LAB/WRITTEN CYBERSECURITY

Part I: Lab Deliverables

Screenshots

This screenshot shows the commands used to mount the evidence source drive as read only and for the working drive to save information as read-write for the evidence file and image to be collected in.

This screenshot shows the creation of a new case using the autopsy tool with the ability to customize the case name, description of the case, and the investigator names.

Using the Autopsy File Analysis tool, this screenshot shows all files that have been deleted or have the ability to be recovered from the evidence.

This screenshot shows the Keyword Search analysis tool under the Autopsy analysis that allows full searching of the forensic image and the individual files/directories within the image for finding evidence of interest for specific keyword searches.

This is a screenshot of the Event Sequencer in the Autopsy analysis tool that allow investigators to create a timeline of events and create a sequence with the ability to add specific notes

Log of Forensic Analysis

Date 1:used the root terminal to mount evidence from the source drive- the source drive was a read only files

Date 2: used the root terminal and configured the file then use the dd to generate the dd image or copy of the original to avoid evidence tampering

Date three; started the autopsy to verify the contents and found the harsh values do not match

Date 4: after the harsh value difference, I started conducting evidence analysis, the contents, and imagined the possible scenario.

C. Report Letter to the Professor

Date: 27th march 2014

Dear Professor,
RE: DIGITAL FORENSIC REPORT LETTER

Following the request for analysis report and the digital evidence provided in a case in which Mr. Joey Lawless was suspected to be colluding with the Barzini family to commit a crime; I hereby present to you my report letter. My department performed a compete forensic examination as required by practice such as log report and evidence analyses.

During the analysis, all the digital evidence analyze through Autopsy Forensic Browser 2.20 pointed at a possible communication between Mr. Joey Lawless and the Barzini family. While there is no direct communication with Barzini, it is healthy to assume that Mr. Barzini could have used ban alias, and in some case using his real name t talk to Mr. Joey Lawless. All the steps were photographed for evidence and backup. All the media types found were copied into a DD image.

Even through the process was smooth, it was difficult to establish a Linux environments and this causes the team many wasted hours. Additionally, the harsh value of the digital image of the suspect drive was different from the harsh value of the actual evidence and these only points at evidence tampering.

Youth faithfully

Daren court

Part II: Lab Questions

Based on the Request for Analysis pdf document, come up with five keywords that would be good to search for in this investigation.

For this investigation, it is important to use relevant keywords that could be used to pull up the required research. Therefore, names such as Emilio, Barzini, Joey Lawless, media, emails are the right key words.

Emilio is not a common name and any communication n between Mr. Joey Lawless could be done using Emilio as the key word. For example, any search query using the key word Emilio producing the search words would indicate that Emilio who is sauced must have collaborated with the Mr. Joey Lawless

Barzini: Emilio would have used Barzini as an alternative name in has email communication with Mr. Joey Lawless; therefore, this is the second most important search term.

New Jersey: the Barzini crime family live in new jersey making new jersey an important key words that could direct the investigators towards the Bernini family. If a query produces new jerry, then the Barzini family or one of the members must have been participating with Mr. Joey Lawless

Media: the media refers to the files shared between Mr. Joey Lawless and the alleged Barzini family member. It is therefore important to look for files, both embedded in emails. 5this can be retrieved from the download folder, or the computer search history

The cookies- Barzini family can be retrieved from the cookies. This means that the cookies could have come from the Barzini family computer, website, or intranet.

What is the hash value of the forensic image during verification of the evidence in Autopsy? You must attach your screenshot for the hash value you obtained during the lab. Does it match the information provided in the Request for Analysis? What is the significance of the hash values matching?

The harsh values of the forensic image during the verification of the evidence in the autopsy are 20179E888CEA0DDF2D5C174BE673034D. This is quite different from the harsh value that was obtained during the request for analysis- fd4d351a9ef12525dcd66ba2cf0055. The brains of the harsh values are that they are used to determine if there has been any alteration of the forensic image. Th4e difference between the two harsh values may have been causes by an alteration or the analysis of a wrong forensic image or evidence

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s