FIP Report

CE00267-7 Forensic Investigation Project

TPR Investigation Report

By Paul Kevin Green, Ravindu Meegasmulla and Muhammad Taiyib Parvez

MSc Digital Forensics and Cybercrime Analysis

Staffordshire University

Award Leader: Hatem Tammam

Module Leader: Stilianos Vidalis

April 2013

Word Count – 5,265

Key Acronyms

Term   Use
HDD    Hard Disk Drive, the magnetic storage media examined in this case
CD     Compact Disc
DVD    Digital Versatile Disc
NTFS   New Technology File System, the file system used on modern Windows operating systems
OS     Operating System, the generic term for the system software installed on a machine
RAM    Random Access Memory, the volatile memory in which running processes are held
ROM    Read Only Memory, non-volatile storage that holds firmware and configuration details
SID    Security Identifier, used on Windows to uniquely identify a user or group
MBR    Master Boot Record, the first sector of a partitioned disk, holding the boot code and the four-entry partition table
VBR    Volume Boot Record, the first sector of a volume, used to boot an OS from that volume

Form Abbreviations

Term   Use
CEC1   Case Evidence Collection
CRR1   Case Report Request
CSR1   Case Scene Report
EAL1   Evidence Analysis Log
ETAG   Evidence Tags
HDA1   Hard Drive Analysis
UIP1   User ID Profile

Case Summary

TPR Group was called to investigate a case involving a computer laboratory at Staffordshire University where a single hard disk was found unplugged inside a machine. The Forensic Manager was contacted by a member of Staffordshire University staff to attend the K113 laboratory, located in the building called the Octagon, to analyse and acquire the evidential media located at the scene.

When briefed by the university's representative, the description of the case was as follows:

The employee attended the laboratory to set up the room for a class they were conducting that day and found a single computer that would not boot into the operating system. Upon further investigation the employee opened the computer case and found the hard disk disconnected from the motherboard. On closer inspection they found that the disk drive was not the one previously installed in the laboratory's machine. At this point the employee contacted TPR Group to conduct an investigation into the owner of the disk drive.

The scope of the crime scene was the single desk holding the computer system, which can be seen in the Case Report documentation. The investigative team attended the scene, acquired all evidential media deemed to be of use and took it back to the forensic laboratory for further investigation by the Forensic Examiner.

Contents

Key Acronyms
Form Abbreviations
Case Summary
Contents
1 Phase One - Case Management
  1.1 Introduction
  1.2 Case Documentation
  1.3 Procedures
2 Phase Two - Evidence Analysis
  2.1 Introduction
  2.2 Analysis Process
  2.3 Validation and Verification
  2.4 Partitions
  2.5 Operating Systems
  2.6 User Accounts
3 Phase Two - Findings
  3.1 Introduction
  3.2 Partitions
  3.3 Operating Systems
  3.4 Structure of the Drive
  3.5 User Accounts
  3.6 Timeline of Drive
4 Phase Three – Conclusion and Completion of Case
5 Bibliography
  5.1 Mobile Forensics
  5.2 MBR Information
  5.3 User IDs and SIDs
  5.4 Guidelines
6 References
Appendix A Case Management
  Appendix A.1 Authorisation Documentation
  Appendix A.2 Case Evidence Collection Form
  Appendix A.3 Crime Scene Management Diagrams
  Appendix A.4 Forensic Examiners Toolkit
  Appendix A.5 Questions for Cases
Appendix B ACPO Guidelines – 2012 Edition
Appendix C Analysis Procedures
  Appendix C.1 Hard Drive Analysis Form
  Appendix C.2 Evidence Analysis Log Form
  Appendix C.3 User ID Profile Form
Appendix D Analysis Process Diagrams
  Appendix D.1 Initial Analysis (MBR and VBR)
Appendix E Findings
  Appendix E.1 Initial Acquisition
  Appendix E.2 Drive Structure
  Appendix E.3 Folder Structure
  Appendix E.4 Volume Creation
  Appendix E.5 Timeline of File
  Appendix E.6 User Accounts
  Appendix E.7 Email
  Appendix E.8 Internet History

Figure 2.1 - Recycling Bin Naming Convention
Table 2-1 - OS User Characteristics
Table 3-1 - Priority User Accounts

1 Phase One - Case Management

1.1 Introduction

The case in question is being managed by the TPR Group, whose three members have all agreed the contract for team positions. The contract, signed at the start and end of the case, can be found attached to the report within the case folder. The case has three phases: Phase One – Case Request, Phase Two – Case Analysis and Phase Three – Case Completion.

1.2 Case Documentation

1.2.1 Case Request and Authorisation

Prior to a case being created for a client, there must first be a consultation with the prospective client to allow them to request the group's services. This consultation can be conducted by any means, such as email or telephone.

Upon the client contacting TPR Group to handle a case, the Forensic Manager will create a CRR1 form, formally opening the case. This allows the Forensic Manager to put together a team to manage the investigation. The Case Manager will then take the report to every meeting to update TPR Group's records. Once the report has been updated, the collected information can be compiled and added to the case file so that the examiner can undertake a full investigation. The report template can be found in Appendix A.1 and must be signed off by the client to confirm that the investigation is being undertaken to their expectations.

To ensure that TPR Group has sufficient authorisation to access, assess, manage and acquire the scene, including all evidence located at the scene, the TPR Group Authorisation form must be signed. This document must be signed in ink; no photocopies are accepted. The template form can be found in Appendix A.1. The authorisation documentation must state explicitly that the group is entitled to access the machines, and all hardware within them, in order to analyse the media. It must also state, with references if needed, the scope of the scene in question.

1.3 Procedures

The following procedures have been agreed by the TPR Group, with accompanying diagrams located in Appendix A.3. These procedures are to aid the Case Manager so that they are able to successfully manage the search and seizure team, acquire the evidence and pass the media on to the examiner for analysis of evidential data.

1.3.1 Preparation

There are general guidelines that are to be followed during any seizure of evidence:

• A consultation with the Case Officer is required to determine the equipment to take to each individual crime scene; the list can be seen in Appendix A.4.
• Ensure the team has sufficient search and seizure authorisation to access and acquire evidence; if not, this must be obtained, including the scope to go beyond the scene if needed.
• If evidence cannot be removed from the scene, it must be copied at the scene where it is safe to do so.
• Upon entering the vicinity of the scene, all witnesses, suspects and other individuals not directly related to the crime must be moved to a safe and secure location, ensuring they are not in possession of evidence.
• Solicit information from members of staff (administrators, witnesses etc.) where possible.
• All scenes must be searched thoroughly and systematically for evidence.
• All first responders (Search and Seizure) should be able to locate hidden evidence, both digital and non-digital.

At all times each examiner must abide by the following procedures, which are TPR Group's interpretation of the ACPO Guidelines located in Appendix B:

• Do not go beyond the scope of the authorisation.
• Keep the chain of custody up to date when working with evidential media.
• Keep a record of all evidence obtained, including descriptions, any communications related to the evidence and its condition upon receipt.
• Examination documentation should always be case specific, so that any other examiner could continue the work at any point.
• All Examination Reports completed should:
  o Meet TPR Group's standards using the formalised templates.
  o Address the needs of the company or person who requested them.
  o Provide all relevant information in a concise and clear manner.

1.3.2 Assessing and Managing the Crime Scene

Upon entering the scene the following procedures are to be followed. If at any time a member of the team is unsure, the Case Officer must be contacted immediately.

The initial phase of any scene is to ensure that the scene is safe to enter; if the scene is deemed unsafe by the Case Officer, the investigation will stop immediately until it is made safe.

1. Ensure the scene and surrounding areas are safe to enter;
2. Contact the main scene contact and conduct a briefing;
3. Secure and protect the scene, ensuring no unauthorised personnel are present.

Upon successfully taking control of the scene, it needs to be managed to ensure that the collection, preservation and acquisition of evidence takes place according to procedure. For a diagrammatic breakdown of the steps when attending a scene, see Appendix A.3.1.

1.3.3 Collection and Preservation

Upon entering the crime scene, the following procedures are to be followed to acquire evidence. This phase has been split into two sections: Acquisition of the Scene and Device Acquisition. The kit listed in Appendix A.4 must be used at every scene.

1.3.3.1 Acquisition of the Scene

The Case Officer, or Case Supervisor, will do the initial scene walkover with the client to assess vital equipment. This process ensures that media which cannot be shut down is highlighted prior to any acquisition. It also assesses the volatility of the evidence, so that the most volatile evidence is secured and protected as a priority. The steps for the acquisition of the scene can be seen in diagrammatic form in Appendix A.3.2.

Upon the Case Officer completing the initial scene walkover, the following procedure is to be followed by the team entering, using the accompanying diagrams.

1. Check that the surrounding areas and the scene are still safe to enter;
   a. If the scene is unsafe, leave immediately and contact the Case Officer to ensure it is made safe prior to continuing.
2. Ensure all documents are to hand, including copies.
3. Search and Seizure team walk over the scene to locate evidence;
   a. Locations of volatile media are highlighted by the Case Officer,
   b. Document every piece of evidence including its location,
   c. Photograph and sketch the scene prior to moving items; photos will be attached to the case documentation in electronic form.

1.3.3.2 Device Acquisition

Upon locating the volatile media, evidence acquisition begins. The following is to be followed at every scene and is an overview of the diagrams and procedure located in Appendix A.3.3 and Appendix A.3.4.

1. Secure devices of evidentiary value;
2. Assess the system status and acquire;
3. Check the scene for further evidence;
4. Document the scene;
5. Hand back to the Case Officer;
6. Case Officer to make a final check of the scene;
7. Hand back to the client.

1.3.4 Questioning of Witnesses

Upon attending the scene, all witnesses should have been removed from the immediate scene ready for questioning. There are several questions to be answered in relation to each type of scene, found in Appendix A.5.

Each witness should be moved to a separate secure room to ensure that no talking or exchange of evidential information takes place. Removing each witness from the immediate scene ensures that they do not contaminate any evidence located within the scene and that the acquisition and examination teams are able to undertake their jobs efficiently. The questions provided are a general overview and must be modified for each individual scene.

1.3.5 Photography

Photographs of the scene will be stored in a manner relevant to the evidential artefacts and provided to the case contact in digital form; they are not printed, for economic reasons. However, if requested they can be printed at no additional cost. For every photograph taken, a digital copy will be saved in a photograph folder labelled with the evidence number.

1.3.6 Analysis and Examination

Upon all the evidence arriving at the forensic laboratory, the following procedures are to be adhered to during the analysis and examination phase:

• All examiners should review the legal documentation to ensure they are authorised to perform analysis on the media; if not, they must contact the Case Officer for authorisation.
• Prior to starting any examination, the following should be considered:
  o Are there any other forensic examinations scheduled to take place on this media?
  o The priority the requestor places on information from this case.
  o Are there any other evidentiary items which may offer a better source of evidence?
  o A strategy must be agreed between the examiners undertaking the case and the requestor, with all information documented and added to the case file.
• Wherever possible, examination should not be carried out on the original media; it must be conducted using forensically sound copies.
• A Chain of Custody must be kept with the evidence at all times.
• An Access Log must be kept for each individual piece of evidence so that an audit trail can be followed.
• Any examination undertaken should be carried out in a systematic and logical manner.
  o All examinations should be undertaken in a secure room, with supervision if required, and with notes taken so that the same outcome can be reproduced by another person.
• The findings are to be confirmed using a separate forensic tool. If no difference is found, no additional documentation is required; if there are differences, they must be pointed out and documented. This ensures evidence integrity and validation through cross-verification.

A template copy of the Evidence Log form can be found in Appendix A.2, which also incorporates the Chain of Custody documentation for each piece of evidence.

2 Phase Two - Evidence Analysis

2.1 Introduction

This section of the report details the processes to be undertaken during the analysis phase of the investigation. It has been divided into several subsections so that the procedures can be clearly identified.

2.2 Analysis Process

As an investigation is required on all evidential artefacts acquired at the scene, procedures and guidelines have been created so that all examinations are undertaken in a consistent manner.

As mentioned previously, TPR Group will follow the guidelines set down by the Association of Chief Police Officers, interpreted and expanded. Additionally, several documents have been created to aid the examiner during the analysis of the media. These forms are:

• Hard Drive Analysis (HDA1) – See Appendix C.1
• Evidence Analysis Log (EAL1) – See Appendix C.2
• User Identification Profile (UIP1) – See Appendix C.3

The HDA1 form details the key steps to be carried out during the analysis of a disk drive that contains, or is suspected to contain, the Windows operating system. The form carries a checklist recording the steps taken by the examiner, which ensures that important steps are not overlooked.

The EAL1 form is used to plan each session in which the evidence is analysed. The plan is agreed with the Case Officer in advance, so that when the examiner undertakes any analysis they know what needs to be completed before the evidence is returned to the store room.

The UIP1 form is used in conjunction with the two forms above to document any user profiles present on the system. The form is used to log the SID details found during the analysis of a suspect machine. The details entered on this form will form part of the main section of the report when identifying user actions on the system.

When the evidence is being analysed, the chain of custody must be kept up to date on the CEC1 form, found in Appendix A.2. On this form the times, dates and persons analysing the drive are logged to ensure the integrity of the evidence throughout. It can then be referred back to in a court of law to validate the times the drive was out of the evidence storage room.

2.3 Validation and Verification

Upon acquiring the drive in question, the evidence must be hashed so that its integrity can be validated throughout the analysis process. This is done by the forensic application during the acquisition phase: a hash (for example MD5 or SHA-1) is calculated over the entire evidence drive and stored alongside the image files on the target drive. Re-hashing the image at any later stage and comparing the result against the stored value verifies that the evidence has not been altered.

During the analysis of an artefact, file signature analysis can be carried out to aid the examiner. This is the process of checking the validity of a file by comparing the file signature (the magic bytes) stored in the first few bytes of the file against the type implied by its extension. A mismatch indicates that the extension has been changed from the original, which may have been a method used to hide data.

Known-good files, for example operating system or application files that have not been altered since installation, can be eliminated by comparing their hashes against a hash set of known files (such as the NIST National Software Reference Library). Add-ons within the forensic application remove these files from view, so that the examiner does not spend time on files with no evidential value.
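The three checks described in this section (image hash verification, signature-versus-extension comparison, and known-good elimination by hash set) as an added example in Python. This is not code from the TPR report or from any forensic product it mentions; the evidence image, the sample files and the known-good hash set are all constructed in memory, and the signature table covers only a handful of common types.

```python
"""Validation and verification helpers: image hash verification, file
signature (magic byte) analysis and known-good hash filtering.

Added example; not code from the TPR report. The evidence image, the files
and the known-good hash set are constructed below so the script runs offline.
"""
import hashlib

# Magic bytes for a handful of common types, mapped to a canonical type name.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                                 # also OOXML (docx/xlsx/pptx) and jar
    b"MZ": "pe",                                          # exe, dll, sys, scr
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",          # legacy doc/xls/ppt/msg
}

# Extensions that legitimately carry each signature; anything else is a mismatch.
EXPECTED_EXTENSIONS = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "pe": {"exe", "dll", "sys", "scr"},
    "ole2": {"doc", "xls", "ppt", "msg"},
}


def sha256_hex(data: bytes) -> str:
    """Hash used for both image verification and known-good matching."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the evidence image and compare it with the hash recorded at acquisition."""
    return sha256_hex(image) == recorded_hash.lower()


def signature_type(data: bytes):
    """Return the type implied by the file's leading bytes, or None if unrecognised."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None


def classify_file(name: str, data: bytes, known_good: set) -> str:
    """Known-good files are dropped first; the rest get a signature-vs-extension check."""
    if sha256_hex(data) in known_good:
        return "known-good"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ftype = signature_type(data)
    if ftype is None:
        return "unknown-signature"
    if ext in EXPECTED_EXTENSIONS[ftype]:
        return "ok"
    return f"mismatch:{ftype}-as-.{ext}"


def triage(files: dict, known_good: set) -> dict:
    """Map every file name to its classification so the examiner can focus on mismatches."""
    return {name: classify_file(name, data, known_good) for name, data in files.items()}


# --- constructed sample data (not taken from any real evidence) -------------
EVIDENCE_IMAGE = b"\x00" * 4096                 # stand-in for an acquired image
RECORDED_HASH = sha256_hex(EVIDENCE_IMAGE)      # value written to the acquisition log

OS_FILE = b"MZ\x90\x00" + b"\x00" * 60          # stand-in for an unmodified OS binary
KNOWN_GOOD = {sha256_hex(OS_FILE)}              # stand-in for a reference hash set

SAMPLE_FILES = {
    "notepad.exe": OS_FILE,                                   # eliminated via the hash set
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,        # signature agrees with extension
    "readme.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,         # JPEG renamed .txt: hidden picture
    "coursework.docx": b"PK\x03\x04" + b"\x00" * 32,          # OOXML is a zip container, so fine
    "notes.dat": b"random bytes" * 4,                         # nothing recognisable
}

if __name__ == "__main__":
    print("image verified:", verify_image(EVIDENCE_IMAGE, RECORDED_HASH))
    for name, verdict in triage(SAMPLE_FILES, KNOWN_GOOD).items():
        print(f"{name:16} {verdict}")
```

The order of the checks matters: hashing against the known-good set first means an unmodified system file is never flagged, while a renamed JPEG still surfaces as a mismatch even though its contents are perfectly valid.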

2.4 Partitions

The following section details the procedures relating to the location of partitions on the evidence drive. Detailed here are the steps taken during the initial analysis of the evidence. A diagrammatic representation of the process can be found in Appendix D.

2.4.1 Locating the MBR

Part of the examination process is locating partitions on the storage device, which can be accomplished in a number of ways. The first method is to locate the MBR; it contains a partition table of four 16-byte entries, beginning at byte offset 446 (0x1BE) of the sector, and ends with the signature bytes 0x55 0xAA at offset 510. The MBR is located in the first sector of the drive, as this is where the BIOS boot process reads the instructions for booting the device. If no MBR is present, the drive has not been partitioned in the conventional way and should be treated as a non-bootable (secondary) drive.

2.4.2 No MBR

If the device is a non-bootable drive, the partition analysis must take a different approach: locate the VBR, which on a drive formatted as a single volume without a partition table is stored in the first sector, where the MBR would otherwise be.

Upon locating the VBR, the backup VBR is then located; for an NTFS volume this is stored in the last sector of the volume. Both can be located using EnCase's Disk View, which displays the entire disk in one-sector chunks that can be scrolled through to find the first and last sectors of the volume. Comparing the two copies confirms that the boot sector has not been damaged or altered.

2.4.3 Additional Partitions

If analysis of the MBR shows additional partition table entries, those partitions will be analysed individually, after the main partition. This concentrates the work on the main storage area that the user will have used for installing applications and for actions undertaken on the computer system.

2.4.4 Unallocated Space

When the drive is analysed there may be segments of the drive that are not allocated to any file; this is known as unallocated space. It is the area of the drive that has never been used, or that contains files which have been deleted but not yet overwritten, and it can be analysed to identify remnants of lost or deleted files.

Using forensic tools it is possible to carve unallocated space and rebuild parts of files, and in some cases complete files. However, a complete file can only be rebuilt if the clusters it occupied have not been overwritten since deletion.

2.5 Operating Systems

Locating an MBR indicates that the storage device in question can serve as the primary boot device. If the device was not the main boot device, it may instead be an additional storage device attached to the system, in which case only a VBR would be located.

If the device is the main bootable device, the operating system can be identified by locating the primary partition: within the four partition table entries starting at byte offset 446, the active partition is the one whose first byte (the boot indicator) is hexadecimal 80. The type byte of the entry (offset 4 within the entry) identifies the file system, for example 07 for NTFS. Identifying the file system narrows down the operating systems that could have been used; if NTFS is found, this may indicate a Windows-based operating system.

Once the primary partition and file system are identified, the starting sector of the partition (the 32-bit LBA value at offset 8 within the entry) gives the location of the partition's VBR, from which the volume can be analysed to identify the type of operating system on the storage device. The structure and partition types can be found in Appendix D.1.
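The initial MBR/VBR survey from sections 2.4.1, 2.4.2 and 2.5 as an added example in Python; this is not code from the TPR report or from EnCase. Two disk images are constructed in memory: one partitioned with an MBR holding a single active NTFS partition, and one "superfloppy" drive with no MBR whose NTFS VBR sits in sector 0, the situation described in 2.4.2. The volume sizes, cluster size and $MFT locations are made up so that the images fit in memory; the byte offsets are those of the real MBR and NTFS boot sector layouts.

```python
"""MBR and VBR analysis for the initial partition survey (sections 2.4 and 2.5).

Added example; not code from the TPR report or from EnCase. Images are
constructed in memory with deliberately tiny volumes.
"""
import struct

SECTOR = 512
PARTITION_TYPES = {0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux",
                   0xEE: "GPT protective"}


def is_ntfs_vbr(sector: bytes) -> bool:
    """NTFS boot sector: OEM ID 'NTFS    ' at offset 3 and 0x55AA at offset 510."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xAA"


def parse_ntfs_vbr(sector: bytes) -> dict:
    bps, spc = struct.unpack_from("<HB", sector, 11)
    (total,) = struct.unpack_from("<Q", sector, 40)     # excludes the backup boot sector
    mft, mft_mirr = struct.unpack_from("<QQ", sector, 48)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft, "mft_mirror_cluster": mft_mirr}


def parse_mbr(sector: bytes):
    """Return the four partition entries, or None if sector 0 is not a plausible MBR."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    entries = []
    for i in range(4):
        off = 446 + 16 * i                              # 0x1BE + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        start, size = struct.unpack_from("<II", sector, off + 8)
        if boot not in (0x00, 0x80):                    # boot code of a VBR would land here
            return None
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                        "start_lba": start, "sectors": size})
    return entries if any(e["type"] for e in entries) else None


def analyse_volume(image: bytes, start_lba: int) -> dict:
    """Parse the VBR at start_lba and confirm the backup VBR in the volume's last sector."""
    vbr = image[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    if not is_ntfs_vbr(vbr):
        return {"start_lba": start_lba, "fs": "unrecognised"}
    info = parse_ntfs_vbr(vbr)
    backup_lba = start_lba + info["total_sectors"]     # NTFS keeps the backup in the last sector
    backup = image[backup_lba * SECTOR:(backup_lba + 1) * SECTOR]
    return {"start_lba": start_lba, "fs": "NTFS", **info,
            "backup_vbr_lba": backup_lba, "backup_matches": backup == vbr}


def analyse_image(image: bytes) -> dict:
    """Decide between MBR-partitioned, superfloppy (VBR in sector 0) and unrecognised."""
    sector0 = image[:SECTOR]
    if is_ntfs_vbr(sector0):                            # a VBR also ends in 0x55AA, so test it first
        return {"layout": "superfloppy", "active": None, "volumes": [analyse_volume(image, 0)]}
    entries = parse_mbr(sector0)
    if entries is None:
        return {"layout": "unrecognised", "active": None, "volumes": []}
    used = [e for e in entries if e["type"]]
    active = next((e["index"] for e in used if e["active"]), None)
    return {"layout": "MBR", "active": active,
            "volumes": [dict(e, **analyse_volume(image, e["start_lba"])) for e in used]}


# --- constructed images ------------------------------------------------------
def make_ntfs_vbr(volume_sectors: int) -> bytes:
    v = bytearray(SECTOR)
    v[0:3] = b"\xEB\x52\x90"                            # jump instruction
    v[3:11] = b"NTFS    "
    struct.pack_into("<HB", v, 11, SECTOR, 8)
    struct.pack_into("<Q", v, 40, volume_sectors - 1)  # last sector is reserved for the backup VBR
    struct.pack_into("<QQ", v, 48, 4, 2)               # $MFT / $MFTMirr clusters (made up)
    v[510:512] = b"\x55\xAA"
    return bytes(v)


def make_image(partition_start: int, volume_sectors: int) -> bytes:
    """partition_start == 0 builds a superfloppy; otherwise an MBR-partitioned disk."""
    total = partition_start + volume_sectors
    img = bytearray(total * SECTOR)
    vbr = make_ntfs_vbr(volume_sectors)
    img[partition_start * SECTOR:(partition_start + 1) * SECTOR] = vbr
    img[(total - 1) * SECTOR:] = vbr                    # backup VBR in the last sector
    if partition_start:
        img[446], img[450] = 0x80, 0x07                 # entry 0: active, type 07
        struct.pack_into("<II", img, 454, partition_start, volume_sectors)
        img[510:512] = b"\x55\xAA"
    return bytes(img)


IMAGE_MBR = make_image(partition_start=8, volume_sectors=64)
IMAGE_SUPERFLOPPY = make_image(partition_start=0, volume_sectors=64)

if __name__ == "__main__":
    for label, img in (("MBR disk", IMAGE_MBR), ("superfloppy", IMAGE_SUPERFLOPPY)):
        print(label, analyse_image(img))
```

Note the order of the tests in analyse_image: an NTFS VBR also ends in 0x55 0xAA, so checking only for the signature at offset 510 would misread a superfloppy's boot sector as an MBR and produce nonsense partition entries from its boot code. The backup comparison is the check a practitioner adds before trusting the volume geometry read from sector 0.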

2.6 User Accounts

On a primary storage device there will be an OS, and within that OS there will be user accounts used to access it. The types of user accounts and their locations depend upon the OS in question. On a typical Windows-based system the user accounts are in a similar location across all variations of the OS, normally on the main C:\ drive under a folder called 'Documents and Settings' or, in the newer variations, 'Users'.

However, if the drive in question is not the primary bootable drive, there may not be any user profiles stored on it, unless the user has redirected their account profiles to a secondary drive. In that case there may not be a standard location where the profile details are stored.

2.6.1 Profile Characteristics

The characteristics of a profile depend entirely upon the OS that has been used, and the OS type can be narrowed down by the type of file system in use.

A typical Windows-based system carries similar characteristics across all versions and, as previously mentioned, the locations are typically standard. Having identified the profile folder, the folders within it can also be quickly identified; see Table 2-1.

Table 2-1 - OS User Characteristics

OS Version                             User Root Folder                          Typical sub folders
Windows 2000, Windows XP               C:\Documents and Settings\ACCOUNT NAME    My Documents, My Music, My Pictures, Desktop, Cookies, Favourites
Windows Vista, Windows 7, Windows 8    C:\Users\ACCOUNT NAME                     Documents, Desktop, Favourites, Music, Pictures

Windows 7 and later also present 'Libraries' (Documents, Music, Pictures, Videos). A library is a virtual view that aggregates the user's own folder with the corresponding Public folder, which makes sharing within the Windows OS easier; the files themselves remain in the per-user folders listed above, so the examiner should still examine each user's profile folder.

An additional file of interest to an examiner is NTUSER.DAT, the registry hive in the root of each profile folder that holds the user's personalisation settings for both installed software and OS modifications. When the user logs on, this hive is loaded under HKEY_USERS\<SID> and exposed as HKEY_CURRENT_USER, and any changes made during the session are written back to it.

2.6.2 Windows Recycle Bin (Recycler)

Every NTFS volume holds a hidden system folder in its root directory that keeps track of deleted items until the bin is emptied. Its name depends on the OS version: RECYCLER on Windows 2000 and XP (RECYCLED on FAT volumes), and $Recycle.Bin on Windows Vista and later.

The folder contains a sub folder for each user who has deleted files on that volume, named with the user's SID, so that deleted files can be attributed to a user. Because the SID is the same on every volume that user touches, the same SID-named folders will be found on additional storage devices that are not the primary drive, and an examiner can use this to indicate which users have used the system and deleted files on it.

Within each user's folder the deleted files are stored under a standard naming convention that allows them to be restored if needed. On Windows 2000 and XP each file is renamed D<drive letter><index>.<original extension> and its original path and deletion time are recorded in a single INFO2 file; on Windows Vista and later each deleted file is renamed $R<random>.<ext> and paired with a small $I<random>.<ext> file recording its original path, size and deletion time. The naming convention is shown in Figure 2.1.

Figure 2.1 - Recycling Bin Naming Convention (Microsoft Support, 2007)
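Attributing deleted files to an account, as this section and the UIP1 form require, as an added example in Python; this is not code from the TPR report. It parses the $I metadata records that Windows Vista and later write beside each $R file in $Recycle.Bin\<SID>\, and breaks the SID that names the folder into its components so the RID can be classified. The SID, account name, paths, sizes and timestamps below are constructed for illustration.

```python
"""Recycle Bin ($Recycle.Bin) and SID parsing for user attribution (section 2.6.2).

Added example; not code from the TPR report. All sample data is made up.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """$I layout: 8-byte version, 8-byte original size, 8-byte FILETIME, then the original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                                    # Vista/7/8: fixed 260 UTF-16 characters
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                                  # Windows 10 and later: length-prefixed
        (n,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * n].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def parse_sid(sid: str) -> dict:
    """Split S-1-5-21-<machine or domain>-<RID> into its parts and classify the RID."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"not a SID: {sid}")
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    rid = subauths[-1]
    if authority == 5 and subauths[0] == 21 and len(subauths) == 5:
        identifier = "-".join(parts[4:7])               # identifies the machine or domain
        kind = WELL_KNOWN_RIDS.get(rid, "user-created account" if rid >= 1000 else "built-in")
    else:
        identifier, kind = None, "well-known/service SID"
    return {"sid": sid, "machine_or_domain": identifier, "rid": rid, "account_kind": kind}


def inventory_recycle_bin(bin_tree: dict) -> list:
    """bin_tree maps each SID folder to {file name: bytes}; pairs every $I with its $R."""
    records = []
    for sid, files in bin_tree.items():
        owner = parse_sid(sid)
        for name, data in files.items():
            if not name.startswith("$I"):
                continue
            r_name = "$R" + name[2:]
            rec = parse_dollar_i(data)
            rec.update(sid=sid, account_kind=owner["account_kind"],
                       data_file=r_name, data_present=r_name in files)
            records.append(rec)
    return sorted(records, key=lambda r: r["deleted_at"])


# --- constructed sample bin ----------------------------------------------------
def build_dollar_i(path: str, size: int, deleted_at: datetime) -> bytes:
    raw = path.encode("utf-16-le")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + raw.ljust(520, b"\x00")


USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"    # made-up local account
ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-500"    # same machine, RID 500
SAMPLE_BIN = {
    USER_SID: {
        "$IQX7F2M.docx": build_dollar_i(r"C:\Users\jsmith\Documents\coursework.docx", 48_213,
                                        datetime(2013, 4, 10, 9, 30, tzinfo=timezone.utc)),
        "$RQX7F2M.docx": b"PK\x03\x04" + b"\x00" * 16,
    },
    ADMIN_SID: {
        "$I3K9ZZA.log": build_dollar_i(r"C:\Windows\Temp\setup.log", 1_024,
                                       datetime(2013, 4, 9, 17, 5, tzinfo=timezone.utc)),
        # no matching $R: the data file was itself wiped or overwritten
    },
}

if __name__ == "__main__":
    for rec in inventory_recycle_bin(SAMPLE_BIN):
        print(rec["deleted_at"], rec["account_kind"], rec["original_path"],
              "data present:", rec["data_present"])
```

The $I record survives even when the $R data file has been overwritten, so the original path, size and deletion time can still be placed on the timeline and attributed to the SID-named folder; the machine-or-domain part of the SID is what lets the examiner match that folder against the profiles found under 'Users' on another drive.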

2.6.3 E-Mail Activity

Email recovery is dependent upon the type of email system used. If using an application such as

Outlook, then the email activity would be stored within the configuration files stored in the

folder ‘AppData’ in the user profile.

However, if the user has been using an online email system such a Gmail, Hotmail or

Outlook.com then the emails would not be stored locally. Due to this the emails may not be able

to be fully recovered. To overcome this, the internet history and cookies could be used to

identify commonly used sites and highlight email addresses stored within those files.

2.6.4 Internet Activity

As can be seen from Table 2-1, a folder within every user account contains all the cookies used

when the user has browsed the internet. However, in later versions this folder has been

relocated to a folder within the hidden ‘AppData’ folder that is also located within every user

account folder.


This has been done to ensure that all the user's data is secured within the user profile so that it cannot be accessed by another profile without administrative privileges. If the drive in question is not a primary drive, then there may not be many internet related files stored on it, because the user profile is not located on that drive.

The internet history will depend upon the browser that has been used, such as Internet Explorer, Google Chrome or Mozilla Firefox. The most common browser, by installation, is Internet Explorer as this comes as standard with all versions of Microsoft Windows. The internet history is typically stored under the user's folder within the ‘AppData’ folder, similar to the cookies location. Within that folder will be the browser configuration folder that in turn contains the cookies and browsing history.

2.6.5 Personal Account Files

Within a user account directory are several important sub folders that can be used to identify the type of user, their activities and the files they store. Under the main user directory on a Windows system are folders such as Downloads, Documents, Pictures and Music. Within these folders are the personal documents that relate to a user. By analysing these folders it is possible to locate pictures of users, documents they have created and a timeline of possible events.

A timeline of file creation and modification can be created by analysing the metadata of each file. The metadata can be used to determine when a file was created and the user account that created it, along with the corresponding details for modification.


3 Phase Two - Findings

3.1 Introduction

This section of the report details all the findings made during the analysis of the evidential artefacts. The initial steps, as per procedure, are to locate the partitions and boot records.

3.2 Partitions

During the initial analysis it was noted that the main drive is not of a bootable kind, as confirmed by the lack of an MBR in sector 0 of the drive. In the place where the MBR would be expected, the VBR was located. Locating only a VBR indicates that the drive in question is a secondary drive on a computer system.

3.2.1 VBR Analysis

Upon locating and analysing the VBR, located in sector 0 of the drive, it is noted that the drive in question was formatted with the file system type NT, see Appendix E.2. From the VBR it can be seen that the entire drive is a single partition with no additional partitions. This is also confirmed by the presence of a backup VBR located in the last usable sector of the drive, see Appendix E.2.2.

Located in the first three bytes of the VBR it is noted that the bytes per sector are 512 and the sectors per cluster are 8, confirmed in Appendix E.2.
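As an added illustration of the sector 0 checks described above (not part of the TPR report or its EnCase workflow), the Python below classifies sector 0 as an MBR or an NTFS VBR, reads the BIOS Parameter Block fields at their documented offsets (bytes per sector at 0x0B, sectors per cluster at 0x0D, total sectors at 0x28) and looks for the backup VBR in the last sector of the image. The image, the $MFT cluster and the sector counts are constructed sample values; the total-sectors figure is chosen so that the computed capacity and cluster count match the figures in Appendix E.2.

```python
"""Added example (not from the TPR report): decide whether sector 0 holds an
MBR or an NTFS VBR, decode the NTFS BPB fields, and locate the backup VBR."""
import struct

SECTOR = 512  # assumed sector size used to slice the constructed image


def sector0_kind(sector: bytes) -> str:
    """Classify sector 0 as 'ntfs-vbr', 'mbr' or 'unknown'.

    Both an MBR and a VBR end in the 0x55AA signature, so the signature alone
    cannot tell them apart; the NTFS OEM ID at offset 3 can.
    """
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        return "unknown"
    if sector[3:11] == b"NTFS    ":
        return "ntfs-vbr"
    # Heuristic for an MBR: four 16-byte partition entries at offset 446, a
    # used entry having a boot flag of 0x00 or 0x80 and a non-zero type byte.
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] in (0x00, 0x80) and entry[4] != 0:
            return "mbr"
    return "unknown"


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Decode the NTFS BIOS Parameter Block at its documented offsets."""
    if sector0_kind(sector) != "ntfs-vbr":
        raise ValueError("not an NTFS volume boot record")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    total_sectors, = struct.unpack_from("<Q", sector, 0x28)
    mft_cluster, = struct.unpack_from("<Q", sector, 0x30)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "capacity_bytes": total_sectors * bytes_per_sector,
        "total_clusters": total_sectors // sectors_per_cluster,
    }


def find_backup_vbr(image: bytes, bytes_per_sector: int = SECTOR) -> bool:
    """True when the last sector of the image is a byte-for-byte copy of sector 0."""
    return image[-bytes_per_sector:] == image[:bytes_per_sector]


def build_sample_vbr(total_sectors: int) -> bytes:
    """Construct a minimal NTFS VBR (sample data, not from the evidence drive)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"                  # jump instruction
    vbr[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)      # bytes per sector
    vbr[0x0D] = 8                               # sectors per cluster
    struct.pack_into("<Q", vbr, 0x28, total_sectors)
    struct.pack_into("<Q", vbr, 0x30, 786432)   # $MFT cluster (constructed)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def build_sample_image() -> bytes:
    """Tiny constructed image: VBR, three empty sectors, backup VBR at the end.

    The total-sectors field carries a figure matching Appendix E.2 even though
    the sample itself is only five sectors long.
    """
    vbr = build_sample_vbr(37_190_408)
    return vbr + bytes(SECTOR * 3) + vbr


if __name__ == "__main__":
    image = build_sample_image()
    print("sector 0 holds:", sector0_kind(image[:SECTOR]))
    for key, value in parse_ntfs_vbr(image[:SECTOR]).items():
        print(f"{key}: {value:,}")
    print("backup VBR in last sector:", find_backup_vbr(image))
```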

3.3 Operating Systems

During the analysis of the drive, the examiner confirmed that no operating system has been installed onto this drive. The drive, confirmed to have the NT file system, does not contain an MBR and is therefore a non-bootable device. However, had the drive contained remnants of an MBR, this would have indicated that there may have been an OS on it at some point.

3.4 Structure of the Drive

The drive is structured in a way that shows the user has been saving files directly to the drive. There is no single top-level folder; all folders are stored directly under the main volume. This can be seen from Appendix E.3, which documents the top level folder structure.

3.5 User Accounts

As the drive in question is not an operating system drive, there is no user accounts folder. Due to this it is not possible to identify the usernames of users that have accessed the system. However, it is possible to identify the SIDs of accounts that have accessed the drive by analysing the $MFT and the $Recycler folder. Appendix E.6 lists the accounts that were in use on the volume, along with a breakdown of the SID information.


3.5.1 Identified User SID Accounts

Table 3-2 shows the accounts that have been highlighted as owners or creators of folders located within the root of the drive. This can be confirmed from the analysis undertaken on the folder creation and permissions shown in Appendix E.6.3. The user accounts highlighted below indicate two users, who accessed the machine by two methods, local and domain access.

Table 3-2 - Priority User Accounts

Name                  SID
                      S-1-5-21-1077148053-4198568005-59594
Domain Users          S-1-5-21-1077148053-4198568005-513
Olga Angelopoulou     S-1-5-21-725345543-1532298954-1003
None                  S-1-5-21-725345543-1532298954-513

Using the information above, it is indicated that the owner of the drive is one of the account SIDs listed. The SID that has a name alongside it has been highlighted because several additional files have been noted as created under this username.
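The following Python is an added example, not part of the TPR report, showing how SIDs such as those in Table 3-2 can be split into their issuing authority (the domain or standalone-machine identifier) and relative identifier (RID), so that the accounts can be grouped by the system that created them. Only the SID values come from the table; the well-known RID labels are standard Windows values, and the owner listing the code runs over is constructed for illustration (the folder-to-owner pairing is hypothetical).

```python
"""Added example (not from the TPR report): split Windows SIDs like those in
Table 3-2 into issuing authority and RID, and group them by issuer."""
from __future__ import annotations

import re
from collections import defaultdict

# Matches the textual SID form S-<revision>-<authority>-<sub>-...-<rid>
SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")

# Well-known RIDs under the NT authority. The 513 group is displayed as
# "None" on a standalone machine, which is how it appears in Table 3-2.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_sid(sid: str) -> dict:
    """Return revision, authority, issuing domain identifier, RID and a label."""
    match = SID_RE.fullmatch(sid.strip())
    if not match:
        raise ValueError(f"not a SID: {sid!r}")
    subauthorities = [int(x) for x in match.group(3).strip("-").split("-")]
    rid = subauthorities[-1]
    if rid in WELL_KNOWN_RIDS:
        kind = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        kind = "user-created account or group"
    else:
        kind = "built-in"
    return {
        "revision": int(match.group(1)),
        "authority": int(match.group(2)),
        # Everything between the authority and the RID identifies the
        # issuing domain or standalone machine.
        "domain_id": "-".join(str(x) for x in subauthorities[:-1]),
        "rid": rid,
        "kind": kind,
    }


def extract_sids(text: str) -> list[str]:
    """Pull every SID out of free text such as a permissions or folder listing."""
    return [m.group(0) for m in SID_RE.finditer(text)]


def group_by_domain(sids: list[str]) -> dict[str, list[int]]:
    """Map each issuing domain/machine identifier to the RIDs seen under it."""
    groups: dict[str, list[int]] = defaultdict(list)
    for sid in sids:
        parsed = parse_sid(sid)
        groups[parsed["domain_id"]].append(parsed["rid"])
    return dict(groups)


# Constructed owner listing in the style of a folder permissions export. The
# SID values are those of Table 3-2; which folder each one owns is hypothetical.
SAMPLE_LISTING = """
\\Docs      owner  S-1-5-21-725345543-1532298954-1003
\\Email     owner  S-1-5-21-1077148053-4198568005-59594
\\Pictures  owner  S-1-5-21-725345543-1532298954-1003
\\Docs      group  S-1-5-21-725345543-1532298954-513
\\Email     group  S-1-5-21-1077148053-4198568005-513
"""


def describe(listing: str) -> dict[str, list[int]]:
    """Group every SID in the listing by issuer; two keys mean two separate
    machines or domains wrote to the volume."""
    return group_by_domain(extract_sids(listing))


if __name__ == "__main__":
    for domain, rids in describe(SAMPLE_LISTING).items():
        print(domain, sorted(set(rids)))
```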

3.5.2 Profile Characteristics

As there are no user profiles on the volume, there is very little to indicate the characteristics of a user. However, the characteristics found show that the drive was used by the indicated SIDs for external storage.

3.5.3 E-Mail Activity

Using the above SIDs and names, a search was undertaken to highlight possible email addresses and emails. After the initial analysis, two folders were highlighted, one deleted and one live. Both of these folders were named ‘Email’, which indicated that they might contain emails.

Upon analysis, the live folder was found to be empty and contained no files. The deleted folder contained two sub folders holding emails for a username of ‘oangelop’, as can be seen from Appendix E.7. This username is a shortened form of the name Olga Angelopoulou highlighted during the SID analysis. After analysing the folders, the permissions were again checked, with the owner of the folder being the SID for the unknown account in Table 3-2.

3.5.4 Internet Activity

As the drive is not an operating system volume, there are no folders that store cookies or other internet related files. Typically the internet files on a Windows system (the drive being an NT file system) are stored under the user account folder to keep those files secure to that user. After undertaking several searches for web addresses, several results were highlighted for internet searches. The majority of the searches were for general use and for searches relating to files stored on the drive. Several of the results are shown in Appendix E.8.

3.5.5 Personal Account Files

Upon analysing the drive structure, it was indicated that two users had been using the drive to store files outside of their normal computer system. This was indicated by the presence of folders called ‘Docs’ and ‘Email’. Analysing the Docs folder indicated this was a storage repository for documents that had been created, downloaded or copied. Within the deleted Email folder, several emails containing pictures were found along with a folder containing several additional picture files.

3.6 Timeline of Drive

Upon analysing the drive, the volume was found to have been created in 2004 when it was formatted with the NT file system, as seen from Appendix E.4. Since this date the drive has had steady use with files being created and stored, as seen from Appendix E.5. However, upon analysing the entire timeline of the drive, there are files with dates prior to 2004. Analysis of these files indicated they were copied from another source and saved to this drive by the user. The files located date back to the early 1990s.


4 Phase Three – Conclusion and Completion of Case

Concluding the analysis phase of the investigation, it was deemed that the drive in question is not a booting drive but rather a storage drive, used either internally wired or in a caddy. This finding posed several issues for the investigation: as the drive could not be shown to be an OS volume, the analysis had to identify the creators and owners of folders stored within the volume.

By analysing the folders, both live and deleted, it was possible to find information relating to SIDs that have accessed the drive. By also analysing the permissions of these folders it was possible to pinpoint the actual creators and owners of these folders.

To conclude the findings of the investigation, it has been highlighted that the drive was used for secondary storage only and not for an OS, which means it is not possible to pinpoint a single owner of the drive without access to a machine or domain with the same identifier. However, the analysis indicated that four SIDs were the primary users and can be pinpointed as the owners, or past owners, of the drive.

The drive was formatted with NTFS in 2004, but does contain files dated prior to this, which indicates that the drive was used before then and was since formatted to be used again. However, the ownership could have changed, which may have been the reason for the formatting.

The owner of the drive cannot be completely verified without the original computer that the drive was used with. This means that further investigation needs to be undertaken to highlight possible computers or networks where the drive would have been used. It was also indicated that the drive in question was used in conjunction with Glamorgan University, which could be a starting point for further investigation.

Once a network is located with the same domain identifier, the computers and users could be located and their computers analysed. Due to the lack of user information on the drive it is not possible to identify who the actual volume creator is. However, the creation date stamps indicate that the possible creator is one of the SIDs. The information regarding the SIDs found during the investigation can be found in Appendix E.6, which states the different areas in which user IDs were found. This also indicates the specific creators and owners of folders on the drive.

As indicated by the findings in phase 2, the drive does not contain an operating system, due to the lack of an MBR and the fact that only a VBR is found on the drive, as seen in Appendix E.2. The outcome of this indicated that the drive only contained a single partition, proved by the findings in Appendix E.4.

Upon completion of the analysis, the Case Officer has now taken control of the report and will submit it to the client upon agreeing the conclusions.


5 Bibliography

5.1 Mobile Forensics

http://www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf

http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf

http://csrc.nist.gov/publications/nistir/nistir-7387.pdf

5.2 MBR Information

http://superuser.com/questions/420557/mbr-how-does-bios-decide-if-a-drive-is-bootable-or-not

http://technet.microsoft.com/en-us/library/cc940349.aspx

http://books.google.co.uk/books?id=wuUuTXMkNx8C&pg=PA72&lpg=PA72&dq=mbr+partition+popularity&source=bl&ots=QanCnIdhMD&sig=_731e1jnYlKChbxBJRu8BuuTCVY&hl=pt-PT&ei=RpGgTb7EGY6FtgfMy7meAw&sa=X&oi=book_result&ct=result&redir_esc=y#v=onepage&q&f=false

http://thestarman.pcministry.com/asm/mbr/mystery.htm

5.3 User IDs and SIDs

http://support.microsoft.com/kb/136517/EN-US

http://support.microsoft.com/kb/243330

5.4 Guidelines

ACPO Guidelines - http://library.npia.police.uk/docs/acpo/digital-evidence-2012.pdf


6 References

Police.uk (2012) ACPO Good Practice Guide for Digital Evidence: March 2012. [Online] Available from: http://library.npia.police.uk/docs/acpo/digital-evidence-2012.pdf. [Accessed: 14th March 2013]

Microsoft Support (2007) How the Recycling Bin Stores File. [Online] Available from: http://support.microsoft.com/kb/136517/EN-US. [Accessed: 17th March 2013]


Appendices

The following section of this report documents all additional appendices that are attached to this case.


Appendix A Case Management

Appendix A.1 Authorisation Documentation

TPR Group: Case Request Report

Case Request Report CRR1

Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Critical / Urgent / Standard

Case officer:    Date & Time call received: _ _ / _ _ / _ _ _ _   _ _ : _ _

Client Name:    Company Name:

Contact Email Address:    Contact Phone No:

Fax No:    Alternative Mobile No:

Address of incident: Address 1 / Address 2 / County / Postcode / Country

Size of organisation: Small / Medium / Large    National / International

Nature of incident:

Date of incident: _ _ / _ _ / _ _ _ _

Number of Items involved:    Isolated / Un-isolated network

Operating system used within the organisation: Windows / Unix Based / Mac OSX / Mobile OS / Other……………………………

Shared devices / Personal

Is the scene safe: Yes / No    If No please state:

Client Signature:    Name Printed:

Date _ _ / _ _ / _ _ _ _    Time (HH:MM) _ _ : _ _


Case Request Report Initial Meet

Case number TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Date _ _ / _ _ / _ _ _ _

Case officer    Time _ _ : _ _

Client Name    Company Name

Contact Email Address    Contact Phone No

Fax No    Alternative Mobile No

Any additional new information

Name of persons who have access to items

Usernames for items involved (if relevant)    Account passwords (if relevant)

Client Signature    Date _ _ / _ _ / _ _ _ _

Case Officer Signature    Date _ _ / _ _ / _ _ _ _


TPR GROUP

AUTHORISATION FOR RELEASE, ACQUISITION AND ANALYSIS OF ALL RELATED MEDIA DURING THE FORENSIC INVESTIGATION

Please carefully read and understand this authorisation form to enable the release of information, documentation and media for the reported case, then sign and date.

I authorise any representative of the TPR Group to enter the scene of the incident for the purpose of examining, and extracting if required, media related to the reported case.

I authorise any representative of the TPR Group entering the scene of the incident to photograph, document and report all relevant details required for the investigation.

I authorise any representative of the TPR Group to gather additional information from witnesses at the scene of, or related to, the incident when reasonable and relevant.

I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations if found to be related to terrorist or illegal activity.

I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations upon request by any legally authorised parties.

This form is valid up until the point the case is released from TPR Group, at which time release documents will be signed and all case materials released to the authorised person below, or their representative, if legally possible.

TPR Representative:

Print Name __________________________    Signature ____________________    Date Signed _ _ / _ _ / _ _ _ _

The Client's Authorised Representative:

Print Name __________________________    Signature ____________________    Date Signed _ _ / _ _ / _ _ _ _

Position within Organisation __________________________    Organisation _____________________________________________


TPR Group: Case Scene Report

CLIENT AUTHORISATION

Signature    Date _ _ / _ _ / _ _ _ _

TPR DETAILS

Enter Date _ _ / _ _ / _ _ _ _    Enter Time _ _ : _ _ (HH:MM)

Case No TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Case Manager

Is the scene safe to enter? Yes / No (state why)

TEAM ATTENDING – (Cross out blank boxes)

Name    Position    Time (HH:MM)    Signature

(five blank rows, each with a time of _ _ : _ _)

ENTRANCE & EXITS

Number of Exits    Are any Fire Exits Yes / No

SCENE DOCUMENTATION

Panoramic Photo Yes / No    Witnesses Yes / No    Secured Witnesses Yes / No

CCTV Available Yes / No    CCTV Acquirable No / Yes --> CCTV Evidence No Case No + _ _ _ _

Draft Blueprint of Scene

TPR STAFF DETAILS

Exit Date _ _ / _ _ / _ _ _ _    Exit Time _ _ : _ _ (HH:MM)    Signature

Case Officer    Client


Appendix A.2 Case Evidence Collection Form

TPR GROUP

Investigations Unit

This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.

Case number TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Evidence number Case No + _ _ _ _

Case Manager    Original / Duplicate    Original No _ _ _ _

Evidence Type

Evidence Location:

Vendor Name    Model No    Serial No    Additional Notes

Description of evidence:

Evidence Recovered By    Date _ _ / _ _ / _ _ _ _    Time (HH:MM) _ _ : _ _

Signature


CHANGE OF CUSTODY

This form is to be used for only one piece of evidence

Fill out a separate form for each piece of evidence.

Who (From / To)    Reason    Comments    Authorisations    Signatures    Date & Time

(four blank rows, each with a From line and a To line, a date _ _ / _ _ / _ _ _ _ and a time _ _ : _ _)

Additional Page Signature: __________________________    Page ___ of ___    Initial ___ ___


CHAIN OF ACCESS

This form is to be used for only one piece of evidence

Fill out a separate form for each piece of evidence.

Name    Date & Time Out    Reason    Signature    Date & Time In    Signature

(twelve blank rows, each with a date _ _ / _ _ / _ _ _ _ and time _ _ : _ _ for both the out and in columns)


Appendix A.3 Crime Scene Management Diagrams

Appendix A.3.1 Attending the Crime Scene


Appendix A.3.2 Acquisition of the Scene

Appendix A.3.3 Device Acquisition

1. Secure devices of evidentiary value.
2. Assess the system status;
   a. If the system is live;
      i. Collect write blocker; if none available contact Case Officer,
      ii. Set up Forensic Acquisition Workstation,
      iii. Connect write blocker,
      iv. Connect evidential device,
      v. Start acquisition of volatile media,
      vi. Confirm acquisition,
      vii. Follow the procedure for the specific device and Operating System type.
   b. If the system is switched off;
      i. Do not turn it on,
      ii. If the device is not openable, acquire entire device if possible,
      iii. If not possible, can the storage media be removed?
         1. No, then image at the scene as a live system,
         2. Yes, acquire media if possible and continue,
      iv. Bag and tag the evidence,
      v. Store for transportation,
      vi. Check for other evidential media within device and acquire,
      vii. Close device and document.
3. Check scene for further evidence.
4. Document scene.
5. Hand back to Case Officer.
6. Case Officer to have final check of scene.
7. Hand back to client.


Appendix A.3.4 Device Specific Acquisition


Appendix A.4 Forensic Examiners Toolkit

Appendix A.4.1 Specialist Forensic Hardware

All of the following equipment will be taken to every crime scene.

Check    Item

Network Cables (Multiple) – both straight through and crossover
Floppy Drive (external with USB connector)
CD/DVD Drive (external with USB connector)
Hard Drives (several sizes) – with SATA, PATA, IDE connectors
EnCase Acquisition Kit
Digital Camera & backup photographic device
Connection Cables (USB, HDMI, Firewire, VGA, IDE, etc.)
Female-Male Cable Converters for all of the above
Compact Discs (CD) spindle with several discs
Digital Versatile Discs (DVD) spindle with several discs
Acquisition Machine with forensic software as below & backup
Network Detector
Network Blocker
Internet Dongle
Write Blocker
Battery Power backup device
XRY Mobile Acquisition Kit
Card Reader
Mouse Jiggler
Second Monitor
External Hard Disc Caddy (2.5 inch and 3.5 inch)

Appendix A.4.2 Specialist Forensic Software

Check    Item

LinEn Disc or USB
EnCase 6 & 7
Linux Bootable
Personalised Windows Operating System Backup
Personalised Mac OS Backup
Forensic Tool Kit 4
Micro Systemation XRY (latest stable version)
Backup of Forensic Software & Licences


Appendix A.4.3 General Forensic Equipment

Check    Item

Seizure Bags
Tags
Cable Ties
Archival-grade permanent marker
Voice Recorder
Magnifying Glass
Tools (non-magnetic and magnetic): straight head and Phillips screwdrivers with specialist head variations, pliers, wrench
Anti-static wrist band
Power Extension leads (5m, 10m, 15m, 20m, 25m)
Dust Brush
Gloves
Mirror
Faraday Bag
Evidence Forms
Keyboard
Mouse
Authorisation / Warrant
Identification
Bubble Wrap
Certifications (copies)
Contact Numbers
Photo Card & Numbers for photographing evidence


Appendix A.5 Questions for Cases

Appendix A.5.1 Initial Contact Questions

Company and Contact Details

What is your name and position?
Are you in charge of day to day activities at the location of the device?
If not, do you have enough technical knowledge to answer the preliminary questions that are used to assess the situation, so that TPR can prepare for your specific case?
What is the name and nature of the Company?
What is the size of the company?
How many people are employed?
Over how many sites does the company span?
What is the location of the company the enquiry is regarding, and who is the person in charge?

Incident details

What is the nature of your call, and when did the incident occur?
Were there other members of staff or civilians involved?
If so, who are they?
What was their position or authority at the time of the incident?

Device details

What are the devices?
Where is or are the devices in question located within the company?
Is the device(s) connected within a networked environment?
If so, what is the size of the network?
Is the device(s) isolated?
Do you know the operating system of the machines?


Explain that the devices in question should not be used for any reason at all, as any potential evidence may be destroyed or changed.

Stop any persons from accessing the scene with any electronic devices.

Appendix A.5.2 At the Scene Questions

Initial questions

Is the computer networked to external sources?
To a server? An intranet? A file server?
What access rights does this particular user hold?
To the internet? Through a wireless connection? A wired connection?
What security measures are in place?

Preliminary questions

Has anything changed since the last time we talked? If so, add these details to the CSR1 form.
Has anyone used or had access to the computer? If so, add these details to the CSR1 form.

Appendix A.5.3 Witness Questioning

The following questions are not case specific and must be tailored to suit each individual case; this is managed and prepared by the Case Officer.

Before conducting an interview the Case Officer must explain the purpose of the interview and introduce themselves to the witness. Throughout the interview the Case Officer must be polite to the witness, and punctuality is important at all times.

What is your role and what are your responsibilities?
Who is your supervisor?


Is there anyone else who has authorisation for this department besides you?
What are the procedures relating to the IT equipment within this department?
What are the administrative passwords?
Are there any security measures currently in place protecting this equipment?
Can you explain the crime scene according to your knowledge?
Who did you contact first after seeing the incident?
Is there any wireless connection?
Would you provide your contact details?


Appendix B ACPO Guidelines – 2012 Edition

The ACPO Guidelines are a document developed by 7Safe in conjunction with the Association of Chief Police Officers. Within this document are four principles that are used as a guide, which are:

Principle 1:

No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.

Principle 2:

In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3:

An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same level.

Principle 4:

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

The above principles were taken directly from the ACPO Good Practice Guide for Digital Evidence document, (Police.uk, 2012).


Appendix C Analysis Procedures

Appendix C.1 Hard Drive Analysis Form

TPR Group

Examination Process Procedure – Windows

Upon successful acquisition of the storage device, the drive is then required to be duplicated onto a sterile storage drive. This duplicate is then analysed, not the original artefact, using the following procedure:

Task    Notes    Completion

Verify drive image against original hash    ☐
Locate Master Boot Record    ☐
Locate Volume Boot Record    ☐
Locate Backup Sectors    ☐
Locate Logical Size of Disc (Sectors)    ☐
Locate Physical Size of Disc (Sectors)    ☐
Locate Hidden Sectors    ☐
Locate Operating System Version    ☐
Locate Useful Windows Files (SWAP etc.)    ☐
Locate Installed Applications    ☐
Locate Unallocated Space    ☐
Locate Deleted Artefacts    ☐
Complete File Signature Analysis    ☐
Complete Hash of Every File    ☐
Complete Keyword Search    ☐
Search for File Types    ☐
Search for Emails    ☐
Search for Email Addresses    ☐
Search for Internet History    ☐
Search for Folder Structure    ☐
Search for Timeframe of Artefacts    ☐


Appendix C.2 Evidence Analysis Log Form

TPR Group – Evidence Analysis Log

Date _ _ - _ _ - _ _ _ _    Time _ _ : _ _    Case Number TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Investigator

Requirements:

Notes

(ruled lines for handwritten notes)


Appendix C.3 User ID Profile Form

TPR Group – User ID Profile

User ID (SID)
Alias (Name of Account)
Location Found
Description (ruled lines)

User ID (SID)
Alias (Name of Account)
Location Found
Description (ruled lines)


Appendix D Analysis Process Diagrams

Appendix D.1 Initial Analysis (MBR and VBR)


Appendix D.1.1 Partition Tables

Byte Offset    Name    Description

446    Boot    Either hexadecimal 80 for an active partition or 00 for non-active
447    Start Head    The starting head for the partition
448    Start cylinder and sector    Starting cylinder (10 bits) and sector (6 bits)
450    Partition Type    Stipulates which type of partition this is
451    End Head    The ending head for the partition
452    End cylinder and sector    Ending cylinder (10 bits) and sector (6 bits)
454    Relative Sector    Number of sectors prior to the start of the partition
458    Total Sectors    Total number of sectors within the partition


Appendix D.1.2 Partition Types (File Systems)

Hexadecimal Code    Partition Type

00    Unused Partition Entry
01    FAT 12
04    FAT 16
06    FAT 16B
07    NTFS
A8    UFS
AF    HFS (HFS+)
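The following Python is an added example, not from the TPR report, that parses MBR partition entries using the offsets in Appendix D.1.1 and the type codes in Appendix D.1.2 (including the packed cylinder/sector bytes), and then checks the resulting layout against the disk size, which is a quick way to spot a damaged or hand-edited table. The sample MBR, its partition sizes and the disk size passed to the check are constructed values.

```python
"""Added example (not from the TPR report): decode the four 16-byte partition
entries at offset 446 of an MBR, per Appendix D.1.1 / D.1.2, and sanity-check
the layout they describe."""
import struct

# Type codes from Appendix D.1.2
PARTITION_TYPES = {
    0x00: "Unused Partition Entry",
    0x01: "FAT 12",
    0x04: "FAT 16",
    0x06: "FAT 16B",
    0x07: "NTFS",
    0xA8: "UFS",
    0xAF: "HFS (HFS+)",
}
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"   # boot, start CHS, type, end CHS, relative, total


def decode_chs(raw: bytes) -> tuple:
    """Unpack a 3-byte head / sector / cylinder field into (cylinder, head, sector).

    Byte 0 is the head; the low 6 bits of byte 1 are the sector; the high 2
    bits of byte 1 joined with byte 2 give the 10-bit cylinder.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    """Inverse of decode_chs; used here only to build the constructed sample."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_partition_table(sector0: bytes) -> list:
    """Return one dict per used entry; raise if the 0x55AA signature is absent."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        boot, start_chs, ptype, end_chs, rel, total = struct.unpack_from(
            ENTRY_FORMAT, sector0, TABLE_OFFSET + ENTRY_SIZE * i)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            "type_code": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "start_chs": decode_chs(start_chs),
            "end_chs": decode_chs(end_chs),
            "relative_sector": rel,
            "total_sectors": total,
        })
    return entries


def check_layout(entries: list, disk_sectors: int) -> list:
    """Flag entries that run past the end of the disk or overlap one another."""
    issues = []
    spans = sorted((e["relative_sector"], e["relative_sector"] + e["total_sectors"],
                    e["index"]) for e in entries)
    for start, end, idx in spans:
        if end > disk_sectors:
            issues.append(f"entry {idx} ends at sector {end}, beyond disk size {disk_sectors}")
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"entry {i1} and entry {i2} overlap")
    return issues


def build_sample_mbr() -> bytes:
    """Constructed MBR: an active NTFS partition followed by a FAT 16B one.
    All values are samples, not figures from the evidence drive."""
    mbr = bytearray(512)
    struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET,
                     0x80, encode_chs(0, 1, 1), 0x07, encode_chs(1023, 254, 63),
                     63, 20_000_000)
    struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET + ENTRY_SIZE,
                     0x00, encode_chs(1023, 254, 63), 0x06, encode_chs(1023, 254, 63),
                     20_000_063, 10_000_000)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    for entry in table:
        print(entry)
    print("layout issues:", check_layout(table, 37_190_412))
```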


Appendix E Findings

Appendix E.1 Initial Acquisition

Case Creation Details

Accessing the drive for acquisition


Identification of the drive in question.

Confirmation that the drive was write blocked to prevent alteration.


Parsing the details of the evidence drive.

Adding the acquisition files to the case.


Details recorded for the acquisition itself.


Evidence added ready for analysis.

Hash confirmation of the drive confirming no alteration has occurred during acquisition.


Appendix E.2 Drive Structure

The following details concern the drive in question and the acquisition machine. The first two tables below detail the serial numbers for the evidence drives, the file system types and the drive specification details.

The third table details the acquisition with regard to the storage locations, verification hashes and whether the drive was write blocked during acquisition.

Serial Number         9683-E291
Full Serial Number    29683F09683E291
Driver Information    NTFS 3.1

File System           NTFS
Sectors per cluster   8
Bytes per sector      512
Total Sectors         37,190,412
Total Capacity        19,041,488,896 Bytes (17.7GB)
Total Clusters        4,648,801
Unallocated           18,930,753,536 Bytes (17.6GB)
Free Clusters         4,621,766
Allocated             110,735,360 Bytes (105.6MB)
Volume Name           Data Area
Volume Offset         0
Drive Type            Fixed

Name                  TPR000001-27-02-13-0003
Actual Date           04/03/13 16:43:04
Target Date           04/03/13 16:43:04
File Path             D:\Cases\TPR000001-27-02-13\Evidence\TPR000001-27-02-13-0003.E01
Case Number           TPR000001-27-02-13
Evidence Number       TPR000001-27-02-13-0003
Examiner Name         P.Green
Notes                 Investigation in Forensic Laboratory computer system
Label                 FastBloc
Model                 _FE_v2,_Guidance
Drive Type            Fixed
File Integrity        Completely Verified, 0 Errors
Acquisition MD5       824d4cc6e7aaae196a0f662d5c8a862e
Verification MD5      824d4cc6e7aaae196a0f662d5c8a862e
Acquisition SHA1      c168adaabd6acf4d0f699c1caf32569ef7f6a320
Verification SHA1     c168adaabd6acf4d0f699c1caf32569ef7f6a320
GUID                  d7d9cd26b0c1574bb7bd071f04d12c7a
EnCase Version        6.19.4
System Version        Windows 7
Write Blocked         Fastbloc
Neutrino              False
Is Physical           False
Raid RHS              False
Raid Stripe Size      0
Error Granularity     64
Process ID            0
Index File            D:\Cases\TPR000001-27-02-13\Index\TPR000001-27-02-13-0003-d7d9cd26b0c1574bb7bd071f04d12c7a.Index
Acquisition Info      False
Sources               False
Subjects              False
Read Errors           0
Missing Sectors       0
Disk Elements         False
CRC Errors            0
Compression           Good
Total Size            19,041,490,944 Bytes (17.7GB)
Total Sectors         37,190,412
Disk Signature        00000000
Partitions            Valid


Appendix E.2.1 Volume Boot Record


Appendix E.2.2 Backup Volume Boot Record

Appendix E.3 Folder Structure

└─TPR000001-27-02-13-0003
  ├─$Extend
  ├─b3020c27961fa086e56fff75
  ├─b7a4536994c56db768be6df31111da80
  ├─Docs
  ├─e5bfa4a130271a7db945be5d16d0
  ├─Email
  ├─Email
  ├─msdownld.tmp
  ├─MSIb03d4.tmp
  ├─MSIbdd2c.tmp
  ├─MSIefae2.tmp
  ├─MSOCache
  ├─RECYCLER
  ├─System Volume Information
  ├─Temp
  ├─webmail
  └─Lost Files


Appendix E.4 Volume Creation

The following table documents the creation, access and modification dates of the $MFT, which is created when the drive is formatted with the NT file system.

Bookmark Type         Notable File
Comment               $MFT Creation
Page Break            False
Show Picture          True
Entry Selected        False
File Offset           0
Name                  $MFT
In Report             True
Description           File, Internal, Hidden, System
Is Deleted            False
Last Accessed         16/06/04 09:18:24
File Created          16/06/04 09:18:24
Last Written          16/06/04 09:18:24
Entry Modified        16/06/04 09:18:24
File Acquired         04/03/13 16:43:04
Logical Size          5,931,008
Initialized Size      5,931,008
Physical Size         5,931,008
Starting Extent       0TPR000001-27-02-13-0003-C786432
File Extents          1
Permissions           True
References            1
Physical Location     3,221,225,472
Physical Sector       6,291,456
Evidence File         TPR000001-27-02-13-0003
File Identifier       0
Code Page             0
Hash Properties       False
Full Path             TPR000001-27-02-13\TPR000001-27-02-13-0003\$MFT
Is Duplicate          False
Is Internal           True
Is Overwritten        False
Bookmark Path         Drive Specifications\NoName
Bookmark Start        3,221,225,472
Bookmark Sector       6,291,456
Notable               False
Excluded              False
Sequence ID           1

TPR000001-27-02-13\TPR000001-27-02-13-0003\$MFT

$MFT Creation


Appendix E.5 Timeline of File


Appendix E.6 User Accounts

Appendix E.6.1 User Account Structure

The user account structure is similar across all operating systems using the NT file system. The structure is divided into five sections:

- String Identifier – for user accounts this is always ‘S’.
- Revision level of the string – the current revision level is 1.
- Identifier of the authority value – see the table below.
- Identifier of the local computer or domain – this depends upon the computer or domain.
- Relative Identifier – typically used to identify a user or group that is not created by default by the system.

Value   Authority
0       None
1       World
2       Local
3       Creation
4       Non-unique
5       NT
9       Resource Manager
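As an added example, not code from the report, the following Python splits a textual SID into the five sections listed above using the authority table, and carves SID strings stored as UTF-16LE from a raw byte buffer, which is how the $MFT hits in Appendix E.6.2 (the spaced "S - 1 - 5 - …" text) arise. The sample buffer is constructed here; the rule that RIDs from 1000 upwards denote accounts created after installation is the usual Windows convention, not something the report states.

```python
import re

# Identifier authority values as listed in the report's table (Appendix E.6.1).
AUTHORITIES = {0: "None", 1: "World", 2: "Local", 3: "Creation",
               4: "Non-unique", 5: "NT", 9: "Resource Manager"}

# Textual SID: "S-" revision "-" authority, then one or more sub-authority values.
SID_RE = re.compile(r"S-\d+-\d+(?:-\d+)+")


def parse_sid(sid):
    """Split a textual SID into the five sections described in Appendix E.6.1."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    rid = sub_authorities[-1]
    return {
        "string_identifier": parts[0],
        "revision": revision,
        "authority": AUTHORITIES.get(authority, f"Unknown ({authority})"),
        # Everything between the authority and the RID identifies the machine/domain.
        "domain_identifier": sub_authorities[:-1],
        "rid": rid,
        # Windows convention (assumption, not from the report): RIDs below 1000 are
        # reserved for built-in accounts and groups; later accounts start at 1000.
        "account_origin": "built-in" if rid < 1000 else "user-created",
    }


def carve_sids_utf16(data):
    """Recover textual SIDs stored as UTF-16LE in a raw buffer such as the $MFT.
    The string may begin on an odd byte offset, so both alignments are decoded."""
    found = set()
    for start in (0, 1):
        text = data[start:].decode("utf-16-le", errors="replace")
        found.update(m.group(0) for m in SID_RE.finditer(text))
    return sorted(found)


# Constructed sample buffer (not evidence data): 17 bytes of padding so the text is
# oddly aligned, a SID in the form seen in the Appendix E.6.2 hits, two filler
# bytes, then a well-known built-in SID (BUILTIN\Administrators).
SAMPLE_MFT_FRAGMENT = (b"\x00" * 17
                       + "S-1-5-21-1077148053-4198568005-1106".encode("utf-16-le")
                       + b"\xff\xff"
                       + "S-1-5-32-544".encode("utf-16-le"))
```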

Appendix E.6.2 User Accounts with the $MFT

Search hits for the keyword "S-1-5-" within the $MFT. The Preview column of the original is raw binary context around each hit and does not reproduce legibly; only the SID text that was legible in that context is shown here.

Name    Preview (SID legible in hit context)        Hit Text
$MFT    S-1-5-21-1077148053-4198568005-1106         S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    S-1-5-21-1077148053-4198568005-1106         S-1-5-
$MFT    S-1-5-21-854245398-1563985344-83952         S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    S-1-5-21-329068152-1972579041-72534         S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    S-1-5-21-1077148053-4198568005-1106         S-1-5-
$MFT    S-1-5-21-1077148053-4198568005-1106         S-1-5-
$MFT    (binary context, SID not legible)           S-1-5-
$MFT    S-1-5-21-854245398-1563985344-83952         S-1-5-
$MFT    S-1-5-21-725345543-1532298954-16069         S-1-5-

Appendix E.6.3 Owner of Folders


Appendix E.6.4 User – Olga Angelopoulou


Appendix E.6.5 Owner of Deleted Emails

Appendix E.7 Email

└─Email
  ├─oangelop.PAB
  │ └─PST Volume
  │   ├─Lost Items
  │   └─Message store
  └─oangelop.pst
    └─PST Volume
      ├─Inbox props
      ├─Lost Items
      ├─Message store
      ├─name-to id-map
      └─Root folder


Appendix E.8 Internet History

Avast Anti-virus

www.xamogelo.org

www.musicgr.com

www.greek-music-forum.com
