I am a student studying IADCS (International Advanced Diploma in Computer Studies) offered by NCC Education at Myanma Computer Company Ltd. (MCC) in Yangon. This assignment is for Computer Forensics, which is the first elective subject in my second module course. In this assignment we have to investigate the company policy violation case of Didsbury Mobile Entertainments Ltd. Being new to this subject, I found many difficulties, but I coped with them little by little. Throughout researching for this assignment I found this subject interesting and realized that it is essential and vital in most cases. This assignment gives me insight into computer forensics; I got to know new things and policies which I did not know before.
No work is done without support, inspiration and motivation. I found many difficulties and had a hard time during the investigation for my assignment, even though I put much effort into researching. I am very grateful to U Win Hlaing, who showed us an insight view of computer forensics. His guidance was really helpful and made me keen to learn this subject. My thanks also go to Daw Aung Thandar LynnMyit, who is my line manager.
The reasons for a need for computer forensic investigation in the given case.
Computer forensics is the scientific method that will be applied to solve the case. It includes acquiring and analyzing digital information so that it can later be presented in court as evidence. Because the computer and the Internet are involved, the investigation must also cover the environment surrounding the computer.
Computer forensics obtains and analyzes digital information for use as evidence in civil, criminal or administrative cases. Computer forensic investigation has become a vital part of solving crimes. It serves both the innocent and those accused of the crime, because it is needed to establish the truth.
In the given case a computer forensics investigation is a must, since it involves diverting business using the company's systems and time: Jalitha is spending the company's time on her friend's business and diverting business to her friend. This is a company policy violation. To stop her from harming the company and to punish the violator, evidence is essential. If evidence collection is done correctly, it is much more useful in apprehending the policy violator, and the evidence stands a much greater chance of being admissible in the event of a prosecution. For these reasons, computer forensics is needed to find evidence of, or completely recover, hidden, lost or deleted information, even if it was intentionally hidden or deleted. From a technical standpoint, the main goal of computer forensics is to preserve, identify, collect and analyze data in a way that preserves the integrity of the evidence collected, so it can be used effectively in a legal case.
The steps I would take to pursue the investigation
- The investigator must understand the current laws on crimes relating to information technology, including the standard legal process and how to build a case under the local rules, avoid conflicts of interest with authorized people of the firm, and learn the policies defined by the line of authority for conducting internal investigations.
- Make an initial assessment of the type of case by talking to others involved in the case and asking questions about the incident. (Example: How did you know that Jalitha has been spending her time on her friend Radasa's private business in the company's time?)
- Determine a preliminary design or approach to investigate the case, develop a detailed design or checklist of the step details, and estimate the time needed for each step.
- Collect the resources that are available and use other specialists, support teams, tools and software to process all of the evidence, including recovering, identifying and analyzing it.
- Copy and obtain any associated storage media along with her personal computer (removable media, compact discs and related computer devices) and organize the data to help prove her guilt or innocence.
- Identify how to minimize the risks. If I am working with a computer where criminals have likely password-protected the hard-disk drive, I can make multiple copies of the original media before I start. I can then destroy one or more copies during the investigation and still achieve the goal of retrieving information from those disks.
- Review the decisions I have made and the steps already finished. If I have already copied the original media, a standard part of testing the design involves comparing hash signatures to ensure that I have made a proper copy of the original media.
- Write a complete report detailing what we did and what we found each day.
Procedures to make sure Evidence hold up in court
To ensure the evidence is correct and will hold up, the investigator follows these procedures:
- The computer forensics investigator must ensure that the evidence is not changed by anybody. People accessing the evidence must be expert enough to do so and must take responsibility for their actions.
- Investigators examine file and directory date and time stamps, locate and extract all log files, and recover temporary print spool files.
- The person in charge of the investigation is responsible for ensuring that the law and these principles are complied with.
- In making a forensic copy of a hard disk, for example, suitable precautions should first be taken to prevent any data being written to the disk: write-protect the media so that the data is kept unchanged and protected from malicious software or viruses.
- Secure the evidence in an approved secure container such as evidence bags, tape, tags, labels, safe-boxes and other products available from police-supply vendors, or in bank containers.
- It is also important to know what has happened to the system or storage media from the time it was seized to the moment it was examined by a forensic examiner. Any gap in the chain of evidence could mean that one or more unknown persons could have gained access.
- From the point of view of the prosecution, the main objective is to provide strong evidence for each legal point that must be proved for a given offence. The role of the computer forensics investigator is to meet the challenge of the technical complexity of such cases and the demands of the court.
- Unlike a file, raw computer evidence must be presented with an accurate interpretation or report which clearly identifies its significance in the context of where it was found, what it contains or what was recovered.
A computer forensic expert should also be prepared to answer reliability questions relating to the software they have used.
i) The way data is stored in Windows and Linux systems
Windows Data Stored
Windows operating systems support two types of hard disk storage on desktop computers: basic disks and dynamic disks. The most widely used file systems are FAT32 (File Allocation Table) and NTFS (New Technology File System). Basic disks are the default storage type in Windows operating systems, so all hard disks begin as basic disks. Windows recognizes all disks as basic by default, including all new installations and upgrades from previous versions of Windows. To use a dynamic disk, a basic disk must be converted to a dynamic disk. Up to four primary partitions can be created on a computer running a Windows operating system, and any one primary partition can be marked as the active (bootable) drive.
An extended partition provides a way to exceed the four-primary-partition limit. An extended partition cannot be formatted with a file system; rather, it serves as a shell within which any number of logical partitions can be created.
Any number of logical partitions can be created inside an extended partition. Logical partitions are normally used for organizing files. All logical partitions are visible, no matter which operating system is started.
Spanned volume: a spanned volume can contain disk space from 2 or more (up to a maximum of 32) disks. The amount of disk space from each disk can vary. Spanned volumes are used when a simple volume is running low on disk space and needs to be extended using space on another hard disk. When Windows writes data to a spanned volume, it writes to the area on the first disk until that area is filled, then to the area on the second disk, and so on. If any of the disks containing the spanned volume fails, the user loses all data in the entire spanned volume.
Striped volume: a striped volume can contain disk space from 2 or more (up to a maximum of 32) disks. Striped volumes require an identical amount of disk space from each disk. When Windows writes data to a striped volume, it divides the data into 64 KB chunks and writes them to the disks in a fixed order. Thus Windows will split a 128 KB file into two 64 KB chunks and store each chunk on a separate disk. Striped volumes provide increased performance because it is faster to read or write two smaller pieces of a file on two drives than to read or write the entire file on a single drive.
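The partition layout described above (four primary entries, one of them marked active, an extended container for logical partitions) lives in the 64-byte partition table at the end of the master boot record. The parser below is an added example, not part of the original report or of any forensic toolkit; it builds a constructed 512-byte MBR with an active NTFS partition, a FAT32 partition and an extended container, then decodes the table the way an examiner would check it before trusting a tool's view of the disk. The type-code names, sector counts and start addresses are constructed sample values; the 0x55AA signature, the 446-byte table offset and the 0x80 active flag are the real on-disk conventions.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446  # partition table starts after the boot code
ENTRY_FORMAT = "<B3sB3sII"  # flag, CHS start, type, CHS end, LBA start, sector count

# Small subset of MBR partition type codes, enough for the constructed sample.
PARTITION_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
}
EXTENDED_TYPES = {0x05, 0x0F}


def make_entry(bootable, ptype, start_lba, sectors):
    """Build one 16-byte partition-table entry (CHS fields zeroed; LBA addressing used)."""
    flag = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, flag, bytes(3), ptype, bytes(3), start_lba, sectors)


def build_sample_mbr():
    """Constructed sample MBR: active NTFS, FAT32, extended container, one empty slot."""
    entries = (
        make_entry(True, 0x07, 2048, 204800)       # 100 MiB NTFS, marked active
        + make_entry(False, 0x0C, 206848, 102400)  # 50 MiB FAT32
        + make_entry(False, 0x0F, 309248, 409600)  # extended partition (holds logicals)
        + bytes(16)                                # unused slot
    )
    return bytes(PART_TABLE_OFFSET) + entries + b"\x55\xAA"


def parse_mbr(mbr):
    """Decode the four primary entries; raise if the sector is not a plausible MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "active": flag == 0x80,
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown"),
            "extended": ptype in EXTENDED_TYPES,
            "start_lba": start,
            "sectors": count,
            "size_bytes": count * SECTOR,
        })
    return parts


def active_partition(parts):
    """Return the single bootable entry, or None if zero or several are flagged (a red flag)."""
    flagged = [p for p in parts if p["active"]]
    return flagged[0] if len(flagged) == 1 else None


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for p in table:
        print(p)
    print("active:", active_partition(table))
```

Reading the table by hand is a useful cross-check: a partition whose start or length falls outside the imaged disk, or two entries flagged active, is a sign of tampering or a damaged record that a tool may silently paper over.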
Window data store
Linux Data Stored
The Linux file system is organized as a hierarchy of directories.
The basic unit of the Linux file system is the data block. As with Microsoft file system structures, the Linux file system on a PC uses 512-byte sectors. A data block typically consists of 4096 or 8192 bytes, made up of a cluster of hard disk sectors. When a file is stored, its data blocks are clustered together and a unique inode is assigned to it.
In the ext file systems, directories are themselves files that list the names of files and the locations of those files. The ext2/3/4 file systems allocate blocks for files based on their parent directories, spreading files out over the physical disk while leaving room to keep each file contiguous and reduce fragmentation. Besides providing availability, data integrity and speed comparable to other file system choices, this makes it potentially possible to recover a deleted file without having to defragment, thanks to the dynamic allocation of resources and the contiguous arrangement of files.
Linux data store
The boot tasks and start up tasks for Windows and Linux systems
Windows Boot Tasks and Start Up Tasks
When the user presses the power button on a computer, a whole lot happens. We call this the boot process. For Windows XP the following tasks are carried out:
- During the power-on self-test (POST), power is applied to the computer and the BIOS (Basic Input-Output System) tests memory and a number of other subsystems. Normally this monitoring completes all its tests. After POST has completed, the system BIOS hands over to any device that has its own BIOS, such as an AGP graphics card and some network adapters.
- Once the BIOS has verified that everything works, it tries to load the master boot record (MBR). This is the first sector of the first hard drive (hd0). When the MBR takes over, Windows is in control.
- The MBR inspects the boot sector (first sector) of the active partition. There NTLDR, the Windows XP boot loader, is found. NTLDR is loaded into memory, starts the file system, reads boot.ini and displays the boot menu. NTLDR, NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if there are SCSI adapters) must be in the root directory of the active partition.
- Once Windows XP has been selected from the boot menu, NTLDR runs NTDETECT.COM (or loads BOOTSECT.DOS if another operating system was selected) to obtain what is needed to load the selected operating system. At this stage the processor switches from 16-bit real mode to 32-bit protected mode.
- NTLDR then loads NTOSKRNL.EXE and HAL.DLL; these files are effectively Windows XP. They are in %SystemRoot%\System32.
- NTLDR reads the registry, chooses a hardware profile and loads device drivers, in that order.
At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the logon screen so that the user can log on.
Window Boot Tasks Start up Tasks
Window Boot Screen 01
Window Boot Screen 02
Linux Boot Tasks and Start up Tasks
In Linux, the flow of control during a boot is from the BIOS, to the boot loader, to the kernel. The kernel then starts the scheduler and runs the first user-land program, init (which sets up the user environment and allows user interaction and login), at which point the kernel goes idle unless called externally.
- The BIOS performs specific tasks when the hardware platform is started.
- Once the hardware is recognized and the system is working properly, the BIOS loads the first stage of the Linux boot loader from the boot code partition of the specified boot device. Stage 1 then loads Stage 2 (most of the boot loader). Because a modern large boot loader cannot be read completely from disk without additional code, an intermediate stage (stage 1.5) may be used.
- The boot loader may present the user with a boot option menu. It then loads the operating system kernel into memory and decompresses it, setting up the paging, devices and memory needed before calling the start_kernel() function. start_kernel() performs most of the system configuration (memory management, device drivers and initialization), then spawns the init process (which runs in user space) and hands the rest over to the scheduler.
- From this point the kernel is idle, and the scheduler effectively manages the system.
The init process runs the scripts needed to start the OS services and facilities, creates the user environment, and provides the user with the login screen.
Linux boot task and start up
Linux Boot Screen
Linux Boot Screen
Guidance Software's EnCase
Guidance Software's EnCase Overview
Evidence Disk Overview
Function of EnCase
Access Data's Forensic Toolkit
Access Data's FTK Options
Access Data's FTK Process to Perform
Access Data's FTK Function
ProDiscover Evidence Disk View
Guidance Software's EnCase Features
- Acquisition Granularity:
- Link file parser - find in unallocated space
- Compound (e.g., zipped) document and file
- File Signature analysis, Hash analysis
- File finder - find files in unallocated space
- Reporting - Automatic Reports
- Listing of all files and folders in a case
- Detailed listing of all URLs and corresponding dates and times of web sites visited
- Document incident response report
- Log Records
- System Support
- Hardware and software RAIDs.
- Dynamic disk support for Windows 2000/XP/2003 Server
- Interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats.
- File systems: Windows FAT12/16/32, NTFS; Macintosh HFS, HFS+; Sun Solaris UFS, ZFS; Linux EXT2/3; Reiser; BSD FFS, FreeBSD's Fast File System 2 (FFS2) and FreeBSD's UFS2; Novell's NSS & NWFS; IBM's AIX jfs, JFS and JFS with LVM8; TiVo Series One and Two; CDFS; Joliet; DVD; UDF; ISO 9660; and Palm
Access Data's Forensic Toolkit Features
- Supported File Systems and Image Formats (AccessData Corp.)
- FTK can analyze the following types of file systems and image formats:
- File systems: FAT12, FAT16, FAT32, NTFS, Ext2, Ext3
- Hard disk image formats: EnCase, SnapBack, SafeBack 2.0 and under, Expert Witness, Linux DD, ICS, Ghost (forensic images only), SMART
- CD and DVD image formats: Alcohol (*.mds), CloneCD (*.ccd), ISO, IsoBuster CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif), Virtual CD (*.vc4)
Features and Benefits:
- Create a bit-stream copy of the disk, including the hidden HPA section (patent pending), so that the evidence is kept in its original state for analysis.
- Search the entire disk, including the files it contains, Windows NT/2000/XP Alternate Data Streams and the HPA section, for a complete forensic analysis.
- Preview all files without changing the data on the disk, including the metadata of hidden or deleted files.
- Maintain compatibility with the popular UNIX dd image format and E01 by reading and writing images in multiple formats.
- Support for running a captured image under VMware.
- Examine clusters to make sure there is no information or data hidden in slack space.
- Automatically generate and record MD5, SHA1 or SHA256 hashes to prove data integrity.
- Utilize user provided or National Drug Intelligence Center Hashkeeper database information to positively identify files.
- Examine FAT12, FAT16, FAT 32 and all NTFS file systems including Dynamic Disk and Software RAID for maximum flexibility.
- Examine Sun Solaris UFS file system and Linux ext2 / ext3 file systems.
- Integrated graphics, Internet history, event log and registry viewers to facilitate the investigation process.
- Integrated viewer to examine .pst /.ost and .dbx e-mail files.
- Use Perl scripts to automate the investigation process.
- Extracts EXIF information from JPEG files to identify file creators.
- Automated report generation in XML format saves time, improves accuracy and compatibility.
An easy-to-use, secure graphical interface and integrated Help make it easy to get started.
I have used three forensic toolkits: Guidance Software's EnCase, AccessData's Forensic Toolkit (FTK) and ProDiscover. These three are professional computer forensics toolkits, and all three are ready for enterprise-level use. I found that the toolkits have different GUIs. EnCase can analyze most file structures, already deleted files and most file systems; the other two can analyze these too. I analyzed the same evidence device with all three. EnCase was the fastest of the three at analysis, ProDiscover was the second fastest, and AccessData's Forensic Toolkit was the slowest.
But AccessData's Forensic Toolkit has the most functions of these toolkits. It can analyze the most things, such as FAT32, NTFS, EXT3, EXT4, CDFS and others. It can report case and evidence events, error messages, bookmarking events, searching events, data carving / Internet searches and other events. Besides these reports, MD5, SHA-1 and other kinds of hash values can be computed. AccessData's FTK can do what the other toolkits do, and it can also process things they cannot, such as storing thumbnails and KFF ignorable files.
I want to use AccessData's Forensic Toolkit for my lab, because it can process many things and many file systems, and it can produce the most kinds of report.
I am using AccessData's Forensic Toolkit to analyze the CDFS, FAT32 and NTFS file systems.
For CDFS File System
File System CDFS
Analyzing the CDFS
FTK Report For CDFS
File Overview in Report
Evidence List in Report
File System FAT32
Analyzing the FAT32
Case Information in Report
File Overview in Report
Evidence List in Report
For NTFS File System
File System NTFS
Analyzing the NTFS
Case Information in report wizard
File Overview in report wizard
Evidence List in report wizard
Creating a bitmap file and generating its MD5 hash value
Creating a bitmap with MS Paint
Open the original bitmap image with an image viewing utility
Generate the MD5 hash value for the original file using Hex Workshop
Original bitmap image file MD5 hash value is 7A237D3015190AF74EC3AC1D0B538320
Modify the bitmap file and regenerate the MD5 hash value
Open the modified bitmap file with an image viewing utility
Generate the MD5 hash value for the modified file using Hex Workshop
Modified bitmap image file hash value is 95661FD83ABF0792A69EC25A3F9103A6
Comparison of the original and modified bitmap image files' MD5 hash values
Original bitmap image file MD5 hash value is -
Modified bitmap image file hash value is -
Create a doc file and generate its MD5 hash value
Create a doc file using Microsoft Office
Generate the MD5 hash value for the original doc file using Hex Workshop
Modify the original doc file
Generate the MD5 hash value for the modified doc file with Hex Workshop
Comparison of the original and modified doc files' MD5 hash values
Original doc file MD5 hash value is
Modified doc file MD5 hash value is
Create an xls file using Microsoft Office
Create an xls file using Microsoft Word
Generate the MD5 hash value for the original file using Hex Workshop
Modify the xls file using Microsoft Office
Generate the MD5 hash value for the modified xls file using Hex Workshop
Comparison of the original and modified xls files' MD5 hash values
Original xls file MD5 hash value is
Modified xls file MD5 hash value is
I found different MD5 (Message-Digest algorithm 5) hash values for the original file and the modified file.
MD5 is a widely used cryptographic hash function that produces a 128-bit hash value. It is used in a wide variety of security applications and is standardized in RFC 1321. It is also used to check the integrity of files. An MD5 hash value is written as a 32-digit hexadecimal number. An MD5 hash acts like a fingerprint or signature for a file and provides a check on data integrity. With a hash value there is only a small possibility of getting two identical hashes for different files, so it can be used to compare files for integrity.
In digital life we have many other integrity problems. For example, an e-mail sender and receiver each have a similar image file and need to know whether the two are different without sending the images to each other. The easy way is to calculate the MD5 hashes of the two image files and compare the values. The MD5 algorithm processes a variable-length message into a fixed-length 128-bit output. MD5 is a mathematical formula that translates a file into a unique hexadecimal value, or hash value. If a single bit or byte changes, it alters this digital signature, the unique value that identifies the file.
If the hash is the same as the original signature, the user can verify the integrity of their digital evidence with mathematical proof that the file has not changed. After generating the MD5 hash value, the file containing the value is copied to another place.
The length of the hash value depends on which algorithm the user chooses; it does not depend on the size of the file. Common hash value lengths are 128 bits or 160 bits.
So we look at the original image file's hash value using hash generator tools. This value does not depend on the file size. After we modify the file the hash value changes, because the algorithm recomputes the value over the file's changed contents and structure; the algorithm always outputs the correct value for the input it is given. In the modified file the contents are changed, so the MD5 hash values of the original and modified files are different.
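The two procedures described above, verifying a copy of the original media by comparing hash signatures and showing that inserting a short message into an image changes its hash, come down to the same operation. The script below is an added example, not part of the original report and not the Hex Workshop or FTK procedure used there; it writes a constructed minimal 24-bit BMP, hashes it, makes an exact copy and a copy with a short message appended, and reports which copy still verifies. SHA-256 is computed alongside MD5 because known MD5 collisions mean a second, stronger digest is what an examiner should record today; file names and the appended message are constructed sample values.

```python
import hashlib
import os
import struct
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream a file once through each named hashlib algorithm; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy):
    """True only if every recorded digest of the copy matches the original."""
    return hash_file(original) == hash_file(copy)


def write_sample_bmp(path, width=4, height=4):
    """Write a constructed minimal uncompressed 24-bit BMP (all-white pixels); return its size."""
    row = width * 3
    padded = (row + 3) & ~3          # BMP rows are padded to 4-byte boundaries
    pixel_bytes = padded * height
    file_size = 54 + pixel_bytes     # 14-byte file header + 40-byte DIB header + pixels
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_bytes, 2835, 2835, 0, 0)
    with open(path, "wb") as f:
        f.write(file_header + dib_header)
        for _ in range(height):
            f.write(b"\xff" * row + b"\x00" * (padded - row))
    return file_size


def append_message(src, dst, message):
    """Copy src to dst with a short text message appended after the pixel data."""
    with open(src, "rb") as f:
        data = f.read()
    payload = message.encode()
    with open(dst, "wb") as f:
        f.write(data + payload)
    return len(data) + len(payload)


def demo():
    """Run the whole exercise in a temporary directory and return the observations."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "original.bmp")
    exact_copy = os.path.join(work, "copy.bmp")
    modified = os.path.join(work, "modified.bmp")

    size_before = write_sample_bmp(original)
    with open(original, "rb") as src, open(exact_copy, "wb") as dst:
        dst.write(src.read())
    size_after = append_message(original, modified, "hidden note")  # constructed message

    return {
        "original_hashes": hash_file(original),
        "copy_verifies": verify_copy(original, exact_copy),
        "modified_verifies": verify_copy(original, modified),
        "size_before": size_before,
        "size_after": size_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash is streamed in chunks so the same function works on a multi-gigabyte disk image; the recorded digests should be written into the case notes at acquisition time, since a later mismatch only proves something changed if the original value was captured before the media left your custody.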
Bitmap Image Create and Viewing
Original Bitmap file's size and hash value
Inserting short message to bitmap
After inserting short message, file size and hash value
JPEG image file creation and viewing
Original JPEG image file size and hash value
Inserting a short message into the JPEG file
After inserting the short message, file size and hash value
rif image creation and viewing
Original rif image file size and hash value
Inserting a short message into the rif image file
After inserting the short message, file size and hash value
wmf image file creation and viewing
Original wmf image file size and hash value
Inserting a short message into the wmf image file
After inserting the short message, file size and hash value
An image file contains a graphic, such as a digital photograph, line art, a three-dimensional image, or a scanned replica of a printed picture. The common image file types are vector images, bitmap images and metafiles. The following list indicates the number of colors available for a given number of bits per pixel:
1 bit = 2 colors
4 bits = 16 colors
8 bits = 256 colors
16 bits = 65536 colors
24 bits = 16,777,216 colors
Bitmap images store graphic information as grids of individual pixels (short for picture elements). The quality of a bitmap image displayed on a computer monitor is governed by the screen resolution, which determines the amount of detail displayed in the image.
A raster image is a collection of pixels stored in rows to make the image easy to print. In most cases, printing an image converts, or rasterizes, it so that the pixels are printed line by line instead of processing the complete collection of pixels at once.
Vector images are different from bitmap and raster images: they use lines. A vector file stores only the mathematics for drawing lines and shapes; a graphics program converts those calculations into the image. Because vector files store mathematical calculations and not pixels, they are generally smaller than bitmap files, saving disk space.
Metafile image files combine raster and vector graphics, and can have the characteristics of both image types. For example, if you scan a photograph (a bitmap image) and then add text or arrows (vector drawings), you create a metafile. Metafiles provide the features of both bitmap and vector files.
Report to prove Naomi's innocence by my investigation
Investigating crimes or policy violations involving e-mail is similar to investigating other types of computer abuse and crime. My goal is to find the suspect so that the employment of the responsible city employee can be terminated, and to build a case according to my assignment.
Nowadays e-mail is an essential tool for people and has become one of the essential tools for business. E-mail is used in an environment where data and e-mail messages are distributed from one central server to many connected client computers.
In this case Jezebel at the local city hall contacts the shift supervisor, Benbber, with a complaint of harassment using the city's e-mail system. The goal is to identify the suspect. We have to interview both Jezebel and Naomi, not only about themselves but also about the offending e-mail messages, which are offered to us for review. When we interview Naomi, she denies doing anything wrong and claims that she is being set up. First, we need to investigate the victim's computer to recover the evidence contained in the e-mail. If possible, we need physical access to the victim's computer, and we must use the e-mail program on that computer to find a copy of the offending e-mail messages the victim received.
Before starting the e-mail investigation, we must copy and print all the e-mail messages related to the crime or policy violation. Depending on our department's guidelines, we may also forward the messages to another e-mail address under our control. After copying the data and printing the messages, we use the e-mail program that created the message to find the e-mail header, gather supporting evidence and ultimately track the suspect to the originating location of the e-mail by its domain address or IP address. The date and time the message was sent, the filenames of any attachments and the unique message number of the message all support our investigation, because knowing the date and time tells us when it was sent and lets us investigate who used the computer at that time.
After copying and printing the e-mail messages, we use the e-mail program to view the e-mail header, which provides supporting evidence and ultimately lets us track the suspect to the originating location of the e-mail by finding the originating e-mail domain address or IP address. The header shows the date and time the message was sent, the filenames of any attachments, the unique message number and the IP address used. Once we find the originating address, we can trace the message to the suspect by doing a reverse lookup. Having done the IP and e-mail header tracing, we found no evidence of any wrongdoing by Naomi.
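The header fields the paragraph above relies on (the Received chain, Message-ID, Date and attachment filenames) can be pulled out of a saved message with the standard library. The script below is an added example, not part of the original report and not the procedure of any particular e-mail program; the raw message, its hostnames, addresses and the documentation-range IP addresses are all constructed sample values. It walks the Received headers from the most recent hop down to the first, reports the originating host and IP, and lists attachments. The From line is shown only for completeness: a sender can write anything there, so the hop recorded by your own mail server is the part of the chain to trust, which is exactly why a set-up claim like Naomi's is tested against the header rather than the visible sender.

```python
import email
import re
from email import policy

# Constructed sample message: two Received hops, one text part, one attachment.
RAW_MESSAGE = b"""Received: from mail.cityhall.example (mail.cityhall.example [192.0.2.10])
    by mx.cityhall.example with ESMTP id 7abc123; Mon, 3 Mar 2014 09:15:02 +0000
Received: from ws-042.cityhall.example (ws-042.cityhall.example [198.51.100.42])
    by mail.cityhall.example with ESMTP id 5def456; Mon, 3 Mar 2014 09:14:58 +0000
Message-ID: <20140303091458.5def456@mail.cityhall.example>
Date: Mon, 3 Mar 2014 09:14:58 +0000
From: Naomi <naomi@cityhall.example>
To: Jezebel <jezebel@cityhall.example>
Subject: constructed sample message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body text
--b1
Content-Type: application/octet-stream; name="note.txt"
Content-Disposition: attachment; filename="note.txt"

attached content
--b1--
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as written by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


def parse_received(msg):
    """Return one dict per Received header, most recent hop first."""
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(str(header).split())  # unfold continuation lines
        src = RECEIVED_RE.search(flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        timestamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "from": src.group("helo") if src else None,
            "ip": src.group("ip") if src else None,
            "by": by.group(1) if by else None,
            "timestamp": timestamp,
        })
    return hops


def summarize(raw):
    """Extract the header facts an examiner records for a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = parse_received(msg)
    origin = hops[-1] if hops else None  # bottom-most Received = first hop
    return {
        "message_id": str(msg["Message-ID"]),
        "date": str(msg["Date"]),
        "from": str(msg["From"]),
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
        "hops": hops,
        "originating_host": origin["from"] if origin else None,
        "originating_ip": origin["ip"] if origin else None,
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The originating IP is the starting point for the reverse lookup and for checking the mail server's own logs for the same message id and timestamp; those logs, not the header alone, establish which workstation actually submitted the message.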
By carrying out these processes, we show that Naomi is innocent by presenting our investigation report in court.