Objectives
m57.biz is a newly set up patent company with four main employees: the CEO (Pat McGoo), the IT administrator (Terry), and Jo and Charlie, the two patent researchers. The employees work on site and communicate mainly through e-mail in a Windows environment. A workstation originally used at m57.biz is sold to a customer (Greene) on the second-hand market. Greene realizes that the previous owner did not erase the hard drive and finds suspicious videos and documents related to methamphetamine use, a real problem drug in Singapore and Australia. Greene reports this to the police, who start a forensic investigation. The information provided includes the hard drive sold with the computer and the other hard drives listed below:
Hard drive | Origin
E01-11 | Hard drive image from 2009; the original sold with the computer (Jo)
AD1, AD2 | Hard drive image purported to be from the same computer
E01-12 | Jo's replacement PC, seized by police from M57
AD1, AD2, AD3 | Second hard drive image purported to be from the same computer (used by Jo)
The two additional images were provided in a different format. While there is no problem with their logging, there is a suspicion of police negligence or even foul play, which is yet to be determined.
The team is tasked with uncovering any evidence that proves or disproves the allegations of illegal drug use, and with determining whether the evidence provided has been tampered with as part of a possible cover-up. The specific objectives are:
1. Determine, from the evidence, whether there was illegal drug activity involving methamphetamine.
2. Present the evidence as a timeline, signposting the times at which an offence is believed to have been committed, and compare the evidence found against those dates and times.
3. Use different tools and discuss their relative pros and cons.
4. Determine whether there are differences between the two sets of hard drive images, since both are purported to come from the same computer, and establish which of the two is the original.
5. Address how to respond to the common defence that the actions were committed unintentionally.
6. Research how image files could have been tampered with, and whether there are methods that are difficult or even impossible to detect.
Hypothesis 1: Jo, a patent researcher, is the main suspect. As a researcher he is not well versed in computer forensics and did not foresee that information on the machine could lead back to him. He therefore did not erase the files, and the material was uncovered after Greene bought the hard disk on the second-hand market. On this hypothesis Jo is responsible for the methamphetamine videos and literature, and to cover this up M57 influences one of the police officers to submit a different disk image in order to protect the company's reputation.
Hypothesis 2: The IT administrator (Terry), who has access to all of these computers, took advantage of that access to download and read methamphetamine material and saved it on Jo's office computer. On realizing that the material had been unearthed, Terry, being proficient in IT, submitted a different image to throw the police off track during the investigation.
S/N | Name | Description
Major suspects
1 | Jo, a patent researcher | Jo is the prime suspect in the use of meth. Works as a patent researcher at M57. Not being IT savvy, he had information relating to drugs on his computer and did not bother to remove it.
2 | Terry | The IT administrator at M57. An IT expert, involved in meth literature, who saved the files on Jo's computer. Gave a different, wrong image file to the police for the investigation to throw them off the track.
Minor suspects
3 | Pat | Company CEO. Not involved in either of the matters being investigated (the meth literature or an attempt to cover it up).
4 | Charlie | A colleague of Jo's and also a patent researcher. There is no evidence linking him to the crime.
5 | Police | Involved in the evidence mix-up, either accidentally or deliberately. May be trying to influence the case outcome by a deliberate act of omission or commission.
Hard drive | Type | Size
E01-11 | Raw split.00 | 3.7 GB
AD1, AD2 | Raw split.01 | 3.7 GB
E01-12 | Raw split.02 | 3.5 GB
AD1, AD2, AD3 | Raw split.03 | 3.5 GB
Thumb drive | Raw split.04 | 1.5 GB
Name | Origin | Description
Autopsy | The Sleuth Kit | An open source digital forensics interface that runs analysis through a variety of plug-ins and the open source tools of The Sleuth Kit. It allows important sections of the data under investigation to be flagged easily.
Forensic Toolkit (FTK) v6.1 | AccessData | Software for scanning hard drives for specific information. It includes an imaging tool that saves a hard disk image in segments which can later be reconstructed.
Forensic Explorer | GetData Forensics | A commercial forensics tool that parses NTFS, FAT, EXT and HFS file systems. It can open images created with DD, AFF, NUIX, SMART, SafeBack and X-Ways, and ships with Mount Image Pro for mounting forensic images of Windows systems for analysis, including in VMware.
File name | Hash algorithm | Hash value
Raw split.00 | MD5 | 008646bbfb7dcbe2822c6cd1acc790b1ee6e3abc
Raw split.01 | MD5 | fcd37fdb5af2c6ff925fd402c0a97d8a45affb45
Raw split.02 | MD5 | 7fd876654f23d1c676b189a9oda5eafe4918
Raw split.03 | MD5 | 8acad582d7664c754cf417887d77bcf892b76a6c
Raw split.04 | MD5 | dcfd5434bbea677a761a689c34d96008ca299d16
Using Autopsy, the images were mounted as virtual drives and hash values were generated with the MD5 algorithm. A second set of MD5 hashes was then generated. Note that recomputing the same algorithm only confirms that the first run read the image correctly; it does not guard against a collision. For that, a second digest with a different algorithm (SHA-1 or SHA-256) must be recorded alongside the MD5. The recorded values also need to be checked against the tool output before they are relied on: all but one are 40 hexadecimal characters long, which is the length of a SHA-1 digest rather than an MD5 digest (32 characters), and the value for Raw split.02 has only 36 characters and contains a non-hexadecimal character ('o'), so as transcribed it cannot be a valid digest of any algorithm.
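As an added example that is not part of the original report: the following Python script, written here to illustrate the verification step above and the later objective of comparing the two image sets, hashes a split raw image as one byte stream with two algorithms in a single pass, checks recorded digests against the computed ones, lists the sectors at which two raw images differ, and flags recorded hash strings whose length or characters cannot belong to any known algorithm. The sample image bytes are constructed, not evidence from the case; the two recorded strings passed to digest_kind at the end are copied from the hash table above.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Optional, Sequence

# Hex-digest lengths of the algorithms a report is likely to list.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
SECTOR = 512


def digest_kind(value: str) -> Optional[str]:
    """Return the algorithm a recorded hex digest must belong to, judged by
    its length, or None if the string is not valid hex of a known length
    (for example a letter 'o' typed where a zero belongs)."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return DIGEST_LENGTHS.get(len(v))


def read_segments(paths: Sequence[Path], chunk: int = 1 << 20) -> Iterator[bytes]:
    """Yield a split raw image (image.00, image.01, ...) as one byte stream.
    Segments must be passed in order, e.g. sorted(Path('.').glob('image.*'))."""
    for p in paths:
        with open(p, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    break
                yield block


def hash_stream(chunks: Iterable[bytes], algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Hash a byte stream with several algorithms in a single pass, so the
    evidence is read once and every digest covers exactly the same bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(chunks: Iterable[bytes], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with those recorded for an image, one result
    per algorithm; an image verifies only if every algorithm matches."""
    computed = hash_stream(chunks, tuple(expected))
    return {name: computed[name] == value.strip().lower()
            for name, value in expected.items()}


def differing_sectors(a: bytes, b: bytes) -> List[int]:
    """Sector numbers at which two raw images differ.  Two images that hash
    differently may still be near-identical; the differing sectors tell the
    examiner where to look for an edit or a length difference."""
    longest = max(len(a), len(b))
    return [n // SECTOR for n in range(0, longest, SECTOR)
            if a[n:n + SECTOR] != b[n:n + SECTOR]]


# Constructed sample data (not case evidence): an "original" of four sectors,
# and a copy in which a single byte of sector 2 has been altered.
ORIGINAL = bytes(range(256)) * 8            # 2048 bytes = 4 sectors
_t = bytearray(ORIGINAL)
_t[SECTOR * 2 + 7] ^= 0xFF
TAMPERED = bytes(_t)


if __name__ == "__main__":
    reference = hash_stream([ORIGINAL])
    print("reference digests:", reference)
    # Splitting the stream differently must not change the digests.
    print("split copy verifies:", verify([ORIGINAL[:700], ORIGINAL[700:]], reference))
    print("tampered copy verifies:", verify([TAMPERED], reference))
    print("differing sectors:", differing_sectors(ORIGINAL, TAMPERED))
    # Strings copied from the report's hash table above.
    for recorded in ("008646bbfb7dcbe2822c6cd1acc790b1ee6e3abc",
                     "7fd876654f23d1c676b189a9oda5eafe4918"):
        print(recorded, "->", digest_kind(recorded))
```

With real evidence, replace the in-memory lists with read_segments(sorted(...)) for each split image and compare the result of verify against the acquisition log; a 40-character value that is claimed to be MD5 will show up immediately as a mismatch against digest_kind rather than silently "passing".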
OSF was used to extract information from the provided images and to identify the owner of the PC alleged to have been Jo's; the following was found:
Registry file: C:\Windows\System32\Config\SYSTEM
Registry hive: HKEY_LOCAL_MACHINE\SYSTEM
Computer name: Jo-PC
Other information verified to have come from the same PC includes the operating system and service pack, the memory information, the hard disk size and the file system (NTFS). User account information, login details and the list of installed software were also obtained with OSF. Of importance was the VLC media player, which was used to play and view the methamphetamine-related files found on the PC. A string search of the files for "meth" with OSF returned positive results.