Tuesday, May 5, 2020
Digital Forensic Investigation Of USB Flash Drive- Free sample
Question: Discuss about a Report on Digital Forensic Investigation of USB Flash Drive? Answer: Introduction The aim of the report is to analyze a particular scenario based on digital forensics and the various investigation tools and techniques utilized for forensically analyzing the evidence items found in the particular situation. The scenario involves a crime scene committed by an ex-employee who was selling the organizations customer details such as bank account numbers, credit card details and other confidential information (Ali 2012). However, a USB flash drive that belongs to the man contains evidence that he used the credit card details of those customers to become a vendor of an individual website that required, at least, fifty credit card details for vendor ship approval. The report carries out a detail forensic investigation of the digital image of a USB flash drive for evidence relating to the above mentioned incident items. In this report, the above case has been investigated using digital forensic imager tool Encase software. It also involves description of the facts about the data hiding methods discovered during investigation of the case. The process also tries to identify the evidence found and their individual purposes. Analysis Some well-known forensic tools and techniques can be applied for processing the digital image of the USB flash drive and some relevant files, and evidence items can be recovered (Solomon et al. 2011). As many theories and pieces of evidence suggest, there are significant possibilities for hiding data in USB hard drives. Data hiding can be achieved using the concept of clusters. Digital forms of data hiding techniques include watermarking, cryptography or steganography. These are most commonly referred to as non-physical data hiding approach. Nevertheless, there is also another approach known as the physical aspect of data hiding. However, the case study states that neither cryptography nor steganography have been used in the data hiding process (Karlsson 2012). Hence, it can be told that physical data hiding has been followed in the present study to hide the customers financial details such as credit cards details, bank account details and other confidential information referred to in the case study. It takes advantage of the physical characteristics of the digital storage for the hiding purpose. Report of the Emails, Picture and Account Number The email IDs found from the investigation has been used for conversation among the suspects. The two emails are relevant with the case. Specific date and time that those emails were active have been identified. Date Time Action Evidence Found Notes 15/01/2016 1:00 pm Looking for email ID owners avendor12@gmail.com ccstolen_gov@dptfrd.co.uk Date Time Action Evidence Found Notes 15/01/2016 12:00 pm Examination of pictures found It is one sample among the 50 cards provided to the website by the ex-employee. Date Time Action Evidence Found Notes 15/01/2016 1:00pm The case is loaded into Encase for verification. Bank account number 00-11-22 12345678 USB drives most commonly function as data carriers and, therefore, can be very efficiently utilized for transporting business related data out of the organization (Sencar and Memon 2012). There are two alternative approaches to connect a USB device to the companys computer where the customer database resides. The first method is relatively straightforward, which involves a USB cable connected to the computers USB port. On the other hand, the second alternative technique is to utilize a USB hub. In the case of data hiding, the second approach is to be followed using USB hub. To hide the data, the different devices (USB stick acting as the data carrier, USB mouse and the USB hub) are combined to form a single appliance (Roy and Jain 2012). This method shows as if only the USB mouse is connected to the computer, when in fact, the internally hidden hub and USB stick goes unsuspected and can secretly store data using the mouse. Apart from hiding data, this technique can also be used to spread malware items. Solomon et al. (2011) stated that combination of data hiding and malware with the utilization of a USB stick can be applied as a hidden malware infected data carrier to transport data out of the organization. Data hiding technique It can be assumed that the attacker utilized a USB mouse to protect a USB data carrier (USB stick and USB hub combined) inside it. To fit the connected parts in the limited space inside the mouse, the size of the USB hub can be reduced by only keeping the PCB (printed circuit board) hub chip and the cable components. After that, the striping of USB stick is to be performed (Kruse and Heiser 2010). After stripping the stick (removal of the outer casing), a small PCB along with the memory chip and other necessary components are left. Apart from that, to incorporate adequate room inside the mouse case, the size of PCBs can be further reduced and ultimately the PCB and USB cable are connected inside the mouse with the process of soldering or with help if a connector (Hoog 2011). After carefully stripping the components, it is necessary to modify the USB hub so as to put the two PCBs (hub PCB and mouse PCB) together on top of each other. It is a crucial step to execute as it can block the internal LED rays in case the mouse uses LED color. For this purpose, the adjustment of USB hub PCB with the mouse PCB is performed very carefully (Rahman and Khan 2015). The next step is to wire the mouse hardware for connecting the USB port to the USB hub. The parts or components are then put together with the aid of soldering the wires. When this process is complete, the mouse can be connected to the computer and can be used to perform standard functions. This method allows any data stored in the USB stick to be hidden inside the mouse. NTFS (new technology file system) facilitates with potential opportunities for hiding data. However, according to ACPO (2010), USB flash memory devices does not write data into the same location more than once. As flash memories are non-volatile in nature, and flash translation layer (FTL) protocol is responsible for providing an access transparency between the user of a flash drive and the system itself. Encase Forensics is a software tool used for forensic analysis purposes. This particular case can be analyzed using this imager tool that recovers the basic USB history for investigation (Nelson, Phillips and Steuart 2015). The USBSTOR reveals the brand, vendor and a serial number of the USB. Other than that, the Mounted Devices key is found to get information about the drive letter. Imaging the USB drive is, therefore, the particular forensic investigation methodology adopted to parse the information. It can be effectively utilized for proving that the USB flash drive was connected to the organizations computer, by matching the drive letter and the time and date of USB drive insertion, along with the serial number or PID. To retrieve this information a detail forensic analysis was performed on the USB flash storage device using accurate forensic analysis tools (Sansurooah et al. 2013). Evidence analysis and examination are the next steps that involve interpreting the recovered data. After obtaining the forensic image, Encase Forensics is applied on the disk view: The exact number of used nodes is retrieved which in turn provides information about the type of partition being employed in the device. This is because the disk view of Encase does not contain any direct blocks on the inode tables (Lee 2014). Common program for recovering data in this manner necessitates a thorough examination of the inode structure including the direct blocks. Thereby, this tool is mainly utilized for the purpose of recovering deleted, damaged or erased information kept on Ext2 / Ext3 partitions of USB flash storage drives. Forensic Analysis using FTK Imager The items found using this tool are a bank account number, two email addresses, a photograph of a credit card and a particular website text. This is mounted with an FTK imager to enable PCI File Recovery (Kamble, Jain and Deshpande 2015). The following command is followed: File Image Mounting. After that, the steps to be performed are shown in the snapshots below: Thereafter, the PC Inspector File Recovery Window is activated and Open Unit is chosen: The disk created by FTK imager is then selected and Find Logical Unit is chosen. Next, the latest option is selected. After this step, a list of file is displayed to be recovered with this tool. Hence, mainly text files and image file have been found using this tool. The process applied for hiding the data has been discussed in detail above. Disk imaging is a digital forensic technique that uses specific imager software. Encase and FTK both are familiar imager tools in this field (Hoog and Strzempka 2011). However, for this case, FTK imager is used for analyzing the USB flash drive found in the ex-employee's jacket pocket. According to the ACPO (Association of Chief Police Officers) digital evidence analysis, data can be hidden using other tools except steganography or encryption. It can be referred to as generic data hiding technique. Other alternative methods are discussed in the below paragraph. Knowing how data is being hidden in the USB flash drive file system structure essentially enables useful means to find that data. For this reason, various forensic analysis tools are used. However, besides steganography, encryption, or any other similar types of data hiding techniques, there are forensic analysis measures that can be applied to generic methods also (Roy and Jain 2012). For example, using FS, slacker, USB hub and stick combination with USB mouse / USB keyboard / USB printer can also be achieved to hide data. Finding hidden data is becoming quire complex with passing days as the number of anti-forensic tools and techniques are increasing. However, concerning the present case study, it is much easier to strip the components of a USB hub and a USB stick to fit the PCBs together so as to enable them to function in the desired manner. After that, they can be easily incorporated in a USB mouse and can be kept secretly hidden in the internal part of the mouse. Following whic h, anyone handling the mouse would in no way suspect the present of the USB hub and stick inside of it. Alternative technique The data hiding process discussed above was based on utilizing a USB mouse for data hiding (Dezfouli et al. 2012). However, there are possible alternative variations that can be implemented to perform a similar job as data hiding. Combining a USB stick and an USB hub for data transport can also be achieved using a USB keyboard. USB keyboards are usually equipped with USB hubs built internally. Therefore, the job can easily be performed even without the need for an extra USB hub. Metasploits Slacker is a useful tool for data hiding purposes that can be applied onto an USB flash drive having to operate on an FAT (file allocation table) or NTFS / new technology file system (Casey 2011). The slack space on a USB drive can be effectively utilized to hide data to make it inaccessible and unreachable. Slacker is a useful tool for such activities. The method adopted by Metaspoilts slacker depends on fragmenting the data into numerous segments and distributing the fragmented data across the USB drives slack space. Therefore, slacker utilizes the slack space o a hard disk by file splitting and slack space hiding. This process makes it more difficult for the forensic analysis tools to trace the hidden files and folders. In addition to that, there can be other alternative tools and techniques. However, Vacca (2012) states that extensive knowledge of the characteristics and structural specifications of hard drives or more precisely, USB drives can be helpful in figuring out the exact process used for hiding those particular data. Moreover, the implications also suggest that the type and characteristics of the area, the nature of disk activity after that information has been already written on the disk also hold significant impact on the overall approach of forensic analysis as the degree of persistence of the hidden data is influenced. Conclusion The various data hiding techniques that could have been applied for the purpose of hiding those data and information are discussed in this paper. The possible approaches to hide data using a USB flash drive, a USB stick and USB hub combined, acting as a data carrier have also been analyzed in this paper. It can be said that the employee could have used an of the above mentioned techniques for hiding data in the USB drive. For example, MetaSpolits slacker could have been used for hiding data in the slack space. Besides, there is a possibility that other types of data hiding techniques were applied. However, using some particular forensic analysis tools and methods, the digital image of the concerned USB flash drive has been captured for performing the forensic activities. The forensic imager tools such as FTK or Encase are usually applied for this purpose. However, for this particular study, the FTK imager has been chosen to analyze the image of the USB hard drive. References ACPO, 2012.ACPO Good Practice Guide for Digital Evidence. [online] Available at: https://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf [Accessed 10 Jan. 2016]. Ali, K.M., 2012, July. Digital Forensics Best Practices and Managerial Implications. InComputational Intelligence, Communication Systems and Networks (CICSyN), 2012 Fourth International Conference on(pp. 196-199). IEEE. Casey, E., 2011.Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press. Dezfouli, F.N., Dehghantanha, A., Mahmoud, R., Sani, N.F.B.M. and Bin Shamsuddin, S., 2012, June. Volatile memory acquisition using backup for forensic investigation. InCyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on(pp. 186-189). IEEE. Hoog, A. and Strzempka, K., 2011.iPhone and iOS forensics: Investigation, analysis and mobile security for Apple iPhone, iPad and iOS devices. Elsevier. Hoog, A., 2011.Android forensics: investigation, analysis and mobile security for Google Android. Elsevier. Kamble, D.R., Jain, N. and Deshpande, S., 2015. Cybercrimes Solutions using Digital Forensic Tools.International Journal of Wireless and Microwave Technologies (IJWMT),5(6), p.11. Karlsson, K.J., 2012. Android anti-forensics at the operating system level. Kruse II, W.G. and Heiser, J.G., 2010.Computer forensics: incident response essentials. Pearson Education. Lee, J., 2014, October. Cyber incident forensics as a forward lean security. InInformation and Communication Technology Convergence (ICTC), 2014 International Conference on(pp. 872-873). IEEE. Nelson, B., Phillips, A. and Steuart, C., 2015.Guide to computer forensics and investigations. Cengage Learning. Rahman, S. and Khan, M.N.A., 2015. Review of Live Forensic Analysis Techniques.International Journal of Hybrid Information Technology,8(2), pp.379-388. Roy, T. and Jain, A., 2012. Windows registry forensics: an imperative step in tracking data theft via USB devices.IJCSIT) International Journal of Computer Science and Information Technologies,3, pp.4427-4433. Sansurooah, K., Hope, H., Almutairi, H., Alnazawi, F. and Jiang, Y., 2013. An Investigation Into The Efficiency Of Forensic Data Erasure Tools For Removable Usb Flash Memory Storage Devices. Sencar, H.T. and Memon, N. eds., 2012.Digital image forensics: There is more to a picture than meets the eye. Springer Science Business Media. Solomon, M.G., Rudolph, K., Tittel, E., Broom, N. and Barrett, D., 2011.Computer forensics jumpstart. John Wiley Sons. Vacca, J.R., 2012.Computer and information security handbook. Newnes.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.