Comments on Computer Forensics, Malware Analysis & Digital Investigations: Forensic Practical Exercise #3

I just downloaded. Ill see if it works for me! i&...

2011-10-11T19:57:49.750-07:00

I just downloaded. Ill see if it works for me! i'm excited to try it out!

hi in have a macbook pro and in tried using spada ...

2011-07-12T08:29:00.759-07:00

hi in have a macbook pro and in tried using spada for image but it gave an error 16, someone assist

oh nice article i like it , i am a teacher of engl...

2011-01-18T05:55:52.776-08:00

oh nice article i like it , i am a teacher of english as a second language and i do feel the content of your article so much.

2010-11-30T02:12:25.545-08:00

This comment has been removed by a blog administrator.

I will provide an exact explanation of what was do...

2010-11-07T01:37:54.901-08:00

I will provide an exact explanation of what was done to the device and file to those who submit answers so you can compare it with what you see.

2010-01-29T11:57:08.093-08:00

This comment has been removed by a blog administrator.

cdtdelta, The accountant had the flash drive for...

2010-01-07T17:41:12.537-08:00

cdtdelta,

The accountant had the flash drive for several minutes, and although I didn't watch everything he did, he stated he could not read the drive and tried several things. I am not sure what he clicked but when he returned it to me he explained that he tried several times and could not read anything from the drive.

Okay so there's that jpeg header.....er

2010-01-07T15:59:48.701-08:00

Okay so there's that jpeg header.....er

Mr President, When the accountant received the mes...

2010-01-07T14:50:58.704-08:00

Mr President,
When the accountant received the message on his/her computer, did s/he recall clicking any buttons on the screen? Or did s/he just remove the USB device and return it to you?

Thank you.

One note: if you don't have enCase, you can co...

2010-01-07T09:23:53.210-08:00

One note: if you don't have enCase, you can convert the image into a RAW image using the Sleuth Kit:

img_cat -v -i ewf Forensic_Practical_3.E01 > dd.raw

Just know that the resulting file will be ~4G, since it is the image of a 4G stick.

Regards.

In response to the questions directly above: No, ...

2010-01-07T00:27:57.733-08:00

In response to the questions directly above:

No, there was no password set or any type of encryption used.

I use a laptop and a desktop, both of which use Windows XP SP3

The thumbdrive is fairly generic that I bought at bestbuy. It says "Transcend JF v30 / 4GB" on the outside. IT is primarily black with a green edge where the cap goes on.

Mr President, When you plugged this USB into your...

2010-01-06T14:38:21.307-08:00

Mr President,

When you plugged this USB into your computer, in order to access the file, did you first have to enter any password ?

From what type of computer did you use to access this thumbdrive ? (Windows Vista, Windows 7, Windows XP ?)

Do you recall the name of the manufacturer of the Thumbdrive ? The name is typically emblazoned on the thumbdrive itself...for example "SanDisk"?

Well, I don't want to give away anything but I...

2010-01-06T06:51:57.220-08:00

Well, I don't want to give away anything but I just wanted to say thank you for posting this eventhough it is doing my head in! I've found some bits but am certainly no where near solving it.

Thanks again - I'm looking forward to reading the answer!

I received an email asking similar follow-up quest...

2010-01-05T01:21:28.769-08:00

I received an email asking similar follow-up questions, which I have posted below, along with my answers.

> How many partitions were on USB drive before it became unreadable?

What do you mean by partitions? I dont know what that is ;) I would just plug it in and it would show up in "My Computer"

> What type of file used to be on the USB drive before it was inaccessible?
> (picture, document, etc)

It was a picture file

> When the accountant placed the USB drive in the Mac system did he get any
> message on the screen such as “initialize, ignore or eject”? Does the
> president know if the accountant pressed the initialize button?

He did have problems with it and does remember a message popping up with an error, but cannot remember what it said, but it did have a red symbol on it.

hmm good questions.. No back up, that's why I...

2010-01-04T11:29:07.414-08:00

hmm good questions..

No back up, that's why I am willing to pay you an absorbent amount of money to recover it ;)

The name of the file was hd.jpg

No other data other than a picture and the account number. No reference to a client name (it's my offshore account in Belize).

Yes he did state there was some type of error screen, but he could not access the drive and does not remember what it said, although he said it has some type of red warning symbol.

El Presidente Does the file reside on your primary...

2010-01-04T11:14:39.619-08:00

El Presidente
Does the file reside on your primary computer or another device that may have been backed up?

Didn't think so...

What type of file contained the data?
What was the name of the file? If you're not sure exactly, provide a guess as to what it may have been.
What other data was in the file? Did the account number reference a specific customer/entities name, etc.?
Does the accountant recall receiving any errors or onscreen messages when plugging in the device?