CJ317 Unit 7 Project

The document outlines two case projects related to computer forensics investigations. The first project involves recovering a potentially corrupt zip file containing inappropriate images from an employee's hard drive, while the second project focuses on examining files with an unfamiliar extension related to potential copyright infringement. Both investigations emphasize the importance of documentation, forensic analysis, and collaboration with network administrators to trace file transfers and gather evidence.

Uploaded by h3lrav3n

Unit 7 Project 1

Unit 7: Case Projects 10-3 & 10-4


CJ317: Computer Forensics

Kaplan University

1/3/2010

Case Project 10-3:

You are investigating a case involving an employee who is allegedly sending inappropriate photos via e-mail in attachments that have been compressed with a zip utility. As you examine the employee's hard disk drive, you find a file named orkty.zip, which you suspect is a graphic file. When you try to open the file in an image viewer, a message is displayed indicating that the file is corrupt. Write a 2-3 page report explaining how to recover the file, orkty.zip, for further investigation.

An initial assessment would be among the first steps I would take to address this case. I would need to outline the details and inquire about the nature of the inappropriate photos to gain better insight into what to look for during my investigation. Among what I would look for is any information derived from the circumstances of the allegations and their sources, such as testimony from those who have potentially viewed the inappropriate picture files. Along with documenting my investigation, I would ensure that current warrants cover my investigation, and that any further needed warrants are obtained before continuing; it is important that any inquiries and further data carving from the suspect's hard drive are admissible.

Building a profile of the suspect may also help my assessment by establishing the suspect's level of technical skill, which would help me gauge the likelihood that the suspect purposefully corrupted or altered the file. Questions I might seek to answer are: Did the suspect merely rename the image file extension? Did the suspect compress the image file using a zip utility, after which the data became corrupted? Did the suspect use a hex editor to alter the file header? Or was a combination of methods used?

I would document any predominant graphic file types, graphics programs and viewers, and zip utilities found on the suspect's computer. Although I would compile as comprehensive a list of graphics file extensions and zip utilities as I can, any that are present on the suspect's system will be the focus for initial testing.

Multiple forensic copies of the orkty.zip file should be made, and their hash values verified against the original, before any testing or modification. Every graphics file format begins with a header that tells a viewer how to interpret the image data, so I would compare the file's first bytes with the known headers of common graphic types (for example, every JPEG file starts at offset 0 with the hexadecimal bytes FF D8, the start-of-image marker, and ends with FF D9, the end-of-image marker). Because the file carries a .zip extension, I would also check for the ZIP signature 50 4B 03 04 ("PK") at offset 0, which tells me whether I am looking at an archive that contains the image or at a renamed image file. I would also check for modifications or inconsistencies in the header or at the end of image (EOI) that may indicate an attempt to conceal the file's nature; the information in a known file header provides the means to render the image properly. Metadata, such as the camera's make and model and the time and date the image was taken, may also be retrieved with a hex editor from the Exif segment that follows the JPEG header; if present, this information would be valuable in determining the tools likely used, as well as the likely format of the image file. It may also be possible to repair damage or modification if known hexadecimal patterns are recognized.

Reverse engineering the corruption in the file would be another strategy in my investigation, and would require some experimentation on my part. I would attempt to view a copy of the orkty.zip file in a variety of graphics programs and viewers, trying a different graphics file extension with each attempt. I would pay close attention to any errors in rendering, strange behavior in the viewer utilities, or prompts I receive, because they may provide insight into the nature of the file. Another approach is to determine whether the source of the corruption is a zip utility; from personal experience, different zip utilities may use alternate algorithms for compression, and you may get varying results between the utilities when uncompressing files. I would then attempt to view the newly uncompressed files in a variety of viewers and graphics utilities.

A comparison of the orkty.zip hash value with the values of other known graphics files on the suspect's computer could also be made, as could a cross-reference of the hash value against directories maintained by government and law enforcement agencies containing known contraband file hash values (depending on the nature of the case). Since the hash of an archive differs from the hash of the image inside it, any image recovered from orkty.zip should be hashed and checked separately. Keyword searches of the hard drive and files might also yield results for the investigation.
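The header comparison, the experimentation with the corrupted archive, and the hash cross-reference described above, worked through in code as an added example (this is not part of the original report, nor a tool the course or textbook provides). It uses only the Python 3 standard library; the file name IMG_0421.jpg, the sample image bytes, the "corrupt" archive, and the known-hash set are all constructed in memory and stand in for the real evidence and a real law-enforcement hash database:

```python
"""Triage a file like orkty.zip by its bytes, not its extension: identify the
header, check the trailer, carve ZIP entries without trusting the central
directory, repair a clobbered JPEG start-of-image marker, and hash recovered
content for comparison against a hash set. Added example, not part of the
original report; all samples are constructed in memory and the "known hash set"
stands in for a real law-enforcement hash database."""
import hashlib
import io
import struct
import zipfile
import zlib

# (magic at offset 0, type, trailer); ZIP's trailer is the end-of-central-directory magic
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG", b"\xFF\xD9"),
    (b"\x89PNG\r\n\x1a\n", "PNG", b"IEND\xAE\x42\x60\x82"),
    (b"PK\x03\x04", "ZIP", b"PK\x05\x06"),
]
LOCAL_HDR = b"PK\x03\x04"


def identify(data: bytes) -> dict:
    """Type implied by the header, and whether the expected trailer is present."""
    for magic, name, trailer in SIGNATURES:
        if data.startswith(magic):
            ok = data.rfind(trailer) != -1 if name == "ZIP" else data.endswith(trailer)
            return {"type": name, "trailer_ok": ok}
    return {"type": "unknown", "trailer_ok": False}


def repair_jpeg_soi(data: bytes) -> bytes:
    """If the first two bytes were overwritten but an APP0/APP1 segment tagged
    JFIF or Exif follows, put the FF D8 start-of-image marker back."""
    if (data[:2] != b"\xFF\xD8" and data[2:4] in (b"\xFF\xE0", b"\xFF\xE1")
            and data[6:10] in (b"JFIF", b"Exif")):
        return b"\xFF\xD8" + data[2:]
    return data


def carve_zip_entries(data: bytes) -> list:
    """Walk local file headers in order, so entries can still be recovered when
    the central directory at the end of the archive is damaged or missing."""
    entries, pos = [], data.find(LOCAL_HDR)
    while pos != -1 and pos + 30 <= len(data):
        # header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        flags, method, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HH4xIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        raw, status = b"", "ok"
        try:
            if flags & 0x08:      # sizes live in a trailing data descriptor instead
                status = "data descriptor used; sizes not in header"
            elif method == 0:     # stored
                raw = data[start:start + csize]
            elif method == 8:     # raw deflate stream, no zlib wrapper
                raw = zlib.decompress(data[start:start + csize], -15)
            else:
                status = f"unsupported method {method}"
            if raw and (zlib.crc32(raw) != crc or len(raw) != usize):
                status = "crc/size mismatch"
        except zlib.error as e:
            status = f"inflate failed: {e}"
        entries.append({"name": name, "status": status,
                        "content": identify(raw) if raw else None,
                        "sha256": hashlib.sha256(raw).hexdigest() if raw else None})
        pos = data.find(LOCAL_HDR, max(start + csize, pos + 4))
    return entries


def match_known(entries: list, known_hashes: set) -> list:
    """Names of carved entries whose SHA-256 appears in the hash set."""
    return [e["name"] for e in entries if e["sha256"] in known_hashes]


def build_samples() -> dict:
    """Constructed test material, not evidence from the case."""
    jpeg = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + bytes(range(256)) * 2 + b"\xFF\xD9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG_0421.jpg", jpeg)
    intact = buf.getvalue()
    return {
        "jpeg": jpeg,
        "intact": intact,
        "truncated": intact[:intact.rfind(b"PK\x05\x06")],  # central directory cut off
        "renamed": jpeg,                                     # bare JPEG named .zip
        "soi_clobbered": b"\x00\x00" + jpeg[2:],             # header hit with a hex editor
        "known_hashes": {hashlib.sha256(jpeg).hexdigest()},
    }


if __name__ == "__main__":
    s = build_samples()
    for label in ("intact", "truncated", "renamed", "soi_clobbered"):
        print(f"{label:14} -> {identify(s[label])}")
    carved = carve_zip_entries(s["truncated"])
    print("carved:", carved, "\nhash-set hits:", match_known(carved, s["known_hashes"]))
```

Run it as a script to see each constructed case classified. The reason for walking local file headers instead of calling zipfile.ZipFile is that a damaged or missing central directory is enough for standard tools to report the archive as corrupt while the compressed image data is still intact; the CRC recorded in each local header then confirms whether the carved entry is complete before its hash is compared against anything.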

Case Project 10-4:

You work for a mid-sized corporation known for its inventions that does a lot of copyright and patent work. You are investigating an employee suspected of selling and distributing animations created for your corporation. During your investigations of the suspect's drive, you find some files with an unfamiliar extension of ".cde." The network administrator mentions that other ".cde" files have been sent through an FTP server to another site. Describe your findings after conducting an Internet search for ".cde" files.

Documentation is essential throughout the investigation, with regular updates provided to the company's appropriate parties (department manager, human resources, and the company's legal representation); my procedure may be influenced by company policy as well as by applicable law. After my initial assessment of the case, I would take an inventory of any potential graphics-oriented programs on the suspect's computer; they may provide insight into the alleged selling and distribution of company animations. I will also need to make and validate forensic copies of the .cde files before viewing or examining them.

An initial step is to identify the file extension and the program that uses that file type. There are a number of ways to zero in on potential programs and files; a general search engine (such as Google.com, Yahoo!, or Bing) may yield results. Since no single search engine indexes the whole of the internet, it may be more effective to use a meta-search engine, which submits the query to several search engines to achieve wider results. One popular meta-search engine is Metacrawler, which queries the top search engines (Google.com, Yahoo!, Bing, and Ask).

Using Metacrawler for my search, a result from eHow.com identifies the .cde file extension as a dynamic file used by a 3-D wireframe computer-aided drafting program called CADKEY; a .cde (CADKEY dynamic extension) file contains a set of instructions that CADKEY uses to edit or modify a drawing created with the program. A free CADKEY file viewer is available from Kubotek (the company that owns the CADKEY software), so the files can be examined directly. Another candidate, identified by file-extensions.org, is the Honeywell Hybrid Control Designer, a type of systems configuration software (particularly for configuring HC900 control systems); an industrial control configuration tool is an unlikely source of animation files, so it is an unlikely candidate (although it should not be completely ruled out).

If for some reason the .cde file can't be viewed in Kubotek's file viewer, the file will need closer examination in a hex editor to see whether it was modified, misidentified, or renamed; if only the extension was changed, the bytes at the start of the file will usually reveal the true format. If the file headers were modified, it may be possible to repair them using the header of a verified .cde file produced by the same program. A comparison and cross-reference of file headers and file hash values may be possible (or even necessary) to identify the .cde files if they prove to be unassociated with the CADKEY or Honeywell Control Designer programs.

Another important part of the investigation is the FTP server traffic involving .cde files. It will be necessary to work with the administrator to review the server logs to trace the route of the file transfers. The time of each transmission, the account used, the source and destination of the files, and the file names and sizes can be determined from the logs, and will be valuable to the investigation. Because FTP carries both credentials and file contents in cleartext, any packet captures or proxy logs the administrator retains may also show what was sent, not just that a transfer took place.
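An added example of the log review described above (my own illustration, not part of the original report and not the administrator's tooling). It assumes the FTP server writes the xferlog transfer-log format used by wu-ftpd, vsftpd and ProFTPD; the log lines, addresses, user and file names below are constructed for the example and are not from any real case:

```python
"""Pull the .cde transfers out of an FTP server transfer log and build a timeline.
Added example, not part of the original report. Assumes the wu-ftpd/vsftpd/ProFTPD
"xferlog" format; every log line, host, user and file name here is constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample log (not real data). One transfer per line, xferlog layout:
# current-time transfer-time remote-host file-size filename transfer-type
# special-action-flag direction access-mode username service-name
# authentication-method authenticated-user-id completion-status
SAMPLE_XFERLOG = """\
Mon Dec 27 09:12:40 2010 1 10.20.4.17 184320 /pub/anim/walkcycle.cde b _ i r jsmith ftp 0 * c
Mon Dec 27 09:13:02 2010 1 10.20.4.17 20480 /pub/anim/readme.txt a _ i r jsmith ftp 0 * c
Mon Dec 27 22:41:19 2010 6 203.0.113.7 184320 /pub/anim/walkcycle.cde b _ o a guest ftp 0 * c
Tue Dec 28 01:05:51 2010 3 203.0.113.7 92160 /pub/anim/logo spin.cde b _ o a guest ftp 0 * i
Tue Dec 28 08:30:00 2010 0 10.20.4.17 512 /pub/anim/notes.txt a _ o r jsmith ftp 0 * c
"""

DIRECTION = {"o": "download (server -> client)", "i": "upload (client -> server)", "d": "deletion"}
STATUS = {"c": "complete", "i": "incomplete"}


def parse_xferlog_line(line: str) -> dict:
    """Split one xferlog record. The date is the first five tokens and the last
    nine fields are fixed, so a filename containing spaces is reassembled from
    whatever lies between them."""
    parts = line.split()
    if len(parts) < 18:
        raise ValueError(f"short xferlog record: {line!r}")
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    (_xfer_type, _special, direction, access_mode, user,
     _service, _auth_method, _auth_user, status) = parts[-9:]
    return {
        "time": when,
        "seconds": int(parts[5]),
        "remote_host": parts[6],
        "size": int(parts[7]),
        "filename": " ".join(parts[8:-9]),
        "direction": DIRECTION.get(direction, direction),
        "access_mode": access_mode,
        "user": user,
        "status": STATUS.get(status, status),
    }


def cde_transfers(log_text: str) -> list:
    """Every .cde transfer, in chronological order (the log may not be sorted
    if several daemons append to it)."""
    rows = [parse_xferlog_line(l) for l in log_text.splitlines() if l.strip()]
    rows = [r for r in rows if r["filename"].lower().endswith(".cde")]
    return sorted(rows, key=lambda r: r["time"])


def hosts_receiving(rows: list) -> Counter:
    """Completed .cde downloads per remote host: the 'other site' the admin
    mentioned shows up here as an external address pulling files after hours."""
    return Counter(r["remote_host"] for r in rows
                   if r["direction"].startswith("download") and r["status"] == "complete")


def timeline(rows: list) -> list:
    """One human-readable line per transfer, ready to paste into the report."""
    return [f"{r['time']:%Y-%m-%d %H:%M:%S} {r['remote_host']:>15} {r['user']:<8} "
            f"{r['direction']:<28} {r['status']:<10} {r['size']:>8} B {r['filename']}"
            for r in rows]


if __name__ == "__main__":
    rows = cde_transfers(SAMPLE_XFERLOG)
    print("\n".join(timeline(rows)))
    print("completed .cde downloads per remote host:", dict(hosts_receiving(rows)))
```

In xferlog the direction field is o for a download from the server and i for an upload to it, and the completion field is c for a complete transfer; a completed download of a .cde file to an external address after hours is exactly the record the network administrator's remark points to. If the server writes another format (Microsoft IIS W3C logs, for example), only parse_xferlog_line needs to change.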



Once I have compiled and documented my findings, I will present them to the appropriate company authorities and legal representation to determine whether further investigation is necessary.

References

File Extension CDE. (2010). Retrieved December 30, 2010, from Uniblue, FILExt: http://filext.com/file-extension/cde

Harrison, H. (2010). What Is the File Extension CDE? Retrieved December 30, 2010, from eHow.com: http://www.ehow.com/facts_5751785_file-extension-cde_.html

HC900 Hybrid Control Designer PC Software. (2010). Retrieved December 30, 2010, from Honeywell: http://hpsweb.honeywell.com/cultures/en-us/products/instrumentation/softwaretools/hc900software/default.htm

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and Investigations (3rd ed.) (pp. 398-425). Boston, MA: Cengage Learning.

The Official CADKEY Page. (2010). Retrieved December 30, 2010, from Kubotek: http://www.kubotekusa.com/products/cadkey.html
