Answer To: It's a case study of a computer forensics subject which can be done by using Autopsy software
Vidhi answered on Oct 30 2020
Forensic Investigation Case Study
Table of Contents
1. Summary
2. Presentation of content relating to offence
3. Identification
4. Intent
5. Quantity of Files
6. Installed Software
7. Appendix A – Running Sheet
8. Appendix B – Timeline of Events
Summary
In the state of Western Australia, it is illegal to access, own or distribute digital content relating to clowns. An allegation has been made to law enforcement whereby a witness claims to have seen an individual access clown-related content within a place of work. Following the approval of formal warrants, the computer in question was seized from the workplace. The computer was then forensically acquired using FTK Imager. Unfortunately, the junior investigator who obtained the ‘forensic image’ of the computer only performed a logical acquisition. To worsen the situation, the junior investigator forensically wiped the original hard drive from the computer. Fortunately, the logical acquisition was undertaken in a forensically sound manner. The suspect, Clark, denies accessing clown content. However, Clark does confirm that the computer belongs to him. Clark stated that he does not always take the computer home or lock it when he is away from his desk.
You are a consultant who specialises in digital forensic investigations. You have been assigned the task of examining a ‘forensic’ image of the laptop, which was seized with correct warrants. It is currently unknown what Clark was doing with the clown content. In Clark’s opinion, the computer was infected with malware which resulted in any potential content appearing on the computer.
This report is organised as follows. The first section gives a detailed representation of all content identified, extracted and analysed in the investigation. All evidence must be characterised, explained and examined: what is the value of the evidence to the investigation, what does each piece of evidence mean, and does the evidence support or negate the allegations made?
The second section details all information relating to possible use or ownership of the evidence identified and extracted: how the evidence can be linked to a particular owner, and whether there is any digital evidence which demonstrates ownership of the device or content.
The third section evaluates whether the digital content was purposefully accessed, used, downloaded or installed, or whether it was accidental, the work of a third party, or the result of malicious software. All evidence supporting the theory is presented.
The next section considers how many files of every type were present on the system, what percentage of these files relate to the offence, and what this means for the overall investigation.
The report then evaluates which installed applications relate to the investigation, what purpose these applications serve, whether they have been used or run, the dates and times each application was used, and what impact these applications have on the investigation.
Lastly, the report contains the appendices and the conclusion with references.
We use Autopsy and the FTK image viewer to evaluate the image, taking each step into consideration so that the investigation can be carried out, the analysis made with the prescribed tools, and the report generated.
Presentation of content relating to offence
The content shown in the image is presented using the autopsy software and the report is generated in the form of
The analysis is done using the Autopsy software, as follows:
1. Click New Case. The ‘Create a New Case’ page will open. Fill in the ‘Case Name’, ‘Description’, and ‘Investigator Name’. Then select ‘New Case’ near the bottom of the screen.
Scroll down to find our file, ‘vacationinfo.txt’. Click on the file. Notice that the contents of the file will populate in the space below. You can also view information about the file, including the size, when it was created, the last time it was accessed, and the last time it was changed. In the next section, you will create a basic report about this file.
From the analysis page, it is possible to create a report about a file that can be used for easy access later. Click on ‘ASCII report’. This will create an easy-to-read report with all the information about ‘vacationinfo.txt’. Right-click this report to save it as a .txt file.
Note that it is also possible to print out HEX and String reports, and to export the file for further analysis, just as in ProDiscover and FTK. You can also add a note about the individual file.
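The per-file view described in the steps above (size, timestamps, and the ASCII, HEX and String output) can be reproduced outside Autopsy for a file exported from the image. The following Python is an added example, not part of the original report or of Autopsy itself; the sample bytes are constructed, only the file name ‘vacationinfo.txt’ comes from the text, and the function names are hypothetical.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample bytes (not case data): text runs mixed with binary.
SAMPLE = b"\x00\x01Trip: Perth 2020\x00\xff\xfeab\x00hotel booking\n"


def utc(ts):
    """Render a POSIX timestamp as ISO 8601 in UTC so reports compare across machines."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def file_report(path, min_len=4):
    """Read-only summary of one file: size, timestamps, hash, strings and hex views."""
    st = os.stat(path)
    with open(path, "rb") as fh:  # binary and read-only: the evidence copy is never modified
        data = fh.read()
    # "String" view: runs of at least min_len printable ASCII bytes.
    strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    # "HEX" view: offset followed by 16 bytes per row.
    hexdump = [f"{off:08x}  {data[off:off + 16].hex(' ')}" for off in range(0, len(data), 16)]
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "modified": utc(st.st_mtime),
        "accessed": utc(st.st_atime),
        "changed": utc(st.st_ctime),  # inode change on Unix, creation time on Windows
        "sha256": hashlib.sha256(data).hexdigest(),  # ties the report to exact content
        "strings": strings,
        "hexdump": hexdump,
    }


def demo():
    """Write the constructed sample to a temporary file and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vacationinfo.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        return file_report(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value, sep=": ")
```

The timestamps come from `os.stat` on the copy being read, so for an exported file they may reflect the export rather than the original; the original times still have to be taken from the forensic tool's metadata view.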
1. One (1) white turtleneck sleeveless shirt, size Small.
2. One (1) pair navy blue sweatpants, size Small.
3. Two (2) silver hoop earrings.
4. One (1) silver bracelet.
5. Samples of Blood (type O+), Bile, and Tissue (heart, lung, brain, kidney, liver, spleen).
6. Fifteen (15) swabs from various body locations, to be tested for presence of hypochlorite.
7. Eleven (11) autopsy photographs.
8. One postmortem CT scan.
9. One postmortem MRI.
After our investigation, we summarize our findings as follows:
· Identified the attacker’s persistent remote access to the company’s computers.
· The forensic analysis identified that the systems had been compromised.
· OS patches were not installed in some systems.
· Suspected malware was found in the compromised system.
· Identification of that malware and its functionality & aim led us to conclude that it is ‘spamming’ malware.
· Determined the attackers had access to the client’s systems using the malware by supplying in appropriate website link for payment gateway.
Identification
The scene is identified as the following scenario:
The body is presented in a black body bag. The victim is wearing a white sleeveless turtleneck shirt and navy blue sweatpants. Jewelry included two smooth-textured silver hoop pierced earrings, 1-inch diameter, one in each ear, and one 1-inch wide silver expandable wristband on left wrist. A 1.5-inch wide tan belt with green stripes is cinched around the upper neck using the buckle. The opposite end of the belt is tied in a half-hitch knot, which was used to affix it to the crossbar in the closet where the body was found.
The body is that of a normally developed white female measuring 67 inches and weighing 118 pounds, and appearing generally consistent with the stated age of twenty-six years. The body is cold and unembalmed. Lividity is fixed in the distal portions of the limbs. The eyes are open. The irises are brown and corneas are cloudy. Petechial hemorrhaging is present in the conjunctival surfaces of the eyes. The pupils measure 0.3 cm. The hair is dark blonde with lighter blonde highlights, wavy, layered and approximately 11 inches in length at the longest point.
Removal of the belt revealed a ligature mark (known throughout this report as Ligature A) on the neck below the mandible. Ligature A is approximately 1.5 inches wide and encircles the neck in the form of a "V" on the anterior of the neck and an inverted "V" on the posterior of the neck, consistent with hanging. Minor abrasions are present in the area of Ligature A. Lack of hemorrhage surrounding Ligature A indicates this injury to be post-mortem.
Upon removal of the victim’s clothing, an odor of bleach was detected. Areas of the body were swabbed and submitted for detection of hypochlorite. Following removal of the shirt, a second ligature mark (known throughout this report as Ligature B) was observed on the victim’s neck. The mark is dark red and encircles the neck, crossing the anterior midline of the neck just below the laryngeal prominence. The width of the mark varies between 0.8 and 1 cm and is horizontal in orientation. The skin of the anterior neck above and below the ligature mark shows petechial hemorrhaging. Ligature B is not consistent with the belt that caused Ligature A. The absence of abrasions associated with Ligature B, along with the variations in the width of the ligature mark, are consistent with a soft ligature, such as a length of fabric. No trace evidence was recovered from Ligature B that might assist in identification of the ligature used.
The genitalia are that of an adult female and there is no evidence of injury. Pubic hair has been shaved in its entirety within six hours of death. Limbs are equal, symmetrically developed and show no evidence of injury. The fingernails are medium length and fingernail beds are blue. There are no residual scars, markings or tattoos.
We can use the FTK image viewer to analyze the image: click the Viewer Pane and press the CTRL + F keys to open up the Find function. Search for pictures, for example by entering the common term “IMG”.
Figure 2. Search for file artifacts in the MFT (FTK)
In a short while...