SEC 350 – Forensic Image Scenario

Forensic Examiner,

You are a forensic analyst subcontracted with the Delaware Department of Homeland Security.  Officer Kyle of the Kent County Police Department found a laptop from a suspicious person during a vehicle stop.  The suspect led Officer Kyle on a pursuit and momentarily evaded law enforcement personnel; Kent County Police officers located the suspect approximately 45 minutes later in a wooded area near the Senator William V. Roth, Jr. Bridge.  The laptop was never recovered, but an 8GB USB thumb drive was found in the suspect’s socks.  Officer Kyle was assigned to examine the thumb drive in relation to possible terrorist activity.  Officer Kyle executed a search warrant on Colette Winkle’s thumb drive.  Officer Kyle created a forensic image of the thumb drive.

Officer Kyle confirmed the MD5 hash value of the image to be the following:

564495b19a1f0bef5984cb604e73614d

Due to personal matters, Officer Kyle is no longer able to perform a forensic exam on the suspect’s thumb drive.  The case has been turned over to you.

It is your duty to prove/disprove the claim that Colette Winkle’s thumb drive possesses any terrorist material along with standard forensic practice such as identifying viruses, file ownership, etc.

Officer Kyle interviewed Colette Winkle at the scene and requested her login credentials.  Colette Winkle informed Officer Kyle that she wants an attorney.


I checked the md5 hash of the image and it is

7F71470996747330E1BF248BE4752454

not

564495b19a1f0bef5984cb604e73614d

as listed above

Professor mentioned it could be due to the program that made the image


To find that md5 hash:

In linux I ran the command

feoleb@Quark:~/Downloads$ md5sum USB_Image.E01

7f71470996747330e1bf248be4752454  USB_Image.E01
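The mismatch above is the difference between hashing the container file and hashing the acquired device data. This added example (not part of the report or the course material) models that with a hypothetical, simplified evidence container that is NOT the real E01/EWF layout: it stores the acquisition MD5 in a header and the device bytes compressed behind it, so hashing the file gives one digest while hashing the data inside gives the acquisition digest; it also compares digests case-insensitively, since tools print them in different cases.

```python
import hashlib
import struct
import zlib

# Constructed stand-in for the raw contents of the imaged thumb drive (not real data).
RAW_DEVICE_IMAGE = b"FAT32 boot sector, directory entries, file data ..." * 200


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hashes_match(reported: str, computed: str) -> bool:
    """Compare two hex digests case-insensitively (md5sum prints lowercase,
    some Windows tools print uppercase; the value is the same)."""
    return reported.strip().lower() == computed.strip().lower()


def wrap_in_container(raw: bytes) -> bytes:
    """Hypothetical container: 'DEMO' magic, payload length, acquisition MD5 of the
    raw device data, then zlib-compressed device data. Only models the property
    that the container bytes differ from the device bytes they describe."""
    payload = zlib.compress(raw)
    header = b"DEMO" + struct.pack(">I", len(payload)) + md5_hex(raw).encode()
    return header + payload


def unwrap_container(container: bytes) -> tuple:
    """Return (MD5 stored at acquisition time, reconstructed raw device image)."""
    if container[:4] != b"DEMO":
        raise ValueError("not a DEMO container")
    (length,) = struct.unpack(">I", container[4:8])
    stored_md5 = container[8:40].decode()
    return stored_md5, zlib.decompress(container[40:40 + length])


def verify_acquisition(container: bytes, reported_md5: str) -> dict:
    """Hash the container file itself (what `md5sum image.E01` reports) and the
    device data inside it (what the acquisition hash in the report describes)."""
    container_md5 = md5_hex(container)
    stored_md5, raw = unwrap_container(container)
    data_md5 = md5_hex(raw)
    return {
        "container_md5": container_md5,
        "data_md5": data_md5,
        "container_matches_reported": hashes_match(reported_md5, container_md5),
        "data_matches_reported": hashes_match(reported_md5, data_md5),
        "data_matches_stored": hashes_match(stored_md5, data_md5),
    }


if __name__ == "__main__":
    evidence_file = wrap_in_container(RAW_DEVICE_IMAGE)
    print(verify_acquisition(evidence_file, md5_hex(RAW_DEVICE_IMAGE).upper()))
```

For a real E01 the same check is done by verifying the image with a tool that reads the EWF format (so the hash stored at acquisition is compared against the decompressed device data), not by running md5sum on the .E01 file.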


I then ran EaseUS and discovered the deleted ‘plans’ document, as well as ‘BridgePlan.odt’ in the recycle bin.

I was able to break the password with a dictionary attack on the .odt file after a paid version of .odt password-breaking software told me the password started with TRI (it wouldn’t tell me the whole thing). I used a mask attack to see what the next letter was and how many letters the word was in total: TRI%C%C%C%C%C indicated 8 letters, and then I guessed TRIA%C%C%C%C, which narrowed it down, and then I guessed TRIANINE.

I checked email and couldn’t find anything in the Thunderbird .default profile.

The bridge plans clearly indicate that there is a plan, and there are pictures of the bridge. I also found an internet shortcut for explosives on Tannerite.com.

I found a credit card statement, though I don’t know if that’s indicative of anything, and I imagine with a warrant her account purchases could be checked anyway without this evidence. It looks like the balance has been about what it is now for at least the past five months (adding up the interest charges), so major purchases on this card would have been before that.

I found a picture of Fox News about Al Qaeda, and I don’t know if that means anything.


Conclusion: I don’t know enough about evidence and litigation to evaluate the evidence, but I was at least able to find suspicious material that can be evaluated by an expert or brought up in court.