CMIT 424 CWU Forensic Report Research Paper

CMIT 424

Central Washington University


Detailed Assignment Description for Forensic Report #2

The purpose of this assignment is to determine if you can 

  • Properly process and handle evidence for a case and perform other case management functions
  • Comply with laws, regulations, policies, procedures, and ethical constraints which apply to a case
    • Develop and document a minimum set of policies and procedures required for the professional practice of digital forensics. (See report outline.)
  • Select and use appropriate digital forensics tools
  • Process an evidence drive by using a forensic tool to view and analyze partitions, folders, and files to answer questions posed by a client and to identify additional questions that should be asked
  • Recover and analyze specific file types and contents
    • Email files
    • Encrypted or password protected files
    • Internet Explorer cache files
    • MS Office documents, spreadsheets, and presentations (including metadata)
    • Windows Registry files
    • Text files
    • Other file types as found in the image
  • Perform keyword driven searches to identify files and other digital artifacts of forensic interest to the case
  • Perform file carving to recover orphaned files and then identify which carved files contain information of forensic interest to the case.
  • Properly recover and handle contraband (adult and child pornography, evidence related to narcotics)
  • Write a reasonably professional comprehensive (full) report of a forensic examination

Required Deliverables:

  • Forensic Report #2 File containing:
    • Transmittal Letter
    • Delivery Package Inventory
    • Forensic Report (Full) and all appendices
  • Chain of Custody Document
  • List of MD5 Hash Values for all files submitted for this assignment

  

CMIT 424 Forensic Report #2 Scenario

James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), contacted you to request additional assistance in handling a sensitive matter regarding the unexpected resignation of a senior employee of his company. In your previous investigation, you learned that Mr. Randell had become concerned about an employee’s resignation after receiving a report that Mr. George Dean (also known as Jeorge Dean), the company’s Assistant Chief Security Officer, left a voice mail tendering his resignation effective immediately.

After agreeing to accept this case, you met face to face with Mr. Randell and Mr. Singh at the PAGS offices in Rockville, MD. At that meeting you executed (signed) an investigation agreement (contract) and received a sealed envelope from Mr. Singh which contained a USB drive. The original copy of Mr. Dean’s signed employment agreement was provided for your inspection by Mr. Singh, but you were not allowed to take a copy with you.

During your meeting with the client, Mr. Randell, and the head of HR, Mr. Singh, you also learned that:

  • PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries, due to their involvement as security consultants to the gaming commissioners. 
  • Before starting work, each employee must sign an employment agreement which includes:
    • Acceptance of restrictions on personal activities (no gambling or gaming in any form);
    • Consent to search and monitoring of computers, media, and communications used by the employee in the performance of his or her duties for the company. 
  • Immediately before his departure, Mr. Dean was using a company-issued laptop in the office as a temporary replacement for his workstation; an empty soft-sided laptop case was found under Mr. Dean’s desk, but the company-issued laptop was not found in the office. 
  • Mr. Dean’s company-provided workstation was sent out for repair earlier in the week; the repair ticket listed repeated operating system crashes as the primary symptom. The IT Support Center reported that the workstation had been infected with a “nasty rootkit” which required a complete wipe and reload of the hard disk (operating system and software applications).
  • The IT Support technician, Ms. Valentina Reyes, has already re-imaged the hard drive for Mr. Dean’s workstation. Per company standard practice, she saved a copy of Mr. Dean’s profile (entire directory) and the user registry file. Ms. Reyes copied the user profile from Mr. Dean’s workstation hard drive to a USB which she provided to Mr. Singh at his request. This USB was placed in a sealed envelope by Mr. Singh.

Your contract with PAGS directs that you examine the contents of the entire USB drive and then prepare a report. The client wants to know if there is any indication of any activities by any persons which would violate the company’s employment agreement (see item #2 above). In addition to your report, you are also required to provide copies of files and information of forensic interest which were recovered by you from the USB drive.

Notes for the Student: 

1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image. The file information, however, should be reported, i.e. file name, file location, and relevant metadata such as MD5 hash and creation, last written, and last accessed dates.

2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.

3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.

4. For the purposes of this assignment, you (the student) are acting in the role of “forensic examiner.” In the grading rubric, actions attributed to “the examiner” are actions that you should (or should not) have taken.

5. You should use any and all information provided in the detailed assignment description for Forensic Report #1 and the results of your examination of the evidence as reported in Forensic Report #1. 

6. Use the following case naming and evidence numbering conventions:

  • Case Names: PAGS01 (Forensic Report #1) and PAGS03 (Forensic Report #2)
  • Evidence Labels: PAGS01_USB and PAGS03_USB

Acquisition / Forensic Imaging Report (USB)

Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using dcfldd’s verify-file option (sudo dcfldd vf=/dev/sdx pattern=00, where sdx is the drive designator for the USB), which reads the whole device back and confirms every byte matches the 0x00 wipe pattern.

Imaging operation was performed using FTK Imager.
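The sterile-media check described above, as an added example (this is not the course's procedure and not part of dcfldd): a Python script that streams the target device and confirms every byte equals the wipe pattern, reporting the first offset that does not, which is what `dcfldd pattern=00 vf=/dev/sdX` asserts. The device path `/dev/sdX` and the demo buffers are assumptions.

```python
"""Verify that target media is forensically sterile (every byte == pattern).

Added example; it reimplements the `dcfldd pattern=00 vf=/dev/sdX` check
so the wipe can be confirmed and the first dirty offset recorded in the
examiner's notes. /dev/sdX and the demo buffers below are assumptions.
"""
import io
import sys

CHUNK = 1 << 20  # 1 MiB reads keep a USB device streaming without large RAM use


def verify_pattern(stream, pattern=0x00, chunk=CHUNK):
    """Return (is_sterile, first_bad_offset, bytes_checked) for a binary stream.

    The stream is compared chunk-by-chunk against a reference block filled
    with `pattern`; on the first mismatching chunk the exact byte offset is
    located so the report can cite it. Works on an open raw device, an image
    file, or an io.BytesIO.
    """
    ref = bytes([pattern]) * chunk
    offset = 0
    while True:
        data = stream.read(chunk)
        if not data:                      # EOF: every byte matched
            return True, None, offset
        if data != ref[: len(data)]:      # cheap whole-chunk compare first
            bad = next(i for i, b in enumerate(data) if b != pattern)
            return False, offset + bad, offset + len(data)
        offset += len(data)


def verify_bytes(data, pattern=0x00, chunk=CHUNK):
    """Convenience wrapper for in-memory data (used by the demo)."""
    return verify_pattern(io.BytesIO(data), pattern, chunk)


def verify_device(path, pattern=0x00):
    """Check a block device or image file, e.g. verify_device('/dev/sdX')."""
    with open(path, "rb") as fh:          # a raw device needs root
        return verify_pattern(fh, pattern)


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python sterile.py /dev/sdX
        ok, bad, n = verify_device(sys.argv[1])
    else:                                 # constructed demo: 3 MiB wiped, one stray byte
        buf = bytearray(3 * CHUNK)
        buf[CHUNK + CHUNK // 2 + 7] = 0x41
        ok, bad, n = verify_bytes(bytes(buf))
    print("sterile" if ok else f"NOT sterile: first non-pattern byte at offset {bad}",
          f"({n} bytes checked)")
```

Run it against the device after the wipe and before the image is written; a non-zero offset means the media must be wiped again, and the offset and byte count belong in the examiner's notes alongside the dcfldd output.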

Note: for your forensic report, you must determine whether or not you will report the imaging operation as onsite or in-lab. In both cases, your chain of custody should show transfer of a USB containing the evidence from the PAGS premises to your forensic lab location. If you perform the imaging operation onsite, you will report that you immediately returned the original media (USB from sealed envelope) to Mr. Singh.

-------------------------------------------------------------

Created By AccessData® FTK® Imager 3.2.0.0 

Case Information: 

Acquired using: ADI3.2.0.0

Case Number: PAGS03

Evidence Number: PAGS03

Unique description: vmdk

Examiner: Instructor

Notes:

--------------------------------------------------------------

Information for C:\CMIT424\PAGS03\PAGS03_12162014:

Physical Evidentiary Item (Source) Information:

[Device Info]

Source Type: Physical

[Drive Geometry]

Bytes per Sector: 512

Sector Count: 20,971,520

[Image]

Image Type: Raw (dd)

Source data size: 10240 MB

Sector count: 20971520

[Computed Hashes]

MD5 checksum: f311a2152887024bdd0b9155b94c4db6

SHA1 checksum: af6c44766b188ece5ff5d91677e8adf11168a61e

Image Information:

Acquisition started: Tue Dec 16 17:08:13 2014

Acquisition finished: Tue Dec 16 17:13:42 2014

Segment list:

C:\CMIT424\PAGS03\PAGS03_12162014.E01

Image Verification Results:

Verification started: Tue Dec 16 17:13:44 2014

Verification finished: Tue Dec 16 17:15:52 2014

MD5 checksum: f311a2152887024bdd0b9155b94c4db6 : verified

SHA1 checksum: af6c44766b188ece5ff5d91677e8adf11168a61e : verified
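The log above is what FTK Imager writes beside the image; the examiner should check it rather than paste it. The following Python script is an added example (not part of the course materials or of AccessData's software): it parses the fields of such a log, confirms that the post-acquisition hashes equal the verification hashes, confirms that sector count times bytes per sector equals the reported source size, and records how long acquisition and verification took. The embedded log is constructed from the values printed on this page; FTK's exact spacing varies, so the parser tolerates a missing space after the colon.

```python
"""Parse and sanity-check an FTK Imager acquisition log.

Added example; not part of the course materials or FTK Imager. SAMPLE_LOG
is constructed from the fields shown on this page for PAGS03_12162014.
"""
import re
import sys
from datetime import datetime

SAMPLE_LOG = """\
Created By AccessData FTK Imager 3.2.0.0
Case Number: PAGS03
Evidence Number: PAGS03
Examiner: Instructor
Source Type: Physical
Bytes per Sector: 512
Sector Count: 20,971,520
Image Type: Raw (dd)
Source data size: 10240 MB
Sector count:20971520
MD5 checksum:f311a2152887024bdd0b9155b94c4db6
SHA1 checksum:af6c44766b188ece5ff5d91677e8adf11168a61e
Acquisition started:Tue Dec 16 17:08:13 2014
Acquisition finished:Tue Dec 16 17:13:42 2014
Segment list:
C:\\CMIT424\\PAGS03\\PAGS03_12162014.E01
Verification started:Tue Dec 16 17:13:44 2014
Verification finished: Tue Dec 16 17:15:52 2014
MD5 checksum:f311a2152887024bdd0b9155b94c4db6 : verified
SHA1 checksum:af6c44766b188ece5ff5d91677e8adf11168a61e : verified
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # FTK's ctime-style timestamp
HASH_RE = re.compile(r"^(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)\s*(: verified)?", re.M)


def field(log, name):
    """Value after 'name:'; FTK is inconsistent about the space after the colon."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.+?)\s*$", log, re.M)
    if not m:
        raise ValueError(f"field not found in log: {name}")
    return m.group(1)


def parse_ftk_log(log):
    """Extract the fields a chain-of-custody check needs."""
    computed, verified = {}, {}
    for algo, digest, flag in HASH_RE.findall(log):
        (verified if flag else computed)[algo] = digest.lower()
    times = {k: datetime.strptime(field(log, k), TIME_FMT)
             for k in ("Acquisition started", "Acquisition finished",
                       "Verification started", "Verification finished")}
    return {
        "case": field(log, "Case Number"),
        "evidence": field(log, "Evidence Number"),
        "image_type": field(log, "Image Type"),
        "bytes_per_sector": int(field(log, "Bytes per Sector")),
        "sectors": int(field(log, "Sector Count").replace(",", "")),
        "size_mb": int(re.match(r"(\d+)\s*MB", field(log, "Source data size")).group(1)),
        "computed": computed,
        "verified": verified,
        "times": times,
        "segments": re.findall(r"^\S+\.E\d\d$", log, re.M),  # image segment paths
    }


def check_ftk_log(log):
    """Cross-check the parsed log; every key here is worth a line in the notes."""
    p = parse_ftk_log(log)
    t = p["times"]
    return {
        "case": p["case"],
        "md5": p["computed"].get("MD5"),
        "sha1": p["computed"].get("SHA1"),
        # the verification pass must reproduce the acquisition hashes exactly
        "hashes_verified": bool(p["verified"]) and p["verified"] == p["computed"],
        # reported size must equal the geometry, or sectors were dropped
        "size_consistent": p["sectors"] * p["bytes_per_sector"] == p["size_mb"] * 1024 * 1024,
        "acquire_seconds": int((t["Acquisition finished"] - t["Acquisition started"]).total_seconds()),
        "verify_seconds": int((t["Verification finished"] - t["Verification started"]).total_seconds()),
        "image_type": p["image_type"],
        "segments": p["segments"],
    }


if __name__ == "__main__":
    # python ftkcheck.py PAGS03_12162014.E01.txt   (or no argument for the sample)
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = check_ftk_log(log)
    for k, v in result.items():
        print(f"{k:17} {v}")
    sys.exit(0 if result["hashes_verified"] and result["size_consistent"] else 1)
```

The page's own log reports Image Type "Raw (dd)" while listing PAGS03_12162014.E01 as the segment; the script returns both `image_type` and `segments` so that discrepancy is reconciled in the examiner's notes rather than copied into the report unexamined.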

Examination of the Evidence (Procedure) for Forensic Report #2

Before You Begin

  • Locate the forensic image file(s) on the share drive in the VDA (H:\Lab Resources\Resources\FR2). This is your evidence file and should be treated as if it were stored on a physical USB that you can move from place to place. 
  • Download and review the outline for the full forensic report with the pre-inserted additional documentation (Transmittal Letter & Delivery Package Inventory). Take particular note of the appendices and additional required information (Policies, Glossary, Equipment / Software list, etc.). You can use the glossary from the previous FR1 template.
  • Download and review the chain of custody form. This file is stored in LEO Week 1 Content.

Note: the Delivery Package Inventory lists the files the examiner has created and is delivering to the client. It is NOT a listing of the evidence files.

Utilize the reporting features of the forensic applications (example: bookmarks) but bear in mind that automated reports do not replace the final forensic report. Use this information, however, to enhance your report in the form of addendums or by inserting relevant information into the report template to illustrate/justify your findings.

Examination Procedure:

  • To begin, start a chain of custody document for this case. List the E01 files by evidence tag number (which you should assign – or, use the file name without the extension) and put the file name in the description column. Include the MD5 hash value for the E01 file. Remember to record the transfer of the USB from the PAGS location to your forensic lab. You should also record that you put the evidence media in a SAFE (for “safe keeping”).
  • Remember to record the movement of the USB from your safe to your lab “for examination.” (From here on in the procedures, it is assumed that you understand when and how to make appropriate entries in the chain of custody.)
  • Launch the forensic tool (software application) that you will use to process your case.
  • Create or Open your case
  • Add the forensic image file to your case.
  • Review the files and folders found in the case.
  • Analyze your recovered files to find answers to the questions presented in the Scenario document for this assignment. Make sure that you keep track of which files support your answers.
  • Export an inventory listing of the forensically interesting files which you will address in the body of your report and prepare the screen snapshots which you will include in Appendix A of your report. (For the purposes of this assignment, you do not need to include the actual files in your assignment submission.) Include your inventory listing as a table in Appendix A.
  • Prepare a Full Forensic Report in which you present a summary of your forensic processing and your findings (answers to the scenario questions). Typically this report ranges from 12-25 pages.
  • Crop and compress any screen snapshots included in your forensic report to reduce the total size of your report file.
  • Compute and report MD5 hash values for all files being submitted as part of your assignment. Include the list of filenames and hash values in the comments section of your assignment submission. Alternatively, you may include these in an attached text file.
  • Attach your forensic report, your transmittal letter, your delivery package inventory, and your chain of custody document to the assignment for Forensic Report #2 and submit it for grading. 
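The hash list required in the submission step above (and the MD5 entries recorded against the E01 in the chain of custody) can be produced and re-checked with the following Python script, an added example that is not part of the course template. It streams each file once to produce both an MD5 and a SHA-1 (the assignment asks for MD5; MD5 collisions are practical, so pairing it with a second digest costs one extra column and strengthens the record), writes one manifest line per file, and verifies a delivery package against the manifest, flagging altered, missing and unlisted files. The file names and contents in the demo are constructed.

```python
"""Build and verify the hash list for a forensic delivery package.

Added example; not part of the course template. Each file is streamed once
to produce MD5 and SHA-1 together; MD5 is kept because the assignment asks
for it, SHA-1 is added because MD5 collisions are practical. The package
contents in the demo are constructed.
"""
import hashlib
import io
import sys

CHUNK = 1 << 20


def hash_stream(fh):
    """One pass over a binary stream feeding both digests; returns (md5, sha1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def digests(obj):
    """obj is raw bytes (demo) or a path on disk (real packages)."""
    if isinstance(obj, (bytes, bytearray)):
        return hash_stream(io.BytesIO(obj))
    with open(obj, "rb") as fh:
        return hash_stream(fh)


def build_manifest(package):
    """package: {delivered name: bytes-or-path}. One '<md5>  <sha1>  <name>' line per file."""
    lines = ["# md5  sha1  filename"]
    for name in sorted(package):
        md5, sha1 = digests(package[name])
        lines.append(f"{md5}  {sha1}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Inverse of build_manifest; tolerates blank and '#' comment lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        md5, sha1, name = line.split(None, 2)   # file names may contain spaces
        expected[name] = (md5.lower(), sha1.lower())
    return expected


def verify_manifest(text, package):
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'} for the package."""
    expected = parse_manifest(text)
    status = {}
    for name, want in expected.items():
        if name not in package:
            status[name] = "MISSING"          # listed but not delivered
        else:
            status[name] = "ok" if digests(package[name]) == want else "MISMATCH"
    for name in package:
        if name not in expected:
            status[name] = "UNLISTED"         # delivered but never hashed
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:   # python hashlist.py Report.docx Transmittal.docx ...
        package = {p: p for p in sys.argv[1:]}
    else:                   # constructed demo package
        package = {
            "PAGS03_Forensic_Report.docx": b"report body (constructed)",
            "PAGS03_Transmittal_Letter.docx": b"transmittal (constructed)",
            "PAGS03_Chain_of_Custody.pdf": b"coc (constructed)",
        }
    manifest = build_manifest(package)
    print(manifest)
    if len(sys.argv) == 1:  # what a post-delivery edit looks like to the verifier
        package["PAGS03_Chain_of_Custody.pdf"] += b" edited"
        print(verify_manifest(manifest, package))
```

Generate the manifest last, after the report and its attachments are final, and keep a copy of it outside the delivery package; the recipient runs the verify step against the files actually received.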

Attachment Preview: Evidence Chain-of-Custody Tracking Form (sample)

Property Record Number: ___XXXX_______
Your Organization / Company, LLC
EVIDENCE CHAIN OF CUSTODY TRACKING FORM

Case Number: ______xxxx_____________
Offense: _________________
Submitting Officer (Name/ID#): Private Investigator Smith, Badge #351
Victim: Joe
Suspect: Fred
Date/Time Seized: 08/20/2016; 0630hrs (MDT)
Location of Seizure: 123 Main Street, Denver, CO 80135

Description of Evidence
Item #  Quantity  Description of Item (Model, Serial #, Condition, Marks, Scratches)
1       1         Verbatim USB Drive, black, 2.0GB, Serial #23097JR2. Marked as “USB02_032816_4-2”.

Chain of Custody
Item #  Date/Time  Released by (Signature & ID#)  Received by (Signature & ID#)   Comments/Location
1       08/21/16   PI Smith, #351                 Examiner, #891920               Released for processing at forensics lab.
1       08/22/16   Examiner, #891920              Jane Smith, evidence custodian  Secured in evidence locker awaiting final disposition.

EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM (Continued)

Chain of Custody
Item #  Date/Time  Released by (Signature & ID#)  Received by (Signature & ID#)   Comments/Location
(continuation rows)

Final Disposal Authority

Authorization for Disposal
Item(s) #: __________ on this document pertaining to (suspect): ____________________________________________ is(are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method)
☐ Return to Owner   ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer: ____________________________ Signature: ______________________ Date: _______________

Witness to Destruction of Evidence
Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ ID#: ______ in my presence on (date) __________________________.
Name & ID# of Witness to destruction: ________________________ Signature: ______________________ Date: _______________

Release to Lawful Owner
Item(s) #: __________ on this document was/were released by Evidence Custodian ________________________ ID#: _________ to
Name: _____________________________________________________________________________
Address: ________________________________________________
City: ____________________ State: _______ Zip Code: __________
Telephone Number: (_____) ___________________________________
Under penalty of law, I certify that I am the lawful owner of the above item(s).
Signature: _______________________________________________________ Date: __________________________
Copy of Government-issued photo identification is attached. ☐ Yes ☐ No

This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
APD_Form_#003_v.1 (12/2012) Page 2 of 2 pages (See front)

Explanation & Answer

Hello, attached is the report. Also find the complimentary Turnitin report. Remember to change your name in the address and in any other part of the report as you deem appropriate. Thank you 😎

Running Head: FORENSICS REPORT PAGS03

Digital Forensics Report PAGS03
Name:
Course:
Instructor:
Date:

Table of Contents
Transmittal Letter
Enclosed Confidential Material
Chain of Custody Worksheet
Executive Summary
Case Summary
Objectives and Questions of the Case
Investigation on Site
    The Suspect’s Computer Examination
    Forensic Image(s) Data Obtained on Site
    Steps
    Lab Work
    Lab Forensic Investigation Activities Summary
        Prior-Processing Activities
        Examination and Analysis of Media
Summarized Findings
    Ethical Guidelines for Employees in the Security Department
    The Do-nots in the DoD
        Summary based on the Executive Order 12674 (The Foundation for Ethical Behavior)
    Conclusions for question/objective 1
Appendix A: Details of Files Recovered
Ethical Guidelines for employees in the security department
Appendix B: Documentation to Support Evidence
Appendix C: Bibliography and Glossary
    Vocabulary Used
    References
Appendix D: Forensics Equipment and Software Used
Appendix E: Policies
Attestation of Anti-Virus Software Use
Policies
    P1: Evidence: Access / Transfer / Return
    P2: Numbering of Evidence
    P3: Verification/Validation
    P4: Sterile Media
    P5: Examinations on Site
    P6: Licensing of Software
    P7: Handling of Evidence
    P8: Chain of Custody
    P9: Shipping and Transmittal of Evidence and Reports
    P10: Evidence Maintenance and Disposal
    P11: Examinations Involving Child Pornography
    P12: Application of Virtualization and Cloud Computing in Forensic Examinations
    Appendix F: For Examiner Credentials


Transmittal Letter
TCamry xxx
Xxxx xxx (Your address)
Tcamry@email.c...

