report for lab2

[pub/jan/digfor.git] / report2 / content.tex

\newpage\section{Can you find hints or evidence on the personality of the applicant of Charles Prince? (2 points)}
It seems that more than one person was using this computer.
\subsection{Edgar Allen Poe}
\begin{itemize}
\item Most likely the previous owner of this computer.
\item eMail: \emph{\textbf{poe@x-ways.com}}\\
from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/My Documents/Inbox}}
\end{itemize}

\subsection{Charles Prince}
\begin{itemize}
\item Current owner of the computer as stated by assignment.
\item ebay: \emph{\textbf{n.o.b.o.d.y}} (maybe)\\
from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}}\\
It does not make sense that Charles Prince was interested in bidding for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}} before he knew he was going to steal that car. Also the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. This hints at an incorrect cache file.\\
\end{itemize}

\subsection{Robert Jankovics}
\begin{itemize}
\item Note: Facebook friend of Paul Staris.\\
Last modified the word-document containing the information on there the stolen car is.\\
from: \emph{\textbf{FORE:/ole/00265432.ole}}
\end{itemize}


\section{In particular, search for name, address or contact information (e.g., online nicknames). (2 points)}
The applicant is \emph{\textbf{Paul Staris}} also: \emph{\textbf{Paul Starin}}.
\begin{itemize}
\item Phone: \emph{\textbf{0650 42420815}}\\
from: \emph{\textbf{PAGEFILE:/htm/00152357.htm}}
\item facebook url: \emph{\textbf{\url{http://www.facebook.com/profile.php?id=1591750589&hiq=paul\%2Cstaris}}}\\
from: \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}}
\end{itemize}



\newpage\section{Can you find hard evidence that Charles Prince has stolen the car? (2 points)}
Based on the premise, that the applicant and Charles Prince would not share the same computer, no hard evidence could be found.

\begin{itemize}
\item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}\\
There is no sms-sent-sucessfully response anywhere to be found, which could indicate that this file was planted there for me to be found.

\item There is a confirmation of a bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}, but again no positive response from ebay. Also the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. This hints at an incorrect cache file.\\
from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}}

\item The file \emph{\textbf{FORE:/ole/00265432.ole}} contains information where the applicant can grab his new car. This document was last modified by \emph{\textbf{Robert Jankovics}}.
\end{itemize}

\section{Search for pictures of the stolen car. (2 points)}
The File \emph{\textbf{FORE:/ole/00265432.ole}} contains an Image which has the location marked by a circle. It could be that the car was parked there while the satellite image was created.\\

The File \emph{\textbf{IMAGE:/\$OrphanFiles/OrphanFile-405}} contains an Image of an ston Martin V12 Vanquish.


\section{Can you find any information on where the car is parked for delivery? (2 points)}
The File \emph{\textbf{FORE:/ole/00265432.ole}} contains the Text \emph{\textbf{You will find the car parked at 20 Park Village E}} and an satellite image which has the location marked by a circle.


\newpage\section{Find all traces of online activity that is connected with the theft. (2 points)}
\begin{itemize}
\item The email in \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}} contains \emph{\textbf{Get the car. I will pay the best price.}}.

\item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}

\item The file \emph{\textbf{FORE:/ole/00265432.ole}} contains information where the applicant can grab his new car.

\item There is an ebay-bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}. But the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. This hints at an incorrect cache file.\\
from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}}
\end{itemize}



\newpage\section{Details}
\subsection{Sources}
\subsubsection{NTFS\_Image.dd (IMAGE or FORE)}
NTFS image given. It was imported in Autopsy and some interesting files were extracted. Files referenced in this report use the \emph{\textbf{IMAGE}}-prefix. Some files were found using foremost and use the \emph{\textbf{FORE}}-prefix. 
\begin{quote}
\textbf{size}: 271401984 byte\\
\textbf{''file''-output}: DOS/MBR boot sector, Microsoft Windows XP Bootloader NTFS (german)\\
\textbf{sha512}\\\ttfamily{
4caa0188dce8219246af0a5e2c52841140fec8d33513e91d880971b19b87c8c0\\
16f946227a941e31fdfeb5f35f901c6156e500f8d5fce9bb2035d36cfec34cfa}
\end{quote}

\subsubsection{IMAGE:/pagefile.sys (PAGEFILE)}
Windows swapfile. All files were extracted using foremost and if referenced, prefixed with \emph{\textbf{PAGEFILE}}.
\begin{quote}
\textbf{size}: 104870095 byte\\
\textbf{''file''-output}: data\\
\textbf{sha512}\\\ttfamily{
2b23031eaefed7b0bb8889f0b9342b1b57dc0df884164abdee21193ca59c10c2\\
680c8638b67c64e3c7c002f492a33ef7ba820354e1443c52a6a8692189b9ba01}
\end{quote}

\subsubsection{IMAGE:/\$OrphanFiles/OrphanFile-93 (PST)}
Deleted Outlook.pst file. All emails were extracted using readpst and if referenced, prefixed with \emph{\textbf{PST}}.
\begin{quote}
\textbf{size}: 525312 byte\\
\textbf{''file''-output}: Microsoft Outlook email folder (<=2002)\\
\textbf{sha512}\\\ttfamily{
8fee4e80997aa6d515a3607a63632fa67a5b6dba57c84e3bbae4e1a0eac4a0f8\\
6c0f0b8e90d0929438a4c76ded597eb56627e0d06b9699884f966410d88310ca}
\end{quote}

\subsubsection{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}
Internet Explorer cache file. Contains a bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}. There is no corresponding file that proves taht the bid was actually placed.
\begin{quote}
\textbf{size}: 9228 byte\\
\textbf{''file''-output}: HTML document, ISO-8859 text, with very long lines, with CRLF line terminators\\
\textbf{sha512}\\\ttfamily{
23de83106dc2d777178854ebcf9c7ce72822c480e62dabbbf3a7e2c307c619ae\\
674ba389b3ead4f07d52152dfe25508cbfd699f2ae77f7d8ef990e73a2244e98}
\end{quote}

\subsubsection{FORE:/ole/00265432.ole}
File containing a satellite image of a street and the text \emph{\textbf{You will find the car parked at 20 Park Village E}}. The file was last modified by \emph{\textbf{Robert Jankovics}} and not as expected by \emph{\textbf{Charles Prince}}.
\begin{quote}
\textbf{size}: 5445632 byte\\
\textbf{''file''-output}: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Author: Robert Jankovics, Template: Normal.dotm, Last Saved By: Robert Jankovics, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Nov  9 18:28:00 2008, Last Saved Time/Date: Sun Nov  9 18:29:00 2008, Number of Pages: 1, Number of Words: 7, Number of Characters: 46, Security: 0\\
\textbf{sha512}\\\ttfamily{
0dd969ed0cf32b06a22846b77ef3ac6c94837ea09597979b64576ef3623d7d3b\\
ae28f237da514060115b38b05f13a1248761ce896369eedd0c9ebe5c1fd01093}
\end{quote}

\subsubsection{PAGEFILE:/htm/00152357.htm}
File containing a filled in sms.at-send-sms-form with the number: 0650/42420815 and the text \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}. The earliest delayed send date is \emph{\textbf{2008-11-09 18:45}}. This could indicate a crafted pagefile.sys, because the source pagefile.sys was last modified \emph{\textbf{2008-11-07 03:13:03 GMT+01:00}}.
\begin{quote}
\textbf{size}: 1048576 byte\\
\textbf{''file''-output}: HTML document, ISO-8859 text, with very long lines, with CRLF line terminators\\
\textbf{sha512}\\\ttfamily{
2b9f0dc441deb8adfbcc3608d2c43d0fc56d18e7caba1a96cd2d1aea06ba6e1c\\
b6dead07bff0ea905e134cc7351d0431a411443a82d03f79b9405900284fb5d6}
\end{quote}

\subsubsection{PST:/Personal\ Folders/Deleted\ Items/2}
Deleted unsent draft email containing html and text. It seems like this email was never sent and was only created, saved as a draft and deleted later. The text-content is:
\begin{lstlisting}
Status: RO
From: <MAILER-DAEMON>
Subject: your mission
To: 'charles.prince@freenet.com'
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--boundary-LibPST-iamunique-1921954641_-_-"

----boundary-LibPST-iamunique-1921954641_-_-
Content-Type: multipart/alternative;
        boundary="alt---boundary-LibPST-iamunique-1921954641_-_-"
--alt---boundary-LibPST-iamunique-1921954641_-_-
Content-Type: text/plain; charset="us-ascii"
Hi charles!
 
Get the car. I will pay the best price.
 
go for Aston,
your friend, Paul Starin
----------------------------
http://www.facebook.com/profile.php?id=1591750589&hiq=paul%2Cstaris

\end{lstlisting}
\begin{quote}
\textbf{size}: 3212 byte\\
\textbf{''file''-output}: HTML document, ASCII text\\
\textbf{sha512}\\\ttfamily{
524d0c7ff4c8029e2fd72c91cc76aa086fd8d12afcaea78919be8fdefa0bd389\\
b2fb16af06ace979ab7815415adf14b5e95e702814c95f529241380b15961fb0}
\end{quote}


\newpage\subsection{Used tools on GuestVM}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item Autopsy 3.0.10
\end{itemize}

\subsection{Used tools on VM-Host}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item foremost version 1.5.7
\item ReadPST / LibPST v0.6.63
\item sha512sum (GNU coreutils) 8.22
\item ls (GNU coreutils) 8.22
\item file 5.18
\end{itemize}


\subsection{Machines}
\begin{itemize}
\item \textbf{Virtual machine}\\
Windows XP Version5.1 (Build2600.xpsp\_sp3\_qfe.130704-0421 : Service Pack3)
\item \textbf{Oracle VirtualBox} 4.3.10
\item \textbf{Host machine}\\
 Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 \@ 2.50GHz GenuineIntel GNU/Linux
\end{itemize}