Assessment Details and Submission Guidelines
Homework 2 (Individual Assessment)
Validating and Testing Computer Forensics Tools and Evidence
Purpose of the assessment (with ULO Mapping)
This assignment assesses the following Unit Learning Outcomes; students should be able to demonstrate their achievements in them.
a. Document evidence and report on computer forensics findings;
c. Exhibit and understand forensics ethical behaviour and professional conduct;
d. Implement a process to support the administration and management of computer forensics.
The objectives of this assignment are to gain theoretical and practical knowledge and skills in different computer forensics and anti-forensics techniques such as image acquiring, analysis of email headers, temporary internet files and low-level text search of entire contents of the computer hard drive. The students should apply appropriate computer forensics tools and techniques, and write a report on their findings. Marks will be awarded based on the sophistication and in-depth exploration of the selected techniques.
A suspect was under investigation by police for a serious offence. The suspect based his innocence on an alibi stating that he could not have been present at the scene of the crime, as he was at work using his computer to surf the internet when the crime took place. The validity of this alibi was questioned. Computers were forensically imaged and examined. Five sources of information were used to identify user activity: file data and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Analysis of times and dates in email headers on the computer and the server failed to show any activity for the specific times. Examination of temporary internet files revealed that none had been created with the relevant time stamps. A low-level text search was conducted across the entire contents of all the computer hard drives to locate any reference to these critical dates. No records or text references could be found in any area of the hard drives to support use of the computer at the times in question. In conclusion, the analysis strongly indicated that the computer was not used during the critical period. This was corroborated by records from the suspect’s Internet Service Provider (ISP). The individual was convicted at trial of the criminal offence. The electronic evidence was a key factor in the proceedings.
Prepare a report and video demonstration on the following sections related to the case study. You can use your own files for data hiding and analysis. Provide the list of references using IEEE referencing style at the end of the report.
Section 1: Forensic imaging and examinations
Do an Internet search to list out effective tools for the above case study. Choose one of the tools to examine the forensic image and explain with screenshots how the tool can be useful. (250 words)
Section 2: Forensic analysis and validation
Write a report describing the procedures to retrieve the evidence with your selected forensics tools. Explain how to identify and analyse file data and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Also explain how temporary internet files and the low-level text search were carried out in this investigation. (500 words)
Section 3: Anti-forensics
Research anti-forensics techniques and write a report on your findings on these techniques. Compare the pros and cons of these techniques in different contexts. Use one of the anti-forensic techniques on your files and explain how useful it is. Please explain your methods with the help of screenshots. (750 words)
Demonstrate your work. You should appear in the video (YouTube or similar) for the first and last 30 seconds to introduce yourself and draw a conclusion on your experience with the different computer forensics and anti-forensics techniques.
We conducted an internet search to find the most useful forensic imaging and examination tools. Many tools are available, some free and some paid. Of these, Autopsy (The Sleuth Kit) appears the most appropriate for this scenario, as it offers the features needed to locate program logs, internet artifacts, timestamps and the other clues the case requires. Autopsy is one of the most popular forensic examination tools and is used by many forensic investigators. It is designed to analyse disk images and to conduct in-depth analysis of the file system to find evidence. It combines the functionality of many other tools behind a better interface and is intended to locate different artifacts as a good starting point for an investigation. It is available for both Linux and Windows systems and can be downloaded for free, can be seen at .
The figure above shows the Autopsy tool with a forensic case image added. It provides a graphical interface for finding artifacts in the added forensic image file. Its distinctive features include timestamp analysis, hash checking, file system analysis and a keyword search option with default settings. Multiple forensic images can also be added to a single case. Some key features of Autopsy are its graphical interface, registry view, email analysis and support for many types of file systems; it can also extract details and data from logs, contacts and Word files and analyse them, can be seen at .
Autopsy is a free digital forensic tool with a graphical interface that is easy to use for most forensic investigators, such as military, law enforcement agencies and corporate analysts involved in forensic investigation procedures. Because the tool is free, it can also be used to recover personal files such as photos or other important files from a hard disk, memory card or USB drive. Because it is extensible, many third-party modules are available for it. These modules cover timestamp analysis, hash checksums, web, internet and email artifacts, and carving of data and multimedia content, can be seen at . Autopsy has two analysis modes: dead analysis and live analysis. Dead analysis is performed when a dedicated disk or image is available to examine; live analysis is performed on a running system. We are going to perform a dead analysis on a forensic test image. Here are the steps, with all the relevant findings, according to the provided case study and requirements –
Create case – as the first step, we create a case to start the examination of the forensic disk. A disk image is then added to the case, and Autopsy starts an ingest to retrieve the data from the forensic image.
Data and time properties – when the disk image is added, the tool shows all the files and data contained in it, as shown in the figure below.
This gives a detailed hierarchical file structure of the forensic disk, showing all the partitions and other contents of the system's hard disk. When scrolling through files, the file metadata view shows the time properties of the selected file together with its size, path, MD5 hash and complete timestamps. A particular file can also be extracted to the local hard drive by right-clicking it and choosing Extract.
Program log files – from the ingested hierarchy, go to Program Files (x86). It shows a list of installed programs with their modified, changed, last accessed and created times, from which the last use of a particular program can be estimated.
Email data files – email data is retrieved by Autopsy itself and shown as an individual artifact in the file hierarchy. All email data can be viewed with the full message and its properties to find any evidence, as shown in the figure below.
Internet usage data – Autopsy automatically searches for and shows internet usage data in the file hierarchy. Here we can see web bookmarks, web cookies, web downloads, web history and web searches with detailed timestamps, accessed URLs and search text, as shown in the figure below.
Text file searches – all types of files, such as HTML, Office, PDF and text files, are retrieved by Autopsy and shown in the file hierarchy, with their names, location on the disk, complete timestamps, metadata and the text they contain.
Temporary internet files and low-level text search – temporary internet files are shown as web cookies, searches, bookmarks, etc. in the right-side panel of the tool, as discussed in the previous section. To perform a low-level keyword search, use the Keyword Search option in the top-left corner: type a keyword and run the search for it.
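The low-level keyword search used in the case study is, underneath, a byte-for-byte sweep of the whole image that does not depend on the file system still listing a file. The following is an added example, not part of the original report and not Autopsy's own code: it implements such a sweep in Python over a constructed sample image, looking for critical-date strings in several formats, in plain ASCII and in the UTF-16LE encoding many Windows artifacts use, and reports the byte offset and sector of every hit. The date formats, the critical dates and the sample contents are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Date formats swept for; the critical dates in the sample are constructed for this demo.
DATE_PATTERNS = [
    rb"\b\d{2}/\d{2}/\d{4}\b",
    rb"\b\d{4}-\d{2}-\d{2}\b",
    rb"\b\d{1,2}\s+(?:January|February|March|April|May|June|July|August|"
    rb"September|October|November|December)\s+\d{4}\b",
]

@dataclass
class Hit:
    offset: int     # byte offset in the image
    sector: int     # 512-byte sector holding it (no file-system parsing needed)
    encoding: str   # "ascii" or "utf-16le"
    text: str       # the matched date
    context: str    # surrounding bytes for the report

def _narrow(image: bytes, align: int) -> bytes:
    """Project UTF-16LE text to one byte per code unit: keep the low byte when the
    high byte is zero, else emit 0xFF, which no pattern matches."""
    return bytes(l if h == 0 else 0xFF
                 for l, h in zip(image[align::2], image[align + 1::2]))

def search_image(image: bytes, sector_size: int = 512) -> "list[Hit]":
    """Byte-for-byte sweep of the whole image, so slack space, unallocated clusters
    and deleted fragments are covered, not just files the file system still lists."""
    views = [("ascii", image, 0, 1),                 # plain text, one byte per char
             ("utf-16le", _narrow(image, 0), 0, 2),  # wide text starting on even offsets
             ("utf-16le", _narrow(image, 1), 1, 2)]  # ... and on odd offsets
    hits = []
    for enc, buf, base, step in views:
        for pat in DATE_PATTERNS:
            for m in re.finditer(pat, buf):
                off = base + step * m.start()
                ctx = buf[max(0, m.start() - 12):m.end() + 12]
                ctx = ctx.replace(b"\xff", b".").replace(b"\x00", b".").decode("latin-1")
                hits.append(Hit(off, off // sector_size, enc, m.group().decode(), ctx))
    return sorted(hits, key=lambda h: h.offset)

def build_sample_image() -> bytes:
    """Constructed image (not case data): null filler, an ASCII log line, a UTF-16LE
    browser-history fragment on an odd offset, a near-miss decoy and a memo."""
    log = b"[session] login 14/03/2019 09:02 user=jdoe\n"
    history = "Visited: news site on 2019-03-14 at 09:15".encode("utf-16-le")
    decoy = b"serial 1403/2019-03 not a date"
    memo = b"\nmemo: meeting 14 March 2019\n"
    return b"\x00" * 600 + log + b"\xff" * 40 + history + b"\x00" * 300 + decoy + memo
```

Running `search_image(build_sample_image())` returns three hits (ASCII at offset 616, UTF-16LE at 727, ASCII at 1110) and nothing for the decoy, which is the kind of result that would be mapped back to files or unallocated space in the report.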
Section 3: Anti-forensics
Anti-forensic techniques are methods used by cyber criminals to make the collection of evidence and the analysis of contents with forensic tools harder. The main purpose of an anti-forensic technique is to make digital forensic analysis of the media difficult or impossible, or to destroy the evidence. Using anti-forensic tools, cyber criminals can perform a wide variety of activities, such as deleting web history, cache data, cookies and other footprints. These techniques are mainly used to hide or remove evidence and to hamper forensic analysis. There are many such methods, which can be seen at   –
From the anti-forensic techniques discussed above, we chose steganography to hide secret data inside an image file, using the tool Quick Stego. This tool is free to use and hides text in a picture; only another user who has Quick Stego can retrieve the message hidden in that picture. When text is hidden in a picture, the picture looks like a normal picture and loads like a normal picture file for the recipient, or for a forensic analyst during an investigation, can be seen at .
To use this tool, we download a picture and save it to the local drive. We also need a text file containing the secret text. The steps to perform steganography with the Quick Stego tool are as follows, can be seen at  –
This steganographic file can now be sent to anyone with the secret message hidden inside it.
To get the secret message, open this file with Quick Stego and click Get Text. The secret text message appears in the left-side panel.