Lecture
Topic: mobile forensics.
Different kinds of data can be found on a smartphone, such as text messages, photos and call history. Specialised software and tools are needed to acquire and analyse this mobile history.
Workshop module 10
1. Using the skillset you have gained throughout the semester, load the Dropbox logical files into Autopsy and expand the Data Sources tree.
2. Perform a Keyword Search for users in an attempt to identify the username of the associated Dropbox account.
- releng
3. Perform a Keyword Search for filecache.dbx to locate a file containing information on shared directories and file transfers. The filecache.dbx is in a base-64 format, so you will require specialised software to interpret and analyse this file. It is recommended that you do some research to find an appropriate tool online to investigate the file.
a. How many Office files were recovered from this Dropbox account?
b. How many prefetch files are in this Dropbox account?
c. What usernames are associated with this Dropbox account?
4. Close the Dropbox related case and repeat the preceding processes for the Google Drive files.
5. Perform a Keyword Search for users in an attempt to identify the username of the associated Google Drive account.
- poppa8109@gmail.com
6. Click the sync_log.log file to see a detailed list of a user’s cloud-based transactions. This log file is not in a base-64 format, so you can view it with a text editor or in the Autopsy built-in viewer.
7. Perform a Keyword Search for RawEvent in an attempt to locate the creation, modification and deletion dates for this account’s cloud transactions.
8. Click on your Keyword Search ‘users’ tab and right-click on the snapshot.db file, point to Extract File(s), and click Save to extract this file to your chosen directory. The snapshot.db file requires an SQLite Database Browser to open and interpret the results. The most current version can be freely downloaded from http://sqlitebrowser.org or alternatively you may use the version that has been placed on Blackboard.
9. Once the SQLiteBrowser has been downloaded and installed onto your workstation, open the snapshot.db file with the browser software. Click the Browse Data tab to view Google Drive filenames with their modified and created UNIX timestamps, which show the last date and time data was synced with the cloud. To convert the UNIX timestamps, open a web browser and go to https://epochconverter.com – copy a desired timestamp from SQLite Browser and paste it into the text box at the top of the Epoch Converter page, clicking the Timestamp to Human date button to make the conversion.
10. Use your analysis and investigative skills to determine which of the following Google Drive files contains a list of deleted files: snapshot.db, sync_log.log, RawEvent, or Prefetch.
a. In what folder are Google Drive user files kept?
b. There are no PDF files in this Google Drive account. True or False?
c. How many viewable graphical images were recovered from this account?
d. When was the file ademco.jpg modified (GMT)?
11. Close the Google Drive related case and repeat the preceding processes for the OneDrive Cloud Storage files.
12. Perform a Keyword Search for users in an attempt to identify the username of the associated OneDrive account.
13. Click the resultant .ini file to identify the username for this OneDrive account.
14. Perform a Keyword Search for SyncDiagnostics.log and then click the Strings tab to see the metadata about the folder’s transactions associated with the OneDrive account.
a. How many Office documents were recovered from this OneDrive account?
- 5
b. How many JPEG files were recovered from this OneDrive account?
- 9
c. How many SyncEngine files are in this OneDrive account?
- 22
d. This OneDrive account has only one username associated with it. True or False?
- True
e. Information about OneDrive file transactions is stored in the SyncDiagnostics.log file. True or False?
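As an added example that is not part of the workshop material: the timestamp conversion from step 9 done offline with Python's sqlite3 module against a constructed in-memory database, so the evidence values never leave the workstation. The cloud_entry table and its column names are an assumed stand-in for the real snapshot.db schema, and the rows are constructed samples, not values from the case.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed stand-in for the Google Drive snapshot.db table; the real
# table and column names are not taken from the workshop.
SCHEMA = "CREATE TABLE cloud_entry (filename TEXT, modified INTEGER, created INTEGER)"

# Constructed sample rows: UNIX timestamps in seconds, plus one stored in
# milliseconds to show the unit check an analyst must make before converting.
SAMPLE_ROWS = [
    ("sample.jpg", 1418908140, 1418908000),
    ("notes.txt", 1420070400000, 1420070400000),
]


def epoch_to_utc(ts):
    """Convert a UNIX timestamp to a human-readable UTC (GMT) string.

    Anything above 10**11 cannot be seconds for a plausible evidence date
    (that would be year 5138), so such values are treated as milliseconds.
    """
    ts = int(ts)
    if ts > 10**11:
        ts = ts // 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def load_sample_db():
    """Build an in-memory SQLite database shaped like the assumed snapshot table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO cloud_entry VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def file_timestamps(conn, filename):
    """Return (modified_utc, created_utc) for one filename, or None if absent."""
    row = conn.execute(
        "SELECT modified, created FROM cloud_entry WHERE filename = ?", (filename,)
    ).fetchone()
    if row is None:
        return None
    return epoch_to_utc(row[0]), epoch_to_utc(row[1])


def dump_all(conn):
    """List every row with both timestamps converted, oldest modification first."""
    rows = conn.execute(
        "SELECT filename, modified, created FROM cloud_entry ORDER BY modified"
    ).fetchall()
    return [(name, epoch_to_utc(m), epoch_to_utc(c)) for name, m, c in rows]


if __name__ == "__main__":
    db = load_sample_db()
    for name, modified, created in dump_all(db):
        print(f"{name:12} modified={modified}  created={created}")
```

Point sqlite3.connect at the extracted snapshot.db (and adjust the table and column names to what SQLite Browser shows) to run the same conversion over the real file.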
Assessment
The report should tell the story of what happened to the suspect and the suspect's PC, based on the evidence.
Keep the table small by moving repeated content into the running sheet, and write the report itself in plain paragraphs.