sample-windows investigation

Final: WK8 Course Name: CYB624 Professor: Tony DeSarro Date: 10/17/2014 Examiner Name: Raymond Gonzales


Page 1: SAMPLE-Windows Investigation

Final: WK8
Course Name: CYB624
Professor: Tony DeSarro
Date: 10/17/2014
Examiner Name: Raymond Gonzales


Table of Contents

List of Illustrative Materials ........ 3
  Tables ........ 3
  Figures ........ 3
Executive Summary ........ 4
  Background ........ 4
  Request ........ 4
  Summary of Findings ........ 4
  Evidence ........ 5
Collection and Analysis ........ 6
  Collection ........ 6
  Analysis ........ 6
Conclusion ........ 12
Appendix ........ 13
  Appendix A: Examiner Workstation Specifications ........ 13
  Appendix B: Tools ........ 14
  Appendix C: Evidence Verification ........ 15

Page 2 of 15


List of Illustrative Materials

Tables

Table 1: Case evidence items ........ 5
Table 2: Suspect’s timeline of suspicious Internet browsing activities ........ 7
Table 3: Evidence verification table ........ 16

Figures

Figure 1: Processed Internet Browsing Records ........ 7
Figure 2: Mountain Standard Time (UTC -7) ........ 7
Figure 3: Fully Expanded Yahoo Folder Tree ........ 8
Figure 4: Retrieved Yahoo IM Conversation ........ 8
Figure 5: Unusual Discoloration within the Eagle Image ........ 9
Figure 6: Hidden message within the .gif file ........ 9
Figure 7: Shipment Information within the locked BillsFile.doc file ........ 10
Figure 8: Packet of Sea-Monkeys ........ 11
Figure 9: Sea-Monkey Aquarium ........ 11


Executive Summary

Background

Law enforcement officials, acting on a tip, opened an investigation into the illegal smuggling of wild animals into the country. A search of several boxes recently shipped to the suspect's house revealed toys and statues, but no evidence of animals. The suspect does not own a computer, but a USB drive in his possession was seized. A search of a P.O. Box used by the suspect yielded a scrap of paper with the words “in the eagles” on it. The D.A. requested that a copy of the contents of the USB drive be placed in a zip file and made available for download via the Engage website.

Request

The District Attorney (D.A.), Miguel Prado, has requested that the examiner analyze the contents of the suspect’s imaged USB drive for evidence connecting the suspect to the illegal smuggling of wild animals into the country. The D.A. is interested in evidence establishing: the animals being smuggled into the country; where the cargo was hidden; where the containers were purchased; the exact date, time, and time zone when the containers were purchased; the seller’s EBay user account name; any chat sessions between the seller and the buyer; and any evidence proving that the digital data was altered or destroyed by the user. The D.A. has also requested that the examiner provide a recommended plan forward for identifying the true identity of the EBay seller.

Summary of Findings

As requested by the D.A., the examiner performed a forensic analysis of the files contained within the suspect’s USB image. Using various forensic methods and tools, the examiner was able to identify the evidence requested by the District Attorney.

The examiner identified that the suspect visited the EBay website on 4/25/2007 at 9:17 AM MST and purchased a set of NFL Eagles bobble heads from a seller who goes by the EBay user ID “psa-looker.” Within the files on the USB image the examiner located a conversation that occurred on 4/26/2007 between the suspect and the seller about the status of the order and how the suspect could locate the order details. The examiner analyzed the remaining files within the USB image and identified that Sea Monkeys were the animals being smuggled inside the bobble heads purchased from the EBay website. No actual evidence was found on the suspect’s USB image connecting the suspect to the altering or destroying of any digital data on the USB device. However, the examiner located suspicious browsing activity on a website named “Metasploit” and a suspicious .exe file named “timestomp” on the suspect’s USB image. Timestomp.exe is a known tool used by penetration testers and hackers to conceal their actions from digital forensic investigators by altering the MAC (modified, accessed, created) dates and times of files on a system.


The examiner recommends that the EBay user account of the suspect be confiscated by the FBI in order to set up a sting operation that will expose the real identity of “psa-looker.” With the assistance of the forensic investigator, the FBI can use the suspect’s EBay account to interact with the seller and gather further intelligence on the seller. With proper coordination between both parties, the identity of “psa-looker” can be revealed and the criminal brought to justice.

Evidence

Table 1 outlines the evidence items of this case.

Description         Designation         Filename                                MD5 Hash
Evidence Provided   Preservation Copy   CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603
Evidence Created    Working Copy        CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603
Evidence Examined   Working Copy        CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603

Table 1: Case evidence items


Collection and Analysis

Collection

On 10/17/2014, a file named “CYB624-WK8-Final_Assignment_Files.zip” was provided to the examiner for analysis via the Engage website. The examiner downloaded and saved the file CYB624-WK8-Final_Assignment_Files.zip onto a formatted external storage device, a Maxtor OneTouch 4 Mini (SN: 2HASD0QQ), and designated this storage device as the preservation copy. The examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the preservation copy drive using WinMD5 v1.20 and confirmed that the hash value matched the MD5 hash value provided on the Engage website.

Using the copy-and-paste function in Windows, the examiner copied the CYB624-WK8-Final_Assignment_Files.zip file from the preservation copy drive onto the desktop of a Toshiba Satellite C55-B (SN: 6E095367P), and designated this storage device as the working copy. With write protection enabled, the examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the examiner’s machine using WinMD5 v1.20 and confirmed that the hash values of the preservation and working copies matched.
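The hash checks described above, and repeated after analysis in Appendix C, can be scripted so that each comparison is recorded rather than eyeballed. The following is an added example and not part of the report or its tooling: the preservation and working copies are constructed in a temporary directory, hashlib stands in for WinMD5, and the "provided" hash is taken from the constructed preservation copy.

```python
"""Pre-/post-analysis MD5 verification of a preservation copy and a working
copy, mirroring the Collection section and Appendix C of this report.
Added example with constructed sample files; hashlib replaces the WinMD5
tool named in the report."""
import hashlib
import os
import shutil
import tempfile


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 and return the upper-case hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify_copies(preservation: str, working: str, provided_md5: str) -> dict:
    """Hash both copies; report whether the preservation copy matches the
    hash supplied with the evidence and whether the working copy still
    matches the preservation copy (the check that is repeated after analysis)."""
    pres, work = md5_file(preservation), md5_file(working)
    return {
        "preservation_md5": pres,
        "working_md5": work,
        "preservation_matches_provided": pres == provided_md5.upper(),
        "working_matches_preservation": work == pres,
    }


def demo() -> tuple:
    """Build constructed copies, verify before 'analysis', then simulate an
    accidental write to the working copy and verify again."""
    with tempfile.TemporaryDirectory() as d:
        pres = os.path.join(d, "preservation", "CYB624-WK8-Final_Assignment_Files.zip")
        work = os.path.join(d, "working", "CYB624-WK8-Final_Assignment_Files.zip")
        os.makedirs(os.path.dirname(pres))
        os.makedirs(os.path.dirname(work))
        with open(pres, "wb") as f:
            # Constructed content; this is not the evidence zip from the report.
            f.write(b"constructed sample bytes, not the evidence zip\n" * 1000)
        provided = md5_file(pres)      # stands in for the hash published with the evidence
        shutil.copyfile(pres, work)    # the examiner's copy step
        pre_analysis = verify_copies(pres, work, provided)
        with open(work, "ab") as f:    # simulate write protection NOT being honoured
            f.write(b"\x00")
        post_analysis = verify_copies(pres, work, provided)
        return pre_analysis, post_analysis


if __name__ == "__main__":
    pre, post = demo()
    print("pre-analysis :", pre)
    print("post-analysis:", post)
```

A post-analysis mismatch on the working copy, with the preservation copy still matching the provided hash, is the signal that the analysis touched the evidence and the working copy must be recreated from the preservation copy.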

Analysis

With write protection enabled, the working copy (CYB624-WK8-Final_Assignment_Files.zip) on the examiner’s machine was used for forensic analysis. The CYB624-WK8-Final_Assignment_Files.zip was opened on the examiner’s machine and a folder named “CYB624-WK8-Final_Assignment_Files” was created on the desktop of the examiner’s machine. The directory and files within the CYB624-WK8-Final_Assignment_Files.zip were then exported into the CYB624-WK8-Final_Assignment_Files folder.

The examiner opened the desktop folder CYB624-WK8-Final_Assignment_Files in order to verify that all of the evidence was successfully transferred from the .zip file into the specified folder. The examiner noticed that two evidence files, Thumbs.db and timestomp.exe, were not visible within the CYB624-WK8-Final_Assignment_Files folder. The examiner opened the Control Panel on the examiner’s machine, navigated to Folder Options, selected “show hidden files, folders, and drives” and deselected “hide protected operating system files” in order to display the remaining evidence files.

The D.A. requested that the examiner analyze the suspect’s USB files for evidence confirming what kind of containers were being used to smuggle the animals and identifying where these containers were purchased. The D.A. is interested in knowing the exact date, time, and time zone at which the suspect purchased the containers from the vendor. The examiner opened Net Analysis v1.57, loaded the directory folder “PortableApps” into the tool, and instructed the tool to search the entire directory for all Internet browsing history files.


The Net Analysis tool located the only browsing history file within the PortableApps directory and began to process the information, as seen in figure 1.

Figure 1: Processed Internet Browsing Records

Once the data was processed, the Net Analysis tool displayed the Internet browsing history of the suspect. Using the capabilities of the Net Analysis tool, the examiner identified the suspect’s time zone as UTC -7, or Mountain Standard Time (MST), as seen in figure 2.

Figure 2: Mountain Standard Time (UTC -7)

Using the sorting and filtering capabilities of the Net Analysis tool, the examiner ordered the Internet browsing history by date and time in descending order. The examiner then analyzed the suspect’s Internet browsing history line by line in order to create a timeline of suspicious activities performed by the suspect and to locate the specific purchasing information requested by the District Attorney.

Table 2 outlines the suspect’s timeline of suspicious Internet browsing activities (columns: Date, Time, Activity, Notes).

Date: 4/25/2007   Time: 8:42 AM MST
  Activity: Suspect first accesses the EBay website.
  Notes: (none)

Date: 4/25/2007   Time: 9:07-9:09 AM MST
  Activity: The suspect accesses the Metasploit website and performs research on the anti-forensic tool timestomp.exe.
  Notes: Timestomp.exe was one of the identified files on the suspect’s USB.

Date: 4/25/2007   Time: 9:17 AM MST
  Activity: The suspect’s last browsing activities consist of browsing the EBay website and purchasing a Donovan McNabb road player set figure sold by the EBay seller “psa-looker”.
  Notes: The item browsed, the EBay seller ID, and the purchase information are all identified within the string of Internet browsing data.

Table 2: Suspect’s timeline of suspicious Internet browsing activities


The examiner was requested by the D.A. to examine the suspect’s USB files for any saved Yahoo chat conversations that the suspect may have stored on the USB. If Yahoo chat conversations were discovered on the suspect’s USB, the D.A. is interested in knowing what was said in those conversations. The examiner opened the Forensic Tool Kit (FTK) v1.81.5 Demo tool and created a new case titled “CYB624_Wk8/ Case 008” for processing the data located in the Yahoo folder. The examiner configured the FTK tool to process the data for: MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports. The examiner loaded the Yahoo folder as evidence into the FTK tool and processed the Yahoo folder’s data. Once the Yahoo data was processed by the FTK tool, the examiner began his analysis of the processed data. The examiner fully expanded the directory tree of the Yahoo folder within the FTK tool in order to reach the processed data located in the folder titled “exoticnillegal”, as seen in figure 3.

Figure 3: Fully Expanded Yahoo Folder Tree

Contained within the “exoticnillegal” folder was a file holding the saved data of a Yahoo IM conversation that occurred on 4/26/2007 between the seller and the suspect, as seen below in figure 4.

Figure 4: Retrieved Yahoo IM Conversation

The Yahoo IM conversation between the suspect (uc356z) and the seller (psa-looker) consisted of the seller sending pictures to the suspect confirming the purchase order of the illegal animals from the seller. The seller explained to the suspect that the suspect would be receiving two files from the seller. One file would contain the details of the shipment and the other file would contain a key that would unlock the protected document. The seller provided the suspect with the hint that the key would be located “in the eagle.”

Using the information gained from the Yahoo IM conversation, the examiner opened the .gif file titled “Birds2” located on the image of the suspect’s USB. The Bird2.gif file contained an image of a bald eagle with some unusual discoloration within the image, as seen in figure 5.

Figure 5: Unusual Discoloration within the Eagle Image

Slight abnormalities in colors and pixelation in an image are usually signs that the raw data of the image has been modified from its original state. The examiner opened the WinHex v17.9 tool on the examiner’s machine in order to further investigate the suspicious .gif image. Within the ASCII column of the hex editor the examiner identified the hidden message “password Imabadguy”, as seen in figure 6 below. The raw data of the .gif file had been altered from hex offset 240 through hex offset 251 in order to insert the hidden key.

Figure 6: Hidden message within the .gif file
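The manual inspection described above, reading the ASCII column of a hex editor for text that does not belong in compressed image data, can be automated as a triage check over the file's data region. The following is an added example, not the report's tooling or evidence: the GIF bytes are constructed in code (GIF header, non-printable filler, and an 18-byte string overwritten at offset 0x240, the layout the report describes), and the scanner reports every printable-ASCII run of at least eight bytes with its start and end offsets.

```python
"""Locate printable-ASCII runs overwritten into the data region of a GIF.

Added example: it reproduces in code the check the report performed by eye
in WinHex, where "password Imabadguy" was found at hex offsets 240-251.
The GIF below is constructed for the demo and is not the evidence file."""

PRINTABLE = set(range(0x20, 0x7F))          # space through '~'
GIF_HEADER_LEN = 13                         # 6-byte signature + 7-byte logical screen descriptor


def find_ascii_runs(data: bytes, min_len: int = 8, skip: int = GIF_HEADER_LEN):
    """Return [(start_offset, end_offset_inclusive, text), ...] for each run of
    at least `min_len` printable bytes after the header. Legitimate LZW image
    data is close to random, so long readable runs are worth a look."""
    runs = []
    start = None
    for off in range(skip, len(data)):
        if data[off] in PRINTABLE:
            if start is None:
                start = off
        else:
            if start is not None and off - start >= min_len:
                runs.append((start, off - 1, data[start:off].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:   # run reaching end of file
        runs.append((start, len(data) - 1, data[start:].decode("ascii")))
    return runs


def build_sample_gif(hidden: bytes = b"password Imabadguy", at: int = 0x240) -> bytes:
    """Construct a GIF-shaped byte string: header, non-printable filler, the
    hidden string overwritten at absolute offset `at`, more filler, trailer."""
    header = (b"GIF89a"
              + (64).to_bytes(2, "little") + (64).to_bytes(2, "little")  # width, height
              + b"\xf7\x00\x00")                                          # GCT flags, bg, aspect
    assert len(header) == GIF_HEADER_LEN
    body = bytearray(0x80 + (i % 0x7F) for i in range(0x400))   # values 0x80..0xFE, never printable
    pos = at - len(header)
    body[pos:pos + len(hidden)] = hidden
    return header + bytes(body) + b"\x3b"                        # 0x3B is the GIF trailer


def format_report(runs) -> str:
    """One line per run, in the offset style a hex editor shows."""
    return "\n".join(f"0x{s:04X}-0x{e:04X} ({e - s + 1} bytes): {t!r}" for s, e, t in runs)


if __name__ == "__main__":
    gif = build_sample_gif()
    print(format_report(find_ascii_runs(gif)))   # 0x0240-0x0251 (18 bytes): 'password Imabadguy'
```

On a real file the hits still need human review; short text is also found legitimately in GIF comment and application extension blocks, so a hit inside image data carries more weight than one inside an extension.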


Having found the hidden password within the .gif file of the eagle, the examiner opened the .doc file titled “BillsFile.” As expected, when attempting to open the document a pop-up window appeared asking for the password. The examiner entered the extracted password “Imabadguy” into the pop-up window and the file opened. The password-locked document contained a note saying, “Your order shipped today via FedEx. You will find the cargo inside the items below.” An image of a set of Philadelphia Eagles bobble heads was attached within the file along with the seller’s EBay user ID (psa-looker), as seen in figure 7 below.

Figure 7: Shipment Information within the locked BillsFile.doc file

The examiner then analyzed the last remaining files within the suspect’s USB drive image. The suspect’s file titled “Thumbs.db” is a database file that contains information about images that were downloaded by the suspect. The examiner opened the Forensic Tool Kit (FTK) v1.81.5 Demo tool and created a new case titled “CYB624_Wk8/ Thumbs” for processing the data located in the Thumbs.db file. The examiner configured the FTK tool to process the data for: MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports. The examiner loaded the Thumbs.db file into the FTK tool and processed it. Once the Thumbs.db file was processed by the FTK tool, the examiner analyzed the processed data. The examiner extracted three images from the processed Thumbs.db file, one of them being the Bird2.gif. The remaining images extracted from the .db file were the files sent to the buyer by the seller per their Yahoo IM conversation. The images below in figures 8 and 9 identify that the illegal animals being shipped in the Philadelphia Eagles bobble heads are Sea-Monkeys.

Figure 8: Packet of Sea-Monkeys

Figure 9: Sea-Monkey Aquarium

The D.A. requested that the examiner provide evidence confirming or denying the suspicion that the suspect may have altered or deleted digital evidence on the USB device. Throughout the entire forensic investigation of the suspect’s USB device, the examiner was only able to identify suspicious behaviors within the suspect’s USB files. The examiner identified that the suspect had the anti-forensic tool timestomp.exe saved on the USB device. Timestomp is a known anti-forensic tool, used primarily by penetration testers and hackers to mask the changes they make to a system. The next suspicious behavior found on the suspect’s USB was discovered during the analysis of the suspect’s browsing history. The examiner identified that the suspect had visited the Metasploit website and had researched the anti-forensic tool timestomp. Neither of these suspicious activities provides solid evidence that the suspect altered or deleted digital evidence on the USB device.

Lastly, the examiner was requested by the D.A. to provide a recommended plan of action for identifying the true identity of psa-looker. The examiner recommends that a team consisting of the FBI and a group of forensic investigators work together in a joint effort to identify psa-looker and bring the criminal to justice. The examiner recommends that the EBay user account of the suspect be confiscated by this joint task force and that a plan be made to perform a sting operation that will expose the real identity of psa-looker. With the FBI and the forensic team working together, a methodical and tactical plan consisting of controlled interactions from the suspect’s account can yield intelligence on the real identity of psa-looker and ultimately bring the criminal to justice.


Conclusion

Miguel Prado, the District Attorney, has requested that the examiner analyze the imaged files of the suspect’s USB device and identify evidence connecting the suspect to the illegal smuggling of exotic animals into the country. The D.A. is interested in specific details relating to: what animals are being smuggled into the country; where the animals are being hidden; where the containers for the illegal animals are being purchased; the seller’s EBay user account name; the exact date, time, and time zone at which the containers were purchased; evidence of any Yahoo conversations; and any evidence that the digital data has been altered or destroyed by the user. The D.A. also requested that the examiner provide recommendations on how the true identity of the seller can be discovered.

The examiner analyzed the USB files using a variety of forensic investigation techniques and tools throughout the investigation. The examiner identified evidence showing that the suspect used the EBay website to purchase a Donovan McNabb NFL Eagles Road-Player Set bobble head doll from a seller who goes by the EBay user account “psa-looker” on 4/25/2007 at 9:17 AM (UTC -7, or MST). Further, the evidence shows that the bobble head containers purchased on EBay from “psa-looker” were to be used to smuggle Sea-Monkeys into the country. The USB data from the Yahoo folder provided a previous Yahoo IM conversation between the buyer and the seller discussing the details of the shipment. Images of the Sea Monkeys were sent to the buyer in that Yahoo IM conversation in order to confirm the suspect’s purchase. Throughout the entire forensic investigation of the suspect’s USB device, the examiner was only able to identify suspicious activities relating to the altering or deleting of data on the USB device. The examiner was never able to identify any actual evidence proving that the suspect had altered or deleted digital data from the USB device. The examiner recommends to the D.A. that a joint operation be conducted between the forensic investigators and law enforcement in order to develop a plan to identify the true identity of psa-looker and bring the criminal to justice.


Appendix

Appendix A: Examiner Workstation Specifications

Computer Name: SonGoku
Operating System (OS) Name: Windows
OS Version: Windows 8.1
System Make/Model: Toshiba Satellite C55-B
System Serial Number: 6E095367P
Time Zone of Examiner Machine: Pacific Standard Time (PST)


Appendix B: Tools

WinMD5Free v1.20
WinHex v17.9
FTK v1.81.5
Net Analysis v1.57


Appendix C: Evidence Verification

Table 3 outlines the hashes obtained throughout the evidence verification process. WinMD5 v1.20 was used to calculate MD5 hashes.

PRE-ANALYSIS

Designation         Filename                                MD5 Hash                           Description
Preservation Copy   CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603   Image file of suspect’s USB device. Downloaded from Engage.
Working Copy        CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603   Working Copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.

POST-ANALYSIS

Designation         Filename                                MD5 Hash                           Description
Preservation Copy   CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603   Image file of suspect’s USB device. Downloaded from Engage.
Working Copy        CYB624-WK8-Final_Assignment_Files.zip   4864D6EDC2309692CAF9DB101961A603   Working Copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.

Table 3: Evidence verification table
