Assignment title: Information
Case one - Illegal digital materials
M57.biz is a new company that researches patent information for clients.
Facts of the case:
• 1 president / CEO
• 3 additional employees
• The firm is planning to hire more employees, so they have a lot of inventory on hand
(computers, printers, etc).
Current employees:
• President: Pat McGoo
• Information Technology: Terry
• Patent Researchers: Jo, Charlie
Employees work onsite, and conduct most business exchanges over email. All of the employees work
in Windows environments, although each employee prefers different software (e.g. Outlook vs.
Thunderbird).
Figure 1: Network configuration for M57.biz
Note: In the above figure "DOMEX" is the local server managing external network access and email.
A functioning workstation originally belonging to m57.biz was purchased on the secondary market.
The buyer (Aaron Greene) realizes that the previous owner of the computer had not erased the
drive, and finds illegal digital images and videos on it. Aaron reports this to the police, who take
possession of the computer. Police forensics investigators determine the following:
• The computer originally belonged to m57.biz
• The computer was used by Jo, an M57 employee, as a work machine.
Police contact Pat McGoo (the CEO). Pat authorizes imaging of all other computer equipment onsite
at M57 to support additional investigation. Police further pursue a warrant to seize a personal
thumb drive belonging to Jo. You are given disk images from all of the computers and USB devices
found onsite at M57, along with a USB thumb drive belonging to Jo. You are also provided with four
detective reports and a search warrant and affidavit associated with seizure of the USB drive.
• For the purposes of the scenario, illegal images have been simulated with pictures and videos of
cats produced exclusively for this corpus.
Questions to answer:
• Is Jo the owner of these files? What evidence is there to confirm or reject this?
• How did the computer come to be sold on the secondary market?
• Who (if anyone) was involved in the sale (theft?) of the computer?
• Were any attempts made to hide these activities?
At the end of your investigation you should prepare a report based on the details provided in
assignment two.
Electronic identities:
Pat McGoo (President): [email protected] (email password: mcgoo01)
Terry Johnson (IT Administrator): [email protected] (email password: johnson01)
Jo Smith (Patent Researcher): [email protected] (email password: smith01)
Charlie Brown (Patent Researcher): [email protected] (email password: brown01)
Corpus and Supporting Documents:
Hard drive images from all workstations in the office for Sub-section 1: charlie-2009-12-11.E01,
jo-2009-12-11-002.E01, pat-2009-12-11.E01, terry-2009-12-11-002.E01
RAM dumps from the machines taken during the police visit (mdd or windd images) for Sub-section 2:
charlie-2009-12-11.mddramimage.zip, jo-2009-12-11.mddramimage.zip,
pat-2009-12-11.mddramimage.zip, terry-2009-12-11.mddramimage.zip
Three company USB drives found on-premises and one personal USB drive seized from Jo for
Sub-section 3: charlie-work-usb-2009-12-11.E01, jo-work-usb-2009-12-11.E01,
terry-workusb-2009-12-11.E01, jo-favorites-usb-2009-12-11.E01
Tools such as FTK, SleuthKit, Autopsy and EnCase can be helpful when investigating this case.
Download link for hard drive images from all workstations in the office for Sub-section 1:
http://digitalcorpora.org/corpora/scenarios/2009-m57-patents/drivesredacted/
Download link for RAM dumps from the machines taken during the police visit (mdd
or windd images) for Sub-section 2:
http://digitalcorpora.org/corpora/scenarios/2009-m57-patents/ram/
Download link for three company USB drives found on-premises and one personal
USB drive seized from Jo for Sub-section 3:
http://digitalcorpora.org/corpora/scenarios/2009-m57-patents/usb/
You can find further information (such as a copy of the detective reports, along with the
search warrant and affidavit) about this case in the link below:
http://digitalcorpora.org/corpora/scenarios/2009-m57-patents/