is stored in Windows XP and Linux, we need to get into buck systems of Windows and Linux.The way the entropy is stored in Windows XPIn Windows XP, although it harbours some(prenominal) different show systems, NTFS is the primary shoot down system for Windows XP. So, we bequeath have a look in NTFS as the NTFS system offers better action and features than a FAT16 and FAT 32 system.NTFS divides all profi padle places into clusters and supports almost all sizings of clusters from 512 bytes up to 64 Kbytes. And NTFS disk is symbolically shared out into two part MFT (Master File Table) domain and files storage area. The MFT consumes roughly 12% of the disk and contains information about all files finalised on the disk. This holds the system file employ by the operating system. MFT is divided into get ins of the fixed sizing ( unremarkably 1 Kbytes), and each record corresponds to some file. Records indoors the MFT are referred to as meta- information and the first 16 records are reserved for system files. For reliability, the first trinity records of MFT file is copied and stored just now in the middle of the disk and the remaining bottom be stored anywhere of the disk. The remaining 88% of disk space is for file storage. Below is the district structure of NTFS system. aft(prenominal) we know the file system of Windows XP, then we will move on to the file system of Linux.The way the data is stored in LinuxWhen it comes to Linux file system, ext2 has been the inattention file system as it main reinforcements is its expedite and extremely robust. However, there is a risk of data loss when abrupt crashes occur and take long time to recover. sometimes the recovery may as well as end up with corrupt files. By using the advantage of ext2 and add some data loss protective covering and recovery slewnonball along led to the development of journaling file system ext3 and ReiserFs. though ext2, ext3 and ReiserFs are the most popular file system, there are to a fault some other file system employ in the Linux orbit such as JSF and XFS.As Linux views all file systems from the perspective of a common dictated of objects, there are four objects super pig out, inode, dentry and file. The super shut down is a structure that represents a file system which includes vital information about the system. Moreover, it includes the file system name (such as ext2), the size of the file system and its state, a reference to the block device, and meta-data information. It also keeps track of all the nodes. Linux keeps multiple copies of the superblock in various locations on the disk to prevent losing such vital information. either object that is managed within a file system (file or directory) is correspond in Linux as an inode. The inode contains all the meta-data to manage objects in the file system. another(prenominal) set of structures, called dentries, is employ to translate between names and inodes, for which a directory cache exists to keep the most-recently use around. The dentry also maintains relationships between directories and files for traversing file systems. Finally, a V FS (Virtual file system) file represents an dependent file (keeps state for the open file such as the hold open offset, and so on). eyepatch the majority of the file system code exists in the eye (except for user-space file systems), (2.3) shows the Linux file system from the point of view of high-ranking architecture and the relationships between the major file system-related components in both user space and the nubble.The chill task and start up task of Windows XPA good understanding of what happens to disk data at inaugural is also an important aspect as accessing to a computer system aft(prenominal) it was used for illicit reasons bum alter the disk evidence. First, we will deal about the Windows XP startup and recoil dish, and then tip into the startup and frisson suffice of Linux.Like any other PC system, Windows XP startup by running the POST test, playing an initialization of its adroit system devices, and performing a system guardianship process. The ge t up process mystifys when the BIOS starts looking through the system for a traverse arouse record (MBR). This record empennage reside on drive C or at any other location in the system. When the BIOS execute the master boot record on the hard drive, the MBR probes the disks naval division table to commit the active partition. The boot process then moves to the boot sector of that partition located in the first sector of the active partition. in that respect, it finds the code to go loading the secondhand Bootstrap Loader from the root directory of the boot drive.In NTFS partition, the bootstrap loader is named NTLDR and is responsible for loading XP operation system into memory. When the system is powered on, NTLDR reads the Boot.ini file. If boot.ini contains more than one operating system entry, a boot menu is displayed to the user, according the user to choose which operating system is to be loaded. fig (2.4) shows Boot.ini contains two operating systems and allows u ser to choose. afterwards the user has selected the desired room to boot to, NTLDR runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll and the startup device drivers. After the file system driver has loaded, control is then passed from NTLDR to the kernel. At this time, Windows XP display Windows logo.Virtually, all applications we installed using the default installation try that they should start up when windows starts. Under Startup tab in the system configuration good, a list of political programs that run when our system boots is listed. Fig (2.6) shows the listed program when our system boots.The boot task and start up task of LinuxAfter we have get into the start up process of Windows XP, we will then shift into the startup process of Linux. In Linux, the catamenia of control during a boot is also from BIOS, to boot loader, to kernel. When you turn on the power, the BIOS perform hardware-platform peculiar(prenominal) startup tasks. Once the hardware is recognized and star ted correctly, the BIOS fill and executes the partition boot code from the designated boot device, which contains Linux boot loader.Linux Loader (LILO) is the Linux utility that initiates the boot process, which usually runs from the disks MBR. LILO is a boot manager that allows you to start Linux or other operating systems, including Windows. If a system has two or more operating systems, LILO gives a prompt asking which operating system the user wishes to initialize.When the user chooses the boot option, it then loads the choosing operating system into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. The kernel then performs the majority of system setup (memory management, device initialization) ahead spawning separately, the unwarrantable process and scheduler and the init process which is executed in user space. The scheduler takes control of the system management. The init process executes scripts as needed that set up all non-operating system services and structures in order to allow a user surroundings to be created, and then presents the user with a login screen.We have described about the way the data stored, the boot task and startup task of Windows XP and Linux. After a thorough study of these areas, we fucking get into or make out the evidence properly.Task 3a) Features equivalence of EnCase, irritate entropys Forensic and ProDiscoverFeatures of focusing EnCase Forensic* In courts worldwide, forensically film data in a sound manner using software with an uneven record* victimisation a single tool and investigate and psycho try multiple platforms* With prebuilt EnScript modules such as initialized Case and Event Log analysis, it feces automate tangled and routine tasks, so it save time in analyzing* Find information despite efforts to hide, cloak or delete* dejection easily handle large volumes of computer evidence, view all relevant files that includes deleted files, file make relaxed and unallocated space* Directly transfer evidence files to law enforcement or legal representatives as necessary* Include review options that allow non-investigators to review evidence easily* Include report options that enable ready report preparationFeatures of gate informations Forensic prickingkit* Provides integrated solution that is no need to barter for multiple tools to complete a case.* Provides integrated database that suspend application crashes, disconnected work and intersection instability.* Identify encrypted files automatically from more than 80 applications and collapse those files.* hurts international language that allows us easily search and view foreign-language data in our native format* Include electronic mail analysis that can recover and analyze a wide range of telecommunicate and entanglement mail formats* Can generate different industry-standard report formats quickly and in s hort* Collect key information from the registry that include user information, date of application installed, hardware, time zone and recently used information* While processing takes place, we can view and analyze dataFeatures of ProDiscover* To keep master key evidence safe, it create bit-stream copy of disk for analyzing that includes hidden HPA section* For complete disk forensic analysis, it search files or unblemished disk including ease up space, HPA section and Windows NT/2000/XP alternate data streams* Without alter data on the disk, it can preview all files including metadata and hidden or deleted files* Support for VMware to run a captured characterization.* In order to ensure nothing is hidden, it probe data at the file or cluster level* To see data integrity, it can generate and record MD5, SHA1 and SHA256 chop upes automatically.* Examine FAT12, FAT16, FAT 32 and all NTFS file systems including Dynamic Disk and Software RAID for supreme flexibility.* Examine s unbathe Solaris UFS file system and Linux ext2 / ext3 file systems.* integrated thumbnail graphics, meshwork history, event log file, and registry viewers to facilitate investigation process.* Integrated viewer to examine .pst /.ost and .dbx e-mail files.* Utilize Perl scripts to automate investigation tasks.* Extracts EXIF information from JPEG files to identify file creators.* Automated report generation in XML format saves time, improves accuracy and compatibility.* graphical user interface interface and integrated help function assure quick start and ease of use.* Designed to NIST Disk Imaging Tool Specification 3.1.6 to meet high quality. entrance feeData FTK v2.0Guidance EnCase Forensic 6.0ProDiscover ForensicReport for Choosing Access Datas Forensic ToolkitI think Access Datas Forensic Toolkit is the most advantageous for our lab as it provides more forensic run features than Encase and ProDiscover. In the evidence aspects, Access Data can acquire files and folders than others. So, it can be a powerful tool when we analyze files for evidence. Moreover, it uses database to support large volume of data that can avoid application crashes, upset work and product instability for our lab.As Access Data is a GUI-based utility that can run in Windows XP, 2000, Me, or 9x operating system and it demo random variable has most of the selfsame(prenominal) features as full-licensed version, use multi-threading to perfect CPU usage, has task scheduler to optimize time and can view and analyze data piece processing takes place, it meets the requirements of our lab. What is more, it supports international language so we can call back data no matter which languages they are using.On concealment of that, it is powerful in searching, recovery, email and graphic analysis. Because of these reasons and by viewing the supra forensic tools comparison chart, I can reason out that Access Datas Forensic Toolkit is the most proficient for our lab.b) Forensic AnalysisR eport for Analyzing FAT32, NTFS and CDFS file system utilise Access Datas FTKTask 4a) MD5 haschischeesh take accounts of bmp, doc, xls files all in all chop up determines generated by the MD5 earlier modification is not the same with the haschisch look upon generated after(prenominal) modification.b) Why chop set are same or differentA hash harbor is a numeric pry of a fixed length that unique(p)ly identifies data. Data can be compared to a hash order to determine its integrity. Data is hashed and the hash pry is stored. At a later time or after the data has been received from mail, the data is hashed again and compared to the stored hash or the hash time value it was sent to determine whether the data was altered.In order to compare the hash set, the original hashed data must be encrypted or kept dark from all untrusted parties. When it compared, if the compared hashed value are the same, then the data has not been altered. If the file has been modified or corrup ted, the MD5 produces different hash values.In task 4 (a), first we created a doc file with data in this file, then we generated hash values of doc file with MD5. The hash value of info.doc file is da5fd802f47c9b5bbdced35b9a1202e6. After that, we made a modification to that info.doc file and regenerate the hash values. The hash value after modifying is 01f8badd9846f32a79a5055bfe98adeb. The hash value is completely different after modifying. past we created a cv.xls file and generated the hash value. Before modifying, the hash value is ef9bbfeec4d8e455b749447377a5e84f. After that we add one record to cv.xls file and regenerated hash values. After modifying, ccfee18e1e713cdd2fcf565298928673 hash value is produced. The hash value changed in cv.xls file after data altered.Furthermore, we created fruit.bmp file to compare the hash value before and after modification. The hash value before modifying is 8d06bdfe03df83bb3942ce71daca3888 and after modifying is 667d82f0545f0d187dfa0227ea2c7ff 6. So, the hash values comparison of bmp files is completely different after data has been modified.When we encrypted the text file into each cooking stove file, the text file is not visible in the two-baser viewing utility and each mountain range file is akin its original epitome file. However, the comparison of the hash values of each epitome file before and after inserting petty subject matters is completely different. As each image file has been altered by inserting footling meat, the regenerated hash value is totally different from the original hash values.On top of that, the original image file size has been changed after inserting short messages. The raster image file has slightly increased its file size after it has been modified. The raster image file size is increased from 50.5 KB to 50.7 KB. However, of the remaining three, two image files transmitter and metafile have decrease its file size a little sharply. The original file size of transmitter is 266 KB and has been decreased to 200 KB after modified. The metafile also decreased from 313 KB to 156 KB. only(prenominal) the bitmap is remains stable as its file size does not increase or decrease.In a nut shell, we can conclude that the hash value would change if the file has been modified. However, depending on the file format, the file size can increase, decrease or remain stable.d) Report for differences of bitmap, raster, transmitter and metafileA bitmap image is a computer file and it is compile with dots or pixels that form an image. The pixel of bitmap is stored resembling a grid, precise square. When we use the blusher program, we can see the bitmap pixel is kindred a block and it is draw or clear block by block. A raster image is also a collection of pixels but the image stored pixels in rows to make it easy to scar. And raster image is resolving power dependent. It cannot scale up to an arbitrary resolve without loss of apparent quality. This is overcome by the transmit ter image.Vector image is made up of many individual, scalable objects. These objects are defined by mathematical equations rather than pixels, so it always fall in at the highest quality. There are many attributes in vector like color, fill and outline. The attributes can be changed without destroying the basic object.Metafile is a combination of raster and vector graphics, and can have the characteristics of both image types. However, if you create a metafile with raster and vector and enlarge it, the area of raster format will lose some resolution while the vector formatted area remains sharp and clear.If we have wooly-minded an image file, before doing anything, we should be familiar with the data patterns of known image file types. Then the recovery process starts. The first step in recovery is to recover portions file from slack space and free space. The fragment file can locate the promontory data that is fond(p)ly overwritten. So, we use Drivespy to identify accomplis hable unallocated data sets that contain the full or partial image principal values.To locate and recover the image principal, we need to know the absolute jump cluster and ending cluster. If not, we could collect the wrong data. Using Drivespy, we can know started cluster number and file size of image that we want to recover. To know the exact ending cluster, add the total number of clusters assigned to the head start cluster position. As we have known the size of image file, we can calculate the total number of clusters. Then, we can locate the image file and retrieve image header.After we get the header value, open the file with Microsoft Photo Viewer. If the file has been opened successfully, then recovery of image file has been completed. If not, we need to use the Hex Workshop to examine the header of the file.Task 5Report for Investigation that prove Naomis purityBefore we begin tracing an email, we should know which email is illegal and what constitutes an email crime. Illegal email includes selling narcotics, extortion, sexual harassment, stalking, fraud, child abductions, and child pornography.As Jazebel has received an ill-scented email, so we need to access the victim computer and copy and print the offensive email to recover the evidence contained in the email. Microsoft Outlook, Outlook shew or any other GUI email programs supports for write the email from inbox to the place that we want to by dragging the message to the storage place. When copying email, the header of the email must be include as it contains unique identifying numbers, such as IP address of the waiter that sent the message. This helps us when tracing the email.After copy and printing the message, we should retrieve the email header to get the sender IP address. Right snarl on the message and choose message options to retrieve the email header. The following shows the header information that retrieved from the mail of the victim computer.At line 1(10.140.200.11) shows t he IP address of the server send the e-mail, and provides a date and time that the anger e-mails was sent. Although when we see at line 5, the victim is seemed to be Jezebel, however, line 1 identifies that the e-mail that is sent from the IP address (10.140.200.11) is the same as the victims computer IP address. So, we can conclude that Naomi does not include in sending offensive e-mail. She is whiteness and the victim, Jezebel himself, is the one who send the offensive e-mails.ReferencesComputer Forensics texthttp//www.computerforensicsworld.com/index.phphttp//www.crime-research.org/library/Forensics.htmhttp//ixbtlabs.com/articles/ntfs/www.wikipedia.comComputer Forensics Investigation and TechniquesComputer Forensics Investigation and TechniquesIntroductionI am the student of International Advanced Diploma in Computer Studies (IADCS). In this course, I have to do Compute Forensic assignment. The assignment title is Didsbury Mobile Entertainments LTD. This assignment helps me un derstanding computer forensics investigation and techniquesBefore this assignment, although I am interested in computer forensic, I am hardly used computer forensics toolkit or done any investigation. Because of this assignment, I have learnt many techniques how to investigate computer and done it practically. So, by doing this assignment, I have gained in practical and much valuable knowledge in Computer Forensics.nd a heartfelt thanks to all the people in Myanma Computer Company Ltd. for their warmly welcome during the period of the IADCS course and this assignment developed.Task 1i) ReportDIDSBURY MOBILE ENTERTAINMENTS LTDNo(5), Duku place, Singapore Jan 10, 2010IntroductionComputer forensics involves obtaining and analyzing digital information for figuring out what happened, when it happened, how it happened and who was involved. What is more, it is use as evidence in civil, criminal, or administrative cases.Reasons for a need for computer forensic investigationComputer forensic s investigation can recover thousands of deleted mails, can know when the user log into the system and what he does, can determine the motivation and intent of the user, can search keywords in a hard drive in different languages and can gain evidence against an employee that an organization wished to terminate. For these reasons, in order to know whether Jalitha has been spending her time on her friend business or not, we need a computer forensic investigation.Steps to pursue the investigationIn order to pursue the investigation, I would take the following steps1) Secure the computer system to ensure that the equipment and data are safe2) Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten.3) Copy all files and work on this copy files as accessing a file can alter its original value4) Start a detailed journal with the date and time and date/information discovered5) Collect email, DNS, and othe r network service logs6) Analyze with various computer forensics tools and software7) Print out an overall analysis8) Evaluating the information/data recovered to determine the caseConclusionAfter we know the reasons and steps for investigation, then we should move on to conduct the investigation. However, we should note that the first step of investigation is critical as if the system is not secure, then the evidence or data we found may not be admissible.ii a) Report for The procedures to make sure the evidence holds up in courtDIDSBURY MOBILE ENTERTAINMENTS LTDNo(5), Duku place, SingaporeJan 12, 2010IntroductionEvidence is any physical or electronic information (such as computer log files, data, reports, hardware, disk image, etc) that is collected during a computer forensic investigation. The purpose of gathering evidence is to help determine the source of the attack, and to introduce the evidence as testimony in a court of law.Procedures to make sure the evidence holds up in c ourtIn order to make the evidence admissible in court, we need to follow the following steps1) Before any evidence can be gathered, a warrant must be issued so that forensic specialist has the legal authority to seize, copy and examine the data2) Have the responsibility to ensure that the law and the principles we used are met3) Evidence must be obtained in a manner which ensures the authenticity and validity and that no tampering had taken place4) Tracking the chain of custody is essential for preparing evidence as it shows the evidence was collected from the system in question, and was stored and managed without alteration.5) Extracted/ relevant evidence is properly handled and protected from later mechanical or electromagnetic damage6) Preventing viruses from being introduced to a computer during the analysis process7) To ensure that original evidence must be described in complete details to present reliable evidence on the court8) Must arrange to answer reliability questions rel ating to the software we have usedConclusionIn gathering evidence, authenticity, reliability and chain of custody are important aspects to be considered. By following the above steps, we are proper in handling the evidence holds up in court.ii b) Evidence formDidsbury Mobile Entertainments LtdIT DepartmentComputer InvestigationCase No.005Investigation OrganizationGold StarInvestigatorWin Pa Pa AyeNature of CaseCompanys policy violation caseLocation where evidence was obtainedOn suspects office deskDescription of evidenceVendor NameModel No./ Serial No.Item 1One CDSonyItem 2A 4GB flash memory deviceKingston05360-374.A00LFItem 3Evidence Recovered byWin Pa Pa AyeDate Time10.12.20091000 AMEvidence Placed in LockerE2419Date Time15.12.20091100 AMItem Evidence Processed byDescription of EvidenceDate/ Time1Win Pa Pa AyeFully recovered deleted email on the drive which is sent to Radasas company, including data exchange between the businesses.13.12.2009300 PM2Win Pa Pa AyeEncrypted documen t hidden inside a bitmap file. Decrypted and saved on another media.18.12.2009900 AM3Win Pa Pa AyePassword-protected document covering the exchange of information with her friend. Password cracked and file saved on another media.22.12.2009200 PMTask 2Report for the way the data is stored, boot tasks and start up tasks for Windows and Linux systemsTo effectively investigate computer evidence, we must understand how the most popular operating systems work in general and how they store files in particular. The type of file system an operating system uses determines how data is stored on the disk. The file system is the general name given to the logical structures and software routines used to control access to the storage on a hard disk system and it is usually related to an operating system. To know the way the data is stored in Windows XP and Linux, we need to get into file systems of Windows and Linux.The way the data is stored in Windows XPIn Windows XP, although it supports severa l different file systems, NTFS is the primary file system for Windows XP. So, we will have a look in NTFS as the NTFS system offers better performance and features than a FAT16 and FAT 32 system.NTFS divides all useful places into clusters and supports almost all sizes of clusters from 512 bytes up to 64 Kbytes. And NTFS disk is symbolically divided into two parts MFT (Master File Table) area and files storage area. The MFT consumes about 12% of the disk and contains information about all files located on the disk. This includes the system file used by the operating system. MFT is divided into records of the fixed size (usually 1 Kbytes), and each record corresponds to some file. Records within the MFT are referred to as meta-data and the first 16 records are reserved for system files. For reliability, the first three records of MFT file is copied and stored exactly in the middle of the disk and the remaining can be stored anyplace of the disk. The remaining 88% of disk space is f or file storage. Below is the partition structure of NTFS system.After we know the file system of Windows XP, then we will move on to the file system of Linux.The way the data is stored in LinuxWhen it comes to Linux file system, ext2 has been the default file system as it main advantages is its speed and extremely robust. However, there is a risk of data loss when sudden crashes occur and take long time to recover. Sometimes the recovery may also end up with corrupt files. By using the advantage of ext2 and add some data loss protection and recovery speed led to the development of journaling file system ext3 and ReiserFs. Though ext2, ext3 and ReiserFs are the most popular file system, there are also some other file system used in the Linux world such as JSF and XFS.As Linux views all file systems from the perspective of a common set of objects, there are four objects superblock, inode, dentry and file. The superblock is a structure that represents a file system which includes vi tal information about the system. Moreover, it includes the file system name (such as ext2), the size of the file system and its state, a reference to the block device, and meta-data information. It also keeps track of all the nodes. Linux keeps multiple copies of the superblock in various locations on the disk to prevent losing such vital information.Every object that is managed within a file system (file or directory) is represented in Linux as an inode. The inode contains all the meta-data to manage objects in the file system. Another set of structures, called dentries, is used to translate between names and inodes, for which a directory cache exists to keep the most-recently used around. The dentry also maintains relationships between directories and files for traversing file systems. Finally, a VFS (Virtual file system) file represents an open file (keeps state for the open file such as the write offset, and so on).While the majority of the file system code exists in the kernel (except for user-space file systems), (2.3) shows the Linux file system from the point of view of high-level architecture and the relationships between the major file system-related components in both user space and the kernel.The boot task and start up task of Windows XPA good understanding of what happens to disk data at startup is also an important aspect as accessing to a computer system after it was used for illicit reasons can alter the disk evidence. First, we will discuss about the Windows XP startup and boot process, and then shift into the startup and boot process of Linux.Like any other PC system, Windows XP startup by running the POST test, performing an initialization of its intelligent system devices, and performing a system boot process. The boot process begins when the BIOS starts looking through the system for a master boot record (MBR). This record can reside on drive C or at any other location in the system. When the BIOS execute the master boot record on the har d drive, the MBR examines the disks partition table to locate the active partition. The boot process then moves to the boot sector of that partition located in the first sector of the active partition. There, it finds the code to begin loading the Secondary Bootstrap Loader from the root directory of the boot drive.In NTFS partition, the bootstrap loader is named NTLDR and is responsible for loading XP operation system into memory. When the system is powered on, NTLDR reads the Boot.ini file. If boot.ini contains more than one operating system entry, a boot menu is displayed to the user, allowing the user to choose which operating system is to be loaded. Fig (2.4) shows Boot.ini contains two operating systems and allows user to choose.After the user has selected the desired mode to boot to, NTLDR runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll and the startup device drivers. After the file system driver has loaded, control is then passed from NTLDR to the kernel. At this time, Wind ows XP display Windows logo.Virtually, all applications we installed using the default installation decide that they should start up when windows starts. Under Startup tab in the system configuration utility, a list of programs that run when our system boots is listed. Fig (2.6) shows the listed program when our system boots.The boot task and start up task of LinuxAfter we have get into the start up process of Windows XP, we will then shift into the startup process of Linux. In Linux, the flow of control during a boot is also from BIOS, to boot loader, to kernel. When you turn on the power, the BIOS perform hardware-platform specific startup tasks. Once the hardware is recognized and started correctly, the BIOS loads and executes the partition boot code from the designated boot device, which contains Linux boot loader.Linux Loader (LILO) is the Linux utility that initiates the boot process, which usually runs from the disks MBR. LILO is a boot manager that allows you to start Linux or other operating systems, including Windows. If a system has two or more operating systems, LILO gives a prompt asking which operating system the user wishes to initialize.When the user chooses the boot option, it then loads the choosing operating system into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. The kernel then performs the majority of system setup (memory management, device initialization) before spawning separately, the idle process and scheduler and the init process which is executed in user space. The scheduler takes control of the system management. The init process executes scripts as needed that set up all non-operating system services and structures in order to allow a user environment to be created, and then presents the user with a login screen.We have described about the way the data stored, the boot task and startup task of Windows XP and Linux. After a thorough study of these areas, we can acquire or handle the evidence properly.Task 3a) Features comparison of EnCase, Access Datas Forensic and ProDiscoverFeatures of Guidance EnCase Forensic* In courts worldwide, forensically acquire data in a sound manner using software with an unparallel record* Using a single tool and investigate and analyze multiple platforms* With prebuilt EnScript modules such as initialized Case and Event Log analysis, it can automate complex and routine tasks, so it save time in analyzing* Find information despite efforts to hide, cloak or delete* Can easily handle large volumes of computer evidence, view all relevant files that includes deleted files, file slack and unallocated space* Directly transfer evidence files to law enforcement or legal representatives as necessary* Include review options that allow non-investigators to review evidence easily* Include report options that enable quick report preparationFeatures of Access Datas Forensic Toolk it* Provides integrated solution that is no need to purchase multiple tools to complete a case.* Provides integrated database that avoid application crashes, lost work and product instability.* Identify encrypted files automatically from more than 80 applications and crack those files.* Supports international language that allows us easily search and view foreign-language data in our native format* Include email analysis that can recover and analyze a wide range of email and web mail formats* Can generate different industry-standard report formats quickly and concisely* Collect key information from the registry that include user information, date of application installed, hardware, time zone and recently used information* While processing takes place, we can view and analyze dataFeatures of ProDiscover* To keep original evidence safe, it create bit-stream copy of disk for analyzing that includes hidden HPA section* For complete disk forensic analysis, it search files or entire disk including slack space, HPA section and Windows NT/2000/XP alternate data streams* Without alter data on the disk, it can preview all files including metadata and hidden or deleted files* Support for VMware to run a captured image.* In order to ensure nothing is hidden, it examine data at the file or cluster level* To prove data integrity, it can generate and record MD5, SHA1 and SHA256 hashes automatically.* Examine FAT12, FAT16, FAT 32 and all NTFS file systems including Dynamic Disk and Software RAID for maximum flexibility.* Examine Sun Solaris UFS file system and Linux ext2 / ext3 file systems.* Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate investigation process.* Integrated viewer to examine .pst /.ost and .dbx e-mail files.* Utilize Perl scripts to automate investigation tasks.* Extracts EXIF information from JPEG files to identify file creators.* Automated report generation in XML format saves time, improves accuracy and c ompatibility.* GUI interface and integrated help function assure quick start and ease of use.* Designed to NIST Disk Imaging Tool Specification 3.1.6 to insure high quality.AccessData FTK v2.0Guidance EnCase Forensic 6.0ProDiscover ForensicReport for Choosing Access Datas Forensic ToolkitI think Access Datas Forensic Toolkit is the most beneficial for our lab as it provides more forensic examination features than Encase and ProDiscover. In the evidence aspects, Access Data can acquire files and folders than others. So, it can be a powerful tool when we analyze files for evidence. Moreover, it uses database to support large volume of data that can avoid application crashes, lost work and product instability for our lab.As Access Data is a GUI-based utility that can run in Windows XP, 2000, Me, or 9x operating system and it demo version has most of the same features as full-licensed version, use multi-threading to optimize CPU usage, has task scheduler to optimize time and can view an d analyze data while processing takes place, it meets the requirements of our lab. What is more, it supports international language so we can retrieve data no matter which languages they are using.On top of that, it is powerful in searching, recovery, email and graphic analysis. Because of these reasons and by viewing the above forensic tools comparison chart, I can conclude that Access Datas Forensic Toolkit is the most beneficial for our lab.b) Forensic AnalysisReport for Analyzing FAT32, NTFS and CDFS file system Using Access Datas FTKTask 4a) MD5 hash values of bmp, doc, xls filesAll hash values generated by the MD5 before modification is not the same with the hash value generated after modification.b) Why hash values are same or differentA hash value is a numeric value of a fixed length that uniquely identifies data. Data can be compared to a hash value to determine its integrity. Data is hashed and the hash value is stored. At a later time or after the data has been received f rom mail, the data is hashed again and compared to the stored hash or the hash value it was sent to determine whether the data was altered.In order to compare the hash values, the original hashed data must be encrypted or kept secret from all untrusted parties. When it compared, if the compared hashed values are the same, then the data has not been altered. If the file has been modified or corrupted, the MD5 produces different hash values.In task 4 (a), first we created a doc file with data in this file, then we generated hash values of doc file with MD5. The hash value of info.doc file is da5fd802f47c9b5bbdced35b9a1202e6. After that, we made a modification to that info.doc file and regenerate the hash values. The hash value after modifying is 01f8badd9846f32a79a5055bfe98adeb. The hash value is completely different after modifying.Then we created a cv.xls file and generated the hash value. Before modifying, the hash value is ef9bbfeec4d8e455b749447377a5e84f. After that we add one re cord to cv.xls file and regenerated hash values. After modifying, ccfee18e1e713cdd2fcf565298928673 hash value is produced. The hash value changed in cv.xls file after data altered.Furthermore, we created fruit.bmp file to compare the hash value before and after modification. The hash value before modifying is 8d06bdfe03df83bb3942ce71daca3888 and after modifying is 667d82f0545f0d187dfa0227ea2c7ff6. So, the hash values comparison of bmp files is completely different after data has been modified.When we encrypted the text file into each image file, the text file is not visible in the image viewing utility and each image file is like its original image file. However, the comparison of the hash values of each image file before and after inserting short messages is completely different. As each image file has been altered by inserting short message, the regenerated hash value is totally different from the original hash values.On top of that, the original image file size has been changed a fter inserting short messages. The raster image file has slightly increased its file size after it has been modified. The raster image file size is increased from 50.5 KB to 50.7 KB. However, of the remaining three, two image files vector and metafile have decreased its file size a little sharply. The original file size of vector is 266 KB and has been decreased to 200 KB after modified. The metafile also decreased from 313 KB to 156 KB. Only the bitmap is remains stable as its file size does not increase or decrease.In a nut shell, we can conclude that the hash value would change if the file has been modified. However, depending on the file format, the file size can increase, decrease or remain stable.d) Report for differences of bitmap, raster, vector and metafileA bitmap image is a computer file and it is collected with dots or pixels that form an image. The pixel of bitmap is stored like a grid, tiny square. When we use the paint program, we can see the bitmap pixel is like a bl ock and it is draw or clear block by block. A raster image is also a collection of pixels but the image stored pixels in rows to make it easy to print. And raster image is resolution dependent. It cannot scale up to an arbitrary resolution without loss of apparent quality. This is overcome by the vector image.Vector image is made up of many individual, scalable objects. These objects are defined by mathematical equations rather than pixels, so it always render at the highest quality. There are many attributes in vector like color, fill and outline. The attributes can be changed without destroying the basic object.Metafile is a combination of raster and vector graphics, and can have the characteristics of both image types. However, if you create a metafile with raster and vector and enlarge it, the area of raster format will lose some resolution while the vector formatted area remains sharp and clear.If we have lost an image file, before doing anything, we should be familiar with the data patterns of known image file types. Then the recovery process starts. The first step in recovery is to recover fragments file from slack space and free space. The fragment file can locate the header data that is partially overwritten. So, we use Drivespy to identify possible unallocated data sets that contain the full or partial image header values.To locate and recover the image header, we need to know the absolute starting cluster and ending cluster. If not, we could collect the wrong data. Using Drivespy, we can know started cluster number and file size of image that we want to recover. To know the exact ending cluster, add the total number of clusters assigned to the starting cluster position. As we have known the size of image file, we can calculate the total number of clusters. Then, we can locate the image file and retrieve image header.After we get the header value, open the file with Microsoft Photo Viewer. If the file has been opened successfully, then recovery of im age file has been completed. If not, we need to use the Hex Workshop to examine the header of the file.Task 5Report for Investigation that prove Naomis innocenceBefore we begin tracing an email, we should know which email is illegal and what constitutes an email crime. Illegal email includes selling narcotics, extortion, sexual harassment, stalking, fraud, child abductions, and child pornography.As Jazebel has received an offensive email, so we need to access the victim computer and copy and print the offensive email to recover the evidence contained in the email. Microsoft Outlook, Outlook Express or any other GUI email programs supports for copying the email from inbox to the place that we want to by dragging the message to the storage place. When copying email, the header of the email must be included as it contains unique identifying numbers, such as IP address of the server that sent the message. This helps us when tracing the email.After copy and printing the message, we shoul d retrieve the email header to get the sender IP address. Right click on the message and choose message options to retrieve the email header. The following shows the header information that retrieved from the mail of the victim computer.At line 1(10.140.200.11) shows the IP address of the server sending the e-mail, and provides a date and time that the offending e-mails was sent. Although when we see at line 5, the victim is seemed to be Jezebel, however, line 1 identifies that the e-mail that is sent from the IP address (10.140.200.11) is the same as the victims computer IP address. So, we can conclude that Naomi does not include in sending offensive e-mail. She is innocence and the victim, Jezebel himself, is the one who send the offensive e-mails.ReferencesComputer Forensics Textbookhttp//www.computerforensicsworld.com/index.phphttp//www.crime-research.org/library/Forensics.htmhttp//ixbtlabs.com/articles/ntfs/www.wikipedia.com