
Digital Forensics: A Case Study on Workplace Crime and Cloud-Based Forensics


Added on  2022-10-17

Contents
Executive Summary.................................................................................................................. 2
Task 1..................................................................................................................................... 2
Introduction............................................................................................................................. 2
Chain of Events........................................................................................................................ 4
Tasks....................................................................................................................................... 8
Detailed Map of the suspects and their victims...........................................................................12
Timeline of events.................................................................................................................. 14
Task 2................................................................................................................................... 14
Introduction........................................................................................................................... 14
Previous Research................................................................................................................... 15
New Digital Forensics Project..................................................................................................17
Conclusion............................................................................................................................. 18
References............................................................................................................................. 20

Executive Summary
Owing to the proliferation of technology since the mid-20th century, and the eventual importance of that technology in the conduct of criminal activity, the field of digital forensics has become commonplace. In conventional forensics the evidence is usually physical and can identify a suspect: skin, saliva and fingerprints, for example. Digital forensics, on the other hand, deals with electronically processed data and information from digital devices. Digital forensic science is a widely used term for identifying, collecting and analyzing digital evidence not only from devices such as smartphones, laptops and the Internet of Things, but also from data deposited in the cloud. Network forensics is a sub-branch of digital forensics concerned with monitoring and analyzing computer network traffic for information collection, legal documentation and intrusion detection. In this paper, a practical case of workplace crime is analyzed and solved using tools from that sub-branch, network forensics. Later in the paper, a report-based theoretical analysis of cloud-based forensics is also provided.
Task 1
Introduction
Steps used to carry out the investigation with the primary tool of investigation, Wireshark:

To begin with, several hundred packets were examined in an attempt to uncover the essence of what was going on.

On analysis it became clear that the relevant packets were those of the email protocol, which is where the essence of the case lay.

As a result, all of the email packets were intercepted and analyzed, which then helped frame the chain of events set out below. The latest version of Wireshark was used on Windows, and each of the email packets was intercepted and analyzed step by step. The chain of events is depicted further into the report.

Further ahead, NetworkMiner was used to extract all the files carried in the packet capture. It also categorized the different file types and placed them in separate sections.

Without NetworkMiner it would have been very difficult to carve the files, as stripping the protocol headers from the captured packets in order to isolate the DD and PCAP files was quite difficult. NetworkMiner therefore sped up the task and helped isolate the two important files, secret.pcap and trash.dd.
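As an added example (not part of the original report, and not code from Wireshark or NetworkMiner), the following Python script shows the attachment-carving step described above in code. It takes a reassembled SMTP stream, such as the output of Wireshark's "Follow TCP Stream", splits out the message in each DATA block, decodes the MIME attachments, records each attachment's size and SHA-256 for the evidence record, and orders the messages by their Date header with the gap between consecutive messages, which is the kind of timeline the chain of events below is built from. The SMTP session, the addresses, the X-Mailer value and the bytes of the attachment are constructed placeholders, not data from the capture analyzed in this report.

```python
"""Carve e-mail attachments and build a timeline from a reassembled SMTP stream."""
import email
import hashlib
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: a reassembled SMTP session as "Follow TCP Stream" would
# show it (server replies interleaved with client commands). Addresses, host
# names and the attachment bytes are placeholders, not evidence from the case.
# The attachment is a 24-byte pcap global header (magic d4 c3 b2 a1), base64.
SMTP_STREAM = b"""220 mail.example.test ESMTP
EHLO agent-host
250 OK
MAIL FROM:<kidd@example.test>
250 OK
RCPT TO:<wint@example.test>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: kidd@example.test
To: wint@example.test
Subject: Fortunate News
Date: Tue, 12 Sep 2017 09:11:22 +0000
X-Mailer: Evolution 3.22 (placeholder)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Intercepted a transfer from slumber.inc. Attaching it.
--b1
Content-Type: application/octet-stream; name="secret.pcap"
Content-Disposition: attachment; filename="secret.pcap"
Content-Transfer-Encoding: base64

1MOyoQIABAAAAAAAAAAAAAAABAABAAAA
--b1--
.
250 OK queued
MAIL FROM:<wint@example.test>
250 OK
RCPT TO:<kidd@example.test>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: wint@example.test
To: kidd@example.test
Subject: Re: Fortunate News
Date: Tue, 12 Sep 2017 09:14:47 +0000
X-Mailer: Evolution 3.22 (placeholder)

Good work. Is it the one we are after?
.
250 OK queued
QUIT
221 Bye
"""


def split_smtp_messages(stream: bytes) -> list[bytes]:
    """Return the raw RFC 5322 message sent in each DATA block of the stream."""
    messages, current, in_data = [], [], False
    for line in stream.splitlines():
        if in_data:
            if not current and line.startswith(b"354"):
                continue                      # server's go-ahead, not message data
            if line == b".":                  # end-of-data marker
                messages.append(b"\r\n".join(current))
                current, in_data = [], False
            else:                             # undo SMTP dot-stuffing (RFC 5321 4.5.2)
                current.append(line[1:] if line.startswith(b"..") else line)
        elif line.strip().upper() == b"DATA":
            in_data = True
    return messages


def carve(raw: bytes) -> dict:
    """Parse one message; decode attachments and hash them for the evidence log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)   # base64/QP decoded bytes
        attachments.append({
            "filename": part.get_filename(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,
        })
    return {
        "date": parsedate_to_datetime(msg["Date"]),
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "mailer": str(msg["X-Mailer"]),
        "attachments": attachments,
    }


def build_timeline(stream: bytes) -> list[dict]:
    """All messages in the stream, ordered by Date, with seconds since the previous one."""
    events = sorted((carve(m) for m in split_smtp_messages(stream)),
                    key=lambda e: e["date"])
    prev = None
    for ev in events:
        ev["delta_s"] = int((ev["date"] - prev).total_seconds()) if prev else 0
        prev = ev["date"]
    return events


if __name__ == "__main__":
    for ev in build_timeline(SMTP_STREAM):
        print(f'{ev["date"]:%Y-%m-%d %H:%M:%S} (+{ev["delta_s"]}s) '
              f'{ev["from"]} -> {ev["to"]}: {ev["subject"]} [{ev["mailer"]}]')
        for att in ev["attachments"]:
            print(f'    attachment {att["filename"]} {att["size"]} bytes '
                  f'sha256={att["sha256"]}')
```

The hash is taken at the moment of carving so the extracted file can later be matched against whatever is produced by a second tool such as NetworkMiner; the Date ordering gives the minute-level gaps between replies that the chain of events relies on.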

Chain of Events
Email thread - Fortunate News (between Mr. Kidd and Mr. Wint)

The first exchange between the Spectre agents took place on Tuesday, the 12th of September, 2017, at 9.11.22 am. It was sent by Mr. Kidd to Mr. Wint from the Evolution mail client, version 3.22, which is developed by GNOME and is part of the Linux environment. The subject was 'Fortunate News', indicating that Mr. Kidd was bringing some critical developments to Mr. Wint's attention. The message said that Mr. Kidd had found, or perhaps intercepted, a file transfer sent by Mr. Whyte, who at this point is an unknown entity: it is not clear whether he is part of Spectre or something else, and his relationship with the other two Spectre agents is also unknown at this point. The message said that the file had been intercepted by Mr. Kidd and that it had come from slumber.inc.

A follow-up reply was sent by the Spectre agent Mr. Wint, who approved of the message and praised Mr. Kidd. It was sent to Mr. Kidd at 9.14.47 am on the same day, 12th September, 2017, within 3 minutes of the first message. Mr. Wint asked specifically whether the file intercepted by Mr. Kidd was the 'one' they were after. This means that both Spectre agents were after some particular information involving Mr. Whyte and Slumber.inc, and that this intercepted file could have been it.

A further reply was sent by the Spectre agent Mr. Kidd, who had initially broken the fortunate news to Mr. Wint, and this message carried some disappointment. It was sent to Mr. Wint at 9.18, again within 3 to 4 minutes of Mr. Wint's previous reply. The message said that the file intercepted by Mr. Kidd was encrypted and that a key was needed to decode or analyze it. It added that Mr. Kidd would send the file to Mr. Wint so that he could see whether he could do anything with it. In the same email, Mr. Kidd attached the file. It was named 'secret.pcap', indicating that it was perhaps a packet capture of Mr. Whyte's internet traffic.

Another reply in the same thread was sent by Mr. Wint to Mr. Kidd at 9.34 on the same day from the same email client. In it, Mr. Wint said that even if the packet capture was encrypted and there was perhaps no way to decrypt it, there might be an alternative way of acquiring the information they wanted. He went on to say that Mr. Whyte's secretary, Ms. Case, might be able to get the information from Mr. Whyte by accessing his Trash directory. This means that the two Spectre agents were after information known to or possessed by Mr. Whyte, and that since the packet capture did not turn out as they expected, they opted for an alternative involving his secretary, Ms. Case, who might manually help them retrieve that information from Mr. Whyte's Trash directory.

A further reply in the same thread was sent by Mr. Kidd to Mr. Wint at 9.38 am on the same day via the same email client. In it, Mr. Kidd said that he might know Ms. Case, though it was not made clear whether professionally, personally or otherwise. He asked Mr. Wint how to proceed with Ms. Case: whether to persuade her to reveal the information they wanted, or to use some other method.
