A young girl (Amy Capri) is missing after an argument with her parents. They call the police on May 28. A police investigator shows up after 48 hours to interview them. The investigating officer finds out that the daughter had spent a lot of time on the Internet. The parents agree to let him have the notebook computer.
You have acquired the notebook of the assumed kidnapping victim. You will then need to image the notebook using the most effective forensic tool. In order to preserve the integrity of the evidence obtained, you have to deploy a method (or methods) to perform this. Your team decides to use FTK or another tool to determine which file(s) have a bad extension and to further examine the file headers of these file(s) using a hex editor.
Using the evidence image of the drive "Kidnapping.1", the team searched for the missing girl's name and found that the man she met on the Internet is Gary Cleary. The team continues to analyze the image of the drive, focusing on the images and email that may be of evidentiary value.
Your team needs to put together clues from the evidence found to show how she might have been enticed away by an older man on the Internet, bought a bus ticket to Oregon, and emailed her friend regularly about how things were progressing with him. Finally, your team prepares the evidence, reports, listings and the procedures performed to conduct a final case defense or presentation as an expert witness.
Describe what the police investigator would do with the notebook after the parents have handed it over.
First and foremost, the notebook would be handed over to a computer forensic analyst, a data forensic investigator and a network investigator.
They would then obtain and study the digital information to find evidence and details which might be presented in court to prosecute cyber behaviors that are considered illegal under the law. At times, information that is crucial, though still on the hard disk, might not be easily attainable. Information might be deleted, and at times corrupted. Therefore, a network investigator is needed. A network forensics investigator would use the log files to try to understand the habits of the users and, if possible, to determine whether the computer has been compromised by hackers.
Investigators would examine a computer disk not knowing whether it contains important clues or evidence, and in the event that they discover data, they would need to piece the data together logically to produce substantial and solid evidence.
Computer forensics is used to discover hidden or deleted data files which might be used as evidence in a case. Often, this evidence can play an important role in convicting or clearing the name of the suspect.
What hardware resources are needed to analyze a notebook?
Resources needed to analyze the notebook would be a forensics hardware tools kit. In the industry, these kits are further categorized into initial-response kit and extensive-response kit.
Compare the architectural hardware differences between a notebook and a desktop computer, along with the different tools or equipment that might be needed to perform a forensic image acquisition.
A desktop computer is a personal computer (PC) in a form intended for regular use at a single location, as opposed to a mobile laptop or portable computer. Prior to the widespread use of microprocessors, a computer that could fit on a desk was considered remarkably small. Desktop computers come in a variety of types ranging from large vertical tower cases to small form factor models that can be tucked behind an LCD monitor. "Desktop" can also indicate a horizontally-oriented computer case usually intended to have the display screen placed on top to save space on the desktop. Most modern desktop computers have separate screens and keyboards. Tower cases are desktop cases in the earlier sense, though not in the latter. Cases intended for home theater PC systems are usually considered to be desktop cases in both senses, regardless of orientation and placement.
Desktops have the advantage over laptops that the spare parts and extensions tend to be standardized, resulting in lower prices and greater availability. For example, the form factor of the motherboard is standardized, like the ATX form factor. Desktops have several standardized expansion slots, like Conventional PCI or PCI express, while laptops only tend to have one mini PCI slot and one PC card slot (or ExpressCard slot). This means that a desktop can be customized and upgraded to a greater extent than laptops. Procedures for assembly or disassembly of desktops tend to be simple and standardized to a great extent too. This tends not to be the case for laptops, though adding or replacing some parts, like the optical drive, rechargeable battery, hard disk, and adding an extra memory module is often quite simple.
Laptops are personal computers designed for mobile use and small and light enough to sit on a person's lap while in use. A laptop integrates most of the typical components of a desktop computer, including a display, a keyboard, a pointing device (a touchpad, also known as a track pad), speakers, and often a battery, into a single small and light unit. The rechargeable battery (if present) is charged from an AC adapter and typically stores enough energy to run the laptop for two to three hours in its initial state, depending on the configuration and power management of the computer.
Laptops are usually shaped like a large notebook with thicknesses between 0.7-1.5 inches (18-38mm) and dimensions ranging from 10x8 inches (27x22cm, 13" display) to 15x11 inches (39x28cm, 17" display) and up. Modern laptops weigh 3 to 12 pounds (1.4 to 5.4kg); older laptops were usually heavier. Most laptops are designed in the flip form factor to protect the screen and the keyboard when closed. Modern tablet laptops have a complex joint between the keyboard housing and the display, permitting the display panel to swivel and then lie flat on the keyboard housing.
Computer forensics tools are divided into 2 major categories: hardware and software.
Hardware Forensics Tools
Tools range from single-purpose components to forensics-oriented computer systems. Single-purpose devices include write blockers for IDE or SCSI drives, which prevent any write to the suspect drive during acquisition. Forensics-oriented computer systems would include F.R.E.D. systems or DIBS advanced workstations.
Software forensics tools
Tools are often categorized into 2 groups, namely command-line based and GUI based. Often, command-line tools are made to perform only a single task, such as disk acquisition. These days, GUI tools often combine many tasks (Helix). Tools are used intensively in duplicating the suspect's hard disk into an image file. GUI tools these days are able to read multiple image file formats as though each were a standalone hard drive.
Based on the scenario, decide whether you want to use more than one tool to create the image, and write a brief outline on the choice of tool.
For this case, I decided to use ILook Investigator IXimager and Helix to construct my image.
IXimager runs from a bootable floppy or CD. It is a standalone proprietary-format acquisition tool designed to work only with ILook Investigator. It can acquire single drives and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices. The IXimager proprietary format can be converted to a raw format if other analysis tools are used.
IXimager has three format options:
IDIF - A compressed format
IRBF - A raw format
IEIP - An encrypted format for added security
Helix is one of the simplest suites readily available today. It consists of shareware as well as freeware, making it free for use. It is unique in that Helix can be run on a live Windows system, and it boots as a Linux OS when started from a cold boot.
Besides these tools, AccessData FTK is selected to recover e-mails that might have been deleted.
What additional evidence could you look for at the victim's home or school to obtain clues about her whereabouts?
Other than using the computer, we could arrange to interview her parents and friends to try know more about the lifestyle of the victim.
Also, we can try to get a warrant to get data logs from the service provider of the victim's cell phone or landline to detect abnormalities before she went missing.
Explain what method would be used to preserve the integrity of the evidence obtained, and why obtaining the data by this method is important.
The following steps should be used when copying an image file:
- Copy the image file into a hard drive larger than the image file.
- Start the forensics tool on the copied image file to analyze the evidence, use only the copied image file.
- Run an MD5 or SHA-1 hash on both the original and the copied image file to get a digital hash of each. The hash values must be the same, which confirms the integrity of the copied image.
- After copying of the image files to a larger drive is completed, secure the original media in an evidence locker, which can be accessed only by authorized personnel.
If the integrity of the data is not ensured, the evidence cannot be used in court and would be of no use to the case, even if the evidence is valid and extremely important. Thus, ensuring that the integrity is preserved should be of utmost concern.
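The hashing step above, carried out on a constructed sample image as an added example (this is not code from the original report, and the sample bytes are filler, not data from the actual "Kidnapping.1" image). It hashes the original and the working copy with MD5 and SHA-1 in one pass, reports whether every digest matches, and shows that a single flipped byte in a copy is caught:

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical image name modelled on the case's "Kidnapping.1"; the bytes are
# constructed filler for this example, not data from any real evidence image.
SAMPLE_IMAGE_NAME = "Kidnapping.1"
SAMPLE_IMAGE_BYTES = b"\x00" * 512 + b"CONSTRUCTED SAMPLE IMAGE DATA " * 64

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image never has to fit in memory


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file at path, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original_path, copy_path, algorithms=("md5", "sha1")):
    """Hash the original and the working copy; every digest must match."""
    original = hash_file(original_path, algorithms)
    copy = hash_file(copy_path, algorithms)
    mismatched = [name for name in algorithms if original[name] != copy[name]]
    return {"original": original, "copy": copy,
            "verified": not mismatched, "mismatched": mismatched}


def run_demo():
    """Copy the constructed image, verify it, then show a one-byte change is caught."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    try:
        original = os.path.join(workdir, SAMPLE_IMAGE_NAME)
        with open(original, "wb") as fh:
            fh.write(SAMPLE_IMAGE_BYTES)
        # Copy to the working drive, then hash both files and compare the digests.
        working = os.path.join(workdir, "working-copy.1")
        shutil.copyfile(original, working)
        good = verify_copy(original, working)
        # A copy whose last byte was altered must fail verification on every algorithm.
        tampered = os.path.join(workdir, "tampered-copy.1")
        data = bytearray(SAMPLE_IMAGE_BYTES)
        data[-1] ^= 0xFF
        with open(tampered, "wb") as fh:
            fh.write(bytes(data))
        bad = verify_copy(original, tampered)
        return good, bad
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    good, bad = run_demo()
    for label, result in (("clean copy", good), ("tampered copy", bad)):
        print(f"{label}: verified={result['verified']} mismatched={result['mismatched']}")
        for algo, digest in result["original"].items():
            print(f"  original {algo}: {digest}")
```

The digests of the original should be recorded in the case notes at acquisition time; re-running `verify_copy` before each analysis session then shows that the working copy is still byte-for-byte identical to the secured original.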
Determine which file(s) have a bad extension and further examine the file headers of these file(s) using a hex editor. Why is it important to carry out such a procedure, and how may it help the team in solving the case?
In the event that a file has a bad extension, the file might not be accessed by investigators easily. Investigators might not attempt to open the file because they consider it "low risk", and important pieces of information inside the file might never be discovered. On the other hand, if investigators change the size of the file via a format converter, the increase in file size may cause data hidden in the file's slack space to be overwritten. Thus, we should use a hex editor to figure out the correct extension from the header bytes, and only then open the file via its default application.
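As an added example (not code from the original report), the check described above done programmatically: each file's first bytes are compared against a small table of known file signatures, shown in the same hex-and-ASCII layout a hex editor presents, and flagged when the declared extension does not match the type the header reveals. The signature table and the sample files are constructed assumptions for this example and do not come from the case image.

```python
# Constructed signature table: (magic bytes, offset, file type, extensions that
# legitimately carry that header). Deliberately small; a real tool has hundreds.
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {"png"}),
    (b"GIF87a", 0, "GIF image", {"gif"}),
    (b"GIF89a", 0, "GIF image", {"gif"}),
    (b"BM", 0, "BMP image", {"bmp"}),
    (b"%PDF-", 0, "PDF document", {"pdf"}),
    (b"PK\x03\x04", 0, "ZIP archive", {"zip", "docx", "xlsx", "pptx"}),
]


def hexdump(data, length=16):
    """Render the first `length` bytes the way a hex editor shows them."""
    head = data[:length]
    hex_part = " ".join(f"{b:02X}" for b in head)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in head)
    return f"{hex_part:<{length * 3}} {ascii_part}"


def identify_by_header(data):
    """Return (file type, allowed extensions) for the first matching signature."""
    for magic, offset, kind, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind, exts
    return None, set()


def check_extension(filename, data):
    """Compare the declared extension with what the header bytes actually say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, exts = identify_by_header(data)
    if kind is None:
        status = "unknown header"      # no signature matched; examine manually
    elif ext in exts:
        status = "ok"
    else:
        status = "bad extension"       # header says one type, name says another
    return {"file": filename, "extension": ext, "header_type": kind,
            "status": status, "hex": hexdump(data)}


# Constructed sample files: a few header bytes plus filler, not real evidence.
SAMPLE_FILES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32,  # JPEG named .txt
    "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                 # PNG named .pdf
    "readme.txt": b"Dear diary, " + b"x" * 32,                         # plain text, no signature
}


def scan(files=SAMPLE_FILES):
    """Check every (name, bytes) pair and return one result record per file."""
    return [check_extension(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['file']:<12} ext={r['extension']:<4} header={r['header_type']}  -> {r['status']}")
        print(f"             {r['hex']}")
```

A file reported as "bad extension" is opened read-only in the hex editor from the working copy, never converted or re-saved, so that slack space and any embedded data survive for the report.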