Digital Forensics Investigation: Operation Mulberry Bear Case Analysis

Added on  2022/10/09
Practical Assignment
AI Summary
This assignment involves a digital forensics investigation of a computer image obtained from the Operation Mulberry Bear case. The process begins with acquiring the image using tools like FTK Imager, emphasizing the importance of preserving data integrity through MD5 hash values and creating multiple copies to avoid tampering with the original evidence. The analysis utilizes Autopsy, a free and feature-rich tool, to add the image, examine files, conduct keyword searches, and analyze browser history and documents. The investigation aims to identify and highlight data relevant to the case, create timelines of events, and report findings. The assignment requires downloading the provided image files (Win10k.E01, Win10k.E02, Win10k.E03, Win10k.E04) and analyzing them to identify the suspect's name, date, location, and method of any suspected attack. The overall objective is to apply digital forensics techniques to uncover evidence and understand the activities of the suspects, Casandra Coles and Bertram Donnachie, in the context of the Operation Mulberry Bear investigation, which involves a product contamination threat.
Step 1: We used FTK Imager to make an image.
Acquiring an image
An image can be acquired in three ways; we need to look at the evidence drive before choosing the method.
1. If the disk is small and portable, we can use the normal method: connect it to a machine and make an image of it using a tool such as FTK Imager, Autopsy or another imaging tool.
2. If the evidence is in a cloud scenario, we have to use a tool like Ncat to make an image of the drive and transfer the image.
3. Another scenario is a computer with an SSD or HDD hard disk; then we have to use a non-writable (write-blocking) tool and make an image of the whole disk over a cable such as SATA or IDE.
Preserving the data: we took the MD5 value of the image using FTK Imager.
We took the image in .dd format here; this copies all the data present on the disk.
1. We need to take the hash value of the image.
2. We took 3-4 copies of the image.
3. We work on one of the copied images.
4. We don't touch the original evidence.
5. If the original image is touched, it is considered tampering, and tampered evidence will not be accepted in court.
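The preservation steps above (hash the original, make several working copies, work only on a copy, and treat any change as tampering) as an added Python example; this is not code from the assignment or from FTK Imager or Autopsy. It constructs a tiny placeholder file named Win10k.E01 (not the real evidence image), records its MD5 and SHA-256, makes three working copies, flips one bit in the second copy, and shows that re-hashing flags exactly that copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in RAM

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def make_working_copies(original, workdir, count=3):
    """Hash the original once, then copy it `count` times into workdir.
    The original is only ever opened for reading."""
    original, workdir = Path(original), Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    manifest = hash_file(original)  # this is what goes into the evidence log
    copies = []
    for i in range(1, count + 1):
        dest = workdir / f"{original.stem}_copy{i}{original.suffix}"
        shutil.copyfile(original, dest)
        copies.append(dest)
    return manifest, copies

def verify_copy(copy, manifest):
    """True only if every recorded digest matches the copy exactly."""
    return hash_file(copy, tuple(manifest)) == manifest

def demo(tmpdir=None):
    """Constructed sample: a tiny stand-in for Win10k.E01, one copy tampered."""
    tmp = Path(tmpdir or tempfile.mkdtemp())
    original = tmp / "Win10k.E01"  # placeholder bytes, not the real evidence image
    original.write_bytes(b"EVF\x09\x0d\x0a\xff\x00" + bytes(range(256)) * 64)
    manifest, copies = make_working_copies(original, tmp / "work", count=3)
    # Flip one bit in the second copy, as a tool writing to it would; the hashes must catch it.
    data = bytearray(copies[1].read_bytes())
    data[100] ^= 0x01
    copies[1].write_bytes(data)
    return [verify_copy(c, manifest) for c in copies]

if __name__ == "__main__":
    print(demo())  # [True, False, True]
```

In a real case the manifest would be written to the evidence log alongside the acquisition time and examiner, and every working copy would be re-verified against it before and after analysis.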
Why did we use Autopsy and not FTK Imager?
Autopsy is a free tool with many additional features compared to FTK Imager, and it is easy to use.
How did we add the image to Autopsy?
We added the basic information about the case in Autopsy.
Then we clicked on Add Image and added it.
After that we looked into the files present on the image.
The investigation initially started with a keyword search.
Then we looked into documents and images.
After that we looked into his browser searches.
Then browser history.
Later we highlighted all the data related to this case.
Then we created a timeline of the events that were performed.