Amit Sharma
10137743
Master of Computer and Network Security
Computer Forensics
CSG4106
Assignment-2
Krishnun
2010
Contents
Executive Summary 3
Chain of Custody 5
Running Sheet 7
Report on Findings 19
Investigation Process 28
Investigation Findings 30
Conclusion 39
Executive Summary

The objective of this report is to document the procedures and methods used in the computer forensics investigation of the supplied image, Assignment2.dd. The task is to locate images of Meerkats, which are strictly forbidden.

We were contacted by a corporate client who asked us to examine an image they had made of an employee's computer system. The employee is suspected of accessing images of Meerkats, which are strictly prohibited under the terms of use the employee has signed and which may be against the law in the particular jurisdiction.

It is assumed that the seizure was carried out properly on site and that all relevant procedures were followed. It is also assumed that the CAINE virtual machine, including all of its tools, had already been installed successfully on the host1 computer system used to examine Assignment2.dd. All of the investigation was carried out inside the CAINE virtual machine under VMware.

All of the investigation was carried out by AMIT SHARMA on 2010-05-18. The image under investigation was downloaded from Edith Cowan University (ECU, Mt Lawley) on a university computer system. The downloaded image was named Assignment2, and all investigation was performed on this image. Examining Assignment2 yielded various images, including Meerkat images, .doc files, .mp4 and .avi video files and .zip files. Hash functions were used throughout to check that the recovered files remained unchanged and to maintain their integrity.

The first part of this report is the Running Sheet, which includes the chain of custody, the log of events, and what was done, how and where, during the forensic investigation. The second part presents all the findings (images, document files and videos).

Host system used for the investigation:
RAM: 1 GB
Host Operating System: Microsoft Windows XP Home Edition with Service Pack 3, Version 2002
Chain of Custody

Submitting Activity
Evidence Description: Employee has been suspected of accessing images of Meerkats which are strictly forbidden.
Case: Assgnmnt2
Email Id of the Investigator: asharma2@our.ecu.edu.au
Location from which the image was obtained: Edith Cowan University, Blackboard
Accessed / Placed: ECU, Forensic Lab
Date and Time: 2010-04-20 5:17:24 PM

Witness of Evidence
The document listed above was made by the evidence custodian, in presence, on the date indicated above.
Vikas Sharma, Mr I
Srinivas Reddy, Mr S

I, AMIT SHARMA, hereby declare that the above information is correct to the best of my knowledge and belief.
Amit Sharma
10137743
Running Sheet

Log of Events

Each entry records: Date; Time; Action; Motive behind taking action; Action taken by / Signature.

Sheet Number 1

Date: 20-April-10  Time: 5:17:24 PM
Action: Download Assignment2.dd image file from the ECU website, i.e. https://software.scss.ecu.edu.au/units/CSG2305/Assignment2/dd/
Motive: To start the investigation and to analyse the given image.
Taken by / Signature: Amit A

Date: 20-April-10  Time: 5:52:13 PM
Action: Hash function is used on the image, i.e. Assignment2.dd.
MD5 - 0c776f7c1ef092cdb9465fde80f4ea86
SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53
Motive: To maintain the integrity of the image.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 5:55:20 PM
Action: Create a folder named investigation in CAINE.
Motive: To save the Assignment2.dd file in the folder.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 5:58:36 PM
Action: Mount the image and copy the Assignment2.dd image file to the virtual machine, i.e. VMware, CAINE.
mount /dev/sdc1 Assignment2
Motive: To start mounting and analysing the files from Assignment2.dd.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 6:03:07 PM
Action: Again, the hash function is used on the copied image in the virtual machine.
MD5 - 0c776f7c1ef092cdb9465fde80f4ea86
SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53
Both hash values are the same. Integrity maintained.
Motive: To check that Assignment2.dd was not compromised while copying into the virtual machine.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 6:06:11 PM
Action: Open a new case in Autopsy named Assgnmnt2.
Motive: Giving the name of the case for investigating.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 6:06:24 PM
Action: Add a host in Autopsy named host1.
Motive: Name of the computer.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 6:08:11 PM
Action: Browsed to the image Assignment2.dd and added it into Autopsy.
Motive: To record the path of the image and link it with Autopsy.
Taken by / Signature: Amit A

Date: 20-May-10  Time: 6:10:34 PM
Action: Rehash the browsed image in Autopsy. Same hash value. Integrity maintained.
Motive: To maintain the integrity.
Taken by / Signature: Amit A

Sheet Number 2

Date: 22-April-10  Time: 9:17:54 AM
Action: Start CAINE, mount the image again and start Autopsy.
Motive: To start analysing the image.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:19:24 AM
Action: Choose "sorter files by type" from the analysis in Autopsy.
Motive: To identify the files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:20:12 AM
Action: Open the output directory under Autopsy. All the identified files can be viewed under the path /var/lib/autopsy/Meerkat_Investigation/host1/output/sorter-vol1/index.html
Motive: To check the identified files.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:20:44 AM
Action: Analyse the files by clicking on File Analysis.
Motive: It is used to check for and recover deleted files.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:21:14 AM
Action: Search for file types such as .jpeg, .gif, .bmp, .doc etc.
Motive: To check whether any Meerkat images are available or not.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:24:33 AM
Action: Typed .gif in the file name search to find any file or document whose extension is .gif.
Motive: To find and examine all .gif files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:25:25 AM
Action: One image found named jewel.gif. Used the hash function on it.
MD5 - bbdc61bcb09b70a92e2421aa3097afa7
SHA1 - f395a98bd52754562f1b513298e3547e6566baed
Motive: To maintain the integrity of the found image, i.e. jewel.gif.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:28:53 AM
Action: Typed .bmp in the file name search to find any file or document whose extension is .bmp.
Motive: To find and examine all .bmp files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 9:30:31 AM
Action: Typed .jpeg in the file name search to find any file or document whose extension is .jpeg.
SHA1 values recorded:
SHA1 - 76afa691556abed61c25651c896943d2e279a7ab
SHA1 - 849ff18b9a173455e5713bcf1719967592045c11
SHA1 - ac5e6412a42e4a05306c4a247ca6f68a5462642a
Motive: To find and examine all .jpeg files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 11:01:04 AM
Action: Typed .zip in the file name search to find any file or document whose extension is .zip.
Motive: To find and examine all .zip files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 11:05:20 AM
Action: File found named Data.zip, which contains pictures of meerkats. Hash function used on it.
MD5 - da68930452efa3758db386ff380f990a
SHA1 - 27a5460741ab235f8d86644ea9914a8d5c7eadb6
Motive: To maintain the integrity of the found file, i.e. Data.zip.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 11:13:39 AM
Action: Image found named Meerkats 09.jpg. Hash function used on it.
MD5 - e9a9fa7a8f32111ec0e5385c47e099a8
SHA1 - 2cf93dddb97b6cec123c5c5d7be55edb04634cc7
SHA1 - 64b318255009d5e964cf0cfb999d1e9dc8514999
Motive: To maintain the integrity of the found image file, i.e. Meerkats 09.jpg.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 11:41:37 AM
Action: Typed .mp4 in the file name search to find any file or document whose extension is .mp4.
Motive: To find and examine all .mp4 files and images.
Taken by / Signature: Amit A

Date: 22-April-10  Time: 12:20:26 PM
Action: Rehash the image to maintain the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
Motive: To compare the hash values with those of the original image to check the integrity of the image.

Sheet Number 3

Date: 23-April-10  Time: 9:20:21 PM
Action: Hash the image again to check the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
Motive: To compare the hash values with those of the original image to check the integrity of the image.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 9:26:56 PM
Action: Typed .rar in the file name search to find any file or document whose extension is .rar.
SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620
Motive: To find and examine all .rar files and images.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 9:47:14 PM
Action: Typed .htm in the file name search to find any file or document whose extension is .htm.
SHA1 - da6fd25750279ec316bf0aa4d1ead3b263e9771c
Motive: To find and examine all .htm files and images.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:10:24 PM
Action: Typed .exe in the file name search to find any file or document whose extension is .exe.
Motive: To find .exe files and images.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:13:51 PM
Action: File found named Bo2k.exe. Hash function used on it.
MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f
SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63
Motive: To maintain the integrity of the found executable file, i.e. Bo2k.exe.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:15:02 PM
Action: Typed .doc in the file name search to find any file or document whose extension is .doc.
Motive: To find and examine all .doc files and images.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:27:29 PM
Action: File found named EBook 0Z 02.doc. Hash function used on it.
MD5 - 5a4b3c21d3f6eb8d349a87229aae14c2
SHA1 - cfd9e0c7d7a6704afad7a842aba4df52b92d05d0
Motive: To maintain the integrity of the found document file, i.e. EBook 0Z 02.doc.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:33:19 PM
Action: File found named meerkats in EBook of The Prince.doc. Hash function used on it.
MD5 - fa836b1b27514a4805c5e551398b17e4
SHA1 - d1e69f0962044748bc487b1b0ebc5104838512c7
Motive: To maintain the integrity of the found document file, i.e. meerkats in EBook of The Prince.doc.
Taken by / Signature: Amit A

Date: 23-April-10  Time: 10:58:04 PM
Action: Rehash the image to maintain the integrity.
MD5: 0c776f7c1ef092cdb9465fde80f4ea86
SHA1: 4179cb30780358577c367a9e6e46708746ddcc53
Motive: To compare the hash values with those of the original image to check the integrity of the image.

End of Part 1 (Running Sheet)
Report on Findings

The aim of this part of the report is to describe all the findings from the image Assignment2.dd made during the forensic investigation. The task was to find Meerkat images, which are against the law and which the employee is suspected of having accessed.

On 2010-04-22 the Assignment2.dd image file was downloaded from Edith Cowan University to begin the investigation for Meerkat images. All of the investigation was performed using CAINE under VMware, with Autopsy as the forensic software.
Findings tables. Each table has the columns: Directory Path; Hash Values (MD5 & SHA1); Written; Accessed; Output; Name; Sign.

Image findings (three tables, one per image type; columns Output of the Image and Name of the Image)

All findings for the .mp4 video file under C:\ (columns Output of the file and Name of the video)

Image found inside a document (columns Output of the image in the document and Name of the Document)

File findings (columns Output of the file and Name of the file)

Files findings (columns Output of the file and Name of the files)

Executable file findings (columns Output of the file and Name of the executable file)

.htm file findings (columns Output of the file and Name of the .htm file)
Investigation Process

After downloading the image file Assignment2.dd from the Edith Cowan University website, I made a copy of the original image in a separate folder to serve as the forensic (working) copy, so that the investigation could proceed on that copy without affecting the original image. I hashed both the original Assignment2.dd and the copied Assignment2.dd and compared the hash values with each other at intervals during the investigation, which confirmed that the image had not been altered and was still identical to the original. The integrity of the image was therefore maintained throughout the forensic investigation process. Two independent digests (MD5 and SHA1) were recorded each time; MD5 on its own is no longer collision resistant, so it is the agreement of both values that the comparisons rely on. The working copy should also be mounted read-only, so that examining it cannot change its contents or its timestamps.
The digests were taken with md5sum and sha1sum on the copy held in the investigation folder:

root@sciss10oem:~# cd Desktop
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation# ls
Assignment2.dd  lost+found
root@sciss10oem:~/Desktop/investigation# md5sum Assignment2.dd
0c776f7c1ef092cdb9465fde80f4ea86  Assignment2.dd
root@sciss10oem:~/Desktop/investigation# sha1sum Assignment2.dd
4179cb30780358577c367a9e6e46708746ddcc53  Assignment2.dd
Open Autopsy

A new case named Meerkats_Investigation was created to start the forensic investigation of the image.

Creating New Case

Host1 was added in Autopsy; afterwards the image Assignment2.dd was added and its MD5 hash value generated, so that it could be compared with the MD5 hash value of the original image, maintaining the integrity of the image and confirming that it had not been compromised.
Investigation Findings

A) .GIF: Searching for .gif files produced a list of files. After looking at each .gif file, I found the image jewel.gif.

B) .BMP: Searching for .bmp files produced a list of files. After analysing each .bmp file, I found the image Internet Explorer Wallpaper.bmp.

C) .MP4: Searching for .mp4 files produced a list of files. After looking at each .mp4 file, I found the video file 60d80dd5032499bd4.mp4.

D) .ZIP: Searching for .zip files produced a list of files. After analysing each .zip file, I found meerkats_1024-8.jpg, meerkats_1sfw.jpg, Meerkats 09.jpg, Meerkats-8.jpg and meerkats_13sfw.jpg.

E) .EXE: Searching for .exe files produced a list of files. After analysing each .exe file, I found the file Bo2k.exe. The file name matches that of the Back Orifice 2000 remote-administration tool; whether this file actually is that tool was not determined in this investigation, but a remote-control program on the machine would bear on who accessed the images, so it warrants separate examination.

F) .DOC: Searching for .doc files produced a list of files. After analysing each .doc file, I found arrow.doc, EBook 0Z 02.doc and EBook of the Prince.doc.

The file listing also showed one HTML document about Meerkats: a web page giving general information about Meerkats.

G) .RAR: Searching for .rar files produced a list of files. After analysing each .rar file, I found the file Mystery.rar.
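The two procedures that run through the running sheet and the findings above, hashing and rehashing the image and then searching the mounted copy one file type at a time, as an added example written for this edit (it is not the report's own code and is not part of Autopsy or CAINE). It assumes the forensic copy is mounted read-only under a directory passed as root; the demo builds a constructed temporary directory with hypothetical file names rather than the contents of Assignment2.dd, and the signature table comes from the public file-format specifications. It goes one step beyond the report's file-name searches by also classifying each file from its leading bytes, the way the Autopsy sorter used on 22-April-10 does, so that a renamed image or a text file wearing a .doc extension is flagged rather than missed:

```python
"""Added example (not part of the original report): image integrity check
and file-type sweep in the style of the running sheet.

Assumes the forensic copy is mounted read-only under a directory (root).
The demo root is a constructed temporary directory, not Assignment2.dd.
"""
import hashlib
import os
import tempfile
from datetime import datetime

# Digests recorded for Assignment2.dd in Sheet Number 1 of the running sheet.
RECORDED_MD5 = "0c776f7c1ef092cdb9465fde80f4ea86"
RECORDED_SHA1 = "4179cb30780358577c367a9e6e46708746ddcc53"

# Leading bytes ("file signatures") of the formats the report searched for,
# taken from the public format specifications. Autopsy's sorter classifies
# by content like this; a file-name search does not.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07",),
    "exe": (b"MZ",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document
}
EXTENSIONS = {".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".bmp": "bmp",
              ".zip": "zip", ".rar": "rar", ".exe": "exe", ".doc": "doc"}


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha1) hex digests, read in chunks so a disk image fits."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, expected_md5=RECORDED_MD5, expected_sha1=RECORDED_SHA1):
    """The rehash step of the running sheet: both digests of the working copy
    must equal the values recorded at acquisition, not just one of them."""
    md5, sha1 = hash_file(path)
    return md5 == expected_md5 and sha1 == expected_sha1


def sniff_type(path):
    """Classify a file by its leading bytes; None if no known signature."""
    with open(path, "rb") as f:
        head = f.read(8)
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None


def sweep(root):
    """Walk the mounted copy and build running-sheet rows for every file that
    matches a searched-for type by extension or by signature. A row whose two
    classifications differ is flagged: a renamed image or a fake .doc would
    be missed by the extension search alone."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            by_ext = EXTENSIONS.get(os.path.splitext(name)[1].lower())
            by_sig = sniff_type(path)
            if by_ext is None and by_sig is None:
                continue
            md5, sha1 = hash_file(path)
            rows.append({
                "time": datetime.now().isoformat(timespec="seconds"),
                "path": os.path.relpath(path, root),
                "ext_type": by_ext, "sig_type": by_sig,
                "mismatch": by_ext != by_sig,
                "md5": md5, "sha1": sha1,
            })
    return sorted(rows, key=lambda r: r["path"])


def build_sample():
    """Constructed stand-in for a mounted image (hypothetical names, not
    files from Assignment2.dd): one honest GIF, one JPEG renamed to .txt,
    one plain-text file carrying a .doc extension, one unrelated text file."""
    root = tempfile.mkdtemp(prefix="sweep_")
    os.mkdir(os.path.join(root, "pics"))
    samples = {
        "pics/jewel.gif": b"GIF89a" + b"\x00" * 16,
        "pics/holiday.txt": b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 8,
        "EBook.doc": b"abc",
        "readme.txt": b"nothing to see",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample()
    image = os.path.join(root, "pics", "jewel.gif")
    print("matches recorded digests:", verify_image(image))
    print("matches its own digests:", verify_image(image, *hash_file(image)))
    for row in sweep(root):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f'{row["path"]:20} ext={row["ext_type"]} sig={row["sig_type"]} '
              f'{flag} md5={row["md5"]}')
```

Run against a real mounted copy, sweep(root) gives one row per candidate file with both digests already computed, which is exactly what each "File found" entry in the running sheet records by hand; the mismatch flag is the check the file-name searches on 22 and 23 April could not make.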
Conclusion

After investigating the Assignment2.dd image file, we recovered 23 images of meerkats, one video file and several document files, including web pages, mainly discussing meerkats. This evidence indicates that the employee breached the rules and regulations he had agreed to and may have acted against the law. The findings should be put to the client and, where applicable, the relevant authorities, who decide on any penalty.