Midterm Practice
Livia Nguyen
CFR105
Summary
The thumb drive and the memory dump, together with the Canon digital camera found on top of Steve Vogon's desk, contain evidence that it was Steve Vogon who took the photographs of Saraquoit Corporation's confidential data. Mr. Vogon developed a script called xfer.pl that allowed him to secretly take this confidential data and transfer it over the network to another location where he could access it. There is activity showing that Steve Vogon encrypted and reformatted his thumb drive to hide this data and avoid being caught. The data recovered from the thumb drive also contains information on two other individuals, Catherine Lagrande and Matthew Geiger, who could also be involved in this case with Mr. Vogon.
MIDTERM PRACTICAL 3
In regard to the USB thumb drive image that you have been provided with, were there any steps taken or actions performed to conceal the drive's contents? If so, what were they?
The copy of the USB thumb drive image appears to be an empty FAT16 file system, but further analysis shows hidden files in the unallocated space that can be recovered with file carving techniques. The thumb drive appears to have been reformatted, because there are no file system entries for any of the files.
The thumb drive contains an encrypted container. The executable file on the thumb drive was concealed by compressing it with the Ultimate Packer for Executables (UPX). It also gives hints about the location of the encrypted container, which appears to be E:\secret according to the memory dump.
Figure 1: The memory dump shows the encryption and the location of the encrypted container in E:\secret.
What files were found on this disk? How did you recover them?
Please provide a full explanation for each file found on the USB thumb drive, including file type, contents and purpose.
All files on the thumb drive were collected manually using file carving techniques.
Figure 3: upx.exe
Figure 4: wget.exe
Figure 5: wget.exe
Figure 6: libeay32.dll
Figure 7: ssleay32.dll
Figure 8: linint3.dll
Figure 9: libiconv32.dll
Recovering files from the thumb drive required manual carving through the unallocated space, because most tools cannot distinguish some of the many file types that exist. Figure 10 shows the start of the encrypted container; its end is taken to be the next known header signature, which indicates where a new file starts. Automated file carving techniques have limitations: for example, the PAR files contain compressed data and would be carved as ZIP files instead.
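The carving rule described above, as an added example that is not part of this report or of any tool used in it: each known header opens a file, a known trailer closes it if one exists, and otherwise the next header is the hard end, since a reformatted FAT16 volume keeps no directory entries or sizes. The signature table and the sample "unallocated space" image are constructed for the demonstration; a header embedded in another file's body splits the carve, which is the kind of mislabelling the PAR/ZIP limitation describes.

```python
import re

# Header -> (type, trailer).  Formats with a trailer are cut there; those
# without one (a ZIP, an executable, an encrypted container) run until the
# next known header, because the reformatted FAT16 keeps no entries or sizes.
SIGNATURES = {
    b"\xff\xd8\xff\xe0": ("jpg", b"\xff\xd9"),
    b"\xff\xd8\xff\xe1": ("jpg", b"\xff\xd9"),
    b"GIF89a": ("gif", b"\x00\x3b"),
    b"PK\x03\x04": ("zip", None),
    b"MZ\x90\x00": ("exe", None),
}
HEADER_RE = re.compile(b"|".join(re.escape(h) for h in SIGNATURES))


def carve(image: bytes) -> list:
    """Return (offset, type, data) for every header found in the image."""
    hits = [(m.start(), m.group()) for m in HEADER_RE.finditer(image)]
    carved = []
    for i, (start, header) in enumerate(hits):
        ftype, trailer = SIGNATURES[header]
        # A following header is the hard upper bound: another file starts there.
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        if trailer is not None:
            t = image.find(trailer, start + len(header), end)
            if t != -1:
                end = t + len(trailer)
        carved.append((start, ftype, image[start:end]))
    return carved


def build_sample_image() -> bytes:
    """Constructed unallocated space: a GIF, a JPEG and an EXE stub between filler."""
    filler = bytes(range(256)) * 2      # 512 bytes containing none of the signatures
    gif = b"GIF89a\x01\x00\x01\x00" + b"\x80" * 10 + b"\x00\x3b"
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    exe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 30
    return filler + gif + filler + jpeg + b"\x00" * 8 + exe + filler


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"{offset:>8}  {ftype}  {len(data)} bytes")
```

The EXE stub has no trailer, so its carve runs to the end of the image and includes the trailing filler; on a real image that slack is where the next header or a manual cut has to decide the boundary.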
Based on your previous findings, please determine what Steve Vogon's intentions were.
Did Steve Vogon act on his intentions? If so, what did he do? How can you prove this?
All of the evidence collected shows that Steve Vogon took the keyfile belonging to Saraquoit Corporation and used a customized program, found in his memory dump, to transfer files to a remote location on the internet. The information captured by Steve Vogon contains Saraquoit Corporation's intellectual property, including files such as topsecret.gif and secretplan7.jpg, which were copied from the company network host 172.16.109.34, from the folder named Secretplans mapped locally as the X: drive, as shown in Figure 12.
Figure 12: Evidence in the memory dump showing the file transfer from 172.16.109.34 and Secret plans.
This finding is supported by data from the SMB connection found at decimal offset 0x36096192 in the memory dump, the remaining filenames recovered from memory, and an active network connection on TCP port 445, the port used for direct TCP/IP Microsoft networking (SMB) access, recovered from the memory dump using FTK Imager.
Figure 14: Example showing secretplans7.jpg being transferred by svxfer.exe to the X: drive.
Data from the memory dump indicate that the xfer program customized by Steve Vogon was executed multiple times. A prefetch file, C:\WINDOWS\Prefetch\SVXFER.EXE-2DAB52DD.pf, was found, indicating that svxfer.exe had been executed.
The memory dump also contains sections of the HTTP communication to the host listed in the customized xfer.pl program created by Steve Vogon. Figure 16 shows the segments for the secretplansN.jpg and topsecret.gif files that tell the program the file transfer has succeeded. There is also a Cval= string encoded in Base64, which carries the data handled by the xfer.pl operation. When this string is decoded, the result is a JPEG file whose header information gives the source of the image as a Canon PowerShot SD400 and states that the photograph was taken at 21:48:41 on 10/22/2007. The camera could be owned by Steve Vogon, as it was located on his desk at the scene.
Figure 16: The image shows the successful transmission and the Cval Base64-encoded strings.
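The decoding step described above, as an added example that is not part of this report or of the xfer.pl program: pull the Cval= value out of a captured HTTP body, Base64-decode it to a JPEG, and read the Exif Make, Model and DateTimeOriginal tags that identify the camera and capture time. The HTTP body, the parameter layout (URL-encoding allowed) and the minimal Exif JPEG are constructed here; real xfer.pl traffic may carry the value differently.

```python
import base64, re, struct
from urllib.parse import unquote_to_bytes

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x9003: "DateTimeOriginal"}
CVAL_RE = re.compile(rb"Cval=([A-Za-z0-9+/=%]+)")

def decode_cval(http_body: bytes) -> bytes:
    """Extract the Cval= parameter (URL-decoded, then Base64-decoded)."""
    m = CVAL_RE.search(http_body)
    if not m:
        raise ValueError("no Cval= parameter in body")
    return base64.b64decode(unquote_to_bytes(m.group(1)), validate=True)

def read_exif(jpeg: bytes) -> dict:
    """Walk IFD0 and the Exif sub-IFD of a JPEG whose first segment is APP1/Exif."""
    if jpeg[:4] != b"\xff\xd8\xff\xe1" or jpeg[6:10] != b"Exif":
        raise ValueError("no Exif APP1 segment at start of JPEG")
    tiff = jpeg[12:]                         # TIFF header follows "Exif\0\0"
    end = "<" if tiff[:2] == b"II" else ">"  # byte-order mark
    tags = {}
    def walk(ifd):
        (n,) = struct.unpack_from(end + "H", tiff, ifd)
        for i in range(n):
            pos = ifd + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack_from(end + "HHII", tiff, pos)
            if tag == 0x8769:                # pointer to the Exif sub-IFD
                walk(val)
            elif typ == 2 and tag in TAG_NAMES:  # ASCII; stored inline if <= 4 bytes
                off = val if cnt > 4 else pos + 8
                tags[TAG_NAMES[tag]] = tiff[off:off + cnt].rstrip(b"\0").decode()
    walk(struct.unpack_from(end + "I", tiff, 4)[0])
    return tags

def build_sample_body() -> bytes:
    """Constructed POST body carrying a minimal Exif JPEG as Cval=<Base64>."""
    make, model, dt = b"Canon\0", b"Canon PowerShot SD400\0", b"2007:10:22 21:48:41\0"
    make_off = 8 + 2 + 3 * 12 + 4            # string data starts where IFD0 ends
    model_off = make_off + len(make)
    exif_off = model_off + len(model)
    dt_off = exif_off + 2 + 12 + 4           # after the one-entry Exif IFD
    ifd0 = (struct.pack("<H", 3)
            + struct.pack("<HHII", 0x010F, 2, len(make), make_off)
            + struct.pack("<HHII", 0x0110, 2, len(model), model_off)
            + struct.pack("<HHII", 0x8769, 4, 1, exif_off) + b"\0\0\0\0")
    exif_ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, 2, len(dt), dt_off) + b"\0\0\0\0"
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + make + model + exif_ifd + dt
    app1 = b"Exif\0\0" + tiff
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
    return b"file=secretplans7.jpg&Cval=" + base64.b64encode(jpeg)
```

Running `read_exif(decode_cval(build_sample_body()))` on the constructed body yields the make, model and capture time; a recovered HTTP segment from the memory dump would be fed to `decode_cval` in the same way.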
The data recovered from the thumb drive mentions Steve Vogon's name, indicating that he is involved in a data theft plan. The xfer.pl file was specifically developed and customized to Steve Vogon's wishes, as the error messages and input prompts in the Perl script use the same name. The Expedia web page recovered from the thumb drive also contains flight information for Steve Vogon, Catherine Lagrande and Matthew Geiger.
Figure 17: Flight information on Steve Vogon from the thumb drive.
Determining whether the photo transferred using the xfer.pl program developed by Steve Vogon was taken with the Canon PowerShot SD400 camera found on Steve Vogon's desk would prove that his camera was used to photograph the stolen intellectual property.