Expert Technical Report and Findings

Customer:                 Joe Bloggs

Disklabs® Reference:      DL/0000/06

Forensic Analyst:         Simon Steggles

Date:                     07th August 2006

I declare that this statement, containing 16 (sixteen) pages, is true to the best of my knowledge and belief, and I understand that it will be placed before the court.

……………………………………………………..

Simon Paul Steggles MBCS

Forensic Analyst

Disklabs® Computer Forensics


Contents Page

1.     Background to the Case
2.     Remit of the investigation
3.     Case Activities
4.     Conclusion
5.     Executive Summary
6.     Exhibits submitted for analysis
7.     Analysis Results
7.1.      Examination of SPS/1/H1
7.1.1.      OS Details
7.1.2.      AAA Files
7.1.3.      Keyword Search
8.     Generated Material
Generated Appendices

1.   Background to the Case

A member of staff from Joe Bloggs Limited is suspected of siphoning monies from the company account into their own personal account. The suspect is believed to have deleted the log files which show the transactions made.

2.   Remit of the investigation

Disklabs® have been commissioned by Joe Bloggs Limited to interrogate exhibit reference SPS/1, from Disklabs® case reference DL/0000/06, for the recovery of all log files associated with the transactional system in place, in particular transactions containing ‘J Blogg’ or ‘J Bloggs’.

3.   Case Activities

The activities undertaken to produce this report and the conclusion drawn were:

·        Recovery of partitions

·        File and Folder Recovery

·        Case initialisation

·        Archive file mounting

·        File signature analysis and hash computation

·        Keyword Search

Full technical details of each activity can be seen within the Technical Appendices. Contemporaneous notes were made for each activity and are now stored with the case archive.


4.   Conclusion

4.1.  Files with the extension ‘.AAA’ are created for every ‘batch’ of transactions that occurs within the transaction application (bank money transfer). Each file contains a list of the transactions to be processed, including recipients and amounts.

4.2.  There is only one instance of a ‘.AAA’ file with the recipient ‘J Blogg’.

4.3.  Several ‘.AAA’ files exist containing the name ‘J Bloggs’.

5.   Executive Summary

5.1.  The purpose of this examination was to examine any media found within exhibit SPS/1 relating to Disklabs® case reference DL/0000/06

5.2.  Detailed descriptions of the steps taken to come to these results can be seen in the Technical Appendices

5.3.  1 ‘.AAA’ file was found in ‘C:\’

5.4.  57 ‘.AAA’ files were identified in the folder ‘C:\Transaction\’

5.5.  75 ‘.AAA’ files were found in the recycle bin of user ‘J Bloggs’; these were deleted on the DATE at TIME

5.6.  3 ‘.AAA’ files were found within unallocated space

5.7.  12 fragments of ‘.AAA’ files were found

5.8.  All identified ‘.AAA’ files are now produced on CD-R


6.   Exhibits submitted for analysis

The following exhibits were submitted for forensic analysis by Joe Bloggs Limited:

Exhibit №    Description
SPS/1        One (1) HP Compaq Base Unit

The exhibit was logged in on Disklabs® DL01 Receipt Form (see Appendix 1) and then secured in Disklabs® secure storage.

6.1.  Exhibit Details

All details of exhibit handling and exhibit descriptions are logged onto Disklabs® DL02 Continuity Form (see Appendix 2) and Disklabs® DL03 Computer Equipment Log (see Appendix 3).

Each exhibit was inspected following Disklabs® Evidence Handling Procedures (presented within the Technical Appendices). The following details were noted:

SPS/1

The exhibit was a single HP Compaq base unit, with serial number ABCDEFGH. The exhibit was photographed (see Appendix 4) and it was noted that:

·        A Windows XP product key was present on the top panel

·        Windows XP and Pentium logo stickers were present on the front panel

A single hard drive was found within the base unit; this was given the exhibit reference SPS/1/H1, and the following details apply:

Make       Model        Serial Number    Size
Seagate    ST340015A    FDGHTEY          40GB

A premastered CD-ROM was found within the CD-ROM drive; this had the title “CD-ROM”. No further action was taken with this media. No other media was found in the other drives of the exhibit.

The BIOS settings of the system were checked with the following results:

Parameter                        Description
BIOS key                         <F10>
System Date, Time                04/08/2006 12:52
Rugby Synchronised Date, Time    04/08/2006 12:52

6.2.  Exhibit Acquisition

Exhibit     Acquired as     MD5 Hash
SPS/1/H1    SPS-1-H1.E01    MD5 hash

A forensic image was made of the exhibit using EnCase® 5.04a; the forensic image was then verified using an MD5 hash to confirm the integrity of the data.


7.   Analysis Results

7.1.  Examination of SPS/1/H1

Only one active partition was found on the system; no deleted partitions were found.

7.1.1.     OS Details

Product Name:              Microsoft Windows XP

Product ID:                1234

Install Date and Time:     13/Apr/05 04:37:18

Last Shutdown Time:        03/Aug/06 18:17:39

7.1.2.     AAA Files

Within the root of C:\ exists a folder named Transactions. An investigation of this folder identified it as the root folder for the application Transaction (see Figure 1). Within this folder exist a total of 57 files with the extension ‘.AAA’. The file ‘C:\Transaction\Data\Send\00006AF3.AAA’ was found to contain the names ‘J BLOGG’ and ‘J Bloggs’. This file was created on 13/06/2006 at 16:50. No further ‘.AAA’ files were identified within this ‘Transaction’ folder.

Figure 1 Transaction Folder Structure

A search was conducted for any further files with the extension ‘.AAA’; this identified a duplicate of ‘00006AF3.AAA’ on the root of ‘C:\’, which was created on 03/08/2006 at 08:37.

A further 75 ‘.AAA’ files were found in the recycle bin of user ‘J Bloggs’; these were deleted on 09/05/2005 at 14:45:12. None of these files were found to contain pertinent data, as they pre-date the incident. The folder structure (see Figure 2) was deleted from ‘C:\Transactions’.

Figure 2 ‘J Bloggs’ deleted transaction folder structure

Detailed descriptions of the files found have been produced as a spreadsheet on the CD-R.

The entire drive was cloned on to a clean hard drive. The application ‘Transaction’ was executed. The following login details were provided by Joe Bloggs Limited:

Username    Password    Permissions
                        Bank transfers
                        Bank transfers
manager                 Authorisation of bank transfers and user management
auditor                 Audit log examination and user control

When logged in as user ‘auditor’ it is possible to view the process of each transaction; however, the specific details of the transactions are not viewable. From the logs it can be seen that the majority of the transactions were executed under the user ‘Joe Bloggs’; on numerous occasions it appears that the transaction was deleted immediately after successful submission to Lloyds bank.

No further information was gleaned from these records.

7.1.3.     Keyword Search

A keyword search was conducted over the entirety of the ‘image’ files to identify further files.

This search identified 12 fragments of what appear to be ‘.AAA’ files and 3 complete ‘.AAA’ files in unallocated space. These are produced on the CD-R, with a more detailed description of the file attributes provided as part of a spreadsheet.
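As an added illustration (not the report's own procedure or Disklabs' tooling), the Python below performs the two checks that section 6.2 and this keyword search rely on in one streaming pass over an image: the MD5 of the imaged data for integrity verification, and a search for the case keywords that reports each hit's byte offset and sector, handles hits split across read boundaries, covers both ASCII and UTF-16LE forms, and keeps ‘J Blogg’ distinct from ‘J Bloggs’ (the shorter keyword is a prefix of the longer, so a naive search over-counts it). It assumes a raw (dd-style) image rather than the E01 container named above, whose file hash would not equal the hash of the acquired data; the sample image and its 512-byte sector size are constructed here.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size, used only to report hit locations

# The shorter keyword is the needle; a hit immediately followed by the suffix
# is classified as 'J Bloggs', otherwise as 'J Blogg'. Both ASCII and UTF-16LE
# forms are searched, since Windows XP stores many strings as UTF-16LE.
PATTERNS = [(enc, "J Blogg".encode(enc), "s".encode(enc))
            for enc in ("ascii", "utf-16-le")]
TAIL = max(len(n) + len(s) for _, n, s in PATTERNS) - 1  # carry-over bytes


def _scan(buf, tail_len, base, final, hits):
    """Record hits whose needle+suffix window ends beyond the bytes already
    seen in the previous chunk and is fully visible now (or EOF is reached)."""
    for enc, needle, suffix in PATTERNS:
        p = buf.find(needle)
        while p != -1:
            end = p + len(needle) + len(suffix)
            if end > tail_len and (end <= len(buf) or final):
                kw = "J Bloggs" if buf[p + len(needle):end] == suffix else "J Blogg"
                hits.append((base + p, (base + p) // SECTOR, enc, kw))
            p = buf.find(needle, p + 1)


def search_image(fileobj, chunk=1 << 20):
    """One streaming pass over a raw image: MD5 for integrity verification and
    keyword hits as (byte offset, sector, encoding, keyword)."""
    md5, hits, tail, base = hashlib.md5(), [], b"", 0
    while True:
        data = fileobj.read(chunk)
        if not data:
            break
        md5.update(data)
        buf = tail + data
        _scan(buf, len(tail), base - len(tail), False, hits)
        base += len(data)
        tail = buf[-TAIL:]  # keep enough bytes to complete a cut hit
    _scan(tail, len(tail), base - len(tail), True, hits)  # flush deferred hits
    return md5.hexdigest(), sorted(hits)


def search_bytes(data, chunk=1 << 20):
    """Convenience wrapper for an in-memory image."""
    return search_image(io.BytesIO(data), chunk)


# Constructed sample 'image': zero-filled space with three planted records.
SAMPLE = (b"\x00" * 600 + b"Recipient: J Bloggs; Amount: 250.00\r\n"
          + b"\x00" * 400 + b"Recipient: J Blogg; Amount: 90.00\r\n"
          + "Recipient: J Bloggs".encode("utf-16-le") + b"\x00" * 100)
```

Running `search_bytes(SAMPLE, chunk=7)` forces every planted record across a read boundary and still yields exactly one ‘J Blogg’ hit and two ‘J Bloggs’ hits, with the same MD5 as a single-read pass.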


8.   Generated Material

Expert Technical Report and Findings

Information found on Exhibit SPS/1/H1
Details: One (1) CD-R containing identified AAA files

Technical Appendices
Details: Detailed description of activities undertaken, details of examiner and Disklabs®

Generated Appendices

The following list of generated appendices has been created to allow Joe Bloggs Limited to see the continuity of evidence:

Appendix 1    DL01
Appendix 2    DL02
Appendix 3    DL03
Appendix 4    DL04
Appendix 5    Original Exhibit Photographs

APPENDIX 1

DL01 Receipt Form

Cannot be shown for Client Confidentiality Reasons

APPENDIX 2

DL02 Continuity Form

Cannot be shown for Client Confidentiality Reasons

APPENDIX 3

DL03 Equipment Log Form

Cannot be shown for Client Confidentiality Reasons

APPENDIX 4

DL04 Dispatch Form

Cannot be shown for Client Confidentiality Reasons

APPENDIX 5

Exhibit Photographs

Cannot be shown for Client Confidentiality Reasons