You Are Given a Copy of a Computer Hard Drive in VMDK Format and a Mobile Phone Disk Image in dd Format: Digital Forensics Case Study, UOB, UK
University: University of Birmingham (UOB)
You are given a copy of a computer hard drive in VMDK format and a mobile phone disk image in dd format. You are also given some other relevant files and information. You will have to examine the hard disk and the mobile image using a number of different forensic techniques. You may use any software you like to perform the examination. EnCase is suitable for the hard drive investigation, and Cellebrite is suitable for the mobile phone. You should use EnCase and Cellebrite reports or screenshots to support your arguments and explanations.
Each examination task relates to a different case and would normally require the examination of a different disk. However, for simplicity, you are given fabricated evidence for all cases on a single disk. You should therefore use your own judgment about whether to report on the evidence if you find evidence relating to one case when you perform a procedure relating to a different case. You need not report on evidence relating to the alternative case.
The report is an individual report. You may discuss with others how to use EnCase and Cellebrite, or how to perform standard digital forensic procedures, but you should not tell anyone else how or where you found evidence. You should not discuss with anyone else what you think of the significance of the evidence. If students are found to have cheated by copying or collaborating, action will be taken against them.
This assessment requires the use of VMWare Horizon Remote Desktop to start a remote session on one of the Lab machines with Forensics Software installed. If you prefer to go to the lab in person, that is also acceptable providing you remain Covid-safe.
Make sure that you save your EnCase or Cellebrite Case Files to some permanent storage before you close your Horizon session, otherwise, you will lose all your work. You can use your personal space on ACESVMSTORE to save the Case files.
Copy the file “Assessment 2020 Sem 1.vmdk” from the ACES VM store to your physical machine (University Desktop). Attach this disk to the Forensic Virtual Machine and add the evidence as a local disk. Alternatively, you can copy the .vmdk file into your virtual machine and add the evidence as an Evidence File.
This VMDK is the hard disk to examine for all cases. Note that this is a Windows 7 disk image and is approximately 10 GB in size. It takes about 10 minutes to “Acquire” and about 20 minutes to process on a powerful SHU Lab machine, depending on the options you choose for processing.
Copy the file “GalaxyNexusArias-dm0.dd” as the Mobile Phone image to examine using Cellebrite. You will need to copy this into the Virtual Machine file store.
Copy the file “Student Files.zip” into your Forensic Virtual Machine. This contains additional information you will need for some cases.
A boy who sent a naked photograph of himself to a girl at school has had the crime of making and distributing indecent images recorded against him by police, the BBC has learned.
The boy, aged 14, who was not arrested or charged, could have his name stored on a police database for 10 years.
The information could also be disclosed to future employers, his mother said.
Police said three children were named in a crime report, but it was not in the public interest to prosecute.
The Criminal Bar Association said the case highlighted the dangers of needlessly criminalizing children.
The schoolboy, who lives in the north of England, told BBC Radio 4’s Today Programme he took the naked photo of himself in his own bedroom.
He then sent it to a girl from his school using Snapchat – an app that deletes direct messages within 10 seconds.
However, before the image disappeared, the girl saved it on her own phone and it was then sent to other pupils at the school.
In this exercise, we are using fake names as shown below:
- The pupil who took a naked photograph of himself is David Michaels.
- The girl he sent the image to using Snapchat is Sophie Stated.
- Another pupil at the same school under investigation is Mark Deman.
You are asked to determine whether the image was stored on the computer of Mark Deman. Mark denies any knowledge of the photo. Since the image is an indecent image of a minor, possession of copies of this image may be considered a crime. You have been given the following items:
- A hash library containing a hash of the original image taken from Snapchat on the mobile belonging to Sophie Stated.
- A copy of a second image also sent to Sophie Stated by David Michaels. The actual images are not used in this case; substitute images of Michelangelo’s “David”, which are not considered indecent, are used instead.
- A copy of the hard disk drive of the computer belonging to Mark Deman.
- The hash Library provided in the file “Case1\Hash Library.zip” contains a hash of the image you need to find. Import this hash library so that you can use it to search your evidence.
- Add the hash of the second image “full-front.jpg” to your hash library.
- Use the hash library to determine whether the substitute “indecent” images exist on the computer disk of Mark Deman.
- Produce a report using Word, EnCase, and/or other tools showing your activities and findings.
- Assess the significance of any evidence you find and the possible outcome.
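A hash-library search of the kind Case 1 asks for, written here as an added Python example; it is not part of the assignment and is not EnCase's own code. The two "images", the file listing and therefore every hash value are constructed inside the script (the real values come from the case's "Hash Library.zip"), and the library keeps both MD5 and SHA-1 because hash sets from different sources carry either.

```python
import hashlib

# Constructed stand-ins for the two images. The real case uses substitute pictures
# of Michelangelo's "David"; here the content is arbitrary bytes, so the hashes
# are NOT the values from the assignment's "Case1\Hash Library.zip".
ORIGINAL_IMAGE = b"\xff\xd8\xff\xe0" + b"constructed-snapchat-image-" * 64 + b"\xff\xd9"
FULL_FRONT_JPG = b"\xff\xd8\xff\xe0" + b"constructed-second-image-" * 64 + b"\xff\xd9"


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 of the content; both are computed because hash sets from
    different sources may list either algorithm."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def add_to_library(library: dict, label: str, data: bytes) -> dict:
    """The library maps a hex digest to (algorithm, label), so a lookup during the
    search is one dictionary probe per computed hash."""
    for alg, digest in digests(data).items():
        library[digest] = (alg, label)
    return library


# The imported library (constructed) knows only the original Snapchat image ...
LIBRARY = add_to_library({}, "snapchat-original", ORIGINAL_IMAGE)
# ... and the examiner then adds "full-front.jpg", as the brief instructs.
add_to_library(LIBRARY, "full-front.jpg", FULL_FRONT_JPG)

# Constructed mini file system of the suspect's disk: path -> content. The renamed
# copy in Temp and the byte-altered copy show what hashing does and does not catch.
SUSPECT_FILES = {
    "Users/Mark/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"unrelated picture bytes " * 40 + b"\xff\xd9",
    "Users/Mark/AppData/Local/Temp/~cache0001.tmp": ORIGINAL_IMAGE,         # renamed, no .jpg extension
    "Users/Mark/Downloads/full-front.jpg": FULL_FRONT_JPG,                  # exact copy
    "Users/Mark/Downloads/full-front (1).jpg": FULL_FRONT_JPG[:-1] + b"\x00",  # one byte changed
}


def hash_search(files: dict, library: dict) -> list:
    """Return (path, algorithm, library label) for every file whose content hash
    is in the library. Name, extension and location play no part in the match."""
    hits = []
    for path, data in files.items():
        for alg, digest in digests(data).items():
            if digest in library:
                hits.append((path, alg, library[digest][1]))
                break   # report each file once even when md5 and sha1 both match
    return hits


if __name__ == "__main__":
    for path, alg, label in hash_search(SUSPECT_FILES, LIBRARY):
        print(f"{label:18s} {alg:5s} {path}")
```

The run reports the renamed copy in Temp and the exact download, but not the copy with a single changed byte: a hash match is strong evidence that a file is the one in the library, while a miss says nothing about resized, re-saved or cropped versions, which need signature analysis and visual review instead.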
Case 2: Stalking
A male suspect, Rawi Hasse, has been arrested for stalking and harassment. He is alleged to have repeatedly taken pictures of his target, another male. He claims that he has no pictures of the target in his possession. He has been observed using a Nexus 5 phone to take pictures.
You have been given a picture of the target so that you know what he looks like. You have also been given a copy of the hard drive of the suspect’s computer (Rawi Hasse).
- Perform a signature analysis to determine whether there are any suspicious files on the suspect’s computer.
- Examine any suspicious files found relating to this case.
- Use a technique of your choice to examine the unallocated data on the disk to find at least one relevant JPEG image of about 40 kB in size. Show how you have done this.
- Produce a report on your activities and findings.
- Assess the significance of any evidence you find and the possible outcome.
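Signature analysis and header/footer carving of unallocated space, the two techniques Case 2 calls for, as an added Python example that is neither part of the assignment nor EnCase's implementation. The signature table is a small constructed subset, the file listing and the "unallocated" bytes are built in the script, and the JPEG-shaped blobs are containers with valid markers rather than real pictures.

```python
import os
import random

# Constructed signature table: kind -> (accepted extensions, magic bytes).
SIGNATURES = {
    "jpeg": ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
    "png":  ({"png"}, b"\x89PNG\r\n\x1a\n"),
    "pdf":  ({"pdf"}, b"%PDF-"),
    "zip":  ({"zip", "docx", "xlsx"}, b"PK\x03\x04"),
}


def identify(data: bytes):
    """Return the kind whose magic bytes open the content, or None."""
    for kind, (_, magic) in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def signature_analysis(files: dict) -> list:
    """Compare what the extension claims with what the header says. 'mismatch'
    is the interesting result, e.g. a JPEG renamed to .txt to avoid attention."""
    results = []
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        kind = identify(data)
        if kind is None:
            status = "unknown"
        elif ext in SIGNATURES[kind][0]:
            status = "match"
        else:
            status = "mismatch"
        results.append((path, ext, kind, status))
    return results


def make_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped container: SOI, a JFIF APP0 segment, payload, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + b"\xff\xd9"


def carve_jpegs(blob: bytes, min_size: int = 0, max_size: int = 10_000_000) -> list:
    """Header/footer carving over raw bytes (e.g. exported unallocated clusters):
    each SOI marker opens a candidate that ends at the next EOI marker.
    Returns (offset, candidate bytes) for candidates inside the size window."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        end += 2
        if min_size <= end - start <= max_size:
            found.append((start, blob[start:end]))
            pos = end
        else:
            pos = start + 3      # rejected: keep scanning inside the candidate
    return found


_rng = random.Random(2020)


def noise(n: int) -> bytes:
    """Constructed filler drawn from 0x00..0xFE, so it can never contain a marker."""
    return bytes(_rng.choices(range(0xFF), k=n))


# Constructed "unallocated" area: one ~40 kB JPEG and one 2 kB JPEG among filler.
BIG_JPEG = make_jpeg(noise(40_000))
SMALL_JPEG = make_jpeg(noise(2_000))
UNALLOCATED = noise(30_000) + BIG_JPEG + noise(12_345) + SMALL_JPEG + noise(5_000)

# Constructed file listing for the signature step.
SUSPECT_FILES = {
    "Users/Rawi/Pictures/IMG_0001.jpg": SMALL_JPEG,                 # match
    "Users/Rawi/Documents/notes.txt": BIG_JPEG,                     # mismatch: JPEG as .txt
    "Users/Rawi/Documents/invoice.pdf": b"%PDF-1.4\n%constructed\n",  # match
    "Users/Rawi/Documents/readme.txt": b"plain text, no signature\n",  # unknown
}


if __name__ == "__main__":
    for path, ext, kind, status in signature_analysis(SUSPECT_FILES):
        print(f"{status:8s} ext={ext:4s} header={kind} {path}")
    for offset, data in carve_jpegs(UNALLOCATED, min_size=35_000, max_size=45_000):
        print(f"carved {len(data)} bytes at offset {offset}")
```

The size window is what narrows the carve to "about 40 kB" as the brief asks. Two caveats worth stating in the report: a JPEG with an embedded EXIF thumbnail contains an inner EOI, so this naive carver stops early on such files (real tools walk the segment lengths instead), and a fragmented file cannot be recovered by header/footer carving at all.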
Case 3: Suspected misrepresentation
Sheffield Travel is a specialist travel agent wanting to hire someone to handle trips to Rome. Mira Chep applied for the post and has provided a reference in Microsoft Word format to accompany her job application. Mira claims that the reference comes from Sara Bartholomew at BlueSkyTravel, where she says she worked as a travel consultant in Rome for 6 months.
The Human Resources department of Sheffield Travel contacted BlueSkyTravel and was told by Sara Bartholomew that Mira had worked at BlueSkyTravel but had left quite suddenly after an argument. Sara Bartholomew emailed a reference to Mira Chep on 1st July 2015.
You have been given a digital copy of the reference from Mira Chep to examine and determine whether it is authentic or not.
The job Mira applied for at Sheffield Travel requires experience of traveling in Rome. Mira supplied a digital photograph of herself at the Colosseum, claiming that it was taken by a fellow traveler using Mira’s iPhone 6.
Examine the copy of this photograph which you have been given and report on any significant findings.
- Explain the concept of metadata and its use in a forensics examination.
- Examine the metadata relating to the reference given and report on your findings.
- Examine the metadata of the photograph of the applicant in Rome, and report on your findings.
- What recommendation would you make for Sheffield Travel?
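What "examining the metadata" means in practice for Case 3, as an added Python example that is not part of the assignment: a minimal EXIF reader for the camera Make/Model/DateTime tags of a JPEG, a reader for the creator and timestamp fields in a .docx file's docProps/core.xml, and a comparison against the claims (an iPhone 6; a reference emailed on 1 July 2015). Both the photograph and the reference are constructed in the script, so the tag values and dates are invented and only the names come from the case.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
CORE_NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
           "dc": "http://purl.org/dc/elements/1.1/",
           "dcterms": "http://purl.org/dc/terms/"}


def build_exif_jpeg(tags: dict) -> bytes:
    """Constructed JPEG: SOI, an APP1/Exif segment holding a big-endian TIFF whose
    IFD0 carries the given ASCII tags, then EOI. No picture data is included."""
    n, ifd_off = len(tags), 8
    data_off = ifd_off + 2 + 12 * n + 4          # where values longer than 4 bytes go
    ifd, extra = b"", b""
    for tag, text in tags.items():
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                      # short values live inside the entry
            ifd += struct.pack(">HHI", tag, 2, len(value)) + value.ljust(4, b"\x00")
        else:                                    # long values are pointed to by offset
            ifd += struct.pack(">HHII", tag, 2, len(value), data_off + len(extra))
            extra += value
    tiff = b"MM\x00\x2a" + struct.pack(">IH", ifd_off, n) + ifd + b"\x00" * 4 + extra
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_exif(jpeg: bytes) -> dict:
    """Walk the JPEG segment chain to APP1/Exif and decode the ASCII entries of IFD0."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = struct.unpack(">BH", jpeg[pos + 1:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return parse_ifd0(body[6:])
        pos += 2 + seglen
    return {}


def parse_ifd0(tiff: bytes) -> dict:
    endian = "<" if tiff[:2] == b"II" else ">"   # byte order comes from the TIFF header
    (ifd_off,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != 2:                             # only ASCII entries are decoded here
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 8 + n]
        else:
            (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            raw = tiff[off:off + n]
        tags[EXIF_TAGS.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def build_docx(creator: str, last_modified_by: str, created: str, modified: str) -> bytes:
    """Constructed .docx: a zip whose docProps/core.xml holds the Office metadata."""
    core = (f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}" '
            f'xmlns:dcterms="{CORE_NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f"<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_docx_core(docx: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    return {k: root.findtext(v, namespaces=CORE_NS) for k, v in fields.items()}


def assess(exif: dict, core: dict, claimed_device: str, emailed_on: str) -> list:
    """Compare the metadata with the applicant's story. Each finding is a lead to
    follow up, not proof on its own: metadata is easy to edit or strip."""
    findings = []
    if claimed_device.lower() not in exif.get("Model", "").lower():
        findings.append(f"photo Model is '{exif.get('Model')}', claim was '{claimed_device}'")
    if datetime.fromisoformat(core["modified"].replace("Z", "+00:00")) > datetime.fromisoformat(emailed_on):
        findings.append(f"reference last modified {core['modified']}, after it was emailed on {emailed_on}")
    if core["creator"] != core["lastModifiedBy"]:
        findings.append(f"reference created by '{core['creator']}' but last saved by '{core['lastModifiedBy']}'")
    return findings


# Constructed evidence: the names are the case's fictitious ones, the values are invented.
PHOTO = build_exif_jpeg({0x010F: "samsung", 0x0110: "SM-G920F", 0x0132: "2015:03:12 10:45:00"})
REFERENCE = build_docx("Sara Bartholomew", "Mira Chep", "2015-06-30T16:20:00Z", "2015-07-10T09:15:00Z")
FINDINGS = assess(read_exif(PHOTO), read_docx_core(REFERENCE), "iPhone 6", "2015-07-01T00:00:00+00:00")
```

With the constructed inputs, `FINDINGS` lists three discrepancies: a camera model that is not an iPhone 6, a reference saved nine days after it was supposedly emailed, and a last-saved-by name that differs from the author. A report should present these as inconsistencies to put to the applicant and to BlueSkyTravel, since the absence or presence of a tag can be explained by editing software, messaging apps that strip EXIF, or simple re-saving.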
Case 4: Refugees across Europe
Kyle Dammer in Austria is suspected of involvement in the human trafficking of refugees from Syria through Europe. It is also suspected that he was in some way involved in the movement of the vehicle in which 27 refugees were found suffocated on the Austrian Border on 23 July 2015. Police seized his computer on 1 August 2015, and have asked you to examine the hard drive.
- Use a keyword search to find the email address that Kyle Dammer uses, and to find up to three emails to or from Kyle Dammer which could be used as evidence that Kyle Dammer has been involved in trafficking refugees from Syria through Europe.
- Use keyword searches to find the names of four possible contacts who may have worked with Kyle Dammer.
- Find one email ruling out one of the accomplices.
- Find physical addresses associated with two accomplices.
- Explain the difference between a “raw search” and an “indexed search”. State which searches you have used and why.
- Explain what “slack space” is, how data may be left in slack space and how it may be found using forensic tools.
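The raw-versus-indexed distinction and file slack, which the last two items of Case 4 ask you to explain, illustrated with an added Python example that is not part of the assignment and does not model EnCase's index format. The script builds a constructed four-cluster "disk image" and replays a short history (an e-mail saved, deleted, and its cluster reused by a smaller file), then runs both kinds of search over it; the e-mail addresses and text are invented.

```python
import re

CLUSTER = 4096                 # constructed: NTFS-like cluster size
DISK = bytearray(4 * CLUSTER)  # constructed 16 kB "image": four clusters, initially zero
FILE_TABLE = {}                # allocated files: name -> (cluster, logical size)


def write_file(cluster: int, data: bytes, name: str = None) -> None:
    """Write data at the start of a cluster. The rest of the cluster is left as it
    was, which is what leaves a previous occupant's bytes behind as file slack.
    Without a name the bytes land on disk but no file entry points at them."""
    start = cluster * CLUSTER
    DISK[start:start + len(data)] = data
    if name:
        FILE_TABLE[name] = (cluster, len(data))


def logical_content(name: str) -> bytes:
    """What a normal file read returns: only the bytes up to the logical size."""
    cluster, size = FILE_TABLE[name]
    return bytes(DISK[cluster * CLUSTER:cluster * CLUSTER + size])


def file_slack(name: str) -> bytes:
    """Bytes between the logical end of the file and the end of its last cluster."""
    cluster, size = FILE_TABLE[name]
    return bytes(DISK[cluster * CLUSTER + size:(cluster + 1) * CLUSTER])


def build_index() -> dict:
    """Indexed search: tokenise the logical content of allocated files once, then
    answer queries from the inverted index without touching the disk again."""
    index = {}
    for name in FILE_TABLE:
        for token in re.findall(rb"[a-z0-9@._-]+", logical_content(name).lower()):
            index.setdefault(token, set()).add(name)
    return index


def indexed_search(index: dict, term: str) -> set:
    return index.get(term.lower().encode(), set())


def raw_search(term: str) -> list:
    """Raw search: scan every byte of the image, allocated or not, for the term in
    ASCII and in UTF-16LE (how Windows stores many strings). Returns (encoding, offset)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        for m in re.finditer(re.escape(term.encode(enc)), bytes(DISK), re.IGNORECASE):
            hits.append((enc, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed history of the disk, replayed in order.
EMAIL = (b"Date: Tue, 21 Jul 2015 22:10:00 +0200\r\nFrom: kyle.dammer@example.test\r\n"
         b"To: contact@example.test\r\nSubject: transport of 27 persons\r\n\r\n" + b"x" * 2000)
write_file(1, EMAIL, "old_mail.eml")                       # 1. e-mail saved in cluster 1
del FILE_TABLE["old_mail.eml"]                             # 2. deleted: entry gone, bytes stay
write_file(1, b"Shopping list: bread, milk, eggs\r\n", "note.txt")  # 3. cluster reused by a short file
write_file(2, b"To: kyle.dammer@example.test\r\n")         # 4. draft in a cluster no file owns
write_file(3, "kyle.dammer@example.test".encode("utf-16-le"))  # 5. a UTF-16 string, e.g. registry
INDEX = build_index()

if __name__ == "__main__":
    print("indexed:", indexed_search(INDEX, "kyle.dammer@example.test"))
    print("raw:", raw_search("kyle.dammer@example.test"))
    print("slack of note.txt:", file_slack("note.txt")[:80])
```

The indexed query returns nothing, because the index only ever saw the 34-byte shopping list; the raw search returns three hits: one in the slack of note.txt (the deleted e-mail's header survives past the new file's logical end), one in an unallocated cluster, and one UTF-16 string that an ASCII-only keyword would have missed. That is the trade-off to state in the report: an index is fast and supports repeated queries, but it only contains what was indexed, whereas a raw search is slow and must be repeated per keyword and encoding but sees every byte.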
Case 5: Stolen Diagrams
K-Parts is a manufacturing company that suspects that an employee, Jon Gidno, has been stealing intellectual property about its manufacturing processes. The company manufactures parts which are numbered according to the following standard:
A part number begins with 4 digits, followed by a dash “-”, then three lower-case letters, another dash and finally two upper-case letters. 1234-ABC-VS is a valid part number.
Jon Gidno states that he has never taken any data home from work.
You are given a copy of the hard drive of Jon Gidno’s home computer to determine whether there is any evidence of copies of company documents containing part numbers.
- Explain how Regular Expressions can help with this search, where simple keywords are inadequate.
- Develop a GREP string that will find valid part numbers. Explain the components of your GREP string.
- Use a GREP search to find any evidence of part numbers on the employee’s hard drive, and report on your findings.
- The company states that some of the documents that may have been stolen are stored in .pdf or .docx form. Describe any changes you would make to your method of searching so that you can handle PDF and DOCX files.
- Note that you will need to use an earlier version of EnCase (8.05) to perform this examination. Instructions for installing and using EnCase 8.05 can be found on BlackBoard.
- Find two additional relevant documents using your modified method.