Report Sample

This case study report details a digital forensics investigation into a security breach linked to the murder of the national chief of defense. It outlines the five phases of digital forensics: Identification, Collection, Examination, Analysis, and Presentation, emphasizing the use of advanced forensic tools and methodologies to ensure evidence integrity. The report aims to provide a structured approach to uncovering the connection between the murder and the cyber intrusion, ultimately supporting legal proceedings.

Uploaded by whittykrish19

Department of Computer Science and Engineering

CASE STUDY REPORT

for
21UITV402
DIGITAL AND MOBILE FORENSICS

CASE NAME: Security breach in IT systems

Submitted by
D.PRAISY HEPHZIBAH (921722102118)
RA. PRATIBHA (921722102122)
G.M. PARVITA (921722102115)
A. NATCHIYAMMAL (921722102109)
S. NAGAJOTHI (921722102106)
M. KAVIYA (921722102068)

1
TABLE OF CONTENTS

S.NO CONTENTS PAGE NO

1. Incident Overview 3

2. Introduction 3

3. The Identification phase 4

4. The Collection phase 6

5. The Examination phase 8

6. The Analysis phase 9

7. The Presentation phase 11

8. Conclusion 11

2
INCIDENT OVERVIEW
Incident Description:
The national chief of defense has been murdered. Shortly after the murder, a security breach is
detected in the IT systems of the department of defense. Evidence suggests involvement of an
external hacker.
Hypothesis:
The murder and security breach are connected. The hacker might have accessed sensitive defense
information, which could have led to the murder.

INTRODUCTION
Digital forensics plays a critical role in investigating complex incidents that involve both
physical and cybercrimes. In this scenario, a murder has occurred involving the national chief of
defense, followed by a security breach in the IT systems of the department of defense. Given the
sensitive nature of the breach and its potential connection to the murder, a comprehensive digital
forensics investigation is necessary to uncover evidence, reconstruct events, and identify the
perpetrator.
This study outlines the application of the five phases of the digital forensics process:
Identification, Collection, Examination, Analysis, and Presentation. Each phase is systematically
applied to ensure the investigation is forensically sound, maintaining the integrity of evidence
and adhering to best practices. It highlights the tools, technologies, and methodologies used to
gather, process, and present evidence that links the cyber intrusion and the murder.
By leveraging advanced forensic tools like EnCase, FTK Imager, and Maltego, and following
strict procedures such as maintaining a chain of custody and analyzing volatile data, this report
demonstrates a structured approach to solving the case. The objective is to deliver actionable
insights and provide a clear, evidence-backed narrative for legal and investigative purposes.

3
1. THE IDENTIFICATION PHASE:
The identification phase is the task of detecting, recognizing, and determining the incident or
crime to investigate. Incidents can be identified from complaints, alerts, or other indications.
Identification also determines which evidence or objects to look for during the investigation.
Identifying an incident or a crime leads to the formation of a hypothesis about what might have
happened. An investigation can focus on finding information that supports a case, finding
information that refutes it, or verifying the validity of any given information. The questions
defined by the 5WH model (who, what, where, when, why, and how) should always be raised
during the identification phase; they help establish a hypothesis based on the information that
triggered the investigation.
As investigators, we operate with a preliminary hypothesis about a digital device or system that
may contain potential digital evidence. In the case of computer and file system analysis, the
identification step includes making a determination about which files on a volume are available,
active, or deleted.
Preparation and Deployment of Tools and Resources:
• Deploy forensic tools like FTK Imager, EnCase, and Wireshark to secure and analyze evidence.
• Set up a secure forensic lab with write blockers, imaging stations, and isolated networks.
The First Responder:
• The first responder ensures the scene and digital evidence are not tampered with.
• Primary tasks:
a) Secure the crime scene and systems.
b) Document all observations.
First Responder Mistakes:
• Possible mistakes:
a) Handling live systems improperly, altering timestamps.
b) Failing to document the chain of custody.
• Mitigation: Use write blockers and follow standard protocols for evidence handling.
At the Scene of the Incident:
• Physical evidence: victim’s mobile devices, laptops, and other digital devices.
• Digital evidence: server logs, network activity records, and system backups.

4
Preservation Task:
• Ensure the integrity of data by creating bit-by-bit images of systems.
• Document all evidence on the chain-of-custody form.
Dealing with Live and Dead Systems:
• Live systems: capture volatile data (RAM, running processes, network traffic), which is lost
when the system is powered off.
• Dead systems: create disk images for analysis.
Chain of Custody:
• Maintain a detailed record of every interaction with the evidence: who collected it, why, how,
when, and what was done.
• Tools: CaseNotes, chain-of-custody software.

5
2. THE COLLECTION PHASE:
The collection phase is the collection of data from digital devices to make a digital copy using
forensically sound methods and techniques.
In a digital forensics investigation, the collection phase refers to the acquisition or copying of the
data. This is when a forensic investigator gains access to the electronic device(s) containing raw
data that has been identified as relevant for the specific case. The collection phase of the digital
forensics process is common to most literature and scientific research in digital forensics. The
majority of literature that discusses the forensics process uses the term collection, whereas more
technically oriented literature refers to acquisition and/or extraction.
The data under investigation should always be copied to separate media, and the forensic
examination and analysis should always work on that copy. This ensures that the original is not
accidentally changed during the forensic process. Finally, a cryptographic hash (the data's digital
fingerprint) is calculated for both the original media and for the copy, so that the two can be
shown to be identical. Metadata about a case should be tied to the potential evidence, whether it
is a physical device or a data file. Such metadata can include the case name, case number,
examiner (the digital forensics investigator or investigators), timestamps, case and seizure
location, and time zone. When these procedures and tools are in place in advance, potential
digital evidence can quickly be made ready for use in a forensic investigation. This kind of
preparedness is known as forensic readiness.
Sources of Digital Evidence:
• Victim’s mobile and computing devices.
• Department of Defense servers, firewalls, and network devices.
• Surveillance cameras at the crime scene.
Systems Physically Tied to a Location:
Collect desktop systems, storage media, and any IoT devices linked to the crime scene.
Multiple Evidence Sources:
• Network logs from the department's servers.
• Communication data from the victim’s devices.
• CCTV footage and GPS data.
Reconstruction:
Reconstruct the breach timeline by analyzing logs, IP addresses, and malware signatures.

6
Evidence Integrity and Cryptographic Hashes:
• Use MD5 or SHA-256 hashing algorithms to verify integrity.
• Maintain hash values for every piece of evidence collected.
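The hashing and chain-of-custody procedure described in this phase (hash the original, copy it, hash the copy, tie case metadata to each record), as an added example that is not part of the report or of any of the tools it names. The evidence image, item ID and examiner name are constructed placeholders. SHA-256 is the default; MD5 is accepted only for re-checking values in older records, because collisions can be constructed for it.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence image": a stand-in for a bit-for-bit disk image.
# A real image would be read from disk in chunks; the hashing logic is the same.
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed sector payload for the sample case" + b"\xff" * 256


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an evidence image, computed in chunks as an imaging tool would.

    SHA-256 is the default. MD5 is accepted only so that values in older records
    can be re-checked: collisions can be constructed for MD5, so it should not be
    the sole integrity check for new acquisitions.
    """
    if algorithm not in ("sha256", "sha512", "md5"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), 4096):
        h.update(data[offset:offset + 4096])
    return h.hexdigest()


def verify_copy(original: bytes, copy: bytes, algorithm: str = "sha256") -> bool:
    """A working copy is acceptable only if its hash equals the original's."""
    return hash_image(original, algorithm) == hash_image(copy, algorithm)


def custody_entry(item_id: str, action: str, examiner: str, data: bytes,
                  note: str, algorithm: str = "sha256") -> dict:
    """One chain-of-custody record: what, who, when (UTC), why/how, and the hash."""
    return {
        "item_id": item_id,
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "algorithm": algorithm,
        "hash": hash_image(data, algorithm),
    }


def acquire(original: bytes, item_id: str, examiner: str) -> tuple:
    """Make the working copy and record both the original and the copy.

    Returns (copy, custody_log). Raises if the copy does not match, so a failed
    acquisition can never silently enter the evidence chain.
    """
    log = [custody_entry(item_id, "hash-original", examiner, original,
                         "hash of the seized media before copying")]
    copy = bytes(original)  # stands in for a write-blocked bit-by-bit copy
    log.append(custody_entry(item_id, "acquire-copy", examiner, copy,
                             "hash of the working copy after acquisition"))
    if not verify_copy(original, copy):
        raise RuntimeError(f"{item_id}: copy hash does not match original")
    return copy, log


def chain_intact(log: list) -> bool:
    """True if every record in the chain for one item reports the same hash."""
    return len({entry["hash"] for entry in log}) == 1


if __name__ == "__main__":
    working_copy, custody_log = acquire(ORIGINAL_IMAGE, "ITEM-001-laptop-ssd", "examiner A")
    for entry in custody_log:
        print(entry["action"], entry["hash"][:16], entry["timestamp_utc"])
    print("chain intact:", chain_intact(custody_log))
```

Every later action on the item (examination, analysis, hand-over) should append another `custody_entry` with a fresh hash; `chain_intact` then catches any record whose hash drifted from the acquisition hash, which is exactly the question a court will ask.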
Order of Volatility:
• Prioritize collecting:
a) RAM data.
b) Network connections.
c) Hard drives (least volatile).
Dual Tool Verification:
Use tools like EnCase and Autopsy to cross-verify evidence findings.
Remote Acquisition:
• Acquire data remotely if physical access is limited.
• Use tools like F-Response for network-based acquisition.
External Competency and Forensic Cooperation:
Collaborate with network security teams and law enforcement cybercrime units.

7
3. THE EXAMINATION PHASE:
Preparation and extraction of potential digital evidence from collected data sources.
All data collected must be examined and prepared for later analysis as part of the examination
phase. As with all phases in the digital forensics process, it is important to document your actions
and handling of the data to support the chain of custody. The examination often requires
restructuring, parsing, and preprocessing of raw data to make it understandable for a forensic
investigator in the upcoming analysis. To facilitate this phase, an analyst typically uses forensic
tools and techniques appropriate for extracting relevant information.
Initial Data Source Examination and Preprocessing:
• Examine raw data from logs, system images, and memory dumps.
• Identify relevant artifacts for deeper analysis.
Forensic File Formats and Structures:
Use tools supporting formats like E01 (EnCase evidence format) and raw images.
Data Recovery:
Recover deleted files using tools like Recuva or TestDisk.
Data Reduction and Filtering:
Filter large datasets using keyword searches and timestamps.
Timestamps:
Analyze timestamps to correlate events such as unauthorized system access and the murder.
Compression and Encryption:
• Decrypt encrypted files using tools like Passware Kit.
• Extract data from compressed archives.
Data Carving:
Recover file fragments from unallocated disk space using tools like Scalpel.
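Header/footer carving of the kind Scalpel performs, as an added example that is not part of the report or of Scalpel itself. The unallocated-space buffer, the two file fragments and the truncated fragment are constructed inline; the signature table is a two-entry stand-in for a real carver's configuration.

```python
# Header/footer signatures for the file types this example carves. Constructed
# two-entry table; a real carver such as Scalpel ships a much longer, configurable one.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed fragments standing in for files whose directory entries are gone.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF constructed body" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR constructed chunks" + b"IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"header only, footer overwritten"

# Filler that contains none of the signatures above (the test checks this).
FILLER = bytes(range(256)) * 2

# Constructed "unallocated space": filler with the fragments scattered through it.
UNALLOCATED = FILLER * 2 + FAKE_JPEG + FILLER + FAKE_PNG + FILLER + TRUNCATED_JPEG + FILLER


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 10 * 1024 * 1024) -> list:
    """Recover files by scanning for a header and the next matching footer.

    Each hit is a dict with type, offset, size, status and the carved bytes. A header
    with no footer within max_size is reported as truncated and skipped, which is the
    usual outcome when the tail of a deleted file has already been overwritten.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": ftype, "offset": start, "size": None,
                              "status": "truncated", "data": b""})
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": start, "size": end - start,
                          "status": "complete", "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        print(f"{hit['type']:<4} offset={hit['offset']:<6} status={hit['status']} size={hit['size']}")
```

Carved output must itself be hashed and logged like any other evidence, and a carved file that overlaps another hit (a truncated header followed by a later file's footer) should be treated as suspect until its content is validated, since a naive header-to-footer scan will happily glue two fragments together.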
Automation:
Automate repetitive tasks like keyword searches with Autopsy or Magnet AXIOM.

8
4. THE ANALYSIS PHASE:
In the analysis phase, forensic investigators determine the digital objects to be used as digital
evidence to support or refute a hypothesis of a crime, incident, or event.
The processing of information that addresses the objective of the investigation with the purpose
of determining the facts about an event, the significance of the evidence, and the person(s)
responsible.
Following the examination phase, the data is prepared for analysis. Statistical methods, manual
analysis, techniques for understanding protocols and data formats, linking of multiple data
objects (e.g., through the use of data mining), and timelining are some of the techniques that are
used for analysis. Computational methods are applied for the purpose of automating analysis
tasks and for recognizing patterns through machine learning. The analysis phase is an iterative
process in itself.
Layers of Abstraction:
Examine data at multiple levels (e.g., application logs, operating system traces, network packets).
Evidence Types:
• Volatile evidence: RAM dumps, network activity.
• Non-volatile evidence: hard drive data, server logs.
String and Keyword Searches:
Search for keywords like "chief of defense," breach-related terms, or specific malware
identifiers.
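A keyword search over a raw image that also finds Windows-style UTF-16LE strings, which a plain ASCII search misses, as an added example that is not part of the report or of any tool it names. The image slice is constructed inline (an ASCII memo fragment and a UTF-16LE file path); the keyword list is the report's own "chief of defense" plus one term that does not occur.

```python
import re

# Constructed image slice: an ASCII text region, a UTF-16LE region of the kind
# Windows uses for registry values, NTFS names and shortcut files, and null filler.
ASCII_TEXT = b"memo: Chief of Defense travel itinerary attached\n"
UTF16_TEXT = "C:\\Users\\svc-backup\\chief of defense.pdf".encode("utf-16-le")
IMAGE = b"\x00" * 64 + ASCII_TEXT + b"\x00" * 32 + UTF16_TEXT + b"\x00" * 64


def keyword_hits(image: bytes, keywords, context: int = 16) -> list:
    """Find each keyword in ASCII and UTF-16LE, case-insensitively.

    Returns dicts with keyword, encoding, byte offset and a decoded snippet around
    the hit. `context` is forced even so UTF-16LE snippets stay aligned on code units.
    """
    context -= context % 2
    hits = []
    for kw in keywords:
        needles = {"ascii": kw.encode("ascii"), "utf-16le": kw.encode("utf-16-le")}
        for enc, needle in needles.items():
            # re.IGNORECASE on bytes folds ASCII letters only, which is exactly
            # what both encodings of an ASCII keyword need.
            for m in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                lo = m.start() - context
                if lo < 0:
                    lo = m.start() % 2  # keep UTF-16 alignment near the image start
                hi = m.end() + context
                codec = "ascii" if enc == "ascii" else "utf-16-le"
                snippet = image[lo:hi].decode(codec, errors="replace").replace("\x00", ".")
                hits.append({"keyword": kw, "encoding": enc,
                             "offset": m.start(), "snippet": snippet})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in keyword_hits(IMAGE, ["chief of defense", "exfil"]):
        print(f"0x{hit['offset']:08x} {hit['encoding']:<8} {hit['snippet']!r}")
```

The offsets are what a reviewer needs to go back to the image and confirm which file or unallocated region the hit lives in; the snippet alone is not evidence.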
Anti-Forensics:
Detect and counter anti-forensic measures such as data wiping or steganography, using tools
like StegDetect.
Automated Analysis:
Use AI-driven tools to identify patterns in large datasets (e.g., Cellebrite Pathfinder).
Timelining of Events:
• Create a detailed timeline of:
a) Breach occurrence.
b) Data accessed.
c) The murder.
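The timestamp correlation called for in the examination phase and the timeline called for here, as one added example that is not part of the report. Every source writes time in its own format and zone (ISO 8601 with an offset, Apache-style, "UTC"-suffixed, and Unix epoch); the log lines, hosts, accounts and IPs (from documentation ranges) are constructed, and the non-digital event enters as a manually recorded case note. Normalising everything to UTC before sorting is the step that makes cross-source ordering trustworthy.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, one per source, each in that source's native timestamp
# format and zone. The manual case note carries the non-digital event.
RAW_LOGS = [
    ("firewall", "2024-03-04T23:01:45+05:30 fw01 outbound 10.20.0.5 -> 203.0.113.7:443 periodic beacon"),
    ("webproxy", "[04/Mar/2024:17:40:02 +0000] 10.20.0.5 GET /share/defense-itinerary.pdf 200"),
    ("domainctl", "2024-03-04 17:11:30 UTC DC01 EventID 4624 logon svc-backup from 10.20.0.5"),
    ("cctv", "1709574133 lobby door badge-in visitor-0042"),
    ("casenote", "2024-03-04 18:05:00 UTC victim last seen alive (manual case note)"),
]

# (regex capturing the timestamp and the message, converter to an aware datetime)
PARSERS = [
    (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) (.*)$"),
     lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")),
    (re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$"),
     lambda s: datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")),
    (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (.*)$"),
     lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)),
    (re.compile(r"^(\d{9,10}) (.*)$"),
     lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)),
]


def parse_event(source: str, line: str) -> dict:
    """Turn one raw line into {utc, source, message}; unknown formats are an error,
    never silently dropped, so a gap in the timeline is always visible."""
    for pattern, to_datetime in PARSERS:
        m = pattern.match(line)
        if m:
            return {"utc": to_datetime(m.group(1)).astimezone(timezone.utc),
                    "source": source, "message": m.group(2)}
    raise ValueError(f"unrecognised timestamp format in {source}: {line!r}")


def build_timeline(raw_logs) -> list:
    """All events from all sources, normalised to UTC and ordered."""
    return sorted((parse_event(src, line) for src, line in raw_logs), key=lambda e: e["utc"])


def events_near(timeline: list, anchor_iso: str, minutes: int = 30) -> list:
    """Events within +/- minutes of an anchor given as an ISO 8601 string."""
    anchor = datetime.fromisoformat(anchor_iso)
    if anchor.tzinfo is None:
        anchor = anchor.replace(tzinfo=timezone.utc)
    window = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e["utc"] - anchor) <= window]


def render(timeline: list) -> list:
    """One fixed-width line per event, for the report appendix."""
    return [f"{e['utc'].strftime('%Y-%m-%d %H:%M:%S')}Z  {e['source']:<9}  {e['message']}"
            for e in timeline]


if __name__ == "__main__":
    timeline = build_timeline(RAW_LOGS)
    print("\n".join(render(timeline)))
    print("--- within 15 min of the file download ---")
    print("\n".join(render(events_near(timeline, "2024-03-04T17:40:02+00:00", minutes=15))))
```

Before trusting such a timeline, record each source's clock offset against a reference (NTP drift on a firewall or a CCTV recorder of several minutes is common) and keep the original line next to every normalised event so the conversion can be audited.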

9
Graphs and Visual Representations:
Use tools like Maltego to visualize connections between devices, accounts, and IPs.
Link Analysis:
• Correlate relationships between:
a) Breached data.
b) Victim’s activities.
c) Hacker's IP or user accounts.
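The link analysis described above, reduced to its core: build a graph of entities (accounts, hosts, IPs, devices, files) from observations collected in the earlier phases and find the shortest chain of relationships between two of them. This is an added example, not part of the report and not Maltego's code; the observations, names and documentation-range IPs are constructed.

```python
from collections import deque

# Constructed observations from the other phases: (entity, relation, entity).
# Names carry a type prefix so accounts, hosts, IPs, devices and files cannot collide.
OBSERVATIONS = [
    ("acct:svc-backup", "logged-on-from", "host:10.20.0.5"),
    ("host:10.20.0.5", "connected-to", "ip:203.0.113.7"),
    ("acct:svc-backup", "read", "file:defense-itinerary.pdf"),
    ("acct:victim", "owns", "file:defense-itinerary.pdf"),
    ("acct:victim", "uses", "device:victim-phone"),
    ("device:victim-phone", "synced-to", "ip:198.51.100.9"),
    ("acct:admin", "logged-on-from", "host:10.20.0.7"),
]


def build_graph(observations) -> dict:
    """Undirected adjacency sets: relationships are evidence in both directions."""
    graph = {}
    for a, _relation, b in observations:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_link(graph: dict, start: str, goal: str):
    """Breadth-first search; returns the shortest entity path or None if unlinked."""
    if start not in graph or goal not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(graph[node]):  # sorted for deterministic output
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def edge_labels(observations, path: list) -> list:
    """The recorded relation for each consecutive pair on a path."""
    labels = {}
    for a, relation, b in observations:
        labels[(a, b)] = relation
        labels[(b, a)] = relation
    return [labels[(path[i], path[i + 1])] for i in range(len(path) - 1)]


def pivots(path: list) -> list:
    """Interior entities of a path: the accounts/hosts that must be checked by hand."""
    return path[1:-1]


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    path = shortest_link(graph, "acct:victim", "ip:203.0.113.7")
    for node, label in zip(path, edge_labels(OBSERVATIONS, path) + [""]):
        print(node, f"--{label}-->" if label else "")
    print("pivots to verify:", pivots(path))
```

A path in this graph is a lead, not a finding: each pivot entity on it (here the shared file and the service account) points back to the specific log lines and artifacts that established the edge, and those are what go into the report.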

10
5. THE PRESENTATION PHASE:
The presentation phase involves the final documentation and presentation of the results of the
investigation to a court of law or other applicable audiences, such as a corporation’s top
management or crisis management team. The presentation is based on objective findings with a
sufficient level of certainty, based on the analysis of digital evidence.
It is the process by which the examiner shares results from the analysis phase, in the form of
reports, with the interested party or parties. It is important that the findings are summarized and
that all actions performed during the investigation are accounted for and described in a fashion
understandable by the audience.
The Final Reports:
• Summarize findings, including:
a) Evidence collected.
b) Methodologies applied.
c) Analysis results.
Presentation of Evidence and Work Conducted:
• Provide clear documentation for court proceedings:
a) Chain-of-custody forms.
b) Technical and layman-readable reports.
The Chain of Custody Circle Closes:
Submit all evidence and reports to legal authorities while maintaining chain-of-custody
documentation.

CONCLUSION:
This case study outlines a comprehensive digital forensics process to investigate the incident,
linking the murder and the breach. By maintaining a methodical approach and leveraging
advanced tools, the findings can ensure a forensically sound investigation and provide admissible
evidence for legal proceedings.

11
Evaluation by Faculty:

Name of the Student: D.PRAISY HEPHZIBAH


Register Number: 921722102118

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

Name of the Student: RA.PRATIBHA


Register Number: 921722102122

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

12
Name of the Student: G.M. PARVITA
Register Number: 921722102115

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

Name of the Student: A. NATCHIYAMMAL


Register Number: 921722102109

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

13
Name of the Student: S.NAGAJOTHI
Register Number: 921722102106

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

Name of the Student: M. KAVIYA


Register Number: 921722102068

Case Understanding and Scope (10)


Forensic Analysis Techniques (10)
Technical Proficiency (10)
Report Writing and Presentation (10)
Team Work (10)
Total (50)

Remarks (by Faculty):

Faculty Signature:

14