Table of Contents
Abstract
Section 1: Evidence
  1-A: Thumb Drive Image
    Figure 1: Thumb Drive Hash (MD5)
Section 2: Tools
  2-A: FTK Imager
    Figure 2: Device in FTK Imager
  2-B: Cyohash
Section 3: Investigation Findings
  3-A: Thumb Drive content
    Figure 4: NONAME [FAT16] content
    Figure 5: NONAME [FAT16] [unallocated space]
    Figure 6: 00002 hash value
  3-B: File content
    Figure 3: Time Script
    Figure 4: win32 script
    Figure 5: Override script
    Figure 6: script notation
Section 4: Results
  4-A: Thumb drive
  4-B: files found
  4-C: file content
  4-D: Possible intent
  4-E: Who
Abstract
The Saraquoit Corporation has asked for assistance in investigating a disgruntled employee. They are
concerned that the employee is going to attempt to damage the company's network in some manner.
When searching the employee's office, the company IT department found a company thumb drive and a
digital camera that belonged to the employee in question. The company wants the thumb drive and the
digital camera examined for any evidence suggesting that the employee in question is attempting
to harm the company in some way. Upon completion of the investigation this report will be sent to
Saraquoit IT member Kal Dalil.
Section 1: Evidence
This section covers the evidence provided by the Saraquoit IT department. This is what was
examined and used to determine whether the employee in question had harmful intentions.
Section 2: Tools
This section covers the tools that were used in the investigation. It also covers the manner in which the
tools were used during this investigation.
2-B: Cyohash
This program was used to obtain the hash value of the device, and of the programs used, so that
we could verify that everything was legitimate and unaltered.
The [unallocated space] folder in the partitioned space of the drive contained two files, 00002 and
51202, which appear to have been deleted by the user in an attempt to hide them from investigators.
The 51202 file showed a data size of 23,690, but we were unable to view the data it held. We will
investigate it further if the other data is not sufficient for the company. The 00002 file, however,
contained a large amount of data that we were able to view. The file was hashed to show that it is the
same file that was found on the original drive and not a script written and added later.
Figure 5: NONAME [FAT16] [unallocated space]
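Sections 2-B and 3-A both rely on hashing to show that an item of evidence (the drive image, the recovered 00002 file) is unaltered. The following is an added example of how that check is done, not output from Cyohash or FTK Imager and not part of the original report; the file name and the three-byte sample content are assumptions chosen so that the expected digests are the well-known test vectors.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so a full drive image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_evidence(path, recorded):
    """Compare a file against the digests recorded at acquisition time.

    recorded maps algorithm name -> expected hex digest. Returns (ok, mismatches), where
    mismatches maps algorithm -> (recorded, observed) for every digest that differs.
    """
    observed = hash_file(path, tuple(recorded))
    mismatches = {alg: (recorded[alg], observed[alg])
                  for alg in recorded if recorded[alg].lower() != observed[alg]}
    return not mismatches, mismatches


def demo():
    """Constructed walk-through: verify an image, then detect a one-byte alteration."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "noname_fat16.dd")  # hypothetical image file name
        with open(image, "wb") as fh:
            fh.write(b"abc")  # constructed content; its MD5/SHA-256 are the standard test vectors
        # Digests "recorded" when the image was first acquired (the known values for b"abc").
        recorded = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
        ok_before, _ = verify_evidence(image, recorded)
        with open(image, "ab") as fh:
            fh.write(b"\x00")  # simulate an altered copy: a single appended byte
        ok_after, mismatches = verify_evidence(image, recorded)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

Recording more than one digest (MD5 alongside SHA-256) costs one extra pass over the same chunks and means a collision against a single weak algorithm cannot be used to dispute the chain of custody.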
The above script seems to be extracting files that were created within a specific time period. This could
be anything from old financial records to employee files. These company records could cause a great
deal of damage to the company as well as to its current and former employees.
The above script seems to be used to access the win32 file on a system; that is, it accesses the operating
system of the computer. The author seems to be trying to gain control of the computer system.
The above script seems to be overriding and extracting paths and log information.
Figure 6: script notation
The above notation from the script shows that the script may be used for malicious intent.
Section 4: Results
This section covers the final results of the investigation. Based on these results the investigators
4-E: Who
The drive was found in Vogon's office and he was described as disgruntled by the company's HR
department. These facts mark him as the prime suspect of the investigation. In order to tie Vogon to the
drive and prove his motives we need to be able to prove that Vogon had in fact at least tried to use the
drive in some way. We could get the log records of the company's network to see if the drive was plugged
in on any company computer in the building where Vogon worked. By searching for the drive signature in
the system logs we would be able to see where it was used, and then use surveillance cameras to place
him at that computer at the time the drive was used.