College of Technological Innovation
MSIT 10, CIT 530 Cyber Forensics
Lab 1: Bag & Tag
Supervised by:
Dr. Farkhund Iqbal Ms. Mona Bader
Prepared By
Musaab Hasan Zayed Balbahaith Abdulrahman Sabbagh
M80006988@zu.ac.ae M80007225@zu.ac.ae M80007043@zu.ac.ae
August 24, 2016
Table of Contents
Executive Summary
Investigative Scenario
Objectives
Procedures
  A. Identification of Expected Useful Evidences
  B. Distributing tasks and duties among team members
  C. Securing the crime scene
  D. Disconnecting remote access and peripherals connections
  E. Drawing rough sketch for the crime scene
  F. Capturing, documenting, and seizing evidences
  G. Updating the sketch
  H. Handing seized items to the authorities
Analysis of seized evidences
  Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
  Evidence I: A-Data USB flash drive
  Evidences B, F, G: Handwritten notes on multiple evidences
  Evidence E: Imation 1.44MB Floppy disk
  Evidence D: MSDN Windows 2000 CD
  Evidences A, C: Journals and Magazines
Conclusions and Recommendations
References
Appendices
List of Figures
Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab
Figure 2: Crime scene picture before starting the seizure process
Figure 3: Removing network connections to prevent altering the data through
remote connection
Figure 4: Crime scene sketch
Figure 5: Seized evidences in the anti-static bags
Figure 6: Seized hard disk
Figure 7: Seized USB flash drive
Figure 8: Pictures for the evidences that included handwritten notes
Figure 9: The seized Floppy disk with a label of "@GoD"
Figure 10: Seized CD
Figure 11: Seized magazines and journals pictures
Executive Summary
This report presents the work done in the Bag and Tag lab by the members of
group #3. The crime scenario is described in the Investigative Scenario section.
The procedures followed for tagging and seizing evidence are given in the
Procedures section. The Analysis of seized evidences section presents the
reasoning followed in determining the main items of evidence, their importance
according to the triage concept, and their relation to the crime, to provide
the investigators with useful details about the crime. A set of conclusions and
suggested recommendations for the process of seizing evidence is listed in the
Conclusions and Recommendations section. The references used in conducting the
lab and writing the report are given in the References section. All processing
forms filled in and completed by the team are attached to this report in the
Appendices section.
Investigative Scenario
A search and seizure warrant notice was received for seizing and documenting
evidence in a child pornography case. The person involved in the case was
chatting to a 13-year-old girl. At the crime scene, a computer system was
found; the criminal involved in the case was not present. The team was
expected to seize the hard drive and all other related evidence.
Objectives
- To understand and learn how to secure and interact with a computer crime
scene.
- To keep track of events, and to document and sketch the crime scene.
- To acquire the skills of seizing digital and non-digital evidence using the
proper forensics tools and packaging.
- To present the collection and seizure process in a professional report that
is authentic and reproducible.
Procedures
The steps followed by the group members in performing the lab are introduced
in figure 1 and an explanation of each step is listed in the following subsections.
[Flowchart boxes: Identification of the expected useful evidences; Distributing
tasks and duties among team members; Securing and preventing unauthorized
individuals from entering the crime scene; Disconnecting remote access and
peripherals connections; Drawing rough sketch for the crime scene; Capturing
crime scene and evidences; Documenting evidences state and location; Seizing
useful evidences; Updating the sketch; Handing seized evidences to the
authorities]
Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab.
A. Identification of Expected Useful Evidences
Based on the crime type and the search scope suggested by the group members,
a list was written of the main items of evidence expected to provide useful
information in the case:
- Storage devices.
- Notes/letters.
- Date and time stamps.
- Digital cameras.
- Images.
B. Distributing tasks and duties among team members
Distributing tasks and duties among team members ensures that the event is
well documented and that less information is missed. Accordingly, one team
member was responsible for photographing the steps one by one using the digital
camera. Another member was in charge of writing notes about the crime scene and
everything done by the team, with the corresponding exact time. The last member
wore the anti-static gloves and was responsible for tagging the useful evidence
and putting it in the appropriate bags for seizure and transfer to the
responsible authorities.
C. Securing the crime scene
Securing the crime scene and preventing unauthorized individuals from entering
it is an important task, and it was performed immediately upon arrival at the
crime scene. This action ensures that the evidence at the crime scene is not
destroyed or damaged. Figure 2 shows the crime scene immediately upon arrival
and before starting the process.
Figure 2: Crime scene picture before starting the seizure process
D. Disconnecting remote access and peripherals connections
The first step performed after securing the crime scene was to remove the
Ethernet cable connected to the computer, to prevent remote access to the
device.
Figure 3: Removing network connections to prevent altering the data through remote connection
E. Drawing rough sketch for the crime scene
A rough sketch of the crime scene was drawn before touching anything or
performing any action. The location of each seized item was added to it later,
and it was redrawn using CAD software. The final sketch of the crime scene is
shown in figure 4.
[Sketch: positions of Evidence #A to #I marked on the crime scene plan; some
positions carry an asterisk.]
*The position of the evidence changed just for demonstration and the actual location is mentioned in the report
Title: Crime Scene #3 Sketch
Date & time: 24 August 2016 | 1820
MSIT10, AbuDhabi
Lab #1: Bag & Tag
CIT530: Cyber Forensics
Supervised by: Dr. Farkhund Iqbal, Ms. Mona Bader
Prepared by: Musaab Hasan, Zayed Balbahaith, Abdulrahman Sabbagh
Evidences List (columns: Tag, Description; tags #A to #I; the pairing of tags
and descriptions did not survive extraction):
- American academy forensics magazine
- IEEE Spectrum magazine
- Journal of forensic sciences
- Floppy disk written on it @GoD
- MSDN Windows 2000 CD
- A Data Flash Drive
- 500GB Seagate hard disk inside Tower PC case
- Sticky note written on it Pass. Lamof !D
- Sticky note written on it 9/9/16
Figure 4: Crime scene sketch
F. Capturing, documenting, and seizing evidences
Photographing the evidence, documenting it in notes, and seizing it were done
in parallel so that no important details of the event were missed. The tools
used for this task were anti-static bags and gloves, cable tags, evidence tags,
a notepad, a marker, labels, a digital camera, and a phone flashlight. Figure 5
shows the seized items in the anti-static bags.
Figure 5: Seized evidences in the anti-static bags
G. Updating the sketch
The exact location of each seized item is marked on the crime scene sketch for
further analysis and investigation. The final sketch was shown earlier in
figure 4.
H. Handing seized items to the authorities
At the end, the seized items were handed to the authorities, and the processing
and chain of custody forms were documented and completed. The proper
recommendations for securing and protecting the evidence while transporting it
to the lab were explained clearly to the person in charge.
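The tagging, location notes and handover described in sections F to H can also be kept as a hash-chained custody log, in which any later change to a record is detectable. This is an added Python example, not part of the original lab report: the record fields, handler roles and the handover time are assumptions, while the tags, descriptions, locations and triage order come from the report.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first log entry

# (tag, description, where found, triage rank) as given in the report's text;
# rank 1 is the most important. Evidence A's location is not stated there.
SEIZED = [
    ("A", "journal/magazine", "not stated", 6),
    ("B", "handwritten notes", "top of the computer tower case", 3),
    ("C", "journal/magazine", "drawer of the left table", 6),
    ("D", "MSDN Windows 2000 CD", "optical CD reader", 5),
    ("E", "Imation 1.44MB floppy disk", "under the computer", 4),
    ("F", "note with a password", "above the right chair", 3),
    ("G", "note with a date", "inside the pages of evidence C", 3),
    ("H", "Seagate 500GB hard disk", "inside the PC", 1),
    ("I", "A-Data USB flash drive", "below the monitor", 2),
]


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of one entry, hash field excluded."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class CustodyLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, tag, action, handler, when, note=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "tag": tag, "action": action,
                "handler": handler, "when": when, "note": note, "prev": prev}
        entry = dict(body, hash=entry_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or entry_digest(body) != entry["hash"]):
                return i
            prev = entry["hash"]
        return None

    def custodian(self, tag):
        """Current holder of an item: the handler on its most recent entry."""
        for entry in reversed(self.entries):
            if entry["tag"] == tag:
                return entry["handler"]
        return None


def triage_order(items=SEIZED):
    """Tags sorted from most to least important, ties broken by tag letter."""
    return [tag for tag, _, _, _ in sorted(items, key=lambda i: (i[3], i[0]))]


def build_demo_log():
    """Constructed sample: every item seized at the sketch time, then handed over."""
    log = CustodyLog()
    for tag, desc, found, _ in SEIZED:
        log.record(tag, "seized", "team member (bag and tag)",
                   "2016-08-24T18:20", f"{desc}; found: {found}")
    for tag in triage_order():
        # The handover time below is an assumed value, not taken from the report.
        log.record(tag, "handed over", "receiving authority", "2016-08-24T19:00")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("triage order:", triage_order())
    print("first bad entry:", log.verify())
```

Copying the hash of the last entry onto the paper chain of custody form at handover anchors the log, since a chain rewritten from some point onward would no longer end in that value.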
Analysis of seized evidences
Based on the type of crime and the evidence seized from the crime scene, the
triage concept was followed to prioritize each item of evidence by importance,
in a way that helps reveal the circumstances of the crime. The seized items are
described below from the most to the least important.
Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
The evidence was mounted inside the PC, which was running when the team
arrived. The computer hard disk is where all data is stored, and it is expected
to help in establishing the accused's previous acts and the crimes he intends
to commit. The computer was locked with a password, as was access to the BIOS,
which raises the probability that valuable data leading to the accused in the
case can be acquired from the hard disk. Figure 6 shows a picture of the seized
hard disk.
Figure 6: Seized hard disk
Evidence I: A-Data USB flash drive
The evidence was stashed below the monitor where it was difficult to see. A USB
flash drive is a portable plug-and-play memory device that is used in most
cases to save pictures and media files. Its content is expected to help in
establishing the accused's previous acts and the crimes he intends to commit. A
picture of the seized flash drive is shown in figure 7.
Figure 7: Seized USB flash drive
Evidences B, F, G: Handwritten notes on multiple evidences
Handwritten notes could lead to important information that helps in identifying
and analyzing the crime. Evidence B included random handwritten notes and was
located on top of the computer tower case; these notes include numbers for
males and females with some symbols. Evidence F was located above the right
chair and had a password written on it; this password could be the password for
an OS login page, email, chatting software, or any other useful system. A date
was written on evidence G, which was hidden inside one of the pages of evidence
C; this date had not yet passed, so more details need to be collected about it.
Pictures of the collected evidence that includes handwritten notes are shown in
figure 8.
Figure 8: Pictures for the evidences that included handwritten notes
Evidence E: Imation 1.44MB Floppy disk
The evidence was hidden under the computer CPU with the BIOS password written
on it, and the PC in the crime scene does not have a floppy drive. The floppy's
capacity is 1.44 MB, which means the data on it is small and may contain
passwords, numbers or related information that can help in the case. The BIOS
password, on a sticky note, was discovered on the outer shell of the floppy, as
shown in figure 9.
Figure 9: The seized Floppy disk with a label of "@GoD"
Evidence D: MSDN Windows 2000 CD
The evidence was found in the optical CD reader while the computer was running.
That makes it probable that the accused person was working on it before he
escaped the primary crime scene, so this CD may contain information that could
help in finding him. Although the disc carries a Microsoft label, this does not
exclude the possibility that it is meant to mislead whoever finds it.
"04618054" was written on it. This number could be a password to open the CD or
to access the device, or just a useful piece of information for the case during
the investigation. A picture of the CD is shown in figure 10.
Figure 10: Seized CD
Evidences A, C: Journals and Magazines
These magazines and journals may lead to useful information that helps in
recognizing the interests and desires of the defendant. Evidence C was located
in the drawer of the left table with 4 folded pages inside it, which may
indicate some useful information on the case. These items are not so useful
from the digital side, but from them we may learn the impressions of the
accused person, which may enable us to reach him in an indirect way. Figure 11
shows the pictures of the seized magazines and journals.
Figure 11: Seized magazines and journals pictures
Conclusions and Recommendations
- All electronic evidence must be kept away from magnetic sources.
- Each item of evidence must be labeled with the appropriate tag and kept in
the appropriate packing that will not cause any damage to it.
- On arrival at the crime scene, all remote access and peripherals
connections must be removed.
- Each detail must be documented properly in a way that allows the
investigator to reconstruct the crime scene and analyze it at any time in
the lab.
References
[1] Technical Working Group on Crime Scene Investigation, & United States of
America. (2001). Electronic Crime Scene Investigation: A Guide for First
Responders.
[2] National Institute of Standards and Technology (NIST), & United States of
America. (2004). Forensic Examination of Digital Evidence: A Guide for Law
Enforcement.
[3] Wilkinson, S., & Haagman, D. (2010). Good practice guide for computer-based
electronic evidence. Association of Chief Police Officers.
Appendices

SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Lab 1 Bag & Tag (cyber forensics)

  • 1. College of Technological Innovation
MSIT 10, CIT 530 Cyber Forensics
Lab 1: Bag & Tag
Supervised by:
Dr. Farkhund Iqbal Ms. Mona Bader
Prepared By
Musaab Hasan Zayed Balbahaith Abdulrahman Sabbagh
M80006988@zu.ac.ae M80007225@zu.ac.ae M80007043@zu.ac.ae
August 24, 2016
  • 2. Table of Contents
Executive Summary
Investigative Scenario
Objectives
Procedures
A. Identification of Expected Useful Evidences
B. Distributing tasks and duties among team members
C. Securing the crime scene
D. Disconnecting remote access and peripherals connections
E. Drawing rough sketch for the crime scene
F. Capturing, documenting, and seizing evidences
G. Updating the sketch
H. Handing seized items to the authorities
Analysis of seized evidences
Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
Evidence I: A-Data USB flash drive
Evidences B, F, G: Handwritten notes on multiple evidences
Evidence E: Imation 1.44MB Floppy disk
Evidence D: MSDN Windows 2000 CD
Evidences A, C: Journals and Magazines
Conclusions and Recommendations
References
Appendices
  • 3. List of Figures
Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab
Figure 2: Crime scene picture before starting the seizure process
Figure 3: Removing network connections to prevent altering the data through remote connection
Figure 4: Crime scene sketch
Figure 5: Seized evidences in the anti-static bags
Figure 6: Seized hard disk
Figure 7: Seized USB flash drive
Figure 8: Pictures for the evidences that included handwritten notes
Figure 9: The seized Floppy disk with a label of "@GoD"
Figure 10: Seized CD
Figure 11: Seized magazines and journals pictures
  • 4. Executive Summary
This report presents the work done in the Bag & Tag lab by the members of group #3. The scenario of the crime is described in the Investigative Scenario section. The procedures followed for tagging and seizing evidence are given in the Procedures section. The Analysis of seized evidences section presents the reasoning followed in determining the main items of evidence, their importance according to the triage concept, and their relation to the crime, in order to provide the investigators with useful details about the crime. A set of conclusions and recommendations for the process of seizing evidence is listed in the Conclusions and Recommendations section. The references used in conducting the lab and writing the report are given in the References section. All processing forms filled in and completed by the team are attached to this report in the Appendices section.

Investigative Scenario
A search and seizure warrant notice was received for seizing and documenting evidence in a child pornography case. The person involved in the case was chatting with a 13-year-old girl. At the scene of the crime, a computer system was found without the presence of the criminal involved in the case. The team was expected to seize the hard drive and all other related evidence.

Objectives
- To understand and learn how to secure and interact with a computer crime scene.
- To keep track of the events, document, and sketch the scene of the crime.
- To acquire the skills of seizing digital and non-digital evidence using the proper forensics tools and packaging.
- To present the process of collection and seizing in a professional report that is authentic and reproducible.
  • 5. Procedures
The steps followed by the group members in performing the lab are introduced in figure 1, and each step is explained in the following subsections.

Flowchart boxes:
- Identification of the expected useful evidences
- Distributing tasks and duties among team members
- Capturing crime scene and evidences
- Documenting evidences state and location
- Seizing useful evidences
- Securing and preventing unauthorized individuals from entering the crime scene
- Disconnecting remote access and peripherals connections
- Handing seized evidences to the authorities
- Drawing rough sketch for the crime scene
- Updating the sketch

Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab.
  • 6. A. Identification of Expected Useful Evidences
Based on the crime type and the search scope suggested by the group members, the group wrote a list of the main types of evidence expected to provide useful information in the case:
- Storage devices.
- Notes/letters.
- Date and time stamps.
- Digital cameras.
- Images.

B. Distributing tasks and duties among team members
Distributing tasks and duties among team members ensures that the event is well documented and that less information is missed. Accordingly, one team member was responsible for capturing the steps one by one using the digital camera. Another member was in charge of writing notes about the crime scene and everything done by the team, with the corresponding exact time. The last member wore the anti-static gloves and was responsible for tagging the useful items of evidence and putting them in the appropriate bags for seizure and transfer to the responsible authorities.

C. Securing the crime scene
Securing the crime scene and preventing unauthorized individuals from entering it is an important task, and it was performed directly upon arrival at the crime scene. This ensures that the evidence in the crime scene is not destroyed or damaged. Figure 2 shows the crime scene directly upon arrival and before starting the process.

Figure 2: Crime scene picture before starting the seizure process
  • 7. D. Disconnecting remote access and peripherals connections
The first step performed after securing the crime scene was to remove the Ethernet cable that was connected to the computer, to prevent remote access to the device.

Figure 3: Removing network connections to prevent altering the data through remote connection

E. Drawing rough sketch for the crime scene
A rough drawing of the crime scene was made before touching anything or performing any action. The location of each seized item was added to this drawing later, and it was redrawn using CAD software. The final sketch of the crime scene is shown in figure 4.
  • 8. [Figure 4 content: sketch marking the positions of Evidence #A through Evidence #I, with #H marked *.]
*The position of the evidence changed just for demonstration and the actual location is mentioned in the report

Title: Crime Scene #3 Sketch
Date & time: 24 August 2016 | 1820
MSIT10, AbuDhabi
Lab #1: Bag & Tag
CIT530: Cyber Forensics
Supervised by: Dr. Farkhund Iqbal, Ms. Mona Bader
Prepared by: Musaab Hasan, Zayed Balbahaith, Abdulrahman Sabbagh

Evidences List (tags #A to #I), descriptions:
- American academy forensics magazine
- IEEE Spectrum magazine
- Journal of forensic sciences
- Floppy disk written on it @GoD
- MSDN Windows 2000 CD
- A Data Flash Drive
- 500GB Seagate hard disk inside Tower PC case
- Sticky note written on it Pass. Lamof !D
- Sticky note written on it 9/9/16

Figure 4: Crime scene sketch

F. Capturing, documenting, and seizing evidences
Capturing by camera, documenting by notes, and seizing the evidence were done in parallel to ensure that no important details of the event were missed. The tools used in accomplishing this task were anti-static bags and gloves, cable tags, evidence tags, notepad, marker, labels, digital camera, and phone flashlight. Figure 5 shows the seized items in the anti-static bags.

Figure 5: Seized evidences in the anti-static bags
  • 9. G. Updating the sketch
The exact actual location of each seized item is marked on the crime scene sketch for further analysis and investigation. The final sketch was shown earlier in figure 4.

H. Handing seized items to the authorities
At the end, the seized items were handed to the authorities while documenting and completing the processing and chain of custody forms. The proper recommendations for securing and protecting the evidence while transporting it to the lab were explained clearly to the person in charge.
  • 10. Analysis of seized evidences
According to the type of the crime and the evidence seized from the crime scene, the triage concept was followed to prioritize each item of evidence in a way that helps in revealing the circumstances of the crime. The seized items are listed below from the most to the least important.

Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
The evidence was mounted inside the PC, which was running upon the arrival of the team. The computer hard disk is where all data are stored, and it is expected to help in identifying the prior acts of the accused and the crimes he intends to commit. The computer was locked with a password, as was access to the BIOS, which raises the probability that valuable data leading to the accused person in the case can be acquired from the hard disk. Figure 6 shows a picture of the seized hard disk.

Figure 6: Seized hard disk

Evidence I: A-Data USB flash drive
The evidence was stashed below the monitor in a way that made it difficult to see. A USB flash drive is a portable plug & play memory that is used in most cases to save pictures and media files. Its content is expected to help in identifying the prior acts of the accused and the crimes he intends to commit. A picture of the seized flash drive is shown in figure 7.

Figure 7: Seized USB flash drive
  • 11. Evidences B, F, G: Handwritten notes on multiple evidences
Handwritten notes could lead to important information that helps in identifying and analyzing the crime. Evidence B included random handwritten notes and was located on top of the computer tower case; these notes include numbers for males and females with some symbols. Evidence F was located above the right chair and had a password written on it; this could be the password for an OS login page, email, chat software, or any other useful system. A date was written on evidence G, which was hidden inside one of the pages of evidence C; this date has not yet passed, so more details need to be collected about it. The pictures of the collected items that include handwritten notes are shown in figure 8.

Figure 8: Pictures for the evidences that included handwritten notes

Evidence E: Imation 1.44MB Floppy disk
The evidence was hidden under the computer CPU with the BIOS password written on it, and the PC in the crime scene does not have a floppy drive reader. The floppy size is 1.44 MB, which means the data on it is small; it may contain passwords, numbers, or other related information that can help with the case. The BIOS password on a sticky note was discovered on the outer shell of the floppy, as shown in figure 9.

Figure 9: The seized Floppy disk with a label of "@GoD"
  • 12. Evidence D: MSDN Windows 2000 CD
The evidence was found in the optical CD reader while the computer was running. This suggests that the accused person was probably working with it before he escaped the primary crime scene, so this CD may contain information that could help in finding him. Although the disc carries Microsoft's cover, this does not exclude an attempt to mislead whoever finds it. "04618054" was written on it. This number could be a password to open the CD, to access the device, or just information that is useful to the case during the investigation. A picture of the CD is shown in figure 10.

Figure 10: Seized CD

Evidences A, C: Journals and Magazines
These magazines and journals may lead to useful information that helps in recognizing the interests and desires of the defendant. Evidence C was located on the drawer of the left table with 4 folded pages inside it, which may indicate some useful information on the case. These items are not so useful from the digital side, but from them we may learn the impressions of the accused person, which may enable us to reach him in an indirect way. Figure 11 shows the pictures of the seized magazines and journals.

Figure 11: Seized magazines and journals pictures
  • 13. Conclusions and Recommendations
- All electronic evidence must be kept away from magnetic sources.
- Each item of evidence must be labeled with the appropriate tag and kept in appropriate packing that will not cause any damage to it.
- After arrival at the scene of the crime, all remote access and peripheral connections must be removed.
- Each detail must be documented properly in a way that allows the investigator to reconstruct the crime scene and analyze it at any time in the lab.

References
[1] Technical Working Group on Crime Scene Investigation, & United States of America. (2001). Electronic Crime Scene Investigation: A Guide for First Responders.
[2] National Institute of Standards and Technology (NIST), & United States of America. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
[3] Wilkinson, S., & Haagman, D. (2010). Good practice guide for computer-based electronic evidence. Association of Chief Police Officers.