In this tutorial, you'll work through fictitious forensic cases to practice collecting, examining, analyzing, and reporting on data that you have unveiled.
Digital forensics is the identification, preservation, examination and analysis of data from a computer, mobile phone, server or network so that it can be presented as evidence, including in a court of law. Watch the video below to explore the field of digital forensics and how digital data and information can be used in criminal cases!
Addison works as a server administrator and has been accused of stealing company financial data. He swears he is innocent. A search warrant has been granted for the company’s network logs and you have been tasked with learning as much as possible about the attack and the attacker. Can you dig into the logs and help track down the hacker?
The firewall has been configured to log all traffic on the SSH (Secure Shell) port, TCP port 22 by default. SSH is a cryptographic network protocol for operating network services securely over an unsecured network; because the session itself is encrypted, the log tells you who tried to log in, from which address, at what time and whether the attempt succeeded, not what was done inside the session. Addison’s username is “admin”.
The following is an example of a network log.
Click on the Run button and scroll through and examine the data. Click on the information icons to find out more about the log entry.
According to the log, which users were able to successfully log in?
What day and time did the attacker begin trying to log into the company server?
Based on these log entries, which techniques did the hacker try over the course of this attack?
What usernames did the attacker try?
Was the attacker able to successfully get in? If you think yes, what time did it happen, and what username did the attacker use? If you think no, when did the attacker give up?
Was the attacker able to come back and log in later?
Anything else you find suspicious about these login attempts?
Do you think Addison the Admin is innocent or guilty?
What steps could be taken to prevent this from happening again?
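The questions above are answered more reliably by parsing the log than by reading it by eye. The following Python script is an added example, not part of the tutorial or its simulation. It parses a constructed sample of OpenSSH auth-log lines (the syslog format a Linux sshd writes; the host name, addresses, usernames and timestamps are made up for illustration, and the year is assumed to be 2020 because syslog timestamps omit it), then reports, per source address, how many attempts failed, which usernames were tried, when the attempts began, whether a success followed the failures, and whether the same address logged in again later.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH auth-log format (an assumption for illustration,
# not the tutorial's simulated log): one legitimate login by "admin" from an
# internal address, then a burst of attempts from an outside address.
SAMPLE_LOG = """\
Sep 14 08:02:11 fileserver sshd[2201]: Accepted password for admin from 10.0.0.15 port 51022 ssh2
Sep 14 22:14:03 fileserver sshd[3410]: Failed password for root from 203.0.113.77 port 40102 ssh2
Sep 14 22:14:04 fileserver sshd[3411]: Failed password for invalid user oracle from 203.0.113.77 port 40103 ssh2
Sep 14 22:14:05 fileserver sshd[3412]: Failed password for invalid user test from 203.0.113.77 port 40104 ssh2
Sep 14 22:14:06 fileserver sshd[3413]: Failed password for admin from 203.0.113.77 port 40105 ssh2
Sep 14 22:14:07 fileserver sshd[3414]: Failed password for admin from 203.0.113.77 port 40106 ssh2
Sep 14 22:14:09 fileserver sshd[3415]: Accepted password for admin from 203.0.113.77 port 40107 ssh2
Sep 15 03:40:51 fileserver sshd[3901]: Accepted publickey for admin from 203.0.113.77 port 40990 ssh2
"""

# sshd writes "invalid user" when the username does not exist on the system at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text, year=2020):
    """Turn syslog-style sshd lines into event dicts. syslog omits the year,
    so the caller supplies it (2020 is an assumption here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event (e.g. "Connection closed by ...")
        stamp = re.sub(" +", " ", m.group("ts"))
        ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m.group("result"), "method": m.group("method"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def successful_users(events):
    """Which usernames ever logged in successfully (from any address)."""
    return sorted({e["user"] for e in events if e["result"] == "Accepted"})


def analyze(events, fail_threshold=3):
    """Per source IP: failure count, usernames tried, when the attempts began,
    the first success that followed the failures, and any later logins."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["result"] == "Failed"]
        first_fail = fails[0]["time"] if fails else None
        # Successes from this address that came after its first failure
        breaches = [e for e in evs
                    if e["result"] == "Accepted" and first_fail and e["time"] > first_fail]
        report[ip] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "first_failure": first_fail,
            "brute_force": len(fails) >= fail_threshold,   # threshold is an assumption
            "breach": (breaches[0]["time"], breaches[0]["user"]) if breaches else None,
            "later_logins": [(e["time"], e["method"]) for e in breaches[1:]],
        }
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("successful logins:", successful_users(evs))
    for ip, r in analyze(evs).items():
        print(ip, r)
```

Two details in the output deserve a second look when you write the report. The "invalid user" wording separates guessed usernames from accounts that really exist, so it shows how much the attacker already knew. And a later Accepted publickey login from the same outside address, after the password success, is worth flagging on its own: the attacker did not need to guess again, which suggests a key was added to the account during the first session, and it points at the prevention steps (lockout after repeated failures, key-only authentication, restricting which addresses may reach port 22) that question 15 asks for.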
This case is not a criminal case. This time, you have been called in by the IT Department of your school to assist with a possible plagiarism incident. Jacob is being accused of plagiarizing his essay for his Computer Science class.
Jacob claims that he wrote this essay on September 14, 2020 and it is his original work. The teacher believes that the essay seems very familiar and may have been plagiarized.
Click on the Run button to view a simulation of a Microsoft Word document. Click around (not everything will be accessible) and collect clues. Can you figure out how to view the metadata of this Microsoft Word document? If you get stuck, a blue box will appear at the bottom left of the screen with instructions. Use the following questions to direct your search.
When was the document originally created?
Who is listed as the document’s author?
Who last modified the document and when?
What was Jacob’s total editing time?
Write a report that details what you found and your conclusion about Jacob’s claim.
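A .docx file is a ZIP archive, and the fields the Word properties dialog shows (author, created, last modified by, modified, total editing time) live in docProps/core.xml and docProps/app.xml inside it. The following Python script is an added example, not part of the tutorial's simulation: it builds a constructed archive containing only those two parts (a real document also carries [Content_Types].xml, _rels/ and word/document.xml), reads the metadata back with the standard library, and checks it against a claimed author and writing date. All names, dates and the editing-time threshold are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# XML namespaces Word uses in docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed document properties; every name and date is an assumption for this example.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>M. Rivera</dc:creator>
<cp:lastModifiedBy>Jacob</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-02T19:40:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2020-09-14T21:05:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
<Application>Microsoft Office Word</Application>
<TotalTime>7</TotalTime>
</Properties>""".format(**NS)


def build_sample_docx():
    """Minimal .docx: a ZIP with just the two property parts (a real document
    also carries [Content_Types].xml, _rels/ and word/document.xml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Read the fields Word shows under File > Info > Properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))

    def text(root, path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "author": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "total_edit_minutes": int(text(app, "ep:TotalTime") or 0),  # Word stores minutes
    }


def check_claim(meta, claimed_author, claimed_date, min_edit_minutes=30):
    """Compare the metadata with a claim of the form '<author> wrote this on <date>'.
    Returns a list of discrepancies; an empty list means nothing here contradicts
    the claim (it does not prove the claim). min_edit_minutes is an arbitrary
    plausibility threshold for an essay, chosen for this example."""
    created = datetime.strptime(meta["created"], "%Y-%m-%dT%H:%M:%SZ").date()
    claimed = datetime.strptime(claimed_date, "%Y-%m-%d").date()
    issues = []
    if created < claimed:
        issues.append("document created on %s, before the claimed writing date %s"
                      % (created, claimed))
    if meta["author"] != claimed_author:
        issues.append("author field is %r, not %r" % (meta["author"], claimed_author))
    if meta["total_edit_minutes"] < min_edit_minutes:
        issues.append("only %d minutes of editing time recorded" % meta["total_edit_minutes"])
    return issues


if __name__ == "__main__":
    meta = read_metadata(build_sample_docx())
    print(meta)
    print(check_claim(meta, "Jacob", "2020-09-14"))
```

Treat the result as a lead, not a verdict. The creator field is copied from the Office user name of whoever first saved the file and survives Save As, the created timestamp is reset when text is pasted into a fresh document, TotalTime only counts minutes while the document was open in Word, and all of these fields can be edited by hand. Metadata can make a claim implausible; it cannot prove who typed the words.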
You’ve been called in by officials once again to assist with EXIF data on a photo in question.
EXIF is short for Exchangeable Image File Format: a block of metadata (camera make and model, exposure settings, date and time, and often GPS coordinates) that digital cameras and smartphones embed in the photos they take.
The police won’t go into specifics but would like you to either support or refute the following claims.
You will examine and analyze the EXIF data provided by an image viewing program in the next lab. After that, you will collect further data found by using the computer’s command line interface.
Photo in Question
The picture was taken by the suspect’s mobile phone. She has an iPhone 7 Plus with a serial number KCFGP71706722.
The suspect did not zoom in when taking the picture.
The person in the photo shielded her face because of the camera’s flash.
The picture was taken inside of a building.
The picture was taken in Babylon, NY.
Examine and analyze the EXIF data shown. Does any of this data support or refute the claims? Report what you found for each claim. If you are not able to make a decision based on the data shown, say so: for example, the Make and Model fields identify a type of device rather than one particular handset unless the camera also wrote a serial number tag, and EXIF fields can be edited or stripped after a photo is taken. You will submit a final conclusion in the last item in this lesson.
Click on the Run button to start the simulation of a terminal window in macOS. In this lab, you will use a command line interface to unveil more details about the photo in question. A command line tool typically exposes more of a file's metadata than its graphical counterpart (as seen in the last activity), but you do need to know which commands to use. Follow along with the instructions to access more EXIF data.
We will be using a program called exiftool. To list all of a file's metadata, type exiftool followed by a space and the name of the image. The name of our photo in question is suspect.jpg, so the command is exiftool suspect.jpg. Type that command to find the EXIF data. (Reading with exiftool does not alter the file, but in real casework you would still run it against a copy and keep a hash of the original.)
There is a LOT of data provided here! Scroll through the information to examine and analyze which pieces of data are helpful. Use the guides below to help decipher some information that may be useful:
Light Source (the LightSource tag)
The EXIF specification defines these values, among others:
0 = Unknown
1 = Daylight
2 = Fluorescent
3 = Tungsten (incandescent light)
4 = Flash
Zoom Ratio (the DigitalZoomRatio tag)
Indicates the digital zoom ratio applied when the image was shot. It records digital zoom only: optical zoom on a two-lens phone such as the iPhone 7 Plus shows up as a longer focal length (FocalLength and FocalLengthIn35mmFilm) rather than here.
0 = digital zoom not used
2 = 2x zoom
4 = 4x zoom
exiftool can also print just the tags you ask for. Type exiftool -gps:all suspect.jpg to print every tag in the GPS group and view specifics about the location where this photo was taken. GPS coordinates are stored as degrees, minutes and seconds; adding -c "%.6f" (that is, exiftool -c "%.6f" -gps:all suspect.jpg) prints them in decimal degrees instead.
Use a mapping tool such as Google Maps to determine where this photo was taken: enter the latitude and longitude in decimal degrees, remembering that southern latitudes and western longitudes are negative.
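To show what exiftool is actually reading, here is an added Python example, not code from the tutorial or from exiftool. It builds a constructed JPEG whose only content is an APP1/Exif segment (device, Flash, LightSource, DigitalZoomRatio, 35 mm-equivalent focal length and GPS coordinates; every value is an assumption for illustration, not data from the photo in question), parses the TIFF structure inside that segment with the standard library, decodes the fields the five claims turn on, and converts the degrees/minutes/seconds GPS rationals to the decimal degrees a mapping site expects.

```python
import struct

# Tag numbers for the fields this example reads (names as in the EXIF spec).
TAG_NAMES = {
    "ifd0": {0x010F: "Make", 0x0110: "Model", 0x8769: "ExifIFD", 0x8825: "GPSIFD"},
    "exif": {0x9209: "Flash", 0x9214: "LightSource", 0xA404: "DigitalZoomRatio",
             0xA405: "FocalLengthIn35mmFilm"},
    "gps": {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"},
}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
LIGHT_SOURCE = {0: "Unknown", 1: "Daylight", 2: "Fluorescent", 3: "Tungsten", 4: "Flash"}


def encode_ifd(entries, start):
    """Serialize [(tag, type, value)] as a little-endian IFD placed at TIFF offset
    `start`; values wider than 4 bytes go after the entry table and are pointed to."""
    table, data = struct.pack("<H", len(entries)), b""
    data_off = start + 2 + 12 * len(entries) + 4
    for tag, typ, val in entries:
        if typ == 2:                                   # ASCII, NUL-terminated
            payload, count = val.encode() + b"\0", len(val) + 1
        elif typ == 5:                                 # RATIONAL: (numerator, denominator) pairs
            payload, count = b"".join(struct.pack("<II", *r) for r in val), len(val)
        else:                                          # SHORT or LONG
            payload = struct.pack("<%d%s" % (len(val), "H" if typ == 3 else "I"), *val)
            count = len(val)
        if len(payload) <= 4:
            table += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            table += struct.pack("<HHII", tag, typ, count, data_off + len(data))
            data += payload
    return table + struct.pack("<I", 0) + data


def build_sample_jpeg():
    """Constructed JPEG holding only an APP1/Exif segment (no image data). Every
    value is an assumption for illustration, not data from the tutorial's photo."""
    exif = [(0x9209, 3, [0x10]), (0x9214, 3, [1]),      # Flash did not fire; LightSource Daylight
            (0xA404, 5, [(0, 1)]), (0xA405, 3, [28])]   # DigitalZoomRatio 0 (unused); 28 mm equiv.
    gps = [(1, 2, "N"), (2, 5, [(40, 1), (41, 1), (4452, 100)]),   # 40 deg 41' 44.52" N
           (3, 2, "W"), (4, 5, [(73, 1), (19, 1), (3252, 100)])]   # 73 deg 19' 32.52" W

    def ifd0(exif_ptr, gps_ptr):
        return [(0x010F, 2, "Apple"), (0x0110, 2, "iPhone 7 Plus"),
                (0x8769, 4, [exif_ptr]), (0x8825, 4, [gps_ptr])]

    exif_off = 8 + len(encode_ifd(ifd0(0, 0), 8))      # pointer values do not change the length
    gps_off = exif_off + len(encode_ifd(exif, exif_off))
    tiff = (b"II*\0" + struct.pack("<I", 8) + encode_ifd(ifd0(exif_off, gps_off), 8)
            + encode_ifd(exif, exif_off) + encode_ifd(gps, gps_off))
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"


def parse_exif(jpeg):
    """Locate the APP1 Exif segment, then walk IFD0 and the Exif and GPS sub-IFDs."""
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg) and tiff is None:
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:                           # start of scan: no more metadata segments
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    if tiff is None:
        return {}
    e = "<" if tiff[:2] == b"II" else ">"              # byte order comes from the TIFF header
    tags = {}

    def read_ifd(off, which):
        (n,) = struct.unpack(e + "H", tiff[off:off + 2])
        for i in range(n):
            ent = off + 2 + 12 * i
            tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            voff = ent + 8 if size <= 4 else struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]
            raw = tiff[voff:voff + size]
            if typ == 2:
                val = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ == 5:
                val = tuple(struct.unpack(e + "II", raw[j:j + 8]) for j in range(0, size, 8))
            elif typ in (3, 4):
                val = struct.unpack(e + "%d%s" % (count, "H" if typ == 3 else "I"), raw)
            else:
                val = raw
            if typ in (3, 4, 5) and count == 1:
                val = val[0]
            name = TAG_NAMES[which].get(tag, "%s:0x%04X" % (which, tag))
            tags[name] = val
            if name in ("ExifIFD", "GPSIFD"):          # follow the pointer into the sub-IFD
                read_ifd(val, "exif" if name == "ExifIFD" else "gps")

    read_ifd(struct.unpack(e + "I", tiff[4:8])[0], "ifd0")
    return tags


def dms_to_decimal(dms, ref):
    """GPS coordinates are three rationals (degrees, minutes, seconds); S and W are negative."""
    d, m, s = (num / den for num, den in dms)
    return (d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1)


def summarize(tags):
    """Decode the fields the claims in this lesson turn on."""
    num, den = tags["DigitalZoomRatio"]
    return {
        "device": "%s %s" % (tags["Make"], tags["Model"]),
        "flash_fired": bool(tags["Flash"] & 1),          # bit 0 of Flash = flash fired
        "light_source": LIGHT_SOURCE.get(tags["LightSource"], "other/reserved"),
        "digital_zoom": None if num == 0 else num / den, # 0 means digital zoom was not used
        "latitude": dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"]),
        "longitude": dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"]),
    }


if __name__ == "__main__":
    print(summarize(parse_exif(build_sample_jpeg())))
```

The parser follows the same path exiftool does: JPEG marker segments, then the TIFF header (byte order and first-IFD offset), then 12-byte IFD entries whose value is stored inline when it fits in 4 bytes and pointed to otherwise. Note what the decoded fields can and cannot settle: Flash and LightSource speak to the flash and indoor/outdoor claims, DigitalZoomRatio covers digital zoom only, Make and Model name a device type but not a serial number, and the converted coordinates are what you paste into a mapping site.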