JH

Case Study Analysis & Notes

(The Tale of Three Friends)


1. Case Scenario Overview

  • Victim : Hazel, found dead with stab wounds to the neck and stomach.

  • Suspects :

    • Sonny : Cybersecurity consultant (private sector), top student, had unrequited feelings for Hazel since Year 1.

    • Jack : Technician at Temasek Polytechnic, Hazel’s fiancé, close friend of Sonny.

  • Key Event : Both were arrested on Hazel’s wedding day, claiming ignorance of her death.

  • Objective : Use mobile device forensics to determine who planned Hazel’s murder .


2. Interesting Pointers & Clues

Motives & Relationships
  • Sonny’s Motive : Rejected confession of love to Hazel days before her death.

  • Jack’s Motive : No explicit motive, but potential jealousy or hidden tensions?

  • Timeline Oddities :

    • Both claim ignorance of her death until questioned—possible lie or coincidence?

Digital Evidence Opportunities
  • Location Data : GPS logs from phones (e.g., proximity to Hazel’s home on the day of death).

  • Communication Patterns :

    • Call logs, messages, or emails between Sonny/Jack and unknown contacts.

    • Deleted messages (recoverable via SQLite carving).

  • Social Media Activity : Posts/check-ins near Hazel’s location or suspicious activity.

  • App Data : Ride-hailing apps (e.g., Grab), calendar entries, or notes.
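Why the "deleted messages (recoverable via SQLite carving)" point holds: an added example, not from the case notes or from any tool named above. It builds a throwaway messages database with constructed rows, deletes one, and shows that the text of the deleted row is still present in the raw file bytes (which is what carving tools rely on) unless SQLite's secure_delete was on.

```python
import os
import sqlite3
import tempfile

def build_db(path, secure_delete):
    """Create a small message store, then delete one row (constructed data)."""
    con = sqlite3.connect(path)
    # secure_delete=OFF is the usual default; ON zeroes freed cell space.
    con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
    con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.executemany("INSERT INTO sms(peer, body) VALUES(?, ?)", [
        ("Hazel", "see you at the fitting tomorrow"),
        ("Hazel", "please reconsider, I meant every word"),  # the row to delete
        ("Jack", "congrats bro, happy for you both"),
    ])
    con.execute("DELETE FROM sms WHERE body LIKE 'please reconsider%'")
    con.commit()
    con.close()

def live_rows(path):
    """What an ordinary SQL query (the view the messaging app shows) returns."""
    con = sqlite3.connect(path)
    try:
        return [r[0] for r in con.execute("SELECT body FROM sms ORDER BY id")]
    finally:
        con.close()

def carve_hits(path, needle):
    """Naive carve: scan the raw file, freed cell space included, for the text."""
    with open(path, "rb") as f:
        return f.read().count(needle.encode())

def demo(secure_delete=False):
    """Return (bodies still visible to SQL, raw-file hits for the deleted text)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path, secure_delete)
        return live_rows(path), carve_hits(path, "please reconsider")
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("secure_delete OFF:", demo(False))   # deleted text still in the file
    print("secure_delete ON :", demo(True))    # freed space zeroed, nothing to carve
```

A real carver parses the freeblock list and unallocated space of each b-tree page rather than grepping the file, but the reason it works is the same.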

Behavioral Red Flags
  • Sonny’s Profile : Cybersecurity expertise could mean he covered tracks (e.g., encrypted chats, deleted logs).

  • Jack’s Profile : Technician role gives him access to campus systems.


3. Suggested Chronological Sequence

(Based on case details and forensic analysis goals)

  1. Pre-Wedding Day :

    • Hazel and Jack inform Sonny of their marriage plans.

    • Sonny confesses feelings to Hazel privately; she rejects him.

  2. Day of Murder :

    • Suspect (Sonny/Jack) travels to Hazel’s home (GPS logs).

    • Murder occurs; weapon (knife) left at the scene.

  3. Post-Murder :

    • Suspect deletes communication logs or uses encryption.

    • Suspect creates alibi (e.g., fake GPS data, manipulated timestamps).

  4. Wedding Day Arrest :

    • Police arrest both suspects before the ceremony.


4. Project Objectives & Group Work Breakdown

(5 members, individual + group components)

Objective 1: NIST Framework Checklist
  • Goal : Create actionable items for each phase of the NIST framework.

  • Breakdown :

    • Member 1 : Collection (Identify sources, acquire data, preserve integrity).

    • Member 2 : Examination (Filter relevant data)

    • Member 3 : Analysis (Timeline, relational/functional analysis, Locard’s Principle).

    • Member 4 : Reporting (Documentation, chain of custody, conclusions).

    • Member 5 : ?

Objective 2: Forensic Investigation
  • Goal : Analyze VM images of Sonny/Jack’s phones to uncover evidence.

  • Breakdown :

    • Evidence Acquisition (1 member):

      • Use FTK Imager for forensic imaging.

      • Hash values (SHA-256) for integrity.

    • Temporal Analysis (1 member):

      • Reconstruct timeline using metadata (call logs, GPS, app timestamps).

    • Relational Analysis (2 members):

      • Map communication patterns (Sonny/Jack to Hazel, unknown contacts).

      • Use OSINT (e.g., Google Maps timeline, social media).

    • Functional Analysis (1 member):

      • Link evidence to actions (e.g., “How was the murder planned?”).
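The temporal and relational steps above, as an added example that is not part of the assignment brief or any named tool: artefacts from both phones are normalised to UTC (Android call/SMS databases store milliseconds since 1970, iOS stores seconds since 2001, app exports often carry an ISO-8601 offset), merged into one timeline, filtered around an assumed time of death, and checked for contacts that appear on both suspects' phones. All records and the phone number are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

SGT = timezone(timedelta(hours=8))             # the case is set in Singapore
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def to_utc(value, fmt):
    """Normalise one raw timestamp to an aware UTC datetime."""
    if fmt == "unix_ms":     # Android call log / SMS databases: ms since 1970
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if fmt == "cocoa_s":     # iOS sms.db, location caches: seconds since 2001
        return COCOA_EPOCH + timedelta(seconds=value)
    if fmt == "iso":         # app exports with an explicit UTC offset
        return datetime.fromisoformat(value).astimezone(timezone.utc)
    raise ValueError(f"unknown timestamp format {fmt!r}")

# Constructed sample artefacts (not real case data):
# (device, source, raw timestamp, format, contact, detail)
RAW_EVENTS = [
    ("Sonny", "sms",     1718688000000, "unix_ms", "Hazel", "'please reconsider'"),
    ("Sonny", "calllog", 1718690400000, "unix_ms", "+65 9000 0001", "outgoing, 2 min"),
    ("Sonny", "gps",     740383800,     "cocoa_s", None, "1.3521,103.9448 (Tampines)"),
    ("Jack",  "grab",    "2024-06-18T13:05:00+08:00", "iso", None, "ride booked"),
    ("Jack",  "sms",     1718692200000, "unix_ms", "+65 9000 0001", "recovered deleted row"),
]

def build_timeline(raw_events):
    """Temporal analysis: every artefact in one UTC-ordered list."""
    rows = [(to_utc(ts, fmt), dev, src, who, what)
            for dev, src, ts, fmt, who, what in raw_events]
    return sorted(rows, key=lambda e: e[0])

def events_in_window(timeline, centre_utc, minutes=30):
    """Artefacts within +/- minutes of the estimated time of death."""
    delta = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e[0] - centre_utc) <= delta]

def shared_contacts(timeline, devices=("Sonny", "Jack")):
    """Relational analysis: contacts present on more than one suspect's phone."""
    seen = {}
    for _, dev, _, who, _ in timeline:
        if who and dev in devices:
            seen.setdefault(who, set()).add(dev)
    return sorted(c for c, devs in seen.items() if len(devs) > 1)

if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for t, dev, src, who, what in tl:     # print in local time for the report
        print(t.astimezone(SGT).strftime("%H:%M"), dev, src, who or "-", what)
    print("shared contacts:", shared_contacts(tl))
```

Keep the stored values in UTC and convert only for display; mixing a phone's local-time strings with epoch values is the most common way a student timeline ends up off by the UTC+8 offset.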

Group Deliverables
  • Report : Combine individual contributions into a cohesive document.

  • Presentation : Assign roles (e.g., Introduction, Analysis, Conclusion).

3.1 Search Warrants

What to Do :

  1. Open-Source Intelligence (OSINT) :

    • Use tools like Google Maps, social media, or public records to verify locations linked to evidence (e.g., GPS coordinates from suspects’ phones).

    • Example : If a suspect’s phone shows a location near a specific HDB block in Tampines, use Google Street View to confirm the address and justify a search warrant.

  2. Tutor Authorization :

    • Notify your tutor via Microsoft Teams before visiting any site. Provide:

      • Exact address (e.g., “123 Tampines Street 44”).

      • Justification : Link the location to evidence (e.g., “GPS data places Sonny’s phone at this address 30 minutes before Hazel’s death”).


3.2 Workload Distribution

How to Document :

  • Create a Workload Distribution Table in your report. Assign roles based on the NIST Framework and marking rubrics:

  Member   | NIST Phase   | Task                                      | Deliverable
  ---------+--------------+-------------------------------------------+------------------------------------------------
  Member A | Collection   | Identify devices, acquire forensic images | Hash values, CoC documentation
  Member B | Examination  | Filter call logs, messages, GPS data      | Screenshots of tools (e.g., Cellebrite)
  Member C | Analysis     | Build timeline, relational analysis       | Timeline diagram, Locard’s Principle deductions
  Member D | Reporting    | Draft NIST-aligned report                 | PDF with bookmarks, formatting checks
  Member E | Case Defense | Prepare presentation slides               | Rehearse Q&A, align with rubric criteria


3.3 Deliverables

Report Structure & Content :

  1. Cover Page :

    • Follow Appendix A template (Practical Class, Group No., members’ names).

  2. Declarations :

    • Non-Plagiarism : Signed by all members.

    • AI Tools : Document prompts/responses (e.g., “Used ChatGPT to brainstorm timeline analysis”).

  3. Forensic Examination (NIST Framework) :

    • Collection :

      • Document seizure of Sonny/Jack’s VM images.

      • Include photos of devices (even simulated ones).

    • Examination :

      • Use tools like Autopsy or Magnet AXIOM to extract SMS, call logs, GPS.

    • Analysis :

      • Temporal : Timeline of Hazel’s death vs. suspects’ activities.

      • Relational : Link Sonny’s deleted messages to Hazel’s rejection.

      • Functional : Use Locard’s Principle (e.g., “Sonny’s phone connected to Hazel’s Wi-Fi at the crime scene”).

  4. Appendices :

    • Include your Task 1 Checklist and CoC forms.


3.4 Guidelines – How to Get Started

Minimum Requirements Explained :

  1. Crime Scene Handling :

    • Simulate steps from Week 1, Session 2 (e.g., “iPhone 15 Pro was found powered on; Airplane Mode enabled, SIM removed”).

    • Photos : Include mock screenshots of device states (even if using VMs).

  2. Forensic Imaging :

    • Use FTK Imager to create forensic images of the VMs.

    • Hash Values : Document SHA-256 hashes for integrity.

  3. Locard’s Exchange Principle :

    • Example: “Sonny’s phone shows Bluetooth pairing with Hazel’s smartwatch at the crime scene.”

  4. Deductions :

    • Tie evidence to motives (e.g., “Jack’s phone has no GPS data near Hazel’s home, weakening his alibi”).