Reflections on a first computer forensic investigation

First published October 2006

by Brian Marofsky

What follows is a synopsis of the experience I had of conducting my first computer forensic investigation. It was my no means a text book investigation. I made my share of mistakes but I made every attempt to learn from them. It is my hope that through my experience, those new to the field may learn and be better prepared than I.

I was in my last semester of an AAS degree in Computer Forensics when I started my mandatory internship. After locating, interviewing and being accepted, I was assigned to the engineering pool of a local IT solutions company and began my training by conducting vulnerability scanning using NESSUS. As I neared the end of my 90 hour internship, I approached my manager and requested the opportunity to conduct a forensic investigation of a company computer. As luck would have it, the company had just gone through a small round of layoffs and in the manager’s office were several laptops which had been turned in by the departing employees. I was handed one at random and set off to begin my first “real world” investigation. Before I began, I was given a few directives which were the beginning of many pitfalls in this soon-to-be brief investigation. The first instruction I was given was to boot the suspect computer to the administrator account and retrieve all software product keys, “just in case” as there was no hard copy record of these. The second was to keep the user name and company name confidential in any report I generated. As an overanxious, fledgling investigator, I immediately jumped feet first into the process. As you can see, I have already made several mistakes. I let management dictate investigative procedures and I did not properly assess and plan my investigation.

I quickly learned that I was not prepared to do this type of investigation, I had no storage space for acquired images and I had no forensic software that I was trained in or comfortable with using. I had HELIX and FTK imager as well as a Demo version of FTK. I made the decision to go with a live investigation based on these limitations and because I was going to boot the computer to the Win XP admin account to get the software keys anyway, so why not? I had a little trouble getting the keyfinder program to work because the CD drive was bad in the laptop, but after swapping it out (which required a reboot), I successfully recorded the software keys. Next I inserted the HELIX CD and used some of the Widows-side tools. I ran Retriever 2.0 and located a significant amount of pornography in the internet history and cookies folders. Next I ran some of the live response tools in HELIX such as FRED, IRC2 and FRUC. The output was piped thru netcat to my forensic station. Next I tried out the IE History viewer, IE Cookie viewer, Messenger Password, Mail Password, Network Mail Password and Protected Storage Viewer. All of these I saved to a USB thumb drive. It was at this point that certain content raised a few red flags for me. One was the large amount of pornography and the second were the text files I recovered from the internet history folder. The text files were very graphic, sex stories and one in particular involved a 9 year old. The supervisor had instructed me that if any illegal activity was uncovered that I was to notify him immediately. I showed him the text document and he asked me to continue the investigation and see what else I could find.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


As you can see there was a significant amount of changes to the suspect drive: multiple times booting to the admin account, attaching a USB thumbdrive, and assigning a static IP configuration. I knew at this time I was long overdue in capturing an image of the hard drive. I was able to locate a 150GB external USB drive to use as a destination drive. The problem was I had never used HELIX to obtain an image before. It took a few tries to get it to work, first I had to learn the commands to mount the USB drive as Read/Write and second was learning to use the version of AIR on the HELIX CD to acquire the image. I successfully hashed the suspect hard drive and verified it to the acquired image.

Now, how was I going to examine a 40GB drive with a demo version of FTK? I decided that I would export folders and examine them individually as separate cases in FTK. I used FTK Imager to open the acquired image and export the following folders in the primary user’s profile:

– Content.IE5
– Cookies
– History.IE5
– A subfolder of the Favorites folder (named STUFF)
– A deleted Desktop folder named OTHER
– My Documents

A case was started in FTK for each of the above folders, most of which exceeded the 5000 file limit, but as I started reviewing the images, documents, and cookies, I got a pretty good idea how the user was spending his time on the Internet. Most of what I found was pornography. But it was when I examined the contents of the deleted Desktop folder, that I got the information that would change the course of the investigation and make me wish I had done things differently. The deleted folder contained over 200 sexually explicit stories, 83 of which were tagged by the author as either pedophile or extreme pedophile. There were also dozens of CP images that accompanied these stories.

I stopped my investigation and began putting together report to present to the manager. He contacted the CIO of the company who in turn contacted the corporate attorney. It was at this point that the FBI was called in and all evidence was turned over to them. The Special Agent was impressed with the tools I used and the documentation I presented. Despite this, I spent the next few days reflecting upon my actions and revising my methodology. I broke quite a few rules of forensic investigation. Such as: do not alter the data, keep meticulous documentation and have the right tools (and know how to use them). I made a list of the good and bad:

BAD

– Not assessing the case before starting
– Letting management dictate the course of the investigation
– Not having the proper tools/equipment and knowing how to use them
– Not treating every investigation as if it were going to court
– Not documenting EVERY step
– Not testing my methodology

GOOD

– Knowing when to ask for help – i.e. asking a Linux weenie for help with Linux commands
– Knowing when to stop the investigation
– Having a methodology
– Keeping notes
– Learn from my experiences

I continue to collect, use and validate forensic tools. I am now using a licensed copy of UTK and have obtained several RAW images and am experimenting on them, and revising my methodology as I go. I have also put together a team for the DC3 Challenge. I hope this was helpful to some of the other newbies out there. I can be contacted with any questions/coments at bmarofsky@gmail.com.

Leave a Comment