Computer forensic report pdf

Black Dapeng cellphone 3 Vincenzo D.

Were the three (3) cell phones, exhibits 1, 2 and 4 [serial- , and , respectively], used to call individuals or to browse for information which may be deemed incriminating and of relevance to the investigation? Did anyone other than the accused have access to the thumb drive, exhibit 3 [serial- FYY ], before, during and/or after Brainchild's possession of it?

Evidence to Search For

Based on the nature of the case and all that has been brought against the accused, Therese Brainchild, the analysis of the obtained evidence will search for data of probative value to the investigation in the following areas: (A) acquiring the browsing data from the laptop's and the cell phones' browsers; (B) investigating the previous locations of, and the calls made to and from, the cell phones; (C) acquiring the files deleted from the laptop, from the phone memories and, most importantly, from the thumb drive.

5. Deleted files of evidentiary value to the case

These documents contained code clues, encrypted and steganographic files, erroneous documents, stolen credit card information, cheque details and information on lottery winners. The five (5) .txt files recovered contained names, addresses, phone numbers and credit card information of individuals.

Among these files were steganographic clues to encrypted data. However, only 4 of these documents were relevant to the investigation, as they contained lottery leads, a bank cheque, stolen credit card information and a terrorist map.

Forensic Science

6. Corporate Breach

Theresa Brainchild is deemed to have committed corporate breaches such as breach of the contract to maintain data integrity and company confidentiality, falsification of data, embezzlement and industrial espionage.

The SHA-1 hash value e2abcf6fe70bd9eefdd and the MD5 hash value 3b50d4fde5c5c29ef7fdbc1d were obtained in order to aid in proving the integrity of the files recovered. Among the files recovered, there was a database document named 'Snowden Employee.

Deleted, Encrypted and Steganographic Files

Approximately forty-one (41) files of different formats were deleted.

Of all the files retrieved, two (2) files and one (1) folder were encrypted. The encrypted files were cracked as a result of steganographic files which contained clues and passwords to break the encryption. The encrypted files and passwords are as follows: a RAR file entitled 'x', containing (1) database documents of customers' and employees' detailed information (names, positions, ID numbers, bill payments and account numbers), accounts above dollars.

The steganographic files obtained were hidden in various forms. The personal and Swiss bank account numbers of Therese Brainchild recovered from the encrypted files are [ and respectively].

9. Analysis Results

From the above exhibits: the cell phones confiscated for analysis, 'Burgundy Wi-Fi Mobile Cellphone', 'Nokia Mobile Phone' and 'Black Dapeng cellphone', exhibits 1, 2 and 5 [serial- , and , respectively], were analyzed and I calculated their check digits in order to verify the IMEIs, which in turn reveal the make, model, date and country of origin of all three exhibits.

The check digits calculated are as follows: Exhibit 1, Wi-Fi Mobile Cellphone [serial - , corrected check digit found to be '6']; Exhibit 2, Nokia Mobile Phone [serial - , correct check digit found to be '4']; Exhibit 5, Black Dapeng cellphone [serial - , check digit remains unchanged at '0']. Further analysis brought to the forefront identified metadata which proved to be vital to this investigation.
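As an added illustration of the check-digit step described above (example code written for this page, not part of the original report or of any tool it used), the following Python computes an IMEI's Luhn check digit from its first 14 digits and compares it with the digit as recorded, which is the kind of mismatch the report notes for Exhibits 1 and 2. The IMEIs in it are constructed sample values; the exhibits' serial numbers are not on this page and are not reproduced. Resolving make, model and origin from the TAC requires the GSMA allocation database, which the code does not include.

```python
"""Added example (not from the report): IMEI check-digit verification with the
Luhn algorithm. All IMEIs used here are constructed sample values."""


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    For an IMEI the body is the first 14 digits (8-digit TAC + 6-digit serial)
    and the 15th digit is the check digit. Walking the body from the right,
    every digit at an even 0-based position is doubled and, if the product
    exceeds 9, reduced by 9; the check digit brings the total to a multiple of 10.
    """
    if not body.isdigit():
        raise ValueError("IMEI body must contain only decimal digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # rightmost body digit and every second digit leftward
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def verify_imei(imei: str) -> dict:
    """Check a recorded 15-digit IMEI and return what an examiner would note.

    Dashes and spaces in the recorded value are ignored. The result carries the
    TAC, the serial, the check digit as recorded, the check digit as computed,
    and whether they agree. A mismatch means the value was mis-transcribed or
    altered, so the corrected digit is recorded alongside the original.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}")
    body, recorded = digits[:14], int(digits[14])
    computed = luhn_check_digit(body)
    return {
        "tac": body[:8],          # Type Allocation Code; make/model lookup needs the GSMA database
        "serial": body[8:14],
        "recorded_check_digit": recorded,
        "computed_check_digit": computed,
        "valid": recorded == computed,
    }


if __name__ == "__main__":
    # Constructed samples: one consistent IMEI and the same body with a wrong check digit.
    for sample in ("49-015420-323751-8", "49-015420-323751-0"):
        print(sample, verify_imei(sample))
```

For the second sample the function reports recorded_check_digit 0 against computed_check_digit 8 and valid False, which is how a report would justify a "corrected" check digit while still quoting the value as found on the handset.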

A password clue to the binary-digit password [] required to open the RAR file entitled 'x', containing evidence of the fraudulent activities of Therese Brainchild.

Passwords were also hidden in steganographic files, which led to Brainchild's personal bank account and Swiss bank account.

Conclusion

I managed to maintain the integrity of all the deleted data during its recovery, as all the exhibits were protected and verified by checking hash values and recalculating check digits during the examination.

This section is very important, as you must detail your interaction with the digital evidence and the steps taken to preserve and forensically acquire the evidence.

Any additional steps that you take e.

Examiner's Tip: You should have a digital camera in your forensic toolkit. Take a picture of the evidence and document each step of the forensic acquisition and preparation process. Regardless of whether you include the picture in your report or as an exhibit, this picture is a perfect field note for you as the examiner to reference when completing your report.

This is the most detailed section of your investigation. You will include all artifacts that you find during your analysis relating to the case.

Examiner's Tip: A very good practice when including evidence in your report is to include hyperlinks within the report that link to pictures, documents, etc.

Make sure you test and validate that the hyperlinks work properly, so that when your report is being reviewed the reader can navigate easily to the evidence you are including. In this section, you base your conclusion on the forensic evidence. Remember, the goal of the forensic examination is to report the facts, regardless of whether the evidence is inculpatory or exculpatory in nature. A successful forensic examination is one that is very thorough and one in which you "leave no stone unturned".

In the scenario that I provided using a recovered stolen laptop, what else might you include besides e-mail and browser forensics in your analysis to put the suspect in possession and at the keyboard of the stolen laptop?

Where else would you look and what would you look for?

This post is for informational purposes and a guide for the new forensic examiner. Your report will vary in length and format. You can follow Brad on Twitter (bgarnett17) and his blog at www.

Brad Garnett.

Prior to imaging the stolen laptop, I photographed the laptop, documenting any identifiers e.

Using a sterile storage media examination medium that had been previously forensically wiped and verified by this examiner (MD5 hash value: ed6bebf3cca01eccaddd) using ABC tool version 1. The MD5 hash value for the examination medium matched the MD5 hash value from the previous forensic wipes used to sterilize this media.

At this point, I removed the hard drive from the stolen laptop and connected it to my hardware write-blocker, which is running the most recent firmware and has been verified by this examiner.

After connecting the hardware write blocker to the suspect hard drive, I connected the hardware write blocker via USB 2.

Etc., etc. You will also need to include that you verified your forensic image and note the hash values e. You will also need to briefly describe the process you used when making a working copy from the forensic image of the original evidence.

Further analysis shows that a John Doe logged into his Google Mail account. See screenshots below:

[Screenshot: John Doe logging into Google Mail account.]
[Screenshot: John Doe logging into Google Mail account.]
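The hash checks that appear throughout this page, the MD5/SHA-1 values recorded for the recovered files in the analysis results, the MD5 of the wiped examination medium matching earlier wipes, and the verification of the forensic image and its working copy described just above, all come down to one routine. The following Python is an added example written for this page, not code from the report or from Brad's post. It hashes an image in fixed-size chunks so that a multi-gigabyte acquisition never has to fit in memory, confirms that a wiped medium really is all zeros rather than merely hashing to the expected value, and compares freshly computed digests with the values recorded at acquisition time, reporting each algorithm separately. Every path and byte in it is constructed inside a temporary directory; the truncated hash values on this page are not used.

```python
"""Added example, not from the report or the post: single-pass MD5/SHA-1 hashing of a
forensic image, a sterility check for a wiped examination medium, and comparison of
fresh digests against recorded ones. All data below is constructed."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # hash in 1 MiB pieces so a multi-GB image need not fit in RAM


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1 hex digests of an in-memory buffer (small recovered artifacts)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> dict:
    """MD5 and SHA-1 of a file computed in one pass over the data.
    Recording two independent digests means a collision in one does not go unnoticed."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def is_sterile(path: str) -> bool:
    """True only if every byte of the medium is 0x00, i.e. the wipe left no residue."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def verify_image(path: str, recorded: dict) -> dict:
    """Compare fresh digests with the values recorded at acquisition, per algorithm,
    so the report can state which digest(s) matched. Comparison is case-insensitive."""
    actual = hash_file(path)
    return {alg: actual[alg] == recorded[alg].strip().lower() for alg in ("md5", "sha1")}


def demo() -> dict:
    """Constructed scenario in a temporary directory (no real evidence involved):
    a zero-filled 'wiped' medium, a small 'image' whose digests are recorded, and a
    working copy with a single flipped bit that must fail verification."""
    with tempfile.TemporaryDirectory() as d:
        medium = os.path.join(d, "sterile_medium.bin")
        with open(medium, "wb") as f:
            f.write(b"\x00" * (2 * CHUNK + 17))      # spans several chunks plus a tail
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"constructed sample image data\n" * 1000)
        recorded = hash_file(image)                  # what the acquisition notes would hold
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[100] ^= 0x01                             # one-bit change in the working copy
        tampered = os.path.join(d, "working_copy.dd")
        with open(tampered, "wb") as f:
            f.write(data)
        return {
            "medium_sterile": is_sterile(medium),
            "image_sterile": is_sterile(image),
            "original_verified": verify_image(image, recorded),
            "tampered_verified": verify_image(tampered, recorded),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The sterility check is deliberately separate from the hash comparison: a medium whose MD5 matches a previous wipe is only known to be unchanged since that wipe, whereas reading every byte shows that the wipe actually produced zeros, which is the stronger statement an examiner wants to make about the target medium.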


