
1) Dawn Bellwether.

Process: We use the RegRipper tool. The plugin used is samparse, which parses the Security Account
Manager (SAM) file in Windows. The samparse plugin parses the SAM file for user and group
membership information.

Reasoning: Here we can clearly see that Dawn Bellwether has logged in 16 times.

2) USB Devices are:

Disk&Ven_&Prod_USB_Flash_Memory&Rev_PMAP [Wed Aug 14 12:38:39 2019]

Disk&Ven_Lexar&Prod_JumpDrive&Rev_1100 [Wed Aug 14 13:44:33 2019]

Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20 [Wed Aug 14 13:45:47 2019]

Process: We use the RegRipper plugins usbstor, usbstor2, and usbstor3 to extract the USBSTOR key
information from the ControlSet001 subkey.

Reasoning: We can clearly see the names of the USB devices which were connected to the
system.

Screenshot is below.

3) The files are:
images9.jpg
images5.jpg
images6.jpg
images7.jpg
images8.jpg

Process: Go to the RECYCLER folder and navigate to the folder for the primary user.
We use the cat command to read the INFO2 file.

Reasoning: Here we can see the details of the files which were deleted from the user’s My
Documents directory, as shown below.

4) The names of the files in the recycle bin are:


Dc3.jpg
Dc4.jpg
Dc5.jpg
Dc2.jpg
Dc1.jpg

Process: We have to navigate to the user’s RECYCLER folder. The path is:
/mnt/windows_mount/RECYCLER/S-1-5-21-839522115-1202660629-1343024091-1003

The files in the recycle bin can be seen in the primary computer user’s recycle folder. These are the
files in the recycle bin.
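
As an added illustration for answers 3 and 4 (not part of the original answer), the following Python sketch parses INFO2 rather than reading it with cat, assuming the commonly documented Windows 2000/XP layout (20-byte header, 800-byte records). It shows how each Dc<index> file in RECYCLER maps back to its original path and deletion time; the sample data, paths and function names are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumed Windows 2000/XP INFO2 layout: 20-byte header (record size = u32 at
# offset 12), then 800-byte records laid out as in RECORD_FMT.
HEADER_SIZE = 20
RECORD_FMT = "<260sIIQI520s"  # ANSI path, index, drive no., FILETIME, size, UTF-16 path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record: on-disk name, original path, deletion time."""
    rec_size = struct.unpack_from("<I", data, 12)[0]
    if rec_size != struct.calcsize(RECORD_FMT):
        raise ValueError(f"unsupported record size {rec_size}")
    entries = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        ansi, index, drive, ft, size, uni = struct.unpack_from(RECORD_FMT, data, off)
        # Bytes after the terminating NUL may be leftover memory, so decode leniently.
        path = uni.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        entries.append({
            # The file in RECYCLER is renamed D<drive letter><index><extension>.
            "recycled": f"D{chr(ord('a') + drive)}{index}{PureWindowsPath(path).suffix}",
            "original": path,
            "deleted_utc": filetime_to_utc(ft),
            "size": size,
            # First ANSI byte zeroed: entry was restored or removed from the bin.
            "still_in_bin": ansi[0] != 0,
        })
    return entries

def build_sample():
    """Constructed two-record INFO2 image (not data from the case on this page)."""
    when = datetime(2019, 8, 14, 13, 0, tzinfo=timezone.utc)
    ft = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
    blob = struct.pack("<5I", 5, 0, 0, 800, 0)
    for idx, name in enumerate(["constructed_a.jpg", "constructed_b.txt"], start=1):
        path = "C:\\Documents and Settings\\examiner\\My Documents\\" + name
        ansi = path.encode("ascii") if idx == 1 else b"\x00" + path.encode("ascii")[1:]
        blob += struct.pack(RECORD_FMT, ansi, idx, 2, ft, 4096, path.encode("utf-16-le"))
    return blob

if __name__ == "__main__":
    for e in parse_info2(build_sample()):
        print(e["recycled"], "<-", e["original"], e["deleted_utc"].isoformat(), e["still_in_bin"])
```

On a mounted image, the same function can be given the bytes of the INFO2 file in the user's RECYCLER folder, opened read-only.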

5) The first three websites (not folders) accessed by the primary computer user are:
http://www.google.com.au/url?url=http://theconversation.com/rhinos-should-be-conserved-in-africa-not-moved-to-australia-72551&rct=j&frm=1&q=&esrc=s&sa=U&ved=0ahUKEwjrhb-JwILkAhVDJHIKHY9zA_gQwW4IFjAA&usg=AOvVaw2CNyZCRsyGeHSxSzVmWTob

https://unsplash.com/search/photos/rhino

https://www.amazon.com/s/ref=nb_sb_noss

Process: The Internet Explorer history is stored in the index.dat file in the History folder. We use pasco
to read the contents of this file and redirect the output to a CSV file. The CSV file is shown below.

Reasoning: Although we can see some local folders in the index.dat, these are not websites. The
URLs which start with https are treated as websites.
