Searching a hard drive for Evidence of FRAUD

13 Posts
7 Users
0 Likes
928 Views
(@jmt605)
Posts: 15
Active Member
Topic starter
 

Hello all and thank you in advance.

Here is a hypothetical synopsis

The investigation involves the use of a computer to commit multiple acts of credit card fraud. Victims reported their cards were used online without their authorization. Follow-ups with the card companies reveal the cards were used from I.P. addresses outside the state where the victim resides. Victims are unable to provide any information about where or how their information was breached. A suspect computer is seized and a preliminary preview shows that the suspect has several programs installed denoting that he/she may be committing the frauds. These programs are

Proxifier
VIP72Socks
Truecrypt
CCleaner

All searches are done via Encase 6.19.7. A search in the unallocated space of the hard drive also yields the deleted formhistory.sqlite file that has the names and addresses of the fake names the orders were placed under, according to the information provided by the companies where the orders were made. A search for credit card numbers yields no results.

Log2timeline shows no I.P. addresses of value but does denote that the above programs were launched, but only on one of the days a fraudulent order was made. L2T also reveals that a program called Havij v1.16 Pro Portable was downloaded.

Questions

1) Does Encase provide a search for I.P. addresses that may have been used through Proxifier and VIP72Socks?

2) If the formhistory.sqlite file stored the values entered when filling out on-line forms why did it not capture the credit card numbers as well?

3) Where else can I look or what other tool may provide more information in this case?

 
Posted : 26/09/2013 7:09 pm
(@kbertens)
Posts: 88
Trusted Member
 

Hi JMT605,
About your questions: question number 1 I can't help you with.
Number 2, I don't know it for sure, but maybe the formhistory file just saves unencrypted data. Most webshops don't use https in their forms, but the credit card payment is a separate encrypted page.

Question number 3: a lot of options here. Did you investigate
- prefetch,
- shadow copies,
- link files? They could tell you something about filenames inside an (encrypted) volume.
Did you find a truecrypt volume?

 
Posted : 26/09/2013 8:28 pm
(@jmt605)
Posts: 15
Active Member
Topic starter
 

I did not find an encrypted volume yet. I am a fairly new investigator and am unsure how to go about locating an encrypted volume. The suspect has two hard drives, each with a default directory structure under his name that was set up by Win7, and therein is where I located the installed programs. A view of most of the folders in these directories shows data that appears to be encrypted; it is not legible in the hex/ASCII view pane. I have a list of IP addresses and a credit card number that was used and have created a specific keyword search for them in Encase. Results are pending. The areas I am running the search in are unallocated, pagefile.sys and hiberfil.sys. In a perfect world I would like to find the IP addresses and credit card numbers associated with these hard drives on the dates and times the fraudulent orders were made. If a program like Proxifier was used, I am guessing that the IP address may be in the pagefile.sys. The size of the pagefile.sys is about 17GB, so I am hopeful.

Thanks for the help thus far.

 
Posted : 26/09/2013 9:29 pm
(@jmt605)
Posts: 15
Active Member
Topic starter
 

A little research goes a long way! I found Encrypted Disk Detector by Magnet Forensics and better yet it is a FREE download. It does just what I need it to do.

 
Posted : 27/09/2013 1:47 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

This is for University/School right?

Also just out of curiosity, why did you capitalise FRAUD in your title?

In my head I was reading that out and then screamed fraud in my head, reminded me of Austin Powers when he comes out of cryo freeze and temporarily loses control and shouts odd words….made me giggle )

 
Posted : 27/09/2013 9:46 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also just out of curiosity, why did you capitalise FRAUD in your title?

Possibly it is a BIG fraud… 😉

jaclaz

 
Posted : 27/09/2013 2:57 pm
(@jmt605)
Posts: 15
Active Member
Topic starter
 

LOL yes I must admit I did it to be kinda funny. It is a real investigation.

 
Posted : 27/09/2013 11:30 pm
(@kbertens)
Posts: 88
Trusted Member
 

Is it a Law Enforcement investigation or a private company?

 
Posted : 30/09/2013 3:07 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Hello all and thank you in advance.
Questions

1) Does Encase provide a search for I.P. addresses that may have been used through Proxifier and VIP72Socks?

You can use EnCase GREP ?

When entering a "New Keyword" in the "Search expression" field, select the GREP checkbox.

This will match 0.0.0.0 to 999.999.999.999
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
If the files generated by the two programs are non-textual, you can add a dump of the files themselves to the case file, allowing the search of them.

Do not forget to check Unicode. You can also rewrite this to search for four bytes in hex value instead of the above textual information.

That is, instead of searching for dotted decimal, you can search for dotted hex, or even non-dotted hex - just remember endianness depends on the app writing it out.

2) If the formhistory.sqlite file stored the values entered when filling out on-line forms why did it not capture the credit card numbers as well?

Firefox by default in most recent versions actually looks at the text around the entry fields, and does not record credit card, CCV, social security and similar numbers by default.

3) Where else can I look or what other tool may provide more information in this case?

I would rerun some other carving tools such as "scalpel" or "trID". EnCase has a limited capability and database of files to carve.

As for locating encrypted volumes, make sure you are using as many ignorable hash sets as possible, beyond just the basic NSRL. The remaining clusters (or files, if you are lucky) may contain what you are looking for.

 
Posted : 30/09/2013 11:22 pm
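As an added illustration of the GREP advice in the post above (example code written for this page, not code from the poster or from EnCase): the same IPv4 keyword run three ways over a constructed buffer standing in for a slice of unallocated space or pagefile.sys, with the octet-range check that the 0.0.0.0-to-999.999.999.999 pattern needs, the UTF-16LE ("Unicode") form, and a known address as raw 4-byte value in both byte orders.

```python
import re
import socket
from typing import List, Tuple

# The EnCase GREP from the post, as a bytes regex: it matches 0.0.0.0 through
# 999.999.999.999, so every hit still needs an octet-range check.
NAIVE_IPV4 = re.compile(rb"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
# Same pattern with every character followed by a NUL: the "Unicode" (UTF-16LE)
# form that a plain ASCII keyword search walks straight past.
UTF16_IPV4 = re.compile(rb"(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}")

def is_valid_ipv4(dotted: str) -> bool:
    """Reject the false positives the naive pattern still returns (octets > 255)."""
    parts = dotted.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def find_dotted(data: bytes, unicode: bool = False) -> List[Tuple[int, str]]:
    """(offset, address) for dotted-decimal text hits; unicode=True scans UTF-16LE."""
    pat, enc = (UTF16_IPV4, "utf-16-le") if unicode else (NAIVE_IPV4, "ascii")
    hits = []
    for m in pat.finditer(data):
        ip = m.group().decode(enc)
        if is_valid_ipv4(ip):
            hits.append((m.start(), ip))
    return hits

def find_raw_packed(data: bytes, wanted: str) -> List[Tuple[int, str]]:
    """A known address as a raw 4-byte value, tried in both byte orders because
    the application that wrote it decides the endianness."""
    packed = socket.inet_aton(wanted)            # big-endian / network order
    hits = []
    for label, needle in (("big-endian", packed), ("little-endian", packed[::-1])):
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append((idx, label))
            start = idx + 1
    return hits

# Constructed sample buffer (documentation addresses only), not real evidence.
SAMPLE = (
    b"\x00\x01log: connect via 203.0.113.7 ok\x00"      # ASCII dotted decimal
    + b"bogus 999.999.999.999 here\x00"                 # naive-GREP false positive
    + "proxy=198.51.100.23".encode("utf-16-le")        # UTF-16LE dotted decimal
    + socket.inet_aton("192.0.2.44")                    # raw big-endian 192.0.2.44
    + socket.inet_aton("192.0.2.44")[::-1]              # same address, little-endian
)
```

Run against a real image you would feed it chunks of the exported unallocated clusters or pagefile rather than the constructed SAMPLE, and keep the offsets so each hit can be bookmarked back in EnCase.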
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just in case
http://thomasquinlan.com/2011/09/a-better-ip-address-grep-for-encase/

jaclaz

 
Posted : 01/10/2013 12:51 am
Page 1 / 2