In this task, our purpose is to analyze the provided image file and extract evidence to support our case.
We are also required to produce an evidence report and notes on the forensic analysis of the image file.
Forensic Analysis
First, the hash of the original evidence is calculated before the forensic investigation process begins.
Because we are using the EnCase tool to find the evidence, when the image file “Hunter XP” is loaded in
the tool, it automatically calculates the hashes, as shown below.
After loading the evidence image file, we recovered the “Recycle Bin” because it contains deleted data.
It holds many pictures in JPG format. After extraction of the pictures, it seems that someone is secretly
taking pictures of females. I have pasted two images from the Recycle Bin that show someone taking
pictures secretly.
User Account:
As shown in the snapshot below, under the “All users” directory, settings for only one user, “Bob Hunter”, are found.
After further analysis of the user “Bob Hunter”, a pics directory is found under “My pictures”. It
contains two subdirectories, “Christina Detsiwt” and “Sabrina and Christina”, and many deleted JPG files.
The Recent folder of “Hunter XP” shows the following information. All these files will be checked for
further useful information.
Further analysis using EnCase found that a Bank Information.dbx file also exists under the Local
Settings directory. The following snapshot shows the Billy.dbx, Bank Information.dbx and hotmail-bank
information.dbx files, which seem important for this case.
We need the DBX converter from SysInfo Tools to see the content of the important files. The content of
Bank information.dbx is shown below. It contains the bank name, account and routing number.
The following is the content of Billy.dbx, which indicates that Bob Hunter is not alone in this activity.
CD Burning folder
The following snapshot shows pictures of “Christina Detsiwt” and “Sabrina Dewercs”. This artifact
indicates that Bob Hunter burned pictures of Christina and Sabrina to a CD/DVD drive for
ransom activity.
A subdirectory “bobhunter1191” is found in the “My Documents” directory. It further contains receive
and shared directories.
I searched for “bobhunter1191” in the image file and found it in different *.dat and IM (Yahoo and AIM)
files.
s/name: chaser1191@aol
p/w: bigjake
Billy
I followed Kim and her friend. I think her friends name is Sabrina. We need to decide how to proceed. We need to be
careful. We don't need the police involved.
Hotmail
chaser1191@hotmail.com
p/w: bigjake
-Yahoo information
The following content also shows that bob_hunter1191 and “billyray150” communicated over messenger about
their activities.
Messenger.billyray150.1023122422036copernic2001basic.exe [Info]
Name=F:\Documents and Settings\Bob Hunter\My Documents\bob_hunter1191\receive\copernic2001basic.exe
Version=MSG1.0
URL=http://172.137.77.10/Messenger.billyray150.1023122422036copernic2001basic.exe?AppID=Messenger&UserID=billyray150&K=lc9lml3rko4b2y5ov5ga7
App=Messenger
User=billyray150
Timestamp=06/03/102 11:40:22.036
W=132100
M=1054
Post=1
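The transfer record above carries two time values: the 13-digit number in the file name and the Timestamp field. The following Python code is an added example, not part of the original report; it parses the record and cross-checks the two values, assuming the number is Unix epoch milliseconds and the year field counts from 1900. The function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Record as quoted in the report, with its wrapped Name and URL lines rejoined.
RECORD = r"""Messenger.billyray150.1023122422036copernic2001basic.exe [Info]
Name=F:\Documents and Settings\Bob Hunter\My Documents\bob_hunter1191\receive\copernic2001basic.exe
Version=MSG1.0
URL=http://172.137.77.10/Messenger.billyray150.1023122422036copernic2001basic.exe?AppID=Messenger&UserID=billyray150&K=lc9lml3rko4b2y5ov5ga7
App=Messenger
User=billyray150
Timestamp=06/03/102 11:40:22.036
W=132100
M=1054
Post=1
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_record(text):
    """Split the record into its header line and a dict of key=value fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[0], dict(ln.split("=", 1) for ln in lines[1:] if "=" in ln)

def embedded_utc(header, user):
    """Assumption: the 13 digits after the user name are Unix epoch milliseconds."""
    m = re.search(re.escape(user) + r"\.(\d{13})", header)
    if not m:
        raise ValueError("no 13-digit value after the user name in the header")
    return EPOCH + timedelta(milliseconds=int(m.group(1)))

def local_timestamp(value):
    """Assumption: MM/DD/YYY with the year counted from 1900, so 102 means 2002."""
    m = re.fullmatch(r"(\d\d)/(\d\d)/(\d+) (\d\d):(\d\d):(\d\d)\.(\d{3})", value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    mon, day, yr, hh, mi, ss, ms = map(int, m.groups())
    return datetime(1900 + yr, mon, day, hh, mi, ss, ms * 1000)

def correlate(text):
    """Cross-check both time values; equal milliseconds suggest one event."""
    header, fields = parse_record(text)
    utc = embedded_utc(header, fields["User"])
    local = local_timestamp(fields["Timestamp"])
    offset = local - utc.replace(tzinfo=None)
    return {"user": fields["User"], "utc": utc, "local": local,
            "utc_offset_hours": offset.total_seconds() / 3600,
            "subsecond_match": utc.microsecond == local.microsecond}

if __name__ == "__main__":
    print(correlate(RECORD))
```

Under these assumptions both values fall on 3 June 2002 and differ by exactly five hours, which puts the Timestamp field at UTC-5. That offset should be compared with the time-zone setting recovered from the image before the times are used in the report's timeline.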
After analysis of the evidence file using EnCase, we found that the main suspects in the case are Bob and Billy.
We found a lot of evidence related to both suspects by examining the pictures and conversations. Bob
and Billy planned to blackmail the father of both victims and get money in return. As per our analysis of
the email, John Detsiwt is the father of the victim.
Appendix A