FCC vs Jack Brown

Abstract: In this report I delineate the various nuances of computer forensics. The primary objective of the report is to excavate the truth behind the Jack Brown case. It also shows how difficult it is to negotiate the legal and technical hurdles that come in the way, and highlights the use of e-mail and the various tools that can reveal the cyber trail. Of special interest is how the various theories are put into practice.

Computer forensics plays a pivotal role in finding the criminal; it lets us go to the grassroots level of the crime and has become a very important part of criminal investigations. Since computers became mainstream, the need for a science that deals with the technology has become an issue for the judicial and legal system. Computer forensics is the specialized practice of investigating computer media for the purpose of discovering and analyzing available, deleted, or hidden information that may serve as useful evidence in a legal matter. (Steen, Hassell 2004)1

Since I have to regress and reconstruct the entire crime scene, the need to go back to the grassroots is clear. I have to stick with the basics of the conventional approach to cyber-crime. The processes involved in gathering, searching, seizing and admitting evidence must follow the rules of evidence and other official procedures.

But even before I could get my hands on the evidence I was informed of some really strange aspects of the case. They could not find fingerprints of the accused anywhere on the keyboard of the desktop. Another startling fact was that the thumb drive was formatted as FAT32 whereas the hard drive of the computer was formatted as NTFS. One practical consequence of the difference is that FAT32 stores a file's size in a 32-bit field, so it cannot hold a single file larger than 4 GiB minus one byte (4,294,967,295 bytes), whereas NTFS can. The hard drive of the laptop had been extensively tampered with: it had been removed from the motherboard and appeared to have been scratched with a knife or a screwdriver. The details are discussed further in the report.
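Identifying the file system of an image is the first thing an examiner checks before trusting what a suspect (or a label) says about a drive. The following added example, which is not part of the original report, reads the type directly from the first sector: NTFS carries its OEM ID at offset 3, FAT32 carries its type string at offset 0x52, and both end the sector with the 0x55AA signature. The boot sectors here are constructed samples, not captured from the case evidence, and the only fields populated are the ones the check needs.

```python
import struct

SECTOR = 512
# FAT32 stores a file's size in a 32-bit field: 4 GiB minus one byte is the ceiling.
FAT32_MAX_FILE_SIZE = 2**32 - 1


def make_fat32_boot_sector(bytes_per_sector=512, sectors_per_cluster=8):
    """Constructed sample: only the FAT32 boot-sector fields that matter here."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"            # jump instruction
    bs[3:11] = b"MSWIN4.1"               # OEM name (not the file system type)
    struct.pack_into("<HB", bs, 11, bytes_per_sector, sectors_per_cluster)
    bs[82:90] = b"FAT32   "              # file system type string at offset 0x52
    bs[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(bs)


def make_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8):
    """Constructed sample NTFS boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "               # NTFS puts its OEM ID at offset 3
    struct.pack_into("<HB", bs, 11, bytes_per_sector, sectors_per_cluster)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def identify_filesystem(boot_sector):
    """Return 'NTFS', 'FAT32', 'FAT16', 'FAT12' or 'unknown' from the first 512 bytes."""
    if len(boot_sector) < SECTOR or boot_sector[510:512] != b"\x55\xAA":
        return "unknown"
    if boot_sector[3:11] == b"NTFS    ":
        return "NTFS"
    if boot_sector[82:87] == b"FAT32":
        return "FAT32"
    if boot_sector[54:59] in (b"FAT16", b"FAT12"):   # FAT12/16 keep the type at 0x36
        return boot_sector[54:59].decode("ascii")
    return "unknown"


def cluster_size(boot_sector):
    """Bytes per cluster: the allocation unit that determines how much slack a file has."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot_sector, 11)
    return bytes_per_sector * sectors_per_cluster


def fits_on_fat32(size_bytes):
    """True if a file of this size can be copied onto a FAT32 volume at all."""
    return 0 <= size_bytes <= FAT32_MAX_FILE_SIZE


if __name__ == "__main__":
    for label, sector in (("thumb drive", make_fat32_boot_sector()),
                          ("desktop HDD", make_ntfs_boot_sector())):
        print(label, identify_filesystem(sector), cluster_size(sector), "bytes per cluster")
    print("3.6 GB file fits on FAT32:", fits_on_fat32(3_600_000_000))
    print("4 GiB file fits on FAT32:", fits_on_fat32(2**32))
```

On a real image the same check is run against the first 512 bytes of the partition (not of the whole disk, which begins with the partition table), and the result should be recorded in the examiner's notes alongside the cluster size, since that number bounds how much slack each file can carry.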

The first task that lay ahead of me was to create an image of the hard disk. This prevents any inadvertent damage to the evidence. The clone image is important because more than 160 files can be altered simply by turning a computer on, which can change or delete important evidence. Several things happen when a file is deleted. A status marker is set on the file's entry, meaning that its space is now available; but even though the file has been deleted, its content stays in the same spot, now called free or unallocated space, and remains there until another file is written over it.

Thus I could retrieve information from these deleted files accordingly. It also gave me the use of slack space, which is the unused portion of the last cluster allocated to a file, between the end of the file and the end of the cluster; it often still holds fragments of whatever was stored there before. It cannot be construed as garbage collection: nothing on the disk is cleared for you. This explains how critical it is to handle the storage judiciously. The execution of this tedious task obviously does not need a hammer and spanner. I duplicated the data using three different techniques. The reason for creating three duplicate copies was to make sure that if I lost data from one source I could always make use of the second, and if the second failed, the third.
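The two points above, that deletion only releases the space while the bytes stay put, and that the tail of a file's last cluster keeps older data as slack, are easiest to see on a tiny simulated volume. The following is an added example, not code from the original report: a toy cluster-addressed volume with a directory, a file carver that ignores the directory and looks for JPEG markers in unallocated clusters, and a demonstration that the deleted file is recoverable right up until a new file reuses its first cluster. The 705-byte "JPEG" is constructed, not a real image, and the 512-byte cluster is a chosen parameter.

```python
import hashlib

CLUSTER = 512                 # allocation unit of the toy volume (real FAT32: 512 B to 32 KiB)
JPEG_SOI = b"\xFF\xD8\xFF"    # JPEG start-of-image marker
JPEG_EOI = b"\xFF\xD9"        # JPEG end-of-image marker


def clusters_needed(size):
    return -(-size // CLUSTER)   # ceiling division


class ToyVolume:
    """Cluster-addressed storage with a directory: enough to show what deletion
    does (frees the entry and the clusters) and does not do (touch the bytes)."""

    def __init__(self, cluster_count):
        self.cluster_count = cluster_count
        self.data = bytearray(CLUSTER * cluster_count)
        self.directory = {}          # name -> (start_cluster, size_in_bytes)
        self.allocated = set()       # cluster numbers in use by live files

    def _find_free_run(self, needed):
        run = 0
        for c in range(self.cluster_count):
            run = 0 if c in self.allocated else run + 1
            if run == needed:
                return c - needed + 1
        raise OSError("volume full")

    def write_file(self, name, content):
        needed = clusters_needed(len(content))
        start = self._find_free_run(needed)
        offset = start * CLUSTER
        # Only len(content) bytes are written; the tail of the last cluster is
        # untouched, so whatever was there before survives as file slack.
        self.data[offset:offset + len(content)] = content
        self.allocated.update(range(start, start + needed))
        self.directory[name] = (start, len(content))

    def delete_file(self, name):
        # Like FAT's 0xE5 marker or NTFS clearing the MFT in-use flag: the entry
        # goes and the clusters return to the free pool, but no content is overwritten.
        start, size = self.directory.pop(name)
        self.allocated.difference_update(range(start, start + clusters_needed(size)))

    def slack_bytes(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        _, size = self.directory[name]
        return (-size) % CLUSTER

    def slack_content(self, name):
        start, size = self.directory[name]
        end_of_file = start * CLUSTER + size
        end_of_cluster = (start + clusters_needed(size)) * CLUSTER
        return bytes(self.data[end_of_file:end_of_cluster])


def carve_jpegs(volume):
    """Scan unallocated clusters for a JPEG header and cut each image out up to
    its end marker, using no directory information at all."""
    recovered = []
    for c in range(volume.cluster_count):
        if c in volume.allocated:
            continue
        start = c * CLUSTER
        if volume.data[start:start + 3] == JPEG_SOI:
            end = volume.data.find(JPEG_EOI, start)
            if end != -1:
                recovered.append(bytes(volume.data[start:end + 2]))
    return recovered


def demo():
    vol = ToyVolume(cluster_count=8)
    photo = JPEG_SOI + b"A" * 700 + JPEG_EOI            # constructed 705-byte "JPEG", 2 clusters
    vol.write_file("photo.jpg", photo)
    original_md5 = hashlib.md5(photo).hexdigest()

    vol.delete_file("photo.jpg")                        # gone from the directory...
    after_delete = carve_jpegs(vol)                     # ...but still carvable from free space
    recovered_ok = (len(after_delete) == 1
                    and hashlib.md5(after_delete[0]).hexdigest() == original_md5)

    vol.write_file("notes.txt", b"meeting at 10")       # reuses cluster 0, clobbering the header
    after_overwrite = carve_jpegs(vol)
    return {
        "recovered_after_delete": recovered_ok,
        "recovered_after_overwrite": len(after_overwrite),
        "slack_bytes": vol.slack_bytes("notes.txt"),                  # 512 - 13 = 499
        "slack_holds_old_data": vol.slack_content("notes.txt")[:4] == b"AAAA",
    }


if __name__ == "__main__":
    print(demo())
```

The second write is the reason imaging comes first and the original is never booted: the 13-byte note destroyed the recoverable photo, yet 499 bytes of the old file are still sitting in the note's slack, which is exactly what a sector-level image preserves and a file-by-file copy loses.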

The easiest way for me to duplicate the data was to use a standalone hard drive duplicator.

I followed it up by using FTK Imager to make a redundant copy of the data for the second time. The Forensic Toolkit Imager (FTK Imager) is a forensic imaging software package distributed by AccessData. FTK Imager supports storage of disk images in EnCase's or SMART's file format, as well as in raw (dd) format. With IsoBuster technology built in, FTK Imager images CDs to an ISO/CUE file combination; this also covers multi-session and open-session CDs.

The best part of creating the image this way is that it is a physical, sector-level copy of the whole drive, so unallocated and slack space come along with it instead of only the files a logical copy would capture. But there was a subsequent disadvantage. I had two computers to deal with: one was a Macintosh and the other ran Windows Vista. To make sure that I had created the image correctly I had to use a hardware write-blocking device, thus ensuring that neither OS (Macintosh or Windows Vista) wrote anything to the evidence drive.

Finally, verification of whether the imaging had been done properly was taken care of by MD5 hashing.

But irrespective of the verification of the data, the files have to be subjected to hashing to ensure that the evidence is in its original state. Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashing is used to index and retrieve items in a database because it is faster to find an item using the shorter hashed key than using the original value, and it is also used in many cryptographic algorithms and protocols. For evidence the relevant property is that of a cryptographic hash (MD5, SHA-1, SHA-256): changing even a single bit of the input produces a different value, so matching hashes of the original drive and the image show that the image is a faithful copy, and a later mismatch shows that something has been altered.
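The acquisition and verification steps described above (copy the drive block by block through a write blocker, hash the source and the image, compare) can be shown end to end in a few lines. The following is an added example and not the report's own procedure; it stands in for `dd` plus `md5sum` with a temporary file in place of the evidence device, hashes the data as it streams past so the source is read only once, and then flips a single byte of the image to show the verification failing. It records SHA-256 beside MD5 because MD5 collisions are practical today and an examiner should not rely on MD5 alone; the sample content is constructed.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")   # MD5 as in the report, plus a stronger hash recorded beside it


def copy_and_hash(src_path, dst_path, block_size=4096):
    """Block-for-block copy of a device or file (what `dd if=... of=... bs=4096` does),
    hashing every block on the way so the source is read exactly once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, block_size=4096):
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(acquisition_hashes, image_path):
    """The image is acceptable only if every recorded hash matches; one mismatch fails it."""
    image_hashes = hash_file(image_path)
    return all(image_hashes[name] == acquisition_hashes[name] for name in ALGORITHMS)


def flip_one_byte(path, offset=1000):
    """Simulate an accidental write to the image (the thing a write blocker prevents on the original)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)
        f.seek(offset)
        f.write(bytes([byte[0] ^ 0x01]))


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.bin")   # stands in for /dev/sdb behind a write blocker
        image = os.path.join(workdir, "evidence.dd")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 64)                # constructed 16 KiB of sample content
        acquisition_hashes = copy_and_hash(evidence, image)
        verified_before = verify_image(acquisition_hashes, image)
        flip_one_byte(image)
        verified_after = verify_image(acquisition_hashes, image)
        return {
            "md5": acquisition_hashes["md5"],
            "sha256": acquisition_hashes["sha256"],
            "source_matches_image_hash": hash_file(evidence) == acquisition_hashes,
            "verified_before_tamper": verified_before,
            "verified_after_tamper": verified_after,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hashes returned by `copy_and_hash` are the values that belong in the evidence log at acquisition time; every later verification, including the one done before the image is handed to another examiner, is a fresh `hash_file` of the image compared against that log entry.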

The following hash values were retrieved to confirm the integrity of the data. The importance of these values cannot be ignored.

But these hash values and backup data could only be created for the desktop. The hard drive of the laptop is tampered with yet workable. The picture below provides ample evidence to corroborate my claim.

Thus the other important piece of material I was left with was the RAM, or random access memory. It comes as no surprise that RAM is volatile and can easily be overwritten, so I had to be circumspect while trying to retrieve information from the volatile memory.
RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltage, operating temperature and duration of data storage increase. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.6

Analysis of open ports, mapped hard drives and encrypted file systems over an active VPN connection is only possible as long as the computer has not been shut down. But unfortunately luck was not on our side, and there was nothing available from either the hard drive or the RAM that could be produced as evidence.

Since I had access to his computer's hard drive one would expect the job to be easy, but this was not the case. One would assume his life was like an open book. On the contrary, there wasn't any concrete evidence to be seen or left behind on his computer.

According to preliminary reports there had not been any kind of intrusion. The primary accused, Jack Brown, allegedly acquired the password. This is corroborated by the absence of any evidence of unauthorized access by hacking. But there can't be smoke without fire.

The investigation had hit a roadblock. With both computers showing nothing unusual, there was hardly anything that could corner the suspect. The judicious use of both computers suggests two possibilities: either he is innocent, or he took calculated risks while carrying out the theft.

The chances of the first case were grim, as there was certainly something peculiar about the way the files had been stored. I was now desperately in need of a lead. Much to my relief, the answer came as a blessing in disguise: the BlackBerry of the accused came alive with an SMS.

What was a bit strange was that there were no messages in the inbox or in the sent folder, nor were there any e-mails. That instantly caught my eye. In the effort to unearth the truth it turned out that the BlackBerry had a lot more to offer than expected. On consulting my colleagues I learnt that a call to the service provider could fetch me more details. I called the service provider and managed to obtain the last messages sent to the accused's cell phone. Everything in those messages seemed normal until my eyes lit up on seeing the name of Irfan Chandrek, asking the accused to forward the details to Shaheer. Irfan Chandrek is allegedly the same person from whom the accused managed to sneak the password. This very fact set alarm bells ringing in my mind.

I decided to go through the e-mail account of the accused to find out the relation between the accused Jack Brown, Shaheer and Irfan. By employing AccessData's Forensic Toolkit I managed to retrieve information from RAM and the registry, and subsequently the last accessed e-mail websites with their respective logins and passwords. Thus I obtained jack_brown@hotmail.com, whose password is anchorage.

This became the first lead and the case got cracking. The name of Shaheer, which had cropped up earlier, was all over the alleged e-mail account. The next task was to retrieve information about this alleged accomplice, who was a stockbroker.

Electronic mail and instant messages can be important evidence to find. They provide a more realistic view of the candor of a person because of their ubiquitous use and informality. Both technologies require a client program and a server. The client program may be resident on a user's PC and store data on the hard drive, or the client may be web-based. Web-based clients often do not leave a complete data trail on the PC itself and may require an investigator to harvest this data from the server or servers involved in the transmission of the message. When trying to recover data from a server, I had to determine the data storage structure being used and the size of the composite data storage pool, and I had to ensure that I had appropriate authorization to work on the server. I had to compose a good plan with realistic values for time and storage requirements before beginning a forensic review of a server. E-mail headers and IM logs provide additional sources of possible data locations, such as the recipient's and sender's PCs and intermediate servers. Tracing the IP addresses may involve the use of regional Internet registries, such as ARIN, to determine the registered owner of an IP address range and a contact address for that owner.
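Reading a message's Received chain is the header technique the paragraph above refers to, and it has one trap worth building into the tool: each mail server prepends its own Received line, so the chain is read bottom-up to follow the path from origin to recipient, and only the line added by the investigator's own server can be trusted, since the sender controls everything below it. The following added example, not code from the original report, parses a constructed message with Python's standard `email` module, lists the hops in transit order, flags which hop is trustworthy, and picks out the first publicly routable address, which is where a registry lookup (ARIN, RIPE, APNIC) would start. All hosts and addresses in the sample are fictional documentation ranges, and the private-range list is an explicit RFC 1918 check rather than `ipaddress.is_private`, because the latter also treats documentation ranges as private.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; hosts and addresses are documentation ranges, not case data.
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby mail.investigator.example (Postfix) with ESMTPS id 4F2A1B
\tfor <case@investigator.example>; Mon, 02 Mar 2009 10:04:31 -0500
Received: from webmail.example.com (webmail.example.com [198.51.100.20])
\tby mx2.example.net with ESMTP; Mon, 02 Mar 2009 10:04:29 -0500
Received: from [192.168.1.23] (unknown [192.168.1.23])
\tby webmail.example.com with HTTP; Mon, 02 Mar 2009 10:04:20 -0500
X-Originating-IP: [192.0.2.44]
From: "S." <sender@example.com>
To: recipient@example.com
Subject: details
Message-ID: <a1b2c3@webmail.example.com>

Please forward the details.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Addresses that can never be looked up in a registry: RFC 1918, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def received_chain(raw):
    """Hops in transit order (origin first). The top Received header is the newest,
    added by the receiving server, so the list is built from the headers reversed.
    Only that last hop is marked trusted; the sender could have forged the rest."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = msg.get_all("Received") or []
    hops = []
    for idx, header in enumerate(reversed(headers)):
        text = " ".join(str(header).split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+)", text)
        ips = IPV4.findall(text)
        hops.append({
            "from": m.group(1) if m else None,
            "ip": ips[0] if ips else None,
            "routable": bool(ips) and is_routable(ips[0]),
            "trusted": idx == len(headers) - 1,
        })
    return hops


def first_routable_hop(raw):
    """First public address on the path: the starting point for a whois lookup."""
    for hop in received_chain(raw):
        if hop["routable"]:
            return hop["ip"]
    return None


def originating_ip(raw):
    """Some webmail providers add the client's address in X-Originating-IP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    value = msg.get("X-Originating-IP")
    m = IPV4.search(str(value)) if value else None
    return m.group(0) if m else None


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(hop)
    print("first routable hop:", first_routable_hop(RAW_MESSAGE))
    print("X-Originating-IP:", originating_ip(RAW_MESSAGE))
```

In the sample the origin is a private address behind the webmail server, so the registry lookup has to target the webmail provider's address, and the provider is then asked (with the Message-ID and timestamp from the trusted hop) for the account that submitted the message.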

I decided to stick with the e-mail headers. The snapshots below show how the information about the other two alleged accomplices was retrieved.

The following snapshot is of special importance because it is from here that we learn that a transaction took place through PayPal between Shaheer and Jack Brown. Another thing that cannot be ignored is the address: it is in New York, right in the centre of Manhattan, close to NASDAQ and one of the renowned places for brokers. It can now be stated without doubt that the alleged fraudster Jack Brown was significantly involved in an alliance with an accomplice named Shaheer.

One thing the evidence found has made clear is that Jack Brown is guilty. But the nature of the alliance between Jack Brown, Irfan Chandrek and Shaheer is still unknown. To derive this relationship I decided to set a trap for Shaheer by setting up a telephone interview.

Shaheer: Hello.
Me: Hello, my name is ______ and I wish to buy some shares from you. I've actually been given your reference by Irfan Chandrek. Can we fix an appointment?
Shaheer: Yes. Irfan is a very dear friend of mine. We can discuss your financial matters at my office tomorrow.
Me: Thank you.
The next morning I head to New York with a team of undercover policemen. I also carry a pocket recorder to keep track of my conversation.
Me: Hi, I'm _____. Yesterday I spoke to you on the phone regarding buying some shares.

Shaheer: Oh yes, welcome. It is a pleasure to meet you.
Me: So Shaheer, what are the chances of my making profits?
Shaheer: Almost 100% if you go by my guidelines.
Me: How can you be so sure?
Shaheer: I guess I'm an expert and I know how the market moves up and down the hill.
Me: So you have sources who tell you when the market is going up and going down?
Shaheer: What do you mean?
Me: Remember Jack Brown? He's arrested. So will you be. But I can partially save you if you are ready to divulge the details to me of how you, Jack and Irfan carried out this whole process.
Shaheer: You can't do that. You are lying. You have no evidence against either of us.

Me: Yes, I do. I have the details of the commission you paid Jack via PayPal. You are cornered. Accept it. I'm offering you a chance by making you a defense witness if you spill out the entire details. Now I've understood that you cannot whistle a symphony alone. You need an orchestra. So tell me your band members.

Shaheer (crying): It was Jack's idea. He came up with this idea saying that the distance from heaven to earth is not measured in altitude but by your attitude. He assured me that everything would go smoothly. He would get the information from his office computers and then transfer it to his PC at home, which uses a Linux server and is thus safer. There would be no evidence left. Since the audit team would never find anything outlandish on his office PC, he would be off the hook and could never be trapped.

Me: How is Irfan involved?
Shaheer: Irfan's PC has all the details. It is the only PC which is formatted as FAT32. Since the policies of the company prohibit reformatting the PC, it was decided that Irfan would forward the details to Jack on a thumb drive. In this way the money that I made would be shared with both of them.
 
The details of the interview provide ample proof that all three of them are guilty, and the bulk of the evidence lies in Jack's PC, which is kept in the basement. It is imperative to grant permission to access this confidential information for the betterment of the company.
