Computer Forensics Report
advertisement
Computer Forensics Report
Pat Smith – Acme Industries
Investigator: Chris Simone
christophersimone@gmail.com
11/5/06
Investigator Information
The following report was conducted by Chris Simone. My job is to take the evidence
presented to me and deliver facts that would seem relevant to the case. The evidence
being reviewed has been collected by a previous investigator and verified to be unaltered.
Any questions or concerns pertaining to the acquisition of the evidence can be found in
his/her report.
Case Description
Acme Industries’ Pat Smith is being investigated under the fear that he may be offering
proprietary company information to a competitor in exchange for a job.
Computer and Forensic Tool Statistics
The computer was removed from its position in ACME Industries at 4/12/04 8:27:03 PM
where it was carted out to a nearby secure forensics facility. Once settled at the forensics
lab the hard drive was imaged to begin the research and testing. The image of the hard
drive was tested using the program EnCase Forensic Edition Version 4.17b by Guidance
Software. This program has been proven in the court of law to provide valid and accurate
results when scanning and analyzing a system.
Investigation
The following was the procedure that I took to extract what data I found to be relevant to
the case.
I created a new case called Case Study. I added to this case the already captured image
file (C:\forensicsfile\winlabencase.image) by going to File Add Device, clicking
sessions, and clicking on add evidence file.
With the case loaded I immediately set the time zone by right clicking on the image
Modify Time Zone. From the following screen I selected the time zone that I was
working in. This is done to adjust the evidence to all correlate in the same time zone.
The next step was to recover any hidden or deleted folders on the system. Doing this step
now would allow my searches to be more complete in the future and determine if there
were any actions taken to hide or destroy evidence. In order to do this I right clicked on
the image Recover Folders.
I ran a script next to determine the specifications about the computer because I had not
been the one to create the image from the suspect machine. The script comes preloaded
into EnCase V4. I went to View Scripts and selected the Initialize Case script which
prompted me to enter information of the investigator and person conducting the
examination. Once the information was entered the script asks where I would like the
data saved. I chose to add it to the bookmark section under the folder Encase Computer
Analysis Report. I also needed to check which information I would want present. I
chose to display the Windows version and registration, time zone settings, network
information, user information, and last shutdown time. The report generated can be
found on the following page. The important information pulled from the report is that the
machine is running a FAT16 file system with Windows XP. The total capacity of the
partition is only 22MB. Now that this information has been discovered I can begin my
investigation.
Volume
File System:
Sectors per
cluster:
Total Sectors:
FAT16
Drive Type:
1
Bytes per sector: 512
45,360
Total Capacity:
Total Clusters:
44,968
Unallocated:
Free Clusters:
Volume Name:
OEM Version:
27,094
NO NAME
MSDOS5.0
Heads:
240
Unused Sectors:
Sectors Per FAT:
12,292,560
176
Allocated:
Volume Offset:
Serial Number:
Sectors Per
Track:
Number of FATs:
Boot Sectors:
Device
Evidence Number:
File Path:
Actual Date:
Target Date:
Total Size:
Total Sectors:
File Integrity:
EnCase Version:
System Version:
Acquisition Hash:
Verify Hash:
Fixed
23,023,616 bytes (22MB)
13,872,128 bytes
(13.2MB)
9,151,488 bytes (8.7MB)
0
30E0-8F46
63
2
8
Lab5 image
C:\forensicsfiles\WinLabEnCase.image.E01
04/12/04 08:27:03PM
04/12/04 08:27:03PM
23,224,320 bytes (22.1MB)
45,360
Completely Verified, 0 Errors
4.17b
Windows XP
F70C5FFF082E526A368E2C0A13ABB093
F70C5FFF082E526A368E2C0A13ABB093
Daylight Saving Time settings
Hour Day of Week Week of month (5=last) Month
Daylight start 2
Sunday
1
4
Standard start 2
Sunday
5
10
Time Zone Settings (minutes)
Time Zone Bias: 300
Daylight Bias: -60
Standard Bias: 0
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
My first task was to compile a list of keywords that I would need to search the file system
for. Knowing what words to start searching on could help me eliminate loads of
irrelevant data. The list contained the following: ACME Industries (ACME and ACME
Industry as different variations as well), Raytheon, Boeing, and promotion. With this list
in hand I created a keyword list by clicking on View Keywords. I right clicked
Keywords Add New Folder. I named the folder PSmith Keywords. Once the folder
was created I can right click the PSmith Keywords folder Insert Keyword List. The
list box gets stored with the keywords previously mentioned. The new keywords were
then selected and a search was performed by going to Search at the top. The search was
done under the following criteria: search each file for keywords, search file slack, and
selected keywords only. The table below shows the numerical results of the search.
Search Summary
Hits First Searched Last Searched
Search Text
5
11/05/06 04:57:01PM acme industries
0
11/05/06 04:57:01PM acme industry
67
11/05/06 04:57:01PM acme
253
11/05/06 04:57:01PM raytheon
127
11/05/06 04:57:01PM boeing
1
11/05/06 04:57:01PM promotion
With so many hits for Raytheon and Boeing I concluded that I was on the right track. I
started with the smallest and worked my way up. Promotion’s results were just a spam email. The files found under ACME Industries were project files and some e-mail items.
At this point I was more interested in evidence relating to some kind of contact between
Pat Smith and Rayteheon and Boeing. The results from ACME came back with 4
interesting hits. Amidst the e-mail files were 4 temporary files found at:
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP
These files all contained the message: “I’d like to offer you some material from my
company in exchange for a position in your company.” – psmith@acme.com. These files
grabbed my attention so I made sure to take down the access times (all last accessed on
3/9/04 around 11:38 AM). I took note by book marking the four files by selecting them
and right clicking Bookmark Files. I created a new folder called TMP Files (ACME)
and the four were imported there for further consideration later. Boeing’s results were
next shuffled through but they were mostly HTML files that Pat Smith must have been
visiting. The bulk of the hits came from Raytheon. They were a mix of web files
including data and content. The web files came from the Raytheon website where the
company’s about and contact pages were visited. Also mixed in were a few e-mails to a
bconrad@raytheon.com. I selected a few files which I saved to bookmarks in the DBX
Files (Raytheon) folder. Two e-mails in particular stood out that contained information
that seemed to relate to this case. The following below is where the files can be located.
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Application Data\Identities\{E893F19B-C77A-4082-943587534CCECF93}\Microsoft\Outlook Express\Deleted Items.dbx
Case Study\Lab5 image\Documents and Settings\PSMITH\Local
Settings\Application Data\Identities\{E893F19B-C77A-4082-943587534CCECF93}\Microsoft\Outlook Express\Sent Items.dbx
The e-mails were both from psmith@acme.com to bconrad@raytheon.com.
following are the content of the two e-mails.
The
"Pat Smith" <psmith@acme.com>
To: "bconrad@raytheon.com"
Subject: A Proposition
Date: Fri, 23 Jan 2004 12:06:52 -0500
I'd like to offer you some material from my company in exchange for a
position in your company.
Pat Smith
psmith@acme.com
From: "Pat Smith" <psmith@acme.com>
To: "bconrad@raytheon.com"
Subject: My Proposition
Date: Fri, 01 Jul 2003 10:04:39 -0500
It's been a week since I sent you my proposal. Have you had a chance to
consider it?
Pat
The first email was the same information found in the temporary files that I had found
earlier from the results of the ACME Industries keyword search.
I was getting closer and closer to when with just the help of the keyword search. I
decided to take a look at the timeline of the operating system which documents when a
file was created, accessed, and modified. It places each entry in a nice calendar view so
an investigator can see when there is a surplus of changes. By selecting the case I was
working on and going to Timeline I found that there was heavy traffic on 1/23/04, 3/9/04,
and 3/15/04. Starting with the earliest date and moving forward I examined the data by
honed in on each date where it gets more detailed by hour and minute the closer you
zoom in. The traffic generated on 1/23/04 was mainly searching for a new job through
sites like Monster.com, Yahoo Jobs, and searching the Raytheon and Boeing website.
The web files and cookies that were created on this date confirm this; they are found at:
Case Study\Lab5 image\Documents and Settings\PSMITH\Cookies
The files on 3/9/04 and 3/15/04 are the heaviest in traffic. They include many cookies
and website files being created and deleted in temporary files space along with the two emails previously started above being modified and deleted.
There were still a few more tests I could complete on this test case. One was to go
through the image Gallery and check the images found on the file system. In order to do
this I had to specify which folders contained images. I decided to check the entire case
and brought open the Gallery view. There were many images from the Raytheon website
as well as images pertaining to finding a new job, adding nothing more than we already
know.
I had found clues on the who, the when, and the where but I was still missing what and
how. My next step was to run a signature analysis to see if any files were still hidden that
I may have overlooked because their extensions were modified. Running a signature
analysis will take the proper signature that a file should be and see if it matches up
against the extension that it actually is. If there is a mismatch it will be labeled as so and
Encase will tell me what extension it should be. Running a signature analysis has me
selecting the complete image and doing a Search (the same Search as done prior). The
only option that should be selected is Verify File Signatures and to have the results saved
to a bookmark called Signature Mismatch. A few files stuck out from the others:
Case Study\Lab5 image\Documents and Settings\PSMITH\My
Documents\Confidential\Project 238x.pdf
Case Study\Lab5 image\Documents and Settings\PSMITH\My
Documents\Confidential\Project 47x.xls
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00001.SPL
The first two files are project files from ACME Industries that were kept in a confidential
folder with altered file extensions. The last two files are printing spools that look like
they have been altered. The spools correspond to each of the first two files being sent to
the IP address of 192.168.1.106. The Project 238x was sent to that address on 3/9/04 and
the Project 47x file was sent on 3/15/04 by the user name PSMITH. The IP address is
mapped to the HP LaserJet 4000 Series PCL6 at ACME Industries. Both spool files can
be found at:
C:\Windows\system32\spool\Printers
Just to make sure I had covered all pertinent data I ran two more scripts before
completion of my investigation. I ran the IE history parser with keyword search script to
make sure that all the websites that I had seen through the cookies and temporary web
files were actually visited and to make sure that I had not missed any others. In order to
run this script I went to the Scripts menu and added the options of add bookmarks and
create web page and tab-delimited files and to search all files. The report did not deliver
any new information that had not already been discovered. The last script I ran was to
see if there was any information I could obtain from the NTFS INFO2 file. This is the
Recycle Bin file that would contain any deleted file information. By running the script
NTFS INFO2 Record Finder and selecting to only read INFO2 files only and saving it to
the bookmark Recovered NTFS Info2 Records I came up with only one file deleted from
the My Documents folder of PSMITH relating to Boeing. It did not seem to be of any
value to this case.
Conclusion
This report has pointed out pieces of information relating to the case of Pat Smith from
ACME Industries and his relations with the companies Raytheon and Boeing. It is now
up to the judge reading this report to determine if this information is of any value to the
case. It is important to state that there was no evidence present that B. Conrad from
Raytheon contacted Pat Smith or that the printed files ever left the officer. It is
interesting though that the printing spools and project files were altered after printing.
The printing spool files are often not touched except by the operating system so it is
obvious that they were targeted. Determining any further information on this cause is up
to be conducted by a crime scene investigator and falls out of my jurisdiction. My job is
to present the facts as I have found them on the suspect machine.
