College of Technological Innovation
MSIT 10, CIT 530 Cyber Forensics
Lab 1: Bag & Tag
Supervised by:
Dr. Farkhund Iqbal Ms. Mona Bader
Prepared By
Musaab Hasan Zayed Balbahaith Abdulrahman Sabbagh
M80006988@zu.ac.ae M80007225@zu.ac.ae M80007043@zu.ac.ae
August 24, 2016
Table of Contents
Executive Summary
Investigative Scenario
Objectives
Procedures
  A. Identification of Expected Useful Evidences
  B. Distributing tasks and duties among team members
  C. Securing the crime scene
  D. Disconnecting remote access and peripherals connections
  E. Drawing rough sketch for the crime scene
  F. Capturing, documenting, and seizing evidences
  G. Updating the sketch
  H. Handing seized items to the authorities
Analysis of seized evidences
  Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
  Evidence I: A-Data USB flash drive
  Evidences B, F, G: Handwritten notes on multiple evidences
  Evidence E: Imation 1.44MB Floppy disk
  Evidence D: MSDN Windows 2000 CD
  Evidences A, C: Journals and Magazines
Conclusions and Recommendations
References
Appendices
List of Figures
Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab
Figure 2: Crime scene picture before starting the seizure process
Figure 3: Removing network connections to prevent altering the data through remote connection
Figure 4: Crime scene sketch
Figure 5: Seized evidences in the anti-static bags
Figure 6: Seized hard disk
Figure 7: Seized USB flash drive
Figure 8: Pictures for the evidences that included handwritten notes
Figure 9: The seized Floppy disk with a label of "@GoD"
Figure 10: Seized CD
Figure 11: Seized magazines and journals pictures
Executive Summary
This report presents the work done in the Bag and Tag lab by the members of
group #3. The crime scenario is described in the Investigative Scenario section.
The procedures followed for tagging and seizing evidences are given in the
Procedures section. The Analysis of seized evidences section presents the
reasoning followed in determining the main evidences, their importance
according to the triage concept, and their relation to the crime, to provide
the investigators with useful details about the crime. A set of conclusions and
recommendations for the process of seizing evidences is listed in the
Conclusions and Recommendations section. The references used in conducting the
lab and writing the report are given in the References section. All processing
forms that were filled in and completed by the team are attached to this report
in the Appendices section.
Investigative Scenario
A search and seizure warrant notice was received for seizing and documenting
evidence in a child pornography case. The person involved in the case was
chatting with a 13-year-old girl. At the crime scene, a computer system was
found, without the criminal involved in the case being present. The team was
expected to seize the hard drive and all other related evidence.
Objectives
- To understand and learn how to secure and interact with a computer crime
scene.
- To keep track of events, and to document and sketch the crime scene.
- To acquire the skills of seizing digital and non-digital evidences using the
proper forensics tools and packaging.
- To present the collection and seizure process in a professional report that
is authentic and reproducible.
Procedures
The steps followed by the group members in performing the lab are introduced
in figure 1 and an explanation of each step is listed in the following subsections.
[Flowchart boxes: Identification of the expected useful evidences; Distributing tasks and duties among team members; Securing and preventing unauthorized individuals from entering the crime scene; Disconnecting remote access and peripherals connections; Drawing rough sketch for the crime scene; Capturing crime scene and evidences; Documenting evidences state and location; Seizing useful evidences; Updating the sketch; Handing seized evidences to the authorities]
Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab.
A. Identification of Expected Useful Evidences
Based on the crime type and the search scope suggested by the group members,
a list of the main evidences expected to provide useful information in the
case was written, as follows:
- Storage devices.
- Notes/letters.
- Date and time stamps.
- Digital cameras.
- Images.
B. Distributing tasks and duties among team members
Distributing tasks and duties among team members ensures good documentation of
the event, with fewer missed details. Accordingly, one team member was
responsible for photographing the steps one by one using the digital camera.
Another member was in charge of writing notes about the crime scene and
everything done by the team, with the corresponding exact time. The last member
wore the anti-static gloves and was responsible for tagging the useful
evidences and placing them in the appropriate bags for seizure and transfer to
the responsible authorities.
C. Securing the crime scene
Securing the crime scene and preventing unauthorized individuals from entering
it is an important task, and it was performed immediately upon arrival at the
crime scene. This ensures that no evidence at the scene is destroyed or
damaged. Figure 2 shows the crime scene upon arrival, before the process
started.
Figure 2: Crime scene picture before starting the seizure process
D. Disconnecting remote access and peripherals connections
The first step performed after securing the crime scene was to remove the
Ethernet cable, since it was connected to the computer, to prevent remote
access to the device.
Figure 3: Removing network connections to prevent altering the data through remote connection
E. Drawing rough sketch for the crime scene
A rough drawing of the crime scene was made before touching anything or
performing any action. The location of each seized element was added to this
drawing later, and it was redrawn using CAD software. The final sketch of the
crime scene is shown in figure 4.
[Sketch: scene plan with markers for Evidence #A through Evidence #I; some markers are flagged with *]
*The position of the evidence changed just for demonstration and the actual location is mentioned in the report
Title: Crime Scene #3 Sketch
Date & time: 24 August 2016 | 1820
MSIT10, AbuDhabi
Lab #1: Bag & Tag
CIT530: Cyber Forensics
Supervised by: Dr. Farkhund Iqbal, Ms. Mona Bader
Prepared by: Musaab Hasan, Zayed Balbahaith, Abdulrahman Sabbagh
Evidences List (Tag, Description), tags #A through #I, with these descriptions:
- American academy forensics magazine
- IEEE Spectrum magazine
- Journal of forensic sciences
- Floppy disk written on it @GoD
- MSDN Windows 2000 CD
- A Data Flash Drive
- 500GB Seagate hard disk inside Tower PC case
- Sticky note written on it Pass. Lamof !D
- Sticky note written on it 9/9/16
Figure 4: Crime scene sketch
F. Capturing, documenting, and seizing evidences
Photographing with the camera, documenting with notes, and seizing the
evidences were done in parallel to ensure that no important details of the
event were missed. The tools used for this task were anti-static bags and
gloves, cable tags, evidence tags, a notepad, a marker, labels, a digital
camera, and a phone flashlight. Figure 5 shows the seized elements in the
anti-static bags.
Figure 5: Seized evidences in the anti-static bags
G. Updating the sketch
The exact location of each seized evidence is marked on the crime scene
sketch for further analysis and investigation. The final sketch was shown
earlier in figure 4.
H. Handing seized items to the authorities
At the end, the seized items were handed to the authorities while documenting
and completing the processing and chain of custody forms. The proper
recommendations for securing and protecting the evidences while transporting
them to the lab were explained clearly to the person in charge.
Analysis of seized evidences
According to the type of the crime and the evidences seized from the crime
scene, the triage concept was followed to prioritize each evidence by
importance, in a way that helps reveal the circumstances of the crime. The
seized evidences are listed below, from the most to the least important.
Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
The evidence was mounted inside the PC, which was running when the team
arrived. The computer hard disk is where all data are stored, and it is
expected to help in uncovering the accused's previous acts and the crimes he
intends to commit. The computer was locked with a password, as was access to
the BIOS; this raises the probability that valuable data leading to the accused
person in the case can be acquired from the hard disk. Figure 6 shows a picture
of the seized hard disk.
Figure 6: Seized hard disk
Evidence I: A-Data USB flash drive
The evidence was stashed below the monitor, where it was difficult to see.
A USB flash drive is a portable plug & play memory that is used in most cases
to save pictures and media files. Its content is expected to help in uncovering
the accused's previous acts and the crimes he intends to commit. A picture of
the seized flash drive is shown in figure 7.
Figure 7: Seized USB flash drive
Evidences B, F, G: Handwritten notes on multiple evidences
Handwritten notes could lead to important information that helps in identifying
and analyzing the crime. Evidence B included random handwritten notes and was
located on top of the computer tower case; these notes include numbers for
males and females with some symbols. Evidence F was located above the right
chair and had a password written on it; this could be the password for an OS
login page, email, chat software, or any other useful system. A date was
written on evidence G, which was hidden inside one of the pages of evidence C;
this date indicates a day that has not yet passed, so more details need to be
collected about it. The pictures of the collected evidences that include
handwritten notes are shown in figure 8.
Figure 8: Pictures for the evidences that included handwritten notes
Evidence E: Imation 1.44MB Floppy disk
The evidence was hidden under the computer CPU with the BIOS password written
on it, and the PC at the crime scene does not have a floppy drive. The floppy's
capacity is 1.44 MB, which means it holds only a small amount of data; it may
contain passwords, numbers, or other related information that can help the
case. The BIOS password, on a sticky note, was discovered on the outer shell of
the floppy, as shown in figure 9.
Figure 9: The seized Floppy disk with a label of "@GoD"
Evidence D: MSDN Windows 2000 CD
The evidence was found in the optical CD reader while the computer was running.
This suggests that the accused person was probably working on it before he
escaped the primary crime scene; thus this CD may contain information that
could help in finding him. Although the disk carries Microsoft's cover, this
does not exclude an attempt to mislead whoever finds it. "04618054" was written
on it. This number could be a password to open the CD or to access the device,
or just information useful to the case during the investigation. A picture of
the CD is shown in figure 10.
Figure 10: Seized CD
Evidences A, C: Journals and Magazines
These magazines and journals may lead to useful information that helps in
recognizing the interests and desires of the defendant. Evidence C was located
in the drawer of the left table with 4 folded pages inside it, which may
indicate some useful information on the case. These evidences are not so useful
from the digital side, but from them we may learn the impressions of the
accused person, which could enable us to reach him in an indirect way. Figure
11 shows the pictures of the seized magazines and journals.
Figure 11: Seized magazines and journals pictures
Conclusions and Recommendations
- All electronic evidences must be kept away from magnetic sources.
- Each evidence must be labeled with the appropriate tag and kept in the
appropriate packing that will not cause any damage to it.
- After arrival at the scene of the crime, all remote access and
peripherals connections must be removed.
- Each detail must be documented properly in a way that allows the
investigator to reconstruct the crime scene and analyze it at any time in
the lab.
References
[1] Technical Working Group on Crime Scene Investigation, & United States of
America. (2001). Electronic Crime Scene Investigation: A Guide for First
Responders.
[2] National Institute of Standards and Technology (NIST), & United States of
America. (2004). Forensic Examination of Digital Evidence: A Guide for Law
Enforcement.
[3] Wilkinson, S., & Haagman, D. (2010). Good practice guide for computer-based
electronic evidence. Association of Chief Police Officers.
Appendices

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Dernier (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

Lab 1 Bag & Tag (cyber forensics)

  • 3. List of Figures
    Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab
    Figure 2: Crime scene picture before starting the seizure process
    Figure 3: Removing network connections to prevent altering the data through remote connection
    Figure 4: Crime scene sketch
    Figure 5: Seized evidences in the anti-static bags
    Figure 6: Seized hard disk
    Figure 7: Seized USB flash drive
    Figure 8: Pictures for the evidences that included handwritten notes
    Figure 9: The seized Floppy disk with a label of "@GoD"
    Figure 10: Seized CD
    Figure 11: Seized magazines and journals pictures
  • 4. Executive Summary
    This report presents the work done in the Bag and Tag lab by the members of group #3. The scenario of the crime is described in the Investigative Scenario section. The procedures followed for tagging and seizing evidences are given in the Procedures section. The Analysis of seized evidences section presents the reasoning followed in determining the main evidences, their importance according to the triage concept, and their relation to the crime, in order to provide the investigators with useful details about the crime. A set of conclusions and suggested recommendations for the process of seizing evidences is listed in the Conclusions and Recommendations section. The references used in conducting the lab and writing the report are listed in the References section. All processing forms completed by the team are attached to this report in the Appendices section.

    Investigative Scenario
    A search and seizure warrant notice was received for seizing and documenting evidence in a child pornography case. The person involved in the case was chatting with a 13-year-old girl. At the scene of the crime, a computer system was found without the presence of the criminal involved in the case. The team was expected to seize the hard drive and all other related evidence.

    Objectives
    - To understand and learn how to secure and interact with a computer crime scene.
    - To keep track of the events, document, and sketch the scene of the crime.
    - To acquire the skills of seizing digital and non-digital evidences using the proper forensics tools and packaging.
    - To present the process of collection and seizure in a professional report that is authentic and reproducible.
  • 5. Procedures
    The steps followed by the group members in performing the lab are introduced in figure 1, and each step is explained in the following subsections.
    Flowchart steps: Identification of the expected useful evidences; Distributing tasks and duties among team members; Securing and preventing unauthorized individuals from entering the crime scene; Disconnecting remote access and peripherals connections; Drawing rough sketch for the crime scene; Capturing crime scene and evidences; Documenting evidences state and location; Seizing useful evidences; Updating the sketch; Handing seized evidences to the authorities.
    Figure 1: Flowchart for the procedures followed in conducting Bag & Tag lab.
  • 6. A. Identification of Expected Useful Evidences
    Based on the crime type and the search scope suggested by the group members, a list of the main evidences expected to provide useful information in the case was written, as follows:
    - Storage devices.
    - Notes/letters.
    - Date and time stamps.
    - Digital cameras.
    - Images.

    B. Distributing tasks and duties among team members
    Distributing tasks and duties among team members ensures that the event is well documented, with less missed information. Accordingly, one team member was responsible for capturing the steps one by one using the digital camera. Another member was in charge of writing notes about the crime scene and everything done by the team, with the corresponding exact time. The last member wore the anti-static gloves and was responsible for tagging the useful evidences and putting them in the appropriate bags, for seizing them and transferring them to the responsible authorities.

    C. Securing the crime scene
    Securing the crime scene and preventing unauthorized individuals from entering it is an important task, and it was performed directly upon arrival at the crime scene. This action makes sure that no destruction of or damage to the evidences occurs in the crime scene. Figure 2 shows the crime scene directly upon arrival, before starting the process.
    Figure 2: Crime scene picture before starting the seizure process
  • 7. D. Disconnecting remote access and peripherals connections
    The first step performed after securing the crime scene was to remove the Ethernet cable, which was connected to the computer, to prevent remote access to the device.
    Figure 3: Removing network connections to prevent altering the data through remote connection

    E. Drawing rough sketch for the crime scene
    A rough drawing of the crime scene was made before touching anything or performing any action. The location of each seized element was added to this drawing later on, and it was redrawn using CAD software. The final sketch of the crime scene is shown in figure 4.
  • 8. Crime scene sketch. Labels on the sketch: Evidence #A, #B, #C, #D, #E, #F, #G, #H, #I.
    *The position of the evidence changed just for demonstration and the actual location is mentioned in the report
    Sketch title: Crime Scene #3
    Date & time: 24 August 2016 | 1820
    MSIT10, Abu Dhabi; Lab #1: Bag & Tag; CIT530: Cyber Forensics
    Supervised by: Dr. Farkhund Iqbal, Ms. Mona Bader
    Prepared by: Musaab Hasan, Zayed Balbahaith, Abdulrahman Sabbagh
    Evidences list, tags: #A, #B, #C, #D, #E, #F, #G, #H, #I
    Evidences list, descriptions: American academy forensics magazine; IEEE Spectrum magazine; Journal of forensic sciences; Floppy disk written on it @GoD; MSDN Windows 2000 CD; A Data Flash Drive; 500GB Seagate hard disk inside Tower PC case; Sticky note written on it Pass. Lamof !D; Sticky note written on it 9/9/16
    Figure 4: Crime scene sketch

    F. Capturing, documenting, and seizing evidences
    Capturing by camera, documenting by notes, and seizing the evidences were done in parallel so that no important details of the event were missed. The tools used in accomplishing this task were anti-static bags and gloves, cable tags, evidence tags, notepad, marker, labels, digital camera, and phone flashlight. Figure 5 shows the seized elements in the anti-static bags.
    Figure 5: Seized evidences in the anti-static bags
  • 9. G. Updating the sketch
    The exact actual location of each seized evidence is marked in the crime scene sketch for further analysis and investigation. The final sketch was shown earlier in figure 4.

    H. Handing seized items to the authorities
    At the end, the seized items were handed to the authorities while documenting and completing the processing and chain of custody forms. The proper recommendations for securing and protecting the evidences while transporting them to the lab were explained clearly to the person in charge.
  • 10. Analysis of seized evidences
    According to the type of the crime and the evidences seized from the crime scene, the triage concept was followed to prioritize each evidence by its level of importance, in a way that helps in revealing the circumstances of the crime. The seized evidences are stated below, from the most to the least important.

    Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
    The evidence was mounted inside the PC, which was running upon the arrival of the team. The computer hard disk is the place where all data are stored, and it is expected to help in obtaining the precedents of the accused and the crimes he intends to commit. The criminal had locked the computer with a password, as well as the access to the BIOS; this raises the probability that valuable data leading to the accused person in the case can be acquired from the hard disk. Figure 6 shows a picture of the seized hard disk.
    Figure 6: Seized hard disk

    Evidence I: A-Data USB flash drive
    The evidence was stashed below the monitor in a way that made it difficult to see. A USB flash drive is a portable plug & play memory that is used in most cases to save pictures and media files. Its content is expected to help in obtaining the precedents of the accused and the crimes he intends to commit. A picture of the seized flash drive is shown in figure 7.
    Figure 7: Seized USB flash drive
  • 11. Evidences B, F, G: Handwritten notes on multiple evidences
    Handwritten notes could lead to important information that helps in identifying and analyzing the crime. Evidence B included random handwritten notes and was located on the top of the computer tower case; these notes include numbers for males and females with some symbols. Evidence F was located above the right chair and had a password written on it; this password could be the password for an OS login page, email, chatting software, or any other useful system. A date was written on evidence G, which was hidden inside one of the pages of evidence C; this date refers to a day that has not passed yet, so more details need to be collected about it. The pictures of the collected evidences that include handwritten notes are shown in figure 8.
    Figure 8: Pictures for the evidences that included handwritten notes

    Evidence E: Imation 1.44MB Floppy disk
    The evidence was hidden under the computer CPU with the BIOS password written on it, and the PC in the crime scene does not have a floppy drive reader. The floppy size is 1.44 MB, which means the data on it is small and may contain passwords, numbers, or some related information that can help in the case. The BIOS password, on a sticky note, was discovered on the outer shell of the floppy, as shown in figure 9.
    Figure 9: The seized Floppy disk with a label of "@GoD"
  • 12. Evidence D: MSDN Windows 2000 CD
    The evidence was found in the optical CD reader while the computer was running. This raises the probability that the accused person was working on it before he escaped the primary crime scene. Thus this CD may contain information that could help in finding him. Although the disk carries Microsoft's cover, this does not exclude an attempt to mislead whoever finds it. "04618054" was written on it. This number could be a password to open the CD, to access the device, or just information beneficial to the case during the investigations. A picture of the CD is shown in figure 10.
    Figure 10: Seized CD

    Evidences A, C: Journals and Magazines
    These magazines and journals may lead to useful information that helps in recognizing the interests and desires of the defendant. Evidence C was located on the drawer of the left table with 4 folded pages inside it, which may indicate some useful information on the case. These evidences are not so useful from the digital side, but from them we may learn the impressions of the accused person, which may enable us to reach him in an indirect way. Figure 11 shows the pictures of the seized magazines and journals.
    Figure 11: Seized magazines and journals pictures
  • 13. Conclusions and Recommendations
    - All electronic evidences must be kept away from magnetic sources.
    - Each evidence must be labeled with the appropriate tag and kept in appropriate packing that will not cause any damage to it.
    - After arrival at the scene of the crime, all remote access and peripherals connections must be removed.
    - Each detail must be documented properly, in a way that allows the investigator to reconstruct the crime scene and analyze it at any time in the lab.

    References
    [1] Technical Working Group on Crime Scene Investigation, & United States of America. (2001). Electronic Crime Scene Investigation: A Guide for First Responders.
    [2] National Institute of Standards and Technology (NIST), & United States of America. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
    [3] Wilkinson, S., & Haagman, D. (2010). Good practice guide for computer-based electronic evidence. Association of Chief Police Officers.
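
The chain of custody forms completed in step H and the triage order used in the analysis section can be cross-checked mechanically once they are transcribed. The Python sketch below is an added example, not part of the original report: the tags and their order come from the report, while the `CustodyEvent` fields, the role names and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Triage rank per evidence tag, following the order of the report's analysis
# section (1 = most important). Tags sharing a subsection share a rank.
TRIAGE_RANK = {"H": 1, "I": 2, "B": 3, "F": 3, "G": 3,
               "E": 4, "D": 5, "A": 6, "C": 6}


@dataclass(frozen=True)
class CustodyEvent:
    tag: str          # evidence tag written on the bag
    time: datetime    # time recorded on the form
    action: str       # "seized" or "transfer"
    released_by: str  # for "seized": where the item was found
    received_by: str  # role taking custody (hypothetical role names)


def triage_sorted(tags):
    """Order tags from most to least important; unknown tags go last."""
    return sorted(tags, key=lambda t: (TRIAGE_RANK.get(t, 99), t))


def check_custody(register, events):
    """Return (tag, problem) findings for a custody log, most important first.

    register: tags bagged at the scene.
    events:   CustodyEvent entries in the order they appear on the forms.
    """
    findings = []
    holder = {}     # tag -> current custodian
    last_time = {}  # tag -> time of the previous entry for that tag
    for ev in events:
        if ev.tag not in register:
            findings.append((ev.tag, "entry for a tag that is not in the register"))
            continue
        if ev.action not in ("seized", "transfer"):
            findings.append((ev.tag, f"unknown action {ev.action!r}"))
            continue
        if ev.tag in last_time and ev.time < last_time[ev.tag]:
            findings.append((ev.tag, "timestamp earlier than the previous entry"))
        if ev.action == "seized" and ev.tag in holder:
            findings.append((ev.tag, "seized twice"))
        if ev.action == "transfer":
            if ev.tag not in holder:
                findings.append((ev.tag, "transfer recorded before seizure"))
            elif ev.released_by != holder[ev.tag]:
                findings.append((ev.tag, "released by someone who did not hold the item"))
        holder[ev.tag] = ev.received_by
        last_time[ev.tag] = ev.time
    for tag in register:
        if tag not in holder:
            findings.append((tag, "bagged but never entered in the custody log"))
    return sorted(findings, key=lambda f: (TRIAGE_RANK.get(f[0], 99), f[0]))


def sample_log():
    """Constructed sample entries; role names and times are made up."""
    def at(hh, mm):
        return datetime(2016, 8, 24, hh, mm)  # the date is the report's
    return [
        CustodyEvent("H", at(18, 20), "seized", "tower PC case", "collector"),
        CustodyEvent("I", at(18, 24), "seized", "below the monitor", "collector"),
        CustodyEvent("E", at(18, 30), "seized", "under the computer", "collector"),
        CustodyEvent("H", at(19, 0), "transfer", "collector", "authority officer"),
        # Gap: the note-taker never received item I from the collector.
        CustodyEvent("I", at(19, 0), "transfer", "note-taker", "authority officer"),
        # Clock error: transfer stamped before the seizure entry.
        CustodyEvent("E", at(18, 10), "transfer", "collector", "authority officer"),
    ]


if __name__ == "__main__":
    register = triage_sorted("ABCDEFGHI")
    for tag, problem in check_custody(register, sample_log()):
        print(f"Evidence {tag}: {problem}")
```

Run against the full register A to I, the check also reports every bagged item that has no seizure entry, which is the gap a reviewer of the processing forms most needs to see.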