Advanced LI PDF.001 / Advanced LI PDF.002 / Advanced LI PDF.003
Property Record Number: ________________________
Anywhere Police Department
EVIDENCE CHAIN OF CUSTODY TRACKING FORM
Case Number: ________________________ Offense: ______________________________
Submitting Officer: (Name/ID#) _______________________________________________
Victim: ______________________________________________________________________
Suspect: _____________________________________________________________________
Date/Time Seized: __________________ Location of Seizure: ______________________
Description of Evidence
Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches)
Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location
APD_Form_#PE003_v.1 (12/2012) Page 1 of 2 pages (See back)
EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM (Continued)
Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location
Final Disposal Authority
Authorization for Disposal
Item(s) #: __________ on this document pertaining to (suspect): ____________________________________________ is(are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method)
☐ Return to Owner ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer: ____________________________ Signature: ______________________ Date: _______________
Witness to Destruction of Evidence
Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ ID#: ______ in my presence on (date) __________________________.
Name & ID# of Witness to destruction: ________________________ Signature: ______________________ Date: _______________
Release to Lawful Owner
Item(s) #: __________ on this document was/were released by Evidence Custodian ________________________ ID#: _________ to
Name: _____________________________________________________
Address: ________________________________________________ City: ____________________ State: _______ Zip Code: __________
Telephone Number: (_____) ___________________________________
Under penalty of law, I certify that I am the lawful owner of the above item(s).
Signature: _____________________________________________________ Date: __________________________
Copy of Government-issued photo identification is attached. ☐ Yes ☐ No
This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
APD_Form_#PE003_v.1 (12/2012) Page 2 of 2 pages (See front)
Technical Working Group on Biological Evidence Preservation. The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology. 2013.
Forensic Analysis with Linux
Digital Forensic Examination Assignment
Instructions
Part I.
Examination Request:
You have been hired as a computer forensic examiner by the FSB (Federal Security Bureau). Mel Torme, your supervisor, brings you a hard drive containing an acquired forensic image. Mr. Torme tells you that the image was created from a suspect hard drive that was found on the side of the road by a Deputy Sheriff.
Factual Case Background:
The Sheriff’s Office examination request report says that an anonymous caller telephoned the Sheriff’s Office and told a Sheriff’s Investigator where the suspect hard drive could be found, and that it contained evidence of possible illegal hacking activity. The Sheriff’s Office investigators obtained a search warrant from a judge that authorized the Sheriff’s Office Investigators to search the suspect hard drive for possible evidence of illegal hacking activity.
Examination Tools:
You will use Linux to conduct a logical digital forensic examination and analysis of the suspect drive.
Your Examination Responsibilities:
Your job is to conduct a digital forensic examination and analysis of the suspect image in order to identify any possible illegal hacking activity PER the search warrant (password hacking).
Practice Note: It is not uncommon for a digital forensics examiner, while conducting a digital forensic examination, to inadvertently come across or discover evidence of other illegal activity that is NOT PART OF THE AUTHORIZED SCOPE OF THE ORIGINAL SEARCH WARRANT. When this inadvertent discovery occurs, the examiner MUST stop the examination, report the suspected new evidence to his/her supervisor(s) or case agent, and a NEW search warrant authorizing a broader digital forensics examination scope must be obtained, based on the newly discovered evidence.
For example, if you have a search warrant for suspected illegal hacking activity (as in this digital forensics examination assignment you are working on) and you inadvertently come across ANY OTHER possible evidence of a different type of criminal activity than you are originally authorized to search for, you MUST obtain a new search warrant to continue your digital forensic examination.
Possible Illegal Activity Clues You May Find
If I were a betting Professor, I would assume that there might be some evidence of other illegal activities on the hard drive, besides hacking (hint hint, nod nod, wink wink). The following is a list of possible illegal activities that come to mind. If any evidence of these possible illegal activities exists on the suspect hard drive, it will be very apparent to you during a thorough digital forensics investigation. Your examination might reveal any of the following illegal activities:
• Gun running
• Underage drinking
• Insider trading
• Kitty porn (any photos of underage kittens)
• Credit card fraud/theft (stolen credit card numbers)
• Impersonating an officer
• Jay walking
Based upon our limited knowledge of the background case facts, I am certain the owner of the hard drive was NOT involved in ALL of the above listed illegal activities, but I am confident he/she was involved in a FEW of them. Let’s see what your examination reveals.
Part II.
Getting Started - Known Tool Hash Values:
We’ll start our examination by searching for password cracking tools. Listed below are some known SHA-1 hash values of popular password cracking tools:
• 620aca6bff27950df3ec81e9909be3e05b6bed81 john.exe
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
Case Examination Assumptions:
1. IF YOU FIND EVIDENCE OF ANY OF THE ABOVE-LISTED ADDITIONAL CRIMINAL ACTIVITIES, YOU MUST ACKNOWLEDGE IT IN YOUR NOTES AND IN YOUR LAB REPORT AS A BASIS FOR REQUESTING A SEARCH WARRANT.
a. You must tell me WHAT you found and request a new search warrant.
2. You will download the “UpdatedLab.dd” file from the project resources download page to your lab virtual machine’s “Downloads” folder as instructed in Step II below. Then, you will work from the “Downloads” folder of your lab Virtual Machine “NIXATK01”, as your evidence folder.
3. All commands will be run from the “~/Downloads/lab2” command line prompt unless otherwise noted.
4. Important: You should run the date command before running each command identified in this examination assignment. Although I don’t indicate running the date command in each of the following command instructions, running the date command should be your continuous practice to get valid results, as you perform your lab examination.
5. Complete your Lab Notes WHILE you are working through this exercise!
Steps Taken (A Simple Version)
1. Received evidence
2. Mount the drive read only
3. Hash files
4. Use hashes to search for password cracking tools
5. Identify last usage of password cracking tools
6. Find other evidence of password cracking, such as password hashes
7. Search for graphics files
8. Search for compressed files
Important: Your “Steps Taken” notes should be a bit more detailed than the list above.
Access to Virtual Lab Environment
Virtual Machine Credentials
Username: StudentFirst
Password: [email protected]
Steps to access the Linux Virtual Machine
Part II.
Step 1. Login to “NIXFOR01”
Enter the VM Credentials to connect to it.
Press the space bar on your keyboard to get the login prompt.
Enter StudentFirst for the “Username” and [email protected] for the password.
Step II.
Double Click Lab Resources
Click on > Applications
Click on > Download Project Resources
Click on > “UpdatedLab.dd” under Project 2 > Save File
Note: Depending on the browser being used, the above step might be different.
Go to the Applications menu > Click on “Terminal” to open a Terminal window.
Step 3
Forensic Procedures
1. Receive the evidence (see examination tasking) [Can’t follow this-Review]
In the NIXFOR01 VM:
Type:
cd Downloads
Then Type and Enter:
ls
Note the listed file name: ____________________
2. To verify the hash value of the image file, Type and Enter:
sha1sum UpdatedLab.dd
_____________________________________________
Note the sha1 hash value number displayed.
3. Compare your hash value number above to the original file hash value below for the “UpdatedLab.dd” file image. The two values must match exactly before you continue; a mismatch means the copy you downloaded is not the acquired image and must not be examined.
Original: 42ba069b68620a8c0ea6c4804c9e371d1bb358ba “UpdatedLab.dd”
4. Now, create a new directory “lab2” in the “~/Downloads” directory of “NIXFOR01”.
a. Type and Enter:
mkdir lab2
b. To verify the lab2 directory exists, Type and Enter:
ls
5. Mount the image on the new directory:
a. Type and Enter:
sudo mount -t auto -o ro,loop ./UpdatedLab.dd ./lab2
b. To verify that the image mounted properly, Type and Enter:
mount
The line for lab2 in the output should show the ro option; that read-only mount is what keeps the evidence image unchanged while you examine it.
6. Change directory to lab2, Type and Enter:
cd lab2
7. Create a hash set for all the files on the hard drive (mounted image).
a. Type and enter the following command:
sudo find . -type f -exec sha1sum {} \; > ../updatedlab.sha1 2>/dev/null
Note: This command finds all regular files and runs sha1sum on each of them, saving the output to the file updatedlab.sha1 in the directory above lab2. The 2>/dev/null at the end tells the shell to discard error messages (for example, files that sha1sum cannot read) instead of mixing them into the hash list.
b. To view the file “updatedlab.sha1”, Type and Enter:
less ../updatedlab.sha1
Note that the list is not sorted.
c. Run the command below to sort the list by hash value and then save the results to a new file. Type and Enter:
sort ../updatedlab.sha1 > ../sortedupdatedlab.sha1
d. To view the file, Type and Enter:
less ../sortedupdatedlab.sha1
e. You should see a display that looks like the display below:
Note: The lines are now sorted by hash value. Now we can search the sorted list for the hashes of the password crackers listed in the Part I “Getting Started - Known Tool Hash Values” hint section above.
f. Press “Q” on your keyboard to exit.
8. Search for “John the Ripper” first. The first few characters of its sha1 hash are 620aca.
a. Type the forward slash ‘/’ and then type the first few sha1 hash characters “620aca”, then press “Enter”.
________________________________________________
Note whether you found the John the Ripper hash value.
b. Continue looking for the remaining password cracker hash values listed in the Part I “Getting Started - Known Tool Hash Values” hint section above. Repeat Steps 8 and 8a above to locate the following hash value strings:
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
__________________________________
How many did you find? ________________________________________
Identify where each hash value you found is located.
Report your hash value findings in your notes!
c. Press “Q” on your keyboard to exit.
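As an added example (not part of the lab handout), the following POSIX shell script does Steps 7 and 8 in one pass: it builds the sorted SHA-1 hash set of a mounted image and joins it against a “<sha1> <tool name>” list like the hint list, so every hit is reported together with its path instead of being located by hand in less. The image directory and list file are assumed arguments, and the sample tree and “known” hash inside demo_match are constructed for the demonstration, not taken from the lab image.

```shell
#!/bin/sh
# Added example, not from the lab handout: hash every file under a mounted
# image, sort by hash, and match against a "<sha1> <tool name>" list such as
# the lab's hint list. The C locale is forced so that join sees exactly the
# ordering that sort produced.
export LC_ALL=C

# Hash every regular file under $1. Output is "<sha1>  <path>", sorted by
# hash, which is the form that can be searched in less with "/<hash prefix>".
build_hashset() {
    find "$1" -type f -exec sha1sum {} + 2>/dev/null | sort
}

# Join a sorted hashset file ($1) against a known-hash list ($2, one
# "<sha1> <name>" per line). Output: "<sha1> <path> <name>" per hit.
match_known() {
    sort "$2" | join -j 1 "$1" - | sort
}

# Self-contained demonstration on a constructed tree (not the lab image).
# The SHA-1 of the three bytes "abc" is the standard test vector
# a9993e364706816aba3e25717850c26c9cd0d89d; it is listed as a pretend
# cracker hash so that run/john.exe matches and the empty readme does not.
demo_match() {
    work=$(mktemp -d)
    mkdir -p "$work/image/run"
    printf 'abc' > "$work/image/run/john.exe"
    : > "$work/image/readme.txt"
    printf '%s %s\n' a9993e364706816aba3e25717850c26c9cd0d89d john.exe > "$work/known.txt"
    build_hashset "$work/image" > "$work/image.sha1"
    match_known "$work/image.sha1" "$work/known.txt"
    rm -rf "$work"
}

demo_match
```

Against the real image the same two functions are run as `build_hashset ~/Downloads/lab2 > ~/Downloads/sortedupdatedlab.sha1` followed by `match_known` with a file holding the five hint-list lines.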
9. View the date and time stamps for John.exe
a. Navigate to the directory where John.exe is located (the location is listed in the sortedupdatedlab.sha1 file). Please see the illustration in the screenshots that follow. (Make sure that you are in the run directory where the “John.exe” file is located.)
b. Type and Enter: cd "Documents and Settings"
Type and Enter: cd hax0r
Type and Enter: cd Desktop
Type and Enter: cd john179
Once in the “john179” directory, navigate to the “run” directory.
Type and Enter: ls
Type and Enter: cd run
c. Run the following command:
stat john.exe > ~/Downloads/john.stat
d. To display the content of “john.stat”, type the following command while still in the “run” directory shown above:
Type and Enter: less ~/Downloads/john.stat
Note the different file date and time stamps (access, modify, change). Because the image is mounted read-only, your own viewing of the file does not update its access time, so the stamps still reflect the suspect’s activity.
List the file changes below:
John.exe was changed on _______________ at ______________.
John.exe was last accessed on ___________ at ______.
Explain what this date and time stamp data means:
_____________________________________________________
_____________________________________________________
e. The John.exe password cracking program saves passwords it has cracked to a file called ‘john.pot’. See if the “john.pot” file exists using the following command to list all files in a long listing format.
Type and Enter: ls -al
f. If you find that the “john.pot” file does exist in the file list, you can view its text contents using the following command in the terminal while still in the “run” directory:
Type and Enter: less john.pot
__________________________________________
Explain what you found.
10. View the date and time stamps for all other password crackers you found by repeating Steps 9a through 9d above for the following password cracker program strings:
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
Look at the date and time stamps and make a note of your observations.
_____________________________________________________
_____________________________________________________
a. Is there any indication that the programs were used? Explain.
Password Hash Search
11. Now, search for password hash strings. Password hash strings for an md5 hash are formatted as follows:
a. $1$<8 character salt>$<22 characters>
b. Return to your lab2 directory. Type and Enter: cd ~/Downloads/lab2
c. Use the following grep expression command in Step “d” below to perform your md5 hash string search:
d. Type and Enter: grep -R -E '\$1\$[[:graph:]]{8}\$[[:graph:]]{22}' .
Note: -E turns on extended regular expressions so that {8} and {22} are read as repetition counts, and each $ is escaped so grep matches it literally instead of treating it as an end-of-line anchor.
e. Review the output list above and make a note of your observations.
_____________________________________________________
List the md5-related files you found here: ____________________________________________________
Where were the file(s) located?
f. What is the password for the following Users?
i. Vilkp? ___________________________________
ii. Showe? __________________________________
iii. Damad? __________________________________
12. Continue to search for evidence of password hacking (authorized in your original warrant).
Search for Graphic Files
Now, let’s search for graphics files.
a. Make a “graphics” file directory under “~/Downloads”. Call it ‘graphics’.
Type and Enter: cd ~/Downloads
Type and Enter: mkdir graphics
b. To find the graphics files by their common file extensions in lab2, run the search from the lab2 directory:
Type and Enter: cd lab2
Type and Enter the following:
find . \( -name '*.jpg' -or -name '*.png' -or -name '*.tiff' -or -name '*.gif' -or -name '*.bmp' \) -exec cp {} ../graphics \;
Note: The parentheses group the -or tests so that every matching file, not only the last extension, is passed to cp; the quoted patterns stop the shell from expanding them before find sees them. Use -iname in place of -name if you also want upper-case extensions such as .JPG. Files with the same name in different directories of the image will overwrite each other in “graphics”, so compare the count of copied files with the count of hits.
13. Change directory to the “graphics” directory and run the file command on each file:
Type and Enter: cd ../graphics
a. Type and Enter: file *.* > graphics.file
b. Type and Enter: less graphics.file
c. Review and describe whether all file types match the file extensions displayed.
_______________________________________________
Examining Graphic Files
14. Go to the Applications menu > Click Graphics > Click and open “gThumb”
15. In “gThumb”, view the files contained in the “graphics” directory.
a. Do you see anything that might make it necessary for you to request another search warrant to expand your authority to conduct a broader examination of the suspect hard drive? (Hint: You can refer to the list in Part I, Possible Illegal Activity Clues You May Find, above.) ________________________ If no, proceed to the next step.
Searching for Compressed Files
16. Let’s search further for the possibility of finding other hidden information.
To search for compressed files:
Type and Enter: cd .. to go back to the Downloads directory prompt
Type and Enter: cd lab2 to go to the “lab2” folder
Type and Enter the following command:
find . \( -name '*.zip' -or -name '*.tgz' -or -name '*.tar.gz' \) > ../updatedlab.compressed
a. The above command should find all the compressed files with the file extensions given in the command.
b. Type and Enter: less ../updatedlab.compressed to view the content of the file “updatedlab.compressed”.
_____________________________________________________
c. What did you find? Do you see any file that is “interesting” to you?
d. Make a new directory called “compressed” in the Downloads directory.
Type and Enter:
mkdir ~/Downloads/compressed
e. Copy the “interesting” compressed file above into that newly created “compressed” directory. (Note: You may use the Graphical User Interface to copy and paste the file into the evidence folder as seen below.)
_____________________________________________________
f. Do you feel you need to obtain a new search warrant at this point? Explain.
Unzipping a File
g. Let’s try to unzip the file using this command format “unzip <name of file>”:
h. Type and Enter: cd ../compressed
i. Type and Enter: ls
j. Type and Enter: unzip kitty.zip
k. What happened?
You can do one of two things:
Option 1: Ask the suspect for the password, or
Option 2: You can guess. Try to guess first.
Note: first, Google “most common passwords” and use some of those to see if any work. The password should be within the top ten of most lists and starts with “P”.
Note: What password worked for you? ___________________________________________
17. Assume now that you have an additional search warrant authorizing a search for stolen credit card numbers.
Type and Enter: cd ..
Type and Enter: cd lab2
Then, search lab2 using the following grep expression:
a. Type and Enter:
grep -R -n -E '[45][[:digit:]]{15}' . > ~/Downloads/creditcards.txt
b. This grep search looks for Visa or MasterCard number formats: sixteen digits beginning with 4 or 5. The -E option is needed so that {15} is read as a repetition count rather than as literal characters.
c. Use the “less” command to display the contents of the file.
Type and Enter: less ~/Downloads/creditcards.txt
Are there any notable credit card numbers?
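Step 17’s pattern matches any run of sixteen digits that starts with 4 or 5, so its output also contains serial numbers and similar noise. As an added example (not part of the lab handout), this POSIX shell script runs the same search over a directory and then applies the Luhn check-digit test, which issued Visa and MasterCard numbers pass, so the examiner can see which candidates deserve a closer look. GNU grep is assumed for -r -o -E, and the sample file in demo_cards is constructed from the published Visa and MasterCard test numbers, not from the lab image.

```shell
#!/bin/sh
# Added example, not from the lab handout: triage the hits of the lab's
# '[45][0-9]{15}' search with the Luhn mod-10 check so that random 16-digit
# strings (serial numbers, IDs) can be told apart from well-formed card
# numbers. Assumes GNU grep for -r -o -E.

# Luhn check: succeeds when the digit string's mod-10 checksum is valid.
# Working from the rightmost digit, every second digit is doubled and a
# doubled value above 9 has 9 subtracted; the total must end in 0.
luhn_ok() {
    n=$1
    sum=0
    pos=0
    i=${#n}
    while [ "$i" -gt 0 ]; do
        d=$(printf '%s' "$n" | cut -c "$i")
        if [ $((pos % 2)) -eq 1 ]; then
            d=$((d * 2))
            if [ "$d" -gt 9 ]; then d=$((d - 9)); fi
        fi
        sum=$((sum + d))
        i=$((i - 1))
        pos=$((pos + 1))
    done
    [ $((sum % 10)) -eq 0 ]
}

# Run the lab's pattern over the tree under $1 and print
# "<path> <number> luhn-ok|luhn-fail" per hit. grep -o prints only the 16
# matched digits, so a longer digit run is reported by its first 16 digits;
# review such hits by hand.
find_card_candidates() {
    grep -r -o -E '[45][0-9]{15}' "$1" 2>/dev/null | while IFS= read -r line; do
        number=${line##*:}
        path=${line%:*}
        if luhn_ok "$number"; then
            printf '%s %s luhn-ok\n' "$path" "$number"
        else
            printf '%s %s luhn-fail\n' "$path" "$number"
        fi
    done
}

# Constructed sample (not from the lab image): the published Visa and
# MasterCard test numbers 4111111111111111 and 5555555555554444 pass Luhn;
# 4111111111111112 and 5000000000000000 do not.
demo_cards() {
    work=$(mktemp -d)
    printf 'invoice 4111111111111111 ref 4111111111111112\n' > "$work/notes.txt"
    printf 'id 5555555555554444 sn 5000000000000000\n' >> "$work/notes.txt"
    find_card_candidates "$work"
    rm -rf "$work"
}

demo_cards
```

On the real image, `find_card_candidates ~/Downloads/lab2 > ~/Downloads/creditcards.txt` gives the same list as Step 17 with a verdict appended to each line; a Luhn-valid hit is still only a candidate until its context in the file is reviewed.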
End of Lab
Revised CSEC 650 Lab 2 Grading Rubric 7/07/17 (CSEC 650 2175 3131)
Criteria, Comments and Feedback (100 points):
• Part II, Step 3 - 1.a. (5 points): You included screen shots of file results after using the "ls" command. (Part II, Step 3 - 1.a. - Notes)
• Part II, Step 3 - 2. (5 points): You included screen shots of results after using the "sha1sum UpdatedLab.dd" command. (Part II, Step 3 - 2. - Notes)
• Part II, Step 3 - 5.b. (5 points): You included screen shots of results after using the "mount" command. (Part II, Step 3 - 5.b. - Notes)
• Part II, Step 3 - 8.a. (5 points): You included screen shots of results after using the “/620aca” command. (Part II, Step 3 - 8.a. - Notes)
• Part II, Step 3 - 8.b. (5 points): You included screen shots of results after locating hash value strings for the "Cain.exe, password.exe, Abel64.exe and badcracker.exe" files. (Part II, Step 3 - 8.b. - Notes)
• Part I Step 13 (5 points): You included screen shots of results noting file change differences for "John.exe", with last access date and date stamp data. (Part II, Step 3 - 9.d. - Notes)
• Part II, Step 3 - 9.f. (5 points): You included screen shots of results using the “less john.pot” file. (Part II, Step 3 - 9.f. - Notes)
• Part II Step 3 (5 points): You included screen shots of results listing md5-related files and where they were located. (Part II, Step 3 - 11.e. - Notes)
• Part II, Step 3 - 11.f. (5 points): You included screen shots of results showing the passwords for "Vilkp, Showe and Damad". (Part II, Step 3 - 11.f. - Notes)
• Part II, Step 3 - 13.b. (5 points): You included screen shots of results after using the “less graphics” command. (Part II, Step 3 - 13.b. - Notes)
• Part II, Step 3 - 13.b. (5 points): You included screen shots of results after using the “gThumb” command. (Part II, Step 3 - 13.b. - Notes)
• Part II, Step 3 - 15.a. (5 points): You included screen shots of graphic results to determine the necessity of requesting a search warrant. (Part II, Step 3 - 15.a. - Notes)
• Part II, Step 3 - 16.c. (5 points): You included screen shots of results after using the “less ../updatedlab.compressed” command. (Part II, Step 3 - 16.c. - Notes)
• Part II, Step 3 - 16.g. (5 points): You included screen shots of results after using passwords to unzip files. (Part II, Step 3 - 16.g. - Notes)
• Lab Notes Sheet (10 points): You completed the Lab Notes Sheet, including screenshots and relevant information.
• Chain of Custody Form (5 points): You completed a Chain of Custody Form to include in your final Forensics Examiner Report for Lab 2.
• Report Writing Format Step 10 (20 points) (6 Parts: I, II, III, IV, V & VI): You completed the Final Report using the format, answering all questions, incorporating relevant Lab Notes, including using the chain of custody form.
DFCI Revised 7/07/2017
Tatlong Kwento ni Lola basyang-1.pdf arts
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Basic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationBasic Intentional Injuries Health Education
Basic Intentional Injuries Health Education
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactistics
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 

Advanced LI PDF.001Advanced LI PDF.002Advanced LI PDF.00.docx

Advanced LI PDF.001 / Advanced LI PDF.002 / Advanced LI PDF.003

Property Record Number: ________________________

Anywhere Police Department
EVIDENCE CHAIN OF CUSTODY TRACKING FORM

Case Number: ________________________   Offense: ______________________________
Submitting Officer (Name/ID#): _______________________________________________
Victim: ______________________________________________________________________
Suspect: _____________________________________________________________________
Date/Time Seized: __________________   Location of Seizure: ______________________

Description of Evidence
Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches)

Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location

APD_Form_#PE003_v.1 (12/2012)   Page 1 of 2 pages (See back)

EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM (Continued)

Chain of Custody
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location

Final Disposal Authority

Authorization for Disposal
Item(s) #: __________ on this document pertaining to (suspect): ____________________________________________
is(are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method)
☐ Return to Owner   ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer: ____________________________   Signature: ______________________   Date: _______________

Witness to Destruction of Evidence
Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ ID#: ______ in my presence on (date) __________________________.
Name & ID# of Witness to destruction: ________________________   Signature: ______________________   Date: _______________

Release to Lawful Owner
Item(s) #: __________ on this document was/were released by Evidence Custodian ________________________ ID#: _________ to
Name: ______________________________________________________________________
Address: ________________________________________________
City: ____________________   State: _______   Zip Code: __________
Telephone Number: (_____) ___________________________________
Under penalty of law, I certify that I am the lawful owner of the above item(s).
Signature: _______________________________________________________   Date: __________________________
Copy of Government-issued photo identification is attached. ☐ Yes ☐ No

This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
APD_Form_#PE003_v.1 (12/2012)   Page 2 of 2 pages (See front)

Source: Technical Working Group on Biological Evidence Preservation. The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology. 2013.
Forensic Analysis with Linux
Digital Forensic Examination Assignment Instructions

Part I. Examination Request

You have been hired as a computer forensic examiner by the FSB (Federal Security Bureau). Mel Torme, your supervisor, brings you a hard drive containing an acquired forensic image. Mr. Torme tells you that the image was created from a suspect hard drive that was found on the side of the road by a Deputy Sheriff.

Factual Case Background: The Sheriff's Office examination request report says that an anonymous caller telephoned the Sheriff's Office and told a Sheriff's Investigator where the suspect hard drive could be found, and that it contained evidence of possible illegal hacking activity. The Sheriff's Office investigators obtained a search warrant from a judge that authorized them to search the suspect hard drive for possible evidence of illegal hacking activity.

Examination Tools: You will use Linux to conduct a logical digital forensic examination and analysis of the suspect drive.

Your Examination Responsibilities: Your job is to conduct a digital forensic examination and analysis of the suspect image in order to identify any possible illegal hacking activity PER the search warrant (password hacking).

Practice Note: It is not uncommon for a digital forensics examiner, while conducting an examination, to inadvertently come across evidence of other illegal activity that is NOT PART OF THE AUTHORIZED SCOPE OF THE ORIGINAL SEARCH WARRANT. When this inadvertent discovery occurs, the examiner MUST stop the examination, report the suspected new evidence to his/her supervisor(s) or case agent, and obtain a NEW search warrant authorizing a broader examination scope, based on the newly discovered evidence. For example, if you have a search warrant for suspected illegal hacking activity (as in this assignment) and you inadvertently come across ANY OTHER possible evidence of a different type of criminal activity than you are originally authorized to search for, you MUST obtain a new search warrant before you continue your digital forensic examination.

Possible Illegal Activity Clues You May Find

If I were a betting Professor, I would assume that there might be some evidence of other illegal activities on the hard drive, besides hacking (hint hint, nod nod, wink wink). The following is a list of possible illegal activities that come to mind. If any evidence of these possible illegal activities exists on the suspect hard drive, it will be very apparent to you during a thorough digital forensics investigation. Your examination might reveal any of the following illegal activities:

• Gun running
• Underage drinking
• Insider trading
• Kitty porn (any photos of underage kittens)
• Credit card fraud/theft (stolen credit card numbers)
• Impersonating an officer
• Jay walking

Based upon our limited knowledge of the background case facts, I am certain the owner of the hard drive was NOT involved in ALL of the above listed illegal activities, but I am confident he/she was involved in a FEW of them. Let's see what your examination reveals.

Part II. Getting Started - Known Tool Hash Values

We'll start our examination by searching for password cracking tools. Listed below are some known SHA-1 hash values of popular password cracking tools:

• 620aca6bff27950df3ec81e9909be3e05b6bed81 john.exe
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe

Case Examination Assumptions:
1. IF YOU FIND EVIDENCE OF ANY OF THE ABOVE-LISTED ADDITIONAL CRIMINAL ACTIVITIES, YOU MUST ACKNOWLEDGE IT IN YOUR NOTES AND IN YOUR LAB REPORT AS A BASIS FOR REQUESTING A SEARCH WARRANT.
   a. You must tell me WHAT you found and request a new search warrant.
2. You will download the "UpdatedLab.dd" file from the project resources download page to your lab virtual machine's "Downloads" folder as instructed in Step 2 below. Then, you will work from the "Downloads" folder of your lab virtual machine "NIXATK01" (the steps below refer to it as "NIXFOR01") as your evidence folder.
3. All commands will be run from the "~/Downloads/lab2" command line prompt unless otherwise noted.
4. Important: Run the date command before running each command identified in this examination assignment. Although the date command is not shown with each of the following command instructions, running it before every command should be your continuous practice, so that your notes record exactly when each action was taken.
5. Complete your Lab Notes WHILE you are working through this exercise!

Steps Taken (A Simple Version)
1. Received evidence
2. Mount the drive read only
3. Hash files
4. Use hashes to search for password cracking tools
5. Identify last usage of password cracking tools
6. Find other evidence of password cracking, such as password hashes
7. Search for graphics files
8. Search for compressed files
Important: Your "Steps Taken" notes should be a bit more detailed than the above.

Access to Virtual Lab Environment

Virtual Machine Credentials
Username: StudentFirst
Password: [email protected]

Steps to access the Linux Virtual Machine

Step 1. Login to "NIXFOR01". Enter the VM credentials to connect to it. Press the space bar on your keyboard to get the login prompt. Enter StudentFirst for the "Username" and [email protected] for the password.

Step 2. Double-click Lab Resources. Click on Applications > Download Project Resources > "UpdatedLab.dd" under Project 2 > Save File.
Note: Depending on the browser being used, the above step might be different.

Go to the Applications menu > click "Terminal" to open a Terminal window.

Step 3. Forensic Procedures

1. Receive the evidence (see examination tasking). In the NIXFOR01 VM, type and enter:
   cd Downloads
   ls
   Note the listed file name: ____________________

2. To verify the hash value of the image file, type and enter:
   sha1sum UpdatedLab.dd
   Note the SHA-1 hash value displayed: _____________________________________________

3. Compare your hash value to the original hash value of the "UpdatedLab.dd" image:
   Original: 42ba069b68620a8c0ea6c4804c9e371d1bb358ba  UpdatedLab.dd
   If the two values differ, stop: the copy you have is not the image that was acquired, and nothing you find on it can be tied back to the seized drive.

4. Now, create a new directory "lab2" in the "~/Downloads" directory of "NIXFOR01".
   a. Type and enter: mkdir lab2
   b. To verify the lab2 directory exists, type and enter: ls

5. Mount the image on the new directory:
   a. Type and enter:
      sudo mount -t auto -o ro,loop ./UpdatedLab.dd ./lab2
      (The options are plain hyphens, -t and -o. ro mounts the filesystem read-only so the examination cannot alter the evidence; loop mounts a file instead of a block device. Adding noexec to the option list is also good practice, so that nothing on the suspect image can be run by accident. If mount reports that it cannot find a filesystem, the image may be a whole-disk image with a partition table rather than a single partition, in which case the partition's byte offset has to be supplied with the offset= option.)
   b. To verify that the image mounted properly, type and enter: mount
      The output should contain a line for lab2 with "ro" among its options.

6. Change directory to lab2. Type and enter: cd lab2

7. Create a hash set for all the files on the hard drive (mounted image).
   a. Type and enter:
      sudo find . -exec sha1sum {} \; > ../updatedlab.sha1 2>/dev/null
      Note: This command finds every file under the mounted image and runs sha1sum on each one, saving the result in ../updatedlab.sha1, i.e. in ~/Downloads, one level above lab2 (the hash set must never be written onto the evidence). The semicolon that ends the -exec clause has to be escaped as \; so that the shell passes it to find. 2>/dev/null discards error messages: find also hands directories to sha1sum, which complains about each one, and this keeps those complaints out of the listing. If you want a record of files that could not be read, redirect the errors to a file instead of /dev/null.
   b. To view the file "updatedlab.sha1", type and enter: less ../updatedlab.sha1
      Note that the list is not sorted.
   c. Run the command below to sort the list by hash value and save the result to a new file. Type and enter:
      sort ../updatedlab.sha1 > ../sortedupdatedlab.sha1
   d. To view the file, type and enter: less ../sortedupdatedlab.sha1
   e. The lines are now sorted by hash value. Now we can search the sorted list for the hashes of the password crackers listed in Part II, "Getting Started - Known Tool Hash Values", above.
   f. Press "q" on your keyboard to exit.

8. Search for "John the Ripper" first. The first few characters of its SHA-1 hash are 620aca.
   a. While viewing the sorted file in less, type a forward slash "/" followed by the first few hash characters, "620aca", then press Enter.
      ________________________________________________
      Note whether you found the John the Ripper hash value.
   b. Continue looking for the remaining password cracker hash values listed in Part II above. Repeat steps 8 and 8a to locate the following hash value strings:
      • 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
      • c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
      • 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
      • 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
      How many did you find? ________________________________________
      Where is each hash value you found located? Report your hash value findings in your notes!
   c. Press "q" on your keyboard to exit.

9. View the date and time stamps for john.exe.
   a. Navigate to the directory where john.exe is located (the location is listed in the sortedupdatedlab.sha1 file next to its hash). Make sure you end up in the "run" directory that contains john.exe.
   b. From lab2, type and enter the following (the quotes are needed because the first directory name contains spaces):
      cd "Documents and Settings"
      cd hax0r
      cd Desktop
      cd john179
      ls
      cd run
   c. Run the following command:
      stat john.exe > ~/Downloads/john.stat
   d. To display the content of "john.stat", type and enter while still in the "run" directory:
      less ~/Downloads/john.stat
      Note the different file date and time stamps (access, modify, change). Modify is when the file's content was last written, change is when its metadata (name, permissions, size) last changed, and access is when it was last read or executed. Because the image is mounted read-only, your own examination does not update the access time. If the volume is FAT, bear in mind that FAT stores the access time as a date only and the modify time at two-second resolution, so do not read more precision into the values than the filesystem can hold.
      List the file changes below:
      john.exe was changed on _______________ at ______________.
      john.exe was last accessed on ___________ at ______.
      Explain what this date and time stamp data means: ____________________
   e. The john.exe password cracking program saves the passwords it has cracked to a file called "john.pot" in the same run directory. See if the "john.pot" file exists by listing all files in long listing format. Type and enter:
      ls -al
   f. If "john.pot" does exist in the file list, you can view the text contents of the "john.pot" file using the following command while still in the "run" directory. Type and enter:
      less john.pot
      Each line of john.pot is a hash, a colon, and the password that was cracked for that hash.
      __________________________________________
      Explain what you found.

10. View the date and time stamps for all other password crackers you found by repeating steps 9a through 9d for the following password cracker programs:
    • 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
    • c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
    • 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
    • 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
    Look at the date and time stamps and make a note of your observations.
    ______________________________________________________________________
    a. Is there any indication that the programs were used? Explain.
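Steps 7 through 10 above (hash every file, match the hash set against the known tool hashes, then pull the timestamps of each hit) can be run as one script instead of paging through less by hand. The script below is an added example, not part of the lab handout: it assumes GNU coreutils (sha1sum, stat -c) and a Linux system, uses the handout's hash list and the handout's john179/run path, and builds a constructed stand-in directory tree in place of the mounted image so that it runs offline. The WINDOWS/notepad.exe file is invented. On the real image, pass ~/Downloads/lab2 as the mount point (and prefix the find with sudo if files are not readable by your user).

```shell
#!/bin/sh
# Added example, not part of the lab handout. Builds a SHA-1 hash set of a
# mounted image (steps 7-8), matches it against the handout's known
# password-cracker hashes, and prints the access/modify/change times of each
# hit (steps 9-10). The "image" is a constructed directory tree so the script
# runs offline; on the real lab image, pass ~/Downloads/lab2 as the mount point.
set -u

# Known-tool hashes exactly as listed in the handout ("sha1 name").
KNOWN_HASHES='620aca6bff27950df3ec81e9909be3e05b6bed81 john.exe
13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe'

# build_hashset MOUNT OUT: hash every regular file under MOUNT into OUT, sorted
# by hash. -type f keeps directories away from sha1sum, and unreadable files are
# logged to OUT.errors rather than silently dropped with 2>/dev/null.
build_hashset() {
    mnt=$1; out=$2
    (cd "$mnt" && find . -type f -exec sha1sum {} + 2>"$out.errors") | sort >"$out"
}

# match_known HASHSET KNOWN: print "sha1 toolname path" for each known hash that
# occurs in the hash set. sha1sum lines are "<40 hex><2 spaces><path>", so the
# path is read from column 43 on; names with spaces ("Documents and Settings")
# therefore survive intact.
match_known() {
    awk 'NR == FNR { name[$1] = $2; next }
         ($1 in name) { print $1, name[$1], substr($0, 43) }' "$2" "$1"
}

# stamp_hits MOUNT: read match_known output on stdin and print each hit's
# timestamps with GNU stat. The image is mounted read-only, so looking at the
# file here does not refresh its access time.
stamp_hits() {
    mnt=$1
    while read -r sha tool path; do
        printf '%s %s\n' "$sha" "$tool"
        stat -c '  access=%x modify=%y change=%z %n' "$mnt/$path"
    done
}

# make_sample DIR: constructed stand-in for the mounted image (not evidence).
make_sample() {
    d=$1
    mkdir -p "$d/Documents and Settings/hax0r/Desktop/john179/run" "$d/WINDOWS"
    printf 'constructed stand-in for john.exe\n' \
        >"$d/Documents and Settings/hax0r/Desktop/john179/run/john.exe"
    printf 'constructed, unrelated binary\n' >"$d/WINDOWS/notepad.exe"
}

# demo: run the whole procedure on the constructed tree and print the hits.
demo() {
    work=$(mktemp -d)
    make_sample "$work/lab2"
    printf '%s\n' "$KNOWN_HASHES" >"$work/known.txt"
    # The stand-in cannot carry the real john.exe hash, so its own hash is
    # appended to the known list purely to exercise the matching path.
    sha1sum "$work/lab2/Documents and Settings/hax0r/Desktop/john179/run/john.exe" \
        | awk '{ print $1, "john.exe" }' >>"$work/known.txt"
    build_hashset "$work/lab2" "$work/updatedlab.sha1"
    match_known "$work/updatedlab.sha1" "$work/known.txt" | stamp_hits "$work/lab2"
    rm -rf "$work"
}

demo
```

The hash set and the error log are written beside the image, never inside the mount, and the awk join reports every known hash that appears anywhere in the tree, so a tool that was renamed still shows up under its known name next to the path it was actually found at.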
Explain.

Password Hash Search

11. Now, search for password hash strings. The hashes you are looking for are md5crypt hashes (the "$1$" scheme used in Unix shadow files), each formatted as follows:
   a. $1$<salt of up to 8 characters>$<22 characters>
   b. Return to your lab2 directory. Type and enter: cd ~/Downloads/lab2
   c. Use the following grep command in step d to perform your md5crypt hash string search.
   d. Type and enter:
      grep -RE '\$1\$[[:graph:]]{8}\$[[:graph:]]{22}' .
      (The -E option is required: without it grep reads {8} and {22} as literal braces and finds nothing. Each $ is escaped with a backslash so grep matches a literal dollar sign instead of treating it as an end-of-line anchor. The pattern assumes an 8-character salt; md5crypt salts can be shorter, so if it finds nothing, relax {8} to {1,8}.)
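The step 11 search, worked as a script that is an added example and not part of the lab handout. It runs the same kind of recursive grep, but reports file and line for each hit and then rewrites the hits into the user:hash form a cracker such as John the Ripper reads, which is what you need once the warrant question is settled. It generalises the handout's pattern slightly, as the lead comment says, to salts of 1 to 8 characters and to the $5$/$6$ sha-crypt schemes. It assumes GNU grep; the shadow-style sample lines, the file names etc/shadow.bak and notes.txt, and every hash value in them are constructed for the example (only the user names Vilkp, Showe and Damad come from the handout). On the lab image, point it at ~/Downloads/lab2.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Performs the step 11 search for
# md5crypt ("$1$salt$hash") strings across a tree, reports where each one was
# found, and rewrites the hits as "user:hash" lines that a cracker such as John
# the Ripper accepts. It generalises the handout's grep: the salt may be 1-8
# characters, since md5crypt does not pad it, and $5$/$6$ sha-crypt hashes are
# reported as well. The sample files are constructed here; on the lab image,
# run it against ~/Downloads/lab2.
set -u

# Every "$" is escaped so grep matches a literal dollar sign rather than an
# end-of-line anchor; with -E the {n,m} repetitions work as written.
MD5CRYPT='\$1\$[^$:[:space:]]{1,8}\$[./0-9A-Za-z]{22}'
# sha256crypt ($5$, 43-char hash) and sha512crypt ($6$, 86-char hash), with an
# optional rounds= field and a salt of up to 16 characters.
SHACRYPT='\$[56]\$(rounds=[0-9]+\$)?[^$:[:space:]]{1,16}\$[./0-9A-Za-z]{43,86}'

# find_hashes DIR: print "file:line:hash" for each crypt hash under DIR.
# -r (not -R) so symlinks on the image are not followed out of the tree.
find_hashes() {
    grep -rnoE "$MD5CRYPT|$SHACRYPT" "$1"
}

# to_john DIR: emit "user:hash" for passwd/shadow-shaped lines (user:hash:...),
# and "?:hash" when no user field precedes the hash. Duplicates are collapsed.
to_john() {
    grep -rhE "$MD5CRYPT|$SHACRYPT" "$1" | awk -F: '
        $2 ~ /^\$[156]\$/ { print $1 ":" $2; next }
        { match($0, /\$[156]\$[^[:space:]]+/); print "?:" substr($0, RSTART, RLENGTH) }
    ' | sort -u
}

# make_sample DIR: constructed files; none of these are real credentials.
make_sample() {
    d=$1
    mkdir -p "$d/etc" "$d/Documents and Settings/hax0r/Desktop"
    {
        printf 'vilkp:$1$saltsalt$AbCdEfGhIjKlMnOpQ rStUv:17000:0:99999:7:::\n' | tr -d ' '
        printf 'showe:$1$ab$0123456789abcdefghijkl:17000:0:99999:7:::\n'        # 2-char salt
        printf 'damad:$6$rounds=5000$longsalt$%s:17000::::::\n' "$(printf '%086d' 0)"
    } >"$d/etc/shadow.bak"
    # Decoy text that contains "$1$" but no hash; it must not be reported.
    printf 'paid $1$ for coffee; $10$abcdefgh$ is not a hash either\n' \
        >"$d/Documents and Settings/hax0r/Desktop/notes.txt"
}

# demo: run both searches on the constructed tree and print their output.
demo() {
    work=$(mktemp -d)
    make_sample "$work/lab2"
    echo '--- hits (file:line:hash) ---'
    find_hashes "$work/lab2"
    echo '--- cracker input (user:hash) ---'
    to_john "$work/lab2"
    rm -rf "$work"
}

demo
```

Keep the file:line output in your notes rather than the normalised list: the location of a hash (a copied shadow file on a desktop, a john.pot, a chat log) is what tells you whether it is evidence of password cracking, while the user:hash list is only an input for the next step.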
   e. Review the output list and make a note of your observations.
      ----------------------------------------------------------------
      List the md5crypt-related files you found here: ____________________________________________________
      Where were the file(s) located?
   f. What is the password for the following users?
      i. Vilkp? ___________________________________
      ii. Showe? __________________________________
      iii. Damad? __________________________________

12. Continue to search for evidence of password hacking (authorized in your original warrant).

Search for Graphic Files

Now, let's search for graphics files.
   a. Make a "graphics" directory under "~/Downloads". Call it "graphics". Type and enter:
      cd ~/Downloads
      mkdir graphics
   b. To find the graphics files by their common file extensions in lab2, go back to the mounted image and run find from there. Type and enter:
      cd ~/Downloads/lab2
      find . \( -name '*.jpg' -o -name '*.png' -o -name '*.tiff' -o -name '*.gif' -o -name '*.bmp' \) -exec cp {} ../graphics \;
      (The patterns are quoted so the shell does not expand them against the current directory; the -name tests are grouped in escaped parentheses so that -exec applies to every extension rather than only the last one; and the trailing semicolon is escaped as in step 7. Use -iname instead of -name if you also want upper-case extensions such as .JPG. Note that cp copies content only: two files with the same name in different folders will overwrite each other in ../graphics, and the copies get fresh timestamps, so always go back to the mounted image, not the copy, for dates and locations.)

13. Change directory to the "graphics" directory and run the file command on each file. Type and enter:
      cd ~/Downloads/graphics
   a. Type and enter: file *.* > graphics.file
   b. Type and enter: less graphics.file
   c. Review and describe whether all file types match the file extensions displayed. file identifies a file by its content (its leading header bytes), not by its name, so a line such as "kitty.gif: Zip archive data" means the extension was changed to disguise the file.
      _______________________________________________

Examining Graphic Files

14. Go to the Applications menu > click Graphics > click and open "gThumb".
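Steps 12 and 13 above, collected into one script that is an added example and not part of the lab handout. It copies the image-extension files out of the mounted tree the way step 12 does (but keeps their relative paths and timestamps), and then performs the step 13 comparison itself: it reads each file's leading bytes, names the format they identify, and flags every file whose extension claims something else. It uses od rather than file(1) so the signatures being tested are visible in the script; it assumes a POSIX shell with GNU/BSD find -iname. The hax0r folder name comes from the handout; the pics and "My Documents" folders and the five sample files, which consist of format headers only, are constructed. On the lab image, pass ~/Downloads/lab2 and ~/Downloads/graphics.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Collects the image files the way
# step 12 does (by extension, into a separate directory), then does the check
# step 13 asks for automatically: it reads each file's leading bytes and
# compares the format they identify with the one the extension claims, so a
# renamed file (a ZIP saved as .gif, a GIF saved as .jpg) is flagged. It uses
# od rather than file(1) so the signatures being tested are explicit. Sample
# files are constructed from format headers only.
set -u

# magic_type FILE: format identified by the first 8 bytes, or "unknown".
magic_type() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $sig in
        ffd8ff*)             echo jpeg ;;   # JPEG SOI marker
        89504e470d0a1a0a)    echo png ;;    # \x89PNG\r\n\x1a\n
        474946383[79]61*)    echo gif ;;    # GIF87a / GIF89a
        424d*)               echo bmp ;;    # "BM"
        49492a00*|4d4d002a*) echo tiff ;;   # II*\0 (little) / MM\0* (big endian)
        504b0304*|504b0506*) echo zip ;;    # PK\3\4 / empty archive PK\5\6
        *)                   echo unknown ;;
    esac
}

# ext_type FILE: format the (case-insensitive) extension claims.
ext_type() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *.jpg|*.jpeg) echo jpeg ;;
        *.png)        echo png ;;
        *.gif)        echo gif ;;
        *.bmp)        echo bmp ;;
        *.tif|*.tiff) echo tiff ;;
        *)            echo unknown ;;
    esac
}

# collect_graphics SRC DEST: copy files with image extensions from SRC to DEST.
# The relative path is preserved so two "photo.jpg"s in different folders do
# not overwrite each other, and cp -p keeps the original timestamps.
collect_graphics() {
    src=$1; dest=$2
    (cd "$src" && find . -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.bmp' -o -iname '*.tif' -o -iname '*.tiff' \) -print) |
    while read -r rel; do
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$src/$rel" "$dest/$rel"
    done
}

# check_graphics DIR: print "STATUS ext-type magic-type path" per file, where
# STATUS is OK when header and extension agree and MISMATCH otherwise.
check_graphics() {
    find "$1" -type f | sort | while read -r f; do
        e=$(ext_type "$f"); m=$(magic_type "$f")
        if [ "$e" = "$m" ]; then s=OK; else s=MISMATCH; fi
        printf '%s %s %s %s\n' "$s" "$e" "$m" "${f#"$1"/}"
    done
}

# make_sample DIR: constructed files consisting of format headers only.
make_sample() {
    d=$1
    mkdir -p "$d/hax0r/Desktop/pics" "$d/hax0r/My Documents"
    printf '\377\330\377\340\000\020JFIF\000' >"$d/hax0r/Desktop/pics/real.jpg"
    printf '\211PNG\r\n\032\n'                 >"$d/hax0r/Desktop/pics/real.PNG"
    printf 'PK\003\004\024\000\000\000'        >"$d/hax0r/Desktop/pics/kitty.gif"   # ZIP renamed .gif
    printf 'GIF89a\001\000\001\000'            >"$d/hax0r/My Documents/photo.jpg"   # GIF renamed .jpg
    printf 'plain text\n'                      >"$d/hax0r/My Documents/notes.txt"   # not collected
}

# demo: collect from a constructed image tree and print the check results.
demo() {
    work=$(mktemp -d)
    make_sample "$work/lab2"
    collect_graphics "$work/lab2" "$work/graphics"
    check_graphics "$work/graphics"
    rm -rf "$work"
}

demo
```

A MISMATCH line is exactly the situation step 13c asks you to describe: the header says one format and the name says another. A ZIP hiding behind a .gif is also the kind of file step 16 goes looking for by extension and would otherwise miss.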
15. In "gThumb", view the files contained in the "graphics" directory.
   a. Do you see anything that might make it necessary for you to request another search warrant to expand your authority to conduct a broader examination of the suspect hard drive? (Hint: refer to the list in Part I, "Possible Illegal Activity Clues You May Find", above.)
      ________________________
      If no, proceed to the next step.

Searching for Compressed Files

16. Let's search further for the possibility of finding other hidden information. To search for compressed files, type and enter:
      cd ..          (to go back to the Downloads directory)
      cd lab2        (to go to the "lab2" folder)
      find . \( -name '*.zip' -o -name '*.tgz' -o -name '*.tar.gz' \) > ../updatedlab.compressed
   a. The above command lists all compressed files with the extensions given in the command. It finds files by name only: an archive whose extension has been changed will not appear here, which is why the file check in step 13 matters.
   b. Type and enter: less ../updatedlab.compressed
      to view the content of the file "updatedlab.compressed".
      _________________________________________________________________
   c. What did you find? Do you see any file that is "interesting" to you?
   d. Make a new directory called "compressed" in the Downloads directory. Type and enter:
      mkdir ~/Downloads/compressed
   e. Copy the "interesting" compressed file above into that newly created "compressed" directory. (Note: You may use the graphical user interface to copy and paste the file into the evidence folder.)
      _________________________________________________________________
   f. Do you feel you need to obtain a new search warrant at this point? Explain.

Unzipping a File
   g. Let's try to unzip the file using the command format "unzip <name of file>".
   h. Type and enter: cd ../compressed
   i. Type and enter: ls
   j. Type and enter: unzip kitty.zip
   k. What happened? You can do one of two things. Option 1: Ask the suspect for the password. Option 2: Guess. Try to guess first. Note: first, Google "most common passwords" and use some of those to see if any work. The password should be within the top ten of most lists and starts with "P". (unzip prompts for the password; its -P option supplies one on the command line instead, which is handy when trying several candidates in a row.)
      Note: What password worked for you? ___________________________________________
17. Assume now that you have an additional search warrant authorizing a search for stolen credit card numbers. Type and enter:
      cd ..
      cd lab2
   Then search lab2 using the following grep expression:
   a. Type and enter:
      grep -RnE '[45][[:digit:]]{15}' . > ~/Downloads/creditcards.txt
   b. This grep search looks for 16-digit numbers beginning with 4 or 5, i.e. the Visa and MasterCard number formats (-E is needed for the {15} repetition, as in step 11). It matches any such run of digits, including runs embedded in longer numbers, so treat the hits as candidates: a real card number also passes the Luhn check-digit test, and its issuer prefix can be looked up.
   c. Use the "less" command to display the contents of the file. Type and enter:
      less ~/Downloads/creditcards.txt
      Are there any notable credit card numbers?

End of Lab

Revised CSEC 650 Lab 2 Grading Rubric (7/07/17)
CSEC 650 2175 3131
Criteria (100 points) and Comments and Feedback (each criterion also has a Notes row for the grader):
- Part II, Step 3, 1.a (5 points): You included screenshots of the file results after using the "ls" command.
- Part II, Step 3, 2 (5 points): You included screenshots of the results after using the "sha1sum UpdatedLab.dd" command.
- Part II, Step 3, 5.b (5 points): You included screenshots of the results after using the "mount" command.
- Part II, Step 3, 8.a (5 points): You included screenshots of the results after using the "/620aca" search.
- Part II, Step 3, 8.b (5 points): You included screenshots of the results after locating the hash value strings for the Cain.exe, password.exe, Abel64.exe and badcracker.exe files.
- Part II, Step 3, 9.d (5 points): You included screenshots of the results noting the file change differences for john.exe, with its last access date and time stamp data.
- Part II, Step 3, 9.f (5 points): You included screenshots of the results of the "less john.pot" command.
- Part II, Step 3, 11.e (5 points): You included screenshots of the results listing the md5crypt-related files and where they were located.
- Part II, Step 3, 11.f (5 points): You included screenshots of the results showing the passwords for Vilkp, Showe and Damad.
- Part II, Step 3, 13.b (5 points): You included screenshots of the results after using the "less graphics.file" command.
- Part II, Step 3, 13.b / 14 (5 points): You included screenshots of the results after using gThumb.
- Part II, Step 3, 15.a (5 points): You included screenshots of the graphic results used to determine whether a new search warrant must be requested.
- Part II, Step 3, 16.c (5 points): You included screenshots of the results after using the "less ../updatedlab.compressed" command.
- Part II, Step 3, 16.g (5 points): You included screenshots of the results after using passwords to unzip files.
- Lab Notes Sheet (10 points): You completed the Lab Notes Sheet, including screenshots and relevant information.
- Chain of Custody Form (5 points): You completed a Chain of Custody Form to include in your final Forensics Examiner Report for Lab 2.
- Report Writing Format, Step 10 (20 points) (6 parts: I, II, III, IV, V and VI): You completed the Final Report using the format, answering all questions, incorporating relevant Lab Notes, and including the chain of custody form.

DFCI Revised 7/07/2017
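The step 17 search above, worked as a script that is an added example and not part of the lab handout. The handout's regex returns every 16-digit run that starts with 4 or 5, which on a real disk includes serial numbers, timestamps and fragments of longer numbers; this version keeps only runs of exactly 16 digits that also pass the Luhn check digit test, so the list you review in step 17c is much shorter and every entry is at least a well-formed card number. It assumes GNU grep and a POSIX shell. The hax0r folder name is from the handout; the cc.txt file and its lines are constructed and use the publicly documented Visa and MasterCard test numbers, not real cards. On the lab image, pass ~/Downloads/lab2.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Runs the step 17 search for
# Visa/MasterCard-shaped 16-digit numbers, but keeps only candidates that pass
# the Luhn check digit test, which discards most serial numbers, timestamps and
# random digit runs that the bare regex also returns. Digit runs longer than 16
# are not cut into "cards" either. The sample file is constructed and uses the
# public test numbers 4111111111111111 and 5555555555554444.
set -u

# luhn DIGITS: succeed if the digit string passes the Luhn checksum. Working
# from the right, every second digit is doubled (minus 9 if that exceeds 9)
# and the total must be a multiple of 10.
luhn() {
    n=$1; sum=0; dbl=0
    while [ -n "$n" ]; do
        d=${n#"${n%?}"}; n=${n%?}            # peel off the last digit
        if [ "$dbl" -eq 1 ]; then
            d=$((d * 2)); [ "$d" -gt 9 ] && d=$((d - 9))
        fi
        sum=$((sum + d)); dbl=$((1 - dbl))
    done
    [ $((sum % 10)) -eq 0 ]
}

# find_cards DIR: for every line under DIR matching the handout's regex, split
# the line into maximal digit runs and print "file:line:number" for each run
# that is exactly 16 digits, starts with 4 or 5, and is Luhn-valid.
find_cards() {
    grep -rnE '[45][0-9]{15}' "$1" | while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}; lineno=${rest%%:*}; text=${rest#*:}
        printf '%s\n' "$text" | tr -cs '0-9' '\n' | while read -r run; do
            case "${#run}:$run" in
                16:[45]*) if luhn "$run"; then printf '%s:%s:%s\n' "$file" "$lineno" "$run"; fi ;;
            esac
        done
    done
}

# make_sample DIR: constructed file with two valid test numbers, one with a bad
# check digit, and a 20-digit serial that the bare regex would also match.
make_sample() {
    d=$1
    mkdir -p "$d/hax0r/Desktop"
    {
        printf 'visa 4111111111111111 exp 12/25\n'
        printf 'mc 5555555555554444\n'
        printf 'typo 4111111111111112\n'
        printf 'serial 41111111111111112345\n'
    } >"$d/hax0r/Desktop/cc.txt"
}

# demo: run the filtered search on the constructed tree and print the hits.
demo() {
    work=$(mktemp -d)
    make_sample "$work/lab2"
    find_cards "$work/lab2"
    rm -rf "$work"
}

demo
```

Luhn validity only means the number is well-formed, not that it is a live card; it still removes the bulk of false positives, and the file:line output tells you where on the image each candidate sits, which is what the report and any follow-on warrant request need.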