
Question


Case is individual work.
Case 3 deadline is June 3 by 11:00 pm.

Cases    Grade
Case 1   20
Case 2   20
Case 3   20
Case 4   20
Case 5   20
Total    100

Rubrics: Case 2 - Total 20 points
Ratings: 20.0 pts Excellent; 10.0 pts Good; 0.0 pts Poor

Submission - Word Document
1. Steps you have done, with screenshots
2. Autopsy Report
3. In-depth explanation and analysis of the USB drive data

Download Autopsy Forensic Tool (free download): http://sleuthkit.org/autopsy/

Task 1: Analyzing Your Digital Evidence using Autopsy Forensic Tool

When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space, meaning it can be used for new files that are saved or files that expand as data is added to them. The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as Autopsy can retrieve deleted files for use as evidence.

Task 1
1. Download the Autopsy Forensic tool (it is a free tool to download, and is also available in computer labs)
   a. http://sleuthkit.org/autopsy/
   b. Follow the steps in "Autopsy tool how to use" to complete the report and investigation (the .dd file is available on Canvas)
   OR
   You can access the Autopsy Forensic Tool available on weblabs: https://weblabs.psu.edu/

Task 1 Submission - For every step make a screenshot and create a report for submission (5 points)

Task 2: Discuss the following after completing the case in your report

The files on George's USB drive indicate that he was conducting a side business on his company computer. Now that you have retrieved and analyzed the evidence, you need to find the answers to the following questions to write the final report:

- How did George's manager acquire the disk?
- Did George perform the work on a laptop, which is his own property? If so, did he conduct business transactions on his break or during his lunch hour?
- At what times of the day was George using the non-work-related files? How did you retrieve this information?
- Which company policies apply?
- Are there any other items that need to be considered?

When you write your report, state what you did and what you found. The report you generated in Autopsy gives you an account of the steps you took. As part of your final report, depending on guidance from management or legal counsel, include the Autopsy report file to document your work. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as repeatable findings; without it, your work product has no value as evidence.

Keep a written journal of everything you do. Your notes can be used in court, so be mindful of what you write or e-mail, even to a fellow investigator. Often these journals start out as handwritten notes, but you can transcribe them to electronic format periodically.

Basic report writing involves answering the six Ws: who, what, when, where, why, and how. In addition to these basic facts, you must also explain computer and network processes. Typically, your reader is a senior personnel manager, a lawyer, or occasionally a judge who might have little computer knowledge. Identify your reader and write the report for that person. Provide explanations for processes and how systems and their components work.

Your organization might have templates to use when writing reports. Depending on your organization's needs and requirements, your report must describe the findings from your analysis. The report generated by Autopsy lists your examination and data recovery findings. Other digital forensics tools generate a log file of all actions taken during your examination and analysis. Integrating a digital forensics log report from these other tools can enhance your final report. When describing the findings, consider writing your narrative first and then placing the log output at the end of the report, with references to it in the main narrative.

In the Montgomery 72015 case, you want to show what evidence exists that George had his own business registering domain names and list the names of his clients and his income from this business. You also want to show letters he wrote to clients about their accounts. The time and date stamps on the files are during work hours, so you should include this information, too. Eventually, you hand the evidence file to your supervisor or to Steve, George's manager, who then decides on a course of action.

Critiquing the case in your report

After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and critique the case in an effort to improve your work. Ask yourself assessment questions such as the following:

- How could you improve your performance in the case?
- Did you expect the results you found? Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? If so, what are they?
- Did you use new techniques during the case or during research?

Task 2 Submission - Complete task 2 (15 points)
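The assignment text above says deleted files stay on the disk until overwritten and asks at what times of day the files were used. The following added example (not part of the assignment or of Autopsy) shows both at the byte level. It assumes the USB image uses a FAT file system, which the page does not state, and an assumed 09:00-17:00 workday with a 12:00-13:00 lunch; the file names and timestamps are constructed.

```python
import struct
from datetime import datetime, time

# 32-byte FAT short entry: name, ext, attr, write time, write date, cluster, size
ENTRY = struct.Struct("<8s3sB10xHHHI")
WORK, LUNCH = (time(9), time(17)), (time(12), time(13))  # assumed schedule

def fat_datetime(d, t):
    """Decode FAT date/time words (local time, 2-second resolution)."""
    try:
        return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:  # zeroed or corrupt timestamp
        return None

def classify(ts):
    if ts is None:
        return "unknown"
    if LUNCH[0] <= ts.time() < LUNCH[1]:
        return "lunch"
    return "work-hours" if WORK[0] <= ts.time() < WORK[1] else "off-hours"

def parse_directory(raw):
    """Return short-name entries, including ones marked deleted (0xE5)."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        name, ext, attr, wtime, wdate, cluster, size = ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:            # end-of-directory marker
            break
        if (attr & 0x3F) == 0x0F:      # long-file-name fragment, skip
            continue
        deleted = name[0] == 0xE5      # delete only overwrites the first name byte
        stem = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        written = fat_datetime(wdate, wtime)
        out.append({"name": f"{stem}.{ext.decode('ascii', 'replace').rstrip()}",
                    "deleted": deleted, "written": written, "size": size,
                    "period": classify(written)})
    return out

def make_entry(name, ext, when, size, deleted=False):
    """Build a constructed sample entry (not data from the case image)."""
    d = (when.year - 1980) << 9 | when.month << 5 | when.day
    t = when.hour << 11 | when.minute << 5 | when.second // 2
    raw = ENTRY.pack(name.ljust(8).encode(), ext.encode(), 0x20, t, d, 5, size)
    return (b"\xe5" + raw[1:]) if deleted else raw

SAMPLE = b"".join([  # constructed directory region followed by an end marker
    make_entry("CLIENTS", "XLS", datetime(2015, 7, 1, 10, 14, 30), 9216, deleted=True),
    make_entry("LETTER1", "DOC", datetime(2015, 7, 1, 12, 30, 0), 4096),
    make_entry("NOTES", "TXT", datetime(2015, 7, 1, 19, 5, 0), 120),
]) + bytes(32)
```

FAT stores these timestamps as local time with no time zone, so the report should record the clock and zone of the system that wrote them before drawing conclusions about work hours.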
