Digital Forensic Review
ClientIDX v XXX & Ors - XXX of 2008
TrueCrypt Analysis

Digital Forensic Review 30 October 2008

Table of contents

1. Executive summary
2. Introduction
3. Scope of Engagement
4. Analysis Conducted
5. Findings
6. HDD Image CFM202_51
7. HDD Image CFM202_52
8. Device CFM202_56
9. Device CFM202_352
10. Conclusion
Appendix 1 - CFM202_052 Hidden Partition
    Section 000
    Section 001
    Section 002
    Section 010
    Section 015
    Section 020
    Section 039
    Section 040
    Section 041
    Section 042
    Section 043
    Section 057
    Section 059
    Section 060
APPENDIX 2
    Summary of qualifications and achievements
    Publications
Appendix 3 - Entropy Baselines

1. Executive summary

1.1.
A review of the four Hard Disk Drive (“HDD”) images supplied by AAAAA was conducted as requested in regards to ClientIDX Design v XXXX & Ors - YYYY of 2008.

1.2. The purpose of this engagement and the forensic analysis that is related to this report was to determine whether any hidden TrueCrypt volumes exist on the supplied media. A TrueCrypt volume is a hidden drive created with a TrueCrypt software package that cannot be accessed or otherwise viewed by a user unless they are aware of its existence and are furnished with a password. It is essentially an encrypted volume within an encrypted volume.

1.3. My examination of the evidence indicates that multiple hidden partitions exist on the supplied drive images. In particular, the HDD image named CFM202_052 has a 35 GB partition that is (or was) a TrueCrypt partition. As the creation of a new hidden partition effectively destroys any prior existing hidden partition it is not possible to determine whether there is any data within such a partition without access to the password used to create this volume.

1.4. My analysis of the supplied data also indicates that a large amount of media in violation of copyright exists on these systems.

2. Introduction

2.1. This statement made by me, Craig Wright, an Associate Director in the Forensic Services division of BDO Kendalls Corporate Finance (NSW-VIC) Pty Ltd (“BDO Kendalls Forensic”), accurately sets out the evidence that I would be prepared to present to the Court as a witness. This statement is true to the best of my knowledge and is made in awareness of the fact that I would be liable to prosecution in the event that I wilfully state anything that I know to be false or do not believe to be true. My Curriculum Vitae is attached as Appendix 2.

2.2. It has been prepared for AAAAA Lawyers, who represent ClientIDX Pty Ltd in the Victorian proceedings YYYY of 2008 against XXXX & Ors.

2.3.
On 13 October 2008, I was contacted regarding the supply of one HDD containing images of four devices (“the Images”) that were taken by staff of Ernst and Young, for the purpose of analysis. I was requested to conduct a digital forensic analysis of the Images with the express purpose of determining the likelihood that hidden encrypted drives exist and if possible to access the partitions and to determine the existence of any unauthorised intellectual property.

2.4. The HDD with the Images was provided to BDO on 14 October 2008.

3. Scope of Engagement

3.1. The initial scope of the digital forensic engagement was limited to:
3.1.1. The four images supplied on the hard drive provided;
3.1.2. A forensic analysis of the Images; and
3.1.3. Creation and provision of a digital forensic report providing details relating to any hidden encrypted files and partitions files found on the suspect Images.

3.2. The initial emphasis of the engagement was primarily related to the detection of any hidden TrueCrypt partitions that may exist on the Images.

4. Analysis Conducted

4.1. As per the scope of the engagement, the images were provided to BDO staff on 14 October 2008.

4.2. Two images, “CFM202_51” and “CFM202_52” are forensic copies of a separate computer HDD (“the HDD Images”), while the other two images, “CFM202_56” and “CFM202_352” are forensic copies of a DVD-Rom and a USB Drive (“the Other Images”).

4.3. An initial investigation was conducted on the Images to determine disk structure and distribution and a seemingly unformatted partition was noted on image “CFM202_52” (refer to figure 4.3 below).

Figure 4.3

4.4. Memory analysis was conducted on the system pagefiles for the HDD Images (“CFM202_51” and “CFM202_52”). I determined that these images have the following characteristics that allow for an analysis of the partitions that can be utilised to determine the existence of a hidden partition:
4.4.1.
Pagefiles are in use and can be analysed.
4.4.2. The image format type is NTFS.
4.4.3. RAM Slack Fragments exist on the main drive images.
4.4.4. Registry calls to other drives exist.
4.4.5. Correct Defragmentation processes have not been followed to the specifications required by TrueCrypt.

4.5. Text strings found in the pagefiles can be used to create a password cracking process targeted at unlocking the aforementioned volumes. The time required to complete this process would be reliant on the complexity of the password used in the creation of the volumes.

4.6. Tests of the Entropy of both a bitwise and bytewise stream were conducted and mapped, where Entropy is the relative randomness of a given data unit.

4.7. When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). An analysis of the pagefile on image “CFM202_52” uncovered artefacts of a TrueCrypt volume (other than the one for which a password was supplied by AAAAA). TrueCrypt can be configured to use two (2) separate passwords. The first will open an encrypted but obvious volume. The second is used for a hidden volume that is designed to remain undetected if the first password has been handed over.

5. Findings

5.1. A TrueCrypt hidden partition of approximately 35 GB in size is contained in the image named “CFM202_52”.

5.2. One desired outcome of utilising a TrueCrypt volume is that it provides plausible deniability by allowing a user to deny knowledge of the existence of such a volume due to the apparent random nature of the data contained on the HDD. The assumption is that an encrypted volume cannot be distinguished from random data. An analysis of the entropy distribution of the HDD image (as displayed in Figure 5.4 below for the image “CFM202_52”) demonstrates that this is not the case.

5.3.
By testing the distribution of characters on a HDD I am able to determine its entropy score. Entropy is the relative randomness of a given data unit. As data stored on a computer HDD is anything but random (i.e. patterns in data occur even in data of apparent randomness, thereby providing a less than perfect entropy score), the occurrence of relatively higher randomness, or higher entropy, is indicative of intervention, namely encryption.

5.4. Perfect entropy would demonstrate perfectly random data. TrueCrypt has achieved a level of near perfect entropy. This is displayed in Figure 5.4 below from sections 43 to 59 on the x-axis as it relates to the image “CFM202_52”. The other high entropy sections are related to the known TrueCrypt image called “recipes”. The rest of the graph relates to all other sections of the image.

Figure 5.4

5.5. Entropy as applied to computer forensics is a measure of the randomness on the HDD. Normal data has an entropy value between 1.0 and 7.85. Any value greater than 7.85 is related to an encryption process (including Pseudo-Random Number Generators, or PRNGs).

5.6. The entropy of the hidden drive section is 8.000000. The likelihood of this level of entropy occurring naturally is less than one chance in 100 billion¹. This may be calculated using a multinomial distribution with eight (8) degrees of freedom. Entropy calculations were conducted using both a bit stream (an analysis of the 0 and 1 values) and a byte wise analysis (this is a character analysis as is included in the Appendix). [See: Shannon, C. E. (1948) “A Mathematical theory of communication”, Bell System Tech. J. 27, 379-423 and 623-656].

5.7. An analysis of the entropy created through the means of pseudo random calculations (such as /dev/random and /dev/urandom) was conducted and the probabilities calculated. This is included in Appendix 3.

5.8.
The only option for acquiring the content of a dismounted TrueCrypt drive is to complete a brute-force password guessing attack. This process is time consuming if a keyfile is not used and is effectively impossible otherwise. TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). I have requested that AAAAA supply any files that may be a keyfile (such as a 1024k file on a USB stick).

¹ See Gallager’s Theorem [Gallager, R. G. (1978) “Variations on a theme by Huffman”, IEEE Trans. on Information Theory, 24, 668-674] which details the process needed to calculate the Huffman code for a source. The Kullback-Leibler or Mahalanobis distance “d” may also be used to calculate the expected value “Ep” and hence the likelihood of the entropy occurring naturally. The expected probability using this method is incalculably small.

5.9. Previous versions of encrypted containers were detected in the journaling filesystems (NTFS). By tracking any changes that occur within the free space of the outer container it was possible to detect the presence of a hidden container in image “CFM202_051”.

5.10. Standard entropy calculations for a TrueCrypt drive have a narrow range with a low standard deviation (as can be seen in the histogram below at Figure 5.9).

5.11. The “Source Coding Theorem” is used to calculate the expected code-length given a prefix-free source code. Having calculated the Kolmogorov complexity of a random possible value, the lower bound of an expected value of complexity can be calculated [see also the works of Vitanyi and Li (2000)²].

² Vitanyi, P. M. B. and Li, M. (2000), “Minimum description length, induction, Bayesianism, and Kolmogorov complexity”, IEEE Trans.
Information Theory, 46, 446-464.

Figure 5.9

5.12. The section of the hidden image “T” related to the hidden partition displayed a larger than expected entropy range when compared over differing slice sizes (this is the size of the information compared at an instance to calculate entropy).

Figure 5.10

5.13. These factors display the existence of a hidden partition.

5.14. The box plot at Figure 5.12 below displays the entropy distributions of the section that contains the hidden volume (1) compared against a distribution of empty space (2) from a TrueCrypt partition with no hidden volume.

5.15. The final entropy scores were determined by utilising the extensions to Kolmogorov (1956)³ proposed by Cover and Thomas (1991)⁴. A chi-squared calculation as documented in appendix 1 below was also produced in order to validate the results⁵.

³ Kolmogorov, A. (1956) “On the Shannon theory of information transmission in the case of continuous signals”, IRE Transactions on Information Theory, Volume 2, Issue 4, December 1956, pp. 102-108.

⁴ Cover T. M. and Thomas, J. S. (1991) “Elements of Information Theory” Wiley Interscience.

Figure 5.12

5.16. The requirement to protect the data contained within the hidden volume gives “slices” that display distinctly different patterns to that of a partition without a hidden volume. Although the average value remains the same, Equality of Variances testing will demonstrate significant variations.

⁵ This method is based on a variation of the ENT process derived by John Walker (2008) which is based on the work of Hamming, Richard W. (1980) “Coding and Information Theory”. Englewood Cliffs NJ: Prentice-Hall. See also: Park, Stephen K. and Keith W. Miller. (1988) “Random Number Generators: Good Ones Are Hard to Find”. Communications of the ACM, October 1988, p.
1192.

6. HDD Image CFM202_51

6.1. This drive image contained a TrueCrypt volume, “t”.
6.1.1. Description
This image contains a 10GB TrueCrypt volume
6.1.2. Location
%l:\Documents and Settings\Sarah\t
6.1.3. Additional
Another 35 GB partition that is consistent with being a TrueCrypt volume also exists on this drive.

6.2. There is strong evidence to support the assertion that this file contains a hidden TrueCrypt partition of up to 4.7 GB. The version of TrueCrypt used to create this volume has known flaws when executed on a system with a page file and where the drive is formatted using NTFS. The assertion that a hidden partition exists (or did exist and was destroyed) on this file may be stated with a 95% confidence interval.

6.3. This image has a number of instances of malware. These are Trojans that are designed to compromise the security of the system that they are running on and load further programs in order to gain access to or otherwise compromise a computer system. The host image that these files are held on shows no evidence that the malware files have compromised the system.

6.4. Additionally, the timestamps on these files predate the formally acknowledged discovery time of the malware, which is based upon the amendment and update of anti-virus software throughout the world. As such, these Trojan files could have been used to compromise a computer system without an Anti-Virus program being able to detect an attack, as such programs are updated on a daily basis in order to detect known viruses and other malware.

6.5. The particular trojans discovered are used to capture passwords, log keystrokes and extract information (such as banking details or intellectual property) from computer systems without authorisation. There is no discernible legal reason for these files to be on the drive image.

6.6. The trojans discovered were not installed and operating.
In my experience, such trojans are usually uploaded and installed on computers, rather than being stored in an inert form. The existence of malware of this type on the HDD image prior to formal discovery and being stored in an inert manner may suggest that a user of the computer was knowingly storing the malware or developed the malware.

6.7. Based on the data and entropy calculations, there is a 65.41% (at a 95% confidence interval this is 59.09, 71.73)⁶ likelihood that a hidden partition exists in volume “t”.

7. HDD Image CFM202_52

7.1. This drive image contained a TrueCrypt volume, “Recipes”.
7.1.1. Description
This volume contains a 1GB TrueCrypt volume
7.1.2. Location
%I:\Documents and Settings\Ian\My Documents\recipes
7.1.3. The contents of this folder contain images unrelated to the matter.
7.1.4. This image contains a second partition of 35GB in total size.

7.2. A preliminary analysis of the 35 GB second partition indicates that this partition is unformatted. The distribution of data on this partition is consistent with a hidden TrueCrypt volume. Analysis of the system Pagefile has returned the following information:
7.2.1. “Select the location of the TrueCrypt volume within which you wish to create a hidden volume. Hidden Volume Created”

7.3. This demonstrates that a hidden volume has been created and used on the host system.

7.4. To be effective, TrueCrypt needs to be run on a disk format such as FAT32. The main partition is formatted as NTFS, which is a journaling file system. The computer that used the drive that this image was created from also uses a memory page file.

7.5. The partition on this image is either an existing TrueCrypt volume or it is one that has been destroyed. The use of information from system memory (as contained within the pagefile) could be used to create an association table in order to attempt to crack the password on this volume in order to provide access to any data stored therein.

7.6.
Based on the data and entropy calculations, there is a 98.67% (at a 95% confidence interval this is 97.56, 99.78) likelihood that a hidden partition exists in the hidden volume. This hidden volume is approximately 35Gb in size. Based on an analysis of the “chain” file stored in the primary drive, MFT (Master File Table) information and related evidence, this partition is a MAC format partition.

⁶ Based on the Gaussian differential entropy and Gaussian random vector calculations. See Cover T. M. and Thomas, J. S. (1991) “Elements of Information Theory” Wiley Interscience.

7.7. The assertion that a hidden partition exists (or did exist and was destroyed) on this file may be stated with a 95% confidence interval.

8. Device CFM202_56

8.1. The existence of a hidden TrueCrypt partition on this drive is indeterminate. If a partition was to exist it would need to be sized to less than 500Mb in capacity.

8.2. No determination as to the existence of a hidden TrueCrypt partition on the drive image “CFM202_056” could be made.

9. Device CFM202_352

9.1. The process used was unable to determine if a TrueCrypt hidden volume exists on this image.

9.2. No determination as to the existence of a hidden TrueCrypt partition on the drive image “CFM202_352” could be made.

10. Conclusion

10.1. A 35 GB hidden TrueCrypt partition exists on image “CFM202_052”.

10.2. There is evidence that this partition is a MAC format drive.

10.3. Based on the data and entropy calculations, there is a 98.67% (at a 95% confidence interval this is 97.56, 99.78) likelihood that a hidden partition exists in the hidden volume. This hidden volume is approximately 35 GB in size. Based on an analysis of the “chain” file stored in the primary drive, MFT (Master File Table) information and related evidence, this partition is a MAC format partition.
BDO Kendalls Corporate Finance (NSW-VIC) Pty Ltd
Craig Wright
Associate-Director
30 October 2008

Appendix 1 - CFM202_052 Hidden Partition

The hidden partition is contained within image sections 041 to 060 (the start and end of the TrueCrypt volume are respectively in these partitions). The entropy distributions of the drive demonstrate a large number of areas that display high entropy. This is due to the large number of compressed files stored on the drive image. Most of these compressed files are illegally obtained material taken in breach of copyright.

Entropy

The information density of the contents of the file, expressed as a number of bits per character. The results above, which resulted from processing an image file compressed with JPEG, indicate that the file is extremely dense in information—essentially random. Hence, compression of the file is unlikely to reduce its size. By contrast, the C source code of the program has entropy of about 4.9 bits per character, indicating that optimal compression of the file would reduce its size by 38%. [Hamming, pp. 104–108]

Chi-square Test

The chi-square test is the most commonly used test for the randomness of data, and is extremely sensitive to errors in pseudorandom sequence generators. The chi-square distribution is calculated for the stream of bytes in the file and expressed as an absolute number and a percentage which indicates how frequently a truly random sequence would exceed the value calculated. We interpret the percentage as the degree to which the sequence tested is suspected of being non-random. If the percentage is greater than 99% or less than 1%, the sequence is almost certainly not random. If the percentage is between 99% and 95% or between 1% and 5%, the sequence is suspect. Percentages between 90% and 95% and 5% and 10% indicate the sequence is “almost suspect”.
Note that a JPEG file, while very dense in information, is far from random as revealed by the chi-square test. Applying this test to the output of various pseudorandom sequence generators is interesting. The low-order 8 bits returned by the standard Unix rand() function, for example, yields:

Chi-square distribution for 500000 samples is 0.01, and randomly would exceed this value more than 99.99 percent of the times.

Arithmetic Mean

This is simply the result of summing all the bytes (bits if the -b option is specified) in the file and dividing by the file length. If the data are close to random, this should be about 127.5 (0.5 for -b option output). If the mean departs from this value, the values are consistently high or low.

Monte Carlo Value for Pi

Each successive sequence of six bytes is used as 24 bit X and Y co-ordinates within a square. If the distance of the randomly-generated point is less than the radius of a circle inscribed within the square, the six-byte sequence is considered a “hit”. The percentage of hits can be used to calculate the value of Pi. For very large streams (this approximation converges very slowly), the value will approach the correct value of Pi if the sequence is close to random. A 500000 byte file created by radioactive decay yielded:

Monte Carlo value for Pi is 3.143580574 (error 0.06 percent).

Serial Correlation Coefficient

This quantity measures the extent to which each byte in the file depends upon the previous byte. For random sequences, this value (which can be positive or negative) will, of course, be close to zero. A non-random byte stream such as a C program will yield a serial correlation coefficient on the order of 0.5. Wildly predictable data such as uncompressed bitmaps will exhibit serial correlation coefficients approaching 1.

The following information is the entropy calculation for a byte wise analysis of each of the 2Gb drive image sections.
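The byte-wise measures described in this appendix (entropy, chi-square, arithmetic mean and serial correlation; the Monte Carlo value is left out) can be computed per slice of an image as in the following added example, which is not part of the original report and is not the tool used to produce its figures. The function names, the 64 KiB slice size, the SHA-256 counter stream standing in for ciphertext, the slightly biased "dense" slices and the chi-square cut-offs are assumptions made for the illustration; only the 7.85 bits-per-byte boundary is taken from paragraph 5.5.

```python
import hashlib
import math
from collections import Counter

ENTROPY_CUTOFF = 7.85            # bits per byte, from paragraph 5.5 of the report
P_LOW, P_HIGH = 1e-4, 1 - 1e-4   # assumed chi-square cut-offs (stricter than 1%/99%)
SLICE = 64 * 1024                # constructed slice size; the report used 10Mb to 5Gb


def chi_square_p(chi2, dof=255):
    """Approximate P(X >= chi2), using the Wilson-Hilferty normal approximation."""
    k = 2.0 / (9.0 * dof)
    z = ((chi2 / dof) ** (1.0 / 3.0) - (1.0 - k)) / math.sqrt(k)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def byte_stats(data):
    """Byte-wise entropy, chi-square, arithmetic mean and serial correlation."""
    n = len(data)
    counts = Counter(data)
    entropy = sum(-(c / n) * math.log2(c / n) for c in counts.values())
    expected = n / 256.0
    chi2 = sum((counts[v] - expected) ** 2 / expected for v in range(256))
    total = sum(data)
    sum_sq = sum(v * v * c for v, c in counts.items())
    # Pair each byte with its successor; the last byte wraps round to the first.
    sum_adj = sum(a * b for a, b in zip(data, data[1:] + data[:1]))
    denom = n * sum_sq - total * total   # zero for constant data: report 0.0
    scc = (n * sum_adj - total * total) / denom if denom else 0.0
    return {"entropy": entropy, "chi2": chi2, "p": chi_square_p(chi2),
            "mean": total / n, "scc": scc}


def classify(stats):
    """Label a slice from its entropy first, then its chi-square percentage."""
    if stats["entropy"] <= ENTROPY_CUTOFF:
        return "structured"
    if stats["p"] < P_LOW or stats["p"] > P_HIGH:
        return "dense-nonuniform"   # high entropy, but the byte counts are not flat
    return "random-like"            # consistent with ciphertext or PRNG output


def scan(image, slice_size=SLICE):
    """Return (index, stats, label) for every full slice of the image."""
    out = []
    for i in range(len(image) // slice_size):
        s = byte_stats(image[i * slice_size:(i + 1) * slice_size])
        out.append((i, s, classify(s)))
    return out


def runs(results, label="random-like"):
    """Contiguous (first, last) slice-index ranges that carry the given label."""
    found, start, prev = [], None, None
    for i, _, lab in results:
        if lab == label:
            if start is None:
                start = i
            prev = i
        elif start is not None:
            found.append((start, prev))
            start = None
    if start is not None:
        found.append((start, prev))
    return found


def stream(n, label):
    """Deterministic SHA-256 counter stream: a constructed stand-in for ciphertext."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(label + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def build_sample_image():
    """Constructed 8-slice image: text, biased dense data, zeros, random-like data."""
    text = (b"the quick brown fox jumps over the lazy dog " * 3000)[:2 * SLICE]
    dense = bytearray(stream(2 * SLICE, b"dense"))
    for i in range(0, len(dense), 8):
        dense[i] &= 0x7F            # clear the top bit of every eighth byte
    zeros = bytes(SLICE)
    cipher = stream(3 * SLICE, b"cipher")
    return text + bytes(dense) + zeros + cipher


if __name__ == "__main__":
    for i, s, lab in scan(build_sample_image()):
        print(f"slice {i}: H={s['entropy']:.4f} chi2={s['chi2']:.1f} "
              f"mean={s['mean']:.2f} scc={s['scc']:+.4f} -> {lab}")
```

The biased slices clear the 7.85 entropy boundary yet fail the chi-square test, which is the same distinction the appendix draws for a JPEG file.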
The entropy calculations were conducted for slices of the following sizes:
• 10Mb
• 100Mb
• 500Mb
• 1Gb
• 2Gb
• 5Gb

In all instances the findings were consistent with the reported results.

Section 000

Entropy = 7.245975 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 9 percent.
Chi-square distribution for 2000000000 samples is 11678106766.03, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 101.0208 (127.5 = random).
Monte Carlo value for Pi is 3.324978315 (error 5.84 percent).
Serial correlation coefficient is 0.328802 (totally uncorrelated = 0.0).

Section 001
119 w 6072185 0.003036 120 x 6177834 0.003089 121 y 5910592 0.002955 122 z 4676414 0.002338 123 { 4909632 0.002455 124 | 5069518 0.002535 125 } 5305610 0.002653 126 ~ 4795094 0.002398 127 5913580 0.002957 128 13005994 0.006503 129 6723175 0.003362 130 5801677 0.002901 131 7110088 0.003555 132 5877308 0.002939 133 6624764 0.003312 134 5025424 0.002513 135 4915243 0.002458 136 7161605 0.003581 137 7683960 0.003842 138 5333764 0.002667 139 11901707 0.005951Digital Forensic Review 30 October 2008 25 140 5430531 0.002715 141 6734606 0.003367 142 4854917 0.002427 143 5031678 0.002516 144 7167449 0.003584 145 5049086 0.002525 146 5316160 0.002658 147 4919524 0.002460 148 5142877 0.002571 149 4733777 0.002367 150 4658306 0.002329 151 4391677 0.002196 152 5221333 0.002611 153 4987470 0.002494 154 4763742 0.002382 155 4317527 0.002159 156 5038529 0.002519 157 4254479 0.002127 158 4387582 0.002194 159 4470433 0.002235 160 7232870 0.003616 161 ¡ 4727783 0.002364 162 ¢ 4587128 0.002294 163 £ 4693439 0.002347 164 ¤ 5152465 0.002576 165 ¥ 4824501 0.002412 166 ¦ 4267600 0.002134 167 § 4690101 0.002345 168 ¨ 5112100 0.002556 169 © 4749515 0.002375 170 ª 6083611 0.003042 171 « 4852249 0.002426 172 ¬ 4802483 0.002401 173 - 4799074 0.002400 174 ® 4399009 0.002200 175 ¯ 4680660 0.002340 176 ° 5598947 0.002799 177 ± 4695566 0.002348 178 ² 4515869 0.002258 179 ³ 4297985 0.002149 180 ´ 4815832 0.002408 181 µ 4888228 0.002444 182 ¶ 4662633 0.002331 183 · 4675124 0.002338 184 ¸ 5400448 0.002700 185 ¹ 4678998 0.002339 186 º 4837316 0.002419 187 » 5135313 0.002568Digital Forensic Review 30 October 2008 26 188 ¼ 5708174 0.002854 189 ½ 5196037 0.002598 190 ¾ 4881896 0.002441 191 ¿ 5665827 0.002833 192 À 10203736 0.005102 193 Á 5705366 0.002853 194 Â 5488785 0.002744 195 Ã 5692636 0.002846 196 Ä 5465318 0.002733 197 Å 4487202 0.002244 198 Æ 5526685 0.002763 199 Ç 6238541 0.003119 200 È 5463535 0.002732 201 É 5071246 0.002536 202 Ê 4637332 0.002319 203 Ë 4813751 0.002407 204 Ì 7007506 0.003504 
205 Í 4545154 0.002273 206 Î 4906697 0.002453 207 Ï 4818196 0.002409 208 Ð 5899390 0.002950 209 Ñ 4850651 0.002425 210 Ò 4801047 0.002401 211 Ó 4619120 0.002310 212 Ô 4675734 0.002338 213 Õ 4490627 0.002245 214 Ö 4594884 0.002297 215 × 4767427 0.002384 216 Ø 5072089 0.002536 217 Ù 4518700 0.002259 218 Ú 4742549 0.002371 219 Û 4902678 0.002451 220 Ü 5189823 0.002595 221 Ý 5012686 0.002506 222 Þ 4790735 0.002395 223 ß 4838461 0.002419 224 à 10928679 0.005464 225 á 5960926 0.002980 226 â 5286772 0.002643 227 ã 5115161 0.002558 228 ä 5033087 0.002517 229 å 4621376 0.002311 230 æ 4388295 0.002194 231 ç 4790782 0.002395 232 è 7501373 0.003751 233 é 5645796 0.002823 234 ê 4618489 0.002309 235 ë 5530241 0.002765Digital Forensic Review 30 October 2008 27 236 ì 5996576 0.002998 237 í 4996069 0.002498 238 î 5393681 0.002697 239 ï 5581958 0.002791 240 ð 8353901 0.004177 241 ñ 5736259 0.002868 242 ò 4888042 0.002444 243 ó 4879337 0.002440 244 ô 4849808 0.002425 245 õ 4878220 0.002439 246 ö 4831255 0.002416 247 ÷ 5915802 0.002958 248 ø 6236614 0.003118 249 ù 4855679 0.002428 250 ú 5038134 0.002519 251 û 6476720 0.003238 252 ü 7111906 0.003556 253 ý 6002985 0.003001 254 þ 7025081 0.003513 255 ÿ 40760056 0.020380 Total: 2000000000 1.000000 Entropy = 7.378992 bits per byte. Optimum compression would reduce the size of this 2000000000 byte file by 7 percent. Chi-square distribution for 2000000000 samples is 9121270233.13, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 101.0603 (127.5 = random). Monte Carlo value for Pi is 3.353090235 (error 6.73 percent). Serial correlation coefficient is 0.293255 (totally uncorrelated = 0.0). 

Section 002

Entropy = 7.845178 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 1 percent.
Chi-square distribution for 2000000000 samples is 1103449418.98, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 117.5418 (127.5 = random).
Monte Carlo value for Pi is 3.143659059 (error 0.07 percent).
Serial correlation coefficient is 0.122959 (totally uncorrelated = 0.0).

Section 010

Entropy = 2.209951 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 72 percent.
Chi-square distribution for 2000000000 samples is 319682472370.65, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 220.4835 (127.5 = random).
Monte Carlo value for Pi is 0.727997929 (error 76.83 percent).
Serial correlation coefficient is 0.835450 (totally uncorrelated = 0.0).

Section 015

Entropy = 8.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 0 percent.
Chi-square distribution for 2000000000 samples is 282.14, and randomly would exceed this value 11.68 percent of the times.
Arithmetic mean value of data bytes is 127.4998 (127.5 = random).
Monte Carlo value for Pi is 3.141625863 (error 0.00 percent).
Serial correlation coefficient is -0.000001 (totally uncorrelated = 0.0).

Section 020

Entropy = 7.577415 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 5 percent.
Chi-square distribution for 2000000000 samples is 6224750961.57, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 110.7567 (127.5 = random).
Monte Carlo value for Pi is 3.248711703 (error 3.41 percent).
Serial correlation coefficient is 0.298437 (totally uncorrelated = 0.0).

Section 039

Value Char Occurrences Fraction
255 ÿ 2000000000 1.000000
Total: 2000000000 1.000000

Entropy = 0.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 100 percent.
Chi-square distribution for 2000000000 samples is 510000000000.00, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 255.0000 (127.5 = random).
Monte Carlo value for Pi is 0.000000000 (error 100.00 percent).
Serial correlation coefficient is undefined (all values equal!).

Section 040

Value Char Occurrences Fraction
255 ÿ 2000000000 1.000000
Total: 2000000000 1.000000

Entropy = 0.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 100 percent.
Chi-square distribution for 2000000000 samples is 510000000000.00, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 255.0000 (127.5 = random).
Monte Carlo value for Pi is 0.000000000 (error 100.00 percent).
Serial correlation coefficient is undefined (all values equal!).

Section 041
6180264 0.003090Digital Forensic Review 30 October 2008 56 208 Ð 6183878 0.003092 209 Ñ 6181613 0.003091 210 Ò 6179062 0.003090 211 Ó 6180338 0.003090 212 Ô 6179087 0.003090 213 Õ 6181766 0.003091 214 Ö 6182194 0.003091 215 × 6182630 0.003091 216 Ø 6182216 0.003091 217 Ù 6187118 0.003094 218 Ú 6182624 0.003091 219 Û 6182838 0.003091 220 Ü 6180125 0.003090 221 Ý 6181510 0.003091 222 Þ 6183234 0.003092 223 ß 6186385 0.003093 224 à 6185545 0.003093 225 á 6181073 0.003091 226 â 6183609 0.003092 227 ã 6183620 0.003092 228 ä 6181266 0.003091 229 å 6184645 0.003092 230 æ 6182398 0.003091 231 ç 6181655 0.003091 232 è 6179556 0.003090 233 é 6182602 0.003091 234 ê 6182334 0.003091 235 ë 6180356 0.003090 236 ì 6182313 0.003091 237 í 6182489 0.003091 238 î 6179690 0.003090 239 ï 6182233 0.003091 240 ð 6182331 0.003091 241 ñ 6183209 0.003092 242 ò 6177971 0.003089 243 ó 6179293 0.003090 244 ô 6182400 0.003091 245 õ 6181991 0.003091 246 ö 6184570 0.003092 247 ÷ 6181015 0.003091 248 ø 6180208 0.003090 249 ù 6181531 0.003091 250 ú 6182546 0.003091 251 û 6182141 0.003091 252 ü 6180195 0.003090 253 ý 6181839 0.003091 254 þ 6181642 0.003091 255 ÿ 423482757 0.211741Digital Forensic Review 30 October 2008 57 Total: 2000000000 1.000000 Entropy = 7.046416 bits per byte. Optimum compression would reduce the size of this 2000000000 byte file by 11 percent. Chi-square distribution for 2000000000 samples is 22202795446.58, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 154.1018 (127.5 = random). Monte Carlo value for Pi is 2.486088866 (error 20.87 percent). Serial correlation coefficient is 0.383177 (totally uncorrelated = 0.0). 

Section 042

Entropy = 8.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 0 percent.
Chi-square distribution for 2000000000 samples is 250.99, and randomly would exceed this value 55.92 percent of the times.
Arithmetic mean value of data bytes is 127.4996 (127.5 = random).
Monte Carlo value for Pi is 3.141592527 (error 0.00 percent).
Serial correlation coefficient is 0.000019 (totally uncorrelated = 0.0).

Section 043

Section 057

Entropy = 8.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 0 percent.
Chi-square distribution for 2000000000 samples is 279.44, and randomly would exceed this value 14.03 percent of the times.
Arithmetic mean value of data bytes is 127.5017 (127.5 = random).
Monte Carlo value for Pi is 3.141520767 (error 0.00 percent).
Serial correlation coefficient is 0.000014 (totally uncorrelated = 0.0).

Section 059

Entropy = 8.000000 bits per byte.
Optimum compression would reduce the size of this 2000000000 byte file by 0 percent.
Chi-square distribution for 2000000000 samples is 267.39, and randomly would exceed this value 28.45 percent of the times.
Arithmetic mean value of data bytes is 127.4973 (127.5 = random).
Monte Carlo value for Pi is 3.141614703 (error 0.00 percent).
Serial correlation coefficient is -0.000004 (totally uncorrelated = 0.0).

Section 060

Entropy = 7.815586 bits per byte.
Optimum compression would reduce the size of this 34131968 byte file by 2 percent.
Chi-square distribution for 34131968 samples is 26654040.58, and randomly would exceed this value less than 0.01 percent of the times.
Arithmetic mean value of data bytes is 129.5099 (127.5 = random).
Monte Carlo value for Pi is 3.023361033 (error 3.76 percent).
Serial correlation coefficient is 0.197848 (totally uncorrelated = 0.0).

APPENDIX 2

CRAIG S WRIGHT

SUMMARY

Craig is one of the most highly qualified digital forensic practitioners globally. With over 10 years of direct digital forensic experience and more than 20 years in IT Security generally, Craig has not only worked to develop many of the techniques in common practice, but is also working to expand the field of knowledge. On top of this, he has completed his LLM (with Commendation).

These engagements have comprised:
• Statistical Data Analysis
• Text Data Mining
• Associative Rules Mining
• Memory Forensics
• Embedded device Forensics
• Network Forensics
• Cryptanalysis
• System incident recovery (“deep diving”)
• Steganography

In addition to his consulting engagements, Craig has also authored several books and articles on digital forensics. He is a co-author of “The Official CHFI Study Guide” and is a co-author of the CISSP-ISSMP Handbook to be released in Sept 2008 by ISC2.

He has very strong skills in TCP/IP, Unix (Solaris, Linux and BSDI), Windows NT/2000/2003, Citrix, Netware, Internet and Intranet Technologies (Web Servers, FTP Servers, Mail Relays, DNS and News Servers), IT Security (Firewalls, Routers, Intrusion Detection systems, User Activity Monitoring systems, Policy and Procedural development, and Incident Response Handling), and Remote Access Methods (Direct Dial, Dial Connect and Internet based VPN Solutions).

With over 30 certifications directly related to IT Security and Digital forensics, Craig is the most highly accredited forensic specialist globally.

Craig developed and published a method to detect Hydan, a steganographic tool designed to hide information within executable binaries. He is currently in the process of publishing a paper on the methods to detect TrueCrypt Hidden (Steganographic) Volumes (which were previously believed and reported to be undetectable).

Craig has the following accreditations:
• CCE Certified Computer Examiner
• GCFA (Gold) GIAC Certified Forensic Analyst
• GSE (Compliance) Global Security Expert
• GSE (Malware) Global Security Expert (Malware)

Craig is the only person to have successfully completed the GSE certification in the southern hemisphere and one of fewer than 15 people globally to have achieved this.
Craig has successfully completed the following engagements;
• Spectral analysis of a digital recording device to provide proof via electronic “fingerprints”,
• Is a member of the GIAC Ethics Council.
• Has produced academically published papers on IT, Mathematics, HR and Business Strategy

CAREER HIGHLIGHTS

Although developing the security measures for the ASX was one of the early highlights of his career, Craig also distinguished himself by designing the security architecture and environment for Lasseter’s On-Line Casino allowing approval by the NT Government for the first online gaming license in Australia. Internationally, Craig led a cross functional horizontal business team which developed and implemented the security policies and procedural practices within Mahindra and Mahindra, India’s largest vehicle manufacturer, oil company and financial firm. Craig contributes to several security groups and has papers published by groups including SANS.

Following is a partial list of organisations demonstrating Craig’s breadth of experience across multiple disciplines.

WORK EXPERIENCE

Senior Manager, Information Systems Manager Statistical and Quantitative Analysis Computer Assurance Manager – BDO Kendalls (Nov 2004 – Current)

Management of a portfolio of CAS audit clients, Digital Forensics and design of statistical tests for accounting and financial systems. This has included the development of an ISMS business plan to offer security review and audit services and ISO 7799 training.
In IT Craig,
• Manages the NSW IT audit and consulting team
• Provides reviews, audits and consulting on a wide range of IT Disciplines
• Provides Training and educational services
• Analysis of Technology contracts and legislative implications of IT policy
• Digital Forensic Services / Expert Witness

In Risk and Analysis, Craig manages and consults on:
• SAS consulting
• Management, Financial and Accounting Systems design
• Data Mining
• Quantitative risk analysis and actuarial design
• Marketing survey analysis
• Analysis of Account for Fraud Detection
• Continuous Audit
• AML/CTF (Anti-Money Laundering / Counter Terrorism Funding) Consulting
• BASEL II Risk Reviews

Some of his recent client engagements include
• Static Code analysis for Centrebet
• Business analysis using DATs (Digital Analysis Technology) for a Marine Sales Company in NSW
• BCP reviews for a number of Credit Unions
• Data Conversion testing for a number of Credit Unions
• IT Security and Risk reviews for several Credit Unions
• SOX IT review and audit for GTN

Security Research – Ridges Estate

Implemented an AusIndustry approved Research Program involving the integration of technical solutions to the information security and agribusiness arenas.
Craig has completed the following assignments;
• Creation of Firewall and Authentication Procedure documents for News Ltd
• Staff Mentoring at News Ltd in Security Technologies
• Risk Assessments for News Ltd based on AS/NZS 4360
• Audit and review activity for News Ltd of the Internet systems and Firewalls
• Staff training and documentation of the SecurID Authorisation systems
• Network Security audit of the Rail Infrastructure Systems Internet Gateways
• DNS and Mail Systems Security for RIC
• Virus containment activities for RIC
• Policy creation for Vodafone Ltd
• Risk Assessments for Vodafone
• Training and documentation of Security Audit and review procedures for Vodafone Ltd
• Wireless systems research

CIO / Principal Consultant – DeMorgan Information Security Systems (Dec 1997 – Aug 2003)

After implementing the security and standards used to establish the Australian Stock Exchange’s OnLine commerce engine, “Enterprise Markets”, Craig founded DeMorgan in 1997 with an aim to the furtherance of Security in the IT arena.

DeMorgan was a provider of IT security services specialising in managed security and secure systems design to the top 150 companies in Australia with a focus on the financial services, banking and technology markets.
• Successfully re-established the company in 2001 after it was placed into administration due to under capitalization.

Craig was engaged with Security Audits and Reviews of over 100 companies during this time including CUSCAL, the ASX, Lasseter’s and others. He has implemented an AusIndustry approved Research Program concerning wireless intrusion detection techniques. He has published procedures for the lockdown of both Windows and Unix based hosts. Craig’s role included the Executive management of the firm including both IT consultants, administrative and helpdesk staff with between 20-26 direct reports in 5 locations around Australia.
Security Consultant – Australian Stock Exchange 1997/1998

Craig was chosen to design and implement security systems for the Australian Stock Exchange. This involved:
• Creating organizational roles,
• Creating business strategies,
• Defining the positions based on the business strategies,
• Creating job descriptions based on the proposed positions,
• Developing individual development plans to enable staff to perform their new roles,
• Creation of performance indicators to be able to assess the outputs of this new business unit

In this position Craig was required to:
• Provide technical advice on highly complex security matters to other areas of ASX.
• Supervise the activities of staff involved in supporting the Internet Gateway.
• Supervise the activities of the Security Consulting and Design Teams
• Provide security consulting for more complex situations.

Craig remained as independent technical adviser to the ASX until 2004.

EDUCATION - SUMMARY

Master of Network and Systems from Charles Sturt University
• IT Masters – Networked systems

Master of Management (Information Technology) from Charles Sturt University.
• Management of IT
• Finance
• Human Resources

Master of Law, (Graduand) Northumbria University, Newcastle (UK)
LLM (International Commercial Law, Honors)
• Ecommerce Law.
• Intellectual Property
• International Finance Law

Craig is enrolled at Newcastle University and is completing a Master of Statistics Degree
• Applied Business Research and MIS Data analysis.
• Completion date 2008
• Post Grad. Diploma (Statistics) complete.

Other Qualifications (not exclusive)
• Post Graduate Certificate in Management (Purchasing and Logistics)
• Post Graduate Certificate in Management (Finance)
• Post Grad. Diploma (Statistics) in Computational methods
• Certificate in Management (Sales Management)
• Associate in Science (Chemistry, Fuel Science)
• Associate in Science (Applied Physics, Nuclear Science)
• Doctor in Theology (Comparative Religious History)

PROFESSIONAL QUALIFICATIONS AND ASSOCIATIONS

GSE (Compliance) - SANS/GIAC GSE in compliance. Craig is the first (and only so far) person to have achieved this platinum level accreditation from GIAC globally.
CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
CISSP – Certified Information Systems Security Professional
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Management Professional (ISSMP)

Misc Certifications
MCSE - Microsoft Certified System Engineer
MCSA - Microsoft Certified System Administrator
MSDBA – Microsoft Certified Data Base Analyst
GCFA – GIAC Certified Forensic Analyst
G7799 – G7799 Certified ISO 17799 Specialist
GNSA – GIAC Certified Member in good standing,
• AIFM (Associate Fellow) at AIM (Australian Institute of Management)
• IEEE (Member) – Institute of Electrical and Electronic Engineers

Craig has several published works including;
• Co-Author, SANS Windows NT Security Handbook
• “DNS Security in Australia”, Academic work published on various distributors.
• Various periodical and News Paper articles (including the Australian and CIO Magazine).
• Over 10 peer reviewed academic papers

INTERESTS
• Research and Development activities,
• Music, Piano (Trinity Grade 5, 4 octave range)
• Boating.

COMMUNITY SERVICES
• Involvement with
  • United-care Burnside, Port Macquarie
  • St Vincent Community Services
  • Landcare Australia

PERSONAL
Marital status: Married
Nationality: Australian Citizen

Summary of qualifications and achievements

The following is a non-exclusive list of degrees and certifications I hold.
MMgmt(IT) CSU Masters of Management (IT)
MNSA CSU Master of Network and System Admin
CISSP # 47302 (ISC)2 Certified Information Systems Security Professional
ISSMP # 47302 (ISC)2 Information Systems Security - Management Professional
ISSAP # 47302 (ISC)2 Information Systems Security - Architecture Professional
CISA # 0542911 IS Audit and Control Association - Certified Information Systems Auditor
CISM # 0300803 IS Audit and Control Association - Certified Information Security Manager
CCE # 480 ISFCE - Certified Computer Examiner
ISSPCS # 051 International Systems Security Professional Certification Scheme
GSE-Compliance #0001 [Platinum] GIAC Security Compliance (GSE-Compliance)
GSEC # 10506 [Gold] GIAC Security Essentials Certification (GSEC)
GCIH # 06896 [Silver] GIAC Certified Incident Handler
GCIA # 02913 [Silver] GIAC Certified Intrusion Analyst
GCFW # 01891 [Silver] GIAC Certified Firewall Analyst
GCWN # 01234 [Silver] GIAC Certified Windows Security Administrator
GAWN # 00894 [Silver] GIAC Assessing Wireless Networks
GCUX # 00587 [Silver] GIAC Certified UNIX Security Administrator
GNET # GIAC .Net
GSLC # GIAC Security Leadership Certification
GHTQ # 00368 [Silver] GIAC Cutting Edge Hacking Techniques
G7799 # 0039 [GOLD] GIAC Certified ISO-17799 Specialist (G7799)
GCFA # 0265 [GOLD] GIAC Certified Forensics Analyst (GCFA)
GSNA # 0571 [GOLD] GIAC Systems and Network Auditor (GSNA)
GSAE # 00141 [Silver] GIAC Security Audit Essentials (GSAE)
GLEG # 0006 [GOLD] GIAC Legal Issues (GLEG)
GLEG Incorporates GIAC Business Law and Computer Security (GBLC)
GLEG Incorporates GIAC Contracting for Data Security (GCDS)
GLIT GLEG Incorporates GIAC Legal Issues in Information Technologies (GLIT)
GLFR # 0016 GIAC Law of Fraud (GLFR)
GREM # 0586 GIAC Reverse Engineering Malware (GREM)
GPCI # 0086 GIAC Payment Card Industry (GPCI)
GSPA # 0101 GIAC Security Policy and Awareness (GSPA)
GLDR # 0101 GIAC Leadership (GLDR)
GWAS # 0535 GIAC Web Application Security (GWAS)
GIPS # 0036 GIAC Intrusion Prevention (GIPS)
SSP-MPA # 0416 Stay Sharp Program - Mastering Packet Analysis (SSP-MPA)
SSP-GHD # 0246 Stay Sharp Program - Google Hacking and Defense (SSP-GHD)
SSP-DRAP # 0171 Stay Sharp Program - Defeating Rogue Access Points (SSP-DRAP)
MCSA # 3062393 Microsoft Certified Systems Administrator
MCSE # 3062393 Microsoft Certified Systems Engineer
MCSE # 3062393 Microsoft Certified Systems Engineer (Mail)
MCSE # 3062393 Microsoft Certified Systems Engineer (Security)
MCDBA # 3062393 Microsoft Certified Database Administrator
MIEEE # 87028913 Member IEEE
AFAIM # PM133844 Associate Fellow Aust Inst. Management
MACS # 3015822 Senior Member Aust Computer Society
MSTAT Newcastle (In Progress) Master of Statistics
LLM Northumbria (Graduand) Master of Law (International Commerce Law, Ecommerce Law) PG Diploma in Law complete
MInfoSysSec CSU (In Progress) Master of Master Information Systems Security Requirements for graduation complete
EUCP Certified (Documentary Letters of Credit under UCP 600)

Publications

The following is a non-exclusive list of the papers and books I have authored or co-authored. I have authored over 80 papers and am writing my 8th book. I have created courseware for several universities on information technology and security, law, risk and finance.

"IT REGULATORY AND STANDARDS COMPLIANCE HANDBOOK". (How to Survive Information Systems Audit and Assessments)
http://www.elsevier.com/wps/find/bookdescription.cws_home/714704/description#description

CHECK POINT NGX R65 SECURITY ADMINISTRATION (Co-Author)
http://www.elsevier.com/wps/find/bookdescription.cws_home/714139/description#description

“Requirements for Record Keeping and Document Destruction in a Digital World” SANS RR – Oct 2007.

“Electronic Contracting in an Insecure World” SANS RR – Nov 2007.
“Application, scope and limits of Letters of Indemnity in regards to the International Law of Trade” Internal Publication, BDO Aug 2007

“UCP 500, fizzle or bang” Internal Publication, BDO July 2007

“The Official CHFI Study Guide” (Exam 312-49) (Paperback) by Dave Kleiman (Author), Craig Wright (Author), Jesse "James" Varsalone (Author), Timothy Clinton (Author) Syngress, USA 2007 ISBN-10: 1597491977 ISBN-13: 978-1597491976

“The Problem With Document Destruction”, ITAudit, Vol 10. 10 Aug 2007, The IIA, USA
Available online at: http://www.theiia.org/ITAudit/index.cfm?iid=552&catid=21&aid=2763
Reproduced in the British Computer Society Journal of Risk

“A Taxonomy of Information Systems Audits, Assessments and Reviews” SANS Reading Room, Audit (June 2007)
Available online at: http://www.sans.org/reading_room/whitepapers/auditing/1801.php

“Analysis of a serial based digital voice recorder” SANS GIAC, Digital Forensics (Sept 2006)
Available online at: http://www.giac.org/certified_professionals/practicals/GCFA/0265.php

A QUANTITATIVE TIME SERIES ANALYSIS OF MALWARE AND VULNERABILITY TRENDS Paper and Presentation at Ruxcon Oct 2006 Australia

“Port Scanning A violation of Property rights” Hakin9 Journal (Aug 2006)
Available online at http://en.hakin9.org/?module=products&moduleAction=articleInfo&value=160

“Risk & Risk Management” (15 Jun 2006) Paper and Presentation at 360 Degree Security Summit 2006

“Beyond Vulnerability Scans — Security Considerations for Auditors”, ITAudit, Vol 8. 15 Sept 2005, The IIA, USA
Available online at: http://www.theiia.org/ITAudit/index.cfm?act=itaudit.archive&fid=5651

“PCI Payment Card Industry Facts” Retail Industry journal, July 2005

“Implementing an Information Security Management System (ISMS) Training process” SANS GIAC, ISO 17799/27001 (Sept 2005)
Available online at: http://www.giac.org/certified_professionals/practicals/G7799/0039.php

“DNS Security in Australia” Adrian Ashbury and Craig S Wright, Net Security, June 2000.
Available online at http://www.net-security.org/cgi-bin/download.cgi?DNS-Scan-Results.pdf

“Windows NT Security Step by Step” The SANS Institute SANS Institute © 2001 (Co-Author)

“A Comparative analysis of Firewalls” in “The Internet Hot Sheet” Sept 1999

Appendix 3 - Entropy Baselines

A test of the general level of randomness that can be obtained from a computer system was conducted to create a test baseline. To conduct this test, 5,000 files were created with random content. These were created as follows:

dd if=/dev/urandom of=/mount/ClientIDX/data/urandom.$1 count=2000

The variable $1 was used in a for-next loop to create 5,000 files (urandom.1, …, urandom.5000) that contain random data. This process was repeated using the Linux /dev/random device through which the remaining 5,000 files were created (random.1, …, random.5000). Both /dev/random and /dev/urandom have been included in the sample to ensure that all possible distributions of random data have been included in the sample.

A test of the entropy (see Appendix 1) was conducted for each of the 10,000 files and a distribution of the results was entered into “R” [7].

> summary(entropy)
   Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
  7.992   7.995   7.996   7.996   7.996   7.999
> max(entropy) # The maximum value recorded in 10,000 samples
[1] 7.999082
> mean(entropy) # The mean value of Entropy
[1] 7.995761
> sd(entropy) # The standard Deviation
[1] 0.0009401717
>

At this level (which is over 4.509 standard deviations away), we find a p-value [8] = (2.2e-16) that any 1Mb random section of data will have an entropy calculation of 8.000000.

A test of the hypothesis that the entropy of the hidden partition may be conducted by differencing the values from the 35Gb drive partition and that of the test sample [9]. The hypothesis test is conducted using the t-test statistical function in R. An array (diffs) is created by subtracting the value to be tested (the array called entropy) from the hypothesised value (8.00). Histograms and boxplots of these distributions have been included later in this section.

[7] R is a statistical analysis language and program. http://cran.r-project.org/
[8] This is an indication of the probability associated with finding the occurrence of this level of entropy naturally.
[9] Which has been designed to simulate the natural distribution of random data on a computer system through repeating the creation of random files 10,000 times.

> t.test(diffs, conf.level =0.95)

        One Sample t-test

data:  diffs
t = 450.8372, df = 9999, p-value < 2.2e-16
alternative hypothesis: true mean is not equal to 0
95 percent confidence interval:
 0.004220214 0.004257073
sample estimates:
  mean of x
0.004238643

>
> t.test(diffs, conf.level =0.9999)

        One Sample t-test

data:  diffs
t = 450.8372, df = 9999, p-value < 2.2e-16
alternative hypothesis: true mean is not equal to 0
99.99 percent confidence interval:
 0.004202050 0.004275236
sample estimates:
  mean of x
0.004238643

>

Using Student’s T-Test (above) we see that we have to reject the hypothesis that the means could be equal (that is that the entropy of the 35Gb partition could occur naturally).
The difference in entropy calculated is small, but it is statistically significant at a level of alpha = 0.0001. This is a confidence level of 99.99%. These results are a clear indication that the data on the 35Gb hidden partition consists of a TrueCrypt hidden volume and are not randomly occurring information. It should also be noted that data created using a random number generator is significantly more random than that created through normal use.

[Figure: Histogram of entropy (x-axis: entropy; y-axis: Frequency)]

[Figure: Histogram of diffs (x-axis: diffs; y-axis: Frequency)]
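The baseline procedure of this appendix, reproduced at small scale as an added Python example (not part of the original report): it computes the per-file byte entropy, the diffs array and the one-sample t statistic, and sets the mean of diffs beside the first-order finite-sample shortfall of (K-1)/(2N ln 2) bits that the measured entropy of uniformly random bytes shows below 8.0. The seeded generator standing in for /dev/urandom, the file count and size, and all function names are assumptions.

```python
import math
import random
import statistics
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (the figure `ent` reports)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def expected_shortfall_bits(n_bytes: int, symbols: int = 256) -> float:
    """First-order (Miller-Madow) bias of the plug-in estimate for uniformly
    random bytes: the measured entropy sits (K-1)/(2 N ln 2) bits below 8."""
    return (symbols - 1) / (2 * n_bytes * math.log(2))


def baseline(n_files: int = 100, size: int = 32768, seed: int = 2008) -> dict:
    """Entropy baseline over constructed random buffers.

    Assumption: a seeded PRNG stands in for /dev/urandom so results repeat;
    n_files and size are scaled down from the report's 10,000 files.
    """
    rng = random.Random(seed)
    entropy = [
        shannon_entropy(rng.getrandbits(8 * size).to_bytes(size, "little"))
        for _ in range(n_files)
    ]
    diffs = [8.0 - e for e in entropy]      # hypothesised value minus sample
    mean_diff = statistics.mean(diffs)
    sd = statistics.stdev(diffs)
    t_stat = mean_diff / (sd / math.sqrt(n_files))   # one-sample t, H0: mean 0
    return {
        "mean_entropy": statistics.mean(entropy),
        "sd": sd,
        "mean_diff": mean_diff,
        "t": t_stat,
        "df": n_files - 1,
        "expected_shortfall": expected_shortfall_bits(size),
    }


if __name__ == "__main__":
    r = baseline()
    print(f"mean entropy       = {r['mean_entropy']:.6f} bits per byte")
    print(f"sd                 = {r['sd']:.6f}")
    print(f"mean of diffs      = {r['mean_diff']:.6f}")
    print(f"expected shortfall = {r['expected_shortfall']:.6f}")
    print(f"t = {r['t']:.1f}, df = {r['df']}")
```

Because the shortfall depends on file length, baseline files and the data under test need to be measured in equal-sized sections for the comparison to hold.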