From 715f4f9d060a55dbd7a0f68b453a6dfb1a91664e Mon Sep 17 00:00:00 2001
From: Jan Vales
Date: Fri, 23 May 2014 22:32:57 +0200
Subject: [PATCH] lab2 abgegeben.
---
 report2/content.tex | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/report2/content.tex b/report2/content.tex
index ba45a85..04b1408 100644
--- a/report2/content.tex
+++ b/report2/content.tex
@@ -36,7 +36,8 @@ from: \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}}
 \newpage\section{Can you find hard evidence that Charles Prince has stolen the car? (2 points)}
-Based on the premise, that the applicant and Charles Prince would not share the same computer, no hard evidence could be found.
+Based on the premise, that the applicant and Charles Prince would not share the same computer, no hard evidence could be found.\\
+Some timestamps indicate that the filesystem has been tampered with and that incriminating material may have been put in there on purpose.\\
 \begin{itemize}
 \item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}\\
@@ -60,7 +61,7 @@ The File \emph{\textbf{FORE:/ole/00265432.ole}} contains the Text \emph{\textbf{
 \newpage\section{Find all traces of online activity that is connected with the theft. (2 points)}
 \begin{itemize}
-\item The email in \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}} contains \emph{\textbf{Get the car. I will pay the best price.}}.
+\item The email in \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}} contains \emph{\textbf{Get the car. I will pay the best price.}} and \emph{\textbf{go for Aston}}.
 \item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}
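Review bot: The sentence added in the `@@ -36,7 +36,8 @@` hunk, `Some timestamps indicate that the filesystem has been tampered with ...`, reports tampering without naming which timestamps, on which files, or what they were compared against, so the reader cannot check the finding. If it rests on the `last modified` values this patch adds to the evidence listing further down, name those entries and state the inconsistency, e.g. `The last-modified time of <artefact> (<timestamp>) lies after <reference event>, which is not consistent with ...`, keeping the observation apart from the conclusion that material was planted. As a matter of style, both added lines end in `\\`, the second one just ahead of the `itemize`; a paragraph break does the job without the underfull-box warning.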
@@ -89,6 +90,7 @@ Windows swapfile. All files were extracted using foremost and if referenced, pre
 \begin{quote}
 \textbf{size}: 104870095 byte\\
 \textbf{''file''-output}: data\\
+\textbf{last modified}: 2008-11-07 03:13:03 GMT+01:00\\
 \textbf{sha512}\\\ttfamily{
 2b23031eaefed7b0bb8889f0b9342b1b57dc0df884164abdee21193ca59c10c2\\
 680c8638b67c64e3c7c002f492a33ef7ba820354e1443c52a6a8692189b9ba01}
@@ -99,6 +101,7 @@ Deleted Outlook.pst file. All emails were extracted using readpst and if referen
 \begin{quote}
 \textbf{size}: 525312 byte\\
 \textbf{''file''-output}: Microsoft Outlook email folder (<=2002)\\
+\textbf{last modified}: 2008-11-07 03:02:26 GMT+01:00\\
 \textbf{sha512}\\\ttfamily{
 8fee4e80997aa6d515a3607a63632fa67a5b6dba57c84e3bbae4e1a0eac4a0f8\\
 6c0f0b8e90d0929438a4c76ded597eb56627e0d06b9699884f966410d88310ca}
@@ -109,12 +112,13 @@ Internet Explorer cache file. Contains a bid for \emph{\textbf{4 Sommerreifen f
 \begin{quote}
 \textbf{size}: 9228 byte\\
 \textbf{''file''-output}: HTML document, ISO-8859 text, with very long lines, with CRLF line terminators\\
+\textbf{last modified}: 2008-11-07 01:07:23 GMT+01:00\\
 \textbf{sha512}\\\ttfamily{
 23de83106dc2d777178854ebcf9c7ce72822c480e62dabbbf3a7e2c307c619ae\\
 674ba389b3ead4f07d52152dfe25508cbfd699f2ae77f7d8ef990e73a2244e98}
 \end{quote}
-\subsubsection{FORE:/ole/00265432.ole}
+\newpage\subsubsection{FORE:/ole/00265432.ole}
 File containing a satellite image of a street and the text \emph{\textbf{You will find the car parked at 20 Park Village E}}. The file was last modified by \emph{\textbf{Robert Jankovics}} and not as expected by \emph{\textbf{Charles Prince}}.
 \begin{quote}
 \textbf{size}: 5445632 byte\\
@@ -169,6 +173,7 @@ b2fb16af06ace979ab7815415adf14b5e95e702814c95f529241380b15961fb0}
 \end{quote}
+
 \newpage\subsection{Used tools on GuestVM}
 Tools that were used for analysis (-{}-version):
 \begin{itemize}
-- 
2.43.0
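Review bot: The `\textbf{last modified}` lines added in the `@@ -89,6 +90,7 @@` hunk, and again at `@@ -99,6 +101,7 @@` and `@@ -109,12 +112,13 @@`, give a time in `GMT+01:00` but do not say where the value was read from: the file-system metadata in the image, the artefact's own internal metadata, or the extracted copy on the analysis VM. These three mean different things, and because the first hunk of this patch argues from timestamps, each entry should state its source and any timezone conversion, along the lines of `\textbf{last modified} (<source>, read with <tool>, converted to GMT+01:00): ...`. The `quote` environments opened in these hunks close outside them, so whether other timestamps (created, accessed) are listed alongside is not visible here.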