"Leslie Stowle" - Cal Poly Pomona

Lab 3 – Data Forensics
Team 3
CIS 481.01
20 May 2015
Data Forensics Case
Table of Contents
Authorization Letter
Executive Summary ... 8
Case Details ... 9
  Tom Warner’s Workstation ... 9
  Leslie Stowle’s Workstation ... 9
  Server ... 9
Tom Warner’s Workstation ... 10
  E-mails ... 10
  Files ... 15
Leslie Stowle’s Workstation ... 21
  E-mails ... 21
  Files ... 23
PSC Server ... 28
  Files ... 28
Glossary ... 30
Team 3 | P a g e 2
Team 3
5/20/15
3801 W Temple Ave Pomona, CA 91768
Dear Ms. Stayce Price,
This document contains a computer forensics examination by Team 3: Jose Lamata, Jade Joubi, Andrew Densmore, and Luilly Martinez. Stayce Price, the owner of Price Software Company, hired us to conduct a computer forensic examination at her company. Ms. Price was concerned about the effect of hiring new personnel to fill executive positions over her current staff. Ms. Price was worried specifically about two individuals, Senior Sales Manager Tom Warner and Finance Manager Leslie Stowle. Ms. Price also explicitly requested that the examination be conducted without the knowledge of anyone other than Ms. Price and the forensic examiners. Ms. Price provided documentation stating that she is the sole owner of Price Software Company and that each employee signed the company’s computer usage policy, which states that all data contained on the company’s computer systems is the property of the company and subject to inspection at any time. After verifying that Team 3 had the proper authority to conduct the examination, Ms. Price handed over E01 images of Mr. Warner’s workstation, Ms. Stowle’s workstation, and the company’s server. This document contains the report and findings of Team 3’s computer forensic examination of the E01 images provided by Ms. Price.
Sincerely,
Team 3
Compensation: $200.00 per hour
Jose Lamata ____________________________   Date _________________
Jade Joubi ____________________________   Date _________________
Andrew Densmore ____________________________   Date _________________
Luilly Martinez ____________________________   Date _________________
Jose Jaime Lamata
1234 Somewhere Avenue
Acity, California 91762
jjlamataadad@cpp.edu
Summary
Enthusiastic, quick-learning college graduate seeking a position in the healthcare industry. Diversified skill set including public speaking and presenting, experience in optimization and efficiency of day-to-day business operations, production of analytical reports, and strong team management skills. Extremely organized, able to handle multiple jobs and projects while meeting deadlines. Fluent in English and Filipino (Ilonggo).
Education
Overall GPA: 3.5
California State Polytechnic University, Pomona, College of Business
Bachelor of Science in Business with a focus on Computer Information Systems
Expected Graduation date
3/30/2016
Chaffey College
Associate of Arts in Business and Technology
Associate of Arts in Mathematics and Science
Associate of Arts in Social Science
Relevant Courses Taken
CIS-304 Intermediate Java Programming for Business
CIS-305 Database Design and Development
CIS-307 Business Telecommunications
CIS-481 Computer Forensics
Work Experience
Baxter, Thousand Oaks, CA
2013-Current
Public Speaker and Presenter for Baxter Pharmaceuticals True Identity Program
- Present relevant and innovative treatments, products, and care plans to prospective and current patients and doctors
- Fielded Q and A segments
- Develop both business and personal relationships with audience
eAlternatives, Rancho Cucamonga, CA
2010-2012
Executive assistant and Google Analytics specialist for e-commerce and website development. Assisted in day-to-day operations and finances.
- Provide technical support for both hardware and software required for Windows operating systems, QuickBooks, and Google Analytics
- Maintained filing systems by storing and retrieving any and all pertinent information required or requested.
- Managed the receipt and creation of invoices and reconciliation of client accounts in QuickBooks
- Generated monthly, quarterly, and annual analytic reports on client websites through Google Analytics
Jade A. Joubi
3854 Riverside Dr
New York, NY 90245
(909)545-6843, JaJoubi@smartypants.edu
Summary
Results driven, multi-disciplined project leader with scrum methodology experience and complex
program/project development. Proven proficiency in information technologies, web development, web
design and project management. Excellent team-building, problem-solving, communication skills with a
high degree of initiative and decision-making abilities. Well-developed analytical, planning and
administrative skills and the ability to accurately prioritize and manage time/resources for maximum
efficiency and productivity. Significant experience with fluency in English, Arabic and French.
Technical, Functional and Industry expertise
Program/Project Management
AutoCAD
MicroStation
Erwin Data Modeler
NetBeans IDE
Team Scrum Methodology
Daily Scrum
Internet Portals
Microsoft SQL Server
Oracle VM Box
Web Design
Web Creation
Python Programming
WinSCP
Java
Business Telecommunications, Windows, MS Project, MS Office, MS development tools, MS Excel.
Education
Bachelor of Science in Computer Information Systems, California State Polytechnic University Pomona
(in progress)
Work Experience or Project Accomplishments
Cal Poly Pomona CIS 231, Pomona, California
4/17/13-5/27/13
Worked on a daily scrum methodology project with a group of 5+ members and developed a successfully working online video game review website with an active online interaction feature and professional promotions for hardware and software sales for entertainment companies.
- Working in a group of 5+ students on a tight schedule in order to accomplish the maximum amount of software promoted on the site in a period of 2 months.
- Ensuring group members are all informed on past, current, and future tasks and details that will be applied to the site.
- Harnessed the availability and innovation of 3rd party online web tools to create, manage, and maintain the video game review website, while providing web users an online community in order to discuss and express opinions on all content published on the site.
- Link to Site: http://nerdcomplaints.weebly.com/
Don Lugo FFA student chapter, Chino, California
9/5/05 to 6/20/06
Treasurer for a student-run club in the Pomona area. Future Farmers of America treasurer duties included, but were not limited to:
- Keeping accurate records of investments and expenses for all club activities.
- Ensuring sufficient funds are available throughout the year for all club meetings, activities, outside expenses, group trips, and award and party events.
Andrew Densmore
123 somewhere, this city, CA 12345
andrew.dens@gmail.com
123-123-1234
Student Experience
Student GPA: 3.46 Cal Poly, 3.21 Overall
Proficient knowledge in:
- Database Design and Development (Grade Earned: A): Access and update databases with SQL. Used entity relationship diagrams for relational database design and development.
- Interactive Web Development (Grade Earned: A-): Design and develop web applications using advanced text editors alongside Dreamweaver for website dynamics and interactivity.
- Telecommunication Networks (Grade Earned: A): Analyze hardware and software used in the design of local area networks, transmission media, interconnectivity issues, and cost/benefit tradeoffs.
- Network Security (Grade Earned: A): Use hardware virtualization software (GNS3/Packet Tracer) to initialize and configure routers, switches, and ASA firewalls for a networking environment.
Student Involvement:
- Professional Business Fraternity
- Business Clubs:
  - SWIFT: Attended CIS-related events such as the Southern California Linux Expo
  - MISSA: Team leader for IT competition in Telecommunications
Professional Experience
Associated Students Inc., Cal Poly Pomona, Pomona, California, September 2014 to Present
- B.E.A.T. (Bronco Events and Activities Team) Music Chair, September 2014 to Present
- Experience with volunteer recruitment and delegation for events on campus
- Strong relationships with performers, agents, and other organizations
Ralph’s Marketplace, Kroger Co., Thousand Oaks, California, May 2008 to September 2013
- Safety Coach, May 2013 to September 2013
- Supervised Meat, Produce, Service Deli, Grocery, and Front End Departments
LUILLY MARTINEZ
224 Billbury Ave, Pomona, CA 91768
234-262-6666 | luillyluilly@sbcglobal.net
http://www.csupomona.edu/~luillym/
http://www.luillymartinez.com/
EMPLOYMENT
2015 Santana High School
IT Student Assistant
Provide IT assistance for a high school including IP and network configuration, setting up
computer labs, managing IT inventory, and general IT help
2014 Los Olivos Dining
Busser/Server
Serve hot food to students while managing adequate levels of food in the serving area
2013 Knott's Berry Farm
Ride Operator
Performed ride operations for Knott’s Supreme Scream, which include assisting and making sure guests are safe and meet guidelines to ride, as well as dispatching towers.
2012 Cal Poly Pomona’s Optic Laboratory
Research Assistant
Helped conduct research in Cal Poly Pomona's Optic laboratory by helping in aligning and
recording data of a laser system to measure the count of down converted photons through a
BBO crystal
EDUCATION
2011-2015 California Polytechnic State University Pomona
Pomona, California
B.S. Computer Information Systems (Expected in 2015)
Mexican American Student Association
Social Director (2012-2013)
External Affairs Officer (2013-2014)
Webmaster (2014-2015)
Forensic and Security Technology (F.A.S.T)
Director of Communication (2015)
HTCIA Member
MISSA Member
Physics Club Member
Alpha Lambda Delta Honor Society Member
FYFS Program at Encinitas Dormitory
SKILLS
Forensic Toolkit (FTK), Java, vSphere, ESXi, Microsoft SQL, MySQL, HTML, CSS, Erwin Data Modeling, UML experience, C++, Mathematica, WordPress
Robotics knowledge (took Robots course using VEX System)
Office programs (Word, Excel, Access, PowerPoint, Outlook)
Leadership and team building (4 years of JROTC courses)
Executive Summary
Team 3 began the examination of the E01 images of Mr. Warner’s workstation, Ms. Stowle’s workstation, and the PSC server using FTK 5.6. On Tom Warner’s workstation, Team 3 found 7 e-mails and 6 files that appear to be non-work related. Starting with the e-mails, there are multiple personal conversations between Tom Warner’s e-mail account and Leslie Stowle’s e-mail account. These conversations include discussions about going to lunch, a job promotion, and vacation plans.
In the e-mails referring to the job promotion, Tom’s e-mail states that he “deserves it and can use the extra money”, and invites Leslie Stowle’s account to lunch. Leslie replies to Tom’s e-mail and congratulates him on his promotion.
An e-mail from Tom’s account to Leslie’s account then shows that Tom had found a memo from Ms. Price indicating that he was not going to be promoted. Tom’s e-mail states that he will “get even” and that he was traveling back to his residence after the e-mail was sent. Leslie’s reply tells Tom that he cannot be sure about the accuracy of the claim and asks him to lunch to discuss the matter further.
Tom replies that he is sure he will not be promoted because he saw the memo and now has proof. His e-mail recounts how long he has been employed with the company, stating that he worked there for seven years and helped start the company, and says “they owe me so much.” He then declines the lunch invitation because of an upcoming meeting but extends an invitation to dinner instead. A further e-mail shows Leslie Stowle sending Tom Warner’s account a link to a hotel website in Hawaii; Tom replies “that looks nice, make it happen.”
We also found an htm file containing a Hotmail conversation between the accounts hotdog918@hotmail.com, labeled with the contact name “Tom Warner”, and sweetdog918@hotmail.com, labeled with the contact name “Leslie Stowle”, in which they message each other about vacation plans.
Upon further examination of Tom Warner’s and Leslie Stowle’s workstations, an executable file called “eraser.exe” was found on each. An .xml file describing the program and its capabilities was also found. A zip file titled “Eraser57Setup.zip” was also found on the PSC server.
Case Details
A forensic examination of the E01 images provided to us resulted in the following findings:
Tom Warner’s Workstation
E-mails:
- E-mail about a new job ... Item 1, pg. 10
- E-mail reply to new job ... Item 2, pg. 11
- E-mail discussing found memo and not getting a job promotion ... Item 3, pg. 11
- E-mail invitation for lunch to discuss e-mail about promotion ... Item 4, pg. 12
- E-mail declining lunch and an invitation to dinner instead ... Item 5, pg. 13
- E-mail message containing online link to a hotel ... Item 6, pg. 13
- E-mail acknowledgement of hotel link ... Item 7, pg. 14
Files:
- File for a program named Eraser ... Item 1, pg. 15
- An .xml file for the Eraser program ... Item 2, pg. 15
- An htm file showing an attachment on a Hotmail e-mail page ... Item 3, pg. 16
- An htm file containing a notification that a message was sent to Saspah Software ... Item 4, pg. 17
- An htm file indicating an error occurred ... Item 5, pg. 18
- An htm file stating failure of delivery of a message ... Item 6, pg. 20
Leslie Stowle’s Workstation
E-mails:
- E-mail confirming lunch plans between Ms. Stowle and Mr. Warner ... Item 1, pg. 21
- E-mail reply from Ms. Stowle about lunch ... Item 2, pg. 21
- E-mail from Ms. Stowle sending a link from expedia.com to Mr. Warner ... Item 3, pg. 22
- E-mail from Mr. Warner to Ms. Stowle confirming vacation plans ... Item 4, pg. 22
Files:
- Executable file named eraser.exe ... Item 1, pg. 23
- An .xml file titled eraser.xml ... Item 2, pg. 23
- A file titled “entry #00012” showing the e-mail page of a Hotmail account ... Item 3, pg. 23
- An htm file showing an exchange of e-mails between Leslie and Tom ... Item 4, pg. 24
- A file containing a spreadsheet with confidential information ... Item 5, pg. 26
- A file containing an image of a Google search for the word “embezzlement” ... Item 6, pg. 27
Server
- A file on the PSC server showing IE history with a link to the Eraser program ... Item 1, pg. 28
- A deleted jpeg image of the Eraser program logo ... Item 2, pg. 28
- Eraser program downloaded from sourceforge.net ... Item 3, pg. 29
Tom Warner’s Workstation
E-mails
1.
An e-mail from Mr. Warner’s account (twarner@PSC.local) to Leslie Stowle’s account (lstowle@PSC.local) about a new job and needing money. The e-mail also asks Ms. Stowle’s account if they can do lunch. The e-mail was sent on 9/30/2004 at 5:54:38 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/Vice Pres”.
2.
A reply from Ms. Stowle’s account to e-mail #1, found in Mr. Warner’s mailbox. In the e-mail, Ms. Stowle’s account accepts the invitation to lunch. E-mail sent on 9/30/2004 at 6:11:01 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Personal/RE: Vice Pres”
3.
An e-mail from Mr. Warner’s account to Ms. Stowle’s account about being passed over for a promotion and getting even. E-mail sent on 10/1/2004 at 6:06:37 AM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/Hay”
4.
A reply from Ms. Stowle’s account to e-mail #3, found in Mr. Warner’s mailbox. Ms. Stowle’s account once again proposes meeting for lunch. E-mail sent on 10/4/2004 at 5:10:53 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Personal/RE: Hay”
5.
An e-mail sent from Mr. Warner’s account replying to Ms. Stowle’s account regarding e-mail #4. Mr. Warner’s account asks Ms. Stowle’s account if they can do dinner instead. E-mail sent on 10/4/2004 at 5:17:44 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/RE: Hay”
6.
An e-mail sent to Mr. Warner’s account from Ms. Stowle’s account containing a link about
a hotel. E-mail sent on 10/4/2004 at 5:31:39 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Inbox/RE: I like this one”
The url:
http://www.expedia.com/pub/agent.dll?qscr=cmhi&htid=426160&dsct=&dlvl=&rtmn=&rtmx=&dcty=LAX&drid1=180074&tair1=KOA&ddpt1=&tdpt1=&drtn1=&trtn1=&cAdt1=2&cmbt=2&mtxt=Sample+4%2Dnight+air%2Fhotel+package+Los+Angeles+to+Big+Island+from+%241070+based+on+travel+11%2F11+through+11%2F15%2E+Sample+prices+based+on+double+occupancy+and+vary+by+dates+of+travel%2C+availability%2C+and+departure+city%2E+Shop+for+your+travel+dates+and+departure+city+below%2E&rfrr=33440&&zz=1096910619000&
The mtxt parameter describes a sample 4-night air/hotel package from Los Angeles (LAX) to the Big Island (KOA) for two adults, from $1070, for travel 11/11 through 11/15. If the zz parameter is a Unix timestamp in milliseconds, 1096910619000 corresponds to 2004-10-04 17:23:39 UTC, eight minutes before the e-mail was sent at 5:31:39 PM UTC.
7.
An e-mail from Mr. Warner’s account replying to e-mail #6 stating “That looks nice.
Make it happen”. E-mail sent on 10/4/2004 at 5:32:18 PM UTC.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/RE: I like this one”
Files
1.
An executable file titled “eraser.exe” was found on Mr. Warner’s workstation.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Program
Files/Eraser/eraser.exe”
[Screenshot: date and time (PST) at which eraser.exe was accessed on Tom’s machine]
2.
An .xml file titled “eraser.xml” was found on Mr. Warner’s workstation.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Program
Files/Eraser/eraser.xml”
[Screenshot: program description from eraser.xml]
3.
An htm file titled “doattach3899b7c7[1].htm” was found on Mr. Warner’s workstation. The contents of the file show a Hotmail e-mail page. An e-mail is being composed from user hotdog918@hotmail.com to user cmelonis@saspahsoftware.com. An attachment “realarcade.exe” with a file size of 0.20 MB has been attached, and the body of the e-mail is as follows:
“You should like this one. We have a meeting to I should be able to let you know what we are doing next.Cheers,TW”. File accessed on 10/27/2004 at 8:47:38 AM PST.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Temporary Internet
Files/Content.IE5/FEP9EXEZ/doattach3899b7c7[1].htm”
4.
An htm file titled “84914a107dff[1].htm” was found on Mr. Warner’s workstation. The contents of the file show a Hotmail e-mail page containing a notification that a message was sent to cmelonis@saspahsoftware.com. File accessed on 10/27/2004 at 8:47:48 AM PST.
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Temporary Internet
Files/Content.IE5/W1WFZXOA/84914a107dff[1].htm”
5.
An htm file titled “8666fa6d0983[1].htm” was found on Mr. Warner’s workstation. The contents of the file show a Hotmail e-mail page stating that an error had occurred. A message was also being composed from hotdog918@hotmail.com to sweetdog918@hotmail.com. File accessed on 10/27/2004 at 8:50:35 AM PST. The content of the message is as follows: “I sent another file today. A few more and we can get out of here. How's the vacation plan coming?
>From: "Leslie Stowle" <sweetdog918@hotmail.com>
>To: hotdog918@hotmail.com
>Subject: I did it!
>Date: Wed, 29 Sep 2004 21:56:00 +0000
>
>Hay Tom. I set up my Hotmail account like you said to. This is cool.
>”
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Temporary Internet
Files/Content.IE5/9121CJKM/8666fa6d0983[1].htm”
6.
An htm file titled “getmsg[2].htm” was found on Mr. Warner’s workstation. The contents of the file show a Hotmail e-mail page with a delivery failure notice from postmaster@mail@hotmail.com to hotdog918@hotmail.com. File accessed on 10/27/2004 at 8:59:42 AM PST. The content of the message is as follows: “Hotmail has permanently blocked the following potentially unsafe attachment(s):
realarcade.exe (0.27mb) More Info…
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
cmelonis@saspahsoftware.com”
The notice shows that the realarcade.exe attachment composed in Files #3 was blocked by Hotmail and never reached cmelonis@saspahsoftware.com. The attachment size reported here (0.27mb) differs from the size shown on the compose page in Files #3 (0.20 MB).
File Path: “PSC Tom WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/twarner/Local Settings/Temporary Internet Files/Content.IE5/L853109U/getmsg[2].htm”
Leslie Stowle’s Workstation
E-mails
1.
An e-mail from Ms. Stowle’s account replying to Mr.Warner’s account about wanting to
have lunch.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/RE: Vice Pres”
2.
An e-mail from Ms. Stowle’s account replying to Mr. Warner’s account wanting to meet
for lunch again. E-mail sent on 10/4/2004 at 5:10:53 PM UTC.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root - Mailbox/IPM_SUBTREE/Sent Items/RE: Hay”
3.
An e-mail from Ms. Stowle’s account sending a link from expedia.com to Mr. Warner’s
account. Refer to Tom Warner’s Workstation E-mail #6 for the link and image of the
website.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Sent Items/RE: I like this one”
4.
An e-mail sent from Mr. Warner’s account to Ms. Stowle’s account replying to Leslie Stowle’s Workstation e-mail #3, stating “That looks nice. Make it happen”. E-mail sent on 10/4/2004 at 5:32:18 PM UTC.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Application Data/Microsoft/Outlook/outlook.ost/[root]/Root Mailbox/IPM_SUBTREE/Inbox/RE: I like this one”
Files
1.
An executable file titled “eraser.exe” was found on Ms. Stowle’s workstation, at the same path as on Mr. Warner’s workstation.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Program
Files/Eraser/eraser.exe”
[Screenshot: date and time (PST) at which eraser.exe was accessed on Leslie’s machine]
2.
An .xml file titled “eraser.xml” was found on Ms. Stowle’s workstation. Refer to Tom Warner’s Workstation Files #2 for an image and the contents of the file.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Program
Files/Eraser/eraser.xml”
3.
A file titled “entry #00012” was found on Ms. Stowle’s workstation. The contents of the file show a Hotmail e-mail page with the inbox of the user sweetdog918@hotmail.com, with the contact “Tom Warner”. File accessed on 10/27/2004 12:22:50 PM PST.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/History/History.IE5/index.dat/entry #00012”
4.
An htm file titled “getmsg[1].htm” was found on Ms. Stowle’s workstation. The contents of the file show a Hotmail e-mail page with a series of e-mails between “Leslie Stowle” <sweetdog918@hotmail.com> and “Tom Warner” <hotdog918@hotmail.com>. The first message reads: “I sent another file today. A few more and we can get out of here. How’s the vacation plan coming?”. The second message reads: “Hey Tom. I set up my Hotmail account like you said to. This is cool.”. This is the same exchange found cached on Mr. Warner’s workstation (Tom Warner’s Workstation Files #5). File accessed on 10/27/2004 12:22:54 PM PST.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Temporary Internet Files/Content.IE5/L853109U/getmsg[1].htm”
5.
A file titled “system23.dll” was found on Ms. Stowle’s workstation. Despite its .dll name and its location in the Windows system32 directory, the file is not a dynamic-link library: it contains information in spreadsheet format, including names, credit card numbers, job titles, credit limits and current balances. File accessed on 10/4/2004 11:11:03 AM PST.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME
[NTFS]/[root]/WINDOWS/system32/system23.dll”
6.
A file titled “search[2]” was found on Ms. Stowle’s workstation. The file contains an image of a Google search for “embezzlement”. File accessed on 9/30/2004 11:13:35 AM PST.
File Path: “PSC Leslie WS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/lstowle/Local Settings/Temporary Internet Files/Content.IE5/9121CJKM/search[2]”
PSC Server
Files
1.
A file titled “entry #00343” was found on the PSC server. The file shows an IE history
index with the url:
http://prdownloads.sourceforge.net/eraser/Eraser57Setup.zip?use_mirror=easynews being
visited by the administrator. File accessed on 9/29/2004 11:41:17 AM PST.
File Path: “PSC Server OS.E01/Partition 1/NONAME [NTFS]/[root]/Documents and
Settings/Administrator/Local Settings/History/History.IE5/index.dat/entry #00343”
2.
A deleted jpeg file titled “eraser_logo_ball[1].jpg” was found on the PSC server. File
accessed on 9/29/2004 11:40:41 AM PST.
File Path: “PSC Server OS.E01/Partition 1/NONAME [NTFS]/[orphan]/eraser_logo_ball[1].jpg”
3.
An orphaned (deleted) htm file recording the download of Eraser57Setup.zip from sourceforge.net.
File Path: “PSC Server OS.E01/Partition 1/NONAME [NTFS]/[orphan]/Eraser57Setup[2].htm”
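The e-mail timestamps in this report are stated in UTC while the file-access timestamps are stated in Pacific local time (labeled PST), so the findings from the three images cannot be read in order without normalizing them first. The following Python script is an added example and not part of the original Team 3 report: it transcribes the timestamped findings above into one list, converts the Pacific times to UTC using the pre-2007 US daylight saving rule that was in force in 2004 (hand-coded so the script needs no timezone database), and returns a single sorted timeline. The event descriptions are abbreviations of the findings, and the reading of the report’s “PST” as Pacific local time follows the report’s own glossary entry.

```python
"""Unified UTC timeline of the timestamped findings in this report.

Added example (not part of the original Team 3 report). Assumptions:
- e-mail times are UTC, as stated in the findings;
- file-access times labeled "PST" are Pacific local time, per the glossary;
- the pre-2007 US daylight saving rule (first Sunday in April 02:00 to
  last Sunday in October 02:00, in force 1987-2006) is coded by hand so
  no timezone database is needed.
"""
from datetime import date, datetime, time, timedelta, timezone

PACIFIC_STANDARD = timezone(timedelta(hours=-8), "PST")
PACIFIC_DAYLIGHT = timezone(timedelta(hours=-7), "PDT")
REPORT_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # e.g. "9/29/2004 11:41:17 AM"


def _first_sunday(year, month):
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7)


def _last_sunday(year, month):
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)


def us_dst_in_effect(local):
    """True if the naive Pacific local datetime falls in daylight saving time.

    Uses the 1987-2006 US rule. The repeated 01:00-02:00 hour on the
    fall-back day is treated as standard time; no report timestamp falls
    in it. Other years follow a different rule and are rejected.
    """
    if not 1987 <= local.year <= 2006:
        raise ValueError("hand-coded DST rule is only valid for 1987-2006")
    start = datetime.combine(_first_sunday(local.year, 4), time(2, 0))
    end = datetime.combine(_last_sunday(local.year, 10), time(2, 0))
    return start <= local < end


def parse_report_time(text):
    """Parse a timestamp in the report's notation into a naive datetime."""
    return datetime.strptime(text, REPORT_FORMAT)


def pacific_to_utc(text):
    """Convert a Pacific local timestamp from the findings to aware UTC."""
    local = parse_report_time(text)
    zone = PACIFIC_DAYLIGHT if us_dst_in_effect(local) else PACIFIC_STANDARD
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def utc_from_report(text):
    """Mark a timestamp the report already states in UTC as aware UTC."""
    return parse_report_time(text).replace(tzinfo=timezone.utc)


# (image, time as written in the report, zone, finding) - transcribed from the findings above
EVENTS = [
    ("Server", "9/29/2004 11:40:41 AM", "Pacific", "eraser_logo_ball[1].jpg accessed (deleted file)"),
    ("Server", "9/29/2004 11:41:17 AM", "Pacific", "index.dat entry #00343: Eraser57Setup.zip from sourceforge.net"),
    ("Tom WS", "9/29/2004 9:56:00 PM", "UTC", "Hotmail 'I did it!' from sweetdog918 (quoted in 8666fa6d0983[1].htm)"),
    ("Leslie WS", "9/30/2004 11:13:35 AM", "Pacific", "search[2]: Google search for 'embezzlement'"),
    ("Tom WS", "9/30/2004 5:54:38 PM", "UTC", "Sent Items/Vice Pres"),
    ("Tom WS", "9/30/2004 6:11:01 PM", "UTC", "Personal/RE: Vice Pres"),
    ("Tom WS", "10/1/2004 6:06:37 AM", "UTC", "Sent Items/Hay ('get even')"),
    ("Leslie WS", "10/4/2004 11:11:03 AM", "Pacific", "system23.dll (spreadsheet data) accessed"),
    ("Tom WS", "10/4/2004 5:10:53 PM", "UTC", "Personal/RE: Hay"),
    ("Tom WS", "10/4/2004 5:17:44 PM", "UTC", "Sent Items/RE: Hay"),
    ("Tom WS", "10/4/2004 5:31:39 PM", "UTC", "Inbox/RE: I like this one (Expedia link)"),
    ("Tom WS", "10/4/2004 5:32:18 PM", "UTC", "Sent Items/RE: I like this one"),
    ("Tom WS", "10/27/2004 8:47:38 AM", "Pacific", "doattach3899b7c7[1].htm: composing to cmelonis@saspahsoftware.com"),
    ("Tom WS", "10/27/2004 8:47:48 AM", "Pacific", "84914a107dff[1].htm: 'message sent' notification"),
    ("Tom WS", "10/27/2004 8:50:35 AM", "Pacific", "8666fa6d0983[1].htm: composing to sweetdog918"),
    ("Tom WS", "10/27/2004 8:59:42 AM", "Pacific", "getmsg[2].htm: delivery failure, realarcade.exe blocked"),
    ("Leslie WS", "10/27/2004 12:22:50 PM", "Pacific", "index.dat entry #00012: sweetdog918 inbox"),
    ("Leslie WS", "10/27/2004 12:22:54 PM", "Pacific", "getmsg[1].htm: Hotmail exchange with hotdog918"),
]


def timeline(events=EVENTS):
    """Return (utc datetime, image, finding) rows sorted by UTC time."""
    rows = []
    for image, when, zone, finding in events:
        utc = pacific_to_utc(when) if zone == "Pacific" else utc_from_report(when)
        rows.append((utc, image, finding))
    rows.sort(key=lambda row: row[0])
    return rows


if __name__ == "__main__":
    for utc, image, finding in timeline():
        print(f"{utc:%Y-%m-%d %H:%M:%S} UTC  {image:<9}  {finding}")
```

Every date in the report falls between 29 September and 27 October 2004, which is before daylight saving time ended on 31 October 2004, so all of the “PST” file-access times are actually UTC-7 and the Pacific-to-UTC conversion adds seven hours. Running the script shows, for example, that the Eraser download on the server precedes Ms. Stowle’s “I did it!” Hotmail message by about three hours and that the “embezzlement” search on her workstation falls after the lunch exchange of 30 September, details that are easy to miss when the two time bases are read side by side.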
Glossary
A Sector is the smallest unit of physical storage that is directly addressable by the disk controller, traditionally 512 bytes (newer disks use 4,096-byte sectors).
A Cluster is the smallest unit of logical storage that the operating system’s file system allocates to a file, consisting of one or more sectors.
An E01 Image (EnCase Image File Format) is a container for acquired digital evidence such as a full disk image or a set of logical files. When an investigator (or forensic expert) uses EnCase, or another tool that writes the format, to acquire a hard disk, a physical bit stream of the disk is produced. The format also stores a CRC for each chunk of data and an MD5 hash of the acquired data, which lets an examiner verify that the image has not changed since acquisition.
A File Path is the general form of the name of a file or directory and specifies a unique location in a file system. A path points to a file system location by following the directory tree hierarchy, expressed as a string of characters in which the path components, separated by a delimiting character, represent each directory.
An Executable File is a file containing a program that the computer can run directly; the processor executes its instructions, performing the operations each instruction calls for.
An .xml File is a document written in Extensible Markup Language (XML), a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is defined by the W3C’s XML 1.0 Specification and by several other related specifications, all of which are free open standards.
A JPEG file is an image stored in a lossy compressed format.
A dynamic-link library (DLL) file is an executable file that allows programs to share code and other resources necessary to perform particular tasks. Microsoft Windows provides DLL files that contain functions and resources that allow Windows-based programs to operate in the Windows environment. A file’s extension is only a label: the system23.dll found on Ms. Stowle’s workstation carries a DLL name but contains spreadsheet data.
An htm file is a file with a common file extension for HTML (web page) files; Internet Explorer caches visited pages, including webmail pages, as htm files under Temporary Internet Files.
UTC (Coordinated Universal Time) is the reference time standard from which time zones are expressed as offsets (UTC+/-0:00).
PST (Pacific Standard Time) is UTC-8:00; during daylight saving time the Pacific zone uses Pacific Daylight Time (PDT), UTC-7:00. Under the report’s usage, the “PST” times given for file access are Pacific local times; daylight saving time was in effect from 4 April to 31 October 2004, so every such time in this report is UTC-7:00.