Donald Price is an employee of Joachim’s Art Gallery, based in Melbourne, Australia. Mr. Price had been suspended from the gallery when an audit discovered that one of the pieces he was responsible for had disappeared. (This was a small watercolour of two boats.) Unfortunately, Mr. Price wiped the hard disk of his office PC before investigators could be deployed. However, a CD-ROM was found in the PC’s CD-ROM drive. Although Mr. Price subsequently denied that the CD-ROM belonged to him, it was seized and entered into evidence.
A forensic image of the CD-ROM in raw format can be found here: http://www.deakin.edu.au/~zoidberg/2013OZ.ISO
Its MD5 hash value can be found here: http://www.deakin.edu.au/~zoidberg/2013OZ.ISO.md5
You, an ITS officer employed by Joachim’s Art Gallery, are assigned to examine the image for any information relating to the case. Keep in mind malicious code and other means that could alter the evidence. YOU MUST CITE ALL REFERENCES INCLUDING TECHNICAL MANUALS AND LAW PARAGRAPHS.
Your analysis should be conducted on a virtual machine (VMware) and include the following information:
1.1 Use an evidence form to document the evidence given to you.
1.2 Describe the environment of your forensic workstation and the access to the machine. Describe the procedure that you used to download the image file to your work directory.
1.3 Give at least two SHA-based hash function values of the ISO image.
1.4 Explain why multiple hash values are necessary to verify the validity of the image file.
1.5 Explain the procedure that you used before you could access the image file inside the virtual machine.
2.1 Use a table to document the detailed information of the files found in the root directory of the ISO image: file names, actual file sizes and their MD5 hash values.
2.2 Provide a description of any programs you would like to use based on the files identified on the ISO image.
3.1 Describe the key words you used to search the ISO image and explain why you chose them. Detail your search result and give your conclusions. (Document your procedure including commands and screenshots.)
4.1 List one violation committed by Mr. Price against the Cybercrime Act 2001, and one violation committed by Mr. Price against the Crimes Act 1958. Back up your answers with definitions.
4.2 Is this case best pursued as a corporate or criminal investigation? Why?
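One way to produce the values asked for in 1.3 and 2.1, as an added example that is not part of the original brief: it hashes the image once for MD5, SHA-1 and SHA-256, checks the MD5 against the published value, and lists the root-directory files with size and MD5. It assumes the .md5 file is in md5sum style ("<hex>  name") or a bare digest and that the image is already mounted read-only; the function names and the paths you pass in are hypothetical.

```python
import hashlib
import os

ALGOS = ("md5", "sha1", "sha256")  # MD5 to match the published value, plus two SHA digests

def multi_hash(path, algos=ALGOS, chunk=1 << 20):
    """Read the file once, in chunks, and feed every digest from the same bytes."""
    digests = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:  # opened read-only; the evidence file is never written
        for block in iter(lambda: fh.read(chunk), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}

def parse_md5_file(text):
    """Return the digest from md5sum-style or bare-digest text (format is an assumption)."""
    parts = text.split()
    token = parts[0].lower() if parts else ""
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("no MD5 digest found in the supplied text")
    return token

def verify_image(image_path, md5_text):
    """Return (matches_published_md5, all_hashes) for the evidence form."""
    hashes = multi_hash(image_path)
    return hashes["md5"] == parse_md5_file(md5_text), hashes

def root_inventory(mount_point):
    """Rows of (file name, size in bytes, MD5) for regular files in the root directory only."""
    rows = []
    for entry in sorted(os.scandir(mount_point), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            size = entry.stat(follow_symlinks=False).st_size
            rows.append((entry.name, size, multi_hash(entry.path, ("md5",))["md5"]))
    return rows

if __name__ == "__main__":
    import sys
    # Usage (hypothetical paths): script.py <image> <md5 file> <read-only mount point>
    image, md5_file, mount = sys.argv[1:4]
    with open(md5_file, "r", encoding="ascii", errors="replace") as fh:
        ok, hashes = verify_image(image, fh.read())
    print("published MD5 matches:", ok)
    for name, value in hashes.items():
        print(f"{name:8} {value}")
    for name, size, md5 in root_inventory(mount):
        print(f"{name:40} {size:>12} {md5}")
```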