
CASE STUDY

Drug Dealer Case:

Based on the following case study, you need to compile a FULL forensics report that answers
the following questions (please note that you may only use a hex editor program for this
investigation):

1. Who is Joe Jacobs' supplier of marijuana, and what is the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg file, and why is this data crucial?
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire contents
of each file?
6. What program was used to create the Cover Page file? What is your proof? (Proof is the key
to getting this question right, not just making a guess.)

Joe Jacobs, 28, was arrested yesterday on charges of selling illegal drugs to high school
students. A local police officer posing as a high school student was approached by Jacobs in
the parking lot of Smith Hill High School. Jacobs asked the undercover cop if he would like to
buy some marijuana. Before the undercover cop could answer, Jacobs pulled some out of his
pocket and showed it to the officer. Jacobs said to the officer, "Look at this stuff, Colombians
couldn't grow it better! My supplier not only sells it direct to me, he grows it himself."

Jacobs has been seen on numerous occasions hanging out at various local high school parking
lots around 2:30pm, the time school usually ends for the day. School officials from multiple
high schools have called the police regarding Jacobs' presence at their school and noted an
increase in drug use among students since his arrival.

The police need your help. They want to determine whether Joe Jacobs has been selling drugs
to students at other schools besides Smith Hill. The problem is that no students will come
forward and help the police. Based on Joe's comment regarding the Colombians, the police are
interested in finding Joe Jacobs' supplier/producer of marijuana.

Jacobs has denied selling drugs at any other school besides Smith Hill and refuses to provide
the police with the name of his drug supplier/producer. Jacobs also refuses to validate the
statement that he made to the undercover officer right before his arrest. Upon issuing a search
warrant and searching the suspect's house, the police were able to obtain a small amount of
marijuana. The police also seized a single floppy disk, but no computer or other media was
present in the house.

The police have imaged the suspect's floppy disk and have provided you with a copy. They
would like you to examine the floppy disk and provide answers to the following questions. The
police would like you to pay special attention to any information that might prove that Joe
Jacobs was in fact selling drugs at other high schools besides Smith Hill. They would also like
you to try and determine, if possible, who Joe Jacobs' supplier is. Jacobs posted bail, set at
$10,000.00. Afraid he may skip town, the police would like to get him locked up as soon as
possible. To do so, the police have asked that you have the results fully completed and
submitted by MARCH 25, 2020. Please provide the police with a strong case consisting of
your specific findings related to the questions, where the findings are located on the disk,
the processes and techniques used, and any actions that the suspect may have taken to intentionally
delete, hide and/or alter data on the floppy disk.

The following is the search warrant that was issued, at the request of the undercover police
officer, to search Joe's house.

1 Broad Assumption

Since Joe Jacobs denies what he told the undercover officer, we assume that the supplier must
have one or more fields of drugs, and that transportation between them should be fairly easy to
track. After the search of his house under the warrant, the evidence found (the floppy disk)
might contain critical evidence proving that he has been selling drugs to multiple schools, and
also revealing the identity of his supplier.

2 Evidence Identification

Currently, the only evidence recovered from the search of Joe's house is one floppy disk.
That is why the tools that can be used are limited. Some of them are listed below.

• FTK Imager
“FTK Imager is a data preview and imaging tool that lets you quickly assess electronic
evidence to determine if further analysis with AccessData® Forensic Toolkit® (FTK™)
is warranted. FTK Imager can also create perfect copies (forensic images) of computer
data without making changes to the original evidence.” (Access Data, 2012)

• PC Inspector File Recovery
According to the PC Inspector website, this freeware utility can be used to detect and
recover deleted files. It supports file recovery from FAT 12/16/32 and NTFS file
systems and recovers files even when a directory entry is no longer available, which
competing products cannot do. Its "Special Recovery Function" supports the
following file formats: DOC, XLS, EXE, JPG, PDF, RTF, ZIP, and many others.

• Hex editor
By using a hex editor, some evidence was found stored inside the image file recovered
from Joe's floppy disk.

By doing that, a copy of the original floppy disk is kept in a secure place, and the
investigators perform the analysis on the exact copy. We might then recover some
documents and image files from Joe's floppy disk that will help show that he is selling
drugs at multiple schools and may also reveal the contact details of his supplier.

3 Evidence Preservation

After gathering evidence from the floppy disk, the evidence must be kept unchanged. To do that,
the following steps are taken.

All evidence taken from Joe's floppy disk has to be copied, in its entirety, into an exact
copy of the content without altering the original evidence itself. The image file is
then extracted to the investigator's machine, and the investigation is carried out using the
image copy.

The steps taken to preserve the evidence are followed carefully. First, the investigator
configures Joe's floppy disk as a slave device, so that the investigator can run FTK Imager
from the investigator's own equipment to make an exact copy of the slave drive without altering
it or using any operating system on the floppy disk. Once the image file has been created, the
investigator takes both the original and the copy together and stores them in a
special case which protects the evidence from drop damage and from magnetic fields that might
alter the data on the disk. Then the investigator brings the evidence to the
computer forensics lab, which is a certified safe environment for investigation, and the
investigation is started there.

4 Evidence Analysis

The image recovered from the floppy disk contains a document file, which can also be
opened as an .xls file. The message was as below.

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Jimmy:

Dude, your pot must be the best – it made the cover of High Times Magazine! Thanks for
sending me the Cover Page. What do you put in your soil when you plant the marijuana
seeds? At least I know your growing it and not some guy in Columbia.

These kids, they tell me marijuana isn’t addictive, but they don’t stop buying from me. Man,
I’m sure glad you told me about targeting the high school students. You must have some
experience. It’s like a guaranteed paycheck. Their parents give them money for lunch and
they spend it on my stuff. I’m an entrepreneur. Am I only one you sell to? Maybe I can
become distributor of the year!

I emailed you the schedule that I am using. I think it helps me cover myself and not be
predictive. Tell me what you think. To open it, use the same password that you sent me
before with that file. Talk to you later.

Thanks,

Joe

That message includes the critical evidence that can put Joe behind bars. We can show that
Joe has been selling drugs to students from multiple schools, and the message also gives the
name of his supplier, "Jimmy Jungle", and his address. After that, we have other evidence.

pw=goodtimes Scheduled Visits.xls

This is also evidence that Joe tried to remove the evidence and delete the image file in which
he stored data. There is one .xls file, named "Scheduled Visits", that might be recoverable
from the floppy disk, and the password to access the file is "goodtimes". If we can recover
that file and open it with the password, we will have another solid piece of evidence to lock
up both of them.
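As an added example (not code from the report or from the original case materials), the following script builds a constructed 1.44 MB FAT12 floppy image in memory, with one live entry, one deleted entry and a leftover note in the deleted file's cluster, and then does by program what the hex-editor walk-through above does by hand: it lists root-directory entries including the deleted one (first name byte overwritten with 0xE5), checks each file's first cluster for the compound-file signature that .doc/.xls files carry, and carves any "pw=" note from the raw image. The file names, cluster numbers, sizes and note content are constructed sample values, and 8.3 short names are assumed.

```python
import re
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # signature of .doc/.xls compound files
BPB_FMT = "<HBHBHHBH"   # bytes/sector, sectors/cluster, reserved, FATs, root entries, sectors, media, sectors/FAT

def data_offset(img, cluster):
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from(BPB_FMT, img, 11)
    data_start = bps * (reserved + nfats * spf) + root_entries * 32
    return data_start + (cluster - 2) * spc * bps     # data area begins at cluster 2

def dir_entry(name, ext, attr, cluster, size, deleted=False):
    raw = f"{name:<8.8}{ext:<3.3}".encode("ascii")
    if deleted:
        raw = b"\xe5" + raw[1:]      # FAT "deletes" by overwriting the first name byte only
    return raw + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)

def build_sample_image():
    """Constructed 1.44 MB FAT12 image: one live .doc, one deleted .xls, a note in its cluster."""
    img = bytearray(512 * 2880)
    struct.pack_into(BPB_FMT, img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    root = 512 * (1 + 2 * 9)                           # root directory at offset 0x2600
    img[root:root + 64] = (dir_entry("JIMMY", "DOC", 0x20, 2, 20480)
                           + dir_entry("SCHEDU~1", "XLS", 0x20, 33, 16384, deleted=True))
    live, gone = data_offset(img, 2), data_offset(img, 33)
    img[live:live + 8] = OLE2_MAGIC
    img[gone:gone + 8] = OLE2_MAGIC                    # deleted clusters are not wiped
    img[gone + 8:gone + 42] = b"pw=goodtimes Scheduled Visits.xls\x00"
    return bytes(img)

def parse_root_dir(img):
    bps, _, reserved, nfats, root_entries, _, _, spf = struct.unpack_from(BPB_FMT, img, 11)
    root = bps * (reserved + nfats * spf)
    entries = []
    for i in range(root_entries):
        e = img[root + 32 * i:root + 32 * (i + 1)]
        if e[0] == 0x00:
            break                      # no further entries
        deleted = e[0] == 0xE5
        base = (b"?" + e[1:8]) if deleted else e[:8]   # first character is lost on deletion
        name = base.decode("ascii", "replace").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        off = data_offset(img, cluster)
        entries.append({"name": name, "deleted": deleted, "cluster": cluster, "size": size,
                        "ole2": cluster >= 2 and img[off:off + 8] == OLE2_MAGIC})
    return entries

def carve_password_notes(img):
    return [m.group().decode("ascii") for m in re.finditer(rb"pw=[ -~]{1,60}", img)]
```

Because FAT only overwrites the first byte of the name and leaves the clusters alone, the deleted entry still points at intact file content, which is why a deleted spreadsheet can be recovered from a floppy image like this one.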

5 Conclusion

In the end, Joe can no longer deny that he was selling drugs to students from different
schools, and we have also discovered his supplier's name, "Jimmy Jungle", and address, "626
Jungle Ave Apt 2, Jungle, NY 11111". That gives the police hard evidence to lock up Joe; for
Jimmy, the Scheduled Visits.xls file will be required to provide solid evidence.
