AbdulHasib Osmani
Page | 1
Table of Contents
ABSTRACT ................................................................ 3
OVERVIEW ................................................................ 4
1. Crime scene investigation ............................................ 5
   2.1 Seizing evidence ................................................. 5
   2.2 What evidence was found and seized from the crime scene ......... 10
2. Imaging the evidence ................................................ 11
   2.1 Imaging the CD .................................................. 11
   2.2 Imaging the USB Memory Stick .................................... 13
3. Summary ............................................................. 14
   3.1 Log Book ........................................................ 14
   3.2 General Case Intake Form ........................................ 15
   3.3 Chain of Custody ................................................ 16
Appendix A Crime Scene ................................................. 18
Appendix B Tools Used .................................................. 30
ABSTRACT
I, AbdulHasib Osmani, a computer forensics analyst, was contacted by Example University in the Kingdom of Example Land (KEL) on the 2nd December 2011 regarding an incident which occurred in one of the University's laboratories. The incident was picked up by a network administrator who noticed some illegal rhino traffic and alerted the University's management. The network administrator had linked this incident to a computer which is primarily used by a PhD student. I arrived at the scene where the alleged offence took place on the 13th February 2012 at 11:00 am to acquire any evidence which could help in the investigation. I took a series of photographs of the crime scene and then proceeded to seize the physical evidence and place it in anti-static bags and boxes, i.e. a CD, a CD case with a cover, and the desktop computer, monitor and its peripherals. After leaving the crime scene, I went to the laboratory and placed all the related evidence in protected evidence lockers.
As part of the investigation, I made exact bit copies of the CD and USB memory stick which were seized from the crime scene. I used Masterkey Linux for the CD and AccessData FTK Imager for the USB memory stick. Thereafter, I computed MD5 checksums to confirm that I had made perfect copies of both pieces of evidence. This process needed to be observed properly to make the evidence valid in court. Throughout the procedure, I observed the chain of custody and kept a log of events, which is included in the report.
OVERVIEW
On the 2nd December 2011, I was contacted by Dr. Qin Zhou, a manager at Example University, regarding suspected unlawful usage of the University's equipment to facilitate the possession and distribution of pictures of unique rhinos. After a thorough discussion with the University's management over the phone, I decided to take on the case and investigate this incident. The primary objective of this investigation is to establish whether the University's equipment was used to facilitate the possession and distribution of the unique rhino pictures in excess of the legal limit, which is 8. This report contains a complete analysis of the crime scene and the details of the digital media which was acquired from the crime scene. The first chapter of the report covers the initial phase of the investigation, outlining what was found and what was seized from the scene of the crime. Pictures of the crime scene and evidence are also shown alongside a description of the items. The second chapter of the report explains the imaging procedures and how I went about making exact bit copies of the evidence seized. The final chapter of the report summarises the sequence of events and my findings, and the appendices contain the images, the Chain of Custody, the Case Intake Form and any further information on the evidence obtained.
Figure 1 Crime Scene
There was also a 2GO 2GB USB memory stick inserted into the front USB slot of the PC (Figure 2).
Figure 2 2GO USB Memory Stick
Upon reviewing the area of the crime scene, I also discovered a CD case with an article on steganography inside it, but no CD (Figure 3 & Figure 4).
Upon inspection of the rear of the PC, I realised that only one screw held the cover in place instead of two (Figure 5), which suggests that the cover had been removed and the hardware possibly tampered with.
Only one screw at the bottom of the case is in place; the other screw at the top is missing.
I decided to remove the side cover to see if the hardware inside had been tampered with and discovered that the hard disk drive had been removed (Figure 6).
Figure 6 No hard disk drive (HDD)
After discovering that the HDD had been removed, I put the cover back on and booted the computer to see if the CD was in the CD drive and to check the BIOS settings. I found that the CD was still in the CD drive (Figure 7).
I then checked the BIOS settings and established that the time in the BIOS was incorrect: it was ahead by about 1 hour and 10 minutes (Figure 8).
Time is incorrect
2.2 What evidence was found and seized from the crime scene

Evidence number   Item description                          Serial #
001               Viglen Genie Desktop PC                   #21509852
002               15" TFT monitor                           #21509843
003               Compaq keyboard
004               Black IBM mouse
005               2GO 2GB USB Memory Stick                  B000VZ4KIM
006               TDK CD-R
007               Power cables for PC and monitor
008               CD case with article on steganography
mounting the drive successfully. After that, I changed directory to the target disk's mount point with the shell command # cd /mnt/sdc1. I then ran # md5sum /dev/hdc, which generated the MD5 hash of the original CD evidence: a675cf425ee43622d75b18e0528ad2c7.
The next task was to image the original evidence CD (/dev/hdc) and save it on the target disk's NTFS partition (/mnt/sdc1) as an image file named RhinoEvidenceDisk.dd. Once that had completed, I checked that the image file existed with # ls -l /mnt/sdc1/, and it did. The final thing to be done was an MD5 hash of the image created, to make sure that it was a perfect copy of the original evidence CD. The MD5 hash generated was a675cf425ee43622d75b18e0528ad2c7, exactly the same as the original.
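The CD imaging steps above (hash the source device, copy it to an image file, hash the image and compare) can be scripted so that both hashes are computed and logged in one pass and the comparison is not left to the eye. The script below is an added example written for this page; it is not the report's own procedure or part of the Masterkey Linux tooling. It images with dd and verifies with md5sum and sha256sum, recording SHA-256 next to MD5 because a matching MD5 on its own no longer rules out a deliberately constructed collision. The device path /dev/hdc, the image name RhinoEvidenceDisk.dd and the log file name are placeholders taken from the report; the demonstration runs on a constructed random file standing in for the CD and touches no real device.

```shell
#!/bin/sh
# Added example, not part of the original report: image a source block device
# (or, here, a file standing in for it) with dd and prove the copy is exact by
# hashing source and image. Paths such as /dev/hdc and /mnt/sdc1 are
# placeholders; on a live case read the source only through a hardware write
# blocker or a read-only mount.

hash_file() {
    # Print "md5 sha256" for the file or device given as $1.
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    echo "$md5 $sha"
}

verify_image() {
    # Return 0 when source ($1) and image ($2) hash identically, 1 otherwise.
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    [ "$src_hash" = "$dst_hash" ]
}

image_and_verify() {
    # image_and_verify SOURCE IMAGE LOG: dd SOURCE to IMAGE, hash both, log.
    src=$1; dst=$2; log=$3

    # bs=2048 is the CD-ROM sector size. conv=noerror,sync is deliberately not
    # used: it zero-pads unreadable or short blocks, which is the right choice
    # for damaged media but means the image hash will not match the source.
    dd if="$src" of="$dst" bs=2048 2>/dev/null || return 2

    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    {
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) source $src md5/sha256 $src_hash"
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) image  $dst md5/sha256 $dst_hash"
    } >> "$log"

    if [ "$src_hash" = "$dst_hash" ]; then
        echo "VERIFIED image matches source" >> "$log"
        return 0
    fi
    echo "MISMATCH image differs from source" >> "$log"
    return 1
}

# Stand-alone demonstration on a constructed 1 MiB random file that stands in
# for /dev/hdc; the image and log names mirror the report's but are placeholders.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/evidence.bin" bs=1024 count=1024 2>/dev/null
    image_and_verify "$tmp/evidence.bin" "$tmp/RhinoEvidenceDisk.dd" "$tmp/case.log"
    rc=$?
    cat "$tmp/case.log"
    rm -rf "$tmp"
    return $rc
}

demo
```

Run stand-alone, the script executes demo and prints the two hash lines and the VERIFIED line that a log book or chain-of-custody form would carry. verify_image SOURCE IMAGE re-checks an existing image later without re-imaging. If an image had to be taken with conv=noerror,sync because the medium was failing, it may be zero-padded beyond the source length and its hash will then legitimately differ, so keep dd's block counts in the log alongside the hashes.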
Figure 11 Write protection enabled
To image the USB memory stick, I used a tool named AccessData FTK Imager. The process of imaging the USB stick was not as long as it was for the CD. I simply created a new disk image from the physical drive into which the memory stick was inserted, and the tool generated the MD5 hashes of both the original and the imaged data; they matched, as shown in Figure 12.
3. Summary
3.1 Log Book
Time    Event
11:00   Arrived at crime scene
11:02   Interviewed Dr. Qin Zhou to gain an understanding of the crime scene and situation
11:14   Took a picture of the front of the crime scene
11:18   Took a picture of the rear of the crime scene
11:19   Found CD case with steganography article
11:25   Removed case to check inside PC; only 1 screw
11:27   No hard drive installed in the PC
11:30   Put the case back on the PC
11:32   Switched PC on
11:35   Removed inserted USB and bagged evidence in anti-static bag
11:36   Found CD in CD drive; seized, bagged and tagged
11:38   Checked BIOS settings; recorded wrong time
11:42   Switched machine off
11:47   Left crime scene
3.2 General Case Intake Form
Referral
Name:
Company/Location:
Plaintiff Name(s):
Defendant Name(s):
Other Parties:
Client Type:
Case Type:
Location:
Date of Incident:
3.3 Chain of Custody
Model No: M2G-PEN-2 0-2GB
Image Details
Method Used: AccessData FTK Imager
Storage Drive:
HASH:
Chain of Custody
To:   Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:
From:
002
003
Name/Org: Sherlock Knomes / DG Forensics Ltd   Signature:   Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:
Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:   Name/Org: Sherlock Knomes / DG Forensics Ltd   Signature:
004
Electronic Evidence Chain of Custody Form
Case No: #001-122011   Page 1
Investigating Organisation: DG Forensics Ltd.
Investigator: AbdulHasib Osmani
Location Where Evidence Was Obtained: JAG18, Jaguar Building, Example University, Kingdom of Example Land
Electronic Media/Computer Details
Item No: 002
Description: Storage object of 2
Manufacturer: TDK
Segments: No
Storage Drive:
HASH:
Chain of Custody
To:   Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:
From:
006
007
Name/Org: Sherlock Knomes / DG Forensics Ltd   Signature:   Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:
Name/Org: AbdulHasib Osmani / DG Forensics Ltd   Signature:   Name/Org: Sherlock Knomes / DG Forensics Ltd   Signature:
008