
CYBER FORENSICS DIGITAL ASSIGNMENT:

NAME: RISHI.G.G
REG. NO. : 18BCI0125.

QUESTION 1:

Recovery of some pictures that were deleted on a USB.

Step 1: Insertion of a pendrive. As we can see, the pendrive was inserted.
Step 2: Open a terminal and type “fdisk -l” to get the location of the external USB.
Step 3: Now that we have the details of the USB, go to the location where we want the pictures to be restored. I have created a separate empty folder called ‘forensics’ on the desktop. That folder is now empty (I have shown it using the ls command, which shows there are no files in it). After the recovery the folder forensics will contain the recovered pictures. We use the command “recoverjpeg /dev/sdb”. Wait for a few minutes.
Step 4: We can see that 207 pictures were recovered. Now we go to the folder directly to check whether the pictures were restored or not.
RESULT: WE HAVE RECOVERED 207 PICTURES WHICH HAD ALREADY BEEN DELETED ON THE USB. WE CAN SEE THAT IN THE SCREENSHOT ABOVE.
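The steps above work because deleting a file only drops its directory entry; the JPEG data stays in the device's blocks until something overwrites it, and a carver finds it again by its byte signature. The following is an added example illustrating that idea, not recoverjpeg's own code: it scans a raw image for the JPEG start-of-image marker, walks the marker segments to the matching end-of-image, and writes each hit out as its own file. The sample "USB stick" it runs on is constructed in `build_sample_image()` (marker-correct JPEG skeletons, not real pictures); `carve_file_to_dir` is the hypothetical entry point you would run on a dd copy of a device.

```python
"""
Added example (not recoverjpeg's code): signature-based JPEG carving.
Scan for FF D8 FF (SOI), parse the segment chain to the real FF D9 (EOI),
and save the span.  Truncated files (tail overwritten) are skipped.
"""
import os
import struct

SOI = b"\xff\xd8\xff"   # start of image, always followed by another marker
EOI = b"\xff\xd9"       # end of image

def jpeg_end(image: bytes, start: int):
    """Exclusive end offset of the JPEG beginning at `start`, or None if it is
    not well formed (truncated, overwritten, or not a JPEG at all)."""
    n = len(image)
    pos = start + 2                      # skip the SOI marker itself
    while pos + 2 <= n:
        if image[pos] != 0xFF:
            return None                  # expected a marker, found data
        marker = image[pos + 1]
        if marker == 0xFF:               # fill byte, keep looking
            pos += 1
            continue
        if marker == 0xD8:               # a new SOI: this file was cut short
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                     # standalone markers carry no length
            continue
        if marker == 0xD9:
            return pos + 2               # EOI before any scan: unusual but complete
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", image[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len               # marker + length-prefixed payload
        if marker != 0xDA:
            continue
        # Start-of-scan: entropy-coded data follows.  Inside it, 0xFF is only
        # ever followed by 0x00 (byte stuffing) or an RSTn marker; anything
        # else is a real marker and ends the scan.
        while pos + 1 < n:
            if image[pos] == 0xFF:
                nxt = image[pos + 1]
                if nxt == 0xD9:
                    return pos + 2       # the real EOI
                if nxt == 0xD8:
                    return None          # ran into the next file: truncated
                if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                # another segment (e.g. DHT): back to segment loop
            pos += 1
        else:
            return None                  # end of device inside scan data
    return None

def carve_jpegs(image: bytes) -> list:
    """Return [(offset, bytes), ...] for every complete JPEG in `image`."""
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return found
        end = jpeg_end(image, start)
        if end is None:
            pos = start + 1              # bad candidate; keep scanning past it
            continue
        found.append((start, image[start:end]))
        pos = end

def carve_file_to_dir(image_path: str, out_dir: str) -> int:
    """Hypothetical entry point: carve a device image (e.g. a dd copy) into out_dir."""
    with open(image_path, "rb") as f:
        image = f.read()                 # fine for a USB stick; stream for large disks
    os.makedirs(out_dir, exist_ok=True)
    carved = carve_jpegs(image)
    for i, (offset, data) in enumerate(carved):
        with open(os.path.join(out_dir, f"image{i:05d}.jpg"), "wb") as out:
            out.write(data)
    return len(carved)

def minimal_jpeg(scan_data: bytes) -> bytes:
    """Constructed marker-correct JPEG skeleton (SOI, APP0, SOS, data, EOI).
    It is not a decodable picture, only test input for the carver."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan_data + EOI

def build_sample_image() -> bytes:
    """Constructed 'USB stick': two intact JPEGs, one JPEG whose tail was
    overwritten, and unrelated filler between them."""
    truncated = minimal_jpeg(b"\xab" * 20)[:-2]            # EOI overwritten
    return (b"\x00" * 512
            + minimal_jpeg(b"\x12\x34\xff\x00\x56")        # contains a stuffed FF 00
            + b"\xde\xad" * 100
            + truncated + b"\x00" * 64
            + minimal_jpeg(b"\x99" * 40)
            + b"\x00" * 512)
```

Walking the segment chain rather than stopping at the first FF D9 matters: a stuffed FF 00 or an EXIF thumbnail's own EOI would otherwise cut the file short, and the truncated-file check stops one overwritten JPEG from swallowing the next one on the device.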
QUESTION 2:

A DISK IMAGE WAS DOWNLOADED RANDOMLY FROM ONLINE.


Case Scenario
Today is September 15, 2004.  The time is 3:15 PM. Mr. Jim Boss, the owner of
the Really Big Company called and you responded to his office.  Mr. Boss
advised that he suspected that his assistant, Emma Crook, was providing
company sensitive material to some of his competitors. At 2:00 PM today he
confronted Ms. Crook with his suspicions. He told her that he would be back at
3:00 PM for an explanation. When Mr. Boss arrived back at Ms. Crook's office at
3:00 PM, she was gone.  Her office was completely cleaned out of all of her
belongings. Mr. Boss tried to turn on Ms. Crook's computer, but it would not
boot. Mr. Boss found a floppy diskette in the trash can.  Mr. Boss wants you to
examine the computer and the floppy diskette and to tell him exactly what Ms.
Crook was up to.  He is willing to pay for a 100% thorough examination.  "Leave
no stone unturned" as he said.

You examined the computer and found that the hard drive was missing.  The
computer was not networked.  Your only evidence, if any, will be on the floppy
diskette.  You checked the system clock and it was accurate to within one
minute.

I used a carving tool called “foremost”, which is a carving utility. Using this on the above-mentioned image file I found 4 extracted files, of which 3 are docx files. Below are screenshots that show the command used for running foremost and the final results produced by foremost.
Now we use a tool called exiftool. ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, and video metadata. So we use this tool to find out more.
I don't have this tool, so I install it first.

Exiftool on first document:

From this we can see the metadata, and we see that the document’s original name was “Magna Carta.doc”.
The author’s name is “Emma crook”.
The company name is “Really Big Company”.
The document was last saved on 9/15/04 at 2:22 PM.

Exiftool on second document:

We used the same tool and identified that the document was originally called "Gettysburg Address.docx"; it was last modified at 2:25 PM on 9/15/04.
The author and the company were the same as in the first document’s metadata, that is Emma Crook and Really Big Company.

Exiftool on third document:

We can see the metadata again. This document has more suspicious data. Thus we have the metadata of the document.

Exiftool on fourth file:

Nothing much suspicious in this fourth file.
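The fields ExifTool reported above (title, author, company, last-modified time) are stored inside the document itself: a .docx is a ZIP package, and those values live in docProps/core.xml and docProps/app.xml. The following added example, which is not ExifTool's code, reads those same fields directly and then checks whether the last-modified time falls inside a window of interest, the kind of timeline check the conclusions rely on. The sample document is constructed in `build_sample_docx()` with values mirroring the report's second file (the UTC timestamps are assumptions, chosen to match the reported clock times); the older binary .doc format keeps its properties in an OLE2 SummaryInformation stream and is not handled here.

```python
"""
Added example (not ExifTool's code): read OOXML document properties
straight from the package and test a timestamp against a time window.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

def read_docx_metadata(data: bytes) -> dict:
    """Return the core/app properties of a .docx given as raw bytes."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in (("title", "dc:title"),
                              ("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created"),
                              ("modified", "dcterms:modified")):
                el = core.find(path, NS)
                if el is not None and el.text:
                    meta[key] = el.text
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            el = app.find("ep:Company", NS)
            if el is not None and el.text:
                meta["company"] = el.text
    return meta

def parse_ooxml_time(value: str) -> datetime:
    """dcterms times are W3CDTF, normally 'YYYY-MM-DDTHH:MM:SSZ' (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def modified_within(meta: dict, start: datetime, end: datetime) -> bool:
    """True if the document's last-modified time lies in [start, end].
    Note: these properties are written by the editing application and can be
    changed by the user, so corroborate them with filesystem timestamps."""
    return start <= parse_ooxml_time(meta["modified"]) <= end

# Constructed sample parts (values mirror the report; timestamps assumed UTC).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Gettysburg Address</dc:title>
<dc:creator>Emma Crook</dc:creator>
<cp:lastModifiedBy>Emma Crook</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2004-09-15T13:40:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2004-09-15T14:25:00Z</dcterms:modified>
</cp:coreProperties>""" % (NS["cp"], NS["dc"], NS["dcterms"])

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%s">
<Application>Microsoft Office Word</Application>
<Company>Really Big Company</Company>
</Properties>""" % NS["ep"]

def build_sample_docx() -> bytes:
    """Constructed minimal .docx containing only the parts needed here
    (a real document also carries [Content_Types].xml, rels, and word/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()

if __name__ == "__main__":
    m = read_docx_metadata(build_sample_docx())
    for k, v in m.items():
        print(f"{k:18} {v}")
```

On a carved file, `read_docx_metadata(open(path, "rb").read())` gives the same creator, company and modified values ExifTool prints, and `modified_within` turns "last saved at 2:25 PM" into a checkable statement against the 2:00 PM to 3:00 PM window from the case scenario.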

CONCLUSIONS:
ALL THE ABOVE-MENTIONED METADATA IS RECORDED AND DOCUMENTED AND GIVEN TO THE BOSS OF THE COMPANY. THE MAJOR PROOF IS “formatting of the disk happened on 9/15/04 between 2:28 PM and 3:00 PM.”
THIS CAN BE FOUND IN THE ABOVE SCREENSHOTS.
PS:
NOTE:
THE WEBSITE THAT PROVIDED THE DISK EXPECTED SOME ANSWERS. THOSE ARE GIVEN IN THE SCREENSHOT BELOW.

RESULTS:
THE REQUIRED EXPECTATIONS HAVE BEEN MET BY MY INVESTIGATION.
---------------------CASE CLOSED-----------------------
