Forensic Data Acquisition, Recovery, And Analysis: A Case Study

Forensic Data Acquisition

In this task the investigator was assigned a case of recovering files that had been deleted from a USB drive. Three files were created on the USB drive (a Word document, an Excel workbook, and a portrait image of the investigator) and then deleted. This report explains the forensic acquisition of the drive, the recovery of the deleted files, and the analysis and validation of what was recovered.


The investigator used EnCase Imager to obtain a forensic image of the USB drive for analysis and recovery.

The forensic image of the USB drive was acquired as follows. After downloading EnCase Imager, run it. On loading, the program displays its main window as shown in figure 3. From the menu on the left click 'Add Local Device'.

When you click 'Add Local Device' a new window pops up, as shown in figure 4 below. Select all the options except 'Only show write-blocked'; leave that one unchecked and click Next. Leaving it unchecked makes devices that are not behind a write blocker visible, which is how the USB drive appears in this case; in a real investigation the drive should be connected through a hardware write blocker so that nothing, including the operating system's automount, can write to it during acquisition.

Upon clicking Next, the program reads all attached sources, including physical drives, logical partitions, RAM, CD-ROM, and the processes running on the system, as shown in figure 5. From the options provided, select the drive from which the evidence is to be obtained. In this case drive 2 is selected because it is the USB drive under investigation. It is recommended to select the physical drive rather than one of its logical partitions, because only the physical drive yields a complete image, including unpartitioned space and anything outside the file systems [1]. Click 'Finish'.


A new window is displayed, as shown in figure 6. It lists the evidence items that have been selected; if the case had more than one evidence item, all of them would be listed here.

Double-click the evidence item to view the contents of the drive. The investigator can skip any file or folder that is not relevant to the case before acquiring the image, bearing in mind that excluding content produces a logical rather than a complete physical image.

From the submenu click 'Acquire' to obtain the forensic image of the evidence disk. On clicking 'Acquire', a window pops up asking the investigator to enter information about the case being investigated, as shown in figure 8 below. E01 is the image format selected here [2]. Fill in the information correctly, then on the 'Format' tab select the preferred image format and the verification hash.

Now click 'OK' to start the image acquisition. The window displays the acquisition status at the bottom right together with the time remaining for the process to complete.

Once the acquisition has completed, the image is saved to the folder the investigator selected.

The investigator then generated a hash value in order to prove the integrity of the evidence. Click 'Device' and select 'Hash' to generate the hash. The hash of the device must match the verification hash EnCase Imager computed while writing the image; these values are what every later copy of the image is checked against.

Click 'Report' once hashing has completed. The report can be copied and pasted into a Word document for future reference.

The data acquisition process has completed.
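The acquisition and hash-verification steps above, as an added example rather than EnCase Imager's own code: EnCase writes E01 images, whereas this writes a raw image, but the discipline of hashing the bytes as they are read and re-hashing the stored image afterwards is the same. The device is a constructed in-memory byte string, and the `BadSectorDevice` class is a stand-in, not a real driver, used to show what an imager does with an unreadable sector.

```python
"""Raw disk-to-image acquisition with inline hashing and post-acquisition
verification. Added example, not EnCase Imager's code; the "device" is a
constructed byte string and the bad-sector behaviour is simulated."""
import hashlib
import io
import random

CHUNK = 512  # one sector per read; real imagers read far larger blocks


class BadSectorDevice(io.BytesIO):
    """Constructed stand-in for a USB device: a read that starts at one of
    the given offsets raises OSError, like an unreadable sector would."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("simulated I/O error")
        return super().read(size)


def acquire(device, image, chunk=CHUNK):
    """Copy device -> image chunk by chunk, hashing exactly the bytes written.
    Returns the acquisition record that the report would carry."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks, offset = [], 0
    while True:
        try:
            block = device.read(chunk)
        except OSError:
            # Unreadable block: write zeros in its place and carry on (the
            # behaviour of dd conv=noerror,sync), but record the offset so the
            # report states exactly where the image is not the device.
            block = b"\x00" * chunk
            bad_blocks.append(offset)
            device.seek(offset + chunk)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
        image.write(block)
        offset += len(block)
    return {"bytes": offset, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "bad_blocks": bad_blocks}


def hash_image(data, chunk=CHUNK):
    """Independent re-hash of the stored image, as the Device > Hash step does."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        md5.update(data[i:i + chunk])
        sha256.update(data[i:i + chunk])
    return md5.hexdigest(), sha256.hexdigest()


def verify(image_data, record):
    """True only if the image re-hashes to the values recorded at acquisition."""
    return hash_image(image_data) == (record["md5"], record["sha256"])


_rng = random.Random(1)
DEVICE = bytes(_rng.getrandbits(8) for _ in range(16 * CHUNK))  # constructed 8 KiB "USB drive"


def demo():
    # 1. Clean acquisition: the image verifies and is byte-identical to the device.
    img = io.BytesIO()
    rec = acquire(BadSectorDevice(DEVICE), img)
    clean_ok = verify(img.getvalue(), rec) and img.getvalue() == DEVICE

    # 2. One flipped bit in the stored image (anything written after
    #    acquisition) is caught by verification.
    tampered = bytearray(img.getvalue())
    tampered[100] ^= 0x01
    tamper_caught = not verify(bytes(tampered), rec)

    # 3. Unreadable sector: acquisition completes, the gap is zero-filled and
    #    logged, and the image still verifies against its own record.
    img2 = io.BytesIO()
    rec2 = acquire(BadSectorDevice(DEVICE, bad_offsets={3 * CHUNK}), img2)
    zero_filled = img2.getvalue()[3 * CHUNK:4 * CHUNK] == b"\x00" * CHUNK
    return clean_ok, tamper_caught, rec2["bad_blocks"], zero_filled, verify(img2.getvalue(), rec2)
```

Two hashes are recorded because the E01 verification hash in older tools is MD5 only; carrying SHA-256 alongside it costs nothing at acquisition time and avoids having to re-image later. The bad-block list belongs in the report: a zero-filled gap that is not documented looks, to anyone examining the image, like the device really contained zeros there.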

Data Recovery

Data recovery is the process of restoring deleted or corrupted data from a physical drive or logical partition [3]. This step is crucial in computer forensics, because the recovered data serves as the evidence that can be presented in a court of law. In the case being investigated, ProDiscover Basic was used to carry out the recovery. ProDiscover Basic is a simple and easy-to-use forensic tool. First install ProDiscover Basic and run it. When the program has loaded it asks the user to enter the information regarding the case [4]; the evidence added to the project is the image acquired above, not the original USB drive.

Expand the image by clicking the plus sign next to it, then click the image itself to display its contents in the main pane.

From the content displayed, browse for the items related to the case. To recover the files, select all the relevant files, right-click them, and choose 'Copy All Selected Files'.

A new window pops up asking the investigator where to recover the files to, as shown in figure 19. Choose the preferred folder or drive and click 'OK'. In this case the USB drive was selected as the destination. Note that the USB drive is the original evidence: writing recovered files back to it overwrites unallocated space and changes the drive's hash, so in practice the destination should be a separate working volume, and all recovery should be done against the verified image, never the original device.

On clicking 'OK', all the selected files are restored to the destination folder [5]. Navigate to the USB drive to see the recovered files.
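What a tool such as ProDiscover does when it restores a deleted file from a FAT-formatted USB drive, shown as an added example that is not ProDiscover's code. Deleting a file on FAT sets the first byte of its 32-byte directory entry to 0xE5 and zeroes its cluster chain in the FAT; the entry's first cluster, size and attribute byte (including the hidden flag examined in the analysis section) survive, so the undelete reads the clusters from the recorded start and assumes they were contiguous. The volume is constructed in memory with a simplified layout (one 512-byte directory region followed by the data region, whose first cluster is numbered 2 as on a real volume); the cluster size is an assumption.

```python
"""Deleted-file recovery from FAT directory entries. Added example, not
ProDiscover's code; the volume is constructed in memory and the cluster
size is assumed. Assumption of every FAT undelete: once the FAT chain has
been zeroed, the file's clusters are taken to have been contiguous."""
import math
import struct

CLUSTER = 512                                   # bytes per cluster (assumed)
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")   # 32-byte FAT short-name entry
ATTR_HIDDEN, ATTR_LFN = 0x02, 0x0F              # attribute byte values
DELETED, END_OF_DIR = 0xE5, 0x00                # markers in the first name byte


def make_entry(stem, ext, attr, first_cluster, size, deleted=False):
    """Build a directory entry; deletion replaces the first name byte with 0xE5."""
    name = stem.ljust(8).encode("ascii")
    if deleted:
        name = bytes([DELETED]) + name[1:]
    return DIR_ENTRY.pack(name, ext.ljust(3).encode("ascii"), attr,
                          0, 0, 0, 0, 0,                    # NT flags, create/access times
                          first_cluster >> 16,              # high word of first cluster
                          0, 0,                             # write time/date
                          first_cluster & 0xFFFF, size)     # low word of first cluster, size


def parse_directory(region):
    """Walk the entries; deleted ones are kept, with '?' for the lost first character."""
    entries = []
    for off in range(0, len(region), DIR_ENTRY.size):
        f = DIR_ENTRY.unpack_from(region, off)
        name, ext, attr = f[0], f[1], f[2]
        if name[0] == END_OF_DIR:
            break                      # no entries follow
        if attr == ATTR_LFN:
            continue                   # long-file-name fragment, not a file
        deleted = name[0] == DELETED
        stem = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
        ext_s = ext.decode("ascii").rstrip()
        entries.append({
            "name": f"{stem}.{ext_s}" if ext_s else stem,
            "deleted": deleted,
            "hidden": bool(attr & ATTR_HIDDEN),   # the 'hidden' attribute checked in analysis
            "first_cluster": (f[8] << 16) | f[11],
            "size": f[12],
        })
    return entries


def recover(volume, entry, data_offset, cluster=CLUSTER):
    """Read ceil(size / cluster) clusters from the entry's first cluster.
    Deletion zeroes the FAT chain, so contiguity is assumed; a file that was
    fragmented comes back with foreign data after its first run of clusters."""
    start = data_offset + (entry["first_cluster"] - 2) * cluster
    length = math.ceil(entry["size"] / cluster) * cluster
    return volume[start:start + length][:entry["size"]]


def build_volume():
    """Constructed volume: a live .DOC at cluster 2 and a deleted .JPG at cluster 4."""
    doc = b"Live document content. " * 30
    jpg = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2 + b"\xff\xd9"
    directory = (make_entry("REPORT", "DOC", 0x20, 2, len(doc))
                 + make_entry("PHOTO", "JPG", 0x20, 4, len(jpg), deleted=True)
                 ).ljust(CLUSTER, b"\x00")
    data = doc.ljust(2 * CLUSTER, b"\x00") + jpg.ljust(2 * CLUSTER, b"\x00")
    return directory + data, CLUSTER, jpg


def demo():
    volume, data_offset, original = build_volume()
    entries = parse_directory(volume[:data_offset])
    deleted = [e for e in entries if e["deleted"]]
    recovered = recover(volume, deleted[0], data_offset)
    return deleted[0]["name"], recovered == original
```

Two limits worth knowing when reading a tool's recovery output: the first character of the name is gone for good (tools show a placeholder, as above), and on FAT32 some deleting implementations also zero the high word of the first cluster, so the recorded starting cluster can be wrong for files stored beyond cluster 65535. This is why a recovered file is validated by its content afterwards rather than trusted on its name.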

Data Analysis

Data analysis in computer forensics is the examination of data in relation to a computer crime; its objective is to find and interpret patterns in the data [6]. It is crucial to analyze recovered data in order to check its relevance, validity, and accuracy. Investigators carry out analysis in different ways; in this case a hex editor (HxD) was used to examine the recovered data for hidden files [7]. The recovered data was loaded into the hex editor and the 'hidden' sub-function of 'file attributes', located at the bottom right of the program window, was activated, as shown in figure 21 below. The hidden flag is only an attribute bit in the file's directory entry, which anyone can set or clear, so on its own it is a weak indicator; checking file content against the claimed type, as done in the validation step, is the stronger test.

The analysis did not identify any hidden files among the recovered files.

Data validation is a crucial step in computer forensics. It ensures that the restored data is meaningful, usable, and conforms to the rules set for it; validation supports data integrity, which is a key aspect of forensic investigation [8]. The investigator has to carry out several validation processes in order to establish integrity. The primary validation of the evidence itself is the hash comparison between the image and the source performed during acquisition; the methods below apply to the content of the recovered files. Several methods of data validation exist:

Required field: a validation technique used for data entered on online forms. It ensures that the user cannot continue until the designated fields have been filled in.

Type validation: a common technique for databases and Excel files. It checks that the data entered in a particular field is of the correct type [9]. If a field has been set to allow only text characters, it must not accept any other data type. Applied to recovered files, type validation means checking that the file signature (the first bytes of the content) matches the type claimed by the file extension, since an extension alone proves nothing about what the file contains.

Range validation: this method checks that the data entered falls within a set range. When a range has been set on a particular data field, it must not accept any data outside that range.

In this case the investigator applied type validation to the recovered files to ensure that they had the correct file extensions and valid content [10]. The result was positive, and the investigator concluded that the files were valid and contained relevant, correct, and complete data.
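The type validation just described, and the check for content that does not match its name from the analysis section, done the way forensic suites do it (EnCase calls this file signature analysis): the extension is a claim, the first bytes of the content are evidence, and for Office documents the names of the ZIP members inside tell .docx from .xlsx. This is an added example, not the page's procedure or any tool's code; the sample files are constructed in memory, and the type labels returned are this example's own.

```python
"""Signature-based type validation of recovered files. Added example, not the
page's procedure; the sample files are constructed in memory."""
import io
import zipfile

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers
ZIP_LOCAL_HEADER = b"PK\x03\x04"                    # .docx/.xlsx are ZIP containers


def identify(data):
    """Return the type the content actually is, independent of its name."""
    if data[:3] == JPEG_SOI:
        return "jpg" if data.endswith(JPEG_EOI) else "jpg-truncated"
    if data[:4] == ZIP_LOCAL_HEADER:
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"          # header present, central directory missing
        if "[Content_Types].xml" not in names:
            return "zip"
        if "word/document.xml" in names:
            return "docx"
        if "xl/workbook.xml" in names:
            return "xlsx"
        return "ooxml"
    return "unknown"


def validate(filename, data):
    """Compare the extension's claim with the content's identity."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    actual = identify(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "valid": actual == claimed}


def make_ooxml(main_part):
    """Constructed minimal Office Open XML container with the given main part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(main_part, "<root/>")
    return buf.getvalue()


SAMPLES = {                                                # all constructed
    "report.docx": make_ooxml("word/document.xml"),
    "budget.xlsx": make_ooxml("xl/workbook.xml"),
    "portrait.jpg": b"\xff\xd8\xff\xe0" + bytes(64) + b"\xff\xd9",
    "portrait_cut.jpg": b"\xff\xd8\xff\xe0" + bytes(64),        # recovered without its tail
    "notes.docx": b"\xff\xd8\xff\xe0" + bytes(8) + b"\xff\xd9",  # a JPEG renamed .docx
}


def demo():
    """Map each sample to what its content says it is."""
    return {name: validate(name, data)["actual"] for name, data in SAMPLES.items()}
```

The two failing samples are the cases that matter after an undelete: a truncated JPEG is what a partially overwritten or fragmented recovery looks like, and a JPEG carrying a .docx name is the simplest way someone hides an image from a search by extension. Neither would be caught by checking extensions alone.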

In forensic investigation, copying a drive is a critical process that requires skill and experience so as not to damage the evidence. Computer forensics requires that all drive contents are copied correctly and completely [11]. There are four methods of copying a drive (disk-to-image file, disk-to-disk, logical disk-to-disk, and sparse data copy [14]), but only three are discussed in this task: sparse data copy, disk-to-disk copy, and logical disk-to-disk copy. The circumstances and environment of the investigation determine which method is used.

Sparse data copy: this type of copy gathers only specific data of interest plus fragments of unallocated (deleted) space, rather than the whole drive. It is used when a full image is impractical, for example when only the .PST and .OST e-mail files are relevant or when the source is a large RAID server [12]. AccessData FTK Imager is a recommended tool for this type of copy.

Disk-to-disk copy: a common and flexible technique in which the source drive is copied sector by sector onto a target drive of equal or larger capacity; it is mostly used to prepare multiple copies of the original drive [13]. Several tools can carry out this type of copy, including The Sleuth Kit, FTK Imager, ProDiscover Basic, and EnCase.

Logical disk-to-disk copy: a technique mostly used when there is limited time to copy the drive. It lets the investigating officer copy only the files and folders relevant to the case; unallocated space and deleted data are not captured, so a case such as this one, which depends on deleted files, requires a physical image instead. EnCase is a recommended utility for this type of copy [14].

Conclusion

Computer forensics is becoming more critical in the current era. It requires skill and expertise to collect relevant, complete, and accurate evidence that can be submitted to a court of law. The order of volatility is important because it directs the investigator to collect the most volatile evidence first (RAM and running processes, which EnCase Imager also lists as sources) and the least volatile last. Data acquisition is a crucial step that determines the overall outcome of the investigation; it must be carried out correctly and with the appropriate tool.

References

[1] D. Hayes, A practical guide to computer forensics investigations. Indianapolis, Indiana: Pearson, 2015.

[2] M. Maras, Computer Forensics. Sudbury: Jones & Bartlett Learning, LLC, 2014.

[3] R. Sadgune, “ProDiscover Incident Response, ProDiscover Forensics, ProDiscover”, Hackforlab.com, 2014. [Online]. Available: https://hackforlab.com/prodiscover-incident-response-feature/. [Accessed: 27- Aug- 2018].

[4] B. ProDiscover, “ProDiscover Forensic Data Recovery”, Networkdefensesolutions.com, 2018. [Online]. Available: https://networkdefensesolutions.com/index.php/forensics/78-prodiscoverfilerecovery. [Accessed: 27- Aug- 2018].

[5] T. OTW, Hackers-arise.com, 2016. [Online]. Available: https://www.hackers-arise.com/single-post/2016/10/10/Digital-Forensics-Part-3-Recovering-Deleted-Files. [Accessed: 30- Aug- 2018].

[6] J. Marshall, “Examining the Raw Data on Your Hard Drive with a Hex Editor”, Tierradatarecovery.co.uk, 2014. [Online]. Available: https://tierradatarecovery.co.uk/examining-the-raw-data-on-your-hard-drive-with-a-hex-editor/. [Accessed: 30- Aug- 2018].

[7] M. Hörz, “HxD – Freeware Hex Editor and Disk Editor | mh-nexus”, Mh-nexus.de, 2018. [Online]. Available: https://mh-nexus.de/en/hxd/. [Accessed: 30- Aug- 2018].

[8] G. Wingate, Computer Systems Validation. Boca Raton, USA: CRC Press, 2016.

[9] N. Gilani, “Types of Validation Checks | Techwalla.com”, Techwalla, 2018. [Online]. Available: https://www.techwalla.com/articles/types-of-validation-checks. [Accessed: 27- Aug- 2018].

[10] G. Wingate, Computer Systems Validation. Boca Raton, USA: CRC Press, 2016.

[11] S. Moramarco, “Digital Forensics”, InfoSec Resources, 2016. [Online]. Available: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/#gref. [Accessed: 30- Aug- 2018].

[12] E. Casey, "Focused digital evidence analysis and forensic distinguishers", Digital Investigation, vol. 18, pp. A1-A3, 2016.

[13] E. Casey, “Digital Stratigraphy: Contextual Analysis of File System Traces in Forensic Science”, Journal of Forensic Sciences, 2017.

[14] B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. Mason, OH: Cengage Learning US, 2018. 
