Computer Forensics Report

Pat Smith – Acme Industries

Investigator: Chris Simone

11/5/06


Investigator Information

The following report was conducted by Chris Simone. My job is to take the evidence presented to me and deliver facts that would seem relevant to the case. The evidence being reviewed has been collected by a previous investigator and verified to be unaltered. Any questions or concerns pertaining to the acquisition of the evidence can be found in his/her report.

Case Description

Acme Industries’ Pat Smith is being investigated under the fear that he may be offering proprietary company information to a competitor in exchange for a job.

Computer and Forensic Tool Statistics

The computer was removed from its position in ACME Industries at 4/12/04 8:27:03 PM where it was carted out to a nearby secure forensics facility. Once settled at the forensics lab the hard drive was imaged to begin the research and testing. The image of the hard drive was tested using the program EnCase Forensic Edition Version 4.17b by Guidance Software. This program has been proven in the court of law to provide valid and accurate results when scanning and analyzing a system.

Investigation

The following was the procedure that I took to extract what data I found to be relevant to the case.

I created a new case called Case Study. I added to this case the already captured image file (C:\forensicsfile\winlabencase.image) by going to File à Add Device, clicking sessions, and clicking on add evidence file.

With the case loaded I immediately set the time zone by right clicking on the image à Modify Time Zone. From the following screen I selected the time zone that I was working in. This is done to adjust the evidence to all correlate in the same time zone.

The next step was to recover any hidden or deleted folders on the system. Doing this step now would allow my searches to be more complete in the future and determine if there were any actions taken to hide or destroy evidence. In order to do this I right clicked on the image à Recover Folders.

I ran a script next to determine the specifications about the computer because I had not been the one to create the image from the suspect machine. The script comes preloaded into EnCase V4. I went to View à Scripts and selected the Initialize Case script which prompted me to enter information of the investigator and person conducting the examination. Once the information was entered the script asks where I would like the data saved. I chose to add it to the bookmark section under the folder Encase Computer Analysis Report. I also needed to check which information I would want present. I chose to display the Windows version and registration, time zone settings, network information, user information, and last shutdown time. The report generated can be found on the following page. The important information pulled from the report is that the machine is running a FAT16 file system with Windows XP. The total capacity of the partition is only 22MB. Now that this information has been discovered I can begin my investigation.

Volume

File System: / FAT16 / Drive Type: / Fixed
Sectors per cluster: / 1 / Bytes per sector: / 512
Total Sectors: / 45,360 / Total Capacity: / 23,023,616 bytes (22MB)
Total Clusters: / 44,968 / Unallocated: / 13,872,128 bytes (13.2MB)
Free Clusters: / 27,094 / Allocated: / 9,151,488 bytes (8.7MB)
Volume Name: / NO NAME / Volume Offset: / 0
OEM Version: / MSDOS5.0 / Serial Number: / 30E0-8F46
Heads: / 240 / Sectors Per Track: / 63
Unused Sectors: / 12,292,560 / Number of FATs: / 2
Sectors Per FAT: / 176 / Boot Sectors: / 8


Device

Evidence Number: / Lab5 image
File Path: / C:\forensicsfiles\WinLabEnCase.image.E01
Actual Date: / 04/12/04 08:27:03PM
Target Date: / 04/12/04 08:27:03PM
Total Size: / 23,224,320 bytes (22.1MB)
Total Sectors: / 45,360
File Integrity: / Completely Verified, 0 Errors
EnCase Version: / 4.17b
System Version: / Windows XP
Acquisition Hash: / F70C5FFF082E526A368E2C0A13ABB093
Verify Hash: / F70C5FFF082E526A368E2C0A13ABB093

Daylight Saving Time settings

Hour / Day of Week / Week of month (5=last) / Month
Daylight start / 2 / Sunday / 1 / 4
Standard start / 2 / Sunday / 5 / 10


Time Zone Settings (minutes)

Time Zone Bias: / 300
Daylight Bias: / -60
Standard Bias: / 0
Time Zone: / (GMT-05:00) Eastern Time (US & Canada)

My first task was to compile a list of keywords that I would need to search the file system for. Knowing what words to start searching on could help me eliminate loads of irrelevant data. The list contained the following: ACME Industries (ACME and ACME Industry as different variations as well), Raytheon, Boeing, and promotion. With this list in hand I created a keyword list by clicking on View à Keywords. I right clicked Keywords à Add New Folder. I named the folder PSmith Keywords. Once the folder was created I can right click the PSmith Keywords folder à Insert Keyword List. The list box gets stored with the keywords previously mentioned. The new keywords were then selected and a search was performed by going to Search at the top. The search was done under the following criteria: search each file for keywords, search file slack, and selected keywords only. The table below shows the numerical results of the search.


Search Summary

Hits / First Searched / Last Searched / Search Text
5 / 11/05/06 04:57:01PM / acme industries
0 / 11/05/06 04:57:01PM / acme industry
67 / 11/05/06 04:57:01PM / acme
253 / 11/05/06 04:57:01PM / raytheon
127 / 11/05/06 04:57:01PM / boeing
1 / 11/05/06 04:57:01PM / promotion

With so many hits for Raytheon and Boeing I concluded that I was on the right track. I started with the smallest and worked my way up. Promotion’s results were just a spam e-mail. The files found under ACME Industries were project files and some e-mail items. At this point I was more interested in evidence relating to some kind of contact between Pat Smith and Rayteheon and Boeing. The results from ACME came back with 4 interesting hits. Amidst the e-mail files were 4 temporary files found at:

Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP

These files all contained the message: “I’d like to offer you some material from my company in exchange for a position in your company.” – . These files grabbed my attention so I made sure to take down the access times (all last accessed on 3/9/04 around 11:38 AM). I took note by book marking the four files by selecting them and right clicking à Bookmark Files. I created a new folder called TMP Files (ACME) and the four were imported there for further consideration later. Boeing’s results were next shuffled through but they were mostly HTML files that Pat Smith must have been visiting. The bulk of the hits came from Raytheon. They were a mix of web files including data and content. The web files came from the Raytheon website where the company’s about and contact pages were visited. Also mixed in were a few e-mails to a . I selected a few files which I saved to bookmarks in the DBX Files (Raytheon) folder. Two e-mails in particular stood out that contained information that seemed to relate to this case. The following below is where the files can be located.

Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Application Data\Identities\{E893F19B-C77A-4082-9435-87534CCECF93}\Microsoft\Outlook Express\Deleted Items.dbx
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Application Data\Identities\{E893F19B-C77A-4082-9435-87534CCECF93}\Microsoft\Outlook Express\Sent Items.dbx

The e-mails were both from to . The following are the content of the two e-mails.

"Pat Smith" <>

To: ""

Subject: A Proposition

Date: Fri, 23 Jan 2004 12:06:52 -0500

I'd like to offer you some material from my company in exchange for a position in your company.

Pat Smith

From: "Pat Smith" <>

To: ""

Subject: My Proposition

Date: Fri, 01 Jul 2003 10:04:39 -0500

It's been a week since I sent you my proposal. Have you had a chance to consider it?

Pat

The first email was the same information found in the temporary files that I had found earlier from the results of the ACME Industries keyword search.

I was getting closer and closer to when with just the help of the keyword search. I decided to take a look at the timeline of the operating system which documents when a file was created, accessed, and modified. It places each entry in a nice calendar view so an investigator can see when there is a surplus of changes. By selecting the case I was working on and going to Timeline I found that there was heavy traffic on 1/23/04, 3/9/04, and 3/15/04. Starting with the earliest date and moving forward I examined the data by honed in on each date where it gets more detailed by hour and minute the closer you zoom in. The traffic generated on 1/23/04 was mainly searching for a new job through sites like Monster.com, Yahoo Jobs, and searching the Raytheon and Boeing website. The web files and cookies that were created on this date confirm this; they are found at:

Case Study\Lab5 image\Documents and Settings\PSMITH\Cookies

The files on 3/9/04 and 3/15/04 are the heaviest in traffic. They include many cookies and website files being created and deleted in temporary files space along with the two e-mails previously started above being modified and deleted.

There were still a few more tests I could complete on this test case. One was to go through the image Gallery and check the images found on the file system. In order to do this I had to specify which folders contained images. I decided to check the entire case and brought open the Gallery view. There were many images from the Raytheon website as well as images pertaining to finding a new job, adding nothing more than we already know.

I had found clues on the who, the when, and the where but I was still missing what and how. My next step was to run a signature analysis to see if any files were still hidden that I may have overlooked because their extensions were modified. Running a signature analysis will take the proper signature that a file should be and see if it matches up against the extension that it actually is. If there is a mismatch it will be labeled as so and Encase will tell me what extension it should be. Running a signature analysis has me selecting the complete image and doing a Search (the same Search as done prior). The only option that should be selected is Verify File Signatures and to have the results saved to a bookmark called Signature Mismatch. A few files stuck out from the others:

Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 238x.pdf
Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 47x.xls

Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00001.SPL

The first two files are project files from ACME Industries that were kept in a confidential folder with altered file extensions. The last two files are printing spools that look like they have been altered. The spools correspond to each of the first two files being sent to the IP address of 192.168.1.106. The Project 238x was sent to that address on 3/9/04 and the Project 47x file was sent on 3/15/04 by the user name PSMITH. The IP address is mapped to the HP LaserJet 4000 Series PCL6 at ACME Industries. Both spool files can be found at:

C:\Windows\system32\spool\Printers

Just to make sure I had covered all pertinent data I ran two more scripts before completion of my investigation. I ran the IE history parser with keyword search script to make sure that all the websites that I had seen through the cookies and temporary web files were actually visited and to make sure that I had not missed any others. In order to run this script I went to the Scripts menu and added the options of add bookmarks and create web page and tab-delimited files and to search all files. The report did not deliver any new information that had not already been discovered. The last script I ran was to see if there was any information I could obtain from the NTFS INFO2 file. This is the Recycle Bin file that would contain any deleted file information. By running the script NTFS INFO2 Record Finder and selecting to only read INFO2 files only and saving it to the bookmark Recovered NTFS Info2 Records I came up with only one file deleted from the My Documents folder of PSMITH relating to Boeing. It did not seem to be of any value to this case.

Conclusion

This report has pointed out pieces of information relating to the case of Pat Smith from ACME Industries and his relations with the companies Raytheon and Boeing. It is now up to the judge reading this report to determine if this information is of any value to the case. It is important to state that there was no evidence present that B. Conrad from Raytheon contacted Pat Smith or that the printed files ever left the officer. It is interesting though that the printing spools and project files were altered after printing. The printing spool files are often not touched except by the operating system so it is obvious that they were targeted. Determining any further information on this cause is up to be conducted by a crime scene investigator and falls out of my jurisdiction. My job is to present the facts as I have found them on the suspect machine.