Reference Number: DPEA-31080
FACULTY OF COMPUTER SYSTEMS & SOFTWARE ENGINEERING
UNIVERSITY MALAYSIA PAHANG
BCN3233 – CYBERCRIMES AND FORENSIC COMPUTING
SEMESTER 3 (2021 | 2022)
PROJECT REPORT: EVIDENCE ANALYSIS IN CASE #DPEA-31080
LAB SECTION: 01A
LECTURER NAME: DR. SYIFAK BINTI IZHAR HISHAM
GROUP MEMBERS / MATRIC ID: JOACHIM A/L AGOSTAIN – CA20017
DIGITAL FORENSICS REPORT
EVIDENCE ANALYSIS IN CASE #DPEA-31080
INVESTIGATOR: JOACHIM S/O AGOSTAIN (Student, University Malaysia Pahang)
FORENSICS LEAD: DR. SYIFAK BINTI IZHAR HISHAM (Professor, University Malaysia Pahang), 016-9876543
SUBJECT: CAR THEFT FORENSIC INVESTIGATION REPORT
Reference No: DPEA-31080
Offence: Car theft racket with an electronic communication system
Specialist Field: Digital Forensics
Date of Seizure: 12 December 2021
Date of Conclusion: 3 February 2022
TABLE OF CONTENTS
No. | Contents | Pages
1 | INTRODUCTION | 1
  | Criminal's Forensic Report | 2
  | 1.1 Summary of case and tasking | 2
  | 1.2 Statement of Compliance | 3
  | 1.3 Forensic Examination Process | 3
  | 1.4 Processing Location | 3
2 | FORENSIC EXAMINATION | 4
  | 2.1 Tools used in the Investigation | 4
  |   i. AccessData FTK Imager – Version 4.5.0.3 | 4
  |   ii. Autopsy Sleuth Kit – Version 4.19.9 | 4
  |   iii. AccessData Password Recovery Toolkit (PRTK) | 4
  |   iv. StegSpy – Version 2.1 & StegBrute | 4
  | 2.2 Acquisition of Digital Image Evidence | 5
  |   i. Image Disk Information and Hash Value Verification | 5
3 | CHAIN OF CUSTODY | 7–14
  |   i. Description of Evidence & Chain of Custody | 7–10
  |   ii. Chronology | 10–12
  |   iii. List of Evidence | 12
  |   iv. Forensic Tool Used | 12–13
  |   v. Findings and Analysis | 14
4 | PROCESSING EVIDENCE INFORMATION | 15–38
  | 4.1 File Analysis Results (Evidence Classes) | 16
  |   4.1.1 Evidence Class 1 – Email Conversation | 16–27
  |   4.1.2 Evidence Class 2 – Encrypted Archive (Codes.zip) | 28–33
  |   4.1.3 Evidence Class 3 – Same Hash Value with duplication | 34
  |   4.1.4 Evidence Class 4 – Steganography found in the image | 35–36
  |   4.1.5 Evidence Class 5 – Data artifacts in image Dl5.bmp | 37–38
5 | FINDINGS OF THE EVIDENCE CLASSES | 39–40
6 | SUMMARY OF CONCLUSION | 40–41
7 | REFERENCES | 41–42
1. INTRODUCTION
The purpose of this forensic report is to document the investigation, the examination procedures, the findings and the recommendations arising from suspicious activity in which a suspect was found to be part of a car theft racket that used an electronic communication system and a computer to hack and penetrate the systems of modern luxury cars. The report serves the observation and presentation stage of the investigation. It follows the digital forensic standards, principles, methods and legal procedures that may bear on the court's decision, and it sets out all the details of the evidence recovered from the DPEA-31080 image of the hard disk from the suspect's computer. The investigation was carried out on the digital evidence with several forensic tools on Windows and Linux distributions to extract, recover and parse data, including registry data, from the suspect's computer system. The software used to analyse and investigate this case includes FTK Imager, ProDiscover, Autopsy, Bulk Extractor, PhotoRec, ExifTool, S-Tools, Steghide and AccessData Password Recovery Toolkit (PRTK).
CRIMINAL'S FORENSIC REPORT
Reporting Agency: Cyber Defence Industry (UMP Malaysia)
Prepared by: Joachim S/O Agostain, Cyber Division
Case Identifier: DPEA-31080
Incident: Physical attack on modern luxury car systems by a car theft racket using an electronic communication system
Date of Seizure: December 12, 2021 (Sunday)
1.1 SUMMARY OF CASE AND TASKING
This case concerns suspicious behaviour in which a suspect was discovered to be part of a car theft racket that used an electronic communication system to hack and exploit modern luxury car systems. With the advanced AI features in today's vehicles, a modern car is essentially a supercomputer on wheels: it can be infected by bugs and malicious software, and an attacker who knows how to bypass the vehicle's security systems can control it remotely. As private investigators, we analysed a forensic clone of the suspect's computer disk as evidence, to establish the suspect's email communications with their attachments, the files exchanged, the secret information hidden by steganography and the password-protected files, in a manner that allows the digital crime to be tracked and prosecuted. The procedure involves imaging the computer systems to gather credible evidence of the crime, analysing that evidence to determine who committed the crime and why, and documenting the chain of custody and the findings for prosecution and any appeal.
1.2 STATEMENT OF COMPLIANCE
As expert witnesses, we consider it our responsibility to provide independent assistance in the form of objective advice on matters within our expertise.
1.3 FORENSIC EXAMINATION PROCESS
As forensic investigators, we ensure that the procedures and actions performed in collecting and analysing the evidence are verifiable, comply with the applicable legal frameworks and reflect industry standards; any compromise of the reliability of the forensic procedure undermines the analysis of the evidence. We performed all examinations, measurements, tests and experiments on the DPEA-31080 digital image of the accused's computer and summarised the results on which the expert opinion rests. We also maintain a reliable chain of custody and document every activity carried out from the start of the inquiry, so that all aspects of the investigation are recorded for later analysis and review.
1.4 PROCESSING LOCATION
Evidence was processed at the accredited Cyber Security Computer Forensics Laboratory at University Malaysia Pahang, Malaysia. The lab is a dedicated digital forensic laboratory accredited by the Malaysian Society of Crime Laboratory Directors and Laboratory Accreditation Board. Examinations are performed by certified professionals who have completed the digital forensic certification process and who act independently, impartially and objectively. The laboratory was given about 35 days to locate and evaluate the evidence and report its findings. Because of the laboratory's standards, the court can be confident that:
i. the evidence is well documented;
ii. the evidence is packaged, transported and stored appropriately;
iii. storage areas are free of electromagnetic interference and harmful compounds;
iv. the quality and condition of the devices are evaluated regularly.
2.1 TOOLS USED IN THE INVESTIGATION
The forensic tools employed in this investigation were as follows:
i. AccessData FTK Imager – Version 4.5.0.3
FTK Imager was used to preview the data on the suspect's drive and to create a forensic image of it without writing to the source (write-blocked acquisition), which preserves evidential integrity. The acquired data was stored as the DPEA-31080 case image file.
ii. Autopsy / The Sleuth Kit – Version 4.19.9
Autopsy, an open-source digital forensics platform, was used to analyse evidence in many file formats, damaged file systems, encrypted data and email communications within the image. It handles the large volume of data in the DPEA-31080 image and exposes the drive contents: files, operating system and file system artifacts, and deleted files or file fragments located in file slack and unallocated space, all without modifying the image.
iii. AccessData Password Recovery Toolkit (PRTK) – Version 8.2.1
PRTK was used to recover the password of the encrypted Codes.zip archive identified in the image. It supports dictionary attacks, brute-force attacks and combinations of the two against password-protected files; the attack on the letter-and-digit password of Codes.zip recovered "mosquito936".
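The PRTK description above and chain-of-custody entry 6 state that the Codes.zip password "mosquito936" was recovered by dictionary and brute-force attacks over about seven hours. The following is an added example, not code from the report, from AccessData or from PRTK, that shows the mechanics of such an attack at toy scale in Python. It builds a constructed single-entry archive protected with traditional ZipCrypto, the only ZIP encryption the standard library can decrypt (an AES-encrypted archive needs a different tool and has a far more expensive per-guess key derivation), then runs a dictionary attack that tries each word bare and with every three-digit suffix, the shape of the recovered password. The archive contents, the wordlist and the reuse of the recovered password for the sample are assumptions for illustration. A ZipCrypto header exposes a single check byte, so about one wrong guess in 256 passes that check and is only rejected when the CRC fails; the cracker counts those separately.

```python
import io
import struct
import zipfile
import zlib

# ZipCrypto (traditional PKWARE) key schedule. Python's zipfile can *read*
# ZipCrypto archives but not write them, so a small encryptor is needed to
# build the constructed sample archive below. Spec-accurate, demo use only.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc: int, byte: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCryptoEncryptor:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for b in plaintext:
            k = self.k2 | 2
            out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_zipcrypto_archive(name: str, data: bytes, password: bytes) -> bytes:
    """Single-entry, stored (uncompressed), ZipCrypto-encrypted ZIP in memory."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header whose last byte must equal the CRC's high byte.
    # That one byte is all a decryptor can verify before decrypting the data,
    # so about 1 in 256 wrong passwords pass it and only fail the final CRC.
    header = bytes(11) + bytes([crc >> 24])
    payload = ZipCryptoEncryptor(password).encrypt(header + data)
    fname = name.encode("ascii")
    dos_time, dos_date = 0, (27 << 9) | (9 << 5) | 3  # 2007-09-03, cosmetic
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, dos_time,
                        dos_date, crc, len(payload), len(data), len(fname), 0)
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0,
                          dos_time, dos_date, crc, len(payload), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0)
    cd_offset = len(local) + len(fname) + len(payload)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central) + len(fname), cd_offset, 0)
    return local + fname + payload + central + fname + eocd


def read_entry(zip_bytes: bytes, password: bytes) -> bytes:
    """Decrypt the archive's first entry with the standard library."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


def dictionary_attack(zip_bytes: bytes, wordlist, digits: int = 3):
    """Try each word bare, then with every zero-padded numeric suffix of the
    given width. Returns (password or None, attempts, check-byte false positives)."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    target = zf.namelist()[0]
    suffixes = [""] + [f"{n:0{digits}d}" for n in range(10 ** digits)]
    attempts = false_positives = 0
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            attempts += 1
            try:
                zf.read(target, pwd=candidate.encode())
                return candidate, attempts, false_positives
            except RuntimeError:        # wrong check byte: fast rejection
                continue
            except zipfile.BadZipFile:  # passed the check byte, failed CRC
                false_positives += 1
    return None, attempts, false_positives


# Constructed sample (not the real Codes.zip): contents are placeholder text and
# the password is the one the report says PRTK recovered.
SAMPLE_ZIP = build_zipcrypto_archive(
    "codes.txt", b"car,model,code\nconstructed sample line\n", b"mosquito936")
# Assumed wordlist: words from the suspects' emails plus the recovered stem,
# ordered so the hit comes last to show the cost of a badly ordered list.
CASE_WORDLIST = ["possum", "kingfisher", "wildlife", "goldcoast", "mosquito"]

if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_ZIP, CASE_WORDLIST))
```

With the five-word list the hit is the 4942nd candidate; each miss costs only a 12-byte decryption, which is why ZipCrypto archives fall to wordlist and mask attacks quickly while the seven hours reported for PRTK reflect a much larger keyspace.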
iv. StegSpy – Version 2.1 and StegBrute (steganography applications)
During the investigation we applied StegSpy to detect steganographic signatures and hidden messages within the digital images used in the car theft racket. StegSpy is signature-based: it identifies the hiding program from the marker it leaves in the file and, in version 2.1, the location of the hidden content, so it detects only tools whose signatures it knows.
We also used StegBrute, a fast multi-threaded steganography brute-forcing tool written in Rust and originally built for CTF challenges, to run wordlist attacks against the passphrases protecting content embedded with Steghide in the case images and to extract that content once a passphrase was found.
2.2 ACQUISITION OF DIGITAL IMAGE EVIDENCE
As forensic investigators, we verify the forensic image by recomputing the MD5 and SHA-1 hash values of the image of the suspect's computer disk and comparing them with the values recorded at the time of acquisition. Once they match, the chain of custody and the chronology of the evidence are documented as set out below.
i. Image Disk Information and Hash Value Verification
Under case DPEA-31080 the suspect's computer was seized under a search warrant in order to acquire evidence of the suspect's criminal activities.
Physical Evidentiary Item Information [Drive Geometry]
Case Identifier: DPEA-31080
Tag: #001 (digital image of the suspect's drive)
Filename: DPEA-31080.001
Source data size: 1033 MB
Sector count: 2,116,800
(DPEA-31080 image file report in ProDiscover)
Hash Value Matching Original Evidence
Computed hashes:
MD5 checksum: 65c64f16ad8e21793e7f7b7b6ef44e8b
SHA-1 checksum: fb5c7fda4419705d7af7183579b2ded1d68702ae
Image verification results:
MD5 checksum: 65c64f16ad8e21793e7f7b7b6ef44e8b (verified)
SHA-1 checksum: fb5c7fda4419705d7af7183579b2ded1d68702ae (verified)
Date and time: September 12, 2007 (Wednesday), 00:36:07
The MD5 hash of the image, 65c64f16ad8e21793e7f7b7b6ef44e8b, and its SHA-1 hash, fb5c7fda4419705d7af7183579b2ded1d68702ae, match the values computed from the original evidence, so the cloned evidence file is shown to be identical to the original. The reported geometry is consistent with the size: 2,116,800 sectors of 512 bytes is 1,083,801,600 bytes, about 1033 MiB, which is the 1033 MB stated in the acquisition record. MD5 and SHA-1 are both no longer collision resistant; an agreeing pair is still adequate to show that this copy was not altered, but current practice is to record a SHA-256 digest as well.
Figure 1: Image Verify Results
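As an added example, not part of the report and not FTK Imager's own code, the verification shown in Figure 1 written as a script: it hashes an image in one streaming pass, compares each digest with the value recorded at acquisition, and checks that the file size equals the sector count times 512 bytes. Against the real evidence it would be given DPEA-31080.001, the two recorded digests and the sector count 2,116,800; here the input is a constructed temporary file and the "acquisition record" is taken from a first pass over it. SHA-256 is computed alongside MD5 and SHA-1 so that a modern record can be kept at no extra cost.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # FTK Imager reports the sector count in 512-byte sectors


def stream_hashes(path: str, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single streaming pass,
    so a multi-gigabyte image is never loaded into memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, expected: dict, sector_count: int) -> dict:
    """Compare computed digests with the acquisition record (a dict such as
    {"md5": "...", "sha1": "..."}, case-insensitive) and check that the file
    size equals sector_count * SECTOR_SIZE. Every check must pass for
    'verified' to be True."""
    computed = stream_hashes(path)
    results = {name: computed[name] == value.lower()
               for name, value in expected.items()}
    results["size"] = os.path.getsize(path) == sector_count * SECTOR_SIZE
    results["verified"] = all(results.values())
    results["computed"] = computed
    return results


def make_sample_image(sectors: int = 2048) -> str:
    """Write a constructed stand-in for DPEA-31080.001 (deterministic filler,
    not real evidence) to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".001")
    with os.fdopen(fd, "wb") as fh:
        for i in range(sectors):
            fh.write(bytes([i & 0xFF]) * SECTOR_SIZE)
    return path


def tamper(path: str, offset: int = 4096) -> None:
    """Flip one bit in the image: the size check still passes, the hashes do not."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        b = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([b[0] ^ 0x01]))


if __name__ == "__main__":
    image = make_sample_image()
    record = stream_hashes(image)  # stands in for the FTK Imager verification log
    print(verify_image(image, {"md5": record["md5"], "sha1": record["sha1"]}, 2048))
    tamper(image)
    print(verify_image(image, {"md5": record["md5"], "sha1": record["sha1"]}, 2048))
    os.remove(image)
```

The size check matters because a hash comparison alone cannot tell a short read from a faithful copy when the recorded digest was itself computed over a truncated acquisition; the sector count comes from the drive geometry, not from the image.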
3.0 CHAIN OF CUSTODY
Reporting Agency: Cyber Defence Industry
Case Number: DPEA-31080
Offense: Car theft racket with an electronic communication system
Forensic Investigator: Joachim S/O Agostain, Cyber Division
Incident: Physical attack on modern luxury car systems by a car theft racket using an electronic communication system
Digital Evidence: Under case DPEA-31080 the suspect's computer was seized under a search warrant in order to acquire evidence of the suspect's criminal activities.
Tag: #001 (digital image of the seized suspect's drive)
Filename: DPEA-31080.001
Date/Time Seized: 12 December 2021. Image completion time (FTK Imager): 12 September 2007 (Wednesday), 00:36:07
Location of Seizure: University Malaysia Pahang
i. Description of Evidence
Item# | Quantity | Description of Item (model, serial #, condition, marks, scratches)
1 | 1 | Disk image: DPEA-31080.001; drive model: DPEA-31080; size: 1033 MB; drive interface type: IDE; sector count: 2,116,800
No. | Date / Time | Released by | Received by | Comments / Location
1 | 12/12/2021 05:10 PM | Dr. Syifak (signed) | Joachim (signed) | Verify the forensic image: recompute the hashes of the suspect's disk image and compare the MD5 and SHA-1 values with those recorded at acquisition. Disk image: DPEA-31080.001; total number of sectors: 2,116,800; source data size: 1033 MB. MD5 checksum: 65c64f16ad8e21793e7f7b7b6ef44e8b (verified); SHA-1 checksum: fb5c7fda4419705d7af7183579b2ded1d68702ae (verified). Image completion time: 2007-09-12 (Wed) 00:36:07. The disk was imaged with FTK Imager run from a live disk.
2 | 13/12/2021 08:00 PM | Dr. Syifak (signed) | Joachim (signed) | Retrieve all email conversations and graphics, including images and metadata files, from DPEA-31080.001; assess the integrity of the data through metadata tag analysis and hash values.
3 | 13/12/2021 12:00 PM | Dr. Syifak (signed) | Joachim (signed) | Examine the integrity of deleted file artifacts that become accessible during the recovery process.
4 | 13/12/2021 03:00 PM | Dr. Syifak (signed) | Joachim (signed) | Examine the evidence artifacts identified through analysis of the email communication.
5 | 14/12/2021 08:00 AM | Dr. Syifak (signed) | Joachim (signed) | Examine the evidence artifacts gathered from the encrypted zip file attached to the email conversation with the subject Wildlife.
6 | 14/12/2021 03:00 PM | Dr. Syifak (signed) | Joachim (signed) | Use Password Recovery Toolkit to crack the password of the encrypted Codes.zip and retrieve its contents. Breaking the password took 7 hours of brute-force and dictionary attacks on letter-and-digit combinations, yielding "mosquito936".
7 | 15/12/2021 12:00 PM | Dr. Syifak (signed) | Joachim (signed) | Examine the evidence artifacts revealed by the image files with identical hash values found in several directories, including the recycled folder, which carry steganographic content inside the attachments to the email conversation.
8 | 16/12/2021 04:00 PM | Dr. Syifak (signed) | Joachim (signed) | Evaluate the evidence artifacts obtained from the steganography files detected in the wildlife image attachments of the email conversation.
9 | 18/12/2021 12:00 PM | Dr. Syifak (signed) | Joachim (signed) | Extract the steganography picture Dl5.bmp, which contains crucial information, including data artifacts regarding the crime, from the DPEA-31080 image file.
ii. Chronology
No. | Date / Time | Event details | Attachment
1 | 28/08/2007 23:18:35 SGT | Email subject: Business Proposal. From: [email protected]. To: [email protected]. Evidence: Ozzie advised Beven to delete the email conversation as soon as possible so that CSI would find no proof: "I don't want to communicate over the phone. You've probably seen all the CSI series recently, and they can simply obtain phone records. Only use email to communicate," he stated. | None
2 | 02/09/2007 23:20:21 SGT | Email subject: Setup. From: [email protected]. To: [email protected]. Evidence: Ozzie provided Beven with an encrypted file containing the names of some unique Australian wildlife; Ozzie can open the encrypted file once Beven sends him a password. | None
3 | 09/09/2007 16:44:13 SGT | Email subject: Storing object. From: [email protected]. To: [email protected]. | None
Evidence: Ozzie asks Beven, "Where are you putting your acquisitions?", and requests some images from him. On the same day, at 22:17:15, Ozzie replied to Beven's email stating that he had received the wildlife animal images and that he looked forward to more beautiful animal images from the Gold Coast.
4 | 29/08/2007 13:21:41 SGT | Email subject: Business deal email. From: [email protected]. To: [email protected]. Evidence: Beven decides to meet Roja to discuss the business idea. | None
5 | 29/09/2007 13:22:51 SGT | Email subject: Ozzie calling Foxy to meet and check out some business. From: [email protected]. To: [email protected]. Evidence: Ozzie informs Foxy that he will meet Roja that evening at about 9 p.m. and invites Foxy to meet and inspect the same business. | None
6 | 03/09/2007 22:54:46 SGT | Email subject: Wildlife (sharing the pictures Ozzie requested). From: [email protected]. To: [email protected]. Evidence: Beven replies that he has 18 different kinds of animal images to share with Ozzie. At 23:15:57 Ozzie sent a further email, this time with an attachment named Codes.zip, and asked for a possum image if Beven had one. | Yes
7 | 09/09/2007 19:56:38 SGT | Email subject: Tools suggestion. From: [email protected]. To: [email protected]. Evidence: Ozzie suggests that Beven open the images with BMP and JPG tools. | Yes
8 | 09/09/2007 21:53:45 SGT | Email subject: Sending possum picture. From: [email protected]. To: [email protected]. Evidence: Beven tells Ozzie that he will send the picture that night, that the acquisitions are stored at a mate's place, who has a large shed on his 100-hectare property at Logan Village, and he eventually sent a possum picture. | Yes
9 | 11/09/2007 14:38:33 SGT | Email subject: Kingfisher. From: [email protected]. To: [email protected]. Evidence: Beven sends Kingfisher, Pied Butcher and Swan images to Ozzie as email attachments; the attachments contain a steganography file. | Yes
iii. List of Evidence
No. | Item | Type
1 | Communication in the email conversation | Emails
2 | Encrypted zip file in the email conversation | Archive file
3 | Image files with the same hash value found in multiple directories | JPEG/JPG/ZIP
4 | Steganography found in the images | JPG/BMP
5 | Data artifacts in the steganography image Dl5.bmp | BMP
iv. Forensic Tools Used
No. | Date / Time | Tool | Software type
1 | 12/12/2021 (05:10 PM) | i. AccessData FTK Imager – Version 4.5.0.3: write-blocked preview and imaging of the suspect's drive into the DPEA-31080 case image (described in section 2.1) | Imaging tool
2 | 12/12/2021 (05:10 PM) | ii. Autopsy / The Sleuth Kit – Version 4.19.9: analysis of file system artifacts, email communications and deleted data in the DPEA-31080 image (described in section 2.1) | Data preview & analysis
3 | 12/12/2021 (05:10 PM) | iii. AccessData Password Recovery Toolkit (PRTK) – Version 8.2.1: dictionary and brute-force recovery of the Codes.zip password "mosquito936" (described in section 2.1) | Password cracker
4 | 12/12/2021 (05:10 PM) | iv. StegSpy – Version 2.1 and StegBrute: signature-based detection of hidden content in the case images and wordlist brute forcing of the passphrases protecting it (described in section 2.1) | Steganography detection
Findings and Analysis

1. EVIDENCE CLASS 1 – Communication in the email conversation
The email conversations cover the Ozzie, Foxy, Bevan and Roja email domains, the relevant email addresses, the devices they communicate with, and the attachment files in each domain. They show evidence of suspicious activity: secret messages hidden inside the wildlife pictures using steganography, and encrypted files. The suspect was found to be part of a car theft racket that used an electronic communication system and a computer to penetrate modern luxury cars.

2. EVIDENCE CLASS 2 – Encrypted zip file in the email conversation
The encrypted file Codes.zip, attached to an email conversation on September 3, 2007 (23:15:57 SGT) between [email protected] and [email protected] with the subject "Wildlife", contains car theft racket information such as car name, model and code. It will be important evidence in the car theft case, since the suspects used the wildlife images to discuss specific vehicle details secretly during the crime.

3. EVIDENCE CLASS 3 – Same hash value for the image occurrence found in multiple directories
Images with the same hash value were found in multiple directories, including deleted files in the Recycled folder. They are the attachments with steganographic content from the email conversation between [email protected] and [email protected] from September 3 to 11, 2007. The matching hash values are crucial evidence in the car theft racket case, because the files conceal secret images of cars inside the wildlife images, as shown in the Evidence Class 3 table.

4. EVIDENCE CLASS 4 – Steganography found in the image
Using the Steg Spy tool, the 14 wildlife image attachments in the email conversation were found to carry steganographic signals, with the position of the identified marker recorded for each. This will be key evidence in the car theft racket case.

5. EVIDENCE CLASS 5 – Investigation of data artifacts in steganography image Dl5.bmp
The Autopsy tool was used to extract essential information from the DPEA-31080 image file, including data artifacts and the IP address configuration relating to the crime.
4.0 PROCESSING EVIDENCE INFORMATION

Brief Indication: The FTK Imager and Autopsy tools were used to conduct this forensic analysis of the suspect's photographs, executable files and email activity in the DPEA-31080 image file. The inquiry was helped by the analysis of the seized email account, which revealed information about co-conspirators, email conversations, attachments and other valuable forensic data regarding the car theft investigation.

Results of Evidence Analysis
The "DPEA-31080 image" file obtained from the acquisition and preservation operation is evaluated at this step. In the initial analysis step, the Autopsy tool is used to examine and identify the suspect's computer files, data sources, data artifacts, analysis results of system files, emails, and the metadata of information in file fragments found in file slack or unallocated space. The procedure of importing the case into the Autopsy tool, shown in Figure 2, is the first step of the image analysis phase.

Figure 2: Image Identification Stage
Autopsy detects all the details and evidence in the image file, which has been organized appropriately and has become a data source in the Autopsy "Analysis Results". The results are divided into the parts below.

4.1 FILE ANALYSIS RESULTS (EVIDENCE CLASSES)
In line with our objective, we focused on obtaining evidence to support the investigation of the suspicious activity, in which a suspect was found to be part of a car theft racket that used an electronic communication system and a computer to hack into and penetrate the systems of modern luxury cars.

Evidence Class | Description | Type of items
Evidence Class 1 | Communication in the email conversation | Emails
Evidence Class 2 | Encrypted zip file in the email conversation | Archive File
Evidence Class 3 | The same hash value for the image occurrence found in multiple directories | JPEG/JPG/ZIP
Evidence Class 4 | Steganography found in the image | JPG/BMP
Evidence Class 5 | Examine data artifacts in steg image Dl5.bmp | BMP

4.1.1 EVIDENCE CLASS 1 – Exhibit A, B, C, D, E
The table below summarises the information acquired on the suspect's email domains, the relevant email addresses, the devices they communicate with, and the items in each domain.

i. Email Communication
Exhibit Class 1 | Name of the domain | Device | Items
Exhibit A | [email protected] | DPEA-31080.001 | 18 Emails
Exhibit B | [email protected] | DPEA-31080.001 | 17 Emails
Exhibit C | [email protected] | DPEA-31080.001 | 9 Emails
Exhibit D | [email protected] | DPEA-31080.001 | 6 Emails
Exhibit E | [email protected] | DPEA-31080.001 | 2 Emails
4.1.1 EVIDENCE CLASS 1 – Email Conversations
These evidence artifacts were obtained from an analysis of the email communication between Ozzie, Foxy, Bevan and Roja in the digital image file, as described below.

EXHIBIT – Domain Name ([email protected])
This table shows an email conversation between [email protected] and [email protected] from August 28 to September 11, 2007.

Type: Email
From: [email protected]
To: [email protected]

Email Conversation 1
  Date: 2007-09-11 (Tuesday)
  Time: 14:44:13 SGT
  Subject: pick up time
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: None
Email Conversation 2
  Date: 2007-09-11 (Tuesday)
  Time: 14:38:33 SGT
  Subject: Swan
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: Swan.jpeg
    Mime Type: Image/jpeg
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/Sent/Swan.jpeg
    Size: 776509
    Hash Value:
      MD5: c9f54ecad95a63f4ada861e4984dc9e0
      SHA-256: abfeee618a74569b22fc5896a2539ff52cd20d10bd9386a3930dcb74fa073ffc
  File Content: (figure not reproduced)
Email Conversation 3
  Date: 2007-09-11 (Tuesday)
  Time: 14:36:37 SGT
  Subject: Pied Butcherbird
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: PiedButcherBird.jpg
    Mime Type: Image/jpeg
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/Sent/PiedButcherBird.jpg
    Size: 824965
    Hash Value:
      MD5: 38ab4dc995dc3e4ec637f2e7745335df
      SHA-256: d7a880c98f87be8dbb78ac918ccff693f4b4b40de8ac367266f3b91086728f3c
  File Content: (figure not reproduced)
Email Conversation 4
  Date: 2007-09-11 (Tuesday)
  Time: 14:33:10 SGT
  Subject: Kingfisher
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: Kingfisher.jpg
    Mime Type: Image/jpeg
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/Sent/Kingfisher.jpg
    Size: 786931
    Hash Value:
      MD5: d7da00525b50f893d9ee1db1e524cc92
      SHA-256: 6429f38515d636d11f859ee11a128cff9fe27aa96dc208c39b70378d33b1fe61
  File Content: (figure not reproduced)
Email Conversation 5
  Date: 2007-09-09 (Sunday)
  Time: 22:17:15 SGT
  Subject: Wildlife received
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: None
Email Conversation 6
  Date: 2007-09-09 (Sunday)
  Time: 22:12:43 SGT
  Subject: Lorikeets
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: Lorikeets.jpg
    Mime Type: Image/jpeg
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/Sent/Lorikeets.jp
    Size: 363837
    Hash Value:
      MD5: 63afee4018c9e79c9ab60b88669b6858
      SHA-256: bdd0eabf1bdb3396c3b5f40aba7d4074a440f1fa3b88d8595a74cb1b4ef7b6f1
  File Content: (figure not reproduced)
Email Conversation 7
This table shows an email conversation between [email protected] and [email protected] on September 06, 2007 (04:37:19).
  Type: Email
  From: [email protected] (Bevan White)
  To: [email protected] (Oswaldo Jones)
  Date: 2007-09-06
  Time: 04:37:19 SGT
  Subject: Re: Possum
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: None
Email Conversation 8
This table shows an email conversation between [email protected] and [email protected] on September 06, 2007 (04:37:19).
  Type: Email
  From: [email protected] (Bevan White)
  To: [email protected] (Oswaldo Jones)
  Date: 2007-09-09
  Time: 19:56:38 SGT
  Subject: Re: Possum
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: None
Email Conversation 9
  Date: 2007-09-09 (Sunday)
  Time: 21:53:45 SGT
  Subject: Possum
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: Possum.jpg
    Mime Type: Image/jpeg
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/Sent/Possum.jpg
    Size: 921747
    Hash Value:
      MD5: 382b38f9c9716c463dced7f03df4a4da
      SHA-256: a65b9dddf7dbdfcd4f6fc9f7061cadb995326b318885d890f89985517d947393
  File Content: (figure not reproduced)
Email Conversation 10
  Date: 2007-09-03 (Sunday)
  Time: 23:15:57 SGT
  Subject: Wildlife
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: 1 File Attachment
  File Metadata
    File Name: Codes.zip
    Mime Type: application/zip
    File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/bevan/Inbox/Codes.zi
    Size: 2395
    Hash Value:
      MD5: 02f35b8df56fbcb723678e987c6fe9e4
      SHA-256: 8f84b6cdd499697f52a45e9e11ca2d2b0e2520ce4f4631c5b9d633359910f086
  File Content:
    Item: Codes.zip
    Aggregate Score: Notable
    Type: Encryption Detected
    Comment: Full Encryption (Archive File)
Email Conversation 11
  From: [email protected] (Bevan White)
  To: [email protected] (Oswaldo Jones)
  Date: 2007-09-03 (Sunday)
  Time: 22:54:46 SGT
  Subject: Wildlife
  Content: (figure not reproduced)
  Metadata (Headers): (figure not reproduced)
  Attachments: None
4.1.2 EVIDENCE CLASS 2 – Encrypted Archive (Codes.zip) File
These evidence artifacts were gathered from an investigation of the encrypted zip file attached to the email conversation on September 3, 2007 (23:15:57 SGT) between [email protected] and [email protected] with the subject "Wildlife".

File Metadata
  File Name: Codes.zip
  Mime Type: application/zip
  File Path: /img_DPEA-31080.001/vol_vol4/Program Files/Mozilla Thunderbird/Profiles/bevan/Inbox/Codes.zi
  Size: 2395
  Hash Value:
    MD5: 02f35b8df56fbcb723678e987c6fe9e4
    SHA-256: 8f84b6cdd499697f52a45e9e11ca2d2b0e2520ce4f4631c5b9d633359910f086
File Content:
  Item: Codes.zip
  Aggregate Score: Notable
  Type: Encryption Detected
  Comment: Full Encryption (Archive File)

We applied the Password Recovery Toolkit to recover the zip file password and retrieve the information from the encrypted Codes.zip file.

PASSWORD RECOVERY TOOLKIT (PRTK) ANALYSIS
PASSWORD CRACKING DETAILS

Job Information
  Attack Type: ZIP Dictionary Attack
  Module: ZIP Password Module
  Profile: PRTK
  Status: Completed
  Level: Difficult
  Begin Time: 24/01/22 (22:14:35)
  End Time: 25/01/22 (2:02:08)
  Decryptable: Yes
  Result: mosquito936
  Comments: DPEA-31080 Forensic Investigation

File Information
  File Name: Codes.zip
  Size: 2395
  MD5 Hash Value: 02f35b8df56fbcb723678e987c6fe9e4
  SHA-1 Hash Value: 763b144e742ef9ec96da717cf46f18de06ae014a

Report on Encrypted File Password Crack
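The "Encryption Detected / Full Encryption (Archive File)" verdict recorded above comes from the archive's own structure: every ZIP entry has a general-purpose bit flag in its local file header, and bit 0 (or bit 6 for strong encryption) marks the entry as encrypted. The following script, added here as an illustration and not taken from the report, from Autopsy or from PRTK, walks those headers and produces the same three-way verdict, and checks the file's MD5 against the value recorded at acquisition before anything else is done with it. The archive bytes are constructed stand-ins; they are not Codes.zip and carry no real password or content.

```python
# Added example (not part of the report or of any tool it names): derive an
# "Encryption Detected" verdict for a ZIP attachment from its local file
# headers, and verify the file's MD5 against a recorded value first.
import hashlib
import struct
import zlib

LOCAL_SIG = 0x04034B50            # "PK\x03\x04", start of every local file header
LOCAL_FMT = "<IHHHHHIIIHH"        # signature, version, flags, method, time, date,
                                  # crc32, compressed size, uncompressed size,
                                  # name length, extra length (30 bytes in total)
FLAG_ENCRYPTED = 0x0001           # general-purpose bit 0: traditional PKWARE encryption
FLAG_DATA_DESCRIPTOR = 0x0008     # bit 3: sizes are stored after the data, not here
FLAG_STRONG_ENCRYPTION = 0x0040   # bit 6: strong encryption (e.g. AES)


def make_local_entry(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build one STORED entry (constructed test data). For an 'encrypted' entry
    only the flag is set; the payload is opaque bytes standing in for ciphertext."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    name_b = name.encode("utf-8")
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload), len(payload), len(payload), len(name_b), 0)
    return header + name_b + payload


def scan_local_headers(blob: bytes) -> list:
    """Walk the local file headers in order and record each entry's flags."""
    entries, pos = [], 0
    while pos + 30 <= len(blob):
        fields = struct.unpack_from(LOCAL_FMT, blob, pos)
        if fields[0] != LOCAL_SIG:
            break                                   # central directory or junk reached
        _, _, flags, method, _, _, _, csize, _, nlen, elen = fields
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", errors="replace")
        entries.append({"name": name, "method": method,
                        "encrypted": bool(flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION))})
        if flags & FLAG_DATA_DESCRIPTOR:
            # The compressed size is not in the header; without the central
            # directory the data cannot be skipped reliably, so stop rather than guess.
            break
        pos += 30 + nlen + elen + csize
    return entries


def encryption_verdict(blob: bytes) -> str:
    """Same wording as the Autopsy result quoted in the report."""
    entries = scan_local_headers(blob)
    if not entries:
        return "No ZIP local file headers found"
    encrypted = sum(1 for e in entries if e["encrypted"])
    if encrypted == len(entries):
        return "Full Encryption (Archive File)"
    if encrypted:
        return "Partial Encryption (Archive File)"
    return "No Encryption"


def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


def md5_matches(blob: bytes, recorded_md5: str) -> bool:
    """Integrity check: the file being examined must hash to the value recorded
    at acquisition, otherwise the analysis is not of the same evidence."""
    return md5_hex(blob) == recorded_md5.lower()


# Constructed archives (stand-ins, not evidence from the case).
FULLY_ENCRYPTED = (make_local_entry("codes.xlsx", b"\x9a\x11\x40opaque-bytes", True)
                   + make_local_entry("notes.txt", b"\x55\xaa\x00opaque", True))
CLEAR_ARCHIVE = make_local_entry("readme.txt", b"plain text entry", False)
MIXED_ARCHIVE = CLEAR_ARCHIVE + make_local_entry("secret.bin", b"\x01\x02\x03", True)

if __name__ == "__main__":
    for label, blob in (("full", FULLY_ENCRYPTED), ("clear", CLEAR_ARCHIVE), ("mixed", MIXED_ARCHIVE)):
        print(label, md5_hex(blob), encryption_verdict(blob))
```

Two caveats that matter in practice: the walk stops at the first entry that uses a data descriptor (bit 3), because its compressed size is only known from the central directory, and an archive whose central directory has been damaged or deliberately removed can still be classified from the local headers alone, which is exactly the situation in which a carving tool hands you a fragment.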
These artifacts were gathered through an investigation of the encrypted Codes.zip file, which contained car theft racket information such as car name, model and code.

Make | Model | Code
Audi | TT | 2 crimson rosellas
BMW | 3 series | 2 pied butcherbirds
BMW | 4 series | 2 kookaburras
BMW | 5 series | 3 kookaburras
Ford | Falcon | 4 kookaburras
Holden | Astra | bearded dragon
Holden | Commodore | crimson rosella
Honda | NSX | grey butcherbird
Mazda | CX7 | kingfisher
Mazda | RX8 | king parrot
Mazda | 3 | kookaburra
Mazda | 6 | lorikeets
Mazda | MX5 | pied butcherbird
Mercedes Benz | CLK | possum
Mercedes Benz | SLK | ringtail possum
Porsche | 911 | scrub turkey
Porsche | 928 | swan
Subaru | Impreza | wallaby

Excel Contents in Codes.zip file

METADATA & VERIFICATION OF CODE IMAGES IN THE CODES.ZIP FILE
Metadata and hash values of the code pictures described by the suspects in the encrypted zip file, taken from the seized digital hard drive image for reference evidence.

No | File Details
1.  File Name: 2CrimsonRoseellas.jpg
    Date Created: 2006-07-08 15:55:58 SGT
    MD5: f8095a5328bd7285b7c3463ef599a26e
    SHA-256: 699f5b49649a887013f458a95374679e22cd2e3c6431be66b494b688688ca66b
    Device Model: Canon PowerShot A70
2.  File Name: 2PiedButcherBirds.jpg
    Date Created: 2004-05-22 10:18:19 SGT
    MD5: e900d89e9714e866455b7d59f5f50265
    SHA-256: 9e67f5b561562d20e6d45f4d9dcbdd493667466de814a941fb9cb7e895d52d37
    Device Model: Canon PowerShot A70
3.  File Name: 3Kookaburras.jpg
    Date Created: 2004-05-22 10:25:42 SGT
    MD5: 7eb56f00541e40ad4a80100f2efc3f8b
    SHA-256: 2a78124bb4ceb9fe4bee7f7414525bfe5406601063466e1aca6a66dd208e9699
    Device Model: Canon PowerShot A70
4.  File Name: 4Kookaburras.jpg
    Date Created: 2004-05-22 10:24:56 SGT
    MD5: 62db609a5b5de80d1a3a748d5d5a88da
    SHA-256: 327e57829a5bb87417b18ef95bfe39be3a4a0b79b96069b06804521c62c43451
    Device Model: Canon PowerShot A70
5.  File Name: BeardedDragon.jpg
    Date Created: 2004-01-01 08:25:11 SGT
    MD5: 5bc97d06db8de790cd0146089253e2cf
    SHA-256: 3513b6f8bac7dd7c27f9d882f82a5f6a1e366d839fb9a774e43a947d89bb11b8
    Device Model: Canon PowerShot A70
6.  File Name: CrimsonRosella.jpg
    Date Created: 2007-01-11 14:15:55 SGT
    MD5: 1493c96a52932f3dbbbd65e0f26d6ec1
    SHA-256: 1330176483579ed95d1ff073b5e6af358813830397a6983c29de4a8fd9a6c41c
    Device Model: Canon PowerShot A710 IS
7.  File Name: GreyButcherBird.jpg
    Date Created: 2007-07-01 10:38:12 SGT
    MD5: 7a5daf9762052046b641eae82987a4cc
    SHA-256: 86e9962d591ebdc32dffc9f18c8aec721b3f5d77c7b8c0fa54cd08d72a2474bf
    Device Model: Canon PowerShot A710 IS
8.  File Name: Kingfisher.jpg
    Date Created: 2007-07-01 10:11:00 SGT
    MD5: d7da00525b50f893d9ee1db1e524cc92
    SHA-256: 6429f38515d636d11f859ee11a128cff9fe27aa96dc208c39b70378d33b1fe61
    Device Model: Canon PowerShot A710 IS
9.  File Name: KingParrot.jpg
    Date Created: 2007-06-28 15:14:18 SGT
    MD5: 414a90876f9d1ff68e3d25b29358f275
    SHA-256: e10bd5591979b316b4490caf158d36d45a7ee4208a9d72ac46a9f81c88cad82b
    Device Model: Canon PowerShot A710 IS
10. File Name: Kookaburra.jpg
    Date Created: 2004-05-22 10:24:47 SGT
    MD5: 1154b24e6517ce13e1a6367683fda1f8
    SHA-256: 3f7b3a9b0e2a42aaf7989320a5f99528138671e52c2910f7dffc6a7c4ae2bc93
    Device Model: Canon PowerShot A70
11. File Name: Lorikeets.jpg
    Date Created: 2007-06-28 15:12:52 SGT
    MD5: 63afee4018c9e79c9ab60b88669b6858
    SHA-256: bdd0eabf1bdb3396c3b5f40aba7d4074a440f1fa3b88d8595a74cb1b4ef7b6f1
    Device Model: Canon PowerShot A710 IS
12. File Name: PiedButcherBird.jpg
    Date Created: 2004-05-22 10:18:38 SGT
    MD5: 38ab4dc995dc3e4ec637f2e7745335df
    SHA-256: d7a880c98f87be8dbb78ac918ccff693f4b4b40de8ac367266f3b91086728f3c
    Device Model: Canon PowerShot A70
13. File Name: Possum.jpg
    Date Created: 2005-05-28 18:20:29 SGT
    MD5: 382b38f9c9716c463dced7f03df4a4da
    SHA-256: a65b9dddf7dbdfcd4f6fc9f7061cadb995326b318885d890f89985517d947393
    Device Model: Canon PowerShot A70
14. File Name: RingtailPossum.jpg
    Date Created: 2005-05-28 18:14:57 SGT
    MD5: b02f9fa9580f9f7e772faee548f7f2c1
    SHA-256: 7afae53c3f0f772767bfcc149f7b336958e59e1df7e09c7ae900d6df42a2aa74
    Device Model: Canon PowerShot A70
15. File Name: ScrubTurkey.jpg
    Date Created: 2007-01-11 16:23:36 SGT
    MD5: 985013369b755fab8fe7e37a6a2a0c4a
    SHA-256: dc1e577cc6075a890b7c6c4e4e0481d6ff5a00e43f1e3412c70d622fd29b8e7c
    Device Model: Canon PowerShot A710 IS
16. File Name: Swan.jpg
    Date Created: 2004-03-21 10:58:52 SGT
    MD5: c9f54ecad95a63f4ada861e4984dc9e0
    SHA-256: abfeee618a74569b22fc5896a2539ff52cd20d10bd9386a3930dcb74fa073ffc
    Device Model: Canon PowerShot A70
17. File Name: Wallaby.jpg
    Date Created: 2006-07-09 17:43:50 MYT
    MD5: c62021f95f769fcd89ce7a85885b9504
    SHA-256: 8df4fe40c7e82ae69dbddcdb5336ae75e940bdcd1b84e16260d3a80500b467f5
    Device Model: Canon PowerShot A70

Metadata of the code images described by the suspects in the encrypted file (Codes.zip)
4.1.3 EVIDENCE CLASS 3 – Same hash value with duplicate image occurrence found in multiple directories
These evidence artifacts were gathered from an investigation of duplicate image files, identified by their matching hash values, found in various directories, including deleted files in the Recycled folder. The files contain steganographic content and are the attachments of the email conversation between [email protected] and [email protected] from September 3 to 11, 2007.

The same hash value for the image occurrence found in multiple directories

1. File Attachment: Possum.jpg
   File Path:
     /Program Files/Mozilla thunderbird/profiles/sent/possum.jpg
     /recycled/dl3.jpg – dl3.jpg
     /recycled/dl1.zip/possum.jpg – possum.jpg
   Hash Value: 382b38f9c9716c463dced7f03df4a4da – Matched
   Verification: Different files in the recycle folder that contain the steganographic content carry the duplicate image hash value.
2. File Attachment: Swan.jpg
   File Path:
     /Program Files/Mozilla thunderbird/profiles/sent/swan.jpg
     /pictures/copies/swan.jpg
   Hash Value: c9f54ecad95a63f4ada861e4984dc9e0 – Matched
3. File Attachment: PiedButcherBird.jpg
   File Path:
     /Program Files/Mozilla thunderbird/profiles/sent/swan.jpg
     /pictures/copies/piedbutcherbird.jpg
   Hash Value: 38ab4dc995dc3e4ec637f2e7745335df – Matched
4. File Attachment: Kingfisher.jpg
   File Path:
     /Program Files/Mozilla thunderbird/profiles/sent/kingfisher.jpg
     /pictures/copies/kingfisher.jpg
   Hash Value: d7da00525b50f893d9ee1db1e524cc92 – Matched
5. File Attachment: Lorikeets.jpg
   File Path:
     /Program Files/Mozilla thunderbird/profiles/sent/lorikeets.jpg
     /recycled/dl4.jpg – dl4.jpg
   Hash Value: 63afee4018c9e79c9ab60b88669b6858 – Matched

File Metadata
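Evidence Classes 1 and 3 rest on the same two operations: pulling each attachment out of the Thunderbird mail store and recording its headers and hashes (the per-conversation tables in 4.1.1), then hashing every file on the volume and grouping by digest so that the same image turning up under Sent, Recycled or a copies folder is found regardless of its name (the table above). The script below is an added illustration of both steps and is not the report's own procedure or Autopsy's code; it builds a small mbox and a mock volume in a temporary directory, with hypothetical sender and recipient addresses and constructed image bytes, so it runs offline without the case image.

```python
# Added example (not from the report, Autopsy or FTK): extract attachments
# from an mbox, tabulate their headers and hashes, then group every file on a
# mock evidence tree by MD5 to locate duplicates in other directories.
# Everything below is constructed; addresses are hypothetical.
import hashlib
import mailbox
import os
import tempfile
from collections import defaultdict
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Constructed stand-ins for image files (JPEG start/end markers around filler).
SAMPLE_POSSUM = b"\xff\xd8\xff\xe0" + b"constructed-possum-bytes" * 40 + b"\xff\xd9"
SAMPLE_SWAN = b"\xff\xd8\xff\xe0" + b"constructed-swan-bytes" * 40 + b"\xff\xd9"


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_sample_mbox(path: str) -> None:
    """Write a two-message mbox: one with an image attachment, one without."""
    box = mailbox.mbox(path)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Date"] = "Sun, 09 Sep 2007 21:53:45 +0800"
    msg["Subject"] = "Possum"
    msg.set_content("picture attached as promised")
    msg.add_attachment(SAMPLE_POSSUM, maintype="image", subtype="jpeg",
                       filename="Possum.jpg")
    box.add(msg)
    reply = EmailMessage()
    reply["From"] = "recipient@example.invalid"
    reply["To"] = "sender@example.invalid"
    reply["Date"] = "Tue, 11 Sep 2007 14:44:13 +0800"
    reply["Subject"] = "pick up time"
    reply.set_content("what time suits you?")
    box.add(reply)
    box.close()                      # flushes the file to disk


def extract_attachments(mbox_path: str) -> list:
    """One record per attachment, in the shape of the report's attachment tables."""
    records = []
    box = mailbox.mbox(mbox_path)
    for msg in box:                  # mailbox yields email.message.Message objects
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            data = part.get_payload(decode=True)   # undo base64 transfer encoding
            records.append({
                "from": msg["From"], "to": msg["To"],
                "date": parsedate_to_datetime(msg["Date"]).isoformat(),
                "subject": msg["Subject"],
                "filename": part.get_filename(),
                "mime_type": part.get_content_type(),
                "size": len(data),
                **hashes(data),
            })
    box.close()
    return records


def hash_tree(root: str) -> dict:
    """Map MD5 -> sorted relative paths of every regular file under root."""
    groups = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            groups[digest].append(os.path.relpath(full, root).replace(os.sep, "/"))
    return {k: sorted(v) for k, v in groups.items()}


def match_attachments(records: list, groups: dict) -> dict:
    """For each attachment, every location on the tree carrying the same MD5."""
    return {r["filename"]: groups.get(r["md5"], []) for r in records}


def run_demo() -> tuple:
    """Build the mock volume and mbox, then run both checks."""
    with tempfile.TemporaryDirectory() as work:
        tree = os.path.join(work, "vol4")
        layout = {
            "Program Files/Mozilla Thunderbird/Profiles/Sent/Possum.jpg": SAMPLE_POSSUM,
            "Recycled/dl3.jpg": SAMPLE_POSSUM,        # deleted copy, identical bytes
            "Pictures/copies/swan.jpg": SAMPLE_SWAN,  # unrelated file
        }
        for rel, data in layout.items():
            full = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        mbox_path = os.path.join(work, "Sent.mbox")   # kept outside the hashed tree
        build_sample_mbox(mbox_path)
        records = extract_attachments(mbox_path)
        return records, match_attachments(records, hash_tree(tree))


if __name__ == "__main__":
    recs, matches = run_demo()
    for r in recs:
        print(r["filename"], r["md5"], "->", matches[r["filename"]])
```

Grouping by digest rather than by name is what makes the renamed copies (dl3.jpg, dl4.jpg) in the Recycled folder show up next to the originals in Sent; a name-based search would miss them. The same grouping also surfaces a second class of finding worth checking by hand: files that share a name but not a hash, which is how a modified (for example, steganographically altered) copy of an original photograph is told apart from the original.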
4.1.4 EVIDENCE CLASS 4 – Steganography found in the image
These evidence artifacts were obtained during the investigation of the steganography files detected in the wildlife image attachments of the email conversation between [email protected] and [email protected] from September 3 to September 11, 2007.

Image with Steganography Content
We used the Steg Spy tool to detect steganography files during the investigation. Based on the test findings, we discovered that 14 files contained steganographic signals, with the position of the identified marker recorded for each.

Table: Steganography File Analysis Results
No | File Name | Format | Information | Marker | MD5 Hash Value
1 | 1075-Possum.jpg | .jpg | Found | 292423 | 382b38f9c9716c463dced7f03df4a4da
2 | 2502-Possum.jpg | .jpg | Found | 292423 | 382b38f9c9716c463dced7f03df4a4da
3 | 2844-f0001963.jpg | .jpg | Found | 1564978 | 88e78fb55b8f4c01388758b112d91b7d
4 | 2845-b0006990.jpg | .jpg | Found | 382426 | 3e82e25a8eb7dbc319459565cfcaeebc
5 | 837-Dl2.jpg | .jpg | Found | 2081391 | 425f33aac43eae670e0fb3e685913485
6 | 839-Dl3.jpg | .jpg | Found | 292423 | 382b38f9c9716c463dced7f03df4a4da
7 | 908-_ORIKE~1.JPG | .jpg | Found | 382426 | 3a78cb2805999278e023dcdf8d13cbbd
8 | 910-ScrubTurkey.jpg | .jpg | Found | 414709 | 985013369b755fab8fe7e37a6a2a0c4a
9 | 923-Kookaburra.jpg | .jpg | Found | 609232 | 1154b24e6517ce13e1a6367683fda1f8
10 | 931-Wallaby.jpg | .jpg | Found | 21764 | c62021f95f769fcd89ce7a85885b9504
11 | 935-Possum.jpg | .jpg | Found | 13091 | 471fc0abc77d07c65dd2a8addb728996
12 | 965-_MG_0087.JPG | .jpg | Found | 1564978 | 88e78fb55b8f4c01388758b112d91b7d
13 | 971-Lorikeets.jpg | .jpg | Found | 382426 | 3a78cb2805999278e023dcdf8d13cbbd
14 | Dl5.bmp | .jpg | Found | 8965747 | fb782cd544454354abe2179d4f47de64
The findings of the investigation into the presence of hidden files are reported in the table below.

Table: Files with Steganographic Content
No | File Details
1.  File Name: 1075-Possum.jpg
    MD5: 382b38f9c9716c463dced7f03df4a4da
    Steg Content: An image of a black car
    Steg Content MD5: 3dd43442b6eadf0b13afcf622a4edb72
2.  File Name: Lorikeets.jpg
    MD5: 63afee4018c9e79c9ab60b88669b6858
    Steg Content: An image of a blue car on a beach
    Steg Content MD5: 4c6df6de0dfb466c71129c3181a84f1e
3.  File Name: Kingfisher.jpg
    MD5: d7da00525b50f893d9ee1db1e524cc92
    Steg Content: An image of a black car
    Steg Content MD5: f8cafefe1eaa7551099b1ed7ead1ca73
4.  File Name: PiedButcherBird.jpg
    MD5: 38ab4dc995dc3e4ec637f2e7745335df
    Steg Content: An image of a grey car
    Steg Content MD5: 4b7311a4cacf323c68f46e05784d178c
5.  File Name: Swan.jpg
    MD5: c9f54ecad95a63f4ada861e4984dc9e0
    Steg Content: An image of a grey car
    Steg Content MD5: df702a0dde221f28b4f516c75be6499b

According to the table, Steg Seek successfully detected five files with hidden steg content in the .jpg (Joint Photographic Experts Group) file type and provided the MD5 hash value of each.
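The "Marker" column in the analysis table is a byte offset within each file at which the tool found its evidence. One structural check that yields such an offset without any tool-specific signature database is to locate the real end of the JPEG: a decoder stops at the EOI marker (FF D9), so anything stored after it is invisible to viewers yet still present in the file. The script below is an added example and is not StegSpy's method or any code from the report; it walks the JPEG marker segments, handles the two things that make a naive FF D9 search wrong (FF 00 byte stuffing and RSTn restart markers inside the entropy-coded scan), and reports the offset, length and MD5 of any trailing bytes. The sample images are constructed.

```python
# Added example (not from the report and not how StegSpy works): find the
# true EOI of a JPEG and report any bytes appended after it.
import hashlib
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, RST0..RST7
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def find_eoi_offset(data: bytes) -> int:
    """Offset of the EOI marker. Raises ValueError if the structure is malformed."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack_from(">H", data, pos + 2)[0]   # length includes itself
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data follows. Skip until an FF that is neither
            # stuffing (FF 00) nor a restart marker (FF D0..D7).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> dict:
    """Where the image really ends, and what (if anything) follows it."""
    eoi = find_eoi_offset(data)
    extra = data[eoi + 2:]
    return {"eoi_offset": eoi,
            "trailing_offset": eoi + 2,
            "trailing_length": len(extra),
            "trailing_md5": hashlib.md5(extra).hexdigest() if extra else None}


def build_sample_jpeg() -> bytes:
    """Smallest structure that exercises every branch: SOI, APP0, SOS whose
    scan contains a stuffed FF 00 and an RST0 marker, then EOI. Constructed."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


CLEAN_JPEG = build_sample_jpeg()
HIDDEN_PAYLOAD = b"constructed-hidden-payload-not-evidence"
STEGO_JPEG = CLEAN_JPEG + HIDDEN_PAYLOAD           # appended data, image unchanged

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_JPEG), ("appended", STEGO_JPEG)):
        print(label, trailing_data(img))
```

A clean file reports a trailing length of zero; the appended file reports an offset immediately after EOI and the hash of the extra bytes, which is the kind of value the "Steg Content MD5" column records. A payload embedded inside the scan data (LSB-style tools) leaves nothing after EOI, so this check complements rather than replaces a signature scanner: a zero result does not clear the file, and a non-zero result is a reason to carve and hash what follows.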
4.1.5 EVIDENCE CLASS 5 – Steganography picture Dl5.bmp, which contains crucial information regarding the crime in the DPEA-31080 image file
These evidence artifacts were discovered during the investigation of the steganography file found in the wildlife image Dl5.bmp in the /recycled/ path, with the MD5 hash value fb782cd544454354abe2179d4f47de64, created on 2007-09-05 00:37:22 SGT and modified on 2007-09-05 00:37:28 SGT.

No | File Details
1.  File Name: Dl5.bmp
    Size: 9437240
    Date Created: 2007-09-05 00:37:22 SGT
    Date Modified: 2007-09-05 00:37:28 SGT
    Date Accessed: 2007-09-10 00:00:00 SGT
    MD5: fb782cd544454354abe2179d4f47de64
    SHA-256: 77c24ae675eeee0fb619fb52d92347e89715cea4ffb86025cf634117c92f05c7
    Path: /img_DPEA-31080.001/vol_vol8/Recycled/Dl5.bmp

From the Sleuth Kit Tool Verification
Data Artifacts and Analysis Results of Dl5.bmp
No. | Type | Value
1. | Account Type | CREDIT_CARD
2. | Card Number | 4548929629627848
3. | Set Name | Credit Card Numbers
Data Artifacts Analysis Result

IP Configuration
Internet Protocol address: 59.27.16.16

Dl5.bmp contains crucial information regarding the crime in the DPEA-31080 image file.
5. FINDINGS OF THE EVIDENCE CLASSES
***********************************************************************************
i. EVIDENCE CLASS 1 – Communication in the email conversation
The email conversations cover the Ozzie, Foxy, Bevan and Roja email domains, the relevant email addresses, the devices they communicate with, and the attachment files in each domain. They show evidence of suspicious activity: secret messages hidden inside the wildlife pictures using steganography, and encrypted files. The suspect was found to be part of a car theft racket that used an electronic communication system and a computer to penetrate modern luxury cars.
***********************************************************************************
ii. EVIDENCE CLASS 2 – Encrypted zip file in the email conversation
The encrypted file Codes.zip, attached to an email conversation on September 3, 2007 (23:15:57 SGT) between [email protected] and [email protected] with the subject "Wildlife", contains car theft racket information such as car name, model and code. It will be important evidence in the car theft case, since the suspects used the wildlife images to discuss specific vehicle details secretly during the crime.
***********************************************************************************
iii. EVIDENCE CLASS 3 – The same hash value for the image occurrence found in multiple directories
Images with the same hash value were found in multiple directories, including deleted files in the Recycled folder. They are the attachments with steganographic content from the email conversation between [email protected] and [email protected] from September 3 to 11, 2007. The matching hash values are crucial evidence in the car theft racket case, because the files conceal secret images of cars inside the wildlife images.
***********************************************************************************