CMIT424 University of Maryland Digital Forensic Activity Report. The student will be provided access to the case scenario and course materials in a lab environment and will complete a forensic report using the templates provided. A full breakdown of the assignment, with the grading rubric and a sample report from a different class, is in the attached file.

Client Confidential
Restricted Distribution
Examiner: Hilary Dozier
Case ID: PAGS03
Hilary Dozier
218 Atkinson Street
Fort Bragg, NC 28307
256-652-1044
Hwdozier18@gmail.com
James Randell
Practical Applied Gaming Solutions, Inc.
Rockville, MD
301-555-1212
May 8, 2019
Dear James Randell,
I have completed my forensic examination of the USB drive found within a sealed envelope by
Mr. Singh on May 7, 2019. My examination report is enclosed with this letter. Also enclosed in
the delivery package is the report containing PAGS03_USB, the digital files containing recovered
work products and other information as requested by you. This delivery package completes the
forensic examination of PAGS03.
Please countersign and return one copy of the delivery package inventory to me as your
acknowledgement of receipt of this package.
Sincerely,
Hilary Dozier
ENCLOSURES:
1. Delivery Package Inventory with Hand Receipt (Client to Sign and Return One Copy)
2. Forensic Examination Report: Case ID PAGS03
3. Delivery Media: USB, MD5 Checksum: f311a2152887024bdd0b9155b94c4db6
Delivery Package Inventory
Item  File Name        Full Path                           MD5 Hash
1     PAGS03_12162014  C:\CMIT424\PAGS03\PAGS03_12162014   f311a2152887024bdd0b9155b94c4db6
Inventory Verified By: Hilary Dozier      Date: May 8, 2019
Delivery Accepted By:                     Date:
Forensic Examination Report: Case ID: PAGS03
Date: May 8, 2019
Examiner: Hilary Dozier
RESTRICTED DISTRIBUTION
Table of Contents
Executive Summary …………………………………………………………………………………………………………1
Case Overview …………………………………………………………………………………………………………………2
Client Interview……………………………………………………………………………………………………………2
Case Objectives / Questions ………………………………………………………………………………………….3
Onsite Examination………………………………………………………………………………………………………3
Examination of George Dean’s Office ……………………………………………………………………………3
Examination of George Dean’s Computer ……………………………………………………………………..3
Onsite Acquisition Report for Forensic Image(s) ……………………………………………………………3
Preparation ………………………………………………………………………………………………………………3
Forensic Duplication (Imaging)…………………………………………………………………………………..3
Summary of the In-Lab Forensic Examination……………………………………………………………………3
Pre-Processing …………………………………………………………………………………………………………….4
Examination and Analysis of the USB …………………………………………………………………………….4
Files and Folders: Examination and Analysis of the File Systems ……………………………………..4
Summary of Findings……………………………………………………………………………………………………….4
1. Question 1: Is there any indication of any activities by any persons which would violate the company’s employment agreement? ……………………………………………………………………………….4
Summary Conclusions ……………………………………………………………………………………………………..4
Appendix A: Recovered Files…………………………………………………………………………………………….6
Appendix B: Supporting Documentation……………………………………………………………………………1
Appendix C: Glossary and Bibliography …………………………………………………………………………….1
Glossary of Terms ………………………………………………………………………………………………………..1
Bibliography………………………………………………………………………………………………………………..1
Appendix D: Schedule of Forensics Equipment and Software ……………………………………………..1
Appendix E: Policies…………………………………………………………………………………………………………1
Attestation of Ownership and Licensing Status ………………………………………………………………1
Attestation of Anti-Virus Software Use …………………………………………………………………………..1
Policies………………………………………………………………………………………………………………………..1
Appendix F: Examiner Resume & Credentials…………………………………………………………………….1
Executive Summary
The following investigation was conducted to determine whether Mr. George Dean, the former
Assistant Chief Security Officer at Practical Applied Gaming Solutions Inc., had participated in actions
in direct violation of company policies. A search of Mr. Dean’s office revealed that the company laptop
he had been using, while his workstation was sent out to be wiped because of a reported rootkit, was
missing. Prior to the workstation being sent for repair, an image of its contents had been made by
Ms. Valentina Reyes, PAGS Inc.’s IT Support Technician: Ms. Reyes copied the entire directory of Mr.
Dean’s user profile to a USB drive. The USB drive was given to Mr. Singh, the head of Human Resources,
and placed within a sealed envelope. The investigation was performed to examine and analyze the
contents of the image to determine whether Mr. Dean had acted in violation of any company policies or
participated in illegal activities prior to his hasty resignation from the organization.

After verifying the integrity of the image, it was processed with several forensic tools, which
produced evidence of several files containing pornographic material and evidence of gambling by Mr.
Dean. E-mails were also found containing information about virtual machines and other pornographic
material. Based upon the evidence found, it is possible to conclude that Mr. Dean was addicted to
gambling and was participating in gambling activities within the workplace. His workstation
also contained pornographic material. Enough evidence was uncovered to determine that Mr. Dean
was in direct violation of PAGS Inc. company policies.
Case Overview
Mr. James Randell, President and Owner of Practical Applied Gaming Solutions, Inc., reached out
to request additional assistance in investigating a sensitive situation concerning the hasty and
unexpected resignation of an upper-level employee within his organization. Concern about the situation
arose out of a voicemail left by Mr. George Dean, former Assistant Chief Security Officer at PAGS Inc.,
stating his resignation effective immediately. After agreeing to provide assistance with the case, a
meeting occurred between myself, Mr. Randell and Mr. Singh within the offices of Practical Applied
Gaming Solutions in Rockville, Maryland. During that meeting, I signed an investigative
agreement. I was then handed a sealed envelope by Mr. Singh holding the USB drive that contained the
image of Mr. Dean’s workstation contents. I also reviewed the original copy of Mr. Dean’s signed
employment agreement, but was not provided a copy of my own. The investigation was requested to
determine whether Mr. Dean participated in any actions that were in direct violation of the company policies
that he agreed to within his signed employee agreement at PAGS Inc.
Client Interview
During the interview with Mr. Randell and Mr. Singh, the following was discovered:
1. PAGS is a contractor to several state gaming (gambling) commissions. The company and its
employees are required to maintain high ethical standards and are not allowed to
participate in any forms of gaming or gambling, including lotteries, due to their involvement
as security consultants to the gaming commissioners.
2. Before starting work, each employee must sign an employment agreement which includes
a. Acceptance of restrictions on personal activities (no gambling or gaming in any form);
b. Consent to search and monitoring of computers, media, and communications used by
the employee in the performance of his or her duties for the company.
3. Immediately before his departure, Mr. Dean was using a company issued laptop in the office
as a temporary replacement for his workstation; an empty soft-sided laptop case was found
under Mr. Dean’s desk but the company issued laptop was not found in the office.
4. Mr. Dean’s company provided workstation was sent out for repair earlier in the week; the
repair ticket listed repeated operating system crashes as the primary symptom. The IT
Support Center reported that the workstation had been infected with a “nasty rootkit”
which required a complete wipe and reload of the hard disk (operating system and software
applications).
5. The IT Support technician, Ms. Valentina Reyes, has already re-imaged the hard drive for Mr.
Dean’s workstation. Per company standard practice, she saved a copy of Mr. Dean’s profile
(entire directory) and the user registry file. Ms. Reyes copied the user profile from Mr.
Dean’s workstation hard drive to a USB which she provided to Mr. Singh at his request. This
USB was placed in a sealed envelope by Mr. Singh.
Case Objectives / Questions
1. Is there any indication of any activities by any persons which would violate the company’s
employment agreement?
2. Provide copies of files and information of forensic interest which were recovered from the
USB drive.
Onsite Examination
Examination of George Dean’s Office
The office of Mr. George Dean was searched by Mr. Singh and Mr. Randell. A soft-sided laptop case
was discovered beneath the desk. The laptop itself was missing, but a USB drive was found within the
laptop case.
Examination of George Dean’s Computer
The company computer that belongs in George Dean’s office was not located within the office. It
was later discovered that the computer had been sent for repair because the device was infected with
what was described as a “nasty rootkit”, which required the operating system to be completely
wiped. Mr. Dean’s workstation was re-imaged onto a USB drive by the IT Support specialist, Ms.
Valentina Reyes, before being sent for repair. The USB drive containing the contents of Mr. Dean’s
workstation was used within the investigation to determine whether any violations of company policies
occurred during Mr. Dean’s employment at Practical Applied Gaming Solutions Inc.
Onsite Acquisition Report for Forensic Image(s)
Sumuri Paladin was used to create forensically sterile media. The forensically sterile media was
then used for imaging, which was performed using Forensic ToolKit Imager.
Preparation
FTK Imager was utilized to make a bit-for-bit copy of the USB drive.
Forensic Duplication (Imaging)
A bit-for-bit copy of the contents provided was created using AccessData FTK Imager. The copy
was then saved and stored on the sterile USB drive that had previously been created with Paladin. Following
the successful completion of the forensic imaging, the evidence was returned to Mr. Singh and placed
in the correct location in accordance with the company’s safe-keeping policy. The Chain of Custody
was updated with the new documentation concerning the handling of the evidence.
Summary of the In-Lab Forensic Examination
The sterilized media was created using Sumuri Paladin and was then verified using DCFLDD’s
verify file command. The MD5 hash values of the original drive was identical to the created image,
3
Client Confidential
Restricted Distribution
Examiner: Hilary Dozier
Case ID: PAGS03
ensuring that the integrity of the data was maintained during the re-imaging of the file. The created E01
image was proceeded to be uploaded within FTK Imager and converted to a raw image for examination.
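The integrity check described above (the image's MD5 compared against the value recorded at acquisition) and the hashed Delivery Package Inventory on the cover sheet can be reproduced with the script below. It is an added example, not part of this report and not code from FTK Imager, Paladin or dcfldd; the file names, paths and sample image bytes in it are constructed for the demonstration, and it also computes SHA-256 alongside MD5, which the report does not.

```python
# Added example (not part of the report): verify a forensic image against the
# MD5 recorded at acquisition, and build a hashed delivery-package inventory.
# All file names, paths and data below are constructed for the demonstration.
import hashlib
import io
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Read a binary stream once and return {algorithm: hexdigest}.
    MD5 matches what the acquisition record holds; SHA-256 is computed in the
    same pass because MD5 alone no longer resists deliberate collisions."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory byte string (handy for known-answer checks)."""
    return hash_stream(io.BytesIO(data))


def file_hashes(path):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def verify_image(image_path, expected_md5):
    """True when the image's MD5 equals the acquisition hash. Whitespace and
    case are normalised so a hash copied from a printed report still matches."""
    expected = "".join(expected_md5.split()).lower()
    return file_hashes(image_path)["md5"] == expected


def inventory(root):
    """Delivery Package Inventory rows for every file under root, numbered in
    sorted path order: item, file name, full path, md5, sha256."""
    rows = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        digests = file_hashes(path)
        rows.append({"item": len(rows) + 1, "file_name": path.name,
                     "full_path": str(path.resolve()), **digests})
    return rows


def render_inventory(rows):
    """Plain-text table in the same column order as the report's inventory."""
    lines = ["Item  File Name                Full Path  MD5 Hash  SHA-256 Hash"]
    for r in rows:
        lines.append(f"{r['item']:<5} {r['file_name']:<24} {r['full_path']}  "
                     f"{r['md5']}  {r['sha256']}")
    return "\n".join(lines)


def demo():
    """Constructed walk-through: a clean image verifies, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "PAGS03_USB.raw"  # constructed stand-in for the real image
        data = b"PAGS03 constructed sample image\n" * 4096
        image.write_bytes(data)
        acquisition_md5 = file_hashes(image)["md5"]  # recorded at imaging time

        # A copy with a single flipped bit stands in for a damaged or altered image.
        tampered = root / "PAGS03_USB_tampered.raw"
        tampered.write_bytes(data[:-1] + bytes([data[-1] ^ 0x01]))

        rows = inventory(root)
        return {
            "clean_verifies": verify_image(image, acquisition_md5),
            "tampered_verifies": verify_image(tampered, acquisition_md5),
            "inventory_items": len(rows),
            "inventory_names": [r["file_name"] for r in rows],
            "table": render_inventory(rows),
        }


if __name__ == "__main__":
    result = demo()
    print(result["table"])
    print("clean image verified:", result["clean_verifies"])
    print("tampered image verified:", result["tampered_verifies"])
```

Run it as a script to see the inventory table and the two verification results; in practice `verify_image` would be pointed at the E01-converted raw image and the MD5 from the acquisition log, and the inventory rows pasted into the hand receipt.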
Pre-Processing
The USB image was loaded into Forensic ToolKit to examine, analyze, and process evidence.
Examination and Analysis of the USB
PAGS03_USB contained the following:
Cylinders: 243
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 3,913,344
One 10GB NTFS Partition
MD5 checksum: 96ad19aa2971da3ff44b99cbccb45609
Files and Folders: Examination and Analysis of the File Systems
Appendix A provides a detailed list of forensically interesting files that were recovered during
the investigation of the USB drive.
Summary of Findings
It is apparent that Mr. Dean was involved in violations of the employment agreement that he consented
to during his employment at PAGS Inc. The investigation of his workstation showed images of narcotics,
adult pornography, and images related to gambling. There were also documents related to research on
gambling addiction, leading to the belief that this is an issue that has continued for quite some time.
1. Question 1: Is there any indication of any activities by any persons which would
violate the company’s employment agreement?
There were a number of forensically interesting photographs which were processed within FTK. Some
graphics contained adult pornography, narcotics, and gambling activity/addiction. There were more
than 50,000 documents processed by FTK, with few being of forensic interest. Most of those files
contained information about ethics, the lottery, and gambling.
Summary Conclusions
This investigation determined that there were multiple violations of the employee agreement to which
Mr. Dean consented during his time at PAGS Inc. The company policies prohibit employees from
involving themselves in gambling activity or using company assets to view any pornographic or narcotic
materials. The evidence recovered suggests that each of the company policies was violated by Mr.
Dean a number of times. Appendix A shows the evidence recovered that led to this conclusion. A chain
of custody document and a file inventory of forensically interesting evidence are attached to this
document.
Appendix A: Recovered Files
• Aurora_2.jpg (Item #1145): Image of dogs (Adult Pornography)
• Chinook_2.jpg (Item #1144): Image of dog sleeping (Adult Pornography)
• Chrysanthemum.jpg (Item #3241): Image of flower (Narcotics)
• Dog2.jpg (Item #1143): Image of puppy (Adult Pornography)
• Garden.jpg (Item #10317): Image of flowers (Narcotics)
• Header[1].jpg (Item #10392): Image related to gambling
• Hydrangeas.jpg (Item #3238): Image of flowers (Narcotics)
• Images.jpg (Item #1142): Image of dogs (Adult Pornography)
• Images2.jpg (Item #1141): Image of dogs (Adult Pornography)
• Images3.jpg (Item #1140): Image of dog (Adult Pornography)
• Images4.jpg (Item #1139): Image of dog (Adult Pornography)
• Images5.jpg (Item #1138): Image of dog (Adult Pornography)
• Images6.jpg (Item #1137): Image of dog (Adult Pornography)
• Images7.jpg (Item #1136): Image of dog (Adult Pornography)
• Index.jpg (Item #1135): Multiple images of dogs (Adult Pornography)
• MARG_photo[1].jpg (Item #10486): Flyer relating to gambling addiction
• MD_map_locations[1].jpg (Item #10852): Image of casinos in Maryland
• Roses.jpg (Item #9944): Image of flowers (Narcotics)
• Tulips.jpg (Item #3233): Picture of flowers (Narcotics)
Email files have also been found containing the following:

VM Item #74907: “Oh. Sorry. I missed Tatianna … nice photos BTW. Where did you get them?
Beauty didn’t get moved. Wasn’t that your kiddie gallery?
Suki”

VM Item #1667: “JD
What are you talking about? I only moved the files you asked me to move.
Suki”

VM Item #74908: “JD
What are you talking about? I only moved the files you asked me to move.
Suki”

VM Item #74906: “OK, ok, stop yelling at me. I get it. Just use the wiper I put up on the
cloud drive to get rid of the VM on the laptop before you get to the airport. If they ask, tell the
TSA guys that you don’t use the VM stuff … it’s just there because your company loads it on all
the laptops. I’ll build you a new VM after lunch. You’ll get everything except for Beauty and
Tatianna … that stuff is a quick trip to jail in a couple of countries. You’ll just have to do without
your “pretties” while you’re gone. Download the VM after you get to your hotel and then wipe it
when you’re done.
Anything else you want from me today? When do you leave on your trip?
Suki”
Appendix B: Supporting Documentation
1. Employment agreement signed by George Dean
2. Consent to search and monitoring of computers, media, and communications
performed or used by the employee during their employment for the company
3. PAGS Inc. Acceptable Use Policy: acceptance of restrictions on personal activities (no
gambling or gaming)
Appendix C: Glossary and Bibliography
Glossary of Terms
A. File: A collection of information logically grouped into a single entity and referenced
by a unique name.
B. Operating System: A program that runs within a computer and provides a software
platform on which other programs can run.
Bibliography
Appendix D: Schedule of Forensics Equipment and Software
Forensics Laboratory: Access provided by University of Maryland University College, Adelphi,
MD.
1. Forensic Software and Hardware Used in this Examination:
a. AccessData FTK Imager 4.1.1.1
b. AccessData Forensic ToolKit 6.2
2. Forensic Workstation Configurations:
a. Computer Name: CMIT-424-WINFOR1
i. Machine Type: Virtual
ii. Network Connection:
iii. Operating System: Windows 7 Enterprise
iv. Anti Virus: McAfee
b. Computer Name:
i. Machine Type:
ii. Network Connection:
iii. Operating System:
iv. Anti Vir…