Tp Number- TP058327
Autopsy is a digital forensics tool and graphical interface to The Sleuth Kit. It is
used by forensic investigators from the police and military, and by corporate
examiners, to investigate what happened on a computer. It is an effective tool for
the retrieval of data, including data that has been erased.
Autopsy scans for keywords and retrieves web artifacts from various browsers,
including Chrome, Firefox and IE. Its ability to produce results in real time and to
display keyword hits as soon as the data is searched is a useful feature. A file can
be opened with a quick right click, so little or no time is needed to find out whether
the search terms are present on the file, phone or device being examined.
Fast
Autopsy runs tasks concurrently on several cores and reports results as soon as
they are found. Scanning a full drive can take hours, but the key artifacts in the
user's home folder can be found within minutes.
Cost Effective
Autopsy is free of charge. With budgets falling, cost-effective solutions for
digital forensics are crucial. Autopsy provides the same core features as other
digital forensics tools, together with essential features that are otherwise found
only in commercial tools, such as web artifact analysis and registry analysis.
Walkthrough of the analysis
Figure 1
Fig.1- Firstly, as can be seen in the screenshot above, the MD5, SHA-1 and
SHA-256 hash values of the lewis-laptop.dd evidence file are shown. These values
match the ones provided by the agent handling the evidence files, which confirms
that the evidence extracted from the rar file has not been tampered with or
modified.
In this investigation, the two disc image files from Kericu's laptop and hard drive
need to be analyzed with the Autopsy toolkit, as they can hold a large volume of
data that is necessary to gather evidence of his corruption.
Analysis of the disc image file of Lewis’s USB stick
Figure 2
Figure 3
Fig.2 & 3- A new case needs to be opened for the USB and the laptop separately.
Figure 4
Fig.4- Once the disc image file of the flash drive is imported into Autopsy, the
system analyzes it and the findings can be viewed in the directory tree on the left,
where the information is categorized and organized for clarity of the investigation.
Figure 5
Fig.5- Upon clicking on the disc image file, many deleted files can be found in the
listing pane; they are marked with a red cross ('x').
Fig.6- The files can be further viewed according to the characteristics of their
contents by clicking on File Types and extensions.
Figure 7
Fig.7- Under the file types, four image files are found.
Figure 8
Figure 10
Figure 11
Figure 12
Fig.12- As shown above, the two hash values are different, which proves that one of
the files has been modified.
Figure 13
Figure 14
Figure 15
Analysis of the hex content of the file selected in the screenshot above shows that
the device attached to the system was a generic floppy disc drive. This is unusual,
as such drives have largely been phased out since the introduction of CD/DVD and
flash memory drives, along with portable external hard drives.
Finding the DC1.xls file
Figure 17
Figure 18
Figure 19
Figure 20
Web search history
Figure 21
In the Web Search view, the offender's search history can be seen; most entries
relate to wiping digital evidence, with searches such as "free wipe digital
evidence" and "eliminate digital evidence", which proves that he was adamant
about covering his footprints.
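The triage described above can be scripted: Autopsy's Web Search view extracts the typed terms from search-engine URLs in the browser history, and an examiner then looks for anti-forensic phrases. The following is an added example (not part of this report and not Autopsy's own code) that does the same over a list of (timestamp, URL) rows. The history rows and timestamps are constructed for the demo; the term list is drawn from the search phrases and tool names this report mentions, and the search-engine hosts and their query parameters are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# query-string parameter that carries the typed search terms, per search-engine host
# (assumed mapping; extend it for the engines present in a real history)
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# terms taken from the search-history entries and tool names discussed in the report
ANTI_FORENSIC_TERMS = (
    "wipe", "eliminate", "eraser", "evidence eliminator",
    "window washer", "anti tracks", "delete history",
)


def extract_query(url):
    """Return the search terms embedded in a search-engine URL, or None for any other URL."""
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)   # parse_qs turns '+' back into spaces
    return values[0].strip() if values else None


def flag_history(rows):
    """Walk (timestamp, url) rows and return (timestamp, query, matched_terms) for each hit."""
    hits = []
    for timestamp, url in rows:
        query = extract_query(url)
        if query is None:
            continue
        matched = [term for term in ANTI_FORENSIC_TERMS if term in query.lower()]
        if matched:
            hits.append((timestamp, query, matched))
    return hits


# constructed history rows; the timestamps are invented and only the first two
# queries are phrases the report actually cites
SAMPLE_HISTORY = [
    ("2009-01-05 10:02", "http://www.google.com/search?q=free+wipe+digital+evidence"),
    ("2009-01-05 10:07", "http://www.google.com/search?q=eliminate+digital+evidence&hl=en"),
    ("2009-01-05 10:15", "http://www.bing.com/search?q=quarterly+earnings+template"),
    ("2009-01-05 10:20", "http://www.example.com/downloads/cleaner.html"),  # plain page visit
    ("2009-01-06 09:30", "http://search.yahoo.com/search?p=window+washer+download"),
    ("2009-01-06 09:31", "http://www.google.com/search?hl=en"),  # search URL with no terms
]

if __name__ == "__main__":
    for timestamp, query, matched in flag_history(SAMPLE_HISTORY):
        print(timestamp, repr(query), "->", ", ".join(matched))
```

Only rows whose host is a known search engine and whose URL actually carries a query parameter are considered, so plain page visits and empty search pages are skipped rather than producing false hits.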
Figure 22
Figure 23
Fig.23- These are all the document files, including Excel, Word and PowerPoint
files, that were located on the laptop image. This section also includes documents
that were deleted from the PC but were not erased from the disk, so retrieval of the
related documents is possible.
Figure 24
Fig.24- This is a screenshot of the sidebar, which shows the location of the office
documents.
Exporting documents in autopsy
Figure 25
This is a screenshot of the popup box that allows us to export files from the
disc image using Autopsy.
Figure 26
Fig.26- This image shows the hash values of the Excel file retrieved from the
recycle bin of the laptop image. It shows the MD5, SHA-1 and SHA-256 hashes;
there are options to show more hashes as well.
Data Deletion Software (Anti Tracks)
Figure 27
This image shows the HTML page previewed inside Autopsy. The page is a
download page for software used to erase internet tracks and delete other hidden
information.
Figure 28
Data deletion software 2 (Window Washer)
Figure 29
Fig.29- This screenshot shows the HTML file from the web browser history, from
which we can see that the user either downloaded or used this software to delete
information that was stored on the computer system.
HTML file showing another data deletion software.
Figure 30
Internet browser history eraser + Metadata
Figure 31
Figure 32
Figure 33
The E-mail addresses
Fig.33- The email addresses show a list of entities that Lewis might have been in
touch with. The most suspicious one is andy@evidence-eliminator.com. This is a
potential lead: Lewis might have hired someone to cover up his tracks.
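The email-address list in Fig.33 comes from Autopsy's keyword search, which runs an e-mail regular expression over the extracted text of every file. As an added example (not part of this report and not Autopsy's code), the block below carves addresses out of raw bytes, keeps the offset and surrounding text for each hit so the examiner can see the context, and summarizes them per domain. The mailbox fragment and every address other than andy@evidence-eliminator.com are constructed for the demo (the `kericu.example` domain is an invented, reserved-TLD name).

```python
import re
from collections import Counter

# permissive address pattern, applied to bytes so it also works on unallocated space
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def carve_emails(data, context=20):
    """Find e-mail addresses in raw bytes (file content, slack or a mailbox fragment).

    Returns {address: [(offset, surrounding_text), ...]}; addresses are lowercased so
    the same mailbox written in different cases is counted once.
    """
    found = {}
    for match in EMAIL_RE.finditer(data):
        address = match.group().decode("ascii", "replace").lower()
        start = max(0, match.start() - context)
        end = min(len(data), match.end() + context)
        # latin-1 decodes every byte value, so binary padding cannot raise
        snippet = data[start:end].decode("latin-1").replace("\r", " ").replace("\n", " ")
        found.setdefault(address, []).append((match.start(), snippet))
    return found


def domain_summary(found):
    """Count distinct carved addresses per domain; a lone unusual domain stands out."""
    return Counter(address.rsplit("@", 1)[1] for address in found)


# constructed mailbox fragment with NUL padding between messages; the content is
# invented and only the evidence-eliminator.com address appears in the report
SAMPLE_FRAGMENT = (
    b"From: lewis@kericu.example\r\nTo: cfo@kericu.example\r\n"
    b"Subject: Q1 numbers\r\n\r\nRevised sheet attached.\r\n"
    b"\x00\x00From: Andy <andy@evidence-eliminator.com>\r\nTo: lewis@kericu.example\r\n"
    b"Subject: Re: your question\r\n\r\nSee the attached instructions.\r\n"
)

if __name__ == "__main__":
    hits = carve_emails(SAMPLE_FRAGMENT)
    for address, places in sorted(hits.items()):
        print(address, [offset for offset, _ in places])
    print(domain_summary(hits))
```

The per-domain count is the quick way to spot the outlier the report points at: the company domain appears many times, while a single address at an unrelated domain is the one worth following up.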
Figure 34
Figure 35
Evaluation
EVIDENCE ANALYSIS
The analysis shows that the Dc1.xls file is identical to the Earningsoriginals.xls
file, so it can be deduced that Earnings2.xls is the file that has been modified.
Figure 36
Fig.36- Earningsoriginals.xls and Dc1.xls are identical.
Figure 37
Fig.37- Earningsoriginals.xls and earnings2.xls differ, indicating that
earnings2.xls is the altered file.
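Both hash uses in this report rest on the same routine: Fig.1 compares the digests of lewis-laptop.dd with the values supplied by the agent to confirm the image was not altered in transit, and Fig.36 and Fig.37 compare digests of two spreadsheets to decide whether they are the same file. The block below is an added example (not part of this report and not Autopsy's code) that computes MD5, SHA-1 and SHA-256 in one pass over a file and implements both checks. The spreadsheet contents, file names and the "form" digest it verifies against are all constructed for the demo; in a real case the expected digests come from the chain-of-custody paperwork.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces so a multi-GB .dd image fits in memory
ALGORITHMS = ("md5", "sha1", "sha256")


def _digest_chunks(chunks):
    """Feed an iterable of byte chunks to all three digests at once."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for digest in digests.values():
            digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string (handy for carved fragments)."""
    return _digest_chunks([data])


def hash_file(path):
    """Digests of a file on disk, computed in a single pass over its bytes."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def verify_image(path, expected):
    """Check an evidence image against the digests supplied with it.

    expected maps algorithm name -> hex digest as written on the custody form
    (any case, surrounding whitespace tolerated). Returns (ok, mismatches) where
    mismatches maps algorithm -> (expected, actual) for every value that differs.
    """
    actual = hash_file(path)
    mismatches = {}
    for alg, exp in expected.items():
        if actual[alg] != exp.strip().lower():
            mismatches[alg] = (exp, actual[alg])
    return (not mismatches, mismatches)


def same_content(path_a, path_b):
    """True when both files produce the same SHA-256, i.e. their contents are identical."""
    return hash_file(path_a)["sha256"] == hash_file(path_b)["sha256"]


def demo():
    """Build three constructed files mirroring the report's scenario and run both checks."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "earningsoriginals.xls")
        recovered = os.path.join(workdir, "dc1.xls")
        altered = os.path.join(workdir, "earnings2.xls")
        # constructed sample content, not the real spreadsheets from the case
        for path, body in (
            (original, b"Q1 revenue,1000000\nQ1 expenses,800000\n"),
            (recovered, b"Q1 revenue,1000000\nQ1 expenses,800000\n"),
            (altered, b"Q1 revenue,1500000\nQ1 expenses,800000\n"),
        ):
            with open(path, "wb") as fh:
                fh.write(body)

        # stand-in for the custody-form value; upper case shows the comparison normalizes it
        form_values = {"md5": hash_file(original)["md5"].upper()}
        integrity_ok, _ = verify_image(original, form_values)
        tampered_ok, _ = verify_image(altered, form_values)
        return {
            "integrity_ok": integrity_ok,
            "tampered_detected": not tampered_ok,
            "dc1_matches_original": same_content(recovered, original),
            "earnings2_matches_original": same_content(altered, original),
        }


if __name__ == "__main__":
    print(demo())
```

Computing all three digests in one pass matters for large images: the drive is read once instead of three times, and the MD5, SHA-1 and SHA-256 values reported together match what Autopsy shows in Fig.1 and Fig.26.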
Offender Characteristics
Because of the accessibility and availability of the internet, it can be very easy to
tamper with files and generate incorrect data.
Lewis failed to be discreet in his act of corruption: the analysis indicates that he
was not aware of the small trails of breadcrumbs he left behind, such as his search
history, which can be traced back to him. It also showed that he might have hired
someone to do the dirty work for him, without realizing that much of this can be
used against him in court.
FINDINGS / Evidence
As seen above, from the menu on the left we can select the item labelled
"USB Device Attached", after which we can see the history of the devices
previously attached to the laptop.
There is another document, called Kericu Mission statement, which is not deleted
(marked with a red cross), and its file size is bigger than that of the one that was
deleted.
The Web Search view shows that most of the offender's search history relates to
wiping digital evidence ("free wipe digital evidence", "eliminate digital
evidence"), which proves that he was adamant about covering his footprints.
The hex content of the selected file shows that the device attached to the system
was a generic floppy disc drive, which is unusual since such drives have largely
been phased out since the introduction of CD/DVD and flash memory drives, along
with portable external hard drives.
The internet history showed that Lewis either downloaded or used two data
deletion programs in order to cover his tracks.
The HTML page previewed inside Autopsy leads to a download page for software
used to erase internet tracks and delete other hidden information.
RECOMMENDATIONS
The jury should consider Lewis the originator of the crime of altering the
quarterly statements of Kericu.inc, given the high volume of evidence collected
from his laptop and USB disc images. The evidence collected shows that Lewis can
be classified as a composed social engineer who attempts to manipulate but has
poor technical skills when it comes to evidence elimination.
The evidence demonstrates a few elements of how he worked: judging from the
search history and the emails, he was very unsure about what to take into account in
order to pull off this alteration of the statements. Further information on the
whereabouts of his contact "andy@evidence-eliminator.com" could provide more
leads, but his motives are clear from the findings listed in this report.
Furthermore, the Earningsoriginals.xls and earnings2.xls files were different,
which indicates that the latter is the modified version.