Security

Scenario: Investigation- Inappropriate Files

Background

In this scenario, we are presented with a case involving a suspect possibly involved in child pornography; this individual, Zane Wilkens, teaches history at Fuller Middle School in West Des Moines, IA. Mr. Wilkens, who also coaches girls’ soccer, is believed to be taking images and facilitating inappropriate behavior with his students. With written consent from his school district, we have been granted access to perform an on-site preview to determine the authenticity of the claims against Mr. Wilkens.

This investigation will involve other individuals from Fuller Middle School, including the single IT member for the district, Allen Jones, as well as the school’s principal, Samuel Brady. As this is an on-site preview, data/evidence collection will be performed at the scene, allowing us only to obtain information on-premises. As with all criminal investigations, the suspect is innocent until proven guilty; due to this, we must respect the privacy of Mr. Wilkens and all those involved.

Hardware Found at the Scene

Upon our first examination of Mr. Wilkens’s classroom, we found an IBM Lenovo 8808 Pentium D 3.4GHz 80GB Windows XP desktop computer with 1GB of RAM, 4 USB ports, and a 10/100Mb network card. We also located a Canon PowerShot A1300 16MP digital camera with a 16GB SDHC card and an 8GB SanDisk Pro Duo USB memory stick.

Software/Programs Found at the Scene

While performing our initial examination of the hardware in Mr. Wilkens’s classroom, we found evidence of Windows XP usage, TrueCrypt installed and used on his PC, access to a school email account, access to a Hotmail account, Internet Explorer 7 browser usage, Facebook usage, Craigslist usage, and Dropbox usage. We also found several Post-It notes attached to Mr. Wilkens’s monitors containing the following information: “Cindy: 555-2367”, “Joann 555-8265”, “HM: Porsche06”, “CL: Ferrari08”, “FB: Camaro04”, and “TC: Mustang02”. Our initial conclusion is that the Post-It notes hold student names/ID numbers and password reminders. For the passwords, we suspect that HM = Hotmail, CL = Craigslist, FB = Facebook, and TC = TrueCrypt; this is merely an estimate at this point, as we have not verified that these are, in fact, passwords.

The Investigation

Now that the initial examination of the hardware and software in Mr. Wilkens’s classroom has been completed, we will begin the digital forensic investigation. As this is an on-site preview, we will not be permitted to take any hardware from the premises and will instead perform live forensic analysis to either find incriminating evidence against Mr. Wilkens or prove his innocence.

I would begin by interviewing both Allen Jones (IT) and Samuel Brady (principal) to determine whether Mr. Wilkens had access to any additional hardware, devices, programs, or school activities, to gather what they know about the complaints against Mr. Wilkens and the timeframe in which the alleged conduct occurred, and to establish the deadline I have to complete the investigation (when will Mr. Wilkens return to his office, is he on leave, etc.?).

PC

I will now turn my attention to Mr. Wilkens’s IBM Lenovo 8808 Pentium D computer. Since this investigation is an on-site preview, I will use a forensic laptop, a hardware/software write-blocking tool, and FTK Imager to examine the contents of Mr. Wilkens’s PC. In the process of searching the PC, I will perform a quick analysis using keyword searches (with keywords relevant to this case, determined by my pre-investigation interviews with Allen Jones (IT) and Samuel Brady (principal), as well as the names/numbers from the Post-It notes attached to Mr. Wilkens’s monitor: “Cindy: 555-2367” and “Joann 555-8265”). I will also use Belkasoft Live RAM Capturer and WinHex to perform a live RAM capture. We would make a copy of the data if we found any incriminating evidence. As stated in the case details, only 60GB of storage (out of 80GB) is visible; during the investigation, it was determined that TrueCrypt enabled Mr. Wilkens to hide a drive/partition. Thanks to the Post-It notes attached to Mr. Wilkens’s monitor, the TrueCrypt password was determined to be Mustang02. With the password, we were able to locate the hidden drive/partition and view its contents, and we would make a copy of that data as well if it contained incriminating evidence.
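As an added example (not part of the original write-up), the following Python sketch shows the kind of read-only keyword sweep an on-site preview performs over a mounted evidence tree, recording a SHA-256 for every hit so that any later copy can be verified against the original. The directory layout and file contents are constructed sample data; the keywords are the names and numbers from the Post-It notes above.

```python
# Added example (not from the original write-up): a read-only keyword sweep of
# the kind an on-site preview performs, with a SHA-256 recorded for every hit
# so a later copy of that file can be verified against the original.
import hashlib
import os
import re
import shutil
import tempfile

# Keywords drawn from the scenario's Post-It notes (names and phone numbers).
KEYWORDS = ["Cindy", "555-2367", "Joann", "555-8265"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preview_search(root, keywords=KEYWORDS):
    """Walk root without modifying it; return {relative path: (sha256, matches)}."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                text = f.read().decode("utf-8", errors="ignore")  # lenient: flagging only
            found = sorted({m.group(0) for m in pattern.finditer(text)}, key=str.lower)
            if found:
                hits[os.path.relpath(full, root)] = (sha256_of(full), found)
    return hits

def copy_evidence(src):
    """Copy one flagged file into a fresh export directory; return (copy path, hashes match)."""
    dst = os.path.join(tempfile.mkdtemp(prefix="export_"), os.path.basename(src))
    shutil.copy2(src, dst)
    return dst, sha256_of(src) == sha256_of(dst)

def make_sample_case():
    """Build a small constructed evidence tree (sample text, not real case files)."""
    root = tempfile.mkdtemp(prefix="preview_")
    os.makedirs(os.path.join(root, "Documents"))
    samples = {
        "Documents/roster.txt": "Soccer roster: Joann 555-8265, Cindy 555-2367\n",
        "Documents/lesson.txt": "Chapter 7 quiz covers the Civil War\n",
        "notes.txt": "call cindy about Thursday practice\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    return root
```

On a real preview the root would be the write-blocked volume, and the hash table written out alongside the hit list forms the start of the chain-of-custody record.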

As Mr. Wilkens uses several email services, social media platforms, Internet Explorer 7, Dropbox, and Craigslist, the investigation will have to extend to all possible websites, programs, and services that Mr. Wilkens uses on his classroom computer. For Mr. Wilkens’s Hotmail account, we will perform searches for keywords relevant to the case and make a copy of all Hotmail data. If any incriminating evidence is found, we would then extract data from the Hotmail email headers by selecting the Options tab on the top navigation bar, selecting the Mail Display Settings link, and then changing the Message Headers option to Full. Next, we would click OK, then copy and paste the header information and examine it in WinHex to determine whether the incriminating emails were indeed sent by Mr. Wilkens, when he sent them, and whom he sent them to, and also make a record of all incriminating emails and their contents. We would follow the same steps for Mr. Wilkens’s school email, but, as we do not know which provider the school uses for email, I would have to determine that at the scene and follow that provider’s specific steps for searching keywords, copying incriminating emails (if found), and examining header information.
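To show what the header examination above actually recovers, here is an added Python example (not part of the original write-up) that parses a full message header of the kind the Hotmail “Full” option exposes, rebuilds the relay chain from its Received lines, and checks whether the timestamps are consistent. The header, hostnames, and addresses in SAMPLE_HEADER are constructed for illustration.

```python
# Added example (not from the original write-up): parse a full e-mail header, as
# exposed by the Hotmail "Full" message-header option, and rebuild the relay
# chain from its Received lines. SAMPLE_HEADER is constructed, not a real message.
import email
import re
from datetime import timezone
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

SAMPLE_HEADER = """\
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
 by mx.school-district.example (Postfix) with ESMTPS id ABC123;
 Tue, 05 Mar 2019 14:32:10 -0600
Received: from CLASSROOM-PC (unknown [192.0.2.25])
 by mail-relay.example.net with ESMTPA id XYZ789;
 Tue, 05 Mar 2019 14:31:58 -0600
From: "Classroom Account" <classroom-account@example.com>
To: recipient-one@example.org, recipient-two@example.org
Date: Tue, 05 Mar 2019 14:31:40 -0600
Subject: Practice schedule
Message-ID: <constructed-0001@example.com>

"""

# sending host, receiving host, and the timestamp after the trailing ';'
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?;\s*(.+)$", re.S)

def relay_chain(raw):
    """Hops oldest-first as (sending host, receiving host, aware datetime)."""
    hops = []
    for line in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if m:  # a Received line the regex cannot parse is skipped, not guessed
            hops.append((m.group(1), m.group(2), parsedate_to_datetime(m.group(3).strip())))
    return hops[::-1]  # each relay prepends its line, so the last line is the first hop

def summarize(raw):
    """Who sent it, to whom, from which host, and whether the timestamps line up."""
    msg = email.message_from_string(raw)
    hops = relay_chain(raw)
    sent = parsedate_to_datetime(msg["Date"])
    in_order = all(a[2] <= b[2] for a, b in zip(hops, hops[1:]))
    return {
        "sender": parseaddr(msg["From"])[1],
        "recipients": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "origin_host": hops[0][0] if hops else None,
        "first_hop_utc": hops[0][2].astimezone(timezone.utc).isoformat() if hops else None,
        # A Date later than the first relay stamp, or hops running backwards, means the
        # header cannot be taken at face value and needs corroboration from the relay logs.
        "timestamps_consistent": in_order and (not hops or sent <= hops[0][2]),
    }
```

Only the Received lines added by servers you trust are reliable; the originating host name and the Date header are supplied by the sending client and should be corroborated against the relay's own logs.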

For Facebook, Craigslist, Dropbox, and Internet Explorer 7, I will have to enter each account and collect and analyze as much data as possible within the timeframe I am allotted; this could be done more easily by searching for keywords relevant to the case and, if any incriminating evidence is found, downloading Mr. Wilkens’s data from the service, program, or website. I would also have to look for other social media sites, email accounts, and web services that Mr. Wilkens might use. As child pornography cases generally involve sending illicit images to others on the dark web and social media sites, if incriminating evidence were found, all of Mr. Wilkens’s contacts would have to undergo significant examination as well, at least as far as Mr. Wilkens’s own devices and accounts allow.

For the Canon PowerShot A1300 16MP digital camera with a 16GB SDHC card (10GB used), I would connect the camera to my laptop using the appropriate cable and examine the 10GB of used storage. If incriminating evidence is found, I would copy the data to a different SDHC card or onto my laptop’s storage (in a secure location). I would also check whether the camera itself has any on-board storage; if so, I would examine that as well. I would perform the same steps for the 8GB SanDisk Pro Duo, viewing its 6GB of used storage on my laptop and copying any incriminating evidence.

In my investigation, the evidence I would be looking for is illicit images of Mr. Wilkens’s students, inappropriate messages, or any trace of material that supports the case against Mr. Wilkens. If any incriminating evidence is found, I would immediately report to Allen Jones (IT) and Samuel Brady (principal) to inform them that this is now an investigation requiring both the police and enhanced investigative measures, including seizing all of Mr. Wilkens’s hardware and devices and bringing them to a secure location to thoroughly examine all activities and data. In a child pornography case, I would have to be careful with my storage of the incriminating evidence, as possessing it in any manner can be a criminal offense; because of this, cooperation with local police will have to be maintained throughout. Furthermore, if incriminating evidence were found, Mr. Wilkens’s home residence would have to be examined as well, provided a search warrant was obtained first.

If the investigation showed no incriminating evidence, I would report back to Allen Jones (IT) and Samuel Brady (principal) and let them know that I collected no evidence proving the accusations against Mr. Wilkens; however, I would ask them whether they wanted me to go deeper into the investigation, seizing all of Mr. Wilkens’s hardware and devices and bringing them to a secure location to thoroughly examine all activities and data.

