Validating and Testing Digital Forensics Tools and Evidence

Introduction to Mr. Ben Walter Case Study 

My name is Mr. Ben Walter. I am an attorney who co-owns the prestigious firm called Kirkland & Watkins, located in New Mexico, United States. For the last 14 years, our firm has been helping the public through its law procedures. We are undertaking some Govt. law matters too. I have a secretary called Hanks Miller, who joined recently. One afternoon a week ago, a certain client whom I have helped in the past came to my office. He is serving as a manager in the Marine and Engineering Dept. of the USA. He discussed the matters in a hurry and explained some employee provident fund transaction problems he is facing. He wants my firm to take care of the matter. The fund should be wired to all respective employees within 2 days by taking care of the law activities. To my astonishment, he handed me a picture on a pen drive which includes the employee details and the information necessary for the fund transfer, like transaction ID and passwords.

Even though I was a little reluctant initially, I took the matter and assured my friend that our firm would take care of the legal matters and make sure the fund would reach all the persons within the stipulated time. I passed these details to my secretary and told him to get all the information from the pen drive and move on to the procedures by the next day. The next morning when I reached the office my secretary was not present, which was a little odd because it was well past his morning time. I saw the pen drive on his table. I connected it to my laptop and saw that it was empty. My secretary had committed petty theft by stealing people's money and vanished. To prove he is guilty, I have to show that the pen drive contained the information which he used for his theft. But he wiped out all the information. How can deleted files be taken back from a memory device? Finally, I decided to meet some forensic experts. Fortunately, my client had taken a picture of the contents of the pen drive on his cell phone. I placed these photos, which I am attaching below for reference, in front of the forensic people.

The points to consider when choosing a data acquisition method

The following points are considered before choosing a data acquisition method.

Digital Footprint

Data recovery is the term used by forensic experts for recovering deleted, formatted, damaged, or hidden data from any memory device. In this case, the data was purposefully deleted. But deleted data does not immediately disappear from the physical drive. This is called a digital footprint. The references to the file are removed, and the space is later overwritten by other data. So if the files have not been overwritten, the chances of getting them back are good. Some data recovery methods may overwrite files, which could cause loss of data.

File System

The original file may exist as fragments that can be recovered by complex methods. This requires an understanding of the file system and partition size used by the pen drive. There are two main file system formats, called File Allocation Table (FAT) and New Technology File System (NTFS). The two file systems use different methods to represent the stored data, so understanding the file system is important before attempting to acquire the deleted files.

The Physical Characteristics of Flash Memory

Understanding the physical characteristics of flash memory, such as a pen drive, is also important. Information is written to flash memory as in Electrically Erasable Programmable Read-Only Memory (EEPROM), but erasing happens in blocks. Erasing a block fills the area with binary 1s. Blocks are then divided into pages or zones. A block or zone can be erased many times, but it may leave behind clues to the erased data [1].

Methods to Preserve the Data

Encrypt the Pen Drive

One of the methods to prevent data loss from the pen drive is to use a good encryption method. Encryption blocks accidental deletion of data and protects against unauthorized use of it. Many encryption tools are available; BitLocker, FileVault, KriptOS, and TrueCrypt are some examples.

BitLocker is developed for the Windows operating system only. It uses the Advanced Encryption Standard (AES) for data encryption and encrypts the entire volume of the flash drive. FileVault is designed for macOS and encrypts the home directory only. TrueCrypt encrypts files before they are written and decrypts them before they are loaded. It uses AES for encryption and is particularly suitable for flash drives.

Create an Image of The Pen Drive

Another method to preserve data is to create a clone of the pen drive. Many free tools, such as MiniTool ShadowMaker, are available to make an image of the flash drive. The image can be written back to the pen drive if the data is erased accidentally or on purpose.

Methods for acquiring images

Magnetic Force Microscope

This method is useful if the flash drive has been overwritten by other data. The data is written on a magnetic memory on a pen drive. The magnetic force microscope [2] contains a magnetic tip and measures the interaction between the tip and the stray magnetic field from the magnetic memory. The magnetic servo handles writing the data to the magnetic memory. When a pen drive is overwritten, some of the earlier data may still exist. This is because of the servo's placement and the spindle run-out. It is possible to detect these changes and recover the previous data. Figure 2 shows the MFM image. The MFM method is a very slow process, and complex image processing algorithms are still required to finally reconstruct the data.

File Recovery Through Analysis of The Info About Files and Folders

It is evident that deleted data is not actually removed from the physical medium; only its references are removed. The actual data space is left available for overwriting. If the files are overwritten, the MFM method described above can be used. If the data is not overwritten, file recovery uses the info about files and folders. This is information recorded about a file when it is written to the pen drive. It contains the file name, size, address, and exact physical location of the data on the pen drive. The recovery process uses this information to recover the actual data. If the info records are damaged, the method searches the data part of the disk for additional information about the files. By collecting all this information, the recovery process recreates the original file [3].
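
The recovery step described above, shown for a FAT volume as an added example (not part of the original case study): a deleted directory entry keeps its size and starting cluster, and only the first byte of the name is replaced with 0xE5. The image, file name and file content are constructed for illustration, and the file is assumed to be stored in contiguous clusters.

```python
import struct

def build_sample_image():
    """Constructed FAT16-style image: boot sector, one FAT, root dir, data."""
    img = bytearray(512 * 8)
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors,
    # FAT count, root entries, total sectors, media byte, sectors per FAT
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 1, 16, 8, 0xF8, 1)
    root, data = 512 * 2, 512 * 3          # root dir sector, first data sector
    content = b"txn_id=CONSTRUCTED-001\n"  # constructed file content
    # Deleted entry: first name byte is 0xE5; start cluster and size survive
    img[root:root + 32] = (b"\xE5UNDS   TXT" + b"\x20" + bytes(14)
                           + struct.pack("<HI", 2, len(content)))
    img[data:data + len(content)] = content  # cluster 2 = first data cluster
    return bytes(img)

def find_deleted(img):
    """Return (name, size, data) for each deleted root-directory entry."""
    bps, spc, reserved, nfats, nroot, _, _, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    root = (reserved + nfats * spf) * bps
    data = root + -(-nroot * 32 // bps) * bps   # root dir rounded up to sectors
    found = []
    for off in range(root, root + nroot * 32, 32):
        e = img[off:off + 32]
        if e[0] == 0x00:                    # 0x00 marks end of directory
            break
        if e[0] != 0xE5 or e[11] == 0x0F:   # skip live and long-name entries
            continue
        cluster, size = struct.unpack_from("<HI", e, 26)
        start = data + (cluster - 2) * spc * bps
        if cluster < 2 or start + size > len(img):
            continue                        # metadata points outside the image
        # First character of the name is lost; shown as "?"
        name = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        # Assumption: file was stored in contiguous clusters (the FAT chain
        # is cleared on deletion, so fragmentation cannot be followed here)
        found.append((f"{name}.{ext}", size, img[start:start + size]))
    return found

if __name__ == "__main__":
    for name, size, data in find_deleted(build_sample_image()):
        print(name, size, data)
```

The function only reads from the bytes it is given, so it is meant to be run against an image of the pen drive rather than the device itself.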

References for Mr. Ben Walter Case Study 

[1]. Y. Guo and J. Slay, “Data Recovery Function Testing for Digital Forensic Tools,” Advances in Digital Forensics, vol. VI, pp. 297-311, Jan. 2010.

[2]. L. Abelmann, A. van den Bos and C. Lodder, “Magnetic Force Microscopy — Towards Higher Resolution,” in Magnetic Microscopy of Nanostructures, Berlin: Springer, 2005, pp. 253-283.

[3]. r-studio, “File Recovery Basics” in How Data Recovery Works, January 2020. [Online]. Available: https://www.r-studio.com/file-recovery-basics.html. [Accessed: August 04, 2020]
