I am Zayar, a student from MCC-Yangon studying for the International Advanced Diploma in Computer Studies offered by NCC Education. For my diploma I have to study four core subjects and three elective subjects, including the assignments and a project.
The purpose of this assignment is to demonstrate a comprehensive understanding of computer forensics investigation and techniques.
To begin with, I would like to express my deep gratitude to my parents for their help and all kinds of support throughout my assignment period. Next, I am very grateful to U Tin Win Aung (Chairperson of MCC).
I am also grateful to Lecturer U Win Hlaing (who teaches Computer Forensics), Lecturer U Nyein Oo (who teaches Database Systems), Lecturer U Yar Zar (who teaches Database Systems) and Lecturer U Aung Thu Tun (who teaches Enterprise Networking). Our course manager, Daw , is also an unforgettable person to be grateful to. I am also thankful to all of my classmates.
Description: The IT Department ordered me to pursue the given case.
My reasoning about Jalitha's case is as follows. The case report is:
- Type of case --- Employee violates company policy
- Nature of case --- Side business during company time
I consider that Jalitha's case needs a computer forensic investigation, because she may have used the computer systems and software of Disbury Mobile Entertainment, a company that produces mobile phone games. According to the scenario, she has been spending company time on her friend Radasa's private business. There are many ways the company's software could be transferred to her friend. One way is that she uses a data storage device such as a pen drive or CD. Another way is that she uses the Internet's email service. Computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court.
ii). The following are the steps I would take to pursue the investigation:
- Firstly, I want to get a search warrant from the company.
- I want to interview her and search her workplace for suspect items.
- Acquire the computer's hard disks and storage devices from Jalitha.
- Fill out the evidence form; Jalitha signs it, and an authorized person from the company and I sign it.
- Store the evidence devices in an evidence bag and transport the evidence to my computer-forensic facility/lab.
- Secure the evidence devices in an approved secure container.
- Prepare my computer-forensic workstation and suitable forensic tools.
- Obtain the evidence from the secure evidence container.
- Make a forensic copy of the evidence devices for analysis and recovery.
- Return the evidence devices to the secure evidence container.
- Process the copied evidence device with my computer-forensic tools.
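As an added example that is not part of this assignment, the following Python script models the "make a forensic copy" and "fill out the evidence form" steps above: it copies a source image byte for byte, hashes the source before and after the copy as well as the copy itself, and records the result as an evidence-form entry. The case number, item number and names are constructed placeholders, and the source is a small constructed sample file rather than a real disk.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # read evidence in 1 MiB pieces so a large disk image does not fill RAM


def hash_file(path, algorithm="md5"):
    """Hex digest of a file, computed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_forensic_copy(source, dest):
    """Byte-for-byte copy of `source` (opened read-only) to `dest`, verified by hashing.
    Returns a record that proves the original was not altered and the copy matches it."""
    before = hash_file(source)
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after_source = hash_file(source)   # original must hash the same after the copy
    copy_hash = hash_file(dest)
    return {
        "source": source,
        "copy": dest,
        "size_bytes": os.path.getsize(source),
        "md5_source_before": before,
        "md5_source_after": after_source,
        "md5_copy": copy_hash,
        "verified": before == after_source == copy_hash,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def evidence_form(record, case_no, item_no, investigator, custodian):
    """Evidence-form entry with the fields the investigation steps call for."""
    return {
        "case_no": case_no,
        "item_no": item_no,
        "description": f"Forensic copy of {os.path.basename(record['source'])}",
        "size_bytes": record["size_bytes"],
        "md5": record["md5_copy"],
        "verified": record["verified"],
        "acquired_by": investigator,
        "released_by": custodian,
        "acquired_at_utc": record["acquired_at_utc"],
    }


def demo():
    """Run the acquisition on a constructed sample 'disk' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence_disk.img")
    with open(src, "wb") as f:   # constructed content: two zero/0xff runs around a short text
        f.write(b"\x00" * 4096 + b"constructed sample disk contents" + b"\xff" * 4096)
    rec = make_forensic_copy(src, os.path.join(workdir, "evidence_disk_copy.img"))
    # placeholder case number, item number and names (not from the assignment)
    form = evidence_form(rec, "CASE-0001", 1, "Zayar", "Company IT manager")
    print(json.dumps(form, indent=2))
    return form


if __name__ == "__main__":
    demo()
```

On a real acquisition the source would be the device node behind a write blocker and the copy a raw image; the verification logic is the same, and the "verified" field is what the evidence form should show before the original goes back into the secure container.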
Task-1(ii). Investigator Report
Description: To be sure the evidence holds up in court
- Sufficient information is needed to support a search warrant and an affidavit. The company's attorney may direct the CF investigator to submit an affidavit, a sworn statement of the facts about the evidence of a crime, to a judge requesting a search warrant prior to the seizure of evidence. After a judge approves and signs the search warrant, the next step can begin.
- Gathering the evidence: fill out the evidence form; the suspect employee signs it, an authorized person from the company signs it, and the CF investigator signs it.
- Assessing the scope of the case:
Situation - Employee violates the company's policy
Nature of case - Spending company time with her friend, presumably running a side business during company time
Specifics about the case - Her co-workers reported to her supervisor that the employee has been spending company time on her friend's private business.
Type of evidence - Hard disk
Operating system - Microsoft Windows XP
Known disk format - NTFS
Location of evidence - One 3.4-inch hard disk taken from the employee's workstation at her desk.
- The information is turned over to the head of department.
- Present the collected evidence, with a report and the evidence form, to the company's attorney.
- The evidence is then presented in court, after which a verdict is handed down by a judge, an administrative law judge, or a jury.
- The CF investigator should be prepared to answer the judge's questions.
'A file system provides the means an operating system uses to determine how data is stored on the disk. A file system is usually directly related to an operating system.' Nelson B et al (2002: p74)
A directory is a group of files. Directories are divided into two types:
- Root directory - Strictly speaking, there is only one root directory in a system, denoted by / (forward slash). It is the root of the entire file system and cannot be renamed or deleted.
- Subdirectory - A directory under the root (/) directory is a subdirectory, which can be created and renamed by the user.
i). The way data is stored in Windows systems
Microsoft makes data storage in the Windows OS easy for every user. In the Microsoft file structure, sectors are grouped together to form clusters, which are storage allocation units of 512, 1024, 2048, 4096 or more bytes. Clusters combine to make larger blocks of data that work as one larger storage unit; combining sectors minimizes the overhead of writing files to or reading files from a disk. The operating system groups one or more sectors into one cluster. Clusters are numbered sequentially starting at two, because the first section of every disk contains a system area, the boot record and a file structure database. Clusters are assigned by the operating system and are referred to as logical addresses. Sectors are referred to as physical addresses because they reside at the hardware or firmware level.
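The cluster arithmetic in the paragraph above, worked through in Python as an added example (not code from the assignment): how many clusters a file occupies, how much file slack it leaves in its last cluster, and how a logical address (cluster number, starting at 2) maps to a physical address (sector number). The cluster size, the sector at which the data area begins and the file's first cluster are assumed values chosen for the example.

```python
SECTOR_SIZE = 512        # bytes per physical sector
FIRST_DATA_CLUSTER = 2   # clusters are numbered from 2; the system area comes before them


def clusters_needed(file_size, cluster_size):
    """Whole clusters the OS allocates for a file (ceiling division; 0 for an empty file)."""
    return 0 if file_size == 0 else -(-file_size // cluster_size)


def slack_bytes(file_size, cluster_size):
    """Unused bytes at the end of the file's last cluster (file slack)."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def cluster_to_sector(cluster, cluster_size, data_area_start_sector):
    """Logical address (cluster number) -> physical address (first sector of that cluster).
    data_area_start_sector is the sector where cluster 2 begins, after the boot record
    and the file structure database."""
    if cluster < FIRST_DATA_CLUSTER:
        raise ValueError("data clusters are numbered from 2")
    if cluster_size % SECTOR_SIZE:
        raise ValueError("cluster size must be a multiple of the sector size")
    sectors_per_cluster = cluster_size // SECTOR_SIZE
    return data_area_start_sector + (cluster - FIRST_DATA_CLUSTER) * sectors_per_cluster


def locate_file(file_size, cluster_size, data_area_start_sector, first_cluster):
    """Where a contiguously stored file lives on disk and how much slack it leaves.
    Assumes the clusters are contiguous (no fragmentation) for simplicity."""
    count = clusters_needed(file_size, cluster_size)
    sectors_per_cluster = cluster_size // SECTOR_SIZE
    first_sector = cluster_to_sector(first_cluster, cluster_size, data_area_start_sector)
    return {
        "clusters": list(range(first_cluster, first_cluster + count)),
        "first_sector": first_sector,
        "last_sector": first_sector + count * sectors_per_cluster - 1,
        "allocated_bytes": count * cluster_size,
        "slack_bytes": slack_bytes(file_size, cluster_size),
    }


if __name__ == "__main__":
    # assumed layout: 4096-byte clusters, data area starting at sector 8192, file at cluster 5
    print(locate_file(10_000, 4096, 8192, 5))
```

The slack bytes are why forensic tools look past the logical end of a file: whatever occupied those sectors before is still there until the cluster is reused.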
i). The way data is stored in Linux systems
In Linux, the file system is divided into two categories:
User data - stores the actual data contained in files
Metadata - stores file system structural information such as the superblock, inodes and directories
Inode - Inodes provide a mechanism that links data stored in data blocks. The block is the smallest amount of data that can be allocated in a UNIX or Linux file system.
A UNIX file system is a collection of stored files and directories. Each file system is stored in a separate whole disk partition. The following are a few of the file systems:
/ - Special file system that incorporates the files under several directories, including /dev, /sbin, /tmp, etc.
/usr - Stores application programs
/var - Stores log files, mail and other data
/tmp - Stores temporary files
All UNIX files are defined as objects, which means that a file, as in an object-oriented programming language, has properties and methods (actions such as writing, deleting and reading) that can be performed on it. UNIX consists of four components that define the file system: the boot block, superblock, inode and data block. The basic storage unit of a UNIX or Linux file system is the data block. As in the Microsoft file system structures, the Linux file system on a PC has 512-byte sectors. Typically a data block consists of 4096 or 8192 bytes made up of clusters of hard disk sectors. When a file is stored, its data blocks are grouped and a unique inode is assigned.
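To make the metadata/user-data split concrete, here is an added Python example (not from the assignment) that reads the inode metadata Linux keeps for a file and shows that a second directory entry (a hard link) points at the same inode and therefore the same data blocks. It creates its own 100-byte sample file in a temporary directory and assumes a Linux host, where st_blocks is reported in 512-byte units.

```python
import os
import tempfile


def inode_summary(path):
    """Metadata the file system keeps for a name, separate from the file's user data."""
    st = os.stat(path)
    return {
        "inode": st.st_ino,                      # inode the directory entry points to
        "size": st.st_size,                      # bytes of user data
        "links": st.st_nlink,                    # how many names point at this inode
        "allocated_bytes": st.st_blocks * 512,   # Linux reports st_blocks in 512-byte units
        "block_size": st.st_blksize,             # preferred I/O block size of the file system
    }


def demo():
    """Constructed sample: one 100-byte file reached through two directory entries."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "notes.txt")
    with open(original, "wb") as f:
        f.write(b"x" * 100)
    linked = os.path.join(workdir, "notes_link.txt")
    os.link(original, linked)   # second name, same inode, same data blocks
    return inode_summary(original), inode_summary(linked)


if __name__ == "__main__":
    for name, info in zip(("notes.txt", "notes_link.txt"), demo()):
        print(name, info)
```

The directory entries are metadata; deleting one name only drops the link count, and the data blocks stay allocated as long as another name (or an open file handle) still refers to the inode, which is why a file can be "deleted" from one place yet still be fully present on disk.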
ii). The boot tasks and startup tasks for Windows systems
Windows systems perform the following steps when the computer is turned on:
- Power-On Self Test (POST) - A self-test is performed by the power supply to ensure that the voltage and current levels are correct before the Power Good signal is sent to the processor. When this first stage is cleared, the microprocessor triggers the BIOS to perform a series of operations.
- Initial Startup - The system now determines the sequence of devices to load from, based on the settings stored in the BIOS, in order to start the operating system. It starts by reading from the first boot device.
- Boot Loader - Control is then passed to the partition loader code, which accesses the partition table to identify the primary partition, extended partitions and active partition. This is needed to determine the file system and locate the operating system loader file, NTLDR. NTLDR reads the boot.ini file, located in the root directory, to determine the location and entries of the operating system boot partition. NTLDR then passes all information from the Windows registry and boot.ini to Ntoskrnl.exe.
- Hardware Detection, Configuration and Kernel Loading - Ntoskrnl begins to load the XP kernel, the hardware abstraction layer and registry information. After this is completed, control is passed to the DOS-based Ntdetect.com program, which collects and configures all installed hardware devices, such as video adapters and communication ports, searches for hardware profile information and loads the essential software drivers that control the hardware devices.
- User logon - Ntoskrnl.exe starts Winlogon.exe, which triggers Lsass.exe (Local Security Administration).
In Windows systems, the NT Loader (NTLDR) file loads the operating system. NTLDR is located in the root folder of the system partition.
Boot.ini specifies the path of the Windows system installation. That file is located in the root folder of the system partition.
Ntoskrnl.exe is the Windows OS kernel. It is located in the system root's Windows\System32 folder.
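Since NTLDR's boot.ini is the file that tells an examiner which partition and folder the operating system was booted from, here is an added Python example (not part of the assignment) that parses a boot.ini and breaks each ARC path into its disk, partition and system root. The boot.ini text is constructed for the example, not taken from the case machine; a second entry with a /noexecute switch is included to show that the parser keeps switches containing an equals sign intact.

```python
import re

# Constructed boot.ini for the example (assumed layout, not from any real machine).
BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP (second install)" /fastdetect /noexecute=optin
"""

# ARC path: multi(controller)disk(disk)rdisk(physical disk)partition(1-based number)\folder
ARC_RE = re.compile(r"multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\\S*)")


def parse_arc_path(path):
    """Split an ARC path into the disk/partition it names and the system root folder."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    return {"controller": int(m.group(1)), "disk": int(m.group(2)), "rdisk": int(m.group(3)),
            "partition": int(m.group(4)), "system_root": m.group(5)}


def parse_boot_ini(text):
    """Return timeout, the default ARC path and every [operating systems] entry."""
    result = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")      # split at the first '=' only: switches may contain '='
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                result["timeout"] = int(value)
            elif key.lower() == "default":
                result["default"] = parse_arc_path(value)
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)', value)   # "label" followed by optional switches
            label, switches = (m.group(1), m.group(2).split()) if m else (value, [])
            entry = parse_arc_path(key)
            entry.update(label=label, switches=switches)
            result["entries"].append(entry)
    keys = ("controller", "disk", "rdisk", "partition", "system_root")
    for entry in result["entries"]:
        entry["is_default"] = bool(result["default"]) and all(entry[k] == result["default"][k] for k in keys)
    return result


if __name__ == "__main__":
    parsed = parse_boot_ini(BOOT_INI)
    for e in parsed["entries"]:
        print(f"partition {e['partition']} {e['system_root']}: {e['label']} "
              f"{' '.join(e['switches'])}{' (default)' if e['is_default'] else ''}")
```

The partition number and system root together tell you where to look for Ntoskrnl.exe, the registry hives and the event logs of the installation that actually booted, which matters when an evidence disk carries more than one Windows installation.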
ii). The boot tasks and startup tasks in Linux systems
Linux systems perform the following steps when the computer is turned on:
- Start-up - The BIOS (Basic Input/Output System, held in read-only memory) performs hardware-platform-specific startup tasks. The BIOS then loads and executes the partition boot code from the designated boot device, which contains the Linux boot loader (LILO).
- Boot Loader - The Linux boot loader (LILO) calls the OS kernel. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. Another Linux boot loader, GRUB, supports both direct and chain-loading boot methods, LBA, Linux file systems, and "a true command-based, pre-OS environment on x86 machines". It has three interfaces: a selection menu, a configuration editor, and a command-line console. The new GRUB version 2 has support for the ext4 file system.
- Hardware Detection and Configuration - The first task of the kernel is to identify all devices. It then configures the identified devices and starts the system and associated processes.
- User Logon - After the kernel becomes operational, the system is usually booted to user mode, where the user can log on. Typically, single-user mode is an optional feature that allows the user to access various modes, such as a maintenance mode. As the kernel finishes loading, it identifies the root directory, the system swap file, and the dump file.
- Linux Loader (LILO) is the Linux utility that initiates the boot process, usually running from the disk's MBR (Master Boot Record). LILO is a boot manager that allows you to start Linux or other operating systems, including Windows.
The kernel in Linux handles all operating system processes, such as memory management, task scheduling, I/O, interprocess communication, and overall system control.
Task-3(a) Compare EnCase, AccessData's Forensic Toolkit and ProDiscover
Description: The feature set I found to be most beneficial for my lab
I want to use two forensic toolkits for my lab: AccessData FTK® and ProDiscover®.
Firstly, I found that AccessData FTK® search technology has been validated by a federal court in contested electronic discovery. AccessData provides the technology and training that empower law enforcement, government agencies and corporations to perform thorough computer investigations of any kind with speed and efficiency. Recognized throughout the world as an industry leader, AccessData delivers court-validated, state-of-the-art computer forensic, password cracking and decryption solutions. AccessData's Forensic Toolkit® and enterprise investigative solutions enable organizations to preview, search for, analyze, process and forensically preserve electronic evidence for the purposes of criminal and internal investigations, incident response, eDiscovery and information assurance. In addition, AccessData is a leading provider of digital forensics training and certification with its much sought after AccessData Certified Examiner® (ACE®) program.
Second, ProDiscover® Forensics is a key tool for effective computer forensic analysis. It is not possible to hide data from ProDiscover® Forensics, as it reads the disk at the sector level. This least intrusive approach also allows you to examine files without altering any valuable metadata such as the last time accessed. ProDiscover Forensics will not alter any data on the disk, period! ProDiscover® Forensics can recover deleted files, examine slack space and access Windows Alternate Data Streams. It can even dynamically allow you to preview, search and image the Hardware Protected Area (HPA) of the disk using a patent-pending process.
So I can work on many OS platforms, and these two toolkits are sufficient and powerful enough for my lab.
Task-3(b) AccessData FTK's File System Analysis
AccessData FTK File System Analysis (FAT32, NTFS, CDFS)
EnCase FTK's File System Analysis
FAT32 file system
NTFS file system
CDFS file system
Task-4(a) Generate MD5 hash values
a). Bmp file
(Screenshots: the BMP file and its generated hash value; the BMP file after modification and its regenerated hash value; the DOC file and its generated hash value; the DOC file after modification and its regenerated hash value; the XLS file and its generated hash value; the XLS file after modification and its regenerated hash value.)
Task-4(b). Hash Values Report
A hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum, usually a single integer that may serve as an index to an array. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
An MD5 hash value, known as a checksum for a file, is 128 bits long (like a fingerprint). There is a very small possibility of getting two identical hashes for two different files. The MD5 hash consists of a small amount of binary data, typically no more than 128 bits. A hash value's length is determined by the algorithm used and does not depend on the size of the file. The most common hash value lengths are 128 or 160 bits.
The hash values are not the same, because we compared the original file with the modified file (Task-4(a)):
MD5 hash values (screenshots: after modifying the Bmp file; after modifying the Doc file; after modifying the Xls file)
We can see that their MD5 hash values are not the same. A hash value is the output of a hashing algorithm. Hashes can be used both for comparing files and for integrity control, which is useful in computer forensic investigation. Each time a particular file is hashed using the same algorithm, exactly the same hash value is produced.
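The hash behaviour described in Task-4(a) and (b), repeated in Python as an added example (not code from the assignment): a small BMP is constructed in memory, hashed with MD5 (128 bits) and SHA-1 (160 bits), then a single bit of pixel data is inverted and the file is hashed again. The size stays the same, hashing the unchanged file twice gives the same digest, and the one-bit change produces a completely different MD5.

```python
import hashlib
import struct


def make_bmp(width, height, rgb=(255, 0, 0)):
    """Build a minimal uncompressed 24-bit BMP in memory (constructed test file)."""
    row = bytes(rgb[::-1]) * width                 # BMP stores pixels as BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)      # each row is padded to a 4-byte boundary
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return header + dib + pixels


def digests(data):
    """MD5 (128-bit) and SHA-1 (160-bit) hex digests of a byte string."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def flip_one_bit(data, offset):
    """Copy of data with the lowest bit of one byte inverted."""
    modified = bytearray(data)
    modified[offset] ^= 0x01
    return bytes(modified)


def differing_bits(hex_a, hex_b):
    """How many bits of two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare_original_and_modified():
    original = make_bmp(4, 4)
    modified = flip_one_bit(original, 54)   # first pixel byte, right after the 54 header bytes
    d_orig, d_mod = digests(original), digests(modified)
    return {
        "same_size": len(original) == len(modified),
        "md5_original": d_orig["md5"],
        "md5_modified": d_mod["md5"],
        "md5_repeatable": digests(original)["md5"] == d_orig["md5"],   # same input, same hash
        "md5_bits": len(d_orig["md5"]) * 4,
        "sha1_bits": len(d_orig["sha1"]) * 4,
        "md5_bits_changed": differing_bits(d_orig["md5"], d_mod["md5"]),
    }


if __name__ == "__main__":
    for key, value in compare_original_and_modified().items():
        print(f"{key}: {value}")
```

Roughly half of the 128 digest bits change for a one-bit edit, which is the property that makes a hash useful as an integrity check: a file whose digest matches the recorded value has not been altered, and a file whose digest differs has, even if its size and appearance are unchanged.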
Task-4(c) Graphic image files: analysing the hash value
Bitmap file (screenshots): the bitmap file before inserting text with the steganography tool, and its hash value; inserting the message with the steganography tool and pressing the Hide button; saving the result as another file; the bitmap file after the message was inserted; extracting the message from that image with the steganography tool (Extract button); the hash value of the bitmap file after the message was inserted.
Raster file (screenshots): the raster file before inserting with the steganography tool, and its hash value; inserting the message with the steganography tool; the raster file, and its hash value.
Vector file (screenshots): the vector file before inserting the message with the steganography tool, and its hash value; inserting the message in the vector file with the steganography tool; the vector file after the message was inserted, and its hash value.
Meta file (screenshots): the meta file before inserting the message with the steganography tool, and its hash value; inserting the message with the steganography tool and extracting it; the meta file after the message was inserted, and its hash value.
The steganography tool I used is Steganography (hide your secrets), together with MD5 hash values. We can compare the file's size before and after inserting the message.
Their sizes are not the same: after inserting the message, the image file is larger than the original image file. The MD5 hash values are also not the same.
I also used the forensic analysis tool Hex Workshop. When I compared and analysed the two files forensically, I could see that they are quite different from each other, but the outward appearance of the two files did not change.
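The kind of byte-level comparison Hex Workshop performs, written as an added Python example (not code from the assignment or from Hex Workshop): it lists the byte ranges where two files differ, the difference in size, and the bytes that exist only at the end of the larger file, and prints the differing regions as hex-editor style lines. The two buffers are constructed for the example: 512 bytes standing in for pixel data, and a copy with a few low bits altered plus a trailing payload, the same shape of change that the steganography tool produced in the screenshots above.

```python
def diff_ranges(a, b):
    """Byte ranges [(start, end), ...] (end exclusive) where a and b differ,
    over the length the two files have in common."""
    ranges, start = [], None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    return ranges


def compare_files(a, b):
    """Summary of how file b differs from file a."""
    ranges = diff_ranges(a, b)
    return {
        "size_a": len(a),
        "size_b": len(b),
        "size_delta": len(b) - len(a),
        "differing_ranges": ranges,
        "differing_bytes": sum(end - start for start, end in ranges),
        "appended": b[len(a):],   # bytes present only at the end of the larger file
    }


def hexdump_line(data, offset, width=16):
    """One hex-editor style line: offset, hex bytes, printable ASCII."""
    chunk = data[offset:offset + width]
    hexpart = " ".join(f"{x:02x}" for x in chunk)
    text = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
    return f"{offset:08x}  {hexpart:<{width * 3}} {text}"


def demo():
    """Constructed pair: 512 bytes of 'pixel data' and a copy with low bits changed
    at two places plus a trailing payload. Returns the comparison report."""
    original = bytes(range(256)) * 2
    modified = bytearray(original)
    for offset in list(range(54, 62)) + list(range(200, 204)):
        modified[offset] ^= 0x01          # least significant bit changed: invisible to the eye
    modified += b"hidden-payload-marker"  # extra bytes: the file grows
    modified = bytes(modified)
    report = compare_files(original, modified)
    for start, _ in report["differing_ranges"]:
        print("original ", hexdump_line(original, start))
        print("modified ", hexdump_line(modified, start))
    print(f"size {report['size_a']} -> {report['size_b']} (+{report['size_delta']}), "
          f"{report['differing_bytes']} bytes differ, appended {report['appended']!r}")
    return report


if __name__ == "__main__":
    demo()
```

A hash only tells you that two files differ; the byte comparison tells you where and how, which is what lets an examiner say whether the change is in pixel data, in a header, or appended after the image.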
Task-4(d) Image File Format Report
Bitmap Image File and Raster Image File (format extension names: bmp and rif)
Bitmap images are collections of dots, or pixels, that form an image. Bitmap images store graphic information as grids of individual pixels, short for picture elements. The quality of a bitmap image displayed on a computer monitor is governed by screen resolution, which determines the amount of detail displayed in the image. Raster images are also collections of pixels, but store these pixels in rows to make the images easy to print. In most cases, printing an image converts, or rasterizes, the image to print the pixels line by line instead of processing the complete collection of pixels. The following list indicates the number of bits used per colored pixel:
1 bit = 2 colors
4 bits = 16 colors
8 bits = 256 colors
16 bits = 65,536 colors
24 bits = 16,777,216 colors
Vector Image File (format extension name: vsd)
Vector images are mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Vector files are different from bitmap and raster files: a raster image uses dots and the vector format uses lines. A vector file stores only the mathematics for drawing lines and shapes; a graphics program converts the calculations into the appropriate image.
Metafile Graphic (format extension name: wmf)
Metafile image files combine raster and vector graphics, and can have the characteristics of both image types.
Locating and recovering these image files if lost
When we lose these image files, we could use the tools Windows and DOS provide to recover them, but using these tools is time-consuming and their results are difficult to verify. Instead, we should use computer forensics tools dedicated to analyzing image files. Computer forensics investigative tools analyze images based on information contained in the image file itself. An image file also contains a header with instructions for displaying the image. Each type of image file has its own header, and examining the header helps us identify the file format; we can compare a known good file header with that of a suspected file. Recovering pieces of a file is called salvaging, also known as carving. To carve image file data from file slack space and free space, we should be familiar with the data patterns of known image file types. Most computer forensics programs recognize these data patterns so that we can identify image file fragments, which is the first step in recovering deleted data. After we recover the pieces of a fragmented image file, we can restore it and then view it.
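Header identification and carving, as described above, implemented in Python as an added example (not code from the assignment or from any forensic product). It goes a little beyond the text by handling three formats: a BMP, whose header carries the file length, and JPEG and PNG, which are carved from their header signature to their footer signature. The "free space" it scans is constructed in the script itself and includes a stray "BM" inside leftover text, so the check that rejects a false header hit is exercised.

```python
import struct

# (type, header signature, footer signature or None when the header carries the file length)
SIGNATURES = [
    ("bmp", b"BM", None),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND"),
]


def identify(data):
    """Compare the first bytes with known good headers to name the format."""
    for name, header, _ in SIGNATURES:
        if data.startswith(header):
            return name
    return None


def _bmp_end(blob, start):
    """End offset of a BMP whose header starts at `start`, or None if the header is bogus."""
    if start + 18 > len(blob):
        return None
    size = struct.unpack_from("<I", blob, start + 2)[0]        # bfSize: whole file length
    dib_size = struct.unpack_from("<I", blob, start + 14)[0]   # DIB header length
    if size < 54 or start + size > len(blob) or dib_size not in (12, 40, 108, 124):
        return None
    return start + size


def carve(blob):
    """Salvage image files from unallocated or slack space by their data patterns."""
    found, pos = [], 0
    while pos < len(blob):
        hit = None
        for name, header, footer in SIGNATURES:        # earliest header of any type wins
            i = blob.find(header, pos)
            if i != -1 and (hit is None or i < hit[0]):
                hit = (i, name, header, footer)
        if hit is None:
            break
        start, name, header, footer = hit
        if footer is None:
            end = _bmp_end(blob, start)
        else:
            j = blob.find(footer, start + len(header))
            end = None if j == -1 else j + len(footer) + (4 if name == "png" else 0)  # PNG IEND has a 4-byte CRC
        if end is None:       # false hit ('BM' in text) or truncated file: move on by one byte
            pos = start + 1
            continue
        found.append({"type": name, "offset": start, "length": end - start, "data": blob[start:end]})
        pos = end
    return found


def make_sample_free_space():
    """Constructed 'free space': three tiny images separated by leftover text."""
    pixels = b"\x00\x00\xff" * 2 + b"\x00\x00"   # one 2-pixel row, padded to 4 bytes
    bmp = (b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
           + struct.pack("<IiiHHIIiiII", 40, 2, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
           + pixels)
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x11\x22\x33\x44"
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    return (b"free space BM text leftover " + bmp + b"more deleted content " + jpg
            + b"...............  " + png + b"trailing junk")


if __name__ == "__main__":
    for f in carve(make_sample_free_space()):
        print(f"{f['type']} at offset {f['offset']}, {f['length']} bytes, header check: {identify(f['data'])}")
```

Real carvers add more validation (for instance checking that a BMP's pixel-array offset and dimensions agree with the file length) and handle fragmented files; the signature scan shown here is the first step the text describes, and the `identify` check is the known-good-header comparison.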
E-mail Abuse Investigation
Investigator: Zayar
Case description: Jezebel claims that Naomi sent a series of offending email messages, causing sexual harassment to him
Victim: Jezebel (employee of Local City Hall)
Suspect: Naomi (employee of Local City Hall)
Email system: Local City Hall's email system
We need to copy and print the emails on both Jezebel's computer and Naomi's computer. We will need to recover files on the computers, since in this case there are deleted emails.
After copying and printing these email messages, we will use a computer forensic email program (or the program that created the message) to find the email header. The email header is helpful in gathering supporting evidence: the date and time the message was sent, the originating email domain or IP address, the message ID, and the filenames of any attachments. For example:
- Received: from tes 1a623.OneMail.com.sg([220.127.116.11]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 13 Dec 2009 12:31:29 -0600 (MDT)
- Message-Id: <200110121831.f9CIVSk24480@s2.domain.com>
- Recdived: from drb.com(IIM 1508 [18.104.22.168]) by tes1a623.OneMail.comsg with SMTP(Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
- From: email@example.com
- Subject: Long Distance - 4.9 cents permin -NOFEES!
- Date: Tue, 13 Dec 2009 13:24:26 -0400
- X-Sender: firstname.lastname@example.org
When the originating email address is found, the message can be tracked back to a suspect by doing reverse lookups. This way, we can find out who originated the emails.
Naomi's computer will also be examined to pursue the emails sent to Jezebel, and deleted messages will be recovered with computer forensic software. When we get the deleted email messages, we analyse their email headers, and these emails will also be copied and printed. Then we will contact the email administrator of the Local City Hall's email system and get the log file of email transactions for the days related to the case. Once the log file is received, the email messages will be compared with the email logs: the email account, IP address, message ID, and date and time stamp will be verified to determine who really sent the emails.
Bills or logs will also be requested to make sure that the account from which the offending emails were sent was actually being used by Naomi or by Jezebel. After completing these steps, we will be able to determine whether it was Naomi or someone else who sent the offending emails to Panda. By this we can prove her innocence.
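The header analysis and log comparison described in the procedure above, as an added Python example (not part of the assignment): it parses a message with the standard `email` library, walks the Received chain back to the originating host and IP, normalises the Date header to UTC so it can be compared with server logs, lists attachment filenames, flags a From/X-Sender mismatch, and then matches the relay id from the Received line against mail-server log lines. The message and the log lines are constructed for the example (documentation-only addresses and example.com names; the log format is a generic syslog style, not any product's real format), and the reverse DNS lookup mentioned in the text is not performed here because it needs network access.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message modelled on the header fields listed above.
RAW_MESSAGE = """\
Received: from mail.example.com ([192.0.2.10]) by mx.cityhall.example.org (8.11.6)
\tid f9CIVSk24480; Tue, 13 Dec 2009 12:31:29 -0600
Received: from workstation12.example.com (unknown [198.51.100.23])
\tby mail.example.com with SMTP; Tue, 13 Dec 2009 13:24:30 -0400
Message-Id: <200912131831.f9CIVSk24480@mail.example.com>
From: naomi@example.com
To: jezebel@cityhall.example.org
Subject: Re: schedule
Date: Tue, 13 Dec 2009 13:24:26 -0400
X-Sender: someone.else@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

message body
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

attached text
--BOUNDARY--
"""

# Constructed mail-server log lines (generic format for the example).
SERVER_LOG = [
    "Dec 13 12:31:29 mx.cityhall.example.org smtpd[2211]: f9CIVSk24480: client=mail.example.com[192.0.2.10]",
    "Dec 13 12:31:29 mx.cityhall.example.org smtpd[2211]: f9CIVSk24480: from=<naomi@example.com>, size=1204",
    "Dec 13 12:40:02 mx.cityhall.example.org smtpd[2215]: a1B2c3D4e5: client=other.example.net[203.0.113.9]",
]

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ID_RE = re.compile(r"\bid\s+([^\s;]+)")


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def received_chain(msg):
    """Hops in transmission order. Each relay prepends its own Received line,
    so the last Received header in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())   # unfold continuation lines
        hops.append({"from": _first(FROM_RE, value), "ip": _first(IP_RE, value),
                     "by": _first(BY_RE, value), "id": _first(ID_RE, value)})
    return hops


def summarize(raw):
    """The header facts the investigation wants: origin, time, message id, attachments."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return {
        "message_id": msg["Message-Id"],
        "from": msg["From"],
        "x_sender": msg["X-Sender"],
        "sender_mismatch": msg["From"] != msg["X-Sender"],   # a reason to check the server logs
        "date_utc": sent.isoformat(),
        "origin_host": hops[0]["from"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }


def match_server_log(summary, log_lines):
    """Log entries carrying a relay id that appears in the Received chain."""
    ids = {h["id"] for h in summary["hops"] if h["id"]}
    return [line for line in log_lines if any(i in line for i in ids)]


if __name__ == "__main__":
    s = summarize(RAW_MESSAGE)
    for hop in s["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} id={hop['id']}")
    print("origin:", s["origin_host"], s["origin_ip"], "sent:", s["date_utc"])
    print("attachments:", s["attachments"], "sender mismatch:", s["sender_mismatch"])
    for line in match_server_log(s, SERVER_LOG):
        print("log:", line)
```

The From header can be typed by anyone, which is why the procedure compares the Received chain and the relay id with the server's own log rather than trusting the sender address alone; the UTC-normalised date is what should be lined up against the log timestamps and the account's login records.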
Nelson B et al, Guide to Computer Forensics and Investigations. B & Jo Enterprise Pte Ltd, Singapore.