Duaa Shoukat presented on investigating a cyber crime case involving a former bank employee, Alina Smith. The objectives were to analyze Alina's computer hard drive using digital forensics techniques to find any evidence she stole confidential bank information. Analysis of her email files revealed 9 messages with identical image attachments containing hidden data, indicating the use of steganography. Her browser history also showed she researched and downloaded steganography software. The findings provided evidence that Alina attempted to steal bank loan details by hiding the data in image attachments sent via email.
1. Duaa Shoukat
BSCS-11-60
Institute of Computing
Bahauddin Zakariya University
Multan, Punjab, 60,000
Pakistan
Email: duaam.Shoukat@gmaol.com
www.bzu.edu.pk
Investigating Cyber Crimes
Using Internet and E-mail Forensics
06 November 2015
2. Duaa Shoukat
Presentation Overview
Project Scope and Objectives
Digital Forensics
Internet and Email Forensics
Contribution: Email and Internet analysis using Digital Forensics Techniques
• Case Scenario
• Challenges
• Collection & Bit stream Image Creation
• Analysis & Evidence Findings
• Email Analysis
• Internet Analysis
Conclusion
3. Duaa Shoukat
Project Scope and Objective
Scope of the project
Digital forensics is very useful in criminal investigation. This project is limited to the category of internet and email forensics. I focus on some of the common email and internet artifacts stored on a PC, such as Outlook data files, Index.dat files and other browser history files.
Objective of project
– Learning Internet and Email Forensics (Digital Forensics)
– Data collection from a digital device by applying different forensics techniques.
– Experimenting on a project by performing internet and email forensic techniques.
– Extracting files from a device
– Finding any useful data/evidence on the suspected system.
– Analyzing it and using it as evidence in a court of law.
4. Duaa Shoukat
Digital Forensics
According to Ken Zatyko, digital forensics is defined as:
The application of computer science and investigative procedures for a legal purpose including the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
Digital Forensics process
– Collection
• Search Authority
• Chain of custody
• Imaging/Hashing Functions
– Examination
• Examination of data
• Tools validation
– Analysis
• Analysis of data and Repeatability (Quality Assurance)
– Reporting
• Final report and Possible Expert Presentation
5. Duaa Shoukat
Internet and Email Forensics (I)
• Email Forensics
– E-mail forensic analysis is used to study the source and content of e-mail messages as evidence, identifying the actual sender, recipient, and the date and time a message was sent, etc., in order to collect believable evidence to bring criminals to justice.
• Internet Forensics
– The investigation of criminal activity that has occurred on the Internet. It deals with the analysis of the origins, contents, patterns and transmission paths of email and Web pages, as well as browser history, Web server scripts and header messages.
• Goals
• To discover why the suspect has chosen the target machine
• To gather as much evidence of the criminal act as possible
• To obtain information that may narrow the list of suspects
• To document the damage caused by the crime
7. Duaa Shoukat
Environment setting
• Hardware used for investigation
On the hardware side I am using a Toshiba laptop with the following specification:
• Model: Toshiba Intel Core i3
• RAM: 4GB
• Processor: 2.13GHz, 2.13GHz
• Hard Drive (Internal): 500GB
• Operating System: Windows 8 64-bit
• Software used
• Accessdata FTK Imager 3.3.0.5
• Outlook OST File Viewer
• Kernel for OST to PST - Evaluation Version
• SysTools Outlook PST to PDF Converter
• Steganography tool – QuickStego
• BrowserHistorySpy
8. Duaa Shoukat
Alina Smith is working in HBL National Bank in Multan, Pakistan, for
many years as a corporate loan officer.
She suddenly resigned from the bank recently, without any reason.
After two to three days of her resignation the CEO of the Bank,
named John Marshall, suspected that Alina has used her position to
send confidential loan information to someone outside the bank by
using her official Email ID.
The bank has the policy to wipe the hard disk of resigned officer
with unrecoverable wipe tool.
Before wiping the entire disk this investigation must be carried out in
complete confidentiality due to FDIC Federal Deposit Insurance
Corporation requirement.
8
Case Scenario (I)
9. Duaa Shoukat
Case Scenario (II)
John knows a little about forensic investigations and has a relative, Duaa Shoukat, who is researching digital forensics.
John called her to investigate and prove Alina's crime, which was considered theft of confidential data.
The investigator's job in this case is to gather all the case-related data and proof of Alina Smith's theft, if attempted.
10. Duaa Shoukat
Case Challenges
• As an investigator my main challenges are:
• To find any data files that can prove the suspect's theft.
• To find files that contain information about the attempted theft.
• To find theft-related visited links and downloads.
• To examine all the data on the hard drive in logical drive C.
o Internet and email related data
• To record the chain of custody of the acquired evidence media in a report
• To store the original media or hard disk in a secure location
11. Duaa Shoukat
Data Collection
• After search authority
• I visited Alina Smith's office, collected the digital device she regularly used for financial work and removed the hard drive from her computer, a SONY PCG-3E2L.
• I placed the hard drive in an anti-static bag and transported it to my forensic laboratory.
• Imaging
• Imaging tool used: FTK Imager 3.3.0.5
• Image format selected: AFF
• Hard Drive
o Elapsed Time: 7 hours 32 minutes and 40 seconds
o Image file size: 72 GB
• Case Evidence Information
12. Duaa Shoukat
Data Imaging / Hashing process
• Hashes Verification
• Hashes matched
• I stored the original hard drive in a secure location after imaging/hashing.
13. Duaa Shoukat
Examining evidence image data (I)
• Tools validation
• Tools checked and working fine.
• I loaded the evidence images into FTK Imager and it showed the files in the Evidence Tree window from the images of the hard drive taken.
• The hard drive tree shows the following in the root folder.
14. Duaa Shoukat
Examining and extracting data (II)
• Files in Hard Drive (root folder)
• I exported the Users folder, as by default it contains the information about internet and email activities.
15. Duaa Shoukat
Examining extracted data
• In the Users folder, I found the folder named "Outlook":
Users/Alina/AppData/Local/Default/Microsoft/Outlook
• The folder contains only one Outlook data file, which contains all the data about email messages.
• alinasmithusa@gmail.com.ost file found
16. Duaa Shoukat
Evidence Analysis (I)
• Scanning the .ost file in OST viewer
• About 9 files found, all with the same .png attachment and containing no mail text
17. Duaa Shoukat
Evidence Analysis (II)
• I then converted the .ost files to .pst files using the OST to PST converter in order to export them as evidence. It is also used to recover corrupted files.
• After converting the files, I selected them for export in PDF format to view and analyze the attachment.
18. Duaa Shoukat
Evidence Analysis (III)
• After exporting the files into PDF, I checked the size of the attachment.
• The same file has a different size in each message. No one would guess that data may be hidden in the image.
19. Duaa Shoukat
Evidence Analysis (IV)
• The same attachment in every message suggests that steganography may have been applied to the picture to hide some sort of data.
• She loaded the attachment picture into QuickStego.
• Every picture shows different official data about the bank loan.
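The indicators the analysis relies on (one attachment name recurring across many messages, identical-looking images of different sizes, no message text) can be checked programmatically over exported messages. The following is an added example, not part of the original presentation: it builds a few constructed attachment-only messages, groups their attachments by filename, compares sizes and SHA-256 hashes, and also checks each PNG for bytes appended after the IEND chunk; the recipient, subjects, minimal PNG and appended payloads are constructed, and appended data is only one simple hiding method, so a clean trailing count does not rule out pixel-level steganography.

```python
import email, hashlib, zlib
from collections import defaultdict
from email import policy
from email.message import EmailMessage

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:  # length + type + data + CRC32(type+data)
    return len(data).to_bytes(4, "big") + ctype + data + zlib.crc32(ctype + data).to_bytes(4, "big")

# Constructed stand-in for the recovered image: signature, a 1x1 IHDR and IEND only.
BASE_PNG = PNG_SIG + _chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00") + _chunk(b"IEND", b"")
# Constructed payloads of differing length, appended after IEND to mimic hidden data.
PAYLOADS = [b"loan 1", b"loan record 22", b"loan record number 333"]

def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk: 0 for a clean PNG, -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = int.from_bytes(data[pos:pos + 4], "big"), data[pos + 4:pos + 8]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1

def build_sent_items() -> list:
    """Constructed Sent Items: attachment-only messages that all carry photo.png."""
    raws = []
    for n, payload in enumerate(PAYLOADS, 1):
        msg = EmailMessage()
        msg["From"], msg["To"] = "alinasmithusa@gmail.com", "outside-party@example.com"  # page mailbox; constructed recipient
        msg["Subject"] = f"photo {n}"
        msg.add_attachment(BASE_PNG + payload, maintype="image", subtype="png", filename="photo.png")
        raws.append(msg.as_bytes())
    return raws

def analyze(raw_messages: list) -> dict:
    """Per attachment filename: count, size spread, hash spread, trailing bytes, whether every mail lacked text."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        has_text = msg.get_body(preferencelist=("plain", "html")) is not None
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True)
            groups[part.get_filename()].append((len(data), hashlib.sha256(data).hexdigest(), png_trailing_bytes(data), has_text))
    return {name: {"count": len(items), "distinct_sizes": sorted({i[0] for i in items}),
                   "distinct_hashes": len({i[1] for i in items}), "max_trailing": max(i[2] for i in items),
                   "all_without_text": not any(i[3] for i in items)} for name, items in groups.items()}
```

A filename whose count is high while its sizes and hashes all differ, with no message text, is the pattern the slides describe and warrants the manual inspection shown above.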
20. Duaa Shoukat
Evidence Analysis (V)
I checked her browser history to prove that Alina Smith downloaded the steganography tool to attempt theft by applying steganography to a picture.
Users\Alina\AppData\Local\Google\Chrome\User Data\Default\History
21. Duaa Shoukat
Evidence Analysis (VI)
• Alina Smith visited these sites and downloaded the steganography tool from sourceforge.net:
• http://www.garykessler.net/library/steganography.html
• http://listoffreeware.com/list-of-best-free-steganography-software-for-windows/
• http://www.quickcrypto.com/free-steganography-software.html
Chrome Web History Report by BrowserHistorySpy
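Chrome's History file is an SQLite database whose urls and downloads tables record times as microseconds since 1601-01-01 UTC (WebKit time), which is why a viewer such as BrowserHistorySpy is used to read it. As an added example, not part of the presentation, the following Python builds a constructed in-memory subset of that schema holding the three URLs listed above, converts the timestamps, and lists keyword-matching visits and completed downloads in time order; the visit times, the loan-portal noise entry and the download filename are constructed, and the real History file has many more columns than this subset.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEYWORDS = ("steganography", "stego")

def webkit_to_utc(us: int) -> datetime:
    """Chrome stores times as microseconds since 1601-01-01 UTC, not as Unix time."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)  # exact integer division of timedeltas

def build_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History file (a subset of its urls/downloads columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               received_bytes INTEGER, total_bytes INTEGER, tab_url TEXT);""")
    t0 = datetime(2015, 10, 20, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    db.executemany("INSERT INTO urls(url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)", [
        ("http://www.garykessler.net/library/steganography.html", "Steganography", 2, utc_to_webkit(t0)),
        ("http://listoffreeware.com/list-of-best-free-steganography-software-for-windows/",
         "Best free steganography software", 1, utc_to_webkit(t0 + timedelta(minutes=4))),
        ("http://www.quickcrypto.com/free-steganography-software.html", "Free steganography software", 1,
         utc_to_webkit(t0 + timedelta(minutes=9))),
        ("http://intranet.example.com/loans", "Loan portal", 14, utc_to_webkit(t0 - timedelta(days=3))),  # constructed noise
    ])
    db.execute("INSERT INTO downloads(target_path, start_time, received_bytes, total_bytes, tab_url) VALUES (?, ?, ?, ?, ?)",
               (r"C:\Users\Alina\Downloads\stego-tool-setup.exe",  # constructed filename
                utc_to_webkit(t0 + timedelta(minutes=12)), 2_000_000, 2_000_000, "http://sourceforge.net/"))
    db.commit()
    return db

def keyword_report(db: sqlite3.Connection, keywords=KEYWORDS) -> list:
    """Time-ordered (utc_iso, kind, detail) for keyword-matching visits and every completed download."""
    cond = " OR ".join(["LOWER(url) LIKE ? OR LOWER(title) LIKE ?"] * len(keywords))
    params = [f"%{k}%" for k in keywords for _ in range(2)]
    events = [(t, "visit", url) for url, t in db.execute(f"SELECT url, last_visit_time FROM urls WHERE {cond}", params)]
    events += [(t, "download", f"{path} <- {src}") for path, t, src in
               db.execute("SELECT target_path, start_time, tab_url FROM downloads WHERE received_bytes = total_bytes")]
    return [(webkit_to_utc(t).isoformat(), kind, what) for t, kind, what in sorted(events)]
```

Against a real History file, open a copy of the extracted database rather than the original, since the timeline of research visits followed by a download is the sequence the slides use as evidence.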
22. Duaa Shoukat
Case Findings
• alinasmithusa@gmail.com.ost file is contained in the Outlook data folder.
• This file contains Alina Smith's sent messages.
• In the Sent Items folder:
o 9 e-mail messages with the same image attachment found
o Containing no text
o Data is hidden in the image attachment
o Steganography applied to hide confidential data
• Internet analysis shows the sites visited to gain knowledge about data hiding techniques.
• Steganography tool downloaded from the site sourceforge.net
23. Duaa Shoukat
Conclusion
This project showed how to apply and use digital forensics techniques and tools.
These skills help to find and analyze evidence from any suspected system.
This project shows that, in the event of a crime, a criminal's use of email and the internet is highly incriminating.
Even if the data is deleted from everywhere on your system, it will be found on the servers or paths you are using.