
Introduction

The purpose of this task is to analyze the provided image file and extract evidence to support our case.
An evidence report and notes on the forensic analysis of the image file are also required.

Forensic Analysis

First, the hash of the original evidence is calculated before the forensic investigation begins. Because we
are using the Encase tool to find evidence, the hashes are calculated automatically when the image file
“Hunter XP” is loaded into the tool, as shown below.

Hash of the evidence file:

After loading the evidence image file, we recovered the “Recycle Bin” because it contains deleted data.
There are many pictures in JPG format in it. After extraction of the pictures, it seems that someone is secretly
taking pictures of females. I have pasted two images from the Recycle Bin showing that someone is taking
pictures secretly.

User Account:

As shown in the snapshot below, under the “All users” directory, settings for only one user, “Bob Hunter”, are found.

After further analysis of the user “Bob Hunter”, a pics directory is found under “My pictures”. It
contains two subdirectories, “Christina Detsiwt” and “Sabrina and Christina”, and many deleted JPG files.

The Recent folder of “Hunter XP” shows the following items. All of these files will be checked for further
useful information.

• JPG image files
• Txt files such as Banking Information.txt
• Internet files such as Index.html
• Billy (C)
• Removable Disk
• Zip files (Currex and hours11)

The following snapshot shows that the recent activity of Bob Hunter helped us to find the “Banking
Information.txt” file in the documents.

The content of the Banking Information.txt file is shown below.


Email:

Further analysis using Encase found that a Bank Information.dbx file also exists under the Local
Setting directory. The following snapshot shows the Billy.dbx, Bank Information.dbx and hotmail-bank
information.dbx files, which seem important for this case.

We need the DBX converter from SysInfo Tools to see the content of these important files. The content of
Bank Information.dbx is shown below. It contains the bank name, account and routing number.

1.

2.

The following is the content of Billy.dbx, which indicates that Bob Hunter is not alone in this activity.

1.

2.
3.

4.
5.

The email analysis shows that:

• Billy is the partner of Bob Hunter
• Billy shared pics of Christina with Bob Hunter, and
• Planning to send photos to her father for money
• Bank information is also shared for the transfer of money
• Both are using Hotmail and IM such as Yahoo for communication for ransom-type activity

CD Burning folder

The following snapshot shows pictures of “Christina Detsiwt” and “Sabrina Dewercs”. This artifact
indicates that Bob Hunter burned pictures of Christina and Sabrina to a CD/DVD drive for
ransom activity.

Instant Messenger (IM such as AIM, Yahoo)

A subdirectory “bobhunter1191” is found in the “My Documents” directory. It contains receive
and shared directories.

I searched for “bobhunter1191” in the image file and found it in different *.dat and IM (Yahoo and AIM)
files.

Memopad.dat file content

s/name: chaser1191@aol
p/w: bigjake
Billy
I followed Kim and her friend. I think her friends name is Sabrina. We need to decide how to proceed. We need to be
careful. We don't need the police involved
.Hotmail
chaser1191@hotmail.com
p/w: bigjake
-Yahoo information

bob_hunter1191 p/w bigjake


)AIM Information
chaser1191 p/w bigjake
bX Drive
chaser1191@hotmail.com
1191
http://plus.xdrive.com/XDRequestDispatcher?action=OpenLogin
Bill
I am leaving soon so I thought I would jot this note down to send later. I will be flying to LA to confirm the work
address and find and confirm the friends name. I want to be able to send the information to the family soon. I agree
that 500,000 is a good amount to start out with.
I think the daughters safety is worth that don't you?
I can't believe that they did not even know that it was us taking the photos. She even talked to me once.
I will let you know as soon as I learn anything.

The following content shows that bob_hunter1191 and “billyray150” also communicated over messenger about
their activities.

Messenger.billyray150.1023122422036copernic2001basic.exe [Info]
Name=F:\Documents and Settings\Bob Hunter\My Documents\bob_hunter1191\receive\copernic2001basic.exe
Version=MSG1.0
URL=http://172.137.77.10/Messenger.billyray150.1023122422036copernic2001basic.exe?AppID=Messenger&UserID=billyray150&K=lc9lml3rko4b2y5ov5ga7
App=Messenger
User=billyray150
Timestamp=06/03/102 11:40:22.036
W=132100
M=1054
Post=1
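
Added example, not part of the original report: a Python script that parses the transfer record quoted above and cross-checks its two time values against each other. It assumes the Timestamp year is counted from 1900 (so 102 means 2002) and that the 13 digits after the sender name in the URL are Unix epoch milliseconds in UTC; both are interpretations of the record, and the function names are this example's own.

```python
import configparser
import re
from datetime import datetime, timedelta, timezone

# Record as quoted in the report, with the wrapped Name and URL lines rejoined.
RECORD = r"""[Info]
Name=F:\Documents and Settings\Bob Hunter\My Documents\bob_hunter1191\receive\copernic2001basic.exe
Version=MSG1.0
URL=http://172.137.77.10/Messenger.billyray150.1023122422036copernic2001basic.exe?AppID=Messenger&UserID=billyray150&K=lc9lml3rko4b2y5ov5ga7
App=Messenger
User=billyray150
Timestamp=06/03/102 11:40:22.036
W=132100
M=1054
Post=1
"""

def parse_record(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as stored in the record
    cp.read_string(text)
    return dict(cp["Info"])

def decode_timestamp(value):
    """Assumption: MM/DD/YYY with the year counted from 1900, in local time."""
    m = re.fullmatch(r"(\d\d)/(\d\d)/(\d+) (\d\d):(\d\d):(\d\d)\.(\d{3})", value)
    if m is None:
        raise ValueError(f"unexpected timestamp layout: {value!r}")
    mon, day, yr, hh, mi, ss, ms = (int(g) for g in m.groups())
    return datetime(1900 + yr, mon, day, hh, mi, ss, ms * 1000)

def epoch_from_url(url, sender):
    """Assumption: the 13 digits after 'Messenger.<sender>.' are Unix epoch ms (UTC)."""
    m = re.search(r"Messenger\." + re.escape(sender) + r"\.(\d{13})", url)
    if m is None:
        raise ValueError("no 13-digit value after the sender name")
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(m.group(1)))

def correlate(text):
    """Return local time, UTC time and the implied local UTC offset in hours."""
    rec = parse_record(text)
    local = decode_timestamp(rec["Timestamp"])
    utc = epoch_from_url(rec["URL"], rec["User"])
    offset = (local - utc.replace(tzinfo=None)).total_seconds() / 3600
    return {"sender": rec["User"], "local": local, "utc": utc, "utc_offset_hours": offset}

if __name__ == "__main__":
    for key, val in correlate(RECORD).items():
        print(f"{key}: {val}")
```

On this record the two values agree to the millisecond and differ by exactly five hours, which under these assumptions puts the local clock at UTC-5 when the record was written.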

Timeline Based on Evidence

Evidence Name                      Date             Time

Recycle Bin                        05/06/02         01:49:46
Recent Folder Last written         05/06/02         01:24:33
Email (Bank Information.dbx) 1     June 04 2002     01:15:03
Email (Bank Information.dbx) 2     June 04 2002     01:18:33
Email (Billy.dbx) 1                May 22 2002      19:01:21
Email (Billy.dbx) 2                May 23 2002      19:37:22
Email (Billy.dbx) 3                May 23 2002      19:02:43
Email (Billy.dbx) 4                May 31 2002      05:11:11
Email (Billy.dbx) 5                June 03, 2002    20:38:25
IM (Palm)                          May 14, 2002     15:13:29
IM (Yahoo)                         June 03, 2002    20:46:21

Conclusion

After analysis of the evidence file using Encase, we found that the main suspects in the case are Bob and Billy.
We found much evidence related to both suspects by examining the pictures and conversations. Both
Bob and Billy planned to blackmail the father of both victims and get money in return. As per our analysis of
the email, John Detsiwt is the father of the victim.

Appendix A

Attached Encase Generated Report here
