
Week 8 Investigating images using Linux forensic tools

The week 8 module project concludes the cyber forensics module by re-investigating the SANS SIFT example images using
Linux forensic tools. Windows keeps most user and system activity, as well as configuration, in the Windows Registry,
so extracting information from the registry provides the examiner with valuable evidence. In this case we use the
RegRipper tool with its plugins to fetch Windows operating system and user information.

A successful forensic analysis may follow the steps below during image investigation.

1- Complete the administrative steps: review the policies and procedures, confirm the chain of custody, fill in the
evidence collection form, and fill in the consent form.
2- Work plan: review policies and laws; form an understanding of the background, requirements, and deliverables; then
create the work analysis plan and the investigation plan.
3- Set up the case folder: evidence file information such as case number, custodian name, media type, and logs.
4- Confirm image integrity.
5- Pre-analysis procedures: mount the image and gather system information.
6- Analysis process: gather timeline, passion, time, research, and resources.
7- Interpretation and review of artifacts.
8- Reporting.

Preliminary analysis

Checking the image file information using the following command:

# file cfreds_2015_data_leakage_pc.dd

The image contains Windows 7 operating system.

Explore image partitions information using the following command:

# mmls cfreds_2015_data_leakage_pc.dd
or:
# sudo parted cfreds_2015_data_leakage_pc.dd 'unit B print'

Cyber Forensics – Module 6 Week 8 Individual Assignment Page 1 of 48


Mount the 20 GB partition that contains the Windows 7 root directories for analysis using the following commands.

To determine the byte offset of the partition, multiply its starting sector by the sector size (512 bytes). In this
case the Windows 7 partition starts at sector 206848, so the required offset is 206848 x 512 = 105906176.

# sudo mount -t ntfs -o offset=105906176 cfreds_2015_data_leakage_pc.dd /mnt/win7dd2
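The offset arithmetic above can be automated from the mmls output itself. The following Python script is an added example, not part of the assignment: it parses a constructed mmls listing that mirrors the two-partition layout described here (sector size taken from the "Units are in 512-byte sectors" header), computes each partition's byte offset and size, and builds the mount command. It assumes the sector size mmls reports and adds `ro,noexec` to the mount options, which the write-up's own command does not include; mounting read-only keeps the evidence unchanged while it is examined.

```python
import re

# Constructed sample of mmls output for the two-partition layout the
# write-up describes (a 100 MB system partition followed by the Windows 7
# volume starting at sector 206848); it was not captured from the image.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS (0x07)
"""

SECTOR_RE = re.compile(r"Units are in (\d+)-byte sectors")
ROW_RE = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """Parse mmls output into (sector_size, partitions).

    Each partition is a dict with start/end/length in sectors, the byte
    offset to hand to mount, its size in MiB and the mmls description.
    Partition-table metadata rows and unallocated gaps are skipped.
    """
    match = SECTOR_RE.search(text)
    sector_size = int(match.group(1)) if match else 512
    partitions = []
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        slot, start, end, length, desc = row.groups()
        if slot == "Meta" or slot.startswith("---"):
            continue
        start, end, length = int(start), int(end), int(length)
        partitions.append({
            "slot": slot,
            "start": start,
            "end": end,
            "length": length,
            "offset": start * sector_size,
            "size_mib": length * sector_size // (1024 * 1024),
            "desc": desc.strip(),
        })
    return sector_size, partitions


def largest_partition(partitions):
    """The OS volume is normally the largest NTFS partition."""
    return max(partitions, key=lambda p: p["length"])


def mount_command(image, partition, mountpoint):
    """Build the mount command for one partition.

    ro and noexec are added so the evidence cannot be modified while it
    is examined; the assignment's own command mounts without them.
    """
    return (f"sudo mount -t ntfs -o ro,noexec,offset={partition['offset']} "
            f"{image} {mountpoint}")


if __name__ == "__main__":
    _, parts = parse_mmls(SAMPLE_MMLS)
    for part in parts:
        print(f"{part['slot']}: start sector {part['start']}, "
              f"byte offset {part['offset']}, {part['size_mib']} MiB, {part['desc']}")
    print(mount_command("cfreds_2015_data_leakage_pc.dd",
                        largest_partition(parts), "/mnt/win7dd2"))
```

For the constructed listing the second partition yields offset 105906176 and a size of 20378 MiB, matching the values reported in this write-up; on a real image, pipe the actual `mmls` output into `parse_mmls` instead of the sample.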

Browsing the partition files and folders:

# ls -l /mnt/win7dd2

Step 6: Image investigation analysis:

Question number 1:

What are the hash values (MD5 & SHA-1) of all images?
Does the acquisition and verification hash value match?

Run the following commands to verify the MD5 and SHA-1 hashes of the images against the values on the download page:

# md5sum cfreds_2015_data_leakage_pc.dd
# sha1sum cfreds_2015_data_leakage_pc.dd


Image                                    SHA-1                                      MD5
cfreds_2015_data_leakage_pc.dd           afe5c9ab487bd47a8a9856b1371c2384d44fd785   a49d1254c873808c58e6f1bcd60b5bde
cfreds_2015_data_leakage_rm#2.dd         048961a85ca3eced8cc73f1517442d31d4dca0a3   b4644902acab4583a1d0f9f1a08faa77
cfreds_2015_data_leakage_rm#3_type2.dd   471d3eedca9add872fc0708297284e1960ff44f8   858c7250183a44dd83eb706f3f178990

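Hash verification is usually scripted so that every image is hashed once and compared against the published manifest in one step. The script below is an added example, not part of the assignment: it streams each file through MD5 and SHA-1 in a single pass and reports `ok`, `MISMATCH` or `missing` per image. The expected values are the ones from the table above; `demo_verify()` builds a constructed temporary directory with a matching, an altered, and an absent file so the logic runs without the real images.

```python
import hashlib
import io
import os
import tempfile

# Expected (MD5, SHA-1) per image, copied from the write-up's results table.
EXPECTED_HASHES = {
    "cfreds_2015_data_leakage_pc.dd": (
        "a49d1254c873808c58e6f1bcd60b5bde",
        "afe5c9ab487bd47a8a9856b1371c2384d44fd785"),
    "cfreds_2015_data_leakage_rm#2.dd": (
        "b4644902acab4583a1d0f9f1a08faa77",
        "048961a85ca3eced8cc73f1517442d31d4dca0a3"),
    "cfreds_2015_data_leakage_rm#3_type2.dd": (
        "858c7250183a44dd83eb706f3f178990",
        "471d3eedca9add872fc0708297284e1960ff44f8"),
}


def hash_stream(stream, chunk_size=1 << 20):
    """Feed MD5 and SHA-1 from a single pass over the stream, so a
    multi-gigabyte image is read only once. Returns (md5, sha1) as hex."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def verify_images(directory, expected):
    """Return {image name: 'ok' | 'MISMATCH' | 'missing'}.

    Both digests must match; any mismatch means the working copy is not
    the acquired image and must not be analysed further.
    """
    results = {}
    for name, (exp_md5, exp_sha1) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        md5, sha1 = hash_file(path)
        ok = md5 == exp_md5.lower() and sha1 == exp_sha1.lower()
        results[name] = "ok" if ok else "MISMATCH"
    return results


def demo_verify():
    """Constructed stand-in for the evidence directory: one file whose
    hashes match the manifest, one altered copy, and one absent file."""
    original = b"constructed image contents"
    manifest = {
        "good.dd": hash_bytes(original),
        "altered.dd": hash_bytes(original),
        "absent.dd": hash_bytes(b"never written"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "good.dd"), "wb") as f:
            f.write(original)
        with open(os.path.join(tmp, "altered.dd"), "wb") as f:
            f.write(original + b" plus a trailing change")
        return verify_images(tmp, manifest)


if __name__ == "__main__":
    # Point this at the directory holding the .dd files to check the real images.
    for name, status in verify_images(".", EXPECTED_HASHES).items():
        print(f"{status:8} {name}")
    print(demo_verify())
```

Record the computed digests alongside the expected ones in the case notes; a later re-run of `verify_images` over the working copies is the cheapest way to show the evidence was not altered during analysis.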
Question Number 2:

Identify the partition information of the PC image.

The image has two partitions: the first is 100 MB and the second is 20,378 MB. The parted command revealed this
information:

# sudo parted cfreds_2015_data_leakage_pc.dd 'unit MiB print'

Question Number 3:

Explain the installed OS information in detail.
(OS name, install date, registered owner…)

The OS details can be fetched from the SOFTWARE, SYSTEM, and NTUSER.DAT registry hives, under the keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

HKLM\Software\Microsoft\Office\Common\UserInfo

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SOFTWARE -p winver
# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p compname
# perl rip.pl -r /mnt/win7dd2/Users/informant/NTUSER.DAT -p userinfo

OS name             Windows 7 Ultimate with Service Pack 1
Install date        22/3/2015 14:34:26
Registered owner    Iaman Informant
Computer name       INFORMANT-PC

Question Number 4:

What is the time zone setting?

The time zone setting of the system was extracted from the Windows registry using the following command:

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p timezone

The output shows a Bias of 5 hours from UTC, which places the machine in the EST time zone; the daylight-saving
adjustment is one hour. The hive holding the time zone information is SYSTEM, under the key
HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation

Question Number 5:

What is the computer name?

INFORMANT-PC

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p compname

Question Number 6:
List all accounts in the OS except the system accounts: Administrator, Guest, systemprofile, LocalService, NetworkService.
(Account name, login count, last logon date…)

User information is stored in the SAM registry hive; running the following RegRipper command reveals the user
accounts defined on the Windows system.

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SAM -p samparse

Username : informant [1000]


Full Name :
User Comment :
Account Type : Default Admin User
Account Created : Sun Mar 22 14:33:54 2015 Z
Password Hint : IAMAN
Last Login Date : Wed Mar 25 14:45:59 2015 Z
Pwd Reset Date : Sun Mar 22 14:33:54 2015 Z
Pwd Fail Date : Wed Mar 25 14:45:43 2015 Z
Login Count : 10
--> Password does not expire
--> Normal user account
--> Password not required

Username : admin11 [1001]


Full Name : admin11
User Comment :
Account Type : Default Admin User
Account Created : Sun Mar 22 15:51:54 2015 Z
Last Login Date : Sun Mar 22 15:57:02 2015 Z
Pwd Reset Date : Sun Mar 22 15:52:10 2015 Z
Pwd Fail Date : Sun Mar 22 15:53:02 2015 Z
Login Count : 2
--> Password does not expire
--> Normal user account

Username : ITechTeam [1002]


Full Name : ITechTeam
User Comment :
Account Type : Default Admin User
Account Created : Sun Mar 22 15:52:30 2015 Z
Last Login Date : Never
Pwd Reset Date : Sun Mar 22 15:52:45 2015 Z
Pwd Fail Date : Sun Mar 22 15:53:02 2015 Z
Login Count : 0
--> Password does not expire
--> Normal user account

Username : temporary [1003]


Full Name : temporary
User Comment :
Account Type : Custom Limited Acct
Account Created : Sun Mar 22 15:53:01 2015 Z
Last Login Date : Sun Mar 22 15:55:57 2015 Z
Pwd Reset Date : Sun Mar 22 15:53:11 2015 Z
Pwd Fail Date : Sun Mar 22 15:56:37 2015 Z
Login Count : 1
--> Password does not expire
--> Normal user account

Question Number 7: Who was the last user to log on to the PC?
As per the information from question 6, the last user to log on to the machine was 'Informant', at 25/03/2015 14:45:59 UTC.

Question Number 8: When was the last recorded shutdown date/time?

25/03/2015 15:31:05 UTC

The shutdown information is stored in the SYSTEM registry hive, in the ShutdownTime value of the key
HKLM\SYSTEM\ControlSet001\Control\Windows. Running the following command reveals it:

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p shutdown



Question Number 9: Explain the information of the network interface(s) with an IP address assigned by DHCP.

The network card configuration is stored in the SOFTWARE registry hive under the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Run the following commands to view the configuration:

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SOFTWARE -p networkcards
# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p nic2

Adapter Name       Intel(R) PRO/1000 MT Network Connection
IP Address         10.11.11.129
Subnet mask        255.255.255.0
Default Gateway    10.11.11.2
DHCP server        10.11.11.254
DNS Server         10.11.11.2
Domain             localdomain



Question Number 10: What applications were installed by the suspect after installing the OS?

Information about installed applications is stored in the SOFTWARE registry hive under the Uninstall key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Uninstall

The command used to reveal this information is:

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SOFTWARE -p uninstall

Application                                                  Install time
Eraser 6.2.0.2962 v.6.2.2962                                 Wed Mar 25 14:57:31 2015 (UTC)
Microsoft .NET Framework 4 Extended v.4.0.30319              Wed Mar 25 14:54:33 2015 (UTC)
MPlayer2                                                     Wed Mar 25 10:15:21 2015 (UTC)
Google Drive v.1.20.8672.3137                                Mon Mar 23 20:02:46 2015 (UTC)
Apple Software Update v.2.1.3.127                            Mon Mar 23 20:01:01 2015 (UTC)
Apple Application Support v.3.0.6                            Mon Mar 23 20:00:45 2015 (UTC)
Bonjour v.3.0.0.10                                           Mon Mar 23 20:00:58 2015 (UTC)
Google Chrome v.41.0.2272.101                                Sun Mar 22 15:11:51 2015 (UTC)
Microsoft Office Professional Plus 2013 v.15.0.4420.1017     Sun Mar 22 15:04:14 2015 (UTC)
Microsoft Word MUI (English) 2013 v.15.0.4420.1017           Sun Mar 22 15:01:38 2015 (UTC)

Question Number 11: List application execution logs.
(Executable path, execution time, execution count...)

Traces of application execution are generally recorded in the NTUSER.DAT registry hive under the key
HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Running the following command extracted the last run time and run count of the executables:

# perl rip.pl -r /mnt/win7dd2/Users/informant/NTUSER.DAT -p userassist > apps_exec3.txt

Executable path                                              Execution time             Execution count
xpsrchvw.exe                                                 Wed Mar 25 15:28:47 2015   1
Microsoft Office\Office15\WINWORD.EXE                        Wed Mar 25 15:24:48 2015   4
Google\Drive\googledrivesync.exe                             Wed Mar 25 15:21:30 2015   1
\CCleaner\CCleaner64.exe                                     Wed Mar 25 15:15:50 2015   1
Eraser\Eraser.exe                                            Wed Mar 25 15:12:28 2015   1
C:\Users\informant\Desktop\Download\ccsetup504.exe           Wed Mar 25 14:57:56 2015   1
C:\Users\informant\Desktop\Download\Eraser 6.2.0.2962.exe    Wed Mar 25 14:50:14 2015   1
Microsoft.InternetExplorer.Default                           Wed Mar 25 14:46:05 2015   5
Microsoft.Windows.MediaPlayer32                              Wed Mar 25 14:42:47 2015   1
\Microsoft Office\Office15\OUTLOOK.EXE                       Wed Mar 25 14:41:03 2015   5
Chrome                                                       Tue Mar 24 21:05:38 2015   7
Microsoft.Windows.StickyNotes                                Tue Mar 24 18:31:55 2015   13
Microsoft Office\Office15\POWERPNT.EXE                       Mon Mar 23 20:27:33 2015   2
\Microsoft Office\Office15\EXCEL.EXE                         Mon Mar 23 20:26:50 2015   1
cmd.exe                                                      Mon Mar 23 20:10:19 2015   4
slui.exe                                                     Sun Mar 22 15:24:47 2015   3
IE11-Windows6.1-x64-en-us.exe                                Sun Mar 22 15:12:32 2015   1
calc.exe                                                     Sun Mar 22 14:33:13 2015   12
\SnippingTool.exe                                            Sun Mar 22 14:33:13 2015   10
mspaint.exe                                                  Sun Mar 22 14:33:13 2015   9
Microsoft.Windows.RemoteDesktop                              Sun Mar 22 14:33:13 2015   8
magnify.exe                                                  Sun Mar 22 14:33:13 2015   7
Microsoft Games\Solitaire\solitaire.exe                      Sun Mar 22 14:33:13 2015   6
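RegRipper's userassist plugin produces the table above by decoding two layers: the value names under the UserAssist key are ROT13-obfuscated, and each value's data is a fixed binary structure holding the run count and the last-execution FILETIME. The Python below is an added example, not the assignment's or RegRipper's code. It assumes the Windows 7 layout of that structure (72 bytes, run count as a little-endian DWORD at offset 4, FILETIME at offset 60); the two sample entries are constructed to mirror the calc.exe and ccsetup504.exe rows above rather than read from the image, and the GUID prefix on the calc.exe entry is the known-folder GUID Windows uses for the System32 directory.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer division on timedeltas keeps the conversion exact.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(name, data):
    """Decode one UserAssist value.

    Returns (plain name, run count, last run as UTC datetime or None).
    Layout assumed (Windows 7): DWORD session at 0, DWORD run count at 4,
    DWORD focus count at 8, DWORD focus time at 12, FILETIME at 60.
    """
    plain = codecs.decode(name, "rot13")
    if len(data) < 68:
        raise ValueError(f"UserAssist value too short: {len(data)} bytes")
    run_count = struct.unpack_from("<I", data, 4)[0]
    ft = struct.unpack_from("<Q", data, 60)[0]
    last_run = filetime_to_datetime(ft) if ft else None
    return plain, run_count, last_run


def build_sample_value(session, run_count, last_run):
    """Construct a 72-byte Windows 7 UserAssist value for the sample data."""
    data = bytearray(72)
    struct.pack_into("<III", data, 0, session, run_count, 0)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


# Constructed entries mirroring two rows of the write-up's table; the
# value names are ROT13-encoded exactly as they sit in the hive.
SAMPLE_ENTRIES = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\calc.exe", "rot13"):
        build_sample_value(0, 12, datetime(2015, 3, 22, 14, 33, 13, tzinfo=timezone.utc)),
    codecs.encode(r"C:\Users\informant\Desktop\Download\ccsetup504.exe", "rot13"):
        build_sample_value(0, 1, datetime(2015, 3, 25, 14, 57, 56, tzinfo=timezone.utc)),
}


def list_executions(entries):
    """Decode every entry and order by last run, newest first, as the
    write-up's table does."""
    rows = [decode_userassist(name, data) for name, data in entries.items()]
    rows.sort(key=lambda r: r[2] or FILETIME_EPOCH, reverse=True)
    return rows


if __name__ == "__main__":
    for plain, count, last_run in list_executions(SAMPLE_ENTRIES):
        when = last_run.strftime("%a %b %d %H:%M:%S %Y") if last_run else "never"
        print(f"{plain:60} {when:26} {count}")
```

A zero FILETIME (reported here as `None`) is normal for entries that were populated by default at install time, and entries whose count is high but whose timestamp matches the OS install date, like the calc.exe row above, should be read in that light rather than as ten user launches.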

Question Number 12: List all traces about the system on/off and the user logon/logoff.
(It should be considered only during a time range between 09:00 and 18:00 in the timezone from Question 4.)

The Windows event log containing the logon and logoff events is the Security event log file, located at
Windows/System32/winevt/Logs/Security.evtx

Use the following tool and command to dump the security events, then search the output for the logon event ID 4624,
the logoff event ID 4634, and the shutdown event ID 1100:

# evtxdump.py /mnt/win7dd2/Windows/System32/winevt/Logs/Security.evtx > wind_security_log.xml

Time             Event ID   Type

3/25/2015 15:31 1100 Service shutdown
3/25/2015 14:45 4624 Logon
3/25/2015 14:45 4634 Logoff
3/25/2015 10:19 4624 Logon
3/25/2015 10:18 1100 Service shutdown
3/25/2015 10:15 4624 Logon
3/24/2015 21:07 1100 Service shutdown
3/24/2015 20:58 4624 Logon
3/24/2015 18:28 4634 Logoff
3/24/2015 18:28 4624 Logon
3/24/2015 18:28 4634 Logoff
3/24/2015 13:21 4624 Logon
3/23/2015 21:02 1100 Service shutdown
3/23/2015 20:01 4624 Logon
3/22/2015 16:00 1100 Service shutdown
3/22/2015 15:58 4634 Logoff
3/22/2015 15:57 4624 Logon
3/22/2015 15:56 4634 Logoff
3/22/2015 15:43 4624 Logon
3/22/2015 15:28 1100 Service shutdown
3/22/2015 15:22 4624 Logon
3/22/2015 15:19 1100 Service shutdown
3/22/2015 15:19 4624 Logon
3/22/2015 14:38 1100 Service shutdown
3/22/2015 14:34 4624 Logon
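The times in the table above are UTC as dumped from the event log, while the question asks for the 09:00 to 18:00 window in the machine's local time from Question 4. The Python below is an added example, not part of the assignment: it parses a constructed subset of the table, converts each time to local using the registry semantics (Bias is the number of minutes added to local time to reach UTC, so local = UTC - Bias; DaylightBias of -60 applies while daylight saving time is active), and keeps the events inside the window. Which bias applies depends on whether daylight saving was in force on the event date (under the US rule it begins on the second Sunday of March, and ActiveTimeBias in the same registry key records the bias in force when the hive was last written), so the example takes that as a parameter and shows both results.

```python
from datetime import datetime, time, timedelta

# Constructed subset of the write-up's Security log table; times are UTC
# exactly as the event log dump reports them.
SAMPLE_EVENTS = """\
3/25/2015 15:31 1100 Service shutdown
3/25/2015 14:45 4624 Logon
3/25/2015 10:15 4624 Logon
3/24/2015 21:07 1100 Service shutdown
3/24/2015 13:21 4624 Logon
3/22/2015 14:34 4624 Logon
"""

# TimeZoneInformation values as the write-up reports them: a Bias of
# 5 hours (300 minutes, UTC-5) and a one-hour daylight adjustment.
BIAS_MINUTES = 300
DAYLIGHT_BIAS_MINUTES = -60


def parse_events(text):
    """Parse 'M/D/YYYY HH:MM <event id> <description>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event_id, *desc = line.split()
        events.append({
            "utc": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M"),
            "event_id": int(event_id),
            "type": " ".join(desc),
        })
    return events


def utc_to_local(utc_dt, bias_minutes, daylight_active=False):
    """local = UTC - (Bias + DaylightBias when DST is active)."""
    bias = bias_minutes + (DAYLIGHT_BIAS_MINUTES if daylight_active else 0)
    return utc_dt - timedelta(minutes=bias)


def events_in_window(events, daylight_active, start=time(9, 0), end=time(18, 0)):
    """Keep events whose local clock time falls within [start, end]."""
    kept = []
    for ev in events:
        local = utc_to_local(ev["utc"], BIAS_MINUTES, daylight_active)
        if start <= local.time() <= end:
            kept.append(dict(ev, local=local))
    return kept


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for dst in (False, True):
        print("--- assuming", "EDT (UTC-4)" if dst else "EST (UTC-5)", "---")
        for ev in events_in_window(evs, dst):
            print(f"{ev['local']:%Y-%m-%d %H:%M} local  {ev['event_id']}  {ev['type']}")
```

The two runs differ by one event (the 3/24/2015 13:21 logon lands at 08:21 under EST but 09:21 under EDT), which is why the bias actually in force on each date, not just the zone's standard Bias, has to be settled before the window is applied.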



Question Number 13: What web browsers were used?
As per the installed applications from question 10, the browsers used are Internet Explorer 9, Internet Explorer 11,
and Google Chrome.

Question Number 14: Identify the directory/file paths related to the web browser history.

Browsers keep their browsing history under the user's profile folder. In this case, the folder of the user informant
contains the browsing history files of Internet Explorer and Chrome, as follows:

Internet Explorer 9
C:\Users\informant\AppData\Local\Microsoft\Windows\History\
C:\Users\informant\AppData\Local\Microsoft\Windows\Temporary Internet Files\
C:\Users\informant\AppData\Roaming\Microsoft\Windows\Cookies\

Internet Explorer 11
C:\Users\informant\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Google Chrome:
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Application Cache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Media Cache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\GPUCache\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Cookies\
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
C:\Users\informant\AppData\Local\Google\Chrome\User Data\Default\Extensions\

Question Number 15: What websites was the suspect accessing? (Timestamp, URL...)

Examining the files listed in question 14 reveals that the following URLs were accessed in Internet Explorer and
Google Chrome.

Using the sqlite3 tool to get the visited sites with their timestamps:

# sqlite3 /mnt/win7dd2/Users/informant/AppData/Local/Google/Chrome/User\
Data/Default/History
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"),
urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
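The query above works because Chrome stores `visit_time` as microseconds since 1601-01-01 UTC, the same epoch as a Windows FILETIME, so dividing by 1,000,000 and subtracting 11644473600 seconds (the gap between 1601 and the Unix epoch) yields a value SQLite's `datetime(..., 'unixepoch')` understands. The Python below is an added example, not part of the assignment: it builds a constructed in-memory copy of the two tables the query touches (`urls` and `visits`, with only the columns used here; a real History file has many more), inserts sample visits whose URLs are taken from the table that follows, runs the same join, and provides the timestamp conversion in both directions.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between 1601-01-01 (WebKit/FILETIME epoch) and 1970-01-01 (Unix).
EPOCH_DELTA = 11644473600


def to_webkit(dt):
    """UTC datetime -> Chrome/WebKit microsecond timestamp."""
    seconds = int(dt.replace(tzinfo=timezone.utc).timestamp())
    return (seconds + EPOCH_DELTA) * 1_000_000


def from_webkit(value):
    """Chrome/WebKit microsecond timestamp -> aware UTC datetime."""
    return datetime.fromtimestamp(value / 1_000_000 - EPOCH_DELTA, tz=timezone.utc)


# Same join as the assignment's sqlite3 session, written with explicit JOIN
# syntax and ordered by visit time.
HISTORY_QUERY = """
SELECT datetime((visits.visit_time / 1000000) - 11644473600, 'unixepoch') AS ts,
       urls.url, urls.title
FROM urls JOIN visits ON urls.id = visits.url
ORDER BY visits.visit_time
"""


def build_sample_history():
    """Constructed History database: schema reduced to the columns the
    query needs, rows modelled on visits listed in the write-up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "http://windows.microsoft.com/en-us/internet-explorer/download-ie",
         "Download Internet Explorer (constructed title)"),
        (2, "https://www.google.com/webhp?hl=en#hl=en&q=data+leakage+methods",
         "data leakage methods - Google Search (constructed title)"),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, to_webkit(datetime(2015, 3, 22, 15, 10, 0))),
        (2, 2, to_webkit(datetime(2015, 3, 23, 18, 2, 0))),
        (3, 2, to_webkit(datetime(2015, 3, 23, 18, 5, 30))),
    ])
    conn.commit()
    return conn


def visited_sites(conn):
    """Run the history query; returns (timestamp, url, title) tuples."""
    return conn.execute(HISTORY_QUERY).fetchall()


if __name__ == "__main__":
    for ts, url, title in visited_sites(build_sample_history()):
        print(f"{ts}  {url}  [{title}]")
```

Against the real file, open a copy of `History` rather than the mounted original: Chrome keeps the database locked and journaled, and working on a copy avoids touching the evidence. Note that the same visit can appear more than once when `visits` holds several rows for one `urls` entry, which is why the output above lists the Google search page twice.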

Time Stamp      URL

3/22/2015 15:10 http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages
3/22/2015 15:11 https://www.google.com/chrome/browser/thankyou.html?brand=CHNG&platform=win&clickonceinstalled=1
3/22/2015 15:10 https://www.google.com/search?hl=en&source=hp&q=internet+explorer+11&gbv=2&oq=internet+explorer+11&gs_l=heirloom-hp.3..0l10.5163.7893.0.9562.20.13.0.7.7.0.156.1110.11j2.13.0.msedr...0...1ac.1.34.heirloom-hp..0.20.1250.5j7Xm44tv5w
3/22/2015 15:09 http://www.msn.com/?ocid=iehp
3/22/2015 15:10 http://windows.microsoft.com/en-us/internet-explorer/download-ie
3/22/2015 15:09 http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CCoQFjAB&usg=AFQjCNE7UKIWEBiWO2N96IFeo6ZywhRLfw
3/22/2015 15:09 http://windows.microsoft.com/en-US/internet-explorer/products/ie-8/welcome
3/22/2015 15:11 http://download.microsoft.com/download/7/1/7/7179A150-F2D2-4502-9D70-4B59EA148EAA/IE11-Windows6.1-x64-en-us.exe
3/22/2015 15:09 https://www.google.com/?gws_rd=ssl
3/22/2015 15:09 http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/download-ie&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CB8QFjAA&usg=AFQjCNEwsIz17kY-jTXbaWPcQDfBbVEi7A
3/22/2015 15:10 https://www.google.com/webhp?hl=en
3/22/2015 15:11 https://dl.google.com/update2/1.3.26.9/GoogleInstaller_en.application?appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B68685C6D-795B-6A37-5D90-2AB8DC4D402B%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26brand%3DCHNG
3/22/2015 15:11 https://www.google.com/chrome/index.html?hl=en&brand=CHNG&utm_source=en-hpp&utm_medium=hpp&utm_campaign=en
3/22/2015 15:11 http://tools.google.com/chrome/intl/en/welcome.html
3/22/2015 15:11 https://www.google.com/intl/en/chrome/browser/welcome.html
3/22/2015 15:27 https://www.google.com/#q=outlook+2013+settings
3/22/2015 15:28 https://support.office.com/en-nz/article/Set-up-email-in-Outlook-2010-or-Outlook-2013-for-Office-365-or-Exchange-based-accounts-6e27792a-9267-4aa4-8bb6-c84ef146101b
3/22/2015 15:28 https://www.google.com/#q=outlook+2013+settings
3/22/2015 15:28 https://www.google.com/webhp?hl=en
3/23/2015 17:26 http://www.bing.com/
3/23/2015 17:26 https://www.google.com/webhp?hl=en
3/23/2015 17:27 https://www.google.com/webhp?hl=en#q=Emmy+Noether&oi=ddle&ct=emmy-noethers-133rd-birthday-5681045017985024-hp&hl=en
3/23/2015 17:27 https://www.google.com/webhp?hl=en
3/23/2015 17:27 https://www.google.com/webhp?hl=en#q=Emmy+Noether&oi=ddle&ct=emmy-noethers-133rd-birthday-5681045017985024-hp&hl=en
3/23/2015 17:27 https://www.google.com/webhp?hl=en
3/23/2015 18:02 https://www.google.com/webhp?hl=en#hl=en&q=data+leakage+methods
3/23/2015 18:02 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB4QFjAA&url=http%3A%2F%2Fwww.sans.org%2Freading-room%2Fwhitepapers%2Fawareness%2Fdata-leakage-threats-mitigation_1931&ei=IFUQVezLK5PnsATO3IDoBw&usg=AFQjCNGnnDJlx5Rnz6z5bVXCIJgaCwXuaQ&bvm=bv.88528373,d.aWw&cad=rja
3/23/2015 18:02 http://www.sans.org/reading-room/whitepapers/awareness/data-leakage-threats-mitigation_1931
3/23/2015 18:02 http://www.sans.org/reading-room/whitepapers/awareness/data-leakage-threats-mitigation-1931
3/23/2015 18:02 https://www.google.com/webhp?hl=en#hl=en&q=leaking+confidential+information
3/23/2015 18:03 https://www.google.com/webhp?hl=en#q=leaking+confidential+information&hl=en&start=10
3/23/2015 18:03 https://www.google.com/webhp?hl=en#q=leaking+confidential+information&hl=en&start=20
3/23/2015 18:03 https://www.google.com/webhp?hl=en#hl=en&q=information+leakage+cases
3/23/2015 18:04 https://www.google.com/webhp?hl=en#q=information+leakage+cases&hl=en&tbm=nws
3/23/2015 18:04 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=newssearch&cd=4&ved=0CCYQqQIoADAD&url=http%3A%2F%2Fwww.emirates247.com%2Fbusiness%2Ftechnology%2Ftop-5-sources-leaking-personal-data-2015-03-13-1.584027&ei=sFUQVdKvPPWZsQSC-oLgDA&usg=AFQjCNGhQdoP0v9rKLkw4B9tET-YRTFEtw&bvm=bv.88528373,d.aWw&cad=rja
3/23/2015 18:04 http://www.emirates247.com/business/technology/top-5-sources-leaking-personal-data-2015-03-13-1.584027
3/23/2015 18:05 https://www.google.com/webhp?hl=en#q=information+leakage+cases&hl=en
3/23/2015 18:05 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&source=lnms&tbm=isch&sa=X&ei=21UQVb20Eu-HsQTJ5IDAAQ&ved=0CAgQ_AUoAw
3/23/2015 18:05 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1
3/23/2015 18:05 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#q=information+leakage+cases&hl=en
3/23/2015 18:05 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCMQFjAA&url=http%3A%2F%2Fwww.mediapost.com%2Fpublications%2Farticle%2F205047%2Fgoogle-to-settle-data-leakage-case-for-85-mill.html%3Fedition%3D&ei=4VUQVdO8JurfsAT9ioLIBQ&usg=AFQjCNFc5f-cGTRfFN2WeWpfm9Eli0siBg&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:05 http://www.mediapost.com/publications/article/205047/google-to-settle-data-leakage-case-for-85-mill.html?edition=
3/23/2015 18:05 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=intellectual+property+theft
3/23/2015 18:05 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CB4QFjAA&url=http%3A%2F%2Fwww.fbi.gov%2Fabout-us%2Finvestigate%2Fwhite_collar%2Fipr%2Fipr&ei=-VUQVaXJM7iSsQT584DADw&usg=AFQjCNF7eFFsWGyvWw2jaWkVtlf-0Btddg&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:05 http://www.fbi.gov/about-us/investigate/white_collar/ipr/ipr
3/23/2015 18:06 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&sqi=2&ved=0CDEQFjAC&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FIntellectual_property&ei=-VUQVaXJM7iSsQT584DADw&usg=AFQjCNGhHfTZFaK6wQe0WVP95Go0kFfGLA&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:06 http://en.wikipedia.org/wiki/Intellectual_property
3/23/2015 18:06 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+leak+a+secret
3/23/2015 18:06 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&sqi=2&ved=0CCcQFjAB&url=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fum%2Fpeople%2Fyael%2Fpublications%2F2001-leak_secret.pdf&ei=IlYQVbbzB6uxsASbj4GgCA&usg=AFQjCNGpzaLYBk7grHEpVoQi0fIXATFEWA&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:06 http://research.microsoft.com/en-us/um/people/yael/publications/2001-leak_secret.pdf
3/23/2015 18:14 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=cloud+storage
3/23/2015 18:15 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&sqi=2&ved=0CEUQFjAB&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCloud_storage&ei=GFgQVfWtL8mPsQTr94DADg&usg=AFQjCNH2X7RGXgS6UOnd4gSg8NmtZ6JDtQ&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:15 http://en.wikipedia.org/wiki/Cloud_storage
3/23/2015 18:15 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&sqi=2&ved=0CEwQFjAC&url=http%3A%2F%2Fwww.pcadvisor.co.uk%2Ftest-centre%2Finternet%2F3506734%2Fbest-cloud-storage-dropbox-google-drive-onedrive-icloud%2F&ei=GFgQVfWtL8mPsQTr94DADg&usg=AFQjCNFK5bX07QI1lKKNzlkXBEbv8LzMsg&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:15 http://www.pcadvisor.co.uk/test-centre/internet/3506734/best-cloud-storage-dropbox-google-drive-onedrive-icloud/
3/23/2015 18:15 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=digital+forensics
3/23/2015 18:15 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFEQFjAF&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FDigital_forensics&ei=UFgQVayPBOG1sQS7y4Ew&usg=AFQjCNFU-HDPY2v07qAo1hunNjD4uG8U9Q&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:15 http://en.wikipedia.org/wiki/Digital_forensics
3/23/2015 18:16 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CF0QFjAG&url=http%3A%2F%2Fnij.gov%2Ftopics%2Fforensics%2Fevidence%2Fdigital%2Fpages%2Fwelcome.aspx&ei=UFgQVayPBOG1sQS7y4Ew&usg=AFQjCNF4PYQlnERZIKDzb1fMP-T5aZLTrg&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:16 http://nij.gov/topics/forensics/evidence/digital/pages/welcome.aspx
3/23/2015 18:16 http://nij.gov/Pages/PageNotFoundError.aspx?requestUrl=http://nij.gov/topics/forensics/evidence/digital/standards/pages/welcome.aspx
3/23/2015 18:16 http://nij.gov/topics/forensics/evidence/digital/pages/welcome.aspx
3/23/2015 18:16 http://nij.gov/topics/forensics/evidence/digital/analysis/pages/welcome.aspx
3/23/2015 18:16 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+delete+data
3/23/2015 18:17 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=anti-forensics
3/23/2015 18:17 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCMQFjAA&url=http%3A%2F%2Fforensicswiki.org%2Fwiki%2FAnti-forensic_techniques&ei=qlgQVa2iCs3jsASKxICQCQ&usg=AFQjCNFPXy9OjJutWkkJNc2rdmEsnH8gmw&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:17 http://forensicswiki.org/wiki/Anti-forensic_techniques
3/23/2015 18:17 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEcQFjAE&url=https%3A%2F%2Fdefcon.org%2Fimages%2Fdefcon-20%2Fdc-20-presentations%2FPerklin%2FDEFCON-20-Perklin-AntiForensics.pdf&ei=qlgQVa2iCs3jsASKxICQCQ&usg=AFQjCNGuYkqfQ-eoxWMrlLOnA1MEBetVMA&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:18 https://defcon.org/images/defcon-20/dc-20-presentations/Perklin/DEFCON-20-Perklin-AntiForensics.pdf
3/23/2015 18:18 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=system+cleaner
3/23/2015 18:18 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#q=system+cleaner&hl=en&start=10
3/23/2015 18:18 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+recover+data
3/23/2015 18:18 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#q=how+to+recover+data&hl=en&start=20
3/23/2015 18:18 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#q=how+to+recover+data&hl=en&start=10
3/23/2015 18:19 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=data+recovery+tools
3/23/2015 18:19 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CGwQFjAG&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FList_of_data_recovery_software&ei=F1kQVd3EGfOHsQSAz4CIDA&usg=AFQjCNEPVfDD6BgIwmVUOVFG3RsE-3XGQA&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:19 http://en.wikipedia.org/wiki/List_of_data_recovery_software
3/23/2015 18:19 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CIABEBYwCQ&url=http%3A%2F%2Fwww.forensicswiki.org%2Fwiki%2FTools%3AData_Recovery&ei=F1kQVd3EGfOHsQSAz4CIDA&usg=AFQjCNH6vSduODlbRgqX5d02tLe3fhy-sw&bvm=bv.88528373,d.cWc&cad=rja
3/23/2015 18:19 http://www.forensicswiki.org/wiki/Tools:Data_Recovery
3/23/2015 19:47 https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=data+recovery+tools
3/23/2015 19:48 https://www.google.com/webhp?hl=en
3/23/2015 19:48 https://www.google.com/webhp?hl=en#hl=en&q=google
3/23/2015 19:48 https://www.google.com/webhp?hl=en
3/23/2015 19:55 https://www.google.com/webhp?hl=en#hl=en&q=apple+icloud
3/23/2015 19:55 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCUQFjAB&url=https%3A%2F%2Fwww.apple.com%2Ficloud%2F&ei=nm8QVc_BC8vasATi_IGoBA&usg=AFQjCNEGtiW1BO4CUv7JdC2GJrvivhQAZg&bvm=bv.88528373,d.aWw&cad=rja
3/23/2015 19:55 https://www.apple.com/icloud/
3/23/2015 19:55 https://www.apple.com/icloud/setup/pc.html
3/23/2015 19:55 http://www.icloud.com/icloudcontrolpanel
3/23/2015 19:55 https://www.icloud.com/icloudcontrolpanel
3/23/2015 19:55 http://www.icloud.com/icloudcontrolpanel/
3/23/2015 19:55 https://www.icloud.com/icloudcontrolpanel/
3/23/2015 19:55 http://support.apple.com/kb/DL1455
3/23/2015 19:55 https://support.apple.com/kb/DL1455
3/23/2015 19:55 http://support.apple.com/kb/DL1455?locale=en_US
3/23/2015 19:55 https://support.apple.com/kb/DL1455?locale=en_US
3/23/2015 19:56 https://www.google.com/webhp?hl=en#hl=en&q=google+drive
3/23/2015 19:56 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.google.com%2Fdrive%2F&ei=1G8QVYfAGJK_sQSE-oCAAQ&usg=AFQjCNEkd59bGLZR6pLjNvtXxR3vGLBE9Q&bvm=bv.88528373,d.aWw&cad=rja
3/23/2015 19:56 https://www.google.com/drive/
3/23/2015 19:56 https://www.google.com/drive/download/
3/23/2015 19:56 https://tools.google.com/dlpage/drive/index.html?hl=en#eula
3/23/2015 19:56 https://tools.google.com/dlpage/drive/thankyou.html?hl=en
3/23/2015 20:43 https://www.google.com/webhp?hl=en
3/24/2015 14:05 http://www.bing.com/
3/24/2015 14:05 https://www.google.com/webhp?hl=en
3/24/2015 14:12 http://www.bing.com/
3/24/2015 14:12 https://www.google.com/webhp?hl=en
3/24/2015 15:22 https://news.google.com/nwshp?hl=en&tab=wn&ei=xnARVdWfPPLjsASdgIKoAw&ved=0CAUQqS4oBQ
3/24/2015 15:22 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=w&siidp=0b2226a6a5dab3b27ee85fc5e8d21f28f01e
3/24/2015 15:23 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04
3/24/2015 16:01 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427212899
3/24/2015 16:16 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427213801
3/24/2015 16:31 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427214703
3/24/2015 16:46 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427215604
3/24/2015 17:01 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427216506
3/24/2015 17:16 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427217407
3/24/2015 17:37 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427218623
3/24/2015 17:52 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427219526
3/24/2015 18:07 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427220429
3/24/2015 18:22 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427221332
3/24/2015 18:43 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=tc&siidp=e6116f8175cb189b8dd7fd58ef6bc922ec04&ar=1427222627
3/24/2015 18:59 https://news.google.com/news?pz=1&cf=all&ned=us&siidp=0c33ef04190b3734a22c5bae18801ff1041e
3/24/2015 19:00 http://www.cbsnews.com/news/germanwings-flight-9525-pulverized-plane-parts-rough-mountain-terrain/
3/24/2015 19:00 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=w&siidp=538c61c825aba06be7485be747a619778015
3/24/2015 19:00 https://news.google.com/news?pz=1&cf=all&ned=us&siidp=f206159a77e2be8861b5231ddc055443b303
3/24/2015 19:00 https://news.google.com/news/section?pz=1&cf=all&ned=us&topic=s&siidp=545d9217fe5452fcfbcbe251400793f398ac
3/24/2015 19:01 https://news.google.com/news?pz=1&hl=en&tab=nn
3/24/2015 19:01 http://www.bing.com/
3/24/2015 19:01 https://news.google.com/news?pz=1&hl=en&tab=nn
3/24/2015 19:01 https://www.google.com/
3/24/2015 21:05 https://www.google.com/
3/24/2015 21:05 http://www.bing.com/
3/24/2015 21:06 https://www.google.com/#q=security+checkpoint+cd-r
3/24/2015 21:07 https://www.google.com/webhp?hl=en

Internet Explorer:

3/25/2015 14:47 informant@http://iweb.dl.sourceforge.net/project/eraser/Eraser%206/6.2/Eraser%206.2.0.2962.exe
3/22/2015 15:24 informant@https://dl.google.com/update2/1.3.26.9/GoogleInstaller_en.application?appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B68685C6D-795B-6A37-5D90-2AB8DC4D402B%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26brand%3DCHNG
3/23/2015 20:34 Visited: informant@https://clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.Vh6dPmTLRzs.O%2Fm%3D__features__%2Fam%3DIQ%2Frt%3Dj%2Fd%3D1%2Ft%3Dzcms%2Frs%3DAGLTcCPMH84qo1WVX7OKMktu4bYHvIFfsw
3/23/2015 17:27 informant@http://www.msn.com/?ocid=iehp
3/23/2015 18:14 informant@http://www.forensicswiki.org/wiki/USB_History_Viewing
3/23/2015 18:14 informant@http://www.forensicswiki.org/favicon.ico
3/25/2015 14:48 informant@http://www.piriform.com/ccleaner/download
3/25/2015 14:48 informant@http://www.piriform.com/ccleaner/download/standard
3/25/2015 14:48 informant@http://www.piriform.com/ccleaner
3/23/2015 18:12 informant@https://support.microsoft.com/en-us/kb/308427
3/23/2015 18:12 informant@https://support.microsoft.com/favicon.ico
3/23/2015 20:27 informant@https://odc.officeapps.live.com/odc/emailhrd?lcid=1033&syslcid=1033&uilcid=1033&app=3&ver=15&build=15.0.4420&p=0&a=1&hm=1&sp=0
3/25/2015 15:24 informant@https://odc.officeapps.live.com/odc/emailhrd?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=15&build=15.0.4420&p=0&a=1&hm=1&sp=0
3/25/2015 14:41 informant@https://odc.officeapps.live.com/odc/emailhrd?lcid=1033&syslcid=1033&uilcid=1033&app=5&ver=15&build=15.0.4420&p=0&a=1&hm=1&sp=0
3/23/2015 20:27 informant@https://odc.officeapps.live.com/odc/emailhrd?lcid=1033&syslcid=1033&uilcid=1033&app=1&ver=15&build=15.0.4420&p=0&a=1&hm=1&sp=0

3/24/2015 13:34 informant@outlook:0000000038A1BB1005E5101AA1BB08002B2A56C20000454D534D44422E444C4C00000000000000001B55FA20AA6611CD9BC800AA002FC45A0C00000031623738383832382D633861322D343638312D626636662D623164663939333534313562406E6973742E676F76002F6F3D45786368616E67654C6162732F6F753D45786368616E67652041646D696E6973747261746976652047726F7570202846594449424F484632335350444C54292F636E3D526563697069656E74732F636E3D32356662336665653538663734613534393766383830373233343131346636352D69616D616E00
3/23/2015 18:11 informant@http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
3/23/2015 18:11 informant@http://resources.infosecinstitute.com/favicon.ico
3/23/2015 18:13 informant@https://msdn.microsoft.com/en-us/library/windows/desktop/dd562212(v=vs.85).aspx
3/22/2015 15:24 informant@https://www.google.com/chrome/browser/thankyou.html?brand=CHNG&platform=win&clickonceinstalled=1
3/22/2015 15:24 informant@https://www.google.com/chrome/index.html?hl=en&brand=CHNG&utm_source=en-hpp&utm_medium=hpp&utm_campaign=en
3/22/2015 15:24 informant@https://www.google.com/search?hl=en&source=hp&q=internet+explorer+11&gbv=2&oq=internet+explorer+11&gs_l=heirloom-hp.3..0l10.5163.7893.0.9562.20.13.0.7.7.0.156.1110.11j2.13.0.msedr...0...1ac.1.34.heirloom-hp..0.20.1250.5j7Xm44tv5w
3/22/2015 15:24 informant@https://www.google.com/webhp?hl=en
3/22/2015 15:24 informant@https://www.google.com/?gws_rd=ssl
3/24/2015 20:44 informant@file:///D:/de/winter_whether_advisory.zip
3/25/2015 14:58 informant@file:///C:/Users/informant/AppData/Local/Temp/nsvE0EF.tmp/g/gtb/toolbar.html
3/25/2015 15:29 informant@file:///C:/Users/informant/Desktop/Resignation_Letter_(Iaman_Informant).docx
3/23/2015 18:38 informant@file:///E:/RM#1/Secret%20Project%20Data/design/[secret_project]_design_concept.ppt
3/25/2015 15:28 informant@file:///C:/Users/informant/Desktop/Resignation_Letter_(Iaman_Informant).xps
3/23/2015 18:37 informant@file:///E:/RM#1/Secret%20Project%20Data/proposal/[secret_project]_proposal.docx
3/24/2015 21:01 informant@file:///D:/Tulips.jpg
3/24/2015 14:01 informant@file:///E:/Secret%20Project%20Data/design/winter_whether_advisory.zip
3/24/2015 21:01 informant@file:///D:/Koala.jpg
3/23/2015 20:27 informant@file:///V:/Secret%20Project%20Data/final/[secret_project]_final_meeting.pptx
3/24/2015 21:01 informant@file:///D:/Penguins.jpg
3/23/2015 18:08 informant@http://sysinfotools.com/blog/tethering-internet-files-sharing/
3/23/2015 18:12 informant@https://technet.microsoft.com/en-us/library/cc162846.aspx
3/22/2015 15:24 informant@http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/download-ie&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CB8QFjAA&usg=AFQjCNEwsIz17kY-jTXbaWPcQDfBbVEi7A
3/22/2015 15:24 informant@http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CCoQFjAB&usg=AFQjCNE7UKIWEBiWO2N96IFeo6ZywhRLfw
3/25/2015 14:47 informant@http://sourceforge.net/projects/eraser/files/Eraser%206/6.2/Eraser%206.2.0.2962.exe/download
3/23/2015 17:27 informant@http://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/vie
3/22/2015 15:24 informant@http://download.microsoft.com/download/7/1/7/7179A150-F2D2-4502-9D70-4B59EA148EAA/IE11-Windows6.1-x64-en-us.exe
3/24/2015 19:33 informant@outlook:0000000083073BC3313D734B85B739BE025FF682010067F0FC59CC93ED4D8A9E086F82A4E83200000000010C0000
3/23/2015 20:26 informant@file://10.11.11.128/secured_drive/Secret%20Project%20Data/pricing%20decision/(secret_project)_pricing_decision.xlsx
3/25/2015 14:47 informant@http://eraser.heidi.ie/download.php
3/25/2015 14:47 informant@http://eraser.heidi.ie/
3/23/2015 18:12 informant@http://en.wikipedia.org/wiki/Event_Viewer
3/24/2015 19:33 informant@outlook:0000000083073BC3313D734B85B739BE025FF682010067F0FC59CC93ED4D8A9E086F82A4E8320000000001090000
3/23/2015 20:04 informant@https://accounts.google.com/ServiceLoginAuth
3/25/2015 15:22 informant@https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fwww.google.com%2Fsettings%2Fstorage%3Fhl%3Den_US&sacu=1&passive=1209600
3/23/2015 20:34 informant@https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdrive.google.com
3/25/2015 15:22 informant@https://accounts.google.com/AccountChooser?Email=iaman.informant.personal%40gmail.com&continue=https%3A//www.google.com/settings/storage%3Fhl%3Den_US
3/22/2015 15:24 informant@http://go.microsoft.com/fwlink/?LinkID=121792
3/23/2015 17:27 informant@http://go.microsoft.com/fwlink/?LinkId=299201
3/25/2015 14:49 informant@http://go.microsoft.com/fwlink/?LinkId=69157
3/22/2015 15:24 informant@http://windows.microsoft.com/en-us/internet-explorer/download-ie
3/22/2015 15:24 informant@http://windows.microsoft.com/en-US/internet-explorer/products/ie-8/welcome
3/22/2015 15:24 informant@http://windows.microsoft.com/en-us/internet-explorer/ie-8-welcome
3/22/2015 15:24 informant@http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages
3/25/2015 14:49 informant@http://www.bing.com/?FORM=Z9FD1
3/23/2015 20:45 informant@http://www.bing.com/news?q=science+technology+news&FORM=NWBTCB
3/23/2015 20:45 informant@http://www.bing.com/news?q=Soccer+News&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=us+news&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=world+news&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=political+news&FORM=NSBABR
3/23/2015 18:13 informant@http://www.bing.com/news/search?q=file+sharing+and+tethering&FORM=HDRSC6
3/23/2015 18:07 informant@http://www.bing.com/search?q=Top+Stories&FORM=HDRSC1
3/23/2015 18:07 informant@http://www.bing.com/
3/23/2015 20:57 informant@http://www.bing.com/news?q=top+stories&FORM=NSBABR
3/23/2015 20:43 informant@http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE&pq=external%20device%20and%20forensics&sc=8-9&sp=-1&sk=&cvid=c30c4b1f36114b1c9bc683838c69823a
3/23/2015 17:28 informant@http://www.bing.com/search
3/23/2015 20:55 informant@http://www.bing.com/news?q=business+news&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=sports+news&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=local&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=health+news&FORM=NSBABR
3/23/2015 20:55 informant@http://www.bing.com/news?q=science+technology+news&FORM=NSBABR
3/25/2015 14:46 informant@http://www.bing.com/search?q=anti-forensic+tools&qs=n&form=QBLH&pq=anti-forensic+tools&sc=8-13&sp=-1&sk=&cvid=e799e715fa2244a5a7967675bdcca9d3
3/23/2015 20:53 informant@http://www.bing.com/news?q=top+stories&FORM=NWRFSH
3/23/2015 20:55 informant@http://www.bing.com/news?q=entertainment+news&FORM=NSBABR
3/23/2015 20:44 informant@http://www.bing.com/news?FORM=Z9LH3

3/23/2015 18:08 informant@http://www.bing.com/search?q=file+sharing+and+tethering&qs=n&form=QBLH&pq=file+sharing+and+tethering&sc=0-18&sp=-1&sk=&cvid=171b77e4ffd54b2a92c4e97abf995fe1
3/23/2015 18:07 informant@http://www.bing.com/news/search?q=Top Stories&FORM=NSBABR
3/23/2015 20:56 informant@http://www.wired.com/2015/03/stealing-data-computers-using-heat/
3/23/2015 20:45 informant@http://www.wired.com/?p=1756538

Question Number 16: List all search keywords using web browsers. (Timestamp, URL, keyword...)

Internet Explorer:

Time Stamp | URL | Keyword
3/22/2015 15:24 | https://www.google.com/search?hl=en&source=hp&q=internet+explorer+11&gbv=2&oq=internet+explorer+11&gs_l=heirloom-hp.3..0l10.5163.7893.0.9562.20.13.0.7.7.0.156.1110.11j2.13.0.msedr...0...1ac.1.34.heirloom-hp..0.20.1250.5j7Xm44tv5w | Internet explorer 11
3/23/2015 18:13 | http://www.bing.com/news/search?q=file+sharing+and+tethering&FORM=HDRSC6 | File sharing and tethering
3/23/2015 18:07 | http://www.bing.com/search?q=Top+Stories&FORM=HDRSC1 | Top Stories
3/23/2015 20:43 | http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE&pq=external%20device%20and%20forensics&sc=8-9&sp=-1&sk=&cvid=c30c4b1f36114b1c9bc683838c69823a | External device and forensics
3/25/2015 14:46 | http://www.bing.com/search?q=anti-forensic+tools&qs=n&form=QBLH&pq=anti-forensic+tools&sc=8-13&sp=-1&sk=&cvid=e799e715fa2244a5a7967675bdcca9d3 | Anti-forensic tools
3/23/2015 18:08 | http://www.bing.com/search?q=file+sharing+and+tethering&qs=n&form=QBLH&pq=file+sharing+and+tethering&sc=0-18&sp=-1&sk=&cvid=171b77e4ffd54b2a92c4e97abf995fe1 | File sharing and tethering

Google Chrome

Time Stamp | URL | Keyword (page title as recorded by Chrome)
3/22/2015 15:10 | https://www.google.com/search?hl=en&source=hp&q=internet+explorer+11&gbv=2&oq=internet+explorer+11&gs_l=heirloom-hp.3..0l10.5163.7893.0.9562.20.13.0.7.7.0.156.1110.11j2.13.0.msedr...0...1ac.1.34.heirloom-hp..0.20.1250.5j7Xm44tv5w | internet explorer 11 - Google Search
3/23/2015 17:27 | https://www.google.com/webhp?hl=en#q=Emmy+Noether&oi=ddle&ct=emmy-noethers-133rd-birthday-5681045017985024-hp&hl=en | Emmy Noether - Google Search
3/23/2015 17:27 | https://www.google.com/webhp?hl=en | Google
3/23/2015 17:27 | https://www.google.com/webhp?hl=en#q=Emmy+Noether&oi=ddle&ct=emmy-noethers-133rd-birthday-5681045017985024-hp&hl=en | Emmy Noether - Google Search
3/23/2015 18:02 | https://www.google.com/webhp?hl=en#hl=en&q=data+leakage+methods | data leakage methods - Google Search
3/23/2015 18:02 | https://www.google.com/webhp?hl=en#hl=en&q=leaking+confidential+information | leaking confidential information - Google Search
3/23/2015 18:03 | https://www.google.com/webhp?hl=en#hl=en&q=information+leakage+cases | information leakage cases - Google Search

3/23/2015 18:05 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&source=lnms&tbm=isch&sa=X&ei=21UQVb20Eu-HsQTJ5IDAAQ&ved=0CAgQ_AUoAw | information leakage cases - Google Search
3/23/2015 18:05 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1 | information leakage cases - Google Search
3/23/2015 18:05 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#q=information+leakage+cases&hl=en | intellectual property theft - Google Search
3/23/2015 18:05 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=intellectual+property+theft | how to leak a secret - Google Search
3/23/2015 18:06 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+leak+a+secret | cloud storage - Google Search
3/23/2015 18:15 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=digital+forensics | digital forensics - Google Search
3/23/2015 18:16 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+delete+data | how to delete data - Google Search
3/23/2015 18:17 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=anti-forensics | anti-forensics - Google Search
3/23/2015 18:18 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=how+to+recover+data | how to recover data - Google Search
3/23/2015 18:19 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=data+recovery+tools | information leakage cases - Google Search
3/23/2015 19:47 | https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=data+recovery+tools | information leakage cases - Google Search
3/23/2015 19:55 | https://www.google.com/webhp?hl=en#hl=en&q=apple+icloud | apple icloud - Google Search
3/23/2015 19:56 | https://www.google.com/webhp?hl=en#hl=en&q=google+drive | google drive - Google Search
3/24/2015 21:06 | https://www.google.com/#q=security+checkpoint+cd-r | security checkpoint cd-r - Google Search

Note that the Keyword column of the Chrome table is the page title Chrome recorded, and for the 18:05 to 18:06 rows the title is one search behind the URL (the row whose URL ends in #hl=en&q=intellectual+property+theft carries the title "how to leak a secret - Google Search"). Google's results page changes only the URL fragment on a follow-up search, so the authoritative search term for each row is the q= parameter in the URL, not the title; the keyword list for the report should be built from q=.
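The keyword columns above were filled in by hand from the q= parameter. As an added example (not part of the original assignment, and not the code of RegRipper or any browser tool), the following Python does that extraction mechanically for a list of (timestamp, URL) rows, covering both places the term can sit: the query string (Bing, Google /search) and the URL fragment (Google's webhp?hl=en#q=... pages), with the fragment taking precedence because a follow-up search rewrites only the fragment. The SAMPLE_HISTORY rows are copied from the history listings above; the function and constant names are this example's own.

```python
"""Extract search terms from browser-history URLs (added example).

Handles the two places a search engine puts the term: the query string
(Bing, Google /search) and the URL fragment (Google webhp?hl=en#q=...).
"""
from urllib.parse import parse_qs, urlsplit

# Hosts whose q= parameter is a user-typed search term (assumption for this
# example; extend for other engines seen in the history).
SEARCH_HOSTS = {"www.google.com", "www.bing.com"}


def search_term(url):
    """Return (host, keyword) if url is a search-results URL, else None.

    The fragment is checked before the query string: Google's results page
    rewrites only the fragment on an in-page follow-up search, so the
    fragment holds the most recent term when both are present.
    """
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return None
    for component in (parts.fragment, parts.query):
        terms = parse_qs(component).get("q")   # decodes '+' and %20 to spaces
        if terms and terms[0].strip():
            return parts.hostname, terms[0].strip()
    return None


def keyword_table(history):
    """history: iterable of (timestamp, url) rows, as in the listings above.

    Returns (timestamp, host, keyword) rows for search URLs only; redirect
    links such as Google's /url?...&q=&... (empty q=) are dropped.
    """
    rows = []
    for ts, url in history:
        hit = search_term(url)
        if hit:
            rows.append((ts, hit[0], hit[1]))
    return rows


# Rows copied from the Chrome and IE history listings above (sample input).
SAMPLE_HISTORY = [
    ("3/23/2015 18:02", "https://www.google.com/webhp?hl=en#hl=en&q=data+leakage+methods"),
    ("3/23/2015 18:05", "https://www.google.com/search?q=information+leakage+cases&hl=en&biw=950"
                        "&bih=499&site=webhp&tbm=vid&source=lnms&sa=X&ei=3VUQVYH3FMO1sQTf1YGwBw"
                        "&ved=0CAoQ_AUoBA&dpr=1#hl=en&q=intellectual+property+theft"),
    ("3/23/2015 20:43", "http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE"),
    ("3/22/2015 15:24", "http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/"
                        "download-ie&rct=j&frm=1&q=&esrc=s"),
    ("3/24/2015 21:06", "https://www.google.com/#q=security+checkpoint+cd-r"),
    ("3/23/2015 18:07", "http://www.bing.com/news/search?q=Top Stories&FORM=NSBABR"),
    ("3/23/2015 18:12", "https://support.microsoft.com/en-us/kb/308427"),
]

if __name__ == "__main__":
    for ts, host, kw in keyword_table(SAMPLE_HISTORY):
        print(f"{ts}  {host:16}  {kw}")
```

Feed it the (timestamp, URL) pairs exported from the Chrome History database and the IE index.dat, and the output is the Keyword column for question 16 without the title lag seen in the Chrome table.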

Question Number 17: user keywords at the search bar in Windows Explorer. (Timestamp, Keyword)

The keywords typed into the Explorer search box are stored in the user's NTUSER.DAT under the WordWheelQuery key:

HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\

Extract them with the RegRipper wordwheelquery plugin:

# perl rip.pl -r /mnt/win7dd2/Users/informant/NTUSER.DAT -p wordwheelquery

The only keyword found is ‘secret’, searched at Mon Mar 23 2015 18:40:17 (UTC). The registry keeps no per-search timestamp here: the time reported is the LastWrite time of the key, so it dates only the most recent search, and the MRUListEx value gives the order in which the entries were made.

Question Number 18: What application was used for e-mail communication?
Microsoft Outlook 2013, installed as part of Office Professional Plus 2013. Outlook appears under the Uninstall registry key extracted in question 10.

Question Number 19: Where is the e-mail file located?

C:\Users\informant\AppData\Local\Microsoft\Outlook\iaman.informant@nist.gov.ost

# ls -l /mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Outlook

Question Number 20: What was the e-mail account used by the suspect?
As per question 19, the OST file is named after the account: iaman.informant@nist.gov
Question Number 21: List all e-mails of the suspect. If possible, identify deleted e-mails.
(You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment)
[Hint: just examine the OST file only.]

Use pffexport (libpff) to export the OST file and examine its messages. Mode "all" exports both the live items and items recovered from unallocated space inside the OST, which is where purged e-mails turn up; with -t imanost the tool writes them to the imanost.export and imanost.recovered directories respectively:

# pffexport -m all -t imanost /mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Outlook/iaman.informant@nist.gov.ost

From | To | Subject | Body | Folder | Date
SPY | IAMAN | Hello, Iaman | How are you doing? | Inbox | 23/03/2015 17:29:29 UTC
IAMAN | SPY | RE: Hello, Iaman | Successfully Secured. | Sent | 23/03/2015 18:44:31 UTC
SPY | IAMAN | Good job, buddy. | Good, job. I need a more detailed data about this business. | Inbox | 23/03/2015 19:15:00 UTC
IAMAN | SPY | RE: Good job, buddy. | This is a sample. | Recovered | 23/03/2015 15:19 UTC
SPY | IAMAN | RE: Good job, buddy. | Okay, I got it. I’ll be in touch. | Inbox | 23/03/2015 19:20:41 UTC
SPY | IAMAN | Important request | I confirmed it. But, I need a more data. Do your best. | Inbox | 23/03/2015 19:26:23 UTC
IAMAN | SPY | RE: Important request | Umm….. I need time to think. | Sent | 23/03/2015 19:27:00 UTC
SPY | IAMAN | RE: It's me | I got it. | Deleted | 23/03/2015 20:41:22 UTC
SPY | IAMAN | Last request | This is the last request. I want to get the remaining data. | Inbox | 24/03/2015 13:25:59 UTC
IAMAN | SPY | RE: Last request | Stop it! It is very hard to transfer all data over the internet! | Recovered | 24/03/2015 9:30 UTC
SPY | IAMAN | RE: Last request | No problem. U can directly deliver storage devices that stored it. | Recovered | 24/03/2015 9:34 UTC
IAMAN | SPY | RE: Last request | This is the last time.. | Deleted | 24/03/2015 13:35:00 UTC
SPY | IAMAN | Watch out! | USB device may be easily detected. So, try another method. | Recovered | 24/03/2015 15:33 UTC
IAMAN | SPY | RE: Watch out! | I am trying. | Deleted | 24/03/2015 19:34:02 UTC
IAMAN | SPY | Done | It’s done. See you tomorrow. | Deleted | 24/03/2015 21:05:00 UTC

"Deleted" means the item was still in the Deleted Items folder; "Recovered" means pffexport carved it from unallocated space in the OST (imanost.recovered), i.e. it had already been purged from Deleted Items. The four recovered items carry timestamps without seconds that sit about four hours before the messages they reply to or precede (for example "This is a sample." at 15:19 is a reply to a message received at 19:15:00), which is consistent with those values being local time (UTC-4) rather than UTC; check the raw message headers before placing them on a UTC timeline.
Question Number 22: List external storage devices attached to PC.
Two USB mass-storage devices were attached. The information is recorded under the Enum\USB (and Enum\USBSTOR) keys of the SYSTEM hive; the RegRipper usbdevices plugin prints the vendor/product IDs and the device serial numbers:

# perl rip.pl -r /mnt/win7dd2/Windows/System32/config/SYSTEM -p usbdevices

VID_0781&PID_5571
LastWrite: Tue Mar 24 13:58:31 2015
SN : 4C530012450531101593
LastWrite: Tue Mar 24 13:38:00 2015

VID_0781&PID_5571
LastWrite: Tue Mar 24 13:58:31 2015
SN : 4C530012550531106501
LastWrite: Tue Mar 24 19:38:09 2015

Both devices share VID 0781 (SanDisk) and PID 5571, so they are the same model and are told apart only by serial number. The LastWrite values are registry key modification times, not plug-in times; correlate them with the MountedDevices and MountPoints2 keys and with setupapi.dev.log to establish first and last connection times for each device.

Question Number 23: Identify all traces related to ‘renaming’ of files in Windows Desktop.
(It should be considered only during a date range between 2015-03-23 and 2015-03-24.)
[Hint: the parent directories of renamed files were deleted and their MFT entries were also overwritten. Therefore,
you may not be able to find their full paths.]

The $UsnJrnl file under the $Extend directory of partition 2 (the Windows volume) is the NTFS change journal. Its $J data stream records every create, rename, delete and data change on the volume, so it is the place to look for rename traces. We need to extract the $J stream as a raw binary for analysis.

First, find the sector offset of the partition holding the journal with mmls: it starts at sector 206848. The Sleuth Kit's -o option takes a sector offset, not the byte offset used earlier for mounting:

# mmls cfreds_2015_data_leakage_pc.dd

Then use fls to list the file system recursively and locate the MFT entry of $UsnJrnl:

# fls -r -o 206848 cfreds_2015_data_leakage_pc.dd | grep Usn

The MFT entry we need is 59016.

Then use istat to find the $DATA attribute that holds $J. $DATA is attribute type 128, and $UsnJrnl has two of them ($Max and $J), so the attribute ID must be read from the istat output:
# istat -i raw -o 206848 cfreds_2015_data_leakage_pc.dd 59016 > istat_results.txt

The $DATA attribute holding $J is 128-3.

After that, use icat to extract the journal binary for processing:

# icat -i raw -o 206848 cfreds_2015_data_leakage_pc.dd 59016-128-3 > UsnJrn.bin

Because $J is a sparse stream, icat writes out its leading zero-filled region in full, so UsnJrn.bin can be much larger than the live journal and any parser has to skip the zero runs. The resulting file was copied to a Windows machine and parsed with UsnJrnl2Csv.

The CSV file was then imported into Excel, where it can be searched and filtered for RENAME_OLD_NAME/RENAME_NEW_NAME record pairs. The renamed files found in the date range are as follows:

Date | RENAME Old | RENAME New
2015-03-23 18:41:40 | [secret_project]_detailed_proposal.docx | landscape.png
2015-03-23 18:41:55 | [secret_project]_design_concept.ppt | space_and_earth.mp4
2015-03-23 20:30:44 | (secret_project)_pricing_decision.xlsx | happy_holiday.jpg
2015-03-23 20:31:03 | [secret_project]_final_meeting.pptx | do_u_wanna_build_a_snow_man.mp3
2015-03-24 13:49:52 | [secret_project]_detailed_design.pptx | winter_whether_advisory.zip
2015-03-24 13:50:08 | [secret_project]_revised_points.ppt | winter_storm.amr
2015-03-24 13:50:49 | [secret_project]_design_concept.ppt | space_and_earth.mp4
2015-03-24 13:52 | design | design
2015-03-24 13:52 | final | final
2015-03-24 13:52 | pricing decision | pricing decision
2015-03-24 13:52 | progress | progress
2015-03-24 13:52 | proposal | proposal
2015-03-24 13:52 | technical review | technical review
2015-03-24 13:52 | [secret_project]_final_meeting.pptx | do_u_wanna_build_a_snow_man.mp3
2015-03-24 13:52:57 | (secret_project)_market_analysis.xlsx | new_years_day.jpg
2015-03-24 13:53:09 | (secret_project)_market_shares.xls | super_bowl.avi
2015-03-24 13:53:39 | (secret_project)_price_analysis_#1.xlsx | my_favorite_movies.7z
2015-03-24 13:53:52 | (secret_project)_price_analysis_#2.xls | my_favorite_cars.db
2015-03-24 13:54 | (secret_project)_pricing_decision.xlsx | happy_holiday.jpg
2015-03-24 13:54 | [secret_project]_progress_#1.docx | my_smartphone.png
2015-03-24 13:54 | [secret_project]_progress_#2.docx | new_year_calendar.one
2015-03-24 13:54 | [secret_project]_progress_#3.doc | my_friends.svg
2015-03-24 13:55 | [secret_project]_detailed_proposal.docx | a_gift_from_you.gif
2015-03-24 13:55 | [secret_project]_proposal.docx | landscape.png
2015-03-24 13:55 | [secret_project]_technical_review_#1.docx | diary_#1d.txt
2015-03-24 13:55 | [secret_project]_technical_review_#1.pptx | diary_#1p.txt
2015-03-24 13:55 | [secret_project]_technical_review_#2.docx | diary_#2d.txt
2015-03-24 13:56 | [secret_project]_technical_review_#2.ppt | diary_#2p.txt
2015-03-24 13:56 | [secret_project]_technical_review_#3.doc | diary_#3d.txt
2015-03-24 13:56 | [secret_project]_technical_review_#3.ppt | diary_#3p.txt

The entries at 13:52 whose old and new names are identical (design, final, pricing decision, ...) are moves rather than renames: NTFS journals a move between directories as a RENAME_OLD_NAME/RENAME_NEW_NAME pair with the same file name and a changed parent file reference. The pattern is consistent throughout: each confidential document is given an innocuous media or diary file name before being moved out.
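UsnJrnl2Csv is a Windows-only tool. As an added example (not part of the original assignment, and not the code of UsnJrnl2Csv or The Sleuth Kit), the following Python parses the raw UsnJrn.bin produced by the icat step directly on the SIFT workstation and pairs RENAME_OLD_NAME with RENAME_NEW_NAME records by file reference number, which is how the old/new columns above are derived; its history_of() helper produces the per-file operation timeline that question 36 needs for the resignation letter. The record layout is the documented USN_RECORD_V2 structure. The sample journal built by sample_journal() is constructed for the example: the file names are taken from the table above, the file references, USNs and parent reference are made up, and it is prefixed with a run of zeros to mimic the sparse start of a real $J.

```python
"""Parse an extracted NTFS change journal ($UsnJrnl:$J) and pair renames.

Added example. Reads the raw $J stream written by `icat ... > UsnJrn.bin`,
decodes USN_RECORD_V2 entries (skipping the sparse zero runs) and pairs
RENAME_OLD_NAME / RENAME_NEW_NAME records on the file reference number.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits from winioctl.h (only the ones this analysis needs)
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
RENAME_OLD = 0x00001000
RENAME_NEW = 0x00002000

# Fixed part of USN_RECORD_V2 (60 bytes, little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqQIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NONZERO = re.compile(rb"[^\x00]")


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def reason_names(reason):
    """Render a reason bitmask the way UsnJrnl2Csv does, e.g. CLOSE+FILE_CREATE."""
    names = sorted(n for bit, n in REASON_FLAGS.items() if reason & bit)
    return "+".join(names) if names else hex(reason)


def parse_usn(data):
    """Decode every USN_RECORD_V2 in a raw $J stream (bytes or mmap).

    $J is sparse, so icat output starts with a long zero run; zero runs are
    skipped with a regex search so a multi-gigabyte buffer is never copied.
    """
    records = []
    pos, end = 0, len(data)
    while pos + _HDR.size <= end:
        rlen = struct.unpack_from("<I", data, pos)[0]
        if rlen == 0:                                  # inside a zero run
            m = _NONZERO.search(data, pos + 4)
            if m is None:
                break
            nxt = m.start() & ~7                       # records are 8-byte aligned
            pos = nxt if nxt > pos else pos + 8
            continue
        if rlen < _HDR.size or rlen % 8 or pos + rlen > end:
            pos += 8                                   # garbage or truncated tail: resync
            continue
        (_, major, _minor, fref, pref, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = _HDR.unpack_from(data, pos)
        if major != 2 or name_off + name_len > rlen:
            pos += 8
            continue
        raw = data[pos + name_off:pos + name_off + name_len]
        records.append({"usn": usn, "time": filetime_to_dt(ts), "fref": fref,
                        "parent": pref, "reason": reason, "attrs": attrs,
                        "name": bytes(raw).decode("utf-16-le", "replace")})
        pos += rlen
    return records


def pair_renames(records):
    """(time, old_name, new_name) for each RENAME_OLD_NAME record followed by a
    RENAME_NEW_NAME record with the same file reference, in journal order."""
    pending, pairs = {}, []
    for r in records:
        if r["reason"] & RENAME_NEW and r["fref"] in pending:
            pairs.append((r["time"], pending.pop(r["fref"]), r["name"]))
        elif r["reason"] & RENAME_OLD:
            pending[r["fref"]] = r["name"]
    return pairs


def history_of(records, name):
    """Every journal entry for one file name: a per-file operation timeline."""
    return [(r["time"], reason_names(r["reason"])) for r in records if r["name"] == name]


def _record(fref, usn, when, reason, name, parent=0x0005000000000B1C):
    """Encode one USN_RECORD_V2; used only to build the constructed sample."""
    raw = name.encode("utf-16-le")
    body = _HDR.size + len(raw)
    rlen = (body + 7) & ~7
    delta = when - _FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    hdr = _HDR.pack(rlen, 2, 0, fref, parent, usn, ft, reason, 0, 0, 0x20, len(raw), _HDR.size)
    return hdr + raw + b"\x00" * (rlen - body)


def sample_journal():
    """Constructed $J fragment (not evidence): 4 KiB of sparse zeros, then two
    renames with names from the table above and one file creation."""
    t = datetime(2015, 3, 23, 18, 41, 40, tzinfo=timezone.utc)
    recs = [
        _record(0x0001000000005F1A, 0x1000, t, RENAME_OLD, "[secret_project]_detailed_proposal.docx"),
        _record(0x0001000000005F1A, 0x1080, t, RENAME_NEW, "landscape.png"),
        _record(0x0001000000005F1A, 0x1100, t, RENAME_NEW | 0x80000000, "landscape.png"),
        _record(0x0001000000005F1B, 0x1180, t + timedelta(seconds=15), RENAME_OLD, "[secret_project]_design_concept.ppt"),
        _record(0x0001000000005F1B, 0x1200, t + timedelta(seconds=15), RENAME_NEW, "space_and_earth.mp4"),
        _record(0x0001000000006A40, 0x1280, datetime(2015, 3, 24, 18, 48, 0, tzinfo=timezone.utc),
                0x100, "Resignation_Letter_(Iaman_Informant).docx"),
    ]
    return b"\x00" * 4096 + b"".join(recs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # real journal: the icat output
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = sample_journal()
    for when, old, new in pair_renames(parse_usn(data)):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), old, "->", new)
```

Run it as `python3 usn_renames.py UsnJrn.bin`; for a journal of several gigabytes, pass an mmap of the file instead of reading it fully, since parse_usn() only needs slicing and unpack_from(). Timestamps come out in UTC, matching the Excel column above; the parent file reference in each record is what ties a renamed file back to its directory when the directory's MFT entry has since been reused, which is the limitation the question's hint refers to.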

Question Number 24: What is the IP address of company’s shared network drive?

To find the network shares the user connected to, examine the RunMRU key in NTUSER.DAT, which records what was typed into the Start > Run box:

HKU\informant\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\

Run the following command to list the entries:

# perl rip.pl -r /mnt/win7dd2/Users/informant/NTUSER.DAT -p runmru

The network drive was reached by IP address, 10.11.11.128, through a UNC path. In the entry below the leading "b" is the MRU slot letter and the trailing "\1" is the flag Windows appends to every RunMRU value, not part of the path:

b \\10.11.11.128\secured_drive\1

Question Number 25: List all directories that were traversed in ‘RM#2’.

The ShellBags keys in UsrClass.dat record the folders the user browsed in Explorer, including folders on removable storage, together with the time each BagMRU key was last written. The hive is located at:

/mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat

HKU\informant\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Issuing the following command reveals the directories traversed on RM#2:

# perl rip.pl -r /mnt/win7dd2/Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat -p shellbags > shellbags_results.txt

Time Stamp Directory


2015-02-15 21:52:10 E:\RM#1
2015-02-15 21:52:10 E:\RM#1\Secret Project Data

2015-02-15 21:52:10 E:\RM#1\Secret Project Data\design
2015-03-24 13:59:28 E:\Secret Project Data
2015-03-24 14:00:14 E:\Secret Project Data\technical review
2015-03-24 13:59:46 E:\Secret Project Data\proposal
2015-03-24 13:59:44 E:\Secret Project Data\progress
2015-03-24 13:59:40 E:\Secret Project Data\pricing decision
2015-03-24 13:59:28 E:\Secret Project Data\design
2015-03-24 13:59:38 E:\Secret Project Data\design\winter_whether_advisory.zip

Question Number 26: List all files that were opened in 'RM#2’.

Of the ShellBag entries above, the 2015-02-15 entries under E:\RM#1 belong to the first removable device; the 2015-03-24 entries under E:\Secret Project Data correspond to RM#2, which is consistent with the USB device times from question 22. The only file (as opposed to directory) entry on RM#2 is the ZIP that Explorer browsed into:

2015-03-24 04:00:00 E:\Secret Project Data\design\winter_whether_advisory.zip

Note that this tim­estamp differs from the 13:59:38 key LastWrite time listed for the same entry in question 25: the shellbags plugin prints several time columns (the MRU key time and the timestamps embedded in the shell item itself), and the report should state which column each quoted time is taken from.

Question Number 27: List all directories that were traversed in the company’s network drive.

The ShellBags output extracted in question 25 also records the folders browsed on the network drive:

2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Common Data
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Past Projects
2015-03-22 14:52:24 \\10.11.11.128\secured_drive\Secret Project Data
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\design
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\pricing decision
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\final
2015-03-22 14:52:24 \\10.11.11.128\secured_drive\Secret Project Data\technical review
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\proposal
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\progress

Question Number 28: List all files that were opened in the company’s network drive.

The LNK files in the user's Recent folder (listed with the command below), together with the ShellBags entries, identify the network-drive folders that documents were opened from:

# ls -l /mnt/win7dd2/Users/informant/AppData/Roaming/Microsoft/Windows/Recent

2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\design
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\pricing decision
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\final
2015-03-22 14:52:22 \\10.11.11.128\secured_drive\Secret Project Data\proposal

The Internet Explorer history listed in question 15 names the individual documents: file://10.11.11.128/secured_drive/Secret%20Project%20Data/pricing%20decision/(secret_project)_pricing_decision.xlsx at 3/23/2015 20:26, and file:///V:/Secret%20Project%20Data/final/[secret_project]_final_meeting.pptx at 3/23/2015 20:27, where V: matches the folder layout of the same share and is evidently a mapped drive letter for it.

Question Number 29: Find traces related to cloud services on PC.
(Service name, log files...)

The Uninstall registry key extracted in question 10 lists Google Drive (with its googledrivesync service) and Apple iCloud as installed applications. Google Drive's sync log is examined in question 30.

Question Number 30: What files were deleted from Google Drive?
Find the filename and modified timestamp of the file.
[Hint: Find a transaction log file of Google Drive.]

The Google Drive client keeps a sync log, which records every upload, change and deletion it synchronised, at

C:\Users\informant\AppData\Local\Google\Drive\user_default\sync_log.log

Copy it out and search it for delete entries:

# cat /mnt/win7dd2/Users/informant/AppData/Local/Google/Drive/user_default/sync_log.log > google_log.txt

Time Stamp Files
2015-03-23 16:42:17 do_u_wanna_build_a_snow_man.mp3
2015-03-23 16:42:17 happy_holiday.jpg

Both names are the disguised names given to confidential files in question 23 ([secret_project]_final_meeting.pptx and (secret_project)_pricing_decision.xlsx respectively).

Question Number 31: Identify account information for synchronizing Google Drive.
The Google Drive logs identify the synchronising account as iaman.informant.personal@gmail.com. The same address appears in the Internet Explorer history above, in the accounts.google.com AccountChooser URL of 3/25/2015 15:22.

Question Number 32: What a method (or software) was used for burning CD-R?
The suspect used the built-in Windows disc burning feature rather than third-party software: the System event log contains cdrom-source events for the burns, and the file system journal shows the temporary staging files Windows creates while burning (see question 33). Dump the System event log to XML with python-evtx to examine the cdrom events:

# evtxdump.py /mnt/win7dd2/Windows/System32/winevt/Logs/System.evtx > wind_system_log.xml

Question Number 33: When did the suspect burn CD-R?

[Hint: It may be one or more times.]

As per the previous question, the cdrom events with event ID 133 in the System log show that the suspect burned discs at 24/03/2015 19:47:47, 19:56:11, 20:24:46 and 20:41:21 (UTC).

The UsnJrnl independently shows the burning activity through the DAT*, FIL* and POST*.tmp staging files that the Windows burning engine creates and deletes during a burn:

File Time Stamp Operation


FIL51898.tmp 3/24/2015 20:24 FILE_CREATE
POST51898.tmp 3/24/2015 20:24 FILE_CREATE
FIL51898.tmp 3/24/2015 20:24 DATA_EXTEND+FILE_CREATE
FIL51898.tmp 3/24/2015 20:24 DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE
POST51898.tmp 3/24/2015 20:24 DATA_EXTEND+FILE_CREATE
FIL51898.tmp 3/24/2015 20:25 CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+FILE_DELETE
POST51898.tmp 3/24/2015 20:25 CLOSE+DATA_EXTEND+FILE_CREATE+FILE_DELETE
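Selecting the cdrom/133 records from a full System log dump by hand is slow. As an added example (not part of the original assignment and not python-evtx's own code), the following Python filters the XML written by the evtx dump step for a given provider and event ID, streaming the file so a large dump does not have to be held in memory. The three records in SAMPLE_DUMP are constructed for the example: the cdrom/133 pairing and two of the burn times follow the answer above, the other fields (qualifiers, computer name, data) are made up.

```python
"""Filter a python-evtx XML dump for one provider / event ID (added example)."""
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Windows event XML namespace used by every <Event> element in the dump
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample in the shape evtx_dump.py writes: <Events> root, one
# <Event> per record. Times and the cdrom/133 pairing follow the answer above.
SAMPLE_DUMP = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="cdrom"></Provider><EventID Qualifiers="32772">133</EventID>
<TimeCreated SystemTime="2015-03-24 19:47:47.000000"></TimeCreated>
<Channel>System</Channel><Computer>INFORMANT-PC</Computer></System>
<EventData><Data>\\Device\\CdRom0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"></Provider><EventID Qualifiers="16384">7036</EventID>
<TimeCreated SystemTime="2015-03-24 19:48:00.000000"></TimeCreated>
<Channel>System</Channel><Computer>INFORMANT-PC</Computer></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="cdrom"></Provider><EventID Qualifiers="32772">133</EventID>
<TimeCreated SystemTime="2015-03-24 19:56:11.000000"></TimeCreated>
<Channel>System</Channel><Computer>INFORMANT-PC</Computer></System>
<EventData><Data>\\Device\\CdRom0</Data></EventData>
</Event>
</Events>
"""


def _parse_time(value):
    """SystemTime as written by evtx_dump.py ('YYYY-MM-DD HH:MM:SS.ffffff') or
    ISO 8601 with a 'T'; fractional seconds are dropped, the result is UTC."""
    stamp = value.replace("T", " ")[:19]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def iter_events(source):
    """Yield one dict per <Event> without loading the whole dump.

    source: a path to the XML file, a binary file object, or (for tests and
    small inputs) the XML text itself.
    """
    if isinstance(source, str) and source.lstrip().startswith("<"):
        source = io.BytesIO(source.encode("utf-8"))
    for _, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != NS + "Event":
            continue
        system = elem.find(NS + "System")
        provider = system.find(NS + "Provider")
        event_id = system.find(NS + "EventID")
        created = system.find(NS + "TimeCreated")
        if provider is None or event_id is None or created is None:
            elem.clear()
            continue
        yield {
            "provider": provider.get("Name"),
            "event_id": int(event_id.text),
            "time": _parse_time(created.get("SystemTime")),
            "data": [d.text for d in elem.iter(NS + "Data")],
        }
        elem.clear()  # release the record once consumed


def burn_events(source, provider="cdrom", event_id=133):
    """Sorted UTC timestamps of the events the answer above treats as burns."""
    return sorted(e["time"] for e in iter_events(source)
                  if e["provider"] == provider and e["event_id"] == event_id)


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DUMP
    for when in burn_events(src):
        print(when.strftime("%d/%m/%Y %H:%M:%S"))
```

Run it as `python3 cdrom_events.py wind_system_log.xml`. If the parser rejects the XML declaration at the top of the dump, delete that first line before parsing. The provider and event_id arguments make the same filter usable for other questions, for example Service Control Manager 7036 events to bracket when a service started or stopped.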

Question Number 34: What files were copied from PC to CD-R?

[Hint: Just use PC image only. You can examine transaction logs of the file system for this task.]

The UsnJrnl records the files written into the Windows disc-burning staging area (under the user's AppData\Local\Microsoft\Windows\Burn folder) shortly before each burn time from question 33. The files staged for the CD-R were:

File Time Stamp


Tulips.jpg 3/24/2015 20:24
design 3/24/2015 20:40
winter_storm.amr 3/24/2015 20:40
winter_whether_advisory.zip 3/24/2015 20:40

pricing decision 3/24/2015 20:40
my_favorite_cars.db 3/24/2015 20:40
my_favorite_movies.7z 3/24/2015 20:40
new_years_day.jpg 3/24/2015 20:40
super_bowl.avi 3/24/2015 20:40
progress 3/24/2015 20:40
my_friends.svg 3/24/2015 20:40
my_smartphone.png 3/24/2015 20:40
new_year_calendar.one 3/24/2015 20:40
proposal 3/24/2015 20:40
a_gift_from_you.gif 3/24/2015 20:40
landscape.png 3/24/2015 20:40
technical review 3/24/2015 20:40
diary_#1d.txt 3/24/2015 20:40
diary_#1p.txt 3/24/2015 20:40
diary_#2d.txt 3/24/2015 20:40
diary_#2p.txt 3/24/2015 20:40
diary_#3d.txt 3/24/2015 20:40
diary_#3p.txt 3/24/2015 20:40
winter_storm.amr 3/24/2015 20:43
winter_whether_advisory.zip 3/24/2015 20:43
my_favorite_cars.db 3/24/2015 20:43
my_favorite_movies.7z 3/24/2015 20:43
new_years_day.jpg 3/24/2015 20:43
super_bowl.avi 3/24/2015 20:43
my_friends.svg 3/24/2015 20:43
my_smartphone.png 3/24/2015 20:43
new_year_calendar.one 3/24/2015 20:43
a_gift_from_you.gif 3/24/2015 20:43
landscape.png 3/24/2015 20:43
diary_#1d.txt 3/24/2015 20:43
diary_#1p.txt 3/24/2015 20:43
diary_#2d.txt 3/24/2015 20:43
diary_#2p.txt 3/24/2015 20:43
diary_#3d.txt 3/24/2015 20:43
diary_#3p.txt 3/24/2015 20:43

Question Number 35: What files were opened from CD-R?

The LNK files under /mnt/win7dd2/Users/informant/AppData/Roaming/Microsoft/Windows/Recent identify the files opened from the CD-R (drive D:), and the ShellBags entries show the matching folders browsed on it:

Koala.jpg
Penguins.jpg
Tulips.jpg
D:\prop
D:\prog

D:\de
D:\de\winter_whether_advisory.zip
D:\de\winter_whether_advisory.zip\ppt
D:\de\winter_whether_advisory.zip\ppt\slides\ppt
D:\de\winter_whether_advisory.zip\ppt\slideMasters\ppt

Question Number 36: Identify all timestamps related to a resignation file in Windows Desktop.
[Hint: the resignation file is a DOCX file in NTFS file system.]

Investigating UsnJrnl, we can find the timestamps of the document file operations changes as follows:

File Time Stamp Operation


Resignation_Letter_(Iaman_Informant).docx 3/24/2015 18:48 File Created
Resignation_Letter_(Iaman_Informant).docx 3/24/2015 18:57 File modified
Resignation_Letter_(Iaman_Informant).docx 3/24/2015 18:59 File modified

Question Number 37: How and when did the suspect print a resignation file?

The user's printer configuration lives in NTUSER.DAT under HKU\informant\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts (with the neighbouring Devices and Windows keys naming the default printer):

# perl rip.pl -r /mnt/win7dd2/Users/informant/NTUSER.DAT -p printers

The default printer was the Microsoft XPS Document Writer, a virtual printer that writes an .xps file instead of printing to paper, so the letter was "printed" to a document. The RecentDocs entries and the Internet Explorer history above confirm this: Resignation_Letter_(Iaman_Informant).xps on the Desktop was recorded at 3/25/2015 15:28, a minute before the .docx itself at 15:29.

Question Number 38: Where are ‘Thumbcache’ files located?

The thumbnail cache databases live in the user's profile, one per thumbnail size:

C:\Users\informant\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
C:\Users\informant\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
C:\Users\informant\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
C:\Users\informant\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

Question Number 39: Identify traces related to confidential files stored in Thumbcache.
(Include ‘256’ only)

thumbcache_256.db was copied to a Windows machine and examined with Thumbcache Viewer. Thumbnails stay in the cache after the source files are renamed or deleted, so the cache can still show previews of the confidential documents even though the files themselves were wiped or disguised.

Question Number 40: Where are Sticky Note files located?

C:\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt

Question Number 41: Identify notes stored in the Sticky Note file.

Dumping the content of the file to a text file showed the message below:

# cat /mnt/win7dd2/Users/informant/AppData/Roaming/Microsoft/Sticky\ Notes/StickyNotes.snt > stickydata.txt

Tomorrow...
Everything will be OK



Question Number 42: Was the ‘Windows Search and Indexing’ function enabled? How can you identify it?
If it was enabled, what is a file path of the ‘Windows Search’ index database?

Windows keeps its search index in a database called Windows.edb. The existence of this file means that Windows Search and Indexing is enabled.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Examining registry locations also will identify the database file location and parameters.

The tool hivexsh was used to load the SOFTWARE registry hive and search for the Windows Search key. The key and its value details show that Windows Search and Indexing is enabled.

# hivexsh /mnt/win7dd2/Windows/System32/config/SOFTWARE

Within hivexsh, the command lsval lists the values of the current key.

Question Number 43: What kinds of data were stored in Windows Search database?

Windows.edb contains valuable information about various areas of Windows activity, such as browsing history, Sticky Notes and messaging information.

Getting information about the data within the Windows.edb file:



# esedbinfo /mnt/win7dd2/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb > windb_info.txt

Question Number 44: Find traces of Internet Explorer usage stored in Windows Search database.
(It should be considered only during a date range between 2015-03-22 and 2015-03-23.)

The tool libesedb is used to examine and extract information from Windows.edb, which is located under the folder /mnt/win7dd2/ProgramData/Microsoft/Search/Data/Applications/Windows/

Export the Windows.edb tables to files for analysis:

# esedbexport -m all -t esedbexport /mnt/win7dd2/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb



The resulting folder is esedbexport.export and contains one file per extracted table. The browsing history can be found in the files Microsoft_IE_VisitCount0.43 and Microsoft_IE_SelectionCount0.41.

Time Stamp                   URL
2015-03-22 15:09:22          http://windows.microsoft.com/en-us/internet-explorer/ie-8-welcome
2015-03-22 15:09:23          http://www.msn.com/?ocid=iehp
2015-03-22 15:09:40          https://www.google.com/?gws_rd=ssl
2015-03-22 15:09:50          https://www.google.com/search?hl=en&source=hp&q=internet+explorer+11&gbv=2&oq=internet+explorer+11&gs_l=heirloom-hp.3..0l10.5163.7893.0.9562.20.13.0.7.7.0.156.1110.11j2.13.0.msedr...0...1ac.1.34.heirloom-hp..0.20.1250.5j7Xm44tv5w
2015-03-22 15:09:52          http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/download-ie&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CB8QFjAA&usg=AFQjCNEwsIz17kY-jTXbaWPcQDfBbVEi7A
2015-03-22 15:09:54          http://windows.microsoft.com/en-us/internet-explorer/download-ie
2015-03-22 15:09:56          http://www.google.com/url?url=http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages&rct=j&frm=1&q=&esrc=s&sa=U&ei=6ykQVZWLGbeJsQT7goDACg&ved=0CCoQFjAB&usg=AFQjCNE7UKIWEBiWO2N96IFeo6ZywhRLfw
2015-03-22 15:10:24.0000000  http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages
2015-03-22 15:10:54.0000000  https://www.google.com/webhp?hl=en
2015-03-22 15:10:58.0000000  https://www.google.com/chrome/index.html?hl=en&brand=CHNG&utm_source=en-hpp&utm_medium=hpp&utm_campaign=en
2015-03-22 15:11:06.0000000  http://download.microsoft.com/download/7/1/7/7179A150-F2D2-4502-9D70-4B59EA148EAA/IE11-Windows6.1-x64-en-us.exe
2015-03-22 15:11:16.0000000  https://www.google.com/chrome/browser/thankyou.html?brand=CHNG&platform=win&clickonceinstalled=1
2015-03-23 17:26:32.7064807  https://odc.officeapps.live.com/odc/emailhrd?lcid=1033&syslcid=1033&uilcid=1033&app=5&ver=15&build=15.0.4420&p=0&a=1&hm=1&sp=0
2015-03-23 17:27:49.1508053  http://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/vie
2015-03-23 17:27:49.3380057  http://www.bing.com/search
2015-03-23 17:27:49.3536057  http://go.microsoft.com/fwlink/?LinkId=69157
2015-03-23 17:28:18.7003056  http://www.bing.com/
2015-03-23 18:07:52.3141875  http://www.bing.com/news/search?q=Top Stories&FORM=NSBABR
2015-03-23 18:07:54.9811928  http://www.bing.com/search?q=Top+Stories&FORM=HDRSC1
2015-03-23 18:07:58.0807015  http://www.bing.com/news/search?q=file+sharing+and+tethering&FORM=HDRSC6
2015-03-23 18:07:59.8902072  http://www.bing.com/search?q=file+sharing+and+tethering&qs=n&form=QBLH&pq=file+sharing+and+tethering&sc=0-18&sp=-1&sk=&cvid=171b77e4ffd54b2a92c4e97abf995fe1
2015-03-23 18:08:18.1332598  http://sysinfotools.com/blog/tethering-internet-files-sharing/
2015-03-23 18:11:12.8895882  http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
2015-03-23 18:12:07.6492237  https://technet.microsoft.com/en-us/library/cc162846.aspx
2015-03-23 18:12:45.4772849  https://support.microsoft.com/en-us/kb/308427
2015-03-23 18:12:52.2412968  http://en.wikipedia.org/wiki/Event_Viewer
2015-03-23 18:13:57.5029066  https://msdn.microsoft.com/en-us/library/windows/desktop/dd562212(v=vs.85).aspx
2015-03-23 18:14:24.6524502  http://www.forensicswiki.org/wiki/USB_History_Viewing
2015-03-23 20:43:47.5124809  http://www.bing.com/search?q=external%20device%20and%20forensics&qs=n&form=QBRE&pq=external%20device%20and%20forensics&sc=8-9&sp=-1&sk=&cvid=c30c4b1f36114b1c9bc683838c69823a
2015-03-23 20:43:50.3584907  http://www.bing.com/?FORM=Z9FD1
2015-03-23 20:43:52.4577059  http://www.bing.com/news?FORM=Z9LH3
2015-03-23 20:44:57.8311777  http://www.bing.com/news?q=science+technology+news&FORM=NWBTCB
2015-03-23 20:45:22.2342276  http://www.wired.com/?p=1756538
2015-03-23 20:45:30.1272483  http://www.bing.com/news?q=Soccer+News&FORM=NSBABR
2015-03-23 20:53:46.6184648  http://www.bing.com/news?q=top+stories&FORM=NWRFSH
2015-03-23 20:55:08.5210799  http://www.bing.com/news?q=us+news&FORM=NSBABR
2015-03-23 20:55:10.3330851  http://www.bing.com/news?q=world+news&FORM=NSBABR
2015-03-23 20:55:17.4655954  http://www.bing.com/news?q=local&FORM=NSBABR
2015-03-23 20:55:18.3305971  http://www.bing.com/news?q=entertainment+news&FORM=NSBABR
2015-03-23 20:55:29.2406128  http://www.bing.com/news?q=science+technology+news&FORM=NSBABR
2015-03-23 20:55:54.7876504  http://www.bing.com/news?q=business+news&FORM=NSBABR
2015-03-23 20:55:56.1346540  http://www.bing.com/news?q=political+news&FORM=NSBABR
2015-03-23 20:55:57.4121566  http://www.bing.com/news?q=sports+news&FORM=NSBABR
2015-03-23 20:55:58.7421589  http://www.bing.com/news?q=health+news&FORM=NSBABR
2015-03-23 20:56:08.7071740  http://www.bing.com/news?q=top+stories&FORM=NSBABR
2015-03-23 20:56:32.8582772  http://www.wired.com/2015/03/stealing-data-computers-using-heat/

Question Number 45: List the e-mail communication stored in Windows Search database.
(It should be considered only during a date range between 2015-03-23 and 2015-03-24.)

Based on the export of Windows.edb completed in the previous question, we can now look for the messaging items and locate the e-mail communication as follows.

The e-mail communication is held in the columns System_Message_DateReceived0.9, System_Message_DateSent0.8 and System_Message_ToName409.7.

Time              Folder      Subject                                     From   To
2015-03-23 17:29  Inbox       Hello, Iaman                                spy    iaman
2015-03-23 18:44  Sent Items  RE: Hello, Iaman                            iaman  spy
2015-03-23 19:15  Inbox       Good job, buddy.                            spy    iaman
2015-03-23 19:19  Sent Items  RE: Good job, buddy.                        iaman  spy
2015-03-23 18:39  Sent Items  RE: Good job, buddy. : space_and_earth.mp4  iaman  spy
2015-03-23 19:20  Inbox       RE: Good job, buddy.                        spy    iaman
2015-03-23 19:26  Inbox       Important request                           spy    iaman
2015-03-23 19:27  Sent Items  RE: Important request                       iaman  spy
2015-03-23 20:38  Sent Items  It's me                                     iaman  spy
2015-03-23 20:41  Inbox       RE: It's me                                 spy    iaman
2015-03-24 13:25  Inbox       Last request                                spy    iaman
2015-03-24 13:30  Sent Items  RE: Last request                            iaman  spy
2015-03-24 13:33  Inbox       RE: Last request                            spy    iaman
2015-03-24 13:35  Sent Items  RE: Last request                            iaman  spy
2015-03-24 19:32  Inbox       Watch out!                                  spy    iaman
2015-03-24 19:34  Sent Items  RE: Watch out!                              iaman  spy
2015-03-24 21:05  Sent Items  Done                                        iaman  spy
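The date-range filtering applied to the exported tables in Questions 44 and 45 can be done without Excel. The following Python is an added example written for this report, not code from the assignment or from libesedb. It assumes that esedbexport writes each table as a tab-separated file with a header row of column names (an assumption about the tool's output format); the column suffixes and the rows in IE_EXPORT and MAIL_EXPORT are constructed to mirror the shapes shown above, including the seven-digit fractional seconds that appear in the second half of the Question 44 table and the empty date cells of items that were never indexed.

```python
import csv
import io
from datetime import date, datetime


def parse_timestamp(text):
    """Windows Search dates export as 'YYYY-MM-DD HH:MM:SS' with an optional
    fraction of up to seven digits; datetime only holds microseconds, so the
    fraction is truncated, never rounded (rounding could cross a second)."""
    main, _, frac = text.strip().partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%d %H:%M:%S")
    if frac:
        stamp = stamp.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return stamp


def find_column(header, prefix):
    """Exported column names carry a numeric suffix such as
    'System_ItemUrl0.13'; match on the stable property-name prefix."""
    hits = [h for h in header if h.startswith(prefix)]
    if len(hits) != 1:
        raise KeyError(f"expected one column starting with {prefix!r}, got {hits}")
    return header.index(hits[0])


def rows_in_range(tsv_text, time_prefix, wanted, start, end):
    """Rows whose time column falls on a day within [start, end] (ISO dates,
    inclusive), as (timestamp, {prefix: value}) sorted by time. Rows with an
    empty time cell (items never indexed) are skipped."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t")
    header = next(reader)
    tcol = find_column(header, time_prefix)
    cols = {w: find_column(header, w) for w in wanted}
    out = []
    for row in reader:
        if len(row) <= tcol or not row[tcol].strip():
            continue
        stamp = parse_timestamp(row[tcol])
        if first <= stamp.date() <= last:
            out.append((stamp, {w: row[i] for w, i in cols.items()}))
    return sorted(out, key=lambda r: r[0])


# Constructed sample exports: column suffixes and rows are invented; only the
# property names and the timestamp shapes follow what the report shows.
IE_EXPORT = "\n".join([
    "System_ItemUrl0.13\tSystem_ItemDate0.20\tMicrosoft_IE_VisitCount0.43",
    "http://example.test/before\t2015-03-21 09:00:00\t1",
    "http://www.msn.com/?ocid=iehp\t2015-03-22 15:09:23\t1",
    "http://www.bing.com/search\t2015-03-23 17:27:49.1508053\t2",
    "http://example.test/never-indexed\t\t0",
    "http://example.test/after\t2015-03-24 10:00:00.0000000\t1",
])
MAIL_EXPORT = "\n".join([
    "System_Message_DateReceived0.9\tSystem_Subject0.15\tSystem_Message_FromName0.16\tSystem_Message_ToName409.7",
    "2015-03-25 08:00:00\tlater\tspy\tiaman",
    "2015-03-23 17:29:00\tHello, Iaman\tspy\tiaman",
    "2015-03-24 21:05:00\tDone\tiaman\tspy",
])


def ie_history(start="2015-03-22", end="2015-03-23"):
    return rows_in_range(IE_EXPORT, "System_ItemDate", ["System_ItemUrl"], start, end)


def mail_items(start="2015-03-23", end="2015-03-24"):
    return rows_in_range(MAIL_EXPORT, "System_Message_DateReceived",
                         ["System_Subject", "System_Message_FromName", "System_Message_ToName"],
                         start, end)


if __name__ == "__main__":
    for stamp, cols in ie_history():
        print(stamp.isoformat(sep=" "), cols["System_ItemUrl"])
    for stamp, cols in mail_items():
        print(stamp.isoformat(sep=" "), cols["System_Message_FromName"], "->",
              cols["System_Message_ToName"], cols["System_Subject"])
```

The date comparison is done on the calendar day, so "between 2015-03-22 and 2015-03-23" keeps everything up to 23:59:59 on the 23rd, which is what the question's inclusive range means; rows are sorted by the parsed timestamp rather than by the text, so mixed precisions sort correctly.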

Question Number 46: List files and directories related to Windows Desktop stored in Windows Search database.
(Windows Desktop directory: \Users\informant\Desktop\)

Viewing the exported System_ItemDate file and filtering it in Excel for the records under C:\Users\informant\Desktop gives:

2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Tulips.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Jellyfish.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Koala.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Lighthouse.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Penguins.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Chrysanthemum.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Desert.jpg
2015-03-24 19:52:46 C:\\Users\\informant\\Desktop\\temp\\Hydrangeas.jpg
2015-03-24 13:47:58 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\pricing decision\\(secret_project)_market_analysis.xlsx
2015-03-24 13:47:58 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\pricing decision\\(secret_project)_market_shares.xls
2015-03-24 13:40:09 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\design\\space_and_earth.mp4
2015-03-24 13:47:57 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\design\\[secret_project]_detailed_design.pptx
2015-03-24 13:40:11 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\proposal\\[secret_project]_detailed_proposal.docx
2015-03-24 13:40:13 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\proposal\\[secret_project]_proposal.docx
2015-03-24 13:47:58 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\pricing decision\\(secret_project)_price_analysis_#1.xlsx
2015-03-24 13:40:10 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\design\\winter_storm.amr
2015-03-24 13:47:57 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\final\\[secret_project]_final_meeting.pptx
2015-03-22 14:34:55 C:\\Users\\informant\\Desktop\\desktop.ini
2015-03-22 15:08:23 C:\\Users\\informant\\Desktop\\Download
2015-03-22 15:11:04 C:\\Users\\informant\\Desktop\\Download\\IE11-Windows6.1-x64-en-us.exe
2015-03-24 19:52:35 C:\\Users\\informant\\Desktop\\temp\\IE11-Windows6.1-x64-en-us.exe
2015-03-23 20:05:32 C:\\Users\\informant\\Desktop\\Google Drive.lnk
2015-03-24 13:40:09 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\design\\winter_whether_advisory.zip
2015-03-24 13:51:23 C:\\Users\\informant\\Desktop\\S data\\Secret Project Data\\Secret Project Data\\proposal
2015-03-24 18:48:41 C:\\Users\\informant\\Desktop\\Resignation_Letter_(Iaman_Informant).docx

Question Number 47: Where are Volume Shadow Copies stored? When were they created?

Microsoft Windows keeps volume shadow copies under C:\System Volume Information. The shadow copy was created on 25-03-2015 and has a size of 335,544,320 bytes.



Question Number 48: Find traces related to Google Drive service in Volume Shadow Copy.
What are the differences between the current system image (of Question 29 ~ 31) and its VSC?

The databases snapshot.db and sync_config.db were deleted from Google Drive by the user's logoff activity, whereas they still exist in the volume shadow copy. The db files are carved to find the deleted files.

Question Number 49: What files were deleted from Google Drive?
Find deleted records of cloud_entry table inside snapshot.db from VSC.
(Just examine the SQLite database only. Let us suppose that a text based log file was wiped.)
[Hint: DDL of cloud_entry table is as follows.]

CREATE TABLE cloud_entry
(doc_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER,
doc_type INTEGER, removed INTEGER, size INTEGER, checksum TEXT, shared INTEGER,
resource_type TEXT, PRIMARY KEY (doc_id));

As per the NIST answer sheet, examining the snapshot.db located in the VSC through file carving shows the deleted files listed in the google_sync log.

Question Number 50: Why can’t we find Outlook’s e-mail data in Volume Shadow Copy?

Outlook data was excluded from the VSC, probably because of the size that mailboxes usually have. The registry confirms that Outlook is excluded from the shadow copy, under the key HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot\

hivexsh was used to open the SYSTEM hive from /mnt/win7dd2/Windows/System32/config/SYSTEM and check whether the OST files are excluded from the VSC:

# hivexsh /mnt/win7dd2/Windows/System32/config/SYSTEM

The key FilesNotToSnapshot contains an entry for the OST files in the user profile, which are therefore excluded from the VSC.



Converting the hex value to text gives: $Userprofile$\AppData\Local\Microsoft\outlook\*.ost
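As an added illustration of the hex-to-text step (not part of the original report), the following Python decodes a regedit-style hex(7) value into its REG_MULTI_SZ strings and then checks which files in a profile an entry such as the one above excludes from shadow copies. SAMPLE_VALUE is a constructed value line in .reg export notation, which the lsval output of hivexsh resembles (an assumption about the tool); its content encodes the Outlook pattern with the " /s" suffix that marks a recursive exclusion. The names check_paths, is_excluded and the profile path are chosen here, not taken from any tool.

```python
import fnmatch
import ntpath
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}


def parse_hex_value(text):
    """Parse one '"Name"=hex(T):aa,bb,...' value line. Lines wrapped with a
    trailing backslash (as regedit exports do) are joined first."""
    joined = re.sub(r"\\\r?\n\s*", "", text.strip())
    m = re.fullmatch(
        r'"(?P<name>[^"]*)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>[0-9a-fA-F,\s]*)',
        joined)
    if not m:
        raise ValueError("not a hex(...) value line")
    vtype = int(m["type"], 16) if m["type"] else 3      # bare 'hex:' means REG_BINARY
    data = bytes(int(b, 16) for b in re.split(r"[,\s]+", m["data"]) if b)
    return m["name"], vtype, data


def decode_multi_sz(data):
    """REG_MULTI_SZ is UTF-16LE: each string NUL-terminated, the list ended by
    an extra NUL. Trailing NULs are stripped so a missing terminator is tolerated."""
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return text.split("\x00") if text else []


def parse_exclusions(entries):
    """FilesNotToSnapshot entries: a path pattern, optionally followed by ' /s'
    to include subdirectories. Returns (pattern, recursive) pairs."""
    out = []
    for e in entries:
        recursive = e.lower().endswith(" /s")
        out.append((e[:-3] if recursive else e, recursive))
    return out


def is_excluded(path, exclusions, user_profile):
    """Does a file on disk fall under one of the exclusion patterns?
    $UserProfile$ is substituted case-insensitively and the comparison is
    case-insensitive, as NTFS names are."""
    path_dir, fname = ntpath.split(path)
    for pattern, recursive in exclusions:
        expanded = re.sub(r"\$userprofile\$", lambda _: user_profile, pattern, flags=re.I)
        pat_dir, pat_file = ntpath.split(expanded)
        d, pd = path_dir.lower(), pat_dir.lower()
        in_dir = d == pd or (recursive and d.startswith(pd.rstrip("\\") + "\\"))
        if in_dir and fnmatch.fnmatchcase(fname.lower(), pat_file.lower()):
            return True
    return False


# Constructed value line for the Outlook entry of FilesNotToSnapshot; the hex
# encodes "$UserProfile$\AppData\Local\Microsoft\Outlook\*.ost /s".
SAMPLE_VALUE = r'''"Outlook"=hex(7):24,00,55,00,73,00,65,00,72,00,50,00,72,00,6f,00,66,00,69,00,\
  6c,00,65,00,24,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,\
  6f,00,63,00,61,00,6c,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,\
  74,00,5c,00,4f,00,75,00,74,00,6c,00,6f,00,6f,00,6b,00,5c,00,2a,00,2e,00,6f,00,\
  73,00,74,00,20,00,2f,00,73,00,00,00,00,00'''


def check_paths(value_text, user_profile, paths):
    """Map each candidate path to True if the registry entry excludes it."""
    name, vtype, data = parse_hex_value(value_text)
    if REG_TYPES.get(vtype) != "REG_MULTI_SZ":
        raise ValueError(f"{name}: expected REG_MULTI_SZ, got type {vtype}")
    rules = parse_exclusions(decode_multi_sz(data))
    return {p: is_excluded(p, rules, user_profile) for p in paths}


if __name__ == "__main__":
    profile = r"C:\Users\informant"          # hypothetical profile path
    for p, hit in check_paths(SAMPLE_VALUE, profile, [
            profile + r"\AppData\Local\Microsoft\Outlook\informant@example.test.ost",
            profile + r"\AppData\Local\Microsoft\Outlook\archive\old.ost",
            profile + r"\Documents\Outlook Files\backup.pst"]).items():
        print("excluded" if hit else "kept    ", p)
```

The practical point for Question 50 is the last check: a .pst under Documents is not covered by the pattern, so an examiner should still look for PST data in the shadow copy even though the OST cache is absent.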

Question Number 51: Examine ‘Recycle Bin’ data in PC.

Using the tool fls to list the deleted files under $Recycle.Bin as follows:

# sudo fls -f ntfs -d -r -p -o 206848 cfreds_2015_data_leakage_pc.dd > fls_results.txt

The result showed the deleted files under $Recycle.Bin.

The MFT entries of the deleted files range from 74311 to 74766.

Therefore, we use the tool ntfsundelete to recover the deleted files:

# sudo ntfsundelete -u /dev/loop0 -i 74311-74766 -d recoverdel

Next, strings is run over the recovered $I files to locate the original location of the deleted files:

# sudo strings -el -f \$I*



File Original Location
$I40295N C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\prop
$I508CBB.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Hydrangeas.jpg
$I55Z163 C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\pd
$I8YP3XK.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Jellyfish.jpg
$I9M7UMY C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\tr
$IDOI3HE.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Tulips.jpg
$IFVCH5V.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Penguins.jpg
$II3FM2A.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Desert.jpg
$IIQGWTT.ini C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
$IJEMT64.exe C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\IE11-Windows6.1-x64-en-us.exe
$IKXD1U3.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Chrysanthemum.jpg
$IU3FKWI.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Koala.jpg
$IX538VH.jpg C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\Lighthouse.jpg
$IXWGVWC C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn\prog
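The strings pass above recovers the original path from each $I file; the same record also carries the original size and the deletion time. The following Python is an added example, not code from the report, that parses the $I layout of Windows Vista/7/8 (version 1) and of Windows 10 (version 2) and pairs each $I metadata file with its $R content file, so that orphaned metadata (content already wiped) stands out. The $I contents in SAMPLE_BIN are constructed with the block's own builder: the names and paths follow the table above, while the sizes and deletion times are invented.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (integer maths throughout)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_dollar_i(data):
    """Parse a $Recycle.Bin $I metadata record.
    Version 1 (Vista/7/8): u64 version, u64 original size, u64 FILETIME of the
    deletion, then a fixed 520-byte UTF-16LE NUL-padded original path.
    Version 2 (Windows 10+): after the FILETIME a u32 character count
    (including the NUL) precedes the path."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(path, size, deleted, version=1):
    """Serialise a $I record; used here only to build constructed samples."""
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


def pair_recycle_bin(filenames):
    """$I<id>.<ext> holds metadata, $R<id>.<ext> the content. Return
    {"$I...": "$R..." or None}; None means the content file is gone."""
    present = set(filenames)
    pairs = {}
    for name in filenames:
        if re.match(r"\$I[0-9A-Z]{6}", name):
            partner = "$R" + name[2:]
            pairs[name] = partner if partner in present else None
    return pairs


# Constructed sample: names and paths modelled on the Q51 table above; the
# sizes and deletion times are invented.
BURN = r"C:\Users\informant\AppData\Local\Microsoft\Windows\Burn\Burn"
SAMPLE_BIN = {
    "$IKXD1U3.jpg": build_dollar_i(BURN + r"\Chrysanthemum.jpg", 879394,
                                   datetime(2015, 3, 24, 19, 52, 46, tzinfo=timezone.utc)),
    "$IJEMT64.exe": build_dollar_i(BURN + r"\IE11-Windows6.1-x64-en-us.exe", 55598704,
                                   datetime(2015, 3, 24,
                                            19, 52, 35, tzinfo=timezone.utc), version=2),
}
SAMPLE_NAMES = ["$IKXD1U3.jpg", "$RKXD1U3.jpg", "$IJEMT64.exe", "desktop.ini"]


def recycle_bin_report(records=SAMPLE_BIN, names=SAMPLE_NAMES):
    """One row per $I file: name, original path, size, deletion time (ISO),
    and whether the matching $R content file is still present."""
    pairs = pair_recycle_bin(names)
    rows = []
    for iname, data in records.items():
        info = parse_dollar_i(data)
        rows.append((iname, info["path"], info["size"],
                     info["deleted"].isoformat(), pairs.get(iname) is not None))
    return rows


if __name__ == "__main__":
    for row in recycle_bin_report():
        print(*row, sep="  ")
```

Parsing the $I record rather than running strings over it also gives the deletion time, which places each Recycle Bin entry on the timeline of Question 52.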

Question Number 52: What actions were performed for anti-forensics on PC at the last day '2015-03-25'?

Date and Time of action   Action taken
3/25/2015 14:46           Searching for anti-forensics
3/25/2015 14:47           Downloaded Eraser
03/25/2015 14:57          Installed Eraser and CCleaner
03/25/2015 15:12:28       Ran Eraser
3/25/2015 15:13           $UsnJrnl contained traces of Eraser activity renaming files, as seen below:
ERASER.EXE-CE61944A.pf 68268384 3/25/2015 15:13
ERASER.EXE-CE61944A.pf 68268488 3/25/2015 15:13
ERASER.EXE-CE61944A.pf 68268592 3/25/2015 15:13
$RKXD1U3.jpg 68268696 3/25/2015 15:13
$RKXD1U3.jpg 68268784 3/25/2015 15:13
$RKXD1U3.jpg 68268872 3/25/2015 15:13
$RKXD1U3.jpg 68268960 3/25/2015 15:13
$RKXD1U3.jpg 68269048 3/25/2015 15:13
$RKXD1U3.jpg 68269136 3/25/2015 15:13
$RKXD1U3.jpg 68269224 3/25/2015 15:13
$RKXD1U3.jpg 68269312 3/25/2015 15:13
Chrysanthemum.jpg 68269400 3/25/2015 15:13
S9(wQm9ff_gd,hZ~c 68269496 3/25/2015 15:13
Desert.jpg 68273400 3/25/2015 15:13
ijpQC}9bow 68273480 3/25/2015 15:13
3/25/2015 14:57           Deleted Eraser (x64).msi 68216696
3/25/2015 14:48           Deleted ccsetup504.exe and ccsetup504[1].exe
3/25/2015 11:22:47        Removed Google Drive traces, as per the Google Drive log:
2015-03-25 11:22:47,053 -0400 INFO pid=3164 1528:MainThread common.sync_app:1630 Signing Out
2015-03-25 11:22:47,053 -0400 INFO pid=3164 1528:MainThread common.pause_manager:113 Adding pause reason USER
2015-03-25 11:22:47,053 -0400 INFO pid=3164 1528:MainThread common.pause_manager:117 Pausing
2015-03-25 11:22:47,053 -0400 INFO pid=3164 1528:MainThread common.local.watcher:246 RootObserverUnregistered
2015-03-25 11:22:47,053 -0400 INFO pid=3164 1528:MainThread common.local.watcher:294 Unschedule: _MyDriveRoot(u'\\\\?\\C:\\Users\\informant\\Google Drive')
                          Deleted e-mails from the Inbox and from Sent Items, as previously shown by the deleted items from the OST file.
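Both the document timestamps in Question 36 and the Eraser rename traces in Question 52 come from $UsnJrnl records. The following Python is an added example, not code from the report, that parses USN_RECORD_V2 records from a raw $UsnJrnl:$J buffer, decodes the reason flags, and follows RENAME_OLD_NAME/RENAME_NEW_NAME pairs per MFT entry, which is the pattern a file wiper leaves when it renames a file to random names before deleting it. sample_journal() is a constructed fragment: the file names and minutes mirror the findings above, while the USN numbers, MFT entry numbers and exact reason combinations are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags of a USN_RECORD_V2 (subset of the NTFS change journal flags).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
# Fixed 60-byte header: RecordLength, MajorVersion, MinorVersion, FileRef,
# ParentFileRef, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
USN_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic only: a float would lose ticks at 2015-era values."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def decode_reasons(mask):
    names = [n for bit, n in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS) & 0xFFFFFFFF
    return names + ([f"0x{unknown:08x}"] if unknown else [])


def parse_usn_journal(buf):
    """Walk a raw $J buffer; zero runs (sparse padding) are skipped 8 bytes at a time."""
    records, off = [], 0
    while off + USN_HDR.size <= len(buf):
        fields = USN_HDR.unpack_from(buf, off)
        length, major = fields[0], fields[1]
        if length == 0:                 # inside the sparse/zeroed region
            off += 8
            continue
        if major != 2 or length < USN_HDR.size or off + length > len(buf):
            raise ValueError(f"malformed USN record at offset {off}")
        name_len, name_off = fields[11], fields[12]
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": fields[5],
            "timestamp": filetime_to_datetime(fields[6]),
            "mft": fields[3] & 0xFFFFFFFFFFFF,   # low 48 bits = MFT entry number
            "name": name,
            "reasons": decode_reasons(fields[7]),
        })
        off += length
    return records


def rename_chains(records):
    """Follow RENAME_OLD_NAME -> RENAME_NEW_NAME pairs per MFT entry; a wiper
    that renames a file several times before deleting it leaves a chain."""
    chains, pending = {}, {}
    for r in records:
        if "RENAME_OLD_NAME" in r["reasons"]:
            pending[r["mft"]] = r["name"]
        elif "RENAME_NEW_NAME" in r["reasons"] and r["mft"] in pending:
            chains.setdefault(r["mft"], [pending.pop(r["mft"])]).append(r["name"])
    return chains


def build_record(usn, when, reason, name, mft_entry, seq=1):
    """Serialise one USN_RECORD_V2; used here only to build constructed data."""
    name_bytes = name.encode("utf-16-le")
    length = USN_HDR.size + len(name_bytes)
    length += (-length) % 8            # records are 8-byte aligned
    hdr = USN_HDR.pack(length, 2, 0, (seq << 48) | mft_entry, 5, usn,
                       datetime_to_filetime(when), reason, 0, 0, 0x20,
                       len(name_bytes), USN_HDR.size)
    return hdr + name_bytes + bytes(length - len(hdr) - len(name_bytes))


def sample_journal():
    """Constructed $J fragment modelled on the Q36/Q52 findings (USNs, MFT
    numbers and exact flag combinations are invented)."""
    utc = timezone.utc
    doc = "Resignation_Letter_(Iaman_Informant).docx"
    return b"".join([
        build_record(100, datetime(2015, 3, 24, 18, 48, tzinfo=utc), 0x80000100, doc, 74300),
        build_record(200, datetime(2015, 3, 24, 18, 57, tzinfo=utc), 0x80000002, doc, 74300),
        bytes(16),                                   # sparse gap inside $J
        build_record(300, datetime(2015, 3, 25, 15, 13, tzinfo=utc), 0x00001000, "Chrysanthemum.jpg", 77),
        build_record(400, datetime(2015, 3, 25, 15, 13, tzinfo=utc), 0x80002000, "S9(wQm9ff_gd,hZ~c", 77),
        build_record(500, datetime(2015, 3, 25, 15, 13, tzinfo=utc), 0x80000200, "S9(wQm9ff_gd,hZ~c", 77),
    ])


if __name__ == "__main__":
    recs = parse_usn_journal(sample_journal())
    for rec in recs:
        print(rec["timestamp"].isoformat(), rec["usn"], rec["name"], "+".join(rec["reasons"]))
    print(rename_chains(recs))
```

On a real image the $J stream is extracted first (for example with icat from The Sleuth Kit, as the report does for other artifacts) and fed to parse_usn_journal; the rename chains keyed by MFT entry are what link the random names seen in the table above back to Chrysanthemum.jpg and Desert.jpg.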

Question Number 53: Recover deleted files from USB drive ‘RM#2’.

Using the tool PhotoRec, all files on the image could be recovered with the following command:

# photorec cfreds_2015_data_leakage_rm#2.dd

-rw-rw-r-- 1 ubuntu ubuntu 14547968 Jan 23 2015 f0008216_[secret_project]_revised_points.ppt
-rw-rw-r-- 1 ubuntu ubuntu 16381123 Jan 1 1980 f0036632.pptx
-rw-rw-r-- 1 ubuntu ubuntu 1260544 Jan 16 2015 f0068640_[secret_project]_price_analysis_#2.xls
-rw-rw-r-- 1 ubuntu ubuntu 100078 Jan 1 1980 f0071104.xlsx
-rw-rw-r-- 1 ubuntu ubuntu 10237535 Jan 1 1980 f0071304.xlsx
-rw-rw-r-- 1 ubuntu ubuntu 10289152 Dec 2 2014 f0091304_[secret_project]_market_shares.xls
-rw-rw-r-- 1 ubuntu ubuntu 57344 Jan 20 2015 f0111408_[secret_project]_progress_#3.doc
-rw-rw-r-- 1 ubuntu ubuntu 4440235 Jan 1 1980 f0111528.docx
-rw-rw-r-- 1 ubuntu ubuntu 27414 Jan 1 1980 f0120208.docx
-rw-rw-r-- 1 ubuntu ubuntu 35226880 Jan 1 1980 f0120272.docx
-rw-rw-r-- 1 ubuntu ubuntu 6484502 Jan 1 1980 f0189080.docx
-rw-rw-r-- 1 ubuntu ubuntu 121441 Jan 1 1980 f0201760.docx
-rw-rw-r-- 1 ubuntu ubuntu 3980 May 16 21:04 f0205536.xml
-rw-rw-r-- 1 ubuntu ubuntu 2360832 Jan 20 2015 f0206440_[secret_project]_technical_review_#3.doc
-rw-rw-r-- 1 ubuntu ubuntu 1921 Jan 1 1980 f0211304.docx
-rw-rw-r-- 1 ubuntu ubuntu 129 May 16 21:04 f0211704.java
-rw-rw-r-- 1 ubuntu ubuntu 11994668 May 16 21:04 f0224136.3gp
-rw-rw-r-- 1 ubuntu ubuntu 10101908 May 16 21:04 f0247592.3gp
-rw-rw-r-- 1 ubuntu ubuntu 9024248 May 16 21:04 f0267336.3gp
-rw-rw-r-- 1 ubuntu ubuntu 1293505 May 16 21:04 f0284968.wma
-rw-rw-r-- 1 ubuntu ubuntu 2467078 May 27 2003 f0287496.wmv
-rw-rw-r-- 1 ubuntu ubuntu 4283126 May 27 2003 f0292328.wmv
-rw-rw-r-- 1 ubuntu ubuntu 3085265 May 14 2008 f0300712.wmv
-rw-rw-r-- 1 ubuntu ubuntu 9773451 May 16 21:04 f0306760_skip.mov
-rw-rw-r-- 1 ubuntu ubuntu 590588 May 16 21:04 f0325864_skip.mov
-rw-rw-r-- 1 ubuntu ubuntu 4949421 May 16 21:04 f0327048.mp4
-rw-rw-r-- 1 ubuntu ubuntu 885072 May 16 21:04 f0336744.mp4
-rw-rw-r-- 1 ubuntu ubuntu 15209466 May 16 21:04 f0338504.mp4
-rw-rw-r-- 1 ubuntu ubuntu 921654 May 16 21:04 f0368264.bmp
-rw-rw-r-- 1 ubuntu ubuntu 6717692 May 16 21:04 f0370088.gif
-rw-rw-r-- 1 ubuntu ubuntu 3352929 May 16 21:04 f0383240.gif
-rw-rw-r-- 1 ubuntu ubuntu 2125114 May 16 21:04 f0389800.gif
-rw-rw-r-- 1 ubuntu ubuntu 8798374 May 16 21:04 f0393960.bmp
-rw-rw-r-- 1 ubuntu ubuntu 6164389 May 16 21:04 f0411176.png
-rw-rw-r-- 1 ubuntu ubuntu 8182655 May 16 21:04 f0423240.png
-rw-rw-r-- 1 ubuntu ubuntu 1625241 Oct 6 2004 f0439240.jpg
-rw-rw-r-- 1 ubuntu ubuntu 2284125 May 16 21:04 f0442440.gif
-rw-rw-r-- 1 ubuntu ubuntu 8107995 May 16 21:04 f0446920.png
-rw-rw-r-- 1 ubuntu ubuntu 34480 May 16 21:04 f0462760.gif
-rw-rw-r-- 1 ubuntu ubuntu 7553024 May 16 21:04 f0462856.tif
-rw-rw-r-- 1 ubuntu ubuntu 2015880 May 16 21:04 f0477608.jpg
-rw-rw-r-- 1 ubuntu ubuntu 798064 Nov 8 2009 f0481576.jpg
-rw-rw-r-- 1 ubuntu ubuntu 1370140 Dec 6 2009 f0483144.jpg
-rw-rw-r-- 1 ubuntu ubuntu 8455527 May 16 21:04 f0485832.png
-rw-rw-r-- 1 ubuntu ubuntu 1267394 Apr 4 2005 f0502376.jpg
-rw-rw-r-- 1 ubuntu ubuntu 847709 Apr 4 2005 f0504872.jpg
-rw-rw-r-- 1 ubuntu ubuntu 897275 Oct 7 2004 f0506536.jpg
-rw-rw-r-- 1 ubuntu ubuntu 1236401 Oct 7 2004 f0508296.jpg
-rw-rw-r-- 1 ubuntu ubuntu 2242264 May 16 21:04 f0510728.gif
-rw-rw-r-- 1 ubuntu ubuntu 2240548 May 16 21:04 f0515112.gif
-rw-rw-r-- 1 ubuntu ubuntu 32186 May 16 21:04 f0519496.gif
-rw-rw-r-- 1 ubuntu ubuntu 0 May 16 21:06 recovered_files.txt
-rw-rw-r-- 1 ubuntu ubuntu 13193 May 16 21:05 report.xml
-rw-rw-r-- 1 ubuntu ubuntu 5174 Oct 6 2004 t0439240.jpg
-rw-rw-r-- 1 ubuntu ubuntu 2808 Nov 8 2009 t0481576.jpg
-rw-rw-r-- 1 ubuntu ubuntu 3601 Dec 6 2009 t0483144.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4412 Apr 4 2005 t0502376.jpg
-rw-rw-r-- 1 ubuntu ubuntu 3328 Apr 4 2005 t0504872.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4101 Oct 7 2004 t0506536.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4377 Oct 7 2004 t0508296.jpg

Question Number 54: What actions were performed for anti-forensics on USB drive ‘RM#2’?
[Hint: this can be inferred from the results of Question 53.]

The media was quick-formatted, and the deleted files could be recovered from the free space.

Question Number 55: What files were copied from PC to USB drive ‘RM#2’?

As per Question 53, the recovered files had been copied to RM#2; they were only soft-deleted, which made later recovery easy.

Question Number 56: Recover hidden files from the CD-R ‘RM#3’.
How to determine proper filenames of the original files prior to renaming tasks?

Using the tool PhotoRec to carve the files and recover them:



# photorec cfreds_2015_data_leakage_rm#3_type2.dd

-rw-rw-r-- 1 ubuntu ubuntu 987 Jan 1 1980 f0019853.docx
-rw-rw-r-- 1 ubuntu ubuntu 1260544 Jan 16 2015 f0061720_[secret_project]_price_analysis_#2.xls
-rw-rw-r-- 1 ubuntu ubuntu 100078 Jan 1 1980 f0064184.xlsx
-rw-rw-r-- 1 ubuntu ubuntu 10237535 Jan 1 1980 f0064380.xlsx
-rw-rw-r-- 1 ubuntu ubuntu 10289152 Dec 2 2014 f0084376_[secret_project]_market_shares.xls
-rw-rw-r-- 1 ubuntu ubuntu 57344 Jan 20 2015 f0104472_[secret_project]_progress_#3.doc
-rw-rw-r-- 1 ubuntu ubuntu 4440235 Jan 1 1980 f0104588.docx
-rw-rw-r-- 1 ubuntu ubuntu 27414 Jan 1 1980 f0113264.docx
-rw-rw-r-- 1 ubuntu ubuntu 61811 May 16 21:22 f0135707.png
-rw-rw-r-- 1 ubuntu ubuntu 1465 Jan 1 1980 f0198545_drs.zip
-rw-rw-r-- 1 ubuntu ubuntu 314 May 16 21:22 f0198632.xml
-rw-rw-r-- 1 ubuntu ubuntu 2360832 Jan 20 2015 f0199536_[secret_project]_technical_review_#3.doc
-rw-rw-r-- 1 ubuntu ubuntu 1921 Jan 1 1980 f0204396.docx
-rw-rw-r-- 1 ubuntu ubuntu 780831 Feb 11 2008 f0205596.jpg
-rw-rw-r-- 1 ubuntu ubuntu 777835 Feb 18 2008 f0207124.jpg
-rw-rw-r-- 1 ubuntu ubuntu 620888 Feb 7 2008 f0208644.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4560 May 16 21:22 report.xml
-rw-rw-r-- 1 ubuntu ubuntu 4834 Feb 11 2008 t0205596.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4295 Feb 18 2008 t0207124.jpg
-rw-rw-r-- 1 ubuntu ubuntu 4406 Feb 7 2008 t0208644.jpg
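Question 56 asks how to tell the original type and name of carved files that were renamed. The following Python is an added example, not code from the report or from PhotoRec, that identifies a file's type from its content rather than its extension, reads ZIP members from the local file headers so that a carved Office document whose central directory was cut off is still classified, and pulls dc:title from docProps/core.xml as a lead on the original document name. The SAMPLES dictionary is constructed: a minimal DOCX built with zipfile, a JPEG header under an .mp3 name, an OLE2 header and plain text; the carved names are made up.

```python
import io
import re
import struct
import zipfile
import zlib

# Magic numbers checked at offset 0; legacy Office files share the OLE2 header.
MAGIC = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2 (doc/xls/ppt)"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]
OOXML_MARKERS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte ZIP local file header


def walk_local_headers(data):
    """Yield (member name, method, compressed bytes) by following the local
    file headers from the start of the file. A carved file that lost its
    central directory (which sits at the end) can still be read this way."""
    off = 0
    while data.startswith(b"PK\x03\x04", off) and off + LOCAL_HDR.size <= len(data):
        (_sig, _ver, flags, method, _t, _d, _crc,
         csize, _usize, nlen, elen) = LOCAL_HDR.unpack_from(data, off)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        start = off + 30 + nlen + elen
        if flags & 0x8 and csize == 0:   # size only in a trailing data descriptor
            yield name, method, None
            return
        yield name, method, data[start:start + csize]
        off = start + csize


def classify_zip(data):
    names = [n for n, _, _ in walk_local_headers(data)]
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, kind in OOXML_MARKERS.items():
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml"


def identify(data):
    """Content-based type, ignoring whatever extension the file was given."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return classify_zip(data) if kind == "zip" else kind
    return "unknown"


def ooxml_title(data):
    """dc:title from docProps/core.xml, a lead on the original document name
    when the file itself was renamed. None if absent."""
    for name, method, comp in walk_local_headers(data):
        if name == "docProps/core.xml" and comp is not None:
            xml = zlib.decompress(comp, -15) if method == 8 else comp
            m = re.search(rb"<dc:title>(.*?)</dc:title>", xml, re.S)
            return m.group(1).decode("utf-8") if m else None
    return None


def triage(samples):
    """{carved name: (detected type, title or None)}."""
    out = {}
    for name, data in samples.items():
        kind = identify(data)
        title = ooxml_title(data) if kind in OOXML_MARKERS.values() else None
        out[name] = (kind, title)
    return out


def make_sample_docx(title):
    """Constructed minimal DOCX (real ones carry far more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml",
                    f"<cp:coreProperties><dc:title>{title}</dc:title></cp:coreProperties>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed carved files: a DOCX saved under a .jpg name, a JPEG under .mp3,
# an OLE2 header under its true extension, and plain text.
SAMPLES = {
    "f0000001.jpg": make_sample_docx("[secret_project]_proposal"),
    "f0000002.mp3": b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + bytes(16),
    "f0000003.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(504),
    "f0000004.txt": b"just text",
}


if __name__ == "__main__":
    for name, (kind, title) in triage(SAMPLES).items():
        print(f"{name}: {kind}" + (f"  title={title!r}" if title else ""))
```

The title from core.xml is only a hint (many documents have none, or carry a stale one), so it should be confirmed against the file list recovered from the PC in Question 46 or against hashes of the originals where they are still available.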

Question Number 57: What actions were performed for anti-forensics on CD-R ‘RM#3’?

The CD was formatted to be used as external storage, secret files and other non-business files were copied to it, and the secret files were then deleted for recovery at a later stage.

Question Number 58: Create a detailed timeline of data leakage processes.

The user had a regular working day on 22/03/2015.

Then, on 23/03/2015, the suspect started communicating with a conspirator, who confirmed by e-mail the files shared by the suspect.

23/05/2015 18:21 UTC: the suspect searched for data leakage methods using Chrome and Internet Explorer.

23/05/2015 18:31 UTC: started to leak confidential information by searching for the word "secret" and copying confidential files from USB to PC.

23/05/2015 18:41 UTC: renamed copies of the files with different titles and different extensions such as .jpg and .mp3. Received an e-mail from SPY; IAMAN confirmed "Successfully secured." and then sent an attachment to SPY.

23/03/2015 20:00 UTC: started to look for cloud drives to share the confidential files. Logged into Google Drive, then connected to a network shared drive, downloaded secret files from the network share, renamed the files and uploaded them to Google Drive. The links to the shared Google Drive files were sent by e-mail from IAMAN to SPY.

On 24/03/2015, e-mail communication about the data leakage continued between SPY and IAMAN. The suspect connected RM#1 and copied files to the PC. The suspect also connected to the network share \\10.11.11.128 and downloaded confidential files to the PC, then renamed the files and copied them to RM#2. 24/05/2015 14:02: ejected RM#2, then deleted the files from the PC.

On 24/03/2015 18:31, the suspect created a resignation letter and wrote a sticky note.

On 24/03/2015 18:38, connected the USB drive and copied files to the CD-R media, then formatted the disk and burned other non-related files.

On 24/03/2015 20:53, inserted a new CD-R, copied the confidential folders and renamed them, copied other non-related files and deleted the confidential folders. Finally, performed a quick format on the USB drive RM#2.

On 25/03/2015 14:46, the suspect searched for anti-forensics methods, installed CCleaner and Eraser and ran them.

On 25/03/2015 15:00, deleted e-mails from Outlook.

On 25/03/2015 15:14, removed files from the Recycle Bin, removed the Eraser and CCleaner installer files, and uninstalled CCleaner and iCloud. Then signed out from Google Drive.

On 25/03/2015 15:28, opened the resignation letter document and printed it using the default XPS printer.

Question Number 59: List and explain methodologies of data leakage performed by the suspect.

The suspect used e-mail to communicate with a spying agent and shared secret files, but renamed the files in advance. The suspect then shared confidential files using cloud services such as Google Drive and iCloud. USB and CD were also used as removable media for copying data, which was then deleted from them so that it could be recovered at a later stage using forensic techniques.

Question Number 60: Create a visual diagram for a summary of results.



References

Bajpai, P. (2014). ‘Windows Registry Forensics using ‘RegRipper’ Command-Line on Linux’. InfoSec Institute. [Online]. Available at: http://resources.infosecinstitute.com/registry-forensics-regripper-command-line-linux/#gref [Accessed 16 May 2018].

Cfreds.nist.gov. (2018). ‘CFReDS - Data Leakage Case’. [Online]. Available at: https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html [Accessed 16 May 2018].

cgsecurity.org. (No date). ‘PhotoRec Step By Step’. [Online]. Available at: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step [Accessed 16 May 2018].

Dwyer, G. (2013). ‘How and When to Use Sqlite’. Digital Ocean. [Online]. Available at: https://www.digitalocean.com/community/tutorials/how-and-when-to-use-sqlite [Accessed 16 May 2018].

forensicswiki.org. (No date). ‘Google Chrome’. ForensicsWiki. [Online]. Available at: https://www.forensicswiki.org/wiki/Google_Chrome [Accessed 16 May 2018].

libguestfs.org. (No date). ‘hivexsh - Windows Registry hive shell’. [Online]. Available at: http://libguestfs.org/hivexsh.1.html [Accessed 16 May 2018].

Rocha, L. (2017). ‘Digital Forensics – NTFS Change Journal’. [Online]. Available at: https://countuponsecurity.com/2017/05/25/digital-forensics-ntfs-change-journal/ [Accessed 16 May 2018].