Recovery of Digital Evidence


The University suspects that a circumstance of wrongdoing has been performed by a member of staff within Advantage Hill College or university and the computer forensic team, which you are part of, has been asked to investigate.

You and your team have been asked to kick off a study into alleged misuse of the University's IT system. The office used a worker has been isolated, closed and guaranteed.

The employee has been interviewed because of it services as well as the Dead of faculty and HR and has eventually refused all wrongdoing. Items from the staff office have been recovered by your team. The data restoration has been conducted in a demanding secure manner in lines with a rigorous methodology.

The Concepts of Digital Evidence

Evidence Recovery Process

From the start of the process there must be a placed way to perform the investigation, the crime picture is an extremely delicate devote terms of collection of critical vital data, which if remaining unsecure could be easily be modified or corrupted, therefore it is critical to follow several key levels, the first being;

The Plan of the Inspection

  • Where are, we heading to get the suspected evidence, i. e. on Computer system, Smartphone, USB, floppy disc, Hard Drive.
  • Should social advertising i. e. , Twitter, Facebook, Chat Message boards, be checked for relevant proof they may keep.
  • Contact of end user ISP for track history
  • Mobile network contact, may have on online profile with online storage area.

How to conduct the Inspection - My Flow Plan

Right to find and Seizure

In order to execute a study there are Legal and honest aspects that are extremely important and should always be adhered to key points that could continually be considered when its chose that evidence will need to be received;

  • Just because there are several personal computers inside your home doesn't necessary imply that they need to all be seized for forensic inspection, the individual attending the criminal offense scene must have Reasonable grounds to remove possessions and there must be justified reasons for carrying out this.
  • Due to the sensitive character of the analysis it would always be a required moral feature that the investigator would be genuine and truthful.
  • Consideration concerning whether what items will probably hold key information, i. e. there would no point in seizing a microwave when we are looking at some type of computer related offense.
  • Consider the offence, small down the period of time of suspected criminal offenses.
  • Items found that are linked to internet are likely to contain key information and should be seized.
  • Documents/booklets, notepads to be seized as they may hold online storage accounts and passwords where information is organised.

Approach Strategy

This all would be achieved by using a Flow arrange for the team to check out as reviewed in Assignment 1,

Capture of relevant information

One of the most important steps within the complete process, if problem is made here then the whole research is under risk.

  • The room was secured and isolated to associated risk the impact of any tampering with proof.
  • This could fundamentally fail directly into a very similar category, this may involve the collection of volatile time frame.
  • Volatile data is the data that people have at the plan of the criminal offense which may be lost if the investigator doesn't follow the correct treatment, i. e. recording what express the computer is on at that time. The Volatile data would be stored for example over a Laptop or computer in the Ram (Random Access Storage area) and would contain key information such as website data, chat history etc. that may be key to overall success of the inspection.
  • Bagging in secure hand bags that are tamper facts insuring that they are labelled acutely with a reference amount for later inspection.
  • Suspected employee interviewed refused any wrong doing.

Analyse of Facts

Evidence has been retrieved from the staff office by a colleague within the forensic team, we've found the next;

  • A USB pen drive seized bagged up in secure zipper bag
  • Feedback to get to give information on where to exploration in going.
  • Each step to be recorded
  • Time scales available
  • Resources open to investigator
  • Tools that are available for the forensic evaluation.

Data recovered from the USB drive, appears to you need to be Standard information but further analysis is required to establish fact.

Evidence Seized

Note pad with 3 passwords on;

  • Cabbage
  • Apple
  • Pear

USB device seized from any office. From everything we can see on the USB is

  • 3 PDF's
  • 3 Images
  • A word document Titled "Payments for paper4you"

Files present on USB Un touched

On the next step of my investigation I will open up each file without the interference from any Encryption programs.

File - Payments for documents4you. docx

File - 30037888. pdf

File - AUP. pfd


File - do. pdf

Chocolate 1. jpg. png

Even more chocolate. jpg. png

More Chocolates. jpg. png

Investigation of the Evidence

For the pupose of the exploration I am going to now check to see if the things sesiued are extactly as they appear. I really do think this step is necessary aspart of the on going investigatiion.

In order to check individual files, I will use OpenSteg request, the reason to do this could it be will check each induvual data file in order to determine any hidden files located on the the USB.

To do that I am going to use a programe called OpenSteg that may highlight any hidden information

OpenStego Menu, - As you can plainly see we can Cover or Remove Data from a any data file, in cases like this we will be Extracting the info from the chosen file.

Menu of the data file which I desire to look at though OpenStego - Delicious chocolate 1

On checking out the data file, it is clear the it needs a password to open it, I'll try the 3-security password on paper on the word pad recovered from the picture, that are
  • Apple
  • Cabbage
  • Pear

It would appear that there is a file in this particular picture titled;Expert_Sheet. xlsx

Upon beginning the Excel Data file it appers that it requires a password of which I've 3 ;

  • Apple
  • Pear
  • Cabbage

Apple and Pear are unsuccessful, but Cabbage has grated me access to the Excel file

It appears to show Financial transactions from Documents 4 you dated from 2008 to 2016










The same was finished with the file Even more chocolate. jpg. png

Upon carrying out this it is clear there's a file hidden within the picture entitled Invoice Jan-16. docx As per below;

Picture 3 to be examined using OpenStego file name - More Chocolate Using security password - Pear

Information from record Jan-15

Bring the evidence together as one we're able to use Encase this would give us a specific understanding of all the data together in a single file format I've confirmed in a walk through via screenshots

Landing Webpage Encase

New circumstance Location and name

File is currently given name "Task 2 and location.

Adding Facts to the case

Locate relevant record to add the info needed for the exploration.

Section of key data files to use as evidence.

Summary of the Evidence

From performing this research certain tips must be founded when investigating the case

  • Facts or fiction and can demonstrate this with hard information.
  • Prove so it did happen in the first place.
  • Are we considering the right person who is accused?
  • Have any errors been made. , things been overlooked or thigs been altered.

Forming the complete investigation, we can see from enough time Range, what information and by what process was followed

It has been my Advice that the Case be referred to CPS for Felony Proceedings. Because of the many breach's with in the law, (Data Security, Computer misuse action, It Computer Insurance policy) and the and the great amounts of money received, it is improbable that internal College or university formal proceedings would bring accountability for the thief.

In Conclusion, it could also be advised that upon Offender Proceedings being initiated, that an order for the "Proceeds of Offense Take action" be form to recover the ill-gotten benefits.

Also We Can Offer!

Other services that we offer

If you don’t see the necessary subject, paper type, or topic in our list of available services and examples, don’t worry! We have a number of other academic disciplines to suit the needs of anyone who visits this website looking for help.

How to ...

We made your life easier with putting together a big number of articles and guidelines on how to plan and write different types of assignments (Essay, Research Paper, Dissertation etc)