Digital Forensics Assignment: Reflection On Hands-On Projects
Question
Task:
Task 1: Reflection on digital forensics assignment on Hands-on Projects (5 marks)
Complete the following hands-on projects from your textbook:
Hands-on activity from Chapter 1, pages 43-52, including analysing digital evidence using Autopsy and exploring additional features of Autopsy
Hands-on Project 1-3
Hands-on Project 1-6
Deliverable: Write a 1000-1500 word report (up to five A4 pages) on lessons learned from these projects. Comment on some of the features you learnt using Autopsy in hands-on activity 1 and reflect on the lessons learnt from the remaining two hands-on projects. Write at least two lessons learned from each of the hands-on projects.
Task 2: Case Projects (5 marks)
Complete Hands-on Projects 4-4 and 4-5 from your textbook (Nelson, Phillips, & Steuart, 6th edition, 2019, pp. 191-192). In these projects you will be working with FTK Imager Lite and exploring the hash values of text files. Once you have completed these projects using FTK Imager Lite, repeat the hash value calculations using the WinHex editor as well. Compare the hashing results from any two of the tools, i.e. FTK Imager, WinHex editor and Get-FileHash.
Deliverable: Write a 500-1000 word paper after completing these projects and report what you have learned about hashing functions and about the digital forensics tools FTK Imager Lite and WinHex editor. Provide screenshots of the steps completed in the projects showing the resulting hash values of the files used. Present your hash value results in an MS Word document.
For tasks 1 and 2 deliverables:
When you work on a hands-on project and provide screenshots to support the progress or steps, the screenshot must include at least your Interact 2 login name and the date as proof of your work. For each task or hands-on project, one snapshot of your working screen showing the i2 site, your login and the date will satisfy the requirement. Marks will be reduced, or zero awarded, for any tasks or hands-on projects that do not comply with this requirement. An exemplar screenshot will be available on the subject's i2 site.
Task 3: Research Project
Research at least three hex editors that you can use in digital forensics investigations. Write a one- to two-page paper describing the different features of these three hex editors. Also describe how these hex editors can be used to validate digital evidence.
Deliverable: Write a 500-1000 word report that outlines various features of hex editors and their digital evidence validation capabilities.
Answer
Task 1
Hands-on Activities & projects – Lessons Learned
I learned a number of lessons about digital forensics and Autopsy from the hands-on projects examined in this digital forensics assignment. I could also identify some of the areas that I would like to learn more about and improve in the future.
In hands-on project 1-1, I was involved in a crime scene investigation that involved a suspicious death. I realised that I must learn Autopsy in further detail, because there are several steps involved and, with more learning and training, I will be able to apply it better. I could learn about the possible uses of Autopsy from the six hands-on projects (Parasram, 2017).
In the majority of the projects, the results I witnessed were as expected. There were some surprising outcomes in hands-on project 1-3, which involved Superior Sailmakers; I had not expected the results to be as extensive and detailed as those I obtained. The Autopsy cases, however, developed as expected.
I also learned about some of the prerequisites and considerations for an investigating officer. For instance, I must not have any preconceived notions about the case or the entities involved, as this may lead to bias. I learned the significance of a clear mind in the investigation procedure. While studying the case studies, a specific viewpoint tends to get attached to the case; however, this can result in major variations in the outcomes and in the way the investigation is conducted. As a result, I learned that the mind must be clear and free from bias. This provides the means to understand the nature of the outcomes and to conduct the investigation as the case develops (Larson, 2014).
Another lesson from this digital forensics assignment that would improve my performance in the future is the significance of documentation. It is necessary that the documentation is detailed and carried out effectively. The hands-on projects I was part of included a thorough case background, which assisted me in the investigations I conducted. It is also the responsibility of the investigating officer to provide detailed and timely documents. This is one area that I need to work on and must improve, because the evidence is recorded and presented in the form of documents; these can be submitted in court, and only then can the intended outcomes be achieved. I believe that the documentation I submitted was not up to the mark and there are improvements I can make in this area.
I also learned that feedback must be gathered regularly during investigations, as certain areas and scope for improvement are identified in these exercises.
In terms of techniques, I made sure that I followed the existing techniques so that the determined outcomes were achieved (Kavrestad, 2018). I did not use any new techniques. However, I did like the convenient tree-style filter in the Autopsy sidebar, which arranges all the different artefacts by category / type. It was convenient during my investigation.
Autopsy lessons learned
1. I was working with Autopsy for the first time and learned a number of lessons. Using the open-source tool enabled me to understand its design and the specific features present. Being an open-source tool, its functionality is not the same as EnCase v8.07; however, the purpose could be fulfilled. I learned that consistency in the location of features is important so that future use can be done accordingly and with much more ease (Karampidis & Papadourakis, 2017).
2. I also learned that Autopsy offers similar tools in varied formats, from which reports and evidence can be extracted. Dd/Raw format is the one in which the same data can be obtained in the desired format from the beginning. These were some of the basic mechanisms that I learned about.
Task 2
Hashing functions in Digital Forensics
Data acquisition is one of the most significant activities in a digital forensics investigation. It is the process of creating a forensic copy (an image) of the digital media that holds the evidence. An exact, bit-for-bit copy must be made from the source so that the evidence submitted is valid (Mohan, 2020). The rest of the investigation is conducted on that copy so that the original evidence is never altered. If the working copy is lost, manipulated, or corrupted, a fresh copy can be made from the evidence disk, so the investigation results remain reliable. Such investigations end up in court, where the verdict has serious consequences for the parties involved, so it is essential that the analysis is done on an exact copy of the evidence disk. The hash value is the mechanism through which that exactness, i.e. the integrity of the copy, is demonstrated.
A hash value is a fixed-length fingerprint computed over the entire contents of a file or disk; changing a single bit produces a completely different value, so two data sets with the same hash are treated as identical. The integrity of the evidence disk is therefore established by hashing the original before imaging and hashing the image afterwards: the two values must match (Renza et al., 2019). The value is reported in hexadecimal notation, and the same algorithm must be used on both sides for the comparison to be meaningful. MD5 and SHA-1 are the algorithms most imaging tools still report, but neither is collision resistant any longer, so it is good practice to record a stronger hash such as SHA-256 (the default of Get-FileHash) alongside them.
Hash functions in FTK Imager Lite and WinHex
WinHex
WinHex, from X-Ways Software, is a popular commercial hex editor and disk editor. In a forensic examination many of the files collected are irrelevant (operating-system and application files), and the forensic edition of WinHex can filter such known files out by matching their hashes against a hash set. WinHex supports a wide range of hash algorithms, including MD5, SHA-1, SHA-256, MD4, RipeMD-160 and Tiger160, as well as TTH (Tiger Tree Hash) and ed2k (X-Ways, 2015).
FTK Imager Lite
FTK Imager Lite can hash individual files and whole images to establish data integrity, using the two hash functions built into FTK Imager: MD5 and SHA-1. It also generates hash reports (hash lists) for ordinary files and for images, which serve as the reference values for later integrity checks (Accessdata, 2019). Once an entire drive has been imaged, the tool verifies the image by re-reading it, computing its hash, and matching that against the hash of the source drive; a match confirms that the image is an exact copy.
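To make the verification steps described above concrete, the following Python script is an added example (not code from the textbook, FTK Imager, WinHex or Get-FileHash). It hashes a constructed sample text file and an image copy of it with MD5, SHA-1 and SHA-256 in a single pass, checks that source and image match, and shows the two things that most often make tool results appear to disagree in the Task 2 projects: a line-ending conversion of the text file, and the upper-case versus lower-case hex printed by different tools. The file names, the sample text and every helper name are assumptions made for the example.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed sample content standing in for the text files used in the
# projects; both line-ending variants are built so their hashes can be compared.
SAMPLE_TEXT_LF = "Superior Sailmakers quotation\nAmount: 12,500.00\n"
SAMPLE_TEXT_CRLF = SAMPLE_TEXT_LF.replace("\n", "\r\n")


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory byte string; hex digests are returned lower-case."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in 1 MiB chunks so a multi-gigabyte image need not fit in RAM.

    All algorithms are fed from one pass over the file, which is what an
    imaging tool does when it reports MD5 and SHA-1 together.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hashes_match(reported: str, computed: str) -> bool:
    """Compare a hash copied from a tool's report with one computed here.

    Get-FileHash prints upper-case hex while FTK Imager and WinHex print
    lower-case, and copied values often carry stray whitespace, so normalise
    before comparing instead of concluding that the tools disagree.
    """
    return reported.strip().lower() == computed.strip().lower()


def verify_image(source_path: str, image_path: str) -> bool:
    """Acquisition check: every hash of the image must equal that of the source."""
    src, img = hash_file(source_path), hash_file(image_path)
    return all(hashes_match(src[name], img[name]) for name in ALGORITHMS)


def line_ending_changes_hash() -> bool:
    """True if converting LF to CRLF changes every hash (it always does)."""
    lf = hash_bytes(SAMPLE_TEXT_LF.encode("utf-8"))
    crlf = hash_bytes(SAMPLE_TEXT_CRLF.encode("utf-8"))
    return all(lf[name] != crlf[name] for name in ALGORITHMS)


def demo() -> dict:
    """Write the sample file, 'image' it with a byte copy, and run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "quotation.txt")       # stands in for the evidence file
        image = os.path.join(tmp, "quotation.txt.img")    # stands in for the acquired image
        tampered = os.path.join(tmp, "quotation_edited.txt")
        with open(source, "wb") as fh:
            fh.write(SAMPLE_TEXT_LF.encode("utf-8"))
        with open(source, "rb") as src, open(image, "wb") as dst:
            dst.write(src.read())                          # bit-for-bit copy
        with open(tampered, "wb") as fh:                   # one digit changed
            fh.write(SAMPLE_TEXT_LF.replace("12,500", "12,600").encode("utf-8"))
        return {
            "image_verified": verify_image(source, image),
            "tampered_verified": verify_image(source, tampered),
            "line_ending_changes_hash": line_ending_changes_hash(),
            "source_hashes": hash_file(source),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When the FTK Imager, WinHex and Get-FileHash values for the same file differ, the first things to check are that the file was not re-saved by an editor in between (which can change line endings or add a byte-order mark) and that the comparison was made case-insensitively.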
Features and Comparison
WinHex offers a number of features:
- Numerous techniques for data recovery
- Disk editing tool – disk editors available for hard disks, floppy disks, ZIP, compact flash, and many others
- Data interpreter compatible with over 20 data types
- File analysis and the comparison of the files
- Disk cloning
- 256-bit AES encryption
- Switching between multiple open windows, and generation of random numbers
FTK Imager Lite includes the following features:
- Forensics image development from hard drives, thumb drives, CDs, and a lot more
- Preview – files, folders, contents
- Recovery of the files that have been deleted
- Development of the hashes for the files
- Image mounting
- Generation of hash reports
The two tools differ in their features and in how they are used. The FTK Imager Lite interface is simple and easy to understand, while WinHex, as a full hex and disk editor, has a more complex UI with a steeper learning curve. The only encryption FTK Imager Lite deals with is Windows EFS (it can detect EFS-encrypted files in an image), whereas WinHex can itself encrypt data with 256-bit AES. WinHex is the more flexible tool, since it allows any byte on the disk to be viewed and edited directly, whereas FTK Imager Lite is focused on acquisition, preview and hashing.
Both tools have drawbacks. FTK Imager Lite offers no multitasking or scripting, has no timeline view, and gives no estimate of the time remaining while an image is being created. WinHex does not handle BitLocker-protected volumes, which is a significant limitation, and its forensic licence is tied to a hardware dongle, without which the licensed features are unavailable.
Task 3
Hex Editors and their use in Digital Forensics
Hex editors play an important role in digital forensics. Suspects frequently delete or modify files on a system or hard disk, and a hex editor shows the raw bytes that are actually stored, both inside files and in every disk sector. Because it gives access to the physical contents of the disk, the file and directory boundaries imposed by the file system do not hide anything: data in unallocated space, in file slack, and in partially overwritten files is all visible (Sammons, 2015).
Hex editors are also used to reverse-engineer copy-protected software and to work out how malware code and algorithms operate. To understand how a hex editor is used on a disk, it helps to know how the disk stores information. Data is recorded in tracks, the concentric rings on each platter, and each track is divided into sectors, traditionally of 512 bytes. The sector is the smallest unit the drive reads or writes, so a file that does not fill its last sector leaves a tail of old bytes (slack space) that a hex editor can display. Because the editor reads the physical medium directly, it does not depend on the operating system or on the application that created the file.
Numerous hex editors are available, and they differ in the features they include and in their pros and cons. For validating digital evidence, the capabilities that matter are common to most of them: computing a hash or checksum of a file or of a selected byte range so that it can be compared with a recorded value; inspecting the leading bytes of a file (its signature) to confirm that the content really is what the extension claims; and examining the bytes around a deleted or modified file to confirm that recovered data is intact.
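As an added illustration (example code, not part of the textbook or of any of the editors discussed below), the following Python script reproduces in miniature the evidence-validation tasks just described: it renders bytes as a hex editor does (offset, hex columns, ASCII), extracts readable strings, checks a file's signature against its extension, and works out how much sector slack a file of a given size leaves. The sample bytes, the file name invoice.pdf, the signature table and all helper names are constructed for the example.

```python
SECTOR_SIZE = 512  # traditional sector size, as in the discussion above

# Constructed sample: a file named as a PDF whose leading bytes are actually a
# PNG signature, with a readable note buried among padding bytes.
SAMPLE_NAME = "invoice.pdf"
SAMPLE_DATA = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00" * 24
    + b"secret note: meet at 9pm"
    + b"\x00" * 40
)

# Leading bytes (magic numbers) of a few common formats; an assumption for the
# example, not an exhaustive table. ZIP is listed before DOCX because a DOCX is
# a ZIP container and detect_type() returns the first match.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
}


def hexdump(data: bytes, width: int = 16, base: int = 0) -> list:
    """Render bytes the way a hex editor does: offset, hex columns, ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_part}  {ascii_part}")
    return lines


def find_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII, like a hex editor's text search."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # the sentinel flushes a trailing run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def detect_type(data: bytes):
    """Return the first format whose signature matches the leading bytes, else None."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def signature_ok(name: str, data: bytes) -> bool:
    """True if the file's extension is backed by a matching signature."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return any(data.startswith(sig) for sig in SIGNATURES.get(ext, ()))


def slack_space(file_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Bytes left over in the file's last sector (sector slack)."""
    remainder = file_size % sector_size
    return 0 if remainder == 0 else sector_size - remainder


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_DATA)))
    print("strings:", find_strings(SAMPLE_DATA))
    print("claimed:", SAMPLE_NAME, "detected:", detect_type(SAMPLE_DATA),
          "signature ok:", signature_ok(SAMPLE_NAME, SAMPLE_DATA))
    print("sector slack:", slack_space(len(SAMPLE_DATA)), "bytes")
```

The signature check is the same test an examiner performs by eye in the first line of a hex dump; the slack calculation shows why the bytes beyond the end of a file, which a file-level tool never displays, are worth reading in a sector editor.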
vEdit Hex Editor
vEdit is a widely used hex editor owing to the following features:
- It can edit almost any file: binary, hexadecimal, EBCDIC or text, of any size
- Files can easily be converted between platforms, such as Windows, DOS, UNIX and Mac text formats
- Its macro and scripting language includes over 400 commands
- It can sort very large files quickly
- It is highly configurable, with over 200 parameters that can be modified (Vedit, 2020)
Hex Editor Neo
Hex Editor Neo is another popular hex editor, and its rich feature set makes it a preferred choice.
- Files are processed quickly regardless of their size
- Its UI is flexible and easy to understand (Hhdsoftware, 2019)
- A wide range of file manipulations can be carried out
- It is built on efficient algorithms, giving good performance and reliability
- Search, processing and replacement of data are fast
Hex Workshop Tool
Hex Workshop is another hex editor with a broad range of features and functionality.
- Files can be dragged and dropped into the tool for editing (Hexworkshop, 2020)
- Offsets can be viewed in hex or decimal
- The user interface is customizable and flexible
- Numerous search options are included, such as searching for hex strings, text strings, bitmasks and more
- A number of replace and go-to options are included
- Data can be viewed and edited in its natural structure (for example a parsed header) without altering its form
References
Accessdata. (2019). FTK Imager Lite 3.1.1. https://marketing.accessdata.com/ftkimagerlite3.1.1
Hexworkshop. (2020). Hex Workshop Features: Hex Editor, Sector Editor, Base Converter and Hex Calculator for Windows. http://www.hexworkshop.com/features.html
Hhdsoftware. (2019). Free Hex Editor Neo: Fastest Binary File Editing Software for Windows OS. HHD Software. https://www.hhdsoftware.com/free-hex-editor
Karampidis, K., & Papadourakis, G. (2017). File Type Identification - Computational Intelligence for Digital Forensics. The Journal of Digital Forensics, Security and Law. https://doi.org/10.15394/jdfsl.2017.1472
Kavrestad, J. (2018). Fundamentals of digital forensics: theory, methods, and real-life applications. Springer.
Larson, S. (2014). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Journal of Digital Forensics, Security and Law. https://doi.org/10.15394/jdfsl.2014.1165
Mohan, A. K. (2020). Forensically Sound Piecewise Hashing: Integrity checks with DEIC. Digital Forensics (4n6) Journal, 63-70. https://doi.org/10.46293/4n6/2020.02.02.14
Parasram, S. V. N. (2017). Digital forensics with Kali Linux: perform data acquisition, digital investigation, and threat analysis using Kali Linux tools. Packt Publishing.
Renza, D., Vargas, J., & Ballesteros, D. M. (2019). Robust Speech Hashing for Digital Audio Forensics. Applied Sciences, 10(1), 249. https://doi.org/10.3390/app10010249
Sammons, J. (2015). The basics of digital forensics: the primer for getting started in digital forensics. Syngress.
Vedit. (2020). Editing and Conversion Features | vEdit. https://www.vedit.com/features.html
X-Ways. (2015). WinHex: Hex Editor & Disk Editor, Computer Forensics & Data Recovery Software. https://www.x-ways.net/winhex/