Digital Forensics
In this course I was introduced to the basic concepts and technologies of digital forensics. I learned the fundamental techniques and tools utilized for collecting, processing, and preserving digital evidence on computers, mobile devices, networks, and cloud computing environments. I also engaged in oral and written communication to report digital forensic findings and prepare court presentation materials.
By the end of this course I was able to:
- Recognize the duties of a digital forensic investigator and the requirements of a lab environment.
- Utilize data collection tools and methods to recover and identify the digital forensic artifacts left by attacks, using forensic analysis software such as EnCase, FTK, and Autopsy to acquire and validate evidence.
- Utilize appropriate methods to preserve the integrity of digital evidence and acquire a forensically sound image.
- Analyze different types of digital evidence to extract the related information important to a case under investigation.
- Prepare evidence, findings and results of analysis in a digital forensic report.
Case Study:
Case Scenario: You were hired as a forensic expert to investigate alleged contact between US and Russian officials. The owner of the laptop and phone has “lawyered up” and is not saying anything about what they were doing or any meetings that may have happened. You performed a forensic analysis on the laptop and cell phone of a high ranking US government official. You are now writing your official report to the prosecutor as evidence that may go to court in the future. During the investigation you found the following:
- On the phone – a text confirming a lunch meeting on 2/15/20xx and the phone number was labeled “Red Ralph” in the contact list.
- On the laptop – several email communications about meetings and payment for “consulting services” between the official and RedRalph@gmail.com.
- On the laptop – several deleted zip files of classified material that web logs show were uploaded to a file sharing site. It is not clear if they were downloaded by anyone.
Official Report
Case Identifier: 2211
Case Investigator: Michael Scott
Identity of the Submitter: Dwight Schrute
Date of Receipt: 04/04/23
Items of Examination:
– Cellular Device
o Name: Charlie Sparrow
o iOS Version: 16.3.1
o Model Name: iPhone 14 Pro
o Model Number: MWQC3ML/A
o Serial Number: W17ZMY9NM6XF
– Personal Laptop Computer
o OS Name: Microsoft Windows 11 Pro
o Version: 10.0.44400 Build 44400
o Device Name: Charlie’s laptop
o System Model: Surface Book 4
o System Type: x64-based PC
o Model Number: 1800 i4
o Serial Number: 000192837273
Findings and Report (Forensic Analysis)
– Cellular Device:
o On April 3, 2023, Officer PaulyD obtained a search warrant from the US District Courts in Eastern Virginia.
o Acquired tools for examination:
– SIM card reader
o The forensic examination officially began once the search warrant was obtained.
– Location of the device: the mobile device was found on the person (Charlie Sparrow) at the time of her arrest, on April 2, 2023.
– Status of device: The first step was to assess the condition of the device. This is a crucial first step, as it determines how the investigation will be conducted. The mobile device was powered on with a battery status of 72% and connected through the mobile network carrier Version. The device was locked and required a passcode or biometric face recognition to unlock.
– SIM card: The card was inserted when the device was collected.
o Preservation:
– The first step to preserving data from the mobile device was to isolate it from the network. This prevents any remote access to the mobile device and its data. Because we did not yet have a passcode, Officer PaulyD swiped up on the lock screen and turned on airplane mode.
The chain of custody is documented as follows:
– Officer PaulyD removed the mobile device from the person (Charlie Sparrow) during arrest at her place of residence: 23947 Hammer Communist Lane, Red Town VA, 34789, on April 2, 2023.
– From there the device was switched to airplane mode at the residence and bagged by Officer PaulyD as evidence that same day.
– Officer PaulyD transported and stored the mobile device evidence in a locked evidence storage room at the police station in Red Town, VA that same day at 16:30. An affidavit for the mobile device was filed that same day by Officer PaulyD with the US District Courts in Eastern Virginia.
– Digital Investigator Michael Scott received a notice from Officer PaulyD, on March 3, 2023, that a search warrant had been issued by the courts for the mobile device held in evidence.
– Digital Investigator Michael Scott retrieved the mobile device on March 3, 2023, and started his examination.
o Acquisition
– Digital Investigator Michael Scott first removed the SIM card and made a replica image of the SIM card found in the mobile device. This is standard procedure in a digital forensic examination: the SIM card image is examined, while the original SIM card is kept intact in evidence storage. Next, Digital Investigator Michael Scott placed the image into a SIM card reader to gather the user’s identity, personal security keys, contact list, and stored text messages.
Documented Message:
Contact Name: Red Ralph
Phone Number: +7 (239) 122-9482
Date: February 15, 2023
To: Charlie Sparrow, from: Red Ralph
Message:
“Meeting today at the model lobby @ 1800. I will be wearing a blue jacket with a red scarf. Carry a red purse and sit in the lobby waiting while reading the newspaper. Leave your purse visible and open.”
Personal Computer:
On April 8, 2023, Investigator Scott began the forensic imaging process of the Microsoft Surface Book 4. A warrant for the device was obtained on April 3, 2023.
– Location of the device: found at the suspect’s home of residence.
– Status of the device: Powered off and plugged into a charger with a battery life of 100%.
– The device had only one user account, and it required a passcode to log in as the user Charlie.
o Preservation
– On April 3, 2023, at the residence of Charlie Sparrow, Officer PaulyD disconnected the laptop from the Wi-Fi and transported it to the police station. He then stored the evidence in the proper locked locker. Investigator Michael Scott needed to wait until the warrant was obtained to start the investigation.
o Acquisition
– Digital Forensic Investigator Michael Scott started the investigation on April 8, 2023.
– He first removed the drive from the suspect’s computer. Then he connected the suspect’s drive over USB to perform a static acquisition of the drive. The software tool AccessData Forensic Toolkit (FTK) was used to capture the static state of this device. Scott made two copied images of the drive through write blockers. He then created a storage folder on the target drive at C:\Work\Cases\Case2211.
– The image type selected was Raw (dd).
– Then Investigator Scott used FTK to calculate a SHA-1 hash for the original drive to provide integrity for the investigation. This creates a digital fingerprint for the image file.
– Once a copy of the image file had been completed, Investigator Scott used the forensic software tool OSForensics to start a new case.
– After starting a new case, he mounted the image file from C:\Work\Cases\Case2211 in the software program.
– Then he created an index with sparse acquisition to capture only emails and attached documents. Once the mounted image file had been indexed, Investigator Scott searched the index with the search term “consulting services”. The search returned many emails exchanged with RedRalph@gmail.com. Below are the emails found.
———Original Message——–
To: Charlie Sparrow
From: Red Ralph
Date: January 28, 2023, 13:24 (-5:00 EST)
Subject: Consulting services
Hello Ms. Charlie,
Denise Willington gave me your contact information regarding possible services you can provide. I am interested in becoming one of your clients.
———Original Message——–
To: Charlie Sparrow
From: Red Ralph
Date: February 02, 2023, 18:24 (-5:00 EST)
Subject: Consulting services
I will wire the payment for your services soon. I will message you the details of the meeting via iMessage.
o Recover Deleted Files
– Using Deleted File Search in the OSForensics GUI menu, Investigator Scott searched the image file for any related files that had been deleted. He did a general search scanning the MFT and then searched for the string “Classified”. Two deleted documents were found. Below are the contents of the files:
Document 1:
———Classified——–
The attachment to this document contains the software program you have asked for.
Document 2:
———Classified——–
Payment has been received. Please destroy all evidence of our correspondence.
Conclusion
o In conclusion, all data provided in this report holds integrity. We have ensured this by:
– Documenting the chain of custody
– Creating images of the original data
– Providing a validated hash for the image file
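The integrity claim above rests on the acquisition steps described earlier: a raw (dd) image, a SHA-1 fingerprint of the source drive, working copies made through a write blocker, and a documented chain of custody. The script below is an added example (not part of the original report and not FTK or OSForensics code) that shows how an examiner verifies that each working copy matches the source hash and records the result as custody entries; the image bytes and the examiner label are constructed placeholders, and the case number follows the report.

```python
"""Verify working copies of a raw (dd) image against the source SHA-1 and log custody entries.
Added example; the image bytes below are a constructed stand-in, not evidence data."""
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "drive": a sector of zeros, a marker, and filler bytes.
SOURCE_IMAGE = b"\x00" * 512 + b"CONSTRUCTED-SAMPLE-DATA" + b"\xff" * 512


def sha1_of_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in 1 MiB chunks so multi-GB images are never loaded into RAM."""
    digest = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_copies(source, copies):
    """Return the source SHA-1 and, per copy, a tuple (label, sha1, matches_source).

    A copy whose hash differs must not be examined: the report's integrity claim
    depends on every working image carrying the same fingerprint as the original drive.
    """
    reference = sha1_of_stream(io.BytesIO(source))
    results = []
    for label, data in copies:
        digest = sha1_of_stream(io.BytesIO(data))
        results.append((label, digest, digest == reference))
    return reference, results


def custody_entries(case_id, examiner, reference, results, stamp):
    """Render chain-of-custody lines (one per hash event) for the report's integrity section."""
    lines = [f"{stamp} | case {case_id} | {examiner} | source drive SHA-1 {reference}"]
    for label, digest, ok in results:
        status = "VERIFIED" if ok else "MISMATCH (do not examine)"
        lines.append(f"{stamp} | case {case_id} | {examiner} | {label} SHA-1 {digest} | {status}")
    return lines


if __name__ == "__main__":
    # Copy 2 has a single flipped byte to show how a corrupted or altered image is caught.
    corrupted = bytearray(SOURCE_IMAGE)
    corrupted[600] ^= 0x01
    ref, res = verify_copies(SOURCE_IMAGE, [("copy1.dd", SOURCE_IMAGE), ("copy2.dd", bytes(corrupted))])
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    for line in custody_entries("2211", "Examiner (placeholder)", ref, res, now):
        print(line)
```

In practice the same hash is recomputed again before analysis starts and after it ends, so that the report can show the working image was unchanged throughout the examination.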
o Hardware used in the investigation:
– HP Envy 34-c0000 (2022). Desktop used in the investigation. https://www.hp.com/us-en/desktops/envy-34-inch-all-in-one.html
– SIM card reader with a USB plug.
– USB
o Software used in the investigation:
– AccessData Forensic Toolkit (FTK)
– OSForensics
– Microsoft Office
o Evidence includes:
– A text message from Red Ralph to Ms. Charlie about a meeting in a hotel lobby.
– Emails sent to Ms. Charlie from Red Ralph requesting her services.
– Deleted documents from Ms. Charlie’s computer about providing a software program and receiving a form of payment, while requesting that all correspondence be deleted.
– From the evidence we can show that there was an agreement between Red Ralph and Charlie Sparrow for a software program that she gave to Red Ralph and, in return, she received a form of payment for her services.