Ccsi460 Week 4 Lab

Category: Science and Technology

Date Submitted: 04/21/2013 11:33 PM

CCSI460 Forensic Lab Report

Investigator’s Name:

Date of Investigation:

Lab Number and Title: Lab 4 – Hard Drive Image Analysis

Summary of Findings:

I was given the task of reviewing an image of a suspect hard drive containing 1744 evidence files. The investigation was to ascertain how the company’s source code was exposed, who did it and when it happened. I was also asked to look for any other questionable activity within the company, to include civil liability and criminal activity. I reviewed the 1744 files in question, using keyword searches on the file folders. Several files showed suspicious activity, but one particular email with an attachment was the main piece of evidence found. The particular file was an email that was sent from Denny Vette to the email address mrbig@second.source.ru, on Tuesday, January 1, 2002 at 23:09:06 -0500. The email body said, “Big, here’s the picture that I promised you. As agreed, you’ll pay me $100K now and the rest later.” The picture that was attached appeared to be of the Grand Canyon, but in fact was a steganographic file, harboring a text file with the company’s source code contained within it. It is therefore my belief that Denny Vette is the employee who exposed the company’s source code for monetary gain of $100,000. I didn’t find other files that I thought specifically indicated other civil liability or criminal activity. The suspicious files that I did find all seemed to relate to the source code exposure.

Details of Investigation:

This investigation took place at………… The investigation was begun by (Name) at 8:15pm on Thursday, March 28, 2013 and ended at 11:15pm on Monday, April 1, 2013.

Thursday, March 28, 2013, 8:15pm – Opened the previously added image evidence file in FTK and began the investigation.

Thursday, March 28, 2013, 8:16 – 8:26pm – Reviewed 3 deleted files on the image, which all appeared to be emails. Didn’t really see any suspicious content here....