Question
Learning Objective: Using the correct tool to analyze a forensic image and recover various artifacts of value.
Narrative: Online monitoring of extremist websites has identified an individual who may be linked with possible extremist organizations. Subpoena requests to the internet service providers based on the suspect's IP address have led investigators to a specific residence.
A team entered the suspect's residence and found a powered-down Dell laptop computer. The suspect was not present. Triage indicated that files of possible value might be found and that a full forensic exam would be beneficial.
They were able to create a forensic image on scene and bring it back for you to analyze. Your task is to analyze the forensic image file using any tools/techniques we have covered and answer the following questions. Please be specific and include where you found the answer. Use screenshots where appropriate or convenient.
Assume all the tools we have been using have been validated and approved for use and use only the tools I've provided. When analyzing a multipart forensic image file, you only need to add/point to the first (*.E01) file, and make sure all the image files are together in one folder.
Artifact Questions
- Verify the Image. What is the verification hash value of this image?
- How many partitions are there on this image? Which one contains User data?
- What is the Computer Name?
- What version of Windows is this user running?
- When was this version of Windows installed?
- Who is the registered owner of this computer?
- When was this computer last shut down?
- There were several different USB mass storage devices plugged into this computer. How many and what brand were these devices?
- What is the time zone setting on this computer?
- There is a folder with a series of pictures of Rocket Propelled Grenade launchers on this computer (several pictures in one folder). Where are they located and what is the status of these pictures?
- Examine the metadata (EXIF data) associated with the pictures and report any finding.
- Find any user-created ".docx" files that may be of value and record the author based on the metadata.
- Find the folder titled posters.
  - What is the full path of this folder? (i.e., C:\Windows\...)
  - Did the user try to hide the files in this folder? How?
- What is the user's full email address?
- Who has the user been in contact with via email?
- Where did the file Trip.zip come from, and where is it now?
- What does this file contain?
- What search terms has this user searched the Internet for that might be relevant? When exactly did each of those searches take place?
- Did the user access the pictures of RPG launchers you found earlier? What proof do you have?
- Give a brief executive-level case summary write-up. Include information on what organization the owner of the computer belongs to, who his "contact" is and what organization he belongs to, and any other information you think may be relevant to the investigation.