Question
Lab Questions: ANSWERS MUST BE IN COMPLETE SENTENCES FOR FULL CREDIT.
2. Record your MD5 and SHA hashes.
3. Include a screenshot from your overview tab showing the breakdown of evidence types.
4. What indicates a file has been deleted in FTK? (Besides showing up in the deleted files section of the overview tab.)
5. Record your MD5 and SHA hashes.
6. What is the difference (if any) between the computed hash and the report hash calculated in your lab? (Were the hashes in Question 2 and Question 5 the same? What does this indicate?)
7. What information did you learn about the practicecase.001 dd image you downloaded from Blackboard? What kind of file system and operating system was used to create this disk? (Hint: If you can identify the file system, look up the associated operating system.)
8. Why is it important to run WinHex or other forensic tools in Write Protect mode?
9. Why is it important to securely wipe (erase) a disk before saving evidence to it?
10. What is Safe Mode and how do you get into it?
11. Where would you go to find out which device the machine is set to boot from?
12. What is the System Restore tool used for? How do you set a system restore point?
13. Why is the System Restore tool of interest to a forensic examiner?
practicecase.001 dd image:
Information for C:\Documents and Settings\Anne\Desktop\New Folder (2)\practicecase:
Physical Evidentiary Item (Source) Information:
[Drive Geometry]
 Bytes per Sector: 512
 Sector Count: 2,880
 Source data size: 1 MB
 Sector count: 2880
[Computed Hashes]
 MD5 checksum: 192b0865c614370bdc307d0053ccf1b5
 SHA1 checksum: f2ccc2dc4aa4e5721de05dda71e986f8139c9e75
Image Information:
 Segment list:
  C:\Documents and Settings\Anne\Desktop\New Folder (2)\practicecase.001
Mon Sep 04 21:35:48 2006 - Image Verification Results:
 MD5 checksum: 192b0865c614370bdc307d0053ccf1b5 : verified
 SHA1 checksum: f2ccc2dc4aa4e5721de05dda71e986f8139c9e75 : verified
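The comparison that Questions 2, 5 and 6 turn on, recomputing an image's hashes and checking them against the recorded ones, as an added example that is not part of the original lab or of any tool's own code. The function names are hypothetical, and the image it hashes is a constructed blank stand-in, not the real practicecase.001.

```python
import hashlib
import io
import re

# Summary fields as shown in the report on this page.
REPORT = """[Drive Geometry]
Bytes per Sector: 512
Sector Count: 2,880
[Computed Hashes]
MD5 checksum: 192b0865c614370bdc307d0053ccf1b5
SHA1 checksum: f2ccc2dc4aa4e5721de05dda71e986f8139c9e75
"""

def parse_report(text):
    """Extract the expected image size and recorded hashes from the summary."""
    def field(label):
        m = re.search(rf"{re.escape(label)}:\s*(\S+)", text, re.I)
        if not m:
            raise ValueError(f"report is missing '{label}'")
        return m.group(1)
    sectors = int(field("Sector Count").replace(",", ""))
    return {
        "size": int(field("Bytes per Sector")) * sectors,
        "md5": field("MD5 checksum").lower(),
        "sha1": field("SHA1 checksum").lower(),
    }

def hash_stream(stream, chunk=1 << 20):
    """Hash an image in chunks so a large image never sits in memory whole."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    while block := stream.read(chunk):
        md5.update(block)
        sha1.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify(report_text, stream):
    """Per-field match results; the image is verified only if all are True."""
    want, got = parse_report(report_text), hash_stream(stream)
    return {key: want[key] == got[key] for key in ("size", "md5", "sha1")}

if __name__ == "__main__":
    # Constructed stand-in: 2,880 zeroed 512-byte sectors (same geometry only).
    blank = bytes(512 * 2880)
    print(verify(REPORT, io.BytesIO(blank)))
```

To check a real image, open it read-only in binary mode and pass the file object to `verify` in place of the `BytesIO` stand-in.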