Digital Forensic Investigation - Report Example
This report, "Digital Forensic Investigation", details the examination of a USB key drive image for evidence of espionage. It gives details of the forensic procedure used as well as the results of the investigation. This report is true to the investigator's knowledge and belief.
Digital Forensics Report: USB Autopsy Investigation
April 26

USB Autopsy Investigation Report
Jalal, BSc (Hons) UCLAN
Occupation: Forensic Computer Analyst
Client: Vamos Solution

Declaration
This forensic report details the examination of a USB key drive image for evidence of espionage. It gives details of the forensic procedure used as well as the results of the investigation. This report is true to the investigator's knowledge and belief.
Dated the 10th day of May 2015
Signature: ………………………………………………

Introduction
I am a forensic investigator commissioned by the UCLAN High Tech Crime Unit to produce this report. I have been contacted by the Managing Director of the company 'Vamos Solutions'. One of their employees has been accused of stealing company secrets. The suspect has provided access to a USB pen drive for examination. This USB pen has been forensically imaged and the image provided as exhibit CST/001.

Instructions
I have been instructed to view the data contained within exhibit CST/001 and construct a report which answers the following four questions.
Question 1: Is there any evidence to suggest that the company secrets have been copied onto the USB pen? (Pg. 7, lines 18-19)
Question 2: Is there any evidence to suggest that the suspect has tried to hide any data? (Pg. 7, line 1)
Question 3: Is there any evidence to suggest the reason why the suspect has attempted to steal this data? (Pg. 6, lines 23-24)
Question 4: What further evidence may be needed by the investigation team to support any of the facts discovered during your investigation? (Pg. 7, lines 13-14 and table)

Forensic Examination of CST/001

1.0 Introduction
The main item containing evidence in this case is a USB data storage device (flash drive) found with the employee. Its identification features are permanently associated with the artefact and give it a unique tag. This specific designation allows positive identification of the evidence. The unique identification is in line with the core requirement of a verifiable chain of custody. The handover process is documented in the evidence custody journal, and the device is securely stored to ensure that its integrity is maintained.

2.0 Examination Details
This part of the report gives detailed information about the forensic procedure and tools that were used and provides a stepwise explanation of the examination process.

2.1 The Forensic Computer and Tools
The forensic computer used for this examination was an HP EliteBook 6930p laptop with 8 GB of RAM and a 150 GB hard drive. The laptop's operating systems are Windows and CAINE version 6.0. The forensic tools and programs used during this investigation include Autopsy Forensic Browser version 2.24, VMware-workstation-full-11.1.0-2496824 and mmls.

2.1.1 Autopsy Forensic Browser version 2.24
Autopsy is a commonly used open-source forensic tool. It is a graphical digital forensics platform hosting The Sleuth Kit as well as other digital forensics tools. It is normally used by government law enforcement institutions such as the police and national defence, and by private examiners, in the investigation of digital devices. It is used to recover erased contents of file systems as well as to conduct keyword searches.

2.1.2 CAINE version 6.0
CAINE (Computer Aided INvestigative Environment) is an integrated digital forensics environment based on an Ubuntu GNU/Linux live distribution, offering a complete forensic environment with a user-friendly graphical interface and a semi-automated report-generating feature.

2.1.3 MMLS
mmls is a command-line tool that determines the kind of file systems installed on a hard disk.

3. Preservation of Image
Once the investigator received the USB image, its original state was preserved and recorded. The main reason to preserve the image is to maintain its integrity, as it is prone to tampering and alteration in the succeeding forensic analysis phases. As soon as the image integrity is established, the subsequent analysis is conducted on copies. This gives a way of comparing a copy with the original at any phase; as a result the copies are verified to be authentic and unaltered, and are therefore relevant and reliable. The investigator used the CAINE 6.0 platform to conduct the digital forensic analysis.

4. Chain of Custody and Validation of the USB Flash Drive Image
I received the digital image from Vamos technology with the following chain of custody information:
Case ID: USBCase001
Case name: Espionage Investigation001
Evidence ID: CST-001.dd
Owner of evidence: Vamos Solutions
Evidence obtained date: 04 May 2015 14:00
Evidence obtained location:
Form of identification: Tag
Identification information: Tag No. USB FD001
Description: USB data key drive
Serial No: USB500D
Image MD5:
Evidence released by (name + sign): UCLAN (signed......)
Released date/time: 04 May 2015 14:00
Evidence accepted by (name + sign): Jalal (signed......)
Accepted date/time: 04 May 2015 14:00
Special instructions: See also Appendix (i)

The investigator copied the digital image of the USB into the forensic computer and ran md5sum to ascertain the integrity of the image; the MD5 hashes matched.

5. Separation of the USB Flash Drive Image into Partition Images
The initial step in analysing the image is to find the number and kind of partitions the image holds, which is achieved by running both the fdisk and mmls commands on the image. The partitions are then separated for analysis using the dd command. Next, the md5sum and file commands are run on the newly made partition image files. The next step is loading the image into the Autopsy 2.24 browser for analysis.

6. Autopsy Evidence Search Methods Utilised
1. After opening a new case, USBcase001, the Add Host button is used to add a host named Autopsy Investigation001. Next, the image file is added to the case and "Calculate hash value for this image" is selected.
2. Running the mmls command on the original USB key drive image explicitly shows that the device has a FAT32 file system installed. Next, the MD5 for the evidence file that has been added is calculated and checked to make sure it has not been altered in any way. See Appendix (iii).
3. At this stage Autopsy offers the ability to analyse the evidence as either 'disk' or 'file system'. The disk option provides keyword searches and enables viewing of the distinct disk sectors, while the 'file system' option allows interaction with file system objects, i.e. files and folders. The Image Details option gives more information on the added evidence file, showing the forensic investigator the manner in which the disk is set up; it covers the disk layout and activity timestamps.
4. In this case the 'disk' choice is chosen for the analysis. In disk mode a keyword search is conducted to view the distinct disk sectors or view the evidence file.
5. Next, the expression 'income' is used to perform a search against the evidence file to see where it occurs. An occurrence is found and viewed by selecting either the ASCII or the Hex link. The ASCII link displays the human-readable text. See Appendix (vii).
6. The file analysis option shows the contents of the file system ($FAT1, $FAT2 and $MBR) and their corresponding file system artefacts. It also shows 'documents' and 'pictures'. See Appendix (iv).
7. On selecting 'documents' and then the specific file, the file is loaded as an Excel-format spreadsheet, which is exported and viewed in LibreOffice. This process is repeated for the 'pictures' option. Other image files are also viewed in full-size mode to ensure no details are missed. See Appendix (vi).

Company's income statement
Exhibit CST/001 was found to hold the company's income statement, an indication that the employee may have conspired to sell the company secrets to competitors. This data was found concealed in a disk region that is usually set aside for the operating system. Accessing this data would require someone with prior knowledge of the location of the file. There was an interesting part of the evidence on the timeline, as depicted in Appendix (ix). It was crucial to note the timestamps of when files were created, accessed and erased. The timeline activity corresponds to the dates of activity reported by the management.

8. Selecting 'Meta Data' in the top menu followed by 'Allocation List' gives a list of the files recorded as well as their associated file system. Viewing the contents of an allocation item gives information about the stored data. The hex link shows the underlying data for the root directory. This process identifies and recovers deleted content. See Appendix (ix).

Analysis of the suspect's office computer
Analysis of the suspect's office computer may give further evidence needed by the investigator to support some of the facts discovered during the investigation.
Action: Determining the availability and location of log data by examining configuration files.
Comments: Data is obtainable from /var/log/audit/audit.log. It is recovered for the subsequent analysis.
Action: Getting the records of users and login dates and times.
Comments: The suspect was the only user, and was logged on on several occasions.
Action: Identifying the times of USB flash drive usage.
Comments: Mounted on behalf of the suspect's user ID; unmounted on behalf of the suspect's user ID.
Action: Analysing the controlling user's history file for the commands executed.
Comments: The controlling user was the suspect employee.

Summary
The results of the investigation of the exhibit CST/001 image show data that identify the employee as involved with the USB drive activity. The corresponding date, time and mount point are identified by the data. It also shows the file names, paths and actions taken by the employee.
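The integrity check from section 4 and the partition-separation step from section 5 (md5sum, mmls, dd), as an added shell example that is not part of the original report. It assumes GNU coreutils and The Sleuth Kit's mmls on PATH; the mmls row layout in the comment, and the file names CST-001.dd and partitions/, are assumptions and placeholders.

```shell
#!/bin/sh
# Added example (not part of the original report): verify the evidence image
# against the MD5 recorded on the chain-of-custody form, list its partitions
# with mmls, and carve each partition into its own image with dd.
# Assumes GNU coreutils (md5sum, dd, awk) and The Sleuth Kit's mmls on PATH.
set -eu

# Compare an image's MD5 with the recorded value. Returns 0 on match, 1 otherwise.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Read mmls output on stdin and print "start length" (in 512-byte sectors)
# for each allocated partition, skipping the Meta and Unallocated rows.
# Assumed row layout: "002:  000:000   0000000002   0000000005   0000000004   Win95 FAT32 (0x0b)"
partitions_from_mmls() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ { print $3 + 0, $5 + 0 }'
}

# Copy one partition (addressed in 512-byte sectors) out of the image into
# its own file and print the MD5 of the new partition image for the evidence log.
carve_partition() {
    image="$1"; start="$2"; length="$3"; out="$4"
    dd if="$image" of="$out" bs=512 skip="$start" count="$length" 2>/dev/null
    md5sum "$out" | awk '{print $1}'
}

# Driver: refuse to proceed if the image hash does not match the recorded one,
# then carve every allocated partition into OUTDIR as <image>-pN.dd.
carve_all() {
    image="$1"; recorded="$2"; outdir="$3"
    if ! verify_md5 "$image" "$recorded"; then
        echo "MD5 mismatch for $image: not the image on the custody form, stopping" >&2
        return 1
    fi
    mkdir -p "$outdir"
    n=0
    mmls "$image" | partitions_from_mmls | while read -r start length; do
        n=$((n + 1))
        out="$outdir/$(basename "$image" .dd)-p$n.dd"
        echo "partition $n: start=$start length=$length -> $out md5=$(carve_partition "$image" "$start" "$length" "$out")"
    done
}

# Usage: sh carve.sh CST-001.dd <recorded-md5> partitions/   (placeholder names)
if [ "$#" -eq 3 ]; then carve_all "$@"; fi
```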