THE CASE:
The hazardous materials team is called suddenly at 3 a.m. on April 30 to a warehouse behind Roma St station in Brisbane. Team member Moti identifies the scene as a drug manufacturing location; the people there have hurriedly packaged up the loose powders they were working with, leaving traces on the floor and across many desk surfaces. Moti decides not to call the forensic squad in when he sees the drug traces, because he suspects the drug is at the top of the current most-dangerous list and he needs to take samples back to his lab for analysis before identifying it.
However, Moti is familiar with the protocol when there is a computer in the area, and calls his colleague Sandra, waking her at 3:17 a.m. to walk him through a capture of computer data for forensic analysis. He is able to shut down the laptop, and removes it from the scene along with several CDs found in the desk.
Later that day, Sandra analyzes the laptop and CDs in the police forensics lab. The computer runs Windows with only a basic Word document facility and Internet Explorer, and has software for showing DVDs and image files. No documents appear to have been stored on the machine. Three of the CDs are actually DVDs with recent movies. The fourth contains a binary file which is suspiciously large for a flash game.
Sandra makes three forensic copies of all the data and stores two of them safely in the lab. She then delegates the laptop and CDs to various staff members for analysis, distributing the third copy among them. As most of the staff are also involved in a large ongoing investigation, she decides to ask for the help of an additional team member who is holidaying overseas.
You receive a secure e-mail from Sandra with an attachment containing the binary flash program from the game CD, along with a request to analyse it as quickly as possible for any pertinent information, and an apology for interrupting your holiday.
You can download a copy of the binary file in the e-mail attachment from
You are also advised that the MD5 hash value of the executable file should be 126224c4e728f2a47ce361cc0185943f
Analyze this file and report your findings using the outline below. (For marking purposes, it is strongly recommended that you follow this outline.)
1. Explain how you downloaded the file, what precautions you took, and how you ensured its integrity. (1 mark)
2. Describe, including screenshots, the execution method, the execution behaviour and the possible origin of this binary file. (2 marks)
3. Describe how you decompressed the file to find further information about the downloaded file. Give a screenshot of your new findings. (4 marks)
4. Describe the actual content that you identified in Step 3. If there are multiple files, list their file names, types and MD5 hash values. (3 marks)
5. What tools will you now use to proceed with your investigation, and why? (1 mark)
6. Describe how your investigation proceeded at this point, including screenshots. (5 marks)
7. Write a two-page report for Sandra listing your findings and recommendations. Make appropriate suggestions on how a further investigation should proceed. Construct and complete a single-item evidence form as part of your report. (4 marks)
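As an added worked example (not part of the original brief), the script below covers the mechanical parts of steps 1, 3 and 4: checking the attachment's MD5 against the value quoted above, classifying a blob by its leading bytes rather than its file extension, and listing name, type and MD5 for each member of a ZIP or for the decompressed body of a zlib-compressed SWF. The signature table and the sample inputs in `build_samples()` are constructed assumptions, not real evidence.

```python
import hashlib
import io
import zipfile
import zlib

# MD5 quoted in the brief for the e-mail attachment.
EXPECTED_MD5 = "126224c4e728f2a47ce361cc0185943f"

# Leading-byte signatures for container types this scenario is likely to
# involve (an assumed, deliberately short list; extend as needed).
SIGNATURES = {
    b"MZ": "PE executable (Windows)",
    b"PK\x03\x04": "ZIP archive",
    b"FWS": "Flash SWF (uncompressed)",
    b"CWS": "Flash SWF (zlib-compressed)",
    b"ZWS": "Flash SWF (LZMA-compressed)",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def integrity_ok(data: bytes, expected: str = EXPECTED_MD5) -> bool:
    """Step 1: the attachment only counts as evidence if its MD5 matches the brief."""
    return md5_hex(data) == expected.lower()

def identify(data: bytes) -> str:
    """Step 2/4: classify by leading bytes, never by the name the file carries."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def inventory(data: bytes) -> list:
    """Step 3/4: unpack one layer and return (name, type, MD5) for each member."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
        return [(n, identify(b), md5_hex(b)) for n, b in members]
    if data.startswith(b"CWS"):
        # Only the 8-byte SWF header is stored in the clear; the rest is a zlib stream.
        body = zlib.decompress(data[8:])
        return [("<swf body>", "SWF body (decompressed)", md5_hex(body))]
    return [("<attachment>", identify(data), md5_hex(data))]

def build_samples() -> dict:
    """Constructed sample inputs (not real evidence) so the script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("game.swf", b"FWS\x06" + b"\x00" * 4)
        zf.writestr("notes.txt", b"abc")
    cws = b"CWS\x0a" + (11).to_bytes(4, "little") + zlib.compress(b"abc")
    return {"zip": buf.getvalue(), "cws": cws}
```

Run `inventory()` again on any member that `identify()` reports as a further container, so each unpacked layer gets its own name/type/hash row for the step 4 listing.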