Editor-in-Chief
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Managing Editor:
Dominika Zdrodowska
dominika.zdrodowska@eforensicsmag.com
Editors:
Marta Sienicka
sienicka.marta@hakin9.com
Marta Strzelec
marta.strzelec@eforensicsmag.com
Bartek Adach
bartek.adach@pentestmag.com
Senior Consultant/Publisher:
Paweł Marciniak
CEO:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Marketing Director:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
DTP
Dominika Zdrodowska
dominika.zdrodowska@eforensicsmag.com
Cover Design
i Hiep Nguyen Duc
Publisher
Hakin9 Media Sp. z o.o.
02-676 Warszawa
ul. Postępu 17D
Phone: 1 917 338 3631
www.eforensicsmag.com
All trademarks, trade names, or logos mentioned or used are the property of their respective owners.
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the
presented techniques or consequent data loss.
word from the team
Dear Readers,
For this publication, we invited digital forensics and cybersecurity lecturers, students, and those who have recently graduated from uni. The issue contains many interesting publications on recent academic research.
Diane Gan (in cooperation with David Gresty), who's a professor at University of Greenwich, has written an article about using edutainment to train the next generation of forensics investigators, and her 3 students have provided forensic case studies on which they worked during their university course. These case studies relate to murder, terrorism and drug dealing investigations. Diane's article and works of her students could be extremely useful for other universities looking to implement new teaching methods in DFIR programs.
We're also proud to present a piece of Tamunoibiton Adoki's master's research project regarding Forensic Analysis of Web Browsers in Private mode - never before published, anywhere!
Moreover, we have for you articles about steganography in forensic investigations, DMA attacks for Memory Acquisition, detecting and combating phishing, and it's still not everything in this issue's table of contents. Just download this issue for free and check it yourself!
We would like to thank all authors - lecturers, students, and graduates, as well as our betatesters and proofreaders, for participating in this project. Without you this edition would not be created, and everybody knows how important it is to educate digital forensics experts - we're glad to be a part of it.
Dear Readers, last but not least - feel free to share your feedback about this issue with us.
Regards,
Dominika Zdrodowska
Table Of Contents
Using Edutainment to Train the Next Generation of Forensics Investigators 5
Terrorism case 50
by Student from University of Greenwich
Murder case 82
by Student from University of Greenwich
Introduction
The process of teaching students to become the forensics investigators of the future has certain challenges for academia. The main challenges are how to provide students with realistic cases that will engage and challenge them, facilitate learning and are academically appropriate. We have achieved this at the University of Greenwich by introducing a novel approach to the forensic coursework in the final year module, which uses an edutainment (education + entertainment) approach. This works on the basis that if students are enjoying a
To achieve this, students are assigned a “crime” and must create appropriate digital evidence for their case. They work in small groups and each group is given a different crime. Each group must deliver a digital forensic copy of their “crime” at the end of term 1. These cases are then given to different groups and each group assumes the roles of forensics investigators to analyse the evidence file that they have been allocated. This means that each group works on an individual case and must solve any investigative problems within their peer group. The students report that they enjoy the process of being the criminal and the forensics investigator and at the same time they state that they learn a lot during this process. Two example reports are included and these are cases of “drug dealing” and “terrorism” that demonstrate the type of work undertaken
There is also an additional benefit for the lecturers, which is that these cases can be reused as coursework on other forensics modules, so that other students benefit from having challenging cases to investigate. The lack of realistic case studies in forensics is a real issue when teaching this subject.
The “Crimes”
Each group must develop the evidence appropriate for their given “crime”. These are selected at random by the groups. The cases are: Terrorism, Bank robbery, Industrial espionage, Drug dealing, Pedophile ring, Murder, Running a prostitution ring, People smuggling, Stalking someone famous (may include murder/death threats/kidnapping), Money Laundering, Kidnapping, Car-jacking and exporting. There is often cross-over between crimes, as murder, blackmail and even kidnapping often feature in other cases. For example, the crime of bank robbery used blackmail and kidnapping of a family member to coerce the bank manager to open the vault, and the “criminals” were dealing in drugs to fund their other activities. It should be pointed out that pornography (illegal or otherwise) is depicted using pictures of dogs and cats for the evidence.
A requirement of the coursework is that students must include at least 15 pieces of easy evidence, 8 to 10 pieces of medium difficulty evidence and 5 to 6 really challenging items. Easy evidence might be a document with white text on a white background or a picture covering text in a letter or even a mangled file where the extension has been changed to hide the type of file. These are mostly items that the forensics tools would identify and flag up to the investigator. Medium difficulty could include a password protected file but with the password being easy to guess or being the name of the file. The hard evidence might be a challenging password, hidden folders or files. Red herrings are expected to throw the investigators off, and
Students put passwords on files and on “steged” images, but these passwords must relate to the case in some way, either using the names of people or places (perhaps addresses) within the fictitious crime or they are located somewhere within the evidence. They can use passwords that are abstract but these must be present hidden within the case somewhere. A common technique used by students is to obfuscate the password using binary, hexadecimal or even base64. One group created a script that caused the LEDs on the keyboard to blink the password in Morse code. Students have also hidden images and even passwords in video footage, which requires the investigators to watch the video to retrieve this. The password to a file can also be placed as a watermark on the image which hides the evidence. Another group, as seen in the Murder case, physically wrote passwords on random pages in a book which could only be read using an ultraviolet light. They also supplied the ultraviolet light as a hint within the seizure evidence. Password cracking using open source tools is also permitted providing the password is not overly long.
Each year, there is always at least one group that writes some malware that is planted within the evidence. When the investigator clicks on the link, the malware deletes their case or reboots the computer. This teaches the investigators to always keep backup copies of the evidence in the future.
There is always extensive use of tools to hide evidence and steganography tools are always a popular choice. Truecrypt is also often used. For these types of tools, the students must leave traces of the tools or the tools themselves that were used to hide the evidence as hints. They often add extra tools to try to throw the investigators off, as there are 10 extra marks available if the investigators do not find all their evidence.
The use of physical evidence is encouraged but is not a requirement. Some student groups have handed in a laptop, mobile phones, SIM cards, an ultraviolet light, Post-Its and even screwed up paper retrieved from a “waste paper bin” that had password hints on it. One group shredded paper with a lot of text on it that the investigators meticulously put back together again but which turned out to be a red herring. We have had students creating surprisingly complex social media profiles to give clues about the case, such as pet’s names or where they last ‘checked in’ before the victim goes missing. For the “drug dealing” case, the stu-
Each group is required to produce a biography of the criminal(s), which is given to the investigators. This must include how they were arrested, what they are suspected of, their names and addresses and details of any known associates. These details should also be present within the case, so that they can be searched for using the forensics tools. Some groups also created a timeline for the “crime”, which was very helpful when
The Assessment
The assessment is in two parts. Firstly, the case around the “crime” is assessed at the end of semester one. Each group is required to demo their evidence to the lecturer and then the report is marked. The prerequisite components must be present. This includes a summary table that shows all the evidence, classified as easy, medium or hard. They must also include the tools used to create each item and all associated passwords. As this is a group effort, each participant is required to include a brief personal reflection as an academic requirement.
Whilst creating the cases, the students have to be cautioned to consider that the ‘hard’ artefacts should not be overly complex because of the unnecessarily convoluted nature of how they were placed into the case. Similarly, ‘obvious’ pop culture references and associations should be avoided as the class may contain students from a range of ages and backgrounds. An example of this was a group rather creatively using footage from the 2010 science fiction film ‘Inception’, where a feature of the film is that the characters can enter other people’s dreams, and then deeper levels of dreams below that. The students considered this to be an obvious clue to the multiple levels of data hiding in the file, and it really was an interesting use of popular culture inspiring their edutainment. However, the clue was sufficiently obscure for the investigators to miss it.
The second semester coursework involves a forensics investigation on a different case, which must be written up as an expert witness report. A professional document is expected that could be presented in a court of law. This follows on from their introductory course in digital forensics during their second year, where they are required to investigate a case and then present their evidence as an “expert witness” in a mock court scenario. The use of peer assessment by the “criminals” helps to identify how much of the evidence was found by the investigators. The quality of the report is then graded by the lecturers.
Conclusion
The process of seeding potential evidence and clues into their case gives the students an appreciation of a number of issues they may not fully grasp during the earlier stages of their training where they are focused on locating and reporting on specific artefacts or types of artefacts. For example, a student learning to use ‘gallery view’ in a forensics tool to identify pictures does not necessarily fully consider the importance of the meta-data of the picture, such as the size, folder location or temporal ordering of the pictures, all of which become significant features of the picture for the ‘criminals’ if they are trying to plant an innocuous picture
Without prompting, the students start to recognise the difficulty in hiding and manipulating the meta-data, leading them to come up with their own solutions, such as editing the meta-data, manipulating the system clock as they plant the artefacts or writing into their narratives the use of bulk-file changers to confuse timeline analysis. We argue that recognising these problems and coming up with the alternatives makes real problems for the students with an over-confidence in the evidence. During the earlier stages of training the students in general have confidence that when an artefact is called, for example, a WhatsApp chat log made on the 1st of January, that it is in fact a chat log from the WhatsApp application and it was made at that time. After doing this exercise, we see the students more readily use phrases such as “it appears to be…” or “it is called …” rather than the statement of fact “it is…”. This is an important shift as students progress towards
This coursework has proved very successful and is popular with the students. Very few students fail to engage with this process. Those that do engage invariably pass the coursework and often gain high marks for their inventiveness and originality. The students really relish the process of creating the crimes and use their imagination to come up with innovative scenarios. Graduates who seek employment in forensics related jobs report back that employers highly value the practical experience that this coursework provides. These students have been offered employment when this process has been discussed during interviews. This coursework provides added value to these students as they are not just gaining marks towards their final degree classification, but they are learning a significant skill that they will be able to draw on in their professional life.
We conclude that the use of edutainment as a tool to enhance student engagement and learning has been a huge success.
Drug dealing case
Our crime for this exercise was ‘drug dealing’, which is very loose terminology for crime due to the diversity in which it can be employed. Drug dealing can stem from a street dealer all the way to a cartel as well as commonly involving other avenues of crime. However, we have strictly stuck to drug dealing without diverging into other aspects of crime and concocted a story revolving around a drug distributing team that is continuing to grow in size. The investigation revolves around a USB drive recovered during the arrest of the two individuals suspected of being the heads of the network. Their arrest was the result of police investigation into the network’s operation and the successful charging of one of the conspirators who subsequently named them. Despite this, they did not resist when arrested and during the search of their home no evidence could
Creation of our evidence was made up of three main steps: conceiving the crime and its story, generating the evidence to substantiate that crime and hiding the generated evidence. The evidence files consist of a collection of text, spreadsheets, images and emails created using a variety of tools.
Biography
Abstract
Two individuals, William Brown (43) and James Redman (28), were apprehended after an in depth investigation by the Metropolitan Police force. They were arrested for orchestrating and managing a systematic and growing narcotics distribution network. This network had been established over many years and was respon-
Due to its continuing size, the network was investigated extensively by the police. As it continued to expand, more evidence came to light due to its organisational faults. Due to the correlation between size and noticeable illegal activity, it was concluded that the network had expanded beyond the anticipated scope of its creators. Due to this, those in charge of the network were unable to maintain seclusion from law enforcement. A number of dealing locations, contact details, social network aliases and CCTV recordings of dealings were obtained due to this lapse. Popular areas of operation for the organisation were Harlow area, southern
Case Details
Arrest warrants were obtained for Mr. Brown and Mr. Redman, which were executed on the 28th of September 2015 at 10:36am. This location was breached and the two culprits were arrested on site; they did not resist arrest. A large amount of materials was removed from the residence for analysis; however, this did not include any narcotics. There were no clear signs of illicit activity from the materials gathered or anything that
On the premises was a laptop with a USB drive attached; at point of seizure these were all deactivated. A preliminary overview of the laptop showed nothing suspicious within its contents, however, the USB drive was partially encrypted. Due to this, the drive was flagged as suspicious and sent for further analysis.
On questioning the witnesses about the USB drive, they denied knowledge of any illegal or incriminating data being present and stated the drive contained some personal media related data. When questioned about the encrypted section of the drive, they both pleaded ignorance of the key, stating they had forgotten it. Despite the threat of legal action due to the refusal to open the encrypted volume, the suspects stated that they were unable to do so as the password/key phrase was unknown to them regardless of legal threat.
A key culprit who was also arrested in connection with William Brown and James Redman is Olivia Demoria (born May 10, 1990, 26 years old). During the initial investigation, it became clear she was one of the network’s leaders “on the ground” and was caught in the act of organising and re-stocking dealers known to be in the network. After interrogation of this witness, and the offer of a deal, she named the two heads of the network as Brown and Redman and has agreed to provide us with her email account. The contents of the email address provided useful information that related to the network; additional personal information was uncovered that may be useful in later proceedings (please see associated evidence).
From the information provided by Demoria and a number of the network’s dealers, it became clear that the relationship between Brown and Redman had recently become strained. The main interest of this is that Brown was taking a more active role in the organisation of the dealers whereas this had been primarily Redman’s position; this was noted by many of the dealers as strange. The reasons are still unclear and Demoria
Mr. Redman used to be known on the drug scene as both a user and low level dealer with a number of warnings. Due to this, his connections in the narcotics community are well known, however suspected activity at
Further analysis may provide evidence to prove their connection to the network they are suspected of heading. This evidence (if found) will be used to both charge and prosecute these individuals in a court of law and
Criminal profiles
William Brown
Age: 43
No previous criminal activity with the exception of speeding tickets. University educated, received a 1st honours in computer science. Despite this, there is no indication he ever specialised in a computer related working role, instead favouring teaching jobs. From the materials gathered during seizure, he is known to favour
Olivia Demoria
Age: 26
Previously unknown to the police. Educated up to college level. Known to be one of the network’s organizers and handled the low level dealers. Her connection to the two suspects is not fully understood, however, from the interview recordings, it has been hinted that the relationship between the two suspects and Demoria
James Redman
Age: 28
Criminal record relating to drug possession and intent to sell, however has served no prison time. Education is unknown and presumed limited. Well known in the narcotics community with known affiliations with deal-
Supporting information
2. From the interrogations of low level dealers, it has been suggested that Demoria had a romantic
3. William Brown has extensive computer knowledge so you may need to tread carefully while
Tools
When creating our evidence image, we used special tools in order to perform some of our data hiding.
TrueCrypt
TrueCrypt is an encryption system that allows a user to encrypt either part or an entire drive with various encryption algorithms. TrueCrypt is not known to have been compromised and creates a formidable obstacle for any forensics investigator. In our evidence, we have used three portions of data encrypted with the TrueCrypt system with variations in the complexity of the passwords as well as varying difficulties in the methods required to recover those passwords. For all the passwords required, adequate clues and systems have been put in place for an investigator to find as not doing so would rely on less reliable or time consuming access methods. This system was employed in order to create boundaries in the system and to create tasks that could not be circumvented without applying time to the other hidden information or puzzles created.
OpenStego
The term steganography refers to hiding data within another set of data. Throughout the ages, many different methods have been employed to this end, however, the most common use today is digital. Typically done to image files, steganography programs alter bits (usually the least significant bit) of each byte within a file in order to contain the bit sequence of the data intended to be hidden. There are multiple methods of how the bits are dispersed throughout a file and shuffled around between them; this is normally dependent on the software used. In this case, we used a program called ‘OpenStego’, which also provides an encryption option when hiding a file to prevent easy discovery or removal of any hidden data.
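As an added illustration of the least-significant-bit mechanism described above (example code written for this edition, not OpenStego's implementation): it embeds a payload into the LSB plane of a constructed byte buffer that stands in for raw pixel data, extracts it again, and shows the simplest statistical symptom an examiner can look for, the proportion of set LSBs in the embedded region compared with the rest of the carrier.

```python
"""
Added example, not from the article or OpenStego: LSB embedding, extraction
and a first-pass detection heuristic on a constructed "pixel" buffer.
"""
import hashlib

HEADER_BITS = 32  # the payload length is stored first as a 32-bit big-endian count


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of successive cover bytes with the
    32-bit length followed by the payload bits."""
    needed = HEADER_BITS + 8 * len(payload)
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the 32-bit length, then that many payload bytes."""
    def read(n_bytes: int, offset: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + 8 * b + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if HEADER_BITS + 8 * length > len(stego):
        raise ValueError("length field exceeds carrier size; probably not an LSB payload")
    return read(length, HEADER_BITS)


def lsb_ones_ratio(data: bytes) -> float:
    """Fraction of bytes whose LSB is set. Smooth or synthetic image regions are
    often far from 0.5; an encrypted or compressed payload pushes the embedded
    region toward 0.5, which is the crude signal a triage can look for."""
    return sum(b & 1 for b in data) / len(data)


def demo() -> dict:
    # Constructed cover: a slow ramp of even values, so its LSB plane is all zeros.
    cover = bytes(((i // 4) * 2) % 256 for i in range(4096))
    # Constructed payload: a digest stands in for an encrypted file (random-looking bits).
    payload = hashlib.sha256(b"constructed payload").digest()
    stego = lsb_embed(cover, payload)
    region = HEADER_BITS + 8 * len(payload)
    return {
        "recovered": lsb_extract(stego) == payload,
        "cover_ratio": lsb_ones_ratio(cover),
        "embedded_region_ratio": lsb_ones_ratio(stego[:region]),
        "untouched_region_ratio": lsb_ones_ratio(stego[region:]),
    }


if __name__ == "__main__":
    print(demo())
```

The ratio heuristic is deliberately crude; real detectors (chi-square, RS analysis) refine the same observation, and OpenStego's optional encryption is precisely what makes the hidden bits look random.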
Glue
This is a file merging program that installs an Excel and Word document into the same file. When a merge is conducted, each file can be read by changing the extension of the file to the file contained that they wish to access. On a standard desktop, it would be impossible to tell that the .doc/.xls file contained a secondary file.
HexEditor
There are many varieties of hex editors around and all can be used free of charge. These tools allow a user to manipulate the byte data contained within a file, volume or drive. By manipulating the byte values, the user can corrupt files, change the file/document's content or hide data within a file or slack space. For our evi-
Creating the evidence
Easy evidence
We classed easy evidence as anything that would be relevant to the case but would most likely be circumstantial during a legal case. Easy evidence was given low priority and therefore we only utilised basic hiding techniques to conceal their existence. Very few, if any, clues were created for these pieces due to their ease
All information and images relating to drugs was originally found on the internet through various sources. Although these pieces do give a suggestion towards a drug related nature or some form of organisation, they do not identify or prove any illicit activity. Due to these pieces being easily argued as internet curiosity, they
These pieces of evidence did not use any special techniques to hide them and in all cases can be found within the file system of this OS. Some of the evidence is stored within an encrypted volume, however this is easy to access and constitutes the first major obstacle for the investigator to overcome.
The images of the Amazon orders, though perhaps innocent in nature, do suggest that James and William were partaking in the growth of narcotics (weed). There is obviously no conclusive knowledge of this as they could just be simple orders. In a Facebook post, James tells William what he needs to buy but again this is still not a strong piece of evidence. If they find the marijuana guide that James talks about this could help support these pieces of evidence as it suggests what should be bought. The creation of this evidence was done by using an old Amazon order and editing it using GIMP to make it look like William had bought these items.
Medium evidence
This classification was used for data that would have some weight in a legal proceeding or was important to the story of the crime and later more damning evidence. As these pieces have some value to an investigator, we used more standard hiding techniques in order to make their recovery more complicated. Clues were made for some of these pieces of evidence whereas others require analysis through specialised tools in order to be discovered. These pieces should be attainable with moderate effort and application. The medium evi-
- Drop points, identifying locations where different narcotics sell best in reference to their profits (Notepad)
- Image of captured email between Demoria and William (Gmail & Paint)
As these pieces of evidence show an interest in producing narcotics as well as evidence of its handling and references to its distribution, this evidence could pose a legal threat in collaboration with other testimony.
Deliver information
This piece of evidence was made with Notepad and was concealed using the steganography program OpenStego. This hidden file is also password protected and requires the investigator to first conclude the data is hidden in the cover file and also provide the required password at the point of extraction.
Drop Points
This piece of evidence was made with Notepad and was concealed by hiding it as an alternate data stream of another file. This is possible within an NTFS file system by using a terminal and a command such as “notepad.exe thisismycover.txt:thisismysecret.txt”.
Drug dealing website
This piece of evidence was made using the program “Sublime” and generates the HTML code for a website. We stored this evidence within a WinRar container which we then encrypted and placed on the administrator user desktop.
This piece of evidence was made using Word and is an adaptation of an online document on the same topic. We concealed this evidence by using the “Glue” program and storing the .doc file within an .xls document. By changing the file extension, you can determine which of the “glued” files is opened upon selection.
Container numbers
This evidence was created using Notepad and an online Unicode translator, which can be found here: Unicode.
This evidence was created using Gmail and Paint to create a PNG image. The image has been concealed by breaking it into different sections using a HexEditor and then saving the sections under different names with different extensions.
Balance sheet
This evidence was created using Excel. The evidence was concealed by splicing the binary/hex data of the file into another file using a HexEditor. By knowing the correct offset, the file can be removed with a HexEditor and recreated. The cover file functions normally despite the splicing.
Full details, including the evidence location within the specified container, can be found in Appendix section 2.
Hard evidence
Evidence in this category would allow a strong legal case against the suspects and could prove their illegal activities. This evidence received a higher degree of concealment and the techniques used to discover them are complex. Clues were made for some of these evidence files whereas others would be discoverable through investigative applications with some technical knowledge. The hard evidence consists of:
- A message from M including incriminating information and identifying him as the supplier (Notepad)
- Image of drug handling and separation into different “strains” (Downloaded & Excel)
Due to the value of these pieces of evidence, the methods required to discover them are either complicated or multi-layered. In all scenarios, these pieces are expected to be discovered last or take the most time.
We took an image of drug handling and separation of narcotics and hid this within an Excel spreadsheet and merged the media streams using Glue. The Excel spreadsheet contained two different sheets, one with useless information, which is just lots of characters that perhaps make it look important. The other sheet contains nothing but has a hidden image within a row and made completely white so you cannot see it unless
To hide this information even further, we used a tool called Glue. Glue merges the streams of the two document types, Excel and Word, which you can select by changing the extension of one of them. Using Glue adds even more difficulty to this piece of evidence as they will need to find out if it’s a merged document or not. The Word document is called startofpoem.doc and contains a short poem so it looks very similar to the
For the Inventory sheet of drugs, which is located on the Ubuntu machine, we hid it within an image file. We opened the file up in a hex editor tool, took the data and then appended the data onto the end of an image and saved the image. This meant the data for the Inventory sheet was hidden within the image file and you were still able to use the image file, but you could extract the Excel sheet and still use it like normal.
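The inventory sheet appended to an image and the balance sheet spliced in at an offset both leave the carrier usable, which is exactly what a first-pass triage can check. This added Python example (not part of the students' case or the article) finds where a PNG or JPEG legitimately ends, reports any bytes after that point, flags PNG chunks whose CRC no longer matches their contents, and searches the whole file for known file signatures at any offset; the carrier is a constructed minimal PNG.

```python
"""
Added example, not part of the students' case or the article: triage for data
appended to an image or spliced into it at an offset. The carrier is a
constructed 1x1 PNG so the code runs offline.
"""
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"

# Magic values a triage would look for at arbitrary offsets inside a carrier.
SIGNATURES = {
    PNG_SIG: "PNG image",
    JPEG_SIG: "JPEG image",
    b"PK\x03\x04": "ZIP container (xlsx/docx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (xls/doc)",
}


def _png_chunks(data: bytes):
    """Yield (offset, length, type, stored_crc) per chunk; stop when a chunk overruns the data."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        yield pos, length, ctype, crc
        pos += 12 + length


def image_end(data: bytes) -> Optional[int]:
    """Offset just past where the format says the image ends: PNG IEND or JPEG EOI.
    For JPEG the first FF D9 may belong to an EXIF thumbnail; acceptable for triage."""
    if data.startswith(PNG_SIG):
        for pos, length, ctype, _ in _png_chunks(data):
            if ctype == b"IEND":
                return pos + 12 + length
        return None
    if data.startswith(JPEG_SIG):
        eoi = data.find(b"\xff\xd9")
        return None if eoi < 0 else eoi + 2
    return None


def trailing_data(data: bytes) -> Optional[Tuple[int, int]]:
    """(offset, size) of bytes after the image's real end, or None if nothing follows."""
    end = image_end(data)
    if end is None or end >= len(data):
        return None
    return end, len(data) - end


def png_crc_errors(data: bytes) -> List[str]:
    """Chunk types whose stored CRC no longer matches type+data: a symptom of
    bytes spliced into the middle of the file."""
    bad = []
    for pos, length, ctype, crc in _png_chunks(data):
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != crc:
            bad.append(ctype.decode("latin-1"))
    return bad


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Known magic values anywhere in the buffer except the carrier's own header at 0."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos >= 0:
            if pos != 0:
                hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def constructed_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG built by hand (constructed sample carrier)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def scan(data: bytes) -> dict:
    return {"image_end": image_end(data), "trailer": trailing_data(data),
            "crc_errors": png_crc_errors(data) if data.startswith(PNG_SIG) else [],
            "signatures": find_signatures(data)}


if __name__ == "__main__":
    clean = constructed_png()
    appended = clean + b"PK\x03\x04" + b"\x00" * 20  # constructed: a sheet glued on after IEND
    spliced = clean[:20] + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + clean[20:]  # constructed: bytes in IHDR
    for name, blob in ("clean", clean), ("appended", appended), ("spliced", spliced):
        print(name, scan(blob))
```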
We took all the emails sent to William Brown’s account and put them in text files. We would then take these text files and hide them in the slack space of other files, which were Poetry files in the format of .docx, which is a normal Word document format. We were able to achieve this with the tool bmap, which operates on Linux operating systems and hides information within the slack space of sectors or on the slack space of the operating system.
You cannot view this information by opening the document in a tool such as hex editor, the only way to read
The image is split into three sections: the containing USB, a Windows virtual machine and a Linux virtual machine. Before creating any of these, we first created “filler” directories. “Filler” directories are what we used in order to bulk out the brand new file systems and consist of images, music and documents in keeping with the character of the described users. The “filler” is used primarily as fodder in which we can more appropriately install the necessary evidence and clue files in order for the investigation to progress.
USB
This section is made primarily of filler and is used simply to indicate aspects of the two individuals and contain the encrypted volume that houses the two VMs, which is on the root level of the drive. The filler is split into two distinct sections, each with one of the suspect’s names on them and two game files. Within each suspect’s section are a number of materials such as images, documents and music that relate to the biography. Within Brown’s section is a folder named “security” that contains the TC binary to directly indicate what tool was used to create the encrypted file. Within the file “\Brown\Pieces of interest\Rewind”, the footer contains white coloured text, which is a clue to the password required for the primary section of the encrypted container. The clue reads “I cross the alps with acid and devour the rude” which a Google search will result with
Windows
The virtual machines (VMs) were created using VirtualBox, one for Windows XP and one for Ubuntu 16.04. First we made the Windows VM with a default installation. Once this was installed, we booted the VM and accessed the default user (Error1015) using the password “5101rorrE”. We started by configuring some of the main data holders and easy hiding places. First, we created an “invisible folder”. This is a trick that can be performed in the Windows operating system and generates a folder that cannot be deleted and has no name. When creating a folder, instead of entering a name, you use the alt code 0160, which produces a “blank” that the system accepts as a name. By then editing the folder’s properties, you can change its icon to a blank image as well, and in doing so create a folder that, unless selected, gives no GUI indication of its existence. This is a common trick used by many, but it does not hide the folder from a dir listing.
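As an added example that is not part of the report, the following Python scans a directory tree for entries whose names consist entirely of invisible characters, which is what the ALT+0160 trick produces (code 0160 is U+00A0, the no-break space). The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Flag directory entries whose names render as blank, such as a folder named
with ALT+0160 (U+00A0, the no-break space).  Added example, not the report's
own code; the sample tree it scans is constructed in a temporary directory."""
import os
import tempfile
import unicodedata

# Unicode general categories that produce no visible glyph: space separators,
# line/paragraph separators, control and format characters.
_BLANK_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}


def is_blank_name(name: str) -> bool:
    """True when the name is non-empty but every code point is invisible."""
    return bool(name) and all(
        unicodedata.category(ch) in _BLANK_CATEGORIES for ch in name
    )


def find_blank_names(root: str) -> list:
    """Walk root and return (path, code points) for every blank-named entry.

    The code points are reported in U+XXXX form because the raw name shows
    nothing on screen, which is exactly why such a folder is hard to spot."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_blank_name(name):
                codepoints = " ".join(f"U+{ord(ch):04X}" for ch in name)
                hits.append((os.path.join(dirpath, name), codepoints))
    return hits


def demo() -> list:
    """Constructed sample tree: a normal folder, a folder whose name is a
    single U+00A0 (the ALT+0160 trick) and a file inside it.  Returns the
    code-point strings of the flagged entries."""
    root = tempfile.mkdtemp(prefix="blankname_")
    os.mkdir(os.path.join(root, "wallpapers"))
    hidden = os.path.join(root, "\u00a0")
    os.mkdir(hidden)
    with open(os.path.join(hidden, "rota.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed sample\n")
    return [cps for _, cps in find_blank_names(root)]


if __name__ == "__main__":
    print(demo())  # ['U+00A0']
```

The check is on Unicode category, so it also catches zero-width and other format characters rather than just the no-break space; reporting code points instead of the raw name is deliberate, because the raw name is precisely what shows up as nothing.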
Second, we created the second drive that the operating system (OS) would use through the VirtualBox software and attached it. Once the drive was showing up within the OS disk management, we formatted the drive and attached it as a default drive. We then encrypted the entire drive using the TC system. When encrypting the drive we made both a primary and a hidden partition, each requiring a different password to access it. We used the standard AES cipher with the RIPEMD-160 hash. Once the drive was fully encrypted we mounted it with the password for the primary partition. The passwords chosen were:
- 0110100001100101011011000110110001101111 (Primary)
- 16435934 (Hidden)
The first password is the word “hello” in 8-bit binary and the hidden password is the word “facade” read as a hexadecimal number and written in decimal (0xFACADE = 16435934). We made a note of the chosen passwords in order to create clues for them, or hide them directly, later.
In Windows, it is possible to create users that are not accessible by default and as such are classed as “spe-
cial users”. This classification can be bestowed upon any user account by adding their user account name as
user’s account will not be displayed on the login screen and will be “hidden”. We created a user following
this method called HDIC. Once this was done, the template of the system was ready to be populated.
We integrated our “filler” directories into sections of the OS both on the primary and secondary drive in or-
der to give a general look of normality. Amongst the files transferred were a number of .jpg images, which
were stored in the default Pictures directory under a subfolder called “wallpapers”. We created a .txt file con-
taining a clue as to how to access the secondary drive and, using OpenStego, stegged the .txt file into the
.jpg image “powerofthedarkside.jpg” with a password of “shade”. The reason for including the password is
to prevent arbitrary steg searches from extracting the hidden data. Once the data was hidden, the file was
altered to a .png file. As a form of camouflage, we then altered all the other images in the folder to .png us-
The “filler” we had created had two subtly distinct user areas, one for each suspect, and as such they con-
tained different materials. Within one section we added a .txt file (TypicalOfYou) that contained a string that
had been manually encrypted and a message indicating another file in the other section called “shining
- I know you will forget, look to the end of the day and you will find its meaning. Don’t forget to use the pass-
By breaking down this sentence the “end of the day” refers to the word “dusk” which only has one occur-
rence in the file system. At this point, there are also few user files that are accessible narrowing down the
choices of where an investigator should look. The second sentence refers to the hidden password in the re-
ferred document that should be used when extracting the data from the image. The “shining dusk” file is a
Word document that has encryption parameters appended to some of the paragraphs and had their text
changed to white. The details are rotation (21), block size (3), transposition (1) and the required password
(shade). The investigator will have to manually conduct the decryption in order to get the message “if you
are lacking the drive don’t forget to embrace the dark side”, where there is only one file with the term “dark
As the default user is a standard user, we included a Vigenere cipher on the desktop that contains a clue to the administrator password. The cipher’s keyword is the title of the file, which is base64 encoded, decoded and then inverted; it reads “what did Dante read above the gates of hell”. We have provided both the English and Italian versions of Dante’s Inferno; however, the phrase is fairly well known and should be discoverable online. The password, however, is only half the answer and must be in Italian, such as “lasciateognisperanza”. Being able to access the administrative account is important later for the more difficult pieces of evidence and their associated challenges. Although this is one avenue of access, Windows XP is known to
One such method is to exploit the utilman.exe program, which is a very easy and well known bypass of the Windows password system. In order to counter this, we removed the run permissions from all users for the
Although this can be easily bypassed by an investigator, it may prevent some users from gaining access.
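The desktop clue above, worked through in code as an added example (not the report’s own program): the file title is base64 text which, decoded and inverted (taken here to mean reversed), reads as a riddle, and the riddle’s answer is the keyword of a Vigenere cipher whose plaintext points at the administrator password. The title, keyword and ciphertext below are constructed for the demonstration; the keyword is a stand-in and is not the report’s answer.

```python
"""Decoder for a Vigenere clue whose keyword is a riddle hidden in a base64,
reversed file title.  Added example, not the report's own code; the title,
keyword and ciphertext are constructed and the keyword is a stand-in."""
import base64


def riddle_from_title(title: str) -> str:
    """Base64-decode the title and reverse the result ('inverted')."""
    return base64.b64decode(title).decode("utf-8")[::-1]


def title_from_riddle(riddle: str) -> str:
    """Inverse of riddle_from_title, used only to build the sample title."""
    return base64.b64encode(riddle[::-1].encode("utf-8")).decode("ascii")


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Classic Vigenere over the Latin alphabet.  Case is preserved and
    non-letters pass through without consuming a key character, which is
    how most puzzle ciphertexts are laid out."""
    key = [ord(c) - ord("A") for c in keyword.upper() if c.isalpha()]
    if not key:
        raise ValueError("keyword must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = -key[i % len(key)] if decrypt else key[i % len(key)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample matching the layout described in the report.
SAMPLE_RIDDLE = "what did Dante read above the gates of hell"
SAMPLE_TITLE = title_from_riddle(SAMPLE_RIDDLE)
SAMPLE_KEYWORD = "abandon"  # stand-in answer, not the report's keyword
SAMPLE_PLAINTEXT = "the admin password is in the italian edition"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEYWORD)


def solve(title: str, keyword: str, ciphertext: str) -> dict:
    """Recover the riddle from the title, then decrypt the file body with
    the supplied answer as the keyword."""
    return {
        "riddle": riddle_from_title(title),
        "plaintext": vigenere(ciphertext, keyword, decrypt=True),
    }


if __name__ == "__main__":
    print(solve(SAMPLE_TITLE, SAMPLE_KEYWORD, SAMPLE_CIPHERTEXT))
```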
On the desktop we also placed a file “KEEP IT CLEAN!!” that contains instructions on how to keep the system “clean”, which is meant to indicate that measures have been taken to remove any signs of wrongdoing. Additionally, the file refers to a sub-system that becomes relevant in later sections. The binary string is
There is also an encrypted WinRar file on the desktop. This file has only a three letter password, which can be easily broken using a dictionary or brute-force .rar cracking program. It was placed specifically to require the investigator to employ some external attack on the encrypted file and also to consume time. As this is the first container they will encounter, it should be the first to be attacked. However, due to the ease with which the contents can be compromised, the contents are limited to an image broken into three sections, which is only a red herring. This is the only encrypted file that does not have a
Within the “invisible folder” we placed a number of image files and four .txt files. One of these files is the rota of meeting locations that was classed as easy evidence. The other files contain a reference to the OpenStego program used for steganography (which will be uninstalled from the system during analysis) and what is commonly known as a ladder cipher. The ladder cipher works by re-wrapping a long string with a line return at a specific interval, so that a message can be read vertically down the resulting column. The name of the file is “TM81”, which breaks down to a reference to an image file in the same directory (TrippingMan.png) and the interval at which the contained string needs to be returned (81). The deciphered message reads “When is the time to blaze”, which is a drug community reference to indicate a common time and reference of 420.
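To show the mechanism of the TM81 ladder clue in code, here is an added Python example (not the report’s own code). It embeds a message so that every 81st character of a filler string carries one letter of it, re-wraps the filler to show the message reading down the first column, and includes a crude scan for candidate intervals for the case where no file name gives the interval away. The filler, the choice of the first column and the scoring heuristic are constructed assumptions; the message is the one quoted above.

```python
"""Ladder cipher helpers: a hidden message is spelled out vertically once a
long filler string is re-wrapped (a line return inserted) every N characters.
Added example, not the report's own code; the filler, the first-column
layout and the interval-scanning heuristic are constructed assumptions."""
import random
import re


def embed(message: str, interval: int, seed: int = 1) -> str:
    """Build filler text in which message[i] sits at offset i * interval, so
    wrapping at `interval` puts the message down the first column."""
    rng = random.Random(seed)  # seeded so the sample is reproducible
    letters = "abcdefghijklmnopqrstuvwxyz"
    body = [rng.choice(letters) for _ in range(len(message) * interval)]
    for i, ch in enumerate(message):
        body[i * interval] = ch
    return "".join(body)


def wrap(text: str, interval: int) -> list:
    """Re-wrap text every `interval` characters (the 'returned' string)."""
    return [text[i:i + interval] for i in range(0, len(text), interval)]


def read_column(text: str, interval: int, column: int = 0) -> str:
    """Read the message vertically: every interval-th character."""
    return text[column::interval]


def interval_from_name(filename: str) -> int:
    """Parse the trailing number of a name like 'TM81' as the interval."""
    m = re.search(r"(\d+)$", filename)
    if not m:
        raise ValueError("no interval in file name")
    return int(m.group(1))


def rank_intervals(text: str, max_interval: int = 400) -> list:
    """Triage heuristic for an unknown interval: the true interval gives a
    first column with the most word breaks (spaces) while staying short;
    divisors of it keep the spaces but produce a longer, noisier column and
    multiples lose spaces.  Returns (interval, space_count), best first."""
    scored = []
    for n in range(2, min(max_interval, len(text) // 2) + 1):
        col = read_column(text, n)
        scored.append((n, col.count(" "), len(col)))
    scored.sort(key=lambda t: (-t[1], t[2]))
    return [(n, spaces) for n, spaces, _ in scored]


SAMPLE_MESSAGE = "when is the time to blaze"   # message quoted in the report
SAMPLE_TEXT = embed(SAMPLE_MESSAGE, interval_from_name("TM81"))

if __name__ == "__main__":
    rows = wrap(SAMPLE_TEXT, 81)
    print("".join(r[0] for r in rows))      # when is the time to blaze
    print(rank_intervals(SAMPLE_TEXT)[:3])
```

The scan only works because the filler here carries no spaces; against real filler text the same idea still applies, but the score would need a wordlist check on the candidate column rather than a plain space count.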
For the folder “C:\Documents and Settings\Error1015\My Documents\Money yo\Super secret dealer info.bat” we changed the display icon to that of a .bat file. As most people are wary of executing a .bat, this was seen as a very basic deterrent from opening it. Within the directory “C:\Documents and Settings\Error1015\My Documents\Some of my writings” are a number of files of interest. This folder contains the file referenced to gain access to the secondary encrypted drive, the drug glossary (easy evidence) and the medium evidence of drop points, hidden within an alternate data stream of one of the folder’s contents (somethingOrOther.txt).
Within the encrypted secondary drive’s primary partition is another selection of “filler” used to hide the evi-
dence files within. Within the first directory of the drive is a Python script that prints a number of messages to
the terminal. This is an indication towards the user’s knowledge of Python programming, which is relevant
later. Although there is no relevance to it as evidence, it gives a clue to an underlying method that may be
used to hinder the investigation. As an additional method of prevention, OpenOffice is installed within the
encrypted drive and as such will not work while the secondary drive is not mounted. This is a minor hin-
drance as we assume that the investigators will extract the files as required or read them via specialist soft-
The directory “Z:\Nice cars\Nice cars” contains three separate images of narcotics with relevant titles that are categorised as easy evidence. These images of narcotics are not hidden in any way; however, due to their circumstantial nature we felt that they were appropriate as easy evidence. Within the directory “Z:\Nice cars\Poetry\Random”, we created a .bat file called “Brutus.bat” that asks a question repeatedly until the correct answer is provided. The script asks “Et tu, Brutus? What does it mean?” If they enter an incorrect answer it loops and asks again; however, if they answer correctly, it terminates. This is a pointless .bat script and has
This is also the first place where a “hard” piece of evidence has been hidden within the file “Z:\Nice cars\Po-
etry\startofpoem” that was concealed using the HexEditor tool. This piece of evidence is the “proof to M”,
which is an Excel spreadsheet with an image contained within showing drug handling. Full details on crea-
As a point of the story, we downloaded and integrated the “john the ripper” program into the secondary drive. This directory can be found at “Z:\Random\john” and has its display icon changed to that of a WordPad related document. Within the program files, we carried out a live system SAM dump and stored the results along with the binaries. We also created a custom “john.pot” file and entered the password for the hidden HDIC user account. This is the only mention of, or clue to, the password required for the HDIC account. There is also a .txt file within the binaries folder called “todo.txt” that contains an indication of intent to gain access to the administrator account and states that the password contained in the .pot file is for an unknown user.
Additionally, within the directory “Z:\Random\” are a number of image files and within one of these we con-
cealed the password to Redman email. This password was hidden at the bottom of the image in a dark col-
our to blend into the background to make it hard to find, this can be found at the bottom of the image
was created using Paint and can be found at “Z:\SuspsiciousThinking\Sweet Guitars!\If I forget.jpg”. The clue
was hidden by using a variety of dark font and dark background colours to make it difficult to read.
Within the directory “Z:\SuspsiciousThinking\” are a number of folders as well as a hidden .exe file. The executable is actually a .bat file converted to an .exe and is a shutdown virus/bomb. It works by issuing a shutdown command and then creating a number of .bat files with additional shutdown commands, storing them in the Windows startup folder so that when the system starts it will immediately attempt to shut down. Although this is easily identified and, if triggered, easily repaired, we used it as a basic anti-forensics measure.
The folder “Z:\SuspsiciousThinking\Balancing books” contains a number of .xls documents. The file “Phone
numbers.xls” however is a “glued” file and contains both the .xls and a concealed .doc file containing the
medium evidence file “marijuana growing guide”. The folder “Z:\SuspsiciousThinking\My orders” contains
the easy evidence files “Amazon order images” related to drug growing equipment. The last piece of evi-
dence within the secondary drive is hidden within “Z:\SuspsiciousThinking\Sweet Guitars!\ NEW2848Epi-
phone 1940 Emperor_03-0a42dffaf8.jpg” and contains the medium evidence “Balance sheet” hidden in the
We then hid the “Screenshot of William – Demoria email” within the system file “C:\WINDOWS\AppPatch
\Lui pens ache io non lo so\” with the directory name meaning “he thought I do not know” in Italian. Once
these files were installed, we moved onto the other user areas being utilised. We accessed the HDIC user
desktop first and added a file to the desktop called “Message from M”, one of the hard pieces of evidence.
In addition to the evidence file, a number of .txt files have been added to the desktop containing numbers.
However, this evidence has been encrypted using AES256 and the clue to the required key is stated as “If
you forget use the files on the desktop in the correct order, if you screw up the order you will be unforgiven”
and then a number of mathematical symbols. The message refers to a .txt document within the default user
account with the name “unforgiven.txt” and is used as a sort of book code. At the bottom of the evidence file, placed very far down so that a brief overview may miss it, is a message that states “Remember to only use every second word, A2”. Breaking down this statement, it tells the investigator that only every second word, in some arrangement, should be used to find the key, and the A2 refers to the AES256 encryption. The correct method of obtaining the key is to use every second word from the end of each line of the “unforgiven.txt” file and perform the necessary mathematical procedure with the numbers within the corresponding files on the desktop.
As a red herring, we have also placed a .vbs script on the desktop called “KeyGrab”, which instead just re-
We then moved to the administrator account. For this account, we used a “needle in a haystack” approach,
utilising vast amounts of files in order to try and conceal the necessary data. To do this, we created three .bat
scripts which created thousands of folders, populated the folders with a number of .txt files containing ran-
dom numbers and a script that appends a new random number to all the files within all the folders. The last
script was made in order to update the “last modified” and “last accessed” data of the files all in one go so
that files of importance could not be discovered by that method. On the desktop we placed a WinRar file
called “WhatsToCome.rar” that contains the medium evidence of the drug dealing website html template.
The clue to the password is contained within the desktop file “4200\blablahblahContainer” and contains the
password in “leet” text (3|\||_|9|-|']['3|\| |\/|3) which translates to “enlighten me”. The medium evidence file of
container details in Unicode was also added to the administrator user account desktop within folder number
“00740068006500730065006100720065007400680065006200690067006f006e00650073”.
That covers all the evidence files on the Windows system. The investigator will be required to access the hidden section of the USB hosted encrypted container in order to examine the Linux VM and collect all the final evidence. In order to access the hidden VM, the investigator will need to generate the password using the custom built program Alpha2591, which is stored on the system user’s desktop. Windows XP has a flaw that permits an administrative user to gain access to the system level user account, which should be isolated. Within this system level account we have hidden our custom password generator. To access the system account, the command “at 12:00 /interactive cmd.exe” needs to be entered and then, at the time indicated, a terminal will appear. This terminal runs at system level; therefore, by terminating the running explorer.exe process and restarting it from the system level terminal, you start explorer.exe as the system user.
On the system level desktop there are two files, the Alpha2591.exe program and an encrypted container made using TC (256845235785). The program is a jar file converted to an exe using the program “Jar2Exe Wizard 2.1”, which during conversion also encrypts the java class files in an attempt to prevent reverse engineering. Internally, the program prompts the user for five passwords; these are then hashed via SHA-256 and checked against hard coded hashes. If all five passwords are correct they are then concatenated and hashed to produce the key for the encrypted file, which is mounted automatically. This method was used so that the key cannot be obtained easily should the program be reverse engineered. The source code for the program can be found under section 4 of the Appendix.
The program has an anti-forensics aspect as well. Each attempt increments a counter; should the counter exceed 10, the program silently runs an external Python script to scramble the PBKDF2 header key of the TC file. Essentially, after 10 tries, a discreet deletion trigger is activated and the encrypted file becomes inaccessible even when using the correct password. In order for this to work, the program first checks for two external files at hardcoded locations: the counter file stored as “C:\WINDOWS\system\system.dat” and “C:\WINDOWS\notify.py”. If either of these files is not present, the program terminates automatically. The contents of the notify.py script can be found under section 5 of the Appendix.
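The five-answer gate and attempt counter described in the two paragraphs above, modelled in Python as an added example (it is not the report’s Java, which appears in the Appendix): each answer is SHA-256 hashed and compared against a stored hash, the five correct answers are concatenated and hashed again to form the container key, and a counter kept in an external file locks the program after 10 failed attempts. The answers, their hashes and the counter file path are constructed stand-ins, and the lockout here only returns a status rather than running anything against a container.

```python
"""Model of a five-answer gate with an external attempt counter.  Added
example, not the report's Java; the answers, hashes and counter path are
constructed, and the lockout only returns a status."""
import hashlib
import hmac
import os
import tempfile

MAX_ATTEMPTS = 10


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(answer: str) -> str:
    """Lower-case, trimmed, no internal spaces (the labels in the report's
    GUI ask for lower case, numbers and 'no space')."""
    return "".join(answer.strip().lower().split())


# Constructed stand-in answers; a real build would hard-code only the hashes.
SAMPLE_ANSWERS = ["apple", "42", "pear", "plum", "nospace"]
SAMPLE_HASHES = [sha256_hex(normalise(a).encode()) for a in SAMPLE_ANSWERS]


class Gate:
    def __init__(self, stored_hashes: list, counter_path: str):
        if len(stored_hashes) != 5:
            raise ValueError("exactly five answer hashes expected")
        if not os.path.exists(counter_path):
            # The report's program exits when its external files are missing.
            raise FileNotFoundError(counter_path)
        self.stored = stored_hashes
        self.counter_path = counter_path

    def attempts(self) -> int:
        with open(self.counter_path, "r", encoding="ascii") as fh:
            raw = fh.read().strip()
        return int(raw) if raw else 0

    def _record(self, n: int) -> None:
        with open(self.counter_path, "w", encoding="ascii") as fh:
            fh.write(str(n))

    def attempt(self, answers: list) -> dict:
        """Check five answers.  Returns {'status': 'ok', 'key': hex} on
        success, otherwise 'wrong' or 'locked' with the attempt count."""
        n = self.attempts()
        if n >= MAX_ATTEMPTS:
            return {"status": "locked", "attempts": n}
        norm = [normalise(a) for a in answers]
        ok = len(norm) == 5 and all(
            hmac.compare_digest(sha256_hex(a.encode()), h)
            for a, h in zip(norm, self.stored)
        )
        if not ok:
            n += 1
            self._record(n)
            return {"status": "locked" if n >= MAX_ATTEMPTS else "wrong",
                    "attempts": n}
        # Key = hash of the concatenated answers, as the report describes.
        key = sha256_hex("".join(norm).encode())
        return {"status": "ok", "key": key, "attempts": n}


def make_counter_file() -> str:
    """Constructed stand-in for the report's C:\\WINDOWS\\system\\system.dat."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    os.write(fd, b"0")
    os.close(fd)
    return path


if __name__ == "__main__":
    gate = Gate(SAMPLE_HASHES, make_counter_file())
    print(gate.attempt(["Apple ", "42", "pear", "plum", "no space"]))
```

One design caveat is visible in the model: because every answer has its own stored hash, each puzzle can be checked independently, so the strength of the final key is bounded by the weakest of the five puzzles rather than by all five together; hashing only the concatenation, or passing it through a password-based KDF, avoids that. The lockout is also only as strong as the counter file it reads, which is why a program of this shape refuses to run without it.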
The five passwords required are substituted with clues that are spread throughout the system. The investigator is required to find all five puzzles and come up with the correct answer to each in order to access the encrypted container. Within the container are two .txt files, one of which has a secondary stream con-
- Clue 1 = Hidden within the hex of drive C at offset 13F28EE0 = “Everyone walks on me daily. To some I am a
- Clue 2 = Within the USB filler “Brown\Tinkering\layersuponlayers.bat”, at the bottom of the script file = In a chocolate factory there are 1000 machines that make bars. One develops a fault and makes them 2g heavier than the rest. You are given a spring loaded scale. What’s the minimum number of weighs needed to find
- Clue 3 = Within the secondary drive’s hidden section is an image called “thats a fine steak.png” which contains a stegged image; this is the only file in the hidden section. However, at the bottom of the cover file, we used the HexEditor tool to store the third clue. In order to access the hidden section of the drive, the investigator will need to examine the hex of the damaged file “Untitled”, which contains the message “the2nddrivehasafacade”. The password to the hidden section is “facade” in hex, which equals 16435934. = What is
- Clue 4 = This clue is hidden on the administrator user desktop within the folder 16921 within the file “zippyContainer.txt” = Which county’s earl is thought by some to be responsible for Shakespeare’s work?
When the investigator right clicks a .txt file in the system, the word “lepzuz”, which is an anagram of puzzle, will be displayed as a hint to its location. = Identify the next four entries in the sequence: 998, 1000, 1003,
As an additional measure we made some registry edits in order to hinder progress and provide misleading
- To clear the page file at shutdown, set the following registry subkey to 1 = “HKEY_LOCAL_MACHINE
- Edited the restore point creation interval to one second, before they are discarded = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPGlobalInterval
- Added right click commands to Folders in the system by making additions to the key “HKEY_CLASSES_ROOT\Folder\shell”. Created the commands “DataUnlock” and “Trick or Treat”. “DataUnlock” calls a .vbs script to run a .bat script without a visible terminal that loops the opening of a webpage (C:\WINDOWS\HDICS.vbs HDIC.bat). “Trick or Treat” terminates the running explorer.exe process and
- Added right click commands for .txt files by making additions to the key “HKEY_CLASSES_ROOT\txtfile\shell\”. Created the commands “decipher” and “lepzuz”. “decipher” calls a bat script
nothing but contains the puzzle clue; if selected as a right click option an error message is produced.
- Altered the key “HKEY_CLASSES_ROOT\OpenOffice.Xls\shell\open\command” to instead be directed to a .vbs script called by the cscript command that indicates the file is corrupted. In this way, any attempt to access an .xls document will result in a pop up message stating the file is corrupted.
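Registry edits of the kinds listed above leave artefacts an examiner can look for, so here is an added Python example (not the report’s code) that parses a .reg export and flags them: page-file clearing at shutdown, a very short restore-point interval, non-standard right-click verbs on folders and .txt files, and a document class whose open command has been pointed at a script host. The export text is constructed to mirror the report’s edits; the full Memory Management key path is supplied from general Windows knowledge, since the report only gives its HKEY_LOCAL_MACHINE prefix, and the list of stock verbs and the one-hour threshold are assumptions.

```python
"""Triage of a .reg export for anti-forensic registry edits.  Added example,
not the report's code; the export text below is constructed, the Memory
Management key path comes from general Windows knowledge, and the stock-verb
list and interval threshold are assumptions."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"RPGlobalInterval"=dword:00000001

[HKEY_CLASSES_ROOT\Folder\shell\DataUnlock\command]
@="wscript.exe C:\\WINDOWS\\HDICS.vbs HDIC.bat"

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@="%SystemRoot%\\Explorer.exe /e,/idlist,%I,%L"

[HKEY_CLASSES_ROOT\txtfile\shell\lepzuz\command]
@="C:\\WINDOWS\\missing.bat"

[HKEY_CLASSES_ROOT\OpenOffice.Xls\shell\open\command]
@="cscript.exe C:\\WINDOWS\\corrupted.vbs %1"
"""

MEMORY_MGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
SYSTEM_RESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
STOCK_VERBS = {"open", "explore", "find", "print", "printto", "edit", "cmd", "runas"}  # assumption
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|cmd|powershell)(\.exe)?\b", re.I)
VERB_KEY = re.compile(r"HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key: {value_name: value}}.  Handles REG_SZ
    (quoted, with \\\\ and \\" escapes) and REG_DWORD; other types are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        keys[current][name] = value
    return keys


def triage(keys: dict) -> list:
    """Return human-readable findings for the settings discussed above."""
    findings = []
    if keys.get(MEMORY_MGMT, {}).get("ClearPageFileAtShutdown") == 1:
        findings.append("pagefile is wiped at shutdown (ClearPageFileAtShutdown=1)")
    interval = keys.get(SYSTEM_RESTORE, {}).get("RPGlobalInterval")
    if interval is not None and interval < 3600:
        findings.append(f"restore points created every {interval}s, so older points are churned out quickly")
    for key, values in keys.items():
        m = VERB_KEY.match(key)
        if not m:
            continue
        cls, verb = m.group(1), m.group(2)
        cmd = str(values.get("(Default)", ""))
        if verb.lower() not in STOCK_VERBS:
            findings.append(f"non-standard verb '{verb}' on {cls}: {cmd}")
        elif SCRIPT_HOSTS.search(cmd):
            findings.append(f"stock verb '{verb}' on {cls} routed through a script host: {cmd}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_reg(SAMPLE_REG)):
        print("-", line)
```

On a live system the same checks would read the hives directly rather than an export, but working from a text export keeps the parsing testable and is what an examiner gets when a hive is dumped from an image.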
Ubuntu
The Ubuntu machine was created using VirtualBox, similarly to the Windows machine. It is automatically turned off, so it will not boot in a logged in state. The Ubuntu machine acts as William’s more secure machine where he keeps and reads his emails and hides the inventory sheet of their network. To access this machine’s user account, the investigator will have to guess the password, which is “password”; the reasoning behind this is that we believe that, if you have come to all this trouble, that would be one of the last things you would try.
Inside the machine, you are presented with the folders Gaming and Funny, which hold images taken from the internet. The majority of these images are harmless and have absolutely nothing hidden within them, except for the image mt637azgdezx.jpg hidden inside the Gaming folder.
The file mt637azgdezx.jpg contains the inventory Excel spreadsheet that logs information such as how many
narcotics they have and the price for all of them. This is obviously a very important piece of information as it
tells the investigator that William Brown was indeed in control of a large amount of narcotics that they were
selling.
As a hard piece of evidence, it was hidden in a way that someone may not necessarily expect. I opened an image file in a hex editor, and the document I wished to hide in the hex editor as well, then took the data from the document, appended it to the end of the image file’s data and saved the result. The image still displays normally and the file only grew by 1KB, but the document can be recovered by copying the appended Excel data back out and saving it as an Excel spreadsheet. This is the same technique that was performed to hide the balance
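The appended-document technique described above is easy to detect once you know where an image ends, and the following added Python example (not the report’s code) shows the check: a JPEG viewer stops at the End Of Image marker (FF D9), so anything after it is foreign data. The tiny JPEG and the payload are constructed byte strings. The example walks the marker segments rather than searching for the last FF D9, because a naive search can land inside the appended payload when the payload itself happens to contain those two bytes.

```python
"""Detect data glued onto the end of a JPEG.  Added example, not the report's
code; the minimal JPEG and the payload are constructed byte strings."""

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Signatures worth recognising in trailing data; the OLE2 one is what a
# legacy .xls/.doc starts with.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy .xls/.doc)"),
    (b"PK\x03\x04", "ZIP container (.xlsx/.docx/.jar)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"%PDF", "PDF document"),
]


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking marker segments."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM, RSTn: no length
            pos += 2
            continue
        if pos + 4 > n:
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                # FF 00 is byte stuffing and FF D0..D7 are restart markers;
                # any other FF xx ends the scan data.
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> dict:
    """Report what follows the image: where it starts, its size and a
    guess at its type from the signature list."""
    end = jpeg_end_offset(data)
    extra = data[end:]
    kind = next((name for sig, name in SIGNATURES if extra.startswith(sig)),
                "unknown" if extra else None)
    return {"image_end": end, "trailing_bytes": len(extra), "kind": kind, "payload": extra}


def build_sample() -> tuple:
    """Constructed minimal JPEG (SOI, APP0, SOS with stuffed bytes and a
    restart marker, EOI) plus a fake OLE2 payload that itself contains
    FF D9.  Returns (image, image + payload)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\x78"
    image = SOI + app0 + sos + scan + EOI
    payload = SIGNATURES[0][0] + b"constructed xls bytes \xff\xd9 more"
    return image, image + payload


if __name__ == "__main__":
    image, glued = build_sample()
    r = trailing_data(glued)
    print(r["image_end"], r["trailing_bytes"], r["kind"])
```

The same idea applies to the balance sheet case mentioned above: compare the offset the marker walk returns with the file size, and anything beyond it is carved out and identified by its own signature.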
Other pieces of evidence hidden on the Ubuntu machine were emails that William Brown received. These were hidden using a slack space tool called bmap, which I installed on the machine and then removed from it. The investigator can only find out about it by looking at the machine’s history.
Bmap is a tool used to hide information in slack space on the Linux operating system. The files we used for
this procedure were poetry files hidden within /home/william/Desktop/Gaming/Poetry. We hid all the emails
- The only way to access these is if they find the slack space in the disk or use the bmap tool to extract the
information.
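To make the slack space idea concrete, here is an added Python example (not the report’s code, and not bmap itself) that carves file slack from a constructed cluster image: a file that does not fill its final allocation unit leaves unused bytes between its logical end and the end of that unit, a tool such as bmap writes there, and ordinary file reads never see it. The image, cluster size, directory entries and the hidden text are all constructed for the demonstration.

```python
"""Slack-space carving on a constructed cluster image.  Added example, not the
report's code; image, cluster size, entries and hidden text are constructed."""

CLUSTER = 512


def slack_range(file_size: int, cluster: int = CLUSTER) -> tuple:
    """(start, end) of file slack, relative to the start of the file's run."""
    if file_size % cluster == 0:
        return (file_size, file_size)          # file exactly fills its clusters
    return (file_size, (file_size // cluster + 1) * cluster)


def carve_slack(image: bytes, run_start: int, file_size: int,
                cluster: int = CLUSTER) -> bytes:
    """Bytes between the file's logical end and the end of its last cluster."""
    s, e = slack_range(file_size, cluster)
    return image[run_start + s: run_start + e]


def scan_entries(image: bytes, entries: list, cluster: int = CLUSTER) -> list:
    """entries: [(name, run_start, file_size)] as a directory would give them.
    Returns (name, slack_bytes) for each entry whose slack holds anything
    other than zero padding."""
    hits = []
    for name, run_start, size in entries:
        slack = carve_slack(image, run_start, size, cluster)
        if slack.strip(b"\x00"):
            hits.append((name, slack.rstrip(b"\x00")))
    return hits


def build_sample() -> tuple:
    """Constructed image: two 200-byte text files in 512-byte clusters, the
    second carrying a short message in its slack.  Returns (image, entries)."""
    image = bytearray(CLUSTER * 6)
    poem = b"Shall I compare thee to a summer's day?\n" * 5   # 200 bytes
    mail = b"From: m@example.invalid\nSubject: constructed sample\n"
    entries = [("poem1.txt", 0, len(poem)), ("poem2.txt", 2 * CLUSTER, len(poem))]
    image[0:len(poem)] = poem
    image[2 * CLUSTER: 2 * CLUSTER + len(poem)] = poem
    s, e = slack_range(len(poem))
    if len(mail) > e - s:
        raise ValueError("hidden text does not fit in the slack")
    image[2 * CLUSTER + s: 2 * CLUSTER + s + len(mail)] = mail
    return bytes(image), entries


if __name__ == "__main__":
    img, ents = build_sample()
    for name, slack in scan_entries(img, ents):
        print(name, slack)
```

Real file systems complicate the picture slightly: the run and size come from the directory entry or MFT record, the unit may be a block rather than a cluster, and part of the slack may be zero-filled by the operating system on write, so the non-zero check is a first filter rather than proof.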
This piece of work required me to employ a number of forensics methods as well as take on the mentality of an individual trying to circumvent discovery. These two aspects have enhanced my professional understanding of the methods that can be used for discovery, but also of the steps that may be taken with data formats to maintain seclusion. As an extension of the purely discovery based exercises of my previous forensics courses, the change of perspective has further enhanced my understanding of the methods and steps that may be taken by a suspect in order to secure their information. A key method of interest in this exercise was the application of anti-forensics, which is becoming a fairly common method employed by criminals in order to avoid prosecution or hinder an investigation in ways that may not be obvious to an investigator.
As my main focus was on the creation of the Windows image and the creation of associated clues/puzzles/
riddles to hide the evidence, I spent the vast majority of my time trying to find a balance between the grade
of the evidence and the steps required to uncover them. In all of this, the hardest aspect was the necessity to
create clues that the investigator could use to determine a method of access to the evidence files. In a real
life situation I would have employed far more robust systems with no clues to their contents so as to prevent
any investigator from accessing with ease. The necessity for the evidence to be accessible in some way that
could be discovered removed some of the realism of the exercise and required an additional level of thought
during creation.
In order to address the clues to methods issue, without making the process too obvious, I came up with a number of different types of puzzles that would require an investigator to apply research, correlate other pieces of discovered material or just apply general problem solving in order to arrive at the correct answer. Trying to determine whether the puzzles I created were adequate or too easy/hard was additionally difficult. However, I feel that the end results require an adequate level of time and thought process in order to solve
The application of registry edits is something that I have only ever used as a customisation method, employ-
ing these edits as a seclusion measure was new. During my adaptations, the range of possibilities available
via the registry to convolute the system became clear. Although the methods I used were relatively simple,
there were other options that could effectively disable the system if configured in a specified way. If these
were in place, any arbitrary user could accidentally trigger an event that could “purge” the system data and
In the same avenue of “purging”, the anti-forensics measures I created were tailored around both deletion
and hindrance. Due to the nature of this being an exercise, the use of live and strongly malicious malware
was considered but ultimately decided against. As there were multiple ways to integrate such a virus/worm/
rootkit into the system ready for deployment should it be examined without care, the risk to external
university or personal machines was considered too hazardous. As a compromise, basic “homemade” scripts
were made to disrupt the system they were run on but due to their relative simplicity could be easily reme-
died if needed. In this way we could provide evidence of an anti-forensics nature without endangering any-
one’s personal data outside of the exercise. These hindrances boiled down to elements such as shutdown
In line with malicious scripting, the idea of discreet deletion was also applied. This is the concept of evidence being deleted, without indication by the system, should unauthorised access be attempted. An example of
this would be creating a system with two keys, one to open and one to destroy. In such a situation, if a sus-
pect gave you a key, you could never be sure if the key they gave you was the open or destroy key and in
getting it wrong, the data could be lost forever. This was employed for the hard pieces of evidence by em-
Although the system will be imaged in a forensic examination program, the multiple layers and measures
taken should provide an adequate obstacle for investigation. In this way, the system provides a significant
challenge in order to find all the required pieces of evidence. Due to the different levels of difficulty in the
puzzles created, this also created a sort of hierarchy in what we expect investigators of different calibres to
be able to accomplish.
By forcing us to engage our forensics knowledge from the opposite perspective of an investigator, this work
creates a great understanding of the techniques and difficulties a criminal or corporate entity may go to in
order to maintain their secrecy. This, in and of itself, is a valuable insight that will be an important thought
process should we encounter future work of a similar nature. Although this is not necessarily as a real system
would be constructed, it nonetheless provides procedural knowledge to the steps that would be required
and as such a better comprehension of elements worth investigating or taking note of during an investiga-
tion.
In conclusion, this work provides both practical application of techniques we may be required to discover in
later years and the alternative perspective of that of a culprit. The technical aspects require a technical knowl-
edge that most aiming for a career of this nature will have. Through research and available programs, the
methods can be understood and applied with relative ease. However, the perspective of a criminal is some-
thing much more difficult to grasp. By requiring us to take on the role of a criminal, we have to anticipate the
types of evidence that may be available as well as the types of media or expertise that may be encountered
in a subsequent investigation. This perspective allows an investigator to better understand the scope of the
skills used as well as the items most likely to be of value. The only negative aspect to this exercise was the
requirement to make the evidence discoverable by providing adequate clues. As this is extremely unlikely to
happen in a real life scenario, it provides little benefit to the primary skills instilled during the practice. Despite this, it is clear why these clues are necessary due to the systems used in the second term. If the creation
of a system was permitted with no hints and no restriction on the applications that could be used, it would
be very easy to create a system that would take even professional investigators an excessively long period to
break. Due to the time constraints of the second term, this would be unfair and as such the necessity of clues
makes sense.
Appendix
2 – Medium evidence table
3 – Hard evidence table
4 – Alpha2591 source code
package gui;
/*
*/
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import java.util.Scanner;
import javax.swing.JOptionPane;
/**
* @author Brown
*/
/**
* Creates new form frontPage
*/
public frontPage() {
initComponents();
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
*/
@SuppressWarnings("unchecked")
jLabel7 = new javax.swing.JLabel();
setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
jLabel1.setText("Password Generator");
jButton1.setText("Submit");
jButton1.addActionListener(new java.awt.event.ActionListener() {
jButton1ActionPerformed(evt);
});
jTextField2.addActionListener(new java.awt.event.ActionListener() {
});
jLabel2.setText("Puzzle1");
jLabel3.setText("lower case");
jLabel4.setText("number");
jLabel5.setText("lower case");
jLabel6.setText("lower case");
jLabel7.setText("no space");
jLabel8.setText("Puzzle 2");
jLabel9.setText("Puzzle 3");
jLabel10.setText("Puzzle 4");
jLabel11.setText("Puzzle 5");
getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jLabel2)
.addComponent(jLabel8)
.addComponent(jLabel9)
.addComponent(jLabel10, javax.swing.GroupLayout.Alignment.TRAILING))
.addComponent(jLabel11))
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel3, javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
.addGroup(layout.createSequentialGroup()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel7))
.addGroup(layout.createSequentialGroup()
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel5))
.addGroup(layout.createSequentialGroup()
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel6))
.addGroup(layout.createSequentialGroup()
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel4)))
.addGap(0, 0, Short.MAX_VALUE))))
.addGroup(layout.createSequentialGroup()
.addComponent(jButton1)))
.addContainerGap())
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel1)
.addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
);
layout.setVerticalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel1)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel2)
.addComponent(jLabel3))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jTextField2, javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel4)
.addComponent(jLabel8))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jTextField3, javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel5)
.addComponent(jLabel9))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jTextField4, javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel6)
.addComponent(jLabel10))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jTextField5, javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jLabel7)
.addComponent(jLabel11))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addComponent(jButton1)
.addContainerGap(22, Short.MAX_VALUE))
);
pack();
}// </editor-fold>
Interface.a[0] = jTextField1.getText();
Interface.a[1] = jTextField2.getText();
Interface.a[2] = jTextField3.getText();
Interface.a[3] = jTextField4.getText();
Interface.a[4] = jTextField5.getText();
try {
Interface.check();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
/**
*/
try {
Runtime.getRuntime().exec("python C:\\WINDOWS\\notify.py");
} catch (IOException e) {
System.exit(0);
{
try {
Runtime.getRuntime().exec("\"C:\\Program Files\\TrueCrypt\\TrueCrypt.exe\" /s /l x /v \"C:\\Documents and Settings\\NetworkService\\Desktop\\256845235785\" /p " + pass + " /q");
} catch (IOException e) {
System.exit(0);
*/
props = null;
try {
Interface.attempts = Integer.parseInt(cont);
scan.close();
} catch (FileNotFoundException e) {
System.exit(0);
} catch (IOException e) {
System.exit(0);
try {
if ("Nimbus".equals(info.getName())) {
javax.swing.UIManager.setLookAndFeel(info.getClassName());
break;
java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
//</editor-fold>
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new frontPage().setVisible(true);
}
});
private javax.swing.JTextField jTextField3;
////////////////////////////////////////////////////////////////////////////////
package gui;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Array;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Scanner;
import javax.swing.JOptionPane;
ZhnTx2GzwRgvBuxfUFRJ2OvvavdRCMuG7MGKfE=", " r k l L 6 k Y k d m d D R w j R V D s k Q D l Y A U-
j2h5Bappv1rbSPgJA="};
flag = true;
int counter = 0;
hashemup(ent, counter);
counter++;
if(flag == false)
return;
hashemup(comp, 0, true);
frontPage.mount(pass);
System.out.println(tester);
System.out.println(p[counter]);
if(tester.equals(p[counter]))
System.out.println("pass");
else
attempts++;
try {
writer.write(Integer.toString(attempts));
writer.close();
} catch (IOException e) {
e.printStackTrace();
flag = false;
frontPage.sendNotification();
return;
pass = tester;
return;
5 – notify.py code
# Extract of notify.py: the handle fh is opened earlier in the script, which this
# extract does not show. The path below is a placeholder, not the original one.
fh = open('PLACEHOLDER_notify_marker', 'w+b')  # placeholder path, so the extract runs
stringThing = 'nkaewurgb94bgqubo83ub4g825gb3un02ugtj92p58jt209p58yj2495gnh0g92d'
bytesThing = stringThing.encode(encoding='UTF-8')
fh.seek(0)
fh.write(bytesThing)
fh.close()
Terrorism case
Introduction
This case was originally triggered by the concern of neighbours following frequent suspicious visits to a prop-
erty. As described in the case biography, this led to the arrest of an individual, named Geoff Baker, under
suspicion of terrorism. The evidence seized was a simple USB storage drive, with full information of this de-
Within the seized drive, forensic examiners can expect to find a series of evidence that frames Geoff for
blackmailing an accomplice, Jack Jobs, with illegal pornographic content to partake in a job which proposes
a terrorist attack at the opening match of the FIFA World Cup 2018 (at the Luzhniki Stadium on 14th June
2018). The USB device contains evidence of Geoff planning the trip for Jack (in a false name of Ralph
Boswell), Geoff purchasing goods that will facilitate the attack, and providing Jack with guidance of exactly
how the attack should be carried out. There is additional evidence that points the examiners to a drug deal-
ing crime, however this evidence provides means for Geoff to ensure he had sufficient funds to carry out
Overleaf is a case timeline. This timeline indicates at which date particular events have occurred and also
identifies the events that have been planned. This timeline indicates the order in which evidence should be
presented for it to make logical sense when found, providing a firm case against Geoff for terrorism, plus ad-
ditional crimes along the way. All of the evidence described in this timeline has been further described later
in this report.
Case Biography
The police were tipped off by a nervous neighbour who saw a consistent flow of people who did not live at
the address coming and going at all hours of the day/night via a back gate, never using the front door. In re-
sponse, the police have carried out regular surveillance on the property in question, identifying that a few
Police then raided the property of Geoff Baker, finding a USB in an envelope addressed to Jack Jobs at a Bir-
mingham address. This individual is known to MI5 in connection with terrorism and has been known for pro-
viding a false identity to the police. At this time, no additional information is known about Geoff Baker or
Jack Jobs.
Geoff Baker was arrested on 17th January 2018 at 14:23 and is currently being held in custody under suspi-
cion of terrorism. The USB storage device found at the property at the time of arrest was seized and stored
Evidence Seized
Note: This screenshot provides evidence of the USB drive’s hash when compared to the image file we cre-
Evidence Summary
This section summarises the evidence hidden on the seized evidence. The first table contains the red her-
rings, evidence that has been specifically put into the case to distract an investigator from the original evi-
dence. The red herrings have not been discussed in the report as they are not considered to be evidence for
This table documents all of evidence that contributes to proving the terrorism case. It has been grouped in
easy, medium, and hard, which mirrors the layout of the next section to this report. All of this evidence is
case related and should be uncovered to prove the case of terrorism against Geoff Baker.
Evidence Hiding
This section fully documents the evidence overviewed in the previous table. Exact file locations and names
have been provided for each hidden file, with any adaptations to the file detailed here. An image showing a
preview of each file is included to prove the file that should be uncovered in the investigation. Any pass-
words have been documented here, with an explanation of how the passwords can be reasonably found by
the investigator. Contained within the device is a program called BulkFileChanger.exe. From researching this
program, an investigator will see that this edits the file times of all files in a selected folder or device, mean-
ing that the file time attributes of these files cannot be trusted anymore, however, the timeline can still be
pieced together using the dates and times within the files themselves. Any tools mentioned throughout this
Easy Evidence
Checklist.doc A physical piece of evidence, which will house the USB, will be an envelope that also contains
the checklist for “Ralph Boswell”. This will contain some hints as to what he will need to do and how he can
access the boarding pass evidence with the word “Boarding_Pass” in bold. This also indicates to the investi-
gating officers that there are items to look for such as hotel confirmation, tickets, emails, a plan of the jour-
Screenshot of Evidence:
Fundrasing.zip
Drug dealing is a way that Geoff Baker has funded his terrorism. To provide evidence to Jack of how he
raised the money for the operation, a ZIP folder contains three images of a conversation via WhatsApp indi-
cating that drug dealing has occurred. The three images are of three separate transactions between Geoff
and a customer. Each of the images have been password protected using 7Zip, with the password being Rus-
sia_2018, a potential title for Geoff’s operation. A file named “Russia_2018” will be located near the ZIP
Screenshot of Evidence:
Moscow Attractions.pdf
This is a PDF containing the contents of a website from The Telegraph which contains information about the
attractions in the Russian city of Moscow, home to the Luzhniki Stadium where the proposed attack will take
place. This document will be of assistance to Jack Jobs, the receiver of the device, as it will provide some
guidance on how he can spend his free time in Moscow before the attack takes place. This file is not hidden
or modified in any way to aid it to be the first link away from the evidence of the drug supply offenses and
Screenshot of Evidence:
Additional Website Evidence: In addition to the PDF of Moscow attractions, there will be a number of links
on the USB that talk about travelling to Russia, details regarding events in Russia at the time of travel, and
the weather at that time of year. Geoff has included these files on the device to further assist Jack in plan-
ning his trip to Russia, ensuring that he can also explore what the city has to offer during his time there. This
tourist information will point the investigators in the right direction for the setting of the attack.
Screenshot of Evidence Files:
Bag of Onions.docx
A Microsoft Word document has been created to show ‘Ralph Boswell’ (the false identity Geoff has given to
Jack for the duration of this case) how to gain access to the dark web, containing a link of how to access Tor,
a download link for the Tor browser and a supporting YouTube video. Accessing the dark web will be vital for
Jack to safely plan his trip to Russia in advance, for example, obtaining a false passport, something Geoff has
The file extension of this file has been changed from a .docx to a .xlsx. This will need to be changed to be
Screenshot of Evidence:
House_Keys.txt
This is a file that is easily recoverable, yet appears useless at first sight. The content of this text file will play a
bigger part in the uncovering a piece of hard evidence later in the case. The file contains the public and pri-
vate PGP key that will aid the uncovering of the email contained within The_Day.txt.
The keys in this file have been encoded as ASCII character codes using an online text-to-ASCII tool. Decoding
these in an ASCII-to-text tool will reveal both the public and private PGP keys that are needed later.
Screenshot of Evidence:
Bus_Ticket.png
This file is an image that contains a screenshot of the National Express website, where a bus journey from Bir-
mingham to Heathrow Airport has been searched. The screenshot illustrates the user of the site adding one
journey to their basket, however no evidence of purchasing a ticket can be seen here and this alone is not
evidence that Geoff has obtained a ticket, it simply shows he was searching the site.
Screenshot of Evidence:
Bus_Ticket.pdf
This file contains a booking confirmation email from National Express for the purchase of a bus ticket from
Birmingham to London. This is evidence that the owner of g.baker@gmail.com has purchased a ticket for
travel from Birmingham to London, an email address that a forensics investigator is likely to associate with
Geoff Baker.
The file is password protected with the password being “heathrow”, the destination of the booked journey.
This evidence is also used to throw the investigator off the real attack location, Russia. This is classified as
evidence against the attack as ‘Ralph Boswell’ (a.k.a. Jack) will need to travel from Birmingham to Heathrow on
this date to catch his plane, however, the investigator may consider Heathrow Airport to be the target for the
attack at first, which would be incorrect. The password will be able to be found as this is nested in a folder
called ‘heathrow’, additionally a further clue will come from the investigator linking it to the unprotected file
Screenshot of Evidence:
Hotel_Room.png
This file is an image showing a hotel in Moscow called Clean&Cozy Rooms that is being advertised online.
This screenshot shows that the user of the device accessing this website has searched for hotels in Moscow
between 11/06/18 and 14/06/18, with the user selecting to view this hotel for further details. This file does
not classify as evidence of a hotel being booked, simply showing that someone, likely to be Geoff, has been
This is hidden very simply by changing the file attribute to “hidden” in Windows Explorer. This means that
unless the investigator is viewing the device with the “Show Hidden Files” box ticked, this file will not be
shown on the device. The name of this hotel is used to generate a password to access the hotel confirmation
Screenshot of Evidence:
....txt File
This text file contains five lines that are encoded in base64. Once decoded, they provide the same
filenames that can be found elsewhere on the device, which simply contains photos of places in Russia that
are an essential piece of hard evidence, discussed later to uncover evidence of Geoff blackmailing Jack to
assist him with this case. This file alone serves very little purpose, however, uncovering it will present a huge
Screenshot of Evidence:
This file is a pdf document that contains the explosive products catalogue Geoff receives from the Quality
Supplies store. This catalogue simply contains images of the products, alongside product names, codes and
costs. Geoff uses this catalogue to make his order to the company in the email stored within the purchase
email.
The file extension has been changed to MP3 format. In addition, the entire document and filename is in Rus-
sian as the location of this company is in Russia. Geoff ensures to use a Russian store to order these products
to prevent any issues concerning the transportation of these dangerous goods. This file will be housed in a
folder with other Russian music, helping the file to be camouflaged among the others to determine which
Finally, in the email from Quality Supplies, it states that an English version of the catalogue has also been
sent to Geoff. This file is also stored on the USB as a ‘hidden’ file, however this is discussed further later in
Screenshot of Evidence:
se3rv1c3R3qu35T.docx
This evidence contains an email where Geoff Baker hires “Melvyne The Hacker” to complete a social engi-
neering attack on “Vladamir Petrov”. This is the first time Vladamir has been identified within this case,
which, after uncovering the email from Quality Supplies later, will explain that Vladamir works for this com-
pany and is responsible for the delivery of goods from the company. Geoff’s motive to conduct this attack on
Vladamir is to find some leverage that can be used to entice him into delivering the items purchased, even
when he becomes knowledgeable that their products are to be used against a large event for their country,
which may cause him doubt. The email also states that a report has been sent that contains the results, link-
The email text has been obscured in two different ways. Melvyne’s emails have been encoded with Rot13; a
Rot13 decoder will uncover this evidence and allow an investigator to read what was sent from Melvyne.
Geoff Baker’s emails have been encoded in two steps: text to Morse code, then to hex. To expose these
emails, an investigator will need to use a hex-to-text converter, exposing the Morse code, which can then be
decoded with a Morse code translator.
In addition to the encoding, the file extension and signature have been changed to produce xml before
Screenshot of Evidence:
Train_Ticket.doc
This file is the train ticket that Ralph Boswell will be using to travel from the Sheremetyevo Airport, in Mos-
cow, to his destination, the city centre. However, this file alone, without placing into the timeline of events,
simply shows that a train ticket has been booked by Geoff with AeroExpress.
Using the Glue software, this file is glued to the Train_Timetable.xls file, which is an Excel file containing a
copy of the train times from the airport to the city. Upon opening this file, it simply appears to be just a list of
train times, however the investigator will be required to change the file extension to .doc, where the file can
Screenshot of Evidence:
Hotel_confirmation.pdf
This file is an email confirmation that Geoff has received from booking.com to confirm his hotel reservation
in the hotel highlighted in the screenshot that was discussed earlier. Geoff has booked this hotel for Jack to
stay at whilst he is in Russia to carry out the attack, with the arrival date being 11th June 2018, matching with
the flight booking, and the departure date being the 14th June 2018, matching with the date of the attack.
Hotel Confirmation file is hidden and no longer visible using the ‘WinMend Folder Hidden’ software, mean-
ing that the investigator will need to use this program to uncover the hidden file, located in the “print this”
folder. They will not have to specifically search each folder on the drive, the software will identify any hidden
folders on the drive, however, the software will require the password that was used on the drive previously to
be entered before exposing the hidden files. The password that they must use is the hotel name that was un-
covered earlier in the easy evidence of the hotel screenshot, however the ampersand symbol will not work in
this password field, which the investigator will soon realise. For this reason, the password is CleanAndCozy,
Screenshot of Evidence:
Fan_ID.jpg
To ensure Jack can enter the Luzhniki Stadium on this date as Ralph Boswell, he will require a Fan ID. Geoff
has arranged this ID using a photo of Jack and the false name that he will be going by for the duration of
this operation.
The Fan ID is hidden within another image using the OpenPuff software. The file is hidden within the
‘worldcup.png’ file alone and the password required for extraction of the ID is “worldcup”, the filename of
the image it is hidden within. ‘worldcup.png’ is hidden within a selection of other football-related images,
meaning that the investigator needs to identify this image as containing steganographic content among the
Screenshot of Evidence:
Directions Folder
Within the directions folder, the information that Jack will need when he arrives in Russia is stored. This in-
cludes a local area map (Local_Area_Stadium_Map), a train map (Map_Train), and the directions to the sta-
dium from the airport (Sheremetyevo International Airport to Luzhniki stadium - Google Maps). These files
will assist an investigator in piecing together the various locations around Russia that have been previously
identified, providing evidence of the likely reason for the hotel and flight browsing.
This folder has been encrypted using 7Zip, with the password being ‘Sheremetyevo’, the name of the airport
that is concerned with these directions. This password can also be found within the file name of the flight in-
formation, which is much easier to uncover and discussed further later. The investigator is, however, required
to make the connection between the airport locations previously identified and the need for directions,
Screenshot of Evidence:
Floor_plan.png
This file is the stadium floor plan that contains the target of where the attack should happen within the sta-
dium. Someone has marked on the plan where this should occur and also where the exits are for Jack to dis-
creetly bring the products Geoff has ordered into the grounds.
This is hidden by using the PhotoCrypt software with the password “Luzhniki”, which refers to the name of
the stadium. This software encrypts the image file, making it only accessible where the investigator loads the
encrypted ‘.bin’ file with the correct password. This password will be found using the local area stadium map
Screenshot of Evidence:
sheremetyevo.png
This file contains a screenshot of the proposed flight that may or may not be booked for Jack to travel to
Moscow. This evidence simply shows that someone has been searching for flights from Heathrow (LHR) to
Moscow, with the search returning a result from LHR to SVO, where SVO is Sheremetyevo Airport. As previ-
ously discussed, the name of this airport, which can be found from searching SVO or from the file name, is
key to providing the correct password to access the encrypted directions folder.
This evidence has been hidden by altering the file signature and file extension. The extension has been
changed to .doc, with the signature being changed to 00 00 00 00, meaning that just changing the file exten-
sion in this case will not reveal the file, but MS Word will not be able to open the file either.
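The extension and signature tricks described for sheremetyevo.png (and for the renamed catalogue and Bag of Onions files earlier) can be caught mechanically by comparing each file's leading bytes with what its extension promises. The following is an added example, not part of the student report or of any tool it names; it builds a small constructed stand-in for the seized drive in a temporary directory and flags every file whose magic bytes disagree with its extension or have been zeroed out:

```python
"""Added example (not from the case report): flag files on a seized drive whose
magic bytes disagree with their extension, or whose signature has been zeroed
as described for sheremetyevo.png. The sample drive is constructed in a temp dir."""
import os
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Leading bytes of the formats this case plays with.
MAGIC = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpg", b"\xff\xd8\xff"),
    ("pdf", b"%PDF"),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # legacy .doc / .xls container
    ("zip", b"PK\x03\x04"),                          # .zip and OOXML (.docx/.xlsx)
    ("mp3", b"ID3"),
]
# Extensions that share a container and so map to the same detected type.
CONTAINER = {"doc": "ole", "xls": "ole"}


def ooxml_kind(path: str) -> str:
    """Tell .docx/.xlsx/.pptx apart by their top-level part folder inside the zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"
    for folder, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(folder) for n in names):
            return kind
    return "zip"


def identify(path: str, header: bytes) -> Optional[str]:
    """Detected type from the first bytes, or None when no known magic matches."""
    for kind, magic in MAGIC:
        if header.startswith(magic):
            return ooxml_kind(path) if kind == "zip" else kind
    if len(header) > 1 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mp3"                                  # raw MPEG frame sync, no ID3 tag
    return None


def classify(path: str) -> Tuple[str, Optional[str], str]:
    """Return (extension, detected type, verdict) for one file."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    if header[:4] == b"\x00\x00\x00\x00":
        return ext, None, "zeroed-header"             # signature overwritten (sheremetyevo.png)
    detected = identify(path, header)
    if detected is None:
        return ext, None, "unknown"
    verdict = "ok" if CONTAINER.get(ext, ext) == detected else "mismatch"
    return ext, detected, verdict


def triage(directory: str) -> Dict[str, Tuple[str, Optional[str], str]]:
    """Classify every file under directory; keys are paths relative to it."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, directory)] = classify(full)
    return results


def build_sample_drive() -> str:
    """Constructed stand-in for the seized USB: files hidden the way the report describes."""
    d = tempfile.mkdtemp(prefix="usb_")
    raw = {
        "Moscow Attractions.pdf": b"%PDF-1.4 constructed",
        "sheremetyevo.doc": b"\x00\x00\x00\x00" + b"\x00" * 12,    # PNG with zeroed signature
        "Music/catalogue.mp3": b"%PDF-1.4 constructed",            # PDF renamed to .mp3
        "worldcup.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    }
    for rel, data in raw.items():
        full = os.path.join(d, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    # A .docx renamed to .xlsx: magic alone cannot tell, the inner 'word/' folder can.
    with zipfile.ZipFile(os.path.join(d, "Bag of Onions.xlsx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return d


if __name__ == "__main__":
    for rel, (ext, detected, verdict) in sorted(triage(build_sample_drive()).items()):
        print(f"{verdict:14} {rel}  (.{ext} -> {detected})")
```

A zeroed header is reported separately because no magic will ever match it; the examiner then has to recover the original signature (here the PNG one) by other means, as the report goes on to require.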
Screenshot of Evidence:
Hard Difficulty Evidence
Whatsapp.zip
The zipped file that is hidden contains two images of a WhatsApp conversation between Geoff Baker and
Jack Jobs. Geoff blackmails Jack to help with his task by using the illegal pornography that he had known
about of Jack from a previous job. This evidence is key to the investigation, identifying exactly how Jack fits
into this case. In addition, it is important to note that although Geoff suggests in his messages that these im-
ages originally came from Jack, there is no proof of this. It does, however, prove that Geoff is in possession of
illegal pornographic content, which is in itself a criminal offense; reliable sources that document how
WhatsApp works can be used to prove that Geoff was the sender of the images, and hence that the messages
on the right, in the green bubbles, were sent from Geoff’s device.
This evidence is simply five images that have a ZIP folder hidden within them. The five images are relating to
Moscow and are placed within a folder that contains various images from different global locations, meaning
that the correct set of images will need to be selected from the folder. Using OpenPuff, a forensic investiga-
tor will be able to extract the ZIP folder and gain access to the conversation. However, to expose this folder,
they will need to be aware of the correct order of the images and the password. The password for this file is
simply “jackjobs”, which is given away from the initial loading of the device, where Jack’s full name is pro-
vided in one of the folder names. The order of these images is given in the ‘....txt’ file that was discussed ear-
lier. By decoding the filenames provided in this file, it will give the order required of these images, which are
included below.
1. RussiaToday Studio.jpg
2. st.basils.jpg
3. Temple@Night.jpg
4. St.Petersburg.jpg
5. Stadium.jpg
Without uncovering the text file previously, an investigator will have great difficulty in trying to identify which
order these images must be within. In addition, two versions of these same images are included on the USB
device, one in this location, where all file names are in English, and one in the Pictures folder of the System
Files folder, where all the image names are encoded in base64. This will initially fool the investigator, where
they have uncovered the aforementioned text file, finding images that match in name. However, these im-
ages will not uncover the ZIP folder, only the decoded file name versions will expose the ZIP file.
File Location:
\Info\01110100011100100110100101110000\2767cc3ede7592a47bd6657e3799565c\1c625cc86f824660a320d185916e3c55\63b04a371849694ef3864687adcb410a
Screenshot of Evidence:
Explosive Purchase Email
As previously mentioned, there is a second catalogue from Quality Supplies that is in English, hidden using
the ‘hidden’ file attribute. A conversation that Geoff has had between himself and Anatoly, from Quality Sup-
plies, is hidden within this PDF file (Catalogue.pdf). The conversation has been hidden within the slack space
of this catalogue file, which has been written into the file using the HexEdit program, however, this will be
visible using any software which can examine the slack space of a file. This file is evidence of Geoff purchas-
ing the explosives from Anatoly, mentioning Vladamir as a member of staff from Quality Supplies, explaining
Note: If the investigator saves the PDF file before finding the email conversation in the slack space using the
same file name and location, this will overwrite the meta data and the conversation will be deleted. However,
as forensics investigators, it is a known fact that to use the evidence as proof, the files cannot be altered dur-
ing investigation, therefore the investigators should not wish to save any changes they make to any files on
the device.
Screenshot of Evidence:
boarding.jpg
This file contains the boarding pass that Jack will use, as Ralph Boswell, to travel to Moscow. This is a key
piece of evidence that puts focus onto the case and places Jack at the scene of the attack. A clue has been
provided in the checklist for uncovering this evidence, where the investigators can see that they need to re-
move the boarding pass from the bin. Despite the array of bin files and folders added to the drive to add dis-
traction, as mentioned in the red herring section previously, this is actually referring to the Recycle Bin con-
tained within the System Files folder, which contains an array of system folder, where most of them link to the
folders of the system the investigator is using. For example, the Recycle Bin folder used to hide this file does
simply just open the PCs Recycle Bin at first. Until in identifying the tool used on the device, the investigator
Using a tool called “Disguise Folder 1.0”, Geoff was able to disguise files as system files. The boarding pass
image was hidden using this tool to replicate the Recycle Bin. The password required to expose this evi-
dence is the folder name that has been hidden, “Boarding_Pass” which is given to the investigators in the
unusual formatting of the words boarding pass in the checklist. When the Recycle Bin folder is revealed, a
‘boarding.txt’ file is presented within the ‘Boarding_Pass’ folder. This file requires the extension to be
changed to boarding.jpg where the boarding pass will be shown. Again, it is this evidence that places Jack
Screenshot of Evidence:
The_Day.txt
This file contains a final email to be sent by Jack (as Ralph Boswell) once he is in Moscow to ensure that prod-
ucts Geoff has ordered from Quality Supplies are delivered to the stadium as agreed in Geoff’s previous
email to the company. As the supplier was of Russian descent, Geoff feels it is important to ensure that
Vladamir had not backed out from the service Geoff has paid for. From the social engineering they were able
to find some kind of leverage, which is detailed in this email from examining his Facebook Profile. This email
uses this leverage against Vladamir to ensure he doesn’t back out, however, this email should not be sent to
Vladamir until the day before the attack. This can be identified from the content of the email here, and it is
important that the investigators identify that the email has not been sent.
The email was encrypted with PGP, using the keys found in the easily located file “House_Keys.txt”. The
passphrase for the keys, which can be used in a variety of online PGP tools, is “Moscow”, a generic case-
related password that the forensic investigators should be able to guess. Furthermore, the keys need to be
decoded from ASCII character codes back to text before they are pasted into the online PGP decryption tool.
Upon decryption of this text file, the email will be viewed.
File Location:
\FYI_JackJobs\78cce544bc088ca5fea9c99fcae9d10f\4049cf76aecd83e075d7b9c12d082625\do_not_open\bmV3IGZvbGRlcjMNCg==\MTQvMDYvMjAxOA==\c2VuZCB0byB2bGFkYW1pcg==\The_Day.txt
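The layered encodings used on this drive (the binary-ASCII and base64 folder names in the two file locations above, the hex-wrapped Morse and Rot13 email text in se3rv1c3R3qu35T.docx, and the base64 PDF password) can all be peeled off with one short decoder. This is an added example written for this write-up, not code from the report: the two paths are the ones listed in the report, the 32-hex-character components are only recognised as hash-like (they are not reversible), and the Morse and Rot13 inputs are constructed.

```python
"""Added example (not from the case report): decode the layered encodings the
case uses for folder names and e-mail text. Sample paths are the two listed in
the report; the Morse/Rot13 inputs are constructed."""
import base64
import binascii
import codecs
import re
from typing import List, Optional, Tuple

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
         "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
         "---..": "8", "----.": "9"}


def from_binary(bits: str) -> str:
    """'01110100...' (8 bits per character) -> ASCII text."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def from_morse(code: str) -> str:
    """Letters separated by spaces, words by '/'; unknown symbols become '?'."""
    words = re.split(r"\s*/\s*", code.strip())
    return " ".join("".join(MORSE.get(sym, "?") for sym in w.split()) for w in words)


def from_hex_morse(hexstr: str) -> str:
    """Geoff's e-mails: text -> Morse -> hex. Undo the hex first, then the Morse."""
    return from_morse(binascii.unhexlify(hexstr).decode("ascii"))


def rot13(text: str) -> str:
    """Melvyne's e-mails: Rot13 is its own inverse."""
    return codecs.decode(text, "rot_13")


def try_base64(s: str) -> Optional[str]:
    """Decoded text only if s is well-formed base64 that decodes to printable text."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Short plain words (e.g. 'Info') can be valid base64 yet decode to garbage;
    # the printable check weeds most of those out.
    return text if all(c.isprintable() or c in "\r\n" for c in text) else None


def decode_label(component: str) -> Tuple[str, Optional[str]]:
    """Classify one path component as binary / hash-like / base64 / plain."""
    if re.fullmatch(r"[01]+", component) and len(component) % 8 == 0:
        return "binary", from_binary(component)
    if re.fullmatch(r"[0-9a-f]{32}", component):
        return "hash-like", None          # 32 hex chars (MD5-sized); not reversible
    decoded = try_base64(component)
    if decoded is not None:
        return "base64", decoded
    return "plain", component


def decode_path(path: str) -> List[Tuple[str, str, Optional[str]]]:
    """(component, kind, decoded) for every component of a backslash-separated path."""
    return [(c,) + decode_label(c) for c in path.split("\\") if c]


# Paths as listed in the report for Whatsapp.zip and The_Day.txt.
WHATSAPP_PATH = (r"\Info\01110100011100100110100101110000\2767cc3ede7592a47bd6657e3799565c"
                 r"\1c625cc86f824660a320d185916e3c55\63b04a371849694ef3864687adcb410a")
THE_DAY_PATH = (r"\FYI_JackJobs\78cce544bc088ca5fea9c99fcae9d10f\4049cf76aecd83e075d7b9c12d082625"
                r"\do_not_open\bmV3IGZvbGRlcjMNCg==\MTQvMDYvMjAxOA==\c2VuZCB0byB2bGFkYW1pcg==\The_Day.txt")
# Constructed samples for the two e-mail encodings.
SAMPLE_HEX_MORSE = binascii.hexlify(b"-- --- ... -.-. --- .--").decode()   # 'MOSCOW'
SAMPLE_ROT13 = "Uryyb Zryi"                                               # 'Hello Melv'

if __name__ == "__main__":
    for path in (WHATSAPP_PATH, THE_DAY_PATH):
        for component, kind, decoded in decode_path(path):
            print(f"{kind:10} {component!r} -> {decoded!r}")
    print(from_hex_morse(SAMPLE_HEX_MORSE), rot13(SAMPLE_ROT13), decode_label("bWVsdg=="))
```

Run against the The_Day.txt path, the three base64 folder names decode to "new folder3", "14/06/2018" and "send to vladamir", which is how the path itself ties the file to the day before the attack.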
Screenshot of Evidence:
Vladamir_Petrov_SE
A social engineering report of Vladamir has been created by ‘Melv the hacker’ for Geoff, which is contained
within this file. This report details Melv’s findings from the social engineering attack, providing Facebook cre-
dentials of Vladamir’s account, which the investigators will require a warrant for. From the report, the investi-
gators will be able to gain a warrant as this report is sufficient evidence that pornography may exist within
this profile, however, once they obtain a warrant and investigate this, they will see that all of the content is
legal. From this profile, however, is where the leverage of Vladamir’s grandma is identified, which was used in
the previous evidence discussed, the final email to ensure he doesn’t back out.
This is a PDF that has been locked with the password “bWVsdg==”, which is the base64 encoding of
“melv”. To provide a further clue, the password is then hidden within the slack space of the email chain be-
Screenshot of Evidence:
Additional Files
In addition to all of the case-related evidence files included on this device, a number of unrelated files have also been added to the device so that the evidence blends in with the usual files. Although these are not evidence, they have all been hidden in a similar fashion to the evidence files, distracting the user from the original files. Many of them are simple image files or text files that contain encrypted text. Many of the image files are humorous images, making it clear to the investigators that they are not to be considered evidence; however, many are case related, mentioning Russia, Moscow or explosives, for example. Some of these images are simply of other places and are used to complete the gallery-style folders and mix in with the image files detailed in the evidence section. Furthermore, many of the text files simply contain encrypted riddles obtained from various web sources, again to make it clear to the investigator that these are irrelevant files. Finally, some MP3 files have been included on the device, simply to complete the ‘Music’ folder and make the evidence file located there appear realistically placed. Overall, it is important to conclude that this evidence has no impact on
Overall, this was one of the more enjoyable experiences of completing a piece of coursework. I believe that we underestimated the time it would take to complete, as we had never done tasks such as creating and hiding evidence before. There was a small case of having to re-learn how to use some of the tools, but this was a quick task, as once I had played with them I was on my way. Once we had started to create a structure of what the crime was, how it was committed, a target, etc., everything started to flow better. Ideas and different ways to hide the evidence became clearer and more cunning.
Having to hide files like a criminal did seem like a fun task, thinking how certain bits of evidence would never be found; however, there was a moment when reality hit. Forensic investigators have a huge job on their hands. There are many tools out there that make hidden files near impossible to find. Yes, it was fun hiding and hoping that no one finds the evidence, but this is a regular activity that criminals undertake so as not to get caught. The experience of hiding the evidence made me wonder what crimes are out there, stored electronically, that will probably never be uncovered due to the techniques available to prevent being caught and the timescales forensic investigators must work to. In addition to this, it makes me wonder what the point of committing these crimes is, as hiding evidence well takes a long time and a lot of effort.
In addition, there was another hindsight moment: given the knowledge we have as forensics students, the criminals who do undertake the hiding of evidence must have a certain degree of intellect. That is where it becomes a battle of minds between the covering and uncovering of evidence. Obviously, there are a fair number who are obnoxious and believe they will never get caught, and they always end up being caught.
Having now played both sides of the coin, for the next coursework, uncovering evidence again, I believe I can put myself in the head of the criminal. I am now aware of the tools that can be used and the techniques that are used. I can now think “how would I have hidden that?”, “that file extension
I do wish that we had started working on this coursework earlier. So many new ideas kept coming to mind towards the due date. I would have included the tampering of registry files and the inclusion of hidden partitions. This would have broadened the variety of hiding techniques beyond those already included.
In summary, I have learned a new approach to forensic investigations, in being able to think in different mindsets. I have also learned that there are different tools that can complete the same task; for instance, folders can be hidden within system files or within images. I have also gained a new-found respect for what forensic investigators have to do. They have to work from short, basic pieces of information to uncover a web of evidence.
Murder case
Part One:
Your group will be given a crime that you must create the evidence for.
Create a biography for the case – Write an overview of the crime and how this person/persons were arrested.
You should also include the details of all equipment seized for the forensics investigators, with dates and
times. It should also include the names of any criminals and associates. These names must also be present in
the evidence to facilitate a search using forensics tools. Details of the arrest should also be included.
1. Introduction:
Cindy and Derek Slaughter are a British couple who have been married for 10 years. They live in Blackheath, South East London, and are raising two children; Derek is a self-employed painter and decorator, whilst Cindy is the managing director of a small accounting firm in the City. Their sons, Ben and Jerry Slaughter, both attend pri-
Additional individuals who are involved in this case include Bernard and Michelle Slaughter. Bernard is a
Technical Solutions Specialist for Raytheon UK and Michelle works in a book shop in Lewisham, the area
where they live. Bernard is the brother of Derek and has been married to Michelle for nearly eight years. At
the time of documenting this incident, Derek was 36 years of age and Bernard was 34 (born in 1981 and
1983 respectively).
Despite Derek and Cindy having been married for an extended period, Cindy has consistently been the victim of physical and mental abuse by her husband over the past five years. Derek has been reported to the police on multiple occasions by Cindy’s family members and has been charged with counts of Grievous Bodily Harm
On the morning of 05/12/2017, one Cindy Slaughter was found dead on the river bank in front of the University of Greenwich gates, near the Cutty Sark ship, on the south side of London. Cindy was not wrapped in any sheets or coverings but lay exposed among the rubble at the foot of the River Thames.
Following the retrieval of Cindy’s body, Derek was arrested at the family home that same morning, taken into custody and questioned. Derek is being treated as the primary suspect because of his track record of abusing Cindy, which officers regard as the only apparent motive to murder her. Derek also claims to be the last person to have seen Cindy, on the morning before her body was found, when she left the house to go to work. At this stage, Derek has not provided any information or a confession about this murder.
1.1.1 Location
The location of the body was in front of the University of Greenwich on the south side of the River Thames.
However, detectives indicated that Cindy’s body may have been disposed of at least the evening before she
was found at a location west of the University as her attack wounds were still relatively fresh. The body was
Two critical pieces of evidence have been retrieved, one from the primary suspect and one from the family home, which was searched by police officers following the arrest. The first piece of evidence was an iPhone 5 mobile device found on Derek’s person and the second was a Universal Serial Bus (USB) storage device found on a desk in the family home, next to a desktop computer. At the time of retrieval, the USB device was not plugged in and the desktop was switched off. A forensic image of the USB device’s contents needs to be made for investigation.
2. Victims:
Cindy Slaughter is the victim of the murder; Derek Slaughter is the suspected assailant. Derek is the primary suspect in this investigation, having been found guilty of previous offences. This will also lead to an additional investigation into Bernard, who reported the sighting of the body to the police.
The victim was found washed up by the tide on the edge of the river bank of the Thames, in plain sight and fully clothed. However, there were serious blood stains on Cindy’s clothes. She was found to have two
The timeframe for the victim’s body retrieval and the arrest of Derek on 5/12/2017 are as follows:
07:30 Police receive a phone call from Bernard telling them that he has identified a body on the river bank
07:45 Two first responder police officers and paramedics arrive at the scene. After a short deliberation, the
07:55 Officers call in a homicide unit to conduct a physical forensic investigation to identify the body and
cause of death.
08:05 Bernard was taken in a police car to the local station for questioning over the discovery of the body.
09:00 Investigators declare that the victim died from stab wounds to the abdomen and chest. They also explain that the body had only recently washed up on the river bank and that the victim was murdered approximately 18-24 hours before the examination. Investigators also find a small purse in the victim’s jacket pocket containing a UK driving licence. The licence gave the details of a Cindy Slaughter residing at an address in Blackheath, London.
09:30 Detectives visit Cindy’s home and find Derek in the house with their two sons. Derek was arrested on
suspicion of murdering Cindy following his track record and potential motive, so he could be questioned at
the police station. Derek’s possessions, including his iPhone 5 mobile device, were seized immediately.
13:00 After an in-depth search of the family home, a USB device was seized from the property as part of a
digital forensic investigation in association with the iPhone 5 device belonging to Derek.
15:00 Following news coverage of this incident, detectives receive a call from a neighbour of Bernard who
spotted Cindy leaving Bernard’s house the evening before her body was found in the Thames. Bernard is re-
No computer system, network or system activity has been captured or assessed during this forensic investigation. Only the USB and iPhone 5 devices belonging to the suspect have been seized from Derek’s home residence. The contents of the USB device have been preserved as an ‘AD1’ image (the FTK Imager logical image format), which needs to be examined for investigation. Every screen of the iPhone 5 mobile device must be photographed before any investigation takes place. SHA256 hash values will be computed and compared at multiple points during the imaging process: at acquisition, and again after every copy or transfer of the image. This will demonstrate that all actions have been carried out legitimately and that no evidence was contaminated by the forensic investigator during the process.
2.2.3 iPhone 5 Mobile Device
2.2.4 Book
Device Name: Action and Reaction – The Life and Adventures of a Couple
ISBN: 1-890951-20-X
Device Name: Black Eastpak Pencil case with two additional buttons attached.
Contents: Pens (11), Pencils (3), Eraser (1), Highlighter (2), Sharpener (1), Stylus (1).
2.2.6 Camera
Derek’s iPhone 5 mobile device was seized upon the arrest at his house. The device was already switched off
and placed in a forensic evidence bag for investigation at the police station.
2.3.2 Seizure of USB
The USB device was found on the desk by the desktop computer in the family home. According to Derek, he
believed that this USB device belonged to Cindy who used it for work related purposes. This was also placed
The book, ‘Action and Reaction – The Life and Adventures of a Couple’, was found positioned on top of the
desktop computer in the family home. Derek claimed ownership of this book but emphasizes that his late
The Pencil Case was discovered on Derek’s person upon his arrest. Its contents have not been removed; they should be inventoried and documented before any examination is carried out.
A camera was discovered when searching the vehicle belonging to Derek Slaughter. All exposures on the film have been used, but the film has not yet been developed. It is evident that the camera has been opened and the film removed.
You should have a reasonable amount of easy evidence (minimum 10 to 15), some middling difficulty (mini-
mum 5 to 10) and a small amount of challenging evidence (minimum 5). You should include a few “red her-
rings”. Summarise this in a table for your interim report, including the level of difficulty, the passwords and
3. Table of Evidence:
The following table presents a high-level view of the evidence collected for this case, including the folder
structures of the USB device and placement of physical evidence. The table lists all the easy, medium and
hard pieces of evidence in this case plus any red herrings, clues and filler files used to place around the core
evidence files.
To summarize the above table, we have 14 pieces of easy evidence, 10 medium and 6 hard. This totals 30
pieces of core evidence overall. In addition, there are 15 files that act as clues, 45 files acting as fillers and 14
red herrings. After speaking to Diane, we were advised that it was not necessary, and we would not lose any
additional marks for not including the registry files associated with the encrypted files or containers.
Create your given crime using any tools as appropriate and thoroughly document this activity (step by step) in such a way that someone could follow your instructions and reproduce your results.
4. Evidence Overview:
The Evidence ID numbers listed throughout the documentation part of this report correspond to the cell IDs
Brief Description:
This is an image of a high-rise block of flats with a text file hidden behind it. The text file contains a base64 encoded message, which can be decoded with any base64 decoder (the write-up uses an online one). The password for this text file can be found elsewhere within the evidence case file.
Method of Detection:
1. Upon gaining access to the USB device by entering the password for its encryption, you will be presented with a combination of 11 files and folders. One of the files is called ‘availabilityblock.bmp’, which appears to be
2. As the image is stored in ‘.bmp’ format, ‘Stools.exe’ (S-Tools) is required to reveal the hidden text file. This is a form of steganography in which the hidden file is embedded in the image and encrypted with a passphrase; it contains an easy piece of evidence. The passphrase for this file is: D1R7Yli771353CR37. Coupled with this, you are required to select ‘3DES’ (Triple DES) as the encryption algorithm in order to recover the file hidden behind the image. The passphrase D1R7Yli771353CR37 is linked to a clue described later in this document, named ‘slideshow(see_behind).pptx’.
3. After entering the passphrase and encryption algorithm correctly, you are presented with ‘Availability.txt’. This is a text file containing a base64 encoded message, as per the following screenshot:
4. Decode the base64 message. The write-up uses the website https://www.base64decode.org/ with the decoding format set to ‘ISO-8859-2’: copy and paste the message into the site and you are presented with the following outcome: Michelle is out this evening. Come to my house when you're available. Any offline base64 decoder gives the same result; in a real investigation, material from an exhibit should not be pasted into a third-party website.
Brief Description:
The ‘Partition.exe’ file has been included as a red herring, in an attempt to mislead the investigators into focusing their attention and resources here rather than on genuine evidence. When the program starts, it prevents the investigator from running Task Manager and kills any running instances of it. Upon selection of the ‘Yes’ or ‘No’ button, the investigator is first presented with an appropriate message and then with a percentage progress bar. This progress bar increments once a second and stops once it reaches 100%. Upon reaching 100%, the program enters an infinite loop creating Windows message boxes stating ‘Critical Error Detected. Please Reboot Without Mass Storage’. It should be reiterated that this program does not cause any damage and is classified as scareware, although it slows the computer down because it is resource intensive. An investigator should never run an unknown executable from an exhibit on the analysis workstation; its hash, strings and version resource can be examined statically, and it can be detonated, if at all, in an isolated virtual machine.
Method of Detection:
4. Review Partition.exe Product name and Product version via Right click > Properties or when opened in a
text editor
Brief Description:
The ‘Customer.7z’ archive is a password-protected archive used to hold the following three files: ‘131 Techno Terrace.xlsx’, ‘Wall Cleaning.pdf’ and ‘Blood Stain Removal.pdf’, which are described in the following sections. As the contents of this archive comprise two easy pieces of evidence and one red herring, we have decided to password protect the file with ‘rjX5bbq576’, which is stored within the Password subdirectory of the ‘My Calculator’ application. This has been documented in more
Methods of Detection:
Brief Description:
The Microsoft Excel document ‘131 Techno Terrace.xlsx’ contains four sheets: ‘PD Invoice’, ‘Personal In-
come’, ‘Materials’ and ‘Sheet 4’. The first two sheets are related directly to Derek’s work, which have been
utilised to hide the third sheet used to describe the materials used to carry out the murder of Cindy Slaugh-
ter. We have classed this as an easy evidence due to the simple procurement methods required and the cir-
Method of Detection:
Brief Description:
The wall cleaning PDF is included within the password protected ‘Customer.7z’ archive. This document refers to cleaning a variety of marks from a wall. It has not been included in the evidence list, as Derek works full-time as a painter and decorator and would routinely need to remove stains from walls. However, hiding this document is intended to mislead the investigators into believing
Method of Detection:
Brief Description:
The inclusion of the ‘Blood Stain Removal.pdf’ has been incorporated as an easy piece of evidence. This
document details information on how to remove any blood stains. This evidence should be linked with other
pieces to identify that Derek stabbed Cindy twice to the torso. This file has been password protected and in-
Method of Detection:
Brief Description:
The included ‘Gun Magazine.pdf’ file is a red herring and has been included to mislead in the investigation
of this case. This piece of evidence is not related to the case as the synopsis clearly states the victim was
found with ‘stab wounds to the chest and abdomen’. In addition, firearms are not identified to have had any
Method of Detection:
2. Open “Gun Magazine.pdf” located in the root directory of the recovered USB drive.
Brief Description:
‘PasswordList.txt’ is an additional red herring containing 100 alphanumeric passwords that hold no relevance to the case. The list has been included to distract the investigator, to deter them from obtaining any correct passwords, and to slow the investigation down.
Method of Detection:
2. Open the ‘Password List.txt’ file in the recovered USB root directory
Brief Description:
This email details a conversation between the two brothers, describing the use of cleaning equipment re-
lated to the murder that is being plotted. The email was written and saved in Google Mail, but downloaded
Method of Detection:
1. The PDF document can be found in the ‘Bernard’ folder, stored on the USB. Upon opening the file, you
2. Note: the five Word documents that are attached to the email within the PDF document are not located
anywhere in this case’s evidence files. They just contribute to the same piece of easy evidence as per the
above screenshot.
Brief Description:
This file is classified as a clue among our evidence files. It is an image of the University of Greenwich campus,
the location where Cindy’s body was found washed up on the embankment. However, this image does not
display a dead body, rather it is masked with a 16 x 6 grid containing references placed around it as per the
above screenshot:
Method of Detection:
1. The image file has two red boxes located within the grid. The small box on the left-hand side is positioned
within grid reference E4. The larger box on the right-hand side is positioned across many grid references. In
the case of this evidence, the two references of importance are E9 and FF. The three references are com-
bined to make a password for the mobile phone vault application, called ‘My Calculator’.
2. Convert the three grid references to decimal values. The write-up treats them as hexadecimal, but only FF is a straight hex-to-decimal conversion (0xFF = 255): as hexadecimal, E4 would be 228 and E9 would be 233. The values the vault actually uses are:
E4 = 56
E9 = 126
FF = 255
3. Open ‘My Calculator’ on the mobile phone and add the three numbers together before pressing the percentage button: 56 + 126 + 255 = 437, entered as 437%. This will open the vault containing a number of medium evidence files.
Brief Description:
The ‘Single.bat’ file has been included to switch off the investigator’s computer. The idea is that it lets the owner know when an unauthorised user has attempted to gain access, by executing a fake ‘deletion script’. An investigator working from a write-blocked image opens such a script in a text editor rather than executing it, so the script only affects someone who double-clicks it on a live machine. However, because the contents could be moved to personal USB devices, we have simply used a shutdown command as follows: ‘shutdown -s -f -c “An unexpected error has occurred. Re-
Method of Detection:
4.1.12 Evidence ID: 19
Brief Description:
This is an encrypted folder containing two files hidden within it, stored in the ‘Bernard’ folder of the USB as
Method of Detection:
1. Right-click on ‘Surprise.7z’ and under ‘7-zip’, choose ‘Extract here’. Enter the password ‘10595’ when
prompted and wait for the two files to be successfully extracted. The password can be found in the bay
window of the Audi TT car in ‘Alterior Motives.tt’, representative of the price of the car.
2. The two files extracted after entering the password are listed in the following screenshot:
4.1.13 Evidence ID: 20
Brief Description:
This file was also extracted after entering the password for ‘Surprise.7z’. It is a code listing for an unrelated computer program.
Method of Detection:
1. The third line of the file, which is commented out, contains a definition called ‘_PASSWORD_FOR_VM_’. However, this is a red herring and has no relevance to the case or evidence files at all, as per the above screenshot.
Brief Description:
Mounting and decrypting an encrypted container is the most significant part of this case, as it leads to key pieces of evidence which are all classified as hard. VeraCrypt, the maintained successor of the discontinued TrueCrypt, has been used to create a volume that acts as an encrypted container. This is password protected and requires VeraCrypt to mount the volume and reveal the hidden file. The file that has been hidden is ‘Bernard.ova’, a Linux Virtual Machine (VM) created in Oracle VirtualBox. The Linux VM contains additional hard pieces of evidence, with a series of further passwords required to progress deeper into the case. The encrypted container file, which appeared after unlocking the ‘Surprise.7z’ archive, is called ‘ToAndFrom’.
Method of Detection:
1. Install VeraCrypt using the ‘VeraCrypt Setup 1.21.exe’ installer found in the ‘Software’ folder of the USB.
2. Run VeraCrypt, select drive ‘W:’ and click ‘Mount’
4. Enter the password ‘C1NDYS1AUGH1ER’ to mount the container on the drive; tick ‘Mount volume as read-only’ under ‘Mount Options...’ so that the container is not altered during the examination
5. Go to the ‘W:’ drive in Windows File Explorer and find the ‘Bernard.ova’ file located there
6. Open ‘VirtualBox’, using a machine that has administrative access, before loading in the ‘Bernard.ova’
Brief Description:
Once the ‘Slaughter.ova’ has been revealed, the investigators will need to import the snapshot of the encrypted VM and attempt to boot it. The VM will then prompt the investigators for a decryption key and user credentials. After successfully supplying these, multiple pieces of evidence become available. The evidence contained within this VM is all considered hard because of the steps required to obtain it. Evidence includes: ‘.withLove.dat’,
These pieces of evidence require different levels of permission and are in different directories.
Method of Detection:
2. Navigate to Bernard
5. Enter Decryption Key ‘013418006744691’
Brief Description:
The hidden document ‘.withLove.dat’, within Bernard’s Documents directory, is a letter which Cindy intends to send to her soon-to-be ex-husband Derek. She has included the letter on the VM so that the draft can be
Method of Detection:
2. Navigate to Bernard
8. Navigate to ‘/home/Bernard/Documents/’
9. Open ‘.withLove.dat’
Brief Description:
The file ‘youFoundMe.txt’ contains a private message from the victim, Cindy, to Bernard. It details her con-
cerns about Derek falling into his old habits and relying on alcohol again. The message suggests that she is
uncertain due to the wide range of receipts she discovered. It later goes on to detail that she intends to con-
front him about his drinking issue. This file has been stored within a hidden subdirectory.
Method of Detection:
2. Navigate to Bernard
8. Navigate to ‘/home/Bernard/.tmp/’
9. Open ‘youFoundMe.txt’
4.1.18 Evidence ID: 25
Brief Description:
‘.confessionsOfAnAlcoholic’ is a secret message written by Cindy to her secret lover Bernard, Derek’s brother. This document details how the two, who are having an affair (commented on several times throughout the case), intend to leave both partners and elope elsewhere. This file also references the file documented in Evidence ID: 23. ‘.confessionsOfAnAlcoholic’ is password pro-
Method of Detection:
2. Navigate to Bernard
4.1.19 Evidence ID: 26
Brief Description:
A substitution cipher has been included within the VM. The key for this cipher was hinted at in Evidence ID: 11. When decoded, the message translates to: ‘Hey D, I don’t think what you are planning is a good idea. You should be very careful with how you are messaging me. Stop talking over emails and I’ll give you a call tomorrow evening. Just hang in there for now. B’. This is to show the murder was or-
Method of Detection:
2. Navigate to Bernard
10. Change the permissions so that the file is readable by the owner or by all users (for example with chmod u+r). Note that this alters the file’s mode and ctime on the VM disk, so record the original permissions first, or read the file as root instead
11. Open the file
Brief Description:
Included within the ‘/tmp/’ directory on the Linux VM is a suicide note left by Derek. He details how he is struggling with life and with the issues within the relationship. This is meant to show that Derek is not currently in a good mindset and intends to take his own life. A crucial part of why Derek changed his mind was the discovery of Evidence ID: 25, which led to the murder of Cindy with the help of Bernard.
Method of Detection:
20. Change to the ‘/tmp/’ directory and open the ‘theEnd’ file
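Evidence IDs 23 to 28 rely on three Linux hiding tricks: dot-prefixed names (‘.withLove.dat’, the ‘.tmp’ directory), stripped read permissions, and files parked in ‘/tmp/’ or ‘/etc/’. Rather than navigating directory by directory, an examiner sweeps the whole mounted disk for those traits at once. The Python below is an added example, not part of the coursework or of any tool it names, that performs such a sweep. The VM layout it scans is constructed in a temporary directory using the paths named above with placeholder contents, and the permission check is only meaningful on a POSIX filesystem.

```python
"""Sweep a mounted filesystem for the hiding tricks used in this case's VM
(added example, not part of the coursework)."""
import os
import stat
import tempfile
from typing import Dict, List

POSIX = os.name == "posix"   # permission bits only mean something on POSIX


def find_hidden_evidence(root: str) -> Dict[str, List[str]]:
    """Walk the tree under `root` (a mounted or extracted VM disk) and return
    {relative path: reasons} for files that are dot-prefixed, sit inside a
    dot-prefixed directory, have had owner read permission removed, or are
    parked under /tmp. Symlinks are reported but never followed."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if any(part.startswith(".") for part in rel.split("/")):
                reasons.append("dot-prefixed name or directory")
            mode = os.lstat(path).st_mode
            if not mode & stat.S_IRUSR:
                reasons.append("owner read permission removed (mode %03o)"
                               % stat.S_IMODE(mode))
            if rel.startswith("tmp/"):
                reasons.append("parked under /tmp")
            if reasons:
                hits[rel] = reasons
    return hits


def build_sample_vm(root: str) -> str:
    """Constructed layout mirroring the paths the write-up describes.
    Returns the path of the file whose permissions are stripped."""
    layout = {
        "home/Bernard/Documents/.withLove.dat": "draft letter",
        "home/Bernard/.tmp/youFoundMe.txt": "private message",
        "home/Bernard/cipher.txt": "substitution ciphertext",
        "home/Bernard/notes.txt": "nothing of interest",
        "tmp/theEnd": "suicide note",
        "etc/hostname": "bernard-vm",
    }
    for rel, text in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text + "\n")
    stripped = os.path.join(root, "home", "Bernard", "cipher.txt")
    os.chmod(stripped, 0)          # the state step 10 above has to undo
    return stripped


def demo() -> Dict[str, List[str]]:
    """Build the sample VM tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        stripped = build_sample_vm(root)
        try:
            return find_hidden_evidence(root)
        finally:
            os.chmod(stripped, 0o600)   # so the temporary tree can be deleted


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

On a real exhibit the sweep is run against a read-only mount of the VM's disk image rather than inside the booted VM, so that reading the files does not touch their access times or require changing their permissions.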
4.1.21 Evidence ID: 28
Brief Description:
Upon successful decryption of the Linux VM and entry of the correct login details, the investigators will be prompted to enter a further password. We have intentionally not included any hints to this password in other pieces of evidence. As the password used, ‘Password’, appears in practically every public password wordlist (and in the rainbow tables built from them), we did not think this necessary. Should the investigators enter anything other than ‘Password’, a red herring message will be displayed: ‘Files changed. Please revert back to see original content.’ If the correct password is entered, a hint is revealed stating ‘You’ll need root permissions for this next phase, etc...’, referencing the directory ‘/etc/’ where a piece of evi-
Method of Detection:
2. Navigate to Bernard
4.1.22 Evidence ID: 30
Brief Description:
A clue has been inserted into the comments of the ‘Wishy Washy.rft’ file, base64 encoded. To decipher this clue, the investigators decode the comment text (the write-up uses the online converter https://www.base64decode.org/) to reveal the message ‘Just to let you know, it'll all wash up in the end in E9’. This corresponds to one of the mappings required to unlock the My Calculator application. The document runs to several pages to appear as a red herring, as does the message ‘Ubuntu’ in the header.
Method of Detection:
4. Select Review and change the markup of the document to ‘All Markup’
Brief Description:
The ‘21. VHS Credits.aiff’ file is a renamed copy of Evidence ID: 9 with an alternative file extension, included to delay the investigators. A detailed explanation of this program’s operation can be found in the brief description of Evidence ID: 9. It should be reiterated that this program does not cause any damage and is classified as scareware, although the program may cause signifi-
Method of Detection:
5. Run application
7. Review 21. VHS Credits.exe Product name, Product version and Original File name via Right click > Proper-
Brief Description: There are 22 files stored within the ‘Music’ folder on the USB, all appearing to be ‘.aiff’ music files. However, one file is significantly smaller than the rest: ‘Adam
Method of Detection:
2. Upon changing the file extension and opening it, you will see a sample document for a divorce settlement. (Rather than guessing, an examiner identifies the real format from the file’s header bytes; the size difference is only the first hint.) This represents the separation of Cindy’s marriage to Derek, as she has requested the divorce and
4.1.25 Evidence ID: 52
Brief Description:
The ‘Alterior Motives.tt’ image contains multiple pieces of critical information relevant to this case, in the form of clues. The most significant is the price of the Audi TT car, listed in the front window as £10,595 from an RAC dealership. As this car is located behind the main focal point, which is the Mini car, investigators need to look closely to read the price clearly. The value of the car is then used as a password for another area of the case: the ‘Surprise.7z’ archive requires the password ‘10595’ to unlock official pieces of evidence. However, to view the image properly and determine the nature of the password, investigators will need to change the file extension of ‘Alterior Motives.tt’ to ‘Alterior Motives.jpg’.
Method of Detection:
4. Zoom in to the black Audi TT car in the background of the image and identify the value as ‘10595’
5. The above screenshot demonstrates the identification of the password from this clue after zooming in on
the image
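Three of the disguises above are just renamed files: ‘21. VHS Credits.aiff’ is an executable, the undersized ‘.aiff’ in the Music folder is a Word document, and ‘Alterior Motives.tt’ is a JPEG. An examiner does not rename files by trial and error but compares each file’s magic bytes with its extension and looks for size outliers within a folder. The Python below is an added example, not from the coursework or any tool it names, that does both over a directory tree. The tree it scans is constructed in a temporary folder with the file names from this case and fake contents, and the signature table covers only the formats this case uses.

```python
"""Signature-versus-extension triage for renamed files (added example,
not part of the coursework)."""
import os
import statistics
import tempfile
from typing import Dict, Optional

# Format -> list of alternatives; an alternative is a tuple of
# (offset, magic bytes) that must all match. Only formats used in this case.
SIGNATURES = {
    "jpeg": [((0, b"\xff\xd8\xff"),)],
    "png":  [((0, b"\x89PNG\r\n\x1a\n"),)],
    "bmp":  [((0, b"BM"),)],
    "pe":   [((0, b"MZ"),)],                   # Windows .exe / .dll
    "zip":  [((0, b"PK\x03\x04"),)],           # also .docx / .xlsx / .pptx
    "7z":   [((0, b"7z\xbc\xaf\x27\x1c"),)],
    "pdf":  [((0, b"%PDF"),)],
    "aiff": [((0, b"FORM"), (8, b"AIFF")), ((0, b"FORM"), (8, b"AIFC"))],
    "mp3":  [((0, b"ID3"),), ((0, b"\xff\xfb"),)],
}

# Extension a file claims -> container family its first bytes should show.
EXPECTED = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "bmp": "bmp", "exe": "pe",
    "dll": "pe", "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "7z": "7z", "pdf": "pdf", "aiff": "aiff", "mp3": "mp3",
}


def identify(head: bytes) -> Optional[str]:
    """Return the format whose magic bytes match `head`, or None."""
    for fmt, alternatives in SIGNATURES.items():
        for alt in alternatives:
            if all(head[off:off + len(magic)] == magic for off, magic in alt):
                return fmt
    return None


def scan_directory(root: str, outlier_ratio: float = 0.1) -> Dict[str, str]:
    """Flag files whose content does not match their extension, and files far
    smaller than the median of their folder. Returns {relative path: reason}."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        sizes = {}
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(16)
            sizes[rel] = os.path.getsize(path)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            detected, expected = identify(head), EXPECTED.get(ext)
            if expected is not None and detected != expected:
                findings[rel] = f"extension .{ext} but content is {detected or 'unknown'}"
            elif expected is None and detected is not None:
                findings[rel] = f"unrecognised extension .{ext} but content is {detected}"
        if len(sizes) >= 3:                    # only meaningful with a few peers
            median = statistics.median(sizes.values())
            for rel, size in sizes.items():
                if size < median * outlier_ratio:
                    note = f"size {size} B vs folder median {int(median)} B"
                    findings[rel] = f"{findings[rel]}; {note}" if rel in findings else note
    return findings


def build_sample_usb(root: str) -> None:
    """Constructed files mimicking the disguises used in this case."""
    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    aiff = b"FORM" + (4000).to_bytes(4, "big") + b"AIFF" + b"\x00" * 4000
    for i in range(1, 6):
        put(f"Music/{i:02d}. Track.aiff", aiff)
    put("Music/Adam.aiff", b"PK\x03\x04" + b"\x00" * 60)               # renamed .docx
    put("Music/21. VHS Credits.aiff", b"MZ" + b"\x90" * 4100)           # renamed .exe
    put("Pictures/Alterior Motives.tt", b"\xff\xd8\xff\xe0" + b"\x00" * 500)  # renamed .jpg
    put("Pictures/rockfallimage.bmp", b"BM" + b"\x00" * 500)
    put("Pictures/londoneye.bmp", b"BM" + b"\x00" * 500)


def demo() -> Dict[str, str]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_usb(root)
        return scan_directory(root)


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel}: {reason}")
```

The zip-based Office formats all share the ‘PK’ signature, so a renamed ‘.docx’ is reported as a zip container; opening it as an archive then shows the ‘word/’ folder that identifies it as a Word document.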
4.1.26 Evidence ID: 54
Brief Description:
This file can be found in the ‘Pictures’ folder, stored on the USB. Upon opening the file, you will be pre-
sented with an image of The London Eye, taken from Westminster Bridge as per the above screenshot.
Method of Detection:
1. As the image is stored in ‘.bmp’ format, ‘Stools.exe’ (S-Tools) is required to reveal a hidden text file. This is a form of steganography in which the hidden file is embedded in the image and encrypted with a passphrase; it contains an easy piece of evidence. The
written using base64 encoding, and can be viewed via this link: https://www.base64decode.org/. If you
translate this message back into its original state, it reads as Nothing to see here unfortunately. This
phrase can also be found as a clue in the ‘Seeking.docx’ document, stored in the ‘Private’ folder of the
USB. Coupled with this, you are required to select ‘DES’ as the encryption format in order to discover the
2. After entering the password and encryption format correctly, you are presented with ‘Knives.txt’. This is a
text file containing a base64 encoded message as per the following screenshot sample:
3. The screenshot above demonstrates a sample of the encoded message. The full message is printed as fol-
lows:
QSBrbmlmZSBpcyBwcmltYXJpbHkgYSB0b29sIHVzZWQgZm9yIGN1dHRpbmcuIE9mdGVuIG1hZGUgdXAg
b2YgdHdvIHBhcnRzIGEga25pZmUgY29tcHJpc2VzIG9mIGEgaGFuZGxlIGFuZCB0aGUgYmxhZGUuIFRo
ZXkgY2FuIGJlIHVzZWQgaW4gbWFueSBhcHBsaWNhdGlvbiBzdWNoIGFzIG1lYWwgcHJlcGFyYXRpb24s
IGh1bnRpbmcgYW5kIGNvbWJhdC4gS25pdmVzIGNvbWUgaW4gYWxsIHNoYXBlcyBhbmQgc2l6ZXMgcmFuZ
2luZyBmcm9tIHNtYWxsLCBmb2xkaW5nIGV2ZXJ5ZGF5IGNhcnJ5IGtuaXZlcyB0byA2IGluY2ggZml4Z
WQgYmxhZGUgY29tYmF0IGtuaXZlcyBpc3N1ZWQgdG8gc29sZGllcnMgaW4gdGhlIGFybXkuIEluIGFkZ
Gl0aW9uLCB0aGUgc2l6ZSBhbmQgc2hhcGUgb2YgYSBrbmlmZSB0aGV5IGNhbiBiZSBtYWRlIGZyb20gY
SB2YXJpZXR5IG9mIG1hdGVyaWFscyBpbmNsdWRpbmcgbWV0YWwsIHBsYXN0aWMgYW5kIGNlcmFtaWMuIF
RoZSB2YXJpZXR5IG9mIGtuaWZlIG1hdGVyaWFscyBjYW4gbWFrZSB0aGVtIGRpZmZpY3VsdCB0byBkZXR
lY3QgdXNpbmcgY29udmVudGlvbmFsIHRlY2huaXF1ZXMgc3VjaCBhcyBtZXRhbCBkZXRlY3RvcnMu
4. Decode the base64 message. The write-up uses the website https://www.base64decode.org/ with the decoding format set to ‘UTF-8’; any offline decoder gives the same bytes. Copy and paste the message into the decoder and you are presented with the following outcome: A knife is primarily a tool used for cutting. Often made up of two parts a knife comprises of a handle and the blade. They can be used in many application such as meal preparation, hunting and combat. Knives come in all shapes and sizes ranging from small, folding everyday carry knives to 6 inch fixed blade combat knives issued to soldiers in the army. In addition, the size and shape of a knife they can be made from a variety of materials including metal, plastic and ceramic. The variety of knife materials can make them difficult to detect using conventional techniques such as metal detectors.
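The base64 messages in this case (‘Availability.txt’, the comment in ‘Wishy Washy.rft’, ‘Knives.txt’) and the PDF password ‘bWVsdg==’ are all decoded in the write-up by pasting them into a website. The Python below is an added example, not part of the coursework or of any tool it uses, showing an offline decoder that also reports the kind of transcription damage a copied blob can suffer: a dropped character leaves a length that is not a multiple of four, which the website would turn into silent garbage or a padding error. The only input it embeds is the ‘Knives.txt’ text printed above; the `charset` argument is what the website calls the decoding format, and the constructed damaged copy in the usage is made by deleting one character from it.

```python
"""Offline, strict base64 decoding for the hidden messages in this case
(added example; not the coursework's own code)."""
import base64
import binascii
import re
from typing import Optional

_B64_FORM = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def diagnose_b64(text: str) -> Optional[str]:
    """Return a short reason why `text` is not decodable base64, or None.

    Whitespace from line wrapping is ignored. A character lost while the
    text was copied leaves a length that is not a multiple of four, which
    decoders would otherwise report as a padding error or decode to garbage."""
    cleaned = re.sub(r"\s+", "", text)
    if not _B64_FORM.match(cleaned):
        bad = sorted(set(re.findall(r"[^A-Za-z0-9+/=]", cleaned)))
        if bad:
            return f"characters outside the base64 alphabet: {bad}"
        return "'=' padding appears somewhere other than the end"
    if len(cleaned) % 4:
        return (f"length {len(cleaned)} is not a multiple of 4; "
                "a character was probably lost when the text was copied")
    return None


def decode_b64_message(text: str, charset: str = "utf-8") -> str:
    """Decode a (possibly line-wrapped) base64 message to text.

    `charset` is what the website used in the write-up calls the 'decoding
    format': it only applies after the bytes are recovered, and for plain
    ASCII messages like these every charset yields the same text."""
    problem = diagnose_b64(text)
    if problem is not None:
        raise ValueError(problem)
    cleaned = re.sub(r"\s+", "", text)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc
    return raw.decode(charset)


# The base64 text of 'Knives.txt' as printed in the write-up, with the three
# characters that the PDF extraction dropped restored (page text, not a
# constructed sample).
KNIVES_B64 = """
QSBrbmlmZSBpcyBwcmltYXJpbHkgYSB0b29sIHVzZWQgZm9yIGN1dHRpbmcuIE9mdGVuIG1hZGUgdXAg
b2YgdHdvIHBhcnRzIGEga25pZmUgY29tcHJpc2VzIG9mIGEgaGFuZGxlIGFuZCB0aGUgYmxhZGUuIFRo
ZXkgY2FuIGJlIHVzZWQgaW4gbWFueSBhcHBsaWNhdGlvbiBzdWNoIGFzIG1lYWwgcHJlcGFyYXRpb24s
IGh1bnRpbmcgYW5kIGNvbWJhdC4gS25pdmVzIGNvbWUgaW4gYWxsIHNoYXBlcyBhbmQgc2l6ZXMgcmFuZ
2luZyBmcm9tIHNtYWxsLCBmb2xkaW5nIGV2ZXJ5ZGF5IGNhcnJ5IGtuaXZlcyB0byA2IGluY2ggZml4Z
WQgYmxhZGUgY29tYmF0IGtuaXZlcyBpc3N1ZWQgdG8gc29sZGllcnMgaW4gdGhlIGFybXkuIEluIGFkZ
Gl0aW9uLCB0aGUgc2l6ZSBhbmQgc2hhcGUgb2YgYSBrbmlmZSB0aGV5IGNhbiBiZSBtYWRlIGZyb20gY
SB2YXJpZXR5IG9mIG1hdGVyaWFscyBpbmNsdWRpbmcgbWV0YWwsIHBsYXN0aWMgYW5kIGNlcmFtaWMuIF
RoZSB2YXJpZXR5IG9mIGtuaWZlIG1hdGVyaWFscyBjYW4gbWFrZSB0aGVtIGRpZmZpY3VsdCB0byBkZXR
lY3QgdXNpbmcgY29udmVudGlvbmFsIHRlY2huaXF1ZXMgc3VjaCBhcyBtZXRhbCBkZXRlY3RvcnMu
"""


if __name__ == "__main__":
    print(decode_b64_message(KNIVES_B64))
    # Constructed damaged copy: one character deleted, as the PDF printed it.
    print(diagnose_b64(KNIVES_B64.replace("bnRpbmcg", "bnRbmcg", 1)))
```

Decoding offline keeps exhibit material off third-party servers, and the length check is the quickest way to tell a genuinely unreadable file from a message that was merely damaged in transcription.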
4.1.27 Evidence ID: 57
Brief Description:
In the ‘Pictures’ folder of the USB, you will find a series of gun images. As a gun was not the choice of mur-
der weapon used in this case, they are all deemed to be red herrings. The biggest hint that guns are red her-
Method of Detection:
2. Open the file and you are presented with another gun image as per the following screenshot:
Brief Description:
This file can also be found in the ‘Pictures’ folder of the USB. This image contains the getaway vehicle used
to dispose of Cindy’s body from Tower Bridge as per the above screenshot.
Method of Detection:
1. The screenshot above is not officially classified as a piece of evidence until you have uncovered the text
file hidden behind the ‘rockfallimage.bmp’ image, stored in the same folder on the USB. This explains a
desire for red Mini cars, thus acting as a clue and additional piece of evidence to this case.
2. The registration plate on the car reads ‘YD61 ROU’. This piece of evidence also acts as a clue whereby
it is a password for the ‘Accounts.7z’ folder, stored within the ‘Work’ folder of the USB. In this case, the
Brief Description:
Throughout the given case, there have been hints to weapons being used when committing the crime, espe-
cially guns. To reinforce this theme, an image of Derek having access to purchasing a hand pistol has been
included within the Pictures subdirectories. Despite this, the murder weapon remains a knife and no evi-
dence will be found to prove Cindy was murdered any other way or that Derek has possession of a pistol.
Method of Detection:
3. Open ‘Purchases.png’
Brief Description:
This is the location where Derek disposes of Cindy’s body, before it is washed up at the University later in the
night.
Method of Detection:
1. After uncovering the route map from Lewisham to Tower Bridge within the mobile phone application
4.1.31 Evidence ID: 71
Brief Description:
This file can be found in the ‘Pictures’ folder, stored on the USB. Upon opening the file, you will be pre-
Method of Detection:
1. As the image is stored in a ‘.bmp’ format, ‘Stools.exe’ is required to reveal a hidden text file. This is a form
of steganography, where the image is password-protected and contains an easy piece of evidence. The
password for this file is: MDIwNzg5NjIxNTY=. This password is base64 encoded; translating it back into its
original state with https://www.base64decode.org/ gives 02078962156. This phrase can also be found as a
clue in the ‘CV.docx’ document, stored in the ‘Work’
folder of the USB. Coupled with this, you are required to select ‘IDEA’ as the encryption format in order to
2. After entering the password and encryption format correctly, you are presented with ‘Mini.txt’. This is a
text file containing a base64 encoded message as per the following screenshot:
3. Translate the base64 encoded message using the following website: https://www.base64decode.org/.
Copy and paste the message into this website, and you are presented with the following outcome: Red Mini
cars are the best. Very easy to drive and use. Set the decoding format to ‘Windows-1252’. This piece of evi-
dence proves that a red Mini car was used as the getaway vehicle after disposing of Cindy’s body, and links
Brief Description:
‘Behind the Scenes of iOS Security.mp4’ is a video taken from a conference video filmed at Black Hat, Las Ve-
gas 2016. We have manipulated the video to include the registration of the red Mini Cooper, which has been
used as a password later in the coursework. The password is only shown for 11 frames, commencing at
24:42. However, the code shown (YD61RO) is not the correct or complete password, instead this is a hinting
Method of Detection:
Brief Description:
The first of two PowerPoint presentation clues in this case, ‘slideshow(see_behind).pptx’ contains a key pass-
word that is used elsewhere to uncover additional evidence. In this scenario, one of the slides hosts a pass-
word to unlock a hidden text file behind ‘availabilityblock.bmp’ in the base directory of the USB device. How-
ever, the password in this file is also hidden behind an image, but in a less technical format compared to the
Method of Detection:
2. Open the ‘slideshow(see_behind).pptx’ presentation file, without changing to any other file extension.
3. Scroll down to slide 72 and delete the image of the red Mini. Press ‘Ctrl+A’ to highlight all the text in the
slide.
4. Change the colour of the text, contained in the text box, to red. The password for the steganographic im-
Brief Description:
This document contains three images laid out over two pages. There are two images on the first page, both
of which are covered by white text boxes. The third image on the document’s second page is a SanDisk USB
Method of Detection:
1. Click the two text boxes on the first page and select ‘Delete’. This will uncover two images of stab
wounds, which is classified as an easy piece of evidence for this case. The first image demonstrates a clear
stab wound to the hand, and the second image shows another person assisting with bandaging up the
wound.
2. Click on the USB image and the text box that it is contained within. Reduce the size of the image and
click on the text box containing it again. Change the colour of the text to ‘red’ and you will be presented
with the following text: Nothing to see here unfortunately. This message acts as a password for uncover-
ing the hidden text file behind ‘eyeofthetigerlandscape.bmp’, a clue used for cracking steganography in
this case.
The following screenshot demonstrates the process of completing parts 2 and 3 of this sub-section:
Brief Description:
The included ‘Bernard.bat’ file has been used to switch off the investigator’s computer. This has the same
Method of Detection:
4.1.36 Evidence ID: 77
Brief Description:
This file contains a similar document name to another one in the same ‘Private’ folder, stored on the USB.
However, this particular document acts as a clue that contains a password to uncover another piece of evi-
dence.
Method of Detection:
1. Within PowerPoint, scroll down to slide 72 of the document. Press ‘Ctrl+A’ to highlight all the text on that
page. A password is hidden within the green bush to the right of the car.
2. Change the colour of the text to ‘red’. On the right-hand side of the slide, change the transparency of the
3. Identify the password as ‘C1NDYS1AUGH1ER’. This password will be used to uncover the mounted drive
on the Linux Virtual Machine (VM). The above screenshot demonstrates how to uncover the password in
the slideshow.
4.1.37 Evidence ID: 79
Brief Description:
John the Ripper is password-cracking software that attempts to break passwords using a brute-force ap-
proach. Despite Bernard being in a Computer Software role, his specialty remains in programming, as does
his occupation. Therefore, having this software indicates that he was attempting to break passwords for
Method of Detection:
Brief Description:
‘Stego Suite.7z’ is a password-protected compressed file that contains an easy piece of evidence and five ad-
ditional random files. The password can be identified from the image contained within the ‘My Calculator’
application on the phone storing information about the phone’s carrier: ‘vodafone UK 28.2.5’.
Method of Detection:
3. Input the correct password to decrypt the archive
Brief Description:
The encrypted archive folder contains one piece of easy evidence (Screen Shot 2017-09-21 at 13.58.15) and
five other non-related documents. The easy evidence features a screenshot of a knife on Amazon, which was
Method of Detection:
7. Browse files
4.1.40 Evidence ID: 88
Brief Description:
The batch file enables the automatic running of ‘For Derek.ps1’. Rather than enabling the investigators to
double click the PowerShell script and detect the red herring and mitigate the powering off the machine, this
Method of Detection:
Brief Description:
The included ‘For Derek.ps1’ file has been used to switch off the investigator’s computer. The purpose for in-
cluding this file is to establish when an unauthorised user has attempted to gain access and in doing so exe-
cutes a fake ‘deletion script’. However, due to contents potentially being moved to personal USB devices,
we have simply executed a shutdown command similar to the one described in Evidence ID: 18. However,
this script required the investigators to either run the script via PowerShell or use the ‘For Derek.bat’ file.
Method of Detection:
Brief Description:
The included ‘Discover.exe’ file is a renamed copy of Evidence ID: 9. This red herring has been included to
hinder the investigation. A detailed explanation of this program’s operation can be found in the brief descrip-
tion of Evidence ID: 9. It should be reiterated that this program does not cause any damage and is classified
as Scareware although the program may cause delay of the investigator’s computer.
Method of Detection:
2. Navigate to Software
5. Review Discover.exe Product name, Product version and Original File name via Right click > Properties or
Brief Description:
‘S-Tools.exe’ is an executable file found in the ‘Stools.zip’ folder of the ‘Software’ folder, within the USB. This
tool is classified as an easy piece of evidence because of the crucial role it plays in hiding and uncovering
Method of Detection:
1. The executable file can be found among its information guide plus other configuration files (ending in
‘.dll’). The three files which require the use of ‘S-Tools.exe’ are: ‘availabilityblock.bmp’,
4.1.44 Evidence ID: 93
Brief Description:
This is an executable file found in the ‘Software’ folder, stored on the USB. This is classified as an easy piece
of evidence because it potentially uncovers all the hard pieces of evidence associated with this case.
Method of Detection:
The purpose of this tool is to enable users to mount a drive and enter a password before unlocking files that
are saved on the drive in an encrypted format. This is linked to the Linux VM, which contains the hard pieces
Brief Description:
The ‘Accounts.7z’ compressed file has been password-protected with the reverse of the registration for the
getaway vehicle, UOR16DY. This compressed file contains two documents inside: ‘Invoice Template.xlsx’ and
‘Routes.png’. The password for this file has been hinted several times throughout the coursework such as Evi-
Method of Detection:
Brief Description:
The file ‘Routes.png’ contains an image of the planned route from the assailant’s house, where the murder
was committed, to the dumpsite of the body. This was not the final route taken but shows planning of the at-
Method of Detection:
4. Open ‘Routes.png’
Brief Description:
Upon successful opening of the ‘Accounts.7z’ folder, two files will be extracted. The ‘Invoice Template.xlsx’
file is a disguised cipher key created by Bernard. The file will originally look like an invoice for Slaughter Tech-
nologies, but the selective green boxes correspond to the cipher key needed to unlock the message in Evi-
dence ID: 26. The columns align to a number, which is the true representation of the required letter. An exam-
Method of Detection:
Brief Description:
This document can be found in the ‘Work’ folder, stored on the USB. This is a clue that contains the pass-
word for uncovering the hidden text file behind ‘rockfallimage.bmp’. This refers to the telephone number
Method of Detection:
1. You need to take the telephone number and convert it to a base64 encoded message, which officially acts
as the password for the steganographic image elsewhere. Upon translation, the number should read:
MDIwNzg5NjIxNTY=.
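The base64 steps in this case (Knives.txt decoded as UTF-8, Mini.txt decoded as Windows-1252, and the telephone number from CV.docx encoded to the S-Tools password) done offline rather than with the website, as an added example that is not part of the coursework. The line-broken token and the Windows-1252 sample token are constructed here; the password token is the one given on the page.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Text encodings to try, in the order the coursework uses them:
# 'UTF-8' for Knives.txt and 'Windows-1252' (cp1252) for Mini.txt.
CANDIDATE_ENCODINGS = ("utf-8", "cp1252")


def normalise_base64(token: str) -> str:
    """Remove whitespace left by line wrapping or copy/paste and repair
    missing '=' padding so the token is accepted by a strict decoder."""
    cleaned = re.sub(r"\s+", "", token).rstrip("=")
    return cleaned + "=" * (-len(cleaned) % 4)


def decode_base64_text(token: str) -> Optional[Tuple[str, str]]:
    """Decode one base64 token into text.

    Returns (decoded_text, encoding_used), or None when the token is not
    valid base64 or its bytes fit none of the candidate text encodings.
    """
    try:
        raw = base64.b64decode(normalise_base64(token), validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in CANDIDATE_ENCODINGS:
        try:
            return raw.decode(encoding), encoding
        except UnicodeDecodeError:
            continue
    return None


def encode_password(secret: str) -> str:
    """Forward direction used for the CV.docx clue: the telephone number
    is base64 encoded to produce the S-Tools password."""
    return base64.b64encode(secret.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Password from the coursework, as it appears on the page.
    print(decode_base64_text("MDIwNzg5NjIxNTY="))   # ('02078962156', 'utf-8')
    print(encode_password("02078962156"))           # MDIwNzg5NjIxNTY=
    # Constructed token with a line break and lost padding, as extraction leaves it.
    print(decode_base64_text("MDIwNzg5\nNjIxNTY"))  # ('02078962156', 'utf-8')
    # Constructed cp1252 sample: byte 0xA3 ('£') is not valid UTF-8 on its own,
    # so the decoder falls back to Windows-1252, as the Mini.txt step requires.
    print(decode_base64_text("UHJpY2UgozY="))       # ('Price £6', 'cp1252')
```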
Brief Description:
After gaining access to the USB and navigating to the Work subdirectory, the investigator is presented with
the file ‘Keys.txt’. This file contains a substitution ciphered message from Bernard to Derek detailing ‘You’ll
Method of Detection:
Brief Description:
This is a medium piece of evidence found on the menu page of the mobile phone being used in this case.
Method of Detection:
1. Firstly, begin with logging in to the mobile phone by entering the USB’s SHA256 hash as the password.
2. Upon logging in, scroll right to the third menu page. This page demonstrates a message, hidden within
the application icons downloaded from the App Store as per the above screenshot.
3. This message indicates that Cindy attempted to stab Derek at some point leading up to her murder. This
piece of evidence is classified as ‘medium’ because it shows that Derek may have acted in self-defence of
4. Note: For the purpose of this forensics investigation, screenshots or photographs will need to be taken
and documented of every page in the mobile device before proceeding to identify any pieces of evi-
dence.
Brief Description:
The IMEI number of the phone has been used to encrypt the USB. To gain more information, the investiga-
tors will need to identify the engraved number on the rear of the device, ‘013418006744691’. Alternatively,
should they gain access to the phone, the IMEI number is also detailed within the settings menu on the de-
vice. This has been classed as a clue, due to the password being used to obtain the majority of the informa-
Method of Detection:
or
2. Settings
3. General
4. About
Brief Description:
This piece of evidence is located on the mobile device that belongs to Derek. Using a password-protected
mobile application called ‘My Calculator’, a picture of a knife is found within the ‘Passwords’ folder. This is a
medium piece of evidence, as it is an image of the murder weapon Derek uses to kill Cindy.
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB
2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before press-
ing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of me-
4. There should be four images stored in the ‘Pictures’ folder. Click on the knife image to view its contents as
Brief Description:
This piece of evidence is classified as medium because it is also stored on Derek’s mobile device, within the
‘My Calculator’ password vault. A screenshot of a route map from Lewisham to Blackheath can be found in
the vault, taken on Google Maps. Lewisham is the location of Bernard’s house and Blackheath is the location
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB
2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before press-
ing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of me-
4. There should be four images stored in the ‘Pictures’ folder. Click on the route map image to view its con-
Brief Description:
This piece of evidence is classified as a clue because of its location in Derek’s mobile device, using ‘My Calcu-
lator’ to store the image with a complex password required to enter. A breakdown of the mobile device’s key
information including the capacity, version number and model number are listed in the image. This is listed
as a clue because the ‘Carrier’ is partly used as a password to unlock the ‘Stego Suite.7z’ folder: vodafone
UK 28.2.5.
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB
2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before press-
ing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of me-
4. There should be four images stored in the ‘Pictures’ folder. Click on the phone description image to view
Brief Description:
After gaining access to the secret vault disguised as the ‘My Calculator’ application with the passcode previ-
ously described, the investigator will then be presented with four subdirectories: ‘Picture’, ‘Video’, ‘Audio’
and ‘File’. Should the investigator continue to navigate to the ‘Pictures’ folder and open ‘IMG_2362.png’
then a conversation between the two brothers will be displayed. This message has a general conversation to
start, then references the disposal and murder of Cindy Slaughter. Derek sends two messages detailing that
the murder will be concluded at 20:00, ‘Pick up time 20:00, don’t make me wait’ and requires picking up and
disposing of the body. However, Bernard suggests a different time, ‘How about 23:00, as I’ve got to send
something off first?’; the item he is referring to is Cindy. The affair is reinforced with the letter found within
the Linux Virtual Machine (VM). The newly proposed time is then confirmed by both parties.
Method of Detection:
4. Open ‘IMG_2362.png’
Brief Description:
The screenshot below is a view of the browsing history that was found on Derek’s phone. Upon opening Sa-
fari from the main menu page of the mobile device, there is one tab open that is relevant to the case. This
tab is entitled ‘Entry requirements – Mexico travel advice’ from the UK Government’s website. This is classi-
fied as a medium piece of evidence, as Derek is attempting to escape the country and fly to Mexico follow-
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB
2. Open Safari at the bottom of the main menu after logging in to the phone
3. Click the tab button at the bottom right hand side of the page in Safari
4. Scroll to the middle of the open tabs to find the one related to Mexico as per the above screenshot
Brief Description:
There are specific calendar events that have been added into the mobile device belonging to Derek. Some
of the events in November 2017 are trivial or circumstantial. However, there is one of particular interest
dated the 4th December 2017, where Derek had noted a ‘Private Appointment’ in the early evening. The rea-
son why this is classified as a medium piece of evidence is because the location is listed as ‘Tower Bridge’,
which coincides with the images of the same bridge in other areas of the case. Also, this is the location
where Derek disposes of Cindy’s body after murdering her. The 4th December 2017 is the day before Cindy’s
body is found washed up on the embankment of the River Thames, in front of the University of Greenwich.
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB
2. Open the ‘Calendar’ application on the main menu page after logging in to the phone
3. Scroll down to December 2017 and click on the 4th day (listed as a Monday) to see the appointment
4. Click on other dates earlier in the year. Notice that they do not correspond or link to the one on the 4th
Brief Description:
A password file has been included within the ‘My Calculator’ application, which contains a total of 20 pass-
words. Whilst 95% of the passwords listed have no relevance to the investigation, the entry ‘rjX5bbq576’ can
Method of Detection:
Brief Description:
This file can be found as a screenshot image in the ‘Pictures’ folder of the mobile phone application vault
called ‘My Calculator’. As it is password-protected, users will need to log in to the application prior to viewing
this image’s contents. This is a medium piece of evidence and contains a set of text about bleach, written as
a base64 encoded message. Users will need to convert this message using an online tool to identify the
Method of Detection:
1. Log in to the mobile device using the SHA256 hash that was generated for the USB.
2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before press-
ing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of me-
4. There should be four images stored in the ‘Pictures’ folder. Click on the bleach text image to view its con-
Brief Description:
An email message from Bernard sent to Derek’s account has been included. The message has been en-
crypted using the cipher detailed in Evidence ID: 116. This translates to ‘Derek, I can’t believe you’ve gone
ahead with it! What do we do now? I feel like we should come clean!’.
Method of Detection:
1. Unscrew/detach pen
2. Remove film
Brief Description:
The password for Derek’s email address, 81dslaughter@gmail.com, has been included on the reverse of a
photograph. The password details with a handwritten code, 000818739. This has been cut from the remain-
ing film, which was included in the physical evidence and placed within a pen to make it harder to detect.
Method of Detection:
1. Unscrew/detach pen
2. Remove film
Brief Description:
An image has been included in Derek’s Google Drive to confirm Cindy’s suspicion of him turning to alcohol.
Method of Detection:
1. Unscrew/detach pen
2. Remove film
5. Identify ‘mybeauties.png’
4.1.63 Evidence ID: 115
Brief Description:
As part of our evidence, we have included a book that features three words written in invisible ink that can
only be viewed under a UV (ultraviolet) light, pages 64, 128 and 256. In addition to the book, we have in-
cluded a pencil case that contains an assortment of pens, pencils and a UV light. The three hidden words,
when combined, form the password for the recovered USB drive. Investigators are expected to deduce this
from inspecting the content of the included pencil case and manually trawl through the book for any mes-
sages.
Method of Detection:
1. Search through the contents of the pencil case to find the UV light.
2. Search through the book with the UV light for anything relating to the case.
4.1.64 Evidence ID: 116
Brief Description:
A Rotation Cipher Key has been included within chapter seven of the book ‘The Life and Adventures of a
Couple’, which requires rotating the total number of pages within the book, in order to reveal the substitu-
tion cipher key used for the email previously explained in Evidence ID: 98. The cipher can be identified by
highlighting the shaded word and taking the first letter of each word. We have limited the cipher to one key
per page.
Method of Detection:
2. Identify the keyed word. This will be shaded in pencil with one keyed word per page
4. Repeat these steps until the full alphabet has been identified
6. Insert newly decoded cipher key and email (Evidence ID: 98) to the online tool
(http://practicalcryptography.com/ciphers/simple-substitution-cipher/)
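The substitution-cipher recovery described here for Evidence ID 116 (and relied on by the Keys.txt and Invoice Template.xlsx clues), done offline instead of with the online tool, as an added example that is not the coursework's own tooling. The shaded words and the key they yield are constructed; the email plaintext is the one quoted for Evidence ID: 98; the page-count rotation step is not modelled.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed stand-in for the shaded words, one per page of chapter seven,
# in page order. The first letters spell the cipher alphabet the email uses.
SHADED_WORDS = [
    "quiet", "window", "evening", "river", "tower", "yard", "under",
    "invoice", "open", "pick", "again", "send", "dusk", "first", "green",
    "handle", "journey", "knife", "letter", "zero", "xylophone", "car",
    "view", "bridge", "night", "mini",
]

# Plaintext of the email as the coursework gives it (Evidence ID: 98).
EMAIL = ("Derek, I can't believe you've gone ahead with it! "
         "What do we do now? I feel like we should come clean!")


def key_from_shaded_words(words):
    """Build the 26-letter cipher alphabet: first letter of each keyed word,
    in page order. Position i of the key is what plaintext letter i becomes.
    Raises ValueError until every letter has been identified exactly once."""
    key = "".join(w.strip().lower()[0] for w in words if w.strip())
    if sorted(key) != list(ALPHABET):
        raise ValueError(f"not a full permutation of the alphabet: {key!r}")
    return key


def _substitute(text, table):
    """Apply a letter->letter table, keeping case; anything else passes through."""
    out = []
    for ch in text:
        mapped = table.get(ch.lower())
        if mapped is None:
            out.append(ch)
        else:
            out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)


def encrypt(plaintext, key):
    """Plain alphabet -> cipher alphabet (how Bernard would have written it)."""
    return _substitute(plaintext, dict(zip(ALPHABET, key)))


def decrypt(ciphertext, key):
    """Cipher alphabet -> plain alphabet (the investigator's step 6)."""
    return _substitute(ciphertext, dict(zip(key, ALPHABET)))


if __name__ == "__main__":
    key = key_from_shaded_words(SHADED_WORDS)
    ciphertext = encrypt(EMAIL, key)
    print(key)           # qwertyuiopasdfghjklzxcvbnm
    print(ciphertext)
    print(decrypt(ciphertext, key))
```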
4.2 Physical Evidence Overview:
Brief Description:
A password for Derek Slaughter’s email address has been written on the reverse of the film taken from the
camera detailed in Evidence ID: 113. The camera film has then been rolled up and placed within the BAE
Systems pen located within the pencil case. The two following images detail the hiding of this clue.
Method of Detection:
3. Unroll the film and see reverse side to identify the password
Brief Description:
The background hints to a number of settings that can be used as a passcode to unlock the USB. The fields
with information removed detail: ‘Capacity’, ‘Version’, ‘Model’, ‘Wi-Fi Address’ and ‘IMEI’, of which the IMEI
number is the required key. Although the number isn’t present, it has been engraved on the reverse of the
phone and can be detected that way. In addition to this, the passcode required to unlock this device is the
SHA256 hash of the encrypted USB device. Once the investigators have detected this, they will have full ac-
cess to the phone and be able to investigate other layers previously specified in this report.
Method of Detection:
Brief Description:
The pencil case incorporates the pen described previously to hide the evidence. Included within are several
other pieces of stationery. However, the most important part is the UV light that can be used to detect the
Method of Detection:
4.2.4 Evidence ID: 120
Brief Description:
The book will be included as a piece of evidence and refers to every action having a reaction. There have
been multiple red herrings, passwords and cipher keys included within this book. This has been explained at
Method of Detection:
4.2.5 Evidence ID: 121
Brief Description:
The camera was initially used to reveal a password, only detectable when the film was held up to a light
source. However, when trialing this, it was clear that the investigators will not be able to identify this pass-
word. Therefore, the camera has been included as a red herring, attempting to consume the investigator’s
Method of Detection:
Brief Description:
The UV light will be included as a piece of evidence and can be used to identify the password required to de-
crypt the USB. This has been explained in more depth within Evidence ID: 115.
Method of Detection:
You must include the hash of your evidence file in your report
5. SHA256 Hash:
Using FTK Imager we converted our USB evidence to an .ad1 file. The hash of this file is:
6. Overall Reflection:
6.1 Conclusion
Overall throughout this coursework, I have been able to identify relevant and current techniques and tech-
nologies that can be used to hide or disguise evidence. Albeit this coursework has been fictional, it can be
clearly identified that the skills and concepts required and utilised can be applied to a real-world scenario
used across industry. I have found this coursework to be one of the most enjoyable undertaken by having the
range to create evidence files and explore aspects of computer forensics that I find the most intriguing and
relevant. I believe this is limited in other modules due to a set guideline of tasks, ultimately limiting the learn-
ing experience.
6.2 Reflection
Having previously completed the Computer Forensics 2 module, I was able to identify areas which I believe
would be more beneficial and successful in disguising evidence. Furthermore, having studied the forensics
of iPhones during my Industrial Placement, I have been able to implement my knowledge and understanding
physically. It is my opinion that by obtaining more than a theoretical approach and physically hiding our
created evidence that I have been able to recognise and absorb a greater level of understanding. An example
of this would include how the Secure Enclave within iOS works.
Before the completion of this coursework, I was unfamiliar with some of the tools used, such as: TrueCrypt,
VeraCrypt and BitLocker to Go. By attempting to use these tools and conducting secondary research, I have
identified tools and algorithms that have now been broken and are no longer suitable to use. This typically
included SHA1, MD5 and TrueCrypt. By identifying this, the team and I have been able to use more applica-
ble tools and algorithms that prove harder to break such as: SHA256 and VeraCrypt. It is clear that experts
are required to keep up to date with subjects similar to this, in order to maintain the confidentiality, integrity
Finally, I originally had a very limited understanding of cryptography and encryption. However, the group
and I believed that not including these would hinder our chances of all the evidence being discovered. This
was one of the primary reasons for researching and implementing these techniques, which I
Prior to starting this coursework, I was unaware of the different forms of cryptography and how valuable
these techniques could be in ensuring the confidentiality of information. After conducting additional re-
search and using publicly available tools, I have grown a new fondness for cryptography as a new area of
computer forensics. This was reinforced after confusing which key belonged to which text and having to
In total, I have thoroughly enjoyed this coursework and would highly recommend this module to other stu-
dents. It is my opinion that having the freedom to disguise and hide evidence at our discretion has enabled
us to pursue our personal interests within computer forensics. An example of this includes the use of perform-
One aspect I personally, and from a group perspective, found challenging is the number of evidence files cre-
ated and the organisational structure required for this. When previously creating our evidence, we did not
detail the evidence, passwords or methods required to discover the files and therefore got confused to what
password corresponded to which file. However, upon identifying this issue, we incorporated the table in-
cluded within section three of this report, which helped overcome this issue.
In addition to this, one mistake made by a group member was revealing a vital password that could be
used to gain a significant discovery within the case. Due to this mistake, the group was required to change
the password and spend multiple hours overcoming this issue. In hindsight, I would emphasise the conse-
One aspect I would recommend reviewing is the amount of evidence files required for the coursework. In my
experience, I found that creating 25 individual pieces of evidence to be tedious and believe my time would
have been better utilised in identifying other hiding techniques. I would also encourage other groups to ex-
pand their evidence from a generic USB to other forms of media storage due to the diverse range available
Overall, I believe the skills and techniques used throughout this coursework will prove fundamental should I
1https://www.gre.ac.uk
ROCHESTER INSTITUTE OF TECHNOLOGY, DUBAI
THE AUTHOR OF THIS ARTICLE, RAINA ZAKIR, HAS RE-
TECHNOLOGY.1
DMA Attacks for Memory Acquisition
The FireWire interface, as standardized by the IEEE 1394, is one of the easy ways of getting Direct Memory
Access (DMA) on a target system. This article discusses a way to use the FireWire interface to perform a live
memory forensics on a target system using a tool called Inception, which enables execution of invasive and
non-invasive memory hacks on a live target. In the latter part, some limitations are dis-
causes the operating system on the target machine
tion to get read and write permissions to the RAM on the target system, which then searches at certain
offsets of the authentication module to look for signatures to get the operating system password to elude
an incorrect password check once it is generated. This results in bypassing the login by entering any
password or dumping of the memory based on the commands provided.
Build the installation file by issuing the ‘cmake
output below:
• libforensics:
• To Install Inception, download the files by cloning into the git repo. Then change directory to ‘incep-
to install Inception:
If the following error is encountered:
2. Run the ‘incept unlock’ command from the host machine. Once a FireWire connection to the target
machine is detected, choose the target OS when
3. When the success message specifying ‘Signature found’ appears with patch verification being success-
ful, enter any dummy random password to the target machine and the OS log in will be bypassed:
4. To attain a RAM dump of the target system, issue
system.
References:
• https://github.com/carmaa/inception
1https://www.rit.edu/dubai/
NORWICH UNIVERSITY
NORWICH UNIVERSITY (BESIDES REGULAR
by Matthew Kafami
Introduction: Chances are you have seen phishing emails; you may have even been the victim of one. You
know, the email claiming to be from your bank warning you that your account may have been compromised
and requesting you verify your identity by providing your username, password, and answers to your security
questions. Additionally, this email will more than likely contain a link to a webpage that looks identical to the
site you are familiar with, with a similar layout, choice of text and font, and accurate logos. Do not enter your
information. In fact, don’t even click on the link provided in the email without first performing the steps that
follow.
Phishing – An Overview: Phishing is a common attack employed by hackers that focuses heavily on psychol-
ogy by crafting messages that usually create a sense of urgency and stem from a place of authority. Attackers
commonly use tools like the Social Engineering Toolkit to imitate an official webpage to make their malicious
sites harder to distinguish, thus increasing the likelihood of success. These messages often look something
like this:
Our records indicate the password for your bank account is about to expire, in which case your account will
be frozen until proper identity verification can be provided at your local branch. Please use the secure link
provided below to update your password and avoid your account being frozen.
Your Bank
The link provided in most of these emails will likely be a domain in one of two formats: domain squatting or a hijacked domain. A squatted domain is one that looks similar to a legitimate link. For example, instead of linking to USBank.com, the link might show USBaank.com, with two instances of the letter “a”. The second letter “a” may go unnoticed if read fast enough with other priorities on your mind, like your bank account potentially being frozen because of an expired password. Hijacked links, on the other hand, are URLs that start completely differently from whatever organization the attacker is attempting to mimic. This is usually due to hackers gaining administrative access to other sites and adding the necessary HTML, CSS, PHP, and/or JavaScript code to that compromised site in order to appear like the intended site. For example, a locally owned and operated florist’s website may have been compromised and now has a webpage with a URL like this:
However, some, if not most, email services offer some way to change the text displayed on a link. For example, in Gmail there is an “insert link” option a few icons to the right of the send button. Clicking this will sum-

The “Text to display” option will be the only text visible when the link is added to the email, which means a hacker could potentially provide what appears to be a completely legitimate link that masks the malicious
Often, the page you will be directed to will include form boxes (the space in which you enter your responses)
for the “old” or “current” password, your “new password” and another box to confirm that password. Some
hackers even go so far as to replicate the password recovery page and include form boxes for your security
questions, complete with dropdown menus and some of the most common questions from which to choose
(i.e. mother’s maiden name, city of birth, first pet’s name, etc.) in an attempt to increase the success rate of
Figure 1: An email mimicking the same format, style, and even using the same logos as USAA Bank has been sent in an attempt to phish a potential victim. The “Edit Link” feature available via most email providers was used to make the link appear legitimate. We will see that this is not the case upon examining Figure 2. Notice how this email attempts to create a sense of urgency by stating “For immediate and continuous access to restore your account…”
Figure 2: Upon clicking the link, the user is redirected to a page that shows what appears to be the USAA home page. The “Online ID”, “Password”, and “Log On” features of the website are the only interactive components on this page. Limited site functionality is often a sign that the site is illegitimate. Additionally, the URL shows usaa-com-account-online.lexqmi.com, which is a clear indicator of a hijacked site. The true domain lexqmi.com has been compromised and is now being used to host this phishing content.
Figure 3: Assuming the user enters information into the ID and Password forms shown on the page in
Figure 2, the site then directs the user to a page with six security questions to collect even more
information. Each dropdown provides several possible security questions (shown in Figure 4).
Figure 4
If the user misses all of the signs of phishing up to this point, Figure 5 shows the next web page in this hi-
jacked site requesting the user update contact information, except the contact information being requested
is highly suspect: a USAA Member Number (something a user should not be able to manipulate in any form
from a legitimate bank), the user’s email password, Social Security Number, PIN, and card information. No
Figure 5
Reacting To Phishing Content: When you come across what you suspect to be phishing content, you need
• Confirm – confirm the email is truly phishing content and is intended to be malicious.
• Alert – alert the organization being impersonated to monitor your account for suspicious activity.
Confirm: As you saw in Figures 1-5, it is important to be able to discern legitimate emails from phishing content. Once you know how to detect phishing content, you need to know what to do. If you receive an email from any organization, or from an individual appearing to represent an organization, that holds any of your personal, financial, or health-related information, read the message completely. Look for typos and grammatical errors; most legitimate organizations will send correspondence that is free of error. Additionally, look at what, if anything, is being asked of you. Some organizations, in an effort to combat phishing, will simply alert you of an upcoming password expiration and prompt you to navigate to their website yourself to log in, rather than in-
If a link is included in the message, you can display the actual address you will be directed to by hovering your cursor over the link. This address will appear in the lower left corner of your browser window. If the displayed address matches the link in the message, the likelihood of the message being legitimate increases. If you’re still not sure, you can click on the link and then start removing subdirectories from the URL. For example, the link will likely look like this: bank.com/login/password-reset. If you removed “password-reset” from the link and hit enter, a legitimate link should still display something that resembles the organization’s official site. If you remove the “login” subdirectory, the “bank.com” link should definitely direct you to the official webpage. Oftentimes, whether a dedicated domain or a hijacked domain, the base directory of a phishing site will be a basic HTML page with links to the actual phishing content, and look nothing
If you’re still not sure, you can enter the link into the search bar of a site like CentralOps.net, where you can reference information such as the owner’s contact information, registration date, and geographical location to help determine whether the link is legitimate. Official domains will usually show locations similar to that of the organization’s headquarters and some sort of owner’s information. Malicious URLs will usually hide the owner’s information and will also have a noticeably more recent registration date.
If you’re still not entirely sure after having taken all these steps, take the initiative to contact whichever organi-
zation is requesting information from you to verify the correspondence is legitimate. For example, if you’ve
received a legitimate email from a bank, that bank will more than likely be able to check your account in their
system and confirm whatever the email is claiming. If it turns out that the organization has no record of what-
ever the email is claiming, they may be able to help give some direction on which actions to take.
It is especially important to note that if you do happen to become a victim of phishing, you may need to up-
date security settings on more accounts than just the account that was compromised, as people are crea-
tures of habit and you have likely used the same security credentials across several accounts.
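The link checks described above (display text versus real destination, squatted look-alike domains, brand names embedded in a hijacked host, and stripping subdirectories back to the root) can be scripted. The following is an added example and not code from the article; the sample message body, the brand domains and the hostnames are constructed for the demo, and `registrable_domain()` is a deliberate simplification noted in its comment.

```python
"""Link checks for a suspected phishing message.

Added example, not the article's own code. It automates the manual checks the
article describes: compare a link's visible text with its real destination,
compare the destination with the brand's genuine domain (a squatted look-alike
such as a one-letter variant, or the brand name embedded in an unrelated,
hijacked host), and list the parent URLs to try when stripping subdirectories.
The sample message body, the expected domains and the hostnames are constructed
for the demo; registrable_domain() is a simplification (see its comment).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, display_text), ...] in document order."""
    collector = _AnchorCollector()
    collector.feed(html)
    return collector.links


def registrable_domain(host):
    """Last two labels ('a.b.example.com' -> 'example.com'). Simplification: a
    production tool should use the Public Suffix List so 'bank.co.uk' survives."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; one or two edits away from the real domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, display_text, expected_domain):
    """Finding codes for one link; ['ok'] means nothing suspicious was found."""
    host = urlsplit(href).hostname or ""
    actual = registrable_domain(host)
    findings = []
    shown = _DOMAIN_RE.search(display_text.lower())  # display text naming a domain
    if shown and registrable_domain(shown.group(0)) != actual:
        findings.append("display_text_mismatch")
    if actual == expected_domain:
        return findings or ["ok"]
    brand = expected_domain.split(".")[0]
    if brand in host:
        findings.append("brand_in_unrelated_host")  # e.g. brand-com-login.<other>.com
    elif edit_distance(actual, expected_domain) <= 2:
        findings.append("lookalike_domain")  # e.g. an extra or swapped letter
    else:
        findings.append("unrelated_domain")
    return findings


def parent_urls(href):
    """URLs obtained by dropping one trailing path segment at a time, down to the root."""
    parts = urlsplit(href)
    segments = [s for s in parts.path.split("/") if s]
    base = f"{parts.scheme}://{parts.netloc}/"
    return [base + "/".join(segments[:k]) + ("/" if k else "")
            for k in range(len(segments) - 1, -1, -1)]


def inspect_email(html, expected_domain):
    """Classify every link in a message body against the brand's genuine domain."""
    return [(href, classify_link(href, text, expected_domain)) for href, text in extract_links(html)]


# Constructed message body in the style of the article's example.
SAMPLE_EMAIL = """<p>Our records indicate your password is about to expire.
Please use the secure link below to update it.</p>
<a href="http://USBaank.com/login/password-reset">USBank.com</a>
<p>Or visit <a href="https://www.usbank.com/login">USBank.com</a> directly.</p>"""
```

`inspect_email(SAMPLE_EMAIL, "usbank.com")` flags the first link twice (its text claims one domain while the destination is a one-letter variant) and passes the second; `parent_urls()` only produces the list of addresses to visit by hand, it makes no requests.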
Report: This next step is crucial to helping prevent others from falling victim to the same phishing content sent to you: report it. Most email service providers have an easy way to report email addresses being used to spread phishing content. For example, within the message itself in Gmail, there is a button composed of 3 dots to the far right of the email header. Clicking on this will provide a dropdown menu with an option to report phishing. A new window will appear to confirm that you want to report the email as phishing, at which time
You can also report the malicious link in an effort to have the content removed by using tools like
CentralOps.net to obtain contact information for the hosting provider and domain registrar, which both more
than likely have an abuse contact email address dedicated to accepting reports of malicious and illegal con-
tent from people like yourself. In the case of hijacked sites, you might even go so far as to reach out to the
site’s owner (if their contact information is not protected by an anonymity service such as WhoIsGuard) and
Alert: Alert the organization being impersonated. This will let the organization know to monitor your account
for suspicious activity and keep you informed of any anomalies. Also, if you receive an email looking for such
detailed information, it’s likely that others have received the same malicious requests. Alerting the organiza-
tion often helps prevent more than just you from being at risk of compromise. Most organizations will have a
security team monitoring for suspicious activity as well as compromised credentials using sites like PasteBin
Conclusion: Using the information gained from this article you now have a better idea of how hackers at-
tempt to gain access to your account information, how to react to such attempts, and how to verify the con-
tent’s legitimacy. Additionally, you now have the resources necessary to help prevent others from becoming
victims of the same attack by reporting the content in an attempt to have it removed.
1 https://www.norwich.edu

UNIVERSITY OF SOUTH WALES
DURING THE COMPUTER FORENSICS DEGREE OF
COMPUTER CRIME.1
Are Digital Forensic Investigators

rensic industry as a science or art. Steganography has been used for many years to enable people to hide data from unauthorised viewers.

There are many examples of steganography from

Modern technology started to develop in 1985. Since then, a number of steganography software packages have been created that are free and available to the

4. Hide n Send
5. OpenStego

What does this mean for Law Enforcement?

interceptor of an effective steganography file will not be able to view the data. This presents a problem to law enforcement agencies as when searching devices, potential evidence could go undetected due

By pre-agreement, a criminal hides an indecent image of a child in a legitimate image, which is later sent to another via email. That legitimate image does not cause any concern to a Digital Forensic Investigator and has now gone undetected but the re-

Another concern is if a drug dealer communicates with their customer using steganography to place an order. This would include the type of drug, the

With steganography being used to communicate without prying eyes, this could result in terrorists plot-

From the examples provided, it just shows the amount of data that could be hidden and undetected by the general public and potential criminals,

To help counteract this, a form of detection called ‘steganalysis’ has been introduced. Steganalysis is the method investigators will use to detect hidden messages that have been implemented using stegan-

A number of questionnaires have been handed out to Digital Forensic Investigators to gain a better understanding of their knowledge of steganography and if they are actively completing ‘steganalysis’ on their cases.

tors currently completing criminal cases, I have found that each participant had a limited understanding of steganography and had never come across it in their

Examples of the questions and the answers provided from Digital Forensic Investigators are as follows:

about half of the participants responded with a very limited knowledge of steganography, some investigators not understanding the process, just knowing the word means ‘concealed writing’ in Greek. The other

• Have you ever worked on a criminal case that involved steganography? If so, was the data found and how did this affect the investigation?

“No- have done 100s forensic computer investigations in the last 10 years not one of which featured

However, the other half stated there is no reason to believe that this method would increase because they have not seen any information that would indicate this to be the case.

under-estimate the use of steganography and are under-equipped to deal with this type of scientific method? However, what does that mean for poten-

Firstly, as a lecturer, I am aware that steganography is taught within universities with taster days available

ing of Digital Forensic Investigators on steganography, the dangers that this can pose and how to over-

How does Steganalysis Work?

Apart from steganalysis software, there are a number of ways a Digital Forensic Investigator can detect if steganography has been used, some are shown be-

This is a very simple form of steganalysis, as the Digital Forensic Investigator just has to view all the images for any inconsistencies. This will indicate to the

The Digital Forensic Investigator can look at the metadata of files; this could include size differences, date/time differences and contents. As an example

Another method would be the digital forensic investigator looking at the programs that are installed or previously installed; if the digital forensic investigator finds a steganography tool that has been run, this

Conclusion

the examples that have been provided on the potential of different crimes being hidden, can we ensure that we are not under-estimating the importance of

About the Author

Rachael Medhurst is a graduate of the University of South Wales where she gained her Digital Forensic qualifications at both Bachelor's and Mas-

1 https://www.southwales.ac.uk
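One concrete form of the size-and-contents check the steganalysis section mentions is structural: a payload appended after an image container's terminal marker leaves the picture viewable but the file larger than its content explains. The script below is an added example and not code from the article; the PNG and the JPEG skeleton it parses are constructed in code so it runs offline, and a triage script would call `stego_report()` on every image found on a seized drive.

```python
"""Structural steganalysis: detect data appended after an image's end marker.

Added example (not the article's own code). Hiding a payload after the
container's terminal marker (PNG IEND chunk, JPEG EOI marker) leaves the
picture viewable but the file larger than its content explains, which is the
kind of size discrepancy the article's metadata check looks for. The sample
PNG and JPEG below are constructed in code so the script runs offline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=2, height=2, rgb=(0, 0, 0)):
    """Constructed minimal 8-bit RGB PNG used as the clean carrier image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter type 0 followed by the pixels
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(row * height))
            + _png_chunk(b"IEND", b""))


def build_fake_jpeg():
    """Constructed JPEG skeleton: SOI, one APP0 segment, SOS, stuffed scan data, EOI.

    It is not decodable, but it has the marker structure the parser walks."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2)
    scan = b"\x12\x34\xff\x00\x56"  # 0xFF 0x00 is byte stuffing, not a marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def png_end_offset(data):
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            return None
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + data[pos + 8:end - 4]) & 0xFFFFFFFF != stored_crc:
            return None  # corrupt chunk: report it rather than guess
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data):
    """Walk JPEG segments to the EOI that closes the scan; return offset past it."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def trailing_payload(data):
    """Bytes after the image's end marker (b'' when clean); None if unparseable."""
    end = png_end_offset(data) if data.startswith(PNG_SIGNATURE) else jpeg_end_offset(data)
    return None if end is None else data[end:]


def stego_report(data):
    """Per-file summary a triage script could log for each image on a seized drive."""
    extra = trailing_payload(data)
    if extra is None:
        return {"parsed": False}
    return {"parsed": True, "trailing_bytes": len(extra), "suspicious": len(extra) > 0}
```

A file that fails to parse (bad chunk CRC, truncated segment) is reported as unparsed rather than clean, since a malformed carrier deserves a closer look too. This check only catches appended payloads; LSB embedding leaves the file structure intact and needs statistical tests instead.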
UNIVERSITY OF THE WEST OF ENGLAND
FORENSIC COMPUTING AND SECURITY IS ONE OF
The internet of things has been a topic of discussion for many years. An internet of things device is any device that is always connected to the internet and can be accessed this way. A few examples of IoT devices are smart televisions, smart watches, smart energy meters and even the Amazon Echo and other similar speakers. These are just a small sampling of the larger variety of devices that are interconnected via the internet. This, of course, gives the devices more functionality and can begin to complete tasks a lot quicker and easier than in previous years. The Internet of things area has been vastly growing in the last five years and is expected to keep growing

hospital in different geographical locations.

Digital forensics is still a major topic for discussion in relation to the internet of things. There are several reasons why completing digital forensics on an IoT device is considered rather complicated now, which is because most IoT devices use cloud applications and storage, meaning that fragments of the information are stored on different physical servers, which is known as the cloud. You would therefore have to perform digital forensics both on the local IoT device and the cloud system they use. The digital forensics on the local device’s storage could tell us many things about the owner of the device including the commands recently used; however, much of the content is usually stored and accessed on the cloud. Besides this, there is a range of different reasons why you may need to perform digital forensics on an IoT device. The process of a forensic analysis would include the identification of an infected device, the preservation of the data the forensic analyst will require, the analysis of the data by the analyst and then a report to type up to present their findings to

Issues with IoT device security & Privacy

the easiest methods is to infect the device with malware and then use it as a botnet where the attacker is able to use the device’s resources, such as computing power, to perform malicious tasks without the owner’s knowledge. Since an IoT device is always connected to the internet, it is susceptible to many conventional computing attacks, which includes becoming a botnet. Using an IoT device as a botnet could be even more lucrative for a hacker because many IoT devices have sensors and actuators. The IoT devices would have a small amount of computing power to perform other tasks for the hacker such as sending emails. Since there will be trillions of IoT devices as time goes on, the hacker would not be required to gain malicious access to so many networks but only to a few to make a botnet successful

The sensors will detect an event or a physical object

Another scenario in which an IoT device infected with malware would be more likely to cause harm would be in healthcare. If a medical IoT device became infected with malware this could potentially become life threatening to the patient and concerning for the medical institution. Another name for IoT devices in healthcare is mIoT (medical IoT).

Examples of IoT devices becoming infected

device and that includes medical devices as will be discussed further on in this article.

able for everyone else. Once infected with this mal-

Another example of how an Io device can become infected and cause harm to a person’s health and potential life is the hackable cardiac devices that allow doctors to remotely view a patient’s heart rate and

shocks to the person with the device. This could

A further prediction of attacks on the IoT could be

considered the best targets for a ransomware attack.

How to ensure IoT devices do not become in-

digital forensics investigation since the data could quite easily be erased by the hacker prior to the investigation. There are a few ways in which you can protect your IoT devices in today’s world which in-

• Run port scans on all networked devices and close all ports not required for the operation of your IoT

Digital forensics is proving a challenging matter in relation to IoT devices. This is due to the nature of an IoT device, which is predominantly cloud based, and therefore cloud forensics will play a part in an IoT device digital forensic investigation. Completing

ing in different geographical locations, it would virtually become impossible to take fragments from each

with a device and transferring the data from one device to another would become very challenging without being specialised in embedded systems and the IoT infrastructure, which brings us to the interfaces that could be used to interact with many IoT de-

will have access to. JTAG could be used to gather data about what the chips of the device are doing and the output of certain registers. This could aid the investigators to discover if a device is infected since the chips will likely be outputting their own protocols and maybe triggering events from the device with no user interaction. The use of JTAG is also popular for manufacturers since this interaction can

turer’s specification. If this is not the case, then the device may have been infected by malware or other malicious data. The use of JTAG could therefore be considered a best practice to be able to find out how an IoT device is operating at a component level to discover if a device has been infected or not.

Conclusion

with an IoT device, either through the cloud infrastructure or through the local device with the use of technologies such as JTAG to discover if the device has become infected and, therefore, could need to

ered that devices should be used behind a secure network and usually a firewall to keep unwanted connections off the network they are connected to as well as changing passwords and closing the unnecessary open ports on a device. Many manufacturers, such as Amazon with the Echo, will not give you many options of security; therefore, connecting it to a secured network may work best and be the most

• Anatomy of an IoT malware attack – Available from: https://developer.ibm.com/articles/iot-anatomy-iot-malware-attack/ Accessed: 26th October 2018 at 10:28am
• The dark side of IoT devices – Available from: https://blog.avast.com/the-dark-side-of-iot-device
• Digital evidence challenges in the internet of things – Chapter 2 WDFIA Papers - R.C.Hegarty, D.J.Lamb and A.Attwood
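The hardening advice in this article (scan every networked device, close the ports its operation does not need) is most useful when the scan is compared against a baseline of what should be open. The script below is an added example and not the article's own code: it connect-scans a host and reports any open port missing from an allow-list. Two throwaway listening sockets on 127.0.0.1 stand in for a device (constructed for the demo), and the allow-list and port numbers are assumptions rather than any real device's settings.

```python
"""Baseline audit of open TCP ports on a networked (IoT) device.

Added example, not the article's own code. The article advises port-scanning
every networked device and closing the ports its operation does not need; this
script does the 'what is open that should not be' part: it connect-scans a host
and reports every open port missing from an allow-list. Two throwaway listening
sockets on 127.0.0.1 stand in for the device (constructed for the demo); the
allow-list and port numbers are assumptions, not any real device's settings.
"""
import socket
from contextlib import closing


def port_is_open(host, port, timeout=0.3):
    """TCP connect check: True when the three-way handshake completes."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_ports(host, candidate_ports, allowed_ports):
    """Scan the candidates; open ports outside the allow-list are 'unexpected'."""
    open_ports = sorted(p for p in candidate_ports if port_is_open(host, p))
    return {"open": open_ports,
            "unexpected": [p for p in open_ports if p not in allowed_ports]}


def start_dummy_listener():
    """Stand-in for a device service. A listening socket completes handshakes in
    the kernel backlog, so no accept loop is needed for the scan to see it open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Device with an expected web UI port and a debug port nobody meant to leave open."""
    web_ui, web_port = start_dummy_listener()
    debug, debug_port = start_dummy_listener()
    try:
        result = audit_ports("127.0.0.1", [web_port, debug_port], allowed_ports={web_port})
    finally:
        web_ui.close()
        debug.close()
    return result, web_port, debug_port


if __name__ == "__main__":
    res, web, dbg = demo()
    print(f"open ports: {res['open']}; not in allow-list: {res['unexpected']} "
          f"(the constructed debug listener was on {dbg})")
```

On a real device you would pass the full port range as candidates and keep the allow-list in version control next to the device inventory, so that a port appearing in `unexpected` after a firmware update is noticed. Only scan devices you are responsible for.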
About the author

Kevin Rice has studied a BSc Forensic computing and degree programme at UWE Bristol and now has been developing an IT business that offers a variety of services for both individuals and small businesses called Kevs IT. I am always ready to help people with their computer and technology problems as well as learn new things myself. I am also currently looking for graduate employment with a company to be able to keep challenging myself in the field. In my spare time, I like to research emerging technology and deepen my understanding of both current and emerging trends in technology.

1 https://www.uwe.ac.uk
PURDUE UNIVERSITY GLOBAL
WALDEN UNIVERSITY
WESTERN GOVERNORS UNIVERSITY
Intro to data breaches

(https://www.idtheftcenter.org) has been tracking security breaches since 2005. They focus on patterns in data breaches and any new trends that seem to be developing to better protect and educate consumers and businesses on the threats and their importance in the realm of information security. The laws that protect our data have become increasingly more stringent for those who wish to parlay those skills to obtain financial, personal or political gain. In the past few years, we have been hearing quite a bit about data breaches and the damage it has caused to various companies, not only economically but to their overall integrity as well. Exactly what is a data breach? The ITRC defines a data breach as an incident in which an individual’s name plus a Social Secu-

tentially put at risk because of exposure. This expo-

Those metrics create a formula for a very lucrative career with the right guidance and preparation. The ranks of cyber security threats have now reached the attention of national security. It has been said that our campaigns are waged by land, air, sea, and now by cyber. The government has now mandated a certain level of security which is deemed as a baseline to thwart most of your general attacks. In this new era of cyber-attacks, companies must do their due diligence to protect the identities and personal identifiable information of all individuals who participate in e-commerce as well as other areas where PII needs to be protected. Without attention to these factors, your company could be putting valuable data assets at risk, not to mention the possibility of

There are no foolproof methods to prevent data breaches but care must be taken to at least have the basics of data security vulnerabilities mitigated. Think of the task of security professionals in this construct. There are thousands of vulnerabilities that must be mitigated and the hackers only have to find one to have success against your network. Want to be a security professional? No pressure, just another day at the office. Cool, calm, and collected and the weight of a billion-dollar enterprise hanging on your ability to be calculating, creative, and most of all prepared. I love what I do and can’t think of anything else I’d rather be doing. We are looking for a few good students so join the team and let’s have a ball.

study are limitless. Many in the field enjoy cyber security for the sheer excitement of deciphering and strategizing the next move of the cyber security mavericks. We, as security professionals, must become well versed in several areas of security and network functions as well as forensics. There is no shortage of subjects to tackle when it comes to out-maneuvering your opponents. Anything is possible and the vulnerabilities are without measure. This is what drives learning and conceptualizing new techniques that require the ingenuity of a hacker, the methodology used by scientists, the instincts of a detective to recreate an event, as well as being a technological genius traversing through tools and techniques you find

curred in recent years, companies would feel a little more secure and have confidence that we are closing the gap on some of these threats. If you have certain tools and technologies at your disposal but you do not realize the potential of the tool, then you are doing you and your organization a disservice by not doing your due diligence to find out what the tools can do. Once tested, use your own creativity to apply those tools in a security environment.

because of its integral association in business, government, social networks, and life in general, we are embarking upon some of the most revealing times in our history of technology. Computers have become more powerful and less expensive, thereby opening the door for less sophisticated attackers to gain access to some pretty secure networks. In technology, you would think that the more complex the design of your application, the better security. Quite the contrary - the more complex a system, the more avenues that can be exploited and scanned for vulnerabilities. This concept of complexity is being manipulated by some hacker whose main focus is to seek one weakness in a sea of many. After the vulnerability has been discovered, there are steps that an attacker initializes (left out of this article for security

mised and a host of events transpire after the breach is detected. One of the vestiges of a security breach that really needs to be relayed is the loss of consumer confidence. That pertains to the customer retention factor as well as future prospective clients. A significant breach can cause significant damage to a thriving company as well as destroy a burgeoning enterprise. That’s the significance of cyber security and its importance is tacit throughout the realm of

Education, along with experience and certifications, was my route to achieving my profession but work experience in the profession and or licenses, certifications, and registrations may be an avenue. Some reach this goal by career advancement. I have heard of some IT professionals starting out at an organization with a totally unrelated job function and making their way to IT. It can be done but I would advise the more traditional route. Purdue University Global was an excellent vehicle for my advancement and enrichment that definitely propelled my career to new heights and I am grateful for its program, achieving my master’s degree in October of 2014. The degree is not a prerequisite of an IT security position but it is definitely a vehicle that provides more options and opens more doors, which inherently leads to greater
I will close by telling you some necessary attributes

works have been compromised.

2. Detail oriented. Because cyber attacks can be difficult to detect, information security analysts pay careful attention to their computer systems and watch for minor changes in performance.

3. Ingenuity. Information security analysts try to outthink cybercriminals and invent new ways to protect their organization’s computer systems and networks.

4. Problem-solving skills. Information security analysts uncover and fix flaws in computer systems and networks.

About the author

My name is Kevin, I reside in Roanoke, Texas, I hold an AAS in Computer and Electrical Engineering, a BS in IT Security and Forensics, a Master’s in IT Security & Assurance, a Master’s in Information Systems Management, and ultimately a doctorate as I am in the doctoral study phase of my doctorate degree. I hold a CompTIA Security+ Certification and a Cisco CCENT certification. I also hold about 30 Dell certifications in repair and break/fix. I also hold 10 certificates from the Dept. Homeland Security in conjunction with FEMA through Texas A&M Engineering under Cyber Security frameworks. I've been involved in IT for about 30 years dating back to my first Computer Repair certificate while attending half a day of high school; the other half I attended vocational school through my 11th and 12th-grade years. I build and repair computers as a hobby and I also repair some systems for very little to no charge for the less fortunate. I formerly worked for the great state of Arkansas' Office of Systems and Technology department for DHS as the Sr. Information Cyber Security Engineer as Head of the Cyber Forensics Department. I helped to formulate the Computer Forensics program as well as documentation and chain of custody procedures. I played an integral role on an incident response team for the state as well as headed up the investigations for the forensics department. I also executed malware analysis and oversaw its reverse engineering. I was also formerly the EnCase Administrator in charge of the forensic investigations for the state of Arkansas. I also executed penetration testing and advanced the implementation and adherence of security protocols and policies in a secure network environment. I formerly authored a column on Cybersecurity for Purdue University's GITA organization. I am currently a Sr. Cybersecurity Engineer for a global financial services company as well as a faculty member of a university.
EDINBURGH NAPIER UNIVERSITY
EDINBURGH NAPIER UNIVERSITY OFFERS A LOT OF
& CYBERCRIME.1
Forensic Analysis of Web Browsers in Private mode
by Tamunoibiton Adoki
Abstract
The importance of the privacy of personal data in the modern era is one of great concern. Users are becoming aware of their digital footprint and are taking precautions to keep their data from prying eyes. There is an attempt to reduce the footprint created online across websites visited and locally on the user’s personal devices while also attempting to make personal data inaccessible to unauthorised people.

The use of encryption is one such method used to prevent unauthorised access to data and is mostly applied to data stored online. A solution created to ensure that the local footprint is kept small is the use of private browsers. The implementation of private browsing is often a subject of research in academia.

This work focuses on the local footprint created and aims to contribute to what is perhaps never-ending research on privacy. Four major browsers are studied in this research using a combination of different experimental activities to investigate the efficiency of these browsers in private mode at keeping a small local footprint.

An experiment is performed in which a set of activities is used to seed each browser with data, after which forensic methods are used in an attempt to recover data stored locally on the primary storage devices. The behaviours of these browsers are also studied to make a comparison of observable differences in behaviour while in normal and private mode. This will give an insight into how private browsers go about implementing private browsing.

The results of the experiment show that Google Chrome and Mozilla Firefox are the most successful in keeping a small footprint on the primary storage device after the use of private browsing, and this is attributed to an operation that occurs in the above-mentioned browsers. Internet Explorer and Microsoft Edge were the least effective in private mode, as data was recovered with relative ease using forensic tools. In physical memory, however, related data is recovered using a keyword search, but this does not show a flaw but rather identifies it as a rich source of evidence. An attempted use of the Volatility tool to extract data from a captured im-
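The keyword search in physical memory that the abstract describes is, at its simplest, a byte-pattern search over a raw image that must cope with more than one string encoding. The following is an added example and not code from the dissertation: it searches a small constructed image for URLs and for a chosen keyword in both ASCII and UTF-16LE (the encoding Windows browsers use for many in-memory strings) and reports each hit with its byte offset. The image contents, URLs and keyword are constructed for the demo.

```python
"""Keyword search for browser artefacts in a raw memory or disk image.

Added example; it is not the dissertation's own code. It mirrors the
'keyword search in physical memory' step of the experiment on a small
constructed image: URLs and a chosen keyword are searched in both ASCII and
UTF-16LE (the encoding Windows browsers use for many in-memory strings), and
every hit is reported with its byte offset so it can later be tied to a page,
process or file. The image, URLs and keyword below are constructed.
"""
import re

_URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"
URL_ASCII = re.compile(rb"https?://" + _URL_CHARS + rb"+")
# Same grammar with a NUL after each byte, i.e. UTF-16LE in Windows process memory.
URL_UTF16LE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00)+")


def build_sample_image(size=4096):
    """Constructed 'memory image': neutral filler with a few strings planted at known offsets."""
    buf = bytearray(bytes(range(256)) * (size // 256))

    def plant(offset, blob):
        buf[offset:offset + len(blob)] = blob

    plant(100, b"https://mail.example.test/inbox?folder=private\x00")
    plant(1000, "http://shop.example.test/cart".encode("utf-16-le") + b"\x00\x00")
    plant(2000, b"ftp://not-a-web-url\x00")  # must not be reported as a web URL
    plant(3000, b"Secret-Report.pdf\x00")
    plant(3500, "secret-report.pdf".encode("utf-16-le") + b"\x00\x00")
    return bytes(buf)


def find_urls(image):
    """Return [(offset, encoding, url), ...] sorted by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in URL_ASCII.finditer(image)]
    hits += [(m.start(), "utf-16-le", m.group().decode("utf-16-le")) for m in URL_UTF16LE.finditer(image)]
    return sorted(hits)


def find_keyword(image, keyword):
    """Case-insensitive offsets of `keyword` in ASCII and UTF-16LE: [(offset, encoding), ...]."""
    haystack = image.lower()  # lower-cases ASCII letters only; NUL bytes are untouched
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = keyword.lower().encode(encoding)
        start = 0
        while (idx := haystack.find(needle, start)) != -1:
            hits.append((idx, encoding))
            start = idx + 1
    return sorted(hits)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, enc, url in find_urls(image):
        print(f"0x{offset:08x} {enc:9s} {url}")
    for offset, enc in find_keyword(image, "secret-report.pdf"):
        print(f"0x{offset:08x} {enc:9s} keyword hit")
```

Against a real capture you would read the image file in chunks that overlap by the longest needle, so that a string straddling a chunk boundary is not missed, and you would record the offsets alongside the process or page mapping obtained from a memory-analysis tool such as Volatility to attribute each hit.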
Acknowledgements
I would like to show appreciation to a number of people whose advice and support proved to be invaluable
Firstly, I would like to say thanks to my parents, their constant advice and support both morally and financially
throughout my program kept me going and focused. They made it possible to enroll in the university to pur-
I would also like to thank my uncle for the support provided throughout my stay in Edinburgh.
Special thanks goes to my supervisor Alsnousi Ali who kept me going in the right direction for this disserta-
tion.
Introduction
Background
According to Kishore et al., forensics is the science applied in the resolution of legal problems. Digital
forensics is a branch of forensics that combines computer science and investigative procedures for the
identification, collection, preservation, analysis and presentation of data that is admissible as evi-
In the early years, digital forensics began as a result of the use of information collected during audits per-
formed by system administrators to improve the accuracy at which the systems processed data (Politt, 2010).
These audits performed by the system administrators were to ensure accurate and efficient processing of
data; however, law enforcement agencies could also use system audit information for the investigation of
cyber-crimes. The proliferation of cyber-crime cases necessitated the creation of volunteer groups of law en-
forcement agents who were trained as investigators in obtaining information from suspect computers. Most
digital forensic investigations were performed by officers who had basic training and often used personal
equipment; there was an absence of digital investigation frameworks and formal supervision (Vincze, 2016).
The technology boom in 1995 and cases related to child pornography stressed the need for formal methods
of performing digital investigations. Between 1999 and 2000, various regulatory bodies published guidelines
and standards for digital forensic investigations, leading to the rise of different organisations that provide
forensic services (Politt, 2010). Better tools were developed, and the command line tools in use paved the way
for the creation of more user-friendly tools such as EnCase and the Forensic Toolkit (Vincze, 2016). To some,
digital forensics might seem like a new development, but it can be traced to the 1970s, when engineers were
able to recover a database that had been accidentally deleted (Caviglione, Wendzel, & Mazurczyk, 2017).
The year 2018 has seen an increase in the revenue generated from IoT devices and the worldwide revenue
from the IoT platform will reach USD3.2 billion as more enterprises invest more on the technology (Rich,
2018). With the increase in the sales of IoT enabled devices, the challenge of performing forensic investiga-
tions on these devices also increases as there is a rise in the development of embedded operating systems.
The use of IoT devices means that evidence no longer resides only on PCs or mobile phones but also on
vehicles, RFID cards, wearable devices and sensors. Most IoT devices rely on cloud technology, which makes it
difficult to know the exact location of the data required for an investigation. This is the main problem of
IoT forensics, namely data acquisition, because standard search and seizure processes do not apply to IoT
devices (MacDermott, Baker, & Shi, 2018).
In RFC 3227 (Brezinski & Killalea, 2007), the Internet Engineering Task Force produced a set of guidelines that
can be applied in the acquisition stage. According to the RFC, the procedures used during acquisition must
not alter data; in some cases this is inevitable, and the document then requires that the changes to the
data be properly documented. Evidence must be collected before analysis, and collection should proceed
in order of the volatility of the data, as follows: registry information, temporary files, network configuration
information, remote sessions and then the hard drive itself.
According to Grande and Guadron, the preservation of recovered evidence is required to prevent any damage
or alteration that would make the evidence inadmissible in a court of law. Copies of recovered media such
as hard drives are made to prevent any modification of the original medium, after which the copy is signed with a
cryptographic hash that is later compared against the original to ensure the integrity of the evidence (Grande & Guadron,
2016).
The importance of the protection of private information nowadays is one of the great concerns and one way
The aim of this project is to determine the extent to which browsers protect user data by analysing four popular
web browsers and evaluating the efficiency of private browsing at protecting a user’s private activity.
Accomplishing this aim will require the following objectives to be met:
1. Conduct a literature review to identify current and previous studies conducted in the field of digital foren-
2. Design a methodology that will be used to evaluate the efficiency of private browsers
3. Conduct an experiment that observes the differences in the behaviour of browsers in private and normal
mode, while using forensic tools in an attempt to recover data left behind after private browsing
4. Discuss the results obtained and compare the tested web browsers
Research Questions
1. What information do web browsers store about users, and to what extent do they store it?
3. How do browsers in private mode differ from browsers in non-private mode in terms of interaction with the
Motivation
The motivation for carrying out this academic project stemmed from the curiosity that arose from completing
a practical lab involving portable web browsers. Portable web browsers alongside private web browsers are
seen as solutions to prevent traces of a user’s activity on the internet from being stored locally. The possibility
of recovering data after the use of a portable browser raised the question of the effectiveness of the private
Methodology
Introduction
The design of this experiment adopted a methodology similar to Montasari and Peltola (2015) and Horsman
(2017). Montasari and Peltola investigated the level of privacy offered by various browsers. They set up a
virtual machine that was deliberately seeded with data using a predefined set of activities, then attempted to
recover that data in order to validate or refute the claims of enhanced privacy made for the private modes of
various browsers deployed within the Windows 7 operating system. Horsman (2017) studied the behaviour of Google
Chrome with a focus on the file system and the process level activity between both browsing modes. A file
monitoring tool was used to monitor the various interactions with the file system to make a comparison be-
tween how both browsing modes interact differently with the file system while attempting to identify how pri-
A similar experiment is performed based on the Windows 10 operating system; the browsers Google
Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer are examined and a comparison is made be-
Previous research by Montasari and Peltola (2015) and Horsman (2017) studied browsers deployed in the
Windows 7 environment, while this experiment is focused on the Windows 10 operating system and the latest
versions of web browsers, which might behave significantly differently from the older versions that
Experimentation
Previous research focused on older Windows operating systems and, up to this point, there is an absence of
an up-to-date study of the behaviour of web browsers deployed in the Windows 10 operating system.
This research extends the research done by Montasari and Peltola (2015) by providing an up-to-date study of
browsers in the Windows 10 environment, attempting to recover data after a private browsing session. The
research performed by Horsman (2017) is also extended by studying the process level behaviour of three addi-
tional browsers while also identifying all possible locations where data could be stored and all files created by
the browser.
This experiment involves the analysis of three different browsers and to avoid mixing artefacts produced by
the browsers, different options were considered before the use of a virtual environment was chosen. The first
option was to install the same base operating system on different physical hard drives to which the browsers
were installed. This option was not chosen as it would require three different hard drives and creating an im-
age of each hard drive would be time consuming as hard drives obtainable are typically one terabyte or more
in size. The option of virtualization was chosen because VirtualBox, the virtualization software, is a free and
open source tool and there would not be a need to use different physical hard drives. The second reason was
that while setting up each virtual machine, the size of the virtual disk can be scaled down to the minimum size
required to run the operating system and install the tools needed for the experiment. This would drastically
Prior to analysing each browser, a predefined set of activities was carried out to populate each browser with
artefacts. During the data population process, the various processes created by each browser, both in normal
mode and in private mode, were monitored to compare the total number of events occurring in the normal and
private modes and the level of interaction between the browser and the file system. Write operations to the
file system are particularly important, as they give an insight into the files being created and written to;
it is assumed that a private browsing window will have significantly lower process level activity than a
normal browser window, in order to reduce its footprint on the operating system.
Additional research was performed to identify the location of artefacts produced by each browser, however,
the location of Microsoft Edge artefacts was not found in the location specified in the reviewed literature for
unknown reasons and a minor experiment was performed to discover where the artefacts produced by Micro-
soft Edge were located. This involved using Process Monitor to identify the files written to by the Edge
browser processes.
Experiment Tools
FTK Imager
FTK Imager is an industry standard tool which is popular with law enforcement agencies and academics inter-
ested in digital forensic research. It is used to create byte for byte images of hard drives and other storage me-
dia during the process of acquisition, it has the capability to perform on-the-fly hashing of files in the hard
drives and it also calculates a hash value of the entire hard disk before and after acquisition to prove the integ-
Autopsy
Autopsy is a graphical user interface to its open source counterpart, The Sleuth Kit. It is capable of recovering
deleted files, performing timeline analysis and keyword searching. The functionality of Autopsy most vital to
this experiment is its file indexing feature, which creates an index of all files present in a disk image and per-
Process Monitor
Process Monitor is an advanced monitoring tool used for monitoring file system, registry and process activity.
It is capable of filtering that classifies the recorded events by activity type.
Software Version
VirtualBox 5.2.14
Windows 10 Pro 1703
Procedure
This section explains in detail each activity carried out in conducting this experiment. The processes include
the Virtual Machine configuration, reasons for the choice of tools, the process of creating browser artefacts
with predetermined activities, creating an image of the virtual hard disk and the collection of results after the
experiment.
VM Configuration
A simulation of a Windows 10 operating system was created using Oracle VirtualBox version 5.2.14 as it re-
quires less time to set up than utilizing a physical machine. VirtualBox was favoured as the virtualization
software of choice mainly because it is an open source tool and, therefore, free to use, compared to similar
software such as VMware, which requires purchasing a license. VirtualBox utilizes a virtual hard disk file to
store the operating system environment and, during installation, the size of the virtual hard drive can be
scaled down to the minimum storage size required to perform the experiment to reduce the time it takes to
Each experiment was run in a similar environment created from the snapshot of an initial installation to ensure
results from one experiment do not corrupt the results of the next experiment. The initial installation
was cloned two times, after which one browser was installed on each clone. The hardware specifications for
• Processor Count: 4
• Memory: 2 GB
• Storage: 30 GB
Browser Selection
The study of the behaviour of Web browsers in their normal and private modes was the primary objective of
this experiment and as such the browsers with the highest popularity among desktop users were selected
based on statistics retrieved from w3counter.com, an online statistics website. The browsers selected were
Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. The Safari browser was the second
most popular browser for desktop users but it was not included in this experiment as it was not popular
among users of the Windows operating system. Having an overall popularity of 66.7 percent, these browsers
were the most common browsers with private modes utilised in this experiment.
During the browser selection process, a different class of browsers was also considered. These browsers
provide online anonymity through the use of protocols like onion routing; they were not selected for study
as they were outside the scope of this research, which focused on local privacy.
Data Population
The chosen browsers were used to carry out a predefined set of activities using different websites to search
for items, log in with usernames and passwords, watching videos, reading PDF documents, viewing images
and creating bookmarks. The activities were carried out in an attempt to simulate user behaviour during a
browsing session and to produce a variety of artefacts that were chosen because, if found, the correlation of
information from the various artefacts can be used to identify a user’s browsing habits.
The various activities that were carried out to populate the browsers with data are listed below. The data
population process was preceded by launching the file monitor tool and letting it run for the entire duration
that the browser windows were open. The activities carried out to simulate user behaviour are shown in Appendix 1.
It should be noted that the keywords searched for were selected mainly to reduce the likelihood of false posi-
Additional research was carried out to discover the known locations where each browser stores its data. Each
browser shared a similar storage location. All browsers analysed stored artefacts in their application folders.
The list below shows the locations of the file names of browser artefacts files. Only artefacts that include
browsing history, cookies, bookmarks, credentials, keywords and typed URLs are stored in the locations listed
below.
was inconsistent and a separate experiment was conducted to discover the location Edge browser stored its
artefacts. The experiment involves the use of the Process Monitor tool to monitor the processes created by
the Edge browser to discover which folders it accessed and which files were being written to. The location of
C:\...\Appdata\Local\Packages\Microsoft.MicrosoftEdge_*\Ac\MicrosoftEdge\user\Default
C:\...\Appdata\Local\Packages\Microsoft.MicrosoftEdge_*\Ac\MicrosoftEdge\user\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
This database was found to contain tables for artefacts such as auto form fill data, bookmarks, browser exten-
sions, reading list, top sites, typed URLs and URL history.
There are several drawbacks of the methods used in this research; the various activities carried out to simulate
user behaviour are not sufficient to duplicate a real browsing experience that involves different variables.
There was prior knowledge of what information to search for and this makes the recovery of data from a pri-
vate browsing session relatively easy, unlike in a real scenario where no keywords would be available.
Because a license for EnCase is expensive to obtain and was unavailable for use in this project, it was not
possible to know whether EnCase would have discovered artefacts from Google Chrome and Mozilla Firefox that
Autopsy was unable to recover. Relying on physical memory as a source of evidence will not be practical in a
real scenario due to the loss of data in physical memory after a shutdown.
With the increasing popularity of solid state drives, it is not known if the artefacts recovered in this experiment
would also be recovered from solid state drives. A solid state drive uses garbage collection technology to
wipe disk blocks marked as dirty due to their content being overwritten. This happens automatically and
might perhaps permanently delete the artefacts that might not be properly deleted by the browser, thereby
In the search for artefacts left behind after carrying out a private browsing session, an image of the virtual ma-
chine disk was analysed using Autopsy following the data population process. This phase of experimentation
involves only the private modes of the browsers. The browsing artefacts were searched for in both allocated
and unallocated space of the disk. Files in unallocated space are no longer accessible by a user due to the de-
letion of the file. When a file is deleted from the NTFS file system, only the metadata of the file is deleted.
This file metadata includes details such as the file name, file size, last modified, last accessed and file creation
date. Although the file metadata is deleted, the contents of the file still remain intact until it is overwritten by
another file. Unallocated files are vital in this experiment because they are a potential source of data regard-
ing deleted files. If any private browsing artefacts are present in the unallocated space, it is likely that they will
not be discovered by the average user due to an absence of the knowledge of the inner workings of a file sys-
tem. Allocated files, on the other hand, still reside on the disk and can be accessed by navigating through the
A keyword search is performed using the keyword search functionality of the Autopsy tool to find files
containing data relating to the activities carried out. A list of keywords was generated based on the websites
visited and the various activities carried out. The list of keywords is shown in Appendix 1. A manual search
of artefacts is also performed alongside the keyword search, to look for artefacts located in known locations
(reported in the literature). This phase of the experiment is carried out in an attempt to answer the research
question of whether data can be recovered after a private browsing session.
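The keyword search described above, as an added example that is not part of the dissertation: a stand-alone scan of a raw image that matches each keyword in both ASCII and UTF-16LE (the encoding Windows browser databases and caches frequently use), over every byte of the image so that content in unallocated clusters is covered as well as allocated files. The image, the keywords and the sector size are constructed for the example; build_sample_image, search_image and the other names are the example's own, not Autopsy's.

```python
"""Keyword search over the raw bytes of a disk image (added example).

The image below is a constructed byte string, not a real acquisition. Scanning
raw bytes rather than indexed files means hits in unallocated clusters (deleted
files whose content has not yet been overwritten) are reported too.
"""
import re

SECTOR = 512  # assumed sector size, used only to report which sector a hit lies in


def build_sample_image():
    """Constructed image: three zero-filled sectors with two embedded strings."""
    img = bytearray(3 * SECTOR)
    ascii_hit = b"https://example.test/search?q=forensic+artefacts"
    img[40:40 + len(ascii_hit)] = ascii_hit                       # sector 0, ASCII
    utf16_hit = "Typed URL: example.test/private".encode("utf-16-le")
    img[SECTOR + 100:SECTOR + 100 + len(utf16_hit)] = utf16_hit   # sector 1, UTF-16LE
    return bytes(img)


def keyword_patterns(keywords):
    """Compile one case-insensitive byte pattern per keyword and encoding."""
    patterns = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            patterns.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return patterns


def search_image(image, keywords, context=24, sector=SECTOR):
    """Return every keyword hit in the image, sorted by byte offset.

    Each hit records the keyword, the encoding it matched in, the byte offset,
    the sector number and a short decoded snippet around the match.
    """
    hits = []
    for kw, enc, pat in keyword_patterns(keywords):
        for m in pat.finditer(image):
            start, end = m.start(), m.end()
            lo = start - context
            if lo < 0:
                lo = start % 2          # keep 2-byte alignment for UTF-16 decoding
            hi = min(len(image), end + context)
            hi -= (hi - lo) % 2
            text = image[lo:hi].decode(enc, errors="replace").replace("\x00", "")
            hits.append({
                "keyword": kw,
                "encoding": enc,
                "offset": start,
                "sector": start // sector,
                "snippet": text,
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in search_image(build_sample_image(), ["example.test", "forensic", "private"]):
        print(f"{hit['offset']:>6}  sector {hit['sector']}  {hit['encoding']:<9} "
              f"{hit['keyword']!r}: {hit['snippet']}")
```

The UTF-16LE pass is what makes the difference on Windows artefacts: a typed URL stored as two-byte characters never matches a plain ASCII pattern, so a search limited to ASCII would report nothing for it. On a real image, read the file in chunks with an overlap at least as long as the longest encoded keyword so that a match spanning two chunks is not missed.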
Mozilla Firefox
Analysis of the disk image on which Mozilla Firefox was installed did not reveal any data that could identify
the activities of a user during a private browsing session, the keyword search did not produce any matches.
While navigating through the file system tree, it was discovered that Mozilla Firefox had a separate location
for storing data different from its default folder in the directory:
“C:/../Appdata/Roaming/Mozilla/Firefox/Profiles/urnipy0x.default/storage/permanent/chrome/idb”
Autopsy revealed SQLite database files that were linked to Mozilla Firefox due to the timestamps that show
they had been accessed within the timeframe the browser was launched. Some of these files had been de-
leted, but Autopsy was able to recover them to reveal their contents. The analysis of the contents of the de-
leted and non-deleted SQLite database files, showed the absence of any information that could be used to
identify a user’s activity. The only information that could be retrieved from the files is their recently accessed
timestamp, which indicates that the browser was used recently, although from this information, it is not possi-
ble to make a deduction as to whether it was a private browsing or a normal browsing session.
Further navigation through the file system structure revealed a deleted file located in the
“.$OrphanedFiles/credential” directory. This file contained information revealing that a private browsing
window was opened, as shown in figure 4.3. Figure 4.4 shows the accessed timestamp of the file, which re-
veals the exact time when the private browsing window was opened.
ticular user that had used private browsing. A cookie persisted revealing the fact that a private browsing ses-
sion had taken place and its metadata had information about the time in which a private browsing session
Figure 4.5: Cookie retained after private browsing
Google Chrome
An initial keyword search performed using Autopsy did not match any of the keywords, but while manually
navigating through the file system directory tree, a photo was discovered in the $CarvedFiles directory, which
is located in the root directory and is not accessible to a user unless a tool like Autopsy is used. The file found
was a thumbnail file that was probably created when the PDF file was viewed during the data population proc-
ess. Although the file MAC times have been deleted, the content of the file still remains, as shown in figure
4.6.
deleted, the contents of these files does not give any evidence that a private browsing session had taken
place. The search for artefacts in allocated space did not yield positive results and the only information pre-
sent were the timestamps of the files in Chrome’s default directory that show the browser had recently been
used. The fact that the files had been recently accessed but contained no information also suggests either
that private browsing had taken place or that the browsing data had been deleted manually.
Microsoft Edge
The analysis of Microsoft Edge’s InPrivate mode produced the highest amount of data that could be used to
identify the activities of a user after a private browsing session. An initial keyword search produced matches
for each of the keywords; the number of matches for each keyword is shown in Appendix 2 (Table 12). Most of
the files whose contents produced matches were found in unallocated space and merely relying on the
names of the files would not give away the information they contain. Additional data was recovered through
manually navigating to the “$CarvedFiles” directory visible within the Autopsy GUI. Data recovered from the
carved files included whole chunks of HTML code that was used to construct the visited pages. Careful
manual inspection revealed that some of these files not only contained HTML code but also the links to the web
The last location examined was the default folder of Microsoft Edge. Within this location, deleted files
identified earlier in the process monitoring experiment were discovered, and these files contained precise
information about the contents of the web pages a user viewed, as shown in figures 4.9 and 4.10.
Figure 4.9: deleted files recovered from Microsoft Edge’s default directory
Internet Explorer
Results from the experiment on Internet Explorer show that it produced the largest number of recoverable
artefacts. The keyword search performed produced matches for the keywords listed in Appendix A; screenshots
of the contents of the files that matched the keywords are shown below. From the data recovered, it can
be observed that the browser also stores data for pages linked to the current page as items related to the
Autopsy’s Exif Metadata module recovered a large number of images different from the images intentionally
viewed as part of the data population process. Two such images are shown in figure 4.11 and 4.12. It is as-
sumed that Internet Explorer cached all elements of the web pages visited.
Figure 4.12: Recovered photo related to viewed content
When the $CarvedFiles directory was analysed, it was found to contain a large number of unallocated files
whose content was still intact and when viewed manually were found to also be elements of the web pages.
This directory also contained chunks of HTML code that could be used to reconstruct the web pages to see
tence of deleted cached files whose metadata had been deleted but the contents were still intact. These files
were easily retrieved but some of these files could not be retrieved due to the contents being deleted as
Figure 4.13: Cached file with contents deleted
Figure 4.14: Cached file with intact content
Also discovered while manually navigating to known locations where artefacts are stored was the WebCache
directory, containing the WebCacheV01.dat file and log files that also contain data, as shown in figure 4.15.
These files still existed in allocated space with their contents intact. The WebCacheV01.dat file matched most
keywords, and these files contained information that includes all links visited and items searched for.
Process Activity
Monitoring the processes created and the interaction with the file system gives an insight into how browsers
in private mode differ from the same browsers operating in their normal browsing modes, while attempting
to provide an explanation of why Chrome and Firefox are better at maintaining privacy than Internet Explorer
and Microsoft Edge. The information of interest in this phase of experimentation is the total number of
events occurring and the events that are write related, because data being written to files increases the
chances of revealing user activity. Information obtained in this phase of experimentation will answer the
research question of how browsers in private modes differ from their normal modes.
The sections below describe the results that were obtained from this phase of experimentation from the
tested browsers.
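The counting described above, as an added example that is not part of the dissertation: a short script that summarises a Process Monitor CSV export per browsing mode, counting total events and write-related events and ranking the paths with the most writes, in the manner of Table 4.1. It assumes the export uses Process Monitor's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and treats WriteFile as the write operation; the rows below are constructed, and the browser name, paths and PIDs in them are placeholders.

```python
"""Summarise Process Monitor CSV exports per browsing mode (added example).

Assumes Process Monitor's default export columns. WriteFile is treated as the
write-related operation; add further operation names to WRITE_OPERATIONS if an
export contains others that should count as writes. Sample rows are constructed.
"""
import csv
import io
from collections import Counter

WRITE_OPERATIONS = {"WriteFile"}

# Constructed export for a hypothetical browser's normal-mode session.
NORMAL_MODE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","browser.exe","1234","CreateFile","C:\Users\Experiment\AppData\Local\Browser\Cache\data_0","SUCCESS","Desired Access: Generic Write"
"10:00:01.0000010","browser.exe","1234","WriteFile","C:\Users\Experiment\AppData\Local\Browser\Cache\data_0","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.0000020","browser.exe","1234","WriteFile","C:\Users\Experiment\AppData\Local\Browser\Cache\data_0","SUCCESS","Offset: 4,096, Length: 4,096"
"10:00:01.0000030","browser.exe","1234","WriteFile","C:\Users\Experiment\AppData\Local\Browser\History","SUCCESS","Offset: 0, Length: 512"
"10:00:01.0000040","browser.exe","1234","ReadFile","C:\Users\Experiment\AppData\Local\Browser\History","SUCCESS","Offset: 0, Length: 512"
"10:00:01.0000050","browser.exe","1234","RegQueryValue","HKCU\Software\Browser\Prefs","SUCCESS","Type: REG_SZ"
'''

# Constructed export for the same hypothetical browser's private-mode session.
PRIVATE_MODE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:00.0000000","browser.exe","1300","CreateFile","C:\Users\Experiment\AppData\Local\Browser\GPUCache\data_0","SUCCESS","Desired Access: Generic Write"
"10:05:00.0000010","browser.exe","1300","WriteFile","C:\Users\Experiment\AppData\Local\Browser\GPUCache\data_0","SUCCESS","Offset: 0, Length: 4,096"
"10:05:00.0000020","browser.exe","1300","ReadFile","C:\Users\Experiment\AppData\Local\Browser\History","SUCCESS","Offset: 0, Length: 512"
'''


def summarise(csv_text):
    """Return (total_events, write_events, writes_per_path) for one export."""
    total = 0
    writes_per_path = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if row["Operation"] in WRITE_OPERATIONS:
            writes_per_path[row["Path"]] += 1
    return total, sum(writes_per_path.values()), writes_per_path


def percent_decrease(normal, private):
    """Percentage reduction from the normal-mode count to the private-mode count, one decimal."""
    if normal <= 0:
        raise ValueError("normal-mode count must be positive")
    return round(100.0 * (normal - private) / normal, 1)


def compare_modes(normal_csv, private_csv, top=3):
    """Build the per-mode comparison: totals, write counts and the most-written paths."""
    n_total, n_writes, n_paths = summarise(normal_csv)
    p_total, p_writes, p_paths = summarise(private_csv)
    return {
        "normal_total": n_total,
        "private_total": p_total,
        "normal_writes": n_writes,
        "private_writes": p_writes,
        "event_decrease_pct": percent_decrease(n_total, p_total),
        "write_decrease_pct": percent_decrease(n_writes, p_writes) if n_writes else None,
        "top_normal_paths": n_paths.most_common(top),
        "top_private_paths": p_paths.most_common(top),
    }


if __name__ == "__main__":
    report = compare_modes(NORMAL_MODE_CSV, PRIVATE_MODE_CSV)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Filter the export to the browser's own process names before counting, as Process Monitor records every process on the system, and compare exports captured over sessions of the same activity set, since the event counts scale with the amount of browsing performed.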
Analysis of Google Chrome’s process activity in Incognito mode shows the various files created and directo-
ries that were accessed. It was discovered that the highest number of write operations was to the file paths:
C:\...\Chrome\User Data\Default\GPUCache\data_0
C:\...\Chrome\UserData\ShaderCache\GPUCache\data_0
C:\$ConvertToNonresident
with 262, 174 and 54 write operations respectively to these files. The .tmp files identified by Horsman (2017) in
C:\...\Appdata\Local\Google\Chrome\User Data
C:\...\Appdata\Local\Google\Chrome\User Data\Default
However, with the Incognito window open, an attempt was made to navigate to the above directories but the
files were not found in the specified directories. On two separate experiments with slight variations in the ap-
proach used, it was found that the number of write operations to the “C:\$ConvertToNonresident” path coin-
cided with the number of .TMP files discovered and it is believed that the data written to the above directory
Data was also discovered to have been written to some of Chrome’s databases; History, Web Data and Login
Data. However, upon the examination of the SQLite database files, no data was found relating to the private
browsing session. Google Chrome browser is able to interact with its SQLite databases using structured
query language (SQL) and it is believed that the entries in the databases might have been deleted after the
Google Chrome
Analysis of Chrome’s process activity in its normal mode shows a big difference in the number of write opera-
tions and the number of files written to when compared to incognito mode. A summary is shown in Table 4.1.
Data from the Process Monitor tool shows the highest number of write operations was to the files:
C:\...\Chrome\User Data\Default\Cache\data_0
C:\...\Chrome\User Data\Default\Cache\data_1
with 96,633 and 17,879 write operations respectively. 127 TMP files were identified to be created in the directo-
ries:
C:\...\Appdata\Local\Google\Chrome\User Data
C:\...\Appdata\Local\Google\Chrome\User Data\Default
An attempt was also made during this experiment to verify the existence of these files but, upon navigation
to the directories listed above, the files were not found even after setting Windows file explorer to view hid-
den files. It was also discovered that data was written to the directory “C:\$ConvertToNonresident”, and the
number of writes to this file coincided with the number of TMP files that exist. Results from both incognito
and normal mode further increased the likelihood of data written to the above file being responsible for the
absence of the TMP files. Data was also found to have been written to Chrome’s databases; History, Top Sites,
Favicons, Cookies and their journal files; History-Journal, Top Sites-Journal, Favicons-Journal and Cookies-
Journal. Data being written to these files is not surprising as they will persist until they are manually deleted
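Examining those SQLite databases, as an added example that is not the dissertation's code: a script that builds a small History-style database in memory, with a urls table modelled on Chrome's (the schema here is a simplified assumption, not a copy of Chrome's), and lists its rows with the last_visit_time column converted from Chrome's WebKit timestamp format (microseconds since 1601-01-01 00:00:00 UTC, the same epoch as Windows FILETIME) into a readable date. The rows are constructed; open_history_copy is the example's own helper for pointing list_history at a copied History file.

```python
"""List a Chrome-style History database with WebKit timestamps decoded (added example).

The ``urls`` table below is a simplified model of Chrome's, and the rows are
constructed. Chrome stores ``last_visit_time`` as microseconds since
1601-01-01 00:00:00 UTC (the WebKit/Windows FILETIME epoch), not the Unix epoch,
so the raw integer must be converted before it can be read as a date.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Convert a WebKit timestamp (integer microseconds) to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    """Inverse conversion, in integer arithmetic so large values do not lose precision."""
    delta = dt.astimezone(timezone.utc) - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history():
    """Create an in-memory History-style database holding two constructed visits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY,
            url LONGVARCHAR,
            title LONGVARCHAR,
            visit_count INTEGER DEFAULT 0 NOT NULL,
            typed_count INTEGER DEFAULT 0 NOT NULL,
            last_visit_time INTEGER NOT NULL,
            hidden INTEGER DEFAULT 0 NOT NULL)""")
    rows = [
        ("https://example.test/search?q=forensic+artefacts", "forensic artefacts - search", 2, 1,
         datetime_to_webkit(datetime(2018, 1, 1, 0, 0, 0, tzinfo=timezone.utc))),
        ("https://example.test/login", "Sign in", 1, 0,
         datetime_to_webkit(datetime(2017, 12, 31, 23, 0, 0, tzinfo=timezone.utc))),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time) "
        "VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def list_history(conn):
    """Return the urls rows, oldest first, with last_visit_time decoded to ISO 8601."""
    cur = conn.execute(
        "SELECT url, title, visit_count, typed_count, last_visit_time "
        "FROM urls ORDER BY last_visit_time")
    return [
        {"url": url, "title": title, "visit_count": visits, "typed_count": typed,
         "last_visit": webkit_to_datetime(ts).isoformat()}
        for url, title, visits, typed, ts in cur]


def open_history_copy(path):
    """Open a copied History file read-only (SQLite URI mode), never the evidence original."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for entry in list_history(build_sample_history()):
        print(entry["last_visit"], entry["visit_count"], entry["url"])
```

Work on a copy of the database together with its -journal or -wal file: opening the original with a normal connection can modify it (a pending journal may be rolled back or a WAL checkpointed), which changes the evidence file's hash. An empty urls table after a private session, as observed in the experiment, is exactly what list_history returns as an empty list; entries that were deleted rather than never written may still be recoverable from the database's free pages or the journal, which this reader does not inspect.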
Mozilla Firefox
Analysis of Mozilla Firefox process activity operating in normal mode shows that, with the predetermined
actions used to populate the browsers with data, the highest numbers of write operations were carried out on
the “cookies.sqlite-wal”, “places.sqlite-wal” and “cookies.sqlite” database files, with 29,120, 11,370 and 2,357
write operations, respectively.
C:\...\AppData\Local\Mozilla\Firefox\Profiles\yx50t4rf.default\cache2\entries
with 5,201 events. This represents a large volume of the processes that occurred during the browsing session.
However, the contents of these files that remained after the browsing session was terminated, when exam-
ined with a hex editor, was unreadable text, but further analysis of the files shows that it contains the date and
time for a digital certificate request. Also discovered in this test was a total of 18 writes to
“C:\$ConvertToNonResident”.
Results from the experiment on Mozilla Firefox private mode show that it writes significantly less data to the
file system when compared to its normal mode. The file paths involved in the highest number of write opera-
tions differ greatly from its normal mode, with 917 write operations made to the revocations.txt file present in
the browser’s default directory. Analysis of this file shows that it contains non-readable characters. Data from
Process monitor show that Mozilla Firefox while in private mode writes session related data to SQLite data-
bases different from the normal databases. These database files were identified with random file names while
having the SQLite file extension. It was also found that data was written to the “C:\$ConvertToNonResident”
directory a total number of 31 times, which is more than the amount of times data was written to this directory
Microsoft Edge
Results from the monitoring of Microsoft Edge browser in normal mode shows that 66,857 write operations to
the file system were initiated during the browsing session. A significantly large portion of the files written to
had the file extension “.dat” and were located in the directory:
C:\...\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active
During the browsing session, a large number of cache files relating to the contents of the pages visited with
data were written to Microsoft Edge’s main database file, ‘Spartan.edb’ located in the directory:
C:\Users\Experiment\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore
The directory, C:\$ConvertToNonResident, which was identified as one of the locations where data was writ-
ten to in the experiment with Mozilla Firefox, both in normal and private modes, was not identified as a loca-
tion where Microsoft Edge wrote data. The reason for this behaviour, which varies from what was observed
with the other browsers, is not yet known, although, it might be due to the fact that the Microsoft Edge
Microsoft Edge’s InPrivate mode carries out significantly fewer operations than its normal browsing
mode. The highest number of writes occurred to temporary files that had the .TMP and the “.dat” exten-
sions. For each browser tab that was created in the data population process (12 in total), there existed two
files that presumably hold information related to the contents of the pages visited, one file with the “.dat” ex-
tension and one file with the “.TMP” extension. 127,380 events occurred in Microsoft Edge’s private browsing
compared to the non-private mode with 332,933, which is a 61.7% decrease for events that occurred. Of the
total events that occurred, 6,286 events were write-related in InPrivate mode compared to the normal mode
It is also important to note that there was no evidence of data being written to the
C:\$ConvertToNonResident directory, which is a similar behaviour shared with its non-private browsing
mode.
Internet Explorer
Analysis of the process activity of Internet Explorer shows a total of 233,647 events, of which 20,403 were write operations. Like the other browsers examined, it wrote data to files with the “.dat” extension and stored a great deal of content-related data in its cache folder. Files were created for the images, videos and web pages accessed, and these could be identified from the file extensions in the cache folder. The write operations were spread across a large number of files with .jpg, .css and .htm extensions. Given the number of files created and cached, it is assumed that Internet Explorer caches whole web pages, presumably to reduce the load time on the next visit to the same page. With a similar behaviour observed in Mi-
Internet Explorer in its private mode had a total of 221,959 events with 15,567 write-related operations. The files created by this browser during the experiment had file names that gave away the contents of the web pages a user had accessed, even without manually viewing the files. These files were cached with their native extensions: videos with the .mp4 extension and photos with the .jpg extension. A large number of the files created were multimedia files, just as with Internet Explorer in its non-private mode, a large number of tempo-
the same content were stored in the same cache directory and some of the filenames give away the nature of the activities. Also observed was the absence of any data written to “C:\$ConvertToNonResident”.
Summary of Events
Table 4.1 below provides a summary of the number of events occurring in the private and non-private modes
The data presented in Table 4.1 above is visualised using two graphs, as shown in Figures 4.1 and 4.2.
Figure 4.1 Visual representation of occurring events in Normal browser
Discussion
This research sought to answer the questions: is private browsing really private? Is it possible to recover data after a private browsing session? And how much data does a browser store about a user?
There are individuals who are heavily concerned about their privacy and would not want traces of their activities on the internet to be stored on their computer. The main concern of these individuals is someone else potentially discovering what activities were carried out using the internet and who they may have communicated with (Gao G., 2015). For these individuals, this research is relevant in identifying which web browsers would prevent their activities from being discovered. At the opposite end of the spectrum is the significance of this work to law enforcement and those tasked with performing a forensic examination of a computer. Most often, computer forensic examiners are in search of any data that may have been hidden by an individual. For forensic examiners, it is necessary to understand the recovery of data after the use of private browsing by knowing where to look for such data, as well as understanding what could be found, as this will reduce the time required to search for it.
This study employed the methodologies used by Montasari and Peltola (2015) and Horsman (2017). Both involved an analysis of private browsing, but Montasari and Peltola focused on analysing web browsers for the possibility of recovering any data; their study was based on the Windows 7 operating system. This work also employed a methodology similar to that of Horsman (2017), in which an analysis of the Google Chrome web browser was carried out to discover how well the browser is able to maintain privacy.
This research focused on the Windows 10 operating system and analysed four web browsers: Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, to determine whether data could be recovered after a private browsing session, while also studying the behaviour of these browsers at the process level to understand how browsers in private mode differ from the same browsers in normal mode. While this research is similar to Montasari and Peltola (2015) and Horsman (2017), it went a step further by applying Horsman’s methodology to provide a possible explanation of why Google Chrome and Mozilla Firefox are better than Microsoft Edge and Internet Explorer at rendering data from a private browsing session unrecoverable.
Autopsy was used to conduct a forensic analysis of the disk images on which the various browsers were installed. EnCase and Forensic Toolkit, tools with capabilities similar to Autopsy’s, were not chosen because software licences could not be obtained. This brought about the limitation of not knowing whether these tools would have performed better than Autopsy.
From the experiment performed, Mozilla Firefox and Google Chrome did not leave behind any trace of data related to the activities performed. Microsoft Edge and Internet Explorer left behind traces of data pointing directly to the activities performed. The data retrieved was located in both allocated and unallocated space and included search terms, viewed photos and typed URLs. Also recovered were elements of the viewed pages, including HTML code, style sheets and other photos that were not directly accessed but were present on the web page. The data recovered came from files present in the $CarvedFiles directory shown in Autopsy’s user interface. Autopsy extracts and indexes files whose file-system metadata has been deleted but whose contents remain intact; these files are named by Autopsy and listed under $CarvedFiles. Indeed, Microsoft Edge and Internet Explorer deleted these files containing information about activities carried out while in private mode, but these browsers could not render these files unrecoverable as Google Chrome
A separate experiment was performed using Process Monitor to observe the four browsers, to understand how they behave differently in private and normal mode, and to look for a possible explanation as to why Google Chrome and Mozilla Firefox are able to render the files deleted after private browsing unrecoverable while Internet Explorer and Microsoft Edge are not. The experiment involved monitoring the process activity of the web browsers while in normal and private mode to understand
The results obtained by Horsman (2017) show that Google Chrome, while in private mode, wrote significantly less data to the file system. From that experiment on Google Chrome, it was assumed that other browsers would follow suit in writing less data to the file system while in private mode. This assumption was confirmed by the experiment performed in this study, as Mozilla Firefox, Microsoft Edge and Internet Explorer all wrote significantly less data to the file system: Google Chrome showed a 99.1% drop in write activity, Microsoft Edge a 90.6% drop, and Mozilla Firefox and Internet Explorer 80.8% and 23.7% respectively. These figures, however, do not explain why data from Google Chrome and Mozilla Firefox is unrecoverable. They also contradict the idea that browsers that write the least data to the file system are better at preserving privacy, as Microsoft Edge wrote less data to the file system than Mozilla Firefox. A further analysis involved monitoring all files created and directories accessed by all four browsers, paying special attention to write operations to the file system.
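As an added illustration of the Process Monitor analysis described above (example code written for this article, not the author’s tooling), the following Python script parses a Procmon CSV export, counts events and WriteFile operations per browser process, groups writes by file extension, flags the writes Procmon attributes to C:\$ConvertToNonresident, and computes the percentage drop between normal and private mode. The CSV rows are constructed to resemble a capture; the column names are those of Procmon’s “Save as CSV” export, and treating only WriteFile as write-related is an assumption.

```python
"""Summarise a Process Monitor (Procmon) CSV export per browser process.

This is an added example for this article, not code from the thesis. It
assumes the column layout of Procmon's "Save as CSV" export (Time of Day,
Process Name, PID, Operation, Path, Result, Detail) and treats only the
"WriteFile" operation as write-related, which is an assumption; the events
below are constructed to resemble a capture, not taken from one.
"""
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in Procmon CSV export format (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","firefox.exe","4120","CreateFile","C:\Users\Experiment\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\revocations.txt","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","firefox.exe","4120","WriteFile","C:\Users\Experiment\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\revocations.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","firefox.exe","4120","WriteFile","C:\Users\Experiment\AppData\Local\Temp\7f3a1c.tmp","SUCCESS","Offset: 0, Length: 512"
"10:01:02.4","firefox.exe","4120","WriteFile","C:\$ConvertToNonresident","SUCCESS","Offset: 0, Length: 512"
"10:01:02.5","firefox.exe","4120","ReadFile","C:\Users\Experiment\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\places.sqlite","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.0","MicrosoftEdge.exe","5210","WriteFile","C:\Users\Experiment\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1A2B}.dat","SUCCESS","Offset: 0, Length: 8,192"
"10:01:03.1","MicrosoftEdge.exe","5210","WriteFile","C:\Users\Experiment\AppData\Local\Temp\EDG3F2.TMP","SUCCESS","Offset: 0, Length: 1,024"
"10:01:03.2","MicrosoftEdge.exe","5210","QueryBasicInformationFile","C:\Users\Experiment\AppData\Local\Temp\EDG3F2.TMP","SUCCESS",""
'''

# Pseudo-path Procmon reports when NTFS moves a file's data out of its MFT record.
CONVERT_PATH = r"C:\$ConvertToNonresident"
WRITE_OPS = {"WriteFile"}  # assumption: what the text calls "write-related" events


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarise(events, process_name):
    """Count events, writes, writes by extension and $ConvertToNonresident
    writes for one process (case-insensitive process-name match)."""
    proc = [e for e in events if e["Process Name"].lower() == process_name.lower()]
    writes = [e for e in proc if e["Operation"] in WRITE_OPS]
    by_ext = Counter(PureWindowsPath(e["Path"]).suffix.lower() or "<none>" for e in writes)
    convert = sum(1 for e in writes if e["Path"].lower() == CONVERT_PATH.lower())
    return {
        "events": len(proc),
        "writes": len(writes),
        "writes_by_ext": dict(by_ext),
        "convert_to_nonresident": convert,
    }


def drop_percent(normal, private):
    """Percentage decrease from a normal-mode count to a private-mode count,
    rounded to one decimal place, as the discussion reports it."""
    if normal <= 0:
        raise ValueError("normal-mode count must be positive")
    return round((normal - private) * 100.0 / normal, 1)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for name in ("firefox.exe", "MicrosoftEdge.exe"):
        print(name, summarise(rows, name))
    # Counts quoted in the text: Edge normal-mode vs InPrivate write operations.
    print("Edge write drop:", drop_percent(66857, 6286), "%")
```

To run it over a real capture, replace SAMPLE_CSV with the contents of the exported file; the drop_percent call reproduces the 90.6% figure for Microsoft Edge from the counts quoted above (66,857 normal-mode writes against 6,286 InPrivate), and the same function applied to the Internet Explorer counts (20,403 against 15,567) gives 23.7%.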
Monitoring the file system activity of the browsers revealed a peculiar activity unique to Google Chrome and Mozilla Firefox. Observing all four browsers showed the creation of various files; special attention was paid to those created with the .tmp extension, just as Horsman (2017) had observed, but an additional observation was made. For each of the files with the “.tmp” extension, a corresponding write operation was performed by Google Chrome and Mozilla Firefox to “C:\$ConvertToNonResident”, but not by Microsoft Edge and Internet Explorer. Note that Process Monitor reports this path when NTFS converts a file’s data from resident (stored inside its MFT record) to non-resident (stored in allocated clusters), which happens as a small file grows; it does not correspond to a directory that can be browsed on the volume. This behaviour, peculiar to Google Chrome and Mozilla Firefox, raised the questions: what data is being written to this location? What is its content? Is this responsible for the inability to recover data from Chrome and Firefox? These questions will form the basis for further
The concept of privacy is often interpreted differently depending on the context in which it is used. When the privacy of a private browser is discussed by most researchers, it refers to how well a browser is able to remove all traces of user activity after a private browsing session. Most of the time, the level of privacy is judged by the activities that take place locally on the user’s computer rather than by how well a browser
The expectations researchers have of private browsing often exceed what the vendors promise. Most vendors’ statements about private mode say that browsing history, cookies and site data will not be saved and, from what is observed, this is implemented, but it is only effective against a user with average knowledge of a computer. In the experiment performed, it can be seen that deep knowledge of computers and forensic data recovery methods is required for the recovery of private browsing data to be possible. Another statement made by the vendors is that any data created during private browsing is deleted. The key word in this statement is “deleted”. With regard to a file system, when data is deleted the pointer to the location of the file is removed but its content remains intact until it is overwritten by another file. “Deleted” is very different from “overwritten”, which is when the contents of a deleted file are replaced with zeros or with the contents of another file. Many researchers judge a browser’s privacy poorly when deleted files that have not been overwritten are successfully recovered, but this is outside the scope of the vendor’s statement. Also outside the scope of the vendor’s statement is the deletion of data remaining in physical memory. From this argument, it can be seen that private browsing is private when considered from the angle of the browser vendors, as they keep to their statement of the deletion of files and data after a pri-
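To make the $CarvedFiles point above and the distinction between “deleted” and “overwritten” concrete, here is an added Python example (written for this article; it is neither the thesis’s code nor Autopsy’s implementation). It keeps a toy volume as a byte buffer with a directory of name-to-range pointers, models an ordinary delete as dropping the directory entry and an overwrite as zero-filling the range, then carves by JPEG markers and URL strings across the whole buffer without consulting the directory, which is the idea behind recovery into $CarvedFiles. The JPEG-like blob, the page fragment and the cache file names are constructed; the URL is one of those in Appendix 1.

```python
"""Deleted versus overwritten: signature carving over a constructed volume.

Added example for this article; it is not the thesis's code and not how
Autopsy is implemented. A toy volume keeps a directory (name -> byte range)
over a flat byte buffer. Dropping the directory entry models an ordinary
delete; zero-filling the range models an overwrite. A simplified carver
then scans the whole buffer for JPEG start/end markers and URL strings,
ignoring the directory. The JPEG bytes, page fragment and URL are constructed.
"""
import re

CLUSTER = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_\-?=&%]+")


class ToyVolume:
    """Flat byte buffer plus a directory; no real file system structures."""

    def __init__(self, clusters=16):
        self.data = bytearray(CLUSTER * clusters)
        self.directory = {}   # name -> (offset, length): the 'pointer' to the content
        self._next_free = 0

    def write_file(self, name, content):
        off = self._next_free
        self.data[off:off + len(content)] = content
        self.directory[name] = (off, len(content))
        self._next_free += -(-len(content) // CLUSTER) * CLUSTER  # round up to a cluster
        return off

    def delete(self, name):
        """Ordinary delete: remove the directory entry, leave the bytes in place."""
        del self.directory[name]

    def overwrite(self, name, fill=b"\x00"):
        """Overwrite: replace the file's bytes, then remove the entry."""
        off, length = self.directory.pop(name)
        self.data[off:off + length] = fill * length


def carve_jpegs(data):
    """Return every byte run between a JPEG SOI and the next EOI, wherever
    it lies in the buffer (allocated or not)."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(data[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def carve_urls(data):
    """Return URL-looking strings found anywhere in the buffer."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(data)]


def demo():
    """Write three files, delete two, overwrite one, and carve at each stage."""
    vol = ToyVolume()
    # Constructed JPEG-like blob: the markers are real, the payload is filler.
    photo = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x80" * 40 + JPEG_EOI
    page = b'<html><a href="http://www.nairaland.com/">link</a></html>'
    vol.write_file("cache\\photo1.jpg", photo)
    vol.write_file("cache\\page.htm", page)
    vol.write_file("cache\\photo2.jpg", photo.replace(b"\x80", b"\x81"))
    while_allocated = len(carve_jpegs(vol.data))

    vol.delete("cache\\photo1.jpg")
    vol.delete("cache\\page.htm")
    after_delete = len(carve_jpegs(vol.data))     # entries gone, bytes remain

    vol.overwrite("cache\\photo2.jpg")
    after_overwrite = len(carve_jpegs(vol.data))  # zero-filled copy is unrecoverable

    return {
        "allocated_names": sorted(vol.directory),
        "jpegs_carved": (while_allocated, after_delete, after_overwrite),
        "urls_carved": carve_urls(vol.data),
    }


if __name__ == "__main__":
    print(demo())
```

The carver never looks at the directory, so the deleted photo and the typed URL in the deleted page are both found while the zero-filled photo is not; the carved files arrive without names, which is why a tool such as Autopsy has to assign its own under $CarvedFiles. A real carver also has to cope with fragmentation and false-positive markers inside other data, which this toy deliberately ignores.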
The second question, the possibility of recovering data after a private browsing session, depends on the browser in question. The process-level behaviour of the selected web browsers was studied and compared. The study reveals every possible location where the browsers could store data. These locations were investigated using Autopsy to reveal any deleted files that could be recovered. The study shows that Google Chrome and Mozilla Firefox effectively deleted any data that could identify the activities carried out in private browsing. Microsoft Edge and Internet Explorer, by comparison, left traces of data in both allocated and unallocated space. The non-recovery of data from Google Chrome and Mozilla Firefox was attributed to the writes involving “$ConvertToNonResident”, as this behaviour was not observed in Microsoft Edge or Internet Explorer.
The possibility of recovering data after a private browsing session also depends on the size of the primary storage device. During a test run of the experiment, it was discovered that a smaller storage device reduces the chances of recovering deleted data, because deleted files in unallocated space
From this study, it can be seen that the amount of data a browser stores about user activity also depends on the browser being used. The results show that Internet Explorer, in both its private and normal modes, stores a large amount of data related to the activities carried out. Data directly linked to those activities, such as typed URLs and the pictures viewed, was stored in its cache folders alongside the contents of linked pages that were not viewed directly. Google Chrome is deemed to store the least data about user activity, having the lowest number of write operations to files
Conclusion
This project sought to contribute towards the pursuit of better implementation of privacy in technology with a
The reviewed literature provided a brief summary of the broad background area of digital forensics in which this project lies. The concerns end users of services have about their privacy are highlighted in this project, and this concern largely contributes to vendors implementing private browsing. This implementation, however, provides sufficient protection locally only against an attacker with a basic knowledge of the workings of a computer. To an advanced attacker, the implementation of private browsing, especially in
The experiment performed in this project further magnifies this ineffectiveness by easily recovering traces of information left behind after using these browsers. The reason for this ineffectiveness is seen in the experiment that monitored the processes created by these browsers, in which a small difference occurred in the process activity of Google Chrome, Mozilla Firefox and Internet Explorer.
The literature reviewed highlights the work done by other researchers while also describing their research methodology. Comparing the results obtained in this study with previous work, it can be seen that browser vendors have improved the privacy of private browsing, but this can only be said of Google Chrome and Mozilla Firefox.
References
• Akbal, E., Gunes, F., & Akbal, A. (2016). Digital Forensic Analyses of Web Browser Records. Journal of Software, 631-637.
• Alabdulsalam, S., Schaefer, K., Kechadi, T., & Le-Khac, N.-A. (2018). Internet of Things Forensics: Challenges and Case Study. 14th Annual IFIP WG 11.9 International Conference on Digital Forensics. New Delhi.
• Bhosale, S. T., Patil, T., & Patil, P. (2015). SQLite: Light Database System. International Journal of Computer Science and Mobile Computing, 882-885.
• Brezinski, D., & Killalea, T. (2002). RFC 3227: Guidelines for Evidence Collection and Archiving. Retrieved from https://tools.ietf.org/html/rfc3227
• Caviglione, L., Wendzel, S., & Mazurczyk, W. (2017). The Future of Digital Forensics: Challenges and the Road Ahead. IEEE Security & Privacy, 12-17.
• Feng, X., & Zhao, Y. (2017). Digital Forensics Challenges to Big Data in the Cloud. 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Exeter: IEEE.
• Gao, G. (2015, May 29). What Americans think about NSA surveillance, national security and privacy. Retrieved from Pew Research Center: http://www.pewresearch.org/fact-tank/2015/05/29/what-americans-think-about-nsa-surveillance-national-security-and-privacy/
• Gao, X., Yang, Y., Fu, H., Lindqvist, J., & Wang, Y. (2014). Private Browsing: An Inquiry on Usability and Privacy Protection. Proceedings of the 13th Workshop on Privacy in the Electronic Society (pp. 97-106). Scottsdale: ACM.
• Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Proceedings of the Tenth Annual DFRWS Conference (pp. 64-73).
• Gartner. (2018, March 21). Gartner Says Worldwide IoT Security Spending Will Reach $1.5 Billion in 2018. Retrieved from Gartner: https://www.gartner.com/newsroom/id/3869181
• Grande, L. C., & Guadron, R. S. (2016). Computer Forensics. 2016 IEEE 36th Central American and Panama Convention. IEEE.
• Horsman, G. (2017). A process-level analysis of private browsing behavior: A focus on Google Chrome’s Incognito mode. 2017 5th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-6). Tirgu Mures: IEEE.
• Kishore, N., Saxena, S., & Raina, P. (2017). Big data as a challenge and opportunity in digital forensic investigation. Telecommunication and Networks. India.
• Lacroix, K., Loo, Y. L., & Choi, Y. B. (2017). Cookies and Sessions: A Study of What They Are, How They Work and How They Can Be Stolen. International Conference on Software Security and Assurance (ICSSA) (pp.
• MacDermott, A., Baker, T., & Shi, Q. (2018). IoT Forensics: Challenges for the IoA Era. New Technologies, Mobility and Security. Paris: IEEE.
• Marrington, A., Baggili, I., Ismail, T. A., & Kaf, A. A. (2012). Portable web browser forensics: A forensic examination of the privacy benefits of portable web browsers. 2012 International Conference on Computer Sys-
• Messier, R., & Mackay, K. (2015). Operating System Forensics. Waltham, MA: Syngress.
• Montasari, R., & Peltola, P. (2015). Computer Forensic Analysis of Private Browsing Modes. International Conference on Global Security, Safety, and Sustainability (pp. 96-109). Springer.
• Muir, B. (2015, September 9). Windows 10 - Microsoft Edge Browser Forensics. Retrieved June 28, 2018, from Kinja: https://bsmuir.kinja.com/windows-10-microsoft-edge-browser-forensics-1733533818
• Murdock, J. (2018, April 4). Facebook Is Tracking You Online, Even If You Don’t Have an Account. Retrieved July 7, 2018, from Newsweek: https://www.newsweek.com/facebook-tracking-you-even-if-you-dont-have-account-888699
• Nemetz, S., Schmitt, S., & Freiling, F. (2018). A standardized corpus for SQLite database forensics. Proceedings of the Fifth Annual DFRWS Europe (pp. 121-130). Elsevier.
• Ohana, D. J., & Shashidhar, N. (2013). Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions. 2013 IEEE Secu-
• Pollitt, M. (2010). A History of Digital Forensics. IFIP International Conference on Digital Forensics (pp. 3-15). Springer, Berlin, Heidelberg.
• Rathod, D. (2017). Web Browser Forensics: Google Chrome. International Journal of Advanced Research in Computer Science.
• Satvat, K., Forshaw, M., Hao, F., & Toreini, E. (2014). On the privacy of private browsing - A forensic approach. Journal of Information Security and Applications, 88-100.
• StatCounter. (2018, June 27). Desktop Browser Market Share Worldwide - May 2018. Retrieved from StatCounter: http://gs.statcounter.com/browser-market-share/desktop/worldwide
• Tilbury, C. (2015, June 3). ESE Databases are Dirty! Retrieved June 15, 2018, from SANS: https://digital-forensics.sans.org/blog/2015/06/03/ese-databases-are-dirty
• Travis, A. (2018, January 30). UK mass digital surveillance regime ruled unlawful. Retrieved from The Guardian: https://www.theguardian.com/uk-news/2018/jan/30/uk-mass-digital-surveillance-regime-ruled-unlawful-appeal-ruling-snoopers-charter
• Vincze, E. A. (2016). Challenges in digital forensics. Police Practice and Research, 17(2), 1-12.
• Wei, W. (2018, April 15). Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer. Retrieved from The Hacker News: https://thehackernews.com/2018/04/iot-hacking-thermometer.html
• Xu, M., Jang, Y., Xing, X., Kim, T., & Lee, W. (2015). UCognito: Private Browsing without Tears. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 438-449). Colorado: ACM.
Appendix 1
• Searched for the items listed below using Google search engine:
• mbappe
• lewandowski
• Cristiano
• Neymar
• Mandzukic
• Ribery
• Http://www.nairaland.com
• http://www.nigerianmonitor.com
• http://www.jumia.com.ng
• http://www.konga.com
• Pikachu
• Pokémon
• Tamagotchi
• Raspberry PI
• Indomie
• Shuriken
• thesisexperiment1122@gmail.com
• edissertation@yahoo.com
• Send the randomly generated string “qww2qo3fi1fbyrt5mplv” from the Gmail account to the Yahoo mail account
• Send the randomly generated string “usps6cznp19c0p8hzk3q” from the Yahoo mail account to the Gmail account
1. https://www.napier.ac.uk