
TEAM

Editor-in-Chief

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com

Managing Editor:

Dominika Zdrodowska

dominika.zdrodowska@eforensicsmag.com

Editors:

Marta Sienicka

sienicka.marta@hakin9.com

Marta Strzelec 

marta.strzelec@eforensicsmag.com

Bartek Adach

bartek.adach@pentestmag.com

Senior Consultant/Publisher: 

Paweł Marciniak 

CEO: 

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com 

Marketing Director: 

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com

DTP

Dominika Zdrodowska

dominika.zdrodowska@eforensicsmag.com

Cover Design

Hiep Nguyen Duc

Publisher 

Hakin9 Media Sp. z o.o.

02-676 Warszawa

ul. Postępu 17D 

Phone: 1 917 338 3631 

www.eforensicsmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the
presented techniques or consequent data loss.

word from the team

Dear Readers,

We couldn’t be happier to announce the newest issue of eForensics Magazine - Academic Trends in Digital Forensics. It is devoted to universities that offer digital forensics courses, and, what’s important - this issue is FREE to download!

For this publication, we invited digital forensics and cybersecurity lecturers, students, and those who have recently graduated from uni. The issue contains many interesting publications on recent academic research.

Diane Gan (in cooperation with David Gresty), who’s a professor at University of Greenwich, has written an article about using edutainment to train the next generation of forensics investigators, and her 3 students have provided forensic case studies on which they worked during their university course. These case studies relate to murder, terrorism and drug dealing investigations. Diane’s article and the works of her students could be extremely useful for other universities looking to implement new teaching methods in DFIR programs.

We’re also proud to present a piece of Tamunoibiton Adoki’s master’s research project regarding Forensic Analysis of Web Browsers in Private mode - never before published, anywhere! Moreover, we have for you articles about steganography in forensic investigations, DMA attacks for Memory Acquisition, detecting and combating phishing, and that’s still not everything in this issue’s table of contents. Just download this issue for free and check it yourself!

We would like to thank all authors - lecturers, students, and graduates, as well as our betatesters and proofreaders, for participating in this project. Without you this edition would not have been created, and everybody knows how important it is to educate digital forensics experts - we’re glad to be a part of it.

Dear Readers, last but not least - feel free to share your feedback about this issue with us.

Regards,

Dominika Zdrodowska

and the eForensics Magazine Editorial Team


Table Of Contents

Using Edutainment to Train the Next Generation of Forensics Investigators 5
by Diane Gan & David Gresty - lecturers from University of Greenwich

Drug dealing case 10
by Student from University of Greenwich

Terrorism case 50
by Student from University of Greenwich

Murder case 82
by Student from University of Greenwich

DMA Attacks for Memory Acquisition using FireWire 158
by Raina Zakir - graduate from Rochester Institute of Technology, Dubai

Detecting and Combating Phishing 164
by Matthew Kafami - student from Norwich University

Are Digital Forensics Investigators under-estimating Steganography? 174
by Rachael Medhurst - lecturer from University of South Wales

Introduction to IoT: Forensics Challenges 180
by Kevin Rice - graduate from University of the West of England

Intro to data breaches and why get into IT field 187
by Kevin Moore - lecturer from Purdue University Global, Walden University and Western Governors University

Forensic analysis of Web Browsers in Private Mode 192
by Tamunoibiton Adoki - graduate from Edinburgh Napier University


UNIVERSITY OF GREENWICH

The Department of Computing and Information Systems at University of Greenwich offers a range of undergraduate, postgraduate and research degrees. Among others - Computer Forensics and Cyber Security (MSc), Computer Science (BSc Hons, MSc), Computer Security and Forensics (BSc Hons) and Computing Information Systems (MSc).

Using Edutainment to Train the Next Generation of Forensics Investigators

by Diane Gan & David Gresty

Introduction

The process of teaching students to become the forensics investigators of the future has certain challenges for academia. The main challenges are how to provide students with realistic cases that will engage and challenge them, facilitate learning and are academically appropriate. We have achieved this at the University of Greenwich by introducing a novel approach to the forensic coursework in the final year module, which uses an edutainment (education + entertainment) approach. This works on the basis that if students are enjoying a subject, they will learn more effectively.

To achieve this, students are assigned a “crime” and must create appropriate digital evidence for their case. They work in small groups and each group is given a different crime. Each group must deliver a digital forensic copy of their “crime” at the end of term 1. These cases are then given to different groups and each group assumes the roles of forensics investigators to analyse the evidence file that they have been allocated. This means that each group works on an individual case and must solve any investigative problems within their peer group. The students report that they enjoy the process of being the criminal and the forensics investigator and at the same time they state that they learn a lot during this process. Two example reports are included and these are cases of “drug dealing” and “terrorism” that demonstrate the type of work undertaken by these final year students. These reports have been anonymised.

There is also an additional benefit for the lecturers, which is that these cases can be reused as coursework on other forensics modules, so that other students benefit from having challenging cases to investigate. The lack of realistic case studies in forensics is a real issue when teaching this subject.

The “Crimes”

Each group must develop the evidence appropriate for their given “crime”. These are selected at random by the groups. The cases are: Terrorism, Bank robbery, Industrial espionage, Drug dealing, Pedophile ring, Murder, Running a prostitution ring, People smuggling, Stalking someone famous (may include murder/death threats/kidnapping), Money Laundering, Kidnapping, Car-jacking and exporting. There is often cross-over between crimes, as murder, blackmail and even kidnapping often feature in other cases. For example, the crime of bank robbery used blackmail and kidnapping of a family member to coerce the bank manager to open the vault and the “criminals” were dealing in drugs to fund their other activities. It should be pointed out that pornography (illegal or otherwise) is depicted using pictures of dogs and cats for the evidence.

A requirement of the coursework is that students must include at least 15 pieces of easy evidence, 8 to 10 pieces of medium difficulty evidence and 5 to 6 really challenging items. Easy evidence might be a document with white text on a white background or a picture covering text in a letter or even a mangled file where the extension has been changed to hide the type of file. These are mostly items that the forensics tools would identify and flag up to the investigator. Medium difficulty could include a password protected file but with the password being easy to guess or being the name of the file. The hard evidence might be a challenging password, hidden folders or files. Red herrings are expected to throw the investigators off, and form part of the “noise” around a case.

Students put passwords on files and on “steged” images, but these passwords must relate to the case in some way, either using the names of people or places (perhaps addresses) within the fictitious crime or they are located somewhere within the evidence. They can use passwords that are abstract but these must be present hidden within the case somewhere. A common technique used by students is to obfuscate the password using binary, hexadecimal or even base64. One group created a script that caused the LEDs on the keyboard to blink the password in Morse-code. Students have also hidden images and even passwords in video footage, which require the investigators to watch the video to retrieve this. The password to a file can also be placed as a watermark on the image which hides the evidence. Another group, as seen in the Murder case, physically wrote passwords on random pages in a book which could only be read using an ultraviolet light. They also supplied the ultraviolet light as a hint within the seizure evidence. Password cracking using open source tools is also permitted providing the password is not overly long.

Each year, there is always at least one group that writes some malware that is planted within the evidence. When the investigator clicks on the link the malware deletes their case or reboots the computer. This teaches the investigators to always keep backup copies of the evidence in the future.

There is always extensive use of tools to hide evidence and steganography tools are always a popular choice. TrueCrypt is also often used. For these types of tools, the students must leave traces of the tools, or the tools themselves that were used to hide the evidence, as hints. They often add extra tools to try to throw the investigators off, as there are 10 extra marks available if the investigators do not find all their evidence.

The use of physical evidence is encouraged but is not a requirement. Some student groups have handed in a laptop, mobile phones, SIM cards, an ultraviolet light, Post-Its and even screwed up paper retrieved from a “waste paper bin” that had password hints on it. One group shredded paper with a lot of text on it that the investigators meticulously put back together again but which turned out to be a red herring. We have had students creating surprisingly complex social media profiles to give clues about the case, such as pets’ names or where they last ‘checked in’ before the victim goes missing. For the “drug dealing” case, the students created Facebook pages for their “criminals”.

Each group is required to produce a biography of the criminal(s), which is given to the investigators. This must include how they were arrested, what they are suspected of, their names and addresses and details of any known associates. These details should also be present within the case, so that they can be searched for using the forensics tools. Some groups also created a timeline for the “crime”, which was very helpful when marking the investigators who were allocated that case.

The Assessment

The assessment is in two parts. Firstly, the case around the “crime” is assessed at the end of semester one. Each group is required to demo their evidence to the lecturer and then the report is marked. The prerequisite components must be present. This includes a summary table that shows all the evidence, classified as easy, medium or hard. They must also include the tools used to create each item and all associated passwords. As this is a group effort, each participant is required to include a brief personal reflection as an academic requirement.

Whilst creating the cases, the students have to be cautioned that the ‘hard’ artefacts should not be overly complex simply because of an unnecessarily convoluted way of placing them into the case. Similarly, ‘obvious’ pop culture references and associations should be avoided as the class may contain students from a range of ages and backgrounds. An example of this was a group rather creatively using footage from the 2010 science fiction film ‘Inception’, where a feature of the film is that the characters can enter other people’s dreams, and then deeper levels of dreams below that. The students considered this to be an obvious clue to the multiple levels of data hiding in the file, and it really was an interesting use of popular culture inspiring their edutainment. However, the clue was sufficiently obscure for the investigators to miss it.

The second semester coursework involves a forensics investigation on a different case, which must be written up as an expert witness report. A professional document is expected that could be presented in a court of law. This follows on from their introductory course in digital forensics during their second year, where they are required to investigate a case and then present their evidence as an “expert witness” in a mock court scenario. The use of peer assessment by the “criminals” helps to identify how much of the evidence was found by the investigators. The quality of the report is then graded by the lecturers.

Conclusion

The process of seeding potential evidence and clues into their case gives the students an appreciation of a number of issues they may not fully grasp during the earlier stages of their training where they are focused on locating and reporting on specific artefacts or types of artefacts. For example, a student learning to use ‘gallery view’ in a forensics tool to identify pictures does not necessarily fully consider the importance of the meta-data of the picture, such as the size, folder location or temporal ordering of the pictures, all of which become significant features of the picture for the ‘criminals’ if they are trying to plant an innocuous picture into their case.

Without prompting, the students start to recognise the difficulty in hiding and manipulating the meta-data, leading them to come up with their own solutions, such as editing the meta-data, manipulating the system clock as they plant the artefacts or writing into their narratives the use of bulk-file changers to confuse timeline analysis. We argue that recognising these problems and coming up with the alternatives creates real problems for students who are over-confident in the evidence. During the earlier stages of training the students in general have confidence that when an artefact is called, for example, a WhatsApp chat log made on the 1st of January, that it is in fact a chat log from the WhatsApp application and it was made at that time. After doing this exercise, we see the students more readily use phrases such as “it appears to be…” or “it is called …” rather than the statement of fact “it is…”. This is an important shift as students progress towards developing the skills appropriate to a forensics investigator.

This coursework has proved very successful and is popular with the students. Very few students fail to engage with this process. Those that do engage invariably pass the coursework and often gain high marks for their inventiveness and originality. The students really relish the process of creating the crimes and use their imagination to come up with innovative scenarios. Graduates who seek employment in forensics related jobs report back that employers highly value the practical experience that this coursework provides. These students have been offered employment when this process has been discussed during interviews. This coursework provides added value to these students as they are not just gaining marks towards their final degree classification, but they are learning a significant skill that they will be able to draw on in their professional life.

We conclude that the use of edutainment as a tool to enhance student engagement and learning has been a huge success.

About the Author

Dr Diane Gan is an Associate Professor in the School of Computing and Mathematical Sciences. She is the team leader for the teaching group Cyber-SAFE and a member of the IoT and Security (IoTSec) research group. She has a PhD in the field of computer networks, is a chartered engineer with the Institute of Engineering and Technology (IET) and a Senior Fellow of the Higher Education Academy (HEA). Dr Gan’s current engagements include research and teaching within the areas of cyber security and digital forensics.

Drug dealing case

Student from University of Greenwich

Our crime for this exercise was ‘drug dealing’, which is a very loose term for a crime given the diversity of forms it can take. Drug dealing can stem from a street dealer all the way to a cartel, as well as commonly involving other avenues of crime. However, we have strictly stuck to drug dealing without diverging into other aspects of crime and concocted a story revolving around a drug distributing team that is continuing to grow in size. The investigation revolves around a USB drive recovered during the arrest of the two individuals suspected of being the heads of the network. Their arrest was the result of a police investigation into the network’s operation and the successful charging of one of the conspirators who subsequently named them. Despite this, they did not resist when arrested and during the search of their home no evidence could be found linking them to drug dealing activities.

Creation of our evidence consisted of three main steps: conceiving the crime and its story, generating the evidence to substantiate that crime and hiding the generated evidence. The evidence files consist of a collection of text, spreadsheets, images and emails created using a variety of tools.

Biography

Abstract

Two individuals, William Brown (43) and James Redman (28), were apprehended after an in-depth investigation by the Metropolitan Police force. They were arrested for orchestrating and managing a systematic and growing narcotics distribution network. This network had been established over many years and was responsible for supplying large quantities of narcotics to the metropolitan area.

Because of its continuing growth, the network was investigated extensively by the police. As it continued to expand, more evidence came to light due to its organisational faults. Due to the correlation between size and noticeable illegal activity, it was concluded that the network had expanded beyond the anticipated scope of its creators. Due to this, those in charge of the network were unable to maintain seclusion from law enforcement. A number of dealing locations, contact details, social network aliases and CCTV recordings of dealings were obtained due to this lapse. Popular areas of operation for the organisation were the Harlow area, southern Kent and other eastern areas.

Case Details

Arrest warrants were obtained for Mr. Brown and Mr. Redman, which were executed on the 28th of September 2015 at 10:36am. The location was breached and the two culprits were arrested on site; they did not resist arrest. A large amount of materials were removed from the residence for analysis, however, this did not include any narcotics. There were no clear signs of illicit activity from the materials gathered or anything that would indicate as such.

On the premises was a laptop with a USB drive attached, at point of seizure these were all deactivated. A preliminary overview of the laptop showed nothing suspicious within its contents, however, the USB drive was partially encrypted. Due to this, the drive was flagged as suspicious and sent for further analysis.

On questioning the witnesses about the USB drive, they denied knowledge of any illegal or incriminating data being present and stated the drive contained some personal media related data. When questioned about the encrypted section of the drive, they both pleaded ignorance of the key, stating they had forgotten it. Despite the threat of legal action due to the refusal to open the encrypted volume, the suspects stated that they were unable to do so as the password/key phrase was unknown to them regardless of legal threat.

A key culprit who was also arrested in connection with William Brown and James Redman is Olivia Demoria (born May 10, 1990, 26 years old). During the initial investigation, it became clear she was one of the network’s leaders “on the ground” and was caught in the act of organising and re-stocking dealers known to be in the network. After interrogation of this witness, and the offer of a deal, she named the two heads of the network as Brown and Redman and has agreed to provide us with her email account. The contents of the email address provided useful information that related to the network; additional personal information was uncovered that may be useful in later proceedings (please see associated evidence).

From the information provided by Demoria and a number of the network’s dealers, it became clear that the relationship between Brown and Redman had recently become strained. The main interest of this is that Brown was taking a more active role in the organisation of the dealers whereas this had been primarily Redman’s position; this was noted by many of the dealers as strange. The reasons are still unclear and Demoria pleaded ignorance to any personal information on the two.

Mr. Redman used to be known on the drug scene as both a user and low level dealer with a number of warnings. Due to this, his connections in the narcotics community are well known, however suspected activity at this level is new and out of character.

Further analysis may provide evidence to prove their connection to the network they are suspected of heading. This evidence (if found) will be used to both charge and prosecute these individuals in a court of law and may also determine their level of involvement.

Criminal profiles

William Brown

Born: 5 April 1973

Age: 43

No previous criminal activity with the exception of speeding tickets. University educated, received a 1st honours in computer science. Despite this, there is no indication he ever specialised in a computer related working role, instead favouring teaching jobs. From the materials gathered during seizure, he is known to favour fine art and medieval writings as a form of recreation.

Address: 54 Brick Ln, London E1 6RL

Olivia Demoria

Born: May 10, 1990

Age: 26

Previously unknown to the police. Educated up to college level. Known to be one of the network’s organizers and handled the low level dealers. Her connection to the two suspects is not fully understood, however, from the interview recordings, it has been hinted that the relationship between the two suspects and Demoria may be more than professional.

Address: 78 Whitechapel High Street, London

James Redman

Born: 18 January 1988

Age: 28

Criminal record relating to drug possession and intent to sell, however has served no prison time. Education is unknown and presumed limited. Well known in the narcotics community with known affiliations with dealers and areas known for their drug related activities.

Address: 54 Brick Ln, London E1 6RL

Supporting information

1. William Brown and James Redman had social media accounts:

1.1. https://www.facebook.com/profile.php?id=100014111462825 – James Redman

1.2. https://www.facebook.com/profile.php?id=100014126972439 – William Brown

2. From the interrogations of low level dealers, it has been suggested that Demoria had a romantic involvement with Redman.

3. William Brown has extensive computer knowledge so you may need to tread carefully while investigating the USB drive.

4. Olivia Demoria email address: demoira12122@gmail.com Password: apricot123

5. Brown is known to have an interest in medieval art and writings.

Tools

When creating our evidence image, we used special tools in order to perform some of our data hiding. These tools are typically open source and free to use.

TrueCrypt

TrueCrypt is an encryption system that allows a user to encrypt either part or an entire drive with various encryption algorithms. TrueCrypt is not known to have been compromised and creates a formidable obstacle for any forensics investigator. In our evidence, we have used three portions of data encrypted with the TrueCrypt system with variations in the complexity of the passwords as well as varying difficulties in the methods required to recover those passwords. For all the passwords required, adequate clues and systems have been put in place for an investigator to find, as not doing so would rely on less reliable or time consuming access methods. This system was employed in order to create boundaries in the system and to create tasks that could not be circumvented without applying time to the other hidden information or puzzles created.

OpenStego

The term steganography refers to hiding data within another set of data. Throughout the ages, many different methods have been employed to this end; today, however, it is most commonly done digitally. Typically applied to image files, steganography programs alter bits (usually the least significant bit) of each byte within a file in order to contain the bit sequence of the data intended to be hidden. There are multiple methods of how the bits are dispersed throughout a file and shuffled around between them; this is normally dependent on the software used. In this case, we used a program called ‘OpenStego’, which also provides an encryption option when hiding a file to prevent easy discovery or removal of any hidden data.
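To make the least-significant-bit mechanism described above concrete, here is an added example (not OpenStego's code and not part of the case evidence): sequential LSB embedding into a constructed byte buffer standing in for pixel data, the matching extractor, and the pairs-of-values chi-square check an investigator can run on a suspected cover. The MAGIC marker, the header layout and the skewed sample histogram are assumptions of this example.

```python
"""Sequential LSB steganography as the OpenStego section describes it, plus the
pairs-of-values check used to spot it. Added example: the cover is a constructed
byte buffer standing in for pixel data; MAGIC and the header layout are assumed."""
import random
from typing import Optional

MAGIC = b"STEG"  # constructed marker so extract() can tell a hit from noise


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Replace the LSB of consecutive cover bytes with MAGIC + length + payload."""
    message = MAGIC + len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small: %d bytes needed" % (len(message) * 8))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit  # each carrier byte changes by at most 1
    return bytes(out)


def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Rebuild count bytes from the LSBs of stego, starting at byte offset start."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> Optional[bytes]:
    """Return the hidden payload, or None when no marker is present."""
    if len(stego) < 64 or _read_bytes(stego, 0, 4) != MAGIC:
        return None
    length = int.from_bytes(_read_bytes(stego, 32, 4), "big")
    if 64 + length * 8 > len(stego):
        return None  # header claims more data than the carrier holds
    return _read_bytes(stego, 64, length)


def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values statistic (Westfeld and Pfitzmann). LSB embedding only
    moves a byte between 2k and 2k+1, so a fully embedded carrier ends up with
    near-equal counts in every pair and the statistic collapses towards zero."""
    hist = [0] * 256
    for byte in data:
        hist[byte] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return chi


def make_cover(n: int, rng: random.Random) -> bytes:
    """Constructed stand-in for image data with an uneven histogram (about 90%
    even values); real photos likewise rarely have balanced 2k/2k+1 pairs."""
    values = (rng.randrange(256) for _ in range(n))
    return bytes(v if v % 2 == 0 or rng.random() < 0.2 else v - 1 for v in values)


RNG = random.Random(7)
COVER = make_cover(8192, RNG)
PAYLOAD = bytes(RNG.randrange(256) for _ in range(1016))  # 1024-byte message fills the cover
STEGO = embed(COVER, PAYLOAD)

if __name__ == "__main__":
    print("payload recovered:", extract(STEGO) == PAYLOAD)
    print("chi-square clean %.0f vs stego %.0f" % (pov_chi_square(COVER), pov_chi_square(STEGO)))
```

The chi-square check only works this cleanly when the payload fills the carrier sequentially; a tool that scatters bits (as the text notes some do) or a small payload leaves most pairs untouched and needs a windowed version of the same test.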

Glue

This is a file merging program that combines an Excel and a Word document into the same file. Once merged, either contained file can be opened by changing the extension of the file to that of the document the user wishes to access. On a standard desktop, it would be impossible to tell that the .doc/.xls file contained a secondary file.

HexEditor

There are many varieties of hex editors around and all can be used free of charge. These tools allow a user to manipulate the byte data contained within a file, volume or drive. By manipulating the byte values, the user can corrupt files, change the file/documents content or hide data within a file or slack space. For our evidence, we used a combination of “Hex Workshop” and HxD.

Creating the evidence

Easy evidence

We classed easy evidence as anything that would be relevant to the case but would most likely be circumstantial during a legal case. Easy evidence was given low priority and therefore we only utilised basic hiding techniques to conceal their existence. Very few, if any, clues were created for these pieces due to their ease of acquisition. The easy evidence consists of:

- A glossary of drug names (Word)

- A rota of meeting locations (Notepad)

- Facebook profile wall posts

- Images of Amazon orders (GIMP)

- Images of drugs (Downloaded)

All information and images relating to drugs were originally found on the internet through various sources. Although these pieces do give a suggestion towards a drug related nature or some form of organisation, they do not identify or prove any illicit activity. Due to these pieces being easily argued as internet curiosity, they were classed as easy pieces of evidence.

These pieces of evidence did not use any special techniques to hide them and in all cases can be found within the file system of this OS. Some of the evidence is stored within an encrypted volume, however this is easy to access and constitutes the first major obstacle for the investigator to overcome.

Images of Amazon orders

The images of the Amazon orders, though perhaps innocent in nature, do suggest that James and William were partaking in the growth of narcotics (weed). There is obviously no conclusive knowledge of this as they could just be simple orders. In a Facebook post, James tells William what he needs to buy but again this is still not a strong piece of evidence. If they find the marijuana guide that James talks about this could help support these pieces of evidence as it suggests what should be bought. The creation of this evidence was done by using an old Amazon order and editing it using GIMP to make it look like William had bought these items.

Medium evidence

This classification was used for data that would have some weight in a legal proceeding or was important to the story of the crime and later more damning evidence. As these pieces have some value to an investigator, we used more standard hiding techniques in order to make their recovery more complicated. Clues were made for some of these pieces of evidence whereas others require analysis through specialised tools in order to be discovered. These pieces should be attainable with moderate effort and application. The medium evidence consists of:

- Delivery information from supplier M, no use of drug terminology though (Notepad)

- Drop points, identifying locations where different narcotics sell best in reference to their profits (Notepad)

- HTML code for a drug dealing website idea (Notepad)

- Marijuana growing guide (Word)

- Image of captured email between Demoria and William (Gmail & Paint)

- Document referencing container numbers (Notepad)

As these pieces of evidence show an interest in producing narcotics as well as evidence of its handling and references to its distribution, this evidence could pose a legal threat in collaboration with other testimony.

Delivery information

This piece of evidence was made with Notepad and was concealed using the steganography program OpenStego. This hidden file is also password protected and requires the investigator to first conclude the data is hidden in the cover file and also provide the required password at the point of extraction.

Drop Points

This piece of evidence was made with Notepad and was concealed by hiding it as an alternate data stream of another file. This is possible within an NTFS file system by using a terminal and a command such as “notepad.exe thisismycover.txt:thisismysecret.txt”.

Drug dealing website

This piece of evidence was made using the program “Sublime” and generates the HTML code for a website. We stored this evidence within a WinRar container which we then encrypted and placed on the administrator user desktop.

Marijuana growing guide

This piece of evidence was made using Word and is an adaptation of an online document on the same topic. We concealed this evidence by using the “Glue” program and storing the .doc file within an .xls document. By changing the file extension, you can determine which of the “glued” files is opened upon selection.

Container numbers

This evidence was created using Notepad and an online Unicode translator, which can be found here: https://www.branah.com/unicode-converter. This is a translation of Unitext to Unicode rather than ASCII to Unicode.

Screenshot of email between William and Demoria

This evidence was created using Gmail and Paint to create a PNG image. The image has been concealed by breaking it into different sections using a HexEditor and then saving the sections under different names with different extensions.

Balance sheet

This evidence was created using Excel. The evidence was concealed by splicing the binary/hex data of the file into another file using a HexEditor. By knowing the correct offset, the file can be removed with a HexEditor and recreated. The cover file functions normally despite the splicing.

Full details, including the evidence location within the specified container, can be found in Appendix section 2.
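As an added example (not the case's files or any tool named above) of how an investigator uncovers the two hex-editor concealments described in this section, a document spliced into a cover at an offset and extra bytes carried after an image's end marker: a PNG chunk walker that validates the structure and reports trailing data, plus a signature scan for embedded file headers. The PNG, the stand-in OLE2 payload and the text cover are constructed inline; the signature table is a small assumed subset.

```python
"""Recovering files hidden with a hex editor: data appended after a PNG's IEND
chunk, and a document spliced into a cover file at an offset. Added example;
every sample file below is constructed inline and the signature table is a
small assumed subset of what a real carver would know."""
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
OLE2_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header

SIGNATURES = {
    PNG_SIG: "png",
    OLE2_SIG: "ole2 (doc/xls)",
    b"PK\x03\x04": "zip (docx/xlsx)",
    b"Rar!\x1a\x07": "rar",
    b"\xff\xd8\xff": "jpeg",
}


def png_chunk(kind: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data, as the PNG format lays it out."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed minimal 8-bit greyscale PNG (structurally valid)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter-0 rows
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past IEND's CRC, or None if
    the data is not a well-formed PNG (wrong signature, truncated, bad CRC)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return None  # chunk runs past the end of the file
        if struct.unpack(">I", crc)[0] != (zlib.crc32(kind + body) & 0xFFFFFFFF):
            return None  # corrupted or edited chunk
        pos += 12 + length
        if kind == b"IEND":
            return pos
    return None


def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND: an image viewer ignores them, an investigator must not."""
    end = png_end_offset(data)
    return b"" if end is None else data[end:]


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Every known signature found at offset > 0, i.e. a file inside a file."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = data.find(magic, 1)
        while start != -1:
            hits.append((start, name))
            start = data.find(magic, start + 1)
    return sorted(hits)


# Constructed samples mirroring the two concealment methods described above.
INVENTORY = OLE2_SIG + b"<stand-in for the spreadsheet bytes>"
APPENDED = make_png() + INVENTORY  # carried after the image's IEND chunk

COVER_TEXT = b"Lorem ipsum dolor sit amet. " * 20
SPLICE_AT = 100
SPLICED = COVER_TEXT[:SPLICE_AT] + INVENTORY + COVER_TEXT[SPLICE_AT:]  # spliced at an offset

if __name__ == "__main__":
    print("bytes after IEND:", len(trailing_data(APPENDED)))
    print("embedded signatures in spliced cover:", find_embedded(SPLICED))
```

A CRC failure from png_end_offset is itself a finding: the hex editor changed a chunk, so the image should be examined chunk by chunk rather than discarded.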

Hard evidence

Evidence in this category would allow a strong legal case against the suspects and could prove their illegal activities. This evidence received a higher degree of concealment and the techniques used to discover them are complex. Clues were made for some of these evidence files whereas others would be discoverable through investigative applications with some technical knowledge. The hard evidence consists of:

17
- A message from M including incriminating information and identifying him as the supplier (Notepad)

- Image of drug handling and separation into different “strains” (Downloaded & Excel)

- Inventory sheet of drugs (Excel)

- Brown’s email account (Gmail)

- Red’s deleted emails catalogued in various files (Notepad)

Due to the value of these pieces of evidence, the methods required to discover them are either complicated

or multi-layered. In all scenarios, these pieces are expected to be discovered last or take the most time.

For the creation of the hard evidence:

We took an image of drug handling and separation of narcotics and hid this within an Excel spreadsheet and merged the media streams using Glue. The Excel spreadsheet contained two different sheets, one with useless information, which is just lots of characters that perhaps make it look important. The other sheet contains nothing but has a hidden image within a row, made completely white so you cannot see it unless you select the image and change the colour settings.

To hide this information even further, we used a tool called Glue. Glue merges the streams of the two document types, Excel and Word, which you can select by changing the extension of one of them. Using Glue adds even more difficulty to this piece of evidence, as the investigator will need to find out whether it is a merged document or not. The Word document is called startofpoem.doc and contains a short poem, so it looks very similar to the other poems that surround it.

For the inventory sheet of drugs, which is located on the Ubuntu machine, we hid it within an image file. We opened the file in a hex editor tool, took the data and appended it onto the end of an image, then saved the image. This meant the data for the inventory sheet was hidden within the image file, the image file could still be used, and the Excel sheet could be extracted and used as normal.

Brown’s email account

We took all the emails sent to William Brown’s account and put them in text files. We then took these text files and hid them in the slack space of other files, which were poetry files in the .docx format, a normal Word document format. We were able to achieve this with the tool bmap, which operates on Linux operating systems and hides information within the slack space of sectors or in the slack space of the operating system.

You cannot view this information by opening the document in a tool such as a hex editor; the only way to read what is written is finding it yourself or using the tool bmap.

Image creation method

The image is split into three sections: the containing USB, a Windows virtual machine and a Linux virtual machine. Before creating any of these, we first created “filler” directories. “Filler” directories are what we used in order to bulk out the brand new file systems and consist of images, music and documents in keeping with the character of the described users. The “filler” is used primarily as fodder in which we can more appropriately install the necessary evidence and clue files in order for the investigation to progress.

USB

This section is made primarily of filler and is used simply to indicate aspects of the two individuals and to contain the encrypted volume that houses the two VMs, which is on the root level of the drive. The filler is split into two distinct sections, each with one of the suspects’ names on them, and two game files. Within each suspect’s section are a number of materials such as images, documents and music that relate to the biography.

Within Brown’s section is a folder named “security” that contains the TC binary to directly indicate what tool was used to create the encrypted file. Within the file “\Brown\Pieces of interest\Rewind”, the footer contains white coloured text, which is a clue to the password required for the primary section of the encrypted container. The clue reads “I cross the alps with acid and devour the rude”, which a Google search will resolve to the name Hannibal; the password is “hannibal”.

Windows

The virtual machines (VMs) were created using VirtualBox and were made for Windows XP and Ubuntu 16.04. First we made the Windows VM with a default installation. Once this was installed, we booted the VM and accessed the default user (Error1015) using the password “5101rorrE”. We first started by configuring some of the main data holders and easy hiding places. First, we created an “invisible folder”. This is a trick that can be performed in the Windows operating system and generates a folder that cannot be deleted and has no name. When creating a folder, instead of entering a name, you use the alt code 0160, which creates a “blank” that the system accepts as a name. By then editing the folder’s properties, you can change its icon to a blank image and in doing so create a folder that, without selecting it, generates no GUI indication of its existence. This is a common trick used by many but does not help hide the folder when displayed in a dir listing.

Second, we created the second drive that the operating system (OS) would use through the VirtualBox software and attached it. Once the drive was showing up within the OS disk management, we formatted the drive and attached it as a default drive. We then encrypted the entire drive using the TC system. When encrypting the drive we made both a primary and a hidden partition, which would each require different passwords to access them. We used a standard AES and RIPEMD-160 encryption method. Once the drive was fully encrypted we mounted it with the appropriate password for the primary partition. The passwords chosen were:

- 0110100001100101011011000110110001101111 (Primary)
- 16435934 (Hidden)

The first password corresponds to the word “hello” in binary and the hidden password is the word “facade”, read as the hexadecimal number 0xFACADE and written in decimal. We made a note of the chosen passwords in order to create clues or hide them directly later.

In Windows, it is possible to create users that are not accessible by default and as such are classed as “special users”. This classification can be bestowed upon any user account by adding its user account name as a DWORD value (set to 0) under the following registry key: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList”. This means that the user’s account will not be displayed on the login screen and will be “hidden”. We created a user called HDIC following this method. Once this was done, the template of the system was ready to be populated.

We integrated our “filler” directories into sections of the OS on both the primary and secondary drive in order to give a general look of normality. Amongst the files transferred were a number of .jpg images, which were stored in the default Pictures directory under a subfolder called “wallpapers”. We created a .txt file containing a clue as to how to access the secondary drive and, using OpenStego, stegged the .txt file into the .jpg image “powerofthedarkside.jpg” with a password of “shade”. The reason for including the password is to prevent arbitrary steg searches from extracting the hidden data. Once the data was hidden, the file was altered to a .png file. As a form of camouflage, we then altered all the other images in the folder to .png using the Paint program.

The “filler” we had created had two subtly distinct user areas, one for each suspect, and as such they contained different materials. Within one section we added a .txt file (TypicalOfYou) that contained a string that had been manually encrypted and a message indicating another file in the other section called “shining dusk”. The paths of the two files are:

- C:\Documents and Settings\Error1015\My Documents\Some of my writings\shining dusk
- C:\Documents and Settings\Error1015\My Documents\Money yo\TypicalOfYou

The clue inside “TypicalOfYou” reads:

- I know you will forget, look to the end of the day and you will find its meaning. Don’t forget to use the password when grabbing it.

Breaking down this sentence, the “end of the day” refers to the word “dusk”, which has only one occurrence in the file system. At this point, there are also few accessible user files, narrowing down the choices of where an investigator should look. The second sentence refers to the hidden password in the referenced document, which should be used when extracting the data from the image. The “shining dusk” file is a Word document that has encryption parameters appended to some of the paragraphs, with their text changed to white. The details are rotation (21), block size (3), transposition (1) and the required password (shade). The investigator will have to conduct the decryption manually in order to get the message “if you are lacking the drive don’t forget to embrace the dark side”; there is only one file with the term “dark side” in its title.

As the default user is a standard user, we included a Vigenère cipher on the desktop that contains a clue to the administrator password. The cipher’s keyword is the title of the file, decoded (it is base64 encoded) and inverted, and reads “what did Dante read above the gates of hell”. We have provided both the English and Italian versions of Dante’s Inferno; however, the phrase is fairly well known and should be discoverable online. The password, however, is only half the answer and must be in Italian, such as “lasciateognisperanza”. For the investigator, being able to access the administrative section is important later for the more difficult pieces of evidence and their associated challenges. Although this is one avenue of access, Windows XP is known to have flaws that allow privilege escalation.

One such method is to exploit the utilman.exe program, which is a very easy and well known bypass of the Windows password system. In order to counter this, we removed the run permissions from all users for the utilman.exe program by using the following command in a command prompt:

cacls %windir%\system32\utilman.exe /C /D Everyone

Although this can be easily bypassed by an investigator, it may prevent some users from gaining access.

On the desktop we also placed a file “KEEP IT CLEAN!!” that contains instructions on how to keep the system “clean”, which is meant to indicate that measures have been taken to remove any signs of wrongdoing. Additionally, the file refers to a sub-system that becomes relevant in later sections. The binary string is meaningless and is a red herring.

There is also an encrypted WinRar file on the desktop. This file has only a three-letter password, which can be easily broken using a dictionary or brute-force .rar cracker program. This was placed specifically to require the investigator to employ some external attacking method on the encrypted file and also to consume time resources. As this is the first container they will encounter, it should be the first to be attacked. However, due to the ease with which the contents can be compromised, the contents are limited to an image broken into three sections, which is only a red herring. This is the only encrypted file that does not have a clue to the decryption key.

Within the “invisible folder” we placed a number of image files and four .txt files. One of these files is the rota of meeting locations that was classed as easy evidence. The other files contain a reference to the OpenStego program used for steganography (which will be uninstalled from the system during analysis) and what is commonly known as a ladder cipher. The ladder cipher works by requiring a string to be returned at a specific interval, which in turn spells out a message in vertical text. The name of the file is “TM81”, which breaks down to a reference to an image file in the same directory (TrippingMan.png) and the interval at which the contained string needs to be returned (81). The deciphered message reads “When is the time to blaze”, which is a drug community reference to indicate a common time and reference of 420.

For the folder “C:\Documents and Settings\Error1015\My Documents\Money yo\Super secret dealer info.bat” we changed the display icon to that of a .bat file. As most are wary of executing a .bat, this was seen as a very basic form of deterrent from opening the file. Within the directory “C:\Documents and Settings\Error1015\My Documents\Some of my writings” are a number of files of interest. This folder contains the file referenced to gain access to the secondary encrypted drive, the drug glossary (easy evidence) and the medium evidence of drop points hidden within an alternate data stream of one of the folder’s contents (somethingOrOther.txt).

Within the encrypted secondary drive’s primary partition is another selection of “filler” used to hide the evidence files within. Within the first directory of the drive is a Python script that prints a number of messages to the terminal. This is an indication of the user’s knowledge of Python programming, which is relevant later. Although it has no relevance as evidence, it gives a clue to an underlying method that may be used to hinder the investigation. As an additional method of prevention, OpenOffice is installed within the encrypted drive and as such will not work while the secondary drive is not mounted. This is a minor hindrance as we assume that the investigators will extract the files as required or read them via specialist software such as EnCase.

The directory “Z:\Nice cars\Nice cars” contains three separate images of narcotics with relevant titles that are categorised as easy evidence. These images of narcotics are not hidden in any way; however, due to their circumstantial nature we felt that they were appropriate as easy evidence. Within the directory “Z:\Nice cars\Poetry\Random”, we created a .bat file called “Brutus.bat” that asks a question repeatedly until the correct answer is provided. The script asks “Et tu, Brutus? What does it mean?” If they enter an incorrect answer it loops and asks again; however, if they answer correctly, it terminates. This is a pointless .bat script and has been included as a time consumer.

This is also the first place where a “hard” piece of evidence has been hidden, within the file “Z:\Nice cars\Poetry\startofpoem”, which was concealed using the HexEditor tool. This piece of evidence is the “proof to M”, which is an Excel spreadsheet with an image contained within showing drug handling. Full details on creation can be found in the evidence creation section.

As a point of the story, we downloaded and integrated the “john the ripper” program into the secondary drive. This directory can be found at “Z:\Random\john” and has its display icon changed to that of a WordPad related document. Within the program files, we carried out a live system SAM dump and stored the results along with the binaries. We also created a custom “john.pot” file and entered the password for the hidden HDIC user account. This is the only mention or clue to the password required for the HDIC account. There is also a .txt file within the binaries folder called “todo.txt” that contains an indication of intent to gain access to the administrator account and a note that the password contained in the .pot file is for an unknown user.

Additionally, within the directory “Z:\Random\” are a number of image files, and within one of these we concealed the password to Redman’s email. This password was hidden at the bottom of the image in a dark colour to blend into the background and make it hard to find; it can be found at the bottom of the image “14358628_994773887301198_1460146057479386243_m.jpg”. A reference to the contents of this image was created using Paint and can be found at “Z:\SuspsiciousThinking\Sweet Guitars!\If I forget.jpg”. The clue was hidden by using a variety of dark font and dark background colours to make it difficult to read.

Within the directory “Z:\SuspsiciousThinking\” are a number of folders as well as a hidden .exe file. The executable is actually a bat-to-exe converted file and is a shutdown virus/bomb. It works by issuing a shutdown command and then creating a number of .bat files with additional shutdown commands and storing them in the startup folder of the Windows system, so that when the system starts, it will immediately attempt to shut down. Although this is easily identified and, if triggered, repaired, we used this as a basic anti-forensics measure.

The folder “Z:\SuspsiciousThinking\Balancing books” contains a number of .xls documents. The file “Phone numbers.xls”, however, is a “glued” file and contains both the .xls and a concealed .doc file containing the medium evidence file “marijuana growing guide”. The folder “Z:\SuspsiciousThinking\My orders” contains the easy evidence files “Amazon order images” related to drug growing equipment. The last piece of evidence within the secondary drive is hidden within “Z:\SuspsiciousThinking\Sweet Guitars!\ NEW2848Epiphone 1940 Emperor_03-0a42dffaf8.jpg” and contains the medium evidence “Balance sheet” hidden in the cover file by use of the hex editor tools.

We then hid the “Screenshot of William – Demoria email” within the system directory “C:\WINDOWS\AppPatch\Lui pens ache io non lo so\”, with the directory name meaning “he thought I do not know” in Italian. Once these files were installed, we moved on to the other user areas being utilised. We accessed the HDIC user desktop first and added a file to the desktop called “Message from M”, one of the hard pieces of evidence. In addition to the evidence file, a number of .txt files containing numbers have been added to the desktop. This evidence has been encrypted using AES256, and the clue to the required key is stated as “If you forget use the files on the desktop in the correct order, if you screw up the order you will be unforgiven”, followed by a number of mathematical symbols. The message refers to a .txt document within the default user account with the name “unforgiven.txt”, which is used as a sort of book code. At the bottom of the evidence file, placed very far down so that a brief overview may miss it, is a message that states “Remember to only use every second word, A2”. Breaking down this statement, it tells the investigator that only every second word in some format should be used to find the key; the A2 refers to the AES256 encryption. The correct method of obtaining the key is to use every second word from the end of each line of the “unforgiven.txt” file and perform the necessary mathematical procedure with the numbers within the corresponding files on the desktop. As a red herring, we have also placed a .vbs script on the desktop called “KeyGrab”, which instead just returns the ID of the running machine.

We then moved to the administrator account. For this account, we used a “needle in a haystack” approach, utilising vast amounts of files in order to conceal the necessary data. To do this, we created three .bat scripts: one created thousands of folders, one populated the folders with a number of .txt files containing random numbers, and one appends a new random number to all the files within all the folders. The last script was made in order to update the “last modified” and “last accessed” data of all the files in one go, so that files of importance could not be discovered by that method. On the desktop we placed a WinRar file called “WhatsToCome.rar” that contains the medium evidence of the drug dealing website HTML template. The clue to the password is contained within the desktop file “4200\blablahblahContainer” and contains the password in “leet” text (3|\||_|9|-|']['3|\| |\/|3), which translates to “enlighten me”. The medium evidence file of container details in Unicode was also added to the administrator user account desktop within folder number 2031 with the file name “00740068006500730065006100720065007400680065006200690067006f006e00650073”.

That covers all the evidence files on the Windows system. The user will be required to access the hidden section of the USB-hosted encrypted container in order to examine the Linux VM and collect all the final evidence. In order to access the hidden VM, the investigator will need to generate the password using the custom-built program Alpha2591, which is stored on the system user desktop. Windows XP has a flaw that permits an administrative user to gain access to the system level user account, which should be isolated. Within this system level account we have hidden our custom password generator. To access the system account, the command “at 12:00 /interactive cmd.exe” needs to be entered, and at the time indicated a terminal will appear. This terminal runs at system level; therefore, by terminating the running explorer.exe process and restarting it through the system level terminal, you start explorer.exe as the system user.

On the system level desktop there are two files, the Alpha2591.exe program and an encrypted container made using TC (256845235785). The program is a jar file converted to exe by use of the program “Jar2Exe Wizard 2.1”, which during conversion also encrypts the Java class files in an attempt to prevent reverse engineering. Internally, the program works by prompting the user for five passwords; these are then hashed via SHA-256 and checked against hard coded hashes. If all five passwords are correct they are then amalgamated and hashed to produce the encrypted file key, and the program automatically mounts the file. This method was used in order to prevent the key being easily obtainable should the program be reverse engineered. The source code for the program can be found under section 4 of the Appendix.

The program has an anti-forensics aspect as well. Each attempt increases a counter; should the counter exceed 10, the program silently runs an external Python script to scramble the PBKDF2 header key of the TC file. Essentially, after 10 tries, a discrete deletion trigger is activated and the encrypted file becomes inaccessible even when using the correct password. In order for this to work, the program first checks for two external files at hardcoded locations: the counter file stored as “C:\WINDOWS\system\system.dat” and “C:\WINDOWS\notify.py”. If either of these files is not present, the program automatically terminates. The contents of the notify.py script can be found under section 5 of the Appendix.

The five passwords required are substituted with clues that are spread throughout the system. The investigator is required to find all five puzzles and come up with the correct answers to their problems in order to access the encrypted container. Within the container are two .txt files, one of which has a secondary stream containing the password to the hidden VM.

The five password clues are hidden at the following locations:

- Clue 1 = Hidden within the hex of drive C at offset 13F28EE0 = “Everyone walks on me daily. To some I am a precious possession that can never be touched yet to others I am an enigma”
- Clue 2 = Within the USB filler “Brown\Tinkering\layersuponlayers.bat”, at the bottom of the script file = In a chocolate factory there are 1000 machines that make bars. One develops a fault and makes them 2g heavier than the rest. You are given a spring loaded scale. What’s the minimum number of weighs needed to find the faulty machine?
- Clue 3 = Within the secondary drive hidden section is an image called “thats a fine steak.png” which contains a stegged image; this is the only file in the hidden section. However, at the bottom of the cover file, we used the HexEditor tool to store the third clue. In order to access the hidden section of the drive, the investigator will need to examine the hex of the damaged file “Untitled”, which contains the message “the2nddrivehasafacade”. The password to the hidden section is “facade” in hex, which equals 16435934. = What is the river that flows through the seventh circle of hell?
- Clue 4 = This clue is hidden on the administrator user desktop within the folder 16921, within the file “zippyContainer.txt” = Which county’s earl is thought by some to be responsible for Shakespeare’s work?
- Clue 5 = This clue is hidden within the registry at “HKEY_CLASSES_ROOT\txtfile\shell\lepzuz\Puzzle5”. When the investigator right clicks a .txt file in the system, the word “lepzuz”, which is an anagram of puzzle, will be displayed as a hint to its location. = Identify the next four entries in the sequence: 998, 1000, 1003, 1009, 1029, 1030

As an additional measure, we made some registry edits in order to hinder progress and provide misleading commands. Here is a list of the alterations that we made:

- To clear the page file at shutdown, set the relevant value under the following registry subkey to 1 = “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”
- Edited the restore point creation interval to one second, so that restore points are discarded almost as soon as they are created = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPGlobalInterval
- Added right click commands to folders in the system by making additions to the key “HKEY_CLASSES_ROOT\Folder\shell”. Created the commands “DataUnlock” and “Trick or Treat”. “DataUnlock” calls a .vbs script to run a .bat script without a visible terminal that loops the opening of a webpage (C:\WINDOWS\HDICS.vbs HDIC.bat). “Trick or Treat” terminates the running explorer.exe process and schedules a cmd.exe (this will only work if accessed as admin).
- Added right click commands for .txt files by making additions to the key “HKEY_CLASSES_ROOT\txtfile\shell\”. Created the commands “decipher” and “lepzuz”. “decipher” calls a bat script (C:\WINDOWS\system\DeCipher.bat) that prints random numbers to a terminal in a loop. “lepzuz” does nothing but contains the puzzle clue; if selected as a right click option, an error message is produced.
- Altered the key “HKEY_CLASSES_ROOT\OpenOffice.Xls\shell\open\command” to instead be directed to a .vbs script, called by the cscript command, that indicates the file is corrupted. In this way, any attempt to access an .xls document will result in a pop up message stating the file is corrupted.
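As an added example (not the article's code), the following Python audit reads a .reg export of the kind an examiner can take from an offline hive and flags the four classes of edit listed above: page-file wiping, a shortened restore-point interval, custom shell verbs, and verbs whose command runs a script or script host. The sample export is constructed here; ClearPageFileAtShutdown is the standard value name under the Memory Management key (the article names only the key), and the 3600-second threshold for RPGlobalInterval is the script's own assumption.

```python
import re

# Constructed sample in .reg export syntax, mirroring the edits listed above.
# It is not an export from the case image; the script paths are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"RPGlobalInterval"=dword:00000001

[HKEY_CLASSES_ROOT\Folder\shell\DataUnlock\command]
@="wscript.exe C:\\WINDOWS\\HDICS.vbs HDIC.bat"

[HKEY_CLASSES_ROOT\Folder\shell\Trick or Treat\command]
@="cmd.exe /c C:\\WINDOWS\\trick.bat"

[HKEY_CLASSES_ROOT\txtfile\shell\decipher\command]
@="C:\\WINDOWS\\system\\DeCipher.bat"

[HKEY_CLASSES_ROOT\txtfile\shell\lepzuz]
"Puzzle5"="Identify the next four entries in the sequence: 998, 1000, 1003, 1009, 1029, 1030"

[HKEY_CLASSES_ROOT\OpenOffice.Xls\shell\open\command]
@="cscript.exe C:\\WINDOWS\\corrupted.vbs \"%1\""
"""

# Verbs Windows itself registers on file/folder classes; anything else is worth a look.
KNOWN_VERBS = {"open", "edit", "print", "printto", "explore", "find", "openas", "runas"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SCRIPT_RE = re.compile(r'(\.(bat|cmd|vbs|js|ps1|py)\b|\b(cscript|wscript|cmd|powershell)\.exe)', re.I)


def decode_value(raw):
    """Decode the two .reg encodings this audit needs: dword:hex and a quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \\ and \"
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the '@' default value becomes '(Default)'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
            keys[current][name] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return (category, key_path) pairs for the settings the case image abused."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        low = [p.lower() for p in parts]
        if low[-2:] == ["session manager", "memory management"] and values.get("ClearPageFileAtShutdown") == 1:
            findings.append(("pagefile-wipe", path))          # pagefile.sys zeroed at shutdown
        if low[-1] == "systemrestore":
            interval = values.get("RPGlobalInterval")
            if isinstance(interval, int) and interval < 3600:  # XP default is 86400 seconds
                findings.append(("restore-interval", path))
        if "shell" in low[:-1]:                                # a verb follows the shell key
            verb = parts[low.index("shell") + 1]
            if verb.lower() not in KNOWN_VERBS:
                findings.append(("custom-verb", path))          # DataUnlock, Trick or Treat, lepzuz ...
            if low[-1] == "command" and SCRIPT_RE.search(str(values.get("(Default)", ""))):
                findings.append(("script-handler", path))       # verb launches a script, not the app
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


def category_counts(findings):
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, path in audit_reg_text(SAMPLE_REG):
        print(f"{category:16} {path}")
```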

Ubuntu

The Ubuntu machine was created using VirtualBox, similar to the Windows machine that we also created. It is automatically turned off, so it will not boot in a logged in state. The Ubuntu machine acts as William’s more secure machine, where he keeps/reads his emails and hides the inventory sheet of their network. To access this machine’s user account, the investigator will have to guess the password, which is “password”; the reasoning behind this is that we believe that, if you have gone to all this trouble, that would be one of the last things you would try.

Inside the machine, you are presented with the folders Gaming and Funny, which contain images taken from the internet. The majority of these images are harmless and have absolutely nothing hidden within them, except for the image mt637azgdezx.jpg inside the Gaming folder.

The file mt637azgdezx.jpg contains the inventory Excel spreadsheet that logs information such as how many narcotics they have and the price for all of them. This is obviously a very important piece of information as it tells the investigator that William Brown was indeed in control of a large amount of narcotics that they were selling.

As a hard piece of evidence, it was hidden in a way that someone may not necessarily expect. I opened an image file in a hex editor and the document I wished to hide also in the hex editor, then took the data from the document and put it on the end of the image file’s data, which I then saved. The image still works and only 1KB was added to the file, but the spreadsheet can be recovered by taking the appended Excel data and saving it as an Excel spreadsheet. This is the same technique that was performed to hide the balance sheet within the Windows machine.
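The hex-editor technique used for the balance sheet and for this inventory sheet leaves the appended bytes after the image's own end marker, which is what an examiner checks for. As an added example (not the article's code), this Python script walks a JPEG or PNG structure to find that boundary, carves whatever follows and labels it by magic number; the cover images and the OLE2-style payload are constructed inline.

```python
import struct
import zlib

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic numbers used to label a carved trailer.
KNOWN_MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (.xls/.doc)",
    b"PK\x03\x04": "ZIP container (.xlsx/.docx)",
    b"Rar!\x1a\x07": "RAR archive",
}


def jpeg_end(data):
    """Walk JPEG segments and return the offset just past the EOI marker."""
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # padding byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: the image proper ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: skip the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("no EOI marker found")


def png_end(data):
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                              # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def carve_trailer(data):
    """Return (image_bytes, trailer_bytes, label) for a JPEG or PNG cover file."""
    if data.startswith(JPEG_SOI):
        end = jpeg_end(data)
    elif data.startswith(PNG_SIG):
        end = png_end(data)
    else:
        raise ValueError("not a JPEG or PNG")
    trailer = data[end:]
    label = "none" if not trailer else next(
        (name for magic, name in KNOWN_MAGIC.items() if trailer.startswith(magic)), "unknown")
    return data[:end], trailer, label


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, APP0, SOS with stuffed FF00 and an RST marker, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def build_sample_png():
    """Constructed minimal PNG: signature, 1x1 IHDR, IEND."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


# Constructed stand-in for the appended spreadsheet: OLE2 header bytes followed by
# filler that deliberately contains FF D9, so a naive search for the last FF D9
# would misplace the image boundary; the structural walk above does not.
SAMPLE_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"inventory\xff\xd9sheet" * 4


if __name__ == "__main__":
    for cover in (build_sample_jpeg(), build_sample_png()):
        image, trailer, label = carve_trailer(cover + SAMPLE_XLS)
        print(f"image ends at offset {len(image):#x}; trailer {len(trailer)} bytes: {label}")
```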

Other pieces of evidence hidden on the Ubuntu machine were emails that William Brown received. These were hidden using a slack space tool called bmap, which I installed on the machine and then removed from it. The investigators can only find out about it if they look at the history of the machine.

bmap is a tool used to hide information in slack space on the Linux operating system. The files we used for this procedure were poetry files hidden within /home/william/Desktop/Gaming/Poetry. We hid all the emails inside the Word documents:

- coke n skunk.txt hidden in A Dream within A Dream.docx
- Drugz.txt hidden in All the world's a stage.docx
- James.txt hidden in I wandered lonely as a cloud.docx
- James Update.txt hidden in The Raven.docx
- Marijuana.txt hidden in To my wife - with A copy of my poems.docx
- More Produce.txt hidden in A Birthday Poem.docx
- Payment.txt hidden in A Girl.docx
- Watch James.txt hidden in A pretty a day.docx
- weed.txt hidden in A word to husbands.docx

The only way to access these is if they find the slack space on the disk or use the bmap tool to extract the information.
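For the bmap-hidden emails described here and in the Brown’s email account section above, the slack is the gap between a file's logical size and the end of its last allocated cluster, which a normal read of the file never reaches. As an added example (not the article's code, and not bmap itself), this Python script carves that region from raw cluster bytes and lists any readable text in it; the cluster contents, the 4096-byte cluster size and the planted email are constructed.

```python
CLUSTER_SIZE = 4096   # assumed cluster size for the constructed sample


def slack_region(file_size, cluster_size=CLUSTER_SIZE):
    """Return (start, end) offsets of the slack within the file's allocated clusters."""
    allocated = -(-file_size // cluster_size) * cluster_size   # round up to whole clusters
    return file_size, allocated


def carve_slack(raw_clusters, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack bytes, given the raw contents of every cluster the file owns.

    On a real image raw_clusters would be read at the offsets the file system
    metadata (e.g. the MFT record or inode) gives for the file.
    """
    start, end = slack_region(file_size, cluster_size)
    if len(raw_clusters) < end:
        raise ValueError("raw cluster data is shorter than the file's allocation")
    return raw_clusters[start:end]


def printable_runs(blob, min_len=8):
    """Like `strings`: return runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127 or b in (9, 10, 13):
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def slack_looks_used(slack):
    """Slack is normally zero-filled by the file system or holds residue of an older
    file; any non-zero content, and readable text in particular, deserves a look."""
    return any(slack)


def build_sample_clusters():
    """Constructed: a ~4.9 KB '.docx' (ZIP bytes) spanning two clusters, with a short
    email planted in the slack after its logical end, as bmap would do."""
    doc = b"PK\x03\x04" + bytes(range(256)) * 19 + b"PK\x05\x06" + b"\x00" * 18
    hidden = (b"From: james@example.invalid\r\nSubject: More Produce\r\n"
              b"Thursday, usual place, bring the rest of the order.\r\n")
    raw = doc + hidden
    raw += b"\x00" * (2 * CLUSTER_SIZE - len(raw))   # zero-fill for the rest of the cluster
    return raw, len(doc)


if __name__ == "__main__":
    raw, size = build_sample_clusters()
    slack = carve_slack(raw, size)
    print(f"logical size {size}, slack region {slack_region(size)}, used: {slack_looks_used(slack)}")
    for run in printable_runs(slack):
        print(repr(run))
```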

Evaluation & Conclusion

This piece of work required me to employ a number of forensics methods as well as take on the mentality of an individual trying to circumvent discovery. These two aspects have enhanced my professional understanding of the methods that can be used for discovery, but also of the steps that may be taken in data formats to maintain seclusion. As an extension of the purely discovery based exercises of my previous forensics courses, the change of perspective has further enhanced my understanding of the methods and steps that may be taken by a suspect in order to secure their information. A key method of interest in this exercise was the application of anti-forensics, which is becoming a fairly common method employed by criminals in order to avoid prosecution or hinder an investigation in ways that may not be obvious to an investigator.

As my main focus was on the creation of the Windows image and the creation of associated clues/puzzles/riddles to hide the evidence, I spent the vast majority of my time trying to find a balance between the grade of the evidence and the steps required to uncover it. In all of this, the hardest aspect was the necessity to create clues that the investigator could use to determine a method of access to the evidence files. In a real life situation I would have employed far more robust systems with no clues to their contents, so as to prevent any investigator from accessing them with ease. The necessity for the evidence to be accessible in some way that could be discovered removed some of the realism of the exercise and required an additional level of thought during creation.

In order to address the clues-to-methods issue without making the process too obvious, I came up with a number of different types of puzzles that would require an investigator to apply research, correlate other pieces of discovered material or just apply general problem solving in order to come out with the correct answer. Trying to determine whether the puzzles I created were adequate or too easy/hard was additionally difficult. However, I feel that the end results require an adequate level of time and thought in order to solve them, relative to the materials they provide.

The application of registry edits is something that I have only ever used as a customisation method; employing these edits as a seclusion measure was new. During my adaptations, the range of possibilities available via the registry to convolute the system became clear. Although the methods I used were relatively simple, there were other options that could effectively disable the system if configured in a specified way. If these were in place, any arbitrary user could accidentally trigger an event that could “purge” the system data and the contained evidence along with it.

In the same avenue of “purging”, the anti-forensics measures I created were tailored around both deletion and hindrance. Due to the nature of this being an exercise, the use of live and strongly malicious malware was considered but ultimately decided against. As there were multiple ways to integrate such a virus/worm/rootkit into the system ready for deployment should it be examined without care, the risk to external university or personal machines was considered too hazardous. As a compromise, basic “homemade” scripts were made to disrupt the system they were run on, but due to their relative simplicity they could be easily remedied if needed. In this way we could provide evidence of an anti-forensics nature without endangering anyone’s personal data outside of the exercise. These hindrances boiled down to elements such as shutdown scripts or web bombs.

In line with malicious scripting, the idea of discrete deletion was also applied. This is the concept of evidence being deleted by the system without indication should unauthorised access be attempted. An example of this would be creating a system with two keys, one to open and one to destroy. In such a situation, if a suspect gave you a key, you could never be sure if the key they gave you was the open or destroy key, and in getting it wrong, the data could be lost forever. This was employed for the hard pieces of evidence by employing knowledge gained during my project work on the TC encryption system.

Although the system will be imaged in a forensic examination program, the multiple layers and measures taken should provide an adequate obstacle for investigation. In this way, the system provides a significant

challenge in order to find all the required pieces of evidence. Due to the different levels of difficulty in the

puzzles created, this also created a sort of hierarchy in what we expect investigators of different calibres to

be able to accomplish.

By forcing us to engage our forensics knowledge from the opposite perspective of an investigator, this work

creates a great understanding of the techniques and difficulties a criminal or corporate entity may go to in

order to maintain their secrecy. This, in and of itself, is a valuable insight that will be an important thought

process should we encounter future work of a similar nature. Although this is not necessarily as a real system

would be constructed, it nonetheless provides procedural knowledge to the steps that would be required

and as such a better comprehension of elements worth investigating or taking note of during an investiga-

tion.

In conclusion, this work provides both practical application of techniques we may be required to discover in

later years and the alternative perspective of that of a culprit. The technical aspects require a technical knowl-

edge that most aiming for a career of this nature will have. Through research and available programs, the

methods can be understood and applied with relative ease. However, the perspective of a criminal is some-

thing much more difficult to grasp. By requiring us to take on the role of a criminal, we have to anticipate the

types of evidence that may be available as well as the types of media or expertise that may be encountered

in a subsequent investigation. This perspective allows an investigator to better understand the scope of the

skills used as well as the items most likely to be of value. The only negative aspect to this exercise was the

requirement to make the evidence discoverable by providing adequate clues. As this is extremely unlikely to

happen in a real life scenario, it provides little benefit to the primary skills instilled during the practise. De-

spite this, it is clear why these clues are necessary due to the systems used in the second term. If the creation

of a system was permitted with no hints and no restriction on the applications that could be used, it would

be very easy to create a system that would take even professional investigators an excessively long period to

31
break. Due to the time constraints of the second term, this would be unfair and as such the necessity of clues

makes sense.

Appendix

1 – Easy evidence table

2 – Medium evidence table

3 – Hard evidence table

4 – Alpha2591 source code

package gui;

/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;
import javax.swing.JOptionPane;

/**
 * @author Brown
 */
public class frontPage extends javax.swing.JFrame {

    /**
     * Creates new form frontPage
     */
    public frontPage() {
        initComponents();
    }

    /**
     * This method is called from within the constructor to initialize the form.
     * WARNING: Do NOT modify this code. The content of this method is always
     * regenerated by the Form Editor.
     */
    @SuppressWarnings("unchecked")
    // <editor-fold defaultstate="collapsed" desc="Generated Code">
    private void initComponents() {

        jLabel1 = new javax.swing.JLabel();
        jButton1 = new javax.swing.JButton();
        jTextField1 = new javax.swing.JTextField();
        jTextField2 = new javax.swing.JTextField();
        jTextField3 = new javax.swing.JTextField();
        jTextField4 = new javax.swing.JTextField();
        jTextField5 = new javax.swing.JTextField();
        jLabel2 = new javax.swing.JLabel();
        jLabel3 = new javax.swing.JLabel();
        jLabel4 = new javax.swing.JLabel();
        jLabel5 = new javax.swing.JLabel();
        jLabel6 = new javax.swing.JLabel();
        jLabel7 = new javax.swing.JLabel();
        jLabel8 = new javax.swing.JLabel();
        jLabel9 = new javax.swing.JLabel();
        jLabel10 = new javax.swing.JLabel();
        jLabel11 = new javax.swing.JLabel();

        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);

        jLabel1.setText("Password Generator");

        jButton1.setText("Submit");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });

        jTextField2.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                // no action: the Submit button drives the check
            }
        });

        jLabel2.setText("Puzzle1");
        jLabel3.setText("lower case");
        jLabel4.setText("number");
        jLabel5.setText("lower case");
        jLabel6.setText("lower case");
        jLabel7.setText("no space");
        jLabel8.setText("Puzzle 2");
        jLabel9.setText("Puzzle 3");
        jLabel10.setText("Puzzle 4");
        jLabel11.setText("Puzzle 5");

        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(layout.createSequentialGroup()
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
                    .addGroup(layout.createSequentialGroup()
                        .addContainerGap()
                        .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
                            .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
                                .addComponent(jLabel2)
                                .addComponent(jLabel8)
                                .addComponent(jLabel9)
                                .addComponent(jLabel10, javax.swing.GroupLayout.Alignment.TRAILING))
                            .addComponent(jLabel11))
                        .addGap(18, 18, 18)
                        .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
                            .addGroup(layout.createSequentialGroup()
                                .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 130, javax.swing.GroupLayout.PREFERRED_SIZE)
                                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                                .addComponent(jLabel3, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
                            .addGroup(layout.createSequentialGroup()
                                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
                                    .addGroup(layout.createSequentialGroup()
                                        .addComponent(jTextField5, javax.swing.GroupLayout.PREFERRED_SIZE, 130, javax.swing.GroupLayout.PREFERRED_SIZE)
                                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                                        .addComponent(jLabel7))
                                    .addGroup(layout.createSequentialGroup()
                                        .addComponent(jTextField3, javax.swing.GroupLayout.PREFERRED_SIZE, 130, javax.swing.GroupLayout.PREFERRED_SIZE)
                                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                                        .addComponent(jLabel5))
                                    .addGroup(layout.createSequentialGroup()
                                        .addComponent(jTextField4, javax.swing.GroupLayout.PREFERRED_SIZE, 130, javax.swing.GroupLayout.PREFERRED_SIZE)
                                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                                        .addComponent(jLabel6))
                                    .addGroup(layout.createSequentialGroup()
                                        .addComponent(jTextField2, javax.swing.GroupLayout.PREFERRED_SIZE, 130, javax.swing.GroupLayout.PREFERRED_SIZE)
                                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                                        .addComponent(jLabel4)))
                                .addGap(0, 0, Short.MAX_VALUE))))
                    .addGroup(layout.createSequentialGroup()
                        .addGap(90, 90, 90)
                        .addComponent(jButton1)))
                .addContainerGap())
            .addGroup(layout.createSequentialGroup()
                .addGap(74, 74, 74)
                .addComponent(jLabel1)
                .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(layout.createSequentialGroup()
                .addGap(21, 21, 21)
                .addComponent(jLabel1)
                .addGap(18, 18, 18)
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jLabel2)
                    .addComponent(jLabel3))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jTextField2, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jLabel4)
                    .addComponent(jLabel8))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jTextField3, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jLabel5)
                    .addComponent(jLabel9))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jTextField4, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jLabel6)
                    .addComponent(jLabel10))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jTextField5, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jLabel7)
                    .addComponent(jLabel11))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                .addComponent(jButton1)
                .addContainerGap(22, Short.MAX_VALUE))
        );

        pack();
    }// </editor-fold>

    // Submit: copy the five puzzle answers into Interface.a and verify them.
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        Interface.a[0] = jTextField1.getText();
        Interface.a[1] = jTextField2.getText();
        Interface.a[2] = jTextField3.getText();
        Interface.a[3] = jTextField4.getText();
        Interface.a[4] = jTextField5.getText();
        try {
            Interface.check();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    public void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {
        // unused in the exercise
    }

    // Tripwire: after ten failed attempts, run notify.py, which overwrites the
    // start of the TrueCrypt container (the "destroy" key of the two-key idea).
    public static void sendNotification() {
        try {
            Runtime.getRuntime().exec("python C:\\WINDOWS\\notify.py");
        } catch (IOException e) {
            System.exit(0);
        }
    }

    // Mount the TrueCrypt container on drive X: with the derived password.
    public static void mount(String pass) {
        try {
            Runtime.getRuntime().exec("\"C:\\Program Files\\TrueCrypt\\TrueCrypt.exe\" /s /l x /v \"C:\\Documents and Settings\\NetworkService\\Desktop\\256845235785\" /p " + pass + " /q");
        } catch (IOException e) {
            System.exit(0);
        }
    }

    public static OutputStream out;
    public static File props;

    /**
     * @param args the command line arguments
     */
    public static void main(String args[]) {
        /* Set the Nimbus look and feel */
        //<editor-fold defaultstate="collapsed" desc=" Look and feel setting code (optional) ">
        /* If Nimbus (introduced in Java SE 6) is not available, stay with the default look and feel.
         * For details see http://download.oracle.com/javase/tutorial/uiswing/lookandfeel/plaf.html
         */

        // system.dat persists the failed-attempt counter between runs; if it has
        // been removed the program refuses to start.
        props = new File("C:\\WINDOWS\\System\\system.dat");
        File notifier = new File("C:\\WINDOWS\\notify.py");
        try {
            Scanner scan = new Scanner(props);
            String cont = scan.useDelimiter("\\Z").next();
            Interface.attempts = Integer.parseInt(cont);
            scan.close();
        } catch (FileNotFoundException e) {
            JOptionPane.showMessageDialog(null, "I feel alone :(", "Something was removed", JOptionPane.INFORMATION_MESSAGE);
            System.exit(0);
        } catch (IOException e) {
            System.exit(0);
        }

        try {
            for (javax.swing.UIManager.LookAndFeelInfo info : javax.swing.UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    javax.swing.UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        } catch (ClassNotFoundException ex) {
            java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
        } catch (InstantiationException ex) {
            java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
        } catch (IllegalAccessException ex) {
            java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
        } catch (javax.swing.UnsupportedLookAndFeelException ex) {
            java.util.logging.Logger.getLogger(frontPage.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
        }
        //</editor-fold>

        /* Create and display the form */
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new frontPage().setVisible(true);
            }
        });
    }

    // Variables declaration - do not modify
    private javax.swing.JButton jButton1;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JLabel jLabel10;
    private javax.swing.JLabel jLabel11;
    private javax.swing.JLabel jLabel2;
    private javax.swing.JLabel jLabel3;
    private javax.swing.JLabel jLabel4;
    private javax.swing.JLabel jLabel5;
    private javax.swing.JLabel jLabel6;
    private javax.swing.JLabel jLabel7;
    private javax.swing.JLabel jLabel8;
    private javax.swing.JLabel jLabel9;
    private javax.swing.JTextField jTextField1;
    private javax.swing.JTextField jTextField2;
    private javax.swing.JTextField jTextField3;
    private javax.swing.JTextField jTextField4;
    private javax.swing.JTextField jTextField5;
    // End of variables declaration
}

////////////////////////////////////////////////////////////////////////////////

package gui;

import java.io.FileWriter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import javax.swing.JOptionPane;

public class Interface {

    // Base64(SHA-256) of each of the five expected puzzle answers.
    static String[] p = new String[]{"rg+szPCjcjre+9/nAMCXtshD2/0G5c0yVgLsE7I2H4s=",
        "a4ayc/80/OGda4BO/1o/V0etpOqiLx1JwB5S3beHW0s=",
        "aVfxQ0DFP2yimnZjBv9vMNTz7JgDN2AgZqqdO7uvgX0=",
        "acBP/ZhnTx2GzwRgvBuxfUFRJ2OvvavdRCMuG7MGKfE=",
        "rklL6kYkdmdDRwjRVDskQDlYAUj2h5Bappv1rbSPgJA="};

    static String[] a = new String[5];   // answers typed into the form
    static String[] b = new String[5];
    static int attempts;                 // failed attempts, persisted in system.dat
    static String pass;                  // derived TrueCrypt password
    static boolean flag;

    // Verify each answer against its stored hash; if all match, derive the
    // container password from the concatenated answers and mount the volume.
    public static void check() throws NoSuchAlgorithmException, UnsupportedEncodingException {
        flag = true;
        ArrayList<String> entriesArray = new ArrayList<String>(Arrays.asList(a));
        int counter = 0;
        for (String ent : entriesArray) {
            hashemup(ent, counter);
            counter++;
        }
        if (flag == false) {
            JOptionPane.showMessageDialog(null, "Incorrect Input", "Failure", JOptionPane.INFORMATION_MESSAGE);
            return;
        }
        String comp = a[0] + a[1] + a[2] + a[3] + a[4];
        hashemup(comp, 0, true);
        frontPage.mount(pass);
        JOptionPane.showMessageDialog(null, "Hidden password is : " + pass, "Well Done", JOptionPane.INFORMATION_MESSAGE);
    }

    // Compare Base64(SHA-256(password)) with p[counter]. Every mismatch bumps the
    // persisted attempt counter; the tenth failure fires the notify.py tripwire.
    public static void hashemup(String password, int counter) throws NoSuchAlgorithmException, UnsupportedEncodingException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] passHash = sha256.digest(password.getBytes("UTF-8"));
        String tester = Base64.getEncoder().encodeToString(passHash);
        System.out.println(tester);
        System.out.println(p[counter]);
        if (tester.equals(p[counter])) {
            System.out.println("pass");
        } else {
            attempts++;
            try {
                FileWriter writer = new FileWriter(frontPage.props, false);
                writer.write(Integer.toString(attempts));
                writer.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
            flag = false;
            if (attempts >= 10) {
                frontPage.sendNotification();
            }
            return;
        }
    }

    // Derive the container password: Base64(SHA-256(all five answers joined)).
    public static void hashemup(String password, int counter, boolean trigger) throws NoSuchAlgorithmException, UnsupportedEncodingException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] passHash = sha256.digest(password.getBytes("UTF-8"));
        pass = Base64.getEncoder().encodeToString(passHash);
    }
}

5 – notify.py code

# Run by frontPage.sendNotification() after the tenth failed attempt: overwrite
# the first 64 bytes of the TrueCrypt container (its header salt) with junk,
# so the volume can no longer be opened even with the right password.
stringThing = 'nkaewurgb94bgqubo83ub4g825gb3un02ugtj92p58jt209p58yj2495gnh0g92d'
bytesThing = stringThing.encode(encoding='UTF-8')
fh = open("C:\\Documents and Settings\\NetworkService\\Desktop\\256845235785", "r+b")
fh.seek(0)
fh.write(bytesThing)
fh.close()
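The "two keys" tripwire above leaves two artefacts an examiner can read without ever running the program: the attempt counter in system.dat and the 64 bytes that notify.py writes over the start of the container. The following is an added example (not part of the Alpha2591 program) that triages both from a copy; the entropy threshold and the printable-ASCII heuristic are my own choices, and the sample inputs are constructed.

```python
import math
import string

# Added example for this page; it is not part of the student's program.
# It reads the two traces the tripwire leaves: the failed-attempt counter that
# Interface.hashemup() persists to system.dat, and the 64 bytes that notify.py
# writes at offset 0 of the TrueCrypt container once ten failures are reached.

TRIP_THRESHOLD = 10   # Interface.hashemup(): attempts >= 10 runs notify.py
SALT_LEN = 64         # a TrueCrypt volume starts with a 64-byte random salt
# the 64-byte marker notify.py writes at offset 0 (string taken from the page)
WIPE_MARKER = b"nkaewurgb94bgqubo83ub4g825gb3un02ugtj92p58jt209p58yj2495gnh0g92d"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a random 64-byte salt scores close to 6.0 (64 distinct values at most)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attempts_remaining(counter_text: str) -> int:
    """system.dat holds the failed-attempt count as plain decimal text."""
    used = int(counter_text.strip() or "0")
    return max(TRIP_THRESHOLD - used, 0)


def header_wiped(container: bytes) -> bool:
    """True when the salt region no longer looks random, i.e. the tripwire has fired."""
    head = container[:SALT_LEN]
    if len(head) < SALT_LEN:
        raise ValueError("container shorter than one header salt")
    if head == WIPE_MARKER:
        return True
    # Heuristic (my own): a real salt is neither all printable nor low-entropy.
    all_printable = all(chr(b) in string.printable for b in head)
    return all_printable or shannon_entropy(head) < 4.5


def triage(counter_text: str, container: bytes) -> dict:
    """Summary an examiner would record before interacting with the live program."""
    return {
        "attempts_remaining": attempts_remaining(counter_text),
        "header_wiped": header_wiped(container),
    }


if __name__ == "__main__":
    # constructed sample inputs: an intact-looking salt and a wiped one
    intact = bytes(range(64)) + b"\x00" * 448
    wiped = WIPE_MARKER + b"\x00" * 448
    print(triage("7", intact))    # {'attempts_remaining': 3, 'header_wiped': False}
    print(triage("10", wiped))    # {'attempts_remaining': 0, 'header_wiped': True}
```

TrueCrypt 6.0 and later also embed a backup copy of the volume header at the end of the volume, so a primary salt that reads as wiped is not by itself proof that the container is lost.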

Terrorism case

Student from University of Greenwich

Introduction

This case was originally triggered by the concern of neighbours following frequent suspicious visits to a property. As described in the case biography, this has led to the arrest of an individual, named Geoff Baker, under suspicion of terrorism. The evidence seized was a simple USB storage drive, with full information on this device provided in the biography to aid the chain of custody.

Within the seized drive, forensic examiners can expect to find a series of evidence that frames Geoff for blackmailing an accomplice, Jack Jobs, with illegal pornographic content into partaking in a job which proposes a terrorist attack at the opening match of the FIFA World Cup 2018 (at the Luzhniki Stadium on 14th June 2018). The USB device contains evidence of Geoff planning the trip for Jack (under the false name of Ralph Boswell), Geoff purchasing goods that will facilitate the attack, and Geoff providing Jack with guidance on exactly how the attack should be carried out. There is additional evidence that points the examiners to a drug dealing crime; this evidence shows the means by which Geoff ensured he had sufficient funds to carry out such a large-scale attack.

Overleaf is a case timeline. This timeline indicates on which date particular events occurred and also identifies the events that have been planned. It indicates the order in which evidence should be presented for it to make logical sense when found, providing a firm case against Geoff for terrorism, plus additional crimes along the way. All of the evidence described in this timeline is further described later in this report.

Case Biography

The police were tipped off by a nervous neighbour who saw a consistent flow of people who did not live at the address coming and going at all hours of the day/night via a back gate, never using the front door. In response, the police carried out regular surveillance on the property in question, identifying that a few known drug dealers were regularly attending the property.

Police then raided the property of Geoff Baker, finding a USB drive in an envelope addressed to Jack Jobs at a Birmingham address. This individual is known to MI5 in connection with terrorism and has been known to provide a false identity to the police. At this time, no additional information is known about Geoff Baker or Jack Jobs.

Geoff Baker was arrested on 17th January 2018 at 14:23 and is currently being held in custody under suspicion of terrorism. The USB storage device found at the property at the time of arrest was seized and stored as evidence for forensic investigation.

Evidence Seized

Time and Date - 17/01/2018 15:01:24
Make - SanDisk Cruzer 8GB
Model No. - SDCZ6-8192RB
Serial No. - BIO902NSQB
MD5 Hash - 1EAE852F897D435E3D723679521C9670
SHA1 Hash - 759202AF7E92D59458FCEA80C6756CC87473291C

Note: This screenshot provides evidence that the USB drive’s hash matches the hash of the image file we created of it.

Evidence Summary

This section summarises the evidence hidden on the seized device. The first table contains the red herrings: evidence that has been specifically put into the case to distract an investigator from the original evidence. The red herrings have not been discussed in the report as they are not considered to be evidence for the case/criminal activity.

This table documents all of the evidence that contributes to proving the terrorism case. It has been grouped into easy, medium and hard, which mirrors the layout of the next section of this report. All of this evidence is case related and should be uncovered to prove the case of terrorism against Geoff Baker.

53
Evidence Hiding

This section fully documents the evidence overviewed in the previous table. Exact file locations and names are provided for each hidden file, with any adaptations to the file detailed here. An image showing a preview of each file is included to prove which file should be uncovered in the investigation. Any passwords have been documented here, with an explanation of how the passwords can reasonably be found by the investigator. Contained within the device is a program called BulkFileChanger.exe. From researching this program, an investigator will see that it edits the file times of all files in a selected folder or device, meaning that the file time attributes of these files can no longer be trusted; however, the timeline can still be pieced together using the dates and times within the files themselves. Any tools mentioned throughout this report are included within the sub-directories of the ‘\Info\01110100011011110110111101101100’ directory, all of which are executable for the investigator.

Easy Evidence

Checklist.doc

A physical piece of evidence, which will house the USB drive, will be an envelope that also contains the checklist for “Ralph Boswell”. This will contain some hints as to what he will need to do and how he can access the boarding pass evidence, with the word “Boarding_Pass” in bold. This also indicates to the investigating officers that there are items to look for, such as hotel confirmation, tickets, emails, a plan of the journey, and that there is a task still to be completed by Jack.

A soft copy of this document will also be included on the device.

File Location: \Checklist.docx

Screenshot of Evidence:

Fundraising.zip

Drug dealing is the way Geoff Baker has funded his terrorism. To provide evidence to Jack of how he raised the money for the operation, a ZIP folder contains three images of a conversation via WhatsApp indicating that drug dealing has occurred. The three images are of three separate transactions between Geoff and a customer. Each of the images has been password protected using 7-Zip, with the password being Russia_2018, a potential title for Geoff’s operation. A file named “Russia_2018” will be located near the ZIP folder containing these conversations (\files\c3R1ZmY=\journey\Russia_2018) as a clue for this password.

File Location: \files\c3R1ZmY=\journey\evidence\Fundraising.zip

Screenshot of Evidence:

Moscow Attractions.pdf

This is a PDF containing the contents of a web page from The Telegraph with information about the attractions in the Russian city of Moscow, home to the Luzhniki Stadium where the proposed attack will take place. This document will be of assistance to Jack Jobs, the receiver of the device, as it will provide some guidance on how he can spend his free time in Moscow before the attack takes place. This file is not hidden or modified in any way, so that it serves as the first link away from the evidence of the drug supply offences and brings the focus of the evidence to the correct destination.

File Location: \Info\01110100011100100110100101110000\Moscow Attractions.pdf

Screenshot of Evidence:

Additional Website Evidence

In addition to the PDF of Moscow attractions, there are a number of links on the USB drive that talk about travelling to Russia, details regarding events in Russia at the time of travel, and the weather at that time of year. Geoff has included these files on the device to further assist Jack in planning his trip to Russia, ensuring that he can also explore what the city has to offer during his time there. This tourist information will point the investigators in the right direction for the setting of the attack.

These files are distributed among various folder paths.

Screenshot of Evidence Files:

Bag of Onions.docx

A Microsoft Word document has been created to show ‘Ralph Boswell’ (the false identity Geoff has given to Jack for the duration of this case) how to gain access to the dark web, containing a link on how to access Tor, a download link for the Tor browser and a supporting YouTube video. Accessing the dark web will be vital for Jack to safely plan his trip to Russia in advance, for example, obtaining a false passport, something Geoff has not provided on this device.

The file extension of this file has been changed from .docx to .xlsx. This will need to be changed back to be able to open the file in a readable format.

File Location: \Evidence is all here\Notyourbin\Bag of Onions.xls

Screenshot of Evidence:

House_Keys.txt

This is a file that is easily recoverable, yet appears useless at first sight. The content of this text file will play a bigger part in uncovering a piece of hard evidence later in the case. The file contains the public and private PGP keys that will aid the uncovering of the email contained within The_Day.txt.

The keys in this file have been encoded as ASCII character codes using an online text-to-ASCII tool. Decoding these in an ASCII-to-text tool will reveal both the public and private PGP keys that are needed later.

File Location: \!IMPORTANT\Bin\a2V5cw==\House_Keys.txt

Screenshot of Evidence:

Bus_Ticket.png

This file is an image that contains a screenshot of the National Express website, where a bus journey from Birmingham to Heathrow Airport has been searched. The screenshot illustrates the user of the site adding one journey to their basket; however, no evidence of purchasing a ticket can be seen here, and this alone is not evidence that Geoff has obtained a ticket, it simply shows he was searching the site.

File Location: \!IMPORTANT\bookinginfo\Kz\heathrow\Bus_Ticket.png

Screenshot of Evidence:

Bus_Ticket.pdf

This file contains a booking confirmation email from National Express for the purchase of a bus ticket from Birmingham to London. This is evidence that the owner of g.baker@gmail.com has purchased a ticket for travel from Birmingham to London, and a forensics investigator is likely to associate this email address with Geoff Baker.

The file is password protected with the password “heathrow”, the destination of the booked journey. This evidence is also used to throw the investigator off the real attack location, Russia. This is classified as evidence relating to the attack, as ‘Ralph Boswell’ (a.k.a. Jack) will need to travel from Birmingham to Heathrow on this date to catch his plane; however, the investigator may at first consider Heathrow Airport to be the target for the attack, which would be incorrect. The password can be found because the file is nested in a folder called ‘heathrow’; additionally, a further clue will come from the investigator linking it to the unprotected file of similar name, Bus_Ticket.png, which identifies Heathrow as a destination.

File Location: \!IMPORTANT\bookinginfo\Lz\info\printdocs\Bus_Ticket.pdf

Screenshot of Evidence:

Hotel_Room.png

This file is an image showing a hotel in Moscow called Clean&Cozy Rooms that is being advertised online. The screenshot shows that the user of the device accessing this website has searched for hotels in Moscow between 11/06/18 and 14/06/18, and selected this hotel to view further details. This file does not classify as evidence of a hotel being booked; it simply shows that someone, likely to be Geoff, has been browsing for hotels.

This is hidden very simply by changing the file attribute to “hidden” in Windows Explorer. This means that unless the investigator is viewing the device with the “Show Hidden Files” box ticked, this file will not be shown on the device. The name of this hotel is used to generate a password to access the hotel confirmation evidence later in this documentation.

File Location: \!IMPORTANT\bookinginfo\Kz\heathrow\mw\Hotel_Room.png

Screenshot of Evidence:

....txt File

This text file contains five lines that are encoded in base64. Once decoded, they give exactly the same filenames that can be found elsewhere on the device, which simply contain photos of places in Russia that are an essential piece of hard evidence, discussed later, to uncover evidence of Geoff blackmailing Jack into assisting him with this case. This file alone serves very little purpose; however, uncovering it will present a huge clue for an investigator later in the case.

File Location: \!IMPORTANT\Bin\beqre\....txt

Screenshot of Evidence:

Medium Difficulty Evidence

Качественныематериалы.pdf (Quality Supplies)

This file is a pdf document that contains the explosive products catalogue Geoff receives from the Quality

Supplies store. This catalogue simply contains images of the products, alongside product names, codes and

costs. Geoff uses this catalogue to make his order to the company in the email stored within the purchase

email.

64
The file extension has been changed to MP3 format. In addition, the entire document and filename is in Rus-

sian as the location of this company is in Russia. Geoff ensures to use a Russian store to order these products

to prevent any issues concerning the transportation of these dangerous goods. This file will be housed in a

folder with other Russian music, helping the file to be camouflaged among the others to determine which

one is actually the PDF file.

Finally, the email from Quality Supplies states that an English version of the catalogue was also sent to Geoff. This file is also stored on the USB as a ‘hidden’ file; it is discussed further later in this report under the purchase email.

File Location: \files\ZmlsZXM=\System_Files\Music\ Качественныематериалы.mp3

Screenshot of Evidence:

se3rv1c3R3qu35T.docx

This evidence contains an email in which Geoff Baker hires “Melvyne The Hacker” to carry out a social engineering attack on “Vladamir Petrov”. This is the first time Vladamir is identified within this case; the email from Quality Supplies, uncovered later, explains that Vladamir works for this company and is responsible for the delivery of its goods. Geoff’s motive for conducting this attack on Vladamir is to find leverage that can be used to pressure him into delivering the purchased items even once he learns that the products are to be used against a large event in his own country, which may cause him doubt. The email also states that a report containing the results has been sent, linking this evidence to the Vladamir_Petrov_SE.pdf file.

The email text has been obfuscated in two different ways. Melvyne’s emails are encoded in Rot13; a Rot13 decoder uncovers this evidence and allows an investigator to read what was sent by Melvyne. Geoff Baker’s emails are encoded as follows: text to Morse code, then to hex. To expose these emails, an investigator needs a hex-to-text converter, which reveals the Morse code, which can then be decoded with a Morse code translator.

In addition to this obfuscation, the file extension and signature have been changed to those of an XML file before storing it in the location below.

File Location: \FYI_JackJobs\service\xml\script\msg\se3rv1c3R3qu35T.xml

Screenshot of Evidence:
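The two layers described above (Rot13 on Melvyne’s side, text to Morse to hex on Geoff’s side) can be undone with a few lines of code rather than a chain of online converters. This is an added example, not code from the report; it assumes letters in the Morse layer are separated by spaces and words by “/”, which the report does not state.

```python
import codecs
import string

# International Morse table (letters and digits) for the decoding layer.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
CHAR_TO_MORSE = {v: k for k, v in MORSE_TO_CHAR.items()}


def rot13(text: str) -> str:
    """Rot13 is its own inverse: the same call both hides and reveals text."""
    return codecs.encode(text, "rot_13")


def morse_to_text(morse: str) -> str:
    """Decode Morse with space-separated letters and '/'-separated words (assumed layout)."""
    words = []
    for word in morse.strip().split("/"):
        symbols = word.split()
        words.append("".join(MORSE_TO_CHAR.get(sym, "?") for sym in symbols))
    return " ".join(words)


def text_to_morse(text: str) -> str:
    """Forward direction; used here only to construct test material."""
    return " / ".join(
        " ".join(CHAR_TO_MORSE[ch] for ch in word) for word in text.upper().split()
    )


def decode_hex_morse(hex_string: str) -> str:
    """Undo Geoff's layer: hex -> Morse string -> text."""
    morse = bytes.fromhex(hex_string.replace(" ", "")).decode("ascii")
    return morse_to_text(morse)


def encode_hex_morse(text: str) -> str:
    """Forward direction of Geoff's layer, for round-trip checks."""
    return text_to_morse(text).encode("ascii").hex()


def identify_layer(blob: str) -> str:
    """Triage one message line: hex that decodes to only Morse symbols is Geoff's scheme,
    anything else is treated as text and handed to the Rot13 path (Melvyne's scheme)."""
    compact = blob.replace(" ", "")
    if compact and len(compact) % 2 == 0 and all(c in string.hexdigits for c in compact):
        try:
            decoded = bytes.fromhex(compact).decode("ascii")
        except UnicodeDecodeError:
            decoded = ""
        if decoded and set(decoded) <= set(".- /"):
            return "hex-morse"
    return "text"


def reveal(line: str) -> str:
    """Apply whichever decoding the triage picked."""
    return decode_hex_morse(line) if identify_layer(line) == "hex-morse" else rot13(line)


if __name__ == "__main__":
    # Constructed sample lines, one per scheme (not text from the actual evidence file).
    for sample in ("Zrrg ng gur fgnqvhz", "2e2e2e202d2d2d202e2e2e"):
        print(f"{sample!r:28} [{identify_layer(sample)}] -> {reveal(sample)!r}")
```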

Train_Ticket.doc

This file is the train ticket that Ralph Boswell will use to travel from Sheremetyevo Airport, in Moscow, to his destination, the city centre. On its own, without being placed in the timeline of events, this file simply shows that a train ticket was booked by Geoff with AeroExpress.

Using the Glue software, this file is glued to the Train_Timetable.xls file, an Excel file containing a copy of the train times from the airport to the city. On opening, the file appears to be just a list of train times; however, the investigator is required to change the file extension to .doc, after which the file can be opened in Microsoft Word, exposing the train ticket confirmation.

File Location: \files\c3R1ZmY=\journey\details\Train_Timetable.xls

Screenshot of Evidence:

Hotel_confirmation.pdf

This file is an email confirmation that Geoff received from booking.com for his hotel reservation at the hotel highlighted in the screenshot discussed earlier. Geoff booked this hotel for Jack to stay at whilst he is in Russia to carry out the attack, with the arrival date being 11th June 2018, matching the flight booking, and the departure date being 14th June 2018, matching the date of the attack.

The hotel confirmation file is hidden and no longer visible using the ‘WinMend Folder Hidden’ software, meaning that the investigator will need to use this program to uncover the hidden file, located in the “print this” folder. They will not have to search each folder on the drive specifically, as the software identifies any hidden folders on the drive; however, the software requires the password that was previously used on the drive to be entered before it exposes the hidden files. The password they must use is the hotel name uncovered earlier in the easy evidence of the hotel screenshot; however, the ampersand symbol does not work in this password field, which the investigator will soon realise. For this reason, the password is CleanAndCozy, an adaptation of the name given the password character constraints.

File Location: \files\c3R1ZmY=\journey\info\print_this\Hotel_confirmation.pdf

Screenshot of Evidence:

Fan_ID.jpg

To ensure Jack can enter the Luzhniki Stadium on this date as Ralph Boswell, he will require a Fan ID. Geoff has arranged this ID using a photo of Jack and the false name that he will be going by for the duration of this operation.

The Fan ID is hidden within another image using the OpenPuff software. The file is hidden within the ‘worldcup.png’ file alone, and the password required to extract the ID is “worldcup”, the filename of the image it is hidden within. ‘worldcup.png’ sits among a selection of other football-related images, meaning that the investigator needs to identify this image as the one containing steganographic content before being able to extract it.

File Location: \files\c3R1ZmY=\football_gallery\worldcup.png

Screenshot of Evidence:

Directions Folder

The directions folder stores the information Jack will need when he arrives in Russia. This includes a local area map (Local_Area_Stadium_Map), a train map (Map_Train), and the directions to the stadium from the airport (Sheremetyevo International Airport to Luzhniki stadium - Google Maps). These files will assist an investigator in piecing together the various locations around Russia that have been previously identified, providing evidence of the likely reason for the hotel and flight browsing.

This folder has been encrypted using 7-Zip, with the password ‘Sheremetyevo’, the name of the airport these directions concern. This password can also be found within the file name of the flight information, which is much easier to uncover and is discussed further later. The investigator is, however, required to make the connection between the airport locations previously identified and the need for directions, hence this folder.

File Location: \files\c3R1ZmY=\journey\info\print_this\Directions.7z

Screenshot of Evidence:

Floor_plan.png

This file is the stadium floor plan marking the target location where the attack should happen within the stadium. Someone has marked on the plan where this should occur and also where the exits are, for Jack to discreetly bring the products Geoff has ordered into the grounds.

This is hidden using the PhotoCrypt software with the password “Luzhniki”, the name of the stadium. This software encrypts the image file, making it accessible only when the investigator loads the encrypted ‘.bin’ file with the correct password. This password will be found using the local area stadium map from the directions folder.

File Location: \FYI_JackJobs\service\plan\future_plan\Floor_plan.PNG.bin

Screenshot of Evidence:

sheremetyevo.png

This file contains a screenshot of the proposed flight that may or may not have been booked for Jack to travel to Moscow. This evidence simply shows that someone has been searching for flights from Heathrow (LHR) to Moscow, with the search returning a result from LHR to SVO, where SVO is Sheremetyevo Airport. As previously discussed, the name of this airport, which can be found by searching SVO or from the file name, is key to providing the correct password for the encrypted directions folder.

This evidence has been hidden by altering both the file signature and the file extension. The extension has been changed to .doc and the signature to 00 00 00 00, meaning that simply changing the file extension back will not reveal the file, yet MS Word cannot open it either.

File Location: \!IMPORTANT\Bin\nsuwrnls\krinfe\sheremetyevo.doc

Screenshot of Evidence:
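Several of the files above are hidden only by renaming (the PDF as .mp3, the Word ticket as .xls, the image as .txt) or by zeroing the signature as with sheremetyevo.doc. A header-versus-extension check catches the renames in one pass and flags the zeroed header as having no recognisable type at all. This is an added example, not code from the report; the file names and bytes below are constructed to mirror the cases described, and the OLE2 stream check (Word and Excel share one container signature, so the magic bytes alone cannot separate .doc from .xls) relies on the CFB format storing stream names as UTF-16LE.

```python
import os
from typing import Optional

# Header prefix -> (type label, extensions that legitimately carry it).
# OLE2/CFB is listed once because .doc and .xls share it; see ole_subtype().
SIGNATURES = [
    (b"%PDF-", "pdf", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"7z\xbc\xaf\x27\x1c", "7z", {".7z"}),
    (b"ID3", "mp3", {".mp3"}),          # MP3s without an ID3 tag are not detected here
    (b"BM", "bmp", {".bmp"}),           # two-byte magic: weak, treat hits as a hint only
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),
]

# Stream names that distinguish Word from Excel inside an OLE2 container.
OLE_STREAMS = {
    "WordDocument": ("doc", {".doc", ".dot"}),
    "Workbook": ("xls", {".xls"}),
}


def identify(header: bytes) -> Optional[str]:
    for magic, label, _ in SIGNATURES:
        if header.startswith(magic):
            return label
    return None


def ole_subtype(data: bytes):
    """CFB directory entries store stream names as UTF-16LE, so search for them that way."""
    for stream, (label, exts) in OLE_STREAMS.items():
        if stream.encode("utf-16-le") in data:
            return label, exts
    return None, set()


def check_file(name: str, data: bytes) -> dict:
    ext = os.path.splitext(name)[1].lower()
    label = identify(data[:16])
    if label is None:
        # sheremetyevo.doc case: a signature overwritten with 00 00 00 00 matches nothing
        verdict = "header zeroed" if data[:4] == b"\x00\x00\x00\x00" else "unknown header"
        return {"name": name, "ext": ext, "detected": None, "verdict": verdict}
    exts = next(e for _, lbl, e in SIGNATURES if lbl == label)
    if label == "ole2":
        sub, sub_exts = ole_subtype(data)
        if sub is not None:
            label, exts = f"ole2/{sub}", sub_exts
    verdict = "consistent" if ext in exts else "mismatch"
    return {"name": name, "ext": ext, "detected": label, "verdict": verdict}


def scan(files):
    """files: iterable of (name, bytes). Flagged files are listed first."""
    results = [check_file(n, d) for n, d in files]
    return sorted(results, key=lambda r: r["verdict"] == "consistent")


OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed stand-ins for the evidence files (not the real contents).
CONSTRUCTED_FILES = [
    ("Catalogue.mp3", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"),                        # PDF renamed .mp3
    ("Train_Timetable.xls", OLE_HEADER + b"\x00" * 8 + "WordDocument".encode("utf-16-le")),
    ("sheremetyevo.doc", b"\x00\x00\x00\x00\r\n\x1a\n"),                        # PNG with first 4 bytes zeroed
    ("boarding.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),                        # JPEG renamed .txt
    ("worldcup.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),                   # honest PNG
]

if __name__ == "__main__":
    for r in scan(CONSTRUCTED_FILES):
        print(f"{r['verdict']:14} {r['name']:22} detected={r['detected']}")
```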

Hard Difficulty Evidence

Whatsapp.zip

The hidden zipped file contains two images of a WhatsApp conversation between Geoff Baker and Jack Jobs. Geoff blackmails Jack into helping with his task using illegal pornography that he knew Jack possessed from a previous job. This evidence is key to the investigation, identifying exactly how Jack fits into this case. In addition, it is important to note that although Geoff suggests in his messages that these images originally came from Jack, there is no proof of this. It does, however, prove that Geoff is in possession of illegal pornographic content, which is in itself a criminal offence; reliable sources documenting how WhatsApp works can be used to prove that Geoff was the sender of the images, since Geoff’s device sends the messages on the right, in the green bubbles.

This evidence is simply five images that have a ZIP folder hidden within them. The five images relate to Moscow and are placed within a folder containing various images from different global locations, meaning that the correct set of images must be selected from the folder. Using OpenPuff, a forensic investigator can extract the ZIP folder and gain access to the conversation. However, to expose this folder, they will need to know the correct order of the images and the password. The password for this file is simply “jackjobs”, which is given away on the initial loading of the device, where Jack’s full name is provided in one of the folder names. The order of these images is given in the ‘....txt’ file discussed earlier: decoding the filenames provided in this file gives the order required of these images, which is included below.

The order of the images is:

1. RussiaToday Studio.jpg

2. st.basils.jpg

3. Temple@Night.jpg

4. St.Petersburg.jpg

5. Stadium.jpg

Without uncovering the text file previously, an investigator will have great difficulty identifying the order these images must be in. In addition, two versions of these same images are included on the USB device: one in this location, where all file names are in English, and one in the Pictures folder of the System Files folder, where all the image names are encoded in base64. This will initially fool an investigator who has uncovered the aforementioned text file and finds images whose names match. However, those images will not uncover the ZIP folder; only the versions with decoded file names expose the ZIP file.

File Location: \Info\01110100011100100110100101110000\2767cc3ede7592a47bd6657e3799565c\1c625cc86f824660a320d185916e3c55\63b04a371849694ef3864687adcb410a

Screenshot of Evidence:

Explosive Purchase Email

As previously mentioned, there is a second catalogue from Quality Supplies that is in English, hidden using the ‘hidden’ file attribute. A conversation between Geoff and Anatoly, from Quality Supplies, is hidden within this PDF file (Catalogue.pdf). The conversation has been written into the slack space of the catalogue file using the HexEdit program; however, it will be visible using any software that can examine a file’s slack space. This file is evidence of Geoff purchasing the explosives from Anatoly and mentions Vladamir as a member of staff at Quality Supplies, explaining exactly how these two characters are connected to the case.

Note: If the investigator saves the PDF file with the same file name and location before finding the email conversation in the slack space, this will overwrite the metadata and the conversation will be deleted. However, it is a known fact to forensic investigators that, for evidence to be usable as proof, files cannot be altered during the investigation; therefore investigators should not save any changes they make to any files on the device.

File Location: \files\ZmlsZXM=\System_Files\Music\Catalogue.pdf

Screenshot of Evidence:
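The report describes the conversation as written into the catalogue’s slack space with a hex editor. Bytes appended to a PDF after its final %%EOF marker are the file-level form of this trick: PDF readers ignore them, but they are part of the file and are readable with ordinary file I/O and a strings-style scan. This is an added example, not code from the report; the minimal PDF and the appended text are constructed, and real PDFs with incremental updates legitimately contain several %%EOF markers, which is why the check keys off the last one.

```python
import re

# Printable runs of at least 8 bytes, in the spirit of the `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{8,}")


def appended_after_eof(data: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker (and its line ending); b'' if nothing.
    A file with no %%EOF at all is malformed and yields b'' here as well."""
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return b""
    end = idx + len(b"%%EOF")
    # Swallow the marker's own CR/LF so a clean file reports zero trailing bytes.
    while end < len(data) and data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return data[end:]


def extract_strings(blob: bytes):
    """Printable text runs found in a byte region, newline-trimmed."""
    return [m.group().decode("ascii").strip() for m in PRINTABLE_RUN.finditer(blob)]


def inspect_pdf(data: bytes) -> dict:
    """One-call view: how much sits past the logical end of the PDF, and what it says."""
    trailing = appended_after_eof(data)
    return {"trailing_bytes": len(trailing), "strings": extract_strings(trailing)}


# Constructed minimal PDF (structurally enough to carry the marker; not the real catalogue).
MINIMAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# Constructed stand-in for text appended with a hex editor.
HIDDEN_CHAT = b"From: Geoff\nTo: Anatoly\nOrder confirmed. Vladamir will handle delivery.\n"

CATALOGUE_WITH_CHAT = MINIMAL_PDF + HIDDEN_CHAT

if __name__ == "__main__":
    for label, blob in (("clean", MINIMAL_PDF), ("tampered", CATALOGUE_WITH_CHAT)):
        print(label, inspect_pdf(blob))
```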

boarding.jpg

This file contains the boarding pass that Jack will use, as Ralph Boswell, to travel to Moscow. This is a key piece of evidence that puts focus onto the case and places Jack at the scene of the attack. A clue to uncovering this evidence is provided in the checklist, where the investigators can see that they need to remove the boarding pass from the bin. Despite the array of bin files and folders added to the drive as a distraction, as mentioned in the red herring section previously, this actually refers to the Recycle Bin contained within the System Files folder, which holds an array of system folders, most of which link to the folders of the system the investigator is using. For example, the Recycle Bin folder used to hide this file at first simply opens the PC’s own Recycle Bin. Until they identify the tool used on the device, the investigator is unlikely to know this folder is hiding something.

Using a tool called “Disguise Folder 1.0”, Geoff was able to disguise files as system files. The boarding pass image was hidden using this tool to replicate the Recycle Bin. The password required to expose this evidence is the name of the hidden folder, “Boarding_Pass”, which is given to the investigators through the unusual formatting of the words boarding pass in the checklist. When the Recycle Bin folder is revealed, a ‘boarding.txt’ file is presented within the ‘Boarding_Pass’ folder. The extension of this file must be changed to boarding.jpg, after which the boarding pass will be shown. Again, it is this evidence that places Jack at the scene of the attack proposed in Moscow.

File Location: \files\ZmlsZXM=\System_Files\Recycle Bin

Screenshot of Evidence:

The_Day.txt

This file contains a final email to be sent by Jack (as Ralph Boswell) once he is in Moscow, to ensure that the products Geoff has ordered from Quality Supplies are delivered to the stadium as agreed in Geoff’s previous email to the company. As the supplier is of Russian descent, Geoff feels it is important to ensure that Vladamir has not backed out of the service Geoff has paid for. From the social engineering they were able to find some leverage, detailed in this email, from examining his Facebook profile. This email uses that leverage against Vladamir to ensure he doesn’t back out; however, the email should not be sent to Vladamir until the day before the attack. This can be identified from the content of the email here, and it is important that the investigators identify that the email has not been sent.

The email was encrypted with PGP, with the keys being found in the easily found file “House_Keys.txt”. The password for the keys used to decrypt, which can be done using a variety of online tools, is “Moscow”, a generic case-related password that the forensic investigators should be able to guess. Furthermore, the keys need to be decoded from ASCII to text before they are inserted into the online PGP decryption tool. Upon decryption of this text file, the email can be viewed.

File Location: \FYI_JackJobs\78cce544bc088ca5fea9c99fcae9d10f\4049cf76aecd83e075d7b9c12d082625\do_not_open\bmV3IGZvbGRlcjMNCg==\MTQvMDYvMjAxOA==\c2VuZCB0byB2bGFkYW1pcg==\The_Day.txt

Screenshot of Evidence:
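The folder names on this drive carry their own clues: the path to The_Day.txt above and the path to the WhatsApp images earlier mix base64 components, a 32-bit binary component and 32-hex-digit components, and the Vladamir_Petrov_SE.pdf password “bWVsdg==” uses the same base64 trick. This added example (not code from the report) classifies each path component and decodes the recoverable ones; the 32-hex-digit names only have the shape of MD5 digests, so they are labelled rather than reversed, and which decoded values are meaningful is for the investigator to judge.

```python
import base64
import binascii
import re

BITS = re.compile(r"^[01]+$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_component(part: str):
    """Return (kind, decoded) for one path component; decoded is None when nothing is recoverable."""
    # Binary first: a 32-character run of 0/1 also matches the hex pattern below.
    if BITS.match(part) and len(part) % 8 == 0:
        chars = [chr(int(part[i:i + 8], 2)) for i in range(0, len(part), 8)]
        if all(c.isprintable() for c in chars):
            return ("binary-ascii", "".join(chars))
    if HEX32.match(part):
        # Digest-shaped: cannot be reversed, only recognised (or matched against candidate words).
        return ("md5-like", None)
    if B64.match(part) and len(part) % 4 == 0:
        try:
            text = base64.b64decode(part, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ("plain", part)
        # Ordinary words like "Info" pass the regex but decode to junk; keep only clean text.
        if text and all(c.isprintable() or c in "\r\n" for c in text):
            return ("base64", text.strip())
    return ("plain", part)


def decode_path(path: str):
    """Split a Windows-style path and classify every component."""
    return [(p, *decode_component(p)) for p in path.strip("\\").split("\\") if p]


def readable_path(path: str) -> str:
    """Rebuild the path with each recoverable component shown in decoded form."""
    out = []
    for part, kind, decoded in decode_path(path):
        if kind in ("base64", "binary-ascii"):
            out.append(f"{decoded} [{kind}: {part}]")
        elif kind == "md5-like":
            out.append(f"{part} [md5-like, not reversible]")
        else:
            out.append(part)
    return "\\".join(out)


# Paths as they appear in the report.
PATHS = [
    r"\Info\01110100011100100110100101110000\2767cc3ede7592a47bd6657e3799565c"
    r"\1c625cc86f824660a320d185916e3c55\63b04a371849694ef3864687adcb410a",
    r"\FYI_JackJobs\78cce544bc088ca5fea9c99fcae9d10f\4049cf76aecd83e075d7b9c12d082625"
    r"\do_not_open\bmV3IGZvbGRlcjMNCg==\MTQvMDYvMjAxOA==\c2VuZCB0byB2bGFkYW1pcg==\The_Day.txt",
    r"\files\ZmlsZXM=\System_Files\Music\Catalogue.pdf",
    r"\files\c3R1ZmY=\journey\info\print_this\Directions.7z",
]

if __name__ == "__main__":
    for p in PATHS:
        print(readable_path(p))
    print(decode_component("bWVsdg=="))
```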

Vladamir_Petrov_SE

A social engineering report on Vladamir, created by ‘Melv the hacker’ for Geoff, is contained within this file. The report details Melv’s findings from the social engineering attack, providing the Facebook credentials of Vladamir’s account, for which the investigators will require a warrant. From the report, the investigators will be able to obtain a warrant, as it is sufficient evidence that pornography may exist within this profile; however, once they obtain the warrant and investigate, they will see that all of the content is legal. It is from this profile, however, that the leverage of Vladamir’s grandma is identified, which was used in the previous evidence discussed, the final email to ensure he doesn’t back out.

This is a PDF that has been locked with the password “bWVsdg==”, which is the base64 encoding of “melv”. To provide a further clue, the password is hidden within the slack space of the email chain between the two of them that was exposed earlier.

File Location: \FYI_JackJobs\service\details\result\report\Vladamir_Petrov_SE.pdf

Screenshot of Evidence:

Additional Files

In addition to all of the case-related evidence files included on this device, a number of unrelated files have also been added to ensure the evidence blends in with the usual files. Although these are not evidence, they have all been hidden in a similar fashion to the evidence files, offering a distraction from the genuine files. Many of these are simple image files or text files containing encrypted text. Many of the image files are humorous images, making it clear to the investigators that these files are not to be considered evidence; however, many are case-related, such as mentioning Russia, Moscow or explosives. Some of these images are simply of other places and are used to complete the gallery-style folders and mix with the image files detailed in the evidence section. Furthermore, many of the text files simply contain encrypted riddles obtained from various web sources, again making it clear to the investigator that these are irrelevant files. Finally, some MP3 files have been included to complete the ‘Music’ folder and make the evidence file located there appear realistically placed. Overall, it is important to conclude that this material has no impact on the case itself and is not related to it.

Individual Evaluation and Reflection

Overall, this was one of the more enjoyable experiences of completing a coursework. I believe that we did underestimate the time it would take to complete this, as we had never completed tasks such as creating evidence and hiding it before. There was a small case of having to re-learn how to use some of the tools, but this was a quick task, as once I played with them I was on my way. Once we had started to create a structure of what the crime was, how it was committed, a target, etc., then everything started to flow better. Ideas and different ways to hide the evidence became clearer and more cunning.

Having to hide files like a criminal did seem like a fun task, thinking how certain bits of evidence would never be found; however, there was a moment when reality hit. Forensic investigators have a huge job on their hands. There are many tools out there that do make hidden files near impossible to find. Yes, it was fun hiding and hoping that no one finds the evidence, but this is a regular occurrence that criminals will undertake to not get caught. From the experience of hiding the evidence, it did make me wonder what crimes are out there, being electronically stored, that will probably never be uncovered due to the techniques available to prevent being caught and the timescales forensic investigators must work towards. In addition to this, it makes me think what the point is in committing these crimes, as hiding evidence well takes a long time and effort.

In addition, there was another hindsight moment: with the knowledge we have as forensics students, the criminals that do undertake the hiding of evidence have to have a certain degree of intellect. That’s where it does become a battle of minds with the covering and uncovering of evidence. Obviously, there are a fair amount who are obnoxious and believe they will never get caught, who always end up being caught.

Having now had to play both sides of the coin, in the next coursework of having to uncover evidence again, I now believe I can put my mind in the head of the criminal. I am now aware of the tools that can be used and the techniques that are used. I can now think “how would I have hidden that”, “that file extension would not fit that type of file”, etc.

I do wish that we had started working on this coursework earlier. There are so many new ideas that kept coming to mind towards the due date. I would include the tampering of registry files and the inclusion of hidden partitions. This would have bolstered the hiding techniques to a bigger variety than already included.

In summary, I have learned a new approach to forensic investigations in being able to think in different mindsets for my approach. I have also learned that there are different tools that can complete the same task; for instance, folders can be hidden within system files or within images. I have also gained a new-found respect for what forensic investigators have to do. They have to go off basic short pieces of information to uncover a web of evidence.

Murder case

Student from University of Greenwich

Part One:

Your group will be given a crime that you must create the evidence for.

We have been assigned the ‘Murder’ case for this coursework.

Create a biography for the case – Write an overview of the crime and how this person/persons were arrested. You should also include the details of all equipment seized for the forensics investigators, with dates and times. It should also include the names of any criminals and associates. These names must also be present in the evidence to facilitate a search using forensics tools. Details of the arrest should also be included.

1. Introduction:

1.1 Nature of Incident

Cindy and Derek Slaughter are a British couple who have been married for 10 years. Living in Blackheath, South East London, and raising two children, Derek is a self-employed painter and decorator whilst Cindy is the managing director of a small accounting firm in the City. Their sons, Ben and Jerry Slaughter, both attend primary school in the neighbouring town of Lewisham.

Additional individuals involved in this case include Bernard and Michelle Slaughter. Bernard is a Technical Solutions Specialist for Raytheon UK and Michelle works in a book shop in Lewisham, the area where they live. Bernard is the brother of Derek and has been married to Michelle for nearly eight years. At the time of documenting this incident, Derek was 36 years of age and Bernard was 34 (born in 1981 and 1983 respectively).

Despite Derek and Cindy being married for an extended period, Cindy has consistently fallen victim to physical and mental abuse from her husband over the past five years. Derek has been reported to the police on multiple occasions by Cindy’s family members and had been charged with counts of Grievous Bodily Harm (GBH) prior to this incident.

On the morning of 05/12/2017, one Cindy Slaughter was found dead on the river bank in front of the University of Greenwich gates, near the Cutty Sark ship on the south side of London. Cindy was not wrapped in any sheets or coverings but laid bare among the rubble at the foot of the River Thames.

Following the retrieval of Cindy’s body, Derek was arrested at the family home that same morning, taken into custody and questioned. Derek is being treated as the primary suspect given his track record of abusing Cindy, which appears to be the only motive to murder Cindy, according to officers. Derek also claims to be the last person to have seen Cindy, on the morning before her body was found, when she left the house to go to work. At this stage, Derek has not provided any information or a confession about this murder.

1.1.1 Location

The body was located in front of the University of Greenwich on the south side of the River Thames. However, detectives indicated that Cindy’s body may have been disposed of at least the evening before she was found, at a location west of the University, as her wounds were still relatively fresh. The body was also not decomposed. An image of the location of the body is as follows:

Two critical pieces of evidence have been retrieved, both from the primary suspect and from the family home, which was searched by police officers following the arrest. The first piece of evidence was an iPhone 5 mobile device found on Derek’s person and the second was a Universal Serial Bus (USB) device identified on a desk in the family home next to a desktop computer. At the time of retrieval, the USB device was not plugged in and the desktop was switched off. A forensic image of the USB’s contents needs to be made for investigation.

2. Victims:

2.1 Victim Details

Cindy Slaughter is the victim of a murder, with Derek Slaughter the potential assailant. Derek is the primary suspect in this investigation, having been found guilty of previous offences. This will lead to an additional investigation into Bernard, who reported the sighting of the dead body to the police.

The victim was found washed out from the tide on the edge of the river bank of the Thames, in plain sight and fully clothed. However, there were serious blood stains on Cindy’s clothes. She was found to have two lacerations, one to her abdomen and one to her chest.

The timeframe for the victim’s body retrieval and the arrest of Derek on 5/12/2017 are as follows:

07:30 Police receive a phone call from Bernard telling them that he has identified a body on the river bank of the Thames in front of the University of Greenwich.

07:45 Two first responder police officers and paramedics arrive at the scene. After a short deliberation, the victim was declared dead by paramedics.

07:55 Officers call in a homicide unit to conduct a physical forensic investigation to identify the body and cause of death.

08:05 Bernard was taken in a police car to the local station for questioning over the discovery of the body.

09:00 Investigators declare that the victim was murdered, following stab wounds to the abdomen and chest. They also explain that the body was recently washed up on the river bank and that the victim was murdered approximately 18-24 hours prior to the investigation. Investigators also find a small purse in the victim’s jacket pocket containing a UK driving licence. The licence gave the details of a Cindy Slaughter who resided at an address in Blackheath, London.

09:30 Detectives visit Cindy’s home and find Derek in the house with their two sons. Derek was arrested on suspicion of murdering Cindy, given his track record and potential motive, so that he could be questioned at the police station. Derek’s possessions, including his iPhone 5 mobile device, were seized immediately.

13:00 After an in-depth search of the family home, a USB device was seized from the property as part of a digital forensic investigation in association with the iPhone 5 device belonging to Derek.

15:00 Following news coverage of this incident, detectives receive a call from a neighbour of Bernard who spotted Cindy leaving Bernard’s house the evening before her body was found in the Thames. Bernard is retained in custody for further questioning.

2.2 Evidence Description

2.2.1 System, Network, Server Descriptions

No direct computer system, network or server activity has been captured or assessed during this forensic investigation. Only the USB and iPhone 5 devices belonging to the suspect have been temporarily repossessed from Derek’s home residence. The USB device’s contents have been saved in the form of an ‘AD1’ image, which needs to be examined for the investigation. Every page of the iPhone 5 mobile device must be photographed before any investigation takes place. A comparison of the SHA256 hash values will take place at multiple points during the imaging process. This ensures that all actions have been carried out legitimately, with no evidence contaminated during the process by the forensic investigator.

2.2.2 USB Device

Disk Drive Type: USB Drive

File System Type: FAT 32

Disk Drive Name: NO_NAME

Disk Capacity: 14.4 GB

Allocation Space: 758 MB

Free Space: 13.6 GB

2.2.3 iPhone 5 Mobile Device

Device Type/Version: 10.3.3 (14G60)

Device Name: iPhone

Device Capacity: 13.08 GB

Allocation Space: 2.92

Free Space: 9.7 GB

2.2.4 Book

Device Type / Version: Hardcover Published Book

Device Name: Action and Reaction – The Life and Adventures of a Couple

ISBN: 1-890951-20-X

2.2.5 Pencil Case

Device Type / Version: Pencil Case

Device Name: Black Eastpak Pencil case with two additional buttons attached.

Contents: Pens (11), Pencils (3), Eraser (1), Highlighter (2), Sharpener (1), Stylus (1).

2.2.6 Camera

Device Type / Version: Disposable Camera

Device Name: N/A

2.3 Seizure Details

2.3.1 Seizure of iPhone

Derek’s iPhone 5 mobile device was seized upon his arrest at his house. The device was already switched off and was placed in a forensic evidence bag for investigation at the police station.

2.3.2 Seizure of USB

The USB device was found on the desk by the desktop computer in the family home. According to Derek, he believed that this USB device belonged to Cindy, who used it for work-related purposes. This was also placed in a forensic evidence bag and labelled for investigation.

2.3.3 Seizure of Book

The book, ‘Action and Reaction – The Life and Adventures of a Couple’, was found positioned on top of the desktop computer in the family home. Derek claimed ownership of this book but emphasised that his late wife, Cindy (the victim), was currently reading it.

2.3.4 Seizure of Pencil Case

The pencil case was discovered on Derek’s person upon his arrest. Its contents have not been removed, and auditing or documentation should be carried out prior to any examination.

2.3.5 Seizure of Camera

A camera was discovered when searching the vehicle belonging to Derek Slaughter. The film has not yet been developed, although all photos have been used. It is evident that the camera has been opened and the film removed.

You should have a reasonable amount of easy evidence (minimum 10 to 15), some of middling difficulty (minimum 5 to 10) and a small amount of challenging evidence (minimum 5). You should include a few “red herrings”. Summarise this in a table for your interim report, including the level of difficulty, the passwords and the tool used.

3. Table of Evidence:

The following table presents a high-level view of the evidence collected for this case, including the folder structures of the USB device and placement of physical evidence. The table lists all the easy, medium and hard pieces of evidence in this case plus any red herrings, clues and filler files used to place around the core evidence files.

To summarize the above table, we have 14 pieces of easy evidence, 10 medium and 6 hard. This totals 30 pieces of core evidence overall. In addition, there are 15 files that act as clues, 45 files acting as fillers and 14 red herrings. After speaking to Diane, we were advised that it was not necessary, and we would not lose any additional marks for not including the registry files associated with the encrypted files or containers.

Create your given crime using any tools as appropriate and thoroughly document this activity (step by step) in such a way that someone could follow your instructions and reproduce your results.

4. Evidence Overview:

The Evidence ID numbers listed throughout the documentation part of this report correspond to the cell IDs of the table in section three.

4.1 Logical Evidence Overview:

4.1.1 Evidence ID: 7

Brief Description:

This is an image of a high-rise block of flats with a hidden text file behind it. The text file is written as a base64 encoded message, which requires the use of an online tool to uncover it. The password for this text file can be found elsewhere within the evidence case file.

Method of Detection:

1. Upon obtaining access to the USB after entering its encryption password, you will be presented with a combination of 11 files and folders. One of the files is called ‘availabilityblock.bmp’, which appears to be an image of a high-rise block of flats, as per the above screenshot.

2. As the image is stored in ‘.bmp’ format, ‘Stools.exe’ is required to reveal the hidden text file. This is a form of steganography, where the image is password-protected and contains an easy piece of evidence. The password for this file is: D1R7Yli771353CR37. Coupled with this, you are required to select ‘3DES’ (Triple DES) as the encryption format in order to discover the contents of the file behind the image. The password D1R7Yli771353CR37 is linked to a clue that is described later in this document, named ‘slideshow(see_behind).pptx’.

3. After entering the password and encryption format correctly, you are presented with ‘Availability.txt’. This

is a text file containing a base64 encoded message as per the following screenshot:

4. Translate the base64 encoded message using the following website: https://www.base64decode.org/.

Copy and paste the message into this website, and you are presented with the following outcome: Michelle

is out this evening. Come to my house when you're available. Set the decoding format to ‘ISO-8859-2’.

4.1.2 Evidence ID: 9

Brief Description:

The ‘Partition.exe’ file has been included as a red herring in an attempt to mislead the investigators into focusing their attention and resources here, rather than on other pieces of genuine evidence. When the program starts, it will prevent an investigator from running Task Manager and will kill any current instances. Upon selection of the ‘Yes’ or ‘No’ button, the investigator will first be presented with an appropriate message and then with a percentage progress bar. This progress bar increments every second and stops once it hits 100%. Upon reaching 100%, the program enters an infinite loop creating Windows message boxes stating ‘Critical Error Detected. Please Reboot Without Mass Storage’. It should be reiterated that this program does not cause any damage and is classified as scareware, although it reduces the computer’s processing speed because it is resource intensive.

Method of Detection:

1. Gain access to the USB

2. Run Partition.exe in the root USB directory

3. Attempt to terminate the process

4. Review the Partition.exe Product name and Product version via Right click > Properties or when opened in a text editor

4.1.3 Evidence ID: 10

Brief Description:

The ‘Customer.7z’ compressed folder is a password protected folder which is used to host the following three files: ‘131 Techno Terrace.xlsx’, ‘Wall Cleaning.pdf’ and ‘Blood Stain Removal.pdf’, which are described in the following descriptions. As the contents of this folder comprise two easy pieces of evidence and one red herring, we have decided to password protect the file with ‘rjX5bbq576’, which is stored within the Password subdirectory located within the ‘My Calculator’ application. This is documented in more detail later in this report.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to Files Subdirectory

4. Navigate to Password File

5. Decompress ‘Customer.7z’ Folder with the correct password

4.1.4 Evidence ID: 11

Brief Description:

The Microsoft Excel document ‘131 Techno Terrace.xlsx’ contains four sheets: ‘PD Invoice’, ‘Personal Income’, ‘Materials’ and ‘Sheet 4’. The first two sheets relate directly to Derek’s work and have been used to hide the third sheet, which describes the materials used to carry out the murder of Cindy Slaughter. We have classed this as easy evidence due to the simple procurement methods required and the circumstantial nature of this evidence.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to Files Subdirectory

4. Navigate to Password File

5. Decompress ‘Customer.7z’ Folder with the correct password

6. Open ‘131 Techno Terrace.xlsx’

7. Navigate to the ‘Materials’ sheet

4.1.5 Evidence ID: 12

Brief Description:

The wall cleaning PDF is included within the password protected ‘Customer.7z’ compressed file. This document refers to cleaning a variety of items from a wall. This document has not been included in the evidence list, as Derek’s occupation is a full-time painter / decorator and he would be required to remove stains from walls. However, the document has been hidden in order to mislead the investigators into believing that hints may be drawn from this file.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to Files Subdirectory

4. Navigate to Password File

5. Decompress ‘Customer.7z’ Folder with the correct password

6. Open ‘Wall Cleaning.pdf’

4.1.6 Evidence ID: 13

Brief Description:

The ‘Blood Stain Removal.pdf’ has been incorporated as an easy piece of evidence. This document details information on how to remove any blood stains. This evidence should be linked with other pieces to identify that Derek stabbed Cindy twice in the torso. This file has been password protected and included within the ‘Customer.7z’ file.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to Files Subdirectory

4. Navigate to Password File

5. Decompress ‘Customer.7z’ Folder with the correct password

6. Open ‘Blood Stain Removal.pdf’

4.1.7 Evidence ID: 14

Brief Description:

The ‘Gun Magazine.pdf’ file is a red herring and has been included to mislead the investigation of this case. This piece of evidence is not related to the case, as the synopsis clearly states the victim was found with ‘stab wounds to the chest and abdomen’. In addition, firearms are not identified as having had any relevance to the murder.

Method of Detection:

1. Gain access to the USB

2. Open “Gun Magazine.pdf” located in the root directory of the recovered USB drive.

3. Re-read the case synopsis to identify the cause of death.

4.1.8 Evidence ID: 15

Brief Description:

‘PasswordList.txt’ is an additional red herring: a list of 100 alphanumeric passwords that hold no relevance to the case. The purpose of including these is to deter investigators from obtaining any correct passwords, to distract them and to slow down the investigation.

Method of Detection:

1. Gain access to the USB

2. Open the ‘Password List.txt’ file in the recovered USB root directory

4.1.9 Evidence ID: 16

Brief Description:

This email details a conversation between the two brothers, describing the use of cleaning equipment related to the murder that is being plotted. The email was written and saved in Google Mail, but downloaded to the USB as a PDF. No passwords are required to open the file.

Method of Detection:

1. The PDF document can be found in the ‘Bernard’ folder, stored on the USB. Upon opening the file, you are presented with an email from Bernard to Derek.

2. Note: the five Word documents that are attached to the email within the PDF document are not located anywhere in this case’s evidence files. They just contribute to the same piece of easy evidence as per the above screenshot.

4.1.10 Evidence ID: 17

Brief Description:

This file is classified as a clue among our evidence files. It is an image of the University of Greenwich campus, the location where Cindy’s body was found washed up on the embankment. However, this image does not display a dead body; rather it is masked with a 16 x 6 grid containing references placed around it as per the above screenshot:

Method of Detection:

1. The image file has two red boxes located within the grid. The small box on the left-hand side is positioned within grid reference E4. The larger box on the right-hand side is positioned across many grid references. In the case of this evidence, the two references of importance are E9 and FF. The three references are combined to make a password for the mobile phone vault application, called ‘My Calculator’.

2. Change the three grid references from hexadecimal to standard numerical format as per the following:

E4 = 56

E9 = 126

FF = 255

3. Open ‘My Calculator’ in the mobile phone, and add the three numbers together before pressing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of medium evidence files.

4.1.11 Evidence ID: 18

Brief Description:

The ‘Single.bat’ file has been used to switch off the investigator’s computer. The purpose of including this file is to identify when an unauthorised user has attempted to gain access and, in doing so, executes a fake ‘deletion script’. However, because contents could potentially be moved to personal USB devices, we have simply executed a shutdown command as follows: ‘shutdown -s -f -c “An unexpected error has occurred. Restarting your computer.”’

Method of Detection:

1. Navigate to the Bernard subdirectory and execute the ‘Single.bat’ file.
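The batch files in this case (‘Single.bat’ here and the renamed copy ‘Bernard.bat’ in Evidence ID 76) shut the examiner’s machine down as soon as they run. The following script is an added example, not part of the case study or its authors’ work: it reads a recovered .bat file statically and flags the commands an examiner would want to know about before anything is executed. The sample batch text is constructed around the shutdown line quoted above, and the list of flagged commands is an assumption rather than a complete catalogue.

```python
"""Static triage of a recovered Windows batch file before anyone runs it.

Added example, not part of the original case study. The safe way to learn
what a .bat does is to read it, never to run it from the evidence drive.
This script tokenises each command line and flags commands that change the
state of the examination machine. The sample script is constructed around
the shutdown line quoted in the case description.
"""
import re

# Commands worth flagging in a recovered batch file and why (assumed list).
FLAGGED_COMMANDS = {
    "shutdown": "powers off or reboots the host",
    "del": "deletes files",
    "erase": "deletes files",
    "rd": "removes directories",
    "rmdir": "removes directories",
    "format": "formats a volume",
    "reg": "edits the registry",
    "vssadmin": "manipulates shadow copies",
    "cipher": "can wipe free space",
    "diskpart": "repartitions disks",
}

# Constructed sample: the shutdown command quoted in Evidence ID 18 plus a
# comment and an echo, so the parser has something to skip and something to flag.
SAMPLE_BAT = r'''@echo off
REM fake deletion script
echo Deleting files...
shutdown -s -f -c "An unexpected error has occurred. Restarting your computer."
'''

_COMMENT = re.compile(r"^(rem\b|::)", re.IGNORECASE)


def parse_batch(text):
    """Yield (line_no, command, argument_string) for each executable line.

    REM and :: comments and blank lines are skipped; the leading '@' that
    suppresses echo is stripped so 'echo' and '@echo' look the same.
    """
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or _COMMENT.match(line):
            continue
        parts = line.lstrip("@").split(None, 1)
        if not parts:
            continue
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        yield no, cmd, args


def triage(text):
    """Return findings as (line_no, command, reason, arguments) tuples."""
    findings = []
    for no, cmd, args in parse_batch(text):
        base = cmd.split(".")[0]  # 'shutdown.exe' -> 'shutdown'
        if base in FLAGGED_COMMANDS:
            findings.append((no, base, FLAGGED_COMMANDS[base], args))
    return findings


def shutdown_message(args):
    """Extract the text shown to the user from a 'shutdown ... -c "..."' argument string."""
    m = re.search(r'-c\s+"([^"]*)"', args)
    return m.group(1) if m else None


if __name__ == "__main__":
    for no, cmd, reason, args in triage(SAMPLE_BAT):
        print(f"line {no}: {cmd} ({reason}): {args}")
```

Run against the constructed sample, the only finding is the shutdown on line 4, and the quoted comment text is the message the investigator would have seen on screen. Reviewing a script this way, on a copy of the file and not by double-clicking it, is what the ‘open in a text editor’ steps elsewhere in this report amount to.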

4.1.12 Evidence ID: 19

Brief Description:

This is an encrypted folder containing two files hidden within it, stored in the ‘Bernard’ folder of the USB as per the above screenshot.

Method of Detection:

1. Right-click on ‘Surprise.7z’ and under ‘7-zip’, choose ‘Extract here’. Enter the password ‘10595’ when prompted and wait for the two files to be successfully extracted. The password can be found in the bay window of the Audi TT car in ‘Alterior Motives.tt’, representing the price of the car.

2. The two files extracted after entering the password are listed in the following screenshot:

4.1.13 Evidence ID: 20

Brief Description:

This file was also extracted after entering the password for ‘Surprise.7z’. It is a code listing for a random computer program.

Method of Detection:

1. The 3rd line of the file, which is commented out, contains a definition called ‘_PASSWORD_FOR_VM_’. However, this is a red herring and has no relevance to the case or evidence files at all, as per the above screenshot.

4.1.14 Evidence ID: 21

Brief Description:

Mounting and decrypting an encryption container is the most significant part of this case, as it leads to key pieces of evidence which are all classified as hard. VeraCrypt, an upgrade from the previously cracked TrueCrypt, has been used to create a volume that acts as an encryption container. This is password protected and requires VeraCrypt to mount the drive and reveal the hidden file. The file that has been hidden is ‘Bernard.ova’, a Linux Virtual Machine (VM) created on Oracle VirtualBox. The Linux VM contains additional hard pieces of evidence, with a series of additional passwords required to progress further into the case. The encryption container file, which appeared after unlocking the ‘Surprise.7z’ folder, is called ‘ToAndFrom’.

Method of Detection:

1. Install VeraCrypt using the ‘VeraCrypt Setup 1.21.exe’ installer found in the ‘Software’ folder of the USB. This must be done on a computer that has administrative access

2. Run VeraCrypt and click ‘Mount Drive’ after clicking on drive ‘W:’

3. Select the ‘ToAndFrom’ encryption container file

4. Enter the password ‘C1NDYS1AUGH1ER’ to successfully mount the file to the drive

5. Go to the ‘W:’ drive in Windows File Explorer and uncover the ‘Bernard.ova’ file located there

6. Open ‘VirtualBox’, using a machine that has administrative access, before loading in the ‘Bernard.ova’ file and running it to begin the Linux side of the investigation.
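Importing and booting an OVA from a mounted container changes the guest disk, so the check a practitioner wants at this step is a hash record of the extracted artefacts taken before the VM is started, which can be re-verified afterwards. The module below is an added example and is not part of the case study: it builds a SHA-256 manifest of every file under a directory, saves it, and later reports anything modified, missing or new. The directory layout it hashes is constructed in a temporary folder with assumed names (a placeholder ‘Bernard.ova’ made of zero bytes), not the real mounted ‘W:’ drive.

```python
"""SHA-256 manifest for artefacts pulled out of a mounted evidence container.

Added example, not from the case study. Build the manifest before the VM is
imported or booted, keep it with the case notes, and re-verify whenever the
extracted files are touched. The fixture directory is constructed here with
assumed names and placeholder content.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory against a saved manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write_manifest(manifest, path):
    """Write 'digest  path' lines, the same layout sha256sum uses."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def make_fixture():
    """Constructed stand-in for the mounted volume (assumed names, placeholder bytes)."""
    root = tempfile.mkdtemp(prefix="mounted_volume_")
    os.makedirs(os.path.join(root, "vm"))
    with open(os.path.join(root, "vm", "Bernard.ova"), "wb") as f:
        f.write(b"\x00" * 4096)  # placeholder, not a real OVA
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("constructed sample\n")
    return root


def demo():
    """Record a manifest, simulate the image being altered by a first boot, re-verify."""
    root = make_fixture()
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="case_notes_"), "manifest.sha256")
    write_manifest(build_manifest(root), manifest_path)
    with open(os.path.join(root, "vm", "Bernard.ova"), "ab") as f:
        f.write(b"guest disk modified by first boot")  # constructed change
    return verify_manifest(root, read_manifest(manifest_path))


if __name__ == "__main__":
    print(demo())
```

The manifest uses the two-space `digest  path` layout, so the same file can be checked with `sha256sum -c` on a Linux examination host without this script.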

4.1.15 Evidence ID: 22

Brief Description:

Once the ‘Slaughter.ova’ has been revealed, the investigators will need to mount the snapshot of the encrypted VM and attempt to boot it. The VM will then prompt the investigators for an encryption key and user credentials. After successfully achieving this, multiple pieces of evidence will be available. The evidence contained within this VM is all considered hard due to the steps required to obtain it. Evidence includes: ‘.withLove.dat’, ‘youFoundMe.txt’, ‘.confessionsOfAnAlocholic’, ‘conspiracyNotes.conf’, ‘theEnd’ and ‘cindyMyLove.sh’. These pieces of evidence require different levels of permission and are in different directories.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

4.1.16 Evidence ID: 23

Brief Description:

The hidden document ‘.withLove.dat’, within Bernard’s Documents directory, is a letter which Cindy intends to send to her soon to be ex-husband Derek. She has included the letter on the VM so that the draft can be read by Bernard, given her current concern about Derek’s wellbeing.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)

8. Navigate to ‘/home/Bernard/Documents/’

9. Open ‘.withLove.dat’

4.1.17 Evidence ID: 24

Brief Description:

The file ‘youFoundMe.txt’ contains a private message from the victim, Cindy, to Bernard. It details her concerns about Derek falling into his old habits and relying on alcohol again. The message suggests that she is uncertain due to the wide range of receipts she discovered. It later goes on to detail that she intends to confront him about his drinking issue. This file has been stored within a hidden subdirectory.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)

8. Navigate to ‘/home/Bernard/.tmp/’

9. Open ‘youFoundMe.txt’

4.1.18 Evidence ID: 25

Brief Description:

‘.confessionsOfAnAlcoholic’ is a secret message written by Cindy to her secret lover Bernard, Derek’s brother. This document details how the two, who are having an affair (something commented on several times throughout the case), intend to leave both partners and elope elsewhere. This file also references the file documented in Evidence ID: 23. ‘.confessionsOfAnAlcoholic’ is password protected by Bernard’s password and hidden within the root directory.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)

8. Obtain Root Permissions

9. Change to the ‘/root/’ directory and open the ‘.confessionsOfAnAlocholic’ file

4.1.19 Evidence ID: 26

Brief Description:

A substitution cipher has been included within the VM. The key for this cipher was hinted at within Evidence ID: 11. When decoded, the cipher translates to: ‘Hey D, I don’t think what you are planning is a good idea. You should be very careful with how you are messaging me. Stop talking over emails and I’ll give you a call tomorrow evening. Just hang in there for now. B’. This is to show the murder was organized and planned.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)

8. Obtain Root Permissions

9. Navigate to the /etc/ directory and open the file ‘’

10. Change permissions so the file is readable by either the owner or users

11. Open the file
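The cipher hinted at above is a monoalphabetic substitution. The following module is an added example, not the case’s own cipher or key: the page does not reproduce the hint from Evidence ID 11, so the keyword used here (‘EXAMPLE’) is an assumed stand-in, and the quoted message is used only to show the round trip. It builds a keyword-mixed alphabet, encrypts and decrypts while leaving punctuation and case intact, and ranks letter frequencies, which is the first step an examiner takes when the key is not available.

```python
"""Monoalphabetic substitution cipher: key construction, decryption and a
frequency check.

Added example, not from the case study. The keyword 'EXAMPLE' is an assumed
stand-in for the real key, which the page does not reproduce. MESSAGE is the
plaintext quoted in Evidence ID 26 and is used only for the round trip.
"""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

MESSAGE = ("Hey D, I don't think what you are planning is a good idea. "
           "You should be very careful with how you are messaging me. "
           "Stop talking over emails and I'll give you a call tomorrow evening. "
           "Just hang in there for now. B")


def make_key(keyword):
    """Keyword-mixed alphabet: deduplicated keyword letters first, then the rest.

    Returns a dict mapping each plaintext letter to its ciphertext letter.
    """
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))


def _apply(text, table):
    out = []
    for ch in text:
        up = ch.upper()
        if up in table:
            sub = table[up]
            out.append(sub if ch.isupper() else sub.lower())
        else:
            out.append(ch)  # digits, punctuation and spaces pass through unchanged
    return "".join(out)


def encrypt(plaintext, key):
    return _apply(plaintext, key)


def decrypt(ciphertext, key):
    """Invert the plaintext->ciphertext table and apply it."""
    return _apply(ciphertext, {c: p for p, c in key.items()})


def letter_frequencies(text, top=5):
    """Most common letters in text, ignoring case and non-letters.

    English plaintext is usually led by E, T, A, O; in the ciphertext their
    substitutes lead instead, which is how a missing key is recovered by hand.
    """
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return [letter for letter, _ in counts.most_common(top)]


if __name__ == "__main__":
    key = make_key("EXAMPLE")
    ct = encrypt(MESSAGE, key)
    print(ct)
    print(letter_frequencies(ct))
    print(decrypt(ct, key) == MESSAGE)
```

With the assumed keyword the table starts A→E, B→X, C→A, D→M, so ‘Hey D,’ becomes ‘Cpy M,’. Because the substitution is a bijection that preserves letter order, the most frequent ciphertext letter is always the image of the most frequent plaintext letter, which is what the frequency helper exposes.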

4.1.20 Evidence ID: 27

Brief Description:

Included within the ‘/tmp/’ directory on the Linux VM is a suicide note left by Derek. He has detailed how he is struggling with life and the issues within the relationship. This is meant to identify that Derek is not currently in a good mindset and intends to take his own life. A crucial part of why Derek changed his mind was the discovery of Evidence ID: 25, which led to the murder of Cindy with the help of Bernard.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)

8. Obtain Root Permissions (49:62:BD:26:A0:49)

9. Change to the ‘/tmp/’ directory and open the ‘theEnd’ file

4.1.21 Evidence ID: 28

Brief Description:

Upon successful decryption of the Linux VM and entry of the correct login details, the investigators will be prompted to enter a further password. We have intentionally not included any hints to the identification of this password in other pieces of evidence. As the password used will be in the majority of publicly available rainbow tables, we did not think this necessary. However, should the investigators enter anything other than ‘Password’, then a red herring message will be displayed to them stating ‘Files changed. Please revert back to see original content.’ In contrast, should the correct password be entered, then a hint will be revealed stating ‘You’ll need root permissions for this next phase, etc...’, referencing the directory ‘/etc/’ where a piece of evidence may be found.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard

3. Identify and unlock ‘Surprise.7z’

4. Mount and decrypt ‘Slaughter.ova’

5. Enter Decryption Key ‘013418006744691’

6. Enter Credentials (Username: ‘bernard’ Password: ‘90762852106’)

7. Enter Red Herring Credential (‘Password’)
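Evidence IDs 22 to 28 hide files inside the Linux VM in three ways: dot-prefixed names or directories that a plain listing omits, a file only its owner can read, and a file with no read permission at all that must be re-permissioned before it opens. The module below is an added example (not the case authors’ code) that enumerates each of those conditions over a filesystem tree; the tree it walks is constructed in a temporary directory using the paths named in this report, with placeholder contents, rather than the real VM image.

```python
"""Enumerate files a casual listing of a Linux guest would miss.

Added example, not from the case study. The fixture tree reproduces the
paths named in Evidence IDs 22-28 (constructed content, assumed modes);
the three finders report dot-hidden files, owner-only files and files
with no read bit at all.
"""
import os
import stat
import tempfile

# Relative path -> (placeholder content, permission bits). Assumed modes.
FIXTURE_LAYOUT = {
    "home/Bernard/Documents/.withLove.dat": (b"draft letter\n", 0o644),
    "home/Bernard/.tmp/youFoundMe.txt": (b"private message\n", 0o644),
    "root/.confessionsOfAnAlcoholic": (b"secret message\n", 0o600),
    "etc/conspiracyNotes.conf": (b"ciphertext\n", 0o000),
    "tmp/theEnd": (b"note\n", 0o644),
    "etc/hostname": (b"bernard-vm\n", 0o644),  # ordinary file, should not be flagged
}


def make_vm_fixture():
    """Create the constructed tree under a fresh temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="vm_root_")
    for rel, (data, mode) in FIXTURE_LAYOUT.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)  # chmod after writing so 0o000 files can still be created
    return root


def walk_files(root):
    """Yield (relative POSIX path, absolute path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def find_dotfiles(root):
    """Files a plain 'ls' hides: the name or any parent directory begins with '.'."""
    return sorted(rel for rel, _ in walk_files(root)
                  if any(part.startswith(".") for part in rel.split("/")))


def find_unreadable(root):
    """Files with no read permission bit for anyone (must be re-permissioned to open)."""
    readable = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH
    return sorted(rel for rel, full in walk_files(root)
                  if not os.lstat(full).st_mode & readable)


def find_owner_only(root):
    """Files readable by their owner but by neither group nor others (needs root or owner)."""
    out = []
    for rel, full in walk_files(root):
        mode = os.lstat(full).st_mode
        if mode & stat.S_IRUSR and not mode & (stat.S_IRGRP | stat.S_IROTH):
            out.append(rel)
    return sorted(out)


if __name__ == "__main__":
    root = make_vm_fixture()
    print("hidden:", find_dotfiles(root))
    print("owner-only:", find_owner_only(root))
    print("unreadable:", find_unreadable(root))
```

The permission checks read the mode bits with `os.lstat` rather than asking `os.access`, because an examiner working as root would be told everything is readable and the 0o000 case, the one the report says needs a `chmod` before opening, would never be reported.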

4.1.22 Evidence ID: 30

Brief Description:

A clue has been inserted into the comments of the ‘Wishy Washy.rtf’ file, which has been base64 encoded. To decipher this clue, the investigators will need to use an online converter (https://www.base64decode.org/) to reveal the message ‘Just to let you know, it'll all wash up in the end in E9’. This corresponds to one of the mappings required to unlock the My Calculator application. The document’s several pages are intended to act as a red herring, as is the message ‘Ubuntu’ in the header.

Method of Detection:

1. Gain access to the USB

2. Navigate to Bernard Subdirectory

3. Open ‘Wishy Washy.rtf’

4. Select Review and change the markup of the document to ‘All Markup’

4.1.23 Evidence ID: 39

Brief Description:

The ‘21. VHS Credits.aiff’ file is a renamed copy of Evidence ID: 9 with an alternative file extension. This piece of evidence has been included to delay the investigators. A detailed explanation of this program’s operation can be found in the brief description of Evidence ID: 9. It should be reiterated that this program does not cause any damage and is classified as scareware, although it may significantly degrade system performance.

Method of Detection:

1. Gain access to the USB

2. Navigate to Music > 21. VHS Credits.aiff

3. Try to open the file

4. Change the file extension from .aiff to .exe

5. Run the application

6. Try to close/kill the program

7. Review the 21. VHS Credits.exe Product name, Product version and Original File name via Right click > Properties or when opened in a text editor

4.1.24 Evidence ID: 43

Brief Description:

There are 22 files stored within the ‘Music’ folder on the USB, all appearing to be ‘.aiff’ music files. However, there is one file that is significantly smaller in size compared to the rest, which is ‘Adam and Noah.aiff’ at 42 KB (track 12).

Method of Detection:

1. Change the file extension from ‘.aiff’ to ‘.pdf’

2. Upon changing the file extension and opening it, you will see a sample document for a divorce settlement. This represents the separation of Cindy’s marriage to Derek, as she has requested the divorce and sent the papers to him as per the following screenshot:

4.1.25 Evidence ID: 52

Brief Description:

The ‘Alterior Motives.tt’ image contains multiple pieces of critical information that are relevant to this case, in the form of clues. The most significant piece is the price of the Audi TT car, listed in the front window as £10,595 from an RAC dealership. As this car is located behind the main focal point, which is the Mini car, users need to look closely so they can read the price clearly. The value of the car is then used as a password for another area of the case. The ‘Surprise.7z’ folder requires the password ‘10595’ to unlock official pieces of evidence. However, to view the image appropriately and determine the nature of the password, users will need to change the file extension of ‘Alterior Motives.tt’ to ‘Alterior Motives.jpg’.

Method of Detection:

1. On the USB device, click on the ‘Pictures’ folder

2. Change the file extension of ‘Alterior Motives.tt’ to ‘Alterior Motives.jpg’

3. Open the newly adjusted image

4. Zoom in to the black Audi TT car in the background of the image and identify the value as ‘10595’

5. The above screenshot demonstrates the identification of the password from this clue after zooming in on the image

4.1.26 Evidence ID: 54

Brief Description:

This file can be found in the ‘Pictures’ folder, stored on the USB. Upon opening the file, you will be presented with an image of The London Eye, taken from Westminster Bridge as per the above screenshot.

Method of Detection:

1. As the image is stored in a ‘.bmp’ format, ‘Stools.exe’ is required to reveal a hidden text file. This is a form of steganography, where the image is password-protected and contains an easy piece of evidence. The password for this file is: Tm90aGluZyB0byBzZWUgaGVyZSB1bmZvcnR1bmF0ZWx5Lg==. This password is written using base64 encoding, and can be decoded via this link: https://www.base64decode.org/. If you translate this message back into its original state, it reads as Nothing to see here unfortunately. This phrase can also be found as a clue in the ‘Seeking.docx’ document, stored in the ‘Private’ folder of the USB. Coupled with this, you are required to select ‘DES’ as the encryption format in order to discover the contents of the file behind the image.

2. After entering the password and encryption format correctly, you are presented with ‘Knives.txt’. This is a text file containing a base64 encoded message as per the following screenshot sample:

3. The screenshot above demonstrates a sample of the encoded message. The full message is printed as follows:

QSBrbmlmZSBpcyBwcmltYXJpbHkgYSB0b29sIHVzZWQgZm9yIGN1dHRpbmcuIE9mdGVuIG1hZGUgdXAg
b2YgdHdvIHBhcnRzIGEga25pZmUgY29tcHJpc2VzIG9mIGEgaGFuZGxlIGFuZCB0aGUgYmxhZGUuIFRo
ZXkgY2FuIGJlIHVzZWQgaW4gbWFueSBhcHBsaWNhdGlvbiBzdWNoIGFzIG1lYWwgcHJlcGFyYXRpb24s
IGh1bnRbmcgYW5kIGNvbWJhdC4gS25pdmVzIGNvbWUgaW4gYWxsIHNoYXBlcyBhbmQgc2l6ZXMgcmFuZ
2luZyBmcm9tIHNtYWxsLCBmb2xkaW5nIGV2ZXJ5ZGF5IGNhcnJ5IGtuaXZlcyB0byA2IGluY2ggZml4Z
WQgYmxhZGUgY29tYmF0IGtuaXZlcyBpc3N1ZWQgdG8gc29sZGllcnMgaW4gdGhlIGFybXkuIEluIGFkZ
Gl0aW9uLCB0aGUgc2l6ZSBhbmQgc2hhcGUgb2YgYSBrbmlmZSB0aGV5IGNhbiBiZSBtYWRlIGZyb20gY
SB2YXJpZXR5IG9mIG1hdVyaWFscyBpbmNsdWRpbmcgbWV0YWwsIHBsYXN0aWMgYW5kIGNlcmFtaWMuIF
RoZSB2YXJpZXR5IG9mIGuaWZlIG1hdGVyaWFscyBjYW4gbWFrZSB0aGVtIGRpZmZpY3VsdCB0byBkZXR
lY3QgdXNpbmcgY29udmVudGlvbmFsIHRlY2huaXF1ZXMgc3VjaCBhcyBtZX RhbCBkZXRlY3RvcnMu.

4. Translate the base64 encoded message using the following website: https://www.base64decode.org/. Set the decoding format to ‘UTF-8’. Copy and paste the message into this website, and you are presented with the following outcome: A knife is primarily a tool used for cutting. Often made up of two parts a knife comprises of a handle and the blade. They can be used in many application such as meal preparation, hunting and combat. Knives come in all shapes and sizes ranging from small, folding everyday carry knives to 6 inch fixed blade combat knives issued to soldiers in the army. In addition, the size and shape of a knife they can be made from a variety of materials including metal, plastic and ceramic. The variety of knife materials can make them difficult to detect using conventional techniques such as metal detectors.

4.1.27 Evidence ID: 57

Brief Description:

In the ‘Pictures’ folder of the USB, you will find a series of gun images. As a gun was not the murder weapon used in this case, they are all deemed to be red herrings. The biggest hint that guns are red herrings comes in the form of ‘guns3.mp4’.

Method of Detection:

1. Change the file extension to ‘.png’ as per the above screenshot

2. Open the file and you are presented with another gun image as per the following screenshot:
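Evidence IDs 39, 43, 52 and 57 all turn on files whose extension lies about their content (an executable and a PDF named ‘.aiff’, a JPEG named ‘.tt’, a PNG named ‘.mp4’), and ID 43 is spotted by its size alone. Rather than renaming files by guesswork, an examiner identifies the real format from the first bytes. The module below is an added example, not part of the case study: it sniffs a small set of signatures, reports extension/content mismatches, and flags size outliers in a folder. The sample files are constructed byte strings carrying the names used in this report, not the real evidence files, and the extension-to-type mapping is an assumption.

```python
"""Content-type identification for files whose extension may lie.

Added example, not from the case study. Signatures cover only the formats
this report mentions; the samples are constructed byte strings with the
report's file names, and EXPECTED is an assumed extension-to-type mapping.
"""
import os
import statistics

# (label, offset, magic bytes). Offsets matter: MP4 starts with a 4-byte box
# length before 'ftyp'; AIFF is an IFF container: 'FORM' + size + 'AIFF'.
SIGNATURES = [
    ("pe-executable", 0, b"MZ"),
    ("pdf", 0, b"%PDF-"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("bmp", 0, b"BM"),
    ("7z-archive", 0, b"7z\xbc\xaf\x27\x1c"),
    ("zip-archive", 0, b"PK\x03\x04"),
    ("mp4", 4, b"ftyp"),
    ("aiff", 0, b"FORM"),  # confirmed by the form type at bytes 8..12
]

EXPECTED = {  # extension -> label the content should carry (assumed mapping)
    ".exe": "pe-executable", ".pdf": "pdf", ".png": "png", ".jpg": "jpeg",
    ".jpeg": "jpeg", ".bmp": "bmp", ".7z": "7z-archive", ".zip": "zip-archive",
    ".mp4": "mp4", ".aiff": "aiff",
}


def sniff(data):
    """Return the format label for the leading bytes, or 'unknown'."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if label == "aiff" and data[8:12] not in (b"AIFF", b"AIFC"):
                continue
            return label
    return "unknown"


def check_file(name, data):
    """Return (detected_label, mismatch). Unknown extensions such as '.tt'
    are reported by content but never counted as a mismatch."""
    ext = os.path.splitext(name)[1].lower()
    detected = sniff(data)
    expected = EXPECTED.get(ext)
    return detected, expected is not None and detected != expected


def size_outliers(sizes, factor=0.25):
    """Names whose size is below factor * median of the folder: the 42 KB
    'track' among multi-megabyte audio files stands out this way."""
    med = statistics.median(sizes.values())
    return sorted(n for n, s in sizes.items() if s < med * factor)


# Constructed samples (report file names, placeholder bytes; not the real files).
SAMPLES = {
    "21. VHS Credits.aiff": b"MZ\x90\x00" + b"\x00" * 60,          # PE header start
    "Adam and Noah.aiff": b"%PDF-1.4\n%constructed\n",
    "Alterior Motives.tt": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "guns3.mp4": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "07. Real track.aiff": b"FORM\x00\x00\x10\x00AIFFCOMM",
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
}


def triage(samples):
    """Map each name to (detected_label, mismatch) for a dict of name -> bytes."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (label, bad) in triage(SAMPLES).items():
        print(f"{name:25} {label:14} {'MISMATCH' if bad else ''}")
```

On the constructed samples the two ‘.aiff’ files resolve to a PE executable and a PDF, ‘guns3.mp4’ to a PNG, and ‘Alterior Motives.tt’ to a JPEG; the genuine AIFF and MP4 samples pass. Reading the header of a suspected executable this way tells the examiner what it is without ever launching it, which is the safer route to the ‘Product name’ details the methods above recover through Properties.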

4.1.28 Evidence ID: 68

Brief Description:

This file can also be found in the ‘Pictures’ folder of the USB. This image contains the getaway vehicle used to dispose of Cindy’s body from Tower Bridge, as per the above screenshot.

Method of Detection:

1. The screenshot above is not officially classified as a piece of evidence until you have uncovered the text file hidden behind the ‘rockfallimage.bmp’ image, stored in the same folder on the USB. This explains a desire for red Mini cars, thus acting as a clue and an additional piece of evidence in this case.

2. The registration plate on the car reads ‘YD61 ROU’. This piece of evidence also acts as a clue, as it is the password for the ‘Accounts.7z’ folder, stored within the ‘Work’ folder of the USB. In this case, the password is reversed and works as ‘UOR16DY’.

4.1.29 Evidence ID: 69

Brief Description:

Throughout the given case, there have been hints of weapons being used when committing the crime, especially guns. To reinforce this theme, an image showing Derek having access to purchasing a hand pistol has been included within the Pictures subdirectories. Despite this, the murder weapon remains a knife and no evidence will be found to prove Cindy was murdered any other way or that Derek has possession of a pistol.

Method of Detection:

1. Gain access to the USB

2. Navigate to the Pictures subdirectory

3. Open ‘Purchases.png’

4.1.30 Evidence ID: 70

Brief Description:

This is the location where Derek disposes of Cindy’s body, before it is washed up at the University later in the night.

Method of Detection:

1. After uncovering the route map from Lewisham to Tower Bridge within the mobile phone application vault, the above image is classified as an easy piece of evidence.

4.1.31 Evidence ID: 71

Brief Description:

This file can be found in the ‘Pictures’ folder, stored on the USB. Upon opening the file, you will be presented with an image of a rockfall, as per the above screenshot.

Method of Detection:

1. As the image is stored in a ‘.bmp’ format, ‘Stools.exe’ is required to reveal a hidden text file. This is a form of steganography, where the image is password-protected and contains an easy piece of evidence. The password for this file is: MDIwNzg5NjIxNTY=. This password is written using base64 encoding and can be decoded using https://www.base64decode.org/. If you translate this message back into its original state, it reads as 02078962156. This phrase can also be found as a clue in the ‘CV.docx’ document, stored in the ‘Work’ folder of the USB. Coupled with this, you are required to select ‘IDEA’ as the encryption format in order to discover the contents of the file behind the image.

2. After entering the password and encryption format correctly, you are presented with ‘Mini.txt’. This is a text file containing a base64 encoded message as per the following screenshot:

3. Translate the base64 encoded message using the following website: https://www.base64decode.org/. Set the decoding format to ‘Windows-1252’. Copy and paste the message into this website, and you are presented with the following outcome: Red Mini cars are the best. Very easy to drive and use. This piece of evidence proves that a red Mini car was used as the getaway vehicle after disposing of Cindy’s body, and links to the ‘Prized Possession.png’ image file.

4.1.32 Evidence ID: 72

Brief Description:

‘Behind the Scenes of iOS Security.mp4’ is a video taken from a conference talk filmed at Black Hat, Las Vegas 2016. We have manipulated the video to include the registration of the red Mini Cooper, which is used as a password later in the coursework. The password is only shown for 11 frames, commencing at 24:42. However, the code shown (YD61RO) is not the correct or complete password; instead it hints at the importance of the registration.

Method of Detection:

1. Gain access to the USB

2. Navigate to the Pictures subdirectory

3. Open ‘Behind the Scenes of iOS Security.mp4’

4. Watch until 24:42.

4.1.33 Evidence ID: 74

Brief Description:

The first of two PowerPoint presentation clues in this case, ‘slideshow(see_behind).pptx’, contains a key password that is used elsewhere to uncover additional evidence. In this scenario, one of the slides hosts a password to unlock a hidden text file behind ‘availabilityblock.bmp’ in the base directory of the USB device. However, the password in this file is also hidden behind an image, but in a less technical format compared to the steganographic images, which are used as alternative hiding mechanisms.

Method of Detection:

1. Navigate to the ‘Private’ folder within the USB device.

2. Open the ‘slideshow(see_behind).pptx’ presentation file, without changing to any other file extension.

3. Scroll down to slide 72 and delete the image of the red Mini. Press ‘Ctrl+A’ to highlight all the text in the slide.

4. Change the colour of the text, contained in the text box, to red. The password for the steganographic image appears as ‘D1R7Yli771353CR37’, which is listed in figure 37.

4.1.34 Evidence ID: 75

Brief Description:

This document contains three images laid out over two pages. There are two images on the first page, both of which are covered by white text boxes. The third image, on the document’s second page, is a SanDisk USB as per the above screenshot.

Method of Detection:

1. Click the two text boxes on the first page and select ‘Delete’. This will uncover two images of stab wounds, which are classified as an easy piece of evidence for this case. The first image demonstrates a clear stab wound to the hand, and the second image shows another person assisting with bandaging up the wound.

2. Click on the USB image and the text box that it is contained within. Reduce the size of the image and click on the text box containing it again. Change the colour of the text to ‘red’ and you will be presented with the following text: Nothing to see here unfortunately. This message acts as a password for uncovering the hidden text file behind ‘eyeofthetigerlandscape.bmp’, a clue used for cracking steganography in this case.

The following screenshot demonstrates the process of completing parts 2 and 3 of this sub-section:

4.1.35 Evidence ID: 76

Brief Description:

The ‘Bernard.bat’ file has been used to switch off the investigator’s computer. This has the same contents as described in Evidence ID: 18, but renamed to ‘Bernard.bat’.

Method of Detection:

1. Gain access to the USB

2. Navigate to Private subdirectory

3. Open ‘Bernard.bat’ in a text editor

4.1.36 Evidence ID: 77

Brief Description:

This file has a similar document name to another one in the same ‘Private’ folder, stored on the USB. However, this particular document acts as a clue that contains a password to uncover another piece of evidence.

Method of Detection:

1. Within PowerPoint, scroll down to slide 72 of the document. Press ‘Ctrl+A’ to highlight all the text on that page. A password is hidden within the green bush to the right of the car.

2. Change the colour of the text to ‘red’. On the right-hand side of the slide, change the transparency of the text from 66% to 0% so you can fully read the phrase.

3. Identify the password as ‘C1NDYS1AUGH1ER’. This password will be used to uncover the mounted drive on the Linux Virtual Machine (VM). The above screenshot demonstrates how to uncover the password in the slideshow.

125
4.1.37 Evidence ID: 79

Brief Description:

John the Ripper is password cracking software that attempts to break passwords using a brute force approach. Despite Bernard being in a Computer Software role, his specialty remains in programming, as does his occupation. Therefore, having this software indicates that he was attempting to break passwords for various accounts. This has been included as an easy piece of evidence.

Method of Detection:

1. Gain access to the USB

2. Navigate to Software subdirectory

3. Identify ‘john179w2.zip’ as John the Ripper

4.1.38 Evidence ID: 80

Brief Description:

‘Stego Suite.7z’ is a password-protected compressed file that contains an easy piece of evidence and five additional random files. The password can be identified from the image contained within the ‘My Calculator’ application on the phone, which stores information about the phone’s carrier: ‘vodafone UK 28.2.5’.

Method of Detection:

1. Gain access to the USB

2. Navigate to the Software folder

3. Input the correct password to decrypt the archive

4.1.39 Evidence ID: 86

Brief Description:

The encrypted archive folder contains one piece of easy evidence (Screen Shot 2017-09-21 at 13.58.15) and five other non-related documents. The easy evidence features a screenshot of a knife on Amazon, which was later used as the murder weapon.

Method of Detection:

1. Gain access to the USB

2. Navigate to the Software folder

3. Input the correct password to decrypt the archive

4. Browse files

4.1.40 Evidence ID: 88

Brief Description:

The batch file enables the automatic running of ‘For Derek.ps1’. Rather than requiring the investigators to double click the PowerShell script, detect the red herring and mitigate the powering off of the machine, this file will execute the command directly.

Method of Detection:

1. Gain access to the USB

2. Navigate to Software subdirectory

3. Open ‘For Derek.bat’ in a text editor

4.1.41 Evidence ID: 89

Brief Description:

The included ‘For Derek.ps1’ file has been used to switch off the investigator’s computer. The purpose of including this file is to establish when an unauthorised user has attempted to gain access and, in doing so, executes a fake ‘deletion script’. However, because the contents could potentially be moved to personal USB devices, we have simply executed a shutdown command similar to the one described in Evidence ID: 18. This script required the investigators to either run the script via PowerShell or use the ‘For Derek.bat’ file.

Method of Detection:

1. Gain access to the USB

2. Navigate to Private subdirectory

3. Open ‘For Derek.ps1’ in a text editor or PowerShell
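The detection method for both of these files is the same one an investigator should apply to any script found on seized media: read it before running it. The following is an added example (not code from the report) of a static triage pass over batch and PowerShell text that flags power-off, deletion and launcher patterns before anything is executed. The sample scripts are constructed stand-ins for a launcher and the script it runs; they are not the contents of the report’s ‘For Derek.bat’ or ‘For Derek.ps1’, and the pattern list is an assumption about what is worth flagging, not an exhaustive one.

```python
import re

# Constructed stand-ins for a batch launcher and the PowerShell script it runs;
# NOT the contents of the report's 'For Derek.bat' / 'For Derek.ps1'.
SAMPLE_BAT = r"""@echo off
rem launcher that runs the PowerShell script without the investigator opening it first
powershell.exe -ExecutionPolicy Bypass -File "For Derek.ps1"
"""

SAMPLE_PS1 = r"""# looks like a cleanup script, but only powers the machine off
Write-Host "Deleting evidence..."
Stop-Computer -Force
"""

SAMPLE_BENIGN = r"""@echo off
echo Listing the working directory
dir
"""

# (regex, why it matters) pairs: commands that would power off, destroy data or chain-load code.
RISKY_PATTERNS = [
    (r"\bshutdown(\.exe)?\b", "power off / restart"),
    (r"\b(Stop|Restart)-Computer\b", "PowerShell power off / restart cmdlet"),
    (r"\b(del|erase|rd|rmdir)\b", "deletion command"),
    (r"\bRemove-Item\b", "PowerShell deletion cmdlet"),
    (r"\bformat(\.com)?\b", "disk format"),
    (r"-ExecutionPolicy\s+Bypass", "execution-policy bypass in a launcher"),
    (r"\bpowershell(\.exe)?\b.*-File\b", "launches a second script"),
]


def triage_script(text):
    """Return (line_number, reason, line) for every non-comment line matching a risky pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Comment syntax for .bat ('rem', '::') and .ps1 ('#'); comments never execute.
        if stripped.lower().startswith(("rem ", "::", "#")):
            continue
        for pattern, reason in RISKY_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, reason, stripped))
    return findings


def is_safe_to_run(text):
    """True only when the static pass found nothing; a clean result is still not proof of safety."""
    return not triage_script(text)


if __name__ == "__main__":
    for name, text in (("launcher", SAMPLE_BAT), ("script", SAMPLE_PS1), ("benign", SAMPLE_BENIGN)):
        print(name, triage_script(text))
```

Run against the constructed launcher the pass reports line 3 twice (policy bypass and a chained script), and against the constructed PowerShell file it reports only the `Stop-Computer` line; the cosmetic `Write-Host "Deleting evidence..."` line matches nothing, which is exactly the point of reading the script rather than trusting its messages. A clean result only means none of the listed patterns appeared, so the script still belongs in an isolated VM, never on the examiner’s workstation.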

4.1.42 Evidence ID: 90

Brief Description:

The included ‘Discover.exe’ file is a renamed copy of Evidence ID: 9. This red herring has been included to hinder the investigation. A detailed explanation of this program’s operation can be found in the brief description of Evidence ID: 9. It should be reiterated that this program does not cause any damage and is classified as Scareware, although the program may cause delay of the investigator’s computer.

Method of Detection:

1. Gain access to the USB

2. Navigate to Software

3. Run Discover.exe application

4. Try to close/kill program

5. Review Discover.exe Product name, Product version and Original File name via Right click > Properties or when opened in a text editor
4.1.43 Evidence ID: 92

Brief Description:

‘S-Tools.exe’ is an executable file found in the ‘Stools.zip’ folder of the ‘Software’ folder, within the USB. This tool is classified as an easy piece of evidence because of the crucial role it plays in hiding and uncovering other pieces of evidence, from a steganography perspective.

Method of Detection:

1. The executable file can be found among its information guide plus other configuration files (ending in ‘.dll’). The three files which require the use of ‘S-Tools.exe’ are: ‘availabilityblock.bmp’, ‘eyeofthetigerlandscape.bmp’ and ‘rockfallimage.bmp’.
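The three ‘.bmp’ files above hide text files by steganography. As an added example (not the report’s code and not S-Tools’ own file format, which is passphrase-protected and differs from this), the following block shows the principle behind hiding a file in an uncompressed bitmap: each pixel’s least significant bit is overwritten with one bit of the payload, so no pixel changes by more than one grey level. It also shows the detection side: a smooth cover image has a structured LSB plane, and embedding text raises the rate at which neighbouring LSBs change. The cover image, the 32-bit length header and the payload are all constructed here for the example.

```python
HEADER_BITS = 32  # constructed framing: 32-bit big-endian payload length, then the payload bytes

# Constructed sample payload; the report's hidden text files are not reproduced here.
PAYLOAD = b"meet at 23:00 not 20:00"


def make_cover(n=4096):
    """Constructed stand-in for a smooth 8-bit greyscale image: a gradient, 4 pixels per grey level."""
    return bytearray((i // 4) % 256 for i in range(n))


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Write length + payload into the least significant bit of each pixel, one bit per pixel."""
    frame = len(payload).to_bytes(4, "big") + payload
    if len(frame) * 8 > len(cover):
        raise ValueError("payload does not fit in the cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(frame)):
        stego[i] = (stego[i] & 0xFE) | bit  # changes a pixel by at most 1 grey level
    return stego


def _read_bytes(pixels, start_bit, count):
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Recover the payload; a length field that cannot fit means this is not a payload of this format."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("length field inconsistent with image size; no payload in this format")
    return _read_bytes(pixels, HEADER_BITS, length)


def lsb_transition_rate(pixels, limit=None):
    """Fraction of neighbouring pixels whose LSBs differ; smooth covers score low, embedded data high."""
    region = pixels[:limit] if limit else pixels
    changes = sum(1 for a, b in zip(region, region[1:]) if (a & 1) != (b & 1))
    return changes / max(1, len(region) - 1)


def demo():
    cover = make_cover()
    stego = embed(cover, PAYLOAD)
    used = HEADER_BITS + len(PAYLOAD) * 8  # only this prefix of the image carries payload bits
    return extract(stego), lsb_transition_rate(cover, used), lsb_transition_rate(stego, used)


if __name__ == "__main__":
    recovered, clean_rate, stego_rate = demo()
    print(recovered, round(clean_rate, 3), round(stego_rate, 3))
```

On the constructed gradient the LSB plane changes once every four pixels (a rate of about 0.25), while the region carrying the embedded text changes at roughly 0.4; running `extract` on the untouched cover raises, because the bits it reads as a length do not describe anything that fits in the image. Real tools scatter and encrypt the bits, so a statistical test like this is a triage hint rather than a decoder.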

4.1.44 Evidence ID: 93

Brief Description:

This is an executable file found in the ‘Software’ folder, stored on the USB. This is classified as an easy piece of evidence because it potentially uncovers all the hard pieces of evidence associated with this case.

Method of Detection:

The purpose of this tool is to enable users to mount a drive and enter a password before unlocking files that are saved on the drive in an encrypted format. This is linked to the Linux VM, which contains the hard pieces of evidence as per the above screenshot.
4.1.45 Evidence ID: 95

Brief Description:

The ‘Accounts.7z’ compressed file has been password-protected with the reverse of the registration for the getaway vehicle, UOR16DY. This compressed file contains two documents inside: ‘Invoice Template.xlsx’ and ‘Routes.png’. The password for this file has been hinted at several times throughout the coursework, such as in Evidence ID: 68 and Evidence ID: 72.

Method of Detection:

1. Gain access to the USB

2. Navigate to ‘Work’ subdirectory

3. Decompress ‘Accounts.7z’ folder with correct password

4.1.46 Evidence ID: 96

Brief Description:

The file ‘Routes.png’ contains an image of the planned route from the assailant’s house, where the murder was committed, to the dumpsite of the body. This was not the final route taken but shows planning of the attack and disposing of the body.

Method of Detection:

1. Gain access to the USB

2. Navigate to ‘Work’ subdirectory

3. Decompress ‘Accounts.7z’ folder with correct password

4. Open ‘Routes.png’

4.1.47 Evidence ID: 97

Brief Description:

Upon successful opening of the ‘Accounts.7z’ folder, two files will be extracted. The ‘Invoice Template.xlsx’ file is a disguised cipher key created by Bernard. The file will originally look like an invoice for Slaughter Technologies, but the selective green boxes correspond to the cipher key needed to unlock the message in Evidence ID: 26. The columns align to a number, which is the true representation of the required letter. An example of this has been included below.

B = 22nd Letter of the Alphabet (V)

Method of Detection:

1. Gain access to the USB

2. Navigate to ‘Work’ subdirectory

3. Decompress ‘Accounts.7z’ folder with correct password

4. Open ‘Invoice Template.xlsx’
4.1.48 Evidence ID: 98

Brief Description:

This document can be found in the ‘Work’ folder, stored on the USB. This is a clue that contains the password for uncovering the hidden text file behind ‘rockfallimage.bmp’. This refers to the telephone number listed at the top of Bernard’s CV as per the above screenshot.

Method of Detection:

1. You need to take the telephone number and convert it to a base64 encoded message, which officially acts as the password for the steganographic image elsewhere. Upon translation, the number should read: MDIwNzg5NjIxNTY=.

4.1.49 Evidence ID: 99

Brief Description:

After gaining access to the USB and navigating to the Work subdirectory, the investigator is presented with the file ‘Keys.txt’. This file contains a substitution ciphered message from Bernard to Derek detailing ‘You’ll be the prime suspect’.

Method of Detection:

1. Gain access to the USB

2. Guess the substitution cipher

3. Navigate to ‘Work’ subdirectory

4. Open ‘Keys.txt’
4.1.50 Evidence ID: 102

Brief Description:

This is a medium piece of evidence found on the menu page of the mobile phone being used in this case.

Method of Detection:

1. Firstly, begin with logging in to the mobile phone by entering the USB’s SHA256 hash as the password.

2. Upon logging in, scroll right to the third menu page. This page demonstrates a message, hidden within the application icons downloaded from the App Store as per the above screenshot.

3. This message indicates that Cindy attempted to stab Derek at some point leading up to her murder. This piece of evidence is classified as ‘medium’ because it shows that Derek may have acted in self-defence, with Cindy attacking him in the first instance.

4. Note: For the purpose of this forensics investigation, screenshots or photographs will need to be taken and documented of every page in the mobile device before proceeding to identify any pieces of evidence.

4.1.51 Evidence ID: 103

Brief Description:

The IMEI number of the phone has been used to encrypt the USB. To gain more information, the investigators will need to identify the engraved number on the rear of the device, ‘013418006744691’. Alternatively, should they gain access to the phone, the IMEI number is also detailed within the settings menu on the device. This has been classed as a clue, due to the password being used to obtain the majority of the information stored on the encrypted USB.

Method of Detection:

1. Physical: Locate the IMEI Number on the rear of the device.

or

1. Software: Enter Passcode

2. Settings

3. General

4. About
4.1.52 Evidence ID: 104

Brief Description:

This piece of evidence is located on the mobile device that belongs to Derek. Using a password-protected mobile application called ‘My Calculator’, a picture of a knife is found within the ‘Passwords’ folder. This is a medium piece of evidence, as it is an image of the murder weapon Derek uses to kill Cindy.

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB

2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before pressing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of medium evidence files

3. Click on the ‘Pictures’ folder

4. There should be four images stored in the ‘Pictures’ folder. Click on the knife image to view its contents as per the above screenshot

4.1.53 Evidence ID: 105

Brief Description:

This piece of evidence is classified as medium because it is also stored on Derek’s mobile device, within the ‘My Calculator’ password vault. A screenshot of a route map from Lewisham to Blackheath can be found in the vault, taken on Google Maps. Lewisham is the location of Bernard’s house and Blackheath is the location of Derek’s house (where Cindy also resided prior to her death).

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB

2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before pressing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of medium evidence files

3. Click on the ‘Pictures’ folder

4. There should be four images stored in the ‘Pictures’ folder. Click on the route map image to view its contents as per the above screenshot

4.1.54 Evidence ID: 106

Brief Description:

This piece of evidence is classified as a clue because of its location in Derek’s mobile device, using ‘My Calculator’ to store the image with a complex password required to enter. A breakdown of the mobile device’s key information including the capacity, version number and model number is listed in the image. This is listed as a clue because the ‘Carrier’ is partly used as a password to unlock the ‘Stego Suite.7z’ folder: vodafone UK 28.2.5.

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB

2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before pressing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of medium evidence files

3. Click on the ‘Pictures’ folder

4. There should be four images stored in the ‘Pictures’ folder. Click on the phone description image to view its contents as per the above screenshot

4.1.55 Evidence ID: 107

Brief Description:

After gaining access to the secret vault decoyed as the ‘My Calculator’ application with the passcode previously described, the investigator will then be presented with four subdirectories: ‘Picture’, ‘Video’, ‘Audio’ and ‘File’. Should the investigator continue to navigate to the ‘Pictures’ folder and open ‘IMG_2362.png’ then a conversation between the two brothers will be displayed. This message has a general conversation to start, then references the disposal and murder of Cindy Slaughter. Derek sends two messages detailing that the murder will be concluded at 20:00, ‘Pick up time 20:00, don’t make me wait’, and requires picking up and disposing of the body. However, Bernard suggests a different time, ‘How about 23:00, as I’ve got to send something off first?’; the item he is referring to is Cindy. The affair is reinforced with the letter found within the Linux Virtual Machine (VM). The newly proposed time is then confirmed by both parties.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to ‘Pictures’ Subdirectory

4. Open ‘IMG_2362.png’
4.1.56 Evidence ID: 108

Brief Description:

The screenshot below is a view of the browsing history that was found on Derek’s phone. Upon opening Safari from the main menu page of the mobile device, there is one tab open that is relevant to the case. This tab is entitled ‘Entry requirements – Mexico travel advice’ from the UK Government’s website. This is classified as a medium piece of evidence, as Derek is attempting to escape the country and fly to Mexico following the murder of Cindy in London.

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB

2. Open Safari at the bottom of the main menu after logging in to the phone

3. Click the tab button at the bottom right hand side of the page in Safari

4. Scroll to the middle of the open tabs to find the one related to Mexico as per the above screenshot

4.1.57 Evidence ID: 109

Brief Description:

There are specific calendar events that have been added into the mobile device belonging to Derek. Some of the events in November 2017 are trivial or circumstantial. However, there is one of particular interest dated the 4th December 2017, where Derek had noted a ‘Private Appointment’ in the early evening. The reason why this is classified as a medium piece of evidence is because the location is listed as ‘Tower Bridge’, which coincides with the images of the same bridge in other areas of the case. Also, this is the location where Derek disposes of Cindy’s body after murdering her. The 4th December 2017 is the day before Cindy’s body is found washed up on the embankment of the River Thames, in front of the University of Greenwich.

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB

2. Open the ‘Calendar’ application on the main menu page after logging in to the phone

3. Scroll down to December 2017 and click on the 4th day (listed as a Monday) to see the appointment

4. Click on other dates earlier in the year. Notice that they do not correspond or link to the one on the 4th December 2017 as per the above screenshots

4.1.58 Evidence ID: 110

Brief Description:

A password file has been included within the ‘My Calculator’ application, which contains a total of 20 passwords. Whilst 95% of the passwords listed have no relevance to the investigation, the entry ‘rjX5bbq576’ can be used to unlock the ‘Customer.7z’ folder previously described.

Method of Detection:

1. Gain access to the iPhone 5

2. Identify and unlock the ‘My Calculator’ application

3. Navigate to File subdirectory

4. Open Passwords subdirectory

5. Open the remaining file.
4.1.59 Evidence ID: 111

Brief Description:

This file can be found as a screenshot image in the ‘Pictures’ folder of the mobile phone application vault called ‘My Calculator’. As it is password-protected, users will need to login to the application prior to viewing this image’s contents. This is a medium piece of evidence and contains a set of text about bleach, written as a base64 encoded message. Users will need to convert this message using an online tool to identify the meaning behind it.

Method of Detection:

1. Login to the mobile device using the SHA256 hash that was generated for the USB.

2. Open ‘My Calculator’ in the mobile phone, and add the following three numbers together before pressing the percentage button: 56 + 126 + 255 = 437%. This will open the vault containing a number of medium evidence files.

3. Click on the ‘Pictures’ folder.

4. There should be four images stored in the ‘Pictures’ folder. Click on the bleach text image to view its contents as per the above screenshot.

4.1.60 Evidence ID: 112

Brief Description:

An email message from Bernard sent to Derek’s account has been included. The message has been encrypted using the cipher detailed in Evidence ID: 116. This translates to ‘Derek, I can’t believe you’ve gone ahead with it! What do we do now? I feel like we should come clean!’.

Method of Detection:

1. Unscrew/detach pen

2. Remove film

3. Hold in front of light source

4. Sign into Derek’s email account

5. Browse to email from Bernard

6. Identify and decrypt email using Evidence ID: 116.

4.1.61 Evidence ID: 113

Brief Description:

The password for Derek’s email address, 81dslaughter@gmail.com, has been included on the reverse of a photograph. The password is a handwritten code, 000818739. This has been cut from the remaining film, which was included in the physical evidence and placed within a pen to make it harder to detect.

Method of Detection:

1. Unscrew/detach pen

2. Remove film

3. Hold in front of light source

4.1.62 Evidence ID: 114

Brief Description:

An image has been included in Derek’s Google Drive to confirm Cindy’s suspicion of him turning to alcohol.

Method of Detection:

1. Unscrew/detach pen

2. Remove film

3. Hold in front of light source

4. Navigate to Google Drive

5. Identify ‘mybeauties.png’

4.1.63 Evidence ID: 115

Brief Description:

As part of our evidence, we have included a book that features three words written in invisible ink that can only be viewed under a UV (ultraviolet) light, on pages 64, 128 and 256. In addition to the book, we have included a pencil case that contains an assortment of pens, pencils and a UV light. The three hidden words, when combined, form the password for the recovered USB drive. Investigators are expected to deduce this from inspecting the content of the included pencil case and manually trawl through the book for any messages.

Method of Detection:

1. Search through the contents of the pencil case to find the UV light.

2. Search through the book with the UV light for anything relating to the case.

4.1.64 Evidence ID: 116

Brief Description:

A Rotation Cipher Key has been included within chapter seven of the book ‘The Life and Adventures of a Couple’, which requires rotating the total number of pages within the book, in order to reveal the substitution cipher key used for the email previously explained in Evidence ID: 98. The cipher can be identified by highlighting the shaded word and taking the first letter of each word. We have limited the cipher to one key per page.

Method of Detection:

1. Navigate to Chapter 7 of ‘The Life and Adventures of a Couple’

2. Identify the keyed word. This will be shaded in pencil with one keyed word per page

3. Identify and record the first shaded letter of the word

4. Repeat these steps until the full alphabet has been identified

5. Rotate the cipher 461 times (number of pages in book)

6. Insert newly decoded cipher key and email (Evidence ID: 98) to the online tool (http://practicalcryptography.com/ciphers/simple-substitution-cipher/)
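The same substitution machinery underlies Evidence ID: 97 (a column number standing for a letter), Evidence ID: 99 (the ciphered ‘Keys.txt’) and the email decrypted with this key. As an added example, not code from the report, the block below carries the six steps above through in full: it collects the first letter of each shaded word into a 26-letter key, refuses an incomplete alphabet, rotates the key 461 times (which reduces to 461 mod 26 = 19 positions) and then decrypts a message with it. The shaded words, the message and the rotation direction are assumptions for the example; the report does not list its words, and it is assumed that the keyed alphabet is the cipher alphabet written under plain A to Z, which is how the linked online tool takes a key.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed stand-ins for the shaded words (one per page), NOT the words in the report's book.
SHADED_WORDS = [
    "quiet", "window", "early", "river", "table", "yellow", "under", "island", "orange",
    "paper", "apple", "sun", "door", "field", "garden", "house", "jacket", "kitchen",
    "lamp", "zebra", "xray", "cloud", "valley", "bridge", "night", "mountain",
]
PAGES_IN_BOOK = 461  # the report rotates the key once per page


def key_from_words(words):
    """Take the first letter of each shaded word, in order; the result must be a full 26-letter key."""
    letters = []
    for word in words:
        first = word[0].upper()
        if first not in letters:
            letters.append(first)
    key = "".join(letters)
    if sorted(key) != list(ALPHABET):
        missing = sorted(set(ALPHABET) - set(key))
        raise ValueError("incomplete key, still missing: " + "".join(missing))
    return key


def rotate(key, times):
    """Rotate the key string left once per 'time'; 461 rotations of 26 letters equal 461 mod 26 = 19."""
    n = times % len(key)
    return key[n:] + key[:n]


def encrypt(plaintext, key):
    """Assumption: key[i] is the cipher letter standing for plain ALPHABET[i]; non-letters pass through."""
    table = {p: c for p, c in zip(ALPHABET, key)}
    return "".join(table.get(ch, ch) for ch in plaintext.upper())


def decrypt(ciphertext, key):
    table = {c: p for p, c in zip(ALPHABET, key)}
    return "".join(table.get(ch, ch) for ch in ciphertext.upper())


def letter_at(position):
    """Evidence ID 97 style key: a column number names a letter, so 22 -> 'V'."""
    return ALPHABET[position - 1]


def demo():
    raw_key = key_from_words(SHADED_WORDS)
    key = rotate(raw_key, PAGES_IN_BOOK)
    # Constructed sample message, encrypted here so the round trip is self-contained.
    ciphertext = encrypt("You will be the prime suspect", key)
    return raw_key, key, ciphertext, decrypt(ciphertext, key)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the constructed words the raw key is the keyboard-order alphabet, the rotated key is ZXCVBNMQWERTYUIOPASDFGHJKL, and the sample message round-trips through it. The early `ValueError` is the check a practitioner wants: if one shaded page was missed, the key is short and every decryption built on it will be silently wrong, so the function refuses to continue rather than guessing.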

4.2 Physical Evidence Overview:

4.2.1 Evidence ID: 117

Brief Description:

The inclusion of a password regarding Derek Slaughter’s email address has been written on the reverse of the film taken from the camera detailed in Evidence ID: 113. The camera film has then been rolled up and placed within the BAE Systems pen located within the pencil case. The two following images detail the hiding of this clue.

Method of Detection:

1. Open pencil case and identify the correct pen

2. Unscrew the nib of pen and identify the film

3. Unroll the film and see reverse side to identify the password

4.2.2 Evidence ID: 118

Brief Description:

The background hints at a number of settings that can be used as a passcode to unlock the USB. The fields with information removed detail: ‘Capacity’, ‘Version’, ‘Model’, ‘Wi-Fi Address’ and ‘IMEI’, of which the IMEI number is the required key. Although the number isn’t present, it has been engraved on the reverse of the phone and can be detected that way. In addition to this, the passcode required to unlock this device is the SHA256 hash of the encrypted USB device. Once the investigators have detected this, they will have full access to the phone and be able to investigate other layers previously specified in this report.

Method of Detection:

1. Download and Run appropriate hashing tool application

2. Insert encrypted USB device and obtain the SHA256 hash

3. Enter the hash into the phone’s locked screen

4.2.3 Evidence ID: 119

Brief Description:

The pencil case incorporates the pen described previously to hide the evidence. Included within are several other pieces of stationery. However, the most important part is the UV light that can be used to detect the secret messages written in the book, Evidence ID: 115.

Method of Detection:

1. Given as a piece of investigatory evidence

4.2.4 Evidence ID: 120

Brief Description:

The book will be included as a piece of evidence and refers to every action having a reaction. There have been multiple red herrings, passwords and cipher keys included within this book. This has been explained at various points throughout the report.

Method of Detection:

1. Given as a piece of investigatory evidence.

4.2.5 Evidence ID: 121

Brief Description:

The camera was initially used to reveal a password, only detectable when the film was held up to a light source. However, when trialing this, it was clear that the investigators would not be able to identify this password. Therefore, the camera has been included as a red herring, attempting to consume the investigator’s time and resources.

Method of Detection:

1. Given as a piece of investigatory evidence.

4.2.6 Evidence ID: 122

Brief Description:

The UV light will be included as a piece of evidence and can be used to identify the password required to decrypt the USB. This has been explained in more depth within Evidence ID: 115.

Method of Detection:

1. Given as a piece of investigatory evidence.
You must include the hash of your evidence file in your report

5. SHA256 Hash:

Using FTK Imager we converted our USB evidence to an .ad1 file. The hash of this file is: 51971B344000E2B4EAE8CD986B3F5DD5A3070687480C9B6176A62A828AFDC47D. This has also been provided in the below screenshot.
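The hash above, and the SHA256 of the encrypted USB that doubles as the phone passcode in Evidence ID: 118, are only useful if they are recomputed and compared on the receiving side. As an added example, not code from the report or from FTK Imager, the block below shows how an investigator verifies an acquired image against a documented hash: the file is streamed through SHA-256 in chunks so that a multi-gigabyte image never has to be held in memory, the comparison ignores case and stray whitespace, and a single flipped bit is shown to fail verification. The sample file is constructed; against the real ‘.ad1’ the report’s hash string would be passed as `expected_hex`.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for an acquired evidence image; NOT the report's .ad1 file.
SAMPLE_IMAGE = b"constructed evidence image contents\n" * 1000


def sha256_of_bytes(data):
    """SHA-256 of an in-memory buffer, upper-case hex (the form used in the report)."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def verify_evidence(path, expected_hex):
    """True when the file's SHA-256 equals the documented hash; whitespace and case are ignored."""
    return sha256_of_file(path) == expected_hex.strip().upper()


def demo():
    """Write the constructed image, verify it, then flip one bit and verify again.

    Returns (verified_before_tamper, verified_after_tamper): expected (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.ad1")  # file name is illustrative only
        with open(path, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        documented = sha256_of_bytes(SAMPLE_IMAGE)  # what the report would record
        before = verify_evidence(path, documented.lower())  # case must not matter
        # Flip the lowest bit of byte 10: any change, however small, must fail verification.
        with open(path, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)[0]
            fh.seek(10)
            fh.write(bytes([original ^ 0x01]))
        after = verify_evidence(path, documented)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the tamper step is that the hash proves integrity, not provenance: it tells the reader the file they hold is byte-for-byte the one that was hashed, which is why the report is asked to include it, but it says nothing about how that file was produced.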

6. Overall Reflection:

6.1 Conclusion

Overall, throughout this coursework, I have been able to identify relevant and current techniques and technologies that can be used to hide or disguise evidence. Albeit this coursework has been fictional, it can be clearly identified that the skills and concepts required and utilised can be applied to a real-world scenario used across industry. I have found this coursework to be one of the most enjoyable undertaken, by having the range to create evidence files and explore aspects of computer forensics that I find the most intriguing and relevant. I believe this is limited in other modules due to a set guideline of tasks, ultimately limiting the learning experience.

6.2 Reflection

6.2.1 What I have learnt

Having previously completed the Computer Forensics 2 module, I was able to identify areas which I believe would be more beneficial and successful in disguising evidence. Furthermore, having studied the forensics of iPhones during my Industrial Placement, I have been able to implement my knowledge and understanding physically. It is my opinion that by obtaining more than a theoretical approach and physically hiding our created evidence, I have been able to recognise and absorb a greater level of understanding. An example of this would include how the Secure Enclave within iOS works.

Before the completion of this coursework, I was unfamiliar with some of the tools used, such as: TrueCrypt, VeraCrypt and BitLocker to Go. By attempting to use these tools and conducting secondary research, I have identified tools and algorithms that have now been broken and are no longer suitable to use. This typically included SHA1, MD5 and TrueCrypt. By identifying this, the team and I have been able to use more applicable tools and algorithms that prove harder to break such as: SHA256 and VeraCrypt. It is clear that experts are required to keep up to date with subjects similar to this, in order to maintain the confidentiality, integrity and availability of files.

Finally, I originally had a very limited understanding of cryptography and encryption. However, the group and I believed that not including the use of these would hinder our chances of all the evidence being discovered. This was one of the primary reasons for researching and implementing these techniques, which I have found enjoyable and less complex than originally thought.

6.2.2 What I have enjoyed

Prior to starting this coursework, I was unaware of the different forms of cryptography and how valuable these techniques could be in ensuring the confidentiality of information. After conducting additional research and using publicly available tools, I have grown a new fondness for cryptography as a new area of computer forensics. This was reinforced after confusing which key belonged to which text and having to break the ciphers manually.

In total, I have thoroughly enjoyed this coursework and would highly recommend this module to other students. It is my opinion that having the freedom to disguise and hide evidence at our discretion has enabled us to pursue our personal interests within computer forensics. An example of this includes the use of performing steganography, hiding images within images.

6.2.3 What I have found challenging

One aspect I personally, and from a group perspective, found challenging is the number of evidence files created and the organisational structure required for this. When previously creating our evidence, we did not detail the evidence, passwords or methods required to discover the files and therefore got confused as to which password corresponded to which file. However, upon identifying this issue, we incorporated the table included within section three of this report, which helped overcome this issue.

In addition to this, one mistake made by a group member was revealing a vital password that could be used to gain a significant discovery within the case. Due to this mistake, the group was required to change the password and spend multiple hours overcoming this issue. In hindsight, I would emphasise the consequences of his actions, attempting to mitigate this mistake.

6.2.4 What would you change?

One aspect I would recommend reviewing is the number of evidence files required for the coursework. In my experience, I found creating 25 individual pieces of evidence to be tedious and believe my time would have been better utilised in identifying other hiding techniques. I would also encourage other groups to expand their evidence from a generic USB to other forms of media storage due to the diverse range available within today’s environment.

Overall, I believe the skills and techniques used throughout this coursework will prove fundamental should I pursue a career in computer forensics.

1 https://www.gre.ac.uk

ROCHESTER INSTITUTE OF TECHNOLOGY, DUBAI

The author of this article, Raina Zakir, has recently graduated from RIT. She studied Science in Computing Security. This program offers a hands-on curriculum and high level of specialization beyond what is provided by more general majors in Information Systems or Information Technology.1
DMA Attacks for Memory Acquisition causes the operating system on the target machine

to assume that an SBP-2 device has been connected


using FireWire
on the FireWire port. As the target OS thinks that an

by Raina Zakir SBP-2 device is connected, it enables DMA for the

device connected to get ready for large data trans-


Abstract
fers. This results in the host machine running Incep-

The FireWire interface, as standardized by the IEEE tion to get read and write permissions to the RAM

1394, is one of the easy ways of getting Direct Mem- on the target system, which then searches at certain

ory Access (DMA) on a target system. This article dis- offsets of the authentication module to look for sig-

cusses a way to use the FireWire interface to per- natures to get the operating system password to

form a live memory forensics on a target system us- elude an incorrect password check once it is gener-

ing a tool called Inception, which enables execution ated. This results in bypassing the login by entering

of invasive and non-invasive memory hacks on a live any password or dumping of the memory based on

target. In the latter part, some limitations are dis- the commands provided.

cussed for the attack.


To use Inception, the requirements include:

Direct memory access is one of the techniques used


• A machine with a FireWire port running Linux or
in forensic analysis and rootkit detection. The Fire-
Mac OSX, Linux works best. In the demo, we will
Wire attack that takes place using the IEEE 1394 Fire-
be using Kali Linux Operating system (in which all
Wire interface enables you to dump the RAM of the
the dependencies will be installed). The target OS
locked target system, inject processes into memory,
that can be attacked by Inception includes x86
increase privileges to the administrator by patching
and x64 versions of Windows XP (SP-0,1,2,3), Win-
authentication mechanism and even bypass user log-
dows Vista (SP-0,1,2), Windows 7 (SP-0,1), Win-
ins to gain access to the system, even the ones that
dows 8, Mac OS X (Leopard, Snow Leopard, Lion,
have full disk encryption such as BitLocker, FileVault,
Mountain Lion), Ubuntu (Saucy, Raring, Quantal,
TrueCrypt etc. enabled on them. One tool that
Precise, Oneiric, Natty, Maverick, Lucid) and Linux
makes this possible is ‘Inception’.
Mint

Inception works by offering a Serial Bus Protocol 2


• Install the cmake package manager and git using
(SBP-2) group directory to the target machine that
the following command:
has to be analyzed using the FireWire interface. This

158
• Python 3 and pip need to be installed using the following command:

• libforensic1394: the key dependency of Inception is ‘libforensic1394’, an open-source library that supports performing live memory forensics using the FireWire interface on Linux or Mac OS X systems. Download ‘libforensic1394’ using the git command below and open the directory:

Build the installation file by issuing the ‘cmake CMakeLists.txt’ command, which will result in the output below:

Install ‘libforensic1394’ using the command below:

Change directory to ‘python’ in the same ‘libforensic1394’ folder and run the setup file to complete the installation:
• To install Inception, download the files by cloning the git repo. Then change directory to ‘inception’ and run the setup using the command below to install Inception:

Run the ‘incept’ command; if the following screen appears, the installation is successful:

If the following error is encountered:

the FireWire cable is not connected or not being detected. Instead of FireWire, a Thunderbolt, ExpressCard or PC Card interface can be used too.

The Attack and Execution:

1. Connect the FireWire cable from the host machine running Kali with all the dependencies installed to the target machine:
2. Run the ‘incept unlock’ command from the host machine. Once a FireWire connection to the target machine is detected, choose the target OS when prompted (in this case no. 3 is chosen, as the target OS is Windows 7); this will start searching for signatures to unlock the system:

3. When the success message specifying ‘Signature found’ appears with patch verification being successful, enter any dummy random password on the target machine and the OS login will be bypassed:
4. To attain a RAM dump of the target system, issue the ‘incept dump’ command:

The RAM dump attained can be analyzed with an analysis framework like Volatility.

Limitations:

- Direct Memory Access using FireWire is disabled in Mac OS X Lion and above as well as Windows 8.1 and above if the user has locked the system. As a result, Inception will only work if the user is logged in to the target system.

- Inception is known to not run well with target systems having more than 4GB RAM because the signatures that are being looked for may be located at memory addresses above 0xffffffff; however, memory dumping is not limited by this. This problem might be overcome by removing one of the 2 GB RAM modules and then running ‘incept’ to search for signatures on one of the modules first and then searching the other one for signatures.

References:

• https://github.com/FreddieWitherden/libforensic1394

• https://github.com/carmaa/inception

About the Author

Raina Zakir is a recent graduate in Cybersecurity, currently pursuing a Master’s in Robotics. She has a keen interest in Pentesting, Forensics, Reverse Engineering, Cybersec research and Blockchain. Some of her research areas include DPI for Cryptojacking, GPS Spoofing and D2D communication in Public Safety Networks using Blockchain. After working at UNWFP as part of her co-op, she is currently working at Kitsune Security. Her hobbies include participating in CTFs, including the Du Cybersec Conference CTF in which her team won the 3rd Prize.

¹ https://www.rit.edu/dubai/
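The first limitation above shows that the attack depends on the operating system leaving FireWire DMA available. As an added example (not from the article or the Inception project), the following Python script audits a Linux host for the two defender-side controls that close this path: preventing the FireWire kernel modules from loading and switching on the IOMMU, which confines what an attached device may write to. The IOMMU check is a general DMA mitigation the article does not cover, and the two configurations in the script are constructed samples, one weak and one hardened.

```python
"""Audit a Linux host against FireWire/SBP-2 DMA attacks of the Inception kind.

Added example, not code from the article or the Inception project. The two
sample configurations below are constructed; audit_running_host() reads the
real files on a Linux machine.
"""
import glob
import os
import re

# Current Linux FireWire stack. Legacy 2.6 kernels used ohci1394/sbp2 instead.
FIREWIRE_MODULES = ("firewire-core", "firewire-ohci", "firewire-sbp2")

# Constructed sample: the common but insufficient "blacklist only" setup.
WEAK_MODPROBE = "# constructed sample\nblacklist firewire-ohci\n"
WEAK_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet splash"

# Constructed sample: modules can never be loaded, IOMMU switched on.
HARDENED_MODPROBE = (
    "install firewire-core /bin/false\n"
    "install firewire-ohci /bin/false\n"
    "install firewire-sbp2 /bin/false\n"
)
HARDENED_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet intel_iommu=on"


def module_disable_level(modprobe_conf, module):
    """How strongly the modprobe configuration stops a module from loading.

    0: nothing prevents it.
    1: 'blacklist <module>' only. This stops automatic loading by alias, but
       the module still loads on an explicit request or as a dependency.
    2: 'install <module> /bin/false' (or /bin/true): modprobe runs that
       command instead of inserting the module, so it never loads.
    """
    level = 0
    wanted = module.replace("_", "-")  # modprobe treats '_' and '-' alike
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(blacklist|install)\s+(\S+)(?:\s+(.*))?$", line)
        if not m or m.group(2).replace("_", "-") != wanted:
            continue
        if m.group(1) == "blacklist":
            level = max(level, 1)
        elif m.group(3) and m.group(3).strip() in ("/bin/false", "/bin/true"):
            level = 2
    return level


def audit_firewire_dma(modprobe_conf, cmdline):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for mod in FIREWIRE_MODULES:
        level = module_disable_level(modprobe_conf, mod)
        if level == 0:
            findings.append(f"{mod} can be loaded; add 'install {mod} /bin/false'")
        elif level == 1:
            findings.append(f"{mod} is only blacklisted; use 'install {mod} /bin/false'")
    params = cmdline.split()
    if "intel_iommu=on" not in params:
        # On AMD systems the IOMMU is often on by default; confirm via dmesg (AMD-Vi).
        findings.append("IOMMU not explicitly enabled (intel_iommu=on missing)")
    return findings


def audit_running_host():
    """Run the audit against the local machine's real files (Linux only)."""
    conf = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as fh:
            conf += fh.read() + "\n"
    with open("/proc/cmdline") as fh:
        cmdline = fh.read()
    return audit_firewire_dma(conf, cmdline)


if __name__ == "__main__":
    for name, conf, cmd in (("weak", WEAK_MODPROBE, WEAK_CMDLINE),
                            ("hardened", HARDENED_MODPROBE, HARDENED_CMDLINE)):
        print(f"[{name}] {audit_firewire_dma(conf, cmd) or 'no findings'}")
    if os.path.exists("/proc/cmdline"):
        print(f"[this host] {audit_running_host() or 'no findings'}")
```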
NORWICH UNIVERSITY

NORWICH UNIVERSITY (BESIDES REGULAR COURSES) OFFERS ONLINE/DISTANCE LEARNING PROGRAMS. CERTIFICATES IN COMPUTER FORENSICS AND VULNERABILITY MANAGEMENT ARE DESIGNED ESPECIALLY FOR INDIVIDUALS WITH THE NECESSARY BACKGROUND IN NETWORKING, PROGRAMMING AND OPERATING SYSTEMS.¹

Detecting and Combating Phishing

by Matthew Kafami

Introduction: Chances are you have seen phishing emails; you may have even been the victim of one. You know, the email claiming to be from your bank warning you that your account may have been compromised and requesting you verify your identity by providing your username, password, and answers to your security questions. Additionally, this email will more than likely contain a link to a webpage that looks identical to the site you are familiar with, with a similar layout, choice of text and font, and accurate logos. Do not enter your information. In fact, don’t even click on the link provided in the email without first performing the steps that follow.

Phishing – An Overview: Phishing is a common attack employed by hackers that focuses heavily on psychology by crafting messages that usually create a sense of urgency and stem from a place of authority. Attackers commonly use tools like the Social Engineering Toolkit to imitate an official webpage to make their malicious sites harder to distinguish, thus increasing the likelihood of success. These messages often look something like this:

Dear Valued Member,

Our records indicate the password for your bank account is about to expire, in which case your account will

be frozen until proper identity verification can be provided at your local branch. Please use the secure link

provided below to update your password and avoid your account being frozen.

Your Bank

The link provided in most of these emails will likely be a domain in one of two formats: domain squatting or a hijacked domain. A squatted domain is one that looks similar to a legitimate link. For example, instead of linking to USBank.com, the link might show USBaank.com, with two instances of the letter “a”. The second letter “a” may go unnoticed if read fast enough with other priorities on your mind, like your bank account potentially being frozen because of an expired password. Hijacked links, on the other hand, are URLs that start completely differently from whatever organization the attacker is attempting to mimic. This is usually due to hackers gaining administrative access to other sites and adding the necessary HTML, CSS, PHP, and/or JavaScript code to that compromised site in order to appear like the intended site. For example, a locally owned and operated florist’s website may have been compromised and now has a webpage with a URL like this: localflorists.com/USBank/reset-password, where the primary domain is localflorists.com and /USBank/reset-password has been added as a subdirectory.

However, some, if not most, email services offer some way to change the text displayed on a link. For example, in Gmail there is an option to insert a link a few icons to the right of the send button. Clicking this will summon a new window as seen below:

The Text to display option will be the only text visible when the link is added to the email, which means a hacker could potentially provide what appears to be a completely legitimate link that masks the malicious URL you will be directed to upon following the link.

Often, the page you will be directed to will include form boxes (the space in which you enter your responses) for the “old” or “current” password, your “new password” and another box to confirm that password. Some hackers even go so far as to replicate the password recovery page and include form boxes for your security questions, complete with dropdown menus and some of the most common questions from which to choose (i.e. mother’s maiden name, city of birth, first pet’s name, etc.) in an attempt to increase the success rate of the attack. An illustration of this can be seen below:

Figure 1: An email mimicking the same format, style, and even using the same logos as USAA Bank has been sent in an attempt to phish a potential victim. The “Edit Link” feature available via most email providers was used to make the link appear legitimate. We will see that is not the case upon examining Figure 2. Notice how this email attempts to create a sense of urgency by stating “For immediate and continuous access to restore your account…”

Figure 2: Upon clicking the link, the user is redirected to a page that shows what appears to be the USAA home page. The “Online ID”, “Password”, and “Log On” features of the website are the only reactive components on this page. Limited site functionality is often a sign that the site is illegitimate. Additionally, the URL shows usaa-com-account-online.lexqmi.com, which is a clear indicator of a hijacked site. The true domain lexqmi.com has been compromised and is now being used to host this phishing content.

Figure 3: Assuming the user enters information into the ID and Password forms shown on the page in Figure 2, the site then directs the user to a page with six security questions to collect even more information. Each dropdown provides several possible security questions (shown in Figure 4).

Figure 4

If the user misses all of the signs of phishing up to this point, Figure 5 shows the next web page in this hijacked site requesting the user update contact information, except the contact information being requested is highly suspect: a USAA Member Number (something a user should not be able to manipulate in any form from a legitimate bank), the user’s email password, Social Security Number, PIN, and card information. No contact form requests this information.

Figure 5
Reacting To Phishing Content: When you come across what you suspect to be phishing content, you need to react using a three-step process:

• Confirm – confirm the email is truly phishing content and is intended to be malicious.
• Report – report the malicious content to the organization being impersonated.
• Alert – alert the organization being impersonated to monitor your account for suspicious activity.

Confirm: As you saw in Figures 1-5, it is important to be able to discern legitimate emails from phishing content. Once you know how to detect phishing content, you need to know what to do. If you receive an email from any organization, or from an individual appearing to represent an organization, that holds any of your personal, financial, or health-related information, read the message completely. Look for typos and grammatical errors; most legitimate organizations will send correspondence that is free of error. Additionally, look at what, if anything, is being asked of you. Some organizations, in an effort to combat phishing, will simply alert you of an upcoming password expiration and prompt you to navigate to their website yourself to log in, rather than include a link within the message.

If a link is included in the message, you can display the actual address you will be directed to by hovering your cursor over the link. This display will appear in the lower left corner of your browser window. If the displayed text matches the link in the message, the likelihood of the message being legitimate increases. If you’re still not sure, you can click on the link and then start removing subdirectories from the URL. For example, the link will likely look like this: bank.com/login/password-reset. If you removed “password-reset” from the link and hit enter, a legitimate link should still display something that resembles the organization’s official site. If you remove the “login” subdirectory, the “bank.com” link should definitely direct you to the official webpage. Oftentimes, whether a dedicated domain or a hijacked domain, the base directory of a phishing site will be a basic HTML page with links to the actual phishing content, and look nothing like the organization’s official page.

If you’re still not sure, you can take the link and drop it through a search bar in a site like CentralOps.net, where you can reference information such as the owner’s contact information, registration date, and geographical location information to help determine whether the link is legitimate. Official domains will usually show as having locations similar to that of the organization’s headquarters and some sort of owner’s information. Malicious URLs will usually hide the owner’s information and will also have a noticeably more recent registration date.
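As an added example (not the author's code), the following Python script applies the link checks from the Overview and Confirm sections to the anchors of an e-mail body: it compares the displayed text with the real href, looks for a squatted look-alike of a known brand domain, and flags a brand name planted in the subdomain or path of an unrelated site. The brand list and the sample e-mail are constructed for the demonstration.

```python
"""Triage the links in a suspicious e-mail using the checks described above.

Added example, not code from the article. KNOWN_BRANDS and SAMPLE_EMAIL_HTML
are constructed; the hrefs mirror the article's USBaank.com, localflorists.com
and lexqmi.com examples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brand keyword -> the organisation's official registrable domain.
KNOWN_BRANDS = {"usbank": "usbank.com", "usaa": "usaa.com"}

# Constructed e-mail body with one link of each kind plus a genuine one.
SAMPLE_EMAIL_HTML = """
<p>Dear Valued Member, please use the secure link below to update your password.</p>
<a href="http://USBaank.com/login/password-reset">https://www.usbank.com/login</a>
<a href="http://localflorists.com/USBank/reset-password">Reset your password</a>
<a href="http://usaa-com-account-online.lexqmi.com/">USAA Online</a>
<a href="https://www.usbank.com/">www.usbank.com</a>
"""


class _AnchorExtractor(HTMLParser):
    """Collect (display_text, href) pairs: what the reader sees vs where it goes."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_anchors(html):
    parser = _AnchorExtractor()
    parser.feed(html)
    return parser.anchors


def registrable_domain(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (squatted) domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(display_text, href):
    """Return (verdict, reason) for one link."""
    parsed = urlparse(href)
    host = parsed.hostname or ""          # hostname is already lower-cased
    domain = registrable_domain(host)
    path = parsed.path.lower()

    # 1. Masked link: the visible text is itself a URL/domain that differs from the real one.
    shown = display_text if "://" in display_text else "http://" + display_text
    shown_host = urlparse(shown).hostname or ""
    if "." in shown_host and " " not in shown_host and registrable_domain(shown_host) != domain:
        return "masked", f"text shows {shown_host} but the link goes to {host}"

    for brand, official in KNOWN_BRANDS.items():
        if domain == official:
            return "official", f"{host} is the registered {brand} domain"
        # 2. Squatted domain: registrable label within two edits of the real one.
        label, official_label = domain.split(".")[0], official.split(".")[0]
        if label != official_label and edit_distance(label, official_label) <= 2:
            return "squatted", f"{domain} looks like {official}"
        # 3. Hijacked/unrelated site: brand name planted in a subdomain or the path.
        if brand in host.replace("-", "") or brand in path.replace("-", ""):
            return "hijacked", f"'{brand}' appears on unrelated domain {domain}"
    return "unknown", f"{domain} matches no known brand; check WHOIS before trusting it"


def triage_email(html):
    """(display_text, href, verdict, reason) for every link in the body."""
    return [(text, href) + classify_link(text, href) for text, href in extract_anchors(html)]


if __name__ == "__main__":
    for text, href, verdict, reason in triage_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict:9} {href}  ({reason})")
```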

If you’re still not entirely sure after having taken all these steps, take the initiative to contact whichever organization is requesting information from you to verify the correspondence is legitimate. For example, if you’ve received a legitimate email from a bank, that bank will more than likely be able to check your account in their system and confirm whatever the email is claiming. If it turns out that the organization has no record of whatever the email is claiming, they may be able to help give some direction on which actions to take.

It is especially important to note that if you do happen to become a victim of phishing, you may need to update security settings on more accounts than just the account that was compromised, as people are creatures of habit and you have likely used the same security credentials across several accounts.

Report: This next step is crucial to helping prevent others from falling victim to the same phishing content sent to you: report it. Most email service providers have an easy way to report email addresses being used to spread phishing content. For example, within the message itself in Gmail, there is a button composed of 3 dots to the far right of the email header. Clicking on this will provide a dropdown menu with an option to report phishing. A new window will appear to confirm that you want to report the email as phishing, at which time the message will be sent to Google for review.

You can also report the malicious link in an effort to have the content removed by using tools like CentralOps.net to obtain contact information for the hosting provider and domain registrar, which both more than likely have an abuse contact email address dedicated to accepting reports of malicious and illegal content from people like yourself. In the case of hijacked sites, you might even go so far as to reach out to the site’s owner (if their contact information is not protected by an anonymity service such as WhoIsGuard) and let them know their site has been hijacked.

Alert: Alert the organization being impersonated. This will let the organization know to monitor your account for suspicious activity and keep you informed of any anomalies. Also, if you receive an email looking for such detailed information, it’s likely that others have received the same malicious requests. Alerting the organization often helps prevent more than just you from being at risk of compromise. Most organizations will have a security team monitoring for suspicious activity as well as compromised credentials using sites like PasteBin and HaveIBeenPwned, websites where compromised credentials usually end up.

Conclusion: Using the information gained from this article you now have a better idea of how hackers attempt to gain access to your account information, how to react to such attempts, and how to verify the content’s legitimacy. Additionally, you now have the resources necessary to help prevent others from becoming victims of the same attack by reporting the content in an attempt to have it removed.

About the Author

Matt Kafami has been working in information security since 2015 and took a particular interest in social engineering while working on contracts to protect various customers of organizations in the communications, financial, and entertainment industries from becoming victims of social engineering. This interest has also sparked Matt's passion for educating others in how to keep information and information systems secure.

¹ https://www.norwich.edu
UNIVERSITY OF SOUTH WALES

DURING THE COMPUTER FORENSICS DEGREE OF UNIVERSITY OF SOUTH WALES YOU CAN STUDY TOPICS THAT INCLUDE COMPUTER FORENSICS PROCESS, TOOLS AND PROCEDURES, UNDERSTANDING DIGITAL EVIDENCE, CRYPTOGRAPHY, INFORMATION SECURITY, LAW AND ETHICS, AND COMPUTER CRIME.¹
Are Digital Forensic Investigators under-estimating the Importance of Steganography within Criminal Investigations?

by Rachael Medhurst

Firstly, what is Steganography?

Steganography is often referred to in the Digital Forensic industry as a science or art. Steganography has been used for many years to enable people to hide data from unauthorised viewers.

This process works by the user hiding information inside another file, message, image or video. The image below shows the process of steganography:

Where does Steganography originate?

Steganography is a science that has been practised for centuries; however, as technology has evolved, so has this science. The word ‘steganography’ originated from Greece, means ‘concealed writing’, and has been traced back to 440 BC.

There are many examples of steganography from centuries ago; one example is shaving the hair of a slave, tattooing the message on the scalp and then sending the slave to the destination when the hair had grown back.

During World War II microdots were used; these are miniaturised photos that can be hidden in plain sight. Recipients were able to read the message using magnifiers to understand the alert.

Modern technology started to develop in 1985. Since then, a number of steganography software packages have been created that are free and available to the public. Some of the software packages include:

1. Openpuff
2. S-Tools
3. Steghide
4. Hide n Send
5. OpenStego

An example of the use of modern steganography is back in 2012 when Al-Qaeda used steganography to hide documents in porn videos located on a USB device. When Maqsood Lodin, a 22-year-old Austrian, was stopped and questioned by Berlin police, he was found with a USB device in his underwear that contained two porn videos. Through thorough analysis, 100 documents were located, which contained Al-Qaeda training manuals and operational details.
What does this mean for Law Enforcement?

As the data is encrypted and hidden within a file, any interceptor of an effective steganography file will not be able to view the data. This presents a problem to law enforcement agencies as, when searching devices, potential evidence could go undetected due to this scientific method.

Consider the following scenarios, which may be going undetected:

By pre-agreement, a criminal hides an indecent image of a child in a legitimate image, which is later sent to another via email. That legitimate image does not cause any concern to a Digital Forensic Investigator and has now gone undetected, but the recipient knows the passkey to retrieve the illegal data.

Another concern is if a drug dealer communicates with their customer using steganography to place an order. This would include the type of drug, the amount and where to meet.

With steganography being used to communicate without prying eyes, this could result in terrorists plotting an attack using this method that could go undetected, resulting in potentially a large number of injuries and deaths.

Are Investigators completing Steganalysis?

From the examples provided, it just shows the amount of data that could be hidden and undetected by the general public and potential criminals, which could have a huge impact on our safety.

To help counteract this, a form of detection called ‘steganalysis’ has been introduced. Steganalysis is the method investigators will use to detect hidden messages that have been implemented using steganography. However, are digital forensic investigators using ‘steganalysis’ actively in their cases?

Questionnaires:

A number of questionnaires have been handed out to Digital Forensic Investigators to gain a better understanding of their knowledge of steganography and if they are actively completing ‘steganalysis’ on their cases.

Upon asking 40 different Digital Forensic Investigators currently completing criminal cases, I have found that each participant had a limited understanding of steganography and had never come across it in their casework.

Examples of the questions and the answers provided from Digital Forensic Investigators are as follows:

• What is your understanding and knowledge of steganography and its anti-forensic effects within a criminal investigation?

There were mixed answers regarding this question; about half of the participants responded with a very limited knowledge of steganography, some investigators not understanding the process, just knowing the word means ‘concealed writing’ in Greek. The other half stated they had a good understanding of this process.

• Have you ever worked on a criminal case that involved steganography? If so, was the data found and how did this affect the investigation?

There was a mixture of responses for this question; some of the responses were as follows:

One participant was very firm in their response of: “No- have done 100s forensic computer investigations in the last 10 years not one of which featured steganography”.

The rest of the responses from the other 39 participants had a consistent wording of ‘No’, ‘not to my knowledge’ and ‘not that I have identified within a criminal investigation’.

• Do you believe that the use of steganography will increase and affect investigations dramatically?

This question had the participants very split; half of the participants said they do believe that the use of steganography will increase because of the simplicity of hiding data and how difficult it is to crack as an investigator.

However, the other half stated there is no reason to believe that this method would increase because they have not seen any information that would indicate this to be the case.

Upon reflection of this, is it that the public and criminals are not using this software, or that investigators under-estimate the use of steganography and are under-equipped to deal with this type of scientific method? However, what does that mean for potentially a large number of undetected criminals and the safety of the public?

How can this be addressed?

Firstly, as a lecturer, I am aware that steganography is taught within universities, with taster days available and other activities. However, new and upcoming investigators often read about steganography; there is a lot of information about this not being an issue to modern society. This is why this article has been created: to ensure that people are not under-estimating the impact that steganography can have on society and the dangers this poses.

Further to this, if investigators are not looking for steganography, how do we know that this isn’t a problem? To overcome this, a forensic technique called ‘steganalysis’ should become standard on every digital forensic case to ensure that all possible criminals are being caught. This would require training of Digital Forensic Investigators on steganography, the dangers that this can pose and how to overcome this problem effectively.
How does Steganalysis Work?

‘Steganalysis’ is basically the method of detecting any hidden content in other files. The main aim of steganalysis is to identify suspect packages and recover the hidden data.

With the developments made in steganography, there has been a development in steganalysis software. A number of these tools are presented below:

1. StegSecret
2. StegDetect
3. Stego Suite

The Stego Suite software contains four specialist tools, which are Stego Watch, Stego Hunter, Stego Analyst, and Stego Break. This software package enables digital investigators to identify, examine and analyse digital images or audio files to discover hidden messages that may exist within these files.

Apart from steganalysis software, there are a number of ways a Digital Forensic Investigator can detect if steganography has been used; some are shown below:

Visual Analysis

Visual analysis, which is often referred to as visual detection, works by the Digital Forensic Investigator looking through all the files for repetitive patterns. This is a very simple form of steganalysis, as the Digital Forensic Investigator just has to view all the images for any inconsistencies. This will indicate to the digital forensic investigator if there is any hidden data within a file. The investigator will compare the original files and the steganography files and try to detect any differences; this is known as a cover attack. This will enable the investigator to complete further analysis on the potential steganographic image.

Statistical Detection

Statistical analysis is an effective method that is used to process data and report trends. This works by filtering the LSBs (Least Significant Bits) of an image to identify steganographic patterns and algorithms. This is done because when the data is inserted into the image, the LSB will change and no longer contain information about the original image. This is an effective method to determine whether the data has been modified or seems suspicious to the investigator.

Structural Detection

The Digital Forensic Investigator can look at the metadata of files; this could include size differences, date/time differences and contents. As an example of this, if you have two image files that appear to look the same, but one image file is unusually large compared to the other file, this would be an indication that there is hidden data in the larger image file.

Program Files

Another method would be the digital forensic investigator looking at the programs that are installed or
previously installed; if the digital forensic investigator finds a steganography tool that has been run, this would be a big indication that steganography has been used. As the Digital Forensic Investigator is now aware of the program installed upon a device and utilised, once the investigator locates the carrier (the file containing the hidden data), they can then try to extract the hidden data using the same program.

Conclusion

Throughout this article, a real case has been explained where Al-Qaeda utilised this method to hide data; fortunately, this was detected. However, with the examples that have been provided on the potential for different crimes being hidden, can we ensure that we are not under-estimating the importance of steganography?

With the results from the primary research questionnaires aimed at current Digital Forensic Investigators within the criminal sector, they clearly lack knowledge of steganography but have stated they do not see this anti-forensic method in their investigations. Is it that digital forensic investigators do not see steganography in their cases, or that we are under-estimating the potential of this anti-forensic method and not looking for it?

About the Author

Rachael Medhurst is a graduate of the University of South Wales where she gained her Digital Forensic qualifications at both Bachelor’s and Master’s level. After graduating, Rachael became a Digital Forensic Investigator for a private firm that offered their assistance to a variety of forces throughout the country; while here she completed hundreds of cases and attended court as an Expert Witness. In the summer of 2018, Rachael decided to fulfill a role as a Digital Forensics and Cyber Security lecturer within the University of South Wales for their initiative BSc Applied Cyber Security program at the ‘National Cyber Security Academy’.

¹ https://www.southwales.ac.uk
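The Statistical Detection section above says that LSB embedding destroys the relationship between a pixel's least significant bit and the rest of the image. As an added example (not the author's code and not one of the tools listed), the following Python script implements the chi-square pairs-of-values test on a constructed greyscale image, once untouched and once after LSB-replacement embedding, so the effect the section describes can be measured. The image, the message bits and the decision threshold are constructed assumptions.

```python
"""Statistical LSB steganalysis (chi-square pairs-of-values test).

Added example, not code from the article or any listed tool. The greyscale
image is built in make_cover() so the script runs offline; embed_lsb() is a
plain LSB-replacement embedder of the kind simple stego tools use, and
chi_square_ratio() is the detector. The threshold in looks_embedded() is an
illustrative assumption.
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover():
    """Constructed cover image: intensities lean towards even values, so the
    counts within each pair (2k, 2k+1) are unequal, as in real photographs."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            value = 2 * ((x + y) % 128) + (1 if (x * y) % 13 == 0 else 0)
            pixels.append(value)
    return pixels


def embed_lsb(pixels, bits):
    """LSB replacement: the i-th pixel's least significant bit becomes bits[i]."""
    out = list(pixels)
    for i, bit in enumerate(bits[:len(out)]):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out


def make_stego(seed=2018):
    """Cover with a pseudo-random 'message' (constructed) written into every LSB."""
    cover = make_cover()
    rng = random.Random(seed)  # fixed seed keeps the demonstration deterministic
    bits = [rng.getrandbits(1) for _ in range(len(cover))]
    return embed_lsb(cover, bits)


def chi_square_ratio(pixels):
    """Chi-square statistic of the pairs-of-values test, divided by its degrees of freedom.

    LSB replacement only moves pixels between values 2k and 2k+1, so after
    embedding random-looking data the two counts in each pair become nearly
    equal. Each observed count is compared with the pair mean; a ratio near
    1.0 is what full random embedding produces, while a large ratio means the
    LSB plane still carries image structure (no or very little embedding).
    """
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        expected = total / 2.0
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return stat / pairs if pairs else float("inf")


def looks_embedded(pixels, threshold=3.0):
    """Assumed decision rule: flag the image when the ratio falls below threshold."""
    return chi_square_ratio(pixels) < threshold


if __name__ == "__main__":
    cover, stego = make_cover(), make_stego()
    print("cover ratio %.2f flagged=%s" % (chi_square_ratio(cover), looks_embedded(cover)))
    print("stego ratio %.2f flagged=%s" % (chi_square_ratio(stego), looks_embedded(stego)))
```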
UNIVERSITY OF THE WEST OF ENGLAND

FORENSIC COMPUTING AND SECURITY IS ONE OF UWE’S HIGHEST-RANKING DEGREES FOR GRADUATE EMPLOYMENT. THIS HAS LED THE UK GOVERNMENT TO HIGHLIGHT AN URGENT NEED FOR SKILLED GRADUATES IN FORENSIC COMPUTING.¹

Introduction to IoT: Forensics Challenges

by Kevin Rice

Abstract

The internet of things is becoming more popular and very sophisticated. Like many new emerging technologies, the internet of things is required to have digital forensics completed on the device should the device become involved in or infected with malware or other illegal activities. In this article we will discuss the technology of the internet of things and how this can relate to digital forensics.

What are Internet of things (IoT) devices & How can digital forensics relate to IoT?

The internet of things has been a topic of discussion for many years. An internet of things device is any device that is always connected to the internet and can be accessed this way. A few examples of IoT devices are smart televisions, smart watches, smart energy meters and even the Amazon Echo and other similar speakers. These are just a small sampling of the larger variety of devices that are interconnected via the internet. This, of course, gives the devices more functionality, and they can complete tasks a lot quicker and easier than in previous years. The Internet of things area has been vastly growing in the last five years and is expected to keep growing rapidly. The table below shows the number of interconnected devices from 1990 until what it is expected to be in 2025.

Year    Number of connected devices
1990    0.3 Million
1999    90 Million
2010    5 Billion
2013    9 Billion
2025    1 Trillion

(https://www.analyticsvidhya.com/blog/2016/08/10-youtube-videos-explaining-the-real-world-applications-of-internet-of-things-iot/)

There are several areas in which the internet of things is having a larger impact than in other areas. One of these areas is healthcare. Healthcare could be considered a considerable use of the internet of things infrastructure to enable doctors to monitor the progress of patients both inside and outside the hospital in different geographical locations.

Digital forensics is still a major topic for discussion in relation to the internet of things. There are several reasons why completing digital forensics on an IoT device is considered rather complicated now; the main one is that most IoT devices use cloud applications and storage, meaning that fragments of the information are stored on different physical servers, which is known as the cloud. You would therefore have to perform digital forensics both on the local IoT device and the cloud system they use. The digital forensics on the local device’s storage could tell us many things about the owner of the device including the
commands recently used; however, much of the content is usually stored and accessed on the cloud. Besides this, there is a range of different reasons why you may need to perform digital forensics on an IoT device. The process of a forensic analysis would include the identification of an infected device, the preservation of the data the forensic analyst will require, the analysis of the data by the analyst and then a report to type up to present their findings to assist a jury in the prosecution.

Issues with IoT device security & Privacy

There are many issues associated with the security and privacy of an IoT device, which include the vulnerabilities the attackers may discover to be able to successfully compromise a device. IoT devices can be manipulated and attacked like any other machine that is connected to the internet. One issue with an IoT device is that many are not very secure because security is usually an afterthought, meaning that an IoT device is theoretically easier to ‘hack’ than a PC or server. There are several ways in which a hacker can maliciously use an IoT device; however, one of the easiest methods is to infect the device with malware and then use it as part of a botnet, where the attacker is able to use the device’s resources, such as computing power, to perform malicious tasks without the owner’s knowledge. Since an IoT device is always connected to the internet, it is susceptible to many conventional computing attacks, which includes becoming part of a botnet. Using an IoT device in a botnet could be even more lucrative for a hacker because many IoT devices have sensors and actuators. The IoT devices would have a small amount of computing power to perform other tasks for the hacker such as sending emails. Since there will be trillions of IoT devices as time goes on, the hacker would not be required to gain malicious access to so many networks but only to a few to make a botnet successful in carrying out their task.

The sensors will detect an event or a physical object and the actuators will act on commands given. This could be especially true for an Amazon Echo device due to the fact you are able to control your heating, lighting and many other events just using your voice. This would mean that all the malicious user would have to do is tell the actuator (the electronic component that triggers an action) what to do, such as turn off all lights or turn off the heating in the case of an Amazon Echo. This action would be harmless, although very annoying for the end user who has no idea why this is happening.

Another scenario in which an IoT device infected with malware would be more likely to cause harm would be in healthcare. If a medical IoT device became infected with malware this could potentially become life threatening to the patient and concerning for the medical institution. Another name for IoT devices in healthcare is mIoT (medical IoT).
Examples of IoT devices becoming infected

There are a few examples where a device can become infected with malware that can affect any IoT device, and that includes medical devices, as will be discussed further on in this article.

The first example where an IoT device can become infected is for the device to become a botnet. The malware is called the Mirai botnet, which is also known as a Dyn attack. This can cause huge portions of the internet to become unavailable for many people since many IoT devices try to access the same service at the same time, therefore rendering it unavailable for everyone else. Once infected with this malware, the computer would then search for a list of well-known IoT devices that are insecure and then use their default usernames and passwords to log in to the device and infect the IoT device. This malware only affected devices such as DVRs and digital cameras and therefore could be considered inconvenient but not life-threatening like in our next example.

Another example of how an IoT device can become infected and cause harm to a person’s health and potentially life is the hackable cardiac devices that allow doctors to remotely view a patient’s heart rate and rhythm to see how many times the internal defibrillator is having to shock the patient’s heart. Once a hacker has gained access to the device, they are able to change the rhythm outputs or even administer unnecessary and potentially life-threatening shocks to the person with the device. This could therefore lead to a deadly shock being administered by the hackers and the device could malfunction.

A further prediction is that IoT devices could be considered the best targets for a ransomware attack. This is because currently the devices aren’t very secure, and ransomware can also ensure a user cannot control their device until the ransom has been paid. This would make collecting data for a forensic investigation quite difficult since the investigators would have to separate what was completed by the end user and by the hacker or the ransomware.

How to ensure IoT devices do not become infected

IoT security is a very recent topic in relation to the internet of things. This is because the security of technology is often regarded as less important than implementing the new technology. This poses a new risk to the infrastructure: as it has very low security, it is very easily attacked. This complicates things in a digital forensics investigation since the data could quite easily be erased by the hacker prior to the investigation. There are a few ways in which you can protect your IoT devices in today’s world, which include:

• Change the device’s default password to a password only you will remember
• Remove devices with telnet backdoors
• Run port scans on all networked devices and close all ports not required for the operation of your IoT devices
• Connect the device to a secure network where other people may not have access to the devices.

Open ports and backdoors can make it easier for the manufacturer to assist you in troubleshooting and fixing your IoT device; however, they also make it increasingly easier for a malicious user or hacker to gain access to your device and cause havoc with it. You can use popular free tools to check whether a device has a telnet backdoor or open ports that should be closed, which should make it easier for you to make your network more secure.

How can digital forensics be completed on IoT devices?

Digital forensics is proving a challenging matter in relation to IoT devices. This is due to the nature of an IoT device, which is predominantly cloud based, and therefore cloud forensics will play a part in an IoT device digital forensic investigation. Completing digital forensics on the cloud is a very contentious issue since the preservation of data in a forensic investigation is paramount, although the data of an IoT device could have been shared with other devices and processed by the cloud many times before being extracted from the device or the cloud. Since the cloud is made up of many, many servers all residing in different geographical locations, it would virtually become impossible to take fragments from each device and map them all together to produce the evidence. Therefore, cloud forensics must be used; however, this can also be difficult because most cloud providers require the users to have an account to access their data, and accessing the person’s account without finding the password would become very difficult.

Another challenge with completing digital forensics on IoT devices is that each device manufacturer could use different protocols and file formats for storing the local data of the device and, therefore, each investigator would have to learn what the protocols are that are used by the manufacturer prior to collecting any data. Also, because of the lack of interface that an IoT device provides, due to its nature, it would be very difficult to identify what is going on with a device, and transferring the data from one device to another would become very challenging without being specialised in embedded systems and the IoT infrastructure, which brings us to the interfaces that could be used to interact with many IoT devices.

One of these interfaces, and the most popular interface chosen by manufacturers, is the use of JTAG. The use of JTAG to remove ‘data’ from a device isn’t for the use of removing files stored on the device, for we could use a USB cable, which many devices will have access to. JTAG could be used to gather data about what the chips of the device are doing and the output of certain registers. This could aid the investigators to discover if a device is infected since the chips will likely be outputting their own protocols and maybe triggering events from the device with no user interaction. The use of JTAG is also popular for manufacturers since this interaction can discover if all the embedded systems devices are wired properly to each other. JTAG is an industry standard to be able to test the designs of circuits and many IoT devices that have no display to see what the device is completing and, therefore, the use of JTAG is to debug the device before it is widely used. JTAG can also be used to monitor a device’s behaviour and compare it with the manufacturer’s specification. If this is not the case, then the device may have been infected by malware or other malicious data. The use of JTAG could therefore be considered a best practice to be able to find out how an IoT device is operating at a component level to discover if a device has been infected or not.

Conclusion

As discovered, there are many ways of interacting with an IoT device, either through the cloud infrastructure or through the local device with the use of technologies such as JTAG to discover if the device has become infected and, therefore, could need to be forensically investigated. We have also discovered that devices should be used behind a secure network and usually a firewall to keep unwanted connections off the network they are connected to, as well as changing passwords and closing the unnecessary open ports on a device. Many manufacturers, such as Amazon with the Echo, will not give you many options of security; therefore, connecting it to a secured network may work best and be the most suitable option.

Bibliography

• JTAG Explained (finally!): Why "IoT", Software Security Engineers, and Manufacturers Should Care – Available from: https://blog.senr.io/blog/jtag-explained – Accessed: 26th October 2018 at 10:28am
• Anatomy of an IoT malware attack – Available from: https://developer.ibm.com/articles/iot-anatomy-iot-malware-attack/ – Accessed: 26th October 2018 at 10:28am
• The dark side of IoT devices – Available from: https://blog.avast.com/the-dark-side-of-iot-devices – Accessed: 26th October 2018 at 10:28am
• Digital evidence challenges in the internet of things – Chapter 2 WDFIA Papers – R.C. Hegarty, D.J. Lamb and A. Attwood
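The hardening checklist earlier in this article (port scans, telnet backdoors, ports a device does not need) can be turned into a repeatable review; the following is an added example, not code from the article, that reads nmap's grepable (-oG) output and flags each device. The scan lines, hostnames, device-class allow-lists and 192.0.2.x addresses are all constructed for the example.

```python
"""
Review nmap grepable output (-oG) against the IoT hardening points above:
telnet backdoors first, then any open port a device class does not need.

Added example; the scan below is a constructed sample, not a real scan.
"""
import re
from dataclasses import dataclass

# Constructed sample in nmap's -oG "Host:" line layout (one line per host).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 (camera-01.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (997)
Host: 192.0.2.11 (dvr-01.lan)\tPorts: 80/open/tcp//http///, 8000/open/tcp//http-alt///\tIgnored State: closed (998)
Host: 192.0.2.12 (echo-kitchen.lan)\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Ports each device class legitimately needs; anything else is flagged.
# These allow-lists are assumptions for the example, not vendor guidance.
ALLOWED_PORTS = {
    "camera": {80, 443, 554},
    "dvr": {80, 443},
    "echo": {443},
}

# Services that amount to a remote backdoor when left enabled.
BACKDOOR_PORTS = {23: "telnet", 2323: "telnet-alt"}

_HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\tPorts:\s+(?P<ports>.*?)(?:\t|$)"
)


@dataclass
class Finding:
    ip: str
    name: str
    port: int
    service: str
    reason: str


def parse_grepable(text):
    """Return {ip: (hostname, {port: service})} from -oG 'Host:' lines."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        open_ports = {}
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            # -oG port fields: port/state/proto/owner/service/rpc/version/
            if len(fields) < 5 or fields[1] != "open":
                continue
            open_ports[int(fields[0])] = fields[4]
        hosts[m.group("ip")] = (m.group("name"), open_ports)
    return hosts


def device_class(name):
    """Map a hostname to an allow-list key by its prefix (an assumption)."""
    for key in ALLOWED_PORTS:
        if name.startswith(key):
            return key
    return None


def review(hosts):
    """Flag backdoor services, then any open port outside the allow-list."""
    findings = []
    for ip, (name, open_ports) in hosts.items():
        allowed = ALLOWED_PORTS.get(device_class(name), set())
        for port, service in sorted(open_ports.items()):
            if port in BACKDOOR_PORTS:
                findings.append(Finding(ip, name, port, service,
                                        "telnet backdoor: disable it or replace the device"))
            elif port not in allowed:
                findings.append(Finding(ip, name, port, service,
                                        "not required for this device class: close it"))
    return findings


if __name__ == "__main__":
    for f in review(parse_grepable(SAMPLE_SCAN)):
        print(f"{f.ip} ({f.name}) {f.port}/{f.service}: {f.reason}")
```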
About the author

Kevin Rice has studied a BSc Forensic Computing degree programme at UWE Bristol and now has been developing an IT business that offers a variety of services for both individuals and small businesses called Kevs IT. I am always ready to help people with their computer and technology problems as well as learn new things myself. I am also currently looking for graduate employment with a company to be able to keep challenging myself in the field. In my spare time, I like to research emerging technology and deepen my understanding of both current and emerging trends in technology.

1 https://www.uwe.ac.uk
PURDUE UNIVERSITY GLOBAL

WALDEN UNIVERSITY

WESTERN GOVERNORS UNIVERSITY
Intro to data breaches and why get into IT field

by Kevin Moore

Data breaches

Information security and its management are of grave importance to each and every one of us. Young or old, richer or poorer, as consumers we all are at risk for identity theft or theft of private information. Information is critically important to employees, employers, companies, and governments across the globe. The Identity Theft Resource Center (https://www.idtheftcenter.org) has been tracking security breaches since 2005. They focus on patterns in data breaches and any new trends that seem to be developing to better protect and educate consumers and businesses on the threats and their importance in the realm of information security. The laws that protect our data have become increasingly more stringent for those who wish to parlay those skills to obtain financial, personal or political gain. In the past few years, we have been hearing quite a bit about data breaches and the damage they have caused to various companies, not only economically but to their overall integrity as well. Exactly what is a data breach? The ITRC defines a data breach as an incident in which an individual’s name plus a Social Security number, driver’s license number, medical record, or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not trigger data breach notification laws. The breaches usually consist of compromised user names, passwords and emails without involving sensitive personal identifying information. Data breaches cost a company plenty, so the art (and it is an art) of protecting consumers, businesses, and governments is very much in need and I don’t see the market slowing any time soon. There will always be data that needs protecting and technology will be advancing in leaps and bounds.

Those metrics create a formula for a very lucrative career with the right guidance and preparation. The ranks of cyber security threats have now reached the attention of national security. It has been said that our campaigns are waged by land, air, sea, and now by cyber. The government has now mandated a certain level of security which is deemed as a baseline to thwart most of your general attacks. In this new era of cyber-attacks, companies must do their due diligence to protect the identities and personally identifiable information of all individuals who participate in e-commerce as well as other areas where PII needs to be protected. Without attention to these factors, your company could be putting valuable data assets at risk, not to mention the possibility of fines.
There are no foolproof methods to prevent data breaches but care must be taken to at least have the basics of data security vulnerabilities mitigated. Think of the task of security professionals in this construct. There are thousands of vulnerabilities that must be mitigated and the hackers only have to find one to have success against your network. Want to be a security professional? No pressure, just another day at the office. Cool, calm, and collected and the weight of a billion-dollar enterprise hanging on your ability to be calculating, creative, and most of all prepared. I love what I do and can’t think of anything else I’d rather be doing. We are looking for a few good students so join the team and let’s have a ball.

Why get into IT field

Cyber Security, often referred to as information security or “InfoSec” for short, is the attempt to protect computers, networks, applications, programs, and data from intended or otherwise unintended or unauthorized access, change, or destruction. The misconception that has been relayed quite often is that the protection only applies to computers, but nothing can be further from the truth. The actual area of focus is the data or the information that resides on any digital device such as cell phones, PDAs (yes, some still utilize them), tablets and any other form of digital device that stores data. The data needs to be protected at rest, in transit, or while in use. There are many opportunities in this field and the areas of study are limitless. Many in the field enjoy cyber security for the sheer excitement of deciphering and strategizing the next move of the cyber security mavericks. We, as security professionals, must become well versed in several areas of security and network functions as well as forensics. There is no shortage of subjects to tackle when it comes to out-maneuvering your opponents. Anything is possible and the vulnerabilities are without measure. This is what drives learning and conceptualizing new techniques that require the ingenuity of a hacker, the methodology used by scientists, the instincts of a detective to recreate an event, as well as being a technological genius traversing through tools and techniques you find the most effective in your line of work. Sounds pretty intimidating, but if you have an interest in what you do then that will be overcome by the days spent learning and creating techniques that are unique to the areas you choose to focus on. It could take a lifetime of study to actually obtain the mastery at which you feel you’re competent to hold the position because threats are always changing. At the same time, that’s how you know you are in the right profession because you will see the career of lifelong learning as an asset, not a job. To protect the data, it would only make sense to restrict or encrypt the data so that if it resides on a device that was lost or stolen, the data would be of no use to the individual trying to access it. If this simple technique was applied in some of the major breaches that have occurred in recent years, companies would feel a little more secure and have confidence that we are closing the gap on some of these threats. If you have certain tools and technologies at your disposal but you do not realize the potential of the tool, then you are doing yourself and your organization a disservice by not doing your due diligence to find out what the tools can do. Once tested, use your own creativity to apply those tools in a security environment.

The information is neither hyperbole nor aggrandizement of the profession. Information security counts and it is one of the most sought-after skills with very few qualified professionals to fill the void. However, because of its integral association in business, government, social networks, and life in general, we are embarking upon some of the most revealing times in our history of technology. Computers have become more powerful and less expensive, thereby opening the door for less sophisticated attackers to gain access to some pretty secure networks. In technology, you would think that the more complex the design of your application, the better the security. Quite the contrary - the more complex a system, the more avenues that can be exploited and scanned for vulnerabilities. This concept of complexity is being manipulated by some hacker whose main focus is to seek one weakness in a sea of many. After the vulnerability has been discovered, there are steps that an attacker initializes (left out of this article for security concerns) that can render an entire network compromised and a host of events transpire after the breach is detected. One of the vestiges of a security breach that really needs to be relayed is the loss of consumer confidence. That pertains to the customer retention factor as well as future prospective clients. A significant breach can cause significant damage to a thriving company as well as destroy a burgeoning enterprise. That’s the significance of cyber security and its importance is tacit throughout the realm of information technology and business. Business is synonymous with IT and it is the vehicle that drives innovation and access. You can’t have one without the other and that access has to be guarded at all costs.

Education, along with experience and certifications, was my route to achieving my profession, but work experience in the profession and/or licenses, certifications, and registrations may be an avenue. Some reach this goal by career advancement. I have heard of some IT professionals starting out at an organization with a totally unrelated job function and making their way to IT. It can be done but I would advise the more traditional route. Purdue University Global was an excellent vehicle for my advancement and enrichment that definitely propelled my career to new heights and I am grateful for its program, achieving my master’s degree in October of 2014. The degree is not a prerequisite of an IT security position but it is definitely a vehicle that provides more options and opens more doors, which inherently leads to greater career advancement.
I will close by telling you some necessary attributes that are indicia of a competent IT security professional, in no order of importance:

1. Analytical skills. Information security analysts must carefully study computer systems and networks and investigate any irregularities to determine if the networks have been compromised.

2. Detail oriented. Because cyber attacks can be difficult to detect, information security analysts pay careful attention to their computer systems and watch for minor changes in performance.

3. Ingenuity. Information security analysts try to outthink cybercriminals and invent new ways to protect their organization’s computer systems and networks.

4. Problem-solving skills. Information security analysts uncover and fix flaws in computer systems and networks.

About the author

My name is Kevin, I reside in Roanoke, Texas. I hold an AAS in Computer and Electrical Engineering, a BS in IT Security and Forensics, a Master’s in IT Security & Assurance, a Master’s in Information Systems Management, and ultimately a doctorate, as I am in the doctoral study phase of my doctorate degree. I hold a CompTIA Security+ Certification and a Cisco CCENT certification. I also hold about 30 Dell certifications in repair and break/fix. I also hold 10 certificates from the Dept. of Homeland Security in conjunction with FEMA through Texas A&M Engineering under Cyber Security frameworks. I've been involved in IT for about 30 years, dating back to my first Computer Repair certificate while attending half a day of high school; the other half I attended vocational school through my 11th and 12th-grade years. I build and repair computers as a hobby and I also repair some systems for very little to no charge for the less fortunate. I formerly worked for the great state of Arkansas' Office of Systems and Technology department for DHS as the Sr. Information Cyber Security Engineer and Head of the Cyber Forensics Department. I helped to formulate the Computer Forensics program as well as documentation and chain of custody procedures. I played an integral role on an incident response team for the state and headed up the investigations for the forensics department. I also executed malware analysis and oversaw its reverse engineering. I was also formerly the EnCase Administrator in charge of the forensic investigations for the state of Arkansas. I also executed penetration testing and advanced the implementation and adherence of security protocols and policies in a secure network environment. I formerly authored a column on Cybersecurity for Purdue University's GITA organization. I am currently a Sr. Cybersecurity Engineer for a global financial services company as well as a faculty member of a university.
EDINBURGH NAPIER UNIVERSITY

EDINBURGH NAPIER UNIVERSITY OFFERS A LOT OF UNDERGRADUATE AND POSTGRADUATE COURSES RELATED TO COMPUTING - AMONG OTHERS: CYBERSECURITY & FORENSICS, ADVANCED SECURITY & DIGITAL FORENSICS AND ADVANCED SECURITY & CYBERCRIME.1
Forensic Analysis of Web Browsers in Private mode

by Tamunoibiton Adoki

Abstract

The importance of the privacy of personal data in the modern era is one of great concern. Users are becoming aware of their digital footprint and are taking precautions to keep their data from prying eyes. There is an attempt to reduce the footprint created online across websites visited and locally on the user’s personal devices while also attempting to make personal data inaccessible to unauthorised people.

The use of encryption is one such method used to prevent unauthorised access to data and is mostly applied to data stored online. A solution created to ensure that the local footprint is kept small is the use of private browsers. The implementation of private browsing is often a subject of research among academia.

This work focuses on the local footprint created and aims to contribute to perhaps a never ending research on privacy. Four major browsers are studied in this research using a combination of different experimental activities to investigate the efficiency of these browsers in private mode at keeping a small local footprint.

An experiment is performed in which a set of activities are used to seed each browser with data, after which forensic methods are used in an attempt to recover data stored locally in the primary storage devices. The behaviours of these browsers are also studied to make a comparison on observable differences in behaviour while in normal and private mode. This will give an insight into how private browsers go about implementing private browsing.

The results of the experiment show that Google Chrome and Mozilla Firefox are the most successful in keeping a small footprint on the primary storage device after the use of private browsing, and this is attributed to an operation that occurs in the above mentioned browsers. Internet Explorer and Microsoft Edge were the least effective in private mode as data was recovered with relative ease using forensic tools. In physical memory, however, related data is recovered using a keyword search, but this does not show a flaw but rather identifies it as a rich source of evidence. An attempted use of the Volatility tool to extract data from a captured image of physical memory, however, proved to be unsuccessful.
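The keyword search over physical memory that the abstract reports as successful, as an added example that is not part of the dissertation: it scans a constructed memory image for keywords in both ASCII and UTF-16LE (the encoding Windows uses for most of its strings) and widens each hit to the surrounding printable string, so a hit on "Chrome" returns the whole profile path it sits in. The planted URL, path, "InPrivate" marker and their offsets are assumptions for the example.

```python
"""
Keyword search over a raw physical-memory capture, searching every keyword
as ASCII and as UTF-16LE and widening hits to the full printable string.

Added example, not the dissertation's code. The memory image is constructed
here: pseudo-random filler with three browsing artefacts planted in it.
"""
import random


def build_sample_image(seed=7):
    """Constructed stand-in for a memory capture. Artefacts are planted
    NUL-delimited, as C strings and wide strings appear in a real capture."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(64 * 1024))
    profile = "C:\\Users\\tester\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\"
    plants = [
        (1000, b"\x00" + b"https://www.example.com/private-search?q=private+browsing" + b"\x00"),
        (20000, b"\x00\x00" + profile.encode("utf-16-le") + b"\x00\x00"),
        (40000, b"\x00\x00" + "InPrivate".encode("utf-16-le") + b"\x00\x00"),
    ]
    for offset, blob in plants:
        buf[offset:offset + len(blob)] = blob
    return bytes(buf)


def _printable(b):
    return 0x20 <= b < 0x7F


def widen_ascii(image, idx, limit=256):
    """Grow an ASCII hit left and right over printable bytes.
    Returns (start_offset, decoded_string)."""
    start, end = idx, idx
    while start > 0 and _printable(image[start - 1]) and end - start < limit:
        start -= 1
    while end < len(image) and _printable(image[end]) and end - start < limit:
        end += 1
    return start, image[start:end].decode("ascii")


def widen_utf16le(image, idx, limit=256):
    """Grow a UTF-16LE hit over code units of the form (printable, 0x00),
    stepping two bytes at a time so the wide string stays aligned."""
    start, end = idx, idx
    while (start >= 2 and image[start - 1] == 0 and _printable(image[start - 2])
           and (end - start) // 2 < limit):
        start -= 2
    while (end + 1 < len(image) and image[end + 1] == 0 and _printable(image[end])
           and (end - start) // 2 < limit):
        end += 2
    return start, image[start:end].decode("utf-16-le")


def keyword_search(image, keywords):
    """Return hits sorted by offset as dicts with the keyword, the encoding
    it matched in, the hit offset, and the whole string around the hit."""
    hits = []
    for kw in keywords:
        searches = (("ascii", kw.encode("ascii"), widen_ascii),
                    ("utf-16le", kw.encode("utf-16-le"), widen_utf16le))
        for enc, needle, widen in searches:
            pos = image.find(needle)
            while pos >= 0:
                run_start, text = widen(image, pos)
                hits.append({"keyword": kw, "encoding": enc, "offset": pos,
                             "string_offset": run_start, "string": text})
                pos = image.find(needle, pos + len(needle))
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image = build_sample_image()
    for h in keyword_search(image, ["example.com", "Chrome", "InPrivate"]):
        print(f"0x{h['offset']:08x} {h['encoding']:8} {h['keyword']:12} {h['string']}")
```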
Acknowledgements

I would like to show appreciation to a number of people whose advice and support proved to be invaluable for the duration of this project.

Firstly, I would like to say thanks to my parents; their constant advice and support, both morally and financially, throughout my program kept me going and focused. They made it possible to enroll in the university to pursue a master’s degree.

I would also like to thank my uncle for the support provided throughout my stay in Edinburgh.

Special thanks go to my supervisor Alsnousi Ali who kept me going in the right direction for this dissertation.
Introduction

Background

According to Kishore et al., forensics is the science applied in the resolution of legal problems. While digital forensics is a branch of forensics, it involves the collaboration of computer science and investigative procedures for the identification, collection, preservation, analysis and presentation of data that is admissible as evidence in a courtroom (Kishore, Saxena, & Raina, 2017).

In the early years, digital forensics began as a result of the use of information collected during audits performed by system administrators to improve the accuracy at which the systems processed data (Politt, 2010). These audits performed by the system administrators were to ensure accurate and efficient processing of data; however, law enforcement agencies could also use system audit information for the investigation of cyber-crimes. The proliferation of cyber-crime cases necessitated the creation of volunteer groups of law enforcement agents who were trained as investigators in obtaining information from suspect computers. Most digital forensic investigations were performed by officers who had basic training and often used personal equipment; there was an absence of digital investigation frameworks and formal supervision (Vincze, 2016).

The technology boom in 1995 and cases related to child pornography stressed the need for formal methods of performing digital investigations. Between 1999 and 2000, various regulatory bodies published guidelines and standards for digital forensic investigations, leading to the rise of different organisations that provide forensic services (Politt, 2010). Better tools were developed and the command line tools in use paved the way for the creation of more user friendly tools such as EnCase and the Forensic Toolkit (Vincze, 2016). To some, digital forensics might seem like a new development, but it can be traced to the 70s when engineers were able to recover a database that had been accidentally deleted (Caviglione, Wendzel, & Mazurczyk, 2017).

The year 2018 has seen an increase in the revenue generated from IoT devices and the worldwide revenue from the IoT platform will reach USD3.2 billion as more enterprises invest more in the technology (Rich, 2018). With the increase in the sales of IoT enabled devices, the challenge of performing forensic investigations on these devices also increases as there is a rise in the development of embedded operating systems. The use of IoT devices means that evidence no longer resides only on PCs or mobile phones but also on vehicles, RFID cards, wearable devices and sensors. Most IoT devices leverage cloud technology and this creates the problem of knowing the exact location of data required for an investigation, and this creates the main problem of IoT forensics, which is the problem of data acquisition, because standard processes that involve search and seizure do not apply to IoT devices (MacDermott, Baker, & Shi, 2018).

In RFC 3227 (Brezinski & Killalea, 2007), the Internet Engineering Task Force produced a set of guidelines that can be applied in the acquisition stage. According to the RFC, the procedure involved during acquisition must not alter data, but in some cases this is inevitable; however, the document suggests that these changes to data must be properly documented. Evidence must be collected first before analysis and this should proceed according to the level of volatility of data as follows: registry information, temporary files, network configuration information, remote sessions and then the hard drive itself.

According to Grande and Guadron, the preservation of recovered evidence is required to prevent any damage or alteration that makes the evidence non-admissible in the court of law. Copies of recovered media such as hard drives are made to prevent any modifications to the original medium, after which it is signed with a cryptographic hash used to make comparisons to ensure the integrity of the evidence (Grande & Guadron, 2016).
Aim and Objectives

The importance of the protection of private information nowadays is one of the great concerns, and one way users try to ensure privacy is the use of private browsing.

The aim of this project is to determine the extent to which browsers protect user data by analysing four popular web browsers to evaluate the efficiency of private browsing at protecting users’ private activity.
Accomplishing this aim will require the following objectives to be met:

1. Conduct a literature review to identify current and previous studies conducted in the field of digital foren-

sics, with an emphasis on research involving web browsers

2. Design a methodology that will be used to evaluate the efficiency of private browsers

3. Conducting an experiment that will observe the differences in the behaviour of browsers in private and nor-

mal mode while using forensics tools in an attempt to recover data left behind after private browsing

4. Discussing the results obtained and making a comparison between the tested web browsers

Research Questions

The main research questions this work will address include:

1. What information do web browsers store about users and to what extent does it store information?

2. Is it possible to recover data after a private browsing session?

3. How do browsers in private mode differ from browsers in non-private mode in terms of interaction with the

file and operating systems?

Motivation

The motivation for carrying out this academic project stemmed from the curiosity that arose from completing

a practical lab involving portable web browsers. Portable web browsers alongside private web browsers are

seen as solutions to prevent traces of a user’s activity on the internet from being stored locally. The possibility

of recovering data after the use of a portable browser raised the question of the effectiveness of the private

modes of web browsers.

Methodology

Introduction

The design of this experiment adopted a methodology similar to Montasari and Peltola, (2015) and Horsman

(2017). Montasari and Peltola investigated the level of privacy offered by various browsers. They set up a vir-

tual machine that was deliberately seeded with data using a predefined set of activities they attempted to re-

cover in order to validate or refute the claims of enhanced privacy provided by the private modes of various

browsers deployed within the Windows 7 operating system. Horsman (2017) studied the behaviour of Google
195
Chrome with a focus on the file system and the process level activity between both browsing modes. A file

monitoring tool was used to monitor the various interactions with the file system to make a comparison be-

tween how both browsing modes interact differently with the file system while attempting to identify how pri-

vate browsing is implemented.

A similar experiment is performed based on the Windows 10 operating system and the browsers; Google

Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer are examined and a comparison is made be-

tween their private and normal modes.

Previous research by Montasari and Peltola (2015) and Horsman (2017) studied browsers deployed in the Windows 7 environment, while this experiment is focused on the Windows 10 operating system and the latest versions of web browsers, which might behave significantly differently from the older versions that have been tested previously.

Experimentation

Previous research focused on older Windows operating systems and, up to this point, there is an absence of an up to date study involving the behaviour of web browsers deployed in the Windows 10 operating system. This research extends the research done by Montasari and Peltola (2015) by providing an up to date study of browsers in the Windows 10 environment by attempting to recover data after a private browsing session. The research performed by Horsman (2017) is also extended by studying the process level behaviour of three additional browsers while also identifying all possible locations where data could be stored and all files created by the browser.

This experiment involves the analysis of three different browsers and, to avoid mixing artefacts produced by the browsers, different options were considered before the use of a virtual environment was chosen. The first option was to install the same base operating system on different physical hard drives to which the browsers were installed. This option was not chosen as it would require three different hard drives, and creating an image of each hard drive would be time consuming as hard drives obtainable are typically one terabyte or more in size. The option of virtualization was chosen because VirtualBox, the virtualization software, is a free and open source tool and there would not be a need to use different physical hard drives. The second reason was that while setting up each virtual machine, the size of the virtual disk can be scaled down to the minimum size required to run the operating system and install the tools needed for the experiment. This would drastically reduce the time needed to create an image of the virtual drive.

Prior to analysing each browser, a predefined set of activities was carried out to populate each browser with artefacts. During the data population process, the various processes created by each browser, both in its normal mode and private mode, were monitored to compare the total number of events occurring in the normal and private modes, that is, the level of interaction between the browser and the file system. The write operations to the file system are particularly important as they give an insight into the files being created and written to, and it is assumed that a private browsing window will have significantly lower process level activity compared to a normal browser window in order to reduce its footprint on the operating system.

Additional research was performed to identify the location of artefacts produced by each browser; however, the Microsoft Edge artefacts were not found in the location specified in the reviewed literature, for unknown reasons, and a minor experiment was performed to discover where the artefacts produced by Microsoft Edge were located. This involved using Process Monitor to identify the files written to by the Edge browser processes.

Experiment Tools

FTK Imager

FTK Imager is an industry standard tool which is popular with law enforcement agencies and academics interested in digital forensic research. It is used to create byte for byte images of hard drives and other storage media during the process of acquisition. It has the capability to perform on-the-fly hashing of files in the hard drives and it also calculates a hash value of the entire hard disk before and after acquisition to prove that the integrity of the storage media has not been tampered with.

Autopsy

Autopsy is a graphical user interface to its open source counterpart, The Sleuth Kit. It is capable of recovering deleted files, performing timeline analysis and keyword searching. The functionality of Autopsy most vital to this experiment is its file indexing feature, which creates an index of all files present in a disk image and performs different classifications based on file type.

Process Monitor

Process Monitor is an advanced monitoring tool used for monitoring file system, registry and process activity. It is capable of filtering, which classifies the events that occur based on activity type.

Table 1 below gives a summary of the software used in this research.

Software           Version
VirtualBox         5.2.14
Windows 10 Pro     1703
Process Monitor    3.50.0.0
WinHex             19.6.0
Autopsy            4.70
Google Chrome      67.0.3396.99
Mozilla Firefox    61.01
Microsoft Edge     42.17134.1.0
FTK Imager         3.4.5
Volatility         2.6

Table 1: list of software tools utilized in the experiment

Procedure

This section explains in detail each activity carried out in conducting this experiment. The processes include the Virtual Machine configuration, reasons for the choice of tools, the process of creating browser artefacts with predetermined activities, creating an image of the virtual hard disk and the collection of results after the experiment.

VM Configuration

A simulation of a Windows 10 operating system was created using Oracle VirtualBox version 5.2.14 as it requires less time to set up than utilizing a physical machine. VirtualBox was favoured as the choice of virtualization software mainly because it is an open source tool and, therefore, free to use compared to the similar software VMware, which requires purchasing a license to use the software. VirtualBox utilizes a virtual hard disk file to store the operating system environment and, during installation, the size of the virtual hard drive can be scaled down to the minimum storage size required to perform the experiment to reduce the time it takes to create an image of the virtual hard drive using FTK Imager.

Each experiment was run in a similar environment created from the snapshot of an initial installation to ensure results from one experiment do not corrupt the results when performing the next experiment. The initial installation was cloned two times, after which one browser was installed to each. The hardware specifications for the virtual machine are shown below:

• Processor: Intel Core i7 – 7700HQ
• Processor speed: 2.8GHz
• Processor Count: 4
• Memory: 2 GB
• Storage: 30 GB
• VM Storage Format: Virtual Machine Disk (VMDK)
• OS: Microsoft Windows 10 Pro

Browser Selection

The study of the behaviour of web browsers in their normal and private modes was the primary objective of this experiment and, as such, the browsers with the highest popularity among desktop users were selected based on statistics retrieved from w3counter.com, an online statistics website. The browsers selected were Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. The Safari browser was the second most popular browser for desktop users but it was not included in this experiment as it was not popular among users of the Windows operating system. Having a combined popularity of 66.7 percent, these browsers were the most common browsers with private modes, and so were the ones utilised in this experiment.

During the browser selection process, a different class of browsers was also considered. These browsers are used to provide online anonymity through the use of protocols like onion routing; they were not selected for study as they were outside the scope of this research, which focused on local privacy.

Data Population

The chosen browsers were used to carry out a predefined set of activities using different websites: searching for items, logging in with usernames and passwords, watching videos, reading PDF documents, viewing images and creating bookmarks. The activities were carried out in an attempt to simulate user behaviour during a browsing session and to produce a variety of artefacts that were chosen because, if found, the correlation of information from the various artefacts can be used to identify a user’s browsing habits.

The various activities that were carried out to populate the browsers with data are listed in Appendix 1. The data population process was preceded by launching the file monitor tool and letting it run for the entire duration the browser windows were open.

It should be noted that the keywords searched for were selected mainly to reduce the likelihood of false positives during the post data population file system analysis.

Research on web browser artefact locations

Additional research was carried out to discover the known locations where each browser stores its data. Each browser shared a similar storage location: all browsers analysed stored artefacts in their application folders. The table below lists the locations of the browser artefact files. Only artefacts that include browsing history, cookies, bookmarks, credentials, keywords and typed URLs are stored in the locations listed below.

Browser            Artefact Location
Google Chrome      C:/Users/[username]/Appdata/Local/Google/Chrome/user data/default
Mozilla Firefox    C:/Users/Username/Appdata/local/Mozilla/Profile/*.default/

Table 2: artefact locations of Chrome and Mozilla browsers
It is important to note that the locations reported for Microsoft Edge browser artefacts in various literature were inconsistent and a separate experiment was conducted to discover the location in which the Edge browser stored its artefacts. The experiment involved the use of the Process Monitor tool to monitor the processes created by the Edge browser to discover which folders it accessed and which files were being written to. The location of Edge browser’s default folder was found to be:

C:\...\Appdata\Local\Packages\Microsoft.MicrosoftEdge_*\Ac\MicrosoftEdge\user\Default

The location of Edge browser’s primary database was found to be:

C:\...\Appdata\Local\Packages\Microsoft.MicrosoftEdge_*\Ac\MicrosoftEdge\user\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

This database was found to contain tables for artefacts such as auto form fill data, bookmarks, browser extensions, reading list, top sites, typed URLs and URL history.

Limitations of research methodology

There are several drawbacks of the methods used in this research. The various activities carried out to simulate user behaviour are not sufficient to duplicate a real browsing experience that involves different variables. There was prior knowledge of what information to search for and this makes the recovery of data from a private browsing session relatively easy, unlike in a real scenario where no keywords would be available.

Due to a license for EnCase being expensive to obtain and being unavailable for use in this project, it was not possible to know if EnCase would have discovered artefacts from Google Chrome and Mozilla Firefox which Autopsy was unable to recover. Relying on physical memory as a source of evidence will not be practical in a real scenario due to the loss of data in physical memory after a shutdown.

With the increasing popularity of solid state drives, it is not known if the artefacts recovered in this experiment would also be recovered from solid state drives. A solid state drive uses garbage collection technology to wipe disk blocks marked as dirty due to their content being overwritten. This happens automatically and might perhaps permanently delete the artefacts that might not be properly deleted by the browser, thereby making the recovery of data after private browsing almost impossible.

Experimentation and Findings

Disk image analysis

In the search for artefacts left behind after carrying out a private browsing session, an image of the virtual machine disk was analysed using Autopsy following the data population process. This phase of experimentation involves only the private modes of the browsers. The browsing artefacts were searched for in both allocated and unallocated space of the disk. Files in unallocated space are no longer accessible by a user due to the deletion of the file. When a file is deleted from the NTFS file system, only the metadata of the file is deleted. This file metadata includes details such as the file name, file size, last modified, last accessed and file creation date. Although the file metadata is deleted, the contents of the file still remain intact until it is overwritten by another file. Unallocated files are vital in this experiment because they are a potential source of data regarding deleted files. If any private browsing artefacts are present in the unallocated space, it is likely that they will not be discovered by the average user due to an absence of the knowledge of the inner workings of a file system. Allocated files, on the other hand, still reside on the disk and can be accessed by navigating through the file system directory tree structure.

A keyword search is performed, using the keyword search functionality of the Autopsy tool, to find files containing data relating to the activities carried out. A list of keywords was generated based on the websites visited and the various activities carried out. The list of keywords is shown in Appendix 1. A manual search for artefacts is also performed alongside the keyword search to search for artefacts located in known locations (reported in literature). This phase of the experiment is carried out in an attempt to provide an answer to the research question of the possibility of data being recovered after a private browsing session.
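Autopsy's keyword search runs over the whole image, allocated and unallocated space alike. The block below is an added example, written for this article rather than taken from it or from Autopsy, showing the core of such a search in Python: it scans a raw image in chunks, carries the tail of each chunk into the next so a hit straddling a chunk boundary is not lost, and matches every keyword both as ASCII and as UTF-16LE, because several of the Windows artefacts examined later (the ESE databases WebCacheV01.dat and spartan.edb, the registry) store strings as UTF-16LE and an ASCII-only search finds nothing in them. The keyword list and the image bytes are constructed for the demonstration; the article's actual keyword list is in its Appendix 1.

```python
import io
import re

# Constructed stand-in for a slice of a raw disk image: an ASCII HTML fragment
# (as found among carved page files), a UTF-16LE URL (as stored in ESE
# databases such as WebCacheV01.dat and spartan.edb), and an upper-case hit.
SAMPLE_IMAGE = b"".join([
    b"\x00" * 40,
    b'<a href="https://www.amazon.co.uk/dp/B0000">Buy</a>',        # ASCII, starts at offset 40
    b"\xff" * 30,
    "https://www.amazon.co.uk/s?k=forensics".encode("utf-16-le"),   # UTF-16LE, starts at offset 121
    b"\x00" * 20,
    b"AMAZON",                                                      # offset 217
    b"\x00" * 10,
])


def keyword_patterns(keywords):
    """Return (keyword, encoding, compiled regex) triples. Each keyword is
    matched case-insensitively both as ASCII/UTF-8 and as UTF-16LE; an
    ASCII-only search silently misses strings Windows stores as UTF-16LE."""
    pats = []
    for kw in keywords:
        for enc, raw in (("ascii", kw.encode("utf-8")),
                         ("utf-16le", kw.encode("utf-16-le"))):
            pats.append((kw, enc, re.compile(re.escape(raw), re.IGNORECASE)))
    return pats


def search_image(fobj, keywords, chunk_size=1 << 20):
    """Scan a raw image (any binary file object, e.g. an open dd/raw file)
    chunk by chunk and return sorted (offset, keyword, encoding) hits.
    The tail of each chunk is carried into the next so a keyword straddling
    a chunk boundary is still found; hits lying entirely inside that carried
    tail were already reported from the previous chunk and are skipped."""
    pats = keyword_patterns(keywords)
    overlap = max(len(pat.pattern) for _, _, pat in pats)
    hits = []
    carry = b""
    base = 0                      # absolute image offset of buf[0]
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for kw, enc, pat in pats:
            for m in pat.finditer(buf):
                if m.end() > len(carry):      # extends past the carried tail: new hit
                    hits.append((base + m.start(), kw, enc))
        carry = buf[-overlap:]
        base += len(buf) - len(carry)
    return sorted(hits)


def search_bytes(data, keywords, chunk_size=1 << 20):
    """Convenience wrapper for an in-memory image slice."""
    return search_image(io.BytesIO(data), keywords, chunk_size)


if __name__ == "__main__":
    for offset, kw, enc in search_bytes(SAMPLE_IMAGE, ["amazon", "forensics"]):
        print(f"offset {offset:8d}  {kw:<10s} {enc}")
```

Running it with a small chunk size (for instance 64 bytes) exercises the boundary handling: the ASCII hit at offset 61 and the UTF-16LE hit at offset 179 both cross a chunk edge and are still reported exactly once. The same idea extends to other encodings a given artefact uses (URL-encoded or base64 forms would need their own patterns), which is why an examiner should know the storage format of each artefact before trusting a negative keyword result.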

Mozilla Firefox

Analysis of the disk image on which Mozilla Firefox was installed did not reveal any data that could identify the activities of a user during a private browsing session; the keyword search did not produce any matches. While navigating through the file system tree, it was discovered that Mozilla Firefox had a separate location for storing data, different from its default folder, in the directory:

“C:/../Appdata/Roaming/Mozilla/Firefox/Profiles/urnipy0x.default/storage/permanent/chrome/idb”

Autopsy revealed SQLite database files that were linked to Mozilla Firefox due to the timestamps that show they had been accessed within the timeframe the browser was launched. Some of these files had been deleted, but Autopsy was able to recover them to reveal their contents. The analysis of the contents of the deleted and non-deleted SQLite database files showed the absence of any information that could be used to identify a user’s activity. The only information that could be retrieved from the files is their recently accessed timestamp, which indicates that the browser was used recently, although from this information it is not possible to make a deduction as to whether it was a private browsing or a normal browsing session.

Further navigation through the file system structure revealed a deleted file located in the “$OrphanedFiles/credential” directory. This file contained information revealing that a private browsing window was opened, as shown in figure 4.3. Figure 4.4 shows the accessed timestamp of the file, which reveals the exact time when the private browsing window was opened.

Figure 4.3: File Content revealing the use of a private browser

Figure 4.4: file timestamp shows time Private browsing window is opened

Given that these files are located in a particular user directory, this information can be used to identify the particular user that had used private browsing. A cookie persisted revealing the fact that a private browsing session had taken place and its metadata had information about the time in which a private browsing session took place, as shown in figure 4.5.

Figure 4.5: Cookie retained after private browsing

Google Chrome

An initial keyword search performed using Autopsy did not match any of the keywords, but while manually navigating through the file system directory tree, a photo was discovered in the $CarvedFiles directory, which is located in the root directory and is not accessible to a user unless a tool like Autopsy is used. The file found was a thumbnail file that was probably created when the PDF file was viewed during the data population process. Although the file MAC times have been deleted, the content of the file still remains, as shown in figure 4.6.

Figure 4.6: Photo recovered from carved files

This file was found among a number of files discovered in unallocated space, but all files had their MAC times deleted, and the contents of these files do not give any evidence that a private browsing session had taken place. The search for artefacts in allocated space did not yield positive results and the only information present were the timestamps of the files in Chrome’s default directory that show the browser had recently been used. The fact that the files had been recently accessed but contained no information also tells us that private browsing had taken place or the browsing data had been deleted manually.

Microsoft Edge

The analysis of Microsoft Edge’s InPrivate mode produced the highest amount of data that could be used to identify the activities of a user after a private browsing session. An initial keyword search produced matches for each of the keywords; the number of matches for each keyword is shown in Appendix 2 (Table 12). Most of the files whose contents produced matches were found in unallocated space and merely relying on the names of the files would not give away the information they contain. Additional data was recovered through manually navigating to the “$CarvedFiles” directory visible within the Autopsy GUI. Data recovered from the carved files included whole chunks of HTML code that was used to construct the visited pages. Careful manual inspection revealed that some of these files not only contained HTML code but also the links to the web pages visited, as shown in figure 4.7 and 4.8.

Figure 4.7: Content of recovered file showing visits to Amazon

Figure 4.8: HTML code from Amazon web page

The last location examined was the default folder of Microsoft Edge. Within this location, deleted files identified earlier in the process monitoring experiment were discovered and these files contained precise information about the contents of the web pages a user viewed, as shown in figure 4.9 and 4.10.

Figure 4.9: deleted files recovered from Microsoft Edge’s default directory

Figure 4.10: content of a deleted file

Internet Explorer

Results from the experiment on Internet Explorer show that it produced the largest number of recoverable artefacts. The keyword search performed produced matches for the keywords listed in Appendix A; screenshots of the contents of the files that matched the keywords are shown below. From the data recovered, it can be observed that the browser also stores data for pages linked to the current page, as items related to the web page viewed directly were also saved.

Autopsy’s Exif Metadata module recovered a large number of images different from the images intentionally viewed as part of the data population process. Two such images are shown in figure 4.11 and 4.12. It is assumed that Internet Explorer cached all elements of the web pages visited.

Figure 4.11: photo related to viewed content

Figure 4.12: Recovered photo related to viewed content

When the $CarvedFiles directory was analysed, it was found to contain a large number of unallocated files whose content was still intact and which, when viewed manually, were found to also be elements of the web pages. This directory also contained chunks of HTML code that could be used to reconstruct the web pages to see exactly what the user saw while browsing.

Manual navigation to Internet Explorer’s cached file directory, located at C:/Users/Experiment/AppData/Local/Microsoft/Windows/INetCache/Low/IE, revealed the existence of deleted cached files whose metadata had been deleted but whose contents were still intact. These files were easily retrieved, but some of the files could not be retrieved due to their contents having been deleted, as shown in figure 4.13 and 4.14.

Figure 4.13: Cached file with contents deleted

Figure 4.14: Cached file with intact content

Also discovered while manually navigating to known locations where artefacts are stored was the WebCache directory containing the WebCacheV01.dat file and log files that also contain data, as shown in figure 4.15. These files still existed in allocated space with their contents intact. The WebCacheV01.dat file matched most keywords and these files contained information that includes all links visited and items searched for.

Figure 4.15: WebCache files present in allocated space

Process Activity

Monitoring the processes created and the interaction with the file system will give an insight as to how browsers in private mode differ from the same browsers operating in their normal browsing modes, while attempting to provide an explanation of why Chrome and Firefox are better at maintaining privacy than Internet Explorer and Microsoft Edge. The information of interest in this phase of experimentation is the total number of events occurring and the events that are write related, because data being written to files increases the chances of revealing user activity. Information obtained in this phase of experimentation will answer the research question of how browsers in private modes differ from their normal modes.

The sections below describe the results that were obtained from this phase of experimentation for the tested browsers.
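Both the Edge artefact-location experiment described under Methodology and the process-activity phase described here come down to the same operation on a Process Monitor capture: count the events per browser process, count the write-related ones, and tally them per path. The block below is an added Python example written for this article, not the author's tooling. It works on a Process Monitor CSV export (File > Save, CSV format) and uses the default column headers of that export. The sample rows are constructed; the process names MicrosoftEdge.exe and MicrosoftEdgeCP.exe and the paths echo those discussed in the text, and the set of operations counted as write related is an assumption, since the article does not list which Process Monitor operations it counted. The percentage_decrease helper reproduces the last two columns of Table 4.1 from the two mode totals.

```python
import csv
import io
from collections import Counter

# Column headers of a Process Monitor CSV export (File > Save, CSV format).
PROCMON_HEADER = ("Time of Day", "Process Name", "PID", "Operation",
                  "Path", "Result", "Detail")

# Operations counted as "write related". The article does not say which
# Process Monitor operations it counted, so this set is an assumption.
WRITE_OPS = {"WriteFile", "SetEndOfFileInformationFile",
             "SetAllocationInformationFile"}

EDGE_PROFILE = (r"C:\Users\Experiment\AppData\Local\Packages"
                r"\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default")
RECOVERY_DAT = EDGE_PROFILE + r"\Recovery\Active\{A1B2C3D4}.dat"
SPARTAN_EDB = EDGE_PROFILE + r"\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb"

# Constructed sample events (invented for illustration, not a real capture).
SAMPLE_ROWS = [
    ("10:01:02.1000", "MicrosoftEdgeCP.exe", "4120", "CreateFile", RECOVERY_DAT, "SUCCESS", "Desired Access: Generic Write"),
    ("10:01:02.1010", "MicrosoftEdgeCP.exe", "4120", "WriteFile", RECOVERY_DAT, "SUCCESS", "Offset: 0, Length: 4,096"),
    ("10:01:02.1020", "MicrosoftEdgeCP.exe", "4120", "WriteFile", RECOVERY_DAT, "SUCCESS", "Offset: 4,096, Length: 1,024"),
    ("10:01:02.1030", "MicrosoftEdgeCP.exe", "4120", "SetEndOfFileInformationFile", RECOVERY_DAT, "SUCCESS", "EndOfFile: 5,120"),
    ("10:01:02.1040", "MicrosoftEdgeCP.exe", "4120", "CloseFile", RECOVERY_DAT, "SUCCESS", ""),
    ("10:01:02.2000", "MicrosoftEdge.exe", "3980", "WriteFile", SPARTAN_EDB, "SUCCESS", "Offset: 32,768, Length: 8,192"),
    ("10:01:02.2010", "MicrosoftEdge.exe", "3980", "ReadFile", SPARTAN_EDB, "SUCCESS", "Offset: 0, Length: 8,192"),
    ("10:01:02.2020", "MicrosoftEdge.exe", "3980", "RegQueryValue", r"HKCU\Software\Classes\Local Settings\MuiCache", "SUCCESS", ""),
    ("10:01:02.3000", "svchost.exe", "1204", "WriteFile", r"C:\Windows\Logs\CBS\CBS.log", "SUCCESS", "Offset: 0, Length: 512"),
    ("10:01:02.3010", "svchost.exe", "1204", "ReadFile", r"C:\Windows\System32\config\SOFTWARE", "SUCCESS", "Offset: 0, Length: 4,096"),
]


def render_procmon_csv(rows):
    """Serialise rows in the fully quoted CSV form Process Monitor exports."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(PROCMON_HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def parse_procmon_csv(text):
    """Parse an exported Process Monitor CSV into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarise(events, process_names=None):
    """Count total and write-related events, optionally restricted to a set of
    browser process names, and tally write-related events per path. The
    per-path tally is how the Edge artefact directories were located; the
    two totals are the figures compared between normal and private modes."""
    total = writes = 0
    writes_by_path = Counter()
    for ev in events:
        if process_names is not None and ev["Process Name"] not in process_names:
            continue
        total += 1
        if ev["Operation"] in WRITE_OPS:
            writes += 1
            writes_by_path[ev["Path"]] += 1
    return {"total_events": total, "write_events": writes,
            "writes_by_path": writes_by_path}


def percentage_decrease(normal, private):
    """Percentage decrease from the normal-mode count to the private-mode
    count, rounded to one decimal as in Table 4.1."""
    return round(100.0 * (normal - private) / normal, 1)


if __name__ == "__main__":
    events = parse_procmon_csv(render_procmon_csv(SAMPLE_ROWS))
    edge = summarise(events, {"MicrosoftEdge.exe", "MicrosoftEdgeCP.exe"})
    print("Edge events:", edge["total_events"], "write related:", edge["write_events"])
    for path, n in edge["writes_by_path"].most_common():
        print(f"{n:5d}  {path}")
    print("Chrome total-event decrease:", percentage_decrease(426700, 241250), "%")
```

Filtering by process name matters for the browsers studied here: Edge splits its work across MicrosoftEdge.exe and the MicrosoftEdgeCP.exe content processes, and Chrome runs several renderer processes, so a per-browser total must include every process of that browser, not just the one the user launched.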

Google Chrome (Incognito)

Analysis of Google Chrome’s process activity in Incognito mode shows the various files created and directories that were accessed. It was discovered that the highest number of write operations was to the file paths:

C:\...\Chrome\User Data\Default\GPUCache\data_0

C:\...\Chrome\UserData\ShaderCache\GPUCache\data_0

C:\$ConvertToNonresident

with 262, 174 and 54 write operations respectively to these files. The .tmp files identified by Horsman (2017) in his experiment were also found to exist in these directories:

C:\...\Appdata\Local\Google\Chrome\User Data

C:\...\Appdata\Local\Google\Chrome\User Data\Default

However, with the Incognito window open, an attempt was made to navigate to the above directories but the files were not found in the specified directories. In two separate experiments with slight variations in the approach used, it was found that the number of write operations to the “C:\$ConvertToNonresident” path coincided with the number of .TMP files discovered, and it is believed that the data written to the above directory might be responsible for the .tmp files not being discovered.

Data was also discovered to have been written to some of Chrome’s databases: History, Web Data and Login Data. However, upon the examination of the SQLite database files, no data was found relating to the private browsing session. Google Chrome is able to interact with its SQLite databases using structured query language (SQL) and it is believed that the entries in the databases might have been deleted after the browsing session was terminated.

Google Chrome

Analysis of Chrome’s process activity in its normal mode shows a big difference in the number of write operations and the number of files written to when compared to Incognito mode. A summary is shown in Table 4.1. Data from the Process Monitor tool shows the highest number of write operations was to the files:

C:\...\Chrome\User Data\Default\Cache\data_0

C:\...\Chrome\User Data\Default\Cache\data_1

with 96,633 and 17,879 write operations respectively. 127 TMP files were identified as having been created in the directories:

C:\...\Appdata\Local\Google\Chrome\User Data

C:\...\Appdata\Local\Google\Chrome\User Data\Default

An attempt was also made during this experiment to verify the existence of these files but, upon navigation to the directories listed above, the files were not found even after setting Windows File Explorer to view hidden files. It was also discovered that data was written to the directory “C:\$ConvertToNonresident”, and the number of writes to this file coincided with the number of TMP files that exist. Results from both Incognito and normal mode further increased the likelihood of data written to the above file being responsible for the absence of the TMP files. Data was also found to have been written to Chrome’s databases: History, Top Sites, Favicons, Cookies and their journal files, History-Journal, Top Sites-Journal, Favicons-Journal and Cookies-Journal. Data being written to these files is not surprising as they will persist until they are manually deleted by the user. A summary of the files created is shown in Table 4.1.

Mozilla Firefox

Analysis of Mozilla Firefox process activity operating in normal mode shows that, with the predetermined actions to populate the browsers with data, the highest number of write operations was carried out on the “cookies.sqlite-wal”, “places.sqlite-wal” and “cookies.sqlite” database files with 29,120, 11,370 and 2,357 write operations, respectively.

There was a large number of cache files created in the directory

C:\...\AppData\Local\Mozilla\Firefox\Profiles\yx50t4rf.default\cache2\entries

with 5,201 events. This represents a large volume of the processes that occurred during the browsing session. However, the contents of these files that remained after the browsing session was terminated, when examined with a hex editor, was unreadable text, but further analysis of the files shows that they contain the date and time for a digital certificate request. Also discovered in this test was a total of 18 writes to “C:\$ConvertToNonResident”.
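The -wal files at the top of that list matter to an examiner, and they also bear on the Firefox disk-image finding above, where the recovered SQLite files held no session data. In SQLite's write-ahead-log mode a committed row is appended to the places.sqlite-wal (or cookies.sqlite-wal) file and is only copied into the main database file at the next checkpoint, so rows can live in the -wal file alone for a while, and a copy of places.sqlite taken without its -wal and -shm companions can look empty even though the browser sees the rows. The following Python block is an added example, not code from the article: it builds a small database with a simplified moz_places table (modelled on the Firefox places.sqlite schema, with constructed rows), then checks the raw bytes of each file before and after a checkpoint, the way a hex editor or a keyword search would see them.

```python
import os
import sqlite3
import tempfile

# Simplified moz_places table; Firefox's real places.sqlite has more columns.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT,
    title TEXT,
    last_visit_date INTEGER   -- microseconds since the epoch, as Firefox stores it
);
"""

# Constructed sample visits; the host name is a reserved, non-resolving domain.
SAMPLE_VISITS = [
    ("https://www.example.invalid/search?q=forensics", "Search results", 1531000000000000),
    ("https://www.example.invalid/watch?v=demo", "Demo video", 1531000060000000),
]


def file_contains(path, needle):
    """Exact byte search over the whole file, the way a hex editor or an
    Autopsy keyword search sees it. A missing file contains nothing."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def wal_demo(workdir):
    """Insert rows into a WAL-mode database and report, as a dict, where the
    first URL can be found on disk before and after a checkpoint."""
    db = os.path.join(workdir, "places.sqlite")
    wal = db + "-wal"
    needle = SAMPLE_VISITS[0][0].encode("utf-8")   # TEXT is stored as raw UTF-8

    conn = sqlite3.connect(db)
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchall()[0][0]
    conn.executescript(SCHEMA)
    # Checkpoint once so the (still empty) schema is in the main file and the
    # comparison below reflects only the rows inserted afterwards.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()

    conn.executemany(
        "INSERT INTO moz_places(url, title, last_visit_date) VALUES (?, ?, ?)",
        SAMPLE_VISITS)
    conn.commit()                 # durable, but appended to the -wal file only

    result = {
        "journal_mode": mode,
        "visible_through_sqlite": conn.execute(
            "SELECT count(*) FROM moz_places").fetchall()[0][0] == len(SAMPLE_VISITS),
        "in_wal_before_checkpoint": file_contains(wal, needle),
        "in_main_before_checkpoint": file_contains(db, needle),
    }
    # A checkpoint copies the WAL frames into places.sqlite and truncates the WAL.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    result["in_main_after_checkpoint"] = file_contains(db, needle)
    conn.close()
    return result


def run_wal_demo():
    """Run wal_demo in a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as workdir:
        return wal_demo(workdir)


if __name__ == "__main__":
    for key, value in run_wal_demo().items():
        print(f"{key:28s} {value}")
```

The practical consequence is that the .sqlite file, its -wal and its -shm should be collected together and, when examining a database that was in use when the machine was imaged, the -wal file deserves the same keyword search as the main file. Closing the database cleanly (as happens when the browser exits normally) checkpoints and removes the WAL, which is one reason a database examined after a clean shutdown can look different from one taken from a live or crashed system.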

Mozilla Firefox (Private)

Results from the experiment on Mozilla Firefox private mode show that it writes significantly less data to the file system when compared to its normal mode. The file paths involved in the highest number of write operations differ greatly from its normal mode, with 917 write operations made to the revocations.txt file present in the browser’s default directory. Analysis of this file shows that it contains non-readable characters. Data from Process Monitor show that Mozilla Firefox, while in private mode, writes session related data to SQLite databases different from the normal databases. These database files were identified with random file names while having the SQLite file extension. It was also found that data was written to the “C:\$ConvertToNonResident” directory a total number of 31 times, which is more than the amount of times data was written to this directory in normal browsing mode.

Microsoft Edge

Results from the monitoring of Microsoft Edge browser in normal mode show that 66,857 write operations to the file system were initiated during the browsing session. A significantly large portion of the files written to had the file extension “.dat” and were located in the directory:

C:\...\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active

During the browsing session, a large number of cache files relating to the contents of the pages visited were written, along with data written to Microsoft Edge’s main database file, ‘Spartan.edb’, located in the directory:

C:\Users\Experiment\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore

The directory C:\$ConvertToNonResident, which was identified as one of the locations where data was written to in the experiment with Mozilla Firefox, both in normal and private modes, was not identified as a location where Microsoft Edge wrote data. The reason for this behaviour, which varies from what was observed with the other browsers, is not yet known, although it might be due to the fact that the Microsoft Edge browser is shipped by default with the Windows 10 operating system.

Microsoft Edge (InPrivate)

Microsoft Edge’s InPrivate mode carries out significantly fewer operations when compared to its normal browsing mode. The highest number of writes occurred to temporary files that had the “.TMP” and “.dat” extensions. For each browser tab that was created in the data population process (12 in total), there existed two files that presumably hold information related to the contents of the pages visited, one file with the “.dat” extension and one file with the “.TMP” extension. 127,380 events occurred in Microsoft Edge’s private browsing compared to the non-private mode with 332,933, which is a 61.7% decrease in the events that occurred. Of the total events that occurred, 6,286 events were write related in InPrivate mode compared to the normal mode with 66,857 write related events.

It is also important to note that there was no evidence of data being written to the C:\$ConvertToNonResident directory, which is a similar behaviour to that of its non-private browsing mode.

Internet Explorer

Analysis of the process activity of Internet Explorer shows the total events that occurred to be 233,647 with 20,403 write operations. Just like the other browsers examined, it had written data to files with “.dat” file extensions and stored a lot of content related data in its cache folder. Files were created for images, videos and web pages accessed and could be identified from the file extensions in the cache folder. The write operations were spread out across a large number of files with .jpg, .css and .htm file extensions. With the amount of files created and cached, it is assumed that Internet Explorer caches whole web pages, which might be to reduce the time to load pages during the next visit to the same web page. With a similar behaviour observed in Microsoft Edge, there is no indication of any writes to the C:\$ConvertToNonResident directory.

Internet Explorer (InPrivate)

Internet Explorer in its private mode had a total of 221,959 events with 15,567 write related operations. The files created by this browser during this experiment had file names that easily gave away the contents of the web pages a user had accessed even without manually viewing the files. These files were cached in their native extensions, videos with the .mp4 file extension and photos with the .jpg extension. A large number of the files created were multimedia files. Just as with Internet Explorer in its non-private mode, a large number of temporary files were created in the directory:

“C:\Users\EXPERIMENT\AppData\Local\Microsoft\Windows\INetCache\Low\IE\”

Different files related to the same content were stored in the same cache directory and some of the filenames give away the nature of activities. Also observed was the absence of any data written to “C:\$ConvertToNonResident”.

Summary of Events

Table 4.1 below provides a summary of the number of events occurring in the private and non-private modes of the browsers tested in the process activity-monitoring phase of the experiment:

Browser             Total normal      Total private     Write related     Write related      Percentage       Percentage
                    browsing events   browsing events   events (normal)   events (private)   decrease in      decrease in
                                                                                             total events     write operations
Google Chrome       426,700           241,250           122,333           1,023              43.5%            99.1%
Mozilla Firefox     306,608           125,932           29,120            5,589              58.9%            80.8%
Microsoft Edge      332,933           127,380           66,857            6,286              61.7%            90.6%
Internet Explorer   233,647           221,959           20,403            15,567             5%               23%

Table 4.1 Summary of browser process activities in private and normal modes

The data presented in Table 4.1 above is visualised using two graphs, as shown in figure 4.1 and 4.2.

Figure 4.1 Visual representation of occurring events in Normal browser

Figure 4.2 Visual representation of occurring events in private browser

Discussion

This research sought to answer the questions: is private browsing really private? Is it possible to recover data after a private browsing session? And how much data does a browser store about a user?

There are individuals who are heavily concerned about their privacy and would not want traces of their activities on the internet to be stored on their computer. The main concern of these individuals is someone else potentially discovering information about what activities were carried out using the internet and who they may have communicated with (Gao G., 2015). For these individuals, this research is relevant in identifying which web browsers would prevent their activities from being discovered. On the opposite end of the spectrum is the significance of this work to law enforcement and those who are tasked with the responsibility of performing a forensic examination of a computer. Most often, computer forensic examiners are in search of any data that may be hidden by an individual. For forensic examiners, it is necessary to understand the recovery of data after the use of private browsing by having knowledge of where to look for such data, as well as understanding what could be found, as this will reduce the time required to search for such data.

This study employed the methodologies used by Montasari and Peltola (2015) and Horsman (2017). Both involved an analysis of private browsers, but Montasari and Peltola focused on analysing web browsers for the possibility of recovering any data. Their study was based on the Windows 7 operating system. This work also employed a similar methodology to Horsman (2017), in which an analysis of the Google Chrome web browser was carried out to discover how well the web browser is able to maintain privacy.

This research focused on the Windows 10 operating system and analysed four web browsers, Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer, to determine whether data could be recovered after a private browsing session, while also studying the behaviour of these web browsers at the process level to understand how browsers in private mode differ from the same browsers in normal mode. While this research is similar to Montasari and Peltola (2015) and Horsman (2017), it went a step further by applying the methodology of Horsman to provide a possible explanation as to why Google Chrome and Mozilla Firefox are better than Microsoft Edge and Internet Explorer at rendering data from a private browsing session unrecoverable.

Autopsy was used to conduct a forensic analysis of the disk images on which the various browsers were installed. EnCase and Forensic Toolkit, tools with the same capabilities as Autopsy, were not chosen because software licences could not be obtained. This brought about the limitation of not knowing whether these tools would have performed better than Autopsy.

From the experiment performed, Mozilla Firefox and Google Chrome did not leave behind any trace of data related to the activities performed. Microsoft Edge and Internet Explorer left behind traces of data pointing directly to the activities performed. The data retrieved was located in both allocated and unallocated space and included search items, viewed photos and typed URLs. Also recovered were elements of the viewed pages, including HTML code, style sheets and other photos that were not directly accessed but were present on the web page. The data recovered came from files present in the $CarvedFiles directory available in Autopsy's user interface. Autopsy extracts and indexes files whose metadata has been deleted but whose contents remain intact; these files are named by Autopsy and stored in $CarvedFiles. Microsoft Edge and Internet Explorer did delete these files containing information about activities carried out in private mode, but these browsers could not render the files unrecoverable as Google Chrome and Mozilla Firefox did.

A separate experiment was performed using Process Monitor to observe the four browsers, to understand how they behave differently in private and normal mode and also to look for a possible explanation as to why Google Chrome and Mozilla Firefox are able to render the files deleted after private browsing unrecoverable while Internet Explorer and Microsoft Edge are not. The experiment involved monitoring the process activity of the web browsers in normal and private mode to understand how these browsers implement private browsing.

The results obtained by Horsman (2017) show that Google Chrome, while in private mode, wrote significantly less data to the file system. Based on that experiment on Google Chrome, it was assumed that the other browsers would follow suit in writing less data to the file system while in private mode. This assumption was confirmed by the experiment performed in this study: Mozilla Firefox, Microsoft Edge and Internet Explorer all wrote significantly less data to the file system, with Google Chrome experiencing a 99.1% drop in write activity, Microsoft Edge a 90.6% drop, and Mozilla Firefox and Internet Explorer drops of 80.8% and 23% respectively. These figures, however, do not explain why data from Google Chrome and Mozilla Firefox is unrecoverable. They further contradict the idea that browsers that write the least data to the file system are better at preserving privacy, as Microsoft Edge wrote less data to the file system than Mozilla Firefox. A further analysis involved monitoring all files created and directories accessed by all four browsers, paying special attention to write operations to the file system.

Monitoring the file system activity of the browsers revealed a peculiar activity unique to Google Chrome and Mozilla Firefox. Observing all four browsers showed the creation of various files; special attention was paid to the ones created with the .tmp file extension, just as Horsman (2017) had observed, but an additional observation was made. For each file with the '.tmp' extension, a corresponding write operation was performed by Google Chrome and Mozilla Firefox to 'C:\$ConvertToNonResident', but not by Microsoft Edge and Internet Explorer. This behaviour, peculiar to Google Chrome and Mozilla Firefox, raised the questions: what data is being written to this location? What is the content of this location? Is this responsible for the inability to recover data from Chrome and Firefox? These questions will form the basis for further research involving these web browsers.

The concept of privacy is often interpreted differently depending on the context in which it is used. When the privacy of a private browser is discussed by most researchers, it refers to how well a browser is able to remove all traces of user activity after a private browsing session. Most of the time, the level of privacy is judged by the activities that take place locally on the user's computer rather than by how well a browser ensures that data sent over the internet is secure.

The expectations researchers have about private browsing often exceed what is promised by the vendors. Most vendors' statements about private mode are that browsing history, cookies and site data will not be saved and, from what is observed, this statement is honoured, but it is only effective against a user with average knowledge of a computer. In the experiment performed, it can be seen that a deep knowledge of computers and forensic data recovery methods is required for the recovery of private browsing data to be possible. Another statement made by the vendors is that any data created during private browsing is deleted. The keyword in this statement is "deleted". With regard to a file system, when data is deleted, the pointer to the location of the file is removed but its content remains intact until it is overwritten by another file. The word "deleted" is very different from "overwritten", which is when the contents of a deleted file are replaced with zeros or by the contents of another file. Many researchers judge the privacy of a browser harshly when deleted files that have not been overwritten are successfully recovered, but this is outside the scope of the vendor's statement. Also outside the scope of the vendor's statement is the deletion of data remaining in physical memory. From this argument, it can be seen that private browsing is private when considered from the angle of the browser vendors, as they keep to their statement of deleting files and data after a private browsing session.
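The distinction between "deleted" and "overwritten" is what separates the Edge and Internet Explorer results from the Chrome and Firefox results above. The toy volume below is an added example, not the article's or Autopsy's code: a block device with a name-to-extent table, where deleting a file removes only the table entry, and a signature carver (the approach behind Autopsy's $CarvedFiles listing) scans unallocated space for JPEG markers. The sample image, the block size and the file names are constructed.

```python
"""Toy model of why "deleted" is not "overwritten" on a file system.

Added example, not from the article. A tiny volume keeps a name -> extent
table; deleting a file removes only that entry, so a signature carver (the
approach behind Autopsy's $CarvedFiles) still finds the content. Zero-filling
the extent, or a later file landing on the freed blocks, is what removes it.
"""
BLOCK = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start / end markers


class ToyVolume:
    def __init__(self, blocks):
        self.blocks = blocks
        self.data = bytearray(blocks * BLOCK)   # raw contents of the device
        self.table = {}                         # name -> (first block, byte length)

    def _used_blocks(self):
        used = set()
        for start, length in self.table.values():
            used.update(range(start, start + -(-length // BLOCK)))
        return used

    def _first_fit(self, nblocks):
        used = self._used_blocks()
        for start in range(self.blocks - nblocks + 1):
            if not used & set(range(start, start + nblocks)):
                return start
        raise OSError("no contiguous free extent")

    def write(self, name, content):
        start = self._first_fit(-(-len(content) // BLOCK))
        off = start * BLOCK
        self.data[off:off + len(content)] = content
        self.table[name] = (start, len(content))

    def delete(self, name, wipe=False):
        """Unlink the file; with wipe=True also overwrite its bytes with zeros."""
        start, length = self.table.pop(name)
        if wipe:
            off = start * BLOCK
            self.data[off:off + length] = bytes(length)

    def carve_jpegs(self):
        """Scan unallocated space for JPEG markers, the way a file carver does."""
        allocated = self._used_blocks()
        found, pos = [], 0
        while (pos := self.data.find(JPEG_SOI, pos)) >= 0:
            if pos // BLOCK not in allocated:
                end = self.data.find(JPEG_EOI, pos)
                if end >= 0:
                    found.append(bytes(self.data[pos:end + 2]))
            pos += 1
        return found


def recovery_after_delete(mode):
    """JPEGs a carver recovers after a cached image is deleted; mode is
    "unlink" (table entry only, as the browsers do), "wipe" (zero-fill first)
    or "reuse" (unlink, then a new file lands on the freed blocks)."""
    vol = ToyVolume(blocks=16)
    # Constructed sample: a cached page image, like those found under INetCache.
    cached = JPEG_SOI + b"\x00" * 600 + b"cached-page-image" + JPEG_EOI
    vol.write("INetCache/image.jpg", cached)
    vol.delete("INetCache/image.jpg", wipe=(mode == "wipe"))
    if mode == "reuse":
        vol.write("new-download.tmp", b"\x00" * len(cached))
    return vol.carve_jpegs()
```

The "reuse" mode is the situation noted later for small storage devices, where freed blocks are quickly claimed by new files and the chance of recovery drops without any deliberate wiping.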

The second question, the possibility of recovering data after a private browsing session, depends on the browser in question. The process-level behaviour of the selected web browsers was studied and compared. The study revealed every possible location where the browsers could store data. These locations were investigated using Autopsy to reveal any deleted files that could be recovered. The study shows that Google Chrome and Mozilla Firefox effectively deleted any data that could identify the activities carried out in private browsing. Microsoft Edge and Internet Explorer, by comparison, left traces of data in both allocated and unallocated space. The non-recovery of data from Google Chrome and Mozilla Firefox was attributed to the writes involving the "$ConvertToNonResident" directory, as this behaviour was not observed in Microsoft Edge.

The possibility of recovering data after a private browsing session also depends on the size of the primary storage device. During a test run of the experiment, it was discovered that a smaller storage device reduces the chances of recovering deleted data, because deleted files in unallocated space get overwritten as the space is required to store new files.

From this study, it can be seen that the amount of data a browser stores about user activity also depends on the browser being used. The results of the experiment show that Internet Explorer, in both its private and normal mode, stores a large amount of data related to the activities carried out. It was observed that data directly linked to the activities carried out, such as typed URLs and the pictures viewed, was stored in its cache folders alongside the contents of linked pages that were not viewed directly. Google Chrome is deemed to store the least amount of data about user activity, having the lowest number of write operations to files while in private mode.


Conclusion

This project sought to contribute towards the pursuit of a better implementation of privacy in technology, with a focus on web browsers.

The reviewed literature provided a brief summary of the broad background area of digital forensics in which this project lies. The concerns end users of services have about their privacy are highlighted in this project, and this concern for privacy largely contributes to vendors implementing private browsing. This implementation, however, only provides sufficient local protection against an attacker with a basic knowledge of the workings of a computer. Against an advanced attacker, the implementation of private browsing, especially in Microsoft Edge and Internet Explorer, proves to be ineffective.

The experiment performed in this project further magnifies the level of ineffectiveness by easily recovering traces of information left behind after using these browsers. The reason for this ineffectiveness is seen in the experiment that monitored the processes created by these browsers. A small difference occurred in the process activity of Google Chrome, Mozilla Firefox and Internet Explorer.

The literature reviewed highlights the work done by other researchers while also describing their research methodology. Comparing the results obtained in this study to work done previously by researchers, it can be seen that browser vendors have improved the privacy of the private browser, but this can only be said with regard to Google Chrome and Mozilla Firefox.

References

• Akbal, E., Gunes, F., & Akbal, A. (2016). Digital Forensic Analyses of Web Browser Records. Journal of Software, 631-637.

• Alabdulsalam, S., Schaefer, K., Kechadi, T., & Le-Khac, N.-A. (2018). Internet of Things Forensics: Challenges and Case Study. 14th Annual IFIP WG 11.9 International Conference on Digital Forensics. New Delhi.

• Bhosale, S. T., Patil, T., & Patil, P. (2015). SQLite: Light Database System. International Journal of Computer Science and Mobile Computing, 882-885.

• Brezinski, D., & Killalea, T. (2007). RFC 3227 - Guidelines for Evidence Collection and Archiving. Retrieved from https://tools.ietf.org/html/rfc3227

• Caviglione, L., Wendzel, S., & Mazurczyk, W. (2017). The Future of Digital Forensics: Challenges and the Road Ahead. IEEE Security & Privacy, 12-17.

• Feng, X., & Zhao, Y. (2017). Digital Forensics Challenges to Big Data in the Cloud. 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). Exeter: IEEE.

• Gao, G. (2015, May 29). What Americans think about NSA surveillance, national security and privacy. Retrieved from Pew Research: http://www.pewresearch.org/fact-tank/2015/05/29/what-americans-think-about-nsa-surveillance-national-security-and-privacy/

• Gao, X., Yang, Y., Fu, H., Lindqvist, J., & Wang, Y. (2014). Private Browsing: An Inquiry on Usability and Privacy Protection. Proceedings of the 13th Workshop on Privacy in the Electronic Society (pp. 97-106). Scottsdale: ACM.

• Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Proceedings of the Tenth Annual DFRWS Conference (pp. 64-73).

• Gartner. (2018, March 21). Gartner Says Worldwide IoT Security Spending Will Reach $1.5 Billion in 2018. Retrieved from Gartner: https://www.gartner.com/newsroom/id/3869181

• Grande, L. C., & Guadron, R. S. (2016). Computer Forensics. 2016 IEEE 36th Central American and Panama Convention. IEEE.

• Horsman, G. (2017). A process-level analysis of private browsing behavior: A focus on Google Chrome's Incognito mode. 2017 5th International Symposium on Digital Forensic and Security (ISDFS) (pp. 1-6). Tirgu Mures: IEEE.

• Information Commissioner's Office. (2018, June 26). Retrieved from ICO: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

• Kishore, N., Saxena, S., & Raina, P. (2017). Big data as a challenge and opportunity in digital forensic investigation. Telecommunication and Networks. India.

• Lacroix, K., Loo, Y. L., & Choi, Y. B. (2017). Cookies and Sessions: A Study of What They Are, How They Work and How They Can Be Stolen. International Conference on Software Security and Assurance (ICSSA) (pp. 20-24). Altoona: IEEE.

• MacDermott, A., Baker, T., & Shi, Q. (2018). IoT Forensics: Challenges for the IoA Era. New Technologies, Mobility and Security. Paris: IEEE.

• Marrington, A., Baggili, I., Ismail, T. A., & Kaf, A. A. (2012). Portable web browser forensics: A forensic examination of the privacy benefits of portable web browsers. 2012 International Conference on Computer Systems and Industrial Informatics. Sharjah: IEEE.

• Messier, R., & Mackay, K. (2015). Operating System Forensics. Waltham, MA: Syngress.

• Montasari, R., & Peltola, P. (2015). Computer Forensic Analysis of Private Browsing Modes. International Conference on Global Security, Safety, and Sustainability (pp. 96-109). Springer.

• Muir, B. (2015, September 9). Windows 10 - Microsoft Edge Browser Forensics. Retrieved June 28, 2018, from Kinja: https://bsmuir.kinja.com/windows-10-microsoft-edge-browser-forensics-1733533818

• Murdock, J. (2018, April 4). Facebook Is Tracking You Online, Even If You Don't Have an Account. Retrieved July 7, 2018, from Newsweek: https://www.newsweek.com/facebook-tracking-you-even-if-you-dont-have-account-888699

• Nemetz, S., Schmitt, S., & Freiling, F. (2018). A standardized corpus for SQLite database forensics. Proceedings of the Fifth Annual DFRWS Europe (pp. 121-130). Elsevier.

• Noorulla, E. S. (2014). Web Browser Private Mode Forensics Analysis.

• Ohana, D. J., & Shashidhar, N. (2013). Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions. 2013 IEEE Security and Privacy Workshops (pp. 135-142). San Francisco: IEEE.

• Pollitt, M. (2010). A History of Digital Forensics. IFIP International Conference on Digital Forensics (pp. 3-15). Springer, Berlin, Heidelberg.

• Rathod, D. (2017). Web Browser Forensics: Google Chrome. International Journal of Advanced Research in Computer Science.

• Rich, W. (2018, June 5). Retrieved from Global Banking and Finance: https://www.globalbankingandfinance.com/iot-device-management-revenue-grows-58-in-2018/

• Satvat, K., Forshaw, M., Hao, F., & Toreini, E. (2014). On the privacy of private browsing - A forensic approach. Journal of Information Security and Applications, 88-100.

• Shoeb, A. A. (2018). Is Private Browsing in Modern Web Browsers Really Private.

• StatCounter. (2018, June 27). Desktop Browser Market Share Worldwide - May 2018. Retrieved from StatCounter: http://gs.statcounter.com/browser-market-share/desktop/worldwide

• Tilbury, C. (2015, June 3). ESE Databases are Dirty! Retrieved June 15, 2018, from SANS: https://digital-forensics.sans.org/blog/2015/06/03/ese-databases-are-dirty

• Travis, A. (2018, January 30). UK mass digital surveillance regime ruled unlawful. Retrieved from The Guardian: https://www.theguardian.com/uk-news/2018/jan/30/uk-mass-digital-surveillance-regime-ruled-unlawful-appeal-ruling-snoopers-charter

• Vincze, E. A. (2016). Challenges in digital forensics. Police Practice and Research, 17(2), 1-12.

• Wei, W. (2018, April 15). Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer. Retrieved from The Hacker News: https://thehackernews.com/2018/04/iot-hacking-thermometer.html

• Xu, M., Jang, Y., Xing, X., Kim, T., & Lee, W. (2015). UCognito: Private Browsing without Tears. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 438-449). Colorado: ACM.

Appendix 1

List of activities used to simulate user behaviour:

• Booted the virtual machine

• Launched the browser in private mode

• Searched for the items listed below using the Google search engine:

  • mbappe

  • lewandowski

  • Cristiano

  • Neymar

  • Mandzukic

  • Ribery

• Visited the following URLs in separate tabs:

  • Http://www.nairaland.com

  • http://www.nigerianmonitor.com

  • http://www.jumia.com.ng

  • http://www.konga.com

• Searched for the items listed below on Amazon.co.uk:

  • Pikachu

  • Pokémon

  • Tamagotchi

  • Raspberry PI

  • Indomie

  • Shuriken

• Watched a video on YouTube

• Viewed a PDF document available at https://www.americanexpress.com/myca/pdf/pdftest.pdf

• Viewed 5 images at https://cheezburger.com/9197300480

• Viewed 5 images at https://pixabay.com/en/photos/bike/

• Logged into Gmail and Yahoo email accounts:

  • thesisexperiment1122@gmail.com

  • edissertation@yahoo.com

• Sent the randomly generated string "qww2qo3fi1fbyrt5mplv" from the Gmail account to the Yahoo mail account

• Sent the randomly generated string "usps6cznp19c0p8hzk3q" from the Yahoo mail account to the Gmail account

• Read the received emails in both accounts

1. https://www.napier.ac.uk

About the author

Tamunoibiton is a graduate of computer science and has recently completed a master's degree in cyber security from Edinburgh Napier University. Although he comes from an IT background, he is looking to start a career in cyber security. Apart from being interested in technology and how it can make our lives easier, he is also interested in music and basketball.
