Digital Forensic Case Study: Investigating a Company Financial Fraud
Added on 2023/01/16
4-10-2019
Contents
Abstract
Introduction
Case Study Summary
Computer and Forensic Tool Statistics
Investigation
Conclusion and Future Work

Abstract
This report was produced during the assignment. In the assignment we work on a case study using digital forensic software that helps gather evidence and deliver facts. Any questions or concerns pertaining to the acquisition of the evidence can be found in the acquiring examiner's report.

Introduction
In this project we work with forensic tools. These tools are Autopsy and TrID, used for case analysis. In this report we work on a case study of a company financial fraud. The report kicks off with a brief description of what this technique of digital forensics is all about and why it is required in the modern data-centric and digital era. Further, it describes how other evidence could be used to inspect and examine a reported wrongdoing.
Case Study Summary
Monika of MCME Industries is being investigated under the suspicion that he may be offering proprietary company information to a competitor in exchange for a job.

Computer and Forensic Tool Statistics
The computer was removed from its position at MCME Industries on 4/4/19 at 9:29:03 PM and carted out to a nearby secure forensics facility. Once settled at the forensics lab, the hard drive was imaged to begin the research and testing. The image of the hard drive was examined using EnCase Forensic Edition Version 4.17b by Guidance Software. This program has been proven in courts of law to provide valid and accurate results when scanning and analyzing a system. We also use the TrID and Autopsy software for the digital forensic analysis.

Investigation
The following is the procedure I took to extract the data I found relevant to the case. I created a new case called Case Study. I added to this case the already captured image file (C:\forensicsfile\winlabencase.image) by going to File > Add Device, clicking Sessions, and clicking Add Evidence File. With the case loaded I immediately set the time zone by right-clicking on the image and choosing Modify Time Zone. From the following screen I selected the time zone I was working in. This is done so that all of the evidence correlates in the same time zone.
The next step was to recover any hidden or deleted folders on the system. Doing this step now makes later searches more complete and helps determine whether any actions were taken to hide or destroy evidence. To do this I right-clicked on the image and chose Recover Folders.

Next I ran a script to determine the specifications of the computer, because I had not been the one to create the image from the suspect machine. The script comes preloaded in EnCase V4. I went to View > Scripts and selected the Initialize Case script, which prompted me to enter information about the investigator and the person conducting the examination. Once the information was entered, the script asked where I would like the data saved. I chose to add it to the bookmark section under the folder EnCase Computer Analysis Report. I also needed to choose which information to include: I chose to display the Windows version and registration, time zone settings, network information, user information, and last shutdown time. The generated report follows. The important information pulled from the report is that the machine is running a FAT16 file system with Windows 10. The total capacity of the partition is only 22MB. With this information discovered, I can begin my investigation.

For this case study we also use the Autopsy software. Autopsy compares two images, stored before and after the case study; it provides a GUI interface and data carving techniques. The steps are given below.
Volume
File System: FAT16
Drive Type: Fixed
Sectors per cluster: 1
Bytes per sector: 512
Total Sectors: 45,360
Total Capacity: 23,023,616 bytes (22MB)
Total Clusters: 44,968
Unallocated: 13,872,128 bytes (13.2MB)
Free Clusters: 27,094
Allocated: 9,151,488 bytes (8.7MB)
Volume Name: NO NAME
Volume Offset: 0
OEM Version: MSDOS5.0
Serial Number: 30E0-8F46
Heads: 240
Sectors Per Track: 63
Unused Sectors: 12,292,560
Number of FATs: 2
Sectors Per FAT: 176
Boot Sectors: 8

Device
Evidence Number: Lab5 image
File Path: C:\forensicsfiles\WinLabEnCase.image.E01
Actual Date: 04/04/19 09:29:03PM
Target Date: 04/04/019 09:29:03PM
Total Size: 23,224,320 bytes (22.1MB)
Total Sectors: 45,360
File Integrity: Completely Verified, 0 Errors
EnCase Version: 4.17b
System Version: Windows XP
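The volume figures above are all derived from the FAT16 boot sector (BIOS Parameter Block), and the integrity line rests on re-hashing the image. The following added example, written for this report and not part of the original assignment or of EnCase, decodes a constructed boot sector whose fields are set to the values listed above, derives the cluster count and capacities from them, and verifies an image against its acquisition hash. The sample sector and the hash value used in the usage section are constructed, not taken from the Lab5 image.

```python
import hashlib
import struct

# Constructed FAT16 boot sector whose BPB fields mirror the volume statistics
# above (512 bytes/sector, 1 sector/cluster, 8 boot sectors, 2 FATs of
# 176 sectors, 45,360 total sectors, OEM MSDOS5.0, serial 30E0-8F46).
# Sample data only, not a sector from the real Lab5 image.
def build_sample_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                    # jump to boot code
    bs[3:11] = b"MSDOS5.0"                       # OEM name
    struct.pack_into("<H", bs, 11, 512)          # bytes per sector
    bs[13] = 1                                   # sectors per cluster
    struct.pack_into("<H", bs, 14, 8)            # reserved (boot) sectors
    bs[16] = 2                                   # number of FATs
    struct.pack_into("<H", bs, 17, 512)          # root directory entries
    struct.pack_into("<H", bs, 19, 45360)        # total sectors (16-bit field)
    bs[21] = 0xF8                                # media descriptor: fixed disk
    struct.pack_into("<H", bs, 22, 176)          # sectors per FAT
    struct.pack_into("<H", bs, 24, 63)           # sectors per track
    struct.pack_into("<H", bs, 26, 240)          # heads
    bs[38] = 0x29                                # extended boot signature
    struct.pack_into("<I", bs, 39, 0x30E08F46)   # volume serial number
    bs[43:54] = b"NO NAME    "                   # volume label (11 bytes)
    bs[54:62] = b"FAT16   "                      # file system type string
    bs[510:512] = b"\x55\xAA"                    # boot sector signature
    return bytes(bs)


def parse_fat16_boot_sector(bs: bytes) -> dict:
    """Decode the BIOS Parameter Block and derive the volume geometry."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bps = struct.unpack_from("<H", bs, 11)[0]
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bps}")
    spc = bs[13]
    reserved = struct.unpack_from("<H", bs, 14)[0]
    fats = bs[16]
    root_entries = struct.unpack_from("<H", bs, 17)[0]
    total16 = struct.unpack_from("<H", bs, 19)[0]
    spf = struct.unpack_from("<H", bs, 22)[0]
    spt = struct.unpack_from("<H", bs, 24)[0]
    heads = struct.unpack_from("<H", bs, 26)[0]
    total32 = struct.unpack_from("<I", bs, 32)[0]
    total = total16 if total16 else total32      # 32-bit count used when 16-bit is 0
    serial = struct.unpack_from("<I", bs, 39)[0]

    # The root directory is fixed-size on FAT12/16; the data region follows it.
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - reserved - fats * spf - root_dir_sectors
    clusters = data_sectors // spc
    return {
        "oem": bs[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "boot_sectors": reserved,
        "number_of_fats": fats,
        "sectors_per_fat": spf,
        "sectors_per_track": spt,
        "heads": heads,
        "total_sectors": total,
        "total_clusters": clusters,
        "total_capacity": clusters * spc * bps,   # usable data area (EnCase "Total Capacity")
        "device_size": total * bps,               # whole volume (EnCase "Total Size")
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "label": bs[43:54].decode("ascii", "replace").strip(),
        "fs_type": bs[54:62].decode("ascii", "replace").strip(),
    }


def verify_image(image: bytes, acquisition_md5: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return hashlib.md5(image).hexdigest().lower() == acquisition_md5.lower()


if __name__ == "__main__":
    sector = build_sample_boot_sector()
    for key, value in parse_fat16_boot_sector(sector).items():
        print(f"{key}: {value}")
    # The acquisition hash here is computed from the constructed sector itself;
    # in a real case it is read from the acquisition record.
    print("integrity:", verify_image(sector, hashlib.md5(sector).hexdigest()))
```

Running it reproduces the 44,968 clusters, the 23,023,616-byte capacity and the 23,224,320-byte device size shown in the report, which is a useful cross-check that a tool's summary page was derived from the sector it claims to describe.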
Acquisition Hash: F70C5FFF082E526A368E2C0A13ABB093
Verify Hash: F70C5FFF082E526A368E2C0A13ABB093

Daylight Saving Time settings
                  Hour   Day of Week   Week of month (5=last)   Month
Daylight start    2      Sunday        1                        4
Standard start    2      Sunday        5                        10

Time Zone Settings (minutes)
Time Zone Bias: 300
Daylight Bias: -60
Standard Bias: 0
Time Zone: (GMT-05:00) Eastern Time (US & Canada)

My first task was to compile a list of keywords to search the file system for. Knowing which words to start searching on helps eliminate loads of irrelevant data. The list contained the following: MCME Industries (with MCME and MCME Industry as variations), Shalin, Anjali, and promotion. With this list in hand I created a keyword list by clicking View > Keywords. I right-clicked Keywords > Add New Folder and named the folder Monika Keywords. Once the folder was created I right-clicked the Monika Keywords folder > Insert Keyword List. The list box was filled with the keywords mentioned above. The new keywords were then selected and a search was performed by going to Search at the top. The search
was done under the following criteria: search each file for keywords, search file slack, and selected keywords only. The table below shows the numerical results of the search.

Search Summary
Hits   First Searched / Last Searched   Search Text
5      11/05/18 04:57:01PM              mcmeindustries
0      11/05/18 04:57:01PM              mcmeindustry
67     11/05/18 04:57:01PM              mcme
253    11/05/18 04:57:01PM              Shalin
127    11/05/18 04:57:01PM              Anjali
1      11/05/06 04:57:01PM              promotion

With so many hits for Shalin and Anjali I concluded that I was on the right track. I started with the smallest and worked my way up. Promotion's result was just a spam e-mail. The files found under MCME Industries were project files and some e-mail items. At this point I was more interested in evidence of some kind of contact between Monika and Shalin and Anjali. The results for MCME came back with 4 interesting hits. Amidst the e-mail files were 4 temporary files found at:
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP
These files all contained the message: "I'd like to offer you some material from my company in exchange for a position in your company." – Monika@mcme.com. These files grabbed my attention, so I made sure to take down the access times (all last accessed on 3/9/04 around 11:38 AM). I bookmarked the four files by selecting them and right-clicking > Bookmark Files. I created a new folder called TMP Files (MCME) and the four were imported there for further consideration later. Anjali's results were shuffled through next, but they were mostly HTML files that Monika must have been visiting. The bulk of the hits came from Shalin. They were a mix of web files including data and content. The web files came from the Shalin website, where the company's About and Contact pages were visited. Also mixed in were a few e-mails to Anjali@Shalin.com. I selected a few files which I saved to bookmarks in the DBX Files (Shalin) folder. Two e-mails in particular stood out that contained information that seemed to relate to this case. They can be located at:
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Application Data\Identities\{E893F19B-C77A-4082-9435-87534CCECF93}\Microsoft\Outlook Express\Deleted Items.dbx
Case Study\Lab5 image\Documents and Settings\MONIKA\Local Settings\Application Data\Identities\{E893F19B-C77A-4082-9435-87534CCECF93}\Microsoft\Outlook Express\Sent Items.dbx
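The keyword search above was run with "search file slack" enabled, which is what turns up residue of earlier file contents that no longer belong to any live file. The following added example, written for this report and not code from the assignment or from EnCase, performs the same kind of raw keyword search over a constructed 2 KB image: it matches each keyword case-insensitively in both ASCII and UTF-16LE (how Windows often stores text), and labels every hit as lying in file content, in file slack, or in unallocated space, using a hypothetical extent list that stands in for the file-system bookkeeping a real tool reads from the FAT. The image contents, file names and extents are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Extent:
    """Where one allocated file sits in the image (hypothetical bookkeeping)."""
    name: str
    start: int            # byte offset of the file's first cluster
    logical_size: int     # bytes the file actually uses
    allocated_size: int   # cluster-rounded allocation; the gap is file slack


def classify(offset: int, extents: List[Extent]) -> Tuple[str, str]:
    """Say whether a byte offset lies in file content, file slack or unallocated space."""
    for e in extents:
        if e.start <= offset < e.start + e.logical_size:
            return ("file", e.name)
        if e.start + e.logical_size <= offset < e.start + e.allocated_size:
            return ("slack", e.name)
    return ("unallocated", "")


def keyword_search(image: bytes, keywords: List[str],
                   extents: List[Extent]) -> Dict[str, list]:
    """Case-insensitive raw search for each keyword in ASCII and UTF-16LE."""
    results = {}
    for kw in keywords:
        hits = []
        for encoded in (kw.encode("ascii"), kw.encode("utf-16-le")):
            for m in re.finditer(re.escape(encoded), image, re.IGNORECASE):
                where, owner = classify(m.start(), extents)
                hits.append((m.start(), where, owner))
        results[kw] = sorted(hits, key=lambda h: h[0])
    return results


def hit_summary(results: Dict[str, list]) -> Dict[str, int]:
    """Hit counts per keyword, like the Search Summary table."""
    return {kw: len(hits) for kw, hits in results.items()}


def build_sample_image() -> Tuple[bytes, List[Extent]]:
    """Constructed 2 KB image with 512-byte clusters: two files with slack, plus unallocated space."""
    image = bytearray(2048)
    sent = b"From: Monika@mcme.com\r\nTo: Anjali@Shalin.com\r\nSubject: A Proposition\r\n"
    image[0:len(sent)] = sent
    leftover = b"MCME Industries - Project 238x"      # residue left in Sent Items slack
    image[300:300 + len(leftover)] = leftover
    page = b"<html>Welcome to Shalin</html>"
    image[512:512 + len(page)] = page
    wide = "Anjali".encode("utf-16-le")               # UTF-16 text in page slack
    image[1100:1100 + len(wide)] = wide
    spam = b"Your promotion is waiting"               # deleted file, now unallocated
    image[1600:1600 + len(spam)] = spam
    extents = [
        Extent("Sent Items.dbx", 0, 300, 512),
        Extent("page.htm", 512, 512, 1024),
    ]
    return bytes(image), extents


if __name__ == "__main__":
    image, extents = build_sample_image()
    found = keyword_search(image, ["mcmeindustries", "mcme", "Shalin", "Anjali", "promotion"],
                           extents)
    for kw, hits in found.items():
        print(f"{len(hits):3d} hit(s) for {kw!r}")
        for offset, where, owner in hits:
            print(f"      offset {offset:5d}  {where:11s} {owner}")
```

The UTF-16LE pass matters: a keyword present only as wide characters would be missed by a plain ASCII search, and the per-hit location tells the examiner whether a hit is something the user still had on disk or something that survived deletion.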
The e-mails were both from Monika@mcme.com to Anjali@Shalin.com. The following is the content of the two e-mails.

From: "Monika" <Monika@mcme.com>
To: "Anjali@Shalin.com"
Subject: A Proposition
Date: Fri, 23 Jan 2019 12:06:52 -0500

I'd like to offer you some material from my company in exchange for a position in your company.

Monika
Monika@mcme.com

From: "Monika" <Monika@mcme.com>
To: "Anjali@Shalin.com"
Subject: My Proposition
Date: Fri, 01 Jul 2018 10:04:39 -0500

It's been a week since I sent you my proposal. Have you had a chance to consider it?

Pat
The first e-mail contained the same information found in the temporary files from the MCME Industries keyword search earlier. I was getting closer and closer to the when with just the help of the keyword search. I decided to take a look at the timeline of the operating system, which documents when a file was created, accessed, and modified. It places each entry in a calendar view so an investigator can see when there is a surplus of changes. By selecting the case I was working on and going to Timeline, I found that there was heavy traffic on 1/23/04, 3/9/04, and 3/15/04. Starting with the earliest date and moving forward, I examined the data by honing in on each date; the view gets more detailed by hour and minute the closer you zoom in. The traffic generated on 1/23/04 was mainly searching for a new job through sites like Monster.com and Yahoo Jobs, and browsing the Shalin and Anjali websites. The web files and cookies created on this date confirm this; they are found at:
Case Study\Lab5 image\Documents and Settings\MONIKA\Cookies
The files on 3/9/04 and 3/15/19 are the heaviest in traffic. They include many cookies and website files being created and deleted in the temporary files space, along with the two e-mails quoted above being modified and deleted.

There were still a few more tests I could complete on this case. One was to go through the image Gallery and check the images found on the file system. In order to do this I had to specify which folders contained images. I decided to check the entire case and opened the Gallery view. There were many images from the Shalin website as well as images pertaining to finding a new job, adding nothing more than we already knew. I had found clues on the who, the when, and the where, but I was still missing the what and the how.

My next step was to run a signature analysis to see whether any files were still hidden that I may have overlooked because their extensions were modified. A signature analysis takes the proper signature that a file should have and checks whether it matches the extension the file actually carries. If there is a mismatch it will be labeled as such and EnCase will tell me what the extension should be. Running a signature analysis means selecting the complete image and doing a Search (the same Search as done prior). The only option that should be selected is Verify File Signatures, with the results saved to a bookmark called Signature Mismatch. A few files stuck out from the others.

For the signature analysis we use the TrID software, which works on files. The screenshots for the given case study follow. TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard-coded logic, TrID has no fixed rules. Instead, it is extensible and can be trained to recognize new formats in a fast and automatic way. TrID uses a database of definitions which describe recurring patterns for supported file types. TrID was downloaded from the given link; we downloaded the Windows-based TrID software as a zip file and unzipped it. When we tried to run the software we got a message that the definitions were missing. Screenshot:
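Two steps described earlier in this section, setting the case time zone (Modify Time Zone, with the bias and daylight-saving settings from the Initialize Case report) and reading the Timeline calendar view for days with heavy traffic, depend on the same computation: converting each stored MAC timestamp to local time and then counting events per local day. The following added example, written for this report and not code from the assignment or from EnCase, does that with the report's own Eastern Time settings (bias 300, daylight bias -60, daylight from the first Sunday of April at 2:00 to the last Sunday of October at 2:00). The FileEvent entries are constructed sample data echoing the dates discussed above, not records from the Lab5 image, and the class and function names are this example's own.

```python
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

SUNDAY = 6  # Python weekday(): Monday=0 ... Sunday=6


@dataclass
class WindowsTimeZone:
    """Bias values as Windows stores them: UTC = local + bias (+ daylight bias during DST)."""
    bias_min: int = 300              # (GMT-05:00) Eastern Time (US & Canada)
    daylight_bias_min: int = -60
    dst_start: Tuple[int, int, int, int] = (2, SUNDAY, 1, 4)   # hour, weekday, week, month
    dst_end: Tuple[int, int, int, int] = (2, SUNDAY, 5, 10)    # week 5 = last

    @staticmethod
    def nth_weekday(year: int, month: int, weekday: int, week: int) -> date:
        """The Nth (or, for week 5, the last) given weekday of a month."""
        days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
                if date(year, month, d).weekday() == weekday]
        return date(year, month, days[-1] if week == 5 else days[week - 1])

    def in_dst(self, utc: datetime) -> bool:
        # Transition rules are wall-clock times, so compare in local standard time.
        local_std = utc - timedelta(minutes=self.bias_min)
        h, wd, wk, mo = self.dst_start
        start = datetime.combine(self.nth_weekday(local_std.year, mo, wd, wk),
                                 datetime.min.time()) + timedelta(hours=h)
        h, wd, wk, mo = self.dst_end
        # The end rule is given in daylight time; apply the daylight bias to get standard time.
        end = (datetime.combine(self.nth_weekday(local_std.year, mo, wd, wk),
                                datetime.min.time())
               + timedelta(hours=h) + timedelta(minutes=self.daylight_bias_min))
        return start <= local_std < end

    def to_local(self, utc: datetime) -> datetime:
        offset = self.bias_min + (self.daylight_bias_min if self.in_dst(utc) else 0)
        return utc - timedelta(minutes=offset)


@dataclass
class FileEvent:
    path: str
    kind: str          # "created", "modified" or "accessed"
    utc: datetime      # MAC timestamp as stored on the volume (UTC)


def build_timeline(events: List[FileEvent], tz: WindowsTimeZone) -> Dict[date, int]:
    """Count file-system events per local calendar day, like the EnCase calendar view."""
    counts = Counter(tz.to_local(e.utc).date() for e in events)
    return dict(sorted(counts.items()))


def busiest_days(counts: Dict[date, int], n: int = 3) -> List[Tuple[date, int]]:
    """Days with the most activity, ties broken by earlier date."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed events echoing the dates discussed above; not from the real image.
SAMPLE_EVENTS = [
    FileEvent("Cookies/monika@monster.txt", "created", datetime(2004, 1, 23, 14, 0, 0)),
    FileEvent("Outlook Express/Sent Items.dbx", "modified", datetime(2004, 1, 23, 17, 6, 52)),
    FileEvent("Content.IE5/WVEXGZIP/WBK50.TMP", "accessed", datetime(2004, 3, 9, 16, 38, 0)),
    FileEvent("Content.IE5/WVEXGZIP/WBK52.TMP", "accessed", datetime(2004, 3, 9, 16, 38, 5)),
    FileEvent("Confidential/Project 238x.pdf", "modified", datetime(2004, 3, 9, 18, 12, 0)),
    FileEvent("Confidential/Project 47x.xls", "modified", datetime(2004, 3, 15, 20, 0, 0)),
    # 03:30 UTC on the 16th is still the evening of the 15th in Eastern time.
    FileEvent("Outlook Express/Deleted Items.dbx", "modified", datetime(2004, 3, 16, 3, 30, 0)),
    FileEvent("Sent Items.dbx", "modified", datetime(2004, 7, 1, 15, 4, 39)),
]

if __name__ == "__main__":
    tz = WindowsTimeZone()
    timeline = build_timeline(SAMPLE_EVENTS, tz)
    for day, n in busiest_days(timeline):
        print(f"{day.strftime('%m/%d/%y')}: {n} event(s)")
```

The event at 03:30 UTC on 3/16 shows why the time zone has to be set before reading the timeline: without the conversion it would be counted on the wrong day, and a day that looks quiet in UTC can be the busy one in local time.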
After this message we updated TrID by running its Python update script, downloading the tridfs folder and unzipping it. TrID was then ready. We downloaded the unzipped folder from the university link; unzipping it we found 6 files. This software is easy to use and install: for installation we just download and unzip. We then ran the trid command followed by the file name:

trid 937514.aaa
trid 84514.aaa
This software identifies the file signatures in the image and shows the details of each file. The signature analysis flagged:
Case Study\Lab5 image\Documents and Settings\MONIKA\My Documents\Confidential\Project 238x.pdf
Case Study\Lab5 image\Documents and Settings\MONIKA\My Documents\Confidential\Project 47x.xls
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00001.SPL
The first two files are project files from MCME Industries that were kept in a confidential folder with altered file extensions. The last two files are printing spools that look like they have been altered. The spools correspond to each of the first two files being sent to the IP address 192.168.1.106. Project 238x was sent to that address on 3/9/19 and Project 47x was sent on 3/15/19 by the user name MONIKA. The IP address is mapped to the HP LaserJet 4000 Series PCL6 at MCME Industries. Both spool files can be found at:
C:\Windows\system32\spool\Printers

Just to make sure I had covered all pertinent data, I ran two more scripts before completing my investigation. I ran the IE History Parser with keyword search script to make sure that all the websites I had seen through the cookies and temporary web files were actually visited, and that I had not missed any others. To run this script I went to the Scripts menu and selected the options to add bookmarks, create web page and tab-delimited files, and search all files. The report did not deliver any new information that had not already been discovered. The last script I ran was to see whether there was any information I could obtain from the NTFS INFO2 file. This is the Recycle Bin file that contains information about deleted files. By running the NTFS INFO2 Record Finder script, selecting to read INFO2 files only, and saving to the bookmark Recovered NTFS Info2 Records, I came up with only one file deleted from the My Documents folder of MONIKA relating to Anjali. It did not seem to be of any value to this case.
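The signature analysis above, whether done with EnCase's Verify File Signatures option or with TrID, rests on one idea: the leading bytes of a file identify its real format regardless of the extension it has been given. The following added example, written for this report and not code from the assignment, from EnCase or from TrID, implements that check with a small table of well-known signatures, reports each file as a match, a mismatch (with the extension it should carry) or unknown, and lists mismatches first. The sample files, including the two renamed .aaa documents, are constructed and contain only a header, not the contents of the case's Project files.

```python
from typing import Dict, List, Set, Tuple

# Leading bytes ("magic") of common formats and the extensions they legitimately carry.
# A handful of well-known signatures only; a tool such as TrID keeps thousands of definitions.
SIGNATURES: List[Tuple[bytes, str, Set[str]]] = [
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound document", {"xls", "doc", "ppt", "msi"}),
    (b"\xFF\xD8\xFF", "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
]


def identify(data: bytes) -> Tuple[str, Set[str]]:
    """Return (description, legitimate extensions) for the first matching magic."""
    for magic, desc, exts in SIGNATURES:
        if data.startswith(magic):
            return desc, exts
    return "unknown", set()


def check_signature(name: str, data: bytes) -> Dict[str, str]:
    """Compare a file's magic bytes against its extension, as a signature analysis does."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    desc, exts = identify(data)
    if desc == "unknown":
        status = "unknown"          # no known signature: nothing to compare against
    elif ext in exts:
        status = "match"
    else:
        status = "mismatch"         # content says one format, extension says another
    return {"name": name, "detected": desc, "extension": ext,
            "status": status, "expected": ",".join(sorted(exts))}


def signature_analysis(files: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Run the check over every file and list the mismatches first."""
    report = [check_signature(n, d) for n, d in files.items()]
    return sorted(report, key=lambda r: r["status"] != "mismatch")


# Constructed sample: two renamed documents, one genuine image, one text file.
SAMPLE_FILES = {
    "937514.aaa": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "84514.aaa": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504,
    "logo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "notes.txt": b"plain text notes\n",
}

if __name__ == "__main__":
    for row in signature_analysis(SAMPLE_FILES):
        line = f"{row['status']:9s} {row['name']:12s} {row['detected']}"
        if row["status"] == "mismatch":
            line += f" (expected .{row['expected']})"
        print(line)
```

A plain-text file reports as unknown rather than as a mismatch, which mirrors why a signature analysis only flags files whose header is recognised; formats without a fixed header still need the definition-based approach TrID takes.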
Conclusion and Future Work
This report has pointed out pieces of information relating to the case of Monika from MCME Industries and his relations with the companies Shalin and Anjali. It is now up to the judge reading this report to determine whether this information is of any value to the case. It is important to state that there was no evidence present that B. Conrad from Shalin contacted Monika or that the printed files ever left the office. It is interesting, though, that the printing spools and project files were altered after printing. Printing spool files are normally not touched except by the operating system, so it is obvious that they were targeted. Determining any further information on this case is for a crime scene investigator to conduct and falls outside my jurisdiction. We used the Autopsy, EnCase and TrID software for the case analysis; we know these to be among the best forensic tools for analysis, and they were very helpful for our case study. The future scope is to use online analysis so that digital fraud in companies would be reduced.