
Running head: Midterm Practical 1

Midterm Practice

Livia Nguyen

CFR105

Professor: Frank Griffits

June 30, 2017



Summary
The thumb drive and the memory dump, taken from the Canon digital camera located on top of
Steve Vogon's desk, contain evidence showing that it was Steve Vogon who took the photographs
of Saraquoit Corporation's confidential data. Mr. Vogon developed a script called xfer.pl, which
allowed him to secretly take that confidential data and transfer it over the network to another
location to which he had access. There is activity showing that Steve Vogon encrypted and
reformatted his thumb drive to hide this data and avoid getting caught. The data recovered from
the thumb drive also yielded information on two other individuals, Catherine Lagrande and
Matthew Geiger, who could also be involved in this case with Mr. Vogon.

In regard to the USB thumb drive image that you have been provided with, were there
any steps taken or actions performed to conceal the drive's contents? If so, what were
they?

The copy of the USB thumb drive image appears to be an empty FAT16 file system, but
further analysis shows hidden files in the unallocated space that can be recovered
using file carving techniques. The thumb drive appears to have been reformatted,
because there are no file system entries for any of the files.

The thumb drive contains an encrypted container. The executable file on the thumb
drive has been concealed by compressing it with the Ultimate Packer for Executables
(UPX). It also gives hints on the location of the encrypted container, which appears
to be E:\secret, as seen in the memory dump.

Figure 1: The memory dump shows the encryption and the location of the encrypted
container in E:\secret

What files were found on this disk? How did you recover them?
Please provide a full explanation for each file found on the USB thumb drive,
including file type, contents and purpose.

All files on the thumb drive were collected manually using file carving techniques.

Name                    Description                                                Location

Secret                  TrueCrypt container                                        Memory dump
Keyfile                 Keyfile for the Secret TrueCrypt container                 Thumb drive
xfer.pl                 Perl script source code within the TrueCrypt container     Memory dump
Expedia web page        Web page summarising who purchased the three round-trip    Thumb drive
                        tickets from Washington DC to Liberia; it shows that
                        Steve Vogon, Catherine Lagrande and Matthew purchased
                        the tickets
PAR packed executable   Executable version of xfer.pl created using the Perl       Memory dump
                        Archive toolkit (PAR)
upx.exe                 Utility to UPX-compress executables                        Memory dump
wget.exe                Command-line utility to access web sites                   Memory dump
libeay32.dll            Component of the OpenSSL toolkit (OpenSSL shared library)  Memory dump
ssleay32.dll            Component of the OpenSSL toolkit (OpenSSL shared library)  Memory dump
libintl3.dll            Required by wget (GetText: library and tools for native    Memory dump
                        language support)
libiconv32.dll          Required by wget (LibIconv: converts between character     Memory dump
                        encodings)

Figure 2: Recovery of the Keyfile.wav file located on the thumb drive

Figure 3: upx.exe

Figure 4: wget.exe

Figure 5: wget.exe

Figure 6: libeay32.dll

Figure 7: ssleay32.dll

Figure 8: libintl3.dll

Figure 9: libiconv32.dll

Recovery of files from the thumb drive requires manual carving through the
unallocated space, because most tools cannot distinguish some of the many file
types that exist. Figure 10 shows the start of the encrypted container; because an
encrypted container carries no signature of its own, its end must be taken as the
point where a known header signature indicates that a new file starts. Automated
file carving also has limitations: the PAR file contains compressed data and will
be carved as a ZIP file instead.
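The carving approach described above, as an added example that is not part of the original report: a Python script that scans a raw image for the header signatures of the file types the report recovered (JPEG, GIF and ZIP, the last being what a PAR archive carves as), bounds each file by its footer where the format has one and otherwise by the next known header, and flags any high-entropy region left between carved files as a candidate encrypted container, since a TrueCrypt volume has no signature to search for. The sample image is constructed inline and is not the evidence image; the signature byte values are the standard ones.

```python
"""Signature-based file carving over a raw drive image (added example).

Demonstrates the two points the report makes about the thumb drive:
  * files with no FAT16 directory entry can still be recovered from
    unallocated space by locating their header signatures;
  * an encrypted container has no signature of its own, so its end can only
    be bounded by the next known header (or the end of the image).
The sample image below is constructed inline; it is not the evidence image.
"""
import hashlib
import math

# Standard header signatures.  PAR archives are ZIP-based, so they carve as ZIP.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}
# Footers, where the format has a simple one; ZIP has none we can rely on.
FOOTERS = {"jpeg": b"\xFF\xD9", "gif": b"\x00;"}


def find_headers(image: bytes) -> list:
    """Return (offset, kind) for every header signature hit, sorted by offset."""
    hits = []
    for sig, kind in SIGNATURES.items():
        pos = image.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(sig, pos + 1)
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 0.0 for one repeated byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve(image: bytes, min_blob: int = 512, entropy_threshold: float = 7.0):
    """Carve signed files and flag unsigned high-entropy regions.

    Returns (files, candidates): files is a list of (start, end, kind) for each
    carved file; candidates is a list of (start, end, entropy) for every non-zero
    region between carved files that looks like ciphertext.
    """
    headers = find_headers(image)
    files = []
    for i, (start, kind) in enumerate(headers):
        # Without a footer the file can only be bounded by the next header.
        end = headers[i + 1][0] if i + 1 < len(headers) else len(image)
        footer = FOOTERS.get(kind)
        if footer:
            fpos = image.find(footer, start + 4, end)
            if fpos != -1:
                end = fpos + len(footer)
        files.append((start, end, kind))

    candidates = []
    cursor = 0
    for start, end, _ in files + [(len(image), len(image), "eof")]:
        gap = image[cursor:start]
        # Strip the zero-filled free space on either side of the gap.
        lead = len(gap) - len(gap.lstrip(b"\x00"))
        trail = len(gap) - len(gap.rstrip(b"\x00"))
        g_start, g_end = cursor + lead, start - trail
        if g_end - g_start >= min_blob:
            ent = shannon_entropy(image[g_start:g_end])
            if ent >= entropy_threshold:
                candidates.append((g_start, g_end, round(ent, 2)))
        cursor = end
    return files, candidates


def build_sample_image() -> bytes:
    """Constructed stand-in for a reformatted FAT16 data area (not the evidence image)."""
    free = b"\x00" * 1024
    # Deterministic pseudo-random bytes standing in for an encrypted container.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    for sig in SIGNATURES:  # make sure the blob contains no accidental header
        blob = blob.replace(sig, b"\x00" * len(sig))
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"A" * 200 + b"\xFF\xD9"
    zipf = b"PK\x03\x04" + b"B" * 300
    return free + blob + free + jpeg + free + zipf + free


if __name__ == "__main__":
    files, candidates = carve(build_sample_image())
    for start, end, kind in files:
        print(f"{kind:5s} {start:#08x}-{end:#08x} ({end - start} bytes)")
    for start, end, ent in candidates:
        print(f"unsigned high-entropy region {start:#08x}-{end:#08x}, entropy {ent}")
```

The ZIP in the sample shows the limitation the report notes for formats without a footer: it is carved up to the end of the image and so includes the trailing free space, which a later tool (or a parse of the ZIP central directory) has to trim.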

Figure 10: Start of the encrypted container on the thumb drive

Figure 11: ZIP file signature

Based on your previous findings, please determine what Steve Vogon's intentions
were.
Did Steve Vogon act on his intentions? If so, what did he do? How can you prove
this?

All of the evidence collected shows that Steve Vogon took the Keyfile belonging to
Saraquoit Corporation and used a customized program, found in the memory dump, to
transfer files to a remote location on the Internet. The information captured by
Steve Vogon contained Saraquoit Corporation's intellectual property, including files
such as topsecret.gif and secretplans7.jpg, which were copied from the company
network host with IP address 172.16.109.34, from the folder named Secretplans mapped
locally as the X: drive, as shown in Figure 12.

Figure 12: Evidence in the memory dump showing the file transfer from 172.16.109.34
and Secretplans.

This finding is supported by data from the SMB connection found at decimal offset
0x36096192 in the memory dump, by the remaining filenames recovered from memory, and
by an active network connection on TCP port 445 (the port used for direct-hosted
Microsoft networking over TCP/IP), recovered from the memory dump using FTK Imager.

Figure 13: SMB connection

Example: \WINDOWS\system32\cmd.exe - copy X:\Secretplans\topsecret.gif T:

Further forensic examination of the memory dump using the keyword secretplans shows
that secretplans2.jpg, secretplans4.jpg, secretplans5.jpg and secretplans6.jpg were
also copied.

Figure 14: Example showing secretplans7.jpg being transferred using svxfer.exe to the
X: drive
Data from the memory dump indicate that the xfer program customized by Steve Vogon
was executed multiple times. A prefetch file,
C:\WINDOWS\Prefetch\SVXFER.EXE-2DAB52DD.pf, was found, indicating that svxfer.exe
had been executed.

Figure 15: Prefetch file

The memory dump also contains sections of the HTTP communication with the host
listed in the customized xfer.pl program created by Steve Vogon. Figure 16 shows
the segment in which the secretplansN.jpg and topsecret.gif files are acknowledged,
letting the program know that the file transfer completed successfully. There is
also a Cval= string encoded in Base64, which carries the payload of the xfer.pl
operation. When this string is decoded, the result is a JPEG file whose header
information states the source of the image as a Canon PowerShot SD400 and that the
photograph was taken at 21:48:41 on 10/22/2007. The camera could be owned by
Steve Vogon, as it was located on his desk at the scene.
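The Cval decoding step described above, as an added example that is not part of the original report: a Python script that pulls the Cval= parameter out of a captured HTTP body, Base64-decodes it, checks that the result starts with the JPEG SOI marker, and reads the Make, Model and DateTime tags from the EXIF APP1 segment. The HTTP body and the JPEG inside it are constructed inline so that the script runs offline (the camera model and timestamp are the values the report states; the builder exists only to make the example self-contained), and the parameter name Cval= is the one the report mentions.

```python
"""Recovering camera metadata from a Base64 'Cval=' parameter (added example).

Walks the step the report describes: find the Cval= value in captured HTTP
traffic, Base64-decode it, confirm the result is a JPEG, and read the Make,
Model and DateTime tags from its EXIF APP1 segment.  The HTTP body and the
JPEG are constructed inline so the script runs offline; they are not the
evidence from the memory dump.
"""
import base64
import re
import struct
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

# IFD0 tags reported here.  DateTime (0x0132) lives in IFD0; the separate
# DateTimeOriginal tag sits in the Exif sub-IFD, which this example does not walk.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def extract_cval(body: bytes) -> Optional[bytes]:
    """Return the Base64-decoded Cval= value, or None if the body has none."""
    m = re.search(rb"Cval=([A-Za-z0-9+/=%]+)", body)
    if not m:
        return None
    # The value may be URL-encoded ('+' as %2B, '=' as %3D) when sent as a form field.
    return base64.b64decode(unquote_to_bytes(m.group(1)))


def parse_tiff(tiff: bytes) -> Dict[str, str]:
    """Read the ASCII tags of interest from IFD0 of the TIFF structure inside an Exif segment."""
    order = tiff[:2]
    if order not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte-order mark")
    endian = "<" if order == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    tags = {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if typ == 2 and tag in TAG_NAMES:  # type 2 = ASCII
            # Values of 4 bytes or fewer are stored inline in the entry itself.
            raw = tiff[val:val + n] if n > 4 else tiff[e + 8:e + 8 + n]
            tags[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def exif_tags(jpeg: bytes) -> Dict[str, str]:
    """Walk the JPEG marker segments until the Exif APP1 segment and parse it."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more header segments
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return parse_tiff(seg[6:])
        pos += 2 + seg_len
    return {}


def recover_camera_info(body: bytes) -> Dict[str, str]:
    """End-to-end: HTTP body -> Cval value -> JPEG -> camera tags."""
    jpeg = extract_cval(body)
    if jpeg is None:
        return {}
    return exif_tags(jpeg)


def build_exif_jpeg(make: str, model: str, datetime: str) -> bytes:
    """Constructed minimal JPEG (SOI + Exif APP1 + EOI), used only as sample input."""
    entries = [(0x010F, make), (0x0110, model), (0x0132, datetime)]
    data_offset = 8 + 2 + 12 * len(entries) + 4  # TIFF header + count + entries + next-IFD link
    ifd, payload = struct.pack("<H", len(entries)), b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        ifd += struct.pack("<HHII", tag, 2, len(raw), data_offset + len(payload))
        payload += raw
    ifd += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + payload
    app1_body = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1_body) + 2) + app1_body + b"\xFF\xD9"


# Constructed HTTP request body: the camera model and timestamp are the values the
# report states, and the file name is one the report lists.
SAMPLE_BODY = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"file=secretplans7.jpg&Cval="
    + base64.b64encode(build_exif_jpeg("Canon", "Canon PowerShot SD400", "2007:10:22 21:48:41"))
    + b"\r\n"
)

if __name__ == "__main__":
    print(recover_camera_info(SAMPLE_BODY))
```

On a real capture the same call is made on the bytes of the HTTP body recovered from the memory dump; if the decoded value does not start with FF D8 the function raises, which is the check that separates an image upload from some other Base64 blob.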

Figure 16: The image shows the successful transmission and the Cval Base64-encoded
strings.

While the above information is necessary, it is of no value if it cannot be tied to a
specific individual. Saraquoit Corporation suspects that Steve Vogon was a
disgruntled employee and may have performed malicious acts against the company.
However, they need proof of this. Please provide detailed information based on your
findings that would tie Steve Vogon (or others) to the contents on this thumb drive.

The data recovered from the thumb drive mentions Steve Vogon's name, indicating that
he is involved in a data theft plan. The xfer.pl file was specifically developed and
customized to Steve Vogon's requirements, as the error messages and input prompts in
the Perl script use his name. The Expedia web page discovered on the thumb drive also
contains flight information for Steve Vogon, Catherine Lagrande and Matthew Geiger.

Figure 17: Flight information on Steve Vogon from the thumb drive

To determine whether the photo transferred using the xfer.pl program developed by
Steve Vogon was taken with the Canon PowerShot SD400, the camera information in the
photo should be compared with the camera found on Steve Vogon's desk, in order to
prove that his camera was used to photograph the stolen intellectual property.

References

Kessler, G. (2017, June 22). File Signatures Table. Retrieved June 30, 2017, from
http://www.garykessler.net/library/file_sigs.html

Process Library and DLLs. (n.d.). Retrieved June 30, 2017, from
http://www.processlibrary.com/en/
