Digital Forensic Investigation Of Clown Content In Western Australia
Background of the Investigation
This project investigates digital forensic images with the help of an effective tool. In the state of Western Australia, providing access to clown-related digital content is not allowed, because accessing, owning and distributing such content is illegal. Malware is used for accessing clown-related digital content. The following investigation is therefore carried out on digital content related to clowns. The allegation made to law enforcement is that a witness claims clown-related data was accessed inside the workplace. However, it is possible to access certain clown content without being in the workplace. Unfortunately, the junior digital investigator obtained the forensic image of the computer holding the clown content by performing a logical acquisition. Because a forensically sound logical acquisition had been carried out, the junior digital forensics investigator then wiped the computer's original hard drive. Hence, the junior investigator was able to determine the forensic image with ease. The suspect, Clark, denies accessing the clown content; moreover, Clark has not confirmed that the computer belongs to him. Clark says he does not always take the computer home or lock it. The senior investigator therefore needs to examine the forensic image of the laptop, which was seized with correct warrants. Clark has also given a statement that “The computer was infected with malware and this led various potential content to appear on the computer.” The investigation is carried out with the Autopsy forensic tool, and this report briefly discusses it.
The presentation is required to address the offence. According to the given case study, the allegation made to law enforcement is that a witness claims clown-related data was accessed inside the workplace. However, it is possible to access certain clown content without being in the workplace. Unfortunately, the junior digital investigator obtained the forensic image of the computer holding the clown content by performing a logical acquisition. The junior digital forensics investigator then wiped the computer's original hard drive, as an accurate logical acquisition had been carried out. The forensic image was determined easily by the junior investigator, and this is the reason the senior investigator should examine the forensic image, which was seized with appropriate warrants. The Autopsy forensics tool is used for the investigation (“Basics of Computer Forensics”, 2016).
Extraction of 7 Zip
To extract the given case file, the user must use 7-Zip. The following figures show the extraction process.
Finally, the user extracts the provided case file. Because the Autopsy software tool can provide valuable support for a digital forensics investigation, it is suggested that the user download and install it (Budowle, 2011). Once the installation is complete, open Autopsy and click New Case, as exhibited in the following screenshot.
As shown in the below screenshot, a New Case window is displayed, comprising the case name, base directory, case type and case data storage directory. Enter the requested information as shown in the screen below and save the case file by browsing to the directory. Proceed by pressing the Next button (Carlton & Worthley, 2010).
The user must enter the important information, for instance the case number, case type, base directory and case storage directory. Then press the Next button and finally the Finish button; only then is the case file created. This step is shown in the below screenshot.
Once the case file has been created, add the data source. Remember that it will contain raw bit data, so choose unallocated disk image, as exhibited in the following screenshot.
As shown in the below screenshot, browse and select the forensic image files and proceed by pressing the Next button.
Configure the ingest modules for the provided case file and proceed by pressing the Next button (“Digital Forensics – Elsevier”, n.d.).
The data sources will be added to the recently created case file. This step is unveiled in the below screenshot.
Similarly, all the provided forensic images should be added to the digital forensics case.
Once all the data sources have been added to the created case, the user is required to identify the evidence that relates to the digital forensic investigation.
Here, the information related to each forensic image file is identified so that the digital forensics analysis can continue.
182.7z.002 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot (Federici, 2013).
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted file, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information.
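The email address keyword search over raw image data described above, as an added example that is not part of the original report and is not Autopsy's own code: it scans a raw byte stream for addresses stored as ASCII or UTF-16LE and records the byte offset of each hit, including hits that straddle a read boundary. The regular expression, the function names and the sample addresses are assumptions constructed for illustration.

```python
import io
import re

# Longest possible hit is 1202 bytes (UTF-16LE), so a 2048-byte overlap is safe.
MAX_HIT = 2048


def _email_regex(pad):
    # pad is the regex fragment that follows every character:
    # empty for ASCII text, a NUL byte escape for UTF-16LE text.
    local = rb"(?:[A-Za-z0-9._%+-]" + pad + rb"){1,64}"
    label = rb"(?:[A-Za-z0-9-]" + pad + rb"){1,63}"
    tld = rb"(?:[A-Za-z]" + pad + rb"){2,24}"
    return re.compile(
        local + rb"@" + pad + rb"(?:" + label + rb"\." + pad + rb"){1,8}" + tld
    )


# Assumed pattern for this example; it is not the expression Autopsy ships.
PATTERNS = {"ascii": _email_regex(rb""), "utf-16le": _email_regex(rb"\x00")}


def scan_image(stream, chunk_size=1 << 20):
    """Return sorted (byte_offset, encoding, address) hits from a raw image stream."""
    hits = []
    tail = b""                         # bytes carried over from the previous read
    pos = 0                            # absolute offset of the next unread byte
    done = dict.fromkeys(PATTERNS, 0)  # end offset of the last reported hit
    while True:
        data = stream.read(chunk_size)
        eof = not data
        window = tail + data
        base = pos - len(tail)         # absolute offset of window[0]
        pos += len(data)
        # Hits starting in the last MAX_HIT bytes may be cut off by the read
        # boundary, so they are left for the next window (unless at EOF).
        limit = len(window) if eof else max(len(window) - MAX_HIT, 0)
        for enc, rx in PATTERNS.items():
            for m in rx.finditer(window):
                if m.start() >= limit:
                    break
                start = base + m.start()
                if start < done[enc]:
                    continue           # suffix of a hit already reported
                done[enc] = base + m.end()
                hits.append((start, enc, m.group().decode(enc)))
        if eof:
            return sorted(hits)
        tail = window[limit:]


def build_sample():
    """Constructed 12 KiB zero-filled blob standing in for unallocated space."""
    blob = bytearray(12 * 1024)
    ascii_hit = b"alice@example.org"                        # constructed address
    utf16_hit = "bob@mail.example.com".encode("utf-16le")   # constructed address
    blob[4090:4090 + len(ascii_hit)] = ascii_hit            # straddles offset 4096
    blob[9000:9000 + len(utf16_hit)] = utf16_hit
    return bytes(blob)


if __name__ == "__main__":
    # 4096-byte reads force the first address across a read boundary.
    for offset, enc, addr in scan_image(io.BytesIO(build_sample()), chunk_size=4096):
        print(f"offset {offset:#x} ({offset})  {enc:9}  {addr}")
```

Recording the byte offset with each hit lets the examiner tie a keyword result back to a position in the image when writing up the evidence.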
182.7z.003 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot (“Forensic Examination of Digital Evidence: A Guide for Law …”, n.d.).
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information (Hannay, 2011).
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information (HU, LIU & HE, 2010).
182.7z.004 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As shown in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed (Kearns, 2010).
To view the results of the case file, use the below listed information.
182.7z.005 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file (Kessler, 2012).
To view the deleted files, use the below listed information.
To view the results of the case file, use the below listed information.
182.7z.006 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As demonstrated in the below screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed (“Open Source Digital Forensics Tools – digital evidence”, n.d.).
To view the results of the case file, use the below listed information.
182.7z.007 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed (Science needs for microbial forensics, n.d.).
To view the results of the case file, use the below listed information.
182.7z.008 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file (Wright, 2012).
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed (Zawoad & Hasan, 2016).
To view the results of the case file, use the below listed information.
182.7z.009 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
182.7z.010 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information.
182.7z.011 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information.
182.7z.012 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information.
182.7z.013 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
The case file contains keyword search information as follows: single regular expression, single literal keyword search and email address. As evident in the screenshot below, the three files from the email address keyword search are displayed.
To view the results of the case file, use the below listed information.
182.7z.014 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
182.7z.015 Case File Identification
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains one deleted file.
To view the deleted files, use the below listed information.
As shown in the screenshot below, the investigation can utilize, access and delete the provided digital content file. This step aims to showcase the information about the deleted files.
182.7z.002 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot (Larson, 2014).
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.003 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information (Marshall, 2009).
182.7z.004 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.005 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.006 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot (Parasram, n.d.).
Just a single deleted file is available in this case file, as illustrated in the following figure.
From the case file, to view the deleted files, use the below listed information.
182.7z.007 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file (Pollitt & Shenoi, 2010).
From the case file, to view the deleted files, use the below listed information.
182.7z.008 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.009 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file (Ray & Shenoi, 2011).
From the case file, to view the deleted files, use the below listed information.
182.7z.010 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information (Sammons, 2015).
182.7z.011 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.012 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.013 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.014 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
182.7z.015 Case File Indent
The right data file must be selected to identify the case file information. This step is revealed in the below screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
From the case file, to view the deleted files, use the below listed information.
The forensic image file helps to accurately show the total number of files in the system; this step is shown in the screenshot below.
182.7z.002 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
The case file that is given contains the email address key search. As evident in the below screenshot, the three files are displayed.
182.7z.003 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, the three files are displayed.
182.7z.004 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, the three files are displayed.
182.7z.005 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file doesn’t contain any file in the system.
182.7z.006 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, the two files are displayed.
182.7z.007 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, one file is displayed.
182.7z.008 Quantity of Case File
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, one file is displayed.
182.7z.009 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
In the system, the case file has no file in it.
182.7z.010 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, just one file is displayed.
182.7z.011 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
Only one deleted file is available in the given case file, as illustrated in the following figure.
The case file that is given contains the email address key search. As evident in the below screenshot, just one file is displayed.
182.7z.012 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, the three files are displayed.
182.7z.013 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file that is given contains the email address key search. As evident in the below screenshot, the two files are displayed.
182.7z.014 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
On the system, there exists no file in the case file.
182.7z.015 Quantity of Case File
The right data file must be selected by the user, to identify the case file information like quantity. This specific step is revealed in the below represented screenshot.
As exhibited in the following screenshot, this case file contains only one deleted file.
The case file doesn’t contain any file on the system.
Finally, the digital forensics investigation delivers the details of the forensic images, which are raw bit data. The given case file comprises only one deleted file and has various email keyword search files. A third party is used for illegal access.
However, it is seen that the conducted investigation did not install any type of software on the system.
References
Basics of Computer Forensics. (2016). Vestnik Policii, 7(1). doi: 10.13187/vesp.2016.7.20
Budowle, B. (2011). Microbial forensics. Burlington, MA: Elsevier/Academic Press.
Carlton, G., & Worthley, R. (2010). Identifying a Computer Forensics Expert: A Study to Measure the Characteristics of Forensic Computer Examiners. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1069
Digital Forensics – Elsevier. Retrieved from https://booksite.elsevier.com/samplechapters/9780123742681/Chapter_1.pdf
Federici, C. (2013). AlmaNebula: A Computer Forensics Framework for the Cloud. Procedia Computer Science, 19, 139-146. doi: 10.1016/j.procs.2013.06.023
Forensic Examination of Digital Evidence: A Guide for Law … Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
HU, Y., LIU, B., & HE, Q. (2010). Survey on techniques of digital multimedia forensics. Journal Of Computer Applications, 30(3), 657-662. doi: 10.3724/sp.j.1087.2010.00657
Kearns, G. (2010). Computer Forensics for Graduate Accountants: A Motivational Curriculum Design Approach. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2010.1076
Kessler, G. (2012). Advancing the Science of Digital Forensics. Computer, 45(12), 25-27. doi: 10.1109/mc.2012.399
Open Source Digital Forensics Tools – digital evidence. Retrieved from https://www.digital-evidence.org/papers/opensrc_legal.pdf
Science needs for microbial forensics.
Wright, N. (2012). DNS in Computer Forensics. Journal Of Digital Forensics, Security And Law. doi: 10.15394/jdfsl.2012.1117
Zawoad, S., & Hasan, R. (2016). Trustworthy Digital Forensics in the Cloud. Computer, 49(3), 78-81. doi: 10.1109/mc.2016.89