Cyber Forensics - Tools

Rishi G.G. was given a digital forensics assignment to recover deleted pictures from a USB drive and analyze a disk image. For the first question, Rishi recovered 207 deleted pictures from the USB drive by using forensic tools. For the second question, Rishi analyzed a disk image and found 4 files, including documents with metadata showing they belonged to Emma Crook of Really Big Company and were last modified between 2:22PM and 2:28PM on September 15, 2004, corresponding to the timeframe in which Emma Crook is suspected of stealing company information. The analysis provided evidence that Emma Crook may have copied sensitive company documents onto the disk shortly before disappearing from her office.

Uploaded by vaishnavi

CYBER FORENSICS DIGITAL ASSIGNMENT:

NAME: RISHI G.G.
REG. NO.: 18BCI0125

QUESTION 1:

Recovery of some pictures that were deleted from a USB drive.

Step 1: Insertion of a pendrive. As we can see, the pendrive was inserted.

Step 2: Open a terminal and type “fdisk -l” to get the location of the external USB drive.

Step 3: Now that we have the details of the USB drive, go to the location where we want the pictures to be restored. I have created a separate empty folder called ‘forensics’ on the desktop. That folder is now empty (I have shown it using the ls command, which shows there are no files in it). After the recovery, the folder forensics will contain the recovered pictures. We use the command “recoverjpeg /dev/sdb”. Wait for a few minutes.

Step 4: We can see that 207 pictures were recovered. Now we go to the folder directly to check whether the pictures were restored or not.

RESULT: WE HAVE RECOVERED 207 PICTURES WHICH WERE ALREADY DELETED FROM THE USB DRIVE. WE CAN SEE THAT IN THE SCREENSHOT ABOVE.
QUESTION 2:

A DISK IMAGE WAS DOWNLOADED RANDOMLY FROM ONLINE.


Case Scenario
Today is September 15, 2004.  The time is 3:15 PM. Mr. Jim Boss, the owner of
the Really Big Company called and you responded to his office.  Mr. Boss
advised that he suspected that his assistant, Emma Crook, was providing
company sensitive material to some of his competitors. At 2:00 PM today he
confronted Ms. Crook with his suspicions. He told her that he would be back at
3:00 PM for an explanation. When Mr. Boss arrived back at Ms. Crook's office at
3:00 PM, she was gone.  Her office was completely cleaned out of all of her
belongings. Mr. Boss tried to turn on Ms. Crook's computer, but it would not
boot. Mr. Boss found a floppy diskette in the trash can.  Mr. Boss wants you to
examine the computer and the floppy diskette and to tell him exactly what Ms.
Crook was up to.  He is willing to pay for a 100% thorough examination.  "Leave
no stone unturned" as he said.

You examined the computer and found that the hard drive was missing.  The
computer was not networked.  Your only evidence, if any, will be on the floppy
diskette.  You checked the system clock and it was accurate to within one
minute.

I used a carving tool called “foremost”, which is a file-carving utility. Using this on the above-mentioned image file, I found 4 extracted files, out of which 3 are .docx files. Below are screenshots that show the command used to run foremost and the final results produced by foremost.
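Both the recoverjpeg run in Question 1 and the foremost run above work by file carving: scanning raw bytes for known file headers and footers, ignoring the file system. As an added example (not the assignment's own code), here is a minimal JPEG carver in Python run over a constructed dump of a USB stick; the SOI/EOI marker bytes are the real JPEG values, everything else is constructed.

```python
# Added example (not from the assignment): a minimal header/footer JPEG carver
# that does for the jpg type what recoverjpeg and foremost do, on a constructed dump.
import hashlib

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the first segment byte
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw: bytes, max_size: int = 20 * 1024 * 1024) -> list:
    """Return every JPEG found by scanning raw bytes for SOI...EOI pairs.

    The file system is ignored entirely, which is why carving still finds
    pictures whose directory entries were removed by deletion or a quick format.
    Limitation shared with simple carvers: an embedded EXIF thumbnail has its own
    EOI, so a real tool also validates the JPEG structure before accepting a hit.
    """
    found, pos = [], 0
    while True:
        start = raw.find(SOI, pos)
        if start == -1:
            break
        end = raw.find(EOI, start + len(SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1        # no plausible footer: skip this header
            continue
        found.append(raw[start:end + len(EOI)])
        pos = end + len(EOI)       # resume scanning after the carved file
    return found

def manifest(files: list) -> list:
    """(name, sha256) per carved file: the record an examiner keeps with the output."""
    return [(f"image{i:05d}.jpg", hashlib.sha256(data).hexdigest())
            for i, data in enumerate(files)]

# Constructed stand-in for a raw dump (dd output) of a formatted USB stick:
# two deleted pictures survive in unallocated space, a third is truncated.
JPG_ONE = b"\xff\xd8\xff\xe0" + b"JFIF-one" + b"\xff\xd9"
JPG_TWO = b"\xff\xd8\xff\xe1" + b"Exif-two" + b"\xff\xd9"
TRUNCATED = b"\xff\xd8\xff\xe0" + b"cut off"   # no EOI, cannot be recovered

def sample_dump() -> bytes:
    return b"\x00" * 512 + JPG_ONE + b"slack" * 8 + JPG_TWO + b"\x00" * 64 + TRUNCATED

if __name__ == "__main__":
    carved = carve_jpegs(sample_dump())
    print(f"recovered {len(carved)} pictures")     # the assignment's own run found 207
    for name, digest in manifest(carved):
        print(name, digest)
```

Hashing each carved file at the moment of recovery is what lets the examiner later show the pictures in the report are the ones the tool produced.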
Now we use a tool called exiftool. ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, and video metadata. So we use this tool to find out more about them.
I don't have this tool, so I install it first.

Exiftool on first document:


From this we can see the metadata, and we see that the document’s original name was “Magna Carta.doc”.
The author’s name is “Emma Crook”.
The company name is “Really Big Company”.
The document was last saved on 9/15/04 at 2:22 PM.

Exiftool on second document:


We used the same tool and identified that the document was originally called “Gettysburg Address.docx” and was last modified at 2:25 PM on 9/15/04.
The author and the company were the same as in the first document’s metadata, that is, Emma Crook and Really Big Company.

Exiftool on third document:


We can see the metadata again. This document has more suspicious data. Thus we have the metadata of the document.

Exiftool on fourth file:

Nothing much suspicious in this fourth file.
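As an added example (not from the assignment), the following Python reads the same fields ExifTool showed above (author, company, last-modified time) directly out of a .docx package, which is a zip archive whose docProps/core.xml and docProps/app.xml parts carry that metadata, and tests the modified time against the 2:00 PM to 3:00 PM window of the case scenario. The .docx is constructed in memory with the values reported above.

```python
# Added example (not from the assignment): read author, company and modified time
# from a .docx package and test the time against the case window. Sample is constructed.
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Window from the scenario: Ms. Crook was confronted at 2:00 PM and gone by 3:00 PM.
# Real core.xml timestamps are UTC; the constructed sample uses the case's clock as-is.
CASE_START, CASE_END = "2004-09-15T14:00:00Z", "2004-09-15T15:00:00Z"

def docx_metadata(blob: bytes) -> dict:
    """Creator, last-modified-by, modified time and company from a .docx blob."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    def text(root, path):
        el = root.find(path, NS)
        return el.text if el is not None else None
    return {"creator": text(core, "dc:creator"),
            "last_modified_by": text(core, "cp:lastModifiedBy"),
            "modified": text(core, "dcterms:modified"),
            "company": text(app, "ep:Company")}

def in_window(modified: str, start: str = CASE_START, end: str = CASE_END) -> bool:
    """True if a W3CDTF timestamp (YYYY-MM-DDTHH:MM:SSZ) lies inside [start, end]."""
    def parse(s):
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    return parse(start) <= parse(modified) <= parse(end)

def sample_docx() -> bytes:
    """Constructed .docx carrying only the two property parts, with the page's values."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>Emma Crook</dc:creator><cp:lastModifiedBy>Emma Crook</cp:lastModifiedBy>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2004-09-15T14:25:00Z</dcterms:modified>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    app = '<Properties xmlns="%s"><Company>Really Big Company</Company></Properties>' % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    meta = docx_metadata(sample_docx())
    print(meta, "in case window:", in_window(meta["modified"]))
```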

CONCLUSIONS :
ALL THE ABOVE-MENTIONED METADATA IS RECORDED, DOCUMENTED AND GIVEN TO THE BOSS OF THE COMPANY. THE MAJOR PROOF IS “formatting of the disk happened on 9/15/04 between 2:28 PM and 3:00 PM.”
THIS CAN BE FOUND IN THE ABOVE SCREENSHOTS.
NOTE:
THE WEBSITE THAT PROVIDED THE DISK EXPECTED SOME ANSWERS. THOSE ARE GIVEN IN THE SCREENSHOT BELOW.

RESULTS:
THE REQUIRED EXPECTATIONS HAVE BEEN MET BY MY INVESTIGATIONS.
---------------------CASE CLOSED-----------------------
