
Encase Final Project Report by Abu Shoeb: Page 1 of 30

CS 537 (Cybercrime and Forensics)

Final Assignment: Part One – Individual Forensic Examiner’s Log

Case Name: Tdurden (Tyler Durden)

Submitted By

Abu Awal Md Shoeb (BlazerID – shoeb) Dept. of Computer and Information Sciences

University of Alabama at Birmingham

April 15, 2015


Contents

Problem Description (page 3)
TASK 1: System description, including size of hard drive(s), number of files present, and Operating system installed (page 4)
TASK 2: Identify primary users and create a timeline for their use of the system (page 5)
TASK 3: Registry review for installed programs (page 6)
    Installed Applications (page 7)
    Installed Microsoft Programs (page 8)
    Uninstalled Programs (page 9)
TASK 4: List of installed programs from “Program Files” (page 10)
TASK 5: Review of Significant Programs (page 11)
TASK 6: Review data files created by subject for evidence (page 13)
    Download Folder (page 13)
    List of files after the extraction of steg.zip (page 14)
    Image found for Encryption Software (page 14)
TASK 7: Review images created or downloaded by the subject for evidence (page 15)
TASK 8: Review internet history for evidence (page 18)
    Search: How to make fake ID (page 18)
    Download: Easy-Hide-IP (page 18)
    Download: Gimp (page 19)
    Download: OST to PST Converter (page 19)
    Search: Hiding Text in Text Steganography (page 20)
    Download: TrueCrypt (page 20)
    Search: Free Encryption Software (page 20)
TASK 9: Review Emails for evidence (page 21)
    Screenshot of the location of Outlook file - User Account: tyler.durden (page 22)
    Screenshot of the location of Outlook file - User Account: Tyler.Durden.ZEROBIT (page 23)
    Proof of Two Email IDs of The German (page 24)
    Proof of Attachment: Employee Monitoring (page 24)
    Email Evidence: Employee Monitoring Tools (page 25)
    Email Evidence: Use of TrueCrypt (page 26)
    Email Evidence: Employee Monitoring.doc as attachment (page 27)
    Email Evidence: Welcome email from Norman (page 27)
    Email Evidence: Pornography image as attachment (page 28)
TASK 10: Search drive for keywords discovered during investigation so far (page 29)
Case Narrative (page 30)

Problem Description

PART ONE – INDIVIDUAL FORENSIC EXAMINER’S LOG

Every time you touch the evidence, it is important that you document your activities. As you build your examiner’s log, make the following entries for every session:

DATE/TIME: When did you begin your exam and when did you complete your exam?
OBJECTIVE: What are you trying to accomplish in this session?
ACTIVITIES: What did you do in order to accomplish those objectives?
RESULTS: What did you find in support of your objectives?

Tasks - Each Forensic Examiner’s Log should include at least the following objectives:

1. System description, including size of hard drive(s), number of files present, and Operating system installed.
2. Identify primary users and create a timeline for their use of the system.
3. Registry review for installed programs.
4. List of installed programs from “Program Files”.
5. If there are “significant programs” found (such as a chat program, an encryption program, etc.) a new objective section should be created for each, such as: “Review usage of Yahoo Instant Messenger for Evidence” or “Review usage of Kazaa File Sharing for evidence” (I’m not saying either of these is involved in this case. These are just examples.)
6. Review data files created by subject for evidence.
7. Review images created or downloaded by the subject for evidence.
8. Review Internet history for evidence.
9. Review Emails for evidence.
10. Search drive for keywords discovered during investigation so far.


TASK 1: System description, including size of hard drive(s), number of files present, and Operating system installed

DATE/TIME: Begin – March 18, 2015 05:10 PM Central Time; End – March 18, 2015 07:10 PM Central Time

OBJECTIVE: Getting familiar with the evidence file and finding basic information about the evidence.

ACTIVITIES: Once the evidence has been processed, click on Tdurden. The Table View shows the ‘C’ drive and ‘Unused Disk Area’; the logical size and description can be read there. Then view the evidence in Records format and follow:
Records > Evidence Processor Module Results > System Info Parser Records > SYS > Windows > Tdurden (C) > Operating System > System Artifacts

RESULTS: System description = Volume, Sector 2048-27258879, 13 GB, Folder, Internal, Overwritten, Hidden, System.
Size of Hard Drive = 13 GB
Number of files present = 134779
Operating System Installed =
    o Product Name – Windows 7 Ultimate
    o Product ID – 00426-068-6081695-86561
    o Current Version – 6.1
Last Written – 04/20/11 03:05:07 PM


TASK 2: Identify primary users and create a timeline for their use of the system.

DATE/TIME: Begin – March 18, 2015 05:10 PM Central Time; End – March 18, 2015 07:10 PM Central Time

OBJECTIVE: Getting familiar with how user accounts are located in a Windows system.

ACTIVITIES: Go to C Drive > Users; the list of users is found there.

RESULTS: The two primary user accounts are:
1. tyler.durden (associated email address is [email protected])
2. Tyler.Durden.ZEROBIT (associated email address is Tyler.Durden@zero-bit.com)


TASK 3: Registry review for installed programs.

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting familiar with the Windows Registry.

ACTIVITIES: View the evidence in Records format, then follow:
Records > Evidence Processor Module Results > System Info Parser Records > SYS > Windows > Tdurden (C) > Software
Three options are available there:
    o Installed Applications
    o Installed Microsoft Applications
    o Uninstalled Applications

RESULTS: A total of 184 programs were installed during the life of the hard drive. Some suspicious programs are: Gimp, VMWare.
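The installed-program list above comes from EnCase's System Info Parser, which reads the registry Uninstall keys. The same data can be cross-checked outside EnCase once the keys are exported from the SOFTWARE hive. The script below is an added example, not code from this report or from EnCase: it assumes a Regedit 5.00 text export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (plus the Wow6432Node mirror that 32-bit programs use on 64-bit Windows), parses the key blocks, drops hotfix entries marked SystemComponent, orders programs by InstallDate, and tags the ones that fall into the categories this report treats as significant. SAMPLE_REG is constructed; its versions, dates and paths are placeholders, not values from the Tdurden drive.

```python
r"""List installed programs from an exported dump of the registry Uninstall keys.

Added example, not code from the report or from EnCase. It assumes the examiner
has exported HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the
Wow6432Node mirror used by 32-bit programs on 64-bit Windows) to a Regedit 5.00
.reg file. SAMPLE_REG below is constructed: versions, dates and paths are
placeholders, not values from the Tdurden drive.
"""
import re
from datetime import datetime

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GIMP-2_is1]
"DisplayName"="GIMP 2.6.11"
"DisplayVersion"="2.6.11"
"Publisher"="The GIMP Team"
"InstallDate"="20110420"
"UninstallString"="\"C:\\Program Files\\GIMP-2.0\\unins000.exe\""
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt]
"DisplayName"="TrueCrypt"
"DisplayVersion"="7.0a"
"InstallDate"="20110421"
"UninstallString"="\"C:\\Program Files\\TrueCrypt\\TrueCrypt Setup.exe\" /u"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB0000000-PLACEHOLDER]
"DisplayName"="Hotfix for Microsoft Windows (KB0000000)"
"Publisher"="Microsoft Corporation"
"SystemComponent"=dword:00000001
'''

# Categories the report treats as significant, with name fragments to look for.
WATCHLIST = {
    'encryption': ('truecrypt', 'crypt'),
    'image editing': ('gimp',),
    'virtualization': ('vmware',),
    'anonymizing proxy': ('hide ip', 'hide-ip'),
    'file sharing': ('torrent',),
}


def _decode_value(raw):
    """Decode one .reg value: a backslash-escaped quoted string or dword:hex."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return raw  # hex(...) binary blobs are left undecoded


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every [key] block in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, raw = line.split('=', 1)
            name = '(Default)' if name == '@' else name.strip('"')
            keys[current][name] = _decode_value(raw)
    return keys


def installed_programs(keys):
    """Flatten Uninstall subkeys into program records, oldest install first."""
    programs = []
    for path, values in keys.items():
        if '\\Uninstall\\' not in path or 'DisplayName' not in values:
            continue
        if values.get('SystemComponent') == 1:
            continue  # hotfixes and OS components, not software the user installed
        date = values.get('InstallDate')
        programs.append({
            'key': path.rsplit('\\', 1)[1],
            'name': values['DisplayName'],
            'version': values.get('DisplayVersion', ''),
            'publisher': values.get('Publisher', ''),
            'installed': datetime.strptime(date, '%Y%m%d').date() if date else None,
            'uninstall': values.get('UninstallString', ''),
            'wow64': '\\Wow6432Node\\' in path,
        })
    return sorted(programs, key=lambda p: (p['installed'] or datetime.max.date(), p['name']))


def flag_significant(programs, watchlist=WATCHLIST):
    """Return (name, install date, matched categories) for programs on the watchlist."""
    flagged = []
    for p in programs:
        name = p['name'].lower()
        cats = [c for c, needles in watchlist.items() if any(n in name for n in needles)]
        if cats:
            flagged.append((p['name'], p['installed'], cats))
    return flagged


if __name__ == '__main__':
    for name, when, cats in flag_significant(installed_programs(parse_reg_export(SAMPLE_REG))):
        print(f'{when}  {name:<20} {", ".join(cats)}')
```

InstallDate comes from the installer and is absent for many programs, so the order it gives is only a starting point; the key's last-written time and the Program Files folder timestamps (Task 4) are the usual corroboration. Multi-line hex values with trailing backslash continuations are not joined by this parser.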

Installed Applications

Installed Microsoft Programs

Uninstalled Programs

TASK 4: List of installed programs from “Program Files”.

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting familiar with how installed programs are located in Program Files.

ACTIVITIES: Go to C Drive; two Program Files folders are present:
    o Program Files
    o Program Files (x86)

RESULTS: Four major suspicious programs were found in Program Files. They are:
    o µTorrent (freeware software to download programs, executables, books, pictures, videos, etc.)
    o VMware (software that creates a virtual environment inside the main system)
    o Gimp (GNU Image Manipulation Program – image editing software)
    o Easy-Hide-IP (software that hides your IP address when accessing the internet)


TASK 5: Review of Significant Programs

If there are “significant programs” found (such as a chat program, an encryption program, etc.) a new objective section should be created for each, such as: “Review usage of Yahoo Instant Messenger for Evidence” or “Review usage of Kazaa File Sharing for evidence” (I’m not saying either of these is involved in this case. These are just examples.)

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting relevant evidence from suspicious installed programs.

ACTIVITIES: Layered images were opened in photo editing software to see the different layers.

RESULTS:
µTorrent – No significant information was found for this software.
VMware – It was used to download files and then save a copy of the executables or relevant information on external hard drives.
Gimp – Some images were found that showed a layered view when opened in Gimp. Tdurden might have used the pictures to hide some codes. Tdurden might also be dealing in counterfeit bills. The two images are:
    o Layered 20 Front
    o Layered 20 Back

Image: Layered 20 Front (Layer 1)

Image: Layered 20 Front (Layer 2)

Image: Layered 20 Back (Layer 1)

Image: Layered 20 Back (Layer 2)


TASK 6: Review data files created by subject for evidence.

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting relevant evidence from data files located in different locations such as Downloads, My Documents, My Pictures, etc.

ACTIVITIES: Go to C drive > Users > Tyler.Durden.ZEROBIT > Downloads. Two executable files and one zip file were found there and flagged as suspicious:
    o steg.zip (Steganography)
    o easy-hide-ip-3.7.6.exe
    o TrueCrypt Setup 7.0.a.exe

RESULTS: Steganography is used for hiding images, files, passwords, etc. Steg.zip was found in the Downloads folder and was extracted to see the files inside it. A program named ‘Hide Password’ was also found after extracting steg.zip. It is therefore suspected that Tdurden might use these tools to hide his personal or sensitive information. TrueCrypt is used to encrypt a partition or to create a virtual encrypted disk, so there is a possibility that Tdurden could use this software to exchange personal or sensitive information with others in encrypted form.

Download Folder

List of files after the extraction of steg.zip

Image found for Encryption Software


TASK 7: Review images created or downloaded by the subject for evidence

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting relevant images from different locations, downloaded or exchanged by users on that machine.

ACTIVITIES: Gallery view was used to see all images together. Gallery view was also applied to specific folders such as Downloads, Temporary Internet Files, etc., to view fewer images at a time.

RESULTS: Many images found on the hard drive were related to child pornography. Some images were related to counterfeiting and fake ID cards.

Images: rename1.xxx, rename2Technet.xxx

Images: v12.jpg, v23.jpg

Image: Layered Image Front

Image: Layered Image Back


TASK 8: Review internet history for evidence

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting relevant evidence from internet history by examining web history, internet searches, etc.

ACTIVITIES: Internet history can be retrieved as follows:
Records > Internet > Internet Explorer (Windows) > Typed URL
Records > Internet > Internet Explorer (Windows) > Visited Link
Records > Internet > Mozilla 3 (Windows/Mac)

RESULTS: Tdurden searched for and visited many websites, including the following:
    o How to make a fake ID
    o Hiding Text in Text Steganography
    o Free Encryption Software
He also downloaded software such as TrueCrypt, Gimp, etc. These downloads and searches make him a real suspect.

Search: How to make fake ID

Download: Easy-Hide-IP

Download: Gimp

Download: OST to PST Converter

Search: Hiding Text in Text Steganography

Download: TrueCrypt

Search: Free Encryption Software
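The Mozilla 3 records that EnCase shows above are parsed from Firefox's places.sqlite in the user's profile. The script below is an added example, not part of this report and not EnCase's parser: it assumes the Firefox 3 layout of the moz_places and moz_historyvisits tables (only the columns it reads are created), with visit_date stored as microseconds since the Unix epoch in UTC. It builds a small constructed history in memory, converts the timestamps, recovers the search terms from search-engine URLs, follows the from_visit chain to show which page led to a download page, and flags the visits matching the investigation's keywords. Every URL and time in it is constructed; against real evidence, build_sample_places() would be replaced by sqlite3.connect() on a copy of the exported places.sqlite.

```python
"""Pull visited URLs and search terms from a Firefox (Mozilla 3) places.sqlite.

Added example, not part of the original report and not EnCase's own parser.
It assumes the places.sqlite layout Firefox 3 used (moz_places joined to
moz_historyvisits, visit_date in microseconds since the Unix epoch, UTC).
The history below is constructed in memory so the script runs offline.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Firefox visit_type codes (assumed from the Firefox 3 history schema)
VISIT_TYPES = {1: 'link', 2: 'typed', 3: 'bookmark', 4: 'embed',
               5: 'redirect-permanent', 6: 'redirect-temporary', 7: 'download'}


def _prtime(dt):
    """Firefox stores timestamps as microseconds since the epoch (PRTime)."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1_000_000)


def build_sample_places():
    """Constructed places.sqlite holding only the columns this script reads."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
    ''')
    places = [
        (1, 'http://www.google.com/search?q=free+encryption+software',
         'free encryption software - Google Search', 1, 0),
        (2, 'http://www.truecrypt.org/downloads', 'TrueCrypt - Downloads', 1, 1),
        (3, 'http://www.gimp.org/downloads/', 'GIMP - Downloads', 1, 1),
    ]
    visits = [  # (id, from_visit, place_id, visit_date, visit_type); 0 = no referrer
        (1, 0, 1, _prtime(datetime(2011, 4, 19, 14, 2, 11)), 1),
        (2, 1, 2, _prtime(datetime(2011, 4, 19, 14, 5, 40)), 1),
        (3, 0, 3, _prtime(datetime(2011, 4, 20, 19, 30, 5)), 2),
    ]
    conn.executemany('INSERT INTO moz_places VALUES (?,?,?,?,?)', places)
    conn.executemany('INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)', visits)
    return conn


def load_history(conn):
    """Visits oldest-first as (utc datetime, url, title, visit type, referrer url)."""
    rows = conn.execute('''
        SELECT v.visit_date, p.url, p.title, v.visit_type, r.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
        LEFT JOIN moz_places r ON r.id = fv.place_id
        ORDER BY v.visit_date''').fetchall()
    return [(datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc), url, title,
             VISIT_TYPES.get(vt, str(vt)), ref) for ts, url, title, vt, ref in rows]


def search_terms(url):
    """The query typed into a search engine, if the URL carries a q= parameter."""
    q = parse_qs(urlparse(url).query).get('q')
    return q[0] if q else None


def keyword_hits(history, keywords):
    """Visits whose URL, title or search terms contain any keyword (case-folded)."""
    hits = []
    for when, url, title, vtype, ref in history:
        hay = ' '.join(filter(None, (url, title, search_terms(url)))).lower()
        matched = sorted(k for k in keywords if k.lower() in hay)
        if matched:
            hits.append((when.isoformat(), url, vtype, matched))
    return hits


if __name__ == '__main__':
    hist = load_history(build_sample_places())
    for hit in keyword_hits(hist, ['encryption', 'truecrypt', 'gimp', 'steganography']):
        print(hit)
```

The timestamps come out in UTC; the examiner converts them to the Central Time used in this log when placing them on the Task 2 timeline. Typed visits (visit_type 2) and searches with a q= parameter are the entries that show intent most directly, and the referrer column is what links a search to the download page reached from it.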


TASK 9: Review Emails for evidence

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Look into the email histories of all user accounts and find relevance to other keywords and findings.

ACTIVITIES: Checked Microsoft Outlook data for the following users:
User Account 1: tyler.durden
Location: C:\Users\tyler.durden\AppData\Local\Microsoft\Outlook\[email protected]m.pst
User Account 2: Tyler.Durden.ZEROBIT
Location: C:\Users\Tyler.Durden.ZEROBIT\AppData\Local\Microsoft\Outlook\outlook.ost

RESULTS:
Tyler Durden used two email addresses for communication. His email addresses are [email protected] and [email protected].
[email protected] was created on April 08, 2011 02:44:11 PM.
Norman Peterson ([email protected]) sent a welcome email to [email protected].
Tyler Durden mostly communicated with The German <[email protected]>.
The German has a Yahoo address with the same ID: [email protected].
Their company decided to develop Employee Monitoring Tools, which makes their personal communication difficult for them. As a result, they decided to encrypt their stuff and wanted to use Instant Messenger (IM) instead of using company phones.
They use TrueCrypt for encryption.
Tyler Durden used his two different email addresses and sent/received email to his own address to check whether it works through Gmail or not. He also sent attachments to check his mail configuration.
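The findings above (one person behind two mailboxes, a correspondent who also uses a second provider under the same name, and attachments whose files match another case) are the kind of relationships an examiner pulls out of a mailbox. The script below is an added example, not part of this report: it assumes the Outlook PST/OST messages have first been exported to RFC 822 .eml files (EnCase can export messages; that step is not shown) and then triages them with Python's standard email package. It records each message's date, sender, recipients and attachments (with SHA-256 so an attachment can be matched against files from another case), groups addresses by local part to surface aliases, and ranks outside correspondents. The four messages are constructed with placeholder .example addresses in the style of the report, and the attachment is a few constructed bytes, not the real Employee Monitoring.doc.

```python
"""Triage exported e-mail (.eml) for correspondents, aliases and attachments.

Added example, not part of the report. It assumes the Outlook PST/OST mailboxes
have already been exported to RFC 822 .eml files (EnCase can export messages;
that step is not shown). The four messages below are constructed with
placeholder addresses in the style of the report, and the attachment is a few
constructed bytes, not the real Employee Monitoring.doc.
"""
import hashlib
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage

OWNER = ('tyler.durden@zero-bit.example', 'tyler.durden@mail.example')
ATTACHMENT_BYTES = b'constructed stand-in for Employee Monitoring.doc'


def _make_eml(sender, to, date, subject, body, attachment=None):
    """Build one constructed .eml as an export would leave it on disk."""
    msg = EmailMessage()
    msg['From'], msg['To'], msg['Date'], msg['Subject'] = sender, to, date, subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype='application', subtype='msword', filename=name)
    return msg.as_bytes()


SAMPLE_EMLS = [
    _make_eml('Tyler Durden <tyler.durden@mail.example>', 'tyler.durden@zero-bit.example',
              'Mon, 11 Apr 2011 10:05:00 -0500', 'test', 'checking that mail reaches the other account'),
    _make_eml('Tyler Durden <tyler.durden@zero-bit.example>', 'The German <thegerman@zero-bit.example>',
              'Tue, 12 Apr 2011 09:15:00 -0500', 'monitoring', 'they are rolling out monitoring tools'),
    _make_eml('The German <thegerman@zero-bit.example>', 'tyler.durden@zero-bit.example',
              'Wed, 13 Apr 2011 16:40:00 -0500', 'Re: monitoring', 'see attached',
              attachment=('Employee Monitoring.doc', ATTACHMENT_BYTES)),
    _make_eml('The German <thegerman@yahoo.example>', 'tyler.durden@mail.example',
              'Thu, 14 Apr 2011 08:00:00 -0500', 'IM instead of phones', 'use IM from now on'),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _addresses(msg, header):
    hdr = msg[header]
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def triage(eml_bytes_list):
    """Parse each .eml into a record: date, sender, recipients, subject, attachments."""
    records = []
    for raw in eml_bytes_list:
        msg = message_from_bytes(raw, policy=policy.default)
        attachments = []
        for part in msg.iter_attachments():
            payload = part.get_payload(decode=True) or b''
            # hashing every attachment lets it be matched against another case's files
            attachments.append((part.get_filename(), len(payload), sha256_hex(payload)))
        records.append({
            'date': msg['Date'].datetime,
            'from': (_addresses(msg, 'From') or [None])[0],
            'to': _addresses(msg, 'To') + _addresses(msg, 'Cc'),
            'subject': str(msg['Subject']),
            'attachments': attachments,
        })
    return sorted(records, key=lambda r: r['date'])


def alias_groups(records):
    """Addresses grouped by local part: the same name used at several providers."""
    groups = defaultdict(set)
    for r in records:
        for addr in [r['from']] + r['to']:
            if addr:
                groups[addr.split('@')[0]].add(addr)
    return {lp: sorted(a) for lp, a in groups.items() if len(a) > 1}


def correspondents(records, owner=OWNER):
    """Outside addresses ranked by how many messages they exchanged with the owner."""
    counts = defaultdict(int)
    for r in records:
        for party in set([r['from']] + r['to']) - set(owner):
            counts[party] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == '__main__':
    recs = triage(SAMPLE_EMLS)
    for r in recs:
        print(r['date'].isoformat(), r['from'], '->', r['to'], r['subject'], r['attachments'])
    print('aliases:', alias_groups(recs))
    print('correspondents:', correspondents(recs))
```

Grouping by local part is a heuristic: it finds the pattern seen here (the same identifier at a company domain and at Yahoo), and any match it proposes still has to be confirmed from the message content or the account-creation record, as the welcome email did for the Gmail account above.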

Screenshot of the location of Outlook file - User Account: tyler.durden
Location: C:\Users\tyler.durden\AppData\Local\Microsoft\Outlook\[email protected]\

Screenshot of the location of Outlook file - User Account: Tyler.Durden.ZEROBIT
Location: C:\Users\Tyler.Durden.ZEROBIT\AppData\Local\Microsoft\Outlook\outlook.ost

Proof of Two Email IDs of The German

Proof of Attachment: Employee Monitoring

Email Evidence: Employee Monitoring Tools

Email Evidence: Use of TrueCrypt

Email Evidence: Employee Monitoring.doc as attachment

Email Evidence: Welcome email from Norman

Email Evidence: Pornography image as attachment


TASK 10: Search drive for keywords discovered during investigation so far

DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time; End – April 14, 2015 10:10 PM Central Time

OBJECTIVE: Getting relevant evidence based on keywords.

ACTIVITIES: A search was done based on the keywords listed in the results below.

RESULTS: Potential keywords are:
    o Tdurden
    o tyler.durden
    o Tyler.Durden.ZEROBIT
    o tdurden1263
    o steganography
    o steg
    o crypt
    o truecrypt
    o hide
    o hide-easy-ip
    o porn
    o VMware
    o GIMP
    o µTorrent
    o zip
    o layered
    o .jpg
    o .doc
    o .docx
    o .txt
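A keyword search of the whole drive only finds what it is encoded to find: registry data, shortcut files and many application databases on Windows store text as UTF-16LE, which an ASCII-only search misses, and the string may be split across the boundary of whatever block size the search reads. The script below is an added example, not the report's procedure and not EnCase's search engine: it compiles each keyword into case-insensitive byte patterns for both UTF-8 (which covers ASCII) and UTF-16LE, reads the image in chunks with an overlap so boundary-straddling hits are found exactly once, and prints a hex-viewer-style context for each hit. The image it searches is constructed in build_sample_image(); on real evidence, search_stream() takes the open image file (or the exported unallocated space) instead.

```python
"""Keyword search over a raw disk image in ASCII/UTF-8 and UTF-16LE.

Added example, not the report's own procedure and not EnCase's search engine.
The image it searches is constructed in build_sample_image(); on real evidence
pass open(path, 'rb') to search_stream() instead.
"""
import io
import re

ENCODINGS = ('utf-8', 'utf-16-le')


def _pattern(keyword, encoding):
    """Case-insensitive bytes regex for keyword in the given encoding."""
    parts = []
    for ch in keyword:
        variants = sorted({ch.lower(), ch.upper()}) if ch.isalpha() else [ch]
        alts = b'|'.join(re.escape(v.encode(encoding)) for v in variants)
        parts.append(b'(?:' + alts + b')')
    return re.compile(b''.join(parts))


def compile_keywords(keywords, encodings=ENCODINGS):
    """One (keyword, encoding, regex) triple per keyword and encoding."""
    return [(kw, enc, _pattern(kw, enc)) for kw in keywords for enc in encodings]


def _max_match_len(compiled):
    return max(len(v.encode(enc)) for kw, enc, _ in compiled
               for v in (kw, kw.lower(), kw.upper()))


def search_stream(stream, compiled, chunk_size=1 << 20):
    """Sorted (absolute offset, keyword, encoding) hits, reading the stream in chunks.

    The tail of each chunk is carried into the next so a string straddling a
    chunk boundary is found; a match is reported only if it ends inside the new
    data, so nothing is reported twice."""
    overlap = _max_match_len(compiled) - 1
    hits, carry, base = [], b'', 0          # base = absolute offset of data[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = carry + data
        buf_offset = base - len(carry)      # absolute offset of buf[0]
        for kw, enc, pat in compiled:
            for m in pat.finditer(buf):
                if m.end() > len(carry):
                    hits.append((buf_offset + m.start(), kw, enc))
        base += len(data)
        carry = buf[-overlap:] if overlap else b''
    return sorted(hits)


def search_bytes(image, compiled, chunk_size=1 << 20):
    """Convenience wrapper for an image already held in memory."""
    return search_stream(io.BytesIO(image), compiled, chunk_size)


def context(image, offset, width=16):
    """Printable view of the bytes around a hit, like a hex viewer's ASCII column."""
    snippet = image[max(0, offset - width):offset + width]
    text = ''.join(chr(b) if 32 <= b < 127 else '.' for b in snippet)
    return f'{offset:#010x}: {text}'


def build_sample_image():
    """Constructed 'disk image': binary filler around a few planted strings."""
    filler = bytes(range(256)) * 4          # 1 KiB of non-text bytes
    return (filler
            + b'C:\\Users\\Tyler.Durden.ZEROBIT\\Downloads\\steg.zip\x00'
            + filler
            + 'TrueCrypt Setup 7.0a.exe'.encode('utf-16-le')   # as a registry or .lnk string
            + filler
            + b'STEGANOGRAPHY tools'
            + filler)


if __name__ == '__main__':
    image = build_sample_image()
    compiled = compile_keywords(['steg', 'zip', 'crypt', 'truecrypt', 'steganography', 'durden'])
    for off, kw, enc in search_bytes(image, compiled, chunk_size=1050):
        print(f'{kw:<14} {enc:<9} {context(image, off)}')
```

With the sample image and a 1050-byte chunk size, the UTF-16LE "TrueCrypt" string is the one that crosses a chunk boundary, and the overlap handling is what makes it appear once and at the right offset. Short keywords such as "zip" and "hide" will hit in binary noise on a real drive; the offset and context of each hit are what separate a file name or registry value from a coincidence.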


Case Narrative

As a requirement of CS 537, we were given a case named Tdurden for investigation. The case file contained a hard drive from Tyler Durden’s computer. Our task was to perform forensic analysis of the hard drive. EnCase software was also provided to perform the analysis.

At the very beginning, we had to process the evidence in EnCase. Once it is processed, the hard drive is ready for analysis. EnCase helps us to search, collect, preserve, and analyze data from hard drives.

I performed all the given tasks (presented in this report) on the Tdurden hard drive. After carefully analyzing the evidence, it is likely that Tdurden is involved in illegal activities such as child pornography, counterfeiting, credit card misuse, fake ID creation, etc. His internet usage history, download history and email conversations proved these activities. He had email conversations about using software to encrypt data and images for communication. Later he downloaded and installed the software to perform the encryption. Similarly, a folder (steg.zip) related to steganography was found in the Downloads folder. Steganography is used for hiding images, files, passwords, etc. I also found a few layered images that are actually related to counterfeiting. Once the images were opened in image editing software, the second layer of those images was found to be twenty dollar bills. Moreover, some images and documents exchanged over email match Bill Basher’s files. Bill Basher is also a suspect for child pornography.

Finally, the case has enough evidence to suspect Tdurden as guilty. However, we should perform additional investigation before reaching a complete conclusion about the suspect.