
Midterm Assessment

Saraquoit Corporation Scenario


This document outlines the investigation performed on
behalf of the Saraquoit Corporation. It covers the tools,
methods, and results of the investigation.
Daniel Howell
11/9/2015

Table of Contents
Abstract
Section 1: Evidence
  1-A: Thumb Drive Image
    Figure 1: Thumb Drive Hash (MD5)
Section 2: Tools
  2-A: FTK Imager
    Figure 2: Device in FTK Imager
  2-B: Cyohash
Section 3: Investigation Findings
  3-A: Thumb Drive content
    Figure 4: NONAME [FAT16] content
    Figure 5: NONAME [FAT16] [unallocated space]
    Figure 6: 00002 hash value
  3-B: File content
    Figure 3: Time Script
    Figure 4: win32 script
    Figure 5: Override script
    Figure 6: script notation
Section 4: Results
  4-A: Thumb drive
  4-B: files found
  4-C: file content
  4-D: Possible intent
  4-E: Who

Abstract
The Saraquoit Corporation has asked for assistance in investigating a disgruntled employee. The company
is concerned that the employee may attempt to damage its network in some manner. When searching the
employee's office, the company's IT department found a company thumb drive and a digital camera that
belonged to the employee in question. The company wants the thumb drive and the digital camera examined
for any evidence suggesting that the employee in question is attempting to harm the company in some way.
Upon completion of the investigation this report will be sent to Saraquoit IT member Kal Dalil.

Section 1: Evidence
This section covers the evidence provided by the Saraquoit IT department. This is what was examined and
used to determine whether the employee in question had harmful intentions.

1-A: Thumb Drive Image


The thumb drive in question is a 128 MB Saraquoit Corporation drive. The company IT department sent a
bit-for-bit image of the drive for the investigation. The image was hashed so that it can be shown to match
the physical drive in question; refer to Figure 1 for the hash of the thumb drive. The hash value was taken
using Cyohash. Refer to Section 2 of this report for further information on the use of FTK Imager and
Cyohash.
Figure 1: Thumb Drive Hash (MD5).

Section 2: Tools
This section covers the tools that were used in the investigation. It also covers the manner in which the
tools were used during this investigation.

2-A: FTK Imager


FTK Imager is the data analysis tool that was used to examine the drive. The image provided by the company
was loaded into the program; Figure 2 shows the device as it appeared once loaded into FTK Imager. From
there we were able to begin sifting through the data and looking for evidence of malicious intent. The
investigation of this case is covered in more depth in Section 3 of this report.

Figure 2: Device in FTK Imager

2-B: Cyohash
This program was used to obtain the hash values of the device image and of the files examined, in order to
verify that the evidence had not been altered.
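The hash check described in 1-A and 2-B, as an added example that is not part of the original report and is not Cyohash or FTK Imager code. The image bytes and the "provided" MD5 below are constructed so the script runs offline; on a real case the image is read from disk and the MD5 is the value recorded in Figure 1. The script also records SHA-256 alongside MD5, which is the check a practitioner would add today.

```python
"""Verify a forensic image against the MD5 supplied with it and record a
second, stronger digest at the same time.  Added example; the image bytes and
the 'provided' MD5 in __main__ are constructed stand-ins."""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: a multi-gigabyte image never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """One pass over the stream, several digests.  MD5 matches what the
    submitting party recorded; SHA-256 is kept because MD5 collisions are
    practical and a stronger digest may be asked for later."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_stream(stream, expected_md5):
    """Return (matches, digests).  The comparison ignores case and surrounding
    whitespace because tools print hex digests in either case."""
    digests = hash_stream(stream)
    return digests["md5"].lower() == expected_md5.strip().lower(), digests


def verify_bytes(data, expected_md5):
    """Convenience wrapper for in-memory data, e.g. a carved file such as 00002."""
    return verify_stream(io.BytesIO(data), expected_md5)


def verify_file(path, expected_md5):
    """Verify an image file on disk without reading it all into memory."""
    with open(path, "rb") as fh:
        return verify_stream(fh, expected_md5)


if __name__ == "__main__":
    # Constructed stand-in for the drive image and the MD5 that came with it.
    image = b"constructed image bytes " * 4096
    provided_md5 = hashlib.md5(image).hexdigest()
    ok, digests = verify_bytes(image, provided_md5)
    print("image matches provided MD5:", ok)
    for name, value in digests.items():
        print(f"  {name}: {value}")
    # A single changed byte must fail verification.
    ok, _ = verify_bytes(image[:-1] + b"X", provided_md5)
    print("tampered copy matches:", ok)
```

Both digests, the tool used and the time of hashing belong in the report next to Figure 1, so that anyone re-examining the image later can repeat the check.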

Section 3: Investigation Findings


This section covers the findings of the investigation.

3-A: Thumb Drive content


The thumb drive contained one partition, 123 MB in size, and a region of unpartitioned space. This suggests
that the owner of the device may have been trying to hide what was on the drive. However, the device is
owned by the company, so this layout could also be a standard configuration for company drives; further
investigation is required to determine whether it is. FTK Imager presents the unpartitioned space on the
drive as an unallocated space entry.
The partition held a volume labelled NONAME, formatted with the FAT16 file system. FTK Imager lists two
entries under it, [root] and [unallocated space]. There were also three file system metadata entries and a
file system slack entry on the device. The three metadata entries did not contain any useful information
suggesting that the employee in question intended to harm the company's network.
Figure 4: NONAME [FAT16] content
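To make the partition and volume figures in this section concrete, the following added example (not code from the report) parses the MBR partition table and the FAT16 boot sector from an image header. The image is constructed inline: the 128 MB device size and the 251,937-sector partition (which works out to 123 MiB) are chosen to resemble the drive described above, and the volume label NONAME matches Figure 4. Only the first 64 sectors are needed, so no full image is built. The FAT type is derived from the cluster count, which is how FAT drivers determine it; the "FAT16" string in the boot sector is informational only.

```python
"""Parse an MBR partition table and a FAT16 boot sector to report partitioned
vs. unpartitioned space and the volume label.  Added example; the image in
build_sample_image() is a constructed stand-in, not the evidence drive."""
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count
BPB = "<3s8sHBHBHHBHHHIIBBBI11s8s"     # FAT12/16 boot sector fields at offsets 0..61


def parse_mbr(sector0):
    """Return the non-empty primary partition entries from sector 0."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        _status, _, ptype, _, lba, count = struct.unpack_from(MBR_ENTRY, sector0, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def parse_fat16_boot_sector(sector):
    """Decode the BIOS parameter block and classify the FAT by cluster count."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot sector signature missing")
    f = struct.unpack_from(BPB, sector, 0)
    bps, spc, reserved, fats, root_entries = f[2], f[3], f[4], f[5], f[6]
    total = f[7] or f[13]                      # 16-bit count, or 32-bit field when it overflows
    spf = f[9]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - reserved - fats * spf - root_sectors) // spc
    kind = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
        "fats": fats, "sectors_per_fat": spf, "root_sectors": root_sectors,
        "total_sectors": total, "cluster_count": clusters, "fat_kind": kind,
        "label": f[18].decode("ascii", "replace").rstrip(),
        "fs_type_string": f[19].decode("ascii", "replace").rstrip(),
    }


def describe_layout(image, device_bytes):
    """Summarise the first partition and everything outside any partition."""
    parts = parse_mbr(image[:SECTOR])
    first = parts[0]
    bs = first["lba_start"] * SECTOR
    vol = parse_fat16_boot_sector(image[bs:bs + SECTOR])
    root_lba = first["lba_start"] + vol["reserved"] + vol["fats"] * vol["sectors_per_fat"]
    used = sum(p["sectors"] for p in parts) * SECTOR
    return {
        "partitions": parts,
        "partition_mib": round(first["sectors"] * SECTOR / 2**20, 2),
        "unpartitioned_bytes": device_bytes - used,   # includes the gap before the partition
        "label": vol["label"], "fat_kind": vol["fat_kind"],
        "fs_type_string": vol["fs_type_string"], "cluster_count": vol["cluster_count"],
        "root_dir_lba": root_lba,
    }


def build_sample_image():
    """Constructed stand-in: MBR with one type-0x06 partition at LBA 63 and a
    FAT16 boot sector there.  Sizes are chosen to resemble the report's drive."""
    mbr = bytearray(SECTOR)
    struct.pack_into(MBR_ENTRY, mbr, 446, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 251_937)
    mbr[510:512] = b"\x55\xAA"
    boot = bytearray(SECTOR)
    struct.pack_into(BPB, boot, 0, b"\xEB\x3C\x90", b"MSWIN4.1", 512, 4, 1, 2, 512, 0, 0xF8,
                     247, 63, 255, 63, 251_937, 0x80, 0, 0x29, 0x1234ABCD,
                     b"NONAME     ", b"FAT16   ")
    boot[510:512] = b"\x55\xAA"
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(boot)


if __name__ == "__main__":
    info = describe_layout(build_sample_image(), 128 * 2**20)
    for key, value in info.items():
        print(f"{key}: {value}")
```

The unpartitioned figure is computed from the device size minus every partition entry, so the 63-sector gap before the first partition counts as unpartitioned too; that gap is a normal artefact of the old CHS alignment, which is worth knowing before reading it as deliberate concealment.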

The [unallocated space] entry within the partition contained two items, 00002 and 51202, which appear to
be files deleted by the user in an attempt to hide them from investigators. The 51202 item showed a
reported size of 23,690, but we were unable to view its contents; we will investigate it further if the
other data is not sufficient for the company. The 00002 item, however, contained a large amount of data
that we were able to view. This file was hashed (Figure 6) so that the copy examined can be shown to be the
same file found on the original drive and not a script added later.
Figure 5: NONAME [FAT16] [unallocated space]

Figure 6: 00002 hash value
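As an added example (not code from the report), the following walks a FAT16 directory region for the 0xE5 marker that tools such as FTK Imager rely on to list deleted entries, decodes each entry's name, size, first cluster and timestamp, and pulls a deleted file's bytes back out of the data region. The directory, the data region, the file names and the script content are constructed stand-ins; they are not the contents of 00002 or 51202. It also shows why the recovered copy must be hashed and treated as a carve rather than a proven copy: FAT16 clears the file's cluster chain on deletion, so only the first cluster is known.

```python
"""List live and deleted 8.3 entries in a FAT16 directory and recover a deleted
file's bytes on the contiguous-clusters assumption.  Added example; every
input below is constructed."""
import struct
from datetime import datetime

ENTRY = "<8s3sBBBHHHHHHHI"   # name, ext, attr, ntres, ctime_tenth, ctime, cdate, adate, hi, mtime, mdate, lo, size
DELETED, END, LFN = 0xE5, 0x00, 0x0F

# Constructed stand-in for a recovered script; deliberately not the real 00002 content.
SAMPLE_SCRIPT = b"# constructed stand-in for the recovered script\nprint('stand-in')\n"


def fat_datetime(date, time):
    """Decode the packed FAT date/time pair (2-second resolution, local time)."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def walk_directory(raw):
    """Yield live and deleted entries; stop at the first never-used slot."""
    for off in range(0, len(raw) - 31, 32):
        f = struct.unpack_from(ENTRY, raw, off)
        name, ext, attr = f[0], f[1], f[2]
        if name[0] == END:
            break                          # nothing was ever allocated past here
        if attr == LFN or attr & 0x08:     # skip long-name fragments and the volume label
            continue
        deleted = name[0] == DELETED
        base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        extn = ext.decode("ascii", "replace").rstrip()
        yield {
            "name": base + ("." + extn if extn else ""),
            "deleted": deleted,                       # first name byte overwritten with 0xE5
            "directory": bool(attr & 0x10),
            "first_cluster": (f[8] << 16) | f[11],    # high word is always 0 on FAT16
            "size": f[12],
            "created": fat_datetime(f[6], f[5]),
            "modified": fat_datetime(f[10], f[9]),
        }


def recover_contiguous(data_region, entry, cluster_bytes):
    """Best-effort carve: FAT16 zeroes the cluster chain on delete, so assume the
    clusters after the first one followed it contiguously."""
    start = (entry["first_cluster"] - 2) * cluster_bytes   # data region starts at cluster 2
    return data_region[start:start + entry["size"]]


def build_sample():
    """Constructed directory (label, one live file, one deleted file) and data region."""
    cluster = 2048
    date, time = 0x4769, 0x72CF   # 2015-11-09 14:22:30 packed as FAT date/time
    data = bytearray(cluster * 6)
    data[0:13] = b"Quarterly rpt"                                  # cluster 2: live file
    data[cluster:cluster + len(SAMPLE_SCRIPT)] = SAMPLE_SCRIPT     # cluster 3: deleted file

    def entry(name, ext, attr, first_cluster, size):
        return struct.pack(ENTRY, name, ext, attr, 0, 0, time, date, date, 0,
                           time, date, first_cluster, size)

    directory = (entry(b"NONAME  ", b"   ", 0x08, 0, 0)
                 + entry(b"REPORT  ", b"DOC", 0x20, 2, 13)
                 + entry(b"\xE5ATHER  ", b"PY ", 0x20, 3, len(SAMPLE_SCRIPT))
                 + bytes(32))
    return bytes(directory), bytes(data), cluster


if __name__ == "__main__":
    directory, data, cluster = build_sample()
    for e in walk_directory(directory):
        flag = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<14} {flag:<8} cluster={e['first_cluster']} size={e['size']} modified={e['modified']}")
        if e["deleted"]:
            print("  recovered:", recover_contiguous(data, e, cluster))
```

The first character of a deleted name is lost (shown here as "?"), and a file whose clusters were not contiguous, or whose clusters were reused after deletion, will come back corrupt or mixed with other data; hashing the carved copy, as done for 00002, fixes what was examined but does not by itself show the carve is complete.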

3-B: File content


The 00002 file contained a series of programming scripts that appear intended to skim data off the
company's network. Figure 3 shows several sections of the scripts that point to malicious use. The scripts
seem to be after the company's financial information. Since we were unable to determine the programming
language in which the scripts were written, it was difficult to determine exactly what each part of a
script was doing.
Figure 3: Time Script

The above script seems to extract files that were created within a specific time period. These could be
anything from old financial records to employee files. Exposure of such company records could cause a
great deal of damage to the company as well as to its current and former employees.

Figure 4: win32 script

The above script seems to be used to access win32 on a system, that is, the Windows operating system
itself. This suggests an attempt to gain control of the computer.

Figure 5: Override script

The above script seems to override and extract paths and log information.
Figure 6: script notation

The above notation (the author's own comments in the script) shows that the script may be intended for
malicious use.

Section 4: Results
This section covers the final results of the investigation. Based on these results the investigators

4-A: Thumb drive


The thumb drive image provided by Saraquoit Corporation did show signs that someone was trying to hide
something on it. The partition layout of the drive, and the placement of the script file in the unallocated
space of the partition, appear intended to keep the scripts hidden from others who might see the drive.

4-B: files found


Several files were found on the drive. Those that provided evidence that the employee in question intended
to harm the network were found in unallocated space. We used FTK Imager to access all of the data on the
drive.

4-C: file content


The 00002 file that was found contained scripts that could be used to damage the company. While we were
not able to determine everything the scripts target, we can tell that they were intended for malicious
use.

4-D: Possible intent


Based on our findings we have determined that the employee in question, Steve Vogon, was disgruntled and
planning to retaliate against the company. The drive found by the company's IT department contained
enough information to prove that he had malicious intent toward the company. We cannot prove that he
actually ran the scripts unless we are able to examine the rest of the network. All we can prove is that
he had the intent to use the malicious scripts.

4-E: Who
The drive was found in Vogon's office, and he was described as disgruntled by the company's HR department.
These facts mark him as the prime suspect in the investigation. In order to tie Vogon to the drive and
prove his motives, we need to be able to show that Vogon had in fact at least tried to use the drive in
some way. We could obtain the log records of the company's network to see whether the drive was plugged
into any company computer in the building where Vogon worked. By searching the system logs for the drive's
signature we would be able to see where it was used, and then use surveillance camera footage to place him
at that computer at the time the drive was used.
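One way to run the log search described above, as an added example that is not part of the original report. The log lines below are constructed to mimic the format of the Windows setupapi.dev.log, which records a USB mass-storage device's instance ID (vendor, product, revision and serial) when its driver is installed on a host; the hostnames, the serial 0123456789AB, the product string and the timestamps are all assumed for illustration and are not from the case.

```python
"""Search setupapi.dev.log text from several hosts for the first installation
of a USB mass-storage device with a given serial number.  Added example; the
logs below are constructed in the setupapi.dev.log style, not real evidence."""
import re
from datetime import datetime

INSTALL = re.compile(r">>>\s+\[Device Install \([^)]*\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
DEVID = re.compile(r"USBSTOR\\Disk&Ven_([^&]+)&Prod_([^&]+)&Rev_([^\\]+)\\([^&]+)&\d+")

# Constructed logs: two finance-department PCs, the 'Saraquoit' drive installed
# on both, plus unrelated devices that the search must ignore.
SAMPLE_LOGS = {
    "FIN-PC-07": (
        ">>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\0123456789AB]\n"
        ">>>  Section start 2015/11/06 09:41:12.431\n"
        "     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\n"
        "<<<  Section end 2015/11/06 09:41:12.998\n"
        "<<<  [Exit status: SUCCESS]\n"
        ">>>  [Device Install (Hardware initiated) - "
        "USBSTOR\\Disk&Ven_Saraquoit&Prod_Drive_128MB&Rev_1.00\\0123456789AB&0]\n"
        ">>>  Section start 2015/11/06 09:41:13.102\n"
        "     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\n"
        "<<<  Section end 2015/11/06 09:41:14.570\n"
        "<<<  [Exit status: SUCCESS]\n"
    ),
    "FIN-PC-02": (
        ">>>  [Device Install (Hardware initiated) - "
        "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\ABCDEF00&0]\n"
        ">>>  Section start 2015/10/30 08:12:44.007\n"
        "<<<  Section end 2015/10/30 08:12:45.220\n"
        ">>>  [Device Install (Hardware initiated) - "
        "USBSTOR\\Disk&Ven_Saraquoit&Prod_Drive_128MB&Rev_1.00\\0123456789AB&0]\n"
        ">>>  Section start 2015/11/03 17:05:09.655\n"
        "<<<  Section end 2015/11/03 17:05:10.913\n"
    ),
}


def parse_installs(text):
    """Return (device_instance_id, install_time) pairs for USBSTOR installs.
    The instance ID is on the section header; the timestamp is on the next
    'Section start' line, so the two lines are paired as they are read."""
    found, pending = [], None
    for line in text.splitlines():
        m = INSTALL.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START.match(line)
        if m and pending:
            found.append((pending, datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")))
            pending = None
    return found


def find_drive(logs_by_host, serial):
    """Across hosts, list where a mass-storage device with this serial was installed, oldest first."""
    hits = []
    for host, text in logs_by_host.items():
        for dev_id, when in parse_installs(text):
            m = DEVID.match(dev_id)
            if m and m.group(4).upper() == serial.upper():
                hits.append({"host": host, "vendor": m.group(1), "product": m.group(2),
                             "revision": m.group(3), "serial": m.group(4), "installed": when})
    return sorted(hits, key=lambda h: h["installed"])


if __name__ == "__main__":
    for hit in find_drive(SAMPLE_LOGS, "0123456789AB"):
        print(f"{hit['installed']}  {hit['host']}  {hit['vendor']} {hit['product']}  serial={hit['serial']}")
```

Two caveats before relying on this to place someone at a keyboard. setupapi.dev.log records driver installation, so it normally gives the first time the drive was connected to each host rather than every insertion; later connections have to come from the USBSTOR and MountedDevices registry keys, event logs, or an endpoint agent. And a drive that reports no serial number gets a host-generated instance ID (its second character is "&"), which differs from machine to machine and cannot be matched across hosts the way the serial above is.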
