Digital Forensics Chromebook Case Study Solutions

Mohitrajai
Sep 27, 2022

1) The folder to store all your data in — How many files are in Eli’s downloads directory?

->The question asks for the number of downloaded files, so we open FTK and add the folder provided for this investigation as evidence.

->We can see that the total number of downloaded items is 6.

2) Smile for the camera — What is the MD5 hash of the user’s profile photo?

->The question asks for the MD5 hash of the user's profile photo, so let's find the profile photo.

->There is a folder under user->accounts that contains the account details.

->When you right-click this image, FTK Imager offers the option to export the file hash list.

MD5 hash: 5ddd4fe0041839deb0a4b0252002127b

3) Road Trip! — What city was Eli’s destination in?

->This is a tricky question, because the user took a screenshot of his Google Maps road trip and it is stored in Downloads. So let's look at one of the screenshot files in Downloads.

->We can see that the destination city is Plattsburgh.

4) Promise Me — How many promises does Wickr make?

->The next tricky question. When I searched for it, I found a file in Downloads whose name contains "promise", so I opened it. Let's see what is in it.

->I counted them; the total is 9.

5) Key-ty Cat — What are the last five characters of the key for the Tabby Cat extension?

->This is a very tough question, because there are lots of files and I actually don't know what the Tabby Cat extension is.

->After some googling, I understood that Tabby Cat is a Google Chrome extension.

->After a lot of searching in the evidence, I found a folder named extension. I opened it, and one of the folders inside, named Mefhakmgclhhfbdadeojlkbllmecialg, has a manifest.xml file where we see the key.

->The last 5 characters of that key are DAQAB.

6) Time to jam out — How many songs does Eli have downloaded?

->The question asks how many songs the user has downloaded. After searching the evidence, I found a Music path inside the Myfiles folder, which contains the songs.

->There are 2 songs.

7) Autofill, roll out — Which word was Autofilled the most?

->This is a tricky question. The user most probably used the Chrome browser, and Chrome keeps autofill data in the Web Data file, so let's find that file.

->I used DB Browser for SQLite to view the database file.

->Email was used the most.
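The same lookup can be scripted instead of read off in DB Browser. The sketch below is an added example, not part of the original walkthrough: it builds a constructed in-memory copy of Chrome's `autofill` table (all rows are made up) and shows that "most autofilled" gives different answers depending on whether you rank by field name, by value, or by a single row's `count`.

```python
import sqlite3
from datetime import datetime, timezone

def build_sample_web_data():
    """Constructed rows in the layout of the autofill table in Chrome's Web Data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE autofill (name TEXT, value TEXT, value_lower TEXT,
            date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0,
            count INTEGER DEFAULT 1);
        INSERT INTO autofill VALUES
            ('q',        'Weather',     'weather',     1614800000, 1614850000, 4),
            ('username', 'sample.user', 'sample.user', 1614700000, 1614840000, 3),
            ('login',    'Sample.User', 'sample.user', 1614700500, 1614846400, 2),
            ('q',        'news',        'news',        1614800100, 1614800100, 1);
    """)
    return db

def most_autofilled(db, column="value_lower"):
    """Top entry by summed count, grouped by form field name or by entered value."""
    if column not in ("name", "value_lower"):  # whitelist: column goes into the SQL text
        raise ValueError("column must be 'name' or 'value_lower'")
    return db.execute(f"""
        SELECT {column}, SUM(count) AS uses, MAX(date_last_used)
        FROM autofill GROUP BY {column}
        ORDER BY uses DESC, {column} LIMIT 1""").fetchone()

def highest_single_row(db):
    """What sorting the table by the count column alone would show."""
    return db.execute("""SELECT name, value, count FROM autofill
                         ORDER BY count DESC, name LIMIT 1""").fetchone()

def to_utc(epoch_seconds):
    """autofill timestamps are Unix seconds, unlike the History database."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)

if __name__ == "__main__":
    # For a real case, open an exported copy read-only instead, e.g.
    # sqlite3.connect("file:Web Data?mode=ro&immutable=1", uri=True)
    db = build_sample_web_data()
    print("single row :", highest_single_row(db))
    for col in ("name", "value_lower"):
        key, uses, last = most_autofilled(db, col)
        print(f"by {col:11}:", key, uses, to_utc(last).isoformat())
```
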

8) Dress for success — What is this bird’s image’s logical size in bytes?

->I found the bird image in Downloads; the user downloaded this image from the internet.

->To get the exact file size, we first export the image to the local disk and then check its size in Properties. The size is 46791.

9) Repeat customer — What was Eli’s top visited site?

->The answer to this question comes from the History database file. Chrome's History database holds a lot of detail, including the visit counts of websites in a table, so let's open it.

->When we open the History database file, the segment_usage table shows that segment_id 5 has the most visits. Let's see which site this is.

->When you go to the segments table, you see the site below.

->The site http://protonmail.com/ has the most visits.
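The two-table lookup above can be done in one query. This is an added example, not part of the original walkthrough, run against a constructed in-memory database (the URLs and counts are made up) with the `segment_usage`, `segments` and `urls` tables of Chrome's History file. Because `segment_usage` holds one row per segment per time slot, the query sums the rows per segment rather than trusting the single largest row.

```python
import sqlite3

def build_sample_history():
    """Constructed sample with the three Chrome History tables used above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE segments (id INTEGER PRIMARY KEY, name TEXT, url_id INTEGER);
        CREATE TABLE segment_usage (id INTEGER PRIMARY KEY, segment_id INTEGER,
                                    time_slot INTEGER, visit_count INTEGER);
        INSERT INTO urls VALUES (1, 'http://news.example.com/', 5),
                                (2, 'http://mail.example.org/', 9);
        INSERT INTO segments VALUES (1, 'http://news.example.com/', 1),
                                    (2, 'http://mail.example.org/', 2);
        -- One row per segment per time slot; time_slot values are constructed.
        INSERT INTO segment_usage VALUES (1, 1, 100, 5),
                                         (2, 2, 100, 3),
                                         (3, 2, 200, 3),
                                         (4, 2, 300, 3);
    """)
    return db

def top_segments(db, limit=5):
    """Total visits per segment over all time slots, resolved to a URL."""
    return db.execute("""
        SELECT s.id, u.url, SUM(su.visit_count) AS visits
        FROM segment_usage AS su
        JOIN segments AS s ON s.id = su.segment_id
        LEFT JOIN urls AS u ON u.id = s.url_id
        GROUP BY s.id, u.url
        ORDER BY visits DESC, s.id
        LIMIT ?""", (limit,)).fetchall()

def busiest_single_row(db):
    """What sorting segment_usage by visit_count alone would show."""
    return db.execute("""SELECT segment_id, visit_count FROM segment_usage
                         ORDER BY visit_count DESC, id LIMIT 1""").fetchone()

if __name__ == "__main__":
    # For a real case, open an exported copy read-only instead, e.g.
    # sqlite3.connect("file:History?mode=ro&immutable=1", uri=True)
    db = build_sample_history()
    print("largest single row:", busiest_single_row(db))
    print("summed per segment:", top_segments(db))
```
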

10) Vroom Vroom — What is the name of the car-related theme?

->Actually, I can't understand this question, but when I looked at the car-related images I found one image of a car, located at extension/dkkklbgbfaeockpgbkleblklmcjdbnbj/1_0/images/

->The car name is Lamborghini Cherry.

11) You got mail — How many emails were received from notification@service.tiktok.com?

->I added the evidence files to Autopsy as the easiest way to answer this question. Autopsy can extract all the email evidence and filter it, so let's see how that works.

->The total number of emails received is 6.

12) Hungry for directions — Where did the user request directions to on Mar 4, 2021, at 4:15:18 AM EDT?

->The answer to this question can only come from the place where map-related data is stored. We already have one more piece of evidence, named takeout, which holds all the Google Maps related evidence.

13) Who defines essential? — What was searched on Mar 4, 2021, at 4:09:35 AM EDT?

->Since a time is given, we turn to the takeout folder evidence, where the Google search activity stores all the records.

->Go to takeout->MyActivity->search; the MyActivity file there has the details of all the visited paths.

->As we can see, the answer is Travelling to get chicken essential travel.

14) I got three subscribers, and counting — How many YouTube channels is the user subscribed to?

->The question is about YouTube subscriptions. The Google Takeout evidence contains this information, so let's look.

->In the Takeout folder there is a YouTube Subscriptions folder that holds a JSON file, but the JSON file has no data in it, which means 0 subscriptions.

15) Time flies when you’re watching YT — What date was the first YouTube video the user watched uploaded?

->The YouTube details come from the My Activity folder, which is inside the takeout folder.

->The activity record does not give the time when the video was uploaded; when we extract the file from the evidence, it gives the link to the video.

->The upload date shown on the YouTube channel is 27/01/2021.

16) How much? — What is the price of the belt?

->This was also a tricky question. The user's search activity is stored in the Myactivity folder inside the takeout folder.

->The Chrome Myactivity records give the site link and the reason for the visit.

->I extracted the Myactivity file and visited this link.

->The price of this belt is 98.5.
