
Digital Forensics and Cyber Law

1.1. Introduction:
Computer forensics involves the preservation, identification, extraction, documentation and
interpretation of computer data. The three main steps in any computer forensic investigation are
acquiring, authenticating, and analyzing the data. Acquiring the data mainly involves creating a
bit-by-bit copy of the hard drive. Authenticating means ensuring that the copy used to perform the
investigation is an exact replica of the contents of the original hard drive, by comparing cryptographic
hashes (for example MD5 or SHA-256) of the copy and the original. Analysis of the data is the most
important part of the investigation, since this is where incriminating evidence may be found.

In this report I work through three case projects: recovering files an employee has deleted, data
acquisition from a drive at the scene, and an e-mail-based investigation.

The task of a computer forensics professional is to gather evidence from a suspect's computer and
determine whether the suspect committed a crime or violated a company policy. If the evidence suggests
that a crime or policy violation has occurred, you begin to prepare a case, which is a collection of
evidence you can offer in court or at a corporate inquiry.

Data acquisition is the process of copying data. For computer forensics, it is the task of collecting
digital evidence from electronic media. There are two types of data acquisition: static acquisitions,
taken from media that is powered off and normally attached through a write blocker, and live
acquisitions, taken from a running system.

Collecting data that is active in a suspect's computer's RAM is becoming more important to digital
investigations, partly because of disk encryption: once an encrypted system is powered off, the keys
held in memory are gone and the disk image may be unreadable. Your goal when acquiring data for a
static acquisition is to preserve the digital evidence. Many times, you have only one chance to create
a reliable copy of disk evidence with a data acquisition tool.

E-mail has become a primary means of communication, and most computer users have e-mail
programs to receive, send, and manage e-mail.

These programs differ in how and where they store and track e-mail. Some are installed separately
from the OS and require their own directories and information files on the local computer.

1.2. Background Study

For the 1st case, I work with forensic disk images from small USB drives to perform the activities
and projects in that case. After looking at how to find data on a small storage device, I apply the
same techniques to a large disk.

For the 2nd case, I learn how to perform static acquisitions from digital media.
The future of data acquisition is shifting toward live acquisitions because of the use of disk
encryption with newer operating systems (OSs).

For the 3rd case, I learn how to trace, recover, and analyze e-mail messages using forensics tools
designed for investigating e-mail as well as general-purpose tools, such as disk editors.


2.Case Project 2-4


A desperate employee calls because she has accidentally deleted crucial files from her hard drive and
can't retrieve them from the Recycle Bin. What are your options? Write one to two pages that explain
your capabilities and list the questions you need to ask her about her system.

2.1. Project Notes:


Our first option is to let the employee know that we are capable of doing the work, but that we
need the machine (or a forensic image of its drive) to start the process, and that we can recover the
files for a fee. Just as important, she should stop using the machine immediately: a deleted file is
only recoverable until the disk space it occupied is overwritten, and every file save, browser session
or software update reduces the chance of a clean recovery. The employee would need to fill out a form
listing the exact names of the missing files so that there are no misunderstandings. From our
perspective this is a business opportunity, and our questions would really only pertain to recovering
the data.

Accidental deletion can happen to anyone. Retrieving data that has been accidentally deleted, or
that sits on a hard drive, storage device or CD/DVD that has been damaged, is a three step process:
the client is questioned, the data is recovered, and the information is delivered to the client.

The first step in data recovery is to question the client. It is vital to find out what operating
system the employee is using and whether the machine is a laptop or a desktop. By asking what
programs the client uses, the types of files to look for can be determined.

For example, if the client was using Microsoft Word, .doc and .docx files would be included. The
client should also have a general idea of the name of the directory that was deleted and the number
of files that were deleted. Another question to ask the client is whether they are working on a
network. In some cases the client might be saving files on a network drive.

If so, identify whether the network is Novell NetWare or Active Directory. On NetWare the directory
may be recovered with the server's salvage function; on a Windows file server, Previous Versions
(volume shadow copies) or the server backups may hold it. Finally, we would need to know how soon the
employee needs the restored files.

Once a general idea of what the client deleted is obtained, the data can be recovered with
recovery software, run against a forensic image of the drive rather than the original disk. There are
many free recovery applications to choose from. Some examples are Foremost, Scalpel, Magic Rescue
and The Sleuth Kit. Foremost, Scalpel and Magic Rescue carve files out of unallocated space by their
header and footer signatures, which works even when the file system's record of the file is gone; The
Sleuth Kit (for example its fls and icat tools) uses the remaining file system metadata to recover
deleted files together with their names.
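As an added example (not code from the page or from any of the tools named above), the following Python script carves files out of a raw image by header and footer signature, which is the core of what Foremost and Scalpel do. The image it scans is constructed inline; the JPEG, PNG and PDF magic bytes are the real ones, while the length caps, the output file names and the sample contents are assumptions made for the demonstration.

```python
"""Header/footer file carving over a raw image. Added example, not code from
Foremost, Scalpel or the page: it shows the technique those tools use. The image
below is constructed inline; the 20/50 MiB length caps are assumptions. On a
real case carve() is run over a forensic image of the drive, never the live drive."""
import os
from dataclasses import dataclass

# type -> (header magic, footer magic, maximum carved length if the footer is missing)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 50 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header in the image
    data: bytes
    complete: bool   # False when the footer was never found and the cap was used


def carve(image, signatures=SIGNATURES):
    """Scan `image` for every known header and cut to the first matching footer
    (or to the length cap). Like Foremost, this ignores the file system entirely,
    so it recovers files whose directory entries are gone, but not their names."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # footer overwritten or beyond the cap: keep what is there, flag it
                found.append(CarvedFile(kind, start, image[start:limit], False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    return sorted(found, key=lambda f: f.offset)


def write_carved(files, out_dir):
    """Write each carved file as <offset>.<type>; returns the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for f in files:
        path = os.path.join(out_dir, "%08x.%s" % (f.offset, f.kind))
        with open(path, "wb") as fh:
            fh.write(f.data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed stand-in for unallocated space: zero filler with a complete
    JPEG, a complete PDF and a JPEG whose tail was overwritten (no FF D9 footer)."""
    filler = bytes(4096)
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" * 10 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"sample pdf body\n" * 20 + b"%%EOF\n"
    torn_jpeg = b"\xff\xd8\xff\xe1" + b"Exif-cut-off" * 5
    return filler + jpeg + filler + pdf + filler + torn_jpeg + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print("%s at 0x%08x, %d bytes, %s" % (f.kind, f.offset, len(f.data),
              "complete" if f.complete else "footer missing"))
```

Run it against the image, not the client's drive. A torn file (footer overwritten) is reported with complete=False so it can be examined rather than trusted, and because carving cannot recover original file names, the client's list of file names and the applications she uses is what lets you match carved output back to the files she lost.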

After the data is recovered, it is turned over to the client.


2.2. Questions to ask an employee who accidentally deleted crucial files:

What is the operating system?
What type of machine is it: laptop or desktop?
Who is the manufacturer?
What applications do you usually use?
What was the name of the directory that was deleted?
When was the last time you accessed it before today?
How many documents were in the directory?
Do you log into a domain or a tree?
Do you have a home drive?
Have you used the machine since the deletion (saved files, installed or updated anything)?
Is the drive encrypted (for example with BitLocker)?

3. Case Project 4-5

You’re investigating a case involving a 2 GB drive that you need to copy at the scene. Write one to two
pages describing three options you have to copy the drive accurately. Be sure to include your software
and media choices.

3.1. Data Acquisition:

Data acquisition means acquiring the data from the scene of the crime so that it can be analyzed to
solve the case. Computer forensics tools store the evidence as an image file in one of three formats:
raw (dd), proprietary (for example EnCase E01) or Advanced Forensic Format (AFF). Raw and AFF are
open formats; the proprietary formats differ because each vendor adds its own features, such as
compression, built-in hash values and case metadata. Data acquisition takes place in four ways:

1. Creating a disk-to-image file.
2. Creating a disk-to-disk copy.
3. Creating a logical disk-to-disk or disk-to-data file.
4. Creating a sparse copy of a folder or file.

Disk imaging
Included in the Recover My Files installation folder is the stand-alone drive imaging program
"Forensic Imager". Forensic Imager is a Windows based program that will acquire a sector copy
("image") of a drive into one of the following common forensic file formats:
- DD / RAW (the raw format produced by the Linux dd command)
- AFF (Advanced Forensic Format)
- E01 (EnCase) [Version 6.xx format]


3.2. Running Forensic Imager

Forensic Imager is run from the Recover My Files drop-down menu by selecting the "Disk Image"
option, or by selecting the Disk Imager shortcut from Windows Start > All Programs > Recover My
Files v5 > Disk Imager.

When Forensic Imager is run the wizard presents 3 options:

Acquire: used to take a forensic image (an exact copy) of the target media into an image file on
the investigator's workstation;
Convert: used to copy an existing image file from one image format to another, e.g. DD to E01;
Hash or Verify: used to calculate a hash value for a device or an existing image file.

When the "Acquire", "Convert" or "Hash or Verify" button is selected, the source selection screen is
displayed enabling selection of the source media:

1. When "Acquire" is selected, the source window shows the available physical devices (hard
drives, USB drives, camera cards, etc.) and logical devices (partitions or volumes on the
physical devices, e.g. "C:" drive) attached to the forensic workstation.
2. When "Convert" is selected, the source window allows the selection of the source image file.
Click the "Add Image" button to add the required image file to the selection list.
3. When "Hash or Verify" is selected, the source window allows the selection of either a
physical or logical drive, or an image file.

For an acquisition, select the physical device (the whole drive) rather than a logical volume, so
that unallocated space, file slack and any other partitions are captured, and attach the 2 GB drive
through a hardware write blocker so that Windows cannot write to it while it is imaged.


Label:
Physical drives are listed with their Windows device number.
Logical drives display the drive label (if no label is present then "{no label}" is used). Image
files show the path to the image.
Size:
The size column contains the size of the physical or logical device, or the size of the image
file. Note that the size shown here is usually smaller than the capacity printed on the drive:
manufacturers quote decimal units (1 GB = 1,000,000,000 bytes) while the software reports binary
units (1 GB = 1,073,741,824 bytes), so a drive sold as 2 GB may appear in this screen as roughly
1.86 GB.
FS:
The File-system on the drive, e.g. FAT, NTFS or HFS;
Type:
Describes the way in which the drive is connected to the computer. An image file will show
the type of image (e.g. EnCase or RAW).

Copy a Disk to a Disk

The Copy Disk to Disk Wizard steps you through the process of transferring data from one disk or
partition to another, with an option to resize partitions. Essentially it is like creating a disk image of
one partition or a whole disk and subsequently restoring it to another disk or partition, except that
no intermediate image file is created.


You may use the Copy Disk to Disk Wizard to make a copy of the same configuration from one hard
drive onto multiple other hard drives. For example, you may duplicate a hard drive configuration
over several workstations on a network. If you are trying to recover data from a damaged hard drive
or partition, you may clone the damaged partition to a number of other hard drives in order to
experiment with different data recovery techniques on the copy rather than on the original. For a
forensic disk-to-disk copy the resize option must not be used, the source drive should be attached
through a write blocker, the destination drive should be wiped beforehand and be at least as large as
the source, and both drives should be hashed afterwards to confirm that the copy matches.

To open the Copy Disk to Disk Wizard, do one of the following:

- In the main program window, double-click Copy Disk to Disk.
- From the Tools menu, choose Copy Disk to Disk.

A logical disk, logical volume or virtual disk (VD or vdisk for short) is a virtual device that
provides an area of usable storage capacity on one or more physical disk drives in a computer system.
The disk is described as logical or virtual because it does not actually exist as a single physical entity
in its own right. The goal of the logical disk is to provide software with what seems to be a
contiguous storage area, sparing it the burden of dealing with the intricacies of storing files on
multiple physical units. Most modern operating systems provide some form of logical volume
management. A logical acquisition captures such a volume, or selected files from it, rather than every
sector of the physical drive, so it misses unallocated space and file slack.

A sparse file is a type of computer file that attempts to use file system space more efficiently when
the file itself is mostly empty.

This is achieved by writing brief information (metadata) representing the empty blocks to disk
instead of the actual "empty" space which makes up the block, using less disk space. The full block
size is written to disk as the actual size only when the block contains "real" (non-empty) data.

Sparse file in UNIX - creation. The UNIX command

dd of=sparse-file bs=1M seek=2048 count=0

will create a file of 2 GiB in size, but with no data stored on disk (only metadata). (GNU dd has this
behaviour because it calls ftruncate to set the file size; other implementations may merely create an
empty file.)


Detection

The -s option of the ls command shows the occupied space in blocks.

ls -ls sparse-file

Copying

Normally, the GNU version of cp is good at detecting whether a file is sparse, so

cp sparse-file new-file

creates new-file, which will be sparse. However, GNU cp also has a --sparse=WHEN option. This
is especially useful if a file containing long zero blocks has been saved in a non-sparse way (i.e. the
zero blocks have been written out to disk in full). Disk space can be saved by doing:

cp --sparse=always file1 file1_sparsed

Some cp implementations, like FreeBSD's cp, do not support the --sparse option and will always
expand sparse files. A partially viable alternative on those systems is to use rsync with its own
--sparse option instead of cp. Unfortunately, in older rsync versions --sparse cannot be combined with
--inplace, so syncing huge files across the network will always be wasteful of either network
bandwidth or disk bandwidth.

GNU cp can also read from standard input through /proc/self/fd/0, which lets a stream (for example
the output of dd or a network pipe) be written out as a sparse file:

cp --sparse=always /proc/self/fd/0 new-sparse-file <somefile

A sparse copy is a file-system level optimisation and changes nothing about the content: a sparse
copy of a raw image hashes the same as the fully written one.


3.3. Setting the segment size of the created forensic image file:
This setting enables the forensic image file to be broken into segments of a specific size. Setting an
image segment size is primarily used when the forensic image files will later be stored on fixed-length
media such as CD or DVD.

For the EnCase E01 image format, Forensic Imager uses the EnCase v6 default of 2 GB but is not
limited to a 2 GB segment size. However, if an investigator plans to use larger segments, they
should give consideration to the limitations (RAM etc.) of the systems on which the image files will
be processed.

3.4. Setting the destination path and file name for the image file:
The output file name is the name of the forensic image file that will be written to the investigator's
forensic workstation. Click on the folder icon to browse for the destination folder.

3.5. Calculating an MD5 and/or SHA-256 acquisition hash of the imaged data:
A hash value is a mathematical calculation that is used for identification, verification, and
authentication of file data. A hash calculated by Forensic Imager during the acquisition of a device
(the "acquisition hash") enables the investigator, by recalculating the hash at a later time (the
"verification hash"), to confirm the integrity of the image file, i.e. that the file has not changed.
Any change to the acquired image, even a single bit, will result in a different hash value. MD5 is no
longer collision resistant, so SHA-256 should be recorded as well; where the source can be read again,
the acquisition hash should also be compared with a hash of the source device itself, and both values
written into the chain-of-custody documentation.
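The following Python script, an added example that is not Forensic Imager's code, ties sections 3.3 to 3.5 together: it images a source into fixed-size numbered segments, records MD5 and SHA-256 acquisition hashes as the data is read, compares them with a hash of the source, and then shows that a single flipped bit in one segment makes verification fail. The source is a constructed file standing in for the 2 GB drive (a real acquisition reads the block device through a write blocker); the .001/.002 segment naming, the segment sizes and the file names are assumptions.

```python
"""Disk-to-image acquisition with image segmenting and acquisition/verification
hashes. Added example: this is not Forensic Imager's code. The 'device' is a
constructed file standing in for a 2 GB USB drive (on a real case the source is
the block device, attached through a write blocker); the .001/.002 segment
naming and the segment sizes are assumptions chosen for the demonstration."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read granularity; independent of the segment size


class SegmentWriter:
    """Writes a byte stream into files <prefix>.001, <prefix>.002, ... of at most
    segment_size bytes each, the way split raw / E01 images are segmented."""

    def __init__(self, prefix, segment_size):
        self.prefix, self.segment_size = prefix, segment_size
        self.paths, self.fh, self.in_segment = [], None, 0

    def _open_next(self):
        if self.fh:
            self.fh.close()
        path = "%s.%03d" % (self.prefix, len(self.paths) + 1)
        self.paths.append(path)
        self.fh = open(path, "wb")
        self.in_segment = 0

    def write(self, data):
        while data:  # a chunk may straddle a segment boundary; split it there
            if self.fh is None or self.in_segment == self.segment_size:
                self._open_next()
            room = self.segment_size - self.in_segment
            self.fh.write(data[:room])
            self.in_segment += min(room, len(data))
            data = data[room:]

    def close(self):
        if self.fh:
            self.fh.close()


def hash_file(path):
    """MD5 and SHA-256 of a file, read in chunks (usable on a multi-GB image)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source, dest_prefix, segment_size):
    """Copy `source` into segments and hash the data as it is read; the hashes
    returned are the acquisition hashes that go into the case notes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    writer, total = SegmentWriter(dest_prefix, segment_size), 0
    with open(source, "rb") as src:
        while chunk := src.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
            writer.write(chunk)
            total += len(chunk)
    writer.close()
    return {"segments": writer.paths, "bytes": total,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def segment_sizes(acquisition):
    return [os.path.getsize(p) for p in acquisition["segments"]]


def verify(acquisition):
    """Recompute the verification hash over the segments in order and compare it
    with the acquisition hash; any changed bit in any segment makes this False."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for path in acquisition["segments"]:
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha256.update(chunk)
    return (md5.hexdigest(), sha256.hexdigest()) == (acquisition["md5"], acquisition["sha256"])


def demo(segment_size=256 * 1024):
    """Image a constructed 1 MiB + 3 byte 'device' into 256 KiB segments, verify
    the image, then flip one bit in the last segment and verify again."""
    work = tempfile.mkdtemp(prefix="acq-demo-")
    device = os.path.join(work, "usb_device.bin")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * 4096 + b"\x00\x01\x02")  # constructed content
    acq = acquire(device, os.path.join(work, "case1.raw"), segment_size)
    source_hash = hash_file(device)  # hash of the original, for comparison
    ok_before = verify(acq)
    with open(acq["segments"][-1], "r+b") as fh:  # simulate a damaged/altered image
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0x01]))
    ok_after = verify(acq)
    return {"device": device, "acquisition": acq, "source_hash": source_hash,
            "verified_before_tamper": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    r = demo()
    print("segments:", [os.path.basename(p) for p in r["acquisition"]["segments"]])
    print("sha256  :", r["acquisition"]["sha256"])
    print("verify  :", r["verified_before_tamper"], "-> after tamper:", r["verified_after_tamper"])
```

Hashing the stream as it is read, rather than re-reading the source afterwards, is what makes the acquisition hash an independent record of what the drive contained at the moment of imaging; the separate hash_file() call on the source is the cross-check a practitioner does when the source can safely be read a second time.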

3.6. Report

This guide describes best practices for copying files and investigating a case involving a 2 GB
drive. The three copy options covered above are a disk-to-image acquisition with Forensic Imager
(E01, AFF or raw dd format), a disk-to-disk clone with the Copy Disk to Disk Wizard, and a logical or
sparse copy of selected files or folders; a 2 GB raw image fits on a single DVD or a small USB drive,
and in E01 format it fits in one default segment. The practices include:

- Evaluating the scene.
- Using media storage for the scene.
- Copying the drive accurately.
- Completing and recording the scene investigation.
- Setting the destination path and file name for the image file.
- Setting the segment size of the created forensic image file.
- Calculating an MD5 and/or SHA-256 acquisition hash of the imaged data.


4. Case Project 12-4


Billy Williams at the local city hall contacts your supervisor, Mike Mackenzie, with a complaint of sexual
harassment that involves the city’s e-mail system. You’re assigned to find the suspect and build a case to
terminate the city employee. When interviewing Billy, you discover he was involved with the suspect,
Mary Jane, but ended the relationship against Mary Jane’s wishes. Both he and Mary Jane still work for
the city. Billy has kept several e-mails from Mary Jane and offers them for your review. When you
interview Mary Jane, she denies any wrongdoing and claims she is being set up. After your investigation,
you confirm that the e-mails Billy submitted were falsified and Mary Jane was set up. Write a brief report
on how your investigation would prove Mary Jane’s innocence.

4.1. Project report


Step 1:
In this case Billy Williams contacts the investigator's supervisor with a complaint of sexual
harassment involving the city's e-mail system. I am assigned to find the suspect and build a case to
terminate the guilty city employee.
While interviewing Billy I found that there had been a relationship between Billy and Mary, which he
ended against Mary's wishes.
Billy has complained of sexual harassment by Mary and handed over the e-mails he says he received from
her. When interviewed, Mary Jane stated that she had not sent any such e-mail.
In this situation I examined Billy's computer to establish whether the messages he provided were
genuine or whether he had forged (spoofed) them so that they appeared to have been received from Mary.

Step 2:
Before I work with Mary's messages, I first create written procedures for opening and printing an
e-mail header and message text with a variety of e-mail programs, according to the organization's
laws or policies. These steps help me give consistent instructions and can be useful when training
new investigators.

In this case, I might also have to recover e-mail after a suspect has deleted it and tried to hide it.
Those messages can be recovered with a forensic tool such as AccessData FTK, as described under
Step 5.
Step 3:
Copying an E-mail Message. Before I start an e-mail investigation, I need to copy and print the e-mail
involved in the crime or policy violation. I may also forward the message as an attachment (not
inline, which would replace the original headers with new ones) to another e-mail address, depending on
the organization's guidelines. The following activity shows how to use Outlook 2007 or later, included
with Microsoft Office, to copy an e-mail message to a USB drive. (Depending on the Outlook version
you use, the steps might vary slightly.) A similar procedure can be used to copy messages in other
e-mail programs, such as Outlook Express and Evolution.


If Outlook or Outlook Express is installed on your computer, follow these steps:

1. Insert a USB drive into a USB port.
2. Open Windows Explorer or the Computer window, navigate to the USB drive, and leave this
window open.
3. Start Outlook by clicking Start, pointing to All Programs, pointing to Microsoft Office, and
clicking Microsoft Office Outlook 2007.
4. In the Mail Folders pane (see Figure 12-2), click the folder containing the message you want
to copy. For example, click the Inbox folder. A list of messages in that folder is displayed in
the pane in the middle. Click the message you want to copy.
5. Resize the Outlook window so that you can see the message you want to copy and the USB drive
icon in Windows Explorer or the Computer window.
6. Drag the message from the Outlook window to the USB drive icon in Windows Explorer or the
Computer window. Outlook saves it as a .msg file with its headers intact; record a hash of that file.
7. Click File, Print from the Outlook menu to open the Print dialog box. After printing the e-mail so
that you have a copy to include in your final report, exit Outlook.

Step 4:
This section includes instructions for viewing e-mail headers in a variety of e-mail programs,
including Windows GUI clients, a UNIX command-line e-mail program, and some common Web-based
e-mail providers. After you open the e-mail headers, copy and paste them into a text document so
that you can read them with a text editor, such as Windows Notepad, Linux KEdit or gedit, Pico (used
with UNIX), or Apple TextEdit.

As part of the investigation, I determine an e-mail's origin by examining the header further with
one of many free Internet tools. Determining message origin is referred to as tracing. Received
headers are read from the bottom (the first server to handle the message) upward, and the only line
that can be trusted outright is the one added by the investigator's own mail server; every line below
it could have been written by whoever composed the message. I use Internet lookup tools (whois and
reverse DNS on the addresses in the Received lines) to trace where each e-mail originated and compare
the result with what the message claims. Where the trace of a message that claims to come from Mary's
account does not lead back through Mary's workstation and the city's mail server, the message cannot
have been sent through the city's system, and that is the first indication that Billy's e-mails are
false.
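As an added example of the header analysis described in this step (not from the page, and not the output of any of the lookup tools), the following Python script parses a message's Received chain from the oldest hop upward and reports the contradictions an investigator looks for: an internal sender without an internal server hop, a Message-ID from a foreign domain, and timestamps that run backwards. Both messages, and every host name, address and Message-ID in them, are constructed for the demonstration.

```python
"""Reading an e-mail's Received chain to test whether the message really came
through the organisation's mail system. Added example, not from the page or any
named tool; both messages below are constructed and every host name, address
and Message-ID in them is an assumption for the demonstration."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message that really travelled workstation -> mail server -> mailstore.
GENUINE = b"""Received: from mail.cityhall.example (mail.cityhall.example [10.0.0.5])
    by mailstore.cityhall.example with ESMTP id 1j8Kq2-0003Yx;
    Mon, 2 Mar 2020 09:15:02 -0500
Received: from WS-MJANE.cityhall.example ([10.0.4.17])
    by mail.cityhall.example with ESMTP id 1j8Kq1-0002Gz;
    Mon, 2 Mar 2020 09:15:01 -0500
From: Mary Jane <mjane@cityhall.example>
To: Billy Williams <bwilliams@cityhall.example>
Date: Mon, 2 Mar 2020 09:15:00 -0500
Message-ID: <20200302141500.7F3A@mail.cityhall.example>
Subject: Budget meeting

Reminder: the budget meeting moved to 10:00.
"""

# Constructed forgery: internal sender claimed, but the only hop is an outside relay,
# the Message-ID belongs to another domain and the Date is after the delivery time.
FORGED = b"""Received: from [192.0.2.44] (cpe-192-0-2-44.isp.example [192.0.2.44])
    by smtp.freemail.example with ESMTPA id q1w2e3;
    Sat, 7 Mar 2020 23:41:10 -0500
From: Mary Jane <mjane@cityhall.example>
To: Billy Williams <bwilliams@cityhall.example>
Date: Mon, 9 Mar 2020 08:00:00 -0500
Message-ID: <5e6f7a8b@freemail.example>
Subject: You can't leave me

I won't let you go.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def _timestamp(received):
    """The date after the last ';' of a Received header, or None if unparsable."""
    if ";" not in received:
        return None
    try:
        return parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    except (TypeError, ValueError):
        return None


def received_chain(msg):
    """Hops oldest-first as (from_host, by_host, timestamp). Each server adds its
    Received line on top, so the header order is reversed to follow the path."""
    if isinstance(msg, (bytes, bytearray)):
        msg = parse_message(msg)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        hops.append((m.group("src") if m else "?", m.group("by") if m else "?",
                     _timestamp(text)))
    return hops


def _domain(value):
    addr = parseaddr(value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse(raw, internal_domain):
    """Findings that contradict the message's claimed origin; an empty list means
    the headers are consistent with delivery through internal_domain's servers."""
    msg = parse_message(raw)
    hops = received_chain(msg)
    findings = []

    # 1. A message from an internal sender must carry a Received line stamped by an
    #    internal server; only hops added by servers we control are trustworthy.
    sender_domain = _domain(str(msg["From"] or ""))
    if sender_domain == internal_domain and not any(
            by.lower().endswith(internal_domain) for _, by, _ in hops):
        findings.append("sender claims %s but no Received hop was stamped by a %s server"
                        % (sender_domain, internal_domain))

    # 2. The Message-ID is generated by the submitting server; a mismatch with the
    #    sender's domain is a heuristic warning, not proof on its own.
    msgid_domain = _domain(str(msg["Message-ID"] or ""))
    if sender_domain and msgid_domain and not msgid_domain.endswith(sender_domain):
        findings.append("Message-ID domain %s does not match sender domain %s"
                        % (msgid_domain, sender_domain))

    # 3. Timestamps must run forward along the chain, and the Date header (set by
    #    the sender) cannot be later than the final delivery hop.
    times = [t for _, _, t in hops if t is not None]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps are out of order")
    try:
        sent = parsedate_to_datetime(str(msg["Date"]))
    except (TypeError, ValueError):
        sent = None
    if sent is not None and times and sent > times[-1]:
        findings.append("Date header %s is later than final delivery at %s" % (sent, times[-1]))
    return findings
```

The first finding is the decisive one: the city's mail server stamps its own Received line on every message it handles, so a message in Billy's mailbox that claims to be from Mary's account but carries no such line was never delivered by the city's system, and its Message-ID can be checked against the server logs to confirm that. The other two checks are supporting indicators that strengthen the report but would not prove forgery on their own.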


Step 5:
To gather further evidence that Mary Jane is innocent and that Billy is the suspect, I use specialized
e-mail forensics tools.
I can rely on e-mail message files, e-mail headers, and e-mail server log files. The server logs are the
strongest evidence here: if the city's mail server log has no record of the Message-IDs of the messages
Billy produced, and no message from Mary's mailbox to Billy at the times they show, the messages were
never sent through the city's system. However, when I cannot find an e-mail administrator willing to
help with the investigation, or encounter a highly customized e-mail environment, I use data recovery
tools and forensics tools designed to recover Mary's e-mail files, and I examine Billy's computer for
the messages the falsified copies were built from and for deleted drafts of them.
As technology has progressed in e-mail and other services, so have the tools for recovering information
lost or deleted from a hard drive. I reviewed many data recovery tools, such as ProDiscover Basic and
AccessData FTK, and used them to investigate and recover e-mail files.
Finally, I identified Billy as the person who falsified the messages and proved that Mary Jane was
right: she had been set up.

5. Conclusion
We have discussed how to recover deleted files or data using computer forensics tools, how to
acquire a disk drive of any size using computer forensics imaging tools, and given a brief description
of e-mail investigation under computer forensics.
We saw how e-mail programs on the server interact with e-mail programs on the client, and vice
versa, how to recover deleted e-mail from a client computer regardless of the e-mail program used,
and how to trace an e-mail back to the sender.
