Lab 1: Bag & Tag (Cyber Forensics)
College of Technological Innovation
MSIT 10, CIT 530 Cyber Forensics
Lab 1: Bag & Tag
Supervised by: Dr. Farkhund Iqbal, Ms. Mona Bader
Prepared by: Musaab Hasan, Zayed Balbahaith, Abdulrahman Sabbagh
M80006988@zu.ac.ae, M80007225@zu.ac.ae, M80007043@zu.ac.ae
August 24, 2016
Table of Contents
Executive Summary
Investigative Scenario
Objectives
Procedures
  A. Identification of Expected Useful Evidence
  B. Distributing tasks and duties among team members
  C. Securing the crime scene
  D. Disconnecting remote access and peripheral connections
  E. Drawing a rough sketch of the crime scene
  F. Capturing, documenting, and seizing evidence
  G. Updating the sketch
  H. Handing seized items to the authorities
Analysis of seized evidence
  Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
  Evidence I: A-Data USB flash drive
  Evidence B, F, G: Handwritten notes on multiple items
  Evidence E: Imation 1.44MB Floppy disk
  Evidence D: MSDN Windows 2000 CD
  Evidence A, C: Journals and Magazines
Conclusions and Recommendations
References
Appendices
List of Figures
Figure 1: Flowchart of the procedure followed in conducting the Bag & Tag lab
Figure 2: Crime scene picture before starting the seizure process
Figure 3: Removing network connections to prevent altering the data through a remote connection
Figure 4: Crime scene sketch
Figure 5: Seized evidence in the anti-static bags
Figure 6: Seized hard disk
Figure 7: Seized USB flash drive
Figure 8: Pictures of the items that carried handwritten notes
Figure 9: The seized floppy disk with a label of "@GoD"
Figure 10: Seized CD
Figure 11: Seized magazines and journals
Executive Summary
This report presents the work done in the Bag and Tag lab by the members of group #3. The crime scenario is described in the Investigative Scenario section, and the procedure followed for tagging and seizing evidence in the Procedures section. The Analysis of Seized Evidence section explains how the main items of evidence were identified, ranked by importance according to the triage concept, and related to the crime, so that investigators are given useful leads. Conclusions and recommendations on the seizure process are listed in the Conclusions and Recommendations section, the sources used in conducting the lab and writing the report are listed in the References section, and all processing forms completed by the team are attached in the Appendices.
Investigative Scenario
A search and seizure warrant was received for seizing and documenting evidence in a child pornography case in which the suspect had been chatting with a 13-year-old girl. At the scene, a computer system was found but the suspect was not present. The team was expected to seize the hard drive and all other related evidence.
Objectives
- To understand how to secure and work within a computer crime scene.
- To keep track of events and to document and sketch the crime scene.
- To acquire the skills to seize digital and non-digital evidence using proper forensic tools and packaging.
- To present the collection and seizure process in a professional report that is authentic and reproducible.
5. | Page 4
Procedures
The steps followed by the group members in performing the lab are shown in figure 1 and each step is explained in the following subsections.

Figure 1: Flowchart of the procedure followed in conducting the Bag & Tag lab. The steps, in the order they were carried out, are: identification of the expected useful evidence; distributing tasks and duties among team members; securing the scene and preventing unauthorized individuals from entering it; disconnecting remote access and peripheral connections; drawing a rough sketch of the scene; capturing the scene and evidence by camera; documenting the state and location of each item; seizing the useful evidence; updating the sketch; and handing the seized evidence to the authorities.
A. Identification of Expected Useful Evidence
Based on the crime type and the search scope suggested by the group members, the main items expected to provide useful information in the case were listed before the search began:
- Storage devices.
- Notes/letters.
- Date and time stamps.
- Digital cameras.
- Images.
B. Distributing tasks and duties among team members
Distributing tasks among team members ensures good documentation of the event with as little missed information as possible. Accordingly, one team member was responsible for photographing each step with the digital camera. Another member was in charge of writing notes about the crime scene and everything done by the team, with the exact time of each action. The third member wore the anti-static gloves and was responsible for tagging the useful evidence and placing it in the appropriate bags for seizure and transfer to the responsible authorities.
C. Securing the crime scene
Securing the crime scene and preventing unauthorized individuals from entering it is an important task and was performed immediately upon arrival. This ensures that no evidence at the scene is destroyed, damaged, or disturbed before it is documented. Figure 2 shows the crime scene upon arrival, before the process started.
Figure 2: Crime scene picture before starting the seizure process
D. Disconnecting remote access and peripheral connections
The first step performed after securing the crime scene was to unplug the Ethernet cable, which was connected to the computer, so that nobody could reach the machine remotely and alter or wipe data on it. Pulling the network cable stops remote access, but it does not preserve the running system's volatile state, which is addressed in the recommendations at the end of this report.
Figure 3: Removing network connections to prevent altering the data through a remote connection
E. Drawing a rough sketch of the crime scene
A rough sketch of the crime scene was drawn before anything was touched or any action taken. The location of each seized item was added to it later, and it was then redrawn using CAD software. The final sketch of the crime scene is shown in figure 4.
Figure 4 is the CAD redraw of the scene. Its title block reads: Crime Scene #3 Sketch; Lab #1: Bag & Tag; CIT530: Cyber Forensics; MSIT10, Abu Dhabi; date and time 24 August 2016, 18:20; supervised by Dr. Farkhund Iqbal and Ms. Mona Bader; prepared by Musaab Hasan, Zayed Balbahaith, and Abdulrahman Sabbagh. Items #A to #I are marked on the drawing. Positions marked with * were moved on the sketch for demonstration only; the actual locations are given in the report.

Evidence list (as printed on the sketch):
Tag          Description
#A, #B, #C   The three publications found at the scene: American Academy Forensics magazine, IEEE Spectrum magazine, and Journal of Forensic Sciences
#D           MSDN Windows 2000 CD
#E           Floppy disk with "@GoD" written on it
#F           Sticky note with "Pass. Lamof !D" written on it
#G           Sticky note with "9/9/16" written on it
#H           500GB Seagate hard disk inside the tower PC case
#I           A-Data flash drive
Figure 4: Crime scene sketch
F. Capturing, documenting, and seizing evidence
Photographing, note-taking, and seizing were done in parallel so that no important detail of the event was missed. The tools used were anti-static bags and gloves, cable tags, evidence tags, a notepad, a marker, labels, a digital camera, and a phone flashlight. Figure 5 shows the seized items in their anti-static bags.
Figure 5: Seized evidence in the anti-static bags
G. Updating the sketch
The actual location of each seized item is marked on the crime scene sketch for later analysis and investigation. The final sketch was shown earlier in figure 4.
H. Handing seized items to the authorities
Finally, the seized items were handed to the authorities while the processing and chain of custody forms were completed. The recommendations for securing and protecting the evidence while transporting it to the lab were explained clearly to the person in charge. The chain of custody record identifies who held each item, from when to when, and for what purpose, so that any gap or undocumented hand-over can be challenged later.
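Section H above completes the chain of custody on paper forms. The following added example, which is not part of the original report, shows the same record kept as a tamper-evident log: each entry for a tagged item commits to the SHA-256 hash of the entry before it, so an edited or deleted record is detected when the chain is verified. The evidence tags, descriptions and locations are taken from the report; the timestamps, handler names, the custody-transfer entry and all function and class names are constructed for the example.

```python
"""Tamper-evident evidence / chain-of-custody log (added example, not from the lab report)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log


@dataclass
class EvidenceEntry:
    tag: str           # tag written on the bag, e.g. "H"
    description: str   # what the item is
    location: str      # where it was found at the scene
    seized_at: str     # ISO-8601 time the item was bagged (constructed values below)
    handler: str       # who bagged or received it (constructed values below)
    prev_hash: str = ""   # entry_hash of the previous entry, set by EvidenceLog.append
    entry_hash: str = ""  # SHA-256 over all other fields, set by EvidenceLog.append


def canonical_bytes(entry: EvidenceEntry) -> bytes:
    """Serialize every field except entry_hash in a fixed order so the digest is stable."""
    fields = asdict(entry)
    del fields["entry_hash"]
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


class EvidenceLog:
    """Append-only log: each entry commits to the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: List[EvidenceEntry] = []

    def append(self, entry: EvidenceEntry) -> str:
        entry.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        entry.entry_hash = hashlib.sha256(canonical_bytes(entry)).hexdigest()
        self.entries.append(entry)
        return entry.entry_hash

    def verify(self) -> Optional[int]:
        """None if the chain is intact; otherwise the index of the first entry whose
        own hash or back-link to its predecessor no longer matches."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != expected_prev:
                return i
            if hashlib.sha256(canonical_bytes(e)).hexdigest() != e.entry_hash:
                return i
            expected_prev = e.entry_hash
        return None


# The nine items tagged in the report, in the report's triage order.
# Locations are the ones the report gives; evidence A's location is only on the sketch.
SCENE_ITEMS = [
    ("H", "Seagate 500GB hard disk, S/N Z2A77AN5", "inside the tower PC case"),
    ("I", "A-Data USB flash drive", "stashed below the monitor"),
    ("B", "publication with handwritten notes", "on top of the tower case"),
    ("F", "sticky note: Pass. Lamof !D", "above the right chair"),
    ("G", "sticky note: 9/9/16", "hidden between the pages of evidence C"),
    ("E", "Imation 1.44MB floppy disk labelled @GoD", "under the tower case"),
    ("D", "MSDN Windows 2000 CD", "in the optical drive"),
    ("A", "magazine", "see sketch"),
    ("C", "journal with 4 folded pages inside", "drawer of the left table"),
]


def build_scene_log(bagged_by: str = "Member 3 (gloved)") -> EvidenceLog:
    """Log the tagged items one minute apart from 18:20 (constructed times and handler)."""
    log = EvidenceLog()
    for n, (tag, desc, loc) in enumerate(SCENE_ITEMS):
        log.append(EvidenceEntry(tag, desc, loc, f"2016-08-24T18:{20 + n:02d}:00+04:00", bagged_by))
    return log


def custody_transfer(log: EvidenceLog, tag: str, from_person: str, to_person: str, when: str) -> str:
    """Record a hand-over as a new entry instead of editing the original seizure record."""
    return log.append(EvidenceEntry(tag, f"custody transfer {from_person} -> {to_person}",
                                    "hand-over", when, to_person))


def tampering_is_detected() -> bool:
    """Edit an earlier description after the fact and confirm verify() points at that entry."""
    log = build_scene_log()
    if log.verify() is not None:
        return False
    log.entries[3].description = "sticky note: (blank)"   # silently 'lose' the password note
    return log.verify() == 3


if __name__ == "__main__":
    log = build_scene_log()
    custody_transfer(log, "H", "Member 3 (gloved)", "Lab custodian", "2016-08-24T19:05:00+04:00")
    print("chain intact:", log.verify() is None)
    print("tampering detected:", tampering_is_detected())
```

Hand-overs are appended as new entries rather than written over the seizure record, so the log keeps the full custody history; a deleted entry breaks the back-link of the entry after it just as an edited one breaks its own hash. The hash chain only makes changes detectable, it does not prevent them, so in practice the head hash is also written on the signed paper form or countersigned by the receiving custodian.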
Analysis of seized evidence
Given the type of crime and the items seized from the scene, the triage concept was followed to rank each item by how much it is expected to reveal about the circumstances of the crime. The seized items are described below from the most to the least important.
Evidence H: Z2A77AN5 Seagate 500GB Hard Disk
The disk was mounted inside the PC, which was running when the team arrived. The hard disk is the main store of persistent data on the computer and is expected to show the accused's prior activity and any offences he was planning. The computer was protected with a login password and a BIOS password, which raises the likelihood that the disk holds data the accused wanted to protect; the password notes seized with it (evidence F and the label on evidence E) may be needed to reach that data if the disk also turns out to be encrypted. Figure 6 shows the seized hard disk.
Figure 6: Seized hard disk
Evidence I: A-Data USB flash drive
The drive was stashed below the monitor where it was hard to see. A USB flash drive is portable plug-and-play storage, commonly used to carry pictures and media files, so its contents are expected to show the accused's prior activity and any offences he was planning; the effort taken to hide it adds to its importance. The seized flash drive is shown in figure 7.
Figure 7: Seized USB flash drive
Evidence B, F, G: Handwritten notes on multiple items
Handwritten notes can lead to information that helps to identify and analyze the crime. Evidence B carried random handwritten notes and was located on top of the computer tower case; the notes include numbers for males and females together with some symbols. Evidence F was located above the right chair and has a password written on it; this could be the password for the OS login, an e-mail account, the chat software, or another system of interest. Evidence G, found hidden between the pages of evidence C, has a date written on it; the date had not yet passed at the time of the seizure, so more details about it need to be collected. Pictures of the items with handwritten notes are shown in figure 8.
Figure 8: Pictures of the items that carried handwritten notes
Evidence E: Imation 1.44MB Floppy disk
The floppy was hidden under the computer tower and had the BIOS password written on a sticky note on its outer shell, as shown in figure 9. The PC at the scene has no floppy drive, so the disk must have been written or read on another machine, and the lab will need an external floppy drive behind a write blocker to examine it. A 1.44 MB floppy holds little data, so it is likely to contain passwords, numbers, or other small pieces of information relevant to the case.
Figure 9: The seized floppy disk with a label of "@GoD"
Evidence D: MSDN Windows 2000 CD
The CD was found in the optical drive of the computer, which was running; this suggests the accused was using it before he left the primary crime scene, so the CD may hold information that helps to find him. Although the disc carries Microsoft's labelling, that does not rule out its having been relabelled to mislead whoever finds it, so its contents should be verified rather than assumed from the label. "04618054" was written on it; this number could be a password for the CD or for the machine, or simply a piece of information useful to the investigation. The CD is shown in figure 10.
Figure 10: Seized CD
Evidence A, C: Journals and Magazines
The magazines and journals may reveal the interests and habits of the defendant. Evidence C was located in the drawer of the left table with 4 folded pages inside it, which may point to information useful to the case. These items have little digital value, but they give an impression of the accused that may lead to him indirectly. Figure 11 shows the seized magazines and journals.
Figure 11: Seized magazines and journals
Conclusions and Recommendations
- All electronic evidence must be kept away from magnetic sources.
- Each item must be labeled with the appropriate tag and kept in packaging that will not damage it.
- On arrival at the scene, all remote access and peripheral connections must be removed.
- Every detail must be documented in a way that allows an investigator to reconstruct the crime scene and analyze it in the lab at any later time.
- When the system is found running, as it was here, the decision whether to capture volatile data (memory contents, running processes, network connections, any mounted encrypted volumes) before removing power must be taken and recorded, because pulling the plug loses that data; the ACPO guide [3] treats this as a first-responder decision.
- Every hand-over of an item must be entered on the chain of custody form with the names of both parties and the time, so that custody is continuous from the scene to the lab.
References
[1] National Institute of Justice, Technical Working Group for Electronic Crime Scene Investigation. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. U.S. Department of Justice.
[2] National Institute of Justice. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of Justice.
[3] Wilkinson, S., & Haagman, D. (2010). Good Practice Guide for Computer-Based Electronic Evidence. Association of Chief Police Officers (ACPO).