
CYBER FORENSICS – CASE 1

INVESTIGATOR NAME : RISHI.G.G

COMMANDS:

C:\Users\batch1\Desktop\stegdetect>stegdetect -t p *.jpg

auto1 (1).jpg : negative

Corrupt JPEG data: 8 extraneous bytes before marker 0xd9

auto1 (2).jpg : jphide(*)

auto1 (3).jpg : false positive

auto1 (4).jpg : negative

auto1 (5).jpg : negative

auto1 (6).jpg : negative

Corrupt JPEG data: 198 extraneous bytes before marker 0xd9

auto1 (7).jpg : negative

C:\Users\batch1\Desktop\stegdetect>stegdetect -n -t p *.jpg

auto1 (1).jpg : negative

Corrupt JPEG data: 8 extraneous bytes before marker 0xd9

auto1 (2).jpg : jphide(*)

auto1 (3).jpg : false positive

auto1 (4).jpg : negative

auto1 (5).jpg : negative

auto1 (6).jpg : negative

Corrupt JPEG data: 198 extraneous bytes before marker 0xd9

auto1 (7).jpg : negative


C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f worlist.txt -t p auto1 (2)

Processed 0 files, found 0 embeddings.

Time: 0 seconds: Cracks: 0, NaN c/s

C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f worlist.txt -t p jphidepic.jpg

Corrupt JPEG data: 8 extraneous bytes before marker 0xd9

Loaded 1 files...

fopen: worlist.txt: No such file or directory

C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f wordlist.txt -t p jphidepic.jpg

Corrupt JPEG data: 8 extraneous bytes before marker 0xd9

Loaded 1 files...

fopen: wordlist.txt: No such file or directory

C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f words.txt -t p jphidepic.jpg

Corrupt JPEG data: 8 extraneous bytes before marker 0xd9

Loaded 1 files...

jphidepic.jpg : jphide[v5](gumbo)

Processed 1 files, found 1 embeddings.

Time: 7 seconds: Cracks: 80743, 11534.7 c/s


C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f wordlist.txt -t p jphidepic2.jpg

Loaded 1 files...

fopen: wordlist.txt: No such file or directory

C:\Users\batch1\Desktop\stegdetect>stegbreak -r rules.ini -f words.txt -t p jphidepic2.jpg

Loaded 1 files...

jphidepic2.jpg : jphide[v5](gator)

Processed 1 files, found 1 embeddings.

Time: 7 seconds: Cracks: 75723, 10817.6 c/s


MANTOOTH CASE
NAME : RISHI.G.G
REG. NO. : 18BCI0125

QN 1) What type of file is Mantooth.E01

Mantooth.E01 is an EnCase disk image (.E01 evidence file).

QN 2) What is the Operating System?

The operating system detected is Windows Vista ™ Ultimate

QN 3) What is the File System?

NTFS
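How the answers to QN 1 and QN 3 can be verified from bytes rather than from a tool's label, as an added example that is not part of the original report or of any forensic tool: an EnCase evidence file starts with the EWF signature `EVF\x09\x0d\x0a\xff\x00` followed by the segment number, and an NTFS volume boot record carries the OEM string `NTFS    ` at offset 3 and the 0x55AA boot signature at offset 510. The disk data inside an E01 is stored in compressed chunks, so the boot sector must be read from the decoded stream (through libewf/pyewf, an `ewfexport` output, or the forensic tool's image layer), never from offset 0 of the .E01 file itself. On a partitioned disk sector 0 is an MBR, and the NTFS volume boot record is the first sector of the partition. The sample byte strings below are constructed.

```python
"""Identify an evidence container and the file system in its first sector.

Added example for QN 1 and QN 3; not part of the original report or of any
forensic tool. Layouts: EWF (E01/L01) file header as documented by libewf,
NTFS/FAT/exFAT boot sectors and the classic MBR. Samples are constructed.
"""
import struct
from typing import List, Optional, Tuple

EWF_E01_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"   # EnCase evidence file (.E01)
EWF_L01_MAGIC = b"LVF\x09\x0d\x0a\xff\x00"   # EnCase logical evidence (.L01)


def identify_container(head: bytes) -> Tuple[str, Optional[int]]:
    """(container type, segment number) from the first 13 bytes of a file.

    EWF file header: 8-byte signature, 1 byte fields_start (0x01),
    uint16 LE segment number (1 for .E01, 2 for .E02, ...), uint16 0x0000.
    """
    if len(head) >= 13 and head[:8] in (EWF_E01_MAGIC, EWF_L01_MAGIC):
        fields_start, segment, fields_end = struct.unpack("<BHH", head[8:13])
        if fields_start == 1 and fields_end == 0:
            return ("EWF-E01" if head[:1] == b"E" else "EWF-L01"), segment
        return "EWF (damaged header)", None
    return "raw/unknown", None


def mbr_partitions(sector0: bytes) -> List[Tuple[int, int, int]]:
    """[(type, first LBA, sector count)] for the four MBR slots at 0x1BE."""
    parts = []
    for i in range(4):
        entry = sector0[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack("<II", entry[8:16])
        if ptype:
            parts.append((ptype, first_lba, count))
    return parts


def identify_filesystem(sector0: bytes) -> str:
    """Classify one 512-byte sector read from the *decoded* disk image.

    E01 stores the disk as compressed chunks: read sector 0 through an
    EWF-aware layer (libewf/pyewf, ewfexport output), not from the .E01
    file at offset 0.
    """
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        return "no boot signature"
    if sector0[3:11] == b"NTFS    ":
        return "NTFS"
    if sector0[3:11] == b"EXFAT   ":
        return "exFAT"
    if sector0[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if sector0[0x36:0x3E] in (b"FAT12   ", b"FAT16   ", b"FAT     "):
        return "FAT12/16"
    parts = mbr_partitions(sector0)
    if parts:  # partitioned disk: classify each partition's first sector next
        return "MBR: " + ", ".join(
            "type 0x%02X @LBA %d (%d sectors)" % p for p in parts)
    return "unknown"


# --- constructed samples ------------------------------------------------
SAMPLE_E01_HEADER = EWF_E01_MAGIC + struct.pack("<BHH", 1, 1, 0)

SAMPLE_NTFS_VBR = bytearray(512)
SAMPLE_NTFS_VBR[0:3] = b"\xEB\x52\x90"        # jump instruction
SAMPLE_NTFS_VBR[3:11] = b"NTFS    "           # OEM ID
SAMPLE_NTFS_VBR[510:512] = b"\x55\xAA"        # boot signature
SAMPLE_NTFS_VBR = bytes(SAMPLE_NTFS_VBR)

SAMPLE_MBR = bytearray(512)                   # one bootable type-0x07 entry
SAMPLE_MBR[0x1BE:0x1CE] = (b"\x80" + b"\x00" * 3 + b"\x07" + b"\x00" * 3
                           + struct.pack("<II", 2048, 204800))
SAMPLE_MBR[510:512] = b"\x55\xAA"
SAMPLE_MBR = bytes(SAMPLE_MBR)

if __name__ == "__main__":
    print(identify_container(SAMPLE_E01_HEADER))   # ('EWF-E01', 1)
    print(identify_filesystem(SAMPLE_NTFS_VBR))    # NTFS
    print(identify_filesystem(SAMPLE_MBR))         # MBR: type 0x07 @LBA 2048 ...
```

Partition type 0x07 only says "IFS (NTFS, exFAT or HPFS)"; the NTFS answer is confirmed by reading sector `first_lba` of the decoded image and classifying it with `identify_filesystem`.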

QN 4) Provide the account name and last login information for each account present in Mantooth

NAME            LAST LOGIN INFO
Wes Mantooth    2008-02-13 03:15:48 IST
Dracula         2008-02-13 01:43:54 IST

QN 5) If there is any evidence of a .exe file being deleted, describe the artifact name and document your findings

There are 7 executable files in total on the disk, but none of the *.exe files was deleted. No file carries the red cross mark that indicates a deleted file.

QN 6) Find proof of communication with Gladiator

QN 7) What is a "Pranic Vampire"? In which document is it mentioned? When was the document created?

Pranic Vampire

This is a more common and possibly more correct term for psychic vampire. Prana is the Sanskrit word meaning "life energy", which more accurately describes the energy that we feed on.
Pranic Vampires have a broken or, in most cases, removed chakra, generally the navel, but in some cases the heart chakra. Often this type of psychic vampire has a completely reworked energy system.

Pranic vampire is generally a catch-all term and may encompass the other types of psychic vampires as well.

QN 8) What is present in happy.mpeg?

In happy.mpeg, a person gets irritated and hastily throws the keyboard at the monitor, then hurries from his desk and barges out of the office, after which he disappears from the camera's view. Another man looks on as the frustrated person smashes up the computer and leaves the place.

QN 9) Check if picture of any drugs are present? If so name the drugs.


QN 10) Find the list of criminal activities Mantooth was involved in and the associated

artifacts.

CRIMES DONE:

- ATM CARD STEALING
- MAKING METH
- DRUG RECIPES
- CHECK WASHING

(PROOF PROVIDED IN THE PICTURES BELOW)


QN 11) Summarize the finding against Mantooth

The EnCase image contains information about a drug dealer who has pictures of cocaine, meth and other drugs. The criminal is also involved in stealing ATM cards. The web search history and the pictures on the disk prove that the person is clearly involved in this. There are also e-mails, encrypted files, pictures, a remote disk, operating system information and 6 relevant e-mail addresses, all of which support and aid the proceedings of this case.

QN 12) Mantooth received one Text Internet Email that had no subject about a stolen ATM. Who sent it to him (name and email) and when was it sent?

We see there is no subject in this email.


Further information about the email with no subject:

From: Wes Mantooth <dollarhyde86@comcast.net>

Timestamps:

Modified  2007-08-04 21:32:56 IST
Accessed  2007-07-08 04:20:07 IST
Created   2007-07-08 04:20:07 IST
Changed   2007-08-04 21:36:26 IST
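The four values above are the file's $STANDARD_INFORMATION timestamps (Changed is the MFT entry modification time). NTFS stores each one as a FILETIME, a 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00 UTC, and the examining tool renders it in its configured display zone; the IST suffix here is taken to be that display zone (UTC+05:30), so the same Created value reads 2007-07-07 22:50:07 in UTC and a report should always state the zone it used. The helpers below are an added example, not part of the original report or of any forensic tool: they convert between FILETIME and aware datetimes, parse the displayed lines, and apply the ordering check an examiner makes on such a set (Modified earlier than Created is what a file copied onto the volume looks like, since a copy receives a new Created time but keeps its content's Modified time). The IST zone assumption is marked in the code.

```python
"""FILETIME <-> aware datetime helpers for the MAC(E) timestamps above.

Added example; not part of the original report. IST (UTC+05:30) is assumed
to be the examiner's display zone, as the 'IST' suffix suggests; NTFS
itself stores UTC.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
IST = timezone(timedelta(hours=5, minutes=30), "IST")   # assumed display zone


def filetime_to_datetime(ft: int, tz: timezone = timezone.utc) -> datetime:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).astimezone(tz)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_displayed(line: str, tz: timezone = IST) -> datetime:
    """'Created 2007-07-08 04:20:07 IST' -> aware datetime in the display zone."""
    _label, date, clock, _zone = line.split()
    naive = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def to_utc_string(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_notes(stamps: Dict[str, datetime]) -> List[str]:
    """Ordering observations on a {'Modified', 'Accessed', 'Created', 'Changed'} set."""
    notes = []
    created, modified = stamps["Created"], stamps["Modified"]
    if modified < created:
        notes.append("Modified precedes Created: content predates the file's "
                     "creation on this volume (typical of a copied file)")
    return notes


if __name__ == "__main__":
    # The four lines as displayed in the report above.
    shown = {}
    for line in ("Modified 2007-08-04 21:32:56 IST", "Accessed 2007-07-08 04:20:07 IST",
                 "Created 2007-07-08 04:20:07 IST", "Changed 2007-08-04 21:36:26 IST"):
        label = line.split()[0]
        shown[label] = parse_displayed(line)
        print(label, to_utc_string(shown[label]), datetime_to_filetime(shown[label]))
    print(timestamp_notes(shown))   # []
```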

QN 13) Find when and who deleted the file ValidCreditCard.jar

We see that the email was sent from arpan4017@yahoo.com.

Credit card no.: 3400-1234-5678-902

Person who deleted it: MANTOOTH (user)

It was deleted on 2007-01-13 3:59:48 IST.
