SIT282 - Assignment 2 PDF

Title SIT282 - Assignment 2
Author Anonymous User
Course Computer Crime and Digital Forensics
Institution Deakin University
Pages 17


Bachelor of Cyber Security

SIT282- Computer Crime and Digital Forensics Assignment 2

Prepared By: Thiviyapraneeth Manoharan |BSCP|CS|22|034

Submitted to: Mr. Chanaka Seekkuge Due Date: 25th January 2020

Executive Summary

This report presents a detailed account of the investigative procedures and forensic analysis carried out with regard to the alleged intellectual property theft by an employee of Superior Bicycles Inc. The forensic investigation was conducted on digital evidence belonging to the alleged suspect. Based on a trustworthy piece of initial evidence obtained by the President of the organization, one current employee and one terminated employee, who happens to be a close relative of the former, were suspected of engaging in intellectual property theft. Hence, a USB drive belonging to one of the alleged suspects was confiscated, and the digital forensic investigation was carried out based on the information obtained from the initial evidence provided by the President. After a thorough analysis of the entire drive, all of the images that belong to the organization as its intellectual property were discovered, together with email conversations between the suspects. Hence, the digital evidence pertaining to the alleged offense was uncovered, and legal proceedings can be carried out using it.


Table of Contents

Introduction ... 4
1.0 Analysis ... 6
2.0 Findings ... 16
3.0 Conclusion ... 17
4.0 References ... 17


1.0 Introduction

The investigation was carried out pertaining to an alleged intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, was identified as the cousin of Jim Shu, an employee who had been terminated. Bob Aspen, an external contractor and investor, happened to receive a strange e-mail from Terry Sadler about Jim Shu's new project. Bob forwarded the e-mail to Chris Robinson, the president of Superior Bicycles, to inquire about any special projects that might need capital investment. Chris forwarded the e-mail to the general counsel, Ralph Benson, asking him to investigate it. It was then forwarded to Bob Swartz, asking him to have the IT department look for any e-mails with attachments. After a brief investigation, Bob Swartz found two suspicious e-mails and forwarded them to Chris Robinson. Chris also found a USB drive on the desk assigned to Tom Johnson, which is considered the main piece of physical evidence in the case. The two suspicious emails were analyzed before commencing the investigation, and the investigation was started based on the information derived from them. All the confiscated files were securely stored to be downloaded during the investigation.


E-MAIL 01

E-MAIL 02


2.0 Analysis

The files were downloaded into the directory “Assignment2” and a copy of the files was made in the folder “Copy”. The file permissions were changed to read-only to prevent any modification of the original data during the analysis (Fig 1).

Figure 1

The MD5 hash value of the “C08InChp.exe” file had been determined and stored in a text file during the collection of evidence. Before starting the analysis of the files, the MD5 hash value of the file was calculated using the Ubuntu terminal and compared with the original hash value to confirm the integrity of the data (Fig 2).

Figure 2

To make sure the validation was completely fool-proof, the hash value was re-checked using the online tool “OnlineMD5” (Fig 3).

Figure 3
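The integrity procedure described above (record the MD5 at collection time, set the working copy read-only, recompute and compare before analysis) as an added Python example; this is not part of the original report. The evidence file is a constructed stand-in for C08InChp.exe and the record file is assumed to be in md5sum style, both assumptions.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def make_read_only(path):
    """Drop all write bits, mirroring the report's read-only step; True if the owner bit is gone."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return not (os.stat(path).st_mode & stat.S_IWUSR)

def verify_against_record(path, record_path, algorithm="md5"):
    """Compare the current digest with the one recorded at collection time.
    Assumes an md5sum-style record line: '<hexdigest>  <filename>'."""
    expected = Path(record_path).read_text().split()[0].lower()
    actual = file_digest(path, algorithm)
    return actual == expected, actual, expected

def demo(base_dir=None):
    """Run the whole procedure on constructed data.
    Returns (protected, verified, tampered_copy_verified)."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="sit282_"))
    evidence = base / "C08InChp.exe"            # constructed stand-in, not the case file
    evidence.write_bytes(b"MZ" + bytes(range(256)) * 4)
    record = base / "C08InChp.exe.md5"          # written at "collection time"
    record.write_text(f"{file_digest(evidence)}  {evidence.name}\n")
    protected = make_read_only(evidence)
    verified, _, _ = verify_against_record(evidence, record)
    # A single appended byte must break the match against the recorded hash.
    tampered = base / "C08InChp_tampered.exe"
    tampered.write_bytes(evidence.read_bytes() + b"\x00")
    tampered_ok, _, _ = verify_against_record(tampered, record)
    return protected, verified, tampered_ok

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```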


The analysis was initially started on the PST file named “Jim_shus.pst”. PST files are data files created by Microsoft Outlook and are used to store messages and several other items. To view the PST file contents, the mail client “Evolution” was installed using the Ubuntu terminal. Then the client was launched and the PST file was selected for import (Fig 4 and Fig 5).

Figure 4

Figure 5

All the folders and different types of data files were imported (Fig 6).

Figure 6


Multiple emails were found in the folders Inbox, Sent Items and Deleted Items. By going through all the emails, it was confirmed that the alleged suspects Tom Johnson and Jim Shu had been exchanging messages related to the intellectual property theft (Fig 7).

Figure 7

No other solid evidence was found in the emails except for two suspicious attachments in the Deleted Items folder. One file was named “AC19.gpj” and was accompanied by a message asking to rename the file with the extension JPG. It was exported with the correct extension and saved in the work folder for future analysis. Another file named “Tubing_materials.rtf” was also found and exported to the same folder (Fig 8, Fig 9 and Fig 10).

Figure 8


Figure 9

Figure 10

The investigation then shifted to the next file, “C08InChp.exe”. As it was a Windows executable, it was opened using Wine, which allows Windows programs to be run on Linux machines. The file was found to be an archive file (Fig 11).

Figure 11


A disk image file named “C08InChp.dd” was discovered inside the archive and it was extracted into the work folder (Fig 12).

Figure 12

The file permissions were changed to read-only before the analysis, and its hash value was calculated as well. The file system was found to be FAT12 (Fig 13).

Figure 13
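How a FAT volume's type is established from the first sector of a raw image (the cluster-count rule from Microsoft's FAT specification), as an added Python example that is not from the report. The boot sector it parses is constructed with 1.44 MB floppy geometry, not taken from the actual C08InChp.dd.

```python
import struct

# Cluster-count thresholds from the Microsoft FAT specification.
FAT12_MAX_CLUSTERS = 4085
FAT16_MAX_CLUSTERS = 65525

def parse_bpb(boot_sector):
    """Pull the BIOS Parameter Block fields needed to classify the volume."""
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a FAT boot sector")
    # Offsets 11..23: bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors (16-bit), media byte, sectors per FAT (16-bit).
    bps, spc, reserved, num_fats, root_entries, total16, _media, fat16 = \
        struct.unpack_from("<HBHBHHBH", boot_sector, 11)
    total32, fat32 = struct.unpack_from("<II", boot_sector, 32)   # 32-bit fallbacks
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": num_fats, "root_entries": root_entries,
            "total_sectors": total16 or total32, "fat_size": fat16 or fat32}

def count_clusters(bpb):
    """Data clusters = (total - reserved - FATs - root directory) / sectors per cluster."""
    bps = bpb["bytes_per_sector"]
    root_dir_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_sectors = bpb["total_sectors"] - (
        bpb["reserved"] + bpb["num_fats"] * bpb["fat_size"] + root_dir_sectors)
    return data_sectors // bpb["sectors_per_cluster"]

def fat_type(boot_sector):
    """Classify by cluster count; the type is never decided by the label string."""
    clusters = count_clusters(parse_bpb(boot_sector))
    if clusters < FAT12_MAX_CLUSTERS:
        return "FAT12"
    return "FAT16" if clusters < FAT16_MAX_CLUSTERS else "FAT32"

def build_boot_sector(total_sectors=2880, sectors_per_cluster=1, root_entries=224, fat_size=9):
    """Construct a boot sector for testing (defaults: 1.44 MB floppy geometry)."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"                         # jump instruction
    struct.pack_into("<HBHBHHBH", sector, 11, 512, sectors_per_cluster, 1, 2, root_entries,
                     total_sectors if total_sectors < 65536 else 0, 0xF0, fat_size)
    if total_sectors >= 65536:
        struct.pack_into("<I", sector, 32, total_sectors)   # large volumes use the 32-bit field
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def identify_image(path):
    """Read the first sector of a raw .dd image and report its FAT type."""
    with open(path, "rb") as f:
        return fat_type(f.read(512))
```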

Then the Autopsy web application was launched from the terminal and was accessed using the given URL (Fig 14).

Figure 14

A new case was created for this particular investigation (Fig 15).

Figure 15


The disk image file was specified using its location path (Fig 16).

Figure 16

The type of the image file was given as Volume Image (Fig 17).

Figure 17

Then the image file was added and opened for analysis (Fig 18 and Fig 19).

Figure 18


Figure 19

The disk image consisted of 7 directories and 3 volumes, but the directory named “Vacation_Pictures” seemed to be the most important, as the previously analyzed emails contained information regarding some smuggled pictures (Fig 20).

Figure 20

When the other directories were analyzed, no suspicious data related to the investigation was found. Most of the files in those directories were empty or contained unrelated random data (Fig 21, Fig 22 and Fig 23).

Figure 21


Figure 22

Figure 23

Then the analysis moved to the final folder, “Vacation_Pictures”. It was found to contain three files with EXE extensions (Fig 24).

Figure 24


The hex values of the files were inspected and it was observed that the files had very similar, yet altered, headers. This confirmed that these files were highly likely to be the images with altered hex values mentioned in the email conversations (Fig 25).

Figure 25

The three files were exported into the work folder for further analysis (Fig 26).

Figure 26

It was identified that the hex values of the files had to be modified as described by Tom Johnson in his email to Jim Shu. The hex editor HxD, which runs on Windows, was downloaded, installed using Wine and launched using Wine as well. The headers of all the exported files were edited using HxD to the proper JPG header as mentioned in the email (Fig 27, Fig 28 and Fig 29).

Figure 27


Figure 28

Figure 29
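The header triage and repair just described, as an added Python example that is not part of the report: it classifies exported files by their magic bytes regardless of extension (covering both the “.gpj” rename and the EXE-named images), then writes a repaired copy with the JPEG start-of-image marker while leaving the original untouched and recording both hashes. The sample files are constructed; the actual altered bytes quoted in the case emails are not on this page, so the example assumes only the first three bytes were overwritten.

```python
import hashlib
import tempfile
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # every JPEG starts with the SOI marker followed by a segment marker

def looks_like_disguised_jpeg(head):
    """Wrong magic bytes, but the JFIF/Exif identifier sits exactly where a JPEG keeps it
    (offset 6): only the header was altered, the body is still a JPEG."""
    return head[:3] != JPEG_SOI and head[6:10] in (b"JFIF", b"Exif")

def triage(folder):
    """Classify each file by content, ignoring its extension."""
    report = {}
    for path in sorted(Path(folder).iterdir()):
        with path.open("rb") as f:
            head = f.read(16)
        if head[:3] == JPEG_SOI:
            report[path.name] = "jpeg"
        elif looks_like_disguised_jpeg(head):
            report[path.name] = "jpeg-altered-header"
        elif head[:2] == b"MZ":
            report[path.name] = "pe-executable"
        else:
            report[path.name] = "unknown"
    return report

def repair_copy(src, dst):
    """Write a copy whose first three bytes are reset to the SOI marker; the source is never
    modified. Returns (md5 of original, md5 of repaired copy) for the case notes."""
    data = Path(src).read_bytes()
    fixed = JPEG_SOI + data[3:]
    Path(dst).write_bytes(fixed)
    return hashlib.md5(data).hexdigest(), hashlib.md5(fixed).hexdigest()

def demo(base_dir=None):
    """Constructed Vacation_Pictures folder: one disguised JPEG, one genuine executable.
    Returns (triage before repair, triage after repair, hashes differ)."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="vacation_"))
    # Minimal constructed JPEG: SOI, APP0 segment carrying the JFIF identifier, padding, EOI.
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + bytes(32) + b"\xff\xd9"
    (base / "pic1.exe").write_bytes(b"\x00\x00\x00" + jpeg[3:])   # header overwritten
    (base / "tool.exe").write_bytes(b"MZ" + bytes(62))
    before = triage(base)
    orig_md5, fixed_md5 = repair_copy(base / "pic1.exe", base / "pic1_repaired.jpg")
    after = triage(base)
    return before, after, orig_md5 != fixed_md5
```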


3.0 Findings

After successfully editing the headers, all three files were opened and it was found that the smuggled images were in fact intellectual property owned by Superior Bicycles, Inc (Fig 30, Fig 31 and Fig 32).

Figure 30

Figure 31

Figure 32

4.0 Conclusion

Based on the findings of this impartial investigation, it can be concluded that the alleged suspects have been proven guilty and have engaged in intellectual property theft. Further legal proceedings can be carried out based on these findings.

5.0 References
