
Project solution Autopsy-updated

digital forensics work

Uploaded by

Rizwan

Forensic Computing Practice UFCFC5-15-3

Forensic Examination Report

Contents
1. Introduction of Case
2. Possible Case Scenario:
3. Summary of Suspect:
4. Table of Evidence Found:
5. Evidence Screenshots:
6. Contemporaneous Analysis Notes:
7. Evidence Mapping:

1. Introduction of Case

Title: Dev tricks John

Suspect Nickname = Dev

The suspect, known as "Dev," is believed to be involved in stealing banking information from players of the game PUBG and
hacking their devices through a fake link that resembles the official game link. He allegedly sells the stolen account information on the
black market. There is currently no evidence to convict the suspect; his laptop was confiscated after several players reported their
concerns to the authorities, which led to his eventual identification. The police wish to determine whether they can secure a conviction,
and whether the evidence is sufficient to file charges against him or to trace the network through which he operates, if it exists.

2. Possible Case Scenario:

Guidelines to write the Possible Case Scenario:

During the investigation, the possible case scenario involves the theft of banking information from players and the hacking of a few
devices using fake links. The person involved is therefore interested in selling the stolen account information on the black market.
Investigations of this kind normally present multiple challenges, so solid experience is required in the case-solving approach. At an
early stage, the Autopsy tool needs to be configured and the provided image loaded for forensic analysis, because it is a standard
analysis tool and provides all the sensitive information free of cost. Based on the given evidence, this report includes a complete
analysis section covering all the required evidence, such as files, logs, images and other digital resources. The evidence also provides
information about the different incident activities.

3. Summary of Suspect:
To solve the current problem, the investigation needs access to an image file of the data, which is loaded on a computing
device using the software application called Autopsy. After the process completes, we get a complete report about the evidence and
the sensitive incident information, which will then prove that all the pieces of evidence are linked to each other.

Figure: creating a new case

Figure: other case information

Figure: final implementation

4. Table of Evidence Found:

Columns: No | Description of item | Significance to case | Full Provenance | Method of Discovery

Item 1
Description of item: The evidence data contains a text file which is properly encrypted, and the hashed values need to be decrypted.
Significance to case: The text file contains information about activities linked to the attack.
Full Provenance:
  Name: /img_Dev and john (1).E01/windows files/link.txt
  Name: link.txt
  Is Deleted: No
  Type: File System
  MIME Type: file: 8881
  File Name Allocation: Allocated
  Metadata Allocation: Allocated
  Modified: 2024-10-28 14:20:14 GST
  Accessed: 2024-10-28 00:00:00 GST
  Created: 2024-04-17 23:22:35 GST
  Changed: 0000-00-00 00:00:00
  MD5: 9f5e22214951d44c9076f60d1c77f66dd1dfb045f489e2a7047606b936a3af16
Method of Discovery: For information access, apply the search method and get the sensitive information easily.

Item 2
Description of item: The evidence found is an email-based file.
Significance to case: Deals.mbox. This is a MIME-encapsulated message.
Full Provenance:
  Name: /img_Dev and john (1).E01/windows files/Deals.mbox
  Is Deleted: No
  Type: File System
  MIME Type: file: 34566
  File Name Allocation: Allocated
  Metadata Allocation: Allocated
  Modified: 2024-10-28 14:20:14 GST
  Accessed: 2024-10-28 00:00:00 GST
  Created: 2024-04-17 23:22:35 GST
  Changed: 0000-00-00 00:00:00
  MD5: a9463424b370c4bc9bf1e45f339ec63d
Method of Discovery: Information access by applying searching methods.

Item 3
Description of item: An image file containing attacking information about PUBG.
Significance to case: This picture contains the different information.
Full Provenance:
  Name: /img_Dev and john (1).E01/Camera/Source/pubg.jpg
  Is Deleted: No
  Type: File System
  MIME Type: image/jpeg
  Size: 34.4 MB (36,091,712 bytes)
  File Name Allocation: Allocated
  Metadata Allocation: Allocated
  Modified: 2024-10-28 14:20:14 GST
  Accessed: 2024-10-28 00:00:00 GST
  Created: 2024-04-17 23:22:35 GST
  Changed: 0000-00-00 00:00:00
  MD5: a9463424b370c4bc9bf1e45f339ec63d
Method of Discovery: For the data discovery I have checked the different log files and got the information about the current malicious item.

Item 4
Description of item: An image file about PUBG game
Significance to case: Image file contains the information about
Full Provenance:
  Name: /img_Dev and john (1).E01/Camera/Source/
  Is Deleted: No
Method of Discovery: Apply search and analysis method
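
A consistency check that a reviewer can run over the digest fields of the table above before relying on them; this is an added example, not part of the original report, and the record layout and the names `check_records` and `file_digest` are assumptions. The digests are the ones recorded for items 1 to 3.

```python
import hashlib
import re
from collections import defaultdict

# Expected hex-digest length per algorithm label.
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}

# Provenance fields as recorded for evidence items 1-3 in the table above.
RECORDS = [
    {"item": 1, "path": "/img_Dev and john (1).E01/windows files/link.txt",
     "algo": "MD5",
     "digest": "9f5e22214951d44c9076f60d1c77f66dd1dfb045f489e2a7047606b936a3af16"},
    {"item": 2, "path": "/img_Dev and john (1).E01/windows files/Deals.mbox",
     "algo": "MD5", "digest": "a9463424b370c4bc9bf1e45f339ec63d"},
    {"item": 3, "path": "/img_Dev and john (1).E01/Camera/Source/pubg.jpg",
     "algo": "MD5", "digest": "a9463424b370c4bc9bf1e45f339ec63d"},
]

def file_digest(path, algo="md5"):
    """Hash a file exported from the image, reading it in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_records(records):
    """Return (item, issue) findings for digest fields that need re-verification."""
    findings, by_digest = [], defaultdict(list)
    for r in records:
        d = r["digest"].strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", d):
            findings.append((r["item"], "digest is not hexadecimal"))
            continue
        want = HEX_LEN[r["algo"]]
        if len(d) != want:
            # Name the algorithm whose digest length matches, if any.
            fits = [a for a, n in HEX_LEN.items() if n == len(d)]
            findings.append((r["item"], f"{r['algo']} needs {want} hex chars, got {len(d)}"
                             + (f" (length of {fits[0]})" if fits else "")))
        by_digest[d].append(r)
    for group in by_digest.values():
        # One digest listed against several distinct paths must be re-hashed.
        if len({g["path"] for g in group}) > 1:
            items = tuple(sorted(g["item"] for g in group))
            findings.append((items, "same digest recorded for different paths"))
    return findings
```

`file_digest` recomputes the hash of a file exported from the image so that it can be compared with the value recorded in the report.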

5. Evidence Screenshots:

In the picture below, the evidence contains different sets of text files.
Evidence Item1:
Location on image: /img_Dev and john (1).E01/users/Public/Documents/National Instruments/Circuit Design Suite 14.2/samples/LabVIEW Multisim API Toolkit/SPICE Command Line/SPICE Command Line.pdf/image1.jpg

In the picture below, we see email data details containing sensitive information.
Evidence Item2:
Location on image: /img_Dev and john (1).E01/users/Public/Documents/National Instruments/Circuit Design Suite 14.2/samples/LabVIEW Multisim API Toolkit/SPICE Command Line/SPICE Command Line.pdf/image4.pn

It contains the PUBG mobile competition and symbolizes the image.
Evidence Item3:
Location on image: /img_Dev and john (1).E01/iMazing/Resources/emojis/64@72/u1F308.png

The given figure contains Windows-based suspected files and provides a complete level of sensitive information.
Evidence Item4:
Location on image: /img_Dev and john (1).E01/Windows Mail/w.hc

A set of link images contains a suspected laptop image file involved in criminal activity.
Evidence Item5:
Location on image: /img_Dev and john (1).E01/users/Public/Documents/National Instruments/Circuit Design Suite 14.2/samples/LabVIEW Multisim API Toolkit/SPICE Command Line/SPICE Command Line.pdf/image8.png

The given evidence item contains the bill materials in the form of documents.
Evidence Item6:
Location on image: /img_Dev and john (1).E01/users/Public/Documents/National Instruments/Circuit Design Suite 14.2/samples/QuizShowProject/reports/BillsOfMaterials.xls

The given figure contains PNG images with steganography data.
Evidence Item7:
Location on image: /img_Dev and john (1).E01/users/Public/Documents/National Instruments/Circuit Design Suite 14.2/samples/QuizShowProject/datasheets/74AC74.pdf/image1.tif

Evidence Item8: PUBG image files
/img_Dev and john (1).E01/iMazing/Resources/MediaCopyStatusOK.png
The given figure contains a set of images with steganography data, which contains evidence-related information.

Evidence Item9: Email encrypted data
/img_Dev and john (1).E01/iMazing/Resources/MediaCopyStatus msg.txt
The given figure contains multiple messages with encrypted data, and the attacker decrypts the information.

6. Contemporaneous Analysis Notes:

Examiner: DEV
Name of Exam:
Date and time of start of investigation commenced:
Other relevant information: CASE NO:0101
Software used, Versions and licensing: AUTOPSY
List of tools used for the investigation and analysis: FINAL HTML GENERATED REPORT

Columns: Action | Done | Date | Time | Notes

Action: Load case & verify image
Done: YES | Date: 2024/11/11 | Time: 17:41:55
Notes: In the figure we can see all types of case data loaded after a proper file verification approach, and the necessary data is collected.

Action: A text file inside encrypted file
Done: YES | Date: 2024/11/11 | Time: 18:51:44
Notes: There are multiple text files containing the sensitive information.

Action: Promotional email messages
Done: YES | Date: 2024/11/11 | Time: 19:4:59
Notes: In the given figure we can see the different mail files involved in criminal activities.

Action: Symbolizing set of images
Done: YES | Date: 2024/11/11 | Time: 19:41:33
Notes: The images are linked with each other to collect the sensitive information.

Action: Steganography images
Done: YES | Date: 2024/11/23 | Time: 19:55:33
Notes: The data contains information about the PUBG game.

Action: Word document inside laptop image
Done: YES | Date: 2024/11/23 | Time: 20:41:55
Notes: In given figure we can access information in shape of hashed

Action: Evidence of laptop Bill based documents:
Done: YES | Date: 2024/11/23 | Time: 21:43:44
Notes: The given set of information contains the bill-based evidence.

Action: file types. Export doc / office & exe files; look at Meta data if required: The following image contains the data item properties about the suspected activities.
Done: YES | Date: 2024/11/23 | Time: 21:50:55
Notes: The gallery of images contains the suspected image items.

Action: Link files: These files contain the information about user accounts, where each user is separated from the others.
Done: YES | Date: 2024/11/23 | Time: 23:41:30
Notes: The given figure contains the information about the suspected accounts.

Action: Registry analysis and Registry protected area.
Done: YES | Date: 2024/11/23 | Time: 21:43:44
Notes: Nothing found

Action: IM clients
Done: YES | Date: 2024/11/23 | Time: 22:43:44
Notes: Nothing found

Action: Clean-up utilities. Check log files
Done: YES | Date: 2024/11/23 | Time: 22:43:44
Notes: Nothing found

Action: Examine different file types. Export doc / office & exe files; look at Meta data if required
Done: YES | Date: 2024/11/23 | Time: 23:48:44
Notes: Nothing found

Action: Encryption, Steg.
Done: YES | Date: 2024/11/23 | Time: 23:50:44
Notes: Nothing found

Action: Print artefacts
Done: YES | Date: 2024/11/23 | Time: 23:55:44
Notes: Nothing found

Action: CD/DVD burning apps: check log files
Done: YES | Date: 2024/11/23 | Time: 23:57:44
Notes: Nothing found

7. Evidence Mapping:

Page 26 of 28
5. References:

M. A. Neaimi, H. A. Hamadi, C. Y. Yeun and M. J. Zemerly, "Digital Forensic Analysis of Files Using Deep Learning," 2020 3rd
International Conference on Signal Processing and Information Security (ICSPIS), DUBAI, United Arab Emirates, 2020, pp. 1-4, doi:
10.1109/ICSPIS51252.2020.9340141.

O. J. Adebayo, I. Suleiman, A. Y. Ade, S. O. Ganiyu and I. O. Alabi, "Digital Forensic analysis for enhancing information security," 2015
International Conference on Cyberspace (CYBER-Abuja), Abuja, Nigeria, 2015, pp. 38-44, doi: 10.1109/CYBER-Abuja.2015.7360517.

S. Raghavan and S. V. Raghavan, "A study of forensic & analysis tools," 2013 8th International Workshop on Systematic Approaches to
Digital Forensics Engineering (SADFE), Hong Kong, China, 2013, pp. 1-5, doi: 10.1109/SADFE.2013.6911540.

M. H. Ling, H. K. T. Ng, P. S. Chan and N. Balakrishnan, "Autopsy Data Analysis for a Series System With Active Redundancy Under a
Load-Sharing Model," in IEEE Transactions on Reliability, vol. 65, no. 2, pp. 957-968, June 2016, doi: 10.1109/TR.2016.2521766.

Page 27 of 28
Page 28 of 28

You might also like