adapaster.blogg.se

Accessdata ftk imager 3.2-0.exe

1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

The file Jimmy Jungle.doc has been recovered from the disk image. It is a letter from 'Joe' to:

From the letter it appears that Joe's supplier is "Jimmy Jungle".

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

Cover page.jpg had additional data after the End of Image marker (FF D9). That trailing data contains the string "pw=goodtimes", which appears to be a password, as shown on Figure 1. It is crucial because it is the password that opens the zip archive found on the disk (see step K of question 5).

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

From the Scheduled Visits.xls file that has been recovered (it was inside Scheduled Visits.exe, a password-protected zip file; pw=goodtimes), these are the names of the high schools besides Smith Hill High School:

4. For each file, what processes were taken by the suspect to mask them from others?

Three files were recovered from the disk image. Each one was hidden or masked using a different method.
A) Schedule.exe: a zip file was renamed as an executable (.exe), and its file length in the root directory was changed from 2420 to 1000 bytes, so the file system reports less than half of the archive.
B) Cover page.jpg: the file name was edited, and the file was masked through misdirection: the file pointer in the FAT led to a blank area on the disk while the JPEG data itself sat elsewhere.
C) Jimmy Jungle.doc: the file was deleted. The data space that the file took up was simply marked as available, but the data was still there.
D) Scheduled Visits.xls: the file was hidden inside the password-protected zip file.

5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

A) Downloaded the IMAGE.ZIP file (from Mr. …) and verified the MD5 hash of image.zip with WinMD5. The result is a match.
B) Mounted image.zip with AccessData FTK Imager 3.1.2.0 as Drive L.
C) Mounted the image on Drive L with AccessData FTK Imager 3.1.2.0 as Drive M, as shown on Figure 4.
D) Analyzed the disk with FTK, as shown on Figure 5.
E) Analyzed the disk with WinHex, as shown on Figure 6.
Figure 7. Analyzing Evidence 1 with WinHex
There are three files contained on the disk:
F) Jimmy Jungle.doc: the file was deleted. The first character of the file name in its directory entry was changed to E5h, which is how DOS marks a deleted entry. The data space that the file took up was simply marked as available, but the data was still there.
Figure 8. Analyzing the Jimmy Jungle directory entry with WinHex
G) Recovered the Jimmy Jungle.doc file using the R-UNDELETE tool. Jimmy Jungle.doc was successfully recovered.
Figure 9. Jimmy Jungle.doc recovered using R-UNDELETE
H) JPEG files start with a header of: FF D8 FF E0 00 10 4A 46 49 46 00 (the SOI marker FF D8 followed by a JFIF APP0 segment; a JPEG written with an Exif APP1 segment instead begins FF D8 FF E1, so a search for the full 11-byte sequence would miss it).
I) To recover Cover Page.jpg, searched the image for that header and found it at offset 9200h. Apparently the suspect had used some program to put the file in a different place than where the FAT said it should be. JPEG files end with an End of Image (EOI) marker of FF D9, which is found at offset CEDFh. All the data between the header and the EOI marker (9200h-CEDFh) was copied into a new file (Cover Page.jpg).
J) According to the FAT, Schedu~1.exe occupied offsets D000h-D3E7h (the 1000 bytes the directory entry claims). At first the sectors from D000h-D96Fh were copied to a new file, but the resulting Scheduled.exe was corrupt. After some searching on the web for documentation on the Zip file format, a reference for decoding the header information in a Zip file was found. The end of the zip file is four bytes of 00h: an archive closes with a 22-byte End of Central Directory record, and for a small archive with no comment its last four bytes (the upper half of the central-directory offset and the two-byte comment length) are all zero, which is exactly what the first copy, four bytes short, was missing. Next, all the data from D000h-D973h (2420 bytes) was copied to a new file as scheduled.exe.
Figure 10.
K) Opened the scheduled.exe file with WinZip using the password found in the slack space of the Cover Page.jpg file, and found a file named Scheduled Visits.xls.

What Microsoft program was used to create the Cover Page file?

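Step F (the E5h deletion mark) and the size mismatch behind step J both come down to reading 32-byte FAT directory entries. The Python below is an added example, not code from the write-up: it decodes entries from a constructed root directory modelled on the page's findings and turns each entry's first cluster and size into the byte range the FAT claims for the file, which is how D000h-D3E7h follows from a size field of 1000. The standard 1.44 MB floppy geometry, the cluster number 73, and the deleted .doc's cluster and size are assumptions (the page does not quote the image's BIOS Parameter Block); all function names are mine.

```python
import struct

# Geometry of a standard 1.44 MB FAT12 floppy, assumed here because the page
# does not quote the image's BIOS Parameter Block: 512-byte sectors, 1
# reserved sector, two 9-sector FATs, 224 root entries, 1 sector per cluster.
BYTES_PER_SECTOR = 512
RESERVED_SECTORS = 1
FAT_COUNT = 2
SECTORS_PER_FAT = 9
ROOT_ENTRIES = 224
SECTORS_PER_CLUSTER = 1

ROOT_DIR_OFFSET = (RESERVED_SECTORS + FAT_COUNT * SECTORS_PER_FAT) * BYTES_PER_SECTOR  # 2600h
DATA_OFFSET = ROOT_DIR_OFFSET + ROOT_ENTRIES * 32                                     # 4200h
DELETED_MARK = 0xE5


def cluster_to_offset(cluster):
    """Byte offset of a data cluster; FAT numbers data clusters from 2."""
    return DATA_OFFSET + (cluster - 2) * SECTORS_PER_CLUSTER * BYTES_PER_SECTOR


def parse_dir_entry(raw):
    """Decode one 32-byte FAT directory entry into a dict.

    Layout used: 0-7 name, 8-10 extension, 11 attributes, 26-27 first cluster
    (low word), 28-31 file size. Date and time fields are skipped.
    """
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    deleted = raw[0] == DELETED_MARK
    # E5h overwrites the first character of the name, so it cannot be recovered
    # from the entry alone; show it as '?' the way recovery tools do.
    name = (b"?" + raw[1:8]) if deleted else raw[0:8]
    base = name.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    first_cluster, size = struct.unpack_from("<HI", raw, 26)
    start = cluster_to_offset(first_cluster)
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attributes": raw[11],
        "first_cluster": first_cluster,
        "size": size,
        # What the directory entry says the file spans; the suspect edited
        # this field, so it is untrusted and must be checked against content.
        "claimed_range": (start, start + size - 1),
    }


def parse_root_dir(raw):
    """Walk a root directory; an entry whose first byte is 00h ends the table."""
    entries = []
    for off in range(0, len(raw), 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:
            break
        entries.append(parse_dir_entry(entry))
    return entries


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed 32-byte entry for the sample directory below."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20  # archive attribute
    struct.pack_into("<HI", raw, 26, first_cluster, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


# Constructed root directory (not the challenge floppy's): the renamed zip
# whose size field reads 1000 although the archive is 2420 bytes, placed at
# cluster 73 (offset D000h under the geometry above), plus the deleted .doc.
# The .doc's cluster and size are placeholders, not values from the page.
SAMPLE_ROOT_DIR = (
    make_entry("SCHEDU~1", "EXE", 73, 1000)
    + make_entry("JIMMYJ~1", "DOC", 40, 20480, deleted=True)
    + bytes(32)
)


if __name__ == "__main__":
    for e in parse_root_dir(SAMPLE_ROOT_DIR):
        lo, hi = e["claimed_range"]
        flag = "DELETED " if e["deleted"] else ""
        print(f"{flag}{e['name']:14} cluster {e['first_cluster']:3} size {e['size']:6} -> {lo:05X}h-{hi:05X}h")
```

Run against a real image, feed `parse_root_dir` the 7168 bytes at `ROOT_DIR_OFFSET` after confirming the geometry from the boot sector; a `claimed_range` that ends before the content's own end marker (the EOCD record for a zip, FF D9 for a JPEG) is the tell that the size field was tampered with.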


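Steps H through K rely on file signatures rather than on the file system. The Python below is an added example (not the page's own procedure, which was done by hand in WinHex), run against a constructed image laid out the way the page describes: a small JPEG at 9200h with "pw=goodtimes" written after its EOI marker, and a ZIP at D000h. It carves the JPEG by the JFIF header and the first FF D9, reads the slack behind it, and sizes the ZIP from its End of Central Directory record instead of a directory-entry length, which is the check that catches a copy cut four bytes short as in step J. The JPEG and ZIP contents are placeholders, not the challenge's files, and all function names are mine.

```python
import io
import zipfile

# Signatures the write-up keys on: the JFIF-style JPEG header, the JPEG
# End-of-Image marker, the ZIP local-file header and the End of Central
# Directory (EOCD) record that closes every ZIP archive.
JFIF_HEADER = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
EOI = b"\xFF\xD9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
SECTOR = 512


def carve_jpeg(image, start_at=0):
    """Return (first, last) byte offsets of the first JFIF JPEG at or after start_at, else None.

    The end is the first FF D9 after the header, which is what the write-up did.
    """
    first = image.find(JFIF_HEADER, start_at)
    if first < 0:
        return None
    eoi = image.find(EOI, first + len(JFIF_HEADER))
    if eoi < 0:
        return None
    return first, eoi + 1


def slack_after(image, last):
    """Bytes between a carved file's last byte and the end of its sector, trailing NULs removed."""
    sector_end = ((last + 1 + SECTOR - 1) // SECTOR) * SECTOR
    return image[last + 1:sector_end].rstrip(b"\x00")


def carve_zip(image, start_at=0):
    """Return (first, last) of the first ZIP archive at or after start_at.

    The true length comes from the EOCD record (22 bytes plus the archive
    comment), never from a directory-entry size field. Returns None when the
    data ends before the EOCD record is complete, i.e. the copy is truncated.
    """
    first = image.find(ZIP_LOCAL_HEADER, start_at)
    if first < 0:
        return None
    eocd = image.find(ZIP_EOCD, first)
    if eocd < 0 or eocd + 22 > len(image):
        return None
    comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
    last = eocd + 22 + comment_len - 1
    if last >= len(image):
        return None
    return first, last


def build_sample_image():
    """Constructed 56 KiB image (not the challenge floppy) laid out like the page
    describes: a small JPEG at 9200h followed by 'pw=goodtimes', a ZIP at D000h."""
    img = bytearray(0xE000)
    # Minimal JFIF: APP0 body, a token scan segment containing no FF bytes, then EOI.
    jpeg = (JFIF_HEADER + b"\x01\x01\x00\x00\x48\x00\x48\x00\x00"
            + b"\xFF\xDA\x00\x08" + bytes(range(64)) + EOI)
    img[0x9200:0x9200 + len(jpeg)] = jpeg
    note = b"pw=goodtimes"
    img[0x9200 + len(jpeg):0x9200 + len(jpeg) + len(note)] = note
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scheduled Visits.xls", b"Smith Hill High School\n(constructed placeholder rows)\n")
    zbytes = buf.getvalue()
    img[0xD000:0xD000 + len(zbytes)] = zbytes
    return bytes(img), len(zbytes)


def analyse(image):
    """Carve the JPEG, read its slack, then carve and open the ZIP that follows it."""
    jpeg = carve_jpeg(image)
    if jpeg is None:
        raise ValueError("no JFIF JPEG found")
    jfirst, jlast = jpeg
    archive_span = carve_zip(image, jlast)
    if archive_span is None:
        raise ValueError("no complete ZIP archive found after the JPEG")
    zfirst, zlast = archive_span
    archive = zipfile.ZipFile(io.BytesIO(image[zfirst:zlast + 1]))
    return {
        "jpeg": (jfirst, jlast),
        "slack": slack_after(image, jlast),
        "zip": (zfirst, zlast),
        "zip_size": zlast - zfirst + 1,
        "zip_names": archive.namelist(),
    }


if __name__ == "__main__":
    image, _ = build_sample_image()
    for key, value in analyse(image).items():
        print(key, value)
```

Two caveats for real evidence: taking the first FF D9 is right for a plain JFIF file but stops early on a JPEG that carries an Exif thumbnail, which has its own EOI inside the APP1 segment; and a ZipCrypto-protected archive such as the one in step K is read the same way, with `zipfile.ZipFile(...).open(name, pwd=b"goodtimes")`, the constructed archive here being unencrypted only because the standard library cannot write encrypted ZIPs.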






