Use a Forensic Investigation Tool such as Deft's Sleuth Kit (+Autopsy), ProDiscover Basic, Ubuntu's SANS Investigative Forensic Toolkit (SIFT), Caine, or Oxygen to produce a Forensic Report that addresses the following tasks:
1. Case Summary
Some days ago Mr. John Doe filed a First Information Report (FIR) regarding the theft of his laptop and digital data. The laptop had a genuine Windows® 10 installation and some registered software. The laptop was recovered by the police. After reviewing his important data, Mr. Doe found that some data had been modified, a piece of data had been stolen, and some emails had been forwarded. He therefore requested a forensic report about the data theft.
2. Data Acquisition
ABC labs used standard tools and techniques. On the basis of the FIR filed, the following observations were made.
Details about the media used are included below.
Device Model | Device No. | Device Description | Device Serial No. | Device Capacity
Sony flash drive | AALPF1544G | USB flash drive (black) USB 2.3 | UID: 152266FGT65DER | 64 GB
3. Data Analysis
ABC labs used the following tools for forensic analysis
There were more than 5 folders on the hard drive of Mr. Doe’s laptop. Every folder had the modified, accessed and created date 24-02-2015, with modified and created time stamps between 24-02-2015 3:36:03 UTC and 13-09-2015 04:57:35 UTC. When a folder is copied from a source to a destination, a new modified and created date and time stamp is written on the destination drive; the date and time stamps of the source directory do not carry over to the directory created on the destination drive.
The dates and times of the folders residing on the hard drive therefore indicate that the folders were copied from the hard drive to the flash drive, and to another drive of the hard disk for modification.
The table below shows strong evidence.
Directory Name | Created
C:\Program Files\Windows Mail\en-US1 | 2015-09-13 03:36:47 UTC
C:\Program Files\Windows Mail\en-US2 | 2015-09-13 03:36:03 UTC
C:\Program Files\Windows Mail\en-US3 | 2015-09-13 03:36:32 UTC
C:\Program Files\Windows Mail\en-US4 | 2015-09-13 03:36:15 UTC
C:\Program Files\Windows Mail\en-US5 | 2015-09-13 03:36:26 UTC
Browser history was also examined. It was found that some emails were forwarded, after logging in to Mr. John Doe’s account, to a malicious account of Mr. Richard Roe. Screenshots of the login and the email are enclosed.
4. Investigator's Comments
After our investigation, ABC labs summarized findings as follows: