Final Project Digital Forensics
Due Date: Friday of Finals Week 23:59:59
All Students
Introduction
M57.biz is a new company that researches patent information for clients.
Facts of the company:
- 1 president / CEO
- 3 additional employees
- The firm is planning to hire more employees, so it has a lot of inventory on hand (computers, printers, etc.).
Current employees:
- President: Pat McGoo
- Information Technology: Terry
- Patent Researchers: Jo, Charlie
Employees work onsite, and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird).
A functioning workstation originally belonging to m57.biz was purchased on the secondary market. The buyer (Aaron Greene) realizes that the previous owner of the computer had not erased the drive, and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of the computer.
Police forensics investigators determine the following:
- The computer originally belonged to m57.biz
- The computer was used by Jo, an M57 employee, as a work machine.
Police contact Pat McGoo (the CEO). Pat authorizes imaging of all other computer equipment onsite at M57 to support additional investigation. Police further pursue a warrant to seize a personal thumb drive belonging to Jo.
Electronic Identities
- Pat McGoo (President): pat@m57.biz (email password: mcgoo01)
- Terry Johnson (IT Administrator): terry@m57.biz (email password: johnson01)
- Jo Smith (Patent Researcher): jo@m57.biz (email password: smith01)
- Charlie Brown (Patent Researcher): charlie@m57.biz (email password: brown01)
What you must do
You are given disk images from all of the computers and USB devices found onsite at M57, along with a USB thumb drive belonging to Jo. You are also provided with four detective reports and a search warrant and affidavit associated with seizure of the USB drive.
- For the purposes of the scenario, illegal images have been simulated with pictures and videos of cats produced exclusively for this corpus.
Questions to answer:
- Is Jo the owner of these files? What evidence is there to confirm or reject this?
- How did the computer come to be sold on the secondary market?
- Who (if anyone) was involved in the sale (theft?) of the computer?
- Were any attempts made to hide these activities?
- Are there any other suspicious activities occurring within M57? What evidence of this is there?
- A number of professional contacts and outside persons (friends of the employees) appear in this scenario. Who are they? Are they involved in any of the activities uncovered?
What you get
You will be given the following:
- Hard drive images from all workstations in the office:
- charlie-2009-12-11.E01
- jo-2009-12-11-002.E01
- pat-2009-12-11.E01
- terry-2009-12-11-002.E01
- Three company USB drives found on-premises and one personal USB drive seized from Jo:
- charlie-work-usb-2009-12-11.E01
- jo-work-usb-2009-12-11.E01
- terry-work-usb-2009-12-11.E01
- jo-favorites-usb-2009-12-11.E01
- Detective reports:
- detectivereport1.pdf
- detectivereport2.pdf
- detectivereport3.pdf
- detectivereport4.pdf
- m57-affidavit-warrant-final.pdf
All of the above files can be found in the /stash/forensics/final/ directory on the department servers (ada.cs.pdx.edu or babbage.cs.pdx.edu).
What to turn in
You will be submitting this via your gitlab repo, in a markdown file called final/final.md. This should contain all of the necessary details to follow your work, including what you did, how you did it, and where you did it. You should include any pertinent evidence you found, including screenshots, files, and any other relevant information. You should also include a timeline of events that you uncovered during your investigation.
Graduate Students
Introduction
While this section of the final is intended to be for graduate students, undergraduate students who choose to perform this portion of the final will receive extra credit.
What you must do
In the same path as above (/stash/forensics/final) you will find an Android 14 image. Explore it. Try to create a timeline of events for each of the apps installed. Can you combine that into a greater timeline?
Document anything else of note that you find. This is very open-ended, so try to be thorough, but know when to stop. You will not be graded on the amount of information you find, but rather on the quality of your analysis and the thoroughness of your documentation.
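As an added example (not part of the assignment materials), the script below shows one way to combine per-app timelines into a single timeline: each app's records are normalised to UTC before merging, because app databases commonly store time in different encodings (epoch seconds, epoch milliseconds, or naive local strings), and merging them unconverted silently reorders events. The app names, events and the device's UTC-8 offset are constructed sample data, not values from the image.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample records: one list per app, each using a different
# timestamp encoding (an assumption for illustration, not data from the image).
MESSAGING_EVENTS = [  # epoch milliseconds
    {"ts": 1702312200000, "event": "message sent to +1-555-0100"},
    {"ts": 1702315800000, "event": "message received"},
]
GALLERY_EVENTS = [    # epoch seconds
    {"ts": 1702314000, "event": "photo IMG_0001.jpg taken"},
]
BROWSER_EVENTS = [    # naive local time strings; device set to UTC-8 (constructed)
    {"ts": "2023-12-11 08:40:00", "event": "visited example.test"},
]
DEVICE_TZ = timezone(timedelta(hours=-8))  # constructed device local offset


def to_utc(ts):
    """Normalise the three encodings above to a timezone-aware UTC datetime."""
    if isinstance(ts, str):
        local = datetime.fromisoformat(ts).replace(tzinfo=DEVICE_TZ)
        return local.astimezone(timezone.utc)
    if ts > 10**11:  # values this large are milliseconds, not seconds
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_timeline(sources):
    """Merge per-app event lists into one chronological list of
    (utc_time, app, event, raw_timestamp); the raw value is kept so
    every timeline row stays traceable back to its source record."""
    rows = []
    for app, events in sources.items():
        for e in events:
            rows.append((to_utc(e["ts"]), app, e["event"], e["ts"]))
    return sorted(rows, key=lambda r: r[0])


def format_timeline(rows):
    """Render rows as fixed-width lines suitable for a report."""
    return [f"{t.isoformat()} | {app:<9} | {event} (raw: {raw})"
            for t, app, event, raw in rows]


if __name__ == "__main__":
    timeline = build_timeline({"messaging": MESSAGING_EVENTS,
                               "gallery": GALLERY_EVENTS,
                               "browser": BROWSER_EVENTS})
    print("\n".join(format_timeline(timeline)))
```

In the merged output the browser visit lands between the two messaging events, which is only visible once every source is on the same clock.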
What to turn in
You will be submitting this via your gitlab repo, in a markdown file called final/final-593.md. This should contain all of the necessary details to follow your work, including what you did, how you did it, and where you did it. You should include any pertinent evidence you found, including screenshots, files, and any other relevant information. You should also include a timeline of events that you uncovered during your investigation.