
Contents

Introduction of the tools used
  Some features of Autopsy
  Additional features of Autopsy
    Fast
    Cost Effective
Walkthrough of the analysis
  Analysis of the disc image file of Lewis's USB stick
  Deletion of the excel sheets
  Mission statement with a different size value
  Comparing the MD5 hash values of both excel sheets
  Analysing Lewis's laptop disc image file
  Attachment of USB devices
  Finding the DC1.xls file
  Web search history
  Doc files in autopsy.png
  Exporting documents in autopsy
  Hash_Dc1.xls.png
  Data Deletion Software (Anti Tracks)
  HTML_FILE SHOWING ANOTHER METADATA
  Data deletion software 2 (Window Washer)
  HTML file showing another data deletion software
  HTML_FILE _SHOWING_HISTORY_ERASER
  The E-mail addresses
Evaluation
FINDINGS / Evidence
References
Name: Marsad Kibria

Course: APUF1911 Level 1 - BSc Computer Science (Cyber Security)

TP Number: TP058327

Introduction to Forensic Tools and Techniques (Individual Assignment)


Introduction of the tools used

Autopsy is a digital forensics tool and graphical interface to The Sleuth Kit. It is
used by forensic investigators from the police and military, and by corporate
examiners, to find out what happened on a computer. It is an effective tool for
retrieving data, including data that has been erased.

Autopsy scans for keywords and retrieves web artefacts from various browsers,
including Chrome, Firefox and IE. Its ability to produce results in real time and to
display keyword hits as soon as they are found is a useful feature: a hit can be
opened with a quick right click, so it takes little or no time to find out whether
the search terms are present on the file, phone or device being examined.

Some features of Autopsy

• Timeline analysis: advanced graphical interface for displaying events (video
  tutorial included).

• Hash filtering: flagging of known bad files.

• Keyword search: searching an index of keywords to locate data related to
  specific terms.

• Web artifacts: extraction of Firefox, Chrome and IE data, bookmarks and cookies.

• Data carving: recovery of files from unallocated space with PhotoRec.

• Multimedia: extraction of EXIF data from images and viewing of video.

• Indicators of compromise: scanning a computer using STIX.


Additional features of Autopsy

Fast

Autopsy runs its tasks in parallel across several cores and reports results as
soon as they are found. A full scan of a drive can take hours, but keyword hits in
the user's home folder can be found within minutes.

Cost Effective

Autopsy is free of charge. With budgets falling, cost-effective solutions for
digital forensics are crucial. Autopsy provides the same core features as other
digital forensics tools and also includes essential features that some commercial
tools lack, such as web artifact analysis and registry analysis.

Walkthrough of the analysis

Figure 1

Fig.1 - As can be seen in the screenshot above, the MD5, SHA-1 and SHA-256 hash
values of the lewis-laptop.dd evidence file are shown. Because these values match
those provided by the agent handling the evidence files, it is confirmed that the
evidence extracted from the rar archive has not been tampered with or modified.

In this investigation, the two disc image files from Kericu's laptop and hard drive
need to be analysed with the Autopsy toolkit, as they can hold a large volume of
data that is necessary to gather evidence of his corruption.

Analysis of the disc image file of Lewis’s USB stick

Figure 2

Figure 3

Fig.2 & 3 - A new case needs to be opened for the USB stick and the laptop separately.

Figure 4

Fig.4 - Once the disc image file of the flash drive is imported into Autopsy, the
system analyses it and the findings can be viewed in the directory tree on the
left, where the information is categorised and organised for clarity of the
investigation.

Figure 5

Fig.5 - Upon clicking on the disc image file, a large number of deleted files can
be found in the listing pane; they are marked with a red cross ('x').

Deletion of the excel sheets

Among the deleted files, the most suspicious ones are the Kericu Mission
statement and the excel files earningsoriginals and earnings2. The orphan files
might be part of a program that was uninstalled previously and is no longer in
use.

Mission statement with a different size value

There is another document called Kericu Mission statement which is not deleted,
and its file size is bigger than that of the deleted copy (the one marked with the
red cross).

Figure 6

Fig.6 - The files can be further viewed according to the characteristics of their
contents by clicking on File Types and extensions.

Figure 7

Fig.7 - Among the file types, 4 image files are found.

Figure 8

Comparing the MD5 hash values of both excel sheets

As mentioned previously, the two excel files earningsoriginals and earnings2 can
be found among the deleted files together with their MD5 hash information. A
difference between the hashes can indicate that the information has been tampered
with, and they have to be compared with the files on the USB stick.

Figure 9

Figure 10
Figure 11

Figure 12

Fig.12 - As shown above, the two hash values are different. This proves that one
of the files has been modified.

Figure 13

Analysing Lewis’s laptop disc image file


Now the laptop disc image file is opened.

Figure 14
Figure 15

Attachment of USB devices


As seen above, from the menu on the left we can select the item labelled
"USB Device Attached", after which we can see the history of the devices
previously attached to the laptop.

Figure 16

Analysis of the hex view of the file selected in the screenshot above shows that
the device attached to the system was a generic floppy disc drive. This is unusual,
as such drives have largely been phased out since the introduction of CD/DVD and
flash memory drives along with portable external hard drives.

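Autopsy's "USB Device Attached" view is built from the USBSTOR device instance paths that Windows records under the SYSTEM registry hive. The following is an added example, not code from the report or from the Autopsy project, that parses constructed paths of that shape into vendor, product, revision and serial, and notes whether the serial was supplied by the device or generated by Windows (a Windows-generated instance id carries an '&' in its second character). The sample paths, the `parse_usbstor` and `summarise` names, and the `floppy` flag are all assumptions made for this illustration.

```python
import re
from typing import Dict, List, Optional

# Shape of a USBSTOR device instance path as recorded under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
#   <class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
USBSTOR_RE = re.compile(
    r"^(?:USBSTOR\\)?(?P<class>[A-Za-z]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)

# Constructed sample paths; they are not taken from the case image.
SAMPLE_PATHS = [
    r"USBSTOR\Disk&Ven_Generic&Prod_Floppy_Disk&Rev_1.00\7&2a1b3c4d&0&000000",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890AB&0",
    r"not a usbstor key",
]


def parse_usbstor(path: str) -> Optional[Dict[str, object]]:
    """Break one USBSTOR path into its fields, or return None if it does not match."""
    m = USBSTOR_RE.match(path)
    if not m:
        return None
    instance = m.group("instance")
    # The part before the first '&' is the serial number (device-supplied) or the
    # Windows-generated stand-in when the device reported none.
    serial = instance.split("&")[0]
    unique_serial = len(instance) > 1 and instance[1] != "&"
    return {
        "class": m.group("class"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "rev": m.group("rev"),
        "serial": serial,
        "unique_serial": unique_serial,
    }


def summarise(paths: List[str]) -> List[Dict[str, object]]:
    """Parse every path that looks like a USBSTOR entry and flag floppy-type devices,
    which the report singles out as unusual for a modern laptop."""
    out = []
    for p in paths:
        parsed = parse_usbstor(p)
        if parsed:
            text = (str(parsed["product"]) + " " + str(parsed["class"])).lower()
            parsed["floppy"] = "floppy" in text
            out.append(parsed)
    return out


if __name__ == "__main__":
    for entry in summarise(SAMPLE_PATHS):
        print(entry)
```

A device whose serial is not unique cannot be tied to one physical stick by serial alone, so the analyst should note that before claiming a match between the laptop's history and the seized USB device.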
Finding the DC1.xls file

Figure 17

Figure 18
Figure 19

Figure 20

Web search history

Figure 21

In the Web Search view, the search history of the offender can be seen. Most of
the entries relate to wiping digital evidence, with searches such as "free wipe
digital evidence" and "eliminate digital evidence"; this proves that he was
adamant about covering his footprints.

Figure 22

Doc files in autopsy.png

Figure 23

Fig.23 - These are all the document files, including excel, word and power point
files, that were located on the laptop image. This section also includes documents
that were deleted from the PC but not erased from the disk, so retrieval of the
related documents is possible.

Figure 24

Fig.24 - This is a screenshot of the sidebar, which shows the location of the office
documents.

Exporting documents in autopsy

Figure 25

This is a screenshot of the popup box that allows us to export files from the disc
image using Autopsy.

Hash_Dc1.xls.png

Figure 26

Fig.26 - This image shows the hashes of the excel file retrieved from the recycle
bin in the laptop image.

It shows the MD5, SHA1 and SHA256 hashes. There are options to show more hashes
as well.

Data Deletion Software (Anti Tracks)

Figure 27

This image shows an HTML page previewed inside Autopsy. It is the download page
for a piece of software used to erase internet tracks and delete other hidden
information.

HTML_FILE SHOWING ANOTHER METADATA

Figure 28
Data deletion software 2 (Window Washer)

Figure 29

Fig.29 - This screenshot shows the HTML file from the web browser history, from
which we can see that the user has either downloaded or used this software to
delete information that was stored on the computer system.

HTML file showing another data deletion software.

Figure 30
HTML_FILE _SHOWING_HISTORY_ERASER
Internet browser history eraser + Metadata

Figure 31
Figure 32

Figure 33
The E-mail addresses

Fig.33 - The email addresses show a list of entities that Lewis might be in touch
with. The most suspicious one is andy@evidence-eliminator.com. This can be a
potential lead, as Lewis might have hired someone to cover up his tracks.
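The two findings above, the anti-forensic search terms in the browser history and the suspicious e-mail address, are both keyword-style checks that Autopsy's keyword search supports and that an analyst can also script over exported artefacts. The block below is an added example, not code from the report or from Autopsy: it screens constructed browser-history records for the phrases and tool names the report itself mentions, and extracts e-mail addresses from a constructed mailbox fragment, flagging those whose domain matches an indicator term. The record layout, the `HISTORY` and `MAILBOX` samples (the `.example` addresses are placeholders) and the function names are assumptions.

```python
import re
import urllib.parse
from typing import Dict, Iterable, List, Tuple

# Indicator terms taken from the report's findings: search phrases plus the
# names of the track-erasing tools seen in the browser history.
ANTI_FORENSIC_TERMS = (
    "wipe digital evidence",
    "eliminate digital evidence",
    "anti tracks",
    "window washer",
    "history eraser",
    "wipe it",
    "evidence eliminator",
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed browser-history records (url + page title), not the case data.
HISTORY: List[Dict[str, str]] = [
    {"url": "https://www.google.com/search?q=free+wipe+digital+evidence",
     "title": "free wipe digital evidence - Google Search"},
    {"url": "https://www.google.com/search?q=eliminate+digital+evidence",
     "title": "eliminate digital evidence - Google Search"},
    {"url": "http://downloads.example/antitracks/download.html",
     "title": "Anti Tracks - Download"},
    {"url": "http://downloads.example/windowwasher/",
     "title": "Window Washer - erase your tracks"},
    {"url": "https://news.example/", "title": "Daily News"},
]

# Constructed mailbox fragment; only the evidence-eliminator address is from the report.
MAILBOX = """From: andy@evidence-eliminator.com
To: lewis@kericu.example
Cc: accounts@kericu.example, Andy@Evidence-Eliminator.com
Subject: re: your question"""


def normalise(text: str) -> str:
    """Lower-case, decode URL escapes ('+' and '%20' become spaces) and turn
    '-' / '_' into spaces so 'free+wipe' and 'free wipe' compare equal."""
    text = urllib.parse.unquote_plus(text.lower())
    return re.sub(r"[_\-]+", " ", text)


def flag_history(records: Iterable[Dict[str, str]],
                 terms: Iterable[str] = ANTI_FORENSIC_TERMS) -> List[Tuple[str, List[str]]]:
    """Return (url, matched terms) for every record whose url or title hits an indicator."""
    hits = []
    for rec in records:
        haystack = normalise(rec.get("url", "") + " " + rec.get("title", ""))
        matched = [t for t in terms if t in haystack]
        if matched:
            hits.append((rec["url"], matched))
    return hits


def extract_emails(text: str) -> List[str]:
    """Unique e-mail addresses (case-folded) in order of first appearance."""
    seen: List[str] = []
    for addr in EMAIL_RE.findall(text):
        if addr.lower() not in seen:
            seen.append(addr.lower())
    return seen


def suspicious_emails(emails: Iterable[str],
                      terms: Iterable[str] = ANTI_FORENSIC_TERMS) -> List[str]:
    """Addresses whose domain itself contains an indicator term."""
    return [e for e in emails
            if any(t in normalise(e.split("@", 1)[1]) for t in terms)]


if __name__ == "__main__":
    for url, matched in flag_history(HISTORY):
        print(url, "->", matched)
    found = extract_emails(MAILBOX)
    print("emails:", found)
    print("suspicious:", suspicious_emails(found))
```

Matching on decoded, normalised text matters: the search phrase sits in the URL as `free+wipe+digital+evidence`, and a naive substring test on the raw URL would miss it.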

Figure 34
Figure 35
Evaluation

EVIDENCE ANALYSIS

The analysis shows that the DC1.xls file is identical to the earningsoriginals.xls
file, so it can be deduced that the earnings2.xls file is the one that has been
modified.

Figure 36

Fig.36 - earningsoriginals.xls and DC1.xls being identical

Figure 37

Fig.37 - earningsoriginals.xls and earnings2.xls being different, indicating that
earnings2.xls is the altered file
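Both hash checks in this report, verifying the lewis-laptop.dd image against the hashes supplied by the agent (Fig.1) and comparing the MD5 values of the recovered spreadsheets to identify the altered copy (Fig.12, Fig.36 and Fig.37), are instances of the same technique. The block below is an added example, not code from the report or from Autopsy, that carries both out on constructed data: the "agent's" hashes are the published test vectors for the string `abc`, and the three spreadsheets are small constructed byte strings under the report's file names. `hash_file` is included for real images, which must be streamed rather than read into memory; the function names are assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# Digests Autopsy displays for an evidence file. MD5 is collision-prone, so the
# stronger digests are always computed alongside it and all must match.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for the lewis-laptop.dd image contents.
EVIDENCE_IMAGE = b"abc"
# Published test-vector digests of "abc", standing in for the agent's hash sheet.
AGENT_HASHES = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}
# Constructed spreadsheet contents under the report's file names; earnings2
# differs from the other two by one altered figure.
ORIGINAL = b"Quarter,Revenue\nQ1,1000000\nQ2,1050000\n"
SPREADSHEETS = {
    "dc1.xls": ORIGINAL,
    "earningsoriginals.xls": ORIGINAL,
    "earnings2.xls": ORIGINAL.replace(b"1050000", b"1950000"),
}


def compute_hashes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS,
              chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a large file (e.g. a .dd image) through all hash objects at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with the values handed over with the evidence.
    Any False entry means the image cannot be treated as untampered."""
    actual = compute_hashes(data, expected.keys())
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


def group_by_digest(files: Dict[str, bytes], algorithm: str = "md5") -> Dict[str, List[str]]:
    """Group file names by digest: byte-identical files share a bucket."""
    groups: Dict[str, List[str]] = {}
    for name, data in sorted(files.items()):
        digest = compute_hashes(data, (algorithm,))[algorithm]
        groups.setdefault(digest, []).append(name)
    return groups


def find_modified(files: Dict[str, bytes]) -> Optional[str]:
    """Among several copies of one spreadsheet, the single copy whose digest
    disagrees with the rest is the altered one. Returns None when all copies are
    identical or when there is no single odd one out."""
    groups = group_by_digest(files)
    if len(groups) != 2:
        return None
    singles = [names[0] for names in groups.values() if len(names) == 1]
    return singles[0] if len(singles) == 1 else None


if __name__ == "__main__":
    print("image verification:", verify_image(EVIDENCE_IMAGE, AGENT_HASHES))
    print("digest groups:", group_by_digest(SPREADSHEETS))
    print("modified file:", find_modified(SPREADSHEETS))
```

Note that a digest mismatch only shows that two files differ; which one is "original" is established by agreement with a third, independently recovered copy (here DC1.xls), which is exactly the reasoning the evaluation applies.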

Offender Characteristics

Due to the accessibility and availability of the internet, it can be very easy to
tamper with files and generate incorrect data.

Lewis failed to be discreet in his act of corruption, as the analysis indicates
that he was not aware of the small trail of breadcrumbs he left, such as his
search history, which can be traced back to him. It also showed that he might have
hired someone to do the dirty work for him, unaware that much of this could be
used against him in court.

FINDINGS / Evidence

Deletion of the excel sheets


Among the deleted files, the most suspicious ones are the Kericu Mission
statement and the excel files earningsoriginals and earnings2. The orphan files
might be part of a program that was uninstalled previously and is no longer in
use.

Attachment of USB devices

From the menu on the left, we can select the item labelled "USB Device Attached",
after which we can see the history of the devices previously attached to the
laptop.

Mission statement with a different size value

There is another document called Kericu Mission statement which is not deleted,
and its file size is bigger than that of the deleted copy (the one marked with the
red cross).

Comparing the MD5 hash values of both excel sheets

As mentioned previously, the two excel files earningsoriginals and earnings2 can
be found among the deleted files together with their MD5 hash information. A
difference between the hashes can indicate that the information has been tampered
with, and they have to be compared with the files on the USB stick.

Web search history

In the Web Search view, the search history of the offender can be seen. Most of
the entries relate to wiping digital evidence, with searches such as "free wipe
digital evidence" and "eliminate digital evidence"; this proves that he was
adamant about covering his footprints.

The E-mail addresses


The email addresses show a list of entities that Lewis might be in touch with. The
most suspicious one is andy@evidence-eliminator.com. This can be a potential lead,
as Lewis might have hired someone to cover up his tracks.

Generic Floppy disc drive

Analysis of the hex view of the file selected in the screenshot shown earlier
reveals that the device attached to the system was a generic floppy disc drive.
This is unusual, as such drives have largely been phased out since the
introduction of CD/DVD and flash memory drives along with portable external hard
drives.

Data deletion software (Wipe it and Window Washer)

The internet history showed that Lewis either downloaded or used two pieces of
data deletion software in order to cover his tracks.

Data deletion software (Anti Tracks)

The HTML page previewed inside Autopsy is the download page for a piece of
software used to erase internet tracks and delete other hidden information.

RECOMMENDATIONS

The jury should consider Lewis the originator of the crime of altering the
quarterly statements of Kericu Inc., given the large volume of evidence collected
from his laptop and USB disc images. The evidence collected shows that Lewis can
be classified as a composed social engineer who attempts to manipulate others but
has poor technical skills when it comes to evidence elimination.

The evidence demonstrates a few aspects of how he worked: judging from the search
history and the emails, he was very unsure about what to take into account in
order to pull off this alteration of statements. Knowing the whereabouts of, and
more information about, his contact "andy@evidence-eliminator.com" could produce
further leads, but his motives were clear from the findings listed in this report.
Furthermore, the earningsoriginals.xls and earnings2.xls files were different,
which indicates that the latter was the modified version.

References

Sleuthkit.org. 2020. Autopsy. [online] Available at: <https://www.sleuthkit.org/autopsy/> [Accessed 4 September 2020].
