Description
Detailed Assignment Description for Forensic Report #2
The purpose of this assignment is to determine if you can
- Properly process and handle evidence for a case and perform other case management functions
- Comply with laws, regulations, policies, procedures, and ethical constraints which apply to a case
- Develop and document a minimum set of policies and procedures required for the professional practice of digital forensics. (See report outline.)
- Select and use appropriate digital forensics tools
- Process an evidence drive by using a forensic tool to view and analyze partitions, folders, and files to answer questions posed by a client and to identify additional questions that should be asked
- Recover and analyze specific file types and contents
- Email files
- Encrypted or password protected files
- Internet Explorer cache files
- MS Office documents, spreadsheets, and presentations (including metadata)
- Windows Registry files
- Text files
- Other file types as found in the image
- Perform keyword driven searches to identify files and other digital artifacts of forensic interest to the case
- Perform file carving to recover orphaned files and then identify which carved files contain information of forensic interest to the case.
- Properly recover and handle contraband (adult and child pornography, evidence related to narcotics)
- Write a reasonably professional comprehensive (full) report of a forensic examination
Required Deliverables:
- Forensic Report #2 File containing:
- Transmittal Letter
- Delivery Package Inventory
- Forensic Report (Full) and all appendices
- Chain of Custody Document
- List of MD5 Hash Values for all files submitted for this assignment
CMIT 424 Forensic Report #2
Scenario
James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), contacted you to request additional assistance in handling a sensitive matter regarding the unexpected resignation of a senior employee of his company. In your previous investigation, you learned that Mr. Randell had become concerned about an employee’s resignation after receiving a report that Mr. George Dean (also known as Jeorge Dean), the company’s Assistant Chief Security Officer, left a voice mail tendering his resignation effective immediately.
After agreeing to accept this case, you met face to face with Mr. Randell and Mr. Singh at the PAGS offices in Rockville, MD. At that meeting you executed (signed) an investigation agreement (contract) and received a sealed envelope from Mr. Singh which contained a USB drive. The original copy of Mr. Dean’s signed employment agreement was provided for your inspection by Mr. Singh, but you were not allowed to take a copy with you.
During your meeting with the client, Mr. Randell, and the head of HR, Mr. Singh, you also learned that:
- PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries, due to their involvement as security consultants to the gaming commissioners.
- Before starting work, each employee must sign an employment agreement which includes:
  - Acceptance of restrictions on personal activities (no gambling or gaming in any form);
  - Consent to search and monitoring of computers, media, and communications used by the employee in the performance of his or her duties for the company.
- Immediately before his departure, Mr. Dean was using a company issued laptop in the office as a temporary replacement for his workstation; an empty soft-sided laptop case was found under Mr. Dean’s desk, but the company issued laptop was not found in the office.
- Mr. Dean’s company provided workstation was sent out for repair earlier in the week; the repair ticket listed repeated operating system crashes as the primary symptom. The IT Support Center reported that the workstation had been infected with a “nasty rootkit” which required a complete wipe and reload of the hard disk (operating system and software applications).
- The IT Support technician, Ms. Valentina Reyes, has already re-imaged the hard drive for Mr. Dean’s workstation. Per company standard practice, she saved a copy of Mr. Dean’s profile (entire directory) and the user registry file. Ms. Reyes copied the user profile from Mr. Dean’s workstation hard drive to a USB which she provided to Mr. Singh at his request. This USB was placed in a sealed envelope by Mr. Singh.
Your contract with PAGS directs that you examine the contents of the entire USB drive and then prepare a report. The client wants to know if there is any indication of any activities by any persons which would violate the company’s employment agreement (see item #2 above). In addition to your report, you are also required to provide copies of files and information of forensic interest which were recovered by you from the USB drive.
Notes for the Student:
1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image. The file information, however, should be reported, i.e., file name, file location, and relevant metadata such as MD5 hash, creation, last written, and last accessed dates.
2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.
3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.
4. For the purposes of this assignment, you (the student) are acting in the role of “forensic examiner.” In the grading rubric, actions attributed to “the examiner” are actions that you should (or should not) have taken.
5. You should use any and all information provided in the detailed assignment description for Forensic Report #1 and the results of your examination of the evidence as reported in Forensic Report #1.
6. Use the following case naming and evidence numbering conventions:
- Case Names: PAGS01 (Forensic Report #1) and PAGS03 (Forensic Report #2)
- Evidence Labels: PAGS01_USB and PAGS03_USB
Acquisition / Forensic Imaging Report (USB)
Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using DCFLDD’s verify file command (sudo dcfldd vf=/dev/sdx pattern=00, where sdx is the drive designator for the USB), which compares every byte of the device against the all-zero pattern.
Imaging operation was performed using FTK Imager.
Note: for your forensic report, you must determine whether or not you will report the imaging operation as onsite or in-lab. In both cases, your chain of custody should show transfer of a USB containing the evidence from the PAGS premises to your forensic lab location. If you perform the imaging operation onsite, you will report that you immediately returned the original media (USB from sealed envelope) to Mr. Singh.
--------------------------------------------------------------
Created By AccessData® FTK® Imager 3.2.0.0
Case Information:
Acquired using: ADI3.2.0.0
Case Number: PAGS03
Evidence Number: PAGS03
Unique description: vmdk
Examiner: Instructor
Notes:
--------------------------------------------------------------
Information for C:\CMIT424\PAGS03\PAGS03_12162014:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Bytes per Sector: 512
Sector Count: 20,971,520
[Image]
Image Type: Raw (dd)
Source data size: 10240 MB
Sector count: 20971520
[Computed Hashes]
MD5 checksum: f311a2152887024bdd0b9155b94c4db6
SHA1 checksum: af6c44766b188ece5ff5d91677e8adf11168a61e
Image Information:
Acquisition started: Tue Dec 16 17:08:13 2014
Acquisition finished: Tue Dec 16 17:13:42 2014
Segment list:
C:\CMIT424\PAGS03\PAGS03_12162014.E01
Image Verification Results:
Verification started: Tue Dec 16 17:13:44 2014
Verification finished: Tue Dec 16 17:15:52 2014
MD5 checksum: f311a2152887024bdd0b9155b94c4db6 : verified
SHA1 checksum: af6c44766b188ece5ff5d91677e8adf11168a61e : verified
Examination of the Evidence (Procedure) for Forensic Report #2
Before You Begin:
- Locate the forensic image file(s) on the share drive in the VDA (H:\Lab Resources\Resources\FR2). This is your evidence file and should be treated as if it were stored on a physical USB that you can move from place to place.
- Download and review the outline for the full forensic report with the pre-inserted additional documentation (Transmittal Letter & Delivery Package Inventory). Take particular note of the appendices and additional required information (Policies, Glossary, Equipment / Software list, etc.). You can use the glossary from the previous FR1 template.
- Download and review the chain of custody form. This file is stored in LEO Week 1 Content.
Note: the Delivery Package Inventory lists the files the examiner has created and is delivering to the client. It is NOT a listing of the evidence files.
Utilize the reporting features of the forensic applications (example: bookmarks) but bear in mind that automated reports do not replace the final forensic report. Use this information, however, to enhance your report in the form of addendums or by inserting relevant information into the report template to illustrate/justify your findings.
Examination Procedure:
- To begin, start a chain of custody document for this case. List the E01 files by evidence tag number (which you should assign, or use the file name without the extension) and put the file name in the description column. Include the MD5 hash value for the E01 file. Remember to record the transfer of the USB from the PAGS location to your forensic lab. You should also record that you put the evidence media in a SAFE (for “safe keeping”).
- Remember to record the movement of the USB from your safe to your lab “for examination.” (From here on in the procedures, it is assumed that you understand when and how to make appropriate entries in the chain of custody.)
- Launch the forensic tool (software application) that you will use to process your case.
- Create or Open your case
- Add the forensic image file to your case.
- Review the files and folders found in the case.
- Analyze your recovered files to find answers to the questions presented in the Scenario document for this assignment. Make sure that you keep track of which files support your answers.
- Export an inventory listing of the forensically interesting files which you will address in the body of your report and prepare the screen snapshots which you will include in Appendix A of your report. (For the purposes of this assignment, you do not need to include the actual files in your assignment submission.) Include your inventory listing as a table in Appendix A.
- Prepare a Full Forensic Report in which you present a summary of your forensic processing and your findings (answers to the scenario questions). Typically this report ranges from 12-25 pages.
- Crop and compress any screen snapshots included in your forensic report to reduce the total size of your report file.
- Compute and report MD5 hash values for all files being submitted as part of your assignment. Include the list of filenames and hash values in the comments section of your assignment submission. Alternatively, you may include these in an attached text file.
- Attach your forensic report, your transmittal letter, your delivery package inventory, and your chain of custody document to the assignment for Forensic Report #2 and submit it for grading.
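The procedure above asks for the MD5 of the E01 file in the chain of custody and for MD5 values of every file in the delivery package. The following script is an added example (not part of the course handout or any tool it names) that streams each file through MD5 and SHA1, renders the hash list as a table for the Delivery Package Inventory, and checks a file against a previously recorded hash; the sample files it creates are constructed stand-ins for the report and letter.

```python
# Added example: hash a delivery package and verify a recorded hash.
# Not part of the assignment materials; file names below are constructed samples.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a 10 GB image never sits in memory


def hash_file(path):
    """Return (md5_hex, sha1_hex) for one file, streamed block by block."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_package(directory):
    """Hash every regular file in the package; sorted so the list is reproducible."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            md5, sha1 = hash_file(path)
            rows.append((name, md5, sha1))
    return rows


def verify_against_record(path, recorded_md5):
    """Compare a file's MD5 with the value recorded earlier (e.g. in the chain
    of custody). Hex digests compare case-insensitively; FTK Imager prints lowercase."""
    md5, _ = hash_file(path)
    return md5 == recorded_md5.strip().lower()


def format_inventory(rows):
    """Render the hash list as a fixed-width table for the delivery package inventory."""
    lines = ["%-34s %-32s %s" % ("File", "MD5", "SHA1")]
    for name, md5, sha1 in rows:
        lines.append("%-34s %s %s" % (name, md5, sha1))
    return "\n".join(lines)


def demo():
    """Constructed sample package: two small files standing in for deliverables."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "PAGS03_Forensic_Report.txt"), "wb") as fh:
        fh.write(b"Forensic Report #2 - sample\n")
    with open(os.path.join(d, "PAGS03_Transmittal_Letter.txt"), "wb") as fh:
        fh.write(b"Transmittal letter - sample\n")
    rows = hash_package(d)
    # Re-check the first file against the MD5 just recorded for it.
    ok = verify_against_record(os.path.join(d, rows[0][0]), rows[0][1])
    return rows, ok


if __name__ == "__main__":
    rows, ok = demo()
    print(format_inventory(rows))
    print("verification:", "passed" if ok else "FAILED")
```

Run it against the folder holding the report, transmittal letter, inventory and chain of custody form, and paste the table into the submission comments; the same `verify_against_record` check applies to the E01 file each time it leaves the safe.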
Grading Information for Forensic Report #2
The rubric for this assignment is attached to the assignment folder entry. The information below provides additional information about content and format requirements. This assignment is graded on a 100 point basis and is worth 15% of the final course grade.
Formatting Note:
Comprehensive forensic reports are written in narrative format. You should use a professional layout for your pages. APA style compliance is not required, but you may find that the APA formatting guidelines are appropriate and provide a professional appearance for fonts, margins, sections, paragraphs, etc.
Outline / Required Content Items:
The paragraph below each item lists the full performance or “A” level requirements for that item.
1. Overview of the Case (10 points)
Provided an overview section that contains an excellent summary of the case. The overview appropriately used information from the scenario. Clearly identified and accurately phrased the case questions.
2. Summary of Findings (10 points)
Provided an excellent summary of the examiner’s findings at or near the beginning of the report. Clearly and accurately summarized the findings related to each case question. Provided clear and concise answers to the case questions.
3. Case Management and Evidence Handling (10 points)
Demonstrated excellence in the handling, management, and documentation of the case. Submission included evidence tagging/labeling, transfer of evidence between the client and the examiner, full provenance of the evidence (as known to the examiner), chain of custody documentation, delivery package inventory, transmittal letter, and hand receipts.
4. Client interview and Onsite examination (5 points)
Provided an excellent, thorough report detailing the conduct of a client interview and all information obtained through direct questions of the individuals who were involved or had knowledge of the incident or evidence. Correctly executed and reported upon the onsite examination (if any). Reporting includes properly labeled pictures or images of the site and all evidence.
5. Evidence Acquisition and Imaging (5 points)
Report correctly explains how the forensic duplicates of the original evidence were created (or explains how this would have been done in cases where an E01 file was provided for the examination). The report includes an appendix which provides an understandable policy which governs the acquisition and forensic imaging of evidence. The policy includes requirements for wiping media (forensic sterilization) prior to use for duplication.
6. Physical and Logical Analysis of the Evidence (10 points)
Report provides an excellent (correct and thorough) explanation of how the examiner analyzed the structure of the physical and logical media. Provides pictures, measurements, and descriptions of the physical media. Provides a logical analysis which includes partition types, file system types, partition names. Analysis included MBR or BPB or VBR, partitioning, root directory structure, and evidence of wiping / formatting (if any). Provides information about file systems contained within partitions (name, type, etc.).
7. Files and Folders: Recovery and Analysis (20 points)
Conducted and reported upon a thorough and procedurally correct examination of active and deleted files and folders in all partitions. Identifies, recovers, and presents important files which provide answers to case questions or otherwise support the examiner’s findings. Examination report includes discussion of findings related to the following:
- Email files
- Encrypted or password protected files
- Internet Explorer cache files
- MS Office documents, spreadsheets, and presentations (including metadata)
- Windows Registry files
- Text files
- Other file types as found in the image
8. File Carving, Keyword Searches, Password Recovery, and Recovery of Hidden Text or Messages (10 points)
Conducted and reported upon a thorough and procedurally correct examination of the media which included recovery of files and contents thereof through file carving, password recovery, locating and recovering hidden messages or hidden information. Conducted appropriate keyword searches and reported upon both positive and negative results for all of the above.
9. Policies, Procedures, Ethics Compliance (10 points)
Demonstrates excellence in compliance with ethical and procedural requirements for the conduct of forensics examinations. Report package includes correct and appropriate statements showing ethical use of software and hardware (licensing / authorized use / anti-virus protection). Provided 3 or more policy statements regarding compliance with standard practices, e.g. wiping media, evidence tagging, transfer of evidence, etc. Provided a glossary and bibliography. Provided a brief resume showing examiner’s experience and credentials.
10. Professionalism (10 points)
Submitted work shows outstanding organization, and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type. No formatting, grammar, spelling, or punctuation errors. Appropriately uses footnotes or end notes (or another form of citation).