Digital forensic | My Assignment Tutor

Assessment 1a, MN624 Digital Forensic
Submitted by: Rupesh Bardewa, MIT201716

[Question 1] Answer:

a. Larry Jo Thomas, 2016. Thomas was found guilty of killing Rito Llamas-Juarez during an attempted robbery. The two had arranged to meet through the OfferUp app so that Llamas-Juarez could buy an iPhone that Thomas had listed for sale. According to eyewitnesses, each side had brought two other people to the transaction. Thomas then drew a gun and said, "Give us everything you have." Testimony states that he then shot Llamas-Juarez, who was sitting in the passenger seat of the car. After the killing, one of Llamas-Juarez's relatives fled on foot and the other drove away in the car with him.

b. Those involved in the crime were Rito Llamas-Juarez, Larry Thomas and the relatives of Llamas-Juarez who were with him. According to a witness, Llamas-Juarez was in the passenger seat when three men in their early twenties approached the car, one of them trying to hide a rifle under his jacket. After a brief conversation, witnesses said, one of the men pulled the rifle out of his jacket, pointed it at Llamas-Juarez and shot him once. The victim was therefore Llamas-Juarez. Electronic and mobile-phone data were used to identify Thomas as a suspect in the killing.

c. Investigators were able to link Thomas to the murder through material he had shared on his Facebook account. The IMPD connected the OfferUp account used to list the phone to a Facebook account with the handle "Slaughtaboi Larro", on which Thomas had posted pictures of himself holding an AR-15 rifle. Ammunition of the same kind as that used to kill Llamas-Juarez was found at Thomas's home, and a bracelet found at the crime scene matched one Thomas was wearing in one of the pictures.

d. For this case I would use the two data acquisition approaches of logical acquisition and sparse acquisition.
If there is a time constraint, investigators use logical or sparse acquisition rather than a full copy to gather data from very large drives.

Logical acquisition: Logical acquisition extracts logical storage objects, such as files and folders, from a file system. On a mobile phone it is usually performed through the manufacturer's application programming interface, the same interface used to synchronise the phone's contents with a computer. Many forensic tools can perform a logical acquisition, and the data it collects is much easier to organise and present.

Sparse acquisition: Sparse acquisition is close to logical acquisition, but investigators can also use it to collect fragments of unallocated (deleted) data. It is useful when examining the entire drive is not practical.

Both methods copy only part of the medium, so neither yields an image whose hash can be checked against the whole source drive, and a logical acquisition will not recover deleted data at all. Where time and hardware allow, a full physical (bit-for-bit) image remains the preferred evidence source.

e. The following techniques are used to analyse digital evidence in crimes such as this one:

Drive imaging: Investigators must first image the source before they can begin assessing the evidence. Drive imaging is the forensic process of producing a bit-by-bit copy of a drive. This forensic image of the digital media preserves the evidence for the investigation. Investigators should be aware that important data to be found and catalogued during examination can be present even on drives that appear to have been wiped; in the best case, forensic techniques can recover the deleted data.

Hash values: When an investigator images a drive, cryptographic hash values (MD5, SHA-1) of the image are computed. A hash value validates the authenticity and integrity of the image as an exact copy of the original media. Because changing even a single bit of data produces a different hash value, hash values are important, especially for admissibility in court. A file's hash likewise changes whenever the file is created or edited on a machine.
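As an added illustration (example code written for this page, not part of the original assignment and not taken from any forensic tool), the following Python script builds a small constructed "drive" with an allocation table and runs the approaches discussed in parts (d) and (e) over it: a physical bit-for-bit image verified by hash, a logical acquisition that copies only the allocated files, and a sparse acquisition that also collects non-empty unallocated blocks. The block size, file names and block contents are assumptions made for the example; the script also shows that flipping a single bit of the image makes hash verification fail.

```python
import hashlib

BLOCK = 512      # block size of the constructed drive (assumption for the example)
NBLOCKS = 8      # 8 blocks, 4 KiB in total


def build_sample_drive():
    """Build a constructed 4 KiB "drive" (illustrative data, not evidence from the case).

    Returns (drive, file_table): drive is a bytearray; file_table maps each
    file name to the blocks the file system says it occupies. Block 6 holds
    leftover content from a deleted file: it is absent from file_table, so a
    purely logical view of the file system never sees it.
    """
    drive = bytearray(BLOCK * NBLOCKS)
    file_table = {"notes.txt": [1, 2], "listing.txt": [4]}
    contents = {
        1: b"buyer will meet in the parking lot ",
        2: b"bring the phone box and the receipt",
        4: b"iPhone for sale, meet in person",
        6: b"deleted chat: change the meeting place",   # unallocated, still on disk
    }
    for blk, data in contents.items():
        drive[blk * BLOCK:blk * BLOCK + len(data)] = data
    return drive, file_table


def block_bytes(drive, blk):
    """Content of one block with its zero padding removed."""
    return bytes(drive[blk * BLOCK:(blk + 1) * BLOCK]).rstrip(b"\x00")


def physical_image(drive):
    """Bit-for-bit copy of every block, allocated or not, read in block-sized
    chunks the way an imaging tool streams a device."""
    image = bytearray()
    for off in range(0, len(drive), BLOCK):
        image += drive[off:off + BLOCK]
    return bytes(image)


def hash_image(data):
    """Digests an examiner records for an image: MD5 and SHA-1 for older
    tooling, SHA-256 because the first two are no longer collision resistant."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_image(source, image):
    """True only if the image is an exact copy of the source (SHA-256 match)."""
    return hashlib.sha256(bytes(source)).digest() == hashlib.sha256(bytes(image)).digest()


def logical_acquisition(drive, file_table):
    """Copy only the objects the file system reports: the allocated files."""
    return {name: b"".join(block_bytes(drive, b) for b in blocks)
            for name, blocks in file_table.items()}


def sparse_acquisition(drive, file_table):
    """Logical acquisition plus every unallocated block that still holds data,
    returned as (block number, fragment) pairs under the key "unallocated"."""
    acquired = logical_acquisition(drive, file_table)
    allocated = {b for blocks in file_table.values() for b in blocks}
    acquired["unallocated"] = [(b, block_bytes(drive, b)) for b in range(NBLOCKS)
                               if b not in allocated and block_bytes(drive, b)]
    return acquired


if __name__ == "__main__":
    drive, table = build_sample_drive()
    image = physical_image(drive)
    print("image verified:", verify_image(drive, image))
    print("sha256:", hash_image(image)["sha256"])
    print("logical sees:", sorted(logical_acquisition(drive, table)))
    print("sparse recovers:", sparse_acquisition(drive, table)["unallocated"])
    tampered = bytearray(image)
    tampered[0] ^= 0x01          # flip a single bit
    print("tampered verified:", verify_image(drive, tampered))
```

Running it shows that the deleted chat fragment in block 6 appears in the physical and sparse copies but never in the logical one, and that a single flipped bit in the image is enough for verification to fail.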
A hash value is not stored alongside a file's other metadata and is not shown in an ordinary explorer window; analysts compute it with dedicated tools. MD5 and SHA-1 are still recorded for compatibility with older tooling, but both are known to be vulnerable to collisions, so a SHA-256 value should be recorded alongside them.

Chain of custody: Investigators should record every transfer of media on chain-of-custody forms, collecting signatures and dates when they take media from their clients and whenever it is handed on. The chain-of-custody paperwork must be kept up to date. It shows that the image has been in an identified person's possession at every moment since it was created. Any break in the chain undermines the legal validity of the image and therefore of the examination.

Some further options for preserving the evidence are given below. The investigator must ask witnesses the following questions:

Who had an interest in this?
What happened?
When was the crime committed?
Where did the crime take place?
What did the suspect look like?

The answers help to build up the details of the suspect, and electronic and mobile-phone data can then be used to confirm them, as in this case.

[Question 2] Answer:

The chain of custody for digital evidence must run from data collection through examination, analysis, reporting and submission to the court. This is what rules out the possibility of the evidence having been manipulated. Evidence can be handled correctly during the forensic procedure and still be compromised when it is passed on to the court, for example if the associated timestamps or metadata are altered. Each phase of the forensic procedure is considered in turn:

Data collection: The chain of custody starts with the first piece of data collected. For each item, the source, how and when it was recovered, where it was stored and who had access to it must be "tagged". In this case, the investigators collected data from witnesses who saw the crime happen in 2016; the shooting took place in a parking lot near 3900 N. Post Road.
According to IMPD investigators, the victim was killed while buying a mobile phone that had been advertised for sale online.

Examination: During the examination, the chain-of-custody records that detail the forensic procedure must be kept. Taking screenshots throughout helps to keep track of the tasks completed and the evidence found. More than 250 Facebook messages were identified as a source of digital evidence during the forensic investigation, as described in the Indiana Court of Appeals decision. On his Facebook page the suspect had posted a photo of himself with an AR-15 rifle.

Analysis: Chain-of-custody details may also need to be recorded during the analysis stage. Thomas was identified as a suspect in the murder using electronic and mobile-phone data. The IMPD Digital Forensics unit carried out the work that linked the defendant to the OfferUp post through his Facebook account.

Reporting: At the reporting stage the chain of custody is set out in a statement describing the tools used, the data sources, the extraction methods, the examination process, and the issues found and how they were addressed. The statement finally declares that the chain of custody was maintained throughout the forensic proceedings and that the evidence is legally admissible. A box of .223 calibre live rifle ammunition, the same kind used to kill Llamas-Juarez, was discovered in Thomas's bedroom closet when a search warrant was executed at his residence. Later, a fingerprint examiner identified Larry Thomas's prints on the inside of the iPhone box found in the victim's car.

In conclusion, on February 29, 2016, the Indianapolis Metropolitan Police Department arrested Thomas, 20, for the shooting death of 50-year-old Rito Llamas-Juarez, according to information released by the IMPD.

[Question 3] Answer:

The following are types of forensic tools:

ProDiscover: ProDiscover is commonly used in computer forensics and incident response.
The product suite also includes diagnostic and evidence-collection features for corporate policy-enforcement audits and electronic discovery. ProDiscover aims to find files and data of interest efficiently; dashboards and timeline views help in quickly locating key information. Examiners are given a wide range of features and integrated viewers for exploring evidence disks and retrieving items relevant to an examination. ProDiscover combines speed, accuracy and ease of use at an affordable cost.
Characteristics:
Windows, Mac and Linux file systems are supported.
Suspicious files can easily be previewed and searched.
It produces a copy of the whole suspect disk so that the original evidence is protected.
It can examine a system remotely over a network.

X-Ways Forensics: X-Ways Forensics is a computer forensic investigation program that provides a complete working environment. The software supports disk cloning and imaging, and allows several examiners to work together in this way.
Characteristics:
It can read partitioning and file-system structures inside raw .dd image files.
It provides access to disks, RAID (Redundant Array of Independent Disks) and more.
It detects lost or deleted partitions automatically.
It can easily identify NTFS (New Technology File System) ADS (Alternate Data Streams).
X-Ways Forensics allows annotations and bookmarks.
It can examine remote computers.

FTK Imager: FTK Imager is the imaging tool from AccessData's Forensic Toolkit (FTK) and is used to acquire evidence. It makes copies of data without altering the original evidence. The wider FTK suite lets the examiner set parameters for excluding irrelevant data, such as file size, pixel size and file type.
Characteristics:
It offers a wizard-driven approach to cybercrime detection.
It provides an improved view of the data through a tree diagram of the evidence.
Password recovery from more than 100 applications is a feature of the full FTK suite rather than of the free FTK Imager, which is limited to imaging and previewing.
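As a further added example, not part of the original assignment or of any of the tools above, the following Python snippet models the chain-of-custody record described under Question 2 as a log of hand-overs, each bound to the SHA-256 hash of the image at the moment of transfer, and checks it end to end: every entry must carry the acquisition hash, each receiver must be the giver in the next entry, timestamps must move forward, and the image presented to the court must still hash to the acquisition value. The image bytes, handler names and timestamps are constructed for the example.

```python
import hashlib
from datetime import datetime


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def custody_entry(when, giver, receiver, purpose, image):
    """One line of the chain-of-custody log. `when` is an ISO-8601 timestamp;
    the hash binds the record to the exact bytes handed over, which is what
    the signatures and dates on the paper form are meant to guarantee."""
    return {"when": when, "from": giver, "to": receiver,
            "purpose": purpose, "sha256": sha256_hex(image)}


def verify_chain(log, acquisition_hash, image_presented):
    """Check a custody log end to end and return a list of problems
    (an empty list means the chain is intact)."""
    problems = []
    if not log:
        return ["empty log"]
    for i, entry in enumerate(log):
        # 1. every hand-over must have been of the bytes acquired at the start
        if entry["sha256"] != acquisition_hash:
            problems.append(f"entry {i}: hash does not match the acquisition hash")
        if i > 0:
            prev = log[i - 1]
            # 2. whoever received the item last must be the one handing it on
            if entry["from"] != prev["to"]:
                problems.append(f"entry {i}: gap in custody between {prev['to']} and {entry['from']}")
            # 3. time must move forward
            if datetime.fromisoformat(entry["when"]) <= datetime.fromisoformat(prev["when"]):
                problems.append(f"entry {i}: timestamp is not after entry {i - 1}")
    # 4. what reaches the court must still be the acquired bytes
    if sha256_hex(image_presented) != acquisition_hash:
        problems.append("image presented does not hash to the acquisition hash")
    return problems


def example_log():
    """Constructed image bytes, handler names and timestamps (not real case records)."""
    image = b"constructed forensic image of the suspect's phone"
    acquisition_hash = sha256_hex(image)
    log = [
        custody_entry("2016-03-01T09:00:00", "crime_scene", "examiner_a", "acquisition", image),
        custody_entry("2016-03-01T11:30:00", "examiner_a", "evidence_room", "storage", image),
        custody_entry("2016-03-04T08:15:00", "evidence_room", "examiner_b", "analysis", image),
        custody_entry("2016-03-10T14:00:00", "examiner_b", "court_clerk", "submission", image),
    ]
    return image, acquisition_hash, log


if __name__ == "__main__":
    image, h, log = example_log()
    print("intact chain:", verify_chain(log, h, image))
    print("missing record:", verify_chain(log[:1] + log[2:], h, image))
    print("altered image:", verify_chain(log, h, image + b"\x00"))
```

The three runs at the bottom show an intact chain (no problems), the gap that appears when the storage hand-over is missing from the log, and the failure when the bytes presented to the court no longer match the acquisition hash.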