From e589b198d79e928121cffb27a23adc136e85d725 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Fri, 23 May 2014 22:17:05 +0200 Subject: [PATCH] report for lab2 --- report2/content.tex | 153 ++++++++++++++++++++++++++++++++++++++++---- report2/main.tex | 11 ++++ 2 files changed, 151 insertions(+), 13 deletions(-) diff --git a/report2/content.tex b/report2/content.tex index 7128bd4..ba45a85 100644 --- a/report2/content.tex +++ b/report2/content.tex 
@@ -1,40 +1,81 @@ \newpage\section{Can you find hints or evidence on the personality of the applicant of Charles Prince? (2 points)} +It seems that more than one person was using this computer. +\subsection{Edgar Allen Poe} +\begin{itemize} +\item Most likely the previous owner of this computer. +\item eMail: \emph{\textbf{poe@x-ways.com}}\\ +from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/My Documents/Inbox}} +\end{itemize} +\subsection{Charles Prince} +\begin{itemize} +\item Current owner of the computer as stated by assignment. +\item ebay: \emph{\textbf{n.o.b.o.d.y}} (maybe)\\ +from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}}\\ +It does not make sense that Charles Prince was interested in bidding for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}} before he knew he was going to steal that car. Also the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. This hints at an incorrect cache file.\\ +\end{itemize} -\newpage\section{In particular, search for name, address or contact information (e.g., online nicknames). (2 points)} -Online nicks: n.o.b.o.d.y (ebay) +\subsection{Robert Jankovics} +\begin{itemize} +\item Note: Facebook friend of Paul Staris.\\ +Last modified the word-document containing the information on there the stolen car is.\\ +from: \emph{\textbf{FORE:/ole/00265432.ole}} +\end{itemize} -\newpage\section{Can you find hard evidence that Charles Prince has stolen the car? (2 points)} -Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm is an ebay bid page for "4 Sommerreifen für Aston Martin V12 Vanquish" +\section{In particular, search for name, address or contact information (e.g., online nicknames). 
(2 points)} +The applicant is \emph{\textbf{Paul Staris}} also: \emph{\textbf{Paul Starin}}. +\begin{itemize} +\item Phone: \emph{\textbf{0650 42420815}}\\ +from: \emph{\textbf{PAGEFILE:/htm/00152357.htm}} +\item facebook url: \emph{\textbf{\url{http://www.facebook.com/profile.php?id=1591750589&hiq=paul\%2Cstaris}}}\\ +from: \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}} +\end{itemize} -pagefile.sys contains a sms.at-send-sms-page to 42420815 content: I have stolen the Aston. You can get it at the arranged place. greetz, charles prince. +\newpage\section{Can you find hard evidence that Charles Prince has stolen the car? (2 points)} +Based on the premise, that the applicant and Charles Prince would not share the same computer, no hard evidence could be found. -\newpage\section{Search for pictures of the stolen car. (2 points)} -there is a poster. +\begin{itemize} +\item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}\\ +There is no sms-sent-sucessfully response anywhere to be found, which could indicate that this file was planted there for me to be found. +\item There is a confirmation of a bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}, but again no positive response from ebay. Also the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. This hints at an incorrect cache file.\\ +from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}} -\newpage\section{Can you find any information on where the car is parked for delivery? (2 points)} +\item The file \emph{\textbf{FORE:/ole/00265432.ole}} contains information where the applicant can grab his new car. 
This document was last modified by \emph{\textbf{Robert Jankovics}}. +\end{itemize} +\section{Search for pictures of the stolen car. (2 points)} +The File \emph{\textbf{FORE:/ole/00265432.ole}} contains an Image which has the location marked by a circle. It could be that the car was parked there while the satellite image was created.\\ -\newpage\section{Find all traces of online activity that is connected with the theft. (2 points)} +The File \emph{\textbf{IMAGE:/\$OrphanFiles/OrphanFile-405}} contains an Image of an ston Martin V12 Vanquish. +\section{Can you find any information on where the car is parked for delivery? (2 points)} +The File \emph{\textbf{FORE:/ole/00265432.ole}} contains the Text \emph{\textbf{You will find the car parked at 20 Park Village E}} and an satellite image which has the location marked by a circle. +\newpage\section{Find all traces of online activity that is connected with the theft. (2 points)} +\begin{itemize} +\item The email in \emph{\textbf{PST:/Personal\ Folders/Deleted\ Items/2}} contains \emph{\textbf{Get the car. I will pay the best price.}}. +\item The file \emph{\textbf{PAGEFILE:/htm/00152357.htm}} contains a sms.at-send-sms-page to \emph{\textbf{0650 42420815}} with the content: \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}} +\item The file \emph{\textbf{FORE:/ole/00265432.ole}} contains information where the applicant can grab his new car. +\item There is an ebay-bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}. But the file was Modified: 2008-11-07 01:07:23 GMT+01:00; Accessed: 2006-11-27 16:08:07 GMT+01:00; Created: 2004-05-03 17:17:40 GMT+01:00. 
This hints at an incorrect cache file.\\ +from: \emph{\textbf{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm}} +\end{itemize} \newpage\section{Details} -\subsection{Files} -\subsubsection{NTFS\_Image.dd} -NTFS image at the beginning. +\subsection{Sources} +\subsubsection{NTFS\_Image.dd (IMAGE or FORE)} +NTFS image given. It was imported in Autopsy and some interesting files were extracted. Files referenced in this report use the \emph{\textbf{IMAGE}}-prefix. Some files were found using foremost and use the \emph{\textbf{FORE}}-prefix. \begin{quote} \textbf{size}: 271401984 byte\\ \textbf{''file''-output}: DOS/MBR boot sector, Microsoft Windows XP Bootloader NTFS (german)\\ 
@@ -43,8 +84,92 @@ NTFS image at the beginning. 16f946227a941e31fdfeb5f35f901c6156e500f8d5fce9bb2035d36cfec34cfa} \end{quote} +\subsubsection{IMAGE:/pagefile.sys (PAGEFILE)} +Windows swapfile. All files were extracted using foremost and if referenced, prefixed with \emph{\textbf{PAGEFILE}}. +\begin{quote} +\textbf{size}: 104870095 byte\\ +\textbf{''file''-output}: data\\ +\textbf{sha512}\\\ttfamily{ +2b23031eaefed7b0bb8889f0b9342b1b57dc0df884164abdee21193ca59c10c2\\ +680c8638b67c64e3c7c002f492a33ef7ba820354e1443c52a6a8692189b9ba01} +\end{quote} + +\subsubsection{IMAGE:/\$OrphanFiles/OrphanFile-93 (PST)} +Deleted Outlook.pst file. All emails were extracted using readpst and if referenced, prefixed with \emph{\textbf{PST}}. +\begin{quote} +\textbf{size}: 525312 byte\\ +\textbf{''file''-output}: Microsoft Outlook email folder (<=2002)\\ +\textbf{sha512}\\\ttfamily{ +8fee4e80997aa6d515a3607a63632fa67a5b6dba57c84e3bbae4e1a0eac4a0f8\\ +6c0f0b8e90d0929438a4c76ded597eb56627e0d06b9699884f966410d88310ca} +\end{quote} + +\subsubsection{IMAGE:/Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm} +Internet Explorer cache file. Contains a bid for \emph{\textbf{4 Sommerreifen für Aston Martin V12 Vanquish}}. There is no corresponding file that proves taht the bid was actually placed. +\begin{quote} +\textbf{size}: 9228 byte\\ +\textbf{''file''-output}: HTML document, ISO-8859 text, with very long lines, with CRLF line terminators\\ +\textbf{sha512}\\\ttfamily{ +23de83106dc2d777178854ebcf9c7ce72822c480e62dabbbf3a7e2c307c619ae\\ +674ba389b3ead4f07d52152dfe25508cbfd699f2ae77f7d8ef990e73a2244e98} +\end{quote} + +\subsubsection{FORE:/ole/00265432.ole} +File containing a satellite image of a street and the text \emph{\textbf{You will find the car parked at 20 Park Village E}}. The file was last modified by \emph{\textbf{Robert Jankovics}} and not as expected by \emph{\textbf{Charles Prince}}. 
+\begin{quote} +\textbf{size}: 5445632 byte\\ +\textbf{''file''-output}: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Author: Robert Jankovics, Template: Normal.dotm, Last Saved By: Robert Jankovics, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Nov 9 18:28:00 2008, Last Saved Time/Date: Sun Nov 9 18:29:00 2008, Number of Pages: 1, Number of Words: 7, Number of Characters: 46, Security: 0\\ +\textbf{sha512}\\\ttfamily{ +0dd969ed0cf32b06a22846b77ef3ac6c94837ea09597979b64576ef3623d7d3b\\ +ae28f237da514060115b38b05f13a1248761ce896369eedd0c9ebe5c1fd01093} +\end{quote} + +\subsubsection{PAGEFILE:/htm/00152357.htm} +File containing a filled in sms.at-send-sms-form with the number: 0650/42420815 and the text \emph{\textbf{I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.}}. The earliest delayed send date is \emph{\textbf{2008-11-09 18:45}}. This could indicate a crafted pagefile.sys, because the source pagefile.sys was last modified \emph{\textbf{2008-11-07 03:13:03 GMT+01:00}}. +\begin{quote} +\textbf{size}: 1048576 byte\\ +\textbf{''file''-output}: HTML document, ISO-8859 text, with very long lines, with CRLF line terminators\\ +\textbf{sha512}\\\ttfamily{ +2b9f0dc441deb8adfbcc3608d2c43d0fc56d18e7caba1a96cd2d1aea06ba6e1c\\ +b6dead07bff0ea905e134cc7351d0431a411443a82d03f79b9405900284fb5d6} +\end{quote} + +\subsubsection{PST:/Personal\ Folders/Deleted\ Items/2} +Deleted unsent draft email containing html and text. It seems like this email was never sent and was only created, saved as a draft and deleted later. 
The text-content is: +\begin{lstlisting} +Status: RO +From: +Subject: your mission +To: 'charles.prince@freenet.com' +MIME-Version: 1.0 +Content-Type: multipart/mixed; + boundary="--boundary-LibPST-iamunique-1921954641_-_-" + +----boundary-LibPST-iamunique-1921954641_-_- +Content-Type: multipart/alternative; + boundary="alt---boundary-LibPST-iamunique-1921954641_-_-" +--alt---boundary-LibPST-iamunique-1921954641_-_- +Content-Type: text/plain; charset="us-ascii" +Hi charles! + +Get the car. I will pay the best price. + +go for Aston, +your friend, Paul Starin +---------------------------- +http://www.facebook.com/profile.php?id=1591750589&hiq=paul%2Cstaris + +\end{lstlisting} +\begin{quote} +\textbf{size}: 3212 byte\\ +\textbf{''file''-output}: HTML document, ASCII text\\ +\textbf{sha512}\\\ttfamily{ +524d0c7ff4c8029e2fd72c91cc76aa086fd8d12afcaea78919be8fdefa0bd389\\ +b2fb16af06ace979ab7815415adf14b5e95e702814c95f529241380b15961fb0} +\end{quote} + -\subsection{Used tools on GuestVM} +\newpage\subsection{Used tools on GuestVM} Tools that were used for analysis (-{}-version): \begin{itemize} \item Autopsy 3.0.10 @@ -53,6 +178,8 @@ Tools that were used for analysis (-{}-version): \subsection{Used tools on VM-Host} Tools that were used for analysis (-{}-version): \begin{itemize} +\item foremost version 1.5.7 +\item ReadPST / LibPST v0.6.63 \item sha512sum (GNU coreutils) 8.22 \item ls (GNU coreutils) 8.22 \item file 5.18 diff --git a/report2/main.tex b/report2/main.tex index 283d604..1f4b22d 100644 --- a/report2/main.tex +++ b/report2/main.tex @@ -98,6 +98,17 @@ % quotes \usepackage[babel,german=quotes]{csquotes} +\usepackage{listings} +\lstset{literate=% +{Ö}{{\"O}}1 +{Ä}{{\"A}}1 +{Ü}{{\"U}}1 +{ß}{{\ss}}2 +{ü}{{\"u}}1 +{ä}{{\"a}}1 +{ö}{{\"o}}1 +} + % START DOCUMENT \begin{document}\thispagestyle{empty} -- 2.43.0
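Review bot: the first hunk of report2/content.tex (@@ -1,40 +1,81 @@) has a naming inconsistency and several typos that should be fixed before this lands: the subsection title reads "Edgar Allen Poe" while every path uses "EdgarAllanPoe"; "the information on there the stolen car is" should be "where"; "ston Martin V12 Vanquish" is missing the "A"; "sucessfully" should be "successfully"; "planted there for me to be found" reads better as "planted there for me to find". The MAC timestamps of eBayISAPI[8].htm ("Modified: 2008-11-07 01:07:23 ...; Accessed: 2006-11-27 16:08:07 ...; Created: 2004-05-03 17:17:40 ...") and the "incorrect cache file" conclusion are repeated verbatim three times; state them once (the Details subsection for that file is the natural place, and currently omits them) and refer back. Finally, `\url{...}` is wrapped in `\emph{\textbf{...}}`, which stops \url from reading its argument verbatim (that is why `\%` was needed); put the URL outside the formatting macros so `%2C` can be written as-is.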
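Review bot: in the second hunk of report2/content.tex (@@ -43,8 +84,92 @@) the "crafted pagefile.sys" argument given for PAGEFILE:/htm/00152357.htm (delayed send date 2008-11-09 18:45 after the pagefile's last modification 2008-11-07 03:13:03) applies equally to FORE:/ole/00265432.ole, whose `file` output shows "Create Time/Date: Sun Nov 9 18:28:00 2008" and "Last Saved Time/Date: Sun Nov 9 18:29:00 2008", yet that paragraph draws no such conclusion; apply the reasoning to both artefacts or say why it does not hold for the carved document. Because the conclusion rests on timestamp comparison, the pagefile mtime should also state which source it comes from: NTFS keeps both $STANDARD_INFORMATION and $FILE_NAME timestamps, only the former is trivially editable by user-mode tools, and the report already suspects tampering. Minor: "proves taht the bid" should be "that", and `\ttfamily{` followed by a group uses a font declaration as if it took an argument; `\texttt{...}` around each hash is the intended form.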
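Review bot: the third hunk of report2/content.tex (@@ -53,6 +178,8 @@) adds "foremost version 1.5.7" and "ReadPST / LibPST v0.6.63" to the tool list, but versions alone do not make the Sources section reproducible: the sizes and sha512 sums of the carved files (for example the exactly 1048576-byte PAGEFILE:/htm/00152357.htm) depend on the foremost configuration and type selection (-c/-t) and on the readpst output options, so record the exact command lines next to the tool versions.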
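Review bot: the report2/main.tex hunk (@@ -98,6 +98,17 @@) configures listings only with a `literate` table for umlauts, while the lstlisting this commit adds to content.tex contains lines well over the text width (the `boundary="--boundary-LibPST-iamunique-1921954641_-_-"` lines and the facebook URL); add `breaklines=true` and a `basicstyle` such as `\small\ttfamily` to the same `\lstset` so the email listing stays inside the margin.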