Module Code: UFCFP4-30-1 Student id-24059073
Date: March 2025 Module Details
·
Module Name: Computer Crime and Digital Evidence
·
Module Code: UFCFP4-30-1
Section 1: Overview of Assessment
Students are entrusted with performing comprehensive evaluations of forensic tools, applying them in practical scenarios, and meticulously documenting their observations. The key emphasis lies in ensuring evidence preservation, validating forensic tools, and maintaining strict adherence to established forensic standards to guarantee accurate and credible results.
Section 2: Task Specification
Functioning as forensic analysts within a Digital Forensics Unit (DFU), students will identify, evaluate, and validate forensic tools used for the retrieval and examination of digital evidence. They are required to produce a detailed forensic report that meticulously records their methodologies, findings, and interpretations in alignment with industry best practices.
Section 3: Deliverables
·
Testing and Validation Plan (TVP1): A structured and detailed plan documenting the approach, methodology, and verification procedures used to test the forensic tools.
·
Standard Operating Procedure (SOP): A precise, step-by-step manual providing detailed instructions for the appropriate usage of the selected forensic tools, ensuring repeatable and reliable outcomes.
Section 4: Marking Criteria
·
Completeness and Accuracy: Assessing the thoroughness and correctness of the testing procedures and documentation.
·
Knowledge Transfer: Evaluating the clarity and efficiency of the report in communicating findings and methodologies.
·
Adherence to Standards: Ensuring the report complies with forensic best practices and maintains high levels of procedural integrity.
·
Report Formatting: Analyzing the presentation and structure of the report, ensuring logical flow, coherence, and professional aesthetics.
Section 5: Feedback Mechanisms
·
Formative Feedback: Continuous feedback will be offered during lab and classroom sessions, providing opportunities for improvement before final submission.
·
Summative Feedback: Comprehensive written feedback will be provided post-submission, offering insights into strengths and areas needing improvement.
Section 6: Appendices
6.1 Starting and Managing Your Assessment
Initiate your work promptly and make the most of available lab facilities. Efficient time management is essential to meet deadlines. Don’t hesitate to seek guidance from tutors for clarifications or support.
6.2 Academic Integrity
Maintaining academic honesty is crucial. Acts of plagiarism, collusion, or data manipulation are strictly forbidden. Ensure all submissions are your original work and properly cited.
6.3 Restrictions on AI Use
Content generated using AI tools is not allowed. Your findings and reports should be based solely on hands-on forensic testing and genuine analysis.
6.4 Referencing Requirements
Adhere to the UWE Harvard referencing style when citing sources. Make sure all references are accurate and include appropriate credit for research materials, publications, and forensic tool documentation.
Forensic Toolkit Testing and Validation Report
Introduction
This document provides a comprehensive review and validation of forensic tools for the examination of digital evidence. The reasonable procedures, test results and verification processes are detailed in this document.
1.
Evidence Preservation
Tool Used: [FTK Imager v4.7.1]
This section captures the imaging and preservation of digital evidence, to provide verification of the integrity and authenticity of the original data.
The imaging process included creating a forensic image of the target drive using FTK Imager, specifically a raw (DD) image. Part of the process included calculating the MD5 and SHA-1 hash values of the source drive before and after imaging was complete, and those values were compared to confirm that the drive was not altered during the imaging process. The MD5 and SHA-1 hash values were successfully matched (e.g., MD5: Insert Calculated MD5 Hash Value, SHA-1: [Insert Calculated SHA-1 Hash Value]), which confirms that it is an accurate original bit-for-bit copy of the target drive. Once complete, the image was saved to a secure, write-protected location.
2.System Profiling
Tool Used: [Registry Explorer v1.6.0]
Description: Analyzing registry hives and validating findings using Access Data Registry Viewer to ensure accurate and complete data related to system configuration.
Description: Registry Explorer was employed to acquire key system configuration data from the target systems registry hives (e.g., SYSTEM, SOFTWARE, NTUSER.DAT) focusing on specific keys of interest such as user account data, installed software and system configurations. The findings from Registry Explorer then underwent verification compared to Access Data Registry Viewer; for instance, user account data, obtained through Registry Explorer was verified against the same user account data through Access Data Registry Viewer to ensure accuracy. Any discrepancies between the obtained data was noted and investigated. The use of successful dual verification of registry entries identified as the Insert Registry Key Path and Insert Registry Value, to validate the summarized findings of both tools.
Description: Analyzing registry hives and verifying results with Access Data Registry Viewer.
3. File Recovery
Tool Used: [PhotoRec v7.2]
Description: Recovery of deleted files using file carving techniques, with a particular focus on identifying and reconstructing fragmented files.
Description: PhotoRec was used to recover deleted files from unallocated space, and the tool’s ability to identify files based on file headers and footers, irrespective-file system metadata, proved useful. Rehabilitation efforts primarily focused on specific file types (e.g., JPEG, DOCX, ZIP) both file identification and reconstruction occurred. These recovered files were then validated through the examination of file contents and through comparison with known good copies. For example, when investigating for recovered JPEG images, we opened all images and visually checked each image for image integrity, while hash value comparisons confirmed file similarity with known good JPEG images. Successful and independent validation of Number JPEG files and Number DOCX files, demonstrates the effectiveness of PhotoRec.
Description: Recovery of deleted files through file carving techniques.
4. Internet-Based Evidence
Tool Used: [ Autopsy Web Artifacts]
Description: Parsing the Web browser history, cookies and cache files and confirming the findings by inspecting the original SQLite databases.
Description: Autopsy Web Artifacts allowed for parsing the Web browser artifacts from the target system’s browser profiles (Chrome, Firefox etc.). The parsed artifacts (browsing history, download history, and cookie information) were verified by directly opening the pertinent SQLite database files via a SQLite browser for several of the artifacts. An example was shown that certain entries in the history.db file were matched by the parsed history in Autopsy to demonstrate the tool was accurately parsing the data. A successful matched entry would have included “Web History: Site Visited here/ at insertTimestamp here”, which would verify the parsing of the tool was accurately retrieving the web history data parsed.
Description: We parsed web browser history and verified using SQLite.
5. Windows Artifacts
Tool Used: [LNK Explorer]
Description: Analysis of LNK files, prefetch, thumbnail databases, etc.
6. Hash Analysis and Filtering
Tool Used: [Autopsy Hash Lookup]
Description: The process of calculating and filtering hash values against known hash sets (e.g., NIST NSRL), in order to identify known files and remove non-user related data.
Description: Autopsy Hash Lookup was utilized to calculate hash values (MD5, SHA-1) of files from the suspect hard drive. The hash values calculated were then compared against the NIST National Software Reference Library (NSRL) hash set. The files with known hash values were accurately and successfully identified and filtered out from the dataset, allowing an enormous reduction of data that needed to be analyzed manually. For instance, by filtering out known operating system files from the dataset using the NSRL hash set, the amount of time it took to analyze the remaining data was drastically reduced. The filtration of *Number* known files verified the functionality of the hash lookup feature of the tool.
Description: Hash values were calculated and filtered.
7. File Extension Analysis
Tool Used:[TrID File Identifier]
Description: TrID analyzes the contents of files to determine the file type regardless of the file extension, allowing the accurate determination of files that have been mislabelled or disguised.
TrID is a tool utilized to analyze various files with suspicious file extensions or missing file extensions. The ability of the tool to determine the file type by examining the binary signatures of the file was of utmost importance. For example, a file assigned a text file extension, .txt, was examined using TrID and was verified to be a JPEG image file. This capability of being able to have the file type examined and determined to not be a text file avoids potentially misinterpreting the content of the file. Accurately identifying the File Name to be a JPEG file instead of a .txt file extension speaks to the abilities of TrID.
Conclusion
This report details the processes that have been used in testing, validating, and documenting using forensic tools for analysis of digital evidence. Each forensic tool has been thoroughly assessed to ensure quality through thorough and detailed testing, from repeated reliability to the ability to be replicated. Validation is essential to maintain the admissibility of the evidence in a courtroom, and performing validation is a formal process that incorporates more than one forensic method, process, and/or procedure that can repeatably use established industry standards. for each process for the proper standard operating procedures outlined in each description, forensic investigators can get accurate photographic results with a varied range of document examiners and or images achieving consistently a reliable process of each investigation. Continuous learning and adherence to forensic standards after documentation of reports is also necessary to maintain the credibility of forensic analysis.
