ICOM7125 Digital Forensics
Due: 11pm, 27 Jun 2024
Name:___Yu Chung Ping_________ Student ID: __3036202678________
Part 2:
Table of Contents
1. Abstract
2. Background of the case
3. Evidence Acquisition
4. Procedure of examination
5. Analysis of files
5.1 Deleted files
5.2 Hidden files
5.3 Password protected files
5.4 7-zip files
5.5 Cryptocurrency Related Files
5.6 Other Notable findings
6. Conclusion
7. Reference
8. Appendix
1. Abstract
This report outlines the procedures followed and the findings obtained from
the digital evidence in the case of a contract that did not match the records
of the company's finance department. Specifically, it covers the analysis of
a USB thumb drive belonging to the suspect, Teddy, who was arrested by the
police following the incident.
To preserve the integrity of the evidence, industry-standard digital forensic
software was used to create a bit-for-bit forensic image of the thumb drive,
verified by MD5 and SHA1 checksums, in line with accepted practice in the
field. All subsequent analysis was performed on this verified image, not on
the original device.
The examination followed established protocols: the files in the image were
enumerated, hidden files were identified, deleted files were recovered, and
specialised tools were used to extract relevant content and timestamps and
to reconstruct the sequence of events.
From this analysis the investigator drew conclusions about whether Teddy's
actions on the thumb drive suggest involvement in altering the contract. The
files, their timestamps and related artefacts were reviewed for anything
bearing on his intentions and actions before the discrepancy was discovered.
This report addresses only the digital evidence obtained from the thumb drive
and its implications for the case. The ultimate determination of Teddy's
guilt or innocence rests with the legal system, which will consider all
available evidence.
2. Background of the case
On June 19, 2024, a device containing a contract that didn't match the
records of Teddy's company's finance department was discovered. As
soon as the head of the finance department noticed this discrepancy,
they immediately reported the case to the police.
The police agency swiftly initiated an investigation into the matter. They
carefully reviewed the footage from all the nearby CCTV cameras to
gather any relevant information. After thorough analysis, they identified
a suspect who had been seen near the building hours before the
incident occurred. The suspect was none other than Teddy, a 32-year-
old employee of the company. One day after the incident, Teddy was
arrested by the authorities.
Following Teddy's arrest, search warrants were obtained to conduct a
thorough search of his premises. Investigators meticulously combed
through Teddy's belongings, including his computer. During the search,
they came across a USB thumb drive on his computer desk. Recognizing
its potential significance, the police followed proper protocol and
procedures to ensure the device was appropriately sealed and
transferred to the investigators for digital forensics examination.
Upon further investigation, it was discovered that Teddy had allegedly
engaged in the creation or possession of an edited contract, aiming to
secure a higher salary for himself. This revelation brought serious
accusations against Teddy, raising questions about his integrity and
actions within the company.
The digital forensics examination of the USB thumb drive became a
crucial part of the investigation. Investigators carefully analyzed the
contents of the device, searching for any evidence that could
substantiate the allegations against Teddy. They meticulously examined
the files, timestamps, and any modifications made to the contract.
As the investigation progressed, the police and the prosecution built
their case against Teddy. They gathered additional evidence, including
testimony from colleagues and supervisors, to strengthen their claims.
The altered contract file found on the USB thumb drive served as a
significant piece of evidence, supporting the allegations of Teddy's
involvement in manipulating his employment terms.
The case against Teddy began to take shape, and the prosecution
prepared to present their findings in court. Teddy's actions, if proven,
would have serious legal consequences, as tampering with official
documents and attempting to deceive the company would be
considered a breach of trust and potentially fraudulent behavior.
As the legal process unfolded, Teddy faced the consequences of his
alleged actions. The company, too, took appropriate measures to rectify
the situation and ensure the integrity of their employment contracts.
They reviewed their internal procedures, implementing stricter security
measures to prevent similar incidents in the future.
Teddy's arrest and subsequent legal proceedings served as a stern
reminder that unethical actions within the workplace can have severe
repercussions. The case highlighted the importance of maintaining
transparency, integrity, and trust in the corporate environment,
emphasizing the need for robust systems to prevent and detect
fraudulent activities.
Ultimately, the resolution of Teddy's case would depend on the evidence
presented in court and the judgment of the legal system.
3. Evidence Acquisition
A USB thumb drive confiscated from the accused was submitted for analysis,
together with the computer on whose desk it was found. Details of each
device and its forensic image are as follows.

Evidence 001: USB thumb drive
  Device type:           Imation Flash Drive USB Device
  Interface:             USB
  Volume serial number:  C857-F6CE
  Examination tool:      AccessData FTK Imager 4.7.1.2
  MD5 checksum:          73fad9c6d1022fea4dd53fbbd9b7c0da
  SHA1 checksum:         d43c2fa30ae7bb215ff3da9fb3a00405c8bfa2a3
  Examination procedure:
    19/06/2024 16:15   Obtained the forensic image
    20/06/2024 16:16   Located transaction images and videos
    24/06/2024 18:30   Identified all files on the USB thumb drive

Evidence 002 (Exhibit ID Dev2): Teddy's computer
  Device type:           Teddy's computer
  Serial number:         PC1CP0WT
  OS version:            Windows 10 22H2
  Acquisition location:  on the desk in the room of the flat
  Tool used:             AccessData FTK Imager 4.7.1.2
  MD5 checksum:          248DAA59061F37D6D88DEA6C67DF1ABC
  SHA1 checksum:         8298AD9B82ABD234F316B0480231313F8D72C8C8
  Examination procedure:
    19/06/2024 16:15   Obtained the forensic image
    20/06/2024 16:35   Located transaction details, including the items in
                       the figures below

Figure: AccessData FTK Imager 4.7.1.2 image of the USB thumb drive.
Figure: Autopsy capture screen and report.
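The checksums recorded above are only meaningful if they are recomputed on the working copy of the image and compared with the recorded values before any analysis starts. The following Python script is an added example written for this report, not output of FTK Imager or Autopsy; it hashes an image in chunks with MD5 and SHA1 in a single pass, compares the digests case-insensitively (the two tables above record one set in lower case and one in upper case) and returns the computed values so that a mismatch can be documented. The recorded digests for Evidence 001 are taken from the table; the image path is supplied on the command line, and the byte string used for the demonstration is constructed.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Digests recorded on the acquisition form for Evidence 001 (from the table above).
RECORDED_EVIDENCE_001 = {
    "md5": "73fad9c6d1022fea4dd53fbbd9b7c0da",
    "sha1": "d43c2fa30ae7bb215ff3da9fb3a00405c8bfa2a3",
}


def hash_chunks(chunks: Iterable[bytes],
                algorithms: Tuple[str, ...] = ("md5", "sha1")) -> Dict[str, str]:
    """Feed every chunk to all requested hash objects in one pass; return hex digests.

    One pass matters for a multi-gigabyte image: reading it once for MD5 and
    again for SHA1 doubles the I/O for no gain.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_chunks(path: str, chunk_size: int = 1 << 20) -> Iterable[bytes]:
    """Yield an image file in chunk_size pieces so memory use stays flat."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            yield chunk


def verify_image(chunks: Iterable[bytes],
                 recorded: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Return (all_match, computed_digests).

    Comparison is case-insensitive because acquisition forms often mix
    upper- and lower-case hex, as the two tables in this report do.
    """
    computed = hash_chunks(chunks, tuple(recorded))
    all_match = all(
        computed[name].lower() == expected.strip().lower()
        for name, expected in recorded.items()
    )
    return all_match, computed


if __name__ == "__main__":
    import sys
    # Usage: python verify_image.py <path-to-image-file>
    # The path is an examiner-supplied argument; the digests come from the report.
    ok, digests = verify_image(read_chunks(sys.argv[1]), RECORDED_EVIDENCE_001)
    for name, value in digests.items():
        print(f"{name}: {value}")
    print("VERIFIED" if ok else "MISMATCH: do not proceed with analysis")
```

Run it once after copying the image to the forensic workstation and again before the report is finalised; the two results belong in the examination log next to the acquisition digests.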
4. Procedure of examination
Tools:
- AccessData FTK Imager 4.7.1.2
- HxD Hex Editor 2.5.0.0
- Microsoft Office 365 (Word, Excel)
- Notepad (Windows 21H2)
- Autopsy 4.21.0
- 7-Zip 22.01 (x64)
The forensic imaging process captured the entire content of the thumb
drive, including hidden files, deleted files and unallocated space that may
still hold a deleted copy of the contract.
Using the forensic image of the thumb drive, FTK Imager and Autopsy were
employed to analyse the files recovered from the device. All subsequent
analysis was performed on the image on a dedicated forensic workstation;
the original drive was not examined directly.
Focus of investigation
The investigation focused on digital evidence relevant to the case: deleted
files, the edited contract and hidden files. Evidence relating to the
targeted organisation and information about the accused were also analysed.
Keyword search was the main technique used to locate information relevant
to this focus. Using FTK Imager and Autopsy, the following types of files
were identified for detailed analysis:
- Deleted files
- Hidden files
- Image files
- Password protected files
- 7-Zip files
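A keyword search over a forensic image has to look at the raw bytes, not just at the files the file system still lists, and it has to try the encodings the evidence actually uses: plain ASCII for text files and short file names, and UTF-16LE for FAT long file names and for the text of Word documents (assumed here to be neither compressed nor encrypted). The following Python is an added example for this report, not a feature of FTK Imager or Autopsy; it scans a byte string case-insensitively for each keyword in both encodings and reports the offset, encoding and a decoded snippet of the surrounding bytes. The sample "image" is constructed for the demonstration and is not evidence data.

```python
from typing import Dict, List

# Encodings worth checking on a Windows-formatted thumb drive. Assumption for
# this example: Word text is stored as UTF-16LE (true for uncompressed .doc text).
ENCODINGS = ("ascii", "utf-16-le")


def keyword_search(data: bytes, keywords: List[str], context: int = 12) -> List[Dict]:
    """Find case-insensitive hits for each keyword in raw image bytes.

    Returns one record per hit: byte offset, encoding, keyword and a decoded
    snippet of the surrounding text. Case folding is done on the raw bytes
    (bytes.lower only touches ASCII letters), which is correct for both
    encodings because UTF-16LE keeps the ASCII letter in its low byte.
    """
    lowered = data.lower()
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            needle = kw.lower().encode(enc)
            width = 1 if enc == "ascii" else 2
            start = 0
            while True:
                off = lowered.find(needle, start)
                if off == -1:
                    break
                # Keep the snippet aligned to the code-unit width so UTF-16 decodes cleanly.
                lo = max(off - context * width, off % width)
                hi = min(len(data), off + len(needle) + context * width)
                snippet = data[lo:hi].decode(enc, errors="replace")
                hits.append({"offset": off, "encoding": enc,
                             "keyword": kw, "snippet": snippet})
                start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "image": slack bytes, an ASCII file name, then a UTF-16LE
# fragment of the kind a Word document stores. Not taken from the evidence.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Contract-Teddy.doc"
    + b"\x00" * 32
    + "Salary: HKD 34,000".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in keyword_search(SAMPLE_IMAGE, ["contract", "salary", "34,000"]):
        print(f"0x{hit['offset']:08x} {hit['encoding']:<9} "
              f"{hit['keyword']!r}: {hit['snippet']!r}")
```

For a real image, read the file in large chunks and carry the last `len(needle)` bytes of each chunk into the next one so a hit straddling a chunk boundary is not missed; offsets reported this way are what the examiner then opens in HxD to see the hit in context.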
5. Analysis of files
5.1 Deleted files
A deleted file was recovered. It contains the original contract
information.

Evidence ID | File name          | Path              | Is deleted
004         | Contract-teddy.doc | :\7125 homework\  | True

Evidence #004 (Contract-teddy.doc) shows that the original file was
deleted on 19/06/2024.
5.2 Hidden files
A hidden file with the same name as the deleted file was also found. It
contains the original contract information and was hidden rather than
deleted.

Evidence ID | File name          | Path              | Is deleted
005         | Contract-teddy.doc | :\7125 homework\  | False

Evidence #005 shows that a file named Contract-teddy.doc, the original
contract, was given the hidden attribute on 19/06/2024.
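The "Is deleted" and hidden flags in the two tables above are read by FTK Imager and Autopsy from the directory entries of the volume. The report does not state the file system; a thumb drive is usually FAT32, and the following Python is an added example written on that assumption, not output from either tool. It decodes raw 32-byte FAT directory entries, reports the deleted marker (first name byte 0xE5), the hidden attribute bit (0x02) and the DOS-format creation and write timestamps, which is how a tool arrives at the 19/06/2024 dates quoted above. The directory bytes used for the demonstration are constructed, and the short names CONTRA~1.DOC and PASSWO~1.DOC are assumed 8.3 forms for the files in the tables, not names read from the evidence.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional

ENTRY = struct.Struct("<11s3B7HI")  # one 32-byte FAT directory entry
ATTR_HIDDEN = 0x02
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F  # read-only|hidden|system|volume-id marks a long-name piece
DELETED_MARKER = 0xE5


def dos_datetime(date: int, time: int) -> Optional[datetime]:
    """Decode a FAT packed date/time (2-second resolution, local time, no zone)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None  # zeroed or corrupt fields: report unknown rather than guess


def parse_directory(blob: bytes) -> List[Dict]:
    """Walk raw directory bytes and describe every short-name entry."""
    entries = []
    for off in range(0, len(blob) - len(blob) % ENTRY.size, ENTRY.size):
        raw = blob[off:off + ENTRY.size]
        if raw[0] == 0x00:
            break  # 0x00 in the first byte means no entries follow
        (name, attr, _ntres, _crt_tenth, crt_time, crt_date, _acc_date,
         clus_hi, wrt_time, wrt_date, clus_lo, size) = ENTRY.unpack(raw)
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue  # long-file-name pieces are not decoded in this example
        deleted = name[0] == DELETED_MARKER
        base, ext = name[:8], name[8:]
        if deleted:
            base = b"?" + base[1:]  # the first character is lost on deletion
        short = base.decode("ascii", "replace").rstrip()
        if ext.strip():
            short += "." + ext.decode("ascii", "replace").rstrip()
        entries.append({
            "offset": off,
            "name": short,
            "deleted": deleted,
            "hidden": bool(attr & ATTR_HIDDEN),
            "directory": bool(attr & ATTR_DIRECTORY),
            "created": dos_datetime(crt_date, crt_time),
            "modified": dos_datetime(wrt_date, wrt_time),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def make_entry(name: bytes, attr: int, when: datetime,
               first_cluster: int, size: int) -> bytes:
    """Build a constructed directory entry for the demonstration (not evidence data)."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return ENTRY.pack(name.ljust(11), attr, 0, 0, time, date, date,
                      first_cluster >> 16, time, date, first_cluster & 0xFFFF, size)


# Constructed directory region: a deleted copy, a hidden copy and a plain file,
# all stamped with the date the report gives for the edits. Assumed names.
T = datetime(2024, 6, 19, 16, 15, 0)
SAMPLE_DIRECTORY = (
    make_entry(b"\xE5ONTRA~1DOC", 0x20, T, 3, 24576)               # deleted
    + make_entry(b"CONTRA~1DOC", 0x20 | ATTR_HIDDEN, T, 9, 24576)  # hidden
    + make_entry(b"PASSWO~1DOC", 0x20, T, 15, 40960)
    + b"\x00" * ENTRY.size                                         # end marker
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flags = ",".join(f for f in ("deleted", "hidden") if e[f]) or "-"
        print(f"{e['name']:<14} {flags:<15} modified {e['modified']} "
              f"cluster {e['first_cluster']} size {e['size']}")
```

Two caveats a practitioner should carry into the report: FAT timestamps are local time with no zone information, so the 19/06/2024 dates depend on the clock of whatever machine wrote them, and a deleted entry still points at its first cluster, which is why the content of Evidence #004 could be recovered as long as the clusters had not been reused.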
5.3 Password protected files
The password protected file contains security information maintained by
HR. No edits to it were found.

Evidence ID | File name        | Path              | Is deleted
006         | Passwordsafe.doc | :\7125 homework\  | False

5.4 7-Zip files
The 7-Zip archives were examined; they show no modification since
12/06/2024.
5.5 Cryptocurrency related files
A directory named "data" was discovered in the image. It is believed to be
the working directory of an application of the same name, a tool for
managing a cryptocurrency wallet and performing cryptocurrency
transactions.
5.6 Other notable findings
There are further files in the image that are not part of the contract
itself but that the investigator still considers relevant to the case,
because each was edited on 19/06/2024, the same day as the contract. They
are listed in the table below:

Evidence ID | File name  | Path             | Description
007         | File4.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
008         | File5.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
009         | File6.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
010         | File7.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
011         | File8.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
012         | File9.txt  | E:\7125 homework | Edited on 19/06/2024, same day as the contract
013         | File10.txt | E:\7125 homework | Edited on 19/06/2024, same day as the contract

Further examination of the thumb drive image found a viewable file named
Contract-teddy that had been edited on 19/06/2024, while the original file
of the same name was also modified on that day. These files were suspected
not to be the original contract held by the HR and finance departments.
Byte-level inspection of the files with HxD Hex Editor confirmed that the
files named Contract-Teddy examined in this way were not the original.
6. Conclusion
1. Relation with the company
Teddy was an office employee. His contract was terminated by the
company on 19/06/2024.
2. Possession of information on the thumb drive
One file, the original contract, was deleted; one file was created and
edited under the same name as the original; and one file was hidden.
With the evidence collected and the facts concluded above, Teddy is very
likely the person who edited his contract from 32,000 to 34,000 to obtain
a higher salary without the knowledge of the HR and finance departments.
Based on the available evidence, the events appear to have occurred
according to the timeline above: the edit time was confirmed as
19/06/2024, and the deletion and hiding took place on the same day.
The evidence also indicates that this happened on 19/06/2024, the day on
which the HR and finance departments were absent.
The investigation indicates that the suspect planned to edit his contract,
hide the original and then delete it, and that he carried out the plan,
raising his salary, on the day of the HR and finance departments' absence,
19/06/2024.
In conclusion, Teddy is identified as the originator of this case on the
basis of the contract with the higher salary found on the thumb drive.
As the analysis of the digital evidence from the USB thumb drive
progresses, it is also important to establish the motive behind Teddy's
actions, which can provide insight into his intentions and the factors
that led to the alleged offence.
In addition, the possibility of accomplices should be explored. A
collaborator could have played a part in planning or carrying out the
alteration of the contract, and identifying any such person gives a
complete picture of the events and ensures that all responsible parties
are held accountable.
A full investigation, including interviews, witness statements and any
other available evidence, will be needed to establish the motive and any
involvement of others; both are central to building the case and ensuring
that justice is served.
7. Reference
ICOM 7125 – Digital Forensics Analysis Report, Homework example 1
8. Appendix
1. Case scene of office
3. SN of thumb drive
SN of Teddy's computer:
4. FTK Imager image of the thumb drive before the contract was edited
5. FTK Imager image of the thumb drive after the contract was edited
6. Autopsy view of the USB edit time
7.
8. USB thumb drive