5250 Computer Forensics - Semester Project: Overview/Case Summary

The document provides an overview of a forensic analysis case involving the examination of a desktop computer belonging to Wes Mantooth, a suspect in a criminal group involved in financial crimes. The analysis aims to recover information about user accounts, passwords, files, internet activity, and any evidence related to the criminal activities. Forensic tools like FTK and PRTK will be used to acquire data from the hard drive image including the file system, operating system details, user information, passwords, deleted files, attached devices, and programs used.

Uploaded by Sabrina Johnson

5250 Computer Forensics - Semester Project

Overview/Case Summary
Today, November 5th, 2018, Detective Ketchum requested that I process a desktop computer for him. There is a local group of criminals involved in check fraud, credit card fraud, bad checks, ATM scams, and an assortment of other financial crimes. The criminals have shown varying degrees of tech savviness, including the use of steganography, encryption, and anti-forensics. I have been asked to account for how the space on the computer hard drive was used, identify the file system, and identify the OS version and service pack information. I need to find the date the operating system was installed and identify the time zone information for the computer; show the owner of the computer and the most active user, along with a list of all of its users; and identify the user accounts and who uses each account, along with the respective passwords for the accounts. I need to find the last date Wes Mantooth logged onto the computer and identify the files he placed in the recycle bin. The user picture for the account needs to be recovered, along with any pictures of Wes Mantooth and any pictures related to the fraud or financial crimes. I also need to identify any software that may have been used to encrypt, obscure or forensically analyze data or defeat forensics; identify the most commonly opened programs; provide a list and a total number of deleted files; file carve and provide a list and a count of the files found; identify any cameras, USB drives or other devices that have been attached to the computer; identify the most recently run programs; identify the URLs that were visited by manually typing the address; identify any credit card numbers on the drive; and run a few search terms to return anything useful.
Forensic Acquisition/Exam Preparation
Today, November 5th, 2018, I received the file “Mantooth.E01”, a forensic image of a hard drive that was given to me by Detective Ketchum to be examined. I will be using several tools for this examination, including:

● AccessData FTK Imager Version 4.1.1.1
● AccessData FTK Version 6.3
● AccessData Registry Viewer Version 1.8.0.5
● www.epochconverter.com
● PRTK - Password Recovery ToolKit Version 8.1.0 Build 946
● HxD - Hex Viewer Version 1.7.7.0

Prior to actually starting my examination I loaded the Mantooth.E01 file into AccessData FTK Imager to verify the image and to record the MD5 and SHA1 checksum values at the beginning of the exam, so that upon completion of the exam I can run the verification again to show that the image file was not altered in any way during the exam.

In the screenshot above you can clearly see the computed MD5 and SHA1 hash values, and the date and time of the verification in the bottom right corner.
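As an added example (not code from the report), the same start-of-exam and end-of-exam check done in Python: the image is streamed through MD5 and SHA-1 in chunks so a multi-gigabyte E01 never has to sit in memory, and the two records are compared algorithm by algorithm. The sample bytes and file name are constructed, not the evidence file.

```python
# Added example, not code from the report: stream an image file through MD5 and
# SHA-1 and compare the start-of-exam record with the end-of-exam record, which
# is the check FTK Imager performs in the screenshots. All sample data is constructed.
import hashlib
import hmac
import io

CHUNK = 1 << 20  # 1 MiB reads keep a multi-gigabyte E01 out of memory


def compute_hashes(stream):
    """Return hex MD5 and SHA-1 digests of a binary stream, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hashes_of_file(path):
    """Hash a file on disk (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return compute_hashes(fh)


def hashes_of_bytes(data):
    """Hash an in-memory buffer; used here for the constructed sample."""
    return compute_hashes(io.BytesIO(data))


def image_unchanged(before, after):
    """True only when both digests match exactly; one algorithm agreeing is not enough."""
    return all(hmac.compare_digest(before[alg], after[alg]) for alg in ("md5", "sha1"))


if __name__ == "__main__":
    # Constructed stand-in for Mantooth.E01 (not the evidence file).
    sample = b"constructed image bytes, not real evidence\n" * 1000
    at_start = hashes_of_bytes(sample)   # recorded on day one
    at_end = hashes_of_bytes(sample)     # recomputed after the examination
    print("MD5  :", at_start["md5"])
    print("SHA-1:", at_start["sha1"])
    print("image unchanged:", image_unchanged(at_start, at_end))
```

Recording both digests at the start and comparing both at the end is what makes the later "not altered" statement defensible; a mismatch in either one means the working copy can no longer be tied to the original acquisition.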

Findings & Report (Forensic Analysis)

a) Account for how all the space on the computer hard drive was used (partitions, used/free).
After the acquisition of the files and verification I began my examination by taking note of how the space on the hard drive is accounted for.

In the image above on the right we can see the drive geometry, which gives the size in sectors and the bytes per sector. Multiplying these numbers together gives the original size of the hard drive: 512 * 250,879 = 128,450,048 total bytes. On the left I have taken a screenshot of the Evidence Tree to show how the hard drive's space is used. There is one partition of 109 MB, which equals 115,121,664 total bytes, while the second partition is 7 MB, which equals 8,225,280 total bytes. The rest of the space on this hard drive is unallocated, which equates to 5,103,104 total bytes of unallocated space.
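The accounting above can be reproduced directly from the partition table. The following is an added example, not code from the report: it parses the four 16-byte MBR entries, checks that no partition overlaps another or runs past the end of the drive, and reports the unallocated remainder. The MBR bytes are constructed to match the geometry stated above (250,879 sectors of 512 bytes, an NTFS partition of 115,121,664 bytes and an Ext2 partition of 8,225,280 bytes); the start sectors are assumed, since the report does not state them.

```python
# Added example, not from the report: parse an MBR partition table and account
# for every sector of the drive. The MBR below is constructed to match the
# geometry quoted above; start sectors are assumptions.
import struct

SECTOR = 512
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x83: "Linux (ext2/3/4)", 0x00: "empty"}


def parse_mbr(mbr, total_sectors, sector_size=SECTOR):
    """Return partitions and unallocated space for a drive of total_sectors sectors."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        _status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        if lba_start + count > total_sectors:
            raise ValueError(f"partition {i + 1} runs past the end of the drive")
        parts.append({"index": i + 1, "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "start": lba_start, "sectors": count, "bytes": count * sector_size})
    parts.sort(key=lambda p: p["start"])
    for a, b in zip(parts, parts[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            raise ValueError("overlapping partitions")
    used = sum(p["sectors"] for p in parts)
    return {"total_bytes": total_sectors * sector_size, "partitions": parts,
            "unallocated_bytes": (total_sectors - used) * sector_size}


def build_entry(ptype, start, count):
    """Pack one partition entry (status 0x00, CHS fields zeroed)."""
    return struct.pack("<B3xB3xII", 0x00, ptype, start, count)


TOTAL_SECTORS = 250_879  # sector count from the drive geometry in the report


def constructed_mbr():
    """Constructed MBR: NTFS at sector 63, ext2 right after it, two empty slots."""
    table = (build_entry(0x07, 63, 224_847)        # 224,847 * 512 = 115,121,664 bytes
             + build_entry(0x83, 224_910, 16_065)  # 16,065 * 512 = 8,225,280 bytes
             + bytes(32))
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    layout = parse_mbr(constructed_mbr(), TOTAL_SECTORS)
    for p in layout["partitions"]:
        print(f"Partition {p['index']}: {p['type']:<18} {p['bytes']:>13,} bytes")
    print(f"Unallocated: {layout['unallocated_bytes']:,} of {layout['total_bytes']:,} bytes")
```

The unallocated figure is the gap before the first partition plus the tail after the last one, which is where carved files and wiped-data remnants are usually found, so it is worth reporting it explicitly rather than as "the rest".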
b) Identify the type of file systems in use.

If you take a closer look at the partitions you can see the file system that each partition is using. The first partition, labeled “Partition 1”, is using the New Technology File System (NTFS), and the second partition, labeled “Partition 2”, uses Ext2, the second extended file system, which is an improved version of Ext.

c) Identify the version and service pack of the Operating System

To find this information I needed to look into the registry. I located the registry hives in FTK, found the “SOFTWARE” hive, opened it in FTK Registry Viewer and navigated down to “Windows NT” and its subkey “CurrentVersion”, where I found the information I was looking for. In the screenshot below we can see the operating system installed on the hard drive, which is Windows Vista (TM) Ultimate, and that the current version of the operating system is 6.0. For the service pack we can look at the CSDBuildNumber near the bottom of the page and see that the build number is 2. After some research I found at superuser.stackexchange.com that this means there is no service pack currently installed. You can view all of this information in the screenshots below.

d) Find the date the Operating System was installed.

In the screenshot included above we can also find the installation date of the operating system. It is displayed in epoch time, which is the number of seconds since January 1st 1970. A converter is available online at www.epochconverter.com. As you can see in the screenshot above, the epoch value 1172604123 is February 27, 2007, which is the date the operating system was installed.

e) Identify the Time Zone Information for the computer

To identify the time zone information for the computer I needed to look into the SYSTEM registry hive under ControlSet003.

Looking at the screenshot above, the time zone this particular computer used was Mountain Standard Time.
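Sections d) and e) fit together: the InstallDate value is in UTC, and the TimeZoneInformation key is what turns it into the local time the user would have seen. As an added example (not code from the report), the conversion below decodes the epoch value quoted above and applies the Bias value from a TimeZoneInformation key. The TimeZoneInformation bytes are constructed; the report only shows the zone name in a screenshot. Bias is a signed REG_DWORD of minutes added to local time to reach UTC, so Mountain Standard Time is +420.

```python
# Added example, not from the report: decode InstallDate (Unix epoch seconds)
# from SOFTWARE\Microsoft\Windows NT\CurrentVersion and apply the Bias from
# SYSTEM\ControlSet00X\Control\TimeZoneInformation. TimeZoneInformation bytes
# are constructed.
import struct
from datetime import datetime, timedelta, timezone

INSTALL_DATE = 1172604123  # InstallDate value quoted in the report

# Constructed TimeZoneInformation values (assumption: only Bias and StandardName
# are needed here). Bias is minutes to add to local time to reach UTC.
CONSTRUCTED_TZINFO = {"Bias": struct.pack("<i", 420),
                      "StandardName": "Mountain Standard Time"}


def epoch_to_utc(seconds):
    """Unix epoch seconds -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_bias(raw_dword):
    """REG_DWORD is little-endian; read it signed so zones east of UTC come out negative."""
    return struct.unpack("<i", raw_dword)[0]


def utc_to_local(dt_utc, bias_minutes):
    """Apply a Windows bias: local = UTC - Bias minutes."""
    return dt_utc.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def install_time(epoch_seconds, tzinfo_values):
    """Return the install time in UTC and in the machine's standard local time."""
    utc = epoch_to_utc(epoch_seconds)
    bias = parse_bias(tzinfo_values["Bias"])
    return {"utc": utc, "local": utc_to_local(utc, bias),
            "zone": tzinfo_values["StandardName"]}


if __name__ == "__main__":
    result = install_time(INSTALL_DATE, CONSTRUCTED_TZINFO)
    print("InstallDate UTC  :", result["utc"].isoformat())
    print("InstallDate local:", result["local"].isoformat(), f"({result['zone']})")
```

Bias is the standard-time offset; the same key also holds ActiveTimeBias, which reflects daylight saving at the moment the hive was last written, not at the time of the event being converted. For a February 2007 date the standard offset is the right one, but for summer dates the daylight bias must be applied by hand.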
f) Show the Owner of the computer

In order to determine the owner of the computer we can refer back to a previous screenshot taken from the SOFTWARE registry hive. About halfway down the list it shows Wes Mantooth as the Registered Owner of the computer. This information would have been entered during the installation and setup of the operating system.
g) Show the most active user of the computer, and list all of the users.

Opening the SAM registry hive in FTK Registry Viewer shows all of the users that currently have an account: Administrator, Dracula, Guest, Laurent and Wes Mantooth. Wes Mantooth is the most active user on the computer with 96 logon attempts.

h) Identify user accounts and who uses the account


In the screenshots above I have captured the properties of each user that has an account on the computer. Two of the accounts are the generic “Guest” and “Administrator” accounts, to be used by guests of the computer and for administrative tasks respectively. The other three accounts, Wes Mantooth, Dracula and Laurent, are all user specific. It is easy to understand who uses each account. Wes Mantooth uses the account associated with his name. Dracula's full name, as seen in the properties, is Count Dracula. The third is someone named Laurent; no full name was included when this account was created. It is worth noting that whoever Laurent is, they have never logged on to the machine.

i) Acquire user passwords


To acquire the user passwords I needed to use the AccessData PRTK - Password Recovery ToolKit. I first created a new folder in my SemesterProject directory on my desktop and exported the SAM and SYSTEM registry hives into the folder. I then opened PRTK, loaded the SAM registry hive, and used the SYSTEM hive as the start key.

Out of the 5 users on the computer PRTK cracked the passwords for two of them. The other three (Administrator, Guest, Laurent) did not have passwords.

Wes Mantooth's password: tooth
Dracula's password: canine

j) Identify the last date Wes Mantooth logged on

Located in the SAM registry hive you can find all of the users that have accounts on the computer. After selecting Wes Mantooth's account folder you can see in the properties pane that the last logon by Wes is February 12th, 2008 (2/12/2008) at 2:12 pm.
k) Identify files placed in the recycle bin by Wes Mantooth
Using the Explore tab I navigated to the $Recycle.Bin directory, within which we can find several files that were placed in the Recycle Bin by Wes Mantooth. The screenshots below show a few of the files placed in the recycle bin by Wes Mantooth. In the “Original Name” field you can see where each came from; in the case of these 3 files in particular they came from C:\Users\Wes Mantooth, which means that these files were placed in the recycle bin by the user Wes Mantooth. We can also determine this from the SID associated with Wes Mantooth's account, shown in the second field of image 1, which is the same as the SID at the end of the file listing highlighted in image 2. The last part of Wes Mantooth's SID is 1000, and the last 4 digits of the directory name are also 1000, as depicted in image 2. Therefore we can conclude that the user Wes Mantooth put these files in the Recycle Bin.

[1]

[2]
In the image below you can see most of the files that were placed in the recycle bin under the SID ending in 1000, which is the user Wes Mantooth.
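The attribution above rests on two things: the per-user $Recycle.Bin subdirectory is named after the owning SID, and each deleted file's $I record carries the original path and deletion time. As an added example (not code from the report), the parser below reads a Vista-era $I record (the fixed 520-byte path form, with the later length-prefixed form handled as well) and ties the directory's SID to the account that owns it. The SID, the $I bytes and the account list are all constructed; the real SID appears only in the report's screenshots.

```python
# Added example, not from the report: parse a $I metadata record from
# $Recycle.Bin and attribute it to the account owning the SID-named directory.
# All sample values (SID, paths, timestamps) are constructed.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Decode a $I record: version, original size, deletion time, original path."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista / 7 / 8: fixed 520-byte UTF-16LE path
        raw_path = data[24:24 + 520]
    elif version == 2:                    # Windows 10+: 4-byte char count, then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(deleted_ft), "original_path": path}


def rid_of(sid):
    """The trailing component of a SID is the relative id (1000 = first local user)."""
    return int(sid.rsplit("-", 1)[1])


def attribute(recycle_path, accounts):
    """Map '$Recycle.Bin/<SID>/$Ixxxxxx.ext' to the account whose SID names the folder."""
    sid = recycle_path.replace("\\", "/").split("/")[-2]
    for name, account_sid in accounts.items():
        if account_sid == sid:
            return name, rid_of(sid)
    return None, rid_of(sid)


def build_dollar_i(size, deleted_ft, original_path):
    """Construct a version-1 $I record for the sample below."""
    path = original_path.encode("utf-16-le")
    return struct.pack("<QQQ", 1, size, deleted_ft) + path.ljust(520, b"\x00")


# Constructed sample: a SID with RID 1000 (as in the report) and a deletion
# FILETIME for 2008-02-12 14:12:00 UTC.
CONSTRUCTED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1000"
SAMPLE_DELETED_FT = 128472991200000000
SAMPLE_I = build_dollar_i(4096, SAMPLE_DELETED_FT,
                          r"C:\Users\Wes Mantooth\Documents\notes.txt")

if __name__ == "__main__":
    record = parse_dollar_i(SAMPLE_I)
    owner, rid = attribute(f"$Recycle.Bin/{CONSTRUCTED_SID}/$I3K7Q1X.txt",
                           {"Wes Mantooth": CONSTRUCTED_SID})
    print(record["original_path"], record["size"], record["deleted_utc"].isoformat())
    print("owner:", owner, "RID:", rid)
```

Matching the full SID, not just its last four digits, avoids a false attribution when a domain account and a local account happen to share a RID; the RID alone is only a shortcut once the SID prefix has been confirmed.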
l) Recover the user picture tile for Wes Mantooth’s account (or find where it is
supposed to be.)

The picture tile for Wes Mantooth's account should be stored at the path MANTOOTH/[root]/ProgramData/Microsoft/User Account Pictures; however, it does not seem to be present at this time. I will keep looking.
m) Identify any pictures of Wes Mantooth

This picture was found using the Overview tab and searching through the .jpg file extension. It was a .jpg image titled “Wes.jpg”. The file path at which this image was found is shown in the screenshot below:

Mantooth32.E01/Partition 1/MANTOOTH [NTFS]/[root]/Users/Wes Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/20401532-00000003.eml/>>Wes.jpg
n) Identify and picture related to the fraud or financial crimes mentioned above.

There were many pictures found that could be related to fraud or financial crimes. One item in particular looks like a credit card skimmer that fits on an ATM to read the magnetic strip off victims' cards once they are inserted into the ATM. In addition there appears to be a camera disguised as a brochure box to capture what is on the screen and the user's PIN.

[1] [2]

[3]
In images 2 and 3 there are arrows pointing to the line of sight of the camera that was planted in the brochure box that goes on the ATM, probably to capture what is displayed on the screen and to see the user's PIN as they type it into the ATM. The images above show a particular skimmer that looks very realistic; victims would be none the wiser when walking up to use the ATM.

Included with these images were several pictures of different styles of checks, both blank and filled out. I will include the images and their respective paths underneath some of the images. All of these checks can also be found at the path Mantooth32.E01/Partition 1/MANTOOTH [NTFS]/[root]/Users/Wes Mantooth/Documents/Checks

The three checks below are all in the same file: it is a GIF which cycles through all three of these check styles. It is at the path

There was a particular picture where someone is pouring water on a check. It cannot be concluded what the reasoning is; however, it is necessary to note this picture for this report.

There is also a check with “before and after” pictures: in the before picture, titled “seanbefore.jpg”, there is writing on the check, and in the picture titled “seanafter.jpg” the check seems to be blank. This could be an indication that the person taking the pictures was successful in erasing the writing off the check.

Along with images there were several emails sent, tasks created, and notes created that seemed relevant to the investigation. Using the Email tab in FTK I was able to see the emails sent and received as well as email attachments.

This particular appointment, titled “go check stealing”, was created by Wes Mantooth.

This email is from “Rasco Badguy” at the address [email protected]; the email comes with an attachment titled “How to steal credit numbers.doc”. In order to obtain the actual document I viewed the file content in hex within FTK, copied all of the hex values, pasted them into a new page in the HxD hex editor and saved the file to my desktop. This file is password protected, so FTK's PRTK will be used here.

This was another task that I found within the Email tab in FTK, titled “Wash checks”. The next screenshot was found with the title “Go to the apartment complex and rip checks”.

o) Identify any software that could be used to encrypt, obscure, or forensically analyze data, or defeat forensics.
Looking into the SOFTWARE registry hive I found a particular program called “Jetico”, which a Google search showed is encryption software. Based on the screenshot and a little research, this software is not only encryption software; it can also be used to wipe data to render it unrecoverable, which could hinder any forensic effort to view that data.

Looking at the Explore tab within FTK and into the Program Files subdirectory, I found another piece of software named “TrueCrypt”, which is discontinued “on-the-fly encryption” software, or in layman's terms free, open source disk encryption software.

Another piece of software that could be used to defeat forensics or keep messages secret is Trillian, a free instant messaging app. It is an encrypted messaging service that may inhibit the ability to recover these messages.
p) Identify the most commonly opened programs
In the system prefetch folder at the path Mantooth32.E01/Partition 1/MANTOOTH [NTFS]/[root]/Windows/Prefetch you can see the recently run programs, how many times they were run, and the last time they were executed. FTK Imager and Internet Explorer were the most commonly run programs, executed 38 and 56 times respectively.
q) Provide a list of all deleted files (TOTAL NUMBER OF)
As of now, according to the Explore tab within the Evidence Tree, we can see 3 separate folders that have a red “X” on them, which indicates that they were deleted and recovered by FTK through the file carving options selected when I first loaded the image into FTK.

Within these folders there were 11 files in total that were deleted, along with the folders themselves.

I found some other deleted files after doing an index search for “scam” and following the path to a particular letter that I was interested in. This brings the total count of deleted items up to 13.
r) Perform a file carving and list or provide a TOTAL NUMBER OF carved files
found

In FTK, when you load an image you have the option to choose refinement options; included in those options are file/data carving options that make it easier and faster to carve files so you don't have to do it by hand. In the Overview tab you can expand the “File Status” category and select the “Data Carved Files” subdirectory, and this will give you the total number of files that FTK carved. In this case a total of 48 files were carved.
s) Identify any cameras, USB drives, or other devices that have been attached to the computer.

Going into the SYSTEM registry hive under the ControlSet001/USBSTOR subkeys you can see that Windows creates a registry entry to show that a device was plugged in. In this case we can see from the titles of the entries that there was an iPod plugged into the computer along with several other USB media that appear to be flash drives.

Going into SYSTEM/ControlSet001/USB in the registry hive we can see that there was a camera plugged in, more specifically a Canon PowerShot SD500 digital camera.
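The USBSTOR and USB key names carry more than the device title: vendor, product, revision and the serial number are all encoded in the key path, and whether that serial actually identifies one physical unit depends on how it was formed. As an added example (not code from the report), the functions below split both key forms apart and flag serials that Windows generated itself. The key names are constructed in the documented Disk&Ven_...&Prod_...&Rev_...\<serial>&<instance> and VID_xxxx&PID_xxxx\<serial> shapes; the VID/PID values and serials are made up and are not the Mantooth image's strings.

```python
# Added example, not from the report: decompose USBSTOR and USB registry key
# names and flag serials that cannot identify a specific device. All key
# strings below are constructed.
import re

STOR_RE = re.compile(r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
USB_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})$")


def _serial_from_instance(instance):
    """Strip the trailing '&<n>' instance counter and say whether the serial is the device's own."""
    serial = instance.rsplit("&", 1)[0] if "&" in instance else instance
    # A device that exposes no serial gets a Windows-synthesised id whose second
    # character is '&' (e.g. '7&2f3a1b4c'); such a value cannot single out one unit.
    unique = len(serial) > 1 and serial[1] != "&"
    return serial, unique


def parse_usbstor(key_path):
    """'Disk&Ven_X&Prod_Y&Rev_Z\\<serial>&0' -> dict of fields."""
    device, _, instance = key_path.rpartition("\\")
    m = STOR_RE.match(device)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device}")
    serial, unique = _serial_from_instance(instance)
    return {"class": m["class"], "vendor": m["vendor"],
            "product": m["product"].replace("_", " "), "revision": m["rev"],
            "serial": serial, "serial_is_unique": unique}


def parse_usb(key_path):
    """'VID_xxxx&PID_xxxx\\<serial>' -> dict of fields."""
    device, _, instance = key_path.rpartition("\\")
    m = USB_RE.match(device)
    if not m:
        raise ValueError(f"not a USB VID/PID key: {device}")
    serial, unique = _serial_from_instance(instance)
    return {"vid": m["vid"].upper(), "pid": m["pid"].upper(),
            "serial": serial, "serial_is_unique": unique}


CONSTRUCTED_KEYS = {  # shapes follow the registry layout; every value is made up
    "USBSTOR": [r"Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789AB&0",
                r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\7&2f3a1b4c&0",
                r"Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A270012345678&0"],
    "USB": [r"VID_1234&PID_ABCD\5&1f3c2a9b&0&3",
            r"VID_1234&PID_ABCE\CAM00001"],
}


def inventory(keys=CONSTRUCTED_KEYS):
    """Parse every constructed key into one flat list of device records."""
    return ([parse_usbstor(k) for k in keys["USBSTOR"]]
            + [parse_usb(k) for k in keys["USB"]])


if __name__ == "__main__":
    for rec in inventory():
        print(rec)
```

A non-unique serial still proves a device of that make and model was attached, but it cannot be matched against a seized drive; reporting the distinction avoids overstating what the registry shows.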
t) Identify the most recently run programs

You can find the most recently run programs in the NTUSER.DAT registry hive at the path NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Explorer/ComDlg32/LastVisitedPidlMRU

There were eight programs in total that I found in this key; the screenshots I took are included below.

● The first program is AOL, noted by the text in the bottom right corner.
● FTK Imager
● Notepad
● MS Paint
● SnagIt32, which is screen capture software.
● WinMail, or Windows Mail, which is an email application.
u) Identify any URLS that were visited by manually typing the address

In the NTUSER.DAT registry hive, at the path NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU, I found some commands that were manually typed into the Run command box in Windows.

According to https://support.accessdata.com/hc/en-us/article_attachments/201717329/Registry_Quick_Find_Chart_9-27-10.pdf this particular key holds the most recent operations that were typed into the Windows Run command.

The URLs include www.sourceforge.net, www.bigbadandugly.com, www.hellokitty.com, and www.google.com.

v) Identify any credit card numbers on the drive (requires live search with regular expression)

To conduct a live search you must first go to the Live Search tab in FTK and select the Pattern tab. At the end of the text box there is a white arrow from which you can select from a list of predetermined expressions, and in this list is a list of all the credit card issuers.

Add this to the list and click search. It came up with two hits. Both hits appear to return the same number, which is 4625184200003590. There was nothing returned to indicate what type of card it is from.

Earlier in the investigation I came across an Excel file that is password protected. After trying several times to crack the password with PRTK I was unsuccessful. This Excel file is named “CC Nums.xls” and could potentially contain more credit card numbers.
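A pattern search on raw drive contents needs two things beyond the regex itself: the data must be scanned as UTF-16 as well as ASCII (Windows stores most strings as UTF-16, and a UTF-16 string can start on either byte boundary), and each hit should be checked with the Luhn algorithm and an issuer prefix before it is reported as a card number. The following is an added example, not code from the report and not FTK's own expression list: the issuer prefix rules are the commonly published ones and are an assumption here. The sample buffer is constructed; it embeds the number the live search returned, a Luhn-valid test number stored as UTF-16, and a 13-digit run that is not a card at all.

```python
# Added example, not from the report: regex search for card numbers over raw
# bytes in ASCII and UTF-16LE, then Luhn and issuer-prefix filtering.
# Sample data and issuer rules are constructed/assumed.
import re

# 13-19 digit run, optionally split by single spaces or dashes, not embedded in
# a longer digit run. ASCII digits only so the UTF-16 pass cannot match
# unrelated Unicode digit code points.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

ISSUER_PATTERNS = {  # assumed, commonly published prefix/length rules
    "Visa": re.compile(r"^4(?:[0-9]{12}|[0-9]{15})$"),
    "MasterCard": re.compile(r"^5[1-5][0-9]{14}$"),
    "American Express": re.compile(r"^3[47][0-9]{13}$"),
    "Discover": re.compile(r"^6011[0-9]{12}$"),
}


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits):
    return next((name for name, pat in ISSUER_PATTERNS.items() if pat.match(digits)), None)


def scan_for_pans(data):
    """Run the regex over the bytes as ASCII and as UTF-16LE at both byte alignments."""
    views = [("ascii", 0, data.decode("ascii", errors="replace"))]
    for shift in (0, 1):  # a UTF-16 string may start on an odd byte offset
        views.append(("utf-16-le", shift, data[shift:].decode("utf-16-le", errors="replace")))
    hits = []
    for encoding, shift, text in views:
        width = 2 if encoding == "utf-16-le" else 1
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            hits.append({"digits": digits, "encoding": encoding,
                         "offset": shift + width * m.start(),   # byte offset in data
                         "luhn": luhn_ok(digits), "issuer": issuer_of(digits)})
    return hits


def plausible(hits):
    """Hits that pass Luhn and match an issuer prefix; the rest need manual review."""
    return [h for h in hits if h["luhn"] and h["issuer"]]


# Constructed sample "drive" contents.
SAMPLE_DRIVE = (
    b"notes: card 4625184200003590 seen on the drive\n"     # number from the report (ASCII)
    + "xls cell: 4111 1111 1111 1111".encode("utf-16-le")   # UTF-16, starts on an odd byte
    + b"\nphone 1234567890123 is not a card\n"              # 13-digit run, no issuer
)

if __name__ == "__main__":
    all_hits = scan_for_pans(SAMPLE_DRIVE)
    for h in all_hits:
        print(f"{h['offset']:>4} {h['encoding']:<9} {h['digits']:<19} "
              f"luhn={h['luhn']} issuer={h['issuer']}")
    print("plausible:", [h["digits"] for h in plausible(all_hits)])
```

Running this shows that the number the live search returned matches the Visa prefix but does not pass the Luhn check, which is worth recording alongside the hit before it is described as a live card number; the UTF-16 hit would be missed entirely by an ASCII-only pattern, and the 13-digit run matches the regex but fails both filters.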
w) Detective Ketchum has provided a list of search terms: Theft, Title, Checks, Scam, Forensics. Provide ONLY a few examples of results of these that you believe may be relevant.

After running an index search for the word “scam” I came across a letter that highlights what looks to be an illegal money transfer.

Also in the same search I came across what looks like a Word document, titled “Let's scam the people.” and signed by Skimmerman27, from Rip Them Off, Inc.

After another index search I came across a document that details the top 10 best ways to steal a car. I included the first few ways in the screenshots below.
Conclusion

In conclusion, after processing the Mantooth.E01 image file I loaded the file back into FTK Imager to re-verify the hash checksums to ensure that no data was altered in the creation of this report.

[1]
[2]

These two images above show the verification results in FTK Imager, where image 1 is the final verification after I completed my examination and image 2 is the initial verification I did on the first day that I started this examination. Based on these two hashes the original E01 file has not been altered. In this examination I was asked to find several artifacts pertaining to the Mantooth32.E01 image given to me by Detective Ketchum. Using all of the tools noted above in the Forensic Acquisition section of this report, some of the artifacts found include: the users of the computer the image was taken from, and the passwords for the user accounts on the computer, which were found using AccessData PRTK; the most active user of the computer, and a picture of the most active user, Wes Mantooth; and all of the credit card numbers found in the live search, as well as any images that relate to fraud or financial crimes. Although I have only recapped a few of the artifacts Detective Ketchum asked me to recover, all of the artifacts that Detective Ketchum asked for are accounted for in this report.
