Research Project 2: Forensic Challenge Axel Puppe & Joeri - - PowerPoint PPT Presentation


SLIDE 1


Research Project 2: Forensic Challenge

Axel Puppe & Joeri Blokhuis June 30, 2010

Axel Puppe & Joeri Blokhuis Research Project 2: Forensic Challenge

SLIDE 2

Outline

◮ Introduction
◮ Method
◮ FAT Walker
◮ Xarver
◮ Investigation
◮ Conclusion

SLIDE 3

Digital Forensic Research Workshop (DFRWS)

◮ Founded in 2001, annual meeting
◮ Advancing digital forensic science
◮ Target crowd:
  ◮ University researchers
  ◮ Computer forensic examiners
  ◮ Analysts
◮ Since 2005 annual challenge

SLIDE 4

Scenario

◮ Suspected arms dealer
◮ Recovered phone from canal (memory dumps)
◮ Questions:
  ◮ Evidence connecting suspect to the sale of arms
  ◮ Evidence of the receipt of payment
  ◮ Recovery of any other leads: individuals, companies, or bank accounts

SLIDE 5

What information can be expected in a mobile phone?

◮ Phone data
  ◮ Log
    ◮ Phone calls
    ◮ Text messages
  ◮ Calendar
    ◮ Appointments
    ◮ Reminders
    ◮ Birthdays
  ◮ Address book
◮ File data
  ◮ Multimedia files
    ◮ Audio
    ◮ Video
    ◮ Photos
  ◮ Documents
◮ Internet data
  ◮ Browser
    ◮ History
    ◮ Cache
    ◮ Bookmarks
  ◮ E-mail
    ◮ Sent
    ◮ Received
    ◮ Drafts
    ◮ Deleted
    ◮ Account settings
  ◮ Instant messaging

SLIDE 6

◮ Standard forensic tools
◮ Developed forensic tools
  ◮ FAT Walker
  ◮ Xarver

SLIDE 7

Standard Forensic tools

◮ Unsuccessful: Autopsy/Sleuthkit, EnCase, FTK, Paraben Cell Seizure, pyflag
◮ Beneficial: Scalpel (carving), standard Linux commands (strings, file, grep), Google Goggles.

Figure: Picture taken and identified by Google Goggles

SLIDE 8

FAT

◮ Extract Directory Table Entries
  ◮ On physical memory dumps
  ◮ Filenames/Extension, MAC times (Modified/Access/Creation)
◮ Benefits for a forensic investigator:
  ◮ Initial research
  ◮ Possible user behaviour on the phone
  ◮ Last created files
  ◮ Build an absolute path (depending on the parent and current directory)
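How a directory-table scan of the kind this slide describes can be done, as an added example that is not FAT Walker's own code: it walks a raw dump in 32-byte slots, validates each slot as an 8.3 directory entry, decodes the packed creation/modification/access timestamps, flags deleted entries (first name byte 0xE5, which is why the first character of a deleted name is lost) and rebuilds absolute paths from the "." and ".." entries that open every sub-directory table. The sample dump, its file names and its 2008/2010 dates are constructed for the demonstration; `SAMPLE_DUMP`, `walk_dump`, `with_paths` and `timeline` are this example's own names, not FAT Walker's.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32
ATTR_LFN = 0x0F          # long-file-name pseudo-entry: carries no timestamps, skipped
ATTR_DIRECTORY = 0x10
# Bytes an 8.3 short name may hold ('.' admitted only so the '.'/'..' entries parse).
_NAME_OK = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .!#$%&'()-@^_`{}~")

def fat_datetime(date_raw, time_raw=0, tenths=0):
    """Decode a FAT packed date/time; None for a zero date or an impossible value."""
    if date_raw == 0:
        return None
    year, month, day = 1980 + (date_raw >> 9), (date_raw >> 5) & 0x0F, date_raw & 0x1F
    hour, minute = time_raw >> 11, (time_raw >> 5) & 0x3F
    second = (time_raw & 0x1F) * 2 + tenths // 100
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:        # month 0, day 32, hour 31 ...: not a real entry
        return None

def parse_entry(raw):
    """Parse one 32-byte slot; return a dict if it passes as an 8.3 directory entry."""
    if len(raw) != ENTRY_SIZE or raw[0] == 0x00:
        return None
    (name, attr, _res, tenths, ctime, cdate, adate, clus_hi,
     wtime, wdate, clus_lo, size) = struct.unpack("<11sBBBHHHHHHHI", raw)
    if attr == ATTR_LFN or attr & 0xC0:          # attribute bits 6-7 are reserved (0)
        return None
    deleted = name[0] == 0xE5                    # 0xE5 in the first byte: deleted entry
    if any(b not in _NAME_OK for b in (name[1:] if deleted else name)):
        return None
    created, modified = fat_datetime(cdate, ctime, tenths), fat_datetime(wdate, wtime)
    if (cdate and created is None) or (wdate and modified is None) or not (created or modified):
        return None                              # undecodable or entirely missing timestamps
    base, ext = name[:8].decode("latin-1").rstrip(), name[8:].decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]                    # the first character is lost on deletion
    return {"name": base + ("." + ext if ext else ""), "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY), "cluster": (clus_hi << 16) | clus_lo,
            "size": size, "created": created, "modified": modified,
            "accessed": fat_datetime(adate)}

def walk_dump(data, step=ENTRY_SIZE):
    """Yield (offset, entry) for every slot that parses; step=1 handles unaligned dumps."""
    for off in range(0, len(data) - ENTRY_SIZE + 1, step):
        entry = parse_entry(data[off:off + ENTRY_SIZE])
        if entry:
            yield off, entry

def with_paths(hits):
    """Add an absolute path to each hit from the '.'/'..' entries of its table."""
    hits = list(hits)
    dir_name, dir_parent, table_of = {}, {}, {}
    current, prev_off = None, None               # None: root table (it has no '.' entry)
    for off, entry in hits:
        if prev_off is None or off != prev_off + ENTRY_SIZE:
            current = None                       # a gap between slots starts a new table
        if entry["name"] == ".":
            current = entry["cluster"]           # the table's own cluster number
        elif entry["name"] == "..":
            if current is not None:
                dir_parent[current] = entry["cluster"]   # cluster 0 here means the root
        elif entry["is_dir"]:
            dir_name[entry["cluster"]] = entry["name"]
        table_of[off], prev_off = current, off

    def path_of(cluster, depth=0):
        if cluster in (None, 0) or depth > 64:   # root, or a broken parent chain
            return ""
        name = dir_name.get(cluster, "<cluster %d>" % cluster)
        return path_of(dir_parent.get(cluster), depth + 1) + "/" + name

    for off, entry in hits:
        entry["path"] = path_of(table_of[off]) + "/" + entry["name"]
    return hits

def _entry(name, ext, attr, cluster, size, stamp):
    """Pack one directory entry for the constructed sample dump below."""
    date = ((stamp.year - 1980) << 9) | (stamp.month << 5) | stamp.day
    time = (stamp.hour << 11) | (stamp.minute << 5) | (stamp.second // 2)
    raw_name = name.encode("latin-1").ljust(8) + ext.encode("ascii").ljust(3)
    return struct.pack("<11sBBBHHHHHHHI", raw_name, attr, 0, 0, time, date, date,
                       cluster >> 16, time, date, cluster & 0xFFFF, size)

T2008, T2010 = datetime(2008, 5, 1, 12, 0, 0), datetime(2010, 6, 12, 18, 30, 0)
EMPTY = b"\x00" * ENTRY_SIZE                      # unused slot: ends a table
# Constructed sample: root table, the DCIM table, the 100PHOTO table with one deleted JPG.
SAMPLE_DUMP = (
    _entry("DCIM", "", ATTR_DIRECTORY, 3, 0, T2008)
    + _entry("README", "TXT", 0x20, 5, 120, T2008) + EMPTY
    + _entry(".", "", ATTR_DIRECTORY, 3, 0, T2008)
    + _entry("..", "", ATTR_DIRECTORY, 0, 0, T2008)
    + _entry("100PHOTO", "", ATTR_DIRECTORY, 4, 0, T2008) + EMPTY
    + _entry(".", "", ATTR_DIRECTORY, 4, 0, T2008)
    + _entry("..", "", ATTR_DIRECTORY, 3, 0, T2008)
    + _entry("IMG_0001", "JPG", 0x20, 7, 204800, T2010)
    + _entry("\xe5MG_0002", "JPG", 0x20, 9, 98304, T2010) + EMPTY
)

def timeline(data):
    """Files and directories in data, oldest creation first, dot entries dropped."""
    found = [e for _, e in with_paths(walk_dump(data)) if e["name"] not in (".", "..")]
    return sorted(found, key=lambda e: (e["created"] or e["modified"], e["path"]))
```

`timeline(SAMPLE_DUMP)` returns the three 2008 entries first and the two 2010 photos last, the deleted one shown as `/DCIM/100PHOTO/?MG_0002.JPG`; that ordering is the "last created files" view the slide mentions. Only short names are recovered because long-file-name entries are skipped, and a parent chain that cannot be resolved is printed as `<cluster N>` rather than guessed.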

SLIDE 9

Screenshot

◮ Memory dump 1:
  ◮ Only two distinct MAC times
◮ Memory dump 2:
  ◮ Clear gap from 2008 to 2010
  ◮ Top files created since 2010: JPG, BIN, DAT and XML.
◮ Not updated: Access and Modification time
◮ Decide possible focus!

SLIDE 10

XML

<?xml version="1.0" encoding="UTF-8" ?>
<Forensics>
  <Unit>
    <Name> The Netherlands Forensic Institute </Name>
    <City> The Hague </City>
  </Unit>
  <Unit>
    <Name> New Scotland Yard </Name>
    <City> London </City>
  </Unit>
</Forensics>

SLIDE 11

XML

◮ XML Usage:
  ◮ Sim Cards
  ◮ Databases
  ◮ Open Office XML
  ◮ Mobile phone (Android) applications
  ◮ And more. . .
◮ Xarver features:
  ◮ Read raw data
  ◮ Build XML tree
  ◮ Deal with damaged XML
  ◮ Gives offsets of original data
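Carving XML out of raw bytes along the lines of the feature list above (read raw data, build a tree, cope with damaged XML, report the offset of the original data), as an added example that is not Xarver's own code: it locates candidate fragments by their declaration or first start tag, cuts each candidate at the first control byte, walks the tags with a stack, and, when the document is truncated, keeps the trailing text and appends the missing end tags so that `xml.etree` can still build a tree. The sample dump is constructed: one intact copy of the XML on the previous slide, binary noise, and a second copy cut off in the middle of a value; `carve_xml`, `extract_fragment`, `text_prefix`, `units` and `SAMPLE_DUMP` are names chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# An XML declaration or a start tag marks a candidate fragment in the raw data.
START_RE = re.compile(rb"<\?xml[^>]*\?>|<[A-Za-z_][\w.:-]*[\s/>]")
# Start, end or self-closing tags (comments, CDATA and processing instructions are not handled).
TAG_RE = re.compile(rb"<(/?)([A-Za-z_][\w.:-]*)[^<>]*?(/?)>")

def text_prefix(buf):
    """Cut buf at the first byte that cannot occur in XML text (a control byte)."""
    for i, b in enumerate(buf):
        if b < 0x20 and b not in (0x09, 0x0A, 0x0D):
            return buf[:i]
    return buf

def extract_fragment(chunk):
    """First element in chunk as (xml_bytes, damaged, consumed_bytes), or None.
    A truncated element keeps its trailing text and gets its open tags closed."""
    decl = re.match(rb"\s*<\?xml[^>]*\?>", chunk)
    body_start = last_end = decl.end() if decl else 0
    stack = []
    for m in TAG_RE.finditer(chunk, body_start):
        closing, name, self_closing = m.group(1), m.group(2), m.group(3)
        if closing:
            if not stack or stack[-1] != name:
                break                            # end tag out of order: stop here
            stack.pop()
        elif not self_closing:
            stack.append(name)
        last_end = m.end()
        if not stack:
            return chunk[:last_end], False, last_end     # complete element
    if last_end == body_start:
        return None                              # no element at all
    tail = chunk[last_end:].split(b"<", 1)[0]    # trailing text, minus a partial tag
    closers = b"".join(b"</%s>" % n for n in reversed(stack))
    return chunk[:last_end] + tail + closers, True, last_end + len(tail)

def carve_xml(data, max_len=1 << 16):
    """Scan raw bytes for XML; one record per fragment with its offset in the dump."""
    found, pos = [], 0
    while True:
        m = START_RE.search(data, pos)
        if m is None:
            return found
        start = m.start()
        frag = extract_fragment(text_prefix(data[start:start + max_len]))
        if frag is None:
            pos = start + 1
            continue
        xml_bytes, damaged, consumed = frag
        try:
            tree = ET.fromstring(xml_bytes)
        except ET.ParseError:                    # still malformed (bad entity, encoding ...)
            tree = None
        found.append({"offset": start, "length": consumed, "damaged": damaged,
                      "root": tree.tag if tree is not None else None, "tree": tree})
        pos = start + consumed

# Constructed sample dump: the slide's document intact, binary noise, then a second
# copy truncated in the middle of a value, as a partly overwritten page would leave it.
INTACT = (b'<?xml version="1.0" encoding="UTF-8" ?><Forensics><Unit><Name> The Netherlands '
          b'Forensic Institute </Name><City> The Hague </City></Unit><Unit><Name> New Scotland '
          b'Yard </Name><City> London </City></Unit></Forensics>')
TRUNCATED = b'<?xml version="1.0"?><Forensics><Unit><Name>New Scotland Yard</Name><City>Lon'
NOISE = b"\x00\xff\x13\x7e\x00\x01\xd8\xff"
SAMPLE_DUMP = NOISE + INTACT + NOISE * 3 + TRUNCATED + NOISE

def units(record):
    """(Name, City) pairs from a carved <Forensics> tree; an unparsable record gives []."""
    if record["tree"] is None:
        return []
    return [((u.findtext("Name") or "").strip(), (u.findtext("City") or "").strip())
            for u in record["tree"].findall("Unit")]

if __name__ == "__main__":
    for r in carve_xml(SAMPLE_DUMP):
        flag = " (repaired)" if r["damaged"] else ""
        print("offset %d%s: <%s> %s" % (r["offset"], flag, r["root"], units(r)))
```

The second record comes back with `damaged` set and the city recovered as `Lon`, which is the honest result: the tree is usable for reporting, but the `offset` and `length` fields are what let an examiner go back to the raw bytes and confirm what was really there. Markup this scanner does not model (comments, CDATA sections, entities) is the first thing to extend for real dumps.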

SLIDE 12

Screenshot

SLIDE 13

Combining the tools

SLIDE 14

Xarver results

◮ MMS
  ◮ Subjects: Look at this, This?, Contact, . . .
◮ Email
  ◮ Subjects: Buy, Engine, Payment, . . .
◮ Email Settings
  ◮ Email address
  ◮ Username
  ◮ Password
  ◮ And more. . .
◮ Call log

SLIDE 15

Pictures

SLIDE 16

Conclusion

◮ Evidence connecting suspect to the sale of arms
  ◮ Found emails + pictures
◮ Evidence of the receipt of payment
  ◮ Suspected email (subject: ‘payment’)
◮ Recovery of any other leads: individuals, companies, or bank accounts
  ◮ Individuals yes, Companies/Bank account(s) nothing so far. . .

SLIDE 17

Questions

Questions?