Forensic Report

Instructions: For the Final Exam Report, you will be doing a simple forensic investigation of a hard drive image. In the scenario below you are asked to answer certain questions through examination of this system.

This part of the exam is worth 60 points (3 points per question, 3 points for any grammar or spelling errors per question).

You will submit a forensic report that includes the answer to the questions, along with supporting evidence to show how you got the answers. Keep in mind the answer to a question might be that there is no evidence of something actually occurring (because it didn’t), so if you can’t find evidence that something did happen, then that’s your answer (and how you confirmed it). This is designed to test your investigation skills, applying the lab/homework assignments we’ve done over the semester, and the reading you’ve been assigned. Remember the way to answer a question may come from your reading assignments, not necessarily something I covered in a lecture.

Since this will be similar to an “official” report, make sure you include things like:

· Software used and versions

· Any testing you did to confirm your findings

Ground Rules:

1) Your final report is to be submitted to me electronically by 12/16/2022 at 6:00pm Central. NO EXCEPTIONS.

2) Make sure your name is on EVERY page of the report. Put it in the header or footer.

3) You are allowed to ask for help from your fellow classmates or work in groups.

4) You are allowed to search for information online to help you answer the questions.

5) You are NOT allowed to ask for help from anyone outside of your classmates in the Fall 2022 CS340/440 class.

6) You must submit your own individual report. I don’t want to receive 20+ copies of the same report.

7) I will take off points for spelling/grammatical errors!

8) You may use any forensic software tool to find the answers. Not just the tools on your Windows 10 VM.

9) You can copy the hard drive image to another machine. You do not have to do the examination on the Lab VM’s. OneDrive folder with the image can be found here: Final Exam Evidence

10) You must submit your report via Sakai in the Assignments section. If your file is too large for Sakai you can either email it to me, or send me a link to where I can download it.

11) DO NOT SIMPLY SUBMIT A DOCUMENT WITH THE QUESTIONS AND THE ANSWERS. You will lose 30 points right off the bat for doing that.

12) You do not HAVE to use all the sections of a report we discussed in class. Use whatever headings are appropriate for your report.

Take advantage of the SANS DFIR Posters under Resources (Week Fifteen) for locations of different artifacts in Windows.

Scenario: On December 16th, 2022 you were contracted to perform a forensic analysis for Dewey, Cheatum, and Howe, LLP. The CEO of Kidco, William L. Howard has been compromised by an unknown individual. He believes it began sometime around November 19th, 2021. Mr. Howard is concerned that company information has been stolen off of his computer. He recalls receiving an email with an attachment that would not open prior to the 19th, but he’s not sure on the exact date.

Kidco had another security incident in 2020, but that was handled by another firm. As part of the company’s security improvements from that incident, they started testing an open source program called Velociraptor to monitor their workstations and servers. However the software has not been fully implemented yet and was unavailable for this current incident.

A third party forensic firm, Grouppunch, was brought in to image the hard drive of Mr. Howard’s computer. A copy of that image has been provided for your investigation.

Along with the EWF files in your Case Evidence folder is a text file (verification_hashes.txt) that contains the SHA256 hashes for the individual files. This is NOT the hash for the acquisition of the entire hard drive image, that is contained in the 2022FALL340-440.E01.txt file.

Remember when you drag and drop the first E01 image file into EnCase, it will automatically load the other EWF/E0* files in the directory.

You are being tasked with examining the evidence, and providing a forensic report on your findings based on the following questions:

1) What is the Disk Signature?

2) Parse out the Master Boot Record and provide the following data for the valid partitions:

a. Partition Type

b. Starting sector

c. Partition Size

3) Find out the following information about the machine:

a. Computer Name

b. Time Zone of Computer

c. Last Shutdown Time

4) When did the unknown individual get access to Mr. Howard’s laptop?

5) How did the unknown individual get access to Mr. Howard’s laptop?

6) Is there any evidence the unknown individual placed malware on Mr Howard’s laptop?

7) Was any information potentially stolen off of Mr. Howard’s laptop?

8) Is there any possible indication that Mr. Howard was in on the scheme?

9) Is there any evidence that the unknown individual accessed any other systems on the network?

10) Put a timeline together that shows the activity of the unknown individual on Mr. Howard’s machine.