EnCase Investigations IM Installation and Forensic Investigation Report

Description

There are three steps in this project. In those steps, you will use EnCase and other tools to image two computers and a thumb drive or USB stick. Each step in the project requires you to respond to detectives’ questions based on computer images.

The final assignment is a paper that helps detectives better understand the use of EnCase to access and image computers and thumb drives. In Step 1, you introduce detectives to the basics of forensic digital investigation by creating an image using EnCase.

Start Here

One of the most common commercial digital forensic tools is EnCase, an integrated tool used in many types of digital forensic investigations, with a focus on computers and servers. Additional AccessData tools that are commonly used include Password Recovery Toolkit (PRTK) and Registry Viewer.

Step 1: Create an Image in FTK Imager

One of the first steps in conducting digital forensic investigations involves creating a forensic image of the digital evidence disk or drive. Digital forensics evidence can be found in operating systems, disk drives, network traffic, emails, and software applications. To help the detectives in your department better understand the digital forensics investigation process, you have offered to show them how you create an image using FTK Imager.

Media investigations of digital storage devices can include audio files, pictures, videos, words, portions of files, graphics files, and information about a file. Graphics files can be a rich source of forensic evidence. Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and a text file (DFC620_Lab1_Name.ad1) that document your imaging process with information such as hash values.

Step 2: Process an Image from the Suspect Mantooth’s Computer

In the previous step, you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis, so you decide to go to the virtual lab and use EnCase to access user account information for the image from a computer owned by a suspect named Mantooth. Detectives don’t yet have the suspect’s first name and are seeking more information.

Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.

The image you will be viewing, Mantooth, is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. EnCase provides the ability to view the contents of various types of registry files, so it will help to answer some of the questions posed by detectives. You can also investigate the suspect Mantooth’s email activity and picture files. The detectives have requested specific information that you will detail in the lab, including Mantooth’s first name, email information, and other material that can be gleaned from the computer hard drive.

See the lab instructions for specific questions to answer. The detectives have requested the following information:

1. Mantooth’s first name and a screenshot of a picture
2. number of jpg files in the Mantooth evidence file
3. names of the email domains from the email in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received email message for each domain
4. names of people who have sent email to or received email from Mantooth, and the number of emails sent or received to and from each person
5. information on encryption—whether it was used for any of the email, and if so, what type
6. evidence of potential criminal activity within this image
7. information on how PINs were captured
8. vehicle identification number of the ’92 Dodge
9. identity of Sean and his role in this case
10. information on password(s)—where you found it/them, whether it/they are usable, what it/they are used for

The detectives are also asking for:

1. summary of findings
2. case documentation, such as tools used, version, and image hashes
3. screenshots or other forensic artifacts supporting your responses to the questions

Review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using EnCase tools. Just when you think that the detectives are satisfied with the information that you’ve provided, they request even more information on the suspects and the crime. You can’t say no, so you turn to EnCase to help you access that data.

Step 3: Process an Image From the Suspect Washer’s Computer

The Mantooth image has provided a lot of new information, but the detectives want more. EnCase is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer.

Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.

The Washer image is a subset of a full computer image (like the Mantooth image), so processing time is reduced. While it is rich in artifacts, it is small enough to process in minutes rather than hours.

You have full confidence that an investigation of the Washer image will approximate the investigation of a full computer image. EnCase allows you to view the contents of registry files. Passwords for certain files may be recoverable from other artifacts on the image as well. The detectives have asked you to analyze the Washer and thumb drive images within EnCase to ferret out facts, and they have provided a list of detailed questions about Washer, his associates, and other information from the computer and its files. You will include your answers to these questions in your final paper on the Use of EnCase tools.

1. What are the AIM usernames for Rasco Badguy and John Washer?
2. What is the current zip code for the AOL IM account registered to Washer?
3. When was AOL IM installed?

Rasco Badguy and John Washer plan to camp.

1. What does Rasco’s vehicle look like? Provide a description. Who might Rasco bring with him?
2. Provide the starting and ending points for their camping trip, as well as the name of the body of water nearby (same as the road running along the shore). Find a map and directions to the spot where they will camp.

Provide this additional information:

1. Document three distinct types of criminal activity that are under consideration and discussion by these people.
2. There is a piece of software that will support one of the types of criminal activity under consideration. It is being obscured by file manipulation or encryption. Document the name of the file, its function, and what needs to be installed for it to operate properly.
3. Document two names, addresses, and credit card or account numbers of potential victims.
4. Prove that the file “How to Steal Credit Card Numbers.doc” was opened on the computer.
5. The word “oops” has come up in intercepted traffic. Document what it refers to.
6. Document three ways this case has familiarity or linkages to any other case you are familiar with.
7. Several people in this case owe money. Document who they are and how much they owe.
8. Is there anything that links the thumb drive to the Washer image?
9. Document how many times the administrator account was used and the date of the last log-in (hint: during 2008).

Once again, the detectives are asking for a summary of your investigative procedures and findings, so you document the following:

1. summary of findings
2. case documentation such as tools used, version, and image hashes
3. screenshots or other forensic artifacts that support your responses to all questions

Review your responses and summary documentation carefully for accuracy and completeness since you will be including them in your final paper.

Step 4: Submit Final Paper

The time has come to combine work products from the earlier steps into a final paper summarizing the use of EnCase. You submit it to the detectives (your instructor) and cross your fingers that it contains everything they need to know about the tools available for accessing and imaging forensic data.

5/19/2021 Forensic Imaging Lab Course Resource

Forensic Imaging Lab

Introduction

The first step in conducting a forensic investigation is to create images of the evidence.

This involves capturing operating systems, network traffic, emails and software evidence, and other files. You are a special agent and forensic examiner for the University Bureau of Investigation (UBI) Cyber Division assigned to a cyber action team. Your supervisor has asked you to show others how to create an image using FTK Imager. This tool is used to analyze media such as audio, pictures, and video. These types of files can be a great source of evidence for forensic investigators.

Goal of the Lab

Show users how to create images of digital evidence.

Lab Overview

You will need to access the virtual lab environment and start the CST 640 lab virtual machines (VMs). You will be using the WINFOR01 VM for this lab. You will create a digital image of the “My Pictures” directory on your computer. This is very similar to making a full image of the computer.

The process should take only minutes instead of hours.

Note: The course names CST 640 and DFC 620 may be used interchangeably in some of the screenshots, as the lab instructions for the two courses are the same except for the labeling.

Lab Resources

In this lab, you will use the following VM: WINFOR01
(Course resource: https://leocontent.umgc.edu/content/umuc/tgs/dfc/dfc620/2212/course-resource-list/forensic-imaging-lab.html?ou=546465)

Use the following username and password to access the lab:
Username: StudentFirst
Password: Cyb3rl@b

Software Requirements

The following software will be used in this lab and can be found on the WINFOR01 VM: AccessData FTK Imager

Task

You are to complete each of the following steps as part of the lab.

The data collected and screenshots will be used in your project deliverables. Make sure you capture screenshots to help in supporting your answers to the questions.

Start the lab VM.

1. Start the CST 640 lab, and then allocate and start the WINFOR01 VM. Log in to the VM.
Source: Azure Lab Broker, UMGC Virtual Labs
2. Once in the WINFOR01 desktop, select Lab Resources, then Applications, and then AccessData FTK Imager to start FTK Imager.
Source: Microsoft Windows, UMGC Virtual Labs
3. In FTK Imager, select File, and then Create Disk Image to start creating an image.
Source: FTK Imager, UMGC Virtual Labs
4. Next, in the Select Source window, select “Contents of a Folder” and click Next.
5. Next, you get an FTK Imager window about creating an image of the folder’s contents. Click Yes to proceed.
6. Now, you need to select the source of where the evidence is located. For the evidence source selection, click Browse and navigate to Libraries > Pictures > Public Pictures > Sample Pictures. The source path should show as C:\Users\Public\Pictures\Sample Pictures. Then, click Finish.
7. Next, in the Create Image window, click Add.
8. Now, you need to enter information about the evidence. Enter the information as shown in the screenshot. The Case Number should follow [year][month][day]. Take a screenshot for your report.
9. Click the Next button.

10. Now, browse for the destination folder > Desktop. Click OK.
Note: You should also verify the image files. Choose “Verify Image Integrity” under the Tools menu. Just click the Verify button for each of the images you want to verify.
11. Then make sure the Image Filename is entered as CST640_Project4_[first initial lastname].
12. Then, click Finish.
13. After clicking Finish, you will see a Create Image window. Click Start to proceed.
14. Click Close.
15. In the Drive/Image Verify Results window that appears, click Close.
16. Going back to the File menu, select Add Evidence Item.
17. This time, select “Image File” from the Select Source window and then click Next.
18. You should see the Select File window. Enter the Evidence Source Selection by clicking Browse and navigating to Desktop > CST640_Project4_[first initial lastname].ad1. Then, click Finish.
19. Click Add image.
20. Now expand the evidence tree by selecting the “Chrysanthemum.jpg” file. Take a screenshot of the VM window and include it in your report.
21. Close FTK Imager and open “CST640_Project4_[first initial lastname].ad1.txt.” Take a screenshot of the VM window and include it in your report.
Source: Notepad, UMGC Virtual Labs

You have now completed all tasks in the lab. Note: Be sure to collect information for your analysis.
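As an added example (not part of the lab and not FTK Imager's own tooling), the script below re-verifies a raw, segmented image against the MD5 and SHA1 values recorded in an FTK Imager-style acquisition log, which is the independent check behind the image hashes you cite in your case documentation. The log text, the image bytes and the hypothetical segment names img.001/img.002 are constructed, and the log layout is an assumption modelled on the [Computed Hashes] section rather than copied from the tool.

```python
"""Re-verify a raw (dd-style) forensic image against the hashes recorded
in an FTK Imager-style acquisition log. Added example, not part of the
lab; the log text and image bytes are constructed."""
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed log, modelled on the [Computed Hashes] block FTK Imager
# writes to <image>.txt (exact layout is an assumption, not copied).
SAMPLE_LOG = """\
Created By AccessData FTK Imager
Case Number: 20130614
Evidence Number: 1
[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d
"""

HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.M)


def parse_log_hashes(log_text: str) -> dict:
    """Return {'md5': hex, 'sha1': hex} from the log's checksum lines."""
    found = {algo.lower(): digest.lower()
             for algo, digest in HASH_LINE.findall(log_text)}
    if not found:
        raise ValueError("no MD5/SHA1 checksum lines found in log")
    return found


def hash_segments(segments, chunk_size=1 << 20) -> dict:
    """Hash the image data as one stream across its segment files
    (img.001, img.002, ...), reading in chunks so a large image is
    never loaded into memory at once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    for seg in segments:
        with open(seg, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(segments, log_text: str) -> dict:
    """Compare recorded vs recomputed hashes; True means that algorithm
    matches. Only algorithms present in the log are reported."""
    recorded = parse_log_hashes(log_text)
    computed = hash_segments(segments)
    return {algo: computed[algo] == digest for algo, digest in recorded.items()}


def demo(tamper: bool = False) -> dict:
    """Write a constructed two-segment image whose data is b'abc' (its
    MD5/SHA1 are the ones in SAMPLE_LOG), optionally alter one byte,
    and verify it against the log."""
    with TemporaryDirectory() as d:
        seg1, seg2 = Path(d, "img.001"), Path(d, "img.002")
        seg1.write_bytes(b"ab")
        seg2.write_bytes(b"x" if tamper else b"c")
        return verify_image([seg1, seg2], SAMPLE_LOG)


if __name__ == "__main__":
    print("intact:  ", demo())             # {'md5': True, 'sha1': True}
    print("tampered:", demo(tamper=True))  # {'md5': False, 'sha1': False}
```

For container formats such as the lab's .ad1 (or .E01), the recorded hashes cover the acquired data rather than the container file, so hashing the file itself will not match; re-verify those with Verify Image Integrity as in step 10. File-level hashing as above is valid for raw (dd/.001) images.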

Add screenshots to your report.

© 2021 University of Maryland Global Campus

5/19/2021 Mantooth Image Processing and Analysis Lab Course Resource

Mantooth Image Processing and Analysis Lab

Introduction

You are a special agent and forensic examiner for the University Bureau of Investigation (UBI) Cyber Division assigned to a cyber action team. A computer belonging to a Mr. Mantooth was seized under a search warrant pursuant to case number 20130614-1001a. The computer was seized on June 14, 2013, and the requesting agent/organization is Fox Molder, UBI Cyber Crime Division. This is a request to process the seized hard drive to look for evidence that may help in the investigation. You are specifically interested in any information that may lead to Mantooth’s criminal activities, which appear to be substantial. Mantooth has been secretive; detectives don’t even know what he looks like. While the system seized appears to be an older computer, it may be the break needed to identify him and his associates. Detectives are counting on you to provide us a picture of him as well as to identify any of his associates. The only photo that investigators have was provided by an ex-girlfriend after a bad breakup. She said she destroyed all photographs of him other than this one.

She apparently has altered this one but says it is one he provides to all of his love interests. She said that he destroys and deletes most photographs of himself because he says, “It is all part of living ‘off the grid.’”
Source: UMGC
(Course resource: https://leocontent.umgc.edu/content/umuc/tgs/dfc/dfc620/2212/course-resource-list/mantooth-image-processing-and-analysis-lab.html?ou=546465)

There is indication that a 1992 Dodge may be involved. You need to locate the VIN (vehicle identification number) to allow for a more specific search on this vehicle. The name Sean has come up several times, and the detectives would like to determine how this name fits into the puzzle.

Goal of the Lab

Investigate Mantooth’s computer image to obtain information for detectives.

Take Note

The course names CST 640 and DFC 620 may be used interchangeably in some of the screenshots, as the lab instructions for the two courses are the same except for the labeling.

Lab Overview

You will need to access the virtual lab environment and start the DFC 620 lab virtual machines (VMs) using the VM Lab Broker Instructions. You will be using the WINFOR01 VM for this lab. You will process and analyze an image from Mantooth’s computer to answer several questions posed by detectives. You will be using EnCase v8.09 in this lab.

EnCase Overview

The names of the four different panes in EnCase are illustrated below:
Source: EnCase, UMGC Virtual Labs

Depending on the information you are seeking from the file(s) you select in EnCase, change the View Type as needed (e.g., Fields, Report, Text, Hex, Doc, Transcript, Picture). In your report, you are required to explain the step-by-step process of your examination and describe where (e.g., directory folders) and how you found each of the artifact files that you examined. To support your report findings, the Report Type section in the View Pane will provide the directory path for each of the artifact files you select and examine during your investigation.

Simply providing an answer or conclusion in your examiner’s report without showing the investigation process that you have undertaken is not sufficient for this lab or in the digital forensics field. You are also required to provide screenshots for each artifact file that you examine in this lab to support your findings and include them in a clear and concise examination report.

You can list all files in a particular directory structure by clicking the Home Plate icon to the left of the directory. This lists all files in the Table Pane for you to view and examine. To display all the graphics files within a forensic image that you have added.

