Data Recovery: How to recover a deleted document?

Post on 23-Oct-2015

DESCRIPTION

The project entails recovering crucial documents that an unsatisfied employee, Jonathan, deleted before leaving the company. Jonathan's crime was evaluated and analyzed to determine how he committed it, in order to craft proficient ways of recovering the lost file. Proper planning was done before conducting the investigation in order to ensure strict adherence to investigation procedure. Finally, the investigation evidence proved that Jonathan did delete the important documents, which the investigation team managed to recover.

TRANSCRIPT

<ul><li><p>2011</p>
<p>YUSUPH KILEO</p>
<p>DATA RECOVERY</p>
<p>10/4/2011</p>
<p>DATA RECOVERY: TO RECOVER DELETED DATA FROM A COMPUTER</p></li>
<li><p>DATA RECOVERY</p>
<p>YUSUPH KILEO Page 1</p>
<p>Contents</p>
<p>ABSTRACT</p>
<p>CHAPTER ONE: INTRODUCTION TO THE PROJECT</p>
<p>1.1 PROJECT OVERVIEW</p>
<p>1.2 PROJECT AIMS AND OBJECTIVES</p>
<p>1.3 ASSUMPTIONS</p>
<p>1.4 EVALUATION OF JONATHAN'S COMPUTER CRIME</p>
<p>CHAPTER TWO: THE INVESTIGATION PROCESS</p>
<p>2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS</p>
<p>2.2 AUTHORIZATION AND PREPARATION</p>
<p>2.2.1 AUTHORIZATION</p>
<p>2.2.2 PREPARATION</p>
<p>2.3 IDENTIFICATION</p>
<p>2.4 COLLECTION AND PRESERVATION</p>
<p>2.5 EXAMINATION AND ANALYSIS</p>
<p>2.5.1 RECOVERING ANY DELETED MATERIALS</p>
<p>2.5.2 RECOVERED MATERIALS</p>
<p>2.5.3 EXTRACTION OF THE MATERIAL FOUND</p>
<p>2.6 RECONSTRUCT</p>
<p>2.7 REPORT</p>
<p>FORENSICS REPORT</p>
<p>INVESTIGATION FINDINGS</p>
<p>EXAMINATION SUMMARY</p>
<p>CONCLUSION</p>
<p>3.0 EXECUTIVE SUMMARY</p>
<p>4.0 Appendix</p>
<p>5.0 REFERENCES</p></li>
<li><p>ABSTRACT</p>
<p>The project entails recovering crucial documents that an unsatisfied employee, Jonathan, deleted before leaving the company. Jonathan's crime was evaluated and analyzed to determine how he committed it, in order to craft proficient ways of recovering the lost file. Proper planning was done before conducting the investigation in order to ensure strict adherence to investigation procedure.</p>
<p>Finally, the investigation evidence proved that Jonathan did delete the important documents, which the investigation team managed to recover.</p></li>
<li><p>CHAPTER ONE: INTRODUCTION TO THE PROJECT</p>
<p>1.1 PROJECT OVERVIEW</p>
<p>This project is divided into three main chapters: the introduction, the investigation process and the conclusion. The introduction highlights the main aspects of the thesis; the investigation process describes in detail the steps that the investigation team would take in investigating the above highlighted case and the forensic tools used. It must be noted that different tools would be used at different phases of the investigation process; therefore, for clarity, the tools usable in a specific phase would be explained when describing the activities of that particular phase.</p>
<p>The conclusion, as the name suggests, would summarize the main contents of the project as well as briefly outline the lessons drawn from the project, the challenges faced and how they were mitigated.
</p>
<p>1.2 PROJECT AIMS AND OBJECTIVES</p>
<p>AIMS</p>
<p>This project is aimed at evaluating and analyzing Jonathan's crime and procedurally recovering all the lost crucial files to save Bukit Enterprises from immense loss.</p>
<p>OBJECTIVES</p>
<p>In order to achieve the set aim, the investigator has formulated the following objectives:</p>
<p>• Strictly adhere to the procedures of forensic investigation.</p>
<p>• Prepare a time management schedule and strictly abide by it so as to recover the crucial files in a timely manner.</p>
<p>• Encourage team work amongst case investigators.</p>
<p>• Be flexible, such that any emerging technologies that may be useful to the investigation would be tried in order to acquire accurate evidence.</p>
<p>• Ensure the authenticity and accuracy of all tools to be used in the investigation.</p></li>
<li><p>1.3 ASSUMPTIONS</p>
<p>• Bukit Enterprises is a company located in the United Kingdom.</p>
<p>• Investigators found Jonathan's computer on.</p>
<p>• Jonathan was using Windows XP as an operating system.</p>
<p>• Jonathan has installed WinRAR software on his computer (encryption tool).</p>
<p>• Jonathan has no personal data left in the computer.</p>
<p>• Jonathan saved the research documents using WordPad.</p>
<p>• Jonathan encrypted the documents before deleting them.</p>
<p>• Jonathan protected the documents with a password using his name.</p>
<p>• Jonathan did not first enquire about the reasons for management promoting Steven over him.</p></li>
<li><p>1.4 EVALUATION OF JONATHAN'S COMPUTER CRIME</p>
<p>Jonathan was actively involved in the research for years, but that doesn't allow him to delete the research documents when he left the job. The research documents he deleted were not his property but rather Bukit Enterprises' property. It is apparent that Jonathan did not enquire with the management as to why Steven was promoted over him. Jonathan rather decided to take the law into his own hands and delete the Company's documents, which, as stated, if not recovered would cause the company a massive loss.</p>
<p>The question remains: does Jonathan's involvement in the research give him the right to delete the documents? According to the company's rules and regulations, company documents should be returned when an employee resigns. Likewise, (Akerman, 2011) highlights a case where an employee deleted company files. The court ruling was that an employee should return all company documents before resignation.</p>
<p>Furthermore, (McCullagh.D, 2007) highlights that Jonathan would be found guilty in a court of law as long as the evidence obtained is authentic and accurate. This is due to the fact that, with the obtained evidence, Jonathan would be prosecuted for violating the Computer Fraud and Abuse Act, which finds guilty whoever knowingly acquires information from a computer without obtaining authorization, or whoever exceeds their authorization level to illegally access data and causes damage or loss to it. Jonathan had authorized access to the documents, but he exceeded the scope of his authority by deleting the documents.</p>
<p>Conclusively, (Radcliffe, 2010) further proves that Jonathan would be proven guilty: according to the United Kingdom copyright laws, any research or discovery that an employee makes or achieves within their scope of employment belongs to the employer. Therefore Jonathan illegally deleted Bukit Enterprises' crucial documents and hence would be accordingly prosecuted.
</p></li>
<li><p>CHAPTER TWO: THE INVESTIGATION PROCESS</p>
<p>2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS</p>
<p>The purpose of a forensic investigation is to collect evidence that would prove a crime in a court of law. As with all other projects, there are steps to be followed while carrying out a forensic investigation. This is to ensure that the gathered evidence is authentic and accurate. Moreover, some practices are expected of forensic investigators by courts of law.</p>
<p>In that respect, the steps of forensic investigation would be properly followed, and adherence to the laws of forensic investigation would be ensured at every phase before proceeding to another. The aforementioned phases of investigation are namely:</p>
<p>1. Authorization and preparation</p>
<p>2. Identification</p>
<p>3. Collection and Preservation</p>
<p>4. Examination</p>
<p>5. Analysis</p>
<p>6. Reconstruct</p>
<p>7. Reporting</p></li>
<li><p>2.2 AUTHORIZATION AND PREPARATION</p>
<p>2.2.1 AUTHORIZATION</p>
<p>The focus of forensic investigation is to acquire evidence that would be used in a legal proceeding. Forensic investigators must have authorization to carry out the investigation, otherwise the evidence would not be admissible (Kleiman et al, 2007 P.8 of 939).</p>
<p>The forensic investigator has been appointed by the Company's IT department as the head of the investigation team to search and recover deleted materials from the computer that Jonathan used while still working for Bukit Enterprises. For formalization, the investigator should request from the company a written permission that allows the investigator to search Jonathan's computer and that outlines the reasons why Jonathan's previously used computer is searched and investigated.</p>
<p>It is also common knowledge that before any forensic investigation, investigators must first obtain a judicial permission, a search warrant, that gives them the go-ahead with the investigation. For example, if forensic investigators are investigating a case where someone is suspected of selling drugs, a search warrant must be obtained from the authority concerned to allow the investigator to proceed with searching and investigating the case.</p>
<p>Since Jonathan was no longer a part of the company, there was no reason for a search warrant, and instead the investigator would request a formal written authorization from the Company management to carry out the investigation. The letter must state that the investigator is hired to search Jonathan's computer, and a justification as to why the search must be conducted must also be provided. To further validate the investigation procedure, the investigator should have a third party present, for example an attorney, to certify that the investigators have been hired by Bukit Enterprises to conduct a search on the computer Jonathan used while still with the Company.</p></li>
<li><p>2.2.2 PREPARATION</p>
<p>The preparation phase is where the investigator finalizes the formation of the investigation team. The team would be divided according to the phases of investigation so as to have an investigator responsible for a specific phase of investigation. Though the appointed investigators would be working with the team, they would be in charge of those phases to ensure that proper procedures are followed throughout the investigation process.
</p>
<p>A chain of custody would also be created at this stage. Not all investigation team members will be in the chain of custody, because the fewer people who handle the investigation's crucial documents the better; it increases accountability. The chain of custody would be documented, outlining all handlers of important investigation documents, including the evidence.</p>
<p>ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM</p>
<p>COLLECTED EVIDENCE: CATEGORY | NAME | TRACKING NUMBER | COLLECTED FROM</p>
<p>CHAIN OF CUSTODY: TRACKING NUMBER | FROM (Location) | DATE AND TIME | REASON | TO (Location)</p>
<p>Case No: | Page: | Of:</p>
<p>Fig. 01 shows the chain of custody for the case.</p></li>
<li><p>The preparation phase also entails briefing the investigation team on the case and what is expected of them during the investigation. This is to enable the investigation team to psychologically prepare for the case as well as to be familiar with the laws of the United Kingdom, where the forensic investigation is taking place.</p>
<p>The investigation team would also prepare any materials that may be useful in the case, both hardware and software. Even though the investigation team have not yet assessed Jonathan's computer, due to their experience in the field the investigation team would prepare materials that are likely to be required in the investigation, such as the necessary software applications and hardware that might be helpful during the investigation process.</p>
<p>2.3 IDENTIFICATION</p>
<p>The identification phase is the phase that allows investigators to spot any materials that may be suspicious and may contain evidence. These materials may be hardware such as compact discs, floppy disks, hard disks etc., or they may be fragile data in digital form such as emails, log files, images etc.</p>
<p>The investigation team would check the log files of the computer which was used by Jonathan, where they would recognize that he had deleted some files just a few hours before he left the Company. They would also find digital images on his computer, and due to their experience in the field the team would suspect them of being steganography images.</p>
<p>The last step of the identification phase is where the investigation team identifies the investigation requirements. This pertains to tools or software that would be useful in the investigation process. Having identified these items, the team would have an idea of what Jonathan actually did and hence would know what forensic tools to prepare, which will allow the investigation process to be carried out smoothly.</p></li>
<li><p>2.4 COLLECTION AND PRESERVATION</p>
<p>COLLECTION</p>
<p>Having identified items that may contain the evidence of Jonathan's crime, the investigation team would proceed to collecting the evidence. Conducting forensic investigations procedurally is aimed at acquiring accurate evidence....</p></li></ul>
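<p>The chain of custody form from section 2.2.2 (Fig. 01) kept as a machine-checkable log, as an added example that is not part of the original report. The SHA-256 chaining of entries, the continuity check and all sample values are assumptions of this example; only the field names come from the form.</p>

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # assumption of this example: fixed anchor for the first entry

@dataclass(frozen=True)
class Transfer:
    tracking_number: str  # TRACKING NUMBER
    from_location: str    # FROM (Location)
    date_time: str        # DATE AND TIME, ISO 8601 so strings sort chronologically
    reason: str           # REASON
    to_location: str      # TO (Location)

def entry_digest(prev_digest, transfer):
    """SHA-256 over the previous digest plus this entry; any later edit changes it."""
    body = json.dumps(asdict(transfer), sort_keys=True)
    return hashlib.sha256((prev_digest + body).encode("utf-8")).hexdigest()

def seal(transfers):
    """Return [(transfer, digest)], each digest chained to the entry before it."""
    sealed, prev = [], GENESIS
    for t in transfers:
        prev = entry_digest(prev, t)
        sealed.append((t, prev))
    return sealed

def verify(sealed):
    """List altered entries, custody gaps and out-of-order times in a sealed log."""
    problems, prev_digest, last = [], GENESIS, {}
    for i, (t, digest) in enumerate(sealed, start=1):
        if entry_digest(prev_digest, t) != digest:
            problems.append(f"entry {i}: digest mismatch")
        prior = last.get(t.tracking_number)
        if prior and prior.to_location != t.from_location:
            problems.append(f"entry {i}: custody gap for {t.tracking_number}")
        if prior and t.date_time < prior.date_time:
            problems.append(f"entry {i}: earlier than previous transfer")
        prev_digest, last[t.tracking_number] = digest, t
    return problems

# Constructed sample: tracking number, locations and times are invented.
SAMPLE = [
    Transfer("BE-001", "Jonathan's workstation", "2011-10-04T09:15", "Seizure", "Evidence locker"),
    Transfer("BE-001", "Evidence locker", "2011-10-04T11:00", "Imaging", "Forensic lab"),
    Transfer("BE-001", "Forensic lab", "2011-10-04T16:30", "Storage", "Evidence locker"),
]

if __name__ == "__main__":
    print(verify(seal(SAMPLE)) or "custody chain intact")
```

<p>An entry edited after sealing is reported as a digest mismatch, and a transfer whose FROM location differs from the previous TO location for the same tracking number is reported as a custody gap.</p>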