CHAPTER 1 Understanding the Digital Forensics Profession and Investigations Hands-On Project 1-2 In this project, you work for a large corporations IT Security Department. Your duties include conducting internal digital investigations and forensics examinations on company computing systems. A paralegal from the Law Department, Ms. Jones, asks you to examine a USB drive belonging to an employee who left the company and now works for a competitor. The Law Department is concerned that the former employee might possess sensitive company data. Ms. Jones wants to know whether the USB drive contains anything relevant. In addition, she tells you that the former employee might have had access to confidential documents because a co-worker saw him accessing his managers computer on his last day of work. These documents consist of nine files containing the word confidential. She wants to know whether the USBs bit-stream image file has these documents. To process this case, make sure the C1Prj02.001 file has been extracted to your work folder, and then follow these steps:

1. Start Autopsy for Windows, if you exited it at the end of the previous project. If the previous project is open, click Case, Close Case from the menu. Click the Create New Case icon. In the New Case Information window, enter C1Prj02 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.
2. In the Additional Information window, type C1Prj02 in the Case Number text box and your name in the Examiner text box, and then click Finish.
3. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the Browse for an image file text box, navigate to and click your work folder and the C1Prj02.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.
5. Click the Keyword Search button at the far upper right, type confidential in the text box, and then click Search.
6. In the Result Viewer pane, a new tab named Keyword search 1 opens. Click each file to view its contents in the Content Viewer pane.
7. Ctrl+click to select the files in the Keyword search 1 tab. Right-click this selection, point to Tag File, and click Tag and Comment. In the Create Tag dialog box, click the New Tag Name button, type Recovered Office Documents in the Tag Name text box, and then click OK.
8. Click Generate Report at the top. In the Generate Report window, click the Results - Excel option button in the Report Modules section, and then click Next.
9. In the Configure Artifacts Report window, click the Tagged Results button, click the Recovered Office Documents check box, and then click Finish.
10. In the Report Generation Progress Complete window, click the Results - Excel pathname to open the Excel report. This Excel file should have several tabs of information about the files you tagged for this project.

Nelson, Bill, et al. Guide to Computer Forensics and Investigations, Cengage Learning US, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/csuau/detail.action?docID=5474388. Created from csuau on 2021-02-28 18:28:14. Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. CHAPTER 1 Understanding the Digital Forensics Profession and Investigations 11. In the Report Generation Progress Complete window, click Close, and then exit Autopsy. Write a memo to Ms. Jones listing the filenames where you found a hit for the keyword. List the cluster numbers for hits that occurred in unallocated space. Include the Excel spreadsheet with the report. Hands-On Project 1-3 Youre an IT security specialist for Superior Sailmakers, a company making sails for sloops and yawls. It sells rigging and sails to many sailboat makers who are competing against one another. Ms. Olsen in the Human Resources Department notifies you that she got an anonymous letter with an old USB drive. The letter states that a former employee, Ralph Williams, had photos belonging to ACE Sailboats that contained trade secrets from April 2006. The letter also states that after Mr. Williams ended his employment at Superior Sailmakers in January 2007, he used the photos on the USB drive to get hired by Smith Sloop Boats, a competitor of ACE Sailboats. Both sailboat manufacturers are customers of Superior Sailmakers. Ms. Olsen tells you that another specialist has already made an image of the USB drive in the Expert Witness format (with an .E01 extension). She wants you to examine its contents for any photograph files to determine whether the anonymous complaint is true. After your examination, you need to generate a report that Ms. Olsen will send to the Legal Department. The Legal Department will then determine whether any violations of trade secret or intellectual property laws might have occurred. Follow these steps:

1. Start Autopsy for Windows, and click the Create New Case icon. In the New Case Information window, enter C1Prj03 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.
2. In the Additional Information window, type C1Prj03 in the Case Number text box and your name in the Examiner text box, and then click Finish.
3. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the Browse for an image file text box, navigate to your work folder and click the C1Prj03.E01 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.

Because youre looking for photos of sailboats that were copied to the USB drive sometime during April 2006, perform the following steps.

1. In the Tree Viewer pane, expand Views, File Types, By Extension, and Images.
2. In the Result Viewer pane, scroll to the right, if necessary, until the Modified Time column is in view. Sort the column by clicking the Modified Time header.
3. Scroll down until you find the first file with a starting month of April 2006, and then click the file to view it in the Content Viewer. Press the down arrow on the keyboard to view all files created or modified in April 2006.
4. Ctrl+click every file that has a photo of a boat or part of a boat. Right-click this selection, point to Tag File and then Quick Tag, and click Follow Up.

Nelson, Bill, et al. Guide to Computer Forensics and Investigations, Cengage Learning US, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/csuau/detail.action?docID=5474388. Created from csuau on 2021-02-28 18:28:14. Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require CHAPTER 1 Understanding the Digital Forensics Profession and Investigations

In the Tree Viewer pane, scroll down and expand Tags, Follow Up, and File Tags.

1. In the Result Viewer pane, click the Thumbnail tab to view the tagged photos.
2. To create a report, click Generate Report at the top. In the Generate Report window, click the Results - HTML option button in the Report Modules section, and then click Next.
3. In the Configure Artifacts Report window, click the Tagged Results button, click the Follow Up check box, and then click Finish.
4. In the Report Generation Progress window, click the Results - HTML pathname to view the report. When viewing the report, click the links to examine the tagged files. When youre finished, click Close in the Report Generation Progress window.
5. Exit Autopsy, and write a short memo to summarize your findings.

Hands-On Project 1-4 Sometimes discovery demands from law firms require you to recover only allocated data from a disk. This project shows you how to extract just the files that havent been deleted (that is, the allocated files) from an image.

1. Start Autopsy for Windows. Click the Create New Case icon. In the New Case Information window, enter C1Prj04 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.
2. In the Additional Information window, type C1Prj04 in the Case Number text box and your name in the Examiner text box, and then click Finish.
3. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the Browse for an image file text box, navigate to your work folder and click the C1Prj04.E01 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.
5. In the Tree Viewer pane, expand Views, File Types, and By Extension. Under By Extension are several subfolders representing file types, as youve seen in previous projects. Next to each file type subfolder is a number enclosed in parentheses, which shows the number of files of this type Autopsy found. Click subfolders with numbers greater than zero to view the files.
6. In the Result Viewer pane, scroll to the right, if necessary until the Flags(Meta) column is in view. Sort the column by clicking the Flags(Meta) header, which displays all allocated files to the top of the list.

Nelson, Bill, et al. Guide to Computer Forensics and Investigations, Cengage Learning US, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/csuau/detail.action?docID=5474388. Created from csuau on 2021-02-28 18:28:14. Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. CHAPTER 1 Understanding the Digital Forensics Profession and Investigations

Note

In the Result Viewer pane, allocated (not deleted) files have a paper sheet icon to the left of the filename. Deleted (unallocated) files have a red X over the paper sheet icon, and unallocated files that have been corrupted and recovered by the OS have a diagonal broken bar icon.

1. Scroll to the left until the Name column is visible. If there are allocated files, they will be at the top of this list. Ctrl+click each allocated file, right-click this selection, and then click Extract File(s).
2. In the Save dialog box, click Save to save the files automatically in Autopsys case subfolder: Work\Chap01\Projects\C1Prj04\Export.
3. Write a brief memo that lists all the files you exported. Leave Autopsy running for the next project.

Hands-On Project 1-5 This project is a continuation from the previous project. You create a report listing all the unallocated (deleted) files Autopsy finds.

1. Start Autopsy for Windows and click the Open Recent Case icon, if necessary.
2. In the Tree Viewer pane, expand Views, File Types, Deleted Files, and All.
3. In the Result Viewer pane, Ctrl+click all files in the All subfolder. Right-click this selection, point to Tag File and then Quick Tag, and click Follow Up.
4. Click Generate Report at the top. In the Generate Report window, click the Results - Excel option button in the Report Modules section, and then click Next.
5. In the Configure Artifacts Report window, click the Tagged Results button, click the Follow Up check box, and then click Finish.
6. In the Report Generation Progress Complete window, click the Results - Excel pathname to open the Excel report. When youre finished, click Close in the Report Generation Progress window.

Write a brief memo listing all the deleted files on your report spreadsheet. Exit Autopsy. Hands-On Project 1-6 In this project, another investigator asks you to examine an image and search for all occurrences of the following keywords:

• ANTONIO
• HUGH EVANS

HORATIO After you complete these searches, the investigator wants a short report listing which files contain these names. 1. Start Autopsy for Windows. Click the Create New Case icon. In the New Case Information window, enter C1Prj06 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next. CHAPTER 1 Understanding the Digital Forensics Profession and Investigations

In the Additional Information window, type C1Prj06 in the Case Number text box and your name in the Examiner text box, and then click Finish.

1. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the Browse for an image file text box, navigate to your work folder and click the C1Prj06.E01 file, and then click Open. Click Next.
2. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.
3. Click the Keyword Lists button at the far upper right, and then click Manage List.
4. In the Global Keyword Search Settings dialog box, click the New List button. In the New Keyword List dialog box, type ListSearch1 in the New keyword list text box, and then click OK.
5. In the Keyword Lists section, click ListSearch1, as shown in Figure 1-22, and then click the New keywords button under the Keyword Options heading.

Figure 1-22 The Global Keyword Search Settings dialog box Source: www.sleuthkit.org 8. In the New keywords dialog box, type ANTONIO in the Enter keywords (one per line) below text box and press Enter, type HUGH EVANS and press Enter, and then type HORATIO and click OK. Click OK again. Nelson, Bill, et al. Guide to Computer Forensics and Investigations, Cengage Learning US, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/csuau/detail.action?docID=5474388. from csuau on 2021-02-28 18:28:14. Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 62 CHAPTER 1 Understanding the Digital Forensics Profession and Investigations

Case Project 1-2 Jonathan Simpson owns a construction company. One day a subcontractor calls him, saying that he needs a replacement check for the job he completed at 1437 West Maple Avenue. Jonathan looks up the job on his accounting program and agrees to reissue the check for $12,750. The subcontractor says that the original check was for only $10,750. Jonathan looks around the office but cant find the company checkbook or ledger. Only one other person has access to the accounting program. Jonathan calls you to investigate. How would you proceed? Write a one-page report detailing the steps Jonathan needs to take to gather the necessary evidence and protect his company.

Case Project 1-3 You are the digital forensics investigator for a law firm. The firm acquired a new client, a young woman who was fired from her job for inappropriate files discovered on her computer. She swears she never accessed the files. What questions should you ask and how should you proceed? Write a one- to two-page report describing the computer the client used, who else had access to it, and any other relevant facts that should be investigated.

Attachments:

Hands-on-chap....pdf

ITC597-Topic-....pdf

ITC597-Topic-....pdf

ITC597-Topic-....pdf