Lab 2: Network Forensics with Autopsy
Devin Nakano
University of Maryland University College
Sandro Tuccinardi
CSEC 650 Cyber Crime Investigations and Digital Forensics
Spring 2016
B. Log of Forensic Analysis (10 points): Create a numbered list or table to document the step-by-
step actions taken by the examiner. Include date, time, devices, tools, data files, and logs
generated. You only need to describe the data files and logs; no need to attach them.
Step 1 Launched Terminal, 3/21/16 at 3:01
Step 2 Mounted drive, 3/21/16 at 3:01:30
Step 3 Mounted drive 2, 3/21/16 at 3:02
Step 4 Entered ls -lah /media/sda1 into the terminal, 3/21/16 at 3:02
Step 5 Entered cd /media/sdb1 into the terminal, 3/21/16 at 3:03
Step 6 Entered mkdir -p /media/sdb1/evidence/autopsy into the terminal, 3/21/16 at 3:03:22
Step 7 Edited the Autopsy configuration file /usr/share/autopsy/conf.pl (opened with gedit) to change the $LOCKDIR variable to '/media/sdb1/evidence/autopsy', 3/21/16 at 3:03:45
Step 8 Ran the autopsy command from the terminal, 3/21/16 at 3:04
Step 9 Opened Firefox and typed localhost:9999/autopsy, 3/21/16 at 3:04:25
Step 10 Clicked the New Case tab and entered the case name along with my name, 3/21/16 at 3:05
Step 11 Clicked Add Host, entered lab220071001a as the host name and devinnakanoLab2CSEC650 in the description, 3/21/16 at 3:06
Step 12 Clicked the Add Image tab twice, entered type disk and import method symlink, then clicked Next, 3/21/16 at 3:06:30
Step 13 Confirmed the data integrity function along with the mount point and file type and clicked Add, 3/21/16 at 3:07
Step 14 Waited for the MD5 hash to calculate and confirmed they match, at 3:10
Step 15 Clicked the C drive to analyze, 3/21/16 at 3:10:15
Step 16 Clicked the File Analysis tab and reviewed the information displayed, 3/21/16 at 3:10:45
Step 17 Clicked the Notes tab for review, 3/21/16 at 3:11
Step 18 Generated the MD5 hash for files and examined the file of hash values, 3/21/16 at 3:12
Step 19 Clicked the ASCII report and examined the information, 3/21/16 at 3:13
Step 20 Examined the hex code, 3/21/16 at 3:14
Step 21 Attempted to export information and declined, 3/21/16 at 3:15
Step 22 Examined the red and blue text in the File Analysis browser to look at non-deleted files, deleted files and overwritten files, 3/21/16 at 3:17
Step 23 Clicked the Keyword Search tab and searched for lawless to examine the results, 3/21/16 at 3:18
Step 24 Clicked File Type and entered Barzini to examine files related to the case, 3/21/16 at 3:20
Step 25 Examined the Image Details tab, 3/21/16 at 3:21
Step 26 Clicked the Metadata tab and examined the results, 3/21/16 at 3:22
Step 27 Clicked the allocation entry to see a detailed report of its contents, 3/21/16 at 3:23
Step 28 Clicked the X icon and clicked the Event Sequencer tab, 3/21/16 at 3:24
Step 29 Clicked the View Notes tab, 3/21/16 at 3:25
Step 30 Clicked Image Integrity to calculate MD5 hashes of the image and evidence files, 3/21/16 at 3:26
C. Report Letter to the Professor (10 points): Write a letter to the Professor sharing your
experience of what you learned by performing this analysis. Why is this work valuable? What
was attempted, what succeeded, what failed? Note: For the Report Letter to the Professor, you
can use the major action information from the Log of Forensic Analysis deliverable but should
focus on the forensic objectives, attempts, and results of accomplishment or failure, followed by
a reflection on what you have learned through the lab. Use a business letter format with at least
four or five paragraphs related to the forensic work.
Part II: Lab Questions (70 points): Give your answer to each of the following questions based on
your lab work and relevant readings. The original question must be visible. Each answer should
be within one or two paragraphs and should be clear and correct in grammar. Citations of
sources should follow proper APA format, with a reference section at the end of your
Part II answers.
1. Given an image to analyze, an analyst's first thought is to open up an Open
Source/commercial tool. Comment.
The first thought through an investigator's mind should be whether the image has been
duplicated properly and whether the chain of custody has been properly maintained, to ensure that
the evidence maintains the highest level of integrity. This step is crucial to maintaining evidence
admissibility in court. Without this step, any evidence obtained will be thrown out due to the
probability that the evidence may have been corrupted.
2. Based on the Request for Analysis pdf document, come up with five keywords that would be
good to search for in this investigation. Please provide a justification for each choice.
Based on the Request for Analysis, I would choose Lawless, Barzini, Extortion,
Racketeering, and Money Laundering. Each keyword deals directly with aspects of what they
believe Lawless conspired to commit. These keywords also deal with evidence that the authorities
want to obtain.
I chose Lawless because he is the subject of this specific investigation. Authorities
wish to obtain evidence of extortion, money laundering, racketeering and conspiracy, likely in
an attempt to get Mr. Lawless to flip on Emilio Barzini. Once a solid case has been built against
Mr. Lawless, he will most likely be offered a deal of a reduced or vacated sentence in return for
testimony against Mr. Barzini. The authorities believe that Mr. Lawless has been in direct
contact with Mr. Barzini, which leads to conspiracy charges. A similar deal will likely be offered
to Mr. Barzini to provide evidence or testimony to wrap up the entire crime family and its affiliates.
3. Research and provide an overview of the Locard Exchange Principle. How is this principle
relevant to digital forensics analysis?
The Locard Exchange Principle (LEP) was developed by Dr. Edmond Locard. Dr. Locard
speculated that every time contact is made with another person, place or thing, some
exchange of material takes place between these physical things. He believed that no matter where
or what the criminal does, they will leave evidence of the crime either at the scene or on their
person, like fingerprints, clothing fibers and DNA. This trace evidence, no matter how small, can
tell a detailed story of what happened. This trace evidence is available if care is taken to
collect and examine this information (Locard's Exchange Principle - Forensic Handbook). The LEP is
essential to digital forensics and provides the foundation of how digital evidence can be found.
The LEP is important even in the cyber world. Evidence of an attack exists even after the
fact. It could be in the form of access logs to a building or a particular account. Evidence resides
in the metadata that details every action of a user, whether they access a file or email a friend. There
could be rootkits still installed with backdoors, which are a common practice to maintain
persistence for further exploitation. The LEP explains that the attacker's actions are still visible even
after the attacker has left the system.
The LEP is a brilliant concept, but it has shortcomings. DNA can be washed away. The
weapons used for an assault can be destroyed or discarded. Clothes can be burned. The same
goes for cyber crimes. Logs can be deleted, manipulated and overwritten to hide any trace of
evidence. Metadata can be altered to show that no intrusion or activity ever occurred. Malware can be
so stealthily hidden that it will never be discovered. Steps can be taken to eliminate any trace
evidence so that no evidence remains to show that any crime was committed.
Citations
Locard's Exchange Principle - Forensic Handbook. (2012, August 12). Retrieved March 22,
2016, from http://www.forensichandbook.com/locards-exchange-principle/
4. What is a raw image? From data acquisition point of view, raw images are easier to manage.
Why?
A raw image, also known as a forensic duplicate, is a bit-for-bit image file. This image file
is used for investigations as it is a copy of the actual hard drive of the suspect's computer. It is
widely used and respected as a forensic image format for forensic analysis. The raw image has
no header or metadata included, but they could be if steps are taken to include them in a separate file.
Frequently used file extensions are .dd, .raw and .img. The raw image also contains the name of
the program used to generate the image file and its hash value, which is used for later verification of
its integrity (Vandeven, S. 2014, September 15). The duplicate is an exact copy, and it also contains
any relevant data.
Raw images are easier to use for multiple reasons. The first is the acceptance of these images
for forensic purposes. They are widely used in criminal cases. There are a variety of tools that
can be used to create them, like dd.exe, FTK Imager and EnCase. Raw images do not require a
virtual machine and can be mounted with the Linux command mount because they don't have any
metadata. With the mount command, a single uncompressed file is mounted and programs like
Autopsy can be used to analyze its content. In an image of the entire physical disk there would
be a table describing each partition on the formatted disk (Vandeven, S. 2014, September 15).
This acceptance is key to the evidence being admitted.
Citations
Vandeven, S. (2014, September 15). Forensic Images: For Your Viewing Pleasure. Retrieved
March 22, 2016, from
http://www.sans.org/reading-room/whitepapers/forensics/forensic-images-viewing-
pleasure-35447
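The integrity check in Steps 13, 14 and 30 of the log and the point above about a whole-disk raw image carrying a partition table, as an added Python example that is not part of this report and not Autopsy's own code: it verifies an image against the MD5 recorded at acquisition (and shows that a single changed byte breaks the match), parses the MBR to find the partition's byte offset, and builds the read-only loop mount command. The image, its partition entry, the "recorded" hash and the mount point are all constructed here; the choice of sector 63 mirrors the "63" in the volume name lab1_2007-1001a.img-63-16755794 seen later in this report, which I take to be the partition's start sector.

```python
"""Added example (not part of the lab report or Autopsy): verify a raw image's
MD5 against the value recorded at acquisition, then read the MBR partition
table to find where a partition starts so the image can be mounted read-only
without a virtual machine.  Everything below is constructed in memory."""
import hashlib
import struct

SECTOR = 512


def md5_of_bytes(data, chunk=1 << 20):
    """Hash in chunks so a multi-GB image is never held in memory at once."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_integrity(data, recorded_md5):
    """The Step 14 / Step 30 check: returns (matches?, computed hex digest)."""
    computed = md5_of_bytes(data)
    return computed == recorded_md5.lower(), computed


def parse_mbr(data):
    """Return the non-empty primary partition entries of a classic MBR.

    Each 16-byte entry is: status, CHS start (3), type, CHS end (3),
    LBA start (4), sector count (4).  A missing 0x55AA boot signature
    usually means the file is a volume image, not a whole-disk image."""
    if len(data) < SECTOR or data[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature: not a whole-disk image?")
    parts = []
    for n in range(4):
        entry = data[446 + 16 * n:446 + 16 * (n + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": n, "type": ptype, "bootable": status == 0x80,
                      "start_sector": start, "sectors": count,
                      "byte_offset": start * SECTOR})
    return parts


def mount_command(image_path, part, mountpoint="/mnt/evidence"):
    """Read-only loop mount at the partition's byte offset (mountpoint assumed)."""
    return (f"mount -o ro,loop,noexec,offset={part['byte_offset']} "
            f"{image_path} {mountpoint}")


def build_sample_image():
    """Constructed 1 MiB 'disk': one bootable NTFS-type (0x07) partition
    starting at sector 63, with the NTFS OEM id written at that offset."""
    img = bytearray(2048 * SECTOR)
    img[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048 - 63)
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()
# Stands in for the hash noted in the acquisition log (constructed here).
RECORDED_MD5 = md5_of_bytes(SAMPLE_IMAGE)


def tampered_copy(data, offset=100_000):
    """Flip one byte to show that any change breaks the recorded hash."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    ok, digest = verify_integrity(SAMPLE_IMAGE, RECORDED_MD5)
    print("image MD5", digest, "matches" if ok else "MISMATCH")
    for p in parse_mbr(SAMPLE_IMAGE):
        print(p)
        print(mount_command("lab1_2007-1001a.img", p))
```

Hashing before and after analysis, as Steps 14 and 30 do, is what lets the examiner show the image was not altered in between; the `ro` and `noexec` mount options keep the examination itself from touching the evidence.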
5. Find a file of interest to this investigation from the image drive by exploring the image in
Autopsy and explain why you believe the file is of interest in the investigation.
On 3/23/16 at 4:45 pm I found an interesting file called $BadClus:$Bad. This file is
huge at 8578932736. It is significantly larger than any other file on the system. Bad clusters are
known to hide data in a variety of ways. Given the size of this file, it is likely to contain
something interesting. Additional time should be taken to explore how this cluster is bad and
why it is bigger than any other file on the system.
6. Find a deleted file of interest to this investigation from the image drive by exploring the image
in Autopsy and explain why you think the file is of interest in the investigation.
On 3/23/16 at 4:00 pm I found a file, or rather a collection of files, the VMwarednd files, with
varying names like _delaa_15_kdoaa__hecaa_M_bejaa__behaa__. This file, in particular, has a
collection of popular worms, trojans and adware. The malware had names like Anker, Mydoom,
spy.banker, mybot,Q and others. There seemed to be hundreds of individual malware samples.
These malware samples can be used to spy on those that have been infected with them if
they are combined with keyloggers and code to exploit webcams. The details obtained from the
infections could likely be used for extortion if they are illegal or unsavory. Additional time should
be spent analyzing the malware samples to determine their capabilities.
7. What type of file system was the forensic image evidence collected from?
On 3/23/16 at 4:56 pm I clicked the Image Details tab in Autopsy and found that the file
system type is the New Technology File System (NTFS), used with a Windows XP operating system.
8. Why should investigators take notes and annotate time/dates? What is this useful for?
It is vital for investigators to take notes and annotate times/dates because the process will
have to be duplicated again. If a suspect is found guilty, they will likely appeal the decision. The
appeal process will review all evidence against the convicted. These notes will be used again,
sometimes by a different investigator. If the process is simple and easy to follow with these
notes, then the convicted is not likely to be released on a technicality.
9. Based on the lab, who was Joey Lawless communicating with? Explain with evidence.
On 3/25/1990 at 4:27 I found this file with telephone numbers:
Contents Of File: C:/Documents and Settings/Joey/Application
Data/Mozilla/Firefox/Profiles/7s485wx6.default/prefs.js 2007-09-30 11:58:58 (EDT)
MintUnique
1
mint.intomobile.com/
1024
2707507968
30619267
525855152
29885013
MintUniqueMonth
1188630000
mint.intomobile.com/
1024
3644741632
29885633
526325152
29885013
On 3/26/16 at 4:28 I found this:
ASCII String Contents Of File: C:/Documents and Settings/Billybob/Application
Data/Microsoft/Outlook/Outlook.NK2
SMTP:[email protected]
SMTP:[email protected]
SMTP:[email protected]
SMTP:LYRIS-CONFIRM-
11811329.69C95F2F470A9F8B719ABA76ED1CAF6B@LISTS.WARNERREPRISE.COM
SMTP:[email protected]
On 3/26/16 at 4:33 I found evidence of communication with Emilio Barzini:
ASCII String Contents Of File: C:/Documents and Settings/Joey/Application
Data/Microsoft/Outlook/Outlook.NK2 2007-09-30 11:59:07 (EDT)
SMTP:[email protected]
SMTP:[email protected]
SMTP:[email protected]
SMTP:[email protected]
SMTP:[email protected]
_Note
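The Outlook.NK2 findings above come from Autopsy's ASCII strings view, as did the keyword search in Step 23. As an added Python example, not part of this report and not Autopsy's code, here is the same kind of strings pass written out: it scans a binary blob for SMTP: addresses in both ASCII and UTF-16LE, because NK2 stores its text as UTF-16LE and an ASCII-only pass can miss entries. The blob is constructed, its layout is only a stand-in for NK2, and every address is a placeholder.

```python
"""Added example (not part of the lab report or Autopsy): a strings-style
pass over a binary artifact such as Outlook's NK2 autocomplete cache that
pulls out SMTP: addresses.  NK2 stores text as UTF-16LE, so an ASCII-only
pass can miss entries; both encodings are scanned here.  The blob is
constructed and the addresses are placeholders."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# printable byte followed by NUL, repeated: how ASCII text looks in UTF-16LE
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ADDR_RE = re.compile(r"SMTP:([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def strings(blob, encodings=("ascii", "utf-16le")):
    """Yield (encoding, byte offset, text) for printable runs of 6+ chars."""
    if "ascii" in encodings:
        for m in ASCII_RUN.finditer(blob):
            yield "ascii", m.start(), m.group().decode("ascii")
    if "utf-16le" in encodings:
        for m in UTF16_RUN.finditer(blob):
            yield "utf-16le", m.start(), m.group().decode("utf-16-le")


def extract_addresses(blob, encodings=("ascii", "utf-16le")):
    """Map each address (lower-cased) to the (encoding, offset) hits for it."""
    found = {}
    for enc, off, text in strings(blob, encodings):
        for m in ADDR_RE.finditer(text):
            found.setdefault(m.group(1).lower(), []).append((enc, off))
    return found


def ascii_only_addresses(blob):
    """What a plain ASCII strings pass would report."""
    return set(extract_addresses(blob, encodings=("ascii",)))


def build_sample_nk2():
    """Constructed NK2-like blob: length-prefixed UTF-16LE entries plus one
    ASCII-only entry for contrast.  Not the real NK2 layout, just its
    relevant trait (UTF-16LE strings)."""
    entries = ["SMTP:emilio.barzini@example.invalid",
               "SMTP:h3rd.most3r@example.invalid"]
    blob = bytearray(b"\x0a\x00\x00\x00")           # constructed header
    for e in entries:
        blob += len(e).to_bytes(4, "little") + e.encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * 16 + b"SMTP:uncle.v@example.invalid\x00"
    return bytes(blob)


SAMPLE_NK2 = build_sample_nk2()

if __name__ == "__main__":
    for addr, hits in sorted(extract_addresses(SAMPLE_NK2).items()):
        print(addr, hits)
    print("ASCII-only pass sees:", ascii_only_addresses(SAMPLE_NK2))
```

Recording the byte offset with each hit is what lets a finding be tied back to a cluster or file offset in the examiner's notes, which is the same traceability the log's timestamps provide.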
10. Based on reviewing the image, what do you think Joey Lawless was communicating about?
Explain with evidence.
Summary
Based on the evidence I collected, listed below: yes, Lawless and Barzini were in contact.
They talked about herds and herd masters, along with a union dispute. Lawless got into contact
via IRC with h3rd.most3r, who seems to be in control of a botnet. Email chains included
discussion of how long a stampede could last, with the answer of 24 hours. H3rd made comments
about stampedes drawing attention. It seems that the demonstration went well. The dispute ended in
Barzini's favor. It seems that the botnet may have been used for extortion. It also seems that Vinnie
Lawless is an accomplice. Suzie knew at least that they were up to something, along with her son asking for a
Ducati motorcycle. Greater investigation would be needed.
On 3/26/16 at 6:00 pm I found emails between Joey and Barzini. It seems that the two families
were very close. The title of the email was "Godfather Barzini." They talked about the passing of the
patriarch of one of the families. The two talked about investing in flocks of animals. Joey
talked about herds with the "Headmaster."
Full email (rendered from the HTML source recovered in the image):
From: [email protected]
To: [email protected]
Subject: Godfather Barzini
Date: Sun, 23 Sep 2007 18:46:50 -0400

Godfather Barzini,

Sorry for the delay in getting back to you. I was out dealing with the union for a week. I enjoyed our conversations at Vecaro.s before I left and will be pursuing herds with a herd master.

On another note, I was sorry to hear of the passing of your father when I returned from Chicago. The Lawless family shall always be loyal to the Barzini Family. I look forward to moving further along with your new investments in flocks.
On 3/26/16 at 6:05 pm Joey and Barzini talked about managing a waste management operation. No
further description. Email below:
ASCII Contents of Cluster 382355 in lab1_2007-1001a.img-63-16755794
[Cluster view: mostly non-printable bytes shown as dots. Recoverable fragments, in order: "-0-0-1-3-118 >Look a..ed?", <http://www.darkreading.com/document.asp?doc_id=133928>, "Dark Reading Gets a Facelift", <http://www.darkreading.com/document.a..., "Regular", "Turkish", and an HTML font tag (font size=3 face="Times New Roman") from an earlier message, followed by the HTML of the email below (a Hotmail "hmmessage" style block precedes the body).]
Rendered from the HTML:
Joey,

I don't need a limo. Send a town car to come get me.

See you at the game.

Emilio

Quoted message header:
From: [email protected]
To: [email protected]
Subject: RE: Godfather Barzini
Date: Wed, 26 Sep 2007 23:31:41 -0400
(cluster dump ends here)
On 3/26 at 6:35 pm
Email regarding flocks for hire. It is suspicious: a botnet, possibly, because of the vast amount of
malware Joey had stored. The rest of the email is encrypted.
Header here:
Date: Tue, 11 Sep 2007 21:36:35 -0400
To: [email protected]
Subject: Saw Your Post on IRC Channel Flockz for Hire
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_8033_20670449.1189560995211"
On 3/26 at 6:42 pm
In correspondence with h3rd, they talked about sustaining stampedes. Stampedes can also be easily
detected and draw attention. They could be talking about DoS and DDoS attacks. The email exchange is
located at ASCII Contents of Cluster 347880 in lab1_2007-1001a.img-63-16755794
On 3/26 at 6:42 pm
Found an email exchange about directing flocks, flocking being detected while stampeding and the use
of encryption to hide correspondence.
Email here:
ASCII Contents of Cluster 355332 in lab1_2007-1001a.img-63-16755794
On 3/26 at 6:42 pm
Email saying that the demonstration of flocks of sheep against the unions was successful. The email
can be found here:
ASCII Contents of Cluster 356989 in lab1_2007-1001a.img-63-16755794
Rendered from the HTML (reply from Joey):
Mr. Barzini . I will be there. As you know I am organizing it and Tony will be facilitating it. Do you want a limo or car sent to pick you up from the airport?

I am sending the figures of the waste management operations. I am still working on the investments we discussed.

Joey
(cluster dump ends here, mid-tag)
On 3/26 at 7:00 it seems that Vinnie is an accomplice.
The email can be found here:
ASCII Contents of Cluster 346933 in lab1_2007-1001a.img-63-16755794
Rendered from the HTML:
Ducati sounds like a great choice for the kid. I am sure Emilio will be driving a fine Italian soon with all the money we are making him.

Uncle V

Joey Lawless <[email protected]> wrote:
(cluster dump ends here, mid-tag)
On 3/26 at 7:00 pm Suzie knew that they were making money but may not have known exactly what
they were doing. ASCII Contents of Cluster 379421 in lab1_2007-1001a.img-63-1675579