Forensic Investigation Of Mr. Fredrick Gleason’s Involvement In Defrauding Members Of The Public
Case Study’s Background
This investigation researches about Mr. Fredrick Gleason’s involvement in defrauding the members of the general public and check his involvement in this issue. The spot light of this investigation is on Mr. Fredrick Gleason’s involvement in defrauding the members of the general public and checks his involvement in the case. The investigation takes place in Mr. Gleason’s office, as it is considered as the crime scene. In his office, all the digital artefacts are seized as evidence, and are examined in the forensic lab. The examination helps to reveal whether any data is present in theses artefacts or not, which could be helpful for carrying out the investigation.
In this investigation I am a forensic practitioner, who has the responsibility of seizing and handling the digital evidence artefacts along with its analysis, to finding the useful evidences related to the case. My complete qualification details and experience is presented in the Appendix, based on which I have been selected as to provide expert opinion on the collected evidences. Thus, I will be seizing the digital artefacts from the crime scene based on the court’s order. Here, the case is booked under Section 2 of the 2006 Fraud Act.
This report will represent the conclusion, according to my professional opinion. Thus, it is essential to know all my qualification and experience details, for cross-examination. The handout provides outlines of the case which contains general requirements of the forensic analysis to be analyzed for this case.
The tasks included in this cases includes- Attending the crime scene to seize the evidences (if any) that could be related to the case and in the handout it will be outlined; To complete forensic examination of the evidence based on the instructions provided in the handout; To represent a report which can be submitted to the court of law with the important aspects like, the followed processes for analyzing the digital evidence, the collected findings as per the instructions in the handout, and my opinion depending on the determined findings; and finally mention the utilized techniques for examining the evidences.
1.1 Case Study’s Background
The concern of this case represents case’s outline, where it is found that, Mr. Gleason is being questioned under Section 2 of the 2006 Fraud Act. Then, his office is suspected to be the crime scene, where he might have committed the suspected offences. According to the part of the investigation the court ordered and gave permission to seize and take the digital artefacts from his office for the forensic lab for determining the results. The court granted permission of the investigation in Mr. Gleason’s office. As, it is necessary for the forensic practitioner to take appointment from the court to conduct the investigation, the date and time appointed is on, 11th of May, 2018 at 5:00 pm.
1.2 Summary of my Conclusions
The Civil Procedure Rules needs the report to have the summary of the conclusion. (Civil Experts Practice Direction 35 para 3.2(7). Protocol para 13.14) (Criminal experts CPS Disclosure Manual Annexe K, CrPR 33.3(1)(h))(Family Experts Practice Direction para3.3(g))
Summary of my Conclusions
1.4 Objective
The objective of this investigation is to resolve the fraud case on Mr. Fredrick Gleason. To carry out this investigation, suitable tools will be used. The digital artefacts from the crime scene will be seized depending on the orders of the court, for checking useful evidences which proves who is involved in this case.
1.5 Those involved
The people and company involved in the case are represented below:
Mr. Fredrick Gleason is the only suspects involved in this case.
1.6 Technical Terms and Explanations
The technical terms are listed in the glossary part present in the appendix. The photographs related to the evidences are represented in the appendix’s Photographs section, for helping to understand the case.
1.7 Tools used for Examination of the evidence
To carry out this investigation and help in examining the evidence, the Wireshark and xry are the tools used.
Addressed Problems
This investigation’s primary objective refers to retrieving the USB data storage device’s forensic image. As per the provided case, the USB storage device should be processed by the forensic imaging technician, for obtaining the forensic image. Thus, here the USB data storage device’s forensic image should be recovered. Further, the copied Data in the USB will be determined. The required investigations will be conducted for determining that the hidden data is present in the USB storage device, along with the facts and reasons for the theft.
2.1 Purpose
To find the problems which will be addressed in this report. The first problem is about Mr. Fredrick Gleason’s involvement in defrauding the members of the general public and check his involvement in this issue. The spot light of this investigation is on Mr. Fredrick Gleason’s involvement in defrauding the members of the general public and checks his involvement in the case. The investigation takes place in Mr. Gleason’s office, as it is considered as the crime scene. So, this project retrieves the forensic image from the device like, the USB data storage. Because, Mr. Fredrick Gleason’s was used that USB device. So, as per the provided case, the storage device like USB was processed by the forensic imaging technician, for obtaining the forensic image.
My Investigation of the Facts
It is a fact that despite the investigations, recordings and methodology are conducted correctly, the facts as separate when compared to the opinions. It has to be noted that, generally the LAWYERS CROSS-EXAMINE THE EXPERT WITNESS FOR DISCREDITING the information, analysis, strategy, records, examinations, estimations, presumptions and so forth. This section builds up the establishment of actuality whereupon you will base your finial opinion.
I have investigated certain facts from the seized digital artefacts, the following are the collected facts:
Case Information are shown below.
Case Information:
Acquired using: ADI3.4.0.1
Case Number: ctec5806-17
Evidence Number: USB1
Unique description: DMU 2 GB usb dd image
Examiner: jf
Notes:
————————————————————–
Information for I:DMU usb dddmudd:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 252
Tracks per Cylinder: 255
Objective
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 4,057,088
[Physical Drive Information]
Drive Model: USB 2.0 Flash Disk USB Device
Drive Serial Number:
Drive Interface Type: USB
Removable drive: True
Source data size: 1981 MB
Sector count: 4057088
[Computed Hashes]
MD5 checksum: 1e9cdfe18e631fa87157499f56325683
SHA1 checksum: 9bcd096b83bd64e43d072da8f655a2d0e2d66fed
Image Information:
Acquisition started: Thu Feb 16 10:03:50 2017
Acquisition finished: Thu Feb 16 10:05:26 2017
Segment list:
I:DMU usb dddmudd.001
I:DMU usb dddmudd.002
Image Verification Results:
Verification started: Thu Feb 16 10:05:26 2017
Verification finished: Thu Feb 16 10:05:33 2017
MD5 checksum: 1e9cdfe18e631fa87157499f56325683: verified
SHA1 checksum: 9bcd096b83bd64e43d072da8f655a2d0e2d66fed: verified
First, user needs to open the DD image file on digital forensics tool. The below screenshot is used to shows the case information details. Here, enter the case name as ctec5806-17. After, click the next button to proceed the analysis.Once case information are checked, after select the type of data source to add the information in the tool. Here, we are choose the image file which has unallocated space. Next, press the button Next for selecting the data source, as illustrated below.
Here, we are select the data source that is browse the data source path. It is shown below.After, click the next button configure the ingest modules for the case. Here, we are check the all the file are selected. Once, files are selected then press on the button Next for adding data sources, as represented in the below image.
Then, we are add the data sources successfully to click the finish button to proceed the analysis. After, click the OK button to open the DD image file on digital forensics tool. It is illustrated as below.
The DD image file is successfully opened on digital forensics tool. It is shown below.
User first needs to identify the MD5 hash number to proceed the analysis but, the provided the DD image file doesn’t contain MD5 hash number. For identification of MD5 hash number by using the WinHD5 tool. This tool is used to recognize by utilizing the hash number on DD image file. So, WinHD5 tool should be downloaded and installed. Next, winHD5 tool must be opened. Followed by uploading the provided DD images, as represented in the below image.After, winHD5 tool gives MD5 hash value for the given DD image file, as represented in the below image
3.1 First Investigation
We are going to outline the proof for the provided DD image. So, user needs to create the keyword for the DD images to determine the related files on the provided DD images. The Identified keywords are illustrated as below.
On Autopsy Creating the Keyword List
To create the keyword list on forensic tool by clicking the keyword list and select the manage lists. It is represented as below.
After, click the new keyword list to enter the identified the keyword and it is demonstrated as below.
Once enter the keyword, after select the type of keywords as substring match. Then, click the Ok button. It is represented as below.Finally, keyword list is successfully created and it is represented as below.After, enter the created keyword as, keyword list. Then, ISIC keyword must be entered, which is given in the file related to ISIC. It is illustrated as below.
Those involved
After, user needs to run the ingest module on the device. It is represented as below. Here, we are click the tools to select the ingest modules.After, user needs to unselect the all the modules, only select the ingest modules and also select the created keyword lists. Then, click the Finish button. It is represented as below.
After, view the DD images file with the help of the keyword list like unallocated file. It is provide unallocated related files. It is represented as below.
The, use the DD image file to click information sources, as represented in the below image.
Right click on the information sources on selected file. Then, select the properties. This process is sued to display the information sources related data. It is shown below.
The last analysis stage identifies whether all the file relate with the carried out investigation or not, as shown in the below image.
3.2 Phase of Documentation on the Provided DD image file
The important documents are represented in the appendix containing the list of documents (Criminal experts (CPS Disclosure Manual Annexe K).
Here, we are going to utilized the document are presented in the provided DD image file. To use keyword list to identify the related document in the image file. The provided DD image file has three word document where the initial word document record comprises of 20480 records and 15 is the Internal ID, which is demonstrated as follows.58368 file is the size of the second word document and 20 denotes the internal ID, as represented below.most 11477 files are present in the third word document and 9 refers to the internal ID, as illustrated below.The specified DD image file covers 6 images, which are analysed in the underneath image.
3.3 Evidence Searching
` Here, we are going the searching the evidence for encrypt and identify the imported advanced proof to analysis the provided the DD image file by using the keyword list. It is represented as below.In keyword lists type the SIC pictures record is demonstrates the accompanying picture (Sammons, 2015).
This process is used to utilize the totally important analysis concerning with fake ISIC cards. Once utilization of advanced proof is completed, after this information will be added to the book mark. To book mark a proof by right click the selected file and choose the outcomes and also choose the label records for click the book mark. It is shown below.Likewise, the counterfeit ISIC cards must be examined as illustrated below.With the help of keyword search, search the ISIC counterfeit cards, as illustrated below.
Open in the external viewer, so as to open the image files.Next, again check the file to generate new keyword list, as it is beneficial in the digital investigation. The below figure illustrates the creation of keyword list.This keyword list is presented in the Later, on the keyword search identify a keyword such as sheetal, which denotes a customer. This step is illustrated in the below figure.Finally, all the proofs are placed in the USB drive and researched the documents are copied and transferred into the USB drive through the computer. So, this computer is requires to explore and uncover the important proof.
Technical Terms and Explanations
My opinion
According to my investigation, the following are the points which show my opinion: The recovery of data could be beneficial to examine the large range of methods. Some of the data stays introduced though the Data is erased or the USB repartitioning takes place. Moreover, there exists various substitutional methods for the offenders who are specialized are aware how the data can be shrouded, for the utilizing the most part of the USB administration, encryption, stenography etc. Discovering, recuperation and remaking of concealed data could be highly difficult and complex process, but at times it could be proved easily, when the case is split.
Thus, to completely see how and why Data stay on a plate, one must find out the idea to put away the data on the USB storage device. USB part refers to a unit of settled size which is characterized when the record framework is made (basically 512 bits). More seasoned hard USBs might contain certain ‘squandered’ storage room outwardly tracks, as each track intelligently is separated to break divisions of even number. At times it is conceivable to shroud the data in the space among the areas on the bigger outside tracks, called as division hole. Some of the data recuperation administrations could contain the capacity of finding and recovering the data which is covered up in this hole, such as the deleted records and the slack space.
While the working framework composes the document for the USB, it dispenses some particular segment number. The quantity of areas designated depends on the working framework’s restrictions as well as the choices of setup taken by the overseer of the framework. The areas assigned and their area on the plate are recorded in the registry table for future access. During the situation where the record is deleted, the space initially dispensed to it is essentially set apart as unallocated. The genuine Data stays on the USB.
Compliance Statement
I comprehend my obligations as the specialist witness for the court. I followed the obligation and will continue to keep on consenting. The following report incorporates all the issues important to for the issues on which my master proof is provided. I have tended this answer for the court. Additionally, I comprehend that my obligation to the court repels any form of commitment for gathering from whom I got the guidelines.
Conflicts Statement
I affirm that I have no irreconcilable situation of any type, other than which I have officially set out in this report. I don’t consider that any intrigue which I have unveiled influences my reasonableness to give master proof on any issue on which I have given proof and I will prompt the gathering by whom I am told if, between the date of this report and the preliminary, there is any adjustment in conditions which influences this announcement.
I affirm that I have no irreconcilable circumstance of any sort, other than any which I have officially set out in this report. I don’t consider that any intrigue which I have revealed influences my reasonableness to give master proof on any issue on which I have given proof and I will prompt the gathering by whom I am told if, between the date of this report and the preliminary, there is any adjustment in conditions which influences this announcement.
{{This statement of conflicts is mandatory. Practice Direction 25, Family Procedure Rules 2011 I affirm that I have clarified which actualities and matters alluded in the following report are my insights and they are not definitely not others insights. The insight which are within me, I affirm to be valid. The following assessments which I have communicated speak to my actual and finish the proficient sentiments of the issues to which they allude.