Understanding the Digital Forensics Profession and Investigations

Hands-On Project 1-2
In this project, you work for a large corporation’s IT Security Department. Your duties include conducting internal digital investigations and forensics examinations on company computing systems. A paralegal from the Law Department, Ms. Jones, asks you to examine a USB drive belonging to an employee who left the company and now works for a competitor. The Law Department is concerned that the former employee might possess sensitive company data. Ms. Jones wants to know whether the USB drive contains anything relevant.
In addition, she tells you that the former employee might have had access to confidential documents because a co-worker saw him accessing his manager’s computer on his last day of work. These documents consist of nine files containing the word “confidential.” She wants to know whether the USB’s bit-stream image file has these documents.
To process this case, make sure the C1Prj02.001 file has been extracted to your work folder, and then follow these steps:
1. Start Autopsy for Windows, if you exited it at the end of the previous project. If the previous project is open, click Case, Close Case from the menu. Click the Create New Case icon. In the New Case Information window, enter C1Prj02 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.
2. In the Additional Information window, type C1Prj02 in the Case Number text box and your name in the Examiner text box, and then click Finish.
3. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the “Browse for an image file” text box, navigate to and click your work folder and the C1Prj02.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.
5. Click the Keyword Search button at the far upper right, type confidential in the text box, and then click Search.
6. In the Result Viewer pane, a new tab named Keyword search 1 opens. Click each file to view its contents in the Content Viewer pane.
7. Ctrl+click to select the files in the Keyword search 1 tab. Right-click this selection, point to Tag File, and click Tag and Comment. In the Create Tag dialog box, click the New Tag Name button, type Recovered Office Documents in the Tag Name text box, and then click OK.
8. Click Generate Report at the top. In the Generate Report window, click the Results – Excel option button in the Report Modules section, and then click Next.
9. In the Configure Artifacts Report window, click the Tagged Results button, click the Recovered Office Documents check box, and then click Finish.
10. In the Report Generation Progress Complete window, click the Results – Excel pathname to open the Excel report. This Excel file should have several tabs of information about the files you tagged for this project.

The Correct Answer and Explanation is:

To complete this digital forensics task, here are the correct steps:

  1. Launch Autopsy: Start Autopsy for Windows. If you were using it previously, ensure you close the case by going to “Case” and selecting “Close Case.”
  2. Create New Case:
    • Click the “Create New Case” icon.
    • In the “New Case Information” window, type C1Prj02 in the Case Name text box.
    • Click “Browse” next to the Base Directory text box and select your work folder, then click Next.
  3. Additional Information:
    • Type C1Prj02 in the Case Number text box.
    • Enter your name as the Examiner, and click Finish.
  4. Select Data Source:
    • Click on the list arrow next to “Select data source type,” and choose Disk Image or VM file.
    • Click “Browse” and navigate to the C1Prj02.001 file in your work folder, then click Open. Afterward, click Next.
  5. Configure Ingest Modules:
    • Click Select All to choose all ingest modules, then click Next and Finish.
  6. Keyword Search:
    • Click the Keyword Search button on the top-right of Autopsy.
    • Type confidential in the search box and click Search.
  7. Review Results:
    • The results will open in a new tab named “Keyword search 1” in the Result Viewer.
    • Click each file to view its contents in the Content Viewer.
  8. Tag Files:
    • Ctrl+click to select the files in the “Keyword search 1” tab.
    • Right-click your selection, point to Tag File, and click Tag and Comment.
    • In the Create Tag dialog box, click New Tag Name, type Recovered Office Documents in the Tag Name text box, and click OK.
  9. Generate Report:
    • Click Generate Report at the top.
    • In the “Generate Report” window, select Results – Excel as the Report Modules, then click Next.
  10. Configure Artifacts Report:
    • Click the Tagged Results button, check Recovered Office Documents, and click Finish.
  11. View Excel Report:
    • After the report generation is complete, click the Results – Excel pathname to open the Excel report. This file will contain information about the files you tagged during the project.

By following these steps, you will determine whether the USB drive's bit-stream image contains any documents relevant to the investigation, focusing on files that contain the word “confidential.”
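A way to cross-check the keyword search outside the GUI, as an added example that is not part of the original project or of Autopsy: this Python script hashes a raw bit-stream image and lists the byte offsets where the keyword appears in ASCII or UTF-16LE. The function names and the sample image are constructed for illustration.

```python
import hashlib
import re

def scan_image(path, keyword="confidential", chunk_size=1 << 20):
    """Hash a raw image and return (sha256_hex, sorted (offset, encoding) hits)."""
    # Case-insensitive byte patterns: 8-bit text and UTF-16LE (common on Windows).
    patterns = {
        enc: re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        for enc in ("ascii", "utf-16-le")
    }
    # Carry enough bytes between chunks to catch a hit that straddles a boundary.
    overlap = max(len(keyword.encode(enc)) for enc in patterns) - 1
    digest = hashlib.sha256()
    hits = set()  # a set drops hits seen twice in the carried-over bytes
    tail = b""
    pos = 0  # file offset where the current chunk starts
    with open(path, "rb") as image:  # opened read-only; the image is not modified
        while chunk := image.read(chunk_size):
            digest.update(chunk)
            buf = tail + chunk
            base = pos - len(tail)
            for enc, pattern in patterns.items():
                for match in pattern.finditer(buf):
                    hits.add((base + match.start(), enc))
            tail = buf[-overlap:]
            pos += len(chunk)
    return digest.hexdigest(), sorted(hits)

def build_sample_image(path):
    """Write a constructed 4 KiB test image with three planted strings."""
    data = bytearray(4096)
    data[100:112] = b"Confidential"
    data[1018:1030] = b"confidential"  # straddles a 1024-byte boundary
    data[2000:2024] = "CONFIDENTIAL".encode("utf-16-le")
    with open(path, "wb") as out:
        out.write(data)
    return path

if __name__ == "__main__":
    import os, sys, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Pass an image path (e.g. C1Prj02.001) or fall back to the sample.
        path = sys.argv[1] if len(sys.argv) > 1 else build_sample_image(
            os.path.join(tmp, "sample.001"))
        sha256, hits = scan_image(path)
        print("SHA-256:", sha256)
        for offset, enc in hits:
            print(f"{offset:>12}  {enc}")
```

Recording the SHA-256 before and after the examination shows the image was not altered. A raw byte scan does not see text inside compressed containers such as .docx files (ZIP archives), so fewer hits here than in Autopsy is not by itself a discrepancy.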
