
Recover OPM deleted files using Prodiscover 2018-19

Criminal story:

The Office of Personnel Management, OPM for short, can be considered the US
government's HR department. Among other things, it keeps records of employees' personal
information, such as height, weight, hair and eye color.

The OPM got hacked, and the information of 22 million government employees
leaked, most likely into the hands of a foreign government. The information related to
the employees was also deleted, which is a great loss, and collecting the data again from each
employee is time consuming. This problem can be solved by recovering the deleted data using
ProDiscover Basic.

Dept. of IS & E, NIE, Mysuru 1



Chapter 1:

INTRODUCTION

ProDiscover Incident Response is a powerful information security tool that enables
computer forensics professionals to find all of the digital information on a computer disk,
protect digital evidence, and produce good evidentiary reports for use in legal
proceedings.
ProDiscover Incident Response allows the investigation of digital information without
altering valuable metadata such as the last-accessed time. It can recover deleted files from the
HDD, investigate slack space, analyze Windows Alternate Data Streams, and dynamically
preview, search and acquire the Hardware Protected Area (HPA)
of the disk. It is very difficult to hide data from ProDiscover Incident Response because it
reads the disk at the sector and cluster level.

ProDiscover Incident Response allows a forensic search through the entire disk for
keywords, regular expressions and phrases, with full Boolean search capability, to find
the necessary digital information stored on a digital device. The hash comparison feature
can be used to find known illegal files or known-good files, e.g. standard operating system
files, by utilizing the included Hashkeeper database from external sources. ProDiscover
Incident Response has a strong forensic search capability and is very fast and flexible,
allowing a keyword search for words or phrases anywhere on the disk, including the
slack space.
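
The difference between a file-level search and a sector-level search that includes slack space, as an added example (not code from ProDiscover or from the original report). The 4-sector cluster size, the toy allocation table and the sample record are assumptions constructed for the illustration.

```python
import re

SECTOR = 512
CLUSTER = 4 * SECTOR  # assumed cluster size of 4 sectors

def build_image():
    """Constructed 3-cluster image: cluster 1 held an older, longer file and was
    reused by a shorter one, so the old tail survives in the slack space."""
    image = bytearray(3 * CLUSTER)
    old = b"A" * 900 + b"record EMP-00042 (constructed sample)"
    new = b"quarterly report, nothing sensitive here"
    image[CLUSTER:CLUSTER + len(old)] = old
    image[CLUSTER:CLUSTER + len(new)] = new  # new file overwrites only the start
    files = {"report.txt": (1, len(new))}    # name -> (cluster, logical size)
    return bytes(image), files

def logical_search(image, files, pattern):
    """File-level search: sees only the logical bytes of each allocated file."""
    hits = []
    for name, (cluster, size) in files.items():
        start = cluster * CLUSTER
        if re.search(pattern, image[start:start + size]):
            hits.append(name)
    return hits

def locate(offset, files):
    """Classify a byte offset (toy model: every file fits in one cluster)."""
    for name, (cluster, size) in files.items():
        start = cluster * CLUSTER
        if start <= offset < start + size:
            return "file:" + name
        if start + size <= offset < start + CLUSTER:
            return "slack:" + name
    return "unallocated"

def raw_search(image, files, pattern):
    """Sector-level search: scans every byte of the image, slack included."""
    return [(m.start(), m.start() // SECTOR, locate(m.start(), files))
            for m in re.finditer(pattern, image)]

if __name__ == "__main__":
    image, files = build_image()
    pattern = rb"EMP-\d{5}"
    print("file-level hits:", logical_search(image, files, pattern))
    for offset, sector, region in raw_search(image, files, pattern):
        print(f"raw hit at byte {offset} (sector {sector}) in {region}")
```

The file-level search reports nothing, while the raw scan finds the old record in the slack of report.txt and gives the sector an examiner would inspect.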


Chapter 2:
FEATURES OF PRODISCOVER

• Search for keywords of interest in the case


• Finds Open/Connected IP Ports…
• The ability to image and conduct Live analysis of disks over any high speed TCP/IP
network
• Restore image files to disk
• Search and analyze media from all of the different file systems simultaneously,
including FAT12, FAT16, FAT32, exFAT, all NTFS versions, CDFS, Linux
Ext2/3/4, Sun Solaris UFS, and Mac OS X HFS+
• Supports non-destructive direct disk analysis. Analysis is completely non-destructive
and does not modify evidence in any way.
• Recover deleted files contained in slack space
• Report generation for all the activities on system.


Chapter 3:

3.1 Creating a New Project


1. Start ProDiscover.
2. ProDiscover presents the launch dialog.
3. Enter a project number, project name, and description of the project in the new project tab
option, and then click the Open button.
4. ProDiscover will then create a project and generate a template report in the work area.


3.2 Save a Project

1. Select the Save Project option from the File menu or button bar.
2. ProDiscover presents the file Save As dialog if the current project has not yet been saved;
otherwise the current project file will be updated without further action.
3. Select the project file to open and click the Open button.
4. ProDiscover opens the project file and generates a template report in the work area.
5. Select the Add Disk option from the action menu, or tree-view.


Chapter 4:
Recover Deleted Files

1. Ensure the desired evidence disk is connected to the ProDiscover system.


2. Select the "Content View | Disk, or Image" option from the Menu or tree-view.
➢ Right-click on the image file and click on "Add."

3. ProDiscover displays a list of drives, or images available to the system.


4. Select the desired disk, or image and navigate to the desired volume.


5. ProDiscover displays the contents of the disk.


6. Select a file to recover from the work area.

7. ProDiscover displays the contents of the selected file at the bottom of the main window.
➢ Files that have been deleted or erased are shown with a red X.
8. Right-click on the file that you want to create a copy of.
9. ProDiscover displays a pop-up dialog with the choice to View or Recover the selected file. Select
Copy File.
10. Enter the desired location and file name to save the file as in the "Save As" dialog box
that appears and click "Save".
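
Why a deleted file can still be listed and copied out, shown on a FAT volume as an added example (this is the general FAT on-disk convention, not ProDiscover's own code and not part of the original report). Deleting a file on FAT marks its directory entry by setting the first name byte to 0xE5; the directory bytes and file names below are constructed sample data.

```python
import struct

ENTRY_SIZE = 32      # one FAT directory entry
DELETED = 0xE5       # first name byte of an entry whose file was deleted
LFN_ATTR = 0x0F      # attribute value of long-file-name entries

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed 8.3 directory entry (sample data, not a real disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                           # ARCHIVE attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # high word (FAT32)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)                    # size in bytes
    if deleted:
        raw[0] = DELETED   # the entry is marked as deleted, not erased
    return bytes(raw)

def list_entries(directory):
    """Parse raw directory bytes and flag the entries marked as deleted."""
    entries = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:          # no further entries in this directory
            break
        if e[11] == LFN_ATTR:     # skip long-file-name entries in this sketch
            continue
        deleted = e[0] == DELETED
        first = "?" if deleted else chr(e[0])   # first character is lost on delete
        stem = (first + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": stem + "." + ext if ext else stem,
                        "deleted": deleted,
                        "first_cluster": (hi << 16) | lo,
                        "size": size})
    return entries

SAMPLE_DIR = (make_entry("STAFF", "CSV", 5, 1200)
              + make_entry("PAYROLL", "XLS", 9, 40960, deleted=True)
              + bytes(ENTRY_SIZE))   # constructed directory, zero entry ends it

if __name__ == "__main__":
    for entry in list_entries(SAMPLE_DIR):
        print(entry)
```

The start cluster and size that remain in the marked entry are what a recovery step reads from, and the copy is only complete if those clusters have not been reused since the deletion.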


Chapter 5:
Advantages and Disadvantages

Advantages of ProDiscover
• Provide compressed or uncompressed image files
• No size restriction for disk-to-image files
• Provide space in the image file or segmented files for metadata
• Simple design with extensibility
• Internal consistency checks for self-authentication

Disadvantages of ProDiscover
• Inability to share an image between different tools
• File size limitation for each segmented volume


Chapter 6
CONCLUSION

1. Digital forensics is important for solving crimes committed with digital devices, against
digital devices, and against people where evidence may reside in a device.
2. Several sound tools and techniques exist to search and analyze digital data.
3. Regardless of existing tools, the evolving digital age and the development of technology
require heavier research in digital forensics.
To solve the OPM-related problem, the recovery of the deleted employee data
can be done efficiently and in less time using ProDiscover Basic.
This tool gives a general idea of how to create a disk image file, hash the file,
write-block the file, and perform a first-level analysis of the disk image in a Windows
environment. This is the basis of any digital forensics investigation. Knowing these basics
will enable you to focus on learning more involved and advanced aspects of digital forensics.


