Digital Forensics Investigation Report on WiFi Hacking with ProDiscover, WinHex and OSForensics Tools

About the Report

Digital forensics is the process of examining and recovering data from seized evidence in a digital criminal investigation. In this field it is important to select a suitable tool to extract and analyse the digital information held in the collected evidence.


For this part we have selected WinHex and OSForensics, two tools that are frequently used in digital forensics.

Install and Deploy: Following is a screenshot of the application installed on a Windows 10 based system.

Using WinHex we can change the hex values in a disk image directly, and so edit the data stored in the image. This is depicted in the following image:


WinHex is a digital forensic tool used as a hex and disk editor for data recovery in digital crime cases. It runs only on the Windows operating system. It can recover data from floppy disks, hard disks, ZIP disks, CD-ROM and DVD, flash drives and so on.

Supported file systems: the tool works with FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®, CDFS, UDF and ReiserFS. It can also edit data structures using templates, through which a damaged boot sector or partition table can be repaired. Files can be concatenated and split, and the odd and even bytes of a file divided and recombined. It further supports disk cloning (with X-Ways Replica), 256-bit checksums, AES encryption and secure wiping of confidential files from disk. Editing can be automated with scripts so that routine tasks are accelerated.

Support from the vendor: the vendor provides a certification program and a user forum through which users can get help with their issues.

OSForensics

OSForensics is also a Windows based digital forensic tool that extracts evidence from digital systems such as laptops and desktop computers. It can also index and search files.

Its scans help identify suspicious activity on files through hash matching, comparison of drive signatures, and searches of binary data and e-mail. The tool also supports management of the digital investigation process and generates reports from the collected digital forensic evidence.

Supported image formats: Advanced Forensics Format images (AFF), AFM (AFF with metadata), AFD (AFF directories), split raw images (.00n), EnCase EWF (.E01), EnCase 7 EWF (.EX01), EnCase logical EWF (.L01), SMART EWF (.S01), VMware images (.VMDK) and VHD images (.VHD).

Support from the vendor: the vendor, PassMark Software, provides video tutorials, an FAQ, written tutorials and a user forum where users can get help from more experienced users.

Forensic Tools Used in Investigation

Following is a screenshot of the search for recently deleted files on a USB device, showing the result of the “Deleted File Search” feature.

For the disk image the MD5 hash value is: 052a6bc388f30572fa27e58d52f03d09

The SHA-1 hash value is: 4553c87b818518f9dfe13add1dbc334edd7b31b9
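Checking an acquired image against the digests recorded above can be done without a GUI tool. The following is an added example, not code from the report or from WinHex, OSForensics or ProDiscover: it reads the image in chunks so that a multi-gigabyte image never has to fit in memory, computes MD5 and SHA-1 in a single pass, and compares both results to the documented values regardless of letter case. The image path is a placeholder and the bytes hashed in the demo are a constructed stand-in, so the demo is not expected to match the report's digests.

```python
"""Verify an evidence image against documented MD5 / SHA-1 digests (added example)."""
import hashlib
import hmac
import io
import os
import tempfile

# Digests recorded for the disk image in this report.
DOCUMENTED_MD5 = "052a6bc388f30572fa27e58d52f03d09"
DOCUMENTED_SHA1 = "4553c87b818518f9dfe13add1dbc334edd7b31b9"


def digests_from_stream(stream, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) for a binary stream, hashing chunk_size bytes at a time."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digests_of_bytes(data: bytes):
    """Convenience wrapper for in-memory data (used by the demo and the checks)."""
    return digests_from_stream(io.BytesIO(data))


def image_digests(path: str):
    """Hash an image file on disk; it is opened read-only and never modified."""
    with open(path, "rb") as fh:
        return digests_from_stream(fh)


def digests_match(actual_md5, actual_sha1, expected_md5, expected_sha1) -> bool:
    """Case-insensitive comparison; both digests must match for the image to verify."""
    return (hmac.compare_digest(actual_md5.lower(), expected_md5.lower())
            and hmac.compare_digest(actual_sha1.lower(), expected_sha1.lower()))


def verify_image(path: str, expected_md5: str, expected_sha1: str) -> bool:
    """True only if the file at path hashes to both expected digests."""
    md5, sha1 = image_digests(path)
    return digests_match(md5, sha1, expected_md5, expected_sha1)


if __name__ == "__main__":
    # Demo on a constructed stand-in file; the real image is not included here.
    sample = b"constructed sample image contents\x00" * 4096
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        md5, sha1 = image_digests(tmp.name)
        print("MD5 :", md5)
        print("SHA1:", sha1)
        # The stand-in does not match the documented digests of the real image.
        print("matches report:", verify_image(tmp.name, DOCUMENTED_MD5, DOCUMENTED_SHA1))
        # A successful verification against its own digests (upper-case MD5 on purpose).
        print("self check    :", verify_image(tmp.name, md5.upper(), sha1))
    finally:
        os.unlink(tmp.name)
```

Record the digests computed at acquisition and again before analysis; if either digest differs, the image has changed and any finding drawn from it is open to challenge.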

For the given image it is found that the installed OS was Windows XP, version 5.1, build 2600, with product ID 55274-640-0147306-23486.

The OS was installed on Friday, August 20, 2004.

The registered owner of the computer is Greg Schardt, and the last recorded shutdown date and time is 08/27/2004 at 9:16:28 PM. Following is the evidence from the ProDiscover tool. For this question we used the shutdown event ID recorded in the Windows XP event log.

From the given evidence file we found that the account that most used the computer is Mr. Evil.

The time zone setting found in the investigation is Central Standard Time, the Windows time zone for Central Time (US & Canada). The screenshot is provided below:

The computer name is N-1A9ODN6ZXK4LQ; the supporting screenshot is provided below:

In the given disk image, the user accounts other than Administrator, Guest, the system profile, Local Service and Network Service are Mr. Evil, HelpAssistant and SUPPORT_388945a0. Following is the evidence from the user account analysis.

The suspect installed the following software after installing the operating system:

123 Write All Stored Passwords;

Anonymizer Bar 2.0;

Cain & Abel v2.5 beta;

CuteFTP;

CuteHTML;

Ethereal 0.10.6;

FaberToys, published by FaberBox;

Forte Agent;

[email protected]_1.0;

mIRC;

Network Stumbler;

WinPcap 3.01 alpha.

Following is the screenshot of the analysed disk image:

The last logged-on user on the system was Mr. Evil.

Tasks Performed during the Investigation

From the registry we obtained the time of the last shutdown as a raw hex value (a Windows FILETIME), which we decoded using the DCode digital forensic tool. The hex value and the decoded time of the last shutdown are:

Hex value: C4928E51868BC401

Time and date of last shutdown: Thu, 26 August 2004 16:04:08 UTC
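The same decoding can be reproduced without DCode, as the following added example shows (it is not code from the report or from DCode). A FILETIME is a 64-bit count of 100-nanosecond ticks since 1 January 1601 UTC, and the registry stores it little-endian, so the hex string copied from the value (this is the usual location: SYSTEM\ControlSet00x\Control\Windows\ShutdownTime) must be read with its byte order reversed. Reading it as a plain big-endian number is a common mistake; it yields a date tens of thousands of years out, which the code reports as an error instead of printing nonsense. The conversion to the machine's Central time zone uses a fixed UTC-5 (CDT) offset, which is an assumption of this example for an August date.

```python
"""Decode a Windows FILETIME taken from the registry (added example)."""
from datetime import datetime, timedelta, timezone

# Value recorded in this report (SYSTEM\ControlSet00x\Control\Windows\ShutdownTime).
SHUTDOWN_HEX = "C4928E51868BC401"

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """Convert 8 raw little-endian FILETIME bytes to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, byteorder="little", signed=False)
    try:
        return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # A plausible timestamp never lands past year 9999; this is the usual
        # symptom of reading the bytes in the wrong order.
        raise ValueError("FILETIME out of range; check byte order") from None


def decode_registry_filetime(hex_string: str, byte_order: str = "little") -> datetime:
    """Decode a hex string as copied from a REG_BINARY value.

    The registry stores the value little-endian, so that is the default.
    byte_order="big" reproduces the mistake of reading the hex string as a number.
    """
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    if byte_order == "big":
        raw = raw[::-1]
    elif byte_order != "little":
        raise ValueError("byte_order must be 'little' or 'big'")
    return filetime_to_utc(raw)


def shutdown_time_iso(hex_string: str = SHUTDOWN_HEX) -> str:
    """UTC timestamp as ISO-8601, truncated to whole seconds (what DCode displays)."""
    return decode_registry_filetime(hex_string).replace(microsecond=0).isoformat()


def to_local_iso(hex_string: str, utc_offset_hours: int) -> str:
    """Same instant rendered in a fixed-offset zone (UTC-5 assumed for CDT here)."""
    utc = decode_registry_filetime(hex_string).replace(microsecond=0)
    local = utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.isoformat()


if __name__ == "__main__":
    print("UTC       :", shutdown_time_iso())
    print("CDT (UTC-5):", to_local_iso(SHUTDOWN_HEX, -5))
    try:
        decode_registry_filetime(SHUTDOWN_HEX, byte_order="big")
    except ValueError as exc:
        print("big-endian:", exc)
```

Note that the value decodes to 26 August 2004 16:04:08 UTC (11:04:08 local time at UTC-5), whereas the event log evidence cited earlier gives 27 August 2004 9:16:28 PM; the two artefacts are recorded by different mechanisms, so both should be reported with their source and time zone stated.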

The IP address recorded for the machine's interface is 0.0.0.0, and the interfaces found in the provided disk image are described below. The EnableDeadGWDetect value is set to 1 (true), which means TCP uses dead gateway detection: when a connection has retransmitted a segment several times without receiving an acknowledgement, TCP switches the default gateway to the next configured backup gateway. The host's own IP address is not changed by this feature.

The browsers used by the suspect are Internet Explorer and MSN Explorer.

The registry path holding the browser's typed-URL history is:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (in the image this key lives in the user's NTUSER.DAT hive).

The URLs visited by the suspect are:

www.maktoob.com

www.ethereal.com

www.wardriving.com

www.4.12.220.25/temp

www.drudgereport.com/

www.majorgeeks.com

www.yahoo.com

www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

The related screenshot is provided below:

The last DHCP IP address assigned to the system is 192.168.1.111; the supporting screenshot is provided below.

Outlook was used as the e-mail client, as discovered in the investigation of the given disk image.

From the previously listed installed software, the following tools can be used for hacking purposes:

123 Write All Stored Passwords (reveals the passwords of the logged-on user stored in the Microsoft PWL file);

Anonymizer Bar 2.0 (helps the attacker make their activity on the Internet untraceable);

Cain & Abel v2.5 beta (password recovery tool);

Ethereal 0.10.6 (network protocol analyser, i.e. a packet sniffer);

Network Stumbler (wireless network scanner, also useful for detecting unauthorized or “rogue” access points);

WinPcap 3.01 alpha (the packet capture driver that Ethereal relies on under Windows).

IRC (Internet Relay Chat) is a chat service built on a client-server architecture. IRC servers, which can be linked into a network spanning many machines, act as the central communication point, and multiple clients connect to a server to exchange messages with each other. mIRC is a Windows IRC client used to connect to such servers.

In the analysis of the Recycle Bin it was found that there are two files with the extension .MAP. Such files are usually debugging map files: plain text files that list the functions (and other symbols) of a compiled binary together with their relative offsets for a particular build of that binary.
