Hands-On Project 16-4

This project is a follow-up based on an e-mail found in the Excel report from Hands-On Project 16-3. Cell B66 of the reports E-Mail Messages worksheet lists an e-mail sent to Mr. Sadler from the e-mail address dr-superior@ on October 27, 2017, at 11:59:52 a.m. PDT. This e-mail address belongs to Denise Robinson, the Human Resources manager at Superior Bicycles. Further examination of cell B77 shows another e-mail from ruth.wonderly6e@ that includes Denise Robinsons e-mail address in its contents. This e-mail was sent October 26, 2017, at 11:24:10 a.m. PDT.

Mr. Benson recalls seeing an e-mail from Ruth Wonderly on Tom Johnsons computer (see Figure 14-6 or cell B140 of the Excel report for Hands-On Project 14-3). This e-mail was sent October 16, 2017, at 4:13 p.m. PDT. For this project, he wants you to confirm that the e-mails found in the forensic images of Mr. Johnsons and Mr. Sadlers computers are also in the forensic image of Denise Robinsons computer. Follow these steps:

1. Download Ch16Proj04.exe from this chapters downloads section of the student companion site for this book. In File Explorer, double-click the Ch16Proj04.exe file and click Extract to extract it to your work folder.

2. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, enter Proj1604 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.

3. In the Additional Information window, type Proj1604 in the Case Number text box and your name in the Examiner text box, and then click Finish.

4. In the Select Data Source window, click the Browse button next to the Browse for an image file text box, navigate to your work folder, click the GCFI-dr01.001 file, and click Open. Click Next.

5. In the Configure Ingest Modules window, click Deselect All, and click the Email Parser check box. Click Next and then Finish.

6. In the Tree Viewer, click to expand Results, E-Mail Messages, Default (Default), and Default. In the Result Viewer pane, click the Date Sent header once to sort e-mails from oldest to most recent. Scroll down and click the e-mail sent October 26, 2017, at or after 11:24 a.m. PDT from Terry Sadler to Denise Robinsons Ruth Wonderly account (see Figure 16-32

7. Right-click the e-mail, point to Tag Results, and click Tag and Comment. In the Create tag dialog box, click the New Tag Name button, type Recovered EMail in the Tag Name text box, and click OK twice.

8. In the Result Viewer pane, click the E-Mail From header once to sort e-mails in alphabetical order. Scroll down and find all emails with the account name ruth. wonderly. Examine the contents of each email. For all emails with the name Tom or Tom Johnson in the body of the message, right-click the email, point to Tag Results and Quick Tag, and click Recovered EMail. Skip any redundant e-mails.

9. Click Generate Report. In the Generate Report window, click the Results - Excel option button in the Report Modules section, and then click Next. In the Configure Artifact Reports window, click the Tagged Results button, click Select All, and then click Finish.

10. When the report has been generated, click the Results - Excel pathname in the Report Generation Progress window to view the report, and then exit Autopsy. Turn the report in to your instructor.