Annexure-I:

Student Declaration

To whom so ever it may concern

We, Sujal Kumar Gupta, 12107390 : Vishal Yadav, 12115267 :

Nicodemus Peter Ngufuli, 12111145. hereby declare that the work done
by

me on “Cyber forensics Case study Report on Murder Case in

Phagwara” from 28-march-2023 to 07-April-2023 is a record of original

work

for the partial fulfilment of the requirements for the award of the degree,
“Masters in Computer application”.

Sujal Kumar Gupta (12107390)

Nicodemus Peter Ngufuli, (12111145)
Vishal Yadav (12115267)

Signature of the student

Dated: 07/April/2023
Disclaimer: I have not performed any live investigation. This was a part of our university assignment,
CONTENTS
where I assumed the roles of forensics investigator, determining what methods were applicable.

Page
1. Case Study
1.1 Scenario overview --------------------------------- 3
1.2 Deliverables ---------------------------------------- 4
1.3 Methodology --------------------------------------- 4 - 5
1.4 Guidelines and Principle ------------------------ 5 - 6

2. Collection and Preservation

2.1 Collection ------------------------------------------- 7
2.1.1 Photographs ------------------------------------------- 8 - 9
2.2 Preservation --------------------------------------- 9 - 10
2.3 Examination --------------------------------------- 10

3. Tools and Technique --------------------------- 11 - 13

4. Analysis ------------------------------------------- 14

5. Results -------------------------------------------- 15 - 19
5.1 Findings ------------------------------------------ 19 - 20

6. Conclusion --------------------------------------- 20.

1. Case Study
1.1 Scenario Overview:
Case Overview: Intellectual Theft by an Employee from a Technology
Company
The victim company, a leading technology firm, reported a suspected case of
intellectual theft by one of their employees. The perpetrator, who held a key
position in the company's research and development department, was found
to have illicitly accessed and stolen important data, including proprietary
designs and blueprints. Further investigation revealed that the employee had
shared the stolen information with a competitor company in exchange for
financial gain.
The theft of the intellectual property has serious implications for the victim
company, as it could compromise their competitive advantage and disrupt
the market. The stolen data is crucial to the company's research and
development efforts and represents years of innovation and investment. The
case requires swift and thorough investigation to identify the extent of the
theft, determine the motive behind the employee's actions, and establish the
identity of the competitor company involved.
As the cyber forensic expert leading the investigation, I am tasked with
analyzing digital evidence, including logs, network activity, and computer
systems, to trace the unauthorized access and exfiltration of data. This
involves meticulous examination of file timestamps, metadata, and digital
footprints to reconstruct the timeline of events and identify the methods used
by the perpetrator to cover their tracks.
In collaboration with law enforcement agencies, legal experts, and
technology specialists, I am working diligently to collect and preserve
evidence that can withstand legal scrutiny. This includes conducting
interviews, analyzing communication records, and conducting forensic
examinations of digital devices. As the case progresses, I am utilizing my
expertise in cyber forensics, digital investigations, and intellectual property
laws to unravel the complexities of the theft and determine the full extent of
the damage caused.
1.2 DELIVERABLES
My approach to investigate this case is into two task part where I’m going to
use some cyber forensics tools for investigate. With that we can get what is
my intention and scope of this investigation.
Case Study – Task1:
 Create an image using the Guymager tool
 Open the hex value of an image using terming to analyse the data.
 Verify the integrity of the data by verifying the log file of an image.

Case Study – Task2:

 Creating an image file specifying the necessary information from the
source of evidence using FTK imager.
 Collect the possible meta information such as PNG/JPEG if any.
 Determine the deleted files and folders.
 Generate the hex value of the data found as evidence.

1.2.1 Scope of investigation

The scopes of the forensic investigations for this case are as follows:
 To identify the malicious activities with respect to 5Ws (Why, When,
Where, What, Who)
 To identify the security lapse in their disk
 To find out the impact if the disk system was compromised
 To identify the legal procedures, if needed
 To provide the remedial action in order to harden the system

1.3 Methodology
I started the project running a desktop with Ryzen 5 4000 Series and 8GB of
RAM. The computer ran a 64-bit Windows 10 Enterprise edition operating
system with Service Pack 1. The computer was given the final name of
PhagwaraMcase.
After set-up was complete, we were given a 250GB internal hard drive
containing Fire. Fire was the result a previous project where information was
generated on a hard drive from Windows, Mac, and Linux. Our team utilizes
this hard drive when working on other forensic research projects in order to
set a base line. Using this hard drive, we can create an image to test all the
programs using the same example.
Most computers will have programs that will lengthen the time it takes to
image the drive, so we decided to use the Fire II drive to comply with time
constraints.
The chosen framework, Digital Forensic Research Conference (DFRWS)
Investigative Model (2001) – Palmer, proposing a well-known digital
forensic investigation process consists of seven components such as:

1.4 Guidelines and Principle

According to the National Crimes Record Bureau, the confluence of two
legal paradigms, i.e., the law of evidence and that of information technology
has made the legal domain at par with the contemporary challenges of the
cyber space.
 The traditional law defining the term “Evidence” has been amended to
include electronic evidence in Section 3, The Evidence Act, 1872. The
 other parallel legal recognition appeared in Section 4, The Information
Technology (Amendment) Act, 2008, with the provision for
acceptance of matter in electronic form to be treated as “written” if the
need arises. These show a prima facie acceptability of digital evidence
in any trial.
 Further, Section 79A of the IT (Amendment) Act, 2008 has gone
aboard to define electronic evidence as any information of probative
value that is either stored, or transmitted in electronic form and
includes computer evidence, digital audio, digital video, cell phones
and digital fax machines.
 Since digital evidence ought to be collected and preserved in certain
form, the admissibility of storage devices imbibing the media content
from the crime scene is also an important factor to consider. Reading
Section 3 and Section 65-B, The Evidence Act, 1872 cumulatively, it
can be inferred that certain computer outputs of the original electronic
record, are now made admissible as evidence “without proof or
production of the original record. Thus, the matter on computer
printouts and floppy disks and CDs become admissible as evidence.”
[2]
. The summary of those principles are as follows:
 Principle 1: Data stored in a computer or storage media must not
be altered or changed, as those data may be later presented in the
court.
 Principle 2: A person must be competent enough in handling the
original data held on a computer or storage media if it is necessary,
and he/she also shall be able to give the evidence explaining the
relevance and course of their actions.
 Principle 3: An audit trail or other documentation of all processes
applied to computer-based electronic evidence should be created
and preserved. An independent third party should be able to
examine those processes and achieve the same result.
 Principle 4: A person who is responsible for the investigation must
have overall responsibility for accounting that the law and the
principles are adhered to.
 2. Collection and Preservation
2.1 Collection
Collecting the recording of the physical crime scene, physical evidence that
relates to the crime scene and imaging, duplicating, or copying of the digital
evidence. Should make documents contain information of the evidence like,
name, model, made year etc. Also, the audio recording, photographs, and
other visual forms of the crime scenes should be collected and documented.
Digital evidence such as evidence such as desktop, smartphones, printers,
digital cameras, etc. should be collected, in addition to the physical evidence,
other relevant items like notes that include passwords, suspect’s documents,
suspect’s dairy etc. If the breach initiated within the perimeter, it’s required
to containment the crime scene, preform the specialized procedures like if
the device was ON or OFF when found, leave it in that state. If the found
computer is OFF, can take the photos of the computer, labelling cables, etc.
…
From Company I got a hard disk which is in good condition. As per the
company the hard disk is full of sensitive information. Mode. The disk are
under Preservation.
Here is the list of the evidences and its conditions:
ITEM CONDITION DETAILS
Company name – Sanbdisk
size - 8GB
Pen drive 1 Accessible (Good) Serial no. – SDDC24

Pen drive 2 Accessible (Good) Company name – Sanbdisk

size - 32GB
Serial no. – SDDC24

2.1.1 Photographs
2.2 Preservation
In this stage, should works on isolation, securing and preserving the physical
and digital evidence. This helps to maintain the integrity of the digital
evidence and protect the digital evidence from the modifications. Examiners
should be responsible and must demonstrate that the evidence should be
preserved through all steps in the process like in collection phase, examine
phase, analyse phase, etc. Preservation of the digital and physical evidence
should be done by trained and skilled staff members that possess the required
techniques and the knowledge of using appropriate tools.
Methods to preserve the digital evidence with this section, following
methods are needed to consider preserving the digital evidence by forensic
examiner.
 Drive Imaging
Imaging the drives can help to keep the evidence side and use the images for
the analysis. To perform this imagining, professional make a duplicate of the
drive with completing the sector by sector. There are many tools that to use
for imaging like Acronis, Barracuda etc.
 Making copies of the evidence
Copies of the evidence could also help to retain the evidence; copies
should be encrypted with hash values like MD5 in the label of the copies
so can distinguish from Original. Along with that, critical information
like name of the personnel, the date and time and place would be added
with. This helps to verify the authenticity and helps to protect the
integrity. These hash values could be useful in the court case.
 Chain of custody
When forensic examiners extract the media from the business and do
transfer their media if it required, should document all the transfer on a
 form called Chain of Custody (CoC) and track down all the dates, under
whose supervision etc. If the suspected evidence found, it should be
immediately isolated and keep under the Chain of Custody so the
examiner can create an image later. This is crucial because once if the
evidence not being preserved properly, this might be invalid in court case.
This will motivate GDPR to impose more fines on the business which
may be unable to afford.

3. Tools and Technique

We can perform any operation with a forensically sound bootable DVD/CD-
ROM, USB Flash drive or even a floppy disk, HDD, SSD. First, we need to
dump the memory, and this is preferred to be done with a USB Flash drive
with enough size. We must also undertake a risk assessment when we are
about to collect volatile data to evaluate if it’s safe and relevant to collect
such live data, which can be very useful in an investigation. We should use
forensics toolkits throughout the process, as this will help meet the
requirements of a forensics investigation. These tools should be trusted, and
it can be acquired from among the freely distributed ones to the commercial
ones.
Tools which used to investigate in this case are:
 Guymager
 FTK imager
 EWF verify
 DC3DD
 Foremost Tool

 Guymager - The forensic imager contained in this package, guymager,

was designed to support different image file formats, to be most user-
friendly and to run really fast. It has a high-speed multi-threaded engine
using parallel compression for best performance on multi-processor and
hyper-threading machines.
For solving cyber-crimes on digital materials, they have to be cloned.
Evidence must be copied in a valid and proper method that provides legal
availability. If we do not copy in a valid way, it cannot be used as
evidence. Image acquisition of the materials from the crime scene by
 using the proper hardware and software tools makes the obtained data
legal evidence.
Choosing the proper format and verification function when image
acquisition affects the steps in the research process. Using this method,
we can clone a disk and do research on multiple systems using multiple
software and solve the case faster. Guymager is based on libewf and
libguytools. The features of guymager is following:
 Very easy GUI user interface in different language.
 Really fast process due to multi-threaded, pipelined design and
multi-threaded data compression.
 makes full usage of multi-processor machines.
 Generates flat (dd), EWF(E01) and AFF images, supports disk
cloning.
For becoming open source, it is completely free of charges.
Now we run guymager in our Kali Linux system. To run this tool, we
simply use guymager command in our terminal window.

 FTK imager tools - FTK Imager is a tool for creating disk images and is
absolutely free to use. It was developed by The Access Data Group. It is a
tool that helps to preview data and for imaging.

With FTK Imager, you can:

 Create forensic images or perfect copies of local hard drives,

floppy and Zip disks, DVDs, folders, individual files, etc. without
making changes to the original evidence.
 Preview files and folders on local hard drives, network drives,
floppy diskettes, Zip disks, CDs, and DVDs.
 You can also preview the contents of the forensic images that
might be stored on a local machine or drive.
 You can also mount an image for a read-only view that will also
allow you to view the contents of the forensic image exactly as the
user saw it on the original drive.
 Export files and folders from forensic images.
 View and recover files that have been deleted from the Recycle
Bin, but have not yet been overwritten on the drive.
Approach:
To create a forensic image with FTK imager, we will need the following:
  FTK Imager from Access Data, which can be downloaded using the
following link: FTK Imager from Access Data
 A Hard Drive that you would like to create an image of.

 EWF tool - EWF Tools: working with Expert Witness Files in Linux 2
minute read Expert Witness Format (EWF) files, often saved with an E01
extension, are very common in digital investigations. Many forensic tools
support E01 files, but many non-forensic tools don’t. This is a problem if
you are using other tools, like many Linux utilities to try to do an
investigation.
ewfverify — verifies media data stored in EWF files
ewfverify is a utility to verify media data stored in EWF files.
ewfverify is part of the libewf package. libewf is a library to access the
Expert Witness Compression Format (EWF).
ewf_files the first or the entire set of EWF segment files.

 DC3DD Tool - dc3dd is a patched version of GNU dd with added

features for computer forensics:
 on the fly hashing (md5, sha-1, sha-256, and sha-512);
 possibility to write errors to a file;
 group errors in the error log;
 pattern wiping;
 progress report;
 possibility to split output.
Installed size: 489 KB
How to install: sudo apt install dc3dd
Use of DC3DD to solve the Problem with the help of Example:
Write a binary image from the source (if=/var/log/messages) to the destination
(of=/tmp/dc3dd) and calculate the SHA512 sum (hash=sha512):
Using dc3dd in cyber forensic investigations is similar to using dcfldd, with
some differences in the syntax and options available. Here is a general outline
of the steps involved in using dc3dd to create a forensically sound image of a
storage device: Acquire the dc3dd tool:
 dc3dd can be downloaded and installed on your forensic workstation. Identify
the target storage device: You need to determine which storage device you want
to image. This can be done using a tool such as lsblk or fdisk, which will show
you the available storage devices and their properties. Determine the output file:
You need to specify the location where you want to save the image file. You
can specify either a local file or a network share. Run the dc3dd command: The
dc3dd command is used to create the image of the target storage device. The
basic syntax of the command is:
dc3dd if=<input_device> of=<output_file>
Verify the image: After the image has been created, it is important to verify its
integrity to ensure that the data has been captured correctly. This can be done by
computing the hash of the original storage device and the image file, and
comparing the results. Replace <input_device> with the name of the target
storage device (e.g., /dev/sdb), and <output_file> with the location where you
want to save the image file.
 Foremost Tool - Foremost is a forensic program to recover lost files
based on their headers, footers, and internal data structures.
Foremost can work on image files, such as those generated by dd,
Safeback, Encase, etc, or directly on a drive. The headers and footers can
be specified by a configuration file or you can use command line switches
to specify built-in file types. These built-in types look at the data
structures of a given file format allowing for a more reliable and faster
recovery.
Installed size: 102 KB || How to install: sudo apt install foremost
4. Analysis
Understand the significant, collect all the pieces of the data and arrange them
together and specify some conclusions are the major goal of this step. This
helps to understand the incident very well by reconstructing the crime scene.
Fundamentally, there are three kinds of ways to reconstruct, temporal
analysis, relational analysis, and functional analysis. Temporal analysis helps
to find the factors that likely cause this incident and who may should be
responsible for. Relative analysis refers finding the baseline of the crime
scene by corresponding the actions of the victim and functional analysis is
about finding the actions that caused this.
In this Case (Phagwara murder case) main evidence is hard disk of desktop.
So, with help of the tools, we can identify some of the files like img files, log
files.
Now we create an image file for analysis and checking any meta file is there
or not. Because of in this case culprit’s main target after business man is the
Desktop machine so the nature of this case we have to analyses and gather
all evidence and present with cruciality of the evidence by using different
analysis mechanisms.
 Data hiding analysis:
Recovering the data can be hidden in these digital items could give
the examiner a chance to know the significant information that may
give the idea about the ownership, etc.
 Log files analysis:
This analysis uses logs to get the idea of the behaviour of system pre
crime and find out the possibilities that lead to this crime. Analysing
some important log files like Intrusion Detection system logs and
scan the security events are one of examples of log files analysis.
 Time frame analysis:
The goal of this analysis is to get the idea of when this crime
happened with analysing the events on the digital systems by
reviewing the time and data that has embedded into the files as
metadata.
 File analysis:
Analysing the metadata that embedded in the files and the
applications and other information may contain some hints leading
to the crime scene like getting idea of the behaviour of the user.
5. Results
In this phase’s my result will be final presentation with containing
conclusions and summary of the investigation process with results. The
information that provides with this presentation is clear and precise so the
business and victims can understand very well and get better knowledge and
get closer to the culprit.
As per mentioned above we have divided the case into two tasks (Task1 and
Task2) so I’ll show you as per it.
TASK 1
1. Create an image using the Guymager tool
I connect the hard drive and click on Rescan or simply press F5 button.
Here I can see the disk name and other information of our hard disk. Now I
can acquire image or clone the hard disk by right click on the disk. For
imaging the hard disk, I click on acquire image and anther window will
opens.
What is imaging in forensics?
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy
of a physical storage device, including all files, folders and unallocated, free
and slack space. Forensic images include not only all the files visible to the
operating system but also deleted files and pieces of files left in the slack and
free space. Not all imaging and backup software create forensic images.
Windows backup, for example, creates image backups that are not complete
copies of the physical device. Forensic images can be created through
specialized forensic software. Some disk imaging utilities not marketed for
foren Here we can choose the file format and provide the case number and
evidence number, examiner, descriptions and notes. Here we can also choose
the image directory. We can also split the size of disk. We can calculate MD
% and SHA1. Then we must check the verification process, because if the
image acquisition was not valid then it can't be an evidence. So verification
is a good habit. Here we have done everything, and set the acquired image
directory in our desktop, and we did not used the split image because we are
not acquiring large image. Following screenshot shows the process.sic use
also make complete disk images.
 Here I choose the file format and provide the case number and evidence
number, examiner, descriptions and notes. Here we can also choose the
image directory. We can also split the size of disk. We can calculate MD
% and SHA1 and SHA-256. Then we must check the verification process,
because if the image acquisition was not valid then it can't be evidence.
So, verification is a good habit. Here we have done everything, and set
the acquired image directory in our desktop, and we did not used the split
image because we are not acquiring large image. Following screenshot
shows the process.

 Then I just click on start option and the process will be started. You can
see all the information also.
After finished imaging

 Checking the pen drive is cloned or not by using (HEXEDIT)

Run command – sudo hexedit “file name”
TASK 2
2. Open the hex value of an image using terming to analyze the data.

Now I have to verify also the file for that I’m using ewfverify tool so we can see
all the verified hash files
DESCRIPTION
ewfverify is a utility to verify media data stored in EWF files.
ewfverify is part of the libewf package. libewf is a library to access the Expert
Witness Compression Format (EWF).
ewf_files the first or the entire set of EWF segment files.

3. Verify the integrity of the data by verifying the log file of an image.
TASK 3
Identify the target storage device: You need to determine which storage device
you want to image. This can be done using a tool such as lsblk or fdisk, which
will show you the available storage devices and their properties. Determine the
output file: You need to specify the location where you want to save the image
file. You can specify either a local file or a network share. Run the dc3dd
command: The dc3dd command is used to create the image of the target storage
device. The basic syntax of the command is:
Task 4
Data carving

This disk image file will be carved for .jpeg, .png, .zip, .pdf and .avi file
formats. We will not be instructing Foremost to carve the .docx but, since one
exists in the .zip we have placed inside the disk image, it will do so
automatically.
To break this down “-t” is setting the file types we want to carve out of the disk
image, here those are .jpeg and .png.
“-i” is specifying the input file, the “disk.img” that is placed on the desktop.
“-o” is telling Foremost where we want the carved files to be stored, for that we
have the “recov” folder on the desktop that we made earlier.
“-v” is to tell Foremost to log all the messages that appear on screen as the file
is being carved into a text file in the output folder (recov) as an audit report.
Task 5
FTK imager analysis
1. Create an image file specifying the necessary information from the
source of evidence.
In the menu navigation bar, you need to click on the File tab which will give
you a drop-down, like given in the image below, just click on the first one
that says, Add Evidence Item.
After that, there will be a pop-up window that will ask you to Select the
Source of the Evidence. If you have connected a physical hard drive to the
laptop/computer you are using to make the forensic image, then you will
select the Physical Drive here.
Click on Next. Now, Select the Physical Drive that you would like to use.
Please make sure that you are selecting the right drive, or you will waste
your time exporting a forensic image of your own OS drive.
In the menu navigation bar, you need to click on the File tab which will give
you a drop-down, like given in the image below, just click on the first one that
says, Add Evidence Item.
there will be a pop-up window that will ask you to Select the Source of the
Evidence. If you have connected a physical hard drive to the laptop/computer
you are using to make the forensic image, then you will select the Physical
Drive here. Click on Next. Now, Select the Physical Drive that you would like
to use. Please make sure that you are selecting the right drive, or you will waste
your time exporting a forensic image of your own OS drive.
Now, we will export the forensic images.
Right-click on the Physical Drive that you would like to export in the FTK
Imager window. Select Export Disk Image here.
Click the Add button for the Image Destination.
Select the Type of Forensic Image you would like to export. Select .E01 and
Click Next.
After that, you will have to enter information regarding the case now. You can
either leave them blank or keep it general, this part is totally upon you.

Fill
ed all the details Below as Screenshots
And, there you have it – a bit-by-bit image of the device! You’ve just captured
everything on the device, including deleted files and slack space data. Next
time, we’ll discuss Adding an Evidence Item to look at contents or drives or
images (including the image we created here).
2. Collect the possible meta information such as PNG/JPEG if any.
There is some file also where some information is regarding company which is
trying to disclose but some image, I found is the following:
3. Generate the hex value of the data found as evidence.

 Findings
As a cyber forensic examiner, We conducted a thorough analysis of the
digital evidence collected from the suspect's device. Among the findings
were several images depicting potential evidence of illegal activities,
including images of suspicious financial transactions and confidential
documents. Additionally, there were PDF files containing sensitive
information related to a business deal, as well as blueprints of a high-security
building. Furthermore, I discovered lines of code that appeared to be
malicious in nature, suggesting the suspect may have been involved in
cybercrime. The evidence revealed a complex web of illicit activities,
requiring further investigation and expertise to unravel the full scope of the
suspect's actions.
 6. Conclusion
In conclusion, the case of intellectual property theft by a company employee has
been successfully solved. The discovery of a pendrive as the main evidence
proved to be crucial in unraveling the mystery.
Upon thorough investigation, the pendrive was found to contain a treasure trove
of information, including blueprints, bank transactions, and credit card
information. These findings confirmed that the employee had been stealing and
misusing the company's intellectual property for personal gain.
Furthermore, the pendrive also contained malicious code, indicating that the
employee had engaged in unauthorized activities to compromise the company's
security and integrity. This malicious intent added another layer of severity to
the case, making it a serious offense.
Through diligent forensic analysis, the team was able to track the employee's
activities and establish a timeline of events, ultimately leading to the
identification and apprehension of the culprit. The evidence found on the
pendrive was pivotal in securing a conviction, as it provided irrefutable proof of
the employee's illicit actions.
As a result of the successful investigation, the stolen intellectual property was
recovered, and the employee was held accountable for their actions in a court of
law. The company has since implemented robust security measures to prevent
similar incidents from occurring in the future, safeguarding their valuable
intellectual property.
The resolution of this case highlights the importance of protecting intellectual
property and maintaining stringent security protocols within organizations. It
serves as a reminder that intellectual property theft is a serious crime with
severe consequences, and that thorough investigation and forensic analysis are
critical in uncovering the truth and bringing the perpetrators to justice.
In conclusion, the discovery of the pendrive and the critical information it
contained, along with the identification of malicious activities, were key factors
in solving the case of intellectual property theft by the company employee,
ensuring that justice was served and the company's intellectual property
was safeguarded.

____________ Thank You ______________