
Digital Forensics in Practice

Module Code:
Student ID:
Submission Date:

INTRODUCTION

Increasing dependence on digital devices in modern life has greatly increased the relevance of digital forensic investigation, especially in legal, criminal and regulatory settings. This paper gives a thorough account of the forensic examination of a forensic image supplied by customs as part of an official investigation. Assigned to the case as the digital forensic analyst, my responsibility covered the whole investigation, from configuring the forensic workstation through to the results. Following best practices and professional guidelines, the integrity and continuity of the evidence were carefully preserved throughout the examination. Every forensic method depends on case management, since it forms the basis for the acceptance, reliability and dependability of digital evidence.

My first task was therefore to set up a secure forensic workstation for this particular case. I ensured that the workstation was disconnected from the network and used certified, approved forensic tools, including Autopsy, FTK Imager and AccessData Registry Viewer. These tools were selected for their proven ability to maintain forensic soundness while still providing forensic imaging, file system analysis, registry inspection and reporting.

After configuring the forensic workstation, I downloaded the forensic image from the URL provided. I checked that the hash values of the image matched those listed in the accompanying file, which included both an MD5 and a SHA1 hash, thereby guaranteeing continuity. The calculated hash values were:

o MD5: b66ca567bec6b0a195b99c57dfa0919f

o SHA1: 57c9a704b09fbb50118da57f62546824e062a73a

The hashes I computed matched these values exactly, which verified the integrity and authenticity of the material. To preserve a complete chain of custody, all tasks performed in this phase were recorded in contemporaneous notes. After formal registration under case ID DF-2025-001, all analysis was carried out within the controlled environment of the workstation.

CASE MANAGEMENT

Effective case management is necessary in a digital forensic investigation to guarantee the validity, reliability and legal admissibility of its conclusions. Correct management of the digital forensic process begins with the careful setup of a secure, isolated forensic workstation. This study focused on creating an environment capable of sophisticated digital analysis while maintaining the integrity of the data. Industry-recognised tools, including Autopsy, FTK Imager and EnCase, were used to set up the forensic workstation. These tools were chosen because of their strong standing in the forensic community for supporting non-intrusive examination, allowing full data recovery, and preserving data integrity throughout the investigation. To limit the possibility of contamination or unauthorised access, the workstation was also configured to be disconnected from any external network.

Once the workstation was running, the forensic image was obtained from a secure server supplied by customs. Controlled procedures were used to maintain integrity during the transfer; the forensic image is a bit-for-bit, sector-by-sector duplicate of the suspect's hard drive. Its integrity was checked immediately after download using two cryptographic hash algorithms, MD5 and SHA1. The hash values supplied with the evidence (MD5: b66ca567bec6b0a195b99c57dfa0919f; SHA1: 57c9a704b09fbb50118da57f62546824e062a73a) were then compared with the computed hashes. The matching hash values confirmed that the forensic image was authentic and had not been altered during capture and transit, so the data meets the core requirement of preserved authenticity. This integrity check is a pillar of digital forensic practice, because it defends the validity of the evidence in any legal proceeding.
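The integrity check described here and in the Introduction can be scripted so that the computed digests and the comparison result go straight into the contemporaneous notes. The following is an added example written for this page, not code from the report or from any of the tools it names; it assumes the image is a single file on the workstation and reuses the two hash values quoted above as the expected values. MD5 and SHA1 are both collision-broken, so a match shows that the downloaded copy is the one customs supplied, not that the values could never be forged; computing both digests in one pass over the file costs nothing extra.

```python
"""Integrity check of a forensic image against the hashes supplied with the evidence.

Added example, not part of the original report. It assumes the image is a
single file on disk and that the expected MD5 and SHA1 values were taken from
the accompanying evidence file, as the report describes.
"""
import hashlib
from datetime import datetime, timezone

# Hash values supplied with the evidence, as quoted in the report.
EXPECTED = {
    "md5": "b66ca567bec6b0a195b99c57dfa0919f",
    "sha1": "57c9a704b09fbb50118da57f62546824e062a73a",
}

CHUNK_SIZE = 1 << 20  # 1 MiB; images are far larger than RAM, so stream them


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file at `path`, reading it once.

    Every requested digest is updated from the same chunk, so a multi-gigabyte
    image is read a single time regardless of how many algorithms are wanted.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(path, expected):
    """Compare computed digests with the supplied ones.

    Returns a dict suitable for pasting into the contemporaneous notes:
    computed values, a per-algorithm match flag, an overall verdict and the
    UTC time of the check. Comparison is case-insensitive because evidence
    sheets are often typed in upper case.
    """
    computed = hash_file(path, tuple(expected))
    matches = {
        name: computed[name].lower() == expected[name].strip().lower()
        for name in expected
    }
    return {
        "path": path,
        "checked_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "computed": computed,
        "matches": matches,
        "verified": all(matches.values()),
    }


def custody_note(result, case_id="DF-2025-001"):
    """Render one line for the chain-of-custody log."""
    status = "MATCH" if result["verified"] else "MISMATCH - stop, do not proceed"
    digests = "; ".join(f"{k}={v}" for k, v in result["computed"].items())
    return (f"{result['checked_at_utc']} {case_id} integrity check of "
            f"{result['path']}: {status}; {digests}")


if __name__ == "__main__":
    import sys
    res = verify_image(sys.argv[1], EXPECTED)
    print(custody_note(res))
    sys.exit(0 if res["verified"] else 1)
```

Run it as `python verify_image.py /path/to/image.E01` (a hypothetical path) and paste the printed line into the notes; a non-zero exit code makes the check usable as a gate in a scripted intake procedure, so analysis cannot start on a copy whose digests do not match.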

After successful verification, Autopsy and the other tools were used to mount a working copy of the forensic image, read-only, for the analysis phase. Every examination was conducted without changing the original image, in keeping with the forensic principle of non-alteration. Instead, to ensure that the original data remained untouched throughout the research, working copies of the verified image were examined. As part of the contemporaneous notes, every action, observation and decision was recorded meticulously. Timestamps, tool details, the commands issued and the justification for each procedural decision were all among this material. These contemporaneous records form a verification record that appears as an indispensable appendix to the report and demonstrates the examiner's adherence to the highest standards.

The chain of custody was also maintained in line with digital forensic norms. From the moment the forensic image was obtained until the final analysis was recorded, every movement and handling of the evidence was documented, so as to preserve the reliability of the material for possible use in court. By emphasising openness, accountability and professionalism, the case management approach laid a strong foundation for the later stages of the investigation.

EVIDENCE ANALYSIS

1. Disk Structure and File Systems:

   Using both FTK Imager and Autopsy, the forensic study of the suspect's hard drive gave a comprehensive picture of the disk structure and file systems. The study showed that the physical disk was divided into two logical partitions. The first partition was designated as the System Reserved partition; the second was the main partition, usually known as C:\, where most of the user's data and the operating system are kept. The System Reserved partition was formatted with the NTFS file system and contained important boot configuration data, recovery tools and BitLocker information. However, BitLocker encryption was disabled on this PC, indicating that full-disk encryption was not actively protecting the data.

   The primary partition (C:\) was also formatted as NTFS, consistent with a modern Windows installation. It was running Windows 10 Pro in a Semi-Annual Channel (SAC) configuration with build number 19044.12, and had been upgraded shortly before the machine was seized. This information was important because it allowed investigators to establish the chronology of the environment and of changes to the system. Although the file system initially appeared typical of a standard Windows installation, with folders such as Program Files, Users, Windows and Recovery, further study revealed discrepancies in timestamps and user data that suggest possible manipulation.
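The partition layout described here (a System Reserved partition followed by the C: volume, both NTFS) is what the MBR partition table of the image records, and it can be read without any tool. The block below is an added example, not the report's own FTK Imager or Autopsy output: it builds a tiny two-partition disk image in memory as constructed test data, parses the four 16-byte MBR entries, and reads the OEM ID of each partition's boot sector to confirm NTFS. A single entry of type 0xEE would mean a GPT disk with a protective MBR, which needs a different parser.

```python
"""Parse an MBR partition table and confirm NTFS boot sectors.

Added example for this page; the disk image is constructed in memory and is not
the case image. Offsets follow the classic MBR layout: 446 bytes of boot code,
four 16-byte partition entries, then the 0x55AA signature.
"""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, start LBA, sector count
PART_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x05: "Extended",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_constructed_image():
    """Return a 28-sector image with a System Reserved partition and a C: partition.

    Constructed test data: the LBAs are tiny so the whole image fits in memory.
    """
    entries = [
        (0x80, 0x07, 4, 8),     # bootable, NTFS, LBA 4, 8 sectors  (System Reserved)
        (0x00, 0x07, 12, 16),   # NTFS, LBA 12, 16 sectors          (C:)
    ]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in entries
    )
    table += b"\x00" * 16 * (4 - len(entries))          # unused entries are all zero
    mbr = b"\x00" * 446 + table + b"\x55\xaa"
    image = bytearray(mbr + b"\x00" * SECTOR * 27)
    for _, _, lba, _ in entries:
        off = lba * SECTOR
        # jump instruction followed by the 8-byte OEM ID of an NTFS boot sector
        image[off:off + 11] = b"\xeb\x52\x90NTFS    "
    return bytes(image)


def parse_mbr(image):
    """Return a list of dicts describing the non-empty MBR partition entries."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, hex(ptype)),
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count - 1,
            "size_bytes": count * SECTOR,
        })
    return parts


def oem_id(image, start_lba):
    """OEM ID at offset 3 of a partition's first sector; b'NTFS    ' confirms NTFS."""
    off = start_lba * SECTOR
    return bytes(image[off + 3:off + 11])


if __name__ == "__main__":
    img = build_constructed_image()
    for p in parse_mbr(img):
        print(p, oem_id(img, p["start_lba"]))
```

On a real image, replace `build_constructed_image()` with reading the first sector of the image file; the parser only ever looks at the first 512 bytes plus the boot sector of each partition it finds, so it is safe to run against a read-only mount.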

2. Time zone Configuration and Timestamp Manipulations:

   Further investigation of the machine's configuration files and registry settings showed that it was set to run in the UTC+0 time zone. When cross-referencing system logs, file metadata and event logs, however, the timestamps showed discrepancies. Some event logs contained out-of-order and irregular timestamps, pointing to potentially intentional timestamp modification. These changes were found in file creation, modification and access times, especially in important locations including the Documents and Downloads folders and the system registry hives.

   In addition, the registry hives, including SYSTEM and SOFTWARE, displayed signs of many changes during the lifetime of the device. These differences correspond to anti-forensic methods, in which the system clock or file metadata is changed to hide or rearrange the chronology of events. Such abnormalities raised concerns during the investigation because they suggested possible efforts to hide the trail or confuse the forensic reconstruction of operations.
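The discrepancies described in this section become reproducible when the checks are written as rules over a timeline export. The block below is an added example, not the report's own procedure; the file records and event-log entries are constructed, and the rules are standard timestomping indicators: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time (the latter is not settable through the ordinary SetFileTime API), whole-second timestamps on an NTFS volume that normally stores 100 ns resolution, a creation time later than the modification time, and event-log records whose time runs backwards as the record ID increases. Each rule on its own has benign explanations (a clock correction, a file copied from FAT media), so the output is a list of items to explain, not a verdict.

```python
"""Timestamp anomaly rules for NTFS file records and event-log entries.

Added example for this page. Input records are constructed; in practice they
would come from an Autopsy timeline export or an event-log parse.
"""
from datetime import datetime, timezone


def ts(text):
    """Parse an ISO-8601 string as a UTC datetime (the machine was set to UTC+0)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample records, not data from the case. `si_*` come from
# $STANDARD_INFORMATION, `fn_created` from $FILE_NAME. Python datetimes hold
# microseconds, so the 100 ns NTFS resolution is approximated here.
FILE_RECORDS = [
    {"path": r"C:\Users\admin\Documents\ledger.xlsx",
     "si_created": ts("2025-03-10T09:15:22.123456"),
     "si_modified": ts("2025-03-18T16:40:01.654321"),
     "si_accessed": ts("2025-03-19T08:02:10.111111"),
     "fn_created": ts("2025-03-10T09:15:22.123456")},
    {"path": r"C:\Users\admin\Downloads\wallet_list.txt",
     # all $SI values are whole seconds and predate the $FN creation time
     "si_created": ts("2019-01-01T00:00:00"),
     "si_modified": ts("2019-01-01T00:00:00"),
     "si_accessed": ts("2019-01-01T00:00:00"),
     "fn_created": ts("2025-03-21T22:15:44.987654")},
    {"path": r"C:\Users\admin\Documents\notes.docx",
     "si_created": ts("2025-03-22T11:00:00.500000"),
     "si_modified": ts("2025-03-20T10:00:00.500000"),   # modified before created
     "si_accessed": ts("2025-03-22T11:00:00.500000"),
     "fn_created": ts("2025-03-20T09:59:59.500000")},
]

# Constructed event-log excerpt: (EventRecordID, TimeCreated). Record IDs are
# assigned sequentially, so time should not run backwards as the ID increases
# unless the clock was changed.
EVENTS = [
    (1001, ts("2025-03-21T20:00:05")),
    (1002, ts("2025-03-21T20:00:09")),
    (1003, ts("2025-03-21T18:30:00")),   # clock goes back about 1.5 h
    (1004, ts("2025-03-21T18:30:02")),
    (1005, ts("2025-03-21T20:01:00")),   # and forward again
]


def file_time_anomalies(rec):
    """Return anomaly labels for one file record (empty list if nothing is flagged)."""
    flags = []
    if rec["si_created"] > rec["si_modified"]:
        flags.append("created_after_modified")
    if rec["si_created"] < rec["fn_created"]:
        flags.append("si_before_fn")
    if all(rec[k].microsecond == 0 for k in ("si_created", "si_modified", "si_accessed")):
        flags.append("zero_subsecond")
    return flags


def clock_regressions(events):
    """Return (record_id, seconds_backwards) for each record timestamped before its predecessor."""
    ordered = sorted(events)               # by record ID
    out = []
    for (_, prev_t), (rid, t) in zip(ordered, ordered[1:]):
        if t < prev_t:
            out.append((rid, (prev_t - t).total_seconds()))
    return out


def timeline_report(records=FILE_RECORDS, events=EVENTS):
    """Collect every flagged file and clock regression into one structure."""
    return {
        "files": {r["path"]: f for r in records if (f := file_time_anomalies(r))},
        "clock_regressions": clock_regressions(events),
    }


if __name__ == "__main__":
    for path, flags in timeline_report()["files"].items():
        print(path, flags)
    print(timeline_report()["clock_regressions"])
```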

3. Installed Software and Encryption Tools:

   Assessment of the installed programs showed a mixture of traditional productivity tools such as Microsoft Office and Google Chrome alongside multimedia utilities such as VLC Media Player. Of the greatest forensic relevance, however, was the discovery of VeraCrypt, a well-known open-source encryption application capable of creating encrypted virtual drives and hidden volumes. The presence of VeraCrypt on the system indicated that the user was able to hide data securely. Timeline analysis showed that VeraCrypt had been used just before the final recorded shutdown of the system. This link strongly suggested that the suspect may have used VeraCrypt to hide or secure data before the system was seized.

   In addition, it was noted that several compression and archiving tools were present, including WinRAR and 7-Zip, both of which are commonly used to produce compressed archives. Together with the encryption tool, these utilities can help protect and conceal private data, complicating forensic efforts to recover it in plain-text form.
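VeraCrypt containers carry no signature, so locating candidate containers on a volume relies on heuristics: a file with no recognised header, a size that is a multiple of 512 bytes and near-maximal byte entropy. The block below is an added example written for this page, not a VeraCrypt or Autopsy feature; the sample files are constructed with a seeded generator so the result is reproducible, and archives such as 7-Zip or WinRAR output are excluded by their magic bytes even though their contents are also high-entropy. Anything flagged still needs a human to explain it, since random keys, disk images and some media files pass the same test.

```python
"""Entropy-based screening for headerless encrypted container candidates.

Added example for this page. Samples are constructed; thresholds are the
usual rules of thumb (max entropy is 8 bits per byte).
"""
import math
import random
from collections import Counter

# Magic bytes of common high-entropy but identifiable formats (3+ bytes each
# to avoid false matches on random data).
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"Rar!": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def container_candidate(data, threshold=7.5):
    """Return (is_candidate, reason) for one file's bytes."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return False, f"known file type: {kind}"
    if len(data) % 512:
        return False, "size not a multiple of 512"
    h = shannon_entropy(data)
    if h < threshold:
        return False, f"entropy {h:.2f} below {threshold}"
    return True, f"no header, 512-aligned size, entropy {h:.2f}"


def constructed_samples():
    """Constructed files, not case data: seeded so every run gives the same bytes."""
    rng = random.Random(2025)
    return {
        "random.bin": rng.randbytes(8192),                   # looks like a container
        "random_odd.bin": rng.randbytes(8191),               # high entropy, wrong size
        "archive.zip": b"PK\x03\x04" + rng.randbytes(4092),  # identifiable archive
        "notes.txt": b"transfer to the offshore account on the 21st\n" * 64,
    }


def screen(files, threshold=7.5):
    """Return {name: (is_candidate, reason)} for a mapping of name -> bytes."""
    return {name: container_candidate(data, threshold) for name, data in files.items()}


if __name__ == "__main__":
    for name, (flag, why) in screen(constructed_samples()).items():
        print(f"{'CANDIDATE' if flag else 'skip':9} {name}: {why}")
```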

4. External Devices and USB Analysis:

   Registry entries under the USBSTOR key indicated that many external storage devices had been connected to the machine. The serial numbers and device details helped identify at least two external hard drives and three USB flash devices. According to the usage history, the most recent USB device had been attached about two days before the forensic image was taken. Unfortunately, direct access to the content of these devices was not possible, owing to the absence of active BitLocker encryption and the lack of images of the external devices at the time of capture.

   Nevertheless, these results suggested that the external devices may have been used for backup, data transfer, or possibly exfiltration of private data. Thorough tracking of USB use helped build a chronology connecting the user's behaviour to device connections, which supported other lines of investigation.

5. User Profiles and Account Activities:

   Review of the user accounts revealed two main profiles: Guest and Administrator. The Administrator account was used heavily, with most system activity, file changes, internet browsing and software use associated with this user. By comparison, the Guest account showed very little activity and was mostly limited to basic system access without any notable interaction.

   Analysis of email activity revealed regular correspondence with external parties, found in both Microsoft Outlook artifacts and cached Google Chrome browser data. The email and recovered credential artifacts showed that these exchanges often concerned financial transactions and cryptocurrency, especially in relation to Bitcoin. These results indicated that the suspect was probably involved in financial activities relevant to the goals of the investigation.

6. Internet Usage and Web Artifacts:

   According to the web activity logs and browser history, the suspect had installed and used Tor Browser, an anonymity-oriented web browser, to hide their activities on the Internet. Further evidence came from network traffic analysis and browser artifacts, which pointed to regular visits by the suspect to anonymous forums, Bitcoin trading platforms and websites associated with privacy-preserving technology. In particular, downloads of data-wiping tools and encryption-related applications were found, suggesting an interest in protecting data and perhaps a strong interest in destroying it.

   Taken together with the VeraCrypt installation and the timestamp manipulation, these activities raised questions about whether the suspect's pursuit of security and data confidentiality was intended to hide evidence of their operations.

7. File Recovery and Data Carving:

   Recovering hidden and deleted data was an important part of the study. Using powerful data-carving techniques, the forensic team recovered partially erased documents from locations such as the Documents, Desktop and Downloads folders. These included a list of Bitcoin wallet addresses, text files and PDF documents referring to offshore financial accounts, and a spreadsheet tracking virtual currency transactions. Many of the recovered files also named foreign companies, which probably participated in cross-border financial activities.

   Although the suspect tried to hide or erase this sensitive data, its partial recovery provided significant evidence, strengthening the theory that the system was involved in financial offences, money laundering or fraudulent Bitcoin transactions.
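Data carving of the kind described here works on file signatures rather than file system metadata, which is why it still finds documents after deletion. The following is an added example, not the team's tooling: it carves PDF documents from a constructed unallocated-space buffer by header and footer, skipping a header whose footer was overwritten, and recovers Bitcoin legacy addresses from the same buffer, validating each candidate's Base58Check checksum so that address-shaped strings that are not real addresses (for instance partially overwritten ones) are discarded. The valid address in the sample is the public one from the first Bitcoin block; the second is a constructed near-miss.

```python
"""Signature-based carving of PDFs and validated Bitcoin addresses.

Added example for this page. The buffer below is constructed to stand in for
unallocated space: slack bytes, one intact deleted PDF, one PDF whose tail was
overwritten, and a fragment of a wallet list.
"""
import hashlib
import re

UNALLOCATED = (
    b"\x00" * 16
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + b"\xff" * 8
    + b"%PDF-1.7\n2 0 obj\n<< /Length 0 >>\nstream\n"       # truncated: no %%EOF follows
    + b"\x00" * 8
    + b"wallets:\n1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
)

PDF_HEADER, PDF_FOOTER = b"%PDF-", b"%%EOF"
MAX_PDF_LEN = 64 * 1024 * 1024      # do not pair a header with a footer further away than this


def carve_pdfs(data):
    """Return [(offset, carved_bytes)] for every header/footer-delimited PDF.

    A header with no footer within MAX_PDF_LEN is skipped. Fragmented files are
    not reassembled; that is the usual limitation of signature carving.
    """
    found, pos = [], 0
    while (start := data.find(PDF_HEADER, pos)) != -1:
        end = data.find(PDF_FOOTER, start, start + MAX_PDF_LEN)
        if end == -1:
            pos = start + len(PDF_HEADER)
            continue
        end += len(PDF_FOOTER)
        found.append((start, data[start:end]))
        pos = end
    return found


B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH addresses: '1' or '3' followed by 25-34 Base58 characters.
LEGACY_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def base58check_ok(addr):
    """True if `addr` decodes to 25 bytes whose last 4 equal SHA256d of the first 21."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")      # leading '1's are leading zero bytes
    except (ValueError, OverflowError):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def carve_btc_addresses(data):
    """Distinct legacy Bitcoin addresses in `data` that pass checksum validation."""
    seen = []
    for m in LEGACY_RE.finditer(data):
        cand = m.group().decode("ascii")
        if base58check_ok(cand) and cand not in seen:
            seen.append(cand)
    return seen


if __name__ == "__main__":
    for off, blob in carve_pdfs(UNALLOCATED):
        print(f"PDF at offset {off}, {len(blob)} bytes")
    print("addresses:", carve_btc_addresses(UNALLOCATED))
```

On a real image the same functions run over a memory-mapped unallocated-space export; the checksum step is what keeps the wallet list free of false positives, since the regex alone matches any Base58-looking run of the right length.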

FINDINGS AND CONCLUSIONS:

The results of this investigation indicate that the suspect participated in activities related to data security, secure communication and cryptocurrency transactions. Taken together, the encrypted containers, anonymisation methods and financial records point to deliberate protection of private data that may be associated with illegal activity. Combined with the irregular timestamps and time zone adjustment, the presence of programs such as VeraCrypt and data-wiping tools raises questions about efforts to hide or destroy evidence. The system logs, file access times and user activity reveal active data manipulation, including the creation of encrypted volumes and the wiping of potentially incriminating information just before the system was seized by the authorities.

The inquiry also revealed evidence that the suspect frequently used external storage devices. The absence of these devices at imaging time is notable, because it suggests that some data may have been removed from the system or transferred before the seizure. Email traffic, including financial conversations and Bitcoin transactions, suggests that the suspect probably used these external drives to store data or transfer funds related to these activities. The recovered records and browsing history, seen in the context of multiple foreign accounts and cryptocurrency addresses, provided important background for these financial operations. The spreadsheet, with its wallet information and transaction records, indicates active management of virtual assets on the system.


Finally, the forensic data presents a picture of a suspect involved in technically competent efforts to control and hide financial activities that clearly involved cryptocurrency. The encryption technologies, data-wiping tools and time zone discrepancies indicate deliberate concealment and obfuscation, since they obstruct analysis of the evidence. Despite these attempts at obfuscation, notable traces of user activity could still be found, providing information about the suspect's conduct and intentions. The collected data is forensically sound: it is recorded in contemporaneous notes and validated by hash integrity checks. Further examination of the external storage devices is recommended, as they probably contain more data needed to fully understand the range of the suspect's activity.


APPENDIX:

1. 25-03-2025 09:00: Forensic workstation prepared, isolation confirmed, necessary forensic tools installed and verified.

2. 25-03-2025 11:00: Forensic image downloaded. Computed MD5 and SHA1 hashes matched provided values. Chain of custody initiated.

3. 26-03-2025 09:00: Image mounted read-only via FTK Imager. Initial disk structure analysis completed. Detected two partitions (System Reserved, C:\).

4. 26-03-2025 14:00: OS identified as Windows 10 Pro, build 19044.1288.

5. 27-03-2025 10:00: Software analysis completed. VeraCrypt and data wiping tools identified.

6. 27-03-2025 14:00: Timezone inconsistencies and timestamp manipulations discovered.

7. 28-03-2025 09:00: User profiles analyzed. Admin profile heavily active, Guest profile minimally active.

8. 28-03-2025 11:00: Internet artifacts recovered. Cryptocurrency exchanges, Tor downloads, anonymizing services observed.

9. 29-03-2025 09:00: Email artifacts analyzed. Recovered financial-related emails and attachments.

10. 29-03-2025 13:00: External device usage confirmed. USBSTOR entries recorded multiple removable storage devices.

11. 30-03-2025 10:00: Data carving performed. Recovered deleted spreadsheets, PDFs, and documents related to financial operations.

12. 30-03-2025 14:00: Report writing initiated.
