TRANSCRIPT
COMPUTER FORENSICS
CSEB 554
ASSIGNMENT 7
(FORENSIC INVESTIGATOR)
NO. GROUP MEMBERS ID
1. MUHAMMAD AQIL BIN TAJUDDIN SW 090601
2. FAIZUL BIN BABA SW 090716
3. NANI HARYATI BINTI SW 089008
4. KARTHIGA A/P RAJANDRAN SW 088907
5. KAVITHA A/P SANKAL SW 088908
6. NIZAR MOHAMMED YAMANI
7. MOHD RIDZUWANN BIN CHE HALIM SN 088999
8. MARHANUM BINTI MOHAMED SW 090750
9. SITI HARYANI BINTI CHE AWANG SW 090622
10. SITI MARIAM BINTI AB RAHIM SW 090806
LECTURER : DR YUNUS BIN YUSOFF
FORENSIC SCENARIO
Denso Corporation is a global automotive components manufacturer headquartered in the city of
Kariya, Aichi Prefecture, Japan. Denso Corporation consists of 184 subsidiaries with a total of
132,276 employees. The company is known for developing and manufacturing various auto parts,
including gasoline and diesel engine components, hybrid vehicle components, climate control
systems, instrument clusters, air-bag systems, pre-crash radar systems and spark plugs.
Moreover, Denso also develops and manufactures non-automotive components such as
household heating equipment, industrial robots and the QR Code.
Mr Henry is one of the staff working in the Denso plant based in Malaysia. He is 35 years old and
holds the position of head of the finance department. He has full and privileged access to the
company's private data.
Based on the data it evaluated, the audit department suspects that someone from the finance
department is selling tender information to a competitor company.
After a closed meeting with the board of directors, a group of forensic investigators was hired to
investigate the evidence and the suspected crime scene, which is Mr Henry's workstation at his
office.
After the company lodged a report, the forensic team, based on the facts stated and supported
with valid reasons, was able to obtain a search warrant to investigate the mentioned premises.
After each member was assigned the tasks to be done, the investigation began.
EVIDENCE FOUND IN WORKPLACE
1. Samsung External DVD Writer
The person in charge would use it to run suspicious software and copy all of the company's
important files, with the guarantee that the CD/DVD will not hang inside the PC if that
happens, and he can produce the copies at the workplace without taking anything back to his
house to do so.
2. TDS Meter (hold) HM Digital
It measures the degree of impurities and dissolved salts in drinking water. He would need it to
hide sleeping pills dissolved in water: it shows him whether there is something different in the
water/juice without tasting it, before giving it to his teammates at the workplace so that he can
steal freely.
3. Microsoft LifeCam VX-2000
It is a webcam that he uses to hold conversations with buyers and deal over information from
the workplace; he can also use it as a monitor to check who is near the office.
4. Rambo, Strontium-8GB, Cruzer Edge USB flash drive SanDisk and Imation CD-R.
These are storage media on which the defendant backed up the company's secret information and
information about its customers.
5. HP PC with its components
The defendant connected to the server, stole the information about the company and its
customers from the server, and copied it onto the storage media.
TYPE OF EVIDENCE
1. Samsung External DVD Writer SE-S084
SE-S084C/RSBN
October 2009
2. Rambo 128 mb
3. TDS Meter (hold) HM Digital
4. Microsoft LifeCam VX-2000
Model : 1381
Made in China
5. Strontium-8GB
Red color
6. Cruzer Edge USB flash drive SanDisk
Blue color
8GB
Made in China
7. HP Compaq Pro 6305 Small Form Factor
Windows® 7 Home Basic
8. Imation C-DR
9. HP Compaq Monitor. - Hewlett Packard.
SITUATION
2.50pm – search warrant
2.52pm – started taking pictures at the location
2.52pm – at location BW-4-L04, found evidence 7 and 9.
2.55pm – found 1 located to the right of the keyboard and 4 located on the right side of the
monitor.
2.57pm – found 3 and 8 in the keyboard holder.
2.58pm – found that 8 has a fingerprint.
3.00pm – found 2 in the Nokia casing.
3.04pm – verified that the mouse has a fingerprint
3.05pm – verified the fingerprint on the power ON button of the CPU
3.06pm – verified that the network cable is still active
3.08pm – the PC is turned on and the last login is STUDENT\SN090321
3.12pm – finished the investigation.
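The timeline above records when each exhibit was found, but a report that goes to court also needs to show who held each exhibit afterwards and that any image taken from it was not altered. The following chain-of-custody log is an added example written for this section, not part of the original assignment: it replays the 2.57pm seizure of exhibits 3 and 8 with placeholder handler names and a placeholder date, hashes a constructed stand-in for the exhibit 8 image, and later proves the copy is unchanged (or detects that it is not).

```python
import hashlib
from datetime import datetime

# Constructed stand-in for an acquired image of exhibit 8 (the CD-R). A real acquisition
# would hash the full forensic image file written by the imaging tool, not a byte string.
SAMPLE_IMAGE = b"constructed sample image of exhibit 8\n" * 1024


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the exhibit's integrity reference."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: every handling step is a dated entry, and
    acquisitions store the image hash so later handlers can prove their copy is unchanged."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def _add(self, exhibit_no, action, handler, when, **extra):
        entry = {"exhibit": exhibit_no, "action": action, "handler": handler,
                 "when": when.isoformat(timespec="minutes"), **extra}
        self.entries.append(entry)
        return entry

    def seize(self, exhibit_no, description, location, handler, when):
        return self._add(exhibit_no, "seized", handler, when,
                         description=description, location=location)

    def acquire(self, exhibit_no, image: bytes, handler, when):
        # The hash recorded here is the reference every later verification is checked against.
        return self._add(exhibit_no, "acquired", handler, when,
                         sha256=sha256_hex(image), size=len(image))

    def transfer(self, exhibit_no, from_handler, to_handler, when):
        return self._add(exhibit_no, "transferred", to_handler, when,
                         released_by=from_handler)

    def reference_hash(self, exhibit_no):
        for e in self.entries:
            if e["exhibit"] == exhibit_no and e["action"] == "acquired":
                return e["sha256"]
        return None

    def verify(self, exhibit_no, image: bytes) -> bool:
        """True only if the image still hashes to the value recorded at acquisition."""
        ref = self.reference_hash(exhibit_no)
        return ref is not None and ref == sha256_hex(image)

    def history(self, exhibit_no):
        return [e for e in self.entries if e["exhibit"] == exhibit_no]


def build_demo_log() -> CustodyLog:
    """Replays the 2.57pm entries of the timeline for exhibits 3 and 8.
    Handler names and the case id are placeholders; the date is a placeholder too."""
    def at(h, m):
        return datetime(2000, 1, 1, h, m)   # placeholder date, times follow the report

    log = CustodyLog(case_id="CASE-ID-PLACEHOLDER")
    log.seize(3, "TDS Meter (Hold) HM Digital", "keyboard holder, BW-4-L04", "investigator A", at(14, 57))
    log.seize(8, "Imation CD-R 700MB", "keyboard holder, BW-4-L04", "investigator A", at(14, 57))
    log.acquire(8, SAMPLE_IMAGE, "investigator B", at(15, 30))
    log.transfer(8, "investigator B", "lab custodian", at(16, 0))
    return log


if __name__ == "__main__":
    log = build_demo_log()
    for entry in log.history(8):
        print(entry)
    print("exhibit 8 copy intact:", log.verify(8, SAMPLE_IMAGE))
    print("tampered copy intact:", log.verify(8, SAMPLE_IMAGE + b"x"))
```

Exhibit 3 has a seizure entry but no acquisition, so verify() refuses it rather than reporting success for an exhibit that was never hashed; that distinction is what makes the log usable as evidence of integrity.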
EVIDENCE NO.1- External DVD-RW Samsung
As per the case we received from head management, we are investigating the suspect's work
location without the suspect knowing. The first evidence found by the investigator is a Samsung
external rewritable DVD drive, model number SE-S084, with product serial number
SE-S084C/RSBN, released from the factory in October 2009. This Samsung external DVD writer uses
USB 2.0 and has a 6x maximum DVD+R DL and DVD-R DL write speed and an 8x maximum
DVD+R and DVD-R write speed for fast disc burning. It also has 8x maximum DVD+RW and
6x maximum DVD-RW rewrite speeds for erasing discs and writing new data to them quickly. These
advantages of the hardware would let the suspect write all the data to a CD-R faster,
without others knowing.
FIGURE 1.1: Samsung External DVD drive found by an investigator
We suspect that the suspect used this external rewritable DVD drive to burn all the private and
confidential data onto the CD-R in evidence 8. We suspect that the suspect used the external
DVD writer because he did not want to get caught through the computer's system history log file,
which would show that he had written data to a CD-R from the internal DVD writer. If the
suspect uses the external DVD writer, the log file on the system records it only as a
removable device.
EVIDENCE NO.2 - USB Flash Drive Rambo, EVIDENCE NO.5 - USB Flash Drive
Strontium, EVIDENCE NO.6 - Cruzer Edge USB Flash Drive San Disk
On the criminal's table, we as computer forensic investigators found some evidence. On the
criminal's table, we found three different types of USB flash drive. These three different types
of USB flash drive have been labelled by number. Here is the list of USB flash drives that we found.
i. Evidence No.2 : USB Flash Drive Rambo, size 128MB
ii. Evidence No.5 : USB Flash Drive Strontium, size 8GB
iii. Evidence No.6 : Cruzer Edge USB Flash Drive SanDisk
FIGURE 2.1: Evidence No.2: USB Flash Drive Rambo, size 128mb
FIGURE 2.2: Evidence No.2: USB Flash Drive Rambo, size 128mb
FIGURE 2.3: Evidence No.5: USB Flash Drive Strontium, size 8GB
FIGURE 2.4: Evidence No.5: USB Flash Drive Strontium, size 8GB
FIGURE 2.5: Evidence No.6: Cruzer Edge USB Flash Drive San Disk
FIGURE 2.6: Evidence No.6: Cruzer Edge USB Flash Drive San Disk
All this physical evidence may be connected to criminal activities. The suspect may have used all
the USB flash drives for selling out the tender information to the competitor company, based on
the data evaluated. We, as investigators, cannot by ourselves access all the information inside the
USB flash drives. The evidence needs to be returned to its place, as it was before we touched it,
for more details about the USB flash drives. Some of the USB flash drives carry extra information;
some of them are just plain USB flash drives. Here is the information that we obtained when
accessing the evidence on the criminal suspect's table:-
i. USB Flash Drive Strontium
8GB memory
Red color
ii. Cruzer Edge USB Flash Drive SanDisk
Blue color
8GB memory
Made in China
iii. USB Flash Drive Rambo
128MB memory
We also cannot be sure that all the USB flash drives were connected to the PC on the suspect's
table. The type of PC is an HP Compaq Pro 6305 Small Form Factor running Windows® 7
Home Basic. In our experience, the USB flash drives are compatible with the operating
system that runs on that PC. This can be very useful evidence when the case is brought
to court.
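Whether a given flash drive was ever plugged into the seized PC, and when, does not have to stay an open question: Windows 7 records each USB mass-storage device install in C:\Windows\inf\setupapi.dev.log (the "removable device" entries the DVD writer discussion above refers to). The parser below is an added example, not part of the original assignment. It reads a constructed excerpt in the layout of that log, extracts vendor, product and serial number for each USBSTOR install together with its first-install timestamp, and matches the result against the seized drives. The vendor strings, serial numbers and dates in the sample are made up for the example; on a real case the serials are read from the drives themselves.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of Windows 7's setupapi.dev.log. Vendor/product
# strings, serial numbers and timestamps are invented for this example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\SERIAL0001EXAMPLE]
>>>  Section start 2013/03/12 14:52:10.125
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2013/03/12 14:52:11.003
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Edge&Rev_1.26\\SERIAL0001EXAMPLE&0]
>>>  Section start 2013/03/12 14:52:11.050
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2013/03/12 14:52:12.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Strontium&Prod_USB_Flash&Rev_1.00\\SERIAL0002EXAMPLE&0]
>>>  Section start 2013/03/14 09:03:41.900
<<<  Section end 2013/03/14 09:03:43.120
<<<  [Exit status: SUCCESS]
"""

# Only USBSTOR (mass storage) installs are of interest; the plain USB\VID_... entry for the
# same physical device is skipped.
HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
DEVID = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_(?P<rev>[^\\]+)\\(?P<serial>[^&]+)&\d+"
)


def parse_setupapi(text: str) -> list:
    """One record per USB mass-storage install, with the install section's start time."""
    devices = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START.match(line)
        if m and pending:
            d = DEVID.match(pending)
            if d:
                devices.append({
                    "vendor": d.group("ven"),
                    "product": d.group("prod").replace("_", " "),
                    "revision": d.group("rev"),
                    "serial": d.group("serial"),
                    "first_installed": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                })
            pending = None
    return devices


# Serial numbers for the seized drives: constructed placeholders, not real values.
SEIZED = {
    "Evidence No.2 Rambo 128MB": "SERIAL0003EXAMPLE",
    "Evidence No.5 Strontium 8GB": "SERIAL0002EXAMPLE",
    "Evidence No.6 SanDisk Cruzer Edge 8GB": "SERIAL0001EXAMPLE",
}


def match_seized(devices: list, seized: dict) -> dict:
    """Map each seized drive to its install record, or None if the log never saw it."""
    by_serial = {d["serial"]: d for d in devices}
    return {label: by_serial.get(serial) for label, serial in seized.items()}


if __name__ == "__main__":
    found = parse_setupapi(SAMPLE_LOG)
    for label, rec in match_seized(found, SEIZED).items():
        if rec is None:
            print(f"{label}: no install record on this PC")
        else:
            print(f"{label}: {rec['vendor']} {rec['product']} first installed {rec['first_installed']}")
```

A drive that is absent from the log may still have been used on another machine, so "no install record" only rules out this PC; the timestamps, on the other hand, can be lined up against the tender dates the audit department evaluated.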
EVIDENCE NO. 3 – TDS Meter (Hold) HM Digital
FIGURE 3.1: Location of TDS Meter (Hold) HM Digital
The evidence, a TDS Meter (Hold) HM Digital, was found located on the left side of the keyboard
holder. The TDS meter was seized, sealed in an anti-static bag and delivered to the forensic lab for
further investigation.
FIGURE 3.2: TDS Meter (Hold) HM Digital
FIGURE 3.3: TDS Meter (Hold) HM Digital
FIGURE 3.4 : TDS Meter (Hold) HM Digital
A Total Dissolved Solids (TDS) meter is used to measure the total amount of mobile charged ions,
including minerals, salts or metals, dissolved in a given volume of water, expressed in milligrams
per unit volume of water (mg/L), also referred to as parts per million (ppm). TDS relates to the
purity of water and the quality of water purification systems, and affects everything that
consumes, lives in, or uses water, whether organic or inorganic, whether for better or for
worse.
Assumption
The suspect might have used the TDS meter to detect acidity in water, which may cause
corrosion that gradually eats away pipes, appliances, heaters, boilers and air-conditioning
units. As Denso is an industry specialist in high-quality and technologically advanced automotive
components, one of its products is car air-conditioning. The suspect must have been testing the
acidity level of hard water in the air-conditioner and has been secretly sending these results to the
competitor company as well.
EVIDENCE NO.4 - Microsoft LifeCam VX-2000, MODEL: 1381
FIGURE 4.1: Microsoft LifeCam VX-2000, model: 1381 (Front view)
FIGURE 4.2: Microsoft LifeCam VX-2000, model: 1381 (Description)
Product description
Microsoft LifeCam VX-2000, model 1381, is a Microsoft product that comes with little
important or unique functionality on its own. Its dimensions are 2.50 inches of webcam length,
1.81 inches of webcam width, 0.92 inches of webcam depth/height, a weight of 2.98 ounces and a
cable length of 72.0 inches.
Other than that, this product's interface was designed as High-speed USB, compatible with the
USB 2.0 specification. Its supported operating systems are Microsoft Windows 7, Windows Vista, and
Windows XP with Service Pack 2 (excluding Windows XP 64-bit). To use this product, a PC should
also fulfil some requirements: it must have an Intel Pentium 4 3 GHz (dual core 1.8 GHz
recommended), 1 GB of RAM (2 GB of RAM recommended), 1.5 GB of hard drive space,
Windows-compatible speakers or headphones, USB 1.1 and a few others.
This Microsoft LifeCam VX-2000, model 1381, is a product manufactured in the People's Republic of
China (PRC). It is also ISO quality certified with ISO 9001 and ISO 14001.
Item original position
FIGURE 4.3: Microsoft LifeCam VX-2000, model:
1381 (Original position- zoomed version)
FIGURE 4.4: Original scene view and the position of evidence number 4
This evidence's location:
On the right-hand side of the PC.
It is still in its packaging.
Very good condition
Item sealing and assumption
This evidence was also sealed and brought back by the forensic investigators. First, before
starting the procedure, all of us investigators wore gloves to avoid leaving fingerprints. We
took pictures of the whole scene before moving or touching any evidence. Then, after taking
pictures of the evidence, we placed the Microsoft LifeCam VX-2000 into an envelope and then into a
forensically clean plastic bag. The evidence was then brought back to the investigation lab.
The criminals can use this webcam to communicate with outsiders and pass on all the company's
information. Face-to-face communication is a simple way of transferring information and it can
be done very fast. Even while they use the PC, they can keep the webcam on and minimize its
window. So they can also record any sort of information without anyone noticing.
EVIDENCE NO. 7 – PC, EVIDENCE NO. 9 HP Compaq Monitor. - Hewlett Packard.
FIGURE 7.1: HP Compaq Pro 6305 Small Form Factor PC
The HP Compaq Pro 6305 Small Form Factor and its components (shown in figures 7.1 and
7.2) were the media connecting to the servers in the server room of the Petronas company, and
they were from Hewlett-Packard (HP).
With the AMD processor technology, advanced graphics and manageability, employees and the
IT team are pleased. Customize your set up with multi-display support and loads of expansion
options. Plus, your data has enhanced security with HP Client Security. With a long lifecycle and
reliable warranty, even the boss is in a good mood. Deliver rich, effective presentations with
stunning media-enhanced content on the affordably priced HP Compaq Pro 6305 Small Form
Factor. Loaded with the AMD A-series processors, you'll also benefit from up to a 21 percent
productivity gain. Browse the web and enjoy rich, smooth streaming webcast videos, trainings
and video conferencing, thanks to the available AMD Accelerated File Converter. Avoid flipping
back and forth between source documents and new files. Instead, multi-task by extending your
view across multiple screens with a DisplayPort video output for multi-monitor support. Built-in
intelligence makes things easier. Stay focused with less disruption, and let Bandwidth Manager
prioritize critical applications. Run multiple applications smoothly and quickly with automatic
system boosts from AMD Turbo Core 3.0 technology.
Specification:
CPU Family AMD (Dual Core) A4
Processor Number 5300B
CPU Speed 3.4 GHz
L2 Cache 1 MB
Motherboard
Chipset AMD A75
Integrated Network Yes
PCI Express Slots 2 x PCI Express x16 (Low Profile) • 1 x PCI Express x1 (Low Profile)
PCI 32 bit 1 x Low Profile PCI Slot
Memory
Memory Size 4096 MB
Memory Bus Speed 1600 MHz
Memory Type DDR3 SDRAM
Memory Slot 4 x DIMM
Storage
Total Hard Disk Size 500 GB
Number of Hard Disks 1
Hard Disk Size 500 GB
Hard Disk Speed 7200 RPM
Hard Disk Type Serial ATA II (SATA 2.0) 3 Gbit/s
Internal Expansion Bays 1 x 3.5 inch
External Expansion Bays 1 x 3.5 inch • 1 x 5.25 inch
Graphics Card
Video Card AMD Radeon HD 7480D
Graphics Form Factor Dedicated
Optical Drive Type DVD Writer Super Multi
Sound
Sound Card Realtek ALC221 codec (all ports are stereo)
Audio Features High Definition Audio
Interfaces/Ports
VGA Port 1 x 15-pin D-Sub
Keyboard Port 1 x PS/2
Mouse Port 1 x PS/2
USB Ports 4 x USB 3.0 • 6 x USB 2.0
Serial Ports 1 x Serial Port
RJ-45 Ports 1 x RJ-45
Microphone In Port 1 x Microphone In
Audio Line In Ports 1 x Audio Line In
Headphone Ports 1 x Headphone Jack
Audio Line Out Ports 1 x Audio Line Out
DisplayPort 1 x DisplayPort
Media Adaptor
Removable Flash Memory Adaptor 22-in-1 Card Reader
Network
Network Card Broadcom NetXtreme BCM 5761
Network Card Data Link Protocol Gigabit Ethernet
Network Card Speeds 10/100/1000 Mbps
Wired Network Yes
Compliance
Certifications BFR/PVC-free
System
Operating System Windows® 7 Home Basic
Electrical
Electrical Power Available 240 W
Environmental
Operating Humidity 10 to 90 %
EVIDENCE NO. 8 – CD-R
FIGURE 8.1: Imation CD-R held by an investigator
Storage devices vary in size and in the manner in which they store and retain data. First responders
must understand that, regardless of their size or type, these devices may contain information that
is valuable to an investigation or prosecution. Removable media is one type of storage device
available. Removable media are cartridges and disk-based data storage devices. They are
typically used to store, archive, transfer, and transport data and other information. These devices
help users share data, information, applications, and utilities among different computers and
other devices. Floppy disks, Zip disks, Compact Discs (CD) and Digital Versatile Discs (DVD)
are examples of removable media. Figure 8.1 shows an Imation CD-R found at the crime scene.
CD-R (Compact Disc-Recordable) is a digital optical disc storage format. A CD-R disc is a
compact disc that can be written once and read arbitrarily many times.
CD-R discs (CD-Rs) are readable by most plain CD readers, i.e., CD readers manufactured prior
to the introduction of CD-R. This is an advantage over CD-RW, which can be rewritten but
cannot be played on many plain CD readers.
FIGURE 8.2: Evidence No. 8
Figure 8.2 shows the CD-R found in the keyboard holder. This evidence is labelled as number 8
and was found in a location that suspiciously appeared to hide the CD-R. The CD-R is an
Imation-brand disc. Imation is a data storage company with its headquarters in Oakdale,
Minnesota, US. The CD-R has 700MB of data storage capacity. The CD-R might contain
important data, as a burn line was observed on it, which shows that the CD has data on
it. The burn line shows the boundary between the used disc space (on the inner side of the CD) and
the free disc space on the outer side of the CD, as shown in figure 8.3.
FIGURE 8.3: Burnt CD line
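The burn line is a visual estimate of how much of the disc is written; the same quantity can be read exactly from the disc's own metadata once the CD-R has been imaged. An ISO 9660 disc keeps a primary volume descriptor at sector 16 whose "volume space size" field gives the number of 2048-byte sectors the session occupies, stored twice (little-endian and big-endian) so the two copies can be checked against each other. The code below is an added example, not part of the original assignment: it builds a constructed minimal image with only that descriptor filled in, then reads the field back and compares it with the 360,000 sectors of an 80-minute "700 MB" CD-R. The volume label and size used are invented for the example.

```python
import struct

SECTOR = 2048
CD_R_80MIN_SECTORS = 360_000   # 80 min x 60 s x 75 sectors/s for a "700 MB" CD-R
PVD_OFFSET = 16 * SECTOR       # ISO 9660 volume descriptors begin at sector 16


def build_sample_iso(volume_id: str, space_sectors: int) -> bytes:
    """Constructed minimal ISO 9660 image: 16 empty system sectors, a primary volume
    descriptor and a set terminator. Only the fields this example reads are filled in,
    so the image is far shorter than the space size it declares."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1                                   # type 1 = primary volume descriptor
    pvd[1:6] = b"CD001"                          # standard identifier
    pvd[6] = 1                                   # descriptor version
    pvd[40:72] = volume_id.encode("ascii").ljust(32)
    # volume space size is "both-endian": little-endian copy followed by big-endian copy
    pvd[80:88] = struct.pack("<I", space_sectors) + struct.pack(">I", space_sectors)
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # logical block size
    term = bytearray(SECTOR)
    term[0] = 255                                # type 255 = volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    return bytes(PVD_OFFSET) + bytes(pvd) + bytes(term)


def parse_pvd(image: bytes) -> dict:
    """Read the primary volume descriptor and express the used space against CD-R capacity."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    (le,) = struct.unpack("<I", pvd[80:84])
    (be,) = struct.unpack(">I", pvd[84:88])
    if le != be:
        # Both copies must agree; a mismatch points to a damaged or altered descriptor.
        raise ValueError(f"volume space size mismatch: little-endian {le}, big-endian {be}")
    (block,) = struct.unpack("<H", pvd[128:130])
    return {
        "volume_id": pvd[40:72].decode("ascii").rstrip(),
        "logical_block_size": block,
        "volume_space_sectors": le,
        "used_bytes": le * block,
        "free_sectors": max(CD_R_80MIN_SECTORS - le, 0),
        "percent_of_cdr": round(100.0 * le / CD_R_80MIN_SECTORS, 1),
    }


if __name__ == "__main__":
    image = build_sample_iso("SAMPLE_VOL", 150_000)   # constructed label and size
    info = parse_pvd(image)
    print(f"{info['volume_id']}: {info['used_bytes']} bytes used, "
          f"{info['percent_of_cdr']}% of an 80-minute CD-R, {info['free_sectors']} sectors free")
```

Running it on the constructed image reports 307,200,000 bytes used, which is the figure a burn line at roughly 42% of the usable radius would correspond to. On a real disc, run the parser over the image file produced from the seized CD-R, never over the disc in a writer that could add a session to it.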
Storage devices such as hard drives, external hard drives, removable media, thumb drives, and
memory cards may contain information such as e-mail messages, Internet browsing history,
Internet chat logs and buddy lists, photographs, image files, databases, financial records, and
event logs that can be valuable evidence in an investigation or prosecution.