Question

Use a Forensic Investigation Tool such as Deft's Sleuth Kit (+Autopsy), ProDiscover Basic, Ubuntu's SANS Investigative Forensic Toolkit (SIFT), Caine, or Oxygen to produce a Forensic Report that addresses the following tasks:

  • Task 1: Professional and well-formatted Forensic Report
  • Task 2: Report has a section showing Data Acquisition
  • Task 3: Report has a section showing Data Analysis
  • Task 4: Report has a section showing Investigator's concluding statements.
Answer #1

1. Case Summary

Some days ago, Mr. John Doe filed a First Information Report regarding the theft of his laptop and digital data. The laptop had a genuine copy of Windows® 10 and some registered software. The laptop was recovered by the police. After reviewing the important data, Mr. Doe found that some data had been modified, a piece of data had been stolen, and some emails had been forwarded. He therefore requested a forensic report on the stolen data.

2. Data Acquisition

ABC labs used standard tools and techniques. On the basis of the FIR filed, the following observations were made:

  1. The incident and crime scene were processed.
  2. The computer network, internet service provider, other servers, and data copying devices were analyzed.
  3. ABC labs employed modern tools and techniques during handling, processing, and analysis of the evidence.
  4. A USB flash drive was found during the investigation on September 17, 2015 at 8:35 AM (MST).
  5. Mr. Doe was questioned for complete details of the data.
  6. Types of file formats were discussed.

Details about the used media are included below.

| Device Model | Device No. | Device Description | Device Serial No. | Device Capacity |
|---|---|---|---|---|
| Sony flash drive | AALPF1544G | USB flash drive (black) USB 2.3 | UID: 152266FGT65DER | 64 GB |

3. Data Analysis

ABC labs used the following tools for forensic analysis:

  • Guidance® Software's EnCase® 6.17
  • SANS Investigative Forensic Toolkit (SIFT) Version 2.0
  • Internet Evidence Finder v3.3
  • Microsoft® Excel 2016

There were more than 5 folders on the hard drive of Mr. Doe’s laptop. Every folder had a modified, accessed and created date of 24-02-2015, followed by modified and created timestamps between 24-02-2015 3:36:03 UTC and 13-09-2015 04:57:35 UTC. When a folder is copied from source to destination, a new modified and created date and time stamp is created on the destination drive. The date and time stamp of the source drive directory does not carry over to the directory created on the destination drive.

It is observed that the dates and times of the folders residing on the hard drive indicate that the folders were copied from the hard drive to the flash drive and to another drive of the hard disk for modification.

The table below shows strong evidence.

| Directory Name | Created |
|---|---|
| C:\Program Files\Windows Mail\en-US1 | 2015-09-13 03:36:47 UTC |
| C:\Program Files\Windows Mail\en-US2 | 2015-09-13 03:36:03 UTC |
| C:\Program Files\Windows Mail\en-US3 | 2015-09-13 03:36:32 UTC |
| C:\Program Files\Windows Mail\en-US4 | 2015-09-13 03:36:15 UTC |
| C:\Program Files\Windows Mail\en-US5 | 2015-09-13 03:36:26 UTC |

Browser history was also examined. It was found that, after logging in, some emails were also forwarded from Mr. John Doe’s account to the malicious account of Mr. Richard Roe. A screenshot of the login and email is enclosed.

4. Investigator's Comments

After our investigation, ABC labs summarized findings as follows:

  • Mr. Doe’s claim was right: some data was stolen and some data was modified.
  • No software was additionally installed on the hard drive of Mr. Doe’s laptop.
  • No registered software was removed from the hard drive of Mr. Doe’s laptop.
  • Malware was found which could in future harm data on the hard drive.
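
Added example (not part of the answer above, and not output from EnCase or SIFT): a Python sketch of the timestamp reasoning in section 3, grouping the directory creation times from the report's table into bursts that are consistent with a bulk copy. The 60-second gap, the three-directory minimum and the one extra contrast row are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Creation times copied from the report's table (UTC).
REPORT_ROWS = [
    (r"C:\Program Files\Windows Mail\en-US1", "2015-09-13 03:36:47"),
    (r"C:\Program Files\Windows Mail\en-US2", "2015-09-13 03:36:03"),
    (r"C:\Program Files\Windows Mail\en-US3", "2015-09-13 03:36:32"),
    (r"C:\Program Files\Windows Mail\en-US4", "2015-09-13 03:36:15"),
    (r"C:\Program Files\Windows Mail\en-US5", "2015-09-13 03:36:26"),
]
# Constructed row, not from the report: an isolated directory for contrast.
CONSTRUCTED_ROWS = [(r"C:\Example\Unrelated", "2015-02-24 09:10:00")]

def parse_rows(rows):
    """Return (timestamp, path) pairs as UTC-aware datetimes, oldest first."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc), path)
                  for path, stamp in rows)

def find_creation_bursts(rows, max_gap=timedelta(seconds=60), min_dirs=3):
    """Group directories created within max_gap of the previous one."""
    # max_gap and min_dirs are assumed triage thresholds, not forensic standards.
    bursts, current = [], []
    for ts, path in parse_rows(rows):
        if current and ts - current[-1][0] > max_gap:
            if len(current) >= min_dirs:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_dirs:
        bursts.append(current)
    return bursts

def summarize(burst):
    """Report the window a burst covers and its directories in creation order."""
    start, end = burst[0][0], burst[-1][0]
    return {"start": start, "end": end,
            "span_seconds": (end - start).total_seconds(),
            "paths": [path for _, path in burst]}

if __name__ == "__main__":
    for burst in find_creation_bursts(REPORT_ROWS + CONSTRUCTED_ROWS):
        info = summarize(burst)
        print(f"{len(info['paths'])} directories created within "
              f"{info['span_seconds']:.0f}s from {info['start'].isoformat()}")
```

A burst only shows that the directories were created close together; attributing it to a copy still needs corroboration from other artifacts.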