Question
The purpose of this lab is to try using forensic tools to examine Microsoft filesystem images to see what you can recover. It is important to make sure your reports include all relevant evidence, but not irrelevant items or things outside the scope of your investigation.
Autopsy as a tool for identifying whether pictures of Clint Eastwood are on a suspect drive
In this investigation, we are continuing with our investigation of Donald. We are attempting to determine whether he used the computer to get images of Clint Eastwood from the internet.
Download Autopsy and install it, then run it
Add the wholedrive image file from lab 1
Use the evidence tree to view the filesystems found in the image, and explore them to see what files are in the image
Clicking on a file in the file listing allows you to view a file. Use that ability to see if there are any pictures there of Clint Eastwood. If you find any, check the box next to the file with Clint Eastwood, and tag them as notable items.
When you have examined all the pictures and tagged all the photos with Clint Eastwood in them, click Generate Report
Create the report in html format
Open the report by clicking on the file link and review it, taking note of what the report contains and what you would need to add to make it a complete forensic report. Include the report in your submission for this lab.
Using Prodiscover for identifying evidence of transactions between George Montgomery and Laura Roper
In this investigation, there is an allegation that Laura Roper and George Montgomery worked together. We are looking for evidence that will show whether they had an ongoing business relationship or not. An image file has been captured for us by a 3rd party. We have no access to the third party.
Download a copy of Prodiscover Basic
Install Prodiscover Basic and start it
Start a new case
Add the inChp02.eve image file extracted from the InChp02.exe self-extracting zip file.
Use the Search item in the Prodiscover navigation tree to try finding files with the words George, Montgomery, Laura, or Roper in them.
Examine the contents of the found files to see if they do reference George and Laura, and if they do, check them off as files of interest with suitable comments about what is in the files you found. Do not include files that aren't relevant to both George and Laura together.
Generate a report of your findings that describes the relationship between George and Laura and include that in your submission for this lab.
Finding Zone.identifier streams using Autopsy
Start a new case
Add the wholedrive image file you made last week
Click in the evidence tree to select drive C, directory catfiles, so that the files show up in the file list on the upper right
Repeat the previous step, but use the catfiles directory on drive D
Include the following questions with your answers in your submission for this lab.
What extra files do you see on the D drive in the catfiles directory, compared to the C drive?
What is in those extra files?
How might you use that information as part of an investigation?
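As an added example (not part of the lab instructions or of Autopsy), a small parser for the contents of a Zone.Identifier stream, the kind of extra entry the catfiles comparison surfaces; the sample stream is constructed rather than taken from the wholedrive image.

```python
from typing import Dict, Optional

# Windows URL security zone ids (URLZONE values) as written in ZoneId=.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(data: bytes) -> dict:
    """Parse a <file>:Zone.Identifier stream: INI-style text with a
    [ZoneTransfer] section. ZoneId is required; ReferrerUrl and HostUrl
    are written only by newer browsers, so they come back as None if absent."""
    section: Optional[str] = None
    fields: Dict[str, str] = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            # partition() splits on the first '=' only, so URLs keep their query strings
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone_id = int(fields["zoneid"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, f"unknown ({zone_id})"),
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }

# Constructed sample stream; not taken from the lab's wholedrive image.
SAMPLE_ADS = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
              b"ReferrerUrl=https://example.com/gallery/\r\n"
              b"HostUrl=https://example.com/gallery/cat.jpg\r\n")

if __name__ == "__main__":
    zi = parse_zone_identifier(SAMPLE_ADS)
    print(f"zone {zi['zone_id']} ({zi['zone_name']}), downloaded from {zi['host_url']}")
```

A ZoneId of 3 with a HostUrl ties the file to an internet download and to the site it came from, which is the kind of fact the third question asks you to use.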
Examining the registry in an image file using AccessData Registry Viewer
If you have an image capture that includes the system.dat and user.dat files from the Windows folder on a C: drive, you can examine the registry in that image. In this scenario, we are trying to determine if a captured registry from an employee's computer has any information which might be useful to a paralegal investigating Denise Robinson, who works for a competitor, Superior Bicycles.
Begin by copying the two registry files to a temporary folder. For this lab, you can download some sample files.
Extract the system.dat and user.dat files to a temporary folder.
Now we are going to look for references to Superior Bicycles or Denise Robinson in the registry to see if they left tracks there.
Download the AccessData Registry Viewer and install it. When you start it, it will ask about a security device for licensing use, just choose No to run in Demo mode.
Use File->Open to open the user.dat file you previously downloaded.
Use Edit->Find and Edit->Find Next to find the string superior and the string denise in the registry image.
Save a list of the registry keys you found and their contents, and include them in your submission for this lab.
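The keyword searches in the ProDiscover step (George, Montgomery, Laura, Roper) and in this registry step (superior, denise) both come down to finding a string in a raw image; this added example, not from the lab or either tool, does that case-insensitively in both single-byte and UTF-16LE form over a constructed byte string standing in for a slice of a hive or disk image.

```python
import re
from typing import Iterable, List, NamedTuple

class Hit(NamedTuple):
    keyword: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match inside the image
    context: str    # printable rendering of the bytes around the match

def _printable(chunk: bytes, encoding: str) -> str:
    text = chunk.decode(encoding, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)

def keyword_search(image: bytes, keywords: Iterable[str], context: int = 16) -> List[Hit]:
    """Case-insensitive search for each keyword in single-byte text and in
    UTF-16LE, the encoding Windows uses for many registry values and NTFS
    names; searching the ASCII form alone misses the UTF-16LE copies."""
    hits: List[Hit] = []
    for kw in keywords:
        for enc, width in (("ascii", 1), ("utf-16le", 2)):
            needle = re.escape(kw.encode(enc))
            for m in re.finditer(needle, image, flags=re.IGNORECASE):
                # Keep the context window aligned to the code-unit width so
                # UTF-16LE text decodes cleanly.
                start = max(m.start() - context * width, m.start() % width)
                end = min(len(image), m.end() + context * width)
                hits.append(Hit(kw, enc, m.start(), _printable(image[start:end], enc)))
    hits.sort(key=lambda h: h.offset)
    return hits

# Constructed stand-in for a slice of a registry hive or disk image; it is not
# data from the lab's inChp02.eve or user.dat files.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"Software\\Vendor\\LastCustomer=SUPERIOR BICYCLES INC\x00"
    + b"\xff" * 12
    + "C:\\Users\\drobinson\\Denise Robinson.doc".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in keyword_search(SAMPLE_IMAGE, ["superior", "denise", "laura"]):
        print(f"{hit.offset:#010x} {hit.encoding:<9} {hit.keyword!r}: {hit.context}")
```

The offset and context of each hit are what you carry into the report alongside the key or file the tool shows it in; a keyword with no hit in either encoding is evidence of absence only for the strings you actually searched.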
Grading
Submit a single PDF file containing your results of doing the 4 investigations in the lab instructions on GitHub.
For the first investigation, include the instructions, your activity notes, and a screenshot of the Autopsy window showing the tagged image file in the html report.
For the second investigation, include the report of your findings.
For the third investigation, include the 3 questions and your answers.
For the fourth investigation, include either screenshots of the keys you found with their contents, or a copy-pasted list of them with their contents.