
Running head: KERICU, INC.

Kericu, Inc.

Lorenze Salas

Professor Keith Swanson



Kericu, Inc.

In this Final Project, I downloaded “Lewis-USB.dd” from the CFR225 files on the Canvas website. After downloading the file, I searched for .dd in the web browser. DD (.dd) is a disk image file of a hard disk drive in a Unix and Linux operating system environment. I used AccessData FTK Imager and Autopsy for this case.

I opened AccessData FTK Imager, added the physical drive to my evidence tree, and went to partition 3 until I found “Lewis-USB.dd” in the downloads folder. After I found the .dd file, it showed a FAT16 file system on the USB drive; FAT16 is a file allocation table that has 2 bytes per cluster with a cluster limit between 4087 and 65526 clusters. The root folder has 6 deleted files: 2 documents, 2 Excel spreadsheets, and 2 tmp files. TMP is another file extension that creates an invisible file and is often deleted when the program is closed… created to contain information temporarily while a new file is being generated” ("TMP file extension," n.d.). The files were modified between the 4th and 8th of July 2013 at approximately 12:55 PM.

To get the hash values, I simply right-clicked the 6 deleted files, exported the file hash list, and named the file “LewisUSB”. It shows an Excel spreadsheet that includes the MD5, SHA1, and FileNames of the 6 deleted files.



Lastly, I opened Autopsy, created a case, and added “Lewis-usb.dd” as my data source under Disk Image or VM File. I configured the first 11 ingest modules, clicked Next, and the results were finalized. When the results were finished, I went to the email icon (by the keyword lists and searches), where there were the hash lookup and other modules that had been ingested. After browsing through the hash lookups, they matched the same MD5 hash files that were in the FTK Imager exported hash files.
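
The cross-check described above (a hash list exported from one tool compared with a second tool's MD5 values and with the exported files themselves), as an added example that is not part of the original report. The file names and contents are constructed, and the CSV layout with MD5, SHA1 and FileNames columns is assumed from the column names mentioned earlier.

```python
import csv
import hashlib
import io

# Constructed stand-ins for exported files; names and bytes are not from the case.
EXPORTED = {
    "Earnings.xls": b"constructed spreadsheet bytes",
    "Mission.doc": b"constructed document bytes",
    "~WRL0001.tmp": b"constructed temp bytes",
}

def digests(data):
    """Return (md5, sha1) as lowercase hex for a bytes object."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def build_hash_list(files):
    """Write a CSV with MD5, SHA1, FileNames columns (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["MD5", "SHA1", "FileNames"])
    for name, data in files.items():
        writer.writerow([*digests(data), name])
    return buf.getvalue()

def parse_hash_list(text):
    """Map file name -> (md5, sha1), normalising hex case."""
    reader = csv.DictReader(io.StringIO(text))
    return {r["FileNames"]: (r["MD5"].lower(), r["SHA1"].lower()) for r in reader}

def cross_check(hash_list, second_tool_md5, exported):
    """Per file: compare the list with a second tool's MD5 and with the exported bytes."""
    report = {}
    for name, expected in hash_list.items():
        other, data = second_tool_md5.get(name), exported.get(name)
        if other is None or data is None:
            report[name] = "missing"
        elif other.lower() != expected[0]:
            report[name] = "tool-mismatch"
        elif digests(data) != expected:
            report[name] = "export-altered"
        else:
            report[name] = "match"
    return report

def demo():
    listed = parse_hash_list(build_hash_list(EXPORTED))
    second = {n: md5.upper() for n, (md5, _) in listed.items()}  # second tool prints uppercase hex
    del second["~WRL0001.tmp"]                                   # file absent from the second tool
    altered = {**EXPORTED, "Mission.doc": b"changed after export"}
    return cross_check(listed, second, altered)
```

Calling `demo()` returns one status per file, so a file that is missing from the second tool or whose exported copy no longer hashes to the listed values is reported separately from a clean match.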

In the extracted content, in the metadata section, there are 5 source files that were owned by Aiden Paluchi and Lewis in the Kericu, Inc. organization. In the S column, there are 4 red indicators, meaning that the hash lookup is bad and unallocated. With the mission statement document, the hash lookups are unknown and allocated.



To export the files, I right-clicked the 6 deleted files and exported them to the export file under the LEWISUSB case. Then I opened both earnings Excel spreadsheets, and there was an interesting piece when scanning through.

These two earnings spreadsheets have the same sales expenses, development expenses, HR expenses, legal expenses, IT expenses, security expenses, and consulting income.

The original earnings spreadsheet (on the right) has the following:

- $122,698.93 USD on Document Destruction Expenses
- $24,422,152.26 USD on Products Income
- $1,250,000 USD on Legal Settlements Income

The edited earnings spreadsheet (on the left) has the following:

- $0 USD on Document Destruction Expenses
- $31,422,152.26 USD on Products Income
- $1,500,000 USD on Legal Settlements Income

There is a $7 million USD difference between these two spreadsheets. On Lewis’s USB, Aiden Paluchi tampered with the documentation destruction expenses, product income, and legal settlements income to make them stand out more. Mr. Paluchi can be charged with accounting fraud, in which a “company can falsify its financial statements by overstating its revenue, not recording expenses, and misstating assets and liabilities” (Nickolas, 2021).



References

Fat12, fat16, fat32. File system structure. (n.d.). Find and Restore Lost Files: Undelete deleted files and recover damaged disks. https://www.file-recovery.com/recovery-understanding-file-system-fat.htm

Nickolas, S. (2021, January 7). What is accounting fraud? Investopedia. https://www.investopedia.com/ask/answers/032715/what-accounting-fraud.asp

TMP file extension. (n.d.). FileInfo.com - The File Information Database. https://fileinfo.com/extension/tmp

What Is File Extension. (n.d.). What is DD file extension? Understanding forensic DD image. What Is File Extension™ – An Extensive Database of File Extensions. https://www.whatisfileextension.com/dd/
