10137743 Computer Forensics Assignment 2
Computer Forensics CSG4106
Amit Sharma, 10137743, Master of Computer and Network Security
10137743, Amit Sharma
2010
Computer Forensics CSG4106, Assignment 2
Submitted to: Peter Hannay, Krishnun
Contents
Executive Summary
Tools Used For Analysing the Image
Chain of Custody
Running Sheet
End of Part 1 (Running Sheet)
Report on Findings
  All evidence images searched and collected from C:\
  All findings of .bmp images under C:/
  All findings of .gif images under C:/
  All findings of .jpg images under C:/
  All findings for the .mp4 video file under C:/
  All findings for the .doc files under C:/
  All findings for the .rar files under C:/
  All findings for the .zip files under C:/
  All findings for the .exe files under C:/
  All findings for the .htm files under C:/
End of Report Findings
Investigation Process
Investigation Findings
Conclusion
Executive Summary
The objective of this report is to describe the procedures and methods used in the forensic examination of the supplied image, Assignment2.dd. The main task is to find images of meerkats, which are strictly forbidden.
We were contacted by a corporate client who asked us to examine an image they made of an employee's computer system. The employee is suspected of accessing images of meerkats, which are strictly prohibited under the terms of use the employee signed and which may be against the law in the relevant jurisdiction.
We assume that the seizure was performed properly on site and that all relevant procedures were followed. We also assume that CAINE was already installed in VMware, with all its tools, on the host1 computer used to examine Assignment2.dd. All examination was carried out in the CAINE virtual machine.
All examination was carried out by Amit Sharma on 2010-05-18. The image was downloaded from Edith Cowan University (ECU, Mt Lawley) onto a university computer. The downloaded image was named Assignment2, and all examination was performed on that image. Examination of Assignment2 recovered various images, including images of meerkats, document files, MP4 and AVI video files and zip files. Hash functions were used throughout to check that every recovered file remained unchanged and to preserve its integrity.
This document is divided into two parts:
Part 1, the running sheet, which includes the chain of custody, the log of events, and what was done, how and where, during the forensic examination.
Part 2, the findings (images, document files and videos).
Tools Used For Analysing the Image
Forensic OS: CAINE 4.03
Forensic software: Autopsy, SDDUMPER
Virtual machine: VMware 3.0.1
Hardware used: Lenovo S10e
RAM: 1 GB
Hard disk: 40 GB
Processor: 1.60 GHz
Host operating system: Microsoft Windows XP Home Edition with Service Pack 3, Version 2002
Documenting application: Microsoft Word 2007
Other hardware used: Kingston 8 GB USB 2.0 thumb drive
Functions used to check integrity: MD5, SHA1
Chain of Custody
Submitting Activity
Evidence description: Employee has been suspected of accessing images of meerkats, which are strictly forbidden.
Evidence collected from: Peter Hannay (head of the investigation)
Evidence collected by: Amit Sharma (investigator)
Name of the case: Assgnmnt2
Email of the investigator: [email protected]
Location image obtained from: Edith Cowan University, Blackboard
Accessed at: ECU, Forensic Lab
Name of the image: Assignment2.dd
Date started: 2010-04-20
Time: 5:17:24 PM
Name of person collecting report: Peter Hannay and Krishnun
For Forensics Department Only
Chain of Custody Continued
Finish date & time: 2010-04-23, 5:35 PM
Document released by: Amit Sharma, Mr (initial A)
Document received by: Peter Hannay, Mr (initial P)
Purpose of chain of custody: To record all the relevant information related to the forensic investigation.
Final disposal action:
Witness of evidence: The document listed above was made by the evidence custodian, in my presence, on the date indicated above.
Name, Title / Initial / Name as signature
Vikas Sharma, Mr / I
Srinivas Reddy, Mr / S
I, AMIT SHARMA, hereby declare that the above information is correct to the best of my knowledge and belief.
Amit Sharma
10137743
Running Sheet: Log of Events
Sheet Number 1
Date & Day 20-04-2010, Tuesday
Date | Time | Action | Motive behind taking action | Action taken by | Signature
20-April-10
5:17:24 PM
Download Assignment2.dd image file from ECU website i.e.
https://software.scss.ecu.edu.au/units/CSG2305/Assignment2/dd/
To start the investigation and to analyse the given image.
Amit A
20-April-10
5:52:13 PM
Hash function is used on the image i.e. Assignment2.dd
MD5 - 0c776f7c1ef092cdb9465fde80f4ea86
SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53
To maintain the integrity of the image.
Amit A
20-May-10
5:55:20 PM
Create folder named ‘investigation’ in the caine. To save the Assignment2.dd file in the folder.
Amit A
20-May-10
5:58:36 PM
Mount the image and copy Assignment2.dd image file to virtual machine i.e. VMware, Caine
mount /dev/sdc1 Assignment2
To start mounting and analysing the files from the Assignment2.dd
Amit A
20-May-10
6:03:07 PM
Again, hash function is used on the copied image in the virtual machine.
MD5 - 0c776f7c1ef092cdb9465fde80f4ea86
SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53
Both hash values are the same. Integrity maintained.
To check that Assignment2.dd was not compromised while copying into the virtual machine.
Amit A
20-May-10
6:05:52 PM
Start Autopsy To browse the image in the autopsy.
Amit A
20-May-10
6:06:11 PM
Open new case in the Autopsy named Assgnmnt2.
Giving the name of the case for investigating.
Amit A
20-May-10
6:06:24 PM
Add host in the autopsy named host1. Name of the computer
Amit A
20-May-10
6:08:11 PM
Browsed the image ‘Assignment2.dd’ add it into the autopsy.
To know the path of the image and linked it with autopsy.
Amit A
20-May-10
6:10:34 PM
Rehash the browsed image in the autopsy. Same hash value. Integrity maintained.
To maintain the integrity.
Amit A
20-May-10
6:13:22 PM
Closed autopsy. To save the image file and can be opened next time to start analysing the images.
Amit A
20-May-10
6:19:14 PM
Unmount the image.
To close Autopsy and keep the image file in its original state.
Sheet Number 2
Date & Day 22-04-2010, Thursday
Date | Time | Action | Motive behind taking action | Action taken by | Signature
22-April-10
9:17:54 AM
Start caine, mount the image again and start autopsy.
To start analysing the image.
Amit A
22-April-10
9:19:24 AM
Choose "Sort files by type" from the analysis menu in Autopsy.
To identify the files and images by type.
Amit A
22-April-10
9:20:12 AM
Open the output directory under autopsy. All the identified files can be viewed under the given path i.e.
“/var/lib/autopsy/Meerkat_Investigation/host1/output/sorter-vol1/index.html”
To check the identified files
Amit A
22-April-10
9:20:44 AM
Open File Analysis. It is used to examine files, including deleted files, and to recover them.
Amit A
22-April-10
9:21:14 AM
Search for file types such as .jpeg, .gif, .bmp, .doc, etc.
To check whether any meerkat images are present.
Amit A
22-April-10
9:24:33 AM
Typed “.gif” in the file name search to find any file or document whose extension is .gif.
To find and examine all .gif file and images.
Amit A
22-April-10
9:25:25 AM
One image found named "jewel.gif"
Used hash function on it
MD5 - bbdc61bcb09b70a92e2421aa3097afa7
SHA1 - f395a98bd52754562f1b513298e3547e6566baed
To maintain the integrity of the found image i.e. jewel.gif.
Amit A
22-April-10
9:28:53 AM
Typed “.bmp” in the file name search to find any file or document whose extension is .bmp.
To find and examine all .bmp file and images.
Amit A
22-April-10
9:29:17 AM
One image found named “Internet_Explorer_Wallpaper.bmp”
Used hash function on it
MD5 - 228f497c6e699de6df00387715441a1f
SHA1 - 717f06bdd84a687a4d015b25da8d1b1cd84d48c4
To maintain the integrity of the found image i.e. “15348-CHANGENAME_Internet_Explorer_Wallpaper.bmp”.
Amit A
22- April -10
9:30:31 AM
Typed “.jpeg” in the file name search to find any file or document whose extension is .jpeg.
To find and examine all .jpeg file and images.
Amit A
22- April -10
9:37:44 AM
Image found named “180px-Meerkats_foraging[1].jpg”
Used hash function on it
MD5 - d7276adb4dde8b90d853a7a886f97491
SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8
To maintain the integrity of the found image i.e. 180px-Meerkats_foraging[1].jpg.
Amit A
22- April-10
9:42:20 AM
Image found named “180px-Suricata[1].jpg”
Used hash function on it
MD5 - 1fc5c6d96f9994979498d0adb53de2c5
SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97
To maintain the integrity of the found image i.e. 180px-Suricata[1].jpg.
Amit A
22- April -10
9:50:59 AM
Image found named “GetAttachment[1].jpg”
Used hash function on it
MD5 - 1fc5c6d96f9994979498d0adb53de2c5
SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97
To maintain the integrity of the found image i.e. GetAttachment[1].jpg.
Amit A
22- April -10
10:02:04 AM
Image found named “images[1].jpg”
Used hash function on it
MD5 - 3d98cd156195e02c58f4ce238689120b
SHA1 - 76afa691556abed61c25651c896943d2e279a7ab
To maintain the integrity of the found image i.e. images[1].jpg.
Amit A
22- April -10
10:07:41 AM
Image found named “250px Suricata.suricatta.6861[1].jpg”
Hash function used on it
MD5 - 4535e831ae839dcedfd6360d5dbdf6fd
SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6
To maintain the integrity of the found image i.e. 250px Suricata.suricatta.6861[1].jpg
Amit A
22- April -10
10:09:22 AM
Image found named "meerkats53[1].jpg"
Hash function used on it
MD5 - 0f1984f5d17741e513b1bd5449fe076c
SHA1 - 1109b6d97e4c340744e7158de34b1f2fc9e65bef
To maintain the integrity of the found image i.e. meerkats53[1].jpg
Amit A
22- April -10
10:18:24 AM
Image found named “180px-Meerkats_foraging.JPG”
Hash function used on it
MD5 - d7276adb4dde8b90d853a7a886f97491
SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8
To maintain the integrity of the found image i.e. 180px-Meerkats_foraging.JPG
Amit A
22- April -10
10:23:11 AM
Image found named “180px-Suricata.jpg”
Hash function used on it
MD5 - 4535e831ae839dcedfd6360d5dbdf6fd
SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6
To maintain the integrity of the found image i.e. 180px-Suricata.jpg
Amit A
22- April -10
10:26:24 AM
Image found named “250px-Suricata.jpg”
Hash function used on it
MD5 - 4535e831ae839dcedfd6360d5dbdf6fd
SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6
To maintain the integrity of the found image i.e. 250px-Suricata.jpg
Amit A
22- April -10
10:44:00AM
Image found named “meerkats-6.jpg”
Hash function used on it
MD5 - 08caf56c034c44487a60305cd71bdf6b
SHA1 - 849ff18b9a173455e5713bcf1719967592045c11
To maintain the integrity of the found image i.e. meerkats-6.jpg
Amit A
22- April -10
10:51:46 AM
Image found named “Loopy.jpg”
Hash function used on it
MD5 - 7921a439afdf3385bca2bd46fa0dadc9
SHA1 - ac5e6412a42e4a05306c4a247ca6f68a5462642a
To maintain the integrity of the found image i.e. Loopy.jpg
Amit A
22- April -10
11:01:04 AM
Typed “.zip” in the file name search to find any file or document whose extension is .zip.
To find and examine all .zip file and images.
Amit A
22- April -10
11:05:20 AM
File found named “Data.zip” which contains pictures of meerkats.
Hash function used on it
MD5 - da68930452efa3758db386ff380f990a
SHA1 - 27a5460741ab235f8d86644ea9914a8d5c7eadb6
To maintain the integrity of the found image file i.e. Data.zip
Amit A
22- April -10
11:13:39 AM
Image found named “Meerkats 09.jpg”
Hash function used on it
MD5 - e9a9fa7a8f32111ec0e5385c47e099a8
SHA1 - 2cf93dddb97b6cec123c5c5d7be55edb04634cc7
To maintain the integrity of the found image file i.e. Meerkats 09.jpg
Amit A
22- April -10
11:15:51 AM
Image found named “Meerkats-8.jpg”
Hash function used on it
MD5 - 889cdb2d2e952e7d481321a41222dea6
SHA1 - 2109aba9a0c807af9591d52c9a9e15d64e43828b
To maintain the integrity of the found image file i.e. Meerkats-8.jpg
Amit A
22- April -10
11:29:14 AM
Image found named “meerkats.jpg”
Hash function used on it
MD5 - 17510ee5a8df2eb5dc8e3d5141edc34d
SHA1 - 64b318255009d5e964cf0cfb999d1e9dc8514999
To maintain the integrity of the found image file i.e. meerkats.jpg
Amit A
22- April -10
11:41:37 AM
Typed “.mp4” in the file name search to find any file or document whose extension is .mp4.
To find and examine all .mp4 file and images.
Amit A
22- April -10
11:52:32 AM
Video file found named “60d80dd5032499bd4.mp4”
Hash Function used on it
MD5 - fdfb448514f5ed679951aee278ddae0d
SHA1 - c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217
To maintain the integrity of the found mp4 video file i.e. 60d80dd5032499bd4.mp4
Amit A
22- April -10
12:17:23 PM
Closed autopsy. To save the image file and can be opened next time to start analysing the images.
Amit A
22- April -10
12:19:08 PM
Unmount the images To maintain the image file in the original state
Amit A
22- April -10
12:20:26 PM
Rehash the Image to maintain the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
To compare the hash value with the original image to check integrity of the image.
Sheet Number 3
Date & Day 25-04-2010, Sunday
Date | Time | Action | Motive behind taking action | Action taken by | Signature
23- April -10
9:19:04 PM
Start caine, mount the image. To start analysing the image.
Amit A
23- April -10
9:20:21 PM
Hash the images again to check the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
To compare the hash value with the original image to check integrity of the image.
Amit A
23- April -10
9:20:57 PM
Start autopsy To analyse the image again.
Amit A
23- April -10
9:26:56 PM
Typed “.rar” in the file name search to find any file or document whose extension is .rar.
To find and examine all .rar file and images.
Amit A
23- April -10
9:27:44 PM
File found named “Mystery.rar”
Hash function used on it
MD5: 056c1a5d3f9d3b9e26064587000a28ca
SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620
To maintain the integrity of the found file i.e. Mystery.rar
Amit A
23- April -10
9:33:44 PM
Image found named “meerkats_1024-8.jpg”
Hash function used on it
MD5 - 511d2036c3ad7aa66d82596c30cfa3a7
SHA1 - 11d2036c3ad7aa66d82596c30cfa3a7
To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg
Amit A
23- April -10
9:40:44 PM
Image found named “meerkats_13sfw.jpg”
Hash function used on it
MD5 - d60a937985cc63d2806a99d33ca252c2
SHA1 - 1ce064b8352ee2596000a08085ece08223b6e399
To maintain the integrity of the found image file i.e. meerkats_13sfw.jpg
Amit A
23- April -10
9:44:17 PM
Image found named “meerkats_1024-8.jpg”
Hash function used on it
MD5 - ea2c53f3ddae1e8816d2f1d0b91776ae
SHA1 - 25ef4820224699f6a33e2a38d41ba0fb2a9cf620
To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg
Amit A
23- April -10
9:47:14 PM
Typed “.htm” in the file name search to find any file or document whose extension is .htm.
To find and examine all .htm file and images.
Amit A
23- April -10
9:53:06 PM
File found named “Dc5.htm”
Hash function used on it
MD5 - 7424d54a59969623d2498633ea1c0687
SHA1 - da6fd25750279ec316bf0aa4d1ead3b263e9771c
To maintain the integrity of the found file i.e. Dc5.htm
Amit A
23- April -10
10:10:24 PM
Typed “.exe” in the file name search to find any file or document whose extension is .exe.
To find and examine all .exe files.
Amit A
23- April -10
10:13:51 PM
File found named “Bo2k.exe”. Hash function used on it
MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f
SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63
To maintain the integrity of the found executable file i.e. Bo2k.exe
Amit A
23- April -10
10:15:02 PM
Typed “.doc” in the file name search to find any file or document whose extension is .doc.
To find and examine all .doc file and images.
Amit A
23- April -10
10:20:47 PM
File found named “arrow.doc”
Hash function used on it
MD5 - 58def2449ed44b627b527b53ad42cf25
SHA1 - eb0fb202c87b2cfb1200d6f66499a09592c1ed1b
To maintain the integrity of the found document file i.e. arrow.doc
Amit A
23- April -10
10:27:29 PM
File found named “EBook 0Z 02.doc”
Hash function used on it
MD5 - 5a4b3c21d3f6eb8d349a87229aae14c2
SHA1 - cfd9e0c7d7a6704afad7a842aba4df52b92d05d0
To maintain the integrity of the found document file i.e. EBook 0Z 02.doc
Amit A
23- April -10
10:33:19 PM
File found named “meerkats in EBook of The Prince.doc”
Hash function used on it
MD5 - fa836b1b27514a4805c5e551398b17e4
SHA1 - d1e69f0962044748bc487b1b0ebc5104838512c7
To maintain the integrity of the found document file i.e. meerkats in EBook of The Prince.doc
Amit A
23- April -10
10:47:54 PM
Closed autopsy. To save the image file and can be opened next time to start analysing the images.
Amit A
23- April -10
10:50:34PM
Unmount the images To maintain the image file in the original state
Amit A
23-April-10
10:58:04 PM
Rehash the image to maintain the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
To compare the hash value with the original image to check the integrity of the image.
End of Part 1 (Running Sheet)
Report on Findings
The aim of this part of the report is to describe all findings from the image Assignment2.dd made during the forensic examination. The main task is to find images of meerkats, which are against the law and which the employee is suspected of accessing.
On 2010-04-22 the Assignment2.dd image file was downloaded from Edith Cowan University to begin the investigation for meerkat images. All examination was done in the CAINE virtual machine under VMware, with Autopsy as the forensic software.
All evidence images searched and collected from C:\
All findings of .bmp images under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the image, a thumbnail not reproduced here; name of the image; sign.)

Path: C:/Documents and Settings/Administrator/Application Data/Microsoft/Internet Explorer/Internet Explorer Wallpaper.bmp
MD5: 228f497c6e699de6df00387715441a1f
SHA1: 717f06bdd84a687a4d015b25da8d1b1cd84d48c4
Written: 2008-05-01 11:53:49 (WST)
Accessed: 2008-05-01 11:53:49 (WST)
Name: Internet Explorer Wallpaper.bmp
Sign: A
All findings of .gif images under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the image, a thumbnail not reproduced here; name of the image; sign.)

Path: C:/WINDOWS/jewel.gif
MD5: bbdc61bcb09b70a92e2421aa3097afa7
SHA1: f395a98bd52754562f1b513298e3547e6566baed
Written: 2008-04-30 18:52:38 (WST)
Accessed: 2008-05-01 12:12:36 (WST)
Name: jewel.gif
Sign: A
All findings of .jpg images under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the image, a thumbnail not reproduced here; name of the image; sign.)

Path: C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/2VUHUZWD/180px-Meerkats_foraging[1].jpg
MD5: d7276adb4dde8b90d853a7a886f97491
SHA1: 0ca079eca141053f78652dcfc5fe5802138171d8
Written: 2008-04-30 14:25:05 (WST)
Accessed: 2008-04-30 14:25:05 (WST)
Name: 180px-Meerkats_foraging[1].jpg
Sign: A

Path: C:/WINDOWS/Loopy.jpg
MD5: 7921a439afdf3385bca2bd46fa0dadc9
SHA1: ac5e6412a42e4a05306c4a247ca6f68a5462642a
Written: 2008-04-30 18:54:06 (WST)
Accessed: 2008-05-01 12:12:45 (WST)
Name: Loopy.jpg
Sign: A

Path: C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/250px-Suricata.jpg
MD5: 4535e831ae839dcedfd6360d5dbdf6fd
SHA1: fa21977697c91c5fdabd9d33934563ed766eede6
Written: 2008-04-30 18:58:52 (WST)
Accessed: 2008-05-01 12:18:58 (WST)
Name: 250px-Suricata.jpg
Sign: A

Path: C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/180px-Suricata.jpg
MD5: 4535e831ae839dcedfd6360d5dbdf6fd
SHA1: fa21977697c91c5fdabd9d33934563ed766eede6
Written: 2008-04-30 18:58:52 (WST)
Accessed: 2008-05-01 12:18:58 (WST)
Name: 180px-Suricata.jpg
Sign: A

Path: C:/WINDOWS/RegisteredPackages/{89820200-ECBD-11cf-8B85-00AA005B4383}/ieex/meerkats-6.jpg
MD5: 08caf56c034c44487a60305cd71bdf6b
SHA1: 849ff18b9a173455e5713bcf1719967592045c11
Written: 2008-04-30 18:54:32 (WST)
Accessed: 2008-05-01 12:05:24 (WST)
Name: meerkats-6.jpg
Sign: A

Path: C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/EZ2RGJIN/meerkats53[1].jpg
MD5: 0f1984f5d17741e513b1bd5449fe076c
SHA1: 1109b6d97e4c340744e7158de34b1f2fc9e65bef
Written: 2008-05-01 11:53:43 (WST)
Accessed: 2008-05-01 11:53:43 (WST)
Name: meerkats53[1].jpg
Sign: A

Path: C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/images[1].jpg
MD5: 3d98cd156195e02c58f4ce238689120b
SHA1: 76afa691556abed61c25651c896943d2e279a7ab
Written: 2008-05-01 11:55:39 (WST)
Accessed: 2008-05-01 11:55:39 (WST)
Name: images[1].jpg
Sign: A

Path: C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/250px Suricata.suricatta.6861[1].jpg
MD5: 4535e831ae839dcedfd6360d5dbdf6fd
SHA1: fa21977697c91c5fdabd9d33934563ed766eede6
Written: 2008-04-30 14:25:05 (WST)
Accessed: 2008-04-30 14:25:05 (WST)
Name: 250px Suricata.suricatta.6861[1].jpg
Sign: A

Path: C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/GetAttachment[1].jpg
MD5: 2463a4c4668748d3e5176a2da1bb8d87
SHA1: fbf5fa1e871b380d21d98c573d42148786af5ba7
Written: 2008-05-01 11:52:21 (WST)
Accessed: 2008-05-01 11:52:21 (WST)
Name: GetAttachment[1].jpg
Sign: A
All findings for the .mp4 video file under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the file, a frame not reproduced here; name of the video; sign.)

Path: C:/WINDOWS/system32/60d80dd5032499bd4.mp4
MD5: fdfb448514f5ed679951aee278ddae0d
SHA1: c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217
Written: 2008-04-30 18:58:32 (WST)
Accessed: 2008-05-01 12:11:30 (WST)
Name: 60d80dd5032499bd4.mp4
Sign: A
All findings for the .doc files under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the image in the document, not reproduced here; name of the document; sign.)

Path: C:/Documents and Settings/Administrator/My Documents/EBook of the Prince.doc
MD5: fa836b1b27514a4805c5e551398b17e4
SHA1: d1e69f0962044748bc487b1b0ebc5104838512c7
Written: 2008-04-30 19:03:44 (WST)
Accessed: 2008-05-01 12:07:38 (WST)
Name: EBook of the Prince.doc
Sign: A

Path: C:/Documents and Settings/Administrator/My Documents/arrow.doc
MD5: 58def2449ed44b627b527b53ad42cf25
SHA1: eb0fb202c87b2cfb1200d6f66499a09592c1ed1b
Written: 2008-04-30 18:53:56 (WST)
Accessed: 2008-05-01 12:07:38 (WST)
Name: Arrow.doc
Sign: A

Path: C:/Documents and Settings/Administrator/My Documents/EBook OZ 02.doc
MD5: 5a4b3c21d3f6eb8d349a87229aae14c2
SHA1: cfd9e0c7d7a6704afad7a842aba4df52b92d05d0
Written: 2008-04-30 19:03:44 (WST)
Accessed: 2008-05-01 12:07:38 (WST)
Name: EBook 0Z 02.doc
Sign: A
All findings for the .rar files under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the file; name of the file; sign.)

Path: C:/Program Files/uTorrent/Mystery.rar
MD5: 056c1a5d3f9d3b9e26064587000a28ca
SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620
Written: 2008-04-30 20:52:12 (WST)
Accessed: 2008-05-01 12:18:45 (WST)
Output: No image
Name: Mystery.rar
Sign: A
All findings for the .zip files under C:/ (files contained in the Data.zip and Mystery.rar archives)
(Columns: directory path; MD5 and SHA1; written; accessed; output of the file, a thumbnail not reproduced here; name of the file; sign.)

Path: C:/Program Files/uTorrent/Mystery.rar/meerkats_1024-8.jpg
MD5: 511d2036c3ad7aa66d82596c30cfa3a7
SHA1: 61fe4c9f5630ab1e5853b74af046363ed1e9d003
Written: 2008-04-30 20:52:12 (WST)
Accessed: 2008-05-01 12:18:45 (WST)
Name: meerkats_1024-8.jpg
Sign: A

Path: C:/Program Files/uTorrent/Mystery.rar/meerkats_1sfw.jpg
MD5: ea2c53f3ddae1e8816d2f1d0b91776ae
SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620
Written: 2008-04-30 20:52:12 (WST)
Accessed: 2008-05-01 12:18:45 (WST)
Name: meerkats_1sfw.jpg
Sign: A

Path: C:/Personal/Data.zip/Meerkats 09.jpg
MD5: e9a9fa7a8f32111ec0e5385c47e099a8
SHA1: 2cf93dddb97b6cec123c5c5d7be55edb04634cc7
Written: 2008-04-30 21:01:50 (WST)
Accessed: 2008-05-01 12:10:36 (WST)
Name: Meerkats 09.jpg
Sign: A

Path: C:/Personal/Data.zip/Meerkats-8.jpg
MD5: 889cdb2d2e952e7d481321a41222dea6
SHA1: 2109aba9a0c807af9591d52c9a9e15d64e43828b
Written: 2008-04-30 21:01:50 (WST)
Accessed: 2008-05-01 12:10:36 (WST)
Name: Meerkats-8.jpg
Sign: A

Path: C:/Program Files/uTorrent/Mystery.rar/meerkats_13sfw.jpg
MD5: d60a937985cc63d2806a99d33ca252c2
SHA1: 1ce064b8352ee2596000a08085ece08223b6e399
Written: 2008-04-30 20:52:12 (WST)
Accessed: 2008-05-01 12:18:45 (WST)
Name: meerkats_13sfw.jpg
Sign: A
All findings for the .exe files under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the file; name of the executable file; sign.)

Path: C:/Documents and Settings/Administrator/Desktop/to install/Bo2k.exe
MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f
SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63
Written: 2008-04-30 18:52:54 (WST)
Accessed: 2008-05-01 12:09:09 (WST)
Name: Bo2k.exe
Sign: A
All findings for the .htm files under C:/
(Columns: directory path; MD5 and SHA1; written; accessed; output of the file; name of the .htm file; sign.)

Path: C:/RECYCLER/Dc5.htm
MD5: 7424d54a59969623d2498633ea1c0687
SHA1: da6fd25750279ec316bf0aa4d1ead3b263e9771c
Written: 2008-04-30 18:58:52 (WST)
Accessed: 2008-04-30 18:58:52 (WST)
Output: No image found
Name: Dc5.htm
Sign: A
End of Report Findings
Investigation Process
After downloading the image file Assignment2.dd from the Edith Cowan University website, I made a copy of the original image in another folder as the forensic working copy, so that I could carry out the examination on that copy without affecting the original. I hashed both the original Assignment2.dd and the working copy and compared their hash values throughout the examination, which confirmed that the image had not been altered and was still the same. As a result, integrity was maintained throughout the forensic examination.
Start date and time: 22-04-2010, 1:22 AM
Creating the directory:
amit@sciss10oem:~$ sudo -s
[sudo] password for amit:
root@sciss10oem:~# cd Desktop
root@sciss10oem:~/Desktop# mkdir investigation
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation#
Date and time: 22-04-2010, 1:25 AM
Mounting the image in the investigation folder:
root@sciss10oem:~/Desktop# mount /dev/sdc1 investigation/
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation# ls
Assignment2.dd lost+found
Date and time: 22-04-2010, 1:26 AM
Hashing the image:
root@sciss10oem:~/Desktop/investigation# md5deep -b Assignment2.dd
0c776f7c1ef092cdb9465fde80f4ea86 Assignment2.dd
root@sciss10oem:~/Desktop/investigation# sha1deep -b Assignment2.dd
4179cb30780358577c367a9e6e46708746ddcc53 Assignment2.dd
Date and time: 22-04-2010, 1:28 AM
Opening Autopsy:
root@sciss10oem:~/Desktop# sudo autopsy
Click on the link to launch Autopsy: http://localhost:9999/autopsy
Created a new case named Meerkats_Investigation to start the forensic investigation of the image.
Date and time: 22-04-2010, 1:40 AM
Creating new case
Add host named host1
host1 was added in Autopsy, then the image Assignment2.dd was added and its MD5 hash value generated to compare with the MD5 hash value of the original image, to maintain the integrity of the image and confirm that it was not compromised.
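Two checks recur throughout this report: re-hashing the image with MD5 and SHA1 before and after every session, and recording path, hash values and written/accessed times for each recovered file. The script below is an added example and is not part of the assignment or of the CAINE/Autopsy tooling; it automates both checks and additionally groups files by digest, which is how it becomes obvious that 250px-Suricata.jpg, 180px-Suricata.jpg and 250px Suricata.suricatta.6861[1].jpg (all MD5 4535e831ae839dcedfd6360d5dbdf6fd) are one picture under three names. It assumes Python 3.6+ with the standard library only, and assumes the evidence tree is mounted read-only (the mount command above gives no -o ro; a read-only mount both prevents writes and stops the kernel from updating access times, which matters because the findings tables record an Accessed column). The sample tree it builds is constructed for the demonstration, not taken from Assignment2.dd.

```python
"""Added example (not from the assignment): re-hash an image and compare
against the acquisition digests, then inventory a mounted evidence tree
with the findings-table columns and group identical files by SHA1.
Assumes the tree is mounted read-only so reading does not alter atimes."""
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a disk image must not be loaded whole


def hash_file(path):
    """Return (md5, sha1) hex digests, computed in one pass over the bytes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, expected_md5, expected_sha1):
    """Re-hash a copy and compare with the digests recorded at acquisition.
    Both must match; returns (ok, md5, sha1) so the computed values can be
    entered on the running sheet whether or not they match."""
    md5, sha1 = hash_file(path)
    ok = md5 == expected_md5.lower() and sha1 == expected_sha1.lower()
    return ok, md5, sha1


def _stamp(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S (UTC)")


def inventory(root):
    """One findings-table row per file below root (a read-only mount point)."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            md5, sha1 = hash_file(full)
            rows.append({"path": os.path.relpath(full, root), "size": st.st_size,
                         "written": _stamp(st.st_mtime), "accessed": _stamp(st.st_atime),
                         "md5": md5, "sha1": sha1})
    return rows


def duplicates(rows):
    """SHA1 -> sorted paths, for every digest that occurs more than once."""
    by_hash = defaultdict(list)
    for row in rows:
        by_hash[row["sha1"]].append(row["path"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree():
    """Constructed sample tree (not files from Assignment2.dd): the same
    bytes under two names in different directories, plus an empty file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    sample = {"WINDOWS/jewel.gif": b"hello\n",
              "RECYCLER/Dc6/copy.gif": b"hello\n",
              "Personal/empty.txt": b""}
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo():
    """Run both checks over the constructed tree and return the results."""
    root = build_sample_tree()
    # Digests of b"hello\n", standing in for the values recorded at acquisition.
    ok, md5, sha1 = verify_image(os.path.join(root, "WINDOWS", "jewel.gif"),
                                 "b1946ac92492d2347c6235b4d2611184",
                                 "f572d396fae9206628714fb2ce00f72e94f2258f")
    rows = inventory(root)
    return {"root": root, "verified": ok, "md5": md5, "sha1": sha1,
            "rows": rows, "duplicates": duplicates(rows)}


if __name__ == "__main__":
    result = demo()
    print("image verified:", result["verified"])
    for row in result["rows"]:
        print(row["path"], row["size"], row["written"], row["accessed"], row["md5"], row["sha1"])
    for digest, paths in result["duplicates"].items():
        print("same content under several names:", digest, paths)
```

Against a real mount point, call verify_image() on the image with the digests from the chain-of-custody record and inventory() on the mount point; the timestamps come from the filesystem in UTC and need converting to the WST shown in the tables if the two are to be compared side by side.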
Investigation Findings
A) .GIF: When I searched for .gif files, I found a list of files. After looking into each .gif file, I found the image jewel.gif.
B) .BMP: When I searched for .bmp files, I found a list of files. After analysing each .bmp file, I found the image Internet Explorer Wallpaper.bmp.
C) .MP4: When I searched for .mp4 files, I found a list of files. After looking into each .mp4 file, I found the video file 60d80dd5032499bd4.mp4.
D) .ZIP: When I searched for .zip files, I found a list of files. After analysing each .zip file, I found meerkats_1024-8.jpg, meerkats_1sfw.jpg, Meerkats 09.jpg, Meerkats-8.jpg and meerkats_13sfw.jpg.
E) .EXE: When I searched for .exe files, I found a list of files. After analysing each .exe file, I found the file Bo2k.exe.
F) .DOC: When I searched for .doc files, I found a list of files. After analysing each .doc file, I found arrow.doc, EBook 0Z 02.doc and EBook of the Prince.doc.
The screenshot above also shows an HTML document about meerkats; the web page gives some general information about meerkats. The HTML document looks like:
G) .RAR: When I searched for .rar files, I found a list of files. After analysing each .rar file, I found the file Mystery.rar.
Conclusion
After examining the Assignment2.dd image file, we recovered 23 images of meerkats, one video file and several document files, including web pages, mainly discussing meerkats. This investigation and its evidence clearly prove that the employee breached the rules and regulations and acted against the law, for which he should be penalised.