BN309 Validating And Testing Computer Forensics Tools And Evidence Homework 2 Answer


Question:

Assessment Details and Submission Guidelines
Unit Code: BN309
Unit Title: Computer Forensics
Assessment Type: Homework 2 (Individual Assessment)
Assessment Title: Validating and Testing Computer Forensics Tools and Evidence
Purpose of the assessment (with ULO Mapping): This assignment assesses the following Unit Learning Outcomes; students should be able to demonstrate their achievements in them.
a. Document evidence and report on computer forensics findings;
c. Exhibit and understand forensics ethical behaviour and professional conduct;
d. Implement a process to support the administration and management of computer forensics.
Weight: 25%
Total Marks: 100
Submission Guidelines
  • All work must be submitted on Moodle by the due date along with a completed Assignment Cover Page.
  • The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2 cm margins on all four sides of your page with appropriate section headings.
  • Reference sources must be cited in the text of the report, and listed appropriately at the end in a reference list using IEEE referencing style.

Assignment Questions:

Objective:

The objectives of this assignment are to gain theoretical and practical knowledge and skills in different computer forensics and anti-forensics techniques, such as image acquisition, analysis of email headers, temporary internet files and low-level text search of the entire contents of a computer hard drive. Students should apply appropriate computer forensics tools and techniques and write a report on their findings. Marks will be awarded based on the sophistication and in-depth exploration of the selected techniques.

Case Study:

A suspect was under investigation by police for a serious offence. The suspect based his innocence on an alibi stating that he could not have been present at the scene of the crime, as he was at work using his computer to surf the internet when the crime took place. The validity of this alibi was questioned. Computers were forensically imaged and examined. Five sources of information were used to identify user activity: file date and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Analysis of times and dates in email headers on the computer and the server failed to show any activity for the specific times. Examination of temporary internet files revealed that none had been created with the relevant time stamps. A low-level text search was conducted across the entire contents of all the computer hard drives to locate any reference to these critical dates. No records or text references could be found in any area of the hard drives to support use of the computer at the times in question. In conclusion, the analysis strongly indicated that the computer was not used during the critical period. This was corroborated by records from the suspect’s Internet Service Provider (ISP). The individual was convicted at trial of the criminal offence. The electronic evidence was a key factor in the proceedings.

Assignment Specification:

Prepare a report and video demonstration on the following sections related to the case study. You can use your own files for data hiding and analysis. Provide the list of references using IEEE referencing style at the end of the report.

Section 1: Forensic imaging and examinations

Do an Internet search to list out effective tools for the above case study. Choose one of the tools to examine the forensic image and explain with screenshots how the tool can be useful. (250 words)

Section 2: Forensic analysis and validation

Write a report describing the procedures to retrieve the evidence with your selected forensics tools. Explain how to identify and analyse file date and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Also explain how temporary internet files and the low-level text search were carried out in this investigation. (500 words)

Section 3: Anti-forensics

Research anti-forensics techniques and write a report on your findings on these techniques. Compare the pros and cons of these techniques in different contexts. Use one of the anti-forensic techniques on your files and explain how useful it is. Please explain your methods with the help of screenshots. (750 words)

Demonstration:

Demonstrate your work. You should appear in the video (YouTube or similar) for the first and last 30 seconds to introduce yourself and draw a conclusion on your experience with the different computer forensics and anti-forensics techniques.


Answer:

Section 1: Forensic imaging and examinations

We conducted an internet search to identify the most useful forensic imaging and examination tools. Many tools were found, some free and some paid. Among them, Autopsy (The Sleuth Kit) appears the most appropriate, as it has the features needed to find the logs, internet artifacts, timestamps and other clues relevant to this scenario. Autopsy is one of the most popular forensic examination tools and is used by many forensic investigators. It is designed to analyse disk images and conduct in-depth analysis of the file system to find various features as evidence. It combines the functionality of many other tools, provides a better interface, and is intended to find different artifacts as a good starting point for an investigation. It is available for both Linux and Windows systems and can be downloaded for free, as can be seen at [1].

[Figure: Forensic imaging and examinations]

The above figure shows the Autopsy tool with a forensic case image added. It provides a graphical interface to find artifacts in the added forensic image file. It has unique features such as timestamp analysis, hash checking, file system analysis and a keyword search option with default settings. We can also add multiple forensic images to a single case. Some key features of Autopsy are the graphical interface, registry view, email analysis, support for many types of file systems, and extraction of details and data from logs, contacts and Word files for analysis, as can be seen at [2].

Section 2: Forensic analysis and validation

Autopsy is a free digital forensic tool with a graphical interface that is easy to use for most forensic investigators, such as military, law enforcement agencies and corporate analysts involved in forensic investigation procedures. As the tool is free, it can also be used to recover personal files such as photos or other important files from a hard disk, memory card or USB drive. Because of its extensibility, many third-party modules are available for it. These modules cover timestamp analysis, hash checksums, web, internet and email artifacts, and carving of data and multimedia contents, as can be seen at [3]. Autopsy has two analysis modes: dead analysis and live analysis. Dead analysis is performed when a dedicated disk is available to examine, and live analysis is performed on the running system. We are going to perform a dead analysis with a forensic test image. Here are the steps with all the relevant findings, according to the provided case study and requirements:

Create case – as the first step, we have to create a case to start the examination of the desired forensic disk. A disk image is then added to the case, and Autopsy starts an ingest to retrieve the data from the forensic image.

Date and time properties – when the disk image is added to the tool, it shows all the files and data contained in it, as shown in the figure below.

[Figure: Forensic analysis and validation]

We get a detailed hierarchical file structure of the forensic disk, which shows all the partitions and other contents of the system's hard disk. When selecting a file, go to File Metadata; it shows the time properties of that particular file together with its size, path, MD5 and complete timestamps. A file can also be extracted to the local hard drive by right-clicking it and choosing Extract.

Program log files – from the ingested hierarchy, go to Program Files (x86). It shows a list of installed programs with their modified, changed, last accessed and created times, from which we can estimate the last use of a particular program.

[Figure: Program log files]

Email data files – email data is retrieved by Autopsy itself and shown as an individual artifact in the file hierarchy. We can see all the email data with detailed messages and their properties to find any evidence, as shown in the figure below.

[Figure: Email data files]

Internet usage data – from the file hierarchy, Autopsy automatically searches for and shows the internet usage data. Here we can see web bookmarks, web cookies, web downloads, web history and web searches with detailed timestamps, accessed URLs and search text, as seen in the figure below.

[Figure: Internet usage data]

Text file searches – all types of files, such as HTML, Office, PDF and text files, are retrieved by Autopsy and shown in the file hierarchy. Here we have all the files with their names, location on the disk, complete timestamps, metadata and the text contained in them.

Temporary internet files and low-level text search – temporary internet files are shown in the form of web cookies, searches, bookmarks, etc. in the right-side panel of the tool, as discussed in the previous step. To perform a low-level keyword search, there is an option in the top left corner named Keyword Search. Here we can type a keyword and search for it across the image.
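The low-level text search used in the case study can also be reproduced outside the GUI, which is useful for validating what a tool reports. The following Python is an added example, not part of the original report and not Autopsy's code: it scans the raw bytes of a constructed stand-in disk image (sample data, not a real image) for several spellings of a constructed critical date in both ASCII and UTF-16LE, and reports the byte offset and sector of each hit so it can later be mapped to a file or to unallocated space.

```python
import re

SECTOR = 512

def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image (not a real image): ASCII and
    UTF-16LE strings scattered between runs of zeroed and 0xFF-filled space."""
    filler = b"\x00" * SECTOR
    return b"".join([
        filler,
        b"Report due 2019-03-14 see notes" + b"\x00" * 100,
        filler,
        "meeting on 14/03/2019 at 9am".encode("utf-16-le") + b"\xff" * 40,
        filler,
        b"unrelated text 2018-11-02" + filler,
    ])

# Spellings of the (constructed) critical date that an examiner would search for
CRITICAL_DATE_FORMS = ("2019-03-14", "14/03/2019", "14 March 2019", "March 14, 2019")

def _printable(text: str) -> str:
    return "".join(c if c.isprintable() else "." for c in text)

def low_level_date_search(image: bytes, forms=CRITICAL_DATE_FORMS, context=16):
    """Scan the raw image bytes (not the mounted file system) for every date
    spelling in ASCII and UTF-16LE; return hits sorted by offset with the
    sector number and a printable context window around each match."""
    hits = []
    for form in forms:
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(form.encode(enc))
            for m in re.finditer(needle, image):
                start = max(0, m.start() - context)
                if enc == "utf-16-le" and (m.start() - start) % 2:
                    start += 1  # keep the context window aligned to 16-bit code units
                end = min(len(image), m.end() + context)
                raw = image[start:end]
                text = (raw.decode("utf-16-le", errors="replace")
                        if enc == "utf-16-le" else raw.decode("latin-1"))
                hits.append({"offset": m.start(), "sector": m.start() // SECTOR,
                             "encoding": enc, "form": form, "context": _printable(text)})
    hits.sort(key=lambda h: h["offset"])
    return hits

if __name__ == "__main__":
    for h in low_level_date_search(build_sample_image()):
        print(f"offset {h['offset']:>8}  sector {h['sector']:>6}  {h['encoding']:<9} {h['context']}")
```

A hit in unallocated sectors would still be found here because the scan never consults the file system, which is exactly what distinguishes a low-level search from a search over recovered files.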

Section 3: Anti-forensics

Anti-forensic techniques are methods used by cyber criminals to hinder the collection of evidence and the analysis of contents with forensic tools. The major purpose of an anti-forensic technique is to make digital forensic analysis of the media harder or practically impossible, or to destroy the evidence. Using anti-forensic tools, cyber criminals can perform a wide variety of activities, such as deleting web history, cache data, cookies and other footprints. These techniques are mainly used to hide or remove evidence and hamper forensic analysis. There are many methods used in this way, as can be seen at [4] [5]:

  1. Encryption – one of the most traditional methods, this technique converts normal data into unreadable ciphertext. It is done through key pairs that encrypt and decrypt the data. The key motive behind this technique is to hide or protect secret data from being identified by others. The ciphertext can only be decrypted using the particular key pair. Today this method uses modern cryptographic techniques such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard) with symmetric and asymmetric encryption methods, where asymmetric encryption uses a single key and symmetric encryption uses two key pairs to encrypt and decrypt a data set.
  2. Steganography – in this method, plain text data is hidden inside an image or picture file. The image is then altered so that the hidden data is not identifiable, and the processed image file looks like a normal file. Physically, a message can be concealed using microdots or invisible ink; digitally, the hidden data can be text, audio or video.
  3. Onion routing – this method uses multiple layers of encryption, creating onion-like layers around a message while it is sent. When the message reaches the receiving node, each layer of encryption is peeled off. Reverse routing is the process used against this method, but it is a time-consuming task.
  4. Tunnelling – this process uses encapsulation to allow secret communication to hide inside a public network. Data packets can flow over the public network without raising suspicion. A VPN (virtual private network) is one of the best examples of this method and is used by many users today. It also provides protection against cyber-attacks by encrypting packets on the network.
  5. Spoofing – the act of masking a communication to gain access to an unauthorised system. There are many ways to perform spoofing, such as through email, web sites or phone calls. It is of two types: MAC spoofing and IP spoofing.
  6. Obfuscation – this technique can be used intentionally or unintentionally to make a message hard to understand by converting it into ambiguous language. It uses in-group and jargon phrases for this purpose and alters the file signature with malicious code. The key purpose of this method is to reduce the risk of revelation.

From the anti-forensic techniques discussed above, we choose steganography to hide some secret data inside an image file. Quick Stego is the tool used for this purpose. It is free to use and can hide text in a picture, and only another user who has Quick Stego can retrieve the hidden message from that picture. When text is hidden in a picture, the picture looks like a normal picture and loads just like a normal picture file for the recipient, or for the forensic analyst during an investigation, as can be seen at [6].

To use this tool, we download a picture and save it to the local drive. We also need a text file in which the secret text is written. Here are the steps to do steganography with the Quick Stego tool, as can be seen at [7]:

  • Open the Quick Stego tool.
  • Click on Open Image and browse to the picture we just downloaded from the internet.
  • Now click on Open Text to open the text file containing the secret message to be hidden in the picture.
  • Both the picture and the secret message are now shown in the Quick Stego window, as seen in the figure below.

[Figure: Quick Stego window 1]

  • Now click on Hide Text; it hides the secret text in the picture and shows a success message like this:

[Figure: Quick Stego window 2]

Now this steganography file can be sent to anyone with the secret message hidden inside it.

To get the secret message, we open this file with Quick Stego and click on Get Text. It shows the secret text message in the left-side panel.
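From the examiner's side, the point made above (the picture looks normal after text is hidden in it) can be checked rather than taken on trust. The following Python is an added example, not part of the original report and not Quick Stego's code; the page does not document how Quick Stego encodes the text, so a simple least-significant-bit scheme on a constructed greyscale carrier is assumed as a stand-in. It shows that every pixel moves by at most 1 (invisible to the eye), that the hash no longer matches a reference copy, and that reading the LSB plane back recovers the text.

```python
import hashlib

# Constructed 256-pixel greyscale carrier (stand-in for a downloaded picture).
CARRIER = [(i * 37 + 11) % 256 for i in range(256)]

def lsb_embed(pixels, message):
    """Constructed stand-in for a tool's 'Hide Text' step (assumed scheme, not
    Quick Stego's): a 16-bit big-endian length prefix followed by the UTF-8
    message is written into the least-significant bit of consecutive pixels."""
    payload = message.encode("utf-8")
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the carrier")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & ~1) | bit  # each pixel value moves by at most 1
    return out

def lsb_recover(pixels):
    """Examiner side: read the LSB plane back and decode the length-prefixed
    text. Returns None when the prefix cannot describe a message this carrier
    could hold, i.e. the LSB plane is most likely ordinary image noise."""
    if len(pixels) < 16:
        return None
    bits = [p & 1 for p in pixels]

    def read_bytes(first_bit, count):
        return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(first_bit, first_bit + 8 * count, 8))

    length = int.from_bytes(read_bytes(0, 2), "big")
    if 2 + length > len(pixels) // 8:
        return None
    return read_bytes(16, length).decode("utf-8", errors="replace")

def compare_carrier(original, suspect):
    """Checks available when a reference copy of the picture exists."""
    return {
        "max_pixel_delta": max(abs(a - b) for a, b in zip(original, suspect)),
        "changed_pixels": sum(a != b for a, b in zip(original, suspect)),
        "hash_matches": hashlib.sha256(bytes(original)).hexdigest()
                        == hashlib.sha256(bytes(suspect)).hexdigest(),
    }

if __name__ == "__main__":
    stego = lsb_embed(CARRIER, "meet at 9am")
    print(compare_carrier(CARRIER, stego))
    print("recovered from stego:", lsb_recover(stego))
    print("recovered from clean carrier:", lsb_recover(CARRIER))
```

Without a reference copy the hash check is unavailable, which is why examiners also hash and preserve the original downloaded picture when documenting such a demonstration.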