CE00267-7 Forensic
Investigation Project
TPR Investigation Report
By Paul Kevin Green, Ravindu Meegasmulla and Muhammad Taiyib Parvez
MSc Digital Forensics and Cybercrime Analysis
Staffordshire University
Award Leader: Hatem Tammam
Module Leader: Stilianos Vidalis
April 2013
Word Count – 5,265
Key Acronyms
Term   Use
HDD    Explains media known as a Hard Disc Drive
CD     Explains media known as a Compact Disc
DVD    Explains media known as a Digital Versatile Disc
NTFS   The file system used on modern Windows operating systems – stands for New Technology File System
OS     A generic term used to explain the Operating Systems installed on a machine
RAM    Random Access Memory – the main area for devices to temporarily store current processes
ROM    Read Only Memory – permanent area of storage, used for holding configuration details
SID    Security Identifier – used on Windows to identify a user
MBR    Master Boot Record – used for indicating the primary partitions
VBR    Volume Boot Record – used for booting an OS from a volume

Form Abbreviations
Term   Use
CEC1   Case Evidence Collection
CRR1   Case Report Request
CSR1   Case Scene Report
EAL1   Evidence Analysis Log
ETAG   Evidence Tags
HDA1   Hard Drive Analysis
UIP1   Use ID Profile
Case Summary
TPR Group was called to investigate a case involving a computer laboratory at Staffordshire University where a single hard disk was found unplugged inside a machine. The Forensic Manager was contacted by a member of Staffordshire University to attend the K113 laboratory, located in the building called the Octagon, to analyse and acquire the evidential media located at the scene.

When briefed by the university's representative, the case was described as follows:

The employee attended the laboratory to set up the room for a class they were conducting that day and found a single computer that would not boot into the operating system. Upon further investigation the employee opened the computer case and found the hard disk disconnected from the motherboard. On closer inspection they found that the disk drive was not the one previously connected to the laboratory's machine. At this point the employee contacted TPR Group to conduct an investigation into the owner of the disk drive.

The scope of the crime scene was the single desk holding the computer system, which can be seen in the Case Report documentation. The investigative team attended the scene and acquired all evidential media that was deemed to be of use and took it back to the forensic laboratory to further
Appendices
The following section of this report documents all additional appendices that are attached to this case.
Appendix A Case Management
Appendix A.1 Authorisation Documentation
TPR Group: Case Request Report
Case Request Report CRR1
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _        Critical / Urgent / Standard
Case officer:
Date & Time call received: _ _ / _ _ / _ _ _ _   _ _ : _ _
Client Name:                    Company Name:
Contact Email Address:          Contact Phone No:
Fax No:                         Alternative Mobile No:
Address of incident:
  Address 1:
  Address 2:
  County:
  Postcode:
  Country:
Size of organisation: Small / Medium / Large    National / International
Nature of incident:
Date of incident: _ _ / _ _ / _ _ _ _
Number of Items involved:
Isolated / Un-isolated network
Operating system used within the organisation: Windows / Unix Based / Mac OSX / Mobile OS / Other……………………………
Shared devices / Personal
Is the scene safe: Yes / No    If No please state:
Client Signature:               Name Printed:
Date: _ _ / _ _ / _ _ _ _       Time (HH:MM): _ _ : _ _
Case Request Report Initial Meet
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Date: _ _ / _ _ / _ _ _ _
Case officer:                                      Time: _ _ : _ _
Client Name:                    Company Name:
Contact Email Address:          Contact Phone No:
Fax No:                         Alternative Mobile No:
Any Additional new information:
Name of persons who have access to items:
Usernames for items involved (if relevant):        Account passwords (if relevant):
Client Signature:               Date: _ _ / _ _ / _ _ _ _
Case Officer Signature:         Date: _ _ / _ _ / _ _ _ _
TPR GROUP
AUTHORISATION FOR RELEASE, ACQUISITION AND ANALYSIS OF ALL RELATED MEDIA DURING THE FORENSIC INVESTIGATION
Please carefully read and understand this authorisation form to enable the release of information, documentation and media for the reported case, then sign and date.
I authorise any representative of the TPR Group to enter the scene of the incident for the purpose of examining, and extracting if required, media related to the reported case.
I authorise any representative of the TPR Group entering the scene of the incident to photograph, document and report all relevant details required for the investigation.
I authorise any representative of the TPR Group to gather additional information from witnesses at the scene of, or related to, the incident when reasonable and relevant.
I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations if found to be related to terrorist or illegal activity.
I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations upon request by any legally authorised parties.
This form is valid up until the point the case is released from TPR Group, at which time release documents will be signed and all case materials released to the authorised person below, or their representative, if legally possible.
TPR Representative:
__________________________ ____________________ _ _ / _ _ / _ _ _ _
Print Name                 Signature            Date Signed
The Client's Authorised Representative:
__________________________ ____________________ _ _ / _ _ / _ _ _ _
Print Name                 Signature            Date Signed
__________________________ _____________________________________________
Position within Organisation   Organisation
TPR Group: Case Scene Report
CLIENT AUTHORISATION
Signature:                      Date: _ _ / _ _ / _ _ _ _
TPR DETAILS
Enter Date: _ _ / _ _ / _ _ _ _    Enter Time: _ _ : _ _ (HH:MM)
Case No: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Case Manager:
Is the scene safe to enter? Yes / No (state why)
TEAM ATTENDING – (Cross out blank boxes)
Name   Position   Time (HH:MM)   Signature
                  _ _ : _ _
                  _ _ : _ _
                  _ _ : _ _
                  _ _ : _ _
                  _ _ : _ _
ENTRANCE & EXITS
Number of Exits:               Are any Fire Exits: Yes / No
SCENE DOCUMENTATION
Panoramic Photo: Yes / No    Witnesses: Yes / No    Secured Witnesses: Yes / No
CCTV Available: Yes / No    CCTV Acquirable: No / Yes --> CCTV Evidence No: Case No + _ _ _ _
Draft Blueprint of Scene:
TPR STAFF DETAILS
Exit Date: _ _ / _ _ / _ _ _ _    Exit Time: _ _ : _ _ (HH:MM)
Signature:
Case Officer:                   Client:
Appendix A.2 Case Evidence Collection Form
TPR GROUP
Investigations Unit
This form is to be used for only one piece of evidence.
Fill out a separate form for each piece of evidence.
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Evidence number: Case No + _ _ _ _
Case Manager:                   Original / Duplicate    Original No: _ _ _ _
Evidence Type:
Evidence Location:
Vendor Name   Model No   Serial No   Additional Notes
Description of evidence:
Evidence Recovered By:          Date: _ _ / _ _ / _ _ _ _    Time (HH:MM): _ _ : _ _
Signature:
CHANGE OF CUSTODY
This form is to be used for only one piece of evidence.
Fill out a separate form for each piece of evidence.
Who (From / To)   Reason   Comments   Authorisations   Signatures   Date & Time
From:                                                               _ _ / _ _ / _ _ _ _  _ _ : _ _
To:
From:                                                               _ _ / _ _ / _ _ _ _  _ _ : _ _
To:
From:                                                               _ _ / _ _ / _ _ _ _  _ _ : _ _
To:
From:                                                               _ _ / _ _ / _ _ _ _  _ _ : _ _
To:
Additional Page Signature: __________________________    Page ___ Of ___
Initial ___ ___
CHAIN OF ACCESS
This form is to be used for only one piece of evidence.
Fill out a separate form for each piece of evidence.
Name   Date & Time Out                 Reason   Signature   Date & Time In                  Signature
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
       _ _ / _ _ / _ _ _ _  _ _ : _ _                       _ _ / _ _ / _ _ _ _  _ _ : _ _
Appendix A.3 Crime Scene Management Diagrams
Appendix A.3.1 Attending the Crime Scene
Appendix A.3.2 Acquisition of the Scene
Appendix A.3.3 Device Acquisition
1. Secure devices of evidentiary value.
2. Assess the system status:
   a. If the system is live:
      i. Collect a write blocker; if none is available, contact the Case Officer.
      ii. Set up the Forensic Acquisition Workstation.
      iii. Connect the write blocker.
      iv. Connect the evidential device.
      v. Start acquisition of volatile media.
      vi. Confirm the acquisition.
      vii. Follow the procedure for the specific device and Operating System type.
   b. If the system is switched off:
      i. Do not turn it on.
      ii. If the device cannot be opened, acquire the entire device if possible.
      iii. If that is not possible, can the storage media be removed?
         1. No: image at the scene as a live system.
         2. Yes: acquire the media if possible and continue.
      iv. Bag and tag the evidence.
      v. Store for transportation.
      vi. Check for other evidential media within the device and acquire it.
      vii. Close the device and document.
3. Check the scene for further evidence.
4. Document the scene.
5. Hand back to the Case Officer.
6. Case Officer to have a final check of the scene.
7. Hand back to the client.
Appendix A.3.4 Device Specific Acquisition
Appendix A.4 Forensic Examiners Toolkit
Appendix A.4.1 Specialist Forensic Hardware
All of the following equipment will be taken to every crime scene.
Check Item
Network Cables (Multiple) – Both straight through and crossover
Floppy Drive (External with USB connector)
CD/DVD Drive (External with USB Connector)
Hard Drives (Several Sizes) – with SATA, PATA, IDE connectors
Digital Versatile Discs (DVD) spindle with several discs
Acquisition Machine with forensic software as below & Backup
Network Detector
Network Blocker
Internet Dongle
Write Blocker
Battery Power backup device
XRY Mobile Acquisition Kit
Card Reader
Mouse Jiggler
Second Monitor
External Hard Disc Caddy (2.5inch and 3.5inch)
Appendix A.4.2 Specialist Forensic Software
Check Item
LinEn Disc or USB
EnCase 6 & 7
Linux Bootable
Personalised Windows Operating System Backup
Personalised Mac OS Backup
Forensic Tool Kit 4
Micro Systemation XRY (Latest stable version)
Backup of Forensic Software & Licences
Appendix A.4.3 General Forensic Equipment
Check Item
Seizure Bags
Tags
Cable Ties
Archival-grade permanent marker
Voice Recorder
Magnifying Glass
Tools (Nonmagnetic and magnetic)
Straight head and Philips screwdrivers, plus specialist head variations
Pliers
Wrench
Anti-static wrist band
Power Extension leads (5m, 10m, 15m, 20m, 25m)
Dust Brush
Gloves
Mirror
Faraday Bag
Evidence Forms
Keyboard
Mouse
Authorisation / Warrant
Identification
Bubble Wrap
Certifications (Copies)
Contact Numbers
Photo Card & Numbers for photographing evidence
Appendix A.5 Questions for Cases
Appendix A.5.1 Initial Contact Questions
Company and Contact Details
What is your name and position?
Are you in charge of day to day activities at the location of the device?
If not, do you have enough technical knowledge to answer the preliminary questions used to assess the situation, so that TPR can prepare for your specific case?
What is the name and nature of the Company?
What is the size of the company?
How many people are employed?
Over how many sites does the company span?
What is the location of the company the enquiry is regarding, and who is the person in charge?
Incident details
What is the nature of your call, and when did the incident occur?
Were there other members of staff or civilians involved?
If so, who are they?
What was their position or authority at the time of the incident?
Device details
What are the devices?
Where is the device, or devices, in question located within the company?
Is the device (or devices) connected within a networked environment?
If so, what is the size of the network?
Is the device (or devices) isolated?
Do you know the Operating system of the machines?
Explain that the devices in question should not be used for any reason at all, as any potential evidence may be destroyed or changed.
Stop any persons from accessing the scene with any electronic devices.
Appendix A.5.2 At the Scene Questions
Initial questions
Is the computer networked to external sources?
To a server?
Intranet?
File server?
What access rights does this particular user hold?
To the internet?
Through a wireless connection?
Wired connection?
Security measures in place?
Preliminary questions
Has anything changed from the last time we talked?
If so add these details to the CSR1 form.
Has anyone been or had access to the computer?
If so add these details to the CSR1 form.
Appendix A.5.3 Witness Questioning
The following questions are not case specific and must be tailored to suit each individual case; this will be managed and prepared by the Case Officer.
Before conducting an interview the Case Officer must explain the purpose of the interview and introduce themselves to the witness. Throughout the interview the Case Officer must be polite to the witness, and punctuality is important at all times.
What are your role and responsibilities?
Who is your supervisor?
Is there anyone else, other than you, who has authorisation for this department?
What are the procedures relating to the IT equipment within this department?
What are the administrative passwords?
Are there any security measures currently in place protecting this equipment?
Can you explain the crime scene according to your knowledge?
Who did you contact first after seeing the incident?
Is there any wireless connection?
Would you provide your contact details?
Appendix B ACPO Guidelines – 2012 Edition
The ACPO Guidelines is a document developed by 7Safe in conjunction with the Association of Chief Police Officers. Within this document are four principles that are used as a guide, which are:
Principle 1:
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2:
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3:
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same level.
Principle 4:
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
The above principles were taken directly from the ACPO Good Practice Guide for Digital Evidence document (Police.uk, 2012).
Appendix C Analysis Procedures
Appendix C.1 Hard Drive Analysis Form
TPR Group
Examination Process Procedure – Windows
Upon successful acquisition of the storage device, the drive is then required to be duplicated onto a sterile storage drive.
This drive is then to be analysed and not the original artefact. The drive is then to be analysed using the following procedure:
Task                                          Notes   Completion
Verify drive image against original hash              ☐
Locate Master Boot Record                             ☐
Locate Volume Boot Record                             ☐
Locate Backup Sectors                                 ☐
Locate Logical Size of Disc (Sectors)                 ☐
Locate Physical Size of Disc (Sectors)                ☐
Locate Hidden Sectors                                 ☐
Locate Operating System Version                       ☐
Locate Useful Windows Files (SWAP etc.)               ☐
Locate Installed Applications                         ☐
Locate Unallocated Space                              ☐
Locate Deleted Artefacts                              ☐
Complete File Signature Analysis                      ☐
Complete Hash of Every File                           ☐
Complete Keyword Search                               ☐
Search for File Types                                 ☐
Search for Emails                                     ☐
Search for Email Addresses                            ☐
Search for Internet History                           ☐
Search for Folder Structure                           ☐
Search for Timeframe of Artefacts                     ☐
Appendix C.2 Evidence Analysis Log Form
TPR Group – Evidence Analysis Log
Date   Time   Case Number   Investigator
Confirmation that the drive was write blocked to prevent alteration.
Parsing the details of the evidence drive.
Adding the acquisition files to the case.
Acquisition details regarding the actual acquisition.
Evidence added ready for analysis.
Hash confirmation of the drive confirming no alteration has occurred during acquisition.
Appendix E.2 Drive Structure
The following details are regarding the drive in question and the acquisition machine. The first two tables below detail the serial numbers for the evidence drives, the file system types and the drive specification details.
The third table details the acquisition with regards to the storage locations, verification hashes and whether the drive was write blocked during acquisition.

Serial Number        9683-E291
Full Serial Number   29683F09683E291
Driver Information   NTFS 3.1

File System          NTFS
Sectors per cluster  8
Bytes per sector     512
Total Sectors        37,190,412
Total Capacity       19,041,488,896 Bytes (17.7GB)
Total Clusters       4,648,801
Unallocated          18,930,753,536 Bytes (17.6GB)
Free Clusters        4,621,766
Allocated            110,735,360 Bytes (105.6MB)
Volume Name          Data Area
Volume Offset        0
Drive Type           Fixed

Name                 TPR000001-27-02-13-0003
Actual Date          04/03/13 16:43:04
Target Date          04/03/13 16:43:04
File Path            D:\Cases\TPR000001-27-02-13\Evidence\TPR000001-27-02-13-0003.E01
Case Number          TPR000001-27-02-13
Evidence Number      TPR000001-27-02-13-0003
Examiner Name        P.Green
Notes                Investigation in Forensic Laboratory computer system
Label                FastBloc
Model                _FE_v2,_Guidance
Drive Type           Fixed
File Integrity       Completely Verified, 0 Errors
Acquisition MD5      824d4cc6e7aaae196a0f662d5c8a862e
Verification MD5     824d4cc6e7aaae196a0f662d5c8a862e
Acquisition SHA1     c168adaabd6acf4d0f699c1caf32569ef7f6a320
Verification SHA1    c168adaabd6acf4d0f699c1caf32569ef7f6a320
GUID                 d7d9cd26b0c1574bb7bd071f04d12c7a
EnCase Version       6.19.4
System Version       Windows 7
Write Blocked        Fastbloc
Neutrino             False
Is Physical          False
Raid RHS             False
Raid Stripe Size     0
Error Granularity    64
Process ID           0
Index File           D:\Cases\TPR000001-27-02-13\Index\TPR000001-27-02-13-0003-
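As an added worked example (not code from the report or its authors), the following Python script checks that the volume figures recorded above are mutually consistent given 512-byte sectors and 8 sectors per cluster, confirms that each acquisition hash matches its verification hash, and reproduces the hash verification step on a constructed byte buffer standing in for the real E01 image.

```python
"""Added worked example (not part of the report): check that the NTFS geometry
recorded in Appendix E.2 is internally consistent, and reproduce the
acquisition/verification hash comparison on constructed data."""
import hashlib

BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 8

# Volume figures and hashes transcribed from the tables above.
VOLUME = {
    "total_sectors": 37_190_412, "total_clusters": 4_648_801,
    "free_clusters": 4_621_766, "total_capacity": 19_041_488_896,
    "unallocated": 18_930_753_536, "allocated": 110_735_360,
}
RECORDED_HASHES = {  # (acquisition, verification)
    "md5": ("824d4cc6e7aaae196a0f662d5c8a862e", "824d4cc6e7aaae196a0f662d5c8a862e"),
    "sha1": ("c168adaabd6acf4d0f699c1caf32569ef7f6a320",
             "c168adaabd6acf4d0f699c1caf32569ef7f6a320"),
}

def check_geometry(v, bps=BYTES_PER_SECTOR, spc=SECTORS_PER_CLUSTER):
    """Derive cluster and byte totals from the sector count and list every
    recorded field that disagrees. Capacity is counted in whole clusters, so
    trailing sectors that do not fill a cluster are left out of the total."""
    cluster_bytes = bps * spc
    clusters, spare_sectors = divmod(v["total_sectors"], spc)
    derived = {
        "total_clusters": clusters,
        "spare_sectors": spare_sectors,
        "total_capacity": clusters * cluster_bytes,
        "unallocated": v["free_clusters"] * cluster_bytes,
        "allocated": (clusters - v["free_clusters"]) * cluster_bytes,
        "capacity_gib": round(clusters * cluster_bytes / 2 ** 30, 1),  # EnCase's "GB"
    }
    mismatches = [k for k in ("total_clusters", "total_capacity",
                              "unallocated", "allocated") if derived[k] != v[k]]
    return derived, mismatches

def recorded_hashes_agree(recorded=RECORDED_HASHES):
    """True only if every acquisition hash equals its verification hash."""
    return all(acq == ver for acq, ver in recorded.values())

def verify_image(image_bytes, expected_md5, expected_sha1):
    """Re-hash an image and compare it with the hashes taken at acquisition."""
    return {
        "md5": hashlib.md5(image_bytes).hexdigest() == expected_md5.lower(),
        "sha1": hashlib.sha1(image_bytes).hexdigest() == expected_sha1.lower(),
    }

def demo_verification():
    """Constructed 16 KiB stand-in for an image: the intact copy verifies,
    a copy with a single altered byte fails both digests."""
    image = bytes(range(256)) * 64
    md5, sha1 = hashlib.md5(image).hexdigest(), hashlib.sha1(image).hexdigest()
    intact = verify_image(image, md5, sha1)
    tampered = verify_image(image[:-1] + b"\x00", md5, sha1)
    return intact, tampered
```

Running the geometry check on the recorded figures shows 4 sectors left outside the last whole cluster, which is why the capacity equals clusters × 4096 rather than sectors × 512.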