Scribd Logo
Upload

Welcome to Scribd!

  • Ellis Lab10 2

    Uploaded by

    api-323337716
    25 views13 pages

    Original Title

    ellis lab10 2

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    25 views13 pages

    Ellis Lab10 2

    Uploaded by

    api-323337716

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 13

    UNIT 10 LAB CFR101:

    USE THIS TEMPLATE TO REPORT YOUR FINDINGS ON THE PROVIDED


    IMAGE FILE
    Forensic Analysis Report
    Jonathan Ellis
    Report #: 11302015811
    Case Agent: Ellis
    Examiner: Jonathan Ellis
    Description:
    REQUESTED EXAMINATION
    On 11/30/2015 at approximately 08:00 hours, I was working in my capacity
    as a police detective in the Computer Crimes Unit when I received a request
    from Detective Griffits #007 to search A Toshiba Laptop contained in items of
    digital evidence seized pursuant to search warrant #PHX11302015811 and
    Phoenix Cyber Investigation Office report #11302015811.
    CHAIN OF CUSTODY
    On 11/30/2015, I took custody of item #EVID11302015811 from Detective
    Griffits #007 and transported it to a secured facility for examination. The
    property remained in my custody at the secured facility until the completion
    of the examination. On 11/30/2015, I returned item #EVID11302015811 to
    Evidence e Locker: #6.
    ITEMS EXAMINED
    Item Number: #EVID11302015811
    Device Description: Black Toshiba Laptop
    Make: Toshiba
    Model: Satellite Radius
    IMEI: N/A
    SIM: N/A
    Item Number: #EVID11302015811
    Device Description: Black Toshiba Laptops Hard Drive
    Make: Western Digital
    Model: Unknown
    Number of HDD: 1
    Total Capacity: 80GB
    Phoenix Cyber Investigation Office

    Page 1 of 13

    ACQUISITION
    On 11/30/2015, I at 08:20 hours utilized FTK Imager 3.1.2.0 to acquire Item
    #EVID11302015811, with the following description:
    HDD: 1
    Drive Type: Physical Drive
    Drive Make: Western Digital
    Drive Model: Unknown
    Image File Name: WinXp_NTFS
    Verified MD5 Hash: bce3d2a088b15a398183e2b603ab920a
    PREVIEW/INITIAL EXAMINATION
    I utilized FTK Imager 3.1.2.0 to examine the forensic copies of each piece of
    evidence acquired. The initial examination included looking in both allocated
    space (areas of the hard drive assigned specific files) and unallocated space
    (areas of the hard drive containing files that have been deleted from the file
    system and no longer accessible to the user).
    I previewed the file structure of the drive and identified the following
    partitions and corresponding partition sizes. The total number of partitions
    on Item #EVID11302015811 is 1. The total bytes allocated to the visible
    partitions are 4194856960. The total bytes unallocated to a partition are
    8,192 bytes. I also identified the non-default user account names and
    related SID-RID numbers. I examined the primary user account library
    folders, including documents, pictures, videos, and downloads. I noted the
    following:
    Partition 1 Name: NONAME
    Partition 1 Size: 4,194,856,960
    Partition 2 Name: N/A
    Partition 2 Size: N/A
    User Account 1 Name: Administrators: Anonymous2013
    SID-RID: S-1-5-18
    Notable User Account Documents, Pictures, etc.: Documents: 19, Family
    Pictures: 9, Work Pictures 12, Encrypted files: 24 (with CryptNet)
    Phoenix Cyber Investigation Office

    Page 2 of 13

    User Account 2 Name: Dom Cobb


    SID-RID: S-1-5-18
    Notable User Account Documents, Pictures, etc.:
    User Account 2 Name: Default User
    SID-RID: N/A
    Notable User Account Documents, Pictures, etc.:
    NOTABLE APPLICATIONS
    Item #EVID11302015811 contains more than 29 folders in the Program Files
    directory with user applications. I looked for known encryption, anti-forensic
    software, and steganographic applications. I found the found the following
    applications to be of evidentiary value and I noted the following:

    CCleaner
    CyoHash
    Eraser
    Cryptnet

    FILE SIGNATURE ANALYSIS


    Using Autopsy 3.1.3, I examined 46 items marked with Extension
    Mismatch, thus indicating a possible mismatch of the file extension with
    known file signatures. I reviewed the file extensions and found nothing of
    evidentiary value OR noted the following:
    TIMELINE ANALYSIS
    Using Autopsy 3.1.3, I sorted all files on items #EVID11302015811 by the
    Created date/time stamp. I examined files created between 11/30/2015 and
    12/1/2015 and I noted the following:

    Phoenix Cyber Investigation Office

    Page 3 of 13

    NOTABLE LINK FILES


    Using Autopsy 3.1.3, I sorted all files on the system by file type and searched
    for link files (LNK) and discovered notable files during the course of my
    examination.
    LINK FILE 1: Ariadne2010.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My
    Pictures\Ariadne2010.jpg

    Notable MAC time: 2013-12-04 09:02:00


    LINK FILE 2: Arthur2010.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My
    Pictures\Arthur2010.jpg

    Notable MAC time: 2013-12-04 09:02:25


    LINK FILE 3: daniel-tarullo.lnk
    Filepath/directory:C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics\da
    niel-tarullo.jpg

    Notable MAC time: 2013-12-04 09:03:46


    LINK FILE 4: decoded.lnk
    Phoenix Cyber Investigation Office

    Page 4 of 13

    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\decoded.pdf


    Notable MAC time: 2013-12-04 08:55:43
    LINK FILE 5: faith.txt.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\faith.txt
    Notable MAC time: 2013-12-04 09:25:09
    LINK FILE 6: false flag exposed.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\false flag exp

    Notable MAC time: 2013-12-04 09:11:27


    LINK FILE 7: false flag.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\false flag.bmp

    Notable MAC time: 2013-12-04 09:10:09


    LINK FILE 8: Family Pics.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics
    Notable MAC time: 2013-12-04 09:03:46
    LINK FILE 9: feinstein false flag.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\feinstein false flag.bmp

    Notable MAC time: 2013-12-04 09:14:44


    LINK FILE 10: Google2.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\Google2.bmp

    Notable MAC time: 2013-12-04 08:55:08


    LINK FILE 11: health care false flag.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work
    Pics\health care false flag.bmp

    Notable MAC time: 2013-12-04 09:16:16


    LINK FILE 12: Janet_Yellen.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics\Janet_Yellen

    Notable MAC time: 2013-12-04 09:03:51


    LINK FILE 13: more false flags.lnk
    Phoenix Cyber Investigation Office

    Page 5 of 13

    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\more false flags.bmp

    Notable MAC time: 2013-12-04 09:17:36

    LINK FILE 14: My Pictures.lnk


    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures
    Notable MAC time: 2013-12-04 08:55:08
    LINK FILE 15: pw.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\pw.txt
    Notable MAC time: 2013-12-04 08:58:34
    LINK FILE 16: the list cobbdominic2010@gmail.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\the list - cobbdominic2010@gmail.pdf

    Notable MAC time: 2013-12-04 08:54:19


    LINK FILE 17: wake up.lnk
    File path/directory:
    C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\wake up.bmp

    Notable MAC time: 2013-12-04 09:17:01


    LINK FILE 18: Work Pics.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics
    Notable MAC time: 2013-12-04 09:10:09
    LINK FILE 19: my favorite movies.txt.lnk
    File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\my favorite movies.txt
    Notable MAC time: 2013-12-04 10:17:17
    LINK FILE 20: WinXP_NTFS.E01.txt.lnk
    File path/directory: J:\WinXP_NTFS\WinXP_NTFS.E01.txt
    Notable MAC time: 2013-12-04 10:59:47
    LINK FILE 21: WinXP_NTFS.lnk
    File path/directory: J:\WinXP_NTFS
    Notable MAC time: 2013-12-04 10:59:47
    NOTABLE INTERNET ARTIFACTS
    I searched the suspect device for notable internet usage artifacts, including
    Internet Explorer index.dat files, Temporary Internet cache files, and cookies.
    In addition to Internet Explorer, I searched for artifacts related to other
    browsers such as Firefox, Chrome, Safari, etc.
    Phoenix Cyber Investigation Office

    Page 6 of 13

    I recovered the following notable index.dat files.


    INDEX.DAT
    Username: Anonymous2013
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
    Settings/History/History.IE5/index.dat

    Notable MAC time:


    2013-12-04 08:50:53 MST
    ..
    INDEX.DAT
    Username: Anonymous2013
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
    Settings/History/History.IE5/MSHist012013120420131205/index.dat

    Notable MAC time:


    2013-12-04 08:54:02 MST

    INDEX.DAT
    Username: Anonymous2013
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
    Settings/Temp/History/History.IE5/index.dat

    Notable MAC time: 2013-12-04 10:47:54 MST

    INDEX.DAT
    Username: Anonymous2013
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
    Settings/Temp/History/History.IE5/MSHist012013120420131205/index.dat

    Notable MAC time: 2013-12-04 09:08:08 MST

    COOKIES:

    Phoenix Cyber Investigation Office

    Page 7 of 13

    I recovered the following (368) notable cookie files. Seen in attached


    cookies document separate from this document.
    File path/directory:
    Notable MAC time:
    File path/directory:
    Notable MAC time:
    NOTABLE HTML FILES:
    I utilized Autopsy 3.1.3 to sort all entries by file type and searched for HTML
    files, and discovered 314 HTML files but only 2 notable files during the course
    of my examination.
    HTML FILES

    Name: main.html

    File path/directory: /img_WinXP_NTFS.E01/Documents and


    Settings/Anonymous2013/Local Settings/Application Data/Google/Chrome/User
    Data/Default/Extensions/aohghmighlieiainnegkcijnfilokake/0.5_0/main.html
    Notable MAC time: 2013-12-03 21:18:33 MST
    Name: craw_window.html
    File path/directory: /img_WinXP_NTFS.E01/Documents and
    Settings/Anonymous2013/Local Settings/Application Data/Google/Chrome/User
    Data/Default/Extensions/nmmhkkegccagdldgiimedpiccmgmieda/0.0.5.0_0/html/craw_window.ht
    ml
    Notable MAC time: 2013-12-03 21:18:31 MST

    Phoenix Cyber Investigation Office

    Page 8 of 13

    NOTABLE COMPOUND FILES


    I reviewed the evidence for compound files and discovered twenty office files
    including MS word documents, excel and power point files none of which
    were notable files. I also discovered 4 PDF files, one of which was notable
    (see below).
    COMPOUND FILES
    Name: The List
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/My
    Documents/Downloads/The List.zip
    Notable MAC time: 2013-12-04 09:06:57 MST
    Name: Eraser Documentation
    File path/directory: /img_WinXP_NTFS.E01/Program Files/Eraser/Eraser
    Documentation.pdf Notable MAC time: 2012-03-29 18:09:56 MST

    Unallocated Space /CARVED FILES


    I utilized Autopsy 3.1.3 to search unallocated space and carved files based
    on the known file extensions, file signatures, and or hash values. I recovered
    the following file types with respective quantities:
    CARVED FILES:
    Type of File: Exchange Database Files
    File Signature: application/octet-stream
    File Path: /img_WinXP_NTFS.E01/$CarvedFiles/f0000000.edb
    Unallocated Files:
    Type of File: EO1
    File Signature: application/octet-stream
    File Path: /img_WinXP_NTFS.E01//$Unalloc/Unalloc_15854_15187968_2083790848
    NOTABLE GRAPHIC FILES
    I utilized Autopsy 3.1.3 to review approximately 713 graphic image files. I
    bookmarked two graphic images due to content related to the investigation
    Phoenix Cyber Investigation Office

    Page 9 of 13

    within the scope of this search, including depictions of persons who appear
    to be under the age of eighteen years engaged in sexually exploitative acts.
    The complete list of bookmarked items is included in the HTML or PDF
    version of this report and includes exported graphic images.
    GRAPHIC FILES
    Name: 0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
    Settings/Temp/Temporary Internet Files/Content.IE5/0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg

    Notable MAC time: 2013-12-04 09:07:36 MST


    Name: img004b.jpg
    File path/directory:
    /img_WinXP_NTFS.E01/WINDOWS/Help/Tours/htmlTour/img004b.jpg
    Notable MAC time: 2006-02-28 05:00:00 MST

    NOTABLE VIDEO FILES


    I utilized Autopsy 3.1.3 to review approximately twenty video files. I
    bookmarked two video files due to content related to the investigation within
    the scope of this search, including depictions of persons who appear to be
    under the age of eighteen years engaged in sexually exploitative acts.
    The complete list of bookmarked items is included in the HTML or PDF
    version of this report and includes exported graphic images.
    VIDEO FILES
    Name: mdlib.wmv
    File path/directory:
    /img_WinXP_NTFS.E01/WINDOWS/Help/Tours/WindowsMediaPlayer/Video/mdlib.wmv

    Notable MAC time: 2006-02-28 05:00:00 MST


    Name: nuskin.wmv
    File path/directory:
    /img_WinXP_NTFS.E01/WINDOWS/Help/Tours/WindowsMediaPlayer/Video/nuskin.wmv
    Notable MAC time:
    Phoenix Cyber Investigation Office

    Page 10 of 13

    2006-02-28 05:00:00 MST

    NOTABLE ENCRYPTED FILES


    I utilized Autopsy 3.1.3 to review approximately one encrypted files. I
    bookmarked the (1) encrypted files due to file names or directories that
    appear to be related to the investigation within the scope of this search.
    ENCRYPTED FILES
    Name: The List
    File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/My
    Documents/Downloads/The List.zip
    Notable MAC time: 2013-12-04 09:06:57 MST

    NOTABLE RECYCLE BIN FILES


    I utilized Autopsy 3.1.3 to review approximately 32 in the recycle bin. I
    bookmarked two recycled files due to content related to the investigation
    within the scope of this search, including depictions of persons who appear
    to be under the age of eighteen years engaged in sexually exploitative acts.
    RECYCLED FILES
    USER SID-RID: S-1-5-21-1390067357-1547161642-725345543-1004
    Notable MAC time: 2013-12-04 07:35:43 MST
    USER SID-RID:
    S-1-5-21-1390067357-1547161642-725345543-1004
    Notable MAC time: 2013-12-04 07:42:00 MST
    MEMORY ACQUISITION AND ANALYSIS
    On 11/30/2015, I utilized Autopsy 3.1.3 to acquire one item , with the
    following description:
    RAM and VOLATILE SYSTEM DATA
    Phoenix Cyber Investigation Office

    Page 11 of 13

    Name: AcLayers.dll
    File path/directory: /img_WinXP_NTFS.E01/WINDOWS/AppPatch/AcLayers.dll
    Notable MAC time: 2006-02-28 05:00:00 MST

    VOLUME SHADOW COPIES


    I utilized Autopsy 3.1.3 to review approximately 18 in the volume shadow
    storage.

    Phoenix Cyber Investigation Office

    Page 12 of 13

    Phoenix Cyber Investigation Office

    Page 13 of 13

    You might also like