Case Background
An experienced internal auditor, XYZ, employed by an organization was suspected of being involved in fraudulent activities, cyber surveillance, and theft of the organization's confidential data. The enterprise engaged digital forensics support together with a legal associate to investigate the suspected person XYZ. Before he was removed from his administrative role, XYZ deleted the illegitimate documents, images, and databases from the USB flash drive he used at his office. He asserted that he had not committed the cyber crime, but his fraudulent activities are established through his use of the unlawfully obtained assets for his personal purposes.
According to an estimate by the College of Policing, around half of all crimes reported to front-line staff have a cyber component (Kara, Brian, & Matt, 2009). Police experts state that there are 7 million cyber crimes per year and 3 million other types of online fraud, most of which go unreported.
To investigate this digital crime efficiently, I deployed the Forensic Tool Kit (FTK) Imager software to recover the essential files the suspect deleted from his USB flash drive. Files deleted from a USB flash drive remain in the drive's unallocated space until that space is overwritten, which is where the recovery effort is directed.
Besides investigating the criminal case, a situational analysis was carried out on the suspect (Ana, Javier & Ahmed, 2007). He was asked certain questions relevant to the criminal investigation in order to establish the legitimacy of the information contained on the USB flash drive. The following investigation questions were asked:
- Were the USB flash drive or any other digital devices used by him for his personal use, or were they provided to him by the organization?
- Did any other employees in the organization have access to the above devices, or to the desktop computer or laptop allocated to the suspect XYZ?
- If these digital devices were provided to XYZ by the organization, were they in use before, during, or after the allocation of the USB drive to the suspect?
The legal associates applied for and obtained a warrant to enter the suspect's residence. The warrant authorized searching for, seizing, and examining the devices that could be isolated as digital evidence of the criminal activities, for the purpose of establishing his guilt. After the USB drive and other external devices were identified and seized as digital evidence, they were carefully packaged and a chain of custody was established to ensure the integrity of the evidence held on the digital devices. Protecting the data on a computer matters more than protecting the physical hardware. Computer forensics also captures data that is not visible to the user, so the investigator who seized the USB flash drives and other devices had to take great care not to erase or alter any data.
| Material Model, Color, and Description | Serial Number |
| --- | --- |
| Cell Phone | 359756756533573 |
| Wi-Fi Enabled Mobile Phone | 455454545456866 |
| Grey and Black USB Flash Drive | 346673365664345 |
| Grey Compaq Laptop | CEV36532RHS |
| Black Dapeng Mobile Phone | 4465545434424464 |
Questions on Digital Criminal Case
- Were all three mobile phones (the cell phone, the Wi-Fi enabled mobile phone, and the black Dapeng mobile phone) used to call the same individuals, or to browse details relevant to this criminal investigation?
- Did any individual other than the suspect have access to evidence 3 (the USB flash drive)?
- Did the suspect use any external drives or devices other than the USB flash drive to keep track of the fraudulent activities?
- Where are the monetary proceeds of the fraudulent activities held?
Given the difficulty of the investigation and all the evidence collected against the suspect, the examination of the acquired evidence should begin by locating the information of highest value to the analysis in the following areas:
- Recovering the browsing history from the mobile phone browsers and the laptop web browsers.
- Examining the stored locations and the dialled and received calls on the cell phones.
- Recovering the files or documents deleted from the laptop, the mobile phones, and, most importantly, the USB flash drive.
The offences the cyber criminal 'XYZ' faces are: theft of money, theft of sensitive information, counterfeiting, and swindling. The associated offences include misuse of digital devices, technologies, services, and systems for altering, aiding, or committing acts that disrupt, facilitate, or conceal the commission of the crime in digital crime proceedings.
- 4 folders containing files relevant to this investigation were recovered from the USB flash drive. These documents contain clues to key codes, encrypted files, steganographic files, forged documents, stolen credit card information, receipt details, and information on fake lottery winners.
- The files recovered from these folders yielded the suspect's bank account details, user name, personal address, and mobile numbers, the credit card details of the users who "won" the fake lottery, and the staff information of the organization that employed him.
- 3 Notepad text files concealed by means of steganography were recovered from the USB flash drive of the suspect XYZ. The 3 concealed text files contain user names, private addresses, mobile numbers, and credit card details of individuals. These documents also contain clues to the encrypted information.
- 2 Microsoft Excel files were also recovered from the USB drive. One Excel file identifies the files that were copied and transferred to another firm, and the other contains XYZ's personal account number.
- Six Microsoft Word documents were also uncovered, containing XYZ's Swiss bank account numbers, transaction details, and fake lottery or contract documents.
- A single Microsoft Access database was also examined, containing detailed user and staff records: user names, employee positions, identity numbers, bill payments, account numbers, and accounts holding more than 5000 dollars.
- 20 image files were examined, some of which contain Swiss bank account numbers, transaction details, and fake lotteries.
The digital criminal XYZ also committed security breaches within the organization, such as breaching the legal agreements intended to preserve data reliability and organizational confidentiality, falsifying information, and producing fraudulent data.
I used the FTK imaging method to recover the files that had been deleted from the USB flash drive obtained from the accused. SHA1 and MD5 hash values were computed for the recovered files to confirm their integrity. Among the recovered files is a database called 'lot.mdb' that contains details such as user names and their bank account numbers, employee names, their identity numbers and personal addresses, bill cycles, and employee accounts below and above 5000 dollars.
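As an added illustration, not part of the original case report, the following Python script shows how the recovered files' MD5 and SHA1 values can be recorded in a manifest at acquisition time and re-verified later, reporting files that were modified, are missing, or whose recorded hash is malformed. The file names and contents are constructed for the demo; 'lot.mdb' and 'sample.jpg' are only reused as labels.

```python
import hashlib, os, re, tempfile

_HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
_HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")

def hash_file(path, chunk=1 << 16):
    """Return (md5, sha1) hex digests, streamed so large image files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def build_manifest(evidence_dir):
    """Map filename -> (md5, sha1) for each file directly under evidence_dir."""
    return {n: hash_file(os.path.join(evidence_dir, n)) for n in sorted(os.listdir(evidence_dir))}

def valid_digest_pair(md5, sha1):
    """A recorded pair is usable only if both are lowercase hex of the right length."""
    return bool(_HEX_MD5.match(md5)) and bool(_HEX_SHA1.match(sha1))

def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file; returns names grouped as ok/modified/missing/malformed."""
    report = {"ok": [], "modified": [], "missing": [], "malformed": []}
    for name, (md5, sha1) in manifest.items():
        if not valid_digest_pair(md5, sha1):
            report["malformed"].append(name)  # mistyped record, cannot be trusted
            continue
        path = os.path.join(evidence_dir, name)
        if not os.path.exists(path):
            report["missing"].append(name)
            continue
        # Both digests must match; a crafted MD5 collision would still change the SHA1.
        report["ok" if hash_file(path) == (md5, sha1) else "modified"].append(name)
    return report

def demo():
    """Constructed run: hash two sample files, alter one after acquisition, re-verify."""
    d = tempfile.mkdtemp()
    for name, body in (("lot.mdb", b"abc"), ("sample.jpg", b"\xff\xd8\xff\xe0constructed")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    manifest = build_manifest(d)
    with open(os.path.join(d, "sample.jpg"), "ab") as f:
        f.write(b"!")  # simulate a post-acquisition modification
    return manifest, verify_manifest(d, manifest)
```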
Over 40 files in several formats were deleted by XYZ. Among the concealed documents, 3 files and one folder were encrypted. The encrypted files were opened by means of steganographic files that hold the passwords and clues for breaking the encryption. The password-protected, encrypted .RAR files contain: 1) database documents of user and staff details, i.e. employee names, identity numbers, employee positions in the company, bill payments, bank account numbers, and accounts holding over 5000 dollars; 2) an Excel file named "Dollars" containing XYZ's bank account number; 3) a Word file named "Secret-Encoded" containing XYZ's Swiss bank account details.
The recovered steganographic files were disguised in formats such as .txt, .zip, .jpg, .png, etc. All the investigation documents relating to the important passwords are listed below:
- The password for XYZ's personal account number was hidden so as to resemble an .mp3 file named 'XYZ.mp3'.
- The password for XYZ's Swiss bank account number was embedded in a JPEG file called 'sample.jpg'.
- A file named "Corrupt" that looks like a .ZIP folder contains a map picture depicting the fraudulent activities.
- The hashed documents included certain random images that are irrelevant to the investigation of the crime. The fraudulent activities are encoded in the .zip folder.
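The disguised files above share one trait an examiner can test for mechanically: the file extension contradicts the leading bytes of the content. The following Python script, added here and not part of the original report, sniffs a small table of well-known signatures (JPEG, PNG, ZIP, RAR, MP3, Jet/Access, OLE2) and flags extension mismatches. The sample files are constructed and only borrow the report's file names; the signature table is illustrative, not exhaustive.

```python
import os

# Well-known leading byte signatures (all at offset 0). Constructed table, not exhaustive.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("zip", b"PK\x03\x04"),                 # also the container for docx/xlsx
    ("rar", b"Rar!\x1a\x07"),               # RAR4; RAR5 continues with \x01\x00
    ("mp3", b"ID3"),                        # ID3v2-tagged MPEG audio
    ("mdb", b"\x00\x01\x00\x00Standard Jet DB"),
    ("doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 compound file (legacy Office)
]
# Extensions that legitimately share a signature.
ALIASES = {"zip": {"zip", "docx", "xlsx", "jar"}, "doc": {"doc", "xls", "ppt"},
           "jpg": {"jpg", "jpeg"}, "txt": {"txt", "csv", "log"}}

def sniff(data):
    """Return the content-derived type, or None when nothing recognisable matches."""
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # raw MPEG audio frame sync without an ID3 header
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "txt"  # printable ASCII only: a text file whatever its name says
    return None

def extension_mismatch(filename, data):
    """True when the claimed extension and the sniffed content disagree.
    Unrecognised content is never reported as a mismatch; it needs manual review."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    kind = sniff(data)
    return kind is not None and ext not in ALIASES.get(kind, {kind})

def triage(files):
    """files: {name: bytes}. Returns the names whose content contradicts their extension."""
    return sorted(n for n, d in files.items() if extension_mismatch(n, d))

# Constructed samples mirroring the report's disguised files (not the real evidence).
SAMPLES = {
    "XYZ.mp3": b"plain text, not audio: password hint goes here",
    "sample.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,  # genuine JPEG header
    "Corrupt.zip": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,               # PNG wearing a .zip name
    "lot.mdb": b"\x00\x01\x00\x00Standard Jet DB" + b"\x00" * 4,
    "notes.txt": b"Rar!\x1a\x07\x00" + b"\x00" * 8,                   # RAR archive named .txt
}
```

A genuine JPEG carrying a steganographic payload (as 'sample.jpg' did) passes this check, so signature sniffing narrows the review but does not replace steganalysis.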
For the mobile phones seized from the suspect, the IMEI numbers were checked and verified by computing the IMEI check digit, in order to reveal the make, date, model, origin, and other details of these phones.
- The check digit of the Wi-Fi enabled mobile phone was computed as 5.
- The check digit of the other mobile phone was found to be 4.
- The check digit of the black mobile phone remained unaltered, i.e. 0.
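The check-digit verification described above is the Luhn algorithm over the first 14 digits of a 15-digit IMEI. The Python script below, added here and not part of the original report, computes and verifies that digit and also goes one step beyond the report by recognising the 16-digit IMEISV form, which carries a two-digit software version instead of a check digit and therefore cannot be Luhn-checked. The identifiers at the bottom are constructed, not the report's serial numbers.

```python
def luhn_check_digit(payload):
    """Luhn check digit for a digit string (for an IMEI, the 14-digit TAC + serial)."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # The check digit will be appended on the right, so starting from the rightmost
    # payload digit, double every second digit and fold two-digit results (d - 9).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def imei_is_valid(imei):
    """True for a 15-digit IMEI whose last digit is the correct Luhn check digit."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == int(imei[14])

def describe(identifier):
    """Record an identifier the way an examiner would note it on the evidence list.
    15 digits: IMEI = TAC(8) + serial(6) + check digit. 16 digits: IMEISV, where the
    check digit is replaced by a 2-digit software version, so no Luhn check applies."""
    if not identifier.isdigit():
        return {"kind": "not-imei", "value": identifier}
    if len(identifier) == 15:
        expected = luhn_check_digit(identifier[:14])
        return {"kind": "imei", "tac": identifier[:8], "serial": identifier[8:14],
                "check_digit": int(identifier[14]), "expected_check_digit": expected,
                "valid": int(identifier[14]) == expected}
    if len(identifier) == 16:
        return {"kind": "imeisv", "tac": identifier[:8], "serial": identifier[8:14],
                "software_version": identifier[14:], "valid": None}
    return {"kind": "unknown-length", "value": identifier}

# Constructed identifiers (not the report's values): a valid IMEI, the same IMEI with
# its check digit altered, an IMEISV, and a non-numeric laptop-style serial.
SAMPLE_IDENTIFIERS = ["490154203237518", "490154203237519", "4901542032375101", "ABC12345XYZ"]
```

A mismatch between the recorded and expected check digit points to a transcription error or a tampered identifier, and the TAC still has to be resolved against an allocation database to obtain make and model.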
The investigation continued further, and the metadata identified is essential to this fraud case. The clues to the secret passwords needed to open the accused's .RAR file named 'X', which contains the fraudulent details, were masked (Frederic, Solal, Jeremy & Francois, 2010). The passwords were hidden in the steganographic documents leading to XYZ's personal bank account and Swiss bank account.
Conclusion:
- All the investigated data in the folders and files relevant to the investigation was recovered. I also ensured the reliability and integrity of the data deleted by XYZ during its recovery; the evidence materials were secured and verified by recomputing the hash values and the check digits during the forgery analysis.
- Moreover, as a forensic examiner, I was able to identify the fake lottery files, pitch files, lists of leads, cheque details, and other files relating to the fraudulent activities.
- The digital devices identified and investigated here show further involvement of the suspect in unlawful and illegal activities.
References:
Kara, N., Brian, H., & Matt, B. (2009). Digital forensics: defining a research agenda. In Proceedings of the 42nd Hawaii International Conference on System Sciences, 4(2), 56-58.
Frederic, B., Solal, J., Jeremy, M., & Francois, P. (March 10, 2010). Digital forensics framework. Retrieved from https://www.digital-forensic.org/
Ana, I., Javier, L., & Ahmed, P. (2007). International cooperation to fight transnational cybercrime. In Second International Workshop on Digital Forensics and Incident Analysis, 3(2), 13-27.