Computer Hacking Forensic Investigator Case Studies
CHFI
Case Studies
Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-49
Case Study 1: Employee Sabotage
Kim Stevens is a research scientist at a pharmaceutical company called Jusco Enterprises, which manufactures human vaccines for polio; her project was close to a breakthrough. Kim had been involved in the research for 6 years. According to company policy, research documents must be stored in MS Word or Rich Text Format, and critical documents are stored as PDF to prevent tampering.
Kim's research files ran to 270 pages of sensitive formulae. Recently Kim had a fight with management over sidelining her while promoting Jack to Senior Scientist. After all the effort and time she had put in, Kim was not rewarded. This made her furious, and she decided to quit the company.
She did not want to part with the formulae she had come up with over 6 years of work. In a fit of rage she deleted all the critical and research documents so that no one could access them.
Kim's act came to light a week after she left.
The enterprise central backup machine was under repair, so her machine was not backed up during the regular backup cycle. Her most recent work, which contained the final formula, was never backed up. If the data could not be retrieved, the firm stood to lose $3 million in contracts with suppliers.
The company's IT department failed to retrieve the data. The company hires you (a CHFI professional) to investigate the incident and restore the data.
How would you investigate this computer crime?
Answer:
1. Visit Kim's desk and seize all hardware devices, including hard disks, CD-ROMs, iPods, and DVD discs.
2. Place the devices carefully in anti-static bags and transport them to the forensics
laboratory.
3. Create a bit-stream image of the hard disk using tools such as R-Drive Image or the Linux dd command, through a write blocker so the original is never modified.
4. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match; record both in your notes.
5. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
6. You are ready for investigation.
7. List the items that the client has asked you to investigate.
a. In this case you are asked to recover deleted files containing chemical formulae and mathematical codes. You do not know the names or formats of the files, only that company policy stores research documents as Word, RTF or PDF.
8. Run a hexadecimal editor and scan the entire image for keywords (chemical names, formula fragments, the project name). Search for them in both ASCII and UTF-16 encoding, because Word and other Windows applications store text as Unicode and an ASCII-only search misses it.
9. Run an undelete utility over the entire disk image to see whether there are any deleted files whose directory entries still exist.
10. If the utility shows any deleted files, recover them.
11. If you are unable to recover the deleted files whole, you should at least be able to recover portions of the data. View the entire image in hexadecimal and analyze it.
12. If you recognize the content in the hexadecimal data, recover the fragments with file carving (scavenger) utilities. These locate files by header and footer signatures (for example %PDF- and %%EOF for PDF, or the opening {\rtf1 group for RTF) rather than by directory entries, so they work even after the file system has dropped the file, provided the clusters have not been reused.
13. Prepare a professional forensics report based on the actions you have taken to restore the data.
14. Print a copy of the report in PDF format and attach the restored files on an encrypted/password-protected CD-ROM.
15. Deliver the report to the company along with the invoice for the forensics service you rendered.
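The keyword search of step 8 and the signature carving of steps 11 and 12, written out as an added example (this is not code from the EC-Council case study). The disk image is constructed in memory so the block runs offline; in practice you would read the dd or R-Drive image file. The PDF and RTF signatures are real; the sample documents and the keyword "formula" are assumptions.

```python
"""Added example (not part of the EC-Council case study): the keyword search
of step 8 and the signature-based carving of steps 11-12, run over a raw disk
image, plus the hash check of step 4. The image below is constructed in
memory; in practice you would read the dd or R-Drive image file instead."""
import hashlib
import random
import re

MAX_FILE = 4 * 1024 * 1024  # stop looking for a footer 4 MiB past a header


def sha1_of(data: bytes) -> str:
    """Hash used to show the working copy matches the original (step 4)."""
    return hashlib.sha1(data).hexdigest()


def keyword_hits(image: bytes, keywords):
    """Offsets of each keyword as ASCII and as UTF-16LE, which is how Word
    and many Windows programs store text; an ASCII-only search misses it."""
    hits = []
    for kw in keywords:
        for needle, label in ((kw.encode("ascii"), "ascii"),
                              (kw.encode("utf-16-le"), "utf-16le")):
            for m in re.finditer(re.escape(needle), image):
                hits.append((m.start(), kw, label))
    return sorted(hits)


def _rtf_end(image: bytes, start: int) -> int:
    """RTF has no fixed footer: walk the braces until the group that opened
    at `start` closes, skipping braces escaped with a backslash."""
    depth = 0
    for i in range(start, min(len(image), start + MAX_FILE)):
        c = image[i]
        if c in (0x7B, 0x7D) and i > start and image[i - 1] == 0x5C:
            continue  # "\{" or "\}" is a literal brace, not a group
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
            if depth == 0:
                return i + 1
    return -1


def _pdf_end(image: bytes, start: int) -> int:
    t = image.find(b"%%EOF", start, start + MAX_FILE)
    return -1 if t < 0 else t + len(b"%%EOF")


# Header signature -> (type name, function that finds the end of the file)
CARVERS = {b"%PDF-": ("pdf", _pdf_end), b"{\\rtf1": ("rtf", _rtf_end)}


def carve(image: bytes):
    """Return (type, offset, bytes) for each complete file found by signature.
    Carving ignores the file system, so it recovers files whose directory
    entries were deleted as long as their clusters were not reused. A header
    with no footer in range is skipped rather than guessed at."""
    found = []
    for header, (kind, find_end) in CARVERS.items():
        pos = 0
        while (h := image.find(header, pos)) >= 0:
            end = find_end(image, h)
            if end < 0:
                pos = h + 1
                continue
            found.append((kind, h, image[h:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed stand-in for a dd image: high-byte filler (so it cannot
    contain the ASCII signatures) around a PDF and an RTF whose directory
    entries are gone, plus one Unicode string left behind by Word."""
    rnd = random.Random(seed)
    filler = lambda n: bytes(rnd.randrange(0x80, 0x100) for _ in range(n))
    pdf = b"%PDF-1.4\n1 0 obj << /Title (polio vaccine formula) >> endobj\n%%EOF"
    rtf = b"{\\rtf1\\ansi {\\b Formula:} ratio 3:1 {\\i stabiliser}}"
    word_text = "final formula".encode("utf-16-le")
    return filler(1500) + pdf + filler(900) + rtf + filler(600) + word_text + filler(300)


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha1:", sha1_of(img))
    for kind, off, data in carve(img):
        print(f"carved {kind} at offset {off}, {len(data)} bytes")
    for off, kw, enc in keyword_hits(img, ["formula"]):
        print(f"keyword {kw!r} ({enc}) at offset {off}")
```

The carver deliberately refuses to emit a file whose footer is not found within MAX_FILE bytes; a fragment without its end is still worth noting in the report, but it should be marked as partial rather than passed off as a recovered document.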
Case Study 2: Disaster Recovery Investigation
Jason works for the biggest accounting company in Dallas, Texas, H&M Consultants. He prepares financial balance sheets and accounting reports for big corporate clients. His deadline to submit the annual tax filing for JacobSun Enterprises was Friday by 10am.
He works hard and completes the entire tax filing report on Thursday night, and feels that he has done a fantastic report that will boost his promotion opportunities within the company. He leaves for the night and goes home. Jason always leaves his computer switched on.
The next morning Jason arrives at the office and gets ready to print the document for IRS filing submission. Overnight there had been a power outage within the building due to voltage fluctuation. Jason notices that his computer is turned off. He tries to switch it on, and to his shock the computer fails to boot, displaying the following message: (The NTOSKRNL.exe is corrupted along with serious damage to your data files. Please reinstall the Operating System and recover data from backup source).
Jason's computer was not on the network and was never backed up. He picks up the phone and calls the company's IT help desk for assistance. The IT help desk advises that the data cannot be recovered, and suggests that Jason hire a forensics investigator who might assist him in this situation.
Jason searches Google for "skilled computer forensics investigator" and your name pops up as the link "We have CHFI on board to investigate all your Computer Forensics needs".
Jason looks up your telephone number from the web page and hires you immediately over the phone.
How would you investigate the incident?
Answer:
1. Visit Jason's desk and remove the hard disk carefully from his computer.
2. Place the hard disk carefully in an anti-static bag and transport it to the forensics laboratory.
3. Create a bit-stream image of the hard disk using tools such as R-Drive Image or the Linux dd command, through a write blocker so the original is never modified.
4. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match.
5. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
6. You are ready for investigation.
7. You are asked to retrieve the following:
i. IRS files
ii. Spreadsheet files
8. Load the bit-stream image as an evidence file in the EnCase forensic utility.
9. EnCase mounts the image and displays it as the C: drive.
10. You observe the following:
i. The operating system is Windows XP Professional with SP2
ii. Memory is 2 GB
iii. The C: drive is 30 GB and is the only partition
11. You view the boot sector and notice that you are unable to access files located in the directory c:\windows\system32.
12. The partition table entry pointing to the C: drive was corrupted. This prevented the system from booting.
13. You use the EnCase hex editing utility to fix the partition table, working on the image copy. The repaired entry must carry the true starting sector and size of the NTFS volume, which you read from the volume boot sector (the "NTFS" OEM identifier at offset 3 of the partition's first sector); a guessed value leaves the volume unmountable.
14. You restore the repaired image to a spare hard disk and attach it as the primary drive in another computer.
15. The computer boots normally and you copy all the IRS tax files and spreadsheet documents to a DVD-ROM.
16. Prepare a professional forensics report based on the actions you have taken to restore the data.
17. Print a copy of the report in PDF format and attach the restored files on an encrypted/password-protected CD-ROM.
18. Deliver the report to the company along with the invoice for the forensics service you rendered.
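What the hex-editor repair in steps 12 and 13 actually touches, shown as an added example (not code from the case study): decode the four 16-byte MBR partition entries at offset 446, list the defects that stop a disk from booting, and rewrite one entry. The sectors are constructed; the healthy table assumes a single NTFS partition starting at sector 63 on the 30 GB disk from the case, which is an assumption, not a value the page gives.

```python
"""Added example (not part of the case study): decoding and checking the MBR
partition table that steps 12-13 repair with EnCase's hex editor, then
rewriting one entry the way the hex edit does. The 512-byte sectors are
constructed here; read sector 0 of the image in practice."""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries, then the 0x55AA signature
ENTRY_SIZE = 16
DISK_SECTORS = 30 * 1024 * 1024 * 1024 // 512   # the 30 GB disk in the case
TYPE_NAMES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def parse_mbr(sector: bytes):
    """Return (signature_ok, entries) for the four partition slots."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    sig_ok = sector[510:512] == b"\x55\xaa"
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored),
        # LBA start, sector count; all little-endian
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, hex(ptype)),
                        "start_lba": start_lba, "sectors": sectors})
    return sig_ok, entries


def check_table(sector: bytes, disk_sectors: int):
    """List the defects a repair must fix before the disk can boot."""
    sig_ok, entries = parse_mbr(sector)
    problems = []
    if not sig_ok:
        problems.append("boot signature 0x55AA missing")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partition entries (table zeroed)")
    elif sum(e["bootable"] for e in entries) != 1:
        problems.append("exactly one entry should be flagged bootable")
    for e in used:
        if e["start_lba"] == 0 or e["start_lba"] + e["sectors"] > disk_sectors:
            problems.append(f"slot {e['slot']} starts at 0 or extends past the disk")
    for a in used:
        for b in used:
            if a["slot"] < b["slot"] and a["start_lba"] < b["start_lba"] + b["sectors"] \
                    and b["start_lba"] < a["start_lba"] + a["sectors"]:
                problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    return problems


def write_entry(sector: bytes, slot: int, ptype: int, start_lba: int,
                sectors: int, bootable: bool = False) -> bytes:
    """Return a copy of the sector with one entry rewritten; the CHS fields are
    set to the conventional 0xFEFFFF 'use LBA' value."""
    buf = bytearray(sector)
    off = TABLE_OFFSET + slot * ENTRY_SIZE
    struct.pack_into("<B3sB3sII", buf, off, 0x80 if bootable else 0x00,
                     b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, sectors)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def build_sample_sectors():
    """Constructed: a healthy single-NTFS-partition MBR and the same sector
    after the crash zeroed its partition table (signature still present)."""
    good = write_entry(bytes(SECTOR), 0, 0x07, 63, DISK_SECTORS - 63, bootable=True)
    damaged = bytearray(good)
    damaged[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = bytes(4 * ENTRY_SIZE)
    return good, bytes(damaged)


if __name__ == "__main__":
    good, damaged = build_sample_sectors()
    print("damaged:", check_table(damaged, DISK_SECTORS))
    repaired = write_entry(damaged, 0, 0x07, 63, DISK_SECTORS - 63, bootable=True)
    print("repaired:", check_table(repaired, DISK_SECTORS), parse_mbr(repaired)[1][0])
```

Run check_table on sector 0 of the image before editing anything: if it returns no problems, the partition table is not the fault, and a corrupted-NTOSKRNL message points at damage inside the file system instead, where a partition-table edit would achieve nothing. The start sector and size passed to write_entry come from locating the NTFS volume boot sector in the image, not from guesswork.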
Case Study 3: Business Rivalry
TargetMac and OneMac are two magazines that cater to the growing number of iPod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman. Bryan calls John one day and convinces him to purchase TargetMac. The lawyers of both companies were called in to finalize the deal. The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and prohibits solicitation of TargetMac customers and staff. A non-compete clause was also added to the agreement.
Two years have passed, and John Beetlesman is suspicious about Bryan's activities. John suspects Bryan has breached the contract. John knows that you are a CHFI professional who provides computer forensics services. John's company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract claim so that John can file a lawsuit against Bryan in the local civil court in San Francisco, California.
How do you investigate this incident?
Answer:
1. You want to examine the desktop and laptop computers at Bryan's home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant for Bryan's home, located at 37 Albert Avenue, San Jose, and his office, located at 46 Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan's home and seize his computer, an HP Pavilion Model 1172.
5. You later visit Bryan's office and seize his laptop, floppy disks and CD-ROMs.
6. You place the devices carefully in anti-static bags and transport them to the forensics laboratory.
7. Create a bit-stream image of each hard disk using tools such as R-Drive Image or the Linux dd command, through a write blocker.
8. Generate MD5 or SHA1 hashes of the originals and of the bit-stream images, and confirm they match.
9. Prepare the chain of custody and store the original hard disks in a secure location. You would be investigating the bit-stream image copies.
10. You are ready for investigation.
11. You are asked to retrieve:
a. Any document on the computers which shows proof of breach of contract.
12. You load the bit-stream image in the FTK toolkit and browse every single file in the file system.
13. You also read every email displayed in FTK.
14. After many days and nights of investigation you retrieve the following crucial evidence:
15. An encrypted file titled "Business Plan AppleMac Magazine.doc"
16. An Excel spreadsheet "revenuestreams.xls"
17. Numerous email messages back and forth with his investors.
18. You run a password cracking utility against a copy of the encrypted file "Business Plan AppleMac Magazine.doc"; the password was "planapple". Record the hash of the encrypted original before you start, so the report can show the evidence file itself was never altered.
19. These documents clearly indicate that his new business would compete with TargetMac's business, in breach of the non-compete clause.
20. You copy these files to a CD-ROM.
21. You use the FTK report facility to produce a professional report.
22. You deliver the report to the company along with the invoice for the forensics service you rendered.
Based on your submitted report, the lawyer Smith Franklyn initiates a $20 million lawsuit against Bryan. After two weeks the court finds Bryan liable for breach of contract and orders him to pay the amount.
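A dictionary attack of the kind step 18 describes, as an added example (not the case study's own tooling): the candidate list is built from words found on the suspect's own disk image, which is how a password like "planapple" (plan + apple) falls quickly. The container format here is a constructed toy (PBKDF2 key, SHA-256 keystream, known-plaintext check on the first bytes) so that the block runs offline; it is not Microsoft Word's encryption, which needs a dedicated cracker, and the image fragment and document text are assumptions.

```python
"""Added example (not part of the case study): a dictionary attack on a
password-protected document like step 18, with candidates drawn from words
found on the suspect's own disk image (the recovered password "planapple" is
"plan" + "apple"). The container format is a constructed toy (PBKDF2 key,
SHA-256 keystream, known-plaintext check) so the block runs offline; it is
not Microsoft Word's encryption, which needs a dedicated cracker."""
import hashlib
import itertools
import re

MAGIC = b"{\\rtf1"        # known plaintext at offset 0 that reveals a correct key
ITERATIONS = 1_000        # kept small so the example runs quickly


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(plaintext: bytes, password: str, salt: bytes) -> bytes:
    """Toy container: 16-byte salt followed by the keystream-XORed body."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + _xor(plaintext, _keystream(key, len(plaintext)))


def try_open(blob: bytes, password: str):
    """Return the plaintext if `password` is right, else None. Only the first
    few bytes are decrypted for the check; the cost per candidate is the key
    derivation, which is why slow KDFs matter against this attack."""
    salt, body = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if _xor(body[:len(MAGIC)], _keystream(key, len(MAGIC))) != MAGIC:
        return None
    return _xor(body, _keystream(key, len(body)))


def wordlist_from_image(image: bytes, min_len: int = 4):
    """Lower-cased words of min_len+ letters found anywhere on the image,
    the same idea as indexing the suspect's own files for a wordlist."""
    return sorted({w.decode().lower()
                   for w in re.findall(rb"[A-Za-z]{%d,}" % min_len, image)})


def candidates(words):
    """Single words first, then every ordered pair joined together."""
    yield from words
    for a, b in itertools.permutations(words, 2):
        yield a + b


def crack(blob: bytes, words):
    """Return (password, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for pw in candidates(words):
        tried += 1
        if try_open(blob, pw) is not None:
            return pw, tried
    return None, tried


# Constructed fragment of the suspect's disk image (what FTK would index).
SAMPLE_IMAGE = (b"TargetMac OneMac business plan apple magazine revenue "
                b"investor \x00\xff\x00 AppleMac launch\r\n")

if __name__ == "__main__":
    doc = seal(b"{\\rtf1 Business plan for AppleMac Magazine}", "planapple", b"\x01" * 16)
    words = wordlist_from_image(SAMPLE_IMAGE)
    print("wordlist:", words)
    print("result:", crack(doc, words))
```

Always run the cracker against a copy of the evidence file: the original's hash stays in the report, and the copy is what gets opened.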
Case Study 4: Corporate Espionage
Computermania Inc. is the largest computer wholesale company in Albuquerque, New Mexico. They are the exclusive Dell distributors in the region. Mr. Daniel Moore is the sales manager of Computermania and oversees sales and distribution operations across the company's east coast region.
Recently Computermania had its financial accounts audited by the A & T auditing firm. The management at Computermania was shocked to find that the company had incurred a $7.2 million loss in the Dell Computer Sales Division. The company knew that Dell computer sales were rising at about 20% every year. They did not believe that this division was losing money.
They suspect Daniel Moore had something to do with the loss. The auditors at A & T went through every financial transaction and noticed that many sales invoices were issued to a company called Raleigh Computermart, Inc. in Dallas, Texas. The invoices were heavily discounted, beyond the company's standard discount policy.
A & T's Regional Head, Ms. Zelda Stevens, is a close friend of your wife Sheela. Ms. Zelda is aware of your computer forensics skills and contacts you to assist her in the ongoing investigation of Computermania, Inc.
How would you conduct the computer forensics investigation to prove Daniel Moore was responsible for the company's financial loss?
Answer:
1. You want to examine the hard disk of Mr. Daniel Moore's office computer for evidence.
2. You contact Ms. Zelda for access to Mr. Daniel Moore's office on the 17th floor to look for evidence of his involvement in the crime. She gives you permission to do so; you confirm in writing that Computermania's management has authorized A & T to grant it, since the laptop is company property and the seizure must rest on the owner's authority.
3. Later, you visit the Computermania office on the 17th floor and seize Mr. Daniel Moore's company-owned laptop for investigation.
4. You place the device carefully in an anti-static bag and transport it to the forensics laboratory.
5. Create a bit-stream image of the hard disk using tools such as R-Drive Image or the Linux dd command, through a write blocker.
6. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match.
7. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
8. You are ready for investigation.
9. You are asked to retrieve the following:
i. Any information that links Daniel Moore to the financial loss incurred by the firm.
10. You load the bit-stream image in Sleuth Kit and browse every single file in the file system.
11. You also read every email displayed in Sleuth Kit.
12. After two weeks of intensive investigation, you cannot find a single piece of evidence showing Mr. Daniel Moore's involvement in the financial fraud.
13. You almost want to give up the case. But you decide to visit Daniel Moore's office to look for other evidence.
14. You visit Mr. Daniel Moore's office on the 17th floor and scan the whole office for other evidence. You fail to find any CD-ROMs, PDAs, digital cameras or iPods; the only evidence was his laptop, which you had already investigated without success.
15. You notice a Xerox Model 1703 Color Photocopier in the hallway on the 17th floor.
16. This photocopier is used by all the office staff on the 17th floor. You walk over to the Xerox photocopier and take a look. You notice that it is a very advanced color photocopier powered by an embedded Linux operating system.
17. You pick up the phone, call Ms. Zelda and ask whether you can remove the hard disk of the photocopier for investigation. She gives you a "go ahead".
18. You place the device carefully in an anti-static bag and transport it to the forensics laboratory.
19. Create a bit-stream image of the hard disk using tools such as R-Drive Image or the Linux dd command, through a write blocker.
20. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match.
21. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
22. You are ready for the second round of investigation.
23. You load the bit-stream image in Sleuth Kit and browse every single file in the file system.
24. You also read every email displayed in Sleuth Kit.
25. The files were located in directories named by date and stored in TIFF image format.
26. You view every image and come across one that attracts attention.
27. This image contains 10 pages of balance sheet and ownership transfer data of the company Raleigh Computermart, Inc.
28. The Xerox 1703 Color Photocopier stores every photocopy made on the machine for 7 days before it is deleted, so the copier disk must be imaged promptly; once the retention window has passed, only carving of unallocated space can bring the scans back.
29. The TIFF document contains evidence that Mr. Daniel Moore holds 51% ownership of Raleigh Computermart, Inc.
30. You copy these files to a CD-ROM.
31. You use the Sleuth Kit report facility to produce a professional report.
32. You deliver the report to Ms. Zelda for the Computermania, Inc. investigation along with the invoice for the forensics service that you have rendered.
Mr. Daniel Moore was dismissed after it was discovered through the forensic evidence that he had concealed an ownership interest in Raleigh Computermart, Inc.
Case Study 5: Pornography
Natasha Gabriel is an attractive woman who is in her early 20s. She works as an Advertising
Manager for the firm Cosmopolitan-Ad Agency. She is a sexy woman who always makes lewd
remarks about her male colleagues.
One day you receive a phone call from the CEO of Cosmopolitan-Ad Agency, Mr. Mark Dwendler, asking for your computer forensics investigation services to assist him in an internal investigation into Natasha Gabriel downloading pornographic images and other inappropriate material onto her PC.
You send a quotation of $10,000 in fees for a 3-day investigation of Natasha Gabriel's case. Mark agrees to the quotation.
How will you proceed with Natasha’s computer crime investigation?
Answer:
1. Visit Natasha's desk and remove the 80 GB Seagate hard disk carefully from her HP Pavilion office computer.
2. Place the hard disk carefully in an anti-static bag and transport it to the forensics laboratory.
3. Create a bit-stream image of the hard disk using tools such as FTK Imager or EnCase, through a write blocker.
4. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match.
5. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
6. You are ready for investigation.
7. You are asked to retrieve the following evidence files:
a. Pornographic images
b. Pornographic videos
8. You load the bit-stream image in the FTK toolkit and search for image (jpeg, gif, bmp, tiff) and video (mpeg, dat, avi, mov) files in the hard disk image. Search by file signature as well as by extension: a picture renamed to .txt is missed by an extension-only search, and forensic suites report such mismatches as bad extensions.
9. The FTK search comes up with pornographic images and video files in the following directories:
a. C:\Documents and Settings\Conference\My Documents\My Pictures
b. Internet cache (C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5)
c. Deleted files in the Recycle Bin
d. C:\Documents and Settings\Conference\My Documents\My Videos
Note that these paths sit under the Conference and Administrator profiles rather than under a profile in Natasha's name, so the report should also establish which account was logged on when the files were created, from the files' timestamps and, if logon auditing was enabled, the Windows Security event log.
10. Most of the pornographic images and video content relate to "lesbian sex activities".
11. You copy these files to a CD-ROM.
12. You use the FTK report facility to produce a professional report.
13. You deliver the report to Mr. Mark Dwendler and issue an invoice to Cosmopolitan-Ad Agency for payment for your service.
Based on your report Natasha Gabriel was fired from the company for breaching clause 3.1 (a) of the Employment Agreement.
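The file-type search of step 8 done by content signature as well as by extension, as an added example (not FTK's code or the case study's): a picture renamed to .txt and a text file given a .mov extension are both flagged. The same identify() function covers the TIFF scans on the copier disk in Case Study 4. The signatures are the standard magic numbers; the file names and contents are constructed, patterned on the paths the case reports.

```python
"""Added example (not part of the case study): the file-type search of step 8,
done by file signature as well as by extension, so a picture renamed to .txt
or a non-media file given a .mov extension is flagged. Also covers the TIFF
scans on the copier disk in Case Study 4. The files below are constructed."""
import hashlib
import posixpath

# (type, [(offset, bytes), ...]): every listed fragment must match.
SIGNATURES = [
    ("jpeg", [(0, b"\xff\xd8\xff")]),
    ("png",  [(0, b"\x89PNG\r\n\x1a\n")]),
    ("gif",  [(0, b"GIF87a")]), ("gif", [(0, b"GIF89a")]),
    ("tiff", [(0, b"II*\x00")]), ("tiff", [(0, b"MM\x00*")]),
    ("bmp",  [(0, b"BM")]),            # weak two-byte signature
    ("avi",  [(0, b"RIFF"), (8, b"AVI ")]),
    ("mpeg", [(0, b"\x00\x00\x01\xba")]), ("mpeg", [(0, b"\x00\x00\x01\xb3")]),
    ("mov",  [(4, b"ftyp")]), ("mov", [(4, b"moov")]),
]
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
              ".bmp": "bmp", ".tif": "tiff", ".tiff": "tiff", ".avi": "avi",
              ".mpg": "mpeg", ".mpeg": "mpeg", ".dat": "mpeg", ".mov": "mov"}


def identify(data: bytes):
    """Type by content, or None when no known media signature matches."""
    for kind, parts in SIGNATURES:
        if all(data[off:off + len(sig)] == sig for off, sig in parts):
            return kind
    return None


def triage(files):
    """files: {path: bytes}. Returns a row per file that is media by content
    or by extension, flagging the two disagreeing (a renamed or fake file),
    with an MD5 per file for the report."""
    rows = []
    for path, data in files.items():
        ext = posixpath.splitext(path.replace("\\", "/"))[1].lower()
        by_ext, by_sig = EXTENSIONS.get(ext), identify(data)
        if by_ext is None and by_sig is None:
            continue
        rows.append({"path": path, "ext_type": by_ext, "sig_type": by_sig,
                     "mismatch": by_ext != by_sig,
                     "md5": hashlib.md5(data).hexdigest()})
    return sorted(rows, key=lambda r: r["path"])


# Constructed sample files, named after the paths FTK reported in the case.
P = r"C:\Documents and Settings\Conference\My Documents"
SAMPLE_FILES = {
    P + r"\My Pictures\img001.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00...",
    P + r"\notes.txt": b"\xff\xd8\xff\xe1\x00\x1cExif\x00\x00...",   # JPEG hiding as text
    P + r"\My Videos\clip.mov": b"Dear diary, nothing to see here.",  # text named .mov
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
    r"\Content.IE5\X1Y2Z3W4\scan[1].tif": b"II*\x00\x08\x00\x00\x00...",
    P + r"\cache\video[1].avi": b"RIFF\x00\x10\x00\x00AVI LIST...",
    P + r"\memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1...",         # not media: skipped
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{flag:8} ext={row['ext_type']} sig={row['sig_type']} {row['path']}")
```

Two-byte signatures such as BMP's "BM" will produce false positives on ordinary text; treat a bmp hit with no .bmp extension as something to open, not as a finding.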
Case Study 6: Virus Attack
First Commercial Bank is a private bank which caters to 6000 customers in Rochester, New York. A virus called "MaMia.w32" hit the computers at First Commercial Bank. This virus infected the bank's 200 computers. As a result, all the data was lost. The "MaMia.w32" virus formatted the entire hard disk upon infection.
All the computers in the bank are backed up every Sunday at 7.00 P.M. The virus struck on Saturday at 2.00 P.M., so nearly one week of work was lost.
Nick Madison, in a frantic voice, calls your firm, Super Computer Forensics Company, which is located in Atlanta, GA, and requests your professional services.
Nick asks you to recover the data from all 200 computers infected by the virus. You tell Nick that you will need 10 computer forensics professionals to assist you with this investigation and that it will cost him a lot of money, to which Nick says, "Money is not an issue as long as the data is recovered successfully".
How will you investigate this incident?
Answer:
1. Imaging 200 computers: assuming the capacity of each hard disk is 100 GB, you will need to make at least 2 bit-stream copies of each original hard disk (a standard forensics practice: one working copy and one archival copy).
2. That means 2 x 100 GB x 200 computers = 40,000 GB of storage space to begin the investigation.
3. Your forensic laboratory does not have storage capacity of such a size.
4. You ask freelance computer forensics investigators in Rochester whether they would like to join you in the investigation. They agree after negotiating a high per-day fee with you. 10 of the freelancers join you for this investigation.
5. You and your forensics team visit First Commercial Bank and remove the virus-infected hard disks from the computers.
6. Place the hard disks carefully in anti-static bags and transport them to the forensics laboratory.
7. Your forensics laboratory is piled up with the hard disks of First Commercial Bank.
8. You rent 50,000 GB of EMC rack storage from Disaster Recovery Centre Inc. in New York City.
9. Disaster Recovery Centre Inc. sends the huge racks in a special truck to your forensics laboratory.
10. You and your team of forensics investigators make bit-stream images of the hard disks using tools such as FTK Imager and EnCase, through write blockers.
11. You also generate MD5 or SHA1 hashes of the originals and of the bit-stream images, and confirm they match.
12. You prepare the chain of custody and store the 200 original hard disks in a secure location. You would be investigating the bit-stream image copies.
13. You take a single hard disk image to study the possibility of recovering the data.
14. You use R-Drive Image to load the image onto a free partition on the local computer.
15. The loaded image shows as a D: drive of 70 GB.
16. You scan the D: drive and notice that all the files have been deleted and the drive is not readable.
17. You install the "Handy Recovery" utility and view the deleted partitions on the D: drive. It shows that 5 partitions have been deleted.
18. You restore all 5 partitions along with the deleted files to your local C: drive. You also note that all recovered files are intact and in good condition.
19. The reason you could successfully restore the data was that the deleted data had not been overwritten. The virus removed the partition entries but did not wipe the sectors; malware that actually overwrites the data would have made this recovery impossible, which is why recovery is attempted on the image before anything else is written to the disks.
20. You follow the same procedure to successfully recover the data on the remaining 199 hard disks.
21. You call Nick, tell him that your team was successful in restoring the data, and ask how he would like the recovered data to be delivered.
22. Nick tells you to format the existing hard disks and load the recovered data onto each hard disk.
23. Your team produces a forensics report and delivers the report along with the 200 hard disks to Nick.
24. You wipe the data on the rented EMC storage servers and return the servers to Disaster Recovery Centre Inc.
25. You charge First Commercial Bank for your professional services as follows:
a. Your team consists of 10 investigators plus you. In total you are an 11-member team.
b. Your team works 8 hours a day for 4 days.
c. The 10 investigators are charged at $200 per hour each.
d. The rental charges for the EMC storage servers cost you $8,000 for 4 days.
e. Transportation charges for the rented EMC rack servers, hotel charges, car rental, and airfare for travel to New York and back cost you $20,000.
f. Your own professional fee for the forensics investigation service is $18,000.
g. Total cost = 8 x 200 x 10 x 4 + 8,000 + 20,000 + 18,000 = $110,000.
26. You invoice First Commercial Bank for the service rendered.
Case Study 7: Sabotage
Keith Robertson works at Sancong Mobile Manufacturing Company in Barcelona, Spain. This company designs mobile phone interfaces and GUIs for popular vendors. Sancong has become a market leader within a short time. Keith was involved in designing the latest Motorola Razor phone. He managed to design a GUI for the phone which rivals Apple's iPod designs. The company uses the Maya 3D application for its design work. He was proud of his design and had secretly planned to offer it to Sancong's competitors. He contacted Sancong's competitor Jentech and struck a deal to sell them the design. A week later, Keith tendered his resignation to Sancong and left the company. Sancong's engineers were shocked to notice that many of the mobile phone designs on Keith's computer were missing. Millions of dollars had been spent on research and development for these designs, especially the new Motorola Razor phone design. This situation looks bad for Sancong. Keith had sabotaged the designs before he left the company. Keith's system was never backed up due to the highly confidential nature of the work. Only Keith had access to these designs.
The CEO of Sancong, Mr. Julian Rod, was very disturbed. The company stands to lose millions of dollars if the designs are leaked. Sancong had planned to patent the designs so that it could license the technology to mobile telephone manufacturers around the world.
Mr. Julian Rod has read success stories of your computer forensics investigations around the world. He is also aware that you are a respected CHFI professional and a CEH. He hires you to investigate and provide evidence of Keith's sabotage, and to retrieve the data.
How will you investigate this incident?
Answer:
1. Visit Keith's desk and remove the hard disk carefully from his Dell Dimension 372 office computer.
2. Place the hard disk carefully in an anti-static bag and transport it to the forensics laboratory.
3. Create a bit-stream image of the hard disk using tools such as FTK Imager or EnCase, through a write blocker.
4. Generate MD5 or SHA1 hashes of the original disk and of the bit-stream image, and confirm they match.
5. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
6. You are ready for investigation.
7. You are asked to retrieve the following evidence:
a. Any evidence of Keith's role in the sabotage.
b. The design data itself.
8. You load the bit-stream image in the FTK toolkit and search for the Maya 3D graphic design files.
9. The FTK search shows zero results.
10. You search deleted data, deleted partitions and slack space. FTK again shows no results. The other files are intact without any corruption; only the Maya 3D files are missing.
11. FTK shows that there are 11,200 files present on the hard disk.
12. You start analyzing every single file on the hard disk, which is time consuming.
13. You come across one interesting file called "BeastMan.exe" in the c:\Windows\System32 directory.
14. You become suspicious about this file and search Google to find out more about this program.
15. The "BeastMan.exe" program is used to permanently wipe data from a computer so that recovery of the files is impossible.
16. At this stage of the investigation you suspect that Keith used this program to destroy the Maya 3D graphic files.
17. You want to confirm the suspicion.
18. You call Mr. Julian Rod and ask him to send the backup tapes of the router, firewall, DHCP, IDS and proxy server log files.
19. The next day a FedEx box arrives from Mr. Julian Rod with 4 sets of Sony backup tapes.
20. You create bit-stream images of these tapes and load them into FTK.
21. You search the proxy log file called "checkpointproxy.dat" using the search string "BeastMan.exe".
22. FTK returns a few results (client IP, server IP, time, date, request):
Client IP   Server IP        Time      Date        Request
10.0.0.7    64.233.189.104   10:36:12  17/08/2006  http://www.google.com/search?hl=en&hs=VSa&client=firefoxa&rls=org.mozilla:enUS:official_s&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=how+to+permanently+delete+Maya+3d+file&spell=1
10.0.0.7    207.3.4.4        10:37:03  17/08/2006  GET /Trojans wipers/BeastMan/index.htm
10.0.0.7    207.3.4.4        10:37:13  17/08/2006  GET /Trojans wipers/BeastMan/beastman.jpeg
10.0.0.7    207.3.4.4        10:37:22  17/08/2006  GET /Trojans wipers/BeastMan/help.txt
10.0.0.7    207.3.4.4        10:37:33  17/08/2006  GET /Trojans wipers/BeastMan/contact.htm
10.0.0.7    207.3.4.4        10:37:40  17/08/2006  GET /Trojans wipers/BeastMan/rule.htm
10.0.0.7    207.3.4.4        10:37:51  17/08/2006  GET /Trojans wipers/BeastMan/beastman.exe
23. Based on these logs, you confirm that the machine at 10.0.0.7 searched Google for a utility that securely deletes Maya 3D files from a system.
24. The machine at 10.0.0.7 then visited a site at 207.3.4.4 and downloaded a program named "beastman.exe".
25. You now need to establish which machine used IP address 10.0.0.7 on 17/08/2006 at 10:37.
26. You open the DHCP log file called dhcp.log and search for 10.0.0.7 and 17/08/2006.
27. FTK shows you one result. The text is as follows:
Lease duration: 180mins, DHCP scope: 0, IP 10.0.0.7, subnet mask 255.255.255.0, MAC 00-11-11-A0-5A-47
Check that the lease's start time plus its 180-minute duration brackets 10:37; once a lease expires the same address can be issued to a different MAC, and an expired lease would point at the wrong machine.
28. You confirm that the computer at Sancong with the MAC address 00-11-11-A0-5A-47 was used to download the BeastMan program.
29. You conduct further investigation and confirm that the MAC address belongs to Keith's computer.
30. You would still need to show that Keith was at his desk at that time and that he was the one who downloaded the program.
31. You call Mr. Julian Rod and ask what physical security policies and authentication system the company uses in the building for its employees.
32. Mr. Julian replies that every employee has a company ID card and must use this card to access every department section they enter. He also says that there are CCTV cameras in the ceiling of every department in the company and the images are recorded to DVD 24x7.
33. You ask Mr. Julian to send you the log files of physical access card data and copies of the CCTV DVD recordings.
34. The next day you receive from Mr. Julian a FedEx box with the above items.
35. New access control log files are created every day of the week. You search through the access control log file named "acccntrl170806".
36. You see an entry like this:
Acc3742 EMP2316 Keith Robertson 17 08 06 10:24:34 Auth type: cardscan Status: success Room: 37
37. The above log confirms Keith Robertson used his card to gain access to Room 37 at 10:24:34, thirteen minutes before the download. This places him in the room that holds his desk while "BeastMan.exe" was being downloaded.
38. This alone does not prove that Keith was the one who downloaded it. It could be the act of someone sitting at his computer while Keith was elsewhere in the department.
39. CCTV video recordings are created and stored as new files every day on DVD.
40. You scan through a few DVDs and locate the file "CCTVrecording170806.mpeg".
41. You play the file in Windows Media Player and position the frame at time 10:36:00.
42. You see Keith Robertson sitting in front of his computer, looking intently at the screen while talking to someone on the phone.
43. Taken together, the proxy log, the DHCP lease, the badge record and the CCTV footage support the conclusion that Keith downloaded the file and destroyed the data; no single record does so on its own, and the report should lay out the chain of correlation explicitly.
44. You have the necessary evidence of Keith's hand in the sabotage. But the files could not be recovered, as the data had been wiped using "BeastMan.exe".
45. You copy these files to a CD-ROM.
46. You use the FTK report facility to produce a professional report which includes the evidence from the proxy logs, DHCP logs, access control logs and the CCTV disc.
47. You deliver the report to Mr. Julian Rod and issue an invoice to Sancong Mobile Manufacturing Company for payment for your service.
Based on your evidence, Mr. Julian Rod files a lawsuit against Keith Robertson for sabotage and
destruction of confidential data. Mr. Julian Rod is claiming $6.7 million as damages.
Case Study 8: Child Pornography
GlobalDVD is a multinational company headquartered in San Antonio, Texas, with branch offices
in Atlanta, Los Angeles, New York and Chicago. GlobalDVD manufactures DVD covers and
produces DVD discs for big movie companies such as Warner Brothers, Paramount Pictures and
Universal Studios. The company's annual turnover exceeds $8 billion.
The Atlanta operation is headed by Robert Stevens. The CEO of GlobalDVD, Mathew Jacobson,
suspects that Robert has been using the company's disc duplicating machines for illegal purposes.
The disc duplicating machine consists of a rack of Dell servers with 10 DVD writers installed. It is
meant to produce multiple copies of a DVD from a single ISO image.
Mathew confronts Robert about illegal activity going on in the Atlanta manufacturing
plant, because he had heard rumors about it. Robert coolly denies the accusations.
After two weeks Robert sends an email to Mathew saying that the disc duplicating machine has
been stolen. The insurance company was involved in the investigation.
Later, one of the office employees states that the disc duplicating machine is on sale on eBay for
$5,000. The picture of the machine posted on eBay confirms that it is GlobalDVD's disc
duplicating machine. The seller is in Pakistan. Mathew buys the machine using his credit
card.
Mathew calls you to help him to nail Robert.
How would you investigate this incident?
Answer:
1. You visit Mathew's office and pack the disc duplicating machine.
2. You carefully transport it to the forensics laboratory.
3. You open the disc duplicating machine carefully and remove the hard disk, which has a
capacity of 1.5 TB.
4. You create a bit-stream image of the huge hard disk using dd command in Linux.
5. Generate MD5 or SHA1 hashes of the bit stream image.
6. Prepare the chain of custody and store the original hard disk in a secure location. You
would be investigating the bit stream image copy.
7. You are ready for investigation.
8. You are asked to retrieve:
a. Any evidence of Robert's illegal activities
9. You mount the hard disk image in Autopsy (The Sleuth Kit's front end) on Linux.
10. You search for files on the disk and find nothing. The file system is completely empty. You
conclude that the eBay seller in Pakistan deleted all the files before putting the
machine up for sale on eBay.
11. You load Linux undelete and file carving utilities and run a thorough scan of the hard disk image.
12. You find the following interesting deleted files:
a. 1200 JPEG files
b. 700 GIF files
c. 2000 MPEG files
d. 3500 XLS documents
e. 7000 .htm files
f. 13 ISO files
13. You extract all the files to your forensic workstation and view them.
14. You are shocked to find child pornography images among the deleted files.
15. Things get serious now. You start viewing the document files and find one
interesting file labelled "ahmedinvoice.doc". You open this file and have a look. It
is an invoice sent from Robert Stevens to Ahmed Jamaluddin in Islamabad, Pakistan,
billing him for 2000 DVDs of "Sex with 10 year old Little Angie-never seen footage".
16. The invoice is evidence that Robert used GlobalDVD's disc duplicating device
to make the child pornography DVDs and sold the discs, along with the machine, to a
buyer in Pakistan.
17. You scan through the deleted ISO files and recover a file called angie.iso.
18. You load this in your Myhome2DVD player.
19. You find that it is a child pornography video of a little girl called Angie.
20. You immediately stop the investigation at this point.
21. You call Mathew and inform him that you are in possession of evidence that must be
handed over to the local law enforcement agency, and you seek his advice on how to proceed with
the investigation.
22. Mathew replies that he will get the company's lawyer to contact the FBI to take over the
case from you.
23. Mathew tells you to stop the investigation immediately and secure the evidence until the FBI arrives.
24. You conclude the investigation by handing over all the evidence, including the original disk,
the bit-stream image and your working copies, to the FBI under a documented chain of custody.
25. Only at the FBI's direction, once the handover is recorded, do you wipe any remaining copies of
the child pornography images and videos on your local computer with a disk wipe utility; nothing
is retained, and nothing is destroyed before the transfer is documented.
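Steps 9 to 12 above describe the fallback that every "undelete" scan ends up at once directory entries are gone: reading the raw image for known file headers and footers and carving out whatever lies between them. The following is an added example, not EC-Council's code or any particular tool's, of that signature-based carving in Python over a constructed image. The signature table, the sector layout and the three embedded payloads are assumptions for the demo; real carvers such as foremost, scalpel or photorec carry hundreds of signatures and handle fragmented files, which this version deliberately does not.

```python
import hashlib

# Added example (not EC-Council's code): signature-based carving over a raw image.
# Deliberately small, assumed signature set: (header, footer) per type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),   # JPEG SOI ... EOI
    "gif": (b"GIF8", b"\x00\x3b"),           # GIF87a/89a ... trailer
    "htm": (b"<html", b"</html>"),
}
MAX_CARVE = 8 * 1024 * 1024  # give up on a header with no footer within 8 MiB


def carve(image: bytes) -> list:
    """Return carved objects sorted by offset; each is hashed so it can go straight into the evidence log."""
    results = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + MAX_CARVE)
            if end == -1:                      # orphan header: skip it and keep scanning
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            blob = image[pos:end]
            results.append({
                "ext": ext, "offset": pos, "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(), "data": blob,
            })
            pos = image.find(head, end)        # resume after this object
    results.sort(key=lambda r: r["offset"])
    return results


# ---- constructed test image: three "deleted" files sitting in zeroed free space ----
SECTOR = 512
_BODY = bytes(range(0x41, 0x5B)) * 40        # 1040 bytes of A..Z, contains none of the signature bytes
JPEG_BLOB = b"\xff\xd8\xff\xe0\x00\x10JFIF" + _BODY + b"\xff\xd9"
GIF_BLOB = b"GIF89a" + _BODY + b"\x00\x3b"
HTML_BLOB = b"<html><body>invoice</body></html>"


def build_test_image() -> bytes:
    """Zeroed 32 KiB 'partition' with the payloads at sector boundaries and no directory entries left."""
    img = bytearray(SECTOR * 64)
    for offset, blob in ((8 * SECTOR, JPEG_BLOB), (24 * SECTOR, GIF_BLOB), (40 * SECTOR, HTML_BLOB)):
        img[offset:offset + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for r in carve(build_test_image()):
        print(f"{r['ext']}  offset={r['offset']:>6}  size={r['size']:>5}  sha256={r['sha256'][:16]}...")
```

Carved objects have no file name, timestamp or owner; those come from the file system metadata that was deleted, so the carved output alone says what was on the disk, not who put it there or when. Hash every carved object as it is produced, and treat the count of objects with real caution: a JPEG thumbnail embedded in a document carves as a separate "file".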
Case Study 9: Steganography
Joan Shelly works at Texas National Bank in Dallas, Texas as a corporate loan officer. She
resigned from the bank recently. Don Johnson, the CEO of the bank, suspects that Joan used her
position to send confidential loan information to someone outside the bank. This investigation
must be carried out in complete confidentiality due to FDIC requirements.
Don calls you to investigate and prove Joan's crime, which is theft of confidential data.
How would you carry out this investigation?
Answer:
1. You ask Don to send the hard disk of Joan Shelly's computer to your office for
investigation.
2. You also give Don instructions on how to remove the hard disk from the computer and
how to package it for transportation.
3. Don complies with your request and sends you the hard disk by overnight FedEx
shipping.
4. You create a bit-stream image of the hard disk using dd command in Linux.
5. Generate MD5 or SHA1 hashes of the bit stream image.
6. Prepare the chain of custody and store the original hard disk in a secure location. You
would be investigating the bit stream image copy.
7. You are ready for investigation.
8. You are asked to retrieve:
a. Evidence of transmission of confidential documents to others.
9. You load the image in EnCase and search for files.
10. EnCase shows zero results.
11. You scan for deleted partitions and for formatted partitions, with no results.
12. Without any valid data on the hard disk you are unable to continue with the
investigation.
13. You pick up the phone, call Don and tell him that there is no data on the hard disk
for you to continue with the investigation.
14. Don replies that the bank's IT department wipes the entire hard disk of every outgoing
employee with an unrecoverable disk wipe program.
15. You tell Don "That makes sense!"
16. You ask Don whether you can have copies of the mail server logs for the investigation. He says
that is possible, because the bank backs up the Exchange server's log files every day.
17. The next day you receive a FedEx envelope containing CDs of Exchange log files.
18. You scan through the Exchange server log files and find that Joan has been sending
messages with no body text to henry@xsecurity.com.
19. You see that there are about 10 emails sent to this address with no message body, each
carrying an attachment of an apparently blank text file.
20. You wonder why she sent so many emails with empty files, since each "blank" file is
500 KB in size.
21. You suspect the blank files contain hidden (steganographic) data.
22. You run the snow whitespace steganography utility against the blank files and, to your
amazement, it extracts the confidential loan profiles of 6,000 of the bank's customers.
23. This evidence shows that Joan used steganography to conceal the data and send it
to a third party outside the company.
24. You prepare the report in PDF format and deliver it with the evidence CD to Don, along
with an invoice for your professional service.
Don initiated a lawsuit against Joan Shelly for theft of confidential information.
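The mechanism behind steps 19 to 22 is worth seeing in working code: a text file can be "blank" and still 500 KB because whitespace is data. The following is an added example, not EC-Council's code and not snow itself, of a simplified whitespace scheme in the spirit of snow: each payload byte becomes eight trailing characters on one line, space for 0 and tab for 1, either appended to the lines of a cover text or written as otherwise empty lines. It assumes no compression or encryption (real snow offers both) and that the cover text has no trailing whitespace of its own. The loan record used as the payload is constructed for the demo.

```python
# Added example (not EC-Council's or snow's code): simplified trailing-whitespace steganography.
# Assumptions: space = 0, tab = 1, eight trailing characters per line, no compression/encryption.

def hide(secret: bytes, cover: str = "") -> str:
    """Append one payload byte as trailing spaces/tabs to each cover line (or to an otherwise empty line)."""
    bits = "".join(f"{b:08b}" for b in secret)
    cover_lines = [ln.rstrip(" \t") for ln in cover.split("\n")] if cover else []
    out = []
    for n in range(0, len(bits), 8):
        visible = cover_lines[n // 8] if n // 8 < len(cover_lines) else ""
        out.append(visible + "".join("\t" if c == "1" else " " for c in bits[n:n + 8]))
    out.extend(cover_lines[len(out):])          # leftover cover lines carry nothing
    return "\n".join(out) + "\n"


def reveal(text: str) -> bytes:
    """Read the trailing whitespace of every line back into bytes; lines without it carry nothing."""
    bits = []
    for line in text.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        bits.extend("1" if ch == "\t" else "0" for ch in trailing)
    usable = len(bits) // 8 * 8
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, usable, 8))


def whitespace_profile(text: str) -> dict:
    """Triage check for a 'blank' attachment: how much of it is trailing whitespace?"""
    lines = text.split("\n")
    total = len(text.encode())
    visible = sum(1 for ch in text if ch not in " \t\r\n")
    trailing = sum(len(ln) - len(ln.rstrip(" \t")) for ln in lines)
    suspicious = total > 0 and (visible == 0 or trailing > total // 2)
    return {"bytes": total, "visible": visible, "trailing_ws": trailing, "suspicious": suspicious}


if __name__ == "__main__":
    record = b"ACCT 20391, J. Smith, commercial loan USD 250,000"   # constructed sample record
    blank = hide(record)
    print(whitespace_profile(blank))        # visible=0, suspicious=True
    print(reveal(blank))
```

At nine bytes of carrier per payload byte, a 500 KB "blank" file carries roughly 55 KB, enough for thousands of short customer records, so the file sizes in step 20 are the tell. Handle such an attachment as a binary object: any editor or mail gateway that trims trailing whitespace destroys the payload, and with it the evidence.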
Case 10: Trademark Infringement
Martin Spencers, Inc. is a clothing manufacturing chain in San Jose, Texas.
They had designed the latest collection of Men’s Summer Shirts. These designs were considered
unique in the marketplace. They have spent many years in developing these designs. Martin
Spencers also trademarked these designs. They published these designs on the Internet in 2005
for custom licensing.
Another company, Jaco Designs, based in London, had similar designs and was offering them for
sale worldwide. The CEO of Martin Spencers, Mr. Alfred Stonwell, was shocked to learn that Jaco
Designs had copied the designs from his company.
Mr. Alfred filed a trademark infringement lawsuit against Jaco Designs in London. The lawyers at
Jaco Designs argued that their client created the designs first and had not seen or heard about the
Summer clothing designs from Martin Spencers. They also argued that they have not even seen
the designs at Martin Spencers website www.martinspencersx.com in 2005. Jaco Designs claims
that the designs created by them are original.
Mr. Alfred calls you (the forensic investigator) to prove them wrong.
How would you handle this trademark infringement case?
Answer:
1. You would need to prove that Jaco Designs was aware of the Summer Shirt designs.
2. Martin Spencers published the entire catalog with the disputed designs on the website on
3rd March 2005.
3. You should look for evidence that shows the staff at Jaco Designs visited the website at
www.martinspencersx.com
4. Ask Alfred whether they have kept the backup copies of web server log files for the past
two years. The current year is 2006.
5. Alfred checks with the IT department and arranges to send you backup tapes of IIS web
server log files since the year 2004.
6. The next day you receive a FedEx box from Alfred which contains 20 backup tapes.
7. You copy the data from all the tapes to your hard disks. There are about 300 GB of data.
8. You prepare a chain of custody and store the backup tapes in a secure location
9. You look up Jaco Designs' IP address at Netcraft by searching for the domain
name www.jacodesignsx.com.
10. Netcraft shows that the domain resolves to 207.3.3.3.
11. You double-check this with a forward DNS lookup of the name and a reverse lookup of the
address, and both agree on 207.3.3.3. Note that this is the address of Jaco's web server; a
company's outbound browsing can leave from a different address (a proxy or NAT gateway), so a
hit on this address in the logs should be corroborated with Jaco's ISP or hosting records.
12. Now you are ready for a serious search.
13. You search the entire set of IIS logs with the Microsoft IIS Log Parser utility for the IP address
207.3.3.3.
14. The search returns the following entries:
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.gif
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 10/13/04, 2:55:16, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.gif
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.htm
207.3.3.3, -, 11/23/04, 13:05:52, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.pdf
207.3.3.3, -, 03/03/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
207.3.3.3, -, 03/03/05, 10:55:21, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
207.3.3.3, -, 03/03/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
199.7.8.2, -, 03/15/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
199.7.8.2, -, 03/15/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
199.7.8.2, -, 03/15/05, 10:55:24, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
15. The above log entries show that Jaco Designs (207.3.3.3) visited
www.martinspencersx.com and downloaded the PDF document.
16. You also note that an IP address, 199.7.8.2, accessed the Summer Design catalog that month.
17. A search for the IP address (WHOIS and a web search) shows that it belongs to Jaco Designs'
law firm, Manchester Law Associates, which is located in London.
18. This shows that not only had the people at Jaco Designs seen the Summer Shirt designs,
but their law firm had also visited the website www.martinspencersx.com.
19. You prepare the report in PDF format and deliver it with the evidence CD to Alfred, along
with an invoice for your professional service.
20. Based on your forensic evidence, Martin Spencers was awarded $2.3 million by the
High Court in London for wilful trademark infringement.
21. Jaco Designs plans to appeal the judgment.
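Steps 13 to 18 rest on pulling every request from one client address out of two years of web server logs and dating the first one. The following is an added example, not EC-Council's code and not Microsoft's Log Parser, of that search in Python over the entries shown in step 14. The column mapping is assumed from the legacy comma-separated "Microsoft IIS log format"; the page's entries carry 13 fields, so the server-IP and parameters columns of that format are absent here. The final 404 line in the sample is constructed, to show why the status filter matters.

```python
from datetime import datetime

# Added example (not EC-Council's or Microsoft's code): searching legacy IIS-format logs by client IP.
# Assumed column order for the 13-field entries seen on this page.
FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "target"]


def parse_iis_log(text: str) -> list:
    """Parse comma-separated IIS-format lines; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def summarize_ip(records: list, client_ip: str, prefix: str, success_only: bool = True) -> dict:
    """What did one address fetch under a URL prefix, and when did it first do so?"""
    hits = [r for r in records
            if r["client_ip"] == client_ip and r["target"].startswith(prefix)
            and (r["status"] == 200 or not success_only)]
    hits.sort(key=lambda r: r["when"])
    return {
        "count": len(hits),
        "first": hits[0]["when"] if hits else None,
        "last": hits[-1]["when"] if hits else None,
        "files": sorted({r["target"] for r in hits}),
        "pdf_downloads": sorted(r["target"] for r in hits if r["target"].endswith(".pdf")),
    }


# The entries from the page's log extract, plus one constructed 404 line (last) for the status filter.
SAMPLE_LOG = """\
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.gif
207.3.3.3, -, 10/13/04, 2:55:14, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 10/13/04, 2:55:16, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog.htm
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.gif
207.3.3.3, -, 11/23/04, 13:05:50, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.htm
207.3.3.3, -, 11/23/04, 13:05:52, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog2.pdf
207.3.3.3, -, 03/03/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
207.3.3.3, -, 03/03/05, 10:55:21, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
207.3.3.3, -, 03/03/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
199.7.8.2, -, 03/15/05, 10:55:20, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.gif
199.7.8.2, -, 03/15/05, 10:55:23, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.htm
199.7.8.2, -, 03/15/05, 10:55:24, W3SVC2, Martinsp, 4502, 163, 3223, 200, 0, GET, /summerdesign-catalog3.pdf
207.3.3.3, -, 03/04/05, 9:12:00, W3SVC2, Martinsp, 31, 163, 1433, 404, 2, GET, /summerdesign-catalog4.pdf
"""

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for ip in ("207.3.3.3", "199.7.8.2"):
        print(ip, summarize_ip(recs, ip, "/summerdesign-catalog"))
```

A 404 is a request, not a download, which is why `success_only` defaults to true; keep the failed requests in the report anyway, since they still show the address was looking. Before putting an address in a report, pin down who held it on each date: the owner of an IP address in 2004 is a matter for the registry's historical records, not a present-day lookup.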
Case 11: Encrypted Documents
Mason Stevens works as a software programmer at IT-Defense Solutions Pte. Ltd. in Singapore.
He was involved in programming the Ballistic Missile Management application. It was a top-secret
project, and he was the only one involved in it. No backups were made due to the
sensitive nature of the project.
Mason had written about 200,000 lines of C++ source code and had almost completed the
project.
Mason resigned from the company due to work pressure and internal office politics.
He submitted the entire project, including its documentation, on DVD discs to his boss
Mr. Lloyd Seen. He cleared his desk and left the company for another IT job in Japan.
Mr. Lloyd looks at the submitted DVDs and finds about 230 C++ source code files but the core
source code component (hook.dll and bindc.dll files) for the Ballistic Missile project was
encrypted and password protected. Without these files the entire project is useless.
Mr. Lloyd is under tight pressure to show a full working prototype of this application to
prospective buyers from Russia in 2 days, failing which the company would lose the entire
contract, which is worth several million dollars. Mr. Lloyd might also lose his job over the no-show.
Mason's whereabouts are unknown at this stage.
Mr. Lloyd calls you, the forensic investigator to unlock these files.
How will you do it?
Answers:
1. You ask Mr. Lloyd to send you a copy of the core source code component on a CD.
2. Next day you receive a shipment from Mr. Lloyd through FedEx. The shipment contains
the CD which had the core source code component.
3. You create a bit-stream image of the CD using dd command in Linux.
4. Generate MD5 or SHA1 hashes of the bit stream image.
5. Prepare the chain of custody and store the original CD in a secure location. You would
be investigating the bit stream image copy.
6. You are ready for investigation.
7. You are asked to retrieve:
a. Crack the password on the file component.zip
8. You load the password recovery tool "Advanced Zip Password Recovery" and launch a
dictionary attack, falling back to brute force, against the file component.zip.
9. You leave the program running.
10. In six hours the password recovery tool recovers the password of the encrypted file
component.zip.
11. The recovered password is "juggyboy97X".
12. You copy the files to a CD.
13. You prepare the report in a PDF format and personally deliver the evidence CD to Mr.
Lloyd the same day along with an invoice for your professional service.
14. The entire investigation was concluded in 8 hrs.
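Steps 3 to 5 above, and the same steps in Case Studies 8 and 9, compress the whole acquisition into "dd, then hash". The following is an added example, not EC-Council's code, showing in Python what `dd if=/dev/sdX of=evidence.dd bs=512 conv=noerror,sync` followed by `sha1sum`/`md5sum` actually does, including the part that matters on a damaged disk: an unreadable block is logged and zero-filled so that every later offset in the image still lines up with the original. `FlakyDisk` is a constructed stand-in for a block device with one bad sector; on a real device the source is opened read-only behind a hardware write blocker.

```python
import hashlib
import io

# Added example (not EC-Council's code): block-level acquisition with hashing,
# mirroring dd conv=noerror,sync plus md5sum/sha1sum. FlakyDisk is a constructed
# stand-in for a device that returns an I/O error for one sector.


class FlakyDisk:
    def __init__(self, data: bytes, bad_offset: int, block_size: int):
        self._buf = io.BytesIO(data)
        self._bad = bad_offset
        self._bs = block_size

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if pos == self._bad:
            self._buf.seek(pos + self._bs)        # the kernel moves past the bad sector; so must the imager
            raise OSError("Input/output error")
        return self._buf.read(n)


def acquire(src, dst, block_size: int = 512) -> dict:
    """Copy src to dst block by block; return byte count, bad-block offsets and acquisition hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    offset, bad_blocks = 0, []
    while True:
        try:
            block = src.read(block_size)
        except OSError:
            bad_blocks.append(offset)             # conv=noerror: record it and keep going
            block = b"\x00" * block_size          # conv=sync: zero-fill so later offsets stay aligned
        if not block:
            break
        block = block.ljust(block_size, b"\x00")  # conv=sync also pads a short final read
        dst.write(block)
        md5.update(block)
        sha1.update(block)
        offset += len(block)
    return {"bytes": offset, "bad_blocks": bad_blocks,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquire_to_bytes(src, block_size: int = 512):
    """Convenience wrapper: image into memory and return (image, acquisition record)."""
    out = io.BytesIO()
    rec = acquire(src, out, block_size)
    return out.getvalue(), rec


def verify(image: bytes, record: dict) -> bool:
    """Re-hash the stored image independently; repeat this before and after every analysis session."""
    return (hashlib.md5(image).hexdigest() == record["md5"]
            and hashlib.sha1(image).hexdigest() == record["sha1"])


if __name__ == "__main__":
    disk = FlakyDisk(bytes(range(256)) * 16, bad_offset=1024, block_size=512)
    image, record = acquire_to_bytes(disk)
    print(record)
    print("verified:", verify(image, record))
```

The hashes in the record are hashes of what was written, so on a disk with bad sectors the "hash of the original" the report promises is really the hash of the image as acquired; say so in the report and list the zero-filled offsets. Recording both MD5 and SHA-1, as the steps above suggest, is the minimum; adding SHA-256 costs nothing and spares an argument in court about MD5 collisions.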
Case 11: Expert Witness
A high-flying lawyer in Georgia, Mr. Bond Level, is handling the divorce case of Mr. and Mrs. Steve
Rally. Mr. Bond represents Steve, while Mr. Green Smith represents Steve's wife Sheela. Mr. Bond
has presented several e-mail messages as forensic evidence to prove that Sheela was
having an extra-marital affair with her hairstylist and was cheating on her husband. This is the
reason why Steve was seeking a divorce.
In Orange County civil court, the lawyers argue about the validity of the e-mail evidence. The
lawyer, Green Smith emphasizes that his client never sent the e-mail messages, and it should not
be accepted as evidence.
Mr. Bond needs to prove that the e-mail messages are in fact authentic. He calls you (forensic
investigator) to visit the courtroom as expert witness.
How will you proceed?
Answers:
Court Scene at Orange County Local Civil Court
You take the stand as expert witness.
[Mr. Bond Level]: Please state your name and designation.
[You]: My name is Jonathan Shelly and I am the Forensics Investigator at Data Forensics
Communications Inc.
[Mr. Bond Level]: Can you please state your qualifications?
[You]: I have a Masters of Security Science (MSS) degree from EC-Council and have a Bachelors
Degree in Information Technology from New York University. I also hold various professional
certifications such as MCSE, CISSP, CEH, CHFI and CCNA.
[Mr. Bond Level]: Wow! That is very impressive Mr. Jonathan. What experience do you have in
the field of computer forensics?
[You]: I am a Computer Hacking Forensics Investigator and I hold the CHFI certification from
EC-Council. I also attended formal 5 day training on the above certification.
[Mr. Bond Level]: Those are your professional qualifications. What the Court would like to know
is your experience in investigating computer forensics cases.
[You]: I have attended many corporate sexual harassment internal investigations involving
computers. I have investigated various terrorist related cases for the Homeland Security
Department.
[Mr. Bond Level]: Could you discuss these cases so that we know how qualified you are?
[You]: I am sorry, I won't be able to discuss the cases here as I have signed a non-disclosure
agreement with my clients, unless the court issues me an order.
[Mr. Bond Level]: That’s alright. Have you published any books, whitepapers, articles etc?
[You]: I have written a book titled “CHFI Study Guide” for McGraw-Hill. I have contributed many
articles at http://portal.eccouncil.org. I have also presented papers at various Hacker Halted
conferences around the world.
[Mr. Bond Level]: I agree you are a computer forensics expert. Can you please take a look at
Exhibit A, which contains the email messages sent from Mrs. Sheela Rally to her hairstylist, Mr.
Rouba Bandoras? Could you tell me if this email message is a legitimate message?
Return-Path: <shellyd@xjewellery.com>
X-SpamCatcher-Score: 1 [X]
Received: from [207.3.3.3] (HELO xjewellery.com) by fe3.xjewellery.com (CommuniGate Pro SMTP 6.1.2)
    with ESMTP-TLS id 61258719 for roubx@xmenc.com; Mon, 23 Aug 2004 09:40:10 -0400
Message-ID: <4129F3CA.2020509@xjewellery.com>
Date: Mon, 23 Aug 2004 09:40:26 -0400
From: Sheela Rally <shellyd@xjewellery.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1)
Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Rouba Bandoras <zroubx@xmenc.com>
Subject: Your Sexy Girl Alone at home
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Message:
Dear Rouba Bandoras,
My husband is going on a business trip to Italy on the 25th of this
month. He will be back on the 29th. Let’s meet at our usual hotel
Hilton Suite 333 at 8.0 PM tomorrow. I will wait for you with roses,
red wine and no clothes on me :)
Its party time honey! Today is very special because we are celebrating
20 weeks of our secret affair.
With lots of love
Sheela Rally
[You]: Yes, I investigated this email header and I confirm the following:
• The email was sent from Sheela Rally to Rouba Bandoras.
• The IP address of the email server was correct and it was routed through 207.3.3.3 which confirms her domain xjewellery.com
• I have computed the Message ID of the SMTP server and it is accurate.
[Mr. Bond Level]: In other words this email message cannot be forged, right?
[You]: Yes
[Mr. Bond Level]: Could you tell the court if there is any possibility for the message to be bogus?
[You]: No. The message server logs also show that the message id and the date sent matches with
Microsoft Outlook’s data from Mrs. Sheela Rally’s computer.
[Mr. Bond Level]: Are you sure? Very sure? This message is authentic and cannot be forged?
[You]: Yes
[Mr. Bond Level]: (you look at the judge) That’s all Your Honor.
[Judge]: Mr. Green Smith, would you like to cross examine the Expert Witness?
[Green Smith]: Yes Your Honor.
You walk up to the witness stand.
[Green Smith]: Mr. Jonathan Shelly, could you tell me exactly what technical skills do you
possess?
[You]: I’m sorry I do not understand the question
[Green Smith]: Let me rephrase the question. What Internet server technologies and client
technologies have you mastered till today?
[You]: I have worked with UNIX, Linux, Mainframe computers, Internet Programming
Languages, Microsoft Windows 2000, XP, 2003, Firewalls, IDS, Proxy servers, Routers etc. I have
20 years of experience in the IT field.
[Green Smith]: You have stated that you have conducted a forensics analysis on Mrs. Sheela
Rally’s computer and found the IP address to be the same on the server log files. Am I right?
[You]: The evidence file analysis was conducted using Encase, which was linked to ….
Green Smith interrupts you!
[Green Smith]: Please answer yes or no.
Judge intervenes.
[Judge]: Mr. Jonathan Shelly please answer the question.
[You]: (Looking at the judge) Yes Your Honor
[You]: Yes
[Green Smith]: Could you explain to the court what unique message id was created by the SMTP
server?
[You]: The message id was calculated by the SMTP server program using MD5 algorithm
[Green Smith]: What is MD5 algorithm Mr. Jonathan Shelly?
[You]: MD5 is a secure hashing function that converts an arbitrarily long data stream into a digest
of fixed size. It is conjectured that the difficulty of coming up with two messages having the same
message digest is on the order of 2^64 operations, and that the difficulty of coming up with any
message having a given message digest is on the order of 2^128 operations.
[Green Smith]: Thank you Mr. Jonathan Shelly. So this message cannot be duplicated using
another identical message id. Am I right?
[You]: Yes
[Green Smith]: Based on your experience, your professional qualifications, your technical
competency, is the email message authentic and cannot be forged?
[You]: Yes
[Green Smith]: Please take a look at Exhibit A and note the SMTP server CommuniGate Pro 6.1.2.
Can you tell me what that is?
[You]: CommuniGate Pro is an SMTP server program for the Linux operating system and is widely
used on embedded computers.
[Green Smith]: The email header shows that the message was routed through CommuniGate Pro
6.1.2 server. Am I right?
[You]: Yes
[Green Smith]: Once again based on your thorough investigation on the SMTP log files and Sheela
Rally’s computer hard disk image the message was routed through CommuniGate Pro 6.1.2
server, Yes or No?
[You]: Yes. 100% right!
[Green Smith]: Mr. Jonathan Shelly, I searched in Google for the term "CommuniGate Pro 6.1.2"
but could not find any results. I contacted several Linux professionals and asked them if there was
ever a CommuniGate Pro 6.1.2, and their answer was No. The latest version was 4.1.2. I contacted
the company vendor, Stalker Corporation, and asked them if they ever produced a CommuniGate
Pro 6.1.2 server, and their reply was No. They also mentioned that the banner message of the SMTP
server cannot be altered.
(Green Smith hands Exhibit C to the Judge, an email message sent from Stalker to
Green Smith)
[Green Smith]: Mr. Jonathan Shelly, please take a look at Exhibit A and tell me if this email
header is accurate and not forged
[You]: (pause…….pause……pause...) mmm…I’m not sure
(You look at the Judge)
[Green Smith]: This email message cannot be accepted as evidence. Thank you Your Honor.
(The Judge dismisses the email message as crucial evidence in the divorce case)
Note: Please make sure you conduct a thorough forensics investigation and be able
to justify the report 100% in the Court of Law. You just lost the case.
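The note above is the point of the whole case: the witness testified that the header "cannot be forged" without having run the checks that the cross-examination ran for him. The following is an added example, not EC-Council's code, of the header checks to run before taking the stand, using Python's standard `email` module over Exhibit A as printed above (the Received line reassembled on one line, the body omitted). It pulls each Received hop apart, compares the server's receipt time with the client-supplied Date header, compares the envelope recipient with the To header, and flags the advertised MTA string as something the header merely claims. Which of these are findings on this exhibit is decided by the exhibit itself, not by anything assumed here.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Added example (not EC-Council's code): pre-testimony sanity checks on an e-mail header.
# EXHIBIT_A is the header block shown on this page, Received line unfolded, body omitted.
EXHIBIT_A = """\
Return-Path: <shellyd@xjewellery.com>
X-SpamCatcher-Score: 1 [X]
Received: from [207.3.3.3] (HELO xjewellery.com)by fe3.xjewellery.com (CommuniGate Pro SMTP 6.1.2) with ESMTP-TLS id 61258719 for roubx@xmenc.com; Mon, 23 Aug 2004 09:40:10 -0400
Message-ID: <4129F3CA.2020509@xjewellery.com>
Date: Mon, 23 Aug 2004 09:40:26 -0400
From: Sheela Rally <shellyd@xjewellery.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Rouba Bandoras <zroubx@xmenc.com>
Subject: Your Sexy Girl Alone at home
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

(body omitted)
"""

# Matches the common "from [ip] (HELO name) by host (software) ... for rcpt" shape of a Received line.
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*\(HELO\s+(?P<helo>[^)\s]+)\)\s*"
    r"by\s+(?P<by>\S+)\s*\((?P<mta>[^)]+)\)"
    r"(?:.*?\bfor\s+<?(?P<rcpt>[^>;\s]+)>?)?",
    re.S,
)


def parse_received(value: str) -> dict:
    """Split one Received header into its claimed hop details plus the receiving server's timestamp."""
    value = " ".join(value.split())                      # unfold continuation lines
    m = RECEIVED_RE.search(value)
    hop = m.groupdict() if m else {}
    hop["timestamp"] = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    return hop


def analyze(raw: str) -> dict:
    """Return the parsed hops and a list of (code, detail) findings worth resolving before testifying."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    date_hdr = parsedate_to_datetime(msg["Date"])
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    for hop in hops:
        if hop["timestamp"] < date_hdr:                  # server stamped it before the client says it was sent
            findings.append(("DATE_LATER_THAN_RECEIVED",
                             f"server stamped {hop['timestamp']:%H:%M:%S} but Date header says {date_hdr:%H:%M:%S}"))
        if hop.get("rcpt") and hop["rcpt"].lower() != to_addr:
            findings.append(("FOR_MISMATCH", f"envelope recipient {hop['rcpt']} != To: {to_addr}"))
        if hop.get("mta"):
            findings.append(("MTA_UNVERIFIED",
                             f"'{hop['mta']}' is self-reported text; confirm it against the vendor and the receiving server's own logs"))
    msgid_dom = msg.get("Message-ID", "").rsplit("@", 1)[-1].rstrip(">").lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if msgid_dom and from_dom and msgid_dom != from_dom:
        findings.append(("MSGID_DOMAIN_MISMATCH", f"Message-ID domain {msgid_dom} != From domain {from_dom}"))
    return {"hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyze(EXHIBIT_A)
    for hop in result["hops"]:
        print("hop:", hop)
    for code, detail in result["findings"]:
        print(f"{code}: {detail}")
```

A Received line is written by the receiving server and is the only part of the header a sender cannot control; everything else, including the banner string the witness was asked about, is text that anyone who can write a file can type. Small clock skews between a client and a server are ordinary, so a timestamp finding is a lead to resolve against the mail server's own logs, not a conclusion, and that resolution is what should be in the report before anyone says "cannot be forged".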
Case Study 12: Racial Discrimination
Dr. Kent Rogers is a leading skin specialist in Bronx, New York.
One day, Raj Khanna, who is of Indian origin, visits the doctor to treat his black pigmentation skin
allergy. After conducting several clinical tests the doctor refuses to treat Raj for the allergy on his
face and asks him to seek treatment from the New York National Skin Center.
The following week Raj files a racial discrimination lawsuit against Dr. Kent Rogers in the New York
civil court for having refused to treat him.
Dr. Kent Rogers hires you (forensic investigator) to prove his innocence.
How will you handle this case?
Answer:
Dr. Kent Rogers discusses with you a series of threatening emails sent by Mr. Raj Khanna, who
wanted a refund on his treatment.
1. You visit Dr. Kent Rogers' clinic.
2. You remove the hard disk from Dr. Kent Rogers’ laptop.
3. You place the device carefully in anti-static bags and transport it to the forensics
laboratory.
4. You create a bit-stream image of the hard disk using tools such as R-Drive Image or the Linux dd
command.
5. You generate MD5 or SHA1 hashes of the bit stream images.
6. Prepare the chain of custody and store the original hard disk in a secure location. You
would be investigating the bit stream image copy.
7. You are ready for investigation.
8. You are required to retrieve:
a. Email messages sent by Dr. Kent Rogers to various medical practitioners
around the world discussing Mr. Raj Khanna's treatment, which would prove Dr. Kent
Rogers' innocence.
9. You use Paraben's E-mail Examiner to analyze the emails Dr. Kent Rogers sent
from MS Outlook 2003 under his email address drkentrogers@kentrogerscl.com.
10. The E-mail Examiner analysis shows a series of emails sent by Dr. Kent Rogers to
medical practitioners around the world enquiring about continuing the treatment
of Mr. Raj Khanna for his black pigmentation skin allergy.
11. The emails show other doctors warning Dr. Kent Rogers not to proceed with that
particular treatment for Mr. Raj Khanna, as he was suffering from a serious pigmentation
allergy: continuing the treatment would aggravate Mr. Raj Khanna's condition, and they
recommended that he seek treatment from New Skin Allergy Hospital.
12. This series of emails shows that the charges filed by Mr. Raj Khanna against Dr. Kent
Rogers are false.
13. You prepare the report of your forensics analysis in a PDF format and personally
deliver the evidence CD to Dr. Kent Rogers along with an invoice for your professional
service.
14. Dr. Kent Rogers hires an attorney to fight his case. Based on your forensics analysis and
the attorney’s legal explanation, the District Court Judge dismisses the racial
discrimination case against Dr. Kent Rogers.
15. Dr. Kent Rogers lost many clients due to the bad publicity in the press.
16. Dr. Kent Rogers files for a defamation case against Mr. Raj Khanna for a sum of $
500,000
Case Study 13:
Katherine was found murdered under the far eastern side of the San Francisco Bridge. Her body was
taken to the forensics laboratory, where the examination concluded that she had been raped and
murdered. The local police launch an investigation into the murder; they want to identify the culprits
and establish how she was killed. The chief investigator, Mr. Marty Smith, visits Katherine's house
and collects details about her from her parents. Katherine was a 16 year old teenager studying at
Lassie High School in Madison County, San Francisco. She had lots of friends and used to hang
out with them quite often.
Mr. Marty Smith visits Katherine's room and collects various items of evidence such as pillows, bed sheets,
greeting cards and handbooks. He also comes across Katherine's iBook laptop, which was in her
room. Her dad, Simon, said, "Katherine used to spend late hours at night on the Internet; we thought
she was studying".
Mr. Marty Smith takes the laptop with him to the local county office for investigation. Mr.
Marty is not an IT professional, so he does not know where to begin. He calls you to help him
with his criminal investigation.
Answer:
1. You visit Mr. Marty Smith's office.
2. Remove the hard disk from Katherine's iBook laptop.
3. Create a bit-stream image of the hard disk using tools such as FTK Imager or EnCase.
4. Place the hard disk carefully in anti-static bag.
5. Generate MD5 or SHA1 hashes of the bit stream images.
6. Prepare the chain of custody and store the original hard disk in a secure location. You
would be investigating the bit stream image copy.
7. You are ready for investigation.
8. You are asked to retrieve the following:
a. Internet cache files, MSN Messenger chat history and Temporary Internet Files.
b. Outlook contacts, emails and any other evidence which would be of help in the
investigation.
9. You load the image in Encase and search for files.
10. The search does not reveal any specific result.
11. You run MessenPass to crack the password of Katherine’s MSN id. Her MSN id was
“katsinlovev2@msn.com”.
12. MessenPass cracks Katherine’s password. Her password is “myloveeric4521”
13. You log on to her MSN Messenger.
14. You search her chat history. You notice a particular MSN id, “erichulklover27@msn.com”. The chat sessions show that Katherine had been constantly interacting with the person using this particular id.
15. The chat sessions revealed Katherine’s affection and love towards this individual, who claimed to be from Boston and to be 27 years old.
16. A series of emails from Katherine’s Outlook revealed the plan made by “erichulklover27@msn.com” to meet at a pub, “The Hunter’s Paradise”, near San Francisco, a day before Katherine was found dead.
17. Based on the above findings, the local police visit the pub “The Hunter’s Paradise”.
18. The police check the record of transactions made by customers over the past week.
19. Katherine’s photograph was shown to the bartenders and the manager of the pub, who confirmed her presence at the pub two days earlier. They had seen her with a tall, good-looking man in his late 30s.
20. The police scanned the credit card transactions in detail and were able to zero in on one particular transaction made by a person called Eric Newman. The payment was made for two 45 ml measures of Scotch whisky and one 45 ml measure of gin.
21. The police were sure of the person involved in the crime, as the MSN id found on Katherine’s iBook laptop, “erichulklover27”, and the name of the person who visited the pub along with Katherine matched.
22. Further investigation revealed more interesting details about the couple who had visited the pub two days earlier.
23. Mr. Marty Smith contacts the credit card company “GreatCards”, whose card was used by Eric Newman. “GreatCards” Operations Manager Mr. Luther Rock extended his help to the police investigating the case.
24. The personal details along with the contact addresses (home/office) were handed over to Mr. Marty Smith by Mr. Luther Rock. The home address of Eric Newman as per these details was Merrimac Street, Boston, MA 02114.
25. Mr. Marty Smith, along with other police officials, leaves for Boston. Mr. Marty Smith asks you to join him for the investigation in Boston.
26. The police contact the local court in Boston, which issues a search and seizure warrant against Eric Newman.
27. Eric Newman is taken into police custody.
28. You remove the hard disk from Eric Newman’s HP Presario PC.
29. Place the hard disk carefully in an anti-static bag and transport it to the forensics laboratory.
30. Create a bit-stream image of the hard disk using tools such as FTK and Encase.
31. Generate MD5 or SHA1 hashes of the bit-stream images.
32. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
33. You are ready for investigation.
34. You are asked to retrieve the following evidence:
a. Internet cache files, chat history of MSN Messenger, Temporary Internet Files.
b. Outlook contacts, emails and any other evidence which would be of help in the investigation.
35. You run MessenPass to crack the password of Eric Newman’s MSN id.
36. MessenPass cracks Eric Newman’s password. His password is “myloveeric4521”.
37. You log on to his MSN Messenger.
38. You search his chat history. You notice a particular MSN id, “katsinlovev2@msn.com”. This MSN id belonged to Katherine. The chat sessions show that Eric Newman had been interacting with Katherine using this particular id for the past 6 months.
39. There were other girls listed on his MSN Messenger buddy list. From his chat history you conclude that Eric Newman had indeed met Katherine on the fateful day, and that he had plans to meet other girls listed on his chat list.
40. The police question Eric Newman. Under pressure he breaks down and confesses to the crime. The medical records of Eric Newman showed that he was schizophrenic, a mental disorder attributed to a depressed childhood. Katherine accompanied him to his home, where he sexually abused her and later murdered her after she threatened to report the incident to the local police department.
41. Mr. Marty Smith thanks you for helping the local police department solve the case.
42. You prepare the report of your forensic analysis in PDF format and personally deliver the evidence CD to Mr. Marty along with an invoice for your professional service.
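Steps 3 to 6 above (repeated as steps 30 to 32, and again in the next two case studies) are the acquisition routine every later finding depends on: image the disk, hash the image, record the hash in the chain of custody, and work only on a copy that still matches that hash. The script below is an added example, not part of the EC-Council case study and not the output of FTK or Encase. It hashes an image with MD5 and SHA1 in a single pass, writes a chain-of-custody record next to it, and shows that a working copy with one altered byte fails verification. The file names, the examiner label and the 4 KB "image" are constructed for the demonstration.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def hash_stream(fh):
    """Return MD5 and SHA1 hex digests of an open binary stream, read once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def custody_record(image_path, item, examiner):
    """Chain-of-custody entry made at acquisition: what was imaged, by whom, when,
    and the digests every later copy must reproduce."""
    rec = {
        "item": item,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
    }
    rec.update(hash_file(image_path))
    return rec


def verify_copy(record, copy_path):
    """True only if the working copy reproduces both digests from the record.
    A single flipped byte anywhere in the copy makes this False."""
    digests = hash_file(copy_path)
    return digests["md5"] == record["md5"] and digests["sha1"] == record["sha1"]


def demo_custody():
    """Constructed sample: a 4096-byte fake 'image', one faithful working copy and
    one copy with a single byte changed. Returns (faithful_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "item-1-disk.dd")  # constructed name, not from the case
        data = bytes(range(256)) * 16                   # constructed content
        with open(original, "wb") as fh:
            fh.write(data)
        record = custody_record(original, item="Item 1: laptop hard disk", examiner="examiner")
        with open(os.path.join(tmp, "custody.json"), "w") as fh:
            json.dump(record, fh, indent=2)             # the record travels with the evidence

        faithful = os.path.join(tmp, "working-copy.dd")
        with open(faithful, "wb") as fh:
            fh.write(data)
        tampered = os.path.join(tmp, "tampered-copy.dd")
        with open(tampered, "wb") as fh:
            fh.write(data[:100] + bytes([data[100] ^ 0x01]) + data[101:])
        return verify_copy(record, faithful), verify_copy(record, tampered)


if __name__ == "__main__":
    print(demo_custody())  # (True, False)
```

Both digests are recorded because the case text accepts either; computing both in one pass costs nothing extra on a large image. What this script verifies is that a copy matches the image; the separate step that proves the image is faithful to the seized disk is hashing the device itself (or letting the imaging tool do so) and recording that value in the same custody entry.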
Case Study 14: Terrorist Attack
A terrorist was shot down at Heathrow International Airport. He was planning to bomb Mason International Airport in Fiji. His face matched one on the terrorist list. He tried to escape when the police confronted him; eventually they shot him. He was carrying a laptop briefcase when he was shot down.
Mr. John Wales, the Chief Investigator at the Heathrow Police Department, calls you for professional investigation services. You are asked to investigate the items in the briefcase. How would you investigate this case?
Answer:
1. To investigate this case you are given the laptop bag along with the Dell laptop which the terrorist had at the time of the confrontation with the police, photographs of the crime scene, and fingerprints matching the terrorist.
2. You find the computer in “Stand By” mode.
3. You take photographs of the computer screen using your Canon digital camera for evidence.
4. You notice that the operating system in use was Microsoft Windows XP Professional Service Pack 2.
5. You insert the Helix CD-ROM and collect volatile evidence such as the programs that are running, the ports which are open, and the open Explorer windows.
6. You copy the “pagefile.sys”.
7. You check the date and time as shown by the operating system.
8. You copy individual memory processes to a Sony USB stick without altering the contents of the original hard disk.
9. You do a formal shutdown of the Windows XP operating system.
10. You unscrew the Dell laptop and remove the hard disk.
11. Create a bit-stream image of the hard disk using tools such as R-Drive and the Linux dd command.
12. Place the hard disk carefully in an anti-static bag and transport it to the State Forensics Laboratory.
13. Generate MD5 or SHA1 hashes of the bit-stream images.
14. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
15. You are ready for investigation.
16. You are asked to retrieve the following:
a. Any MS Word, Excel, PDF and image files (jpeg, gif, bmp, tiff), video files (avi, mpeg, dat, mov) and audio files (mp3, wav and rm) related to the case.
b. MS Outlook contacts, email messages, messenger chat history, cache files, Temporary Internet Files.
17. You load the image in Encase and search for the above-mentioned files.
18. The Encase search gives you the following results:
a. 50 contact lists from Outlook
b. 25 video files
c. 132 image files
d. 12 PDF files
e. 34 MS Word files
f. 3 MS Excel sheets
19. You notice that the video files had contents related to the following:
a. The 9/11 bombings
b. Video showing terrorists practicing at a terror camp
c. Killing of kidnapped hostages
d. Motivational speeches by leaders of various terrorist outfits
e. Personal videos which showed the terrorist spending some light moments with his wife and two small kids
f. A 30-minute video of Heathrow International Airport and Mason International Airport in Fiji
g. Videos taken in a hotel room along with 6 other suspects
20. You make a detailed list of the videos and prepare a document briefly explaining each of them.
21. There were photographs of Heathrow International Airport and Mason International Airport in Fiji. The terrorists had photographed these two airports in detail, which confirmed the intention of the terrorist group with which he was associated.
22. There were a few logos of a particular terrorist group, which confirmed his association.
23. Documents titled “How to make chemical bomb”, “How to prepare for Jihad” and “How to be a suicide bomber”, along with other materials, were also recovered.
24. One particular document, “How to bomb Mason International airport”, caught your attention. You read the document and find that it contains instructions from a few people on how to spread terror at Mason International Airport, Fiji. You are now more than assured of his involvement in the crime.
25. With the help of Encase, you are able to get the list of contacts in the terrorist’s MS Outlook. These contact names matched those found in the earlier documents.
26. The Excel sheets found contained bank account names and the details of the inflow of funds to those accounts.
27. The laptop bag held a few documents and immigration visas which made his links with other terrorist organizations clear.
28. You prepare the report of your forensic analysis in PDF format and personally deliver the evidence CD to Mr. John Wales along with an invoice for your professional service.
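Steps 16 to 18 ask for specific file types and report a count per type. A search by extension alone misses files whose extension was changed, which is why forensic suites also compare each file’s header signature with its extension. The Python below is an added example, not from the case study and not how Encase implements its search: it walks a directory tree such as one mounted from the bit-stream image, counts files in the categories listed in step 16, and flags any file whose leading bytes contradict its extension. The sample tree, its file names and contents are constructed. The signature table holds only well-known headers for the listed types; types without a fixed header at offset zero (mov, dat, rm, mpeg) are counted but not checked.

```python
import os
import tempfile
from collections import Counter

# File categories the investigator was asked to recover, keyed by lower-case extension.
CATEGORIES = {
    "word": {"doc"},
    "excel": {"xls"},
    "pdf": {"pdf"},
    "image": {"jpg", "jpeg", "gif", "bmp", "tif", "tiff"},
    "video": {"avi", "mpeg", "dat", "mov"},
    "audio": {"mp3", "wav", "rm"},
}

# Leading bytes a file with this extension should start with (any listed value is accepted).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound document container used by Office 97-2003
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "tif": [b"II*\x00", b"MM\x00*"], "tiff": [b"II*\x00", b"MM\x00*"],
    "pdf": [b"%PDF"],
    "doc": [OLE2], "xls": [OLE2],
    "avi": [b"RIFF"], "wav": [b"RIFF"],
    "mp3": [b"ID3", b"\xff\xfb"],          # ID3 tag or a bare MPEG frame sync
}


def category_of(name):
    """(category, extension) for a file name; category is None if not of interest."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat, ext
    return None, ext


def signature_matches(path, ext):
    """None when no signature is known for ext; otherwise whether the header fits it."""
    expected = SIGNATURES.get(ext)
    if expected is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(sig) for sig in expected)


def triage(root):
    """Walk a mounted/extracted image tree. Returns (counts per category,
    sorted list of relative paths whose header contradicts their extension)."""
    counts = Counter()
    mismatches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            cat, ext = category_of(name)
            if cat is None:
                continue
            counts[cat] += 1
            if signature_matches(path, ext) is False:
                mismatches.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return dict(counts), sorted(mismatches)


def demo_triage():
    """Constructed sample tree: two JPEG headers, one PDF, a .doc whose header is
    really a PDF, and a text file that should be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photos/a.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
            "photos/b.jpeg": b"\xff\xd8\xff\xe1" + b"\x00" * 12,
            "docs/plan.pdf": b"%PDF-1.4\n",
            "docs/notes.doc": b"%PDF-1.4\n",        # extension says Word, header says PDF
            "docs/readme.txt": b"not of interest",
        }
        for rel, content in samples.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return triage(tmp)


if __name__ == "__main__":
    counts, bad = demo_triage()
    print(counts, bad)
```

A mismatch is not proof of concealment (some applications write odd headers), but it is exactly the kind of file a keyword or extension search would never surface, so it goes onto the list for manual review alongside the counts reported in step 18.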
Case Study 15: iPod, a Handy Tool for Crime
Xdata Enterprises is an online storage company based in Albuquerque, New Mexico. The company had a major share of the online storage market. John Cruise, the CEO of Xdata Enterprises, believed in a free work environment at his office.
Physical security measures were not given priority at Xdata Enterprises. Ron Smith was working as the lead Storage Architect with Xdata Enterprises. He was the most senior employee in the Offline Storage Department of Xdata Enterprises. He had worked hard on a new product, “MyOfflineStorage”, which Xdata Enterprises was about to release in a couple of months. He was expecting a 40% raise in his salary after the monthly review.
All of Ron’s hopes were washed away when Yuri Wellington, his colleague and a member of the key project “MyOfflineStorage”, was given the maximum credit during the performance review. Subsequently Yuri got a 45% raise in his salary.
A few months later SecureOffline Storage Inc, a competitor based in St. Louis, Missouri, launches a product similar to Xdata Enterprises’ “MyOfflineStorage”. John suspects Ron of selling the blueprint of MyOfflineStorage to SecureOffline Storage Inc.
He calls you, the forensic investigator, to investigate this case.
Answer:
1. Visit Ron’s desk and carefully remove the hard disk from his HP Pavilion office computer.
2. Place the hard disk carefully in an anti-static bag and transport it to the forensics laboratory.
3. Create a bit-stream image of the hard disk using tools such as FTK and Encase.
4. Generate MD5 or SHA1 hashes of the bit-stream images.
5. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
6. You are ready for investigation.
7. You are asked to retrieve the following evidence files:
a. Presence of any evidence related to Keith’s role in the sabotage.
8. You load the bit-stream image in Encase and search MS Outlook for emails related to the sabotage.
9. You search the “Sent” folder in MS Outlook but fail to find any attachments related to the blueprint of the project that were sent through email.
10. You search deleted data, deleted partitions and slack space. You come across an executable file, ImageHide.exe, and become suspicious of Ron’s activity. ImageHide is a steganography tool that hides information in image files.
11. You search for image files (jpeg, tiff, bmp, gif) and come across more than 20,000 image files. Analyzing each file for steganographic content would be time consuming. John had asked you to investigate the case within 2 days, as he plans to sue SecureOffline Storage Inc for corporate espionage; his company’s share price was falling with each day that passed.
12. You learn from his peers that Ron used an iPod to listen to music while on the job.
13. You ask John to get Ron’s iPod for investigation.
14. You store the iPod in a static-free bag and mark it as evidence.
15. Create a bit-stream image of the iPod’s hard disk using tools such as FTK and Encase.
16. Generate MD5 or SHA1 hashes of the bit-stream images.
17. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit-stream image copy.
18. You are ready for investigation.
19. Encase recovers all files present on the iPod, including the deleted ones.
20. You notice an image file called “blueprintimp.jpeg”. The size of the image file was 800 KB.
21. You open the image file. The image turns out to be Ron’s photograph.
22. You examine the file “blueprintimp.jpeg” using StegDetect, a steganalysis tool.
23. You find information related to the product embedded in the image file.
24. You prepare the report of your forensic analysis in PDF format along with an invoice for your professional service.
Based on your investigation and the evidence found, Ron was arrested by the Local Police Department. Ron confesses to the crime. John sues SecureOffline Storage Inc for corporate espionage for a sum of $15 million.
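Step 11 states the real constraint of this case: over 20,000 image files and two days. A cheap structural check can rank which images deserve a full steganalysis pass first. The Python below is an added example, not part of the case study. It is not what StegDetect does (StegDetect applies statistical tests to the compressed image data), and the page does not describe how ImageHide embeds data, so the check detects only one simple condition: bytes that follow the end-of-image marker of a JPEG, which every viewer silently ignores. It walks the JPEG segment structure instead of searching for the FF D9 byte pair, because an EXIF thumbnail carries its own end marker and a plain byte search would flag every photo from a camera. The two JPEGs, their file names and the appended bytes are constructed.

```python
import os
import tempfile

EOI, SOS = 0xD9, 0xDA
RESTART = set(range(0xD0, 0xD8))      # RST0-RST7: the only markers allowed inside scan data
STANDALONE = {0x01} | RESTART         # markers that carry no length field


def jpeg_end_offset(data):
    """Offset just past the EOI marker of the primary image, found by walking the
    segment chain. Returns None if the data is not a parsable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 3 >= n:
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes itself
        if marker == SOS:
            # Entropy-coded data follows: FF 00 is a stuffed data byte and FF D0-D7 a
            # restart marker; the first FF followed by anything else ends the scan.
            while pos + 1 < n and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RESTART
            ):
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the primary image's EOI: 0 for a clean file, None if the file
    could not be parsed (which itself deserves a look)."""
    end = jpeg_end_offset(data)
    return None if end is None else len(data) - end


def naive_trailing(data):
    """The search-for-FF-D9 shortcut, kept only to show why it misleads."""
    idx = data.find(b"\xff\xd9")
    return None if idx < 0 else len(data) - idx - 2


def rank_for_review(root):
    """List (trailing_bytes, path) for every .jpg/.jpeg under root, largest first, so
    the files most worth a full steganalysis pass come out on top. Unparsable files
    are scored -1 so they sort below clean ones but remain in the list."""
    ranked = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    t = trailing_bytes(fh.read())
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                ranked.append((-1 if t is None else t, rel))
    return sorted(ranked, reverse=True)


# Constructed minimal JPEG: SOI, APP0 (JFIF), APP1 holding a fake thumbnail with its own
# SOI/EOI pair, a one-component SOS, a few entropy-coded bytes containing a stuffed FF 00
# and a restart marker, then EOI. Not a viewable picture, but structurally a JPEG.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xe1\x00\x0cExif\x00\x00\xff\xd8\xff\xd9"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)
APPENDED_JPEG = CLEAN_JPEG + b"constructed payload"   # 19 constructed bytes after EOI


def demo_ranking():
    """Write both samples to a constructed directory and rank them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("clean.jpg", CLEAN_JPEG), ("suspect.jpg", APPENDED_JPEG)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return rank_for_review(tmp)


if __name__ == "__main__":
    print(demo_ranking())
```

On the constructed samples the structural check reports 0 bytes for the clean file and 19 for the other, while the byte search reports 20 "trailing" bytes for the clean file because it stops at the thumbnail's marker. A zero result says nothing about data hidden inside the coefficients, which is the case StegDetect exists for; the ranking only decides which of the 20,000 files get that slower test first.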