Cloud and RAM Analysis and Reporting
CLOUD
Document with short answers and support with screenshots/paths to source artifact.
1. Select the CLOUD -> Cloud Google Activity category.
a. What are three applications that the user used? Facebook, Gmail, Messenger, Skype. Sort on the Description column to find them.
b. Is there any evidence that the user wants to purchase an owl? Yes, Google Activity has searches related to buying owls.
2. What is Justine Beaufort’s phone number and date of birth? 574-404-1921 and 2/18/1990. This information is contained in the Facebook Profile Info.
3. Has Justine Beaufort ever posted any owl exploitation materials to Facebook? Yes. Facebook Timeline shows two posts of owl materials. Both were on 2/29/2019, one at 8:05:42 and one at 8:08:28. On the first post, she commented, “How cute!”
4. Was the user’s Twitter account ever locked out? Yes. In Gmail Messages, there is an email stating that the account is now unlocked.
5. The document owls.pdf was located in Justine’s Dropbox account. Where did Justine get that file from? https://wdfw.wa.gov/living/owls.pdf. This is located by conducting a search for owls.pdf and then viewing the records in Google Searches.
6. Did Justine send the document owls.pdf to anyone? Yes, she sent it to Jim Turk on 2/19/2019 5:14:02 via Gmail as an attachment. This is located using Connections Explorer for the file name.
7. Clear all filters.
RAM
A suspect is arrested in another jurisdiction for owl trafficking. This suspect's computer had an IP address of 216.58.216.202. During an interview, the suspect said that he obtained his owl photos using the program Ares. Upon searching his computer, it was determined that the suspect downloaded images from IP address 24.235.54.21 and that one of the images was named cuteowl.jpg. This IP address returned to Justine Beaufort. We want to determine if Justine engaged in owl trafficking with this computer.
1. Is there any evidence of the program ARES in RAM? Yes, a Google search was done for the program, the program was downloaded, and the installation file was executed.
2. Is there any evidence that a Peer to Peer site was used? If so, can you determine what searches were done at the site? Under Torrent URLs, there are two artifacts, both for The Pirate Bay. Both of these artifacts were for searches. The first search was for “horned owl” and the second search was for “owl.”
3. Is there any evidence of the file cuteowl.jpg in RAM? If so, where was this file saved and did the user ever open the file? The file was opened. Searching file:/// reveals a LNK file showing that the file was opened on the Camera Card on 3/26/2019 at 11:43:20.
4. Is there any evidence of other files being accessed on the Camera Card? Yes, Connections Explorer reveals a number of other owl-related files that were accessed from the Camera Card.
5. Is there any evidence that Justine’s computer was ever connected to the other computer? Yes. Network Info (netscan) shows a connection to a Remote IP address of 216.58.216.202. The current status of the connection is closed.
6. Clear all filters.
REPORTING – Produce a comprehensive digital forensics report
PART 1 – EXPORTING. We want to create an Excel spreadsheet containing all of the searches that were conducted on this computer.
1. In the filter bar, for the drop-down Artifacts, select only search-related artifacts.
2. Right-click on Matching Results and select Create report / export.
3. File path: Holding.
4. Export type: Excel.
5. Items to include: Items in the current view.
6. Level of detail: High-level information in one report.
7. Create.
SECTION 2 – CASE REPORT
1. Create an HTML case report which includes only the bookmarks, tags, and comments from this case.