Host-Based Forensics Assignment
Timothy Muscat
MSc. Advanced Security and Digital Forensics, Edinburgh Napier University
November 28, 2018

1 Executive Summary and Timeline

With regards to the two suspects Stephen Knox and Filipe Young (henceforth referred to simply as Knox and Young respectively), a cursory investigation of the data on their shared machine has allowed the formation of a solid hypothesis both with regard to the guilt of Knox and Young and to that of the alleged co-conspirators Christopher Guzman and Lewis Campbell (henceforth simply Guzman and Campbell). No evidence has been found to support Knox's claim that Young was the one behind the thefts. Indeed, this investigation was not able to find any evidence to suggest Young had any part in, or even knowledge of, the automobile theft and resale racket which Guzman, Campbell and Knox were initially arrested for forming part of.

With regards to Knox, ample evidence to suggest he played an active role in the scheme has been found on the subject machine. Although the thefts occurred in March of 2017, the suspect's browsing history suggests the thefts had been planned at least as far back as January of the same year, suggesting Guzman and Campbell first made contact with Knox around this time. Communication appears to have taken place principally through Skype and email. No encryption was used throughout. Guzman and Knox appear to have communicated using an idiosyncratic code language. A key to decoding this coded language, as well as a list of prospective car models to steal, was found in a spreadsheet on the suspect's computer entitled The List.ods.
The suspect's code language was a simple and informal idiom whereby Knox would refer to the different makes, models and years of manufacture of cars he planned to obtain for Guzman using women's names, and to the places and times they planned to take them on dates, with the days of said dates denoting what stage the plan was at: whether the car had been spotted, was in the process of being stolen, or had been stolen and delivered to one of two drop-off points. Additionally, several photographs of luxury vehicles parked in various places around Edinburgh were found on the suspect's drive, with secret messages coded into them by Campbell (presumably, as the preliminary investigation concluded that he was responsible for locating potential targets and communicating them to the person who was to commit the theft) detailing the GPS coordinates of the vehicles and often certain information regarding the movements and habits of their owners and the times the vehicle was likely to be parked.

Conclusion and Limitations

Overall, the evidence found appears to form a coherent picture of the role of Knox within Guzman and Campbell's theft ring as well as of their modus operandi. It is clear from the evidence gathered that Knox played an active and integral role in the operation and was far more than a mere accomplice. On the other hand, no evidence was found to justify the continued detention of Young.

Regarding the limitations of this investigation, our analysis was limited to the main drive of the PC and could not account for data that may have been stored on removable media used with the PC, or for web-based communications that store no local data. While the spreadsheet found in Knox's possession spoke of two drop-off points for the stolen vehicles, this investigation was unable to determine where these drop-off points may have been from the data on hand. This was, however, beyond the remit of this investigation.
What follows is a reconstruction of events gleaned from the suspect machine, in chronological order.

Event Time | Event Type | Details
30/01/2017 13:07 | Browsing History | Knox watches a YouTube video entitled "how to Hot wire a car".
30/01/2017 13:07 | Browsing History | Knox looks for coordinates of NCP Car Park Castle Terrace, Edinburgh. Innocuous in and of itself, but suspicious in the given context.
08/02/2017 19:20 | Browsing History | Knox researched "phone fob car jamming", a technology used to jam the signal from a car key fob that locks the car, leaving the car open and vulnerable to theft, as well as car alarm signal jamming. He subsequently searches for such a device on Amazon.
22/02/2017 11:49 | Skype Logs | Guzman adds Knox as a contact on Skype. Around this time he also begins researching theft laws.
28/02/2017 09:18 | Skype Logs | Guzman first contacts Knox over Skype, sending a text message reading: "Keep yourself available later this week, I'll let you know asap, but we might have something".
05/03/2017 05:26 | Skype Logs | Guzman contacts Knox over Skype and tells him he has a "shopping list" for him. He also advises him to download the program "QuickStego".
09/03/2017 20:49 | Browsing History | Knox searches "what is quick stego" and subsequently downloads QuickStego, a free, basic image steganography tool (see footnote 1) that the group were using to hide their communications.
21:22-21:24 | Browsing History | Knox makes a number of car related searches: "cars in Edinburgh", "used cars in Edinburgh", "Edinburgh Expensive Cars", "Luxury cars in Edinburgh".
13/03/2017 13:03 | Skype Communication | Knox sends a Skype message to Guzman reading: "Thanks for joining Faith and I for coffee at 5pm yesterday, had a great time. I'm thinking of going to the gym tomorrow if you want to join." Decoded, this means: "The Ford Focus taken from the Airport Long Stay has been delivered."
20:51 | Email | Knox receives an email at the address fortknox2017@outlook.com: "Pick up Carla from the supermarket at 6:25, take her out for dinner". Decoded, this means: there is a Citroen C2 at the Fountain Car Park.
13/03/2017 20:55-58 | Browsing History | Knox receives and downloads 5 images of different cars as email attachments, with messages hidden within them giving the cars' GPS coordinates. Knox searches Google Maps for the GPS coordinates encoded in one of the images; it appears to be a white SUV outside a clinic.
13/03/2017 21:06 | Skype Communication | Knox sends a Skype message to Guzman reading: "I met Vanda today after she finished work at the cafe, thanks for suggesting that restaurant to take her to dinner at." Decoded: Volkswagen Golf available at Fountain Car Park.
14/03/2017 14:39 | Skype Communication | Knox sends a Skype message to Guzman reading: "My sister Carla came over for dinner tonight when she was finished at the gym, hope you're having a good day too!" Decoded: Citroen DS3 available at the Fountain Park Car Park.
15/03/2017 14:33 | Browsing History | Knox begins making Google searches about the Tesla and Mercedes E-Class, pictures of which were found on the subject's PC with GPS coordinates.
00:56 | Skype Communication | Knox sends a Skype message to Guzman reading: "Remember Mary from the cafe? We went for a jog at 5pm. It was pretty nice weather you should join us next time." Decoded: Mini Clubman available at Omnicenter car park.
17/03/2017 16:12 | Browsing History | Knox makes several searches for used car buyers. This suggests he may have been thinking of cutting Guzman and Campbell out and selling the stolen vehicles himself.
18/03/2017 00:24 | Skype Communication | Knox sends a Skype message to Guzman reading: "I think I'm going to have trouble meeting Mary from University at 6pm, I'll fill you in later. But I met Nigela at Lunch today at University." Decoded: 2011 Mini Cooper, Nissan 370z at Fountain Park Car Park.
19/03/2017 20:18 | Browsing History | Knox inputs the GPS coordinates embedded in another of the images, a red Nissan minivan, into Google Maps.
20/03/2017 02:01 | Skype Communication | Knox sends a Skype message to Guzman reading: "Ariana and I are going for lunch tomorrow, usual place if you want to meet us." Decoded: Retrieving Audi from Fountain Park Car Park.
21/03/2017 04:14 | Browsing History | Knox inputs the GPS coordinates embedded in another of the images, a matte black Audi, into Google Maps.
18:03 | Skype Communication | Knox sends a Skype message to Guzman reading: "I'm going to enjoy taking Tina out for a drink tomorrow, she might be a challenge compared to the rest of the girls though". Decoded: Retrieving Tesla from Airport Long Stay.
22/03/2017 02:01 | Browsing History | Knox inputs the GPS coordinates embedded in another of the images, a Tesla, into Google Maps. Embedded in this image are links to a list of charge points in Edinburgh and an article on Tesla security precautions. Knox makes several Google searches on how to bypass Tesla security features.
02:15 | Skype Communication | Knox sends a Skype message to Guzman reading: "Just got back from having a drink with Tina, she's really fun!", indicating the Tesla has been successfully stolen.
03/04/2017 12:30 | Skype Communication | Campbell contacts Young on Skype requesting that he log into Knox's account and activate TeamViewer, ostensibly so that he may retrieve some information that Knox has stored. Young claims here that he had not seen Knox in several days, most likely because Knox was already in police custody by this point. Young consents to Campbell's request and logs into Knox's account, apparently knowing the password. He continues the conversation with Campbell on Knox's Skype account and gives Campbell Knox's TeamViewer ID and password.

Footnote 1: Image steganography is the hiding of text within image files.

Procedure/Discussion

Procedure

• The image of the suspect's drive was received in Expert Witness Format (EWF) and ingested into Autopsy (v4.9, running on Ubuntu Linux).
• The integrity of the image was first checked using the embedded MD5 checksum.
• The image appeared to belong to a PC running Windows 10 Education Edition with two user accounts, "Filipe Young" and "John". "Filipe Young" fairly obviously belonged to Young; "John", however, was in fact the name of the user account used by Knox.
• A cursory look through the files on the system revealed the following files of interest:
  – A number of photographs of cars appearing to have been taken in and around Edinburgh.
  – A map of Tesla charge points in Edinburgh.
  – A spreadsheet file, The List.ods, mapping makes and models of cars to female names crossed with different locations crossed with different times of day. From later findings, this appears to be the key to deciphering a code language.
• A keyword search using String Extraction [1] was made in Autopsy for the names of the two suspects Guzman and Campbell; the search revealed Skype chat logs in which the two made contact with Knox.
• Skype chat logs are found mainly in a database file entitled main.db, with each user having one [4], saved in Microsoft's proprietary SQLite format. The files were loaded into a reader, revealing the following exchange between Guzman and Knox, the true meaning of which was explained in the timeline above.

Figure 1: Skype Conversation Between Guzman and Knox

• Additionally, an exchange between Campbell and Young was also found in which the former requests that the latter log into Knox's account, where he continues the exchange.
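As an added illustration of the main.db step above (not code from the report or from Autopsy), the following Python pulls a timeline of messages for named participants out of a legacy Skype database, which is what the keyword search for Guzman and Campbell amounts to. The Messages column names are assumed from the pre-2017 desktop Skype schema; the database, Skype usernames and message rows are constructed in memory.

```python
"""Pull chat messages for named participants out of a legacy Skype main.db
and order them into a timeline (added example, not from the original report).
Assumes the pre-2017 desktop Skype schema: Messages carries author,
from_dispname, dialog_partner, timestamp (Unix seconds) and body_xml."""
import calendar, html, re, sqlite3
from datetime import datetime, timezone

# Assumed subset of the legacy Skype Messages table; the real one has more columns.
SCHEMA = """CREATE TABLE Messages (id INTEGER PRIMARY KEY, convo_id INTEGER,
    chatname TEXT, author TEXT, from_dispname TEXT, dialog_partner TEXT,
    timestamp INTEGER, type INTEGER, body_xml TEXT)"""

def _ts(day, month, year, hour, minute):
    """Unix seconds for a dd/mm/yyyy hh:mm wall-clock time, taken as UTC."""
    return calendar.timegm((year, month, day, hour, minute, 0))

# Constructed rows: usernames hypothetical, text follows the report's exchanges.
SAMPLE_ROWS = [
    (1, 1, "#guzman/$john;1", "guzman", "Christopher Guzman", "john",
     _ts(28, 2, 2017, 9, 18), 61,
     "Keep yourself available later this week, I&apos;ll let you know asap"),
    (2, 1, "#guzman/$john;1", "john", "John", "guzman",
     _ts(13, 3, 2017, 13, 3), 61,
     "Thanks for joining Faith and I for coffee at 5pm yesterday"),
    (3, 2, "#campbell/$filipe;1", "campbell", "Lewis Campbell", "filipe",
     _ts(3, 4, 2017, 12, 30), 61,
     "Can you log into John&apos;s account and start TeamViewer?"),
]

def build_sample_db():
    """Create the in-memory stand-in for an acquired main.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def strip_xml(body):
    """body_xml holds lightly marked-up text: drop tags, unescape entities."""
    return html.unescape(re.sub(r"<[^>]+>", "", body or ""))

def messages_for(conn, names):
    """Timeline rows (UTC time, sender, partner, text) for messages matching a name."""
    wanted = [n.lower() for n in names]
    rows = conn.execute("SELECT timestamp, author, from_dispname, dialog_partner, "
                        "body_xml FROM Messages ORDER BY timestamp")
    out = []
    for ts, author, disp, partner, body in rows:
        haystack = " ".join(filter(None, (author, disp, partner))).lower()
        if any(n in haystack for n in wanted):
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%m/%Y %H:%M")
            out.append((when, disp, partner, strip_xml(body)))
    return out
```

Against a real acquisition, open the copied main.db read-only in place of build_sample_db() and treat the timestamps as UTC before reconciling them with the browsing history.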
Figure 2: Lewis Campbell Contacts Filipe Young and requests he log into his account

• From String Extraction, a Microsoft Outlook planner containing the following entries was found. These appear to contain coded messages. A translation derived using the previously found spreadsheet has been included alongside the original messages in the referenced table (Figure 3):

Figure 3: Microsoft Outlook Planner Entries on Knox's PC

Planner entry | Decoded meaning
Pick up Mandy from the Cafe at 8pm, go for a cycle! | 2013 Mercedes E-Class at Omni-Center Car Park
Pick up Mary from University at 6pm for Dinner | 2011 Mini Cooper at Fountain Park Car Park
Pick up Faith from the Gym at 5pm, she fancies a coffee | 2010 Ford Focus at Airport Long Stay
Pick up Carla from the Gym at 10:30, take her for a nice walk | 2015 Citroen DS3 at Omni Center Car Park
Pick up Carla from the Supermarket at 6:25, take her out for Dinner | 2011 Citroen C2 at Fountain Park Car Park

• The suspect's browsing history was investigated using the log2timeline tool in Autopsy. The relevant findings were included in the timeline above.
• Owing to previous findings, namely Guzman sending Knox a download link to QuickStego [3] and Knox making a number of searches for download links for the software, the suspicion was established that the previously found images may contain hidden messages.
• Using the QuickStego tool, the hidden message inside each image was retrieved and is laid out in the table below next to the name of the picture in question.
• Loading the pictures into an EXIF reader revealed no metadata present, indicating that it may have been stripped out.
Image | Hidden message
The Eighth.bmp | found here 55.97882970000001,-3.228954499999986 watchout you don't get the tires slashed
The Fifth.bmp | Up the hill, right then left from the third again this might be too close to the others and will raise alarm if stolen potentially follow it, it's not there during school hours midweek
The Fourth.bmp | 55.92723965483411,-3.2346609234809875 at the gym this guy is actually healthy but also if you could, give me his shoes when you steal it they are amazing. he takes them off and put thems in his car before going to the gym oh and his ipad too Mon, Wed, Fri 6am - 8am Thursday 7-8pm (playing 5 a side)
The Second.bmp | 55.92723965483411,-3.2346609234809875 He goes to the gym when his lazy ass can usaully once a week on a monday morning 7am - 9am i would say tail him as you can also get another car here don't want to raise alarms
The Seventh.bmp | Across from the boxing gym in T2 Only there 2pm until 11pm
Ashley Tisdale.bmp | 55.96316389999999,-3.191300599999977
MC Hammer.bmp | 55.93871253413824,-3.2250478863716125
Michael Cera.bmp | 55.93871253413824,-3.2250478863716125
Muhammad Ali.bmp | 55.9524108,-3.2034777000000076
Nina Nesbitt.bmp | 55.9731683,-3.1726105999999845
Tupac Shakur.bmp | 55.9310172,-3.2148125000000003 Charge points incase you need it http://www.greenerscotland.org/greener-travel/greener-driving/charge-point-map Tesla security precautions - you may want to look at this http://www.techtimes.com/articles/14537/20140901/everyone-loves-tesla-motor-s-except-thieves-he

• Deleted files recovered using the PhotoRec [2] file carving utility within Autopsy were analysed. Nothing of interest to the investigation was found.
• The above findings were organised into the timeline above.

Discussion

The findings suggest a high level of organisation among the suspects as well as the extent and ambition of their plans. They also show the naivety of Knox and his ineptitude when it comes to operational security in the use of computers to facilitate the commission of crime.
Notwithstanding this naivety, it would appear that Knox was involved in the planning and potential execution of no fewer than 11 automobile thefts, with speculative plans for many more. As already stated, no evidence has been found to suggest Young was in any way involved.

All evidence found was in plaintext and required no decryption. The only serious attempt at obfuscating communication (the "code language" notwithstanding) was the use of steganography to hide messages within the photographs of cars. The tool used was a free consumer-level tool from the QuickCrypto [3] suite of tools, and the hidden messages were not encrypted. Hiding the messages within images that were already suspicious in the given context also shows the ineptitude of the subjects. Ultimately, the methods of communication used by the suspects all left an extensive footprint allowing easy recovery of the communications, and no attempt was made to delete records of them.

Overall, it is felt that sufficient evidence has been found to build a strong criminal case against the subjects.

References

[1] Anthony Dowling. Digital forensics: A demonstration of the effectiveness of The Sleuth Kit and Autopsy Forensic Browser, p. 83. Master's thesis, University of Otago, Dunedin, New Zealand, 2006.
[2] Klaus Knopper. Rescuing lost files with TestDisk and PhotoRec. Linux Magazine, 2015.
[3] Ana Marculescu. QuickStego. Softpedia, 2013.
[4] Jamie McQuaid. Skype forensics: Analyzing call and chat data from computers and mobile. Magnet Forensics, 2014.