


Step 1: Create an Image in FTK Imager
One of the first steps in conducting digital forensic investigations involves creating a forensic image of the digital evidence disk or drive. Digital forensics evidence can be found in operating systems, disk drives, network traffic, emails, and in software applications. To help the detectives in your department to better understand the digital forensics investigation process, you have offered to show them how you create an image using FTK Imager. Media investigations of digital storage devices can include audio files, pictures, videos, words, portions of files, graphic files, and information about a file. Graphics files can be a rich source of forensic evidence.
Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and text file (DFC620_Lab1_Name.ad1) that document your imaging process with information such as hash values.
Submit your report for review and ungraded feedback from the detectives (your instructor). Incorporate any suggested changes; you will include your report in the Use of Access Data Tools paper that you submit in Step 4.
Now that you have demonstrated the imaging process and investigative techniques to detectives, you are ready to proceed to the next step in which you demonstrate the use of Registry Viewer.
Step 2: Process an Image From the Suspect Mantooth's Computer
In the previous step, you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis, so you decide to go to the virtual lab and use Registry Viewer to access user account information for the image from a computer owned by a suspect named Mantooth. Detectives don’t yet have the suspect’s first name and are seeking more information.
Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.
The image you will be viewing, Mantooth, is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. Registry Viewer provides the ability to view the contents of various types of registry files so it will help to answer some of the questions posed by detectives. You can also investigate the suspect Mantooth's email activity and picture files.
The detectives have requested specific information that you will detail in the lab, including Mantooth's first name, email information, and other material that can be gleaned from the computer hard drive. See the lab instructions for specific questions to answer.
The detectives have requested the following information:
1. Mantooth's first name and a screenshot of a picture
2. number of jpg files in the Mantooth evidence file
3. names of the email domains from the email in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received email message for each domain
4. names of people who have sent email to or received email from Mantooth, and the number of emails sent or received to and from each person
5. information on encryption—whether it was used for any of the email, and if so, what type
6. evidence of potential criminal activity within this image
7. information on how PINs were captured
8. vehicle identification number of the '92 Dodge
9. identity of Sean and his role in this case
10. information on password(s)—where you found it/them, whether it/they are usable, what it/they are used for
The detectives are also asking for:
1. summary of findings
2. case documentation, such as tools used, version, and image hashes
3. screenshots or other forensic artifacts supporting your responses to the questions
Review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using Access Data tools.
Just when you think that the detectives are satisfied with the information that you’ve provided, they request even more information on the suspects and the crime. You can’t say no, so you turn to PRTK to help you access that data.
Step 3: Process an Image From the Suspect Washer's Computer
The Mantooth image has provided a lot of new information, but the detectives want more. PRTK is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer.
Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.
The Washer image is a subset of a full computer image (like the Mantooth image), so processing time is reduced. While it is rich in artifacts, it is small enough to process in minutes rather than hours. You have full confidence that an investigation of the Washer image will approximate the investigation of a full computer image. Registry Viewer allows you to view the contents of registry files, but PRTK can decrypt files as well. Passwords for certain files may be recoverable from other artifacts on the image as well.
The detectives have asked you to analyze the Washer and thumb drive images within FTK to ferret out facts, and have provided a list of detailed questions on Washer, his associates, and other information from the computer and its files. You will include your answers to these questions in your final paper on the Use of Access Data tools.
1. What are the AIM usernames for Rasco Badguy and John Washer?
2. What is the current zip code for the AOL IM account registered to Washer?
3. When was AOL IM installed?
Rasco Badguy and John Washer plan to camp.
1. What does Rasco's vehicle look like? Provide a description. Who might Rasco bring with him?
2. Provide the starting and ending points for their camping trip, as well as the name of the body of water nearby (same as the road running along the shore). Find a map and directions to the spot where they will camp.
Provide this additional information:
1. Document three distinct types of criminal activity that are under consideration and discussion by these people.
2. There is a piece of software that will support one of the types of criminal activity under consideration. It is being obscured by file manipulation or encryption. Document the name of the file, its function, and what needs to be installed for it to operate properly.
3. Document two names, addresses, and credit card or account numbers of potential victims.
4. Prove that the file “How to Steal Credit Card Numbers.doc” was opened on the computer.
5. The word “oops” has come up in intercepted traffic. Document what it refers to.
6. Document three ways this case has familiarity or linkages to any other case you are familiar with.
7. Several people in this case owe money. Document who they are and how much they owe.
8. Is there anything that links the thumb drive to the Washer image?
9. Document how many times the administrator account was used and the date of the last log-in (hint: during 2008).
Once again, the detectives are asking for a summary of your investigative procedures and findings, so you document the following:
1. summary of findings
2. case documentation such as tools used, version, and image hashes
3. screenshots or other forensic artifacts that support your responses to all questions
Review your responses and summary documentation carefully for accuracy and completeness since you will be including them in your final paper.
Step 4: Submit Final Paper: Use of Access Data Tools
The time has come to combine work products from the earlier steps into a final paper summarizing the Use of Access Data Tools. You submit it to the detectives (your instructor) and cross your fingers that it contains everything they need to know about the most widely used tools available for accessing and imaging forensic data.

Forensic Imaging Lab

Mantooth Image Processing and Analysis Lab

Washer Image Processing and Analysis Lab
Answered 8 days After Mar 03, 2022
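Questions 3 and 4 of Step 2 ask for per-domain and per-correspondent counts of sent and received messages, with the oldest and newest date for each. The script below is an added example, not part of the assignment or of the posted answer, showing how those figures can be derived from parsed message headers once the mail store has been exported from the image. The suspect's address (SUSPECT) and all five messages are constructed, hypothetical data; direction is decided relative to that address, and a message addressed to several people in one domain is counted once for that domain.

```python
"""Per-domain and per-correspondent email statistics for a suspect's mailbox.

Added example, not part of the assignment or the posted answer.  SUSPECT and
every message below are constructed, hypothetical data.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

SUSPECT = "mantooth@example-mail.test"   # assumption: the suspect's own address

# Constructed sample messages (RFC 5322 headers plus a placeholder body).
SAMPLE_MESSAGES = [
    "From: mantooth@example-mail.test\nTo: Sean <sean@partner.test>\n"
    "Date: Mon, 07 Jan 2008 10:15:00 -0500\nSubject: plans\n\nbody\n",
    "From: Sean <sean@partner.test>\nTo: mantooth@example-mail.test\n"
    "Date: Tue, 08 Jan 2008 09:00:00 -0500\nSubject: Re: plans\n\nbody\n",
    "From: mantooth@example-mail.test\nTo: buyer@shop.test\nCc: sean@partner.test\n"
    "Date: Fri, 15 Feb 2008 18:30:00 -0500\nSubject: order\n\nbody\n",
    "From: bob@shop.test\nTo: mantooth@example-mail.test\n"
    "Date: Sat, 01 Mar 2008 12:00:00 -0500\nSubject: invoice\n\nbody\n",
    # Third-party mail that merely sits in the store; not the suspect's correspondence.
    "From: alice@other.test\nTo: carol@other.test\n"
    "Date: Sun, 02 Mar 2008 08:00:00 -0500\nSubject: unrelated\n\nbody\n",
]


def _addresses(msg, *headers):
    """Lower-cased (name, address) pairs taken from the named header fields."""
    values = []
    for header in headers:
        values.extend(msg.get_all(header, []))
    return [(name, addr.lower()) for name, addr in getaddresses(values) if addr]


def classify(msg, suspect=SUSPECT):
    """Return ('sent', recipients) or ('received', senders) relative to the
    suspect, or (None, []) if the suspect is neither author nor recipient."""
    senders = _addresses(msg, "From")
    recipients = _addresses(msg, "To", "Cc", "Bcc")
    if any(addr == suspect for _, addr in senders):
        return "sent", [p for p in recipients if p[1] != suspect]
    if any(addr == suspect for _, addr in recipients):
        return "received", senders
    return None, []


def _new_stats():
    return {"count": 0, "oldest": None, "newest": None}


def analyse(raw_messages, suspect=SUSPECT):
    """Build domains[domain][direction] -> {count, oldest, newest} and
    people[address][direction] -> count from a list of raw messages."""
    domains = defaultdict(lambda: {"sent": _new_stats(), "received": _new_stats()})
    people = defaultdict(lambda: {"sent": 0, "received": 0})
    for raw in raw_messages:
        msg = message_from_string(raw)
        direction, parties = classify(msg, suspect)
        if direction is None or not msg["Date"]:
            continue
        when = parsedate_to_datetime(msg["Date"])
        # One message counts once per domain, even with several recipients there.
        for domain in {addr.rsplit("@", 1)[-1] for _, addr in parties}:
            stats = domains[domain][direction]
            stats["count"] += 1
            if stats["oldest"] is None or when < stats["oldest"]:
                stats["oldest"] = when
            if stats["newest"] is None or when > stats["newest"]:
                stats["newest"] = when
        for _, addr in parties:
            people[addr][direction] += 1
    return dict(domains), dict(people)


def report(raw_messages, suspect=SUSPECT):
    """Plain-text table suitable for pasting into the lab write-up."""
    domains, people = analyse(raw_messages, suspect)
    lines = []
    for domain in sorted(domains):
        for direction in ("sent", "received"):
            s = domains[domain][direction]
            if s["count"]:
                lines.append(f"{domain:14} {direction:8} {s['count']:3}  "
                             f"{s['oldest']:%Y-%m-%d} .. {s['newest']:%Y-%m-%d}")
    for addr in sorted(people):
        p = people[addr]
        lines.append(f"{addr:24} sent={p['sent']} received={p['received']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGES))
```

Messages that do not involve the suspect at all (the alice/carol pair above) are deliberately ignored rather than attributed to a domain, and a message with no Date header is skipped rather than guessed; both cases would otherwise silently distort the counts the detectives are asking for.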

Solution

Neha answered on Mar 11 2022
90 Votes
Forensic Investigation
A forensic investigation can be defined as the practice of lawfully establishing evidence and facts so that they can be presented in court. The term is generally used for most investigations, whether about financial fraud or a murder case. Most people assume forensics is related to the crime scene where physical evidence is collected. There are different types of forensic investigation, such as computer forensics, and there are fields which focus on insects, crime scenes or dentistry.
Computer Forensics
Computer or digital investigation is the fastest growing division of forensics, and it is the branch of the science which involves legal evidence found on digital storage media and computers. This field of investigation has multiple subdivisions, including mobile device investigation, database forensics and portable device forensics. Digital forensic investigation is used in different situations, such as examining the computer system used by a defendant to find evidence. Investigators can use different programs and utilities to recover lost data after a system crash or after efforts by the suspect to eliminate incriminating files present on the computer. It is mandatory to handle and present digital evidence carefully so that it is admissible in the courtroom. There are different techniques and methods which can be used to define the steps followed during a forensic investigation. The following are the basic steps which need to be followed:
· The first step is to prepare. For the preparation we need specific training, corporate policies and procedures, and also practice for examinations and investigations. Specialized forensics certificates can be considered for forensic investigators.
· The second step is to identify. When approaching the incident scene we need to review whatever is taking place on the computer screen. If data is being deleted, then we need to pull the power plug from the wall; otherwise we can perform a real-time capture of the system's volatile data.
· The third step is to preserve. Once we have retrieved the volatile data we can turn off the machine and remove it from the scene. The machine can then be examined in an isolated environment. We have to perform a full bitstream image capture of the data present on the machine.
· The next step is to select. Since we now have a verified copy of the data, the investigation can be started by selecting the potential evidence files from common locations in the dataset. We need to isolate the event-specific data collected from the system for further examination.
· Now we have to look for hidden storage locations of data like unallocated space, file allocation table space on the hard drives and slack space. We also have to check the registry entries and root directories for potential indicators of storage activity.
· Now we can evaluate the data from the potential locations for relevancy to the current investigation.
· The next step is to review all the data collected from the relevant locations and make sure that the data is legible, relevant and readable.
· The last step is to present the data. We need to prepare a report which can be presented in front of the court or corporate officers.
To perform digital forensic imaging, we need to follow a strict set of procedures for extracting the evidence which may be present on a computer device. Most of the time these devices hold evidence which can be vital in a criminal investigation, and any alteration of the original data will make the evidence inadmissible in court. Forensic images are also known as mirror images or ghost images. To create such images we need to follow a highly detailed process, and it is performed by highly trained professionals only. Currently the industry uses algorithms for tracking and authenticating the imaging and extraction process. They are used to make sure that the image and the original are identical. To search for electronic evidence, the investigator is required to know where to look. Evidence can be found on different devices, and it is not limited to the files which are visible on the device. Criminals always try to find new methods with which they can hide files so that they are not easily found by investigators. The most general targets of investigations are images, documents and emails.
The very first step in conducting a forensic investigation is to create images of the evidence. This covers the capture of network traffic, operating systems, software evidence, emails and other related files. We need to make a forensic image of all the evidence involved in the case. This image is a perfect bit-for-bit copy of the source, and the process is known as bitstream imaging or hard drive imaging. It is different from a traditional copy or backup of the drive, in that it contains everything on the drive, not only the active files. It includes all areas, including unallocated space and deleted files. When an information technology professional makes a copy of a computer, it contains just the active files present on the computer. Active files can be operating system files, Word and Excel files, data files, email and pictures, but such a copy does not include files which were deleted or which are not essential, even though those can be valuable data for the investigation. Another point while creating images is to use the right write-blocking device.
Such a device is connected to the source media, and it helps prevent the writing of data onto the original evidence, which would otherwise change data points that are very critical for the investigation. A forensic image can be defined as an exact copy of a hard drive created with the help of third-party tools, so that the image of the hard drive is captured without changing a shred of the data. The forensic software copies the data by creating a bitstream, and it is an exact duplicate. These tools are able to copy deleted data, which also includes files that were left behind in swap and free space. For the given case we can use FTK Imager.
FTK Imager
This tool is able to create an image of the Windows paging file, and it can also capture volatile memory for analysis. After the installation is done, we can start to create the image. This tool is able to create perfect copies or forensic images of the old data...
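Step 1 of the assignment (recording image hashes) and the answer's points about hash verification, bitstream images and deleted files rest on two ideas that are easier to see in code: an image is proven unaltered by re-hashing it against the digests recorded at acquisition, and a bit-for-bit image preserves data in unallocated space that a logical copy of active files never contains. The following is an added example serving both passages; it is not code from the assignment, the answer, or AccessData's tools. The three-sector "disk", its one-line directory format, the toy JPEG payloads and the tamper offset are all constructed for the demonstration.

```python
"""Verify a forensic image by hash, then contrast a logical copy with signature carving.

Added example, not from the assignment or the posted answer.  The disk layout,
directory format and JPEG payloads below are constructed test data.
"""
import hashlib
import io

CHUNK = 1 << 20              # hash in 1 MiB pieces; real images do not fit in memory
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512


def hash_image(stream, algorithms=("md5", "sha1", "sha256")):
    """One pass over a file-like object, computing every requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(stream, recorded):
    """Re-hash and compare against the digests recorded at acquisition.
    Returns (all_match, {algorithm: (recorded, current)} for each mismatch)."""
    current = hash_image(stream, tuple(recorded))
    bad = {a: (recorded[a], current[a]) for a in recorded
           if recorded[a].lower() != current[a]}
    return not bad, bad


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    return hash_image(io.BytesIO(data), algorithms)


def verify_bytes(data, recorded):
    return verify_image(io.BytesIO(data), recorded)


def tamper(data, offset=600):
    """Flip one bit (in zero padding here) to show that any change breaks verification."""
    out = bytearray(data)
    out[offset] ^= 1
    return bytes(out)


def carve_jpegs(data):
    """Signature carving: every SOI..EOI span in the raw bytes, allocated or not."""
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        found.append((start, data[start:end]))
        pos = end
    return found


def allocated_files(data):
    """What a logical copy sees: only files the (toy) directory still points at.
    Constructed directory format: 'name@offset:length;' records in sector 0."""
    files = {}
    for rec in data[:SECTOR].rstrip(b"\x00").split(b";"):
        if not rec:
            continue
        name, loc = rec.split(b"@")
        off, length = (int(x) for x in loc.split(b":"))
        files[name.decode()] = data[off:off + length]
    return files


def _toy_jpeg(payload):
    """SOI + minimal APP0/JFIF segment + payload + EOI: not a viewable picture,
    but it carries exactly the markers a carver keys on."""
    app0 = b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + payload + JPEG_EOI


def build_sample_image():
    """Constructed 3-sector 'disk': directory, one allocated JPEG, then unallocated
    space still holding a JPEG whose directory record was removed (a deleted file)."""
    live = _toy_jpeg(b"ALLOCATED-PICTURE")
    deleted = _toy_jpeg(b"DELETED-PICTURE")
    directory = (b"pic1.jpg@%d:%d;" % (SECTOR, len(live))).ljust(SECTOR, b"\x00")
    sector1 = live.ljust(SECTOR, b"\x00")
    sector2 = (b"\x00" * 100 + deleted).ljust(SECTOR, b"\x00")
    return directory + sector1 + sector2


if __name__ == "__main__":
    image = build_sample_image()
    recorded = hash_bytes(image)                       # what the acquisition notes record
    print("pristine verifies:", verify_bytes(image, recorded)[0])
    print("tampered verifies:", verify_bytes(tamper(image), recorded)[0])
    print("logical copy sees:", list(allocated_files(image)))
    print("carving finds at:", [off for off, _ in carve_jpegs(image)])
```

Hashing in one pass for all three algorithms matters on real multi-gigabyte images, where three separate reads triple the acquisition time; recording more than one algorithm also means a collision against one of them does not defeat verification. The carve loop is the simplest form of the technique: it takes the first EOI after each SOI, which is enough for the flat layout above but will mis-split fragmented or nested JPEGs on a real file system.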