Summary: The Investigation team has been able to detect and collect few pieces of evidence on which they would be able to find out the suspect of series of kidnappings happened lately. The international stuffed slave market has become the main source where all the illegal activities been taking up. The Toy story Investigation Response (TSIR) team has finally recorded all the evidence. The TSPD has collected few items from the suspect to which he claimed he is innocent. The possible objectives are the data which was stored and what data were stored in the Hard drive of the computer, also the registry and the browser history and files for which the data can collect of the last few days. The Investigation team can determine the suspicious activities by logging into the data and decoding the files by inserting commands that will give the exact information loaded into them. The TSIR team can investigate all the data which would help them more and will help them in reaching to the main suspect behind this kidnapping. Sherriff Woody has made the list of all possible suspects and is collecting data. The Investigation will clarify if the suspect they have detained is the main culprit behind it or other sources are also there which has been working on his system in his absence. The software which the investigation team has developed will be able to detect all the files and folders stored in the disks and registry that relates to the current event. The team requires tools to generate the metadata should have TSK( The Sleuth Kit) File system that would help to investigate metadata. The management system of TSK The TSK organizes the information in the database system in the 5 different classes: Data Unit, File System, Metadata, the name of File and the application of it. This chain stores all information such as recent access information of items required authorization and pointers to the information data that associated with the file directory of the system. The description of the file can be easily obtained but difficult to memorize the numeric code of it. Therefore, all the directory information which has been done in the system is stored and can be taken out with the help of TSK system. The Deleted files can be restored using the same tool which is advanced in retrieving information i.e. all the previously mentioned techniques can be merged alone by the TSK System. The System will detect all the directories and will flash all the names it detected. It will not display those names that are unallocated or marked unallocated even if they are and will hide them. The unallocated entries can be detected by FLS by scraping into the MFT that points back into the directory. It will be easier to explain and detect the files which were deleted and how they were displayed in data system of MFT. It is very easy to tell the difference between the files that were deleted because the files that were recovered from MFT shows a “-” sign in their name such as -/ab than ab/ab. The file carving of the fragmented file can be done by using the tool Scalpel. Based on the data fragment types or data file prototype, the operations are performed by Scalpel. These prototypes are based on general expressions and binary strings. Various default prototypes are stored in the configuration file which is stored in “scalpel.conf”. Scalpel supports the comments in the configuration file which is used to explain the structure of file carving prototypes. All information is extracted by the carver which reads data from header and footer which then match all raw files, images etc. It can easily carve all files types like NTFS, FATx or raw partitions as well. All kinds of services like file recovering or even investigation can be easily performed by the scalpel. Firefox SQLite Manager Addon can easily detect all those sites which have been used regularly without being informed by the actual user and can show all details loaded on the screen. It will inform the investigator about how many files were accidentally opened or casually opened. History file will also be detected during the same time. The intent and the frequency of the data searched will get loaded into it verifying the intent or the purpose from the history of the browser. Regripper is the tool that will help in identifying the registry information Win32R which is registry component which is used to access the registry information. This operation is done in an object-oriented manner. The Registry key nodes within the hive file can be detected including the data and value node as well. The last name can be easily retrieved by the key node access, and it enables after parsing it to an investigator in the easiest form to understand it. The best feature of this is that it enables the function and passes reports in a readable manner to understand easily. Wireshark has the immense good role in identifying activities inside the system. In the detection data such as emails and links inside them are generated by this system which could become the potential evidence for the digital forensics team. No one can be able to cheat ever by fraud like stealing someone’s connection by malfunctioning their IP address. The activities of a person can be easily detected by using Wireshark, it enables to detect IP and MAC addresses as well as any suspicious person. It will help in restoring all the information behind the screen such as emails and links that were used and deleted. The power of Wireshark can be enhanced by using tools like aircrack_ng which is used to examine the wireless network’s traffic, this enables Wireshark a powerful tool.