Forensic Image – DB Cooper Lab Assignment
The questions below will build on all of the exercises and labs that we have done in class to date. All of the tools/resources you need should be available on D2L from previous assignments.
Background
In 1971, D. B. Cooper became infamous by hijacking a Boeing 727 aircraft and extorting
$200,000 in ransom. Cooper escaped by strapping his ransom to his chest and parachuting from the exit ramp of the Boeing 727 at 8:13 PM… all while traveling at over 200 mph at altitudes of almost 10,000 ft and temperatures of seven below zero. D.B. Cooper’s body, parachute, and money were never found.
Based on an anonymous tip, on November 10th, 2014 at 4:25 pm Central Time, authorities execute a search warrant at a classified location at a classified location that was reported to be a safe house used by DB Cooper.
At the scene, a team of forensic analysts created a forensic image of a Dell Latitude D610 (Serial Number: X123Y456). This laptop computer is believed to been used by D. B. Cooper.
The authorities have provided you with a copy of this forensic image in the hopes that you can recover any information as to where DB Cooper has been hiding as well as any information where he may be keeping the ransom money.
Warning: The anonymous tip mentioned that DB Cooper’s computer is infected with a live virus, use caution!
Deliverables
Reports will be submitted via D2L as a single PDF file. Please name the report in the following format: “Your Name – DePaul DB Cooper Report” Forensic Image
For each question, document the tool you used and which file/artifact you obtained the answer from. Also note any notable or unusual findings. Make sure to include the results or screenshots of your output in your report.
i.e. The typedurls plugin from RegRipper was used to parse the Software\Microsoft\Internet
Explorer\TypedURLs registry key from the \Users\UserName\NTUSER.DAT registry hive.
If you get stuck, be sure to send me an email with any questions!! And make sure to have fun with the assignment!
Questions
Based on the investigation, the authorities are interested in determining the following information.
1. What is the MD5 hash for the forensic image?
2. What is the user/account name for the main user account/profile?
3. What is the password for the user account?
4. What is the Operating System version, and registered owner based on the Windows installation?
5. When was the Operating System installed?
6. Were any USB devices used on the computer? If so, when where the USB devices used and what are the serial numbers?
7. If any USB devices were used, can you determine what files and/or folders existed on
USB devices and what may have been accessed from them?
8. The anonymous tip mentioned that DB Cooper may have had 4 photos of his money and that these photos may have been recently deleted… can you recover and produce them?
9. Is there any evidence of the computer’s (NETBIOS) name being changed? If so, what is the old/new name?
10. Is there any evidence of time/date manipulation?
11. What file(s) did DB Cooper open from the Windows WordPad?
12. What did DB Cooper search for on Google?
13. Did DB Cooper download or run any programs from the Internet?
14. Is DB Cooper’s computer infected with a Virus? If so, what virus is it, when did he get infected, how did he get infected?
15. Is DB Cooper storing anything in encrypted containers?
16. Can you find any artifacts that may show where DB Cooper is hiding?
17. Are there any other files that DB Cooper deleted?
18. Investigators also received a tip that DB Cooper may have been using some secure deletion or scrubbing software on 10/28/2014? Can you confirm this tip? If so, what software was used and where is it located? Can you recover any of these documents?
19. Another tip Investigators received is that DB Cooper may have been hiding files in TrueCrypt v7 container. Cooper apparently keeps the password for this container in a hidden location, but he may have accessed the password file using WordPad on Forensic Image
11/03/2014. The TrueCrypt container is also reported to be stored in a hidden location. Forensic Image
20. Rumor has it that DB Cooper stores a pot of gold in this TrueCrypt container. Can you located it and produce the hidden pot of gold? Forensic Image
ORDER FOR HELP ON Forensic Image
