Page 1: 10137743 Computer Forensics Assignment 2

Computer Forensics CSG4106
Assignment 2

Amit Sharma
10137743
Master of Computer and Network Security

2010

Submitted to: Peter Hannay, Krishnun


Contents

Executive Summary ... 3
Tools Used For Analysing the Image ... 4
Chain of Custody ... 5
Running Sheet ... 7
End of Part 1 (Running Sheet) ... 18
Report on Findings ... 19
All evidence images searched and collected from C:\ ... 19
All findings of .bmp images under C:/ ... 20
All findings of .gif images under C:/ ... 20
All findings of .jpg images under C:/ ... 21
All findings for the .mp4 video file under C:/ ... 23
All findings for the .doc files under C:/ ... 23
All findings for the .rar files under C:/ ... 24
All findings for the .zip files under C:/ ... 25
All findings for the .exe files under C:/ ... 26
All findings for the .htm files under C:/ ... 27
End of Report Findings ... 27
Investigation Process ... 28
Investigation Findings ... 30
Conclusion ... 39

10137743, Amit Sharma


Executive Summary

The main objective of this report is to explain all the procedures and methods used in the computer forensics investigation of the given image, Assignment2.dd. The main job is to find the Meerkat images, which are strictly forbidden.

We have been contacted by a corporate client who has asked us to examine an image they made of an employee's computer system. The employee is suspected of accessing images of Meerkats, which are strictly prohibited under the terms of use the employee has signed and which, in the particular jurisdiction, may be against the law.

We assume that the seizure was done properly on site and that all the relevant procedures were followed. We also assume that the CAINE virtual machine, including all its tools, was already installed successfully on the host1 computer system used to investigate the image Assignment2.dd. All the investigation was done in the CAINE VMware virtual machine.

All the investigation was done by AMIT SHARMA on 2010-05-18. The image to be investigated was downloaded from the Edith Cowan University (ECU, Mt Lawley) computer system. The downloaded image was named Assignment2, and all investigation was made on this image, "Assignment2". After investigating Assignment2, various images including Meerkat images, doc files, mp4 and avi video files and zip files were obtained. Hash functions were used carefully to check that every found image remains the same and to maintain the integrity of the found images.

This document is divided into two parts:

The first part is the Running Sheet, which includes the chain of custody, the log of events and what/how/where was done during the forensic investigation.

The second part shows all the findings (images, document files and videos).


Tools Used For Analysing the Image

Forensics O.S: Caine 4.03
Forensics Software: Autopsy, SDDUMPER
Virtual Machine: VMware Products 3.0.1
Hardware Used: Lenovo S10e
RAM: 1 GB
Hard Disk: 40 GB
Processor: 1.60 GHz
Host Operating System: Microsoft Windows XP Home Edition with Service Pack 3, Version 2002
Documenting Application: Microsoft Word 2007
Other Hardware Used: USB 2.0 Thumb Drive, Kingston 8 GB
Functions used to check integrity: MD5, SHA1


Chain of Custody

Submitting Activity

[ ] Evidence Description: Employee has been suspected of accessing images of Meerkats which are strictly forbidden.
[ ] Evidence Collected From: Peter Hannay (Name of the Investigation Head)
[ ] Evidence Collected By: Amit Sharma (Name of the investigator)

Name of the Case: Assgnmnt2
Email Id of the Investigator: [email protected]
Location from which Image obtained: Edith Cowan University, Blackboard
Access Place: ECU, Forensic Lab
Name of the Image: Assignment2.dd
Date Started: 2010-04-20
Time: 5:17:24 PM
Name of Person Collecting Report: Peter Hannay and Krishnun

For Forensics Department Only

Go to Next Page for additional Chain of Custody blanks


Chain of Custody Continued

Finish Date & Time: 2010-04-23, 5:35 PM

Document Released By: Initial A; Name, Title: Amit Sharma, Mr
Document Received By: Initial P; Name, Title: Peter Hannay, Mr
Purpose for Chain of Custody: To depict all the relevant information related to the forensic investigation.

Final Disposal Action:

Witness of Evidence

The documents listed above were made by the evidence custodian, in presence, on the date indicated above.

Name, Title | Initial | Name as Signature
Vikas Sharma, Mr | I |
Srinivas Reddy, Mr | S |

I, AMIT SHARMA, hereby declare that the above given information is correct to the best of my knowledge and belief.

Amit Sharma
10137743


Running Sheet (Log of Events)

Sheet Number 1
Date & Day: 20-04-2010, Tuesday

Date | Time | Action | Motive behind taking action | Action Taken By | Signature
20-April-10 | 5:17:24 PM | Download Assignment2.dd image file from ECU website i.e. https://software.scss.ecu.edu.au/units/CSG2305/Assignment2/dd/ | To start the investigation and to analyse the given image. | Amit | A
20-April-10 | 5:52:13 PM | Hash function is used on the image i.e. Assignment2.dd. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53 | To maintain the integrity of the image. | Amit | A
20-May-10 | 5:55:20 PM | Create folder named 'investigation' in the caine. | To save the Assignment2.dd file in the folder. | Amit | A
20-May-10 | 5:58:36 PM | Mount the image and copy Assignment2.dd image file to virtual machine i.e. VMware, Caine: mount /dev/sdc1 Assignment2 | To start mounting and analysing the files from the Assignment2.dd | Amit | A
20-May-10 | 6:03:07 PM | Again, hash function is used on the copied image in the virtual machine. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53. Both hash values are the same. Integrity maintained. | To check the Assignment2.dd is not compromised while copying into the virtual machine. | Amit | A

Continued Sheet 1

20-May-10 | 6:05:52 PM | Start Autopsy | To browse the image in the autopsy. | Amit | A
20-May-10 | 6:06:11 PM | Open new case in the Autopsy named Assgnmnt2. | Giving the name of the case for investigating. | Amit | A
20-May-10 | 6:06:24 PM | Add host in the autopsy named host1. | Name of the computer | Amit | A
20-May-10 | 6:08:11 PM | Browsed the image 'Assignment2.dd' and added it into the autopsy. | To know the path of the image and link it with autopsy. | Amit | A
20-May-10 | 6:10:34 PM | Rehash the browsed image in the autopsy. Same hash value. Integrity maintained. | To maintain the integrity. | Amit | A
20-May-10 | 6:13:22 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
20-May-10 | 6:19:14 PM | Unmount the images | To close the autopsy and to maintain the image file in the original state | |

Sheet Number 2
Date & Day: 22-04-2010, Thursday

Date | Time | Action | Motive behind taking action | Action Taken By | Signature
22-April-10 | 9:17:54 AM | Start caine, mount the image again and start autopsy. | To start analysing the image. | Amit | A
22-April-10 | 9:19:24 AM | Choose sorter files by type from the analysis in the autopsy. | To identify the files and images | Amit | A
22-April-10 | 9:20:12 AM | Open the output directory under autopsy. All the identified files can be viewed under the given path i.e. "/var/lib/autopsy/Meerkat_Investigation/host1/output/sorter-vol1/index.html" | To check the identified files | Amit | A
22-April-10 | 9:20:44 AM | Analyse the file by clicking on File Analysis | It is used to check and recover the deleted files. | Amit | A
22-April-10 | 9:21:14 AM | Search for any file type such as .jpeg, .gif, .bmp, .doc etc | To check whether any meerkat images are available or not. | Amit | A
22-April-10 | 9:24:33 AM | Typed ".gif" in the file name search to find any file or document whose extension is .gif. | To find and examine all .gif files and images. | Amit | A
22-April-10 | 9:25:25 AM | One image found named "jewel.gif". Used hash function on it. MD5 - bbdc61bcb09b70a92e2421aa3097afa7; SHA1 - f395a98bd52754562f1b513298e3547e6566baed | To maintain the integrity of the found image i.e. jewel.gif. | Amit | A

Continued Sheet 2

22-April-10 | 9:28:53 AM | Typed ".bmp" in the file name search to find any file or document whose extension is .bmp. | To find and examine all .bmp files and images. | Amit | A
22-April-10 | 9:29:17 AM | One image found named "Internet_Explorer_Wallpaper.bmp". Used hash function on it. MD5 - 228f497c6e699de6df00387715441a1f; SHA1 - 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | To maintain the integrity of the found image i.e. "15348-CHANGENAME_Internet_Explorer_Wallpaper.bmp". | Amit | A
22-April-10 | 9:30:31 AM | Typed ".jpeg" in the file name search to find any file or document whose extension is .jpeg. | To find and examine all .jpeg files and images. | Amit | A
22-April-10 | 9:37:44 AM | Image found named "180px-Meerkats_foraging[1].jpg". Used hash function on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image i.e. 180px-Meerkats_foraging[1].jpg. | Amit | A
22-April-10 | 9:42:20 AM | Image found named "180px-Suricata[1].jpg". Used hash function on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image i.e. 180px-Suricata[1].jpg. | Amit | A

Continued Sheet 2

22-April-10 | 9:50:59 AM | Image found named "GetAttachment[1].jpg". Used hash function on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image i.e. GetAttachment[1].jpg. | Amit | A
22-April-10 | 10:02:04 AM | Image found named "images[1].jpg". Used hash function on it. MD5 - 3d98cd156195e02c58f4ce238689120b; SHA1 - 76afa691556abed61c25651c896943d2e279a7ab | To maintain the integrity of the found image i.e. image[1].jpg. | Amit | A
22-April-10 | 10:07:41 AM | Image found named "250px Suricata.suricatta.6861[1].jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 250px Suricata.suricatta.6861[1].jpg | Amit | A
22-April-10 | 10:09:22 AM | Image found named "meerkats53[1].jpg". Hash function used on it. MD5 - 0f1984f5d17741e513b1bd5449fe076c; SHA1 - 1109b6d97e4c340744e7158de34b1f2fc9e65bef | To maintain the integrity of the found image i.e. meerkats53[1].jpg | Amit | A

Continued Sheet 2

22-April-10 | 10:18:24 AM | Image found named "180px-Meerkats_foraging.JPG". Hash function used on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image i.e. 180px-Meerkats_foraging.JPG | Amit | A
22-April-10 | 10:23:11 AM | Image found named "180px-Suricata.jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 180px-Suricata.jpg | Amit | A
22-April-10 | 10:26:24 AM | Image found named "250px-Suricata.jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 250px-Suricata.jpg | Amit | A
22-April-10 | 10:44:00 AM | Image found named "meerkats-6.jpg". Hash function used on it. MD5 - 08caf56c034c44487a60305cd71bdf6b; SHA1 - 849ff18b9a173455e5713bcf1719967592045c11 | To maintain the integrity of the found image i.e. meerkats-6.jpg | Amit | A

Continued Sheet 2

22-April-10 | 10:51:46 AM | Image found named "Loopy.jpg". Hash function used on it. MD5 - 7921a439afdf3385bca2bd46fa0dadc9; SHA1 - ac5e6412a42e4a05306c4a247ca6f68a5462642a | To maintain the integrity of the found image i.e. Loopy.jpg | Amit | A
22-April-10 | 11:01:04 AM | Typed ".zip" in the file name search to find any file or document whose extension is .zip. | To find and examine all .zip files and images. | Amit | A
22-April-10 | 11:05:20 AM | File found named "Data.zip" which contains pictures of meerkats. Hash function used on it. MD5 - da68930452efa3758db386ff380f990a; SHA1 - 27a5460741ab235f8d86644ea9914a8d5c7eadb6 | To maintain the integrity of the found image file i.e. Data.zip | Amit | A
22-April-10 | 11:13:39 AM | Image found named "Meerkats 09.jpg". Hash function used on it. MD5 - e9a9fa7a8f32111ec0e5385c47e099a8; SHA1 - 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | To maintain the integrity of the found image file i.e. Meerkats 09.jpg | Amit | A
22-April-10 | 11:15:51 AM | Image found named "Meerkats-8.jpg". Hash function used on it. MD5 - 889cdb2d2e952e7d481321a41222dea6; SHA1 - 2109aba9a0c807af9591d52c9a9e15d64e43828b | To maintain the integrity of the found image file i.e. Meerkats-8.jpg | Amit | A

Continued Sheet 2

22-April-10 | 11:29:14 AM | Image found named "meerkats.jpg". Hash function used on it. MD5 - 17510ee5a8df2eb5dc8e3d5141edc34d; SHA1 - 64b318255009d5e964cf0cfb999d1e9dc8514999 | To maintain the integrity of the found image file i.e. meerkats.jpg | Amit | A
22-April-10 | 11:41:37 AM | Typed ".mp4" in the file name search to find any file or document whose extension is .mp4. | To find and examine all .mp4 files and images. | Amit | A
22-April-10 | 11:52:32 AM | Video file found named "60d80dd5032499bd4.mp4". Hash function used on it. MD5 - fdfb448514f5ed679951aee278ddae0d; SHA1 - c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | To maintain the integrity of the found mp4 video file i.e. 60d80dd5032499bd4.mp4 | Amit | A
22-April-10 | 12:17:23 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
22-April-10 | 12:19:08 PM | Unmount the images | To maintain the image file in the original state | Amit | A
22-April-10 | 12:20:26 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check integrity of the image. | |

Sheet Number 3
Date & Day: 25-04-2010, Sunday

Date | Time | Action | Motive behind taking action | Action Taken By | Signature
23-April-10 | 9:19:04 PM | Start caine, mount the image. | To start analysing the image. | Amit | A
23-April-10 | 9:20:21 PM | Hash the images again to check the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check integrity of the image. | Amit | A
23-April-10 | 9:20:57 PM | Start autopsy | To analyse the image again. | Amit | A
23-April-10 | 9:26:56 PM | Typed ".rar" in the file name search to find any file or document whose extension is .rar. | To find and examine all .rar files and images. | Amit | A
23-April-10 | 9:27:44 PM | File found named "Mystery.rar". Hash function used on it. MD5: 056c1a5d3f9d3b9e26064587000a28ca; SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found file i.e. Mystery.rar | Amit | A
23-April-10 | 9:33:44 PM | Image found named "meerkats_1024-8.jpg". Hash function used on it. MD5 - 511d2036c3ad7aa66d82596c30cfa3a7; SHA1 - 11d2036c3ad7aa66d82596c30cfa3a7 | To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg | Amit | A

Continued Sheet 3

23-April-10 | 9:40:44 PM | Image found named "meerkats_13sfw.jpg". Hash function used on it. MD5 - d60a937985cc63d2806a99d33ca252c2; SHA1 - 1ce064b8352ee2596000a08085ece08223b6e399 | To maintain the integrity of the found image file i.e. meerkats_13sfw.jpg | Amit | A
23-April-10 | 9:44:17 PM | Image found named "meerkats_1024-8.jpg". Hash function used on it. MD5 - ea2c53f3ddae1e8816d2f1d0b91776ae; SHA1 - 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg | Amit | A
23-April-10 | 9:47:14 PM | Typed ".htm" in the file name search to find any file or document whose extension is .htm. | To find and examine all .htm files and images. | Amit | A
23-April-10 | 9:53:06 PM | File found named "Dc5.htm". Hash function used on it. MD5 - 7424d54a59969623d2498633ea1c0687; SHA1 - da6fd25750279ec316bf0aa4d1ead3b263e9771c | To maintain the integrity of the found file i.e. Dc5.htm | Amit | A
23-April-10 | 10:10:24 PM | Typed ".exe" in the file name search to find any file or document whose extension is .exe. | To search for .exe files and images. | Amit | A
23-April-10 | 10:13:51 PM | File found named "Bo2k.exe". Hash function used on it. MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f; SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63 | To maintain the integrity of the found executable file i.e. Bo2k.exe | Amit | A

Continued Sheet 3

23-April-10 | 10:15:02 PM | Typed ".doc" in the file name search to find any file or document whose extension is .doc. | To find and examine all .doc files and images. | Amit | A
23-April-10 | 10:20:47 PM | File found named "arrow.doc". Hash function used on it. MD5 - 58def2449ed44b627b527b53ad42cf25; SHA1 - eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | To maintain the integrity of the found document file i.e. arrow.doc | Amit | A
23-April-10 | 10:27:29 PM | File found named "EBook 0Z 02.doc". Hash function used on it. MD5 - 5a4b3c21d3f6eb8d349a87229aae14c2; SHA1 - cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | To maintain the integrity of the found document file i.e. EBook 0Z 02.doc | Amit | A
23-April-10 | 10:33:19 PM | File found named "meerkats in EBook of The Prince.doc". Hash function used on it. MD5 - fa836b1b27514a4805c5e551398b17e4; SHA1 - d1e69f0962044748bc487b1b0ebc5104838512c7 | To maintain the integrity of the found document file i.e. meerkats in EBook of The Prince.doc | Amit | A
23-April-10 | 10:47:54 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
23-April-10 | 10:50:34 PM | Unmount the images | To maintain the image file in the original state | Amit | A
23-April-10 | 10:58:04 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check integrity of the image. | |

End of Part 1 (Running Sheet)


Report on Findings

The aim of this report is to explain all the findings from the image, Assignment2.dd, made during the forensics investigation. The main job is to find the Meerkat images, which are against the law and which the employee is suspected of accessing.

On 2010-04-22 the Assignment2.dd image file was downloaded from Edith Cowan University to begin the investigation for Meerkat images. All the investigation was done using CAINE in VMware, with Autopsy as the forensic software.

All evidence images searched and collected from C:\


All findings of .bmp images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Application Data/Microsoft/Internet Explorer/Internet Explorer Wallpaper.bmp | 228f497c6e699de6df00387715441a1f | 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | 2008-05-01 11:53:49 (WST) | 2008-05-01 11:53:49 (WST) | | Internet Explorer Wallpaper.bmp | A

All findings of .gif images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/WINDOWS/jewel.gif | bbdc61bcb09b70a92e2421aa3097afa7 | f395a98bd52754562f1b513298e3547e6566baed | 2008-04-30 18:52:38 (WST) | 2008-05-01 12:12:36 (WST) | | Jewel.gif | A


All findings of .jpg images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/2VUHUZWD/180px-Meerkats_foraging[1].jpg | d7276adb4dde8b90d853a7a886f97491 | 0ca079eca141053f78652dcfc5fe5802138171d8 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | | 180px-Meerkats_foraging[1].jpg | A
C:/WINDOWS/Loopy.jpg | 7921a439afdf3385bca2bd46fa0dadc9 | ac5e6412a42e4a05306c4a247ca6f68a5462642a | 2008-04-30 18:54:06 (WST) | 2008-05-01 12:12:45 (WST) | | Loopy.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/250px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | | 250px-Suricata.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/180px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | | 180px-Suricata.jpg | A
C:/WINDOWS/RegisteredPackages/{89820200-ECBD-11cf-8B85-00AA005B4383}/ieex/meerkats-6.jpg | 08caf56c034c44487a60305cd71bdf6b | 849ff18b9a173455e5713bcf1719967592045c11 | 2008-04-30 18:54:32 (WST) | 2008-05-01 12:05:24 (WST) | | meerkats-6.jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/EZ2RGJIN/meerkats53[1].jpg | 0f1984f5d17741e513b1bd5449fe076c | 1109b6d97e4c340744e7158de34b1f2fc9e65bef | 2008-05-01 11:53:43 (WST) | 2008-05-01 11:53:43 (WST) | | meerkats53[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/images[1].jpg | 3d98cd156195e02c58f4ce238689120b | 76afa691556abed61c25651c896943d2e279a7ab | 2008-05-01 11:55:39 (WST) | 2008-05-01 11:55:39 (WST) | | images[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/250px Suricata.suricatta.6861[1].jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | | 250px Suricata.suricatta.6861[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/GetAttachment[1].jpg | 2463a4c4668748d3e5176a2da1bb8d87 | fbf5fa1e871b380d21d98c573d42148786af5ba7 | 2008-05-01 11:52:21 (WST) | 2008-05-01 11:52:21 (WST) | | GetAttachment[1].jpg | A

All findings for the .mp4 video file under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the video | Sign
C:/WINDOWS/system32/60d80dd5032499bd4.mp4 | fdfb448514f5ed679951aee278ddae0d | c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | 2008-04-30 18:58:32 (WST) | 2008-05-01 12:11:30 (WST) | | 60d80dd5032499bd4.mp4 | A

All findings for the .doc files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the image in the document | Name of the Document | Sign
C:/Documents and Settings/Administrator/My Documents/EBook of the Prince.doc | fa836b1b27514a4805c5e551398b17e4 | d1e69f0962044748bc487b1b0ebc5104838512c7 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | | EBook OZ 02.doc | A
C:/Documents and Settings/Administrator/My Documents/arrow.doc | 58def2449ed44b627b527b53ad42cf25 | eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | 2008-04-30 18:53:56 (WST) | 2008-05-01 12:07:38 (WST) | | Arrow.doc | A
C:/Documents and Settings/Administrator/My Documents/EBook OZ 02.doc | 5a4b3c21d3f6eb8d349a87229aae14c2 | cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | | EBook 0Z 02.doc | A

All findings for the .rar files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the file | Sign
C:/Program Files/uTorrent/Mystery.rar | 056c1a5d3f9d3b9e26064587000a28ca | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | No Image | Mystery.rar | A


All findings for the .zip files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the files | Sign
C:/Program Files/uTorrent/Mystery.rar/meerkats_1024-8.jpg | 511d2036c3ad7aa66d82596c30cfa3a7 | 61fe4c9f5630ab1e5853b74af046363ed1e9d003 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | | meerkats_1024-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_1sfw.jpg | ea2c53f3ddae1e8816d2f1d0b91776ae | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | | meerkats_1sfw.jpg | A
C:/Personal/Data.zip/Meerkats 09.jpg | e9a9fa7a8f32111ec0e5385c47e099a8 | 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | | Meerkats 09.jpg | A
C:/Personal/Data.zip/Meerkats-8.jpg | 889cdb2d2e952e7d481321a41222dea6 | 2109aba9a0c807af9591d52c9a9e15d64e43828b | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | | Meerkats-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_13sfw.jpg | d60a937985cc63d2806a99d33ca252c2 | 1ce064b8352ee2596000a08085ece08223b6e399 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | | meerkats_13sfw.jpg | A

All findings for the .exe files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the executable file | Sign
C:/Documents and Settings/Administrator/Desktop/to install/Bo2k.exe | 36fb2d9fe2d3e1ec1ee63dde02ad1b3f | 551dc1b5a9cebc93a88e6806671b328349392f63 | 2008-04-30 18:52:54 (WST) | 2008-05-01 12:09:09 (WST) | | Bo2k.exe | A


All findings for the .htm files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the .htm file | Sign
C:/RECYCLER/Dc5.htm | 7424d54a59969623d2498633ea1c0687 | da6fd25750279ec316bf0aa4d1ead3b263e9771c | 2008-04-30 18:58:52 (WST) | 2008-04-30 18:58:52 (WST) | No Image Found | Dc5.htm | A

End of Report Findings


Investigation Process

After downloading the image file named Assignment2.dd from the Edith Cowan University website, I made a copy of the original image into another folder as the forensic copy, so that I could begin the forensic investigation on that copy without affecting the original image. I used hash functions on both the original Assignment2.dd image and the copied Assignment2.dd image and compared their hash values with each other during the investigation, which confirmed that the image had not been compromised and was still the same. As a result, integrity was maintained throughout the whole forensic investigation process.

Start Date and Time: 22-04-2010, 1:22 AM

Creating Directory: amit@sciss10oem:~$ sudo -s

[password] password for amit:

root@sciss10oem:~# cd Desktop

root@sciss10oem:~/Desktop# mkdir investigation

root@sciss10oem:~/Desktop# cd investigation

root@sciss10oem:~/Desktop/investigation#

Date and Time: 22-04-2010, 1:25 AM

Mount the image in investigation folder:

root@sciss10oem:~/Desktop# mount /dev/sdc1 investigation/

root@sciss10oem:~/Desktop# cd investigation

root@sciss10oem:~/Desktop/investigation# ls

Assignment2.dd lost+found

Date and Time: 22-04-2010, 1:26 AM

Hashing the image

root@sciss10oem:~/Desktop$ md5deep -b Assignment2.dd

0c776f7c1ef092cdb9465fde80f4ea86 Assignment2.dd

root@sciss10oem:~/Desktop$ sha1deep -b Assignment2.dd

4179cb30780358577c367a9e6e46708746ddcc53 Assignment2.dd
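The two mechanical parts of this process, verifying that a working copy of the image still carries the MD5/SHA1 recorded for the original (the md5deep/sha1deep step above) and producing the per-file records that make up the findings tables earlier in the report (path, MD5, SHA1, written and accessed times, file name), can be scripted so that the same check is repeated identically every time. The following is an added example written for this page; it is not the report's own code and not part of md5deep, Autopsy or any other tool it mentions. The directory layout, file names and byte contents it builds are constructed for the demonstration, and the digests it checks against are the well-known MD5/SHA1 values of the string "abc" and of an empty file.

```python
"""Evidence integrity check and findings inventory (added example, not from the report).

  * verify_image()  - hash a working copy of the disk image and compare it with the
                      MD5/SHA1 recorded for the original (the md5deep/sha1deep step).
  * inventory()     - walk a mounted image and return one record per file of the
                      requested types with the same fields as the findings tables.
All paths, file names and byte contents used by demo() are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from datetime import datetime

CHUNK = 1 << 20  # read evidence in 1 MiB pieces so a large .dd never sits in memory


def digests(path):
    """Return (md5, sha1) hex digests of a file, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(working_copy, expected_md5, expected_sha1):
    """Compare a working copy against the digests recorded for the original.

    Both digests must match; a mismatch in either means the copy must not be used
    for analysis. Returns (ok, md5, sha1) so the computed values can be logged.
    """
    md5, sha1 = digests(working_copy)
    ok = (hmac.compare_digest(md5, expected_md5.lower())
          and hmac.compare_digest(sha1, expected_sha1.lower()))
    return ok, md5, sha1


def _stamp(epoch):
    """Format a timestamp the way the report's tables do (local time, no zone)."""
    return datetime.fromtimestamp(epoch).strftime("%Y-%m-%d %H:%M:%S")


def inventory(root, extensions):
    """Return findings records for every file under `root` whose extension is wanted.

    Timestamps are taken with os.stat before the file is opened for hashing, because
    reading a file can update its access time unless the volume is mounted read-only.
    """
    wanted = {e.lower() for e in extensions}
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)            # timestamps first ...
            md5, sha1 = digests(path)     # ... then read the content
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "md5": md5, "sha1": sha1,
                "written": _stamp(st.st_mtime), "accessed": _stamp(st.st_atime),
                "name": name,
            })
    return sorted(records, key=lambda r: r["path"])


def format_record(rec):
    """Render one record in the plain-text layout used in the findings section."""
    return (f"Directory path: {rec['path']}\nMD5: {rec['md5']}\nSHA1: {rec['sha1']}\n"
            f"Written: {rec['written']}\nAccessed: {rec['accessed']}\nName: {rec['name']}")


def demo():
    """Build a constructed mini 'mounted image' and run both routines over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents and Settings", "Desktop"))
        img = os.path.join(root, "Documents and Settings", "Desktop", "sample.jpg")
        with open(img, "wb") as fh:
            fh.write(b"abc")                       # constructed content, known digests
        open(os.path.join(root, "tool.exe"), "wb").close()   # empty file, known digests
        open(os.path.join(root, "notes.txt"), "w").close()   # extension not requested
        recs = inventory(root, {".jpg", ".exe"})
        good, _, _ = verify_image(img, "900150983cd24fb0d6963f7d28e17f72",
                                  "a9993e364706816aba3e25717850c26c9cd0d89d")
        # same file checked against a digest with one character changed
        bad, _, _ = verify_image(img, "900150983cd24fb0d6963f7d28e17f73",
                                 "a9993e364706816aba3e25717850c26c9cd0d89d")
        return recs, good, bad


if __name__ == "__main__":
    records, verified, tampered_check = demo()
    for r in records:
        print(format_record(r), end="\n\n")
    print("working copy verified:", verified, "| altered digest accepted:", tampered_check)
```

Because the mount command in this running sheet does not pass `-o ro`, the access times the tables report can be changed by the act of opening a file to hash or view it; taking the timestamps before reading, as `inventory()` does, limits but does not remove that risk, and mounting the evidence read-only removes it.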


Date and Time: 22-04-2010, 1:28 AM

Open Autopsy

root@sciss10oem:~/Desktop# sudo autopsy

Click on the link to launch autopsy: http://localhost:9999/autopsy

Created new case named Meerkats_Investigation to start the forensic investigation of the image.

Date and Time: 22-04-2010, 1:40 AM

Creating New Case


Add host named host1

Host1 was added in Autopsy, and afterwards the image, Assignment2.dd, was also added. Autopsy generated its MD5 hash value, which was compared with the MD5 hash value of the original image to maintain the integrity of the image and confirm that it had not been compromised.

Investigation Findings

A) .GIF:- When I searched for .gif files, I found a list of files, and after looking into each and every .gif file I found the jewel.gif image.


B) .BMP:- When I searched for .bmp files, I found a list of files, and after analysing each and every .bmp file I found the Internet Explorer Wallpaper.bmp image.


C) .MP4:- When I searched for .mp4 files, I found a list of files, and after looking into each and every .mp4 file I found the 60d80dd5032499bd4.mp4 video file.


D) .ZIP:- When I searched for .zip files, I found a list of files, and after analysing each and every .zip file I found meerkats_1024-8.jpg, meerkats_1sfw.jpg, Meerkats 09.jpg, Meerkats-8.jpg and meerkats_13sfw.jpg.


E) .EXE:- When I searched for .exe files, I found a list of files, and after analysing each and every .exe file I found the Bo2k.exe file.


F) .DOC:- When I searched for .doc files, I found a list of files, and after analysing each and every .doc file I found arrow.doc, EBook 0Z 02.doc and EBook of the Prince.doc (EBook OZ 02.doc, EBook OZ 02.doc).

The screenshot above also shows one HTML document, which is about meerkats. That website gives some general information about meerkats. The existing HTML document looks like this:


G) .RAR:- When I searched for .rar files, I found a list of files, and after analysing each and every .rar file I found the Mystery.rar file.


Conclusion

After investigating the Assignment2.dd image file, we successfully recovered 23 images of meerkats, one video file and some document files, including websites that mainly discuss meerkats. All of this investigation and evidence clearly proves that the employee broke the rules and regulations and acted against the law, for which he should be penalised.
