Digital Forensics Assignment: Reflection on Lessons Learned
Task 1: Reflection on digital forensics assignment on Hands-on Projects
Complete the following hands-on projects from your textbook:
Hands-on activity from Chapter 1, page 43 - 52 including analysing digital evidence using Autopsy and exploring additional features of Autopsy
Hands-on Project 1-3
Hands-on Project 1-6
Deliverable: Write a 1000 - 1500 words (up to five A4 pages) report on lessons learned from these projects. Comment on some of the features you learnt using Autopsy in hands-on activity 1 and reflect on lessons learnt for remaining two hands-on projects. You can write at least two lessons learned from each of the hands-on projects.
Task 2: Case Projects (5 marks)
Complete the Hands-on Projects 4-4 and 4-5 from your textbook (Nelson, Phillips, &Steuart, 6th edition, 2019, p. 191-192). In these projects you will be working with FTK Imager Lite and will be exploring hash values of text files. Once complete these projects using FTK Imager Lite, repeat the hash value calculations using WinHex editor as well. Compare the hashing results from any two tools, i.e. FTK Imager, WinHex editor and Get-FileHash.
Deliverable: Write a 500-1000 words paper after completing these projects and report what have you learned about the hashing functions and also the digital forensics tool, FTK Imager Lite and WinHex editor. Provide screenshots of the steps completed in the projects showing the results of hash values of files used. Show your results of the hash values on MS Word document.
For tasks 1 and 2 deliverables:
When you work on Hands-on project and screenshots to support the progress or steps, the screenshot must include at least your Interact 2 login name and date as a proof of your work. For each task or Hands-on, one snapshot of your working screen showing i2 site, your login and date will suffice the requirements. Mark will be reduced or will be awarded zero for any tasks or Hands-on projects that do not comply with this requirements. An exemplar screenshot will be available on subject i2 site.
Task 3: Research Project
Research at least three hex editors available for digital forensics investigations that you can use for your investigations. Write a one to two page paper describing different features of these three hex editors. Also, describe how these hex editors can be used to validate the digital evidence. Deliverable: Write a 500-1000 word report that outlines various features of hex editors and their digital evidence validation capabilities.
Hands-on Activities & projects – Lessons Learned
It is evident in the digital forensics assignment that the use of digital media and data has massively increased with the developments in the technology. I was able to be a part of the Digital Forensics projects and the numerous activities and project that I was involved with enabled me to learn about the processes executed, steps involved, and the overall flow (Parasram, 2017). There are certain improvements that I could do and I have been able to identify all of these with the reflective exercise that I carried out.
Autopsy was one of the primary processes and techniques that were involved in the hands-on projects and activities that I conducted. It is a critical process that involves a series of steps. I could not understand the process followed in Autopsy since it was my first experience with the same. However, I could assist in the investigation process by following the defined set of steps and instructions that were provided to me in order to carry out the Autopsy. There were several projects that I conducted and there were specific results that were attached to each of these projects. In some of these projects, such as the first activity that included the investigation of the suspicious death, I was expecting the results that were different from the ones that I had obtained. On consultation with the other experienced officials, I could understand the reasoning behind the same (Sammons, 2015).
For any of the role or responsibility that is conducted, there is a skill set and the specific set of traits that are associated. Being an investigation officer, there is a great degree of responsibility that is provided and must be fulfilled. It is essential that the results obtained are not biased and are completely reliable. I could learn that my personal opinion cannot have any influence and must not impact the case that I investigate. I could learn that it is of utmost importance to keep the personal beliefs and viewpoints aside while conducting the investigations as these may impact the overall outcome. I did not new any of the new techniques or mechanisms. I was particularly involved in the convenient tree-style filter that is present in the Autopsy sidebar which provides the ability to categorize and arrange the artefacts as per these categories. It was of a great help in the investigation process.
Documentation is one of the activities that are conducted and play an important role in the investigation process. I could determine that the level of documentation that I had used in the case was not up to the mark. I could have ensured that the documentation that was carried out was elaborate and there was a formal approach that was followed in the same (Karampidis&Papadourakis, 2017).
Autopsy lessons learned
1. It got the opportunity to be a part of a number of hands-on projects. There are various lessons that I learnt with respect to the autopsy tool that was used. Initially, I faced a lot of challenges as I was using the tool for the first time. Also, I was not aware of the entire process and methodology that is involved in the autopsy. However, with the passage of time, I could learn that the tool was designed in a defined layout and had a major role for the associated professionals. The increased usage of the tool enabled me to get accustomed with the features that were present within the tool. It also provided me with the ability to have an understanding of the non-functional aspects that were present in the tool, such as error resolution, reliability, and performance.
2. I could also learn that there are a number of other tools that are available in the market and have a richer feature set as compared to the tool that I was using. For instance, Encase is one of the tools that provides top to bottom or vice versa technique to conduct the investigations. The level of flexibility and customization that comes with Encase is better when compared with Google Autopsy tool.
I could learn that autopsy is a process that has its own share of complexities. It is with training, knowledge exchange, and experience that the effective conduction of the process can be done in order to investigate the cases.
What is the role of Hashing functions in Digital Forensics discussed within this digital forensics assignment?
The digital forensics investigation is a process that is composed of a number of steps and features. Each of the steps that are involved in the process of digital forensics has its own share of relevance(Tamma&Ahamad, 2018). One of the important processes that are involved is data acquisition. It is the process in which the data sets are gathered and the evidence is collected on the basis of the collected information. Now, in this process, it is essential that the evidence disk is used and its exact copy is developed.
The investigation process must not corrupt or modify the evidence disk. Therefore, it is stated in this digital forensics assignment that the copy of the disk is created which is the exact replica and the rest of the investigations are conducted on the same. There are several benefits that are attached with such an approach. The original information and evidence is not corrupted at any instance. There are multiple copies that can always be created so that the fresh investigations can be done using a new copy(Wei et al., 2015).
It is necessary that the copy must not have any gaps from the original evidence disk as the results of the investigations can transform the lives of the people involved in the case. To ensure the exact copy, the use of hash values and the matching of these hash values are done. This provides the mechanism to make sure that the overall integrity is maintained and the gaps are also identified, if any(Neuner et al., 2016).
Hash functions - FTK Imager Lite and WinHex
There are several disk editor tools that are now available in the market and Winhex is one of such tools that are being aggressively used in the digital forensics projects. There are numerous features and benefits that are included with this tool and the primary is associated with the hash functions. There is a wide range of hash functions that are now present and Winhex is one of the few tools that support the most out of them. These include SHA-256, SHA-1, MD4, MD5, Tiger Tree Hash, Tiger 160, RipeMD series, and the list goes on.
FTK Imager Lite
FTK Imager Lite is the tool that mainly supports the two hashes as MD-5 and SHA-1. There is a wide range of features that come with the tool, for example, there are hash functions and hash reports that can be generated using the tool. These hash values that are created are used to verify that the match is present between the images and the drive. In the case of the variation, there is a mismatch that is spotted and is immediately resolved (Mohan, 2020).
Features and Comparison
Winhex is a tool that comes with a lot many features. Some of these features include the following:
- The tool is a disk editor that provides editing functionalities on a number of platforms, such as hard disk drives, ZIP files, flash drives, floppy disks, and many more.
- Advanced data recovery mechanisms are included in the tool
- There is detailed file and data analysis that can be done along with the comparison of multiple files
- Data interpretation and disk cloning features are present in the tool
- Easy switch between the windows can be done
FTK Imager Lite is also a front-runner and comes with an abundant feature set.
- The image development using the tool can be done with the aid of the files from hard drives, flash drives, CDs, DVDs, etc.
- There are multiple recovery mechanisms and options that are present in the tool.
- Hash functions and values can be developed with the aid of the tool
- Image mounting options
There are differences between the two tools examined in this task of digital forensics assignment. For example, encryption is one area that is different as FTK supports EFS encryption while Winhex supports AES encryption. The UI of Winhex is complex as compared with that of FTK.
Hex Editors and their use in Digital Forensics
The recovery of the deleted files is an important aspect and the use of the hex editor tools can be done to conduct the same. There is a lot of data that may be stored on the files and it may be further distributed to the different sectors. The hex editor tools can be utilized to recover the files from all of these areas and make sure that the integrity and the efficiency of the digital forensics process is preserved and improved at all times.
There is a defined process that is associated with the malware tools. The determination of the code involved and the associated behaviour can be done using the tool. Also, the data can be acquired directly from the hard drives rather than obtaining the access to the operating system in the case of the hex editor tools. With the increased number of benefits that come with this tool, there are also several automated tools and options that are now available in the market. The use of these tools shall be done so that the overall effectiveness and efficiency of the digital forensics processes can be enhanced.
WxHex Editor Tool
WxHex editor tool is the hex editor tool that is open-source and it has been specifically developed for the Linux systems and platforms.
There are numerous features that are included in this tool and some of these are listed below within this digital forensics assignment.
- Apart from being an efficient hex editor tool, the tool can also be used as a low level data recovery tool. There may be issues in the hard drive or the specific partitions and the use of the tool can be done to recover the data from these areas.
- The tool offers XOR encryption to be used and applied
- The tool does not copy the complete files on RAM. As a result, the tool comes with an exceptional speed (Wxhexeditor, 2019)
- The easy comparison of the binary files can be done using the tool
- There are multiple files that can be viewed using the multiple views that are offered and are supported by the tool
VEDIT Hex Editor
The hex editor tools come with a wide range of features and options. The vEdit tool is one such tool that has an exception feature set which makes it ones of the most popular hex editor tools available in the market.
- There is an easy edit option that comes with this tool with the ability to edit the files in any format and of any size. The tool supports, hex, decimal, binary, and many other formats.
- There is advanced platform independence and interoperability that comes along with the tool. It can convert the files to and from Mac, Windows, DOS, and many other operating systems (Vedit, 2020).
- There are files of massive size and numbers that can be easily sorted and filtered with the aid of the tool.
- Customization and flexibility are some of the aspects that are included in the tool resulting in the enhanced user experience levels.
Hex Workshop Tool
This is the tool that provides the ability to carry out the hex editing functionalities and it comes with the following functionalities and features presented below within this digital forensics assignment.
- There are easy modes and execution options that come with the tool that can enrich the user experience levels. For example, drag and drop is a simple yet very useful feature of the tool(Hexworkshop, 2020)
- The tool supports multiple formats and platforms.
- Search, replace, and go to options that are offered by the tool have a number of sub-options that enhance the overall utility of the tool.
- Automatic scaling and zoom visualizer is included in the tool so that the easy visualization options and mechanisms can be included
- The embedded operations can be used in order to modify the data sets
- The manipulation of an active document can also be done using the tool
Hexworkshop. (2020). Hex Workshop Features: Hex Editor, Sector Editor, Base Converter and Hex Calculator for Windows.Digital forensics assignment Www.Hexworkshop.Com. http://www.hexworkshop.com/features.html
Karampidis, K., &Papadourakis, G. (2017). File Type Identification - Computational Intelligence for Digital Forensics. The Journal of Digital Forensics, Security and Law. https://doi.org/10.15394/jdfsl.2017.1472
Mohan, A. K. (2020). Forensically Sound Piecewise Hashing: Integrity checks with DEIC. Digital Forensics (4n6) Journal, 63–70. https://doi.org/10.46293/4n6/2020.02.02.14
Neuner, S., Schmiedecker, M., &Weippl, E. R. (2016). PeekaTorrent: Leveraging P2P hash values for digital forensics. Digital Investigation, 18, S149–S156. https://doi.org/10.1016/j.diin.2016.04.011
Parasram, S. V. N. (2017). Digital forensics with Kali Linux?: perform data acquisition, digital investigation, and threat analysis using Kali Linux tools. Packt Publishing.
Sammons, J. (2015). The basics of digital forensics?: the primer for getting started in digital forensics. Syngress.
Tamma, L. N. D., & Ahamad, S. S. (2018). A novel chaotic hash-based attribute-based encryption and decryption on cloud computing. International Journal of Electronic Security and Digital Forensics, 10(1), 1. https://doi.org/10.1504/ijesdf.2018.10009829
Vedit. (2020). Editing and Conversion Features | vEdit. Www.Vedit.Com. https://www.vedit.com/features.html
Wei, H., Yang, G., & Xia, M. (2015). A Digital Video Tampering Forensics Scheme Based on Forensics Hash. Journal of Electronics & Information Technology, 35(12), 2934–2941. https://doi.org/10.3724/sp.j.1146.2013.00296
Wxhexeditor. (2019). wxHexEditor - a Free Hex Editor / Disk Editor for Huge Files or Devices on Linux, Windows and MacOSX.Digital forensics assignment Www.Wxhexeditor.Org. http://www.wxhexeditor.org/home.php