CFR106 NTFS Assignment
October 5, 2014
CFR106: Understanding File Systems and Structures II
Odin Sec
Shorey Mangum
Phillip Rose
Current Version: 1

Version

Version Number | Date Modified | Modified By
1 | October 5, 2014 | Odin Sec

Case Overview

Don Richie, senior executive manager of a midsized company, has contacted the police regarding threats made against him and his family. The primary suspect at this time is Gary Stalker, a disgruntled ex-employee of Don Richie.

Evidence

The suspect’s hard drive is the sole piece of evidence at this time, but investigators suspect that it will be enough to obtain further incriminating proof of Mr. Stalker’s guilt.

Chain of Custody

Evidence Item | Date Accessed | Accessed By | Condition of Item | Special Note
Hard Drive | 9/29/2014 | Investigative Team | Reported Clean | Hard Drive imaged for further investigation
Hard Drive Image | 10/4/2014 | Odin Sec | Suspected untouched complete image of suspect’s hard drive | Investigation initiation

Initial Investigation

Upon receipt and verification of the hard drive image, Odin Sec began the investigation of the evidence using the computer forensics tool Autopsy. Opening the image in Autopsy for a simple overview and a cursory glance at the contents of the hard drive led the team to discover a number of objects of interest. The first item of interest to the case was a folder labeled “Revenge Folder.” This folder, located on the primary C: drive, contained a number of items of further interest. Located in this folder were three random pictures, “Apple Pie.bmp”, “Blue Hills.jpg”, and “Bunny.bmp.” Upon further investigation of this folder and its contents, one picture stands out as interesting. There are two seemingly identical images, “ChickShawarmaSandwich.jpg” and “secretsandwich.bmp.” The noteworthy thing about these two files, aside from their appearing to be the same image, is that “secretsandwich.bmp” is larger by 3 megabytes, which leads the team to believe that this image possibly contains hidden information. Using the steganography tool located on the suspect’s machine against the suspicious image file, Odin Sec was able to reverse the steganography process and recover the hidden text file. The text file “IKillYou” contained information about the location where the suspect could hide a potential murder weapon, notably the building where the suspect was previously employed.

Figure 1.1
Figure 1.2
Figure 1.3
Figure 1.4

Further investigation into the hard drive presented the team with information that the suspect was possibly trying to hide information.
Under the “Downloads” folder located at “C:\Documents and Settings\Gary Stalker\My Documents\Downloads” was an install file, “AESCrypt_v309_win32.zip.” AESCrypt was discovered to be free file encryption software, available on several different operating systems, that uses the industry-standard Advanced Encryption Standard to encrypt files (AES Crypt). Upon discovery of the install files for AESCrypt under the suspect’s Downloads folder, the Odin Sec team decided to investigate whether the program had been installed on the machine. AESCrypt was located on the target machine under “C:\Program Files\”, as was another program, “QuickStego.” Upon investigation, “QuickStego” was revealed to be a steganography tool. The presence of this tool, as well as the suspicious “secretsandwich.bmp”, led the team to posit that this image was in fact a file used for steganography.

Figure 1.5

Part of the investigation resulted in the discovery of evidence pertaining to a hidden partition, Win95 FAT32 Hidden (0x1c): 15993600-18092759.

Figure 1.6

Evidence Gathering

By utilizing Autopsy, the team was able to extract content for Devices Attached, which shows that the hard drive initially belonged to a virtual machine. System logs as well as the device ID pointed the team to the fact that the virtualization software belonged to VMWare Inc. Located on the target image was the commonly used program CCleaner, which is primarily used to “clean” a Windows PC, focusing on Registry and junk-cleaning utilities (CCleaner).

Figure 2.1
Figure 2.2

Recently accessed files and folders contained a few intriguing potential evidence items. “Don Riche Car – Cut the breaks ha ha.lnk” points to an image of the same name stored in the previously located “Revenge Folder”; its name suggests that this is an item of interest, potentially even providing evidence of an actual crime, possibly stored through steganography or within an encrypted container.
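The size comparison that first drew attention to “secretsandwich.bmp”, and the suggestion here that other Revenge Folder files may also be steganography carriers, can be checked against what a BMP file itself declares. The following Python script is an added example (standard library only, not part of the Odin Sec report and not code from QuickStego): it reads the BITMAPFILEHEADER and BITMAPINFOHEADER, computes how many bytes a picture of that geometry should occupy, and reports anything beyond that. The two sample images are constructed in memory; nothing is read from the case image.

```python
import struct
from dataclasses import dataclass


@dataclass
class BmpTriage:
    width: int
    height: int
    bits_per_pixel: int
    declared_size: int   # bfSize from the file header
    expected_size: int   # header + pixel array computed from the geometry
    actual_size: int     # bytes actually present
    trailing_bytes: int  # bytes beyond the end of the declared picture


def triage_bmp(data: bytes) -> BmpTriage:
    """Compare a BMP's header-declared size with its real length.

    The 14-byte BITMAPFILEHEADER carries the whole-file size (bfSize) and
    the offset of the pixel array; the 40-byte BITMAPINFOHEADER carries
    width, height and bits per pixel. Rows are padded to 4-byte multiples,
    so the expected size follows from those fields alone.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file: missing 'BM' signature or headers")
    # BITMAPFILEHEADER: 'BM'(2) bfSize(4) reserved(4) bfOffBits(4)
    declared_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    # BITMAPINFOHEADER: biSize(4) width(4) height(4) planes(2) bpp(2) ...
    width, height, _planes, bpp = struct.unpack_from("<iihH", data, 18)
    height = abs(height)  # a negative height only flips row order
    row_stride = ((width * bpp + 31) // 32) * 4
    expected = pixel_offset + row_stride * height
    return BmpTriage(width, height, bpp, declared_size, expected,
                     len(data), max(0, len(data) - expected))


def size_gap_is_suspicious(report: BmpTriage, threshold: int = 0) -> bool:
    """Flag a file whose on-disk length exceeds the picture it describes."""
    return report.trailing_bytes > threshold


def make_bmp(width: int, height: int, payload: bytes = b"") -> bytes:
    """Build a minimal all-black 24-bit BMP (constructed test data).

    `payload` is appended after the pixel array, which is how a naive
    append-style hider leaves the picture intact but the file longer.
    """
    row_stride = ((width * 24 + 31) // 32) * 4
    pixels = bytes(row_stride * height)
    pixel_offset = 14 + 40
    size = pixel_offset + len(pixels)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                              0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + payload


if __name__ == "__main__":
    # Constructed samples: a clean 4x2 image and the same image with a note appended.
    samples = {
        "clean.bmp": make_bmp(4, 2),
        "tampered.bmp": make_bmp(4, 2, payload=b"constructed hidden note, not from the case"),
    }
    for name, blob in samples.items():
        r = triage_bmp(blob)
        print(f"{name}: declared={r.declared_size} expected={r.expected_size} "
              f"actual={r.actual_size} trailing={r.trailing_bytes} "
              f"suspicious={size_gap_is_suspicious(r)}")
```

Two caveats the 3-megabyte argument leaves out. A BMP stores raw pixels, so it is always far larger than a JPEG of the same picture; a gap between the two formats is expected on its own, which is why this check compares the BMP with its own header rather than with the JPEG. Conversely, embedding that overwrites pixel bits in place leaves the declared and actual sizes equal and is invisible to this check; confirming that kind of hiding needs the tool itself or statistical analysis, which is effectively what the team did by running the steganography tool found on the machine.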
“prep-list – Don Richie.lnk” points to a txt document of the same name stored in the “Revenge Folder”, which is another possible steganography file or encrypted file possibly containing criminal evidence. “Don Richie gym.lnk” is a pointer to a file stored in the “Revenge Folder.” “Idea.txt” is a file located in the “Revenge Folder” that also has an “.aes” variant, which indicates that this file has been encrypted, most likely via AESCrypt.

Figure 2.3
Figure 2.4

Due to the presence of CCleaner and possible steganography, as well as encryption, there is a high chance that more in-depth investigative means are required to access these files. Due to the presence of CCleaner, the chances of recovering deleted files in a typical manner are lessened.

Web Traffic

Investigation of the web traffic of this machine revealed a number of possible evidence pieces. Four bookmarks stand out as important: “How to Kidnap Someone – What NOT to do!,” “How to Tie Someone up 6 Steps (with Pictures) – wikiHow.url,” “YOPmail – Disposable Email Address,” and “Top 10 Tips to Commit the Perfect Crime.” Those four bookmarks speak towards premeditation of illicit activity, specifically pointing to the intention of kidnapping and hostage taking. A cookie was found for “” which appears to be a site for cheap cell phone plans and cheap phones, potentially ideal for burner phones.

Figure 3.1
Figure 3.2

The suspect’s web history also presented a number of interesting links. The suspect was looking at articles on anti-computer forensics, hard drive erasure, steganography tools, and Tor usage evidence. There were also a number of websites visited for the conversion of ASCII to hex, as well as hashing information.

Web Pages of Evidential Interest

Figure 3.3

A website of very specific interest was that of a Google Maps location. “” points to a random location in Kansas that seems to be a somewhat ideal location for the disposal of evidence, particularly a body. It seems to be well isolated, and any evidence deposited there would be difficult to locate. The nature of this specific location, as well as the various other evidence pieces located, speaks towards a more nefarious purpose for the identification of this GPS point.

Figure 3.4
Figure 3.5
Figure 3.6

Resources

AES Crypt - Advanced File Encryption. (n.d.). Retrieved October 5, 2014.
Free Steganography Software by QuickCrypto. Hide secret text in pictures and images. (n.d.). Retrieved October 5, 2014.
CCleaner. (n.d.). Retrieved October 5, 2014.
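The hidden partition reported under Initial Investigation (Win95 FAT32 Hidden (0x1c): 15993600-18092759) is what Autopsy derives from the type byte of an entry in the MBR partition table. As an added example, not part of the original report, the following Python script (standard library only) parses the four 16-byte entries of a constructed MBR and flags the types that the standard MBR partition type table marks as hidden. It assumes a classic MBR (DOS) layout, as the Autopsy label implies; the sample layout reuses the sector range from the report and puts an assumed NTFS system partition in front of it, a value not taken from the case.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512

# Standard MBR type bytes for hidden FAT/NTFS partitions; 0x1c is the one
# Autopsy reported in this case. A hidden type describes the same file
# system as its visible counterpart, only with a different type byte.
HIDDEN_TYPES = {
    0x11: "Hidden FAT12",
    0x14: "Hidden FAT16 <32M",
    0x16: "Hidden FAT16",
    0x17: "Hidden HPFS/NTFS",
    0x1b: "Hidden Win95 FAT32",
    0x1c: "Hidden Win95 FAT32 (LBA)",
    0x1e: "Hidden Win95 FAT16 (LBA)",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES


def parse_mbr(sector0: bytes) -> List[PartitionEntry]:
    """Decode the four partition slots at offset 446 of an MBR sector.

    Each slot is status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4)
    sector-count(4); the CHS fields are skipped because LBA is what
    forensic tools (and this script) work from.
    """
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature 0x55AA at offset 510")
    entries = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i)
        if type_id == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return entries


def hidden_partitions(sector0: bytes) -> List[PartitionEntry]:
    """Return only the entries whose type byte marks them hidden."""
    return [p for p in parse_mbr(sector0) if p.hidden]


def build_mbr(layout: List[Tuple[int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from (type_id, start_lba, count) tuples.
    Constructed test data; boot code is left as zeros."""
    sector = bytearray(SECTOR_SIZE)
    for i, (type_id, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, 0x00, type_id, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


SAMPLE_LAYOUT = [
    (0x07, 63, 15993537),       # assumed NTFS system partition, sectors 63-15993599 (not from the report)
    (0x1c, 15993600, 2099160),  # sectors 15993600-18092759, the 0x1c range Autopsy reported
]

if __name__ == "__main__":
    sector0 = build_mbr(SAMPLE_LAYOUT)
    for p in parse_mbr(sector0):
        label = HIDDEN_TYPES.get(p.type_id, f"type 0x{p.type_id:02x}")
        flag = "HIDDEN" if p.hidden else "visible"
        print(f"entry {p.index}: {label:26s} sectors {p.start_lba}-{p.end_lba} "
              f"byte offset {p.start_lba * SECTOR_SIZE} [{flag}]")
```

The byte offset printed for each entry is what you would hand to an image-carving or file system tool to open that partition directly; the hidden flag is purely a type-byte label, so the partition's contents are examined exactly as an ordinary FAT32 volume would be, which is how Autopsy presented it in this case.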