Encase Final Project Report by Abu Shoeb: Page 1 of 30
CS 537 (Cybercrime and Forensics)
Final Assignment: Part One – Individual Forensic Examiner’s Log
Case Name: Tdurden (Tyler Durden)
Submitted By
Abu Awal Md Shoeb (BlazerID – shoeb)
Dept. of Computer and Information Sciences
University of Alabama at Birmingham
April 15, 2015
Contents
Problem Description (page 3)
TASK 1: System description, including size of hard drive(s), number of files present, and Operating system installed (page 4)
TASK 2: Identify primary users and create a timeline for their use of the system (page 5)
TASK 3: Registry review for installed programs (page 6)
  Installed Applications (page 7)
  Installed Microsoft Programs (page 8)
  Uninstalled Programs (page 9)
TASK 4: List of installed programs from “Program Files” (page 10)
TASK 5: Review of Significant Programs (page 11)
TASK 6: Review data files created by subject for evidence (page 13)
  Download Folder (page 13)
  List of files after the extraction of steg.zip (page 14)
  Image found for Encryption Software (page 14)
TASK 7: Review images created or downloaded by the subject for evidence (page 15)
TASK 8: Review internet history for evidence (page 18)
  Search: How to make fake ID (page 18)
  Download: Easy-Hide-IP (page 18)
  Download: Gimp (page 19)
  Download: OST to PST Converter (page 19)
  Search: Hiding Text in Text Steganography (page 20)
  Download: TrueCrypt (page 20)
  Search: Free Encryption Software (page 20)
TASK 9: Review Emails for evidence (page 21)
  Screenshot of the location of Outlook file - User Account: tyler.durden (page 22)
  Screenshot of the location of Outlook file - User Account: Tyler.Durden.ZEROBIT (page 23)
  Proof of Two Email IDs of The German (page 24)
  Proof of Attachment: Employee Monitoring (page 24)
  Email Evidence: Employee Monitoring Tools (page 25)
  Email Evidence: Use of TrueCrypt (page 26)
  Email Evidence: Employee Monitoring.doc as attachment (page 27)
  Email Evidence: Welcome email from Norman (page 27)
  Email Evidence: Pornography image as attachment (page 28)
TASK 10: Search drive for keywords discovered during investigation so far (page 29)
Case Narrative (page 30)
Problem Description
PART ONE – INDIVIDUAL FORENSIC EXAMINER’S LOG
Every time you touch the evidence, it is important that you document your activities. As
you build your examiner’s log, make the following entries for every session:
DATE/TIME: When did you begin your exam and when did you complete your
exam?
OBJECTIVE: What are you trying to accomplish in this session?
ACTIVITIES: What did you do in order to accomplish those objectives?
RESULTS: What did you find in support of your objectives?
Tasks - Each Forensic Examiner’s Log should include at least the following objectives:
1. System description, including size of hard drive(s), number of files present, and
Operating system installed.
2. Identify primary users and create a timeline for their use of the system.
3. Registry review for installed programs.
4. List of installed programs from “Program Files”.
5. If there are “significant programs” found (such as a chat program, an encryption
program, etc.) a new objective section should be created for each, such as: “Review
usage of Yahoo Instant Messenger for Evidence” or “Review usage of Kazaa File
Sharing for evidence” (I’m not saying either of these is involved in this case. These
are just examples.)
6. Review data files created by subject for evidence.
7. Review images created or downloaded by the subject for evidence.
8. Review Internet history for evidence.
9. Review Emails for evidence.
10. Search drive for keywords discovered during investigation so far.
TASK 1: System description, including size of hard drive(s), number of files present, and Operating system installed
DATE/TIME: Begin – March 18, 2015 05:10 PM Central Time
End – March 18, 2015 07:10 PM Central Time
OBJECTIVE: Getting familiar with the evidence file and finding basic information about the
evidence.
ACTIVITIES: Once the evidence is processed, click on Tdurden.
It shows the ‘C’ drive and ‘Unused Disk Area’ under the Table View.
View the logical size and description there.
View the evidence in Records format, then follow:
Records > Evidence Processor Module Results > System Info Parser Records > SYS > Windows > Tdurden (C) > Operating System > System Artifacts
RESULTS: System description = Volume, Sector 2048-27258879, 13 GB, Folder, Internal,
Overwritten, Hidden, System.
Size of Hard Drive = 13 GB
Number of files present = 134779
Operating System Installed =
o Product Name – Windows 7 Ultimate
o Product ID – 00426-068-6081695-86561
o Current Version – 6.1
Last Written – 04/20/11 03:05:07 PM
TASK 2: Identify primary users and create a timeline for their use of the system.
DATE/TIME: Begin – March 18, 2015 05:10 PM Central Time
End – March 18, 2015 07:10 PM Central Time
OBJECTIVE: Getting familiar with how user accounts are located in a Windows system.
ACTIVITIES: Go to C Drive > Users. There we find the list of users.
RESULTS: The two primary user accounts are:
1. tyler.durden (associated email address is [email protected])
2. Tyler.Durden.ZEROBIT (associated email address is Tyler.Durden@zero-bit.com)
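Task 2 asks for a timeline of each user's activity, which the log above does not show. The following Python is an added example (not part of the original report and not EnCase output) of how such a timeline can be assembled from a file-list export: the user is recovered from the profile folder under C:\Users\, every Created/Written/Accessed stamp becomes an event, and the first and last activity per account are derived from the sorted events. The records, including all timestamps, are constructed for the illustration; only the two account names come from the report.

```python
"""Build a per-user activity timeline from file-system timestamps.

Added illustration, not part of the original examiner's log. The records
below are constructed sample entries of the kind a forensic tool exports
(path plus Created / Last Written / Last Accessed times). The owning user
is recovered from the profile folder under C:\\Users\\.
"""
from datetime import datetime
import re

# Constructed sample export. The two profile names echo the accounts named
# in the report; every timestamp here is invented for the illustration.
SAMPLE_RECORDS = [
    # (path, created, last written, last accessed)
    (r"C:\Users\tyler.durden\NTUSER.DAT",
     "04/08/11 02:40:11 PM", "04/20/11 03:05:07 PM", "04/20/11 03:05:07 PM"),
    (r"C:\Users\Tyler.Durden.ZEROBIT\Downloads\steg.zip",
     "04/12/11 09:15:00 AM", "04/12/11 09:15:32 AM", "04/14/11 11:02:10 AM"),
    (r"C:\Users\Tyler.Durden.ZEROBIT\NTUSER.DAT",
     "04/11/11 08:02:44 AM", "04/14/11 06:30:00 PM", "04/14/11 06:30:00 PM"),
    (r"C:\Windows\System32\config\SOFTWARE",
     "04/08/11 02:30:00 PM", "04/20/11 03:05:07 PM", "04/20/11 03:05:07 PM"),
]

# Same 12-hour layout the report uses for "Last Written" in Task 1.
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)", re.IGNORECASE)


def user_of(path):
    """Return the profile name for a path under <drive>:\\Users, else None."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else None


def build_timeline(records):
    """Flatten records into (time, user, action, path) events, oldest first.

    Each of the three timestamps becomes its own event, so one file can
    appear several times in the timeline at different moments."""
    events = []
    for path, created, written, accessed in records:
        user = user_of(path)
        for label, ts in (("created", created), ("written", written),
                          ("accessed", accessed)):
            events.append((datetime.strptime(ts, TS_FORMAT), user, label, path))
    events.sort(key=lambda e: e[0])
    return events


def activity_window(events):
    """Map user -> (first seen, last seen); paths outside profiles are skipped."""
    window = {}
    for ts, user, _, _ in events:
        if user is None:
            continue
        first, last = window.get(user, (ts, ts))
        window[user] = (min(first, ts), max(last, ts))
    return window


def render(events):
    """Human-readable timeline lines, one per event."""
    return ["%s  %-22s %-8s %s" % (ts.strftime(TS_FORMAT), user or "(system)", label, path)
            for ts, user, label, path in events]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    print("\n".join(render(timeline)))
    for user, (first, last) in activity_window(timeline).items():
        print("%s: active %s .. %s" % (user, first, last))
```

Profiles whose NTUSER.DAT is never written after creation are a useful negative signal: an account that exists but shows no activity window beyond its creation time was probably never logged into.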
TASK 3: Registry review for installed programs.
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting familiar with the Windows Registry.
ACTIVITIES: View the evidence in Records format, then follow:
Records > Evidence Processor Module Results > System Info Parser Records > SYS > Windows > Tdurden (C) > Software
Three options are available there:
o Installed Applications
o Installed Microsoft Applications
o Uninstalled Applications
RESULTS: A total of 184 programs were installed during the life of the hard drive. Some suspicious programs are: Gimp, VMware.
Installed Applications
Installed Microsoft Programs
Uninstalled Programs
TASK 4: List of installed programs from “Program Files”.
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting familiar with how installed programs are located in Program Files.
ACTIVITIES: Go to C Drive; two Program Files folders are present:
o Program Files
o Program Files (x86)
RESULTS: Four major suspicious programs were found in Program Files. They are:
o μTorrent (freeware software to download programs, executables, books, pictures, videos etc.)
o VMware (software that creates a virtual environment inside the main system)
o Gimp (GNU Image Manipulation Program – image editing software)
o Easy-Hide-IP (software that hides your IP address when accessing the internet)
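Tasks 3 and 4 together compare the registry's record of installed programs with what is actually present under Program Files. The Python below is an added example (not from the report and not EnCase code) that does the registry half of that comparison from a plain-text .reg export of the HKLM\SOFTWARE hive: installed programs are registered under ...\Microsoft\Windows\CurrentVersion\Uninstall, 32-bit programs (the ones that land in Program Files (x86)) sit under the Wow6432Node branch, and entries marked SystemComponent=1 are hidden from the Control Panel list but still visible in the hive. The export text is constructed for the illustration; the GUIDs, dates and paths in it are invented.

```python
"""List installed programs from a Windows registry export (.reg text).

Added example, not part of the original report and not EnCase output.
Installed programs are registered under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall (64-bit) and
HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
(32-bit, i.e. "Program Files (x86)"). The export below is constructed:
the product names echo the report, the GUIDs, dates and paths are invented.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-0000-0000-0000-000000000001}]
"DisplayName"="VMware Workstation"
"InstallDate"="20110410"
"InstallLocation"="C:\\Program Files\\VMware\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt]
"DisplayName"="TrueCrypt"
"DisplayVersion"="7.0a"
"InstallDate"="20110412"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GIMP-2_is1]
"DisplayName"="GIMP 2.6.11"
"InstallDate"="20110411"
"InstallLocation"="C:\\Program Files (x86)\\GIMP-2.0\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayName"="µTorrent"
"InstallDate"="20110409"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22222222-0000-0000-0000-000000000002}]
"SystemComponent"=dword:00000001
"DisplayName"="Hidden helper component"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
UNINSTALL = "\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                      # "[HKEY_...]" opens a new key
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)   # "Name"=<raw value>
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Decode a REG_SZ value ("..." with \\\\ and \\" escapes); None for other types."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def installed_programs(text, include_hidden=False):
    """Programs registered under the Uninstall keys, tagged x86/x64.

    Entries with SystemComponent=1 do not appear in 'Programs and Features'
    and are skipped unless include_hidden is set. Sorted by InstallDate."""
    programs = []
    for key, values in parse_reg_export(text).items():
        if UNINSTALL.lower() not in key.lower():
            continue
        hidden = values.get("SystemComponent", "").lower() == "dword:00000001"
        if hidden and not include_hidden:
            continue
        name = reg_string(values.get("DisplayName", ""))
        if not name:
            continue
        programs.append({
            "name": name,
            "version": reg_string(values.get("DisplayVersion", "")) or "",
            "install_date": reg_string(values.get("InstallDate", "")) or "",
            "location": reg_string(values.get("InstallLocation", "")) or "",
            "arch": "x86" if "\\wow6432node\\" in key.lower() else "x64",
            "hidden": hidden,
        })
    programs.sort(key=lambda p: p["install_date"])
    return programs


if __name__ == "__main__":
    for p in installed_programs(SAMPLE_REG_EXPORT, include_hidden=True):
        print("%-8s %-4s %-22s %s %s" % (p["install_date"], p["arch"], p["name"],
                                         p["version"], p["location"]))
```

A program present in the Uninstall key but absent from Program Files (or the reverse) is exactly the discrepancy Tasks 3 and 4 are meant to surface: deleted folders with a surviving registry entry, or portable executables that were never installed.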
TASK 5: Review of Significant Programs
If there are “significant programs” found (such as a chat program, an encryption program, etc.) a
new objective section should be created for each, such as: “Review usage of Yahoo Instant
Messenger for Evidence” or “Review usage of Kazaa File Sharing for evidence” (I’m not saying
either of these is involved in this case. These are just examples.)
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting relevant evidence from suspicious installed programs.
ACTIVITIES: Layered images were opened in photo editing software to see the different layers.
RESULTS: μTorrent – No significant information was found for this software.
VMware – It was used to download files and then save a copy of the executables or relevant information on external hard drives.
Gimp – Some images were found that show a layered view when opened in Gimp. Tdurden might have used the pictures to hide some codes. Tdurden might also be dealing in counterfeit bills. The two images are:
o Layered 20 Front
o Layered 20 Back
Image: Layered 20 Front (Layer 1)
Image: Layered 20 Front (Layer 2)
Image: Layered 20 Back (Layer 1)
Image: Layered 20 Back (Layer 2)
TASK 6: Review data files created by subject for evidence.
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting relevant evidence from data files located in different locations such as Downloads, My Documents, My Pictures, etc.
ACTIVITIES: Go to C drive > Users > Tyler.Durden.ZEROBIT > Downloads. Two executable files and one zip file were found there and are considered suspicious:
o steg.zip (Steganography)
o easy-hide-ip-3.7.6.exe
o TrueCrypt Setup 7.0.a.exe
RESULTS: Steganography is used for hiding images, files, passwords, etc. Steg.zip was found in the Downloads folder and was extracted to see the files inside it. A program named ‘Hide Password’ was also found after extracting steg.zip. So it is suspected that Tdurden might use these tools to hide his personal or sensitive information.
TrueCrypt is used to encrypt a partition or to create a virtual encrypted disk. So there is a possibility that Tdurden could use this software to exchange personal or sensitive information with others in encrypted form.
Download Folder
List of files after the extraction of steg.zip
Image found for Encryption Software
TASK 7: Review images created or downloaded by the subject for evidence
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting relevant images from different locations, downloaded or exchanged by users on that machine.
ACTIVITIES: Gallery view was used to see all images together. Gallery view was also applied to specific folders such as Downloads, Temporary Internet Files, etc. to view fewer images at a time.
RESULTS: Many images found on the hard drive were related to child pornography. Some images were related to counterfeiting and fake ID cards.
rename1.xxx rename2Technet.xxx
v12.jpg v23.jpg
Layered Image Front
Layered Image Back
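Two of the images listed in Task 7 carry a .xxx extension (rename1.xxx, rename2Technet.xxx), so the extension cannot be trusted to say what a file is; EnCase's gallery view works because it classifies by content. The Python below is an added example (not part of the report) of that signature-based identification: the first bytes of a file are matched against well-known magic values, a mismatch between content and extension is flagged, and a file with no recognisable signature is tested for high byte entropy, which is how an encrypted container such as a TrueCrypt volume (which deliberately has no header signature) stands out from ordinary data. It also recognises the layered formats (GIMP XCF, Photoshop PSD) and Outlook PST/OST files relevant to Tasks 5 and 9. The sample byte strings are constructed for the illustration.

```python
"""Identify file types from content rather than extension.

Added example, not from the original report and not EnCase code. Files
renamed to a misleading extension are still recognised by their magic
bytes; files with no signature are scored by Shannon entropy so that
encrypted containers (which look like random data) are flagged for review.
All sample "files" below are constructed byte strings.
"""
import math
import os

# (description, extensions that legitimately carry this content, magic bytes at offset 0)
SIGNATURES = [
    ("JPEG image",                    {".jpg", ".jpeg"}, b"\xff\xd8\xff"),
    ("PNG image",                     {".png"},          b"\x89PNG\r\n\x1a\n"),
    ("GIF image",                     {".gif"},          b"GIF8"),
    ("GIMP XCF image (layered)",      {".xcf"},          b"gimp xcf "),
    ("Photoshop PSD image (layered)", {".psd"},          b"8BPS"),
    ("ZIP archive",                   {".zip", ".docx"}, b"PK\x03\x04"),
    ("Windows executable",            {".exe", ".dll"},  b"MZ"),
    ("Outlook PST/OST mailbox",       {".pst", ".ost"},  b"!BDN"),
    ("PDF document",                  {".pdf"},          b"%PDF-"),
]

ENTROPY_THRESHOLD = 7.5   # bits/byte; compressed or encrypted data sits near 8.0

# Constructed sample files: a JPEG hidden behind .xxx, a layered XCF, a GIF
# posing as text, a mailbox, real text, and a uniformly distributed blob that
# stands in for an encrypted container (every byte value equally frequent).
SAMPLE_FILES = {
    "rename1.xxx":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "front.xcf":     b"gimp xcf v011\x00" + b"\x00" * 32,
    "notes.txt":     b"GIF89a" + b"\x00" * 16,
    "outlook.ost":   b"!BDN" + b"\x00" * 60,
    "plain.txt":     b"meeting notes for monday\n" * 4,
    "container.dat": bytes(range(256)) * 4,
}


def identify(head):
    """Return (description, extensions) for the first matching signature, else None."""
    for desc, exts, magic in SIGNATURES:
        if head.startswith(magic):
            return desc, exts
    return None


def shannon_entropy(data):
    """Entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name, data):
    """Classify one file by content; flag extension/content mismatches."""
    ext = os.path.splitext(name)[1].lower()
    hit = identify(data[:16])
    if hit:
        desc, exts = hit
        return {"name": name, "type": desc, "mismatch": ext not in exts}
    # No known signature: decide between ordinary unknown data and a
    # random-looking blob such as an encrypted volume.
    ent = shannon_entropy(data)
    verdict = ("unknown, high entropy (possible encrypted container)"
               if ent > ENTROPY_THRESHOLD else "unknown")
    return {"name": name, "type": verdict, "mismatch": False, "entropy": round(ent, 2)}


def triage_all(files):
    """Triage a {name: bytes} mapping, sorted by name."""
    return [triage(name, data) for name, data in sorted(files.items())]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_FILES):
        flag = "  <-- extension does not match content" if r["mismatch"] else ""
        print("%-14s %s%s" % (r["name"], r["type"], flag))
```

Entropy alone cannot distinguish an encrypted container from a compressed archive without a header, so a high-entropy hit is a reason to look closer, not a conclusion; the file sizes typical of a TrueCrypt volume and the absence of any signature are what together make it worth listing.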
TASK 8: Review internet history for evidence
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting relevant evidence from internet history by examining web history, internet searches, etc.
ACTIVITIES: Internet history can be retrieved as follows:
Records > Internet > Internet Explorer (Windows) > Typed URL
Records > Internet > Internet Explorer (Windows) > Visited Link
Records > Internet > Mozilla 3 (Windows/Mac)
RESULTS: Tdurden searched for and visited many websites, including the following:
o How to make a fake ID
o Hiding Text in Text Steganography
o Free Encryption Software
He also downloaded some software such as TrueCrypt, Gimp, etc. These downloads and searches make him a real suspect.
Search: How to make fake ID
Download: Easy-Hide-IP
Download: Gimp
Download: OST to PST Converter
Search: Hiding Text in Text Steganography
Download: TrueCrypt
Search: Free Encryption Software
TASK 9: Review Emails for evidence
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Look into the email histories of all user accounts and find their relevance to other keywords and findings.
ACTIVITIES: Checked Microsoft Outlook data for the following users:
User Account 1: tyler.durden
Location: C:\Users\tyler.durden\AppData\Local\Microsoft\Outlook\[email protected]m.pst
User Account 2: Tyler.Durden.ZEROBIT
Location: C:\Users\Tyler.Durden.ZEROBIT\AppData\Local\Microsoft\Outlook\outlook.ost
RESULTS:
o Tyler Durden used two email addresses for communication. His email addresses are [email protected] and [email protected] (created on April 08, 2011 02:44:11 PM).
o Norman Peterson ([email protected]) sent a welcome email to
o Tyler Durden mostly communicated with The German. The German has a Yahoo address with the same ID.
o Their company decided to develop Employee Monitoring Tools, which makes personal communication difficult for them. As a result, they decided to encrypt their material and wanted to use Instant Messenger (IM) instead of company phones.
o They use TrueCrypt for encryption.
o Tyler Durden used his two different email addresses to send/receive email to his own address to check whether it works through Gmail. He also sent attachments to check his mail configuration.
Screenshot of the location of Outlook file - User Account: tyler.durden
Location: C:\Users\tyler.durden\AppData\Local\Microsoft\Outlook\[email protected]\
Screenshot of the location of Outlook file - User Account: Tyler.Durden.ZEROBIT
Location: C:\Users\Tyler.Durden.ZEROBIT\AppData\Local\Microsoft\Outlook\outlook.ost
Proof of Two Email IDs of The German
Proof of Attachment: Employee Monitoring
Email Evidence: Employee Monitoring Tools
Email Evidence: Use of TrueCrypt
Email Evidence: Employee Monitoring.doc as attachment
Email Evidence: Welcome email from Norman
Email Evidence: Pornography image as attachment
TASK 10: Search drive for keywords discovered during investigation so far
DATE/TIME: Begin – April 13, 2015 12:50 PM Central Time
End – April 14, 2015 10:10 PM Central Time
OBJECTIVE: Getting relevant evidence based on keywords.
ACTIVITIES: A search was done based on the keywords listed in the results below.
RESULTS: Potential keywords are: Tdurden, tyler.durden, Tyler.Durden.ZEROBIT, tdurden1263, steganography, steg, crypt, truecrypt, hide, hide-easy-ip, porn, VMware, GIMP, μTorrent, zip, layered, .jpg, .doc, .docx, .txt
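The keyword list in Task 10 is the input to EnCase's raw keyword search across the whole drive, including unallocated space. The Python below is an added example (not from the report and not EnCase code) of the core of such a search over a raw byte buffer: each keyword is matched case-insensitively both as ASCII and as UTF-16LE, because Windows stores file names, registry values and Outlook data in UTF-16LE and an ASCII-only search silently misses them. The buffer standing in for a slice of unallocated space, and every hit in it, are constructed for the illustration; the keywords are a subset of those listed above.

```python
"""Raw keyword search in ASCII and UTF-16LE over a byte buffer.

Added example, not part of the original report and not EnCase code.
The sample buffer imitates a slice of unallocated disk space holding an
ASCII web-request fragment and UTF-16LE path strings; it is constructed.
"""
import re

# Subset of the Task 10 keyword list (no non-ASCII entries).
KEYWORDS = ["tyler.durden", "tdurden1263", "steganography", "truecrypt",
            "hide", "easy-hide-ip", "layered", "vmware", "gimp"]

SAMPLE_BUFFER = (
    b"\x00" * 7
    + b"GET /search?q=hiding+text+in+text+steganography HTTP/1.1\r\n"
    + b"\x00" * 5
    + "C:\\Users\\Tyler.Durden.ZEROBIT\\Downloads\\TrueCrypt Setup 7.0a.exe".encode("utf-16-le")
    + b"\x00" * 3
    + b"easy-hide-ip-3.7.6.exe"
    + b"\x00" * 4
    + "Layered 20 Front.xcf".encode("utf-16-le")   # deliberately at an odd offset
)


def keyword_patterns(keywords):
    """One case-insensitive bytes pattern per (keyword, encoding).

    re.IGNORECASE on a bytes pattern folds ASCII letters byte by byte, which
    also covers UTF-16LE text because each Latin letter is <byte>\\x00 there."""
    pats = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pats.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return pats


def search(buffer, keywords=KEYWORDS, context=12):
    """Return hits as dicts with offset, keyword, encoding and decoded context.

    `context` is measured in characters, so UTF-16LE hits take twice the bytes
    and the slice start is kept aligned to the hit's own code-unit boundary."""
    hits = []
    for kw, enc, pat in keyword_patterns(keywords):
        width = context * (2 if enc == "utf-16-le" else 1)
        for m in pat.finditer(buffer):
            start, end = m.span()
            lo = max(0, start - width)
            if enc == "utf-16-le" and (start - lo) % 2:
                lo += 1
            text = buffer[lo:end + width].decode(enc, errors="replace")
            hits.append({"offset": start, "keyword": kw, "encoding": enc,
                         "context": text.replace("\x00", "").replace("\ufffd", "?")})
    hits.sort(key=lambda h: (h["offset"], h["keyword"]))
    return hits


def summarize(hits):
    """Hit count per keyword, for a quick sanity check of noisy terms."""
    counts = {}
    for h in hits:
        counts[h["keyword"]] = counts.get(h["keyword"], 0) + 1
    return counts


if __name__ == "__main__":
    found = search(SAMPLE_BUFFER)
    for h in found:
        print("0x%06x %-9s %-14s %r" % (h["offset"], h["encoding"], h["keyword"], h["context"]))
    print(summarize(found))
```

In the sample, "hide" fires inside "easy-hide-ip" as well, and "hiding" in the search query does not match it at all; short keywords inflate hit counts while stemmed forms are missed, which is why the per-keyword summary deserves a look before any count is quoted in a report.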
Case Narrative
As a requirement of CS 537, we were given a case named Tdurden for investigation. The case file contained a hard drive from Tyler Durden’s computer. Our task was to perform forensic analysis of the hard drive. EnCase software was provided to perform the analysis.
At the very beginning, we had to process the evidence in EnCase. Once it is processed, the hard drive is ready for analysis. EnCase helps us to search, collect, preserve, and analyze data from hard drives.
I performed all the given tasks (presented in this report) on the Tdurden hard drive. After carefully analyzing the evidence, it is likely that Tdurden is involved in some illegal activities such as child pornography, counterfeiting, credit card misuse, fake ID creation, etc. His internet usage history, download history and email conversations prove these activities. He had email conversations about using software for encrypting data and images for communication. Later he downloaded and installed the software to perform the encryption. Similarly, a folder (steg.zip) related to steganography was found in the Downloads folder. Steganography is used for hiding images, files, passwords, etc. I also found a few layered images that relate to counterfeiting. Once the images were opened in image editing software, the second layer of those images was found to be twenty dollar bills. Moreover, some images and documents exchanged over email match Bill Basher’s files. Bill Basher is also a suspect for child pornography.
Finally, the case has enough evidence to suspect Tdurden as guilty. However, additional investigation should be performed before reaching a conclusive finding.