In this digital forensics case study I used Autopsy, an open-source digital forensics platform, to investigate suspected criminal activity involving a computer system. Drawing on my knowledge of computer hardware, software and systems, I examined the digital evidence to uncover any incriminating information.
The investigation began with the acquisition of the suspect's computer system, with evidence integrity preserved throughout. In practice this means working from a forensic image rather than the original disk and verifying, before analysis begins, that the image still matches the hash recorded at acquisition. Using Autopsy's tools, I analyzed the system's storage, including hard drives, solid-state drives and external storage media.
Throughout the investigation I analyzed hardware components, software functionality and system artifacts, and compiled and presented the incriminating evidence found on the system.
The outcome of this case study shows the digital forensics methodology followed, with the integrity of the investigative process maintained while uncovering evidence to support legal proceedings.
2. TABLE OF CONTENTS
01 System Information
02 Person(s) of Interest
03 Artifacts & Evidence
04 Charges & Indictments
3. WAS IT A CRIME?
4. Software Used:
How it works?
To investigate this case I used Autopsy. Autopsy is an open-source forensics platform that is fast, easy to use, and able to analyze mobile devices and digital media.
Autopsy analyzes the major file systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2), hashing every file and unpacking standard archives (ZIP, JAR etc.) so that archive contents are hashed, indexed and searchable as well.
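As an added example (not code from this presentation or from Autopsy itself), the Python script below shows the two steps described above in miniature: it hashes every file under a directory, descends into ZIP/JAR archives so that archive members are hashed too, and compares the results against a known-hash set. The directory contents, the hash set and the size and nesting limits are constructed for this example; Autopsy's own hash lookup is MD5-based and uses sets such as the NSRL. The nesting and member-size limits are the caveat a practitioner wants here: a crafted archive that expands without bound (a zip bomb) must not take the examiner's workstation down.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Limits that keep a crafted archive (a "zip bomb") from exhausting the examiner's machine.
MAX_NESTING = 4
MAX_MEMBER_BYTES = 64 * 1024 * 1024

# Illustrative hash set (constructed for this example). A real case uses the NSRL or a
# case-specific list of known-bad hashes.
DEEP_PAYLOAD = b"payload hidden two archive levels down\n"
KNOWN_HASHES = {hashlib.sha256(DEEP_PAYLOAD).hexdigest(): "example-known-bad"}


def walk_bytes(logical_path, data, depth=0):
    """Yield (logical_path, sha256) for a file and, if it is a ZIP/JAR, for each member, recursively."""
    yield logical_path, hashlib.sha256(data).hexdigest()
    if depth >= MAX_NESTING:
        return
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return
    with zipfile.ZipFile(bio) as zf:
        for member in zf.infolist():
            if member.is_dir() or member.file_size > MAX_MEMBER_BYTES:
                continue
            yield from walk_bytes(f"{logical_path}/{member.filename}", zf.read(member), depth + 1)


def hash_tree(root):
    """Hash every file under root, descending into archives; returns {logical_path: sha256}."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for logical, digest in walk_bytes(rel, data):
                results[logical] = digest
    return results


def match_known(results, known=KNOWN_HASHES):
    """Return [(logical_path, label)] for every hashed object that is in the known set."""
    return sorted((p, known[h]) for p, h in results.items() if h in known)


def build_sample_tree(root):
    """Write constructed sample data: a text file plus a ZIP containing a JAR containing a file."""
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"meeting notes\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("deep.txt", DEEP_PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.txt", b"plain member\n")
        zf.writestr("nested.jar", inner.getvalue())
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(outer.getvalue())


def run_demo():
    """Build the sample tree in a temp dir, hash it and return (results, known_matches)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = hash_tree(root)
    return results, match_known(results)


if __name__ == "__main__":
    results, matches = run_demo()
    for path, digest in sorted(results.items()):
        print(f"{digest}  {path}")
    print("known-hash matches:", matches)
```

The logical path ("archive.zip/nested.jar/deep.txt") is what lets a hit inside an archive be traced back to the container it came from, which is the same reason Autopsy reports archive members as children of the archive in the tree.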
5. 01 System Information
6. PRINCIPAL PLATFORMS
NTFS
NTFS stands for New Technology File System, the file system Windows uses for storing and retrieving files on a hard disk.
Case NTFS Volume:
Bill Basher has a 1.89 GB NTFS volume to sort, about 18,000 files.
OS:
Bill Basher is using Microsoft Windows XP.
9. Course of Action:
After identifying the proprietor of the device I looked for any specially downloaded software. In these investigations I look for the following types of software:
● Remote Access Tools (RATs)
● Keyloggers
● Stealth software
● Anonymizing software
● Hidden or encrypted containers
In digital forensics, Registry hives are valuable sources of evidence. They can provide insight into system configuration, user activity, installed software, network settings and other crucial information. On Windows XP the per-user hive is NTUSER.DAT in Documents and Settings\<user>, and the SOFTWARE, SYSTEM, SAM and SECURITY hives live in WINDOWS\system32\config.
Example software:
● SpyShelter
● Tor
● NordVPN
● TrueCrypt
● Tails
11. Discovery
From the tree root, in a folder named "Bill", I encountered the Software folder, which contained a folder by the name "Heidi Computers Ltd". (A Bill > Software > vendor layout is what a user's registry hive looks like: installed programs record their per-user settings under Software.)
Method
Since the name was unknown to me I looked it up on the internet to discover what software "Heidi Computers Ltd" produces. From my research, Heidi Computers Ltd provides the program "Eraser", an advanced security tool for Windows that completely removes sensitive data from a hard drive by overwriting it several times with carefully selected patterns.
ERASER
The presence of a secure-deletion tool is notable in itself, but it does not show that the tool was run; that requires its execution traces (Prefetch entries, UserAssist keys, Eraser's own task list), and it is a reason to expect gaps when carving for deleted data.
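To make the kind of check that turned up "Heidi Computers Ltd" repeatable across the whole hive, here is an added Python example (not the author's code and not part of Autopsy) that reads a text export of registry keys in .reg format, as produced by reg export or by a hive viewer, and matches each key's path components and string values such as DisplayName against a watchlist built from the software categories in the Course of Action. The .reg text, the watchlist entries and the GUID-named uninstall key are constructed for the example; only the Heidi Computers Ltd to Eraser mapping comes from the slides. Matching is on whole path components and whole words so that a term like "tor" does not fire on "Monitor".

```python
import re

# Illustrative watchlist (constructed for this example): names that appear as registry key
# components or DisplayName-style values, mapped to (product, category). Extend per case.
WATCHLIST = {
    "heidi computers ltd": ("Eraser", "secure deletion / anti-forensic"),
    "eraser": ("Eraser", "secure deletion / anti-forensic"),
    "truecrypt": ("TrueCrypt", "encrypted container"),
    "tor": ("Tor", "anonymizing"),
    "nordvpn": ("NordVPN", "anonymizing"),
    "spyshelter": ("SpyShelter", "stealth / anti-keylogger"),
}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"\s*$')


def parse_reg_export(text):
    """Yield (key_path, {value_name: string_value}) from a .reg export; non-string values are ignored."""
    current, values = None, {}
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            if current is not None:
                yield current, values
            current, values = key.group("path"), {}
            continue
        val = STRING_VALUE_RE.match(line)
        if val and current is not None:
            # .reg escapes backslashes in string data as "\\"
            values[val.group("name")] = val.group("val").replace("\\\\", "\\")
    if current is not None:
        yield current, values


def triage_registry(text, watchlist=WATCHLIST):
    """One hit per key whose path component or string value names a watchlisted product."""
    hits = []
    for path, values in parse_reg_export(text):
        hit = None
        for component in path.split("\\"):          # exact match on a whole key name
            if component.lower() in watchlist:
                hit = (component, *watchlist[component.lower()])
                break
        if hit is None:                               # fall back to whole-word match in string values
            for name, value in values.items():
                for term, (product, category) in watchlist.items():
                    if re.search(rf"\b{re.escape(term)}\b", value, re.IGNORECASE):
                        hit = (f"{name}={value}", product, category)
                        break
                if hit:
                    break
        if hit:
            matched, product, category = hit
            hits.append({"key": path, "matched": matched, "product": product, "category": category})
    return hits


# Constructed sample export (not from the case image); the GUID key name is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Heidi Computers Ltd\Eraser]

[HKEY_CURRENT_USER\Software\Heidi Computers Ltd\Eraser\Settings]
"Language"="en"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt]
"DisplayName"="TrueCrypt"
"InstallLocation"="C:\\Program Files\\TrueCrypt\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3D9A2C-0000-4000-8000-000000000001}]
"DisplayName"="Tor Browser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Acme Monitor]
"DisplayName"="Acme Monitor 2.0"
"""

if __name__ == "__main__":
    for h in triage_registry(SAMPLE_REG):
        print(f"{h['product']:10} {h['category']:32} {h['key']}  (matched {h['matched']})")
```

The Uninstall key with a GUID name is the case that makes the value-based fallback necessary: many installers register under a product code rather than a readable name, and only DisplayName identifies the program.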
14. Bill Basher
Organization
Williams and Sons, Inc.
Method
In the "Data Source" section, within the "Data Artifacts" sub-tab, under "Operating System Information", the listing panel's "Source File Metadata" provides the pertinent details. Within the source denoted "BBasher.E01", the results identify both the proprietor and the organizational affiliation associated with this data source. (On Windows these are the RegisteredOwner and RegisteredOrganization values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion in the SOFTWARE hive, which is where Autopsy reads them from.)
16. Course of Action:
To learn the scope of the crime(s) committed, as advised, we first review the 'Recent Documents' section. Our mission is to unveil additional drive letters, beyond the primary C: drive, that Bill used to access files. My goal is to provide comprehensive insight into Bill's digital footprint.
The Recent Documents artifact comes from the .lnk shortcuts Windows writes to Documents and Settings\<user>\Recent; each one stores the full target path together with the drive type and volume serial number of the volume the file was on, so removable or external drives show up here even when the drive itself was never imaged.
17. 03 Artifacts & Evidence
18. In the provided images, notable anomalies emerge, including images depicting a Hummer vehicle juxtaposed with a draft proposal and an abundance of .lnk files referencing an individual identified as Wendy. .LNK files are Windows shortcuts; the shell creates one automatically in the user's Recent folder each time a file is opened, so many of them pointing at the same files indicates frequent interaction by Bill with the referenced files.
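The Recent Documents artifact and the drive-letter question on slide 16 both come down to what a .lnk file records. The following is an added Python example (not from the presentation and not Autopsy's code) that parses the MS-SHLLINK header and the LinkInfo/VolumeID block of a shortcut and groups the targets by drive letter, with the drive type and volume serial number that identify the physical volume behind each letter. The shortcuts are produced by a builder in the script, and their paths, serial numbers and timestamp are invented for the demonstration; real shortcuts may also carry an ID list (skipped here), network links and Unicode path variants (not handled by this minimal parser).

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit A
HAS_LINK_INFO = 0x02                  # LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit A
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_lnk(data):
    """Return target metadata from a Shell Link: local path, drive letter/type/serial, write time, size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows Shell Link")
    flags, _attrs, _ctime, _atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip IDListSize + IDList
    info = {"local_base_path": None, "drive_letter": None, "drive_type": None, "volume_serial": None,
            "target_write_time": filetime_to_datetime(wtime), "target_size": size}
    if flags & HAS_LINK_INFO:
        li_size, _hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:   # offsets are relative to the LinkInfo start
            _vsize, dtype, serial, _label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            end = data.index(b"\x00", pos + base_off)
            path = data[pos + base_off:end].decode("cp1252")
            info.update(local_base_path=path, drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                        volume_serial=f"{serial:08X}")
            if len(path) > 1 and path[1] == ":":
                info["drive_letter"] = path[0].upper()
        pos += li_size
    return info


def build_lnk(target_path, drive_type, serial, write_time, size):
    """Build a minimal Shell Link with a LinkInfo/VolumeID block (constructed test data, not a real artifact)."""
    ft = datetime_to_filetime(write_time)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_INFO, 0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, drive_type, serial, 0x10) + b"\x00"  # empty volume label
    base = target_path.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    return header + link_info


def drive_letters_from_lnks(lnks):
    """Group shortcut targets by drive letter; lnks maps shortcut file name -> raw bytes."""
    drives = {}
    for name, blob in lnks.items():
        try:
            info = parse_lnk(blob)
        except ValueError:
            continue                     # not a shortcut (mis-named file, slack, carve noise)
        letter = info["drive_letter"]
        if letter is None:
            continue                     # network or relative targets carry no local base path
        entry = drives.setdefault(letter, {"drive_type": info["drive_type"],
                                           "volume_serial": info["volume_serial"], "targets": []})
        entry["targets"].append((name, info["local_base_path"], info["target_write_time"]))
    return drives


# Constructed sample shortcuts: paths, serial numbers and timestamp are invented.
SAMPLE_WRITE_TIME = datetime(2010, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LNKS = {
    "proposal.doc.lnk": build_lnk(r"C:\Documents and Settings\Bill\My Documents\proposal.doc", 3, 0x1A2B3C4D, SAMPLE_WRITE_TIME, 40960),
    "photo01.jpg.lnk": build_lnk(r"E:\pictures\photo01.jpg", 2, 0x5E6F7081, SAMPLE_WRITE_TIME, 204800),
    "notes.txt.lnk": build_lnk(r"E:\notes.txt", 2, 0x5E6F7081, SAMPLE_WRITE_TIME, 1024),
    "backup.zip.lnk": build_lnk(r"F:\backup.zip", 3, 0x90A1B2C3, SAMPLE_WRITE_TIME, 5242880),
    "not-a-link.lnk": b"garbage",
}
EXAMPLE_DRIVES = drive_letters_from_lnks(SAMPLE_LNKS)

if __name__ == "__main__":
    for letter, d in sorted(EXAMPLE_DRIVES.items()):
        print(f"{letter}: {d['drive_type']} serial {d['volume_serial']} {len(d['targets'])} target(s)")
```

The volume serial number is the value to carry forward: if a removable drive is later seized, its serial number ties it to these shortcuts regardless of which letter it is assigned on the next machine.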
19. Who is Wendy?
The substantial volume of files has directed attention toward a person of interest identified as Wendy. As the next course of action, the objective is a systematic search targeting Wendy, focusing on points of contact such as email correspondence, to ascertain any previous interaction between the owner of this device (Bill) and the person of interest (Wendy).
20. COA:
Through this investigative method I found numerous instances of correspondence originating from the email address wendy1553@gmail.com. Within these interactions we find a message between Bill and Wendy conspiring to abduct the daughter of an assumed colleague, Stewart.
Evidence #1: Premeditation
The Email Parser module identifies Thunderbird MBOX files and PST format files based on file signatures, extracts the e-mails from them and adds the results to the Blackboard. The results show up in the "Results" > "E-Mail Messages" portion of the Tree Viewer.
Mbox files: a generic file format used to store email messages, one after another in a single text file.
PST format files: Personal Storage Table, commonly used by Microsoft Outlook to store email messages, contacts and other items.
22. COA:
In the same correspondence from wendy1553@gmail.com I also found a plot to plant incriminating images of child pornography on Stewart's computer, followed by an HR complaint that would have Stewart terminated and leave a convenient vacancy in his position for Bill.
Evidence A: Premeditation
24. COA: Upon further investigation into the interactions between Wendy and Bill, I came across an email showing that Wendy did not agree with his plan to remove Stewart from his position.
Wendy's Response:
She goes on to say, "You know I think the world of you Bill… That is Kidnapping.."
This shows a conflict of interest between the suspect and his hoped-for co-conspirator, yet no evidence was found of Wendy ever attempting to report this to management or the authorities.
27. Who is Stewart?
The correspondence exchanged between Bill and Wendy serves as a crucial lead in uncovering the identity and significance of Stewart, as well as the motives behind their collaborative effort to orchestrate the removal of a colleague. By sifting through the 54 keyword search results, my objective is to identify any pertinent exchanges between these two suspects, shedding light on the rationale behind targeting Stewart for expulsion from his position.
28. Identity:
Vice President Thomas Stewart, who currently occupies the coveted position that Bill aspires to attain.
COA:
Bill expresses a combination of frustration and vindictiveness stemming from his perceived stagnation within the company, despite his unwavering dedication to his role. His discontent is further exacerbated by his perception of Stewart's prolonged tenure within the company.
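The Email Parser module described on slide 20, and the keyword search over the Bill/Wendy correspondence used on slides 20 to 28, can both be reproduced for MBOX data with the Python standard library. The example below is an added one (not the author's code and not part of Autopsy): it reads an mbox file, keeps the messages sent to or from one address of interest, and records which case keywords appear in each message's subject or body. The mailbox content, addresses and keywords are constructed for the example. PST files are a different, binary format that needs a separate library such as libpff/pypff and are not covered here.

```python
import mailbox
import os
import re
import tempfile
from datetime import datetime, timezone
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample mailbox (example data, not from the case image).
SAMPLE_MBOX = """From alice@example.com Mon Mar 15 09:00:00 2010
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Lunch
Date: Mon, 15 Mar 2010 09:00:00 +0000

Lunch at noon?

From suspect@example.com Mon Mar 15 10:00:00 2010
From: suspect@example.com
To: "Contact" <contact1553@example.com>
Subject: the plan
Date: Mon, 15 Mar 2010 10:00:00 +0000

We move on Friday. Call me tonight.

From contact1553@example.com Mon Mar 15 11:30:00 2010
From: contact1553@example.com
To: suspect@example.com
Cc: bob@example.com
Subject: Re: the plan
Date: Mon, 15 Mar 2010 11:30:00 +0000

I am not comfortable with this.
"""

UNDATED = datetime(1970, 1, 1, tzinfo=timezone.utc)   # sort key for messages without a Date header


def body_text(msg):
    """Concatenate the text/plain parts of a message, decoding transfer encoding and charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def addresses(msg, *headers):
    """Lower-cased set of e-mail addresses found in the named headers (To/Cc/Bcc may list several)."""
    raw = [h for name in headers for h in (msg.get_all(name) or [])]
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def correspondence_with(mbox_text, address, keywords):
    """Messages sent by or to `address`, in date order, each with the case keywords it contains."""
    address = address.lower()
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "inbox.mbox")
        with open(path, "w", newline="\n") as f:   # mailbox.mbox needs a real file
            f.write(mbox_text)
        box = mailbox.mbox(path)
        try:
            for msg in box:
                sender = parseaddr(msg.get("From", ""))[1].lower()
                recipients = addresses(msg, "To", "Cc", "Bcc")
                if address != sender and address not in recipients:
                    continue
                text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
                results.append({
                    "date": parsedate_to_datetime(msg["Date"]) if msg.get("Date") else UNDATED,
                    "from": sender,
                    "to": sorted(recipients),
                    "subject": msg.get("Subject", ""),
                    "keyword_hits": [k for k in keywords if re.search(rf"\b{re.escape(k)}\b", text, re.I)],
                })
        finally:
            box.close()
    return sorted(results, key=lambda r: r["date"])


if __name__ == "__main__":
    for r in correspondence_with(SAMPLE_MBOX, "contact1553@example.com", ["plan", "friday", "vacancy"]):
        print(r["date"].isoformat(), r["from"], "->", ",".join(r["to"]), "|", r["subject"], "|", r["keyword_hits"])
```

Filtering on both the sender and the recipient headers is what makes this a two-sided view of the correspondence; searching only the From header would miss the messages the suspect sent to the address of interest.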
30. COA:
With a motive established and corroborated by textual evidence, it is imperative to conduct a thorough examination of Bill's browser history. This examination aims to uncover any searches that corroborate the motive or shed light on the strategies he intended to employ in executing the previously discovered plans.
In the Autopsy tree view, under the 'Data Artifacts' node, a sub-region denoted 'Web Search' lists the web searches keyed in by the user, recovered from text.dat.
Out of the 386 hits I found 2 entries that corroborate the previous evidence discovered:
● Inappropriate workplace computer usage
● How to get your boss to retire
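Autopsy's Web Search artifact is derived by recognising search-engine result URLs in the browser history and pulling the typed text out of the query string. The added Python example below (not from the presentation and not Autopsy's code) does the same for a list of history entries, collapses repeated visits and further result pages into distinct searches with first/last seen times and a hit count, and flags the searches that contain case keywords. The history entries and the engine table are constructed for the example; the two search strings are the ones reported on this slide.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Search-engine host patterns and the query-string parameter each puts the typed search in.
# Constructed table for this example; extend it for other engines seen in the history.
ENGINE_PARAMS = [
    (re.compile(r"(^|\.)google\.[a-z.]+$"), "q"),
    (re.compile(r"(^|\.)bing\.com$"), "q"),
    (re.compile(r"(^|\.)search\.yahoo\.[a-z.]+$"), "p"),
    (re.compile(r"(^|\.)duckduckgo\.com$"), "q"),
]


def extract_query(url):
    """Return (host, normalized search text) if url is a search-engine results page, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for pattern, param in ENGINE_PARAMS:
        if pattern.search(host):
            values = parse_qs(parts.query).get(param)   # parse_qs URL-decodes and maps '+' to space
            if values and values[0].strip():
                return host, " ".join(values[0].split()).lower()
            return None                                  # engine host but not a results page (mail, maps, ...)
    return None


def web_searches(history):
    """Collapse a [(timestamp, url)] history into distinct searches with first/last seen and hit count."""
    searches = {}
    for ts, url in history:
        found = extract_query(url)
        if not found:
            continue
        host, query = found
        entry = searches.setdefault((host, query), {"engine": host, "query": query,
                                                    "first_seen": ts, "last_seen": ts, "hits": 0})
        entry["hits"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return sorted(searches.values(), key=lambda e: e["first_seen"])


def flag_searches(searches, keywords):
    """Return the searches whose text contains any case keyword (whole word, case-insensitive)."""
    return [s for s in searches if any(re.search(rf"\b{re.escape(k)}\b", s["query"], re.I) for k in keywords)]


# Constructed sample history (ISO timestamps so that string comparison orders them correctly).
SAMPLE_HISTORY = [
    ("2010-03-10T08:15:02", "http://www.google.com/search?hl=en&q=inappropriate+workplace+computer+usage&aq=f"),
    ("2010-03-10T08:15:40", "http://www.google.com/search?q=inappropriate%20workplace%20computer%20usage&start=10"),
    ("2010-03-10T08:20:11", "http://www.bing.com/search?q=how+to+get+your+boss+to+retire&form=QBLH"),
    ("2010-03-10T08:25:00", "http://www.example.com/news?q=not+a+search+engine"),
    ("2010-03-11T19:02:33", "http://search.yahoo.com/search?p=weather+forecast&fr=yfp"),
    ("2010-03-11T19:05:10", "http://mail.google.com/mail/#inbox"),
]

if __name__ == "__main__":
    found = web_searches(SAMPLE_HISTORY)
    for s in found:
        print(f"{s['first_seen']}  x{s['hits']}  {s['engine']}: {s['query']}")
    print("flagged:", [s["query"] for s in flag_searches(found, ["boss", "workplace"])])
```

The second Google entry (a page-2 visit with the query percent-encoded instead of plus-encoded) collapses into the first search, which is why the count is reported per distinct query rather than per history row; a q= parameter on a non-search host is deliberately ignored.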
35. Charges & Indictments:
(A) Attempted False Imprisonment or False Reporting: If there is evidence that the suspect attempted to falsely implicate someone for a crime they didn't commit, they could be charged with attempted false imprisonment, false reporting, or a related offense.
(B) Conspiracy to Commit Kidnapping: Conspiracy to commit kidnapping involves planning or agreeing with others to unlawfully abduct someone. Even if the kidnapping itself doesn't occur, the act of conspiring to commit the crime is often considered a serious offense.
(C) Conspiracy to Commit a Crime: In addition to conspiracy to commit kidnapping, the suspect could face charges of conspiracy to commit other crimes if there is evidence of planning or agreement to engage in illegal activities with others.
(D) Cyber Espionage: Planting fake digital evidence on a target's computer to discredit or undermine their reputation, business or political standing.