Computer Forensics CSG4106

Amit Sharma
10137743

Master of Computer and Network Security


Computer Forensics CSG4106
Assignment-2

Submitted to: Peter Hannay, Krishnun

2010

10137743, Amit Sharma


Contents

Contents ........................................................................ 2
Executive Summary ............................................................... 3
Tools Used For Analysing the Image .............................................. 4
Chain of Custody ................................................................ 5
Running Sheet ................................................................... 7
End of Part 1 (Running Sheet) .................................................. 21
Report on Findings ............................................................. 22
    All evidence images searched and collected from C:/ ....................... 22
    All findings of .bmp images under C:/ ..................................... 23
    All findings of .gif images under C:/ ..................................... 23
    All findings of .jpg images under C:/ ..................................... 24
    All findings for the .mp4 video file under C:/ ............................ 26
    All findings for the .doc files under C:/ ................................. 26
    All findings for the .rar files under C:/ ................................. 27
    All findings for the .zip files under C:/ ................................. 28
    All findings for the .exe files under C:/ ................................. 29
    All findings for the .htm files under C:/ ................................. 30
End of Report Findings ......................................................... 30
Investigation Process .......................................................... 31
Investigation Findings ......................................................... 33
Conclusion ..................................................................... 41


Executive Summary

The objective of this report is to explain the procedures and methods used in the computer forensic investigation of the supplied image, Assignment2.dd. The main task is to find the images of meerkats, which are strictly forbidden.

We have been contacted by a corporate client who has asked us to examine an image they have made of an employee's computer system. The employee is suspected of accessing images of meerkats, which are strictly prohibited under the terms of use the employee has signed and which, in the particular jurisdiction, may be against the law.

We assume that the seizure was carried out properly on site and that all the relevant procedures were followed. We also assume that the CAINE virtual machine, including all its tools, was already installed successfully under VMware on the host computer system used to investigate Assignment2.dd. All of the investigation was done inside the CAINE virtual machine.

All of the investigation was done by AMIT SHARMA on 2010-05-18. The image under investigation was downloaded from Edith Cowan University (ECU, Mt Lawley) on a university computer system. The downloaded image was named Assignment2, and all investigation was carried out on this image. After investigating Assignment2, various images, including meerkat images, .doc files, mp4 and avi video files, and zip files were obtained. Hash functions were used throughout to check that every file found remained the same and to maintain the integrity of the found files.

This document is divided into two parts:

• The first part is the Running Sheet, which includes the chain of custody, the log of events, and what, how and where things were done during the forensic investigation.

• The second part presents all the findings (images, document files and videos).


Tools Used For Analysing the Image

Forensics O.S: CAINE 4.03
Forensics Software: Autopsy, SDDUMPER
Virtual machine: VMware Products 3.0.1
Hardware Used: Lenovo S10e
RAM: 1 GB
Hard Disk: 40 GB
Processor: 1.60 GHz
Host Operating System: Microsoft Windows XP Home Edition with Service Pack 3, Version 2002
Documenting Application: Microsoft Word 2007
Other Hardware Used: USB 2.0 Thumb Drive, Kingston 8 GB
Function used to check Integrity: MD5, SHA1


Chain of Custody

Submitting Activity

Evidence Description: Employee has been suspected of accessing images of meerkats, which are strictly forbidden.
Evidence Collected From (name of the investigation head): Peter Hannay
Evidence Collected By (name of the investigator): Amit Sharma
Name of the Case: Assgnmnt2
Email Id of the Investigator: [email protected]
Location from which Image obtained: Edith Cowan University, Blackboard
Place Accessed: ECU, Forensic Lab
Name of the Image: Assignment2.dd
Date Started: 2010-04-20
Time: 5:17:24 PM
Name of Person Collecting Report: Peter Hannay and Krishnun

For Forensics Department Only

Chain of Custody Continued....

Finish Date & Time | Document Released By | Document Received By | Purpose for Chain of Custody
2010-04-23 16:28 | Initial: A. Name, Title: Amit Sharma, Mr | Initial: P. Name, Title: Peter Hannay, Mr | To record all the relevant information related to the forensic investigation.

Final Disposal Action:

Witness of Evidence

The documents listed above were made by the evidence custodian, in my presence, on the date indicated above.

Name, Title | Initial | Name as Signature
Vikas Sharma, Mr | I |
Srinivas Reddy, Mr | S |

I, AMIT SHARMA, hereby declare that the above information is correct to the best of my knowledge and belief.

Amit Sharma
10137743


Running Sheet
Log of Events

Sheet Number 1

Date & Day: 20-04-2010, Tuesday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
20-April-10 | 5:17:24 PM | Download the Assignment2.dd image file from the ECU website, i.e. https://software.scss.ecu.edu.au/units/CSG2305/Assignment2/dd/ | To start the investigation and to analyse the given image. | Amit | A
20-April-10 | 5:52:13 PM | Hash function used on the image, i.e. Assignment2.dd. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53 | To maintain the integrity of the image. | Amit | A
20-April-10 | 5:55:20 PM | Create a folder named 'investigation' in CAINE. | To save the Assignment2.dd file in the folder. | Amit | A
20-April-10 | 5:58:36 PM | Mount the image and copy the Assignment2.dd image file to the virtual machine (VMware, CAINE): mount /dev/sdc1 Assignment2 | To start mounting and analysing the files from Assignment2.dd. | Amit | A
20-April-10 | 6:03:07 PM | Again, hash function used on the copied image in the virtual machine. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53. Both hash values are the same; integrity maintained. | To check that Assignment2.dd was not compromised while copying into the virtual machine. | Amit | A
20-April-10 | 6:05:52 PM | Start Autopsy. | To browse the image in Autopsy. | Amit | A
20-April-10 | 6:06:11 PM | Open a new case in Autopsy named Assgnmnt2. | Giving the name of the case for investigating. | Amit | A
20-April-10 | 6:06:24 PM | Add a host in Autopsy named host1. | Name of the computer. | Amit | A
20-April-10 | 6:08:11 PM | Browse to the image 'Assignment2.dd' and add it into Autopsy. | To know the path of the image and link it with Autopsy. | Amit | A
20-April-10 | 6:10:34 PM | Rehash the added image in Autopsy. Same hash value; integrity maintained. | To maintain the integrity. | Amit | A
20-April-10 | 6:13:22 PM | Close Autopsy. | To save the image file so that it can be opened next time to start analysing the images. | Amit | A
20-April-10 | 6:19:14 PM | Unmount the image. | To close Autopsy and to maintain the image file in its original state. | |

Sheet Number 2

Date & Day: 22-04-2010, Thursday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
22-April-10 | 9:17:54 AM | Start CAINE, mount the image again and start Autopsy. | To start analysing the image. | Amit | A
22-April-10 | 9:19:24 AM | Choose "Sort files by type" from the Analysis section in Autopsy. | To identify the files and images. | Amit | A
22-April-10 | 9:20:12 AM | Open the output directory under Autopsy. All the identified files can be viewed under the path "/var/lib/autopsy/Meerkat_Investigation/host1/output/sorter-vol1/index.html". | To check the identified files. | Amit | A
22-April-10 | 9:20:44 AM | Analyse the files by clicking on File Analysis. | It is used to check for and recover deleted files. | Amit | A
22-April-10 | 9:21:14 AM | Search for file types such as .jpeg, .gif, .bmp, .doc etc. | To check whether any meerkat images are available or not. | Amit | A
22-April-10 | 9:24:33 AM | Typed ".gif" in the file name search to find any file or document whose extension is .gif. | To find and examine all .gif files and images. | Amit | A
22-April-10 | 9:25:25 AM | One image found named "jewel.gif". Hash function used on it. MD5 - bbdc61bcb09b70a92e2421aa3097afa7; SHA1 - f395a98bd52754562f1b513298e3547e6566baed | To maintain the integrity of the found image, i.e. jewel.gif. | Amit | A
22-April-10 | 9:28:53 AM | Typed ".bmp" in the file name search to find any file or document whose extension is .bmp. | To find and examine all .bmp files and images. | Amit | A
22-April-10 | 9:29:17 AM | One image found named "Internet_Explorer_Wallpaper.bmp". Hash function used on it. MD5 - 228f497c6e699de6df00387715441a1f; SHA1 - 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | To maintain the integrity of the found image, i.e. "15348-CHANGENAME_Internet_Explorer_Wallpaper.bmp". | Amit | A
22-April-10 | 9:30:31 AM | Typed ".jpeg" in the file name search to find any file or document whose extension is .jpeg. | To find and examine all .jpeg files and images. | Amit | A
22-April-10 | 9:37:44 AM | Image found named "180px-Meerkats_foraging[1].jpg". Hash function used on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image, i.e. 180px-Meerkats_foraging[1].jpg. | Amit | A
22-April-10 | 9:42:20 AM | Image found named "180px-Suricata[1].jpg". Hash function used on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image, i.e. 180px-Suricata[1].jpg. | Amit | A
22-April-10 | 9:50:59 AM | Image found named "GetAttachment[1].jpg". Hash function used on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image, i.e. GetAttachment[1].jpg. | Amit | A
22-April-10 | 10:02:04 AM | Image found named "images[1].jpg". Hash function used on it. MD5 - 3d98cd156195e02c58f4ce238689120b; SHA1 - 76afa691556abed61c25651c896943d2e279a7ab | To maintain the integrity of the found image, i.e. images[1].jpg. | Amit | A
22-April-10 | 10:07:41 AM | Image found named "250px Suricata.suricatta.6861[1].jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image, i.e. 250px Suricata.suricatta.6861[1].jpg. | Amit | A
22-April-10 | 10:09:22 AM | Image found named "meerkats53[1].jpg". Hash function used on it. MD5 - 0f1984f5d17741e513b1bd5449fe076c; SHA1 - 1109b6d97e4c340744e7158de34b1f2fc9e65bef | To maintain the integrity of the found image, i.e. meerkats53[1].jpg. | Amit | A
22-April-10 | 10:18:24 AM | Image found named "180px-Meerkats_foraging.JPG". Hash function used on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image, i.e. 180px-Meerkats_foraging.JPG. | Amit | A
22-April-10 | 10:23:11 AM | Image found named "180px-Suricata.jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image, i.e. 180px-Suricata.jpg. | Amit | A
22-April-10 | 10:26:24 AM | Image found named "250px-Suricata.jpg". Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image, i.e. 250px-Suricata.jpg. | Amit | A
22-April-10 | 10:44:00 AM | Image found named "meerkats-6.jpg". Hash function used on it. MD5 - 08caf56c034c44487a60305cd71bdf6b; SHA1 - 849ff18b9a173455e5713bcf1719967592045c11 | To maintain the integrity of the found image, i.e. meerkats-6.jpg. | Amit | A
22-April-10 | 10:51:46 AM | Image found named "Loopy.jpg". Hash function used on it. MD5 - 7921a439afdf3385bca2bd46fa0dadc9; SHA1 - ac5e6412a42e4a05306c4a247ca6f68a5462642a | To maintain the integrity of the found image, i.e. Loopy.jpg. | Amit | A
22-April-10 | 11:01:04 AM | Typed ".zip" in the file name search to find any file or document whose extension is .zip. | To find and examine all .zip files and images. | Amit | A
22-April-10 | 11:05:20 AM | File found named "Data.zip", which contains pictures of meerkats. Hash function used on it. MD5 - da68930452efa3758db386ff380f990a; SHA1 - 27a5460741ab235f8d86644ea9914a8d5c7eadb6 | To maintain the integrity of the found file, i.e. Data.zip. | Amit | A
22-April-10 | 11:13:39 AM | Image found named "Meerkats 09.jpg". Hash function used on it. MD5 - e9a9fa7a8f32111ec0e5385c47e099a8; SHA1 - 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | To maintain the integrity of the found image file, i.e. Meerkats 09.jpg. | Amit | A
22-April-10 | 11:15:51 AM | Image found named "Meerkats-8.jpg". Hash function used on it. MD5 - 889cdb2d2e952e7d481321a41222dea6; SHA1 - 2109aba9a0c807af9591d52c9a9e15d64e43828b | To maintain the integrity of the found image file, i.e. Meerkats-8.jpg. | Amit | A
22-April-10 | 11:29:14 AM | Image found named "meerkats.jpg". Hash function used on it. MD5 - 17510ee5a8df2eb5dc8e3d5141edc34d; SHA1 - 64b318255009d5e964cf0cfb999d1e9dc8514999 | To maintain the integrity of the found image file, i.e. meerkats.jpg. | Amit | A
22-April-10 | 11:41:37 AM | Typed ".mp4" in the file name search to find any file or document whose extension is .mp4. | To find and examine all .mp4 files. | Amit | A
22-April-10 | 11:52:32 AM | Video file found named "60d80dd5032499bd4.mp4". Hash function used on it. MD5 - fdfb448514f5ed679951aee278ddae0d; SHA1 - c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | To maintain the integrity of the found mp4 video file, i.e. 60d80dd5032499bd4.mp4. | Amit | A
22-April-10 | 12:17:23 PM | Close Autopsy. | To save the image file so that it can be opened next time to start analysing the images. | Amit | A
22-April-10 | 12:19:08 PM | Unmount the image. | To maintain the image file in its original state. | Amit | A
22-April-10 | 12:20:26 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | Amit | A

Sheet Number 3

Date & Day: 25-04-2010, Sunday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
23-April-10 | 9:19:04 PM | Start CAINE and mount the image. | To start analysing the image. | Amit | A
23-April-10 | 9:20:21 PM | Hash the image again to check the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | Amit | A
23-April-10 | 9:20:57 PM | Start Autopsy. | To analyse the image again. | Amit | A
23-April-10 | 9:26:56 PM | Typed ".rar" in the file name search to find any file or document whose extension is .rar. | To find and examine all .rar files and images. | Amit | A
23-April-10 | 9:27:44 PM | File found named "Mystery.rar". Hash function used on it. MD5: 056c1a5d3f9d3b9e26064587000a28ca; SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found file, i.e. Mystery.rar. | Amit | A
23-April-10 | 9:33:44 PM | Image found named "meerkats_1024-8.jpg". Hash function used on it. MD5 - 511d2036c3ad7aa66d82596c30cfa3a7; SHA1 - 11d2036c3ad7aa66d82596c30cfa3a7 | To maintain the integrity of the found image file, i.e. meerkats_1024-8.jpg. | Amit | A
23-April-10 | 9:40:44 PM | Image found named "meerkats_13sfw.jpg". Hash function used on it. MD5 - d60a937985cc63d2806a99d33ca252c2; SHA1 - 1ce064b8352ee2596000a08085ece08223b6e399 | To maintain the integrity of the found image file, i.e. meerkats_13sfw.jpg. | Amit | A
23-April-10 | 9:44:17 PM | Image found named "meerkats_1024-8.jpg". Hash function used on it. MD5 - ea2c53f3ddae1e8816d2f1d0b91776ae; SHA1 - 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found image file, i.e. meerkats_1024-8.jpg. | Amit | A
23-April-10 | 9:47:14 PM | Typed ".htm" in the file name search to find any file or document whose extension is .htm. | To find and examine all .htm files and images. | Amit | A
23-April-10 | 9:53:06 PM | File found named "Dc5.htm". Hash function used on it. MD5 - 7424d54a59969623d2498633ea1c0687; SHA1 - da6fd25750279ec316bf0aa4d1ead3b263e9771c | To maintain the integrity of the found file, i.e. Dc5.htm. | Amit | A
23-April-10 | 10:10:24 PM | Typed ".exe" in the file name search to find any file or document whose extension is .exe. | To find .exe files and images. | Amit | A
23-April-10 | 10:13:51 PM | File found named "Bo2k.exe". Hash function used on it. MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f; SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63 | To maintain the integrity of the found executable file, i.e. Bo2k.exe. | Amit | A
23-April-10 | 10:15:02 PM | Typed ".doc" in the file name search to find any file or document whose extension is .doc. | To find and examine all .doc files and images. | Amit | A
23-April-10 | 10:20:47 PM | File found named "arrow.doc". Hash function used on it. MD5 - 58def2449ed44b627b527b53ad42cf25; SHA1 - eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | To maintain the integrity of the found document file, i.e. arrow.doc. | Amit | A
23-April-10 | 10:27:29 PM | File found named "EBook 0Z 02.doc". Hash function used on it. MD5 - 5a4b3c21d3f6eb8d349a87229aae14c2; SHA1 - cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | To maintain the integrity of the found document file, i.e. EBook 0Z 02.doc. | Amit | A
23-April-10 | 10:33:19 PM | File found named "meerkats in EBook of The Prince.doc". Hash function used on it. MD5 - fa836b1b27514a4805c5e551398b17e4; SHA1 - d1e69f0962044748bc487b1b0ebc5104838512c7 | To maintain the integrity of the found document file, i.e. meerkats in EBook of The Prince.doc. | Amit | A
23-April-10 | 10:47:54 PM | Close Autopsy. | To save the image file so that it can be opened next time to start analysing the images. | Amit | A
23-April-10 | 10:50:34 PM | Unmount the image. | To maintain the image file in its original state. | Amit | A
23-April-10 | 10:58:04 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | |

End of Part 1 (Running Sheet)


Report on Findings

The aim of this part of the report is to explain all the findings from the image, Assignment2.dd, made during the forensic investigation. The main task is to find the meerkat images, which are against the law and which the employee is suspected of accessing.

On 2010-04-22 the Assignment2.dd image file was downloaded from Edith Cowan University to begin the investigation for meerkat images. All of the investigation was done in the CAINE virtual machine under VMware, with Autopsy used as the forensic software.

All evidence images searched and collected from C:/

All findings of .bmp images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Application Data/Microsoft/Internet Explorer/Internet Explorer Wallpaper.bmp | 228f497c6e699de6df00387715441a1f | 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | 2008-05-01 11:53:49 (WST) | 2008-05-01 11:53:49 (WST) | (screenshot) | Internet Explorer Wallpaper.bmp | A

All findings of .gif images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/WINDOWS/jewel.gif | bbdc61bcb09b70a92e2421aa3097afa7 | f395a98bd52754562f1b513298e3547e6566baed | 2008-04-30 18:52:38 (WST) | 2008-05-01 12:12:36 (WST) | (screenshot) | Jewel.gif | A

All findings of .jpg images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/2VUHUZWD/180px-Meerkats_foraging[1].jpg | d7276adb4dde8b90d853a7a886f97491 | 0ca079eca141053f78652dcfc5fe5802138171d8 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | (screenshot) | 180px-Meerkats_foraging[1].jpg | A
C:/WINDOWS/Loopy.jpg | 7921a439afdf3385bca2bd46fa0dadc9 | ac5e6412a42e4a05306c4a247ca6f68a5462642a | 2008-04-30 18:54:06 (WST) | 2008-05-01 12:12:45 (WST) | (screenshot) | Loopy.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/250px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | (screenshot) | 250px-Suricata.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/180px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | (screenshot) | 180px-Suricata.jpg | A
C:/WINDOWS/RegisteredPackages/{89820200-ECBD-11cf-8B85-00AA005B4383}/ieex/meerkats-6.jpg | 08caf56c034c44487a60305cd71bdf6b | 849ff18b9a173455e5713bcf1719967592045c11 | 2008-04-30 18:54:32 (WST) | 2008-05-01 12:05:24 (WST) | (screenshot) | meerkats-6.jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/EZ2RGJIN/meerkats53[1].jpg | 0f1984f5d17741e513b1bd5449fe076c | 1109b6d97e4c340744e7158de34b1f2fc9e65bef | 2008-05-01 11:53:43 (WST) | 2008-05-01 11:53:43 (WST) | (screenshot) | meerkats53[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/images[1].jpg | 3d98cd156195e02c58f4ce238689120b | 76afa691556abed61c25651c896943d2e279a7ab | 2008-05-01 11:55:39 (WST) | 2008-05-01 11:55:39 (WST) | (screenshot) | images[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/250px Suricata.suricatta.6861[1].jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | (screenshot) | 250px Suricata.suricatta.6861[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/GetAttachment[1].jpg | 2463a4c4668748d3e5176a2da1bb8d87 | fbf5fa1e871b380d21d98c573d42148786af5ba7 | 2008-05-01 11:52:21 (WST) | 2008-05-01 11:52:21 (WST) | (screenshot) | GetAttachment[1].jpg | A

All findings for the .mp4 video file under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the video | Sign
C:/WINDOWS/system32/60d80dd5032499bd4.mp4 | fdfb448514f5ed679951aee278ddae0d | c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | 2008-04-30 18:58:32 (WST) | 2008-05-01 12:11:30 (WST) | (screenshot) | 60d80dd5032499bd4.mp4 | A

All findings for the .doc files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the image in the document | Name of the Document | Sign
C:/Documents and Settings/Administrator/My Documents/EBook of the Prince.doc | fa836b1b27514a4805c5e551398b17e4 | d1e69f0962044748bc487b1b0ebc5104838512c7 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | (screenshot) | EBook OZ 02.doc | A
C:/Documents and Settings/Administrator/My Documents/arrow.doc | 58def2449ed44b627b527b53ad42cf25 | eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | 2008-04-30 18:53:56 (WST) | 2008-05-01 12:07:38 (WST) | (screenshot) | Arrow.doc | A
C:/Documents and Settings/Administrator/My Documents/EBook OZ 02.doc | 5a4b3c21d3f6eb8d349a87229aae14c2 | cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | (screenshot) | EBook 0Z 02.doc | A

All findings for the .rar files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the file | Sign
C:/Program Files/uTorrent/Mystery.rar | 056c1a5d3f9d3b9e26064587000a28ca | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | No Image | Mystery.rar | A

All findings for the .zip files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the file | Sign
C:/Program Files/uTorrent/Mystery.rar/meerkats_1024-8.jpg | 511d2036c3ad7aa66d82596c30cfa3a7 | 61fe4c9f5630ab1e5853b74af046363ed1e9d003 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | (screenshot) | meerkats_1024-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_1sfw.jpg | ea2c53f3ddae1e8816d2f1d0b91776ae | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | (screenshot) | meerkats_1sfw.jpg | A
C:/Personal/Data.zip/Meerkats 09.jpg | e9a9fa7a8f32111ec0e5385c47e099a8 | 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | (screenshot) | Meerkats 09.jpg | A
C:/Personal/Data.zip/Meerkats-8.jpg | 889cdb2d2e952e7d481321a41222dea6 | 2109aba9a0c807af9591d52c9a9e15d64e43828b | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | (screenshot) | Meerkats-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_13sfw.jpg | d60a937985cc63d2806a99d33ca252c2 | 1ce064b8352ee2596000a08085ece08223b6e399 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | (screenshot) | meerkats_13sfw.jpg | A

All findings for the .exe files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the executable file | Sign
C:/Documents and Settings/Administrator/Desktop/to install/Bo2k.exe | 36fb2d9fe2d3e1ec1ee63dde02ad1b3f | 551dc1b5a9cebc93a88e6806671b328349392f63 | 2008-04-30 18:52:54 (WST) | 2008-05-01 12:09:09 (WST) | (screenshot) | Bo2k.exe | A

All findings for the .htm files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the .htm file | Sign
C:/RECYCLER/Dc5.htm | 7424d54a59969623d2498633ea1c0687 | da6fd25750279ec316bf0aa4d1ead3b263e9771c | 2008-04-30 18:58:52 (WST) | 2008-04-30 18:58:52 (WST) | No Image Found | Dc5.htm | A

End of Report Findings

Investigation Process

After downloading the image file named Assignment2.dd from the Edith Cowan University website, I made a copy of the original image into another folder to serve as the forensic working copy, so that I could begin the forensic investigation on that copy without affecting the original image. I used hash functions on both the original Assignment2.dd image and the copied Assignment2.dd image and compared their hash values with each other during the investigation, which confirmed that the image had not been compromised and was still the same. As a result, integrity was maintained throughout the forensic investigation process.

Start Date and Time: 22-04-2010, 1:22 AM

Creating the directory:

amit@sciss10oem:~$ sudo -s
[sudo] password for amit:
root@sciss10oem:~# cd Desktop
root@sciss10oem:~/Desktop# mkdir investigation
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation#

Date and Time: 22-04-2010, 1:25 AM

Mount the image in the investigation folder:

root@sciss10oem:~/Desktop# mount /dev/sdc1 investigation/
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation# ls
Assignment2.dd  lost+found

Date and Time: 22-04-2010, 1:26 AM

Hashing the image:

root@sciss10oem:~/Desktop# md5deep -b Assignment2.dd
0c776f7c1ef092cdb9465fde80f4ea86  Assignment2.dd
root@sciss10oem:~/Desktop# sha1deep -b Assignment2.dd
4179cb30780358577c367a9e6e46708746ddcc53  Assignment2.dd

Date and Time: 22-04-2010, 1:28 AM

Open Autopsy:

root@sciss10oem:~/Desktop# sudo autopsy

Click on the link to launch Autopsy: http://localhost:9999/autopsy

Created a new case named Meerkats_Investigation to start the forensic investigation of the image.

Date and Time: 22-04-2010, 1:40 AM

Creating New Case (screenshot)

Add host named host1 (screenshot)

host1 was added in Autopsy, and afterwards the image, Assignment2.dd, was also added and its MD5 hash value generated to compare with the MD5 hash value of the original image, maintaining the integrity of the image and confirming that it was not compromised.

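The cycle described above (hash the original, copy it, hash the copy, compare, and write each step onto the running sheet) is shown below as an added example in Python. It is not the report's own code, which used md5deep and sha1deep at the shell. The file it hashes is a small constructed stand-in for Assignment2.dd, the working-folder names are assumed, and it also records SHA-256, which the report did not use, because neither MD5 nor SHA-1 is collision resistant any longer. The last step deliberately alters one byte of the working copy so that the comparison fails, which is the case the procedure exists to catch.

```python
"""Evidence-image integrity check with running-sheet output.
Added example; not part of the original report."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime

CHUNK = 1024 * 1024


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests, reading in chunks so that a
    multi-gigabyte .dd image never has to fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def verify_copy(original, copy):
    """Hash both files; return (match, digests_original, digests_copy).
    A difference in any one algorithm is a failure and the copy is not used."""
    h_orig, h_copy = hash_file(original), hash_file(copy)
    return h_orig == h_copy, h_orig, h_copy


def running_sheet_row(action, motive, digests=None, by="Amit", sign="A"):
    """One running-sheet entry in the report's column order:
    Date | Time | Action | Motive | Action taken by | Signature."""
    now = datetime.now()
    if digests:
        md5, sha1, sha256 = digests
        action = f"{action} MD5 - {md5}; SHA1 - {sha1}; SHA256 - {sha256}"
    return " | ".join([now.strftime("%d-%B-%y"), now.strftime("%I:%M:%S %p"),
                       action, motive, by, sign])


def acquire_and_verify(original, workdir):
    """Hash the original, copy it into workdir, hash the copy and compare.
    Returns (running-sheet rows, path of the verified copy); raises on mismatch."""
    copy = os.path.join(workdir, os.path.basename(original))
    rows = []
    h_orig = hash_file(original)
    rows.append(running_sheet_row("Hash function used on the image.",
                                  "To maintain the integrity of the image.", h_orig))
    shutil.copy2(original, copy)
    ok, _, h_copy = verify_copy(original, copy)
    rows.append(running_sheet_row("Hash function used on the copied image.",
                                  "To check the image was not altered while copying.",
                                  h_copy))
    if not ok:
        raise ValueError("hash mismatch: the working copy is not a true copy")
    return rows, copy


def demo():
    """Constructed demo: a small stand-in for Assignment2.dd is hashed, copied
    and verified; the copy is then altered by one byte and re-verified."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "Assignment2.dd")        # assumed name
    with open(original, "wb") as f:
        f.write(b"\x00" * 4096 + b"meerkat" + b"\xff" * 4096)   # constructed sample
    rows, copy = acquire_and_verify(original, tempfile.mkdtemp(dir=tmp))
    with open(copy, "r+b") as f:
        f.seek(4096)
        f.write(b"X")                                      # simulate an altered copy
    tampered_ok, _, _ = verify_copy(original, copy)
    shutil.rmtree(tmp)
    return rows, tampered_ok


if __name__ == "__main__":
    sheet_rows, still_matches = demo()
    print("\n".join(sheet_rows))
    print("after tampering, copy still matches original:", still_matches)
```

Keep the original on read-only media (or mount it read-only) and hash it again at the end of every session, as sheets 2 and 3 do; a hash that drifts between sessions means the working copy, not the evidence, is what must be thrown away.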
Investigation Findings

A) .GIF: When I searched for .gif files I found a list of files, and after looking into each .gif file I found the jewel.gif image.

B) .BMP: When I searched for .bmp files I found a list of files, and after analysing each .bmp file I found the Internet Explorer Wallpaper.bmp image.

C) .MP4: When I searched for .mp4 files I found a list of files, and after looking into each .mp4 file I found the 60d80dd5032499bd4.mp4 video file.

D) .ZIP: When I searched for .zip files I found a list of files, and after analysing each .zip file I found meerkats_1024-8.jpg, meerkats_1sfw.jpg, Meerkats 09.jpg, Meerkats-8.jpg and meerkats_13sfw.jpg.

E) .EXE: When I searched for .exe files I found a list of files, and after analysing each .exe file I found the Bo2k.exe file.

F) .DOC: When I searched for .doc files I found a list of files, and after analysing each .doc file I found arrow.doc, EBook 0Z 02.doc and EBook of the Prince.doc (EBook OZ 02.doc).

The screenshot for this search also shows one HTML document about meerkats; that web page gives some general information about meerkats. (Screenshot of the HTML document not reproduced.)

G) .RAR: When I searched for .rar files I found a list of files, and after analysing each .rar file I found the Mystery.rar file.

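The searches listed above match on file name extension only, so a meerkat picture renamed to .txt, or one carried inside an archive, would not appear in a ".jpg" search; the sorter behind Autopsy's "Sort files by type", used on sheet 2, classifies by content instead. Below is an added example, not part of the original report, that identifies files by their leading signature bytes, flags any whose extension disagrees with the content, hashes each one with MD5 and SHA-1 as the findings tables do, and descends into ZIP archives so that members are hashed individually, as the report's .zip table does for Data.zip. The directory tree and the sample files are constructed in a temporary folder; a real run would be pointed at the mounted image.

```python
"""Signature-based file triage with per-member archive hashing.
Added example; not part of the original report."""
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

# (magic bytes, offset, label, extensions that legitimately carry this content)
# for the types the report searched for. Constructed table, not from the report.
SIGNATURES = [
    (b"\xff\xd8\xff", 0, ".jpg", {".jpg", ".jpeg"}),
    (b"GIF87a", 0, ".gif", {".gif"}),
    (b"GIF89a", 0, ".gif", {".gif"}),
    (b"BM", 0, ".bmp", {".bmp"}),
    (b"PK\x03\x04", 0, ".zip", {".zip"}),
    (b"Rar!\x1a\x07", 0, ".rar", {".rar"}),
    (b"ftyp", 4, ".mp4", {".mp4"}),                 # ISO BMFF 'ftyp' box at offset 4
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, ".doc", {".doc"}),   # OLE2 compound file
    (b"MZ", 0, ".exe", {".exe"}),
]


def identify(header):
    """Return (label, allowed extensions) for the leading bytes, or (None, set())."""
    for magic, offset, label, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return label, exts
    return None, set()


def digests(data):
    """MD5 and SHA-1 hex digests of an in-memory object."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def triage_bytes(logical_path, data):
    """One finding: path, hashes, detected type, and whether the name's
    extension disagrees with the content (the case a name search misses)."""
    ext = os.path.splitext(logical_path)[1].lower()
    label, exts = identify(data[:16])
    md5, sha1 = digests(data)
    return {"path": logical_path, "md5": md5, "sha1": sha1,
            "detected": label or "unknown",
            "mismatch": bool(exts) and ext not in exts}


def triage_tree(root):
    """Walk a directory (the mounted image), triage every file, and open ZIP
    archives so each member is hashed on its own. RAR needs an external tool
    and is only identified here, not opened."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(triage_bytes(rel, data))
            if data[:4] == b"PK\x03\x04":
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if not member.endswith("/"):
                            findings.append(triage_bytes(rel + "/" + member,
                                                         zf.read(member)))
    return findings


def demo():
    """Constructed sample tree: a JPEG, the same JPEG renamed to .txt (missed by
    a '.jpg' name search), and a ZIP under Personal/ holding a GIF."""
    root = tempfile.mkdtemp()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12      # constructed JPEG header
    gif = b"GIF89a" + b"\x00" * 10                 # constructed GIF header
    os.makedirs(os.path.join(root, "Personal"))
    with open(os.path.join(root, "meerkats.jpg"), "wb") as f:
        f.write(jpeg)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(jpeg)                              # renamed image
    with zipfile.ZipFile(os.path.join(root, "Personal", "Data.zip"), "w") as zf:
        zf.writestr("jewel.gif", gif)
    findings = triage_tree(root)
    shutil.rmtree(root)
    return findings


if __name__ == "__main__":
    for row in demo():
        flag = "EXTENSION MISMATCH" if row["mismatch"] else ""
        print(row["path"], row["detected"], row["md5"], row["sha1"], flag)
```

A mismatch row is exactly the kind of item that belongs on the running sheet with its own hash pair, because a name-only search of the same image would never have produced it.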
Conclusion

After investigating the Assignment2.dd image file, we succeeded in recovering 23 images of meerkats, one video file and several document files, including web pages mainly discussing meerkats. All of this investigation and evidence clearly proves that the employee broke the rules and regulations and took actions against the law, for which he should be penalised.

10137743, Amit Sharma