Notifications

Clear all

Searching a hard drive for Evidence of FRAUD

JMT605 · 2013-09-26T18:09:37Z

Hello all and thank you in advance. Here is a hypothetical synopsisThe investigation involves the use of a computer to commit multiple acts of credit card fraud. Victims reporting their cards were used on line without their authorization. Followups with the card companies reveal cards were used from I.P. addresses outside the state where the victim resides. Victims are unable to provide any information about where how how their information was breached. A suspect computer is seized and a preliminary preview shows that the suspect has several programs installed denoting that he/she may be committing the frauds. These programs areProxifierVIP72SocksTruecryptCCleanerAll searches are done via Encase 6.19.7. A search in the unallocated space of the hard drive also yields the deleted formhistory.sqlite file that has the names and addresses of the fake names the orders were placed under according to the information provided by the companies where the orders were made. A search for credit card number yields no results.Log2timeline shows no I.P. addresses of value but does denote that the above programs were launched, but only on one of the days a fraudulent order was made. L2T also reveals that a program called Havij v1.16 Pro Portable was downloaded.Questions1) Does Encase provide a search for I.P. addresses that may have been used thru Proxifier and VIP72Socks? 2) If the formhistory.sqlite file stored the values entered when filling out on-line forms why did it not capture the credit card numbers as well?3) Where else can I look or what other tool may provide more information in this case?

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by JMT605 12 years ago

13 Posts

7 Users

0 Reactions

1,450 Views

RSS

eddtta

(@eddtta)

New Member

Joined: 12 years ago

Posts: 1

02/10/2013 11:12 am

I did not find an encrypted volume yet. I am a fairly new investigator and am unsure how to go about locating an encrypted volume. The suspect has two hard drives each with a default directory structure under his name that was set up by win7 and therein is where I located the installed programs. A view of most of the folders in these directories shows data that appears to be encrypted it is not legible in the hex/ascii view pane. I have a list of IP addresses and a credit card number that was used and have created a specific keywords search for them in Encase. Results are pending. The areas I am running the search in are unallocated, pagefile.sys and hiberfile.sys. In a perfect world I would like to find the IP addresses and credit card numbers associated to these hard drives on the dates and times the fraudulent orders were made. If a program like proxifier was used I am guessing that the IP address may be in the pagefile.sys. The size of the pagefile.sys is about 17GB so I am hopeful.

Thanks for the help thus far.

I am new to the investigator field also but this list of file signatures help me find an encrypted program when I compared the HEX values to ones listed on the list. Hope it helps, if not it may be a good reference.

http//www.garykessler.net/library/file_sigs.html

eddtta

ReplyQuote

Belkasoft

(@belkasoft)

Estimable Member

Joined: 17 years ago

Posts: 169

07/10/2013 10:42 pm

2) If the formhistory.sqlite file stored the values entered when filling out on-line forms why did it not capture the credit card numbers as well?

Could it be that information was deleted from this file the history cleaner (I see the reference to CCleaner in your original posting)? If this is the case, some traces of deleted data (or entire records) can be found in so-called "freelists". You can try dealing with that with our tool, Belkasoft Evidence Center (link in my signature).

ReplyQuote

JMT605

(@jmt605)

Active Member

Joined: 12 years ago

Posts: 15

Topic starter 24/10/2013 10:47 pm

Thank for all of your replies. I decided to just supply the investigator with what I had to this point and have pretty much closed my investigation unless the lead investigator needs more. I have received many more cases since this one and all present their own unique problems. Thanks for this forum and those who are willing to share knowledge.

ReplyQuote

Page 2 / 2 Prev

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 22 hours ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 2 days ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 2 days ago

8 Forums
15.7 K Topics
92.3 K Posts
230 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed