
FTK (AccessData's Forensic Toolkit) is one of the most widely used tools for examining acquired disk images.

To investigate an image it must first be loaded into FTK. Run FTK as an administrator; because the evidence image has already been acquired, choose "open an existing case" in the prompt screen that appears (Fig 12). FTK then asks the investigator to browse to the location of the image and add it to the case. Before adding it, compare the hash values recorded at acquisition with the hash of the image file being loaded, so that the examination is known to run on an unaltered copy.

Fig 12. FTK: open an existing case

Fig 13. FTK after opening the image file (the overview panel lists the encrypted files found and the deleted files found)

Computer forensics is a broad discipline concerned with crimes committed with or against computers. Various laws have been enacted against such crimes, yet they persist, and offenders are often hard to identify for lack of evidence. The aim of the computer forensic expert is therefore not only to identify the offender but to recover the evidence and present it in a manner that supports legal action against the culprit. Common categories of computer crime include:
- unauthorised use of computers, mainly by stealing a username and password
- accessing the victim's computer over the Internet
- releasing a malicious program such as a virus
- harassment and stalking in cyberspace
- e-mail fraud
- theft of company documents

This case study describes the general approach taken to develop a test methodology for a computer forensic investigator and the rationale behind the analysis procedure. Developing such a methodology is complicated by the lack of standards or specifications describing what a forensic investigator should do, and by the need for the results to survive the scrutiny of a judicial process.

Nature of incident

Bukit Enterprises is a pharmaceutical company that manufactures human vaccines for polio. Jonathan was a research scientist involved in a six-year research project that was finally close to a breakthrough; the research files comprised 270 pages of sensitive formulae. Jonathan fell out with management when Steven, rather than he, was promoted to Senior Scientist. Feeling that all his effort and time had gone unrewarded, he became furious and decided to quit the company, but he did not want to part with the formulae he had developed over six years of work. In a fit of rage he deleted all the critical research documents so that no one could access them.

With today's ever-changing technologies and environments, every organisation will inevitably have to deal with cybercrime, including fraud, insider threat, industrial espionage, theft of company documents and phishing. In addition, government agencies now perform media exploitation to recover key intelligence held on adversary systems. To resolve a case of this kind, an organisation hires digital forensic professionals and calls in cybercrime law enforcement agents to piece together what happened. Once the organisation has engaged forensic professionals, a number of stages must be completed before any act of investigation begins.

Preparation: once legal authority to proceed has been obtained (a warrant where one is required, and the written authorisation of management for company-owned equipment), the forensic professionals prepare the tools, techniques, search warrants, monitoring authorisations and management support needed to identify and acquire the forensic evidence.

Assuming the right to conduct the investigation has been granted, the investigation will be carried out by a team of five forensic professionals and is expected to take about a week to complete the collection of the forensic evidence. Each of the five members is assigned a duty, as follows:

1. Collection and preservation
Collection: the collection stage gathers the evidence identified in the identification stage. Once it has been established that Jonathan committed a digital offence, the next step is to collect the digital information that may be relevant to the investigation. Because digital information is stored on computers, collecting it means either seizing the equipment that holds it or recording the information on some medium. Collection may involve removing personal computers from the scene, copying or printing the contents of files from a server, or recording network traffic.
Preservation: the preservation stage corresponds to "freezing the crime scene". It consists of stopping or preventing any activity that could damage the digital information being collected: keeping people from using the computers during collection, halting any deletion processes still running, and choosing the safest way to collect the information. This matters in particular for deleted files: an ordinary delete removes only the file system's entry for the file, and the data blocks remain on disk until they are overwritten by later activity, so the workstation must be taken out of use as soon as the deletion is discovered. In Jonathan's case, since he was found to have deleted crucial research documents, all related evidence should be preserved so that it can be presented to the management.
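As an added illustration of the preservation step (this code is not part of the original paper): the acquired image is hashed at acquisition, the hashes go into a chain-of-custody record, and every later handling step re-verifies them, so any alteration of the working copy is detected and logged. The image bytes, examiner names and record layout are constructed for the example.

```python
"""Evidence integrity record for the preservation stage (added example).
All image bytes, examiner names and the record layout are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of the whole image. Recording both is the convention
    most imaging tools follow, so the custody record can be compared with
    what the acquisition tool reported."""
    return {
        "md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def record_acquisition(image: bytes, examiner: str, source: str) -> dict:
    """First chain-of-custody entry, written when the image is acquired."""
    return {
        "event": "acquired",
        "source": source,
        "examiner": examiner,
        "size": len(image),
        "hashes": hash_bytes(image),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image: bytes, acquisition: dict) -> bool:
    """True only if the image still matches the acquisition record exactly."""
    return len(image) == acquisition["size"] and hash_bytes(image) == acquisition["hashes"]


def log_event(log: list, event: str, examiner: str, image: bytes, acquisition: dict) -> bool:
    """Re-verify before every handling step and append the outcome to the
    custody log. A failed check is still logged: the break in custody is
    itself something the investigator must account for in the report."""
    ok = verify_image(image, acquisition)
    log.append({
        "event": event,
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "verified": ok,
        "observed_sha256": hashlib.sha256(image).hexdigest(),
    })
    return ok


if __name__ == "__main__":
    # Constructed stand-in for an acquired disk image (hypothetical source name).
    image = bytes(512) + b"%PDF-1.4 sensitive formulae" + bytes(512)
    acquisition = record_acquisition(image, "examiner-1", "research workstation, disk 0")
    custody = [acquisition]
    log_event(custody, "loaded into FTK", "examiner-2", image, acquisition)
    tampered = bytearray(image)
    tampered[600] ^= 0x01                      # a single flipped bit in the working copy
    log_event(custody, "loaded into FTK", "examiner-2", bytes(tampered), acquisition)
    print(json.dumps(custody, indent=2))       # second entry shows "verified": false
```

The second log entry fails verification because one bit of the working copy differs from the acquired image; the size check is kept separately so that a truncated or padded copy is rejected even before hashing.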

2. Examination and analysis
Analysis determines the significance of what was found, reconstructs fragments of data and draws conclusions based on the evidence. Several iterations of examination and analysis may be needed to support a theory of the crime. The distinguishing feature of analysis is that it may not require advanced technical skill, so more people can work on the case.

3. Reconstruction and reporting (presentation)
After the examination and analysis, the investigators must summarise their findings and explain their conclusions. The report should be written in layperson's terms using abstracted terminology, and every abstracted term should reference the specific underlying details. The report is then handed to the management for further action against the person who committed the offence.
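An added example (not from the original paper) of what "reconstruct fragments of data" means in practice for the deleted-files case: because an ordinary delete leaves the file's bytes in unallocated space, a carver can recover them by scanning the raw image for known file headers and footers, without any help from the file system. The signature table is a minimal hypothetical subset, and the raw image is constructed inline; FTK performs the same kind of carving over the full image, and a header whose footer has already been overwritten is reported as a partial recovery rather than silently dropped.

```python
"""Signature-based file carving from unallocated space (added example).
The raw image is constructed below; the signature table is a hypothetical
minimal subset of what a real carver carries."""
import hashlib

# Header/footer pairs. Production carvers (FTK, scalpel, foremost) carry far
# larger tables and per-type size limits; three entries are enough here.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE) -> list:
    """Return carved objects sorted by offset. Each entry records whether a
    footer was found; a header with no footer inside max_size is reported as
    a partial (probably partly overwritten) file, which is still evidence."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            footer_at = image.find(footer, start + len(header), limit)
            if footer_at == -1:
                end, complete = limit, False
                pos = start + len(header)     # keep scanning past this header
            else:
                end, complete = footer_at + len(footer), True
                pos = end
            data = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "length": end - start,
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),  # for the report
                "data": data,
            })
    found.sort(key=lambda r: r["offset"])
    return found


# Constructed sample image: 16 zeroed 512-byte sectors (unallocated space)
# holding a complete PDF, a complete JPEG and a PDF whose tail was overwritten.
SECTOR = 512
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(24) + b"\xff\xd9"
TRUNCATED_PDF = b"%PDF-1.7\n%formula page 1 (tail overwritten)\n"


def build_sample_image() -> bytes:
    img = bytearray(SECTOR * 16)
    for offset, blob in ((1 * SECTOR, SAMPLE_PDF),
                         (5 * SECTOR, SAMPLE_JPEG),
                         (14 * SECTOR, TRUNCATED_PDF)):
        img[offset:offset + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        state = "complete" if r["complete"] else "PARTIAL"
        print(f"{r['type']:5} @ {r['offset']:6d} len={r['length']:5d} "
              f"{state:8} sha256={r['sha256'][:16]}...")
```

Two caveats a practitioner would check before trusting the output: a PDF that has been saved incrementally contains several `%%EOF` markers, so stopping at the first one truncates it, and a JPEG's `FF D9` can occur inside an embedded thumbnail. That is why the carved objects are hashed and kept separately, so the examiner can verify each one opens correctly before it goes into the report.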

VICTIMS
If the data is not retrieved, the firm (Bukit Enterprise) stands to lose a few million in various contracts with its suppliers, because Jonathan's most recent work, which contained the final formula, was not backed up: the enterprise's central backup machine was under repair, so his machine was skipped during the regular backup cycle.

THE CRIMES
The company policy states:
- Hardware, software, Internet access, etc. are to be used for Company business only. Personal use is prohibited.
- All files should be stored in designated directories; network users should store files on network drives to ensure backups and access from other stations if their computer is down.
- All information, including email, created or stored on Company equipment or using Company accounts, is the property of Bukit Enterprise.

It is clear that by deleting files belonging to a sensitive project initiated by the company, Jonathan violated company policy and should be prosecuted for misconduct in connection with his job. According to the Virginia Supreme Court, an employee is guilty of misconduct when he deliberately violates a company rule reasonably designed to protect the legitimate business interests of his employer. As in Jonathan's case, many reports find that employees commit computer crimes because they feel the company owes them something, just as Jonathan felt he deserved the promotion. This is also supported by Clarke and Cornish (2000), whose Rational Choice Perspective assumes that crimes are deliberate and purposive: those who commit crimes do so intending to derive some type of benefit from the act.

RECOMMENDED TOOLS
Mohay, G. et al. (1998) noted that the growth of the data recovery and electronic evidence discovery industries has been accompanied by similarly strong growth in the number of computer forensic tools available and in use. More importantly, there has been a trend towards sophisticated tools or integrated packages that perform a greater range of forensic functions.

Conclusion
The aim of this paper is to establish a clear guideline of what steps should be followed in a forensic process. These steps, in turn, should enable us to clearly define a framework that can be used in a forensic investigation. A study of previously proposed frameworks revealed that a number of steps or phases overlapped one another and that the difference was mainly one of terminology. No new steps were added in the framework proposed in this paper. Instead, similar tasks were grouped into the stages required by a forensic investigation. The stages required are preparation, investigation and presentation. This framework can easily be expanded to include any number of additional phases required in the future. It is, however, important to note that there are several levels of abstraction in the process. Nonetheless, two requirements were identified as needed at every level: the legal requirements of a specific system and documentation of all the steps taken.

Reference
http://www.computerforensics1.com/
Vacca, J. R.: Computer Forensics: Computer Crime Scene Investigation, Volume 1, 2005.
Carrier, B. and Spafford, E. H.: Getting Physical with the Investigation Process. International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2, 2003.
Casey, E.: Digital Evidence and Computer Crime, 2nd Edition, Elsevier Academic Press, 2004.
National Institute of Justice: Results from Tools and Technologies Working Group, Governors Summit on Cybercrime and Cyberterrorism, Princeton NJ, 2002.
Reith, M., Carr, C. and Gunsch, G.: An Examination of Digital Forensic Models. International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3, 2002.
Ciardhuin, S. O.: An Extended Model of Cybercrime Investigations. International Journal of Digital Evidence, Summer 2004, Volume 3, Issue 1, 2004.
Van Solms, S. H. and Lourens, C. P.: A Control Framework for Digital Forensics, IFIP 11.9, 2006.