Digital Forensic
Computers are bad in keeping secrets. Right Turn Security use this weakness to protect Business Assets and Investigate Cyber Crime & Fraud . Our Team is X.R.Y Certified for mobile and other digital device investigations. Our Team is trained by UK law Firm Bond Solon for Report writing and Court room skills
Mobile Forensics
Decryption Services
Password Recovery
DVR/Video Forensics
Network Forensics
Cloud Forensics
Digital Forensic Training
- Syllabus based on MSAB
- UK Certified Trainers
- Job Training
- UK Law Based Court Room Skills
- Professional Report Writing
Our Techniques and Tools Used in Digital Forensic
- FTK-Imager: This tool creates the single image file of the complete disk, to perform a forensic investigation on it.
- Write Blocker: This tool helps to maintain the integrity of the seized device during the acquisition of data from the device to the system.
- Autopsy: This software is used by Forensic investigators to find the hidden evidence from seized digital artefacts.
- Encrypted codes: A document written in special codes to make information secure.
- Master Boot Record(MBR): It is a record present in the first sector of the Hard disk. It gives information about the Operation System.
- Hex editor: It is a tool used to edit the binary data of a file. It supports most of the file formats.
- Virtual Box: It is a tool used to run different operating systems at the same time in a system
- Phishing Email: These are the emails send by cybercriminals to trick the people. These attacks are performed to gain personal information.
- Ransomware: It is a form of malicious program, which stops the user to access their system and demands for money to regain access.
Digital Forensic Case Study
(Step 1 )Write Blocker
In the field of digital forensic, it is very important to perform any investigation without damaging the original evidence. Write blocker is one a tool, which is used in most of the forensic investigations. This device stops the inadvertent disk writes, to maintain the integrity of the device. It provides an interface to connect digital artefacts with the user system. It is of two types of software and hardware. In this investigation hardware type was used. All seized digital artefacts from the crime scene were connected with the Lab
system through a Write blocker. Write blocker helped to create Images of the data without any loss of data.
(Step 2) Creating Images with FTK Imager
This software is used in the forensic investigation to create logical or physical disk images. It generates the MD5 and SHA checksum values before the imaging process, to validate the data integrity of the disk. In this case. FTK Imager is used to create images of 160 GB Hard disk, 80 GB hard disk, Hidden USB and Bottle opener shaped USB. The Image format selected for 160 GB Hard Disk was RAW DD. On the other side, the E01 format was selected for Both USB and 80 GB Hard disk images. After the imaging process, MD5 and SHA-1 values of all the images were checked to confirm their integrity. It is safe to perform an investigation with the created images, if anything goes wrong during the investigation we can create a new image from original evidence.
(Step 3) Autopsy
This tool is based on investigating the data inside the created disk images. Most of the investigators, use autopsy tool, to perform an investigation on cases. This tool sorts the disk data in the proper structural form, which makes it easy to use. The basic functions of this tool are Timeline analysis, Hash Filtering, Keyword Search, Web Artefacts, Data Carving, Multimedia and Indicator of compromise. In this case, I used autopsy to analyse disk images created by FTK Imager. I created the case and load the disk images of 160 GB hard disk, 80 GB Hard disk, 2GB hidden Pendrive and Bottle opener shaped USB Drive. During analysation, my aim was to retrieve every single evidence from the disk images. The easy user interface with default subcategories helps to deeply investigate the evidence. All the evidence was found from160 GB Hard disk and 2 GB
hidden USB Drive. This evidence was further analysed by extracting from the image file. In the investigation of hidden USB, autopsy tool used to find the hidden partitions with the help of MBR files. Which further results in finding the Virtual machine in 160 GB Hard Disk. It also contains Ransomware files and phishing templates. All these files were the main evidence for the case. The 80 GB Hard Disk and Bottle opener shaped USB were also analysed by autopsy tool. But both did not contain any evidence. This tool helped to find all the major evidence in this case