The hazardous materials team is called suddenly at 3a.m. May 10 to a warehouse
behind Roma St station in Brisbane. Team member Moti identifies the scene as a drug
manufacturing location, and the people there have hurriedly packaged up the loose
powders they were working with, leaving traces on the floor and across many desk
surfaces. Moti makes a decision not to call the forensic squad in when he sees the
drug traces, because he suspects the drug is at the top of the current most dangerous
list and he needs to take samples back to his lab for analysis before identifying it.
However, Moti is familiar with the protocol when there is a computer in the area, and
calls his colleague Sandra, waking her at 3:17a.m. to walk him through a capture of
computer data for forensic analysis. He is able to shut down the laptop, and removes it
from the scene along with several CDs found in the desk.
Later that day, Sandra analyzes the laptop and CDs in the police forensics lab. The
computer is equipped with Windows and only a basic Word document facility and
Internet Explorer, a program called “OpenPuff”, and has software for showing DVDs
and image files. No documents appear to have been stored on the machine. Three of
the CDs are actually DVDs with recent movies. The fourth contains a suspicious ZIP
Sandra makes three forensic copies of all the data and stores two of them safely in the
lab. She then delegates the laptop and CDs to various staff members for analysis,
distributing the third copies to them. As most of the staff are also involved in a large
on-going investigation she decides to ask for the help of an additional team member
who is holidaying overseas.
You receive a secure e-mail from Sandra with an attachment containing two NTLM
hash strings retrieved from the criminal’s laptop, the ZIP file from one of the CDs
along with a request to analyse it as quickly as possible for any pertinent information,
and an apology for interrupting your holiday.
The two NTLM hashes are:
And you are advised that the MD5 hash value of the executable file should be
Analyze this file and report your findings using the outline below. (For marking
purposes, it is strongly recommended that you follow this outline.)
DIGITAL FORENSIC PROCEDURE
1. Explain how you downloaded the file, what precautions you took, and how you
ensured its integrity.
2. Describe how you decrypt the two given NTLM hash values by using OphCrack
including screen shots.
3. Describe the process that you apply to open the downloaded file. Describe whether
there is a relationship between this process and the information obtained in Step 2.
4. Describe the actual content of the encrypted file that you identified in Step 3. If
there are multiple files, list their file names, types and MD5 hash values. Describe
the visual contents in each file.
5. What tools will you now use to proceed your investigation and why?
6. Describe how your investigation proceeded at this point, including screen shots.
DIGITAL FORENSIC REPORT
7. Write a two page report for Sandra listing your findings and recommendations.
Make appropriate suggestions on how a further investigation should proceed.
Construct and complete a single-item evidence form as part of your report.
EasyDue™ 支持PayPal, AliPay, WechatPay, Taobao等各种付款方式!
E-mail: firstname.lastname@example.org 微信:easydue