Midhurst Mobile Games is a company dealing with the production of games for mobile devices. Jonathan has been working with the firm for the last 3 years. His co-workers report to the supervisor that Jonathan has been spending his time on his friend William's private business in the company's time, and has been diverting his employer's business to his friend's company. The IT department of the company has been alerted about this case and wants to pursue a systematic investigation of the company's policy violation case. The IT department assigns you to be the computer forensics investigator and requires you to do the following:
i) Write a report (approximately 300 words) covering:
- The reasons for a need for computer forensic investigation in the given case. (5 Marks)
- The steps you would take to pursue the investigation. (5 Marks)
ii) You are asked to conduct a search of the offices of Midhurst Mobile Games to find evidence of the suspected breach of trust by the employee.
- Write a report (approximately 300 words) outlining the procedures you have to follow to make sure the evidence holds up in court. (7 Marks)
- Create your own evidence form which would be considered valid in a court of law. (8 Marks)
(i)(a) The reasons for a need for computer forensic investigation
Midhurst Mobile Games is a company that produces games for mobile devices. Jonathan has worked with the company for the past 3 years. His colleagues have reported to the supervisor that Jonathan spent company time on his friend William's private business and diverted his employer's business to his friend's company. The corporate IT department has been alerted to this matter and wishes to pursue a systematic investigation of the violation of company policy. The IT department assigned me to be the computer forensics investigator.
Adding the ability to practise computer forensics helps ensure the overall integrity and survivability of the company's network infrastructure. I can help the organization by treating computer forensics as a basic element of what is known as a "defense in depth" approach to network and computer security. For example, understanding the legal aspects and the techniques of computer forensics will help me capture vital information if the network is compromised, and will help me pursue the matter if the intruder is caught.
(i)(b) Steps to pursue the investigation of Jonathan's case:
I will obtain permission to investigate from the owner of the Midhurst Mobile Games company.
I will check the company's e-mails, including the e-mails of Jonathan and his co-workers.
I will check the chat history of Jonathan and his co-workers.
I will investigate Jonathan's browsing history.
I will investigate the communication between Jonathan and his friend William, and the communication between Jonathan and his co-workers.
I will detect attacks from intruders by using automated tools and by manually monitoring the network firewall logs.
I will investigate whether an unauthorized user has used the company network, trace the location of that user and block the user's access.
I will enquire with the co-workers who reported Jonathan's abuse of company time.
I will also enquire with Jonathan himself.
(ii)(a) Outlining the procedures I have to follow to make sure the evidence holds up in court
The applications in daily use are complex, which makes finding digital evidence and maintaining its integrity a time-consuming challenge. In fact, investigators are often confronted with cases where the information has been destroyed or is buried too deeply in the system for easy extraction. The computer forensic investigator's job is to understand the process for finding what seems impossible to find, and then to protect it.
Of course, computers are the main source of digital evidence, but they are not the only devices that store information electronically. Criminals know this all too well, which explains why they also make use of CDs, voice mail systems and USB devices. Even copy machines and fax machines are now manufactured with hard drives and memory. Therefore, as criminals have expanded their interest in retrieving confidential information, the computer forensic investigator on their tail has to work harder to stop them in their tracks.
The procedures I have to follow to ensure that the evidence holds up in court are as follows.
Collect, with proper authorization, the evidence of the company policy violation from Jonathan's computer and mobile phone.
Back up files and the Google Talk and VZO chat history.
Record the Yahoo Mail and Gmail history files.
Collect the Internet history files.
Save the short messages (SMS) from Jonathan's mobile phone.
Restore data files from the disk and memory of Jonathan's computer.
Create the evidence form needed to verify that the evidence holds up in court.
(ii)(b) Creating my own evidence form which would be considered valid in a court of law
Figure (1.1) : My own evidence form
Depending on whether I am working in law enforcement or in private corporate security, I can design my own evidence form to suit my environment. There are two types of evidence form, the single-evidence form and the multi-evidence form, to meet the administrative needs of my investigation. Here I have used the multi-evidence form.
Figure 1.1 shows my own evidence form, which would be considered valid in a court of law. The form contains the following information:
Case number
The number assigned by the organization when an investigation is initiated (e.g., CN001, CN002, etc.).
Investigating organization
The name of the organization
Investigator
The name of the investigator assigned to this case. If several investigators are assigned, the lead investigator's name is inserted.
Nature of case
A short description of the case
Location where evidence was obtained
The exact location where the evidence was collected
Note: If the multi-evidence form is used, a new form needs to be created for each location.
Description of evidence
A description of the evidence (e.g., hard disk drive, 40 GB; CD-RW, 650 MB).
Note: On a multi-evidence form, a description for each item of evidence acquired needs to be written.
Vendor name
The name of the manufacturer of the computer evidence (e.g., Hitachi hard disk drive).
Model number or serial number
The model number or serial number of the computer component needs to be listed.
Evidence recovered by
The name of the investigator who recovered the evidence. The chain of custody for the evidence starts with this information.
Date and time
The date and time the evidence was taken into custody. This information establishes exactly when the chain of custody starts.
Evidence placed in locker
Indicate which secure evidence container (locker) is used to store the evidence and when the evidence was placed in it.
Evidence processed by item number
When the evidence stored in the evidence locker is analyzed, the name of every person who handled and processed it has to be recorded.
Item #/Evidence processed by/Disposition of evidence/Date/Time
Any authorized investigator who takes an item from the evidence locker for processing and analysis has to list the specific item number and his/her name, and then describe what was done to the evidence.
Page
The forms used to catalog all evidence for each location should have individual page numbers. The page number and the total number of pages associated with this group of evidence need to be indicated. (e.g., Page 1 of 2, Page 2 of 2)
Task 2
You have access to PCs with MS Windows XP and Ubuntu Linux. You need to conduct a thorough study and produce a report with necessary screen dumps covering the following:
The way the data is stored in Windows and Linux systems. (10 Marks)
The boot tasks and start-up tasks for Windows and Linux systems. (10 Marks)
I have access to PCs with MS Windows XP and Ubuntu Linux. I need to conduct a thorough study and produce a report with necessary screen dumps covering:
i) The way the data is stored in Windows and Linux systems.
File systems under Windows
Hierarchical file system
The hierarchical file system was a substantial part of Research Unix; previous implementations were restricted to only a few directory levels.
Secure access
Secure access can be based on a scheme of access control lists or capabilities. Research has shown that access control lists are difficult to configure correctly. Today's commercial file systems still use access control lists.
Disk file systems
A disk file system is a file system designed for the storage of files on a disk that may be directly or indirectly connected to the computer.
Flash file systems
A flash file system is a file system designed to store files on flash memory devices. These are becoming more common as the number of mobile devices increases.
Database file systems
A database file system is based on a new concept for file management: files are identified by their characteristics rather than by their position in a hierarchy.
Transactional file systems
Each disk operation may involve changes to a number of different files and disk structures. In many cases these changes are related, meaning that it is important that all of them are carried out together. Transaction processing provides the assurance that at any point in time a transaction is either completely finished or not applied at all. This means that after a power failure and recovery, the stored state will be consistent.
Network file systems
A network file system is a client for a remote file access protocol, providing access to files on a server.
Shared disk file systems
A shared disk file system is one in which a number of machines all have access to the same external disk subsystem.
Special purpose file systems
A special purpose file system is neither a disk file system nor a network file system. This includes systems where the files are arranged dynamically by software.
File systems and operating systems
Most operating systems provide a file system, and the file system is an integral part of any modern operating system.
Flat file systems
A flat file system has no subdirectories; all files are stored at the same level on the media (a hard disk, floppy disk, etc.). It is deliberately simple so that users can customize how their data is stored. Buckets and objects are the only constructs. Allowing any character in an object's name, together with the ability to select subsets of a bucket's contents, provides more advanced file management.
File systems under Linux
The Linux operating system supports many different file systems, such as ext2, ext3, ext4 and so on. The open-source Linux operating system has always been a target for implementing, testing and using different file system concepts. The most popular Linux file systems nowadays are:
Ext2/Ext3
These file systems are actively developed and improved. Ext3 is an extension of Ext2 that uses transactional (journaled) file write operations with a so-called journal. This file system is very often used as the 'root' file system for Linux installations.
ReiserFS
An alternative Linux file system whose main purpose is to store huge numbers of small files. It has good file search capability and allows file allocation to be 'compacted' by storing file tails or small files along with the metadata, instead of using large file system blocks for them.
XFS
The file system originally used by SGI for its IRIX servers. The XFS specifications are now open, and the file system has been implemented in Linux. XFS has excellent performance and is therefore widely used as a file system for storing files.
A common property of most Linux file systems is that the file name is not considered a file attribute; it is designed as an alias for a file in a specific directory. The reason is the concept of "hard links" used in this kind of operating system: a file object may be linked from many places, even several times from the same directory under different names. This is one reason why recovering the names of files after deletion or file system damage may be difficult or impossible.
ii) The Boot tasks and Start up tasks for Windows and Linux systems.
Booting process for Windows
When you turn on your PC, it goes through a sequence of startup processes. It begins when the computer performs the POST (power-on self-test), followed by the POST of each adapter card that has its own BIOS. The BIOS then reads the Master Boot Record (MBR) in the first sector of the first hard disk and transfers control to the code in the MBR, which is written when Windows XP is installed.
The MBR code reads the boot sector, which is the first sector of the active partition. This sector contains the code that starts NTLDR, the bootstrap loader for Windows XP. The primary role of NTLDR is to switch the processor to 32-bit flat memory mode, start the file system, read boot.ini and set up the boot menu.
Selecting XP from the boot menu causes NTLDR to run Ntdetect.com, which gathers information on the installed hardware. NTLDR then uses the ARC path specified in boot.ini to find the boot partition. NTLDR reads the registry files, selects a hardware profile and control set, and loads device drivers, in that order. Then Ntoskrnl.exe takes over and starts winlogon.exe, which in turn starts lsass.exe; winlogon.exe displays the Welcome screen and allows the user to log in with their username and password.
Figure [2.1]: Boot process for Windows
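As an added example (not part of this report), the following Python parses a constructed Master Boot Record to find the active partition whose boot sector the MBR code loads, as described above. The partition values are made up for the demonstration.

```python
import struct
from typing import List, Optional

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
ACTIVE_FLAG = 0x80               # status byte marking the bootable (active) partition
TABLE_OFFSET = 446               # the MBR boot code occupies bytes 0-445


def parse_mbr(sector: bytes) -> List[dict]:
    """Decode the four 16-byte primary partition entries from a 512-byte MBR."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        entries.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,              # 0x07 = NTFS, 0x83 = Linux, 0x00 = unused entry
            "lba_start": lba_start,     # first sector of the partition, i.e. its boot sector
            "sectors": sectors,
        })
    return entries


def active_partition(sector: bytes) -> Optional[dict]:
    """The partition whose first sector the MBR code reads next; None unless exactly one is active."""
    active = [e for e in parse_mbr(sector) if e["active"]]
    return active[0] if len(active) == 1 else None


def boot_sector_offset(sector: bytes) -> Optional[int]:
    """Byte offset on disk of the active partition's boot sector (where the NTLDR loader code lives)."""
    part = active_partition(sector)
    return None if part is None else part["lba_start"] * SECTOR_SIZE


def build_mbr(partitions) -> bytes:
    """Constructed MBR for testing: zeroed boot code, a partition table and the signature."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\0")
    return b"\0" * TABLE_OFFSET + table + MBR_SIGNATURE


# Constructed sample: an active NTFS partition starting at sector 63 and an inactive Linux partition.
SAMPLE_MBR = build_mbr([(0x80, 0x07, 63, 20964762), (0x00, 0x83, 20964825, 4194304)])

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
    print("boot sector at byte offset", boot_sector_offset(SAMPLE_MBR))
```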
Startup Tasks for Windows
IO.SYS
This is the first file loaded after the ROM bootstrap loader finds the disk drive. IO.SYS then resides in RAM and provides the basic input and output services for all MS-DOS functions.
MSDOS.SYS
This file is the second program loaded into RAM, immediately after IO.SYS. In the original MS-DOS, MSDOS.SYS is the actual kernel, not a text file.
COMMAND.COM
COMMAND.COM for MS-DOS provides the internal DOS commands.
CONFIG.SYS
This is a text file containing commands that are typically run only at system startup. These commands customize the computer's configuration.
AUTOEXEC.BAT
This is an automatically executed batch file that contains customized settings for MS-DOS. In this batch file we can define the default path and set environment variables such as the temporary directory.
Figure [2.2]: Starting Windows XP
Figure [2.3]: Windows log on
Booting process for Linux
As with any other operating system, when you turn on the power of a Linux workstation, instruction code located in firmware is loaded by the CPU into the system's RAM. This firmware is called resident code.
Once the resident code is loaded into RAM, it checks the hardware. Typically the code first tests all components, such as the RAM chips, to ensure they are available and able to run the startup program. When it locates a boot device such as a hard disk, a floppy or a CD, it begins reading the boot program into memory. The boot loader in turn reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel.
Once the kernel has finished loading, it identifies the root directory, the paging file system and the dump files. It also sets the host name and time zone, performs consistency checks on the file systems, mounts all partitions, starts the network service daemons, sets up the network interface card (NIC), and establishes user and system accounts and quotas.
Figure [2.4]: Linux boot process
Startup Tasks for Linux
In UNIX and Linux, everything is a file, including disk drives, the workstation screen, attached tape drives, network interfaces, system memory, and the actual files and directories. All UNIX files are defined as objects, which means that a file, like an object in an object-oriented programming language, has properties and methods (actions such as writing, deleting and reading) that can be performed on it.
Linux consists of four components that define the file system: the boot block, the superblock, the inode blocks and the data blocks. A block is a unit of disk allocation ranging in size from 512 bytes upwards. The boot code is located in the boot block. A UNIX or Linux computer has only one boot block, located on the main hard drive. The superblock contains vital information about the system and is considered part of the metadata.
When reviewing Linux disk structures, the superblock indicates the disk geometry, the available space, and the location of the first inode. It also keeps track of all the inodes. Linux maintains multiple copies of the superblock at various locations on the disk to avoid losing this vital information.
The superblock manages the Linux file system, including configuration information about the file system such as the block size for the disk drive, the file system name, the blocks reserved for inodes, the free inode list, the start of the free block chain, the volume name, the last update time and the last backup time.
The first data after the superblock on a Linux file system are the inode blocks. An inode is assigned to every file allocation unit. As files or directories are created or deleted, inodes are also created or deleted. The link between the inodes and the files and directories they are associated with controls access to those files or directories.
The final component of the Linux file system is the data block. Typically a data block consists of 4096 or 8192 bytes, made up of clusters of hard disk sectors. Inodes provide the mechanism that links to the data stored in the data blocks. The block is the smallest amount of data that can be allocated in a Linux file system; the size of the block depends on how the disk volume was initialized.
The Linux Ext2 file system (Ext2fs) and Ext3 file system (Ext3fs) are improvements over the original Ext file system implemented when Linux was first released. One significant improvement in Ext3fs is that it adds linking information to each inode.
Figure [2.5]: Linux start up
Figure [2.6]: Ubuntu Linux
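As an added example (not part of this report), the following Python decodes the superblock fields discussed above from a constructed ext2/ext3 superblock and works out where Linux keeps the backup copies of the superblock. The field offsets are those of the on-disk ext2 superblock layout; the sample values are made up.

```python
import struct
import uuid
from datetime import datetime, timezone
from typing import List

EXT2_SUPER_MAGIC = 0xEF53
PRIMARY_SUPERBLOCK_OFFSET = 1024       # the primary copy always starts 1 KiB into the volume
FEATURE_COMPAT_HAS_JOURNAL = 0x0004    # set on Ext3 (journaled) volumes
FEATURE_RO_COMPAT_SPARSE_SUPER = 0x0001


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields the text above lists: block size, inode counts, free lists, name and times."""
    if len(sb) < 136:
        raise ValueError("superblock too short")
    (inodes, blocks, reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags_per_group, inodes_per_group, mtime, wtime = struct.unpack_from("<5I", sb, 32)
    mnt_count, max_mnt_count, magic, state = struct.unpack_from("<HhHH", sb, 52)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("bad magic 0x%04X: not an ext2/ext3 superblock" % magic)
    inode_size, = struct.unpack_from("<H", sb, 88)
    compat, _incompat, ro_compat = struct.unpack_from("<3I", sb, 92)
    return {
        "block_size": 1024 << log_block_size,       # block size is stored as a shift of 1 KiB
        "inodes_count": inodes,
        "blocks_count": blocks,
        "reserved_blocks": reserved,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "inode_size": inode_size,
        "cleanly_unmounted": state == 1,
        "mount_count": mnt_count,
        "max_mount_count": max_mnt_count,
        "last_mount": datetime.fromtimestamp(mtime, timezone.utc),
        "last_write": datetime.fromtimestamp(wtime, timezone.utc),   # the "last update time"
        "has_journal": bool(compat & FEATURE_COMPAT_HAS_JOURNAL),
        "sparse_super": bool(ro_compat & FEATURE_RO_COMPAT_SPARSE_SUPER),
        "uuid": str(uuid.UUID(bytes=sb[104:120])),
        "volume_name": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def _is_power_of(n: int, base: int) -> bool:
    while n > 1 and n % base == 0:
        n //= base
    return n == 1


def superblock_copy_offsets(info: dict) -> List[int]:
    """Byte offsets of every superblock copy: the primary plus the backups at block group starts."""
    group_count = -(-info["blocks_count"] // info["blocks_per_group"])   # ceiling division
    groups = list(range(group_count))
    if info["sparse_super"]:   # only groups 0, 1 and powers of 3, 5 and 7 carry a backup copy
        groups = [g for g in groups if g <= 1 or any(_is_power_of(g, b) for b in (3, 5, 7))]
    offsets = []
    for g in groups:
        first_block = info["first_data_block"] + g * info["blocks_per_group"]
        offsets.append(PRIMARY_SUPERBLOCK_OFFSET if g == 0 else first_block * info["block_size"])
    return offsets


def build_sample_superblock() -> bytes:
    """Constructed Ext3 superblock with 4 KiB blocks (not taken from a real disk)."""
    sb = bytearray(1024)
    struct.pack_into("<7I", sb, 0, 65536, 262144, 13107, 200000, 65000, 0, 2)
    struct.pack_into("<5I", sb, 32, 32768, 32768, 8192, 1234567890, 1234571490)
    struct.pack_into("<HhHH", sb, 52, 3, -1, EXT2_SUPER_MAGIC, 1)
    struct.pack_into("<H", sb, 88, 128)
    struct.pack_into("<3I", sb, 92, FEATURE_COMPAT_HAS_JOURNAL, 0, FEATURE_RO_COMPAT_SPARSE_SUPER)
    sb[104:120] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    sb[120:136] = b"evidence_vol".ljust(16, b"\0")
    return bytes(sb)


if __name__ == "__main__":
    info = parse_superblock(build_sample_superblock())
    for key, value in info.items():
        print("%-18s %s" % (key, value))
    print("superblock copies at", superblock_copy_offsets(info))
```

On a real image the same parser would be fed the 1024 bytes at offset 1024 of the partition, or one of the backup copies if the primary is damaged.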
Task 3
a) Research the following GUI tools, Guidance Software's EnCase and Access Data's Forensic Toolkit, and compare their features to other products, such as ProDiscover. Create a chart that outlines each tool's current capabilities, and write a 300 word report on the feature set you found to be most beneficial for your lab. (10 Marks)
b) You can use any Forensic Tool Kit. Perform a forensic analysis on any three of the following file systems: FAT12, FAT32, NTFS and CDFS. You need to generate at least two FTK reports using the report wizard. (5 Marks)
3.a Differences between forensics products
Tools compared: EnCase, Access Data Forensics Toolkit, ProDiscover, WinHex Specialist Edition
Easy to use: Best, Best
PRTK function: Best
File & e-mail recovery: Best, Best, Better
Data extraction: Good, Better
File filtering: Best
NTFS compression: Best, Better
Creating an image: Best, Best, Best
Spanning multiple RAID volumes: Best
Advanced language support: Best
Keyword searching: Better, Best
Generating a summary report: (not rated)
Photo recovery: Better, Good
Disk editing: Better, Best
Table 3.1: Comparison of the forensics tools
EnCase
Guidance Software's EnCase pioneered GUI tools for computer forensic investigations and sets the standard for the functionality and quality of computer forensic software. Guidance Software has developed a DOS disk acquisition and preview tool called en.exe, which is part of the EnCase product. En.exe is small enough to fit on a forensic boot floppy disk. En.exe can run predefined keyword searches on a suspect drive; the keywords are created in EnCase under Windows and stored on the floppy disk.
En.exe offers one of the best compression options available today, although it cannot copy disk to disk as other forensic acquisition tools do: both the EnCase GUI and the DOS program en.exe only create disk images of a suspect's drive. EnCase can also acquire a suspect's drive over a network. The suspect's computer can be set up so that the bit-stream copy is made to a disk on a server.
Some features of EnCase:
Extracts messages from Microsoft PST files
Spans multiple Redundant Array of Inexpensive Disk (RAID) volumes
Supports NTFS compression and Access Control List (ACL) of files
Provides advanced language support
Recover deleted files/folders
Access Data Forensics Toolkit
Access Data Forensics Toolkit is an easy to use, intuitive computer forensics software tool with a familiar user interface. It is compatible with Password Recovery Toolkit (PRTK), so that you can create password lists, which are collections of words and strings of characters collected from the evidence. The password list generator gathers these strings into a list that PRTK uses to recover passwords.
Some features of Access Data Forensics Toolkit:
Text indexing to produce instant search results
Data recovery from file systems including NTFS, NTFS compressed, all FAT, and Linux Ext2fs and Ext3fs
E-mail recovery from the leading e-mail services and products along with the recovery of deleted messages
Data extraction from PKZip, WinZip, WinRAR, GZIP, and TAR archive files
File filtering that eliminates known files and bad files, based on NIST, NSRL and Hash Keeper
ProDiscover
Created by Technology Pathways, ProDiscover provides a full line of services for the computing investigator.
Some features of ProDiscover:
Creates an image file of the suspect's disk, and can read the image files it creates
Reads images created with the UNIX or Linux dd command
Accesses a suspect disk through a write-blocking device for previewing purposes
Displays alternative data streams for Windows NT and 2000 NTFS file systems
Integrates Bates numbers for your evidence for recovered data lists
WinHex Specialist Edition
WinHex is a powerful disk editor available in three different versions. The Specialist Edition best suits the computing investigator because it provides many basic computer forensics features and functions in addition to the standard disk editor features. We can use WinHex to inspect and repair data files on a disk. Unlike other disk editors, WinHex can access compact discs (CDs), which allows us to inspect visually how data is written on them.
Some features of WinHex:
Disk cloning
Disk sector imaging with or without compression, an encryption option, and a save set volume size
Saving to a separate data file all file slack space and unallocated space
Keyword searching and text gathering
(b) Analysis and Report creation process using FTK
NTFS
NTFS offers significant improvements over the old FAT file systems. NTFS provides much more information about a file, including security descriptors, file ownership and other file attributes. NTFS also allows more control over files and folders than the older FAT file systems.
FAT12
FAT12 is used specifically for floppy disks and thus has a limited amount of storage. It was originally designed for MS-DOS 1.0, the first Microsoft operating system, which used floppy drives.
FAT32
FAT32 is used on newer operating systems such as Microsoft Windows 95 (second edition), 98, ME, 2000 and XP. FAT32 can access up to 2 terabytes of disk storage.
Analysing the NTFS File system using FTK software
Fig [3-12] - Overview of the NTFS file system
Fig [3-13]- Case information for the NTFS file system
Fig [3-14] - File overview of my NTFS files System
Fig [3-15]- Evidence list of my NTFS files System
Analysing the CDFS File system using FTK software
Fig [3-16]- Overview of the CDFS File System
Fig [3-17]- Case information for the CDFS file system
Fig [3-18]- File overview of my CDFS files System
Fig [3-19]- Evidence list of my CDFS files System
Task 4
a) You need to create a bmp file, doc file and an xls file. Generate MD5 hash values for each of these files. Make modifications in all these files. Regenerate the hash value again and compare the values. (5 Marks)
b) Explain why the hash values are the same or different (approximately 300 words) (5 Marks)
c) You need to create a variety of graphic image files (Bitmap, raster, vector and metafile). Use an image viewing utility and a steganography tool. You will be inserting short messages into each image file. Using any computer forensic software, analyze the hash values. Produce a brief report (approximately 200 words) detailing your findings. (15 marks)
d) Write a report (approximately 300 words) on the differences in these image formats. Include a description of how would you locate and recover these image files, if lost. (5 marks)
4.a MD5 hash value comparison
A Windows bitmap file (.bmp), a Microsoft Excel spreadsheet file (.xls) and a Microsoft Word file (.doc) were created using the MS Paint, Microsoft Excel 2007 and Microsoft Word 2007 applications respectively. The contents of the files are shown in the pictures.
Differences of image files
Bitmap format is a picture file format that stores graphic information as grids of individual pixels (picture elements).
Raster format is also a kind of bitmap format, but it stores the pixels in rows to make the images easy to print. Both bitmap and raster formats show pixelation when enlarged.
Vector format is a picture file format that stores lines, curves, text, ovals and other geometric shapes using mathematical instructions. The pictures in vector file format can be scaled without losing quality.
Metafile format is a combination of bitmap and vector images.
Recovery of image files
The steps to recover image files are as follows:
Identify image file fragments
Reconstruct file fragments
Repair damaged headers
To perform the above steps, the following kinds of tools are used:
Hex editor
Data recovery tool
Picture viewer
In this assignment, Hex Workshop, Drive Spy and IrfanView are used.
Identify image file fragments
The bit-stream copy of the disk from which the image is to be recovered is searched in unallocated file space for the following file header fragments. The Image command is used to create the bit-stream copy. The Output and Search commands and a modified drivespy.ini are used to search and record the result.
Header fragment (hex) | Header fragment (text) | File format                      | Extension
4A 46 49 46           | JFIF                   | Joint Photographic Experts Group | jpg/jpeg
42 4D                 | BM                     | Windows Bitmap graphics          | bmp
47 49 46              | GIF                    | Graphics Interchange Format      | gif
50 4E 47              | PNG                    | Portable Network Graphics        | png
Reconstruct file fragments
After identifying an unallocated file with an image header, the file fragments have to be reconstructed. The cluster found in step one is used as the basis for discovering the linked clusters that hold the picture information. Once all the linked clusters are known, their absolute sector values are calculated and the sectors are saved as a file.
The CFE command is used to search for the linked clusters. The Cluster command is used to view the cluster data and absolute sector position. The SaveSect command is used to save sectors to a file, and the Script command is used to save dispersed sectors to one file (by writing a script file).
Repair damaged headers
The recovered picture is viewed using an image viewer. If the image file is damaged, the file header has to be rebuilt.
The first 6 or 8 hexadecimal values of the file are replaced with the correct values for the respective file header. The following table lists the hexadecimal values of the file headers.
File header (hexadecimal value)   | File type
FF D8 FF E0 00 10 4A 46 49 46 00  | jpg/jpeg
42 4D                             | bmp
47 49 46                          | gif
89 50 4E 47                       | png
The DriveSpy commands used for recovering images are:
Image: Create a Forensic Image of the Current Object (Drive or Partition)
Output: Specify/Identify an output file to log activity
Part: Selects PARTITION Mode/View
Search: Search a Drive, Partition, or File(s) for text or data
Cluster: Display raw disk data for a cluster
CFE: List all the clusters in a chain that start at the specified cluster
SaveSect: Create an Image of a Partition
Script: Process a series of commands as listed in the specified DRIVESPY command file
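The three recovery steps above, as an added example that is not the report's own DriveSpy work: a small Python carver scans a constructed block of unallocated space for the header fragments listed in the first table, assembles a cluster chain into one file (the job CFE, SaveSect and Script do in DriveSpy), and rewrites a damaged header with the known-good values from the second table. A 512-byte cluster size and the sample disk contents are assumptions.

```python
from typing import Dict, List

CLUSTER_SIZE = 512   # assumed cluster size for the constructed sample

# Known-good file headers (second table above), used to repair damaged files.
GOOD_HEADERS: Dict[str, bytes] = {
    "jpg": bytes.fromhex("FFD8FFE000104A46494600"),
    "bmp": bytes.fromhex("424D"),
    "gif": bytes.fromhex("474946"),
    "png": bytes.fromhex("89504E47"),
}
# The shorter header fragments (first table above) searched for in unallocated space,
# and how far each fragment sits from the true start of its file.
HEADER_FRAGMENTS: Dict[str, bytes] = {"jpg": b"JFIF", "bmp": b"BM", "gif": b"GIF", "png": b"PNG"}
FRAGMENT_OFFSET: Dict[str, int] = {"jpg": 6, "bmp": 0, "gif": 0, "png": 1}


def find_fragments(unallocated: bytes, cluster_size: int = CLUSTER_SIZE) -> List[dict]:
    """Step 1: locate header fragments and report the cluster each candidate file starts in."""
    hits = []
    for ftype, frag in HEADER_FRAGMENTS.items():
        pos = unallocated.find(frag)
        while pos != -1:
            start = pos - FRAGMENT_OFFSET[ftype]
            if start >= 0:
                hits.append({
                    "type": ftype,
                    "offset": start,
                    "cluster": start // cluster_size,
                    "header_intact": unallocated.startswith(GOOD_HEADERS[ftype], start),
                })
            pos = unallocated.find(frag, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def assemble_clusters(disk: bytes, chain: List[int], cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Step 2: concatenate the clusters of a (possibly dispersed) chain into one file image."""
    return b"".join(disk[c * cluster_size:(c + 1) * cluster_size] for c in chain)


def repair_header(data: bytes, ftype: str) -> bytes:
    """Step 3: overwrite the first bytes with the known-good header for the file type."""
    good = GOOD_HEADERS[ftype]
    return good + data[len(good):]


def build_sample_unallocated() -> bytes:
    """Constructed unallocated space: a JPEG with a damaged header in cluster 2, a PNG in cluster 5."""
    disk = bytearray(8 * CLUSTER_SIZE)
    damaged_jpeg = b"\0\0\0\0\0\x10JFIF\0" + b"\x11" * 300       # leading header bytes wiped
    png = bytes.fromhex("89504E470D0A1A0A") + b"\x22" * 700       # spans clusters 5 and 6
    disk[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(damaged_jpeg)] = damaged_jpeg
    disk[5 * CLUSTER_SIZE:5 * CLUSTER_SIZE + len(png)] = png
    return bytes(disk)


if __name__ == "__main__":
    disk = build_sample_unallocated()
    for hit in find_fragments(disk):
        print(hit)
    recovered = repair_header(assemble_clusters(disk, [2]), "jpg")
    print("repaired JPEG header:", recovered[:11].hex(" ").upper())
```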
4.b Why the hash values are the same or different
A hash function is a deterministic procedure that takes an arbitrary block of data and returns a bit string of fixed size, called the hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is called the "message", and the hash value is called the message digest.
MD5 was designed by Rivest in 1991. MD5 is basically MD4 with "safety belts", and while MD5 is slightly slower than MD4, it is more secure. The algorithm consists of four distinct rounds, which have a slightly different design from that of MD4. The message digest size and the padding requirement remain the same. Den Boer and Bosselaers found pseudo-collisions for MD5, but there are no other known cryptanalytic results.
The MD5 hash function processes a variable-length message into a fixed-length output of 128 bits. The input message is broken into 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits less than a multiple of 512 bits. The remaining 64 bits are filled with a 64-bit integer representing the length of the original message in bits.
When we compare the hashes of a file and its copy, we see that the two values are the same, and the creation time and file name are also the same. The MD5 hash is computed over the file's data, and when we copy the file the hash value does not change, because copying duplicates the binary data of the original file bit for bit. But when we change even one bit of data in the copy, the MD5 hash function produces a different hash value for it. Thus the original file and the modified copy now differ, even though the file name and size are still the same.
4.c Steganography and hashing values
Steganography is a word derived from the combination of two Greek words, steganos and graphie. Steganos means covered or secret, and graphie means writing. In information technology the term is used to describe the hiding of data inside another file. In this assignment, 4 image file formats are used to hide data and are then tested with MD5.
The 4 types of image files are created using the Inkscape and Microsoft Paint programs. Steganography is done with the Steganography 1.8.1 program. MD5 message digests are created with the MD5Sum program.
The message "IADCS NCC Education" is inserted into each file and saved.
After modifying and rehashing, the following findings are obtained.
                      | Bitmap | Raster | Vector               | Meta
Size before (bytes)   | 43308  | 22140  | 5595                 | 13964
Size after (bytes)    | 43568  | 22400  | 5855 (*) / 5871 (**) | 14224
Changes in appearance | No     | No     | Yes (*) / No (**)    | No
Identical MD5         | No     | No     | No (*) / No (**)     | No
MD5 of those files are as follows
Bitmap: before: 2b6924764e59dd13b5f405806ad96c7c
after: ed1f70b3f3987550799a8b7a9534555a
Raster: before: d617e6772dc5b936c5e4771818a7e6dc
after: 047f3ec9acd71e0515c2d048887ada08
Vector: before: 2c0e954a67a432979b1f2a5658788658
after *: 80834528f55ad9fb9caf4bb14a7c6674
after **: 2C0E954A67A432979B1F2A5658788658
Meta: before: aad4cbf3e921fd3b2271a40df69873f8
after: c8efeaa7451e0c3c51514f5de14cb8fb
* hidden with the "Steganography" application; the modified image cannot be shown in Inkscape
** hidden with a non-standard tag using the following elements:
<steganography>
<subject>Hidden message in Vector file</subject>
<text>IADCS<br />NCC Education</text>
</steganography>
** the modified image can be viewed in Inkscape with no change in appearance
The sizes of the files changed by around 300 bytes. However, there is no change in the external appearance of the files and no way to tell from looking at them that a message is hidden in each picture. The steganography tool must therefore use the insertion technique to hide the message in the pictures rather than the substitution technique.
But there are significant changes in the MD5 digests compared with those of the original files. The following screenshots compare the before and after images in appearance and in hexadecimal view.
Figure 4-1 Bitmap files: before and after steganography
Figure 4-2 Raster files: before and after steganography
Figure 4-3 Vector files: before and after steganography
Figure 4-4 Meta files: before and after steganography
Figure 4 -5 Comparison of Bitmap files
Figure 4-6 Comparison of Raster files
Figure 4-7 Comparison of Vector files
Figure 4-8 Comparison of Meta files
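As an added example (not the report's own tool or files), the following Python constructs a small 24-bit bitmap, hides the report's message by the insertion technique discussed above, and shows the checks an examiner can apply: the MD5 changes and the file grows while the pixel data a viewer renders is unchanged, and the size declared in the BMP header no longer matches the real file size, which is how the appended bytes are found. The bitmap's dimensions and colour are made up.

```python
import hashlib
import struct

FILE_HEADER = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)


def build_bmp(width: int, height: int, rgb=(0, 0, 255)) -> bytes:
    """Constructed solid-colour 24-bit BMP: rows stored bottom-up and padded to 4 bytes."""
    row = bytes(rgb[::-1]) * width                         # BMP stores pixels as B, G, R
    row = row.ljust((len(row) + 3) // 4 * 4, b"\0")
    pixels = row * height
    info = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = struct.pack(FILE_HEADER, b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return header + info + pixels


def insert_message(bmp: bytes, message: bytes) -> bytes:
    """Insertion technique: the message is appended after the pixel data, so no pixel changes."""
    return bmp + message


def _pixel_span(bmp: bytes):
    """(offset, length) of the pixel array according to the file and info headers."""
    _magic, _size, _r1, _r2, off_bits = struct.unpack_from(FILE_HEADER, bmp, 0)
    _bi_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    row_bytes = (width * bpp // 8 + 3) // 4 * 4
    return off_bits, row_bytes * abs(height)


def declared_end(bmp: bytes) -> int:
    """Where the file should end: the larger of the declared bfSize and the end of the pixel data."""
    declared_size = struct.unpack_from("<I", bmp, 2)[0]
    off, length = _pixel_span(bmp)
    return max(declared_size, off + length)


def inspect_bmp(bmp: bytes) -> dict:
    """Examiner's view: MD5, the size the header declares versus the real size, and surplus bytes."""
    magic, declared_size = struct.unpack_from("<2sI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    return {
        "md5": hashlib.md5(bmp).hexdigest(),
        "declared_size": declared_size,
        "actual_size": len(bmp),
        "trailing_bytes": len(bmp) - declared_end(bmp),   # anything here is not part of the image
    }


def same_appearance(a: bytes, b: bytes) -> bool:
    """True when the pixel arrays a viewer renders are byte-for-byte identical."""
    oa, la = _pixel_span(a)
    ob, lb = _pixel_span(b)
    return a[oa:oa + la] == b[ob:ob + lb]


def trailing_data(bmp: bytes) -> bytes:
    """The bytes after the declared end of file: where an inserted message would sit."""
    return bmp[declared_end(bmp):]


ORIGINAL = build_bmp(8, 4)
STEGO = insert_message(ORIGINAL, b"IADCS NCC Education")   # the message used in the report

if __name__ == "__main__":
    for name, data in (("before", ORIGINAL), ("after", STEGO)):
        print(name, inspect_bmp(data))
    print("appearance unchanged:", same_appearance(ORIGINAL, STEGO))
    print("recovered trailing data:", trailing_data(STEGO))
```

A substitution-type tool that rewrites pixel bits would leave the declared size intact and would instead be caught by comparing the pixel arrays, which is what same_appearance does.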
4.d Difference between Image File Format
4.d.1 Bitmap and Raster
Bitmap and raster files both store pixels, but a raster file stores the pixels in rows so that the images are easy to print. The quality of a bitmap image displayed on a computer screen is governed by the display resolution. The resolution is related to the density of pixels on the screen and depends on a combination of hardware and software. Computers also use a VGA card; the more memory the VGA card has, the better the quality of the displayed image.
Image files can contain different amounts of colour per pixel, but each must set aside enough bits of space to support its colours.
Bitmap and raster image files use as much of the colour palette as possible. However, when you save a bitmap or raster image file, the resolution and colour may change depending on the colours contained in the original file and whether the file format supports those colours.
4.d.2 Vector
A vector file stores only the mathematics for drawing lines and shapes, so vector files are different from bitmap and raster files: a raster image is built from dots, whereas a vector image is built from lines. Because vector files store mathematical calculations rather than images, a graphics editing program converts those calculations into the appropriate image. Vector files are generally smaller than bitmap files, and a vector image can be enlarged without affecting image quality: to double its size, the graphics editing program multiplies the stored values by two instead of manipulating pixels. Vector files can be created with draw-type software such as CorelDRAW.
4.d.3 Metafile
The metafile image format is a combination of the raster and vector file formats, so a metafile can have the characteristics of both image types. While metafile images provide the features of both bitmap and vector files, they also share their limitations. For example, if you enlarge a metafile image, the area that was created in a raster format loses some resolution, while the vector-formatted area remains sharp and clear.
4.d.4 Locate and Recover Image File
Images are not always stored in standard image file formats such as JPEG, so we must first determine which files are image files. Windows provides tools to recover image files, but these tools have some disadvantages.
We can therefore use computer forensics tools dedicated to analyzing images. As we work with these tools we should develop standard procedures for our organization and continue to refine them, and follow those standard procedures in every case to provide a thorough analysis.
An image file contains information about itself. Like an e-mail message, an image file contains a header with instructions for displaying the image. Each type of image file has its own header, which helps us identify the file format; we can compare a known good file header with that of a suspected file.
Task 5
Sophie at the local city hall contacts the shift supervisor, Elizabeth, with a complaint of harassment using the city's e-mail system. You are assigned to find the suspect and to build a case to terminate the employment of the city hall employee. When interviewing the victim Sophie, you discover that she was involved with the suspect, James, but ended the relationship against James's wishes. Both she and the suspect still work for city hall. Sophie has kept a series of offending e-mail messages and offers those for your review. When you interview James, he denies any wrongdoing and claims he is being set up. After your investigation, you confirm that he is being set up - the alleged victim is actually the one sending the offensive e-mail.
1. Report on investigation to prove innocence
Outline
Getting an electronic copy of the offending e-mail messages
The offending e-mail messages are obtained from the victim for inspection of the e-mail headers, from which the connecting server IP, sending server IP, date and time, message ID and service name of the sending server are obtained.
Inspecting e-mail server log records
Based on the sending server IP, date and time, message ID and service name of the sending server, the e-mail server concerned is identified. With the help of the server administrator, the server log is obtained and inspected for the user name of the sender and to find out who actually operates that user name.
Getting the users' messages on the e-mail server
In addition to the copy of the offending messages from the victim's computer, the e-mail files on the server are also obtained to check for any tampering that might have been made to the former e-mail file. An MD5 checksum is carried out to determine the message fingerprints.
Carving the original e-mail file from the suspected person's workstation
Once the person who committed the crime is identified, the original e-mail file will be salvaged from his/her workstation.
2. Actions to take
The offending messages are received from the victim, Jezebel. The files are obtained again in person and printed. The e-mail file headers are then examined.
The file headers suggest that the offending messages were sent from the city hall e-mail server with the Reply-To header filled with Naomi's address.
The Message-ID and Received headers reveal (Barbara) the unique identification number and the date and time the message was sent.
By tracing back through the e-mail server log using the Message-ID and the date/time stamp, the user name responsible for sending the offending messages is found. Moreover, the Reply-To header is found to have been deliberately spoofed.
Registration information states that the user account was created by the victim, Jezebel.
The e-mail message files on the server are obtained again to check against the victim's submission.
On checking the router log and tracing, the e-mail messages are found to originate from Jezebel's computer. More evidence can be obtained by carving the original offending message from Jezebel's computer using data recovery tools; the messages can then be checked against the e-mail message file obtained from the server.
A professional report on the findings of the digital evidence will then be produced and submitted to the local city hall law officer.
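The header inspection and server-log correlation described in the steps above, as an added example that is not part of the original report: it pulls the Message-ID, the originating Received hop and the From/Reply-To pair out of a message, flags a Reply-To that does not match the sender, and looks the Message-ID up in the sending server's submission log to find the authenticated account. The message, hostnames, addresses, IDs and log format are all constructed for the example.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Constructed offending message (hypothetical hosts, addresses and IDs, not
# evidence from the case). Reply-To names a mailbox other than the sender's.
VICTIM_COPY = b"""Received: from mail.cityhall.example (10.0.0.5) by mx.cityhall.example; Mon, 3 Jun 2013 09:15:02 +0000
Received: from ws-17.cityhall.example (10.0.1.17) by mail.cityhall.example with ESMTP id abc123; Mon, 3 Jun 2013 09:15:01 +0000
Message-ID: <20130603091501.abc123@mail.cityhall.example>
From: James <james@cityhall.example>
Reply-To: Naomi <naomi@cityhall.example>
To: Sophie <sophie@cityhall.example>

body text
"""

# Constructed submission log of the sending server: the authenticated
# account that handed each message id to the server (format is assumed).
SERVER_LOG = """2013-06-03 09:15:01 submit user=sophie client=10.0.1.17 msgid=<20130603091501.abc123@mail.cityhall.example>
2013-06-03 09:16:40 submit user=james client=10.0.1.22 msgid=<20130603091640.def456@mail.cityhall.example>
""".splitlines()


def header_facts(raw: bytes) -> dict:
    """Pull the header fields the report relies on out of one message."""
    msg = message_from_bytes(raw)
    received = msg.get_all("Received") or []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return {
        "message_id": msg.get("Message-ID", "").strip(),
        "from": from_addr,
        "reply_to": reply_to,
        # Each hop prepends its own Received line, so the last one listed is
        # the first hop: the client that injected the message into the server.
        "origin_hop": received[-1].split(" by ")[0] if received else None,
        "reply_to_mismatch": bool(reply_to) and reply_to != from_addr,
    }


def find_submitter(message_id: str, log_lines) -> str:
    """Return the account the server logged for message_id, or None."""
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[3:])
        if fields.get("msgid") == message_id:
            return fields.get("user")
    return None
```

The server's own account-to-person registration records, and an MD5 of the server copy against the victim's copy, are the cross-checks the report then applies to the result.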