CE00267-7 Forensic
Investigation Project
TPR Investigation Report
By Paul Kevin Green, Ravindu Meegasmulla and Muhammad Taiyib Parvez
MSc Digital Forensics and Cybercrime Analysis
Staffordshire University
Award Leader: Hatem Tammam
Module Leader: Stilianos Vidalis
April 2013
Word Count – 5,265
1 | P a g e
Key Acronyms
Term   Use
HDD    Explains media known as a Hard Disc Drive
CD     Explains media known as a Compact Disc
DVD    Explains media known as a Digital Versatile Disc
NTFS   The file system used on the modern Windows operating systems – stands for New Technology File System
OS     A generic term used to explain the Operating Systems installed on a machine
RAM    Random Access Memory – the main area for devices to temporarily store current processes
ROM    Read Only Memory – permanent area of storage and used for holding configuration details
SID    Security Identifier – used on Windows to identify a user
MBR    Master Boot Record – Used for indicating the primary partitions
VBR    Volume Boot Record – Used for booting an OS from a volume
Form Abbreviations
Term   Use
CEC1   Case Evidence Collection
CRR1   Case Report Request
CSR1   Case Scene Report
EAL1   Evidence Analysis Log
ETAG   Evidence Tags
HDA1   Hard Drive Analysis
UIP1   User ID Profile
Case Summary
TPR Group was called to investigate a case involving a computer laboratory at Staffordshire
University where a single hard disk was located unplugged in a machine. The Forensic Manager was
contacted by a member of Staffordshire University to attend the K113 laboratory, located in the
building called the Octagon, to analyse and acquire the evidential media located at the scene.
When briefed by the university's representative, the description of the case was as below:
The employee attended the laboratory to set up the room for a class they were conducting that day
and found a single computer that would not boot into the operating system. Upon further
investigation the employee opened the computer case to find the hard disk disconnected from the
motherboard. After deeper analysis they found the disk drive not to be the one previously
connected to the laboratory's machine. At this point the employee contacted TPR Group to
conduct an investigation into the owner of the disk drive.
The scope of the crime scene was the single desk holding the computer system, which can be seen in
the Case Report documentation. The investigative team attended the scene and acquired all
evidential media that was deemed to be of use and took it back to the forensic laboratory for further
investigation by the Forensic Examiner.
Contents
Key Acronyms.......................................................................................................................................2
Form Abbreviations...............................................................................................................................2
Case Summary.......................................................................................................................................3
Contents.................................................................................................................................................4
1 Phase One - Case Management.....................................................................................................6
1.1 Introduction............................................................................................................................6
1.2 Case Documentation..............................................................................................................6
1.3 Procedures..............................................................................................................................6
2 Phase Two - Evidence Analysis..................................................................................................11
2.1 Introduction..........................................................................................................................11
2.2 Analysis Process..................................................................................................................11
2.3 Validation and Verification.................................................................................................12
2.4 Partitions..............................................................................................................................12
2.5 Operating Systems...............................................................................................................13
2.6 User Accounts......................................................................................................................13
3 Phase Two - Findings..................................................................................................................17
3.1 Introduction..........................................................................................................................17
3.2 Partitions..............................................................................................................................17
3.3 Operating Systems...............................................................................................................17
3.4 Structure of the Drive..........................................................................................................17
3.5 User Accounts......................................................................................................................17
3.6 Timeline of Drive................................................................................................................19
4 Phase Three – Conclusion and Completion of Case....................................................................20
5 Bibliography................................................................................................................................21
5.1 Mobile Forensics.................................................................................................................21
5.2 MBR Information................................................................................................................21
5.3 User ID’s and SID’s.............................................................................................................21
5.4 Guidelines............................................................................................................................21
6 References....................................................................................................................................22
Appendix A Case Management...........................................................................................................24
Appendix A.1 Authorisation Documentation..................................................................................24
Appendix A.2 Case Evidence Collection Form...............................................................................28
Appendix A.3 Crime Scene Management Diagrams.......................................................................31
Appendix A.4 Forensic Examiners Toolkit.....................................................................................36
Appendix A.5 Questions for Cases..................................................................................................38
Appendix B ACPO Guidelines – 2012 Edition...................................................................................41
Appendix C Analysis Procedures........................................................................................................42
Appendix C.1 Hard Drive Analysis Form.......................................................................................42
Appendix C.2 Evidence Analysis Log Form...................................................................................43
Appendix C.3 User ID Profile Form................................................................................................44
Appendix D Analysis Process Diagrams.............................................................................................45
Appendix D.1 Initial Analysis (MBR and VBR).............................................................................45
Appendix E Findings...........................................................................................................................48
Appendix E.1 Initial Acquisition.....................................................................................................48
Appendix E.2 Drive Structure.........................................................................................................52
Appendix E.3 Folder Structure........................................................................................................55
Appendix E.4 Volume Creation......................................................................................................56
Appendix E.5 Timeline of File........................................................................................................57
Appendix E.6 User Accounts..........................................................................................................60
Appendix E.7 Email.........................................................................................................................63
Appendix E.8 Internet History.........................................................................................................64
Figure 2.1 - Recycling Bin Naming Convention.................................................................................15
Table 2-1 - OS User Characteristics....................................................................................................14
Table 3-1 - Priority User Accounts......................................................................................................18
1 Phase One - Case Management
1.1 Introduction
The case in question is being managed by TPR Group, whose three members have all agreed the
contract for team positions. The contract can be found attached to the report within the folder, signed
at the start and end of the case. The case has three phases: Phase One – Case Request, Phase Two –
Case Analysis and Phase Three – Case Completion.
1.2 Case Documentation
1.2.1 Case Request and Authorisation
Prior to a case being created for a client, there must first be a consultation with the prospective
client to allow them to request the group's services. This consultation can be done using any
means, such as email or telephone.
Upon the client contacting TPR Group to handle a case, the Forensic Manager will create a
CRR1 form, initially starting the case. This then allows the Forensic Manager to formulate a
team to manage the investigation. The report will then be taken, by the Case Manager, to every
meeting to update TPR Group's records. Upon updating the report, the collected information
can be compiled and added to the case for the examiner to undertake a full investigation. The
report template can be located in Appendix A.1 and must be signed off by the client to confirm the
investigation is being undertaken to their expectations.
To ensure that TPR Group has sufficient authorisation to access, assess, manage and acquire the
scene, including all evidence located at the scene, the TPR Group Authorisation must be signed.
This document must be signed in ink and no photocopies are to be accepted. The template form
can be located within Appendix A.1. The authorisation documentation must state explicitly that
the group are entitled to access the machines and all hardware within them to be able to
successfully analyse the media. This must also state, with reference if needed, the scope of the
scene in question.
1.3 Procedures
The following procedures have been agreed by the TPR Group with accompanying diagrams located
in Appendix A.3. These procedures are to aid the Case Manager so that they are able to successfully
manage the search and seizure team to acquire the evidence and pass this media onto the examiner to
analyse for evidential data.
1.3.1 Preparation
There are general guidelines that are to be followed through any seizure of evidence which are:
A consultation with the Case Officer is required to determine the equipment required to
take to each individual crime scene, the list can be seen in Appendix A.4.
Ensure the team will have sufficient search and seizure authorisation to access and
acquire evidence, if not this must be obtained; including the scope to go beyond the
scene if needed.
If the evidence is unable to be removed from the scene, it must be copied whilst at the
scene where safe to do so.
Upon entering the vicinity of the scene, all witnesses, suspects and other individuals not
directly related to the crime must be moved to a safe and secure location, ensuring they
do not hold possession of evidence.
Solicit information from members of staff (administrators, witnesses etc.) where
possible.
All scenes must be searched thoroughly and systematically for evidence.
All first responders (Search and Seizure) should understand the ability to locate hidden
evidence, including digital and non-digital evidence.
At all times each examiner must abide by the following procedures, which are TPR Group's
interpretation of the ACPO Guidelines located in Appendix B:
Do not go beyond the scope of the authorisation.
Keep the chain of custody up-to-date when working with evidential media.
Keep a record of all evidence obtained, including descriptions, any communications
related to the evidence and condition upon receipt.
The examination documentation should always be case specific to ensure that any other
case examiner could continue with the work at any point.
All Examination Reports completed should:
o Meet TPR Group's standards using the formalised templates.
o Address the needs of the company/person who requested them.
o Provide all relevant information in a concise and clear manner.
1.3.2 Assessing the Crime Scene & Managing
Upon entering the scene the following procedures are required to be followed. If at any time, a
member of the team is unsure, the Case Officer must be immediately contacted.
The initial phase of any scene is to ensure that the scene is safe to enter, if the scene is deemed
unsafe by the Case Officer, the investigation will immediately stop, until it is made safe.
1. Ensure the scene and surrounding areas are safe to enter;
2. Contact the main scene contact and conduct brief.
3. Secure and protect the scene, ensuring no unauthorised personnel are located at the
scene.
Upon successfully taking control of the scene, it now needs to be managed to ensure that the
collection, preservation and acquisition of evidence takes place to procedure. For a
diagrammatic breakdown of the steps when attending a scene, see Appendix A.3.1.
1.3.3 Collection and Preservation
Upon entering the crime scene, the following procedures are to be followed to acquire evidence.
This phase has been split into two sections; Acquisition of the Scene and Device Acquisition.
The kit mentioned in Appendix A.4 must also be used at every scene.
1.3.3.1 Acquisition of the Scene
The Case Officer, or Case Supervisor, will do the initial scene walk over to assess vital
equipment with the client. This process will ensure that media that cannot be shutdown is
highlighted prior to any acquisitions. This will also assess the evidence volatility to ensure that
the most volatile evidence is to be secured and protected as a priority. The steps for the
acquisition of the scene can be seen in diagrammatic form in Appendix A.3.2.
Upon the Case Officer completing the initial scene walkover, the following procedure is to be
followed by the team entering, using the accompanying diagrams.
1. Check the surrounding areas and scene is still safe to enter;
a. If the scene is unsafe, leave immediately and contact the Case Officer, to
ensure it is made safe prior to continuing.
2. Ensure all documents are to hand, including copies.
3. Search and Seizure team walkover scene to locate evidence;
a. Location of volatile media highlighted by Case Officer,
b. Document every piece of evidence including location,
c. Photograph and sketch the scene prior to moving items, photos will be attached
to case documentation in electronic form.
1.3.3.2 Device Acquisition
Upon locating the volatile media, the evidence acquisition is initiated. The following is to be
followed at every scene and is an overview of the diagrams and procedure located in Appendix
A.3.3 and Appendix A.3.4.
1. Secure devices of evidentiary value.
2. Assess the system status and acquire;
3. Check scene for further evidence
4. Document scene
5. Hand back to Case Officer
6. Case Officer to have final check of scene
7. Hand back to client
1.3.4 Questioning of Witnesses
Upon attending the scene, all witnesses should have been removed from the immediate scene
ready for questioning. There are several questions which are to be answered in relation to each
type of scene, found in Appendix A.5.
Each witness should be moved to a separate secure room to ensure that any talking and
swapping of evidential information is not undertaken. Ensuring that each witness is removed
from the immediate scene will ensure that they do not contaminate any of the evidence located
within the scene and the acquisition/examination teams are able to undertake their jobs
efficiently. The questions provided are a general overview and must be modified for each
individual scene.
1.3.5 Photography
When acquiring photographs of the scene, these will be stored in a manner relevant to the
evidential artefacts and provided to the case contact in digital form, not printed for economic
reasons. However, if requested they can be printed at no additional cost. For every photograph
taken, a digital copy will be saved in a photograph folder labelled with the evidence number.
1.3.6 Analysis and Examination
Upon all the evidence arriving at the forensic laboratory; the following procedures are to be
adhered to during analysis and examination phase:
Any and all examiners should review the legal documentation to ensure they are
authorised to perform analysis on the media, if not they must contact the Case Officer
for authorisation.
Prior to starting any examination, the following should be considered:
o Are there any other forensic examinations scheduled to take place on this media
where it will be required?
o The priority this case has for information from the requestor.
o Are there any other evidentiary items which may offer a better choice for
evidence?
o A strategy must be agreed between the examiners undertaking the case and the
requestor, with all information documented and added to the case file.
If possible, examination should not be taken upon the original media and must be
conducted using forensically sound copies.
A Chain of Custody must be kept at all times with the evidence.
An Access Log must be kept for each individual piece of evidence to ensure an audit
trail can be followed.
Any examination undertaken should be taken in a systematic and logical manner.
o All examinations should be undertaken in a secure room with supervision if
required and note taking to ensure the same outcome can be accomplished by
another person.
The findings are to be confirmed using a separate forensic tool; if no difference is found no
additional documentation is required. If there are differences, they will need to be
pointed out and documented. This is to ensure evidence integrity and validation through
cross verification.
A template copy of the Evidence Log form can be found in Appendix A.2 which also
incorporates the Chain of Custody documentation for each piece of evidence.
2 Phase Two - Evidence Analysis
2.1 Introduction
This section of the report will detail the processes to be undertaken during the analysis phase of the
investigation. This section has been divided into several sections to enable the procedures to be
clearly identified.
2.2 Analysis Process
As an investigation is required to be undertaken on all evidential artefacts acquired at the scene,
procedures and guidelines are required to be created so that all examinations are undertaken in a
similar method.
As mentioned previously, TPR Group will be following the guidelines set down by the Association
of Chief Police Officers that have been interpreted and expanded. Additionally, several documents
have been created to aid the examiner during the analysis of the media. These forms are:
Hard Drive Analysis (HDA1) – See Appendix C.1
Evidence Analysis Log (EAL1) – See Appendix C.2
User Identification Profile (UIP1) – See Appendix C.3
The HDA1 form details the key points that need to be done during the analysis of a disk drive that
contains, or is suspected to contain, the Windows operating system. On this form is a checklist that
details the steps taken by the examiner. This ensures that the important steps are not overlooked.
The EAL1 form is used to plan each time the evidence is analysed. This document would be agreed
with the Case Officer in advance so that when the examiner undertakes any analysis, they are aware
of what is needed to be completed prior to the evidence being resubmitted back to the store room.
The UIP1 form is used in conjunction with the two forms above to document any user profiles that
are present on the system. The form will be used to log the SID details that will be found during the
analysis of a suspect machine. The details found and inserted onto this form will form part of the
main section of the report when identifying user actions on the system.
When the evidence is being analysed, the chain of access must be kept up-to-date. This can be found
under the CEC1 form, found under Appendix A.2. On this form, the times, dates and persons
analysing the drive can be logged to ensure the integrity of the evidence throughout. It can then be
referred back to in a court of law to validate the times the drive was out of the evidence storage
room.
2.3 Validation and Verification
Upon acquiring the drive in question, the evidence needs to be hashed to enable the integrity to be
validated throughout the analysis process. This can be completed using a forensic application during
the acquisition phase. A hash will be created of the evidence drive and this will be stored with the
files on the target drive. This hash can then be used as a validation technique when analysing the
evidence at any stage.
During the analysis of an artefact, to aid the examiner, file signature analysis can be completed. This
is the process of checking the validity of a file against the file signature stored within the first few
bytes of the file. The process will check whether the signature has been edited from the original, if it
has this could have been a method used to hide data.
By undertaking a file signature analysis, it is possible to eliminate known good files, for example,
those that have not been altered since installation. This can be done by using add-ons within the
forensic application to remove the files from view to save the examiner analysing files that have no
evidential value.
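The two checks described in this section, evidence hashing and file signature analysis, as an added example in Python; this is not the report's own tooling, and the signature table and sample file headers are constructed for illustration.

```python
import hashlib
import hmac

# Leading byte signatures ("magic numbers") for some common file types.
# These are standard published values, not figures from the report.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions that legitimately share a signature with an entry above.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "dll": "exe"}


def hash_evidence(data, algorithm="sha256"):
    """Hash an evidence image (or any file) for later integrity checks."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def verify_evidence(data, recorded_hash, algorithm="sha256"):
    """Re-hash the evidence and compare with the value stored at acquisition."""
    return hmac.compare_digest(hash_evidence(data, algorithm), recorded_hash.lower())


def identify_by_signature(header):
    """Return the type implied by the first bytes of the file, or None if unknown."""
    for ext, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None


def check_file_signature(filename, header):
    """Compare the extension with the content signature.

    Returns ("match", type), ("mismatch", type) when the extension disagrees
    with the content (as seen when a file is renamed to hide it), or
    ("unknown", None) when no signature is on record.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    detected = identify_by_signature(header)
    if detected is None:
        return "unknown", None
    return ("match" if detected == ext else "mismatch"), detected


def triage(files):
    """Run the signature check over (name, header_bytes) pairs."""
    report = []
    for name, header in files:
        status, detected = check_file_signature(name, header)
        report.append({"file": name, "status": status, "detected": detected})
    return report


# Constructed sample files: only the first bytes matter for signature analysis.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x12\x08Exif"),   # JPEG content under a .txt name
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("thesis.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.bin", b"hello world"),
]

if __name__ == "__main__":
    image = b"constructed evidence image bytes"
    recorded = hash_evidence(image)          # value written to the CEC1 form at acquisition
    print("integrity ok:", verify_evidence(image, recorded))
    for row in triage(SAMPLE_FILES):
        print(row)
```

Files reported as "mismatch" are the ones worth a closer look; "match" entries whose hashes also appear in a known-good set can be removed from view as the section describes.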
2.4 Partitions
The following section details the procedures relating to the location of partitions on the evidence
drive. Detailed here are the steps that are taken during the initial analysis of the evidence. The
diagrammatic representation of the process can be found in Appendix D.
2.4.1 Locating the MBR
Part of the examination process is locating partitions on the storage device which can be
accomplished via a number of methods. The first method is to locate the MBR and within the
MBR will be a series of four partition tables. Typically the MBR would be located at the first
sector of the drive, as this is where the booting process will locate the instructions for booting
the device. However, if no MBR is present this would indicate that the drive is a non-bootable
drive.
2.4.2 No MBR
If the device is a non-bootable drive, then the partition analysis would need to be undertaken
using a different approach. This would be to locate the VBR, which on a non-bootable drive
should be stored in the first sector, the same place as where the MBR would be.
Upon locating the VBR, the backup VBR will then be located and is typically stored in the last
sector of the volume. The location of these elements can be undertaken using EnCase's Disk
View application. Using this it is possible to view the entirety of the disk in one-sector chunks
which can easily be scrolled through to locate the first and last sectors of the volume.
2.4.3 Additional Partitions
If additional partition tables are available, by analysing the MBR, then these will be analysed
individually from that of the main partition. This is so as to concentrate the work onto the main
storage area that the user may have used for installing applications and actions undertaken on
the computer system.
2.4.4 Unallocated Space
When the drive is being analysed, there may be segments of the drive that are unallocated,
which is known as unallocated space. Unallocated space on the drive is the area of the drive that
has not been used, or contains files that have been deleted but not yet overwritten. This can be
analysed to identify remnants of lost or deleted files.
Using forensics tools, it is possible to analyse the unallocated space and rebuild parts of files,
with the possibility to rebuild complete files. However, complete files can only be rebuilt if the
cluster the file was using has not been overwritten since deletion.
2.5 Operating Systems
Upon locating the MBR, this indicates that the storage device in question is the primary booting
device. If this was not the main booting device this may indicate that the device in question is an
additional storage device attached to the system and only a VBR would be located.
If the device is the main bootable device, the operating system can be identified by locating the
primary partition, within the partition table entries, marked as active with hexadecimal 80 at byte
offset 446. The primary partition will then need to be analysed to locate the type of partition to
identify the file system. After locating the file system type, this will then narrow down the type of
operating systems available to be used. As an example, if the NT file system was located, this may
indicate that the operating system would be a Windows based operating system.
Once the primary partition and file system are identified, the starting sector can be located where the
partitions storage space begins. This could then be analysed to indicate the type of operating system
in question on the storage device. The structure and partition types can be located in Appendix D.1.
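The sector 0 decision from sections 2.4.1, 2.4.2 and 2.5 as an added Python example (not from the report or EnCase): it checks the 0x55AA boot signature, recognises a bare NTFS VBR by the OEM identifier at offset 3, and otherwise decodes the four partition entries at offset 446 to find the one flagged 0x80. The partition type byte values and the sample sectors are assumptions constructed for the example.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR or VBR
PARTITION_TABLE_OFFSET = 446        # first of the four 16-byte MBR partition entries
ACTIVE_FLAG = 0x80                  # boot indicator of the active (bootable) partition
NTFS_OEM_ID = b"NTFS    "           # OEM identifier at bytes 3-10 of an NTFS VBR

# Partition type bytes an examiner commonly meets (assumed, not from the report)
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS (or exFAT)",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
}


def parse_partition_table(sector0):
    """Decode the four partition entries of an MBR into dicts."""
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", sector0, offset)
        entries.append({
            "index": index,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "start_lba": start_lba,
            "sectors": sectors,
        })
    return entries


def identify_sector0(sector0):
    """Classify sector 0 as an MBR, a bare NTFS VBR, or neither."""
    if len(sector0) != SECTOR_SIZE or sector0[510:512] != BOOT_SIGNATURE:
        return {"kind": "unknown", "reason": "no 0x55AA boot signature"}
    # A drive formatted as a single unpartitioned volume carries the NTFS VBR
    # in sector 0, where the MBR would otherwise sit (section 2.4.2).
    if sector0[3:11] == NTFS_OEM_ID:
        return {"kind": "ntfs_vbr", "reason": "NTFS OEM ID at offset 3"}
    entries = [e for e in parse_partition_table(sector0) if e["type"] != 0x00]
    if not entries:
        return {"kind": "unknown", "reason": "empty partition table"}
    active = [e for e in entries if e["active"]]
    return {"kind": "mbr", "partitions": entries, "active": active[0] if active else None}


def os_hint(entry):
    """Narrow down the OS family from the active partition's type byte (section 2.5)."""
    if entry is None:
        return "no active partition: drive is not the primary boot device"
    if entry["type"] == 0x07:
        return "NTFS partition: a Windows-based operating system is likely"
    if entry["type"] in (0x0B, 0x0C):
        return "FAT32 partition: older Windows or removable media"
    return "partition type 0x%02X: OS not determined from the MBR alone" % entry["type"]


def build_mbr(partitions):
    """Construct a sample MBR sector (constructed test data, not the case drive)."""
    sector = bytearray(SECTOR_SIZE)
    for index, (active, ptype, start_lba, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * index,
                         ACTIVE_FLAG if active else 0x00, ptype, start_lba, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_ntfs_vbr():
    """Construct a sample NTFS VBR: jump instruction, OEM ID, boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x52\x90"
    sector[3:11] = NTFS_OEM_ID
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    samples = [
        ("partitioned boot drive", build_mbr([(True, 0x07, 2048, 1000000)])),
        ("single-volume secondary drive", build_ntfs_vbr()),
        ("blank sector", bytes(SECTOR_SIZE)),
    ]
    for label, sector0 in samples:
        result = identify_sector0(sector0)
        print(label, "->", result["kind"], "|", os_hint(result.get("active")))
```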
2.6 User Accounts
On a primary storage device, there will need to be an OS in which there will be user accounts to
access the OS. The types of user accounts and locations will depend upon the type of OS in question.
On a typical Windows based system, the user accounts would be in a similar location to all
variations of the OS, and this is normally located with the main C:\ drive under a folder called
‘Documents and Settings’ or ‘Users’ for the newer variations.
However, if the drive in question is not the primary bootable drive, this would indicate that there
may not be any user profiles stored on this drive, unless the user has redirected their account profiles
to a secondary drive. In this instance, there may not be a standard location where the profile details
are stored.
2.6.1 Profile Characteristics
The characteristics of a profile will depend entirely upon the OS that has been used. The OS
type can be narrowed down by the type of file system in use.
A typical Windows based system would carry similar characteristics across all versions and as
previously mentioned the locations are typically standard. Additionally, by identifying the
location folder, the folders within can also be quickly identified, see Table 2-1.
Table 2-1 - OS User Characteristics
OS Version                            User Root Folder                         Typical sub folders
Windows 2000, Windows XP              C:\Documents and Settings\ACCOUNT NAME   My Documents, My Music, My Pictures, Desktop, Cookies, Favourites
Windows Vista, Windows 7, Windows 8   C:\Users\ACCOUNT NAME                    Documents, Desktop, Favourites, Music, Pictures
However, in the later versions of Windows, the typical folders (Music, Documents etc.), have
been relocated to a directory called ‘Libraries’ which contains all folders for all users. This has
been done to enable a better sharing platform within the Windows OS.
An additional file that is of interest to an examiner is the NTUSER.DAT file which contains all
the users’ personalisation settings for both software installations and OS modifications. Upon
the user logging onto a system, this file becomes merged with the registry key
HKEY_CURRENT_USER to keep a record of modifications.
2.6.2 Windows Recycling Bin (Recycler)
On every device a folder will be located to keep track of deleted items. This folder, dependent
upon the OS version, will be named either Recycling Bin or Recycler. This folder is stored in
the root directory of every partition and contains deleted data by the user until emptied.
The folder itself contains a folder for each user that logs onto the system, and this folder is
named using the users’ SID to uniquely identify the files deleted by a user. This SID will also
be used on additional storage devices that are not the primary drive. Using this information, an
examiner will be able to indicate which users have used and deleted files on the system.
Within each user folder, located in the recycling bin folder, the deleted files are stored using a
standard naming convention to aid restoring if needed. The naming convention is as
shown in Figure 2.1.
Figure 2.1 - Recycling Bin Naming Convention
(Microsoft Support, 2007)
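The SID-named sub-folders described in this section, as an added Python example that is not part of the report: it parses each folder name as an SID, separates the machine/domain identifier from the RID, and groups folders by SID across volumes so that a profile seen on both the primary and a secondary drive stands out. The SID strings in the sample listing are constructed, and the RID meanings are the standard Windows values.

```python
import re

# S-<revision>-<identifier authority>-<sub authority>[-<sub authority>...]
SID_PATTERN = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Relative identifiers with a fixed meaning on every Windows installation
# (standard values; the case drive's own SIDs are not reproduced here).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
}


def parse_sid(text):
    """Split an SID string into its parts; return None if it is not an SID."""
    match = SID_PATTERN.match(text)
    if not match:
        return None
    revision, authority, rest = match.groups()
    sub_authorities = [int(x) for x in rest.strip("-").split("-")]
    info = {"sid": text, "revision": int(revision), "authority": int(authority),
            "sub_authorities": sub_authorities, "machine": None, "rid": None}
    # Local and domain accounts: S-1-5-21-<three machine/domain words>-<RID>
    if info["authority"] == 5 and sub_authorities[:1] == [21] and len(sub_authorities) == 5:
        info["machine"] = "S-1-5-21-" + "-".join(str(x) for x in sub_authorities[1:4])
        info["rid"] = sub_authorities[4]
    return info


def describe_rid(rid):
    """Say what the RID tells an examiner before the account name is known."""
    if rid is None:
        return "not an account SID"
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account (RID 1000 or above)"
    return "other well-known account or group"


def profile_recycler_folders(entries):
    """Group recycler sub-folders by SID across volumes.

    entries: iterable of (volume, folder_name). Names that are not SIDs
    (for example desktop.ini) are ignored.
    """
    profiles = {}
    for volume, name in entries:
        sid = parse_sid(name)
        if sid is None:
            continue
        entry = profiles.setdefault(sid["sid"], {
            "machine": sid["machine"], "rid": sid["rid"],
            "account_hint": describe_rid(sid["rid"]), "volumes": [],
        })
        if volume not in entry["volumes"]:
            entry["volumes"].append(volume)
    return profiles


def machines_seen(profiles):
    """Distinct machine/domain identifiers, showing if more than one system used the drive."""
    return sorted({p["machine"] for p in profiles.values() if p["machine"]})


# Constructed listing of the recycler folders found on two volumes (sample data).
SAMPLE_RECYCLER = [
    ("C:", "S-1-5-21-111111111-222222222-333333333-1003"),
    ("C:", "S-1-5-21-111111111-222222222-333333333-500"),
    ("C:", "desktop.ini"),
    ("D:", "S-1-5-21-111111111-222222222-333333333-1003"),
    ("D:", "S-1-5-21-444444444-555555555-666666666-1001"),  # SID from a different machine
]

if __name__ == "__main__":
    profiles = profile_recycler_folders(SAMPLE_RECYCLER)
    for sid, info in profiles.items():
        print(sid, info["account_hint"], "on", ", ".join(info["volumes"]))
    print("machines seen:", machines_seen(profiles))
```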
2.6.3 E-Mail Activity
Email recovery is dependent upon the type of email system used. If using an application such as
Outlook, then the email activity would be stored within the configuration files stored in the
folder ‘AppData’ in the user profile.
However, if the user has been using an online email system such as Gmail, Hotmail or
Outlook.com then the emails would not be stored locally. Due to this the emails may not be able
to be fully recovered. To overcome this, the internet history and cookies could be used to
identify commonly used sites and highlight email addresses stored within those files.
2.6.4 Internet Activity
As can be seen from Table 2-1, a folder within every user account contains all the cookies used
when the user has browsed the internet. However, in later versions this folder has been
relocated to a folder within the hidden ‘AppData’ folder that is also located within every user
account folder.
This has been done to ensure that all the users’ data is secured within the user profile so that it
cannot be accessed by another profile without administrative privileges. If the drive in question
is not that of a primary drive, then there may not be many internet related files stored on the
drive due to the issue of the user profile not being located on that drive.
The internet history will depend upon the browser that has been used, such as Internet Explorer,
Google Chrome or Mozilla Firefox. The most common browser, by installation, is Internet
Explorer as this comes standard with all versions of Microsoft Windows. The internet history is
typically stored under the users’ folder and located within the ‘AppData’ folder, similar to that
of the cookies location. Within that folder will be the browser configuration folder that will then
contain the cookies and browsing history.
2.6.5 Personal Account Files
Within a user account directory are several important sub folders that can be used to identify the
type of user, their activities and the files they store. Under the main user directory on a
Windows system would be folders such as Downloads, Documents, Pictures and Music.
Within these folders would be the personal documents that relate to a user. By analysing these
folders it is possible to locate pictures of users, documents they have created and a timeline of
possible events.
A timeline of file creation and modification can be created by analysing the metadata of each
file. The metadata can be used to determine when a file was created and the user account
that created it, along with the corresponding details for its modification.
3 Phase Two - Findings
3.1 Introduction
This section of the report details all the findings made during the analysis of the evidential artefacts.
The initial steps, as per procedure, are to locate the partitions and boot records.
3.2 Partitions
During the initial analysis it was noted that the main drive itself is not bootable, as confirmed by
the lack of an MBR in sector 0 of the drive. In the place where the MBR would be expected, the
VBR was located. Locating only a VBR indicates that the drive in question is a secondary drive
on a computer system.
3.2.1 VBR Analysis
Upon locating and analysing the VBR, located in sector 0 of the drive, it was noted that the drive
in question was formatted with the NT file system (NTFS), see Appendix E.2. From the VBR it
can be seen that the entire drive is one partition with no additional partitions. This is also
shown by the presence of a backup VBR located in the last usable sector of the drive, see
Appendix E.2.2.
Located in the first three bytes of the VBR it is noted that the bytes per sector are 512 and the
sectors per cluster are 8, as confirmed in Appendix E.2.
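The reading of sector 0 described in sections 3.2 and 3.2.1, as an added example that is not code from the report, from EnCase or from any tool the team used. It assumes the standard NTFS boot sector layout: the OEM ID "NTFS    " at byte 3, bytes per sector as the 16-bit value at byte 11, sectors per cluster at byte 13, the total sector count at byte 40 and the $MFT start cluster at byte 48, with the backup boot sector held in the last sector of the partition. The sample boot sector is constructed here with the values from Appendices E.2 and E.4 (512 bytes per sector, 8 sectors per cluster, 37,190,412 sectors, $MFT at cluster 786,432); no disk image is read.

```python
"""Added example: read an NTFS volume boot record (VBR) and decide whether
sector 0 holds a VBR (formatted volume, no partition table) or an MBR.
Not the report's code; the sample sector below is constructed."""
import struct

SECTOR_SIZE = 512


def build_sample_vbr(bytes_per_sector=512, sectors_per_cluster=8,
                     total_sectors=37_190_412, mft_cluster=786_432):
    """Constructed NTFS boot sector; only the fields the parser reads are set.
    Offsets are those of the NTFS BIOS Parameter Block (BPB)."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                            # x86 jump to boot code
    vbr[3:11] = b"NTFS    "                               # OEM ID names the file system
    struct.pack_into("<H", vbr, 11, bytes_per_sector)     # bytes per sector
    vbr[13] = sectors_per_cluster                         # sectors per cluster
    vbr[21] = 0xF8                                        # media descriptor: fixed disk
    struct.pack_into("<Q", vbr, 40, total_sectors)        # sectors in the volume
    struct.pack_into("<Q", vbr, 48, mft_cluster)          # first cluster of $MFT
    struct.pack_into("<Q", vbr, 56, total_sectors // 16)  # first cluster of $MFTMirr
    vbr[510:512] = b"\x55\xAA"                            # boot sector signature
    return bytes(vbr)


def is_ntfs_vbr(sector):
    return (len(sector) >= SECTOR_SIZE and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xAA")


def parse_ntfs_vbr(sector):
    """Return the geometry an examiner notes from the VBR (compare Appendix E.2)."""
    if not is_ntfs_vbr(sector):
        raise ValueError("sector 0 is not an NTFS volume boot record")
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    sectors_per_cluster = sector[13]
    total_sectors = struct.unpack_from("<Q", sector, 40)[0]
    mft_cluster = struct.unpack_from("<Q", sector, 48)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_clusters = total_sectors // sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "total_clusters": total_clusters,
        "capacity_bytes": total_clusters * cluster_size,
        "mft_byte_offset": mft_cluster * cluster_size,
        # NTFS keeps a copy of the boot sector in the sector just past the
        # count in the total-sectors field, i.e. the last sector of the partition.
        "backup_vbr_sector": total_sectors,
    }


def classify_sector0(sector):
    """'VBR' means a volume with no partition table (a secondary data drive,
    as in section 3.2); 'MBR' means a partitioned disk; else 'unknown'."""
    if is_ntfs_vbr(sector):
        return "VBR"
    if sector[510:512] == b"\x55\xAA" and any(sector[446 + 16 * i + 4] for i in range(4)):
        return "MBR"  # at least one partition entry carries a non-zero type code
    return "unknown"


def build_sample_image(n_sectors):
    """Constructed tiny image: VBR in sector 0, backup copy in the last sector."""
    vbr = build_sample_vbr(total_sectors=n_sectors - 1)
    return vbr + bytes(SECTOR_SIZE * (n_sectors - 2)) + vbr


def backup_vbr_matches(image):
    """Confirm the backup VBR (Appendix E.2.2) is identical to sector 0."""
    info = parse_ntfs_vbr(image[:SECTOR_SIZE])
    off = info["backup_vbr_sector"] * info["bytes_per_sector"]
    return image[off:off + SECTOR_SIZE] == image[:SECTOR_SIZE]


if __name__ == "__main__":
    for key, value in parse_ntfs_vbr(build_sample_vbr()).items():
        print(f"{key:>20}: {value:,}")
```

With the constructed values the parser reproduces Appendix E.2: 4,648,801 clusters of 4,096 bytes, a capacity of 19,041,488,896 bytes, and the $MFT at byte offset 3,221,225,472, which is the physical location recorded for $MFT in Appendix E.4.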
3.3 Operating Systems
During the analysis of the drive, the examiner confirmed that no operating system has been
installed onto this drive. The drive in question, confirmed to have the NT file system, does not
contain an MBR and is therefore a non-bootable device. However, had the drive contained
remnants of an MBR, this would have indicated that there may have been an OS on it at some point.
3.4 Structure of the Drive
The drive is structured in a way that indicates the user has been saving files directly to the drive.
There is no single top-level folder containing the user's data; all folders are stored directly under
the main volume. This can be seen from Appendix E.3, which documents the top level folder structure.
3.5 User Accounts
As the drive in question is not an operating system drive, there is no user accounts folder.
Because of this it is not possible to identify the usernames of users that have accessed the system.
However, it is possible to identify the SIDs of accounts that have accessed the drive, by analysing
the $MFT and the $Recycler folder. Appendix E.6 lists the accounts that were in use on the
volume, along with a breakdown of the SID information.
3.5.1 Identified User SID Accounts
Table 3-2 shows the accounts that have been highlighted as owners or creators of folders
located within the root of the drive. This is confirmed by the analysis of folder creation and
permissions shown in Appendix E.6.3. The user accounts highlighted below indicate two users,
each accessing the machine in two ways: via a local account and via a domain account.
Table 3-2 - Priority User Accounts
Name                | SID
(no name resolved)  | S-1-5-21-1077148053-4198568005-59594
Domain Users        | S-1-5-21-1077148053-4198568005-513
Olga Angelopoulou   | S-1-5-21-725345543-1532298954-1003
None                | S-1-5-21-725345543-1532298954-513
Using the information above, it is indicated that the owner of the drive is one of the accounts
with the SIDs above. The SID that has a name alongside it has been highlighted because several
additional files have been noted to have been created under this username.
3.5.2 Profile Characteristics
As there are no user profiles on the volume, there is very little to indicate the characteristics of a
user. However, the characteristics found are that the drive was used by the indicated SIDs for
external storage.
3.5.3 E-Mail Activity
Using the above SIDs and names, a search was undertaken to highlight possible email
addresses and emails. After the initial analysis, two folders were highlighted, one deleted and
one live. Both of these folders were named ‘Email’, which indicated that they might contain
emails.
Upon analysis, the live folder was found to be empty and contained no files. The deleted folder
contained two sub folders holding emails for a username of ‘oangelop’, as can be seen from
Appendix E.7. This username is a shortened form of the name Olga Angelopoulou, highlighted
during the SID analysis. After analysing the folders, the permissions were again checked, with
the owner of the folder being the SID of the unknown account in Table 3-2.
3.5.4 Internet Activity
As the drive is not an operating system volume, there are no folders that store cookies or other
internet related files. Typically the internet files on a Windows system, as the drive is an NT
file system, are stored under the user account folder to keep those files secure to that user.
After undertaking several searches for web addresses, several results were highlighted relating
to internet searches. The majority of the searches were of a general nature, or related to files
stored on the drive. Several of the results are shown in Appendix E.8.
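The keyword and address search described in sections 2.6.3 and 2.6.4 and carried out in sections 3.5.3 and 3.5.4, as an added example that is not the report's code and not EnCase's search engine. It runs over raw bytes from a volume rather than over parsed files, and because Windows and its browsers write many strings as UTF-16LE, every pattern is tried in 8-bit form and in UTF-16LE at both byte alignments. The sample buffer is constructed: the host names, the cookie and both addresses are invented, and only the username ‘oangelop’ is taken from the report.

```python
"""Added example: carve e-mail addresses and URLs, and locate a keyword, in raw
bytes in both ASCII and UTF-16LE form. Not the report's code; the sample
buffer below is constructed."""
import re
from collections import Counter

# Constructed sample: an ASCII history-style record, an ASCII cookie line, a
# UTF-16LE string as a Windows application would write it, and filler bytes.
SAMPLE_BYTES = (
    b"\x00\x17visited: http://webmail.example.ac.uk/inbox?user=oangelop\x00\x00"
    + b"Cookie: session=abc123; email=oangelop@example.ac.uk\r\n"
    + "Mailbox of oangelop: olga.example@example.org via https://mail.example.org/"
      .encode("utf-16-le")
    + bytes(range(256))
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The URL path stops at the first non-printable character, e.g. the NUL that
# terminates a record, so two adjacent records are not glued together.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[\x21-\x7e]*)?")


def text_views(data):
    """The decodings a carver must try: 8-bit, then UTF-16LE at both byte
    alignments (only the correct alignment yields readable text)."""
    yield data.decode("latin-1")
    for start in (0, 1):
        yield data[start:].decode("utf-16-le", errors="replace")


def carve_identifiers(data):
    """E-mail addresses and URLs with hit counts, the approach section 2.6.3
    suggests for webmail users whose messages are not stored locally."""
    emails, urls = Counter(), Counter()
    for text in text_views(data):
        emails.update(m.group().lower() for m in EMAIL_RE.finditer(text))
        urls.update(m.group() for m in URL_RE.finditer(text))
    return {"emails": emails, "urls": urls}


def keyword_hits(data, keyword):
    """Offsets of a keyword (e.g. a username from the SID analysis), case-insensitive,
    in ASCII and in UTF-16LE, as a forensic GREP search would report them."""
    hits = []
    for enc, needle in (("ascii", keyword.encode("ascii")),
                        ("utf-16le", keyword.encode("utf-16-le"))):
        pattern = re.compile(re.escape(needle), re.IGNORECASE)
        hits.extend((m.start(), enc) for m in pattern.finditer(data))
    return sorted(hits)


def domains(emails):
    """Group addresses by mail domain to show which services a user relied on."""
    return Counter(addr.rsplit("@", 1)[1] for addr in emails)


if __name__ == "__main__":
    found = carve_identifiers(SAMPLE_BYTES)
    print(found["emails"], found["urls"], domains(found["emails"]), sep="\n")
    print(keyword_hits(SAMPLE_BYTES, "oangelop"))
```

Searching only the 8-bit view would miss the UTF-16LE address entirely, which is the usual reason a keyword search on a Windows volume returns fewer hits than expected.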
3.5.5 Personal Account Files
Upon analysing the drive structure, it was indicated that two users had been using the drive to
store files outside of their normal computer system. This was indicated by the presence of
folders called ‘Docs’ and ‘Email’. Analysing the ‘Docs’ folder indicated that it was a storage
repository for documents that had been created, downloaded or copied. Within the deleted
‘Email’ folder, several emails containing pictures were found, along with a folder holding several
additional picture files.
3.6 Timeline of Drive
Upon analysing the drive, it was found that the volume was created in 2004, when it was formatted
with the NT file system, as seen in Appendix E.4. Since this date the drive has had steady use, with
files being created and stored, as seen in Appendix E.5. However, upon analysing the entire timeline
of the drive, it can be seen that there are files with dates prior to 2004. Analysis of these files
indicated that they were copied from another source and saved to this drive by the user. The files
located date back to the early 1990s.
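The metadata timeline of section 2.6.5 and the check behind section 3.6 (files whose dates predate the volume itself), as an added example that is not code from the report. The file records are constructed; only the volume creation time (the $MFT creation in Appendix E.4) and the two SIDs from Table 3-2 are taken from the report. It relies on one NTFS behaviour the reader should know: a file written on a volume cannot carry a last-written time older than that volume, and a copy made with Windows Explorer keeps the source file's last-written time while receiving a new creation time, which is why such files read as copied rather than created in place.

```python
"""Added example: build a creation/modification timeline from file metadata
and flag files that predate the volume. Not the report's code; the records
below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# $MFT creation time from Appendix E.4 (16/06/04 09:18:24, dd/mm/yy).
VOLUME_CREATED = datetime(2004, 6, 16, 9, 18, 24)


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime       # creation time from $STANDARD_INFORMATION
    modified: datetime      # last-written time
    owner_sid: str
    deleted: bool = False


# Constructed sample records; folder names mimic Appendix E.3.
SAMPLE_RECORDS = [
    FileRecord(r"Docs\minutes_1993.doc", datetime(2005, 3, 2, 10, 0),
               datetime(1993, 11, 5, 14, 20), "S-1-5-21-725345543-1532298954-1003"),
    FileRecord(r"Docs\notes.txt", datetime(2006, 1, 10, 9, 5),
               datetime(2006, 1, 12, 17, 40), "S-1-5-21-725345543-1532298954-1003"),
    FileRecord(r"Email\oangelop\msg01.eml", datetime(2007, 5, 1, 8, 30),
               datetime(2007, 5, 1, 8, 30), "S-1-5-21-1077148053-4198568005-59594",
               deleted=True),
    FileRecord(r"Temp\setup.log", datetime(2004, 6, 16, 9, 30),
               datetime(2004, 6, 16, 9, 31), "S-1-5-21-1077148053-4198568005-59594"),
]


def build_timeline(records):
    """One row per timestamp, oldest first: (time, event, path, owner SID)."""
    rows = []
    for r in records:
        rows.append((r.created, "created", r.path, r.owner_sid))
        rows.append((r.modified, "modified", r.path, r.owner_sid))
    rows.sort()
    return [(t.isoformat(sep=" "), event, path, sid) for t, event, path, sid in rows]


def files_predating_volume(records, volume_created=VOLUME_CREATED):
    """Paths whose last-written time is older than the volume. Such a time can
    only have been carried over from another source (an Explorer copy keeps
    the source's last-written time and assigns a new creation time), which is
    how section 3.6 reads the pre-2004 files."""
    return sorted(r.path for r in records if r.modified < volume_created)


def activity_by_year(records):
    """Created/modified events per year: the 'steady use' view of section 3.6."""
    return Counter(t[:4] for t, _, _, _ in build_timeline(records))


def owners(records):
    """Which SIDs own the files, live and deleted, as tabulated in Appendix E.6."""
    return Counter(r.owner_sid for r in records)


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_RECORDS):
        print(*row, sep="  ")
    print("predate volume:", files_predating_volume(SAMPLE_RECORDS))
    print(activity_by_year(SAMPLE_RECORDS))
```

A creation time older than the volume would be a stronger anomaly still, since Windows itself never assigns one; it points at a copy tool that preserves all timestamps or at a clock problem on the source machine, and is worth recording in the analysis log either way.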
4 Phase Three – Conclusion and Completion of Case
Concluding the analysis phase of the investigation, it was deemed that the drive in question is not a
boot drive but rather a storage drive, used either internally wired or in an external caddy. This
finding posed several issues for the investigation: as the drive could not be shown to be an OS
volume, the analysis instead had to identify the creators and owners of the folders stored within it.
By analysing the folders, both live and deleted, it was possible to find information relating to the
SIDs that have accessed the drive. By also analysing the permissions of these folders it was possible
to pinpoint the actual creators and owners of the folders.
To conclude the findings of the investigation, it has been highlighted that the drive was used for
secondary storage only and not as an OS drive, which means it is not possible to pinpoint a single
owner of the drive without access to a machine or domain with the same identifier. However, the
analysis indicated that four SIDs were the primary users and can be identified as the owners, or
past owners, of the drive.
The drive was formatted with NTFS in 2004 but contains files dated prior to this, which indicates
that the drive was used before that date and was subsequently formatted to be used again. However,
the ownership could have changed, which may have been the reason for the formatting.
The owner of the drive cannot be completely verified without the original computer that the drive
was used with. This means that further investigations need to be undertaken to highlight possible
computers or networks where the drive would have been used. It was also indicated that the drive in
question was used in conjunction with Glamorgan University which could be a starting point to
undertake further investigation.
Once a network is located with the same domain identifier, the computers and users could be
located and their computers analysed. Due to the lack of user information on the drive it is not
possible to identify who the actual volume creator is. However, the creation date stamps indicate
that the creator is probably one of the SIDs identified. The information regarding the SIDs found
during the investigation can be found in Appendix E.6, which states the different areas in which
user IDs were found. This also indicates the specific creators and owners of folders on the drive.
As indicated by the findings in Phase Two, the drive does not contain an operating system, due to
the lack of an MBR and the fact that only a VBR is found on the drive, as seen in Appendix E.2. The
outcome of this is that the drive contains only a single partition, as shown by the findings in
Appendix E.4.
Upon the analysis being completed, the Case Officer has now taken control of the report and will
submit it to the client upon agreeing the conclusions.
5 Bibliography
5.1 Mobile Forensics
http://www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf
http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
http://csrc.nist.gov/publications/nistir/nistir-7387.pdf
5.2 MBR Information
http://superuser.com/questions/420557/mbr-how-does-bios-decide-if-a-drive-is-bootable-or-not
http://technet.microsoft.com/en-us/library/cc940349.aspx
http://books.google.co.uk/books?id=wuUuTXMkNx8C&pg=PA72&lpg=PA72&dq=mbr+partition+popularity&source=bl&ots=QanCnIdhMD&sig=_731e1jnYlKChbxBJRu8BuuTCVY&hl=pt-PT&ei=RpGgTb7EGY6FtgfMy7meAw&sa=X&oi=book_result&ct=result&redir_esc=y#v=onepage&q&f=false
http://thestarman.pcministry.com/asm/mbr/mystery.htm
5.3 User IDs and SIDs
http://support.microsoft.com/kb/136517/EN-US
http://support.microsoft.com/kb/243330
5.4 Guidelines
ACPO Guidelines - http://library.npia.police.uk/docs/acpo/digital-evidence-2012.pdf
6 References
Police.uk (2012) ACPO Good Practice Guide for Digital Evidence: March 2012. [Online] Available from: http://library.npia.police.uk/docs/acpo/digital-evidence-2012.pdf. [Accessed: 14th March 2013]
Microsoft Support (2007) How the Recycling Bin Stores File. [Online] Available from: http://support.microsoft.com/kb/136517/EN-US. [Accessed: 17th March 2013]
Appendices
The following section of this report documents all additional appendices that are attached to this case.
Appendix A Case Management
Appendix A.1 Authorisation Documentation
TPR Group: Case Request Report (CRR1)
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Critical / Urgent / Standard
Case officer:    Date & Time call received: _ _ / _ _ / _ _ _ _  _ _ : _ _
Client Name:    Company Name:
Contact Email Address:    Contact Phone No:
Fax No:    Alternative Mobile No:
Address of incident: Address 1 / Address 2 / County / Postcode / Country
Size of organisation: Small / Medium / Large    National / International
Nature of incident:
Date of incident: _ _ / _ _ / _ _ _ _
Number of Items involved:    Isolated / Un-isolated network
Operating system used within the organisation: Windows / Unix Based / Mac OSX / Mobile OS / Other……………………………
Shared devices / Personal
Is the scene safe: Yes / No    If No please state:
Client Signature:    Name Printed:
Date: _ _ / _ _ / _ _ _ _    Time (HH:MM): _ _ : _ _
Case Request Report: Initial Meet
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Date: _ _ / _ _ / _ _ _ _
Case officer:    Time: _ _ : _ _
Client Name:    Company Name:
Contact Email Address:    Contact Phone No:
Fax No:    Alternative Mobile No:
Any additional new information:
Name of persons who have access to items:
Usernames for items involved (if relevant):    Account passwords (if relevant):
Client Signature:    Date: _ _ / _ _ / _ _ _ _
Case Officer Signature:    Date: _ _ / _ _ / _ _ _ _
TPR GROUP
AUTHORISATION FOR RELEASE, ACQUISITION AND ANALYSIS OF ALL RELATED MEDIA DURING THE FORENSIC INVESTIGATION
Please carefully read and understand this authorisation form, which enables the release of information, documentation and media for the reported case, then sign and date.
I authorise any representative of the TPR Group to enter the scene of the incident for the purpose of examining, and extracting if required, media related to the reported case.
I authorise any representative of the TPR Group entering the scene of the incident to photograph, document and report all relevant details required for the investigation.
I authorise any representative of the TPR Group to gather additional information from witnesses at the scene of, or related to, the incident when reasonable and relevant.
I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations if found to be related to terrorist or illegal activity.
I authorise all media and evidence collected, including documentation found or created, to be released to relevant organisations upon request by any legally authorised parties.
This form is valid up until the point the case is released from TPR Group, at which time release documents will be signed and all case materials returned to the authorised person below, or their representative, if legally possible.
TPR Representative:
Print Name: __________________________    Signature: ____________________    Date Signed: _ _ / _ _ / _ _ _ _
The Client's Authorised Representative:
Print Name: __________________________    Signature: ____________________    Date Signed: _ _ / _ _ / _ _ _ _
Position within Organisation: __________________________    Organisation: _____________________________________________
TPR Group: Case Scene Report
CLIENT AUTHORISATION
Signature:    Date: _ _ / _ _ / _ _ _ _
TPR DETAILS
Enter Date: _ _ / _ _ / _ _ _ _    Enter Time: _ _ : _ _ (HH:MM)
Case No: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Case Manager:
Is the scene safe to enter? Yes / No (state why)
TEAM ATTENDING (cross out blank box
es)
Name    Position    Time (HH:MM)    Signature
                    _ _ : _ _
                    _ _ : _ _
                    _ _ : _ _
                    _ _ : _ _
                    _ _ : _ _
ENTRANCE & EXITS
Number of Exits:    Are any Fire Exits: Yes / No
SCENE DOCUMENTATION
Panoramic Photo: Yes / No    Witnesses: Yes / No    Secured Witnesses: Yes / No
CCTV Available: Yes / No    CCTV Acquirable: No / Yes --> CCTV Evidence No: Case No + _ _ _ _
Draft Blueprint of Scene:
TPR STAFF DETAILS
Exit Date: _ _ / _ _ / _ _ _ _    Exit Time: _ _ : _ _ (HH:MM)
Signature:    Case Officer:    Client:
Appendix A.2 Case Evidence Collection Form
TPR GROUP
Investigations Unit
This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Evidence number: Case No + _ _ _ _
Case Manager:    Original / Duplicate    Original No: _ _ _ _
Evidence Type:
Evidence Location:
Vendor Name:    Model No:    Serial No:    Additional Notes:
Description of evidence:
Evidence Recovered By:    Date: _ _ / _ _ / _ _ _ _    Time (HH:MM): _ _ : _ _
Signature:
Investigations Unit
This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.
Case number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Evidence number: Case No + _ _ _ _
Case Manager:    Original / Duplicate    Original No: _ _ _ _
Evidence Type:
Evidence Location:
Vendor Name:    Model No:    Serial No:    Additional Notes:
Description of evidence:
Evidence Recovered By:    Date: _ _ / _ _ / _ _ _ _    Time (HH:MM): _ _ : _ _
Signature:
CHANGE OF CUSTODY
This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.
Who (From / To)    Reason    Comments    Authorisations    Signatures    Date & Time
From:    To:    _ _ / _ _ / _ _ _ _  _ _ : _ _
From:    To:    _ _ / _ _ / _ _ _ _  _ _ : _ _
From:    To:    _ _ / _ _ / _ _ _ _  _ _ : _ _
From:    To:    _ _ / _ _ / _ _ _ _  _ _ : _ _
Additional Page Signature: __________________________    Page ___ of ___    Initial ___ ___
CHAIN OF ACCESS
This form is to be used for only one piece of evidence. Fill out a separate form for each piece of evidence.
Name    Date & Time Out    Reason    Signature    Date & Time In    Signature
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Out: _ _ / _ _ / _ _ _ _  _ _ : _ _    In: _ _ / _ _ / _ _ _ _  _ _ : _ _
Appendix A.3 Crime Scene Management Diagrams
Appendix A.3.1 Attending the Crime Scene
Appendix A.3.2 Acquisition of the Scene
Appendix A.3.3 Device Acquisition
1. Secure devices of evidentiary value.
2. Assess the system status:
   a. If the system is live:
      i. Collect a write blocker; if none is available, contact the Case Officer.
      ii. Set up the Forensic Acquisition Workstation.
      iii. Connect the write blocker.
      iv. Connect the evidential device.
      v. Start acquisition of volatile media.
      vi. Confirm the acquisition.
      vii. Follow the procedure for the specific device and operating system type.
   b. If the system is switched off:
      i. Do not turn it on.
      ii. If the device cannot be opened, acquire the entire device if possible.
      iii. If that is not possible, can the storage media be removed?
         1. No: image at the scene as a live system.
         2. Yes: acquire the media if possible and continue.
      iv. Bag and tag the evidence.
      v. Store for transportation.
      vi. Check for other evidential media within the device and acquire it.
      vii. Close the device and document.
3. Check the scene for further evidence.
4. Document the scene.
5. Hand back to the Case Officer.
6. Case Officer to have a final check of the scene.
7. Hand back to the client.
Appendix A.3.4 Device Specific Acquisition
Appendix A.4 Forensic Examiners Toolkit
Appendix A.4.1 Specialist Forensic Hardware
All of the following equipment will be taken to every crime scene.
Check    Item
Network Cables (multiple) – both straight-through and crossover
Floppy Drive (external, with USB connector)
CD/DVD Drive (external, with USB connector)
Hard Drives (several sizes) – with SATA, PATA and IDE connectors
EnCase Acquisition Kit
Digital Camera & backup photographic device
Connection Cables (USB, HDMI, FireWire, VGA, IDE, etc.)
Female-to-Male cable converters for all of the above
Compact Disc (CD) spindle with several discs
Digital Versatile Disc (DVD) spindle with several discs
Acquisition Machine with the forensic software listed below, & backup
Network Detector
Network Blocker
Internet Dongle
Write Blocker
Battery power backup device
XRY Mobile Acquisition Kit
Card Reader
Mouse Jiggler
Second Monitor
External Hard Disc Caddy (2.5 inch and 3.5 inch)
Appendix A.4.2 Specialist Forensic Software
Check    Item
LinEn Disc or USB
EnCase 6 & 7
Linux Bootable
Personalised Windows Operating System Backup
Personalised Mac OS Backup
Forensic Tool Kit 4
Micro Systemation XRY (latest stable version)
Backup of Forensic Software & Licences
Appendix A.4.3 General Forensic Equipment
Check    Item
Seizure Bags
Tags
Cable Ties
Archival-grade permanent marker
Voice Recorder
Magnifying Glass
Tools (non-magnetic and magnetic)
Straight-head and Phillips screwdrivers, and specialist head variations
Pliers
Wrench
Anti-static wrist band
Power Extension leads (5m, 10m, 15m, 20m, 25m)
Dust Brush
Gloves
Mirror
Faraday Bag
Evidence Forms
Keyboard
Mouse
Authorisation / Warrant
Identification
Bubble Wrap
Certifications (Copies)
Contact Numbers
Photo Card & Numbers for photographing evidence
Appendix A.5 Questions for Cases
Appendix A.5.1 Initial Contact Questions
Company and Contact Details
What is your name and position?
Are you in charge of day to day activities at the location of the device?
If not, do you have enough technical knowledge to answer the preliminary questions that are used
to assess the situation, so that TPR can prepare for your specific case?
What is the name and nature of the company?
What is the size of the company?
How many people are employed?
Over how many sites does the company span?
What is the location of the company the enquiry is regarding, and who is the person in charge?
Incident details
What is the nature of your call, and when did the incident occur?
Were there other members of staff or civilians involved?
If so, who are they?
What was their position or authority at the time of the incident?
Device details
What are the devices?
Where is the device, or devices, in question located within the company?
Is the device (or devices) connected within a networked environment?
If so, what is the size of the network?
Is the device (or devices) isolated?
Do you know the operating system of the machines?
Explain that the devices in question should not be used for any reason at all, as any potential
evidence may be destroyed or changed.
Stop any persons from accessing the scene with any electronic devices.
Appendix A.5.2 At the Scene Questions
Initial questions
Is the computer networked to external sources?
To a server?
Intranet?
File server?
What access rights does this particular user hold?
To the internet?
Through a wireless connection?
Wired connection?
Security measures in place?
Preliminary questions
Has anything changed since the last time we talked?
If so, add these details to the CSR1 form.
Has anyone been at, or had access to, the computer?
If so, add these details to the CSR1 form.
Appendix A.5.3 Witness Questioning
The following questions are not case specific and must be tailored to suit each individual case;
this will be managed and prepared by the Case Officer.
Before conducting an interview the Case Officer must explain the purpose of the interview and
introduce themselves to the witness. Throughout the interview the Case Officer must be polite to
the witness, and punctuality is important at all times.
What are your role and responsibilities?
Who is your supervisor?
Is there anyone else, apart from you, who has authorisation for this department?
What are the procedures relating to the IT equipment within this department?
What are the administrative passwords?
Are there any security measures currently in place protecting this equipment?
Explain the crime scene according to your knowledge.
Who did you contact first after seeing the incident?
Is there any wireless connection?
Would you provide your contact details?
Appendix B ACPO Guidelines – 2012 Edition
The ACPO Guidelines is a document developed by 7Safe in conjunction with the Association of
Chief Police Officers. Within this document are four principles that are used as a guide, which are:
Principle 1:
No action taken by law enforcement agencies, persons employed within those agencies or their
agents should change data which may subsequently be relied upon in court.
Principle 2:
In circumstances where a person finds it necessary to access original data, that person must be
competent to do so and be able to give evidence explaining the relevance and the implications of
their actions.
Principle 3:
An audit trail or other record of all processes applied to digital evidence should be created and
preserved. An independent third party should be able to examine those processes and achieve the
same level.
Principle 4:
The person in charge of the investigation has overall responsibility for ensuring that the law and
these principles are adhered to.
The above principles were taken directly from the ACPO Good Practice Guide for Digital Evidence
document (Police.uk, 2012).
Appendix C Analysis Procedures
Appendix C.1 Hard Drive Analysis Form
TPR Group
Examination Process Procedure – Windows
Upon successful acquisition of the storage device, the drive is then required to be duplicated onto a
sterile storage drive.
This duplicate drive, and not the original artefact, is then analysed using the following procedure:
Task    Notes    Completion
Verify drive image against original hash    ☐
Locate Master Boot Record    ☐
Locate Volume Boot Record    ☐
Locate Backup Sectors    ☐
Locate Logical Size of Disc (Sectors)    ☐
Locate Physical Size of Disc (Sectors)    ☐
Locate Hidden Sectors    ☐
Locate Operating System Version    ☐
Locate Useful Windows Files (SWAP etc.)    ☐
Locate Installed Applications    ☐
Locate Unallocated Space    ☐
Locate Deleted Artefacts    ☐
Complete File Signature Analysis    ☐
Complete Hash of Every File    ☐
Complete Keyword Search    ☐
Search for File Types    ☐
Search for Emails    ☐
Search for Email Addresses    ☐
Search for Internet History    ☐
Search for Folder Structure    ☐
Search for Timeframe of Artefacts    ☐
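Three of the checklist tasks above (‘Verify drive image against original hash’, ‘Complete File Signature Analysis’ and ‘Complete Hash of Every File’) worked through in code, as an added example that is not the report's code and not EnCase's implementation of these steps. It assumes nothing about the E01 container: the image is hashed as a flat file, which is what verifying a raw copy against the acquisition MD5/SHA1 amounts to, and the signature table holds a handful of common header values. All files are created in a temporary directory so the example runs offline; the hashes asserted are those of the constructed content, not of the case evidence.

```python
"""Added example: verify an image against its acquisition hashes, hash every
file in a tree and flag header/extension mismatches. Not the report's code;
the sample tree below is constructed."""
import hashlib
import os
import tempfile

# Header signatures (magic numbers) for a few common document and picture types.
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": {"doc", "xls", "ppt", "msg"},   # OLE2 compound file
    b"PK\x03\x04": {"docx", "xlsx", "pptx", "zip"},
}


def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA1 of a file read in chunks, since images exceed available RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, acquisition_md5, acquisition_sha1):
    """'Verify drive image against original hash': the working copy must hash to
    the values recorded at acquisition (compare the MD5/SHA1 rows in Appendix E.2)."""
    md5, sha1 = hash_file(path)
    return md5 == acquisition_md5.lower() and sha1 == acquisition_sha1.lower()


def detect_type(path):
    """Extensions implied by the file header, or None if no known signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None


def signature_mismatch(path):
    """'Complete File Signature Analysis': an extension that disagrees with the
    header (a picture saved as .txt, for instance) deserves a closer look."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    exts = detect_type(path)
    return exts is not None and ext not in exts


def catalogue_tree(root):
    """'Complete Hash of Every File': hash every file under root and note mismatches.
    Keys use backslashes so they read like the paths in Appendix E.3."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            md5, sha1 = hash_file(full)
            out[rel] = {"md5": md5, "sha1": sha1, "mismatch": signature_mismatch(full)}
    return out


def build_sample_tree():
    """Constructed evidence tree: a JPEG header, the same header renamed .txt,
    an OLE2 (.doc) header, and a tiny 'image' whose hashes are well known."""
    root = tempfile.mkdtemp(prefix="tpr_sample_")
    os.makedirs(os.path.join(root, "Docs"))
    files = {
        r"Docs\photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 28,
        r"Docs\hidden.txt": b"\xFF\xD8\xFF\xE1" + b"\x00" * 28,
        r"Docs\report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
        r"image.E01": b"abc",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("\\")), "wb") as f:
            f.write(content)
    return root


def image_path(root):
    """Path of the constructed sample image inside the tree."""
    return os.path.join(root, "image.E01")


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, info in catalogue_tree(root).items():
        print(rel, info["md5"], "MISMATCH" if info["mismatch"] else "")
```

A failed image verification stops the examination before any of the later tasks, because every finding that follows would otherwise rest on a copy that is not demonstrably the evidence that was acquired.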
Appendix C.2 Evidence Analysis Log Form
TPR Group – Evidence Analysis Log
Date: _ _ - _ _ - _ _    Time: _ _ - _ _    Case Number: TPR _ _ _ _ _ _ / _ _ - _ _ - _ _    Investigator:
Requirements:
Notes:
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
____________________________________________________________________________
Appendix C.3 User ID Profile Form
TPR Group – User ID Profile
User ID (SID):
Alias (Name of Account):
Location Found:
Description: ____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
User ID (SID):
Alias (Name of Account):
Location Found:
Description: ____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
Appendix D Analysis Process Diagrams
Appendix D.1 Initial Analysis (MBR and VBR)
Appendix D.1.1 Partition Tables
Byte Offset | Name | Description
446 | Boot | Hexadecimal 80 for an active partition, 00 for a non-active partition
447 | Start Head | The starting head for the partition
448 | Start cylinder and sector | Starting cylinder (10 bytes) and sector (6 bytes)
450 | Partition Type | Stipulates which type of partition this is (see Appendix D.1.2)
451 | End Head | The ending head for the partition
452 | End cylinder and sector | Ending cylinder (10 bytes) and sector (6 bytes)
454 | Relative Sector | Number of sectors prior to the start of the partition
458 | Total Sectors | Total number of sectors within the partition
Appendix D.1.2 Partition Types (File Systems)
Hexadecimal Code | Partition Type
00 | Unused Partition Entry
01 | FAT 12
04 | FAT 16
06 | FAT 16B
07 | NTFS
A8 | UFS
AF | HFS (HFS+)
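A parser for the partition table laid out in Appendix D.1.1, with the type codes of Appendix D.1.2, as an added example that is not the report's code. Each of the four entries is 16 bytes starting at byte 446; the CHS fields are decoded on the standard packing, in which the sector number occupies the low six bits of its byte and the top two bits of that byte are the high bits of the ten-bit cylinder number. The sample MBR is constructed: it holds one active NTFS partition starting at LBA 63 whose sector count is borrowed from Appendix E.2, and three unused slots.

```python
"""Added example: parse the four MBR partition entries at offset 446 and name
their type codes. Not the report's code; the sample MBR below is constructed."""
import struct

PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
PARTITION_TYPES = {                                    # Appendix D.1.2
    0x00: "Unused Partition Entry", 0x01: "FAT 12", 0x04: "FAT 16", 0x06: "FAT 16B",
    0x07: "NTFS", 0xA8: "UFS", 0xAF: "HFS (HFS+)",
}


def decode_chs(head, sector_byte, cyl_low):
    """CHS packing: sector = low 6 bits of its byte; the two high bits of that
    byte are bits 8-9 of the 10-bit cylinder number."""
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return (cylinder, head, sector)


def parse_partition_entry(entry):
    (boot, s_head, s_sec, s_cyl, ptype, e_head, e_sec, e_cyl,
     start_lba, n_sectors) = struct.unpack("<BBBBBBBBII", entry)
    return {
        "active": boot == 0x80,                            # offset 446: 80h active, 00h not
        "type_code": ptype,                                # offset 450
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "start_chs": decode_chs(s_head, s_sec, s_cyl),     # offsets 447-449
        "end_chs": decode_chs(e_head, e_sec, e_cyl),       # offsets 451-453
        "start_lba": start_lba,                            # offset 454: relative sector
        "total_sectors": n_sectors,                        # offset 458
    }


def parse_mbr(sector):
    """All four entries of the partition table; unused slots have type 00."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + ENTRY_SIZE]))
    return entries


def volume_byte_offset(entry, bytes_per_sector=512):
    """Where the partition's own VBR begins in the image: relative sector x sector size."""
    return entry["start_lba"] * bytes_per_sector


def build_sample_mbr():
    """Constructed MBR with one active NTFS partition and three unused slots."""
    mbr = bytearray(512)
    entry = struct.pack("<BBBBBBBBII",
                        0x80, 1, 1, 0,          # active; start CHS (cyl 0, head 1, sector 1)
                        0x07,                   # NTFS
                        254, 0xFF, 0xFF,        # end CHS (1023, 254, 63): clipped, LBA governs
                        63, 37_190_412)         # relative sector, total sectors
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    for n, e in enumerate(parse_mbr(build_sample_mbr())):
        print(n, e["type_name"], "active" if e["active"] else "", e["start_lba"], e["total_sectors"])
```

On the case drive sector 0 held no such table, only an NTFS VBR, which is the observation behind the conclusion in section 3.2 that the disk was a single unpartitioned data volume rather than a bootable system disk.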
Appendix E Findings
Appendix E.1 Initial Acquisition
Case Creation Details
Accessing the drive for acquisition.
Identification of the drive in question.
Confirmation that the drive was write blocked to prevent alteration.
Parsing the details of the evidence drive.
Adding the acquisition files to the case.
Acquisition details regarding the actual acquisition.
Evidence added ready for analysis.
Hash confirmation of the drive confirming no alteration has occurred during acquisition.
Appendix E.2 Drive Structure
The following details are regarding the drive in question and the acquisition machine. The first two
tables below detail the serial numbers for the evidence drives, the file system types and the drive
specification details.
The third table details the acquisition with regards to the storage locations, verification hashes and
whether the drive was write blocked during acquisition.
Serial Number: 9683-E291
Full Serial Number: 29683F09683E291
Driver Information: NTFS 3.1
File System: NTFS
Sectors per cluster: 8
Bytes per sector: 512
Total Sectors: 37,190,412
Total Capacity: 19,041,488,896 Bytes (17.7GB)
Total Clusters: 4,648,801
Unallocated: 18,930,753,536 Bytes (17.6GB)
Free Clusters: 4,621,766
Allocated: 110,735,360 Bytes (105.6MB)
Volume Name: Data Area
Volume Offset: 0
Drive Type: Fixed
Name: TPR000001-27-02-13-0003
Actual Date: 04/03/13 16:43:04
Target Date: 04/03/13 16:43:04
File Path: D:\Cases\TPR000001-27-02-13\Evidence\TPR000001-27-02-13-0003.E01
Case Number: TPR000001-27-02-13
Evidence Number: TPR000001-27-02-13-0003
Examiner Name: P.Green
Notes: Investigation in Forensic Laboratory computer system
Label: FastBloc
Model: _FE_v2,_Guidance
Drive Type: Fixed
File Integrity: Completely Verified, 0 Errors
Acquisition MD5: 824d4cc6e7aaae196a0f662d5c8a862e
Verification MD5: 824d4cc6e7aaae196a0f662d5c8a862e
Acquisition SHA1: c168adaabd6acf4d0f699c1caf32569ef7f6a320
Verification SHA1: c168adaabd6acf4d0f699c1caf32569ef7f6a320
GUID: d7d9cd26b0c1574bb7bd071f04d12c7a
EnCase Version: 6.19.4
System Version: Windows 7
Write Blocked: Fastbloc
Neutrino: False
Is Physical: False
Raid RHS: False
Raid Stripe Size: 0
Error Granularity: 64
Process ID: 0
Index File: D:\Cases\TPR000001-27-02-13\Index\TPR000001-27-02-13-0003-d7d9cd26b0c1574bb7bd071f04d12c7a.Index
Acquisition Info: False
Sources: False
Subjects: False
Read Errors: 0
Missing Sectors: 0
Disk Elements: False
CRC Errors: 0
Compression: Good
Total Size: 19,041,490,944 Bytes (17.7GB)
Total Sectors: 37,190,412
Disk Signature: 00000000
Partitions: Valid
Appendix E.2.1 Volume Boot Record
56 | P a g e
Appendix E.2.2 Backup Volume Boot Record
Appendix E.3 Folder Structure└─TPR000001-27-02-13-0003 ├─$Extend ├─b3020c27961fa086e56fff75 ├─b7a4536994c56db768be6df31111da80 ├─Docs ├─e5bfa4a130271a7db945be5d16d0 ├─Email ├─Email ├─msdownld.tmp ├─MSIb03d4.tmp ├─MSIbdd2c.tmp ├─MSIefae2.tmp ├─MSOCache ├─RECYCLER ├─System Volume Information ├─Temp ├─webmail └─Lost Files
Appendix E.4 Volume Creation
The following table documents the creation, access and modification dates of the $MFT, which is
created when the drive is formatted with the NT file system.
Bookmark Type: Notable File
Comment: $MFT Creation
Page Break: False
Show Picture: True
Entry Selected: False
File Offset: 0
Name: $MFT
In Report: True
Description: File, Internal, Hidden, System
Is Deleted: False
Last Accessed: 16/06/04 09:18:24
File Created: 16/06/04 09:18:24
Last Written: 16/06/04 09:18:24
Entry Modified: 16/06/04 09:18:24
File Acquired: 04/03/13 16:43:04
Logical Size: 5,931,008
Initialized Size: 5,931,008
Physical Size: 5,931,008
Starting Extent: 0TPR000001-27-02-13-0003-C786432
File Extents: 1
Permissions: True
References: 1
Physical Location: 3,221,225,472
Physical Sector: 6,291,456
Evidence File: TPR000001-27-02-13-0003
File Identifier: 0
Code Page: 0
Hash Properties: False
Full Path: TPR000001-27-02-13\TPR000001-27-02-13-0003\$MFT
Is Duplicate: False
Is Internal: True
Is Overwritten: False
Bookmark Path: Drive Specifications\NoName
Bookmark Start: 3,221,225,472
Bookmark Sector: 6,291,456
Notable: False
Excluded: False
Sequence ID: 1
TPR000001-27-02-13\TPR000001-27-02-13-0003\$MFT
$MFT Creation
Appendix E.5 Timeline of File
Appendix E.6 User Accounts
Appendix E.6.1 User Account Structure
The user account structure is similar across all operating systems using the NT file system. The
structure is divided into five sections:
String Identifier – for user accounts this is always ‘S’.
Revision level of the string – the current revision level is 1.
Identifier of the authority value – see the table below.
Identifier of the local computer or domain – this depends upon the computer or domain.
Relative Identifier – typically used to identify a user or group that is not created by default by
the system.
Value Authority
0 None
1 World
2 Local
3 Creation
4 Non-unique
5 NT
9 Resource Manager
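As an added illustration of the five-section structure above and of how the SIDs reported in Appendix E.6.2 are recovered from the $MFT, the following Python (written for this page, not part of the original investigation or of EnCase) parses a textual SID, finds SID strings stored as UTF-16 text, and decodes the binary SID layout used in NTFS security descriptors. The sample SID and byte strings are constructed for the example, not evidence from the case.

```python
import re
import struct

# Authority values as listed in the table in Appendix E.6.1.
AUTHORITIES = {0: "None", 1: "World", 2: "Local", 3: "Creation",
               4: "Non-unique", 5: "NT", 9: "Resource Manager"}

SID_TEXT = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")

def parse_sid(sid):
    """Split a textual SID into the sections described in Appendix E.6.1."""
    m = SID_TEXT.fullmatch(sid)
    if m is None:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return {
        "revision": revision,
        "authority": AUTHORITIES.get(authority, f"Unknown ({authority})"),
        # Values between the authority and the last one identify the machine
        # or domain; the last value is the Relative Identifier (RID).
        "domain": subs[:-1],
        "rid": subs[-1],
    }

def sids_in_utf16(data):
    """Find SID strings stored as UTF-16LE text, the form in which file names
    such as RECYCLER\\S-1-5-21-... sit in the $MFT (the interleaved NUL bytes
    are what appear as spaces in the raw keyword-hit previews in E.6.2)."""
    text = data.decode("utf-16-le", errors="replace")
    return [m.group(0) for m in SID_TEXT.finditer(text)]

def sid_from_binary(blob):
    """Decode the binary SID layout used in NTFS security descriptors: revision
    (1 byte), sub-authority count (1 byte), 6-byte big-endian authority, then
    'count' little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

# Constructed sample (not evidence from the case): a domain-style SID embedded
# in UTF-16LE text with surrounding bytes, and the same SID in binary form.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"
SAMPLE_UTF16 = b"\x10\x00" + SAMPLE_SID.encode("utf-16-le") + b"\x00\x00\x5c\x00"
SAMPLE_BINARY = (b"\x01\x05" + (5).to_bytes(6, "big")
                 + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 1013))
```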
Appendix E.6.2 User Accounts with the $MFT
Name   Hit Text   Preview (UTF-16 text of the hit with the per-character spacing collapsed; unreadable bytes omitted)
$MFT   S-1-5-     S-1-5-21-1077148053-4198568005-1106
$MFT   S-1-5-     S-1-5-~3-100
$MFT   S-1-5-     S-1-5-21-1077148053-4198568005-1106
$MFT   S-1-5-     S-1-5-21-854245398-1563985344-83952
$MFT   S-1-5-     S-1-5-~1QhR
$MFT   S-1-5-     S-1-5-~2
$MFT   S-1-5-     S-1-5-~1-320
$MFT   S-1-5-     S-1-5-21-329068152-1972579041-72534
$MFT   S-1-5-     S-1-5-~4-100
$MFT   S-1-5-     S-1-5-21-1077148053-4198568005-1106
$MFT   S-1-5-     S-1-5-21-1077148053-4198568005-1106
$MFT   S-1-5-     S-1-5-~2-850
$MFT   S-1-5-     S-1-5-21-854245398-1563985344-83952
$MFT   S-1-5-     S-1-5-21-725345543-1532298954-16069
Appendix E.6.3 Owner of Folders
Appendix E.6.4 User – Olga Angelopoulou
Appendix E.6.5 Owner of Deleted Emails
Appendix E.7 Email
└─Email
  ├─oangelop.PAB
  │ └─PST Volume
  │   ├─Lost Items
  │   └─Message store
  └─oangelop.pst
    └─PST Volume
      ├─Inbox props
      ├─Lost Items
      ├─Message store
      ├─name-to id-map
      └─Root folder
Appendix E.8 Internet History
Avast Anti-virus
www.xamogelo.org
www.musicgr.com
www.greek-music-forum.com