Demonstrate the ability to gather file system evidence

Assignment Help Computer Network Security
Reference no: EM132063291

Project: FTK Investigations "Would you be interested in how we "work our magic" in here? If you've got a few minutes, I can demonstrate." "I'll show you how we use a program called FTK Imager to create a forensic image of a computer. FTK provides one way of gathering information for our reports." "In cases like this, there are always so many questions that I usually need to use several different programs to process the images. I'll try something called Registry Viewer next, and then maybe PRTK after that... I'm sure one of 'em will give you the answers you need!"

One of the most commonly used commercial digital forensic tools is Forensic Toolkit from Access Data, more commonly known as FTK. FTK is an integrated tool used in many types of digital forensic investigations, with a particular focus on computers and servers. Additional Access Data tools that are commonly used with FTK include Password Recovery Toolkit (PRTK) and Registry Viewer. FTK Imager, which is license free, is used to create forensic images of various types of media in a variety of formats that can be read by a wide range of digital forensic tools. In this project you will use all four of these Access Data tools in a typical law enforcement scenario.

There are three investigative steps in this project, followed by a final paper (Step 4). In those steps you use FTK Imager, Registry Viewer, PRTK and FTK to create a forensic image yourself and to process supplied images of two computers and a thumb drive or USB stick. Each step requires you to respond to detectives' questions based on those images.

The final assignment is a paper that helps detectives better understand the use of FTK Imager and other Access Data tools to access and image computers and thumb drives. In Step 1, you introduce detectives to the basics of forensic digital investigation by creating an image using FTK Imager. Let's begin!

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.4: Tailor communications to the audience.
- 1.6: Follow conventions of Standard Written English.
- 1.7: Create neat and professional looking documents appropriate for the project or presentation.
- 2.2: Locate and access sufficient information to investigate the issue or problem.
- 10.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging and verification.
- 11.1: Perform report creation, affidavit creation, and preparation to testify.
- 11.3: Use forensic tools for investigation of multimedia technologies.
- 11.4: Demonstrate the ability to gather file system evidence.

Step 1: FTK Imaging Lab Report
One of the first steps in a forensic investigation is creating an image of the evidence. Forensic evidence can be found in operating systems, network traffic (including e-mail), and software applications. To help the detectives in your department understand the digital forensics investigation process better, you have offered to show them how you create an image using FTK Imager. The media you image can contain many types of files, including audio, pictures, and videos, and graphics files in particular can be a rich source of forensic evidence.

Because you are pressed for time, you go to the virtual lab and decide to create an image of the "My Pictures" directory on your computer. The process is the same as making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and the image file (CSEC662_Lab1_Name.ad1), together with the summary text file that FTK Imager writes beside it, which documents your imaging process with information such as the hash values of the image.

Submit your report for review and ungraded feedback from the detectives (your instructor). Incorporate any suggested changes; you will include your report in the Use of Access Data Tools paper that you submit in Step 4.
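The hash values in that summary are what make the image defensible: anyone who later works from the image must be able to recompute them and get the same result, which is the "verification" half of competency 10.3. The following Python script is an added example, not part of the course materials or of any Access Data tool. It parses the MD5 and SHA1 values from an FTK Imager-style summary, recomputes them over the image segments as a single stream, and reports a mismatch if even one bit of the image differs. The image bytes and the summary text are constructed here, and the summary field names follow the FTK Imager layout only approximately.

```python
"""Verify a raw forensic image against the hashes recorded in an FTK Imager
summary text file.  Added example; the image bytes and summary text below
are constructed, not taken from any course evidence file."""
import hashlib
import re
from typing import Dict, Iterable

# Matches lines such as " MD5 checksum:    d41d8cd9..."; 32 hex chars for
# MD5, 40 for SHA1.  The same line shape appears twice in the summary.
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9A-Fa-f]{32,40})", re.M)


def hash_image(segments: Iterable[bytes]) -> Dict[str, str]:
    """Hash the image the way the imager did: all segments in order, as one
    continuous byte stream.  Updating incrementally means a multi-GB image
    split into .001/.002/... files never has to be held in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in segments:
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def parse_recorded_hashes(summary_text: str) -> Dict[str, str]:
    """Pull the acquisition hashes out of the summary.  The hash lines are
    repeated under 'Image Verification Results', so keep the first occurrence
    of each algorithm, which is the [Computed Hashes] block."""
    recorded: Dict[str, str] = {}
    for algo, digest in HASH_LINE.findall(summary_text):
        recorded.setdefault(algo, digest.lower())
    return recorded


def verify_image(segments: Iterable[bytes], summary_text: str) -> Dict[str, object]:
    """Compare recomputed hashes with the recorded ones, per algorithm and
    overall, in a form that can go straight into the case documentation."""
    recorded = parse_recorded_hashes(summary_text)
    computed = hash_image(segments)
    result: Dict[str, object] = {
        algo: computed[algo] == recorded.get(algo) for algo in computed
    }
    # An empty summary yields no recorded hashes, so nothing can verify.
    result["all_verified"] = bool(recorded) and all(result.values())
    return result


# --- constructed sample data (stand-in for a real acquisition) ----------
IMAGE_DATA = bytes(range(256)) * 16            # 4 KiB "raw image"
_acq = hash_image([IMAGE_DATA])

# Modelled on the .txt summary FTK Imager writes beside an image; field
# names are approximate and the case values are made up.
SUMMARY_TXT = f"""Created By AccessData FTK Imager
Case Number: CSEC662-Lab1
Evidence Number: 001
Examiner: Student

[Computed Hashes]
 MD5 checksum:    {_acq['MD5']}
 SHA1 checksum:   {_acq['SHA1']}

Image Verification Results:
 MD5 checksum:    {_acq['MD5']} : verified
 SHA1 checksum:   {_acq['SHA1']} : verified
"""


def demo() -> Dict[str, bool]:
    """An intact image split into two segments verifies; a one-bit change
    to the same image does not."""
    segments = [IMAGE_DATA[:1500], IMAGE_DATA[1500:]]   # .001 / .002 style split
    intact = verify_image(segments, SUMMARY_TXT)
    tampered = bytearray(IMAGE_DATA)
    tampered[2048] ^= 0x01                               # flip a single bit
    altered = verify_image([bytes(tampered)], SUMMARY_TXT)
    return {"intact": bool(intact["all_verified"]), "tampered": bool(altered["all_verified"])}


if __name__ == "__main__":
    print(demo())
```

Both MD5 and SHA1 are recomputed because that is what FTK Imager records; neither is collision resistant against a deliberate adversary, so the point of the check is to prove the copy you examined is the copy that was acquired, not to authenticate the acquisition against a hostile party. Record the verification result, tool versions and the hash values in the case documentation requested in Steps 2 and 3.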

Now that you have demonstrated the imaging process and investigative techniques to the detectives, you are ready to proceed to the next step, in which you demonstrate the use of Registry Viewer.

Step 2: Process an Image from the suspect Mantooth's computer

Keywords: Examining metadata, File systems, Hexadecimal and ASCII, Operating Systems, Report writing, File system information gathering
In the previous step you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis so you decide to go to the virtual lab and use Registry Viewer to access user account information for the image from the Mantooth computer. The Mantooth image is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. Registry Viewer provides the ability to view the contents of various types of registry files so it will help to answer some of the questions posed by detectives. You can also investigate the suspect Mantooth's e-mail activity and picture files.

The detectives have requested the following information:

1. Mantooth's first name and a screenshot of a picture

2. Number of jpg files in the Mantooth evidence file

3. Names of the e-mail domains from the e-mail in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received e-mail message for each domain

4. Names of people who have sent e-mail to or received e-mail from Mantooth, and the number of e-mails sent or received to and from each person

5. Information on encryption-whether it was used for any of the e-mail, and if so, what type

6. Evidence of potential criminal activity within this image

7. Information on how PINs were captured

8. Vehicle Identification Number of the '92 Dodge

9. Identity of Sean and his role in this case

10. Malware that initiates on startup

11. Information on password(s)-where you found it/them, whether it/they are usable, what it/they are used for

The detectives are also asking for:

1. Summary of findings

2. Case documentation, such as tools used, version, and image hashes

3. Screenshots or other forensic artifacts supporting your responses to the questions
You review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using Access Data tools (Step 4).
Just when you think that the detectives are satisfied with the information you've provided, they request even more information on the suspects and the crime. You can't say no, so you turn to PRTK to help you access that data...

Step 3: Process an Image from the suspect Washer's computer

Keywords: Examining metadata, File systems, Hexadecimal and ASCII, Operating Systems, File system information gathering
The Mantooth image has provided a lot of new information, but the detectives want more, and PRTK is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer. Like the Mantooth image, the Washer image is a subset of a full computer image: rich in artifacts, but small enough to process in minutes rather than hours, and you can be confident that investigating it closely approximates investigating a full computer image. Registry Viewer lets you view the contents of various types of registry files; PRTK recovers passwords, which lets you open encrypted files as well. Passwords for certain files may also be recoverable from other artifacts on the image.

The detectives have asked you to analyze the Washer and thumb drive processed images within FTK to ferret out the following facts. You will include your answers to these questions in your final paper on the Use of Access Data tools.

1. What are the AIM usernames for RascoBadguy and John Washer?

2. What is the current zip code for the AOL IM account registered to Washer?

3. When was AOL IM installed?

RascoBadguy and John Washer plan to camp.

1. What does Rasco's vehicle look like? Please provide a description. Who might Rasco bring with him?

2. Provide the starting and ending points for their camping trip, as well as the name of the body of water nearby (the same as the road running along its shore). Find a map and directions to the spot where they will camp.

Please provide this additional information:

1. Document three distinct types of criminal activity that are under consideration and discussion by these individuals.

2. There is a particular piece of software that will support one of the types of criminal activity under consideration. It is being obscured by file manipulation or encryption. Document the name of the file, its function, and what needs to be installed for it to operate properly.

3. Document two names, addresses, and credit card or account numbers of potential victims.

4. Prove that the file "How To Steal Credit Card Numbers.doc" was opened on the computer.

5. The word "oops" has come up in intercepted traffic. Document what it refers to.

6. Document three ways this case has familiarity or linkages to any other case you are familiar with.

7. A number of people in this case owe money. Document who they are and how much they owe.

8. Is there anything that links the thumb drive to the Washer image?

9. Document how many times the administrator account was used and the date of the last login (hint: during 2008).
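Two of the questions in this project turn on identifying files by their content rather than their name: the count of jpg files in the Mantooth image (Step 2, question 2) and the software "obscured by file manipulation or encryption" in item 2 above. FTK performs this check during processing as file signature analysis and flags files whose extension does not match their header. The Python script below is an added example, not code from the course or from Access Data, showing what that check does: it compares each file's leading bytes against known signatures, counts a format by signature instead of by extension, and lists extension/signature mismatches. The sample files are constructed and are not files from the Mantooth, Washer or thumb drive images.

```python
"""File signature analysis: identify files by their magic bytes and flag
extension mismatches.  Added example; the sample files are constructed."""
import os
from typing import Dict, List, Optional, Tuple

# (label, leading bytes) for a handful of well-known formats.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("jpg", b"\xFF\xD8\xFF"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("pdf", b"%PDF-"),
    ("doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),   # OLE2: legacy .doc/.xls/.ppt
    ("zip", b"PK\x03\x04"),                           # also .docx, .jar, .apk
    ("exe", b"MZ"),                                   # MZ/PE executable
]

# Extensions that legitimately share a container with a signature label.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip",
               "dll": "exe", "xls": "doc", "ppt": "doc"}


def identify(data: bytes) -> Optional[str]:
    """Return the signature label for the file's leading bytes, or None."""
    for label, magic in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def claimed_type(name: str) -> Optional[str]:
    """Type claimed by the extension, normalised to a signature label."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    if not ext:
        return None
    return EXT_ALIASES.get(ext, ext)


def analyse(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """One record per file: name, claimed type, actual type, mismatch flag."""
    records: List[Dict[str, object]] = []
    for name, data in files.items():
        actual, claimed = identify(data), claimed_type(name)
        records.append({
            "name": name,
            "claimed": claimed,
            "actual": actual,
            # A mismatch needs both sides known: a file with no recognised
            # signature is not, by itself, evidence of renaming.
            "mismatch": actual is not None and claimed is not None and actual != claimed,
        })
    return records


def count_by_signature(files: Dict[str, bytes], label: str) -> int:
    """Count a format by content: a renamed JPEG still counts, and a .jpg
    that is not a JPEG does not.  This is the defensible answer to
    'how many jpg files are in the image'."""
    return sum(1 for data in files.values() if identify(data) == label)


def count_by_extension(files: Dict[str, bytes], label: str) -> int:
    """The naive count, kept to show how far it can be off."""
    return sum(1 for name in files if claimed_type(name) == label)


def mismatches(files: Dict[str, bytes]) -> List[str]:
    """Names of files whose extension disagrees with their signature."""
    return [str(r["name"]) for r in analyse(files) if r["mismatch"]]


# --- constructed sample files ------------------------------------------
JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64
SAMPLE_FILES: Dict[str, bytes] = {
    "IMG_0001.jpg": JPEG,
    "vacation.JPEG": JPEG,                          # alias and upper-case extension
    "invoice.txt": JPEG,                            # a JPEG renamed to hide it
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 64,    # an executable posing as a picture
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,  # wrong picture format
    "report.docx": b"PK\x03\x04" + b"\x00" * 64,    # legitimately a ZIP container
    "notes.txt": b"just some text\n",               # no signature: left alone
}

if __name__ == "__main__":
    print("jpg by signature:", count_by_signature(SAMPLE_FILES, "jpg"))
    print("jpg by extension:", count_by_extension(SAMPLE_FILES, "jpg"))
    print("mismatches:", mismatches(SAMPLE_FILES))
```

When you report a count, state which method produced it and include the mismatch list as a supporting artifact: a file such as holiday.jpg above is exactly the kind of "obscured" software the detectives are asking about, and a renamed picture still belongs in the jpg total. A file that is encrypted rather than renamed will have no recognisable signature at all, which is where PRTK comes in.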

Once again the detectives are asking for a summary of your investigative procedures and findings so you document the following:

1. Summary of findings

2. Case documentation such as tools used, version, and image hashes

3. Screenshots or other forensic artifacts that support your responses to all questions

You review your responses and summary documentation carefully for accuracy and completeness for you will be including them in your final paper.

Step 4: Submit Final Paper: Use of Access Data Tools

The time has come to combine work products from Steps 1, 2, and 3 into a final paper summarizing the Use of Access Data Tools. You submit it to the detectives (your instructor) and cross your fingers that it contains everything they need to know about the most widely-used tools available for accessing and imaging forensic data.

Before you submit your assignment, review the competencies listed at the start of this project, which your instructor will use to evaluate your work. A good practice is to use each competency as a self-check to confirm you have incorporated all of them in your work.

Verified Expert

The solution file is prepared in MS Word, and the work was carried out in the virtual machine with the FTK tools to image two computers and a thumb drive. The report helps the detectives understand the use of FTK Imager and the other Access Data tools to access and image computers and USB sticks. It covers FTK imaging, processing the image from the suspect Mantooth's computer, processing the image from the suspect Washer's computer, and processing the thumb drive image. The solution file includes screenshots of all steps, and references are formatted in APA style.



Reviews

inf2063291

10/8/2018 10:49:06 PM

Gratitude towards the tutor who gave my work some meaning and made it worthy. Followed instructions and turned in the solution hours before the deadline... thank you so much! Will definitely hire again for future papers. Thank you so much!!

inf2063291

8/7/2018 2:20:46 AM

The system was down; try it now. I just logged in to the virtual machine. I sent an email to get help to resolve this issue; I will get in touch with you soon. Sorry to know you are having issues with FTK. The message "No security device was found" at FTK start-up is an issue related to the FTK tool license activation. Let's troubleshoot with simple steps. Please locate your Start button's search box, type in shutdown -s and hit Enter (this should be your VM's Start button, not your workspace's Start button). Your VM will shut down in a minute. I am also attaching a screenshot showing where you need to perform the task. Once you are back in the workspace, connect back to the VM and open FTK again to see if that resolves it. Your VM should pick up the license key. Sometimes this may take several attempts (similar to destroy/reallocate), but it will eventually result in the machine license working as expected. This will help prevent any saved work from being lost, as the VMs will no longer be destroyed. As a last option, you can also Destroy the lab resources and Allocate new lab resources to see if that resolves it. Please try a few times and, if there is no success, please let me know.


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd