
Computer Forensics CSG4106
Assignment-2

Amit Sharma
10137743
Master of Computer and Network Security

Submitted to: Peter Hannay, Krishnun

2010


Contents

Executive Summary, p. 3
Tools Used For Analysing the Image, p. 4
Chain of Custody, p. 5
Running Sheet, p. 7
End of Part 1 (Running Sheet), p. 18
Report on Findings, p. 19
All evidence images searched and collected from C:/, p. 19
All findings of .bmp images under C:/, p. 20
All findings of .gif images under C:/, p. 20
All findings of .jpg images under C:/, p. 21
All findings for the .mp4 video file under C:/, p. 23
All findings for the .doc files under C:/, p. 23
All findings for the .rar files under C:/, p. 24
All findings for the .zip files under C:/, p. 25
All findings for the .exe files under C:/, p. 26
All findings for the .htm files under C:/, p. 27
End of Report Findings, p. 27
Investigation Process, p. 28
Investigation Findings, p. 30
Conclusion, p. 39


Executive Summary

The main objective of this report is to explain all the procedures and methods used in the computer
forensics investigation of the given image, Assignment2.dd. The main job is to find the Meerkats
images, which are strictly forbidden.

We have been contacted by a corporate client who has asked us to examine an image they have made
of an employee's computer system. The employee is suspected of accessing images of Meerkats,
which are strictly prohibited under the terms of use the employee has signed and which, in the
particular jurisdiction, may be against the law.

We assume that the seizure was done properly on site and that all the relevant procedures were
followed. We also assume that the VMware Caine virtual machine, including all of its tools, has
already been installed successfully on the host1 computer system used to investigate the image
Assignment2.dd. All the investigation was done on the Caine VMware virtual machine.

All the investigation was done by AMIT SHARMA on 2010-05-18. The image under investigation was
downloaded from Edith Cowan University (ECU, Mt Lawley) on the university computer system. The
downloaded image was named Assignment2 and all investigation was made on this image. After
investigating Assignment2, various files were obtained, including Meerkats images, doc files, mp4 and
avi video files and zip files. Hash functions were used carefully to check that all the found images
remain unchanged and to maintain their integrity.

This document is further divided into two parts:

The first part is the Running Sheet, which includes the chain of custody, the log of events and
what/how/where was done during the forensic investigation.

The second part shows all the findings (images, document files and videos).


Tools Used For Analysing the Image

Forensics O.S: Caine 4.03
Forensics Software: Autopsy, SDDUMPER
Virtual machine: VMware Products 3.0.1
Hardware Used: Lenovo S10e
RAM: 1 GB
Hard Disk: 40 GB
Processor: 1.60 GHz
Host Operating System: Microsoft Windows XP Home Edition with Service Pack 3, Version 2002
Documenting Application: Microsoft Word 2007
Other Hardware Used: USB 2.0 Thumb Drive Kingston 8 GB
Function used to check Integrity: MD5, SHA1


Chain of Custody

Submitting Activity

Evidence Description: Employee has been suspected of accessing images of Meerkats which are strictly forbidden.
Evidence Collected From: Peter Hannay (Name of the Investigation Head)
Evidence Collected By: Amit Sharma (Name of the investigator)
Name of the Case: Assgnmnt2
Email Id of the Investigator: asharma2@our.ecu.edu.au
Location from Image obtained: Edith Cowan University, Blackboard
Accessed Place: ECU, Forensic Lab
Name of the Image: Assignment2.dd
Date Started: 2010-04-20
Name of Person Collecting Report: Peter Hannay and Krishnun
Time: 5:17:24 PM

For Forensics Department Only

Go to Next Page for additional Chain of Custody blanks


Chain of Custody Continued

Finish Date & Time | Document Released By | Document Received By | Purpose for Chain of Custody
2010-04-23, 7:48 PM | Initial: A; Name, Title: Amit Sharma, Mr | Initial: P; Name, Title: Peter Hannay, Mr | To depict all the relevant information related to the forensic investigation.

Final Disposal Action: (none recorded)

Witness of Evidence

The document listed above was/were made by the evidence custodian, in presence, on the date indicated above.

Name, Title | Initial Name as Signature
Vikas Sharma, Mr | I
Srinivas Reddy, Mr | S

I, AMIT SHARMA, hereby declare that the above given information is correct to the best of my knowledge and
belief.

Amit Sharma
10137743


Running Sheet
Log of Events

Sheet Number 1
Date & Day: 20-04-2010, Tuesday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
20-April-10 | 5:17:24 PM | Download Assignment2.dd image file from ECU website i.e. https://software.scss.ecu.edu.au/units/CSG2305/Assignment2/dd/ | To start the investigation and to analyse the given image. | Amit | A
20-April-10 | 5:52:13 PM | Hash function is used on the image i.e. Assignment2.dd. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53 | To maintain the integrity of the image. | Amit | A
20-May-10 | 5:55:20 PM | Create folder named investigation in the caine. | To save the Assignment2.dd file in the folder. | Amit | A
20-May-10 | 5:58:36 PM | Mount the image and copy Assignment2.dd image file to the virtual machine i.e. VMware, Caine: mount /dev/sdc1 Assignment2 | To start mounting and analysing the files from the Assignment2.dd. | Amit | A
20-May-10 | 6:03:07 PM | Again, hash function is used on the copied image in the virtual machine. MD5 - 0c776f7c1ef092cdb9465fde80f4ea86; SHA1 - 4179cb30780358577c367a9e6e46708746ddcc53. Both hash values are the same. Integrity maintained. | To check that the Assignment2.dd is not compromised while copying into the virtual machine. | Amit | A
20-May-10 | 6:05:52 PM | Start Autopsy. | To browse the image in the autopsy. | Amit | A
20-May-10 | 6:06:11 PM | Open new case in the Autopsy named Assgnmnt2. | Giving the name of the case for investigating. | Amit | A
20-May-10 | 6:06:24 PM | Add host in the autopsy named host1. | Name of the computer. | Amit | A
20-May-10 | 6:08:11 PM | Browsed the image Assignment2.dd and added it into the autopsy. | To know the path of the image and link it with autopsy. | Amit | A
20-May-10 | 6:10:34 PM | Rehash the browsed image in the autopsy. Same hash value. Integrity maintained. | To maintain the integrity. | Amit | A
20-May-10 | 6:13:22 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
20-May-10 | 6:19:14 PM | Unmount the images. | To close the autopsy and to maintain the image file in the original state. | |

Sheet Number 2
Date & Day: 22-04-2010, Thursday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
22-April-10 | 9:17:54 AM | Start caine, mount the image again and start autopsy. | To start analysing the image. | Amit | A
22-April-10 | 9:19:24 AM | Choose sorter files by type from the analysis in the autopsy. | To identify the files and images. | Amit | A
22-April-10 | 9:20:12 AM | Open the output directory under autopsy. All the identified files can be viewed under the given path i.e. /var/lib/autopsy/Meerkat_Investigation/host1/output/sorter-vol1/index.html | To check the identified files. | Amit | A
22-April-10 | 9:20:44 AM | Analyse the files by clicking on File Analysis. | It is used to check and recover the deleted files. | Amit | A
22-April-10 | 9:21:14 AM | Search for any file type such as .jpeg, .gif, .bmp, .doc etc. | To check whether any meerkats images are available or not. | Amit | A
22-April-10 | 9:24:33 AM | Typed .gif in the file name search to find any file or document whose extension is .gif. | To find and examine all .gif files and images. | Amit | A
22-April-10 | 9:25:25 AM | One image found named jewel.gif. Used hash function on it. MD5 - bbdc61bcb09b70a92e2421aa3097afa7; SHA1 - f395a98bd52754562f1b513298e3547e6566baed | To maintain the integrity of the found image i.e. jewel.gif. | Amit | A
22-April-10 | 9:28:53 AM | Typed .bmp in the file name search to find any file or document whose extension is .bmp. | To find and examine all .bmp files and images. | Amit | A
22-April-10 | 9:29:17 AM | One image found named Internet_Explorer_Wallpaper.bmp. Used hash function on it. MD5 - 228f497c6e699de6df00387715441a1f; SHA1 - 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | To maintain the integrity of the found image i.e. 15348-CHANGENAME_Internet_Explorer_Wallpaper.bmp. | Amit | A
22-April-10 | 9:30:31 AM | Typed .jpeg in the file name search to find any file or document whose extension is .jpeg. | To find and examine all .jpeg files and images. | Amit | A
22-April-10 | 9:37:44 AM | Image found named 180px-Meerkats_foraging[1].jpg. Used hash function on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image i.e. 180px-Meerkats_foraging[1].jpg. | Amit | A
22-April-10 | 9:42:20 AM | Image found named 180px-Suricata[1].jpg. Used hash function on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image i.e. 180px-Suricata[1].jpg. | Amit | A
22-April-10 | 9:50:59 AM | Image found named GetAttachment[1].jpg. Used hash function on it. MD5 - 1fc5c6d96f9994979498d0adb53de2c5; SHA1 - 88cf4e4005f029adff6f05c8867a142173b10f97 | To maintain the integrity of the found image i.e. GetAttachment[1].jpg. | Amit | A
22-April-10 | 10:02:04 AM | Image found named images[1].jpg. Used hash function on it. MD5 - 3d98cd156195e02c58f4ce238689120b; SHA1 - 76afa691556abed61c25651c896943d2e279a7ab | To maintain the integrity of the found image i.e. image[1].jpg. | Amit | A
22-April-10 | 10:07:41 AM | Image found named 250px Suricata.suricatta.6861[1].jpg. Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 250px Suricata.suricatta.6861[1].jpg. | Amit | A
22-April-10 | 10:09:22 AM | Image found named meerkats53[1].jpg. Hash function used on it. MD5 - 0f1984f5d17741e513b1bd5449fe076c; SHA1 - 1109b6d97e4c340744e7158de34b1f2fc9e65bef | To maintain the integrity of the found image i.e. meerkats53[1].jpg. | Amit | A
22-April-10 | 10:18:24 AM | Image found named 180px-Meerkats_foraging.JPG. Hash function used on it. MD5 - d7276adb4dde8b90d853a7a886f97491; SHA1 - 0ca079eca141053f78652dcfc5fe5802138171d8 | To maintain the integrity of the found image i.e. 180px-Meerkats_foraging.JPG. | Amit | A
22-April-10 | 10:23:11 AM | Image found named 180px-Suricata.jpg. Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 180px-Suricata.jpg. | Amit | A
22-April-10 | 10:26:24 AM | Image found named 250px-Suricata.jpg. Hash function used on it. MD5 - 4535e831ae839dcedfd6360d5dbdf6fd; SHA1 - fa21977697c91c5fdabd9d33934563ed766eede6 | To maintain the integrity of the found image i.e. 250px-Suricata.jpg. | Amit | A
22-April-10 | 10:44:00 AM | Image found named meerkats-6.jpg. Hash function used on it. MD5 - 08caf56c034c44487a60305cd71bdf6b; SHA1 - 849ff18b9a173455e5713bcf1719967592045c11 | To maintain the integrity of the found image i.e. meerkats-6.jpg. | Amit | A
22-April-10 | 10:51:46 AM | Image found named Loopy.jpg. Hash function used on it. MD5 - 7921a439afdf3385bca2bd46fa0dadc9; SHA1 - ac5e6412a42e4a05306c4a247ca6f68a5462642a | To maintain the integrity of the found image i.e. Loopy.jpg. | Amit | A
22-April-10 | 11:01:04 AM | Typed .zip in the file name search to find any file or document whose extension is .zip. | To find and examine all .zip files and images. | Amit | A
22-April-10 | 11:05:20 AM | File found named Data.zip which contains pictures of meerkats. Hash function used on it. MD5 - da68930452efa3758db386ff380f990a; SHA1 - 27a5460741ab235f8d86644ea9914a8d5c7eadb6 | To maintain the integrity of the found image file i.e. Data.zip. | Amit | A
22-April-10 | 11:13:39 AM | Image found named Meerkats 09.jpg. Hash function used on it. MD5 - e9a9fa7a8f32111ec0e5385c47e099a8; SHA1 - 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | To maintain the integrity of the found image file i.e. Meerkats 09.jpg. | Amit | A
22-April-10 | 11:15:51 AM | Image found named Meerkats-8.jpg. Hash function used on it. MD5 - 889cdb2d2e952e7d481321a41222dea6; SHA1 - 2109aba9a0c807af9591d52c9a9e15d64e43828b | To maintain the integrity of the found image file i.e. Meerkats-8.jpg. | Amit | A
22-April-10 | 11:29:14 AM | Image found named meerkats.jpg. Hash function used on it. MD5 - 17510ee5a8df2eb5dc8e3d5141edc34d; SHA1 - 64b318255009d5e964cf0cfb999d1e9dc8514999 | To maintain the integrity of the found image file i.e. meerkats.jpg. | Amit | A
22-April-10 | 11:41:37 AM | Typed .mp4 in the file name search to find any file or document whose extension is .mp4. | To find and examine all .mp4 files and images. | Amit | A
22-April-10 | 11:52:32 AM | Video file found named 60d80dd5032499bd4.mp4. Hash function used on it. MD5 - fdfb448514f5ed679951aee278ddae0d; SHA1 - c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | To maintain the integrity of the found mp4 video file i.e. 60d80dd5032499bd4.mp4. | Amit | A
22-April-10 | 12:17:23 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
22-April-10 | 12:19:08 PM | Unmount the images. | To maintain the image file in the original state. | Amit | A
22-April-10 | 12:20:26 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | |

Sheet Number 3
Date & Day: 25-04-2010, Sunday

Date | Time | Action | Motive behind taking action | Action taken by | Signature
23-April-10 | 9:19:04 PM | Start caine, mount the image. | To start analysing the image. | Amit | A
23-April-10 | 9:20:21 PM | Hash the image again to check the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | Amit | A
23-April-10 | 9:20:57 PM | Start autopsy. | To analyse the image again. | Amit | A
23-April-10 | 9:26:56 PM | Typed .rar in the file name search to find any file or document whose extension is .rar. | To find and examine all .rar files and images. | Amit | A
23-April-10 | 9:27:44 PM | File found named Mystery.rar. Hash function used on it. MD5: 056c1a5d3f9d3b9e26064587000a28ca; SHA1: 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found file i.e. Mystery.rar. | Amit | A
23-April-10 | 9:33:44 PM | Image found named meerkats_1024-8.jpg. Hash function used on it. MD5 - 511d2036c3ad7aa66d82596c30cfa3a7; SHA1 - 11d2036c3ad7aa66d82596c30cfa3a7 | To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg. | Amit | A
23-April-10 | 9:40:44 PM | Image found named meerkats_13sfw.jpg. Hash function used on it. MD5 - d60a937985cc63d2806a99d33ca252c2; SHA1 - 1ce064b8352ee2596000a08085ece08223b6e399 | To maintain the integrity of the found image file i.e. meerkats_13sfw.jpg. | Amit | A
23-April-10 | 9:44:17 PM | Image found named meerkats_1024-8.jpg. Hash function used on it. MD5 - ea2c53f3ddae1e8816d2f1d0b91776ae; SHA1 - 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | To maintain the integrity of the found image file i.e. meerkats_1024-8.jpg. | Amit | A
23-April-10 | 9:47:14 PM | Typed .htm in the file name search to find any file or document whose extension is .htm. | To find and examine all .htm files and images. | Amit | A
23-April-10 | 9:53:06 PM | File found named Dc5.htm. Hash function used on it. MD5 - 7424d54a59969623d2498633ea1c0687; SHA1 - da6fd25750279ec316bf0aa4d1ead3b263e9771c | To maintain the integrity of the found file i.e. Dc5.htm. | Amit | A
23-April-10 | 10:10:24 PM | Typed .exe in the file name search to find any file or document whose extension is .exe. | To find .exe files and images. | Amit | A
23-April-10 | 10:13:51 PM | File found named Bo2k.exe. Hash function used on it. MD5: 36fb2d9fe2d3e1ec1ee63dde02ad1b3f; SHA1: 551dc1b5a9cebc93a88e6806671b328349392f63 | To maintain the integrity of the found executable file i.e. Bo2k.exe. | Amit | A
23-April-10 | 10:15:02 PM | Typed .doc in the file name search to find any file or document whose extension is .doc. | To find and examine all .doc files and images. | Amit | A
23-April-10 | 10:20:47 PM | File found named arrow.doc. Hash function used on it. MD5 - 58def2449ed44b627b527b53ad42cf25; SHA1 - eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | To maintain the integrity of the found document file i.e. arrow.doc. | Amit | A
23-April-10 | 10:27:29 PM | File found named EBook 0Z 02.doc. Hash function used on it. MD5 - 5a4b3c21d3f6eb8d349a87229aae14c2; SHA1 - cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | To maintain the integrity of the found document file i.e. EBook 0Z 02.doc. | Amit | A
23-April-10 | 10:33:19 PM | File found named meerkats in EBook of The Prince.doc. Hash function used on it. MD5 - fa836b1b27514a4805c5e551398b17e4; SHA1 - d1e69f0962044748bc487b1b0ebc5104838512c7 | To maintain the integrity of the found document file i.e. meerkats in EBook of The Prince.doc. | Amit | A
23-April-10 | 10:47:54 PM | Closed autopsy. | To save the image file so it can be opened next time to start analysing the images. | Amit | A
23-April-10 | 10:50:34 PM | Unmount the images. | To maintain the image file in the original state. | Amit | A
23-April-10 | 10:58:04 PM | Rehash the image to maintain the integrity. MD5: 0c776f7c1ef092cdb9465fde80f4ea86; SHA1: 4179cb30780358577c367a9e6e46708746ddcc53 | To compare the hash value with the original image to check the integrity of the image. | |

End of Part 1 (Running Sheet)


Report on Findings

The aim of this part of the report is to explain all the findings from the image Assignment2.dd during
the forensic investigation. The main job is to find the Meerkats images, which are against the law and
which the employee is suspected of accessing.

On 2010-04-22 the Assignment2.dd image file was downloaded from Edith Cowan University to begin
the investigation for Meerkats images. All the investigation was done using VMware Caine, with
Autopsy used as the forensic software.

All evidence images searched and collected from C:/


All findings of .bmp images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Application Data/Microsoft/Internet Explorer/Internet Explorer Wallpaper.bmp | 228f497c6e699de6df00387715441a1f | 717f06bdd84a687a4d015b25da8d1b1cd84d48c4 | 2008-05-01 11:53:49 (WST) | 2008-05-01 11:53:49 (WST) | [image] | Internet Explorer Wallpaper.bmp | A

All findings of .gif images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/WINDOWS/jewel.gif | bbdc61bcb09b70a92e2421aa3097afa7 | f395a98bd52754562f1b513298e3547e6566baed | 2008-04-30 18:52:38 (WST) | 2008-05-01 12:12:36 (WST) | [image] | Jewel.gif | A


All findings of .jpg images under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the Image | Name of the Image | Sign
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/2VUHUZWD/180px-Meerkats_foraging[1].jpg | d7276adb4dde8b90d853a7a886f97491 | 0ca079eca141053f78652dcfc5fe5802138171d8 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | [image] | 180px-Meerkats_foraging[1].jpg | A
C:/WINDOWS/Loopy.jpg | 7921a439afdf3385bca2bd46fa0dadc9 | ac5e6412a42e4a05306c4a247ca6f68a5462642a | 2008-04-30 18:54:06 (WST) | 2008-05-01 12:12:45 (WST) | [image] | Loopy.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/250px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | [image] | 250px-Suricata.jpg | A
C:/RECYCLER/S-1-5-21-1935655697-1500820517-725345543-500/Dc6/180px-Suricata.jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 18:58:52 (WST) | 2008-05-01 12:18:58 (WST) | [image] | 180px-Suricata.jpg | A
C:/WINDOWS/RegisteredPackages/{89820200-ECBD-11cf-8B85-00AA005B4383}/ieex/meerkats-6.jpg | 08caf56c034c44487a60305cd71bdf6b | 849ff18b9a173455e5713bcf1719967592045c11 | 2008-04-30 18:54:32 (WST) | 2008-05-01 12:05:24 (WST) | [image] | meerkats-6.jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/EZ2RGJIN/meerkats53[1].jpg | 0f1984f5d17741e513b1bd5449fe076c | 1109b6d97e4c340744e7158de34b1f2fc9e65bef | 2008-05-01 11:53:43 (WST) | 2008-05-01 11:53:43 (WST) | [image] | meerkats53[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/images[1].jpg | 3d98cd156195e02c58f4ce238689120b | 76afa691556abed61c25651c896943d2e279a7ab | 2008-05-01 11:55:39 (WST) | 2008-05-01 11:55:39 (WST) | [image] | images[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/250px Suricata.suricatta.6861[1].jpg | 4535e831ae839dcedfd6360d5dbdf6fd | fa21977697c91c5fdabd9d33934563ed766eede6 | 2008-04-30 14:25:05 (WST) | 2008-04-30 14:25:05 (WST) | [image] | 250px Suricata.suricatta.6861[1].jpg | A
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/6HWZCZQD/GetAttachment[1].jpg | 2463a4c4668748d3e5176a2da1bb8d87 | fbf5fa1e871b380d21d98c573d42148786af5ba7 | 2008-05-01 11:52:21 (WST) | 2008-05-01 11:52:21 (WST) | [image] | GetAttachment[1].jpg | A


All findings for the .mp4 video file under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the video | Sign
C:/WINDOWS/system32/60d80dd5032499bd4.mp4 | fdfb448514f5ed679951aee278ddae0d | c3e4a17c0d29c8196d0b9c8f0939af6cb32f1217 | 2008-04-30 18:58:32 (WST) | 2008-05-01 12:11:30 (WST) | 60d80dd503249bd4.mp4 | 60d80dd503249bd4.mp4 | A

All findings for the .doc files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the image in the document | Name of the Document | Sign
C:/Documents and Settings/Administrator/My Documents/EBook of the Prince.doc | fa836b1b27514a4805c5e551398b17e4 | d1e69f0962044748bc487b1b0ebc5104838512c7 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | [image] | EBook OZ 02.doc | A
C:/Documents and Settings/Administrator/My Documents/arrow.doc | 58def2449ed44b627b527b53ad42cf25 | eb0fb202c87b2cfb1200d6f66499a09592c1ed1b | 2008-04-30 18:53:56 (WST) | 2008-05-01 12:07:38 (WST) | [image] | Arrow.doc | A
C:/Documents and Settings/Administrator/My Documents/EBook OZ 02.doc | 5a4b3c21d3f6eb8d349a87229aae14c2 | cfd9e0c7d7a6704afad7a842aba4df52b92d05d0 | 2008-04-30 19:03:44 (WST) | 2008-05-01 12:07:38 (WST) | [image] | EBook 0Z 02.doc | A

All findings for the .rar files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the file | Sign
C:/Program Files/uTorrent/Mystery.rar | 056c1a5d3f9d3b9e26064587000a28ca | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | No Image | Mystery.rar | A


All findings for the .zip files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the files | Sign
C:/Program Files/uTorrent/Mystery.rar/meerkats_1024-8.jpg | 511d2036c3ad7aa66d82596c30cfa3a7 | 61fe4c9f5630ab1e5853b74af046363ed1e9d003 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | [image] | meerkats_1024-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_1sfw.jpg | ea2c53f3ddae1e8816d2f1d0b91776ae | 25ef4820224699f6a33e2a38d41ba0fb2a9cf620 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | [image] | meerkats_1sfw.jpg | A
C:/Personal/Data.zip/Meerkats 09.jpg | e9a9fa7a8f32111ec0e5385c47e099a8 | 2cf93dddb97b6cec123c5c5d7be55edb04634cc7 | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | [image] | Meerkats 09.jpg | A
C:/Personal/Data.zip/Meerkats-8.jpg | 889cdb2d2e952e7d481321a41222dea6 | 2109aba9a0c807af9591d52c9a9e15d64e43828b | 2008-04-30 21:01:50 (WST) | 2008-05-01 12:10:36 (WST) | [image] | Meerkats-8.jpg | A
C:/Program Files/uTorrent/Mystery.rar/meerkats_13sfw.jpg | d60a937985cc63d2806a99d33ca252c2 | 1ce064b8352ee2596000a08085ece08223b6e399 | 2008-04-30 20:52:12 (WST) | 2008-05-01 12:18:45 (WST) | [image] | meerkats_13sfw.jpg | A

All findings for the .exe files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the executable file | Sign
C:/Documents and Settings/Administrator/Desktop/to install/Bo2k.exe | 36fb2d9fe2d3e1ec1ee63dde02ad1b3f | 551dc1b5a9cebc93a88e6806671b328349392f63 | 2008-04-30 18:52:54 (WST) | 2008-05-01 12:09:09 (WST) | [image] | Bo2k.exe | A


All findings for the .htm files under C:/

Directory Path | MD5 | SHA1 | Written | Accessed | Output of the file | Name of the .htm file | Sign
C:/RECYCLER/Dc5.htm | 7424d54a59969623d2498633ea1c0687 | da6fd25750279ec316bf0aa4d1ead3b263e9771c | 2008-04-30 18:58:52 (WST) | 2008-04-30 18:58:52 (WST) | No Image Found | Dc5.htm | A

End of Report Findings


Investigation Process

After downloading the image file named Assignment2.dd from the Edith Cowan University website, I
made a copy of the original image into another folder to serve as the forensic copy, so that I could
begin the forensic investigation on that copy without affecting the original image. I used a hash
function on both the original Assignment2.dd image and the copied Assignment2.dd image and
compared their hash values with each other during the investigation, which helped me confirm that
the image had not been compromised and was still the same. As a result, integrity was maintained
throughout the whole forensic investigation process.

Start Date and Time: 22-04-2010, 1:22 AM

Creating Directory:

amit@sciss10oem:~$ sudo s
[password] password for amit:
root@sciss10oem:~# cd Desktop
root@sciss10oem:~/Desktop# mkdir investigation
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation#

Date and Time: 22-04-2010, 1:25 AM

Mount the image in the investigation folder:

root@sciss10oem:~/Desktop# mount /dev/sdc1 investigation/
root@sciss10oem:~/Desktop# cd investigation
root@sciss10oem:~/Desktop/investigation# ls
Assignment2.dd lost+found

Date and Time: 22-04-2010, 1:26 AM

Hashing the image:

root@sciss10oem:~/Desktop$ md5deep b Assignment2.dd
0c776f7c1ef092cdb9465fde80f4ea86 Assignment2.dd
root@sciss10oem:~/Desktop$ sha1deep b Assignment2.dd
4179cb30780358577c367a9e6e46708746ddcc53 Assignment2.dd

Date and Time: 22-04-2010, 1:28 AM

Open Autopsy:

root@sciss10oem:~/Desktop# sudo autopsy

Click on the link to launch autopsy: http://localhost:9999/autopsy

Created a new case named Meerkats_Investigation to start the forensic investigation of the image.

Date and Time: 22-04-2010, 1:40 AM

Creating New Case

Add host named host1

Host1 has been added in the Autopsy, and afterwards the image Assignment2.dd was also added and
its MD5 hash value generated to compare with the MD5 hash value of the original image, in order to
maintain the integrity of the image and confirm that the image was not compromised.
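As an added example (not the report's own code), the following Python script repeats the integrity check that the running sheet performs with md5deep and sha1deep: it hashes an evidence file in chunks, re-verifies the copy against the digests recorded earlier, and groups found files that share an MD5 so that identical content stored under different names (as several of the .jpg entries in the running sheet do) is recognised. The function names and the sample file content are assumptions; the two recorded digests for Assignment2.dd are copied from the running sheet.

```python
import hashlib
import os
import tempfile

# Digests recorded in the running sheet for Assignment2.dd (copied from the report).
RECORDED_MD5 = "0c776f7c1ef092cdb9465fde80f4ea86"
RECORDED_SHA1 = "4179cb30780358577c367a9e6e46708746ddcc53"


def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5_hex, sha1_hex) for a file, read in chunks so that a
    multi-gigabyte disk image never has to fit in memory at once."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_file(path, expected_md5, expected_sha1):
    """Re-hash a file and compare it with the digests recorded on the running
    sheet. Both digests must match; a mismatch in either means the copy is no
    longer byte-identical to what was recorded. Comparison is case-insensitive
    because different tools print hex digests in different cases."""
    md5, sha1 = hash_file(path)
    intact = md5 == expected_md5.lower() and sha1 == expected_sha1.lower()
    return {"md5": md5, "sha1": sha1, "intact": intact}


def running_sheet_entry(name, md5, sha1):
    """Format one hash record the way the running sheet above records it."""
    return "%s: MD5 - %s; SHA1 - %s" % (name, md5, sha1)


def group_duplicates(records):
    """records: iterable of (file_name, md5_hex). Returns {md5: [names]} for
    digests that occur more than once, i.e. the same content stored under
    different names or paths."""
    groups = {}
    for name, md5 in records:
        groups.setdefault(md5.lower(), []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


def demo():
    """Walk through the check on a constructed sample file (not the real
    Assignment2.dd): hash it, verify the copy, then show that a one-byte
    change is detected. Returns (md5, sha1, intact_before, intact_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dd")
        with open(path, "wb") as fh:
            fh.write(b"abc")          # constructed content; a standard test vector
        md5, sha1 = hash_file(path)
        before = verify_file(path, md5, sha1)["intact"]
        with open(path, "ab") as fh:
            fh.write(b"\x00")         # simulate an accidental write to the copy
        after = verify_file(path, md5, sha1)["intact"]
    return md5, sha1, before, after


if __name__ == "__main__":
    print(running_sheet_entry("Assignment2.dd", RECORDED_MD5, RECORDED_SHA1))
    print(demo())
```

Run it against a real copy by calling verify_file("Assignment2.dd", RECORDED_MD5, RECORDED_SHA1) before mounting and again after unmounting, as the running sheet does at the start and end of each session.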

Investigation Findings

A) .GIF: When I searched for .gif files, I found a list of files. After looking into each and every .gif
file, I found the jewel.gif image.

B) .BMP: When I searched for .bmp files, I found a list of files. After analysing each and every .bmp
file, I found the Internet Explorer Wallpaper.bmp image.

C) .MP4: When I searched for .mp4 files, I found a list of files. After looking into each and every .mp4
file, I found the 60d80dd5032499bd4.mp4 video file.

D) .ZIP: When I searched for .zip files, I found a list of files. After analysing each and every .zip
file, I found meerkats_1024-8.jpg, meerkats_1sfw.jpg, Meerkats 09.jpg, Meerkats-8.jpg and
meerkats_13sfw.jpg.

E) .EXE: When I searched for .exe files, I found a list of files. After analysing each and every .exe
file, I found the Bo2k.exe file.

F) .DOC: When I searched for .doc files, I found a list of files. After analysing each and every .doc
file, I found arrow.doc, EBook 0Z 02.doc and EBook of the Prince.doc (EBook OZ 02.doc, EBook OZ
02.doc).

The screenshot above also shows one HTML document, which is about Meerkats. That web page shows
some general information about Meerkats. The HTML document looks like:

G) .RAR: When I searched for .rar files, I found a list of files. After analysing each and every .rar
file, I found the Mystery.rar file.


Conclusion

After investigating the Assignment2.dd image file, we were able to recover 23 images of meerkats, one
video file and several document files, including web pages that mainly discuss meerkats. All this
investigation and evidence clearly proves that the employee offended against the rules and
regulations and took actions against the law, for which he should be penalised.
