CJ317 Unit 7 Project
Kaplan University
1/3/2010
You are investigating a case involving an employee who is allegedly sending inappropriate photos via e-mail in
attachments that have been compressed with a zip utility. As you examine the employee’s hard disk drive, you will
find a file named orkty.zip, which you suspect is a graphic file. When you try to open the file in an image viewer, a
message is displayed indicating that the file is corrupt. Write a 2-3 page report explaining how to recover the file,
An initial assessment would be among the first steps I would take in this case. I would need to outline the details and inquire about the nature of the inappropriate photos to gain better insight into what to look for during my investigation. Among the things I would look for is any information derived from the circumstances of the allegations and their sources, such as testimony from those who have potentially viewed the inappropriate picture files. Along with documenting my investigation, I would ensure that the current warrants cover my investigation, and that any further warrants needed are obtained before continuing; it is important that any inquiries and
Building a profile of the suspect may also help my assessment by establishing the suspect's level of technical skill, which would help me gauge the likelihood that the suspect purposefully corrupted or altered the file. Questions I might seek to answer are: Did the suspect merely rename the image file's extension? Did the suspect compress the image file with a zip utility, after which the data became corrupted? Did the suspect use a hex editor to alter the file header? Or was a combination of methods used?
I would document any predominant graphics file types, graphics programs and viewers, and zip utilities found on the suspect's computer, and I would compile as comprehensive a list of graphics file extensions and zip utilities as I can, if any are present on the suspect's
Multiple forensic copies of the orkty.zip file should be made before any testing or modification, and each copy's hash value verified against the original, so that all experimentation is done on a working copy. Each graphics file format has a characteristic header (file signature) that viewers rely on to decode the image, so I would compare the file's header with the headers of known graphics types (for example, every JPEG file starts at offset 0 with the hexadecimal bytes FF D8). I would also check for any modifications or inconsistencies in the header or the end-of-image (EOI) marker that may indicate an attempt to conceal the file's nature; the information in a known file header provides the means to properly render the image. Metadata, such as the camera's make and model and the date and time the image was created, may also be retrieved using a hex editor; if present, this information would be valuable in determining the tools likely used, as well as the likely format of the image file. It may also be
investigation, and would require some experimentation on my part. I would attempt to view a copy of the orkty.zip file in a variety of graphics programs and viewers, trying a different graphics file extension with each attempt. I would pay close attention to any rendering errors, strange behavior in the viewer utilities, or prompts I receive, because they may provide insight into the nature of the file. Another approach is to determine whether the source of the corruption is a zip utility; from personal experience, different zip utilities may use alternate compression algorithms, and you may see varying results between utilities when uncompressing files. I would then attempt to view the newly uncompressed files in a variety of viewers and graphics utilities.
I would also compare the hash value of orkty.zip, and of any image recovered from it (compressing a file changes its hash, so the archive and its contents must be hashed separately), with the hash values of other known graphics files on the suspect's computer, or cross-reference them against the directories of known contraband file hash values maintained by government and law enforcement agencies (depending on the nature of the case). Keyword searches of the hard drive and files might also
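The header comparison, header repair, decompression and hash checks described above, as an added worked example that is not part of the original report (and not taken from the Nelson et al. text). The sample files built by make_samples() are constructed for the demonstration, the JPEG payloads are marker-valid stubs rather than real images, and the known-hash set passed to triage() is a placeholder for an agency hash database. The same identify() and repair_header() functions apply to the .cde files in the second case below, where the reference signature would be the leading bytes of a verified .cde file rather than the JPEG bytes FF D8 FF.

```python
"""Triage of a suspect 'graphic' file that will not open. Added example, not
part of the original report. Evidence is constructed in make_samples(); the
JPEG payloads are marker-valid stubs, not real images."""
import hashlib
import io
import zipfile
import zlib

# File signatures checked at offset 0, so identification ignores the extension.
SIGNATURES = [
    ("zip", b"PK\x03\x04"),
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("bmp", b"BM"),
]
JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image

# Constructed stubs: SOI, one APPn segment (JFIF or Exif), EOI. Not real images.
JPEG_STUB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + JPEG_EOI)
EXIF_STUB = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + JPEG_EOI


def sha256(data):
    """Hash used to verify a working copy against the original and to
    cross-reference against a known-file hash set."""
    return hashlib.sha256(data).hexdigest()


def identify(data):
    """Type implied by the leading bytes, whatever the file is called."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def check_jpeg(data):
    """Markers a viewer depends on: SOI at offset 0, an APPn marker (FF E0..
    FF EF) right after it, EOI as the last two bytes, and whether an Exif
    block (camera make/model, timestamps) sits near the start."""
    return {
        "soi": data[:2] == JPEG_SOI,
        "app_marker": len(data) > 3 and data[2] == 0xFF and 0xE0 <= data[3] <= 0xEF,
        "eoi": data.endswith(JPEG_EOI),
        "exif": data.find(b"Exif\x00\x00", 0, 64) != -1,
    }


def looks_like_headerless_jpeg(data):
    """First bytes altered, but the APPn marker at offset 2 and the EOI at the
    end survive: a strong candidate for header repair."""
    c = check_jpeg(data)
    return not c["soi"] and c["app_marker"] and c["eoi"]


def repair_header(data, signature):
    """New bytes with the first len(signature) bytes replaced by the signature
    of the suspected format (FF D8 FF for JPEG, or the leading bytes of a
    verified reference file for a proprietary type). The evidence copy passed
    in is never modified in place."""
    return signature + data[len(signature):]


def unpack_zip(data):
    """Extract every member in memory and identify it by signature. Errors from
    the zip or deflate layer are recorded, not raised: a damaged container is
    exactly the case under investigation."""
    members = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                blob = zf.read(name)
                members[name] = (identify(blob), sha256(blob))
    except (zipfile.BadZipFile, zlib.error) as err:
        members["<error>"] = (str(err), None)
    return members


def triage(data, known_hashes=frozenset()):
    """Per-file report: type by signature, hash, hash-set hit, then either the
    archive contents, the JPEG marker check, or a repair attempt on a copy."""
    report = {"type": identify(data), "sha256": sha256(data)}
    report["known"] = report["sha256"] in known_hashes
    if report["type"] == "zip":
        report["members"] = unpack_zip(data)
    elif report["type"] == "jpeg":
        report["jpeg"] = check_jpeg(data)
    elif looks_like_headerless_jpeg(data):
        fixed = repair_header(data, b"\xff\xd8\xff")
        report["repaired"] = {"type": identify(fixed), "sha256": sha256(fixed),
                              "known": sha256(fixed) in known_hashes,
                              "jpeg": check_jpeg(fixed)}
    return report


def make_samples():
    """Constructed evidence: a sound archive, a truncated one, a JPEG merely
    renamed .zip, a JPEG whose first two bytes were overwritten, and a JPEG
    carrying an Exif segment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", JPEG_STUB)
        zf.writestr("notes.txt", b"not an image")
    archive = buf.getvalue()
    return {
        "good_zip": archive,
        "truncated_zip": archive[:-10],   # end-of-central-directory damaged
        "renamed_jpeg": JPEG_STUB,
        "clobbered_jpeg": b"\x00\x00" + JPEG_STUB[2:],
        "exif_jpeg": EXIF_STUB,
    }


if __name__ == "__main__":
    known = {sha256(JPEG_STUB)}   # placeholder for a known-file hash set
    for label, blob in make_samples().items():
        print(label, triage(blob, known))
```

Run against the constructed samples, the renamed file is reported as a JPEG despite its .zip name, the truncated archive returns an error entry instead of members, and the clobbered file is repaired only on a returned copy, whose hash then matches the known set; the original bytes are never touched.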
You work for a mid-sized corporation known for its inventions that does a lot of copyright and patent work. You are
investigating an employee suspected of selling and distributing animations created for your corporation. During your
investigations of the suspect’s drive, you find some files with an unfamiliar extension of “.cde.” The network
administrator mentions that other “.cde” files have been sent through an FTP server to another site. Describe your
the company's appropriate parties (department manager, human resources, and the company's
observance of law. After my initial assessment of the case, I would take an inventory of any graphics-oriented programs on the suspect's computer; they may provide insight into the alleged selling and distribution of company animations. I will also need to make and validate
An initial step is to identify the file extension and the program that produces its file type. There are a number of ways to zero in on potential programs and files; a general search engine (such as Google.com, Yahoo!, or Bing) may yield results. Since the internet is too large for a single search engine to fully index its content, it may be more effective to use a meta-search engine (which queries several search engines to achieve wider results). One popular meta-search engine is Metacrawler, which draws on the top search engines (Google.com, Yahoo!, Bing, and Ask).
Using Metacrawler for my search, a result from eHow.com identifies the .cde file extension as a dynamic file used by a 3-D wireframe computer-aided drafting program called CADKEY; a .cde (CADKEY dynamic extension) file contains a set of instructions that CADKEY uses to edit or modify a drawing created with the program. A free CADKEY file viewer is available from Kubotek (the company that owns the CADKEY software), making the
the Honeywell Hybrid Control Designer, is a type of systems configuration software (particularly for configuring HC900 control systems); due to the nature of this program, it is an unlikely
If for some reason the .cde file can't be viewed in Kubotek's file viewer, the file will need closer examination in a hex editor to see whether it was modified, misidentified, or renamed. If the file header was modified, it may be possible to repair it on a working copy using the header of a verified .cde file produced by the same program, checking afterwards that the viewer opens the repaired copy. A comparison and cross-reference of file headers and hash values may be possible (or even necessary) to identify the .cde files if they prove to be unassociated with the
Another important part of the investigation is the FTP server traffic involving .cde files. It will be necessary to work with the administrator to review the server logs (transfer and authentication logs) to trace the route of the file transfers, after confirming the server's clock and time zone so that log times can be reconciled with timestamps on the suspect's drive. The times of transmission and the source and destination of each file can be
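How the FTP log review just described might be carried out, as an added example that is not part of the original report. The log lines in XFERLOG are constructed for the demonstration in the wu-ftpd/vsftpd xferlog format, and INTERNAL_NETS is an assumed list of company address ranges that the analyst would obtain from the network administrator. The code lists every .cde transfer in time order, incomplete attempts included, and totals completed outbound transfers per user and destination, flagging destinations outside the company's ranges.

```python
"""Review of FTP transfer logs for .cde transfers. Added example, not part of
the original report. XFERLOG is constructed sample data in xferlog format;
INTERNAL_NETS is an assumed set of company address ranges."""
import ipaddress
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines. xferlog fields: timestamp (5 tokens), seconds, remote
# host, size, path, type, action flag, direction, access mode, user, service,
# auth method, auth user id, completion status.
XFERLOG = """\
Mon Dec 27 09:12:41 2010 3 10.0.0.15 184320 /srv/ftp/animations/robot_walk.cde b _ o r jdoe ftp 0 * c
Mon Dec 27 09:14:05 2010 1 10.0.0.15 2048 /srv/ftp/animations/readme.txt a _ o r jdoe ftp 0 * c
Tue Dec 28 22:03:17 2010 12 203.0.113.44 901120 /srv/ftp/animations/logo_spin.cde b _ o r jdoe ftp 0 * c
Wed Dec 29 07:45:00 2010 2 10.0.0.15 409600 /srv/ftp/incoming/draft.cde b _ i r mlee ftp 0 * c
Wed Dec 29 07:46:30 2010 0 10.0.0.15 0 /srv/ftp/animations/robot_walk.cde b _ o r jdoe ftp 0 * i
"""


def parse_xferlog(text):
    """Parse xferlog lines into records. Lines with too few fields are skipped
    rather than guessed at. wu-ftpd-style xferlog writes spaces in file names
    as underscores, so whitespace splitting is safe for this format."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        records.append({
            "time": datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"),
            "remote_host": f[6],
            "size": int(f[7]),
            "path": f[8],
            "direction": f[11],      # o = sent from the server, i = received by it
            "user": f[13],
            "complete": f[17] == "c",
        })
    return records


def is_external(host, internal_nets=INTERNAL_NETS):
    """True when the remote host is outside the company's own ranges. A host
    name rather than an address is flagged so the analyst resolves it."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in internal_nets)


def cde_transfers(records, suffix=".cde"):
    """Chronological list of every transfer touching the extension of interest,
    including incomplete attempts, which are evidence too."""
    hits = [r for r in records if r["path"].lower().endswith(suffix)]
    return sorted(hits, key=lambda r: r["time"])


def outbound_summary(transfers, internal_nets=INTERNAL_NETS):
    """Completed transfers sent from the server, totalled per (user, destination),
    with a flag for destinations outside the company."""
    summary = {}
    for r in transfers:
        if r["direction"] != "o" or not r["complete"]:
            continue
        key = (r["user"], r["remote_host"])
        entry = summary.setdefault(key, {
            "files": 0, "bytes": 0,
            "external": is_external(r["remote_host"], internal_nets)})
        entry["files"] += 1
        entry["bytes"] += r["size"]
    return summary


if __name__ == "__main__":
    hits = cde_transfers(parse_xferlog(XFERLOG))
    for r in hits:
        print(r["time"].isoformat(), r["user"], r["direction"], r["remote_host"],
              r["path"], "complete" if r["complete"] else "INCOMPLETE")
    for (user, host), s in outbound_summary(hits).items():
        print(user, "->", host, s)
```

The real server's xferlog would be fed to parse_xferlog() in place of the constructed sample. Timestamps in the log are the server's local time, so they must be reconciled with the workstation's clock before being compared with file system timestamps on the suspect's drive.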
Once I have compiled and documented my findings, I will present them to the
investigation is necessary.
References
File Extension CDE. (2010). Retrieved December 30, 2010 from Uniblue, FILExt: http://filext.com/file-extension/cde
Harrison, H. (2010). What Is the File Extension CDE? Retrieved December 30, 2010 from eHow.com: http://www.ehow.com/facts_5751785_file-extension-cde_.html
HC900 Hybrid Control Designer PC Software. (2010). Retrieved December 30, 2010 from Honeywell: http://hpsweb.honeywell.com/cultures/en-us/products/instrumentation/softwaretools/hc900software/default.htm
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and
The Official CADKEY Page. (2010). Retrieved December 30, 2010 from Kubotek: http://www.kubotekusa.com/products/cadkey.html