SIT703 Advanced Digital Forensics: A Detailed Case Investigation

Added on 2023/06/07
SIT703: ADVANCED DIGITAL FORENSICS
TASK: CASE INVESTIGATION REPORT
STUDENT NAME:
STUDENT ID:
DATE:
Introduction
Computer crime is crime directed at computers or other devices, where the computer is an
integral part of the offence. Such crimes take the form of hacking, online scams, identity
theft, attacks on computer systems and many others (Agarwal et al 2011).
There are many ways to gain access to somebody's computer without his or her permission. One
is to steal the person's computer and crack the password. This is known as advanced cybercrime,
and it involves interfering with the computer's software and hardware (Beebe 2009). Unauthorized
access can also be gained remotely, where an individual uses spam or phishing to obtain the
user's details and then uses them to crack his or her password.
In Amy's case, her laptop was accessed by someone who cracked her password and created another
account (Biggs & Vidalis 2009).
This case study examines how the unknown person could have cracked the password of Amy's
computer, when he logged in, what activities he performed and when he ended his session.
In addition, the report identifies the log files that should be checked after an unauthorized
login to the computer.
Lastly, the security of the Windows system is discussed: how an attacker can obtain a user name
and password, and how passwords can be recovered from their hashes using rainbow tables
(Cao et al 2010).
Task 1. Two programs to scan for rootkits.
I will use Avast Anti-Rootkit and AVG Anti-Rootkit. Both programs can detect and remove malware
that uses rootkit techniques (Perumal, Norwawi & Raman 2015).
Fig 1. Avast antirootkit
Fig 2. AVG antirootkit.
Task 2. The Windows event logs are not part of the registry: they are stored as .evtx files under
%SystemRoot%\System32\winevt\Logs and are read through Event Viewer. The logs that matter for this
case are the Application, Security, Setup, System and Forwarded Events logs, which together hold a
detailed record of what happened on the system.
The Application log records events written by installed programs, including the type and time of
software installations (the Windows Installer service reports them here) (Casey 2011).
The Security log holds the events generated by the computer's audit policy: successful and failed
logons with their time, number of attempts and origin, and attempts to create or modify objects in
the system such as user accounts and system files.
The Setup log records setup events performed on the system, such as Windows updates
(Chung et al 2012).
The System log records events from Windows components, including the state of drivers after
configuration and failures during startup.
The Forwarded Events log holds events that other computers have sent to this one through an event
subscription (Windows Event Forwarding). It is only populated if Amy's laptop was configured as a
collector; a remote user's own logon events are not forwarded to it automatically.
To open the log files and view their contents in Event Viewer, I clicked the Start button, typed
"event viewer" into the search field and then selected the Critical level events.
Fig 3. Event viewer.
Arif then used the filter to view the Application, Security, Setup, System and Forwarded Events
logs for troubleshooting. On the Action menu of Event Viewer he selected "Open Saved Log",
navigated to the Windows event log folder (%SystemRoot%\System32\winevt\Logs), selected the
Application log file and opened it. Event Viewer automatically converts a saved log (an older .evt
file is converted to the .evtx format when opened) into its display format, so the contents could
be read in the viewer. He repeated the same process for the Security, Setup, System and Forwarded
Events logs to view their contents (Dykstra & Sherman 2013).
Task 3. The log file holding information on the creation of the new account is the Security event
log. Event ID 4720 ("A user account was created") records the creation of a local user account;
its Subject fields identify the existing account under which the creation was performed, and its
Target fields identify the account that was created (Martini & Choo 2012). To locate this ID, the
Security log was selected in Event Viewer and the ID number was entered in the filter, as shown
below.
Fig 4. Event ID number
The account creation event is as shown below.
Fig 5. Account-creation event.
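Clicking through Event Viewer answers the question for one event at a time. The Python script below, an added example that is not part of the original report, does the same triage over a whole Security-log export: it parses the XML that `wevtutil qe Security /f:xml` writes (one <Event> element per record, no enclosing root), lists every 4720 with the account that performed the creation, flags creations whose Subject is the machine account or logon ID 0x3e7 (the account was created from the SYSTEM context, not from a logged-on user's session), and builds a timeline of the new account's group membership, logons and logoff. The host name AMY-LAPTOP, the account "helper", its SID and all timestamps are constructed sample data, not evidence from Amy's laptop; the event field names (TargetUserName, SubjectLogonId, MemberSid and so on) are the real Security-auditing ones.

```python
"""Security-log triage for the "who created the account, and when" question.

Added example for this report; not code from the original case study.  The
events below are constructed sample data (hypothetical host AMY-LAPTOP and
account "helper").  Real input is what `wevtutil qe Security /f:xml` writes:
one <Event> element per record, with no enclosing root element.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security-log event IDs that answer the Task 3 question, and the EventData
# field in which each one names the account concerned (4647 uses Subject, the
# others use Target; 4732 names the member only by SID, see timeline_for).
EVENT_NAMES = {4720: "account created", 4624: "logon succeeded", 4625: "logon failed",
               4634: "logoff", 4647: "user-initiated logoff", 4732: "added to group"}
ACCOUNT_FIELD = {4720: "TargetUserName", 4624: "TargetUserName", 4625: "TargetUserName",
                 4634: "TargetUserName", 4647: "SubjectUserName"}
LOGON_TYPES = {"2": "interactive", "3": "network", "7": "unlock", "10": "remote interactive"}


def parse_time(system_time):
    """Convert the 100-ns 'SystemTime' attribute into an aware UTC datetime."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return stamp + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def parse_events(xml_text):
    """Parse concatenated <Event> elements into dicts, oldest first."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        events.append({
            "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "id": int(system.find("e:EventID", NS).text),
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(events, key=lambda e: e["time"])


def account_creations(events):
    """(time, new account, new account SID, creating account, creator logon id) per 4720."""
    return [(ev["time"], ev["data"]["TargetUserName"], ev["data"].get("TargetSid"),
             ev["data"]["SubjectUserName"], ev["data"]["SubjectLogonId"])
            for ev in events if ev["id"] == 4720]


def suspicious_creations(events):
    """4720s whose Subject is the machine account / logon id 0x3e7: the account was
    created from a SYSTEM context rather than by a logged-on user."""
    return [c for c in account_creations(events) if c[3].endswith("$") or c[4].lower() == "0x3e7"]


def timeline_for(events, account, sid=None):
    """Chronological one-line summaries of every tracked event about `account`."""
    lines = []
    for ev in events:
        eid, d = ev["id"], ev["data"]
        if eid in ACCOUNT_FIELD and d.get(ACCOUNT_FIELD[eid], "").lower() == account.lower():
            detail = EVENT_NAMES[eid]
            if eid == 4720:
                detail += f" by {d.get('SubjectUserName')} (logon id {d.get('SubjectLogonId')})"
            elif eid in (4624, 4625):
                lt = d.get("LogonType", "?")
                detail += f" ({LOGON_TYPES.get(lt, 'logon type ' + lt)}, from {d.get('IpAddress', '-')})"
        elif eid == 4732 and sid and d.get("MemberSid") == sid:
            detail = f"{EVENT_NAMES[eid]} {d.get('TargetUserName')}"
        else:
            continue
        lines.append(f"{ev['time']:%Y-%m-%d %H:%M:%S} UTC  {eid}  {detail}")
    return lines


def _event_xml(event_id, system_time, **data):
    """Build one Security-channel <Event> in the export format (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/>'
            '<Channel>Security</Channel><Computer>AMY-LAPTOP</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


NEW_SID = "S-1-5-21-1111-2222-3333-1005"  # hypothetical SID of the created account
SAMPLE_EXPORT = "".join([  # constructed: failed logon as amy, then a SYSTEM-created admin account
    _event_xml(4625, "2023-05-12T21:05:30.000000000Z", TargetUserName="amy", LogonType="2",
               IpAddress="127.0.0.1", Status="0xc000006d"),
    _event_xml(4720, "2023-05-12T21:14:05.123456700Z", TargetUserName="helper", TargetSid=NEW_SID,
               SubjectUserName="AMY-LAPTOP$", SubjectDomainName="WORKGROUP", SubjectLogonId="0x3e7"),
    _event_xml(4732, "2023-05-12T21:14:20.000000000Z", MemberSid=NEW_SID,
               TargetUserName="Administrators", SubjectUserName="AMY-LAPTOP$"),
    _event_xml(4624, "2023-05-12T21:15:40.000000000Z", TargetUserName="helper", LogonType="2",
               IpAddress="127.0.0.1", TargetLogonId="0x5a3c1"),
    _event_xml(4647, "2023-05-12T23:02:11.000000000Z", SubjectUserName="helper", SubjectLogonId="0x5a3c1"),
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for when, user, sid, creator, logon_id in account_creations(evs):
        print(f"{user} created at {when:%Y-%m-%d %H:%M:%S} UTC by {creator} (logon id {logon_id})")
        print("\n".join(timeline_for(evs, user, sid)))
```

Two details are worth noting when running this against a real export. The account name lives in different fields depending on the event (4647 reports it under Subject, 4634 under Target, and 4732 only carries the member's SID), so matching on TargetUserName alone would silently miss the logoff and the group change; the ACCOUNT_FIELD table and the SID taken from the 4720 handle that. And a 4720 whose Subject is the machine account with logon ID 0x3e7 means the creation was not done from any user's session, which is exactly the case to correlate against the physical-access method discussed in Task 4.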
Task 4. There are many ways her password could have been cracked, either by the attacker
accessing her computer through malware or by having physical access to it. In this case, we are
cracking the password with physical access to the computer (Raghavan 2013).
The first step is to restart the computer.
Fig 6. Restarting computer
Once the computer begins to boot and displays "Starting Windows", shut it down abruptly by holding
the power button (Garfinkel et al 2009).
On the next start, Windows Error Recovery is displayed, as shown below.
Click "Launch Startup Repair (recommended)"; Startup Repair starts, as shown below.
When Startup Repair finishes, you are offered the option to restore the system with System
Restore. Do not restore the system; click Cancel instead.
The repair then continues, as shown below.
Once the repair has been cancelled, click "View problem details". A list of links is displayed;
scroll down to the last link, which opens a text file, as shown below (Nance, Hay & Bishop 2009).