Question

6 points: Forensics Install the Autopsy tool from sleuthkit: https://www.sleuthkit.org/autopsy/ Making use of this tool...

6 points: Forensics

Install the Autopsy tool from sleuthkit: https://www.sleuthkit.org/autopsy/

Making use of this tool, load the 'Lone Wolf' image from:

https://drive.google.com/open?id=1JSvCeZgo2mfnPy8Y41qZqU5bms1PSq0G

and analyse this image to begin a forensic examination. PLEASE NOTE: this image is >12GB. A quick 'getting started' guide was presented in this week's lecture.

Analysis of this image can take ~30 minutes on mid range hardware. This should not affect your ability to do the assignment, but you may like to wait to make use of some of the automatically extracted features.

The Lone Wolf Scenario is based on a (fictional) unstable individual who is alleged to be planning a mass shooting. 

On 6 Apr 18, Special Agent Alpha requested a Digital Forensic Examination of a laptop computer to recover any and all information pertaining to allegations Mr. Jim Cloudy was planning to attack a town hall meeting held to discuss gun violence.

A Search Warrant was approved by Not A. REALJUDGE, United States Magistrate Judge, Eastern District of Virginia authorizing the search of Mr. Cloudy’s residence and the seizure and subsequent Digital Forensic Examination of digital media found within. SA Forensicator, Senior Digital Forensic Examiner (SDFE), Alexandria, VA 22303, concurred the Search Warrant was legally sufficient to conduct the examination as requested within the Laboratory Examination Request.

Jim Cloudy is a resident of Alexandria, VA. He is unhappy with the media’s coverage of gun violence and what he perceived as an attack on the 2nd Amendment. Prior to the start of the scenario, Jim gets into a heated online argument with his brother, Paul Cloudy. During this argument Jim destroys his laptop by throwing it on the floor. Jim disposes of this laptop using his Apartment’s trash chute, which is collected daily. Paul gives Jim one of his old laptops with the promise that he wouldn’t break it. Paul wiped the laptop’s drive prior to giving it to Jim. Jim does not encrypt any data and takes no overt steps to obfuscate data.

Jim gives Paul access to his cloud storage accounts. Paul is suspicious reading some of the files, around Jim’s sudden decision to go on vacation and not come back. When Paul reads some of the documents he notifies police and a Search Warrant of Jim’s apartment is executed and he is apprehended while talking to Paul online.

The task for the investigators is to determine what was planned and if anyone else was involved.

This scenario contains a disk image of a real, physical machine that was actually used to generate these 'fake' documents.

The 2018 Lone Wolf Scenario was created by Thomas J. Moore, a student at George Mason University.

Please remember: this is a fictional scenario about fictional people!  
Scenario Sourced from Digital Corpora.

Questions:

  • What was the main user's Windows Username, and other email/s used for cloud services?
  • What is the Processor Architecture and computer name?
  • What is an LNK file? What does it do? Give an example from the provided image.
  • Windows has 3 different time stamps in each file's metadata; what are they, and how are they different?
  • The user had lots of files on their desktop; what evidence can be found in this folder to help the investigators? Provide 3 example file names and associated paths for each file (HINT: paths, multiple!! Make use of the search function), MD5 hash, and a one-sentence summary of your findings for each file.
  • What went on? From all the documents we found, can you put together the plans that the suspect wanted to carry out? Remember to stick to the facts only; as a forensic expert it's not up to us to tell the story, just to present the facts in an unbiased way. Please summarize what we know in a paragraph.
Answer #1

Answer:-

What was the main user's Windows Username, and other email/s used for cloud services?

The Sleuth Kit was previously developed with assistance from @stake and was called The @stake Sleuth Kit (TASK). TASK was based on The Coroner's Toolkit (TCT) and TCTUTILs and it added support for FAT and NTFS file systems.

username: @stake

What is the Processor Architecture and computer name?

Brian Carrier has developed most of the code in The Sleuth Kit, Autopsy 1 and 2, mac-robber, and TCTUTILs. Basis Technology has been building Autopsy since version 3. Dan Farmer and Wietse Venema developed The Coroner's Toolkit, on which these tools were based. Credit for all patches and debugging help from users is noted in the CHANGES file in each distribution.

Samir Kapuria helped with the new interface design of Autopsy 1.70.

What is an LNK file? What does it do? Give an example from the provided image?

LNK is a file extension for a shortcut file used by Microsoft Windows to point to an executable file. LNK stands for LiNK. Shortcut files are used as a direct link to an executable file, instead of having to navigate to the executable. LNK files contain some basic properties, such as the path to the executable file and the “Start-In” directory. LNK files use a curled arrow to indicate they are shortcuts, and the file extension is hidden (even after disabling “Hide Extensions for Known File Types” in Windows Explorer).

ex:-

[Screenshot: Properties dialog (General tab) of a Mozilla Thunderbird shortcut, showing size, size on disk and the Created date]

When converting a file time to a local time, use the following sequence of functions instead of using FileTimeToLocalFileTime:

  • FileTimeToSystemTime
  • SystemTimeToTzSpecificLocalTime
  • SystemTimeToFileTime

You must take care when using file times if the user has set the system to automatically adjust for daylight saving time.

To convert a file time to local time, use the FileTimeToLocalFileTime function. However, FileTimeToLocalFileTime uses the current settings for the time zone and daylight saving time. Therefore, if it is daylight saving time, it takes daylight saving time into account, even if the file time you are converting is in standard time.

The FAT file system records times on disk in local time. GetFileTime retrieves cached UTC times from the FAT file system. When it becomes daylight saving time, the time retrieved by GetFileTime is off an hour, because the cache is not updated. When you restart the computer, the cached time that GetFileTime retrieves is correct. FindFirstFile retrieves the local time from the FAT file system and converts it to UTC by using the current settings for the time zone and daylight saving time. Therefore, if it is daylight saving time, FindFirstFile takes daylight saving time into account, even if the file time you are converting is in standard time.

The user had lots of files on their desktop, what evidence can be found in this folder to help the investigators?
  • Provide 3 example file names and associated paths for each file (HINT: paths, multiple!! Make use of the search function), MD5 hash, and a one-sentence summary of your findings for each file.
  • What went on? From all the documents we found can you put together the plans that the suspect wanted to carry out?

Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes. This article discusses the many types of digital evidence produced by a typical computer user, criminal or not, and demonstrates methods and techniques available to extract that evidence out of the original PC and into the hands of a forensic investigator. (Read Part 1 at www.dfinews.com/article/retrieving-digital-evidencemethods-techniques-and-issues-part-1).

The majority of computer users are not IT security specialists, so most of these obstacles are no more than simple annoyances that can be easily overcome by spending a little effort. The following sections will discuss these techniques in detail, recommending ways to overcome each of the obstacles, whenever possible.

Figure 1: Up to 93% of all information never leaves the digital domain.

Obscuring Information and Why It Works
The most obvious way to hide information on a disk is giving a file of interest an obscure name or saving it to an unusual location. This trick is so obvious and provides so little protection that no reasonable security policy would ever let it pass; but why is it still being used by criminals, and, most importantly, why does it still work?

The answer is painfully simple: investigators are pressed for time due to the number of mobile phones, laptops, and seized hard drives to be analyzed. They often have twenty minutes to a few hours, max, in order to extract all possible evidence. To make things even more complicated, investigators are bound by strict rules. By breaking any one of the rules, investigators may invalidate all extracted evidence.

Retrieving Obscured Files: When the File Location Is Changed
One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files. This may produce a certain number of false positives (e.g. not every XML file is an MSN history file), so additional checks are often required (e.g. checking the existence of MessageLog.xsl next to an XML file).

In reality, locating any one of the files is an obvious exercise. As applications such as instant messengers or email clients have to have access to their working files, they store files’ locations somewhere in the Windows registry or in their own configuration files. One must know a lot about each application being analyzed, which includes literally hundreds of messengers, e-mail clients, peer-to-peer applications, and browsers. Under the time-constraints of a busy working environment, an automated solution is the only way to go.

Figure 2: Setting locations to search

Hidden and Inaccessible Files and Folders
Computer users often protect information by assigning file attributes and permissions preventing unauthorized access. Hidden and system files and folders are common place these days; these will be displayed and even highlighted by every forensic analysis tool in existence. Most forensic analysis tools can bypass security attributes and permission control management (but not encryption) set by the file system such as NTFS access control rights. Special attention should be paid to inaccessible files and folders; otherwise one can miss evidence in folders having access restrictions.

Destroyed Evidence
Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).

Deleted Files
Important evidence often ends up in the recycle bin. This is especially true for Windows PCs. Thus, deleted files can often be successfully retrieved by analyzing the contents of the Recycle Bin, a temporary storage they’re placed in before being erased.

If deleted files do not show up in the Recycle Bin, there is still a good chance to recover them by using one of the many commercial data recovery tools. The principle of deleted file recovery is based on the fact that Windows does not wipe the contents of the file when it’s being deleted. Instead, a file system record storing the exact location of that file on the disk is marked as “deleted.” The disk space previously occupied by the file is then advertised as available, but not overwritten with zeroes or other data (we’ll discuss the issue of SSD drives in a minute).

By analyzing the file system and/or scanning the entire hard drive looking for characteristic signatures of known file types, one can successfully recover not only files that were deleted by the user, but also discover evidence such as temporary copies of Office documents (including old versions and revisions of such documents), temporary files saved by many applications, renamed files, and so on.

Information stored in deleted files can be supplemented with data collected from other sources. For example, Skype stores its chat logs in the history database and keeps internal data that may contain chunks and bits of user conversations in the “chatsync” folder. The format is not officially disclosed, but there are tools available that can analyze such files. Thus, if a chatsync folder exists, there are definite chances to recover Skype chats even if one has failed to recover a deleted Skype database.

Formatted Hard Drives
Information from hard drives that were formatted by the user may be recoverable through data carving or by using a commercial data recovery tool. However, the recovery of formatted hard drives is iffy and depends on a wide set of parameters.

Full Format. There are two possible ways to format storage media in Windows: full and quick formats. While a quick format simply initializes the disk by creating a new (empty) file system on the partition being formatted, a full format also checks the disk for bad sectors.

From the name of it, one would assume that a full format is always destructive—which is not the case. Prior to Windows Vista (that is, in Windows 95/98/ME, NT4/2000, and XP) a full format operation did not zero the disk being initialized. Instead, Windows would simply scan the disk surface by reading it sector by sector. Unreliable sectors would be marked as “bad.”

This behavior changed with the release of Windows Vista. In Vista and Windows 7, a full format operation will actually wipe the disk clean, writing zeroes onto the disk and reading the sectors back to ensure reliability.

Quick Format. With the exception of SSD drives, a quick format is never destructive. Information from disks cleared with a quick format can usually be recovered by using one of the data recovery tools that support carving.

The Issue of SSD Drives
The information above applies to traditional (magnetic, spinning discs) hard drives and common flash memory such as USB sticks and memory cards. Solid-state drives (SSD) present an entirely new issue.

Solid-state drives represent a new storage technology. They operate much faster compared to traditional hard drives. SSD drives employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.

The culprit here is the TRIM command. Used to release space advertised as available by the operating system, the TRIM command effectively zeroes information as soon as it’s marked as deleted by the operating system. Write-blocking devices do not prevent the effect of the TRIM command. An experiment conducted by American researchers demonstrated that a TRIM-enabled SSD completely wiped all deleted information in less than three minutes.

Traditional forensic methods fail when attempting to recover information deleted from SSD drives, or trying to recover anything from an SS
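As an added example, not part of the question or of the posted answer: a small Python parser for the fixed 76-byte ShellLinkHeader that starts every LNK file (layout per MS-SHLLINK), which carries the link target's creation, access and write FILETIMEs, i.e. the three timestamps the question asks about. FILETIME values are stored in UTC, so the decoding below needs none of the local-time or daylight-saving conversion discussed above; the sample header is constructed here and is not taken from the Lone Wolf image.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK ShellLinkHeader: 76 little-endian bytes at the start of every .lnk
HEADER_FMT = "<I16sIIQQQIIIH2sII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x4C == 76
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}

def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; no local-time conversion is done."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def is_valid_lnk_header(data):
    """Magic check: HeaderSize must be 0x4C and LinkCLSID the Shell Link CLSID."""
    if len(data) < HEADER_SIZE:
        return False
    size, clsid = struct.unpack_from("<I16s", data)
    return size == HEADER_SIZE and clsid == LINK_CLSID

def parse_lnk_header(data):
    """Return the target's three timestamps and other fixed-header fields."""
    if not is_valid_lnk_header(data):
        raise ValueError("not a Shell Link header")
    (_, _, flags, attrs, ctime, atime, wtime, size,
     _icon, show, _hotkey, _, _, _) = struct.unpack_from(HEADER_FMT, data)
    return {
        "creation": filetime_to_datetime(ctime),  # target created
        "access": filetime_to_datetime(atime),    # target last accessed
        "write": filetime_to_datetime(wtime),     # target last modified
        "file_size": size, "attributes": attrs, "show_command": show,
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
    }

def build_sample_header():
    """Constructed sample header (made-up values, not from the Lone Wolf image)."""
    utc = timezone.utc
    return struct.pack(
        HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x9A, 0x20,  # flags, FILE_ATTRIBUTE_ARCHIVE
        datetime_to_filetime(datetime(2018, 4, 6, 12, 0, tzinfo=utc)),
        datetime_to_filetime(datetime(2018, 4, 6, 12, 5, tzinfo=utc)),
        datetime_to_filetime(datetime(2018, 4, 6, 12, 3, tzinfo=utc)),
        1998, 0, 1, 0, b"\0\0", 0, 0)
```

Only the fixed header is decoded here; the target path and working directory live in the variable-length structures that follow it.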
