Analyzing UFO Group Evidence Files

The document discusses the analysis of a drive image from a USB drive provided by a UFO investigation group. 1) The file system used was FAT16. 2) The sector count was 444,160 and the image type was raw. 3) The cluster size was 61,551, with 16,384 clusters in use and 61,501 free clusters. 4) Files with "E5" as the first character of the filename had been deleted. The MAC times on the files were inconsistent with the story provided by the UFO group, suggesting fabrication of evidence. No credible evidence of off-world activities by a secret government organization was found.

1. From the hex content of the drive image, what file system was used in the drive?

Based on FTK, the drive uses FAT16.

2. Based on the image file properties, what are the sector count and image type for the drive
image?

The sector count is 444,160 and the image type is Raw (dd).

3. Based on the file system properties for the image, what is the cluster size? How many clusters
are in use? How many clusters are free?

The cluster size is 61,551. There are 16,384 clusters in use and 61,501 clusters free.

4. In hex view of the directory, what is the significance of the pattern “E5” that often appears as
the first character of a filename?

If the first character has the code E5, then the file was deleted. You may save some time when
going through the directory structure by checking the first character in the filename. If it is zero,
there are no more entries in the current directory.

5. An important source of information for constructing a timeline of activities on the system is
the so-called file MAC-times (where MAC stands for Modified, Accessed, Created). Examining
the MAC-times for all the files in the root directory, do you find them consistent with the UFO
group’s story?

Based on the [Link] file, the pictures and reports show that the pictures were delivered before the
3rd of June 2008, and according to the memo they are the latest photographs.

Based on the creation timestamps recorded in the EXIF data of each image file, the pictures were
created on the following dates:

File name    Date created (EXIF)
[Link]       09-Jun-07 [Link] AM
[Link]       N/A
[Link]       20-Jan-07 [Link] AM
[Link]       06-Jul-07 [Link] AM

Going by the photos alone, they might have been sent straight after being fabricated, which would
make the memo consistent with the pictures. But based on the MAC-times in the drive image, all the
files were copied onto the pen drive on the 10th of September 2008. That makes the story inconsistent,
since the memo is dated well before the files were created on the pen drive from which this image was
taken.
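To show what is actually being read in questions 4 and 5, here is an added example (not part of the original write-up, and not FTK's code) that decodes raw FAT16 directory entries as they appear in the hex view: it stops at a 0x00 first byte, flags 0xE5 entries as deleted, and unpacks the packed created/accessed/written stamps so the on-disk creation dates can be compared against a claimed date such as the memo's. The function names, the sample entries, file names and dates are all constructed, and the date decoder assumes the date fields are set (as they are in the sample).

```python
import struct
from datetime import date, time, datetime

def fat_date(v):                   # bits 15-9 year since 1980, 8-5 month, 4-0 day (field assumed set)
    return date(1980 + (v >> 9), (v >> 5) & 0xF, v & 0x1F)

def fat_time(v):                   # bits 15-11 hour, 10-5 minute, 4-0 seconds/2
    return time(v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)

def pack_stamp(dt):                # inverse of the two decoders, used only for sample data
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def make_entry(name, ext, created, written, size, deleted=False):
    """Constructed 32-byte short-name entry (no VFAT long-name pieces)."""
    cd, ct = pack_stamp(created)
    wd, wt = pack_stamp(written)
    raw = name.ljust(8).encode() + ext.ljust(3).encode()
    # attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
    raw += struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, ct, cd, wd, 0, wt, wd, 2, size)
    return (b"\xE5" + raw[1:]) if deleted else raw   # E5 overwrites the first name byte

def parse_directory(raw):
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:           # free slot: no more entries in this directory
            break
        if e[11] == 0x0F:          # VFAT long-name piece, not a file record
            continue
        deleted = e[0] == 0xE5     # deleted entry; its clusters may still hold the data
        name = (("?" if deleted else chr(e[0])) + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        ct, cd, ad, wt, wd = struct.unpack_from("<HHHxxHH", e, 14)   # xx skips FstClusHI
        entries.append({"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
                        "created": datetime.combine(fat_date(cd), fat_time(ct)),
                        "accessed": fat_date(ad),
                        "written": datetime.combine(fat_date(wd), fat_time(wt)),
                        "size": struct.unpack_from("<I", e, 28)[0]})
    return entries

def created_after(entries, cutoff_iso):
    """Names whose on-disk creation stamp postdates a claimed date such as the memo's."""
    cutoff = date.fromisoformat(cutoff_iso)
    return [e["name"] for e in entries if e["created"].date() > cutoff]

# Constructed sample: a photo created on the pen drive 10 Sep 2008 but last written June 2007, a deleted report, then the 0x00 end slot
SAMPLE_DIR = (make_entry("PHOTO1", "JPG", datetime(2008, 9, 10, 10, 15, 30), datetime(2007, 6, 9, 8, 2), 204800)
              + make_entry("REPORT", "DOC", datetime(2008, 5, 1, 9), datetime(2008, 5, 1, 9, 30), 4096, deleted=True)
              + b"\x00" * 32)
```

A created stamp later than the written stamp is what a plain file copy leaves behind on FAT, which is the pattern the write-up reads as "copied onto the pen drive on 10 September 2008".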
6. What does EXIF information present on some photographs suggest about their origin?

EXIF data can show which application produced an image, when it was made, its resolution, and its
creation, last-access and last-write dates. All of this can be read with an EXIF editor such as
Exif Pilot. The data for all the photos is shown below:
7. Is there a signature mismatch for the file [Link]? Does the content of this file add any weight to
your overall conclusion?
Yes. Judging from the hex view, the extension of the file [Link] was deliberately changed so that
to the naked eye it passes as just another corrupt file. The hex content shows that [Link] is
actually a PDF file, so after changing the extension to PDF we get this file:

As to whether the content of the file changes my conclusion: it does not.


8. Based on the images you recovered, what would be your conclusion as to the UFO group’s
suspicions of off-world activities of a secret government organization?

My conclusion is that the off-world activities of a secret government organization are non-existent
and illogical, as the pictures presented in the raw file are fake: their EXIF data shows they were
fabricated in Adobe Photoshop CS2 Windows, and they can be downloaded from [Link], as shown by the
website’s watermark on every picture.

For the [Link] file, it doesn’t affect the overall conclusion, as it is probably another distraction. A
secret government organization that has the capability of doing off-world activities would surely have a
better encryption technique than just changing the file extension.

Therefore, it is concluded that the UFO group’s suspicions are baseless and exaggerated.
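The Software and date tags that questions 6 and 8 rely on are ASCII entries in the TIFF-style IFDs inside the JPEG's APP1/Exif segment. The following added example (not from the write-up, and not Exif Pilot's code) builds a minimal constructed JPEG carrying those tags and reads them back from the raw bytes; the tag numbers are the standard Exif ones, while the function names, the sample software string and the sample dates are constructed.

```python
import struct
SOFTWARE, DATETIME, EXIF_IFD, DT_ORIGINAL = 0x0131, 0x0132, 0x8769, 0x9003   # standard Exif tag numbers
def _ifd(base, ascii_tags, pointer=None):
    # Serialise one IFD at TIFF offset `base` (tags in ascending order); ASCII values follow the table
    n = len(ascii_tags) + (1 if pointer else 0)
    data_off = base + 2 + 12 * n + 4
    entries, blob = b"", b""
    for tag, text in ascii_tags:
        val = text.encode() + b"\0"
        entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(blob))
        blob += val
    if pointer:                                    # LONG entry pointing at the Exif sub-IFD
        entries += struct.pack("<HHII", pointer[0], 4, 1, pointer[1])
    return struct.pack("<H", n) + entries + struct.pack("<I", 0) + blob

def build_exif_jpeg(software, modified, original):
    # Constructed minimal JPEG: SOI, one APP1/Exif segment holding IFD0 plus the Exif sub-IFD, EOI
    ifd0_tags = [(SOFTWARE, software), (DATETIME, modified)]
    sub_base = 8 + 2 + 12 * 3 + 4 + sum(len(t) + 1 for _, t in ifd0_tags)
    tiff = (b"II*\0" + struct.pack("<I", 8) + _ifd(8, ifd0_tags, (EXIF_IFD, sub_base))
            + _ifd(sub_base, [(DT_ORIGINAL, original)]))
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"

def read_exif(jpeg):
    pos = 2                                        # skip SOI, then walk the marker segments
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _walk_ifds(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return {}                                      # no Exif segment present

def _walk_ifds(tiff):
    bo = "<" if tiff[:2] == b"II" else ">"         # byte-order mark: II little-endian, MM big-endian
    todo, found = [struct.unpack_from(bo + "I", tiff, 4)[0]], {}
    while todo:
        ifd = todo.pop()
        for i in range(struct.unpack_from(bo + "H", tiff, ifd)[0]):
            off = ifd + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack_from(bo + "HHII", tiff, off)
            if tag == EXIF_IFD:
                todo.append(val)                   # follow the pointer to the sub-IFD
            elif typ == 2:                         # ASCII: inline when <= 4 bytes, else at offset val
                raw = tiff[off + 8:off + 8 + cnt] if cnt <= 4 else tiff[val:val + cnt]
                found[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
    return found

# Constructed sample: saved by Photoshop in September 2008 while its capture date says June 2007.
SAMPLE_JPEG = build_exif_jpeg("Adobe Photoshop CS2 Windows", "2008:09:10 10:15:30", "2007:06:09 08:02:00")
```

The Software tag is what identifies the editing application, and DateTimeOriginal against DateTime is where a capture date older than the last save shows up; neither survives if the image is re-encoded without its APP1 segment, so their absence is not itself evidence.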
9. Examining the files present on the image, can you identify any traces of the use of a secure
deletion utility? Hint: Research the operation of the utility sdelete available from the Sysinternals
website.

SDelete renames the file 26 times, each time replacing each character of the file's name with a
successive alphabetic character. For instance, the first rename of "[Link]" would be to
"[Link]".

So files such as [Link] are traces of SDelete.

But we can guess the original file from the number of characters in the file name and extension and
from its hex content.

As its hex content is the same as that of the ![Link] file, which is a temporary file for a Word
document, it is taken to be the [Link], since it has the same number of characters in the file
name and extension.
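Two file-level checks behind questions 7 and 9, as an added example that is not part of the write-up: a magic-number comparison that catches an extension disagreeing with the content (a PDF carrying another extension), and a test for the repeated-letter 8.3 names that SDelete's renaming leaves behind, plus the length comparison against a candidate original name. The signature table, the function names, the sample names and the assumption that a viewer renders the overwritten first byte as ? or _ are all constructed.

```python
import re

# Constructed magic-number table covering the types the write-up mentions (not exhaustive).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xFF\xD8\xFF": "jpg",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "doc",   # OLE2 compound file (Word 97-2003)
    b"PK\x03\x04": "docx",                         # ZIP container used by Office Open XML
}

def detect_type(data):
    """Type implied by the leading bytes, or None when no known signature matches."""
    return next((kind for magic, kind in SIGNATURES.items() if data.startswith(magic)), None)

def signature_mismatch(name, data):
    """(claimed extension, actual type) when the header disagrees with the name, else None."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    actual = detect_type(data)
    return (ext, actual) if actual and actual != ext else None

# SDelete's 26 renames each replace every character of the name with the next letter, so the
# entry left behind is one repeated letter (AAAAAAAA.AAA ... ZZZZZZZZ.ZZZ). In a FAT directory
# the first byte of the deleted entry is then overwritten with E5, assumed here to render as ? or _.
SDELETE_NAME = re.compile(r"[?_]?([A-Z])\1*(\.\1+)?")

def is_sdelete_residue(name):
    return SDELETE_NAME.fullmatch(name.upper()) is not None

def same_shape(residue, candidate):
    """The renames preserve name and extension lengths, so a candidate original must match both;
    the ?/_ placeholder still counts as one character of the name."""
    def shape(n):
        return [len(part) for part in n.split(".", 1)]
    return shape(residue) == shape(candidate)
```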
