DC3 2009


Windows Registry Information

Please refer to registryanalysis.doc for screenshots and identification of suspicious software, typed URLs, and other information extracted from the registry.

NTUSER.DAT

  1. Evidence Eliminator 5.0

  2. Grisoft STEG_IT_v7

  3. URL history shows only one typed URL: www.yahoo.com

  4. Multiple USB storage devices are indicated, consistent with The Documents' notations about seized drives. The device information, including serial numbers, will show the devices were used on this machine, linking evidence on them to Stallman.
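The serial-number linkage in item 4 comes from the USBSTOR enumeration keys, whose key path encodes vendor, product, revision and the device instance ID. The script below is an added illustration, not part of the original report or its tooling: it parses a constructed `.reg` export (the key paths and values are made up for the example) and pulls out the fields an examiner would record, flagging instance IDs that Windows generated because the device reported no serial (recognisable by an ampersand in the second character).

```python
import re

# Constructed .reg export fragment (sample data, not from the challenge image).
# Two device-class keys, each with one device-instance subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"ParentIdPrefix"="7&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\6&2f9e8d7c&0&000000000001]
"FriendlyName"="Kingston DataTraveler USB Device"
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
# Matches only device-instance keys (class key + one more path component).
DEVICE_RE = re.compile(
    r"\\USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_usbstor(reg_text):
    """Return one dict per USBSTOR device instance found in a .reg export."""
    devices = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = None
            dev = DEVICE_RE.search(key.group("path"))
            if dev:
                instance = dev.group("instance")
                # Windows synthesises the instance ID when the device has no
                # serial number; the second character is then an ampersand.
                generated = len(instance) > 1 and instance[1] == "&"
                current = {
                    "vendor": dev.group("vendor"),
                    "product": dev.group("product"),
                    "revision": dev.group("rev"),
                    "instance_id": instance,
                    "serial": None if generated else instance.split("&")[0],
                    "windows_generated_id": generated,
                    "values": {},
                }
                devices.append(current)
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            current["values"][val.group("name")] = val.group("value")
    return devices


def summarize(devices):
    """One report line per device, ready to paste into examiner notes."""
    lines = []
    for d in devices:
        serial = d["serial"] or "(no serial; Windows-generated ID %s)" % d["instance_id"]
        name = d["values"].get("FriendlyName", "?")
        lines.append("%s %s rev %s serial %s [%s]" % (
            d["vendor"], d["product"], d["revision"], serial, name))
    return lines


if __name__ == "__main__":
    for line in summarize(parse_usbstor(SAMPLE_REG)):
        print(line)
```

On a real case the same parser runs over an export of the SYSTEM hive's `Enum\USBSTOR` key; the serial recovered here is what gets matched against the physical label or controller of a seized drive.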

$Orphan Files\Challenge Graphics

evidence/Search Screenshots/OrphanFiles_Challenge_Graphics.png shows the results from a search in the Lucene index mentioned earlier. There is a deleted folder called Challenge Graphics filled with images. As you can see in the picture, some of these files are recoverable and text has been extracted from their header fields; note, for example, that the pictures were taken by a Canon PowerShot. Because we believe the improper sanitizing was unintentional, we did not use the information beyond confirming it was recoverable. A copy of this data is located in the Challenge_Graphics subdirectory of the evidence directory.
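The camera identification above comes from EXIF strings in the JPEG header (the Make and Model tags), which survive even when the file is only partially recoverable. The code below is an added example and not the report's or the indexing tool's own code: it builds a minimal JPEG header with a constructed EXIF segment (the camera model string is sample data) and then parses it back the way a carving or indexing tool would, walking the APP1 segment and the TIFF IFD0 directory to pull out ASCII tags.

```python
import struct

# EXIF tag numbers for the ASCII fields an examiner usually wants.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def build_sample_jpeg_header():
    """Construct a minimal JPEG with one EXIF APP1 segment (sample data)."""
    make = b"Canon\x00"
    model = b"Canon PowerShot A95\x00"   # constructed, not the challenge image
    # TIFF header (little-endian), IFD0 at offset 8, two entries, no next IFD.
    data_start = 8 + 2 + 12 * 2 + 4
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), data_start)
    tiff += struct.pack("<HHII", 0x0110, 2, len(model), data_start + len(make))
    tiff += struct.pack("<I", 0)
    tiff += make + model
    payload = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")


def _parse_tiff(tiff):
    """Read ASCII tags out of IFD0 of an embedded TIFF structure."""
    if tiff[:2] == b"II":
        end = "<"
    elif tiff[:2] == b"MM":
        end = ">"
    else:
        return {}
    magic, ifd_off = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    count = struct.unpack(end + "H", tiff[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff):          # truncated directory: stop cleanly
            break
        tag, typ, n, val = struct.unpack(end + "HHII", tiff[e:e + 12])
        if typ != 2 or tag not in TAG_NAMES:
            continue
        # Values of 4 bytes or fewer are stored inline, longer ones by offset.
        raw = tiff[val:val + n] if n > 4 else struct.pack(end + "I", val)[:n]
        out[TAG_NAMES[tag]] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return out


def extract_exif_strings(data):
    """Walk JPEG segments from SOI and return Make/Model/DateTime if present."""
    result = {}
    if data[:2] != b"\xff\xd8":
        return result
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or start of scan: no more headers
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            result.update(_parse_tiff(seg[6:]))
            break
        pos += 2 + seg_len
    return result


if __name__ == "__main__":
    print(extract_exif_strings(build_sample_jpeg_header()))
```

Because the parser stops at the first truncated entry rather than raising, it also works on carved fragments where only the first few hundred bytes of a picture were recovered.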

Included Directories

  • DC3DFC09.dd_lucene – Lucene index of the image

  • Report.doc – This report

  • registryanalysis.doc – Registry analysis with screenshots

  • Evidence – Evidence directory

    • Autopsy_Notes.html – Short notes and file locations tagged during analysis

    • autopsy_notes_files – Images used by Autopsy_Notes.html

    • Challenge_Images – Files recovered from $Orphan Files\Challenge Graphics

    • Chat Logs – Chat log information

      • MSN – MSN chat logs

      • Skype – Skype chat logs

    • clocks – Crystal clock images and extracted text

    • deleted file list – list of deleted file entries from volumes C, D and E

    • encrypted – Encrypted word documents

    • guns – Images of guns found in the system

    • search screens – Screenshots of searches using Luke, for demonstration purposes

    • Suspicious Software – Extract of the directories in Program Files which we identified as suspicious

    • letter[108391].doc – threatening letter recovered with file carving

    • login[2][42362].html – html cache page recovered with file carving showing creation of yogibear1953@yahoo.com account

    • Screenshot-vol4-E..Users.Master.of.Disaster.Desktop.store.list.xls – Guns Revealed.png – screenshot of spreadsheet with hidden images exposed

    • vol4-E..Users.Master.of.Disaster.Desktop.store.list.xls – Spreadsheet containing the hidden images exposed above

    • vacation.ppt – PowerPoint slides used to hide an image

    • vacation.ppt_extractedimage.png – Incriminating image extracted from vacation.ppt

    • vol4-E..Users.Master.of.Disaster.ipods.bmp – Image of iPods with incriminating text

    • vol4-E..Users.Master.of.Disaster.map.bmp – Map 1 of the crime

    • vol4-E..Users.Master.of.Disaster.map2.bmp – Map 2 of the crime

Posted in Digital Forensics