Purpose
In this assignment, you will examine a forensic disk image for evidence of coupon forgery creation. Read the scenario document carefully, as you may consider it interview notes with your client. This represents a more complex scenario than Investigation 2 and thus contains a greater degree of irrelevant data. Be sure to give yourself plenty of time to perform the examination and be sure to take advantage of Autopsy’s features to assist your disambiguation.
Instructions
You’ll need to use the following resources to complete the assignment:
- Investigation 03 Sample Evidence*
- Autopsy the open-source forensic suite* (or another suite, such as EnCase or FTK.)
- (Optional) Download and use the report template (See the Investigation and Forensics Challenge module for the templates)
*Accessed via the Virtual Lab.
After reading the Investigation 3 Scenario, open your forensic tool and import the sample evidence into the case. Begin a forensic report to document your examination.
Scenario
This scenario takes place circa 2013.
As part of normal business practice, Walmart security receives Counterfeit Coupon Alerts from the Coupon Information Corporation. Within the past month, Walmart security has received specific information regarding fraudulent coupons being passed at their store. Using the received information, they conducted an internal investigation using video surveillance footage in an effort to identify the customers who are engaged in this activity.
One of the suspects was an unknown white, male adult, approximately 28 years old, brown hair, 5′ 9″, 200 pounds, no facial hair, and no visible tattoos. A photograph of this suspect was circulated to the employees in the store.
On December 22, 2013, Craig Tucker was detained by Walmart security as he matched the description, and he had just passed two fraudulent coupons for Monster energy drink and Arizona Iced Tea beverages while paying for other items. Walmart security contacted the Santa Monica Police Department to arrest and prosecute Tucker for theft. Santa Monica PD Officer Smith interviewed Tucker, and he denied knowing the coupons were fraudulent. He claimed to have received the coupons after completing an online survey for students at Santa Monica Community College.
Although Tucker gave consent to the search of his personal computer, a search warrant was obtained to search his computer for evidence as it may be an instrument to committing a crime. You have been given a forensic image of his hard drive. Based on your review of the search warrant, you are authorized to search for any information or communication associated with the creation, downloading, distribution, and possession of fraudulent consumer coupons.
Questions
1) Can we find any digital artifacts indicating recent activity related to coupon fraud, such as temporary files, cache, or registry entries?
2) Are there indications on Tucker’s computer of tools or files used for creating or altering coupons, and evidence in communications of Tucker distributing or discussing fraudulent coupons?
3) Was Craig Tucker communicating with anyone regarding these coupons?
4) How did Craig know these could be used at Walmart (as there is no indication of this on the coupons themselves)?
5) How long has Craig Tucker been using these coupons? When was the first instance?
6) Is there any evidence to suggest that Tucker visited any websites or other online platforms that are linked to the distribution of fake coupons?
7) Do the file creation or modification dates align with the time Tucker allegedly obtained the coupons?
Format
You can submit your forensic report in Adobe PDF format. It should be a complete report. A template has been provided if you need help, but be aware that not all sections shown in the template will be relevant to this investigation:
- Upload one file (PDF).
- Your forensic report should include a cover page and a page dedicated to answering the accompanying questions at the end.
- You may include screenshots or other evidence to support your conclusions, but a screenshot is not a shortcut to a complete report.
Grading and Submission
In brief, I’ll be evaluating you on the following:
- Forensic Reporting
- The report is complete and contains only the truth.
- Examination Process
- Your examination is fully documented and uses accepted practices.
- Identifying Evidence
- While you are not expected to find every relevant evidence item, you should discover enough to adequately support the conclusions in your report.
