
Question


Hands-On Project 6-4

You should test new or updated digital forensics tools to make sure they're performing correctly. When complex software applications are updated, they might create new problems and function failures the vendor wasn't aware of. In this project, you test two competing digital forensics analysis tools to see how they compare in locating and recovering data. Keep in mind that even though tools have different strengths, they should yield similar results.

To compare OSForensics and ProDiscover Basic, you need the following:

ProDiscover Basic installed on your workstation

OSForensics installed on your workstation

Charlie's hard drive file from the M57 Patents case (available at http://digitalcorpora.org/corp/nps/scenarios/2009-m57-patents/drives-redacted/) extracted to your work folder

First, you use ProDiscover Basic to examine the file:

1. Start ProDiscover Basic. To start your analysis, click the New Project toolbar button. In the New Project dialog box, type C6Prj04PD for the project number and project filename, and then click OK. (Note: If you get an error when starting a new project, exit ProDiscover and start it again.)

2. In the tree view, click to expand Add, and then click Image File. In the Open dialog box, navigate to your work folder, click charlie-2009-12-07.E01, and then click Open.

3. In the tree view, click to expand Content View and then Images. Click to expand the image file, expand the C drive, and then click All Files. If necessary, click Yes in the ProDiscover message box that opens.

4. Next, click the Search toolbar button. Search terms have been created for the M57 case. In the Search dialog box, click the Content Search tab, if necessary. In the Search for the pattern(s) text box, type project2400 on one line and craigslist on a second line. Under Select the Disk(s)/Image(s) you want to search in, click the .e01 image file, and then click OK.

5. In the Search 1 tab of the search results, click the Filter button, and then click project2400. Read the files, and then click the Selection button and click Select All. (Close the Add Comment dialog box, if it opens.) When you're finished, click Add to Report.

6. Click the Search toolbar button. In the Search dialog box, click the Content Search tab, if necessary. In the Search for the pattern(s) text box, type kitty and kitten on separate lines. Under Select the Disk(s)/Image(s) you want to search in, click the .e01 image file, and then click OK.

7. In the Search 2 tab of the search results, click the Filter button, and then click kitty. Click the check box next to the one file that doesn't have an extension, and then click Add to Report.

8. In the tree view, click Report, and then click the Export toolbar button. In the Export dialog box, click the RTF Format option button, click Browse, and navigate to and double-click your work folder. Type Chap6-4-PD.rtf in the File name text box, and then click Save. Click OK in the Export dialog box, and then click File, Print Report from the menu to print your report.

9. When you're finished, click File, E

Next, you perform the same searches in OSForensics: Before starting this part of the project, create a subfolder of your work folder called C6Prj04.

1. Start OSForensics. Click Start in the left pane, if necessary, and in the right pane, click Create Case.

2. In the New Case dialog box, enter your name for the investigator, type C6Prj04 for the case name, and click the Investigate Disk(s) from Another Machine option button for the acquisition type. Click Custom Location for the case folder, click the Browse button, navigate to and click your Work/C6Prj04 folder, and then click OK twice.

3. Click the Add Device button. Click the Image File option button, and then browse to your work folder, click the charlie-2009-12-07.E01 image file, and click Open. Click OK twice.

4. Click the Create Index button in the left pane. In the Step 1 of 5 window, click the Use Pre-defined File Types option button, click all the file types listed, and then click Next. In the Step 2 of 5 window, click the Add button, click charlie-2009-12-07.E01, click OK, and then click Next. In the Step 3 of 5 window, type Index all file types in the Index Title text box, and then click Start Indexing.

5. When OSForensics finishes indexing the image file, click OK in the message box. Indexing might take an hour or more, so make sure you allow enough time.

6. Click the Search Index button in the left pane. In the Enter Search Words text box, type project2400, and then click Search in the right pane. Right-click each file in the results, point to Bookmark, and click Red.

7. In the Enter Search Words text box, type craigslist, and then click Search in the right pane. Right-click each file in the results, point to Bookmark, and click Yellow. Repeat this procedure with the search terms kitty and kitten, assigning the bookmark color red to kitty and the bookmark color yellow to kitten. (Note: In ProDiscover, you simply selected the file without an extension for the search term kitty.)

8. When you're done, click the Start button, and then click the Generate Report button. Accept the default settings, and click OK. In the report, notice your bookmarked files toward the bottom.

9. Compare the files you found with those found in ProDiscover, and note any discrepancies. Write a two-page report, including screenshots, to submit to your instructor. Explain which tool you prefer to use and why.

10. Exit your Web browser, and exit OSForensics.
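The comparison the final steps ask for can be made repeatable with a short script. The following is an added example, not part of the original project text or either tool: it assumes you have typed each tool's hit list into a dictionary keyed by search term, the function names are hypothetical, and the sample paths are constructed placeholders rather than real results from the M57 image.

```python
from pathlib import PureWindowsPath

def normalize(path: str) -> str:
    """Reduce a tool-reported path to a comparable key.

    Assumption: the tools may differ in drive prefix, slash direction
    and letter case when reporting the same file inside the image.
    """
    p = PureWindowsPath(path.strip().replace("/", "\\"))
    parts = [part for part in p.parts if part != p.anchor]
    return "\\".join(parts).lower()

def compare(hits_a: dict, hits_b: dict) -> dict:
    """Return, per search term, files found by both tools or by only one."""
    result = {}
    for term in sorted(set(hits_a) | set(hits_b)):
        a = {normalize(p) for p in hits_a.get(term, [])}
        b = {normalize(p) for p in hits_b.get(term, [])}
        result[term] = {
            "both": sorted(a & b),
            "only_a": sorted(a - b),
            "only_b": sorted(b - a),
        }
    return result

# Constructed sample input (placeholder paths, not actual findings).
PRODISCOVER = {
    "project2400": ["C:\\Documents and Settings\\Charlie\\notes.txt",
                    "C:\\pagefile.sys"],
    "kitty": ["C:\\Temp\\sample_noext"],
}
OSFORENSICS = {
    "project2400": ["c:/documents and settings/charlie/notes.txt"],
    "kitty": ["\\Temp\\sample_noext", "\\Temp\\cats.jpg"],
}

def discrepancies(report: dict) -> list:
    """Flatten the report to (term, tool, path) rows for the write-up."""
    rows = []
    for term, r in report.items():
        rows += [(term, "tool A only", p) for p in r["only_a"]]
        rows += [(term, "tool B only", p) for p in r["only_b"]]
    return rows

if __name__ == "__main__":
    for row in discrepancies(compare(PRODISCOVER, OSFORENSICS)):
        print(*row, sep=" | ")
```

Each row it prints is a file one tool reported and the other did not, which is the list of discrepancies to investigate and explain in the report.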
