Comprehensive Forensic Report

Date:
Student Name / Student Number:
Section – A
1. Executive Summary
This report presents a detailed forensic analysis of the digital evidence associated with a drug
smuggling operation involving two principal suspects, Jane Esteban and John Fredricksen. Both were
detained in Wellington, New Zealand, on arrival from Brisbane, Australia, after one kilogram of
methamphetamine was found concealed in Fredricksen's suitcase. A subsequent raid on an address in
Petone recovered additional contraband together with digital devices. The report summarises the
investigation and the digital footprints that, following a detailed forensic examination of the
seized electronic devices, connect the suspects to a wider drug smuggling network.

2. Introduction
Digital forensics is the identification, preservation, examination and reporting of evidence held
on digital devices used in the commission of a crime. In this case, digital forensic techniques
were applied to the seized electronic devices to examine the drug smuggling operation in more
depth. The main purpose of the investigation is to collect forensically sound evidence that
establishes any linkage between the suspects.
3. Case Description
There are two principal suspects in this drug smuggling case: Jane Esteban, later identified as an
undercover officer, and John Fredricksen. Police found 1 kg of methamphetamine in the lining of
Fredricksen's suitcase when he arrived in Wellington. Further inquiries led to a second location
where more contraband, together with digital devices including a desktop computer, was found.
Examination of these devices is therefore essential to establish the full extent of the operation
and who is involved in it.
4. Background and Activities of the Suspects
John Fredricksen: An experienced participant in drug smuggling who used encrypted channels to
communicate with his New Zealand contact, "Steve Kowhai". He coordinated logistics over Discord
and used steganography to exchange sensitive information. Fredricksen recruited Jane Esteban as a
drug mule; in reality she was an undercover officer collecting evidence against the network.
Jane Esteban: An undercover Australian Federal Police officer who posed as an accomplice of
Fredricksen in order to gain entry to his operation. She deployed malware to monitor
communications and gather intelligence. Her role was to collect incriminating evidence against
Fredricksen and Kowhai so that they could be arrested.
Steve Kowhai: A prominent drug dealer in New Zealand who sought to expand his business. He shared
techniques for evading customs with Fredricksen and helped him conceal incriminating messages
within pictures using steganography. Kowhai's messages to Fredricksen were encrypted using several
different tools.
5. Forensic Analysis and Conclusion
The process began with acquisition: the suspects' laptops were imaged first, then the desktop
computer, using FTK Imager. MD5 and SHA-1 hash values were calculated for each image so that any
later change to the evidence could be detected.
a. Encrypted Communications: The encrypted logs on Kowhai's laptop related to logistical plans
for smuggling methamphetamine.
b. Hidden files: Data carving recovered operational files required for the smuggling that had
been concealed inside image files using steganography.
c. Malware Deployment: The Quasar RAT found on Esteban's laptop shows that she deployed it to
monitor communications between Fredricksen and Kowhai, allowing her to obtain information
establishing their involvement in criminal activity.
6. Conclusion
The forensic investigation has revealed a substantial body of digital evidence linking the
suspects to the drug smuggling operation: communication through encrypted channels, documents
hidden by steganography, and software deployed to capture messages. The analysis played a pivotal
role in building intelligence on the activities of the trafficking network and will be valuable
not only in prosecuting the suspects but also in dismantling their illicit business.
Section – B
Details of Methodology
1. The digital forensics methodology used in this investigation is intended to guarantee the
integrity, reliability and reproducibility of the results. Every step, from gathering the
evidence to analysing it, is documented in detail so that the evidence can be regarded as factual
and can withstand challenge.
2. Data Collection
Imaging Process:
FTK Imager, a tool widely used across the digital forensic community, was used to acquire
bit-for-bit forensic images of the devices found with the suspects. Each image was assigned a
unique identifier, and MD5 and SHA-1 hashes were calculated to provide proof of integrity for the
evidence associated with each device.

Device Seizure and Chain of Custody:
All seized devices, and every process applied to the evidence, were kept under documented
custody. Each item was labelled, and hash values were recalculated before and after every
handling step.
Challenges in Evidence Collection:
The most significant challenges were encrypted messages and data hidden within image files.
Specialised tools and techniques, including decryption attempts and steganographic analysis, were
used to extract the hidden data.

3. Systematic Review
Initial Analysis with Autopsy:
The initial examination was performed with Autopsy, an open-source digital forensic platform. The
forensic images were imported into Autopsy for a general analysis of the file systems, with
emphasis on identifying major artefacts, including encrypted files, chat logs and hidden
documents.
Memory Dump Analysis:
Volatile memory dumps from the devices were analysed to capture ephemeral data such as running
processes and network connections. Using the memory analysis plugin in Autopsy, it was possible
to identify active sessions corresponding to the use of communication tools such as Discord and
encrypted email clients such as ProtonMail.

File Decryption and Steganography Detection:
Decryption of the files found on the devices was attempted: known passwords were tried, and
brute-force methods were applied where applicable. Steganography detection tools were used to
find data hidden in image files, and the recovered files were analysed for incriminating
evidence.
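One of the simplest concealments a steganography scan has to catch, and the one referred to in Section A (5.b, files hidden inside images), is a payload appended after the point where the image format legitimately ends. The following Python script is an added example written for this page; it is not the report's own code or any tool output, and the sample JPEG and PNG files and the payload are constructed byte strings, not images from the case.

```python
"""Added example: a first-pass steganography check for data appended to image files.

Appending a payload after a JPEG's EOI marker or a PNG's IEND chunk is a
common way to smuggle a file inside a picture: the image still renders and
the payload survives copying. Walking the container structure to find where
the image legitimately ends, then reporting what follows, is a cheap triage
step before dedicated steganalysis. Written for this page; the sample files
below are constructed byte strings, not images from the case.
"""
import struct
import zlib
from typing import Dict, Optional, Tuple

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, found by walking JPEG segments.

    Each segment before SOS carries a big-endian length that includes the
    length field. After SOS the entropy-coded data follows, where 0xFF is
    always followed by 0x00 (byte stuffing) or an RSTn marker (0xD0-0xD7);
    anything else is the next real marker. Embedded EXIF thumbnails (their
    own FFD8..FFD9 inside APP1) are skipped via the length field, so a naive
    data.rfind(b'\\xff\\xd9') is avoided: an appended payload can contain FFD9.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                      # lost sync: corrupt structure
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers, no length
            continue
        if pos + 4 > n:
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                   # SOS: skip entropy-coded data
            while pos + 1 < n and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None                              # no EOI: truncated file


def png_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (length + type + data + CRC per chunk)."""
    if not data.startswith(PNG_SIG):
        return None
    pos, n = 8, len(data)
    while pos + 8 <= n:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos if pos <= n else None
    return None


def trailing_data(data: bytes) -> Tuple[str, bytes]:
    """Return (format, bytes after the legitimate end of image)."""
    for fmt, end_of in (("jpeg", jpeg_end_offset), ("png", png_end_offset)):
        end = end_of(data)
        if end is not None:
            return fmt, data[end:]
    return "unknown", b""


def triage(files: Dict[str, bytes]) -> Dict[str, int]:
    """Map each file name to its number of trailing bytes; non-zero means examine."""
    return {name: len(trailing_data(blob)[1]) for name, blob in files.items()}


# --- constructed samples (not evidence from the case) -----------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan data with stuffing and RST0
              + b"\xff\xd9")
# Payload deliberately contains FFD9 so that an rfind-based check would miss part of it.
PAYLOAD = b"PK\x03\x04hidden.txt\xff\xd9 trailing payload bytes"
STEGO_JPEG = CLEAN_JPEG + PAYLOAD
STEGO_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    for name, count in triage({"holiday.jpg": CLEAN_JPEG, "meme.jpg": STEGO_JPEG,
                               "logo.png": CLEAN_PNG, "wallpaper.png": STEGO_PNG}).items():
        print(f"{name}: {count} trailing bytes" + ("  <-- examine" if count else ""))
```

A non-zero count is only a lead: the trailing bytes still have to be carved out and identified (here the payload begins with a ZIP local-file header), and LSB-style embedding that keeps the file structure intact will not be caught by this check at all.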

Issues in Assessment:
The main challenges encountered were secure communications, breaking encryption and extracting
hidden information. More advanced techniques such as brute-forcing and password recovery were
used, with limited success because of the complexity of the passwords involved.
4. Replication
Documentation of Procedures:
Detailed documentation of all procedures, including tool settings, hash values and the
configurations used in the examination, was maintained so that another forensic examiner could
reproduce the results step by step.
Hash Verification:
The hash values of each forensic image and of the extracted data were checked consistently
throughout the investigation to assure evidence integrity. A change in a hash value would indicate
alteration; no such change was observed in this case.
Peer Review:
The findings were peer reviewed by another forensic examiner to validate that the methodologies
were appropriate and that the evidence supports the conclusions.
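The imaging and verification steps described under 2. Data Collection (Imaging Process and Chain of Custody) and 4. Replication (Hash Verification) reduce to one discipline: hash the image once at acquisition, then re-hash it at every handover and compare. The Python script below is an added example written for this page, not FTK Imager output or the report's own code; the evidence bytes, item identifier and handler names are constructed for illustration.

```python
"""Added example: hash an acquired image and re-verify it at each custody step.

Illustrative code written for this page, not output of FTK Imager or
Autopsy. The image bytes below are constructed sample data standing in for
a raw acquisition.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

CHUNK = 1024 * 1024  # read large images in 1 MiB pieces instead of all at once


def hash_image(data: Iterable[bytes]) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests computed in one pass over the chunks.

    Both algorithms are fed together so the evidence file is read once;
    MD5 and SHA-1 are the two values FTK Imager records in its acquisition log.
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in data:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def chunks(blob: bytes, size: int = CHUNK) -> Iterable[bytes]:
    """Yield an in-memory blob in fixed-size pieces (stands in for file reads)."""
    for i in range(0, len(blob), size):
        yield blob[i:i + size]


@dataclass
class CustodyEntry:
    handler: str
    action: str
    md5: str
    sha1: str
    when: str


@dataclass
class EvidenceItem:
    item_id: str            # unique identifier assigned at imaging, e.g. "EV-001" (constructed)
    description: str
    acquisition_md5: str
    acquisition_sha1: str
    log: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, blob: bytes) -> bool:
        """Hash the image at a handover and append the result to the custody log.

        Returns True if both hashes still match the acquisition values. False
        means the image was altered (or the wrong file was handed over) and
        must be investigated before analysis continues.
        """
        md5, sha1 = hash_image(chunks(blob))
        self.log.append(CustodyEntry(handler, action, md5, sha1,
                                     datetime.now(timezone.utc).isoformat()))
        return md5 == self.acquisition_md5 and sha1 == self.acquisition_sha1


def acquire(item_id: str, description: str, blob: bytes) -> EvidenceItem:
    """Simulate acquisition: hash the image and open its custody log."""
    md5, sha1 = hash_image(chunks(blob))
    item = EvidenceItem(item_id, description, md5, sha1)
    item.record("imaging technician", "acquired (simulated FTK Imager run)", blob)
    return item


# Constructed sample "image": a few sectors of fake disk content, not a real acquisition.
SAMPLE_IMAGE = (b"FAKEDISK" * 64) + bytes(range(256)) * 4 + b"\x00" * 1024


def demo() -> Tuple[bool, bool]:
    """Walk the image through two handovers; the second copy has one byte flipped."""
    item = acquire("EV-001", "laptop HDD (constructed sample)", SAMPLE_IMAGE)
    intact = item.record("examiner A", "received for Autopsy ingest", SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01               # a single-bit change is enough to fail verification
    still_intact = item.record("examiner B", "received for peer review", bytes(tampered))
    return intact, still_intact


if __name__ == "__main__":
    ok, bad = demo()
    print("handover 1 verified:", ok)       # True
    print("handover 2 verified:", bad)      # False: one byte changed
```

Recording the hashes alongside the handler, action and timestamp is what lets the custody log stand on its own later: anyone can re-hash the image and check it against the entry for the point in time in question.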
5. Conclusion
All methodologies applied here were rigorous and consistent with best forensic practice. All
evidence collected and analysed was handled with the utmost care to preserve its integrity, and
all findings are reproducible and legally tenable. The conclusions drawn from this analysis are
therefore reliable.

Section – C
1. Finding – 1: Wallpapers and Memes
Discovery: Inculpatory: Drug-themed wallpapers and memes on Fredricksen's laptop and on the desktop
from the raided address.
Discussion: The presence of these pictures indicates an affinity with drug culture and may
indicate a connection to drug activity. They are not conclusive evidence on their own but support
the other incriminating findings.
Supporting Evidence: The images are in the "Pictures" folder and were in use as desktop
wallpapers. Metadata analysis shows they were created and last modified around the time of the
suspects' arrest.

2. Finding – 2: Web Activity
Discovery: Inculpatory: Browser histories on Fredricksen's and Kowhai's devices revealed searches
relating to drug smuggling, methamphetamine purity and New Zealand drug laws.
Discussion: These searches indicate that the suspects intended to smuggle drugs, knew how to do
so, and were actively planning.
Supporting Evidence: Browser history was extracted using Autopsy and shows the searches were
conducted shortly before the suspects' arrest. Search metadata places them within the timeline of
the incident.
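Autopsy's web-history module does the extraction above for the examiner; what it has to do under the hood is read the browser's SQLite database, convert the stored timestamps (Chromium keeps microseconds since 1601-01-01 UTC) and place each visit against the arrest time. The Python script below is an added example written for this page, not Autopsy's code or the report's own; the History rows, URLs and the arrest time are constructed for illustration.

```python
"""Added example: pull keyword-relevant searches from a Chrome-style History
database and place them on the incident timeline.

Chromium stores visit times as microseconds since 1601-01-01 UTC (the WebKit
epoch), so the raw integers must be converted before they can be compared
with the arrest date. Written for this page; the rows, URLs and arrest time
are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Terms of interest; matched case-insensitively against URL, title and decoded query.
KEYWORDS = ("methamphetamine", "smuggl", "drug law", "purity", "customs")

# Subset of the real Chromium History schema sufficient for this example.
CHROME_SCHEMA = """
CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                     visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     transition INTEGER);
"""


def webkit_to_datetime(us: int) -> datetime:
    """Chromium History timestamps: microseconds since 1601-01-01 00:00 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def search_term(url: str) -> str:
    """Decode the q= parameter of a search-engine URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def relevant_searches(conn: sqlite3.Connection, start: datetime, end: datetime,
                      keywords=KEYWORDS) -> List[Tuple[str, str, str]]:
    """Visits inside [start, end] whose URL, title or query mention a keyword.

    Returns (UTC timestamp, URL, decoded search term), oldest first. The time
    window is applied to the raw integer in SQL so only candidate rows are
    converted in Python.
    """
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time",
        (datetime_to_webkit(start), datetime_to_webkit(end)))
    hits = []
    for us, url, title in rows:
        term = search_term(url)
        haystack = f"{url} {title or ''} {term}".lower()
        if any(k in haystack for k in keywords):
            hits.append((webkit_to_datetime(us).strftime("%Y-%m-%d %H:%M:%S UTC"), url, term))
    return hits


def build_sample_history(arrest: datetime) -> sqlite3.Connection:
    """Constructed History database; every row is invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(CHROME_SCHEMA)
    g = "https://www.google.com/search?q="
    rows = [
        (1, g + "methamphetamine+purity+test", "methamphetamine purity test - Google Search", arrest - timedelta(days=3)),
        (2, g + "new+zealand+drug+laws+penalties", "new zealand drug laws penalties - Google Search", arrest - timedelta(days=2, hours=5)),
        (3, "https://www.metservice.com/", "Wellington weather", arrest - timedelta(days=1)),
        (4, g + "how+to+get+past+customs+with+luggage", "how to get past customs with luggage - Google Search", arrest - timedelta(hours=20)),
        (5, g + "methamphetamine+wikipedia", "Methamphetamine - Wikipedia", arrest - timedelta(days=60)),  # outside window
    ]
    for id_, url, title, when in rows:
        us = datetime_to_webkit(when)
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)", (id_, url, title, us))
        conn.execute("INSERT INTO visits VALUES (NULL, ?, ?, 0)", (id_, us))
    conn.commit()
    return conn


def demo() -> List[Tuple[str, str, str]]:
    """Searches in the week before an assumed arrest time (constructed date)."""
    arrest = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    conn = build_sample_history(arrest)
    return relevant_searches(conn, arrest - timedelta(days=7), arrest)


if __name__ == "__main__":
    for when, url, term in demo():
        print(when, "|", term or url)
```

Firefox uses a different layout (places.sqlite, moz_places.last_visit_date in microseconds since the Unix epoch), so the same query has to be adapted per browser; the conversion step is the part most often got wrong when timestamps are read by hand.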

3. Finding – 3: Binaries Found on Suspect PC and Laptop
Discovery: Inculpatory: The encryption tool TrueCrypt and image steganography software were
discovered on the suspects' computers.
Discussion: Using TrueCrypt volumes to encrypt files and image steganography to hide them
suggests a deliberate effort to conceal incriminating data. Such tools are frequently used by
criminals who need to hide or destroy sensitive information.
Supporting Evidence: The software was found in the "Applications" folder. Usage logs show the
applications were heavily used in the weeks before the suspects were arrested.
4. Finding – 4: Channel of Communication
Discovery: Inculpatory: Encrypted log files covering communications conducted through ProtonMail
and Discord.
Discussion: The communications concern logistics and the coordination of smuggling, which ties
the suspects directly to the illegal activity.
Supporting Evidence: The chat logs were extracted and analysed using Autopsy. Timestamps and
metadata confirm their relevance to the investigation.
5. Finding – 5: Identification of Documents
Discovery: Inculpatory: An Excel document titled "clients", listing individuals involved in the
drug operation, was found on Fredricksen's PC.
Discussion: This document links the suspects to a wider set of individuals associated with the
smuggling enterprise, and its existence speaks to the organised nature of the criminal business.

Supporting Evidence: The file was located in the "Business" folder. Metadata analysis determined
that it was created and modified within the date range of the incident.
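The metadata analysis referred to in Finding 5 has two independent sources for an Excel file: the filesystem timestamps, and the authorship and date properties embedded inside the document itself, which survive copying to another disk. The Python script below is an added example written for this page, not the report's own code or any tool output; the workbook it parses is built in memory with invented author names and dates, and the incident window is an assumption.

```python
"""Added example: read authorship and timestamps from an Office (OOXML) document.

An .xlsx/.docx file is a zip archive whose docProps/core.xml carries the
Dublin Core properties Excel writes: creator, lastModifiedBy,
dcterms:created and dcterms:modified. These embedded timestamps are
independent of filesystem MAC times, which is why both should be reported.
Written for this page; the workbook below is constructed with invented values.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timezone
from typing import Dict, Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml in the shape Excel emits; names and dates are invented.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>clients</dc:title>
 <dc:creator>author1</dc:creator>
 <cp:lastModifiedBy>author1</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2024-02-20T14:03:11Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2024-03-08T21:47:52Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_xlsx() -> bytes:
    """Minimal zip with the parts a metadata parser needs (not a complete workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def _w3cdtf(value: Optional[str]) -> Optional[datetime]:
    """Parse the W3C date format Office uses (UTC with a trailing Z)."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def core_properties(blob: bytes) -> Dict[str, object]:
    """Extract title, creator, last editor and created/modified times from an OOXML file."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str) -> Optional[str]:
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "title": text("dc:title"),
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": _w3cdtf(text("dcterms:created")),
        "modified": _w3cdtf(text("dcterms:modified")),
    }


def within_window(props: Dict[str, object], start: datetime, end: datetime) -> bool:
    """True only if both embedded timestamps are present and inside the window."""
    created, modified = props["created"], props["modified"]
    if created is None or modified is None:
        return False
    return start <= created <= end and start <= modified <= end


def demo() -> Dict[str, object]:
    """Assumed incident window, 2024-02-01 to an arrest on 2024-03-10 (constructed)."""
    props = core_properties(build_sample_xlsx())
    start = datetime(2024, 2, 1, tzinfo=timezone.utc)
    end = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    props["in_incident_window"] = within_window(props, start, end)
    return props


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The embedded values are set by the application clock on the machine that saved the file, so they should be reported next to the filesystem timestamps rather than in place of them; disagreement between the two is itself a finding worth recording.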
6. Finding – 6: Techniques of Obscurity
Discovery: Inculpatory: Fredricksen used several concealment techniques, including encryption
with TrueCrypt and hiding documents inside images using steganography.
Discussion: These methods show considerable sophistication and a clear intent to conceal evidence
from law enforcement.
Supporting Evidence: TrueCrypt volumes and steganographic images were found; partial decryption
with known keys confirmed the existence of hidden data inside them, proving that these
obfuscation methods were used.

7. Finding – 7: Encryption Techniques
Discovery: Inculpatory: AES encryption and ProtonMail's end-to-end encryption were used to
protect sensitive documents and messages.
Discussion: The use of strong encryption indicates that the suspects were trying to conceal their
activity. Without the decryption keys, investigators could not have recovered this evidence.
Supporting Evidence: Encrypted volumes and encrypted emails were present on the suspects'
devices. The encryption methods and available keys were examined, and parts were decrypted to
reveal pertinent information.
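Findings 3, 6 and 7 all turn on locating TrueCrypt volumes, which is harder than locating the TrueCrypt binary: a volume has no magic bytes, so the examiner falls back on heuristics (no recognisable file signature, near-maximal Shannon entropy, size a multiple of the 512-byte sector). The Python script below is an added example written for this page, not the report's own code or any tool output; the sample files are constructed, with SHA-256 output standing in for ciphertext, and the thresholds are the author's assumptions.

```python
"""Added example: entropy-based triage for TrueCrypt/VeraCrypt-style containers.

A TrueCrypt volume has no magic bytes: its first 64 KiB is a random salt
followed by an encrypted header, and the whole file is indistinguishable
from random data. The classic heuristic is therefore: no recognisable file
signature, near-8.0 bits/byte Shannon entropy, and a size that is a
multiple of the 512-byte sector. Compressed archives also score near 8.0,
which is why the signature check comes first. Written for this page; the
samples are constructed (SHA-256 output stands in for ciphertext).
"""
import gzip
import hashlib
import math
from collections import Counter
from typing import Dict

SECTOR = 512
ENTROPY_THRESHOLD = 7.9          # bits/byte; 64 KiB of ciphertext sits around 7.997
# A few well-known magic byte sequences; a match means a known format, not a bare container.
KNOWN_SIGNATURES = {
    b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip/ooxml", b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png", b"MZ": "pe", b"\x7fELF": "elf",
    b"LUKS\xba\xbe": "luks", b"Salted__": "openssl enc",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_signature(data: bytes) -> str:
    for magic, name in KNOWN_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return ""


def classify(data: bytes) -> Dict[str, object]:
    """Heuristic verdict for a candidate file; entropy is measured on the first 64 KiB."""
    sig = known_signature(data)
    entropy = shannon_entropy(data[:65536])
    if sig:
        verdict = f"known file type: {sig}"
    elif entropy < ENTROPY_THRESHOLD:
        verdict = "low entropy: plaintext, sparse or structured data"
    elif len(data) % SECTOR:
        verdict = "high entropy but not sector-aligned: encrypted file, unlikely a volume"
    else:
        verdict = "possible encrypted container"
    return {"verdict": verdict, "entropy": round(entropy, 3), "size": len(data)}


def pseudo_ciphertext(nbytes: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    for i in range((nbytes + 31) // 32):
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
    return bytes(out[:nbytes])


# --- constructed samples ----------------------------------------------------
CONTAINER_SAMPLE = pseudo_ciphertext(128 * SECTOR)       # 64 KiB, sector-aligned, no header
ODD_SIZE_SAMPLE = pseudo_ciphertext(128 * SECTOR + 37)   # random but not whole sectors
TEXT_SAMPLE = b"Meeting notes: confirm pickup time and location, call back later.\n" * 200
GZIP_SAMPLE = gzip.compress(pseudo_ciphertext(4096))     # high entropy, but carries a gzip header
SPARSE_SAMPLE = b"\x00" * (64 * SECTOR)

if __name__ == "__main__":
    for name, blob in [("vol.dat", CONTAINER_SAMPLE), ("blob.bin", ODD_SIZE_SAMPLE),
                       ("notes.txt", TEXT_SAMPLE), ("backup.gz", GZIP_SAMPLE),
                       ("empty.img", SPARSE_SAMPLE)]:
        r = classify(blob)
        print(f"{name:10} {r['size']:>7} bytes  H={r['entropy']:.3f}  {r['verdict']}")
```

A "possible encrypted container" verdict is a candidate for the password attempts described in Section B, not proof of a volume: the only confirmation is a successful mount or header decryption with a recovered password or keyfile.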
8. Finding – 8: Evading Encryption Methods
Discovery: Inculpatory: Investigators, including Esteban in her undercover role, attempted to
defeat the encryption using brute-force attacks and social engineering.
Discussion: This shows that however strong the encryption itself, the way it is used presents
weaknesses an investigation can exploit. Because Esteban, working undercover, had deployed
keyloggers, she achieved early success.
Supporting Evidence: Logs of the brute-force attempts and the captured keylogger output were
recorded. Although the results were never complete, they were enough to move the investigation
forward.

9. Finding – 9: Malware
Discovery: Exculpatory: The Quasar RAT malware had been embedded in a contact card sent to John
Fredricksen via Discord by Jane Esteban.
Discussion: The malware enabled Esteban to track Fredricksen's activities and capture relevant
evidence, such as his ProtonMail accounts, and was essential in gathering intelligence on the drug
operation.
Supporting Evidence: OSForensics was used to detect and examine the malware. Its deployment,
usage and the data it collected were documented so that the investigation could be extended
further.

10. Finding – 10: Documents
Discovery: Exculpatory: An image of an Australian Police badge and a document entitled
course-undercover survival.pdf were found on Jane Esteban's PC.
Discussion: The presence of these files supports Esteban's claim to be an undercover police
officer. A picture of a badge and a document concerning a survival course are consistent with a
law enforcement role rather than criminal activity, and indicate that her actions, including the
malware deployment, were part of an official undercover operation to investigate the drug
smuggling ring.
Supporting Evidence:
Files Recovered: The Australian police badge image and the document course-undercover
survival.pdf were found in the file system of Esteban's PC.
Context: These files support Esteban's account that she was engaged in a lawful investigation,
not in criminal activity.
Verification: The documents were checked for authenticity, and their content agrees with material
normally used for police training and operations.

Summary and Conclusion


The forensic investigation has uncovered substantial digital evidence that implicates the
suspects in the drug smuggling operation. Through the use of encryption, steganography, and
other obfuscation methods, the suspects attempted to conceal their activities. However, the
deployment of sophisticated forensic techniques allowed investigators to uncover crucial
evidence that will be instrumental in prosecuting the suspects and dismantling their network.
The findings are well-supported and legally defensible, ensuring a robust case against those
involved.
Appendices

1. FTK Imager
