COMPUTER FORENSICS
CSEB 554
ASSIGNMENT 7 (FORENSIC INVESTIGATOR)

GROUP MEMBERS (NO., NAME, ID NO.)
1. MUHAMMAD AQIL BIN TAJUDDIN, SW 090601
2. FAIZUL BIN BABA, SW 090716
3. NANI HARYATI BINTI, SW 089008
4. KARTHIGA A/P RAJANDRAN, SW 088907
5. KAVITHA A/P SANKAL, SW 088908
6. NIZAR MOHAMMED YAMANI
7. MOHD RIDZUWANN BIN CHE HALIM, SN 088999
8. MARHANUM BINTI MOHAMED, SW 090750
9. SITI HARYANI BINTI CHE AWANG, SW 090622
10. SITI MARIAM BINTI AB RAHIM, SW 090806

LECTURER: DR YUNUS BIN YUSOFF

FORENSIC SCENARIO

Denso Corporation is a global automotive components manufacturer headquartered in the city of Kariya, Aichi Prefecture, Japan. Denso Corporation consisted of 184 subsidiaries with a total of 132,276 employees. The company is known for developing and manufacturing various auto parts, including gasoline and diesel engine components, hybrid vehicle components, climate control systems, instrument clusters, air-bag systems, pre-crash radar systems and spark plugs. Denso also develops and manufactures non-automotive components such as household heating equipment, industrial robots and the QR Code.

Mr Henry is one of the staff working at the Denso plant based in Malaysia. He is 35 years old and holds the position of head of the finance department. He has full, privileged access to the company's private data.

Based on the data it evaluated, the audit department suspected that someone from the finance department was selling tender information to a competitor company.

After a closed meeting with the board of directors, a group of forensic investigators was hired to investigate the evidence and the suspected crime scene, which is Mr Henry's workstation at his office.

After the company lodged a report, and based on the facts stated and supported with valid reasons, the forensic team was able to obtain a search warrant to investigate the premises. After each member was assigned tasks, the investigation began.

EVIDENCES FOUND IN WORKPLACE

1. Samsung External DVD Writer
The person in charge could use it to copy and run suspicious software and to copy all of the company's important files, with the guarantee that the CD/DVD would not get stuck inside the PC, and he could produce the discs at the workplace without taking the data back to his house to do that.

2. TDS Meter (hold) HM Digital
It measures the degree of impurities and dissolved salts in drinking water. He would need it to hide sleeping pills dissolved in water, checking whether the meter showed anything different in the water or juice, without tasting it, before giving it to his teammates in the workplace so that he could steal freely.

3. Microsoft LifeCam VX-2000
It is a webcam that he could use to talk with buyers and deal over information from the workplace. He could also use it as a monitor to check who is near the office.

4. Rambo, Strontium-8GB, Cruzer Edge USB flash drive SanDisk and Imation CD-R
These are storage media on which the defendant could back up the company's secret information and information about its customers.

5. HP PC with its components
The defendant connected to the server, stole information about the company and its customers from the servers, and copied it onto the storage media.

TYPE OF EVIDENCE

1. Samsung External DVD Writer SE-S084, SE-S084C/RSBN, October 2009
2. Rambo 128 MB
3. TDS Meter (hold) HM Digital
4. Microsoft LifeCam VX-2000, Model: 1381, Made in China
5. Strontium-8GB, red color
6. Cruzer Edge USB flash drive SanDisk, blue color, 8GB, Made in China
7. HP Compaq Pro 6305 Small Form Factor, Windows® 7 Home Basic
8. Imation CD-R
9. HP Compaq Monitor - Hewlett Packard

SITUATION

2.50pm – search warrant
2.52pm – started taking pictures at the location
2.52pm – at location BW-4-L04, found evidence 7 and 9
2.55pm – found 1 located at the right of the keyboard and 4 located at the right side of the monitor
2.57pm – found 3 and 8 in the keyboard holder
2.58pm – found that 8 has a fingerprint
3.00pm – found 2 in the Nokia casing
3.04pm – verified that the mouse carries a fingerprint
3.05pm – verified the fingerprint on the power ON button of the CPU
3.06pm – verified that the network cable is still active
3.08pm – the PC was turned on and the last login is STUDENT\SN090321
3.12pm – finished investigation

EVIDENCE NO.1 - External DVD-RW Samsung

In line with the case we received from head management, we investigated the suspect's work location without the suspect knowing. The first evidence found by an investigator is a Samsung external rewritable DVD drive, model number SE-S084, with product serial number SE-S084C/RSBN, released from the factory in October 2009. This Samsung external DVD writer uses USB 2.0 and has a 6x maximum DVD+R DL and DVD-R DL write speed and an 8x maximum DVD+R and DVD-R write speed for fast disc burning. It also has 8x maximum DVD+RW and 6x maximum DVD-RW rewrite speeds to erase discs and write new data to them quickly. These capabilities would let the suspect write all the data to a CD-R quickly, without others knowing.

FIGURE 1.1: Samsung External DVD drive found by an investigator

We suspect that the suspect used this external rewritable DVD drive to burn all the private, confidential data onto the CD-R in evidence 8. We suspect he used the external DVD writer because he did not want to be caught through the computer's system log history showing that he had written data to a CD-R from the internal DVD writer. If the suspect used the external DVD writer, the log file on the system would record it only as a removable device.

EVIDENCE NO.2 - USB Flash Drive Rambo, EVIDENCE NO.5 - USB Flash Drive Strontium, EVIDENCE NO.6 - Cruzer Edge USB Flash Drive San Disk

On the suspect's table, we as computer forensic investigators found several pieces of evidence, including three different types of USB flash drive. The three USB flash drives have been labelled by number. Here is the list of USB flash drives that we found:

Evidence No.2: USB Flash Drive Rambo, size 128 MB
Evidence No.5: USB Flash Drive Strontium, size 8GB
Evidence No.6: Cruzer Edge USB Flash Drive San Disk

FIGURE 2.1: Evidence No.2: USB Flash Drive Rambo, size 128 MB
FIGURE 2.2: Evidence No.2: USB Flash Drive Rambo, size 128 MB
FIGURE 2.3: Evidence No.5: USB Flash Drive Strontium, size 8GB
FIGURE 2.4: Evidence No.5: USB Flash Drive Strontium, size 8GB
FIGURE 2.5: Evidence No.6: Cruzer Edge USB Flash Drive San Disk
FIGURE 2.6: Evidence No.6: Cruzer Edge USB Flash Drive San Disk

All this physical evidence may be connected to criminal activities. The suspect may have used the USB flash drives to sell tender information to the competitor company. As investigators at the scene, we cannot access the information inside the USB flash drives. Each item needs to be returned to its place as it was before we touched it to get more detail about the USB flash drive. Some of the USB flash drives carry extra information; some of them are just plain USB flash drives. Here is the information that we gathered from assessing the evidence on the suspect's table:

USB Flash Drive Strontium
- 8GB memory
- Red color

Cruzer Edge USB Flash Drive San Disk
- Blue color
- 8GB memory
- Made in China

USB Flash Drive Rambo
- 128 MB memory

We also cannot be sure that all the USB flash drives were connected to the PC on the suspect's table. The PC is an HP Compaq Pro 6305 Small Form Factor running Windows® 7 Home Basic. In our experience, the USB flash drives are compatible with the operating system that runs on that PC. This can be very useful evidence when the case is brought to court.

EVIDENCE NO. 3 – TDS Meter (Hold) HM Digital

FIGURE 3.1: Location of TDS Meter (Hold) HM Digital

The evidence, a TDS Meter (Hold) HM Digital, was found at the left side of the keyboard holder. The TDS meter was seized, sealed in a static bag and delivered to the forensic lab for further investigation.

FIGURE 3.2: TDS Meter (Hold) HM Digital
FIGURE 3.3: TDS Meter (Hold) HM Digital
FIGURE 3.4: TDS Meter (Hold) HM Digital

A Total Dissolved Solids (TDS) meter is used to calculate the total amount of mobile charged ions, including minerals, salts or metals, dissolved in a given volume of water, expressed in units of mg per unit volume of water (mg/L), also referred to as parts per million (ppm). TDS is related to the purity of water and the quality of water purification systems, and affects everything that consumes, lives in, or uses water, whether organic or inorganic, whether for better or for worse.

Assumption

The suspect might have used the TDS meter to detect the acidity of water that may cause corrosion that gradually eats away pipes, appliances, heaters, boilers and air-conditioning units. As Denso is an industry specialist in high-quality and technologically advanced automotive components, one of their products is car air-conditioning. The suspect must have been testing the acidity level of hard water in the air-conditioner and sending the results secretly to the competitor company as well.

EVIDENCE NO.4 - Microsoft LifeCam VX-2000, MODEL: 1381

FIGURE 4.1: Microsoft LifeCam VX-2000, model: 1381 (Front view)
FIGURE 4.2: Microsoft LifeCam VX-2000, model: 1381 (Description)

Product description

The Microsoft LifeCam VX-2000, model: 1381, is a Microsoft product that comes with little important or unique functionality of its own. Its dimensions are 2.50 inches in length, 1.81 inches in width and 0.92 inches in depth/height; it weighs 2.98 ounces and its cable is 72.0 inches long.

The product's interface is High-speed USB, compatible with the USB 2.0 specification. It supports Microsoft Windows 7, Windows Vista, and Windows XP with Service Pack 2 (excluding Windows XP 64-bit) as its operating system. To use this product, a PC must also fulfil some requirements: an Intel Pentium 4 3 GHz (dual core 1.8 GHz recommended), 1GB of RAM (2GB RAM recommended), 1.5 GB of hard drive space, Windows-compatible speakers or headphones, USB 1.1 and a few others. This Microsoft LifeCam VX-2000, model: 1381, is manufactured in the People's Republic of China (PRC). It is also quality certified with ISO 9001 and ISO 14001.

Item original position

FIGURE 4.3: Microsoft LifeCam VX-2000, model: 1381 (Original position - zoomed version)
FIGURE 4.4: Original scene view and the position of evidence number 4

- Location of this evidence: on the right-hand side of the PC.
- It is still in its packaging.
- Very good condition.

Item sealing and assumption

This evidence has also been sealed and brought back by the forensic investigators. Before starting the procedure, all of the investigators put on gloves to avoid leaving fingerprints. We took pictures of the whole scene before moving or touching any evidence. After taking pictures of the evidence, we placed the Microsoft LifeCam VX-2000 into an envelope and then into a forensically clean plastic bag. The evidence was then brought back to the investigation lab.

Criminals can use this webcam to communicate with outsiders and pass on all the company's information. Face-to-face communication is a simple way of transferring information and it can be done very fast. Even while they use the PC, they can keep the webcam switched on and minimize the tab, so they can also record any sort of information without anyone noticing.

EVIDENCE NO. 7 – PC, EVIDENCE NO. 9 HP Compaq Monitor - Hewlett Packard

FIGURE 7.1: HP Compaq Pro 6305 Small Form Factor PC
FIGURE 7.2: Screen, keyboard and mouse

The HP Compaq Pro 6305 Small Form Factor and its components (shown in figures 7.1 and 7.2) were the media used to connect to the servers in the server room of the Petronas company, and they are from Hewlett-Packard (HP).

With the AMD processor technology, advanced graphics and manageability, employees and the IT team are pleased. Customize your set up with multi-display support and loads of expansion options. Plus, your data has enhanced security with HP Client Security. With a long lifecycle and reliable warranty, even the boss is in a good mood. Deliver rich, effective presentations with stunning media-enhanced content on the affordably priced HP Compaq Pro 6305 Small Form Factor. Loaded with the AMD A-series processors, you'll also benefit from up to a 21 percent productivity gain. Browse the web and enjoy rich, smooth streaming webcast videos, trainings and video conferencing, thanks to the available AMD Accelerated File Converter. Avoid flipping back and forth between source documents and new files. Instead, multi-task by extending your view across multiple screens with a DisplayPort video output for multi-monitor support. Built-in intelligence makes things easier. Stay focused with less disruption, and let Bandwidth Manager prioritize critical applications. Run multiple applications smoothly and quickly with automatic system boosts from AMD Turbo Core 3.0 technology.

Specification:

CPU
  Family: AMD (Dual Core) A4
  Processor Number: 5300B
  CPU Speed: 3.4 GHz
  L2 Cache: 1 MB

Motherboard
  Chipset: AMD A75
  Integrated Network: Yes
  PCI Express Slot: 2 x PCI Express x16 (Low Profile), 1 x PCI Express x1 (Low Profile) Slots
  PCI 32 bit: 1 x Low Profile PCI Slots

Memory
  Memory Size: 4096 MB
  Memory Bus Speed: 1600 MHz
  Memory Type: DDR3 SDRAM
  Memory Slot: 4 x DIMM

Storage
  Total Hard Disk Size: 500 GB
  Number of Hard Disks: 1
  Hard Disk Size: 500 GB
  Hard Disk Speed: 7200 RPM
  Hard Disk Type: Serial ATA II (SATA 2.0) 3 Gbit/s
  Internal Expansion Bays: 1 x 3.5 inch
  External Expansion Bays: 1 x 3.5 inch, 1 x 5.25 inch

Graphics Card
  Video Card: AMD Radeon HD 7480D
  Graphics Form Factor: Dedicated

Optical Drive Type: DVD Writer Super Multi

Sound
  Sound Card: Realtek ALC221 codec (all ports are stereo)
  Audio Features: High Definition Audio

Interfaces/Ports
  VGA Port: 1 x 15-pin D-Sub
  Keyboard Port: 1 x PS/2
  Mouse Port: 1 x PS/2
  USB Ports: 4 x USB 3.0, 6 x USB 2.0
  Serial Ports: 1 x Serial Port
  RJ-45 Ports: 1 x RJ-45
  Microphone In Port: 1 x Microphone In
  Audio Line In Ports: 1 x Audio Line In
  Headphone Ports: 1 x Headphone Jack
  Audio Line Out Ports: 1 x Audio Line Out
  DisplayPort: 1 x DisplayPort

Media Adaptor
  Removable Flash Memory Adaptor: 22-in-1 Card Reader

Network
  Network Card: Broadcom NetXtreme BCM 5761
  Network Card Data Link Protocol: Gigabit Ethernet
  Network Card Speeds: 10/100/1000 Mbps
  Wired Network: Yes

Compliance
  Certifications: BFR/PVC-free

System
  Operating System: Windows® 7 Home Basic

Electrical
  Electrical Power Available: 240 W

Environmental
  Operating Humidity: 10 to 90 %

EVIDENCE NO. 8 – CD-R

FIGURE 8.1: Imation CD-R held by an investigator

Storage devices vary in size and the manner in which they store and retain data. First responders must understand that, regardless of their size or type, these devices may contain information that is valuable to an investigation or prosecution. Removable media are one kind of storage device available. Removable media are cartridges and disk-based data storage devices. They are typically used to store, archive, transfer, and transport data and other information. These devices help users share data, information, applications, and utilities among different computers and other devices. Floppy disks, Zip disks, Compact Discs (CD) and Digital Versatile Discs (DVD) are examples of removable media.

Figure 8.1 shows an Imation CD-R found at the crime scene. CD-R (Compact Disc-Recordable) is a digital optical disc storage format. A CD-R disc is a compact disc that can be written once and read arbitrarily many times. CD-R disks (CD-Rs) are readable by most plain CD readers, i.e., CD readers manufactured prior to the introduction of CD-R. This is an advantage over CD-RW, which can be re-written but cannot be played on many plain CD readers.

FIGURE 8.2: Evidence No. 8

Figure 8.2 shows the CD-R found in the keyboard holder. This evidence is labelled as number 8 and was found, suspiciously, in a location that appeared to hide the CD-R. The CD-R is of the Imation brand. Imation is a data storage producer with its headquarters in Oakdale, Minnesota, US. The CD-R has 700MB of data storage capacity. The CD-R might contain important data, as a burnt CD line was observed, which shows that the CD has data on it. The burnt CD line shows the boundary between used disc space (the inner side of the CD) and free disc space, which is on the outer side of the CD, as shown in figure 8.3.

FIGURE 8.3: Burnt CD line

Storage devices such as hard drives, external hard drives, removable media, thumb drives, and memory cards may contain information such as e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs that can be valuable evidence in an investigation or prosecution.