Professional Documents
Culture Documents
,
and AccessData Password Recovery Tool Kit.
Cyber security_Chapter 11.indd 705 2011-03-25 10:34:56 AM
706 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
Te case was processed in the manner described here. During the Assessment phase:
1. Documentation provided by the investigator was reviewed.
a. A special search warrant was obtained for the assessment of the computer in a laboratory
location legal authority was instituted for this.
b. Chain of custody was properly documented using appropriate forms dened by the concerned
departments.
c. Te appeal for service and a detailed summary explained the investigation, provided keyword
lists, and provided information about the person suspected, the stolen car, the forged doc-
uments and the Internet ad. Te investigator also provided photostat copies of the forged
documents.
2. Te computer forensics examiner set up discussion with the case agent to understand the possibilities
for additional investigation areas and also to understand potential evidence being sought in the
investigation.
3. Evidence input was completed.
a. Te evidence was noted and photographs were made.
b. A le was created and the case details were entered into the laboratory database.
c. Te computer was safely put in the laboratorys property room.
4. Te case was entrusted to a computer forensics investigator.
During the Imaging phase, the following steps were performed:
1. Te notebook computer was examined and photographed.
a. Te hardware was examined and documented.
b. A controlled boot disk was placed in the computers oppy drive. Te computer was powered
on and the BIOS setup program was entered. Te BIOS information was documented and the
system time was compared to a trusted time source and documented. Te boot sequence was
checked and documented; the system was already set to boot from the oppy drive rst.
c. Te notebook computer was powered o without making any changes to the BIOS.
2. EnCase
was used to create an evidence le containing the image of the notebook computers hard drive.
a. Te notebook computer was linked to a laboratory computer through a null-modem wire,
which connected to the computers parallel ports.
b. Te notebook computer was booted to the DOS prompt with a controlled boot disk and
EnCase
Windows
98.
Oense: Possession of child pornography (prima facie suspected).
Case agent: Investigating O cer Mankame Ulhas.
Evidence number: 052356
Chain of custody: See attached form.
Where examination took place: Criminal investigations unit.
Tools used in Forensics Operation: Disk acquisition utility, universal graphic viewer, command line.
Cyber security_Chapter 11.indd 709 2011-03-25 10:34:57 AM
710 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives
relating to children. Te last accessed time and date of the les indicated that the les were last accessed
10 days before the laptop was delivered to the computer repair shop. For Documentation and Reporting,
the forensics examiner was provided with a report describing the result of the preliminary examination. Te
investigator decided to conduct interviews.
During the next step, the employee who delivered the laptop computer to the computer repair shop was
interviewed. During the conversation, the employee indicated that he had never operated the computer.
Further, the employee stated that the SUBJECT had shown him images of a sexual nature involving children
on the laptop. As per the employees narration, the SUBJECT had once mentioned to the employee that he
keeps his pictures on oppy disks at home; he just forgot this one image on the laptop.
Te Advocate involved in this case (on behalf of police) was briefed in hope of obtaining a search warrant
for SUBJECTs home based on the examination of the digital evidence and the interview of the employee. A
warrant was drafted, presented to a judicial o cer, and signed. During the consequent search, oppy disks
were found at SUBJECTs house. Forensics inspection of the oppies showed additional evidences of child
pornography evidences included images in which SUBJECT was an accomplice. Tis resulted in the arrest
of SUBJECT. Te case brief report is in Table 11.12.
Table 11.12 |Case brief report
Case Brief Report
REPORT OF MEDIA ANALYSIS
MEMORANDUM FOR: Police O cer at the Police Station in Subjects geographical area Investigator
Mankame, Pune, Sahaj-Vihar Road.
SUBJECT: Forensic Media Analysis Report
SUBJECT: Amrish Deshpande
Case Number: 012345 052356
Status: Closed.
Summary of Findings:
327 les containing images of what looked like children depicted in a sexually explicit mode were recovered.
34 shortcut les that pointed to les on oppy disks with sexually explicit le names involving children were
recovered.
Items Analyzed:
TAG NUMBER ITEM DESCRIPTION
034489 One Generic laptop, Serial # CUFN 457-1
Details of Findings:
Findings in this paragraph related to the Generic Hard Drive, Model XTPS-30, Serial # 3456ABCD, recovered
from Tag Number 012345, One Generic laptop, Serial # 123456789.
1) Te examined hard drive was found to contain a Microsoft
Windows
98 operating system.
2) Te directory and le listing for the media was saved to the Microsoft