Incident Management and Incident Response
Sadman Sakib
Student ID: 30049676
Module Lecturer: Ahmed Elmisery
Module Code: IY4S712
March, 2022
Contents
1 Background 1
2 Description of the forensic analysis tools 1
3 Executive summary 1
4 Detailed analysis output 2
4.1 Creating case in autopsy 2
4.2 Evidence 1: Suspected conversation emails 3
4.3 Evidence 2: Suspected images 8
4.4 Evidence 3: Fraud email 12
4.5 Evidence 4: Harassment email 12
4.6 Evidence 5: Inappropriate website 13
4.7 Evidence 6: Important documents 13
A Appendix A 21
1 Background
Digital forensics is the most complex element of a cybercrime investigation, and it
frequently generates the most persuasive evidence in legally actionable cases. The scientific
acquisition, analysis, and preservation of data held on electronic media that can be used
as evidence in a court of law is known as digital forensics. Digital forensics is an integral
aspect of the incident response process for organizations. Forensic investigators identify
and capture aspects of a criminal incident to be used as evidence by law enforcement.
In many cases, the rules and regulations that govern this process are crucial in determining
innocence in a court of law. Information and communication technology (ICT) now plays a
critical role in all businesses. Our society has gained several benefits as a result of ICT. At the
same time, it has exposed us to ICT-related system breakdowns and attacks. Because
the crime scene is in the digital world, cybercrimes are challenging to investigate: the
evidence gathered in the cyber domain is far less visible, and if the attackers have tried to
conceal their tracks, it can be tough to figure out how the threat got into the system. This
report discusses an intellectual property theft that took place at a university. We have to find
all the pieces of evidence, suspicious activities, fraud, and harassment in the digital media
gathered from the university employee's shared drive, and collect information about
the incident.
2 Description of the forensic analysis tools
To conduct this assessment, we use forensic tools such as AccessData FTK, FTK Imager,
Autopsy, Bitcrypt and PhotoRec. For the investigation itself, we use Autopsy.
3 Executive summary
The report includes the analysis of an incident case which happened at a university. The
case has been analysed with different methodologies and forensic tools. One of the
open-source forensic tools used is Autopsy. It is used for forensic analysis, including hard
drive investigation, with features such as multi-user cases, timeline analysis and registry analysis.
The case summary is presented in the report, which details the information processed
to identify the principal suspect in the digital crime. The evidence that has been gathered
and processed to identify distinct features such as unlawful purpose, motivation, and so
on is also covered in the report. Furthermore, the evidence gathered from the case
is discussed. The document also includes screenshots that show the information used for
setting up the experiment and for analysing and comparing the tool's performance. Different
web browsers are employed in the experimental setting to collect evidence and evaluate the
tool's functionality. The report covers all the suspected activities between the different
persons involved and the deleted items that were recovered, with explanations.
4 Detailed analysis output
In line with our objectives, we focused on obtaining evidence to support our investigation for
a UK university that hired expertise from the University of South Wales to investigate an IP theft
incident. A number of pieces of evidence have been gathered from the crime scene to support the case.
The evidence included a couple of essential files from a staff member's drive and several emails
recovered from the mail server. We started looking for evidence by
using Autopsy. Autopsy is a digital forensics platform and a graphical interface to The Sleuth Kit
and other digital forensics tools. Law enforcement, military, and business examiners
use it to figure out what occurred on a computer. It is also used to retrieve photographs from a
camera's memory card and from an organization's website. Autopsy is a
free, open-source application that supports a variety of additional digital forensics modules
and technologies, and it simplifies the installation of several of The
Sleuth Kit's open-source tools and plugins. The graphical user interface shows the results of
the forensic search of the underlying volume, making it easier for investigators to identify
relevant data portions (CYBERVIE 2019; Subramanian 2020). Some of the features of
Autopsy are:
1. Multi-User Cases: On large cases, cooperate with other examiners.
2. Timeline Analysis: Helps identify activities by displaying system events via a graphical
interface.
3. Keyword Search: Text extraction and index searching modules to identify files that
contain specified terms or matching patterns.
4. Web Artifacts: Extracts web activity from popular browsers to assist in identifying
user activity.
5. Registry Analysis: RegRipper is used to locate recently accessed documents and
USB drives.
6. LNK File Analysis: Detects shortcuts and documents that have been accessed.
7. Email Analysis: Messages in MBOX format, such as Thunderbird, are processed.
8. Android Support: Data can be retrieved from SMS, phone logs, contacts and other
applications.
4.1 Creating case in autopsy
To initiate our investigation, we received the image file named "CW_Image.001". We start
the investigation by creating a case in Autopsy, as shown in figure 1. Then we select the image
file, which the experts recovered from the flash drive, as shown in figure 2. After
loading the image, we can see all the options needed to examine the image file for evidence of the theft.
Figure 1: Case Creation
On the left panel of the Autopsy tool, we can see different views for locating our findings:
data sources, file types, deleted files, emails, etc. At the top, we can access the
timeline, which is used to establish the time frame of every conversation, and we can also
download the report of our investigation.
4.2 Evidence 1: Suspected conversation emails
As mentioned, a number of emails have been recovered, so we started our investigation
from the email section shown in figure 3. At first, we suspected two persons from the emails: one named
"Dr. John Haggerty," who is a lecturer in Information System Security at the University of
Salford, and another one, Freddy, who is a friend of Dr. John. The reason for suspecting
them is that Dr. John continuously sends personal messages from his university email
to his friend Freddy, which he shouldn't do. After analysing their conversation, we noticed
that Dr. John is complaining about his wife cheating on him, as shown in figure 4;
Freddy and Dr. John are discussing something significant which shouldn't be disclosed; and
Freddy was asking for Dr. John's number to send him something important which could not be
sent over email, as shown in figure 5. Also, Dr. John and Freddy have both shared some
long coded messages, which make the conversation more suspicious, shown in figures 6 and 7. I have
tried to decode those messages with different websites such as "CyberChef" and "cypher tools"
and tried other formats to break the codes, as shown in figure 8. Freddy also sent a gift to
Dr. John for something, which can be seen in the email in figure 9. The reply to that
email was in the deleted items, as shown in figure 10, and we can see a yellow
arrow indicating something noticeable in the email.
Figure 2: Selecting image file
Figure 3: Email Section
Figure 4: Conversation 1
Figure 5: Conversation 2
Figure 6: Conversation 3
Figure 7: Conversation 4
Figure 8: Decoding text
Figure 9: Conversation 5
Figure 10: Conversation 6
Figure 11: Suspected picture
4.3 Evidence 2: Suspected images
From our investigation, we also identified two pictures with the same name in the
case file, "Granada_2012(v3).bmp", as shown in figure 11. This picture might be a
sign or a message between Dr. John and Freddy. It could be a place where Dr. John
and Freddy will be meeting, or they may be hiding secret messages in it. I used software
named "Bitcrypt" to try to decrypt it; the software was downloaded from a website called
"Softpedia," which I found in the current session section shown in figure 12. Again, to
find a message in the image, I tried to decrypt the image with the software "Bitcrypt."
But from figure 13 we can see that it requires a secret key to decrypt the image. To find the
key, we started to look in the "current session" folder shown in figure 14, which may
store all the logs of the device, but no such key was found there. I also tried different
ways to recover it. I used Kali Linux to find the differences between the two images. I used the
command "compare -verbose -metric PSNR Granada_2012(v3).bmp Granada_2012(v3).bmp
new.bmp" to check the quality measurement between the original and a compressed image,
shown in figure 15. Another interesting point I noticed is in the image section. In the image
section, we can see 53 images, where the "Granada_2012(v3).bmp" image has something
noticeable, and there are some deleted images. From that, we noticed that some images
in ".jpg" format were created with software called "GIMP", shown in figures 16
and 17. By investigating "GIMP" further, we found that it is an open-source graphics
editor that is used to edit or manipulate images. For more details,
see Appendix A. So, from my point of view, the software has been used to modify the current
images or hide secret messages in them.
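The PSNR comparison above tells an examiner how far two same-named images differ, but not where. The following is an added example, not code from the report or from Autopsy or ImageMagick: it builds a constructed 16x16 greyscale cover image and a "suspect" copy whose least-significant bits carry a short payload (the kind of modification the report suspects GIMP was used for), then computes the same PSNR figure that `compare -metric PSNR` reports, checks whether every change is confined to the LSB plane, and reads the LSB plane back out. The pixel values, payload and image size are all assumptions made for the demonstration.

```python
import math

WIDTH, HEIGHT = 16, 16


def make_cover():
    """Constructed 16x16 8-bit greyscale cover image as a flat list of pixel values."""
    return [(i * 7) % 256 for i in range(WIDTH * HEIGHT)]


def embed_lsb(pixels, payload):
    """Return a copy with the payload's bits written into the first pixels' LSBs.

    This only manufactures the 'suspect' image for the demo; the analysis is below.
    """
    out = list(pixels)
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def mse(a, b):
    """Mean squared error between two equally sized pixel lists."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def psnr(a, b, max_value=255):
    """Peak signal-to-noise ratio in dB; identical images give infinity, as compare does."""
    err = mse(a, b)
    return math.inf if err == 0 else 10 * math.log10(max_value ** 2 / err)


def changed_pixels(a, b):
    """Indices of pixels whose values differ between the two images."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def lsb_plane_bytes(pixels, nbytes):
    """Reassemble nbytes from the LSB plane, the way a stego check would."""
    out = bytearray()
    for n in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[n * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def analyse(original, suspect):
    """Summarise how the suspect image differs from the original."""
    diff = changed_pixels(original, suspect)
    return {
        "psnr_db": psnr(original, suspect),
        "changed": len(diff),
        "max_abs_delta": max((abs(original[i] - suspect[i]) for i in diff), default=0),
        # XOR of 1 means only the lowest bit moved: the signature of LSB embedding.
        "changes_confined_to_lsb": all(original[i] ^ suspect[i] == 1 for i in diff),
        # Heuristic: the payload is at least as long as the last changed pixel implies.
        "lsb_bytes_touched": (max(diff) + 8) // 8 if diff else 0,
    }


if __name__ == "__main__":
    cover = make_cover()
    suspect = embed_lsb(cover, b"HI")  # constructed payload for the demo
    report = analyse(cover, suspect)
    print(report)
    print(lsb_plane_bytes(suspect, report["lsb_bytes_touched"]))
```

A high PSNR with every change confined to the LSB plane is exactly the pattern that a visual comparison such as figure 15 cannot reveal, which is why the per-pixel check is worth running alongside the metric.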
Figure 12: Current session file
Figure 13: Bitcrypt software
Figure 14: Current session of the image file
Figure 15: Comparing differences between two pictures
Figure 16: Suspected picture 1
Figure 17: Suspected picture 2
Figure 18: Fraud email
Figure 19: Harassment email
4.4 Evidence 3: Fraud email
Next, we identified another email from "becker,lorie" which seems to be a fraud email,
as no recipient was found in the email. Inside the email there was a link, which may be
fake and intended to gain access to someone's email account, as shown in figure 18.
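The email findings in sections 4.2 and 4.4 rest on three observations an examiner makes by reading each message: long encoded strings in the body, a message with no recipient, and a link whose visible text does not match where it points. The following is an added example, not code from the report or from Autopsy, and it swaps the manual CyberChef decoding described above for an automated first pass: it parses raw RFC 822 messages with Python's standard `email` module, tries base64 and hex decoding on long runs of encoded-looking characters, and flags missing recipients and mismatched links. The three sample messages, and every address and host in them, are constructed for the demonstration and do not come from the evidence image.

```python
import base64
import binascii
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages standing in for the recovered mailbox; the hidden
# text is encoded here so the demo does not depend on a hand-typed base64 string.
HIDDEN_TEXT = "Secret meeting at the usual place, Saturday 10am"
SAMPLE_MESSAGES = [
    "From: john@example-university.test\n"
    "To: freddy@example.test\n"
    "Subject: re: that thing\n\n"
    "Here it is, do not forward:\n"
    + base64.b64encode(HIDDEN_TEXT.encode()).decode() + "\n",
    "From: becker,lorie <lorie@example-mail.test>\n"
    "Subject: Account verification required\n\n"
    "Your mailbox is full. Click "
    '<a href="http://mail-verify.example-bad.test/login">'
    "https://webmail.example-university.test</a> to keep access.\n",
    "From: freddy@example.test\n"
    "To: john@example-university.test\n"
    "Subject: lunch\n\n"
    "See you at noon.\n",
]

# Runs long enough that ordinary words will not trip them.
BASE64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){12,}\b")
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def message_text(msg):
    """Concatenate the text bodies (plain or HTML) of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def decode_blobs(text):
    """Return printable strings recovered from base64 or hex runs in the text."""
    candidates = []
    for match in BASE64_RUN.finditer(text):
        try:
            candidates.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue  # wrong padding or stray characters: not base64 after all
    for match in HEX_RUN.finditer(text):
        candidates.append(bytes.fromhex(match.group(0)))
    results = []
    for raw in candidates:
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # decodes, but not to text; a keyword search would not help
        if decoded.isprintable():
            results.append(decoded)
    return results


def suspicious_links(text):
    """Return (href, shown_text) pairs where the visible URL points at another host."""
    flagged = []
    for href, shown in ANCHOR.findall(text):
        shown = shown.strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                flagged.append((href, shown))
    return flagged


def triage(raw_message):
    """Summarise the indicators discussed in the report for one raw message."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    return {
        "sender": msg.get("From", ""),
        "missing_recipient": msg.get("To") is None and msg.get("Cc") is None,
        "decoded": decode_blobs(text),
        "suspicious_links": suspicious_links(text),
    }


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        report = triage(raw)
        flags = [k for k in ("missing_recipient", "decoded", "suspicious_links") if report[k]]
        print(report["sender"], "->", ", ".join(flags) or "nothing noteworthy")
```

Messages that Autopsy has already parsed from an MBOX can be fed to `triage` one at a time; anything it flags still needs the manual review the report describes, since a long product key or a legitimate tracking link will trip the same heuristics.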
4.5 Evidence 4: Harassment email
After that, we identified an email containing a harassment message from Dr. John to Freddy
about his wife. Dr. John used his university email to send the message, as shown in
figure 19.
Figure 20: Inappropriate website link 1
4.6 Evidence 5: Inappropriate website
We also noticed some inappropriate website links inside the image file, in the "happy days"
section of the current session file, shown in figures 20, 22, 24 and 26. In the
current session, we found unusual website activity in the image, which
might have some connection with Dr. John. So we tried to open the websites and found
different types of information on different problems, as shown in figures 21, 23, 25 and
27.
4.7 Evidence 6: Important documents
We looked for documents in the suspected case file that could give us any hint in our
investigation. From the file view section, we found three Word document files named "INTELLECTUAL
PROPERTY PROPOSAL.doc", "MetaFor.doc" and "TagSNet.doc", shown
in figure 28. As we can see, there are two yellow arrow icons beside "INTELLECTUAL
PROPERTY PROPOSAL.doc" and "TagSNet.doc," which means they have a possibly noticeable
analysis result score. Starting with "INTELLECTUAL PROPERTY PROPOSAL.doc,"
the document is about "Automated forensic search of the hard drive" and the author
of the paper is "John Haggerty, University of Salford." The document is guidance on
searching files inside a hard disk drive forensically without changing the integrity of the
original file. To perform the analysis, a couple of processes should be followed, and proper
precautions should be taken. The whole document is an asset of the University of Salford,
and the background of the paper has a watermark labelled "Confidential," which means only
University of Salford employees have the authority to access the document. No outsider can
access it. From my findings, it seems Dr. John has sold the paper to someone, or he was
leaking the idea of the University of Salford to someone else. As Dr. John and Freddy's
email conversation has some suspicious activity, there is a chance that Dr. John has
sold the document to Freddy. Inside the document section, there is another document named
"TagSNet." The "TagSNet" document is about the process of email data analysis for forensic
investigation and how one examiner can sort through a massive volume of email data. The author
of the document did research on this image file. The paper discusses the email investigation
process with forensic tools such as FTK and EnCase and mentions how they are used to analyse
storage media and email data. The author also discussed how email data is processed in two
ways: social network information and textual information. The document also mentions
an organization called "Enron," which was a big energy organization, and describes how it
faced bankruptcy, shown in figure 29. From the suspected image, we also identified emails
from the "Enron" organization, as shown in figure 30. The author also described two
network narrative approaches in his document: the "Genie folder network narrative" and
the "Mark folder network narrative", where he explained how those networks are
composed of various types of words, emails, and actors, as shown in figure 31 and figure 32.
Overall, the author gave a piece of knowledge about what is inside the image file.
Figure 21: Suspected website 1
Figure 22: Inappropriate website link 2
Figure 23: Suspected website 2
Figure 24: Inappropriate website link 3
Figure 25: Suspected website 3
Figure 26: Inappropriate website link 4
Figure 27: Suspected website 4
Figure 28: Identified documents
Figure 29: Information from the document
Figure 30: Emails from Enron
Figure 31: Network narrative 1
Figure 32: Network narrative 2
References
CYBERVIE (2019), ‘Introduction to autopsy | an open-source digital forensics tool’.
Subramanian, B. (2020), ‘An overview of autopsy: Open source digital forensic platform’.
A Appendix A
GIMP is an image manipulation program that runs on different operating systems and is used
for various purposes; see figure 33.
Figure 33: GIMP website