Coursework C

Date post: 06-Apr-2018
Upload: sibby-osmani
  • 8/2/2019 Coursework C

    1/30

    Page | 1

    Digital Forensics

    Dr. Qin Zhou

    Coursework C

    CASE #001-122011

    AbdulHasib Osmani


    Table of Contents

    ABSTRACT ... 3
    OVERVIEW ... 4
    1. Crime scene investigation ... 5
    2.1 Seizing evidence ... 5
    2.2 What evidence was found and seized from the crime scene ... 10
    2. Imaging the evidence ... 11
    2.1 Imaging the CD ... 11
    2.2 Imaging the USB Memory Stick ... 13
    3. Summary ... 14
    3.1 Log Book ... 14
    3.2 General Case Intake Form ... 15
    3.3 Chain of Custody ... 16
    Appendix A Crime Scene ... 18
    Appendix B Tools Used ... 30


    ABSTRACT

    I, AbdulHasib Osmani, a computer forensics analyst, was contacted by Example University in the Kingdom of Example Land (KEL) on the 2nd December 2011 regarding an incident which occurred in one of the University's laboratories. The incident was picked up by a network administrator who noticed some illegal rhino traffic and alerted the University's management. The network administrator linked this incident to a computer which is primarily used by a PhD student.

    I arrived at the scene where the alleged offence took place on the 13th February 2012 at 11:00 am to acquire any evidence which could help in the investigation. I took a series of photographs of the crime scene and then proceeded to seize the physical evidence and place it in anti-static bags and boxes; i.e. a CD, a CD case with a cover, and the desktop computer, monitor and its peripherals.

    After leaving the crime scene, I went to the laboratory and placed all the related evidence in protected evidence lockers.

    As part of the investigation, I made exact bit copies of the CD and USB memory stick which were seized from the crime scene. I used Masterkey Linux for the CD and AccessData FTK Imager for the USB memory stick.

    Thereafter, I computed MD5 checksums to confirm that I had made perfect copies of both pieces of evidence. This process needed to be carried out and observed properly to make the evidence valid in court.

    Throughout the procedure, I observed the chain of custody and kept a log of events, which is included in the report.


    OVERVIEW

    On the 2nd December 2011, I was contacted by Dr. Qin Zhou, a manager at Example University, regarding suspected unlawful usage of the University's equipment to facilitate the possession and distribution of pictures of unique rhinos.

    After discussing the matter with the University's management over the phone, I decided to take on the case and investigate this incident.

    The primary objective of this investigation is to establish whether the University's equipment was used to facilitate the possession and distribution of the unique rhino pictures in excess of the legal limit, which is 8.

    This report contains a complete analysis of the crime scene and the details of the digital media which was also acquired from the crime scene.

    The first chapter of the report covers the initial phase of the investigation, outlining what was found and what was seized from the scene of the crime. Pictures of the crime scene and evidence are also presented alongside a description of the items.

    The second chapter of the report explains the imaging procedures and how I went about making exact bit copies of the evidence seized.

    The final chapter of the report summarises the sequence of events and my findings, and the appendices contain the images, Chain of Custody, Case Intake Form and further information on the evidence obtained.


    1. Crime scene investigation

    2.1 Seizing evidence

    I arrived at the crime scene in lab room JAG18, situated in the Jaguar building in Example University, at 11am on the 13th February 2012. I was told by the head of the faculty, Dr. Qin Zhou, that the scene had been secured as soon as the alleged incident was discovered and access was closed to all personnel. Dr Zhou informed me that the computer was only used by the suspect, a PhD student. This suggests that the scene had been secured properly and that nobody else had entered the room, so there was no indication that any evidence had been tampered with since the suspect left.

    Firstly, I took photographs of the crime scene. There was an off-white Viglen Genie desktop PC, with a 15" TFT monitor and Compaq keyboard of the same colour and a black IBM mouse. (Figure 1)

    Figure 1 Crime Scene

    There was also a 2GO 2GB USB memory stick inserted in the front USB slot of the PC. (Figure 2)


    Figure 2 2GO USB Memory Stick

    Upon reviewing the area of the crime scene, I also discovered a CD case, with an

    article on steganography contained within it, but no CD. (Figure 3 & Figure 4)

    Figure 3 CD Case with article

    Figure 4 Exploring Steganography: Seeing the unseen


    Upon inspection of the rear of the PC, I realised there was only one screw holding the cover in place instead of two (Figure 5), which suggests that the cover had been removed and the hardware possibly tampered with.

    Figure 5 Rear of the PC. Only one screw at the bottom of the case is in place; the other screw at the top is missing.


    I decided to remove the side of the cover to see if the hardware inside had been

    tampered with and discovered that the hard disk drive had been removed. (Figure 6)

    Figure 6 No hard disk drive (HDD)

    After discovering that the HDD was removed, I put the cover back on and booted the

    computer to see if the CD was in the CD drive and to check the BIOS settings.

    I found that the CD was still in the CD drive. (Figure 7)

    Figure 7 TDK CD labelled Collection of papers, images.. P.


    I then checked the BIOS settings and established that the time on the BIOS was incorrect. It was ahead by about 1 hour and 10 minutes. (Figure 8)

    Figure 8 BIOS Settings

    Time is incorrect


    2.2 What evidence was found and seized from the crime scene

    (Evidence number / Item Description / Serial #)

    001) Viglen Genie Desktop PC / #21509852
    002) 15" TFT monitor / #21509843
    003) Compaq Keyboard
    004) Black IBM mouse
    005) 2GO 2GB USB Memory Stick / B000VZ4KIM
    006) TDK CD-R
    007) Power cables for PC and Monitor
    008) CD case with article on steganography


    2. Imaging the evidence

    My primary task upon returning to the lab was to remove the CD and USB Memory

    Stick from the evidence locker and image them.

    2.1 Imaging the CD

    I inserted the CD into a forensics workstation running Masterkey Linux. This distribution would allow me to create an exact bit copy of the CD.

    Once Masterkey Linux was running, the first thing I did was run fdisk -l to check whether the CD which needed to be imaged was present, which it was, as /dev/hdc.

    I then created a primary partition on the target drive (/dev/sdc) and added an NTFS file system to it using GParted.

    This created a new directory named /mnt/sdc1. I then made sure that the directory wasn't already mounted by running the mount command, and it wasn't.

    The next step was to mount the RhinoEvidenceDisk target partition for data acquisition. This was done with the shell command mount -t ntfs-3g /dev/sdc1 /mnt/sdc1, which mounted the drive successfully.

    After that, I changed directory to the target disk's mount point with cd /mnt/sdc1.

    I then ran md5sum /dev/hdc, which generated the MD5 hash of the original CD evidence: a675cf425ee43622d75b18e0528ad2c7.

    Figure 9 MD5 CD original evidence


    The next task was to image the original evidence CD (/dev/hdc) and save it to the target disk's NTFS partition (/mnt/sdc1) as an image file named RhinoEvidenceDisk.dd.

    Once that had completed, I checked that the image file existed by running ls -l /mnt/sdc1/, and it did.

    The final step was to compute an MD5 hash of the image created, to make sure that it is a perfect copy of the original evidence CD.

    The MD5 hash generated was a675cf425ee43622d75b18e0528ad2c7, exactly the same as the original.

    Figure 10 MD5 CD image file
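    The acquire-then-verify sequence of this chapter (bit copy with dd, md5sum of the source and of the image, compare, record the result) as a reusable script. This is an added example and not the report's own procedure; it assumes GNU or BusyBox dd and md5sum, and a block size that divides the source size exactly, which holds for any whole block device.

```sh
#!/bin/sh
# Added example, not the report's own script: bit copy with dd, then hash
# source and image and compare, the verification the report does by hand
# with md5sum on /dev/hdc and RhinoEvidenceDisk.dd. Every step is appended
# to a log file so the log book has timestamps and hashes to cite.

# Print the MD5 of a file or device, hash only.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SOURCE IMAGE LOGFILE
# Hashes both, logs them, returns 0 on a match and 1 on a mismatch.
verify_image() {
    src_hash=$(md5_of "$1")
    img_hash=$(md5_of "$2")
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    echo "$stamp source=$1 md5=$src_hash" >> "$3"
    echo "$stamp image=$2 md5=$img_hash" >> "$3"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "$stamp VERIFIED $2 matches $1" >> "$3"
        return 0
    fi
    echo "$stamp MISMATCH $2 does not match $1" >> "$3"
    return 1
}

# image_and_verify SOURCE IMAGE LOGFILE
# Acquires IMAGE from SOURCE with dd, then calls verify_image.
image_and_verify() {
    src="$1"; img="$2"; log="$3"

    # Never overwrite: an image that has already been hashed and logged
    # must not be silently replaced by a second run.
    if [ -e "$img" ]; then
        echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') ERROR $img exists, refusing" >> "$log"
        return 1
    fi

    # conv=noerror keeps reading past unreadable sectors and conv=sync pads
    # each short read with NULs so offsets stay aligned. bs=512 is the sector
    # size, so a block device is always a whole number of blocks; an input
    # whose size is not a multiple of bs would be padded and fail to verify.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1

    verify_image "$src" "$img" "$log"
}
```

    On the workstation described above the call would be image_and_verify /dev/hdc /mnt/sdc1/RhinoEvidenceDisk.dd /mnt/sdc1/acquisition.log; a non-zero exit means the image must not be treated as a true copy.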


    2.2 Imaging the USB Memory Stick

    Once I had completed imaging the CD, the next task was to do the same for the USB memory stick.

    Before I made an image file of the USB stick, I had to disable write access to the USB ports on the workstation, as this prevents any risk of the evidence on the memory stick being tampered with. This was done by editing the registry.

    Figure 11 Write protection enabled

    To image the USB stick, I used a tool named AccessData FTK Imager. The process of imaging the USB stick was not as long as it was for the CD.

    I simply created a new disk image from the physical drive the memory stick was inserted into, and the tool generated the MD5 hashes of both the original and the imaged data; they matched, as shown in Figure 12.

    Figure 12 USB Memory stick image MD5 match


    3. Summary

    3.1 Log Book

    Time   Event
    11:00  Arrived at Crime Scene
    11:02  Interviewed Dr. Qin Zhou to gain understanding of the crime scene and situation
    11:14  Took a picture of the front of the crime scene
    11:18  Took a picture of the rear of the Crime Scene
    11:19  Found CD case with steganography article
    11:25  Removed case to check inside PC, only 1 screw
    11:27  No hard drive installed in the PC
    11:30  Put the case back on the PC
    11:32  Switched PC on
    11:35  Removed inserted USB and bagged evidence in anti-static bag
    11:36  Found CD in CD drive, seized, bagged and tagged
    11:38  Checked BIOS Settings; recorded wrong time
    11:42  Switched machine off
    11:47  Left Crime Scene


    3.2 General Case Intake Form

    CASE INTAKE FORM

    Details of client
    Case#: #001-122011
    Company Name: DG Forensics Ltd.
    Address Line 1: 24 Dilly Dally Street
    Address Line 2: Betchley
    Town/City: Narnia
    Postcode: N4 8FR
    Phone: 0144 557 9996
    Inquiry date: 02/12/2011
    Report given in by: AbdulHasib Osmani

    Referral
    Name: Dr. Qin Zhou
    Company/Location: Example University / Kingdom of Example Land
    Plaintiff Name(s): Dr. Qin Zhou
    Defendant name(s): N/A
    Other Parties: N/A
    Client type: Plaintiff
    Case Type: Criminal
    Location: JAG 18, Example University, Kingdom of Example Land
    Date of incident: 02/12/2011


    3.3 Chain of Custody

    Electronic Evidence

    Chain of Custody Form

    Case No: #001-122011   Page 1 of 2
    Investigating Organisation: DG Forensics Ltd.
    Investigator: AbdulHasib Osmani
    Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

    Electronic Media/Computer Details
    Item No: 001   Description: Flash Memory
    Manufacturer: 2GO   Model No: M2G-PEN-2 0-2GB   Serial No: B000VZ4KIM

    Image Details
    Date/Time: 17/02/2012 12:26PM
    Created By: AbdulHasib Osmani
    Method Used: AccessData FTK Imager
    Image Name: USBMemoryStick
    Segments: No
    Storage Drive:   HASH:

    Chain of Custody

    Tracking No: 001
    Date/Time: 13/02/2012, 11:00am
    From (Name/Org): Jeremy Guy / Example University
    To (Name/Org): Abdulhasib Osmani / DG Forensics Ltd
    Reason: Seizure of evidence
    Signature:   Signature:

    Tracking No: 002
    Date/Time: 13/02/2012, 12:10pm
    From (Name/Org): Abdulhasib Osmani / DG Forensics Ltd
    To (Name/Org): Sherlock Knomes / DG Forensics Ltd
    Reason: Store evidence in secured locker
    Signature:   Signature:

    Tracking No: 003
    Date/Time: 17/02/2012, 12:15pm
    From (Name/Org): Sherlock Knomes / DG Forensics Ltd
    To (Name/Org): AbdulHasib Osmani / DG Forensics Ltd
    Reason: Obtain evidence from locker to image them
    Signature:   Signature:

    Tracking No: 004
    Date/Time: 13/02/2012, 14:30
    From (Name/Org): AbdulHasib Osmani / DG Forensics Ltd
    To (Name/Org): Sherlock Knomes / DG Forensics Ltd
    Reason: Return the evidence to secured locker
    Signature:   Signature:


    Electronic Evidence

    Chain of Custody Form

    Case No: #001-122011   Page 1 of 2
    Investigating Organisation: DG Forensics Ltd.
    Investigator: AbdulHasib Osmani
    Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

    Electronic Media/Computer Details
    Item No: 002   Description: Storage object
    Manufacturer: TDK   Model No: CD-R80CBA100-B   Serial No: B00067ID7O

    Image Details
    Date/Time: 17/02/2012 13:06
    Created By: AbdulHasib Osmani
    Method Used: Masterkey Linux
    Image Name: RhinoEvidenceDisk
    Segments: No
    Storage Drive:   HASH:

    Chain of Custody

    Tracking No: 005
    Date/Time: 13/02/2012, 11:00am
    From (Name/Org): Jeremy Guy / Example University
    To (Name/Org): Abdulhasib Osmani / DG Forensics Ltd
    Reason: Seizure of evidence
    Signature:   Signature:

    Tracking No: 006
    Date/Time: 13/02/2012, 12:11pm
    From (Name/Org): Abdulhasib Osmani / DG Forensics Ltd
    To (Name/Org): Sherlock Knomes / DG Forensics Ltd
    Reason: Store evidence in secured locker
    Signature:   Signature:

    Tracking No: 007
    Date/Time: 17/02/2012, 12:48pm
    From (Name/Org): Sherlock Knomes / DG Forensics Ltd
    To (Name/Org): AbdulHasib Osmani / DG Forensics Ltd
    Reason: Obtain evidence from locker to image them
    Signature:   Signature:

    Tracking No: 008
    Date/Time: 13/02/2012, 14:30
    From (Name/Org): AbdulHasib Osmani / DG Forensics Ltd
    To (Name/Org): Sherlock Knomes / DG Forensics Ltd
    Reason: Return the evidence to secured locker
    Signature:   Signature:


    Appendix A Crime Scene

    Figure 1 Crime Scene


    Figure 2 2GO 2GB USB memory stick


    Figure 3 CD Case with article


    Figure 4

    Exploring Steganography: Seeing the unseen


    Figure 5 Rear of the PC


    Figure 6 No Hard Disk Drive (HDD)


    Figure 7 TDK CD labelled Collection of papers, images.. P.


    Figure 8 BIOS Settings


    Figure 9 MD5 CD original evidence


    Figure 10 MD5 CD image file


    Figure 11 Write protection enabled


    Figure 12 USB Memory stick image MD5 match


    Appendix B Tools Used

    1. VirtualBox (http://www.virtualbox.org/)
    2. 7-Zip (http://www.7-zip.org/)
    3. Adobe Reader (http://get.adobe.com/uk/reader/)
    4. FTK 1.81.6 (http://www.accessdata.com/downloads.html)
    5. Microsoft Word 2010 (http://office.microsoft.com/en-gb/word/)

