BN309 Validating And Testing Computer Forensics Tools And Evidence Homework 2 Answer

pages Pages: 4word Words: 890

Question :

Assessment Details and Submission Guidelines
Unit Code
Unit Title
Computer Forensics
Assessment Type
Homework 2 (Individual Assessment)
Assessment Title
Validating and Testing Computer Forensics Tools and Evidence
Purpose of the assessment (with ULO Mapping)
This assignment assesses the following Unit Learning Outcomes; students should be able to demonstrate their achievements in them.
a. Document evidence and report on computer forensics findings;
c. Exhibit and understand forensics ethical behaviour and professional conduct;
d. Implement a process to support the administration and management of computer forensics
Total Marks
Submission Guidelines
  • All work must be submitted on Moodle by the due date along with a completed Assignment Cover Page.
  • The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2 cm margins on all four sides of your page with appropriate section headings.
  • Reference sources must be cited in the text of the report, and listed appropriately at the end in a reference list using IEEE referencing style.

Assignment Questions:


The objectives of this assignment are to gain theoretical and practical knowledge and skills in different computer forensics and anti-forensics techniques such as image acquiring, analysis of email headers, temporary internet files and low-level text search of entire contents of the computer hard drive. The students should apply appropriate computer forensics tools and techniques, and write a report on their findings. Marks will be awarded based on the sophistication and in-depth exploration of the selected techniques.

Case Study:

A suspect was under investigation by police for a serious offence. The suspect based his innocence on an alibi stating that he could not have been present at the scene of the crime as he was at work using his computer to surf the internet when the crime took place. The validity of this alibi was questioned. Computers were forensically imaged and examined. Five sources of information were used to identify user activity. These included file data and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Analysis of times and dates in email headers on the computer and the server failed to show any activity for the specific times. Examination of temporary internet files revealed that none had been created with the relevant time stamps. A low-level text search was conducted across the entire contents of all the computer hard drives to locate any reference to these critical dates. No records or test references could be found on any areas of the hard drive to support use of the computer for the times in question. In conclusion, the analysis strongly indicated that the computer was not used during the critical period. This was corroborated by records from the suspect’s Internet Service Provider (ISP). The individual was convicted at trial of the criminal offence. The electronic evidence was a key factor in the proceedings

Assignment Specification:

Prepare a report and video demonstration on the following sections related to the case study. You can use your own files for data hiding and analysis. Provide the list of references using IEEE referencing style at the end of the report.

Section 1: Forensic imaging and examinations

Do an Internet search to list out effective tools for the above case study. Choose one of the tools to examine the forensic image and explain with screenshots how the tool can be useful. (250 words)

Section 2: Forensic analysis and validation

Write a report describing the procedures to retrieve the evidence with your selected forensics tools. Explain how to identify and analyse file data and time properties, program log files, email data files, internet usage, and text files containing relevant dates. Also explain how temporary internet files and low level text search were carried out in this investigation. (500 words)

Section 3: Anti-forensics

Research on anti-forensics techniques and write a report on your findings on these techniques. Compare the pros and cons of these techniques in different contexts. Use one of the anti-forensic technique on your files and explain how useful it is. Please explain your methods with the help of screenshots. (750 words)


Demonstrate your work. You should appear in the video (You Tube or similar) at the first and last 30 secs to introduce yourself and draw a conclusion on your experience with the different computer forensics and anti-forensics techniques.

Show More

Answer :

Section 1: Forensic imaging and examinations

We have conducted an internet research to find out the most useful forensic imaging and examination tools. While searching, we have found many tools in which some are free and some are paid tools. From them, Autopsy (The Sleuth Kit) is seeming appropriate among all which will have all the features to find out the possible logs, internet artifacts, timestamp and more needed to find the clues according to this scenario. Autopsy is one of the most popular forensic examination tools and used by so many forensic investigators. It is designed to analyse images of disk and conduct in-depth analysis of file system to find out various features as evidences. It has the functionality and features of many other tools and provide a better interface, indent to find different artifacts as a good starting point for an investigation. It is available for both Linux and Windows based systems and can be downloaded for free, can be seen at [1]. 

The above figure is the representation of the Autopsy tool with added a forensic case image. As it provides a graphical interface to find artifacts from the added forensic image file. It has the unique features such as analysis of time stamp, hash check, analysis of file system and offer keyword search option with default settings. We can also add multiple forensic images in a single created case. Soe key features of 

Autopsy are graphical interface, registry view, email analysis, support many types of file systems, can extract details and data from logs, contacts, word files and perform analysis for that also, can be seen at [2].  Forensic imaging and examinations

Section 2: Forensic analysis and validation

Autopsy is a free digital forensic tool with graphical interface which is easier to use by most forensic investigators such as military, law administration agencies and corporate analyst who involve in the forensic investigation procedures. As this tool is available for free, so that it can be used to recover our personal files like photos or any important file from hard disk or memory card or USB drive. Because of its extensible use there are so many modules available for it by the third-party. These modules are related to analysis of timestamp, hash checksum, web, internet and email artifacts, carving of data and multimedia contents, can be seen at [3]. The autopsy tool has two analysis modes, as dead analysis and live analysis. Dead analysis can be performed when a dedicated disk is available to examine and live analysis is performed on the running system. We are going to perform a dead analysis with a forensic test image. Here are the steps with all the relevant finding, according to the provided case study and requirements – 

Create case – as the first step, we have to create a case to start the examination of our desired forensic disk. A disk image is then added to the created case and it will start an ingest to retrieve the data from the forensic image. 

Data and time properties – when the disk image is added to the tool is will show all the files and data contained in it, like shown in the below figure.  Forensic analysis and validation

We will have a detailed hierarchical file structure of the forensic disk which shows all the partitions and other related contents of a hard disk of a system. When scrolling through a file, go to file metadata, it will show the time properties of that particular file with size, path, MD5 and complete time stamp. A particular file can also be extracted to the local hard drive by right clicking and Extract. 

Program logs file – from the ingested hierarchy, go to Program Files (x86). It will show a list of installed programs with their modified, change, last accessed and created time. Where we can estimate last use of a particular program. Program logs file

Email data files – email data is retrieved by autopsy itself and shows as individual artifact I the file hierarchy. We can see all the email data with detailed message and its properties to find any evidence, like shown in the below figure.Email data files

Internet usage data – from the file hierarchy, autopsy automatically search and show the internet usage data. Here we can see, web bookmarks, web cookies, web downloads, wen history and web searches with detailed time stamp, accessed URL and search text, as seen in the below figure. Internet usage data

Text files searches – all types of files like html, office, PDF and text files are retrieved by Autopsy tool and shows in the file hierarchy. Here we will have all the files with their names, location from the disk, complete time stamp, metadata and text contained in it.  

Temporary internet files and low-level text search – temporary internet files are shown in the form of wen cookies, searches, bookmark, etc. in the right-side panel of this tool, also discussed in the previous section. To perform a low level keywork search, there is an option on the top left corner, named as Keyword Search. Here we can type a keyword and perform search of that keyword.

Section 3: Anti-forensics

Anti-forensic techniques are the method used by cyber criminals to harden the process of evidence collection and analysis of contents using forensic tools. The major purpose of using an anti-forensic technique is to make it tougher or somehow intolerable to perform a digital forensic analysis on that media or to destroy the evidences. By using these anti-forensic tools, cyber criminals can perform a vast variety of activities such as deletion of web history, cache data, cookies and other footprints. These techniques are mainly used to hide, remove and hamper forensic analysis. There are so many ways and methods to be used in this way, that are, can be seen at [4] [5] – 

  1. Encryption – as one of the most traditional method, this technique is used to convert the normal data into unreadable or ciphertext or encrypted data. It can be done through some key pairs to encrypt and decrypt the data. The key motive behind this technique is to hide or protect the secret data from being identified or hide from the others. This encrypted or cipher text is only being decrypted using a particular key pair. Today, this method is using modern cryptographic techniques such as AES (advanced encryption standards) and DES (data encryption standard) with the use of symmetric and asymmetric encryption method. Where asymmetric encryption uses single key and symmetric encryption use two key pairs for encrypt and decrypt a data set.  
  2. Stenography – in this method, plain text data is hide behind an image or picture file. Then the image is altered so that it will not identifiable. The processed image file will look like a normal file. Physically, a message can be concealed using microdots or invisible ink. Digitally a hidden data will be a text, audio or video.
  3. Onion routing – this method uses multiple layers of encryption and create an onion like layers while sending messages. When the message reached at the receiving node, every layer of encryption is peeled off. Reverse routing is the process used against this method but is a time-consuming task. 
  4. Tunnelling – this process use encapsulation to allow secret communication to hide behind a public network. Data packets can flow from public network without any suspicious action. VPN or virtual private network is one of the best examples of this method which is used by many users today. This method also provide protection against cyber-attacks by encrypting packets in a network.
  5. Spoofing – it is an act of masking communication to gain access of an unauthorize system. There are so many ways to perform spoofing such as through email, web sites or phone calls. It is of two types, as MAC spoofing and IP spoofing. 
  6. Obfuscation – this technique can be use intentionally or unintentionally to makes a message hard to understand by converting it to ambiguous language. It uses ingroup and jargon phrases for this purpose and altering the file signature with malicious codes. The key purpose of using this method is to reduce the risk revelation. 

From the above discussed anti-forensic techniques, we choose stenography technique to hide some secret data behind an image file. Quick Stego is the tools used for this purpose. This tool is free to use and can hide text in a picture and the other user who will have Quick Stego can only retrieve that hidden message behind that picture. When any text is hide behind a picture, the picture will look like a normal picture and will load just like a normal picture file on the other side or to the forensic analyst while in investigation process, can be seen at [6]. 

To use this tool, we will download a picture and save it to the local drive. We also need a text file in which the secret text is written. Now, here are the steps, to do stenography with Quick Stego tool, can be seen at [7] – 

  • Open Quick Stego tool
  • Click on Open Image and browse the picture that we just download from the internet.
  • Now click on Open Text to open the text file containing secret message to be hide behind the picture.
  • Both picture and secret message will now see on the Quick Stego window, as seen in the below figure. Quick Stego window 1Now, just click on Hide Text and it will hide the secret text behind the picture and show a success message like this – Quick Stego window 2

           Now this stenography file can be sent to anyone with the secret message hidden inside it.

To get the secret message, we need to open this file with Quick Stego and just click on Get Text. It will show the secret text message on the left side panel.