8/2/2019 Coursework C
1/30
Page | 1
Digital Forensics
Dr. Qin Zhou
Coursework C
CASE #001-122011
AbdulHasib Osmani
Table of Contents
ABSTRACT ................................................................................................................................................ 3
OVERVIEW ............................................................................................................................................... 4
1. Crime scene investigation ................................................................................................................... 5
1.1 Seizing evidence ......................................................................................................................... 5
1.2 What evidence was found and seized from the crime scene .................................................. 10
2. Imaging the evidence ........................................................................................................................ 11
2.1 Imaging the CD ............................................................................................................................ 11
2.2 Imaging the USB Memory Stick ................................................................................................... 13
3. Summary ........................................................................................................................................... 14
3.1 Log Book ...................................................................................................................................... 14
3.2 General Case Intake Form ........................................................................................................... 15
3.3 Chain of Custody ......................................................................................................................... 16
Appendix A Crime Scene ................................................................................................................ 18
Appendix B Tools Used ................................................................................................................... 30
ABSTRACT
I, AbdulHasib Osmani, a computer forensics analyst, was contacted by Example
University in the Kingdom of Example Land (KEL) on the 2nd December 2011
regarding an incident which occurred in one of the University's laboratories. The
incident was picked up by a network administrator who noticed there was some
illegal rhino traffic, and he alerted the University's management. The network
administrator had linked this incident to a computer which is primarily used by a PhD
student.
I arrived at the scene where the alleged offence took place on the 13th February 2012
at 11:00 am to acquire any evidence which could help in the investigation. I took a
series of photographs of the crime scene and then proceeded to seize the physical
evidence and place it in anti-static bags and boxes; i.e. a CD, a CD case with a
cover, and the desktop computer, monitor and its peripherals.
After leaving the crime scene, I went to the laboratory and placed all the related
evidence in protected evidence lockers.
As part of the investigation, I made exact bit copies of the CD and USB memory stick which
were seized from the crime scene. I used Masterkey Linux for the CD and
AccessData FTK Imager for the USB memory stick.
Thereafter, I computed MD5 checksums to confirm that I had made perfect copies of both pieces of evidence.
This process needed to be observed properly to make the evidence valid in court.
Throughout the procedure, I observed the chain of custody and kept a log of events, which is
included in the report.
OVERVIEW
On the 2nd December 2011, I was contacted by Dr. Qin Zhou, a manager at Example
University, regarding suspected unlawful usage of the university's equipment to
facilitate the possession and distribution of pictures of unique rhinos.
After a good discussion with the University's management over the phone, I
decided to take on the case and investigate this incident.
The primary objective of this investigation is to see whether the University's
equipment was used to facilitate the possession and distribution of the unique rhino
pictures in excess of the legal limit, which is 8.
This report contains a complete analysis of the crime scene and the details of the
digital media which was also acquired from the crime scene.
The first chapter of the report contains the initial phase of the investigation, outlining
what was found and what was seized from the scene of the crime. Pictures of the
crime scene and evidence are also presented alongside a description of the items.
The second chapter of the report explains the imaging procedures and how I went
about making exact bit copies of the evidence seized.
The final chapter of the report summarises the sequence of events and my findings,
including the appendices, which contain the images, Chain of Custody, Case Intake
Form and further information on the evidence obtained.
1. Crime scene investigation
1.1 Seizing evidence
I arrived at the crime scene in lab room JAG18, situated in the Jaguar building in
Example University, at 11am on the 13th February 2012. I was told by the head of the
faculty, Dr. Qin Zhou, that the scene had been secured as soon as the alleged
incident was discovered and access was closed to all personnel. Dr Zhou informed
me that the computer was only used by the suspect, a PhD student. This suggests
that the scene had been secured properly and that nobody else had entered the room,
so nothing implies that any evidence had been tampered with since the suspect left.
Firstly, I took photographs of the crime scene. There was an off-white Viglen Genie
desktop PC, with a 15" TFT monitor and a Compaq keyboard of the same colour, and a
black IBM mouse. (Figure 1)
Figure 1 Crime Scene
There was also a 2GO 2GB USB memory stick inserted in the front USB slot of the PC.
(Figure 2)
Figure 2 2GO USB Memory Stick
Upon reviewing the area of the crime scene, I also discovered a CD case, with an
article on steganography inside it, but no CD. (Figure 3 & Figure 4)
Figure 3 CD Case with article
Figure 4 Exploring Steganography: Seeing the unseen
Upon inspection of the rear of the PC, I realised there was only one screw holding
the cover in place instead of 2 (Figure 5), which suggests that the cover had been removed
and the hardware possibly tampered with.
Figure 5 Rear of the PC: only 1 screw at the bottom of the case is in place; the other
screw at the top is missing.
I decided to remove the side of the cover to see if the hardware inside had been
tampered with and discovered that the hard disk drive had been removed. (Figure 6)
Figure 6 No hard disk drive (HDD)
After discovering that the HDD was removed, I put the cover back on and booted the
computer to see if the CD was in the CD drive and to check the BIOS settings.
I found that the CD was still in the CD drive. (Figure 7)
Figure 7 TDK CD labelled Collection of papers, images.. P.
I then checked the BIOS settings and established that the time in the BIOS was
incorrect: it was about 1 hour and 10 minutes fast. (Figure 8)
Figure 8 BIOS Settings
Time is incorrect
1.2 What evidence was found and seized from the crime scene
Evidence number / Item description / Serial #
001) Viglen Genie Desktop PC / #21509852
002) 15" TFT monitor / #21509843
003) Compaq keyboard
004) Black IBM mouse
005) 2GO 2GB USB memory stick / B000VZ4KIM
006) TDK CD-R
007) Power cables for PC and monitor
008) CD case with article on steganography
2. Imaging the evidence
My primary task upon returning to the lab was to remove the CD and USB Memory
Stick from the evidence locker and image them.
2.1 Imaging the CD
I inserted the CD into a forensics workstation which was running Masterkey Linux. This
distribution would allow me to create an exact bit copy of the CD.
Once Masterkey Linux was running, the first thing I did was use the shell command fdisk -l to see
whether the CD which needed to be imaged was present, which it was, as /dev/hdc.
I then created a primary partition on the target drive (/dev/sdc) and added an NTFS file system to it using
GParted.
This created a new directory named /mnt/sdc1. I then made sure that the directory wasn't mounted by using the mount shell command, and it wasn't.
The next step was to mount the target disk (RhinoEvidenceDisk) for data acquisition. This was done by entering
the following shell command: mount -t ntfs-3g /dev/sdc1 /mnt/sdc. This resulted in the drive being
mounted successfully.
After that, I changed directory to the target disk's mount point with the shell command
cd /mnt/sdc1.
I then ran the shell command md5sum /dev/hdc, which generated the MD5 hash of the
original CD evidence. This gave the hash a675cf425ee43622d75b18e0528ad2c7.
Figure 9 MD5 CD original evidence
The next task was to image the original evidence CD (/dev/hdc) and save it on the target disk's
NTFS partition (/mnt/sdc1) as an image file named RhinoEvidenceDisk.dd.
Once that had completed, I checked that the image file existed by using the shell
command ls -l /mnt/sdc1/, and it did.
The final thing which needed to be done was an MD5 hash of the image created, to make
sure that it is a perfect copy of the original evidence CD.
The MD5 hash generated was a675cf425ee43622d75b18e0528ad2c7, which was exactly the
same as the original.
Figure 10 MD5 CD image file
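The acquisition steps above (locate the device, hash the original, write the dd image, hash the image, compare) can be scripted so that the comparison is not done by eye and the hashes are recorded next to the image. The script below is an added example written for this page; it is not a script from the report, from Masterkey Linux or from FTK Imager. The device names and file names from the report (/dev/hdc, /mnt/sdc1, RhinoEvidenceDisk.dd) appear only in a usage comment; the block size, the temporary files and the self-test input are constructed for the example. Two things it adds beyond the report: it refuses to read a block device unless the kernel has it flagged read-only (a software write-block via blockdev, used here in place of the Windows registry setting applied to the USB stick in the next section; the log book shows the PC was powered on at 11:32 with the stick still inserted, which is exactly the window such a check is meant to close), and it records SHA-256 alongside MD5, since MD5 collisions are practical and a single MD5 match is weak evidence of an exact copy. The regular-file branch exists so the script can be exercised offline without a real device.

```shell
#!/usr/bin/env bash
# Added example (not the report's own procedure): image a source medium with dd,
# hash source and image with MD5 and SHA-256, record the digests beside the image,
# and allow the image to be re-verified later against that record.
# Usage after sourcing this file (values from the report, 2048 = CD-ROM sector size):
#   image_device /dev/hdc /mnt/sdc1/RhinoEvidenceDisk.dd 2048
set -u

# Return 0 if SRC is safe to read as evidence: a regular file (used by the
# offline self-test), or a block device the kernel has flagged read-only
# ("blockdev --getro" prints 1, e.g. after "blockdev --setro /dev/sdX" or behind
# a hardware write-blocker). A writable block device is rejected.
check_source_readonly() {
    local src="$1"
    if [ -b "$src" ]; then
        [ "$(blockdev --getro "$src" 2>/dev/null)" = "1" ]
    else
        [ -f "$src" ]
    fi
}

# hash_file ALGO FILE: print only the digest (ALGO is md5sum or sha256sum).
hash_file() { "$1" < "$2" | cut -d' ' -f1; }

# image_device SRC DEST [SECTOR]: copy SRC to DEST bit for bit with dd.
# conv=noerror,sync keeps reading past unreadable sectors and zero-fills them so
# the image keeps the original size and offsets. For that padding to apply only
# to genuinely bad sectors, bs must equal the medium's sector size (512 for most
# USB sticks and hard disks, 2048 for a CD-ROM); a wrong bs pads the tail and the
# hashes will not match. Source and image are hashed independently and both
# digests written to DEST.hashes. Returns 0 only if MD5 and SHA-256 both match.
image_device() {
    local src="$1" dest="$2" sector="${3:-512}"
    check_source_readonly "$src" || { echo "refusing: $src is writable or missing" >&2; return 2; }
    dd if="$src" of="$dest" bs="$sector" conv=noerror,sync status=none || return 3

    local src_md5 dst_md5 src_sha dst_sha
    src_md5=$(hash_file md5sum "$src");    dst_md5=$(hash_file md5sum "$dest")
    src_sha=$(hash_file sha256sum "$src"); dst_sha=$(hash_file sha256sum "$dest")
    {
        echo "source=$src image=$dest sector=$sector date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "md5    source $src_md5"
        echo "md5    image  $dst_md5"
        echo "sha256 source $src_sha"
        echo "sha256 image  $dst_sha"
    } > "$dest.hashes"

    [ "$src_md5" = "$dst_md5" ] && [ "$src_sha" = "$dst_sha" ]
}

# verify_image DEST: re-hash the image and compare with the source digests
# recorded at acquisition time, so a working copy can be checked later without
# touching the original medium again.
verify_image() {
    local dest="$1" rec_md5 rec_sha
    rec_md5=$(awk '$1=="md5" && $2=="source" {print $3}' "$dest.hashes")
    rec_sha=$(awk '$1=="sha256" && $2=="source" {print $3}' "$dest.hashes")
    [ "$(hash_file md5sum "$dest")" = "$rec_md5" ] &&
    [ "$(hash_file sha256sum "$dest")" = "$rec_sha" ]
}

# Offline self-test on a constructed 4096-byte stand-in for the CD (not evidence).
if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    head -c 4096 /dev/urandom > "$tmp/fake_cd.bin"
    if image_device "$tmp/fake_cd.bin" "$tmp/RhinoEvidenceDisk.dd" 512 \
       && verify_image "$tmp/RhinoEvidenceDisk.dd"; then
        echo "image verified"
    else
        echo "hash mismatch"
    fi
    rm -rf "$tmp"
fi
```

Run it with --selftest for the offline check, or source it on the acquisition workstation and call image_device with the real device. The hash record is deliberately a separate file rather than a comment in the log book: it is what a second examiner reads back with verify_image, and it holds the source digests, so a later mismatch points at the image, not at the medium.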
2.2 Imaging the USB Memory Stick
Once I had completed imaging the CD, the next task was to do the same for the USB memory stick.
Before I made an image file of the USB stick, I had to disable write access to the USB ports on the
workstation, as this prevents any risk of the evidence on the memory stick being tampered with. This was done by editing the registry.
Figure 11 Write protection enabled
To image the USB stick, I used a tool named AccessData FTK Imager. The imaging process for
the USB stick was not as long as it was for the CD.
I simply created a new disk image from the physical drive into which the memory stick was inserted, and the
tool generated the MD5 hashes of both the original and the imaged data; they matched, as shown in
Figure 12.
Figure 12 USB Memory stick image MD5 match
3. Summary
3.1 Log Book
Time   Event
11:00  Arrived at crime scene
11:02  Interviewed Dr. Qin Zhou to gain understanding of the crime scene and situation
11:14  Took a picture of the front of the crime scene
11:18  Took a picture of the rear of the crime scene
11:19  Found CD case with steganography article
11:25  Removed case to check inside PC; only 1 screw
11:27  No hard drive installed in the PC
11:30  Put the case back on the PC
11:32  Switched PC on
11:35  Removed inserted USB and bagged evidence in anti-static bag
11:36  Found CD in CD drive; seized, bagged and tagged
11:38  Checked BIOS settings; recorded wrong time
11:42  Switched machine off
11:47  Left crime scene
3.2 General Case Intake Form
CASE INTAKE FORM
Details of client
Case# #001-122011
Company Name DG Forensics Ltd.
Address Line 1 24 Dilly Dally Street
Address Line 2 Betchley
Town/City Narnia
Postcode N4 8FR
Phone 0144 557 9996
Inquiry date 02/12/2011
Report given in by AbdulHasib Osmani
Referral
Name Dr. Qin Zhou
Company/Location Example University / Kingdom of Example Land
Plaintiff Name(s) Dr. Qin Zhou
Defendant name(s) N/A
Other Parties N/A
Client type Plaintiff
Case Type Criminal
Location JAG 18, Example University, Kingdom of Example Land
Date of incident 02/12/2011
3.3 Chain of Custody
Electronic Evidence Chain of Custody Form
Case No: #001-122011    Page 1 of 2
Investigating Organisation: DG Forensics Ltd.
Investigator: AbdulHasib Osmani
Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

Electronic Media/Computer Details
Item No: 001    Description: Flash Memory
Manufacturer: 2GO    Model No: M2G-PEN-2 0-2GB    Serial No: B000VZ4KIM

Image Details
Date/Time: 17/02/2012 12:26PM
Created By: AbdulHasib Osmani
Method Used: AccessData FTK Imager
Image Name: USBMemoryStick
Segments: No
Storage Drive:
HASH:

Chain of Custody (Tracking No / Date and Time / From / To / Reason)
001  13/02/2012 11:00am
     From: Jeremy Guy / Example University
     To: AbdulHasib Osmani / DG Forensics Ltd
     Reason: Seizure of evidence
002  13/02/2012 12:10pm
     From: AbdulHasib Osmani / DG Forensics Ltd
     To: Sherlock Knomes / DG Forensics Ltd
     Reason: Store evidence in secured locker
003  17/02/2012 12:15pm
     From: Sherlock Knomes / DG Forensics Ltd
     To: AbdulHasib Osmani / DG Forensics Ltd
     Reason: Obtain evidence from locker to image them
004  13/02/2012 14:30
     From: AbdulHasib Osmani / DG Forensics Ltd
     To: Sherlock Knomes / DG Forensics Ltd
     Reason: Return the evidence to secured locker
Electronic Evidence Chain of Custody Form
Case No: #001-122011    Page 2 of 2
Investigating Organisation: DG Forensics Ltd.
Investigator: AbdulHasib Osmani
Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

Electronic Media/Computer Details
Item No: 002    Description: Storage object
Manufacturer: TDK    Model No: CD-R80CBA100-B    Serial No: B00067ID7O

Image Details
Date/Time: 17/02/2012 13:06
Created By: AbdulHasib Osmani
Method Used: Masterkey Linux
Image Name: RhinoEvidenceDisk
Segments: No
Storage Drive:
HASH:

Chain of Custody (Tracking No / Date and Time / From / To / Reason)
005  13/02/2012 11:00am
     From: Jeremy Guy / Example University
     To: AbdulHasib Osmani / DG Forensics Ltd
     Reason: Seizure of evidence
006  13/02/2012 12:11pm
     From: AbdulHasib Osmani / DG Forensics Ltd
     To: Sherlock Knomes / DG Forensics Ltd
     Reason: Store evidence in secured locker
007  17/02/2012 12:48pm
     From: Sherlock Knomes / DG Forensics Ltd
     To: AbdulHasib Osmani / DG Forensics Ltd
     Reason: Obtain evidence from locker to image them
008  13/02/2012 14:30
     From: AbdulHasib Osmani / DG Forensics Ltd
     To: Sherlock Knomes / DG Forensics Ltd
     Reason: Return the evidence to secured locker
Appendix A Crime Scene
Figure 1 Crime Scene
Figure 2 2GO 2GB USB memory stick
Figure 3 CD Case with article
Figure 4 Exploring Steganography: Seeing the unseen
Figure 5 Rear of the PC
Figure 6 No Hard Disk Drive (HDD)
Figure 7 TDK CD labelled Collection of papers, images.. P.
Figure 8 BIOS Settings
Figure 9 MD5 CD original evidence
Figure 10 MD5 CD image file
Figure 11 Write protection enabled
Figure 12 USB Memory stick image MD5 match

Appendix B Tools Used
1. VirtualBox (http://www.virtualbox.org/)
2. 7-Zip (http://www.7-zip.org/)
3. Adobe Reader (http://get.adobe.com/uk/reader/)
4. FTK 1.81.6 (http://www.accessdata.com/downloads.html)
5. Microsoft Word 2010 (http://office.microsoft.com/en-gb/word/)