Digital Forensic Analysis Report Of Suspicious Activities At Exotic Mountain Tours Service

Forensic Examination of Graphic Files

The Exotic Mountain Tour Service and the Superior Bicycles (LLC) entered into a deal in which the later was to roll out an advert of its new product, but with conjunction with the former. The deal, it appears was supervised by a contract travel agent, Bob Aspen, and part of the deal was not to reveal any critical information or data to outside competitors. Bob, however appears to have breached the contract and has engaged in a series of malicious activities that have left the management at EMTS suspicious. Key to these activities are a USB drive believed to have been used to transfer some critical information that could be part of the deal between the two firms as well. The web-based email filter at the EMTs systems has revealed a series of blocked conversations that Bob could have initiated. Now that the USB has been found at a desk that was assigned to the agent, it sends the management to undertaking a digital forensic analysis in a bid to establish whether in actual sense, Bob entered into malicious engagements with their competitors.

This report is step-wise analysis of the evidence given, as run in ProDiscover digital examination tool and conclusion of the finding.

In forensic examination involving graphic files, locating and recovering such files from the suspects’ drive and determining which are key to the examination is an important undertaking, while ensuring that data is not compromised in the process of locating, recovery and analysis, as well as presentation (Enos & H). This means that the collected evidence has to be specially handled, and stored for both analysis and presentation purposes. Additionally, it is wise to examine all materials found with the suspect, or on their premises to ascertain whether a crime or data breach occurred or not (forensicsciencesimplified.org, 2013).

This analysis undertaking involves examination of a USB drive, to check if it contains any sensitive data, whether hidden or not, and an analysis of two screen shots obtained from the email-based on a web-server system. Exchangeable image file formats can be examined based on information in the pictures/graphics since each picture, represented in pixels, contains a header section which gives instructions and information in regard to image display, and the file format (Philip , 2011). Although it is hard to memorize details contained in the header, it is wise to do a comparison of the images with the suspected ones. Once this is established, examination can take place, but one has to ensure that any fragmented files on a disk are reconstructed so as to help identify any useful patterns used in the graphics files. Any damaged headers should be repaired as well.

Step by Step Analysis of the Drive

The analysis of the presented media and media device was conducted on a ProDiscover Basic platform, and conclusions made based on the unmasking made or observed.  

Exponential growth in the field and manufacture of flash drives has been experienced thanks to the ever evolving technology. Data stored in external and internal drives could be a reflection of human behavior and depending on the circumstances, may be subjected to forensic analysis (Krishnum). A USB device believed to have been used by Bob Aspen is under investigation in this case, and this analysis will be focusing on searching for any available data that could lead to meaningful evidence, from both allocated and unallocated disk space, or to determine any related data was actually deleted.

Following is a step by step analysis of the drive:

On opening the flash drive on my personal computer, it was found that it was empty and no files in it. This prompted a logical capture of the drive’s image using ProDiscover software, an undertaking that revealed that in fact, the disk had some data in it since a 27.0 MB memory space was marked as used/allocated while a total of 7.49 GB was unallocated.

Upon capturing the image in ProDiscover, the log file was checked for any errors a process that unmasked many deleted files. As a consequent, these deleted files were dinged in order to unmask any suspected files. A total of seven files were classified as being suspicious.

Since the suspicious files were corrupted and could not work, winhex tool was used to try read the content of these files leading to the realization that the file extensions had indeed been changed thus rendering them unreadable.

Among those files was a file with an .html extension. This prompted further analysis bringing to my knowledge the existence of some message conversations.

Another evidence unmasked was that there was a picture hidden in a text file. On opening it the picture was under passport number “123456” that was obtained from the html file. On accessing the content of the text file under the name SECRET, it was revealed that in deed some malicious engagements took place between Bob and some outside parties.

The following images (chain of custody) were obtained from the web filter system, a system that ‘listens’ to email communications taking place within the organization’s intranet, and blocks any if it finds them as being malicious or if they have questionable attachments.

Forensic Investigation of Hidden Data

Since there is little information as to what to search for in the presented USB drive as at no, some assumptions ought to be made based on what can currently work? An analysis of the first picture of the interrupted email conversation reveals the following.

1. That the email was sent from an individual whose address is [email protected] the intended recipient was Bob Aspen, the firm’s contract as indicated by the recipient’s email address [email protected]
2. Looking at the date in which the conversation took place, it was established that the exchange took place on February 4, 2007 at 9:21 Pm time.
3. Casting an eye to the second screen shot gave the following facts:
4. The sender was identified as Jim Shu, and the conversation took place on February 5, 2007 at 5: 17 AM- 0800 GMT.

The findings from these two conversations is that Jim in actual sense sent the first one, later forwarded to [email protected]’,  an argument that is validated by the timestamps of each mail- Jim Shu’s timestamp is later than that of terry, although the two could be in different time zones, with Jim somehow East of Terry Sadler. If this is not the case, then we shall have to infer that the email server timestamp is or was rather off, given the fact that timestamp to any activity in the network system is provided by the server itself.

From the first message, Jim tells Terry to have Bob change some unknown file extensions from .txt to .jpg. These files, it is revealed are about some new kayaks. Terry replies, in the last line, that Bob can’t receive the message. The greater assumption that is made at this point is that the person being referred to is actually the contract travel agent- Bob Aspen and the following facts remain irrefutable.

• That Jim Shu’s email in fact refers to JPEG files,
• That the attached files- by Jim, are actually .txt files, only that the extensions have been changed possibly to cover up a fraud.
• That these attachments could be photographs of the new kayaks that Jim refers to in his email.
• And that the email accounts engaged in this conversation are [email protected], [email protected] [email protected]

Second email leads us to the conclusions that;

• Jim has in real sense visited the kayaks factory, thus directly implicating him, and the trio in general.
• There is another party who has shown interests in the factory.
• The modified (using a hexadecimal editor) JPEG photos have in real sense been smuggled out by Jim.
• Jim instructs his counterparts to reedit the photos and add the .jpeg extension to make them viewable.
• Jim in real sense thinks that Bob works in the EMTs and a copy of this email was sent to (cc) [email protected]

Could be that Bob downloaded the files in question to his USB drive and deleted them, and as such an extensive search in all sections became necessary. Here understanding the core difference between the JFIF JPEG and EXIF JPEG file formats was crucial here, so as to understand how to do the search. While the JFIF format contains 0x FFD8 FFE0 in its first four bytes, the EXIF has 0x FFD8 FFE1 as its the sixth byte.

 In the second e-mail, Jim Shu mentions 0x FF D8 FF E0, which is a JFIF JPEG format. Requesting its sixth byte to be changed to a 0x4A, an upper case character J. (Melanie, 2017).

These files could have been downloaded to the USB drive, altered and then deleted by Bob, and a thorough search- both in the allocated and unallocated sections of the drive- was therefore done using the forensics tool aforementioned.

Procedure for search:

1. Start ProDiscover Basic-as an admin, click the New Project toolbar button. In the New Project dialog box, typeC10InChpfor the project number and filename, and then click OK.
2. Click Action from the menu, point to Add, and click Image file.
3. In the Open dialog box, navigate to your work folder, clickC10InChp.eve, and then click Open. If necessary, click yes in the Auto Image Checksum message box.
4. To start the search process, click the Search tool bar button or click Action, the menu to open a search dialog box.
5. Click the Cluster Search tab, and then click the Case Sensitive check box. Under Search for the pattern(s), typeFIF Under Select the Disk(s)/Image(s) you want to search in, click theC10InChp.evefile, and then click OK.
6. Once the search is complete, click the first search hit, 4CA (1226), to display the cluster’ Searching clusters in ProDiscover Locating and Recovering Graphics Files393
7. When the search is done, click the first search hit, 4CA (1226), to display the cluster’s content.
8. Double-click the highlighted row4CA (1226) to display the cluster view.
9. Next, you need to locate the file. Right-click cluster block4CA (1226) and click Find File, and then click Yes in the warning message. From the List of Clusters dialog box, click Show Fi, and then click Close.
10. In the work area, right-click the gametour2.exefile and click Copy File. In the Save As dialog box, delete the original filename, typeRecover1.jpg, and then click Save to save this file in your work folder.
11. Click File, Exit from the menu, and then click yes to save this project in your work folder.

Conclusion

From the email conversations and the results of rebuilding damaged file headers, and that it was hard reading from some of the recovered fields, it became evident that Bob in fact engaged in data breach activities. This information was specifically shared to stakeholders in a newly established firm that was dealing with the same product, Kayaks.

The analysis of the evidence presented was done on a ProDiscover digital forensic software running on Windows PC.

References

Enos, K. M., & H, S. V. (n.d.). User-generated Digital Forensic Evidence in Graphic Design Applications. Retrieved May 22, 2018, from users.cs.fiu: https://users.cs.fiu.edu/~fortega/df/research/images/paper5.pdf

forensicsciencesimplified.org. (2013). A Simplified Guide To Digital Evidence. Retrieved May 22, 2018, from forensicsciencesimplified.org: https://www.forensicsciencesimplified.org/digital/how.html

JenningsSmith Associates. (n.d.). Computer Hacking Investigations, Evidence Collection, and Data Recovery Services. Retrieved May 22, 2018, from JenningsSmith Associates: https://www.jsainvestigations.com/private-investigation-services/cyber-forensic-investigations-evidence-collection-data-recovery/

Krishnum, S. (n.d.). A forensics overview and analysis of USB flash memory devices. Proceedings of the 7th Australian Digital Forensics Conference . Edith Cowan University . Retrieved May 22, 2018, from https://pdfs.semanticscholar.org/4ebd/c730818d801841bbdb3879bebdb67fcb8f54.pdf

Melanie, N. (2017, October 17). Recovering Graphics Files. Retrieved May 22, 2018, from SLIDEX.TIPS: https://slidex.tips/download/recovering-graphics-files

Philip , C. (2011). Digital Forensics Tool Testing –Image Metadata in the Cloud. Retrieved May 22, 2018, from brage.bibsys: https://brage.bibsys.no/xmlui/bitstream/handle/11250/143978/Philip%20Clark.pdf?sequence=1