Digital Forensics Experiment - 2: Generation and Validation of Forensic Report Utilizing Data Set

The document summarizes the findings of a digital forensics experiment analyzing two data sets, Mantooth.E01 and Washerhead. The key findings include:
- Mantooth.E01 contained evidence of drug dealing, ATM tampering, check stealing, and fraud based on photos and emails found.
- Communications were found between Mantooth and Washer discussing "Special K", indicating their involvement in discussing drugs.
- Washer's AOL instant message screen name was identified as "washergonebad" or "SNS_L0" based on analyzing autologin scripts.

Uploaded by

Kshitij Singla

DIGITAL FORENSICS

EXPERIMENT - 2

Name: Kartik Soni
Registration Number: 17BCE2403
Submitted To: Mr. Aju D.

Generation and validation of forensic report utilizing the Mantooth and Washerhead data sets.

1) What type of file is Mantooth.E01?

Ans) Image file with an MD5 hash, written in Calcutta, India.

2) What is the Operating System?

Ans) Windows NT on Windows Vista Ultimate

3) What is the File System?

Ans) NTFS; Windows NT systems generally use the NTFS file system.
4) Provide the account name and last login information for each account present in Mantooth.

Ans)
The account names are:

For OS accounts:
Account name     Last login
Wes Mantooth     2008-02-13 02:16:39 IST
Dracula          2008-02-13 02:16:39 IST

For email accounts (last login information):
Account name / ID      Last login date
[email protected]      02-08-2007
[email protected]      22-06-2007
[email protected]      20-06-2007
[email protected]      20-06-2007
[email protected]      -
[email protected]      -

Last login for each account: 2007-08-04 21:36:26 IST

The dates were determined on the basis of the email history:
5) If there is any evidence of an .exe file being deleted, describe the artifact name and document your findings.

Ans) File named $RTHDU55.exe, deleted on 2007-06-24 05:53:41 IST.

6) Find proof of communication with Gladiator.

Ans)

7) What is a "Pranic Vampire"? In which document is it mentioned? When was the document created?

Ans) It is mentioned in Astral.doc, created on 2008-12-13 06:23:11 IST.

Pranic Vampire: This is a more common and possibly more correct term for psychic vampire. Prana is the Sanskrit word meaning "life energy", which more accurately describes the energy that we feed on. Pranic Vampires have a broken or, in most cases, removed Chakra, generally the Navel, but in some cases the Heart Chakra. Often this type of Psychic vampire has a completely reworked energy system. Pranic vampire is generally a catch-all term and may encompass the other types of psychic vampires as well.

8) What is present in happy.mpeg?

Ans) Happy.mpeg consists of CCTV footage of a person in his office cubicle who gets frustrated with his work, starts hitting his computer, and smacks his monitor with a keyboard.
To view this video it must be extracted from Autopsy and opened in a video player on the PC.
9) Check if pictures of any drugs are present. If so, name the drugs.

Ans)
- Deleted file titled cocaine. Could not access this file as it is deleted.
- Crack
- Hawaiian-ruler
- SudaFed
- Unknown drug (not marked anywhere)
- Some chemicals
- Un-named drugs/chemicals
- Vape
- Seconal, Nembutal and Tuinal
- SudaFed Cold and Cough drug
- Few unnamed drugs
- Amphetamine
- Meth
- Unknown drugs

10) Find the list of criminal activities Mantooth was involved in and the associated artifacts.

Ans) The criminal activities Mantooth was involved in were:

a. Drug Dealing
Photos in the previous question's solution.
An email with "make meth" as its subject:

b. ATM Tampering / Stealing

c. Excessive Cash Collection

d. Check Stealing
Many photos of checks were also found.

e. Fraud: Photos of government-issued and bank records were discovered, along with emails with the subject:

11) Summarize the findings against Mantooth.

Ans) Mantooth has many documents, photos and emails related to criminal activities on his PC and could be guilty of any of the criminal activities discovered.

12) Mantooth received one Text Internet Email that had no subject about a stolen ATM. Who sent it to him (name and email) and when was it sent?

Ans) Mantooth did not receive any email with information about a stolen ATM. However, he had photos of ATMs stored in his Temporary Internet Files, which means that he himself browsed them; his browsing history proves so:

13) Find when and who deleted the file ValidCreditCard.jar.

Ans) There is no file named ValidCreditCard.jar.

PART 2:
1) What is the starting sector of Partition 2 and what is the size of it?

Ans) Partition 2 (vol2) spans sectors 63 to 240,974.

Size = 240,974 - 63 + 1 = 240,912 sectors
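The sector arithmetic above comes straight from the partition table. The following added example (not part of the original report) parses a constructed MBR whose single entry mirrors the reported geometry (start LBA 63, 240,912 sectors) and derives the inclusive end sector and byte size the same way; the 512-byte sector size is an assumption.

```python
import struct

SECTOR_SIZE = 512  # bytes per sector, assumed for this image

def build_mbr(start_lba, sector_count, ptype=0x07):
    """Constructed 512-byte MBR (not taken from the Washer image) with one
    primary entry: type 0x07 (NTFS), given LBA start and sector count."""
    mbr = bytearray(512)
    # Entry layout: status, CHS start(3), type, CHS end(3), LBA start, LBA count
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x00\x00", ptype,
                        b"\x00\x00\x00", start_lba, sector_count)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the non-empty partition entries with start, inclusive end and size."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "type": ptype,
            "start": start,
            "end": start + count - 1,      # last sector, inclusive
            "sectors": count,
            "bytes": count * SECTOR_SIZE,
        })
    return parts

def size_from_range(start, end):
    """Sector count for an inclusive start..end range, as computed in the report."""
    return end - start + 1

if __name__ == "__main__":
    for p in parse_mbr(build_mbr(63, 240912)):
        print(p)
    print(size_from_range(63, 240974))
```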

2) What is the file system of the disk image?

Ans) The file system is NTFS, in a Microsoft Windows XP environment.
3) List the user names.

Ans)

4) Does Washer know Mantooth?

Ans) Yes, because of the following discoveries:

Figure 1: Emails between Mantooth and Washer


5) How many .doc files are there? Extract all, document their content and their MD5 values.

Ans) The following .doc files are present in Washer's image, along with their MD5 values:
6) Who is involved in the discussion about "Special K"?

Ans) John Washer and Mantooth

7) Find the URL given for making drugs quickly.

Ans)
8) What is the AOL IM name of Washer?

Ans) washergonebad or SNS_L0

Auto-login script for AOL.com. I found this by looking into AOL's HTML script, where the auto-login code was saved in local memory at an address that was provided. Searching in that, I found Washer's AOL screen name to be 'washergonebad'.

REGEDIT:
