Computer Forensic Investigation Making an Research Paper

Download this Research Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Research Paper:

Typically, a database uses either the simple recovery model or the full recovery model. The full recovery model can be supplemented by switching to the bulk-logged recovery model before bulk operations." (Microsoft, 2010 P. 2).

Meanwhile, our company will need to implement the full back up safeguard all our data. Under the full recovery model, the first step is to back up the transaction log. Combination of full back-up with log back ups is equivalent of full database back up. Starting the back up from the log transaction is the best practice to perform a full database back-up. The illustration in Fig 2 reveals the strategy to implement a full back up. As being revealed in the Fig 2, the back up starts from the transaction logs and the next step is to schedule the full database back up and file backups at subsequent interval to satisfy our company requirements. From the illustrations in the Fig 2, the backup (a, C, B, a) is the order in which file back-ups are carried out to satisfy the business requirements. The next step is to place the data back up in separate devises to enhance business continuity.

Fig 2: Data Restore and Back-up Strategy for Our Company

1.4. Create a Detailed Checklist

This section provides detailed checklists t to safeguard our data from the hostile IP address.


Details Description

First Step

Identification of the Hostile IP address. The identification will include the country origin, and the website associated with IP address.

Second Step

The next step is to block the IP address from communicating with our systems. We will need to install IP address management software to achieve this objective. The strategy will assist our systems to stop exporting data to the hostile IP address.

Next Step

The next step is to recover our lost data as well as implementing the full back up strategy. The SQL Server 2008 R2 is effective in restoring our lost data.

Next Step

The next step is to put the recovered data at a separate devices

Next Step

Inspect the recovered data whether all the data are intact.

Next Step

Other step is to install the IPS to prevent unauthorized network into our systems.

Final Step

Final step is to install firewall to block all the unwanted traffic from our systems.

1.5. Determine the Resources Needed

Both financial resources and human resources will be needed to carry out the project. Typically, the company will need to set aside minimum of $30,000 dollars to carry out the task. The company could use an in-house staff or third part providers to carry out the tasks. To safeguard the data integrity, it is critical to use the in-house employees. The following resources will be needed for the project implementation:

Purchase of Forensic tool to recover the lost data exported to the hostile IP address,

Installation of SQL Server 2008 for the data backup,

Installation AutoShun technology or other IP Trace technology to block the hostile IP address getting access to our data,

Set aside skilled manpower in association with a forensic expert to implement the project.

1.6. Establishing the Chain of Custody.

The purpose of this chain of custody is to establish the electronic evidence that leads to the export of data to an identified IP address.

On 25 June 2013, Mr. James Anderson, a forensic expert in our organization collects the evidence that a hostile IP address has corrupted our system leading all our system to export data to the hostile IP address. Our intrusion detection system has notified us that our systems are exporting data to the hostile IP addresses.

The IP address is 58.1456.1246.1 hosted by a company having the major objective to commit criminal activities. The documented evidence reveals the file paths of the data lost from our systems to the hostile IP address.

The evidence of the data theft is from our hard drives and revealed as follows: We have made:

All the image copy of the data restored and data freshly wiped from our system.

Image copy of our operating system logs.

Typically, data are lost from the following systems to the hostile IP:

Data are lost from our server,

Data are lost from our database

Data are lost all from the hard disks of our computer systems,

Data are lost from all software,

Data are lost from all our storage devices, which include tapes, USB, and other storage devices that we use in storing our data.

The type of the data stolen from our system to the hostile IP address is as follows:

Credit card information of our clients,

Sensitive data such as SSN, health information, bank accounts, email, phone number, and addresses of our clients.

The strategy that we use to trace the hostile IP address is as follows:

Using of tracing tools include that include Netscan Pro and Neotrace.

We also Use IDS logs.

With the assistance of our computer forensic expert, the following professionals also assist in the investigation:

Incident team and corporate security,

Security investigator,

Emergency response core team,

Application owner,

Application developer,

System administrator,

Network administrator,

Firewall administrator,

Security consultants,

Document Signed

Forensic Expert of Data Tech Inc. Mr. James Anderson.

1.7. Obtaining and copying an evidence disk drive.

The report identifies that much of the evidence needed to support our forensic investigation is in the disks, hard drives and other storage devices in our systems. We have used forensic tool kits to locate the sample of this evidence. To collect the sample of evidence, our company will need to make the back up of all the data systematically restored. We also make the copy of all the following in the course of our investigation:

We make a copy of all our windows especially the Registry because it contains a wealth of information.

We also make a copy of our password files, the filesystem, and the shell,

We make copy of hard drive as an evidence disk drive,

From the hard drive, we make a copy of restore image and freshly wiped data.

We also make a copy of our operating system logs.

1.8. Analyzing and recovering the digital evidence.

Analysis phase involves gathering all data recovered in a central location for interpretation purpose. The data are recovered from the following:

data files, email, music files, application files,

Internet history files,

Hard disks web activity files, and the analysis of the recovered data revealed that the complete data are restored. The following file are recovered and data inside them are complete:

Serial Number

Files Recovered

Data in the application files are recovered

Operating systems

Hard disk drive

Card reader

Disk storage

USB mass storage device class

Network-attached storage?

Optical computer storage

Punched card?

flash drives smart cards, re-writable CDs and DVDs

1.9. Investigating the Data Recovered

The report uses the FTK recovery application to investigate the data recovered from the target drive. The application displayed the file recovered and the file recovered displayed a complete reconstruction of the data restored. Based on the investigation, it is revealed that there are noticeable evidence of the original file and data recovered. Typically, the structure of the files in the FAT 32 and NFST drives are different from the original data.

Despite the difference in the data structure of the original file and data recovered, the contents of the data are still the same. Thus, our company is able to retrieve all the data, which include:

credit card information of our client,

Bank account number,

Social security number of our client,



Health information,

Telephone number.

1.10. Completing the Case Report

The report carries out the incident response and computer forensic investigation that occurs in our systems. The detailed work carried out is adhered to the rigorous professional practice protocols in digital forensic handling. The forensic computer investigation carried our revealed that our systems are exporting data to a hostile IP address. Upon the investigation, the report has identified that the IP address is owned a company with the objective to carry out the criminal activities. The intension of the owner of the IP address is to steal sensitive information from our systems.

The report has used several forensic tools to stop our systems from exporting data to the hostile IP address, and communicating with the IP address. The AutoShun technology is used to block the IP address from communicating with our systems. Moreover, the report has taken step to recover the data exported to the IP address. Despite that many of the data that have been exported have been deleted from our systems, the report uses different forensic tools to recover the data, and the complete data are recovered.

Thus, the report uses a comprehensive approach to discover the evidence and store the digital evidence to assist our organization to track the criminals. The report also uses a standard digital evidence recovery procedure to restore the lost data exported to the hostile IP address. The evidence of the data captured is…[continue]

Cite This Research Paper:

"Computer Forensic Investigation Making An" (2013, June 26) Retrieved October 22, 2016, from

"Computer Forensic Investigation Making An" 26 June 2013. Web.22 October. 2016. <>

"Computer Forensic Investigation Making An", 26 June 2013, Accessed.22 October. 2016,

Other Documents Pertaining To This Topic

  • Computer Forensics Solving Crimes Using

    Such information is collected using packet sniffers which are programs that can access all information passing through a computer, and not only information particularly sent to the computer. The packet sniffer can either pick all the information, or just selected what is needed, and at the specific time when the information passed through the computer. This is then copied into a given memory. However, for the packet sniffers to

  • Computer Forensics Donning Your Detective

    Specialized forensic tools will be necessary to retrieve and analyze deleted, renamed and encrypted data that search tools will overlook. Further, forensic tools will help with complex information correlation. For example, to construct a timeline of events it may be necessary to tie network log stamps and data together with database access and usage logs. Reporting is the final phase of forensic investigation. Here, the article is weak, only recommending

  • Forensic Tools Computer Based Forensics Tools

    It is thus that technologies which work to yield that crucial data from the memory store of any such device have become so valuable to law enforcement in the age of terrorism. According to the Computer Forensics Tool Testing Program (CFTT), "a cellular forensic tool shall have the ability to logically acquire all application supported data elements present in internal memory without modification" (Ayers, 15) This is to indicate that

  • Forensic Accounting Is a Special Subsection of

    Forensic accounting is a special subsection of accounting that goes beyond the typical job description of an accountant. Forensic accountants use their work in courtroom and other legal settings to help. Their primary roles are litigation support and investigative accounting (Zysman, 2012). To do this, forensic accountants combine accounting, auditing, and investigative skills. However, conducting investigations is only one component of a forensic accountant's job description; they also have to

  • Computer Forensic Evidence

    2005, one file sent by the BTK killer to a Wichita television station led police to investigate Dennis Rader, a church president, and ended the 30-year murder spree of this serial killer. What evidence was pivotal in this case? Computer evidence has become increasingly pivotal in demonstrating the guilt or innocence of a suspect. This has recently been seen in the so-called BTK case. The case is testimony to the

  • Forensics Digital Evidence Forensics and the

    This phase is described by Carrier as the phase where we "...use the evidence that we found and determine what events occurred in the system" (Carrier, 2005). 2.2. The United States Department of Justice's (USDOJ) digital forensic analysis methodology The second methodology under review in this paper has been put forward by the United States Department of Justice. This consists of four basic phases: collection, examination, analysis and reporting (Shin, 2011).

  • Forensics Evidence Elimination Tools the

    DIBS Forensic Workstation - Complete solution for problems faced by investigator of computer crimes; FREDDIE - Forensic recovery of evidence deice diminutive interrogation equipment; EnCASE - Fully integrated forensic application for Windows; and ProDiscover DFT - completely integrated Windows ™ application for the collection, analysis, management and reporting of computer disk evidence. Designed specifically to meet NIST (National Institute of Standards and Technology) standards. (Timberline Technologies, 2005) Harris (2005) states that if anti-forensic

Read Full Research Paper
Copyright 2016 . All Rights Reserved