
Computer Hacking Forensic Investigator Exam 312-49

Case Studies

CHFIv8 Case Studies

Case Study 1: Child Pornography


GlobalDVD is a multinational company headquartered in San Antonio, Texas, with branch offices in Atlanta, Los Angeles, New York and Chicago. GlobalDVD manufactures DVD covers and produces DVD discs for big movie companies such as Warner Brothers, Paramount Pictures and Universal Studios. The company’s annual turnover exceeds USD 8 billion.

The Atlanta operations are headed by Robert Stevens. The CEO of GlobalDVD, Mathew Jacobson, suspected that Robert had been using the company’s disc duplicating machine for illegal purposes. The disc duplicating machine consists of a rack of Dell servers with 10 DVD writers installed; it is meant to produce multiple DVDs from a single ISO image.

Mathew had heard rumors of illegal activity at the Atlanta manufacturing plant and confronted Robert about it. Robert denied the accusations.

Two weeks later, Robert sent an email to Mathew saying that the disc duplicating machine had been stolen. The insurance company was involved in the investigation.

Later, one of the office employees reported that the disc duplicating machine was on sale on eBay for USD 5000. The picture of the machine posted on eBay confirmed that it was GlobalDVD’s disc duplicating machine. The seller was from Pakistan. Mathew bought the machine using his credit card.

Mathew hired a forensic investigator, Samuel Peterson, to help him build a case against Robert.
Forensic Methodology Used
1. Samuel visited Mathew’s office and packed the disc duplicating machine.
2. He carefully transported the machine to the forensics laboratory.
3. He carefully opened the disc duplicating machine and removed the hard disk, which had a capacity of 1.5 TB (1500 GB).
4. Samuel created a bit-stream image of the large hard disk using the dd command in Linux.
5. He generated MD5 hashes of the bit-stream image.
6. He also prepared a chain-of-custody document and stored the original hard disk in a secure location.
7. In this case, Samuel was asked to retrieve evidence in support of Robert’s illegal activities.
8. He mounted the hard disk image in the Sleuth Kit Autopsy program in Linux.
9. He searched for files on the disk and found nothing; the disk was completely empty. He understood that the eBay seller in Pakistan had deleted all the files before putting the machine up for sale on eBay.
10. Samuel used a file recovery tool and ran a thorough scan of the hard disk image.
11. He found the following interesting deleted files:

Page | 1 Computer Hacking Forensic Investigator Copyright © by EC-Council


All Rights Reserved. Reproduction Is Strictly Prohibited.

a. 1200 JPEG files
b. 700 GIF files
c. 2000 MPEG files
d. 3500 XLS documents
e. 7000 .htm files
f. 13 ISO files

12. He extracted all the files to his PC and viewed them.
13. He was shocked to find child pornography images among the deleted files.
14. Next, Samuel started viewing the Word documents and found one interesting file labeled ahmedinvoice.doc. He opened the file and examined it. It was an invoice sent from Robert Stevens to Ahmed Jamaluddin in Islamabad, Pakistan, billing him for 2000 DVDs of “Sex with 10 year old Little Angie-never seen footage”.
15. The invoice was evidence that Robert had used GlobalDVD’s disc duplicating device to make the child pornography DVDs and had sold the discs, along with the machine, to a buyer in Pakistan.
16. Samuel scanned through the deleted .iso files and recovered a file called angie.iso.
17. He loaded the angie.iso file in the Myhome2DVD player.
18. He found a child pornography video of a little girl called Angie.
19. He immediately stopped the investigation at that point.
20. Samuel called Mathew and informed him that he was in possession of evidence that had to be handed over to the local law enforcement agency, and sought his advice on how to proceed with the investigation.
21. Mathew replied that he would have his company’s lawyer contact the FBI to take over the case from Samuel.
22. Mathew asked Samuel to stop the investigation immediately and secure the evidence until the FBI arrived.
23. Samuel concluded the investigation by handing over all the evidence to the FBI.
24. He permanently deleted the local copies of all child pornography image and video evidence files on his computer using a hard drive wipe utility.
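Steps 4 through 6 above (bit-stream imaging with dd, hashing the image, chain of custody) recur in every case study in this document. The script below is an added example and is not part of the EC-Council text: it images a source with dd, confirms the image by comparing the MD5 of source and image, and appends a chain-of-custody record. The seized disk is a constructed 2 MiB file standing in for a block device such as /dev/sdb, and the examiner name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the EC-Council case study): acquire a bit-stream image
# with dd, verify it against the source by hash, and append a chain-of-custody
# record. The "seized disk" is a constructed file standing in for a block device
# such as /dev/sdb; the examiner name is a placeholder.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for the seized drive: 2 MiB of random bytes.
make_sample_source() {
  head -c 2097152 /dev/urandom > "$WORK/seized_disk.bin"
  printf '%s\n' "$WORK/seized_disk.bin"
}

# Bit-stream copy. conv=noerror keeps reading past unreadable blocks and
# conv=sync pads a short read with zeros, so every later offset in the image
# still lines up with the original medium.
acquire_image() {
  dd if="$1" of="$2" bs=1048576 conv=noerror,sync 2>/dev/null
}

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Hash source and image and compare; prints MATCH or MISMATCH.
verify_image() {
  if [ "$(md5_of "$1")" = "$(md5_of "$2")" ]; then echo MATCH; else echo MISMATCH; fi
}

# Append one chain-of-custody line: UTC timestamp, item, MD5, size, examiner.
record_custody() {
  log=$1; item=$2; examiner=$3
  printf '%s\t%s\tmd5=%s\tbytes=%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$item" "$(md5_of "$item")" \
    "$(wc -c < "$item" | tr -d ' ')" "$examiner" >> "$log"
}

# Stand-alone run.
SRC=$(make_sample_source)
IMG="$WORK/seized_disk.dd"
acquire_image "$SRC" "$IMG"
echo "image verification: $(verify_image "$SRC" "$IMG")"
record_custody "$WORK/custody.log" "$IMG" "S. Peterson (placeholder)"
cat "$WORK/custody.log"
```

Two practical points the script makes visible: the source hash is only meaningful when the device is attached read-only (write blocker or read-only mount), and on a drive with bad sectors conv=noerror,sync pads the unreadable blocks with zeros, so source and image hashes will then legitimately differ and the examiner should record the bad blocks rather than expect MATCH.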


Case Study 2: Corporate Espionage


Computermania Inc. is the largest computer wholesale company in Albuquerque, New Mexico, and the exclusive Dell distributor in the region. Mr. Daniel Moore was the sales manager of Computermania, responsible for the company’s sales and distribution operations across the east coast region.

Computermania’s financial accounts were audited by the A & T auditing firm. The management at Computermania was shocked to learn that the company had incurred losses of USD 7.2 million in its Dell computer sales division. The company knew that Dell computer sales were growing at a rate of approximately 20% every year and could not believe that this division was losing money.

They suspected that Daniel Moore, the sales manager, had something to do with the loss. The auditors at A & T went through every financial transaction and noticed that many sales invoices had been issued to a company called Raleigh Computermart, Inc. in Dallas, Texas. The invoices were heavily discounted, well beyond the company’s standard discount policy.

A & T’s regional head, Ms. Zelda Stevens, contacted Johnson, a CHFI certified investigator, to assist her in the ongoing investigation of Computermania, Inc.
Forensic Methodology Used
1. Johnson was required to examine the hard disk of Mr. Daniel Moore’s office computer for evidence.
2. He asked Ms. Zelda for access to Mr. Daniel Moore’s office to look for evidence of his involvement in the crime. She gave Johnson permission to do so.
3. Johnson then visited the Computermania office and seized Mr. Daniel Moore’s company-owned laptop for investigation.
4. Johnson placed the device carefully in an anti-static bag and transported it to the forensics laboratory.
5. He created a bit-stream image of the hard disk using tools such as R-Drive and the Linux dd command, and generated MD5 hashes of the image.
6. Johnson prepared a chain-of-custody document and stored the original hard disk in a secure location.
7. Johnson loaded the bit-stream image in the Sleuth Kit tool and browsed every single file in the file system.
8. He read every single email displayed in the Sleuth Kit.
9. Even after two weeks of intensive investigation, Johnson was not able to find any evidence indicating Mr. Daniel Moore’s involvement in the financial fraud.
10. Johnson almost wanted to give up the case, but he decided to visit Daniel Moore’s office to look for other evidence.
11. He visited Mr. Daniel Moore’s office and scanned the whole office again for other evidence. Johnson found no CD-ROMs, PDAs, digital cameras, iPods or any other digital evidence; the only evidence was Moore’s laptop, which he had already investigated without success.
12. Johnson noticed a Xerox Model 1703 Color Photocopier in the hallway.


13. The photocopier was used by all the office staff. Johnson walked over to the Xerox photocopier and took a closer look. He noticed that it was a very advanced color photocopier powered by an embedded Linux operating system.
14. Johnson called Ms. Zelda and asked whether he could remove the hard disk of the photocopier for investigation.
15. He placed the hard disk carefully in an anti-static bag and transported it to the forensics laboratory.
16. He created a bit-stream image of the hard disk using tools such as R-Drive and the Linux dd command, and generated MD5 hashes of the image.
17. Johnson updated the chain-of-custody document and stored the original hard disk in a secure location.
18. He was ready for the second round of investigation.
19. Johnson loaded the bit-stream image in the Sleuth Kit and browsed every single file in the file system.
20. He also read every single email displayed in the Sleuth Kit.
21. He found that some files were located in a directory named with a date. The files were stored in the TIFF image file format.
22. He viewed every image and came across one that attracted his attention.
23. The image contained 10 pages of balance sheet and ownership transfer data of the company Raleigh Computermart, Inc.
24. The Xerox 1703 Color Photocopier stored every single photocopy made on the machine for 7 days.
25. The TIFF document contained evidence showing that Mr. Daniel Moore had a 51 percent ownership interest in Raleigh Computermart, Inc.
26. Johnson copied those files to a CD-ROM.
27. He used the Sleuth Kit reporting features and produced a professional report.
28. He delivered the report to Ms. Zelda at Computermart, Inc. along with the invoice for the forensics service he had rendered.
29. Mr. Daniel Moore was dismissed after it was discovered, through the forensic evidence, that he had concealed his ownership interest in Raleigh Computermart, Inc.


Case Study 3: Terrorist Attack


A terrorist was shot at Heathrow International Airport. He had been planning to bomb Mason International Airport in Fiji. His face matched an entry on the terrorist list. He tried to escape when the police confronted him, and eventually they shot him. He was carrying a laptop briefcase when he was shot. Mr. John Wales, the Chief Investigator at the Heathrow Police Department, made a phone call to Lewis, a detective in a professional investigation service, and asked him to investigate the items in the briefcase.
Forensic Methodology Used
1. To investigate the case, Lewis was given the laptop bag along with the Dell laptop that the terrorist had at the time of the confrontation with the police, photographs of the crime scene, and fingerprints that matched the terrorist.
2. He found the computer in standby mode.
3. He photographed the computer screen with his Canon digital camera for evidence.
4. Lewis noticed that the operating system in use was Microsoft Windows XP Professional Service Pack 2.
5. He inserted the Helix CD-ROM and collected the volatile evidence, such as the programs that were running, the ports that were open, and the open Explorer windows.
6. He copied the pagefile.sys file.
7. He then checked the date and time as shown by the operating system.
8. He copied individual memory processes to a Sony USB stick without altering the contents of the original hard disk.
9. He did a formal shutdown of the Windows XP operating system.
10. He then unscrewed the Dell laptop and removed the hard disk.
11. Lewis created two bit-stream images of the hard disk using tools such as R-Drive and the Linux dd command.
12. He then placed the hard disk carefully in an anti-static bag and transported it to the State Forensics Laboratory.
13. He generated MD5 hashes of the bit-stream images.
14. He then prepared a chain-of-custody document and stored the original hard disk in a secure location.
15. Lewis was asked to retrieve the following:
a. Any MS Word, Excel, PDF and image files (jpeg, gif, bmp, tiff), video files (avi, mpeg, dat, mov) and audio files (mp3, wav and rm) related to the case.
b. MS Outlook contacts, email messages, messenger chat history, cache files and Temporary Internet Files.
16. He loaded the image in EnCase and searched for the above-mentioned files.
17. The EnCase search gave him the following results:


a. 50 contact lists from Outlook
b. 25 video files
c. 132 image files
d. 12 PDF files
e. 34 MS Word files
f. 3 MS Excel sheets
18. He noticed that the video files had content related to the following:
a. The 9/11 bombings
b. Video showing terrorists practicing at a terror camp
c. Killing of kidnapped hostages
d. Motivational speeches by leaders of various terrorist outfits
e. Personal videos showing the terrorist spending some light moments with his wife and two small kids
f. A 30 minute video of Heathrow International Airport and Mason International Airport in Fiji
g. Videos taken in a hotel room along with 6 other suspects
19. He made a detailed list of the videos and prepared a document briefly explaining each of them.
20. There were photographs of Heathrow International Airport and Mason International Airport in Fiji. The terrorists had photographed both airports in detail, which confirmed the intentions of the terrorist group with which he was associated.
21. There were a few logos of a particular terrorist group, which confirmed his association.
22. Documents titled “How to make chemical bomb”, “How to prepare for Jihad” and “How to be a suicide bomber”, along with other materials, were also recovered.
23. One particular document, “How to bomb Mason International airport”, caught Lewis’s attention. He read the document and found that it contained instructions from a few people on how to spread terror at Mason International Airport, Fiji. He was more than assured of the involvement of the accused in the crime.
24. With the help of EnCase, he was able to get the list of contacts in the terrorist’s MS Outlook. The contact names matched the ones found in the earlier documents.
25. The Excel sheets found had bank account names and details of the inflow of funds to the accounts.
26. The laptop bag had a few documents and immigration visas that made clear his links with other terrorist organizations.
27. Lewis prepared a report of his forensic analysis in PDF format and personally delivered the evidence CD to Mr. John Wales along with an invoice for his professional service.
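Steps 5 through 9 above collect volatile data with Helix before the machine is powered down. The script below is an added example, not from the case study, and is written for a Linux host rather than the Windows XP laptop in the case: it records the system clock first, captures processes, sockets, mounts and sessions in decreasing order of volatility, and writes an MD5 manifest last so that the collection can later be shown to be unaltered when it is handed over. The output directory and file names are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the case study: Linux live-response collection in
# order of volatility, with an MD5 manifest written last. The output directory
# is the caller's choice (a temp dir when run stand-alone).
set -eu

# Run one collection command and save its stdout; a failing or missing command
# is noted in the file instead of aborting, so later items are still captured.
collect() {
  out=$1; shift
  if "$@" > "$out" 2>/dev/null; then :; else echo "collection failed: $*" > "$out"; fi
}

# Most volatile first: the clock before anything else, then processes and
# sockets, then mounts and logged-in sessions.
collect_volatile() {
  dest=$1
  mkdir -p "$dest"
  collect "$dest/01_clock.txt"     date -u +%Y-%m-%dT%H:%M:%SZ
  collect "$dest/02_uptime.txt"    cat /proc/uptime
  collect "$dest/03_processes.txt" ps -eo pid,ppid,user,comm
  collect "$dest/04_net_tcp.txt"   cat /proc/net/tcp
  collect "$dest/05_mounts.txt"    cat /proc/mounts
  collect "$dest/06_logged_in.txt" who
  # The manifest is written last so that it covers every artifact above.
  ( cd "$dest" && md5sum 0*.txt ) > "$dest/MANIFEST.md5"
}

# Re-hash the artifacts against the manifest: prints OK or ALTERED.
verify_collection() {
  if ( cd "$1" && md5sum -c MANIFEST.md5 ) >/dev/null 2>&1; then echo OK; else echo ALTERED; fi
}

# Stand-alone run.
OUT=${1:-$(mktemp -d)/volatile}
collect_volatile "$OUT"
echo "collected to $OUT: $(verify_collection "$OUT")"
```

The collection itself changes the machine (the script's own process appears in the process list), which is why the case study records the clock and the running state before anything else and documents the tools used; the manifest lets the later analyst prove that the files delivered on the USB stick are the ones that were collected.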


Case Study 4: Brutal Murder


Katherine was found murdered under the far eastern side of the San Francisco Bridge. Her body was taken to the forensics laboratory, where examination concluded that she had been raped and murdered. The local police launched an investigation into the murder; they wanted to catch the culprits and establish how she had been murdered. The chief investigator, Mr. Marty Smith, visited Katherine’s house and collected details about her from her parents. Katherine was a 16 year old teenager studying at Lassie High School in Madison County, San Francisco. She had lots of friends and used to hang out with them quite often.

Mr. Marty Smith visited Katherine’s room and collected various pieces of evidence such as pillows, bed sheets, greeting cards and handbooks. He also came across Katherine’s laptop, which was in her room. Her dad Simon said, “Katherine used to spend late night hours on the Internet; we thought she was studying”.

Mr. Marty Smith took the laptop with him to the local county office for investigation. Mr. Marty was not an IT professional, so he called Wright, a computer forensic investigator, to help him with his criminal investigation.
Forensic Methodology Used
1. Wright visited Mr. Marty Smith’s office.
2. He removed the hard disk from Katherine’s laptop and created two bit-stream images of the hard disk using tools such as FTK and EnCase.
3. He then placed the hard disk carefully in an anti-static bag.
4. Wright then generated MD5 hashes of the bit-stream images.
5. He prepared a chain-of-custody document and stored the original hard disk in a secure location.
6. Wright was asked to retrieve the following:
a. Internet cache files, MSN Messenger chat history, Temporary Internet Files, Outlook contacts, emails and any other evidence that would help the investigation.
7. Wright loaded one of the images in EnCase and searched for files.
8. The search did not reveal any specific result, so he ran MessenPass to crack the password of Katherine’s MSN ID. Her MSN ID was katsinlovev2@msn.com.
9. MessenPass cracked Katherine’s password. Her password was myloveeric4521.
10. Wright then logged on to her MSN Messenger and searched her chat history. He noticed a particular MSN ID, erichulklover27@msn.com. The chat sessions showed that Katherine had been constantly interacting with the person using that ID.
11. The chat sessions revealed Katherine’s affection and love for that individual, who claimed to be from Boston and 27 years of age.
12. A series of emails from Katherine’s Outlook revealed the plan of erichulklover27@msn.com to meet at a pub, The Hunter’s Paradise, near San Francisco, a day before Katherine was found dead.
13. Based on the above findings, the local police visited the pub The Hunter’s Paradise.
14. The police checked the record of transactions made by customers for the week preceding the time of the murder.


15. Katherine’s photograph was shown to the bartenders and the manager of the pub, who confirmed her presence at the pub two days earlier, just before the time of her murder. They had seen her with a tall, good-looking man in his late 30s.
16. The police scanned the credit card transactions in detail and were able to zero in on one particular transaction made by a person called Eric Newman. The payment was for two 45 ml measures of Scotch whisky and one 45 ml measure of gin.
17. The police were sure of the person involved in the crime, as the MSN ID found on Katherine’s iBook laptop, “erichulklover27”, and the name of the person who visited the pub along with Katherine matched.
18. Further investigation revealed more interesting details about the couple who had visited the pub two days before the investigation.
19. Mr. Marty Smith contacted the credit card company “GreatCards”, whose card had been used by Eric Newman. “GreatCards” Operations Manager Mr. Luther Rock extended his help to the police investigating the case.
20. Mr. Luther Rock handed Eric Newman’s personal details, along with his home and office contact addresses, over to Mr. Marty Smith. According to these details, Eric Newman’s home address was on Merrimac Street, Boston, MA 02114.
21. Mr. Marty Smith, along with other police officials, left for Boston. Mr. Marty Smith asked Wright to join him for the investigation in Boston.
22. The police contacted the local court in Boston, which issued a search and seizure warrant against Eric Newman.
23. Eric Newman was taken into police custody.
24. Wright removed the hard disk from Eric Newman’s HP Presario PC.
25. He placed the hard disk carefully in an anti-static bag and transported it to the forensics laboratory.
26. He created a bit-stream image of the hard disk using tools such as FTK and EnCase and generated MD5 hashes of the bit-stream images.
27. He prepared the chain-of-custody document and stored the original hard disk in a secure location. Wright then investigated the bit-stream image copy.
28. He was ready for investigation.
29. He was asked to retrieve the following evidence:
a. Internet cache files, MSN Messenger chat history and Temporary Internet Files.
b. Outlook contacts, emails and any other evidence that would help the investigation.
30. He ran MessenPass to crack the password of Eric Newman’s MSN ID.
31. MessenPass cracked Eric Newman’s password. His password was myloveeric4521.
32. Wright then logged on to Eric’s MSN Messenger.
33. Wright searched Eric’s chat history. He noticed a particular MSN ID, “katsinlovev2@msn.com”. That MSN ID belonged to Katherine. The chat sessions showed that Eric Newman had been interacting with Katherine using that ID for the past 6 months.


34. There were other girls listed on his MSN Messenger buddy list. From his chat history, Wright concluded that Eric Newman had indeed met Katherine on the fateful day. He had plans to meet other girls listed on his chat list.
35. The police questioned Eric Newman. Under pressure he broke down and confessed to the crime. Eric Newman’s medical records showed that he was schizophrenic, a mental disorder attributed to a depressed childhood. Katherine had accompanied him to his home, where he sexually abused her and later murdered her after she threatened to report the incident to the local police department.
36. Mr. Marty Smith thanked Wright for helping the local police department solve the case.
37. Wright prepared the report of his forensic analysis in PDF format and personally delivered the evidence CD to Mr. Marty along with an invoice for his professional service.


Case Study 5: Employee Sabotage


Kim Stevens is a research scientist working for a pharmaceutical company called Jusco Enterprises. The company was working on a human vaccine for polio treatment, and Kim had been involved in the research for six years. According to company policy, research documents had to be stored in MS Word or Rich Text Format; critical documents were stored as PDF to prevent tampering.

Kim’s research files contained 270 pages of sensitive formulae. Recently, she had a fight with the management for sidelining her while promoting Jack to Senior Scientist. Kim was disappointed, feeling that she had not been rewarded for all of her effort and time. This made her furious, and she decided to quit the company. She did not want to part with the formulae that she had come up with in her six years of work, so in a fit of rage she deleted all the critical research documents so that no one could access them.

Kim’s act came to light a week after she left the company. Her machine had not been backed up during the regular backup cycle because the enterprise central backup machine was under repair, so her most recent work, which contained the final formula, was not backed up. If the data could not be retrieved, the firm stood to lose USD 3 million in various contracts with its suppliers.

The company’s IT department failed to retrieve the data. The company hired Jason Springfield, a CHFI professional, to investigate the incident and restore the data.
Forensic Methodology Used
1. Jason visited Kim’s desk and seized all the hardware devices, such as hard disks, CD-ROMs, iPods and DVD discs.
2. He placed all the seized devices carefully in anti-static bags and transported them to a forensics laboratory.
3. Jason created a bit-stream image of the hard disk and the other storage devices using tools such as R-Drive and the Linux dd command.
4. He generated MD5 hashes of the bit-stream images.
5. He also prepared a chain-of-custody document and stored the original hard disk in a secure location.
6. Jason listed all the items that he was asked to investigate by the client. In this case, he was asked to recover deleted files containing the chemical formulae and mathematical codes.
7. He used a hexadecimal editor and scanned the entire image for keywords.
8. Next, he used a file recovery tool and scanned the entire hard disk to determine whether there were any deleted files.
9. The tool showed many deleted files that Jason was able to recover; however, there were also many deleted files that he could not recover.
10. Jason examined the entire hard disk image in hexadecimal format and scanned the entire image.
11. Jason recognized some content in the hexadecimal data and was able to recover a portion of the data using file scavenger utilities.


12. He prepared a professional forensics report based on the actions he had taken to restore the data.
13. He produced a copy of the report in PDF format and collected all the restored files on an encrypted, password-protected DVD-ROM.
14. Jason delivered the report to the company along with the DVD-ROM and charged his fee for the forensics services he had rendered.
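Case Study 1 (steps 10 and 11) and this case (steps 7 to 11) both depend on recovering deleted files and scanning an image for recognizable content. The script below is an added example, not from the EC-Council text, showing two checks an examiner runs on such output: classifying recovered files by their header signature, because the extension a recovery tool assigns to a carved file cannot be trusted, and locating a keyword in a raw image by byte offset, which is what the hexadecimal editor search in step 7 does by hand. The sample files and the sample image are constructed inside the script; the signatures are the published magic bytes for JPEG, GIF, PDF, OLE2 and ZIP. The offset search uses GNU grep’s -b option.

```shell
#!/bin/sh
# Added example, not from the case studies: classify recovered files by header
# signature and find a keyword's byte offsets in a raw image. All inputs are
# constructed below; the signatures are the published magic bytes.
set -eu

# First 8 bytes of a file as lowercase hex with no separators.
header_hex() { head -c 8 "$1" | od -An -tx1 | tr -d ' \n'; }

# Map the header to a type; anything unrecognized is reported as unknown.
classify() {
  case "$(header_hex "$1")" in
    ffd8ff*)          echo jpeg ;;
    474946383[79]61*) echo gif ;;          # GIF87a / GIF89a
    25504446*)        echo pdf ;;          # %PDF
    d0cf11e0a1b11ae1) echo ole2-office ;;  # legacy .doc/.xls/.ppt container
    504b0304*)        echo zip-office ;;   # .docx/.xlsx and other ZIP-based formats
    *)                echo unknown ;;
  esac
}

# Tally every regular file in a directory by signature: "type count" per line.
tally_dir() {
  for f in "$1"/*; do
    if [ -f "$f" ]; then classify "$f"; fi
  done | sort | uniq -c | awk '{print $2, $1}'
}

# Byte offsets at which a keyword occurs in a raw image (GNU grep -o -a -b).
find_keyword_offsets() { grep -oab -- "$2" "$1" | cut -d: -f1; }

# Constructed recovered files: the extensions deliberately lie in two cases.
make_samples() {
  d=$(mktemp -d)
  printf '\377\330\377\340JFIF' > "$d/holiday.jpg"
  printf '\377\330\377\341Exif' > "$d/report.xls"     # a JPEG behind a spreadsheet name
  printf 'GIF89a' > "$d/banner.gif"
  printf '%%PDF-1.4\n' > "$d/invoice.pdf"
  printf '\320\317\021\340\241\261\032\341' > "$d/legacy.doc"
  printf 'PK\003\004' > "$d/notes.docx"
  printf 'plain text' > "$d/image.jpg"                # not an image at all
  printf '%s\n' "$d"
}

# Constructed raw image: 4096 zero bytes, the keyword, 1000 zeros, the keyword again.
make_sample_image() {
  img=$(mktemp)
  { head -c 4096 /dev/zero; printf 'FORMULA-17'; head -c 1000 /dev/zero; printf 'FORMULA-17'; } > "$img"
  printf '%s\n' "$img"
}

# Stand-alone run.
DIR=$(make_samples)
tally_dir "$DIR"
IMG=$(make_sample_image)
find_keyword_offsets "$IMG" FORMULA-17
```

On the constructed samples the tally reports two JPEGs although only one file carries a .jpg name that is really a JPEG, and the keyword is found at offsets 4096 and 5106. In the Case Study 1 scenario the same signature check is what lets the examiner trust a count such as "13 iso files" before any of them is opened, and in this case the byte offsets are the starting points for carving the surrounding sectors with the file scavenger utilities mentioned in step 11.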


Case Study 6: Virus Attack


First Commercial Bank, a private bank, caters to 6000 customers in Rochester, New York. A virus called MaMia.w32 hit the computers at First Commercial Bank, infecting the bank’s 200 computers. As a result, all the sensitive data stored on these computers was lost: the MaMia.w32 virus formatted the entire hard disk of each infected computer.

All the computers in the bank are backed up every Sunday at 7:00 P.M. The virus infected the computers on Saturday at 2:00 P.M., so one week of work was lost.

Nick Madison, the chief information security officer at First Commercial Bank, hired Smith, a forensic investigator, to recover the data from all 200 computers infected by the virus. Smith told Nick that he would need 10 computer forensics professionals to assist him with the investigation and that it would cost a lot of money, to which Nick said, “Money is not an issue as long as the data is recovered successfully”.
Forensic Methodology Used
1. Imaging 200 computers would require 40,000 GB of storage space to begin the investigation, since each hard disk had a capacity of 100 GB and Smith needed to make at least 2 bit-stream copies of each original hard disk.
2. Smith’s forensic laboratory did not have a storage facility of that size.
3. Smith called freelance computer forensics investigators in Rochester and asked whether they would like to join him in the investigation. They agreed after negotiating a high per-day fee. Ten freelancers joined him for this investigation.
4. Smith and his forensics team visited First Commercial Bank and removed the infected hard disks from the computers.
5. They placed the hard disks carefully in anti-static bags and transported them to the forensics laboratory.
6. Smith’s forensics laboratory was piled up with the hard disks of First Commercial Bank.
7. He rented 50,000 GB of EMC rack servers from Disaster Recovery Centre Inc. in New York City.
8. Disaster Recovery Centre Inc. sent the huge racks to his forensics laboratory in a special truck.
9. Smith and his team of forensics investigators made bit-stream images of all the hard disks using tools such as FTK and EnCase.
10. They also generated MD5 hashes of the bit-stream images.
11. The team prepared a chain-of-custody document and stored the original hard disks in a secure location.
12. The team took a single hard disk image to study the possibility of recovering the data.
13. They used R-Drive to load the image to a free partition on the local computer.
14. The image was loaded as the D: drive, of 70 GB.
15. They scanned the D: drive and noticed that all the files had been deleted and the drive was not readable.


16. The investigation team installed the Handy Recovery utility to check for deleted partitions on the D: drive. It showed that 5 partitions had been deleted.
17. The team restored all 5 partitions, along with the deleted files, to their local C: drive. They observed that all recovered files were intact and in good condition.
18. The reason they could successfully restore the data was that the deleted data had not been overwritten with other data.
19. The investigation team followed the same procedure to successfully recover the data on the remaining 199 hard disks.
20. Smith called Nick, told him that his team had been successful in restoring the data, and asked how he would like the recovered data to be delivered to him.
21. Nick told Smith to format the existing hard disks and load the recovered data onto the respective hard disks.
22. The team created a forensics report and delivered it along with the 200 hard disks to Nick.
23. The team wiped the data on the rented EMC storage servers and returned the servers to Data Recovery Centre Inc.
24. Smith charged First Commercial Bank for his professional services as follows:
a. The team consisted of 11 investigators.
b. The team worked 8 hours a day for 4 days.
c. Smith charged $200 per hour.
d. The rental charges for the EMC storage servers cost USD 8,000 for 4 days.
e. Transportation charges for the rented EMC rack servers, hotel charges, car rental, and airfare for travel to New York and back cost USD 20,000.
f. Professional fees for the forensics investigation service cost USD 18,000.
g. Total Cost = 8 x 200 x 10 x 4 + 8000 + 20000 + 10000 = USD 110,000.
25. Smith sent an invoice to First Commercial Bank for the service rendered.


Case Study 7: Business Rivalry


TargetMac and OneMac are two magazines catering to the growing iPod user base. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman. Bryan made a deal with John and convinced him to purchase TargetMac. Lawyers of both companies were called in to finalize the deal. The lawyers drafted the sale contract, which restricted the removal of sensitive and confidential information and the solicitation of TargetMac customers and staff. A non-compete clause was also added to the agreement.

Two years later, John Beetlesman was suspicious of Bryan’s activities and suspected that Bryan had breached the contract. John knew Martin, a CHFI professional who provided computer forensics services. John’s lawyer, Smith Franklyn, contacted Martin to investigate and provide evidence supporting the breach of contract so that John could file a lawsuit against Bryan in a local civil court in San Francisco, California.
Forensic Methodology Used
1. Martin wanted to examine Bryan’s home and office hard disks and laptops for evidence.
2. He asked Smith Franklyn to obtain a search and seizure warrant for Bryan’s home, located at 37 Albert Avenue, San Jose, and his office, located at 46 Mathew Street, Santa Monica.
3. Smith Franklyn worked with the local District Attorney and obtained the required search warrant.
4. Smith Franklyn and Martin visited Bryan’s home and seized his computer, laptop and DVD-ROMs.
5. Martin placed the devices carefully in anti-static bags and transported them to the forensics laboratory.
6. He created a bit-stream image of the hard disk using tools such as R-Drive and the Linux dd command, and generated MD5 hashes of the bit-stream images.
7. He prepared a chain-of-custody document and stored the original hard disk in a secure location.
8. Martin loaded the bit-stream image in the FTK toolkit and browsed every single file in the file system.
9. He also read every single email displayed in FTK.
10. After many days and nights of investigation, Martin retrieved the following crucial evidence:
a. An encrypted file titled Business Plan AppleMac Magazine.
b. An Excel spreadsheet, revenuestreams.xls.
c. Numerous email messages with Franklyn’s investors.
d. Martin used a password cracking utility to crack the encrypted file Business Plan AppleMac Magazine.doc; the password was planapple.
11. The above documents clearly indicated that Bryan’s new business had competed with TargetOnes’s business.
12. Martin copied these files to a DVD-ROM and used FTK’s reporting features to produce a professional report.
13. Martin delivered the report to the company along with the invoice for the forensics services he had rendered.

14. Based on Martin’s forensic investigation report, Smith Franklyn initiated a USD 20 million lawsuit against Bryan. After two weeks the court pronounced Bryan guilty and ordered him to pay the compensation.
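Steps 6 and 7 above (a bit-stream image, an MD5 hash of it, and a chain-of-custody record) recur in every case study that follows. The Python below is an added illustration of what that acquisition step has to guarantee; it is not part of the EC-Council material and is not a substitute for dd, R-Drive, FTK or EnCase. On a Linux workstation the equivalent is `dd if=/dev/sdX of=disk.dd bs=1M conv=noerror,sync` followed by `md5sum` of both the device and the image. The sample "device" is a constructed temporary file, and the examiner and case identifiers are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # copy in 1 MiB blocks, the analogue of dd's bs=1M


def image_device(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy the source byte-for-byte to image_path, hashing the bytes as they are read.
    Returns (md5 of the bytes read from the source, number of bytes copied)."""
    md5 = hashlib.md5()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            md5.update(block)
            dst.write(block)
            copied += len(block)
    return md5.hexdigest(), copied


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent MD5 of the file as written to disk (not of the stream in memory),
    so that a write error or truncation would show up as a hash mismatch."""
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            md5.update(block)
    return md5.hexdigest()


def acquire(source_path, image_path, examiner, case_id):
    """Image the source, verify the image against the source hash and write a
    chain-of-custody record next to the image. Returns the record as a dict."""
    source_md5, size = image_device(source_path, image_path)
    image_md5 = hash_file(image_path)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": size,
        "source_md5": source_md5,   # MD5 is what the case studies use; SHA-256 alongside is common today
        "image_md5": image_md5,
        "verified": source_md5 == image_md5,
    }
    with open(image_path + ".custody.json", "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def demo():
    """Acquire a constructed 3 MiB + 17 byte 'device' (a temp file standing in for a
    hard disk) and return (record, expected_md5) so the result can be checked."""
    data = bytes(range(256)) * (3 * 4096) + b"TRAILING-SECTOR!!"   # constructed sample, not real disk data
    expected = hashlib.md5(data).hexdigest()
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "device.bin")
    with open(device, "wb") as f:
        f.write(data)
    image = os.path.join(workdir, "device.dd")
    record = acquire(device, image, examiner="EXAMINER-PLACEHOLDER", case_id="CASE-ID-PLACEHOLDER")
    return record, expected


if __name__ == "__main__":
    rec, _ = demo()
    print(json.dumps(rec, indent=2))
```

The point of hashing the source stream and the written image separately is that the two digests only agree when every byte made it to the image file; the custody record then carries the value a court or opposing expert can recompute later.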

Case Study 8: Sabotage


Keith Robertson worked at Sancong Mobile Manufacturing Company in Barcelona, Spain. The company designs mobile phone interfaces and GUIs for popular vendors, and has become a market leader in its segment within a very short span of time. Keith was involved in the design of the latest Motorola Razor phone and managed to design a GUI for the phone that rivaled Apple’s iPod designs. The company used the Maya 3D application for the design work. Keith was proud of his design and had secretly planned to offer it to Sancong’s competitors. He contacted Sancong’s competitor Jentech and struck a deal to sell them the design. A week later, Keith tendered his resignation and left Sancong.
Sancong’s engineers were shocked to notice that many of the mobile phone designs on Keith’s computer were missing. Millions of dollars had been spent on research and development of these designs, especially the new Motorola Razor phone design. Keith had sabotaged the designs before he left the company. Keith’s system was never backed up due to the highly confidential nature of the work, and only Keith had access to these designs.
The CEO of Sancong, Mr. Julian Rod, was very disturbed. Sancong had planned to patent the designs so that it could license the technology to mobile telephone manufacturers around the world. The company stood to lose millions of dollars if the designs were leaked.
Mr. Julian Rod had read success stories of computer forensics investigations around the world. He hired Steve Johnson, a CHFI and CEH certified professional, to investigate, provide evidence of Keith’s sabotage, and retrieve the data.
Forensic Methodology Used
1. Steve visited Keith’s desk and removed the hard disk carefully from his Dell Dimension 372
office computer.
2. He placed the hard disk carefully in an anti-static bag and transported it to the forensics
laboratory.
3. He created a bit-stream image of the hard disk using tools such as FTK and EnCase and
generated MD5 hashes of the bit-stream image.
4. Steve prepared a chain-of-custody document and stored the original hard disk in a secure
location.
5. He loaded the bit-stream image in the FTK toolkit and searched for the Maya 3D graphic
design files.
6. FTK search showed him no results.
7. He searched for deleted data, deleted partitions and slack space. FTK again showed no
results. The other files were intact without any corruption except the missing Maya 3D files.
8. FTK showed that there were 11,200 files present in the hard disk.
9. Steve started analyzing every single file on the hard disk, which was a very time-consuming task.
10. He came across one interesting file called BeastMan.exe in the c:\Windows\System32 directory.
11. Steve became suspicious about this file and searched Google to find out more about the program.

12. In his research Steve found that the BeastMan.exe program is used to permanently wipe
data from the computer so that recovery of the files is impossible.
13. At this stage of the investigation he suspected that Keith might have used this program to
destroy the Maya 3D graphic files.
14. Steve wanted to confirm the suspicion.
15. He called Mr. Julian Rod and asked him to send the backup tapes of the router, firewall,
DHCP, IDS and proxy server log files.
16. Next day, a FedEx box arrived from Mr. Rod with 4 sets of Sony backup tapes.
17. Steve created bit-stream images of these tapes and examined them in FTK.
18. He searched the proxy log files, called checkpointproxy.dat, for the search string BeastMan.exe.
19. FTK returned the following results:
10.0.0.7 64.233.189.104 10.36.12 17/08/2006 http://www.google.com/search?hl=en&hs=VSa&client=firefox-a&rls=org.mozilla:en-US:official_s&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=how+to+permanently+delete+Maya+3d+file&spell=1
10.0.0.7 207.3.4.4 10:37:03 17/08/2006 GET/Trojans wipers/BeastMan/index.htm
10.0.0.7 207.3.4.4 10:37:13 17/08/2006 GET/Trojans wipers/BeastMan/beastman.jpeg
10.0.0.7 207.3.4.4 10:37:22 17/08/2006 GET/Trojans wipers/BeastMan/help.txt
10.0.0.7 207.3.4.4 10:37:33 17/08/2006 GET/Trojans wipers/BeastMan/contact.htm
10.0.0.7 207.3.4.4 10:37:40 17/08/2006 GET/Trojans wipers/BeastMan/rule.htm
10.0.0.7 207.3.4.4 10:37:51 17/08/2006 GET/Trojans wipers/BeastMan/beastman.exe
20. Based on these logs, Steve confirmed that the machine at 10.0.0.7 had searched Google for a utility that can securely delete files from the system.
21. The machine at 10.0.0.7 had visited a site located at 207.3.4.4 and downloaded a program named beastman.exe.
22. Steve then needed evidence of which machine had used the IP address 10.0.0.7 on 17/08/2006 at 10:37.
23. He examined the DHCP log file called dhcp.log and searched for 10.0.0.7 and 17/08/2006.
24. FTK showed him one result. The text is as follows:
Lease duration; 180mins, DHCP scope:0, IP 10.0.0.7, subnet mask 255.255.255.0, MAC 00-11-11-A0-5A-47

25. It was confirmed that the computer at Sancong with the MAC address of 00-11-11-A0-5A-47 was
used to download the BeastMan program.
26. Further investigation confirmed that the MAC address belongs to Keith’s computer.
27. Steve was further required to prove that Keith was at his desk at that particular time, and was the
one who downloaded the program.
28. Steve called Mr. Rod and enquired about the physical security policies and the authentication system the company used.
29. Mr. Julian replied that every employee in his company has a company ID card and must use this card to access every department section. He also said that there are CCTV cameras on the ceiling of every department in the company and that the images are recorded to DVD 24x7.
30. Steve asked Mr. Rod to send the log files of physical access card data and copies of CCTV DVD
recordings.
31. The next day, he received a FedEx box with the above items from Mr. Julian.
32. New access control log files were created every day of the week. Steve searched the access control log file named acccntrl170806 and discovered the following entry:
Acc3742 EMP2316 Keith Robertson 17 08 06 10:24:34 Auth type: cardscan Status: success Room: 37

33. The above log confirmed that Keith Robertson used his card to gain access to Room 37. This also
confirmed that he was present at his desk while BeastMan.exe was being downloaded.
34. To further confirm his findings, Steve scanned through a few DVDs and located the DVD file CCTVrecording170806.mpeg.
35. He played the .mpeg file in Windows Media Player and positioned the frame at time 10:36:00.
36. He saw Keith Robertson sitting in front of his computer, looking intently at his screen while talking to someone on the phone.
37. This proved that Keith was indeed the one who had downloaded the file and destroyed the data.
38. Steve had gathered the necessary evidence of Keith’s hand in the sabotage, but the files could not be recovered, as the hard disk had been wiped using BeastMan.exe.
39. Steve used FTK’s reporting feature and produced a professional report which included the
evidence from DHCP logs, Access control logs and CCTV disc.
40. He delivered the report to Mr. Rod and issued an invoice to Sancong Mobile Manufacturing
Company for the payment towards his service.
Based on Steve’s evidence, Mr. Rod filed a lawsuit against Keith Robertson for sabotage and
destruction of confidential data. Mr. Rod claimed USD 6.7 million as damages.
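Steps 18 to 26 above are a log-correlation exercise: find the download in the proxy log, take the client IP and time from that entry, then find the DHCP lease that covered that IP at that moment to get a MAC address. The Python below is an added example of that correlation and is not part of the case study or of FTK. The proxy lines are constructed in the same shape as the ones quoted above; the page's DHCP entry carries no timestamp, so a lease start time on each DHCP line is assumed here, because without it the lease window cannot be checked against the download time (a DHCP address can be reassigned, so the lease must actually cover the moment in question).

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines in the shape of the checkpointproxy.dat entries quoted in Case Study 8.
# The last line is a decoy: a different client fetching a related page at a different time.
PROXY_LOG = """\
10.0.0.7 64.233.189.104 10.36.12 17/08/2006 http://www.google.com/search?hl=en&q=how+to+permanently+delete+Maya+3d+file
10.0.0.7 207.3.4.4 10:37:03 17/08/2006 GET/Trojans wipers/BeastMan/index.htm
10.0.0.7 207.3.4.4 10:37:51 17/08/2006 GET/Trojans wipers/BeastMan/beastman.exe
10.0.0.9 207.3.4.4 14:02:10 17/08/2006 GET/Trojans wipers/BeastMan/help.txt
"""

# Constructed DHCP lease records. A lease start timestamp per line is an assumption
# (the entry quoted on the page has none). The first lease shows 10.0.0.7 held by a
# different MAC the day before, which is why the time window matters.
DHCP_LOG = """\
16/08/2006 09:15:40 Lease duration: 180mins, DHCP scope: 0, IP 10.0.0.7, subnet mask 255.255.255.0, MAC 00-AA-BB-CC-DD-EE
17/08/2006 09:58:12 Lease duration: 180mins, DHCP scope: 0, IP 10.0.0.7, subnet mask 255.255.255.0, MAC 00-11-11-A0-5A-47
17/08/2006 13:40:05 Lease duration: 180mins, DHCP scope: 0, IP 10.0.0.9, subnet mask 255.255.255.0, MAC 00-22-33-44-55-66
"""

# client dest time date resource; the time separator may be ':' or '.' as in the quoted log
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,2}[:.]\d{2}[:.]\d{2})\s+(\d{2}/\d{2}/\d{4})\s+(.+)$")
DHCP_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) Lease duration: (\d+)mins, "
    r".*?IP (\S+), .*?MAC ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
)


def _ts(date, time):
    """Combine a dd/mm/yyyy date and a hh:mm:ss (or hh.mm.ss) time into a datetime."""
    return datetime.strptime(f"{date} {time.replace('.', ':')}", "%d/%m/%Y %H:%M:%S")


def find_requests(proxy_text, needle):
    """Proxy entries whose requested resource contains needle (case-insensitive)."""
    hits = []
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, dest, time, date, resource = m.groups()
        if needle.lower() in resource.lower():
            hits.append({"client_ip": client, "dest_ip": dest,
                         "time": _ts(date, time), "resource": resource})
    return hits


def parse_leases(dhcp_text):
    """Lease records as (ip, mac, start, end) windows."""
    leases = []
    for line in dhcp_text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        date, time, minutes, ip, mac = m.groups()
        start = _ts(date, time)
        leases.append({"ip": ip, "mac": mac, "start": start,
                       "end": start + timedelta(minutes=int(minutes))})
    return leases


def mac_for(leases, ip, at):
    """The MAC that held ip at the instant 'at', or None if no lease covers it."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= at <= lease["end"]:
            return lease["mac"]
    return None


def attribute(proxy_text, dhcp_text, needle):
    """Each matching proxy request, annotated with the MAC that held the client IP at that time."""
    leases = parse_leases(dhcp_text)
    results = []
    for hit in find_requests(proxy_text, needle):
        hit["mac"] = mac_for(leases, hit["client_ip"], hit["time"])
        results.append(hit)
    return results


if __name__ == "__main__":
    for r in attribute(PROXY_LOG, DHCP_LOG, "beastman.exe"):
        print(r["time"], r["client_ip"], "->", r["mac"], r["resource"])
```

The MAC address is still only a machine identifier; as steps 27 to 37 show, placing a person at that machine needs a further source (access-control logs, CCTV) that covers the same time window.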

Case Study 9: Disaster Recovery Investigation


Jason worked for H&M Consultants, a large accounting firm in Dallas, Texas. He prepared financial balance sheets and accounting reports for big corporate clients. His deadline to submit the annual tax filing for JacobSun Enterprises was Friday at 10 am. He worked hard, completed the entire tax filing report on Thursday night, and felt that he had done a fantastic report that would boost his promotion opportunities within the company. He left for the night and went home. Jason always leaves his computer switched on.
The next morning Jason arrived at the office and got ready to print the document for the IRS filing submission. Apparently, there had been a power outage within the building due to voltage fluctuation. Jason noticed that his computer was turned off. He tried to switch it on, and to his shock the computer failed to boot, displaying the following message: The NTOSKRNL.exe is corrupted along with serious damage to your data files. Please reinstall the Operating Systems and recover data from backup source.
Jason’s computer was not on the network and had never been backed up. He picked up the phone and called the company’s IT help desk for assistance. The IT help desk told Jason that the data could not be recovered and advised him to hire a forensics investigator who might be able to assist.
Jason searched Google for a skilled computer forensics investigator, and Brian’s name popped up in a link: “We have CHFI on board to investigate all your Computer Forensics needs”. Jason looked up Brian’s telephone number on the web page and hired him immediately over the phone.
Forensic Methodology Used
1. Brian visited Jason’s desk and removed the hard disk carefully from his computer.
2. He placed the hard disk carefully in anti-static bags and transported it to the forensics laboratory.
3. He created a bit-stream image of the hard disk using tools such as R-Drive and Linux dd
commands.
4. Brian generated MD5 hashes of the bit-stream image.
5. He prepared a chain-of-custody document and stored the original hard disk in a secure location.
6. Brian was asked to retrieve the following:
a. IRS files
b. Spreadsheet files
7. He loaded the bit-stream image as an evidence file in the EnCase Forensic tool.
8. EnCase mounted the hard disk as the C: drive.
9. He observed the following:
a. The operating system is Windows XP Professional with SP2
b. Memory is 2 Ghz
c. The size of the C: drive is 30 Gb and there is only one partition
10. He viewed the boot sector files and noticed that he was unable to access files located in the directory c:\windows\systems32.
11. The partition table indicated that the C: drive was corrupted. This prevented the system from booting.

12. He used the EnCase hex editing utility to fix the partition table.
13. He saved the hard disk image and mounted it as the primary device in another computer.
14. The computer booted normally, and he copied all the IRS tax files and spreadsheet documents to a DVD-ROM.
15. Brian prepared a professional forensics report based on the actions he had taken to restore the data.
16. He printed a copy of the report in PDF format and attached the restored files on an encrypted, password-protected DVD-ROM.
17. Brian delivered the report to the company along with the invoice for the forensics service he rendered.
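Steps 11 and 12 above hinge on reading the partition table and repairing it in a hex editor. The Python below is an added example (not the case study's or EnCase's code) of what an examiner checks in the first sector of an MBR-partitioned disk before editing it: the 0x55AA boot signature at offset 510, the four 16-byte partition entries at offset 446, their status and type bytes, and whether the entries overlap. The sample sector is constructed to resemble the single 30 GB NTFS C: partition described above, and the "corrupt" copy has only its boot signature zeroed; a real repair depends on what is actually damaged, so the repair function here is one illustration, not a general fix.

```python
import struct

SECTOR = 512
PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)


def build_mbr(partitions):
    """Constructed MBR sector: boot code left zeroed, entries packed, 0x55AA signature."""
    sector = bytearray(SECTOR)
    for i, p in enumerate(partitions):
        entry = struct.pack(ENTRY_FMT, 0x80 if p["bootable"] else 0x00, b"\0\0\0",
                            p["type"], b"\0\0\0", p["lba_start"], p["sectors"])
        sector[446 + 16 * i:462 + 16 * i] = entry
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Decode the partition table and list structural problems that would stop a boot."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    sig = struct.unpack_from("<H", sector, 510)[0]          # little-endian: bytes 55 AA read as 0xAA55
    report = {"signature_ok": sig == 0xAA55, "partitions": [], "errors": []}
    if not report["signature_ok"]:
        report["errors"].append("boot signature 0x%04X, expected 0xAA55" % sig)
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue                                          # empty slot
        report["partitions"].append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start, "sectors": sectors, "size_bytes": sectors * SECTOR,
        })
        if status not in (0x00, 0x80):
            report["errors"].append("slot %d: invalid status byte 0x%02X" % (i, status))
        if lba_start == 0 or sectors == 0:
            report["errors"].append("slot %d: zero start or length" % i)
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["slot"]) for p in report["partitions"])
    for (s1, e1, a), (s2, e2, b) in zip(spans, spans[1:]):
        if s2 < e1:
            report["errors"].append("slots %d and %d overlap" % (a, b))
    if report["signature_ok"] and not any(p["bootable"] for p in report["partitions"]):
        report["errors"].append("no partition flagged bootable")
    report["bootable_layout"] = not report["errors"]
    return report


def repair_signature(sector):
    """Return a copy with the boot signature restored; the only edit this example makes."""
    fixed = bytearray(sector)
    fixed[510:512] = b"\x55\xAA"
    return bytes(fixed)


# Constructed 30 GB disk with one bootable NTFS partition, like the C: drive in the case study.
DISK_SECTORS = 30 * 1024 ** 3 // SECTOR
GOOD_MBR = build_mbr([{"bootable": True, "type": 0x07, "lba_start": 63, "sectors": DISK_SECTORS - 63}])
CORRUPT_MBR = GOOD_MBR[:510] + b"\x00\x00"    # same table, boot signature destroyed

if __name__ == "__main__":
    for label, mbr in (("good", GOOD_MBR), ("corrupt", CORRUPT_MBR), ("repaired", repair_signature(CORRUPT_MBR))):
        r = parse_mbr(mbr)
        print(label, r["partitions"], r["errors"])
```

Any edit of this kind is made to the working image, never the original disk, and the image hash recorded before the edit is what ties the report back to the evidence.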

Case Study 10: Steganography


Joan Shelly worked at Texas National Bank in Dallas, Texas, as a corporate loan officer. She had resigned from the bank recently. Don Johnson, the CEO of the bank, suspected that Joan had used her position to send confidential loan information to someone outside the bank. The investigation had to be carried out in complete confidentiality due to FDIC requirements.
Don called Mathew to investigate and prove Joan’s crime, which was considered theft of confidential data.
Forensic Methodology Used
1. Mathew asked Don to send the hard disk of Joan Shelly’s computer to his office for investigation.
2. He also gave instructions to Don on how to remove the hard disk from the computer and how to
package it for transportation.
3. Don complied with Mathew’s request and sent him the hard disk through FedEx.
4. Mathew created a bit-stream image of the hard disk using dd command in Linux.
5. He generated MD5 hashes of the bit stream image.
6. He prepared a chain-of-custody document and stored the original hard disk in a secure location.
7. Mathew loaded the image in EnCase and searched for files.
8. EnCase showed Mathew zero results.
9. He also scanned the image for deleted and formatted partitions, but with no results.
10. Without any valid data on the hard disk, Mathew was unable to continue with the investigation.
11. He called Don and told him that there was no data on the hard disk with which to continue the investigation.
12. Don replied that the bank’s IT department zaps the entire hard disk of every outgoing employee with an unrecoverable disk-wipe program.
13. Mathew told Don, “That makes sense!”
14. He asked Don whether they had copies of the mail server logs for the investigation. The company has a policy of backing up the Exchange server log files every day. The next day Mathew received a FedEx envelope containing CDs of Exchange log files.
15. He scanned through the Exchange server log files and found that Joan had been sending emails with no message body to henry@xsecurity.com.
16. He saw that about 10 emails had been sent to this address with no message, each carrying an attached blank text file with no data in it.
17. He wondered, “Why did she send so many emails with empty blank files?” The size of each blank file was 500kb.
18. He suspected that the blank files carried steganographically hidden content.
19. Mathew scanned the blank files with the snow steganography utility and was amazed to see the bank’s confidential loan profiles for 6000 customers.

20. This evidence showed that Joan had used steganography to conceal the data and send it to a third party outside the company.
21. Mathew prepared the report in PDF format and delivered the evidence CD back to Don along
with an invoice for his professional service.
22. Don initiated a lawsuit against Joan Shelly for theft of confidential information.
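The tell in steps 16 to 18 above is a text file that looks empty yet weighs 500kb; whitespace steganography of the kind snow performs keeps the visible text unchanged and carries the payload in spaces and tabs at the ends of lines. The Python below is an added triage check (not part of the case study and not snow itself) that profiles a text attachment and reports the indicators an examiner would want flagged before reaching for a dedicated tool: a visually blank file that is nonetheless large, and a high share of trailing spaces and tabs. All sample inputs are constructed inline; the "payload" lines are random whitespace and carry no real hidden message.

```python
import random


def whitespace_profile(data):
    """Counts that describe how much of a text file is invisible."""
    text = data.decode("latin-1")                      # byte-transparent decode, never fails
    lines = text.split("\n")
    visible = sum(1 for c in text if not c.isspace())
    trailing = sum(len(line) - len(line.rstrip(" \t")) for line in lines)
    return {"bytes": len(data), "lines": len(lines), "visible_chars": visible,
            "tabs": text.count("\t"), "trailing_ws": trailing}


def whitespace_stego_indicators(data, min_blank_bytes=4096, trailing_ratio=0.25):
    """Human-readable reasons the file deserves a closer look; empty list means nothing unusual.
    Thresholds are assumptions for this example, not published detection criteria."""
    p = whitespace_profile(data)
    reasons = []
    if p["visible_chars"] == 0 and p["bytes"] >= min_blank_bytes:
        reasons.append("visually blank file of %d bytes" % p["bytes"])
    if p["bytes"] and p["trailing_ws"] / p["bytes"] >= trailing_ratio:
        reasons.append("%.0f%% of bytes are trailing spaces/tabs" % (100.0 * p["trailing_ws"] / p["bytes"]))
    if p["tabs"] and p["visible_chars"] and p["tabs"] > p["visible_chars"]:
        reasons.append("more tab characters than visible characters")
    return reasons


def _constructed_blank_attachment(size=500 * 1024, seed=1):
    """A 'blank' text file of exactly size bytes made of space/tab runs, like the attachments in the case."""
    rng = random.Random(seed)
    chunks, total = [], 0
    while total < size:
        line = "".join(rng.choice(" \t") for _ in range(8)) + "\n"
        chunks.append(line)
        total += len(line)
    return "".join(chunks).encode("ascii")[:size]


NORMAL_TEXT = ("Quarterly loan review\nAll figures are in USD.\nNo action required.\n" * 50).encode("ascii")
BLANK_ATTACHMENT = _constructed_blank_attachment()


def _constructed_cover_with_trailing(seed=2):
    """Ordinary text whose lines carry 40 random trailing space/tab characters (constructed, no real payload)."""
    rng = random.Random(seed)
    lines = NORMAL_TEXT.decode("ascii").split("\n")
    padded = [line + "".join(rng.choice(" \t") for _ in range(40)) if line else line for line in lines]
    return "\n".join(padded).encode("ascii")


COVER_WITH_TRAILING = _constructed_cover_with_trailing()

if __name__ == "__main__":
    for name, sample in (("blank attachment", BLANK_ATTACHMENT), ("normal text", NORMAL_TEXT),
                         ("cover with trailing whitespace", COVER_WITH_TRAILING)):
        print(name, whitespace_profile(sample), whitespace_stego_indicators(sample))
```

The check only says that a file is worth extracting with the appropriate tool; confirming what is hidden, as Mathew did in step 19, still needs the decoder.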

Case Study 11: Encrypted Documents


Mason Stevens worked as a software programmer at IT-Defense Solutions Pvt. Ltd. in Singapore. He was involved in programming the Ballistic Missile Management application. It was a top-secret project, and he was the only one involved in it. No backups were made due to the sensitive nature of the project.
Mason had written about 200,000 lines of C++ code and had almost completed the project. Mason resigned from the company due to work pressure and internal office politics. He submitted the entire project on DVD discs, including the project documentation, to his boss Mr. Lloyd Seen. He cleared his desk and left the company for another IT job in Japan.
Mr. Lloyd looked at the submitted DVDs and found about 230 C++ source code files, but the core source code component (the hook.dll and bindc.dll files) for the Ballistic Missile project was encrypted and password protected. Without these files the entire project was useless.
Mr. Lloyd was under extreme pressure to show a fully working prototype of this application to prospective buyers from Russia in 2 days, failing which the company would lose the entire contract, which was worth several million dollars. Mr. Lloyd might also lose his job for the no-show. Mason’s whereabouts were unknown at this stage.
Mr. Lloyd called Derrick, a forensic investigator, to unlock these files.
Forensic Methodology Used
1. Derrick asked Mr. Lloyd to send a copy of the core source code component in a DVD.
2. Next day, Derrick received a shipment from Mr. Lloyd through FedEx. The shipment contained
the DVD which had the core source code component.
3. He created a bit-stream image of the DVD using dd command in Linux.
4. He generated MD5 hashes of the bit-stream image.
5. He prepared a chain-of-custody document and stored the original DVD in a secure location.
6. Derrick loaded the password cracker application called Advanced Zip Password Recovery and launched a brute-force dictionary attack on the file component.zip.
7. He left the program running.
8. In six hours, the password recovery tool cracked the password of the encrypted file component.zip.
9. The cracked password was juggyboy97X.
10. He copied the files to a DVD.
11. He prepared an investigation report in PDF format and personally delivered the evidence DVD to Mr. Lloyd the same day, along with an invoice for his professional service.
12. The entire investigation was concluded in 8 hrs.

Case Study 12: Trademark Infringement


Martin Spencers, Inc. is a clothing manufacturing chain in San Jose, Texas. It had designed its latest collection of men’s summer shirts. These designs were considered unique in the marketplace, and the company had spent many years developing them. Martin Spencers also trademarked these designs and published them on the Internet in 2005 for custom licensing.
Another company, Jaco Designs, based in London, had a similar design and was offering it for sale worldwide. The CEO of Martin Spencers, Mr. Alfred Stonwell, was shocked to learn that Jaco Designs had copied the designs from his company.
Mr. Alfred filed a trademark infringement lawsuit against Jaco Designs in London. The lawyers for Jaco Designs argued that their client had created the designs first and had not seen or heard about the summer clothing designs from Martin Spencers. They also argued that they had not even seen the designs on the Martin Spencers website www.martinspencersx.com in 2005. Jaco Designs claimed that the designs it had created were original.
Mr. Alfred called Thomson (a forensic investigator) to prove Jaco Designs wrong.
Forensic Methodology Used
1. Thomson was required to prove that Jaco Designs had been aware of Martin Spencers, Inc.’s summer shirt designs.
2. Martin Spencers had published the entire catalog with the disputed designs on the website on 3rd March 2005.
3. Thomson had a responsibility to find evidence showing that the staff at Jaco Designs had visited the website at www.martinspencersx.com.
4. Thomson asked Alfred whether they had kept backup copies of the web server log files for the two years before the investigation. The year was 2006.
5. Alfred checked with the IT department and arranged to send Thomson the backup tapes of the IIS web server log files since the year 2004.
6. The next day, Thomson received a FedEx box from Alfred containing 20 backup tapes.
7. Thomson copied the data from all the tapes to his hard disks. There was about 300 GB of data.
8. He prepared a chain-of-custody document and stored the backup tapes in a secure location.
9. He then checked the Jaco Designs company’s IP address at Netcraft by searching for the domain name www.jacodesignsx.com.
10. Netcraft showed Thomson the IP address of the domain as 207.3.3.3.
11. He double-checked that IP address using a DNS reverse lookup and confirmed that it resolved to 207.3.3.3.
12. Thomson was now ready for a serious search.
13. He searched the entire set of IIS logs for the IP address 207.3.3.3 using the Microsoft IIS Log Parser utility:
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.gif
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 10/13/04, 2:55:16, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.gif
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.htm
207.3.3.3, -, 11/23/04, 13:05:52, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.pdf
207.3.3.3, -, 03/03/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
207.3.3.3, -, 03/03/05, 10:55:21, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
207.3.3.3, -, 03/03/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
199.7.8.2, -, 03/15/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
199.7.8.2, -, 03/15/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
199.7.8.2, -, 03/15/05, 10:55:24, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
14. The above log entries proved that Jaco Designs had visited www.martinspencersx.com and downloaded the PDF document.
15. He also noted that an IP address, 199.7.8.2, had accessed the summer design catalog that month.
16. A Google search for that IP address showed him that it resolved to Jaco Designs’ law firm, Manchester Law Associates, located in London.
17. This proved not only that the people at Jaco Designs had seen the summer shirt designs but also that the law firm of Jaco Designs had visited the website www.martinspencersx.com.
18. Thomson prepared the investigation report in PDF format and delivered the evidence tapes back to Don along with an invoice for his professional service.
19. Based on Thomson’s forensic evidence, Martin Spencers was awarded USD 2.3 Million by the London High Court for willful trademark infringement.
20. Jaco Designs was planning to appeal the case in the London Supreme Court.
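Steps 13 to 17 above turn raw IIS log lines into a per-client access history and a first-seen date for the disputed catalog. The Python below is an added example of that analysis (not the case study's own work, and not Microsoft Log Parser): it parses lines in the comma-separated shape quoted above, builds a timeline for one client address, reports the earliest successful fetch of a resource per client, and answers the question the lawsuit turned on, whether a given client fetched the catalog before a given date. The column-to-field mapping is assumed from the quoted lines; the log text is constructed from the entries above plus one extra line (a 404 from an unrelated client) to show that failed requests are excluded.

```python
from datetime import datetime

# Constructed from the Log Parser output quoted in Case Study 12, plus one extra 404 line.
IIS_LOG = """\
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.gif
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 10/13/04, 2:55:16, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.gif
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.htm
207.3.3.3, -, 11/23/04, 13:05:52, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.pdf
207.3.3.3, -, 03/03/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
207.3.3.3, -, 03/03/05, 10:55:21, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
207.3.3.3, -, 03/03/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
199.7.8.2, -, 03/15/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
199.7.8.2, -, 03/15/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
199.7.8.2, -, 03/15/05, 10:55:24, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
10.1.1.5, -, 03/16/05, 09:00:00, W3SVC2, Martinsp, 12, 163, 512, 404, 2, GET, /summerdesign-catalog4.pdf
"""

# Assumed positional mapping for the 13 comma-separated columns in the quoted lines.
FIELDS = ["client_ip", "user", "date", "time", "site", "server", "time_taken",
          "bytes_in", "bytes_out", "status", "win32_status", "method", "uri"]


def parse_iis(text):
    """Rows as dicts; lines that do not have exactly 13 columns are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%y %H:%M:%S")
        row["status"] = int(row["status"])
        rows.append(row)
    return rows


def accesses_by(rows, client_ip, uri_prefix, success_only=True):
    """Chronological requests from one client for resources under uri_prefix."""
    hits = [r for r in rows
            if r["client_ip"] == client_ip and r["uri"].startswith(uri_prefix)
            and (not success_only or r["status"] == 200)]
    return sorted(hits, key=lambda r: r["when"])


def first_seen(rows, uri_prefix):
    """Earliest successful fetch of the resource, per client address."""
    first = {}
    for r in sorted(rows, key=lambda r: r["when"]):
        if r["uri"].startswith(uri_prefix) and r["status"] == 200:
            first.setdefault(r["client_ip"], r["when"])
    return first


def accessed_before(rows, client_ip, uri_prefix, cutoff_date):
    """True if the client successfully fetched the resource before cutoff_date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    hits = accesses_by(rows, client_ip, uri_prefix)
    return bool(hits) and hits[0]["when"] < cutoff


if __name__ == "__main__":
    rows = parse_iis(IIS_LOG)
    for ip, when in first_seen(rows, "/summerdesign-catalog").items():
        print(ip, "first fetched the catalog at", when)
```

A client address in a web log identifies a network egress point, not a person, which is why step 11 (confirming the address really belongs to the party in question) precedes the search rather than following it.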

Case Study 13: Racial Discrimination


Dr. Kent Rogers is a leading skin specialist in the Bronx, New York.
One day Jackson, who is of African origin, visited Dr. Kent Rogers for treatment of his black pigmentation skin allergy. After conducting several clinical tests, the doctor refused to treat the allergy on Jackson’s face and asked him to seek treatment from the New York National Skin Center.
The following week Jackson filed a racial discrimination lawsuit against Dr. Kent Rogers in a New York civil court for having refused to treat him.
Dr. Kent Rogers hired a forensic investigator, Richard Walter, to carry out a forensic investigation and prove him innocent.
Forensic Methodology Used
Dr. Kent Rogers discussed with Richard the series of threatening emails sent by Jackson. Jackson wanted a refund on his treatment.
1. Richard visited Dr. Rogers’ clinic.
2. He removed the hard disk from Dr. Rogers’ laptop.
3. He placed the device carefully in an anti-static bag and transported it to the forensics laboratory.
4. Richard created a bit-stream image of the hard disk using tools such as R-Drive and Linux dd
commands.
5. He generated MD5 hashes of the bit stream image.
6. He also prepared a chain-of-custody document and stored the original hard disk in a secure
location.
7. Richard was asked to retrieve:
a. Email messages sent by Dr. Kent Rogers to various medical practitioners around the world discussing Jackson’s treatment, which would prove Dr. Rogers’s innocence.
8. Richard used Paraben’s E-mail Examiner to analyze the emails sent by Dr. Kent Rogers from the MS Outlook 2003 email client using his email id drkentrogers@kentrogerscl.com.
9. Paraben’s E-mail Examiner analysis showed a series of emails sent by Dr. Kent Rogers to medical practitioners around the world enquiring about the continuation of treatment for Jackson’s black pigmentation skin allergy.
10. The emails showed other doctors warning Dr. Kent Rogers not to proceed with the particular treatment of Jackson, as he was suffering from a pigmentation allergy that was serious in nature; if the treatment were continued, Jackson’s condition would aggravate, and they recommended that Jackson seek treatment from New Skin Allergy Hospital.
11. The series of emails proved that the charges filed by Jackson against Dr. Kent Rogers were false.
12. Richard prepared the report of forensics analysis in PDF format and personally delivered the
evidence DVD to Dr. Kent Rogers along with an invoice for his professional service.

13. Dr. Rogers hired an attorney to fight his case. Based on Richard’s forensic analysis and the attorney’s legal arguments, the District Court judge dismissed the racial discrimination case against Dr. Rogers.
14. Dr. Rogers lost many clients due to the bad publicity in the press.
15. Dr. Rogers filed a defamation case against Jackson for a sum of USD 500,000.
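Steps 8 to 11 above rest on reconstructing who wrote to whom, when, and which messages answered which. The Python below is an added example of that header analysis using the standard library (it is not Paraben's E-mail Examiner and not part of the case study): it parses raw messages, lists everything sent from a given address in date order, checks that every In-Reply-To header points at a message actually present in the set, and picks out the replies the doctor received. The sender address is the one given in step 8; the correspondents, dates, subjects and bodies are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed messages standing in for the Outlook mailbox examined in Case Study 13.
RAW_MESSAGES = [
    """From: Dr. Kent Rogers <drkentrogers@kentrogerscl.com>
To: colleague-one@example.invalid
Date: Mon, 03 Apr 2006 09:12:00 -0400
Subject: Pigmentation case - request for second opinion
Message-ID: <msg-001@kentrogerscl.com>

Constructed body: requesting a second opinion on continuing treatment.
""",
    """From: colleague-one@example.invalid
To: drkentrogers@kentrogerscl.com
Date: Mon, 03 Apr 2006 18:40:00 +0100
Subject: Re: Pigmentation case - request for second opinion
Message-ID: <msg-002@example.invalid>
In-Reply-To: <msg-001@kentrogerscl.com>

Constructed body: advising against continuing the treatment.
""",
    """From: Dr. Kent Rogers <drkentrogers@kentrogerscl.com>
To: colleague-two@example.invalid
Date: Tue, 04 Apr 2006 08:05:00 -0400
Subject: Referral advice
Message-ID: <msg-003@kentrogerscl.com>

Constructed body: asking where the patient should be referred.
""",
]


def parse_messages(raws):
    """Header fields an examiner reports on, with the Date header as a timezone-aware datetime."""
    parsed = []
    for raw in raws:
        msg = message_from_string(raw)
        parsed.append({
            "from": getaddresses([msg["From"]])[0][1].lower(),
            "to": [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))],
            "date": parsedate_to_datetime(msg["Date"]),
            "subject": msg["Subject"],
            "message_id": msg["Message-ID"],
            "in_reply_to": msg.get("In-Reply-To"),
            "body": msg.get_payload(),
        })
    return parsed


def sent_by(msgs, address):
    """Everything a given address sent, oldest first (offsets are honoured when comparing)."""
    return sorted((m for m in msgs if m["from"] == address.lower()), key=lambda m: m["date"])


def dangling_references(msgs):
    """Message-IDs whose In-Reply-To points at a message not in the set: a sign the
    mailbox is incomplete or a thread was constructed after the fact."""
    known = {m["message_id"] for m in msgs}
    return [m["message_id"] for m in msgs if m["in_reply_to"] and m["in_reply_to"] not in known]


def replies_to(msgs, address):
    """Messages that answer something the address sent, showing the exchange ran both ways."""
    sent_ids = {m["message_id"] for m in sent_by(msgs, address)}
    return [m for m in msgs if m["in_reply_to"] in sent_ids]


if __name__ == "__main__":
    msgs = parse_messages(RAW_MESSAGES)
    for m in sent_by(msgs, "drkentrogers@kentrogerscl.com"):
        print(m["date"].isoformat(), "->", ", ".join(m["to"]), "|", m["subject"])
    print("dangling:", dangling_references(msgs))
```

Headers like Date and Message-ID are set by the sending client and can be edited, so a report built on them cites the mailbox they were taken from (with its image hash) and, where possible, the receiving side's copy as corroboration.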

Case Study 14: iPod - A Handy Tool for Crime


Xdata Enterprises is an online storage company based in Albuquerque, New Mexico, with a major share of the online storage market. John Cruise, the CEO of Xdata Enterprises, believed in a free work environment at his office.
Physical security measures were not a priority at Xdata Enterprises. Ron Smith was working as lead Storage Architect with Xdata Enterprises and was the most senior employee in its Offline Storage Department. He had worked hard on a new product, MyOfflineStorage, which Xdata Enterprises was about to release in a couple of months, and he was expecting a 40% hike in his salary after the monthly review.
All of Ron’s hopes were washed away when Yuri Wellington, his colleague and a member of the key MyOfflineStorage project, was given the maximum credit during the performance review. Subsequently, Yuri got a hike of 45% on his salary.
A few months later SecureOffline Storage Inc, a competitor based in St. Louis, Missouri, launched a product similar to Xdata Enterprises’ MyOfflineStorage. John suspected Ron of selling the blueprint of MyOfflineStorage to SecureOffline Storage Inc.
He called Fabian Thomas, a renowned forensic investigator, to investigate the case.
Forensic Methodology Used
1. Fabian visited Ron’s desk and removed the hard disk carefully from his HP Pavilion office
computer.
2. He placed the hard disk carefully in an anti-static bag and transported it to the forensics
laboratory.
3. Fabian created a bit-stream image of the hard disk using tools such as FTK and EnCase.
4. He generated MD5 hashes of the bit-stream image.
5. He also prepared a chain-of-custody document and stored the original hard disk in a secure
location.
6. Fabian loaded the bit-stream image in EnCase and searched MS Outlook for emails related to the sabotage.
7. He searched the Sent folder in MS Outlook but failed to find any attachments related to the blueprint of the project.
8. Fabian searched deleted data, deleted partitions and slack space, and came across an .exe file, ImageHide.exe. He became suspicious of Ron’s activities: ImageHide is a steganography tool for hiding information in image files.
9. He searched for image files (jpeg, tiff, bmp, gif) and came across more than 20000 image files. Analyzing each file for steganographic content is a time-consuming task, and John had asked him to investigate the case in 2 days, as he planned to sue SecureOffline Storage Inc for corporate espionage; his company’s shares were falling with each passing day.
10. Fabian discovered from Ron’s peers that he used an iPod for listening to music while on the job.
11. He asked John to get Ron’s iPod for investigation.

12. Fabian stored the iPod in a static-free bag and marked it as evidence.
13. He created a bit-stream image of the iPod using tools such as FTK and EnCase.
14. He generated MD5 hashes of the bit-stream image.
15. Fabian prepared a chain-of-custody document and stored the original iPod in a secure location.
16. EnCase recovered all files present on the iPod, including the deleted ones.
17. He noticed an image file called blueprintimp.jpeg. The size of the image file was 800kb.
18. He opened the image file. The image turned out to be Ron’s photograph.
19. Fabian tried opening the file blueprintimp.jpeg using StegDetect, a steganalysis tool.
20. He found information related to the product embedded in the image file.
21. He prepared the report of his forensic analysis in PDF format and delivered it to John along with an invoice for his professional service.
Based on his investigation and the evidence found, Ron was arrested by the local police department. Ron confessed to the crime. John sued SecureOffline Storage Inc. on corporate espionage charges for a sum of USD 15 million.

Case Study 15: Pornography


Natasha Gabriel worked as an Advertising Manager for the firm Cosmopolitan-Ad Agency. She was a
liberal woman who always made unreserved and lewd remarks about her male colleagues.
Mr. Mark Dwendler, CEO of Cosmopolitan-Ad Agency, called Jayson Springfield, a forensic investigator, and asked for his computer forensics services to assist in an internal investigation to determine whether Natasha Gabriel had downloaded pornographic images and other inappropriate material on her PC.
Jayson sent a quotation of USD 10,000 for a 3-day investigation of Natasha Gabriel’s case. Mark agreed to the quotation.
Forensic Investigation Methodology
1. Jayson visited Natasha’s desk and removed the 80 GB Seagate hard disk carefully from her HP
Pavilion office computer.
2. He placed the hard disk carefully in an anti-static bag and transported it to the forensics
laboratory.
3. Jayson created a bit-stream image of the hard disk using tools such as FTK and EnCase.
4. He generated MD5 hashes of the bit-stream image.
5. He also prepared a chain-of-custody document and stored the original hard disk in a secure
location.
6. Jayson was asked to retrieve the following evidence files:
   a. Pornographic images
   b. Pornographic videos
7. He loaded the bit-stream image into the FTK toolkit and searched the hard disk image for image files
(jpeg, gif, bmp, tiff) and videos (mpeg, dat, avi, mov).
8. The FTK search turned up pornographic images and video files in the following directories:
   a. C:\Documents and Settings\Conference\My Documents\My Pictures
   b. Internet cache (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5)
   c. Deleted files in the Recycle Bin
   d. C:\Documents and Settings\Conference\My Documents\My Videos
9. Most of the pornographic images and videos were related to “Lesbian Sex activities”.
10. Jayson copied those files to a DVD-ROM.
11. He used FTK’s reporting features to produce a professional report.
12. He delivered the report to Mr. Mark Dwendler and issued an invoice to Cosmopolitan-Ad
Agency for payment for his services.

Based on Jayson’s report, Natasha Gabriel was fired from the company for breaching clause 3.1 (a) of
her Employment Agreement.
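Step 7 searches by file extension, which misses a renamed file. As an added example (not the case study's or FTK's code), the following Python types files by their magic bytes over a directory that stands in for the mounted bit-stream image, flags extension mismatches, and records MD5 and SHA-256 hashes for the report; the sample files it builds are constructed.

```python
"""Signature-based media triage over an extracted disk image tree.

Added example, not part of the case study: step 7 searched by extension, which
misses renamed files; this types files by magic bytes, flags mismatches and
records MD5/SHA-256 for the report.
"""
import hashlib
import os
import tempfile

# (magic bytes, offset, type) from the respective format specifications.
SIGNATURES = [(b"\xff\xd8\xff", 0, "jpeg"), (b"GIF87a", 0, "gif"), (b"GIF89a", 0, "gif"),
              (b"BM", 0, "bmp"), (b"II*\x00", 0, "tiff"), (b"MM\x00*", 0, "tiff"),
              (b"\x00\x00\x01\xba", 0, "mpeg"), (b"\x00\x00\x01\xb3", 0, "mpeg"),
              (b"AVI ", 8, "avi"), (b"ftyp", 4, "mov"), (b"moov", 4, "mov")]
EXT_ALIASES = {"jpg": "jpeg", "tif": "tiff", "mpg": "mpeg", "dat": "mpeg", "qt": "mov"}

def identify(header: bytes):
    """Return the media type implied by the leading bytes, or None."""
    for magic, offset, kind in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind
    return None

def triage(root: str) -> list:
    """One record per media file under root (standing in for the mounted image)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = identify(data[:16])          # None: not a searched media type
            if kind:
                ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
                records.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                                "type": kind, "ext_mismatch": EXT_ALIASES.get(ext, ext) != kind,
                                "md5": hashlib.md5(data).hexdigest(),
                                "sha256": hashlib.sha256(data).hexdigest()})
    return records

def build_sample_tree() -> str:
    """Constructed samples: a JPEG, a JPEG renamed .txt, an AVI, and plain text."""
    root = tempfile.mkdtemp(prefix="case15_")
    os.makedirs(os.path.join(root, "My Pictures"))
    samples = {"My Pictures/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
               "My Pictures/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 12,
               "clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST", "readme.txt": b"just text"}
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root
```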

Case Study 16: Expert Witness


Mr. Bond Level, a high-flying lawyer in Georgia, handled the divorce case of Mr. and Mrs. Steve Rally. Mr.
Bond represented Steve, while Mr. Green Smith represented Steve’s wife Sheela. Mr. Bond had presented
several e-mail messages as forensic evidence to prove that Sheela was having an extra-marital affair with
her hairstylist and was cheating on her husband. This was the reason Steve was seeking a divorce.
In Orange County civil court, the lawyers argued about the validity of the e-mail evidence. The lawyer
Green Smith maintained that his client had never sent the e-mail messages and that they should not be
accepted as evidence.
Mr. Bond was required to prove that the e-mail messages were authentic. He hired a forensic investigator,
Jonathan Shelly, to appear in the courtroom as an expert witness.
Expert Witness Cross Examination
Court Scene at Orange County Local Civil Court

Mr. Jonathan Shelly took the stand as expert witness.


[Mr. Bond Level]: Please state your name and designation.
[Jonathan]: My name is Jonathan Shelly and I am the Forensics Investigator at Data Forensics
Communications Inc.
[Mr. Bond Level]: Can you please state your qualifications?
[Jonathan]: I have a Bachelor’s Degree in Information Technology from New York University. I also hold
various professional certifications such as MCSE and CCNA.
[Mr. Bond Level]: Wow! That is very impressive Mr. Jonathan. What experience do you have in the field
of computer forensics?
[Jonathan]: I have over 20 years of working experience in the field of information security and network
administration.
[Mr. Bond Level]: Those are your professional qualifications. What the Court would like to know is your
experience in investigating computer forensics cases.
[Jonathan]: I have attended many corporate sexual harassment internal investigations involving computers.
I have investigated various terrorist related cases for the Homeland Security Department.
[Mr. Bond Level]: Could you discuss these cases so that we know how qualified you are?
[Jonathan]: I am sorry I won’t be able to discuss the cases here as I have signed a non-disclosure
agreement with my clients, unless the court issues me an order.
[Mr. Bond Level]: That’s alright. Have you published any books, whitepapers, articles etc.?
[Jonathan]: I have written a book titled Investigating Computer Crimes for McGraw-Hill. I have
contributed many articles at http://searchsecurity.techtarget.com. I have also presented papers at various
security conferences around the world.
[Mr. Bond Level]: I agree you are a computer forensics expert. Can you please take a look at Exhibit A,
which contains the email messages sent from Mrs. Sheela Rally to her hairstylist, Mr. Rouba Bandoras?
Could you tell me if this email message is a legitimate message?
[Jonathan]: Yes, I investigated this email header and I confirm the following:
• The email was sent from Sheela Rally to Rouba Bandoras.
• The IP address of the email server was correct and it was routed through 207.3.3.3, which confirms
her domain xjewellery.com.
• I have computed the Message ID of the SMTP server and it is accurate.
[Mr. Bond Level]: In other words, this email message cannot be forged, right?
[Jonathan]: Yes.
[Mr. Bond Level]: Could you tell the court if there is any possibility for the message to be bogus?
[Jonathan]: No. The message server logs also show that the message id and the date sent match
Microsoft Outlook’s data from Mrs. Sheela Rally’s computer.
[Mr. Bond Level]: Are you sure? Very sure? This message is authentic and cannot be forged?
[Jonathan]: Yes.
[Mr. Bond Level]: That’s all, Your Honor.
[Judge]: Mr. Green Smith, would you like to cross-examine the Expert Witness?
[Green Smith]: Yes, Your Honor.
Jonathan walked up to the witness stand.
[Green Smith]: Mr. Jonathan Shelly, could you tell me exactly what technical skills you possess?
[Jonathan]: I’m sorry, I do not understand the question.
[Green Smith]: Let me rephrase the question. What Internet server technologies and client technologies
have you mastered till today?
[Jonathan]: I have worked with UNIX, Linux, Mainframe computers, Internet Programming Languages,
Microsoft Windows 2000, XP, 2003, Firewalls, IDS, Proxy servers, Routers etc. I have 20 years of
experience in the IT field.
[Green Smith]: You have stated that you have conducted a forensics analysis on Mrs. Sheela Rally’s
computer and found the IP address to be the same on the server log files. Am I right?
[Jonathan]: The evidence file analysis was conducted using EnCase, which was linked to…
(Green Smith interrupts Jonathan.)
[Green Smith]: Please answer yes or no.
(The Judge intervenes.)
[Judge]: Mr. Jonathan Shelly please answer the question.
[Jonathan]: (Looking at the judge) Yes Your Honor
[Jonathan]: Yes
[Green Smith]: Could you explain to the court what unique message id was created by the SMTP server?
[Jonathan]: The message id was calculated by the SMTP server program using the MD5 algorithm.
[Green Smith]: What is the MD5 algorithm, Mr. Jonathan Shelly?
[Jonathan]: MD5 is a secure hashing function that converts an arbitrarily long data stream into a digest of
fixed size. It is conjectured that the difficulty of coming up with two messages having the same message
digest is on the order of 2^64 operations, and that the difficulty of coming up with any message having a
given message digest is on the order of 2^128 operations.
[Green Smith]: Thank you Mr. Jonathan Shelly. So this message cannot be duplicated using another
identical message id. Am I right?
[Jonathan]: Yes
[Green Smith]: Based on your experience, your professional qualifications, your technical competency, is
the email message authentic and cannot be forged?
[Jonathan]: Yes
[Green Smith]: Please take a look at Exhibit A and note the SMTP server CommuniGate Pro 6.1.2. Can
you tell me what that is?
[Jonathan]: CommuniGate Pro is an SMTP server program for the Linux Operating System and is widely
used on embedded computers.
[Green Smith]: The email header shows that the message was routed through CommuniGate Pro 6.1.2
server. Am I right?
[Jonathan]: Yes
[Green Smith]: Once again based on your thorough investigation on the SMTP log files and Sheela Rally’s
computer hard disk image the message was routed through CommuniGate Pro 6.1.2 server, Yes or No?
[Jonathan]: Yes. 100% right!
[Green Smith]: Mr. Jonathan Shelly, I searched in Google for the term “CommuniGate Pro 6.1.2” but
could not find any results. I contacted several Linux professionals and asked them if there was ever
CommuniGate Pro 6.1.2 and their answer was No. The latest version was 4.1.2. I contacted the company
vendor Stalker Corporation and asked them if they ever produced CommuniGate Pro 6.1.2 server and
their reply was No. Also they mentioned that the banner message of SMTP server cannot be altered.
(Jonathan handed Exhibit C to the Judge: an e-mail message sent from Stalker Communication to
Green Smith.)
[Green Smith]: Mr. Jonathan Shelly, please take a look at Exhibit A and tell me if this email header is
accurate and not forged.
[Jonathan]: (long pause) Mmm… I’m not sure. (Jonathan looked at the Judge.)
[Green Smith]: This email message cannot be accepted as evidence. Thank you, Your Honor.
(The Judge dismissed the email message as crucial evidence in the divorce case.)
Note: A forensic investigation must be thorough, and the investigator must be able to justify every claim
in the report completely in a court of law. Jonathan has just lost the case.
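The cross-examination turned on a server banner in the header that nobody had checked. As an added example (not part of the case study), the following Python parses a message's Received chain and Message-ID and lists the points an examiner must resolve before testifying that a header is authentic; the vendor-version table (KNOWN_VERSIONS) and the sample Exhibit A text are constructed assumptions, not real product data.

```python
"""Consistency checks on e-mail headers before calling a message authentic.

Added example, not part of the case study: the cross-examination turned on a
server banner ("CommuniGate Pro 6.1.2") nobody had verified. This parses the
Received chain and Message-ID and lists what an examiner must still resolve.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: versions the examiner has confirmed with the
# vendor. An unlisted version is a question to resolve, not proof of forgery.
KNOWN_VERSIONS = {"CommuniGate Pro": {"4.1.2", "4.1.8"}, "Postfix": {"2.11.3"}}
BANNER_RE = re.compile(r"([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*) (\d+(?:\.\d+)+)")
COMMENT_RE = re.compile(r"\(([^)]*)\)")
FROM_HOST_RE = re.compile(r"^from\s+([\w.\-]+)", re.I)

def header_findings(raw: str) -> list:
    """Return inconsistencies found; an empty list means none found, not 'genuine'."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_domain = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    if sender_domain and msgid_domain and not msgid_domain.endswith(sender_domain):
        findings.append(f"Message-ID domain {msgid_domain} differs from sender {sender_domain}")
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfold lines
    if not hops:
        findings.append("no Received headers: the routing path cannot be traced")
    else:
        # Received headers are prepended, so the last one is nearest the sender.
        m = FROM_HOST_RE.match(hops[-1])
        if m and sender_domain and not m.group(1).lower().endswith(sender_domain):
            findings.append(f"originating host {m.group(1)} is outside {sender_domain}")
    for hop in hops:
        for comment in COMMENT_RE.findall(hop):
            for product, version in BANNER_RE.findall(comment):
                if product in KNOWN_VERSIONS and version not in KNOWN_VERSIONS[product]:
                    findings.append(f"'{product} {version}' is not a vendor-confirmed version")
    return findings

# Constructed sample modelled on Exhibit A; the date, ids and hosts are invented.
EXHIBIT_A = """\
Received: from mail.xjewellery.com (mail.xjewellery.com [207.3.3.3])
\tby mx.example.net (CommuniGate Pro 6.1.2) with ESMTP id 4211
\tfor <rouba@example.net>; Mon, 12 May 2008 10:15:03 -0400
From: Sheela Rally <sheela@xjewellery.com>
Message-ID: <20080512141502.ABC123@xjewellery.com>
"""
```

Each finding is a question for the server logs or the vendor; only when every one is answered can the examiner say, as Jonathan did, that the header is consistent with what the logs record.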