CYB624 Final Case: Evidence Links Suspect to Smuggling Sea Monkeys
Final: WK8
Course Name: CYB624
Professor: Tony DeSarro
Date: 10/17/2014
Examiner Name: Raymond Gonzales
Page 2 of 15
Table of Contents
List of Illustrative Materials............................................................................................................ 3
Tables.......................................................................................................................................... 3
Figures......................................................................................................................................... 3
Executive Summary........................................................................................................................ 4
Background ................................................................................................................................. 4
Request........................................................................................................................................ 4
Summary of Findings.................................................................................................................. 4
Evidence...................................................................................................................................... 5
Collection and Analysis .................................................................................................................. 6
Collection.................................................................................................................................... 6
Analysis....................................................................................................................................... 6
Conclusion .................................................................................................................................... 12
Appendix....................................................................................................................................... 13
Appendix A: Examiner Workstation Specifications ................................................................. 13
Appendix B: Tools.................................................................................................................... 14
Appendix C: Evidence Verification.......................................................................................... 15
List of Illustrative Materials
Tables
Table 1: Case evidence items.......................................................................................................... 5
Table 2: Suspect’s timeline of suspicious Internet browsing activities .......................................... 7
Table 3: Evidence verification table ............................................................................................. 15
Figures
Figure 1: Processed Internet Browsing Records............................................................................. 7
Figure 2: Mountain Standard Time (UTC -7)................................................................................. 7
Figure 3: Fully Expanded Yahoo Folder Tree ................................................................................ 8
Figure 4: Retrieved Yahoo IM Conversation.................................................................................. 8
Figure 5: Unusual Discoloration within the Eagle Image............................................................... 9
Figure 6: Hidden message within the .gif file ................................................................................. 9
Figure 7: Shipment Information within the locked BillsFile.doc file ........................................... 10
Figure 8: Packet of Sea-Monkeys ................................................................................................. 11
Figure 9: Sea-Monkey Aquarium ................................................................................................. 11
Executive Summary
Background
Law enforcement officials, acting on a tip, open an investigation into the illegal smuggling of wild animals into the country. A search of several boxes recently shipped to the suspect's house reveals toys and statues, but no evidence of animals. The suspect does not own a computer, but a USB drive in his possession is seized. A search of a P.O. Box used by the suspect yields a scrap of paper with the words “in the eagles” on it. The D.A. requested that a copy of the contents of the USB drive be placed in a zip file and made available for download via the Engage website.
Request
The District Attorney (D.A.), Miguel Prado, has requested that the examiner analyze the contents of the suspect’s imaged USB drive for evidence connecting the suspect to the illegal smuggling of wild animals into the country. The D.A. is interested in evidence connecting the suspect to: the animals being smuggled into the country; where the cargo was hidden; where the containers were purchased; the exact date, time, and time zone when the containers were purchased; the seller’s EBay user account name; any chat sessions between the seller and buyer; and any evidence proving that the digital data was altered or destroyed by the user. The D.A. has also requested that the examiner provide a recommendation for a plan forward in order to identify the true identity of the EBay seller.
Summary of Findings
As requested by the D.A., the examiner performed a forensic analysis on the files contained within the suspect’s USB image. Using various forensic methods and tools, the examiner was able to identify the evidence requested by the District Attorney.
The examiner identified that the suspect went onto the EBay website on 4/25/2007 at 9:17 AM MST and purchased a set of NFL Eagles bobble heads from a seller who goes by the EBay user ID “psa-looker.” Within the files on the USB image the examiner located a conversation that occurred on 4/26/2007 between the suspect and the seller about the status of the order and how the suspect could locate the order details. The examiner analyzed the remaining files within the USB image and identified that Sea Monkeys were the animals being smuggled in the bobble heads purchased from the EBay website.
No actual evidence was found on the suspect’s USB image that connects the suspect to the altering or destroying of any digital data on the USB device. However, the examiner located suspicious browsing activity on a website named “Metasploit” and a suspicious .exe file named “timestomp” on the suspect’s USB image. Timestomp.exe is a known tool used by penetration testers and hackers to conceal their actions from digital forensic investigators by altering the MAC (modified, accessed, created) dates and times of files on the system.
The examiner recommends that the EBay user account of the suspect be confiscated by the FBI in order to set up a sting operation that will expose the real identity of “psa-looker.” With the assistance of the forensic investigator, the FBI can use the suspect’s EBay account to create interactions with the seller in order to gather more intelligence on the seller. With proper coordination between both parties the identity of “psa-looker” can be revealed and the criminal brought to justice.
Evidence
Table 1 outlines the evidence items of this case.
Description | Designation | Filename | MD5 Hash
Evidence Provided | Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Evidence Created | Working Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Evidence Examined | Working Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Table 1: Case evidence items
Collection and Analysis
Collection
On 10/17/2014, a file named “CYB624-WK8-Final_Assignment_Files.zip” was provided to the examiner for analysis via the Engage website. The examiner downloaded and saved the file onto a formatted external storage device, a Maxtor OneTouch 4 Mini (SN: 2HASD0QQ), and designated this storage device as the preservation copy. The examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the preservation copy drive using WinMD5 v1.20 and confirmed that the hash value matched the MD5 hash value provided on the Engage website.
Using the copy-and-paste function in Windows, the examiner copied the CYB624-WK8-Final_Assignment_Files.zip file from the preservation copy drive onto the desktop of a Toshiba Satellite C55-B (SN: 6E095367P), and designated this storage device as the working copy. With write protection enabled, the examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the examiner’s machine using WinMD5 v1.20 and confirmed that the hash values of the preservation and working copies matched.
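The two hash checks described above (preservation copy against the published hash, then working copy against preservation copy), written out as an added Python example. This is not code from the report or from WinMD5; the file contents, directory names and the `demo()` walk-through are constructed stand-ins for the real evidence archive, and the "published" hash is read from a variable rather than from the Engage website.

```python
import hashlib
import os
import shutil
import tempfile

# MD5 recorded for the evidence file in the report's evidence tables.
PUBLISHED_MD5 = "4864D6EDC2309692CAF9DB101961A603"


def md5_bytes(data):
    """MD5 of an in-memory byte string, upper-case hex to match the report's tables."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so a large image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_chain(preservation_path, working_path, published_md5):
    """Run the two checks the Collection section describes and return their results.

    1. preservation copy matches the hash published with the download
    2. working copy matches the preservation copy
    """
    pres = md5_file(preservation_path)
    work = md5_file(working_path)
    return {
        "preservation_md5": pres,
        "working_md5": work,
        "preservation_matches_published": pres == published_md5.upper(),
        "working_matches_preservation": work == pres,
    }


def demo():
    """Constructed walk-through: a stand-in zip, a faithful copy, then a modified copy.

    Returns (result_for_intact_copy, result_for_modified_copy).
    """
    tmp = tempfile.mkdtemp()
    try:
        pres = os.path.join(tmp, "preservation", "CYB624-WK8-Final_Assignment_Files.zip")
        work = os.path.join(tmp, "working", "CYB624-WK8-Final_Assignment_Files.zip")
        os.makedirs(os.path.dirname(pres))
        os.makedirs(os.path.dirname(work))
        with open(pres, "wb") as f:
            # Constructed placeholder bytes; not the real evidence archive.
            f.write(b"constructed placeholder, not the real evidence zip\n" * 1000)
        # Stand-in for the hash published on the download site: here it is
        # computed from the placeholder file itself.
        published = md5_file(pres)

        shutil.copyfile(pres, work)          # the copy-and-paste step
        intact = verify_chain(pres, work, published)

        with open(work, "ab") as f:          # simulate a working copy written to after copying
            f.write(b"X")
        modified = verify_chain(pres, work, published)
        return intact, modified
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for label, result in zip(("intact copy", "modified copy"), demo()):
        print(label, result)
```

The second check is the one that catches the failure mode the report guards against with write protection: a working copy that has been touched after copying no longer matches the preservation copy even though the preservation copy still matches the published hash.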
Analysis
With write protection enabled, the working copy (CYB624-WK8-Final_Assignment_Files.zip) on the examiner’s machine was used for forensic analysis. The CYB624-WK8-Final_Assignment_Files.zip was opened on the examiner’s machine and a folder named “CYB624-WK8-Final_Assignment_Files” was created on the desktop. The directory and files within the zip file were then exported into that folder.
The examiner opened the desktop folder CYB624-WK8-Final_Assignment_Files to verify that all of the evidence had been transferred successfully from the .zip file into the specified folder. The examiner noticed that two specific evidence files, Thumbs.db and timestomp.exe, were not visible within the folder. The examiner opened the Control Panel on the examiner’s machine, navigated to the Folder Options, selected “show hidden files, folders, and drives” and deselected “hide protected operating system files” in order to display the remaining evidence files.
The D.A. requested that the examiner analyze the suspect’s USB files for evidence confirming what kind of containers are being used to smuggle the animals and identifying where these containers are being purchased from. The D.A. is also interested in knowing the exact date, time, and time zone at which the suspect purchased the containers from the vendor. The examiner opened Net Analysis v1.57, loaded the directory folder “PortableApps” into the tool, and commanded the tool to search the entire directory for all Internet browsing history files. The Net Analysis tool located the only browsing history file within the PortableApps directory and began to process the information as seen in figure 1.
Figure 1: Processed Internet Browsing Records
Once the data was processed, the Net Analysis tool displayed the Internet browsing history of the suspect. Using the capabilities of the Net Analysis tool, the examiner identified the suspect’s time zone as UTC -7, Mountain Standard Time (MST), as seen in figure 2.
Figure 2: Mountain Standard Time (UTC -7)
Using the filtering and sorting capability of the Net Analysis tool, the examiner ordered the Internet browsing history by date and time in descending order. The examiner then analyzed the suspect’s web browsing history line by line in order to create a timeline of suspicious activities performed by the suspect and to locate the specific purchasing information requested by the District Attorney.
Table 2 outlines the suspect’s timeline of suspicious Internet browsing activities.
Date | Time | Activity | Notes
4/25/2007 | 8:42 AM MST | Suspect first accesses the EBay website. | 
4/25/2007 | 9:07-9:09 AM MST | The suspect accesses the Metasploit website and performs research on the anti-forensic tool timestomp.exe. | Timestomp.exe was one of the identified files on the suspect’s USB.
4/25/2007 | 9:17 AM MST | The suspect’s last browsing activities consist of browsing the EBay website and purchasing a Donovan McNabb road player set figure sold by the EBay seller “psa-looker”. | The item browsed, EBay seller ID, and purchase information are all identified within the string of Internet browsing data.
Table 2: Suspect’s timeline of suspicious Internet browsing activities
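Browser history files store timestamps as UTC values, and the report has to present them in the suspect’s zone (MST, UTC -7) even though the examiner’s workstation runs on PST (Appendix A). The following added Python example, which is not part of the report and not Net Analysis code, renders constructed history records in a chosen fixed-offset zone and orders them newest first as in Table 2. The epoch values are constructed to land on the clock times in Table 2; the URLs are placeholders, not the suspect’s real history.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets as the report states them: evidence displayed in MST (UTC-7),
# examiner workstation set to PST (UTC-8, Appendix A). Fixed offsets are used
# deliberately; daylight-saving rules are not applied here.
MST = timezone(timedelta(hours=-7), "MST")
PST = timezone(timedelta(hours=-8), "PST")

# Constructed history records: (UTC epoch seconds, URL). 1177517820 is
# 2007-04-25 16:17:00 UTC, i.e. 9:17 AM MST; the other two are 35 and 10
# minutes earlier, matching the 8:42 and 9:07 entries of Table 2.
SAMPLE_HISTORY = [
    (1177515720, "http://www.ebay.com/ [constructed]"),
    (1177517220, "http://www.metasploit.com/ [constructed]"),
    (1177517820, "http://www.ebay.com/purchase [constructed]"),
]


def fmt(ts_utc, tz):
    """Render a UTC epoch second in the given zone, with the zone name attached."""
    return datetime.fromtimestamp(ts_utc, tz=tz).strftime("%m/%d/%Y %I:%M %p %Z")


def timeline(records, tz=MST, descending=True):
    """Rows of (local time string, url), newest first like the tool view used in the report."""
    return [(fmt(ts, tz), url) for ts, url in sorted(records, reverse=descending)]


def skew_check(ts_utc):
    """The same record in the evidence zone and in the examiner's workstation zone.

    Shows the one-hour shift that would appear if the workstation zone were
    used by mistake when writing up times.
    """
    return fmt(ts_utc, MST), fmt(ts_utc, PST)


if __name__ == "__main__":
    for row in timeline(SAMPLE_HISTORY):
        print(*row)
    print(skew_check(1177517820))
```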
The examiner was requested by the D.A. to examine the suspect’s USB files for any saved Yahoo chat conversations that the suspect may have stored on the USB. If Yahoo chat conversations were discovered on the suspect’s USB, the D.A. was interested in knowing what was said in them. The examiner opened the Forensic Tool Kit (FTK) v1.81.5 Demo tool and created a new case titled “CYB624_Wk8/ Case 008” for processing the data located in the Yahoo folder. The examiner configured the FTK tool to process the data for: MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports. The examiner loaded the Yahoo folder as evidence into the FTK tool and processed it. Once the Yahoo data was processed by the FTK tool, the examiner began analysis of the processed data. The examiner fully expanded the folder directory of the Yahoo folder within the FTK tool in order to reach the processed data located in the folder titled “exoticnillegal,” as seen in figure 3.
Figure 3: Fully Expanded Yahoo Folder Tree
Contained within the “exoticnillegal” folder was a file holding the saved data of a Yahoo IM conversation that occurred on 4/26/2007 between the seller and the suspect, as seen below in figure 4.
Figure 4: Retrieved Yahoo IM Conversation
The Yahoo IM conversation between the suspect (uc356z) and the seller (psa-looker) consisted of the seller sending pictures to the suspect confirming the purchase order of the illegal animals. The seller explained to the suspect that the suspect would be receiving two files from the seller. One file would contain the details of the shipment and the other file would contain a key that would unlock the protected document. The seller provided the suspect with the hint that the key would be located “in the eagle.”
Using the information gained from the Yahoo IM conversation, the examiner opened the .gif file titled “Bird2” located on the image of the suspect’s USB. The Bird2.gif file contained an image of a bald eagle with some unusual discoloration, as seen in figure 5.
Figure 5: Unusual Discoloration within the Eagle Image
Slight abnormalities in colors and pixelation in an image are usually signs that the raw data of the image has been modified from its original state. The examiner opened the WinHex v17.9 tool on the examiner’s machine in order to investigate the suspicious .gif image further. Within the ASCII column of the hex editor the examiner identified the hidden message “password Imabadguy,” as seen in figure 6 below. The raw data of the .gif file had been altered from hex offset 0x240 through hex offset 0x251 in order to insert the hidden key.
Figure 6: Hidden message within the .gif file
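The hex-editor finding above (a readable ASCII string sitting inside binary image data at a known offset range) can be reproduced programmatically with a `strings`-style scan that reports offsets. The following added Python example is not code from the report or from WinHex: it checks for a GIF signature, lists every run of printable ASCII of a minimum length with its start and end offsets, and exercises this on a constructed byte string that places a message at 0x240 so the reported range matches the one in the report. The constructed image is not Bird2.gif; only its header and palette are structurally valid GIF.

```python
import re

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def is_gif(data):
    """True when the data carries a GIF header signature."""
    return data[:6] in GIF_SIGNATURES


def find_ascii_runs(data, min_len=8):
    """'strings'-style scan: (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def report(data, min_len=8):
    """Summarise a file the way the hex-editor finding in this section is written up."""
    runs = find_ascii_runs(data, min_len)
    return {
        "is_gif": is_gif(data),
        "runs": [(f"0x{off:X}-0x{off + len(txt) - 1:X}", txt) for off, txt in runs],
    }


def build_sample_gif(message, offset):
    """Constructed test image: GIF89a header and 2-colour palette, zero filler, then `message` at `offset`."""
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # 1x1 screen, global colour table flag set
    palette = b"\x00\x00\x00\xff\xff\xff"                          # black, white
    buf = bytearray(header + palette)
    buf.extend(b"\x00" * (offset - len(buf)))                       # filler up to the injection point
    buf.extend(message)
    buf.extend(b"\x00\x3b")                                          # 0x3B is the GIF trailer byte
    return bytes(buf)


# Constructed sample: the message the report found, at the offset the report gives.
SAMPLE = build_sample_gif(b"password Imabadguy", 0x240)


if __name__ == "__main__":
    print(report(SAMPLE))
```

A minimum run length of 8 keeps the six-byte `GIF89a` signature and short palette bytes out of the output, so on the constructed sample the only run reported is the 18-byte message spanning 0x240 to 0x251. On a real file the scan is a triage step: every run it returns still has to be checked by hand in the hex view, because image data can contain printable bytes by chance.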
Having found the hidden password within the .gif file of the eagle, the examiner opened the .doc file titled “BillsFile.” As expected, when attempting to open the document a pop-up window appeared asking for the password. The examiner entered the extracted password “Imabadguy” into the pop-up window and the file opened. The password-locked document contained a note saying, “Your order shipped today via FedEx. You will find the cargo inside the items below.” An image of a set of Philadelphia Eagles bobble heads was attached within the file along with the seller’s EBay user ID (psa-looker), as seen in figure 7 below.
Figure 7: Shipment Information within the locked BillsFile.doc file
The examiner then analyzed the last remaining files within the suspect’s USB drive image. The suspect’s file titled “Thumbs.db” is a Windows thumbnail cache file that contains information about images that were downloaded by the suspect. The examiner opened the Forensic Tool Kit (FTK) v1.81.5 Demo tool and created a new case titled “CYB624_Wk8/ Thumbs” for processing the data located in the Thumbs.db file. The examiner configured the FTK tool to process the data for: MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports. The examiner loaded the Thumbs.db file into the FTK tool and processed it. Once the Thumbs.db file was processed, the examiner analyzed the processed data and was able to extract three images from the Thumbs.db file, one of which was Bird2.gif. The remaining two images extracted from the .db file were the files sent to the buyer by the seller per their Yahoo IM conversation. The images below in figures 8 and 9 show that the illegal animals being shipped in the Philadelphia Eagles bobble heads are Sea-Monkeys.
Figure 8: Packet of Sea-Monkeys
Figure 9: Sea-Monkey Aquarium
The D.A. requested that the examiner provide evidence confirming or denying the suspicion that the suspect may have altered or deleted digital evidence from the USB device. Throughout the entire forensic investigation of the suspect’s USB device the examiner was only able to identify suspicious behaviors within the suspect’s USB files. The examiner identified that the suspect had the anti-forensic tool timestomp.exe saved on the USB device. Timestomp is an anti-forensic tool primarily used by penetration testers and hackers in order to mask the changes they make to a system. The next suspicious behavior was discovered during the analysis of the suspect’s browsing history: the suspect had visited the Metasploit anti-forensics website and performed research on the anti-forensic tool timestomp. Neither of these suspicious activities provides solid evidence that the suspect altered or deleted digital evidence from the USB device.
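The report stops at the presence of timestomp.exe because it found no direct evidence of altered timestamps. One published heuristic for detecting timestamps that were rewritten by a second-resolution tool is to look for files whose modified and accessed times have no sub-second component on a filesystem that normally records one. The following added Python example is not part of the report and is not something the examiner ran; it walks a directory, flags files whose M and A times are exact whole seconds, and exercises the check on a constructed temporary directory. The filename, contents and epoch values are constructed. The caveat matters here: FAT volumes round timestamps to 2-second granularity, so on a FAT-formatted USB stick every file trips this check and the result means nothing until the filesystem type is known.

```python
import os
import shutil
import tempfile

NS_PER_SECOND = 1_000_000_000


def has_whole_second_times(st):
    """True when both the modified and accessed times carry no sub-second component."""
    return (st.st_mtime_ns % NS_PER_SECOND == 0
            and st.st_atime_ns % NS_PER_SECOND == 0)


def whole_second_files(root):
    """Relative paths of files under root whose M and A times are exact whole seconds.

    On a filesystem that keeps sub-second precision (NTFS, ext4, tmpfs), a
    timestamp written with second-only resolution stands out this way. On FAT
    volumes every file looks like this, so check the filesystem type first.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if has_whole_second_times(os.stat(path)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed sample: one file with a natural timestamp, one reset to a whole second."""
    tmp = tempfile.mkdtemp()
    try:
        # 1_177_517_820 = 2007-04-25 16:17:00 UTC, i.e. 9:17 AM MST (constructed value).
        base = 1_177_517_820
        natural = os.path.join(tmp, "sample_a.txt")
        reset = os.path.join(tmp, "sample_b.txt")
        for path in (natural, reset):
            with open(path, "wb") as f:
                f.write(b"constructed sample content\n")
        # Natural timestamp: nanosecond part present (a multiple of 100 ns so NTFS keeps it too).
        t = base * NS_PER_SECOND + 123_456_700
        os.utime(natural, ns=(t, t))
        # Timestamp written with second-only resolution: sub-second part is zero.
        t0 = base * NS_PER_SECOND
        os.utime(reset, ns=(t0, t0))
        return whole_second_files(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("whole-second M/A times:", demo())
```

A hit from this check is a lead, not proof: a file copied with a tool that truncates times, or one that came from a coarse-resolution filesystem, produces the same pattern, which is why the report's own conclusion (suspicious, not conclusive) is the right standard for evidence of this kind.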
Lastly, the examiner was requested by the D.A. to provide a recommendation for a plan of action to identify the true identity of psa-looker. The examiner recommends that a team consisting of the FBI and a group of forensic investigators work together in a joint effort to identify psa-looker and bring the criminal to justice. The examiner recommends that the EBay user account of the suspect be confiscated by this joint task force and a plan be made to perform a sting operation that will expose the real identity of psa-looker. With the FBI and the forensic team working together in this joint effort, a methodical and tactical plan consisting of controlled interactions from the suspect’s account can yield intelligence on the real identity of psa-looker and ultimately bring the criminal to justice.
Conclusion
Miguel Prado, the District Attorney, has requested that the examiner analyze the imaged files of the suspect’s USB device and identify evidence connecting the suspect to the illegal smuggling of exotic animals into the country. The D.A. is interested in knowing specific details relating to: what animals are being smuggled into the country; where the animals are being hidden; where the containers for the illegal animals are being purchased; the seller’s EBay user account name; the exact date, time, and time zone of when the containers are being purchased; evidence of any Yahoo conversations; and any evidence that the digital data has been altered or destroyed by the user. The D.A. also requested that the examiner provide recommendations on how the true identity of the seller can be discovered.
The examiner performed an analysis on the USB files using a variety of forensic investigation techniques and tools. The examiner identified evidence showing that the suspect used the EBay website to purchase a Donovan McNabb NFL Eagles Road-Player Set bobble head doll from a seller who goes by the EBay user account “psa-looker” on 4/25/2007 at 9:17 AM (UTC -7, MST). Further, evidence shows that the bobble head containers purchased on EBay from “psa-looker” were to be used to smuggle Sea-Monkeys into the country. The USB data from the Yahoo folder provided information about a previous Yahoo IM conversation between the buyer and the seller that discussed the details of the shipment. Images of the Sea Monkeys were sent to the buyer via that Yahoo IM conversation in order to confirm the purchase by the suspect. Throughout the entire forensic investigation of the suspect’s USB device the examiner was only able to identify suspicious activities relating to the altering or deleting of data on the USB device; the examiner was never able to identify any actual evidence proving that the suspect had altered or deleted digital data from the USB device. The examiner recommends to the D.A. that a joint operation be conducted between the forensic investigators and law enforcement in order to develop a plan to identify the true identity of psa-looker and bring the criminal to justice.
Appendix
Appendix A: Examiner Workstation Specifications
• Computer Name: SonGoku
• Operating System (OS) Name: Windows
• OS Version: Windows 8.1
• System Make/Model: Toshiba Satellite C55-B
• System Serial Number: 6E095367P
• Time Zone of Examiner Machine: Pacific Standard Time (PST)
Appendix B: Tools
• WinMD5Free v1.20
• WinHex v17.9
• FTK v1.81.5
• Net Analysis v1.57
Appendix C: Evidence Verification
Table 3 outlines the hashes obtained throughout the evidence verification process. WinMD5
v1.20 was used to calculate MD5 hashes.
Designation | Filename | MD5 Hash | Description
PRE-ANALYSIS
Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Image file of suspect’s USB device. Downloaded from Engage.
Working Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Working copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.
POST-ANALYSIS
Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Image file of suspect’s USB device. Downloaded from Engage.
Working Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Working copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.
Table 3: Evidence verification table

Mais conteúdo relacionado

Semelhante a CYB624 Final Case: Evidence Links Suspect to Smuggling Sea Monkeys

Unit-2 Process of Digital Forensics [Autosaved].pptx
Unit-2 Process of Digital Forensics [Autosaved].pptxUnit-2 Process of Digital Forensics [Autosaved].pptx
Unit-2 Process of Digital Forensics [Autosaved].pptxSunny94841
 
Lab 1 Bag & Tag (cyber forensics)
Lab 1 Bag & Tag (cyber forensics)Lab 1 Bag & Tag (cyber forensics)
Lab 1 Bag & Tag (cyber forensics)MUSAAB HASAN
 
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaignQuasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaignESET Middle East
 
E discovery2
E discovery2E discovery2
E discovery2elijaht
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptSurajgroupsvideo
 
Sound E-Discovery Collection Practices
Sound E-Discovery Collection PracticesSound E-Discovery Collection Practices
Sound E-Discovery Collection PracticesSeth Row
 
WRIGHT_JEREMY_1000738685-1
WRIGHT_JEREMY_1000738685-1WRIGHT_JEREMY_1000738685-1
WRIGHT_JEREMY_1000738685-1Jeremy Wright
 
Prison Management System Best
Prison Management System BestPrison Management System Best
Prison Management System BestBinyam Eshetu
 
Throughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jouThroughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative joumarilynnhoare
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsSamantha Vargas
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
A Novel Methodology for Offline Forensics Triage in Windows Systems
A Novel Methodology for Offline Forensics Triage in Windows SystemsA Novel Methodology for Offline Forensics Triage in Windows Systems
A Novel Methodology for Offline Forensics Triage in Windows SystemsIRJET Journal
 
Examining computer and evidence collection
Examining computer and evidence collectionExamining computer and evidence collection
Examining computer and evidence collectiongagan deep
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic MethodologiesLedjit
 

Semelhante a CYB624 Final Case: Evidence Links Suspect to Smuggling Sea Monkeys (20)

Unit-2 Process of Digital Forensics [Autosaved].pptx
Unit-2 Process of Digital Forensics [Autosaved].pptxUnit-2 Process of Digital Forensics [Autosaved].pptx
Unit-2 Process of Digital Forensics [Autosaved].pptx
 
Lab 1 Bag & Tag (cyber forensics)
Lab 1 Bag & Tag (cyber forensics)Lab 1 Bag & Tag (cyber forensics)
Lab 1 Bag & Tag (cyber forensics)
 
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaignQuasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Forensic Procedures
Forensic ProceduresForensic Procedures
Forensic Procedures
 
E discovery2
E discovery2E discovery2
E discovery2
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
 
Sound E-Discovery Collection Practices
Sound E-Discovery Collection PracticesSound E-Discovery Collection Practices
Sound E-Discovery Collection Practices
 
DOJ
DOJDOJ
DOJ
 
WRIGHT_JEREMY_1000738685-1
WRIGHT_JEREMY_1000738685-1WRIGHT_JEREMY_1000738685-1
WRIGHT_JEREMY_1000738685-1
 
Crime scene-investigation
Crime scene-investigationCrime scene-investigation
Crime scene-investigation
 
Prison Management System Best
Prison Management System BestPrison Management System Best
Prison Management System Best
 
Throughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jouThroughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jou
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis Tools
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
A Novel Methodology for Offline Forensics Triage in Windows Systems
A Novel Methodology for Offline Forensics Triage in Windows SystemsA Novel Methodology for Offline Forensics Triage in Windows Systems
A Novel Methodology for Offline Forensics Triage in Windows Systems
 
Examining computer and evidence collection
Examining computer and evidence collectionExamining computer and evidence collection
Examining computer and evidence collection
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic Methodologies
 

CYB624 Final Case: Evidence Links Suspect to Smuggling Sea Monkeys

  • 1. Final: WK8 Course Name: CYB624 Professor: Tony DeSarro Date: 10/17/2014 Examiner Name: Raymond Gonzales
  • 2. Page 2 of 15 Table of Contents List of Illustrative Materials............................................................................................................ 3 Tables.......................................................................................................................................... 3 Figures......................................................................................................................................... 3 Executive Summary........................................................................................................................ 4 Background ................................................................................................................................. 4 Request........................................................................................................................................ 4 Summary of Findings.................................................................................................................. 4 Evidence...................................................................................................................................... 5 Collection and Analysis .................................................................................................................. 6 Collection.................................................................................................................................... 6 Analysis....................................................................................................................................... 6 Conclusion .................................................................................................................................... 12 Appendix....................................................................................................................................... 
13 Appendix A: Examiner Workstation Specifications ................................................................. 13 Appendix B: Tools.................................................................................................................... 14 Appendix C: Evidence Verification.......................................................................................... 15
  • 3. Page 3 of 15 List of Illustrative Materials Tables Table 1: Case evidence items.......................................................................................................... 5 Table 2: Suspect’s timeline of suspicious Internet browsing activities .......................................... 7 Table 3: Evidence verification table ............................................................................................. 15 Figures Figure 1: Processed Internet Browsing Records............................................................................. 7 Figure 2: Mountain Standard Time (UTC -7)................................................................................. 7 Figure 3: Fully Expanded Yahoo Folder Tree ................................................................................ 8 Figure 4: Retrieved Yahoo IM Conversation.................................................................................. 8 Figure 5: Unusual Discoloration within the Eagle Image............................................................... 9 Figure 6: Hidden message within the .gif file ................................................................................. 9 Figure 7: Shipment Information within the locked BillsFile.doc file ........................................... 10 Figure 8: Packet of Sea-Monkeys ................................................................................................. 11 Figure 9: Sea-Monkey Aquarium ................................................................................................. 11
Executive Summary

Background

Law enforcement officials, acting on a tip, open an investigation into the illegal smuggling of wild animals into the country. A search of several boxes recently shipped to the suspect’s house reveals toys and statues, but no evidence of animals. The suspect does not own a computer, but has a USB drive in his possession, which is seized. A search of a P.O. Box used by the suspect yields a scrap of paper with the words “in the eagles” on it. The DA requested that a copy of the contents of the USB drive be placed in a zip file and made available for download via the Engage website.

Request

The District Attorney (D.A.), Miguel Prado, has requested that the examiner analyze the contents of the suspect’s imaged USB drive for evidence connecting the suspect to the illegal smuggling of wild animals into the country. The D.A. is interested in evidence identifying: the animals being smuggled into the country; where the cargo was hidden; where the containers were purchased; the exact date, time, and time zone of the container purchase; the seller’s EBay user account name; any chat sessions between the seller and buyer; and any evidence proving that digital data was altered or destroyed by the user. The D.A. has also requested that the examiner provide a recommended plan for identifying the true identity of the EBay seller.

Summary of Findings

As requested by the D.A., the examiner performed a forensic analysis of the files contained within the suspect’s USB image. Using various forensic methods and tools, the examiner identified the evidence requested by the District Attorney.

The examiner identified that the suspect visited the EBay website on 4/25/2007 at 9:17 AM MST and purchased a set of NFL Eagles bobble heads from a seller using the EBay user ID “psa-looker.” Within the files on the USB image the examiner located a conversation from 4/26/2007 between the suspect and the seller about the status of the order and how the suspect could locate the order details. The examiner analyzed the remaining files within the USB image and identified Sea-Monkeys as the animals being smuggled inside the bobble heads purchased on EBay. No actual evidence was found on the suspect’s USB image connecting the suspect to the altering or destroying of any digital data on the USB device. However, the examiner located suspicious browsing activity on the “Metasploit” website and a suspicious executable named “timestomp.exe” on the suspect’s USB image. Timestomp.exe is a known tool used by penetration testers and hackers to conceal their actions from digital forensic investigators by altering the MAC (modified, accessed, created) dates and times of files on a system.
The examiner recommends that the suspect’s EBay user account be confiscated by the FBI in order to set up a sting operation that will expose the real identity of “psa-looker.” With the assistance of the forensic investigator, the FBI can use the suspect’s EBay account to interact with the seller and gather more intelligence on the seller. With proper coordination between both parties, the identity of “psa-looker” can be revealed and the criminal brought to justice.

Evidence

Table 1 outlines the evidence items of this case.

Description       | Designation       | Filename                              | MD5 Hash
Evidence Provided | Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Evidence Created  | Working Copy      | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Evidence Examined | Working Copy      | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603
Table 1: Case evidence items
Collection and Analysis

Collection

On 10/17/2014, a file named “CYB624-WK8-Final_Assignment_Files.zip” was provided to the examiner for analysis via the Engage website. The examiner downloaded and saved the file onto a formatted external storage device, a Maxtor OneTouch 4 Mini (SN: 2HASD0QQ), and designated this device as the preservation copy. The examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the preservation copy drive using WinMD5 v1.20 and confirmed that the hash value matched the MD5 hash value provided on the Engage website. Using the copy-and-paste function in Windows, the examiner copied the CYB624-WK8-Final_Assignment_Files.zip file from the preservation copy drive onto the desktop of a Toshiba Satellite C55-B (SN: 6E095367P) and designated this copy as the working copy. With write protection enabled, the examiner hashed the CYB624-WK8-Final_Assignment_Files.zip image stored on the examiner’s machine using WinMD5 v1.20 and confirmed that the hash values of the preservation and working copies matched.

Analysis

With write protection enabled, the working copy (CYB624-WK8-Final_Assignment_Files.zip) on the examiner’s machine was used for forensic analysis. The zip file was opened on the examiner’s machine and a folder named “CYB624-WK8-Final_Assignment_Files” was created on the desktop. The directories and files within the zip file were then exported into that folder. The examiner opened the desktop folder titled CYB624-WK8-Final_Assignment_Files in order to verify that all of the evidence had been successfully transferred from the .zip file into the specified folder.
The examiner noticed that two evidence files, Thumbs.db and timestomp.exe, were not visible within the CYB624-WK8-Final_Assignment_Files folder. The examiner opened the Control Panel on the examiner’s machine, navigated to the folder settings and selected the folder options. The option “Show hidden files, folders, and drives” was selected and “Hide protected operating system files” was deselected in order to display the remaining evidence files.

The D.A. requested that the examiner analyze the suspect’s USB files for evidence confirming what kind of containers were being used to smuggle the animals and where those containers were being purchased. The D.A. is also interested in the exact date, time, and time zone at which the suspect purchased the containers from the vendor. The examiner opened Net Analysis v1.57, loaded the directory folder titled “PortableApps” into the tool, and instructed the tool to search the entire directory for Internet browsing history files. Net Analysis located the only browsing history file within the PortableApps directory and began to process it, as seen in figure 1.
Figure 1: Processed Internet Browsing Records

Once the data was processed, Net Analysis displayed the suspect’s Internet browsing history. Using the tool’s capabilities, the examiner identified the suspect’s time zone as UTC -7, or Mountain Standard Time (MST), as seen in figure 2.

Figure 2: Mountain Standard Time (UTC -7)

Using the filtering capability of Net Analysis, the examiner sorted the browsing history by date and time in descending order, then analyzed the suspect’s browsing history line by line in order to build a timeline of suspicious activities and to locate the purchase information requested by the District Attorney. Table 2 outlines the suspect’s timeline of suspicious Internet browsing activities.

Date      | Time             | Activity                                                                                                                                                 | Notes
4/25/2007 | 8:42 AM MST      | Suspect first accesses the EBay website                                                                                                                  |
4/25/2007 | 9:07-9:09 AM MST | The suspect accesses the Metasploit website and performs research on the anti-forensic tool timestomp.exe                                                | Timestomp.exe was one of the files identified on the suspect’s USB
4/25/2007 | 9:17 AM MST      | The suspect’s last browsing activities consist of browsing the EBay website and purchasing a Donovan McNabb road player set figure sold by the EBay seller “psa-looker” | The item browsed, the EBay seller ID, and the purchase information are all identified within the Internet browsing data
Table 2: Suspect’s timeline of suspicious Internet browsing activities
The examiner was requested by the D.A. to examine the suspect’s USB files for any saved Yahoo chat conversations. If Yahoo chat conversations were discovered on the suspect’s USB, the D.A. is interested in knowing what was said in them. The examiner opened the Forensic Tool Kit (FTK) v1.81.5 Demo and created a new case titled “CYB624_Wk8/ Case 008” for processing the data located in the Yahoo folder. The examiner configured FTK to process the data for: MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports. The examiner loaded the Yahoo folder as evidence into FTK and processed it. Once the Yahoo data was processed, the examiner began analysis of the processed data. The examiner fully expanded the directory tree of the Yahoo folder within FTK in order to reach the processed data in the folder titled “exoticnillegal”, as seen in figure 3.

Figure 3: Fully Expanded Yahoo Folder Tree

Contained within the “exoticnillegal” folder was a file holding the saved record of a Yahoo IM conversation that occurred on 4/26/2007 between the seller and the suspect, as seen in figure 4.

Figure 4: Retrieved Yahoo IM Conversation

In the Yahoo IM conversation between the suspect (uc356z) and the seller (psa-looker), the seller sent the suspect pictures confirming the purchase order of the illegal animals. The seller explained that the suspect would be receiving two files: one containing the details of the shipment, the other containing a key that would unlock the protected document. The seller gave the suspect the hint that the key would be located “in the eagle.”

Using the information gained from the Yahoo IM conversation, the examiner opened the .gif file titled “Birds2” located on the image of the suspect’s USB. The Bird2.gif file contained an image of a bald eagle with unusual discoloration, as seen in figure 5.

Figure 5: Unusual Discoloration within the Eagle Image

Slight abnormalities in color and pixelation in an image are usually signs that the raw data of the image has been modified from its original state. The examiner opened WinHex v17.9 on the examiner’s machine to investigate the suspicious .gif image further. In the ASCII column of the hex editor the examiner identified the hidden message “password Imabadguy”, as seen in figure 6. The raw data of the .gif file had been altered from hex offset 240 through hex offset 251 in order to insert the hidden key.

Figure 6: Hidden message within the .gif file

Having found the hidden password within the .gif file of the eagle, the examiner opened the .doc file titled “BillsFile.” As expected, a pop-up window appeared asking for a password when the document was opened. The examiner entered the extracted password “Imabadguy” into the pop-up window and the file opened. The password-protected document contained a note saying, “Your order shipped today via FedEx. You will find the cargo inside the items below.” An image of a set of Philadelphia Eagles bobble heads was attached within the file along with the seller’s EBay user ID (psa-looker), as seen in figure 7.

Figure 7: Shipment Information within the locked BillsFile.doc file

The examiner then analyzed the last remaining files within the suspect’s USB drive image. The suspect’s file titled “Thumbs.db” is a Windows thumbnail cache file containing information about images that were downloaded by the suspect. The examiner opened FTK v1.81.5 Demo and created a new case titled “CYB624_Wk8/ Thumbs” for processing the data located in the Thumbs.db file, configured with the same processing options as before (MD5, Full Text Index, Store Thumbnails, File Listing Database, HTML File Listing, Data Carve, and Registry Reports). The examiner loaded the Thumbs.db file into FTK and processed it. Once the Thumbs.db file was processed, the examiner analyzed the processed data and extracted three images from it, one being Bird2.gif. The remaining two images extracted from the .db file were the files that the seller sent to the buyer during their Yahoo IM conversation. The images in figures 8 and 9 identify the illegal animals being shipped in the Philadelphia Eagles bobble heads as Sea-Monkeys.

Figure 8: Packet of Sea-Monkeys

Figure 9: Sea-Monkey Aquarium

The D.A. requested that the examiner provide evidence confirming or denying the suspicion that the suspect altered or deleted digital evidence on the USB device. Throughout the entire forensic investigation of the suspect’s USB device, the examiner was only able to identify suspicious behaviors within the suspect’s USB files. The examiner identified that the suspect had the anti-forensic tool timestomp.exe saved on the USB device. Timestomp is a known anti-forensic tool, used primarily by penetration testers and hackers to mask the changes they make to a system by altering file timestamps. The second suspicious behavior was found during analysis of the suspect’s browsing history: the suspect had visited the Metasploit website, which distributed timestomp, and researched that anti-forensic tool. Neither of these suspicious activities provides solid evidence that the suspect altered or deleted digital evidence on the USB device.

Lastly, the examiner was requested by the D.A. to provide a recommended plan of action for identifying the true identity of psa-looker. The examiner recommends that a joint task force consisting of the FBI and a group of forensic investigators work together to identify psa-looker and bring the criminal to justice. The examiner recommends that the suspect’s EBay user account be confiscated by this joint task force and that a sting operation be planned to expose the real identity of psa-looker. With the FBI and the forensic team working together, a methodical and tactical plan of controlled interactions from the suspect’s account can yield intelligence on the real identity of psa-looker and ultimately bring the criminal to justice.
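The hidden key in the eagle .gif above was found by reading the ASCII column of a hex editor at offsets 0x240 through 0x251. The following Python script is an added illustration, not part of the examiner's report or toolset: it automates that check by scanning a file for runs of printable ASCII and reporting their hex offsets, and the GIF bytes it scans are constructed inline to reproduce the offsets the report cites.

```python
import string

# Printable ASCII as a hex editor's ASCII column would render it
# (letters, digits, punctuation and the space character; no control bytes).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_ascii_runs(data: bytes, min_len: int = 8):
    """Return (start, end, text) for every run of at least min_len printable
    bytes. Offsets are inclusive, so a hit reads like the report's own
    description: the first and last byte of the altered region."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            runs.append((start, i - 1, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - 1, data[start:].decode("ascii")))
    return runs


def describe_runs(runs):
    """Format hits as 'hex-start-hex-end: text' lines for a report."""
    return [f"0x{s:X}-0x{e:X}: {t}" for s, e, t in runs]


def build_sample_gif() -> bytes:
    """Constructed sample, not the evidence file: a GIF89a header and screen
    descriptor, non-printable filler, and the string the report describes
    written over offsets 0x240 through 0x251, followed by the GIF trailer."""
    header = b"GIF89a" + bytes([0x40, 0x01, 0xF0, 0x00, 0xF7, 0x00, 0x00])
    filler = b"\x00\xff\x80\x7f" * 200           # no printable bytes at all
    body = bytearray(header + filler)
    secret = b"password Imabadguy"               # 18 bytes: 0x240..0x251
    body[0x240:0x240 + len(secret)] = secret
    body += b"\x3b"                               # GIF trailer byte
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample_gif()
    for line in describe_runs(find_ascii_runs(sample)):
        print(line)                               # 0x240-0x251: password Imabadguy
```

A real GIF also carries short legitimate printable runs (the signature, comment extensions), so each hit is a lead to confirm in the hex editor, as the examiner did, not a finding in itself.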
Conclusion

Miguel Prado, the District Attorney, requested that the examiner analyze the imaged files of the suspect’s USB device and identify evidence connecting the suspect to the illegal smuggling of exotic animals into the country. The D.A. is interested in specific details relating to: what animals are being smuggled into the country; where the animals are being hidden; where the containers for the illegal animals are being purchased; the seller’s EBay user account name; the exact date, time, and time zone of the container purchase; evidence of any Yahoo conversations; and any evidence that digital data has been altered or destroyed by the user. The D.A. also requested that the examiner provide recommendations on how the true identity of the seller can be discovered.

The examiner analyzed the USB files using a variety of forensic investigation techniques and tools. The examiner identified evidence showing that the suspect used the EBay website to purchase a Donovan McNabb NFL Eagles Road-Player Set bobble head doll from a seller with the EBay user account “psa-looker” on 4/25/2007 at 9:17 AM (UTC -7 or MST). Further evidence shows that the bobble head containers purchased on EBay from “psa-looker” were to be used to smuggle Sea-Monkeys into the country. The USB data from the Yahoo folder provided a record of a previous Yahoo IM conversation between the buyer and the seller discussing the details of the shipment. Images of the Sea-Monkeys were sent to the buyer during that Yahoo IM conversation in order to confirm the suspect’s purchase. Throughout the entire forensic investigation of the suspect’s USB device the examiner was only able to identify suspicious activities relating to the altering or deleting of data on the USB device; the examiner never identified any actual evidence proving that the suspect had altered or deleted digital data from the USB device. The examiner recommends to the D.A. that a joint operation be conducted between the forensic investigators and law enforcement in order to develop a plan to identify the true identity of psa-looker and bring the criminal to justice.
Appendix

Appendix A: Examiner Workstation Specifications

- Computer Name: SonGoku
- Operating System (OS) Name: Windows
- OS Version: Windows 8.1
- System Make/Model: Toshiba Satellite C55-B
- System Serial Number: 6E095367P
- Time Zone of Examiner Machine: Pacific Standard Time (PST)
Appendix B: Tools

- WinMD5Free v1.20
- WinHex v17.9
- FTK v1.81.5
- Net Analysis v1.57
Appendix C: Evidence Verification

Table 3 outlines the hashes obtained throughout the evidence verification process. WinMD5 v1.20 was used to calculate MD5 hashes.

Designation       | Filename                              | MD5 Hash                         | Description
PRE-ANALYSIS      |                                       |                                  |
Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Image file of suspect’s USB device. Downloaded from Engage.
Working Copy      | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Working copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.
POST-ANALYSIS     |                                       |                                  |
Preservation Copy | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Image file of suspect’s USB device. Downloaded from Engage.
Working Copy      | CYB624-WK8-Final_Assignment_Files.zip | 4864D6EDC2309692CAF9DB101961A603 | Working copy of suspect’s USB device created from the Preservation Copy. This copy was analyzed.
Table 3: Evidence verification table
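The Collection section and Table 3 describe hashing the preservation and working copies before and after analysis and checking both against the hash published with the evidence. The Python below is an added example of that verification chain, not the examiner's tooling (the report used WinMD5): the file names and bytes it hashes are constructed stand-ins, and only the published MD5 value is taken from the tables.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 published with the evidence package, as recorded in Tables 1 and 3.
PROVIDED_MD5 = "4864D6EDC2309692CAF9DB101961A603"


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory buffer as upper-case hex, the format used in the tables."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, streamed in chunks so a large image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_stage(stage: str, preservation_md5: str, working_md5: str,
                 provided_md5: str = PROVIDED_MD5) -> dict:
    """One row of the verification table. A stage verifies only if the
    preservation copy, the working copy and the published hash all agree;
    comparison ignores case and stray whitespace."""
    p, w, e = (x.strip().upper() for x in (preservation_md5, working_md5, provided_md5))
    return {"stage": stage, "preservation_copy": p, "working_copy": w,
            "verified": p == w == e}


def chain_intact(rows) -> bool:
    """True only if every stage verified and the hash never changed between
    stages (a PRE-ANALYSIS / POST-ANALYSIS difference would mean the copy
    was modified during examination)."""
    if not rows or not all(r["verified"] for r in rows):
        return False
    return len({r["preservation_copy"] for r in rows}) == 1


if __name__ == "__main__":
    # Constructed stand-in for the evidence zip: the same bytes written to two files,
    # one playing the preservation copy and one the working copy.
    with tempfile.TemporaryDirectory() as tmp:
        data = b"constructed stand-in for CYB624-WK8-Final_Assignment_Files.zip"
        pres = Path(tmp, "preservation", "evidence.zip")
        work = Path(tmp, "working", "evidence.zip")
        for copy in (pres, work):
            copy.parent.mkdir()
            copy.write_bytes(data)
        published = md5_of_file(pres)   # stands in for the hash published with the evidence
        rows = [verify_stage("PRE-ANALYSIS", md5_of_file(pres), md5_of_file(work), published)]
        # ... read-only analysis of the working copy happens here ...
        rows.append(verify_stage("POST-ANALYSIS", md5_of_file(pres), md5_of_file(work), published))
        for r in rows:
            status = "OK" if r["verified"] else "MISMATCH"
            print(f"{r['stage']:<14} {r['preservation_copy']} {r['working_copy']} {status}")
        print("evidence chain intact:", chain_intact(rows))
```

MD5 is adequate for detecting accidental change between stages; where the concern is deliberate tampering, record a SHA-256 alongside it, since MD5 collisions are practical.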