Course Resource

Investigator Case Notes

Name: Samantha R. Deerstalker

Date: Tuesday May 5, 2020

Case Number or Incident Identification: CYB670-P3S10 (Reveton Incident)

Evidence Tags: USB_001_CYB670-P3S10, USB_001(COPY1)_CYB670P3S10

Recovery and Processing of Evidence Item

  1. On May 4, 2020, a 4GB Verbatim Store-n-Go USB storage device was found by maintenance staff in the rear compartment of computer server cabinet during a scheduled maintenance period. Since the facility is under lockdown after multiple cybersecurity incidents, the maintenance technician R. S. Johnson called the shift supervisor and requested guidance regarding handling and disposition of the storage device.
  2. The shift supervisor, M. R. Smith, took possession of the device, placed it in a sealed and labeled envelope, and then locked the envelope in a desk drawer overnight. The next morning, the envelope containing the recovered USB device was turned over to the Digital Investigations team (S. R. Deerstalker) for processing as possible evidence in the ongoing cybersecurity incidents. At that time, it was noted that the USB device was of a type and brand in common use within the organization.
  3. A chain of custody document was initiated at the time of receipt from the shift supervisor. Evidence tag USB_001_CYB670-P3S10 was assigned to the storage device. The recovered USB device is blue in color and has an external label “USB7” on the front; the external device serial number as printed on the left side of the device is 12082217302G67AAX.
blue USB device with a white label, on which "USB 7" is printed
Recovered Evidence Item USB_001_CYB670-P3S10 (Front)
blue USB device on its side with the serial number "12082217302G67AAX" displaying
Recovered Evidence Item USB_001_CYB670-P3S10 (Left Side) - External Serial Number
  1. A 4GB Verbatim Store-n-Go USB storage device (External Serial Number NG04G3509008878DML) was obtained from general supplies. This device was visually similar to the recovered device. USB NG04G3509008878DML was processed to render it forensically sterile using DFLDD per standard lab procedures.
  2. A forensic copy of USB_001_CYB670-P3S10 was then made by S. R. Deerstalker using FTK Imager to the verified forensically sterile 8GB USB (Serial Number NG04G3509008878DML). The copy process followed standard lab procedures. The FTK Imager Image Summary (completion report) is shown below.

Created By AccessData® FTK® Imager 4.3.0.18

Case Information:

Acquired using: ADI4.3.0.18

Case Number: CYB670-P3S10

Evidence Number: 001

Unique description: Toshiba USB

Examiner: S. R. Deerstalker

Notes: 

--------------------------------------------------------------

Information for C:\Users\User\Desktop\CYB 670\CYB670-P3S10May2020:

Physical Evidentiary Item (Source) Information:

[Device Info]

 Source Type: Physical

[Drive Geometry]

 Cylinders: 243

 Tracks per Cylinder: 255

 Sectors per Track: 63

 Bytes per Sector: 512

 Sector Count: 3,913,344

[Physical Drive Information]

 Drive Model: Verbatim STORE N GO USB Device

 Drive Serial Number: 0A7F01272080

 Drive Interface Type: USB

 Removable drive: True

 Source data size: 1910 MB

 Sector count:    3913344

[Computed Hashes]

 MD5 checksum:    e46fcecc58bef443213c3fbe3742c6af

 SHA1 checksum:   8a1ef5790fcdefa9b526933847d9002104cba46a

Image Information:

 Acquisition started:   Wed May 6 12:48:31 2020

 Acquisition finished:  Wed May 6 12:51:16 2020

 Segment list:

  C:\Users\User\Desktop\CYB 670\CYB670-P3S10May2020.E01

Image Verification Results:

 Verification started:  Wed May 6 12:51:16 2020

 Verification finished: Wed May 6 12:51:31 2020

 MD5 checksum:    e46fcecc58bef443213c3fbe3742c6af : verified

 SHA1 checksum:   8a1ef5790fcdefa9b526933847d9002104cba46a : verified

  1. Evidence Tag USB_001(COPY1)_CYB670P3S10 was assigned to the forensic copy.
  2. The original USB (Evidence Tag: USB_001_CYB670P3S10) was stored in the lab evidence locker and the chain of custody document was updated.

Quick Look Forensic Examination

  1. A “quick look” forensic examination of USB_001(COPY1)_CYB670P3S10 was conducted by S. R. Deerstalker immediately after the forensic copy was generated. This examination was conducted using FTK Imager.
  2. The examination found that the USB storage device had been divided into four (4) partitions. This is an unusual occurrence. USB Storage devices normally have a single partition.
screenshot showing disk structure as displayed by FTK Imager for USB_001_CYB670P3S10
Disk Structure as Displayed by FTK Imager for USB_001_CYB670P3S10
  1. One file was found in the root directory of Partition 1: Backup [FAT16]. This file was an MS Word Document titled “To Whom It May Concern.docx” with size 45Mb and a last modified date of 5/4/2020 11:23:26 AM.
  2. The remaining three partitions had no files or folders present. No indicators of deleted files or folders were found on visual inspection of the root directory using FTK Imager. Since this was a preliminary “quick look” examination, file carving was not performed. This examiner noted that partitions 2, 3, and 4 would not be visible or accessible using the standard file and directory utilities on a Microsoft Windows server or workstation. The partitions would, however, be visible and accessible on a Linux based server or workstation.
  3. The file “To Whom It May Concern.docx” was exported from FTK Imager to a sandbox directory on Lab Workstation A. The file was then opened and inspected. The contents appeared to be a standard business letter. The file has been provided to the Human Resources team for further investigation.  This examiner cautioned the HR team leader, MJ Sheavers, that the creation and modification date and time stamps on the file (and as recorded in the directory entry) could not be relied upon since these can easily be spoofed by knowledgeable personnel.

## end of report ##