ICOM7125 Digital Forensics Homework
Part 1:
Preface: Teddy is an officer who can use the thumb drive to access and edit his contract in
his company. He wants to edit his contract for a higher salary during the leave day of the HR
and finance departments.
Scenario:
Teddy was an employee at a big company. He had a thumb drive that allowed him to access
important files on the company's computer system. Teddy had been feeling unhappy about
his salary for a while, and he wanted to change that.
Teddy came up with a plan. He noticed that the HR and finance departments were going to
be on leave for a few days. This meant that there would be fewer people around to catch
him. Teddy saw this as an opportunity to modify his contract secretly and give himself a
higher salary.
Excited by the idea, Teddy carefully thought about how he would carry out his plan. He
decided to arrive at the office early, before anyone else, so he could have enough time to
make the changes without anyone noticing. It made him feel a bit like a spy, doing
something risky to get what he wanted.
The day finally came when the HR and finance departments were on leave. Teddy felt
nervous but determined. He went to his office and inserted the thumb drive into his
computer. It was like a secret key that unlocked the company's important files. Teddy found
his contract and prepared to edit it.
As Teddy read through his contract, he started to feel guilty. He had always believed in doing
the right thing, but his desire for a higher salary had clouded his judgment. He felt torn
between his ambition and his values.
Just as Teddy was about to make the changes to his contract, a message popped up on his
computer screen. It was an urgent message from his boss, asking him to come to a meeting
right away. Teddy panicked. He quickly removed the thumb drive and left his contract
untouched. He hoped the meeting would buy him more time to complete his plan.
Little did Teddy know, fate had other plans. The meeting he was called to was about a
serious problem. Someone had accessed confidential files without permission, including
important contracts, during the HR and finance departments' absence. The company's
security system had caught the unauthorized access.
Teddy walked into the meeting room and felt a heavy atmosphere. The company's top
executives and the IT security team were investigating the breach. As they presented their
findings, Teddy's heart sank. They had traced the unauthorized access back to his computer.
His secret actions had been discovered.
Caught in his own web of deceit, Teddy's dreams of a higher salary crumbled. He realized the
consequences of his actions and felt the weight of guilt. Teddy understood that integrity and
honesty were more important than personal gain. His misguided attempt had put everything
he had worked for at risk.
In the end, Teddy learned a valuable lesson. Chasing after personal gain should never come
at the expense of one's principles. Facing the consequences, he vowed to rebuild his
reputation and regain the trust of his colleagues. This unexpected turn of events would serve
as a reminder of the importance of integrity and guide Teddy towards a path of redemption
and self-discovery.
Synopsis of Case
Teddy edited his contract for a higher salary.
Victim(s)
What was the incident? Someone edited Teddy's contract
When did the incident take place? 19/06/2024
Where did the incident take place? Company
Who was involved in the incident? Teddy, HR and Finance Department
Case/Incident Scene
What was the case/incident scene? Where was the case/incident scene?
(You are required to provide a sketch in 8 Appendix and crime scene photos)
Evidence
What evidence was collected? USB Thumb Drive
How was the evidence collected and turned over to investigators?
Suspect(s)
Are there any suspects related to this incident? NO
If so, who is/are the suspect(s)? NA
Has/have the suspect(s) been charged? Yes the suspect has been charged
If so, with what case or violation? NA
Part 2:
1. Abstract
The purpose of this report is to provide the procedures and findings relating to the digital
evidence collected in a case of discovery of improvised explosive device inside an office
building.
The focus of this report is on the digital evidence, a USB thumb drive collected from Teddy,
the suspect arrested by the Police agency after the incident.
Widely accepted digital forensic software is employed to create a bit-for-bit verified
forensic image of the thumb drive. Investigators followed all necessary procedures to
analyze the files found inside the forensic image, including hidden files and deleted files.
A conclusion was drawn by the investigator on whether Teddy had committed any criminal
offence, based on the evidence examined from the thumb drive.
On 19 June 2024, a device was found holding a contract that did not match the record of the
finance department of Teddy's company. The head of the finance department then had to report
this case to the police.
The Police agency started the investigation immediately after the report. After reviewing the
footage of every CCTV nearby, a suspect was identified to have appeared near the building
hours before the incident. Teddy, 32, was then arrested one day after the incident.
The search warrants were obtained, and the police searched Teddy. Investigators then
searched Teddy's computer and found a USB thumb drive on the computer desk. The police
followed all necessary procedures to properly seal the device and transfer it to
investigators for digital forensic examination.
Teddy was then accused of editing his contract for a higher salary, as set out in the
following part of this report.
3. Evidence Analyzed
A USB thumb drive confiscated from the accused is submitted for analysis.
Details about the device and its forensic image are as follows:
Evidence 001
Volume SN C857-F6CE
FTK Image:
4. Procedure of examination
Tool: FTK Imager 4.7.1.2
The digital forensic imaging process captured the entire content of the
thumb drive, including hidden files, deleted files and unallocated
space, which may contain the deleted contract.
With the created forensic image of the thumb drive, FTK Imager 4.7.1.2
and Autopsy 4.20.0 are employed to analyze the files retrieved from the
thumb drive confiscated from the accused. All subsequent analysis was
performed on the created image on a dedicated forensic workstation.
Focus of investigation
- Deleted files
- Hidden files
- Image files
The deleted files have been recovered. The files contain the original information of the
contract.
The deleted files have been recovered. The file containing the original information of the
contract was hidden by Teddy, with the same name as the files deleted by Teddy.
The password-protected files contain security information from HR, but no
information was edited.
One file holding the original contract was deleted, one file was created and edited
under the same name as the original one, and one file was hidden.
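How the deleted, same-name and hidden entries summarised above can be told apart in raw directory data, as an added example that is not part of the original report or of FTK Imager or Autopsy. It assumes the thumb drive uses a FAT file system (the report does not state this); the directory bytes, file names, sizes and the 2024-06-01 date are constructed.

```python
import struct

ATTR_HIDDEN, ATTR_VOLUME_ID, ATTR_LFN = 0x02, 0x08, 0x0F
DELETED_MARK = 0xE5  # first name byte of a deleted FAT directory entry

def parse_entries(raw):
    """Decode 32-byte FAT short directory entries (FAT is an assumption here)."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        attr = e[11]
        if (attr & 0x3F) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                          # long-name fragment or volume label
        wdate = struct.unpack_from("<H", e, 24)[0]   # last-write date
        size = struct.unpack_from("<I", e, 28)[0]
        deleted = e[0] == DELETED_MARK        # first character is lost on delete
        base = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii")
        ext = e[8:11].decode("ascii").strip()
        out.append({
            "name": base.strip() + ("." + ext if ext else ""), "size": size,
            "deleted": deleted, "hidden": bool(attr & ATTR_HIDDEN),
            "written": "%04d-%02d-%02d" % (1980 + (wdate >> 9), (wdate >> 5) & 15, wdate & 31),
        })
    return out

def replaced_names(entries):
    """Pair deleted entries with live ones whose names match after the lost first byte."""
    live = [e for e in entries if not e["deleted"]]
    return [(d["name"], l["name"]) for d in entries if d["deleted"]
            for l in live if l["name"][1:] == d["name"][1:]]

def make_entry(name83, attr, ymd, size, deleted=False):
    # Build one constructed directory entry for the sample below.
    name = bytearray(name83.encode("ascii"))
    if deleted:
        name[0] = DELETED_MARK
    wdate = ((ymd[0] - 1980) << 9) | (ymd[1] << 5) | ymd[2]
    return struct.pack("<11sB10xHHHI", bytes(name), attr, 0, wdate, 0, size)

# Constructed sample directory: deleted original, same-name replacement, hidden copy.
SAMPLE_DIR = b"".join([
    make_entry("CONTRACTDOC", 0x20, (2024, 6, 1), 20480, deleted=True),
    make_entry("CONTRACTDOC", 0x20, (2024, 6, 19), 20992),
    make_entry("BACKUP  DOC", 0x22, (2024, 6, 1), 20480),
]) + bytes(32)

if __name__ == "__main__":
    print(parse_entries(SAMPLE_DIR), replaced_names(parse_entries(SAMPLE_DIR)))
```

A deleted FAT entry keeps its metadata but loses the first character of its short name, so the same-name check compares the names from the second character onward.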
With the evidence collected and the facts concluded above, Teddy is very
likely to be the person who edited his contract from 32,000 to 34,000 for a
higher salary without the notice of the HR and Finance Department.
The evidence also indicates that Teddy did this on the same day as the leave
day of the HR and Finance Department, 19/06/2024.
7. Reference
ICOM 7125 – Digital Forensics Analysis Report
Homework example 1
8. Appendix
1. Case scene of office
3. SN of thumb drive