Mr. Donald Price is an employee of the Art Gallery, which is based in Melbourne, Australia. He was recently suspended for suspicious behaviour, and an audit discovered that the pieces he is responsible for have disappeared from the gallery. As the investigation proceeded, it was found that Mr. Price had deleted the data from the hard disk completely, using software to wipe the disk clean, which makes data recovery difficult. Investigators did, however, find a CD in the CD-ROM drive of the computer, and the device along with the CD-ROM drive was confiscated on the spot. Mr. Price denied the claim that the USB belongs to him, but the investigators were able to conclude, based on the security room footage of Mr. Price, that the CD does indeed belong to him.
When Mr. Price's office was raided, the computer system with the hard disk (which had already been wiped) was collected, and the CD-ROM drive with the CD in it was recovered as well. It seems Mr. Price was unable to destroy the disc or forgot it in the hurry. As concluded by the investigating officers:
The following is a summary of the records that were found on Mr. Price's CD-ROM and the forensic approaches that were applied to it. The detailed steps were made into the report and all the investigations are being:
The office was raided on 3rd March 2003 and the system along with the CD-ROM was handed over to the investigating officer on 4th March 2003; till then the evidence was in the secure custody of the investigating officer. Copies of the HDD data and the CD-ROM were created using special software and hardware so that nothing is written to the devices, even accidentally.
The environment used to analyze the system is a Windows 7 based operating system running on a Core 2 Duo based processor. The image is verified using the MD5 hash as well as the SHA256 hash to be sure that the image is intact and that no changes have been made to the evidence.
The software used for forensic purposes is ProDiscover and WinHex. WinHex has the special ability to work on image files and to read a file sector by sector, which provides flexibility in the research.
The imaging of the entire device disk was carried out using the ProDiscover software; the CD-ROM was copied using ISOManager to produce the respective ISO file of the CD.
The disk is copied using the bit-by-bit option, which gives an exact copy of the system under consideration, and all forensic activities can be done on this HDD copy.
Once the devices were copied, we began our investigation using the WinHex tool, which is ideal where CD-ROM data needs to be analyzed.
MD5 Hash of the Image File:
The MD5 of the CD-ROM image is computed in order to be sure that we are working on the same disk, that the file copy is intact and that no changes have been made to the ISO image of the disk.
SHA 256: F9CE6605722A954EC94594F529AB2B14F9A4BA944254231D6AA2912FBE05A3A5
Multiple hash values make sure that the image has not been manipulated and that the data is secured properly. A hash of a single type is more than enough, but to be doubly sure the hash value is checked with another algorithm under certain conditions, as it is quite difficult to obtain the same hash if any changes are made to the system.
The operating system was installed fresh in a virtual machine and the networking components were disabled, hence no external interference was possible. The image was transferred and double-checked against the hash values, and then further instructions were performed.
A total of 15 files were recovered from the system; their names and respective MD5 hashes are listed below:
Filename | MD5 (128-Bit) |
01.jpg | 7AEFE0CB11258D42BF06F07468C58AAE |
02.jpg | 2C3150497EBACD954148CAE4C27B8FED |
03.jpg | D3CE976CA25B8E2614F7D0E6236BDE79 |
04.jpg | F367A94C8DBD420F0B64E8BCF7B24EC7 |
05.jpg | 59E32500E3ECA624BAA463315637323A |
06.jpg | 51A1C61B19B652E9A47F098A904CA996 |
07.jpg | 61D60898ADE86F97DB14778610E79651 |
08.jpg | B01CE55D01875A4449535BFF93CC4B13 |
Autorun.ini | 470940D5770C990EDBCA9F165FC77C9A |
Index.html | D0E3CC26D2378F672BDF066353ED0990 |
msvcr100.dll | 67EC459E42D3081DD8FD34356F7CAFC1 |
Okay.exe | 39A2AC1A1274D0DAEE64FFFF480A16E4 |
Oz.tc | 79240D4082BAF6D3613CB55F7E0873E3 |
OzTrailer.mp4 | C191732D3F8789A1A8E46A783D213E43 |
Script.js | C0E1DD663B4953AE2F398F91099A0611 |
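The checks described above (hashing the image with two algorithms, re-checking the copy after transfer, and recording an MD5 per recovered file) can be scripted. The following Python is an added example, not part of the original report or of ProDiscover or WinHex; the function names and the sample image are constructed for illustration.

```python
# Added example: constructed data only; all names here are illustrative.
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory

def digest_file(path, algorithms=("md5", "sha256")):
    """Hash a file once, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only: the evidence copy is never written
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}

def verify_image(path, recorded):
    """Return the algorithms whose digest differs from the acquisition record."""
    current = digest_file(path, tuple(recorded))
    return sorted(name for name, value in recorded.items()
                  if current[name] != value.strip().upper())

def build_manifest(root):
    """Map each file under root to its MD5, like the recovered-file table."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): digest_file(p, ("md5",))["md5"]
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def demo():
    """Acquire a constructed image, copy it, then alter one bit of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "evidence.iso")        # constructed sample, not case data
        image.write_bytes(b"CD001" + bytes(4096))
        recorded = digest_file(image)            # values noted at acquisition
        copy = Path(tmp, "working.iso")
        copy.write_bytes(image.read_bytes())
        intact = verify_image(copy, recorded)    # empty list: copy matches
        data = bytearray(copy.read_bytes())
        data[100] ^= 0x01                        # single flipped bit
        copy.write_bytes(data)
        altered = verify_image(copy, recorded)   # both digests now differ
        return intact, altered, build_manifest(tmp)

if __name__ == "__main__":
    print(demo())
```

`verify_image` normalises case and surrounding whitespace, so a value typed into a report in lowercase still compares equal to the computed digest.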
Further investigation was done to search for special terms like jpg and jpeg, as it’s an old saying that “a picture reveals more than a thousand words”.
The seriousness of the offence committed by Mr. Price can be gauged from the fact that the entire hard disk partitions were deleted and that Mr. Price encrypted the images on the CD-ROM, which shows the seriousness and advance planning on his part. The exe file that was recovered from the CD-ROM can log the user out of the system and may be intended to harm the files of the system.
Of the many files that were traced, the 8 image files seem suspicious and their names are not what they seem to be. Using S-Tools we now check the images for steganography and try to reveal the data. The keywords for the passphrase we would be trying are:
We may try the different encryption techniques used in S-Tools to reveal the data, in combination with the keywords. The encryption techniques that are available in S-Tools are:
Using the various combinations and right-clicking on the images under investigation, we checked them for any revealed data.
After the successful attempts, we were able to recover data from one of the disks that contains a lot of information about the system and how the artifacts were sold off, with bank account numbers and other details related to the case: enough evidence to prove that Mr. Price is guilty.
The revealed text is a table with three columns: name, num and bank.
Charges that could be framed on Mr. Price
There are a number of charges that can be framed against Mr. Price, among them the destruction of evidence, which carries a maximum of two years in jail according to Australian law.
According to the investigation, Mr. Price holds data that could have been used to commit a serious crime, and the missing artifacts can now be seen as the tip of the iceberg. Article 247E according to the law of Victoria states that:
(a) having possession of a computer or data storage device that holds or contains the data; and
(b) having possession of a document in which the data is recorded;
(c) having control of data held in a computer that is in the possession of another person (whether the computer is in Victoria or outside Victoria).