Вы находитесь на странице: 1из 21

IT Attack Project

Massoud Rahimzadeh 924302
Ali Raza 924318
Table of Content
1. Executive Summary
2. Objectives
3. Evidence Analyzed
4. Tools used
5. Steps were Taken
6. Relevant Findings
7. Timeline
8. Conclusion
Executive Summary
Forensic analysis on the suspicious computer were performed
Evidences which show illegal usage based on WackoPickos of
the suspicious computer were gathered
Many files had been deleted which recovered and stored as
Report was created and would be supported by the
investigation team
A copy of the hard drive row image in .dd format was stored
and would be submitted to the company as record and also
further investigation
The owner of some suspicious recovered files couldnt be
detected because of the lack of capabilities in free tools
Forensic Analysis over the suspicious companys computer
Create images .dd and .ex1 for record
Gather as much evidences as possible
Time-line analysis
Submit and support the report and evidences in front of the
companys lawyer
Evidences Analyzed
File types: images, videos, audios,
Installed programs
Web activities history
Downloads History
Devices attached
Emails and documents
Tools were used
Deft 8.2
Sleuth kit
Autopsy 2.24
Autopsy 3.1.3
Steps were taken:
Research and select appropriate tools for forensic analysis in this case
Taking over the suspended computer
Installing deft 8.2 as our major forensic tool on virtual machine
Attach the suspended computer hard drive to the new Lubunto machine
Using Guymager in order to create images from the hard drive (.dd, .ex1
and .ex2)
Unattached the suspended hard drive
Using Autopsy 2.24 as a complete tools package for forensic analysis
Recovering deleted files
View and investigate among the file types
Analyzing the web and download activities (Autopsy 3.1.3 windows version)
Producing the time-line and drive suspicious events
Creating reports using Autopsy 3.1.3
Presenting the evidences and reports to the WackoPickos lawyer
Relevant Findings
File Types: Images, videos and Documents were discovered.
Web Activity
Download history
Email Addresses
Device attached
File Type Recovery
Illegal software used
Boinc Software
Activity Time Line
The Employee Frank has used the system for personal
use and install some illegal software and also deleted the
He also tried to remove all the traces
We have got all the evidence of illegal activates and
personal usage of company system