CAP797

The document discusses a case of intellectual theft from a technology company by one of its employees. As the cyber forensic expert leading the investigation, the author collected various digital devices from the crime scene, including laptops, hard disks, and pen drives. Tools used in the investigation include Guymager for imaging devices, DC3DD for bit-stream copying, Foremost for data carving, EWF for evidence packaging, and FTK Imager for previewing and mounting disk images. The goal is to analyze these devices using forensic techniques to identify the stolen data and reconstruct the events of the theft.

Uploaded by

Sujal Gupta

Analysis of Crime Scene using Cyber Forensic Tools to Identify the Evidence
Agenda
1. INTRODUCTION

2. CASE STUDY

3. COLLECTION & PRESERVATION

4. TOOLS & TECHNIQUE

5. ANALYSIS

6. FINDING & RESULTS

7. CONCLUSION

Team

Dr. Yasir Afaq Sir (Mentor)

Nicodemus Peter Ngufuli (Examiner)

Sujal Kumar Gupta (Examiner)

Vishal Yadav (Examiner)
Introduction
• As cyber forensic examiners, we are investigating a suspected intellectual property theft case for a technology company. We analyse digital evidence, trace the origin of the theft, and collaborate with law enforcement and legal experts, using established forensic tools and our expertise in cyber forensics to establish what happened. With a commitment to pursuing justice and safeguarding intellectual property rights, we aim to identify the responsible party and protect the victimised company's proprietary designs and trade secrets.
Case Study

Case Overview: Intellectual Theft by an Employee from a Technology Company

• The victim company, a leading technology firm, reported a suspected case of intellectual property theft by one of its employees. The suspect, who held a key position in the company's research and development department, was found to have illicitly accessed and copied important data, including proprietary designs and blueprints. Further investigation revealed that the employee had shared the stolen information with a competitor in exchange for financial gain.

• The theft has serious implications for the victim company: it could compromise their competitive advantage and disrupt the market. The stolen data is crucial to the company's research and development efforts and represents years of innovation and investment. The case requires a swift and thorough investigation to identify the extent of the theft, determine the motive behind the employee's actions, and establish the identity of the competitor involved.

• As the cyber forensic examiners leading the investigation, we are tasked with analysing digital evidence, including logs, network activity and computer systems, to trace the unauthorised access and the exfiltration of data. This involves careful examination of file timestamps, metadata and other digital footprints to reconstruct the timeline of events and identify the methods the perpetrator used to cover their tracks.

• In collaboration with law enforcement agencies, legal experts and technology specialists, we collect and preserve evidence in a way that can withstand legal scrutiny. This includes conducting interviews, analysing communication records and performing forensic examinations of digital devices. As the case progresses, we apply our expertise in cyber forensics, digital investigation and intellectual property law to unravel the theft and determine the full extent of the damage caused.
COLLECTION & PRESERVATION

Collection & Preservation

COLLECTION

Collection covers recording the physical crime scene, gathering the physical evidence that relates to it, and imaging, duplicating or copying the digital evidence. Each item should be documented with details such as its name, model, year of manufacture and serial number, and the scene itself should be captured through audio recordings, photographs and other visual records.

Digital evidence such as desktops, smartphones, printers and digital cameras should be collected along with the physical evidence, together with other relevant items like notes containing passwords, the suspect's documents and the suspect's diary. If the breach originated inside the perimeter, the crime scene must be contained and the specialised procedures followed: if a device is found ON or OFF, leave it in that state; if a computer is found OFF, photograph it, label the cables, and so on. Storage media should be attached to the examination workstation through a write blocker (or at least mounted read-only) before any imaging, so that the act of collection does not alter the original.

PRESERVATION

This stage concerns isolating, securing and preserving the physical and digital evidence. It maintains the integrity of the digital evidence and protects it from modification. Examiners are responsible for demonstrating that the evidence has been preserved through every step of the process: the collection phase, the examination phase, the analysis phase, and so on. Preservation of digital and physical evidence should be done by trained and skilled staff members who possess the required techniques and know how to use the appropriate tools.

The methods for preserving digital evidence that the forensic examiner needs to consider are covered in the sections that follow: hashing each acquired image at acquisition time and re-verifying the hash before analysis, so that any change to the copy can be detected.
Table of Collected Devices

Item   | Name        | Condition | Evidence | Details
Item 1 | Laptop      | Good      | NA       | Company: Dell; Model: 10T; Serial no.: HG3FR12
Item 2 | Hard disk   | Good      | NA       | Company: WD; Model: WD1600AVVS; Serial no.: WCAUZ05; Space: 573M
Item 3 | Pen drive 1 | Good      | YES      | Company: SanDisk; Size: 8GB; Serial no.: SDDC24
Item 4 | Pen drive 2 | Good      | YES      | Company: SanDisk; Size: 32GB; Serial no.: SDDC24
TOOLS & TECHNIQUE

Tools & Technique

Acquisition should be performed from forensically sound boot media (a bootable DVD/CD-ROM, USB flash drive, or even a floppy disk, HDD or SSD). Memory should be dumped first, preferably to a USB flash drive with enough capacity. Before collecting volatile data we must carry out a risk assessment to decide whether it is safe and relevant to collect such live data, which can be very useful in an investigation. A forensic toolkit should be used throughout the process, as this helps meet the requirements of a forensic investigation. These tools must be trusted; they range from freely distributed to commercial products.

Tools used to investigate this case:

1. GUYMAGER

2. DC3DD

3. FOREMOST

4. EWF

5. FTK Imager
Tools & Technique

GUYMAGER

Guymager is a forensic imager designed to support several image file formats (raw dd, EWF/E01 and AFF), to be user-friendly and to run fast. It has a high-speed multi-threaded engine using parallel compression for best performance on multi-processor and hyper-threading machines.

To work a cyber crime on digital media, the media first has to be cloned. Evidence must be copied in a valid and proper way that keeps it admissible; if it is not copied in a valid way it cannot be used as evidence. Acquiring images of the material from the crime scene with proper hardware and software tools is what turns the obtained data into legally usable evidence.

The image format and the verification function chosen at acquisition time affect the later steps of the investigation. Working from an image, we can examine the same disk on multiple systems with multiple software packages and solve the case faster. Guymager is based on libewf and libguytools.

FTK IMAGER

FTK Imager is a free tool for creating disk images, developed by AccessData. It helps both to preview data and to image it.

• Create forensic images (exact copies) of local hard drives, floppy and Zip disks, DVDs, folders, individual files, etc. without making changes to the original evidence.
• Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs and DVDs.
• Preview the contents of forensic images stored on a local machine or drive.
• Mount an image for a read-only view, which lets you see the contents of the forensic image exactly as the user saw them on the original drive.
Tools & Technique

FOREMOST TOOL

Foremost is a digital forensic application used to recover lost or deleted files. It works by carving: it scans raw data for the headers and footers of known file types rather than relying on the file system, so it can recover files from hard disks, memory cards, pen drives and other storage devices, and it can also work on image files produced by any other application. It is a free command-line tool that comes pre-installed in Kali Linux. Foremost is useful for recovering files that were deleted accidentally or deliberately. Deleted files can be recovered only if the blocks they occupied have not been overwritten, which means that no new data was written to the device after the deletion; if data was written, the chances of recovery drop and any recovered files may be corrupted.

EWF TOOL

Expert Witness Format (EWF) files, usually saved with an E01 extension, are very common in digital investigations. Many forensic tools support E01 files, but many non-forensic tools do not. This is a problem when ordinary Linux utilities are used for an investigation; the libewf tools (ewfacquire, ewfexport, ewfmount) bridge the gap by creating E01 images, converting them back to raw, or exposing an E01 as a raw image that standard tools can read.

DC3DD TOOL

Using dc3dd in cyber forensic investigations is similar to using dcfldd, with some differences in the syntax and options available. The general outline of the steps for using dc3dd to create a forensically sound image of a storage device is: acquire the dc3dd tool (it can be downloaded and installed on the forensic workstation); identify the target storage device, using a tool such as lsblk or fdisk, which shows the available storage devices and their properties; and determine the output file, i.e. the location where the image file should be saved.
ANALYSIS

Timeline

The analysis follows five stages: Copying, Hashing, Verify, Carving, Image analysis.

• Copying: copying or imaging the pen drive means making a bit-stream copy of the whole device, including unallocated space, rather than only the visible files and folders. All later work is done on the image, never on the original.
• Hashing: hashing ensures data integrity, i.e. that no unintended changes are made to the data. E.g. MD5, SHA256.
• Verify: once the hash of the image has been created, its integrity can be checked at any later time to verify that it has not been tampered with.
• Carving: a forensic program recovers lost files based on their headers, footers and internal data structures.
• Image analysis: examination of the verified image for evidence.
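The hashing and verification stages above, as an added example that is not part of the original presentation: the hashes are computed in fixed-size chunks so that a multi-gigabyte image never has to fit in memory, compared with the values recorded at acquisition time, and a single flipped bit is shown to fail verification. SAMPLE_IMAGE and ACQUISITION_LOG are constructed for the demo (in a case the recorded hashes come from the Guymager, dc3dd or FTK Imager log).

```python
"""Added example, not part of the original presentation: chunked hashing and
verification of a disk image against the hashes recorded at acquisition.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read keeps memory flat for large images


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Return {algorithm: hexdigest} after reading the stream exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Same as hash_stream, for an image file on disk."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(image: bytes, acquisition_log: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match of the image against the hashes in the acquisition log."""
    computed = hash_stream(io.BytesIO(image), tuple(acquisition_log))
    return {name: computed[name] == expected.lower() for name, expected in acquisition_log.items()}


def all_match(results: Dict[str, bool]) -> bool:
    """An image is verified only if every recorded hash matches."""
    return bool(results) and all(results.values())


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to simulate a copy modified after acquisition."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


# Constructed 4 KiB "pen drive image": boot-sector-like header, filler bytes,
# 0x55AA marker, zero padding. Deterministic bytes, not a real file system.
_PREFIX = b"\xeb\x3c\x90MSDOS5.0" + bytes(range(256)) * 15 + b"\x55\xaa"
SAMPLE_IMAGE = _PREFIX + b"\x00" * (4096 - len(_PREFIX))

# Stands in for the hash lines the imaging tool writes to its log/info file;
# derived here from the pristine bytes so the demo is self-contained.
ACQUISITION_LOG = hash_stream(io.BytesIO(SAMPLE_IMAGE))

if __name__ == "__main__":
    print("pristine copy :", verify_image(SAMPLE_IMAGE, ACQUISITION_LOG))
    print("tampered copy :", verify_image(tamper(SAMPLE_IMAGE, 1000), ACQUISITION_LOG))
```

Because every algorithm in the log has to match, the check fails even if only one of the recorded hashes disagrees; a mismatch means the copy on the workstation is not the one that was acquired, and the analysis must stop until a verified copy is obtained.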


ANALYSIS

DATA HIDING ANALYSIS
• Recovering data that may be hidden in these digital items gives the examiner a chance to find significant information, e.g. about ownership.

TIME FRAME ANALYSIS
• The goal of this analysis is to work out when the crime happened, by analysing the events on the digital systems through the times and dates embedded in the files as metadata.

FILE ANALYSIS
• Analysing the metadata embedded in files and applications, and other information, may yield hints leading to the crime scene, such as an idea of the user's behaviour.
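The time frame and file analysis above, as an added example that is not part of the original presentation. The created/modified/accessed timestamps and paths are constructed for a hypothetical pen drive; the code merges them into one sorted timeline, reports the activity window, and flags files created outside working hours. It goes one step beyond the slide by also flagging files whose modified time is earlier than their creation time, the usual sign that a file was copied onto the drive from elsewhere, since Windows keeps the source's modification time but stamps a fresh creation time on the copy.

```python
"""Added example, not part of the original presentation: time frame analysis
over file metadata from a hypothetical pen drive image (timestamps constructed).
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List


@dataclass(frozen=True)
class FileMeta:
    path: str
    created: datetime   # birth time on this volume
    modified: datetime  # content last written
    accessed: datetime  # last read


@dataclass(frozen=True)
class Event:
    when: datetime
    action: str         # "created" | "modified" | "accessed"
    path: str


def build_timeline(files: List[FileMeta]) -> List[Event]:
    """Flatten the three timestamps of every file into one chronological list."""
    events: List[Event] = []
    for f in files:
        events.append(Event(f.created, "created", f.path))
        events.append(Event(f.modified, "modified", f.path))
        events.append(Event(f.accessed, "accessed", f.path))
    return sorted(events, key=lambda e: (e.when, e.path, e.action))


def copied_from_elsewhere(files: List[FileMeta]) -> List[str]:
    """modified < created cannot happen for a file authored on this volume."""
    return [f.path for f in files if f.modified < f.created]


def created_outside_hours(files: List[FileMeta], start: time = time(9, 0), end: time = time(18, 0)) -> List[str]:
    """Files created on the drive outside the working hours [start, end]."""
    return [f.path for f in files if not (start <= f.created.time() <= end)]


def report(files: List[FileMeta]) -> Dict[str, object]:
    """Summary an examiner would put in the time frame section of the report."""
    timeline = build_timeline(files)
    return {
        "events": len(timeline),
        "first": timeline[0].when.isoformat(),
        "last": timeline[-1].when.isoformat(),
        "copied_from_elsewhere": copied_from_elsewhere(files),
        "created_outside_hours": created_outside_hours(files),
    }


# Constructed metadata for a hypothetical pen drive (paths and times are made up).
SAMPLE_FILES = [
    FileMeta("/blueprints/board_rev7.pdf",
             created=datetime(2024, 3, 4, 23, 12), modified=datetime(2023, 11, 20, 10, 5),
             accessed=datetime(2024, 3, 4, 23, 12)),
    FileMeta("/blueprints/chassis.zip",
             created=datetime(2024, 3, 4, 23, 15), modified=datetime(2024, 1, 9, 16, 40),
             accessed=datetime(2024, 3, 4, 23, 15)),
    FileMeta("/notes.txt",
             created=datetime(2024, 3, 5, 11, 0), modified=datetime(2024, 3, 5, 11, 30),
             accessed=datetime(2024, 3, 5, 11, 30)),
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_FILES):
        print(e.when.isoformat(), e.action.ljust(8), e.path)
    print(report(SAMPLE_FILES))
```

In a real examination the FileMeta records come from the mounted image (for example via os.stat on each path, or from the file system's own metadata as exported by the analysis tool), and the working-hours window comes from the company's records for the suspect.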
To acquire an image in Guymager, right-click the disk and select the acquire option; a new window pops up. Here we choose the image file format and provide the case number, evidence number, examiner, description and notes. We can also choose the image directory and split the image into pieces of a chosen size.

Here we can also calculate the MD5 and SHA-1 hashes of the image. We must then enable the verification step, because if the image acquisition was not valid it cannot serve as evidence; verification is a good habit. In this case we set the acquired image directory on the desktop and did not use the split image option because we were not acquiring a large image. The following screenshots show the process.
• ewfacquire is a utility to acquire media data from a source and store it in EWF format (Expert Witness Compression Format). ewfacquire acquires media data in a format equivalent to EnCase and FTK Imager, including metadata. Under Linux, FreeBSD, NetBSD, OpenBSD and MacOS-X/Darwin, ewfacquire supports reading directly from device files. On other platforms ewfacquire can convert a raw (dd) image into the EWF format.
• Identify the target storage device: determine which storage device you want to image, using a tool such as lsblk or fdisk, which shows the available storage devices and their properties. Determine the output file: specify the location where the image file should be saved, either a local file or a network share. Run the dc3dd command: dc3dd creates the image of the target storage device. The basic syntax is:

dc3dd if=<input_device> of=<output_file> hash=sha256 log=<log_file>

The hash= option makes dc3dd compute the hash of the input while it is being read, and log= writes that hash, the byte counts and any read errors to a log file that becomes part of the case record. Without these two options the command degenerates to a plain dd-style copy with nothing to verify against.


• This disk image file will be carved for .jpeg, .png, .zip, .pdf and .avi file formats. We will not be instructing Foremost to carve .docx, but since one exists inside the .zip we placed in the disk image, it will be recovered along with the archive.

• To break the command down: "-t" sets the file types we want to carve out of the disk image, here .jpeg and .png.

• "-i" specifies the input file, the "disk.img" placed on the desktop.

• "-o" tells Foremost where we want the carved files to be stored; for that we use the "recov" folder on the desktop that we made earlier.

• "-v" enables verbose mode, so that Foremost prints progress messages for each file as it is carved. Independently of this flag, Foremost writes an audit.txt file in the output folder (recov) listing every carved file with its offset and size, which serves as the audit report.
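The flags described above correspond to an invocation like foremost -v -t jpg,png -i disk.img -o recov (Foremost's type name for JPEG is jpg). What such a carver does internally, as an added example that is not part of the original presentation and not Foremost's own code: it scans the raw image for known header and footer signatures, cuts out each span bounded by a per-type maximum size, and never consults the file system. DISK_IMAGE is constructed inline from three tiny files (correct signatures, not real pictures) laid into zero filler; the names and per-type sizes are modelled on Foremost's conventions.

```python
"""Added example, not part of the original presentation: a minimal
header/footer carver in the style of Foremost.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (header, footer, max size) per type, modelled on Foremost's built-in definitions.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}

SECTOR = 512


@dataclass(frozen=True)
class Carved:
    kind: str
    offset: int   # byte offset of the header in the image
    data: bytes


def carve(image: bytes, types: Optional[List[str]] = None) -> List[Carved]:
    """Return every header..footer span of the requested types, sorted by offset.

    A header with no footer inside the type's max size is skipped instead of
    swallowing the rest of the image (the same bound Foremost applies).
    """
    found: List[Carved] = []
    for kind in types or list(SIGNATURES):
        header, footer, max_size = SIGNATURES[kind]
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                continue
            end += len(footer)
            found.append(Carved(kind, start, image[start:end]))
    return sorted(found, key=lambda c: c.offset)


def output_name(item: Carved) -> str:
    """Foremost-style name: zero-padded sector number of the header plus extension."""
    return f"{item.offset // SECTOR:08d}.{item.kind}"


def audit(found: List[Carved]) -> Dict[str, int]:
    """Per-type counts, the summary that ends Foremost's audit.txt."""
    counts: Dict[str, int] = {}
    for item in found:
        counts[item.kind] = counts.get(item.kind, 0) + 1
    return counts


def overwrite(image: bytes, offset: int, length: int) -> bytes:
    """Simulate new data written over a deleted file's blocks."""
    return image[:offset] + b"\x00" * length + image[offset + length:]


# Constructed minimal files: correct header and footer bytes, padded bodies.
TINY_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
TINY_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TINY_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
FILLER = b"\x00" * SECTOR

# In this story the PNG has no directory entry (it was "deleted"); carving finds it anyway.
DISK_IMAGE = FILLER + TINY_JPG + FILLER + TINY_PNG + FILLER * 2 + TINY_PDF + FILLER

if __name__ == "__main__":
    for item in carve(DISK_IMAGE):
        print(output_name(item), item.kind, "at byte", item.offset, len(item.data), "bytes")
    print(audit(carve(DISK_IMAGE)))
```

The overwrite helper shows the limit the slide describes: once the PNG's blocks are zeroed, its header is gone and the carver no longer reports it, which is why nothing must be written to the device after the deletion.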
• In the menu bar, click the File tab, which opens a drop-down like the one in the image below; click the first entry, Add Evidence Item.

• A pop-up window asks you to select the source of the evidence. If you have connected a physical hard drive to the computer you are using to make the forensic image, select Physical Drive here and click Next. Now select the physical drive you want to use. Make sure you select the right drive, or you will waste time exporting a forensic image of your own OS drive.

• Now we export the forensic image. Right-click the physical drive you want to export in the FTK Imager window and select Export Disk Image.

• Click the Add button for the Image Destination.

• Select the type of forensic image you want to export: select E01 and click Next.

• Next you enter the case information. You can leave the fields blank or keep them general; this part is up to you.

Lastly, wait for the forensic image to be created and then verified. The speed of creating the forensic image varies with your hardware. Once both have completed, the forensic image is ready.
RESULTS

• As cyber forensic examiners, we conducted a thorough analysis of the digital evidence collected from the suspect's devices. Among the findings were several images depicting potential evidence of illegal activities, including images of suspicious financial transactions and confidential documents. There were also PDF files containing sensitive information related to a business deal, as well as blueprints of a high-security building. Furthermore, we found lines of code that appeared to be malicious in nature, suggesting the suspect may have been involved in cybercrime. The evidence revealed a complex web of illicit activities, requiring further investigation and expertise to unravel the full scope of the suspect's actions.

Main Evidence
Conclusion
• In conclusion, the case of intellectual property theft by a company employee has been successfully solved. The discovery of a pen drive as the main evidence proved to be crucial in unravelling the mystery.

• Upon thorough investigation, the pen drive was found to contain a treasure trove of information, including blueprints, bank transactions and credit card information. These findings confirmed that the employee had been stealing and misusing the company's intellectual property for personal gain.

• Furthermore, the pen drive also contained malicious code, indicating that the employee had engaged in unauthorised activities to compromise the company's security and integrity. This malicious intent added another layer of severity to the case, making it a serious offence.

• Through diligent forensic analysis, the team was able to track the employee's activities and establish a timeline of events, ultimately leading to the identification and apprehension of the culprit. The evidence found on the pen drive was pivotal in securing a conviction, as it provided irrefutable proof of the employee's illicit actions.

• As a result of the successful investigation, the stolen intellectual property was recovered, and the employee was held accountable for their actions in a court of law. The company has since implemented robust security measures to prevent similar incidents from occurring in the future, safeguarding their valuable intellectual property.
THANK YOU
