Case Reference: 001-H | Duration: 18 November – 22 December 2025
Examiner: Undergraduate Digital Forensic Examiner, University of the West of Scotland
Compliance: ACPO Good Practice Guide for Digital Evidence (2012) — full chain of custody maintained
A court-standard digital forensic investigation of two seized devices submitted as part of Operation FishNet. The examination determined whether the devices contained illegal content, whether the two device users were connected to each other, and whether the evidence was admissible for prosecution.
Verdict: Device 2 confirmed to contain files cryptographically identical to known illegal images. Direct email communication between Device 1 and Device 2 users established deliberate coordination. Device 1 user demonstrated advanced anti-forensic capability including secure deletion and memory acquisition tools.
| | Device 1 | Device 2 |
|---|---|---|
| OS | Windows 7 Home Premium SP1 (x64) | Windows XP SP3 (x86) |
| User Profile | Netty (nettycatchwell_3002@outlook.com) | Student (roddyfisher10073@outlook.com) |
| Evidence Format | Device_1.E01 + Memory_Dump_1.raw | Device_2.E01 + Memory_Dump_2.raw |
| Key Finding | Anti-forensic tools, 7,193 OneDrive artefacts | DarkComet RAT, confirmed illegal image hashes, email evidence |
| Hash Match Result | ❌ No matches against reference database | ✅ Multiple confirmed matches |
The investigation followed a strict three-phase approach in compliance with ACPO Principle 1 (no action shall change data on digital devices):
Acquisition — Bit-for-bit E01 forensic images created for both devices. Volatile memory (RAM) captured as .raw dumps. All media stored write-protected.
Verification — SHA-1 cryptographic hashes computed for both original evidence and forensic copies. Hash values matched across all transfers, providing mathematical proof of integrity throughout the chain of custody.
Analysis — All examination performed on forensic copies only. Cross-validated findings across multiple independent tools to eliminate single-source dependency.
| Tool | Version | Application |
|---|---|---|
| Autopsy | 4.21.0 | Primary disk artefact analysis, keyword search, file type analysis, email recovery |
| FTK Imager | 4.7.1 / 8.2.0.26 | Forensic imaging, read-only mounting, file export, metadata review |
| Volatility Framework | 2.6 | Volatile memory analysis — imageinfo, pslist, psscan, malfind, netscan |
| Registry Explorer | v2.1.0 | Registry hive parsing and user activity analysis |
| RegRipper | 3.0 | SYSTEM hive analysis, executed programs identification |
| Windows certutil | Native | MD5 and SHA-1 cryptographic hash generation |
| Windows CMD | Native | dir, findstr, filesystem corroboration |
| Microsoft Excel | 365 | Manual hash comparison and verification |
Registry analysis of the SYSTEM hive (via RegRipper) identified five high-risk executables executed from the Netty user profile:
| Executable | Purpose | Filesystem Status |
|---|---|---|
| DumpIt.exe | Memory acquisition tool | Present on disk — corroborated |
| sdelete64.exe | Secure deletion (anti-forensic) | Absent — executed then wiped |
| malware.exe (×2) | Suspicious executable | Absent — executed then wiped |
| cmd.exe | Interactive system use | System binary |
The pattern of executing sdelete64.exe following malware.exe indicates deliberate anti-forensic behaviour — intentional execution followed by permanent file destruction to reduce traceability.
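The registry-versus-filesystem corroboration and the execute-then-wipe pattern described above, written up as an added example (not the report's own tooling); the execution records, file listing and timestamps are constructed and are not case data:

```python
# Added example, not the report's own tooling: corroborate registry
# execution evidence against the filesystem and flag execute-then-wipe.
from datetime import datetime

# Constructed execution records in the style of a RegRipper parse:
# (executable, last-run timestamp). Not real case data.
EXECUTIONS = [
    ("cmd.exe", "2025-11-02 09:14:00"),
    ("DumpIt.exe", "2025-11-02 09:20:31"),
    ("malware.exe", "2025-11-03 18:02:10"),
    ("malware.exe", "2025-11-03 18:05:44"),
    ("sdelete64.exe", "2025-11-03 18:07:02"),
]
# Constructed filesystem listing of the profile (lower-cased file names).
DISK_FILES = {"dumpit.exe", "thunderbird.exe"}
SYSTEM_BINARIES = {"cmd.exe", "explorer.exe", "rundll32.exe"}
WIPERS = {"sdelete.exe", "sdelete64.exe"}

def classify(exe, disk_files=DISK_FILES, system=SYSTEM_BINARIES):
    """Filesystem status as used in the findings table above."""
    name = exe.lower()
    if name in system:
        return "System binary"
    if name in disk_files:
        return "Present on disk - corroborated"
    return "Absent - executed then wiped"

def wipe_pattern(executions=EXECUTIONS, disk_files=DISK_FILES,
                 wipers=WIPERS, system=SYSTEM_BINARIES):
    """Return (target, wiper, seconds) for every run of an executable that is
    now absent from disk and was followed by a secure-deletion tool run."""
    runs = sorted((datetime.fromisoformat(ts), exe) for exe, ts in executions)
    flagged = []
    for i, (t_run, exe) in enumerate(runs):
        name = exe.lower()
        if name in wipers or name in disk_files or name in system:
            continue
        for t_wipe, later in runs[i + 1:]:
            if later.lower() in wipers:
                gap = int((t_wipe - t_run).total_seconds())
                flagged.append((exe, later, gap))
                break
    return flagged

if __name__ == "__main__":
    for exe, _ in EXECUTIONS:
        print(f"{exe:15} {classify(exe)}")
    print(wipe_pattern())
```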
Volatile memory analysis (Volatility Framework) confirmed no active encryption or archiving at time of seizure, indicating any concealment activity had already been completed.
7,193 OneDrive web download artefacts identified via Autopsy — establishing Device 1 as the primary cloud storage and distribution point.
DarkComet RAT identified as an active process in volatile memory at time of seizure — confirmed via pslist, malfind, and command-line argument analysis. Anomalous executable memory segments consistent with malicious injection detected.
MD5 hash comparison against a reference database of known illegal images confirmed multiple positive matches on Device 2. Zero matches on Device 1. Hash matching methodology:
- FTK Imager used to export a full file hash CSV from Device 2
- Automated findstr comparison against the reference database
- Manual spreadsheet verification to eliminate false negatives caused by formatting issues
- Autopsy cross-validation of each match at the binary level
Since MD5 is deterministic, identical hash values constitute proof of identical file content at byte level.
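The hash comparison pipeline above, as an added example rather than the report's own script: the export is normalised (BOM, case, stray whitespace) before comparison so that formatting differences cannot produce the false negatives the manual spreadsheet pass was guarding against. The MD5,SHA1,FileNames column layout is an assumption, and all hashes and paths are constructed sample values.

```python
# Added example, not the report's own script: the MD5 comparison pipeline
# with normalisation so formatting differences cannot cause false negatives.
import csv, hashlib, io, re

HEX32 = re.compile(r"^[0-9a-f]{32}$")

def normalise(value):
    """Canonical hash form: drop BOM/whitespace/quotes, lowercase, validate."""
    h = value.replace("\ufeff", "").strip().strip('"').lower()
    return h if HEX32.match(h) else None

def load_reference(text):
    """Reference list, one hash per line; blank or malformed lines skipped."""
    return {h for h in map(normalise, text.splitlines()) if h}

def load_hash_export(text):
    """Parse a hash-list CSV; the MD5,SHA1,FileNames layout is an assumption."""
    rows = csv.DictReader(io.StringIO(text))
    return [(normalise(r["MD5"]), r["FileNames"].strip()) for r in rows]

def match(export_text, reference_text):
    """Sorted (path, md5) pairs whose digest appears in the reference set."""
    refs = load_reference(reference_text)
    return sorted((path, h) for h, path in load_hash_export(export_text)
                  if h in refs)

def md5_of(data: bytes):
    """Same bytes always give the same digest: the basis of hash matching."""
    return hashlib.md5(data).hexdigest()

# Constructed sample inputs (not real case data or real reference hashes).
SAMPLE_FILE = b"constructed sample image bytes"
REFERENCE_DB = (
    "\ufeff" + md5_of(SAMPLE_FILE).upper() + "\n"   # BOM + upper case
    "  d41d8cd98f00b204e9800998ecf8427e \n"         # stray whitespace
    "not-a-hash\n"                                  # malformed line
)
EXPORT_CSV = (
    "MD5,SHA1,FileNames\n"
    + md5_of(SAMPLE_FILE) + ",0000000000000000000000000000000000000000,"
    "[root]/Users/Student/Pictures/img_001.jpg\n"
    "d41d8cd98f00b204e9800998ecf8427e,"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709,[root]/Users/Student/empty.txt\n"
    "ffffffffffffffffffffffffffffffff,"
    "0000000000000000000000000000000000000000,[root]/Users/Student/other.jpg\n"
)

if __name__ == "__main__":
    for path, digest in match(EXPORT_CSV, REFERENCE_DB):
        print(f"MATCH {digest}  {path}")
```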
Email evidence recovered from Mozilla Thunderbird local storage on Device 2 confirmed direct communication between roddyfisher10073@outlook.com (Device 2) and nettycatchwell_3002@outlook.com (Device 1). Email thread titled "Re: First batch of reference images" contained explicit references to batch transfers, content management instructions, and confidentiality coordination — establishing intentionality and mutual awareness.
The two devices did not operate independently. The forensic evidence establishes a deliberate distribution pipeline:
| Device 1 (Netty) | Device 2 (Student) |
|---|---|
| 7,193 OneDrive artefacts | 36 OneDrive artefacts |
| Cloud storage / distribution hub → | Selective recipient |
| No hash matches (no illegal content) | Multiple confirmed hash matches |
| Anti-forensic tools (sdelete, DumpIt) | DarkComet RAT active at seizure |
| Technical capability demonstrated | Intent + possession confirmed |
Email correspondence provides the explicit link — Device 2 user confirming receipt, requesting further batches, and discussing content management.
Full ACPO-compliant chain of custody maintained from evidence intake (07/11/2025) through to report completion (22/12/2025). Key chain of custody events documented in investigation logbook:
- E01 images and RAW memory dumps received via university learning platform
- SHA-1 hashes verified on intake and at every transfer point
- All analysis performed on forensic copies — originals never accessed directly
- Structured case directory maintained: CaseFile_001-H-EM-A/Evidence/Analysis/
- Each exhibit numbered, timestamped, and tool-attributed
The full forensic report (Final_ADFA_Coursework_Report.docx) contains 50+ numbered exhibits and covers:
- Executive Summary and Author Background
- Methodology: Acquisition, Verification, Analysis
- Device 1 Findings: OS, installed programs, web downloads, Recycle Bin, registry artefacts, OneDrive usage, volatile memory analysis, encryption assessment
- Device 2 Findings: OS attribution, capability assessment, email communications, hash-based image identification, encryption evidence
- Cross-device correlation and user behaviour interpretation
- Alternative explanation assessment
- Conclusions and prosecution recommendations
- Appendices: Hash Verification Table, Chain of Custody Log, Glossary, Tool Outputs
| Skill | Evidence |
|---|---|
| Forensic Imaging | E01 acquisition, SHA-1 verification, write-protected mounting |
| Volatile Memory Analysis | Volatility 2.6 — process listing, malware detection, network artefacts |
| Registry Forensics | RegRipper + Registry Explorer — SYSTEM & NTUSER.DAT hive analysis |
| Malware Identification | DarkComet RAT — pslist, malfind, memory anomaly detection |
| Hash-Based Evidence | MD5 comparison pipeline — automated + manual verification |
| Email Forensics | Thunderbird local storage recovery, attribution, thread reconstruction |
| Anti-Forensic Detection | sdelete64, DumpIt, malware.exe execution → deletion pattern |
| Chain of Custody | ACPO 2012 compliant — full audit trail, timestamped logbook |
| Court-Ready Reporting | 50+ numbered exhibits, cross-validated findings, prosecution recommendations |
Module: Advanced Digital Forensic Analysis | University of the West of Scotland
BEng (Hons) Cyber Security — Final Year
This investigation was conducted as assessed academic coursework using evidence packages provided by the university. All forensic work was performed in an isolated, controlled lab environment. No real individuals, devices, or illegal material were involved.