Forensic Report 1
Report Subject
Digital Evidence Report – 2GB Lexar Jump Drive (PAGS01_06132014)
BACKGROUND
On February 14, 2021, Mr. James Randell of Practical Applied Gaming Solutions, Inc. (PAGS, Inc.)
contacted me and requested that I handle a sensitive matter regarding the unexpected resignation of his
company's Assistant Chief Security Officer, George Dean. PAGS employees are not permitted to
participate in gaming (gambling) of any kind, because the company is a contractor to several state
gaming commissions. Mr. Dean's sudden resignation and disappearance is a reportable security incident
under the terms of several of the company's contracts with state gaming commissions. Therefore,
Mr. Randell requested an outside entity to ensure a fair and unbiased report on the facts and reasons
behind Mr. Dean's unexpected resignation.
Mr. Norbert Singh, the company's Human Resources Officer, reported that Mr. Dean resigned via
voicemail. Mr. Singh requested Mr. Dean's supervisor, Ms. Betty Mayne, the company CSO, to open and
search Mr. Dean's office. She noticed that the office was well organized and that both the company-issued
computer workstation and the company-issued laptop were missing. The following is what Ms. Mayne reported
to Mr. Randell, after further investigation, during the second meeting.
Mr. Dean’s workstation was one of three company computers taken to the IT Service Center
earlier in the week to be wiped and reimaged due to infection by a particularly nasty rootkit.
The computers are due back in the office next Friday by 10:00 AM.
Ms. Mayne contacted the IT service center and requested that they stop all work and
immediately return the three computer systems to the company.
This study source was downloaded by 100000891965077 from CourseHero.com on 10-03-2024 02:49:38 GMT -05:00
https://www.coursehero.com/file/85388871/1-Forensic-Report-1docx/
Case Name / Case ####
Mr. Dean was using a company issued laptop in the office as a temporary replacement for his
workstation. The company issued laptop was not found in the office but, an empty laptop case
was found under the desk.
During their search of the office, Mr. Singh and Ms. Mayne found a single 2GB USB drive that
had been left in the laptop case. Ms. Mayne and her staff examined the contents of the USB
Drive and reported to Mr. Randell that it contained files pertaining to Mr. Dean’s duties as
Assistant Chief Security Officer. There were no indications of any involvement in activities
contrary to the company’s best interests. Note: This paragraph provides you with the “previous
examination” results that you will address in the “Assessment of Previous Investigation”
section in your Assessment Report.
TABLE OF CONTENTS
(Feel free to add Addendums to your report as necessary / page #s will vary.)
Background………………………………………………………………………………… 1
Table of Contents………………………………………………………………………….. .2
Legal Authority…………………………………………………………………………….. 3
Initial Processing……………………………………………………………………………3
Preliminary Findings………………………………………………………………………..3
Detailed Analysis…………………………………………………………………………... 4
Conclusions…………………………………………………………………………………8
Software Utilized………………………………………………………………………....... 8
Hardware Utilized…………………………………………………………………………..8
Digital Media Processing……………………………………………………………….......8
Disposition of Evidence…………………………………………………………………….9
Glossary…………………………………………………………………………………….10
ADDENDUM A (Evidence Photograph /Hash Verifications)……..…..…………………..11
ADDENDUM B (Steps Taken)………………….…………………………………………12
LEGAL AUTHORITY
PAGS, Inc. has granted me full legal authority to examine the evidence it provided, the USB drive, in
connection with its investigation of Mr. George Dean. The legal authority covers any findings, including
adult or child pornography, contraband and any other illegal activity.
INITIAL PROCESSING
On February 12, 2021, the submitted USB drive was processed. The processing included inspection,
photography, an anti-virus (AV) scan, and forensic imaging of the USB drive. The forensic imaging of the
digital media created forensic evidence files for use in the subsequent forensic examination of the
digital media. The methods used were forensically sound and verifiable.
See ADDENDUM A, "Evidence Photograph / Hash Verifications", and ADDENDUM B, "Steps Taken", for more information.
PRELIMINARY FINDINGS
Using AccessData FTK Imager, I created a forensic image (PAGS01_06132014.E01, in EnCase E01
evidence-file format) of the Lexar Jump Drive USB (PAGS01_06132014). I conducted the initial
examination of the image with WinHex. Following is the structure of the device:
I then used EnCase Forensic to investigate the case further and found eight forensically
interesting files. Those files are:
Name                                             Comment                                     MD5
09-14 DI-08-1951 Agency Report.rtf               Hidden PDF file                             677fee00374928dba55baaa4de5169c4
2013 Annual Security Briefing.pptx               Contains secret raffle information          86fb6dd6acfdbe93f9c8c6c16c828c17
BriefingFlyer2013.docx                           Travel plan                                 2875074c111d2d0f80c1c501965189fd
Capture1.PNG                                     Travel plan                                 34dd18714f31c1bbda4d5b206bf1067e
Club-PAGS.7z                                     Encrypted 7z archive                        7546966f5546c82cc4eb2d3396cdd3e7
Gambling Winnings.docx                           Document about gambling winnings            de703752fe139450439a36b473531bc1
JJD_XFER.zip                                     Encrypted zip archive                       e6e8382c434621e2efcbb90f76358281
SecurityBriefingAttendeesLists(2012-2013).xlsx   Suspicious information in the spreadsheet   245e03274d37487855146843718941ff
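The first finding in the table, a PDF hidden under an .rtf extension, is the kind of discrepancy a file-signature check exposes: the extension says RTF, the first bytes say PDF. The following is an added example, not code from the report or from EnCase, that rebuilds the inventory step in Python: it hashes every file (MD5 as in the report, plus SHA-256) and compares each file's magic bytes against its extension. The sample files, their names, the SIGNATURES table and the inventory() function are all constructed for this illustration and are not the evidence files.

```python
"""Added example: file inventory with hashes and a magic-byte vs. extension check.
Everything here is constructed for illustration; none of it is the case evidence."""
import hashlib
import os
import tempfile
import zipfile

# Magic bytes for the file types that appear in the report's inventory.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),   # also .docx/.xlsx/.pptx, which are ZIP containers
]

# Extensions under which each detected signature is legitimately expected.
EXPECTED = {
    "png": {".png"},
    "7z": {".7z"},
    "pdf": {".pdf"},
    "rtf": {".rtf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}


def detect_type(head: bytes) -> str:
    """Return the type name whose signature the file starts with, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def hash_file(path: str):
    """MD5 and SHA-256 of a file, read in 1 MiB chunks so large files do not load into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def inventory(root: str):
    """One row per file: name, hashes, detected type, and whether the extension disagrees."""
    rows = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(16)
        kind = detect_type(head)
        ext = os.path.splitext(name)[1].lower()
        md5, sha = hash_file(path)
        rows.append({
            "name": name, "md5": md5, "sha256": sha, "detected": kind,
            # A mismatch is a recognised signature filed under an extension it does not belong to.
            "mismatch": kind != "unknown" and ext not in EXPECTED[kind],
        })
    return rows


def build_samples(root: str):
    """Constructed sample set mirroring the report's file types (not the real evidence)."""
    with open(os.path.join(root, "Agency Report.rtf"), "wb") as f:
        f.write(b"%PDF-1.4\n%constructed sample: PDF bytes under an .rtf name\n")
    with open(os.path.join(root, "Genuine.rtf"), "wb") as f:
        f.write(b"{\\rtf1\\ansi Constructed RTF sample}")
    with open(os.path.join(root, "Capture1.PNG"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    with zipfile.ZipFile(os.path.join(root, "Briefing.docx"), "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    with open(os.path.join(root, "archive.7z"), "wb") as f:
        f.write(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 8)


def run_demo():
    """Build the constructed sample set in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return inventory(root)


if __name__ == "__main__":
    for r in run_demo():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:<20} {r['detected']:<8} {flag:<9} {r['md5']}")
```

On the constructed set only "Agency Report.rtf" is flagged, because its signature is PDF while its extension is .rtf; the genuine RTF, the PNG, the ZIP-based .docx and the .7z all agree with their names. Signature checks only identify container types, so an encrypted .7z or .zip still needs the archive's own header inspection (or a password) before its contents can be examined.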
CONCLUSIONS
Further investigation and analysis are recommended to confirm these findings and conclusions; they may
be the subject of future digital forensic reports.
SOFTWARE UTILIZED
Collecting the evidence involved the following software.
SOFTWARE                 HOW USED
AccessData FTK Imager    Created the forensic image (E01 evidence file) of the USB drive
CalcHash                 Computed hash values
WinHex                   Verified the structure of the USB device and checked whether any partitions
                         were missing or any files were hidden in unpartitioned space
EnCase Forensic          Analyzed the evidence and created the report
Sumuri Paladin           Prepared a forensically sterile destination drive for the forensic image
HARDWARE UTILIZED
Collecting the evidence involved the following hardware.
HARDWARE HOW USED
Forensic device (laptop) Used to investigate the case
DISPOSITION OF EVIDENCE
Lexar Jump Drive marked as PAGS01_06132014 and assigned inventory #1234 is currently secured in
the evidence locker at 1233.
Note that each piece of evidence in this case has been secured and filed with its own individual chain of
custody form.
GLOSSARY
Data Carving – Recovering files or file fragments from media by their content (file headers, footers and
internal structure) rather than by file-system metadata, typically from slack space, unused space and
unallocated space.
Deleted Files–Files that may have been deleted by the computer user or operating system. Normally
deleted files are not removed from the hard drive. The deletion process only alters a directory entry in
most cases. This leaves deleted files accessible to forensic examinations.
Digital Evidence– Information stored or transmitted in binary form that may be relied upon in court.
File Slack – The space between the end of the file data and the end of the cluster. File slack may contain
data from previous files that has not yet been overwritten.
Forensic Image – A bit stream copy of the available data. The result may be encapsulated in a
proprietary format (e01, ad1, etc).
Forensic Copy – The data from the source (original) media is copied “bit by bit” and written to other
media in the same bit-by-bit order that it was obtained.
Forensic Evidence File – Consists of one or more files that contain the data from the source media and
can be restored to other media in such a manner that the "bit by bit" order on the source drive is the
same as on the restored drive. The file may contain "additional" data written by the imaging software;
the additional data is program overhead.
Hash–Numerical values, generated by various hashing functions, used to substantiate the integrity of
digital evidence and/or for inclusion / exclusion comparisons against known value sets.
Message Digest 5 (MD5) Hash – A 128-bit value computed from the contents of a file, long used as a
standard hash value in digital forensics. MD5 is no longer collision-resistant (two different files can be
crafted to share the same MD5), so it should be recorded alongside a stronger hash such as SHA-256.
New Technology File System–NTFS (NT file system; sometimes New Technology File System) is the
file system that the Windows NT operating system uses for storing and retrieving files on a hard disk.
NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High
Performance File System (HPFS).
Removable Media– Items (e.g., floppy disks, CDs, DVDs, USB Drives, tape) that store data and can be
easily removed.
Unallocated Space – Also called free space; the portion of the drive not currently assigned to any file by
the file system. It may still contain the contents of deleted files.
Coordinated Universal Time – UTC is the basis for local times worldwide. It is also written as
Universal Time Coordinated or Universal Coordinated Time. UTC is the successor to Greenwich Mean
Time (GMT).
ADDENDUM A
The forensic imaging process included a post-processing hash verification, comparing the hash of the
contents of the evidence file with the pre-processing hash of the source media. The hash analysis is
presented below.
The forensic imaging process successfully created a forensically sound and verifiable bit-stream copy of
the USB drive in the form of forensic evidence files.
ADDENDUM B
Steps Taken:
0. The evidence, a 2GB Lexar Jump Drive (PAGS01_06132014), was released to the examiner (#891920) by
PI Smith (#351) for investigation on 02/15/2021.
1. Using Sumuri Paladin, I created forensically sterile media to ensure that the drive used to store the
image was clean. The sterile state was verified with dcfldd's verify option (sudo dcfldd pattern=00
vf=/dev/sdx, where sdx is the drive designator of the destination drive), which compares every byte of
the drive against the 0x00 pattern and reports any mismatch.
2. Using AccessData FTK Imager, I created the forensic image (PAGS01_06132014.E01, EnCase E01 format) of
the Lexar Jump Drive USB (PAGS01_06132014). I conducted the initial examination of the image with WinHex.
3. I used EnCase Forensic to investigate the case further and found eight forensically interesting files.
4. I made a file inventory in an Excel spreadsheet (FR1 FileInventory; hash value:
04926B9C08EDBD02DABFAEACDB1756B5) using EnCase Forensic. I added a comment column to note anything
special about the files after manually analyzing them and searching with keywords.
5. The evidence device was returned to Jane Smith, evidence custodian, on 02/19/2021 to be secured in
the evidence locker pending final disposition.
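Steps 1 and 2 rest on two integrity checks: the destination must be sterile (every byte 0x00, which is what the dcfldd pattern=00 vf= verification establishes), and the image must hash identically to the source before it is relied on. The following is an added example, not code from the report or from Paladin, FTK Imager or dcfldd, that implements both checks in Python so the logic is visible: a zero-fill verifier, and a bit-stream acquisition that hashes the source while it is read, re-hashes the written image afterwards, and accepts the image only when both agree. It writes a raw (dd-style) copy rather than the E01 container the report used, computes SHA-256 alongside MD5 because MD5 alone is collision-prone, and uses a constructed file of random bytes as the "device"; the function names, file names and sizes are assumptions for the illustration.

```python
"""Added example: sterile-destination check and hash-verified bit-stream acquisition.
The 'device' is a constructed file, not the evidence drive."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: read sequentially so a real device is never read twice per pass


def verify_sterile(path: str) -> bool:
    """True if every byte of path is 0x00 (the destination carries no residual data)."""
    zeros = bytes(CHUNK)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk != zeros[:len(chunk)]:
                return False
    return True


def _digests(path: str):
    """MD5 and SHA-256 of a file, chunked."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Copy source to image bit for bit; return pre/post hashes and whether they agree."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)   # pre-processing hash: taken from the bytes as they are read
            sha.update(chunk)
            dst.write(chunk)
    pre = (md5.hexdigest(), sha.hexdigest())
    post = _digests(image)  # post-processing hash: re-read the written image
    return {"pre_md5": pre[0], "pre_sha256": pre[1],
            "post_md5": post[0], "post_sha256": post[1],
            "verified": pre == post}


def verify_image(source: str, image: str) -> bool:
    """Later re-verification: the image still hashes identically to the source."""
    return _digests(source) == _digests(image)


def run_demo() -> dict:
    """Run both checks on constructed files and show that one flipped byte breaks verification."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "device.bin")         # constructed stand-in for /dev/sdx
        clean = os.path.join(d, "destination.bin")     # constructed sterile destination
        image = os.path.join(d, "demo.raw")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))     # odd size exercises the final partial chunk
        with open(clean, "wb") as f:
            f.write(bytes(2 * CHUNK + 7))
        result = {"destination_sterile": verify_sterile(clean),
                  "device_sterile": verify_sterile(device)}
        result.update(acquire(device, image))
        result["reverified"] = verify_image(device, image)
        # Tamper with a single byte of the image: verification must now fail.
        with open(image, "r+b") as f:
            f.seek(CHUNK + 1)
            b = f.read(1)
            f.seek(CHUNK + 1)
            f.write(bytes([b[0] ^ 0xFF]))
        result["tampered_still_verifies"] = verify_image(device, image)
        return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:<24} {v}")
```

The sterile check answers the question dcfldd answers in Step 1: a destination that already held data would let old fragments be mistaken for evidence. The pre/post comparison is the Addendum A verification in code; both hash values belong in the report, and any later re-hash that does not match means the image can no longer be relied on.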