Forensics Lab Exercises at SUNY Buffalo

Instructor: David Murray

(Transcript of a PowerPoint PPT presentation, posted 12-Jan-2016)


Tracing Email

Roughly 16 Billion emails are sent on the Internet each day. Much of that email is in the form of unwanted spam and junk email. Using common networking utilities and programs, a forensics investigator can usually trace the origins of an email to the originating IP address of the sending computer. These techniques can also be used to track the origin of unknown, spoofed or harassing emails and for tracking down criminals.

You do not need to use the forensics lab to complete this exercise. Any Internet connected computer can be used to complete this lab.

In order to trace the origins of an email, you will have to examine the email message headers to determine that information. Viewing the headers for a particular email message differs from one email program to another. For example, in MS Outlook, you have to open the email and select View, Options. Other email clients will require a different set of steps to view the headers.

Identifying the sending machine hostname and IP address

Here is a sample email header from a message sent to Professor Murray by the departmental secretary, Val. The line that is bolded and underlined in the original slide shows the hostname and IP address of the machine that the message was sent from: the bottom-most Received: header, which records jac335-limpert.mgt.buffalo.edu (128.205.203.82).

Return-Path: <[email protected]>
Received: from murder ([unix socket])
  (authenticated user=djmurray bits=0)
  by email1.acsu.buffalo.edu (Cyrus v2.2.12-UB_mail1_2005_03_01) with LMTPA;
  Wed, 08 Feb 2006 14:37:58 -0500
Delivered-To: [email protected]
Received: (qmail 11306 invoked from network); 8 Feb 2006 19:37:58 -0000
Received: from unknown (HELO mailscan7.acsu.buffalo.edu) (128.205.6.158)
  by mail1 with SMTP; 8 Feb 2006 19:37:58 -0000
Received: (qmail 12527 invoked by uid 22493); 8 Feb 2006 19:37:57 -0000
Delivered-To: [email protected]
Received: (qmail 12514 invoked from network); 8 Feb 2006 19:37:57 -0000
Received: from smtp1.acsu.buffalo.edu (128.205.6.84)
  by front2.acsu.buffalo.edu with SMTP; 8 Feb 2006 19:37:57 -0000
Received: (qmail 29820 invoked from network); 8 Feb 2006 19:37:57 -0000
Received: from jac335-limpert.mgt.buffalo.edu (HELO JAC325VALERIE) (128.205.203.82)
  by smtp1.acsu.buffalo.edu with SMTP; 8 Feb 2006 19:37:57 -0000
From: "Valerie Bartkowiak" <[email protected]>
To: "'David J. Murray'" <[email protected]>
Subject: RE: Conference Room Furniture
Date: Wed, 8 Feb 2006 14:37:49 -0500
MIME-Version: 1.0
Content-Type: text/plain;  charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Importance: Normal
X-UB-Relay: (jac335-limpert.mgt.buffalo.edu)
X-PM-EL-Spam-Prob: : 7%
X-DCC-Buffalo.EDU-Metrics: email1.acsu.buffalo.edu 1029; Body=0 Fuz1=0 Fuz2=0

Using Nslookup to find a hostname

Sometimes the message header will only have an IP address and not a hostname. In the previous example, both the machine name and IP address were included in the message header. But what can you do to track down a machine if you only know the IP address? Here is another sample email header which includes only an IP address. See below the message for some specific things you can do.

Return-Path: <[email protected]>
Received: from murder ([unix socket])
  (authenticated user=djmurray bits=0)
  by email1.acsu.buffalo.edu (Cyrus v2.2.12-UB_mail1_2005_03_01) with LMTPA;
  Thu, 9 Feb 2006 23:21:45 -0500
Delivered-To: [email protected]
Received: (qmail 14244 invoked from network); 10 Feb 2006 04:21:45 -0000
Received: from unknown (HELO mailscan5.acsu.buffalo.edu) (128.205.6.137)
  by mail1 with SMTP; 10 Feb 2006 04:21:45 -0000
Received: (qmail 19652 invoked by uid 22493); 10 Feb 2006 04:21:45 -0000
Delivered-To: [email protected]
Received: (qmail 19642 invoked from network); 10 Feb 2006 04:21:45 -0000
Received: from bay105-f39.bay105.hotmail.com (HELO hotmail.com) (65.54.224.49)
  by front3.acsu.buffalo.edu with SMTP; 10 Feb 2006 04:21:45 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Thu, 9 Feb 2006 20:21:44 -0800
Message-ID: <[email protected]>
Received: from 65.54.224.200 by by105fd.bay105.hotmail.msn.com with HTTP;
  Fri, 10 Feb 2006 04:21:44 GMT
X-Originating-IP: [69.163.26.172]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
From: "Dave Murray" <[email protected]>
To: [email protected]
Subject: Check the email header
Date: Thu, 9 Feb 2006 23:21:44 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 10 Feb 2006 04:21:44.0284 (UTC) FILETIME=[53FB91C0:01C631E7]
X-UB-Relay: (bay105-f39.bay105.hotmail.com)
X-PM-Spam-Prob: : 7%
X-DCC-Buffalo.EDU-Metrics: email1.acsu.buffalo.edu 1028; Body=0

There is a DOS command called nslookup, and a parallel command in UNIX called host, which will look up a hostname based on an IP address and vice versa. Open a DOS command prompt and run the nslookup command to determine the hostname of the machine that sent the email message above. The syntax of the command is: nslookup IPaddress (where IPaddress is the IP of the machine you want to look up).
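The header walk described above can be automated. The script below is an added example, not code from this handout: it unfolds each Received: header, pulls out the host and IP that each relay observed, and treats the bottom-most hop as the originating machine, since every relay prepends its own Received: line. Only the lines written by relays you control are trustworthy; anything below them can be forged by the sender, which is why the parser also understands the "really [ip]" form that some relays use to record the true connecting address (the handout's spam sample shows one). The sample header, the hostnames, the documentation-range IPs and the PTR table are all constructed assumptions; the resolver is injectable so the demo runs offline, and with no resolver supplied it falls back to socket.gethostbyaddr, the library equivalent of nslookup or host.

```python
"""Walk an email's Received: chain to find the originating host.

Added example, not code from the SUNY Buffalo lab handout. The header below
is constructed (documentation IP ranges, example.test names), modelled on the
handout's samples; the "really [...]" form copies the InterMail style seen in
the handout's spam sample.
"""
import re
import socket
from email.parser import HeaderParser

# Constructed sample. Relays prepend Received: headers, so the top line is the
# last hop before delivery and the bottom line is the first hop: the machine
# that handed the message to the sender's own mail server.
SAMPLE_HEADER = """\
Return-Path: <sender@example.test>
Received: from unknown (HELO mailscan7.example.test) (192.0.2.158)
  by mail1 with SMTP; 8 Feb 2006 19:37:58 -0000
Received: (qmail 12527 invoked by uid 22493); 8 Feb 2006 19:37:57 -0000
Received: from smtp1.example.test (192.0.2.84)
  by front2.example.test with SMTP; 8 Feb 2006 19:37:57 -0000
Received: from [203.0.113.104] (really [198.51.100.30])
  by edge2.example.test with SMTP; 8 Feb 2006 19:37:57 -0000
Received: from jac335-limpert.example.test (HELO JAC325VALERIE) (198.51.100.82)
  by smtp1.example.test with SMTP; 8 Feb 2006 19:37:57 -0000
From: "Valerie" <sender@example.test>
To: <recipient@example.test>
Subject: RE: Conference Room Furniture

"""

# Constructed PTR records so the demo runs offline; a real run would use
# socket.gethostbyaddr, the library equivalent of `nslookup <ip>` / `host <ip>`.
FAKE_PTR = {"198.51.100.82": "jac335-limpert.example.test"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV4_RE = re.compile(IPV4)
# "from <name> <anything> by <relay>": the part between the name and "by" holds
# the HELO string and the connecting IP as the relay itself observed them.
FROM_RE = re.compile(r"^from\s+(?P<name>\S+)(?P<rest>.*?)\s+by\s+(?P<relay>\S+)")
# Some relays record the address the client claimed and, after "really", the
# address the TCP connection actually came from.
REALLY_RE = re.compile(r"really\s+\[(" + IPV4 + r")\]")


def parse_hops(raw_header):
    """Return one dict per Received: header that names a sending host, top to bottom."""
    msg = HeaderParser().parsestr(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = FROM_RE.match(value)
        if not m:
            continue  # local hand-offs such as "(qmail ... invoked by uid ...)" name no sender
        name, rest, relay = m.group("name", "rest", "relay")
        really = REALLY_RE.search(rest)
        ips = IPV4_RE.findall(name + rest)
        hops.append({
            "claimed": name.strip("[]"),   # hostname or address the client presented
            "ip": really.group(1) if really else (ips[-1] if ips else None),
            "relay": relay,                # the server that wrote this header
            "forged_claim": bool(really),  # claimed address differs from the real one
        })
    return hops


def originating_ip(raw_header):
    """Prefer a webmail X-Originating-IP header; otherwise use the bottom-most hop."""
    msg = HeaderParser().parsestr(raw_header)
    x_orig = msg.get("X-Originating-IP")
    if x_orig:
        found = IPV4_RE.search(x_orig)
        if found:
            return found.group(0)
    hops = parse_hops(raw_header)
    return hops[-1]["ip"] if hops else None


def reverse_lookup(ip, resolver=None):
    """PTR lookup for ip; `resolver` is injectable so tests can stay offline."""
    resolver = resolver or (lambda addr: socket.gethostbyaddr(addr)[0])
    try:
        return resolver(ip)
    except (OSError, KeyError):  # NXDOMAIN or timeout, or a miss in the fake table
        return None


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADER):
        print(hop)
    ip = originating_ip(SAMPLE_HEADER)
    print("origin:", ip, reverse_lookup(ip, FAKE_PTR.__getitem__))
```

Run without arguments it prints the four hops and the origin; calling reverse_lookup with no resolver performs a live PTR query, which is the point where the handout has you switch to nslookup or host.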

Record the IP address of the sending computer: _______________________________

Record the hostname of the sending computer: ________________________________

Testing this in UB Webmail

Your next task is to analyze the email headers of any message you have in your UB Webmail account. You should use the Simple Interface for UB Webmail and you must configure your web browser to allow popup windows on the UB Webmail site. To view the message headers, login to Webmail, open a message to view, and click on the View Headers button on the left menu. The email header will appear in a popup window.

Include a copy of the message headers to submit. Also:

Record the IP address of the sending computer: _______________________________

Record the hostname of the sending computer: ________________________________

Next, go to the following website and try the IP Locater and Spam Locater tools with your message. http://www.geobytes.com/FreeServices.htm Record your findings.

You can also perform a whois query of the data on the geobytes.com website. Using the website, try a query on different whois databases and record your findings.

Alternatively, there is also a whois command in UNIX which can be used to look up the domain registration information for a particular domain. The syntax is: whois Domainname | more (where Domainname is the domain you want to check)

Additional Questions

1) What is DHCP? Does using DHCP make tracing email more or less difficult? Why?

2) What are the IP addresses for www.mgt.buffalo.edu? What tool did you use to find this information?

3)  What domain name is associated with 128.205.4.175? What tool did you use?

4) Provide an example of one other network tool, utility or website that would be useful when investigating email.

5) Given the spam message below, who should be contacted about the email abuse? Hint: You might have to check multiple whois databases for this information

Return-Path: <[email protected]>
Received: from edge2.adelphia.net ([196.207.204.30])
  by mta3.adelphia.net (InterMail vM.6.01.05.02 201-2131-123-102-20050715) with ESMTP
  id <[email protected]>; Fri, 3 Feb 2006 12:14:46 -0500
Received: from [68.168.78.104] (really [196.207.204.30])
  by edge2.adelphia.net (InterMail vG.2.00.00.02 201-2161-108-103-20050713) with SMTP
  id <20060203171445.NRNT24782.edge2.adelphia.net@[68.168.78.104]>; Fri, 3 Feb 2006 12:14:45 -0500
Received: from highspeed.com (s660-402-58-007.stalk.net.nz[196.207.204.30])
  by cigi58.bt.com (zsvauqme18) with SMTP id <29365405902v32550fur7w>; Fri, 03 Feb 2006 14:14:38 -0300
Message-Id: <[email protected]>
From: "Mycah Heinonen" <[email protected]>
To: "Dheisler" <[email protected]>
Subject: Re: dusenbury
Date: Fri, 03 Feb 2006 10:08:38 -0700
MIME-Version: 1.0

Dear HomeOwner,

Your credit doesn't matter to us! If you OWN real estate and want IMMEDIATE cash to spend ANY way you like, or simply wish to LOWER your monthly payments by a third or more, here are the deals we have TODAY (hurry, these offers will expire TONIGHT):

Low as
$432,000.00 at a 3.30,% fixed-rate
$381,000.00 at a 3.72,% variable-rate
$407,000.00 at a 3.00,% interest-only
$290,000.00 at a 3.49,% fixed-rate
$110,000.00 at a 3.48,% variable-rate

Hurry, when these deals are gone, they are gone! Simply fill out this one-minute form

Don't worry about approval, your credit will not disqualify you!

http://<.pyrolyse.ref789.com

Sincerely,
Verna Steeves
Approval Manager


Acquiring and Validating Digital Evidence

In this information age, digitized data is everywhere you turn. Businesses thrive on the ability to quickly process this data into information to use as a competitive business advantage. Unfortunately, it may be disastrous for a company if sensitive data or information falls in the hands of a competitor. A disgruntled (or greedy) employee may attempt to copy sensitive data and redistribute it to competitors. A digital forensics investigation and analysis may not prevent this from happening, but is part of a proper business response to this type of situation.

For this exercise, you will use the Encase software and hardware write blockers to image a hard drive and verify the digital evidence. This is generally considered the first step in any forensics investigation. If any illegal activity is suspected, it would be best to inform law enforcement and involve them in the process. Officers are the only people who legally can acquire evidence to present in a court of law so if you suspect a trial may result from your investigation, get law enforcement involved!

The forensics lab is in Jacobs 323. Swipe your UB card at the entrance to gain access to the lab.

Removing the hard drive from the suspect’s PC

Your first step is to get your hands on the physical hard drive (or drives) that you want to image and analyze. The suspect PC is labeled Crash Machine and is on the table opposite the Forensic Workstations. There is a toolkit with screwdrivers on the table as well. Do NOT power the suspect’s PC on! Booting a computer will change many files on the hard drive which will compromise your investigation. A savvy employee may even have some sabotage code that runs when the PC is not booted in a particular fashion. This sabotage code may delete important evidence for your investigation.

Although you don’t need to do this for the lab, it is usually a good idea to take pictures of the desk and surrounding area in order to 1) document your findings and 2) restore the work area back to its original state when you’re done. These preliminary investigations usually happen without the employee knowing, so making sure everything is put back in its place will help prevent the employee from being tipped off that they’re being investigated.

Before handling any electronic equipment, it should be unplugged and you should take care to ground yourself to limit the transfer of static electricity. To remove the hard drive, you first must remove the outer case of the computer. Each PC will have a different mechanism for removing the case. Some are easy and some not so easy to remove. For this particular Dell machine, one half of the case can be removed to access the internal components of the computer.


First, in the back of the PC towards the bottom, locate the metal locking mechanism. The arrow on the picture below shows where the locking mechanism is. Next, slide the metal locking mechanism towards the center of the PC so that the two rings are not lined up. This will disengage part of the locking mechanism that holds the case on. In the picture, it should be moved to the left as far as possible.

Next, press the small plastic button on the front of the case at the bottom to release the one side of the PC case. The arrow in the above picture shows where the button is on the front of the PC. The case can be lifted up and then removed. Here is a visual from Dell’s website which illustrates how the case is removed.


Now that the case is removed, you can locate the hard drive (or hard drives) for removal. If you’ve never seen a hard drive, there is a picture of one on the left below. The image on the right shows the underside of a hard drive, and the locations where the IDE ribbon cable (top) and power cable (bottom) connect to the drive.

Each PC hard drive will have a hard drive ribbon cable and a power cable connected to it. Sometimes, multiple devices (CD ROMs, DVD ROMs, etc.) will be daisy chained on a single drive and/or power cable. For this exercise, there is only one hard drive in the PC that you must acquire.

To remove the metal chassis that holds the hard drive, look for a sticker of a green arrow pointing to a single screw. Once you remove that single screw, the entire metal chassis that holds the hard drive can now rotate out towards you. At this point, you will need to disconnect the IDE drive cable and the power cable from the drive. Once the hard drive chassis is rotated out 90 degrees towards you, you can then slide the entire chassis unit up and out. To save some time, I don’t recommend removing the hard drive from the chassis since you can image the drive even though it’s still attached to the metal chassis.

Record the make, model, capacity and other relevant information about the hard drive you just removed.

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________


Connecting the write blockers

The hardware write blockers are used to prevent any data from being written to the suspect’s hard drive during the imaging (copying) process. The specific write blocker cables, power supplies and bridge are already set out on the forensics bench for you. Log in to the Encase forensics machine (on the right) with the username Forensics and password mgtMSS100.

Connect the FireWire 800 IDE Bridge to the hard drive, ensuring that the drive pins line up. Next, connect the FireWire cable from the FireWire 800 IDE Bridge to the FireWire port in the front panel of the Alienware PC. The FireWire port is next to two USB ports on the front of the PC. You may need an adapter for the FireWire cable.

Connect the power cable to the FireWire 800 IDE Bridge, Hard Drive and Forensic Computers Drive Power Switch. Make sure the switch is in the Off position.

Connect the power adapter cord from the Forensic Computers Drive Power Switch to the Tableau Power Adapter. Plug the Tableau Power Adapter into the power strip under the table.

Switch the Forensic Computers Drive Power Switch to the On position. You will hear the hard drive begin to make a whirring noise as it powers up. The PC should now recognize another device (drive) attached to the computer.

Open My Computer to browse for the attached devices. It will be listed under the Hard Disk Drives. Double click on the drive letter for that drive and write down the message that appears. If no message appears, try renaming a file on the drive and record that message instead.

______________________________________________________________________

______________________________________________________________________

Imaging and verifying (hashing) the hard drive image

Start the EnCase program by double clicking on the EnCase icon on the desktop.

Click File, New and enter your new Case information. Change the Name to your name or group. Change the Examiner Name to your name. Click Finish.

Click the Add Device button on the Toolbar. Select Local Drives on the right pane and click Next. Select the drive letter (possibly K:) of the added hard drive and click Next.


Is the Write Blocked option selected? Why or why not?

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Click Finish.

Click on the View Menu and make sure the Auto Fit option is checked.

Click the check box next to the drive letter of the acquired drive in the tree pane (see arrow below).

An Acquire button should now appear on the toolbar. Click on this button to begin the imaging process.

Make sure the Search, Hash and Signature Analysis option is checked. Click Next. Click Next again. Select None for Compression. Click Finish.

You will see a flashing message "Acquiring Evidence" and a countdown timer in the bottom right hand corner. This process will take about 15 minutes. While you're waiting for the drive partition to image, you can research and answer the questions on the following page. The only PC with internet connectivity is the Forensics Research Workstation on the left hand side of the Forensics room when you enter.


Additional Questions

1) Aside from MD5, what other hashing algorithms can be used to verify digital evidence?

2) Would it be useful for a digital forensic investigator to use multiple hashing algorithms to verify the digital evidence?

3) For this exercise, you were required to image an IDE hard drive. Identify two other hard drive technologies commonly used today. Hint: Check the write blockers in the tackle box on top of the filing cabinet to see what other hardware write blockers exist.

4) Research and identify an open source drive imaging program.

5) Why don’t the primary forensic workstations have Internet connectivity?

By now the hard drive should be imaged, and you should record the results of the Acquire process. The results should include the status, start and stop time, total time, name, path, GUID and Acquisition Hash value. You can easily copy and paste the results from that screen.

______________________________________________________________________

______________________________________________________________________

Next, you should hash the entire drive to get a unique hash value. To do this, Right click on the drive letter in the tree pane and select Hash from the context menu that appears. Click OK to start the hashing process which takes about 2-3 minutes. Record the hash value and compare it with the hash value generated during the Acquire process. You can easily copy and paste the results from that screen. If done properly, it will match the Hash value generated during the Acquire process.
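The Acquire and Hash steps above amount to: hash the bytes as they are read from the source, write them to an image, then re-hash the image and compare. The script below is an added example, not EnCase and not code from this handout; it goes slightly beyond the handout by computing SHA-256 alongside MD5 during the same read pass, which is what the Additional Questions about other hashing algorithms are getting at. The "drive" is a constructed temporary file; on a real acquisition the source would be the device exposed through the hardware write blocker, and opening it read-only in software is no substitute for the blocker.

```python
"""Image a source while hashing it, then re-hash the image to verify it.

Added example, not EnCase and not the handout's code. The "drive" is a
constructed file; on a real acquisition the source would be the device
behind a hardware write blocker (e.g. /dev/sdb opened read-only), and opening
it read-only in software is no substitute for the blocker.
"""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read/write 1 MiB at a time so large drives stream
ALGORITHMS = ("md5", "sha256")  # MD5 as EnCase reports it, plus a second algorithm


def _digest_stream(stream, algorithms=ALGORITHMS, sink=None):
    """Hash every chunk of `stream` with each algorithm; copy it to `sink` if given."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory byte string (handy for checking known test vectors)."""
    return _digest_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Digests of a file or block device, read in chunks."""
    with open(path, "rb") as f:
        return _digest_stream(f, algorithms)


def acquire(source_path, image_path, algorithms=ALGORITHMS):
    """Copy the source to a raw image; return the acquisition hashes of the bytes read."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        digests = _digest_stream(src, algorithms, sink=dst)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before we trust it
    return digests


def verify(acquisition_hashes, image_path):
    """Re-hash the image (the handout's Hash step) and report per-algorithm agreement."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    return {name: acquisition_hashes[name] == current[name] for name in acquisition_hashes}


def demo():
    """Acquire a constructed drive, verify, then alter one byte and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive.bin")
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DISK " * 70000)  # ~1.6 MiB, spans >1 chunk
        acquisition = acquire(source, image)
        source_hashes = hash_file(source)
        verified = verify(acquisition, image)
        with open(image, "r+b") as f:  # simulate a corrupted or altered image
            f.seek(100)
            f.write(b"X")
        after_tamper = verify(acquisition, image)
    return acquisition, source_hashes, verified, after_tamper


if __name__ == "__main__":
    acq, src, ok, bad = demo()
    print("acquisition hashes:", acq)
    print("verify:", ok, " after tamper:", bad)
```

Recording both digests costs nothing extra in I/O, since both are updated from the same chunk, and a later challenge to MD5 alone does not then undermine the whole acquisition record.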

______________________________________________________________________

Once you are finished with the lab, everything must be reset back to its original configuration. First, switch the Forensic Computers Drive Power Switch to the off position and disconnect the hard drive power cord and IDE Bridge. Reinstall the hard drive chassis back into the original Dell computer and reconnect the IDE and power cables to the hard drive. Don’t forget to attach the screw that holds the chassis in place. Lastly, place the cover back on the Dell computer in reverse order that it was removed.


CASE on Forensics

Digital Evidence Analysis

In this information age, digitized data is everywhere you turn. Businesses thrive on the ability to quickly process this data into information to use as a competitive business advantage. Unfortunately, it may be disastrous for a company if sensitive data or information falls in the hands of a competitor. A disgruntled (or greedy) employee may attempt to copy sensitive data and redistribute it to competitors. A digital forensics investigation and analysis may not prevent this from happening, but is part of a proper business response to this type of situation.

For this exercise, you will use the Encase software and other software utilities to analyze the contents of a drive image. This is considered the analysis phase in a forensics investigation. If any illegal activity is suspected, it would be best to inform law enforcement and involve them in the process.

The forensics lab is in Jacobs 323. Swipe your UB card at the entrance to gain access to the lab.

Scenario

Company X has a quantity discount policy that gives a discount to its customers who purchase the company’s products in bulk (e.g., over 50 or 100 units). However, Mr. Robin Williams, the sales manager of company X, has received several complaints from his customers, since summer 2004, saying that the actual discount amount was less than they expected. Also, he recently noticed an increase in the number of customers requesting to change their credit card numbers registered for automatic payment due to becoming victims of identity theft. Although Company X was not blamed for the identity theft incidents, Mr. Williams needs to make sure that no one in his department is involved in the incidents. He also needs to investigate the complaints about inconsistent discount amounts for volume purchases.

As Mr. Williams observes his staff more closely, he begins to piece anecdotal evidence together casting suspicion on a sales representative, Mr. John Wayne. Mr. Williams recalls seeing Mr. Wayne often working with his computer in the office on Saturdays, even when Mr. Wayne’s workload was very low.

Mr. John Wayne has been working for Company X as a sales representative since 2003. He has been a reputable employee, though not a stellar performer in the department. He was excluded from the annual promotion, which was announced last month, but he didn’t seem too disappointed. In spite of his average sales performance (and average sales commissions), Mr. John Wayne indulges in expensive things. For example, he purchased a new car 3 months ago and recently bought a new high-end digital SLR camera (Canon digital EOS-1D Mark II) and laptop (Toshiba Qosmio G35).


The company has an information security policy that allows the company to inspect any computers and digital storage media in its office area. The company can just notify its employees 24 hours before the inspection, but does not need to seek consent from the employees. On April 3, 2006, Mr. Williams announced an information assurance audit, and seized all digital storage media in the department office on April 4.

Mr. Williams is aware of three customers who became victims of identity theft. Antonio Moreno’s credit card was charged for a P.O. Box that he never used. $3,999 was charged, by beachcamera.com, to Yang Wang’s credit card for a digital SLR camera that Mr. Wang neither ordered nor received. Marie Bertrand’s credit card was charged for a laptop computer ($2,299.88 by www.newegg.com), which was, of course, never ordered nor delivered to Ms. Bertrand.

Your job on the information assurance staff at Company X is to examine all the hard disks and memory cards found in the sales department’s office on April 4, 2006. A primary goal in this internal investigation is to limit the disruption of your company’s business. As a result, you acquired images of all the memory cards and returned them to the employees on April 7. You have examined several images of storage media, and now you are about to examine the image of Mr. Wayne’s secure digital memory card.

Analysis

Connect the Read Only digital media card reader on the shelf to the EnCase forensics PC and insert Mr. Wayne’s secure digital memory card. Using Windows Explorer, attempt to browse and identify the files on the media. What files, if any, can you see?

______________________________________________________________________

Your next step is to open the previously imaged evidence file in EnCase. The evidence is stored in the My Documents\ForensicsLab\MemoryCardAnalysis folder and is named JohnWayneSD1.E01. Simply double click the JohnWayneSD1.E01 file to open it in EnCase.

When the Case Options window pops up, enter your team name as the case name and the first names of your team members as the examiner name. Save the case with your team name as the file name in the My Documents\ForensicsLab\Teams folder.

Q1. The hash value of the secure digital memory card was: “F619D18D1FD7D8684B57B008D1E30E64”. Is your copy of the evidence file the same as the original evidence file?

______________________________________________________________________


Adding Keywords

Click on the View Menu and make sure the Auto Fit option is checked.

In the upper left corner menu bar, select Cases and then the Keywords submenu. On the Keywords icon in the upper left pane (Tree Pane), right click and select New.

When New Keyword pops up, type ####-?####-?####-?####[^#] in the Search expression line, and enter “Credit card numbers” as the name.

Check mark GREP and Active Code-Page, but nothing else.

Click the OK button.

Q2. What does the search expression mean? Why would you search for this keyword?

______________________________________________________________________

______________________________________________________________________


Add the names of the three identity theft victims as three new keywords. Make sure that GREP is unchecked for these text keywords.

Check the Keywords icon in the tree pane. This will select (check mark) all the keywords on the right upper pane (Table pane).


Selecting file signatures

In the upper left corner menu bar, select File Signatures. You want to use every file signature that you have, so check the File Signatures icon in the Tree pane as indicated in the image below.

*Keep in mind that some signatures you have registered with EnCase are not 100% accurate. Your file signature data (fingerprints of different file types) can help you find fake/incorrect file extensions, but can’t point out every fake file extension name for you.


Searching for keywords and inconsistent file types

In the main menu bar, select Search. When the Search window pops up, checkmark Search each file for keywords and Verify file signatures. This enables you to search file slack and undeleted files before searching. Also, you want to search for those 4 keywords that you previously inserted. Refer to the following screen shot for the recommended search setting.

Q3. How many Signature Mismatches did you find?

______________________________________________________________________

Q4. How many Search & Added Search hits did you find?

______________________________________________________________________


Analyzing the findings

In the upper left corner menu bar, select Cases and then Search Hits in the submenu bar.

Q5. How many credit card numbers (or numbers in a credit card number format) did you find?

______________________________________________________________________

Check and bookmark those hits by right-clicking and selecting the Bookmark Selected Items option in the context menu that appears (refer to above image).

Q6. Did you find any of the victims’ names in Mr. Wayne’s memory card? If yes, which one?

_____________________________________________________________________


In the upper left corner menu bar, select Cases and then Entries in the submenu bar. If necessary, drag the Signatures and File Ext columns next to the Name column in the Table Pane. To sort on multiple columns, 1) double click the Signature column heading, 2) double click the Name column heading while holding Shift key down, 3) double click the File Ext column heading while pressing the Shift key down.

Q7. Did you find any files that have a file extension that doesn’t match the signature of the file type? If so, how many?

______________________________________________________________________

As suggested by the mismatching signature, “Order Details.jpg” may be an MS Office document file. You need to rename the extension and try to open the file with every Office application. To do so, you need to save the evidence item as a file on the PC. Select (check) only the Order Details.jpg file, right-click on the file, and select the Copy/Unerase option in the context menu that appears. See the above image for an example.

Click Next, Next, and select a folder in which to save the suspicious file (make sure you don’t overwrite other teams’ files). Click Finish.

Use Windows Explorer to rename the file with various MS Office extensions (e.g., .doc, .xls, .ppt, etc.). Try opening the file each time you change the file extension.
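The signature check EnCase performs in the steps above (and the caveat earlier that signatures are not 100% accurate) comes down to comparing a file's first bytes against a table of known magic values and then against the extension it carries. The script below is an added example, not EnCase's signature table and not code from this handout; its table is a small hand-picked subset of well-known magic values, and the sample "evidence" is a set of constructed byte strings, including an "Order Details.jpg" that is really an OLE2 container, as in the handout. A file with no entry in the table comes back as unknown rather than as a mismatch, which is the accuracy limit the handout warns about.

```python
"""Compare each file's leading bytes (its signature) with its extension.

Added example, not EnCase's signature table or the handout's code. The
signature list is a small hand-picked subset; the sample files are
constructed byte strings, including an "Order Details.jpg" that is really an
OLE2 container, as in the handout.
"""
import os

# (magic bytes, description, extensions that legitimately carry that magic)
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (Office 97-2003)", {".doc", ".xls", ".ppt"}),
    (b"PK\x03\x04", "ZIP container (also Office 2007+)", {".zip", ".docx", ".xlsx", ".pptx"}),
]

# Constructed sample "evidence": file name -> first bytes of the file
SAMPLE_FILES = {
    "Order Details.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "Sales Q1.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "scan.PDF": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"just some text\n",
    "archive.zip": b"PK\x03\x04\x14\x00",
}


def identify(data):
    """Return (description, allowed_extensions) for the first matching signature, else (None, set())."""
    for magic, description, extensions in SIGNATURES:
        if data.startswith(magic):
            return description, extensions
    return None, set()


def classify(name, data):
    """'match', 'mismatch' (known signature, wrong extension) or 'unknown' (no signature on file)."""
    extension = os.path.splitext(name)[1].lower()
    description, extensions = identify(data)
    if description is None:
        return "unknown"
    return "match" if extension in extensions else "mismatch"


def scan(files):
    """Classify every file; return a dict name -> (verdict, description)."""
    return {name: (classify(name, data), identify(data)[0]) for name, data in files.items()}


def mismatches(files):
    """Names of files whose extension misrepresents their content: the ones to copy out and examine."""
    return sorted(name for name, (verdict, _) in scan(files).items() if verdict == "mismatch")


if __name__ == "__main__":
    for name, (verdict, description) in scan(SAMPLE_FILES).items():
        print(f"{verdict:9} {name:20} {description or '-'}")
```

Note that the OLE2 magic identifies only the container, not whether it holds a Word, Excel or PowerPoint document; that is why the handout has you try each Office extension in turn, and why a fuller tool would go on to read the container's stream names.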


Q8. What did you find from this file? Do both worksheets contain data? What did you find on the Org worksheet? Look carefully!

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Image recovery

To easily inspect the images saved on the memory card, select Cases – Entries – Home, and then click the home plate shaped icon in the Tree Pane (which shows all files in the folder and all its subfolders). It will turn green when selected. When you get the list of every file in the evidence file in the Table Pane, select the “Gallery” icon in the Table Pane tool bar.


Q9. Did you find any images that could be used in sales document forgery?

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q10. Did you find any images relevant to the identity theft incidents?

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q11. Did you find any interesting html files saved in the memory? How can you relate the html files to the identity theft incidents?

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Bookmark (refer to Q5 if needed) every file that you believe is important evidence of Mr. Wayne’s information misuse, breach of the company’s IA policy, and any other committed crime. The evidence (bookmarked file items and one copied file) should support the following:

1. Beginning March 1, Mr. John Wayne downloaded MS Excel files that contain the company’s transaction history to his secure digital memory card several times.

2. Mr. Wayne has appropriated $43,890.15 of company money by not giving the full quantity discount to the customers, yet reporting full discount to the company. He used MS Excel to prepare fake sales reports and to keep track of the money he stole.

3. In the process of illegally appropriating the money, he forged some sales transaction documents using scanned signatures of his supervisor (Mr. Tom Cruise), the sales manager (Mr. Robin Williams), an accountant (Mr. Jerry Seinfeld), and the vice president of the company (Mr. Mel Gibson).


4. Mr. Wayne purchased several items over the Internet using credit card numbers of the company’s customers. (He could do this by impersonating the card owners and having the items delivered to a P.O. Box, which was also borrowed using a customer’s information.)

5. Mr. Wayne attempted to destroy the evidence of his crime when Mr. Williams announced the IA audit on April 3. He wasn’t aware that the contents of deleted files can still be recovered by an IA investigator like you!

* Make sure to save your case file before you close EnCase. Your deliverables for this lab assignment are your answers to Q1-Q11 and your case file saved in the My Documents\Forensics\Teams folder.

** Do not delete other teams’ case files in Teams folder!
