• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Assignment 5 - Fall 2013

Page history last edited by Philip Craiger 9 years ago

Web and Email Investigations

Advanced Forensics

Dr. Philip Craiger





The objective is to conduct an examination of an image, paying particular attention to any information related to email and web browsing.



This image was provided to me by the head of a university forensics program.  He indicated that he had used a forensics program to create an image of a partition on a student's workstation.  He said he clicked the 'create forensic copy' button, and 'out popped the copy.'  


I asked him why he was concerned about the student.  He said he thinks the student was involved in 'illegal' activity.  He wanted me to find out if that was the case.


I then asked him for the hash of the evidence so I could verify the image. He said 'what's a hash?'


Ok. I brought the image home and tried to mount the image in Linux.  No joy.  I believe that the image has been corrupted. Darn.  I didn't try any other applications to see if they could interpret the contents of the image.  Maybe you should try. :)


Because the head off the forensics program is clearly clueless, I asked for the student's name, which he provided.  I called the student.  He said his name is George Costanza.  He seemed like a very bright and honest young man.  He said that he uses Linux, and believed that the head of the program imaged a single partition that only included his home directory.  I asked him what applications he used for browsing and emailing, and George said "Firefox and Thunderbird" without hesitation.  I asked him if he had used the computer for illegal purposes, and he said 'No!'   


Not wanting to pry any further regarding his email or web browsing, I hung up the phone, and decided to give this to you as an assignment.  


I believe George.  But you have to prove he hasn't done anything wrong.


Your task:


So I found Linux won't mount the image. Maybe there's another program that will interpret the image.  You should try.  You've already used several different tools in this course, maybe one of these works.  


Answering all the questions below might be done in the tool of your choice. Some may require a physical analysis with Linux.


Specific questions I want answered:


1.  What is George's username on his computer?

2.  What is the computer's 'name?' (can you tell?)

3.  What did George use as a keyword in a Google search?

4.  What websites did George visit?

5.  What websites did George bookmark? (Be careful here, there are only three, and they are all related).

6.  What is George's email address?

7.  What was George's IP address?

8.  To whom did George send an email?  When did he send it?

9.  What were the contents of the email?

10.  Who sent George an email? When did he receive it?

11. What was the email address of the sender?

12. IP address of the sender? (Who 

13. What were the contents of the email?

14. How many music files are in /Music?

15. How many video files in /Videos?

16. How many documents in /Documents?


Get all this right and you get 95 points.


For the remaining 5 points you must use the Linux' dd command to recover the JPEG file whose EXIF contents contain "LEAD technologies.'  Show your work, and the resulting file.


(You've read my book chapter "Computer forensics procedures and methods", right?)




A professional quality report, like your job depended on the quality, consisting of:


1. Non technical summary, no longer than 5-6 sentences, that provides an overview of what you were asked to do, what you did, and what you found.  Was George guilty as the program head charged?


2. A technical summary that explains what you did, the tool you used, and the answers to the questions above.  When I ask for specific information about "What were the contents" of the email, I want to see the contents! (That goes for all questions). Show me a cropped screen shot of the answer to support your answers.  "Full screenshots" will receive 0 points. That's lazy. 


Good luck!


(Hint: What if you exported some of these files or directories and opened them up in another operating system? You might be able to view exactly what George had done, answering some of the questions. I don't know if this will work, you show me.).







All Course Lectures  



Comments (0)

You don't have permission to comment on this page.