
Digital Forensics Analysis Report

Delivered to Professor Frank Griffits

August 18, 2017

Prepared by Livia Nguyen

Revision Summary

Date      Revision  Comments

8/11/17   1.0       Original rough draft
8/14/17   1.1       Hash, partition and volume analysis
8/15/17   1.2       Users, files, and MFT table analysis
8/16/17   1.3       Evidence recovery and analysis
8/18/17   1.4       Final draft

Version 1.4 1
Executive Summary

On October 21, 1985, Martin McFly reported to Detective Griffits that he had a device containing evidence against the suspect, Biff Tannen. The device turned in to Detective Griffits was a portable personal computer with an attached keyboard and screen; it had no power source. According to Martin McFly, the device contained evidence that Biff Tannen was involved in several alleged crimes, including drug trafficking, sexual exploitation of a minor, and murder.

The case was reopened because current technology allows further analysis of the device. The original hard disk drive in the device was imaged to produce an exact copy of the evidence, and all analysis was performed on that image with current digital forensic tools, which allowed the cold case to be solved.

The evidence found on the image includes documents, images, and other files that can be used to show that Biff Tannen committed the crimes alleged in 1985. A sales summary from several salespeople supports the drug-dealing allegation. Images of a minor were found in his user account on the drive, together with an adult magazine cover, which supports the allegation of sexual exploitation of a minor. In his personal diary he confesses to killing George McFly and disposing of the body out of jealousy and hatred toward him.

Evidence Acquisition Tools

AccessData FTK Imager 3.4.3 x64, Programming Calculator, Windows Disk Management.

Analysis

Hash Verification

The acquisition log contains a hash verification that matches the value recorded for the original image file. A text file stored alongside the image holds the hash verification and is updated each time a verification is run. The hash was verified at the start of the investigation and again after the examination was concluded, to show that the evidence was not modified during the examination. The image text file records the original hard disk, image, and verification information, which is needed to establish in court that the evidence is trustworthy.
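The before-and-after verification described above, written out as an added example; this is not code from the report or from FTK Imager. The digests are streamed so a multi-gigabyte image is never read into memory, and the result is compared case-insensitively against the values an acquisition log would supply. The sample file content, the acquisition_log dictionary and all function names are constructed for the example.

```python
import hashlib
import os
import tempfile

def hash_image(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Stream the image through every requested digest in one pass, so a
    multi-gigabyte image never has to be loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """Compare freshly computed digests with the values recorded at acquisition.
    expected maps hashlib algorithm names to hex digests; the comparison is
    case-insensitive because tools print hex in either case."""
    computed = hash_image(path, algorithms=tuple(expected))
    return {name: computed[name] == expected[name].lower() for name in expected}

def write_sample_image(content):
    """Write constructed bytes to a temporary file standing in for a raw image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path

if __name__ == "__main__":
    # Constructed sample whose digests are the well-known values for "abc";
    # a real acquisition log would supply the digests of the actual image.
    image = write_sample_image(b"abc")
    acquisition_log = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                       "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    print("verification at start of examination:", verify_image(image, acquisition_log))
    with open(image, "r+b") as fh:   # simulate an accidental write during the examination
        fh.write(b"x")
    print("verification after a one-byte change:", verify_image(image, acquisition_log))
    os.remove(image)
```

Run the same verify_image call before the examination starts and after it ends; any False in the result means the image no longer matches the acquisition record and the chain of custody must be reviewed.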

Partition and Volume

There are three regions on this device: two formatted partitions and one region of unpartitioned space, which is unallocated.

The evidence tree shows that Partition 1 is an NTFS file system and Partition 2 is a FAT32 file system. The unpartitioned space precedes Partition 1 and includes sector 0, which holds the MBR; the MBR partition table describes the partitions even though the unpartitioned space itself is not shown in the evidence tree. The partition table occupies offsets 446 through 509 of sector 0 as four 16-byte entries, so the first entry runs from offset 446 to 461. Offset 446 is the boot indicator of the first entry; the value 80 marks that partition as active (bootable). Offset 450, the fifth byte of the entry (entry offset 4), is the partition type; the value 07 is the type code used for NTFS. The same code is also used for exFAT and HPFS, so the volume boot record is what confirms the file system.

The cluster size for Partitions 1 and 2 is 4,096 bytes; the value is found under the File System Information section of the properties pane. The unpartitioned space has no file system properties, so its values have to be calculated by hand.

The cluster count for Partition 1 is 8,483,327, and the cluster count for Partition 2 is 510,948. To

manually calculate the cluster count, simply

The starting sector for Partition 1 is 2,048 and the starting sector for Partition 2 is 67,868,672, as reported by FTK Imager. The same value can be read from the partition table by hand: the 4 bytes at offsets 454 through 457 of the first entry hold the starting LBA sector in little-endian order, so the bytes are read from right to left. The bytes are 00 08 00 00, which read as 00 00 08 00, or 0x800, giving 2,048 in decimal. This confirms the starting sector of Partition 1 and shows that the unpartitioned space occupies sectors 0 through 2,047.

The sector count for Partition 1 is 67,866,624 and the sector count for Partition 2 is 4,096,000. These values come from the File System Information section of the properties pane in FTK Imager. The two partitions are adjacent: 2,048 + 67,866,624 = 67,868,672, which is the starting sector of Partition 2.

Partition 1 (NTFS) has no volume label, so it is shown as NONAME. It does have a volume serial number, reported by FTK Imager as 2261-E755. The volume boot record (VBR) of the second partition shows the volume label BUSINESS. Both are also listed in the File System Information section of the Properties tab in FTK Imager.
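The partition table reading described in this section, as an added example that is not part of the report. It parses the four 16-byte entries at offsets 446 through 509, reads the boot indicator, type byte, little-endian starting LBA and sector count, and checks the 55 AA signature. The constructed sector 0 reproduces the two entries from this report; the type byte 0x0C for the FAT32 partition, the boot-code bytes and all function names are assumptions made for the example. The NTFS cluster-count helper applies the rule that NTFS records one sector fewer than the partition size, which is why 67,866,624 sectors give the 8,483,327 clusters reported above.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries at 446-509; 55 AA signature at 510-511
ENTRY_FORMAT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count
PARTITION_TYPES = {0x07: "NTFS (also exFAT/HPFS)", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x05: "extended", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0):
    """Return a list of the non-empty partition table entries in sector 0."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("sector 0 must be 512 bytes")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("55 AA boot signature missing at offsets 510-511")
    entries = []
    for i in range(4):
        base = TABLE_OFFSET + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, sector0[base:base + 16])
        if ptype == 0 and count == 0:
            continue                       # empty slot
        entries.append({
            "index": i + 1,
            "entry_offset": base,          # 446 for the first entry
            "bootable": boot == 0x80,      # boot indicator at entry byte 0
            "type": ptype,                 # partition type at entry byte 4 (offset 450 for entry 1)
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": start,            # little-endian DWORD at entry bytes 8-11 (454-457)
            "sector_count": count,         # little-endian DWORD at entry bytes 12-15 (458-461)
            "end_lba": start + count - 1,
        })
    return entries

def unpartitioned_before_first(entries):
    """Sectors from 0 up to the first partition; they hold the MBR and are unallocated."""
    return min(e["start_lba"] for e in entries)

def ntfs_cluster_count(sector_count, cluster_size=4096, sector_size=SECTOR_SIZE):
    """NTFS records TotalSectors as one less than the partition size (the final
    sector holds the backup boot sector), so the cluster count is
    (sectors - 1) // sectors_per_cluster. This does not apply to FAT32, whose
    cluster count excludes the reserved area and both FATs."""
    return (sector_count - 1) // (cluster_size // sector_size)

def build_sample_mbr():
    """Constructed sector 0 reproducing the two entries from this report. The
    type byte 0x0C for the FAT32 partition and the boot-code bytes are assumptions."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:8] = bytes.fromhex("33C08ED0BC007C8E")            # start of standard boot code
    mbr[446:462] = struct.pack(ENTRY_FORMAT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 67866624)
    mbr[462:478] = struct.pack(ENTRY_FORMAT, 0x00, b"\0\0\0", 0x0C, b"\0\0\0", 67868672, 4096000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    sector0 = build_sample_mbr()
    print("bytes 454-457:", sector0[454:458].hex(" "))      # 00 08 00 00 -> 0x800 = 2048
    for e in parse_mbr(sector0):
        print(e)
    print("unpartitioned sectors before partition 1:", unpartitioned_before_first(parse_mbr(sector0)))
    print("NTFS clusters:", ntfs_cluster_count(67866624))   # 8483327
```

To run this against real evidence, replace build_sample_mbr() with the first 512 bytes read from the image file; the type byte is only a hint, and the file system should still be confirmed from each partition's volume boot record.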

Users and Files

The file at physical sector 6,293,504 (logical sector 6,291,456 within Partition 1; the difference of 2,048 is the partition's starting sector) is the $MFT file. The file name of the entry at that sector is found in its $FILE_NAME attribute, whose type signature is 30 00 00 00.

The Users directory in the root of Partition 1 lists four profiles, two of which are the built-in Default and Public profiles. The other two are Biff Tannen and Lorraine 195B. The user account located on Partition 2 is the Biff Tannen account.

There are a few notable files in user-accessible directories on Partition 1. A VHD file named Business.vhd is on the Desktop of the Biff Tannen user account. Other notable files are in C:\Users\Biff Tannen\Desktop\My Journal Entries, which contains his diary entries; these could hold critical evidence and needed further analysis. There is also a sub-directory named normal inside a .thumbnails directory in the Biff Tannen user account, which also needed analysis.

The file Compound_file.docs can be found in the root directory of Partition 2, but it has been deleted from the partition.

The Business.vhd file on the Biff Tannen account's desktop is over 1 GB in size. It contains sales information and images of Biff Tannen and the sales team he works with. The VHD also contains a Business Plan.txt file listing the things he wants to do.

MFT Table

Each $MFT entry is 1,024 bytes. The allocated size of the entry is stored in bytes 28 to 31 of the entry header; here it is 00 04 00 00, which in little-endian order is 0x400, or 1,024 in decimal.

To find the offset of the $MFT entry with record number 31,631, multiply the entry size, 1,024 bytes, by the record number: 31,631 × 1,024 = 32,390,144, the starting offset of the entry within the $MFT file. The Go to Offset function of FTK Imager can be used to jump to that entry. Looking through the entry, the file with record number 31,631 is named Business.vhds.v.

The header type signature of the $STANDARD_INFORMATION attribute of every MFT entry is 10 00 00 00, as defined by Brian Carrier (2011).

The hex value of the created time in the $STANDARD_INFORMATION attribute of MFT entry 31,631 is FE 5D 34 45 86 15 D1 01. Read in little-endian order this is 0x01D1158645345DFE, which is 130,909,530,601,315,838 in decimal: a count of 100-nanosecond intervals since January 1, 1601. The decoded created time of this entry is Monday, November 2, 2015 at 3:51:00 PM.

Time: 11/2/2015 3:51:00 PM UTC or 11/2/2015 8:51:00 AM local time.

The header type signature of the $FILE_NAME attribute of every MFT entry is 30 00 00 00, as defined by Carrier (2011).

The hex value of the file name and extension of MFT entry 31,631 is 42 00 75 00 73 00 69 00 6E 00 65 00 73 00 73 00 2E 00 76 00 68 00 64 00 73 00 2E 00 76 00. NTFS stores names as 16-bit UTF-16LE characters rather than ASCII, which is why each letter is followed by a 00 byte; decoded, the file name and extension of this entry is Business.vhds.v.
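The entry-offset arithmetic, FILETIME decoding and UTF-16LE name decoding from the preceding paragraphs, as an added example that is not part of the report. The created-time bytes and the name bytes are the values quoted above; the $FILE_NAME body built by build_sample_file_name_body is constructed (zero parent reference, sizes and flags, Win32 namespace assumed) so that the name-length and namespace fields at body offsets 64 and 65 can be shown. Function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

MFT_ENTRY_SIZE = 1024          # allocated size from entry bytes 28-31: 00 04 00 00
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32+DOS"}

def mft_entry_offset(record_number, entry_size=MFT_ENTRY_SIZE):
    """Byte offset of a record within the $MFT file (treating $MFT as one contiguous file)."""
    return record_number * entry_size

def filetime_ticks(raw8):
    """Eight little-endian bytes -> count of 100 ns intervals since 1601-01-01 UTC."""
    return struct.unpack("<Q", raw8)[0]

def filetime_to_iso(ticks):
    """Decode to an ISO-8601 UTC string. timedelta resolves microseconds, so the
    final digit (tens of nanoseconds) is truncated."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()

def decode_ntfs_name(raw):
    """NTFS names are UTF-16LE, which is why ASCII letters appear as XX 00 pairs."""
    return raw.decode("utf-16-le")

def parse_standard_information(body):
    """Resident $STANDARD_INFORMATION content: created, modified, MFT-modified and
    accessed FILETIMEs at body offsets 0, 8, 16 and 24."""
    names = ("created", "modified", "mft_modified", "accessed")
    return {n: filetime_to_iso(filetime_ticks(body[8 * i:8 * i + 8])) for i, n in enumerate(names)}

def parse_file_name(body):
    """Resident $FILE_NAME content: parent reference 0-7, four FILETIMEs 8-39,
    allocated/actual size 40-55, flags 56-63, name length (characters) at 64,
    namespace at 65, UTF-16LE name from 66."""
    name_len, namespace = body[64], body[65]
    return {"name": decode_ntfs_name(body[66:66 + 2 * name_len]),
            "namespace": NAMESPACES.get(namespace, namespace),
            "created": filetime_to_iso(filetime_ticks(body[8:16]))}

# Values taken from the report: created-time bytes and the UTF-16LE name of entry 31,631.
CREATED_RAW = bytes.fromhex("FE5D34458615D101")
NAME_RAW = bytes.fromhex("42007500730069006E006500730073002E0076006800640073002E007600")

def build_sample_file_name_body(created_raw=CREATED_RAW, name_raw=NAME_RAW, namespace=1):
    """Constructed $FILE_NAME body: parent reference, sizes and flags are zero and the
    Win32 namespace is assumed; only the timestamp and name come from the report."""
    return (b"\0" * 8 + created_raw * 4 + b"\0" * 24
            + struct.pack("<BB", len(name_raw) // 2, namespace) + name_raw)

if __name__ == "__main__":
    print("entry 31631 at $MFT offset", mft_entry_offset(31631))          # 32390144
    ticks = filetime_ticks(CREATED_RAW)
    print("created ticks", ticks, "=", filetime_to_iso(ticks))            # 2015-11-02T15:51:00.131583+00:00
    print(parse_file_name(build_sample_file_name_body()))
```

The $STANDARD_INFORMATION and $FILE_NAME attributes each carry their own set of four timestamps; comparing the two sets is a standard check for timestamp manipulation, since most tools that alter times only change the $STANDARD_INFORMATION copy.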

The data stream of MFT entry 31,631 is in the $DATA attribute, whose header type signature is 80 00 00 00. There are two data streams on this MFT entry. The stream is non-resident: the non-resident flag at byte offset 8 of the attribute header is 01 (a value of 00 would mean resident, with the content stored inside the entry itself).

The run list of the first data stream starts at offset 32,390,520, which is offset 376 within the entry. It consists of a single run, so the stream is stored contiguously on the volume.

The run list of Data Stream 1 is listed as 33 01 E8 03 8F 3E. The first byte, 33, is the run header: the low nibble (3) is the size in bytes of the run length field, and the high nibble (3) is the size in bytes of the starting-cluster field. The next three bytes, 01 E8 03, read little-endian as 03 E8 01, give the number of clusters in the run. The following three bytes give the starting cluster (LCN) on the volume. Because the header calls for a three-byte cluster field, the listing above is one byte short; the stated starting cluster 2,375,311 is 0x243E8F, so the full field read from the entry is 8F 3E 24. The fragment size of run 1 is the number of clusters multiplied by the partition's cluster size of 4,096 bytes, which gives 1,048,580,096 bytes. The starting cluster of this run is 2,375,311.

Hex 03 E8 01 = DEC 256,001; 256,001 × 4,096 = 1,048,580,096

Hex 24 3E 8F = DEC 2,375,311

The data at logical cluster 2,375,311 begins with 33 C0 8E D0 BC 00 7C 8E. These are the opening bytes of the standard Windows master boot record (MBR) boot code (xor ax,ax; mov ss,ax; mov sp,7C00h), which is expected at the start of a fixed-size VHD, since that format stores the raw disk image first; the 55 AA value at the end of the sector is the actual MBR signature.
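The attribute-header and run-list decoding described above, as an added example that is not part of the report. decode_run_list implements the general rule the report applies to one run: it handles several runs, negative (backward) offsets, which are signed and relative to the previous run, and sparse runs with an offset size of 0. The constructed $DATA attribute reproduces the report's values, 256,001 clusters starting at LCN 2,375,311 (0x243E8F); the trailing 24 byte of the offset field is derived from that decimal, and the allocated and actual size fields, the attribute id and all function names are assumptions made for the example.

```python
import struct

CLUSTER_SIZE = 4096
ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def decode_run_list(data):
    """Decode an NTFS run list into [(clusters, starting LCN), ...].
    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field, both little-endian. Offsets are
    signed and relative to the previous run's LCN (so fragments can go backwards);
    an offset size of 0 is a sparse run; a 00 header byte terminates the list."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        header = data[pos]
        off_size, len_size = header >> 4, header & 0x0F
        pos += 1
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((length, None))        # sparse: no clusters allocated on disk
        else:
            lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((length, lcn))
    return runs

def run_extents(runs, cluster_size=CLUSTER_SIZE):
    """Convert runs into byte sizes and byte offsets relative to the start of the volume."""
    return [{"clusters": n, "lcn": lcn, "bytes": n * cluster_size,
             "volume_offset": None if lcn is None else lcn * cluster_size} for n, lcn in runs]

def parse_attribute(attr):
    """Parse one MFT attribute from its 16-byte common header (Carrier): type 0-3,
    length 4-7, non-resident flag 8, name length 9, name offset 10-11, flags 12-13, id 14-15.
    Resident: content size 16-19, content offset 20-21.
    Non-resident: start VCN 16-23, end VCN 24-31, run-list offset 32-33,
    allocated size 40-47, actual size 48-55."""
    atype, length, nonres, name_len, name_off, flags, attr_id = struct.unpack_from("<IIBBHHH", attr, 0)
    info = {"type": atype, "type_name": ATTR_TYPES.get(atype, hex(atype)), "length": length,
            "non_resident": nonres == 1,
            "name": attr[name_off:name_off + 2 * name_len].decode("utf-16-le")}
    if nonres == 1:
        start_vcn, end_vcn, run_off = struct.unpack_from("<QQH", attr, 16)
        alloc, actual = struct.unpack_from("<QQ", attr, 40)
        info.update(start_vcn=start_vcn, end_vcn=end_vcn, run_list_offset=run_off,
                    allocated_size=alloc, actual_size=actual,
                    runs=decode_run_list(attr[run_off:length]))
    else:
        size, off = struct.unpack_from("<IH", attr, 16)
        info["content"] = attr[off:off + size]
    return info

def build_sample_data_attribute():
    """Constructed non-resident $DATA attribute. The run list reproduces the report's
    stated values (256,001 clusters starting at LCN 2,375,311 = 0x243E8F); the
    trailing 24 byte of the offset field is derived from that decimal, and the size
    fields are assumed equal to the run's allocated bytes."""
    run_list = bytes.fromhex("33 01E803 8F3E24 00")
    header = struct.pack("<IIBBHHH", 0x80, 64 + len(run_list), 1, 0, 64, 0, 1)
    nonres = struct.pack("<QQHHI", 0, 256001 - 1, 64, 0, 0)   # VCNs, run-list offset, comp. unit, pad
    sizes = struct.pack("<QQQ", 256001 * 4096, 256001 * 4096, 256001 * 4096)
    return header + nonres + sizes + run_list

if __name__ == "__main__":
    info = parse_attribute(build_sample_data_attribute())
    print(info["type_name"], "non-resident:", info["non_resident"], "runs:", info["runs"])
    print(run_extents(info["runs"]))   # one run of 1,048,580,096 bytes at LCN 2,375,311
```

The volume_offset value is relative to the start of the partition; to seek to the run in the physical image, add the partition's starting sector (2,048 × 512 bytes for Partition 1) before using Go to Offset.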

Case Report

A hint indicated that a virtual hard disk named Special Files.vhd was located in C:\Users\Biff Tannen\Desktop. The $DATA attribute examined above is non-resident (flag 01), and a VHD file named Business.vhd was recovered from that same location, so the file may have been renamed. Windows Disk Management was used to mount the VHD for further analysis. Inside the mounted volume there was a text file named Business Plan.txt describing a plan that refers to the alleged drug trafficking and homicide; further investigation must be performed to establish that this file is genuine.

A JPG file shows that Biff Tannen is the boss in charge of these alleged activities. A JPG of the sales team shows the people who may be involved in the alleged drug trafficking. The file special contract ledger.xls on the Business.vhd contains the sales details for Biff Tannen's casino, Pleasure Paradise Backdoor, up to October 2015, which is when the evidence was found.

Biff Tannen is believed to have killed George McFly, the husband of Lorraine. Tannen's journal entries in My Journal Entries on his account state that he initially wanted to kill Lorraine's unborn daughter, but instead warned her that something bad would happen when the baby turned 5 years old. Five years later Tannen visited the McFlys for the child's 5th birthday. After the party Tannen lured George McFly to his favorite hangout, took him behind the coffee shop, and shot him in the head. He then disposed of the body by dumping it in a valley two blocks from the HV Community Center in Hill Valley.

A .thumbnails folder on Biff Tannen's account contains evidence supporting the alleged crime of sexual exploitation of a minor. There is a thumbnail of an Oh la la magazine cover, an adult magazine comparable to a Playboy magazine today. The same thumbnail folder contains thumbnail images of minors, which support the alleged child exploitation.

Evidence

Drug Trafficking Evidence

Evidence located on the BUSINESS.vhd that contains the sales information.

Sexual Exploitation of Minor Evidence

Thumbnail located in the C:\Users\Biff Tannen\.thumbnails\normal folder.

Homicide Evidence

Journal entry of Biff Tannen located in the My Journal Entries folder on the Desktop.

15 March 1973

Dear Diary,

That bitch Lorraine is still with McFly. Or was until today...

I showed up at the McFly house as they were singing happy birthday to that little brat marty in

the back yard. I could tell he was going to grow up to be a butthead even though he's only five

years old now. I lured George McFly to have lunch with me at his favorite hangout right after

the party. Told him I was a publisher interested in his latest manuscript. That loser couldn't

write a publishable book if his life depended on it.

Haha. Anyway, my younger (and much richer) self met us back behind the coffee shop and put a

bullet in his head. I took his body and dumped it in 2015. I was only there long enough to drop

off the body and then get back to 1973 so that I could watch it all play out.

Young Biff is going to have Lorraine after all!

BT

Reference

Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.

