
Digital Forensic Lab - Jeet Bangoria Submission Date: 1st Feb 2022

Submitted to: Jayakumar S Reg. No.- 19BCE0874

LAB ASSIGNMENT -1

AIM:

The aim of this experiment is to analyze, identify and prepare a Forensics Report based on the given files of
Mantooth.E01 and Washer.E01

MANTOOTH:

1) What type of file is Mantooth.E01?

 Mantooth.E01 is a compressed disk image created with EnCase software.

Fig 1: Mantooth is an Image file
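As an added illustration (not part of the original report or of EnCase), the following Python parses the 13-byte header that opens every EnCase/EWF segment file. The signature and field layout are those documented by the libewf project; the sample bytes are constructed for the example and are not taken from Mantooth.E01.

```python
import struct

# Layout of the 13-byte header that opens every EWF segment file (.E01, .E02, ...),
# as documented by the libewf project:
#   8 bytes  signature   b"EVF\x09\x0d\x0a\xff\x00"
#   1 byte   fields start, always 0x01
#   2 bytes  segment number, little-endian (1 for .E01, 2 for .E02, ...)
#   2 bytes  fields end, always 0x0000
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
EWF_HEADER_LEN = 13


def parse_ewf_header(data: bytes) -> dict:
    """Return the parsed header of an EWF segment file or raise ValueError."""
    if len(data) < EWF_HEADER_LEN:
        raise ValueError("too short to be an EWF segment file")
    signature, fields_start, segment, fields_end = struct.unpack(
        "<8sBHH", data[:EWF_HEADER_LEN]
    )
    if signature != EWF_SIGNATURE:
        raise ValueError("not an EWF (EnCase) image: signature mismatch")
    if fields_start != 0x01 or fields_end != 0x0000:
        raise ValueError("EWF header field markers are malformed")
    return {"format": "EWF-E01", "segment_number": segment}


def is_ewf_image(data: bytes) -> bool:
    """True if the bytes start with a well-formed EWF header, False otherwise."""
    try:
        parse_ewf_header(data)
        return True
    except ValueError:
        return False


def identify_image_file(path: str) -> dict:
    """Read only the first 13 bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return parse_ewf_header(fh.read(EWF_HEADER_LEN))


# Constructed sample inputs (not bytes from Mantooth.E01): a valid first-segment
# header, and the start of a raw/dd image that carries no container header at all.
SAMPLE_E01_HEADER = EWF_SIGNATURE + b"\x01" + (1).to_bytes(2, "little") + b"\x00\x00"
SAMPLE_RAW_IMAGE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 6  # boot-code-like bytes

if __name__ == "__main__":
    print(parse_ewf_header(SAMPLE_E01_HEADER))
    print(is_ewf_image(SAMPLE_RAW_IMAGE))
```

The check only identifies the container; the partitions and file systems inside it (questions 2 and 3) still need the image to be opened with a tool that understands EWF, such as EnCase, FTK Imager or Autopsy/The Sleuth Kit.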

2) What is the Operating System?

 The operating system installed on the computer was Windows Vista™ Ultimate, with a 32-bit processor.

3) What is the File System?

 The file systems in use were NTFS/exFAT and DOS FAT12 (4 partitions, 2 of them unallocated).

Fig 3: Various File Systems

4) Provide the account name and last login information for each account present in Mantooth

 Several user accounts were present, including the Guest and Administrator accounts of the system, along with
the user accounts Laurent, Dracula and Wes Mantooth.

Fig 4: Username of the account

Fig 5: Last accessed date


5) If there is any evidence of .exe file being deleted, describe the artifact name and
document your findings

 Four .exe entries were found in the Recycle Bin, namely $RTHDU55.exe, $R61QDFF.exe, $ITHDU55.exe and
$I61QDFF.exe.
$RTHDU55.exe and $ITHDU55.exe correspond to the deleted FileZilla_2_2_32_setup.exe,
and
$R61QDFF.exe and $I61QDFF.exe correspond to the deleted CameraShy.exe.

Fig 6: Deleted .exe files in the Recycle Bin
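The $R/$I pairs above are how the Vista-era Recycle Bin stores a deletion: $R<id> holds the file content and $I<id> a small metadata record with the original path, size and deletion time. The Python below, added here as an example and not part of the original report, parses such a $I record and pairs the $I and $R names by their shared identifier. The record it parses is constructed for the example (the path, size and timestamp are invented), not a record recovered from Mantooth.E01.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I<id> record from a Vista/7/8 (version 1) or Windows 10 (version 2) Recycle Bin.

    Layout (all little-endian):
      0x00  8 bytes  format version (1 or 2)
      0x08  8 bytes  original file size in bytes
      0x10  8 bytes  deletion time as FILETIME
      0x18  v1: 520 bytes of UTF-16LE original path, NUL padded (260 characters)
            v2: 4-byte path length in UTF-16 code units, then the path
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version 1 $I record")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version 2 $I record")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def pair_recycle_bin_entries(names):
    """Group $I and $R files by the identifier that follows the two-character prefix."""
    groups = {}
    for name in names:
        if name[:2] in ("$I", "$R"):
            groups.setdefault(name[2:], {})[name[1]] = name
    return groups


def build_dollar_i_v1(original_path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a version 1 $I record for testing (not a record from the evidence image)."""
    raw_path = original_path.encode("utf-16-le")
    if len(raw_path) > 518:
        raise ValueError("path too long for a version 1 record")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + raw_path.ljust(520, b"\x00")


# Constructed sample: the path, size and deletion time are invented for the example.
SAMPLE_DELETED_AT = datetime(2007, 7, 20, 10, 15, 30, tzinfo=timezone.utc)
SAMPLE_I_RECORD = build_dollar_i_v1(
    r"C:\Users\Wes Mantooth\Downloads\FileZilla_2_2_32_setup.exe", 3_145_728, SAMPLE_DELETED_AT
)
SAMPLE_BIN_LISTING = ["$RTHDU55.exe", "$R61QDFF.exe", "$ITHDU55.exe", "$I61QDFF.exe"]

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I_RECORD))
    print(pair_recycle_bin_entries(SAMPLE_BIN_LISTING))
```

The deletion time in a $I record is stored in UTC; the IST values in this report are what the analysis tool displays after converting to the examiner's time zone, so the offset should be recorded alongside any timestamp cited as evidence.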

6) Find proof of communication with Gladiator

 A message exchanged with Gladiator was found among the past messages; in addition, a terms and agreement
document that links to Gladiator was found.

Fig 7: Message with Gladiator


Fig 8: Terms and Condition agreement with Gladiator

7) What is a "Pranic Vampire"? In which document is it mentioned? When was the document created?

“Pranic Vampire” is a term used for a psychic vampire and means “life energy” in Sanskrit. It is mentioned in 3
documents:

Fig 9: Documents mentioning Pranic Vampire

Astral.doc was created at 2008-02-13 06:23:11 IST.

Fig 10:Created time,accessed time and Modified Time


8) What is present in happy.mpeg?

 It is a security-camera video showing a frustrated person working at a computer who suddenly starts
smashing the monitor and the keyboard, which is witnessed by his colleague as well.

Fig 11:Happy.mpeg

9) Check if picture of any drugs are present? If so name the drugs.

 There were pictures that showed the presence of drugs.

Some of their names were:

- Seconal
- Nembutal
- Tuinal
- Diazepam
- Valium
- Xanax
- Amphetamine

Fig 12.1: Drugs found


Fig 12.2:Drugs found

10) Find the list of criminal activities Mantooth was involved in and the associated artifacts.

 The criminal activities Mantooth was involved in are listed below:

- Drug trafficking
- ATM card and car stealing
- Child exploitation

Fig 13.1: Drug Trafficking evidence 1


Fig 13.1.1: Preparation of Drugs

Fig 13.2: Car Stealing evidence

Fig 13.2.1: ATM Card stealing evidence


Fig 13.3: Child Exploitation planning

11) Summarize the finding against Mantooth

 Downloaded HTML files containing drug images, some with content on how to make certain drugs, indicate that
he wanted to make drugs.
He tried to steal people's ATM IDs, which was found in some files he had searched for; in addition to that, he
also tried to steal a car.
He also has documents on how to get away with stealing a car, along with the US rules and regulations for such
an offence.
His browser history on the preparation of drugs indicates he was indeed preparing them.
The fact that he has child exploitation material of various severities somewhat indicates he was planning to start a
trafficking racket, which cannot be deduced without proper proof.

12) Mantooth received one Text Internet Email that had no subject about a stolen ATM. Who sent it to him
(name and email) and when was it sent?

 E-Mail From: skimmerman27@hotmail.com
E-Mail To: dollarhyde86@comcast.net
Date Received: 2007-07-24 04:29:26 IST
Date Sent: 2007-07-24 04:29:26 IST

Fig 14: Unknown Mail


13) Find when and by whom the file ValidCreditCard.jar was deleted

 Deleted by: Wes Mantooth
Time deleted: 2007-07-14 23:27:06

Fig 15: Deleted file in user directory


WASHER:

1) What is the starting sector of Partition 2 and what is the size of it?

 The starting sector of partition 2 is 63 and the size of the partition is 120,456 KB.

Fig 16: Vol2 size and details
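The starting sector and size come from the partition table in sector 0 of the image (the MBR). The Python below, added here as an example rather than output from the tool used in the report, parses that table directly. The sector it parses is constructed for the example: a single NTFS entry starting at LBA 63 with 240,912 sectors, which is 120,456 KB at 512 bytes per sector; it is not the byte-for-byte table from Washer.E01.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code precede the four 16-byte entries
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"    # stored at offset 510
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

# A few well-known MBR partition type IDs, enough to label the sample.
PARTITION_TYPES = {
    0x01: "FAT12", 0x06: "FAT16", 0x07: "NTFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux",
}


def is_mbr(sector0: bytes) -> bool:
    """True if the sector is 512 bytes and ends with the 0x55AA boot signature."""
    return len(sector0) >= SECTOR_SIZE and sector0[510:512] == MBR_SIGNATURE


def parse_mbr(sector0: bytes) -> list:
    """Parse the four primary partition entries of an MBR, skipping empty slots."""
    if not is_mbr(sector0):
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, off
        )
        if ptype == 0 or count == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_sector": lba_start,
            "end_sector": lba_start + count - 1,
            "sector_count": count,
            "size_kb": count * SECTOR_SIZE // 1024,
        })
    return partitions


def build_sample_mbr(entries) -> bytes:
    """Construct a sector 0 from (type_id, start_lba, sector_count, bootable) tuples."""
    buf = bytearray(SECTOR_SIZE)
    for slot, (ptype, start, count, bootable) in enumerate(entries):
        struct.pack_into(
            ENTRY_FORMAT, buf, PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE,
            0x80 if bootable else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, start, count,
        )
    buf[510:512] = MBR_SIGNATURE
    return bytes(buf)


# Constructed sample (not the real table from Washer.E01): one NTFS partition at
# LBA 63 with 240,912 sectors, i.e. 240,912 * 512 / 1024 = 120,456 KB.
SAMPLE_MBR = build_sample_mbr([(0x07, 63, 240_912, True)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
```

Note that Autopsy and The Sleuth Kit list unallocated gaps (such as sectors 0 to 62 before the first partition) as volumes too, so a partition that occupies the first table slot can be reported as "Vol2".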


2) What is the file system of the disk image?

 The file system used is NTFS/exFAT.

Fig 17: File System used for Washers

3) List the user names?


 The user names are :

a. The Wolf
b. Mr Smee
c. Guest
d. Captain Hook
e. Billy Bob Burbeck
f. Artimus
g. Administrator
Fig 18: Names of the users

4) Does Washer know Mantooth?

 Yes, Washer and Mantooth knew each other; this is clear from analysing their email conversation.

Fig 19: Conversation between Mantooth and Washer

5) How many .doc files are there? Extract all, document what is their content and their md5 values

 There are 15 .doc files present, listed below:

Fig 20.1: .doc files


Fig 20.2: Metadata and MD5 example
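Producing the MD5 values for the extracted documents is normally scripted so that every file is hashed the same way and the result can be re-verified later. The Python below is an added example (not the report's own procedure) that builds such a manifest: it hashes each .doc file in chunks, records its size, and also checks that the file really starts with the OLE2 compound-document signature that legacy Word .doc files carry, so a file that only has a .doc extension stands out. The files it hashes are constructed in a temporary directory for the example; they are not the documents extracted from Washer.E01.

```python
import hashlib
import tempfile
from pathlib import Path

# Legacy Word .doc files are OLE2 compound documents; this is their 8-byte signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20) -> dict:
    """Hash a file in chunks so large exports do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def header_matches_doc(path) -> bool:
    """True if the file begins with the OLE2 signature expected of a real .doc file."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC


def doc_manifest(root, suffix=".doc") -> list:
    """One row per *.doc file under root: relative path, size, hashes and header check."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() == suffix:
            rows.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "header_is_ole2": header_matches_doc(p),
                **hash_file(p),
            })
    return rows


def build_sample_export(root) -> Path:
    """Constructed sample export (not files from Washer.E01)."""
    root = Path(root)
    (root / "letters").mkdir(exist_ok=True)
    # A minimal OLE2-looking file: correct signature followed by zero padding.
    (root / "letters" / "memo.doc").write_bytes(OLE2_MAGIC + b"\x00" * 504)
    # A .doc extension on plain text: the manifest should flag the header mismatch.
    (root / "notes.doc").write_bytes(b"abc")
    (root / "readme.txt").write_bytes(b"not a doc")
    return root


def run_sample() -> list:
    """Build the sample in a temporary directory and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        return doc_manifest(build_sample_export(tmp))


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Recording a second, stronger digest (SHA-256) next to the MD5 costs nothing extra since both are computed in one pass, and it keeps the manifest useful if MD5 alone is later questioned.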

6) Who are all involved in the discussion about "Special K"

 John Washer, Mantooth and Rasco Badguy were involved in the discussion about “Special K”

Fig 21: Special K discussion


7) Find the URL that is given for making drugs quickly
 http://www.totse.com/en/drugs/speedy_drugs/howtomanufactu172921.html

Fig 21: URL for Making Drugs

8) What is the AOL IM name of Washer?

 The AOL IM name of Washer is washergonebad

Fig 22: AOL IM name of Washer

CONCLUSION

Hence, from this experiment we were able to analyze, identify and prepare a forensics report based
on the given files Mantooth.E01 and Washer.E01.
