Final Assignment
Austin Ticknor
University of Advancing Technology
4/22/2016
Table of Contents:
Page one
Page two
Page three
Page four: Prime suspect revealed for accessing sales website and no.1 suspect cleared
Page five: confirmed
Page six: Additional details
Page seven: Final confirmation of suspect revealed and identified and conclusion
Page eight: Reference Page
each copy was a match to its original counterpart. For this comparison I will be
using the tool MD5 Summer version 1.2.0.11.
Based on this comparison of 2 sets of MD5 hash values, it can be said that the
copied files are a perfect match to the original files.
The first thing I did to start the forensic analysis of the pcap files was to open
the tool called Network Miner version 2.0. I then placed the 7 files that I was given
into the tool for analysis. I then decided that because this was a crime of images
that I would sweep the images of each file looking for the child pornography to
document. I found one illicit image hiding in plain sight that was very hard to notice
due to its small picture size. But I found it.
I was able to look at the file location and use its tracking spot to find the IP address
that it came from.
And as it turns out, not only did the IP address contain traffic and the TCP protocol
that matched the picture's data, but I also found that Charlie and Terry had both
accessed the picture. Jo's name was nowhere near the IP address. Thus the illegal
material on the computer could not have come from Jo. Jo is clean of any
involvement.
Since Charlie and Terry had sent the picture around, they both have their hands
dirty for processing illegal material. Since only one photo was found, it is likely that
more are on this pcap file, but are unable to be found due to special measures of an
unknown nature that were taken.
As for who sold the laptop, I checked the sessions tab and specified Craigslist in the
search, and only one name came up in the search. Terry.
Terry has been on Craigslist many different times, so it's only fair to surmise that it
was he who sold the laptop. It's unclear why he sold the laptop, but it's somewhat
likely that Terry stole the laptop and sold it with child pornography that he put on
there. But to make sure this is the case and the Network Miner tool isn't broken, I
decided to get a second opinion on the subject by parsing the files with a second
tool for comparison. The second tool is called Wireshark version 2.0.2.
So what I did then was put the 7 .pcap files into Wireshark for analysis to
make sure that the information found here is the same or different from Network
Miner. The first comparison I needed to make was to make sure that the IP address
carrying the one image that was found does indeed contain the image and was
indeed accessed by Terry and Charlie with an IP address match-up. So what I did
was put in a filter for the TCP protocol and used it to scroll down until I found the IP
address that contained the illegal material. I then proceeded to check the IP address
that was interacting back and forth with the illicit IP address and compared it with
Network Miner. From what I saw in Wireshark, the IP address that contained the
image in Network Miner has been interacting with an IP address associated with the
employee Charlie and no one else.
This is strange because Network Miner says that both Charlie and Terry had
access to the image, which can only mean one thing: that Charlie and Terry both
had access to it, but Charlie had greater access to it before the computer was sold
off on Craigslist by Terry.
To confirm this theory, I went back to Wireshark and looked up the online
traffic involving Craigslist. This way we can double confirm that Terry is indeed the
one who sold the computer.
Also just to make sure that the traffic seen on the screen is accurate, I scrolled down
into the details of the IP address connections.
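The "search the sessions for Craigslist" step described above, done programmatically rather than in Network Miner's or Wireshark's GUI, as an added example that is not part of the original report: a minimal classic-libpcap parser that walks Ethernet/IPv4/TCP frames and reports which client IPs sent HTTP requests whose Host header matches a keyword. The capture is constructed inline; its addresses are placeholders, and the hostnames merely stand in for the site named in the report.

```python
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic; build_pcap writes it little-endian

def _ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_packet(src, dst, payload):
    """Ethernet + IPv4 + TCP frame; checksums left zero, enough for a parser demo."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ipv4(src), _ipv4(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # 24-byte header, linktype 1 = Ethernet
    for i, f in enumerate(frames):  # each record: ts_sec, ts_usec, incl_len, orig_len, then the frame
        out += struct.pack("<IIII", 1461000000 + i, 0, len(f), len(f)) + f
    return out

def tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, payload) for every IPv4/TCP frame in a libpcap file."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[pos:pos + 16])[2]
        f = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # skip anything that is not IPv4 over Ethernet carrying TCP
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack("!H", f[16:18])[0]
        t = 14 + ihl
        doff = (f[t + 12] >> 4) * 4  # TCP header length from the data-offset nibble
        yield ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34])), f[t + doff:14 + total]

def clients_for(pcap, keyword):
    """Client IPs that sent an HTTP request whose Host header contains keyword."""
    hits = defaultdict(set)
    for src, _dst, payload in tcp_payloads(pcap):
        for line in payload.split(b"\r\n"):
            if line[:5].lower() == b"host:":
                hits[line[5:].strip().lower().decode(errors="replace")].add(src)
    return {ip for host, ips in hits.items() if keyword.lower() in host for ip in ips}

# Constructed sample capture (placeholder addresses, not values from the report).
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    build_packet("10.0.0.9", "198.51.100.8", b"GET /sys HTTP/1.1\r\nHost: sfbay.craigslist.org\r\n\r\n"),
    build_packet("10.0.0.5", "198.51.100.8", b"GET /about HTTP/1.1\r\nHost: www.craigslist.org\r\n\r\n"),
])
```

On a real capture, read the file with `open(path, "rb").read()` and pass it to `clients_for`; the result only attributes traffic to an address, so mapping that address to a person still needs DHCP or account evidence, as the report's own IP-to-employee step implies.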