Forensics Analysis for Vamos Solution- CO4514

Name of the Student:
Name of the Author:
Author Note:
Table of Contents
Introduction
Answer to the questions
Contemporary notes
Conclusion
References
Introduction:
As a digital forensics investigator of the UCLAN High Tech Crime Unit, the task is to investigate the case of VAMOS Solutions, one of whose employees has been accused of stealing company secrets. The Autopsy tool and an offline forensic analysis method are used to answer the questions asked by management. The employee is alleged to have attempted to exfiltrate the company's secrets by copying them onto a USB data storage device. The USB drive has been imaged and acquired so that further investigation can be carried out; in this report the acquired image is processed and analysed using Autopsy.
Answer to the questions:
Question 1 – Is there any evidence to suggest that the company secrets have been copied onto the USB pen?
The evidence was obtained by disk acquisition: the suspect's USB drive was imaged with the source device attached read-only (write-blocked), so that the original evidence is not altered and the image can be examined in its place. The full-disk image was then loaded into the Autopsy framework as a data source and the ingest modules were configured ("Configure Ingest Modules") (Grispos & Bastola 2020). Finally the results were examined by manual inspection. Not much evidence was found at the top level of the suspect's USB pen; Autopsy lists the files of interest flagged by the ingest modules under the "Extracted Content" node of the result tree.
The Word and Excel files shown in the screenshot above indicate that company secrets were copied to the USB drive, as the confidential information and the salary information are present in the evidence image. Information about employee salaries was the matter of concern in this scenario, and the "income.xlsx" file was found to have been copied three times. The metadata of the files is visible in the figure. Matches against the configured hash database are listed under "HashSet Hits"; a hash set is a list of known MD5 hash values against which the digest of every file is compared, and a matching file can be used as digital evidence. The partition "Vol2 (Win95 FAT32 (0x0b): 63-208844)" was opened. It contains a lot of interesting information, but most of its content is not relevant to the questions asked.
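To make the hash-set step concrete, the following added example (written for this report, not code from Autopsy or from the case) builds a notable-file hash set from the company's original files, walks a constructed stand-in for the extracted USB contents, and reports both the hash-set hits and every group of files with identical content. The file names and bytes are hypothetical; the three copies of income.xlsx mirror the finding above.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files are not read into memory at once


def file_digests(path):
    """Return (md5, sha256) hex digests of one file, computed in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def build_hashset(originals):
    """originals maps a label to the bytes of a known company file.
    Returns {md5: label}, the same shape as a 'notable' hash set in Autopsy."""
    return {hashlib.md5(data).hexdigest(): label for label, data in originals.items()}


def scan(root, hashset):
    """Walk the extracted file tree under root. Every file whose MD5 is in
    hashset is a 'HashSet Hit'; all files are also grouped by hash so that
    several copies of identical content are reported together."""
    root = Path(root)
    hits, by_hash = [], defaultdict(list)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        md5, sha = file_digests(path)
        rel = path.relative_to(root).as_posix()
        by_hash[md5].append(rel)
        if md5 in hashset:
            hits.append({"path": rel, "matches": hashset[md5], "md5": md5, "sha256": sha})
    copies = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return hits, copies


def build_sample_drive(root):
    """Constructed stand-in for the extracted USB contents (hypothetical names
    and bytes, not real spreadsheets). Returns the originals the company supplies."""
    root = Path(root)
    secret = b"employee,salary\r\nJ. Dempsey,52000\r\n"  # constructed sample content
    for rel in ("income.xlsx", "backup/income.xlsx", "old/income (1).xlsx"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(secret)
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a secret")
    return {"income.xlsx": secret}


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        originals = build_sample_drive(tmp)
        return scan(tmp, build_hashset(originals))


if __name__ == "__main__":
    hits, copies = demo()
    for hit in hits:
        print(f"HIT {hit['path']} matches {hit['matches']} md5={hit['md5']}")
    for md5, paths in copies.items():
        print(f"{len(paths)} copies share md5 {md5}: {paths}")
```

Autopsy's Hash Lookup ingest module performs the same comparison against the configured hash sets and files the results under "HashSet Hits". The example records SHA-256 alongside MD5 because MD5 collisions are practical; a court-facing report should quote both.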
As per the available evidence, the suspect's disk contains important data regarding employee salaries. Autopsy's content viewer shows the document as rendered text (WYSIWYG), which makes the evidence quick to navigate. With the help of the forensic software the data was first organised for analytical purposes: every file was identified and classified by the ingest modules (Patil et al., 2022). The retrieved file is a Word document created in Microsoft Word on 24th March, and its metadata records John Dempsey as the last person to edit it. Knowing the last editor of a file is essential for attributing the file to a user, with the caveat that this field is written by the application from the logged-in user's profile and can be altered, so it corroborates rather than proves who handled the file.
The Hex tab was then opened as an alternative way of examining the file alongside the rendered view. Reading the raw bytes is worthwhile, but for an Office document they are not directly readable: the file is a container format rather than plain text, so the data is not encrypted, merely not human-readable in that form. The file metadata extracted by Autopsy shows the Microsoft Office version, the character count and the content type of the document.
Question 2 – Is there any evidence to suggest that the suspect has tried to hide any data?
Yes, there is evidence suggesting that the suspect tried to hide information. While the ingest modules ran quietly in the background (Koul, Raj & Koul 2020), Autopsy flagged deleted files on the suspect's drive and presented the document content in its rendered (WYSIWYG) view. The keyword "salary" was used to search for evidence; three copies of the same file were returned, which shows that the file was copied. This was established from the presence of the copies, and the timestamps of the file operations were examined as well.
The deleted files shown above indicate that the suspect tried to hide data, as some of it had been deleted from the drive. In the file system view, entries named "$" and "$$$" were also found. These cannot be opened as ordinary files and are not viewable as documents in the forensic software, because Autopsy represents file-system metadata and unallocated space of the FAT32 partition as virtual files whose names begin with "$". The "$" entry corresponds to unallocated space. Part of that space had been overwritten, so some deleted data has been replaced and cannot be recovered, while the remainder can still be carved. These actions can be used to track the suspect's activity; following Sachdeva, Raina & Sharma (2020), tracking the actions is important for understanding the motive of the suspect and helps further investigation.
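Deleted files on FAT32 are recoverable precisely because deletion only overwrites the first byte of the directory entry with 0xE5 and frees the clusters; the entry's first cluster, size and timestamps stay in place until the slot is reused. The following added example (written for this report, not Autopsy or Sleuth Kit code) parses a raw FAT directory region, reports live and deleted entries, and computes where each file's content sits in the data area. The directory bytes are constructed inline; the data-area offset and cluster size are hypothetical values, not taken from the case image.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32
ATTR_LFN = 0x0F        # long-file-name fragment, not a file entry
DELETED_MARK = 0xE5    # first byte of a deleted short-name entry
END_MARK = 0x00        # first byte of the first never-used slot


def fat_datetime(date, time):
    """Decode FAT's packed 16-bit date and time (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(region, data_start, cluster_size):
    """Walk a raw directory region and return one dict per short-name entry.
    Deleted entries keep everything but the first name byte, so first cluster,
    size and timestamps can still be read and the content located in the data
    area (as long as those clusters have not been overwritten)."""
    files = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == END_MARK:
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[1:8].decode("ascii", "replace").rstrip()
        name = ("_" if deleted else chr(raw[0])) + base   # first character is lost on delete
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", raw, 20)          # high 16 bits of first cluster
        wtime, wdate, lo, size = struct.unpack_from("<HHHI", raw, 22)
        first_cluster = (hi << 16) | lo
        files.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "attr": attr,
            "first_cluster": first_cluster,
            "size": size,
            "modified": fat_datetime(wdate, wtime),
            # data clusters are numbered from 2; cluster 2 starts at data_start
            "data_offset": data_start + (first_cluster - 2) * cluster_size if first_cluster >= 2 else None,
        })
    return files


def make_entry(name, ext, attr, cluster, size, when, deleted=False):
    """Sample builder (constructed input): pack one 32-byte short-name entry."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = bytearray(struct.pack("<8s3sBBBHHHHHHHI",
                                name.ljust(8).encode(), ext.ljust(3).encode(), attr, 0, 0,
                                time, date, date, cluster >> 16, time, date, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


def sample_region():
    """Constructed directory: a live spreadsheet, one LFN fragment, a deleted
    text file, then the end marker. Names follow the report; bytes are made up."""
    when = datetime(2015, 3, 24, 10, 30, 0)
    lfn = bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LFN]) + b"\x00" * 20
    return (make_entry("INCOME", "XLS", 0x20, 3, 4096, when)
            + lfn
            + make_entry("DOC3", "TXT", 0x20, 9, 120, when.replace(hour=11, minute=2, second=10), deleted=True)
            + b"\x00" * ENTRY_SIZE)


if __name__ == "__main__":
    for entry in parse_directory(sample_region(), data_start=0x100000, cluster_size=4096):
        print(entry)
```

The deleted entry comes back as "_OC3.TXT": the file was DOC3.TXT, but the first character is unrecoverable from the short-name entry alone (the long-name fragment, if intact, still carries it). Whether the 120 bytes at the reported offset are still the original content has to be confirmed by reading the data area, since a later write may have reused cluster 9.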
Question 3 – Any evidence to suggest the reason why the suspect has attempted to steal this
Yes, there is evidence that the suspect was trying to steal data. In the "Extracted Content" section the keyword "salary" was searched. The Word and Excel files shown above indicate that company secrets were copied to the USB drive, as the confidential information and the salary information are present in the evidence file. The doc2.xlsx files containing the keyword "salary" were found, and doc2.xlsx appears in the search results multiple times for the same keyword, one hit for each copy.
The suspect's disk is divided into three volumes. The first was created by the operating system and contains residual and replicant data; volume 2 contains the files stored by the user; volume 3 is nothing but a small amount of space left over at the end of the disk (Ferreira, Antunes & Correia 2021). In volume 2 an open document and a picture were found, and unallocated and overwritten data is present in this section. Within the Documents folder, doc1.docx is found; its content is visible in the content view, and this is considered evidence of stealing. Opening doc1.docx exposes both the content and the metadata, which shows that the last editor of the document is John Dempsey and that it was created on 24th March 2015. Another piece of evidence is found in doc3.txt.
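The "last editor" and "created" values come from the document's own metadata, not from the file system. The following added example (written for this report, not Autopsy code) shows where they live and how to read them: a .docx is a zip package, docProps/core.xml carries creator, lastModifiedBy and the created/modified dates, and docProps/app.xml carries the application name and character count. The package is constructed inline with the values reported above for doc1.docx; the text inside it is hypothetical and it is not a file from the case.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def read_office_metadata(blob):
    """Extract authorship fields from an OOXML package (.docx/.xlsx).
    Also returns each zip entry's own timestamp, which the user cannot edit
    through the Office UI and so serves as an independent cross-check."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created"), ("modified", "dcterms:modified")):
                node = core.find(path, NS)
                meta[key] = node.text if node is not None else None
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for key, path in (("application", "ep:Application"), ("app_version", "ep:AppVersion"),
                              ("words", "ep:Words"), ("characters", "ep:Characters")):
                node = app.find(path, NS)
                meta[key] = node.text if node is not None else None
        meta["zip_entry_times"] = {i.filename: "%04d-%02d-%02dT%02d:%02d:%02d" % i.date_time
                                   for i in zf.infolist()}
    return meta


# Constructed sample package (hypothetical text, not a file from the case).
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>VAMOS HR</dc:creator><cp:lastModifiedBy>John Dempsey</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2015-03-24T09:15:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2015-03-24T11:02:00Z</dcterms:modified>'
    '</cp:coreProperties>'
).format(cp=NS["cp"], dc=NS["dc"], dcterms=NS["dcterms"])
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
    '<AppVersion>15.0000</AppVersion><Words>212</Words><Characters>1187</Characters></Properties>'
).format(ep=NS["ep"])
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Salary schedule (constructed sample)</w:t></w:r></w:p></w:body></w:document>'
)


def build_sample_docx(entry_time=(2015, 3, 24, 11, 2, 0)):
    """Write the constructed package to memory with fixed zip entry timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("[Content_Types].xml", CONTENT_TYPES_XML), ("docProps/core.xml", CORE_XML),
                           ("docProps/app.xml", APP_XML), ("word/document.xml", DOCUMENT_XML)):
            info = zipfile.ZipInfo(name, date_time=entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in read_office_metadata(build_sample_docx()).items():
        print(f"{key}: {value}")
```

All of the core.xml fields are plain text written by the application and can be changed by the user or by a script, so they should be cross-checked against the file-system timestamps of doc1.docx, the zip entry times above, and the account that was logged on at the time before "John Dempsey" is asserted as the editor in the report.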
Question 4 – What further evidence may be needed by the investigation team to support any of the facts discovered during your investigation?
For further investigation the PC used by the suspect employee will be needed, so that its RAM contents and recent activity can be analysed for additional evidence. Analogical evidence helps in establishing facts by comparing two similar cases; according to Amato et al. (2019) such evidence cannot be presented in court on its own, but it lends credibility during formal searches. The forensic expert can also treat active data as a source of evidence. Evaluating residual and replicant data is considered one of the most significant techniques of digital forensics. Residual data is deleted data that is still present on the disk but no longer visible through the file system; its presence can be identified by examining unallocated space. Data is frequently deleted in this way, and in such a scenario the ingest modules are configured to recover the residual data.

The processor often creates a temporary copy of an application's data in machine memory. This replicant data helps in establishing the last actions of the suspect. As per Arshad, Jantan & Abiodun (2018), files are retrievable even after the permanent deletion of the original file; the copy is like a printed proof of the main copy, and it also serves as a backup of crucial evidence. Residual data that frequently turns into replicant data includes web cache, temporary directories, and data blocks left behind by an operation. If the data was accessed directly from the internet, there is a strong chance that a URL can be recovered as well.

Another great source of digital evidence is volatile data, meaning the data present in RAM. For the practical task the suspect hard drive or USB pen was defined manually as the data source (Efendi, 2019). Volatile data is among the most important, as it is held in operational memory; while multiple applications run simultaneously, multiple items of volatile data may be generated, and these are a good means of identifying the actions of the suspect. Anecdotal evidence, meaning accounts given by individuals of specific incidents, can also be used in a digital forensic investigation. Apart from that, a thorough systematic analysis is helpful: the relationship between fragmented data, unallocated data and overwritten data can be determined with this process, and reconstructing hidden data is the most important segment of the systematic analysis (Kumar et al., 2021).

Within Autopsy, the Recent Activity module is used together with Hash Lookup for gathering digital evidence; identifying hash values is essential for establishing the digital footprint. The Extension Mismatch Detector and the Exif (Exchangeable Image File Format) Parser can also be incorporated in the process. The Email Parser and Encryption Detection modules are needed to identify mailbox files (PST/MBOX) and encrypted files, from which further footprints can be recovered. The Data Source Integrity module calculates the hash of the image and verifies it against the hash recorded at acquisition (Casino et al., 2022), whereas Hash Lookup compares each file's hash against the configured databases. Using these techniques increases the authenticity of the process and helps in understanding the potential actions of the suspect. Plaso can also be used for timestamp extraction (Amato et al., 2020): the events that occurred while the computer or database was in use are found with this feature and presented graphically, so evaluating digital footprints will be
Contemporary notes:
For the investigation the Autopsy tool has been used, which is very useful for timeline analysis, offline forensic analysis and email analysis. In this scenario of VAMOS Solutions the USB drive has been investigated with this tool to find hidden and deleted information, Exif metadata and deleted or hidden files, so that the activities of the suspect can be proved in court (Akbal et al., 2021). First the acquired image was loaded into Autopsy, then offline analysis was performed to find useful information in the evidence image file. The chain of custody is also maintained for further investigation, and it will be presented to the court to show the progress of the investigation.
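The timeline that Autopsy builds is, underneath, the Sleuth Kit "body" format fed through mactime. The following added example (written for this report, not Autopsy or Sleuth Kit code) parses a few constructed body-format rows for the USB image, expands them into mactime-style events with "macb" flags, and applies one check a practitioner uses when the question is whether files were copied onto a volume: on a Windows copy the source file's modified time is carried over while the creation time is set to the moment of the copy, so a creation time later than the modified time means the content existed somewhere else first. The rows, inode numbers and epoch values are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample in Sleuth Kit "body" format, which `fls -m` emits from an
# image and mactime turns into a timeline. Hypothetical rows for the USB image:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, UTC)
SAMPLE_BODY = """\
0|/Documents/doc1.docx|7|r/rrwxrwxrwx|0|0|14231|1427197500|1427194930|1427194930|1427189700
0|/income.xlsx|5|r/rrwxrwxrwx|0|0|4096|1427193000|1427193000|1427193000|1427193000
0|/backup/income.xlsx|12|r/rrwxrwxrwx|0|0|4096|1427193600|1427193000|1427193600|1427193600
0|/doc3.txt (deleted)|9|-/rrwxrwxrwx|0|0|120|1427194930|1427194930|1427194930|1427194930
"""

TIME_FIELDS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body(text):
    """Parse body-format lines into dicts; a row with the wrong column count
    raises instead of silently shifting every later field."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        rows.append({"name": f[1], "inode": f[2], "size": int(f[6]),
                     "atime": int(f[7]), "mtime": int(f[8]),
                     "ctime": int(f[9]), "crtime": int(f[10]),
                     "deleted": "(deleted)" in f[1]})
    return rows


def build_timeline(rows):
    """One event per distinct timestamp per file, flagged the way mactime does
    (m=modified, a=accessed, c=metadata changed, b=born/created), sorted in
    time order. A zero timestamp means 'not recorded' and is skipped."""
    events = []
    for r in rows:
        for ts in sorted({r[k] for _, k in TIME_FIELDS} - {0}):
            flags = "".join(ch if r[k] == ts else "." for ch, k in TIME_FIELDS)
            events.append({"time": datetime.fromtimestamp(ts, timezone.utc),
                           "flags": flags, "name": r["name"],
                           "size": r["size"], "deleted": r["deleted"]})
    events.sort(key=lambda e: (e["time"], e["name"]))
    return events


def copied_files(rows):
    """Files whose creation time is later than their modification time, the
    signature of content copied onto this volume from somewhere else."""
    return [r["name"] for r in rows if r["mtime"] > 0 and r["crtime"] > r["mtime"]]


def format_timeline(events):
    """Render events as mactime-like text lines."""
    return [f'{e["time"]:%Y-%m-%d %H:%M:%S} {e["flags"]} {e["size"]:>7} {e["name"]}'
            for e in events]


if __name__ == "__main__":
    rows = parse_body(SAMPLE_BODY)
    print("\n".join(format_timeline(build_timeline(rows))))
    print("copied onto this volume:", copied_files(rows))
```

In the sample only /backup/income.xlsx is flagged as a copy (created 10:40, modified 10:30), while /Documents/doc1.docx was created before it was last modified and so was edited in place on this volume. The deleted doc3.txt still carries its timestamps, which is why deleted entries remain useful on a timeline. All times are shown in UTC; FAT timestamps have no time zone of their own, so the imaging workstation's zone setting must be recorded with the chain-of-custody notes before the times are quoted in the report.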
Case creation:
Loading image file in Autopsy:
Timeline of the imaged USB:
Files and data found:
Informatio n about the evidence file found:
Conclusion:
Thus it can be concluded that in this report the forensic analysis for VAMOS Solutions has been performed using Autopsy and the questions posed have been answered. The screenshots of the analysis and the contemporary notes have also been provided for better understanding. Apart from that, the timeline is considered another important feature that can be used to improve the solution.
References:
Akbal, E., Yakut, Ö.F., Dogan, S., Tuncer, T., & Ertam, F. (2021). A Digital Forensics Approach for Lost Secondary Partition Analysis using Master Boot Record Structured Hard Disk Drives. Sakarya University Journal of Computer and Information Sciences, 4(3), 326-346.
Amato, F., Cozzolino, G., Moscato, V., & Moscato, F. (2019). Analyse digital forensic evidences through a semantic-based methodology and NLP techniques. Future Generation Computer Systems, 98, 297-307.
Amato, F., Castiglione, A., Cozzolino, G., & Narducci, F. (2020). A semantic-based methodology for digital forensics analysis. Journal of Parallel and Distributed Computing, 138, 172-177.
Arshad, H., Jantan, A. B., & Abiodun, O. I. (2018). Digital forensics: review of issues in scientific validation of digital evidence. Journal of Information Processing Systems, 14(2), 346-376.
Casino, F., Dasaklis, T.K., Spathoulas, G., Anagnostopoulos, M., Ghosal, A., Borocz, I., Solanas, A., Conti, M., & Patsakis, C. (2022). Research trends, challenges, and emerging topics in digital forensics: A review of reviews. IEEE Access.
Efendi, T. F. (2019). The Management of Physical Evidence and Chain of Custody (CoC) in Digital Forensic Laboratory Storage. International Journal of Seocology, 001-010.
Ferreira, S., Antunes, M., & Correia, M.E. (2021). Exposing Manipulated Photos and Videos in Digital Forensics Analysis. 7(7), 102.
Grispos, G., & Bastola, K. (2020, July). Cyber autopsies: the integration of digital forensics into medical contexts. In 2020 IEEE 33rd International Symposium on Computer-Based Medical Systems (CBMS) (pp. 510-513). IEEE.
Koul, S., Raj, Y., & Koul, S. (2020). Analyzing Cyber Trends in Online Financial Frauds using Digital Forensics Techniques. 9(9), 1-6.
Kumar, G., Saha, R., Lal, C., & Conti, M. (2021). Internet-of-Forensic (IoF): A blockchain based digital forensics framework for IoT applications. Future Generation Computer Systems, 120, 13-25.
Patil, A., Banerjee, S., Jadhav, D., & Borkar, G. (2022). Roadmap of Digital Forensics Investigation Process with Discovery of Tools. Cyber Security and Digital Forensics, 241-269.
Sachdeva, S., Raina, B. L., & Sharma, A. (2020). Analysis of digital forensic tools. Journal of Computational and Theoretical Nanoscience, 17(6), 2459-2467.

