Advanced digital investigation techniques and tools

Expert Witness Statement

This statement (consisting of 11 pages) is true to the best of my knowledge, and it has been produced in the knowledge that, if it is tendered in evidence, I shall be liable to prosecution if I have stated anything within this document that is false or that I do not believe to be true. I also confirm that this document has been prepared in accordance with the Code of Guidance on Expert Evidence.


Currently undertaking a degree in Computer Forensics at Glamorgan University. Has been in the field of computing for over 10 years. Very self-motivated, with personal experience in all aspects of computing. Able to use own initiative and to work within a team. Also an effective communicator.

Qualifications and Education

2007-Current      University of Glamorgan
                  BSc Computer Forensics
                  Cryptography, Programming, Forensics Investigation, Forensics Evidential Practice, Computer and the Law, Criminology

2005-2007         Swansea Institute
                  HND Computing                          Grade: Pass
                  System Analysis and Design, Web Design, Object Orientated Programming.

2003-2004         Queen Elizabeth Maridunum Secondary School
                  A Level
                  Computing                              Grade: D

2002-2003         AS Level
                  Computing                              Grade: B
                  ICT                                    Grade: E

                  Mathematics                            Grade: C
                  English Literature                     Grade: C
                  English Language                       Grade: B
                  DT Systems and Control                 Grade: D
                  Business Studies                       Grade: C
                  Welsh                                  Grade: D
                  History                                Grade: E
                  Science Double Award                   Grade: CC


In addition to studying Computing, has been working with the same company, 1st KMH Computers, for over 10 years, which shows commitment. Through this work has learned all areas of computing, including networking, the repair and building of both laptops and personal computers, web design, CCTV and IP cameras.



I have been instructed by the South Wales Police, as a private contractor, "to analyse the suspect's system for evidence that the owner of the system has attacked and penetrated BO's systems." I will do this while maintaining the chain of evidence and by using specific tools and items of software.


The Curriculum Vitae shown above is that of Robert Mudd. I have gained a fantastic understanding of and experience with forensics and digital evidence from being in the field of computing for over 10 years and from pursuing a degree in Computer Forensics. My placements with companies that operate in the field of computing have also built my confidence and knowledge. Furthermore, a course in Excellence in Written Evidence has improved my ability to present information clearly and professionally within the guidelines and codes of practice.

As stated above, a thorough analysis of the supplied "image" will be undertaken. This comprehensive examination is not carried out on the original hard drive, in order to preserve the integrity of the original evidence, as the following statement from the Association of Chief Police Officers (ACPO) guide makes clear:

"No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" - The ACPO Good Practice Guide for Computer-Based Electronic Evidence.

Chain of Evidence Issues

Acquiring the Evidence

On 4 December 2009, my colleagues and I were given an assignment to carry out on behalf of the South Wales Police. The following steps were taken as a precaution so as not to compromise the integrity of the evidence.

Firstly, after signing the evidence out, the hard drive that had been confiscated by the police was connected to a write blocker using a standard IDE lead and a four-pin power cable. Connecting the drive through a write blocker prevents any information being written to it, and so prevents the evidence being altered.

Next, an exact image of the hard drive was created, and this image was used to carry out the investigation. Using FTK Imager 2.7.0 and the items mentioned above, we were able to create the image that was needed; the type of file created by FTK Imager is .E01. Once this procedure had been completed, we were able to copy, alter and move the image in any way required.

The image was then opened in Forensic Toolkit 1.81, which allows the user to carry out searches and explore the image of the hard drive. Using this software, the integrity of the evidence remains intact, as the original hard drive is never tampered with. To guarantee this, after the drive is signed back over to the police it is placed in a fireproof box which is locked with a key and to which only a minimal number of people have access.
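The write blocker and the imaging step do not by themselves prove that the image matches the drive, or that the working copy has not changed since. The check a practitioner wants is a hash taken while the drive is read, kept with the image, and re-checked every time the image is copied, mounted or scanned (FTK Imager records such hashes inside the .E01 container). The following is an added example and not code from this statement or from AccessData's tools: a raw, dd-style acquisition in Python that hashes the bytes as they are read, plus a verification routine, exercised against a constructed sample "drive". The file names and sample content are made up for the example.

```python
import hashlib
import os
import tempfile

# Algorithms recorded at acquisition. MD5 is what E01 containers of this era
# store; SHA-256 is recorded alongside it because MD5 collisions are practical.
ALGORITHMS = ("md5", "sha256")
CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat for multi-GB devices


def _new_hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def acquire_image(source_path, image_path, algorithms=ALGORITHMS):
    """Bit-for-bit raw copy of the source into image_path, hashing every byte
    as it is read. Returns the acquisition hashes {algorithm: hexdigest}.

    The source is opened read-only, which is the software-level counterpart of
    the hardware write blocker; it does not replace one, because the operating
    system may touch an attached disk (e.g. journal replay) before any tool
    opens it.
    """
    hashers = _new_hashers(algorithms)
    fd = os.open(source_path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK_SIZE)
            if not chunk:
                break
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Hash an existing file with the same chunked scheme used at acquisition."""
    hashers = _new_hashers(algorithms)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare it with the acquisition record.

    Returns (ok, mismatches) where mismatches maps algorithm -> (expected, actual).
    Run this after every operation that handles the image file (copying it,
    mounting it with a tool such as Mount Image Pro, scanning it with
    anti-virus) so that any write to the working copy is detected and recorded.
    """
    actual = hash_file(image_path, tuple(acquisition_hashes))
    mismatches = {
        name: (expected, actual[name])
        for name, expected in acquisition_hashes.items()
        if actual[name] != expected
    }
    return not mismatches, mismatches


def demo():
    """Constructed sample: a small file stands in for the suspect's disk.
    Returns (verified_after_acquisition, verified_after_a_single_byte_change)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive.bin")  # stands in for /dev/sdX
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(source, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample content" + b"\x00" * 4096)

        record = acquire_image(source, image)
        ok_clean, _ = verify_image(image, record)

        # Simulate the image being touched after acquisition (for instance
        # mounted read-write): a single changed byte must be caught.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"C")
        ok_tampered, _ = verify_image(image, record)
        return ok_clean, ok_tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("verified after acquisition:", clean)     # True
    print("verified after tampering:", tampered)    # False
```

The acquisition hash is taken from the same bytes that are written to the image, so it documents the source at the moment it was read; the later `verify_image` calls document that the working copy has not drifted from it.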

As mentioned above, Forensic Toolkit 1.81 was used to carry out the investigation, and the findings are as follows:

Information of Evidential Value on the Computer

Once the E01 image was loaded into Forensic Toolkit 1.81 it was expanded to its original size of 20GB. The number of items in question, over 95,000, of which 15,906 were actual files, was the most I have personally processed. After quickly browsing through the image, a number of files were flagged as suspicious; more will be said about them later in this report.

The next step was to apply specific tools, one of which is data carving, which is built in to FTK 1.81. Data carving is described as a "technique used in the field of Computer Forensics when data can not be identified or extracted from media by "normal" means due to the fact that the desired data no longer has file system allocation information available" (Dickerman, July 2006).

Data carving recovered images, Adobe Acrobat (PDF) documents, Hypertext Markup Language (HTML) files, instant-messenger buddy lists and office documents. This produced a large number of additional files, bringing the total to 99,442, but none were particularly suspicious; they were mainly just pictures and so forth.
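As an added example of the technique Dickerman describes (not code from this statement or from FTK, whose carver uses a far larger signature table), the Python below carves JPEG, PNG and PDF objects out of a constructed run of unallocated bytes purely from header and footer signatures, with no file-system metadata to rely on. It also handles two cases that trip up naive carvers: a PDF whose incremental saves leave several %%EOF markers, and a file whose footer has been overwritten. The signature bytes are the real magic values; the size caps and the sample data are constructed for the example.

```python
import os
import sys

# Header/footer signatures. The byte strings are the real magic values; the
# size caps are arbitrary choices for this example. Production carvers (FTK's
# included) carry far larger tables and format-aware parsers.
SIGNATURES = {
    # JPEG: SOI marker ... EOI marker. A first-footer rule truncates JPEGs that
    # embed an EXIF thumbnail (a nested SOI/EOI pair); noted, not handled here.
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9",
            "last_footer": False, "max_len": 8 * 1024 * 1024},
    # PNG: fixed 8-byte signature ... IEND chunk (zero length + type + CRC).
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"\x00\x00\x00\x00IEND\xaeB`\x82",
            "last_footer": False, "max_len": 8 * 1024 * 1024},
    # PDF: incremental saves append further trailer/%%EOF sections, so the
    # object ends at the LAST %%EOF before the next PDF header or the cap.
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF",
            "last_footer": True, "max_len": 32 * 1024 * 1024},
}


def carve(data, signatures=SIGNATURES):
    """Signature-based carving over raw bytes that carry no allocation information.

    Returns dicts sorted by offset: type, offset, length, complete, data.
    'complete' is False when no footer was found; the object is then cut at the
    next header of the same type or at the size cap and must be treated as a
    fragment. Header bytes that occur inside other files produce the false
    positives carving is known for, so every hit still has to be opened and checked.
    """
    results = []
    for kind, sig in signatures.items():
        header, footer = sig["header"], sig["footer"]
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            body = start + len(header)
            limit = min(len(data), start + sig["max_len"])
            next_header = data.find(header, body)
            if next_header != -1:
                limit = min(limit, next_header)
            if sig["last_footer"]:
                hit = data.rfind(footer, body, limit)
            else:
                hit = data.find(footer, body, limit)
            if hit == -1:
                end, complete = limit, False
            else:
                end, complete = hit + len(footer), True
            results.append({"type": kind, "offset": start, "length": end - start,
                            "complete": complete, "data": data[start:end]})
            pos = end
    return sorted(results, key=lambda r: r["offset"])


def summarize(results):
    """Compact (type, offset, length, complete) view of carve() output."""
    return [(r["type"], r["offset"], r["length"], r["complete"]) for r in results]


def write_carved(results, out_dir):
    """Write each carved object as <offset>.<type>, marking fragments .partial."""
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for r in results:
        name = f"{r['offset']:012d}.{r['type']}" + ("" if r["complete"] else ".partial")
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(r["data"])
        names.append(name)
    return names


def build_sample_unallocated():
    """Constructed stand-in for unallocated clusters: zero filler around the
    contents of deleted files that no directory entry points at any more."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200 + b"\xff\xd9"
    pdf = (b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"  # original save
           b"2 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n")            # incremental update
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    truncated_jpg = b"\xff\xd8\xff\xe1" + b"\x33" * 64  # its EOI marker was overwritten
    filler = b"\x00" * 512
    return filler + jpg + filler + pdf + filler + png + filler + truncated_jpg


if __name__ == "__main__":
    # Usage: python carve.py <raw image or unallocated dump> <output dir>
    # With no arguments the constructed sample is carved instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()  # adequate for a dump; stream in windows for a whole disk
        print(write_carved(carve(raw), sys.argv[2]))
    else:
        for kind, offset, length, complete in summarize(carve(build_sample_unallocated())):
            print(kind, offset, length, "complete" if complete else "FRAGMENT")
```

On the sample, the carver returns the complete JPEG, the PDF with both %%EOF markers intact, the PNG, and the footerless JPEG reported as a fragment rather than silently swallowed or dropped; the fragment flag is what tells the examiner which carved files need to be treated with caution before they are relied upon.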

Indexed searching was the next step. Because the company is known as Board Optimisation Ltd (BO), the first search carried out was on the phrase "BO", which produced 1240 results. Many of the files were not relevant, being OpenOffice and program information files. Something suspicious within the results was the browsing history within Mozilla Firefox: it seemed the user in question did a lot of research on software cracking, burning software and hacking tools. Appendix A shows the location of this file. One particular file name that came up was the "Back Orifice" program. Research shows that Back Orifice, or BO, which is coincidentally the same abbreviation as the company's name, is a computer program designed for remote administration of Microsoft Windows operating systems. This item of software, and many others, were found within the image.

Because Back Orifice appears in several locations on the image, another indexed search was carried out on the phrase "Back Orifice", which produced 226 results. One result that was flagged was within the "uni cw" folder: a Word document called hackingstuff.doc. Appendix B is the document mentioned.

The next step was to explore the image for anything suspicious. Within the "orphan" folder of the image there are two files of significance to the investigation. The first is an email in a text file called "Bob.txt". Appendix C is the email mentioned.

From this email it is possible that the user of the attacked computer in question is Robert Cash. The second file is a design for a PCB, which could possibly be one of the files in question that was intercepted. Appendix D is the picture of the PCB.

The final step was to use a program known as Mount Image Pro so that the image could be scanned for viruses. Mount Image Pro allows the image to be "mounted" as another hard drive, allowing the data to be manipulated directly. As mentioned above, this does not interfere with the chain of evidence. Appendix E shows the results of the virus scan using the AVG virus scanner. As can be seen from the results, six viruses are present on the computer in question, including "bodrive.sys", which is a mutation of Back Orifice.

Within the My Documents folder of the Administrator account there are many suspicious items relevant to hacking, including game cracks, downloads of certain tools and the coursework file mentioned above (Appendix B). Appendix F is a screenshot of the location and the files it contains. Within the Downloads folder are many versions of Back Orifice. Appendix G is a screenshot of the location.

Discussion and Expert Opinion

From the research that has been carried out, the circumstances of the intrusion are unclear. There is a large amount of evidence to show that the system in question has been attacked and breached, but the main question is: for how long? The "orphan" folder within FTK has Ignorable status, which the manual defines as files that have a KFF Ignorable hash, are duplicate files, or have been marked ignorable. This could possibly indicate that Ashley Lewis was using Robert Cash's computer within Board Optimisation as a storage system or as a test subject for hacking. This assumption is based mainly on the fact that there are many suspicious items within this particular folder. Also, some of the files created within the folder were present almost a year before the intrusion was reported. Appendix D, the new board design for the Game girl console, is present along with an email between Robert Cash and Anthony Brush discussing the board. Appendix E also shows many viruses or back-door hacking tools present on the system, which could allow someone to gain access at any time.


References

AccessData, Forensic Toolkit User Manual.

Dickerman, D. (July 2006), Advanced Data Carving.

ACPO, The ACPO Good Practice Guide for Computer-Based Electronic Evidence.
