I am a student studying for the IADCS (International Advanced Diploma in Computer Studies) offered by NCC Education at Myanma Computer Company Ltd. (MCC) in Yangon. This assignment is for Computer Forensics, which is the first elective subject I am taking in my second faculty class. In this assignment, we have to investigate the company policy violation case of Didsbury Mobile Entertainments Ltd. Being new to this subject, I ran into many difficulties, but I coped with them little by little. While researching this assignment, I became interested in the topic and recognized that it is truly indispensable and critical in most cases. This assignment led me into the field of computer forensics, and I got to know new material and policies which I did not know before.
No work is done without getting support, inspiration and motivation. I ran into many difficulties and hard times during the investigation for my assignment even though I put much effort into researching. I am very grateful to U Win Hlaing, who showed us an insightful view of computer forensics. His guidance was really helpful and keen for learning this subject. My thanks also go to Daw Aung Thandar LynnMyit, who is the line manager.
The reasons for the need for a computer forensic investigation in the given case
Computer forensics will be defined as a scientific method used to solve the crime. This includes acquiring digital data so that it can later appear in court as evidence, and analysing it. As computers and the Internet are used everywhere, computer forensics has to be carried out around them as well.
Computer forensics is about obtaining and analysing digital information for use as evidence in civil, criminal or administrative cases. The role of computer forensic investigation has become a critical part of solving crimes today. It also serves the people who are innocent or who committed the crime. It is truly needed for the truth.
In the given case a computer forensics investigation is a must since it involves diverting business using the company's system and time. The given case indicates that Jalitha is spending the company's time on her friend's business and diverting business to her friend. This is a company policy violation case. To stop her from harming the company and to punish the intruder, evidence is essential. If evidence collection is done correctly, it is much more useful in dealing with the policy violator, and stands a much greater chance of being admissible in the event of a prosecution. For these reasons, computer forensics is needed to find evidence of, or fully recover, hidden, lost or deleted information, even if it was deliberately concealed or deleted. From a technical point of view, the main goal of computer forensics is to preserve, identify, collect, and analyse data in a manner that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
The steps I would take to pursue the investigation
- I must understand the current laws on crimes relating to information technology, including the standard legal process and how to build a case under the local rules, avoid conflicts of interest with authorised people of that firm, and learn the policies defined according to the line of authority for conducting internal investigations.
- Make an initial assessment about the type of case by talking to others involved in the case and asking questions about the incident. (Example: How did you know that Jalitha has been spending her time on her friend Radasa's private business in the company's time?)
- Determine a preliminary design or approach to investigate the case and develop the detailed design or checklist of the step details and an estimate of the time needed for each step.
- Collect the resources which are available and use other specialists, support teams, tools and software to process all of the evidence, such as recovering, locating and analysing the evidence.
- Copy and obtain any related storage media along with her personal computer, such as removable media, compact discs and related computer devices, and organize the information to help prove her guilt or innocence.
- Identify how we can minimise the risks. I am working with a computer where convicted criminals have probably password-protected the hard-disk drive, so I can make multiple copies of the original media before I start. Then I can destroy one or more copies during the investigations, but I still achieve the goal of recovering information from those disks.
- I need to review the decisions I have made and the steps already finished. If I have already copied the original media, a standard part of the testing design involves comparing hash signatures to ensure that I have made a proper copy of the original media.
- I need to write a complete report detailing what we do and what we find daily.
Procedures to make sure evidence holds up in court
To secure and verify evidence, the investigator can follow these procedures:
- The computer forensics investigator must ensure that the evidence is not changed by anybody. People accessing the evidence must be expert enough to do so and must be able to take responsibility for their actions.
- Investigators examine file and directory date and time stamps, locate and extract all log files, and recover the temporary print spool files.
- The person in charge of the investigation has responsibility for ensuring that the law and these principles are met.
- In making a forensic copy of a hard disk, for example, suitable precautions should first be taken to prevent any data being written to the disk, which means write-protecting the media so that the data will be kept unchanged from the attack of other malicious software or viruses.
- Secure the evidence in an approved secure container such as evidence bags, tape, tags, labels, safe-boxes and other products available from police-supply vendors, or bank containers.
- It is also important to know what has happened to the system or storage media from the time it was seized to the moment it was examined by a forensic examiner. Any gap in the chain of evidence could mean that one or more unknown persons could have gained access.
- From the point of view of prosecution, the main objective is to provide strong evidence for each legal point to prove for a given crime. The role of the computer forensics investigator is to face the challenge of the technical complexity of such a case and the expectations of the court.
- Unlike a file, raw computer evidence must be presented with an accurate interpretation or report, which clearly identifies its significance in the context of where it was found, what it contains or what is recovered.
A computer forensic expert should also be prepared to answer reliability questions relating to the software that they have used.
I) The way data is stored in Windows and Linux systems
Windows Data Storage
Windows operating systems support two types of hard disk storage on desktop computers: basic disks and dynamic disks. The most used file systems are FAT32 (File Allocation Table) and NTFS (New Technology File System). Basic disks are the default storage type in Windows operating systems, so all hard disks begin as basic disks. Windows recognizes all disks as basic by default, including all new installations and upgrades from older versions of Windows. To use a dynamic disk, a basic disk must be converted to a dynamic disk. Four primary partitions can be created on a computer running a Windows operating system, and any primary partition can be set as the active (or bootable) drive.
An extended partition provides a way to exceed the limit of four primary partitions. An extended partition cannot be formatted with any file system. Rather, extended partitions serve as a shell in which any number of logical partitions can be created.
Any number of logical partitions can be created inside an extended partition. Logical partitions are usually used for organizing files. All logical partitions are visible, no matter which operating system is started.
A spanned volume can contain disk space from 2 or more (up to a maximum of 32) disks. The amount of disk space from each disk can vary. Spanned volumes are used when a simple volume is running low on disk space and needs to be extended by using space on another hard disk. When Windows writes data to a spanned volume, it writes data to the area on the first disk until that area is filled, then writes data to the area on the second disk, and so on. If any of the disks containing the spanned volume fails, the user loses all data in the entire spanned volume.
Striped volume: A striped volume can contain disk space from 2 or more (up to a maximum of 32) disks. Striped volumes require that the user use an identical amount of disk space from each disk. When Windows writes data to a striped volume, it divides the data into 64 KB chunks and writes them to the disks in a fixed order. Therefore, Windows will divide a 128 KB file into two 64 KB chunks and then store each chunk on a separate disk. Striped volumes provide increased performance because it is faster to read or write two smaller pieces of a file on two drives than to read or write the entire file on a single drive.
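The layout rules for striped and spanned volumes described above, simulated in memory as an added example (not code from the original assignment); the 64 KB stripe unit is the page's figure, while the disk count and area sizes are constructed:

```python
# Added example (not from the original assignment): how Windows lays a file out
# on a striped volume (64 KB chunks, fixed disk order) versus a spanned volume
# (fill disk 1, then disk 2, ...), and why one failed disk destroys the whole
# volume. Disk contents are simulated in memory; sizes are constructed values.

STRIPE_UNIT = 64 * 1024  # Windows writes striped volumes in 64 KB chunks


def write_striped(data, disk_count):
    """Return one chunk list per disk; chunk n goes to disk n % disk_count."""
    disks = [[] for _ in range(disk_count)]
    for n, off in enumerate(range(0, len(data), STRIPE_UNIT)):
        disks[n % disk_count].append(data[off:off + STRIPE_UNIT])
    return disks


def read_striped(disks):
    """Reassemble by taking chunk 0 from every disk, then chunk 1, and so on.
    A failed member disk is represented by None and makes the data unrecoverable."""
    if any(d is None for d in disks):
        raise ValueError("striped volume lost: a member disk failed")
    out = bytearray()
    for i in range(max(len(d) for d in disks)):
        for d in disks:
            if i < len(d):
                out += d[i]
    return bytes(out)


def write_spanned(data, area_sizes):
    """Fill the area on the first disk completely before moving to the next disk."""
    disks, off = [], 0
    for size in area_sizes:
        disks.append(data[off:off + size])
        off += size
    if off < len(data):
        raise ValueError("spanned volume full")
    return disks


def read_spanned(disks):
    """Concatenate the areas in disk order; any failed member loses the whole volume."""
    if any(d is None for d in disks):
        raise ValueError("spanned volume lost: a member disk failed")
    return b"".join(disks)


if __name__ == "__main__":
    sample = bytes(range(256)) * 512  # constructed 128 KB file
    striped = write_striped(sample, 2)
    print([len(chunks) for chunks in striped], "chunk(s) per disk")  # [1, 1]
    spanned = write_spanned(sample, [100 * 1024, 100 * 1024])
    print([len(area) for area in spanned], "bytes per disk area")
```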
[Figure: Windows data storage]
Linux Data Storage
The Linux file system is organized as a hierarchy of directories.
The unit of storage in the Linux file system is the data block. As in the Microsoft file system structures, the Linux file system on a PC has 512-byte sectors. Typically a data block consists of 4096 or 8192 bytes made up of clusters of hard disk sectors. When a file is stored, its data blocks are clustered and a unique inode is assigned.
Ext3 file systems were designed so that directories are files which contain the names of the files in that directory and the locations where those files can be found. The ext2/3/4 file systems assign blocks of space for files based on their parent directories; these spread files out all over the physical disk, leaving room to keep files contiguous and reduce fragmentation. Besides providing availability, data integrity and speed similar to other file system choices, it is also potentially possible to recover a deleted file without having to defragment, due to dynamic allocation of resources and contiguous arrangement of the files.
[Figure: Linux data storage]
The boot tasks and start-up tasks for Windows and Linux systems
Windows Boot Tasks and Start-Up Tasks
When the user hits the power button on a computer, a whole lot of stuff happens. We call this the boot process. For Windows XP the following tasks will be done:
- First comes POST (power-on self-test), which runs when power is applied to the computer. This process tests memory and a number of other subsystems. Typically, these tests are carried out automatically. After POST has completed, the system BIOS (Basic Input-Output System) works with any device that has its own BIOS, such as the AGP card and several network adapters.
- Once BIOS has initialized and verified that everything works, BIOS tries to load the MBR (master boot record). This is the first sector of the first hard drive (or master hd0). When the MBR takes over, it is Windows that is in control.
- The MBR inspects the boot sector (first sector) of the active partition. Here NTLDR is found; NTLDR is the Windows XP boot loader. NTLDR is loaded into memory, starts the file system, reads the boot.ini file and loads the boot menu. NTLDR and NTDETECT.COM, together with BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if there are SCSI adapters), need to be in the root directory of the active partition.
- Once XP is selected from the boot menu, NTLDR runs NTDETECT.COM; if another operating system listed in the Boot.ini file is selected, BOOTSECT.DOS is used to load it. At this point the system switches from 16-bit real mode to 32-bit protected mode.
- NTLDR will then load NTOSKRNL.EXE and HAL.DLL. Effectively, these files are Windows XP. They are in %SystemRoot%\System32.
- NTLDR reads the registry, picks a hardware profile and loads device drivers, in that order.
At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the logon screen so that the user can log on.
[Figures: Windows boot tasks and start-up tasks; Windows boot screen 01; Windows boot screen 02]
Linux Boot Tasks and Start-Up Tasks
In Linux, the flow of control during a boot is from BIOS, to boot loader, to kernel. The kernel then starts the scheduler and runs the first user-land program, init (which sets up the user environment and allows user interaction and login), at which point the kernel goes idle unless called externally.
- BIOS performs specific tasks when you start the hardware platform.
- Once the hardware is recognized and the system is working properly, BIOS loads and runs the first stage of the Linux boot loader from the boot code partition of the specified boot device. Stage 1 then loads stage 2 (most of the boot loader). Because the first stage cannot hold the code needed to read the whole disk and fetch a modern large loader, an intermediate stage (stage 1.5) may be used.
- The boot loader may present the user with a boot option menu. The boot loader then loads the operating system: it decompresses the kernel into memory, sets up the memory map and paging devices that are needed, and calls start_kernel(). start_kernel() performs most of the system setup (interrupts, memory management, device drivers and low-level initialization), then spawns the idle process and the scheduler, and the init process (which is executed in user space).
- The kernel is then effectively idle, and the scheduler manages the system.
The init process runs the scripts needed to set up the OS environment and the services and facilities the user needs, and provides the user with the login screen.
[Figures: Linux boot tasks and start-up; Linux boot screens]
[Figures: Guidance Software's EnCase overview; evidence disk overview; function of EnCase; AccessData's Forensic Toolkit; FTK options; FTK process to perform; FTK function; ProDiscover evidence disk view]
Guidance Software's EnCase Features
- Acquisition granularity
- Link file parser: finds link files in unallocated space
- Compound (e.g. zipped) document and file analysis
- File signature analysis and hash analysis
- File finder: finds files in unallocated space
- Reporting: automatic reports
- List of all files and folders in a case
- Detailed listing of all URLs and corresponding dates and times of web sites visited
- Document incident response report
- Log records
- System support
- Hardware and software RAIDs
- Dynamic disk support for Windows 2000/XP/2003 Server
- Interpret and analyse VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats
- File systems: Windows FAT12/16/32, NTFS; Macintosh HFS, HFS+; Sun Solaris UFS, ZFS; Linux EXT2/3; Reiser; BSD FFS, FreeBSD's Fast File System 2 (FFS2) and FreeBSD's UFS2; Novell's NSS and NWFS; IBM's AIX jfs, JFS and JFS with LVM8; TiVo Series One and Two; CDFS; Joliet; DVD; UDF; ISO 9660; and Palm
AccessData's Forensic Toolkit Features
- Supported file systems and image formats (AccessData Corp.): FTK can analyse the following types of file systems and image formats:
- File systems: FAT 12, FAT 16, FAT 32, NTFS, Ext2, Ext3
- Hard disk image formats: EnCase, SnapBack, Safeback 2.0 and under, Expert Witness, Linux DD, ICS, Ghost (forensic images only), SMART
- CD and DVD image formats: Alcohol (*.mds), CloneCD (*.ccd), ISO, IsoBuster CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif), Virtual CD (*.vc4)
Features and Benefits:
- Create a bit-stream copy of the disk, including the hidden HPA section (patent pending), to keep the original evidence intact for analysis.
- Search the entire disk space, or the files contained on the disk, and perform a complete forensic analysis of Windows NT/2000/XP alternate data streams and HPA sections.
- Preview all files, including the metadata of hidden or deleted files, without altering the data on the disk.
- Uses the popular UNIX dd image format to maintain compatibility with multiple tools, and can read and write both dd and E01 images.
- Support for VMware to run a captured image.
- Analyse cluster slack space to make sure there is no data or information hidden in it.
- Automatically generate and record MD5, SHA1 or SHA256 hashes to prove data integrity.
- Use user-provided or National Drug Intelligence Center Hashkeeper database information to positively identify files.
- Examine FAT12, FAT16, FAT32 and all NTFS file systems, including Dynamic Disk and Software RAID, for maximum flexibility.
- Examine Sun Solaris UFS file systems and Linux ext2/ext3 file systems.
- Integrated graphics, Internet and event history log viewers and registry viewers ease the investigation process.
- Integrated viewer to examine .pst/.ost and .dbx e-mail files.
- Use Perl scripts to automate the investigation process.
- Extracts EXIF information from JPEG files to identify file creators.
- Automated report generation in XML format saves time and improves accuracy and compatibility.
Easy to get started with, with integrated Help and a graphical interface that is easy to use and secure.
I have used three forensic toolkits. They are Guidance Software's EnCase, AccessData's Forensic Toolkit and ProDiscover. These three toolkits are professional toolkits for computer forensics. All three are ready to use at enterprise level. I have found that the toolkits have different GUIs. EnCase can analyse most file structures, already deleted files and most file systems. The other two can analyse these too. I am analysing the same evidence device with all three of these. EnCase is the fastest at analysis of the three. The second fastest toolkit is ProDiscover and the last is AccessData's Forensic Toolkit.
But AccessData's Forensic Toolkit has the most functions of these toolkits. It can analyse the most things, such as FAT32, NTFS, EXT3, EXT4, CDFS, and some others. It can report case and evidence events, error messages, bookmarking events, searching events, data carving/Internet searches and other events. Not only these reports, but MD5 hashes, SHA1 hashes and other kinds of hash values can be produced. AccessData's FTK toolkit can perform like the other toolkits, and it can process things the others cannot, such as storing thumbnails and KFF ignorable files.
I want to use AccessData's Forensic Toolkit for my lab, because it can process many things and many file systems, and it can also produce most kinds of report forms.
I am using AccessData's Forensic Toolkit to analyse CDFS, FAT32 and NTFS file systems.
[Figures for the CDFS file system: file system CDFS; analysing the CDFS; FTK report for CDFS; file overview in report; evidence list in report]
[Figures for the FAT32 file system: file system FAT32; analysing the FAT32; case information in report; file overview in report; evidence list in report]
[Figures for the NTFS file system: file system NTFS; analysing the NTFS; case information in report wizard; file overview in report wizard; evidence list in report wizard]
Creating a bitmap image file and generating its MD5 hash value
[Figures: creating a bitmap with MS Paint; opening the original bitmap image with an image viewing utility; generating the MD5 hash value for the original file using Hex Workshop]
The original bitmap image file's MD5 hash value is 7A237D3015190AF74EC3AC1D0B538320
Modifying the bitmap file and regenerating the MD5 hash value
[Figures: opening the modified bitmap file with an image viewing utility; generating the MD5 hash value for the modified file using Hex Workshop]
The modified bitmap image file's MD5 hash value is 95661FD83ABF0792A69EC25A3F9103A6
Comparison of the original and modified bitmap image files' MD5 hash values
[Figure: original bitmap image file MD5 hash value; modified bitmap image file MD5 hash value]
Creating a doc file and generating its MD5 hash value
[Figures: creating a doc file using Microsoft Office; generating the MD5 hash value for the original doc file using Hex Workshop; modifying the original doc file; generating the MD5 hash value for the modified doc file with Hex Workshop]
Comparison of the original and modified doc files' MD5 hash values
[Figure: original doc file MD5 hash value; modified doc file MD5 hash value]
Creating an xls file using Microsoft Office
[Figures: creating an xls file using Microsoft Word; generating the MD5 hash value for the original file using Hex Workshop; modifying the xls file using Microsoft Office; generating the MD5 hash value for the modified xls file using Hex Workshop]
Comparison of the original and modified xls files' MD5 hash values
[Figure: original xls file MD5 hash value; modified xls file MD5 hash value]
I have found different MD5 (Message-Digest algorithm 5) hash values for the original file and the modified file.
The MD5 hash is widely used in cryptography. An MD5 hash value is 128 bits. MD5 is used in a wide variety of security applications; it is standardized in RFC 1321. It is also used to check the integrity of files. An MD5 hash value is a 32-digit hexadecimal number. Like a fingerprint or a signature, MD5 serves as an integrity check for data. There is a small possibility of getting two identical hashes for different files. It can be used to compare files for integrity.
In digital life we have many other integrity problems. For example, an e-mail sender and receiver each have a similar image file. We want to know whether they are different without sending the two images to each other. The easy way is to calculate the MD5 hashes of the two image files and compare the values. The MD5 algorithm processes a variable-length message into a fixed-length output of 128 bits. MD5 is a mathematical formula that translates a file into a unique hexadecimal code value, or hash value. If a bit or byte changes, it alters the digital signature, the unique value that identifies a file.
If it is the same as the original signature, the user can verify the integrity of their digital evidence with mathematical proof that the file has not changed. After generating the MD5 hash value, copy the file containing the value to another place.
The length of the hash value depends on the type of algorithm the user is using; its length is not determined by the size of the file. Common hash value lengths are 128 bits or 160 bits.
So we see the original image file's hash value using hash generator tools. This value does not depend on file size. After we have modified the file, the hash value changes because the algorithm reprocesses the file's content and structure. The algorithm outputs the correct value for whatever it is given. In the modified file the content has changed, so the MD5 hash values of the original and modified files are different.
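The hash experiments above and the copy-verification step from the investigation plan, carried out in code as an added example (not part of the original assignment): the BMP is constructed in memory rather than drawn in MS Paint, and the "short message" is appended bytes, so the sizes and digests are those of this constructed sample only.

```python
# Added example (not from the original assignment): computing MD5 and SHA-1 of
# a file, verifying a forensic copy, and showing that changing or appending even
# a short message changes the hash while the hash length stays fixed.
# The BMP bytes are constructed in memory; no real evidence file is used.
import hashlib
import struct


def build_bmp(width, height, colour=b"\xff\x00\x00"):
    """Construct a minimal 24-bit uncompressed BMP filled with one colour (constructed sample)."""
    row = colour * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # BMP rows are padded to 4-byte boundaries
    pixels = row * height
    header_size = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", header_size + len(pixels), 0, 0, header_size)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def file_hashes(data):
    """Return what an examiner records for a file: size, MD5 (128 bits) and SHA-1 (160 bits)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),    # 32 hex digits regardless of size
        "sha1": hashlib.sha1(data).hexdigest(),  # 40 hex digits regardless of size
    }


def verify_copy(original, copy):
    """Compare hash signatures of the original media and its copy (both must match)."""
    a, b = file_hashes(original), file_hashes(copy)
    return a["md5"] == b["md5"] and a["sha1"] == b["sha1"]


def append_message(data, message):
    """Simulate inserting a short message after the image data, as in the experiments above."""
    return data + message


def flip_one_bit(data, byte_index):
    """Change a single bit; the file size is unchanged but the digest is not."""
    buf = bytearray(data)
    buf[byte_index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    original = build_bmp(4, 4)
    print("original:", file_hashes(original))
    print("with message:", file_hashes(append_message(original, b"hidden note")))
    print("one bit flipped:", file_hashes(flip_one_bit(original, 60)))
    print("copy verified:", verify_copy(original, bytes(original)))
```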
[Figures: bitmap image creation and viewing; original bitmap file's size and hash value; inserting a short message into the bitmap; file size and hash value after inserting the short message]
[Figures: JPEG image file creation and viewing; original JPEG image file size and hash value; inserting a short message into the JPEG file; file size and hash value after inserting the short message]
[Figures: rif image creation and viewing; original rif image file size and hash value; inserting a short message into the rif image file; file size and hash value after inserting the short message]
[Figures: WMF image file creation and viewing; original WMF image file size and hash value; inserting a short message into the WMF image file; file size and hash value after inserting the short message]
An image file contains a graphic, such as a digital photograph, line art, a three-dimensional image, or a scanned reproduction of a printed image. The common image file types are vector images, bitmap images and metafiles. The following list indicates the number of bits used per coloured pixel:
- 1 bit = 2 colours
- 4 bits = 16 colours
- 8 bits = 256 colours
- 16 bits = 65,536 colours
- 24 bits = 16,777,216 colours
Bitmap images store graphic information as grids of individual pixels (short for picture elements). The quality of a bitmap image displayed on a computer monitor is governed by the screen resolution, which determines the amount of detail displayed in the image.
Raster images are collections of pixels, stored in rows to make the images easy to print. In most cases, printing an image converts, or rasterizes, the image so as to print the pixels line by line instead of processing the complete collection of pixels.
Vector images are different from bitmap and raster images. Vector images use lines. A vector file stores only the mathematics for drawing lines and shapes; a graphics program converts the calculations into the appropriate image. Because vector files store mathematical calculations and not images, vector files are generally smaller than bitmap files, thereby saving disk space.
Metafile image files combine raster and vector graphics, and can have the features of both image types. For example, if you scan a photograph (a bitmap image) and then add text or arrows (vector drawings), you create a metafile. Metafiles provide the features of both bitmap and vector files.
Report to prove Naomi's innocence by my investigation
Investigating crimes or policy violations involving e-mail is similar to investigating other types of computer abuse and crimes. My goal is to find the suspect and end the employment of the city employee, building a case according to my assignment.
Nowadays, e-mail is an essential tool for people and it has become one of the essential tools for business. E-mail is used in two environments, through which data and e-mail messages can be distributed from one central server to many connected client computers.
In this case Jezebel at the local city hall contacts the shift supervisor, Benbber, with a complaint of harassment using the city's e-mail system. The goal is to find the suspect according to the case. We have to interview both Jezebel and Naomi, not only about themselves but also about the offending e-mail messages, and ask them to provide the messages for us to review for this case. When we interview Naomi, she denies that she did anything wrong and claims that she is being set up. First, we need to investigate the victim's computer to recover the evidence that is contained in the e-mail. If possible, we need physical access to the victim's computer and we must use the e-mail program on that computer so that we can find a copy of the offending e-mail messages that the victim received.
Before we start e-mail investigations, we need to copy and print all the e-mail messages and related files of the crime or policy violations. We may need to forward messages to another e-mail address depending on our department's guidelines. After copying the data, we print the e-mail messages using the e-mail program that created them, and we find the e-mail header to gather supporting evidence and eventually track the suspect to the originating location of the e-mail by its domain address or IP address. The date and time the message was sent, the file names of any attachments and the unique message number of the message can be supplied for our investigation, because knowing the date and time we know when it was sent and can check who was using the computer at that time.
After copying and printing the e-mail messages, we need to use the e-mail program to find the e-mail header, which can provide supporting evidence and eventually track the suspect to the originating location of the e-mail by finding the originating e-mail domain address or IP address. The date and time can be helpful to know at what time the message was sent, as well as the file names of any attachments, the unique message number of the message and what IP address they are using. When we find the originating e-mail address, we can trace the message to the suspect by doing a reverse lookup. We have done the IP and e-mail header tracing and we cannot find any evidence of Naomi's offence.
By following these procedures, we show that Naomi is innocent by presenting our investigation report at the court.
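The header examination described in the last two paragraphs, as an added example (not part of the original assignment): the e-mail below is constructed, with placeholder host names on the .invalid domain and documentation IP addresses, and the code extracts the date, message number, attachment names and the originating IP address from the Received chain.

```python
# Added example (not from the original assignment): pulling the header fields an
# examiner records from an e-mail (Date, Message-ID, attachments) and walking the
# Received headers back to the originating IP address. The message is constructed;
# host names (.invalid) and addresses (192.0.2.x, 198.51.100.x) are placeholders.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: two relay hops. Each hop prepends a Received header, so the
# originating client appears in the LAST Received header, not the first.
SAMPLE_EMAIL = """\
Received: from mail.example-city.invalid (mail.example-city.invalid [192.0.2.10])
\tby mx.example-city.invalid with ESMTP id ABC123; Mon, 05 Jul 2010 09:15:02 +0630
Received: from workstation-17.example-city.invalid (workstation-17 [198.51.100.17])
\tby mail.example-city.invalid with SMTP; Mon, 05 Jul 2010 09:14:58 +0630
Message-ID: <constructed-0001@mail.example-city.invalid>
Date: Mon, 05 Jul 2010 09:14:50 +0630
From: sender@example-city.invalid
To: recipient@example-city.invalid
Subject: constructed sample
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

sample body
--B
Content-Type: application/octet-stream; name="note.txt"
Content-Disposition: attachment; filename="note.txt"

aGVsbG8=
--B--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the bracketed IP of each Received header, newest hop first."""
    msg = message_from_string(raw)
    chain = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        chain.append(m.group(1) if m else None)
    return chain


def originating_ip(raw):
    """The oldest (last) Received header names the host that first handed the message in."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def evidence_summary(raw):
    """Fields the investigation records: date/time sent, message number, sender, attachments, origin."""
    msg = message_from_string(raw)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "message_id": msg["Message-ID"],
        "from": msg["From"],
        "attachments": attachments,
        "originating_ip": originating_ip(raw),
        "relay_path": received_chain(raw),
    }


if __name__ == "__main__":
    for key, value in evidence_summary(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Only the last hop before the examiner's own server can be trusted; earlier Received lines are written by whatever host submitted the message, which is why the chain is recorded in full rather than only its final entry.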