
Digital Forensics

Dr. Qin Zhou Coursework C


CASE #001-122011

AbdulHasib Osmani
Page | 1

Table of Contents
ABSTRACT .......................................................... 3
OVERVIEW .......................................................... 4
1. Crime scene investigation ...................................... 5
   1.1 Seizing evidence ........................................... 5
   1.2 What evidence was found and seized from the crime scene .... 10
2. Imaging the evidence ........................................... 11
   2.1 Imaging the CD ............................................. 11
   2.2 Imaging the USB Memory Stick ............................... 13
3. Summary ........................................................ 14
   3.1 Log Book ................................................... 14
   3.2 General Case Intake Form ................................... 15
   3.3 Chain of Custody ........................................... 16
Appendix A Crime Scene ............................................ 18
Appendix B Tools Used ............................................. 30


ABSTRACT
I, AbdulHasib Osmani, a computer forensics analyst, was contacted by Example University in the Kingdom of Example Land (KEL) on 2nd December 2011 regarding an incident which occurred in one of the University's laboratories. The incident was picked up by a network administrator who noticed some illegal rhino traffic and alerted the University's management. The network administrator had linked this incident to a computer which is primarily used by a PhD student. I arrived at the scene where the alleged offence took place on 13th February 2012 at 11:00 am to acquire any evidence which could help in the investigation. I took a series of photographs of the crime scene and then proceeded to seize the physical evidence and place it in anti-static bags and boxes; i.e. a CD, a CD case with a cover, and the desktop computer, monitor and its peripherals. After leaving the crime scene, I went to the laboratory and placed all the related evidence in protected evidence lockers.
As part of the investigation, I made exact bit copies of the CD and USB memory stick which were seized from the scene of the crime. I used Masterkey Linux for the CD and AccessData FTK Imager for the USB memory stick. Thereafter, I computed MD5 checksums to confirm that I had made perfect copies of both pieces of evidence. This process needed to be observed properly to make the evidence valid in court. Throughout the procedure, I observed the chain of custody and kept a log of events, which is included in the report.


OVERVIEW
On 2nd December 2011, I was contacted by Dr. Qin Zhou, a manager at Example University, regarding suspected unlawful usage of the University's equipment to facilitate the possession and distribution of pictures of unique rhinos. After a good discussion with the University's management over the phone, I decided to take on the case and investigate this incident. The primary objective of this investigation is to see whether the University's equipment was used to facilitate the possession and distribution of unique rhino pictures in excess of the legal limit, which is 8. This report contains a complete analysis of the crime scene and the details of the digital media which was acquired from the crime scene. The first chapter of the report contains the initial phase of the investigation, outlining what was found and what was seized from the scene of the crime. Pictures of the crime scene and evidence are also portrayed alongside a description of the items. The second chapter of the report explains the imaging procedures and how I went about making exact bit copies of the evidence seized. The final chapter of the report summarises the sequence of events and my findings, including the appendices, which contain the images, Chain of Custody, Case Intake Form and any further information on the evidence obtained.


1. Crime scene investigation

1.1 Seizing evidence

I arrived at the crime scene in lab room JAG18, situated in the Jaguar building at Example University, at 11am on 13th February 2012. I was told by the head of the faculty, Dr. Qin Zhou, that the scene had been secured as soon as the alleged incident was discovered and access was closed to all personnel. Dr Zhou informed me that the computer was only used by the suspect, a PhD student. This suggests that the scene had been secured properly and nobody else had entered the room, so there is nothing to imply that any evidence was tampered with after the suspect left. Firstly, I took photographs of the crime scene. There was an off-white Viglen Genie desktop PC with a 15-inch TFT monitor and Compaq keyboard of the same colour, and a black IBM mouse. (Figure 1)

Figure 1 Crime Scene

There was also a 2GO 2GB USB memory stick inserted in the front USB slot of the PC. (Figure 2)

Figure 2 2GO USB Memory Stick

Upon reviewing the area of the crime scene, I also discovered a CD case with an article on steganography contained within it, but no CD. (Figure 3 & Figure 4)

Figure 3 CD Case with article

Figure 4 Exploring Steganography: Seeing the unseen


Upon inspection of the rear of the PC, I realised there was only one screw holding the cover in place instead of 2 (Figure 5), which suggests that the cover had been removed and the hardware possibly tampered with.

Only 1 screw at the bottom of the case is in place, the other screw at the top is missing.

Figure 5 Rear of the PC


I decided to remove the side cover to see if the hardware inside had been tampered with and discovered that the hard disk drive had been removed. (Figure 6)

Figure 6 No hard disk drive (HDD)

After discovering that the HDD had been removed, I put the cover back on and booted the computer to see if the CD was in the CD drive and to check the BIOS settings. I found that the CD was still in the CD drive. (Figure 7)

Figure 7 TDK CD labelled Collection of papers, images.. P.



I then checked the BIOS settings and established that the time in the BIOS was incorrect. It was ahead by about 1 hour and 10 minutes. (Figure 8)

Time is incorrect

Figure 8 BIOS Settings


1.2 What evidence was found and seized from the crime scene

Evidence number) Item description / Serial #
001) Viglen Genie Desktop PC / #21509852
002) 15-inch TFT monitor / #21509843
003) Compaq keyboard
004) Black IBM mouse
005) 2GO 2GB USB Memory Stick / B000VZ4KIM
006) TDK CD-R
007) Power cables for PC and monitor
008) CD case with article on steganography


2. Imaging the evidence

My primary task upon returning to the lab was to remove the CD and USB memory stick from the evidence locker and image them.

2.1 Imaging the CD

I inserted the CD into a forensics workstation which was running Masterkey Linux. This distribution would allow me to create an exact bit copy of the CD. Once I had started Masterkey Linux, the first thing I did was use #fdisk -l to see whether the CD which needed to be imaged was present, which it was, as /dev/hdc. I then created a primary partition on the target drive (/dev/sdc) and added an NTFS file system to it using GParted. This created a new directory named /mnt/sdc1. I then made sure that the directory wasn't mounted by using the #mount shell prompt, and it wasn't. The next step was to mount the RhinoEvidenceDisk for data acquisition. This was done by entering the shell prompt #mount -t ntfs-3g /dev/sdc1 /mnt/sdc, which resulted in me mounting the drive successfully. After that, I changed directory to the target disk's mount point using the shell prompt #cd /mnt/sdc1. I then used the shell prompt #md5sum /dev/hdc, which generated the MD5 hash for the original CD evidence. This gave the hash a675cf425ee43622d75b18e0528ad2c7.

Figure 9 MD5 CD original evidence


The next task was to image the original evidence CD (/dev/hdc) and save it to the target disk's NTFS partition (/mnt/sdc1) as an image file named RhinoEvidenceDisk.dd. Once that had completed, I checked that the image file existed by using the shell prompt #ls -l /mnt/sdc1/, and it did. The final thing which needed to be done was an MD5 hash of the image created, to make sure that it is a perfect copy of the original evidence CD. The MD5 hash generated was a675cf425ee43622d75b18e0528ad2c7, which was exactly the same as the original.

Figure 10 MD5 CD image file
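The CD acquisition described in section 2.1 (image the medium block-for-block, hash the original, hash the image, compare) can be wrapped into a single repeatable routine. The script below is an added example and is not part of the original report or of Masterkey Linux; it uses the same tools the report does (dd and md5sum) and adds a SHA-256 digest alongside the MD5. Every path is constructed for the demonstration: the "medium" is a file of 16 sectors of 2048 bytes created on the spot, and the image name RhinoEvidenceDisk.dd is reused only as a label. On a real acquisition the source would be the read-only device node (for example /dev/hdc as in the report) and the output would be written to a prepared target partition.

```sh
#!/bin/sh
# Added example, not part of the original report: image a medium block-for-block
# with dd, hash source and image, and accept the image only when the digests agree.
# Paths and the sample "medium" are constructed for the demo; on a real acquisition
# SRC would be the read-only device node (e.g. /dev/hdc or /dev/sr0 for a CD).
set -u

# hash_file FILE ALGO -> prints only the hex digest (md5 or sha256)
hash_file() {
    case $2 in
        md5)    md5sum "$1"    | cut -d' ' -f1 ;;
        sha256) sha256sum "$1" | cut -d' ' -f1 ;;
        *)      echo "unknown algorithm: $2" >&2; return 2 ;;
    esac
}

# acquire_and_verify SRC IMAGE
# Copies SRC into IMAGE and returns 0 only if MD5 and SHA-256 of both agree.
# conv=noerror,sync keeps reading past bad sectors and zero-pads them so the image
# stays byte-addressable; bs must equal the medium's sector size (2048 for a CD)
# so the padding can never change the image size and break the hash comparison.
acquire_and_verify() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=2048 conv=noerror,sync 2>/dev/null || return 1
    src_md5=$(hash_file "$src" md5);    img_md5=$(hash_file "$img" md5)
    src_sha=$(hash_file "$src" sha256); img_sha=$(hash_file "$img" sha256)
    printf 'source md5=%s sha256=%s\n' "$src_md5" "$src_sha"
    printf 'image  md5=%s sha256=%s\n' "$img_md5" "$img_sha"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# verify_image IMAGE MD5 SHA256 -> 0 if IMAGE still matches the digests recorded at acquisition
verify_image() {
    [ "$(hash_file "$1" md5)" = "$2" ] && [ "$(hash_file "$1" sha256)" = "$3" ]
}

# tamper_copy IMAGE COPY -> copies IMAGE to COPY and overwrites its first byte with 0xFF
tamper_copy() {
    cp "$1" "$2"
    printf '\377' | dd of="$2" bs=1 count=1 conv=notrunc 2>/dev/null
}

# make_medium FILE SECTORS -> constructed sample medium: SECTORS x 2048 bytes of 'R'
make_medium() {
    dd if=/dev/zero bs=2048 count="$2" 2>/dev/null | tr '\000' 'R' > "$1"
}

# demo -> 0 when the good image verifies and the tampered copy is rejected
demo() {
    work=$(mktemp -d) || return 1
    make_medium "$work/medium" 16
    acquire_and_verify "$work/medium" "$work/RhinoEvidenceDisk.dd" \
        || { echo "acquisition failed"; return 1; }
    md5=$(hash_file "$work/RhinoEvidenceDisk.dd" md5)
    sha=$(hash_file "$work/RhinoEvidenceDisk.dd" sha256)
    tamper_copy "$work/RhinoEvidenceDisk.dd" "$work/tampered.dd"
    if verify_image "$work/tampered.dd" "$md5" "$sha"; then
        echo "tampering not detected"; return 1
    fi
    echo "image verified; tampered copy rejected"
    rm -rf "$work"
}

demo
```

Two caveats a practitioner would add to the report's procedure. First, hashing alone does not protect the original: the source should be write-blocked before it is ever opened (a hardware write blocker, or on Linux `blockdev --setro` on the device node before dd reads it), because a hash taken after an accidental write only proves the image matches the altered original. Second, MD5 is still adequate for detecting accidental corruption, but collisions can be constructed for it, so recording a second digest such as SHA-256 in the chain of custody form costs nothing and removes that line of challenge.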


2.2 Imaging the USB Memory Stick


Once I had completed imaging the CD, the next task was to do the same for the USB memory stick. Before I made an image file of the USB stick, I had to disable write access to the USB ports on the workstation, as this would prevent any risk of the evidence on the memory stick being tampered with. This was done by editing the registry.

Figure 11 Write protection enabled

To image the USB stick, I used a tool named AccessData FTK Imager. The process of imaging the USB stick was not as long as it was with the CD. I simply created a new disk image from the physical drive the memory stick was inserted in, and the tool generated the MD5 hash of both the original and the imaged data, and they matched, as shown in Figure 12.

Figure 12 USB Memory stick image MD5 match


3. Summary
3.1 Log Book
Time   Event
11:00  Arrived at crime scene
11:02  Interviewed Dr. Qin Zhou to gain understanding of the crime scene and situation
11:14  Took a picture of the front of the crime scene
11:18  Took a picture of the rear of the crime scene
11:19  Found CD case with steganography article
11:25  Removed case to check inside PC, only 1 screw
11:27  No hard drive installed in the PC
11:30  Put the case back on the PC
11:32  Switched PC on
11:35  Removed inserted USB and bagged evidence in anti-static bag
11:36  Found CD in CD drive, seized, bagged and tagged
11:38  Checked BIOS settings, recorded wrong time
11:42  Switched machine off
11:47  Left crime scene


3.2 General Case Intake Form

CASE INTAKE FORM


Details of client
Case#:              #001-122011
Company Name:       DG Forensics Ltd.
Address Line 1:     24 Dilly Dally Street
Address Line 2:     Betchley
Town/City:          Narnia
Postcode:           N4 8FR
Phone:              0144 557 9996
Inquiry date:       02/12/2011
Report given in by: AbdulHasib Osmani

Referral
Name:               Dr. Qin Zhou
Company/Location:   Example University / Kingdom of Example Land
Plaintiff Name(s):  Dr. Qin Zhou
Defendant name(s):  N/A
Other Parties:      N/A
Client type:        Plaintiff
Case Type:          Criminal
Location:           JAG 18, Example University, Kingdom of Example Land
Date of incident:   02/12/2011


3.3 Chain of Custody


Electronic Evidence Chain of Custody Form
Case No: #001-122011                                   Page 1 of 2
Investigating Organisation: DG Forensics Ltd.
Investigator: AbdulHasib Osmani
Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

Electronic Media/Computer Details
Item No:      001
Description:  Flash Memory
Manufacturer: 2GO
Model No:     M2G-PEN-20-2GB
Serial No:    B000VZ4KIM

Image Details
Method Used:  AccessData FTK Imager
Date/Time:    17/02/2012 12:26PM
Created By:   AbdulHasib Osmani
Image Name:   USBMemoryStick
Segments:     No
Storage Drive:
HASH:

Chain of Custody
Tracking No | Date/Time          | From (Name/Org, Signature)            | To (Name/Org, Signature)              | Reason
001         | 13/02/2012 11:00am | Jeremy Guy / Example University       | AbdulHasib Osmani / DG Forensics Ltd  | Seizure of evidence
002         | 13/02/2012 12:10pm | AbdulHasib Osmani / DG Forensics Ltd  | Sherlock Knomes / DG Forensics Ltd    | Store evidence in secured locker
003         | 17/02/2012 12:15pm | Sherlock Knomes / DG Forensics Ltd    | AbdulHasib Osmani / DG Forensics Ltd  | Obtain evidence from locker to image them
004         | 13/02/2012 14:30   | AbdulHasib Osmani / DG Forensics Ltd  | Sherlock Knomes / DG Forensics Ltd    | Return the evidence to secured locker


Electronic Evidence Chain of Custody Form
Case No: #001-122011                                   Page 1 of 2
Investigating Organisation: DG Forensics Ltd.
Investigator: AbdulHasib Osmani
Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land

Electronic Media/Computer Details
Item No:      002
Description:  Storage object
Manufacturer: TDK
Model No:     CD-R80CBA100-B
Serial No:    B00067ID7O

Image Details
Method Used:  Masterkey Linux
Date/Time:    17/02/2012 13:06
Created By:   AbdulHasib Osmani
Image Name:   RhinoEvidenceDisk
Segments:     No
Storage Drive:
HASH:

Chain of Custody
Tracking No | Date/Time          | From (Name/Org, Signature)            | To (Name/Org, Signature)              | Reason
005         | 13/02/2012 11:00am | Jeremy Guy / Example University       | AbdulHasib Osmani / DG Forensics Ltd  | Seizure of evidence
006         | 13/02/2012 12:11pm | AbdulHasib Osmani / DG Forensics Ltd  | Sherlock Knomes / DG Forensics Ltd    | Store evidence in secured locker
007         | 17/02/2012 12:48pm | Sherlock Knomes / DG Forensics Ltd    | AbdulHasib Osmani / DG Forensics Ltd  | Obtain evidence from locker to image them
008         | 13/02/2012 14:30   | AbdulHasib Osmani / DG Forensics Ltd  | Sherlock Knomes / DG Forensics Ltd    | Return the evidence to secured locker


Appendix A Crime Scene

Figure 1 Crime Scene
Figure 2 2GO 2GB USB memory stick
Figure 3 CD Case with article
Figure 4 Exploring Steganography: Seeing the unseen
Figure 5 Rear of the PC
Figure 6 No Hard Disk Drive (HDD)
Figure 7 TDK CD labelled Collection of papers, images.. P.
Figure 8 BIOS Settings
Figure 9 MD5 CD original evidence
Figure 10 MD5 CD image file
Figure 11 Write protection enabled
Figure 12 USB Memory stick image MD5 match

Appendix B Tools Used


1. VirtualBox (http://www.virtualbox.org/)
2. 7-Zip (http://www.7-zip.org/)
3. Adobe Reader (http://get.adobe.com/uk/reader/)
4. FTK 1.81.6 (http://www.accessdata.com/downloads.html)
5. Microsoft Word 2010 (http://office.microsoft.com/en-gb/word/)

