MBIS5005 Cyber Intelligence Report 3 Sample

Overview

Assume a USB drive has been found on the company's work site, although no employee is supposed to carry a pen drive. Employees are allowed to use only company-supplied USB drives. The manager suspects that some crucial information has been leaked or illegally downloaded. The USB contains different types of files, including Excel files, image files of various formats, Word documents and a few text files. Your manager assigns you the role of investigating and producing a forensics report based on your investigation. As part of the investigation, you will work in two phases, Phase A and Phase B, which are described below:

Phase A

In this phase, you are required to research the current computer forensics tools that can be used for this kind of case study. Prepare a report containing the following information for each tool and state which one you would prefer to use:

• Forensics vendors name

• Tool name and latest version number

• Features of the product

• Pros and cons of the products

Phase B

In this phase, based on the research conducted in Phase A, install two forensics tools on your machine and compare the outcomes at the various phases. The detailed plan and steps of the work are as follows:

Data Formulation

Get a USB drive of your own, approximately 8 to 16 GB, and follow these steps:

1. Create six files of the given types (PDF, Excel and Word documents). Name these files using a proper convention such as groupnumber_unitcode_AssessmentNo_*, where “*” depends on the file type. Furthermore, change the attributes of these files so that the metadata records your group number as the author, an organization name (any preferred name; could be AIH), a computer name based on your terminal name, the date/time created, and a comment such as “created for Assessment3”.

2. Modify the extension of one of the Word (.doc) files to .jpeg.

3. Then delete three files, one of each type, including the file whose extension you modified.

4. Take the necessary screenshots of each step to be included in your report.

Part 1: Data Acquisition

1. Using the installed tools, prepare a forensic image (bit-stream copy) that records the deleted data.

2. Include the screenshots of each step in the report.

3. Use this image to carry out the next part of the activities.

4. In your report, cover the challenges in making a successful acquisition, and which image formats are relevant to use and why.

5. Describe steps required for search and seizure.

Part 2: Data Recovery

As part of data recovery, consider the scenario where three image files on the USB have been deleted.

1. Recover the deleted images and explain the method based on the tool you use.

2. Provide sufficient screenshots.

3. In addition, recover the data from the Recycle Bin and explain the procedure with screenshots. Recover the metadata of these files.

Part 3: Data Analysis

1. Use a hex editor and inspect all the files.

2. Check whether there are any hidden files.

3. Take the necessary screenshots of your working method.

4. Discuss the tools that can be used for analysing the deleted files.

5. Would you do any Windows registry analysis? Why?

Part 4: Data Validation

1. Discuss different methods of data validation.

2. Use one of the methods to validate the data on your USB.

3. How do you verify a file extension? Remember that you modified a file extension.

4. Validate and use screenshots to prove the file extension alteration.

Solution

Introduction:

The aim of this report is to perform a digital forensics investigation of the USB drive. Preliminary findings suggested that some documents contained proprietary information, employee records and confidential information about projects (Saleh et al., 2021). The situation carried risks from competitors and regulatory scrutiny and demanded immediate action. The recommendations arising from the findings comprised changes to the data security policies, with stricter access controls over sensitive information, training of staff on the data protection policies, and the adoption of stronger encryption technologies for stored data. Further recommendations comprised a review of the existing and previous usage policies covering USB devices, so that unauthorized devices cannot simply be connected to company systems and cause such incidents in future. Overall, the incident shows that sound data management practices with strong security controls must be vigilantly maintained to prevent unauthorized access and breaches of sensitive information.

Phase A:

It all started when a USB drive was found in a common area of the company site. This prompted an immediate reaction from management, because the organization has a strict policy prohibiting the use of non-company-issued USB devices. The policy was drafted to protect sensitive information and prevent unauthorized access to crucial data. That is why, as soon as the manager heard that a USB drive had been found on the company site, he decided to investigate, suspecting that some sensitive information might have been leaked. The USB drive was collected and taken for analysis. Preliminary inspection indicated a leakage incident (Rizal et al., 2020). Every kind of file type was present on the drive, including Excel sheets, Word documents, photographs and text files, which raised the alarm of unauthorized access or extraction of data. The manager's fears were realized when an initial review showed that some files, including financial reports, employee details and strategic plans, contained sensitive information about the firm. Given how serious this development is, the critical points are to identify where this USB drive originated, what data it holds, and whether that data has been illegally accessed. The incident shows how weak current handling practices are compared with the requirements for safeguarding data.

There were also Word documents that appeared to be drafts of internal reports, containing employee evaluations and project outlines with proprietary information. The USB drive also contained a directory full of photographs, some of them taken during company events and presentations. Although they did not seem sensitive on their face, some pictures may relate to internal branding policy and marketing promotions, which would be valuable to competitors. Text files containing speech snippets and memo points were also present; these were rather sensitive, amounting to leaks of confidential discussions. In addition, forensic software tools were used to conduct a comprehensive analysis of the USB drive and obtain file metadata: creation dates, modification dates, and the identities of users who can be traced as having accessed or modified the documents. This information is critical for identifying possible sources of the breach and whether information has been accessed by unauthorized users. The findings obtained from the USB drive therefore point to a serious danger to the security of the company's data and a sharp need for a thorough investigation to prevent such an incident in future.

For the analysis, FTK Imager and WinHex will be used. The forensic analysis of the USB drive was carried out meticulously and in a coordinated manner to ensure the integrity of the evidence and the accuracy of the results. The USB drive was sealed in an environment where its data could not be altered or lost. Connecting the USB drive for the first time through a write-blocker device prevented alteration of the data during the examination. A bit-by-bit clone was taken with the forensic imaging software immediately after acquisition (Makura et al., 2020).

1. FTK (Forensic Toolkit)

• Developer: AccessData

• Purpose: Comprehensive forensic investigation tool primarily used for disk imaging, file analysis, and email parsing.

• Key Features:

o Disk Imaging and Analysis: Supports full-disk forensic imaging and analysis of various file systems (FAT, NTFS, EXT, etc.).

o Registry Analysis: Provides in-depth registry analysis to investigate user activities and system modifications.

o Memory Forensics: Capable of analyzing RAM captures for malware detection and user session activity.

• Latest Version: 7.6.0 (as of 2023)

2. WinHex

• Developer: X-Ways Software Technology

• Purpose: Hex editor and disk editor widely used for manual forensic analysis and low-level data recovery.

• Key Features:

o Hexadecimal Editing: Allows viewing and editing raw data in hexadecimal format, which is critical for investigating hidden or corrupted data.

o File Recovery: Recovers lost, deleted, or corrupt files through sector-level analysis and data carving based on file headers.

o RAM Forensics: Analyzes and edits the contents of memory dumps to investigate system processes, running applications, and malware presence.

o Data Interpretation: Interprets and displays file formats, structures, and file system parameters for FAT, NTFS, and other file systems.

• Latest Version: 20.5

This was to ensure that the investigation team worked with a clone rather than the original evidence, which could be retained and preserved for future reference. In a forensic investigation, one must make sure that the chain of custody remains intact and that the original information stored on the device is not altered. The advanced forensic tools applied in the analysis include software such as EnCase and FTK Imager. Such software was useful for thorough extraction and recovery of data: EnCase allows detailed analysis of files, including extraction of metadata and searches for specified file types, whereas FTK Imager allows data to be viewed and file systems examined, which makes it easier to determine what is on the USB drive. The analysis was based on a detailed investigation of the different types of files found on the USB drive: Excel files, Word documents, images and text files. The collection of sensitive data by the forensic tool provided an opportunity for metadata analysis, including creation dates, modification logs and user access logs. This information was fundamental for making sense of the context of each file and for noticing any breach of data security. The entire process was documented in terms of every step followed, the instruments applied and the observations made (Rudrakar and Rughani, 2022). Such documentation is critical for establishing the reliability of the investigation and provides an accurate account of the analytical steps taken, which is informative for any legal or administrative consequences that might result from the event.

Phase B:

The primary purpose of the investigation of the USB drive is to determine whether classified company information was leaked and exactly where the leakage took place. This kind of investigation involves a substantial analysis of which types of files the USB drive carries and how sensitive they are, which gives an idea of the consequences of leaking those files. One of the main objectives is to establish clearly how the USB device came onto company premises. Towards this goal, one would look to discover whether some individual accessed or interacted with the device before it was found (Seufitelli et al., 2022). This would help to determine whether the event arose from negligence, malice or a mix of both. Secondly, the investigation will help to evaluate the data protection policies and procedures currently in place. This would pinpoint loopholes or weak areas in the present policies and procedures, and result in focused recommendations to fortify the company's data protection planning. For instance, controls over USB ports should be tightened, training on data security policies should be enhanced, and employees should be reminded of the existing policies. In a nutshell, the investigation would ensure that adequate measures are taken so that a similar breach does not occur in future.

Data Acquisition:

For the data acquisition of the USB drive, I structured the process to ensure the integrity and reliability of the evidence during its acquisition. First, I placed the USB drive in a locked room. In that room, a write-blocker device was used so that no accidental changes could be made to the data while it was being acquired. A write-blocker provides only read access to the USB drive, a standard precaution in forensic investigations to avoid compromising evidence. After mounting the drive through the write-blocker, forensic imaging software, FTK Imager in this case, was used to create a bit-for-bit copy of the USB drive. Notably, a forensic image captures everything, including deleted files and unallocated space, so nothing goes unrecorded. The imaging tool computed a hash value of the original USB drive and created the image. That gives the team a basis on which to confirm whether the forensic image is identical to the original. Despite following best practice throughout the acquisition process, it was not without problems (Khan et al., 2021). One was the ever-present risk of malware on the USB drive, which meant it could not simply be used on the forensic workstations. That risk was mitigated by conducting all acquisitions on an isolated network without any external connections. Another problem was that many of the files were encrypted, which made recovery and analysis more complicated.

Data recovery and acquisition using FTK:

Preservation of data, which ensures that the integrity and authenticity of digital evidence are maintained, is a demanding aspect of digital forensics. Secondary data drawn from numerous digital forensics standards, reports and case studies have been used to explore the preservation methods applied in forensic investigations.

The creation of a forensic image, a bit-by-bit copy of the original data, is one of the key data preservation techniques. The original evidence is not changed, because investigators work only on the image, which this method guarantees. The process is accompanied by the calculation of cryptographic hash values (e.g., MD5, SHA-1) to verify that the copied data remains unchanged and to certify its integrity (Protzenko et al. 2020).

Fig 2: Data Prevention Methods
(Source: https://iwmcybersec.com/cyber-forensic-investigation/)
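
The hash verification described above, as an added example that is not part of the original report or of FTK Imager: the digests computed when the image is acquired are recorded, and the working copy is re-hashed before analysis. The constant ORIGINAL_MEDIA is a constructed stand-in for the image bytes; the function names are this example's own.

```python
import hashlib

# Constructed stand-in for the acquired media. In a real case this would be the
# bit-for-bit image written by the imaging tool (a raw .dd or an .E01 file);
# here 16 KiB of synthetic bytes play that role.
ORIGINAL_MEDIA = bytes(range(256)) * 64


def acquisition_hashes(data: bytes) -> dict:
    """Compute the digests recorded on the acquisition form for the original media.

    Two independent algorithms are recorded so that a weakness in one (MD5 is
    no longer collision resistant) does not undermine the verification.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_stream(chunks) -> dict:
    """Hash an image incrementally from an iterable of byte chunks.

    A multi-gigabyte image should never be read into memory at once; feeding
    chunks (for example from iter(lambda: f.read(1 << 20), b"")) yields the
    same digests as hashing the whole buffer.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(working_copy: bytes, recorded: dict) -> bool:
    """Return True only if every recorded digest matches the working copy.

    Any mismatch means the copy cannot be relied on as evidence: either the
    image was altered after acquisition or the acquisition itself was faulty.
    """
    current = acquisition_hashes(working_copy)
    return all(current[alg] == recorded[alg] for alg in recorded)


if __name__ == "__main__":
    record = acquisition_hashes(ORIGINAL_MEDIA)
    print("acquisition record:", record)
    print("untouched copy verifies:", verify_image(ORIGINAL_MEDIA, record))
    tampered = bytearray(ORIGINAL_MEDIA)
    tampered[4096] ^= 0x01          # flip a single bit somewhere in the copy
    print("tampered copy verifies:", verify_image(bytes(tampered), record))
```

Recording two digests is what most acquisition forms ask for; the streaming variant is the one to use on a real image, because it produces the same values as hashing the full buffer while keeping memory flat.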

Another method is the use of write-blocking devices, which prevent any change to the storage media while the data is being retrieved. These devices are essential in safeguarding the original evidence against accidental or intentional changes during data extraction.

The use of chain-of-custody documentation has also been a fundamental feature of data preservation. A detailed log of who has handled the evidence, when, and under what conditions sustains accountability and certifies the admissibility of the evidence in legal proceedings. Finally, secure packaging of both the original media and the forensic images is essential. Through this process, forensic investigators sustain the integrity of digital evidence so that the analysis is both legally admissible and dependable. The efficacy of these preservation techniques in practice can be supported by secondary data from forensic standards and real-world case studies.

Disk creation using FTK:

The screenshot shows a file explorer window in a forensic tool. The window lists files on a drive named "USB Drive (F:)". The files are mostly PDF documents and file slack. The user is prompted to select a destination folder for copying the files.

Data Recovery:

Data recovery employed various recovery methods to reconstruct files found to be lost, working from the forensic image of the USB drive. Deleting a file frequently leaves residue on the storage media until it is overwritten. Consequently, data recovery tools were applied to scan the forensic image of the USB drive for recoverable data. Among the techniques deployed were powerful digital tools such as EnCase, which enabled recovery of deleted files by scouring the slack space in the file system and the unallocated clusters. Analysing these areas gave a good chance of detecting remnants of deleted items, including documents, images and many other file types (Al-Dhaqm et al., 2020). This is critical because information believed to be lost may reappear, giving a better view of what the USB drive contained. Another technique employed was file carving. This procedure searches the raw copy of the USB image for known file signatures. It works quite effectively for recovering files even when no matching entries remain in the file system. The file system may even still show the deleted files, as they are not necessarily removed from it entirely. Through this process, several extremely important documents that had been deleted before the incident were recovered and are expected to be confidential.
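
File carving as described in the paragraph above, as an added example that is not the report's own work nor EnCase's implementation: the scan walks the raw image bytes for known headers and cuts each object at its footer, without consulting the file system. The image RAW_IMAGE is constructed here (zeroed unallocated space with a JPEG, a PDF and a JPEG whose trailer has been overwritten), and the signature table, size limit and function names are this example's own choices.

```python
# Signature table: header bytes, footer bytes, and how many bytes follow the
# footer before the object really ends (PNG's IEND chunk carries a 4-byte CRC).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
    "pdf": (b"%PDF-", b"%%EOF", 0),
}

MAX_CARVE = 4096   # upper bound on one carved object; real tools use larger limits

# Constructed raw image: unallocated space is zero-filled, and three objects sit
# in it with no directory entries pointing at them.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 40 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
PARTIAL_JPEG = b"\xff\xd8\xff\xe1" + b"\x42" * 30      # trailer already overwritten
RAW_IMAGE = (b"\x00" * 512 + FAKE_JPEG + b"\x00" * 200 + FAKE_PDF
             + b"\x00" * 300 + PARTIAL_JPEG + b"\x00" * 100)


def carve(image: bytes, max_size: int = MAX_CARVE) -> list:
    """Scan raw image bytes for known headers and carve each object to its footer.

    The scan ignores the file system entirely, so it finds files whose directory
    entries are gone, as long as their clusters have not been overwritten. An
    object whose footer cannot be found within max_size bytes (partly
    overwritten) is returned with truncated=True and cut at max_size, which is
    how a carving tool reports a partial hit.
    """
    hits = []
    for kind, (header, footer, trailer_len) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            footer_pos = image.find(footer, start + len(header), limit)
            if footer_pos == -1:
                end, truncated = limit, True
            else:
                end = min(footer_pos + len(footer) + trailer_len, len(image))
                truncated = False
            hits.append({"type": kind, "offset": start, "truncated": truncated,
                         "data": image[start:end]})
            # After a complete object resume after its footer; after a partial
            # one resume just past the header so a later header is not skipped.
            start = image.find(header, end if not truncated else start + len(header))
    return sorted(hits, key=lambda hit: hit["offset"])


if __name__ == "__main__":
    for hit in carve(RAW_IMAGE):
        state = "partial" if hit["truncated"] else "complete"
        print(f"{hit['type']:5} at offset {hit['offset']:6d}: {len(hit['data'])} bytes ({state})")
```

Header-and-footer carving is the simplest carving strategy; it recovers contiguous files well and is exactly what fails when a file is fragmented or its tail has been reused, which is why the partial hit is reported rather than silently dropped.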

Data acquisition is the critical stage of a digital forensics investigation in which digital evidence is collected for subsequent analysis. Several methods of data acquisition are employed, depending on the nature of the case and the devices involved: live data acquisition, static data acquisition and network-based acquisition. Live data acquisition refers to the collection of data from a running system.

Volatile data, such as RAM contents, running processes and network connections, is vital to the investigation and would otherwise be lost when the system is shut down or restarted; this technique ensures that such data is preserved.

Static data acquisition, in contrast, captures data from powered-down storage devices such as hard drives or USB drives. Investigators use tools such as FTK Imager or EnCase to create a forensic image of the storage device and then perform further analysis on the bit-for-bit copy rather than the original, preserving its integrity. Network-based acquisition collects data directly from network traffic. It involves the collection of logs, packet captures or live network traffic, and is typically used in cases of cyberattacks or malware to trace unauthorized access or malicious activities.

For this investigation, secondary data was used in place of fresh acquisitions: previously collected datasets from public sources, including packet captures and forensic images made available by research institutions and industry databases (Joy 2021). These secondary data sources provide a foundation for practical forensic analysis aligned with recognized methodologies, simulating real-world situations without breaching ethical rules or compromising confidentiality. This approach helps in understanding the efficiency of the various acquisition techniques in capturing vital digital evidence for the investigation.

Data analysis with Hex editor:

The screenshot shows a file explorer window displaying the contents of a drive named "Drive F". The window lists various files and folders, including documents, images, and system files. The file system is FAT32, and the drive is almost full.

Data Analysis:

The recovered files were also examined using a hex editor, that is, a specialized utility for viewing the raw binary content of files. Such an analysis gave the investigator access to detailed information about each file's contents as well as potentially hidden information not retrievable through conventional means. By studying the hexadecimal representation of the files, the team can identify patterns: although metadata may be embedded, it might also be possible to recover fragments of data that give context about file creation and last modification (Lutta et al., 2021). Much of the focus in this analysis was on invisible files, which often carry important information that is not normally seen through ordinary file browsing. This included system-related data, temporary files and user-specific settings that may shed light on malicious activity. Indeed, the hex editor made it possible for the team to come across many previously overlooked documents and proof of user interaction with sensitive data. The inquiry also involved examination of the registry, which helps to establish the usage patterns and history of the USB drive on the host systems. Analysis of Windows registry entries enabled the team to establish when the USB drive was last connected, what files were accessed, and other activities associated with the device.
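
What a hex editor actually shows in the directory region of a FAT32 volume (the file system of the drive in the screenshot), as an added example that is not part of the original report or of WinHex: each 32-byte short directory entry is decoded, and a deleted entry is seen to keep its starting cluster and size with only the first name byte replaced by 0xE5. The directory bytes SAMPLE_DIRECTORY are constructed here, and the helper names are this example's own.

```python
import struct

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F    # VFAT long-file-name fragment, not a file of its own
DELETED_MARKER = 0xE5    # first name byte after deletion; the rest survives


def make_entry(name_8_3: str, attr: int, first_cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build a constructed 32-byte FAT short directory entry (demo data only)."""
    if len(name_8_3) != 11:
        raise ValueError("short names are 8 base + 3 extension chars, space padded")
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name_8_3.encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # first cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # first cluster, low word
    struct.pack_into("<I", raw, 28, size)                    # file size in bytes
    if deleted:
        raw[0] = DELETED_MARKER   # deletion overwrites only this one byte
    return bytes(raw)


def make_lfn_fragment() -> bytes:
    """A placeholder long-name entry; parse_directory must skip these."""
    raw = bytearray(ENTRY_SIZE)
    raw[0] = 0x41                 # sequence number 1 with the last-entry flag
    raw[11] = ATTR_LONG_NAME
    return bytes(raw)


# Constructed directory region, as a hex editor would present it: two live
# files, one deleted spreadsheet, one long-name fragment, end-of-directory marker.
SAMPLE_DIRECTORY = (
    make_entry("REPORT  DOC", 0x20, 5, 10240)
    + make_entry("BUDGET  XLS", 0x20, 12, 4096, deleted=True)
    + make_lfn_fragment()
    + make_entry("PHOTO   JPG", 0x20, 20, 65536)
    + bytes(ENTRY_SIZE)           # first byte 0x00: no entries beyond this point
)


def parse_directory(region: bytes) -> list:
    """Walk the 32-byte entries and report live and deleted files alike."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        first = raw[0]
        if first == 0x00:
            break                       # end of directory
        attr = raw[11]
        if attr == ATTR_LONG_NAME:
            continue                    # long-name fragment, carries no cluster/size
        deleted = first == DELETED_MARKER
        base = raw[1:8].decode("ascii", "replace").rstrip()
        base = ("?" if deleted else chr(first)) + base   # first char is lost on delete
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        high, = struct.unpack_from("<H", raw, 20)
        low, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({
            "offset": off, "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted, "attr": attr,
            "first_cluster": (high << 16) | low, "size": size,
        })
    return entries


def clusters_needed(entry: dict, cluster_size: int) -> int:
    """Clusters a recovery tool must read from first_cluster to rebuild the file."""
    return -(-entry["size"] // cluster_size)   # ceiling division


if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "DELETED" if e["deleted"] else "live   "
        print(f"{flag} {e['name']:12} cluster={e['first_cluster']:<4} size={e['size']}")
```

Because the starting cluster and size survive deletion, a recovery tool can read the cluster chain straight from this entry; the recovery is only reliable while those clusters remain unallocated, which is why the image must be taken before the drive is used again.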

Hex values analysis:

Data Validation:

A key aspect of the forensic analysis is data integrity. The methods applied to validate the integrity of files retrieved from the USB drive include cryptographic hash functions such as MD5 and SHA-256. Hashing every file acquired from the USB drive, and again during recovery, created unique hash values that serve as digital fingerprints of the files. The investigation team then compared the hash value of each recovered file with that of the file in the forensic image from which it originated, ensuring that no changes had been made during data recovery and so guaranteeing the integrity and authenticity of the evidence. In addition to the hash check, a verification process confirmed that the file extensions of the recovered documents matched their actual contents. This can be carried out with a hex editor and file signature analysis, comparing the extension of each recovered document against its real content. For example, a file with the .xls or .xlsx extension must contain the known data structures corresponding to spreadsheet formats (Stoyanova et al., 2020). An inconsistency between the file extension and the content raises suspicion that corruption or deliberate modification has occurred. Data validation also involved detailed metadata checks, including checking that creation and modification timestamps were consistent with the timeline of the firm's activities.
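
The extension-versus-signature check described above, as an added example that is not the report's own work: each file's leading bytes are matched against a small table of magic numbers and compared with the extension it carries, which is how the .doc file renamed to .jpeg in the assignment is caught. The sample files in SAMPLES are constructed (the group number and file names follow the assignment's naming convention but are assumed values), and the signature table and function names are this example's own.

```python
import os

# Magic numbers for the container formats met in this case. .docx/.xlsx share
# the ZIP container and .doc/.xls share the OLE2 container, so a signature can
# confirm the family but cannot tell the members of a family apart.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip/ooxml", {".docx", ".xlsx", ".pptx", ".zip"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt"}),
]


def detect_format(data: bytes):
    """Return (format name, extensions consistent with it), or (None, set())."""
    for magic, name, extensions in MAGIC:
        if data.startswith(magic):
            return name, extensions
    return None, set()


def check_extension(filename: str, data: bytes) -> dict:
    """Compare the extension a file carries with the format its bytes declare."""
    ext = os.path.splitext(filename)[1].lower()
    detected, allowed = detect_format(data)
    if detected is None:
        verdict = "unverifiable"      # plain text and the like carry no signature
    elif ext in allowed:
        verdict = "consistent"
    else:
        verdict = "mismatch"          # extension claims one thing, bytes another
    return {"file": filename, "extension": ext, "detected": detected, "verdict": verdict}


# Constructed sample files: only the leading bytes matter for signature analysis.
SAMPLES = {
    "g7_MBIS5005_A3_photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "g7_MBIS5005_A3_memo.jpeg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,  # a .doc renamed
    "g7_MBIS5005_A3_report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 32,
    "g7_MBIS5005_A3_notes.txt": b"meeting notes: budget discussion\n",
}


def audit(samples: dict) -> list:
    """Run the check over every file and return one verdict record per file."""
    return [check_extension(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in audit(SAMPLES):
        print(f"{result['verdict']:12} {result['file']} (bytes say: {result['detected']})")
```

Only the "mismatch" verdict is evidence of alteration; "unverifiable" files need the metadata and timestamp checks the paragraph mentions, since a signature table cannot vouch for formats that have no fixed header.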

Conclusion:

The analysis of the USB drive produced significant findings that revealed weaknesses in the company's data security measures. The analysis of the drive identified various kinds of sensitive files, including financial spreadsheets, internal reports and personnel evaluations, indicating a high risk of data leakage. Various deleted files were recovered, including some that may contain classified information, which reinforces the need for monitoring and protection of sensitive information. Forensic analysis of the contents of the flash drive, combined with further forensic methods, revealed that hidden files do exist and gave some insight into user-device interaction. Access patterns from the registry indicated who may have mishandled sensitive information. On the basis of these results, several recommendations on risk mitigation are given. The company must enforce its policies on the use of external storage devices in the workplace and allow only approved, company-supplied USB drives. Regular employee training sessions on best practice for data protection will make employees increasingly aware of the dangers of unauthorized devices. Finally, the organization should invest in advanced DLP technologies that monitor and control transfers to and from USB drives, thus preventing a potential breach before it happens.

References:

Al-Dhaqm, A., Abd Razak, S., Ikuesan, R.A., Kebande, V.R. and Siddique, K., 2020. A review of mobile forensic investigation process models. IEEE Access, 8, pp.173359-173375.

Kebande, V.R., 2022. Industrial internet of things (IIoT) forensics: The forgotten concept in the race towards industry 4.0. Forensic Science International: Reports, 5, p.100257.

Khan, A.A., Uddin, M., Shaikh, A.A., Laghari, A.A. and Rajput, A.E., 2021. MF-ledger: blockchain hyperledger sawtooth-enabled novel and secure multimedia chain of custody forensic investigation architecture. IEEE Access, 9, pp.103637-103650.

Lutta, P., Sedky, M., Hassan, M., Jayawickrama, U. and Bastaki, B.B., 2021. The complexity of internet of things forensics: A state-of-the-art review. Forensic Science International: Digital Investigation, 38, p.301210.

Makura, S.M., Venter, H.S., Ikuesan, R.A., Kebande, V.R. and Karie, N.M., 2020, February. Proactive forensics: Keystroke logging from the cloud as potential digital evidence for forensic readiness purposes. In 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT) (pp. 200-205). IEEE.

Rizal, R., Ruuhwan, R. and Chandra, S., 2020. Signature File Analysis Using The National Institute Standard Technology Method Base on Digital Forensic Concepts. Jurnal Informatika Universitas Pamulang, 5(3), pp.364-370.

Rudrakar, S. and Rughani, P., 2022. IoT based Agriculture (IoTA): Architecture, Cyber Attack, Cyber Crime and Digital Forensics Challenges.

Saleh, M.A., Othman, S.H., Al-Dhaqm, A. and Al-Khasawneh, M.A., 2021, June. Common investigation process model for Internet of Things forensics. In 2021 2nd International Conference on Smart Computing and Electronic Enterprise (ICSCEE) (pp. 84-89). IEEE.

Seufitelli, D.B., Brandão, M.A. and Moro, M.M., 2022. Exploring the intersection between databases and digital forensics. Journal of Information and Data Management, 13(3).

Stoyanova, M., Nikoloudakis, Y., Panagiotakis, S., Pallis, E. and Markakis, E.K., 2020. A survey on the internet of things (IoT) forensics: challenges, approaches, and open issues. IEEE Communications Surveys & Tutorials, 22(2), pp.1191-1221.
