SOLUTIONS MANUAL FOR Guide to Computer Forensics and Investigations 7th Edition. Bill Nelson, Amelia



Guide to Computer Forensics and Investigations 7e, Bill Nelson, Amelia Phillips, Christopher Steuart (Solutions Manual, All Chapters, 100% Original Verified, A+ Grade). Part 1: Page 1-298; Part 2: Page 299-538


Part 1 Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 1: UNDERSTANDING THE DIGITAL FORENSICS PROFESSION AND INVESTIGATIONS

Table of Contents
Activities - Solutions .......................................... 2
  Activity 1-1 ................................................. 2
Review Questions - Answers ..................................... 3
Hands-On Projects - Solutions .................................. 7
  Project 1-1 .................................................. 7
  Project 1-2 .................................................. 9
  Project 1-3 ................................................. 11
  Project 1-4 ................................................. 13
Case Projects - Solutions ..................................... 15
  Case Project 1-1 ............................................ 15
  Case Project 1-2 ............................................ 16
  Case Project 1-3 ............................................ 16
  Case Project 1-4 ............................................ 17

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

Activities - Solutions

ACTIVITY 1-1
Estimated Time: 30 minutes
Objective: Configure Autopsy for a new case and analyze the image file of George Montgomery’s USB drive.
Before You Begin:
• Download and install Autopsy as described in Note 15.
• Create Work folder C:\Work\Module_01\Activity_01-1 (referred to as your Work folder in the steps).
• Download to your Work folder the following files provided with the module:
  • Activity_01-1.001

To perform the analysis, complete the following steps:
1. Start Autopsy for Windows.
2. In Autopsy’s Welcome window, click the New Case button. In the New Case Information window, enter Activity_01-1 in the Case Name text box (see Figure 1-15), and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type, and then click Next.
[Figure 1-15 New Case Information window of Autopsy]
3. On the Optional Information pane, type Activity_01-1 in the Case Number text box and your full name in the Name text box in the Examiner section (see Figure 1-16), and then click Finish to start the Add Data Source Wizard.
4. In the Select Type of Data Source to Add area of the Add Data Source window, click the Disk Image or VM File button (see Figure 1-17), and then click Next.
5. In the Select Data Source pane of the next window, click the Browse button next to the Path text box, navigate to and click your Work folder, click the Activity_01-1.001 file, and then click Open. Click Next.
6. Keep the default settings in the Configure Ingest Modules window. Click Next and then click Finish.
[Figure 1-16 Optional Information pane of Autopsy]
[Figure 1-17 Add Data Source window of Autopsy]

Next, complete these steps to display the contents of the acquired data:
1. In the Tree Viewer pane on the left, expand Views, File Types, By Extension, and Documents by clicking the plus sign next to each folder (see Figure 1-18).
2. Under Documents, click Office. In the Result Viewer (upper-right pane), click the last file, Contract with Martha.docx, to display its contents in the Content Viewer (lower-right pane).
3. Right-click Contract with Martha.docx, select Add File Tag, and click Tag and Comment.


4. In the Select Tag dialog box, click the New Tag button. In the New Tag section of the Create Tag dialog box, type Recovered Office Documents in the Tag Name text box (see Figure 1-19), click OK, and then click OK again.
5. Right-click Contract with Martha.docx again, and then click Extract File(s). In the Save window, click Save, and then click OK.
[Figure 1-18 Expanded tree view of files in Autopsy]
[Figure 1-19 Create Tag dialog box in Autopsy]
6. In the Tree Viewer pane, click the plus sign to expand the Deleted Files folder, and then click the All (2) folder. Next, you will select the files and explore what is there.
7. In the Result Viewer pane, click ~$George Presentation.pptx. In the Content Viewer pane, make note of George’s last name, then click File, and then click Exit to close Autopsy.
8. Open Notepad, and type George’s first and last names as they appeared in the Content Viewer pane in step 7. Save this file as Activity_01-1_George to your Work folder and exit Notepad.
9. Start File Explorer and navigate to subfolder Activity_01-1\Export in your Work folder and copy the file Contract with Martha.docx to your Work folder.
10. Submit to your instructor the following files:
• Activity_01-1_George.txt
• Contract_with_Martha.docx

Solution Guidance: This activity is a brief introduction to Autopsy for Windows. By completing the steps in this activity, students should learn how to initiate a digital forensics examination and how to navigate and use some of the features available in Autopsy. To show successful completion of this activity, students should submit the two documents listed in the final step. For examples of the contents of these documents, see the following solution files:
• Solution_Activity_01-1_George.pdf
• Solution_Contract with Martha.pdf

Review Questions - Answers

1. Digital forensics and data recovery refer to the same activities. True or False?
Answer: False
Explanation: In data recovery, you typically know what you’re looking for. Digital forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so it can be used as evidence.


2. Criminal proceedings in the United States must use procedures that adhere to which of the following?
a. Third Amendment
b. Fourth Amendment
c. First Amendment
d. None of these choices
Answer: b. Fourth Amendment
Explanation: The Fourth Amendment to the U.S. Constitution (and similar amendments to individual states’ constitutions) protects a person’s right to be secure in their person, residence, and property against unreasonable search and seizure.

3. The triad of computing security includes which of the following?
a. Detection, response, and monitoring
b. Vulnerability assessment, detection, and monitoring
c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
d. Vulnerability assessment, intrusion response, and monitoring
Answer: c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
Explanation: Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation are each different groups focused on computing security (as shown in Figure 1-1). All three groups work together to conduct digital technology investigations.

4. What is the purpose of maintaining a network of digital forensics specialists?
Answer: The purpose of maintaining a network of digital forensics specialists is to learn from experts who specialize in areas different from your own in case you need help on an investigation. It is not possible to be an expert at every single subject, so having a connection to a network of specialists can be extremely valuable for investigators.

5. Policies can address rules for which of the following?
a. When you can log on to a company network from home
b. The Internet sites you can or can’t access
c. The amount of personal email you can send
d. All of these choices
Answer: d. All of these choices
Explanation: Policies can address rules for acceptable use of a variety of company resources, including the company network and email. Such policies can make internal investigations go more smoothly, since they define what is acceptable and unacceptable usage or behavior with respect to corporate resources.


6. A warning banner should contain information about ____________. (Choose all that apply.)
a. who can use the site
b. who owns the computer
c. the content of websites
d. consequences of misuse
Answer: a. who can use the site; b. who owns the computer; d. consequences of misuse
Explanation: Warning banners are used by organizations to avoid litigation by end users of a computing asset by reminding the end user who can use the site and who owns the computing resources and noting possible consequences for violating the acceptable use policies.

7. Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
Answer: False
Explanation: Only after a private-sector investigator turns over evidence to law enforcement does a private-sector investigator become an agent of law enforcement. Prior to this, the private-sector investigator’s role is to minimize risk for the organization.

8. List two types of digital investigations typically conducted in a business environment.
Answer: Types of digital investigations typically conducted in a business environment include fraud, embezzlement, insider trading, espionage, and email harassment. These are the typical crimes committed by an employee or contractor.

9. What is professional conduct, and why is it important?
Answer: Professional conduct includes ethics, morals, and standards of behavior, all of which affect a professional’s credibility. It is important that a digital investigator maintains objectivity and confidentiality, continues to expand their knowledge, and conducts themselves with integrity to maintain their reputation as a respected and impartial investigator.

10. What is the purpose of an affidavit?
Answer: An affidavit (or declaration) is a sworn statement in support of facts about or evidence of a crime. It is submitted to a judge with a request for a search warrant before seizing evidence.

11. What are some ways to determine the resources needed for an investigation?
Answer: After gathering background about the case, identify potential artifacts and the tools required to recover those artifacts. Call on other people that are specialists if needed. Determine the OS of the suspect computer, and list the software needed for the examination.


12. List three items that should be on an evidence custody form.
Answer: Items that should be included on an evidence custody form include the case number, the name of the investigator assigned to the case, the nature of the case, the location where evidence was obtained, and a description of the evidence. Refer to the single and multi-evidence forms covered in the module, as shown in Figures 1-12 and 1-13.

13. Why should you do a standard risk assessment to prepare for an investigation?
Answer: You should do a standard risk assessment to prepare for an investigation to help you identify problems that might happen when conducting the investigation. Performing the assessment can help you anticipate possible challenges you might face when conducting an investigation, such as when investigating a person with superior knowledge of computers (e.g., their computer could be set to erase the hard drive when someone tries to change the logon password).

14. When collecting computer components as evidence, you should place them in antistatic bags. True or False?
Answer: True
Explanation: Computer components collected as evidence should be placed in antistatic bags to protect them from electrostatic discharge (ESD), which can harm the components and the data stored on them.

15. Why should evidence media be write-protected?
Answer: Evidence media should be write-protected to ensure data isn’t altered, which preserves the integrity of the evidence.

16. List three items that should be in your case report.
Answer: Items that should be in your case report include an explanation of basic computer and network processes, a narrative of the steps you took, a description of your findings, and any log files generated from your analysis tools. See the discussion of report writing in the “Completing the Case” section of the module.

17. Why should you critique your case after it is finished?
Answer: Based on the principle of continuous improvement (i.e., ascertain if mistakes were made and determine how to avoid them in the future), you should critique your case after it is finished to improve your work, identify what items went well, and what processes or documents need updating.
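Write-protecting the media (question 15) keeps the evidence from being altered; in practice the examiner also records a cryptographic hash of the image at acquisition and re-verifies it later so that any alteration is detectable. The following Python script is an added illustration, not part of the solutions manual or of Autopsy. It hashes a constructed stand-in image file (not the module’s data file), clears the file’s write bits as a software stand-in for a hardware write blocker, and then shows that a working copy with a single changed byte no longer matches the acquisition hash. Function names and the sample content are assumptions made for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks so a large image
    never has to fit in memory; returns the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_read_only(path):
    """Clear every write permission bit on the file. This is only a
    software stand-in for a hardware write blocker (a privileged user can
    still override file modes), used here to illustrate the intent."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def verify(path, expected_hash):
    """Re-hash the file and compare with the hash recorded at acquisition."""
    return sha256_file(path) == expected_hash


def demo():
    """Constructed scenario (hypothetical data, not the module's image):
    hash a stand-in image, make it read-only, then compare a working copy
    that was modified by one byte against the recorded hash."""
    root = tempfile.mkdtemp(prefix="evidence_demo_")
    image = Path(root, "evidence_image.001")          # constructed stand-in
    image.write_bytes(bytes(range(256)) * 64)          # 16 KiB of sample content
    acquisition_hash = sha256_file(image)              # value to record on the custody form
    make_read_only(image)

    working_copy = Path(root, "working_copy.001")
    shutil.copyfile(image, working_copy)               # copy is created writable
    with open(working_copy, "r+b") as fh:              # simulate an accidental write
        fh.seek(10)
        fh.write(b"\x00")

    return {
        "acquisition_hash": acquisition_hash,
        "original_intact": verify(image, acquisition_hash),   # True
        "copy_intact": verify(working_copy, acquisition_hash), # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash is what belongs on the evidence custody form next to the description of the media; re-running `verify` before analysis and again when the case is closed gives the documented proof of integrity that the chain of custody relies on.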


18. What term do you use to refer to all the people who have had physical possession of the evidence?
a. Professional investigators
b. Chain of custody
c. Legal custody
d. Physical tracking
Answer: b. Chain of custody
Explanation: Chain of custody is the route evidence takes from the time the investigator obtains it until the case is closed or goes to court. A document showing the chain of custody lists everyone who has had physical possession of the evidence.

19. Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
Answer: False
Explanation: For data to be protected by the work product rule, it must be labeled as confidential work product. Data without this label is not protected by work product and hence not legally confidential. It is, therefore, subject to discovery by opposing counsel.

Hands-On Projects - Solutions

Project 1-1
Estimated Time: 30 minutes for the lab; 30 minutes to evaluate and write the report
Objective: Evaluate the USB drive obtained from a crime scene.
Before You Begin:
• Create Work folder C:\Work\Module_01\Project_01-1.
• Download and install Autopsy for Windows as described in Note 15.
• Download to your Work folder the following file provided with the module:
  • Project_01-1.001

The case in this project involves a suspicious death. Joshua Zarkan found his girlfriend’s dead body in her apartment and reported it. The first responding law enforcement officer seized a USB drive. A crime scene evidence technician skilled in data acquisition made an image of the USB drive with FTK Imager and named it Project_01-1.001. Following the acquisition, the technician transported and secured the USB drive and placed it in a secure evidence locker at the police station. You have received the image file from the detective assigned to this case. He directs you to examine it and identify any evidentiary artifacts that might relate to this case.


To process this case, follow these steps to evaluate what is on the image of the USB drive:
1. Start Autopsy for Windows, and click the New Case icon. In the New Case Information window, enter Project_01-1 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your Work folder, and then click Next.
2. In the Optional Information pane, type Project_01-1 in the Case Number text box and your name in the Examiner Name text box, and then click Finish.
3. In the Add Data Source window, in the Select Type of Data Source to Add pane, click Disk Image or VM File. Click the Next button. In the Select Data Source pane, click the Browse button next to the Path text box, navigate to and click your Work folder, click the Project_01-1.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules pane, click Select All, then uncheck Central Repository, click Next, and then Finish. (Note: An error message appears in the lower-left corner of the screen if the Central Repository box is checked.)
5. When the Ingest modules complete their processing, in the Tree Viewer pane, click the relevant plus signs to expand Views, File Types, By Extension, and Documents.
6. From the Tree Viewer pane, click the subfolder Office.
7. In the Result Viewer pane, right-click the Sylvias Assets.xls file, and click Extract File(s). In the Save dialog box, click Save to save the files automatically in Autopsy’s case subfolder: Work\Module_01\Project_01-1\Export. Click OK on the dialog box that appears.
8. Next, in the Tree Viewer pane, click the subfolder Plain Text.
9. In the Result Viewer pane, right-click the suicide1.txt file, and click Extract File(s). In the Save dialog box, click Save to save the files automatically in Autopsy’s case subfolder: Work\Module_01\Project_01-1\Export. Click OK on the dialog box that appears.
10. Exit Autopsy. Examine the extracted files. Reread the description of the case, and write a short report of no more than three paragraphs, including facts from any contents you found. In the report include the following items:
• At the beginning: your name as examiner, the Case name and number, a title for the case, and date of your examination.
• An introduction describing the information about the examination.
• A description of your findings.
• A conclusion that can be drawn from your findings.
11. Then save the report as Project_01-1_Report.doc to your Work folder.
12. Submit to your instructor the following files:
• Project_01-1_Report.doc
• suicide1.txt
• Sylvias Assets.xls


Solution Guidance: Students should be able to find two files of interest to this case. The first file, in Autopsy’s Documents folder, is a text message pleading for help. The second file, in Autopsy’s Plain Text folder, is an Excel spreadsheet containing the victim’s assets and their values. Students’ reports should include basic information about each file found on the USB drive. For examples of the exported files and the student-created report, see the following solution files:
• Solution_Project_01-1_Report.pdf
• Solution_suicide1.pdf
• Solution_Sylvias Assets.pdf

Project 1-2
Estimated Time: 20 to 30 minutes
Objective: Determine if a former employee committed industrial espionage.
Before You Begin:
• Download and install Autopsy for Windows as described in Note 15.
• Create Work folder C:\Work\Module_01\Project_01-2.
• Download to your Work folder the following file provided with the module:
  • Project_01-2.001

In this project, you work for the IT Security Department of a large corporation. Your duties include conducting internal digital investigations and forensics examinations on company computing systems. A paralegal from the Legal Department, Dorothea May, asks you to examine a USB drive belonging to an employee who left the company and now works for a competitor. The Legal Department is concerned that the former employee might possess sensitive company data. Dorothea wants to know whether the USB drive contains anything relevant. In addition, she tells you that the former employee might have had access to confidential documents because a coworker saw him accessing his manager’s computer on his last day of work. These documents consist of nine files containing the word “confidential.” She wants to know whether the USB’s bit-stream image file has these documents.

To process this case, make sure the Project_01-2.001 file has been extracted to your Work folder, and then complete these steps:
1. Start Autopsy for Windows if you exited it at the end of the previous project. If the previous project is open, click Case, Close Case from the menu. Click the New Case icon. In the New Case Information window, enter Project_01-2 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your Work folder, and then click Next.
2. In the Optional Information window, type Project_01-2 in the Case Number text box and your name in the Examiner text box, and then click Finish.
3. In the Add Data Source window, go to the Select Type of Data Source to Add pane, and click Disk Image or VM File. Click the Next button. In the Select Data Source pane, click the Browse


button next to the Path text box, navigate to and click your Work folder, click the Project_01-2.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules pane, click Select All, then uncheck Central Repository, click Next, and then Finish. (Note: An error message appears in the lower-left corner of the screen if the Central Repository box is checked.)
5. Click the Keyword Search button in the far upper-right corner of the screen, type confidential in the text box, and then click Search.
6. In the Result Viewer pane, a new tab named Keyword search 1 – confidential opens. Click each file to view its contents in the Content Viewer pane.
7. In the Result Viewer pane’s Keyword search 1 – confidential tab, click the first file in the list, then press Ctrl+A to select all files.
8. Right-click the highlighted files, point to and click Add File Tags from the dropdown menu, and click Recovered Office Documents.
9. Click Generate Report at the top. In the Generate Report window, click the Select and Configure Results Modules - Excel Report button, and then click Next.
10. In the Generate Report window, click the Project_01-2 check box in the Select which data source(s) to include pane, and then click Next.
11. In the Configure Report pane, click the All Tagged Results button, and then click Finish.
12. When the Complete message appears in the Report Generation Progress window, click the Excel Report hyperlink to open the report. Save the Excel file as Project_01-2_Report.xlsx to your Work folder. Then in the Report Generation Progress window, click Close, and exit Autopsy.
13. Using your word processing application, write a memo to Dorothea listing the filenames and the associated file paths in which you found a hit for the keyword. Save the memo as Project_01-2_Memo.docx.
14. Submit to your instructor the following files:
• Project_01-2_Memo.docx
• Project_01-2_Report.xlsx

Solution Guidance: Students should have successfully located nineteen files with the word “confidential.” Information about these files is in the Excel file Project_01-2_Report.xlsx, on the Keyword Hits tab. The memo should list the path and filenames listed in the spreadsheet file. For examples of the spreadsheet and memo, see the following solution files:
• Solution_Project_01-2_Memo.pdf
• Solution_Project_01-2_Report_Data_Source_Usage.pdf
• Solution_Project_01-2_Report_Keyword_Hits.pdf
• Solution_Project_01-2_Report_Metadata.pdf
• Solution_Project_01-2_Report_Summary.pdf
• Solution_Project_01-2_Report_Tagged_Files.pdf
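Autopsy’s Keyword Search finds the “confidential” hits in Project 1-2 through its text indexer, which extracts the body text of Office documents before searching. The following Python script is an added illustration of the same idea, not part of the solutions manual or of Autopsy: it walks a folder of files, searches each one for the keyword case-insensitively, and reports the filename and path pairs the memo in step 13 asks for. The point it adds beyond the steps is the handling of .docx/.xlsx/.pptx files: these are ZIP containers, so a plain byte search of the file would only see compressed data, and the text has to be read from the XML members. The sample files it builds are constructed for the example (they are not the module’s Project_01-2.001 data), and the function names are assumptions.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

KEYWORD = "confidential"                    # search term from the project text
OOXML_SUFFIXES = {".docx", ".xlsx", ".pptx"}  # Office Open XML = ZIP of XML parts
TAG_RE = re.compile(r"<[^>]+>")              # strips XML/HTML-style tags


def extract_text(path):
    """Return the searchable text of one file.

    Office Open XML documents are ZIP archives; their text is read from the
    XML members and stripped of tags. Any other file is decoded as UTF-8 with
    undecodable bytes dropped, so binary files still yield whatever ASCII
    strings they contain.
    """
    p = Path(path)
    if p.suffix.lower() in OOXML_SUFFIXES and zipfile.is_zipfile(p):
        chunks = []
        with zipfile.ZipFile(p) as zf:
            for member in zf.namelist():
                if member.endswith(".xml"):
                    xml = zf.read(member).decode("utf-8", errors="ignore")
                    chunks.append(TAG_RE.sub(" ", xml))
        return " ".join(chunks)
    return p.read_bytes().decode("utf-8", errors="ignore")


def keyword_hits(root, keyword=KEYWORD):
    """Walk root recursively and return sorted (relative path, filename)
    pairs for every file whose text contains keyword (case-insensitive)."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if pattern.search(extract_text(full)):
                hits.append((os.path.relpath(full, root), name))
    return sorted(hits)


def memo_lines(root, keyword=KEYWORD):
    """One line per hit, filename first and then the path, as the memo requires."""
    return [f"{name}  ({rel})" for rel, name in keyword_hits(root, keyword)]


def build_sample_tree():
    """Constructed sample files standing in for an exported image (hypothetical
    data). One of them is a minimal .docx-style ZIP with the keyword only
    inside word/document.xml."""
    root = tempfile.mkdtemp(prefix="kw_demo_")
    os.makedirs(os.path.join(root, "Reports"))
    Path(root, "Reports", "q3_plan.txt").write_text(
        "CONFIDENTIAL: internal planning document", encoding="utf-8")
    Path(root, "readme.txt").write_text("nothing sensitive here", encoding="utf-8")
    body = ('<?xml version="1.0"?><w:document><w:body><w:p><w:r>'
            '<w:t>Confidential pricing schedule</w:t></w:r></w:p></w:body></w:document>')
    with zipfile.ZipFile(os.path.join(root, "Reports", "pricing.docx"), "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
    return root


if __name__ == "__main__":
    for line in memo_lines(build_sample_tree()):
        print(line)
```

Running the script lists pricing.docx and q3_plan.txt but not readme.txt. The .docx hit is the instructive one: without the ZIP handling in `extract_text`, the compressed document would be missed, which is the same reason a forensic suite indexes extracted text rather than raw file bytes.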


Project 1-3
Estimated Time: 30 minutes for the lab, 45 minutes to analyze and write the report
Objective: Find specific file types in a date range and create tagged files.
Before You Begin:
• Create Work folder C:\Work\Module_01\Project_01-3.
• Download to your Work folder the following file provided with the module:
  • Project_01-3.001 file

You’re an IT security specialist for Superior Sailmakers, a company that makes sails for sloops and yawls. The company sells rigging and sails to many sailboat makers who compete against one another. Johanna Corson, who works in the Human Resources Department, notifies you that she has received an anonymous letter with an old USB drive. The letter states that a former Superior Sailmakers employee, Ralph Williams, had possession of photos from 2021 to 2022 that contained trade secrets belonging to ACE Sailboats. The letter also states that after Mr. Williams ended his employment at Superior Sailmakers in October 2022, he used the photos on the USB drive to get hired by Smith Sloop Boats, a competitor of ACE Sailboats. Both sailboat manufacturers are customers of Superior Sailmakers. Johanna tells you that another specialist has already made an image of the USB drive in the Expert Witness format (with an .001 extension). She wants you to examine its contents for any photograph files to determine whether the anonymous complaint is true. She also asks that you determine if there are any photos with create or last access dates of October 2022. After your examination, you need to generate a report that Johanna will send to the Legal Department along with a memo summarizing this investigation and your findings. The Legal Department will then determine whether any violations of trade secret or intellectual property laws might have occurred.

Follow these steps to get started:
1. Start Autopsy for Windows, and click the New Case icon. In the New Case Information window, enter Project_01-3 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your Work folder, and then click Next.
2. In the Optional Information window, type Project_01-3 in the Case Number text box and your name in the Examiner Name text box, and then click Finish.
3. In the Add Data Source window, go to the Select Type of Data Source to Add pane, and click Disk Image or VM File. Click the Next button. In the Select Data Source pane, click the Browse button next to the Path text box, navigate to and click your Work folder, click the Project_01-3.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All, then uncheck Central Repository. Click Next and then Finish.

Because you’re looking for photos of sailboats that were copied to the USB drive sometime during October 2022, perform the following steps:
1. In the Tree Viewer pane, click the relevant plus signs to expand Views, File Types, By Extension, and Images.


2. In the Result Viewer pane, scroll to the right, if necessary, until the Modified Time column is in view. Sort the column by clicking the Modified Time header.
3. Scroll down until you find the first file with a starting month of October 2022, and then click the file to view it in the Content Viewer. Press the down arrow on the keyboard to view all files created or modified in October 2022.
4. Ctrl+click every file that has a photo of a boat or part of a boat taken in October 2022. Right-click the selection, point to Add File Tags, and click Follow Up.
5. In the Tree Viewer pane, scroll down and click the relevant plus signs to expand Tags and Follow Up, and then click the File Tags folder.
6. In the Result Viewer pane, click the Thumbnail tab to view the tagged photos.
7. Create a report by clicking Generate Report at the top. In the Generate Report window, click the HTML option button in the Select and Configure Report Modules pane, and then click Next.
8. In the Select which data source(s) to include pane, click the check box for Project_01-3.001 if it is not already checked, and then click Next.
9. In the Configure Report pane, click the Specific Tagged Results button, click the Follow Up check box, and then click Finish.
10. In the Report Generation Progress window, click the HTML Report pathname to view the report. When viewing the report, click the links to examine the tagged files.
11. In the browser, click Case Summary, located in the left pane of the report, and print the screen to a PDF file named Project_01-3_Autopsy_Report_Case_Summary.pdf.
12. In the left pane of the report, click Tagged Files, and print the screen to a PDF file named Project_01-3_Autopsy_Report_Tagged_Files.pdf.
13. In the left pane of the report, click Tagged Images, and print the screen to a PDF file named Project_01-3_Autopsy_Report_Tagged_Images.pdf.
14. When you’re finished, close the Web browser, click Close in the Report Generation Progress window, and exit Autopsy.
15. Using your word processing application, write a memo providing an overview of the case and summarizing your findings. Save the file as Project_01-3_Memo.docx.
16. Submit to your instructor the following files:
• Project_01-3_Autopsy_Report_Case_Summary.pdf
• Project_01-3_Autopsy_Report_Tagged_Files.pdf
• Project_01-3_Autopsy_Report_Tagged_Images.pdf
• Project_01-3_Memo.docx

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

12


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

Solution Guidance: Students should be able to locate and tag four JPEG files that appear in the Autopsy report. The memo should start with a summary overview of the investigation followed by references to the Autopsy report. Because the Autopsy report is in HTML, students should submit PDF files of the report’s Case Summary, Tagged Files, and Tagged Images pages, created with the web browser’s Print function. For examples of the files students submit, see the following solution files:
• Solution_Project_01-3_Autopsy_Report_Case_Summary.pdf
• Solution_Project_01-3_Autopsy_Report_Tagged_Files.pdf
• Solution_Project_01-3_Autopsy_Report_Tagged_Images.pdf
• Solution_Project_01-3_Memo.docx
For complete screenshots of the three HTML webpages showing their entire content, see the following solution files:
• Solution_Project_01-3_Autopsy_HTML_Case_Summary.pdf
• Solution_Project_01-3_Autopsy_HTML_Tagged_Files.pdf
• Solution_Project_01-3_Autopsy_HTML_Tagged_Images.pdf

Project 1-4
Estimated Time: 15 minutes
Objective: Extract existing, non-deleted files from a disk image.
Before You Begin:
• Create Work folder C:\Work\Module_01\Project_01-4.
• Download to your Work folder the following data file provided with the module:
  • Project_01-4.001

Sometimes discovery demands from law firms require a digital forensics examiner to recover only allocated data from a disk. This project shows you how to extract just the files that haven’t been deleted (that is, the allocated files) from an image. For this project, you are to extract all allocated files from the digital forensics image file. Complete these steps:
1. Start Autopsy for Windows. Click the New Case icon. In the New Case Information window, enter Project_01-4 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your Work folder, and then click Next.
2. In the Optional Information window, type Project_01-4 in the Case Number text box and your name in the Examiner Name text box, and then click Finish.
3. In the Add Data Source window, go to the Select Type of Data Source to Add pane, and click Disk Image or VM File. Click the Next button. In the Select Data Source pane, click the Browse button next to the Path text box, navigate to and click your Work folder, click the Project_01-4.001 file, and then click Open. Click Next.
4. In the Configure Ingest Modules window, click Select All, and then uncheck Central Repository. Click Next and then Finish.
5. In the directory tree viewer, click the relevant plus signs to expand Views, File Types, and By Extension. Under the By Extension folder are several subfolders representing file types, as you have seen in previous projects. Next to each file type subfolder is a number enclosed in parentheses, which indicates the number of files of this type that Autopsy found.
6. Click the first subfolder with a number greater than zero to view the files, as shown in Figure 1-22.
[Insert Figure 1-22 Expanded folders showing the number of files per folder]
7. In the Result Viewer pane, scroll to the right, if necessary, until the Flags(Meta) column is in view. Click the Flags(Meta) header to sort the list of files, which moves all allocated files to the top of the list as shown in Figure 1-23.
[Insert Figure 1-23 Sorting Flags(Meta)]
Note 17
In the Result Viewer pane, allocated (not deleted) files have a paper sheet or picture icon to the left of the filename. Deleted (unallocated) files have a red X over the paper sheet icon, and unallocated files that have been corrupted and recovered by Autopsy have a diagonal broken bar icon.
8. Scroll to the left until the Name column is visible in the Result Viewer pane. If there are allocated files, they will be at the top of this list. Ctrl+click each allocated file, right-click the highlighted files, and then click Extract File(s).
9. In the Save dialog box, click Save to save the files automatically in Autopsy’s case subfolder: Work\Module_01\Project_01-4\Export
10. Repeat steps 6 through 9 to extract all other allocated files.
11. When you are finished, write a brief memo that lists all the files you exported, and save the file as Project_01-4_Memo.docx.
12. Leave Autopsy running for the next project.
13. Submit to your instructor the following file:
• Project_01-4_Memo.docx


Solution Guidance: Students should have located and exported two allocated files from the Images subfolder and four allocated files from the Office subfolder. The files are as follows:
• 6-Lin_tomb.jpg
• 16-Gettysbg.jpg
• 18-magnaCt.doc
• 19-USConst.doc
• 20-USDeclar.doc
• 22-Botany.doc
Note that each student’s extracted files will have the same file names but different prefix numbers. Autopsy automatically assigns a unique prefix number followed by a hyphen to all extracted file names. This prefix number is not consistent between different runs of Autopsy on the same computer or between different computers running Autopsy. For an example of the memo that students should submit, see the following solution file:
• Solution_Project_01-4_Memo.pdf
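Project 1-4 separates allocated from deleted files by sorting Autopsy’s Flags(Meta) column and picking the allocated entries by hand. Autopsy is built on The Sleuth Kit, and the same selection can be scripted with its fls and icat command-line tools, which is what an examiner would do when a discovery demand covers many images. The following Python script is an added example, not from the textbook or from Autopsy: it parses the output of fls -r -p (the listing embedded below is a constructed sample in that format, not output from Project_01-4.001), keeps only regular files whose name and metadata are both still allocated, and emits one icat command per file. The image name, sector offset and Export directory are illustrative. Two cases the GUI procedure does not call out are handled: fls marks a deleted name with an asterisk, and marks a name as (realloc) when its metadata address has since been reused by a different file, so its content no longer belongs to the name shown; both are excluded, as is TSK’s virtual $OrphanFiles tree.

```python
"""Select only allocated (not deleted) files from a disk image, as Project 1-4
does in Autopsy, but with The Sleuth Kit tools Autopsy is built on.
Added example: not from the textbook or from Autopsy itself.

Assumed workflow (fls and icat are real TSK tools; the offset is the
partition's starting sector, 0 for a bare file-system image):
    fls -r -p -o <offset> image.001 > listing.txt   # recursive, full paths
    icat -o <offset> image.001 <inode> > out_file   # copy one file's content
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample of `fls -r -p` output with NTFS-style metadata addresses.
# A '*' after the type column marks a deleted (unallocated) name; '(realloc)'
# marks a deleted name whose metadata address now belongs to another file.
SAMPLE_FLS_OUTPUT = """\
d/d 5-144-6:\tImages
r/r 68-128-3:\tImages/Lin_tomb.jpg
r/r * 69-128-1:\tImages/old_photo.jpg
r/r 70-128-2:\tImages/Gettysbg.jpg
d/d 6-144-2:\tOffice
r/r 81-128-1:\tOffice/magnaCt.doc
r/r * 82-128-1(realloc):\tOffice/draft.doc
r/r 83-128-1:\tOffice/USConst.doc
V/V 256:\t$OrphanFiles
r/r * 77-128-1:\t$OrphanFiles/OrphanFile-77
"""

FLS_LINE = re.compile(
    r"^(?P<dtype>[-a-zA-Z])/(?P<mtype>[-a-zA-Z])\s+"  # name type / metadata type
    r"(?P<deleted>\*\s+)?"                            # '*' => deleted name
    r"(?P<addr>[0-9A-Fa-f-]+)"                         # metadata address, e.g. 68-128-3
    r"(?P<realloc>\(realloc\))?:\t"                   # metadata reused by another file
    r"(?P<path>.+)$"
)


@dataclass(frozen=True)
class FlsEntry:
    path: str
    addr: str
    is_dir: bool
    deleted: bool
    realloc: bool


def parse_fls(text: str) -> list[FlsEntry]:
    """Parse fls output; lines that are not in fls format are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue
        entries.append(FlsEntry(
            path=m["path"],
            addr=m["addr"],
            is_dir=m["mtype"] == "d",
            deleted=m["deleted"] is not None,
            realloc=m["realloc"] is not None,
        ))
    return entries


def allocated_files(entries: list[FlsEntry]) -> list[FlsEntry]:
    """Keep regular files whose directory entry and metadata are both allocated.
    Deleted and reallocated entries and the virtual $OrphanFiles tree are
    recovered or unallocated data, not files that still exist on the volume."""
    return [e for e in entries
            if not e.is_dir and not e.deleted and not e.realloc
            and not e.path.startswith("$OrphanFiles")]


def icat_commands(image: str, entries: list[FlsEntry], outdir: str,
                  offset: int = 0) -> list[str]:
    """One icat command per allocated file. The output name is prefixed with the
    metadata address so two files with the same name cannot overwrite each
    other (Autopsy's numeric export prefix serves the same purpose)."""
    cmds = []
    for e in entries:
        basename = e.path.rsplit("/", 1)[-1]
        out = f"{outdir}/{e.addr}-{basename}"
        cmds.append(f"icat -o {offset} {shlex.quote(image)} {e.addr} > {shlex.quote(out)}")
    return cmds


if __name__ == "__main__":
    keep = allocated_files(parse_fls(SAMPLE_FLS_OUTPUT))
    for cmd in icat_commands("Project_01-4.001", keep, "Export"):
        print(cmd)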

Case Projects - Solutions Case Project 1-1 Estimated Time: 60 minutes Objective: Decide the best approach for the case. Before You Begin: •

Create Work folder C:\Work\Module_01\Case_Project_01-1.

An insurance company has asked your digital forensics firm to review a case for an arson investigation. The suspected arsonist has already been arrested, but the insurance company wants to determine whether there is any contributory negligence on the part of the victims. The evidence used by the suspect is a laptop and tablet. What procedure would you follow? Using the guidelines listed in the “Taking a Systematic Approach” section of this module, write a one- to two-page memo that includes an outline of your approach for this case and save it as Case_Project_01-1_Memo.docx. When you have completed this case project, submit to your instructor the following file: •

Case_Project_01-1_Memo.docx Solution Guidance: The purpose of this case project is to have the students review and apply the elements listed in the “Taking a Systematic Approach” section of this module. In the outline, the students should be encouraged to think through the different steps and develop their own thoughts on how to apply these elements to all digital forensics’ investigations. For an example of an outline memo, see the following solution file: • Solution_Case_Project_01-1_Memo.pdf

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

15


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

Case Project 1-2 Estimated Time: 60 minutes Objective: Form a hypothesis for a case and create a list of possible evidence to examine. Before You Begin: •

Create Work folder C:\Work\Module_01\Case_Project_01-2.

Jonathan Simpson owns a construction company. One day a subcontractor calls him, saying that he needs a replacement check for the job he completed at 1437 West Maple Avenue. Jonathan looks up the job on his accounting program and agrees to reissue the check for $12,750. The subcontractor says that the original check was for only $10,750. Jonathan looks around the office but can’t find the company checkbook or ledger. Only one other person has access to the accounting program. Jonathan calls you to investigate. After reviewing the facts from Jonathan, determine the steps necessary to ascertain if this is an actual case of theft or a clerical mistake. How should you proceed? Write a one-page letter detailing the known facts of the case and the steps Jonathan needs to take to gather the necessary evidence for this examination. Save the report as Case_Project_01-2_Letter.docx. Submit to your instructor the following file: •

Case_Project_01-2_Letter.docx Solution Guidance: Although there was a discrepancy reported between the check originally received by the subcontractor and what the accounting program listed, the most likely explanation is that a simple data entry error occurred. The digital forensics examiner should always consider that a discrepancy is the result of a mistake, without any ill intent. Even for a case that might be a simple mistake, however, the digital forensics examiner must always treat the evidence and other associated information for the case as possible evidence of a crime. Preserving the evidence is the first concern—even for incidents that may have no civil or criminal concerns. For an example of the student-created letter, see the following solution file: • Solution_Case_Project_01-2_Letter.pdf

Case Project 1-3 Estimated Time: 60 minutes Objective: Prepare for an attorney-client privileged case. Before You Begin: •

Create Work folder C:\Work\Module_01\Case_Project_01-3.

You are the digital forensics examiner for a large corporation. You receive a telephone call from a lawyer with an outside law firm that is retained by your company’s legal department. The outside law firm is Melbourne & Schaffel Law Group, and the attorney’s name is Nariko Bortoletti. Nariko informs you that Melbourne & Schaffel will be representing your employer in a possible criminal indictment against some senior executives. She directs you to collect the laptop

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

16


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

computers of all C-level executives as well as a senior division president. At the end of the call, Nariko provides you with her contact information: • • •

Telephone: 555-555-0115 Cell Phone: 555-555-0128 Email: nariko.bortoletti@mslawyers.biz

Because this is the first you have heard about this case, you inform Nariko that you will need to check with your company’s legal department about this request and will respond to her as soon as possible. You contact one of the lead litigation attorneys in your company’s legal department and explain the request to him. The litigation attorney tells you that he will call you back after he gets more details about the possible investigation. Within five minutes, the litigation attorney calls you back and informs you that he has spoken to Nariko Bortoletti. The litigation attorney instructs you to collect the computers. Before doing this, you need to email Nariko requesting the following information: • • •

List of persons laptops to collect (defendants/plaintiffs names) Actions to take when the evidence is collected (evidence preservation and processing) Case communication security (attorney-client privilege needs)

Using the information described in the “Attorney-Client Privilege Investigations” section of this module, write a one-page email message (use a word processor application to create the message) to Nariko Bortoletti requesting a formal memo that clearly provides the information requested by your company’s litigation attorney. Save the memo-email as Case_Project_01-3_Email.docx. Submit to your instructor the following file: •

Case_Project_01-3_Email.docx Solution Guidance: Students should create a one-page memo styled as an email message addressed to the outside attorney (Nariko Bortoletti). The email message should ask for more specific information about whose computers should be collected and what should be done with them. Following this information request, the students should ask for a specific memo that clearly states that all communications be protected under the rules of attorney-client privilege. For an example of the type of email students should write, see the following solution file: • Solution_Case_Project_01-3_Email.pdf

Case Project 1-4 Estimated Time: 30 minutes Objective: Determine what is needed to start a digital forensics examination. Before You Begin: •

Create Work folder C:\Work\Module_01\Case_Project_01-4.

Your supervisor directs you to create a checklist for new examiners in your organization to use when gathering digital evidence to process digital evidence. Apparently, many of the

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

17


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

examiners have been unprepared when collecting digital evidence, which has caused delays and confusion in case processing. Using the information provided in the “Conducting an Investigation” section of this module, develop a simple checklist that covers what to gather before an investigation is started. The checklist should be easy to follow with minimal explanations. In addition to the items listed below, include additional information you might need for a case: • • • • • • •

Case title Case number Examiner’s name Date and time Description of the case A list of tasks and material for the case Comment or notes related to each listed item

Save the checklist as Case_Project_01-4_Exam_Checklist.docx. Submit to your instructor the following file: •

Case_Project_01-4_Exam_Checklist.docx Solution Guidance: Students will need to review the “Conducting an Investigation” section of this module and create a simple high-level checklist that can be used to initiate a digital forensics investigation. This form should address only the resources required to prepare for an examination, as was described in this module. For an example of the information that should appear on this form, see the following solution file: • Solution_Case_Project_01-4_Exam_Checklist.pdf

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

18


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 2: REPORT WRITING AND TESTIMONY FOR DIGITAL INVESTIGATIONS

Table of Contents Activities - Solutions .......................................................................................................... 2 Activity 2-1 ................................................................................................................................. 2 Review Questions - Answers ............................................................................................. 5 Hands-On Projects - Solutions ........................................................................................ 14 Project 2-1................................................................................................................................. 14 Project 2-2 ................................................................................................................................ 16 Project 2-3 ................................................................................................................................ 17 Project 2-4 ................................................................................................................................ 18 Project 2-5 ............................................................................................................................... 20 Case Projects - Solutions ..................................................................................................21 Case Project 2-1....................................................................................................................... 21 Case Project 2-2 ..................................................................................................................... 23 Case Project 2-3 ..................................................................................................................... 24 Case Project 2-4 ..................................................................................................................... 
26 Case Project 2-5 ..................................................................................................................... 27

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

1


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

Activities - Solutions Activity 2-1 Estimated Time: 20 minutes Objective: In preparation for creating a formal report, repeat the examination of George Montgomery’s USB drive, and create detailed examiner notes of every step taken during the analysis. Before You Begin: • •

Create Work folder C:\Work\Module_02\Activity_02-1. Download to your Work folder the following files provided with the module: • Activity_02-1_Examiner_Notes.xlsx • Activity_02-1.001

For this activity, you will complete the initial steps required to create a formal digital forensics report by analyzing the data on George Montgomery’s USB drive using Autopsy and creating an examiner notes log file. Complete the following steps: 1. Open the file Activity_02-1_Examiner_Notes.xlsx. 2. In cell C3 of the spreadsheet, type your name. In cells C4 and C5, type Activity_02-1. In the Date and Start Time columns, enter the current date and time as shown in Figure 2-5. Save the file, and leave it open to record your activities during the forensics examination. [Figure 2-5 Examiner notes spreadsheet] 3. Start Autopsy for Windows. 4. In Autopsy’s Welcome window, click the New Case button. In the Case Name text box in the New Case Information window, enter Activity_02-1, and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type, and then click Next. 5. In the Case Number text box in the Optional Information window, type Activity_02-1, and enter your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard. 6. In the Select Type of Data Source To Add area of the Add Data Source window, click the Disk Image or VM File button, and then click Next. 7. In the Select Data Source area of the Add Data Source window, click Browse, navigate to your Work folder in the Open window, click the Activity_02-1.001 file, click Open, and then click Next in the Select Add Data Source window. 8. In the Configure Ingest area of the Add Data Source window, click Select All and click Next. 9. When the ingest configuration completes, click Finish.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

2


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

10. In cell B8 of the examiner notes spreadsheet, note the time you started the activity, and in cell C8, add a statement indicating that you started Autopsy and loaded the file Activity_021.001. An example entry would be, “Started Autopsy and added forensic image file Activity_021.001 using Autopsy for Windows, version 4.18.0.” Next, you will locate all the relevant document files. Follow these steps, and for every entry in the examiner notes spreadsheet, note the time each activity was started: 1. In the Tree Viewer pane on the left, click to expand Views, File Types, By Extension, and Documents. 2. Under Documents, click Office. In the Result Viewer (upper-right pane), click the file, Contract with Martha.docx, to display its contents in the Content Viewer (lower-right pane). 3. Right-click Contract with Martha.docx. In the drop-down menu, click Add File Tag, and then click Recovered Office Documents in the Tag Name text box. 4. In cell C9 of the examiner notes spreadsheet, type a statement indicating that you examined the content of the file Contract with Martha.docx, and describe the content of the message. 5. Repeat steps 2, 3, and 4, and examine the following files: George Presentation.pptx, ~$George Presentation.pptx, Inventory and sales.xlsx, and Notes.doc. When finished, update the examiner notes. 6. In the Tree Viewer pane, click and expand the Tags folder and the Recovered Office Documents folder. Then, in the Result Viewer pane, click the Contract with Martha.docx file to highlight it. Press Ctrl1A to highlight all tagged files. 7. In the Result Viewer pane, right-click the highlighted files, and click Extract File(s) as shown in Figure 2-6. In the Save dialog box, click Save and then OK. [Figure 2-6 Extracting files from Autopsy] Note 6 Autopsy will store extracted files in the subfolder Export under the Work folder’s case folder. An example for this path would be: C:\Work\Module02\Activity_02-1\Export. 8. 
In Autopsy’s main window, click Tools and then Generate Report. In the Generate Report, Report Modules dialog box, click HTML Report, and then click Next. 9. In the Select which data source(s) to include dialog box, click Check All, and then click Next. 10. In the Configure Report dialog box, click All Tagged Results, and then click Finish. 11. When the Report Generator completes, click the link to the report to open it in your web browser, and then click Close in the Report Generation Progress window.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

3


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

12. Save and close the spreadsheet file Activity_02-1_Examiner_Notes.xlsx. In the Export subfolder copy for this Autopsy examination submission to your instructor the five files that were also retrieved (note, your exported files may have different prefix numbers). Close Autopsy. Submit to your instructor the following files: • • • • • •

Activity_02-1_Examiner_Notes.xlsx 12-Contract with Martha.docx 14-George Presentation.pptx 16-Inventory and sales.xlsx 18-Notes.doc 22-~$George Presentation.pptx

Note 7 When a report is generated in Autopsy, a folder is created containing the HTML report (titled “report.html”) as well as a subfolder titled “content.” The content subfolder contains the data that is viewable from the report.html file. Autopsy automatically appends the current date and time to the folder name and saves it in the Base Directory designated when the case was created. An example of the file path for the HTML report is: C:\Work\Module02\Activity_02-1\Reports\ Activity_02-1 HTML Report mm-dd-yyyy-hh-mm-ss\report.html. The HTML report can be viewed with your browser by double-clicking the file report.html in File Explorer. Solution Guidance: This activity is designed to show students how to examine files, write examiner notes, and create an HTML report using Autopsy for Windows. The student’s Activity_02-1_Examiner_Notes.xlsx file should have sufficient details to provide accurate and complete information for a formal report. For an example of the types of notes that should be included (at minimum) in the examiner notes file, see the following solution file: • Solution_Activity_02-1_Examiner_Notes.pdf For an example of the HTML file that students should submit, see the following solution file: • Solution_Activity_02-1 HTML Report mm-dd-yyyy-hh-mm-ss.zip

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

4


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

Review Questions - Answers 1.

Which of the following rules or laws requires an expert to prepare and submit a report? a. FRCP 26 b. FRE 801 c. Neither d. Both Answer: a. FRCP 26 Explanation: Rule 26, Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert’s written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions (law.cornell.edu/rules/frcp/rule_26). The report must also include related exhibits, such as photographs or diagrams, and the witness’s curriculum vitae listing all the publications they contributed to during the preceding 10 years.

2. For what purpose have hypothetical questions traditionally been used in litigation? a. To frame the factual context of rendering an expert witness’s opinion b. To define the case issues for the finder of fact to determine c. To stimulate discussion between a consulting expert and an expert witness d. To deter a witness from expanding the scope of their investigation beyond the case requirements Answer: a. To frame the factual context of rendering an expert witness’s opinion Explanation: The law requires an expert who doesn’t have personal knowledge about the specific event or system to state opinions as responses to hypothetical questions. Those questions can ask the expert witness to express an opinion based on hypothetical facts without referring to a particular system or situation. In this regard, you as a forensics investigator (an expert witness) differ from an ordinary witness. You didn’t see or hear the incident in dispute; you’re giving evidence as an opinion based on professional knowledge and experience, even if you might never have seen the system, data, or scene. 3. Which of the following is an example of a written report? a. A search warrant b. An affidavit c. Voir dire d. Examiner notes Answer: b. An affidavit Explanation: A written report may, depending on circumstances, be an affidavit or a declaration. Because this type of report is sworn to under oath (and penalty of perjury or comparable false-swearing statute), it demands attention to detail, carefully limiting the focus of what is written, and providing thorough documentation and support of what is written.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

5


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

4. What is the term for destroying a report before the final resolution of a case? (Choose all that apply.) a. Voir dire b. Discovery c. Motion in limine d. Spoliation Answer: d. Spoliation Explanation: Destroying a report could be considered destroying or concealing evidence—called spoliation, which could subject your client to monetary, evidentiary, or other more severe sanctions. 5. An expert witness can give an opinion in which of the following situations? (Choose all that apply.) a. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. b. The witness has been shown to be qualified as a true expert in the field. c. The witness testifies to a reasonable degree of certainty (probability) about their opinion, inference, or conclusion. d. Hypothetical questions of a witness can only apply to particular situations. Answer: a. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople; b. The witness has been shown to be qualified as a true expert in the field; c. The witness testifies to a reasonable degree of certainty (probability) about their opinion, inference, or conclusion. Explanation: As an expert witness, you can testify to an opinion or a conclusion, if these basic conditions are met: The opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay witnesses or jurors. You have been shown to be qualified as a true expert in the field (which is why a curriculum vitae is important). You must testify to a reasonable degree of certainty (probability) about your opinion, inference, or conclusion. 
At minimum, as an expert witness, you must know the relevant data (facts) on which your opinion, inference, or conclusion is based, and you must be prepared to testify in response to a hypothetical question that sets forth the underlying evidence. 6. What is the standard format used when submitting reports electronically to U.S. federal courts and in most state courts? Answer: Attorneys can submit documents electronically in many courts; the standard format in (US) federal courts and most state courts is Portable Document Format (PDF).

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

6


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

7. When writing a report, what is the most important aspect of formatting?
a. A neat appearance
b. Size of the font
c. Clear use of symbols and abbreviations
d. Consistency
Answer: d. Consistency
Explanation: The way you format text in a report is less important than applying that formatting consistently. For example, if you indent paragraphs, indent all of them. Use fonts consistently, and use the same heading styles throughout (for example, major headings in bold with initial capitals, minor headings in italics, and so forth). Follow the same convention throughout for units of measure; for example, use “%” or “percent”, but not both. In other words, establish a template and stick to it.

8. Automated tools help you collect and report evidence, but you are responsible for doing which of the following? (Choose all that apply.)
a. Explaining your formatting choices
b. Explaining the significance of the evidence
c. Explaining in detail how the software works
d. Explaining any limitations or uncertainty that applies to the findings
Answer: b. Explaining the significance of the evidence; d. Explaining any limitations or uncertainty that applies to the findings
Explanation: A digital forensics tool’s report generator only displays the findings of an examination. It is up to the examiner to explain to judges, attorneys, and jurors what the findings mean and what their limitations are.

9. What criteria should be considered when assessing a written report? (Choose all that apply.)
a. The report should appeal to the reader.
b. Information should be relevant and well organized for the reader.
c. The report’s language should be simple and direct.
d. A variety of terms should be used throughout the report.
Answer: a. The report should appeal to the reader; b. Information should be relevant and well organized for the reader; c. The report’s language should be simple and direct.
Explanation: A report must be tailored to its intended reader so that it is easy to read and understand. The ideas should be relevant and clearly organized, with grammar and vocabulary that are simple and direct. Technical terminology should be used consistently (which is why option d is wrong: using different terms for the same thing invites confusion), and punctuation and spelling must be accurate and consistent throughout the report. Write the report in a logical order that guides the reader’s thinking, and define every acronym and abbreviation you use.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

10. Describe the major advantages of automated forensics tools in report writing.
Answer: Automated forensics tools produce log files and reports that you can incorporate directly into your written report. The generated files are in a format that is easy to include in an electronic document. Digital forensics tools can produce a large volume of information that is difficult to transfer by hand into a narrative report; with the automated report functions available in many tools, the details of the evidence findings can be incorporated easily, which helps ensure that the report is complete.

11. What advantages are offered by the report generator feature of many digital forensics tools? (Choose all that apply.)
a. A digital forensic report generator will create a detailed HTML report that includes such things as the date and time a file was last accessed, as well as the content of files identified during the examiner’s examination.
b. A digital forensic report generator eliminates the need to write a narrative report.
c. A digital forensic report generator automatically provides sufficient explanation of the evidence.
d. A report generated in HTML format can be easily incorporated into another electronic document using the hyperlink feature available in many word processors.
Answer: a. A digital forensic report generator will create a detailed HTML report that includes such things as the date and time a file was last accessed, as well as the content of files identified during the examiner’s examination; d. A report generated in HTML format can be easily incorporated into another electronic document using the hyperlink feature available in many word processors.
Explanation: A typical digital forensics program’s report generator produces a report containing the discovered evidence and related information about the computer, such as the size of the disk drive examined. The generated findings do not include an explanation of what the evidence is or how it relates to the investigation. For cases that do not require a formal report, the examiner provides an oral briefing of the findings. For investigations that require a formal report, the examiner must write a report explaining what evidence was found and how it relates to the case.

12. Which of the following describes expert witness testimony? (Choose all that apply.)
a. Testimony designed to assist the jury in determining matters beyond the ordinary person’s scope of knowledge
b. Testimony that defines issues of the case for determination by the jury
c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience
d. Testimony designed to raise doubt about facts or witnesses’ credibility


Answer: a. Testimony designed to assist the jury in determining matters beyond the ordinary person’s scope of knowledge; c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience
Explanation: A digital forensics investigator testifying as an expert witness needs to communicate complex information to nontechnical people, such as jurors, attorneys, and judges. It is the investigator’s responsibility to make sure they understand how the evidence led to the opinion being offered.

13. When using graphics while testifying, which of the following guidelines apply? (Choose all that apply.)
a. Make sure the jury can see your graphics.
b. Practice using charts for courtroom testimony.
c. Your exhibits must be clear and easy to understand.
d. Be overprepared by having additional graphics that explain more complex or supporting issues.
Answer: a. Make sure the jury can see your graphics; b. Practice using charts for courtroom testimony; c. Your exhibits must be clear and easy to understand.
Explanation: When using graphics as part of your testimony, make sure the jury can see them clearly. Graphics should be big, bold, and simple so that the jury can read them easily; consider factors such as glare and adequate contrast. Practice using the graphics so you are comfortable referring to them while testifying. Exhibits should be clear and easy to follow, especially for nontechnical jurors and the judge.

14. What kind of information do fact witnesses provide during testimony? (Choose all that apply.)
a. Their professional opinion on the significance of evidence
b. Definitions of issues to be determined by the finder of fact
c. Facts only
d. Observations of the results of tests they performed
Answer: c. Facts only; d. Observations of the results of tests they performed
Explanation: Fact witnesses may testify about facts relating to a case, including what they observed of a crime or incident. A fact witness may also give testimony on technical matters relating to the case, such as technical information about a computer system or network configuration. A fact witness might also testify about the number of files recovered using a keyword search, or about the condition of a computer when it was recovered from an incident or crime scene.


15. How should you respond to a question you don’t understand when testifying?
Answer: If you are asked a confusing or awkward question that you don’t understand, simply ask the attorney to rephrase it. This gives the attorney a chance to formulate the question better and gives you more time to think about how best to answer it.

16. What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply.)
a. If the deposition is still in session, refer back to the error and correct it.
b. Decide whether the error is minor and, if so, ignore it.
c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature.
d. Call the opposing attorney and inform them of your mistake or misstatement.
e. Request an opportunity to make the correction at trial.
Answer: a. If the deposition is still in session, refer back to the error and correct it; c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature.
Explanation: Testifying in a deposition can be stressful because no judge is present to rule on objections to the questions being asked. The attorney’s questions may be designed to elicit answers that are contrary to the facts as you know them, so that your answers favor their client. If you make a mistake, correct it and get back on track with your testimony. If you realize after the deposition has ended that you misspoke or made a mistake, notify the attorney that you would like to correct the error.

17. Which of the following are types of depositions? (Choose all that apply.)
a. Testimony preservation
b. Peer testimony
c. Discovery
d. Prestige testimony
Answer: a. Testimony preservation; c. Discovery
Explanation: There are only two types of depositions: testimony preservation and discovery. A testimony-preservation deposition may be requested by your client to preserve your testimony in case of schedule conflicts or health problems. These depositions are often video recorded in addition to the written transcript, and your testimony is entered at trial by playing the recording for the jury. A discovery deposition is part of the discovery process for trial. The opposing attorney who requested the deposition often conducts the equivalent of a direct examination and a cross-examination.


18. As a fact or expert witness at trial, what must you always remember about your testimony?
a. You are responsible for the outcome of the case.
b. Your duty is to report your technical or scientific findings or render an honest opinion.
c. Avoid mentioning how much you were paid for your services.
d. Always address the judge when responding to questions from the attorneys.
Answer: b. Your duty is to report your technical or scientific findings or render an honest opinion.
Explanation: Your credibility as a witness depends on being as truthful as possible; anything less will damage your reputation. When responding to questions from attorneys in a jury trial, always face the jury (which is why option d is wrong).

19. Before testifying, you should do which of the following? (Choose all that apply.)
a. Create an examination plan with your retaining attorney.
b. Make sure you have been paid for your services and the estimated fee for the deposition or trial.
c. Exercise appropriate grooming.
d. Type all the draft notes you took during your investigation.
Answer: a. Create an examination plan with your retaining attorney; b. Make sure you have been paid for your services and the estimated fee for the deposition or trial.
Explanation: The examination plan helps ensure that you and the attorney understand each other on the technical matters of the investigation and on your opinion of the case. By talking through and developing the examination plan with the attorney, both of you will be prepared for your testimony. If you are working as an independent digital forensics examiner, never proceed with a case before payment for your services has been made.

20. Which of the following describes the purpose of the voir dire? (Choose all that apply.)
a. To exclude certain evidence through a pretrial motion
b. To create an examination plan by an expert witness
c. To determine the qualifications of a witness as an expert
d. To make corrections to your testimony after a deposition
Answer: c. To determine the qualifications of a witness as an expert
Explanation: During voir dire of an expert witness, the attorney guides the expert through their CV. The amount of detail in this examination depends on several factors, all of which relate to how much advantage the attorney sees in the witness’s qualifications. After the attorney has completed this examination, they ask the court to accept the witness as an expert. Opposing counsel might object, however, and is allowed to examine the witness as well; this cross-examination typically happens only if the opposing attorney thinks there is something to gain from it.


21. What is a motion in limine?
a. A motion to dismiss the case
b. The movement of molecules in a random fashion
c. A pretrial motion for the purpose of excluding certain evidence
d. A pretrial motion to revise the case schedule
Answer: c. A pretrial motion for the purpose of excluding certain evidence
Explanation: A motion in limine is a pretrial motion asking the judge to exclude or limit the use of certain evidence. It allows the judge to decide, outside the presence of the jury, whether that evidence should be admitted.

22. Your curriculum vitae is which of the following? (Choose all that apply.)
a. A necessary tool to be an expert witness
b. A generally required document to be made available before your testimony
c. A detailed record of your experience, education, and training
d. A description of your skills as they apply to the current case
Answer: a. A necessary tool to be an expert witness; b. A generally required document to be made available before your testimony; c. A detailed record of your experience, education, and training
Explanation: Your curriculum vitae (CV) lists your education, training, and professional experience and is used to qualify your testimony. For forensics examiners, this document is a necessary tool for serving as an expert witness, and it generally must be made available before you testify. FRCP Rule 26 requires that the examiner’s CV be included as part of their report (unless the examiner’s bona fides are integrated into the report itself). Make sure your CV reflects your professional background; unlike a job resume, it should not be geared toward a specific trial. Most important, keep your CV current and date it for version control. If your CV is more than three months old, you probably need to update it to reflect new cases and additional training.

23. The most reliable way to ensure that jurors recall testimony is to do which of the following?
a. Present evidence using oral testimony supported by hand gestures and facial expressions.
b. Present evidence combining oral testimony and graphics that support the testimony.
c. Wear bright clothing to attract jurors’ attention.
d. Emphasize your points with humorous anecdotes.
e. Memorize your testimony carefully.


Answer: b. Present evidence combining oral testimony and graphics that support the testimony.
Explanation: Oral testimony supported by graphical presentations is an effective way to impart information and help your listeners retain it. Your exhibits must be clear and easy to understand. Graphics should be big, bold, and simple so that the jury can see them easily; consider factors such as glare and adequate contrast. If necessary, make smaller copies of graphics for jurors so that they can see the details better.

24. If you’re giving an answer that you think your attorney should follow up on, what should you do?
a. Change the tone of your voice.
b. Argue with the attorney who asked the question.
c. Use an agreed-on expression to alert the attorney to follow up on the question.
d. Try to include as much information in your answer as you can.
Answer: c. Use an agreed-on expression to alert the attorney to follow up on the question.
Explanation: If a simple yes or no does not answer a question completely and accurately, responding with a sentence that communicates the limitations or qualifications of your answer may be important. If you need your attorney to expand on a line of questioning during redirect, have an agreed-on expression you can use to signal them, such as “This question requires a more complex answer, but the short answer is yes (or no).”

25. In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.)
a. “It’s a very large hard drive.”
b. “The technical data sheet indicates it’s a 3-terabyte hard drive.”
c. “It’s a 3-terabyte hard drive configured with 2.78 terabytes of accessible storage.”
d. “I was unable to determine the drive size because it was so badly damaged.”
Answer: b. “The technical data sheet indicates it’s a 3-terabyte hard drive.”; c. “It’s a 3-terabyte hard drive configured with 2.78 terabytes of accessible storage.”; d. “I was unable to determine the drive size because it was so badly damaged.”
Explanation: When testifying as an expert witness, state only the facts needed to answer the question. If you know the answer, give a short answer that includes only the facts; for instance, if you are asked the size of a particular hard drive, state its size if you were able to determine it. If you do not know the answer, clearly state that you do not know or that you were unable to determine it, then follow with a brief explanation of why, such as, “The drive was so badly damaged that I was unable to determine its size or the manufacturer’s name.”


26. Which items should be included in your curriculum vitae? (Choose all that apply.)
a. Previous expert testimony
b. Education and training
c. Work experience
d. Training and presentations you have conducted
Answer: a. Previous expert testimony; b. Education and training; c. Work experience; d. Training and presentations you have conducted
Explanation: Your curriculum vitae (CV) lists your education, training, and professional experience and is used to qualify your testimony. It should include all related and unrelated schooling, training, and work performed throughout your life. Also note any professional training you provided or contributed to, and include a testimony log that reflects every testimony you have given as an expert. For forensics examiners, keeping this document updated and complete is crucial to supporting your role as an expert and showing that you are constantly enhancing your skills through training, teaching, and experience.

27. When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn’t being released to the defense?
a. Keep the information on file for later review.
b. Bring the information to the attention of the prosecutor, then to their supervisor, and finally to the judge (the court).
c. Destroy the evidence.
d. Give the evidence to the defense attorney.
Answer: b. Bring the information to the attention of the prosecutor, then to their supervisor, and finally to the judge (the court).
Explanation: All potentially exculpatory information and evidence must be brought forward and revealed to all parties to ensure that the investigation and trial are conducted with the highest level of honesty and forthrightness.

Hands-On Projects - Solutions

Project 2-1
Estimated Time: 60 minutes
Objective: Complete a checklist to help organize your writing in preparation for writing a formal investigation report.
Before You Begin:
• Complete Activity 2-1.
• Create Work folder C:\Work\Module_02\Project_02-1.
• Download to your Work folder the following data files provided with the module:
  • Project_02-1_Report_Writing_Guide_Checklist.xlsx


• Download to your Work folder the following files you previously created:
  • Activity_02-1_Examiner_Notes.xlsx
  • The Autopsy report (report.html) created in Activity 2-1

In this project, you begin the steps necessary to write a report from the findings in Activity 2-1. You will fill out a checklist that helps identify the readers of the report, the report’s purpose, and the required format and style of the final report. Because this is the first step in drafting the report, not all sections of the checklist need to be completed. Leave blank any section for which you lack information or content, and include a header as a reminder to complete it later in the final report. As a reminder, this case centers on George Montgomery, an employee who is missing from work. Known facts about this case include the following:
• This case was initiated as an investigation into the whereabouts of a missing employee and has turned into an investigation of possible employee abuse of company resources.
• The missing employee appears to have been conducting a side business using a company computer.
• One small-capacity USB drive was recovered from the employee’s assigned computer.
• The requesting manager has some technical knowledge of information systems.

The objectives to be addressed in this report include the following:
• Attempt to determine George Montgomery’s location.
• Attempt to determine the reasons that George Montgomery and another employee, Martha, are absent from work.
• Give a statement indicating what resources were used to perform this examination.
• Give a statement regarding what was found in this examination.
• Provide an opinion about your findings.

It will be necessary to make assumptions for some of the items and questions in this checklist. Use your best judgment when completing this form. Complete the following steps:
1. Open the file Project_02-1_Report_Writing_Guide_Checklist.xlsx.
2. Open and review the report.html file and the Activity_02-1_Examiner_Notes.xlsx file to answer the questions in rows 4 through 28 of Project_02-1_Report_Writing_Guide_Checklist.xlsx, part of which is shown in Figure 2-7. [Figure 2-7 Example of a report-writing checklist]
3. Next, answer the questions in rows 30 through 32. For these questions, use your judgment.
4. When you have finished entering information into the spreadsheet, save it and then close it.
Submit to your instructor the following file:
• Project_02-1_Report_Writing_Guide_Checklist.xlsx


Solution Guidance: Students should fill in answers to the questions in the checklist. The answers they provide should be short, concise, and specific to the checklist questions. Students should be allowed to make assumptions about the reader of the report in their responses. For questions that ask for specifics about the examination, answers should state facts found during the examination. For an example of the file that students should submit, see the following solution file:
• Solution_Project_02-1_Report_Writing_Guide_Checklist.pdf

Project 2-2
Estimated Time: 60 minutes
Objective: Use a fact-collection questionnaire to organize your findings from a digital forensics examination.
Before You Begin:
• Complete Activity 2-1 and Project 2-1.
• Create Work folder C:\Work\Module_02\Project_02-2.
• Download to your Work folder the following data files provided with the module:
  • Project_02-2_Fact_Collection_Questionnaire.xlsx
• Download to your Work folder the following files you previously created:
  • Activity_02-1_Examiner_Notes.xlsx
  • Project_02-1_Report_Writing_Guide_Checklist.xlsx
  • The Autopsy report (report.html) created in Activity 2-1

This project helps organize the facts discovered during a digital forensics examination along with the observations and opinions of the digital forensics investigator. This information will be used to create a detailed outline for a report. Complete the following steps:
1. Open the file Project_02-2_Fact_Collection_Questionnaire.xlsx.
2. In cell B3, enter your name as the examiner; in cell B4, type Use of Company Resources for the case name; and in cell B5, type Montgomery_72022 as the case number.
3. In cell B9, type Unauthorized Computing Activity of George Montgomery for the title of the report.
4. In cell B10 (Is a cover sheet needed?), type No.
5. Using information from the Autopsy report.html file from Activity 2-1, the Project_02-1_Report_Writing_Guide_Checklist.xlsx file, and the Activity_02-1_Examiner_Notes.xlsx file, answer the remaining questions in rows 13 through 38 of Project_02-2_Fact_Collection_Questionnaire.xlsx.
6. When you have finished entering information into this spreadsheet, save it and close it.
Submit to your instructor the following file:
• Project_02-2_Fact_Collection_Questionnaire.xlsx
7. Proceed to the next project.


Solution Guidance: The purpose of this project is to show students how to use a checklist to ensure that all the evidence is correctly identified and documented after a digital forensics examination, so that no facts are overlooked and left out of the final report. Students should answer as many of the questions in the file Project_02-2_Fact_Collection_Questionnaire.xlsx as possible. For an example of the file that students should submit, see the following solution file:
• Solution_Project_02-2_Fact_Collection_Questionnaire.pdf

Project 2-3
Estimated Time: 60 minutes
Objective: Build a report outline using a questionnaire to organize the information obtained from the digital forensics examination.
Before You Begin:
• Complete Activity 2-1, Project 2-1, and Project 2-2.
• Create Work folder C:\Work\Module_02\Project_02-3.
• Download to your Work folder the following data files provided with the module:
  • Project_02-3_Report_Outline_Checklist.xlsx
• Download to your Work folder the following files you previously created:
  • Activity_02-1_Examiner_Notes.xlsx
  • Project_02-1_Report_Writing_Guide_Checklist.xlsx
  • Project_02-2_Fact_Collection_Questionnaire.xlsx
  • The Autopsy report (report.html) created in Activity 2-1

For this project, you will merge your notes from Activity 2-1, Project 2-1, and Project 2-2 and enter the information into the outline checklist file Project_02-3_Report_Outline_Checklist.xlsx. This outline checklist will be used in Project 2-4 to write a report. To complete the outline for the report, complete the following steps:
1. Open the file Project_02-3_Report_Outline_Checklist.xlsx.
2. Open and review your answers in the following files:
  • Activity_02-1_Examiner_Notes.xlsx
  • Project_02-1_Report_Writing_Guide_Checklist.xlsx
  • Project_02-2_Fact_Collection_Questionnaire.xlsx
3. After reviewing your notes from the three files listed in step 2, go to the Project_02-3_Report_Outline_Checklist.xlsx file and type Unauthorized Computing Activity of George Montgomery in cell B5 for the title of the report. In cell C7, type This will be a short report. (See Figure 2-8.) [Figure 2-8 Example of a report outline checklist]
4. For the remaining rows of the Narrative Content from Questionnaire column, write brief responses in complete sentences to the questions that appear in the first column. In the


Reminder Notes from Checklists column, add any additional comments, observations, and thoughts you have for each question.
5. When you have finished entering information into this spreadsheet, save it and close it.
Submit the following file to your instructor:
• Project_02-3_Report_Outline_Checklist.xlsx

Solution Guidance: Students are to review the following files and add the pertinent information to the file Project_02-3_Report_Outline_Checklist.xlsx:
• Activity_02-1_Examiner_Notes.xlsx
• Project_02-1_Report_Writing_Guide_Checklist.xlsx
• Project_02-2_Fact_Collection_Questionnaire.xlsx
• The Autopsy report (report.html) created in Activity 2-1
For each item listed in the “Report Section Headers” column of the Project_02-3_Report_Outline_Checklist.xlsx file, students should write brief responses in complete sentences in the “Narrative Content from Questionnaire” answer column. In the “Reminder Notes from Checklists” column, students should list information they may want to include in the final report to ensure that it is complete and accurate. For an example of the file that students should submit, see the following solution file:
• Solution_Project_02-3_Report_Outline_Checklist.pdf

Project 2-4
Estimated Time: 120 minutes
Objective: Write an informal report based on the information obtained from the examiner notes, checklist, and questionnaires in Activity 2-1, Project 2-1, Project 2-2, and Project 2-3.
Before You Begin:
• Complete Activity 2-1, Project 2-1, Project 2-2, and Project 2-3.
• Create Work folder C:\Work\Module_02\Project_02-4.
• Download to your Work folder the following data files provided with the module:
  • Project_02-4_Informal_Report.docx
  • Project_02-4_Report_Revision_Checklist.xls
• Download to your Work folder the following files you previously created:
  • Activity_02-1_Examiner_Notes.xlsx
  • Project_02-1_Report_Writing_Guide_Checklist.xlsx
  • Project_02-2_Fact_Collection_Questionnaire.xlsx
  • Project_02-3_Report_Outline_Checklist.xlsx
  • The Autopsy report (report.html) created in Activity 2-1

For this project, you will write an initial draft of a report containing information from Activity 2-1, Project 2-1, Project 2-2, and Project 2-3. This will be an informal report for the organization’s management, with fewer sections than would typically be included in a formal


report. The information you gathered in the previous activity and projects will be used to write the report. This project will be the first draft of your report. To create the first draft of your report, complete the following steps: 1. Open the following files: • • • • • • • •

Activity_02-1_Examiner_Notes.xlsx Project_02-1_Report_Writing_Guide_Checklist.xlsx Project_02-2_Fact_Collection_Questionnaire.xlsx Project_02-3_Report_Outline_Checklist.xlsx Project_02-4_Informal_Report.docx Project_02-4_Report_Revision_Checklist.xls The Autopsy report (report.html) created in Activity 2-1 A file compression program such as WinZip, WinRAR, or 7-zip

2. In the file Project_02-4_Informal_Report.docx, replace Title of report here for the Report header with Unauthorized Computing Activity of George Montgomery, and type your name as the report author. Enter your institution’s name next to “Organization,” the current date next to the “Date of Report,” and the case number Montgomery_72022 next to “Case Number,” as shown in Figure 2-9. [Figure 2-9 Informal digital forensics report] 3. Copy your answer from cell B9 in the Project_02-3_Report _Outline_Checklist.xlsx file, and paste it in the line below the Introduction heading in Project_02-4_Informal_Report.docx. 4. Copy the contents of cell B11 in the Project_02-3_Report _Outline_Checklist.xlsx file and paste it in the line below the Bona Fides heading in file Project_02-4_Informal_Report.docx. 5. Copy the contents of cells B13, B14, and B15 in the Project_02-3_Report _Outline_Checklist.xlsx file, and paste them under the Case Examination and Findings heading in the report file Project_02-4_Informal_Report.docx. 6. Copy the contents of cells B17, B18, and B19 in the Project_02-3_Report _Outline_Checklist.xlsx the, and paste them under the Conclusion heading in the report file Project_02-4_Informal_Report.docx. 7. Review the following files for any additional information you may have missed, and add it to the file Project_02-4_Informal_Report.docx where appropriate: • • •

Activity_02-1_Examiner_Note.xlsx Project_02-1_Report_Writing_Guide_Checklist.xlsx Project_02-2_Fact_Collection_Questionnaire.xlsx

8. Read through your report and correct the spelling, grammar, and flow of the report. 9. In the Project_02-4_Report_Revision_Checklist.xlsx file, answer the questions in rows 3 through 10, and make any necessary updates or corrections in the file Project_024_Informal_Report.docx. 10. In your Work folder, navigate to the Autopsy subfolder Reports\Activity_02-1 HTML Report mm-dd-yyyy-hh-mm-ss. Compress into one zip file the report.html file and the subfolder content to create the compressed file Activity_02-1 HTML Report mm-dd-yy-hh-mm-ss.zip.


11. When finished, save and close all files. Submit to your instructor the following files:
• Project_02-4_Informal_Report.docx
• Project_02-4_Report_Revision_Checklist.xlsx
• Activity_02-1 HTML Report mm-dd-yy-hh-mm-ss.zip

Solution Guidance: Students are to write a report using notes and information from Activity 2-1, Project 2-1, Project 2-2, and Project 2-3, drawing on the following files:
• Activity_02-1_Examiner_Notes.xlsx
• Project_02-1_Report_Writing_Guide_Checklist.xlsx
• Project_02-2_Fact_Collection_Questionnaire.xlsx
• Project_02-3_Report_Outline_Checklist.xlsx
• The Autopsy report (report.html) created in Activity 2-1
The information collected in these files should be transferred to the file Project_02-4_Informal_Report.docx in the order prescribed in the steps of this project. After the information has been written into the file Project_02-4_Informal_Report.docx, students should revise their report by rereading it and making any necessary spelling and grammar corrections. Students should also check the readability of the report to improve its quality. As part of the revision process, students should use the file Project_02-4_Report_Revision_Checklist.xlsx as a quality control checklist before finalizing the report. For examples of the files that students should submit, see the following solution files:
• Solution_Project_02-4_Informal_Report.pdf
• Solution_Project_02-4_Report_Revision_Checklist.pdf
• Solution_Activity_02-1 HTML Report mm-dd-yyyy-hh-mm-ss.zip

Project 2-5
Estimated Time: 60 minutes
Objective: Review your digital forensics report and prepare for testimony.
Before You Begin:
• Complete Activity 2-1 and Project 2-4.
• Create Work folder C:\Work\Module_02\Project_02-5.
• Download to your Work folder the following data file provided with the module:
  • Project_02-5_Testimony_Prep_Checklist.xlsx
• Download to your Work folder the following files you previously created:
  • Project_02-4_Informal_Report_First_Draft.docx
  • The Autopsy report (report.html) created in Activity 2-1

For this project, you will review your report from Project 2-4 and answer the questions in the file Project_02-5_Testimony_Prep_Checklist.xlsx to prepare for testimony. To prepare to testify, complete the following steps:


1. Open the file Project_02-5_Testimony_Prep_Checklist.xlsx.
2. Review Project_02-4_Informal_Report_First_Draft.docx and the report.html Autopsy report created in Activity 2-1.
3. In cell C5 of the Project_02-5_Testimony_Prep_Checklist.xlsx file, type Unknown at this time because no theory was stated by Steve Billings.
4. In cell C6, type George Montgomery and Martha were conducting personal for-profit business on company computing assets, as shown in Figure 2-10.
[Figure 2-10 Completing the testimony prep checklist]
5. Continue answering the remaining questions in the checklist to the best of your knowledge. For any questions you do not have the answers to, type I don’t know. For questions that are not applicable, type Not applicable.
6. When finished, save and close all files. Submit to your instructor the following file:
• Project_02-5_Testimony_Prep_Checklist.xlsx

Solution Guidance: Students are to review the file Project_02-4_Informal_Report_First_Draft.docx and answer the questions in the file Project_02-5_Testimony_Prep_Checklist.xlsx regarding the digital forensics examination performed in Activity 2-1. For an example of the file that students should submit, see the following solution file:
• Solution_Project_02-5_Testimony_Prep_Checklist.pdf in the Solutions folder.

Case Projects - Solutions

Case Project 2-1
Estimated Time: 60 minutes
Objective: Research and create an outline for a resume and a curriculum vitae (CV).
In this Case Project, you will research how to create a resume and CV and develop an outline for both types of documents. From these outlines, you will write a resume and a CV in Case Projects 2-2 and 2-3. Note that a resume is typically one page long, with brief summaries of information written for a specific job. A CV is typically several pages long, with details from your background and experience that are relevant to your career; it should include many more details than a resume.
Before You Begin:
• Create Work folder C:\Work\Module_02\Case_Project_02-1.

Complete the following steps:
1. Using your preferred web browser search engine, search for “How do I write a resume.” Review several websites, including some that offer examples of sample resumes, taking notes of the recommendations provided.


2. Next, search for “How do I write a curriculum vitae.” Review several websites, including some that offer examples of CVs, and take notes of the recommendations provided.
3. Based on your notes and the sample resumes and CVs you found during your online search, write an outline for your resume and another outline for your CV. Save your resume outline as Case_Project_02-1_resume_outline and your CV outline as Case_Project_02-1_CV_outline in your Work folder.
4. Submit to your instructor the following files:
• Case_Project_02-1_resume_outline
• Case_Project_02-1_CV_outline

Solution Guidance: Students are to review various websites that have specific instructions on how to write a resume and CV. From their review and notes, they will need to create an outline for both a resume and a CV.
The resume outline should have the following sections:
• Student’s contact information
• Work experience history, including any internships and related volunteer work
• Personal achievements and related activities
• Education and training
• Specific skills related to the requirements of the posted job
The CV outline should have the following sections:
• Student’s contact information
• Formal education
• Informal education
• Skills
• Work history, with detailed descriptions of duties and accomplishments
• Awards received for work performed
• Publications produced
• Presentations given
• Certificates and professional licenses
Note that students new to digital forensics and those with minimal work history and education can skip the sections that are not relevant to them.
The following websites are helpful resources for writing resumes:
• indeed.com/career-advice/resumes-cover-letters/writing-a-resume-with-no-experience
• topresume.com/career-advice/make-a-great-resume-with-no-work-experience
• myperfectresume.com/resume/examples
The following websites are helpful resources for writing a curriculum vitae:
• indeed.com/career-advice/resumes-cover-letters/cv-format-guide
• zety.com/blog/how-to-write-a-cv
• owl.purdue.edu/owl/job_search_writing/resumes_and_vitas/writing_the_cv.html


Case Project 2-2
Estimated Time: 90 minutes
Objective: Create a resume tailored to a specific digital forensics job description.
Before You Begin:
• Complete Case Project 2-1.
• Create Work folder C:\Work\Module_02\Case_Project_02-2.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_02-2_Digital_Forensics_Analyst_Job_Description.pdf
• Download to your Work folder the following file you previously created:
  • Case_Project_02-1_resume_outline
• Access the following items:
  • Research information from Case Project 2-1
  • Your education and work history

Using the information you gathered while completing Case Project 2-1, create a one-page resume tailored to the job description in the Case_Project_02-2_Digital_Forensics_Analyst_Job_Description.pdf file. Because you may not possess some of the required skills stated in the job description, include previously unrelated skills and experiences that can be applied to this job description.

Note 15
As you progress in your career, routinely update your resume and CV to show your continued growth in experience, education, and training. In addition, when submitting your resume or CV to an attorney (or instructor), convert it to Portable Document Format (PDF).

Complete the following steps:
1. Using your resume outline and the research you gathered in Case Project 2-1, create a resume for the digital forensics analyst position described in the Case_Project_02-2_Digital_Forensics_Analyst_Job_Description.pdf file, and save it in your Work folder. To make the writing process easier, have a vision or idea of what the finished resume should look like, based on your research.
2. For those just entering the digital forensics field, a resume would typically be one page long; two pages is appropriate for more experienced professionals. Avoid creating a resume longer than two pages. A document longer than two pages is a CV, not a summary of qualifications for the specific position you are applying for. At the top of your resume, provide your complete and spelled-out mailing address (no abbreviations, such as “New York” instead of “NY”) and, optionally, a professional networking profile link. For this exercise, you may use your institution’s mailing address and phone number as your own.
3. A resume needs to be formatted for ease of readability. Typically, you have about 5–12 seconds to impress a hiring manager enough that they will consider you for an interview. Use a font size between 10 and 12 points and ensure that the document has appropriate white space along the margins and between the lines of text. Many employers only receive resumes electronically through an applicant tracking system (ATS) program. When a resume is received, the ATS program will search it for key words from


the job announcement. The resume with the most key word matches will be placed at the top of the list for the hiring manager to review. For more information on how to optimize your resume for an ATS, see these websites:
• visualcv.com/blog/how-to-beat-the-applicant-tracking-system
• jobscan.co/blog/8-things-you-need-to-know-about-applicant-tracking-systems
4. Whenever possible, professional experience included on your resume should reflect the skills and qualifications listed in the job posting. If you do not have anything on point, describe experiences that demonstrate your aptitude for the skills and qualifications described in the job posting.
5. For each job position on your resume, include a one- or two-sentence description of the position, and identify at least three to five accomplishments that illustrate your ability to solve problems, along with quantifiable metrics (e.g., Implemented new inventory control procedures to reduce shrink by 15%).
6. Save your resume using one of the following file names, and submit the file to your instructor as a PDF file or printed on letter- or A4-sized paper:
• Case_Project_02-2_ATS_version.pdf
• Case_Project_02-2_NonATS_version.pdf

Solution Guidance: Students’ resumes should be brief and concise. Because they may have only minimal training and experience in digital forensics, they should strive to list information that indirectly relates to this profession. Students should be given the option of producing an ATS-compatible or a non-ATS formatted resume. For examples of both styles of resume, see the following solution files:
• Solution_Case_Project_02-2_ATS_version.pdf
• Solution_Case_Project_02-2_NonATS_version.pdf

Case Project 2-3
Estimated Time: 4–24 hours
Objective: Create a curriculum vitae for a digital forensics examiner.
Before You Begin:
• Complete Case Project 2-1.
• Create Work folder C:\Work\Module_02\Case_Project_02-3.
• Download to your Work folder the following file you previously created:
  • Case_Project_02-1_CV_outline
• Access the following items:
  • Research information from Case Project 2-1
  • Your education and work history

Complete the following steps:
1. Based on your research, prepare your CV with the following information:
• Your contact information


• Education history (starting with the most recent, and nothing lower than post-secondary education; include any post-secondary education you have completed to date if you have not finished your education at the time the document is written)
• Employment history (starting with the most recent)
• Professional certifications (starting with the most recent), presented as vendor name, certificate title, date, certificate course number, and certificate ID, as in the following example:
  CompTIA, Downers Grove, Illinois
  Course: Network+, N10-003
  Date: 01/2008
  ID: SRSYM7F4K3ZP43PS
• Expert witness testimony, listed as Plaintiff v. Defendant. Case Number. Legal Report Number. (Name of the court, date of decision), as in the following example:
  Greyhound Lines, Inc. v. Robert Ward, et al. No. 06-1875. 485 F.3d 1032. (8th Cir. April 24, 2007)
• Professional presentations and training
• Courses and workshops attended
• Specific experience as a subject matter expert
2. Save your CV to your Work folder, and submit it to your instructor for review. (All documents must be submitted as a PDF file or printed on letter- or A4-sized paper.) When submitting your CV, use one of the following file names for the project:
• Case_Project_02-3_ATS_CV-your-name.pdf
• Case_Project_02-3_NonATS_CV-your-name.pdf

A resume and CV require constant revision to produce a usable product. Expect to allocate 50–80% of your time to revising your documents. Review your documents several times, keeping an eye out for clarity of thought, progression, and proper spelling and grammar. When possible, print out the document and read it out loud to identify where you may have spelling, grammar, or syntax errors.

Solution Guidance: Students’ CVs should be detailed and should include a list of their training and work history. Because a CV is a list of one’s accumulated life experiences, it should include all work, education, and other related professional experiences. Students should include all accomplishments achieved related to their schooling, employment, and membership in any clubs or social organizations. Students should be encouraged to write brief stories about their accomplishments in specific situations in their lives. For an example of an ATS-compatible CV, see the following solution file:
• Solution_Case_Project_02-3_CV-CynthiaKazakova.pdf
In addition, students might find helpful information on the following websites, which describe a variety of CV designs:
• thebalancecareers.com/cv-samples-and-writing-tips-2060349
• grad.illinois.edu/sites/default/files/pdfs/cvsamples.pdf
• standout-cv.com/blogs/cv-writing-advice-blog/115702276-example-of-a-good-cv


Case Project 2-4
Estimated Time: 60 minutes
Objective: Create a glossary for your report’s reference section.
Before You Begin:
• Create Work folder C:\Work\Module_02\Case_Project_02-4.
• Access the following items:
  • Key terms used in Modules 1 and 2, along with reference sources on the web

For this Case Project, you will create a glossary with important terms and definitions related to digital forensics. In addition to the key term lists found at the end of Modules 1 and 2, you should include additional words that you think might be of use in a digital forensics report for nontechnical readers. (Note that this will be an ongoing task as you make your way through the remaining modules in this book.) To create your glossary using a spreadsheet application, complete the following steps:
1. Open a new spreadsheet, and type Key Term in cell A1 and Definition in cell B1. Widen columns A and B as shown in Figure 2-11.
[Figure 2-11 A digital forensics report glossary spreadsheet]

Note 16
When writing definitions for your report, keep in mind that the person reading them will typically have very little technical knowledge. Provide concise and easy-to-understand descriptions and, if necessary, include examples in your definitions for the reader.

2. In each row, type the key term or acronym in column A, followed by its definition in column B. Verify your definition against the descriptions in this module, the glossary of this book, or your preferred web search engine.
3. After you have finished entering the key terms and definitions, review your file carefully. Correct any spelling errors using the spell check function key (F7), and check the grammar of the definitions.
4. Sort the glossary in alphabetical order by key term by selecting from row 2 through the final row containing a key term and definition. Then click Data, and Sort for Microsoft Excel, or Sort Ascending for LibreOffice Calc.
5. When finished, save your glossary as Case_Project_02-4_Glossary in your Work folder, and submit to your instructor the following file:
• Case_Project_02-4_Glossary.xlsx

Solution Guidance: Students should produce a spreadsheet that contains technical terms relating to digital forensics. The key terms selected by the student can vary, since students apply their own judgment regarding which terms to include. Definitions, grammar, and spelling should be verified for correctness and accuracy. Definitions should be concise and easy for the nontechnical reader to understand. For an example of the type of glossary students should submit, see the following solution file:
• Solution_Case_Project_02-4_Glossary.pdf


Case Project 2-5
Estimated Time: 20 minutes
Objective: Create a list of books, articles, journals, and other resources on digital forensics and assorted information technologies for your own reference library (in either hard copy or digital form).
Before You Begin:
• Create Work folder C:\Work\Module_02\Case_Project_02-5.
• Access the following items:
  • Resources from online and brick-and-mortar bookstores, libraries, journals, and other resource sites

For this project, start by searching for digital forensics, information technology, and other forensic science books from online libraries and bookstores, such as Barnes & Noble or Amazon. Expand your search to identify specific articles and journals as well as other reference websites that might be helpful to you in your work as a digital forensics investigator. Finally, do a search for companies and organizations that provide advanced digital forensics technical services. Using your preferred word processor program, create a list of these resources. Your list should have the following two sections:
• The books you have read and books you would like to read
• Web links for articles, journals, reference sites, how-to guides, and advanced digital forensics technical services

Use a standard bibliography format, such as American Psychological Association (APA) or Modern Language Association (MLA) format, to list the books and articles. For details on how to write references in these formats, see the following websites:
• For APA: writingcenter.uagc.edu/format-your-reference-list
• For MLA: bibliography.com/mla/mla-book-citation-examples

For your list of references, consider also providing a comment section for personal notes on each book you have read or wish to read. When finished, save your reference list as Case_Project_02-5_References in your Work folder, and submit to your instructor the following file:
• Case_Project_02-5_References.docx

Solution Guidance: Students are to research online sources for relevant articles, journals, reference websites, companies, and other organizations connected to digital forensics, related IT topics, and general investigative subjects. From this research they are to create a document that contains a list of these references, along with any notes that provide more information about each reference. This list should use APA or MLA bibliography reference format. Students’ references should use only one format, not both, throughout the entire document. For an example of the type of document students should submit, see the following solution file:
• Solution_Case_Project_02-5_References.pdf



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 3: The Investigator’s Laboratory and Digital Forensics Tools

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7TH EDITION, ISBN: 9780357672884; MODULE 3: THE INVESTIGATOR’S LABORATORY AND DIGITAL FORENSICS TOOLS

Table of Contents
Activities - Solutions .......................... 2
  Activity 3-1 ................................. 2
Review Questions - Answers ..................... 3
Hands-On Projects - Solutions .................. 9
  Project 3-1 .................................. 9
  Project 3-2 ................................. 11
  Project 3-3 ................................. 12
  Project 3-4 ................................. 14
Case Projects - Solutions ..................... 16
  Case Project 3-1 ............................ 16
  Case Project 3-2 ............................ 17
  Case Project 3-3 ............................ 18
  Case Project 3-4 ............................ 19
  Case Project 3-5 ............................ 20


Activities - Solutions

Activity 3-1
Estimated Time: 5 minutes
Objective: Determine file ownership by using the command-line interpreter (CLI) in Windows.
Before You Begin:
• Access the following item:
  • A computer using the Windows 10 operating system or newer

Complete the following steps:
1. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type cmd and click OK.
2. At the command prompt, type cd \ and press Enter to go to the root directory. Create a Work folder for this activity by typing md Work\Module_03\Activity_03-1 and pressing Enter.
3. At the root directory, type dir /q > C:\Work\Module_03\Activity_03-1\Fileowner.txt and press Enter.
4. In any text editor, open Fileowner.txt to see the results. You should see your file structure and whether the files were generated by the system or by a user. When you’re finished, exit the text editor and close the command prompt window.
5. Submit to your instructor the following file:
• Fileowner.txt

Solution Guidance: If students successfully complete this activity, the file Fileowner.txt should list the owners of the directories. For an example of the file that students should submit, see the following solution file:
• Solution_Activity_3-1_Fileowner.pdf
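As an added example (not part of the textbook or its solution files), the following PowerShell script generalizes step 4: instead of reading owners by eye from the fixed-width dir /q listing, it reads each entry's owner from its security descriptor and tallies entries by owner, separating objects owned by well-known system principals from user-owned ones. The root and output paths are assumed to mirror the activity's Work folder, and the list of system principals is an assumption chosen for illustration.

```powershell
# Added example (not from the textbook): list the owner of each entry under a
# root folder and tally how many belong to built-in system principals versus
# user accounts, the distinction step 4 asks the student to read off Fileowner.txt.
# Assumption: run in PowerShell on Windows 10 or newer; the paths mirror the
# activity's Work folder (created in step 2) and can be changed freely.
$Root    = 'C:\'
$OutFile = 'C:\Work\Module_03\Activity_03-1\Fileowner_Summary.csv'

# Assumed list of well-known principals that mark OS- or installer-created
# objects. Anything else (for example DESKTOP-1234\Alice) is treated as a user.
$SystemOwners = @(
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller',
    'BUILTIN\Administrators'
)

$entries = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-Acl reads the security descriptor; .Owner is the same DOMAIN\Account
        # string that dir /q prints, but it is never truncated to a fixed column.
        $owner = 'ACCESS DENIED'
        try {
            $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
        } catch {
            # Some system folders deny even read access to the security descriptor
            # unless the prompt is elevated; record that rather than stopping.
        }

        if ($owner -eq 'ACCESS DENIED')         { $origin = 'Unknown' }
        elseif ($SystemOwners -contains $owner) { $origin = 'System' }
        else                                    { $origin = 'User' }

        [pscustomobject]@{
            Name        = $_.Name
            IsDirectory = $_.PSIsContainer
            Owner       = $owner
            Origin      = $origin
            LastWrite   = $_.LastWriteTime
        }
    }

# Per-owner counts give the same at-a-glance picture as reading Fileowner.txt;
# the CSV keeps a sortable copy for the examiner notes.
$entries | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'Owner'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

$entries | Export-Csv -LiteralPath $OutFile -NoTypeInformation
```

Run from an elevated prompt to minimize "ACCESS DENIED" rows; entries that still report Unknown are worth noting in the examiner notes rather than silently dropping.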


Review Questions - Answers

1. Which of the following should be considered when building a business case for developing a forensics lab? (Choose all that apply.)
a. Procedures for gathering evidence
b. Testing software
c. Protecting trade secrets
d. The organization’s digital forensics needs
Answer: a. Procedures for gathering evidence; b. Testing software; c. Protecting trade secrets; d. The organization’s digital forensics needs
Explanation: A business case can be used to provide justification for establishing or upgrading a lab and its equipment. To persuade an organization’s management to invest money, personnel, and resources in a digital forensics investigation group, the business case should address the necessary procedures for gathering evidence, required testing software, the need to protect trade secrets, and the type of digital investigation services the organization needs. Along with these elements, additional ideas can be incorporated into the business case to further enlighten management about why a lab, a forensics team, and certain equipment are required.

2. ANAB mandates the procedures established for a digital forensics lab. True or False?
Answer: False
Explanation: ANAB audits the lab’s tasks and functions to ensure correct and consistent results for all cases. These audits are done on subscribing members’ forensics labs to ensure the quality and integrity of their work. It is the responsibility of the lab’s management team to establish the necessary procedures.

3. What is the purpose of the reconstruction function of a digital forensics tool? (Choose all that apply.)
a. The reconstruction function in a digital forensics program will extract additional evidence from a suspect’s disk image.
b. The reconstruction function only rebuilds data carved from a disk image file.
c. The reconstruction function is a copy of a logical partition to another logical partition.
d. The reconstruction function duplicates a suspect’s drive.
Answer: d. The reconstruction function duplicates a suspect’s drive.
Explanation: The reconstruction function serves many purposes that allow for a more detailed examination of a suspect’s drive than can be performed with an analysis tool such as Autopsy. By creating an exact copy of a suspect’s drive, an examiner can boot it without concerns about altering the original drive or the original image of it. By using a reconstructed drive for investigating such things as malware, the examiner can better analyze the activity of a malware or virus program while it is running on a computer in real time.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

3


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 3: The Investigator’s Laboratory and Digital Forensics Tools

4. What type of information can help you to determine the types of operating systems needed in your lab? (Choose all that apply.)
a. Type of computing assets of your organization
b. Computer sales marketing trends for your community
c. Typical computing assets found in your community
d. Uniform Crime Report statistics for your area and a list of cases handled in your area
Answer: a. Type of computing assets of your organization; c. Typical computing assets found in your community; d. Uniform Crime Report statistics for your area and a list of cases handled in your area
Explanation: Building a digital forensics lab business case requires you to gather as much information as possible about the organization or community the lab will serve. With this information, you will be better able to determine the resources required for the lab to operate efficiently and to better serve the lab’s clients.

5. What types of expenses and ongoing costs should be included in a business case for a digital forensics lab? (Choose all that apply.)
a. Anticipated specialized training costs for personnel
b. Digital media evidence lockers
c. Digital forensics hardware and software with prices
d. Consumable items such as flash drives, CDs, and DVDs
Answer: a. Anticipated specialized training costs for personnel; b. Digital media evidence lockers; c. Digital forensics hardware and software with prices; d. Costs of consumable items such as flash drives, CDs, and DVDs
Explanation: The business case should reflect the projected costs of the overall operations of a lab, including physical security needs such as evidence lockers, required hardware and software, and consumables such as flash drives, CDs, and DVDs. Some organizations may separate training costs from operating costs. For these organizations, unless otherwise directed by management, costs for training staff should also be included.

6. Why is physical security so critical for a digital forensics lab?
a. To keep the lab working area free from dust and dirt
b. To keep the lab a safe working environment for visitors
c. To ensure lab operation costs are kept low
d. To maintain the chain of custody and prevent data from being lost, corrupted, or stolen
Answer: d. To maintain the chain of custody and prevent data from being lost, corrupted, or stolen
Explanation: For all investigations, evidence integrity is paramount. By maintaining a physically secure digital forensics lab, corruption or accidental alteration of digital media evidence can be minimized or completely avoided. Damaging or compromising digital evidence will destroy its credibility and will jeopardize the outcome of an investigation. If it can be demonstrated that digital evidence was compromised in any way, opposing attorneys can challenge its value in your case.


7. If a visitor to your digital forensics lab is a personal friend, it’s not necessary to have them sign the visitor’s log. True or False?
Answer: False
Explanation: As important as physical security is to the operations of a digital forensics lab, the security of visitors is just as important. All visitors should be identified and required to sign a visitor’s log that lists the date of their visit, their arrival and departure times, the staff member they are visiting, and the purpose of the visit. Visitors must be escorted by a lab staff member at all times to ensure that no one inappropriately accesses digital evidence or a processing computer.

8. A forensic lab should have a master key that opens the locks for several different evidence storage containers. True or False?
Answer: False
Explanation: Access to evidence storage containers must be restricted to authorized lab staff members. One way to do this is to avoid the use of master keys that open several different locks in the lab.

9. A forensic workstation should always have a direct broadband connection to the Internet. True or False?
Answer: False
Explanation: As a general security precaution, digital forensics workstations should not have a direct connection to the Internet while processing digital evidence. This also applies to workstations that have antivirus software and firewalls implemented because communications could still be transmitted to and from the workstation from an external source. This applies to any cloud services as well. The workstation can be connected to a local area network to other computers and servers also not connected to the Internet.

10. What document provides good information on safe storage containers? (Choose all that apply.)
a. ISO 27037
b. ISO 17025
c. NISPOM
d. ISO 5725
Answer: c. NISPOM
Explanation: The National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M, provides information to U.S. defense contractors on how to secure classified information. The NISPOM provides specific details on how to control sensitive information such as digital media and computing assets. This guide shows how to establish and maintain the integrity of digital evidence stored in a lab.


11. What term refers to labs constructed to shield electromagnetic radiation emissions?
Answer: TEMPEST
Explanation: When running, computers emit electromagnetic radiation (EMR) that can be read by specialized equipment that can obtain the data being processed and transmitted by computers and network cabling. To prevent the collection of information, computers and network cables must be shielded. Typical shielding of computer systems takes place in a lab facility that is lined with copper or other materials to prevent the transmission of data from computers. This shielding is referred to as TEMPEST by the U.S. Department of Defense. TEMPEST facilities must include special filters for electrical power and telephones. All heating and ventilation ducts in the facility must have special baffles to trap emanations.

12. According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.)
a. DEFR’s competency
b. DEFR’s skills in using the command line
c. Use of validated tools
d. Conditions at the acquisition setting
Answer: a. DEFR’s competency; c. Use of validated tools
Explanation: For validation of data acquisition tools, DEFR’s competency specifically defines what is done, why it is done, and the validation processes. This is further described in ISO 27037.

13. Hashing analysis makes up which function of digital forensics tools?
a. Validation and verification
b. Acquisition
c. Extraction
d. Reconstruction
Answer: a. Validation and verification
Explanation: Many digital forensics acquisition tools use hashing programs, such as MD5 or SHA1, to validate that the data copied is good—that is, complete and uncorrupted. The use of these hashing algorithms reduces the time it takes to perform a bit-by-bit comparison from the original source (suspect drive) data to the copied target (acquired drive) data.

14. Digital forensics hardware acquisition tools typically have built-in hashing capabilities. True or False?
Answer: True
Explanation: To ensure the integrity of the copied data, hardware acquisition tools have the ability to hash the data. Typical hardware digital forensics acquisition tools such as the Image MaSSter Solo-4 will generate CRC32, MD5, SHA-1, and SHA-256 hashes. The Tableau TX1 will generate MD5 and SHA-1 hashes.


15. The reconstruction function of a forensics tool can be used for which of the following? (Choose all that apply.)
a. Re-create a suspect drive to show what happened
b. Create a copy of a drive for other investigators
c. Recover file headers
d. Re-create a drive compromised by malware
Answer: a. Re-create a suspect drive to show what happened; b. Create a copy of a drive for other investigators; d. Re-create a drive compromised by malware
Explanation: The purpose of the reconstruction function of a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident. Another reason for duplicating a suspect drive is to create a copy for other digital investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence. Reconstruction may also be done if a drive has been compromised by malware or a suspect’s actions.

16. Which of the following are subfunctions associated with data extraction for digital forensics acquisition tools? (Choose all that apply.)
a. Tagging data of interest to the examination
b. Copying fragmented data located in unallocated disk space
c. Searching for specific data sets of interest
d. Exploring and examining the contents of data sets of interest
Answer: a. Tagging data of interest to the examination; b. Copying fragmented data located in unallocated disk space; c. Searching for specific data sets of interest; d. Exploring and examining the contents of data sets of interest.
Explanation: Most digital forensics tools have a function that allows the examiner to label artifacts of interest in digital evidence. This labeling is referred to as tagging, which helps organize the digital evidence for the tool’s report generator. The tool’s report generator will typically contain metadata and other printable content of the evidence in an HTML or text document. Copying fragmented data located in unallocated disk space is the data-carving process function. The keyword search subfunction of the data extraction function allows the investigator to search for specific data sets of interest. The data viewing subfunction involves exploring and examining the contents of data sets of interest.

17. Data can’t be written to a disk drive with a command-line tool. True or False?
Answer: False
Explanation: To prevent data from being written by any digital forensics tool, including a command-line tool, a write-blocker (a hardware- or software-enabled device) should be implemented for the acquisition. Prior to present-day tools—when only command-line acquisition methods were available—examiners would use extreme care to only copy data from a suspect’s disk drive to a target evidence drive.


18. In testing tools, the term “reproducible results” means that you get the same results every time a tool is used on the same digital evidence. True or False?
Answer: False
Explanation: When testing digital forensics tools, the phrase “reproducible results” means that you get the same results when analyzing digital evidence using different machines or software. As an example, if two acquisitions of a suspect’s disk drive are done using two different acquisition tools, such as FTK Imager and X-Ways Imager, their MD5 or SHA1 hash values should be identical. If the hash values do not match, the investigator must determine why—for instance, one tool may have performed a physical acquisition and the other a logical acquisition.

19. The verification function does which of the following? (Choose all that apply.)
a. Proves that a tool performs as intended
b. Creates segmented files
c. Proves that two sets of data are identical via hash values
d. Verifies hex editors
Answer: a. Proves that two sets of data are identical via hash values
Explanation: By verifying that the hash values match, you can have confidence that the integrity of the data is good.

20. What is the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller? (Choose all that apply.)
a. Write-blockers provide additional firewall protection for suspect computers.
b. Write-blockers are specifically designed to detect malware on a suspect’s computer.
c. USB or FireWire write-blockers provide plug-and-play access to disk drives.
d. Write-blockers allow for USB or FireWire connections between computers, similar to a local area network.
Answer: c. USB or FireWire write-blockers provide plug-and-play access to disk drives.
Explanation: USB or FireWire write-blockers allow you to remove and reconnect drives without having to shut down your workstation, saving time when processing the evidence drive.

21. Which of the following criteria must be met when implementing new hardware or software for a digital forensics lab? (Choose all that apply.)
a. Identify forensics category requirements.
b. Identify test cases.
c. Establish a test method.
d. Analyze cost of the hardware or software.

Answer: a. Identify forensics category requirements; b. Identify test cases; c. Establish a test method
Explanation: Before introducing any new digital forensics hardware or software tool, the examiners must (1) identify the forensics category that describes its functions and uses, (2) identify and create sample test cases with known or expected outcome of findings, and (3) define the methods to use for the testing of the new hardware or software. Cost analysis is a budget matter that is unrelated to the testing of new hardware or software.

22. A log report in forensics tools does which of the following? (Choose all that apply.)
a. Tracks file types
b. Monitors network intrusion attempts
c. Records an investigator’s actions in examining a case
d. Lists known good files
Answer: c. Records an investigator’s actions in examining a case
Explanation: Digital forensics tools typically have a logging feature that records all activities, such as bookmarking, data extractions, and keyword search results. This log can be part of a formal report, as discussed in the module “Report Writing and Testimony for Digital Investigations.”
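Questions 18 and 19 above turn on hash matching between acquisitions. The following Python script is an added example, not part of the solutions manual: it simulates two imaging tools copying the same constructed drive (both physical) plus a logical acquisition of it, hashes each image, and shows which pairs verify; the drive contents, sector size, and tool names are constructed for the demonstration.

```python
"""Hash-based validation and verification of two acquisitions.

Added example (not from the textbook): two simulated imaging tools copy the
same constructed 'suspect drive'; their hashes should match, while a logical
acquisition of the same drive hashes differently (the mismatch case Question
18 describes).
"""
import hashlib
import io

SECTOR_SIZE = 512
ALGORITHMS = ("md5", "sha1", "sha256")


def build_suspect_drive() -> bytes:
    """Constructed 16-sector drive: 10 allocated sectors of case records
    followed by 6 unallocated sectors still holding leftover (deleted) data."""
    allocated = (b"case file record\n" * 32)[:SECTOR_SIZE] * 10
    unallocated = (b"DELETED\x00" * 64)[:SECTOR_SIZE] * 6
    return allocated + unallocated


def acquire_physical(drive: bytes) -> bytes:
    """Tool A: bit-for-bit copy of every sector, allocated or not."""
    return bytes(drive)


def acquire_physical_streamed(drive: bytes, chunk_size: int = 1024) -> bytes:
    """Tool B: the same physical copy, read in chunks the way an imager does."""
    source, target = io.BytesIO(drive), io.BytesIO()
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        target.write(chunk)
    return target.getvalue()


def acquire_logical(drive: bytes, allocated_sectors: int) -> bytes:
    """Logical acquisition: only the allocated sectors are copied, so the
    unallocated space never reaches the image."""
    return bytes(drive[: allocated_sectors * SECTOR_SIZE])


def hash_image(data: bytes) -> dict:
    """Validation: hash the image sector by sector in one pass for every
    algorithm, as a tool does while the data is being copied."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), SECTOR_SIZE):
        block = data[offset : offset + SECTOR_SIZE]
        for hasher in hashers.values():
            hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify(image_a: bytes, image_b: bytes) -> dict:
    """Verification: True per algorithm when both data sets hash identically,
    which proves the copies are the same without a bit-by-bit comparison."""
    hashes_a, hashes_b = hash_image(image_a), hash_image(image_b)
    return {name: hashes_a[name] == hashes_b[name] for name in ALGORITHMS}


def main() -> None:
    drive = build_suspect_drive()
    image_a = acquire_physical(drive)
    image_b = acquire_physical_streamed(drive)
    logical = acquire_logical(drive, allocated_sectors=10)
    print("tool A vs tool B (both physical):", verify(image_a, image_b))
    print("physical vs logical:", verify(image_a, logical))
    print("SHA-256 of the suspect drive:", hash_image(drive)["sha256"])


if __name__ == "__main__":
    main()
```

When the physical-versus-logical pair fails to verify, the examiner's next step is the one Question 18 names: establish which kind of acquisition each tool performed before suspecting corruption.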

Hands-On Projects - Solutions

Project 3-1
Estimated Time: 10 minutes
Objective: Perform an inventory of files on a USB drive using Windows DOS commands.
Before You Begin:
• Create Work folder C:\Work\Module_03\Project_03-1.
• Download to your Work folder the following data file provided with the module:
  • Project_03-1_USB_Thumb_Drive_File_List.zip

You are visiting an attorney’s office and the paralegal gives you a thumb drive that contains files of interest to the attorney. The paralegal asks if you could generate a short report that lists the files on the thumb drive as soon as possible. The paralegal needs to send the report to the attorney at another law office. Since it will take too long for you to take the thumb drive back to your lab, you ask the paralegal if there is a Windows PC available that you can use to create a report. The paralegal lets you use one of the computers in the law office. To be thorough in this examination, you will need to list all folders, files (including any hidden files), and their last modified dates. This list should be written to a text file with your name, the case number (this project’s number), and a list of all the files that displays the path and file name and their last modified dates for presentation to the attorney. To perform this task, complete the following steps:


1. Using File Explorer, navigate to your Work folder, right-click the file Project_03-1_USB_Thumb_Drive_File_List.zip, click Extract All, and then click Extract to extract the contents of the zip file.
2. Open a command prompt window by pressing the Windows key and the R key. In the Open box, type cmd and click OK.
3. At the command prompt, type cd \Work\Module_03\Project_03-1 and press Enter to take you to the Work folder.
4. At the command prompt, initiate your report for the attorney by typing echo Examiner: your_name > Project_03-1_File_List.txt and then press the Enter key.
5. Type echo Case No.: Project_03-1 >> Project_03-1_File_List.txt and then press the Enter key.
6. Insert a label for the file list report by typing echo **** Visible Files **** >> Project_03-1_File_List.txt and then press the Enter key.
7. Type dir /s/t:w Project_03-1_USB_Thumb_Drive_File_List >> Project_03-1_File_List.txt and then press the Enter key.
8. Insert a label for the file list report by typing echo **** Hidden Files **** >> Project_03-1_File_List.txt and then press the Enter key.
9. List hidden files using the same command as in Step 7 with the addition of the hidden-files attribute switch /a:h. Type the following at the command prompt: dir /s/t:w/a:h Project_03-1_USB_Thumb_Drive_File_List >> Project_03-1_File_List.txt and then press the Enter key.
10. Insert a label for the file list report by typing echo **** Visible Files Listed by Path **** >> Project_03-1_File_List.txt and then press the Enter key.
11. Type dir /s/b Project_03-1_USB_Thumb_Drive_File_List >> Project_03-1_File_List.txt and then press the Enter key.
12. Insert a label for the file list report by typing echo **** Invisible Files Listed by Path **** >> Project_03-1_File_List.txt and then press the Enter key.
13. Type dir /s/b/a:h Project_03-1_USB_Thumb_Drive_File_List >> Project_03-1_File_List.txt and then press the Enter key.
14. Verify your output by typing at the command prompt: type Project_03-1_File_List.txt and press Enter.
15. When you’re finished, exit the text editor, close the command prompt window, and submit to your instructor the following file:
• Project_03-1_File_List.txt

Solution Guidance: The purpose of this project is for students to learn how to use the echo, type, and dir Windows DOS commands and their associated switches to examine files and their metadata (such as the dates the files were last accessed) and to output the file information to a text file that can be used in a report. For an example of the document students should produce, see the following solution file:
• Solution_Project_03-1_File_List.pdf


Project 3-2
Estimated Time: 10 minutes
Objective: Compare two files that appear to be identical, and identify the differences using Windows DOS commands.
Before You Begin:
• Create Work folder C:\Work\Module_03\Project_03-2.
• Download to your Work folder the following data file provided with the module:
  • Project_03-2_File_Comparison.zip

An attorney emails you two files with similar names that appear to be identical. The attorney would like to know if these files are identical or if there are any differences in the data values. To determine whether these files are the same, use the Windows DOS comp command to see if there are any differences. If differences are detected, use the Windows DOS command fc to locate where these differences are located in these files. Complete the following steps:
1. Using File Explorer, navigate to your Work folder. Right-click the file Project_03-2_File_Comparison.zip, click Extract All, and then click Extract to extract the content of the zip file.
2. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type cmd and click OK.
3. At the command prompt, type cd \Work\Module_03\Project_03-2\Project_03-2_File_Comparison and press Enter to take you to the Work folder.
4. At the command prompt, initiate your report for the attorney by typing echo Examiner: your_name > Project_03-2_File_Compare.txt and then press the Enter key.
5. Type echo Case No.: Project_03-2 >> Project_03-2_File_Compare.txt and then press the Enter key.
6. Insert a label for the file list report by typing echo **** Compare Difference Using the COMP Command **** >> Project_03-2_File_Compare.txt and then press the Enter key.
7. Type comp /m Summary1.csv Summary2.csv >> Project_03-2_File_Compare.txt and press the Enter key.
8. Now inspect your text file to see if the comp command detected any differences in the two files. Type the following at the command prompt: type Project_03-2_File_Compare.txt and press the Enter key.
9. If the output from the comp command revealed differences, then perform the File Compare (fc) command to determine what areas of these files differ. Insert a label for the file list report by typing echo **** Compare Difference Using the fc Command **** >> Project_03-2_File_Compare.txt and then press the Enter key.
10. At the command prompt, type fc Summary1.csv Summary2.csv >> Project_03-2_File_Compare.txt and then press the Enter key.
11. Verify your output by typing the following at the command prompt: type Project_03-2_File_Compare.txt and press Enter.
12. Using your word processor, navigate to your Work folder and open the file Project_03-2_File_Compare.txt. Examine each line of the output to determine which data is different. Once you locate the data differences, highlight and make bold the data that is different in the two files.
13. When you’re finished, save your file, exit the text editor, and close the command prompt window.
14. Submit to your instructor the following file:
• Project_03-2_File_Compare.txt

Solution Guidance: The purpose of this project is to show how Windows DOS commands can be used to compare files that might have different content that is not easily seen. If correctly executed, the comp command used on this project file will produce information showing that there are two lines, that is, records, of numeric data that are different between the two files. The comp command will provide a line number where the differences are between each file, but it will not show what the differences are. The output created using the fc command will show the line with data that is different between the two files, as well as the line before it and the line after it, if it is less than 81 characters long. The fc command will not list the specific line number. For an example of what the student should produce using the comp and the fc commands, see the following solution file:
• Solution_Project_03-2_File_Compare.pdf

Project 3-3
Estimated Time: 60 minutes
Objective: Install and examine the features available with the hexadecimal editor HxD.
Before You Begin:
• Create Work folder C:\Work\Module_03\Project_03-3.
• Access the following item:
  • HxD (download and install from mh-nexus.de/en/downloads.php?product=HxD20)

Many digital forensics tools originated from hexadecimal editors. In the era of DOS computers, Norton Disk Edit, a hexadecimal editor, was one of the original tools used by computer forensics examiners. Hexadecimal editors make it easy to view data, especially nonprintable characters. Learning about the functions and features of a hexadecimal editor will enhance your understanding of how digital forensics tools such as Autopsy work and also improve your ability to interpret and navigate through digital evidence. In this project, you will create a list of the functions and purposes of the dropdown menu options in HxD.


Note 14
Hexadecimal editors are not intended to be used as an examination tool of digital evidence since they have the ability to alter data. Digital forensics tools are specifically designed to only read data from digital evidence so as to prevent the altering of the evidence. Hexadecimal editors are only to be used for copying or interpreting evidence. The only exception to this is when performing a live acquisition when collecting RAM data, which is further discussed in the module “Virtual Machine Forensics and Live Acquisitions Forensics.”

Complete the following steps to create a list of menu functions that are available in HxD. When creating this list, you can omit functions such as New, Open, Recent files, Copy, and Save.
1. Start your spreadsheet program, create a new spreadsheet file, and save it as Project_03-3_HxD_Features.xlsx. Enter the following labels in the following rows and columns:
• In cell A1, type Hexadecimal Editor Features
• In cell A2, type HxD Menu Items
• In cell A3, type Menu Functions
• In cell B3, type Dropdown Menu Items
• In cell C3, type Sub-menu Items
• In cell D3, type Description & Use
• In cell E3, type Forensic Tool Function

2. Now expand columns A through E as shown in Figure 3-12 so that each label is readable.
[Figure 3-12 Example for creating a list of HxD features]
3. Start HxD and note the dropdown menu items. In the spreadsheet, type File in cell A4.
4. In HxD, click File, note the items listed in the dropdown menu, and then click Import as shown in Figure 3-13. Note the items listed in that submenu. In the spreadsheet, type Import in cell B5 and, in cells C6 through C8, type Motorola S-Record, Intel Hex, and ETL Extended.
[Figure 3-13 HxD dropdown menu options showing Import submenu options]
5. In HxD, click File again, click Export, and then note the items listed, as shown in Figure 3-14. In the spreadsheet in cell B9, type Export, and then in cells C10 through C25 type in the submenu items listed in the HxD Export submenu.
[Figure 3-14 HxD dropdown menu options showing Export submenu options]
6. Repeat Steps 3–5 for the remaining dropdown menus and submenu items.
7. In column D, write a brief description for each menu and submenu function listed in columns B and C. Note that because HxD’s Help menu lacks information about its functions, you will need to make an educated guess about the purpose of each function. As an example, for the “Save Selection” menu function, you could write “Saves highlighted selected data to a separate file.” If you have no understanding of a particular function, leave the Description & Use field blank. For additional information about HxD’s features, see mh-nexus.de/en/hxd.


8. Next, determine if the function can be used as a forensic tool function. For example, the menu Search function’s submenu Find is used to locate data and only reads data. The Replace function, however, is a hexadecimal feature that will write data that would alter and corrupt digital evidence, which means it cannot be used as a forensics tool function. For every function that only reads data, type the letter X in the corresponding row in column E.
9. When you’re finished, exit the spreadsheet program and HxD.
10. Submit to your instructor the following file:
• Project_03-3_HxD_Features.xlsx

Solution Guidance: The purpose of this project is to show the student how to explore and learn about the capabilities of HxD. The procedures applied in this project can be applied to other software tools, including digital forensics tools and other hexadecimal editors. By examining the available menu items from HxD’s dropdown menu, the student will begin to develop an understanding of the capabilities of this application. For this project, students should make their best effort to identify and describe the available functions in HxD. They should then identify which menu items perform read-only functions and data export write functions, such as the “Save As” function, which saves to an external file. For descriptions left blank, the student should be encouraged, with the instructor’s assistance, to continue researching the purpose of these functions. Those descriptions left blank or incorrectly defined can be used for remedial instruction to ensure the student becomes competent in the use and understanding of this and other tools. For an example of the spreadsheet students should submit, see the following solution file:
• Solution_Project_03-3_HxD_Features.xlsx

Project 3-4
Estimated Time: 10 minutes
Objective: Perform a test to see if the HxD hexadecimal editor can extract an embedded JPEG file from a text file.
Before You Begin:
• Complete Project 3-3.
• Create Work folder C:\Work\Module_03\Project_03-4.
• Download to your Work folder the following data files provided with the module:
  • Project_03-4_Examiner_Notes.xlsx
  • Project_03-4_Hex_Extract.dat
• Refresh your understanding of the hexadecimal numbering system.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 3: The Investigator’s Laboratory and Digital Forensics Tools

In this project, you will test the ability of HxD to locate a JPEG file that has been hidden inside a text file. To perform this test, you will use HxD’s hexadecimal search function to find the JPEG header (0xFF D8). Once the header is located, you will need to determine its offset position (the number of bytes from the start of the file). Then you will locate the end-of-file marker for the JPEG file (0xFF D9) and determine its offset position. Once you have the start and end offset positions, you will copy the JPEG data into a new file. You will need to name the new file with a .jpg extension. You will then test the extracted file by opening it in Microsoft Photos or your preferred photo program. Complete the following steps:
1. Using your spreadsheet program, open the file Project_03-4_Examiner_Notes.xlsx. In cell C3, type your name and, in cells C4 and C5, type Project_03-4 for the Case Name and Case Number.
2. Start HxD and, in the dropdown menu, click File and then Open. Make a notation of your actions in the Examination Activity Performed column of the examiner notes file. Continue to note your activities, along with the start time of each activity, as you move through the rest of the steps.
3. In the Open dialog box, navigate to your Work folder, locate and select Project_03-4_Hex_Extract.dat, and then click Open.
4. In the dropdown menu, click Search and then Find. In the Find dialog box, click the Hex-values tab.
5. In the Search for input box, type FFD8 and then click OK. The starting offset position for the string 0xFF D8 (Offset(h): 1E5) appears in the lower-left corner of the HxD program screen, as shown in Figure 3-15. Make a note of this in the examiner notes file.
[Figure 3-15 HxD offset position]
6. Next, to locate the end-of-file marker for the JPEG file, in the dropdown menu click Search and then Find. In the Find dialog box, click the Hex-values tab.
7. In the Search for input box, type FFD9 and then click OK. Note that HxD shows E947 as the ending offset position for the string 0xFF D9; however, because the search string is two bytes long, the actual ending offset position is E948, as shown in Figure 3-16. Make a note of this information in the examiner notes file.
[Figure 3-16 Actual offset position is E948]
Now that you have the start and end offset positions, you will copy the JPEG data into a new file.
8. In the dropdown menu, click Edit and then Select-block. In the Start-offset input box, type 1E5.
9. In the End-offset input box, type E948 and click OK.
10. In the dropdown menu, click Edit and Copy. Next, click File and then New to open a new, blank file.
11. In the dropdown menu, click Edit and Paste insert. In the Confirmation dialog box, click OK.
12. In the dropdown menu, click File and Save as. In the Save As dialog box, navigate to your Work folder, and in the File name input box, type Project_03-4_Recovered_JPG.jpg. Click Save and then exit HxD. Update the examiner notes file.
13. Open File Explorer and navigate to your Work folder. Double-click the file Project_03-4_Recovered_JPG.jpg to open it in your default photo program to determine if the data recovery was successful, as shown in Figure 3-17.


[Figure 3-17 Recovered JPEG image from text file]
14. Update and save your examiner notes, exit the spreadsheet program, and submit to your instructor the following files:
• Project_03-4_Examiner_Notes.xlsx
• Project_03-4_Recovered_JPG.jpg
Solution Guidance: By successfully completing this project, students will learn how to search for hexadecimal string data and recover embedded data, such as a photograph, from a file. This project is a manual data-carving exercise that shows how a hexadecimal editor can be used to extract unique data contained within a file and then save that extracted data in a new file. This project shows how HxD can be used to recover data manually; digital forensics tools, such as Autopsy or X-Ways Forensics, can perform this task automatically. For examples of the output generated for this project, see the following solution files:
• Solution_Project_03-4_Examiner_Notes.pdf
• Solution_Project_03-4_Recovered_JPG.pdf
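The manual carve performed in steps 4 through 13, as an added Python example that is not part of the textbook, its solution files, or HxD: it locates the FF D8 and FF D9 markers, reports the start offset and the inclusive end offset (the E948-style value, one past the offset HxD's Find reports for the FF D9 hit), writes the span out as a .jpg, and records a SHA-256 hash for the examiner notes. It goes slightly beyond the project by carving every embedded JPEG in the container rather than only the first, and it runs on a constructed sample rather than Project_03-4_Hex_Extract.dat.

```python
import hashlib
import tempfile
from pathlib import Path

SOI = b"\xff\xd8"  # JPEG start-of-image marker (what step 5 searches for)
EOI = b"\xff\xd9"  # JPEG end-of-image marker (what step 7 searches for)


def find_jpeg_span(data: bytes, start_at: int = 0):
    """Return (start, end) offsets of the first JPEG at or after start_at,
    or None if no complete SOI...EOI span exists.

    'end' is the offset of the D9 byte, i.e. the value to type into HxD's
    End-offset box. HxD's Find reports the offset of the leading FF byte,
    which is why the text notes E947 for the hit but E948 as the real end.
    """
    start = data.find(SOI, start_at)
    if start == -1:
        return None
    hit = data.find(EOI, start + len(SOI))
    if hit == -1:
        return None
    return start, hit + len(EOI) - 1


def carve_all_jpegs(data: bytes):
    """Yield (start, end, blob) for every SOI...EOI span in data, in order."""
    pos = 0
    while (span := find_jpeg_span(data, pos)) is not None:
        start, end = span
        yield start, end, data[start:end + 1]   # end is inclusive
        pos = end + 1


def carve_to_files(container: Path, out_dir: Path):
    """Write each carved JPEG into out_dir and return one examiner-note
    row per file (offsets in hex, as HxD displays them)."""
    data = container.read_bytes()
    out_dir.mkdir(parents=True, exist_ok=True)
    rows = []
    for n, (start, end, blob) in enumerate(carve_all_jpegs(data), start=1):
        out = out_dir / f"{container.stem}_Recovered_{n}.jpg"
        out.write_bytes(blob)
        rows.append({
            "file": out.name,
            "start_offset_hex": f"{start:X}",
            "end_offset_hex": f"{end:X}",
            "length": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return rows


# Constructed sample (not the module's data file): two minimal JPEG-like
# blobs embedded in plain text. The first one mimics a JFIF header.
CONSTRUCTED_SAMPLE = (
    b"Meeting notes, nothing to see here.\n"
    + SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + EOI
    + b"\nEnd of notes.\n"
    + SOI + b"\x00" * 5 + EOI
    + b"tail"
)


def demo():
    """Carve the constructed sample inside a temp folder; return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        container = Path(tmp) / "Constructed_Hex_Extract.dat"
        container.write_bytes(CONSTRUCTED_SAMPLE)
        rows = carve_to_files(container, Path(tmp) / "carved")
        # Sanity check: every carved file begins with SOI and ends with EOI
        for row in rows:
            blob = (Path(tmp) / "carved" / row["file"]).read_bytes()
            assert blob.startswith(SOI) and blob.endswith(EOI)
        return rows


if __name__ == "__main__":
    for row in demo():
        print(row)   # first row: start 24, end 44, length 33
```

For the module's data file the same arithmetic gives a carved length of 0xE948 - 0x1E5 + 1 bytes, which is a useful cross-check against the size of Project_03-4_Recovered_JPG.jpg.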

Case Projects - Solutions
Case Project 3-1
Estimated Time: 60 minutes
Objective: Create a list of currently available digital forensics software tools and their costs, supported by research.
Before You Begin:
• Create Work folder C:\Work\Module_03\Case_Project_03-1.

For this case project, you will gather information about currently available digital forensics software tools. Create a spreadsheet that lists the tools, their basic features and purpose, and, if available, their cost. Using an Internet search engine, research available products for the following categories:
• Digital forensics analysis tools
• Email forensics tools
• Disk and data capture tools
• Windows registry analysis tools
• Memory forensics tools
• Network forensics tools
• Mobile device forensics tools
• Linux forensics tools

Create a new spreadsheet file and save it as Case_Project_03-1_Digital_Forensics_Software_List.xlsx.


Enter your name at the top of the spreadsheet in the first row. In the second row, enter this project number: Case_Project_03-1_Digital_Forensics_Software_List. Enter a row header for each tool category along with column headers for the following four types of product information (see Figure 3-18):
• Tool Name
• Price
• Description
• URL

[Figure 3-18 Example of digital forensics software list]
Provide at least two tools for each category. When you have completed this case project, submit to your instructor the following file:
• Case_Project_03-1_Digital_Forensics_Software_List.xlsx
Solution Guidance: The purpose of this case project is for students to gather information about different commercial and free digital forensics software tools. Students should locate and list two or more digital forensics software products for each category. Note that for some categories, such as email forensics tools, students can reference email or e-discovery tools. For an example of a completed spreadsheet listing digital forensics software tools, see the following solution file:
• Solution_Case_Project_03-1_Digital_Forensics_Software_List.pdf

Case Project 3-2
Estimated Time: 60 minutes
Objective: Create a list of currently available digital forensics hardware tools and their costs, supported by research.
Before You Begin:
• Create Work folder C:\Work\Module_03\Case_Project_03-2.

For this case project, you will gather information about currently available digital forensics hardware tools, and then create a spreadsheet that lists the tools, their basic features and purpose, and, if available, their cost. Using an Internet search engine, research available products for the following categories:
• Digital forensics workstations
• Digital forensics write-blockers
• Digital forensics disk duplicator hardware
• Password recovery devices
• Drive adapters

Create a new spreadsheet file, and enter your name at the top of the spreadsheet in the first row. In the second row, enter this project number: Case_Project_03-2_Digital_Forensics_Hardware_List. Enter a row header for each tool category along with column headers for the same four types of product information you used in Case Project 3-1.


Provide at least two tools for each category. When you have completed this case project, save it as Case_Project_03-2_Digital_Forensics_Hardware_List.xlsx and submit to your instructor the following file:
• Case_Project_03-2_Digital_Forensics_Hardware_List.xlsx
Solution Guidance: The purpose of this case project is for students to gather information about different commercial hardware tools and their features. Students should locate and list two or more digital forensics hardware products for each category. Note that there are fewer websites available for the digital forensics disk duplicator hardware category; most URL links are to software applications. For an example of a completed spreadsheet listing digital forensics hardware tools, see the following solution file:
• Solution_Case_Project_03-2_Digital_Forensics_Hardware_List.pdf

Case Project 3-3
Estimated Time: 60 minutes
Objective: Create a list of resource needs for a new digital forensics lab along with their associated costs.
Before You Begin:
• Create Work folder C:\Work\Module_03\Case_Project_03-3.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_03-3_Lab_Worksheet.xlsx

Your management team has directed you to determine how much it will cost to configure and equip a digital forensics lab for the organization. To make your calculations, you will build a worksheet of required resources and their costs. The following criteria for the new lab have been approved by management:
• The lab will be used for internal security investigations within the organization.
• One digital forensics examiner will work in the lab.
• The lab will only process Windows O/S computers.
• A storage room (3 × 4.5 meters) has been allocated for the lab.

The organization’s facility manager has examined the storage room and determined that the room will need a lock, minor ventilation improvements, a network drop, and some minor electrical upgrades since the room was not intended to support computers. The facility manager also stated that their budget can cover the cost of the electrical upgrade, a network drop, and the ventilation work. There is also a surplus of furniture that can be used in the lab. Your budget, which has been set at $5,000, will need to pay for the locking mechanism for the door as well as the remaining resources required to run the lab. Using the spreadsheet file Case_Project_03-3_Lab_Worksheet.xlsx, fill in information on what you propose for each item you think is needed for the lab. The spreadsheet includes the following six worksheets:


• Lab_Cost_Dashboard: A summary of costs from the other five worksheets, along with your name and the project name
• External_Costs: Any expenses that might need to be subcontracted out, such as mobile device forensics
• Facility_Costs: Any costs incurred to set up the storage room as a digital forensics lab
• Management_Costs: All ongoing operation expenses, such as extra disk drives, CDs, DVDs, and printer paper
• Procedures_Costs: Nondigital forensics tools and expenses that support the daily operation of the lab, such as additional security controls and assorted cables and connectors that support an examination
• Tools_Costs: Costs for all hardware and software tools that will be used to support digital forensics examinations

Make any additions, deletions, and changes to the worksheets as needed. Starting with worksheet Lab_Cost_Dashboard, in B3, enter your name as shown in the example in Figure 3-19.
[Figure 3-19 Example of dashboard for cost estimates spreadsheet]
Complete columns B and C of the remaining worksheets, using your preferred Internet search engine to research the products and their costs, as shown in the example in Figure 3-20.
[Figure 3-20 Example of facility cost worksheet]
When finished, save and submit to your instructor the following file:
• Case_Project_03-3_Lab_Worksheet.xlsx
Solution Guidance: Students are to use the information in the file Case_Project_03-3_Lab_Worksheet.xlsx to create a list of hardware, software, miscellaneous supplies, and any other resources required to create an operational digital forensics lab. The total cost should be as close as possible to the $5,000 limit stated in the management’s directive. Students should be encouraged to update the categories and items in the spreadsheet as they think is necessary. For an example of this spreadsheet, see the following file:
• Solutions_Case_Project_03-3_Lab_Worksheet.pdf

Case Project 3-4
Estimated Time: 60 minutes
Objective: Describe, in a memorandum, the upgrades available in Autopsy 4.19.0.
Before You Begin:
• Create Work folder C:\Work\Module_03\Case_Project_03-4.

Digital forensics tools are constantly being updated. These updates typically include new features and bug fixes. By reviewing the release notes from the application’s vendor, you can learn what the bug fixes are and what new features may have been added to the latest version. For this case project, you are to review the release notes for Autopsy 4.19.0 and describe them in a memorandum.


To perform this task, go to github.com/sleuthkit/autopsy/releases/tag/autopsy-4.19.0 and read through the release notes. From the release notes, identify items that are improvements and bug fixes, and then write a memorandum to your instructor listing all the improvements and bug fixes. Save this memorandum as Case_Project_03-4_Autopsy_Upgrade_Review.docx. At the beginning of the memorandum, write a short paragraph explaining your opinion of the new version of Autopsy and whether it should be implemented for future casework. When finished, submit to your instructor the following file:
• Case_Project_03-4_Autopsy_Upgrade_Review.docx
Solution Guidance: For this case project, students should list all the improvements and bug fixes noted in the release notes for Autopsy 4.19.0. The memorandum can list update features in groups with a summary for each. For an example of the file students should submit, see the following solution file:
• Solution_Case_Project_03-4_Autopsy_Upgrade_Review.pdf

Case Project 3-5
Estimated Time: 60 minutes
Objective: Outline, in a memorandum, a test plan that includes the steps and procedures you will use to verify that the latest version of Autopsy works correctly.
Before You Begin:
• Complete Case Project 3-4.
• Create Work folder C:\Work\Module_03\Case_Project_03-5.

Your management has reviewed your memorandum describing the upgrades available in Autopsy 4.19.0 and has informed you that the new version of Autopsy will only be approved for use after you have tested it and demonstrated that the results from a previous case are the same or better. Your testing plan includes the following information:
1. The specifications of the testing workstation
2. Previous case examined data and information, such as examiner notes
3. Expected output from test
4. Test steps to be performed
Management would like you to write a one-page memorandum detailing this test plan in an outline form. Save this memorandum as Case_Project_03-5_Autopsy_Test_Plan.docx and submit to your instructor the following file:
• Case_Project_03-5_Autopsy_Test_Plan.docx


Solution Guidance: For this case project, the student’s memorandum should provide details for each of the following:
1. The specifications of the testing workstation
  a. OS and version
  b. CPU model
  c. RAM
  d. Disk size and available free space
2. Previous case examined data and information
  a. The test case information (e.g., the image file Activity_02-1.001)
  b. The previous report generated with the older version of Autopsy and the examiner notes
3. Expected output from test
  a. The report created with the newer version of Autopsy
  b. A comparison between the old and new report
4. Test steps to be performed
  a. Download and install Autopsy 4.19.0
  b. Perform the same steps listed in the examiner notes from the test case
For an example memorandum, see the following solution file:
• Solution_Case_Project_03-5_Autopsy_Test_Plan.pdf


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 4: Data Acquisition

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 4: DATA ACQUISITION

Table of Contents
Activities - Solutions .... 2
  Activity 4-1 .... 2
Review Questions - Answers .... 3
Hands-On Projects - Solutions .... 11
  Project 4-1 .... 11
  Project 4-2 .... 15
  Project 4-3 .... 16
  Project 4-4 .... 19
  Project 4-5 .... 21
Case Projects - Solutions .... 28
  Case Project 4-1 .... 28
  Case Project 4-2 .... 29
  Case Project 4-3 .... 30
  Case Project 4-4 .... 31


Activities - Solutions
Activity 4-1
Estimated Time: 5 minutes
Objective: Perform a sparse acquisition of a file folder and its associated subfolders and files using xcopy.
Before You Begin:
• Create Work folder C:\Work\Module_04\Activity_04-1.
• Download to your Work folder the following data files provided with the module:
  • Activity_04-1_Examiner_Notes.xlsx
  • Activity_04-1_xcopy_Data.zip
• Unzip the contents of the file Activity_04-1_xcopy_Data.zip into your Work folder.

For this activity, you will determine how the xcopy command copies folders and files with the hidden attribute set on and off. This activity requires you to run xcopy twice, once with the /s switch and then a second time with the /s and /h switches. After completing the xcopy commands, you will use the dir command with the /s and /a:h switches to list which copied folder path contains any hidden files. Complete the following steps:
1. Open the file Activity_04-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Activity_04-1.
2. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type cmd and click OK.
3. From the root directory, type cd Work\Module_04\Activity_04-1 and press Enter.
4. Type dir and press Enter to view the contents of the Activity_04-1 folder.
5. Type xcopy /s /i Activity_04-1_xcopy_Data .\XCopy_Data-S-switch and press Enter.
6. Type xcopy /s /i /h Activity_04-1_xcopy_Data .\XCopy_Data-S-H-switches and press Enter.
7. Type dir /s /a:h XCopy_Data-S-switch > Activity_04-1_xcopy_Data-S-switch.txt and press Enter.
8. Type dir /s /a:h XCopy_Data-S-H-switches > Activity_04-1_xcopy_Data-S-H-switches.txt and press Enter.
9. After completing the xcopy and dir commands, go to the Activity_04-1_Examiner_Notes.xlsx file and describe in detail the steps you performed.
10. Submit to your instructor the following files:
• Activity_04-1_Examiner_Notes.xlsx
• Activity_04-1_xcopy_Data-S-switch.txt
• Activity_04-1_xcopy_Data-S-H-switches.txt


Solution Guidance: The purpose of this activity is to show students how to use the xcopy command and how hidden data is skipped if the /h switch is not used. Students should describe the steps they took in detail in their examiner notes to show they have successfully completed this task. For examples of the files that students will submit, see the following solution files:
• Solution_Activity_04-1_Examiner_Notes.pdf
• Solution_Activity_04-1_xcopy_Data-S-switch.pdf
• Solution_Activity_04-1_xcopy_Data-S-H-switches.pdf
Note that the file Activity_04-1_xcopy_Data-S-switch.txt turned in by the students should only list the disk drive volume information because, without the /h switch, the xcopy command does not copy the hidden files.
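The completeness check behind this activity, as an added Python example that is not part of the module or its solution files: it compares the source folder against one of the xcopy output folders and reports every file the copy is missing, flagging which of those files are hidden. The demo builds a constructed folder tree rather than using Activity_04-1_xcopy_Data, and simulate_xcopy is a labelled stand-in for xcopy /s versus xcopy /s /h so the check can run on any platform; hidden-file detection uses the Windows attribute where the OS reports it and otherwise falls back to the Unix dot-file convention.

```python
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (the flag that
    xcopy /s skips unless /h is given) or, elsewhere, a leading-dot name."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)   # Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def relative_files(root: Path) -> set:
    """All regular files below root, as POSIX-style relative paths."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*") if p.is_file()}


def missing_from_copy(source: Path, copy: Path) -> dict:
    """Compare a source tree with a copy of it.

    Returns {relative path: hidden?} for every source file absent from the
    copy. An empty dict means the sparse acquisition captured everything.
    """
    missing = relative_files(source) - relative_files(copy)
    return {rel: is_hidden(source / rel) for rel in sorted(missing)}


def simulate_xcopy(source: Path, dest: Path, include_hidden: bool) -> None:
    """Constructed stand-in for 'xcopy /s /i' (include_hidden=False) and
    'xcopy /s /i /h' (include_hidden=True); it is not the real command."""
    for src in source.rglob("*"):
        if not src.is_file() or (not include_hidden and is_hidden(src)):
            continue
        target = dest / src.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(src.read_bytes())


def demo() -> tuple:
    """Build a constructed source tree with one hidden file, make the two
    copies from the activity, and return (missing_s, missing_s_h)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "xcopy_Data"
        (src / "Docs").mkdir(parents=True)
        (src / "Docs" / "report.txt").write_text("visible report\n")
        (src / "Docs" / ".secret.txt").write_text("hidden note\n")  # hidden
        (src / "readme.txt").write_text("visible readme\n")

        s_copy = Path(tmp) / "XCopy_Data-S-switch"
        sh_copy = Path(tmp) / "XCopy_Data-S-H-switches"
        simulate_xcopy(src, s_copy, include_hidden=False)
        simulate_xcopy(src, sh_copy, include_hidden=True)
        return missing_from_copy(src, s_copy), missing_from_copy(src, sh_copy)


if __name__ == "__main__":
    missing_s, missing_s_h = demo()
    print("/s only, missing from copy:", missing_s)   # {'Docs/.secret.txt': True}
    print("/s /h, missing from copy:", missing_s_h)   # {}
```

On a real Activity 4-1 run, call missing_from_copy(Path("Activity_04-1_xcopy_Data"), Path("XCopy_Data-S-switch")) from the Work folder to list exactly the hidden files that dir /s /a:h fails to find in the /s-only copy.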

Review Questions - Answers
1. Which of the following describes the benefit of static acquisitions?
a. Preservation of digital evidence
b. Preservation of encrypted evidence
c. Preservation of dynamic evidence
d. Preservation of nonlinear evidence
Answer: a. Preservation of digital evidence
Explanation: The primary benefit of static acquisition is the preservation of evidence, as the acquisition is conducted while nothing is changing on the evidence drive. Static acquisitions are typically done on nonencrypted storage media.

2. Which of the following are advantages of the raw format for static acquisitions? (Choose all that apply.)
a. Achieves faster data speeds
b. Ignores minor data errors
c. Can be read by most forensics tools
d. Requires less storage space than the source drive
e. Natively includes hash values of the raw file
Answer: a. Achieves faster data speeds; b. Ignores minor data read errors; c. Can be read by most forensics tools
Explanation: By its very nature, the raw format can achieve faster data speeds (reducing the acquisition time for the examiner) than the AFF or proprietary formats. The raw format also ignores minor data errors from the source drive, such as when a hard drive encounters a defective sector, and it can be read by most forensics tools.


3. Which of the following are the caveats of the raw format when conducting acquisitions?
a. Achieves lower drive speeds
b. Requires equal or greater target disk space
c. Contains hashes in the raw data file
d. Collects marginal blocks
Answer: b. Requires equal or greater target disk space
Explanation: For all the advantages of the raw format for conducting acquisitions, it does have its caveats, including that it requires equal or greater target disk space and does not contain hash values in the raw file (metadata). In addition, when using the raw format, the examiner might have to run a separate hash program to validate the data (costing examiner time), and the raw format may not collect marginal (bad) blocks.
4. Which of the following features are a benefit of proprietary format acquisition files? (Choose all that apply.)
a. The option to compress the acquisition data
b. The option to segment the acquisition image onto multiple storage media
c. The ability to be read by any forensics analytic tool
d. The option to generate a metadata report external of the acquisition image file
Answer: a. The option to compress the acquisition data; b. The option to segment the acquisition image onto multiple storage media
Explanation: The option to compress the acquisition data is a benefit to the digital forensics examiner because it reduces the storage consumed by the acquisition image. Being able to segment the acquisition image onto multiple storage media allows the examiner to store one acquisition across several media, such as taking a 500GB forensics acquisition image and storing it on three to five BDXL optical discs. Proprietary formats cannot be read by any forensics tool, as their proprietary nature means that the publisher of the forensics tool needs to acquire a license agreement from the vendor in order to use that proprietary format. Proprietary formats can store metadata within the acquisition image rather than externally.
5. Of all the proprietary formats, which one is the unofficial standard?
a. Raw
b. E01
c. AFF
d. dd
Answer: b. E01
Explanation: The E01 (Expert Witness Compression) format is currently the unofficial standard.


6. Which of the following tools have the ability to conduct a sector-by-sector duplicate of a hard drive to a larger hard drive? (Choose all that apply.)
a. EnCase
b. FTK
c. X-Ways Forensics
d. Autopsy
Answer: a. EnCase; c. X-Ways Forensics
Explanation: Both EnCase and X-Ways Forensics have the ability to create a sector-by-sector duplicate of the source drive to a larger destination drive. This is useful when conducting acquisitions of older drives when disk-to-image acquisition is not available or practical.
7. Which files are collected during a logical acquisition?
a. Files that are of interest to the case
b. All files on the storage device
c. All files and deleted data on the storage device
d. All data, including intentionally hidden data not recorded by the Master File Table, on the entire storage medium
Answer: a. Files that are of interest to the case
Explanation: Only files of interest to the case or specific types of files are collected during a logical acquisition.
8. Which of the following is the primary benefit of making two acquisition images of a suspect drive in a critical investigation?
a. It allows for multiple forensics examiners to start examining the evidence immediately.
b. It allows for digital forensics examiners to practice using multiple tools to gain experience.
c. It allows for the digital forensics examiner to make at least one good copy of the forensically collected data in case of any failures during the acquisition process.
d. Making two acquisition images offers no tangible benefits.
Answer: c. It allows for the digital forensics examiner to make at least one good copy of the forensically collected data in case of any failures during the acquisition process.
Explanation: Making two copies of the source drive reduces the probability that the digital forensics examiner will be left without a usable image if an error occurs during the acquisition process. Remember that Murphy’s Law applies to digital forensics, too: If anything can go wrong, it will.


9. Which of the following is a concern for digital forensics examiners connecting a hot-swappable storage device (such as a USB drive) containing evidence to a computer running a newer version of a Linux distro, such as Kali 2022.2?
a. There are no concerns; the examiner can access the storage device immediately.
b. File system compatibility errors will occur if the file system is from a Mac or Windows computer, which may not be readable on a Linux computer.
c. Newer Linux distributions automatically mount the USB device, which could alter data on it.
d. There are no concerns; the Linux OS requires the user to manually mount the drive before accessing it.
Answer: c. Newer Linux distributions automatically mount the USB device, which could alter data on it.
Explanation: Newer Linux OSs, such as Kali 2022.2 or Ubuntu 22.04, automatically mount a USB device to allow the user to immediately start accessing the storage medium. Digital forensics examiners need to use a write-blocker to ensure that the OS does not damage the evidence. The exceptions are Kali Linux Live (using the forensic mode when booting up) and CAINE.
10. Which of the following best explains a hashing tool?
a. It is a data destruction tool, designed to render the data irrecoverable by magnetic force microscopy.
b. It is a data mixing tool, designed to homogenize data into a consistent data stream for greater analytical performance.
c. It is a data separating tool, designed to itemize data by their signatures for ease of analyses by a digital forensics examiner.
d. It is a data identification tool, designed to generate a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.
Answer: d. It is a data identification tool, designed to generate a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.
Explanation: Hashing algorithms are used to generate a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. This hash value can be used to identify a data set or verify that a data set was not altered.
11. Which of the following is the maximum file size that could be stored on a FAT32 formatted storage device?
a. 2 KB
b. 2 MB
c. 2 GB
d. 2 TB
e. 2 PB
f. 2 EB

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

6


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 4: Data Acquisition

Answer: c. 2 GB
Explanation: The maximum file size limit for a FAT32 storage device is 2 GB. This information is beneficial for the digital forensics examiner when segmenting acquisition images on FAT32 formatted devices.

12. Which of the following terms is not recognized for classifying acquisition formats? (Choose all that apply.)
a. Refined
b. Raw
c. Compressed
d. AF
Answer: a. Refined; c. Compressed
Explanation: The terms refined and compressed are not recognized terms for classifying acquisition formats. Raw, Advanced Forensics Format (AFF), and proprietary are recognized terms for classifying acquisition formats.

13. Which of the following should an examiner consider if they are tasked with conducting a physical acquisition of a storage system that utilizes RAID? (Choose all that apply.)
a. Does the examiner have enough storage capacity to conduct the acquisition?
b. Is the examiner aware of which RAID type is being used?
c. Is the examiner aware of how the RAID is being implemented and administered?
d. Does the examiner have a tool capable of conducting the acquisition?
Answer: a. Does the examiner have enough storage capacity to conduct the acquisition?; b. Is the examiner aware of which RAID type is being used?; c. Is the examiner aware of how the RAID is being implemented and administered?; d. Does the examiner have a tool capable of conducting the acquisition?
Explanation: All these questions are ones that an examiner should ask themselves before conducting a physical acquisition of a storage system that utilizes RAID, as part of the acquisition planning process. Answering these questions and having solutions to address any challenges before attempting the acquisition of a RAID system will ensure that the examiner is prepared to complete this task.

14. Why should a digital forensics examiner use a wiping tool on a destination drive before conducting a forensics acquisition?
a. Wiping the destination drive allows for greater performance of the drive.
b. Wiping the destination drive increases the accuracy of data being written to the drive.
c. Wiping the destination drive is required to decommission the drive to prepare it for resale.
d. Wiping the destination drive is recommended to ensure that no previous data is stored on that drive that could be commingled with new evidence.


Answer: d. Wiping the destination drive is recommended to ensure that no previous data is stored on that drive that could be commingled with new evidence.
Explanation: Ideally, only new hard drives should be used for all investigations, but this practice may not be sustainable. The next choice is to wipe drives before they are used for storing the acquisition image, to avoid any possibility that data would be commingled on the drive, thus contaminating the evidence.

15. Which of the following could be used to aid in identifying the keyboard combination to access a computer’s boot options without referring to the manufacturer’s technical documentation or asking for assistance?
a. Let the computer boot up as normal, launch the OS recovery tools, and select change boot options.
b. Closely observe the computer’s monitor during start-up for specific information regarding which key or keys to press to access the boot menu.
c. Press CTRL+ALT+DEL rapidly on the keyboard while the computer is powering up.
d. Look at the back or bottom of the computer to identify the keyboard combination to strike.
e. Press CMD+C rapidly on the keyboard during the boot process to bring up the boot menu.
Answer: b. Closely observe the computer’s monitor during start-up for specific information regarding which key or keys to press to access the boot menu.
Explanation: Many manufacturers have designed their computers to boot as quickly as possible for the convenience of the user. The typical computer displays information about which key or keys to press to access its boot menu for five seconds or less during start-up. If the examiner misses this information or is unable to press the appropriate key(s) in time, the computer should be powered down immediately. After the computer is shut down, it should be restarted and monitored again to learn which key or keys should be pressed, and those keys should be pressed within the brief time frame provided by the computer’s firmware.

16. Which of the following is the most critical aspect of digital forensics?
a. Acquiring digital evidence
b. Validating digital evidence
c. Producing digital evidence
d. Analyzing digital evidence
Answer: b. Validating digital evidence
Explanation: Digital evidence, by its nature, is fragile or volatile; digital forensics examiners must exercise care to preserve this evidence and validate it in order to produce evidence that can be presented at a board of inquiry or a court of law.


17. What type of controller operates independently of a computer’s OS?
a. Software RAID
b. Hardware RAID
c. RAID 10
d. RAID 15
Answer: b. Hardware RAID
Explanation: RAID drives that are connected to a special controller that is independent of a computer’s OS are referred to as hardware RAID. RAID drives that are managed by a computer’s OS are referred to as software RAID. RAID 10 and 15 are combinations of RAID 0 and 1. RAID 1 and 5 are configurations that work on either hardware RAID or software RAID.

18. A digital forensics examiner tasked with conducting a physical acquisition of a Quantum Fireball 1 GB SCSI HDD has experienced repeated failures of the acquisition tool in their attempt to create a disk-to-image acquisition. Which other method should the digital forensics examiner try to complete the physical acquisition process?
a. Physical disk-to-image acquisition
b. Physical disk-to-disk acquisition
c. Logical disk-to-image acquisition
d. Logical disk-to-data acquisition
Answer: b. Physical disk-to-disk acquisition
Explanation: The next option for the examiner to try is a physical disk-to-disk acquisition, where an acquisition tool exactly copies data from an older disk to a newer disk and sets up the target drive’s geometry to match the original drive’s parameters.


19. A digital forensics firm has been tasked by the court with conducting a physical acquisition of five 22 TB HDDs for an investigation. The digital forensics firm is a small firm and only has one acquisition machine, which supports one drive at a time at 480 Mbps of bandwidth. Assuming that the acquisition process is conducted serially and does not experience any errors, how many consecutive hours (rounded up to the nearest whole hour) at minimum should an examiner of the firm allocate toward the supervision of the acquisition process?
a. 182 hours
b. 336 hours
c. 510 hours
d. 714 hours
Answer: c. 510 hours
Explanation: An example of how to calculate the time required to forensically image five disk drives is shown here:
([5 disks] × [22 TB per hard drive] × [1000 GB per TB] × [1000 MB per GB] × [8 bits per byte]) / ([480 Mbps] × [3600 seconds per hour])
In a spreadsheet, the formula would appear as:
(5 * 22 * 1000 * 1000 * 8) / (480 * 3600) = 509.26
Because the firm is performing the acquisition process serially, the tasks are performed one after another, which means there are five separate tasks to complete. The computer has a 480 Mbps data port, so 22 TB needs to be converted to megabytes (MB) and then to megabits (Mb) to determine how many Mb must be processed. This numerator (5 * 22 * 1000 * 1000 * 8) is then divided by the denominator (480 * 3600), which is comprised of the performance of the port (Mbps) times the number of seconds in an hour, to convert the number to hours as requested in the question.


20. A digital forensics firm has been tasked by the court with conducting a physical acquisition of five 22 TB HDDs for an investigation. The digital forensics firm has a drive acquisition machine capable of running the physical acquisition of five hard drives concurrently, with 6 Gbps of bandwidth per drive. Assuming that the acquisition process does not experience any errors, how many consecutive hours (rounded up to the nearest whole hour) at minimum should an examiner of the firm allocate toward the supervision of the acquisition process?
a. 9 hours
b. 18 hours
c. 27 hours
d. 36 hours
Answer: a. 9 hours
Explanation: An example of how to calculate the time required to forensically image five disk drives concurrently is shown here:
([1 task] × [22 TB per hard drive] × [1000 GB per TB] × [8 bits per byte]) / ([6 Gbps] × [3600 seconds per hour])
In a spreadsheet, the formula would appear as:
(1 * 22 * 1000 * 8) / (6 * 3600) = 8.15
Because the firm has a drive acquisition machine capable of conducting five acquisitions concurrently (i.e., in parallel), the original five tasks just became one task. Because the machine is performing at 6 Gbps per drive, 22 TB needs to be converted to gigabytes (GB) and then to gigabits (Gb) to determine how many Gb must be processed. This numerator is then divided by the denominator, which is comprised of the performance of the port (Gbps) times the number of seconds in an hour, to convert the number to hours as requested in the question.

Hands-On Projects - Solutions

Project 4-1
Estimated Time: 60 minutes
Objective: Perform a sparse acquisition of a file folder and its associated subfolders and files using robocopy.
Before You Begin:
• Create Work folder C:\Work\Module_04\Project_04-1.
• Download to your Work folder the following data files provided with the module:
  • Project_04-1_Examiner_Notes.xlsx
  • Project_04-1_RoboCopy_Data.zip
• Unzip the contents of the file Project_04-1_RoboCopy_Data.zip into your Work folder.


In this project, you will familiarize yourself with the robocopy command and how to use the /s and /e switches to view the different results they produce. You will also use the /log: switch to record which files and folders are copied when robocopy is run from a PowerShell window. You will also use the Get-ChildItem cmdlet to record a directory listing of files and subfolders in folders Project_04-1_RoboCopy_Data, Project_04-1_RoboCopy_Data_S-switch, and Project_04-1_RoboCopy_Data_E-switch. For the final step, you will use the cmdlets Compare-Object and Get-Content to compare the output of the two log files created by robocopy to see if the /s and /e switches produce different output values.

Complete the following steps:
1. Open the file Project_04-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_04-1.
2. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type PowerShell and click OK.
3. From the root directory, type cd Work\Module04\Project_04-1 and press Enter.
4. At the PowerShell prompt, type get-childitem -path *.* and press Enter to view the contents of the Project_04-1 folder.
5. At the command prompt, type the following commands (one using the /s switch to create a folder containing no empty folders and one using the /e switch to create a folder that contains empty folders and hidden files) and press Enter after each one:
• robocopy Project_04-1_RoboCopy_Data Project_04-1_RoboCopy_Data_S-switch /s /log:Project_04-1_0_RoboCopy-with-S-switch.log
• robocopy Project_04-1_RoboCopy_Data Project_04-1_RoboCopy_Data_E-switch /e /log:Project_04-1_0_RoboCopy-with-E-switch.log

Tip
To minimize the text you need to retype for the second command, in PowerShell, press the up-arrow key to recall the previous command. Then press the left-arrow key until the cursor is just to the right of the portions of the command line that need to be changed. Press the Backspace key to delete the specific item used in the previous command, and type the changes to match the second command line for this step. When finished updating the command line, press the Enter key to execute the command.

6. Type the following commands (one to create a list that contains all files, including empty folders and hidden files, and one that only lists hidden files), and press Enter after each one:
• get-childitem -path Project_04-1_RoboCopy_Data -recurse -force > Project_04-1_1_Get_ChildItem_Force.txt
• get-childitem -path Project_04-1_RoboCopy_Data -recurse -hidden > Project_04-1_1_Get_ChildItem_Hidden.txt


7. To create a list that contains all the files, including empty folders and hidden files, as well as a list that only includes hidden files for folder Project_04-1_RoboCopy_Data_S-switch, type the following two commands and press Enter after each one:
• get-childitem -path Project_04-1_RoboCopy_Data_S-switch -recurse -force > Project_04-1_2_Get_ChildItem_Force_S-switch.txt
• get-childitem -path Project_04-1_RoboCopy_Data_S-switch -recurse -hidden > Project_04-1_2_Get_ChildItem_Hidden_S-switch.txt

8. To create a list that contains all files, including empty folders and hidden files, as well as a list that only includes hidden files for folder Project_04-1_RoboCopy_Data_E-switch, type the following commands and press Enter after each one:
• get-childitem -path Project_04-1_RoboCopy_Data_E-switch -recurse -force > Project_04-1_3_Get_ChildItem_Force_E-switch.txt
• get-childitem -path Project_04-1_RoboCopy_Data_E-switch -recurse -hidden > Project_04-1_3_Get_ChildItem_Hidden_E-switch.txt

9. To complete this task, compare the two log files created by robocopy to see if they are different. In PowerShell, type the following command:
• compare-object (get-content Project_04-1_0_RoboCopy-with-S-switch.log) (get-content Project_04-1_0_RoboCopy-with-E-switch.log) > Project_04-1_4_Logfiles_compare.txt

10. In the file Project_04-1_Examiner_Notes.xlsx, list the cmdlets that were used in this project.
11. In the file Project_04-1_Examiner_Notes.xlsx, make notes about the differences between the files in each of the following pairs of files:
• Compare the contents of files:
  • Project_04-1_0_RoboCopy-with-E-switch.log
  • Project_04-1_0_RoboCopy-with-S-switch.log
• Compare the contents of files:
  • Project_04-1_1_Get_ChildItem_Force.txt
  • Project_04-1_1_Get_ChildItem_Hidden.txt
• Compare the contents of files:
  • Project_04-1_2_Get_ChildItem_Force_S-switch.txt
  • Project_04-1_3_Get_ChildItem_Force_E-switch.txt
• Compare the contents of files:
  • Project_04-1_2_Get_ChildItem_Hidden_S-switch.txt
  • Project_04-1_3_Get_ChildItem_Hidden_E-switch.txt

12. In the file Project_04-1_Examiner_Notes.xlsx, make notes about the contents of the file Project_04-1_4_Logfiles_compare.txt.


13. When you are finished, save your examiner notes and exit PowerShell. Submit to your instructor the following files:
• Project_04-1_Examiner_Notes.xlsx
• Project_04-1_0_RoboCopy-with-E-switch.log
• Project_04-1_0_RoboCopy-with-S-switch.log
• Project_04-1_1_Get_ChildItem_Force.txt
• Project_04-1_1_Get_ChildItem_Hidden.txt
• Project_04-1_2_Get_ChildItem_Force_S-switch.txt
• Project_04-1_2_Get_ChildItem_Hidden_S-switch.txt
• Project_04-1_3_Get_ChildItem_Force_E-switch.txt
• Project_04-1_3_Get_ChildItem_Hidden_E-switch.txt
• Project_04-1_4_Logfiles_compare.txt

Solution Guidance: The primary purpose of this project is to show students how to use robocopy, which can be run from a DOS terminal window shell or a PowerShell window. A secondary purpose of this project is to show the following PowerShell cmdlets as alternatives to the DOS commands:

DOS Commands    PowerShell Cmdlets
comp            compare-object and get-content
dir             get-childitem
fc              compare-object and get-content

In addition, students should identify the differences between the robocopy command’s use of the /s and /e switches by examining the output files created in this project. Students should document their findings from these output files in their examiner notes files. Students’ findings should also note the difference between the robocopy /s and robocopy /e copied data. For examples of the files that students will submit, see the following solution files:
• Solution_Project_04-1_0_RoboCopy-with-E-switch.pdf
• Solution_Project_04-1_0_RoboCopy-with-S-switch.pdf
• Solution_Project_04-1_1_Get_ChildItem_Force.pdf
• Solution_Project_04-1_1_Get_ChildItem_Hidden.pdf
• Solution_Project_04-1_2_Get_ChildItem_Force_S-switch.pdf
• Solution_Project_04-1_2_Get_ChildItem_Hidden_S-switch.pdf
• Solution_Project_04-1_3_Get_ChildItem_Force_E-switch.pdf
• Solution_Project_04-1_3_Get_ChildItem_Hidden_E-switch.pdf
• Solution_Project_04-1_4_Logfiles_compare.pdf
• Solution_Project_04-1_Examiner_Notes.pdf
Note that the individual cmdlets used in this project are provided for your reference in the file Solution_Project_04-1_ps-cmdlets.pdf.
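As an added illustration of the /s versus /e difference that students are asked to observe in this project (this script is not from the textbook or its solution files), the following PowerShell builds a small constructed folder tree containing an empty subfolder and a hidden file, copies it once with robocopy /s and once with robocopy /e, and then compares the two targets with the same Get-ChildItem and Compare-Object cmdlets the project uses. The scratch location under $env:TEMP and all folder and file names are assumptions.

```powershell
# Added example, not from the textbook or its solution files.
# Builds a constructed source tree, copies it with robocopy /s and /e,
# and reports which items ended up in one target but not the other.
$Root   = Join-Path $env:TEMP 'RoboCopy_SvsE_Demo'   # hypothetical scratch folder
$Source = Join-Path $Root 'Source'

# Start from a clean state so an earlier run cannot pollute the comparison.
if (Test-Path $Root) { Remove-Item $Root -Recurse -Force }

# Constructed source tree: a visible file, a hidden file, a non-empty subfolder,
# and an empty subfolder (the item that /s and /e treat differently).
New-Item -ItemType Directory -Path (Join-Path $Source 'Docs') | Out-Null
New-Item -ItemType Directory -Path (Join-Path $Source 'EmptyFolder') | Out-Null
Set-Content -Path (Join-Path $Source 'readme.txt')    -Value 'visible file'
Set-Content -Path (Join-Path $Source 'Docs\notes.txt') -Value 'nested file'
$hidden = Join-Path $Source 'secret.txt'
Set-Content -Path $hidden -Value 'hidden file'
(Get-Item $hidden).Attributes = 'Hidden'

function Invoke-SparseCopy {
    param(
        [string]$From,
        [string]$To,
        [ValidateSet('/s', '/e')][string]$Switch,
        [string]$LogFile
    )
    # robocopy reports success with exit codes 0-7 (1 = files copied); 8 or
    # higher means something failed. Keep PowerShell 7.4+ from treating the
    # non-zero success codes as errors (the variable is ignored by 5.1).
    $PSNativeCommandUseErrorActionPreference = $false
    & robocopy $From $To $Switch /log:$LogFile | Out-Null
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy $Switch failed with exit code $LASTEXITCODE"
    }
}

Invoke-SparseCopy -From $Source -To (Join-Path $Root 'Target_S') -Switch '/s' -LogFile (Join-Path $Root 'with-S.log')
Invoke-SparseCopy -From $Source -To (Join-Path $Root 'Target_E') -Switch '/e' -LogFile (Join-Path $Root 'with-E.log')

function Get-RelativeListing {
    param([string]$Folder)
    # -Force includes hidden items; paths are made relative to the target so
    # that the listings of the two targets can be compared line for line.
    Get-ChildItem -Path $Folder -Recurse -Force |
        ForEach-Object { $_.FullName.Substring($Folder.Length).TrimStart('\') }
}

$listS = Get-RelativeListing -Folder (Join-Path $Root 'Target_S')
$listE = Get-RelativeListing -Folder (Join-Path $Root 'Target_E')

# SideIndicator '=>' marks items present only in the /e target,
# '<=' items present only in the /s target.
$diff = Compare-Object -ReferenceObject $listS -DifferenceObject $listE
if ($diff) {
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    Write-Output 'No difference between the /s and /e targets.'
}
```

The robocopy log files with-S.log and with-E.log in the scratch folder can be compared with the same Compare-Object and Get-Content command used in step 9 of the project.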


Project 4-2
Estimated Time: 25 minutes
Objective: Determine the hash values of several files stored in various subfolders.
Before You Begin:
• Create Work folder C:\Work\Module_04\Project_04-2.
• Download to your Work folder the following data file provided with the module:
  • Project_04-2_PS_Hashing_Data.zip
• Unzip the contents of the file Project_04-2_PS_Hashing_Data.zip into your Work folder.

In this project, you will collect the SHA-256 and SHA-512 hashes for files stored in several subfolders. These hash values will then be written to output files.

Complete the following steps:
1. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type PowerShell and click OK.
2. From the root directory, type cd Work\Module04\Project_04-2 and press Enter.
3. At the PowerShell prompt, type get-childitem -path *.* and then press Enter to view the contents of the Project_04-2 folder.
4. List and save to a text file all the files and subfolders in the folder Project_04-2_PS_Hashing_Data by typing the following and then pressing Enter:
• get-childitem -path Project_04-2_PS_Hashing_Data -recurse -force > Project_04-2_PS_Hashing_Data_File_Listings.txt

5. List each file’s SHA-256 value by typing the following and then pressing Enter:
• get-filehash -algorithm sha256 -path (get-childitem "C:\Work\Module04\Project_04-2\Project_04-2_PS_Hashing_Data\*.*" -recurse -force) | export-csv Project_04-2_PS_Hashing_Data_File_SHA-256.csv

6. List each file’s SHA-512 value by typing the following and then pressing Enter:
• get-filehash -algorithm sha512 -path (get-childitem "C:\Work\Module04\Project_04-2\Project_04-2_PS_Hashing_Data\*.*" -recurse -force) | export-csv Project_04-2_PS_Hashing_Data_File_SHA-512.csv

7. Concatenate the two hash files into one file by typing the following and then pressing Enter:
• get-content -path .\Project_04-2_PS_Hashing_Data_File_SHA-*.csv | set-content -path .\Project_04-2_PS_Hashing_Data_Results.csv

8. Start your spreadsheet program and open the file Project_04-2_PS_Hashing_Data_Results.csv, adjust the formatting of the columns and rows as necessary, and then save this file with an .xlsx extension.
9. Exit your spreadsheet and PowerShell, and submit to your instructor the following file:
• Project_04-2_PS_Hashing_Data_Results.xlsx


Solution Guidance: This project shows students how to produce hashes of files contained in subfolders using PowerShell. For this project, the student needs to successfully show that they can generate individual SHA-256 and SHA-512 hashes for each file in a subfolder. The final output should list each file’s hash type (both SHA-256 and SHA-512), the associated hash values, file path, and file name. For an example of the file that students will submit, see the following solution file:
• Solution_Project_04-2_PS_Hashing_Data_Results.pdf
Note that the individual cmdlets used in this project are provided for your reference in the file Solution_Project_04-2_ps-cmdlets.pdf.
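As an added example, not from the textbook or its solution files, the following PowerShell carries the project's Get-FileHash step one stage further: it writes the per-file hashes to a CSV manifest and then re-verifies the folder against that manifest, which is what makes the recorded hash values useful for validating that evidence was not altered (review questions 10 and 16). The scratch folder under $env:TEMP, the file names and the sample contents are constructed for the example.

```powershell
# Added example, not from the textbook or its solution files.
# Writes a SHA-256 manifest for every file under a folder, then re-verifies
# the folder against the manifest and reports altered, missing and new files.
$Root     = Join-Path $env:TEMP 'Hash_Manifest_Demo'   # hypothetical scratch folder
$Evidence = Join-Path $Root 'Evidence'
$Manifest = Join-Path $Root 'Evidence_SHA-256.csv'

# Constructed sample data so the script runs stand-alone.
if (Test-Path $Root) { Remove-Item $Root -Recurse -Force }
New-Item -ItemType Directory -Path (Join-Path $Evidence 'Sub') | Out-Null
Set-Content -Path (Join-Path $Evidence 'a.txt')     -Value 'alpha'
Set-Content -Path (Join-Path $Evidence 'Sub\b.txt') -Value 'bravo'

function New-HashManifest {
    param([string]$Folder, [string]$OutFile, [string]$Algorithm = 'SHA256')
    # -File skips directories (Get-FileHash cannot hash a folder);
    # -Force includes hidden files, as in the project's own commands.
    Get-ChildItem -Path $Folder -Recurse -File -Force |
        Get-FileHash -Algorithm $Algorithm |
        Select-Object Algorithm, Hash, Path |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Test-HashManifest {
    param([string]$Folder, [string]$ManifestFile)
    # Index the manifest by full path so each file is looked up once.
    $expected = @{}
    foreach ($row in Import-Csv -Path $ManifestFile) { $expected[$row.Path] = $row }
    $result = [ordered]@{ Altered = @(); Missing = @(); New = @() }

    # Every file named in the manifest must still exist and still hash the same.
    foreach ($path in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $result.Missing += $path
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm $expected[$path].Algorithm).Hash
        if ($actual -ne $expected[$path].Hash) { $result.Altered += $path }
    }
    # Any file on disk that the manifest does not know about is also reported.
    foreach ($file in Get-ChildItem -Path $Folder -Recurse -File -Force) {
        if (-not $expected.ContainsKey($file.FullName)) { $result.New += $file.FullName }
    }
    [pscustomobject]$result
}

New-HashManifest -Folder $Evidence -OutFile $Manifest

# Simulate the three conditions a verification must catch:
# one file changed, one file removed, one file added after hashing.
Add-Content -Path (Join-Path $Evidence 'a.txt') -Value 'tampered'
Remove-Item -Path (Join-Path $Evidence 'Sub\b.txt')
Set-Content -Path (Join-Path $Evidence 'c.txt') -Value 'charlie'

# Expected: a.txt under Altered, Sub\b.txt under Missing, c.txt under New.
Test-HashManifest -Folder $Evidence -ManifestFile $Manifest | Format-List
```

Passing -Algorithm 'SHA512' to New-HashManifest produces the second manifest the project asks for; Test-HashManifest reads the algorithm back from each manifest row, so it verifies either one.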

Project 4-3
Estimated Time: 45 minutes
Objective: Create a bootable Kali Linux Live USB drive that can be used to perform forensics data acquisitions.
Before You Begin:
• Create Work folder C:\Work\Module_04\Project_04-3.
• Download to your Work folder the following data file provided with the module:
  • Project_04-3_Examiner_Notes.xlsx
• Access the following items:
  • A USB flash drive (4 GB or larger)
  • Kali Linux Live ISO (see download instructions below)
  • balenaEtcher (see download instructions below)

This project, which will show you how to create a Kali Linux Live forensic boot USB flash drive, is broken into the following four sections:
• Downloading the Kali Linux Live ISO
• Downloading and installing balenaEtcher, a utility that can create a bootable USB flash drive from the Internet
• Obtaining the serial number of the USB flash drive that will contain the bootable ISO image
• Creating a Kali Linux Live USB flash drive using balenaEtcher, and determining if the drive’s serial number is the same

Upon completing this project, you will have a USB flash drive that can enable software write-blocking of a suspect’s disk drive, along with Linux-based command-line and GUI acquisition utilities. For additional information about creating a Kali USB bootable flash drive, see kali.org/docs/usb.

Note 11
The following instructions are correct at the time of this writing; however, vendors routinely update their websites. The steps provide a general description of how to perform these tasks. Use your judgment and knowledge to perform these steps based on any vendor updates and ask your instructor for assistance, if necessary.


Downloading Kali Linux Live ISO
To download Kali Linux Live, complete the following steps:
1. Using your web browser, go to kali.org/get-kali/#kali-live.
2. On the Kali Live webpage, click the 64-bit button (or the 32-bit button if you have an older 32-bit system).
3. Click the recommended 64 Everything (Includes every tool possible) icon (for a 32-bit system, click the recommended 32-bit Kali yyyy.n Point release live image icon; note that yyyy.n is the year and release number for the most recent update of this ISO). After the file downloads to your computer, navigate to your Work folder and click Save.
4. On the Live Boot webpage, click the Kali-USB Documentation link, and on the Portable Kali on a USB drive/key/stick webpage, click Making a Kali Bootable USB Drive on Windows. Review the instructions for further information on installing Kali Linux Live on a USB drive.
5. Open the file Project_04-3_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_04-3.
6. In the file Project_04-3_Examiner_Notes.xlsx, make an entry stating that you have downloaded Kali Linux Live and include the website’s URL. Leave the file Project_04-3_Examiner_Notes.xlsx open for the remaining steps.

Downloading and Installing balenaEtcher
To download and install balenaEtcher, complete the following steps:
1. Go to the website balena.io/etcher and click Download for Windows (x86|64). Note that x86 is the original reference for 32-bit computers. After the file downloads to your computer, navigate to your Work folder and click Save.
2. Using File Explorer, navigate to your Work folder and double-click the file balenaEtcherSetup-1.7.9.exe to start the installation of balenaEtcher. Click the I Agree button to complete the installation.
3. In the file Project_04-3_Examiner_Notes.xlsx, make an entry stating that you have downloaded and installed balenaEtcher and include the website’s URL.

Obtaining a USB Drive’s Serial Number
To obtain the serial number of the USB flash drive, complete the following steps:
1. Insert the USB flash drive that will be used as a Kali Linux Live boot drive.
2. Using File Explorer, make note of the drive letter assigned to this USB flash drive.
3. Start a PowerShell window session and, from the root directory, type cd Work\Module04\Project_04-3 and press Enter.
4. In PowerShell, list and save to a text file all internal disks and USB flash drives that are connected to your computer by typing the following and then pressing Enter:
• get-wmiobject win32_physicalmedia | format-list tag, serialnumber > Project_04-3_SN_ISO.txt


5. Obtain a list of just the USB drives connected to your computer, and then append the output to the file Project_04-3_SN_ISO.txt by typing the following and pressing Enter:
• get-disk | where-object -filterscript {$_.bustype -eq "USB"} | format-list >> Project_04-3_SN_ISO.txt

6. Using Notepad, examine the file Project_04-3_SN_ISO.txt and record the serial number of your USB drive in the file Project_04-3_Examiner_Notes.xlsx, and then close Notepad.
7. Leave the USB flash drive connected to your computer and keep the PowerShell window open for the following procedures.

Note 12
If you have more than one USB drive connected to your computer, you will first need to determine which one you will use for the Kali Linux Live ISO. To determine the correct USB flash drive, disconnect all USB flash drives except the one to be used. Then repeat the above steps to identify the serial number of the correct drive.

Creating a Kali Linux Live Boot USB Flash Drive

Caution
Before running balenaEtcher, it is extremely important to correctly identify the drive letter for the Kali Linux Live USB drive. If you assign balenaEtcher to the wrong disk’s drive letter, it will overwrite it, destroying the drive’s contents while it writes the ISO image to it. If you have a drive that has multiple partitions, balenaEtcher will destroy all the partitions as well.

To create the Kali Linux Live Boot USB flash drive, complete the following steps:
1. To start balenaEtcher, click the Windows Start icon, scroll down the menu of applications, and click balenaEtcher.
2. In the balenaEtcher window, click the Flash from file button. In the Open window, navigate to your Work folder, click the file kali-linux-yyyy.n-live-amd64.iso (e.g., kali-linux-2022.2-live-amd64.iso), and then click Open.
3. In the balenaEtcher window, click the Select target button. In the Select target window, click the check box for your USB flash drive, confirm that the selected drive’s location is the correct drive letter, and then click Select (1).
4. In the balenaEtcher window, click the Flash button. When balenaEtcher completes, close the program.
5. Get the serial number of the newly created Kali Linux Live USB flash drive from PowerShell by typing the following and pressing Enter:
• get-disk | where-object -filterscript {$_.bustype -eq "USB"} >> Project_04-3_SN_ISO.txt

6. Using Notepad, examine the file Project_04-3_SN_ISO.txt and record the serial number and the manufacturer of the USB flash drive in the file Project_04-3_Examiner_Notes.xlsx.


7. Save the file Project_04-3_Examiner_Notes.xlsx, and then close it and Notepad. Submit to your instructor the following files: • •

Project_04-3_Examiner_Notes.xlsx Project_04-3_SN_ISO.txt Solution Guidance: In this project, the students download the Kali Linux Live ISO file and the balenaEtcher utility and then install balenaEtcher on their computers. Students learn how to obtain a USB’s serial number to correctly identify it so that there are no mistakes of writing an ISO image to the wrong device. Students will gain experience in the various ways PowerShell can provide detailed information about devices, such as USB flash drives. The file Project_04-3_SN_ISO.txt contains redirected output from the three PowerShell commands. For examples of the files that students will submit, see the following solution files: • Solution_Project_04-3_Examiner_Notes.pdf • Solution_Project_04-3_SN_ISO.pdf Note that the individual cmdlets used in this project are provided for your reference in the file Solution_Project_04-3_ps-cmdlets.pdf.

Project 4-4
Estimated Time: 30 minutes
Objective: Prepare a target drive for a static forensic data acquisition.
Before You Begin:
• Create Work folder C:\Work\Module_04\Project_04-4.
• Download to your Work folder the following data file provided with the module:
  • Project_04-4_Examiner_Notes.xlsx
• Access the following item:
  • One USB flash drive 2 GB or larger

Note 13
For this project, you will be using a USB flash drive, and it is assumed that your target drive is new or has already been wiped using the diskpart clean all function or one of the commercially available wiping tools described earlier in this module. If you plan to wipe a larger external drive, be aware that wiping it can take several hours or days to complete.

This project will show how to prepare a target drive for a static acquisition of a source or suspect computer system. To begin this project, you will need to identify the size of the source or suspect computer’s drive and then select the appropriately sized target drive. The target drive should be larger than the source or suspect’s disk drive. If, however, an acquisition tool such as FTK Imager is used, the target drive can be slightly smaller if the data is compressed using the Expert Witness format.


When performing a forensic data acquisition, it is extremely important that you know which media is the source or suspect drive and which is the target drive. Your target drive’s firmware serial number should be recorded before it is connected to the source or suspect computer. In addition, the target drive should be wiped of any residual data before it is used. For this project, you will identify the correct target drive and, if necessary, reformat it as an NTFS partition.

To obtain the target disk drive information, complete the following steps:

1. Open the file Project_04-4_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_04-4.
2. Right-click the Windows Start button and then click Disk Management.
3. Connect the USB target drive to your computer. The Disk Management utility should automatically add the drive. If it doesn’t, click Action and Rescan Disks to activate the connection.
4. In the Disk Management window, the physical numbers of each drive connected to the computer are shown in the left column of the bottom pane. These numbers start with Disk 0 and increment for each additional connected drive. Typically, the last drive connected is listed as the last physical drive in Disk Management. Make a note of the physical drive number of the USB drive and its assigned logical drive letter. Figure 4-14 is an example of a computer that has two internal drives and one external USB drive. Your USB drive may have a different physical disk number and drive letter than what is shown. [Figure 4-14 Windows Disk Management]
5. Open a command prompt window and, from the root directory, type cd Work\Module_04\Project_04-4 and press Enter.
6. Obtain the serial number of your target drive by typing the following at the DOS prompt and then pressing Enter:

   wmic diskdrive get serialnumber, model, size, name, partitions > Project_04-4_Drive_Info.txt

7. Verify the redirected output from the wmic command by typing type Project_04-4_Drive_Info.txt and then pressing Enter, as shown in Figure 4-15. [Figure 4-15 Windows wmic command]
8. In the file Project_04-4_Examiner_Notes.xlsx, record the target drive’s disk number and its assigned logical drive partition letter, as shown in Disk Management.
9. Open the file Project_04-4_Drive_Info.txt, examine the contents of the Name column, and locate the physical drive number (\\.\PHYSICALDRIVEn) that matches Disk Management’s drive number (Disk n).
10. In the file Project_04-4_Drive_Info.txt, in the SerialNumber column, locate the target drive’s serial number, which is on the same line as the physical drive number (\\.\PHYSICALDRIVEn), and record the serial number in the file Project_04-4_Examiner_Notes.xlsx.


11. From File Explorer, if necessary, reformat the target drive as NTFS with the volume label Proj-4-5_Target_Disk (this drive will be used in the next project). In the file Project_04-4_Examiner_Notes.xlsx, record the serial number and note that the drive is NTFS format with the volume label of Proj-4-5_Target_Disk.
12. Close all open programs and files and submit to your instructor the following files:
   • Project_04-4_Drive_Info.txt
   • Project_04-4_Examiner_Notes.xlsx

Solution Guidance: Students should have successfully reformatted a large external USB drive as NTFS and changed the label of the drive’s partition to Proj-4-5_Target_Disk (this drive will be used in the next project). Students should have successfully determined the USB flash drive’s firmware serial number using the wmic command. For examples of the files students will submit, see the following solution files:
• Solution_Project_04-4_Examiner_Notes.pdf
• Solution_Project_04-4_Drive_Info.pdf
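The matching in steps 9 and 10 (Disk n in Disk Management to \\.\PHYSICALDRIVEn to its SerialNumber) is where a wrong target drive gets picked. The following Python script is an added example, not part of the project or the Cengage solution files: it parses the redirected wmic table by its header column offsets, so a Model with spaces stays intact, and returns the serial for a given disk number. The sample table, drive models and serial numbers are constructed, and the UTF-16 reading in load_wmic_file is an assumption about how cmd.exe redirects wmic output.

```python
r"""Map a Disk Management disk number to the target drive's firmware serial (added example).

Parses the fixed-width table written by
    wmic diskdrive get serialnumber, model, size, name, partitions > Project_04-4_Drive_Info.txt
using the header's column offsets, so a Model such as "SanDisk Ultra USB 3.0"
is not split on its spaces, then looks up the row whose Name is
\\.\PHYSICALDRIVEn for the "Disk n" shown in Disk Management.
"""
import re

_HEADER = ("Model", "Name", "Partitions", "SerialNumber", "Size")
# Constructed rows: two internal drives and one USB target, as in Figure 4-14.
# Models are examples; the serial numbers are obvious placeholders.
_ROWS = [
    ("Samsung SSD 970 EVO 1TB", r"\\.\PHYSICALDRIVE0", "3", "SSD-CONSTRUCTED-0001", "1000202273280"),
    ("WDC WD20EZRZ-00Z5HB0", r"\\.\PHYSICALDRIVE1", "1", "HDD-CONSTRUCTED-0002", "2000396321280"),
    ("SanDisk Ultra USB 3.0", r"\\.\PHYSICALDRIVE2", "1", "USB-CONSTRUCTED-0003", "61530439680"),
]
# wmic pads every column to a fixed width; the sample is built the same way so
# the header offsets line up exactly as they do in the real redirected file.
SAMPLE_WMIC_OUTPUT = "\n".join(
    f"{m:<27}{n:<20}{p:<12}{s:<22}{z}" for m, n, p, s, z in (_HEADER, *_ROWS)
) + "\n"


def parse_wmic_table(text):
    """Parse wmic's fixed-width listing into one dict per drive, keyed by header names."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    # Each column starts where its header word starts and ends where the next begins.
    columns = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for line in lines[1:]:
        record = {}
        for idx, (name, start) in enumerate(columns):
            end = columns[idx + 1][1] if idx + 1 < len(columns) else len(line)
            record[name] = line[start:end].strip()
        records.append(record)
    return records


def drive_for_disk_number(text, disk_number):
    r"""Return the record whose Name is \\.\PHYSICALDRIVE<disk_number>, or None."""
    wanted = rf"\\.\PHYSICALDRIVE{disk_number}".upper()
    for record in parse_wmic_table(text):
        if record.get("Name", "").upper() == wanted:
            return record
    return None


def confirm_target(text, disk_number, recorded_serial):
    """True only when the disk at that number carries the serial written in the examiner notes."""
    record = drive_for_disk_number(text, disk_number)
    return record is not None and record["SerialNumber"] == recorded_serial.strip()


def size_gb(record):
    """Size in decimal gigabytes, the unit printed on the drive's label."""
    return int(record["Size"]) / 1e9


def load_wmic_file(path):
    """Read the redirected file; assumption: cmd.exe writes wmic output as UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for record in parse_wmic_table(SAMPLE_WMIC_OUTPUT):
        print(f"{record['Name']:<20} {record['SerialNumber']:<22} {size_gb(record):8.1f} GB  {record['Model']}")
    usb = drive_for_disk_number(SAMPLE_WMIC_OUTPUT, 2)
    print("Disk 2 serial:", usb["SerialNumber"])
    print("matches notes:", confirm_target(SAMPLE_WMIC_OUTPUT, 2, "USB-CONSTRUCTED-0003"))
```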

Project 4-5
Estimated Time: 90 minutes
Objective: Perform a static digital forensic acquisition of a USB flash drive using Guymager.
Before You Begin:
• Complete Project 4-3 and Project 4-4.
• Create Work folder C:\Work\Module_04\Project_04-5.
• Download to your Work folder the following data files provided with the module:
  • Project_04-5_Data_Disk.zip
  • Project_04-5_Evidence_Form_Single_Item.xlsx
  • Project_04-5_Examiner_Notes.xlsx
• Access the following items:
  • The Kali Linux Live USB flash drive from Project_04-3
  • File Project_04-4_Drive_Info.txt from Project_04-4
  • The USB flash drive labeled Proj-4-5_Target_Disk from Project_04-4
  • A workstation with three available USB ports (obtain a USB multiport hub if your computer only has two ports)
  • One USB flash drive smaller than the Proj-4-5_Target_Disk USB flash drive (ideally, smaller than 20 GB)

For this project, you will use Guymager to perform a physical acquisition of a small USB flash drive. To prepare for this project, you will need to create a source drive that contains the data from the file Proj_04-5_Data_Disk.zip. This source drive must be smaller than the USB flash drive prepared in Project 4-4 (Proj-4-5_Target_Disk).


Note 14
The current version of Guymager is limited to performing only physical drive acquisitions. It provides no other options, such as logical or sparse acquisitions, and it cannot compress imaged data. This requires the target drive to be large enough to store the imaged data from the source drive along with any additional information files. If the source drive is the same size as or slightly larger than the Proj-4-5_Target_Disk USB flash drive, there won’t be enough storage space and the acquisition will fail to complete correctly.

Note 15
The instructions listed in this project are for static acquisitions of disk drives that are not encrypted. For encrypted disk media, see the module “Virtual Machine Forensics and Live Acquisitions Forensics.”

This project will show you how to boot Kali Linux Live from a USB flash drive in a forensic mode that will write-block all connected drives. After booting into Kali Linux Live, you will identify and verify the target drive by its assigned volume label name and its firmware serial number, which were obtained in Project 4-4. After you have confirmed the target drive, you will identify the source or suspect drive and record its serial number. After collecting the serial number of the source drive, you will run Guymager to perform the acquisition. When the acquisition is finished, you will complete an evidence form and update the examiner notes describing your actions to complete this project.

Creating the Source/Suspect USB Flash Drive
To create the source/suspect USB flash drive, complete the following steps:

1. Insert the source USB flash drive into one of your computer’s USB ports.
2. Using File Explorer, navigate to your Work folder, right-click the file Proj_04-5_Data_Disk.zip, and then click Extract All.
3. In the Extract Compressed (Zipped) Folders window, click Browse and navigate to the source USB flash drive. Click Select Folder and then click Extract.
4. In File Explorer, right-click the source USB flash drive and click Rename. Enter PRJ45SRC as the name and press Enter.

Preparing for the Acquisition
To prepare for the acquisition, complete the following steps:

1. Open the file Project_04-5_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_04-5.
2. In the file Project_04-5_Examiner_Notes.xlsx, record the make, model, and serial number of the forensic workstation used for this examination.
3. Connect the target USB flash drive to the computer.


4. Connect the Kali Linux Live USB flash drive to the computer.
5. In the file Project_04-5_Examiner_Notes.xlsx, record the USB flash drive manufacturer, the model (if available), and the volume labels that have been assigned to each.
6. Start the computer and monitor the display screen for menu options that will appear during the start-up. When the boot menu option appears, press and hold the appropriate key(s) until the boot menu or a message stating that it is loading appears.

Tip
If your Kali Linux Live boot USB flash drive is the same manufacturer and model as your target USB flash drive, the boot menu will display both devices with the same manufacturer’s name and model name. To determine which is the boot drive, select the first one. If an error message appears stating that there is no OS on the media, reboot, access the boot menu again, and select the other USB device.

Caution
When performing a static acquisition of a suspect computer, the most critical time is when it is powered up. Most computers display their boot menu options for only a few seconds before automatically loading the OS from the internal drive. If you are unable to press the boot menu key before the computer accesses its internal drive’s OS, immediately stop the computer by pressing and holding the power button down for 10 seconds. Repeat this process until you have determined what key to press while the system is starting and have successfully accessed the boot menu.

Selecting the Kali Linux Live Forensic Boot Mode
To select the Kali Linux Live forensic boot mode, complete the following steps:

1. When the boot menu appears, select the Kali Linux Live USB flash drive and then press Enter to start Kali. The boot menu typically displays the manufacturers’ names and the models of the disk media, as shown in the example in Figure 4-16, where the boot USB flash drive is a Verbatim STORE drive. Make sure you know the manufacturer’s name and the model of your Kali Linux Live USB flash drive to ensure you select the correct one when booting. [Figure 4-16 A UEFI boot device menu]
2. When the Kali Linux Live start-up menu appears, as shown in Figure 4-17, select Live system (amd64 forensic mode) and press Enter. [Figure 4-17 Kali Linux boot menu]
3. When the Kali desktop appears, verify the time shown in the upper-right corner of the screen. On older computers, Kali Linux Live displays the computer’s time in UTC. Newer computers typically display the local time. Verify that the computer’s clock is correct to the offset for your time zone or to UTC. Make a note of the time, whether it is UTC or local, and your time zone in your examiner notes.
4. In Kali, click the Application icon (located in the far upper-left corner of the screen) and, in the search input box, type Terminal Emulator and then press Enter.
5. At the terminal window prompt, type ls and then press Enter to verify what directory you are in. Then type cd Documents and press Enter.
6. Connect the source USB flash drive, PRJ45SRC, to the computer.
7. List the disk media connected to the computer, and save the listing to a file, by typing the following and then pressing Enter:

   sudo blkid -o list | tee Project_04-5_Computer_Info.txt

8. From the blkid screen output, determine the assigned device path names for the source (volume name: PRJ45SRC) and target (volume name: Project_04-5_Target_Disk) drives. Record the partition-assigned paths for both drives in the examiner notes. In the example shown in Figure 4-18, the partition-assigned path for the source drive is /dev/sdc1 and the path for the target drive is /dev/sdi1. [Figure 4-18 Linux blkid command showing connected devices]
9. Obtain the size of all the drives by typing the following and then pressing Enter (as shown in Figure 4-19):

   sudo lsblk -l | tee -a Project_04-5_Computer_Info.txt

[Figure 4-19 Linux lsblk command showing connected devices]
10. In the lsblk output, in the MOUNTPOINTS column, identify the logical path name for the target drive and record it in the examiner notes. In Figure 4-19, the logical path name appears as /media/kali/Proj-04-5_Target_Disk.
11. Next, from the lsblk output, verify that the target drive is large enough for the acquisition of the source drive by reviewing the information in the SIZE column. If the target drive is smaller, obtain a larger target drive and make a note in your examiner notes that a larger drive will be needed.

Tip
If your screen output from any of these commands disappears in the terminal window, type cat Project_04-5_Computer_Info.txt to redisplay the output.
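Steps 8 through 11 can be checked by script rather than by eye. The following Python example is added here and is not part of the project: it resolves the source and target by volume label, sizes the source’s parent physical device (what Guymager images, not just the labeled partition), and applies the no-compression rule from Note 14. It assumes the more machine-readable sudo lsblk -b -P -o NAME,PKNAME,SIZE,TYPE,LABEL,MOUNTPOINTS instead of the bare lsblk -l of step 9, so sizes come back as exact bytes and labels appear in the same listing; the sample output, device names and sizes are constructed.

```python
"""Pre-acquisition capacity and mount-state check for Guymager (added example).

Parses the key="value" output of
    sudo lsblk -b -P -o NAME,PKNAME,SIZE,TYPE,LABEL,MOUNTPOINTS
finds the source and target partitions by volume label, resolves the source's
parent physical device (the device Guymager acquires), and checks that the
target is strictly larger than the source, since Guymager does not compress.
"""
import re
import subprocess

LSBLK_COLUMNS = "NAME,PKNAME,SIZE,TYPE,LABEL,MOUNTPOINTS"

# Constructed sample output; device names, sizes and labels are made up to
# mirror the Project 4-5 setup (PRJ45SRC source, Proj-4-5_Target_Disk target).
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" SIZE="500107862016" TYPE="disk" LABEL="" MOUNTPOINTS=""
NAME="sda1" PKNAME="sda" SIZE="500105249280" TYPE="part" LABEL="Windows" MOUNTPOINTS=""
NAME="sdc" PKNAME="" SIZE="15552479232" TYPE="disk" LABEL="" MOUNTPOINTS=""
NAME="sdc1" PKNAME="sdc" SIZE="15550382080" TYPE="part" LABEL="PRJ45SRC" MOUNTPOINTS=""
NAME="sdi" PKNAME="" SIZE="61530439680" TYPE="disk" LABEL="" MOUNTPOINTS=""
NAME="sdi1" PKNAME="sdi" SIZE="61528342528" TYPE="part" LABEL="Proj-4-5_Target_Disk" MOUNTPOINTS="/media/kali/Proj-4-5_Target_Disk"
"""

# KEY="value" pairs; the value may contain backslash-escaped quotes.
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_lsblk_pairs(text):
    """Turn lsblk -P output into a list of dicts, one per block device."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = {k: v.replace('\\"', '"') for k, v in _PAIR_RE.findall(line)}
        row["SIZE"] = int(row["SIZE"])  # -b gives exact bytes, no unit parsing
        rows.append(row)
    return rows


def find_by_label(rows, label):
    """Return the row carrying the given volume label, or raise if absent."""
    for row in rows:
        if row["LABEL"] == label:
            return row
    raise ValueError(f"no block device carries the label {label!r}")


def plan_acquisition(lsblk_text, source_label, target_label):
    """Resolve both drives by label and decide whether the acquisition can proceed."""
    rows = parse_lsblk_pairs(lsblk_text)
    by_name = {r["NAME"]: r for r in rows}
    src_part = find_by_label(rows, source_label)
    tgt_part = find_by_label(rows, target_label)
    # Guymager images the whole physical device, so size the parent disk
    # (PKNAME), not only the labeled partition.
    src_disk = by_name.get(src_part["PKNAME"], src_part)
    plan = {
        "source_device": "/dev/" + src_disk["NAME"],
        "source_bytes": src_disk["SIZE"],
        # In forensic mode the source must stay unmounted; flag it if not.
        "source_mounted": src_part["MOUNTPOINTS"] != "",
        "target_device": "/dev/" + tgt_part["NAME"],
        "target_bytes": tgt_part["SIZE"],
        "target_mount": tgt_part["MOUNTPOINTS"],
    }
    # No compression (Notes 14 and 16): the target must be strictly larger than
    # the source to hold the image plus the .info file.
    plan["enough_space"] = plan["target_bytes"] > plan["source_bytes"]
    return plan


def live_lsblk():
    """Run lsblk on the forensic workstation (not used by the sample run)."""
    return subprocess.run(
        ["sudo", "lsblk", "-b", "-P", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    plan = plan_acquisition(SAMPLE_LSBLK, "PRJ45SRC", "Proj-4-5_Target_Disk")
    for key, value in plan.items():
        print(f"{key:>15}: {value}")
    if plan["source_mounted"]:
        print("WARNING: source is mounted; a forensic boot should leave it unmounted")
    if not plan["enough_space"]:
        print("STOP: target is not larger than the source; obtain a larger target drive")
```

The SIZE comparison mirrors step 11; the stricter check on a real workstation is the free space reported by df for the target mount point, since the target may already hold files.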

Mounting the Target Drive and Copying the Drive Information File to It
When Kali Linux Live boots, its entire OS is loaded into the RAM of the computer. Any data saved to folders on the Kali drive, such as the Documents folder, is lost when Kali shuts down. To keep any data written to the Kali Linux Live system, copy it to the target drive after the target drive is mounted and before rebooting your computer.


Note 16
The examples shown in this project were performed with Guymager version 0.8.13. This version, unlike commercially available imaging tools such as FTK Imager, lacks the ability to compress digital forensics image files. When using this tool, be sure to have a target drive larger than the source or suspect drive.

To mount the target drive and copy the drive information file to it, complete the following steps:

1. On the Kali desktop, double-click the File System icon. Then, in the left pane of the File System window, click Proj-04-5_Target_Disk in the Devices section to access the target drive, as shown in Figure 4-20. [Figure 4-20 Accessing the target drive from the File System window]

Caution
When accessing a disk drive from the File System window, Kali Linux Live will automatically mount the drive as read-write. Be extremely careful not to click the source or suspect disk devices, so as not to mount them. If for any reason you need to access the source or suspect drive using File System (or any other icon link listed in the File System window), you can mount it read-only from a terminal command line. For a read-only mount command example, type sudo mount -o ro,noload /dev/sda1 /media/kali/sda1 and press Enter (the options are comma-separated with no space; noload applies to ext3/ext4 file systems, and the mount point directory must already exist). Once the source or suspect drive is mounted read-only, you can view the contents using any of the File System icons.

2. In the left pane of the File System window, click the Documents folder. Then, in the right pane, right-click the file Project_04-5_Computer_Info.txt, and in the dropdown menu, click Copy.
3. In the left pane of the File System window, click the device Proj-04-5_Target_Disk. Then, move the cursor to a blank area of the right pane, right-click, and then click Paste.

Running Guymager
To perform an acquisition using Guymager, complete the following steps:

1. If your terminal window is closed, click the Application button located in the upper-left corner of the display (the Kali dragon icon), then in the search input box, type Terminal Emulator and press Enter.
2. At the prompt in the Terminal Emulator window, type sudo guymager and then press Enter.
3. When the Guymager window appears, read through the listing in the Linux device column. Locate the source drive’s physical path name previously recorded in your examiner notes, as shown in Figure 4-21. [Figure 4-21 Guymager’s main screen]


4. When you have identified the source drive, position the cursor on the device’s row, right-click, and in the dropdown menu, click Acquire image, as shown in Figure 4-22. [Figure 4-22 Designating the source drive to be acquired]
5. In the Acquire image window, in the File format section, enter the following information in each of the following input boxes:
   Case number: Proj-04-5
   Evidence number: Proj-04-5
   Examiner: Your name
   Description: Acquisition of evidence USB drive
   Notes: Optional for you to add any additional information
6. In the Destination section, click the ellipsis button; then, in the Select destination directory window, double-click Media, double-click kali, click Proj-04-5_Target_Drive, and then click Choose to close the Select destination directory window and return to the Acquire image window.
7. In the Destination section of the Acquire image window, type the following in the “Image filename (without extension)” box: PRJ45SRC. The input in this box will be automatically repeated in the “Info filename (without extension)” box, which is the log file name for this acquisition. If a more descriptive log file name is needed, enter the new name in the “Info filename (without extension)” box.
8. In the Hash calculation/verification section, uncheck the Verify image after acquisition (takes twice as long) check box, as shown in Figure 4-23, and then click Start. [Figure 4-23 Unchecking the Verify Image option]
9. When the acquisition is finished, exit Guymager and then unmount the target drive by typing the following (substituting the target mount point you recorded from the lsblk output) and then pressing Enter:

   umount /media/kali/Proj-04-5_Target_Drive

10. Verify that the target drive is dismounted by typing the following and then pressing Enter:

   findmnt -D /media/kali/Proj-4-5_Target_Disk

If the dismount is successful, findmnt will display no output.

Note 17
If the umount command produces an error or the findmnt command shows that the drive did not dismount, run the umount command again with the -f option to force it to dismount.

Caution
It is important to properly dismount all source and evidence drives before shutting Kali down. If you shut down Kali with mounted drives, data on the drives could be lost.


11. Exit Guymager, close all applications and windows, and shut down Kali Linux Live.
12. Remove the source drive, labeled PRJ45SRC, from the workstation.

Complete the Paperwork and Secure the Evidence
To complete the paperwork and secure the evidence, complete the following steps:

1. If the target drive was removed, reconnect it to the workstation and boot to Windows.
2. Copy the following files from the USB flash drive named Project_04-5_Target_Disk to your Work folder:
   • PRJ45SRC.E01
   • PRJ45SRC.info
   • Project_04-5_Computer_Info.txt

3. Open the file Project_04-5_Evidence_Form_Single_Item.xlsx and complete the form. For any information not available about the USB flash drive, type N/A in the appropriate field.
4. Place the source or suspect drive and the target drive in a secure container. Note that under normal digital forensics operations, all evidence should be placed in a lockable evidence cabinet or room. For this project, place the evidence where only you have access to it.
5. In the file Project_04-5_Examiner_Notes.xlsx, add all remaining details of the steps taken and any results and findings. Be sure to state where and how you secured the evidence.
6. Upon completion, submit to your instructor the following files:
   • PRJ45SRC.E01
   • PRJ45SRC.info
   • Project_04-5_Computer_Info.txt
   • Project_04-5_Evidence_Form_Single_Item.xlsx
   • Project_04-5_Examiner_Notes.xlsx

7. Save the thumb drive labeled PRJ45SRC; you will use it in Case Project 4-3.

Solution Guidance: In this project, students learned how to prepare and acquire a digital forensics image using the tool Guymager, which is part of the Kali Linux Live suite. For examples of the files students will submit, see the following solution files:
• Solution_Project_04-5_Computer_Info.pdf
• Solution_Project_04-5_Evidence_Form_Single_Item.pdf
• Solution_Project_04-5_Examiner_Notes.pdf
• Solution_Project_04-5_PRJ45SRC.E01
• Solution_Project_04-5_PRJ45SRC.pdf
Note that the file Solution_PRJ45SRC.E01 is an Expert Witness data file and can only be viewed with a digital forensics tool such as FTK Imager or Autopsy.


Case Projects - Solutions

Case Project 4-1
Estimated Time: 60 minutes
Objective: Create a bootable CAINE Linux Live USB drive that can be used to perform forensics data acquisitions.
Before You Begin:
• Create Work folder C:\Work\Module_04\Case_Project_04-1.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_04-1_Examiner_Notes.xlsx
• Access the following items:
  • A USB flash drive (4 GB or larger)
  • CAINE ISO file at caine-live.net (on this webpage, see the DOWNLOAD link)
  • The utility balenaEtcher used in Project 4-3.

For this project, you will apply the same steps that were used for the Kali Linux Live USB flash drive in Project 4-3 to create a CAINE USB flash drive. After creating the CAINE USB flash drive, test it to verify that it works by completing the following steps:

1. If the CAINE USB flash drive was removed from the computer, reconnect it to a USB port.
2. Reboot the workstation and access the boot menu before the OS is started.
3. In the boot menu, select the CAINE USB device to continue the start-up of the computer.
4. After CAINE is booted, click the Main Menu button (located in the lower-left corner of the display), click Forensic tools, and then click Disks.
5. In your examiner notes, add your name and the Case Name and Case Number at the top. Then make a list of the following disk tools that are available in CAINE. Give a brief description and, if available, a web link that has additional information about each tool.
   • AFRO
   • APFS-FUSE
   • Btrfrsc
   • DDRescue-GUI
   • ddrescuereview
   • dvdisaster
   • RecuperaBit
   • TestDisk
   • XHFS
   • XMount-GUI


6. When you have completed your research, shut down CAINE and submit to your instructor the following file:
   • Case_Project_04-1_Examiner_Notes.xlsx

Solution Guidance: This project is intended to challenge students’ ability to transfer the skills they learned in Project 4-3, creating a Kali Linux Live bootable USB flash drive, to creating a CAINE bootable USB flash drive. In addition, students learn about the tools available in CAINE that are designed for disk drive data recovery. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_04-1_Examiner_Notes.pdf

Case Project 4-2
Estimated Time: 60 minutes
Objective: Determine what file acquisition tools, and which of their features, are available in the Kali Linux Live OS.
Before You Begin:
• Create Work folder C:\Work\Module_04\Case_Project_04-2.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_04-2_Examiner_Notes.xlsx

For this project, you will create a list of file acquisition utilities that are available in the Kali Linux Live distro. To review the available utilities, go to the Kali tools webpage (kali.org/tools). In the file Case_Project_04-2_Examiner_Notes.xlsx, provide the following information about each tool:
• Name of acquisition utility
• The acquisition format type, such as raw or Expert Witness
• Any installation instructions required to implement the utility
• An example of how to use the command or how to access its help information

When you have completed this project, submit to your instructor the following file:
• Case_Project_04-2_Examiner_Notes.xlsx

Solution Guidance: The purpose of this project is to help students become aware of the many acquisition utilities available in the Kali Linux distro. To better understand these tools, students should list the name of each utility, the format type it creates, the installation commands (if required) to implement it, and how to access help information about it or an example of how to apply it. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_04-2_Examiner_Notes.pdf


Case Project 4-3
Estimated Time: 30 minutes
Objective: Perform an acquisition using Guymager with the “Verify image after acquisition” option selected.
Before You Begin:
• Complete Project 4-4 and Project 4-5 and either Project 4-3 or Case Project 4-1.
• Create Work folder C:\Work\Module_04\Case_Project_04-3.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_04-3_Examiner_Notes.xlsx
• Access the following items:
  • File PRJ45SRC.info from Project 4-5
  • The USB flash drive labeled Proj-4-5_Target_Disk from Project 4-4
  • The Kali Linux Live USB flash drive from Project 4-3 or the CAINE Linux Live USB drive from Case Project 4-1
  • A workstation with three available USB ports (obtain a USB multiport hub if your computer only has two ports)

For this case project, you will make an acquisition of the source drive PRJ45SRC from Project 4-5. When initiating this acquisition, you will accept Guymager’s default of verifying the image after it completes copying the source drive. Make sure that the Verify image after acquisition check box is checked. When completing the input boxes in the Acquire image window, change the contents of the “Image filename (without extension)” input box to CPRJ43SRC, as shown in Figure 4-24. If a more descriptive log file name is needed, enter the new name in the “Info filename (without extension)” box. [Figure 4-24 Checking the verify image option]

After completing the acquisition, compare the file CPRJ43SRC.info to the file PRJ45SRC.info and describe their differences in your examiner notes file. To help identify the differences between these files, use the DOS fc command with the /n switch. Then use the redirect (>) option to save the fc output to a text file named Case_Project_04-3_FC_Info.txt. In your examiner notes, list the specific content of each line that is different between the two files. When you have completed the examiner notes, save the file, making sure to include your name and the Case Name and Case Number at the top. Submit to your instructor the following files:

• Case_Project_04-3_Examiner_Notes.xlsx
• Case_Project_04-3_FC_Info.txt

Solution Guidance: The file Case_Project_04-3_Examiner_Notes.xlsx should contain detailed descriptions of the differences between the files CPRJ43SRC.info and PRJ45SRC.info. For examples of the files that students will submit, see the following solution files:
• Solution_Case_Project_04-3_Case_Project_04-3_FC_Info.pdf
• Solution_Case_Project_04-3_Examiner_Notes.pdf
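As an added example that is not part of the case project, the following Python script produces the same line-numbered list of differing lines that fc /n gives, and additionally pairs up each changed field so the examiner notes can state exactly what verification added. The two .info snippets are constructed stand-ins that do not reproduce Guymager’s exact .info layout, and the hash values are placeholders.

```python
"""Compare two Guymager .info files line by line (added example).

diff_lines() reports every differing line with its 1-based line number and the
file it came from, the way fc /n does; field_changes() pairs up "key: value"
lines so the change in each field is explicit for the examiner notes.
"""
import difflib

# Constructed stand-ins for PRJ45SRC.info (verification off, Project 4-5) and
# CPRJ43SRC.info (verification on, Case Project 4-3). The layout is
# illustrative only and the hash values are placeholders, not real output.
PRJ45SRC_INFO = """\
Case number: Proj-04-5
Evidence number: Proj-04-5
Examiner: Student Name
Description: Acquisition of evidence USB drive
Image file: /media/kali/Proj-4-5_Target_Disk/PRJ45SRC.E01
Verify image after acquisition: no
MD5 hash of source: 00112233445566778899aabbccddeeff
Acquisition finished: 2024-01-15 14:32:10
"""

CPRJ43SRC_INFO = """\
Case number: Proj-04-5
Evidence number: Proj-04-5
Examiner: Student Name
Description: Acquisition of evidence USB drive
Image file: /media/kali/Proj-4-5_Target_Disk/CPRJ43SRC.E01
Verify image after acquisition: yes
MD5 hash of source: 00112233445566778899aabbccddeeff
MD5 hash of image: 00112233445566778899aabbccddeeff
Image verification: OK
Acquisition finished: 2024-01-15 15:05:42
"""


def diff_lines(a_text, b_text, a_name="PRJ45SRC.info", b_name="CPRJ43SRC.info"):
    """Return (file, line_number, text) for every line that differs, like fc /n."""
    a, b = a_text.splitlines(), b_text.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    report = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        # Lines in a replaced, deleted or inserted block, numbered per file.
        report.extend((a_name, i + 1, a[i]) for i in range(i1, i2))
        report.extend((b_name, j + 1, b[j]) for j in range(j1, j2))
    return report


def parse_fields(text):
    """Split 'key: value' lines into a dict (first colon wins); other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def field_changes(a_text, b_text):
    """Map each field whose value differs to (value_in_a, value_in_b); None means absent."""
    a, b = parse_fields(a_text), parse_fields(b_text)
    ordered_keys = list(a) + [k for k in b if k not in a]
    return {k: (a.get(k), b.get(k)) for k in ordered_keys if a.get(k) != b.get(k)}


def format_report(report):
    """Render the diff in an fc-like layout for Case_Project_04-3_FC_Info.txt."""
    return "\n".join(f"***** {name}\n{num}:  {text}" for name, num, text in report)


if __name__ == "__main__":
    print(format_report(diff_lines(PRJ45SRC_INFO, CPRJ43SRC_INFO)))
    for field, (before, after) in field_changes(PRJ45SRC_INFO, CPRJ43SRC_INFO).items():
        print(f"{field}: {before!r} -> {after!r}")
```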


Case Project 4-4
Estimated Time: 90 minutes
Objective: Create a data acquisition preparation checklist form that can be used as a guide when conducting a digital forensics acquisition.
Before You Begin:
• Complete Project 4-5 and Case Project 4-3.

For this project, you will create a form for an action plan of performing a digital forensics acquisition. Using your word-processing application, create a document and save it as Case_Project_04-4_Data_Acquisition_Checklist.docx.

Data Acquisition Checklist
This form should be divided into the following sections:
• Section 1: Examiner Assignment—List the examiner (you)
• Section 2: Case Information—List as much information as is available about the evidence, the location of the acquisition, any special requests or needs, the type of acquisition requested, the computer hardware specifications, plans for the disposition of the evidence collected, etc.
• Section 3: Case Resource Needs—List the acquisition tools you plan to use, the types of target drives needed, the estimated day and time the acquisition will be performed, the requested validation method to be applied to the source drive and image files, any evidence control instructions, etc. The following is a list of possible items to include:
  • Size and number of target disk drives needed
  • Electrical power needs
  • What acquisition tool(s) to use
  • Day and time to perform the acquisition
  • Type of hashing algorithm to use to verify acquisition
  • Evidence control needs during acquisition
  • Target drive file format to be used
  • Target drive(s) serial number(s)
  • Time estimates to complete each drive acquisition
• Section 4: Contingency Plans—List the resources needed related to any possible equipment failures, staffing support, electrical power concerns, etc. The following is a list of possible items to include:
  • List of resources that might be needed if problems are encountered
  • List of qualified backup personnel to support the data collection if more help is needed
  • Alternate electrical power sources if electrical power fails in the immediate area
• Section 5: Acquisition Checklist Procedure—List the specific steps you will take to make the acquisition, based on the knowledge and experience you have gained from reading this module and completing Project 4-5 and Case Project 4-3. The following is a list of possible items to include and steps to take:

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


  • Boot menu access key of subject/suspect computer
  • Source/suspect host computer’s drive(s)
  • Target drive(s) connected to computer
  • USB flash drive(s) connected to computer
  • Boot subject/suspect computer in forensics mode
  • After booting, get a list of connected disk(s) serial number(s)
  • Verify the forensic boot drive serial number
  • Verify the source drive(s) serial number(s)
  • Verify the target drive(s) serial number(s)
  • Verify the size of the source/suspect drive(s)
  • Verify the target drive is large enough for the acquisition of the source drive(s)
  • Run acquisition tool
  • Secure evidence drives when done
  • Complete the evidence form
  • Complete your examiner notes

When creating this form, include a comment section for notes that you might want to add when filling out information for each of the checklist items.

Case Information

The case information for this checklist is based on the following facts:

• The assigned case number: Case Project 4-4
• The client: Superior Industries, Inc.
• The task requested by the client is to collect forensic images from two computers for an e-discovery demand.
• The location for this acquisition is the second floor of the offices of Superior Industries, Inc., at 333 West Camden Street, Baltimore, MD, 21201.
• The client requests that the acquisition be done on the upcoming weekend.
• The type of acquisition: Static acquisition
• All evidence is contained on HDD and SSD devices.
• The client would like you to maintain chain of evidence and secure evidence in your forensic lab’s evidence storage room.
• The computers cannot be removed from the premises, and the disk drives cannot be removed from the computers’ cases, to avoid voiding the warranty on the computers.
• Due to the client’s directive, the original disk drives cannot be retained.
• Known information about the computers includes the following:
  • Computer 1 specifications:
    ▪ HP Envy desktop
    ▪ One 1 TB HDD and one 512 GB SSD drive
    ▪ External USB ports available are:
      o 4 SuperSpeed USB Type-A
      o 1 SuperSpeed USB Type-B
      o 4 USB 2.0 Type-A


  • Computer 2 specifications:
    ▪ Dell Inspiron
    ▪ One 1 TB HDD and one 256 GB SSD drive
    ▪ External USB ports available are:
      o 1 USB 3.2 Gen|Type-C
      o 3 USB 3.2 Gen|Type-A
      o 4 USB 2.0 Type-A
• In section 3 of your form, compute the estimated time it will take to acquire all disk drives from the computers.
• In the notes section of your form, list any special instructions or observations that might be needed when performing the acquisition.

Complete Sections 1 through 4 of your form. Leave Section 5 blank. When you have completed the checklist, submit to your instructor the following file:

• Case_Project_04-4_Data_Acquisition_Checklist.docx

Solution Guidance: For this case project, students need to create a checklist that can be used as a guide when preparing and performing a digital forensics acquisition. Their form should include checklist items described in the “Data Acquisition Checklist” section of this case project. Students should fill in information for each checklist item described in the “Case Information” section of this case project for Sections 1 through 4 of their form. For an example of what the data acquisition preparation form should look like, see the following solution file:

• Solution_Case_Project_04-4_Data_Acquisition_Checklist.pdf
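A worked estimate for Section 3 (acquisition time per drive) and the Section 5 target-size check, added here as an example and not taken from the textbook's solution file. The drive sizes and port types come from the case information; the imaging rates, the 25% overhead factor and the 4 TB target drive are labelled assumptions to be replaced with figures measured on the examiner's own equipment.

```python
"""Estimated acquisition times and target-drive capacity check for Case Project 4-4.

Added example (not part of the textbook's solution files). Drive sizes and
USB port types come from the case information; the sustained imaging rates
below are ASSUMPTIONS for planning and must be replaced with rates measured
on the examiner's own write blocker, target drive and acquisition tool.
"""
from dataclasses import dataclass, replace

# Decimal units, as drive vendors label capacity (1 TB = 10**12 bytes).
TB = 10**12
GB = 10**9

# ASSUMED sustained imaging throughput (MB/s) per interface listed in the case
# information. Link speed is only an upper bound; the spinning HDD, the adapter
# and the target drive usually set the real rate.
ASSUMED_RATE_MBPS = {
    "USB 2.0": 30.0,                        # well below the 480 Mb/s link rate
    "SuperSpeed USB (5 Gb/s)": 150.0,       # computer 1 ports
    "USB 3.2 Gen (Type-C/Type-A)": 150.0,   # computer 2 ports
}


@dataclass(frozen=True)
class SourceDrive:
    host: str
    label: str
    size_bytes: int
    interface: str  # key into ASSUMED_RATE_MBPS


def imaging_time_hours(size_bytes: int, rate_mb_per_s: float) -> float:
    """Time to read every byte of the source drive once at the given rate."""
    return size_bytes / (rate_mb_per_s * 1_000_000) / 3600


def estimate_plan(drives, target_capacity_bytes, overhead_factor=1.25):
    """Per-drive hours (with an ASSUMED 25% overhead for setup and hash
    verification), total hours, and whether one target drive can hold raw
    images of every source drive (the Section 5 size check)."""
    per_drive = {}
    for d in drives:
        hours = imaging_time_hours(d.size_bytes, ASSUMED_RATE_MBPS[d.interface])
        per_drive[f"{d.host} / {d.label}"] = round(hours * overhead_factor, 2)
    total_source = sum(d.size_bytes for d in drives)
    return {
        "per_drive_hours": per_drive,
        "total_hours": round(sum(per_drive.values()), 2),
        "total_source_bytes": total_source,
        "target_large_enough": target_capacity_bytes >= total_source,
    }


def contingency_plan(drives, target_capacity_bytes, fallback="USB 2.0"):
    """Section 4 contingency: the same drives if only the fallback ports are
    usable (for example, after a SuperSpeed adapter failure)."""
    return estimate_plan([replace(d, interface=fallback) for d in drives],
                         target_capacity_bytes)


# Drives from the case information (computer 1: HP Envy; computer 2: Dell Inspiron).
CASE_DRIVES = [
    SourceDrive("Computer 1", "1 TB HDD", 1 * TB, "SuperSpeed USB (5 Gb/s)"),
    SourceDrive("Computer 1", "512 GB SSD", 512 * GB, "SuperSpeed USB (5 Gb/s)"),
    SourceDrive("Computer 2", "1 TB HDD", 1 * TB, "USB 3.2 Gen (Type-C/Type-A)"),
    SourceDrive("Computer 2", "256 GB SSD", 256 * GB, "USB 3.2 Gen (Type-C/Type-A)"),
]

if __name__ == "__main__":
    target = 4 * TB  # ASSUMED: one 4 TB target drive
    for title, plan in (("Planned", estimate_plan(CASE_DRIVES, target)),
                        ("USB 2.0 fallback", contingency_plan(CASE_DRIVES, target))):
        print(f"{title}: total ~{plan['total_hours']} h, "
              f"target large enough: {plan['target_large_enough']}")
        for name, hours in plan["per_drive_hours"].items():
            print(f"  {name}: ~{hours} h")
```

Under these assumptions the four drives take about 6.4 hours over the SuperSpeed/USB 3.2 ports but about 32 hours if only USB 2.0 ports can be used, which is the kind of figure the Section 4 contingency plan has to account for.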



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 5: Processing Crime and Incident Scenes

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7TH EDITION, ISBN: 9780357672884; MODULE 5: PROCESSING CRIME AND INCIDENT SCENES

Table of Contents
Activities - Solutions ..... 2
  Activity 5-1 ..... 2
Review Questions - Answers ..... 3
Hands-On Projects - Solutions ..... 11
  Project 5-1 ..... 11
  Project 5-2 ..... 12
  Project 5-3 ..... 13
  Project 5-4 ..... 15
Case Projects - Solutions ..... 20
  Case Project 5-1 ..... 20
  Case Project 5-2 ..... 21
  Case Project 5-3 ..... 23
  Case Project 5-4 ..... 25


Activities - Solutions

Activity 5-1

Estimated Time: 5 minutes
Objective: Identify the owner of a file using the metadata of a word processor document.

Before You Begin:
• Create Work folder C:\Work\Module05\Activity_05-1.
• Download to your Work folder the following data files provided with the module:
  • Activity_05-1_Examiner_Notes.xlsx
  • Activity_05-1_Metadata_File_Ownership.odt

For this activity, a preliminary examination is needed to determine the registered owner of a document file. This activity will show you how to use Autopsy for Windows to determine the registered owner of a document that was created in LibreOffice Writer. To perform this task, complete the following steps:

1. Open the file Activity_05-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Activity_05-1.
2. Start Autopsy for Windows.
3. In Autopsy’s Welcome window, click the New Case button. In the New Case Information window, enter Activity_05-1 in the Case Name text box and then click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type and then click Next.
4. In the examiner notes file, in the Date and Start Time columns in row 8, enter the current date and time and, in the Examination Activity Performed column, type Started examination to obtain registered owner’s name of document Activity_05-1_Metadata_File_Ownership.odt.
5. In the Optional Information window of Autopsy, type Activity_05-1 in the Case Number text box and your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard.
6. In the Select Type of Data Source To Add area of the Add Data Source window, click the Logical Files button and then click Next, as shown in Figure 5-1.
[Figure 5-1 Selecting the Logical File option in Autopsy]
7. In the Select Data Source area of the Add Data Source window, click Add and navigate to your Work folder in the Open window. Click the Activity_05-1_Metadata_File_Ownership.odt file, click Select, and then click Next in the Select Add Data Source window.
8. In the Configure Ingest area of the Add Data Source window, click Select All and then click Next.
9. In the examiner notes file, in cell C9, type All Ingest modules selected.
10. When the Ingest Modules configuration completes, click Finish.


11. After the Ingest process completes, in Autopsy’s Tree Viewer pane, click Metadata and then in the Result Viewer pane, click file Activity_05-1_Metadata_File_Ownership.odt.
12. In the Content Viewer pane, right-click Owner and then click Select All, as shown in Figure 5-2.
[Figure 5-2 Selecting all the data in the Content Viewer pane]
13. Right-click the highlighted area in the Content Viewer pane and click Copy.
14. In the examiner notes file, place your cursor in cell C10, right-click, and then click Paste in the dropdown menu. Make row 10 large enough to display all of its contents.
15. In cell D10 of the examiner notes file, enter the amount of time the task took to complete in tenths of an hour.
16. Exit Autopsy, and save and exit your examiner file notes.

Submit to your instructor the following file:

• Activity_05-1_Examiner_Notes.xlsx

Solution Guidance: The purpose of this activity is to show students how to obtain metadata of a LibreOffice Writer file. Students should use the examiner notes file to document the steps taken to acquire this information. For an example of the examiner notes file students will submit, see the following solution file:

• Solution_Activity_05-1_Examiner_Notes.pdf
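The ownership metadata Autopsy displays for a LibreOffice Writer document is stored inside the .odt container itself, in meta.xml. The following parser, added here as an example and not part of the activity's data files, extracts those fields directly so an examiner can confirm what a tool reports; the sample document it builds is constructed with fictitious names, and the field descriptions follow the OpenDocument format (meta:initial-creator is the registered user name at creation time, dc:creator the user who last saved).

```python
"""Pull authorship metadata out of an OpenDocument (.odt) file.

Added example, not part of the textbook's activity files. An .odt file is a
ZIP container; the author/owner fields LibreOffice records live in meta.xml
under <office:meta>: meta:initial-creator is the registered user name at
creation time, dc:creator the user who last saved the document.
The sample document built below is CONSTRUCTED for this example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Fields worth copying into the examiner notes, in the order they are reported.
FIELDS = [
    ("initial_creator", "meta:initial-creator"),
    ("creator", "dc:creator"),
    ("creation_date", "meta:creation-date"),
    ("modified_date", "dc:date"),
    ("generator", "meta:generator"),
]


def read_odt_metadata(odt_bytes: bytes) -> dict:
    """Return the authorship fields from meta.xml, or an 'error' entry if the
    data is not a ZIP container or carries no usable meta.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
            if "meta.xml" not in zf.namelist():
                return {"error": "no meta.xml in container"}
            root = ET.fromstring(zf.read("meta.xml"))
    except zipfile.BadZipFile:
        return {"error": "not a ZIP/OpenDocument container"}
    meta = root.find("office:meta", NS)
    if meta is None:
        return {"error": "meta.xml has no office:meta element"}
    result = {}
    for key, tag in FIELDS:
        node = meta.find(tag, NS)
        # Missing element -> None, so the notes show the field was absent.
        result[key] = (node.text or "").strip() if node is not None else None
    return result


def build_sample_odt() -> bytes:
    """CONSTRUCTED minimal .odt holding only the parts this parser needs:
    the mimetype entry and meta.xml. All names and dates are fictitious."""
    meta_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-meta xmlns:office="%s" xmlns:meta="%s" xmlns:dc="%s">'
        "<office:meta>"
        "<meta:generator>LibreOffice (constructed sample)</meta:generator>"
        "<meta:initial-creator>Registered Owner (constructed)</meta:initial-creator>"
        "<meta:creation-date>2024-01-15T09:30:00</meta:creation-date>"
        "<dc:creator>Last Editor (constructed)</dc:creator>"
        "<dc:date>2024-02-01T14:05:00</dc:date>"
        "</office:meta></office:document-meta>"
    ) % (NS["office"], NS["meta"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The ODF packaging rules put the mimetype entry first, uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("meta.xml", meta_xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in read_odt_metadata(build_sample_odt()).items():
        print(f"{key}: {value}")
```

To check a real file, pass `open(path, "rb").read()` to `read_odt_metadata` and compare the result against what Autopsy shows for the same document.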

Review Questions - Answers

1. Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
a. Most companies keep inventory databases of all hardware and software used.
b. The investigator doesn’t have to get a warrant.
c. The investigator must get a warrant.
d. Users can load whatever they want on their machines.
Answer: a. Most companies keep inventory databases of all hardware and software used.
Explanation: Most businesses, especially large corporations, have some type of configuration management system that keeps track of hardware and software computing assets. By using available databases, a digital forensics examiner can more easily identify the type of hardware and software in use to better plan for how to collect evidence and conduct the investigation.

2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee at management’s direction. True or False?


Answer: True
Explanation: A covert surveillance can be conducted at management's direction if the organization has policies in place that state that the organization has the right to monitor the network, computing, and telecommunication assets and if employees have been properly notified of these policies.

3. If you discover evidence of a criminal act, such as child pornography, while investigating a potential abuse of company policy, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
Answer: True
Explanation: It is the responsibility of the digital forensics examiner to report to law enforcement any evidence of child pornography. As part of the reporting process, a digital forensics examiner must inform their management, human resources department, and/or legal department of the finding immediately.

4. As a private-sector investigator, you could become an agent of law enforcement if which of the following happens? (Choose all that apply.)
a. While you are processing a civil digital forensics investigation, a police officer asks you to hand over digital evidence unrelated to your case that will be given to your local county prosecutor’s office for a criminal case they are investigating.
b. While you are processing a civil digital forensics investigation, a police officer serves you a subpoena for production of evidence that lists specific digital evidence unrelated to the noncriminal investigation that you are conducting.
c. While you are processing a noncriminal digital forensics investigation, a police officer assists you by giving you instructions on how to use a new digital forensics tool that could be helpful on the civil case you are processing.
d. While you are processing a civil digital forensics investigation, a police officer asks you to preserve additional digital evidence unrelated to your case that will be needed by your local county prosecutor’s office for a criminal case they are investigating.
Answer: a. While you are processing a civil digital forensics investigation, a police officer asks you to hand over digital evidence unrelated to your case that will be given to your local county prosecutor’s office for a criminal case they are investigating.
Explanation: If you are conducting a civil investigation, such as a complaint of an employee abusing their Internet privileges at a company, and you discover child pornography, it is your responsibility to report it to the police. By reporting it to the police you become a witness to a crime. If the police instruct you to continue searching for more contraband without a search warrant, then you become an agent of the police. To avoid becoming an agent of the police, you must request a subpoena duces tecum directing you to collect specific evidence. Since you witnessed the crime by examining a suspect’s computing device, the police and prosecutor can easily justify a search warrant that should direct you to continue searching and collecting the criminal evidence. For more information about acting as a government agent, see “When is a Private Citizen Acting as a Government Agent?” at llrmi.com/articles/legal_updates/2018_us_v_highbull.


5. The plain view doctrine only applies to the seizure of computers at a crime scene, not the examination of digital evidence. True or False?
Answer: False
Explanation: The plain view doctrine applies to all evidence that is observed by a police officer or a digital forensics examiner when the evidence is seized or during its examination. The plain view doctrine can only apply to evidence of what was observed at the time of the seizure, such as a child pornography picture displayed on a computer’s monitor, or is incidental to an examination while searching for other unrelated evidence that was specified in a search warrant that was observed. Digital forensics investigators should keep up with the current legal opinions and court rulings about the plain view doctrine.

6. If a suspect’s computer is found in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)
a. Coordinate with the hazmat team.
b. Determine a way to obtain the suspect’s computer.
c. Assume the suspect’s computer is contaminated.
d. Do not enter alone.
Answer: a. Coordinate with the hazmat team; c. Assume the suspect’s computer is contaminated.
Explanation: The priority when dealing with a crime or incident scene is the safety of the investigators and digital forensics examiners. When dealing with hazardous materials, it is best to request a hazmat team participate in the seizure and decontamination of the hardware being seized. Be prepared to brief the hazmat team members on how to best process the digital evidence to avoid damaging it while they perform the decontamination of the scene and the suspect’s computing devices.

7. What are the three rules for a forensic hash?
a. It can be predicted; only two files can have the same hash value; and if the file changes, the hash value changes.
b. It cannot be predicted; only two files can have the same hash value; and if the file changes, the hash value changes.
c. It can be predicted; only two files can have the same hash value; and if the file changes, the hash value changes.
d. It cannot be predicted; no two files can have the same hash value; and if the file changes, the hash value changes.
Answer: d. It cannot be predicted; no two files can have the same hash value; and if the file changes, the hash value changes.
Explanation: Research by Wang Xiaoyun has defined three rules for forensics hashes: (1) The value of a hash cannot be predicted, (2) no two dissimilar files can have the same hash value, and (3) the hash value of a file will change if the file is altered.


8. In forensic hashes, when does a collision occur? (Choose all that apply.)
a. Only when two or more copies of the same file have different hash values
b. Only on the rare occasion when two different files have the same hash value
c. When an unchanged file’s hash value changes every time a new hash of it is calculated
d. When new versions of hashing utilities are released
Answer: b. Only on the rare occasion when two different files have the same hash value.
Explanation: In recent years, it has been discovered that MD5 and SHA hashing can produce identical hash values of certain files. The original research was done using MD5 calculations where the researchers created a file of 1024 bytes. MD5 processes 512-byte blocks of data at a time when computing a file’s hash. In the test, the researcher copied the original file into a second file. Then, in the second file, the researcher altered three bytes in each 512-byte block. There was a total of six bytes altered between the two files. The researcher then computed the MD5 hash of these two files. The MD5 utility produced identical hash numbers for both files. Specific to digital forensics, it is always best to have the original file. If collision is suspected or has occurred, it is a simple process of performing a byte-by-byte comparison between the two files. If there are specific differences between the two files, a detailed examination of the data should be done to determine what those differences are and if they have any impact on the data’s viability. That is, how much of the data was altered and does it have any influence on the credibility of the remaining matching evidence.

9. What items should be included in an initial-response field kit? (Choose all that apply.)
a. Digital camera
b. Assorted cables, adapters, and connectors with imaging drives
c. Evidence forms and various labels
d. Antistatic evidence bags
Answer: a. Digital camera; b. Assorted cables, adapters, and connectors with imaging drives; c. Evidence forms and various labels; d. Antistatic evidence bags
Explanation: The initial-response field kit should include only the basic items needed to collect digital evidence. A digital camera will help the investigator record the present state of the evidence as well as its identity. Assorted cables, adapters, and connectors will make it easier to connect to the suspect’s media storage devices to acquire evidence. An evidence form should be filled in as data is collected to ensure that nothing is overlooked and that everything is correctly documented at the time it is collected. Antistatic evidence bags should always be used to protect any seized devices. In addition to having the items detailed in the four answer options for this question, the digital forensics examiner should consider including other items listed in Table 5-1 in this module as part of their initial-response field kit.
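The procedure the explanation of question 8 describes, hash the files and then fall back to a byte-by-byte comparison when the hashes disagree or a collision is suspected, as an added example that is not part of the textbook's materials. The 1024-byte sample file and its six-byte altered copy are constructed for the example; the hashing uses Python's standard hashlib and computes a second, stronger digest (SHA-256) alongside MD5 and SHA-1 so a match on one weak algorithm alone is never the only evidence.

```python
"""Forensic hash check plus byte-by-byte comparison of two files.

Added example, not taken from the textbook. Step 1 hashes both files with
several algorithms; step 2 compares them byte by byte and reports exactly
which offsets differ, which is how an examiner settles a suspected
collision (hashes match but the bytes do not). Sample data is CONSTRUCTED.
"""
import hashlib


def file_hashes(data: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Digest one file's contents with each algorithm; a stronger second
    algorithm is an independent check on a single-hash match."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def byte_compare(a: bytes, b: bytes, max_report: int = 20) -> dict:
    """Compare two files byte by byte. Reports the first max_report differing
    offsets, the total number of differences (extra trailing bytes count as
    differences) and whether the lengths disagree."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    total = len(diffs) + abs(len(a) - len(b))
    return {
        "identical": total == 0,
        "length_mismatch": len(a) != len(b),
        "differing_offsets": diffs[:max_report],
        "total_differences": total,
    }


def verify_pair(original: bytes, candidate: bytes) -> dict:
    """The examiner's two-step check: hashes first, then the byte comparison.
    collision_suspected is set only when some hash matches yet bytes differ."""
    h_orig, h_cand = file_hashes(original), file_hashes(candidate)
    hash_matches = {alg: h_orig[alg] == h_cand[alg] for alg in h_orig}
    comparison = byte_compare(original, candidate)
    return {
        "hash_matches": hash_matches,
        "collision_suspected": any(hash_matches.values()) and not comparison["identical"],
        "comparison": comparison,
    }


# CONSTRUCTED sample: a 1024-byte file, an exact copy, and a copy with six bytes
# altered (three in each 512-byte half), mirroring the test described above.
ORIGINAL = bytes(range(256)) * 4
EXACT_COPY = bytes(ORIGINAL)
_altered = bytearray(ORIGINAL)
for _off in (10, 200, 400, 522, 712, 912):
    _altered[_off] ^= 0xFF  # flipping every bit guarantees the byte changes
ALTERED = bytes(_altered)

if __name__ == "__main__":
    for label, candidate in (("exact copy", EXACT_COPY), ("altered copy", ALTERED)):
        result = verify_pair(ORIGINAL, candidate)
        print(f"{label}: hash matches {result['hash_matches']}, "
              f"differences at {result['comparison']['differing_offsets']}, "
              f"collision suspected: {result['collision_suspected']}")
```

With real MD5 or SHA-1 the altered copy simply fails the hash check; the byte comparison is what tells the examiner how many bytes changed and where, which is the detail the explanation says must be assessed for its effect on the remaining evidence.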


10. In U.S. courts, how is digital evidence defined? (Choose all that apply.)
a. Digital evidence is defined as propensity evidence.
b. Digital evidence is defined as physical evidence.
c. Digital evidence is defined as corroborating evidence.
d. Digital evidence is defined as anecdotal evidence.
Answer: b. Digital evidence is defined as physical evidence.
Explanation: U.S. courts have defined digital evidence as physical evidence. The courts treat digital evidence the same as any other real evidence, such as a knife, a gun, or fingerprints found at a crime scene. Evidence that would be considered hearsay, such as computer log file records or databases, falls under the hearsay exception rule—that is, records kept in the normal course of business are also treated as physical evidence.

11. Computer peripherals or attachments can contain DNA evidence. True or False?
Answer: True
Explanation: Because DNA is found in such things as hair or skin fragments, it is sometimes possible to extract a suspect’s DNA from such things as a computer’s keyboard or thumb drive. For an example of a DNA kit that can be used to collect DNA from a crime scene and keyboard, see the blog post titled “How to Swab for Touch DNA Evidence” on the Puritan Medical Products website (blog.puritanmedproducts.com/how-to-swab-for-touch-dna-evidence).

12. If a suspect computer is running Windows 10, which of the following things can you safely do while also minimizing the risk of altering potential evidence? (Choose all that apply.)
a. Browse open applications.
b. Disconnect power.
c. Start File Explorer.
d. Connect a USB external disk drive.
Answer: a. Browse open applications; c. Start File Explorer; d. Connect a USB external disk drive
Explanation: Whatever action the investigator takes will impact the RAM and swap file, such as the pagefile.sys file for Windows, on the suspect’s computer. The least-impactful step is to use the computer’s mouse to browse through each open program on the computer and make notes of their contents. The second least-impactful step is to use the operating system’s file manager program, such as File Explorer for Windows or Finder for Macintosh, to see what disk drives are mounted to the computer. The next least-impactful step is to connect an external drive, such as an external USB drive, to the computer and verify through the file manager program that the drive is accessible. These three steps will access the least amount of memory on the suspect’s computer. File data, such as a Word document, can be saved to the external drive and the application can be closed without saving its data to the internal drive.


13. If you have a video recording device such as a smartphone or video camera, which of the following are the best techniques to use to record physical evidence such as computers and storage media at a crime or incident scene? (Choose all that apply.)
a. Start with an overall view of the scene and then move in closer, panning from left to right.
b. Start with a closer view of the scene and slowly pan from left to right and then zoom out to get a view of the overall scene.
c. Start with an overall view of each device and media, and then zoom in for close-ups.
d. Start with close-up shots of each device and media and then zoom out.
Answer: a. Start with an overall view of the scene and then move in closer, panning from left to right; c. Start with an overall view of each device and media and then zoom in for close-ups.
Explanation: When recording video or taking still photos of a crime or incident scene, it is best to start with a general overall view of the scene, then to pan through it with a closer view of the area. By starting with an overall shot, you will be able to show how the equipment and any media is situated so that it is easily referenced after you leave the scene. This also applies to close-up views of individual devices, such as a computer or assorted media, that might be present at the scene. Start with an overall shot of the equipment or media and then zoom in to show the details. Your video recording device should have the ability to record small print such as equipment serial or model numbers. Using video recording devices will help speed up the processing of a crime or incident scene. The recorded videos or photos of the suspect’s computer cable connections will be useful in showing what and how other devices are connected to the computer. You can use the video or photos to add more details to document evidence forms and examiner notes after you leave the scene.

14. Which of the following techniques might be used in covert surveillance? (Choose all that apply.)
a. Keylogging
b. Data sniffing
c. Network logs
d. Event logs
Answer: a. Keylogging; b. Data sniffing
Explanation: Any method or device that secretly records activity on a computer, such as a keylogger program or a data sniffer utility, is a covert recording device. Covert recording devices should only be used under special circumstances, as outlined under a company policy that states that employees have no expectation of privacy and with management approval, or for criminal investigations, as authorized by a court order. Implementing covert surveillance without authorization can result in criminal and civil prosecution under wiretap laws. Although network and event log files can provide useful information for an investigation, they are normal operational records that are not covert.


15. What can happen to proprietary or trade-secret data when it is commingled with criminal evidence? (Choose all that apply.)
a. Proprietary or trade-secret information that is commingled with digital evidence will automatically be exempt from public disclosure.
b. Proprietary or trade-secret information that is commingled with digital evidence will automatically be restricted from public disclosure.
c. Proprietary or trade-secret information that is commingled with digital evidence can be used as additional evidence against a defendant.
d. Proprietary or trade-secret information that is commingled with digital evidence can be given court-ordered protection to prevent its release to the public in a criminal case.
Answer: d. The proprietary or trade-secret information that is commingled with digital evidence can be given court-ordered protection to prevent its release to the public in a criminal case.
Explanation: When conducting a criminal digital forensics examination that involves a business, the examiner should be cognizant of the nature of the business and the product it produces or sells. If the examiner finds digital evidence that is mixed in with potential proprietary or trade-secret information, it is the responsibility of the digital forensics examiner to notify the lead investigator, company management, or the corporate attorney about the existence of commingled data. The investigator or management will need to discuss this with the business’ counsel to determine if they need to go before a judge to separate the commingled data.

16. List two hashing algorithms commonly used for forensic purposes. (Choose all that apply.)
a. diff
b. MD5
c. SHA-1
d. comp
Answer: b. MD5; c. SHA-1
Explanation: MD5 and SHA-1 are hash algorithms that compute a unique hexadecimal value for a file, group of files, or a media storage device such as a disk drive. The diff and comp commands compare one file to another file. They do not compute a unique value of a file; however, they can be used to display the differences, if any, between files. The diff command is available in a Linux shell, and the comp command is available in the Windows CMD window.

17. Which of the following is the preferred media for storing digital evidence for longer than 10 years? (Choose all that apply.)
a. CD or DVD
b. SSDs
c. 4-mm DAT
d. External USB hard drives


Answer: c. 4-mm DAT
Explanation: Magnetic tape media storage devices are a preferred storage media when storing large quantities of digital evidence for periods over five years. CDs and DVDs have less storage capacity and a shorter time before they start to deteriorate. When using magnetic media, including 4-mm DAT systems, to store digital evidence, the media should be protected from magnets, electromagnetic fields, and extreme temperatures. Extreme temperatures and magnets will disrupt and destroy their contents.

18. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including email and web use, employees have an expectation of privacy when using company assets. True or False?
Answer: True
Explanation: Organizations, both public and private, must notify employees about their policies regarding computer, network, and Internet usage. The policy should clearly state that employees have no expectation of privacy when using company assets. The organization must distribute these policies and have the employees acknowledge that they understand the policies. Acknowledgment of the policies should be recorded in the employees’ personnel files. As an added layer of protection for an organization, all computers should have a short statement warning banner specifically stating that there is no expectation of privacy that appears when a user logs on to the computer. This added protection will cover non-employees who have been authorized to use an organization’s computing assets but have not been briefed about its policies.

19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What are the primary thing(s) you should bring with you to the scene? (Choose all that apply.)
a. Your initial-response field kit
b. Your first-aid kit
c. Personal safety gear
d. Hazmat protection gear
Answer: a. Your initial-response field kit
Explanation: In the event you are called to collect digital evidence at an accident scene, other personnel that specialize in processing the accident will likely also be at the scene. Your primary responsibility is to have your initial-response field kit available so that you can take into custody the digital evidence, such as a laptop.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


20. When at a crime or incident scene that is in a public area where there are onlookers or news reporters who ask you questions regarding your activities, how should you respond? (Choose all that apply.)
a. Answer their questions to the best of your knowledge.
b. Direct them to assist you in the collection of the digital evidence.
c. Inform them that you cannot answer their questions and that they should contact your organization’s public information officer.
d. Ask the person questioning you for their name and contact information and inform them that you will call them later.

Answer: c. Inform them that you cannot answer their questions and that they should contact your organization’s public information officer.

Explanation: To maintain the security and integrity of an investigation, it is extremely important not to answer questions or make any comments to the public or the news media about a case. At a crime or incident scene, if someone persists in their questioning, redirect them to your organization’s public information officer, or if you are working for an attorney, have them contact the attorney for any information. If someone is overly aggressive and attempts to gain access to the scene, request security or the police to have them removed from the area so that you can complete your assignment. Keep in mind that an investigation can be destroyed by leaked information. By refusing to answer onlookers’ or news reporters’ questions, you will have done your part in maintaining the integrity of the case.

Hands-On Projects - Solutions

Project 5-1

Estimated Time: 5 minutes
Objective: Identify the MD5 hash value of a file using the HxD editor.
Before You Begin:
• Create Work folder C:\Work\Module_05\Project_05-1.
• Download to your Work folder the following data file provided with the module:
  • Project_05-1_USBillOfRights.pdf

This project will show you how to obtain the MD5 or other hash values of a file using the hexadecimal editor HxD. For this project, you will compute the MD5 hash value of the file Project_05-1_USBillOfRights.pdf. To compute this file’s hash, complete the following steps:
1. Start HxD and then click File and Open. Navigate to your Work folder, click Project_05-1_USBillOfRights.pdf, and then click Open.
2. Click Analysis and then Checksum. In the Available algorithms pane of the Generate checksums window, scroll down until you see MD5, click MD5, and then click OK.


3. In the Results pane, located in the bottom half of the HxD window, right-click the MD5 Checksum results, then click Copy with details.
4. Start Notepad and click Edit, then Paste, and then save this file as Project_05-1_MD5-Checksum.txt.
5. When finished, close HxD and submit to your instructor the following file:
• Project_05-1_MD5-Checksum.txt

Solution Guidance: This project shows students how to calculate the MD5 and other types of hashes of individual files using the hexadecimal editor HxD. HxD can compute several other types of hashes (including MD2, MD4, SHA-1, SHA-256, and SHA-512), various checksum values, and various CRC values. In addition to computing the hash value of an entire file, HxD can compute the hash value of a selected section of a file. Hashing a file or sections of a file provides an easy method for identifying a file. It can also check a file’s integrity to ensure it has not changed. Students should submit a text file that contains the same information as shown in the following solution file:
• Solution_Project_05-1_MD5-Checksum.pdf

Project 5-2

Estimated Time: 5 minutes
Objective: Identify the differences between two similar data files using HxD.
Before You Begin:
• Create Work folder C:\Work\Module_05\Project_05-2.
• Download to your Work folder the following data files provided with the module:
  • Project_05-2_Compare_File-1.docx
  • Project_05-2_Compare_File-2.docx
  • Project_05-2_Comparison_Results.xlsx

As part of a digital forensics investigation, it may be necessary to determine what the differences are between two files that appear to be identical. For this project, you will examine the contents of two files to identify their differences using the hexadecimal editor HxD.
1. From File Explorer, double-click the file Project_05-2_Comparison_Results.xlsx to open it in your spreadsheet program. Type your name in the Examiner’s Name field in cell C3.
2. Start HxD, and then click Analysis, then Data comparison, and then Compare.
3. In the Window arrangement pane of the Compare window, click the Tile horizontally button and then, in the Scope pane, click All.
4. In the Compare window, click the 1. Data source ellipsis button and, in the Open window, navigate to your Work folder, click Project_05-2_Compare_File-1.docx, and then click Open.
5. In the Compare window, click the 2. Data source ellipsis button and, in the Open window, navigate to your Work folder, click Project_05-2_Compare_File-2.docx, click Open, and then click OK.


6. Examine the differences between the two files by clicking Analysis, Data comparison, and then Next difference. For each difference located, record in Project_05-2_Comparison_Results.xlsx the byte offset (displayed in the lower-left corner of the HxD window) and the character value at that position in each file.
7. When finished, close HxD and submit to your instructor the following file:
• Project_05-2_Comparison_Results.xlsx

Solution Guidance: There will be occasions when a digital forensics examiner needs to compare files that appear to be identical to determine whether they differ and, if so, what their differences are. This project shows students how to use the file-comparison function in the hexadecimal editor HxD. Students should have successfully located nine differences between the two files. For an example of the file that students should submit, see the following solution file:
• Solution_Project_05-2_Comparison_Results.pdf
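The byte-level comparison that HxD performs in this project, written as an added Python example (it is not part of the book or of HxD). It reports each differing offset with the byte found in each file, which is what the comparison worksheet asks the student to record; the two sample buffers are constructed inline, and a file whose length differs is handled by counting every byte past the shorter file's end.

```python
"""Byte-level comparison of two files, as HxD's Data comparison > Compare does.

Added example for Project 5-2 (not the book's or HxD's code). Each difference
is reported as the zero-based byte offset plus the byte value on each side,
the same information recorded in Project_05-2_Comparison_Results.xlsx.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Difference:
    offset: int            # zero-based byte offset, as HxD displays it
    file1: Optional[int]   # byte in file 1, or None when file 1 ended already
    file2: Optional[int]   # byte in file 2, or None when file 2 ended already


def compare_bytes(data1: bytes, data2: bytes) -> List[Difference]:
    """Return every offset at which the two buffers differ.

    Scope is 'All' (the whole of both files). If one file is longer, every
    byte past the shorter file's end counts as a difference, so appended or
    truncated data is reported, not only in-place edits.
    """
    diffs: List[Difference] = []
    for offset in range(max(len(data1), len(data2))):
        b1 = data1[offset] if offset < len(data1) else None
        b2 = data2[offset] if offset < len(data2) else None
        if b1 != b2:
            diffs.append(Difference(offset, b1, b2))
    return diffs


def format_difference(d: Difference) -> str:
    """Render one difference the way an examiner would note it: hex offset,
    then the hex value and printable character for each side."""
    def show(b: Optional[int]) -> str:
        if b is None:
            return "--   (EOF)"
        ch = chr(b) if 0x20 <= b < 0x7F else "."   # non-printable bytes shown as '.'
        return f"{b:02X}   ('{ch}')"
    return f"offset 0x{d.offset:08X}: file1 {show(d.file1)}  file2 {show(d.file2)}"


def compare_files(path1: str, path2: str) -> List[Difference]:
    """Convenience wrapper for two files on disk."""
    with open(path1, "rb") as f1, open(path2, "rb") as f2:
        return compare_bytes(f1.read(), f2.read())


# Constructed sample data: the second buffer has one byte changed in place
# and two bytes appended, so three differences are expected.
SAMPLE_1 = b"Invoice 1045 total: 4200.00\n"
SAMPLE_2 = b"Invoice 1046 total: 4200.00\n\r\n"

if __name__ == "__main__":
    for diff in compare_bytes(SAMPLE_1, SAMPLE_2):
        print(format_difference(diff))
```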

Project 5-3

Estimated Time: 10 minutes
Objective: Calculate the hash values of selected files and locate any duplicate files.
Before You Begin:
• Create Work folder C:\Work\Module_05\Project_05-3.
• Download to your Work folder the following data files provided with the module:
  • Project_05-3_Examiner_Notes.xlsx
  • Project_05-3_File_Hashes.exe

After collecting digital evidence from a crime or incident scene, it is necessary to validate its integrity by calculating the hash values of the relevant files. For this project, you will work with a self-extracting zip file, named Project_05-3_File_Hashes.exe, which contains several other files. Your task is to use Autopsy for Windows to calculate the MD5 and SHA-256 values for each file. In addition to producing the hashes for each file, you will need to take notes of the steps you take to produce the hash calculations and of the metadata that lists the hash values. You will use your notes later (in Case Project 5-1) to produce a memorandum describing your activities for this project. As part of the validation process in an actual case, you can use your examiner notes, if necessary, to repeat the steps taken to create the file hashes if challenged by an opposing attorney. Perform the following steps to complete this project:
1. In File Explorer, double-click the file Project_05-3_File_Hashes.exe and, in the WinRAR self-extracting archive window, click Extract.
2. From File Explorer, double-click the file Project_05-3_Examiner_Notes.xlsx to open it in your spreadsheet program. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project 05-3. Then in cells A8 and B8, enter the current date and time.
3. Start Autopsy for Windows.


4. In Autopsy’s Welcome window, click the New Case button. In the New Case Information window, enter Project_05-3 in the Case Name text box and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type and then click Next.
5. In the Optional Information window, type Project_05-3 in the Case Number text box and your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard.
6. In the Select Type of Data Source To Add area of the Add Data Source window, click the Logical Files button and then click Next.
7. In the Select Data Source pane, click Add and then click Browse. In the Select Local Files or Folders window, navigate to your Work folder, click the Project_05-3_File_Hashes folder, click Select, and then click Next in the Select Data Source pane.
8. In the Configure Ingest area of the Add Data Source window, click Select All if it is not already selected. Click Next and then click Finish.
9. In the examiner notes spreadsheet, add a note in cell C8 indicating that you started Autopsy and loaded the file Project_05-3_File_Hashes. An example entry would be, “Started Autopsy and added forensic image file Project_05-3_File_Hashes using Autopsy for Windows, version 4.18.0.”
10. When the Ingest completes, in Autopsy’s Tree Viewer pane, click the plus/minus signs to expand Data Sources and then LogicalFileSet1(1). Then, click the Project_05-3_File_Hashes folder.
11. In the Result Viewer pane, click the file MagnaCarta.odt and then press Ctrl+A to select all the files listed in the Result Viewer. Position the cursor over the highlighted files, right-click, and then click Export selected rows to CSV, Save, and then OK.
12. Using File Explorer, navigate to the Autopsy Export folder, which will be located under your Work folder at Work\Project_05-3\Project_05-03\Export.
13. Double-click the file Project_05-3_File_Hashes yyyymmnnnnnnn.csv, which you created in step 11, to open it in Excel. (Note that Autopsy names the file using the folder name and then appends the numeric values of year, month, and a seven-digit number to the file’s name.)
14. In the Project_05-3_File_Hashes spreadsheet, scroll to the right to display column K, the MD5 Hash column, and column L, the SHA-256 Hash column, as shown in Figure 5-5. In your examiner notes file, record the names of all the files that were extracted.
[Figure 5-5 Extracted file metadata hash values]
15. In the Project_05-3_File_Hashes spreadsheet, note that there are two files that have matching MD5 and SHA-256 hash values. Update your examiner notes, describing which files have the same hash values and listing those hash values.
16. Close Autopsy and save the file Project_05-3_File_Hashes yyyymmnnnnnnn.csv as an Excel file with the name Project_05-3_File_MD5_SHA_Hashes.xlsx.


17. When finished, submit to your instructor the following files:
• Project_05-3_Examiner_Notes.xlsx
• Project_05-3_File_MD5_SHA_Hashes.xlsx

Solution Guidance: In this project, students learned how to use Autopsy for Windows to calculate the MD5 and SHA-256 hash values for several files. By examining the extracted metadata, students should have observed that two of the files have the same MD5 and SHA-256 hash values. This suggests that the contents of those files are identical. For examples of the output files that students will submit, see the following solution files:
• Solution_Project_05-3_Examiner_Notes.pdf
• Solution_Project_05-3_File_MD5_SHA_Hashes.pdf
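The hashing done by hand in Projects 5-1 and 5-3, written as one added Python example (not the book's, HxD's or Autopsy's code). It computes MD5 and SHA-256 for every file in a folder, hashes a selected byte range the way HxD can, groups files whose two digests both match, and writes a CSV with columns like those exported from Autopsy; the evidence files are constructed in a temporary folder so the script runs offline.

```python
"""Hash an evidence folder with MD5 and SHA-256 and report duplicate files.

Added example for Projects 5-1 and 5-3 (not part of the book, HxD or Autopsy).
Both digests are computed in one pass over each file; a duplicate is only
reported when MD5 and SHA-256 both agree, so an MD5-only collision between
two different files would not be mistaken for identical content.
"""
import csv
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

CHUNK = 1024 * 1024   # read evidence files in 1 MiB pieces, not all at once


def hash_file(path: str, start: int = 0, length: Optional[int] = None) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of the file, or of the byte range
    [start, start+length) when length is given (HxD's selection hashing)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        f.seek(start)
        while remaining is None or remaining > 0:
            want = CHUNK if remaining is None else min(CHUNK, remaining)
            block = f.read(want)
            if not block:          # end of file reached (range may exceed it)
                break
            md5.update(block)
            sha.update(block)
            if remaining is not None:
                remaining -= len(block)
    return md5.hexdigest(), sha.hexdigest()


def hash_folder(folder: str) -> List[Dict[str, str]]:
    """One record per regular file, with columns like Autopsy's CSV export."""
    records = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            md5, sha = hash_file(path)
            records.append({"Name": name, "Size": str(os.path.getsize(path)),
                            "MD5 Hash": md5, "SHA-256 Hash": sha})
    return records


def find_duplicates(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group file names by (MD5, SHA-256); only groups of two or more are returned."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in records:
        groups[(r["MD5 Hash"], r["SHA-256 Hash"])].append(r["Name"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def write_csv(records: List[Dict[str, str]], out_path: str) -> None:
    """Write the hash table so it can be attached to the examiner notes."""
    with open(out_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["Name", "Size", "MD5 Hash", "SHA-256 Hash"])
        w.writeheader()
        w.writerows(records)


def make_sample_folder() -> str:
    """Constructed evidence set: two files share content under different names,
    and a third starts with the same 24 bytes before diverging."""
    folder = tempfile.mkdtemp(prefix="hash_demo_")
    files = {"MagnaCarta.odt": b"Magna Carta sample text\n",
             "Copy_of_MagnaCarta.odt": b"Magna Carta sample text\n",
             "Notes.txt": b"Magna Carta sample text\n-- amended --\n"}
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    folder = make_sample_folder()
    recs = hash_folder(folder)
    write_csv(recs, os.path.join(folder, "File_Hashes.csv"))
    for (md5, sha), names in find_duplicates(recs).items():
        print(f"identical content: {names}  MD5={md5}  SHA-256={sha}")
```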

Project 5-4

Estimated Time: 60 minutes
Objective: Explain why two files that contain identical information have different hash values.
Before You Begin:
• Create Work folder C:\Work\Module_05\Project_05-4.
• Download to your Work folder the following data files provided with the module:
  • Project_05-4.exe
  • Project_05-4_Examiner_Notes.xlsx

For this project, assume you have received two LibreOffice documents from an attorney. Both documents appear to have the same content. One file is named Project_05-4_My_Odyssey_Book_I.odt, while the name of the other file contains an extra “s” and is Project_05-4_My_Odysssey_Book_I.odt. Your task is to analyze and identify the differences between these files. The attorney informs you that these files have something to do with an internal fraud investigation for the company the attorney is representing. The investigation was initiated by auditors reviewing accounts payable records who found payments for materials that were never delivered. The person responsible for the payments is Jēkabs Latkovskis, the accounts payable manager. These two files were attachments to an email message from Mr. Latkovskis’s company email account to George Pappaly, a supplier’s representative. For this examination, you will need to take detailed examiner notes of the steps taken to ensure they can be repeated if the results are challenged by an opposing attorney. These notes might be used to show a court how you located and extracted potentially incriminating evidence. To proceed with this project, complete the following steps:
1. In File Explorer, double-click the file Project_05-4.exe, and then in the WinRAR self-extracting archive window, click Extract.
2. In File Explorer, double-click the file Project_05-4_Examiner_Notes.xlsx to open it in your spreadsheet program. Type your name in the Examiner’s Name field, and in the Case Name and Case Number fields, type Project 05-4. Then in cells A8 and B8, enter the current date and time.
3. To initiate the analysis, start HxD and then click File and Open. Navigate to your Work folder and click Project_05-4_My_Odyssey_Book_I.odt.
4. Repeat step 3 to open the file Project_05-4_My_Odysssey_Book_I.odt.
5. In the main screen of HxD, click the Project_05-4_My_Odyssey_Book_I.odt tab and then click Analysis and Checksum. In the Available algorithms pane of the Generate checksum window, scroll down, click MD5, and then click OK.
6. In the HxD Results pane, click the Checksum tab. Right-click the MD5 hash value, and then click Copy with details in the dropdown menu.
7. In the file Project_05-4_Examiner_Notes.xlsx, in cell C8, type File Project_05-4_My_Odyssey_Book_I.odt and then paste the MD5 hash from the HxD Results pane.

Tip: When pasting text data into an Excel or Calc cell, it is best to paste it in the Formula Bar input box. For a description of the screen elements for Microsoft Excel, see computer2101.wordpress.com/2017/12/09/excel-screen-elements-and-parts-of-the-excelscreen. For a description of the screen elements for LibreOffice Calc, see wiki.documentfoundation.org/images/c/c0/GS4205-GettingStartedWithCalc.pdf.

8. In the main screen of HxD, click the Project_05-4_My_Odysssey_Book_I.odt tab and then click Analysis and Checksum. In the Available algorithms pane of the Generate checksum window, scroll down, click MD5, and then click OK.
9. In the HxD Results pane, click the Checksum tab. Right-click the MD5 hash value and then click Copy with details in the dropdown menu.
10. In the file Project_05-4_Examiner_Notes.xlsx, in cell C9, type File Project_05-4_My_Odysssey_Book_I.odt and then paste the MD5 hash from the HxD Results pane.
11. Keep HxD and your examiner notes file open and proceed to the next section.

Because the hashes do not match, the next step is to run the HxD compare function to identify which parts of the two files are different. To proceed with this section, complete the following steps:
1. In HxD, click Analysis, then Data comparison, and then Compare.
2. In the Window arrangement pane of the Compare window, click the Tile horizontally button, if it is not already selected. In the Scope pane, click All.
3. In the Compare window, click the 1. Data source ellipsis button and, in the Open window, navigate to your Work folder, click Project_05-4_My_Odyssey_Book_I.odt and then click OK.


4. In the Compare window, click the 2. Data source ellipsis button and, in the Open window, navigate to your Work folder, click Project_05-4_My_Odysssey_Book_I.odt, and then click OK.
5. Examine the differences between the two files by clicking Analysis, Data comparison, and then Next difference (or press F6), to see if there are any obvious differences.
6. After locating six or more differences, close HxD and write a comment in your examiner notes in cell C10, stating, in your own words, that because there are so many differences between these files, another method should be used to identify their differences.
7. Leave your examiner notes spreadsheet open and proceed to the next section.

Now that you have confirmed these files are different, you need to find a way to identify the exact differences between them. Because these files are word processor documents whose content consists of formatting codes and possibly compressed data, a simpler approach is to convert both files into plaintext files. Converting the files to plaintext removes all nonprintable data and formatting. The plaintext files can then be examined with tools such as the Windows DOS fc command or the Linux shell diff command. To identify the differences, complete the following steps:
1. Open the file Project_05-4_My_Odyssey_Book_I.odt in Microsoft Word or LibreOffice Writer. Then open Project_05-4_My_Odysssey_Book_I.odt in a separate Microsoft Word or LibreOffice Writer session.
2. In Microsoft Word or LibreOffice Writer, note the number of words listed for each file. The word count is displayed in the status bar (located in the lower-left corner of the word processor window, as shown in the example in Figure 5-6). In your examiner notes, enter the filename and word count for each file in cells C11 and C12.
[Figure 5-6 Status bar location in Microsoft Word]

Tip: Word-processing applications such as Word or Writer can sometimes produce different results when viewing a document. In this example, the two .odt files list slightly different word counts depending on which application is being used:
• When viewed with Microsoft Word, the file Project_05-4_My_Odysssey_Book_I.odt shows 320 more words than the file Project_05-4_My_Odyssey_Book_I.odt.
• When viewed with LibreOffice Writer, the file Project_05-4_My_Odysssey_Book_I.odt shows 321 more words than the file Project_05-4_My_Odyssey_Book_I.odt.
The fact that the word count is different is a significant clue that there is latent or obfuscated data in the file Project_05-4_My_Odysssey_Book_I.odt.

3. If you are using Microsoft Word, in the Project_05-4_My_Odyssey_Book_I.odt window, click File and Save As. In the Save As pane, click Browse and then navigate to your Work folder.
4. In the Save As window, click the arrow for the Save as type dropdown menu, click Plain Text (*.txt), and then click Save.


5. In the File Conversion window, click the MS-DOS option button and then OK. In the Microsoft Word warning window, click Yes to save the new plaintext file.
6. Repeat steps 3, 4, and 5 to create the plaintext version of the file Project_05-4_My_Odysssey_Book_I.odt. When finished, close Microsoft Word and skip to step 11.
7. If you are using LibreOffice Writer, in the Project_05-4_My_Odyssey_Book_I.odt window, click File and Save As. In the Save As pane, click Browse and navigate to your Work folder.
8. In the Save As window, click the arrow for the Save as type dropdown menu, click Text (*.txt), and then click Save.
9. In LibreOffice Writer’s Confirm File Format window, click Use Text Format.
10. Repeat steps 7, 8, and 9 to create the plaintext version of the file Project_05-4_My_Odysssey_Book_I.odt. When finished, close LibreOffice Writer.
11. In your examiner notes, in cell C13, write a short statement indicating that you have converted the files Project_05-4_My_Odyssey_Book_I.odt and Project_05-4_My_Odysssey_Book_I.odt to plaintext files for further analysis.

For this section, you will use the Microsoft DOS shell command fc (file compare) and the redirect feature to create a separate text file showing the exact text differences between the files. To determine if there are any differences, complete the following steps:
1. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type cmd and then click OK.
2. At the command prompt, type cd \ and press Enter to go to the root directory.
3. From the root directory, type cd Work\Module05\Project_05-4 and then press Enter.
4. At the folder Project_05-4 command prompt, type dir and press Enter to view the contents of the folder.
5. Type fc Project_05-4_My_Odyssey_Book_I.txt Project_05-4_My_Odysssey_Book_I.txt > Project_05-4_FC_My_Odysssey.txt and then press Enter, as shown in Figure 5-7.
[Figure 5-7 Changing directory folders and running the fc command]
6. In File Explorer, double-click the file Project_05-4_FC_My_Odysssey.txt to open it in your default text editor, such as Notepad. Examine its contents for any differences between the two files, as shown in Figure 5-8.
[Figure 5-8 Examining the fc output file differences]

Notice that the file Project_05-4_FC_My_Odysssey.txt has several lines of text that start with the grave accent (`) character. When viewing the original file Project_05-4_My_Odysssey_Book_I.odt, the text of those lines remains hidden until the font color is changed in the word processor, as shown in Figure 5-9.
[Figure 5-9 Hidden message changed to red color font]


Because the file Project_05-4_FC_My_Odysssey.txt shows that there are several message text fragments inserted between additional paragraphs in the file Project_05-4_My_Odysssey_Book_I.odt, the next step is to extract each message fragment to get the complete message. To simplify this task, the DOS command findstr (Find String) can be used to extract all message fragments that start with the grave accent character. To extract these fragments, complete the following steps:
1. At the DOS command prompt, type findstr ` Project_05-4_My_Odysssey_Book_I.txt >Project_05-4_Findstr_My_Odysssey.txt and then press Enter.
2. In the file Project_05-4_Examiner_Notes.xlsx, in cell C14, add a note indicating that you ran the DOS command in step 1.
3. In File Explorer, double-click the file Project_05-4_Findstr_My_Odysssey.txt to open it in your default text editor and examine its contents for the extracted data.
4. In the text editor, click the first character, press Ctrl+A to select all of the file’s contents, and then press Ctrl+C to copy the selected contents.
5. In the file Project_05-4_Examiner_Notes.xlsx, in cell C14, write Text data recovered: and then click in cell C15, click the Formula Bar input box, and then press Ctrl+V to paste the copied data into cell C15.
6. When you are finished, save your examiner notes and exit the DOS shell. Submit to your instructor the following files:
• Project_05-4_Examiner_Notes.xlsx
• Project_05-4_FC_My_Odysssey.txt
• Project_05-4_Findstr_My_Odysssey.txt

Solution Guidance: This project shows students how to determine if two very similar files have differences that are not immediately apparent. In an initial examination of the two files, students find that the files have different hash and word count values. As part of the analysis process, students convert these .odt files to .txt (plaintext) files. By converting them to plaintext files, students can run the DOS fc command to identify the differences between them. By examining the output from the fc command, students can see that the file Project_05-4_My_Odyssey_Book_I.txt has a blank line following each paragraph. The file Project_05-4_My_Odysssey_Book_I.txt, however, has text written in those paragraphs (but in a white font color that is not visible in a word processor application). Students are also able to see that the file Project_05-4_My_Odysssey_Book_I.odt has a grave accent (`) character at the beginning of these lines. Further examination of the file Project_05-4_My_Odysssey_Book_I.txt reveals that there are several message fragments written in between other paragraphs. To verify that this data exists in the file Project_05-4_My_Odysssey_Book_I.odt, students open it in a word processor and highlight what appears to be a blank line between the first two paragraphs. By changing the font color to a darker color, such as red, blue, or black, students reveal its contents. Knowing that the hidden message fragments start with the grave accent character, students then run the DOS findstr command to extract all occurrences in the file Project_05-4_My_Odysssey_Book_I.txt. From the output created by the findstr command, students have successfully recovered all the obfuscated message fragments. For examples of the output and the examiner notes file that students will submit, see the following solution files:
• Solution_Project_05-4_Examiner_Notes.pdf
• Solution_Project_05-4_FC_My_Odysssey.pdf
• Solution_Project_05-4_Findstr_My_Odysssey.pdf
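The whole Project 5-4 procedure carried out in code, as an added Python example that is not part of the book: each .odt is opened as the zip container it is, the paragraphs in its content.xml are extracted as plaintext (what Writer's Save As > Text produces), the two plaintext versions are diffed the way fc reports lines present only in the second file, and the lines carrying the grave accent marker are pulled out as findstr does. It also flags paragraphs whose automatic style sets a white font color, the hiding technique the guidance describes. The two .odt files and the hidden sentences are constructed in memory so the script runs offline; the minimal content.xml it builds is an assumption sufficient for this demonstration, not a full ODF document.

```python
"""Recover text hidden in an .odt by converting it to plaintext and diffing.

Added example for Project 5-4 (not the book's code). An .odt is a zip whose
content.xml holds the paragraphs; a paragraph styled with fo:color="#ffffff"
is invisible in a word processor but survives conversion to plaintext.
"""
import difflib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from xml.sax.saxutils import escape

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "style": "urn:oasis:names:tc:opendocument:xmlns:style:1.0",
    "fo": "urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0",
}
TEXT_STYLE = "{%s}style-name" % NS["text"]
FO_COLOR = "{%s}color" % NS["fo"]
STYLE_NAME = "{%s}name" % NS["style"]


def odt_to_lines(odt: bytes) -> List[Tuple[str, bool]]:
    """Return (paragraph text, styled_white) for every paragraph, in order."""
    with zipfile.ZipFile(io.BytesIO(odt)) as z:
        root = ET.fromstring(z.read("content.xml"))
    white = set()   # names of automatic styles whose font colour is white
    for st in root.iterfind(".//office:automatic-styles/style:style", NS):
        props = st.find("style:text-properties", NS)
        if props is not None and props.get(FO_COLOR, "").lower() in ("#ffffff", "#fff"):
            white.add(st.get(STYLE_NAME))
    return [("".join(p.itertext()), p.get(TEXT_STYLE) in white)
            for p in root.iterfind(".//office:body/office:text/text:p", NS)]


def fc_style_diff(lines1: List[str], lines2: List[str]) -> List[str]:
    """Lines present only in the second file, as fc lists them for it."""
    return [l[2:] for l in difflib.ndiff(lines1, lines2) if l.startswith("+ ")]


def findstr_marker(lines: List[str], marker: str = "`") -> List[str]:
    """findstr-style filter: keep lines that contain the marker character."""
    return [l for l in lines if marker in l]


def recover_hidden(original: bytes, suspect: bytes) -> List[str]:
    """Full procedure: plaintext both files, diff them, filter on the marker."""
    plain1 = [t for t, _ in odt_to_lines(original)]
    plain2 = [t for t, _ in odt_to_lines(suspect)]
    return findstr_marker(fc_style_diff(plain1, plain2))


def build_odt(paragraphs: List[Tuple[str, bool]]) -> bytes:
    """Construct a minimal .odt (mimetype + content.xml). Hidden paragraphs
    get style P2, whose text-properties set a white font colour."""
    body = "".join('<text:p text:style-name="%s">%s</text:p>'
                   % ("P2" if hidden else "P1", escape(text))
                   for text, hidden in paragraphs)
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%s" xmlns:text="%s" '
        'xmlns:style="%s" xmlns:fo="%s"><office:automatic-styles>'
        '<style:style style:name="P1" style:family="paragraph"/>'
        '<style:style style:name="P2" style:family="paragraph">'
        '<style:text-properties fo:color="#ffffff"/></style:style>'
        '</office:automatic-styles><office:body><office:text>%s</office:text>'
        '</office:body></office:document-content>'
    ) % (NS["office"], NS["text"], NS["style"], NS["fo"], body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)   # ODF: first entry, uncompressed
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed sample: the "original" book text, and a copy in which two
# white-font fragments occupy what look like blank lines between paragraphs.
BOOK = ["Tell me, O Muse, of that ingenious hero.", "", "Long he wandered.", ""]
TAMPERED = [BOOK[0], "`Wire the second payment Friday", BOOK[2], "`same account as before"]

if __name__ == "__main__":
    orig = build_odt([(t, False) for t in BOOK])
    susp = build_odt([(t, t.startswith("`")) for t in TAMPERED])
    print("recovered:", recover_hidden(orig, susp))
    print("white-font paragraphs:", [t for t, h in odt_to_lines(susp) if h])
```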

Case Projects - Solutions

Case Project 5-1

Estimated Time: 45 minutes
Objective: Write a memorandum that describes your activities and findings from Project 5-3.
Before You Begin:
• Complete Project 5-3.
• Create Work folder C:\Work\Module05\Case_Project_05-1.
• Download to your Work folder the following files you previously created:
  • Project_05-3_Examiner_Notes.xlsx
  • Project_05-3_File_MD5_SHA_Hashes.xlsx

Using a standard memorandum template from your preferred word processor, write a memorandum describing how you calculated the MD5 and SHA-256 hashes for the selected files you examined. Include a one- to three-sentence introduction providing an overview of the project, one or more paragraphs describing the steps you took (including how you identified and handled the evidence) and your findings regarding any duplicate files that might have been revealed using the MD5 hashing, and a list of the relevant files and their hashes. Finally, include a conclusion of one or more sentences that summarizes your examination and findings and, if necessary, offers an opinion. Be sure to use correct grammar and spelling and ensure that the memorandum is organized and complete. When you are finished, save your memorandum as a Word file named Case_Project_05-1.docx. Submit to your instructor the following file:
• Case_Project_05-1.docx


Solution Guidance: For this case project, students use their examiner notes from Project 5-3 and the Excel file created in that project to write a one-page memorandum that lists the steps they took using Autopsy for Windows to calculate hash values of the duplicate files. The memorandum should be in paragraph format and grading should be based on the following elements:
Grammar
• Spelling and grammar should be correct.
Organization
• The writing should be outlined in the following steps:
  1. Introduction statement: One to three sentences explaining the nature of the project
  2. Initial steps taken: A description of the handling of the evidence to process the examination, with sufficient general descriptions of what was done, in one or more paragraphs
  3. Detailed steps taken: A description of how the digital evidence was located
  4. Findings: A description of what was found from the examination
  5. List of relevant evidence: A list of the relevant evidence with brief descriptions
  6. Conclusion: A one-or-more sentence conclusion of the examination, findings, and, if necessary, an opinion
Completeness
• All findings and explanations of findings should be described in the narrative.
For an example of the memorandum that students should submit, along with additional information for grading, see the following solution file:
• Solution_Case_Project_05-1.pdf

Case Project 5-2

Estimated Time: 60 minutes
Objective: Write a memorandum that describes your activities and findings from Project 5-4.
Before You Begin:
• Complete Project 5-4.
• Create Work folder C:\Work\Module05\Case_Project_05-2.
• Download to your Work folder the following files you previously created:
  • Project_05-4_Examiner_Notes.xlsx
  • Project_05-4_Findstr_My_Odysssey.txt

Using a standard memorandum template from your preferred word processor, write a memorandum describing your work in Project 5-4 using the information you included in your examiner notes file, Project_05-4_Examiner_Notes.xlsx. Include a one- to three-sentence introduction providing an overview of the project, one or more paragraphs describing the steps you took (including how you identified and handled the evidence), and your findings.


A suggested outline for the memorandum includes the following sections:
• An introduction statement
• Initial steps taken
• Detailed steps taken
• Findings
• List of relevant evidence
• Conclusion
Although your memorandum is an informal report, it should include sufficient detail so that readers will understand how you were able to determine that there were obfuscated text messages embedded in the file Project_05-4_My_Odesssy_Book_I.odt. Finally, include a conclusion that summarizes your examination and findings and, if necessary, offers an opinion. Be sure to use correct grammar and spelling, and ensure that the memorandum is organized and complete. When you have completed the memorandum, save it as a Word file named Case_Project_05-2.docx. Submit to your instructor the following file:
• Case_Project_05-2.docx

Solution Guidance: For this case project, students use their examiner notes from Project 5-4 and the file Project_05-4_Findstr_My_Odysssey.txt to write a memorandum describing their findings. The memorandum should provide detailed descriptions of the steps taken and the findings from the examination. The students should explain the steps taken to extract the hidden messages. As a guideline, the student's memorandum can be organized in the following order:
• An introduction statement
• Initial steps taken
• Detailed steps taken
• Findings
• List of relevant evidence
• Conclusion
The memorandum should include the following elements in paragraph format:
Grammar
• Spelling and grammar should be correct.
Organization
• The writing should be outlined in the following steps:
1. Introduction statement: One to three sentences explaining the nature of the project
2. Initial steps taken: A description of the handling of the evidence to process the examination, with sufficient general descriptions of what was done, in one or more paragraphs
3. Detailed steps taken: A description of how the digital evidence was located
4. Finding: A description of what was found from the examination
5. List relevant evidence: A list of the relevant evidence with brief descriptions
6. Conclusion: A one-or-more sentence conclusion of the examination, findings, and, if necessary, an opinion


Completeness
• All findings and explanation of findings should be described in the narrative.
For an example of the memorandum students should submit, see the following solution file:
• Solution_Case_Project_05-2.pdf

Case Project 5-3
Estimated Time: 10 minutes
Objective: Complete an evidence form based on information shown in photographs of collected digital evidence.
Before You Begin:
• Create Work folder C:\Work\Module_05\Case_Project_05-3.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_05-3_Digital_Evidence_Photos.exe
  • Case_Project_05-3_Evidence_Form_Multiple_Items.xlsx
• Access one of the following items:
  • Microsoft Photo, Paint, LibreOffice Draw, or IrfanView

Your supervisor, Adalgisa Lombardi, hands you a USB thumb drive that contains photos of evidence. The photos were acquired from a crime scene she previously helped process. Adalgisa directs you to fill out an evidence form describing the information shown in the photos. To complete this project, extract the files from the self-extracting file Case_Project_05-3_Digital_Evidence_Photos.exe, then examine the photos and fill in the multiple items evidence form file Case_Project_05-3_Evidence_Form_Multiple_Items.xlsx with the information they show. To complete the form, use the following information:
• Case number: Project_05-3
• Your organization's name, such as your school or course name
• Investigator's name: Erkki Nummelin
• Nature of case: Fraud Investigation
• Location where evidence was obtained: Blues Sporting Memorabilia, LLC, Suite 11B, 1060 W Addison St., Chicago, IL 60613
• Evidence was received by Adalgisa Lombardi on February 23, 2022, at about 9:55 p.m. (based on information gathered from the photos)
• Evidence was stored in Cabinet 10 in the evidence room on February 24, 2022, at about 3:00 p.m.

After completing the evidence form, adjust any formatting to improve its appearance, such as wrapping text in cells. Make other adjustments as well to make the form look professional. When you have completed the evidence form, submit to your instructor the following file:
• Case_Project_05-3_Evidence_Form_Multiple_Items


Solution Guidance: For this case project, students should provide as much information as possible based on the photos showing the evidence items. Each section of the form must be completed with the appropriate information. The top part of the form should contain the following information:
• Case number: Project_05-3
• Investigating organization: School or course name
• Investigator's name: Erkki Nummelin
• Nature of case: Fraud Investigation
• Location where evidence was obtained: Blues Sporting Memorabilia, LLC, Suite 11B, 1060 W Addison St., Chicago, IL 60613

The second part of the form should contain the following information:

Item      Description of Evidence     Vendor Name    Model No./Serial No.
Item #1   Virgin Mobile smartphone    Samsung        Serial no.: 573634789744682000
Item #2   Sprint smartphone           Samsung        DEC: 4285779428433682677; HEC: 462554875224D1
Item #3   Laptop computer             Pavilian DV5   S/N: CNGF4K3FF9; S/W Cert #: DAGT3FF4K3-YZ2GA-B6W2J67KMD

The third part of the form should list the following:
• Evidence was received by Adalgisa Lombardi on February 23, 2022, at about 9:55 p.m. (based on information gathered from the photos)
• Evidence was stored in Cabinet 10 in the evidence room on February 24, 2022, at about 3:00 p.m.
Because this evidence hasn't been examined at the time of this form's completion, the last section, listing Evidence Procured By and Evidence Returned By, should be blank. For an example of a completed evidence form that students will submit, see the following solution file:
• Solution_Case_Project_05-3_Evidence_Form_Multiple_Items.pdf


Case Project 5-4
Estimated Time: 10 minutes
Objective: Review a crime scene drawing from a remote location and provide directions to nontechnical investigators on what digital evidence to collect.
Before You Begin:
• Create Work folder C:\Work\Module05\Case_Project_05-4.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_05-4_Email_Request.docx
  • Case_Project_05-4_Ship_Cabin.pdf

A police investigator on a cargo ship emails you a message indicating that a cabin on the ship is a possible crime scene that contains digital evidence relating to an embezzlement case. The police have been called to investigate but need to move quickly because the ship will be sailing to a foreign port within the next hour. There is no way you will have time to respond to the scene, since it is more than a one-hour drive from your office. One investigator had attempted to send you photos of the cabin and its contents via a text message, but for unknown reasons, the text message failed to transmit to you. The investigators then hastily created a hand drawing of the cabin showing what they think is digital evidence. The investigators then took a picture of the drawing using a smartphone and emailed it to you as an attachment. The captain of the ship has stated that the investigators can take whatever they think necessary to process the case and that the ship must sail in an hour. The investigators would like you to tell them which items are most important so that they know what to seize first before they have to leave the ship.

Using the information in the email message and the hand drawing of the crime scene, reply with a list of the items they should seize. Write your email response in your preferred word processor, and save it as Case_Project_05-4_Email_Reply.docx. Be brief and concise. Because the investigators have only an hour before the ship leaves, be sure to list the most important evidence to collect first, followed by the less important evidence. This will ensure that the police collect the most critical evidence even if they do not have time to collect all of the evidence in the cabin. Remember that you are communicating information to nontechnical investigators, so your instructions must be clear. When you have completed your email response, submit to your instructor the following file:
• Case_Project_05-4_Email_Reply.docx

Solution Guidance: In the scenario in this case project, students, working as digital forensics examiners, must rely on the ability of the nontechnical investigators to seize evidence. It is important that students communicate clear instructions regarding how the on-site investigators should proceed. Typically, the top priority when collecting any evidence is to preserve it; this is especially true when collecting digital evidence that is volatile, such as a computer's RAM. There are situations, however, where the need to quickly collect evidence supersedes the need to carefully preserve volatile data. This case problem presents one such situation. Similar to the situation litigated in Steve Jackson Games, Inc. v. U.S. Secret Service, where the U.S. Secret Service seized computers, not the data, the ship in this scenario is not related to the embezzlement case. Delaying a ship (or aircraft) could be very costly to the owners, their employees, and customers. When processing a crime or incident scene, investigators should consider the priorities for collecting and preserving evidence based on the specific situation and the need to protect a business from losses of revenue or negative publicity. In these situations, it is important that the examiner knows how to determine the importance of certain types of evidence. When facing such a situation, it is best to collect the artifacts that likely contain the most evidence first. Then, if there is sufficient time, collect less critical evidence. In this project, the priority order for collecting the evidence, from first to last, is as follows:

1. CPU1 and CPU2
Reason: Computers typically contain the most information for a digital forensics examination. Because this is an embezzlement case, the computers may contain relevant evidence, such as invoices, spreadsheets, inventory databases, etc. For any open files, such as a spreadsheet file, investigators should be instructed to save the open files under a different name so as not to overwrite data previously written to the original files. Because the investigators in this situation lack the resources and skills to perform a RAM acquisition, they should be instructed to list what applications are currently running on the computers before performing an orderly shutdown of the computers.
2. External USB drive on top of CPU1
Reason: Because this device is on top of the CPU cabinet, it is likely connected—or was connected—to the computer and may have evidence stored on it.
3. Notepad on computer desk
Reason: Notepads or sticky notes may contain information about a case. On rare occasions, they may contain passwords, which could be useful when attempting to access encrypted data files or accounts.
4. Internal disk drive on top of the rolltop desk
Reason: This drive might also contain evidence, although it is less likely to include evidence than an external hard drive that is connected to a CPU cabinet.
5. Right rolltop desk drawers 1 and 2: Entire contents (mobile devices)
Reason: Mobile devices may contain contact information and text messaging communications with other known and yet-to-be-known suspects in the investigation.
6. Left rolltop desk drawers 1, 2, and 3: Entire media contents
Reason: Any media storage devices, such as optical media (CDs or DVDs) and thumb drives, may contain evidence relating to the investigation.
7. Cabinet 3: Assorted internal disk drives
Reason: Because these drives are in a separate location from the suspect's computer, it is less likely that they contain evidence of significant value to the investigation, which is why they have a lower priority than the other drives.
8. Right rolltop desk drawers 3 and 4: Assorted maps
Reason: Although not digital evidence—and therefore less likely to be critical to the case—this material might have some relationship to the case. If time permits, it would be wise to collect these items because they might reveal additional facts about the case as data artifacts are examined from the collected media.
9. Cabinet 1: Computer manuals
Reason: In the event the suspect had installed some nonstandard software on a computer, such as a specialized database program, it is much easier to collect the user manual at the scene than to have to locate one later when analyzing the data.
10. Multiline telephone with phone number memory
Reason: A telephone with phone number memory may also reveal additional suspects in the investigation.
11. Router
Reason: A router may not be significant to an investigation; however, if an investigator needs to set up the suspect's computers to see how they interact with each other or over a network, it is much easier to have the original equipment than to try to locate and configure your own devices for it.
12. Monitors, keyboards, and mice
Reason: As with the suspect's router, having the monitor, keyboard, and mouse available minimizes the time and effort involved in setting up the suspect's system for follow-up analysis.
13. Plug strip under desk
Reason: Collecting peripheral devices such as power cords and plug strips eliminates the need to draw on your own additional resources if an investigator needs to set up the suspect's systems.

For an example of an email response that lists which evidence items to collect in what order, see the following solution file:
• Solution_Case_Project_05-4_Email_Reply.pdf

Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 6: Working with Microsoft File Systems and the Windows Registry

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 6: WORKING WITH MICROSOFT FILE SYSTEMS AND THE WINDOWS REGISTRY

Table of Contents
Activities - Solutions ... 2
  Activity 6-1 ... 2
Review Questions - Answers ... 3
Hands-On Projects - Solutions ... 11
  Project 6-1 ... 11
  Project 6-2 ... 13
  Project 6-3 ... 16
  Project 6-4 ... 18
  Project 6-5 ... 20
Case Projects - Solutions ... 22
  Case Project 6-1 ... 22
  Case Project 6-2 ... 24
  Case Project 6-3 ... 25
  Case Project 6-4 ... 27


Activities - Solutions

Activity 6-1
Estimated Time: 5 minutes
Objective: Determine the number of partitions on the drive and their file system type listed in the MBR by examining its partition table.
Before You Begin:
• Create Work folder C:\Work\Module_06\Activity_06-1.
• Download to your Work folder the following data files provided with the module:
  • Activity_06-1_Examiner_Notes.xlsx
  • Activity_06-1.001
• Access the following item:
  • The hexadecimal editor HxD (download and install from mhnexus.de/en/downloads.php?product=HxD20)

In the first part of this activity, you will examine the primary partition table to determine how many partitions are in the drive from the image file Activity_06-1.001. In the second part, you will further examine the partition table to determine each partition's file system type. Complete the following steps:
1. Open the file Activity_06-1_Examiner_Notes.xlsx.
2. In cell C3 of the spreadsheet, type your name. In cells C4 and C5, type Activity_06-1. In the Date and Start Time columns, enter the current date and time. Save the file and leave it open to record your activities during the forensics examination.
3. Start HxD, click Tools, and then click Open disk image.
4. In the Open disk image window, navigate to your Work folder, click Activity_06-1.001, and then click Open. In the Specify the sector size dropdown box of the Sector size window, select 512 (hard disk/floppy disks) and then click OK.
5. In HxD, locate the cursor at offset 1BE (as shown in Figure 6-10). Then, using Table 6-2, locate the offset position for the system identification code for the first partition.
[Figure 6-10 Determine the file system types in a partition table]
Tip: Most hexadecimal editors display the data (hexadecimal codes) in rows and columns, each labeled with a hexadecimal number. To locate a specific byte in a hexadecimal viewer such as HxD, find the row whose label matches the target address with its last digit dropped; that is, if the address is 0x1BE, locate the row labeled 0x1B0. Then locate the column for the last digit, in this example 0x0E, and follow it down to where the 0x1B0 row and the 0x0E column cross, as shown in Figure 6-10, to determine the exact location.
6. Look up the hexadecimal code value in Table 6-1 to determine the file system used for the first partition. Then in Activity_06-1_Examiner_Notes.xlsx, make an entry indicating the first partition's file system type for this disk drive, along with the System identification code offset byte position.
7. Repeat steps 5 and 6 for all remaining partitions listed in this partition table.
8. When finished, close HxD and save and close your examiner notes.
9. When done, submit to your instructor the following file:
• Activity_06-1_Examiner_Notes.xlsx

Solution Guidance: This activity is designed to show students how to examine and determine the types of file systems listed in a partition table of an MBR-formatted disk drive. The student's examiner notes file should have sufficient details listing each partition's file system type, including the appropriate hexadecimal code values and offset position. For examples of the types of notes that should be included (at minimum) in the examiner notes, see the following solution file:
• Solution_Activity_06-1_Examiner_Notes.pdf
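As an added example (not part of the textbook or its solution files), the following Python script does by program what steps 5 through 7 do by hand in HxD, and also carries out the little-endian and relative-sector conversions that the MBR review questions later in this module ask students to do with a programmer's calculator. The two sample sectors are constructed here, not taken from Activity_06-1.001, and the type-code table is a small subset of well-known MBR system identification codes, not the book's Table 6-1.

```python
"""Parse an MBR primary partition table and follow an extended partition's EBR.
Added example, not code from the textbook; the sample sectors are constructed so
that the first partition's sector count reads 00 20 03 00 (little endian) and the
EBR at sector 821,248 lists a logical drive at relative sector 00 08 00 00."""
from __future__ import annotations
import struct
from collections.abc import Callable
from dataclasses import dataclass

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE    # entry 0; entries 1-3 follow at 0x1CE, 0x1DE, 0x1EE
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 0x1FE-0x1FF of every MBR and EBR

# Subset of well-known system identification codes (not the book's full Table 6-1).
SYSTEM_ID = {
    0x00: "Empty",
    0x05: "Extended (CHS)",
    0x06: "FAT16",
    0x07: "NTFS or exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}
EXTENDED_TYPES = {0x05, 0x0F}


@dataclass
class PartitionEntry:
    index: int            # position 0-3 within the table
    table_offset: int     # byte offset of this 16-byte entry within the sector
    bootable: bool        # 0x80 in the entry's first byte
    system_id: int        # 1 byte at entry offset +4 (0x1C2 for entry 0)
    relative_sector: int  # 4 bytes little endian at +8 (0x1C6 for entry 0, 0x1D6 for entry 1)
    total_sectors: int    # 4 bytes little endian at +12 (0x1CA for entry 0)

    @property
    def fs_name(self) -> str:
        return SYSTEM_ID.get(self.system_id, f"Unknown (0x{self.system_id:02X})")


def le_bytes_to_int(raw: bytes) -> int:
    """Bytes as read left to right in the hex editor, little endian: 00 20 03 00 -> 204800."""
    return int.from_bytes(raw, "little")


def parse_partition_table(sector: bytes) -> list[PartitionEntry]:
    """Return the four entries of the table at 0x1BE. A missing 55 AA signature is
    reported rather than guessed around, so it ends up in the examiner notes."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature at offset 0x1FE")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs_start, sys_id, _chs_end, rel, total = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        entries.append(PartitionEntry(i, off, boot == 0x80, sys_id, rel, total))
    return entries


def logical_drive_start(ebr_sector_address: int, relative_sector: int) -> int:
    """The relative sector in an EBR counts from the sector that holds that EBR."""
    return ebr_sector_address + relative_sector


def list_logical_drives(read_sector: Callable[[int], bytes], mbr: bytes) -> list[tuple[int, int, int]]:
    """Follow the EBR chain of every extended partition in the MBR and return
    (system_id, absolute start sector, total sectors) for each logical drive."""
    drives = []
    for ext in parse_partition_table(mbr):
        if ext.system_id not in EXTENDED_TYPES:
            continue
        ebr_addr = ext.relative_sector    # first EBR sits at the extended partition start
        while True:
            logical, link = parse_partition_table(read_sector(ebr_addr))[:2]
            if logical.system_id != 0:
                drives.append((logical.system_id,
                               logical_drive_start(ebr_addr, logical.relative_sector),
                               logical.total_sectors))
            if link.system_id == 0:
                break
            # the link entry's relative sector counts from the extended partition start
            ebr_addr = ext.relative_sector + link.relative_sector
    return drives


# --- constructed sample sectors (not taken from the activity's image file) ---
def _entry(boot: int, sys_id: int, rel: int, total: int) -> bytes:
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", sys_id, b"\0\0\0", rel, total)


def _sector(*entries: bytes) -> bytes:
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return bytes(PARTITION_TABLE_OFFSET) + table + BOOT_SIGNATURE


SAMPLE_MBR = _sector(_entry(0x80, 0x07, 2048, 204800),    # NTFS; 00 20 03 00 sectors
                     _entry(0x00, 0x05, 821248, 409600))  # extended partition
SAMPLE_EBR = _sector(_entry(0x00, 0x07, 2048, 407552))    # logical drive at rel. 00 08 00 00
SAMPLE_DISK = {0: SAMPLE_MBR, 821248: SAMPLE_EBR}         # sector address -> sector bytes
```

To run it against a real image, replace SAMPLE_DISK with a function that seeks to `lba * 512` in the .001 file and reads 512 bytes, and pass the first sector as the MBR.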

Review Questions - Answers

1. What is the starting cluster number for FAT-formatted drives?
a. Cluster 0
b. Cluster 1
c. Cluster 2
d. Cluster 2048
Answer: c. Cluster 2
Explanation: All FAT logical drives start at cluster 2, which is where the Root folder is located. In FAT partitions, the area before cluster 2 contains the Boot sector and the FAT1 and FAT2.

2. Where is the Ntuser.dat file located on Windows and older OSs by default?
a. C:\Users\<user-account>
b. C:\Users\<user-account>\AppData\Roaming\Microsoft\Windows
c. C:\Windows\System32\Config
d. C:\Windows\System\Config32
Answer: a. C:\Users\<user-account>
Explanation: By default, the Ntuser.dat file, which contains the list of most recently used files and desktop configuration settings, is located at C:\Users\<user-account>. C:\Users\<user-account>\AppData\ is a valid directory path containing additional information to support the various applications used by the user. C:\Windows\System32\Config contains additional databases about the Windows computer. C:\Windows\System\Config32 is an invalid directory path, although a cause for alarm if present when the examiner is conducting an incident response investigation against a live propagating network worm.

3. By default, a 2,997 GB file occupies how many clusters on a 24 TB drive formatted with NTFS?
a. 324,832,929
b. 321,248,915
c. 314,159,265
d. 374,625,000
Answer: d. 374,625,000
Explanation: A 24 TB drive formatted with NTFS will have a default cluster size of 8 KB. With this knowledge, students first need to convert 2,997 GB to MB (2997 × 1000). Then they need to convert MB to KB (2,997,000 × 1000), which equals 2,997,000,000 KB. This number is then divided by 8 to get the answer of 374,625,000 clusters. See Table 6-6 ("Cluster sizes in an NTFS disk") for information on how many sectors are assigned to clusters in relation to the size of a large disk drive.

4. Which of the following header data values indicates the beginning of a new record entry in an $MFT file?
a. RECORD
b. FILE
c. ENTRY
d. DATA
Answer: b. FILE
Explanation: The beginning of any file record in $MFT typically starts with the word FILE; anything else would warrant additional investigation as to why it is different or to determine whether the custodian is attempting to obfuscate data.

5. Which is a benefit of a journaled file system?
a. The file system records a transaction after the system carries it out.
b. The file system records a transaction before the system carries it out.
c. The file system maintains a journal of all data on the disk.
d. The file system maintains a journal of all user keyboard entries.
Answer: b. The file system records a transaction before the system carries it out.
Explanation: The benefit of a journaled file system is that transactions are committed to the journal before they are carried out; that way, in the event of a power failure or other interruption, the system can complete the transaction or go back to the last good setting.

6. While examining the $MFT record of a photograph of a famous city landmark, an examiner notes that there are two 0x80 attribute records in the $MFT record. What is the significance of this finding?


a. By default, there are always two 0x80 attributes in an $MFT record.
b. Multiple 0x80 attribute fields are used to store each of the metadata properties of the photograph.
c. A second data stream is appended after the first data stream.
d. The $MFT record is corrupted or altered and requires repair.
Answer: c. A second data stream is appended after the first data stream.
Explanation: The presence of two 0x80 attributes within the $MFT record indicates NTFS alternate data streams, which is a method of appending a second data stream after the first data stream. Alternate data streams can obfuscate evidentiary data, intentionally or by coincidence.

7. Which file contains the contents of the RAM when a Windows laptop is suspended?
a. swap.sys
b. pagefile.sys
c. suspended.sys
d. hiberfile.sys
Answer: d. hiberfile.sys
Explanation: The contents of the RAM of a Windows laptop that is suspended are stored in the hiberfile.sys file. This file can contain many artifacts useful to a forensics examiner, as it contains information about what the computer was doing before it was suspended.

8. Which file contains contents of the RAM as a Windows computer uses all its memory?
a. swap.sys
b. pagefile.sys
c. suspended.sys
d. hiberfile.sys
Answer: b. pagefile.sys
Explanation: As the computer's physical memory is exceeded, Windows starts to use the pagefile.sys file to store items that are not currently being processed in the RAM.

9. Which OS had a limitation of eight characters for file names and three characters for extensions?
a. DOS 6.22
b. Windows 95
c. Windows 98
d. Windows 97


Answer: a. DOS 6.22
Explanation: MS DOS 6.22, with its FAT file system, had a limitation of eight characters for the file name and three for the extension. Windows 95 introduced the capability to have file names longer than eight characters.

10. In the $I metadata file, which offset indicates when a file was deleted?
a. 0x0
b. 0x80
c. 0x10
d. 0x20
Answer: c. 0x10
Explanation: In the $I metadata file, the offset position of 0x10 indicates the date and time when a file was deleted.

11. In a FAT file system, which hexadecimal number would indicate to the examiner that the file is currently marked as unallocated disk space?
a. 0xD7
b. 0xF5
c. 0xG7
d. 0xE5
Answer: d. 0xE5
Explanation: In a FAT file system, when a file is deleted, the OS marks the first letter of the file name as 0xE5 to indicate that the file is no longer available and new data can be written to the same cluster location.

12. In boot sector 0 of an MBR-formatted drive, what is the starting offset byte position for the first partition in the primary partition table of the drive? (Choose all that apply.)
a. Offset 0x1AE
b. Offset 0x1BE
c. Offset 0x1CE
d. Offset 0x1DE
Answer: b. Offset 0x1BE
Explanation: For all MBR-formatted disk drives, the primary partition table starts at offset 0x1BE. The first or only partition (the logical drive) also starts at offset 0x1BE. If additional partitions are added to the drive, their information starts at offsets 0x1CE, 0x1DE, and 0x1EE. Offset 0x1EE is where the primary extended partition, which is not a logical drive, is located. In the extended partition, additional partition tables are created for any additional logical drives. See Table 6-2 for the starting offset byte position of all created partitions in an MBR's partition table.


13. In an MBR partition table, what is the offset byte location that lists the system identification of the file system for the first partition on a drive? (Choose all that apply.)
a. Offset 0x1BF
b. Offset 0x1C0
c. Offset 0x1C1
d. Offset 0x1C2
Answer: d. Offset 0x1C2
Explanation: The hexadecimal code that indicates the system identification of a partition's file system is contained in 1 byte at offset 0x1C2. The information stored at offset 0x1BF is the partition's starting head position. The information stored at offset 0x1C0 is the partition's starting track position. The information stored at offset 0x1C1 is the partition's cylinder position.

14. For an MBR-formatted drive that has two partitions, what is the starting sector byte position for the second partition? (Choose all that apply.)
a. Offset 0x1C4
b. Offset 0x1E4
c. Offset 0x1D6
d. Offset 0x1DA
Answer: c. Offset 0x1D6
Explanation: The MBR partition table stores the relative sector address as a hexadecimal value in little endian format starting at offset 0x1D6 and ending at offset 0x1D9 for the second partition.

15. For an MBR-formatted drive that has one partition, what is the offset byte position that stores the number of sectors allocated to the partition? (Choose all that apply.)
a. Offset 0x1C3
b. Offset 0x1C4
c. Offset 0x1C6
d. Offset 0x1CA
Answer: d. Offset 0x1CA
Explanation: The MBR partition table stores the number of sectors allocated to the partition at offset 0x1CA. The number of sectors is stored as a hexadecimal value in little endian format.

16. The primary partition table for the first partition lists a hexadecimal value of 00 20 03 00 in little endian for the total number of sectors assigned to the partition. What is the decimal equivalent of this hexadecimal number? (Hint: Use a programmer's calculator application, such as Windows Calculator in Programmer mode, to determine the decimal value.)
a. 8192
b. 8195
c. 196,640
d. 204,800

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


Answer: d. 204,800
Explanation: Most calculators that have a programmer’s mode feature will only compute hexadecimal values in big endian format. To obtain the correct answer, the little-endian value 00 20 03 00 must be reversed to 00 03 20 00 before conversion, which gives 204,800.

17. The partition table located in the first sector of an extended partition is located at sector 821,248 (decimal). The relative sector (the starting sector value for the partition) in this partition table has a hexadecimal value of 00 08 00 00 in little endian. What is the first physical sector number, in decimal, for this logical drive partition?
a. 2048
b. 821,249
c. 4,096,000
d. 823,296
Answer: d. 823,296
Explanation: The relative sector number is the number of sectors from the current sector where the partition table is located. To obtain the first physical sector of the logical drive, add the relative sector value to the extended partition’s sector address. Because the relative sector value is listed in hexadecimal little endian, it must first be converted to big endian. Then, using a programmer’s calculator application, such as Windows Calculator in Programmer mode, the relative sector value can be converted to its decimal equivalent. In this example, the hexadecimal value 00 08 00 00 is 2048 decimal. Add 2048 to the extended partition’s sector address of 821,248 to obtain the physical starting sector address for the logical drive, which is 823,296.

18. A nonresident file in an $MFT record has two data runs in attribute 0x80 $DATA. The first data run, VCN(0), has a hexadecimal value of “21 17 EA 06” and VCN(1) has a hexadecimal value of “31 20 00 01 F9.” What are the decimal values of the LCN address for each VCN and the number of clusters allocated to each data run?
a. VCN(0) LCN is 1770 with 23 clusters allocated to it; VCN(1) LCN is 65,515 with 32 clusters allocated to it.
b. VCN(0) LCN is 3352 with 40 clusters allocated to it; VCN(1) LCN is 177,752 with 27 clusters allocated to it.
c. VCN(0) LCN is 1770 with 17 clusters allocated to it; VCN(1) LCN is 65,515 with 20 clusters allocated to it.
d. VCN(0) LCN is 1721 with 23 clusters allocated to it; VCN(1) LCN is 3120 with 100 clusters allocated to it.
Answer: a. VCN(0) LCN is 1770 with 23 clusters allocated to it; VCN(1) LCN is 65,515 with 32 clusters allocated to it.
Explanation: For nonresident files in an MFT record’s data run, VCN(0) is the actual LCN value for the file’s first cluster address. For the second data run, VCN(1), the value is the number of clusters from VCN(0). To obtain the LCN value for VCN(1), you add that number of clusters to VCN(0). Note that VCNs are signed integers and can have negative values. If students are using a hexadecimal calculator, such as Microsoft Calculator’s Programmer option, they will need to convert the hexadecimal values from little endian to big endian to get the correct values.

19. How many bytes are in a cluster for a 4 GB FAT16-formatted drive?
a. 8 KB
b. 16 KB
c. 32 KB
d. 64 KB
Answer: d. 64 KB
Explanation: Unlike FAT32 and NTFS, FAT16 has a limited range that it can address for large disk drives. To compensate, Windows increased the number of sectors per cluster. Even with the increased cluster sizes for FAT16, it can only access up to 4 GB of drive space.

20. For a typical MBR-formatted drive, what is the number of bytes from the offset 0x00 position to the first boot partition sector?
a. 128 bytes
b. 512 bytes
c. 32,768 bytes
d. 65,536 bytes
Answer: d. 65,536 bytes
Explanation: A partition table’s starting sector field lists the number of sectors from sector 0 to the sector where the partition boot sector is located. The number of sectors for most MBR-formatted drives is 0x80, or 128 sectors, for smaller drives. The number of bytes between offset 0x00 and the first partition is therefore 0x10000, or 65,536 bytes. Note that larger drives, over 2 TB in size, will also have the same number of bytes between offset 0x00 and the first partition, with a sector count of 16, since each sector is 4096 bytes.

21. Which of these files contains metadata about deleted files in the $Recycle.Bin? (Choose all that apply.)
a. $RXNIAC2.txt
b. $I30 file
c. $LogFile
d. $IXNIAC2.txt
Answer: d. $IXNIAC2.txt
Explanation: The $IXNIAC2.txt file contains the metadata of the deleted file. The $RXNIAC2.txt file contains the actual data of the deleted file. The $I30 file contains folder information, such as the file names that are in the folder, and the $LogFile file contains system activity records.
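The partition-table arithmetic behind questions 13 through 17 and 20, worked in code. This is an added example and is not part of the solutions manual or the textbook’s project files: the 512-byte MBR it parses is constructed here from the values in the questions (an NTFS entry starting at sector 128 with 204,800 sectors, and an extended entry whose partition table sits at sector 821,248); the CHS bytes are filler.

```python
"""Walk an MBR partition table and work the sector/offset arithmetic from the
review questions. The sector below is constructed for this example; it is not
an image from the module's project files."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE  # entry 0; the four entries are 16 bytes each
ENTRY_SIZE = 16


def parse_partition_entry(sector: bytes, index: int) -> dict:
    """Decode entry `index` (0-3) of the MBR partition table.

    Layout of each 16-byte entry (offsets relative to the entry start):
      0x00 boot indicator   0x01 start head   0x02 start sector/track
      0x03 start cylinder   0x04 system ID (file system type)
      0x05-0x07 ending CHS  0x08-0x0B relative starting sector (little endian)
      0x0C-0x0F total sectors (little endian)
    For entry 0 the system ID, starting sector and total sectors therefore sit
    at absolute offsets 0x1C2, 0x1C6 and 0x1CA; for entry 1 at 0x1D2, 0x1D6, 0x1DA.
    """
    if not 0 <= index <= 3:
        raise ValueError("an MBR holds four partition entries")
    if len(sector) < SECTOR_SIZE or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with the 55 AA boot signature")
    base = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
    boot, head, track, cylinder, system_id = struct.unpack_from("<5B", sector, base)
    start_sector, total_sectors = struct.unpack_from("<II", sector, base + 8)
    return {
        "boot_indicator": boot,
        "start_head": head,                  # 0x1BF for entry 0
        "start_track": track,                # 0x1C0
        "start_cylinder": cylinder,          # 0x1C1
        "system_id": system_id,              # 0x1C2 (0x07 NTFS, 0x05/0x0F extended)
        "system_id_offset": base + 4,
        "start_sector": start_sector,        # 0x1C6-0x1C9 (0x1D6-0x1D9 for entry 1)
        "start_sector_offset": base + 8,
        "total_sectors": total_sectors,      # 0x1CA-0x1CD
        "total_sectors_offset": base + 12,
        "start_byte": start_sector * SECTOR_SIZE,  # bytes from offset 0x00 to the boot sector
    }


def le_hex_to_int(hex_bytes: str) -> int:
    """Turn a little-endian byte sequence as a hex editor shows it ("00 20 03 00")
    into an integer, the reversal a programmer's calculator needs done by hand."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")


def logical_drive_first_sector(ebr_sector: int, relative_sector_le_hex: str) -> int:
    """Inside an extended partition a logical drive's starting sector is stored
    relative to the sector holding its own partition table, so the physical
    sector is that table's sector plus the decoded relative value (question 17)."""
    return ebr_sector + le_hex_to_int(relative_sector_le_hex)


def build_sample_mbr() -> bytes:
    """Constructed MBR: entry 0 is an NTFS partition starting at sector 128 with
    204,800 sectors (the 00 20 03 00 of question 16); entry 1 is an extended
    partition whose partition table sits at sector 821,248 (question 17)."""
    sector = bytearray(SECTOR_SIZE)
    entry0 = struct.pack("<8BII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 128, 204800)
    entry1 = struct.pack("<8BII", 0x00, 0xFE, 0xFF, 0xFF, 0x05, 0xFE, 0xFF, 0xFF, 821248, 4096000)
    sector[0x1BE:0x1CE] = entry0
    sector[0x1CE:0x1DE] = entry1
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for i in range(2):
        e = parse_partition_entry(mbr, i)
        print(f"entry {i}: type 0x{e['system_id']:02X} at 0x{e['system_id_offset']:X}, "
              f"start sector {e['start_sector']} (offset 0x{e['start_sector_offset']:X}), "
              f"{e['total_sectors']} sectors (offset 0x{e['total_sectors_offset']:X}), "
              f"{e['start_byte']} bytes from offset 0x00")
    print("00 20 03 00 ->", le_hex_to_int("00 20 03 00"))
    print("logical drive starts at sector", logical_drive_first_sector(821248, "00 08 00 00"))
```

Running it prints the same offsets the questions ask for (0x1C2, 0x1CA, 0x1D6), the 65,536-byte gap before the first partition, 204,800 for 00 20 03 00, and 823,296 for the logical drive; `int.from_bytes(..., "little")` does the byte reversal that the calculator approach in the explanations performs manually.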


22. What is the offset position in an $MFT record that lists a file’s record number?
a. Offset 0x00 to 0x04
b. Offset 0x1C to 0x1F
c. Offset 0x2C to 0x2F
d. Offset 0x32 to 0x33
Answer: c. Offset 0x2C to 0x2F
Explanation: The record number for a file is stored 44 (0x2C) bytes from the beginning of the $MFT record and is 4 bytes long. See the “$MFT Header Fields” section of this module for more information about header fields in an $MFT record.

23. What is the offset position in an NTFS boot sector that lists the starting cluster for the $MFT file for the partition?
a. Offset 0x15 to 0x1F
b. Offset 0x30 to 0x37
c. Offset 0x40 to 0x48
d. Offset 0x48 to 0x4F
Answer: b. Offset 0x30 to 0x37
Explanation: Offset 0x30 lists the cluster address of the $MFT file. Partitions smaller than 2 TB have 512-byte sectors, with eight sectors per cluster. Partitions larger than 2 TB have 4096-byte sectors, also with eight sectors per cluster. For additional details, see the “Windows Boot Partition” section of this module, including Table 6-4 and Figure 6-9. Note that Figure 6-9 shows that there are 0x200 (512) bytes per sector and 0x8 (eight) sectors per cluster. When using the hexadecimal editor HxD to navigate to the starting sector of the $MFT file, you will need to convert the number of clusters to sectors by multiplying the cluster count by 8 to get the $MFT file’s starting sector position.

24. What type of data might be recovered when examining Internet activities on a suspect computer? (Choose all that apply.)
a. Disk quota to help determine potentially hidden files by a suspect
b. Occurrences of when applications had been previously run by a suspect
c. Bookmark information showing a suspect’s preferences in specific areas relating to a crime or complaint
d. Web history activities by a suspect that might show what research they had done to prepare for a crime
Answer: c. Bookmark information showing a suspect’s preferences in specific areas relating to a crime or complaint; d. Web history activities by a suspect that might show what research they had done to prepare for a crime
Explanation: Bookmark information and web history activities will show what interest a suspect may have relating to known and unknown crimes. This information can provide support for the criminal complaint and direct the investigator to other leads that support the case. Answers a and b have no direct relation to web and Internet activities.


Hands-On Projects - Solutions

Project 6-1
Estimated Time: 15 minutes
Objective: Determine the create date and time of a file named rebel.txt using a recovered data fragment from unallocated disk space.
Before You Begin:
• Create Work folder C:\Work\Module_06\Project_06-1.
• Download to your Work folder the following data files provided with the module:
  • Project_06-1_Data_Fragment.dat
  • Project_06-1_Examiner_Notes.xlsx
• Access the following item:
  • The hexadecimal editor HxD

In this project, you will first configure HxD’s Data inspector to minimize the data it displays to include only the most common data interpretations. Then you will examine a data fragment, recovered from unallocated disk space, that appears to be from a deleted $MFT file. The recovered fragment contains the file name rebel.txt. You will determine the file’s create date and time using HxD’s Data inspector feature.

To configure HxD, complete the following steps:
1. Open the file Project_06-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_06-1.
2. Open HxD, click Tools, and then click Options. In the Options window, click the Data inspector tab, as shown in Figure 6-38. In the “Available data types” pane, uncheck the following data types and then click OK:
• LEB128
• ULEB128
• AnsiChar / char8_t
• WideChar / char16_t
• UTF-8 code point
• Single (float32)
• Double (float64)
• OLETIME
• DOS date
• DOS time
• DOS date and time
• time_t (32 bit)
• time_t (64 bit)
• Disassembly (x86-16)
• Disassembly (x86-32)
• Disassembly (x86-64)

[Figure 6-38 HxD’s Data inspector tab with the “Available data types” pane]


3. Confirm that you have the following data types checked:
• Binary (8 bit)
• Int8
• UInt8
• Int16
• UInt16
• Int24
• UInt24
• Int32
• UInt32
• Int64
• UInt64
• FILETIME
• GUID

Tip
The Data inspector function in HxD displays integer numbers as signed integers and unsigned integers in decimal or hexadecimal values. Examples of how integers are interpreted by HxD are as follows:
• Int8 represents 1 byte consisting of 8 bits that can be a positive or negative number.
• UInt24 represents 3 bytes of 24 bits that can only be a positive number.
• Int64 represents 8 bytes of 64 bits that can be a positive or negative number.

The default integer values displayed in the Data inspector pane are in decimal values. To change them to hexadecimal, click the “Hexadecimal base (for integral numbers)” check box located at the bottom of the Data inspector pane. If for any reason the Data inspector pane disappears from HxD, it can be redisplayed by clicking View and then Data inspector.
4. In your examiner notes, list the fields that are now displayed in the Data inspector pane and leave HxD running for the second part of this project.

To obtain the file date and time of a file in an $MFT fragment, complete the following steps:
1. In HxD, click File and then Open. Navigate to your Work folder, click Project_06-1_Fragment.dat, and then click Open.
2. In the hexadecimal pane, locate the starting position of the file name attribute 0x30, which is at offset 0x08. Click to place the mouse cursor at offset 0x08. Then click and hold the mouse button while dragging the mouse cursor down until you have highlighted 0x20 hexadecimal bytes from the starting position of attribute 0x30.
3. Click the mouse cursor at offset 0x28. Then in the Data inspector pane, locate the date and time and record it in your examiner notes file.
4. Update FILETIME in your examiner notes and close Excel and HxD.
5. When finished, submit to your instructor the following file:
• Project_06-1_Examiner_Notes.xlsx


Solution Guidance: Students should have successfully configured HxD’s Data inspector to display only the following available data types:
• Binary (8 bit)
• Int8
• UInt8
• Int16
• UInt16
• Int24
• UInt24
• Int32
• UInt32
• Int64
• UInt64
• FILETIME
• GUID
Students should have listed in their examiner notes the fields displayed in HxD’s Data inspector pane. They should also list the create date and time value displayed in the Data inspector’s FILETIME field for this data fragment. For an example of the file that students will submit, see the following solution file:
• Solution_Project_06-1_Examiner_Notes.pdf
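What the Data inspector does when the cursor is placed at offset 0x28 and the FILETIME field is read, as code. This is an added example, not part of the solutions manual or of the HxD project files: the fragment is constructed here to mirror the layout the project describes (attribute 0x30 starting at offset 0x08, so the $FILE_NAME content starts at 0x20 and the creation timestamp at 0x28), and the file name and timestamp in it are made up.

```python
"""Read the creation time from the $FILE_NAME (0x30) attribute in a recovered
$MFT fragment, the value the HxD Data inspector shows as FILETIME at offset 0x28.
Added example; the fragment is constructed and is not the Project 6-1 data file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_NAME_ATTR = 0x30
RESIDENT_HEADER_LEN = 0x18
SAMPLE_CREATED = datetime(2020, 1, 1, tzinfo=timezone.utc)   # constructed timestamp


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the count of 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    if ft < 0:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the sample fragment."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filename_timestamps(fragment: bytes, attr_offset: int = 0x08) -> dict:
    """Decode the $FILE_NAME attribute that starts at `attr_offset`.

    Resident attribute header: 0x00 type, 0x04 length, 0x08 nonresident flag,
    0x14 offset of the content from the attribute start (2 bytes).
    $FILE_NAME content: 0x00 parent directory reference, 0x08 created,
    0x10 modified, 0x18 MFT record changed, 0x20 accessed (all FILETIME),
    0x40 name length in characters, 0x42 name in UTF-16LE.
    With the attribute at 0x08 the content begins at 0x20, so the creation
    time is the 8 bytes at 0x28, exactly where the project has you click.
    """
    attr_type, attr_len, nonresident = struct.unpack_from("<IIB", fragment, attr_offset)
    if attr_type != FILE_NAME_ATTR:
        raise ValueError(f"expected attribute 0x30 at 0x{attr_offset:X}, found 0x{attr_type:X}")
    if nonresident:
        raise ValueError("$FILE_NAME is always a resident attribute")
    content_offset, = struct.unpack_from("<H", fragment, attr_offset + 0x14)
    content = attr_offset + content_offset
    created, modified, record_changed, accessed = struct.unpack_from("<4Q", fragment, content + 0x08)
    name_len = fragment[content + 0x40]
    name = fragment[content + 0x42: content + 0x42 + 2 * name_len].decode("utf-16-le")
    return {
        "name": name,
        "created_offset": content + 0x08,
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "record_changed": filetime_to_datetime(record_changed),
        "accessed": filetime_to_datetime(accessed),
    }


def build_sample_fragment(name: str, created: datetime) -> bytes:
    """Constructed fragment: 8 bytes of leftover record data, then a resident
    0x30 attribute at 0x08 naming `name` with the given creation time; the
    other three stamps are set one day later so they can be told apart."""
    ft = datetime_to_filetime(created)
    later = ft + 24 * 60 * 60 * 10_000_000
    name_bytes = name.encode("utf-16-le")
    # parent ref, 4 timestamps, allocated size, real size, flags, reparse, name len, namespace
    content = struct.pack("<Q4QQQIIBB", 5, ft, later, later, later,
                          0, len(name_bytes), 0x20, 0, len(name), 1) + name_bytes
    attr_len = (RESIDENT_HEADER_LEN + len(content) + 7) & ~7   # 8-byte aligned
    # type, length, nonresident, name len, name offset, flags, id, content len, content off, indexed, pad
    header = struct.pack("<IIBBHHHIHBB", FILE_NAME_ATTR, attr_len, 0, 0, RESIDENT_HEADER_LEN,
                         0, 3, len(content), RESIDENT_HEADER_LEN, 1, 0)
    attr = header + content
    return b"\x00" * 8 + attr + b"\x00" * (attr_len - len(attr))


if __name__ == "__main__":
    frag = build_sample_fragment("rebel.txt", SAMPLE_CREATED)
    info = filename_timestamps(frag)
    print(f"{info['name']}: created {info['created'].isoformat()} "
          f"(FILETIME read at offset 0x{info['created_offset']:X})")
```

The decoder checks the attribute type and the resident flag before trusting the content offset, which is the same sanity check an examiner makes by eye when a fragment from unallocated space may be only partially intact.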

Project 6-2
Estimated Time: 10 minutes
Objective: Determine if a file in an $MFT record is a resident or nonresident file and, if it is a nonresident file, determine its logical cluster address and the number of clusters allocated to it.
Before You Begin:
• Create Work folder C:\Work\Module_06\Project_06-2.
• Download to your Work folder the following data files provided with the module:
  • Project_06-2_MFT_Examination_Report.xlsx
  • Project_06-2_MFT_File.dat
• Access the following item:
  • The hexadecimal editor HxD

In this project, you will examine an MFT file, Project_06-2_MFT_File.dat, and search for a file named Secrets.dat. After locating the record for this file, you will need to determine if it is a resident or a nonresident MFT record. If it is a nonresident file, you will need to locate the three components that make up VCN(0) for this file and list that information, along with their offset byte positions, in the file Project_06-2_MFT_Examination_Report.xlsx.


Complete the following steps:
1. Open the file Project_06-2_MFT_Examination_Report.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field, enter the date of the report, and, in the Case Number field, type Project_06-2.
2. Open HxD, click File, and then click Open. In the Open window, navigate to your Work folder, click Project_06-2_MFT_File.dat, and then click Open.
3. In HxD, click Search and then click Find to open the Find dialog box. In the Search for input box, type Secrets.dat. In the Options section, click the Text encoding down arrow, click Unicode (UTF-16 little endian), and then click OK, as shown in Figure 6-39.
[Figure 6-39 HxD’s Search for input box]
4. This first search result will list the Secrets.dat file in the directory folder where this file is stored on the disk. Press the F3 key to continue the search for this file’s $MFT record.
5. In HxD, scroll up so that the first line in the main window lists the FILE0 value for the MFT record that contains Secrets.dat, as shown in Figure 6-40.
[Figure 6-40 HxD's search results]
6. Locate attribute 0x10 for this $MFT record by placing the cursor at the beginning of the record, which is byte offset 0x00013000. Then click and hold the left mouse button and drag down, highlighting bytes until the length value counter reads 0x38. While dragging the mouse cursor, note that the byte count length value (located at the bottom center of the HxD window in Figure 6-40) increases as you highlight additional data.
7. Reposition the cursor to the left of attribute 0x10 and make note of the number of bytes listed for this attribute, which is at offset 0x0001303C. Then click and hold the left mouse button and drag down, highlighting bytes until the length counter matches the hexadecimal value listed at offset 0x0001303C, to locate the starting position for attribute 0x30.
8. Reposition the cursor to the left of attribute 0x30 and make note of the number of bytes listed for this attribute at offset 0x0001309C. Then click and hold the left mouse button and drag down, highlighting the number of bytes listed at offset 0x0001309C, to locate the starting position for attribute 0x80.
9. Eight bytes past the starting position of attribute 0x80 is the resident/nonresident flag field. In your examination report, indicate if the file is a resident or a nonresident file.
10. If it is a nonresident record, in attribute 0x80, locate the data run for this file and determine the number of allocated clusters and its LCN address by clicking the first byte of components two and three of the data run. Then, in your examination report, record the offset byte locations, their hexadecimal values, and the decimal values listed in the Data inspector pane. If it is a resident record, skip to step 11 and make notations in the examination report of your findings.


Tip
For this project, the data run starts 0x40 bytes from the starting byte of attribute 0x80. In addition, the data run is made up of three components:
1. The header byte, which gives the number of bytes used to store the allocated cluster count and the number of bytes used to store the LCN address of the data run
2. The number of allocated clusters for the data run
3. The logical address of the data run’s first cluster, where the file is stored on the disk
Note that unfragmented files will only have one data run, VCN(0). Fragmented files will have two or more data runs, such as VCN(1), VCN(2), and so on.

Tip
For the assigned cluster addresses other than VCN(0), use the signed integer values to determine the offset cluster count from VCN(0). Use Int8 for 1-byte values, Int16 for 2-byte values, Int24 for 3-byte values, Int32 for 4-byte values, and Int64 for 8-byte values.
11. Fill in the information in the examination report and then save the report. Close Excel and HxD.
12. When finished, submit to your instructor the following file:
• Project_06-2_MFT_Examination_Report.xlsx

Solution Guidance: Students should successfully determine that this $MFT record is a nonresident file and that there is only one data run for this record. As described in this module, students should be mindful when interpreting the data run to ensure that they record the correct byte-size integer value displayed in the Data inspector pane. That is, if the VCN’s first component is 0x22, the second component is a 2-byte integer (Int16), and the third component is also a 2-byte integer. For the Secrets.dat file, the information for the number of allocated clusters is at offset 0x00013149, which has a value of 0x0090, or 144 (decimal) allocated clusters (an unsigned 16-bit, or 2-byte, integer). For the LCN, also known as VCN(0), its information is at offset 0x0001314B, and it has a cluster address of 0x0FDF, or 4,063 (decimal). Note that HxD shows hexadecimal values in little endian by default. Students should convert the hexadecimal data to big endian to ensure they correctly list it in their report. For an example of the file that students will submit, see the following solution file:
• Solution_Project_06-2_MFT_Examination_Report.pdf
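The hand decoding described in the Tips above and in review question 18, as code: the header nibble rule, the unsigned cluster count, and the signed offset that is relative to the previous run. This is an added example and not part of the solutions manual or of Project_06-2_MFT_File.dat. The run “21 17 EA 06” is the VCN(0) from question 18; “22 90 00 DF 0F” is the Secrets.dat run reassembled from the values the solution guidance gives (header 0x22, 0x0090 clusters, LCN 0x0FDF); the remaining runs, the attribute wrapper, and the cluster size are constructed to show a positive 3-byte offset, a negative 1-byte offset, and a sparse run.

```python
"""Decode the data-run list of a nonresident $DATA (0x80) attribute, the
calculation done by hand in review question 18 and in steps 9-10 of Project 6-2.
Added example; the attribute bytes are constructed, not read from a project file."""
import struct

DATA_RUN_OFFSET_FIELD = 0x20   # 2-byte field of the nonresident header


def decode_data_runs(run_list: bytes) -> list:
    """Return [(clusters, lcn), ...] for each run in `run_list`.

    Each run opens with a header byte: the low nibble is the size in bytes of
    the cluster-count field, the high nibble the size of the LCN-offset field.
    The count is unsigned; the offset is a signed little-endian integer relative
    to the previous run's LCN. The first run's offset is relative to cluster 0,
    so it is the absolute LCN of VCN(0). A header of 0x00 ends the list, and a
    high nibble of 0 marks a sparse run that owns no clusters (lcn is None).
    """
    runs = []
    pos = 0
    lcn = 0
    while pos < len(run_list) and run_list[pos] != 0x00:
        header = run_list[pos]
        count_size, offset_size = header & 0x0F, header >> 4
        pos += 1
        if count_size == 0 or pos + count_size + offset_size > len(run_list):
            raise ValueError(f"data run at byte {pos - 1} is malformed or truncated")
        clusters = int.from_bytes(run_list[pos:pos + count_size], "little")
        pos += count_size
        if offset_size == 0:
            runs.append((clusters, None))    # sparse run
            continue
        offset = int.from_bytes(run_list[pos:pos + offset_size], "little", signed=True)
        pos += offset_size
        lcn += offset                         # relative to the previous run's LCN
        if lcn < 0:
            raise ValueError("data run resolves to a negative LCN; the list is corrupt")
        runs.append((clusters, lcn))
    return runs


def data_runs_from_attribute(attr: bytes) -> list:
    """Locate and decode the run list inside a raw 0x80 attribute.

    Nonresident header fields used: 0x00 type, 0x04 attribute length,
    0x08 nonresident flag (the byte checked in step 9) and 0x20 the offset of
    the run list from the attribute start, 0x40 for an unnamed attribute.
    """
    attr_type, attr_len, nonresident = struct.unpack_from("<IIB", attr, 0)
    if attr_type != 0x80:
        raise ValueError(f"expected a $DATA attribute, found type 0x{attr_type:X}")
    if nonresident != 1:
        raise ValueError("resident $DATA attribute: content is in the record, no data runs")
    run_offset, = struct.unpack_from("<H", attr, DATA_RUN_OFFSET_FIELD)
    return decode_data_runs(attr[run_offset:attr_len])


def build_sample_data_attribute(run_list: bytes, clusters: int, cluster_size: int = 4096) -> bytes:
    """Constructed unnamed nonresident 0x80 attribute wrapping `run_list`."""
    body_len = 0x40 + len(run_list)
    attr_len = (body_len + 7) & ~7            # attributes are 8-byte aligned
    size = clusters * cluster_size
    header = struct.pack("<IIBBHHHQQHHIQQQ",
                         0x80, attr_len, 1, 0, 0x40, 0, 2,   # type, len, nonresident, name len, name off, flags, id
                         0, clusters - 1,                     # starting VCN, last VCN
                         0x40, 0, 0,                          # run-list offset, compression unit, padding
                         size, size, size)                    # allocated, real, initialised sizes
    return header + run_list + b"\x00" * (attr_len - body_len)


if __name__ == "__main__":
    # Question 18's VCN(0), then constructed runs: a 3-byte positive offset that
    # lands on LCN 65,515, a 1-byte negative offset (0xF0 = -16), and a sparse run.
    print(decode_data_runs(bytes.fromhex("21 17 EA 06 31 20 01 F9 00 11 08 F0 01 04 00")))
    # Secrets.dat: header 0x22, 0x0090 = 144 clusters, LCN 0x0FDF = 4063
    secrets = build_sample_data_attribute(bytes.fromhex("22 90 00 DF 0F 00"), 144)
    print(data_runs_from_attribute(secrets))
```

Reading the header nibble first is what tells you whether the Data inspector's Int16 or Int24 value is the right one to copy into the report; the function also refuses a count field of zero bytes and a list that runs off the end of the attribute, the two shapes a damaged record most often takes.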


Project 6-3
Estimated Time: 30 minutes
Objective: Install Python on your workstation.
Before You Begin:
• Create Work folder C:\Work\Module_06\Project_06-3 for the Python scripting application.

Many freeware digital forensics tools have been created in various scripting languages such as Python. One developer, Eric Zimmerman, has developed many Python scripts specifically designed to recover unique data useful to a digital forensics examiner. In this project, you will first determine if .Net 4.6.2 or newer is installed on your workstation. The .Net utility is required to run Mr. Zimmerman’s Python scripts, which will be used in the projects that follow. After you’ve determined if .Net 4.6.2 or newer is installed, you’ll then access the Microsoft Store and install the current version of Python. If .Net 4.6.2 or newer is not installed, you’ll be directed to the Microsoft website to download this utility.

To install .Net onto your workstation or to verify the version number of .Net already installed on your workstation, complete the following steps:
1. Open a command prompt window by pressing the Windows key and the R key and then, in the Run input box, type PowerShell and click OK.
2. At the PowerShell command prompt, type cd \work\module_06\project_06-3 and press Enter.
3. Type (get-itemproperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").release -ge 394802 | tee-object -file Project_06-3_Net_Version.txt and press Enter.
4. If the output from the get-itemproperty command displays the word “True,” skip to step 5. If the output is “False,” go to dotnet.microsoft.com/en-us/download/dotnet-framework/net48 and click Download .NET Framework 4.8 Runtime. In the Save as window, navigate to your Work folder and click Save. Then from File Explorer, double-click the file ndp48-web.exe (or the newer version) to install the current .Net service.

Note 20
If there is a newer version available for .Net, check Mr. Zimmerman’s website to confirm it is compatible with his current scripts. See the “Requirements and troubleshooting” page at ericzimmerman.github.io/#!index.md.

5. Type the following command to verify the version of .Net installed on your workstation: gci 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | gp -name version -ea 0 | where { $_.pschildname -match '^(?!S)\p{L}' } | select pschildname, version | tee-object -file Project_06-3_Net_Version.txt -append and then press Enter, as shown in Figure 6-41.
[Figure 6-41 Listing the version of .Net]
If the Client and Full version numbers displayed on your screen are equal to or greater than 4.8.04084, proceed to the next section. If not, repeat step 4 in this section to reinstall .Net.


Next, you will determine if Python is installed on your workstation by completing the following steps:
1. At the PowerShell prompt, type python --version | tee-object -file Project_06-3_Python_Version.txt and then press Enter.
2. If you receive an error message that Python is not found, or if the installed version is less than version 3.10.7, skip to the next set of steps in this project; otherwise, submit to your instructor the following files and then go on to Project 6-4:
• Project_06-3_Net_Version.txt
• Project_06-3_Python_Version.txt

Note 21
For more information on using PowerShell commands to determine if .Net is installed on your workstation, see raymond.cc/blog/how-to-check-what-version-of-microsoft-net-framework-is-installed-in-computer.

Complete the following steps to install the most current version of Python if it is not installed or if your installed version is older than version 3.10.7:
1. From the Windows desktop, click Start and then, in the search input box, type Microsoft Store and press Enter.
2. In Microsoft Store’s search input box, type python and press Enter.
3. In the Microsoft Store application pane, click the most current version of Python. Then, in the Python application window, click Get.
4. When the download and installation are complete, type the following command at the PowerShell prompt to verify the Python version number: python --version | tee-object -file Project_06-3_Python_Version.txt -append and press Enter.
5. When finished, submit to your instructor the following files:
• Project_06-3_Net_Version.txt
• Project_06-3_Python_Version.txt

Solution Guidance: Upon completion of this project, students should have successfully installed the latest version of Python on their workstation. If errors are encountered during the installation of .Net 4.6 or newer and Python, students should verify that their computer hardware and Windows OS are up to date. For examples of the files students will submit for this project, see the following solution files:
• Solution_Project_06-3_Net_Version.pdf
• Solution_Project_06-3_Python_Version.pdf


Project 6-4
Estimated Time: 60 minutes
Objective: Locate and attempt to recover the file Surveil-northside06.JPG from a digital forensics image file.
Before You Begin:
• Create Work folder C:\Work\Module_06\Project_06-4.
• Download to your Work folder the following data files provided with the module:
  • Project_06-4_C-Drive.E01
  • Project_06-4_Examiner_Notes.xlsx
• Access the following item:
  • Autopsy for Windows

Your manager has directed you to examine a digital forensics image file named Project_06-4_C-Drive.E01 to determine if you can recover a file named Surveil-northside06.JPG. While conducting this examination, you will need to make note of every step taken in the Project_06-4_Examiner_Notes.xlsx file, which will be used to create a report in Case Project 6-1. When you have completed the examination, you will also need to generate an Autopsy report.

Complete the following steps:
1. Open the file Project_06-4_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_06-4.
2. Start Autopsy for Windows and, in the Welcome window, click the New Case button. In the New Case Information window, enter Project_06-4 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type and then click Next.
3. In the Optional Information window, type Project_06-4 in the Case Number text box and your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard.
4. In the Select Type of Data Source To Add area of the Add Data Source window, click the Disk Image or VM File button and then click Next.
5. In the Select Data Source pane, click Add and then click Browse. In the Select Local Files or Folders window, navigate to your Work folder, click the Project_06-4_C-Drive.E01 folder, click Select, and then click Next in the Select Data Source pane.
6. In the Configure Ingest area of the Add Data Source window, click Select All if it is not already selected. Click Next and then click Finish.
7. In the examiner notes spreadsheet, add a statement in cell C8 indicating that you started Autopsy and loaded the file Project_06-4_C-Drive.E01. An example entry would be, “Started Autopsy and added forensic image file Project_06-4_C-Drive.E01 using Autopsy for Windows, version 4.18.0.”
8. When the ingest process completes, click the Keyword Search button and, in the search input box, type Surveil-northside06.JPG. Click the Exact Match button and then click Search.


9. In Autopsy’s Tree Viewer pane, click the plus/minus signs to expand Keyword Hits and Single Literal Keyword Search and then click Surveil-northside06.jpg.
10. In the Results viewer pane, highlight and then right-click all the files listed. Click Add Result Tags and then click Notable Item (Notable), as shown in Figure 6-42.
[Figure 6-42 Tagging search results]
11. In the Results viewer pane, unselect the highlighted files by clicking $UsnJrnl:$J. Then, right-click $UsnJrnl:$J (as shown in Figure 6-43). Click Extract File(s), Save, and then OK to export the file.
[Figure 6-43 Exporting $UsnJrnl:$J]
12. Click Generate Report and, in the Generate Report window’s Report Modules pane, click the Excel Report button and then click Next.
13. In the Generate Report window’s “Select which data source(s) to include” pane, click the check box for Project_06-4_C-Drive.E01 and then click Next.
14. In the Configure Report pane, click the All Results button and then click Choose Result Types. In the Result Type Section window, uncheck Accounts, E-Mail Messages, and Web Cookies. Click OK and then click Finish.
15. In the Generate Report window, click the Excel Report link to open and examine the Excel report. Click all worksheet tabs to verify that data was recorded in the report.
16. In Excel, click File, then Save As, and navigate to your Work folder. In the Save As window’s File name input box, type Project_06-4_Excel_Report and click Save. Exit Excel.
17. In the Generate Report window, click Close and keep Autopsy open for the next project.
18. In your examiner notes, add a statement indicating that it appears that the file Surveil-northside06.JPG has been deleted or renamed and that further examination of the $UsnJrnl:$J file should be performed.
19. When done, submit to your instructor the following files:
• Project_06-4_Examiner_Notes.xlsx
• Project_06-4_Excel_Report.xlsx

Solution Guidance: Students should have determined that the file Surveil-northside06.JPG had been present in the digital forensics image file Project_06-4_C-Drive.E01 and that no file by that name is currently present. A keyword search only revealed references to this file in the $LogFile and $UsnJrnl:$J files. Students should have successfully extracted the file $UsnJrnl:$J from the image file to the Autopsy Export folder. The $J file from $UsnJrnl:$J will be used in the next project. For examples of the files created for this project, see the following solution files (note that the different Excel_Report PDF files represent the different tabs that should be part of the student’s submitted file Project_06-4_Excel_Report.xlsx):

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

19


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 6: Working with Microsoft File Systems and the Windows Registry

• Solution_Project_06-4_Examiner_Notes.pdf
• Solution_Project_06-4_Excel_Report_EXIF_Metadata.pdf
• Solution_Project_06-4_Excel_Report_Extension_Mismatch_Detected.pdf
• Solution_Project_06-4_Excel_Report_Keyword_Hits.pdf
• Solution_Project_06-4_Excel_Report_Metadata.pdf
• Solution_Project_06-4_Excel_Report_Recent_Documents.pdf
• Solution_Project_06-4_Excel_Report_Run_Programs.pdf
• Solution_Project_06-4_Excel_Report_Summary.pdf
• Solution_Project_06-4_Excel_Report_Tagged_Files.pdf
• Solution_Project_06-4_Excel_Report_User_Content_Suspected.pdf

Project 6-5
Estimated Time: 30 minutes
Objective: Determine if there is any information about the file Surveil-northside06.jpg listed in the file $UsnJrnl:$J exported in Project 6-4.
Before You Begin:
• Complete Project 6-4.
• Create Work folder C:\Work\Module_06\Project_06-5.
• Download to your Work folder the following data files provided with the module:
  • Project_06-5_Examiner_Notes.xlsx
  • Project_06-5_$UsnJrnl_$J (a duplicate of the exported file $UsnJrnl_$J from Project 6-4)
• Access the following items:
  • The following tools from Eric Zimmerman’s Tools website (ericzimmerman.github.io/#!index.md):
    • MFTECmd
    • Timeline Explorer

In the previous project, you were unable to locate the contents of the file Surveil-northside06.JPG. However, references to this file were located in the $LogFile and $UsnJrnl:$J files. This indicates that the file $UsnJrnl:$J may hold transaction information about the file Surveil-northside06.JPG. To examine and extract information about Surveil-northside06.JPG from $UsnJrnl:$J, you will need two tools created by Eric Zimmerman: MFTECmd.exe and TimelineExplorer.exe. MFTECmd.exe extracts the data from $UsnJrnl:$J and saves it to a .csv formatted file. TimelineExplorer.exe displays and interprets the exported .csv file created by MFTECmd.exe. MFTECmd.exe runs from a command prompt, and Timeline Explorer can be run from File Explorer by double-clicking TimelineExplorer.exe.

Complete the following steps:
1. Open the file Project_06-5_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_06-5.


2. From Eric Zimmerman’s Tools website, select the .NET version (.net 4 | 6) that is installed on your computer, then download and unzip to your Work folder the following files:
• MFTECmd (MFTECmd.zip)
• Timeline Explorer (TimeLineExplorer.zip)

3. Open a command prompt window by pressing the Windows key and the R key. In the Run input box, type cmd and click Run as administrator.
4. In the Command Prompt window, type cd \Work\Module_06\Project_06-5 and then press Enter.
5. Type mftecmd.exe -f Project_06-5_$UsnJrnl_$J --csv .\ --csvf Project_06-5_UsnJrnl_J.csv and press Enter.
6. In File Explorer, navigate to the folder \Work\Module_06\Project_06-5\TimelineExplorer and double-click TimelineExplorer.exe.
7. In Timeline Explorer, click File and Open. Navigate to \Work\Module_06\Project_06-5, click Project_06-5_UsnJrnl_J.csv, and then click Open.
8. In the Search box, type Surveil-northside06.JPG and click Find. Note the associated number for this file in the Entry Number column, as shown in Figure 6-44.
[Figure 6-44 Surveil-northside06.JPG and its Entry Number]
9. Clear the search results by clicking the X in the Search box. Then, in the Entry Number column’s filter row, type the noted entry number for the file Surveil-northside06.jpg and press Enter, as shown in Figure 6-45.
[Figure 6-45 Sorted file associated to Surveil-northside06.JPG]
10. Click File, Export, and then Excel. In the “Select a file to export data” window, navigate to your Work folder and, in the File name box, type Project_06-5_Surveil-northside06-JPG-history. Click Save, then OK, and exit Timeline Explorer.
11. From File Explorer, navigate to your Work folder and open the file Project_06-5_Surveil-northside06-JPG-history.xlsx. In the Name column (column E) of the Excel file, locate and click the cell of the last filename listed in this column. Note the filename listed in this cell.
12. Scroll to the right until the Update Reasons column (column L) is in view and note the reason code.
13. In Autopsy, Project 6-4, click Keyword Search and, in the search input box, type the filename listed in column E, Account01.dat. Click Search. If you closed Autopsy after completing Project 6-4, open Autopsy and click Open Recent Case. In the Open Recent Case window, select Project_06-4 and click Open.
14. In the Results Viewer pane, right-click Account01.dat and click Extract File(s). Navigate to Work\Module_06\Project_06-5 and, in the Save window’s File name box, change Account01.dat to Project_06-5_Surveil-northside06.JPG. Click Save and OK.
15. Close Autopsy, Excel, and the command prompt window. Update your examiner notes.


16. When finished, submit to your instructor the following files:
• Project_06-5_Examiner_Notes.xlsx
• Project_06-5_Surveil-northside06.JPG
• Project_06-5_Surveil-northside06-JPG-history.xlsx
• Project_06-5_UsnJrnl_J.csv

Solution Guidance: Students should have successfully identified the following facts about the file Surveil-northside06.JPG:
• This file’s assigned $UsnJrnl:$J Entry Number is 872.
• This original file’s create date and time are 3/23/2023 at 4:30:59 PM.
• This file’s name was changed to Account01.dat on 3/23/2023 at 4:35:54 PM.
• This file’s name was changed back to Surveil-northside06.JPG on 3/23/2023 at 4:37:49 PM.
• This file’s name was changed back to Account01.dat on 3/23/2023 at 4:39:38 PM.
For examples of the output files that students will submit, see the following solution files:
• Solution_Project_06-5_Examiner_Notes.pdf
• Solution_Project_06-5_Surveil-northside06.JPG-history.pdf
• Solution_Project_06-5_Surveil_northside06.pdf
• Solution_Project_06-5_UsnJrnl_J-csv.pdf

Case Projects - Solutions

Case Project 6-1
Estimated Time: 60 minutes
Objective: Summarize the findings from Project 6-4 and Project 6-5.
Before You Begin:
• Create Work folder C:\Work\Module_06\Case_Project_06-1.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_06-1_Informal_Report.docx
• Download to your Work folder the following files you previously created:
  • Project_06-4_Examiner_Notes.xlsx
  • Project_06-4_Excel_Report.xlsx
  • Project_06-5_Examiner_Notes.xlsx
  • Project_06-5_Surveil-northside06.JPG
  • Project_06-5_Surveil-northside06-JPG-history.xlsx

In this case project, you will write an informal report of your findings from Projects 6-4 and 6-5. To create this report, start with the provided file Case_Project_06-1_Informal_Report.docx. Incorporate into your report the following:


• Information compiled from your examiner notes and the file Project_06-4_Excel_Report.xlsx
• The recovered picture in the file Project_06-5_Surveil-northside06.JPG
• The Project_06-5_Surveil-northside06-JPG-history.xlsx file

In your report, reference as exhibits the following files (these may be inserted into the report or referenced as attachments):
• Project_06-5_Surveil-northside06.JPG
• Project_06-5_Surveil-northside06-JPG-history.xlsx

For this case project, it is optional to insert these two files into the report or to reference them as attachments. Title this report Search and Recovery of Missing File and use Case_Project-06-1 as the Case Number. This report should be written for a nontechnical person. When finished, submit to your instructor the following files:
• Case_Project_06-1_Informal_Report.docx
• Attached or inserted files:
  • Project_06-4_Excel_Report.xlsx
  • Project_06-5_Surveil-northside06.JPG
  • Project_06-5_Surveil-northside06-JPG-history.xlsx

Solution Guidance: Students should use the details listed in their examiner notes from Projects 6-4 and 6-5 for the contents of this report. When students copy the text from their notes into the report, they should revise and update the report’s narrative to provide better readability and to clarify the steps they took, their findings, and their observations. This report should include the key dates and times listed in the file Project_06-5_Surveil-northside06-JPG-history.xlsx. It should also include or reference the recovered image file Project_06-5_Surveil-northside06.JPG and the Autopsy Excel report Project_06-4_Excel_Report.xlsx. For an example of the informal report students will submit, see the following solution file:
• Solution_Case_Project_06-1_Informal_Report.pdf
For examples of attached or referenced files for this report, see the solution files from Projects 6-4 and 6-5.


Case Project 6-2
Estimated Time: 20 minutes
Objective: Determine the contents of a data fragment and what information those contents might reveal.
Before You Begin:
• Create Work folder C:\Work\Module_06\Case_Project_06-2-3-4. Note that you will use this Work folder for the remaining Case Projects in this module.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_06-2_Data_Fragment
  • Case_Project_06-2_Examiner_Notes.xlsx
• Access the following item:
  • The hexadecimal editor HxD

Note: Case Projects 6-2, 6-3, and 6-4 are designed to develop your skill in interpreting unique hexadecimal data that is located in allocated space or in damaged files. For each of these case projects, you will need to reference the tables and figures included in this module for information to help identify these data fragments.

In this case project, you will examine a data fragment that lists a specific file name. The fragmented data was recovered by another examiner from a drive partition that appears to have been partially overwritten. The other examiner had performed a keyword search for a file named Adam-Smith.txt and found a reference to its name located in unallocated space on the drive. The examiner copied the data fragment into the file Case_Project_06-2_Data_Fragment and has asked if you could help determine if it contains anything of value for the case. To examine this data, use HxD to determine what the fragmented data is and whether there is any useful information in it. After your examination, document the details of your findings in the file Case_Project_06-2_Examiner_Notes.xlsx. In your examiner notes, list the figure and table numbers in this module that are associated with this fragmented data.

When finished, submit to your instructor the following file:
• Case_Project_06-2_Examiner_Notes.xlsx

Solution Guidance: To complete this case project, students will need to review the tables and figures in this module to determine which ones have the same record fields as the data fragment. Students should be able to identify Table 6-14 and Figure 6-39 as the sources necessary to interpret this data fragment as the remnants of a $I file from the NTFS drive’s $Recycle.Bin. Note that the first 2 bytes of this data fragment of the $I file are missing. Students will need to analyze the data fragment fields to correctly identify that it is from a $Recycle.Bin $I file.


In their examiner notes, students should state that the fragment appears to be from a $I file, and they should include the file’s name along with the date and time the file was deleted.

For an example of the output file that students will submit, see the following solution file:
• Solution_Case_Project_06-2_Examiner_Notes.pdf
For a comparison of the fields within this fragmented data to the figures and tables in this module, see the following solution file:
• Solution_Case_Project_06-2_Fragment_Recycle_Bin.pdf
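To show what the field comparison looks like in code, here is an added example (not code from the textbook, whose Table 6-14 holds the field layout, nor from its solution files) that parses a constructed version-2 $I record and handles the situation described above, where the first 2 bytes of the fragment are gone. The layout used is the one Windows 10 and later write for $I files; the path, size and deletion time in the sample are invented, and the realignment by a known number of missing bytes is this example’s own approach.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC), integer math only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Windows FILETIME -> aware UTC datetime (the 100 ns remainder is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_recycle_bin_i(fragment, missing_leading_bytes=0):
    """Interpret a $Recycle.Bin $I record, optionally one whose first bytes were overwritten.

    Layout (version 2, Windows 10 and later): 0x00 version (8 bytes), 0x08 original file size (8),
    0x10 deletion FILETIME (8), 0x18 path length in UTF-16 characters including the terminator (4),
    0x1C original path (UTF-16LE). Version 1 (Vista to 8.1) keeps a fixed 520-byte path at 0x18.
    When the start of the record is gone, the caller states how many bytes are missing so the
    surviving fields are realigned; the version is then reported as unrecoverable (None).
    """
    buf = b"\x00" * missing_leading_bytes + bytes(fragment)
    version, size, deleted = struct.unpack_from("<QQQ", buf, 0x00)
    if missing_leading_bytes:
        version = None                      # the overwritten bytes fall inside the version field
    if version == 1:
        path = buf[0x18:0x18 + 520].decode("utf-16-le").split("\x00", 1)[0]
    else:                                   # version 2, or unknown: try the current layout
        chars = struct.unpack_from("<I", buf, 0x18)[0]
        if 0x1C + 2 * chars > len(buf):
            raise ValueError("path length field exceeds fragment; not a version-2 $I record")
        path = buf[0x1C:0x1C + 2 * chars].decode("utf-16-le").rstrip("\x00")
    return {"version": version, "original_size": size,
            "deleted_utc": from_filetime(deleted), "original_path": path}


def build_sample_i_record(path, size, deleted):
    """Constructed version-2 $I record (not the course's Case_Project_06-2_Data_Fragment)."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, to_filetime(deleted), len(encoded) // 2) + encoded


def analyze_case_fragment():
    """Mimic the case: a $I record whose first 2 bytes were overwritten before recovery."""
    whole = build_sample_i_record(r"C:\Users\examiner\Documents\Adam-Smith.txt", 2381,
                                  datetime(2023, 3, 23, 17, 2, 11, tzinfo=timezone.utc))
    fragment = whole[2:]                    # drop the first two bytes, as in the case data
    return parse_recycle_bin_i(fragment, missing_leading_bytes=2)


if __name__ == "__main__":
    info = analyze_case_fragment()
    print("version:", "unrecoverable (first 2 bytes missing)" if info["version"] is None else info["version"])
    print("original path:", info["original_path"])
    print("original size:", info["original_size"], "bytes")
    print("deleted (UTC):", info["deleted_utc"].isoformat())
```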

Case Project 6-3
Estimated Time: 40 minutes
Objective: Examine a fragment of data from a corrupted drive to determine what system file it is associated with for a data-recovery task.
Before You Begin:
• Download to the Work folder you created in Case Project 6-2 (C:\Work\Module_06\Case_Project_06-2-3-4) the following data files provided with the module:
  • Case_Project_06-3_Data_Fragment
  • Case_Project_06-3_Examiner_Notes.xlsx
• Access the following item:
  • The hexadecimal editor HxD

As with Case Project 6-2, in this case project you will examine a data fragment that lists a specific file name. This fragmented data was also recovered by the other examiner from the same drive partition, which appears to have been partially overwritten. The other examiner had performed a keyword search for a file named Bismark.txt and found a reference to its name located in unallocated space in the forensics image file. The examiner copied the data fragment into the file Case_Project_06-3_Data_Fragment and has asked if you could help determine if it contains anything of value for the examiner’s case. To examine this data, use HxD to identify what system file the fragmented data is from and use information presented in this module to identify its contents. Include the offset positions that you identify and explain their interpreted values, such as dates, times, or other related information. After your examination, write the details of your findings in Case_Project_06-3_Examiner_Notes.xlsx. In your examiner notes, list the figure and table numbers in this module that are associated with this fragmented data.

When finished, submit to your instructor the following file:
• Case_Project_06-3_Examiner_Notes.xlsx


Solution Guidance: To complete this case project, students will need to review the tables and figures in this module to determine which ones have the same record fields as the data fragment. Students should have identified the following table and figures as sources of information to identify the data fragment from file Case_Project_06-3_Data_Fragment:
• Table 6-8
• Figure 6-15
• Figure 6-19
Students should be given credit if they also listed the following figures in addition to Figures 6-15 and 6-19:
• Figure 6-13
• Figure 6-14
• Figure 6-16
• Figure 6-21
• Figure 6-22
• Figure 6-23

In the examiner notes, students should state that this data fragment appears to be from an MFT record that displays the date and time fields from the file name attribute, 0x30, and the data attribute, 0x80. Students should also list each field within each attribute along with its offset byte position within the data fragment, as shown here:

For attribute 0x30

Offset from beginning of fragment   Attribute field name                Value in attribute
Offset 0x08                         File create date and time           8/12/2022 7:55:57 PM
Offset 0x10                         File modified date and time         8/12/2022 7:55:57 PM
Offset 0x18                         File last access date and time      8/12/2022 7:55:57 PM
Offset 0x20                         File record update date and time    8/12/2022 7:55:57 PM
Offset 0x42                         Filename                            Bismark.txt

For attribute 0x80

Offset from beginning of fragment   Attribute field name                                          Value in attribute
Offset 0x58                         Data attribute starting position                              0x80
Offset 0x5C                         Number of bytes assigned for attribute 0x80                   0x48 bytes
Offset 0x60                         Nonresident flag                                              0x01
Offset 0x98                         Data run, starting cluster, and number of allocated clusters  Two bytes for the allocated starting cluster address; 1 byte for the number of allocated clusters

The data run for this attribute shows an assigned cluster number of 2859, which is one cluster of allocated data. Further examination of the drive’s partition will be needed to determine the assigned bytes per sector and sectors per cluster.

For an example of the output file that students will submit, see the following solution file:
• Solution_Case_Project_06-3_Examiner_Notes.pdf
For a comparison of the fields within this data fragment to the figures and tables in this module, see the following solution file:
• Solution_Case_Project_06-3_Fragment_MFT_Record.pdf
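Worked in code, as an added example rather than anything from the textbook or its solution files: the Python below builds a constructed fragment laid out exactly like the table above (the body of a $FILE_NAME attribute followed by a $DATA attribute header) and decodes the four timestamps, the filename, the nonresident flag and the data run. The 8/12/2022 7:55:57 PM value is treated as UTC (an assumption; the table gives no zone), the field labels follow the table, and the data run decoder goes beyond this fragment’s single 0x21 run to the general case of several runs with signed relative offsets and sparse runs.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets from the beginning of the fragment, as listed in the solution table above.
FN_TIMESTAMPS = ((0x08, "create"), (0x10, "modified"), (0x18, "last_access"), (0x20, "record_update"))
FN_NAME_LENGTH, FN_NAME = 0x40, 0x42      # name length in UTF-16 characters, then the name itself
DATA_ATTR_OFFSET = 0x58                    # where the $DATA (0x80) attribute header begins


def to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC), integer math only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Windows FILETIME -> aware UTC datetime (the 100 ns remainder is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def display_time(dt):
    """Render a timestamp the way the solution table shows it, e.g. 8/12/2022 7:55:57 PM."""
    return f"{dt.month}/{dt.day}/{dt.year} {dt.hour % 12 or 12}:{dt.minute:02d}:{dt.second:02d} {'PM' if dt.hour >= 12 else 'AM'}"


def decode_data_runs(buf, pos):
    """Decode an NTFS data run list starting at buf[pos] -> [(starting LCN, cluster count), ...].

    Each run opens with a header byte: low nibble = byte length of the cluster-count field,
    high nibble = byte length of the signed LCN offset, which is relative to the previous run.
    A header of 0x00 terminates the list; an offset length of zero marks a sparse run.
    """
    runs, lcn = [], 0
    while pos < len(buf) and buf[pos] != 0x00:
        count_size, offset_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + count_size], "little")
        pos += count_size
        if offset_size:
            lcn += int.from_bytes(buf[pos:pos + offset_size], "little", signed=True)
            runs.append((lcn, count))
        else:
            runs.append((None, count))
        pos += offset_size
    return runs


def parse_fragment(frag):
    """Interpret a fragment that begins with $FILE_NAME (0x30) content and carries a $DATA (0x80) header."""
    result = {label: from_filetime(struct.unpack_from("<Q", frag, off)[0]) for off, label in FN_TIMESTAMPS}
    name_chars = frag[FN_NAME_LENGTH]
    result["file_name"] = frag[FN_NAME:FN_NAME + 2 * name_chars].decode("utf-16-le")
    attr_type, attr_length = struct.unpack_from("<II", frag, DATA_ATTR_OFFSET)
    if attr_type != 0x80:
        raise ValueError(f"expected $DATA attribute at 0x{DATA_ATTR_OFFSET:X}, found type 0x{attr_type:X}")
    result.update(data_attr_type=attr_type, data_attr_length=attr_length,
                  nonresident=frag[DATA_ATTR_OFFSET + 0x08] == 0x01)
    if result["nonresident"]:
        run_offset = struct.unpack_from("<H", frag, DATA_ATTR_OFFSET + 0x20)[0]   # 0x40 here -> runs at 0x98
        result["data_runs"] = decode_data_runs(frag, DATA_ATTR_OFFSET + run_offset)
    return result


def build_sample_fragment():
    """Constructed test data laid out like the solution table (not the course's Case_Project_06-3_Data_Fragment)."""
    stamp = to_filetime(datetime(2022, 8, 12, 19, 55, 57, tzinfo=timezone.utc))
    name = "Bismark.txt".encode("utf-16-le")
    fn = bytearray(DATA_ATTR_OFFSET)
    struct.pack_into("<Q", fn, 0x00, (5 << 48) | 5)           # parent directory reference: root (record 5, sequence 5)
    for off, _ in FN_TIMESTAMPS:
        struct.pack_into("<Q", fn, off, stamp)
    struct.pack_into("<QQI", fn, 0x28, 4096, 91, 0x20)        # allocated size, real size, archive flag
    fn[FN_NAME_LENGTH], fn[FN_NAME_LENGTH + 1] = len(name) // 2, 0x01   # name length in characters, Win32 namespace
    fn[FN_NAME:FN_NAME + len(name)] = name
    data = bytearray(0x48)
    struct.pack_into("<II", data, 0x00, 0x80, 0x48)           # $DATA type, attribute length
    data[0x08] = 0x01                                          # nonresident flag
    struct.pack_into("<H", data, 0x20, 0x40)                   # offset of the data run list inside the attribute
    struct.pack_into("<QQQ", data, 0x28, 4096, 91, 91)         # allocated, real and initialized sizes
    data[0x40:0x45] = bytes([0x21, 0x01, 0x2B, 0x0B, 0x00])    # run: 1-byte count 1, 2-byte LCN 0x0B2B = 2859, end
    return bytes(fn + data)


if __name__ == "__main__":
    parsed = parse_fragment(build_sample_fragment())
    for label in ("create", "modified", "last_access", "record_update"):
        print(f"{label:14} {display_time(parsed[label])}")
    print("file name:", parsed["file_name"])
    print("data runs (LCN, clusters):", parsed["data_runs"])
```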

Case Project 6-4
Estimated Time: 20 minutes
Objective: Examine a fragment of data from a corrupted drive to determine what system file it is associated with for a data-recovery task.
Before You Begin:
• Download to the Work folder you created in Case Project 6-3 (C:\Work\Module_06\Case_Project_06-2-3-4) the following data files provided with the module:
  • Case_Project_06-4_Data_Fragment
  • Case_Project_06-4_Examiner_Notes.xlsx
• Access the following item:
  • The hexadecimal editor HxD

As with Case Projects 6-2 and 6-3, in this case project, you will examine a data fragment that lists a specific file name. This fragmented data was also recovered by the other examiner from the same drive partition, which appears to have been partially overwritten. The other examiner had performed a keyword search for a file named Quotes.txt and found a reference to its name located in an unallocated space in the forensics image file. The examiner copied the data fragment into the file Case_Project_06-4_Data_Fragment and has asked if you could help determine if it contains anything of value for the examiner’s case.


To examine this data, use HxD to identify what system file the fragmented data is from and use information presented in this module to identify its contents. Include the offset positions you identify and their interpreted values, such as dates, times, or other related information. After your examination, write the details of your findings in Case_Project_06-4_Examiner_Notes.xlsx. In your examiner notes, list the figure and table numbers in this module that are associated with this fragmented data.

When finished, submit to your instructor the following file:
• Case_Project_06-4_Examiner_Notes.xlsx

Solution Guidance: To complete this case project, students will need to review the tables and figures in this module to determine which ones have the same record fields as the data fragment. Students should have identified the following table and figure as the source of information to identify the data fragment from file Case_Project_06-4_Data_Fragment:
• Table 6-10
• Figure 6-31
This data fragment is from a $UsnJrnl:$J file. Within the examiner notes, students should identify the origin of the data, such as the name of the system file that contains this type of data. In their notes, they should list all associated data in the data fragment.
For an example of the output file that students will submit, see the following solution file:
• Solution_Case_Project_06-4_Examiner_Notes.pdf
For a detailed description of the fields within this fragmented data, see the following solution file:
• Solution_Case_Project_06-4_Fragment_UsnJrnl-J.pdf


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 7: Linux and Macintosh File Systems

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 7: LINUX AND MACINTOSH FILE SYSTEMS

Table of Contents
Activities - Solutions .......... 2
  Activity 7-1 .......... 2
  Activity 7-2 .......... 3
  Activity 7-3 .......... 6
Review Questions - Answers .......... 7
Hands-On Projects - Solutions .......... 11
  Project 7-1 .......... 11
  Project 7-2 .......... 12
  Project 7-3 .......... 15
Case Projects - Solutions .......... 16
  Case Project 7-1 .......... 16
  Case Project 7-2 .......... 17


Activities - Solutions

Activity 7-1
Estimated Time: 30 minutes
Objective: Install an Ubuntu virtual machine (VM) on Oracle VM VirtualBox Manager for use in later exercises.
Before You Begin:
• Create Work folder C:\Work\Module_07\Activity_07-1.
• Download to your Work folder the following file provided with the module:
  • Activity_07-1_Examiner_Notes.xlsx
• Access the following items:
  • Download and install Oracle VM VirtualBox (virtualbox.org/wiki/Downloads)
  • Download the ISO image for Ubuntu 22.04.x (ubuntu.com/download/desktop)

Complete the following steps:
1. Open the file Activity_07-1_Examiner_Notes.xlsx.
2. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Activity 7-1. In the Date and Start Time columns, enter the current date and time. Save the file and leave it open to record your steps throughout this activity and to document anything unexpected that you observe.
3. Start Oracle VM VirtualBox Manager and click the New icon at the upper-left corner of the right pane to start the Create Virtual Machine Wizard.
4. In the Name and operating system window, type Ubuntu 22.04 for the virtual machine name. Accept the default settings and click Next.
5. In the Memory size window, check that the default setting is 1024 and then click Next.
6. In the Hard drive window, click Create a virtual hard drive now and then click Create. In the “Hard drive file type” window, click Virtual Machine Disk (VMDK) and then click Next. In the “Storage on physical hard drive” window, click the Dynamically allocated option button and then click Next.
7. In the File location and size window, increase the setting to 20 GB and then click Create. Leave VirtualBox open. Record your steps in your examiner notes.
8. In the Oracle VM VirtualBox Manager, click the Settings icon.
9. Click Storage in the left pane. In the Storage section, click Empty under Controller: IDE. In the Attributes section on the right, click the CD icon (see Figure 7-1). Click Choose/Create Virtual Optical Disk File. In the Ubuntu 22.04 – Optical Disk Selector window, click the Add button. Navigate to the folder where the ISO file is stored, click the ISO file, and then click OK.
[Figure 7-1 Selecting the source for an ISO file]


10. In the Oracle VM VirtualBox Manager, click the Ubuntu 22.04 virtual machine and then click the Start icon. The VM should follow a standard OS installation. Accept the default settings. When prompted for a username, enter your name or first initial and last name. Name the machine something unique. Do a screen capture of this window and include it in your examiner notes file along with details of the steps you took to create the VM.
11. Leave the virtual machine running for the next activity.
12. When finished, submit to your instructor the following file:
• Activity_07-1_Examiner_Notes.xlsx

Solution Guidance: In this activity, students install a VM with Ubuntu 22.04 for use in future activities. Students should submit their examiner notes file showing the steps they took, along with a screen capture of the window showing their name with the machine name. For an example of the file that students will submit, see the following solution file:
• Solution_Activity_07-1_Examiner_Notes.pdf

Activity 7-2
Estimated Time: 20 minutes
Objective: Explore basic Linux commands.
Before You Begin:
• Complete Activity 7-1.
• Create Work folder C:\Work\Module_07\Activity_07-2.
• Download to your Work folder the following file provided with the module:
  • Activity_07-2_Examiner_Notes.xlsx

Complete the following steps:
1. Open the file Activity_07-2_Examiner_Notes.xlsx. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, enter Activity 7-2. Throughout the rest of this activity, use your examiner notes to record what you do and to document anything unexpected that you observe.
2. Start Ubuntu 22.04 in VirtualBox, if necessary. On the left side of the desktop are icons for different categories of applications. You can use these desktop icons to select an application or click the Show Applications icon in the bottom left of the screen. In the search box, you can start typing the name of an application, and the system will make a suggestion (see Figure 7-2). Type term and then click the Terminal icon when it is displayed.
[Figure 7-2 Opening the Terminal window]
3. To find the name of your computer and the Linux kernel revision number, type uname -a and press Enter. Note the name of your computer and any other relevant information. To record the results in a file, type uname -a > ~/my.log and press Enter. Nothing is displayed in the terminal window, but a file called my.log is created in your user profile folder, and the output of the uname -a command is redirected to it. Record your steps in the file Activity_07-2_Examiner_Notes.xlsx.
4. To identify your current path, type pwd (which stands for “print working directory”) and press Enter. In a new terminal window, the working directory is likely the user’s home directory.
5. To see a list of the directory’s contents, type ls and press Enter. For comparison, try typing ls -l and pressing Enter and then typing ls -la and pressing Enter. (Note: All files beginning with the . (dot) character are usually omitted from the list of files, unless you add the -a option, which stands for “all.”)
6. To record the full listing in the same log file you created earlier, type echo "" >> ~/my.log and press Enter and then type echo "Full listing:" >> ~/my.log and press Enter. Finally, type ls -la >> ~/my.log and press Enter. These commands add a blank line, followed by the heading “Full listing:” and finally the listing of the directory’s contents to your log file.
7. To see the updated contents of your log file, type cat ~/my.log and press Enter. Do a screen capture of this and add it to your examiner notes file.
Tip: In current versions of Gnome, which is the Ubuntu desktop, the terminal window’s scroll bar doesn’t show, but you can display it by moving your mouse pointer to where a scroll bar is usually placed.
8. Type ip addr and press Enter to see your network interfaces: wired, wireless, FireWire, lo (the loopback device), and so forth. The interfaces are displayed with their MAC addresses (in the “Hwaddr” column) and currently assigned IP addresses (in the “inet addr” column). Try the same command with -a and observe the difference in the output. Append the output of this command to your log file.
9. Navigate to the root directory by typing cd / and pressing Enter. Confirm that you’re at the top of the directory tree by typing pwd and pressing Enter. At this level, when you type ls -l and press Enter, you should see folders such as /etc, /lost+found, and /home, indicating you are at the top (see Figure 7-3). Also note that the owner of the files is root.
[Figure 7-3 Confirming you are at the top of the directory tree]
10. Next, type clear, then cd, and press Enter. Type pwd and press Enter, and you will find yourself back at your home directory. When you type ls -l and press Enter, you will see your own files and that the owner is the name you logged in under, as shown in Figure 7-4.
[Figure 7-4 Listing of /home/user directory]
11. To identify the username you’re currently using, type whoami and press Enter. It should indicate that you are logged in as student—or whatever name you used when installing the system.
12. To see a listing of all user accounts configured on the system, type sudo cat /etc/passwd and press Enter. Then type the password and press Enter. The output displays the contents of the user account configuration file, passwd. It contains the superuser account

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 7: Linux and Macintosh File Systems

“root,” the regular user account you’re currently using, and a long list of system accounts for system services, such as lp, sys, daemon, and sync. For each account, you see the username, numeric user and group IDs, possibly a formatted display name, the home directory (which is /root for the superuser), and the standard command shell, which is usually /bin/bash for regular and root users.
13. To see only the information for your user account, type cat /etc/passwd | grep user (replacing user with your own username) and press Enter.
14. Append the /etc/passwd file to your log file by typing cat /etc/passwd >> ~/my.log and pressing Enter. The /etc/passwd file doesn’t contain user passwords, although earlier versions of Linux stored hashed passwords there. Because everyone can read this file, storing even hashed passwords was considered a security risk, so they were moved to the /etc/shadow file, which can be read only by the root user.
15. To get a detailed listing of the /etc/shadow file, type ls -l /etc/shadow and press Enter. If permission is denied, repeat this command preceded by sudo.
16. Type sudo cat /etc/shadow and press Enter. Then type the password and press Enter. The file’s contents are shown, but only regular user accounts contain a password hash. You should see this information only for your user account.
17. To append just the entry for your user account to your log file, type sudo cat /etc/shadow | grep user >> ~/my.log (replacing user with your username) and press Enter. This command redirects the output of cat as input to grep, which leaves only the line containing your username, and then appends it to your log file. You can have multiple | pipes in a single command but only one redirection to a file (using > or >>) because the file is like a dead end—there can be no output after it’s redirected to a file. Be sure to record the steps you have taken in your file Activity_07-2_Examiner_Notes.xlsx.
18. Close the terminal window by typing exit and pressing Enter. Leave Ubuntu running for the next activity.
19. When finished, update your examiner notes and submit to your instructor the following file:
• Activity_07-2_Examiner_Notes.xlsx

Solution Guidance: In this activity, students have seen how to append command output to a file and print it to the screen. The final file that students submit should show the results of these commands, along with a screen capture. For an example of the file that students will submit, see the following solution file:
• Solution_Activity_07-2_Examiner_Notes.pdf
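The redirection and pipe pattern that Activity 7-2 builds up by hand (one > to create the log, >> for every later append, and cat | grep to keep a single account line) can be captured in a few shell functions. The script below is an added example written for this guide, not code from the textbook or its authors. It assumes a POSIX shell with the usual coreutils (uname, ls, grep, cut, date, mktemp) and, so that it runs as any user without touching the real /etc/passwd and /etc/shadow, it writes constructed sample passwd and shadow files into a scratch directory; the account names and the hash value in them are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the textbook: builds an examiner log the way
# Activity 7-2 does (>> appends and a pipe into grep), but against
# constructed passwd/shadow files so it runs offline as any user.

# log_section LOG HEADING CMD... : append a blank line, then HEADING, then the
# output of CMD to LOG. This is the three-command pattern from step 6:
#   echo "" >> log; echo "Heading:" >> log; cmd >> log
log_section() {
    log="$1"; heading="$2"; shift 2
    echo "" >> "$log"
    echo "$heading" >> "$log"
    "$@" >> "$log" 2>&1
}

# account_entry FILE USER : print only USER's line, like cat FILE | grep USER
# in steps 13 and 17, but anchored on the username field so that searching
# for "root" does not also return an account named "nonroot".
account_entry() {
    grep "^$2:" "$1"
}

# shadow_has_hash SHADOW USER : succeed only if the second field of USER's
# shadow entry is a real hash. "*", "!" and "!!" mark a locked or
# passwordless system account, which is why step 16 shows a hash only for
# regular users.
shadow_has_hash() {
    field=$(grep "^$2:" "$1" | cut -d: -f2)
    case "$field" in
        ""|"*"|"!"|"!!"|"!*") return 1 ;;
        *) return 0 ;;
    esac
}

# build_demo_log DIR : write constructed passwd and shadow files into DIR
# (sample data, not copied from any real system), build DIR/my.log from them
# and print the log's path.
build_demo_log() {
    dir="$1"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:Student,,,:/home/student:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
student:$6$constructedsalt$constructedhash:19700:0:99999:7:::
EOF
    log="$dir/my.log"
    # A single > creates (or truncates) the log; everything after uses >>.
    echo "Examiner log created $(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$log"
    log_section "$log" "System:" uname -a
    log_section "$log" "Full listing:" ls -la "$dir"
    log_section "$log" "passwd entry:" account_entry "$dir/passwd" student
    log_section "$log" "shadow entry:" account_entry "$dir/shadow" student
    echo "$log"
}

# Stand-alone run: build the log in a scratch directory and show it.
demo_dir=$(mktemp -d)
cat "$(build_demo_log "$demo_dir")"
```

On a real system the same functions work with /etc/passwd and /etc/shadow as arguments (the shadow file still needs sudo, as in step 16); anchoring the grep on the username field is the one change from the activity's plain grep, and it matters whenever one account name is a prefix of another.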

Activity 7-3
Estimated Time: 40 minutes
Objective: Create Kali and Paladin VMs for use in the end-of-module exercises.
Before You Begin:
• Complete Activity 7-1.
• Create Work folder C:\Work\Module_07\Activity_07-3.
• Download to your Work folder the following files provided with the module:
  • Activity_07-3_Examiner_Notes.xlsx
• Access the following items:
  • VirtualBox image for Kali (kali.org/get-kali/#kali-virtual-machines)
  • Paladin Edge ISO (sumuri.com/product/paladin-edge-64-bit)
• Install 7Zip (7-zip.org/download.html), which is free, on your Windows machine. You may also use other zip utilities, such as WinZip, if you have access to them.

Note 11
For more details on importing the Kali VirtualBox image, download the instruction manual here: kali.org/docs/virtualization/import-premade-virtualbox.

Complete the following steps:
1. Open the file Activity_07-3_Examiner_Notes.xlsx and input your name and Activity 7-3 in the appropriate fields. Throughout the rest of this activity, use your examiner notes to record what you do and to document anything unexpected that you observe.
2. Use 7Zip to extract the Kali image.
3. Open VirtualBox and, in the upper-left corner, click Tools. Click the Add button on the right.
4. Navigate to the location of the extracted Kali image and click Open. The VirtualBox Manager should now show a Kali machine. Click the Start button to verify that it works. The default username and password are both kali.
5. After it opens, navigate the menu to verify that it works. In the file Activity_07-3_Examiner_Notes.xlsx, note the steps you took to complete the installation along with any issues you encountered.
6. Close the machine.

Note 12
For more details on using Paladin, go to sumuri.com/resources.

7. To create the Paladin box, click the New button.
8. In the window that appears, enter the name Paladin and Operating System Linux, and click Next.
9. For the hard disk type, select VMDK. Increase the disk size to 20 GB, accept the remaining defaults, and then click Create.

10. After the VM is created, click Settings and then click Storage. As you did in Activity 7-1, click the IDE CD icon and navigate to where the Paladin ISO is stored.
11. After the image is selected, click OK. Then install the OS using the default settings.
12. After it is installed, exit VirtualBox.
13. When you are finished, update your examiner notes with information about the Paladin installation and submit to your instructor the following file:
• Activity_07-3_Examiner_Notes.xlsx

Solution Guidance: The installation students complete in this activity should go fairly smoothly for most students. Students who are working on home machines may have to make some adjustments, but most should not encounter any issues. For an example of the output file that students will submit, see the following solution file:
• Solution_Activity_07-3_Examiner_Notes.pdf

Review Questions - Answers

1. Which part of a file structure stored on an Apple File System is designed to store data?
   a. Data fork
   b. Resource fork
   c. Meta fork
   d. System fork
   Answer: a. Data fork
   Explanation: The data fork, which contains data, is one part of the file structure associated with a data file stored on Apple file systems.

2. Which part of a file structure stored on an Apple File System is designed to store metadata?
   a. Data fork
   b. Resource fork
   c. Meta fork
   d. System fork
   Answer: b. Resource fork
   Explanation: The resource fork, which contains metadata and application information, is one part of the file structure associated with a data file stored on Apple file systems.

3. To recover a password in macOS, which tool do you use?
   a. Finder
   b. Password Recovery Toolkit
   c. Keychain Access
   d. Spotlight
   Answer: c. Keychain Access
   Explanation: Keychain Access (or in macOS Monterey, System Preferences\Password) is used to manage passwords within macOS.

4. What are the major improvements in the Linux ext4 file system?
   Answer: The Linux ext4 file system is backward compatible, allows for larger file sizes (up to 1,000,000 TB), introduced long file names, eliminated indirect pointers, introduced extents, and does checksums on its journals.

5. How does macOS reduce file fragmentation?
   Answer: The macOS file system uses clumps to reduce file fragmentation. Clumps are groups of contiguous allocation blocks used to minimize file fragmentation within macOS.

6. Which of the following is true about the use of hard links? (Choose all that apply.)
   a. Files are protected from file updates.
   b. Files with the same inode can be updated by different users.
   c. Files do not have to be shared to be updated by a different user.
   d. Files can only be deleted by one of the users.
   Answer: b. Files with the same inode can be updated by different users; c. Files do not have to be shared to be updated by a different user.
   Explanation: A hard link is an inode that refers to a physical location on a disk that allows you to access the same file using different file names; hard links allow multiple users to update files with different file names in different locations or logins.

7. Which of the following Linux system files contains hashed passwords for the local system?
   a. /var/log/dmesg
   b. /etc/passwd
   c. /var/log/syslog
   d. /etc/shadow
   Answer: d. /etc/shadow
   Explanation: The hashed passwords are located in the shadow file in the Linux file system.

8. Which of the following describes the superblock’s function in the Linux file system? (Choose all that apply.)
   a. Stores bootstrap code
   b. Specifies the disk geometry and available space
   c. Manages the file system, including configuration information
   d. Tracks inodes by using the inode tables
   Answer: b. Specifies the disk geometry and available space; c. Manages the file system, including configuration information; d. Tracks inodes by using the inode tables.
   Explanation: The superblock specifies the disk geometry and available space, and it keeps track of all inodes. It also manages the file system, including configuration information, such as block size for the drive, file system names, blocks reserved for inodes, and volume name.

9. What is the Disk Arbitration feature used for in macOS?
   Answer: Disk Arbitration is a macOS feature for disabling and enabling automatic mounting when a drive is connected via a USB or FireWire device.
   Explanation: Being able to turn off the mount function in macOS allows you to connect a suspect drive to a Mac without a write-blocking device.

10. In Linux, which of the following is the home directory for the superuser?
   a. /home
   b. /root
   c. /super
   d. /home/superuser
   Answer: b. /root
   Explanation: The home directory for the superuser is “root.” You are advised not to log in as root unless you need those privileges.

11. Which of the following organizations certifies when an OS meets UNIX requirements?
   a. IEEE
   b. UNIX Users Group
   c. The Open Group
   d. SUSE Group
   Answer: c. The Open Group
   Explanation: The Open Group was formed as a neutral standards group to ensure Linux continues to be a multiuser, multithreaded, secure OS.

12. On most Linux systems, current user login information is in which of the following locations?
   a. /var/log/dmesg
   b. /var/log/wmtp
   c. /var/log/usr
   d. /var/log/utmp

   Answer: c. /var/log/usr
   Explanation: On Linux systems, usr refers to each user on the system. The /var/log folder maintains the various system logs for the system. The /var/log/usr stores the user login information.

13. Which of the following describes plist files? (Choose all that apply.)
   a. You must have a special editor to view them.
   b. They are found only in Linux file systems.
   c. They are preference files for applications.
   d. They require special installers.
   Answer: c. They are preference files for applications.
   Explanation: A plist file contains the settings for applications in macOS, iOS, and iPadOS. Developers must include at least one plist file for their applications to work.

14. Data blocks contain actual files and directories and are linked directly to inodes. True or False?
   Answer: True
   Explanation: Inodes point to data blocks, which store data.

15. Which of the following items should a digital forensics examiner collect before attempting the acquisition of a macOS device with an APFS with encryption enabled? (Choose all that apply.)
   a. Custodian’s username
   b. Custodian’s password
   c. System administrator’s username
   d. System administrator’s password
   e. Custodian’s mother’s family name
   f. Custodian’s mother’s date of birth
   g. System administrator’s place of birth
   h. System administrator’s favorite color
   Answer: a. Custodian’s username; b. Custodian’s password; c. System administrator’s username; d. System administrator’s password
   Explanation: The custodian’s and system administrator’s credentials are required because they can be used to set up the macOS device to boot the forensics acquisition software, mount encrypted APFS volumes, and/or install Rosetta 2 to allow the use of Intel-based tools on the newer Macs using Apple silicon.

Hands-On Projects - Solutions

Project 7-1
Estimated Time: 20 minutes
Objective: Create a hard and symbolic link.
Before You Begin:
• Complete Activity 7-1.
• Create Work folder C:\Work\Module_07\Project07-1.
• Download to your Work folder the following data file provided with the module:
  • Project_07-1_Examiner_Notes.xlsx
• Access the following item:
  • Ubuntu 22.04 VM

To see how hard and symbolic links work, complete the following steps:
1. Open the file Project_07-1_Examiner_Notes.xlsx. Enter your name and the project number in the appropriate fields. Throughout the rest of this project, use your examiner notes to record what you do and to document anything unexpected that you observe.
2. Start the Ubuntu 22.04 Virtual Machine, if necessary, and open a terminal window. Type ls -l and press Enter.
3. In the output, the number in the second column shows the hard link count for each directory or file. Notice the number of hard links for the Music directory in Figure 7-17.
[Figure 7-17 Number of hard link counts for the Music directory]
4. Type cd Music and press Enter. Create a subdirectory called PopTunes by typing mkdir PopTunes and pressing Enter.
5. Return to your home directory by typing cd and pressing Enter. Next, type ls -l and press Enter; notice that the link count for the Music directory has increased.
6. To practice creating a hard link, first create a new file by typing touch originalfile and pressing Enter. Create a new subdirectory in the /tmp directory by typing mkdir /tmp/Module07 and pressing Enter.
7. Switch to your home directory again, if necessary, and type ln originalfile /tmp/Module07/newfile and press Enter.
8. Type ls -i and press Enter to see the original file’s inode number. Change to the /tmp/Module07 directory and repeat this command. Newfile should have the same inode number as originalfile (see Figure 7-18).
[Figure 7-18 Verifying that the hard linked files have the same inode number]

9. To create a symbolic link, switch to the /tmp directory, type mkdir testsym, and press Enter to create a new subdirectory. Switch to this subdirectory and create two files by typing touch test1 test2 and pressing Enter. If necessary, type cd .. and press Enter to return to the /tmp directory. Finally, create the symbolic link by typing ln -s /tmp/testsym mysym and pressing Enter. Using ln with the -s option specifies a symbolic link rather than a hard link. Note that you typically use the full path name because symbolic links can exist on other systems. You will see in the next step that a new folder was created along with the files.
10. Type ls -1 mysym (using the numeral one, not a lowercase L, for the option after the hyphen) and press Enter. The files you created in the testsym directory are also in mysym. Finally, type ls -l mysym (using a lowercase L after the hyphen) and press Enter. An arrow points from mysym to the testsym directory, as shown in Figure 7-19, to indicate the symbolic link.
[Figure 7-19 Showing a symbolic link]
11. When finished, update your examiner notes and submit the following file to your instructor:
• Project_07-1_Examiner_Notes.xlsx

Solution Guidance: The student’s examiner notes should include notes on the steps they took to complete this project. Students should also include the inode number along with anything else they observed as they completed this project. For an example of the file that students will submit, see the following solution file:
• Solution_Project_07-1_Examiner_Notes.pdf
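Project 7-1 has students read inode numbers and link counts off ls output by eye; Review Question 6 asks what those numbers imply about hard links. The script below, an added example written for this guide and not code from the textbook or its authors, recreates the project's layout under a scratch directory (DIR/home and DIR/tmp stand in for the real home directory and /tmp) and reads the same ls -i and ls -l fields with functions, then deletes the original names to show the difference an examiner cares about: the hard-linked data survives, the symbolic link dangles. It assumes GNU or BusyBox coreutils on Linux (ls -lid, readlink, mktemp); the directory link count rising after mkdir is ext4 behaviour and may differ on other file systems.

```shell
#!/bin/sh
# Added example, not from the textbook: recreates the Project 7-1 layout in a
# scratch directory and reads the same ls -i / ls -l fields the steps inspect.

# inode_of PATH : inode number, the first field of ls -li (-d keeps a
# directory or symlink itself from being listed by its contents)
inode_of() { ls -lid "$1" | awk '{print $1}'; }

# link_count_of PATH : hard-link count, the second column of ls -l
link_count_of() { ls -ld "$1" | awk '{print $2}'; }

# is_hard_link A B : true when both names carry the same inode number, i.e.
# they are two directory entries for one file (step 8). Inode numbers are only
# unique within one file system, so compare names on the same volume.
is_hard_link() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# link_type PATH : symlink, dir, file or missing. -L is tested first because
# -d and -f follow the link and would report the target instead.
link_type() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# build_demo DIR : steps 4-9 of the project, with DIR/home and DIR/tmp standing
# in for the real home directory and /tmp
build_demo() {
    dir="$1"
    mkdir -p "$dir/home/Music" "$dir/tmp/Module07" "$dir/tmp/testsym"
    touch "$dir/home/originalfile"
    ln "$dir/home/originalfile" "$dir/tmp/Module07/newfile"   # hard link: same inode
    touch "$dir/tmp/testsym/test1" "$dir/tmp/testsym/test2"
    ln -s "$dir/tmp/testsym" "$dir/tmp/mysym"                  # symbolic link: its own inode, points by path
}

# after_delete DIR : remove the original names and report what survives.
# Prints "hard:<type> count:<n>" and "sym:<state>".
after_delete() {
    dir="$1"
    rm "$dir/home/originalfile"     # data stays reachable via newfile; count drops to 1
    rm -r "$dir/tmp/testsym"        # mysym now dangles: -L is true but -e is false
    echo "hard:$(link_type "$dir/tmp/Module07/newfile") count:$(link_count_of "$dir/tmp/Module07/newfile")"
    if [ -L "$dir/tmp/mysym" ] && [ ! -e "$dir/tmp/mysym" ]; then
        echo "sym:dangling"
    else
        echo "sym:$(link_type "$dir/tmp/mysym")"
    fi
}

# Stand-alone run
scratch=$(mktemp -d)
build_demo "$scratch"
echo "originalfile inode: $(inode_of "$scratch/home/originalfile"), newfile inode: $(inode_of "$scratch/tmp/Module07/newfile")"
echo "Music link count before PopTunes: $(link_count_of "$scratch/home/Music")"
mkdir "$scratch/home/Music/PopTunes"      # step 4: the subdirectory's .. entry adds a link to Music on ext4
echo "Music link count after PopTunes: $(link_count_of "$scratch/home/Music")"
ls -ld "$scratch/tmp/mysym"                # arrow from mysym to the testsym directory, as in Figure 7-19
after_delete "$scratch"
```

The after_delete output is the practical lesson behind question 6: removing one name of a hard-linked file does not remove the data, so an examiner who finds a file with a link count above 1 should expect the same content to be reachable under another path, while a symbolic link only records a path string and tells you nothing once its target is gone.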

Project 7-2
Estimated Time: 45 minutes (time may vary depending on updates needed)
Objective: Use the forensics tools in Kali Linux.
Before You Begin:
• Complete Activity 7-3.
• Create Work folder C:\Work\Module_07\Project07-2.
• Download to your Work folder the following data files provided with the module:
  • Project_07-2_Examiner_Notes.xlsx
  • GCFX-LX.exe
• Access the following item:
  • Kali Linux VM

Complete the following steps:
1. Open the file Project_07-2_Examiner_Notes.xlsx. Enter your name and the project number. Throughout the rest of this project, use your examiner notes to record what you do and to document anything unexpected that you observe.
2. Open VirtualBox and launch the Kali Linux box.

3. To be able to access forensics image files that are on your host machine, you will need to do a few things. Be sure that all applications are closed. Open a terminal window. Type sudo apt-get update and press Enter. If prompted, enter the password kali for sudo. Accept all changes. The apt-get update command contacts the Linux repository for your version and retrieves the most recent list of packages that should be on your system.
4. Next, type sudo apt-get upgrade and press Enter. Based on the list from the apt-get update command, apt-get upgrade downloads and installs the needed items. The upgrade may take up to 20 minutes depending on the version of the image you downloaded. Allow the VM to reboot as needed.
5. In the dropdown menus, click Devices and then Insert Guest Additions CD Image. (Note that no window pops up to prompt you.)
6. After the device is mounted, you will be able to see its contents. Note that the CD contains the installation for multiple OSs. The one needed for Kali is VBoxLinuxAdditions.run. In the terminal window, type findmnt and then press Enter. At the bottom, you should see the mount point for the CD. Select the mount point, right-click it, and then click Copy. This is the path you need for the next step.
7. Type sudo and then right-click and paste the path you just copied. Then type a forward slash and the file name (/VBoxLinuxAdditions.run), as shown in Figure 7-20.
[Figure 7-20 Installing the Sleuth Kit]
8. Press Enter. Enter the password when prompted and then press Enter. The Kali OS is now installed.
9. Create a subdirectory in your Work folder called Shared Evidence. You will copy the necessary files to this subdirectory on your host machine.
10. Next, you need to create a shared folder. On the menu, click Devices and then Shared Folders, Shared Folders Settings…. In the right pane of the window that opens, click the Add button.
11. In the Add Share window, click the dropdown arrow for the Folder Path. Navigate to your Work\Shared Evidence folder and select it. Enter the Folder Name and Mount point and select the options so your dialog box matches the one shown in Figure 7-21. Click OK twice.
[Figure 7-21 Creating a shared folder on the host computer]
12. Copy the file GCFX-LX.exe to your Shared Evidence folder on your host machine. Extract the files.
13. Kali Linux contains the compiled Linux version of Autopsy/Sleuth Kit. Many times you may have to evaluate evidence from older systems. The remaining steps in this project take you through an older tool and an older image. Click the Kali Linux icon in the upper-left portion of the window. Click 11 – Forensics in the left pane and then click autopsy (root) on the right, as shown in Figure 7-22.
[Figure 7-22 Launching Autopsy/Sleuthkit in Kali Linux]

A terminal window opens, requesting your password and instructing you to leave it open and launch a web browser with the address http://localhost:9999/autopsy.
14. Click the New Case button, as shown in Figure 7-23.
[Figure 7-23 Starting Autopsy]
15. When the Create a New Case dialog box opens, enter Project_7-2 for the case name, a description (optional), and your name. Click the New Case button to continue.
16. In the Creating Case dialog box, click Add Host to continue. In the Add a New Host dialog box, enter TestForensics for the hostname and then click Add Host.
17. In the Add a New Image dialog box, type the complete path to the evidence locker in the Location text box. (Remember that Linux commands are case sensitive. If you enter a lowercase file name and the file name is uppercase, Autopsy can’t find and load the file.) This image has multiple segments, so use an asterisk as the extension (e.g., GCFI-LX.*).
18. Click the Partition and Move option buttons and then click Next.
19. In the Image File Details section, click the Calculate the hash value for this image option button and then click Add. In the Calculating MD5 message box, click OK. (Note that calculating a hash value can add time to your evaluation.)
20. In the “Select a volume to analyze or add a new image file” page, click Analyze and then Keyword Search to start a search for keywords of interest to the investigation.
21. In the Keyword Search of Allocated and Unallocated Space page, type martha in the text box and then click Search.
22. When the search is finished, Autopsy displays a summary of the search results. To see detailed search results, click the results link in the upper-left pane.
23. Examine the search results by scrolling through the left pane and then click the Fragment 236019 “Ascii” link to view details of the search, as shown in Figure 7-24.
[Figure 7-24 Viewing Fragment 236019 “Ascii” link]
24. Repeat this examination by clicking other ASCII and Hex links for the remaining hits. When you’re finished examining the search hits, close the Searching for ASCII and Searching for Unicode dialog box to return to the “Select a volume to analyze or add a new image file” dialog box. Exit Autopsy and log off Ubuntu.
25. When finished, update your examiner notes and submit the following file to your instructor:
• Project_07-2_Examiner_Notes.xlsx

Solution Guidance: Sharing files from a host machine can cause a few challenges. Students need to know where the files are stored, and they must know the correct path. Launching Autopsy and Sleuth Kit in Linux is easier now than in the past, however. In this project, students should be able to find the results of searching for “martha,” as shown in Figure 7-24. Urge students to search for other names that they may find as a result of the original search, as well. They should also note that the files were partitions. For an example of the file that students will submit, see the following solution file: • Solution_Project_07-2_Examiner_Notes.pdf
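Steps 20 through 24 run Autopsy's keyword search over allocated and unallocated space and report each hit as a fragment number with separate ASCII and Unicode passes. The script below is an added example written for this guide, not code from the textbook, its authors or the Autopsy project; it shows the same mechanics on a raw image with plain shell tools. It constructs an 8 KiB zero-filled image with the keyword planted at known offsets (so the expected results are known), searches it case-sensitively in both ASCII and UTF-16LE, and maps each byte offset to a 0-based fragment number and the offset inside that fragment. It assumes a POSIX shell with od, awk, sed, dd and mktemp; the 1024-byte fragment size is a demonstration value, and the fragment number Autopsy reports for a real image depends on that image's block size.

```shell
#!/bin/sh
# Added example, not from the textbook: a keyword search over a raw image the
# way Autopsy's keyword search works in steps 20-23, reporting the byte offset
# of each hit and the fragment (block) that contains it. The 8 KiB image is
# constructed here with the keyword planted at known offsets.

# to_hex FILE : the whole file as one lowercase hex string, two chars per byte
# (-v stops od from collapsing the repeated zero lines into a "*")
to_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# str_to_hex STRING [utf16le] : hex of STRING as ASCII, or as UTF-16LE (each
# byte followed by 00) when the second argument is utf16le. Autopsy runs both
# searches, hence its "Searching for ASCII" and "Searching for Unicode" boxes.
str_to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' |
        if [ "$2" = "utf16le" ]; then sed 's/../&00/g'; else cat; fi
}

# find_offsets FILE KEYWORD [utf16le] : print one byte offset per case-sensitive
# match. Matching on the hex text avoids passing NUL bytes to grep; a hit only
# counts when it starts on a byte boundary (odd 1-based hex position).
find_offsets() {
    pat=$(str_to_hex "$2" "$3")
    to_hex "$1" | awk -v pat="$pat" '{
        s = $0; base = 0
        while ((p = index(s, pat)) > 0) {
            hexpos = base + p
            if (hexpos % 2 == 1) { off = (hexpos - 1) / 2; print off }
            base += p; s = substr(s, p + 1)
        }
    }'
}

# fragment_of OFFSET BLOCKSIZE : "fragment:inner", the 0-based block number the
# offset falls in and the offset inside that block, which is what a link such
# as "Fragment 236019" in Autopsy identifies for a hit.
fragment_of() { echo "$(( $1 / $2 )):$(( $1 % $2 ))"; }

# build_image FILE : 8 KiB of zeros with three constructed plants:
#   offset 1500: "martha" in ASCII
#   offset 3000: "Martha" (different case, so a case-sensitive search skips it)
#   offset 6000: "martha" in UTF-16LE
build_image() {
    dd if=/dev/zero of="$1" bs=1024 count=8 2>/dev/null
    printf 'martha' | dd of="$1" bs=1 seek=1500 conv=notrunc 2>/dev/null
    printf 'Martha' | dd of="$1" bs=1 seek=3000 conv=notrunc 2>/dev/null
    printf 'm\000a\000r\000t\000h\000a\000' | dd of="$1" bs=1 seek=6000 conv=notrunc 2>/dev/null
}

# Stand-alone run against a scratch image, with 1024-byte fragments
img=$(mktemp)
build_image "$img"
for enc in ascii utf16le; do
    for off in $(find_offsets "$img" martha "$enc"); do
        echo "$enc hit at byte $off, fragment:inner = $(fragment_of "$off" 1024)"
    done
done
rm -f "$img"
```

Two points worth passing on to students: the UTF-16LE pass is what turns up names stored by Windows applications and registry hives, which an ASCII-only search misses entirely, and the case-sensitive miss on "Martha" is why the solution guidance above tells them to search for other spellings and names they see in the first set of hits.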

Project 7-3
Estimated Time: 20 minutes
Objective: Explore the Paladin forensics tool.
Before You Begin:
• Complete Activity 7-3.
• Create Work folder C:\Work\Module_07\Project07-3.
• Download to your Work folder the following data file provided with the module:
  • Project_07-3_Examiner_Notes.xlsx
• Access the following item:
  • Paladin Edge VM

Complete the following steps:
1. Launch the Paladin Edge VM, as shown in Figure 7-25.
[Figure 7-25 Paladin Edge interface]
2. Open the file Project_07-3_Examiner_Notes.xlsx. Input your name and the project number. Throughout the rest of this project, use your examiner notes to record what you do and to document anything unexpected that you observe.
3. Click the App Menu button in the lower-left corner. Select Paladin Toolbox from the menu that appears.
4. Explore the various tools that are available. Make notes about the tools that might produce results. Be aware that to use these tools you would need to be connected to an actual device for evaluation and analysis.
5. When finished, submit the following file to your instructor:
• Project_07-3_Examiner_Notes.xlsx

Solution Guidance: The Paladin Edge VM tool is forensically sound. It automatically keeps logs of what you do on an item, and the shared folder for the host machine works without any additional setup. It can view unallocated space and free space on a drive. It can also examine USB drives, perform network forensics and remote acquisitions, and it includes LibreOffice. For an example of the file that students will submit, see the following solution file:
• Solution_Project_07-3_Examiner_Notes.pdf

Case Projects - Solutions

Case Project 7-1
Estimated Time: 60 minutes
Objective: Compare forensics tools that can evaluate macOS devices.
Before You Begin:
• Create Work folder C:\Work\Module_07\Case_Project_07-1.

Research and compare forensics tools that can examine macOS devices. Create a table listing at least three tools, including their price, the features they have in common, and the differences in their functions. Open your word processing application, create a new document, and save it as Case_Project_07-1_Report in your Work folder. Write a one- to two-page report stating which tool you would choose if you were an investigator for a small firm and explain why. Include your summary table in your paper. When finished, submit to your instructor the following file:
• Case_Project_07-1_Report

Solution Guidance: Within the report that students submit, they should include a table showing at least three tools, along with their important features, prices, and time on the market. Students should explain what is covered in the table, compare the tools they selected, and note any features that they found would be useful in an investigation. The module lists tools such as Cellebrite. Students might also include tools such as Passware Kit, Parrot OS, BlackBag MacQuisition, Magnet Axiom, and Belkasoft. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_07-1_Report.pdf

Case Project 7-2
Estimated Time: 60 minutes
Objective: Determine what tools to use when a Windows computer does not boot.
Before You Begin:
• Create Work folder C:\Work\Module_07\Case_Project_07-2.

This module explored the use of Autopsy for Linux as well as Paladin Edge. Linux tools can be especially useful when a Windows computer does not boot. Open your word processing application, create a new document, and save it as Case_Project_07-2_Report in your Work folder. Write a one- to two-page memo describing the tools that might be used, based on research you do using blogs, user groups, and user manuals. What additional preparation would you as a forensics investigator have to take to use these tools? When you are finished, submit to your instructor the following file:
• Case_Project_07-2_Report

Solution Guidance: In the report students write for this case project, they should describe some of the tools that could be useful to a forensics investigator working with a Windows computer that does not boot. The module “The Investigator’s Laboratory and Digital Forensics Tool” introduced students to a USB bootable drive that can be used to examine Windows machines. Students might also include items such as a removable hard drive for use as the destination drive for imaging. They may consider situations in which the RAM needs to be acquired and note that Paladin is specifically for that type of situation. Kali Linux, Autopsy, and other Linux-based tools are also commonly used to access Windows computers. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_07-2_Report.pdf

Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 8: Media Files and Digital Forensics

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7TH EDITION, ISBN: 9780357672884; MODULE 8: MEDIA FILES AND DIGITAL FORENSICS

Table of Contents
Activities - Solutions ........ 2
  Activity 8-1 ........ 2
  Activity 8-2 ........ 5
Review Questions - Answers ........ 7
Hands-On Projects - Solutions ........ 13
  Project 8-1 ........ 13
  Project 8-2 ........ 16
  Project 8-3 ........ 17
  Project 8-4 ........ 19
  Project 8-5 ........ 22
  Project 8-6 ........ 25
Case Projects - Solutions ........ 28
  Case Project 8-1 ........ 28
  Case Project 8-2 ........ 29
  Case Project 8-3 ........ 30
  Case Project 8-4 ........ 31

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 8: Media Files and Digital Forensics

Activities - Solutions

Activity 8-1
Estimated Time: 60 minutes
Objective: Search for JPEG files with altered headers and then extract them for follow-up examination and reconstruction.
Before You Begin:
• Create Work folder C:\Work\Module_08\Activity_08-1.
• Download to your Work folder the following files provided with the module:
  • Activity_08-1_Examiner_Notes.xlsx
  • Activity_08-1.001

For this activity, you have been directed to locate possible graphics files that were referenced in the Tom Johnson email (shown earlier in Figure 8-15) and extract them using Autopsy. Complete the following steps:
1. Open the file Activity_08-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner's Name field and, in the Case Name and Case Number fields, type Activity_08-1.
2. Start Autopsy for Windows. If the UAC window appears, click Yes, and then click the Create New Case button. In the New Case Information window, type Activity_08-1 for the case name and click Browse next to the Base Directory text box. Navigate to and click your Work folder, and then click Next. In the Additional Information window, type Activity_08-1 for the case number, enter your name for the examiner, and then click Finish.
3. In the Add Data Source window, leave the default selection Disk Image or VM file in the Type of Data Source to Add section and then click Next.
4. In the Select Data Source window, click the Browse button, navigate to your Work folder, click Activity_08-1.001, and click Open. Then click Next.
5. In the Configure Ingest Module window, click Select All, and then deselect (uncheck) PhotoRec Carver (see Figure 8-16). Click Next, and then click Finish.
[Figure 8-16 Autopsy Configuration Ingest Modules]
6. Click to expand Extracted Content, if necessary, and then click EXIF Metadata in the Tree Viewer pane.
7. Click the first file, Odessey11.txt, in the Result Viewer pane. Then, in the Content Viewer pane, click the Hex tab, as shown in Figure 8-17.
[Figure 8-17 EXIF Metadata files results]
8. Repeat step 7 for the remaining four files listed in the Result Viewer pane and examine each file's contents to determine whether its header has also been altered. Note your observations in the examiner notes file.


9. Click the Keyword Search button, located in the upper-right corner of the Autopsy window, and type FIF (all uppercase letters) in the Keyword Search input box. Click the Exact Match button and then click Search. Note that there are no hits from this search.
10. Refine the search by clicking Keyword Search again. In the input box, delete the previous entry FIF and type fif (all lowercase letters). Click the Substring Search button (as shown in Figure 8-18) and then click Search.
[Figure 8-18 Keyword search window]
Note 8
With the Substring Search option selected, Autopsy returns more search results. This requires additional time to determine which of those results are relevant to the examination.
11. Click the Name column header in the Result Viewer pane to sort the files in ascending order. Then click each file listed in the Result Viewer pane and examine its contents in the Content Viewer pane to determine whether it has an altered header.
12. In your examination of each file, note that file _1.XLS contains the value zFIF in the Content Viewer pane, as shown in Figure 8-19.
[Figure 8-19 Content Viewer pane]
13. To further examine these files' contents, click the file _1.XLS in the Result Viewer pane and then click the Hex tab in the Content Viewer pane. Note that the first 4 bytes (offsets 0 to 3) and the byte at offset 6 have the value 0x7A (lowercase letter z), followed by the text FIF, as shown in Figure 8-20. In an intact JFIF header these positions hold FF D8 FF E0 and 4A (the letter J), so the overwritten header reads zzzz followed by zFIF instead of JFIF.
[Figure 8-20 Keyword search results]
Because this file's first 4 bytes are the lowercase letter z, you can assume there might be other graphics files from Chris Robinson's email that also start with "zzzz". To reduce the number of false-positive hits, perform another search for the letters zzzz.
14. Click Keyword Search again and, in the Keyword Search input box, delete the previous input of fif, type zzzz, and then click Search.
15. Now, in the Result Viewer pane, examine each file listed and its associated data displayed in the Content Viewer pane. When examining the data in the Content Viewer pane, switch between the Hex, Text, File Metadata, and Results tabs to further identify the type of data. Make notations in your examiner notes of your observations for each file.
16. Files whose first 4 bytes are zzzz are displayed in the Content Viewer pane. Select each such file by pressing and holding the Ctrl key and then clicking each file listed in the Result Viewer pane.
17. When the files are selected, right-click the selected files, click Add File Tags, and then click Follow Up, as shown in Figure 8-21.
[Figure 8-21 File tagging for follow-up examination]
18. Right-click the selected files again and click Extract File(s). In the Save window, click Save and then OK.


19. Click Generate Report from Autopsy's menu bar. In the Select and Configure Report Modules pane, click the Excel Report button and then click Next.
20. In the "Select which data source(s) to include" pane, click the check box for Activity_08-1.001 if it is not already checked, and then click Next.
21. In the "Select which data to report on" pane, click the Specific Tagged Results button, click the Follow Up check box, and then click Finish.
22. When the report generator completes, in the Report Generation Progress window, double-click the link listed for the Excel Report output to open it in your preferred spreadsheet application.
23. In Excel, save this report as Activity_08-1-Report.xlsx to your Work folder and close the file.
24. In Autopsy's Report Generation Progress window, click Close and then exit Autopsy.
25. Update and save the file Activity_08-1_Examiner_Notes.xlsx and then exit Excel.
26. From File Explorer, navigate to Autopsy's Export folder for this case (C:\Work\Module_08\Activity_08-1\Activity_08-1\Export) and rename the following files:
• nnn-_1.XLS to Activity_08-1_nnn-_1.XLS
• nnn-_51.XLS to Activity_08-1_nnn-_51.XLS
• nnn-gametour2.exe to Activity_08-1_nnn-gametour2.exe
• nnn-gametour3.exe to Activity_08-1_nnn-gametour3.exe
• nnn-gametour4.exe to Activity_08-1_nnn-gametour4.exe

Note 9
When you export a file, Autopsy prefaces the file name with a unique number (three digits in this example) followed by a hyphen. For instance, the recovered file gametour2.exe was exported as 212-gametour2.exe in the example used for this activity. If several files have the same name, each residing in a different folder, Autopsy assigns each one a different number so that the exported files remain distinct.
27. When finished, submit to your instructor the following files:
• Activity_08-1_Examiner_Notes.xlsx
• Activity_08-1-Report.xlsx
• Activity_08-1_nnn-_1.XLS
• Activity_08-1_nnn-_51.XLS
• Activity_08-1_nnn-gametour2.exe
• Activity_08-1_nnn-gametour3.exe
• Activity_08-1_nnn-gametour4.exe


Solution Guidance: This activity is designed to show students how to perform an initial search for unknown data files and then how to refine a second search to reduce the number of hits from the first search. Students should extract the files returned by the refined search and list those files in an Autopsy-generated Excel report. For examples of the files that students will submit, see the following solution files:
• Solution_Activity_08-1_Examiner_Notes.pdf
• Solution_Activity_08-1-Report_Summary_Sheet_Tab.pdf
• Solution_Activity_08-1-Report_Tagged_Files_Sheet_Tab.pdf

Confirm that students exported the correct files from Autopsy by opening each exported file in a hexadecimal editor and comparing its contents to the header screenshot in the associated PDF:
• Activity_08-1_nnn-_1.XLS: compare with Solution_Activity_08-1_181-_1.pdf
• Activity_08-1_nnn-_51.XLS: compare with Solution_Activity_08-1_201-_51.pdf
• Activity_08-1_nnn-gametour2.exe: compare with Solution_Activity_08-1_212-gametour2.pdf
• Activity_08-1_nnn-gametour3.exe: compare with Solution_Activity_08-1_214-gametour3.pdf
• Activity_08-1_nnn-gametour4.exe: compare with Solution_Activity_08-1_216-gametour4.pdf

Note that the file Activity_08-1-Report.xlsx will only have data on the Summary and Tagged Files tabs.

Activity 8-2
Estimated Time: 30 minutes
Objective: Create a viewable JPEG file by reconstructing its header with the correct hexadecimal values.
Before You Begin:
• Complete Activity 8-1.
• Create Work folder C:\Work\Module_08\Activity_08-2.
• Download to your Work folder the following files provided with the module:
  • Activity_08-2_212-gametour2.exe
  • Activity_08-2_Examiner_Notes.xlsx
• Access the following item: the hexadecimal editor HxD

For this activity, you will use the hexadecimal editor HxD to reconstruct the header of a JPEG file that has been intentionally corrupted. To accomplish this task, complete the following steps:


1. Open the file Activity_08-2_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner's Name field and, in the Case Name and Case Number fields, type Activity_08-2.
2. Start HxD. If the UAC window appears, click Yes. Click File and then Open. In the Open window, navigate to your Work folder, click Activity_08-2_212-gametour2.exe, and then click Open.
3. In the main screen of HxD, place the cursor at offset 0x00000000 and type FF D8 FF E0, as shown in Figure 8-24. Make sure HxD is in overwrite mode (shown in the status bar; the Insert key toggles it) so that the new bytes replace the damaged ones rather than shifting the rest of the file.
[Figure 8-24 Corrected header]
4. Reposition the cursor to offset 0x00000006 and type 4A.
5. Click File and then Save As. In the Save As window's File name input box, type Activity_08-2-Recovered-212-gametour2.jpg, navigate to your Work folder, and click Save.
6. Using File Explorer, navigate to your Work folder and double-click the file Activity_08-2-Recovered-212-gametour2.jpg to verify the recovery, and then close the viewer application.
Note 10
After you repair a graphics file header, you can test the updated file by opening it in an image viewer, such as Windows Photo Viewer, IrfanView, ThumbsPlus, QuickView, or ACDSee. If the file displays the image, as shown in Figure 8-25, you have performed the recovery correctly.
[Figure 8-25 Recovered file]
7. Update and save the file Activity_08-2_Examiner_Notes.xlsx, and then exit the spreadsheet application and HxD.
8. When finished, submit to your instructor the following files:
• Activity_08-2_Examiner_Notes.xlsx
• Activity_08-2-Recovered-212-gametour2.jpg

Tip
Every two hexadecimal digits you entered in the previous steps represent one byte, which is one ASCII character. For example, an uppercase A has the hexadecimal value 41 and a lowercase a has the hexadecimal value 61. Most disk editors have a reference chart for converting hexadecimal values to ASCII characters, such as the one shown in Figure 8-26.
[Figure 8-26 ASCII equivalents of hexadecimal values]

Solution Guidance: This activity is designed to give students experience using a hexadecimal editor to reconstruct a damaged JPEG file's header. Successful completion of this activity will produce a JPEG file with an image of a kayak frame. Examiner notes should list every step taken by the student to correctly recover this file. For examples of the two files students will submit, see the following solution files:
• Solution_Activity_08-2_Examiner_Notes.pdf
• Solution_Activity_08-2-Recovered-212-gametour2.pdf
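The two activities above amount to a signature check and a byte-level repair. The following script is an added example, not code from the textbook, Autopsy, or HxD: it detects files whose JFIF header was overwritten as described in Activity 8-1 (offsets 0 to 3 and offset 6 replaced with the letter z, 0x7A), locates them in a raw image with a sector-aligned scan, and restores the original bytes the way Activity 8-2 does by hand. The sample JFIF file is constructed for the example and is not one of the module's files.

```python
# Added example for Activities 8-1 and 8-2 (not code from the textbook, Autopsy or
# HxD): detect JPEG/JFIF files whose header was overwritten the way the activity
# describes (offsets 0-3 and offset 6 replaced with "z", 0x7A) and restore the
# original bytes. The sample JFIF below is constructed, not a file from the module.
import struct

SOI_APP0 = b"\xff\xd8\xff\xe0"   # SOI marker followed by the APP0 (JFIF) marker
JFIF_ID = b"JFIF\x00"            # JFIF identifier at offsets 6-10
EOI = b"\xff\xd9"                # End Of Image marker

# Constructed minimal JFIF: SOI, APP0 (length 16), version 1.1, no density units,
# 1x1 density, no thumbnail, then EOI. Real files carry frame and scan data too.
GOOD_JFIF = (SOI_APP0 + b"\x00\x10" + JFIF_ID + b"\x01\x01" + b"\x00"
             + b"\x00\x01\x00\x01" + b"\x00\x00" + EOI)

def corrupt_header(data: bytes) -> bytes:
    """Reproduce the alteration seen in Activity 8-1: "zzzz" at offsets 0-3 and
    "z" at offset 6, so the file reads zzzz..zFIF and carries no JPEG signature."""
    buf = bytearray(data)
    buf[0:4] = b"zzzz"
    buf[6] = 0x7A
    return bytes(buf)

def looks_like_altered_jfif(data: bytes) -> bool:
    """True if the first bytes match the zzzz..zFIF pattern from Figure 8-20."""
    return (len(data) >= 11 and data[0:4] == b"zzzz"
            and data[6] == 0x7A and data[7:11] == b"FIF\x00")

def repair_jfif_header(data: bytes) -> bytes:
    """Activity 8-2 in code: write FF D8 FF E0 at offset 0 and 4A ("J") at offset 6.
    Bytes are overwritten in place; nothing is inserted or shifted."""
    buf = bytearray(data)
    buf[0:4] = SOI_APP0
    buf[6] = 0x4A
    return bytes(buf)

def is_valid_jfif(data: bytes) -> bool:
    """Sanity check after repair: SOI/APP0 markers, a plausible APP0 length (at
    least 16), the JFIF identifier, and an EOI marker at the end of the file."""
    if len(data) < 20 or data[0:4] != SOI_APP0:
        return False
    app0_len = struct.unpack(">H", data[4:6])[0]
    return app0_len >= 16 and data[6:11] == JFIF_ID and data[-2:] == EOI

def scan_for_altered_headers(image: bytes, sector: int = 512) -> list:
    """Sector-aligned scan of a raw image for the altered signature: the same idea
    as the "zzzz" keyword search in Activity 8-1, without the false hits that a
    substring search for "fif" produces."""
    hits = []
    for off in range(0, len(image) - 11, sector):
        if looks_like_altered_jfif(image[off:off + 11]):
            hits.append(off)
    return hits

def demo() -> dict:
    """Corrupt the constructed sample, place it in sector 1 of a two-sector image,
    find it, repair it, and confirm the repaired bytes equal the original."""
    damaged = corrupt_header(GOOD_JFIF)
    image = (b"\x00" * 512 + damaged).ljust(1024, b"\x00")
    hits = scan_for_altered_headers(image)
    repaired = repair_jfif_header(image[hits[0]:hits[0] + len(damaged)])
    return {"hits": hits,
            "damaged_valid": is_valid_jfif(damaged),
            "repaired_valid": is_valid_jfif(repaired),
            "repaired_equals_original": repaired == GOOD_JFIF}

if __name__ == "__main__":
    print(demo())
```

The check in is_valid_jfif is deliberately shallow: it confirms the markers an examiner fixes by hand, not that the compressed image data decodes. Opening the repaired file in a viewer, as Note 10 says, remains the real test, and a file with the right header but damaged scan data will still fail there.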


Review Questions - Answers

1. The process of converting raw images to another format is called which of the following?
a. Data conversion
b. Transmogrification
c. Transfiguring
d. Demosaicing
Answer: d. Demosaicing
Explanation: The process used by many digital cameras to convert raw sensor data to a standard graphics format, such as JPEG, is known as demosaicing.

2. What are the hexadecimal values of a TIF file in little endian? (Choose all that apply.)
a. 0x49 0x49 0x2A 0x00
b. 0xFF 0xD8 0xFF 0xE0
c. 0xFF 0xD8 0xFF 0xE1
d. 0x50 0x4B 0x03 0x04
Answer: a. 0x49 0x49 0x2A 0x00
Explanation: The first four bytes of a little-endian TIF file are II (0x49 0x49), followed by the value 42 stored as a little-endian 16-bit number (0x2A 0x00). A big-endian TIF file starts with MM (0x4D 0x4D) followed by 0x00 0x2A instead. The header values for the other answer options are as follows:
Answer b. 0xFF 0xD8 0xFF 0xE0 = JPEG (JFIF) file
Answer c. 0xFF 0xD8 0xFF 0xE1 = Exif JPEG file
Answer d. 0x50 0x4B 0x03 0x04 = compressed data file, such as ZIP

3. Many digital picture formats use data compression to accomplish which of the following goals? (Choose all that apply.)
a. Save space on a hard drive.
b. Provide a crisp and clear image.
c. Eliminate redundant data.
d. Produce a file that can be emailed or posted on the Internet.
Answer: a. Save space on a hard drive.
Explanation: Digital images contain a large amount of information, which produces very large files. Many graphics formats use compression to minimize the size of the file.

4. Portable Network Graphic (.png) files use which of the following types of compression? (Choose all that apply.)
a. WinZip
b. Lossy
c. Lzip
d. Lossless


Answer: d. Lossless
Explanation: To ensure that graphics data is unchanged, the PNG image file format uses lossless compression.

5. A JPEG file uses which type of compression? (Choose all that apply.)
a. WinZip
b. Lossy
c. Lzip
d. Lossless
Answer: b. Lossy
Explanation: JPEG was developed to further reduce picture file size. The tradeoff is that JPEG files use lossy rather than lossless compression. Lossy compression reduces file size by permanently discarding bits of information in the file. Some discarded bits are redundant, but others are not.

6. Steganography is used for which of the following purposes? (Choose all that apply.)
a. Validating data
b. Hiding data
c. Accessing remote computers
d. Creating strong passwords
Answer: b. Hiding data
Explanation: The only purpose of steganography is to conceal data. Secret messages can be added to a file and revealed only by using the steganography application that was used to embed them.

7. Which of the following might indicate that steganography was used to hide data? (Choose all that apply.)
a. Multiple copies of the same graphics file that have different hash values
b. Graphics files with the same name but different file sizes
c. Steganography programs in the suspect computer's All Programs list
d. Graphics files with different timestamps
Answer: a. Multiple copies of the same graphics file that have different hash values; b. Graphics files with the same name but different file sizes; c. Steganography programs in the suspect computer's All Programs list
Explanation: Answers a, b, and c are some of the clues that might indicate steganography has been used to hide data. Answer d ("Graphics files with different timestamps") is not a significant clue because the timestamp is stored in a file's metadata, such as its $MFT record, and is not part of the file's content.

8. In steganalysis, cover-media is which of the following?
a. The content of a file used for a steganography message
b. The type of steganographic method used to conceal a message
c. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
d. A specific type of graphics file used only for hashing steganographic files


Answer: c. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
Explanation: The cover-media file is the carrier that contains the hidden steganographic message.

9. Which of the following methods are used for digital watermarking? (Choose all that apply.)
a. Implanted subroutines that link to a central web server automatically when the watermarked file is accessed
b. Invisible modification of the LSBs in the file
c. Layering visible symbols on top of the image
d. Using a hex editor to alter the image data
Answer: b. Invisible modification of the LSBs in the file; c. Layering visible symbols on top of the image
Explanation: Digital watermarks are designed to be discreet so that the markings do not interfere with the data. Discreet methods include encoding patterns in the least significant bits (LSBs) of the file's bytes and superimposing another slightly shaded graphic on top of the picture.

10. You're using Windows Disk Management to view primary and extended partitions on a suspect drive through a write-blocker. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? (Choose all that apply.)
a. The disk is corrupted.
b. There might be a hidden or deleted partition.
c. Nothing; this is what you'd expect to see.
d. The drive is formatted incorrectly.
Answer: b. There might be a hidden or deleted partition.
Explanation: When Disk Management reports an extended partition larger than the logical partitions it contains, the unaccounted-for space may hold a partition that is hidden or was deleted. The examiner should inspect that unallocated space for data of interest to the case. Most digital forensics tools can identify deleted or hidden partitions.

11. If an application uses salting when creating passwords, what factors should a forensics examiner consider when attempting to recover passwords? (Choose all that apply.)
a. There are no concerns because salting doesn't affect password-recovery tools.
b. Salting can make password recovery extremely difficult and time consuming.
c. Salting applies only to OS start-up passwords, so there are no serious concerns for examiners.
d. The effect on the computer's CMOS clock could alter files' date and time values.


Answer: b. Salting can make password recovery extremely difficult and time consuming.
Explanation: A salt is extra data combined with the password before it is hashed and stored alongside the hash. Because the same password produces a different hash under every salt, precomputed hash tables cannot be reused, and each salted hash has to be attacked separately, which makes recovery far slower.

12. Which of the following methods would likely be most successful when attempting to gain access to a password-protected file found on a computer? (Choose all that apply.)
a. Solicit the password from the suspect.
b. Use a brute-force attack on the password-protected file.
c. Use a dictionary attack on the password-protected file.
d. Use a tool to build a password profile of the suspect to attack the password-protected file.
Answer: d. Use a tool to build a password profile of the suspect to attack the password-protected file.
Explanation: Of the options presented, an examiner should first consider using a tool to build a password profile of the suspect. Building a profile, in which the examiner gives the tool the suspect's documents to index, lets it try the specific words and phrases the suspect actually uses, which gives a higher probability of recovering the password. A brute-force attack will eventually succeed but can take weeks, years, or even decades. A dictionary attack may succeed if the suspect used a common word; it is worth attempting because clustered modern computers can try every word in a dictionary in minutes, but it is not guaranteed to work.

13. Rainbow tables serve what purpose for digital forensics examinations? (Choose all that apply.)
a. Contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords
b. Supplement the NIST NSRL library of hash tables
c. Enhance the search capability of many digital forensics examination tools
d. Provide a scoring system for probable search terms.
Answer: a. Contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords
Explanation: Many systems store passwords only as hash values. A rainbow table is a precomputed table of hashes (stored as chains to save space) covering a large set of candidate passwords, so recovering an unsalted password becomes a lookup of the stored hash rather than hashing every candidate at attack time, which is much faster. Because a salt changes the hash for every salt value, rainbow tables are ineffective against properly salted hashes.
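Questions 11 through 13 describe the same trade-off from three sides. The following script is an added example, not from the textbook or any password-recovery product: a plain precomputed digest-to-password dictionary stands in for a rainbow table, recovers an unsalted password in a single lookup, returns nothing for a salted hash of the same password, and shows that the examiner then has to rehash every candidate with that specific salt. The candidate list (the kind a password-profile tool would build from the suspect's documents) and the salt are constructed for the example.

```python
# Added example for Review Questions 11-13 (not from the textbook or any
# password-recovery product): a precomputed hash table, standing in for a rainbow
# table, recovers an unsalted password with one lookup but returns nothing for a
# salted hash, so the examiner must rehash every candidate with that salt instead.
import hashlib

# Constructed candidates: the sort of list a password-profile tool builds from the
# suspect's own documents and e-mail (Review Question 12).
CANDIDATES = ["kayak", "westparkinglot", "gametour2", "Odessey11", "summer2024"]

# Constructed 16-byte salt. In a real system it is random per account and stored
# beside the hash; it is not secret, it only defeats precomputation.
SALT = bytes.fromhex("8f1c2a7d4e6b9035a1b2c3d4e5f60718")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_unsalted(password: str) -> str:
    return sha256_hex(password.encode())

def hash_salted(password: str, salt: bytes) -> str:
    """Salt is mixed in before hashing, so the same password yields a different
    digest under every salt. Plain SHA-256 keeps the example short; real systems
    use a deliberately slow KDF such as PBKDF2, bcrypt or scrypt."""
    return sha256_hex(salt + password.encode())

def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password once. A real rainbow table stores hash chains
    rather than every pair to save space, but the attack-time work is the same:
    look the stored hash up, hash nothing."""
    return {hash_unsalted(p): p for p in candidates}

def lookup_attack(table: dict, stored_hash: str):
    """One dictionary probe; no hashing at attack time."""
    return table.get(stored_hash)

def dictionary_attack_salted(candidates, salt: bytes, stored_hash: str):
    """With a salt the precomputed table is useless: each candidate has to be
    rehashed with this specific salt, and the work repeats for every account
    because every account has its own salt (Review Question 11)."""
    for p in candidates:
        if hash_salted(p, salt) == stored_hash:
            return p
    return None

def demo(secret_password: str = "gametour2") -> dict:
    """Attack an unsalted and a salted hash of the same password."""
    table = build_lookup_table(CANDIDATES)
    unsalted = hash_unsalted(secret_password)
    salted = hash_salted(secret_password, SALT)
    return {
        "table_hit_unsalted": lookup_attack(table, unsalted),
        "table_hit_salted": lookup_attack(table, salted),
        "dictionary_hit_salted": dictionary_attack_salted(CANDIDATES, SALT, salted),
    }

if __name__ == "__main__":
    print(demo())
```

The dictionary attack succeeds here only because the password is on the constructed candidate list, which is the point of building a profile from the suspect's own material (Question 12). Against a real slow KDF the per-candidate cost rises by orders of magnitude, which is what makes salted recovery "extremely difficult and time consuming" rather than merely tedious.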


14. Which would be the most appropriate resource for identifying an unknown graphics file format that a digital forensics analysis tool does not recognize? (Choose all that apply.)
a. The senior digital forensics examiner
b. The NSRL
c. The Intranet
d. The Internet
Answer: d. The Internet
Explanation: An online search is the best way to learn more about file formats and their extensions. A query such as "file type" or "file format" returns current websites that document file extensions and header signatures.

15. When you carve a graphics file, recovering the image depends on which of the following skills? (Choose all that apply.)
a. Recovering the image from a tape backup
b. Recognizing the pattern of the data content
c. Recognizing the pattern of the file header content
d. Recognizing the pattern of a corrupt file
Answer: c. Recognizing the pattern of the file header content
Explanation: A digital forensics examiner must be familiar with the many types of header data. Internet resources that document file header signatures are an excellent reference to consult when encountering unknown file types.

16. Which of the following groups of hexadecimal numbers are the header values of a JPEG file? (Choose all that apply.)
a. 0x89, 0x50, 0x4E, 0x47
b. 0xFF, 0xD8, 0xFF, 0xE0
c. 0xFF, 0xD8, 0xFF, 0xE1
d. 0x00, 0x00, 0x00, 0x14
Answer: b. 0xFF, 0xD8, 0xFF, 0xE0
Explanation: All JPEG file formats share the same first three bytes. For a standard (JFIF) JPEG file, the fourth byte is 0xE0. For Exif files, the fourth byte is 0xE1. If an Exif file is converted to a regular JPEG file, its first four bytes will match answer b (0xFF, 0xD8, 0xFF, 0xE0); such a converted file carries the original Exif data at offset 0x18, immediately after the 18-byte JFIF APP0 segment and the APP1 marker and length. For the other answer options: answer a (0x89 "PNG") is a .png file, answer c is an Exif file, and answer d is a .mov file.

17. Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
a. Any graphics files
b. Files associated with an application
c. System files the OS uses
d. Any files pertaining to the company


Answer: b. Files associated with an application; c. System files the OS uses
Explanation: By matching files against known-good hash values, a digital forensics examiner can reduce the number of unknown files that must be examined. This saves a significant amount of time during an examination.

18. Exterro's AccessData Known File Filter (KFF) database can be used for which of the following purposes? (Choose all that apply.)
a. Filter known program files from view.
b. Calculate hash values of image files.
c. Compare hash values of known files with evidence files.
d. Filter out evidence that doesn't relate to your investigation.
Answer: a. Filter known program files from view; c. Compare hash values of known files with evidence files
Explanation: The commercially available KFF database, available only in Exterro's AccessData FTK, filters both known-good files and known-bad files (contraband or malware). This filtering quickly identifies files of interest.

19. The National Software Reference Library (NSRL) provides what type of resource for digital forensics examiners? (Choose all that apply.)
a. A list of digital forensics tools that make examinations easier
b. A list of MD5 and SHA1 hash values for all known OSs and applications
c. Reference books and materials for digital forensics
d. A repository for software vendors to register their developed applications
Answer: b. A list of MD5 and SHA1 hash values for all known OSs and applications
Explanation: The NSRL library provides MD5 and SHA1 hashes of known-good files. Although MD5 and SHA1 are known to be vulnerable to deliberately constructed collisions, an accidental collision with a known-good file is not a practical concern for filtering; if a match is in doubt, a byte-for-byte comparison of the suspected file settles it. Stronger algorithms such as SHA256 cost more CPU cycles per file, so hashing every file in a forensic image with them takes longer.

20. Block-wise hashing has which of the following benefits for forensics examiners? (Choose all that apply.)
a. Allows validating sector comparisons between known files
b. Provides a faster way to shift bits in a block or sector of data
c. Verifies the quality of OS files
d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect drive
Answer: d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect drive
Explanation: Block-wise hashing provides a way to quickly determine whether a fragment of data belongs to a known file. By hashing each sector of the known file and comparing those hashes with the sectors of the suspect drive, matching sectors show that at least that part of the file was present on the media, even if the file was deleted and partially overwritten.
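The technique in Question 20, as an added example that is not code from the textbook or any forensics tool: each 512-byte sector of a known file is hashed into a lookup table, then every sector of a suspect image is hashed and compared, reporting the offsets where sectors of the known file survive even though the file itself is gone and one of its sectors has been overwritten. The known file and the suspect image are constructed byte strings. One caveat a practitioner runs into is handled explicitly: sectors made of a single repeated byte (all zeros, all 0xFF) occur throughout free and slack space and would match meaninglessly, so they are excluded from the table.

```python
# Added example for Review Question 20 (not from the textbook or any forensics
# tool): block-wise hashing. Every 512-byte sector of a known file is hashed, then
# every sector of a suspect image is hashed and compared, so remnants of the file
# are found even after it was deleted and partly overwritten. The known file and
# the image are constructed byte strings.
import hashlib

SECTOR = 512

def _sha256(chunk: bytes) -> str:
    return hashlib.sha256(chunk).hexdigest()

def sector_hashes(known: bytes, sector: int = SECTOR) -> dict:
    """Map digest -> sector index for each sector of the known file. A trailing
    partial sector is zero-padded, as it is on disk. Sectors made of a single
    repeated byte (all zeros, all 0xFF) are skipped: they occur in slack and free
    space everywhere and a match would prove nothing."""
    table = {}
    for idx in range(0, len(known), sector):
        chunk = known[idx:idx + sector].ljust(sector, b"\x00")
        if len(set(chunk)) == 1:
            continue
        table[_sha256(chunk)] = idx // sector
    return table

def find_remnants(image: bytes, known: bytes, sector: int = SECTOR) -> list:
    """Return (image_offset, known_sector_index) for every image sector whose hash
    matches a sector of the known file. The scan is sector-aligned, so the image
    sector size must match the block size the hashes were built with."""
    table = sector_hashes(known, sector)
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        digest = _sha256(image[off:off + sector])
        if digest in table:
            hits.append((off, table[digest]))
    return hits

def _filled(label: str) -> bytes:
    """Constructed sector content: a label repeated to fill exactly one sector."""
    return (label.encode() * SECTOR)[:SECTOR]

# Constructed known file: four sectors, the third of which is all zeros.
KNOWN_FILE = (_filled("known sector 0 ") + _filled("known sector 1 ")
              + b"\x00" * SECTOR + _filled("known sector 3 "))

# Constructed suspect image: eight sectors of mostly free space. Known sectors 0
# and 1 survive at image sectors 2 and 3, known sector 3 survives at image sector
# 6, and known sector 2 was overwritten (and would be indistinguishable from free
# space anyway).
SUSPECT_IMAGE = (b"\x00" * SECTOR * 2 + KNOWN_FILE[0:2 * SECTOR]
                 + b"\x00" * SECTOR * 2 + KNOWN_FILE[3 * SECTOR:4 * SECTOR]
                 + b"\x00" * SECTOR)

def demo() -> list:
    return find_remnants(SUSPECT_IMAGE, KNOWN_FILE)

if __name__ == "__main__":
    for offset, idx in demo():
        print(f"image offset {offset:#x} matches known-file sector {idx}")
```

Three of the four known sectors are found at image offsets 0x400, 0x600 and 0xC00, and the six zero-filled image sectors produce no hits. On a real file system the hashing block size and alignment should match the cluster size and data start of the volume, since a fragment stored at a different alignment will never hash to the same value.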


21. What is the first step when initiating a digital forensics examination? (Choose all that apply.)
a. Identify needs of the examination.
b. Select the appropriate acquisition tool.
c. Wipe the target drives for the acquisition.
d. Properly preserve the evidence.
Answer: d. Properly preserve the evidence.
Explanation: The most important task in any investigation is to secure the evidence so that it is preserved from corruption or loss. Preservation should be done as soon as possible, especially for solid-state drives, where the device's own wear-leveling and TRIM functions can wipe deleted data without any action by the user.

Hands-On Projects - Solutions

Project 8-1
Estimated Time: 45 minutes
Objective: Recover a JPEG file from a deleted partition.
Before You Begin:
• Create Work folder C:\Work\Module_08\Project_08-1.
• Download to your Work folder the following data files provided with the module:
  • Project_08-1_Examiner_Notes.xlsx
  • Project_08-1_Partition_Recovery.E01
• Access the following item: Autopsy for Windows

Your manager has directed you to examine a digital forensics image file named Project_08-1_Partition_Recovery.E01 to see if you can recover a file named Surveil-westparkinglot08.jpg. If you locate this file, you will need to obtain as much of its metadata as possible. While conducting this examination, make notes in the file Project_08-1_Examiner_Notes.xlsx to document the steps you take along with information about the file's metadata. When you have completed the examination, you will also need to generate an Autopsy report. Perform the following steps to complete this project:
1. Open the file Project_08-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner's Name field and, in the Case Name and Case Number fields, type Project_08-1.
2. Start Autopsy for Windows. If the UAC window appears, click Yes.
3. In Autopsy's Welcome window, click the New Case button. In the New Case Information window, enter Project_08-1 in the Case Name text box and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type and then click Next.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

13


Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 8: Media Files and Digital Forensics

4. In the Optional Information window, type Project_08-1 in the Case Number text box and your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard.
5. In the Select Type of Data Source To Add area of the Add Data Source window, click the Disk Image or VM File button and then click Next.
6. In the Select Data Source pane, click Browse and, in the Select Local Files or Folders window, navigate to your Work folder. In the Open window, click Project_08-1_Partition_Recovery.E01, click Open, and then click Next in the Select Data Source pane.
7. In the Configure Ingest area of the Add Data Source window, click Deselect All and then click the check boxes for:
• File Type Identification
• Extension Mismatch Detector
• Picture Analyzer
• Keyword Search
• PhotoRec Carver
Click Next and then click Finish.
8. In your examiner notes, add a statement in cell C8 indicating that you started Autopsy and loaded the file Project_08-1_Partition_Recovery.E01. An example entry would be “Started Autopsy and added forensic image file Project_08-1_Partition_Recovery.E01 using Autopsy for Windows, version 4.18.0.”
Note 12
Autopsy will take several minutes to complete the ingest processing. Before proceeding to the next step, wait until Autopsy finishes, which is indicated in the lower-right corner of the application window.
9. When the ingest completes, click the Keyword Search button and, in the search input box, type Surveil-westparkinglot08. Click the Exact Match button and then Search.
10. In Autopsy’s Tree Viewer pane, click the plus/minus signs to expand Keyword Hits and then click Single Literal Keyword. Click Surveil-westparkinglot08.jpg.
11. In the Result Viewer pane, press and hold the Ctrl key and then click the following files:
• Surveil-westparkinglot08.jpg
• Surveil-westparkinglot08.jpg:Zone.Identifier
• f0003377.mft
• f0006902.mft
12. Once all four files are selected, right-click the first selected file, click Add File Tags, and then click Follow Up in the dropdown menu.
13. Right-click the first of the four selected files again and click Export selected rows to CSV in the dropdown menu. In the Save window, click Save and OK.
14. Right-click the first selected file and click Extract File(s). In the Save window, click Save and then OK in the dropdown menu to extract each file’s contents.


15. Click Generate Report and, in the Generate Report window’s Report Modules pane, click the Excel Report button. In the Header input box, type your name and, in the Footer input box, type Project 08-1. Click Next.
16. In the Generate Report window’s “Select which data source(s) to include” pane, click the check box for Project_08-1_Partition_Recovery.E01 and then click Next.
17. In the Generate Report window’s Configure Report pane, click the All Results button and then click Finish.
18. In the Generate Report window, click the Excel Report link to open and examine the report. Click the Tagged Files sheet tab (second-to-last sheet tab) to verify that all tagged Follow Up files are listed in the report.
19. In Excel, click File, Save As, and then Browse and navigate to your Work folder. In the File name input box, type Project_08-1_Excel_Report and click Save.
20. In Autopsy, click Close in the Report Generation Progress window and then, in Autopsy’s toolbar, click Case and then Exit to close Autopsy.
21. Update and complete your notes for this project in the examiner notes file and close all Excel files.
22. When finished, submit to your instructor the following files:
• Project_08-1_Examiner_Notes.xlsx
• Project_08-1_Excel_Report.xlsx

Solution Guidance: Students should have successfully located the file Surveil-westparkinglot08.jpg and three other associated files: Surveil-westparkinglot08.jpg:Zone.Identifier and the two $MFT record files (f0003377.mft and f0006902.mft). During the examination, the students may have noticed that the file Surveil-westparkinglot08.jpg produces an error when they attempt to open it. Students should also have noted that the first 4 bytes of the Surveil-westparkinglot08.jpg file’s header had been overwritten with the lowercase letter “y” rather than the standard EXIF header value of 0xFF, 0xD8, 0xFF, and 0xE1. Examples of the examiner notes and the Autopsy Excel report that students will submit can be found in the following solution files:
• Solution_Project_08-1_Examiner_Notes.pdf
• Solution_Project_08-1_Excel_Report_EXIF_Metadata_Sheet.pdf
• Solution_Project_08-1_Excel_Report_Extension_Mismatch_Detected_Sheet.pdf
• Solution_Project_08-1_Excel_Report_Keyword_Hits_Sheet.pdf
• Solution_Project_08-1_Excel_Report_Metadata_Sheet.pdf
• Solution_Project_08-1_Excel_Report_Summary_Sheet.pdf
• Solution_Project_08-1_Excel_Report_Tagged_Files_Sheet.pdf
• Solution_Project_08-1_Excel_Report_User_Content_Suspected_Sheet.pdf
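The header check described in the solution guidance, as an added example that is not part of the textbook or of Autopsy: a JPEG with an EXIF segment should begin FF D8 FF E1, and a file whose first 4 bytes read “yyyy” while the Exif identifier at offset 6 is still intact is the signature of an overwritten header. The functions report the damage and restore the header on a copy; the sample bytes are constructed, not the project’s file.

```python
"""Detect and repair an overwritten JPEG/EXIF header (added example, constructed data)."""
import hashlib

SOI = b"\xff\xd8"             # Start Of Image marker
APP1 = b"\xff\xe1"            # APP1 marker that carries the EXIF segment
EXIF_ID = b"Exif\x00\x00"     # identifier at the start of the APP1 payload
EOI = b"\xff\xd9"             # End Of Image marker
EXPECTED_HEADER = SOI + APP1  # the 4 bytes the solution guidance refers to


def inspect_header(data: bytes) -> dict:
    """Report whether the first 4 bytes look like a valid EXIF JPEG header.

    A file with a damaged marker sequence at offset 0 but the Exif identifier
    still at offset 6 has an intact body; only the signature that file-type
    identification relies on has been changed.
    """
    head = data[:4]
    return {
        "header_hex": head.hex(),
        "header_ok": head == EXPECTED_HEADER,
        "exif_id_present": data[6:12] == EXIF_ID,
        "eoi_present": data.endswith(EOI),
        # Offsets within the first 4 bytes that differ from the expected value.
        "damaged_offsets": [i for i in range(4) if data[i:i + 1] != EXPECTED_HEADER[i:i + 1]],
    }


def repair_header(data: bytes) -> bytes:
    """Return a copy with the standard FF D8 FF E1 header restored.

    Repair is only attempted when the Exif identifier is still in place, so no
    structure is invented for a file that never was an EXIF JPEG. The input
    (the extracted evidence copy) is never modified.
    """
    report = inspect_header(data)
    if report["header_ok"]:
        return bytes(data)
    if not report["exif_id_present"]:
        raise ValueError("APP1 payload does not start with Exif\\0\\0; refusing to guess a header")
    return EXPECTED_HEADER + data[4:]


def md5_hex(data: bytes) -> str:
    """MD5 of a buffer, so both the original and the repaired copy can be documented in the notes."""
    return hashlib.md5(data).hexdigest()


def build_sample_jpeg() -> bytes:
    """Constructed minimal EXIF JPEG: SOI, one APP1 segment, EOI. Not a real photo."""
    payload = EXIF_ID + b"II*\x00\x08\x00\x00\x00\x00\x00"  # Exif id + empty little-endian TIFF header
    length = (len(payload) + 2).to_bytes(2, "big")        # APP1 length includes its own 2 length bytes
    return SOI + APP1 + length + payload + EOI


def build_damaged_sample() -> bytes:
    """The constructed JPEG with its first 4 bytes overwritten with 'y', as in Project 8-1."""
    return b"yyyy" + build_sample_jpeg()[4:]


if __name__ == "__main__":
    damaged = build_damaged_sample()
    print("before:", inspect_header(damaged))
    fixed = repair_header(damaged)
    print("after: ", inspect_header(fixed))
    print("md5 original:", md5_hex(damaged))
    print("md5 repaired:", md5_hex(fixed))
```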


Project 8-2
Estimated Time: 10 minutes
Objective: Extract a deleted partition from a physical disk image file and save it as a partition disk image file.
Before You Begin:
• Create Work folder C:\Work\Module_08\Project_08-2.
• Download to your Work folder the following data files provided with the module:
  • Project_08-2_Examiner_Notes.xlsx
  • Project_08-2_Partition_Recovery.E01
• Access the following item:
  • FTK Imager

This project shows you how to create an image file of a deleted disk partition from a disk drive. Complete the following steps:
1. Open the file Project_08-2_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_08-2.
2. Start FTK Imager. If the UAC window appears, click Yes.
3. In FTK Imager, click File and Add Evidence Item. In the Select Source window, click the Image File button and then Next.
4. In the Select File window, click Browse and navigate to your Work folder. In the Open window, click Project_08-2_Partition_Recovery.E01. Click Open and then Finish.
5. In the Evidence Tree pane of FTK Imager, click the plus sign next to Project_08-1_Partition_Recovery.001 and then click to highlight [Recovered] Partition 1 [10MB].
6. Click File and Export Disk Image and then, in the Create Image window, click Add. In the Select Image Type window, click Raw (dd) and then Next.
7. In the Evidence Item Information window, enter the following information in the appropriate input boxes:
Case Number: Project_08-2-Recovered-Deleted-Part.001
Evidence Number: Project_08-2-Recovered-Deleted-Part.001
Unique Description: Deleted partition recovery
Examiner: your name
Notes: Image creation of deleted partition from image file Project_08-2_Partition_Recovery.E01
8. When you have finished entering the evidence information, click Next.
9. In the Select Image Destination window, click Browse and navigate to your Work folder. In the Image Filename (Excluding Extension) input box, type Project_08-2-Recovered-Deleted-Part and then click Finish.


10. In the Create Image window, click the Verify images after they are created check box. Click Start and then Close in the Drive/Image Verify Results window. Click Close again in the Creating Image window.
11. Exit FTK Imager and update and complete your notes for this project in the examiner notes file.
12. When finished, submit to your instructor the following files:
• Project_08-2_Examiner_Notes.xlsx
• Project_08-2-Recovered-Deleted-Part.001
• Project_08-2-Recovered-Deleted-Part.001.txt

Solution Guidance: Upon completion of this project, students should have created a partition disk image of the deleted partition from the physical disk image file Project_08-2_Partition_Recovery.E01. Students should also provide the output file Project_08-2-Recovered-Deleted-Part.001.txt created by FTK Imager from this recovery acquisition. For examples of the files created for this project, see the following solution files:
• Solution_Project_08-2_Examiner_Notes.pdf
• Solution_Project_08-2-Recovered-Deleted-Part-001-txt.pdf
To verify that the student successfully created an image of the partition, compute an MD5 hash of the student’s submitted file Project_08-2-Recovered-Deleted-Part.001 and compare it with the MD5 hash value recorded in the student’s file Project_08-2-Recovered-Deleted-Part.001.txt.

Project 8-3
Estimated Time: 30 minutes
Objective: Install the latest version of the NSRL database and then the known hash values for this book’s projects into Autopsy.
Before You Begin:
• Create Work folder C:\Work\Module_08\Project_08-3.
• Download to your Work folder the following data files provided with the module:
  • Project_08-3_Examiner_Notes.xlsx
  • Project_08-3_Known-Project-Hashes.csv
• Access the following items:
  • NSRL-nnnm-computer-Autopsy.zip (download the most current version to your Work folder at sourceforge.net/projects/autopsy/files/NSRL)
  • Autopsy for Windows

For this project, you will install into Autopsy the following two items:
• The most current version of the NSRL database
• Hashes of the pseudo-Windows system files used in these projects


This project is divided into two sections. The first section instructs you on how to add the NSRL database to Autopsy. The second section instructs you on how to add another hash set, the pseudo-Windows system file hashes, to Autopsy.
Note 13
Many of the digital forensics images used throughout this book are designed to simulate a Windows boot drive. These images contain fake system files that contain no data, or only data related to the specific projects. This is done to give the appearance that you are looking at a real Windows boot drive. When you apply the NSRL database to these fake forensics image files, Autopsy will flag them as suspicious. To avoid this, when analyzing project image files, use the hashes listed in the file Known-Pseudo-Project-Hashes.csv rather than the NSRL database.
Section One: Installing the NSRL database into Autopsy
Complete the following steps:
1. Open the file Project_08-3_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_08-3.
2. From File Explorer, navigate to your Work folder and extract NSRL-nnnm-computer-Autopsy.zip to its own subfolder in your Work folder.
3. Start Autopsy for Windows. If the UAC window appears, click Yes. In the Welcome window, click Close and then click Tools and then Options from the menu. In the Options window, click the Hash Sets icon to open the window shown in Figure 8-27.
[Figure 8-27 The Hash Database options]
4. Click the Import Hash Set button to open the Import Hash Database dialog box (see Figure 8-28). Click Open, navigate to your Work folder’s subfolder NSRL-nnnm-computer-Autopsy, and click the file NSRL-nnnm-computer.txt-md5.idx. Click Open and then click OK.
[Figure 8-28 The Import Hash Database dialog box]
Note 14
Each edition of the NSRL hash database contains a version number in its file name; in Figure 8-29, for example, the version number is 278. When installing this database, use the one with the highest version number in its file name.
[Figure 8-29 Added NSRL database in Autopsy]
5. In the Options window, click OK to finish the installation. Exit your web browser and leave Autopsy running for the next section of this project.
Section Two: Creating and installing the file Project_08-3_Known-Pseudo-Project-Hashes.csv in Autopsy
To add the Project_08-3_Known-Pseudo-Project-Hashes.csv hashes, complete the following steps:


1. In the Hash Sets window, click New Hash Set. In the Create Hash Set window, click the Local button and, in the Name input box, type Project_08-3_Known-Pseudo-Project-Hashes.csv to create a hash index file in Autopsy.
2. In the Hash Set Path, click Save As, and then, in the Save window, click Save to create the hash database Project_08-3_Known-Pseudo-Project-Hashes.csv.kdb.
3. In the Type section of the Create Hash Set window, click the Known button, uncheck the Send ingest messages for each hit check box (as shown in Figure 8-30), and click OK.
[Figure 8-30 Create Hash Set window]
4. Using File Explorer, navigate to your Work folder and open the file Project_08-3_Known-Pseudo-Project-Hashes.csv with Notepad or your preferred text editor.
5. If using Notepad, click Edit and Select All. Click Edit again and then click Copy.
6. In Autopsy, make sure that Project_08-3_Known-Pseudo-Project-Hashes.csv is selected in the Hash Sets pane, and then, in the Hash Set Details section of the Hash Set window, click Add Hashes to Hash Set.
7. In the Add Hashes to Hash Set window, click Paste From Clipboard. Click OK and then click OK again in the dialog box.
8. Click OK in the Hash Sets window and then exit Autopsy.
9. Close Notepad and update your examiner notes to list the steps you took to complete this project.
10. When finished, submit to your instructor the following file:
• Project_08-3_Examiner_Notes.xlsx

Solution Guidance: Upon completion of this project, students should have successfully installed the two hash databases into Autopsy. In their examiner notes, students should document their activities, indicating which hash databases were installed. For an example of how the students’ examiner notes should appear, see the following solution file:
• Solution_Project_08-3_Examiner_Notes.pdf

Project 8-4
Estimated Time: 30 minutes
Objective: Create and add a bad hash file to Autopsy to quickly identify known bad files.
Before You Begin:
• Create Work folder C:\Work\Module_08\Project_08-4.
• Download to your Work folder the following data files provided with the module:
  • Project_08-4_Examiner_Notes.xlsx
  • Project_08-4_Known-Bad-Data.001
• Access the following items:
  • FTK Imager
  • Autopsy for Windows


This project is divided into two sections. The first section shows you how to create a list of hashes of known bad files of interest. In the second section, you will load these hashes into Autopsy so that they can be used to analyze a forensics disk image file and quickly locate those bad files. For this project, you are directed to obtain the MD5 hash values of five files that are stored in the file Project_08-4_Known-Bad-Data.001. The names of the five files are as follows:
• Crypto-20220523.ods
• Horse-Bookie.dbf
• IMG_0038.JPG
• IMG_0039.JPG
• IMG_0043.JPG
After the MD5 hashes are saved in a .csv file, you will be instructed on how to add these hashes to Autopsy.
Section One: Generating the MD5 hashes of known bad files
To create a known bad hash set database in Autopsy, complete the following steps:
1. Open the file Project_08-4_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_08-4.
2. Start FTK Imager. If the UAC window appears, click Yes. Click File and then click Add Evidence Item. In the Select Source window, click the Image File button and then Next.
3. In the Select File window, click Browse and navigate to your Work folder. Select Project_08-4_Known-Bad-Files.001, click Open, and then click Finish in the Select File window.
4. In the FTK Imager Evidence Tree pane, click the plus sign to expand the folder tree and then click the [root] folder.
5. In the File List pane, select the following files by pressing the Ctrl key and clicking each file:
• Crypto-20220523.ods
• Horse-Bookie.dbf
• IMG_0038.JPG
• IMG_0039.JPG
• IMG_0043.JPG
6. Right-click the selected files and then click Export File Hash List, as shown in Figure 8-31.
[Figure 8-31 Exporting hash values in FTK Imager]
7. In the Save As window, navigate to your Work folder, and then, in the File name input box, type Project_08-4_Known-Bad-Hashes-MD5. Click Save and exit FTK Imager.
8. In File Explorer, navigate to your Work folder and open the file Project_08-4_Known-Bad-Hashes.csv in Excel.
9. In Excel, delete the first row, which contains the headers for each column, and then delete column B, as shown in Figure 8-32.


[Figure 8-32 Updated MD5 bad file list]
10. Click File and Save As and then navigate to your Work folder. In the Save As window’s File name input box, type Project_08-4_Known-Bad-MD5.csv, and in the “Save as type” input box, select the option CSV UTF-8 (Comma delimited) (*.csv). Click Save and Yes.
Section Two: Adding the known bad hashes to Autopsy
1. Start Autopsy for Windows. If the UAC window appears, click Yes. In the Welcome window, click Close and then click Tools and then Options from the menu. In the Options window, click the Hash Sets icon to open the window.
2. In the Hash Sets window, click New Hash Set. In the Create Hash Set window, click the Local button and, in the Name input box, type Project_08-4_Known-Bad-Hashes-MD5.csv.
3. In the Hash Set Path, click Save As, and then, in the Save window, click Save to create the hash database Project_08-4_Known-Bad-MD5.kdb.
4. In the Type section of the Create Hash Set window, click the Notable button, then check the Send ingest messages for each hit check box, if not already selected (as shown in Figure 8-33), and click OK.
[Figure 8-33 Create Hash Set window of bad file]
5. Using File Explorer, navigate to your Work folder and open the file Project_08-4_Known-Bad-MD5.csv with Notepad or your preferred text editor.
6. If using Notepad, click Edit and Select All, click Edit again, and then click Copy.
7. In Autopsy, make sure that Project_08-4_Known-Bad-Hashes-MD5.csv is selected in the Hash Sets pane, and then, in the Hash Set Details section of the Hash Set window, click Add Hashes to Hash Set.
8. In the Add Hashes to Hash Set window, click Paste From Clipboard. Click OK and then click OK again in the dialog box.
9. Click OK in the Hash Sets window, then exit Autopsy.
10. Close Notepad and update your examiner notes to list the steps you took to complete this project.
11. When finished, submit to your instructor the following files:
• Project_08-4_Examiner_Notes.xlsx
• Project_08-4_Known-Bad-Hashes-MD5.csv

Solution Guidance: Upon completion of this project, students should have successfully installed the bad hash database into Autopsy. In their examiner notes file, students should document their activities and indicate which hash databases were installed. For an example of how the examiner notes should appear, see the following solution files:
• Solution_Project_08-4_Examiner_Notes.pdf
• Solution_Project_08-4_Known-Bad-Hashes-MD5.pdf
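The hash-set workflow of Projects 8-3, 8-4 and 8-6, as an added example that is not code from the textbook, FTK Imager or Autopsy: it writes a hash list in the MD5/SHA1/FileNames shape FTK Imager exports, reduces it to the one-hash-per-line list pasted into Autopsy (dropping the header row and SHA1 column, as in steps 9 and 10 above), and then classifies every file in an image as Notable, Known or unknown the way the Hash Lookup ingest module does. All file names, contents and the resulting hashes are constructed stand-ins, not the project’s real files.

```python
"""Build MD5 hash sets and apply them to an image (added example, constructed data)."""
import csv
import hashlib
import io

# Constructed stand-ins for the five known-bad files of Project 8-4 and for two
# pseudo-Windows system files of Project 8-3; the contents are not the real files.
KNOWN_BAD_FILES = {
    "Crypto-20220523.ods": b"sample ods contents",
    "Horse-Bookie.dbf": b"sample dbf contents",
    "IMG_0038.JPG": b"\xff\xd8\xff\xe1 sample 38",
    "IMG_0039.JPG": b"\xff\xd8\xff\xe1 sample 39",
    "IMG_0043.JPG": b"\xff\xd8\xff\xe1 sample 43",
}
PSEUDO_SYSTEM_FILES = {
    "ntoskrnl.exe": b"pseudo system file, no real data",
    "hal.dll": b"pseudo system file, no real data",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def export_file_hash_list(files: dict) -> str:
    """CSV in the column layout FTK Imager writes: MD5, SHA1, FileNames, with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["MD5", "SHA1", "FileNames"])
    for name, data in files.items():
        writer.writerow([md5_hex(data), hashlib.sha1(data).hexdigest(), name])
    return out.getvalue()


def to_autopsy_hash_list(ftk_csv: str) -> str:
    """Drop the header row and the SHA1 column, leaving one MD5 per line for Paste From Clipboard."""
    rows = list(csv.reader(io.StringIO(ftk_csv)))
    return "\n".join(row[0].lower() for row in rows[1:] if row) + "\n"


def load_hash_set(text: str) -> set:
    """Parse a one-hash-per-line list into a set, ignoring blank lines and letter case."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def hash_lookup(image_files: dict, known: set, notable: set) -> dict:
    """Classify each file as the Hash Lookup module does: notable, known, or unknown.

    Notable (bad) takes precedence over Known; files matching neither set are
    the ones left for the examiner to review by hand.
    """
    result = {}
    for name, data in image_files.items():
        h = md5_hex(data)
        if h in notable:
            result[name] = "notable"
        elif h in known:
            result[name] = "known"
        else:
            result[name] = "unknown"
    return result


def run_demo() -> dict:
    """End to end: export both hash lists, convert, load, then scan a constructed image."""
    notable = load_hash_set(to_autopsy_hash_list(export_file_hash_list(KNOWN_BAD_FILES)))
    known = load_hash_set(to_autopsy_hash_list(export_file_hash_list(PSEUDO_SYSTEM_FILES)))
    # Constructed image contents: a known-bad file under a new name (the hash
    # still matches), one pseudo system file, and one file in neither set.
    image = {
        "holiday.jpg": KNOWN_BAD_FILES["IMG_0039.JPG"],
        "ntoskrnl.exe": PSEUDO_SYSTEM_FILES["ntoskrnl.exe"],
        "notes.txt": b"unrelated user document",
    }
    return hash_lookup(image, known, notable)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8} {name}")
```

Renaming a file does not change its hash, which is why the hash set still flags holiday.jpg; the Extension Mismatch Detector selected in Project 8-6 covers the related case of a changed extension.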


Project 8-5
Estimated Time: 45 minutes
Objective: Recover bit-shifted data from a text file using the demo version of X-Ways’ WinHex software.
Before You Begin:
• Create Work folder C:\Work\Module_08\Project_08-5.
• Download to your Work folder the following data files provided with the module:
  • Project_08-5_Bitshift_Data.001
  • Project_08-5_Examiner_Notes.xlsx
• Access the following items:
  • The PassMark Software virtual mounting application OSFMount (osforensics.com/tools/mount-disk-images.html), installed on your computer
  • The demo version of WinHex (x-ways.net/winhex/index-m.html), installed on your computer

Note 15
The demo version of X-Ways’ WinHex software has a 45-day evaluation period and is limited to writing or exporting data up to 200 KB. After 45 days, a license can be purchased at x-ways.net/order.html. X-Ways provides several versions of its software. The demo version used in this project is the personal demo version, which has limited capabilities. A licensed version of WinHex has no limit on the amount of data it can write or export. Most X-Ways products have a 12-month license that requires renewal every year. For a complete list of X-Ways products, see x-ways.net.
The demo version of WinHex can only access individual files and physical or logical drives. The demo version cannot mount a digital forensics image file as other digital forensics tools, such as Autopsy or FTK Imager, can do. However, the demo version of WinHex can access an image file that is mounted as a virtual drive.
This project is divided into two sections. Section One shows you how to mount a digital forensics image file as a virtual drive and access the drive using the demo version of WinHex. Section Two shows you the bit-shifting feature available in WinHex.
Section One: Mounting a digital forensics image in WinHex
Complete the following steps for this project:
1. Open the file Project_08-5_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_08-5.
2. Start and run OSFMount as an administrator. If the UAC window appears, click Yes. Click Mount New and, in the Step 1 of 4 pane of the Mount Virtual Disk window, click the Disk image file (.img, .dd, .vmdk, E01, . . .) button and then click the ellipsis button.
3. Navigate to your Work folder, click Project_08-5_Bitshift_Data.001, click Open in the Select image file window, click the Mount as RAM drive check box, and then click Next, as shown in Figure 8-34.


[Figure 8-34 OSFMount Mount Virtual Disk Step 1 of 4]
4. In the Step 2 of 4 pane of the Mount Virtual Disk window, click the Mount entire image as virtual disk button and then click Next, as shown in Figure 8-35.
[Figure 8-35 OSFMount Mount Virtual Disk Step 2 of 4]
5. In the Step 3 of 4 pane, click the Initialize Partition Table check box, click the MBR (Master Boot Record) button, and then click Next, as shown in Figure 8-36.
[Figure 8-36 OSFMount Mount Virtual Disk Step 3 of 4]
6. In the Step 4 of 4 pane, click the Read-only drive check box, click the Drive emulation down arrow, and then click Logical Drive Emulation. Click Mount, as shown in Figure 8-37.
[Figure 8-37 OSFMount Mount Virtual Disk Step 4 of 4]
7. When the Mounted virtual disks screen appears, determine the assigned letter for the virtual drive, as shown in Figure 8-38.
[Figure 8-38 OSFMount showing the mounted drive]
8. Start and run WinHex as an administrator. If the UAC window appears, click Yes, and when the evaluation dialog box opens, click OK. If the Case Data pane is not present, click View, Show, and Case Data, as shown in Figure 8-39. Click OK in the warning dialog box.
[Figure 8-39 WinHex Demo with the Case Data pane]
9. In the Case Data pane, click File and Create New Case, and in the license warning dialog box, click OK. In the New Case window’s Case title/number input box, type Project_08-5WinHex, then click the ellipsis button and navigate to your Work folder. In the Select Folder window, click OK and then click OK in the New Case window. See Figure 8-40.
[Figure 8-40 WinHex New Case window]
10. In the Case Data pane, click File and Add Medium. In the Select Disk window, click BITSHFIT (Lettered drive:), and then OK, as shown in Figure 8-41. (Note that in this example the drive letter is K:, but your assigned drive letter might be different, as described in step 6 above.)
[Figure 8-41 WinHex Select Disk window]
11. In the Case Data pane, expand the directory tree by clicking the plus sign for Letter-drive: (this is the mounted virtual drive). Click the folder Bitshift-Data, then Quotes, and then the file Bismark.txt in the Directory Browser pane, as shown in Figure 8-42.
[Figure 8-42 WinHex main screen]
12. When you have successfully mounted the virtual drive, proceed to Section Two.


Note 16
For more information about using the features of WinHex and X-Ways Forensics, see x-ways.net/winhex/manual.pdf.
Section Two: Exploring the WinHex bit-shifting feature
For this section, you will first determine whether data in the file Bismark.txt has been bit-shifted one bit to the left or one bit to the right. Your next task is to shift all the bits back to their original positions and then examine the file’s text contents to verify that all data has been correctly shifted back to its original condition. Because the demo version of WinHex has limited functionality, you will need to complete the following steps for this file restoration:
1. Using File Explorer, navigate to the virtual drive and the folder Letter-drive:\Bitshift-Data\Quotes. Right-click the file Bismark.txt and then click Copy. Navigate to and right-click your Work folder and then click Paste.
2. In WinHex, click Options and Edit Mode from the menu, click Default Edit Mode (editable), if necessary, and then click OK.
3. Click File and Open. Navigate to your Work folder and click Bismark.txt.
4. From the main menu, click Edit and then Select All to highlight this file’s data in the Data Content pane, as shown in Figure 8-43.
[Figure 8-43 Selecting the data content of the file Bismark.txt]
5. Click Edit and then Modify Data. In the Modify Block Data dialog box, click the Right shift by 1 bit option button, as shown in Figure 8-44, and then click OK.
[Figure 8-44 WinHex Modify Block Data dialog window]
6. Inspect the Data Content pane to see if the bit-shifting is restored, as shown in Figure 8-45.
[Figure 8-45 Restored bit-shifted file Bismark.txt]
7. From the main menu, click File and Save.
8. From File Explorer, navigate to your Work folder and double-click the file Bismark.txt to view and verify that it has been restored, as shown in Figure 8-46.
[Figure 8-46 Verified bit-shifted file Bismark.txt]
9. Save Bismark.txt as Project_08-5_Bismark-Recovered-File.txt in your Work folder and update your examiner notes.
10. Close any open File Explorer windows. In OSFMount, click Dismount all & Exit and Yes in the warning dialog box. In WinHex’s main menu, click File and then click Exit and then Yes. In the evaluation dialog box, click OK.
11. When finished, submit to your instructor the following files:
• Project_08-5_Bismark-Recovered-File.txt
• Project_08-5_Examiner_Notes.xlsx


Solution Guidance: The purpose of this project is to show students how bit-shifting can be used to obscure data and how to use WinHex to recover that data. The demo version of WinHex contains features, such as the Case Data feature, that are also available in the licensed version of X-Ways Forensics. Upon completion of this project, students should have successfully shifted the bits of the file Bismark.txt back, making it readable, using the demo version of WinHex. For examples of a successfully recovered Bismark.txt file and the examiner notes file, see the following solution files:
• Solution_Project_08-5_Bismark-Recovered-File.pdf
• Solution_Project_08-5_Examiner_Notes.pdf
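The block-wide bit shift of Section Two, as an added example that is not code from the textbook or from X-Ways WinHex: the selected block is treated as one contiguous bit string, so a bit leaving one byte enters its neighbour, which is what makes a one-bit shift of a whole text file unreadable and a shift back in the other direction exact. The printable-byte scoring that picks the direction is this example’s own heuristic, and the quote it operates on is constructed, not the contents of Bismark.txt.

```python
"""Obscure and recover a text block by one-bit shifts (added example, constructed data)."""
import string

PRINTABLE = set(string.printable.encode())  # printable ASCII plus whitespace


def shift_left_1(data: bytes) -> bytes:
    """Shift the whole block one bit toward the start; the top bit is lost and a 0 enters at the end."""
    if not data:
        return b""
    n = int.from_bytes(data, "big")
    mask = (1 << (8 * len(data))) - 1            # keep the block at its original length
    return ((n << 1) & mask).to_bytes(len(data), "big")


def shift_right_1(data: bytes) -> bytes:
    """Shift the whole block one bit toward the end; a 0 enters at the start and the last bit is lost."""
    if not data:
        return b""
    n = int.from_bytes(data, "big")
    return (n >> 1).to_bytes(len(data), "big")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; plain text scores 1.0, shifted text far less."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def guess_restore_direction(data: bytes) -> str:
    """Return the Modify Block Data option that restores the block: 'right', 'left' or 'none'.

    This is the check Section Two asks for before choosing a direction: whichever
    candidate reads as text wins, and a block that already reads as text needs no shift.
    For ASCII text the shift back is lossless, because the only bit discarded by the
    original shift was a high bit that is always 0 in ASCII.
    """
    scores = {
        "none": printable_ratio(data),
        "right": printable_ratio(shift_right_1(data)),
        "left": printable_ratio(shift_left_1(data)),
    }
    return max(scores, key=scores.get)


def restore(data: bytes) -> bytes:
    """Apply the guessed shift and return the recovered block (the input is left unchanged)."""
    direction = guess_restore_direction(data)
    if direction == "right":
        return shift_right_1(data)
    if direction == "left":
        return shift_left_1(data)
    return data


if __name__ == "__main__":
    original = b"Constructed sample quote: politics is the art of the possible.\n"
    hidden = shift_left_1(original)              # what the examiner finds in the file
    print("on disk :", hidden[:24])
    print("needs   :", guess_restore_direction(hidden), "shift by 1 bit")
    print("restored:", restore(hidden))
```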

Project 8-6
Estimated Time: 20 minutes
Objective: Create and add a bad hash file to Autopsy to quickly identify known bad files.
Before You Begin:
• Complete Project 8-3 and Project 8-4.
• Create Work folder C:\Work\Module_08\Project_08-6.
• Download to your Work folder the following data files provided with the module:
  • Project_08-6_Examiner_Notes.xlsx
  • Project_08-6-Image_Hash_Search.E01
• Access the following item:
  • Autopsy for Windows

For this project, you will use the known bad hashes previously added in Project 8-4; the corresponding files are included in the digital forensics image file Project_08-6-Image_Hash_Search.E01. In this project, you will perform an analysis using Autopsy for Windows. It requires hashing all files while Autopsy compares the results against the previously added known bad hashes and locates the known bad files. After determining whether the files are present or not, you will need to produce an Autopsy Excel report showing your findings, along with examiner notes showing the steps you took to complete the examination. Complete the following steps:
1. Open the file Project_08-6_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_08-6.
2. Start Autopsy for Windows. In the Welcome window, click New Case, and in the Case Information pane’s Case Name input box, type Project_08-6-Image_Hash_Search. Click Browse, navigate to your Work folder, and then click Next.
3. In the Optional Information pane, enter Project_08-6-Image_Hash_Search for the Case Number and then add your information to the Examiner’s Name and Email input boxes. Click Finish.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 8: Media Files and Digital Forensics

4. In the Select Type of Data Source To Add pane, click Disk Image or VM File and then click Next.
5. In the Select Data Source pane, click Browse and navigate to your Work folder. Click Project_08-6-Image_Hash_Search.E01, then Open, and then Next in the Select Add Data Source window.
6. In the Configure Ingest Modules pane, click Deselect All, then click Hash Lookup, and then in the “Select hash sets to use” pane:
• Click to uncheck NSRLFile-nnnm-computer.text-md5 (Known).
• Click the Known-Pseudo-Project-Hashes.csv (Known) and Project_08-4_Known-Bad-MD5.csv check boxes and then check Calculate MD5 even if no hash set is selected, as shown in Figure 8-47.
[Figure 8-47 Selecting the known hash databases]
7. In the “Run ingest modules on” pane, click the File Type Identification check box and the Extension Mismatch Detector check box.
8. In the Extension Mismatch Detector options pane, click the Check all file types button and then click the Skip files without extensions and Skip known files check boxes, as shown in Figure 8-48.
[Figure 8-48 Selecting the Check all file types option]
9. In the “Run ingest modules on” pane, click the following ingest modules:
• Picture Analyzer
• Keyword Search
• Interesting Files Identifier
• PhotoRec Carver
When you are finished, your screen should look like Figure 8-49.
[Figure 8-49 Selecting the remaining ingest module option]
10. In the Add Data Source window, click Next and then Finish.
11. When Autopsy finishes analyzing the files, in the Tree Viewer pane, click the Results plus sign, then the Hashset Hits plus sign, and then Project_08-4_Known-Bad-MD5.csv.
12. In the Result Viewer pane, click the first file, Crypto-20220523.ods, and then press Ctrl+A to select all files, as shown in Figure 8-50.
[Figure 8-50 Tagging known bad files search results]
13. In the Result Viewer pane, right-click the selected files and then click Add Results Tags and then Notable Items (Notable). Right-click the selected files again, click Export File(s), and then in the Save window, click Save and OK.
14. Click Generate Report and in the Select and Configure Report Module’s Report Modules pane, click the Excel Report button and then Next. In the “Select which data source(s) to include” window, click Check All and then Next.


15. In the Configure Report window, if not already selected, click the All Results button and then click Finish.
16. When the Report Generation Progress window shows that the report is complete, click the Excel Report hyperlink to view the report.
17. Save the Excel report with the name Project_08-6-Found-Known-Bad-Files.xlsx to your Work folder.
18. In Autopsy, click Close in the Report Generation Progress window and then exit Autopsy.
19. Update your examiner notes to reflect the steps you took to complete the project, then save the file and exit Excel.
20. When finished, submit to your instructor the following files:
• Project_08-6_Examiner_Notes.xlsx
• Project_08-6-Found-Known-Bad-Files.xlsx

Solution Guidance: Upon completion of this project, students should have located the following files in the digital forensics image file Project_8-6-Bad-Hashes.E01:
• /img_Project_08-6-Image_Hash_Search.E01//$CarvedFiles/f0001464.jpg
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Documents/Bookkeeping/Finance/Crypto-20220523.ods
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Pictures/DCIMB/101___11/IMG_0038.JPG
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Pictures/DCIMB/101___11/IMG_0039.JPG
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Pictures/DCIMB/101___11/IMG_0043.JPG
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Pictures/DCIMB/CANONMSC/IMG_0038.JPG
• /img_Project_08-6-Image_Hash_Search.E01/Users/renata7e/Pictures/DCIMB/CANONMSC/IMG_0039.JPG

For examples of the examiner notes and a completed Excel report, see the following solution files:
• Solution_Project_08-6_Examiner_Notes.pdf
• Solution_Project_08-6-Found-Known-Bad-Files.zip
• Solution_Project_08-6-Found-Known-Bad-Files-EXIF_Metadata.pdf
• Solution_Project_08-6-Found-Known-Bad-Files-Hashset_Hits.pdf
• Solution_Project_08-6-Found-Known-Bad-Files-Metadata.pdf
• Solution_Project_08-6-Found-Known-Bad-Files-Summary.pdf
• Solution_Project_08-6-Found-Known-Bad-Files-Tagged_Results.pdf
• Solution_Project_08-6-Found-Known-Bad-Files-User_Content_Suspected.pdf


Case Projects - Solutions

Case Project 8-1
Estimated Time: 60 minutes
Objective: Create an examination planning form that incorporates items discussed in this module.
Before You Begin:
• Create Work folder C:\Work\Module_08\Case_Project_08-1.

In this case project, you are to create a form that will be used to plan and prepare for future examinations. To create this form, incorporate the following possible checklist items and considerations based on what you learned from this module:

Nature of the case
• State the allegation or nature of the case

Resources needed
• Identify the target media, its manufacturer, model, and serial number, and the date it was wiped; check for viruses

Acquisition method and format
• Identify the type of acquisition, raw or proprietary, and determine if it needs to be compressed

Hashing method
• Indicate the hashing method that will be used on the digital evidence
• Define how much of the media will need to be examined, partial or complete
• Specify if a complete list of all files and folders or only specific files and folders will be needed for a report

Special considerations
• Determine if password recovery will be needed to conduct the examination
• Indicate if unidentified executable files will need to be identified

Examination objectives
• Define the objective for the examination
• Determine the evidence to look for in this examination
• State the case’s hypothesis
• Identify the search keywords to be used in the examination

Media collection
• List evidence to collect from the examination
• List any peripheral media to include
• Update supporting documents for this examination
• Provide the case number for this examination


• Select the acquisition tool to use
• Select the digital forensics tool(s) to use for the examination

Examination steps to be taken
• Make a digital forensics acquisition of the media to examine
• Start the digital forensics application and open the digital forensics image file
• Initiate processing of data, such as ingesting and hashing of the data from the image file
• Survey the contents of the media
• Perform keyword searches germane to the case
• Extract evidence that supports or refutes the case’s allegations
• Determine if any reexamination is necessary to complete the analysis
• Determine if any additional evidence is needed to complete the examination

Examination reporting
• From the digital forensic application, generate a report
• Update the examiner notes
• Write a formal or informal report
• Secure all evidence and update evidence forms as needed

If you are creating this plan in a word processor, save it as Case_Project_08-1_Examination_Plan.docx; if you are creating it in a spreadsheet application, save it as Case_Project_08-1_Examination_Plan.xlsx. When finished, submit to your instructor the following file:
• Case_Project_08-1_Examination_Plan.docx or Case_Project_08-1_Examination_Plan.xlsx

Solution Guidance: Using their preferred word processor or spreadsheet program, students should create a form that incorporates the items listed in this case project. Students should also be encouraged to add to and modify the form, using additional information in the module as they see necessary. For an example of a form and a bulleted outline to help guide the students for this project, see the following solution file:
• Solution_Case_Project_08-1_Examination_Plan.pdf

Case Project 8-2
Estimated Time: 60 minutes
Objective: Determine the file types of unknown formatted files.
Before You Begin:
• Create Work folder C:\Work\Module_08\Case_Project_08-2.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_08-2_Examiner_Notes.xlsx
  • Case_Project_08-2_Unknown_File_Types.zip


• Access the following item:
  • Hexadecimal editor (HxD, WinHex, or another editor)

The file Case_Project_08-2_Unknown_File_Types.zip contains four recovered files, named File1.dat through File4.dat. Your assignment is to examine the header of each file and identify its correct file type, such as .jpg, .png, or another file type. Use the Internet and your preferred search engine to help identify these header formats. One web source to consider using is garykessler.net/library/file_sigs.html. Once identified, rename the extension of each file to its correct value. Then test the file to see if it can be opened. Report your findings in your examiner notes. Then archive all four recovered files into one zip file named Case_Project_08-2_Recovered_Files.zip. When finished, submit to your instructor the following files:
• Case_Project_08-2_Examiner_Notes.xlsx
• Case_Project_08-2_Recovered_Files.zip

Solution Guidance: To complete this case project, students will need to examine each file (File1.dat through File4.dat) with a hexadecimal editor and rename each file with its correct file extension value. Students should test each file to verify that they have the correct extension and that they can be opened successfully with their computer’s default photo viewer program. For examples of the examiner notes and the recovered files, see the following solution files:
• Solution_Case_Project_08-2_Examiner_Notes.pdf
• Solution_Case_Project_08-2_Recovered_Files.zip:
  o File1.bmp
  o File2.gif
  o File3.jpg
  o File4.rtf

Case Project 8-3
Estimated Time: 60 minutes
Objective: Create a reference guide for three or more video players available from third-party vendors.
Before You Begin:
• Create Work folder C:\Work\Module_08\Case_Project_08-3.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_08-3_Video_Player_Reference_Guide.xlsx

When conducting an examination, a digital forensics examiner may encounter a video file format about which they have no knowledge. The purpose of this case project is to become familiar with the many different video player utilities available and the video file formats they can play. For this case project, you are to create a reference guide of available video player programs. This reference guide should contain the following information about each video player program:


• The application’s name
• A list of all video format extensions it can play
• The OS(s) that it can run on
• The video player’s cost
• The web link where the video player can be downloaded from

To complete this case project, use the form Case_Project_08-3_Video_Player_Reference_Guide.xlsx. List three or more applications from third-party vendors, not applications built into an OS, and list only video file formats. When finished, submit to your instructor the following file:
• Case_Project_08-3_Video_Player_Reference_Guide.xlsx

Solution Guidance: To complete this case project, students should list at least three different video player programs that are only available from third-party vendors. Students should not list video player programs that are built into OSs. For each video player program, students should list the supported video file formats by their extension values, along with the program’s cost, any notes about the format, and the web source where it is available for download. Students should only list video player file formats, not graphic (still photos) or music file formats. For examples of the output files that students will submit, see the following solution file:
• Solution_Case_Project_08-3_Video_Player_Reference_Guide.pdf

Case Project 8-4
Estimated Time: 60 minutes
Objective: Determine the file formats for a list of hexadecimal header values.
Before You Begin:
• Download to your Work folder the following data file provided with the module:
  • Case_Project_08-4-Media-File_Header_Reference.docx

For this case project, you are given a list of hexadecimal header values of known media files. Your task is to complete the provided form by listing the extension value of the associated file format for each hexadecimal header value, along with a brief description of the file type. To identify the header values, reference one of the following websites:
• “File Signatures Table,” sceweb.sce.uhcl.edu/abeysekera/itec3831/labs/FILE%20SIGNATURES%20TABLE.pdf
• “GCK’s File Signatures Table,” garykessler.net/library/file_sigs.html
• List of file signatures (profilbaru.com/article/List_of_file_signatures)

When finished, submit to your instructor the following file:
• Case_Project_08-4-Media-File_Header_Reference.docx


Solution Guidance: This case project will provide practice for students in identifying and researching file header information from unknown recovered data, either from unallocated drive space or an unknown file. In addition, this case project will expose students to the different types of multimedia file formats. For an example of the file that students should submit, see the following solution file:
• Solution_Case_Project_08-4-Media-File_Header_Reference.pdf
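Case Projects 8-2 and 8-4 both come down to the same operation: read the first bytes of a file, compare them against a table of known signatures, and name the format. The Python below is an added example of that lookup, written for this guide rather than taken from the textbook or from the signature websites listed above. Its table is a small subset of widely documented signatures (the four formats in the Case Project 8-2 solution plus common media containers), the headers in SAMPLES are constructed stand-ins for File1.dat through File4.dat, and the extension_mismatch() function shows the same comparison Autopsy's Extension Mismatch Detector performs in Project 8-6.

```python
"""Identify a recovered file's format from its header bytes (file signature).

Added example for Case Projects 8-2 and 8-4; not the textbook's code or the
referenced websites' tables. SIGNATURES is a short subset of well-known
signatures, and the sample headers below are constructed.
"""
from pathlib import Path
from typing import Optional, Tuple

# (offset, magic bytes, extension, description)
SIGNATURES = [
    (0, b"BM", "bmp", "Windows bitmap image"),
    (0, b"GIF87a", "gif", "GIF image (87a)"),
    (0, b"GIF89a", "gif", "GIF image (89a)"),
    (0, b"\xff\xd8\xff", "jpg", "JPEG image"),
    (0, b"\x89PNG\r\n\x1a\n", "png", "PNG image"),
    (0, b"II*\x00", "tif", "TIFF image (little-endian)"),
    (0, b"MM\x00*", "tif", "TIFF image (big-endian)"),
    (0, b"{\\rtf1", "rtf", "Rich Text Format document"),
    (0, b"%PDF", "pdf", "PDF document"),
    (0, b"PK\x03\x04", "zip", "ZIP archive (also .docx/.xlsx/.ods containers)"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc", "OLE2 compound document (legacy Office)"),
    (0, b"ID3", "mp3", "MP3 audio with ID3 tag"),
    (0, b"\x1a\x45\xdf\xa3", "mkv", "Matroska/WebM container"),
    (4, b"ftyp", "mp4", "ISO base media file (MP4/MOV/3GP)"),
    (0, b"RIFF", None, "RIFF container; bytes 8-11 name the content"),
]
RIFF_KINDS = {b"AVI ": ("avi", "AVI video"), b"WAVE": ("wav", "WAV audio"), b"WEBP": ("webp", "WebP image")}

# Names that map onto the same signature as the extension the table reports.
EXTENSION_ALIASES = {"jpeg": "jpg", "tiff": "tif", "docx": "zip", "xlsx": "zip", "ods": "zip",
                     "xls": "doc", "ppt": "doc", "mov": "mp4", "m4a": "mp4", "3gp": "mp4", "webm": "mkv"}


def hex_header(data: bytes, length: int = 16) -> str:
    """Header bytes in the spaced-hex form used by signature tables (e.g. 'FF D8 FF E0')."""
    return " ".join(f"{b:02X}" for b in data[:length])


def identify(data: bytes) -> Tuple[Optional[str], str]:
    """Return (extension, description) for the first matching signature, else (None, 'unknown')."""
    for offset, magic, ext, desc in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if magic == b"RIFF":
                return RIFF_KINDS.get(data[8:12], ("riff", desc))
            return ext, desc
    return None, "unknown"


def identify_file(path: Path) -> Tuple[Optional[str], str]:
    with path.open("rb") as handle:
        return identify(handle.read(32))


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file name's extension disagrees with the signature, which is what
    an extension-mismatch check flags. Files of unknown type are not reported."""
    ext, _ = identify(data)
    if ext is None:
        return False
    actual = Path(filename).suffix.lower().lstrip(".")
    return EXTENSION_ALIASES.get(actual, actual) != ext


# Constructed sample headers standing in for File1.dat through File4.dat.
SAMPLES = {
    "File1.dat": b"BM\x36\x00\x0c\x00\x00\x00\x00\x00\x36\x00\x00\x00(\x00",
    "File2.dat": b"GIF89a\x10\x00\x10\x00\x80\x00\x00",
    "File3.dat": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "File4.dat": b"{\\rtf1\\ansi\\deff0",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        ext, desc = identify(header)
        print(f"{name}: {hex_header(header, 8):<24} -> .{ext} ({desc})")
```

The first-match rule means table order matters: container formats that share a prefix (RIFF, ISO base media at offset 4) are resolved by a second look inside the header rather than by the first few bytes alone, which is also why a signature table lists the offset and not just the magic value.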

Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 9: Virtual Machine Forensics and Live Acquisitions Forensics

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 9: VIRTUAL MACHINE FORENSICS AND LIVE ACQUISITIONS FORENSICS

Table of Contents
Activities - Solutions .......... 2
  Activity 9-1 .......... 2
Review Questions - Answers .......... 3
Hands-On Projects - Solutions .......... 8
  Project 9-1 .......... 8
  Project 9-2 .......... 9
  Project 9-3 .......... 9
  Project 9-4 .......... 11
Case Projects - Solutions .......... 14
  Case Project 9-1 .......... 14
  Case Project 9-2 .......... 14


Activities - Solutions

Activity 9-1
Estimated Time: 30 minutes
Objective: Install VMware Workstation Player and detect the VM using OSForensics.
Before You Begin:
• Create Work folder C:\Work\Module_09\Activity_09-1.
• Download to your Work folder the following data file provided with the module:
  • Activity_09-1_Examiner_Notes.xlsx
• Access the following items:
  • OSForensics Free Trial (download and install at osforensics.com/download.html)
  • VMware Workstation Player (download and install at vmware.com/content/vmware/vmware-published-sites/us/products/workstationplayer/workstation-player-evaluation.html)

In this activity, you examine your own system for evidence of a VM. Complete the following steps:
1. Open the file Activity_09-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field, and in the Case Name and Case Number fields, type Activity_09-1.
2. Start OSForensics and click the Create New Case icon. In the New Case window, on the Basic Case Data tab, enter Activity 09-01 for the Case name. Enter your name as the investigator and click OK.
3. In the Workflow pane, click Registry Viewer, select C:\Windows\System32\Config\SOFTWARE as the Registry hive file to open, and then click Open.
4. In the Registry Viewer window’s left tree view pane, scroll down to determine if VMware is listed in the SOFTWARE Registry file. If the Registry entry VMware, Inc. is present, expand it and then click VMware Drivers, as shown in Figure 9-9. Note the number of entries present for VMware Player. Record in your examiner notes what you found.
[Figure 9-9 Viewing VMWare in the Registry]
5. In the right pane of the Registry Viewer window, right-click VMware Drivers and click Export Key to Disk. In the Export List to window, navigate to your Work folder, type Activity_09-1_VMWare_Reg_Data in the File name input box, click the Save as type dropdown arrow, click CSV Files (*.csv), and then click Save.
6. Exit OSForensics and update your examiner notes file to reflect the steps you completed in this activity.


7. When finished, submit to your instructor the following files:
• Activity_09-1_Examiner_Notes.xlsx
• Activity_09-1_VMWare_Reg_Data.csv

Solution Guidance: Students should have successfully installed VMware Workstation Player and the trial version of OSForensics. Students should have also successfully located the SOFTWARE Registry entry for VMware Player and generated a .csv report of its Registry entries. For examples of the files that students will submit, see the following solution files:
• Solution_Activity_09-1_Examiner_Notes.pdf
• Solution_Activity_09-1-VMWare_Reg_Data.pdf

Review Questions - Answers

1. You can expect to find a type 1 hypervisor on what type of device? (Choose all that apply.)
a. Desktop
b. Smartphone
c. Bare metal
d. Network server
Answer: c. Bare metal; d. Network server
Explanation: A type 1 hypervisor loads on bare metal and does not need an OS to load into. “Bare metal” can also refer to network server hardware that does not contain an OS.

2. The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of which of the following? (Choose all that apply.)
a. RAM
b. Storage
c. Network connections
d. Operating system
Answer: a. RAM; b. Storage
Explanation: A type 1 hypervisor depends on the amount of RAM and storage available. Many have as much as several terabytes of RAM and even more of storage. While certain brands of hypervisor may have limitations, the RAM and storage available are key. The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput. Each type 1 hypervisor can host from a few to several hundred VMs per host, and the IBM hypervisor can host thousands of VMs per host.


3. Which of the following sets of file extensions are all associated with VMware VMs?
a. .vmx, .log, and .nvram
b. .vdi, .ova, and .r0
c. .vmx, .r0, and .xml-prev
d. .vbox, .vdi, and .log
Answer: a. .vmx, .log, and .nvram
Explanation: Refer to Table 9-1 for a complete listing of file extensions that are associated with VMware VMs. Note that most of the file types begin with “vm.”

4. Which VMWare files store the virtual hard drive’s contents?
a. Files with .ova extensions
b. Files with .vmx extensions
c. Files with .vmdk extensions
d. Files with .vmsd extensions
Answer: c. Files with .vmdk extensions
Explanation: VMWare files with the .vmdk (VM disk) extension contain the VM drive’s contents. Other files that may contain some data are the .log files that contain VM session information, .vmem files that contain RAM data from current VM sessions, and .vmsd files that contain snapshot information.

5. In order to be able to determine which websites were accessed by a VM, which of the following must be true?
a. The VM is on a NAT.
b. The VM is bridged.
c. The VM has its own virtual router.
d. The VM has its own virtual switch.
Answer: b. The VM is bridged.
Explanation: Assuming that the VM is bridged with a separate IP address from the host computer, the VM’s IP address will be listed in log files. The host computer’s log will list the VM’s network activities.

6. In VirtualBox, a(n) _________ file contains settings for virtual hard drives.
a. .vbox-prev
b. .ovf
c. .vbox
d. .log
Answer: c. .vbox
Explanation: The .vbox file contains the settings for virtual hard drives in VirtualBox. See Table 9-2 for more information on the various file types associated with VirtualBox.
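Questions 3, 4 and 6 turn on recognizing VM artifacts by their file extensions. The Python below, added here as an example (it is not the textbook's code or any vendor's tool), walks a folder tree and groups what it finds by product using a subset of the VMware and VirtualBox extensions from Tables 9-1 and 9-2. It also handles the ambiguity the question 3 answer glosses over: a .log file is a VM artifact only when it sits with a VM's configuration file, so plain logs elsewhere on the host are not reported. The folder tree it scans is constructed in a temporary directory.

```python
"""Locate VM artifact files on a host by extension and group them by product.

Added example for review questions 3, 4 and 6; not the textbook's or any
vendor's code. VM_EXTENSIONS is a subset of the documented VMware and
VirtualBox file types, and the scanned folder tree is constructed below.
"""
import tempfile
from collections import defaultdict
from pathlib import Path

VM_EXTENSIONS = {
    ".vmx": ("VMware", "VM configuration"),
    ".vmdk": ("VMware", "virtual disk contents"),
    ".nvram": ("VMware", "virtual BIOS/NVRAM state"),
    ".vmem": ("VMware", "guest RAM of a running or suspended VM"),
    ".vmsd": ("VMware", "snapshot metadata"),
    ".vmsn": ("VMware", "snapshot state"),
    ".vbox": ("VirtualBox", "VM settings, including virtual hard drives"),
    ".vbox-prev": ("VirtualBox", "previous copy of the .vbox settings"),
    ".vdi": ("VirtualBox", "virtual disk image"),
    ".ovf": ("VirtualBox/OVF", "exported appliance descriptor"),
    ".ova": ("VirtualBox/OVF", "exported appliance archive"),
}
# A .log file is ambiguous on its own: it counts only next to (or one level below) a config file.
CONFIG_EXTENSIONS = {".vmx", ".vbox"}


def find_vm_artifacts(root: Path) -> dict:
    """Walk root; return {product: [{"path": relative path, "kind": description}, ...]}."""
    all_files = sorted((p for p in root.rglob("*") if p.is_file()), key=lambda p: p.as_posix())
    config_dirs = {p.parent: VM_EXTENSIONS[p.suffix.lower()][0]
                   for p in all_files if p.suffix.lower() in CONFIG_EXTENSIONS}
    found = defaultdict(list)
    for path in all_files:
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext in VM_EXTENSIONS:
            product, kind = VM_EXTENSIONS[ext]
            found[product].append({"path": rel, "kind": kind})
        elif ext == ".log":
            # VirtualBox keeps VBox.log in a Logs/ subfolder, so look one level up as well.
            for folder in (path.parent, path.parent.parent):
                if folder in config_dirs:
                    found[config_dirs[folder]].append({"path": rel, "kind": "VM session log"})
                    break
    return dict(found)


def demo() -> dict:
    """Constructed host folder tree with one VMware VM, one VirtualBox VM and unrelated files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        constructed = [
            "Virtual Machines/Ubuntu/Ubuntu.vmx",
            "Virtual Machines/Ubuntu/Ubuntu.vmdk",
            "Virtual Machines/Ubuntu/Ubuntu.nvram",
            "Virtual Machines/Ubuntu/vmware.log",
            "VirtualBox VMs/Win10/Win10.vbox",
            "VirtualBox VMs/Win10/Win10.vbox-prev",
            "VirtualBox VMs/Win10/Win10.vdi",
            "VirtualBox VMs/Win10/Logs/VBox.log",
            "Downloads/install.log",
            "Documents/notes.txt",
        ]
        for rel in constructed:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed placeholder content")
        return find_vm_artifacts(root)


if __name__ == "__main__":
    for product, artifacts in demo().items():
        print(product)
        for item in artifacts:
            print(f"  {item['path']}  ({item['kind']})")
```

On a live host this is the file-system counterpart to the Registry check in Activity 9-1: the Registry shows the product was installed, the artifact files show which guests exist and whether snapshot (.vmsd/.vmsn) or memory (.vmem) data is available to acquire.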


7. To examine a .vdi virtual image file, what is required for it to be accessible using Autopsy or FTK Imager?
a. Autopsy and FTK Imager can automatically mount and access .vdi image files in the same way as a .E01 or a raw file.
b. FTK Imager has a converter utility that can change .vdi files into a raw .001 file format.
c. Autopsy can open .vdi files only through a remote network connection.
d. The .vdi file must be converted to a .vmdk, .vhd, or raw file format using a VirtualBox utility program.
Answer: d. The .vdi file must be converted to a .vmdk, .vhd, or raw file format using a VirtualBox utility program.
Explanation: Autopsy, FTK Imager, and several other digital forensics tools can only read and access .vmdk and .vhd virtual image files. To examine a .vdi virtual image file, an examiner will need to install VirtualBox to copy the .vdi file into a .vmdk, .vhd, or raw image. The VirtualBox utility vboxmanage can perform this conversion from a terminal prompt.

8. Which of the following Registry keys might contain information indicating that a VM is installed on a computer?
a. HFILE_CLASSES_ROOT
b. HKEY_CLASSES_ROOT
c. HFILE_EXTENSIONS
d. HKEY_CLASSES_FILE
Answer: b. HKEY_CLASSES_ROOT
Explanation: The HKEY_CLASSES_ROOT key contains the extensions for all file types on a Windows OS. From examining this Registry key, you might be able to locate an installed VM utility.

9. Which of the following is a clue that a VM has been installed on a host system?
a. Network logs
b. Virtual network adapter
c. Virtualization software
d. USB drive
Answer: b. Virtual network adapter
Explanation: Look for a virtual network adapter in Windows System or type ipconfig or, in Linux, type ifconfig in the command-line interface.

10. VM snapshots contain which of the following?
a. The entire VM
b. Changes made since the last update
c. All changes made since the initial installation
d. Just the current state of the VM


Answer: d. Just the current state of the VM
Explanation: Snapshots are used to record the current state of the VM. For more details, go to nakivo.com/blog/vm-snapshot-vs-backup.

11. A critical part of live acquisitions is to capture which of the following?
a. Hard drive
b. RAM
c. BIOS
d. Network logs
Answer: b. RAM
Explanation: In live acquisitions, the most important thing to recover initially is the RAM, which is volatile. The challenge faced with live acquisitions is the order of volatility, which determines how long a piece of information lasts on a system.

12. For which of the following reasons might you need to perform a live acquisition of a computer? (Choose all that apply.)
a. For an ongoing known network intrusion
b. To capture RAM data before it might be lost
c. To perform an acquisition on a mission-critical computer that can’t be shut down for a static acquisition
d. To capture unallocated drive space on an active system
Answer: a. For an ongoing known network intrusion; b. To capture RAM data before it might be lost; c. To perform an acquisition on a mission-critical computer that can’t be shut down for a static acquisition
Explanation: For network investigations, live acquisitions should be performed on computers when volatile data may be lost due to malware so that digital evidence can be captured in real time, including during an ongoing known network intrusion. A live acquisition might also be necessary for an acquisition on a critical system that can’t be shut down.

13. What types of acquisition tools can be used for selective live acquisitions? (Choose all that apply.)
a. The DOS xcopy command
b. The DOS robocopy command
c. FTK Imager
d. X-Ways Imager
Answer: a. The DOS xcopy command; b. The DOS robocopy command; c. FTK Imager; d. X-Ways Imager
Explanation: All four answer options are tools that can be used to perform a selective live acquisition to acquire data, and they work best on a local computer. These commands and tools can be used remotely, however, with the aid of other tools, such as F-Response, that can configure networked computers’ drives to appear as a locally connected drive on the examiner’s computer.


14. The remote acquisition utility Belkasoft R refers to the digital forensics examiner’s workstation as what?
a. Server
b. Agent
c. Endpoint
d. Master
Answer: a. Server
Explanation: Belkasoft refers to the examiner’s workstation as the server. The agent is the utility that is pushed to the source or suspect computer or mobile device to allow access from the server. Endpoint refers to the source or suspect computer or mobile device where the data will be acquired from.

15. For Belkasoft R, what are the minimum requirements needed to perform a remote acquisition? (Choose all that apply.)
a. The server’s local IP address
b. The server’s external IP address
c. The TCP port numbers for the local and external IP addresses
d. The SSL certificates of the source and target computers
Answer: a. The server’s local IP address; b. The server’s external IP address; c. The TCP port numbers for the local and external IP addresses
Explanation: In addition to the server’s local and external IP addresses, the endpoint computer’s IP address is also needed. As a minimum requirement, the SSL certificate is not needed to perform a remote acquisition.

16. What Windows NTFS system file logs file changes?
a. $Extend
b. $I30
c. $Secure
d. $UsnJrnl:$J
Answer: d. $UsnJrnl:$J
Explanation: The $UsnJrnl file contains the subfile $J, which records changes, such as a file’s name change and if data was added or deleted from a file. The $UsnJrnl:$J file is located in the subfolder of $Extend, which is not visible in File Explorer. Tools like FTK Imager can view and access folders and files such as $Extend and $UsnJrnl.

17. The fsutil command requires what type of privilege to run?
a. Standard login
b. Guest login
c. System administrator
d. Superuser
Answer: c. System administrator
Explanation: The fsutil command requires system administrator privileges to run and access those areas of the protected files.
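The question 16 answer says $UsnJrnl:$J records name changes and data being added or deleted; the Python below is an added example that decodes exactly those records so the claim can be seen in the data. It is not the textbook's or any forensic tool's code. The record layout and reason flags are the documented Windows USN_RECORD_V2 format; the journal bytes it parses are constructed with build_record() (a rename followed by a write, with a zeroed gap between records) rather than read from a real $J, and the file reference numbers and timestamp are sample values.

```python
"""Parse $UsnJrnl:$J change records (USN_RECORD_V2).

Added example for review question 16; not the textbook's or any tool's code.
Layout and reason flags follow the documented USN_RECORD_V2 structure; the
journal parsed below is constructed with build_record(), not a real $J.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQqqIIIIHH")  # 60-byte fixed part before the UTF-16LE file name
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def reason_names(reason: int) -> list:
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def parse_usn_journal(data: bytes) -> list:
    """Decode every V2 record in a $J byte string; skips zero-filled (sparse) regions."""
    records = []
    offset = 0
    while offset + HEADER.size <= len(data):
        record_length = struct.unpack_from("<I", data, offset)[0]
        if record_length == 0:            # zeroed region: step to the next 8-byte boundary
            offset += 8
            continue
        if record_length < HEADER.size or offset + record_length > len(data):
            break                         # truncated or corrupt record, stop here
        (_, major, _minor, frn, parent_frn, usn, timestamp, reason, _source, _security,
         attributes, name_len, name_off) = HEADER.unpack_from(data, offset)
        if major != 2:                    # only V2 records are decoded in this example
            offset += record_length
            continue
        name = data[offset + name_off: offset + name_off + name_len].decode("utf-16-le", "replace")
        records.append({
            "usn": usn,
            "file_reference": frn & 0xFFFFFFFFFFFF,        # low 48 bits: MFT entry number
            "parent_reference": parent_frn & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_datetime(timestamp),
            "reasons": reason_names(reason),
            "attributes": attributes,
            "name": name,
        })
        offset += record_length
    return records


def build_record(usn: int, filetime: int, reason: int, name: str,
                 frn: int = 0x000100000000002A, parent: int = 0x0001000000000005) -> bytes:
    """Serialize one V2 record, padded to the 8-byte alignment NTFS uses (sample reference numbers)."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER.size + len(name_bytes) + 7) // 8 * 8
    header = HEADER.pack(length, 2, 0, frn, parent, usn, filetime, reason, 0, 0,
                         0x20, len(name_bytes), HEADER.size)
    return header + name_bytes + b"\x00" * (length - HEADER.size - len(name_bytes))


# Constructed journal: a rename, then a write one second later, with a zeroed gap in between.
SAMPLE_FILETIME = 132977376000000000  # 2022-05-23 00:00:00 UTC
SAMPLE_JOURNAL = (
    build_record(1024, SAMPLE_FILETIME, 0x00001000 | 0x80000000, "draft.txt")
    + build_record(1104, SAMPLE_FILETIME, 0x00002000 | 0x80000000, "Crypto-20220523.ods")
    + b"\x00" * 16
    + build_record(1200, SAMPLE_FILETIME + 10_000_000, 0x00000002 | 0x80000000, "Crypto-20220523.ods")
)

if __name__ == "__main__":
    for rec in parse_usn_journal(SAMPLE_JOURNAL):
        print(rec["usn"], rec["timestamp"].isoformat(), rec["name"], ", ".join(rec["reasons"]))
```

A rename shows up as two records with the same file reference, RENAME_OLD_NAME carrying the old name and RENAME_NEW_NAME the new one, and a write as DATA_EXTEND or DATA_OVERWRITE; the CLOSE bit marks the record written when the handle was released. The same parser applies to a $J extracted with FTK Imager, with the caveat that real journals also contain large sparse runs and, on current Windows versions, V3 records that this example does not decode.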


Hands-On Projects - Solutions

Project 9-1
Estimated Time: 10 minutes for actual work and several hours for the imaging process
Objective: Convert a .vdi file to a raw image file.
Before You Begin:
• Create Work folder C:\Work\Module_09\Project_09-1.
• Download to your Work folder the following data files provided with the module:
  • Project_09-1_Examiner_Notes.xlsx
  • Project_09-1_VDI_file.zip (unzip this file and extract the contents to your Work folder)
• Access the following items:
  • Autopsy for Windows
  • Oracle VirtualBox (download and install at virtualbox.org/wiki/Downloads)
  • Ubuntu 22.04 VM

Complete the following steps:
1. Open the file Project_09-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_09-1.
2. Using File Manager, determine the full path of Oracle VirtualBox (e.g., C:\Program Files\oracle\virtualbox).
3. In the search area of the Windows start menu, type command. Select Run as administrator and navigate to the VirtualBox folder.
4. Type vboxmanage clonemedium c:\Work\Module_09\Project_09-1\Project_09-1_VDI_file.vdi c:\work\Module_09\Project_09-1\Project_09-1_Rawformat.001 -format=vmdk and press Enter.
5. Once the file converts, launch Autopsy for Windows. Start a new case and open the file.
6. Update your examiner notes to reflect on the steps you took to complete the project, including the amount of time it took to complete the steps. Save and close the examiner notes file.
7. When finished, submit to your instructor the following file:
• Project_09-1_Examiner_Notes.xlsx

Solution Guidance: To complete this case project, students will need to unzip the .vdi file. They need to be aware of the amount of time it took both to unzip the file and to convert the .vdi file to a raw format. They also need to test the converted file with Autopsy to ensure it converted correctly. For an example of the file that students will submit, see the following solution file:
• Solution_Project_09-1_Examiner_Notes.pdf
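To show what the conversion in step 4 actually produces, here is an added example (not the textbook's or VirtualBox's code) that walks a dynamically allocated VDI's block map and writes the raw image, then hashes it for the examiner notes. The four-block sample image it builds is a constructed assumption; the header field offsets follow VirtualBox's VDICore.h for a version 1.1 header.

```python
"""Convert a dynamically allocated VirtualBox .vdi image to a raw (dd-style) image.

Added example for Project 9-1; this is not the textbook's or VirtualBox's code. It
re-implements what "vboxmanage clonemedium ... --format RAW" writes, so an examiner
can see that the raw file is the block map applied in logical order, with never-written
blocks emitted as zeros, and can hash the result for the examiner notes. Assumes a
VDI 1.1 header (VirtualBox 1.6 and later); field offsets follow VirtualBox's VDICore.h.
"""
import hashlib
import struct
import sys

VDI_SIGNATURE = 0xBEDA107F   # bytes 7F 10 DA BE at offset 0x40
BLOCK_FREE = 0xFFFFFFFF      # block never written: reads as zeros
BLOCK_ZERO = 0xFFFFFFFE      # block explicitly discarded/zeroed: reads as zeros


def parse_vdi_header(data):
    """Return the header fields needed to walk the block map."""
    sig, version = struct.unpack_from("<II", data, 0x40)
    if sig != VDI_SIGNATURE:
        raise ValueError("not a VDI file (signature 0x%08x)" % sig)
    if version >> 16 != 1:
        raise ValueError("unsupported VDI major version %d" % (version >> 16))
    image_type = struct.unpack_from("<I", data, 0x4C)[0]       # 1 = dynamic, 2 = fixed
    off_blocks, off_data = struct.unpack_from("<II", data, 0x154)
    disk_size, block_size, block_extra, n_blocks, n_alloc = struct.unpack_from("<QIIII", data, 0x170)
    return {"type": image_type, "off_blocks": off_blocks, "off_data": off_data,
            "disk_size": disk_size, "block_size": block_size, "block_extra": block_extra,
            "n_blocks": n_blocks, "n_alloc": n_alloc}


def vdi_to_raw(vdi):
    """Flatten the VDI block map into the guest's linear disk image."""
    h = parse_vdi_header(vdi)
    block_map = struct.unpack_from("<%dI" % h["n_blocks"], vdi, h["off_blocks"])
    slot = h["block_size"] + h["block_extra"]      # on-disk size of one stored block
    raw = bytearray()
    for entry in block_map:                         # logical block order, not file order
        if entry in (BLOCK_FREE, BLOCK_ZERO):
            raw += bytes(h["block_size"])
        else:
            start = h["off_data"] + entry * slot + h["block_extra"]
            chunk = vdi[start:start + h["block_size"]]
            if len(chunk) != h["block_size"]:
                raise ValueError("block map entry %d points past end of file" % entry)
            raw += chunk
    return bytes(raw[:h["disk_size"]])              # last block may extend past disk size


def build_sample_vdi():
    """Constructed four-block dynamic VDI (512-byte blocks, not a real VirtualBox file).
    Logical blocks: 0 -> stored block 1, 1 -> never written, 2 -> stored block 0, 3 -> zeroed."""
    off_blocks, off_data, block_size = 0x200, 0x400, 512
    img = bytearray(off_data)
    img[0:40] = b"<<< Oracle VM VirtualBox Disk Image >>>\n"
    struct.pack_into("<II", img, 0x40, VDI_SIGNATURE, 0x00010001)        # signature, v1.1
    struct.pack_into("<III", img, 0x48, 0x190, 1, 0)                     # header size, dynamic, flags
    struct.pack_into("<II", img, 0x154, off_blocks, off_data)
    struct.pack_into("<QIIII", img, 0x170, 4 * block_size, block_size, 0, 4, 2)
    struct.pack_into("<4I", img, off_blocks, 1, BLOCK_FREE, 0, BLOCK_ZERO)
    img += bytes([0xBB]) * block_size                                    # stored block 0
    img += bytes([0xAA]) * block_size                                    # stored block 1
    return bytes(img)


def convert_file(src_path, dst_path):
    """Convert src_path to dst_path and return (raw size, SHA-256 hex) for the notes."""
    with open(src_path, "rb") as f:
        raw = vdi_to_raw(f.read())
    with open(dst_path, "wb") as f:
        f.write(raw)
    return len(raw), hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        size, digest = convert_file(sys.argv[1], sys.argv[2])
    else:
        raw = vdi_to_raw(build_sample_vdi())
        size, digest = len(raw), hashlib.sha256(raw).hexdigest()
    print("raw size: %d bytes, sha256: %s" % (size, digest))
```

The script reads the whole .vdi into memory; for a multi-gigabyte image, write the blocks out one at a time instead. Hashing the raw file here and again after the vboxmanage run gives the cross-check the solution guidance asks for.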


Project 9-2
Estimated Time: 20 minutes for actual work and several hours for the imaging process
Objective: Create a forensic image of a VM using Autopsy.
Before You Begin:
• Create Work folder C:\Work\Module_09\Project_09-2.
• Download to your Work folder the following data file provided with the module:
  • Project_09-2_Examiner_Notes.xlsx
• Access the following items:
  • Autopsy for Windows
  • Ubuntu 22.04 VM

To create a forensic image of a VM using Autopsy, complete the following steps:
1. Open the file Project_09-2_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_09-2.
2. Start Autopsy for Windows and click the Create New Case button. In the New Case Information window, enter today’s date in the Case Name text box and click Browse next to the Base Directory text box. Navigate to and click your Work folder and then click Select.
3. In the Additional Information window, type today’s date in the Case Number text box and your name in the Examiner text box and then click Finish.
4. In the Select Data Source window, click the Browse button next to the “Browse for an image file” text box, navigate to the /users/username/VirtualBox VMs/Ubuntu 22.04 folder (or where your Ubuntu VM is stored), click the Ubuntu 22.04.vmdk file, and then click Open. Click Next, leave the default settings in the Configure Ingest Modules window, and click Next again.
5. It may take Autopsy several hours to ingest the image, so leave the machine running.
6. Once the process is complete, update your examiner notes file to document the steps you took and your results. Submit to your instructor the following file:
• Project_09-2_Examiner_Notes.xlsx

Solution Guidance: Older versions of Autopsy could not process certain files, such as .vmdk files, but the current version can. Students should be aware that it may take a significant amount of time for Autopsy to ingest the entire file. For an example of the file that students will submit, see the following solution file:
• Solution_Project_09-2_Examiner_Notes.pdf

Project 9-3
Estimated Time: 120 minutes
Objective: Create and test a nested VM.
Before You Begin:
• Create Work folder C:\Work\Module_09\Project_09-3.
• Download to your Work folder the following data file provided with the module:
  • Project_09-3_Examiner_Notes.xlsx


• Access the following items:
  • Ubuntu 22.04 VM with 8 GB of RAM and 50 GB of storage (name it “Ubuntu 22.04”)

In this project, you examine a VM nested inside another VM. Keep in mind that the number of VMs you can nest depends on the host machine’s RAM and storage. For example, if you have 32 GB of RAM, you could allot 16 GB of those to the first VM installed in the initial VM, 8 GB of RAM to the second VM, and 4 GB of RAM to the third VM. With a VM nested this deeply, it would be hard for an investigator to determine where an attack originated. This project is a fun exercise to conduct in a classroom setting where machines are available for this level of exercise. This one only requires a machine with 16 GB of RAM, which most laptops have.

Complete the following steps:
1. To create a nested VM in VirtualBox, you need to change the settings. In the VirtualBox main window, select the Ubuntu VM you created for this project. Then click the Settings icon and then click System. In the System window, click the Processor tab and increase the number of CPUs to 2. Click the Enable Nested VT-X/AMD-V check box to select it, as shown in Figure 9-13. Click OK.
[Figure 9-13 Enable Nested VT-x/AMD-V]
Note 6
Because Ubuntu 22.04 needs 2–4 GB of RAM and 25 GB of storage, students may encounter issues completing this project on some machines. The other potential issue is that Ubuntu 22.04 requires two CPUs, which can put a strain on the host machine. An alternative approach is to use Xubuntu as the nested VM because it uses fewer resources. For more information on this approach, see howtogeek.com/718012/how-to-choose-between-ubuntu-kubuntu-xubuntu-and-lubuntu.
2. Launch the Ubuntu 22.04 VM and open Firefox. Download the iso file for Ubuntu 22.04.
3. The most straightforward way to install VirtualBox on Ubuntu is at the command-line interface. Launch a terminal window. Type sudo apt-get update. If prompted, enter the password you created for this OS. Next, type sudo apt-get install virtualbox. Install the VirtualBox Extension Pack by typing sudo apt-get install virtualbox-ext-pack. Accept the agreement to only use it for personal use. (For more details, go to phoenixnap.com/kb/install-virtualbox-on-ubuntu.) When the installation is complete, you will see a message indicating that the Extension Pack installed correctly.
4. To launch VirtualBox, bring up a terminal window and type virtual in the Search line. The icon for VirtualBox should appear. Create a new VM called Ubuntu-Nested. In the Create Virtual Machine window, continue creating the VM. Click the VMDK (Virtual Machine Disk) option button for the hard disk type and leave the default settings in the remaining windows.
5. With the VM powered off, click the Settings icon and then click System. Be sure to adjust the RAM to approximately half that of the host VM and confirm that you have at least 20 GB of storage on this one. Start the Ubuntu-Nested VM and install Ubuntu 22.04. Be sure to use a different username than the host VM. Note any issues you run into.


6. Take a screenshot of Ubuntu-Nested running inside Ubuntu main, as shown in Figure 9-14.
[Figure 9-14 Ubuntu-Nested VM]
7. Navigate to where the VM files are stored on Ubuntu-Primary (referring to the module discussion, if needed) and take a screenshot showing where the files for Ubuntu-Nested are located, as shown in Figure 9-15. When you’re finished, power off Ubuntu-Nested.
[Figure 9-15 File location for the Ubuntu-Nested VM]
8. Take a snapshot of the Ubuntu-Primary VM and name it SS_of_Ubuntu_Nested. Copy it to your examiner notes and add descriptive comments if you like.
9. Run the nested VM and access a few different websites. Then delete the VM by opening Oracle VirtualBox VM Manager. Right-click the nested VM and select Remove.
10. A VirtualBox-Question window opens with a message asking if you want to just remove the VM from the list or delete all the files. Click Delete all Files.
11. Try to locate the deleted files and record the results of your search in your examiner notes. Check locations such as Trash to see if the deleted files are there. If not, ascertain why. As a challenge, you can try doing this same project in VMware Player.
12. When you are finished, submit to your instructor the following file:
• Project_09-3_Examiner_Notes.xlsx

Solution Guidance: Students will likely run into issues with this project because Ubuntu 22.04 requires so many resources. Ideally, they will use a 16-bit or smaller VM as the nested VM. The critical part of this project is that they realize that the file was too large for the Trash of Ubuntu. For an example of the file that students will submit, see the following solution file:
• Solution_Project_09-3_Examiner_Notes.pdf

Project 9-4
Estimated Time: 30 minutes
Objective: Explore and examine a forensics image file that contains a Windows virtual hard drive.
Before You Begin:
• Create Work folder C:\Work\Module_09\Project_09-4.
• Download to your Work folder the following data files provided with the module:
  • Project_09-4_Examiner_Notes.xlsx
  • Project_09-4_Virtual_Drive.zip (unzip this file and extract the contents to your Work folder)
• Access the following items:
  • Autopsy for Windows


Your manager has directed you to examine a digital forensics image file named Project_09-4_Virtual_Drive.E01, which contains a VM file, to see if you can find any correspondence from Nosipho Zondo (email address: nosiphoz@gmx.com) to Roberto Ramirez (email address: ramirez7e@gmx.com). Your manager is particularly interested in learning if these two people exchanged any files. In addition to verifying any communications between these two people, you will need to extract any messages as well as any files attached to those messages.

Complete the following steps:
1. Open the file Project_09-4_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_09-4.
2. Start Autopsy for Windows. In the Welcome window, click New Case and, in the Case Information pane’s Case Name input box, type Project_09-4-Virtual_Drive. Click Browse and navigate to your Work folder and then click Next.
3. In Autopsy’s Welcome window, click the New Case button. In the New Case Information window, enter Project_09-4_Virtual_Drive in the Case Name text box and click Browse next to the Base Directory text box. Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type and then click Next.
4. In the Optional Information window, type Project_09-4_Virtual_Drive in the Case Number text box and your full name in the Name text box in the Examiner section. Click Finish to start the Add Data Source Wizard.
5. In the Select Type of Data Source To Add area of the Add Data Source window, click the Logical Files button and then click Next.
6. In the Select Data Source pane, click Add and then Browse. In the Select Local Files or Folders window, navigate to your Work folder and click the Project_09-4_Virtual_Drive.E01 folder. Click Select and then click Next in the Select Data Source pane.
7. In the Configure Ingest area of the Add Data Source window, click Deselect All and then click the Email Parser and Virtual Machine Extractor checkboxes. Click Next and then click Finish.
8. When the Ingest completes, in the Tree Viewer pane, click and expand Results, E-Mail Messages, Default ([Default]), and then the Default folder.
9. In the Result Viewer pane, click the E-Mail From header once to sort sender email addresses in ascending order. Scroll down the list until you locate the first messages sent by ramirez7e@gmx.com to nosiphoz@gmx.com, as shown in Figure 9-16.
[Figure 9-16 Email from Roberto Ramirez to Nosipho Zondo]
10. In the Content Viewer pane, click the Attachment (3) tab, and then in the Table pane, expand the Location column to display the entire path and file name of each of the attached files. Click to select all three files and then right-click the highlighted files. Click Extract File(s), as shown in Figure 9-17. Click Save in the Save window and then click OK.
[Figure 9-17 Files attached to the email]


11. Close Autopsy and then update and complete the notes of your actions for this project in your examiner notes file.
12. Start File Explorer and copy the three attached files from Autopsy’s Extract folder to your Work folder. Rename each file from its export name as follows:
• Project_09-4_nnnnnn-Crypto-20220523.ods
• Project_09-4_nnnnnn-685684-Horse-Bookie.dbf
• Project_09-4_nnnnnn-685686-Superior-Industries-Accounts.odb
13. When finished, submit to your instructor the following files:
• Project_09-4_Examiner_Notes.xlsx
• Project_09-4_nnnnnn-Crypto-20220523.ods
• Project_09-4_nnnnnn-Horse-Bookie.dbf
• Project_09-4_nnnnnn-Superior-Industries-Accounts.odb

Note 7
When exporting files, Autopsy will assign a unique prefix number to the file’s name to distinguish it from other identically named files or folders.

Solution Guidance: Upon completion of this project, students should have successfully located the email message from Nosipho Zondo to Roberto Ramirez that contained the following three attached files:
• nnnnnn-Crypto-20220523.ods
• nnnnnn-Horse-Bookie.dbf
• nnnnnn-Superior-Industries-Accounts.odb

The email message students should have located contains the following metadata:
• Source File: INBOX
• E-Mail From: ramirez7e@gmx.com
• E-Mail To: nosiphoz@gmx.com
• Subject: Inside Info
• Date Received: 2023-05-24 14:12:55 PDT
• Path: /pop.gmx.com/INBOX
• Thread ID: f1ecca4e-dac6-4283-90c9-b65fb80d4349
• Data Source: Project_09-4_VBox.vhd

For examples of the files created for this project, see the following solution files:
• Solution_Project_09-4_685682-Crypto-20220523.pdf
• Solution_Project_09-4_Examiner_Notes.pdf
• Solution_Project_09-4_685684-Horse-Bookie.pdf
• Solution_Project_09-4_685686-Superior-Industries-Accounts-Companies-odb.pdf
• Solution_Project_09-4_685686-Superior-Industries-Accounts-Crypto-odb.pdf
• Solution_Project_09-4_685686-Superior-Industries-Accounts-Customers-odb.pdf
• Solution_Project_09-4_685686-Superior-Industries-Accounts-InternationalCustomers-odb.pdf


Case Projects - Solutions

Case Project 9-1
Estimated Time: 60 minutes
Objective: Compare and contrast at least three tools for remote acquisition through independent research.
Before You Begin:
• Create Work folder C:\Work\Module_09\Case_Project_09-1.

One of the topics explored in this module was remote acquisition. You were introduced to Belkasoft R, which is a tool specifically designed for remote acquisitions. What other tools are available? Find at least two others to compare with Belkasoft R. In either a word processor or spreadsheet application, create a table that compares the three products and save it as Case_Project_09-1.docx or Case_Project_09-1.xlsx. In the table, note the name of the product, its website, its cost, and some of its important features. Pay attention to the features that each one has or doesn’t have and how they differ. Which one do you prefer? When finished, submit to your instructor the following file:
• Case_Project_09-1.docx or Case_Project_09-1.xlsx

Solution Guidance: Students should find at least three tools and compare them. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_09-1.pdf

Case Project 9-2
Objective: Create a procedure to use for a VM found on a suspect hard drive.
Before You Begin:
• Create Work folder C:\Work\Module_09\Case_Project_09-2.

In this case project, assume you have acquired a forensic image of a suspect laptop. After doing an examination, you discover at least one VM installed and you think more data likely exists, but you aren’t sure. You decide to make a copy of the VM’s files and mount the VM as an external drive. In a word processor, start a document and save it as Case_Project_09-2.docx in your Work folder. In the document, write a short report describing the best procedure for this situation, including listing the steps you would follow. When finished, submit to your instructor the following file:
• Case_Project_09-2.docx

Solution Guidance: Students could take different approaches to completing this case project. They could do what is suggested here, or they could launch a copy of the suspect drive and examine it live. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_09-2.pdf



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 10: Network Forensics

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 10: NETWORK FORENSICS

Table of Contents
Activities - Solutions ..... 2
Activity 10-1 ..... 2
Activity 10-2 ..... 3
Review Questions - Answers ..... 4
Hands-On Projects - Solutions ..... 8
Project 10-1 ..... 8
Project 10-2 ..... 9
Case Projects - Solutions ..... 10
Case Project 10-1 ..... 10
Case Project 10-2 ..... 11


Activities - Solutions

Activity 10-1
Estimated Time: 30 minutes
Objective: Install Wireshark and use it to examine sample capture packets.
Before You Begin:
• Create Work folder C:\Work\Module_10\Activity_10-1.
• Download to your Work folder the following data files provided with the module:
  • Activity_10-1_Examiner_Notes.xlsx
  • http.cap
  • udp_lite_normal_coverage_8-20.pcap
• Access the following item:
  • Wireshark (download and install from wireshark.org)

Complete the following steps:
1. Open the file Activity_10-1_Examiner_Notes.xlsx and fill in your name and the date. Record the steps you take in this activity in your examiner notes.
2. Right-click the Wireshark icon and select Run as administrator. Note that if you do not run the software as Administrator, Wireshark may display several dialog boxes while loading, depending on how many networks it detects.
3. In Wireshark, click File and then Open. Navigate to your Work folder for this module, and then click the file http.cap, which is a capture file for a standard http request.
4. You will see three panes in the Wireshark window: one large pane on the top and two on the bottom, as shown in Figure 10-4. As you examine the top pane, notice that it displays the time, source and destination IP addresses, protocol used, length, and some additional information about the frame.
[Figure 10-4 Sample capture file in Wireshark]
5. The bottom-left frame shows the frame number along with the various protocols, which include IP and UDP. As you click on the various protocols, expand them and examine the hexadecimal code along with the ASCII in the bottom right frame. Take screen captures of what you find, similar to what is shown in Figure 10-5.
[Figure 10-5 Exploring in Wireshark]
6. Next, open the file udp_lite_normal_coverage_8-20.pcap. Select one of the frames in the top pane and then expand the Internet Protocol Version item. Take a screen capture of this and then exit Wireshark.
7. Update your examiner notes to reflect the steps you took in this activity, and add the screen captures to your notes. When finished, submit to your instructor the following file:
• Activity_10-1_Examiner_Notes.xlsx


Solution Guidance: For this activity, students install Wireshark and use the sample packet captures. They need to take screenshots of the items they examine and include those screenshots in their examiner notes file. The screenshots should show dates, IP addresses, protocols, and the hexadecimal representation. For an example of the file that students will submit, see the following solution file: • Solution_Activity_10-1_Examiner_Notes.pdf

Activity 10-2
Estimated Time: 30 minutes
Objective: Analyze the file from Activity 10-1 using tcpdump.
Before You Begin:
• Create Work folder C:\Work\Module_10\Activity_10-2.
• Download to your Work folder the following data file provided with the module:
  • Activity_10-2_Examiner_Notes.xlsx
• Access the following item:
  • Kali Linux VM

tcpdump is a powerful Linux-based command-line tool that can be used both to acquire and analyze data from ports. In this activity, you use tcpdump to analyze the same file you worked with in Wireshark.

Complete the following steps:
1. Open the file Activity_10-2_Examiner_Notes.xlsx, and fill in your name and the date. Record the steps you take in this activity in your examiner notes.
2. Launch the Kali Linux VM and open a terminal window.
3. Verify that tcpdump is already installed by typing sudo apt install tcpdump at the command prompt. You should see a response indicating that the newest version of tcpdump is already installed, as shown in Figure 10-6. Take a screen capture of this window for your examiner notes.
[Figure 10-6 Verifying tcpdump is installed on Kali]
Note that if you attempt to run tcpdump on eth0 you will get an error indicating that you do not have permission as this is a guest machine.
4. To download the pcap file to the VM, open a browser and go to wiki.wireshark.org/SampleCaptures. In the search bar, type udp_lite. Click on udp_lite_normal_coverage_8-20.pcap. Save it to your Home directory.
5. In the terminal window, type tcpdump -r udp_lite_normal_coverage_8-20.pcap. Take a screen capture of the output, which should look like Figure 10-7.
[Figure 10-7 Reading a pcap file using tcpdump]
6. Update your examiner notes to reflect the steps you took in this activity, and add the screen captures to your notes. When finished, submit to your instructor the following file:
• Activity_10-2_Examiner_Notes.xlsx


Solution Guidance: In this activity, students will verify that tcpdump is installed on Kali Linux and use one of the same sample packet captures used with Kali. They need to take screenshots of the items they examine. The screenshots should show dates, the source and destination IP addresses, and the protocol. For an example of the file that students will submit, see the following solution file:
• Solution_Activity_10-2_Examiner_Notes.pdf
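As an added example for Activities 10-1 and 10-2 (not code from the textbook, Wireshark or tcpdump), the following reader produces the same per-frame summary that tcpdump -r prints, from a two-frame capture constructed inline so it runs without the module's files; the addresses, ports and timestamps in that sample are assumptions.

```python
"""Read a classic .pcap and print one summary line per frame, like tcpdump -r.

Added example for Activities 10-1 and 10-2; not code from the textbook, Wireshark or
tcpdump. It shows which bytes carry the fields an examiner reads off each frame
(timestamp, source and destination IP address, protocol, length, ports). Assumes the
Ethernet link type and IPv4; other frames are labelled by EtherType. Times print in UTC.
"""
import struct
import sys
from datetime import datetime, timezone

# magic as read little-endian from the first 4 bytes -> (byte order of the file, ticks per second)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),      # microsecond stamps
               0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}      # nanosecond stamps
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 136: "UDPLite"}
ETH_IPV4 = 0x0800

def read_pcap(data):
    """Yield (timestamp, captured length, original length, frame bytes) for each record."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    endian, ticks = PCAP_MAGICS[magic]
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec + ts_frac / ticks, incl_len, orig_len, frame

def parse_frame(frame):
    """Decode Ethernet II + IPv4 into the fields Wireshark shows in its top pane."""
    rec = {"src": None, "dst": None, "proto": None, "sport": None, "dport": None}
    if len(frame) < 14:
        rec["proto"] = "short frame"
        return rec
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_IPV4:
        rec["proto"] = "ethertype 0x%04x" % ethertype
        return rec
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length, options included
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    rec["src"] = ".".join(str(b) for b in ip[12:16])
    rec["dst"] = ".".join(str(b) for b in ip[16:20])
    rec["proto"] = IP_PROTO.get(proto, "ip-proto-%d" % proto)
    l4 = ip[ihl:total_len]
    if proto in (6, 17, 136) and len(l4) >= 4:    # TCP, UDP and UDP-Lite all start with the two ports
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
    return rec

def summarize(data):
    """Return one dict per frame: time, length and the parse_frame fields."""
    out = []
    for ts, caplen, _origlen, frame in read_pcap(data):
        rec = parse_frame(frame)
        rec.update(time=ts, length=caplen)
        out.append(rec)
    return out

def format_line(rec):
    """Render a record in tcpdump's one-line style."""
    when = datetime.fromtimestamp(rec["time"], tz=timezone.utc).strftime("%H:%M:%S.%f")
    if rec["src"] is None:
        return "%s %s, length %d" % (when, rec["proto"], rec["length"])
    src = rec["src"] + ("" if rec["sport"] is None else ".%d" % rec["sport"])
    dst = rec["dst"] + ("" if rec["dport"] is None else ".%d" % rec["dport"])
    return "%s IP %s > %s: %s, length %d" % (when, src, dst, rec["proto"], rec["length"])

def build_sample_pcap():
    """Constructed two-frame capture (not one of the module's files): a UDP-Lite datagram with
    checksum coverage 8 and a TCP SYN, RFC 5737 addresses, IP/transport checksums left zero."""
    def ipv4(src, dst, proto, payload):
        addr = lambda a: bytes(int(x) for x in a.split("."))
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                          64, proto, 0, addr(src), addr(dst))
        return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_IPV4) + hdr + payload
    udplite = struct.pack("!HHHH", 40000, 53, 8, 0) + b"hello-udplite"          # ports, coverage, csum
    tcp_syn = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)  # SYN flag = 0x02
    frames = [(1000000000, 250000, ipv4("192.0.2.10", "192.0.2.1", 136, udplite)),
              (1000000001, 500000, ipv4("198.51.100.5", "192.0.2.80", 6, tcp_syn))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, usec, Ethernet
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for rec in summarize(data):
        print(format_line(rec))
```

Run it against udp_lite_normal_coverage_8-20.pcap to compare its lines with the tcpdump output in Figure 10-7; the protocol column comes from the single byte at offset 9 of the IPv4 header, which is the field the Wireshark screenshots in Activity 10-1 are meant to show.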

Review Questions - Answers

1. Where does a layered network defense strategy put the most valuable data?
a. In the demilitarized zone
b. In the outermost layer
c. In the innermost layer
d. None of these choices
Answer: c. In the innermost layer
Explanation: A layered network defense strategy involves setting up layers of protection to hide the most valuable data where it will be the most difficult to get to. Therefore, the most important data is stored in the innermost layer.

2. When do zero-day attacks occur? (Choose all that apply.)
a. On the day the application or OS is released
b. Before a patch is available
c. Before the vendor is aware of the vulnerability
d. On the day a patch is created
Answer: a. On the day the application or OS is released; b. Before a patch is available; c. Before the vendor is aware of the vulnerability
Explanation: A zero-day attack is one launched when an attacker discovers a vulnerability before the vendor has created and released a patch, and often before the vendor is even aware the vulnerability exists.

3. What types of information do packets contain?
a. Destination
b. Source
c. Protocol
d. All of these choices
Answer: d. All of the above
Explanation: Packets contain not only the data but also key information that can be used to determine their destination, source, and protocol, among other things.


4. Honeypots are which of the following? (Choose all that apply.)
a. Computers used to deceive legitimate users of the network
b. Computers that collect data regarding attackers
c. Computers that appear to be legitimate parts of a network
d. Computers that redirect traffic
Answer: b. Computers that collect data regarding attackers; c. Computers that appear to be legitimate parts of a network
Explanation: Honeypots are computers placed on a network to attract attackers into attacking them so that the researchers or facility can gain information about who is attacking and how they are gaining entry.

5. tcpdump collects what type of information?
a. Source and destination
b. Time and size of data
c. Speed of connection
d. Only data
Answer: a. Source and destination; b. Time and size of data
Explanation: Tcpdump collects packets, which contain source and destination information as well as the time the data was sent and the size of the data, with other items.

6. Misconfigured servers may be the result of which of the following?
a. An untested patch
b. Port 1295 open
c. Port 80 open
d. Port 23 open
Answer: a. An untested patch; d. Port 23 open
Explanation: Misconfigured servers may be the result of patches that have not been tested and an open port 23, among other things.

7. Network administrators and digital forensics investigators need to consider which of the following regarding the data on a network? (Choose all that apply.)
a. How long data should be saved
b. Who can view the data
c. Content of the data
d. Jurisdiction governing any PII on the network
Answer: a. How long data should be saved; b. Who can view the data; c. Content of the data; d. Jurisdiction governing any PII on the network
Explanation: Network administrators and digital forensics investigators need to consider things such as how long the data must be preserved and who can view the data. The content of the data may impact those two considerations. In addition, the jurisdiction governing any PII is important to determine what privacy laws apply.


8. Hardening a network involves which of the following? (Choose all that apply.)
a. Applying the latest patches
b. Putting the most valuable information in the innermost part of the network
c. Putting decoys on the network
d. Making sure the routers are on
Answer: a. Applying the latest patches; b. Putting the most valuable information in the innermost part of the network
Explanation: Hardening a network means keeping systems current by applying the latest patches and placing the most valuable information in the innermost part of the network as part of a layered network defense strategy.

9. Small companies must deal with which of the following in relation to their networks? (Choose all that apply.)
a. Internal threats
b. External threats
c. Lack of money
d. Having a small network
Answer: a. Internal threats; b. External threats
Explanation: When safeguarding their networks, small companies have to address threats from employees as well as from external attackers.

10. To minimize response time after an intrusion, organizations should do which of the following? (Choose all that apply.)
a. Destroy all data.
b. Have a standard installation image for systems on the network.
c. Have an incident response team.
d. Immediately reinstall the OS.
Answer: b. Have a standard installation image for systems on the network; c. Have an incident response team.
Explanation: With a standard installation image, an organization can compare the hash values of files on a computer against the known-good image and quickly tell what has changed. An incident response team helps ensure that the organization can quickly determine what happened, find compromised machines, take them offline, and restore them to minimize downtime after an attack.

11. Network forensics tools allow you to do which of the following? (Choose all that apply.)
a. Perform remote shutdown of devices
b. Transmit data
c. Harden systems
d. Image devices remotely
Answer: a. Perform remote shutdown of devices; d. Image devices remotely
Explanation: Network forensics tools allow an examiner to shut down a device remotely and to acquire a forensic image of it over the network.
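Question 10's point about a standard installation image is that known-good hash values give you something to compare against. The following is an added example, not from the module or its data files: it snapshots a directory tree (a stand-in for the gold image), then re-hashes the tree after a simulated intrusion and reports what was modified, added, or removed. The directory layout, file contents and the "intrusion" are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algo)
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path -> hash); this is the gold-image record."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root, baseline):
    """Return the files that were modified, added, or removed relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario: snapshot a fake system tree, tamper with it, then diff against the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ssh").write_bytes(b"original ssh binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)  # taken from the clean image before deployment

        # Simulated intrusion: trojaned binary, dropped implant, deleted file
        (root / "bin" / "ssh").write_bytes(b"trojaned ssh binary")
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_bytes(b"implant")
        (root / "etc" / "motd").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline has to be generated from the clean image and stored off the host, otherwise an intruder with write access can rewrite it along with the files. On Windows, Get-FileHash produces the same SHA-256 values for spot checks against a stored baseline.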

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


12. Network logs can be used to identify which of the following? (Choose all that apply.)
a. Which ports were accessed
b. Name of the person accessing a specific port
c. Time a port was accessed
d. Destination IP address
Answer: a. Which ports were accessed; c. Time a port was accessed; d. Destination IP address
Explanation: Network logs record traffic in and out of a network and contain a large amount of information, including which ports were accessed, when a port was accessed, and the destination IP addresses. They record addresses, not identities: tying an address to a person requires other evidence, such as DHCP leases or authentication logs.

13. Zombies are used in what type of attack?
a. Zero day
b. Malware
c. DDoS
d. Viral
Answer: c. DDoS
Explanation: Zombies are computers used, without their owners' knowledge, as part of a distributed denial-of-service (DDoS) attack, in which many online machines are directed to attack a target at the same time.

14. Docker allows developers to do which of the following?
a. Create new programs
b. Combine their applications in one container that is easily moved
c. Bypass security protocols
d. Create subroutines
Answer: b. Combine their applications in one container that is easily moved
Explanation: Docker lets developers package an application and the code it depends on into one container that can easily be moved from one VM or platform to another.

15. Tools that are useful to network administrators can also be used by hackers. True or False?
Answer: True
Explanation: Tools such as Splunk, Wireshark, and Snort can be used by an attacker who is already on your network to map it and find further areas to gain access to.

16. Variations in a company's typical network pattern can indicate which of the following?
a. New people have been hired
b. A new application has been installed
c. The network has been compromised
d. None of these choices
Answer: c. The network has been compromised
Explanation: Changes in network traffic patterns may indicate that an attacker has accessed the network and is either exfiltrating information or installing malware.
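Questions 12 and 16 are about what a network log does and does not tell you. The following added example, not from the module, parses a few constructed connection-log lines (a generic firewall format with addresses from documentation ranges), summarizes which ports were reached and when, and flags traffic that departs from a baseline of known ports and business hours. The log format, the port baseline and the hours are assumptions made for the demo.

```python
import re
from datetime import datetime

# Constructed connection-log lines in a generic firewall format (not from the module's data files).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ALLOW TCP 10.0.0.15:51234 -> 93.184.216.34:443
2024-03-04T09:12:05Z ALLOW TCP 10.0.0.15:51236 -> 93.184.216.34:443
2024-03-04T09:13:10Z ALLOW UDP 10.0.0.15:53211 -> 10.0.0.2:53
2024-03-04T09:14:22Z DENY  TCP 203.0.113.7:44122 -> 10.0.0.15:23
this line is corrupt and must not crash the parser
2024-03-04T23:41:09Z ALLOW TCP 10.0.0.15:51300 -> 198.51.100.9:4444
2024-03-04T23:41:10Z ALLOW TCP 10.0.0.15:51301 -> 198.51.100.9:4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw lines into records; note the log carries addresses and ports, never a person's name."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or foreign line: skip it rather than abort the whole parse
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def access_summary(records):
    """Per destination port: how often, first and last seen, and which hosts (what Q12 says a log yields)."""
    summary = {}
    for r in records:
        s = summary.setdefault(
            r["dport"], {"count": 0, "first": r["ts"], "last": r["ts"], "destinations": set()}
        )
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
        s["destinations"].add(r["dst"])
    return summary


def flag_anomalies(records, known_ports, business_hours=(8, 18)):
    """Q16's variation from the typical pattern: allowed traffic to an unexpected port, or at an odd hour."""
    flagged = []
    for r in records:
        reasons = []
        if r["action"] == "ALLOW" and r["dport"] not in known_ports:
            reasons.append("unexpected destination port")
        if not business_hours[0] <= r["ts"].hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((r["ts"].isoformat(), r["dst"], r["dport"], reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, s in sorted(access_summary(recs).items()):
        print(f"port {port}: {s['count']} hits, {s['first']} .. {s['last']}, hosts {sorted(s['destinations'])}")
    for ts, dst, port, why in flag_anomalies(recs, known_ports={443, 53}):
        print(f"{ts} {dst}:{port} flagged: {', '.join(why)}")
```

The denied inbound attempt on port 23 is not flagged because it never got through; the two late-night connections to port 4444 are flagged on both counts, which is the kind of deviation from the normal pattern the module has in mind.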


Hands-On Projects - Solutions

Project 10-1
Estimated Time: 20 minutes
Objective: Examine other features of Wireshark that are available to investigators.
Before You Begin:
• Complete Activity 10-1.
• Create Work folder C:\Work\Module_10\Project10-1.
• Download to your Work folder the following data files provided with the module:
  • Project_10-1_Examiner_Notes.xlsx
  • telnet-cooked.pcap

While Wireshark is much more powerful when used in a live capture setting, you can still get an idea of how much you can find by exploring the tool in this project. Complete the following steps:
1. Open the file Project_10-1_Examiner_Notes.xlsx. Enter your name and the project number. Record what you do and anything unexpected that you observe as you complete these steps.
2. Right-click the Wireshark icon and select Run as administrator.
3. Click File and then Open. Click telnet-cooked.pcap and click Open.
4. Notice that in the upper pane, the protocols show TCP and Telnet, as shown in Figure 10-8. Take a screen capture of what you see for your examiner notes. [Figure 10-8 Reading a Telnet file]
5. On the menu, click Statistics and then click Capture File Properties. Notice the information available there and then close the dialog box.
6. Next, click Statistics, TCP Stream Graphs, and then Time Sequence. Record this step in your examiner notes.
7. Wireshark uses a color scheme to make reading and spotting items, such as different protocols, easier. Click View and then Coloring Rules. The window that opens shows the default colors for each standard protocol. Users can modify these for their own use; for example, a user who cannot see red can change it to a different color.
8. You can also apply filters. On the menu, click Analyze and then Display Filters. This shows the most commonly used filters.
9. Update your examiner notes to reflect the steps you took in this activity, and add the screen captures to your notes. When finished, submit to your instructor the following file:
• Project_10-1_Examiner_Notes.xlsx


Solution Guidance: In this project, students will look at the various features of Wireshark, take screen captures, and update their examiner notes file to reflect the steps they completed. Because learning to use Wireshark would constitute a separate class in itself, this project is intended to provide students with an overview of the tool. For an example of the file that students will submit, see the following solution file:
• Solution_Project_10-1_Examiner_Notes.pdf
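Project 10-1 opens telnet-cooked.pcap in Wireshark. To show what Wireshark is actually reading, here is an added example that is not part of the module and does not use the module's file: it builds a small libpcap capture in memory (constructed Ethernet/IPv4/TCP frames for a telnet login), parses it with only the standard library, and reassembles each direction of the telnet flow into cleartext. The addresses, the client port 40001 and the credentials are made up for the demo, and the capture is assumed to be in order with no retransmissions; the option stripping handles the common IAC forms.

```python
import struct
from collections import defaultdict

IAC, SB, SE = 0xFF, 0xFA, 0xF0  # telnet command bytes

def _ipv4_tcp_frame(src, dst, sport, dport, payload, seq=1, ack=1):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left zero; readers ignore them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    """Yield (ts_sec, frame) per record; the magic number reveals the writer's byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"link type {linktype} not supported; this reader handles Ethernet only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def extract_streams(data, port=23):
    """Concatenate TCP payloads per direction for flows touching `port` (assumes in-order capture)."""
    streams = defaultdict(bytearray)
    for _ts, frame in iter_packets(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]  # bounded by IP total length so Ethernet padding is dropped
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if port in (sport, dport) and payload:
            streams[(src, sport, dst, dport)] += payload
    return {k: bytes(v) for k, v in streams.items()}

def strip_telnet_options(raw):
    """Remove IAC option negotiation so only what was typed and echoed remains."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i]); i += 1; continue
        if i + 1 >= len(raw):
            break
        cmd = raw[i + 1]
        if cmd == IAC:            # escaped literal 0xFF data byte
            out.append(IAC); i += 2
        elif cmd == SB:           # subnegotiation runs until IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        elif 251 <= cmd <= 254:   # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:
            i += 2
    return bytes(out)

def constructed_capture():
    """A tiny telnet login typed one fragment at a time, in the spirit of the module's telnet-cooked.pcap."""
    c, s = "10.0.0.5", "10.0.0.9"
    return build_pcap([
        _ipv4_tcp_frame(s, c, 23, 40001, b"\xff\xfb\x01login: "),  # IAC WILL ECHO, then the prompt
        _ipv4_tcp_frame(c, s, 40001, 23, b"a"),
        _ipv4_tcp_frame(c, s, 40001, 23, b"dmin\r\n"),
        _ipv4_tcp_frame(s, c, 23, 40001, b"Password: "),
        _ipv4_tcp_frame(c, s, 40001, 23, b"hunter2\r\n"),
    ])

def telnet_sessions(data):
    """Map each flow direction to its cleartext; on a real capture this is the credential leak telnet is known for."""
    return {k: strip_telnet_options(v).decode("ascii", "replace")
            for k, v in extract_streams(data).items()}

if __name__ == "__main__":
    for (src, sport, dst, dport), text in telnet_sessions(constructed_capture()).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {text!r}")
```

Wireshark's Follow TCP Stream does the same reassembly (with proper sequence-number ordering); the point of doing it by hand is to see that nothing in a telnet session is protected, which is why finding port 23 traffic in a capture is itself a finding worth recording in the examiner notes.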

Project 10-2
Estimated Time: 20 minutes
Objective: Examine a live stream in Wireshark.
Before You Begin:
• Complete Activity 10-1.
• Create Work folder C:\Work\Module_10\Project10-2.
• Download to your Work folder the following data file provided with the module:
  • Project_10-2_Examiner_Notes.xlsx

Complete the following steps:
1. Open the file Project_10-2_Examiner_Notes.xlsx. Enter your name and the project number. Record what you do and anything unexpected that you observe as you complete these steps.
2. Right-click the Wireshark icon and select Run as administrator.
3. In the opening window, see which networks have activity on them. Select one and then click the Wireshark Capture button.
4. After a few minutes, click the Stop button.
5. Examine the data and see if you can determine what was picked up. For example, in Figure 10-9, you can see a standard query on line 7 in the Info column that shows doh.xfinity.com. It appears in both the upper pane and the lower-right pane. [Figure 10-9 Reading a live Wireshark capture]
6. Figure 10-10 shows encrypted application data in a packet. Find one in your capture and record it in your examiner notes. [Figure 10-10 Reading a live Wireshark capture showing encrypted data]
7. Find at least two other items of interest as you explore the capture and make note of them in your examiner notes.
8. Be sure to save your screen capture file.
9. Update your examiner notes to reflect the steps you took in this activity, and add the screen captures to your notes. When finished, submit to your instructor the following file:
• Project_10-2_Examiner_Notes.xlsx


Solution Guidance: In this project, students will do a capture of their own network. Depending on their Internet service provider, students may turn up something different than what is shown in the figures. For an example of the file that students will submit, see the following solution file:
• Solution_Project_10-2_Examiner_Notes.pdf

Case Projects - Solutions

Case Project 10-1
Estimated Time: 60 minutes
Objective: Research and draft an incident response plan for a small business.
Before You Begin:
• Create Work folder C:\Work\Module_10\Case_Project_10-1.

ABC Real Estate has two Windows servers, a Linux server, and 10 workstations, along with a small but dedicated IT staff. A total of 30 realtors are in and out of the office daily and share the workstations. Using your word processor, create a document and save it as Case_Project_10-1_Report.docx in your Work folder. Research incident response plans and network intrusion policies online and draft a basic plan in your report document for ABC Real Estate. Your plan should be one to two pages long. It should touch on the training required for all employees and what steps the IT staff should take to protect the company's machines and networks prior to an incident. It should also include a detailed set of steps that the IT staff should take in the event of a network intrusion. When finished, submit to your instructor the following file:
• Case_Project_10-1_Report.docx

Solution Guidance: Based on what they learned in the module, students should know that their draft incident response plan should require the IT staff at ABC Real Estate to have a standard installation image for all the company's workstations. The student's response plan should also detail who on the IT staff should be notified when an incident occurs, what files need to be pulled from the network logs, and how to capture RAM and the other volatile data in order of volatility (OOV). The plan should also require the IT staff to examine the network IDS after a successful attack to determine how and why it was successful. For an example of the file that students will submit, see the following solution file:
• Solution_CaseProject_10-1_Report.pdf


Case Project 10-2
Estimated Time: 60 minutes
Objective: Compare and contrast at least four network intrusion detection and prevention systems.
Before You Begin:
• Create Work folder C:\Work\Module_10\Case_Project_10-2.

Many network IDS and IPS software packages are available on the market, both shareware and commercial. Some products are installed on a host and others monitor the network itself. In the module, you were introduced to Snort, one of the more powerful tools available. Companies and organizations of all sizes need to carefully consider the cost and features of the various products and decide which package is best for their needs. Using your word processor, create a document and save it as Case_Project_10-2_Report.docx in your Work folder. Research at least four network IDSs/IPSs, and create a table in your report document that compares some of their features and their prices. Write a brief paragraph explaining which one you would choose and why. When finished, submit to your instructor the following file:
• Case_Project_10-2_Report.docx

Solution Guidance: When researching the topic in this case project, students will run across host-based as well as network-based intrusion detection tools. Encourage students to go to resources such as upguard.com/blog/top-free-network-based-intrusion-detection-systems-ids-for-the-enterprise for more information. For an example of the file that students will submit, see the following solution file:
• Solution_CaseProject_10-2_Report.pdf



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 11: Cloud Forensics and the Internet of Anything

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 11: CLOUD FORENSICS AND THE INTERNET OF ANYTHING

Table of Contents
Activities - Solutions 2
  Activity 11-1 2
Review Questions - Answers 2
Hands-On Projects - Solutions 8
  Project 11-1 8
  Project 11-2 9
Case Projects - Solutions 10
  Case Project 11-1 10
  Case Project 11-2 11
  Case Project 11-3 11


Activities - Solutions

Activity 11-1
Estimated Time: 60 minutes
Objective: Research how private health information is secured in the cloud.
Before You Begin:
• Create Work folder C:\Work\Module_11\Activity_11-1.

Modern medical devices such as CPAP machines, continuous glucose monitors (CGMs), and even pacemakers upload their data to the cloud or store it on the device itself. This information contains PII and other data covered by the Health Insurance Portability and Accountability Act (HIPAA). In this activity, you will research how these companies protect this sensitive information. Complete the following steps:
1. Open Activity_11-1_Examiner_Notes.xlsx in your Work folder.
2. Look for websites that explain the importance of data security in the IoT.
3. In this section, we looked at several devices that contain HIPAA-covered information along with PII. What steps should the manufacturers and users of these devices take to ensure the patient's or user's information is secure?
4. List the websites that you find along with their observations and recommendations.
5. When finished, submit to your instructor the following file:
• Activity_11-1_Examiner_Notes.xlsx

Solution Guidance: Students should list several websites that discuss the HIPAA challenges associated with devices that contain personal health and medical information, along with other PII. Students should note the pertinent background information on these sites as well as any recommendations the sites provide for securing private health and medical data. For an example of the file that students should submit, see the following solution file:
• Solution_Activity_11-1_Examiner_Notes.pdf

Review Questions - Answers

1. Amazon was an early provider of web-based services that eventually developed into the cloud concept. True or False?
Answer: True
Explanation: Amazon launched EC2 in 2006 to support small businesses. EC2 enabled individuals and small businesses to rent processing time to run their own applications from a centralized source.


2. What are the three levels of cloud services defined by NIST?
a. CRC, DRAM, and IMAP
b. OpenStack, FROST, and management plane
c. SaaS, PaaS, and IaaS
d. Hybrid, private, and community clouds
Answer: c. SaaS, PaaS, and IaaS
Explanation: The three basic levels of cloud services are defined in NIST SP 800-145. NIST SP 500-322 goes further and catalogs more than 75 "as a service" offerings.

3. What capabilities should a forensics tool have to acquire data from a cloud? (Choose all that apply.)
a. Identify and acquire data from the cloud.
b. Expand and contract data storage capabilities as needed for service changes.
c. Circumvent firewalls to access cloud data.
d. Examine virtual systems.
Answer: a. Identify and acquire data from the cloud; b. Expand and contract data storage capabilities as needed for service changes; d. Examine virtual systems
Explanation: The forensics tools must be able to identify and acquire data from the cloud. Because of the changing nature of the cloud, the tools must also be able to expand and contract data storage capabilities as needed. Finally, because most cloud systems run on VMs, the tools must be able to examine virtual systems.

4. Commingled data isn't a concern when acquiring cloud data. True or False?
Answer: False
Explanation: Because of multi-tenancy on the physical hardware, several customers' data may sit on the same storage and share the same applications. As a result, the investigator must be sure to segregate the target's data from everyone else's.

5. A(n) __________ is a contract between a CSP and the customer that describes what services are being provided and at what level.
Answer: service-level agreement (SLA)
Explanation: A service-level agreement tells the customer what they can expect.

6. Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply.)
a. Subpoenas with prior notice
b. Temporary restraining orders
c. Search warrants
d. Court orders
Answer: a. Subpoenas with prior notice; c. Search warrants; d. Court orders
Explanation: The ECPA describes five methods that can be used to obtain electronic information from a provider. In addition to the ones listed here, it also includes court orders with prior notice and subpoenas.


7. In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
a. SaaS
b. IaaS
c. DaaS
d. PaaS
Answer: b. IaaS
Explanation: In Infrastructure as a Service (IaaS), the client installs the OS and applications. The CSP maintains the equipment and/or computers being used by the customers.

8. What are the two states of encrypted data in a secure cloud?
a. RC4 and RC5
b. CRC-32 and UTF-16
c. Homomorphic and AES
d. Data in motion and data at rest
Answer: d. Data in motion and data at rest
Explanation: Encrypted data is either in motion or at rest. The other options name ciphers (RC4, RC5, AES, homomorphic encryption), a checksum (CRC-32), or a text encoding (UTF-16), not states of data.

9. Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
a. IaaS
b. HaaS
c. PaaS
d. SaaS
Answer: d. SaaS
Explanation: A smartphone typically uses SaaS applications, such as Dropbox or Gmail.

10. Which of the following cloud deployment methods typically offers the best security?
a. Hybrid cloud
b. Public cloud
c. Community cloud
d. Private cloud
Answer: b. Public cloud
Explanation: The module's reasoning is that the large public CSPs have dedicated security personnel and operate at a scale that individual organizations cannot match. Note that a private cloud gives the customer the most direct control over its own security configuration, so which deployment is "most secure" depends on whether the provider's controls or the customer's controls are being compared.


11. The multi-tenancy nature of cloud environments means conflicts in privacy laws can occur. True or False?
Answer: True
Explanation: Multi-tenancy means that various companies or entities from different jurisdictions may be on the same physical drive as the one you are investigating. As a result, there may be differences in the applicable privacy laws.

12. Which of the following tools are commonly used to obtain data in the cloud? (Choose all that apply.)
a. X-Ways Forensics
b. F-Response Universal
c. FTK Imager
d. RFID
Answer: b. F-Response Universal
Explanation: F-Response was developed as a remote acquisition tool and then became F-Response Universal, which allows live read-only remote access to other devices on an enterprise network.

13. A CSP's incident response team typically consists of which staff? List at least three positions.
Answer: System administrators, network administrators, and legal advisors
Explanation: A systematic approach is needed when conducting an incident response in the cloud. Typically, CSPs have personnel trained to respond to network incidents, including legal advisors and the system and network administrators who handle normal support services for the cloud. When a network intrusion occurs, the members of the CSP team become first responders to the incident. Understanding the legal constraints along with the intricacies of the networks and systems involved is necessary to achieve the desired outcome.

14. The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. True or False?
Answer: True
Explanation: The desktop clients for Dropbox, Google Drive, and OneDrive leave Windows Registry entries, so even if a suspect uninstalls a cloud application, you can usually find information showing it was installed previously.

15. When might a temporary restraining order be requested for cloud environments?
a. When cloud customers need immediate access to their data
b. To enforce a court order
c. When anti-forensics techniques are suspected
d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case


Answer: d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
Explanation: Because of multi-tenancy, a seizure of a CSP's hardware by government agencies or law enforcement can shut down not only the company under investigation but other tenants as well. A temporary restraining order may be requested in such cases to protect the other affected companies.

16. NIST document SP 500-322 defines more than 75 cloud services, including which of the following? (Choose all that apply.)
a. Backup as a service
b. Security as a service
c. Drupal as a service
d. Intelligence as a service
Answer: a. Backup as a service; b. Security as a service; c. Drupal as a service
Explanation: NIST SP 500-322 was formally published in February 2018 and includes more than 75 services, such as backup as a service, security as a service, and Drupal as a service.

17. What is included in the Internet of Everything as it was defined by Cisco Systems?
a. All things on the Internet
b. The people, data, devices, and processes connected via the Internet
c. The future of things on the Internet
d. The work of hackers on the Internet
Answer: b. The people, data, devices, and processes connected via the Internet
Explanation: The Internet of Everything refers to a larger, interconnected intelligent network. The term, coined by Cisco Systems, includes the people, devices, data, and processes connected via the Internet.

18. Machine-to-machine (M2M) connections need human approval to operate. True or False?
Answer: False
Explanation: In the context of M2M, devices connected to the IoE can communicate with each other and, in some instances, may make decisions without involving humans. Depending on the parameters of the system, such machines may make decisions and proceed without notifying or requesting permission from a person.

19. In a smart home, everyday appliances that can be accessed via your smartphone could include which of the following?
a. Washing machine
b. Dishwasher
c. Refrigerator
d. All of these choices


Answer: d. All of these choices
Explanation: In a smart home, almost any appliance can be accessed via your mobile device if it is an IoT device. This introduces vulnerabilities along with convenience.

20. Hackers could potentially use smart light bulb data on an unsecured wireless network to do which of the following? (Choose all that apply.)
a. Determine your everyday habits.
b. Ascertain the layout of your home.
c. Determine if you are away from home.
d. None of these choices
Answer: a. Determine your everyday habits; b. Ascertain the layout of your home; c. Determine if you are away from home.
Explanation: Many people who use smart light bulbs name them so they know which one they are turning on or off. If this data travels over a wireless network that is not secured, someone who has compromised the network could draw conclusions about the user's daily habits, the layout of their home, and whether they are away from home for multiple days in a row.

21. Items such as a CPAP machine store data that is subject to which of the following laws? (Choose all that apply.)
a. Sarbanes-Oxley
b. PCI DSS
c. HIPAA
d. None of these choices
Answer: c. HIPAA
Explanation: Because a CPAP machine is a medical device, the data it stores or transmits is health information protected by HIPAA. Strictly, HIPAA's obligations attach to covered entities (such as providers and insurers) and their business associates that handle the data, rather than to the device itself, so the data is protected when it reaches a provider or a vendor acting on the provider's behalf.

22. Which of the following IoT categories covers technologies used for traffic control, energy, water and waste management, and public safety?
a. Industrial Internet of Things
b. Infrastructure Internet of Things
c. Commercial Internet of Things
d. None of these choices
Answer: b. Infrastructure Internet of Things
Explanation: The Infrastructure IoT includes technologies that manage infrastructure both for rural areas and for smart cities, in applications such as traffic control, energy, water and waste management, and public safety. As with the Industrial IoT, one of the primary goals of the Infrastructure IoT is to improve the overall efficiency of devices and systems.


23. Which of the following is a device that allows data to be processed as close to the source as possible?
a. Magnet AXIOM Cloud
b. CGM device
c. OneDrive
d. IoT edge device
Answer: d. IoT edge device
Explanation: An IoT edge device allows the data to be processed as close to the source as possible. Instead of transmitting raw data to the cloud, the data is analyzed and sorted at the source and then sent to the central processing center. Edge computing will become more common as more IoT sensors are placed online.

Hands-On Projects - Solutions

Project 11-1
Estimated Time: 20 minutes
Objective: Locate files uploaded to Dropbox.
Before You Begin:
• Create Work folder C:\Work\Module_11\Project11-1.
• Download to your Work folder the following data files provided with the module:
  • Project_11-1_Examiner_Notes.xlsx
  • Project_11-1.zip
• Access the following item:
  • FTK Imager

You have been asked to identify any files that might have been uploaded from Denise Robinson's legacy computer to the Dropbox cloud service. To determine whether files were uploaded, you must find the Dropbox folder where files are synchronized to see what it contains. Complete the following steps:
1. Open the file Project_11-1_Examiner_Notes.xlsx and save it to your Work folder. Fill in your name and the other pertinent information.
2. Double-click the file Project_11-1.zip to extract the Project_11-1.img file.
3. Launch FTK Imager and click File and then Add Evidence Item.
4. In the Select Source dialog box that appears, click the Image File button and then click Next.
5. In the Select File dialog box, click the Browse button and go to your Work folder. Select Project_11-1.img and click Open. Then click Finish.


6. In the Evidence Tree pane, expand Project_11-1.img and then click to expand [root]. You should now be able to see the Users folder, as shown in Figure 11-6. Take a screen capture and add it to your examiner notes. [Figure 11-6 Accessing the Users folder]
7. Expand the Users folder and find Denise's account name listed. Next, expand her folder and locate the Dropbox folder, as shown in Figure 11-7. Take a screen capture and add it to your examiner notes. [Figure 11-7 Showing Denise's Dropbox folder]
8. Click the Dropbox folder. You should see its contents in the File List pane on the right. Right-click the Getting Started.pdf file and select Export Files. Save the file to your Work folder. Do the same for the Dropbox.zip file.
9. Exit FTK Imager.
10. Unzip the Dropbox.zip file and examine the contents of the Dropbox folder.
11. Update your examiner notes to indicate what files you found. When finished, submit to your instructor the following file:
• Project_11-1_Examiner_Notes.xlsx

Solution Guidance: Students should submit examiner notes showing the steps they took to find the 24 files in the Dropbox.zip file. The Getting Started.pdf is about using the cloud. For an example of the file that students will submit, see the following solution file:
• Solution_Project_11-1_Examiner_Notes.pdf

Project 11-2
Estimated Time: 20 minutes
Objective: Examine Google Drive access information using sync_log.log.
Before You Begin:
• Complete Project 11-1.
• Create Work folder C:\Work\Module_11\Project11-2.
• Download to your Work folder the following data file provided with the module:
  • Project_11-2_Examiner_Notes.xlsx
• Access the following item:
  • FTK Imager

The attorney managing the case wants to know which email Denise used to access Google Drive. To determine this, you need to examine the Google Drive file sync_log.log. Complete the following steps:
1. Open the file Project_11-2_Examiner_Notes.xlsx and save it to your Work folder. Fill in your information.


2. Launch FTK Imager and navigate back to Denise’s user folder.
3. In this exercise, you need to find the Google Drive data. In Denise’s user folder, navigate to AppData\Local\Google\Drive.
4. The file sync_log.log should appear in the File List pane, as shown in Figure 11-8.
[Figure 11-8 Showing Denise’s Google Drive folder]
5. Click the sync_log.log file in the File List pane. In the pane at the bottom of the window, the email address will be visible, as shown in Figure 11-9. Take a screen capture and add it to your examiner notes.
[Figure 11-9 Showing Denise’s sync_log.log file]
6. Note the email address and record it in your examiner notes.
7. When finished, exit FTK Imager and submit to your instructor the following file:
• Project_11-2_Examiner_Notes.xlsx

Solution Guidance: For this project, students should submit examiner notes with screenshots showing that they found the email address of Denise Robinson in the log file. For an example of the file that students will submit, see the following solution file:
• Solution_Project_11-2_Examiner_Notes.pdf

Case Projects - Solutions

Case Project 11-1
Estimated Time: 2 hours
Objective: Examine how privacy laws can affect an investigation.
Before You Begin:
• Create Work folder C:\Work\Module_11\Case_Project11-1.

Privacy laws in other countries are an important concern when performing cloud forensics and investigations. You have been assigned a case involving PII data stored on a CSP in Australia. Before you start any data acquisition from this cloud, you need to research what you can access under Australian law. For this project, look for information on Australia’s Privacy Principles (APP), particularly “Chapter 8: APP 8—Cross-Border Disclosure of Personal Information.” Using your word processor, create a document and save it as Case_Project_11-1_Report.docx in your Work folder. Write a one- to two-page paper summarizing disclosure requirements, steps for storing PII data in Australia, requirements for getting consent from data owners, and any exceptions allowed by this law. When finished, submit to your instructor the following file:
• Case_Project_11-1_Report.docx


Solution Guidance: APP 8 (which can be found at oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information) details the circumstances in which PII can be released and the conditions that apply. For an example of the report that students should submit, see the following solution file:
• Solution_Case_Project_11-1_Report.pdf

Case Project 11-2
Estimated Time: 1 hour
Objective: How to conduct an investigation involving a small CSP that does not have its own incident response team.
Before You Begin:
• Create Work folder C:\Work\Module_11\Case_Project11-2.

A cloud customer has asked you to do a forensics analysis of data stored on a CSP’s server. The customer’s attorney explains that the CSP offers little support for data acquisition and analysis but, for a fee, it will help with locating the data. The attorney asks you to prepare a memo with detailed questions covering what you need to know to complete your analysis. The attorney plans to use this memo to negotiate with the CSP for the services you’ll provide in collecting and analyzing evidence. Using your word processor, create a document and save it as Case_Project_11-2_Report.docx in your Work folder. Write a one-page memo detailing your questions for the CSP. When finished, submit to your instructor the following file:
• Case_Project_11-2_Report.docx

Solution Guidance: In their memo, students should cover questions such as what help the CSP staff will provide, what training the CSP staff might need on protecting PII and ensuring a secure chain of custody, and what is covered by the customer’s CSA, among other things. For an example of the report that students should submit, see the following solution file:
• Solution_Case_Project_11-2_Report.pdf

Case Project 11-3
Estimated Time: 30 minutes
Objective: Explore the changes caused by the IoT in the digital forensics field.
Before You Begin:
• Create Work folder C:\Work\Module_11\Case_Project_11-3.


A 2020 paper titled “A Survey on the Internet of Things (IoT) Forensics: Challenges, Approaches and Open Issues” discusses the ways in which changes in IoT will impact the forensics field (researchgate.net/publication/338443914_A_Survey_on_the_Internet_of_Things_IoT_Forensics_Challenges_Approaches_and_Open_Issues). These changes apply to all IoT-based domains, including healthcare, smart home appliances, industrial machines, supply-chain and inventory management, smart grid, surveillance, and smart cities. Industries that rely on sensitive data for real-time decision making are among the most appealing ones for attackers and are, therefore, industries where forensics expertise will be most needed in the coming years. Using your word processor, create a document and save it as Case_Project_11-3_Report.docx in your Work folder. Write a one-page paper discussing how the changes in IoT will affect the forensics field and your possible job opportunities over the next few years. Be sure to cite your sources. Submit to your instructor the following file:
• Case_Project_11-3_Report.docx

Solution Guidance: Students should submit a report that includes details about the new and updated skill sets that will be required in the forensics field, as well as information on some of the IoT-related laws and technology that forensics investigators will need to become aware of. For an example of the report that students should submit, see the following solution file:
• Solution_Case_Project_11-3_Report.pdf


Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 12: MOBILE DEVICE FORENSICS

Table of Contents
Activities - Solutions ........ 2
  Activity 12-1 ........ 2
Review Questions - Answers ........ 3
Hands-On Projects - Solutions ........ 10
  Project 12-1 ........ 10
  Project 12-2 ........ 12
  Project 12-3 ........ 13
  Project 12-4 ........ 14
Case Projects - Solutions ........ 16
  Case Project 12-1 ........ 16
  Case Project 12-2 ........ 16


Activities - Solutions

Activity 12-1
Estimated Time: 30 minutes
Objective: Install and explore the Android mobile forensics tool Andriller CE on a Windows computer.
Before You Begin:
• Create Work folder C:\Work\Module_12\Activity_12-1.
• Download to your Work folder the following data file provided with the module:
  • Activity_12-1_Examiner_Notes.xlsx
• Access the following items:
  • Andriller CE (Download the zip file from github.com/den4uk/andriller to your Work folder: click the green Code button, click Download ZIP, and extract andriller-master.zip into your Work folder.)
  • Python 3 (If it is not already installed on your computer, go to the Microsoft Store and download and install the most current version of Python 3.)

Complete the following steps to install Andriller CE on a Windows computer:
1. Open the file Activity_12-1_Examiner_Notes.xlsx. In cell C3 of the spreadsheet, type your name. In cells C4 and C5, type Activity_12-1. In the Date and Start Time columns, enter the current date and time. Save the file and leave it open to record your activities during the forensics examination.
2. To start Andriller CE, from File Explorer, navigate to the folder Work\Module_12\Activity_12-1\andriller-master\andriller-master. In the andriller-master folder, double-click andriller-gui.py. Andriller CE will open a terminal window and then display the Andriller CE GUI window.
3. In Andriller CE, click Output, as shown in Figure 12-5. Then, in the Select Folder window, navigate to your Work folder and click Select Folder.
[Figure 12-5 Andriller start screen]
4. Click the following dropdown menus and note in your examiner notes a general description of each menu’s available utilities:
• Decoder
• Apps Utils
• Lockscreens
• Tools
• ADB
5. Click Save Log and, in the Save As window, navigate to your Work folder. In the File name input box, type Activity_12-1_Andriller.log and then click Save.
6. When finished, close Andriller CE and then save and close your examiner notes. Submit to your instructor the following files:
• Activity_12-1_Andriller.log
• Activity_12-1_Examiner_Notes.xlsx


Solution Guidance: In this activity, students should have successfully installed Andriller CE and examined the features it provides in its dropdown menus. In their examiner notes, students should have recorded the steps they took to install and explore the tool. They should also have generated a log report from Andriller CE showing that the installation was successful. For examples of the types of notes that should be included and an example Andriller CE log file, see the following solution files:
• Solution_Activity_12-1_Andriller.pdf
• Solution_Activity_12-1_Examiner_Notes.pdf

Review Questions - Answers

1. In which of the following cases did the U.S. Supreme Court require a search warrant to examine the contents of mobile devices?
a. Miles v. North Dakota
b. Smith v. Oregon
c. Riley v. California
d. Dearborn v. Ohio
Answer: c. Riley v. California
Explanation: In the Riley v. California case, the U.S. Supreme Court ruled that an officer must get a search warrant before an examination can be done on a mobile device.

2. Global System for Mobile Communications (GSM) is used by which cellular provider?
a. U.S. Cellular
b. AT&T
c. Verizon
d. Twigby
Answer: b. AT&T
Explanation: AT&T uses GSM. T-Mobile and Twigby (owned by Verizon), Verizon, and U.S. Cellular all use CDMA.

3. Which organization manages Code Division Multiple Access (CDMA) networks?
a. International Telecommunication Union
b. U.S. National Institute of Standards and Technology
c. U.S. Federal Communications Commission
d. Telecommunications Industry Association
Answer: d. Telecommunications Industry Association
Explanation: The Telecommunications Industry Association is the organization that created the interim standard 95 (IS-95) for CDMA.


4. The OS of a mobile device is stored in which type of memory storage?
a. Read-only memory
b. Compact flash
c. MultiMediaCard
d. Secure digital cards
Answer: a. Read-only memory
Explanation: The OS for all mobile devices is stored in read-only memory.

5. Which of the following parts make up a GSM mobile device?
a. The subscriber identity module (SIM) card and the mobile equipment
b. The micro-SIM card and the nano-SIM card
c. The subscriber’s identification and service-related information
d. The mobile station and backup storage
Answer: a. The subscriber identity module (SIM) card and the mobile equipment
Explanation: A GSM mobile device is divided into two parts: the SIM card and the mobile equipment. The mobile equipment contains the identity of the subscriber to the network, stores service-related information, and backs up the mobile device.

6. How many radio frequencies are used for two-way communications between cell phones and cell towers?
a. One frequency is used to transmit voice and data between cell towers and cell phones.
b. Two frequencies are used to transmit voice and data—one for voice and the other for data.
c. Two frequencies are used to transmit voice and data—one from the cell phone to the cell tower and one from the tower to the cell phone.
d. Four frequencies are used to transmit voice and data. One frequency is used for voice from the cell phone to the cell tower, another is used for data from the cell phone to the cell tower, a third is used for voice from the cell tower to the cell phone, and a fourth one is used for data from the cell tower to the cell phone.
Answer: c. Two frequencies are used to transmit voice and data—one from the cell phone to the cell tower and one from the tower to the cell phone.
Explanation: All cellular networks use two radio frequencies to communicate between cell phones and cell towers. The towers transmit on one frequency to the cell phones, and the cell phones transmit to the towers on another frequency. By separating these frequencies, voice and data are transmitted and received much faster.


7. For the typical cell tower, what is the azimuth of the gamma antenna?
a. North
b. Southeast
c. Southwest
d. South
Answer: c. Southwest
Explanation: The standard for most cell tower antennas is (1) the alpha, or A, antenna points north; (2) the beta, or B, antenna points southeast; (3) the gamma, or C, antenna points southwest. Towers in unusual locations or with obstructions near them may have antennas pointed in other directions.

8. What is the maximum range at which a GSM cell phone can communicate with a cell tower?
a. 22 miles or 35 kilometers
b. 35 miles or 56 kilometers
c. 10 miles or 16 kilometers
d. 40 miles or 64 kilometers
Answer: a. 22 miles or 35 kilometers
Explanation: GSM networks are designed to transmit voice and data up to 22 miles or 35 kilometers. CDMA networks are designed to transmit voice and data up to 35 miles or 56 kilometers. The actual range for GSM and CDMA networks may be shorter due to obstructions such as buildings or hills.

9. Cell phones can be tracked through which of the following modes of communication? (Choose all that apply.)
a. Bluetooth
b. Cell tower
c. GPS
d. Wi-Fi network
Answer: a. Bluetooth; b. Cell tower; c. GPS; d. Wi-Fi network
Explanation: All answers are correct. Bluetooth can transmit a cell phone’s location to other Bluetooth devices, which can then transmit information to other applications and networks. Cell towers log all cell phone connections along with the specific antenna used by the cell phone. GPS data can transmit the exact location through special applications like Apple Maps or Google Maps to their respective cloud services. Applications connecting to cloud services through Wi-Fi networks can transmit location data to the application’s web servers.

10. How does E911 verify the exact location of a caller?
a. By using the cell phone’s map application
b. By accessing the cell phone’s Apple Maps or Google Maps application
c. By requiring the caller to verbally tell the E911 operator their location
d. Through a text message sent to the E911 operator that lists the cell phone’s latitude and longitude location


Answer: d. Through a text message sent to the E911 operator that lists the cell phone’s latitude and longitude location
Explanation: Since the Wireless Communications and Public Safety Act of 1999 (911 Act), the GPS feature has been integrated into E911 services. When a caller dials the E911 service, the cell phone automatically turns on the phone’s GPS utility. It then automatically sends the phone’s latitude and longitude location in an SMS text message to the E911 dispatcher. The E911 dispatcher can also ping the caller’s cell phone to determine their location and to see if the caller is moving from one location to another, such as driving in a car.

11. The term Time Division Multiple Access (TDMA) refers to which of the following? (Choose all that apply.)
a. A technique of dividing a radio frequency so that multiple users share the same channel
b. A proprietary protocol developed by Motorola
c. A specific cellular network standard
d. A technique of spreading the signal across many channels
Answer: a. A technique of dividing a radio frequency so that multiple users share the same channel; c. A specific cellular network standard
Explanation: TDMA, which is used by GSM, allows multiple phones to take turns sharing a channel on a round-robin basis.

12. How do cellular networks identify and track every mobile device?
a. Orthogonal frequency division multiplexing
b. SIM cards
c. International mobile subscriber identity (IMSI)
d. Time Division Multiple Access
Answer: c. International mobile subscriber identity (IMSI)
Explanation: All cellular mobile devices have a unique identifier number called the international mobile subscriber identity (IMSI). When a cellular mobile device connects to a cellular network, this number is used as the cell phone’s address. The IMSI number is located in the SIM card of the mobile device.

13. What is a Stingray in connection with cell phone communications?
a. A device used for routine maintenance of a cellular network
b. A surveillance device used by law enforcement and the military
c. A portable cell tower system that is used to set up emergency communications
d. A caller distribution system that reroutes calls from cell towers that have too many cell phone users connected at one time
Answer: b. A surveillance device used by law enforcement and the military
Explanation: A Stingray is also referred to as an IMSI catcher or cell-site simulator. Stingrays can be used to surveil many cell phones, or they can be set up to surveil one or two individual cell phones.


14. Which type of cellular network log would you use to search for a possible suspect who may have been in the area of a recent crime?
a. Call detailed records log
b. Cell-site location information log
c. Cell site simulator log
d. Cell phone pinging report
Answer: b. Cell-site location information log
Explanation: A cell-site location information log provides a detailed list of cell phones, using their IMSI numbers, that had contact with a specific cell tower. This information is useful for criminal cases in that it can help law enforcement identify a possible suspect who may have been in the area of a reported crime.

15. Of the two categories of data storage on a mobile device, which category is considered internal storage?
a. SIM chip
b. SD card
c. Cloud storage
d. Wi-Fi network storage
Answer: a. SIM card
Explanation: Data stored on a SIM chip, along with electronically erasable programmable read-only memory storage, is considered internal storage. Storage that is transferred from the mobile device to a network, such as the cloud, is considered external storage.

16. What is the purpose of autovacuum in a cell phone?
a. The autovacuum function is an on-demand cleanup tool that deletes text messages.
b. To filter spam calls, the autovacuum will block further calls from being received.
c. The autovacuum function will delete data from unallocated space on a cell phone’s data storage area.
d. The autovacuum function is an SQLite utility that cleans up deleted records in an SQLite database.
Answer: d. The autovacuum function is an SQLite utility that cleans up deleted records in an SQLite database.
Explanation: In order to optimize data storage on a cell phone, the autovacuum function is automatically run to reduce the size of SQLite databases. Any deleted records eliminated by autovacuum will be unrecoverable by a mobile device forensics tool.

17. Which of the following are functions of a mobile device management (MDM) system? (Choose all that apply.)
a. Protect the confidentiality and trade secret information stored on mobile devices of an organization.
b. Provide a service for an organization to update mobile devices remotely.
c. Communicate an organization’s policies and procedures.
d. Provide personal security for employees with their issued mobile devices.


Answer: a. Protect the confidentiality and trade secret information stored on mobile devices of an organization; c. Communicate an organization’s policies and procedures
Explanation: MDM is useful for securing and controlling an organization’s policies and procedures for mobile devices. In addition to protecting sensitive data on a mobile device, MDM can also enforce proper security measures that users might otherwise alter for their own needs.

18. When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. True or False?
Answer: False
Explanation: If the mobile device is connected to a computer, data on the mobile device could be deleted. Your first responsibility is preventing any changes to or deletion of evidence on a mobile device.

19. When seizing a mobile device that is powered on, what should your first step be to ensure that evidence is not lost?
a. Turn off the mobile device.
b. Put the mobile device in airplane mode.
c. Quickly determine what applications are running before turning off the mobile device.
d. Place the mobile device immediately into a Faraday bag.
Answer: b. Put the mobile device in airplane mode
Explanation: By putting the mobile device into airplane mode, you will have time to further assess what to do, such as examining it to see whether there are any activities of interest by a suspect, before turning the power off.

20. SIM cards contain which type of information? (Choose all that apply.)
a. Call data
b. Text message data
c. Location data
d. IMSI numbers from other mobile devices
Answer: a. Call data; b. Text message data; c. Location data
Explanation: In addition to call, text, and location data, the SIM card will also contain its own IMSI number along with other information about the mobile device’s subscriber.

21. Which of the following are mobile forensics extraction methods? (Choose all that apply.)
a. Logical extraction
b. Bilateral read
c. Physical extraction
d. Hex dumping


Answer: a. Logical extraction; c. Physical extraction; d. Hex dumping
Explanation: A logical extraction copies all existing files. A physical extraction copies allocated and unallocated data from the mobile device. A hex dump extracts data from the mobile device’s processor, flash memory, and other components. The hex dumping procedure is invasive and may damage the mobile device.

22. Which of the following data extraction methods of a mobile device are nondestructive to the device? (Choose all that apply.)
a. Manual extraction
b. Logical extraction
c. Physical extraction
d. Chip-off extraction
Answer: a. Manual extraction; b. Logical extraction; c. Physical extraction
Explanation: Manual, logical, and physical extraction methods are safe and will not destroy the components in the device. The chip-off extraction method will destroy its components.

23. What is the minimum amount of battery power needed before initiating an acquisition of a mobile device?
a. 95%
b. 90%
c. 80%
d. 5%
Answer: c. 80%
Explanation: Because most mobile devices have a single dual-purpose port that is used to charge the device’s battery and communicate with an external system, it is extremely important to maximize the battery charge before starting the examination and acquisition. The least amount of battery power needed to perform an acquisition on a mobile device is 80%—any less could jeopardize the acquisition and cause a failure in completing the task.

24. When should a test access port (TAP) method of data extraction be implemented on a mobile device?
a. When a mobile device was dropped in water
b. If a manual extraction failed to work
c. When it is necessary to extract data directly from the chips in the mobile device
d. If the mobile device’s port is damaged
Answer: d. If the mobile device’s port is damaged
Explanation: Since the TAP method of data extraction requires connecting electrical leads to the chips inside a mobile device, it should only be done if the port on the device is unable to input or output data.


Hands-On Projects - Solutions

Project 12-1
Estimated Time: 45 minutes
Objective: Report results from a tablet’s SD card image.
Before You Begin:
• Complete Activity_12-1.
• Create Work folder C:\Work\Module_12\Project_12-1.
• Download to your Work folder the following files provided with the module:
  • Project_12-1_Examiner_Notes.xlsx
  • Project_12-1_SD_Card.E01
• Access the following item:
  • Autopsy for Windows

For this project, you are given an image file of an SD card from a Samsung Galaxy tablet. You will examine the contents of this image file and create a report from Autopsy listing the contents of the card. Complete the following steps:
1. Open the file Project_12-1_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_12-1.
2. Start Autopsy for Windows. In the Welcome window, click New Case, and in the Case Information pane’s Case Name input box, type Project_12-1-SD_Card_Exam. Click Browse, navigate to your Work folder, and then click Next.
3. In the Optional Information pane, enter Project_12-1-SD_Card_Exam for the Case Number and then add your information to the Examiner’s Name and Email input boxes. Click Finish.
4. In the Select Type of Data Source To Add pane, click Disk Image or VM File and then click Next.
5. In the Select Data Source pane, click Browse and navigate to your Work folder. Click Project_12-1_SD_Card.E01, then click Open. In the Select Add Data Source window, click Next.
6. In the Configure Ingest Modules pane, click Deselect All, select the check boxes for the following ingest modules, and then click Next:
• Picture Analyzer
• Encryption Detection
• PhotoRec Carver
• Android Analyzer
7. In the Add Data Source window, click Finish.
8. From the Tree Viewer pane, click and expand all the subfolders under Views and By MIME Type.


9. For subfolders that contain files, right-click each file, click Add File Tag, and then click Notable Items (Notable).
10. In the Tree Viewer pane, scroll down, click to expand Tags, and click the File Tags folder.
11. In the Result Viewer pane, highlight all media type files, such as documents, spreadsheets, and graphic files, and then right-click the highlighted files. Click Add File Tags and then click Tag and Comment.
12. In the Select Tag window, click the Tag input box’s down arrow, click Recovered Office Documents, and then click OK.
13. Click Generate Report from the menu bar. In the Select and Configure Report Module’s Report Modules pane, click the Excel Report button, then click Next.
14. If the source file Project_12-1_SD_Card.E01 is not already checked, click Check All in the Select which data source(s) to include window, and then click Next.
15. Click the All Results button and then click Finish in the Configure Report window.
16. When the Report Generator Progress window shows that the report has completed, click the Excel Report link and save the report to your Work folder, naming it Project_12-1_SD_Card_Contents.xlsx.
17. Update your examiner notes to reflect the steps you took to complete the project. Then save the file, exit Excel, and close Autopsy.
18. When finished, submit to your instructor the following files:
• Project_12-1_Examiner_Notes.xlsx
• Project_12-1_SD_Card_Contents.xlsx

Solution Guidance: To complete this project, students will need to locate files of interest per the directions to identify what files are in the image file. From this examination, an Autopsy Excel report should be generated that lists the image’s contents. For examples of the output files that students will submit, see the following solution files:
• Solution_Project_12-1_Examiner_Notes.pdf
• Solution_Project_12-1_SD_Card_Contents.pdf
• Solution_Project_12-1_SD_Card_Contents_EXIF_Metadata.pdf
• Solution_Project_12-1_SD_Card_Contents_Summary.pdf
• Solution_Project_12-1_SD_Card_Contents_Tagged_Files.pdf
• Solution_Project_12-1_SD_Card_Contents_Tagged_Results.pdf
• Solution_Project_12-1_SD_Card_Contents_User_Content_Suspected.pdf


Project 12-2
Estimated Time: 10 minutes
Objective: Determine if an Android .tar file has recoverable data.
Before You Begin:
• Complete Activity_12-1.
• Create Work folder C:\Work\Module_12\Project_12-2.
• Download to your Work folder the following data files provided with the module:
  • Project_12-2_Examiner_Notes.xlsx
  • Project_12-2_Android_Acquisition.tar
• Access the following item:
  • Andriller CE

For this project, another digital forensics examiner has asked you to process the acquired .tar file of a Samsung tablet and determine what data is available from this file. Complete the following steps to parse data from the file Project_12-2_Android_Acquisition.tar:
1. Open the file Project_12-2_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_12-2.
2. Start Andriller CE, click Output, and navigate to your Work folder.
3. In Andriller, click the Parse (.TAR) tab and then click TAR File. In the Open window, navigate to your Work folder, click Project_12-2_Android_Acquisition.tar, and then click Open.
4. When Andriller completes processing the .tar file, it will open a report in your web browser. From your web browser, click the link that is displayed to view its contents. Click the Print menu option for your browser and, in the Print dialog box, click the down arrow in the Destination box and click Save to PDF. Click Landscape in the Orientation or Layout section and then click Save.
5. In the Print Save As window, navigate to your Work folder and, in the file name input box, type Project_12-2_Andriller_Android_Calendar. Then click Save.
6. In Andriller, click Save Log and, in the Save As window, navigate to your Work folder. In the File Name input box, type Project_12-2_TAR_Extract.log and click Save.
7. Update your examiner notes to reflect the steps you took to complete the project. Then save the file, exit Excel, exit Andriller, and close the browser window.
8. When finished, submit to your instructor the following files:
• Project_12-2_Andriller_Android_Calendar.pdf
• Project_12-2_Examiner_Notes.xlsx
• Project_12-2_TAR_Extract.log


Solution Guidance: To complete this project, students will need to export all available data from the .tar file using Andriller CE. For examples of the output files that students will submit, see the following solution files:
• Solution_Project_12-2_Andriller_Android_Calendar.pdf
• Solution_Project_12-2_Examiner_Notes.pdf
• Solution_Project_12-2_TAR_Extract.pdf

Project 12-3
Estimated Time: 10 minutes
Objective: Determine if an Android .ab file has recoverable data.
Before You Begin:
• Complete Activity_12-1.
• Create Work folder C:\Work\Module_12\Project_12-3.
• Download to your Work folder the following data files provided with the module:
  • Project_12-3_backup.ab
  • Project_12-3_Examiner_Notes.xlsx
• Access the following item:
  • Andriller CE

For this project, the same digital forensics examiner from Project 12-2 has asked you to process the acquired Android backup (.ab) file of the same Samsung tablet to determine if any additional data is available from this acquisition’s backup. Complete the following steps to parse data from file Project_12-3_Android_Acquisition.tar:
1. Open the file Project_12-3_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field and, in the Case Name and Case Number fields, type Project_12-3.
2. Start Andriller, click Output, and navigate to your Work folder.
3. In Andriller, click the Parse (.AB) tab and then click AB File. In the Open window, navigate to your Work folder, click Project_12-3_backup.ab, and then click Open.
4. When Andriller completes processing the .ab file, it will open a report in your web browser. From your web browser, click all the available links to view their contents, and print each webpage as a PDF file with landscape orientation. Name the calendar webpage Project_12-3_Andriller_Android_Calendar.pdf and the shared storage webpage Project_12-3_Shared_Storage.pdf.
5. In the Print Save As window, navigate to your Work folder. In the file name input box, type Project_12-3_Andriller_Android_Calendar and then click Save.
6. In Andriller, click Save Log and, in the Save As window, navigate to your Work folder. In the File Name input box, type Project_12-3_AB_Extract.log and click Save.


7. Update your examiner notes to reflect the steps you took to complete the project. Then save the file, exit Excel, exit Andriller, and close your web browser.
8. When finished, submit to your instructor the following files:
• Project_12-3_AB_Extract.log
• Project_12-3_Andriller_Android_Calendar.pdf
• Project_12-3_Examiner_Notes.xlsx
• Project_12-3_Shared_Storage.pdf

Solution Guidance: To complete this project, students will need to export all available data from the .tar file using Andriller CE. For examples of the output files that students will submit, see the following solution files:
• Solution_Project_12-3_AB_Extract.pdf
• Solution_Project_12-3_Andriller_Android_Calendar.pdf
• Solution_Project_12-3_Examiner_Notes.pdf
• Solution_Project_12-3_Shared_Storage.pdf

Project 12-4
Estimated Time: 25 minutes
Objective: Extract information using the features available in the SQLite forensics utility FQLite.
Before You Begin:
• Create Work folder C:\Work\Module_12\Project_12-4.
• Download to your Work folder the following data files provided with the module:
  • Project_12-4_Examiner_Notes.xlsx
  • Project_12-4_Report.sqlite
• Access the following items:
  • FQLite (fqlite_vn.n.jar; download the latest nonbeta version to your Work folder from staff.hs-mittweida.de/~pawlaszc/fqlite)
  • Java version 1.8 or newer
    ▪ To verify if Java is already installed or present on your workstation, from a command prompt type java -version and then press Enter.
    ▪ If an older version of Java is installed, remove it (see java.com/en/download/help/remove_olderversions.html for more details).
    ▪ To install the current version of Java, see java.com/en/download.

In this project, another examiner has extracted an SQLite database from a Samsung tablet and is requesting that you convert this database into a .csv file so that its contents can be easily compared to other nondatabase files. Complete the following steps:
1. Open the file Project_12-4_Examiner_Notes.xlsx in your spreadsheet application. Type your name in the Examiner’s Name field, and in the Case Name and Case Number fields, type Project_12-4.


2. From File Explorer, navigate to your Work folder and double-click the file fqlite_vn.n.jar.
3. In the FQLite Carving Tool window, click File and then Open Database. In the open database window, navigate to your Work folder, click Project_12-4_Report.sqlite, and then click Open.
4. In the left pane of the FQLite Carving Tool, click Project_12-4_Report.sqlite. Examine the database’s metadata and, in your examiner notes, record the following information from the right pane’s Property and Value columns:
• Path
• File Size (in Bytes)
• Number of Pages
• Page Size
• Page number of the first freelist trunk page
• Total number of freelist pages
• Auto-Vacuum
• Database Encoding
• SQLITE_VERSION_NUMBER
5. In the left pane, click and expand Project_12-4_Report.sqlite and then click Horse-Bookie.
6. Click File and then Export Database. In the export records to file window, navigate to your Work folder. In the File name input box, type Project_12-4_Horse_Bookie.txt, click Save, and then click OK.
7. Start Excel and then click File, Open, and Browse. Navigate to your Work folder and click Project_12-4_Horse_Bookie.txt.
8. In the Text Import Wizard – Step 1 of 3 window, click the Delimited button and then click Next.
9. In the Text Import Wizard – Step 2 of 3 window, click the Semicolon check box and then click Next.
10. In the Text Import Wizard – Step 1 of 3 window, click Finished. In Excel, save this file as Project_12-4_Horse_Bookie.csv.
11. Update your examiner notes to reflect the steps you took to complete the project. Then save the file, exit Excel, and exit FQLite.
12. When finished, submit to your instructor the following files:
• Project_12-4_Examiner_Notes.xlsx
• Project_12-4_Horse_Bookie.csv

Solution Guidance: To complete this project, students will need to convert an SQLite database file to a text file using FQLite and then convert the text file into a .csv file. For examples of the output files that students will submit, see the following solution files:
• Solution_Project_12-4_Examiner_Notes.pdf
• Solution_Project_12-4_Horse_Bookie.pdf
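The metadata FQLite displays in step 4 comes from the 100-byte header at the start of every SQLite 3 file. The following script, added here as an example and not part of the module or of FQLite, decodes those same fields straight from the header and cross-checks them against PRAGMA output; it builds its own constructed sample database (a hypothetical "bets" table, not Project_12-4_Report.sqlite), and all function names are the example's own.

```python
"""Read the SQLite file-header fields that FQLite lists (page size, page
count, freelist trunk page, freelist count, auto-vacuum, encoding and
SQLITE_VERSION_NUMBER) straight from the first 100 bytes of the file,
then cross-check them against PRAGMA output. Added example; the sample
database is constructed here, not the module's Project_12-4_Report.sqlite."""
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(path):
    """Decode the 100-byte database header (all multi-byte fields are big-endian)."""
    with open(path, "rb") as fh:
        header = fh.read(100)
    if len(header) < 100 or header[:16] != MAGIC:
        raise ValueError("%s does not start with an SQLite 3 header" % path)
    page_size = struct.unpack_from(">H", header, 16)[0]
    if page_size == 1:            # the value 1 encodes a 65536-byte page
        page_size = 65536
    change_counter, page_count, first_trunk, freelist_pages = struct.unpack_from(">IIII", header, 24)
    largest_root = struct.unpack_from(">I", header, 52)[0]   # non-zero only in auto-vacuum modes
    encoding = struct.unpack_from(">I", header, 56)[0]
    incremental = struct.unpack_from(">I", header, 64)[0]
    version_valid_for, version_number = struct.unpack_from(">II", header, 92)
    file_size = os.path.getsize(path)
    # The in-header page count is only trustworthy when the change counter
    # matches the version-valid-for number (older libraries did not maintain
    # it); otherwise fall back to file size / page size.
    if change_counter != version_valid_for:
        page_count = file_size // page_size
    if largest_root == 0:
        vacuum = "none"
    else:
        vacuum = "incremental" if incremental else "full"
    return {
        "Path": path,
        "File Size": file_size,
        "Number of Pages": page_count,
        "Page Size": page_size,
        "First freelist trunk page": first_trunk,
        "Total freelist pages": freelist_pages,
        "Auto-Vacuum": vacuum,
        "Database Encoding": ENCODINGS.get(encoding, "unknown (%d)" % encoding),
        "SQLITE_VERSION_NUMBER": version_number,
    }


def pragma_check(path):
    """Ask the SQLite library for the same values, to confirm the manual decode."""
    con = sqlite3.connect(path)
    try:
        q = lambda sql: con.execute(sql).fetchone()[0]
        return {
            "page_size": q("PRAGMA page_size"),
            "page_count": q("PRAGMA page_count"),
            "freelist_count": q("PRAGMA freelist_count"),
            "encoding": q("PRAGMA encoding"),
        }
    finally:
        con.close()


def library_version_number():
    """SQLITE_VERSION_NUMBER of the library Python links, e.g. 3.45.1 -> 3045001."""
    major, minor, patch = sqlite3.sqlite_version_info[:3]
    return major * 1000000 + minor * 1000 + patch


def make_sample_db(path):
    """Constructed sample: fill a table, then delete most rows so that whole
    pages are released to the freelist (which is what the freelist fields show)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 4096")
    con.execute("CREATE TABLE bets (id INTEGER PRIMARY KEY, horse TEXT, stake INTEGER, note TEXT)")
    con.executemany(
        "INSERT INTO bets (horse, stake, note) VALUES (?, ?, ?)",
        (("horse-%d" % i, i * 10, "x" * 200) for i in range(2000)),
    )
    con.commit()
    con.execute("DELETE FROM bets WHERE id > 100")
    con.commit()
    con.close()


def demo():
    """Build the sample in a temp directory and return (header, pragmas)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.sqlite")
    make_sample_db(path)
    return parse_sqlite_header(path), pragma_check(path)


if __name__ == "__main__":
    header, pragmas = demo()
    for key, value in header.items():
        print("%-28s %s" % (key, value))
    print("PRAGMA cross-check:", pragmas)
```

A non-zero freelist count is the cue to carve the freed pages, since records deleted from the table may still be recoverable from them.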


Case Projects - Solutions

Case Project 12-1
Estimated Time: 30 minutes
Objective: Identify vendors that sell Faraday tents to be used for forensics extractions on mobile devices.
Before You Begin:
• Create Work folder C:\Work\Module_12\Case_Project_12-1.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_12-1_Faraday_Memo.docx

For this case project, research and identify at least two vendors that sell Faraday tents that can provide power to mobile devices and battery charges for workstations and laptops. Use your preferred web search engine to locate available products. In a memo, list the vendor’s name and the product name, the web link, and, if available, the cost of the Faraday tent from two or more vendors. When finished, submit to your instructor the following file:
• Case_Project_12-1_Faraday_Memo.docx

Solution Guidance: Upon completion of this case project, students should have found through their web searches at least two vendors that provide Faraday tents that have filtered electrical power. The memo should list the vendor’s company name, product name, its website, and cost. For an example of the memo that students should submit, see the following solution file:
• Solution_Case_Project_12-1_Faraday_Memo.pdf

Case Project 12-2
Estimated Time: 45 minutes
Objective: Identify vendors that sell SIM card reader devices.
Before You Begin:
• Create Work folder C:\Work\Module_12\Case_Project_12-2.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_12-2_SIM_Card_Reader_Memo.docx

For this case project, research and identify at least two vendors that sell USB-compatible SIM card readers. Use your preferred web search engine to locate these available products. In a memo, list the vendor’s name and the product’s name, the web link, and, if available, the cost of each SIM card reader from two or more vendors.


When finished, submit to your instructor the following file:
• Case_Project_12-2_SIM_Card_Reader_Memo.docx

Solution Guidance: Upon completion of this case project, students should have found at least two vendors that sell USB-compatible SIM card readers, not SD card devices. The memo should list the vendor name and the product name, webpage address, and cost. For an example of the memo that students should submit, see the following solution file:
• Solution_Case_Project_12-2_SIM_Card_Reader_Memo.pdf



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 13: Email and Social Media Investigations

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7TH EDITION, ISBN: 9780357672884; MODULE 13: EMAIL AND SOCIAL MEDIA INVESTIGATIONS

Table of Contents
Activities - Solutions ........................................ 2
  Activity 13-1 ................................................ 2
Review Questions - Answers .................................... 3
Hands-On Projects - Solutions ................................. 7
  Project 13-1 ................................................. 7
  Project 13-2 ................................................. 8
Case Projects - Solutions .................................... 10
  Case Project 13-1 ........................................... 10
  Case Project 13-2 ........................................... 10


Activities - Solutions

Activity 13-1
Estimated Time: 30 minutes
Objective: Examine an .evolution file using HxD.
Before You Begin:
• Create Work folder C:\Work\Module_13\Activity_13-1.
• Download to your Work folder the following data files provided with the module:
  o Activity_13-1_Examiner_Notes.xlsx
  o martha-evolution.tar
• Access the following item:
  o The hexadecimal editor HxD

Complete the following steps:
1. Open the file Activity_13-1_Examiner_Notes.xlsx and fill in your name and the date. Record the steps you take in this activity in your examiner notes.
2. Start HxD, click File, and then click Open. Navigate to your Work folder and select martha-evolution.tar. When the file opens in HxD, it should look similar to what is shown in Figure 13-6. Do a screen capture here.
[Figure 13-6 Viewing .evolution file in HxD]
3. You are going to search for an email from Terry Sadler. In the Special Editor pane, be sure the ANSI char is selected. It will also say Windows (ANSI) just below Help on the menu at the top of the window. On the menu, click Search and then click Find.
4. In the Find dialog box that opens, type terrysadler and click Search All. The results should be similar to what is shown in Figure 13-7.
[Figure 13-7 Email with offset]
5. Place your cursor in front of the F in “From.” Notice the offset displayed in the bottom pane and in the lower-left corner is 710F4. Do a screen capture of the results and add it to your examiner notes.
6. Scroll down to find the end of the email. It will be similar to what you see in Figure 13-8. When you find the entire email, do a screen capture for your examiner notes.
[Figure 13-8 Terry Sadler email from .evolution file]
7. When finished, submit to your instructor the following file:
• Activity_13-1_Examiner_Notes.xlsx

Solution Guidance: Students should easily be able to search for and find the email from Terry Sadler and should include a screenshot showing the results of their search in their examiner notes. Note that students can use a hex editor other than HxD to complete this activity. For an example of the file that students will submit, see the following solution file:
• Solution_Activity_13-1_Examiner_Notes.pdf


Review Questions - Answers

1. Email headers contain which of the following information? (Choose all that apply.)
a. Sender and receiver email addresses
b. ESMTP number or reference number
c. The email servers the message traveled through to reach its destination
d. IP address of the receiving server
e. All of these choices
Answer: e. All of these choices
Explanation: The email header stores all the information regarding the source and route taken by a message.

2. What is the first piece of information you should look for in an email message you’re investigating?
a. Sender or receiver’s email address
b. Originating email domain or IP address
c. Subject line content
d. Message number
Answer: a. Sender or receiver’s email address
Explanation: You should typically begin with the email address. Then, look at the IP address and, if needed to verify the authenticity of the email, find the message number.

3. In Microsoft Outlook, emails are typically stored in which of the following?
a. .pst and .ost files
b. res1.log and res2.log files
c. PU020102.db file
d. .evolution file
Answer: a. .pst and .ost files
Explanation: Microsoft Outlook files are stored on the server as .pst files and locally on the hard drive as .ost files.

4. When searching a victim’s computer for a crime committed with a specific email, which of the following provides information for determining the email’s originator? (Choose all that apply.)
a. Email header
b. Username and password
c. Firewall log
d. All of these choices


Answer: a. Email header; c. Firewall log
Explanation: The email header and firewall log contain the information necessary to determine the originator of the email. The username and password will not necessarily help you track down the originator.

5. Phishing does which of the following?
a. Uses DNS poisoning
b. Lures recipients with false promises
c. Takes people to fake websites
d. Uses DHCP
Answer: b. Lures recipients with false promises
Explanation: Phishing is typically used to get people to give up personal information that can later be used to compromise their accounts. Phishing emails include false information and may include false promises to entice people with money or other rewards.

6. Which of the following is a current formatting standard for email?
a. SMTP
b. MIME
c. Outlook
d. HTML
Answer: b. MIME
Explanation: MIME is used by Microsoft Outlook to format email.

7. After examining email headers to find an email’s originating address, investigators use forward lookups to track an email to a suspect. True or False?
Answer: False
Explanation: Investigators can use a reverse lookup to find the name of the owner of an email address.

8. When you access your email, what type of computer architecture are you using?
a. Mainframe and minicomputers
b. Domain
c. Client/server
d. None of these choices
Answer: c. Client/server
Explanation: Most email services use a client/server architecture to store and transmit email.

9. To trace an IP address in an email header, what type of lookup service can you use?
a. Intelius Inc.’s AnyWho online directory
b. Verizon’s http://superpages.com
c. A domain lookup service, such as arin.net, internic.com, or whois.net
d. Any web search engine


Answer: c. A domain lookup service, such as arin.net, internic.com, or whois.net
Explanation: A domain lookup service associates the IP address with the company or person.

10. Router logs can be used to verify what types of email data?
a. Message content
b. Content of attached files
c. Tracking flows through email server ports
d. Finding blind copies
Answer: c. Tracking flows through email server ports
Explanation: Router logs are used to track items between locations.

11. Logging options on email servers can be which of the following? (Choose all that apply.)
a. Disabled by users
b. Set up in a circular logging configuration
c. Configured to a specified size before being overwritten
d. Set to periodic logging mode
Answer: b. Set up in a circular logging configuration; c. Configured to a specified size before being overwritten; d. Set to periodic logging mode
Explanation: All of the answer options except a. are correct. Users do not have the authority to change the logging options on a server.

12. On a UNIX-like system, which file specifies where to save different types of email log files?
a. maillog
b. /var/spool/log
c. syslog.conf
d. log
Answer: c. syslog.conf
Explanation: The syslog.conf file is the main configuration file of a Linux system. It specifies where to save different types of email log files.

13. What information is never included in an email header?
a. Blind copy (bcc) addresses
b. Internet addresses
c. Domain name
d. Contents of the message
e. Type of email server used to send the email
Answer: d. Contents of the message
Explanation: Any blind copy addresses, the Internet addresses, and the domain names are part of the header. The type of email server used to send the email is sometimes but not always included in the header. Of the options listed, only the contents of the message is never part of the header.


14. Which of the following types of files can provide useful information when you’re examining an email server?
a. .dbf files
b. .emx files
c. .log files
d. .slf files
Answer: c. .log files
Explanation: The log files contain the most relevant information, such as dates and times of emails along with source and destination.

15. Email accessed with a web browser leaves files in temporary folders. True or False?
Answer: True
Explanation: A web browser typically generates temporary folders.

16. When confronted with an email server that no longer contains a log with the date information you need for your investigation and the client has deleted the email, what should you do? (Choose all that apply.)
a. Search available log files for any forwarded messages.
b. Restore the email server from a backup.
c. Check the current database files for an existing copy of the email.
d. Do nothing because after the file has been deleted, it can no longer be recovered.
Answer: a. Search available log files for any forwarded messages; b. Restore the email server from a backup; c. Check the current database files for an existing copy of the email.
Explanation: Forwarded messages may contain the necessary information. In addition, an email server backup and current database files may also include a copy of the relevant email.

17. You can view email headers in Notepad with all popular email clients. True or False?
Answer: True
Explanation: Popular email clients are typically in plain text; therefore, they can be viewed in Notepad. Be aware, however, that some metadata may not be recognizable in Notepad.

18. To analyze email evidence, an investigator must be knowledgeable about an email server’s internal operations. True or False?
Answer: False
Explanation: The investigator relies on the knowledge of the network administrator for such information.


19. Sendmail uses which file for instructions on processing an email message?
a. sendmail.cf
b. syslogd.conf
c. mese.ese
d. mapi.log
Answer: a. sendmail.cf
Explanation: Sendmail.cf is the configuration file for Sendmail. It contains information such as domain, host, and rule sets.

20. A forensic linguist may be able to determine if the same person wrote an email by analyzing chat logs and social media communications. True or False?
Answer: True
Explanation: A forensic linguist will examine items known to have been written by that person and attempt to determine if the same person wrote the email.
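Questions 1, 2, 9 and 13 turn on what an email header records: the servers a message passed through, the originating IP address that a domain lookup is then run against, and the absence of any Bcc addresses or message content. The following script, added here as an example and not part of the module, walks the Received headers of a constructed message (hypothetical hosts and documentation IP ranges) to rebuild the delivery path and pull out the originating IP; the function names are the example's own.

```python
"""Walk an email's Received headers to reconstruct the route it took and
the IP address it originated from (the value a reverse/whois lookup would
then be run against). Added example; the message below is constructed."""
import email
import re

# Constructed sample message using hypothetical hosts and documentation IP ranges.
SAMPLE_EMAIL = """\
Received: from mx1.receiver.example by mailstore.receiver.example
 with LMTP id 9LMTP001; Tue, 05 Mar 2024 10:15:24 -0800
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
 by mx1.receiver.example (Postfix) with ESMTP id 4ABC123;
 Tue, 05 Mar 2024 10:15:22 -0800
Received: from [198.51.100.7] (client.sender.example [198.51.100.7])
 by mail.sender.example with ESMTPSA id 7XYZ890;
 Tue, 05 Mar 2024 10:15:20 -0800
Message-ID: <20240305181520.7XYZ890@mail.sender.example>
From: Terry Sadler <terry.sadler@sender.example>
To: martha@receiver.example
Subject: Quarterly numbers
Date: Tue, 05 Mar 2024 10:15:19 -0800

The body is not part of the header; neither are any Bcc recipients.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ID_RE = re.compile(r"\bid\s+([^;\s]+)")


def parse_received(value):
    """Turn one Received header into a hop record, or None if it is malformed."""
    value = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    match = HOP_RE.search(value)
    if not match:
        return None
    # Prefer the IP the receiving server recorded in parentheses over the
    # name the client announced in HELO, which the client itself controls.
    ip = IP_RE.search(match.group("comment") or "") or IP_RE.search(match.group("from"))
    esmtp_id = ID_RE.search(value)
    return {
        "from": match.group("from"),
        "by": match.group("by"),
        "ip": ip.group(1) if ip else None,
        "id": esmtp_id.group(1) if esmtp_id else None,
        "timestamp": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def trace_route(raw_message):
    """Return sender/recipient, the hops in delivery order and the originating IP."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()   # each server prepends its header, so the last one is the first hop
    # Every hop's "by" host should be the next hop's "from" host. A break in the
    # chain suggests forged or stripped headers; only the headers added by
    # servers you control can be taken at face value.
    chain_ok = all(hops[i]["by"].lower() == hops[i + 1]["from"].lower()
                   for i in range(len(hops) - 1))
    originating = next((h["ip"] for h in hops if h["ip"]), None)
    return {
        "from": msg["From"],
        "to": msg["To"],
        "message_id": msg["Message-ID"],
        "hops": hops,
        "originating_ip": originating,
        "chain_consistent": chain_ok,
        "bcc_present": "Bcc" in msg,   # Bcc never survives into the delivered header
    }


if __name__ == "__main__":
    route = trace_route(SAMPLE_EMAIL)
    for number, hop in enumerate(route["hops"], 1):
        print("hop %d: %s -> %s  ip=%s id=%s at %s" % (
            number, hop["from"], hop["by"], hop["ip"], hop["id"], hop["timestamp"]))
    print("originating IP for lookup:", route["originating_ip"])
```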

Hands-On Projects - Solutions

Project 13-1
Estimated Time: 20 minutes
Objective: Explore the WayBack Machine website to determine how it could be useful in an investigation.
Before You Begin:
• Create Work folder C:\Work\Module_13\Project13-1.
• Download to your Work folder the following data file provided with the module:
  • Project_13-1_Examiner_Notes.xlsx

At some point, you may be involved in an investigation in which you need to determine if an individual has (or had) a website. As part of your investigation, you can use resources such as Pipl.com or TruthFinder.com to find information about the person, including websites they own or may have owned. Then, you can use the WayBack Machine website, which is run by the nonprofit group Internet Archive, to see how that website appeared at different points in the past. In this exercise, you will use the WayBack Machine to look at a website so that you can see how this tool could be useful in an investigation. Complete the following steps:
1. Open the file Project_13-1_Examiner_Notes.xlsx. Enter your name and the exercise number. Record what you do and anything unexpected that you observe.
2. Open a browser and go to web.archive.org.
[Figure 13-9 Wayback Machine homepage]


3. On the Wayback Machine homepage, enter cbs.com in the URL search box at the top of the page, and then press Enter.
4. The search results show a timeline for the cbs.com website. Scroll to the far left, and note that the timeline begins at 1996 and continues to the current year. Take a screenshot of the timeline and add it to your examiner notes.
5. On the timeline, click the 1996 box. In the calendar that appears below the timeline, click any date that is highlighted by a blue or green circle. Take a screenshot of the page that comes up and add it to your examiner notes.
6. Select two more dates and take a screenshot of each. Notice that you can select the exact date you want to view, and note how this tool could be used in an investigation.
7. For extra credit, pick a local business or your college/university and see how much their website has changed over the last few years. For example, you might be able to see if the school offered a class or program and then quickly removed it.
8. When finished, submit to your instructor the following file:
• Project_13-1_Examiner_Notes.xlsx

Solution Guidance: For this project, students should spend time reviewing the results of their search for cbs.com on the WayBack Machine website. In their examiner notes, students should include a screenshot of the timeline for cbs.com along with screenshots of the 1996 entry and two other dates. For an example of the file that students will submit, see the following solution file:
• Solution_Project_13-1_Examiner_Notes.pdf

Project 13-2
Estimated Time: 20 minutes
Objective: Examine an email account from the Enron case using Autopsy for Windows.
Before You Begin:
• Create Work folder C:\Work\Module_13\Project13-2.
• Download to your Work folder the following data files provided with the module:
  • Project_13-2_Examiner_Notes.xlsx
  • kenneth_lay_1.pst
  • kenneth_lay_2.pst

In this module, we discussed the Enron case. At the time the scandal broke, Kenneth Lay was the CEO and chairman of the company. This project allows you to examine his emails, which were released as part of the Enron investigation. Complete the following steps:
1. Open the file Project_13-2_Examiner_Notes.xlsx. Enter your name and the exercise number. Record what you do and anything that you observe.


2. Start Autopsy for Windows and click the Create New Case button. In the New Case Information window, enter Enron in the Case Name text box and click Browse next to the Base Directory text box. Navigate to and click your Work folder and then click Next. In the Additional Information window, type today's date in the Case Number text box and your name in the Examiner text box and then click Finish.
3. In the Add Data Source window, in the Select Type of Data Source to Add pane, click Logical Files. Then click Next.
4. In the Select Data Source pane, click the Add button. Navigate to your Work folder, click both PST files (kenneth_lay_1.pst and kenneth_lay_2.pst), and then click Select. Click Next.
5. In the Configure Ingest Modules window, click Next and then click Finish.
6. When Autopsy has finished processing the ingest modules (about 20 minutes), click Keyword Search in the upper-right corner and enter the following search keyword: trade. Your initial results will be similar to what is shown in Figure 13-10. Take a screen capture of your results and include it in your examiner notes.
[Figure 13-10 Autopsy results searching for "trade"]
7. Separately, search for each of the following terms: trading, stocks, and money. Take a screen capture of what you find and include it in your examiner notes. You should find files similar to what is shown in Figure 13-11 when you search for "stocks." You can do additional outside research on Kenneth Lay's role in the Enron scandal to identify additional search terms that might be relevant. Add any additional information to your report.
[Figure 13-11 Autopsy results searching for "stocks"]
8. After you have completed all of your searches, save your examiner notes and submit to your instructor the following file:
• Project_13-2_Examiner_Notes.xlsx

Solution Guidance: The Enron scandal left thousands of employees bankrupt and without their pensions. Students should find a wealth of information in addition to the emails that shows them how corporate corruption can occur. Their examiner notes should include screenshots showing the results of their searches in Autopsy, and each screenshot should be labeled with the keyword that produced it so that the search can be reproduced. For an example of the file that students will submit, see the following solution file (which includes the bare minimum of what students should submit):
• Solution_Project_13-2_Examiner_notes.pdf





Case Projects - Solutions
Case Project 13-1
Estimated Time: 60 minutes
Objective: Create a short report describing how law enforcement could use social media activity to track a missing person.
Before You Begin:
• Create Work folder C:\Work\Module_13\Case_Project_13-1.

A Silver Alert has been issued to seek the public's assistance in locating a missing elderly gentleman who is very active on Facebook. Using your word processor, create a document and save it as Case_Project_13-1.docx in your Work folder. Write a few paragraphs describing how law enforcement could use the man's social media activity to help find him. Be sure to include the necessary steps law enforcement would need to take to gain full access to his profile and activity history. When finished, submit to your instructor the following file:
• Case_Project_13-1.docx

Solution Guidance: Typically, Silver Alerts are broadcast on highway signs and on the local news as a way to engage the public in helping to locate missing elderly individuals, particularly those with dementia or who are otherwise at risk or vulnerable. Students should note that law enforcement could work with family members and also obtain a warrant to look at the missing man's Facebook account with the goal of finding information that might help locate him. Students may also point out that publicly visible posts, check-ins, tagged photos, and friends' comments can be reviewed immediately without any legal process, and that because a Silver Alert involves a person at risk, platforms such as Facebook accept expedited emergency disclosure requests from law enforcement in addition to ordinary legal process. For an example of what students should submit, see the following solution file:
• Solution_Case_Project_13-1.pdf

Case Project 13-2
Estimated Time:
Objective: Create a short report describing how emails and social media activity could be used to track a missing person.
Before You Begin:
• Create Work folder C:\Work\Module_13\Case_Project_13-2.

A mother calls you to report that her 15-year-old daughter has run away from home. She has access to her daughter's email account and says her daughter has emails in her inbox suggesting she has run away to be with a 35-year-old woman. Her daughter has also made related posts on Snapchat. Using your word processor, create a document and save it as Case_Project_13-2_Report.docx in your Work folder. Write a brief report explaining how you should proceed. When finished, submit to your instructor the following file:
• Case_Project_13-2_Report.docx





Solution Guidance: Students should note that the mother's permission, as the minor's parent or guardian, would need to be obtained and documented before examining her daughter's emails as well as any computer or phone her daughter may have used to access Snapchat, in case that search might yield useful information. Students should suggest steps such as creating a timeline of what may have happened from the message dates and header timestamps, and attempting a reverse lookup on the email address of the 35-year-old woman who sent the messages to determine who she is and her possible location. Because the case involves a minor and an adult, students should also note that the findings need to be reported to law enforcement rather than handled as a purely private matter. For an example of the report that students submit, see the following solution file:
• Solution_Case_Project_13-2_Report.pdf
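The timeline and reverse-lookup steps above both start from the message headers. The script below is an added example and is not part of the textbook or its solution files. It parses a constructed sample message (invented addresses and RFC 5737 documentation IP ranges, not real correspondence) with Python's standard email module, walks the Received chain from the earliest hop to the latest to build a timeline, pulls out the originating IP address that a reverse lookup would start from, and flags a Reply-To address that differs from the From address, a common sign that replies are being steered to a different mailbox. Every header value in SAMPLE_EMAIL is an assumption constructed for the example. Keep in mind that only the Received lines added by servers you trust are reliable; the lowest ones, and the Date header, are written by the sending side and can be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for the example (invented addresses, RFC 5737
# documentation IP ranges); not real correspondence from the case.
SAMPLE_EMAIL = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.7])
\tby mx.example-mailbox.org with ESMTP id abc123
\tfor <daughter@example-mailbox.org>; Tue, 05 Mar 2024 22:41:09 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mail.example-isp.net with ESMTPSA id xyz789;
\tTue, 05 Mar 2024 22:40:51 +0000
From: "J. Doe" <jdoe@example-isp.net>
Reply-To: jdoe.alt@example-webmail.test
To: daughter@example-mailbox.org
Subject: tomorrow
Date: Tue, 05 Mar 2024 22:40:40 +0000
Message-ID: <m1@example-isp.net>

Meet me at the station at 9.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the sending IP, receiving host and timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    clause, _, stamp = flat.rpartition(";")        # timestamp follows the last ';'
    ip_match = IPV4.search(clause)
    by_match = re.search(r"\bby\s+(\S+)", clause)
    return {
        "ip": ip_match.group(1) if ip_match else None,
        "by": by_match.group(1) if by_match else None,
        "time": parsedate_to_datetime(stamp.strip()),
    }


def analyze(raw):
    """Return sender details, the originating IP and a chronological timeline."""
    msg = message_from_string(raw)
    # Each server prepends its Received line, so the bottom-most one is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    hops.sort(key=lambda h: h["time"])
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    timeline = []
    if sent:
        timeline.append((sent.isoformat(), "Date header (set by sender, unverified)"))
    for h in hops:
        timeline.append((h["time"].isoformat(), f"received by {h['by']} from {h['ip']}"))
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "reply_to_mismatch": bool(reply_to) and reply_to != from_addr,
        "origin_ip": hops[0]["ip"] if hops else None,   # first hop = where it entered mail
        "timeline": timeline,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print("From:", result["from"], "| Reply-To:", result["reply_to"],
          "| mismatch:", result["reply_to_mismatch"])
    print("Originating IP to look up:", result["origin_ip"])
    for stamp, event in result["timeline"]:
        print(stamp, event)
```

The originating IP identifies the network the message entered from, which is what a WHOIS or ISP request would be served on; the timeline lines are what go into the examiner notes, with the sender-controlled Date header marked as unverified.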




Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 14: e-Discovery

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 14: E-DISCOVERY

Table of Contents
Activities - Solutions
  Activity 14-1
Review Questions - Answers
Hands-On Projects - Solutions
  Project 14-1
  Project 14-2
Case Projects - Solutions
  Case Project 14-1





Activities - Solutions
Activity 14-1
Estimated Time: 45 minutes
Objective: Explore an e-discovery research database.
Before You Begin:
• Create Work folder C:\Work\Module_14\Activity_14-1.
• Download to your Work folder the following files provided with the module:
  • Activity_14-1_Examiner_Notes.xlsx
  • e-Discovery_Database.accdb
• Access the following item:
  • Microsoft Access

In connection with the dissertation titled "An Investigation of Digital Forensics Concepts in an International Environment: The U.S., South Africa, and Namibia" (Phillips, 2013), a straightforward database was created to help students, instructors, and legal practitioners research laws in their country and others. The database, which is contained in the e-Discovery_Database.accdb file you downloaded at the start of this activity, was created in Microsoft Access. The database is composed of several tables, as shown in Figure 14-5. The various fields are listed for each table. Note that next to some fields, you will see "PK," which stands for Primary Key: the field (or combination of fields) whose value uniquely identifies each record in that table. Next to some of the others you will see "FK," which stands for Foreign Key: a field that holds the primary key value of a record in another table, which is how the tables are linked to one another.
[Figure 14-5 The e-discovery database's entity-relationship diagram]
In this activity, you will walk through the design of the database and the topics included to better understand how such a tool could be useful in a digital forensics investigation, particularly one that covers multiple state and international jurisdictions. Complete the following steps:
1. Open the file Activity_14-1_Examiner_Notes.xlsx. Fill in your name and the date. In your examiner notes, record the steps you take in this activity and add screenshots as necessary.
2. Launch the e-Discovery_Database.accdb. It will open to the Navigation Menu window, as shown in Figure 14-6.
[Figure 14-6 The Navigation Menu window of the e-discovery database with the Country tab selected]
3. Click the State-Province tab. Note that the State ID designation is in the ISO 3166-2 format (also used by the United Nations): the abbreviation for the country followed by a dash and then the abbreviation for the state or province, as shown in Figure 14-7. Currently the data loaded is for the United States. Notice the Country Code dropdown arrow. If you were adding a state or province for another country, you would select it here. You will research and add data to the database in the Case Project at the end of the module. Take a screen capture here and add it to your examiner notes.
[Figure 14-7 The State-Province tab]
In the United States, individual states may have their own rules of evidence or rules of civil/criminal procedure with the stipulation that they cannot be less stringent than the federal rules. On the State-Province screen, notice the websites listed, but be aware that some of the URLs may be out of date; verify the current rule text against the official court website and record the date you retrieved it in your notes. If you search on Florida Rules of Civil Procedure, you will notice that they were last updated in 2024.
4. At the bottom of the window in Figure 14-7, note that you are viewing record 1 of 50. Use the right arrow to click through to view the other states in alphabetical order. Some states do not have their own rules but rely entirely on the FRE, FRCP, and FRCrP. Find a state that does not have its own rules. Take a screen capture and add it to your examiner notes.
5. Click the Federal or Country Rules tab. Notice, as shown in Figure 14-8, that some rules, such as FRCrP Rule 41, have subsections. You can see the description of the topics covered in those subsections, such as when a warrant is needed or when to request that property be returned.
[Figure 14-8 The Federal or Country Rules tab]
6. Click the Case Law tab. As you can see in the example shown in Figure 14-9, this tab shows the case name, year, and country, along with any important facts about the case. As with the other tabs, you can scroll through to view additional cases. If you know which case you are looking for, you can type the name in the Search box at the bottom. For example, if you type "Reyes," it will bring up the case United States v. Reyes.
[Figure 14-9 The Case Law tab]
7. Common search criteria were included as part of the database to make it easier to use for research. Make sure that the Navigation Pane on the left side of the Navigation Menu is open. Scroll to the bottom of the Navigation Pane and double-click Common Search Criteria: Table. The Common Search Criteria tab opens, as shown in Figure 14-10. This list of search terms gives you an idea of the many things that can come into play on the legal side, which is why it is so important to have e-discovery teams with expertise in various areas. Do a screen capture for your report.
[Figure 14-10 Common Search Criteria]
8. Click the X to close the Common Search Criteria table and return to the Navigation Menu. Next, click the Federal Rules Sections and Subform subsection, and you will see the Common Search Criteria for those. This table has not been fully populated; however, you can see how it could be used.
9. Click the Rule Type tab. Notice that currently it only has a few entries. Because the technology is changing and the laws are still being developed, more rules can be added to the database as needed.
10. Close the database.





11. Update your examiner notes to reflect the steps you took in this activity, and add the screen captures to your notes. When finished, submit to your instructor the following file:
• Activity_14-1_Examiner_Notes.xlsx

Solution Guidance: This activity is intended to give students exposure to some of the issues that can impact the legal side of e-discovery. The screen captures included in their examiner notes should be similar to what is shown in the figures. For an example of the file that students will submit, see the following solution file:
• Solution_Activity_14-1_Examiner_Notes.pdf

Review Questions - Answers
1. In the context of e-discovery, digital data is often referred to as __________________.
Answer: electronically stored information (ESI)
Explanation: Electronically stored information (ESI) refers to any information that is created or stored electronically. ESI includes things such as documents and other files, emails, text messages, photos, and video or audio recordings.

2. U.S. companies generally have the right to view which of the following? (Choose all that apply.)
a. Company-related email sent using a company email account
b. Personal email sent using a company email account
c. Legal email sent using a company email account
d. Email sent using an employee's personal account
Answer: a. Company-related email sent using a company email account; b. Personal email sent using a company email account; c. Legal email sent using a company email account
Explanation: In the United States, it is common practice for employers to require employees to acknowledge that the company has the right to monitor company email accounts. This is not true in all countries.

3. Which of the following would specifically impact an investigation involving citizens of the European Union?
a. The CFAA
b. The GDPR
c. The Patriot Act
d. None of these choices
Answer: b. The GDPR
Explanation: The EU passed the GDPR (General Data Protection Regulation) to protect the personal data of individuals in the EU. It applies to organizations anywhere in the world that process that data, so an investigation that collects or reviews such data must comply with it even when the investigation is conducted outside the EU.





4. The "meet and confer" doctrine is part of which procedural document?
a. FRCrP
b. FRCP
c. FRE
d. None of these apply
Answer: b. FRCP
Explanation: Rule 26(f) of the FRCP requires the parties to a lawsuit to "meet and confer" early in the litigation to come to an agreement on what constitutes relevant data, what formats should be used during discovery, and what metadata should be included.

5. The Computer Fraud and Abuse Act (CFAA) was created to do which of the following?
a. Stop financial fraud
b. Target identity theft through the use of counterfeit access devices
c. Expand the scope of computer crimes covered by federal law to include unauthorized access
d. Address crimes of abuse
Answer: c. Expand the scope of computer crimes covered by federal law to include unauthorized access
Explanation: In 1986, the CFAA was passed to expand the scope of computer crimes covered by federal law to include those related to the unauthorized access of networks and computers. It amended the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which had been passed to target financial fraud and identity theft through the use of counterfeit access devices.

6. Title II of the USA PATRIOT Act did which of the following?
a. Allowed medical records to be seized
b. Granted investigators the right to seize personally identifiable information without telling the target of the investigation
c. Expanded wiretap laws
d. All of these choices
Answer: d. All of these choices
Explanation: Title II of the USA PATRIOT Act, which was signed into law on October 26, 2001, expanded what digital data could be seized in an investigation, initially including medical records. In addition, it allowed law enforcement to execute warrants, seize property and personally identifiable information, and investigate someone without informing them. Title II also expanded the wiretap laws.

7. The Sarbanes-Oxley Act created the __________________ to register, oversee, and investigate accounting firms used by publicly held companies.
Answer: Public Company Accounting Oversight Board (PCAOB)
Explanation: The Public Company Accounting Oversight Board (PCAOB) is a nonprofit organization with the following four primary responsibilities:
• Register accounting firms that audit public companies.
• Perform inspections of registered accounting firms.
• Establish standards for auditing, ethics, and quality control for those firms.
• Investigate and discipline registered accounting firms for violations.

8. In the case of Katz v. United States, the Supreme Court ruled that the wiretap used to record Charles Katz's phone calls was illegal based on which of the following reasons?
a. The investigators did not inform Katz that he was being investigated.
b. The crime being investigated was not a felony.
c. Katz had an expectation of privacy, and the investigators did not have a warrant.
d. There was no probable cause.
Answer: c. Katz had an expectation of privacy, and the investigators did not have a warrant.
Explanation: The Supreme Court ruled that Katz had a reasonable expectation of privacy when using an enclosed public phone booth and determined that the FBI violated his Constitutional rights because they did not obtain a warrant before recording his calls.

9. The FIRAC method is __________________.
a. an approach to legal analysis
b. a way to read a warrant
c. a way to read a subpoena
d. None of these choices
Answer: a. an approach to legal analysis
Explanation: The FIRAC (facts, issues, rules and references, analysis, and conclusions) method is an approach to legal analysis and is a useful tool for reading and understanding case law.

10. The EDRM is a strictly linear model. True or False?
Answer: False
Explanation: The EDRM is not intended to be strictly linear. The steps may be carried out in a different order than shown in Figure 14-11, and in some cases, not all steps will be required. The model is also iterative, meaning a single step might be performed multiple times to get a more precise result. Similarly, it might be necessary to cycle back to earlier steps.





11. The IGRM helps companies prepare for litigation by doing which of the following?
a. Defining the stakeholders
b. Providing a framework to organize information resources
c. a and b
d. None of these choices
Answer: c. a and b
Explanation: The IGRM (Information Governance Reference Model) is a framework and set of guidelines developed in 2012 to help companies manage their information resources. It addresses stakeholders and factors that impact information governance, including users, security, privacy, legal, and risk, and it feeds into the EDRM.

12. Once a litigation hold is in place, companies can still delete files as they normally would. True or False?
Answer: False
Explanation: A litigation hold notifies employees that they must stop overwriting backups, deleting files, and performing other tasks that could destroy evidence related to an anticipated litigation. In the case of Zubulake v. UBS Warburg LLC, the court ruled "once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a litigation hold to ensure the preservation of relevant documents."

13. Investigators must consider which of the following when choosing which e-discovery software to use?
a. What applications are being used or have been used by the companies involved in the litigation
b. Whether to use a cloud-based or stand-alone software
c. Who controls the data and where the data is stored
d. All of these choices
Answer: d. All of these choices
Explanation: All of the answer options are relevant. When researching e-discovery software, investigators should pay attention to the ways in which different topics and software features are highlighted on the websites of the various software companies. The topics and features may vary significantly depending on the industry or type of investigation for which the tool is intended.





Hands-On Projects - Solutions
Project 14-1
Estimated Time: 20 minutes
Objective: Use the Aid4Mail Converter tool for email e-discovery.
Before You Begin:
• Create Work folder C:\Work\Module_14\Project_14-1.
• Download to your Work folder the following data files provided with the module:
  • Project_14-1_Examiner_Notes.xlsx
  • eric_saibi.zip
• Using 7-Zip or a similar tool, unzip the file eric_saibi.zip and extract the file to your Work folder.

e-Discovery often involves working with email and email-collection databases that include files stored in various formats. One common email database file format is the Microsoft Outlook Personal Storage Table (PST) file. PST files are stored locally on computers by Microsoft Outlook and contain sent and received emails along with other related data. Aid4Mail Converter is a free-to-use tool (unlimited trial) that can be used to convert PST files into other formats. Once converted, the PST file contents can be examined using other applications, such as a spreadsheet program. In this project, you will use Aid4Mail Converter to convert a PST file into a CSV (comma-separated value) file so that you can examine the contents using a spreadsheet program, in this case Microsoft Excel. Complete the following steps:
1. Open a browser and go to aid4mail.com/download-free-trial, as shown in Figure 14-13. Download and install Aid4Mail.
[Figure 14-13 Aid4Mail download page]
2. Start Aid4Mail. When you start Aid4Mail for the first time, you will have to choose which Trial License you would like to use. For this project, choose the Investigator Trial License option.
3. After you click the Investigator Trial License option, the Aid4Mail Investigator Trial window opens with a Session-001 conversion session ready for you to specify the source to convert and the target format to convert to. See Figure 14-14.
[Figure 14-14 Aid4Mail Investigator Trial window]
4. In the Format box in the Source section, choose PST file as the format. Click in the PST file: box and then navigate to and select the eric_saibi.pst file in your Work folder.
5. In the Format box in the Target section, choose CSV as the format.
6. Click the Select link for the Location: box and then click the Project_14-1 folder. For the file name, type eric_saibi.csv. See Figure 14-15.
[Figure 14-15 Source to Target window in Aid4Mail]





7. Expand the Filter options by clicking the plus sign next to Filter. Keep the default setting of "Process all," but notice that you have the option of selecting specific folders from the source PST file to process.
8. Leave all the other default settings as they are, and click the Run button in the column on the left.
9. The conversion process begins, and the Progress tab opens, showing the percentage progress in a green bar at the top of the window. When the conversion is 100 percent complete, a link to the converted file will appear at the bottom of the window below the Open target label. See Figure 14-16.
[Figure 14-16 Aid4Mail progress complete]
10. Click the link to open the location of the eric_saibi.csv file, and then double-click the eric_saibi.csv file to open it in Excel or your default spreadsheet application.
11. Expand the headings of the columns so you can better view the information. Notice that the Source.Folder column in Figure 14-17 indicates that the file contains Deleted items and Inbox items. If you scroll down, you will find emails from other folders, such as Sent items and Saved items.
[Figure 14-17 CSV file with rows of interest highlighted]
12. Review the CSV file and use the Fill Color feature to highlight rows in the file that contain emails that you think are interesting and/or may contain suspicious content, as shown in Figure 14-17.
13. Save your highlighted CSV file with a new name, using the existing file name and your name appended to the end of the file name.
14. Exit Aid4Mail. The software trial has no time limit, so you can continue to experiment with the application.
15. Update your examiner notes to reflect the steps you took in this project and add the screen captures to your notes. When finished, submit to your instructor the following files:
• Project_14-1_Examiner_Notes.xlsx
• eric_saibi_your_name.csv

Solution Guidance: This project gives students an opportunity to work with an e-discovery software tool that may be of use to them as digital forensics investigators. Their examiner notes should include screen captures that are similar to what is shown in the figures, and should record the total number of rows in the converted CSV file so that the completeness of the conversion can be checked later against the source PST file. For examples of the files that students will submit, see the following solution files:
• Solution_Project_14-1_Examiner_Notes.pdf
• eric_saibi_randall.csv





Project 14-2
Estimated Time: 30 minutes
Objective: Apply the features of the GoldFynch eDiscovery tool.
Before You Begin:
• Create Work folder C:\Work\Module_14\Project14-2.
• Download to your Work folder the following data files provided with the module:
  • Project_14-2_Examiner_Notes.xlsx
  • lay-k.zip

There are several e-discovery applications available that can be used for tasks such as data file gathering, analysis, tagging, redaction, and production. Most of these tools require you to purchase the software and do not have a free trial version. The cloud-based application GoldFynch eDiscovery is an exception. It is currently free to use if you require less than 512 MB of file storage. In this project, you will upload files from the Enron case and try out some of GoldFynch's e-discovery features. Because the files are processed on a third-party cloud service, they leave your workstation; in a real matter this is one of the "who controls the data and where the data is stored" considerations discussed in the module, and it should be recorded in your examiner notes. Complete the following steps:
1. Open the Project_14-2_Examiner_Notes.xlsx file. Enter your name and the project number. Use your examiner notes to document the steps you take in this project and add screenshots throughout.
2. The first step is to register with GoldFynch so you can gain access to their cloud-based application. Go to goldfynch.com and click the Sign Up for Free in Seconds link to begin the registration process. See Figure 14-18.
[Figure 14-18 Registration link for GoldFynch]
3. Fill in the registration form and click the Sign up for free button.
4. You will receive an email message from accounts@goldfynch.com. Click the Confirm E-Mail Address button in the email to continue account creation.
5. Click the Setup my account button. You will be asked to choose a password, which you will have to enter twice.
6. Press Enter after typing in your password a second time, and the GoldFynch cloud-based interface will open in your browser, ready for you to create a case, as shown in Figure 14-19.
[Figure 14-19 The GoldFynch cloud-based interface]
7. Click the +Create New Case button. The Create a new case form opens. Enter Enron for the name of the case and drag the slider all the way to the left to choose the $0/MO cost 512 MB storage option so that you can use GoldFynch for free. Click the Create Case button.
8. The Start Here window opens, with options for accessing various GoldFynch functions, such as uploading files. Drag the lay-k.zip file in your Work folder to the "Drop files here to upload" area of the window, shown in Figure 14-20.
[Figure 14-20 Drag files here to upload]
9. After you drop the file for upload, the Upload Files window opens asking for a Custodian and Source. The custodian is the caretaker of the file(s) you are uploading, and the source is where the file(s) came from. Enter your name as Custodian and Library of Congress as the source. Click the Begin Upload button.
10. It may take a minute or so for the upload to begin. Click the light green Files icon in the left pane of the window to navigate to the files window. You will eventually see your uploaded file in that location, likely with a message indicating it is being processed. After the file is completely processed, the window should resemble Figure 14-21.
[Figure 14-21 The lay-k.zip file in the files window]
11. Click the lay-k.zip file and then click the lay-k folder that opens. This will reveal the contents of the uploaded zip file, as shown in Figure 14-22.
[Figure 14-22 The contents of the lay-k.zip file]
12. The lay-k folder has several subfolders, including an inbox folder. Click the inbox folder. The folder opens, displaying a list of emails numbered from 1 to 1000.
13. Click email 1. The email opens, displaying its header information (From and To) along with the contents of the email. You can navigate to other emails by clicking the email numbers in the list on the left. You may have to increase the size of your browser, or zoom out, to see all the information. See Figure 14-23.
[Figure 14-23 Viewing email]
14. You can perform keyword searches on all uploaded files by entering a keyword or keywords in the search bar at the top of the window. Click in the New Search for box and enter the following text: trade trading stocks money. The search feature will indicate how many documents contain all the keywords as a single phrase, all of the keywords separately, or any of the keywords.
15. Click the All of: line, which indicates there are 19 results, to display a list of the results in the pane on the left. Scroll through the list to see the emails. See Figure 14-24.
[Figure 14-24 The 19 search results]
16. In the list of search results, click 224 at the top of the list to open the email. Individual files can be tagged to mark emails that are important or that touch on a specific topic, for instance. This feature helps you group or classify files using different criteria. Tagging can be done in the search results window and in the file viewing window.
17. Click the IMPORTANT tag at the top of the window to tag email 224 as "important." A popup window will open with a message asking if you want to apply the tag just to the item or to all of the emails. Choose just the item.
18. Tag the next four emails in the search results list (237, 1070, 205, and 301) as IMPORTANT. See Figure 14-25.
[Figure 14-25 Labeling emails as Important]
19. Click the Tags icon in the left pane of the window (as shown in Figure 14-25) to open the tags window and view the file count for various tags. Notice there are five files tagged as IMPORTANT.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.




20. Click the IMPORTANT tag. The search window opens with a list of the five emails that are tagged as IMPORTANT.
21. Click the browser back arrow twice to return to the docs or home page. Because GoldFynch runs in a browser, you can also click the back arrow to return to previous pages or click the forward arrow to navigate ahead.
22. GoldFynch can be used to redact documents (blacking out text that you don’t want others to be able to read when you provide them with production copies of the documents). This can be done wherever a file is rendered, using the redaction tool.
23. Click the Redaction tool and, in the center pane showing the contents of the email, use the Drawing tool to draw a box around the list of items below the word CONTENTS. A gray-striped box appears over the redacted text, as shown in Figure 14-26. Although you can still read the text now, when this document is processed for production, the text that is grayed out on the screen will be blacked out (redacted) and unreadable.
[Figure 14-26 Using the Redaction tool]
As you learned in the module, deduplication is the process of removing multiple copies of files from a collection in order to reduce the number of files in the collection. The purple double-arrow icon in the left pane of the window navigates to the deduplication feature. The email collection you are working with contains no duplicates, so deduplication is not necessary. Larger file sets drawn from multiple sources are more likely to contain duplicates as well as multiple file types, including not just emails but also Word documents, PDFs, images, and audio and video files, among others. Figure 14-27 shows that a deduplication analysis of the uploaded files detected no duplicates.
[Figure 14-27 Results of running the deduplication tool]
24. Review sets are collections of selected files made from the full set of files uploaded to GoldFynch. Review sets, which typically contain fewer files than the entire collection, are created and then distributed to other parties so that they can review just those specific files. To create a review set in GoldFynch, click the light purple Review sets icon in the left pane and then click the Create new review set button.
25. In the Create new review set window, select the By tag option and choose the IMPORTANT tag from the dropdown list. Click the Yes, expand families check box to select it.
26. In the “Choose a name for this review set” box at the bottom of the window, enter Important email review set, as shown in Figure 14-28.
[Figure 14-28 Create new review set]
27. Click the Create button. The review set is created and listed on the review set page. Clicking the review set name in the list opens the docs page with the files in the review set available for review.
28. Click the green Productions icon in the left pane to open the production window. Production is the process of creating copies of original documents for delivery to third parties. These document copies are rendered in a read-only format and contain the redactions and other features you have applied to the originals.




29. Click the blue Start Production Wizard button, shown in Figure 14-29. The production wizard guides you through a series of numbered steps, asking you to provide input and make choices.
[Figure 14-29 Production Wizard form]
30. In step 1, enter Production 1 as the name of the production and click OK.
31. In step 2, check the check box next to the IMPORTANT tag to select the emails you tagged as IMPORTANT for inclusion in the production.
32. In step 3, choose PDFs only for the type of production and One PDF per document for how the files should be produced.
33. In step 4, click OK to accept the defaults.
34. In step 5, click OK to accept the default sort order.
35. In step 6, click OK to accept the default tag placements.
36. In step 7, choose black for the redaction box color and Final for the redaction mode. Then click OK.
37. In step 8, click OK to accept the default Bates numbering options.
38. In step 9, choose Original file names prefixed with Bates number for the file-naming option.
39. In step 10, review the production options and click the Produce button to begin the production process.
40. When the production process has completed, click the REQUESTED PRODUCTIONS tab to view the completed production details. When progress is 100%, you will be able to view the created production documents.
41. Click the more (ellipsis) button on the far right of the production details, as shown in Figure 14-30, and choose Download Production from the dropdown menu. A zip file containing the production PDFs begins to download to your computer.
[Figure 14-30 Exporting a zip file]
42. Open the downloaded zip file and view the production files. Notice that the files contain redactions where you specified. See Figure 14-31.
[Figure 14-31 Production files showing redaction]
43. Exit GoldFynch or continue to experiment by performing other searches, taggings, redactions, and productions.
44. Submit to your instructor the following file:
• Project_14-2_Examiner_Notes.xlsx
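As an added example that is not part of the project or of GoldFynch's own code, the Python below reproduces on a constructed mini-collection three of the operations the steps above perform in the GUI: the phrase / all-of / any-of keyword search classification (step 14), hash-based deduplication (step 23), and Bates-prefixed file naming for a production (step 38). The file names, their contents, and the PROD prefix are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample collection (name -> content). sent/7.txt is a byte-for-byte
# copy of inbox/1.txt so that the deduplication pass has something to find.
SAMPLE_FILES = {
    "inbox/1.txt": b"From: a@example.com\nTo: b@example.com\n\n"
                   b"We should discuss trade and trading of stocks for money.\n",
    "inbox/2.txt": b"From: c@example.com\nTo: b@example.com\n\nLunch on Friday?\n",
    "inbox/3.txt": b"From: a@example.com\nTo: d@example.com\n\n"
                   b"Keyword sweep: trade trading stocks money\n",
    "inbox/4.txt": b"From: e@example.com\nTo: b@example.com\n\nMoney matters.\n",
    "sent/7.txt":  b"From: a@example.com\nTo: b@example.com\n\n"
                   b"We should discuss trade and trading of stocks for money.\n",
}

WORD = re.compile(r"[a-z0-9']+")


def content_hash(data: bytes) -> str:
    """SHA-256 of the file content; identical bytes give identical digests."""
    return hashlib.sha256(data).hexdigest()


def deduplicate(files: dict) -> tuple:
    """Keep the first file (in sorted-name order) for each distinct content hash.

    Returns (unique_files, duplicates), where duplicates maps each dropped
    name to the name of the copy that was kept, so the decision is auditable.
    """
    first_seen = {}
    unique = {}
    duplicates = {}
    for name in sorted(files):
        digest = content_hash(files[name])
        if digest in first_seen:
            duplicates[name] = first_seen[digest]
        else:
            first_seen[digest] = name
            unique[name] = files[name]
    return unique, duplicates


def tokenize(data: bytes) -> list:
    """Lower-case word tokens, so 'Money' and 'money' match."""
    return WORD.findall(data.decode("utf-8", errors="replace").lower())


def search(files: dict, query: str) -> dict:
    """Classify hits the way the search bar reports them: documents containing
    all terms as one phrase, all terms anywhere, or any single term."""
    terms = tokenize(query.encode("utf-8"))
    hits = {"phrase": [], "all": [], "any": []}
    if not terms:            # an empty query matches nothing, not everything
        return hits
    n = len(terms)
    for name in sorted(files):
        tokens = tokenize(files[name])
        present = set(tokens)
        if any(t in present for t in terms):
            hits["any"].append(name)
        if all(t in present for t in terms):
            hits["all"].append(name)
        if any(tokens[i:i + n] == terms for i in range(len(tokens) - n + 1)):
            hits["phrase"].append(name)
    return hits


def bates_names(names, prefix: str = "PROD", start: int = 1, width: int = 6) -> dict:
    """Production file names: the original name prefixed with a sequential Bates number.

    Sorting first gives deterministic numbering; path separators are flattened so
    every produced file lands in one folder. Prefix and width are assumptions.
    """
    out = {}
    for number, name in enumerate(sorted(names), start=start):
        out[name] = f"{prefix}{number:0{width}d}_{name.replace('/', '_')}"
    return out


if __name__ == "__main__":
    unique, dups = deduplicate(SAMPLE_FILES)
    print("duplicates removed:", dups)
    hits = search(unique, "trade trading stocks money")
    print("search:", hits)
    print("production names:", bates_names(hits["all"]))
```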




Solution Guidance: This project gives students exposure to a free e-discovery software tool that allows them to experiment with tasks such as redaction and deduplication. The screen captures included in their examiner notes should be similar to what is shown in the figures. For an example of the file that students will submit, see the following solution file:
• Solution_Project_14-2_Examiner_Notes.pdf

Case Projects - Solutions

Case Project 14-1
Estimated Time: 60 minutes
Objective: Research another country’s laws, regulations, and rules that could impact a digital forensics investigation.
Before You Begin:
• Complete Activity 14-1.
• Create Work folder C:\Work\Module_14\Case_Project14-1.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_14-1_Examiner_Notes.xlsx

When researching laws that might affect a multinational litigation or case, you need to consider the rules of evidence, privacy regulations, and civil and criminal laws that might be pertinent across all of the involved countries. You must also be sure that you are using reliable sources, such as a country’s government website. In this case project, you will be researching the rules of evidence, privacy regulations, and other laws of Australia using the database you worked with in Activity 14-1. The database includes a State-Province tab. Australia has provinces, so you will need to enter those and determine the United Nations abbreviation for them. You will need to find information on Australia’s privacy regulations as well as the country’s rules of evidence, rules of civil procedure, and rules of criminal procedure. Complete the following steps:
1. Open the file Case_Project_14-1_Examiner_Notes.xlsx. Enter your name and the date and use your examiner notes to record your findings and any updates to the database you think are necessary.
2. Launch the e-Discovery_Database.accdb file that you worked with in Activity 14-1.
3. In the Navigation Menu window, select the Country tab. At the bottom, click the New (blank) record button and add Australia as a country along with the abbreviation.
4. Begin your search at places such as https://libguides.anu.edu.au/c.php?g=759049&p=5446610.




5. Be sure to consider what is currently in the database and what might need to be added as criteria or fields. There are six states and two territories in Australia (australia.com/en/facts-and-planning/about-australia/cities-states-and-territories.html). Enter each of those into the database. Take screenshots of the ones you add.
6. There are 13 Australian Privacy Principles (oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference). These would be added under the Federal or Country Rules tab. Enter a few of them in the database. Take screenshots of the ones you add.
7. Once you have completed your research, take screen captures of the forms you added items to and submit to your instructor the following file:
• Case_Project_14-1_Examiner_Notes.xlsx

Solution Guidance: This case project gives students experience researching the laws, regulations, and rules of another country, which could be useful in an investigation. The screen captures they include in their examiner notes should be similar to what is shown in the figures. For an example of the file that students will submit, see the following solution file:
• Solution_Case_Project_14-1_Examiner_Notes.pdf



Solution and Answer Guide: Bill Nelson, Amelia Phillips, Chris Steuart, Robert S. Wilson Guide to Computer Forensics and Investigations, 7th Edition, ISBN: 9780357672884; Module 15: Ethics and Professional Responsibilities

Solution and Answer Guide

BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS , 7TH EDITION, ISBN: 9780357672884; MODULE 15: ETHICS AND PROFESSIONAL RESPONSIBILITIES

Table of Contents
Activities - Solutions ........................................ 2
  Activity 15-1 .............................................. 2
Review Questions - Answers .................................. 3
Case Projects - Solutions .................................. 11
  Case Project 15-1 ........................................ 11
  Case Project 15-2 ........................................ 12
  Case Project 15-3 ........................................ 13
  Case Project 15-4 ........................................ 13




Activities - Solutions

Activity 15-1
Estimated Time: 60 minutes
Objective: Create a digital forensics intake form.
Before You Begin:
• Create Work folder C:\Work\Module_15\Activity_15-1.

For this activity, you will create a digital forensics intake form using your word processing application. Save the form as Activity_15-1_Digital_Forensics_Intake_Form.docx in your Work folder. Before creating this form, review the web links provided in the module or perform a web search—such as “private investigator intake form”—for examples and ideas to help you complete this activity. The form should be designed for nontechnical people to ensure that a potential client can provide the most accurate information possible. The form should provide sufficient information for you to determine if you have the capability to carry out the examination and if there might be a potential conflict of interest. Intake forms used by private investigators and attorneys will typically have more questions of a personal nature that are unrelated to a digital forensics examination. Your form should be explicitly designed for digital forensics. Use the following outline as a guide for your form.
1. Digital forensics examiner’s name and organization
2. General information
   a. Date and time of the initial contact from the client or attorney
   b. Name of client and their attorney, if one is representing the client
   c. Attorney or client organization’s name, address, telephone number, and email address
   d. Primary and secondary contact person for the case
3. Case information
   a. Have you used a digital forensics examiner’s service before?
      i. If so, who and when, and what was the nature of the examination?
   b. Description of the case
   c. Is this case currently being litigated?
      i. If so, what is the case’s docket?
      ii. If so, who is the plaintiff or prosecutor?
      iii. If so, who is the defendant?




4. Digital evidence information
   a. List the digital evidence to be examined.
   b. Will the digital examiner need to go on-site to collect the evidence?
      i. If so, where is it located?
      ii. Contact person releasing the evidence?
      iii. Where is the digital evidence located?
      iv. Best date and time to collect evidence?
      v. If the digital evidence will be delivered to the digital examiner, who is the person and when will it be delivered?
   c. Who is authorized to release the digital evidence for an examination?
   d. Who is authorized to receive the report findings?
   e. What type of data or device is to be examined?
5. Examination instructions
   a. What information from this examination is needed?
   b. How soon do you need this examination to be completed?
At the end of the form, state what your retainer fee requirements are and that the fee must be paid before an examination can begin. When finished, submit to your instructor the following file:
• Activity_15-1_Digital_Forensics_Intake_Form.docx

Solution Guidance: For this activity, students need to create their own intake form for a digital forensics examination. Students should review the items listed in the outline in the activity along with the web links provided in the module to determine what questions should be included on their intake form. Students should include questions that address technical matters regarding the examination needs as well as questions that can help to identify possible conflict-of-interest concerns. For an example of the output files that students will submit, see the following solution file:
• Solution_Activity_15-1_Digital_Forensics_Intake_Form.pdf

Review Questions - Answers

1. Which of the following describes types of ethical standards? (Choose all that apply.)
   a. Standards that others apply to you or that you’re compelled to adhere to by external forces (such as licensing bodies)
   b. Your own internal rules you use to measure your performance
   c. Court proceeding standards
   d. Ethics standards provided to you by an attorney




Answer: a. Standards that others apply to you or that you’re compelled to adhere to by external forces (such as licensing bodies); b. Your own internal rules you use to measure your performance
Explanation: For a digital forensics examiner, ethics and professional responsibilities include established rules, such as those set by a governing private or public organization, as well as their own personal standards of excellence and integrity.

2. Ethical obligations are duties that you owe only to others. True or False?
Answer: False
Explanation: Ethical obligations are both to yourself and to others. Fulfilling those ethical obligations ensures that you maintain your self-respect and the respect of others in your profession.

3. Which of the following organizations have a code of ethics or conduct that are relevant to digital forensics investigators? (Choose all that apply.)
   a. ISFCE
   b. IACIS
   c. ABA
   d. DFIR
Answer: a. ISFCE; b. IACIS; c. ABA
Explanation: Many organizations list codes of ethics to promote professionalism among their members. The purpose of these codes is to ensure that unbiased and objective behavior is practiced by all members to maintain and improve their profession.

4. In the United States, no state or national licensing body specifically licenses digital forensics examiners. True or False?
Answer: True
Explanation: At this time, no one organization, private or governmental, licenses digital forensics examiners. Some states, however, do require that digital forensics examiners be licensed as private investigators.

5. When you begin a conversation with an attorney about a specific case, which of the following should you do?
   a. Ask to meet with the attorney in person.
   b. Answer their questions in as much detail as possible.
   c. Ask who the parties in the case are.
   d. Refuse to discuss details until a retainer agreement is returned.
Answer: d. Refuse to discuss details until a retainer agreement is returned.
Explanation: A retainer fee will ensure that the attorney is not trying to create a conflict of interest that will prevent you from working on a case.




6. Externally enforced ethical rules from licensing bodies, with sanctions that can restrict a professional’s practice, are more accurately described as which of the following?
   a. Laws
   b. Objectives
   c. A higher calling
   d. All of these choices
Answer: a. Laws
Explanation: Unlike professional organizations, licensing bodies, such as a state licensing department, have legal authority to enforce licensing laws. An example of licensing laws would be those related to the licensing of private investigators.

7. What is an effective way to ethically protect yourself at a personal and legal level?
   a. Ensure you have nothing to hide.
   b. Maintain your objectivity in all matters.
   c. Identify your biases.
   d. All of these choices
Answer: d. All of these choices
Explanation: For digital forensics examiners, it is vital that you be honest, unbiased, and objective in all matters, including your examinations and testimony.

8. Ethics are a tool that can help you identify your prejudices. True or False?
Answer: True
Explanation: Ethics can be used to identify and control a digital forensics examiner’s bias along with any preconceived prejudices to help maintain objectivity.

9. What sources are there for ethical standards for digital forensics? (Choose all that apply.)
   a. An examiner’s personal ethics
   b. Membership requirements of a professional organization
   c. A certifying body granting an examiner certification
   d. An employer’s rules and policies
Answer: a. An examiner’s personal ethics; b. Membership requirements of a professional organization; c. A certifying body granting an examiner certification; d. An employer’s rules and policies
Explanation: In addition to the four items listed, there are many sources that a digital forensics examiner can draw on to develop ethical standards. In the United States, there is no national standard for digital forensics examiners; however, in many states, examiners must be licensed as private investigators and comply with those states’ regulations.




10. An expert witness can testify about evidence even if they weren’t present when an event occurred or didn’t handle the evidence. True or False?
Answer: True
Explanation: An expert witness, unlike a fact witness, gives an opinion based on the evidence they are presented.

11. Which of the following is the most effective way for a digital forensics examiner to prevent “opinion shopping” by a client or an attorney? (Choose all that apply.)
   a. Only take requests for cases from attorneys that you have worked with before.
   b. Require a retainer be paid before proceeding.
   c. Require sufficient information about the case to properly evaluate it.
   d. Request references before talking to the attorney.
Answer: b. Require a retainer be paid before proceeding; c. Require sufficient information about the case to properly evaluate it.
Explanation: To avoid any potential conflicts of interest, a digital forensics examiner should make sure that the requester—that is, an attorney or potential client—is not attempting to eliminate the examiner from working on a case.

12. Which of the following situations would create an “unethical situation” for a digital forensics examiner?
   a. Failing to report exculpatory evidence
   b. Expanding an examination of a case beyond the scope directed by the attorney
   c. Reexamining a case before it goes to trial using updated digital forensics tools and finding more inculpatory evidence
   d. All of these choices
Answer: a. Failing to report exculpatory evidence
Explanation: Your responsibility as a digital forensics examiner is to be as truthful as possible in all matters. For criminal cases, it is extremely important that you bring forward all exculpatory evidence and let the attorneys, judge, and jury come to their own decision of its value. Although not an ethical matter, expanding an examination beyond the attorney’s direction can produce more complications for a case. If you feel it is necessary to expand the examination, you should recommend it to the attorney, since it is the attorney’s responsibility to accept or reject your recommendation depending on the needs of the case. Because many cases may take several months or more to come to trial, and digital forensics tools are constantly being improved, you should recommend to the attorney that a reexamination using the most current forensics tools be performed prior to going to trial. By reexamining a case, new evidence might be brought to light. Any new evidence could change the direction of a case.




13. How should you respond when being examined by an attorney who claims that your present testimonial opinion has changed from a previous case?
   a. Refuse to answer the question.
   b. Request a recess so that you can review the specific differences between the cases.
   c. Explain in detail why your opinion is different for the present case.
   d. Tailor your answer so as to suit the question’s differences between the cases.
Answer: c. Explain in detail why your opinion is different for the present case.
Explanation: When testifying, it is extremely important to be well prepared and to be aware of any potential conflicts between your previous testimony and your testimony in the current case. Refusing to answer questions in court is not allowed. Requesting a recess may be granted but will most likely be objected to by the opposing attorney and cause the judge to look unfavorably on you. Trying to adjust your testimony after requesting a recess will also make you less credible as a witness. When preparing to testify in any case, always prepare for all possible challenges to your work and opinions.

14. What should you do to prevent being disqualified as a possible digital forensics examiner for a case when an attorney you haven’t had contact with before wants to talk to you about a case? (Choose all that apply.)
   a. Document the day and time you received the call from the attorney.
   b. Note the attorney’s name and contact information.
   c. Request a retainer to be paid to you from the attorney before talking further about the case.
   d. Get as much information from the attorney as possible about the case before negotiating a fee for your services.
Answer: a. Document the day and time you received the call from the attorney; b. Note the attorney’s name and contact information; c. Request a retainer to be paid to you from the attorney before talking further about the case.
Explanation: To limit potentially qualified digital forensics examiners from working for the opposing attorney, some attorneys will attempt to create a conflict of interest for an expert. This practice is called “conflicting out.” When talking about a potential case with an attorney you haven’t worked with before, always note the day and time of the conversation and the nature of the communications. Inform the attorney that if they wish to discuss the details of the case, you must be paid a retainer. By requesting a retainer, you will minimize any potential conflict of interest.

15. What factors do courts typically use to disqualify an expert witness?
   a. Whether the attorney informed the expert that their discussions were confidential
   b. Whether the expert witness signed a confidentiality agreement
   c. The number of times the attorney and expert talked about a case
   d. All of these choices




Answer: d. All of these choices
Explanation: In addition to factors such as whether an attorney informed the expert that their discussion is confidential, whether the expert signed a confidentiality agreement, and the number of discussions the attorney and expert had, other factors of disqualification include the following:
• Type of information and documents reviewed by the expert, including whether any material reviewed by the expert is confidential or an attorney work product
• Whether the expert provided confidential information to the attorney
• Whether the expert had concerns about being retained for the case
• Whether the attorney requested the expert to perform the service
• Whether compensation was given to the expert by the attorney

16. Based on the court case Wang Laboratories, Inc. v. Toshiba Corp. (762 F. Supp. 1246 [E.D. Va. 1991]), which of the following could result in an expert being disqualified? (Choose all that apply.)
   a. An attorney who asks for the hourly rates from a digital forensics examiner
   b. A confidential relationship between the expert and the opposing attorney
   c. An opposing attorney who communicates confidential information to the expert
   d. An attorney who requests the expert review a previously settled case’s public record
Answer: b. A confidential relationship between the expert and opposing attorney; c. An opposing attorney who communicates confidential information to the expert
Explanation: Wang Laboratories, Inc. v. Toshiba Corp. states that an expert will be disqualified from a case if any confidential information is shared or if a confidential relationship is formed between the opposing attorney and the expert. Requesting information on the fees of an expert or the sharing of public record information is not confidential and will not disqualify the expert.

17. When can a digital forensics examiner accept a contingency fee for their services?
   a. For all civil lawsuit litigation
   b. Only when providing testimony for noncriminal cases
   c. In civil cases where the client has insufficient funds to pay the expert
   d. Never—with exceptions if the expert is only providing consultation and not testifying in a case
Answer: d. Never—with exceptions if the expert is only providing consultation and not testifying in a case
Explanation: Only in some cases, if an expert witness is used only as a consultant, can the expert receive a contingency fee. As a standard practice, digital forensics experts should never agree to a contingency fee. The expert witness should be paid in full for their services.




18. Which of the following guidelines should a digital forensics examiner follow to avoid ethical errors? (Choose all that apply.)
   a. Never report false facts of a case.
   b. Never allow an attorney who retained you to alter your opinion.
   c. Never reach a conclusion before completing an examination.
   d. Never perform work beyond your ability.
Answer: a. Never report false facts of a case; b. Never allow an attorney who retained you to alter your opinion; c. Never reach a conclusion before completing an examination; d. Never perform work beyond your ability.
Explanation: Never ignore inculpatory and exculpatory evidence that may contradict facts for the case. In addition, never overcommit your time to complete a case or overstate your abilities. For your reputation and the credibility of the profession, it is important to be forthright, honest, and complete in the work you provide for the attorney. Anything less will damage your professional reputation.

19. How does the Daubert standard apply to a digital forensics examiner? (Choose all that apply.)
   a. If an expert distorts, falsifies, or misrepresents facts, their opinions will be considered unreliable.
   b. If an expert distorts, falsifies, or misrepresents facts, all evidence will be considered invalid.
   c. Daubert defines that an expert has an “ethical responsibility” to present a complete and unbiased account of a case.
   d. Daubert minimizes any responsibility of an expert witness when providing opinion testimony for a case.
Answer: a. If an expert distorts, falsifies, or misrepresents facts, their opinions will be considered unreliable; c. Daubert defines that an expert has an “ethical responsibility” to present a complete and unbiased account of a case
Explanation: The Daubert standard defines what ethical expectations and responsibilities an expert witness has when testifying in court. The expert witness must guard against advocating their position if what they are testifying to is based on questionable evidence and information.

20. What are the purposes of an intake form? (Choose all that apply.)
   a. The primary purpose of an intake form is to help you determine if there might be any conflict of interest when you are approached by an attorney inquiring about a case.
   b. The secondary purpose of an intake form is to obtain enough information about the potential case to determine if you can successfully work on the case and present evidence in court.
   c. The primary purpose of an intake form is to obtain enough information about the potential case to determine if you can successfully work on the case and present evidence in court.
   d. The secondary purpose of an intake form is to help you determine if there might be any conflict of interest when you are approached by an attorney inquiring about a case.

© 2025 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

9



Answer: a. The primary purpose of an intake form is to help you determine if there might be any conflict of interest when you are approached by an attorney inquiring about a case; b. The secondary purpose of an intake form is to obtain enough information about the potential case to determine if you can successfully work on the case and present evidence in court
Explanation: When you receive a request to work on a case, it is important to first make sure that there are no conflicts of interest that could disqualify you from performing the work. Once it is determined that there is no or very little chance of a conflict of interest, then the detailed work of collecting specific details about the case can be performed.

21. An attorney would like you to peer-review a report from another examiner submitted by an opposing attorney on a civil case. The report will have the other examiner’s name listed in it. What type of peer review should you write and submit to the attorney?
a. Single-blind peer review
b. Double-blind peer review
c. Collaborative peer review
d. Open peer review
Answer: a. Single-blind peer review
Explanation: Since you will be reading the original report, which should list the opposing digital forensics examiner’s name, a single-blind peer report should be written. If the attorney requesting you to do a peer review masks the other examiner’s name to minimize any biases on your part, it would be a double-blind peer review. Collaborative and open peer reviews are done in cooperation with the creator of a report.

22. A digital forensics report peer review should provide which of the following? (Choose all that apply.)
a. Criticism stating only what is wrong about the report
b. Feedback about the examination performed by the other examiner
c. Suggestions to improve the report’s findings and analysis
d. Your personal opinion about information of the case in the report
Answer: b. Feedback about the examination performed by the other examiner; c. Suggestions to improve the report’s findings and analysis; d. Your personal opinion about information of the case in the report
Explanation: Your peer review should include constructive criticism of a report’s findings. If you have contrary opinions, use supporting evidence to describe what those opinions are and why they are significant. If you think another approach to an examination should be performed, suggest it and provide details.




23. What is your primary responsibility when writing a peer review? (Choose all that apply.)
a. Provide constructive feedback only for collaborative peer review.
b. Provide constructive feedback only for single-blind peer review.
c. Provide constructive feedback only for triple-blind peer review.
d. Provide constructive feedback for all peer reviews.
Answer: d. Provide constructive feedback for all peer reviews.
Explanation: Your primary responsibility when writing a peer review is to provide constructive feedback to the requester. This applies to all peer reviews no matter which type of review you are writing, including single-, double-, and triple-blind reviews and collaborative peer reviews. By providing constructive criticism and feedback, you will present yourself as a professional who understands fair-mindedness in your work.

24. You should never list or describe your personal biases when writing a peer review. True or False?
Answer: False
Explanation: Biases are unavoidable in all investigations and examinations. It is important that you understand your own biases and list them in a peer review that relates to an examination or a report’s findings. Clearly stating your biases along with the facts that support them demonstrates objectivity, fairness, and professionalism as a digital forensics examiner.

Case Projects - Solutions

Case Project 15-1
Estimated Time: 45 minutes
Objective: Identify a conflict of interest using an intake form.
Before You Begin:
• Create Work folder C:\Work\Module_15\Case_Project_15-1.
• Download to your Work folder the following data file provided with the module:
  • Case_Project_15-1_Intake_Form_Review.pdf

This case project is a request to perform a digital forensics examination. You are to review the file Case_Project_15-1_Intake_Form.pdf to determine if there might be a conflict of interest that would prevent you from conducting a digital forensics examination. Once you have determined whether there is a conflict of interest, write a one-page letter to the requesting attorney stating that you would or would not be willing to accept the case. If you do accept the case, state in the letter that you will need payment before you can start the examination. If you think there is a conflict of interest, state in the letter that you cannot work on the case because of the conflict and include a short explanation of why there is a conflict. For the letter, use the standard business-style format, which is typically provided as a template with word processing applications, and save it as Case_Project_15-1_Letter.docx in your Work folder. When finished, submit to your instructor the following file:
• Case_Project_15-1_Letter.docx

Solution Guidance: For this case project, there are two possible solutions. If the student has completed Project 2-4 from the module “Report Writing and Testimony for Digital Investigations,” they should have recognized the case and realized that it would be a conflict of interest for them to accept the new case presented in this Case Project. If they haven’t completed Project 2-4, they should write a letter accepting the new case. For examples of the output files that students will submit, see the following solution files:
• Solution_Case_Project_15-1_Letter_Conflict_of_Interest.pdf
• Solution_Case_Project_15-1_Letter_No_Conflict_of_Interest.pdf

Case Project 15-2
Estimated Time: 45 minutes
Objective: Complete a peer review checklist of a case report.
Before You Begin:
• Create Work folder C:\Work\Module_15\Case_Project_15-2.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_15-2_Missing_Files_Case_Report.pdf
  • Case_Project_15-2_Peer-Review_Checklist.docx

For this case project, you perform a review of the file Case_Project_15-2_Missing_Files_Case_Report.pdf and fill in the checklist form, Case_Project_15-2_Peer-Review_Checklist.docx, as a preliminary step in preparing a peer review. When finished, submit to your instructor the following file:
• Case_Project_15-2_Peer-Review_Checklist.docx

Solution Guidance: Students should provide brief statements for each checklist item listed in the form; however, because the case report is short, not all items in the checklist need to be completed, as is shown in the solution file. For an example of the output file that students will submit, see the following solution file:
• Solution_Case_Project_15-2_Peer-Review_Checklist.pdf


Case Project 15-3
Estimated Time: 60 minutes
Objective: Create a peer review memorandum of a previous case for an attorney.
Before You Begin:
• Create Work folder C:\Work\Module_15\Case_Project_15-3.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_15-3_Report_to_Peer_Review.pdf
  • Case_Project_15-3_Peer-Review_Checklist.docx
  • Case_Project_15-3_Peer-Review_Memorandum.docx

For this case project, you will peer-review the file Case_Project_15-3_Report_to_Peer_Review.pdf and create a memorandum of your findings and opinions. To complete this case project, first fill in the file Case_Project_15-3_Peer-Review_Checklist.docx to organize your thoughts and then transfer that information into the file Case_Project_15-3_Peer-Review_Memorandum.docx. While examining the file Case_Project_15-3_Report_to_Peer_Review.pdf, note any major or minor errors you might find in the narrative for the memorandum. When finished, submit to your instructor the following files:
• Case_Project_15-3_Peer-Review_Checklist.docx
• Case_Project_15-3_Peer-Review_Memorandum.docx

Solution Guidance: For this report peer review, students should recommend additional steps to take as part of the investigation, such as following up to look for any trace evidence that might be residing on the computer used by the subject George Montgomery (as the original report suggested). In addition, students should look for any typographical errors in the report, such as the name of Steve Billing versus Mr. Billings. Students should cite this in their checklist and in the final memorandum. For examples of the output files that students will submit, see the following solution files:
• Solution_Case_Project_15-3_Peer-Review_Checklist.pdf
• Solution_Case_Project_15-3_Peer-Review_Memorandum.pdf

Case Project 15-4
Estimated Time: 45 minutes
Objective: Determine a digital forensics examiner’s qualifications using a CV.
Before You Begin:
• Create Work folder C:\Work\Module_15\Case_Project_15-4.
• Download to your Work folder the following data files provided with the module:
  • Case_Project_15-4_Cynthia Kazakova_CV.pdf
  • Case_Project_15-4_Memorandum.docx

For this case project, you have been directed to examine a digital forensics examiner’s curriculum vitae (CV) to determine if they have the skills to perform an examination of the computer system on a commercial fishing troller. The fishing troller’s computer is connected to a vessel monitoring system device. Skills needed for this assignment include the following:
• General data recovery techniques
• Digital evidence preservation
• Global positioning satellite technologies
• Cloud operations and forensics
• Trial and deposition testimony experience

Review the file Case_Project_15-4_Cynthia Kazakova_CV.pdf and identify the skills listed in this CV. Then, write a memorandum in the file Case_Project_15-4_Memorandum.docx detailing your findings. In the memorandum, add any comments you think might be skills that can be adapted for this case project. When finished, submit to your instructor the following file:
• Case_Project_15-4_Memorandum.docx

Solution Guidance: Students should read the file Case_Project_15-4_Cynthia Kazakova_CV.pdf and make notes of the skills listed in the CV that closely relate to the following items:
• General data recovery techniques
• Digital evidence preservation
• Global positioning satellite technologies
• Cloud operations and forensics
• Trial and deposition testimony experience
For an example of the output file that students will submit, see the following solution file:
• Solution_Case_Project_15-4_Memorandum.docx



Part 2 Instructor Manual Module 1 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 1: Understanding the Digital Forensics Profession and Investigations

TABLE OF CONTENTS
Purpose and Perspective of the Module ........ 2
List of Student Downloads ........ 2
Module Objectives ........ 3
Module Outline ........ 3
  An Overview of Digital Forensics ........ 3
    Digital Forensics and Other Related Disciplines ........ 4
    A Brief History of Digital Forensics Tools ........ 4
    Understanding Case Law ........ 4
    Developing Digital Forensics Resources ........ 4
  Preparing for Digital Investigations ........ 5
    Understanding Public-Sector Investigations ........ 5
    Understanding Private-Sector Investigations ........ 5
  Maintaining Professional Conduct ........ 5
  Managing a Digital Forensics Investigation ........ 6
    Five Steps of an Investigation ........ 6
    An Overview of a Computer Crime ........ 6
    An Overview of a Company Policy Violation ........ 6
    Taking a Systematic Approach ........ 7
  Procedures for Private-Sector High-Tech Investigations ........ 7
    Employee Termination Cases ........ 7
    Internet Abuse Investigations ........ 7
    Email Abuse Investigations ........ 8
    Attorney-Client Privilege Investigations ........ 8
    Industrial Espionage Investigations ........ 8
    Interviews and Interrogations in High-Tech Investigations ........ 8
  Understanding Data Recovery Workstations and Software ........ 8
    Setting Up Your Workstation for Digital Forensics ........ 9
  Conducting an Investigation ........ 9
    Gathering the Evidence ........ 9
    Understanding Bit-Stream Copies ........ 9
    Analyzing Your Digital Evidence ........ 10
    Critiquing the Case ........ 10
  Note About Live Virtual Machine Labs ........ 10
Key Terms ........ 11
Discussion Questions ........ 14
Additional Projects ........ 15
Appendix ........ 16
  Generic Rubrics ........ 16
  Standard Writing Rubric ........ 16
  Standard Discussion Rubric ........ 17

PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to provide an overview of the field of digital forensics, highlighting the need for standardized digital forensics processes as more people around the world are accessing the same information online. This module also points out that digital forensics has evolved over the years from its earlier focus on securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases, to also encompass activities such as incident response, research, and e-discovery.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:


MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe the field of digital forensics.
2. Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations.
3. Explain the importance of maintaining professional conduct.
4. Describe how to manage a digital forensics investigation by taking a systematic approach.
5. Describe procedures for private-sector high-tech investigations.
6. Explain requirements for data recovery workstations and software.
7. Summarize how to conduct an investigation, including critiquing a case.

MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

AN OVERVIEW OF DIGITAL FORENSICS
1. Explain that the definition of digital forensics has evolved over the years and that it can encompass different activities such as incident response, research, and e-discovery.
2. Point out to the students that a global standardized method for digital forensics was ratified, and that the Fourth Amendment to the U.S. Constitution protects everyone’s right to be secure in their person, residence, and property against unreasonable search and seizure.


Digital Forensics and Other Related Disciplines
1. Explain that digital forensics is different from data recovery, and that it is used to investigate data that can be retrieved from a computer’s hard drive or other storage media.
2. Point out to the students the different areas and groups within digital forensics in which they can work and what skills are necessary for each.

A Brief History of Digital Forensics Tools
1. Explain that in less than fifty years computer technology has changed drastically, as have insider threats and the need for tools to ensure security.
2. Point out to the students that they should spend time staying current with the software companies that are becoming savvier about digital forensics and investigations and producing more forensics tools to keep pace with technology.

Understanding Case Law
1. Explain that case law is used when relevant statutes or regulations do not yet exist because existing laws cannot keep up with the current rate of technological change.
2. Point out to the students that law enforcement personnel have the right or authority to confiscate a device an arrested person is carrying but not necessarily to search the device.

Developing Digital Forensics Resources
1. Explain that computer user groups in both the public and private sectors and outside experts on specific OSs can be helpful resources.
2. Point out to the students that to be a successful digital forensics investigator, they must be familiar with more than one computing platform and develop and maintain contact with digital, network, and investigative professionals.


PREPARING FOR DIGITAL INVESTIGATIONS
1. Explain that digital investigations can be categorized in several ways; however, the most common is to divide them into two categories: public-sector investigations and private-sector investigations.
2. Point out to the students the main differences between public- and private-sector investigations and the respective focus of each.

Understanding Public-Sector Investigations
1. Explain that computers and networks can be used as tools to commit a crime; for this reason, many states have added specific language to criminal codes to define crimes involving computers.
2. Point out to the students that they must understand laws on computer-related crimes, including standard legal processes, guidelines on search and seizure, and the steps required to build a criminal case.
3. Introduce the steps and requirements of following legal processes, including the training and experience of the people involved, and note that the legal processes to follow depend on local customs, legislative standards, and rules of evidence.

Understanding Private-Sector Investigations
1. Explain the steps to follow for private-sector investigations and how to proceed with them, such as establishing company policies, displaying warning banners, designating an authorized requester, conducting security investigations, and distinguishing personal and company property.
2. Point out to the students that they should remember that businesses usually focus on continuing their usual operations and making profits, which must continue with minimal interruption from the investigation.

MAINTAINING PROFESSIONAL CONDUCT
1. Explain that professional conduct includes ethics, morals, and standards of behavior such as maintaining objectivity and confidentiality during an investigation, continually expanding technical knowledge, and conducting required steps with integrity.


2. Point out to the students some of the ways they should behave and conduct investigations to maintain credibility and ethics, and explain that membership in professional organizations adds to their credentials in addition to education and training.

MANAGING A DIGITAL FORENSICS INVESTIGATION
1. Explain that a digital forensics professional’s role is to gather data from a suspect’s computer and determine whether there is evidence that a crime was committed or that company policies or industry regulations have been violated.
2. Point out to the students that they should approach each case methodically and document the chain of custody.

Five Steps of an Investigation
1. Explain how and when to use each of the five steps of an investigation performed by a digital forensics examiner.
2. Point out to the students that the five steps are: form a hypothesis of the reported incident or crime; identify the artifacts that might contain evidence to support the hypothesis; collect and extract evidence from the artifacts; analyze the collected evidence to support or dispute the hypothesis; and create a thesis of your findings.

An Overview of a Computer Crime
1. Explain, through an example, how a computer crime would be accessed by law enforcement officers and how an investigator should proceed when recovering files and other storage media as evidence to help on the case.
2. Point out to the students that a range of software is available for use in an investigation for email messages, deleted files, and hidden files, such as Autopsy from Sleuth Kit.

An Overview of a Company Policy Violation
1. Explain that digital forensics specialists are often used to investigate policy violations such as employees surfing the internet, sending personal emails, using company computers for personal tasks during work hours, or other computer-based tasks that can waste company time.


2. Point out to the students an example of a company policy violation and how it was approached.

Taking a Systematic Approach
1. Explain each of the twelve standard systems analysis steps that can be used when preparing a case.
2. Point out to the students that the amount of time and effort they should put into each step varies depending on the nature of the investigation, but they also should be prepared for the unexpected and have a contingency plan for the investigation.

PROCEDURES FOR PRIVATE-SECTOR HIGH-TECH INVESTIGATIONS
1. Explain that investigators need to develop formal procedures and informal checklists to cover all issues important to high-tech investigations.
2. Point out to the students some examples of procedures that digital investigators commonly use in private-sector high-tech investigations.

Employee Termination Cases
1. Explain that most investigative work for termination cases involves employee abuse of company resources.
2. Point out to the students that consulting with your organization’s general counsel and human resources department for specific directions on how to handle these investigations is recommended.

Internet Abuse Investigations
1. Explain that to conduct an investigation involving internet abuse, a few things are necessary: the organization’s internet proxy server logs, the suspect computer’s IP address obtained from the organization’s network administrator, the suspect computer’s disk drive, and the investigator’s preferred digital forensics analysis tool.
2. Point out to the students that before investigating an internet abuse case, they must research the state or country’s privacy laws to make sure they stay within legal boundaries.


Email Abuse Investigations
1. Explain that email investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
2. Point out to the students that there is a list of things they need for an investigation involving email abuse that varies depending on where the email systems store the user’s messages.

Attorney-Client Privilege Investigations
1. Explain that the attorney you are working for is the ultimate authority over the investigation and that all the findings during this type of investigation are confidential.
2. Point out to the students that there are eleven basic steps for conducting an ACP case that have to be followed, along with three other guidelines to make the investigation more effective.

Industrial Espionage Investigations
1. Explain the difference between the standards of industrial espionage investigations and other private-sector investigations, including some guidelines on how to deal with violations of International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
2. Point out to the students that there are seven basic steps for conducting an industrial espionage case, and that all suspected industrial espionage cases should be treated as criminal investigations.

Interviews and Interrogations in High-Tech Investigations
1. Explain the difference between an interrogation and an interview in the investigation context.
2. Point out to the students that common interview and interrogation errors include being unprepared for the interview or interrogation and not having the right questions or enough questions to increase your depth of knowledge.

UNDERSTANDING DATA RECOVERY WORKSTATIONS AND SOFTWARE
1. Explain the difference between data recovery and digital forensics.


2. Point out to the students that if they boot any operating system from, or mount, the disk under examination, the OS writes to it: Windows, for example, creates Recycle Bin and system folders and updates file and volume metadata on any volume it mounts. Those writes change the disk's hash and undermine the integrity of the evidence they are trying to preserve, which is why the original is attached only through a write-blocker and analysis is done on an image. 3. Mention that Windows products are being developed that make performing disk forensics easier; however, because Windows has limitations in performing disk forensics, they need to develop skills in acquiring data with Linux.

Setting Up Your Workstation for Digital Forensics 1. Explain the seven things that are required for configuring a computer workstation or laptop as a forensic workstation. 2. Point out to the students the other useful items to include when setting up the workstation.

CONDUCTING AN INVESTIGATION 1. Explain that to begin conducting an investigation, the investigator should start by copying the evidence using a variety of methods and gathering the resources identified in the investigation plan. 2. Point out to the students that they need the original storage media, an evidence custody form, an evidence container for the storage media, a bitstream imaging tool, the forensic workstation to copy and examine the evidence, and a secure evidence locker, cabinet, or safe.

Gathering the Evidence 1. Explain, through the Montgomery_72022 case, the steps to gather evidence for a case. 2. Point out to the students that they need antistatic bags and pads with wrist straps to prevent static electricity from damaging digital evidence.

Understanding Bit-Stream Copies 1. Explain a bit-stream copy and a bit-stream image, and state that the more exact the copy, the better chance of retrieving the evidence needed from the disk.


2. Point out to the students that the first rule of digital forensics is to preserve the original evidence and conduct analysis only on a copy of the data.
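As an added worked example (not from the textbook or this instructor manual), the following Python script imitates what an imaging tool such as dd does when making a bit-stream copy, and then validates the image with SHA-256, which is the hash validation and repeatability the key terms below describe. The FlakyDevice class, the 512-byte sector size, the file names and the zero-fill policy for unreadable sectors are assumptions made for the example; a real acquisition reads the device through a write-blocker.

```python
import hashlib
import os
import tempfile

# Sector size is assumed here (512-byte sectors). Record the real device's
# logical sector size on the evidence custody form, because the zero-fill
# below pads in units of it.
SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a raw block device (/dev/sdX): serves bytes
    from memory and raises EIO for sectors listed as bad, as a dying drive would."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.size = len(data)

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(device, image_path: str) -> dict:
    """Bit-stream copy, sector by sector. Unreadable sectors are zero-filled and
    logged (the behaviour of dd conv=noerror,sync) instead of aborting, so the
    image stays sector-aligned with the source. Returns the acquisition record."""
    sha = hashlib.sha256()
    bad = []
    n_sectors = -(-device.size // SECTOR)  # ceiling division
    with open(image_path, "wb") as img:
        for n in range(n_sectors):
            try:
                chunk = device.read_sector(n)
            except OSError:
                chunk = b"\x00" * SECTOR
                bad.append(n)
            img.write(chunk)
            sha.update(chunk)
    return {
        "image": image_path,
        "sectors": n_sectors,
        "bad_sectors": bad,
        "acquisition_sha256": sha.hexdigest(),  # hash of the bytes as written
    }


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Re-read the image from disk and hash it: the verification hash."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            sha.update(block)
    return sha.hexdigest()


def verify(record: dict) -> bool:
    """An image is verified when an independent re-read reproduces the
    acquisition hash; bad sectors are reported in the record, not hidden."""
    record["verification_sha256"] = sha256_file(record["image"])
    return record["verification_sha256"] == record["acquisition_sha256"]


def run_demo() -> dict:
    """Constructed inputs: a 4 KiB 'device' imaged twice, once healthy and once
    with sector 3 unreadable."""
    evidence = bytes(range(256)) * 16  # 4096 bytes = 8 sectors, deterministic
    out = {"source_sha256": hashlib.sha256(evidence).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        good = acquire(FlakyDevice(evidence), os.path.join(d, "good.dd"))
        good["verified"] = verify(good)
        damaged = acquire(FlakyDevice(evidence, bad_sectors=[3]),
                          os.path.join(d, "damaged.dd"))
        damaged["verified"] = verify(damaged)
        with open(damaged["image"], "rb") as f:
            f.seek(3 * SECTOR)
            damaged["sector3_zeroed"] = f.read(SECTOR) == b"\x00" * SECTOR
    out["good"], out["damaged"] = good, damaged
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Two points the record makes visible: the healthy image hashes identically to the source, so the copy is exact; the damaged image still verifies against its own acquisition hash (the copy is repeatable) but no longer matches the source, and the zero-filled sector 3 must be listed in the report rather than left for opposing counsel to find. With dd the equivalent caveat is that conv=noerror,sync pads in units of the block size given by bs, so that value belongs on the custody form as well.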

Analyzing Your Digital Evidence 1. Explain that recovering the data is the main job when analyzing digital evidence and that if users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. 2. Point out to the students some additional features of Autopsy, how to complete the case, and how to use Autopsy’s report generator.

Critiquing the Case 1. Explain that investigators need to meet with their department or a group of fellow investigators and critique the case in an effort to improve the work. 2. Point out to the students that they should take notes to themselves in a journal about techniques or processes that might need to be changed or addressed in future investigations, and then store their journals in a secure place.

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

[return to top]

KEY TERMS Affidavit: A notarized document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation. Also called a declaration when the document is not notarized. Allegation: A charge made against someone or something before proof has been found. Approved secure container: A fireproof container locked by a key or combination. Attorney-client privilege (ACP): The rules that protect communication between an attorney and client about legal matters as confidential communication. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.

Authorized requester: In a private-sector environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer. Bit-stream copy: A bit-by-bit duplicate of data on the original storage medium; also called a forensic copy. The process of creating this copy is usually called acquiring an image or making an image. Bit-stream image: The file where the bit-stream copy is stored; usually referred to as an image, image save, or image file. Chain of custody: The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.


Computer Technology Investigators Network (CTIN): A nonprofit group composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest. Data recovery: The process of retrieving files that were deleted accidentally or purposefully. Digital Evidence First Responder (DEFR): A professional who secures digital evidence at the scene and ensures its viability while transporting it to the lab. Digital Evidence Specialist (DES): An expert who analyzes digital evidence and determines whether additional specialists are needed to assist with evidence analysis. Digital forensics: The application of computer science and investigative procedures for a legal purpose; involves analyzing digital evidence as well as obtaining search warrants, maintaining a chain of custody, validating with mathematical hash functions, using validated tools, ensuring repeatability, reporting, and presenting evidence as an expert witness. Digital investigations: The process of conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime. Evidence bag: A nonstatic bag used to transport computer components and other digital devices. Evidence custody form: A printed form indicating who has signed out and been in physical possession of evidence; also called a chain-of-evidence form. Exculpatory evidence: Evidence that indicates the suspect is innocent of the crime. Exhibits: Evidence used in court to prove a case. Forensic workstation: A computer set up to allow copying of forensic evidence, whether it is on a hard drive, flash drive, or the cloud. It usually has software preloaded and ready to use. Fourth Amendment: The Fourth Amendment to the U.S. Constitution in the Bill of Rights, which dictates that the government and its agents must have probable cause for search and seizure.


Hostile work environment: An environment in which employees cannot perform their assigned duties because of the actions of others. Such actions could include sending threatening or demeaning emails or viewing pornographic or hate websites. Inculpatory evidence: Evidence that indicates a suspect is guilty of the crime with which they are charged. Industrial espionage: Theft of company-sensitive or proprietary company information, often to sell to a competitor. Insider threat: An employee or contractor who commits industrial espionage or hacks into corporate sites to do harm by stealing or destroying data or distributing malware on the corporate network. International Association of Computer Investigative Specialists (IACIS): An international organization of professionals that offers computer forensics training and certification restricted to law enforcement, former law enforcement, and government employees. Internet of Things (IoT): Devices and objects connected to the internet via sensors, software, and embedded chips, which may or may not be able to store data; may include objects such as cars, coffee makers, dishwashers, pet-tracking microchips, and TVs. Interrogation: The process of trying to get a suspect to confess to a specific incident or crime. Interview: A conversation conducted to collect information from a witness or suspect about specific facts related to an investigation. Line of authority: The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence. Multi-evidence form: An evidence custody form used to list all items associated with a case. See also evidence custody form. Network intrusion detection and incident response: The process of detecting attacks from intruders by using automated tools; also includes the manual process of monitoring network firewall logs. 
Professional conduct: Behavior expected of an employee in the workplace or other professional setting; includes ethics, morals, and standards of behavior.


Repeatable findings: In a digital investigation, the ability of an investigator to repeat the steps they took to produce the same results. Search and seizure: The legal act of acquiring evidence for an investigation. See also Fourth Amendment. Search warrant: A legal document that allows law enforcement to search an office, a home, or another locale for evidence related to an alleged crime. Single-evidence form: A form that dedicates a page for each item retrieved for a case. It allows investigators to add more detail about exactly what was done to the evidence each time it was taken from the storage locker. See also evidence custody form. Verdict: The decision returned by a jury in a civil or criminal case. Vulnerability/threat assessment and risk management: The process of determining the weakest points in a system; includes physical security and the security of OSs and applications. Warning banner: Text displayed on computer screens when someone logs on to a company computer; states ownership of the computer and specifies appropriate use of the machine or internet access. White-collar crimes: Financial crimes, including falsification of financial information, fraud, identity theft, intellectual property theft and piracy, embezzlement, and money laundering.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as wholeclass discussions in person; or as a partner or group activity in class.

1. Discussion: Digital Forensics Scope (Duration 20 minutes)
a. The field of digital forensics has evolved considerably over the years.
b. What are the concerns traditionally covered by digital forensics?
Answer: Traditionally, the field used to focus on securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases. These concerns are still important but are no longer the only concerns.
c. What new concerns have been incorporated into the field recently?
Answer: The evolution of the field and internet technologies enlarged the target of digital forensics to cover activities such as incident response, research, and e-discovery. Together with the traditional concerns, these new concerns have to be covered by a digital forensics professional.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish. 1. Expectations on the Topic: What are the students’ expectations of this topic? The field of digital forensics is largely hyped by movies, novels, and sometimes even news. However, it is rarely accurately described. What do you expect to be covered by this study of digital forensics?

2. [Activity title]: What kind of professionals work with digital forensics? What are the educational and training requirements for a digital forensics professional? Does computer science proficiency suffice? What legal background is necessary?

[return to top]


APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC (40 points)

Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research (citations)
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC (30 points)

Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]

Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

Instructor Manual Module 2 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 2: Report Writing and Testimony for Digital Investigations

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Understanding the Importance of Reports With a View to Testifying
    Limiting a Report to Specifics
    Types of Reports
  Guidelines for Writing Reports
    What to Include in Written Preliminary Reports
    Report Structure
    Writing Reports Clearly
    Designing the Layout and Presentation of Reports
  Generating Report Findings and Writing the Digital Forensics Report
    Building Report Resources
    Determining Who Will Read the Report
    Putting the Digital Forensics Report Together
  Preparing for Testimony
    Documenting and Preparing Evidence
    Creating and Maintaining Your CV
    Preparing Technical Definitions
    Preparing to Deal with the News Media
  Testifying in Court and Depositions
    Understanding the Trial Process
    Providing Qualifications for Your Testimony
    General Guidelines on Testifying
    Testifying During Direct Examination
    Testifying During Cross-Examination
    Preparing for a Deposition or Hearing
    Guidelines for Testifying at Hearings
    Testimony Planning Review
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
  Standard Writing Rubric
  Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to give the students guidelines on writing reports of their findings in digital forensics investigations. They learn about different types of reports and what to include in a typical report. They also examine how to generate report findings with forensics software tools in anticipation of testifying. The students learn about the types of testimony (trials and for depositions) and the difference between a fact witness and an expert witness. In addition, they learn how to avoid some common problems related to testimony as well as some techniques they can use to increase the value of the testimony. This module also offers an example of how to prepare forensics evidence for testimony.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES The following objectives are addressed in this module: 1. Explain the importance of reports and testimony and preparing to testify. 2. Describe guidelines for writing reports. 3. Describe procedures for generating report findings and writing a digital forensics report. 4. Explain the preparation necessary for testifying as a fact witness or an expert witness. 5. Describe guidelines for testifying in court and in depositions.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

UNDERSTANDING THE IMPORTANCE OF REPORTS WITH A VIEW TO TESTIFYING 1. Explain to the students the importance of forensic reports to present evidence that may support further investigation and, in some situations, be admissible in court. 2. Point out that the report must be limited to specifics; consequently, they need to identify the audience and the purpose of the report to help focus on specifics.

Limiting a Report to Specifics 1. Explain to the students the importance of identifying the investigation’s goal or mission. 2. Point out the need to assess the audience and the purpose of the report before writing it.

Types of Reports 1. Explain to the students the main types of report: preliminary verbal or written report to an attorney; and formal written report of facts and findings. 2. Point out the need for an examination plan.

GUIDELINES FOR WRITING REPORTS 1. Explain to the students the basic guidelines to write forensic reports: make it easy to read; organize information; use simple and direct language; use technical terminology consistently; and care for text correctness. 2. Point out the importance of the report elements: evidence; appearance; data-collection methods; calculations; limitations of knowledge; conclusions; appendices; and references.


What to Include in Written Preliminary Reports 1. Explain to the students that a written report is a high-risk document, as it will be available to the opposing attorney. 2. Point out that in addition to the information provided in verbal reports, a written report has to include a billing summary, the examiner notes, the tentative conclusion, the areas requiring further investigation, and a confirmation of the examination scope.

Report Structure 1. Explain to the students the usual sections of a written report: abstract; table of contents; body of the report; and conclusion. 2. Explain to the students the usual supporting sections: appendices; glossary; references; and acknowledgements.

Writing Reports Clearly 1. Explain to the students the importance of producing clear and concise reports. 2. Point out that the report must use a proper tone, written in the first person and in a natural, plain-language style.

Designing the Layout and Presentation of Reports 1. Point out to the students the digital forensic report elements: evidence; appearance; methods for examination and data collection; the calculations; limitation statement; and conclusions. 2. Point out to the students the digital forensic report supporting elements: appendices and references.

GENERATING REPORT FINDINGS AND WRITING THE DIGITAL FORENSICS REPORT 1. Explain to the students the importance of determining the report audience prior to developing the report in order to identify the reader's needs.


2. Point out the importance of building and maintaining report resources; for example: glossary; references bank; and curriculum vitae.

Building Report Resources 1. Explain to the students the documents usually included in writing reports: glossary; references; and curriculum vitae.

Determining Who Will Read the Report 1. Explain to the students the need for awareness of the written report audience. 2. Point out the importance of creating a digital forensic report audience worksheet.

Putting the Digital Forensics Report Together 1. Explain to the students the importance of analyzing the data and reviewing the examiner notes. 2. Point out that in order to produce a good written report it is necessary to draft a first version of the report before producing the final version.

PREPARING FOR TESTIMONY 1. Explain to the students how to prepare the evidence, including its documentation as well as the technical definitions. 2. Point out the importance of being ready to deal with all sorts of news and media, as some cases have the potential to generate interest from the news media.


Documenting and Preparing Evidence 1. Emphasize to the students the need to preserve the evidence and document every step taken, so that their findings are repeatable if they are challenged. 2. Point out the differences between being a consulting expert and an expert witness.

Creating and Maintaining Your CV 1. Explain to the students the importance of keeping their CV updated as it provides credibility. 2. Point out that a good CV should reflect their professional background, not being only specific to a given trial or situation.

Preparing Technical Definitions 1. Explain to the students the importance of establishing uniform definitions for technical terms. 2. Point out that you should be prepared to deliver clear, concise, and non-ambiguous definitions for technical terms employed in your testimony.

Preparing to Deal with the News Media 1. Explain to the students the need to prepare to address the news media during the trial process. 2. Point out the kinds of information and opinions that should or should not be disclosed to the media.

TESTIFYING IN COURT AND DEPOSITIONS
1. Explain to the students the general guidelines on testifying, including the proper way to address the jury, the use of graphic materials, and understanding misconduct risks.
2. Point out the importance of understanding the trial process, particularly knowing the typical order of trial proceedings.
3. Emphasize the difference between testifying as an expert witness and as a fact witness.
4. Explain to the students the differences between testifying during direct examination and during cross-examination.

Understanding the Trial Process
1. Explain to the students the stages of a trial: motions in limine; impaneling the jury; opening statements; plaintiff; defense; rebuttal; closing arguments; and jury instructions.
2. Point out that an expert usually testifies during the plaintiff, defense, and rebuttal stages.

Providing Qualifications for Your Testimony
1. Explain to the students the importance of the voir dire phase, in which the attorney establishes the expert's qualifications.
2. Point out that how the expert's qualifications are presented also has implications for the cross-examination stage.

General Guidelines on Testifying
1. Explain to the students the usual guidelines for testimony, whether as an expert witness or a fact witness.
2. Point out the need for prior preparation to answer the usual technical questions.
3. Emphasize that graphical data used during testimony must be clear and precise.

Testifying During Direct Examination
1. Explain to the students the importance of being prepared to deliver answers to the attorney who hired them.
2. Point out that all questions should be reviewed and rehearsed prior to the testimony to provide credibility.
3. Emphasize the different kinds of information sources for testimony: independent recollection, customary practice, and documentation of the case.

Testifying During Cross-Examination
1. Explain to the students the usual pitfalls encountered while delivering testimony during cross-examination.
2. Emphasize the importance of being prepared to answer questions that try to undermine the credibility of their findings or opinions.
3. Point out that the opposing attorney may also attempt to discredit their testimony by attacking their motives and knowledge.
4. Stress that they should avoid being argumentative, defensive, talkative, or too technical, and should avoid appearing surprised or unprepared.

Preparing for a Deposition or Hearing
1. Explain to the students the difference between a deposition and a hearing.
2. Point out the importance of being polite and professional during depositions.
3. Call the students' attention to the fact that being deposed in a discovery deposition is an unnatural process, and as such, the opposing attorney may try to push them into making mistakes.

Guidelines for Testifying at Hearings
1. Explain to the students the importance of hearings, which are similar to testifying at trial.
2. Point out that even without a judge or jury present, a hearing may be a preliminary stage before a case proceeds to trial.

Testimony Planning Review
1. Explain to the students the need for a review to wrap up testimony planning.
2. Point out the need to have their CV updated and to have all evidence, including the written report and graphical materials, fully ready and rehearsed before testifying.


NOTE ABOUT LIVE VIRTUAL MACHINE LABS
The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane of each live virtual machine lab provides a list of learning outcomes that students should be able to demonstrate after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

KEY TERMS
Bona fides: A statement listing proof of one's qualifications, credentials, and legitimacy as an expert in the form of a summary, resume, or curriculum vitae.
Conflicting out: The practice of opposing attorneys trying to prevent a digital forensics examiner from testifying by claiming the examiner has discussed the case with them, and therefore has a conflict of interest.
Curriculum vitae (CV): An extensive outline of a person's professional history, including education, training, and work experience. For an examiner, it should include the cases they have worked on as well as training they have conducted, publications they have contributed to, and professional associations and awards received.
Deposition: A formal examination in which a witness is questioned under oath with only the opposing parties, the witness's attorney, and a court reporter present, without a judge or jury. Its purpose is to give the opposing counsel a chance to preview testimony before trial.
Deposition bank: A library of previously given testimony that law firms can access.
Discovery: The process by which attorneys seek information from the other side before a trial; it may include demands for documents, depositions, interrogatories (written questions answered in writing under oath), and written requests for admissions of fact.
Discovery deposition: A type of deposition during which the opposing attorney conducts the equivalent of both direct and cross-examination of the witness; considered part of the discovery process. See also deposition.
Examination plan: A document that lets a witness know what questions to expect when they are testifying.
Expert witness: A witness whose testimony includes opinions based on experience and facts gathered during an investigation.
Fact witness: A witness who testifies only to the facts (findings of an investigation); no opinion is given in court.
Hash algorithm: A specifically designed mathematical formula that provides a unique value for data or individual files.
High-risk document: A document, such as a written preliminary report, containing sensitive information; such a document could create an opening for the opposing attorney to demand discovery about the document with the goal of discrediting a witness.
Lay witness: A person whose testimony is based on personal observation or perception; not considered to be an expert in a particular field.
Testimony-preservation deposition: A deposition held to preserve testimony in case of schedule conflicts or health problems; usually videotaped as well as recorded by a stenographer. See also deposition.
Voir dire: The qualification phase of testimony in which an attorney asks questions to establish an expert witness's credentials; the process of qualifying jurors is also called voir dire.


DISCUSSION QUESTIONS
The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Discussion: Limit Reports to Specifics (Duration 20 minutes)
a. At the start of the investigation, the client should define the investigation's goal or mission.
b. Why is it important to limit the forensic report to the specifics?
Answer: Given the investigation's goal or mission, limiting the scope of the forensic report to the specifics reduces the time and cost of the examination; this is especially important as the size of hard drives and the complexity of networks continue to increase.
c. If the audience has little technical knowledge, does that make it less important or even more important to limit the report to specifics?
Answer: Limiting the report to specifics is generally an advantage, but when the audience has little technical knowledge it is even more important to do so, as extra information is more likely to confuse the audience.

2. Discussion: The Fact and Expert Witness Roles (Duration 20 minutes)
a. While preparing for testimony, a forensics examiner can play one of two roles: fact witness or expert witness.
b. What kind of action is expected from an expert witness that is not expected from a fact witness?
Answer: A fact witness should provide only facts based on the evidence and how it was obtained, without offering any conclusions. As an expert witness, however, you are expected to express logical conclusions derived from your experience and from deductive reasoning about the presented evidence.
c. How do you know whether your role will be that of a fact witness or an expert witness?
Answer: Usually, it is up to the retaining attorney to inform you of your role during the thorough preparation that is expected before testimony.


ADDITIONAL PROJECTS
The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. Simulate a report audience worksheet analysis: Group the students in pairs, with one student acting as the report analyst and the other as the client. The client student takes a digital forensic report audience worksheet (it could be the one exemplified in the module) and changes some of its information to introduce problems. The report analyst student then tries to figure out which changes were made to the original worksheet.

2. Simulate a forensic examiner testimony: Group the students in pairs, with one student acting as the forensic examiner and the other as the guesser.
a. The forensic examiner student delivers a testimony to the guesser, imagining themselves as either a fact witness or an expert witness. The guesser must then guess whether the testimony was from a fact witness or an expert witness and explain why.
b. Afterwards, the students exchange roles (forensic examiner and guesser).


APPENDIX

GENERIC RUBRICS
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC
Columns: Meets Requirements / Needs Improvement / Incomplete

Criteria: Content
  Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
  Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
  Incomplete (0 points): The assignment does not address the questions in the assignment.

Criteria: Organization and Clarity
  Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
  Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
  Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Criteria: Research (sources)
  Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
  Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
  Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Criteria: Research (citations)
  Meets Requirements (5 points): The assignment follows the required citation guidelines.
  Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
  Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
  Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
  Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
  Incomplete (0 points): The assignment is incomplete or unintelligible.


STANDARD DISCUSSION RUBRIC
Columns: Meets Requirements / Needs Improvement / Incomplete

Criteria: Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.


Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 3: The Investigator’s Laboratory and Digital Forensics Tools

Instructor Manual Module 3 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 3: The Investigator’s Laboratory and Digital Forensics Tools

TABLE OF CONTENTS
Purpose and Perspective of the Module ..... 2
List of Student Downloads ..... 3
Module Objectives ..... 3
Module Outline ..... 3
  Understanding Forensics Lab Accreditation Requirements ..... 4
    Identifying Duties of the Lab Manager and Staff ..... 4
    Lab Budget Planning ..... 4
    Acquiring Certification and Training ..... 4
  Determining the Physical Requirements for a Digital Forensics Lab ..... 5
    Access and Security ..... 5
    Security for High-Risk Investigations ..... 5
    Evidence Storage Containers ..... 5
    Facility Maintenance ..... 6
    Auditing a Digital Forensics Lab ..... 6
    Floor Plans for Digital Forensics Labs ..... 6
  Selecting a Basic Forensic Workstation ..... 6
    Selecting Workstations for a Lab ..... 7
    Selecting Workstations for Private-Sector Labs ..... 7
    Stocking Hardware Peripherals ..... 7
    Maintaining Operating Systems and Software Inventories ..... 7
    Using a Disaster Recovery Plan ..... 7
    Planning for Equipment Upgrades ..... 8
  Building a Business Case for Developing a Forensics Lab ..... 8
    Preparing a Business Case for a Digital Forensics Lab ..... 8
  Evaluating Digital Forensics Tools ..... 8
    Types of Digital Forensics Tools ..... 9
    Tasks Performed by Digital Forensics Tools ..... 9
    Tool Comparisons ..... 9
    Other Considerations for Tools ..... 9
  Digital Forensics Software Tools ..... 9
    Command-Line Forensics Tools ..... 10
    Linux Forensics Tools ..... 10
    Other GUI Forensics Tools ..... 10
  Digital Forensics Hardware Tools ..... 10
    Forensic Workstations ..... 11
    Using a Write-Blocker ..... 11
    Recommendations for a Forensic Workstation ..... 11
  Validating and Testing Forensics Software ..... 11
    Using National Institute of Standards and Technology Tools ..... 11
    Using Validation Protocols ..... 12
Note About Live Virtual Machine Labs ..... 12
Key Terms ..... 12
Discussion Questions ..... 14
Additional Projects ..... 16
Appendix ..... 16
  Generic Rubrics ..... 16
  Standard Writing Rubric ..... 17
  Standard Discussion Rubric ..... 17

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

PURPOSE AND PERSPECTIVE OF THE MODULE
The purpose of this module is to discuss technical issues related to the tools needed to perform the examination of digital forensics subjects. The topics presented focus on what is needed to establish an investigator's laboratory: the necessary certifications, the physical requirements, including a forensic workstation, and all the hardware and software tools. The module also covers the evaluation, selection, and validation of digital forensics tools.

LIST OF STUDENT DOWNLOADS
Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:
●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe the certification requirements for digital forensics labs.
2. List the physical requirements for a digital forensics lab.
3. Explain the criteria for selecting a basic forensic workstation.
4. Describe the components of a business case for developing a forensics lab.
5. Explain how to evaluate digital forensics tools.
6. Describe available digital forensics software tools.
7. Identify considerations for selecting digital forensics hardware tools.
8. Describe methods for validating and testing forensics tools.

MODULE OUTLINE
Consider the following teaching tips when assigning this module to your students.


UNDERSTANDING FORENSICS LAB ACCREDITATION REQUIREMENTS
1. Explain to the students the accreditation requirements for forensics labs according to the ANSI National Accreditation Board.
2. Point out that for accreditation, the investigator needs to make sure they have defined policies, processes, and procedures before beginning any casework, to ensure the integrity of the analysis and its results.

Identifying Duties of the Lab Manager and Staff
1. Explain to the students that each lab should have specific objectives established by the parent organization and the lab's director or manager, and that staff members in a forensics lab should have enough training to perform their tasks.
2. Point out that besides performing general management tasks, the lab manager also establishes and promotes quality assurance processes, creates and monitors lab policies for staff, provides a safe and secure workplace for staff and evidence, and accounts for all activities the lab staff conducts to complete its work.

Lab Budget Planning
1. Explain to the students that to conduct a professional digital investigation, understanding the cost of lab operation is important for allocating resources to each investigation.
2. Point out that there are steps to follow to make the planning as effective as possible, such as creating a budget; collecting statistics; gathering enough information to make an educated guess; estimating how many investigations the lab might conduct; and checking with management, human resources, and security departments to determine the types of complaints and problems reported in the past year.
3. Explain that time management is a major factor when choosing software and hardware to purchase: the faster the network, the faster data can be transferred to and from the forensic server and workstations, reducing the time needed to process cases.

Acquiring Certification and Training
1. Explain to the students that to have a career in digital investigations and forensic analysis, they need to continue to upgrade their skills through training and certification in digital forensics and investigations, which may be required in some states before they can apply for a license.
2. Point out some of the different programs and certifications that organizations offer, and their respective details and differences.

DETERMINING THE PHYSICAL REQUIREMENTS FOR A DIGITAL FORENSICS LAB
1. Explain that lab facilities must be physically secure so that evidence is not lost, corrupted, or destroyed.
2. Point out the use of inventory control methods to track computing assets, such as maintaining a complete and up-to-date inventory of all major hardware and software items in the lab.

Access and Security
1. Explain that a digital forensics lab needs an enclosed room where a forensic workstation can be set up; otherwise, unauthorized persons have easy access to evidence.
2. Point out to the students that access to the lab should be restricted to those who need to be there to conduct an examination or to assist in one.

Security for High-Risk Investigations
1. Explain that high-risk investigations demand more security than the minimum lab requirements provide.
2. Point out to the students what a TEMPEST-qualified lab is and when to consider its use.

Evidence Storage Containers
1. Explain that secure evidence storage requires the use of high-quality locks and routine container inspection.
2. Point out to the students that good locking-system practice entails safeguarding the combinations of combination locks, destroying old combinations, and changing combinations regularly.


Facility Maintenance
1. Explain that any damage to the floor, walls, ceilings, or furniture should be repaired immediately to ensure the safety and health of lab personnel.
2. Point out that placing antistatic pads around electronic workbenches and workstations and cleaning floors and carpets at least once a week help minimize dust, which can cause static electricity.
3. Point out to the students that using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and attorney-client privileged communication in a private company.

Auditing a Digital Forensics Lab
1. Explain that routine inspections, such as checking lab components and evaluating physical functionalities, play a vital role in ensuring adherence to security policies and practices.
2. Point out to the students the practices that uphold security measures on a forensic workstation.

Floor Plans for Digital Forensics Labs
1. Explain that the way the work area for a digital forensics lab is configured depends on the budget, the amount of available floor space, and the number of computers assigned to each computing investigator.
2. Point out to the students that the ideal configuration for multiple workstations is two forensic workstations plus one non-forensics workstation with internet access.
3. Remind students that middle-sized and large labs should have at least two controlled exits and no windows for safety reasons.

SELECTING A BASIC FORENSIC WORKSTATION
1. Explain that the workstation used as an analysis system depends on budget and specific needs.
2. Point out to the students that they should use less powerful workstations for mundane tasks and multipurpose workstations for resource-heavy analysis tasks.


Selecting Workstations for a Lab
1. Explain that a police department lab in a major city typically has an extensive and diverse set of requirements for digital investigation tools because the organizations and individuals within such a large community likely use a wide assortment of computing systems.
2. Point out to the students that computing systems in a lab should be able to process typical cases in a timely manner.
3. Consider the need to perform password cracking to access a suspect's encrypted data.

Selecting Workstations for Private-Sector Labs
1. Explain that commercial businesses providing forensics analysis for other companies can tailor their services to specific markets.
2. Point out to the students that private companies conducting their own internal digital investigations can determine the type of forensic workstation they need based on the types of computers they use.

Stocking Hardware Peripherals
1. Explain that all labs should have a wide assortment of cables and spare expansion slot cards.
2. Point out to the students the different peripheral devices available.

Maintaining Operating Systems and Software Inventories
1. Explain that it is important to maintain licensed copies of as many legacy OSs as possible to handle cases involving unusual systems.
2. Point out to the students what software inventory should be included in the current and older versions for each OS.

Using a Disaster Recovery Plan
1. Explain that a disaster recovery plan ensures that workstations and file servers can be restored to their original condition, or to a lab-like building, if a catastrophic failure occurs.
2. Point out to the students that the system backups should be easily accessible, with one copy on site and a duplicate in a safe off-site facility.
3. Remember that the recovery plan should outline how to uninstall software and delete any remaining files the uninstall process hasn’t removed so that you can restore the system to its original configuration.

Planning for Equipment Upgrades
1. Explain that it is crucial to create a schedule to replace critical equipment the lab depends on before it fails.
2. Point out to the students that to keep a lab current with updates in hardware technology, hardware replacements should be scheduled at least every eighteen months and preferably every twelve months.

BUILDING A BUSINESS CASE FOR DEVELOPING A FORENSICS LAB
1. Explain what a business case is, what it does, and to whom it should be given.
2. Point out to the students that the steps required to develop a business case depend on the organization they support.
3. Give some examples of business cases in action and the difference they make in the organization.

Preparing a Business Case for a Digital Forensics Lab
1. Explain the key elements for creating a digital forensics business case, such as: justification; budget development; implementation; acceptance testing; correction for acceptance; and production.
2. Point out to the students that when developing a business case for a digital forensics lab, they have to justify it by pointing out what type of digital forensics investigations will be conducted in the lab, and who will pay for the lab’s operation.

EVALUATING DIGITAL FORENSICS TOOLS
1. Explain that the goal is to find the best value for as many features as possible; therefore, it is important to consider open-source tools, which sometimes include technical support.
2. Point out to students that they should keep in mind the OSs and file types they will be analyzing before selecting a tool to use.

Types of Digital Forensics Tools
1. Explain that digital forensics tools are divided into two major categories: hardware and software.
2. Point out to the students that software forensics tools are commonly used to copy data from a suspect’s drive to an image file.

Tasks Performed by Digital Forensics Tools
1. Explain that all digital forensics tools, both hardware and software, perform specific functions.
2. Point out to the students that for evaluating digital forensics tools, the following categories of functions can be used as guidelines: acquisition; validation and verification; extraction; reconstruction; and reporting.

Tool Comparisons
1. Explain that a comparison table of functions, subfunctions, and vendor products is useful to help determine which forensics tool to purchase.
2. Point out to the students a sample comparison table of forensics tool functions.

Other Considerations for Tools
1. Explain the importance of determining which tools offer the most flexibility, reliability, and future expandability.
2. Point out to the students that an investigator has the responsibility to find information on changes in new hardware or software releases and changes planned for the next release.

DIGITAL FORENSICS SOFTWARE TOOLS
1. Explain the command-line and GUI tools in both Windows and Linux.
2. Point out to the students that they have the option of selecting a tool that enables them to analyze digital evidence through the command line or in a GUI.

Command-Line Forensics Tools
1. Explain that the advantage of using command-line tools for an investigation is that they require few system resources because they are designed to run in minimal configurations.
2. Point out to the students that some command-line forensics tools are created specifically for Windows command-line interface (CLI) platforms; others are created for macOS and Linux.

Linux Forensics Tools
1. Explain that Linux platforms are widely used in developing and emerging nations because most of them are free.
2. Point out to the students that Kali Linux includes a variety of tools, such as Autopsy and Sleuth Kit, and has an easy-to-use KDE interface.

Other GUI Forensics Tools
1. Explain that GUI forensics tools do not require the same understanding of the Windows CLI and file systems that command-line tools do, so they can simplify digital forensics investigations.
2. Point out to the students the advantages and disadvantages of GUI tools, the concerns about using GUI tools, and the danger of creating investigator dependence on using only one tool.

DIGITAL FORENSICS HARDWARE TOOLS
1. Explain the computer hardware used for forensics investigations.
2. Point out to the students that to keep the forensic workstation running, they need to anticipate physical equipment failure and the expense of replacement equipment.

Forensic Workstations
1. Explain that forensic workstations can be divided into stationary workstations, portable workstations, and lightweight workstations.
2. Point out to the students that they can easily build their own workstation, but it can quickly become expensive.

Using a Write-Blocker
1. Explain the importance of write-blockers to protect evidence disks by preventing data from being written to them.
2. Point out to the students what the differences are in how hardware and software write-blockers perform the same function.

Recommendations for a Forensic Workstation
1. Explain the technology recommendations for a forensic workstation depending on multiple factors, such as physical space, software needs, budget, and preferences.
2. Point out to the students that regardless of the vendor, they need to make sure the devices they select perform the functions they expect to need as an investigator.

VALIDATING AND TESTING FORENSICS SOFTWARE
1. Explain that the evidence recovered and analyzed must be admissible in court.
2. Point out to the students the validation tools available to test and validate the evidence, and how to develop validation protocols.

Using National Institute of Standards and Technology Tools
1. Explain that the National Institute of Standards and Technology (NIST) publishes articles, provides tools, and creates procedures for testing and validating computer forensics software, which should be verified to improve evidence admissibility in judicial proceedings.
2. Point out to the students that a lab must meet the specific criteria and keep accurate records so that when new software and hardware become available, testing standards are in place.

Using Validation Protocols
1. Explain that investigators must be confident in a tool’s capability to produce consistent and accurate findings during analysis.
2. Remind the students that understanding how the tool works is equally important, as they might not have vendor support in a courtroom.
3. Point out to students using GUI tools what the recommended protocols are for validating their findings.

NOTE ABOUT LIVE VIRTUAL MACHINE LABS
The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

KEY TERMS
Acquisition: The process of creating a duplicate image of data; one of the required functions of digital forensics tools.
ANSI-ASQ National Accreditation Board (ANAB): A wholly owned subsidiary of ANSI (American National Standards Institute) that provides accreditation of crime and forensics labs worldwide.
Business case: A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading a facility.
Brute-force attack: The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
Certified Computer Examiner (CCE): A certification from the International Society of Forensic Computer Examiners (ISFCE).
Certified Forensic Computer Examiner (CFCE): A certification awarded by the International Association of Computer Investigative Specialists (IACIS) at completion of all portions of a digital forensics exam.
Change management: The process of reviewing and validating new methods or resources being used in a digital forensics lab.
Computer Forensics Tool Testing (CFTT): A computer forensics tools testing program run by the National Institute of Standards and Technology (NIST).
Configuration management: The process of keeping track of all upgrades and patches applied to a computer’s OS and applications.
Digital forensics lab: A lab dedicated to digital investigations; typically, it has a variety of computers, OSs, and forensics software.
Extraction: The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.
High Tech Crime Network (HTCN): A national organization that provides certification for computer crime investigators and digital forensics technicians.
Keyword search: A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL): A NIST project with the goal of collecting all known hash values for commercial software and OS files.
Password dictionary attack: An attack that uses a collection of words or phrases that might be passwords for an encrypted file; password recovery programs can use a password dictionary to compare potential passwords to an encrypted file’s password or passphrase hash values.
Reconstruction: The process of rebuilding data files; one of the required functions of digital forensics tools.
Risk management: The process of assessing possible risks and determining how much risk is acceptable for any process or operation, such as replacing equipment.
Secure facility: A facility that can be locked and that allows limited access to the room’s contents.
TEMPEST: A term describing facilities that have been hardened so that electrical signals from digital devices, computer networks, and telephone systems can’t be monitored or accessed easily by someone outside the facility.
Uniform Crime Report: Information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed.
Validation: The process of confirming that a tool is functioning as intended; one of the functions of digital forensics tools.
Verification: The process of proving that two sets of data are identical by calculating hash values or using another similar method; one of the functions of digital forensics tools.
Write-blocker: A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC’s BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

DISCUSSION QUESTIONS
The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Discussion: The need for a digital forensics lab (Duration 20 minutes)
a. Encourage the students to discuss what the main needs for a digital forensics lab are.
b. What are the certification needs for a digital forensics lab?
Answer: A digital forensics lab should comply with rules and regulations; for instance, to be able to analyze digital evidence, a lab has to possess an accreditation for crime and forensics labs such as the one from ANAB (ANSI National Accreditation Board). Other possible accreditations are the ones provided by IACIS, HTCN, EnCase, and Exterro.
c. What are the physical requirements for a digital forensics lab?
Answer: The physical requirements start with the definition of physical access and physical security, but they also include concerns with the physical structure, like floor-to-ceiling walls, lockable doors, safes, and visitor logs.

2. Discussion: The basic forensic workstation (Duration 20 minutes)
a. Encourage the students to discuss how to select a basic forensic workstation.
b. What computer platforms are necessary to have in a forensic workstation?
Answer: A digital forensics workstation must be able to run code on current platforms, like Windows/PC and Apple/Mac, but also on legacy systems like old versions of those platforms, and even old operating systems such as CP/M or Minix.
c. What kinds of hardware peripherals are useful to have in a digital forensics lab?
Answer: Besides workstations and software, it is important to stock hardware ranging from several external CD/DVD drives, cables and connectors of several formats, and a variety of hard drives, plus the physical tools necessary to assemble and disassemble machines and devices.

ADDITIONAL PROJECTS
The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. Simulate the inventory of a digital forensics lab: Form groups of students and ask them to define the elements of software and hardware they consider necessary to set up a digital forensics lab.
a. The students are supposed to create lists of assets including machines and peripherals, plus software artifacts including operating systems in several versions and specific software tools to deal with the usual document formats.
b. The students must not limit themselves to defining only current equipment and software artifacts, but must also include older versions of both hardware and software, because a digital forensics lab needs to be able to deal with evidence from legacy assets that may still be in use.

APPENDIX
GENERIC RUBRICS
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Criteria: Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Criteria: Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Criteria: Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Criteria: Research
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

STANDARD DISCUSSION RUBRIC

Criteria: Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.


Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 4: Data Acquisition

Instructor Manual Module 4 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 4: Data Acquisition

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Understanding Storage Formats for Digital Evidence
    Open-Source Imaging Formats
    Proprietary Formats
  Acquisition Planning
    Developing an Acquisition Action Plan
    Determining the Best Acquisition Method
    Calculating Acquisition Times
  Contingency Planning for Image Acquisitions
  Using Acquisition Tools
    Using Linux Live CD/DVD and USB Distributions
    Mini-WinFE Boot CDs and USB Drives
    Kali Linux Live Features
    FTK Imager Features
    Preparing a Target Drive for a Forensic Acquisition
    Understanding the Boot Sequence
    Using xcopy to Collect Evidence
    Using robocopy to Collect Evidence
  Validating Data Acquisitions
    Linux Validation Methods
    Windows Validation Methods
    Solid-State Drive Concerns
    Media Failure Concerns
    Using Compare Functions to Validate Data
  Performing RAID Data Acquisitions
    Understanding RAID
    Acquiring RAID Disks
  Using Other Forensics Acquisition Tools
    ASR Data SMART
    ILookIX IXImager
    PassMark Software OSForensics OSFClone
    Runtime Software DiskExplorer
    ForensicSoft SAFE Boot Disk
    X-Ways Imager
  Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
  Standard Writing Rubric
  Standard Discussion Rubric

PURPOSE AND PERSPECTIVE OF THE MODULE
The purpose of this module is to discuss the process of data acquisition, i.e., the task of collecting digital evidence from electronic media. The module points out the two types of data acquisition: static acquisitions and live acquisitions. The module also defines the goal of data acquisition to be the preservation of the digital evidence, including by creating a bit-by-bit copy of the drive, also known as a forensic image.


LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe digital evidence storage formats.
2. Understand how to plan for a digital forensics acquisition.
3. Describe contingency planning for data acquisitions.
4. Explain how to use acquisition tools.
5. Describe how to validate data acquisitions.
6. Describe RAID acquisition methods.
7. List other forensics tools available for data acquisitions.

MODULE OUTLINE
Consider the following teaching tips when assigning this module to your students.

UNDERSTANDING STORAGE FORMATS FOR DIGITAL EVIDENCE
1. Explain that the data collected by a forensics acquisition tool is stored as an image file, either in an open-source or proprietary format.
2. Point out to the students that each data acquisition format has unique features along with advantages and disadvantages.

Open-Source Imaging Formats
1. Explain that there are two main image file formats, raw and Advanced Forensic Format (AFF), and describe their properties.
2. Point out to the students that the advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive, while for AFF, digital forensics vendors have no implementation restrictions since it is open source.

Proprietary Formats
1. Explain that most commercial forensics tools have their own formats for collecting digital evidence that offer features that complement the vendor’s analysis tool.
2. Point out to the students that one major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools.

ACQUISITION PLANNING 1. Explain that spending time to prepare and plan an acquisition gives the investigator the opportunity to anticipate potential problems and unanswered questions and to plan workarounds for some of them. 2. Point out to the students that they should prepare properly before initiating a digital forensics acquisition to save time and reduce the chance that the acquisition fails.

Developing an Acquisition Action Plan 1. Explain that a general acquisition action plan includes planning resources, having an outline showing how the acquisition will be executed, preserving the evidence, and securing the evidence before, during, and after the acquisition. 2. Point out to the students that they should be prepared for a long stay at the remote site while doing the acquisition.


Determining the Best Acquisition Method 1. Explain how to decide between the two types of acquisitions, static and live, based on the situation and needs: the size of the source (suspect) disk, whether the investigator can retain the source disk as evidence or must return it to the owner, how much time is available for the acquisition, and where the evidence is located. 2. Point out to the students that an easy way to test lossless compression is to follow these steps: (1) compute an MD5 or SHA-256 hash of a file before it is compressed, (2) compress the file, (3) uncompress it under a new file name or into a different folder, and (4) hash the new file. If the compression is lossless, both versions of the file will have the same hash value.
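The four-step lossless-compression check in step 2, as an added bash example that is not part of the textbook or this manual: it hashes a file with SHA-256, compresses it with gzip, restores it under a new name, and compares the two digests. It assumes GNU coreutils (sha256sum, wc, mktemp) and gzip are installed; the file names and the constructed sample evidence file are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the textbook): prove that compression of an evidence
# file is lossless by hashing before compression and after decompression.
# Assumes GNU coreutils (sha256sum, wc, mktemp) and gzip; file names are illustrative.
set -euo pipefail

# hash_file FILE -> prints only the SHA-256 digest
hash_file() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_hash FILE EXPECTED_DIGEST -> exit 0 if FILE hashes to EXPECTED_DIGEST
verify_hash() {
    [ "$(hash_file "$1")" = "$2" ]
}

# roundtrip_check FILE
#  (1) hash the original, (2) compress it, (3) decompress to a new name,
#  (4) hash the restored copy. Prints the lines an examiner would keep in the
#  acquisition log and returns 0 on MATCH, 1 on MISMATCH.
roundtrip_check() {
    local src="$1" work before after status=0
    work=$(mktemp -d)
    before=$(hash_file "$src")
    gzip -c -- "$src" > "$work/evidence.gz"
    gzip -dc -- "$work/evidence.gz" > "$work/evidence.restored"
    after=$(hash_file "$work/evidence.restored")
    printf 'original   sha256=%s size=%s\n' "$before" "$(wc -c < "$src")"
    printf 'compressed size=%s\n' "$(wc -c < "$work/evidence.gz")"
    printf 'restored   sha256=%s size=%s\n' "$after" "$(wc -c < "$work/evidence.restored")"
    if verify_hash "$work/evidence.restored" "$before"; then
        echo MATCH
    else
        echo MISMATCH
        status=1
    fi
    rm -rf -- "$work"
    return "$status"
}

# make_sample_file PATH -> constructed sample evidence file (highly compressible text)
make_sample_file() {
    local i=0
    {
        while [ "$i" -lt 4000 ]; do
            printf 'Exhibit 4-1 line %05d: constructed sample evidence content\n' "$i"
            i=$((i + 1))
        done
    } > "$1"
}

# Stand-alone usage: build a sample file and run the check on it.
demo_dir=$(mktemp -d)
make_sample_file "$demo_dir/evidence.bin"
roundtrip_check "$demo_dir/evidence.bin"
rm -rf -- "$demo_dir"
```

The same check applies to a compressed raw image: hash the image before compressing it for storage, and hash it again after it is restored for analysis. Recording both digests in the case log is what makes the compressed copy defensible.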

Calculating Acquisition Times 1. Explain that the time it takes for data to transfer from one device (disk or partition) to an image file on another device varies with the source drive's read speed, the controller interface speed (for example, SATA versus USB), and the target drive's write speed. 2. Point out to the students that dividing the size of the source drive by the data transfer rate of the slowest device in the chain gives an approximate total acquisition time; the text breaks this calculation into four steps.

CONTINGENCY PLANNING FOR IMAGE ACQUISITIONS 1. Explain that as a standard practice, investigators should make at least two images of the digital evidence they collect, and if they have more than one imaging tool, the first copy should be made with one tool and the second copy with the other tool. 2. Point out to the students that they should make contingency plans in case software or hardware does not work or they encounter a failure during an acquisition. 3. Mention that a static acquisition on most whole disk encrypted drives currently involves decrypting the drives, which requires the user’s cooperation in providing the decryption key.


USING ACQUISITION TOOLS 1. Explain that acquisition tools make acquiring evidence from a suspect drive more convenient, especially when used with hot-swappable interfaces, such as USB 3, FireWire (IEEE 1394a and 1394b), or SATA, to connect disks to a workstation. 2. Point out to the students that accessing a disk drive directly might not be practical for a forensics acquisition.

Using Linux Live CD/DVD and USB Distributions 1. Explain that several Linux distributions provide ISO images that can be burned to a CD or DVD or written to a USB drive with specialized applications. 2. Point out to the students that most of these live distributions are intended for Linux OS recovery, not for digital forensics acquisition and analysis, so they may automatically mount attached drives unless a forensic boot option is chosen. 3. Mention that ISO images can be downloaded to any computer, including a Windows system.

Mini-WinFE Boot CDs and USB Drives 1. Explain what Mini-WinFE is, what it modifies, one of its advantages, and the benefit of this feature. 2. Point out to the students that they need to connect a USB target drive larger than the suspect drive to the computer before booting the suspect computer with Mini-WinFE to perform the acquisition.

Kali Linux Live Features 1. Explain that when Kali Linux Live is started, it displays a boot menu that includes a forensic mode option that skips mounting drives connected to the computer to prevent writing to these drives. 2. Point out to the students that Kali Linux is designed for penetration testing and contains many network security assessment and forensics acquisition tools, along with the Linux version of Autopsy.


FTK Imager Features 1. Explain what Exterro's FTK Imager is and that it calculates the MD5 and SHA-1 hashes of the original source drive and then verifies that the image files match as it performs the acquisition. 2. Point out to the students that FTK Imager requires a hardware write-blocker or forensically sound Windows boot media, such as Mini-WinFE, to perform static acquisitions.

Preparing a Target Drive for a Forensic Acquisition 1. Explain in detail the three steps of preparing a target disk drive: wiping and formatting the target drive, documenting the media information, and preserving and securing the forensic media. 2. Point out to the students that the most important task in conducting a digital forensics examination is the collection and preservation of evidence.

Understanding the Boot Sequence 1. Explain that to ensure there is no contamination or alteration of data on a suspect's system, the investigator must know how to access and modify complementary metal oxide semiconductor (CMOS), basic input/output system (BIOS), extensible firmware interface (EFI), and unified extensible firmware interface (UEFI) settings so that the computer boots from the forensic boot media rather than from its internal drive. 2. Point out to the students that knowing the make, model, and capacity of their forensic boot and target drives makes it easy to identify the correct drive in the boot menu, which minimizes the chance of mistakenly booting the computer's internal drive.

Using xcopy to Collect Evidence 1. Explain that for investigations in which only specific files need to be acquired, the DOS xcopy command provides a few more features than the DOS copy command. 2. Point out to the students some xcopy command features that they can use and inform them where to find a more extensive list of features.


Using robocopy to Collect Evidence 1. Explain that the robocopy command is typically used in e-discovery cases when only the data files are required for evidence collection. 2. Point out to the students some robocopy command features that they can use and inform them where to find a more extensive list of features.

VALIDATING DATA ACQUISITIONS 1. Explain that validating digital evidence requires a hashing algorithm utility, which produces a fixed-length value (usually displayed in hexadecimal) that serves as a fingerprint of a data set, such as a file or disk drive; if the source and the image produce the same hash, the copy is accepted as identical. 2. Point out to the students that two different inputs producing the same hash value is called a collision; deliberately crafted collisions exist for MD5 and SHA-1, but an accidental collision between an original drive and a faulty copy is not a practical concern for validating an acquisition, and recording a SHA-256 hash alongside the MD5 or SHA-1 value removes the objection.

Linux Validation Methods 1. Explain that Linux is rich in commands and functions used for hashing, such as md5sum and sha256sum. 2. Point out to the students the validation methods for the Linux dd command (which has no built-in hashing and must be paired with a hash utility), the dcfldd command, and the dc3dd command (both of which can hash the data as they image it and write the result to a log).

Windows Validation Methods 1. Explain that Windows historically shipped no hashing command; the Get-FileHash cmdlet, introduced in PowerShell 4.0, now provides this service (the certutil -hashfile command also computes file hashes). 2. Point out to the students the Windows built-in hash functions and the third-party Windows hashing tools, with examples of their respective uses and functions.

Solid-State Drive Concerns 1. Explain how data is stored in SSDs, including how they use NAND flash memory chips to store data and that the operating system's view typically displays sectors, or blocks, of 512 bytes each and clusters in their assigned file system format. 2. Point out to the students the key differences between SSDs and HDDs and when to use each depending on needs and priorities. 3. Mention the technologies implemented within the NAND flash controller to manage the memory chips, such as wear leveling, garbage collection, and TRIM, to extend the useful life of the SSD. Because these run inside the drive's controller, an SSD's contents can change after it is powered on even behind a write-blocker, so repeated acquisitions of the same SSD may not produce identical hashes; document the drive's state and hash values at the time of each acquisition.

Media Failure Concerns 1. Explain that there may be an occasion when the hash of the copied data does not match the hash of the original; if the investigator still has access to the original media, the acquisition can be repeated, but a persistent mismatch can indicate that the original media is faulty. 2. Point out to the students that all storage media have a rated mean time to failure (MTTF), typically expressed as the number of hours before a device is statistically likely to fail.

Using Compare Functions to Validate Data 1. Explain that there may be an occasion to compare files to determine their differences, and that operating systems such as Windows (fc and comp) and Linux (cmp and diff) provide shell commands that can compare files byte for byte. 2. Point out to the students descriptions and references on how to use these shell commands to compare data in Windows and in Linux.
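The Linux workflow described under Contingency Planning (two copies), Validating Data Acquisitions and Linux Validation Methods (dd paired with a hash utility), and the byte-level comparison described just above, as one added bash example that is not part of the textbook or this manual: it images a source with dd, hashes the image stream as it is written, re-hashes the finished image, confirms it with cmp, and logs every step. It assumes GNU coreutils (dd, tee, sha256sum, cmp, date); the case names are illustrative, and a constructed 4 MiB file of labelled 512-byte sectors stands in for the write-blocked device (such as /dev/sdb) a real acquisition would read.

```bash
#!/usr/bin/env bash
# Added example (not from the textbook): raw acquisition with dd, hashing the
# image stream while it is written, then validating the image against the source
# with SHA-256 and a byte-for-byte cmp, logging every step.
# Assumes GNU coreutils (dd, tee, sha256sum, cmp, date); paths are illustrative.
# In a real case SRC is a write-blocked device such as /dev/sdb; here a file stands in.
set -euo pipefail

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# acquire_raw SRC IMG LOG -> writes a raw image, appends to LOG, prints the stream SHA-256
acquire_raw() {
    local src="$1" img="$2" log="$3" stream_hash
    printf '%s acquire tool=dd bs=512 conv=noerror,sync src=%s img=%s\n' "$(now)" "$src" "$img" >> "$log"
    # conv=noerror keeps reading past unreadable sectors (the raw format's strength);
    # conv=sync zero-fills a short block so offsets stay aligned. bs=512 equals the
    # sector size, so no padding is ever appended to the image; with a larger bs the
    # image could be longer than the device and its hash would not match the source.
    # dd's "records in/out" summary on stderr goes into the log.
    stream_hash=$(dd if="$src" bs=512 conv=noerror,sync 2>> "$log" | tee -- "$img" | sha256sum | cut -d' ' -f1)
    printf '%s stream_sha256=%s\n' "$(now)" "$stream_hash" >> "$log"
    # One-step equivalents that hash while imaging:
    #   dcfldd if=SRC of=IMG hash=sha256 hashlog=LOG
    #   dc3dd  if=SRC of=IMG hash=sha256 log=LOG
    echo "$stream_hash"
}

# verify_image SRC IMG LOG -> 0 if the SHA-256 digests agree and cmp finds no difference
verify_image() {
    local src="$1" img="$2" log="$3" src_hash img_hash
    src_hash=$(sha256sum -- "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum -- "$img" | cut -d' ' -f1)
    printf '%s verify src_sha256=%s img_sha256=%s\n' "$(now)" "$src_hash" "$img_hash" >> "$log"
    # cmp is an independent byte-level check, the Linux counterpart of Windows fc/comp
    if [ "$src_hash" = "$img_hash" ] && cmp -s -- "$src" "$img"; then
        echo "VERIFIED $img_hash"
        return 0
    fi
    echo "MISMATCH src=$src_hash img=$img_hash"
    return 1
}

# make_sample_device PATH -> constructed 4 MiB "drive": 8192 labelled 512-byte sectors
make_sample_device() {
    local i=0
    {
        while [ "$i" -lt 8192 ]; do
            printf '%-511s\n' "sector $i of 8192 (constructed sample data)"
            i=$((i + 1))
        done
    } > "$1"
}

# Stand-alone usage: image the sample device twice (contingency: two copies) and verify both.
demo=$(mktemp -d)
make_sample_device "$demo/sdb"
acquire_raw "$demo/sdb" "$demo/case001-a.dd" "$demo/case001.log"
acquire_raw "$demo/sdb" "$demo/case001-b.dd" "$demo/case001.log"
verify_image "$demo/sdb" "$demo/case001-a.dd" "$demo/case001.log"
verify_image "$demo/sdb" "$demo/case001-b.dd" "$demo/case001.log"
rm -rf -- "$demo"
```

The stream hash computed through tee is the value to compare against the hash of the source device taken separately; if the two agree and the re-hash of the finished image agrees as well, the copy is validated. For the second contingency copy a different tool (dcfldd or dc3dd, as in the comments) is preferable so that a defect in one imager cannot affect both copies.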

PERFORMING RAID DATA ACQUISITIONS 1. Explain that size is the biggest concern because many RAID systems now hold terabytes to petabytes of data. 2. Point out to the students that acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

Understanding RAID 1. Explain what a redundant array of independent disks (RAID) is and what it was developed for, differentiating between software and hardware RAID. 2. Point out to the students the functions of the different RAID levels, as well as that variations of RAID besides 0, 1, and 5 are specific to their vendor or application.

Acquiring RAID Disks 1. Explain that there is no simple method for getting an image of a RAID server’s disks, which is why the investigator must address several concerns, especially regarding data storage and the type of RAID used. 2. Point out to the students that when dealing with very large RAID servers, they should consult with the forensics vendor to determine how to best capture RAID data.

USING OTHER FORENSICS ACQUISITION TOOLS 1. Explain that there are many other commercial tools that can perform digital forensics acquisitions. 2. Point out to the students that prices for some tools are discounted for law enforcement officers working in digital forensics.

ASR Data SMART 1. Explain that ASR Data SMART is a Linux forensics analysis tool that can make image files of a suspect drive. 2. Point out to the students the capabilities of this tool.

ILookIX IXImager 1. Explain that IXImager is a stand-alone, proprietary-format acquisition tool designed to work only with ILookIX. 2. Point out to the students that the IXImager proprietary format can be converted to a raw format if other analysis tools are used.

PassMark Software OSForensics OSFClone 1. Explain that PassMark Software offers a bootable ISO image named OSFClone. 2. Point out to the students that when booting OSFClone, a Linux terminal shell window appears that can access a variety of acquisition tools, including dc3dd.


Runtime Software DiskExplorer 1. Explain that Runtime Software offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS. 2. Point out to the students what those tools allow the investigator to do.

ForensicSoft SAFE Boot Disk 1. Explain that ForensicSoft's SAFE Boot Disk is a bootable Windows CD or USB drive that can perform forensic data acquisitions along with other data analysis functions. 2. Point out to the students that to get all the features of SAFE Boot Disk, a dongle license must be purchased.

X-Ways Imager 1. Explain that to use X-Ways Imager, a hardware or software write-blocker must be in place for a static acquisition. 2. Point out to the students that X-Ways Imager acquires data at high speed either from a locally connected disk drive or from a remote network-connected computer.

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail. [return to top]

KEY TERMS
Advanced Forensic Format (AFF): An open-source data acquisition format that stores image data and metadata; file extensions include .afd for segmented image files and .afm for AFF metadata.
Cyclic redundancy check (CRC): An error-detecting checksum that maps a file to a short fixed-length value; it catches accidental corruption but is easy to collide deliberately, so it is not a substitute for a cryptographic hash when validating evidence.
Garbage collection: In SSD and flash drives, the utility that maintains the list of pages that have data assigned to them, keeps track of which pages are free to receive new data, moves data from one memory cell to a new memory cell, and gets instructions from the TRIM utility regarding when to move and erase data. With the TRIM and wear-leveling utilities, garbage collection helps maintain the longevity of the NAND flash chips used in SSDs and thumb drives.
Hash value: A fixed-length value, usually written in hexadecimal, that a hashing algorithm produces from a file or drive; for a cryptographic hash any change to the input yields a different value, so the hash identifies the data for practical purposes.
Host protected area (HPA): An area of a disk drive reserved for booting utilities and diagnostic programs; not visible to the computer's OS.
Live acquisition: A data acquisition method used when a suspect computer cannot be shut down to perform a static acquisition; captured data might be altered during a live acquisition because it is not write-protected. Live acquisitions are not repeatable because the suspect computer's OS is continuously altering data. See also static acquisition.
Logical acquisition: A data acquisition method that captures only specific files of interest to the case, or specific types of files, such as Outlook .pst files. See also sparse acquisition.
Message Digest 5 (MD5): An algorithm that produces a 128-bit hash value of a file or storage media; used to determine whether data has been changed. MD5 is no longer collision resistant, so many labs record a SHA-256 hash alongside it.
Mean time to failure (MTTF): The average time that a part, component, or device will work before it might fail; manufacturers of HDD and SSD devices typically list the MTTF in hours.
Raw format: A data acquisition format that creates simple, sequential flat files of a suspect drive or data set.
Redundant array of independent disks (RAID): A computer configuration in which two or more disks are combined into one large drive in several configurations for special needs; some RAID systems are designed for redundancy to ensure continuous operation if one disk fails. Another configuration spreads data across several disks to improve access speeds for reads and writes.
Secure Hash Algorithm version 1 (SHA-1): A forensic hashing algorithm published by NIST to determine whether data in a file or on storage media has been altered. SHA-1 produces a 160-bit hash value. See also National Institute of Standards and Technology (NIST).
Secure Hash Algorithm 256 (SHA-256): A member of the SHA-2 family that succeeds SHA-1; SHA-256 produces a 256-bit hash value and offers stronger collision resistance.
Sparse acquisition: A data acquisition method that captures only specific files of interest to the case; similar to a logical acquisition, but this method also collects fragments of unallocated (deleted) data. See also logical acquisition.
Static acquisition: A data acquisition method used when a suspect drive is write-protected and cannot be altered; if disk evidence is preserved correctly, static acquisitions are repeatable.
TRIM: In SSD and flash drives, the utility that communicates with the computer's operating system in managing unused or recently unallocated pages and instructs the garbage collection utility regarding when to move and erase memory cell blocks previously allocated that have had their data deleted or moved to new memory cells.
Wear leveling: In SSD and flash drives, the utility that ensures that all memory cells get used and have the same number of reads, writes, and erases to maintain endurance of the SSD.
Whole disk encryption: An encryption technique that encrypts an entire drive sector by sector; a static acquisition of such a drive yields only ciphertext, which cannot be examined unless the decryption key is obtained.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Discussion: The difference between static and live acquisitions (Duration 20 minutes) a. Ask the students to consider the differences between acquiring data statically or live. b. When is a static acquisition usually done? Answer: A static acquisition is performed when a computer or other digital device has been seized by authorities and kept powered off until the digital forensics examiner extracts the data, for example by performing a disk-to-image copy of the write-protected drive. c. When is a live acquisition usually done? Answer: A live acquisition is done when the computer or digital device cannot be powered off before the data acquisition, for example because volatile data or an unlocked encrypted volume would otherwise be lost; the copy captures the system as it was at that moment and cannot be repeated exactly.

2. Discussion: Kinds of imaging formats (Duration 20 minutes) a. Ask the students to describe the different imaging formats. b. Give the example of one open-source imaging format. Answer: The most common open-source imaging format is the raw format, the traditional format for copying data for evidence preservation. The Advanced Forensic Format (AFF) is also open source and provides more features than the raw format, such as storing metadata alongside the image data. c. Cite disadvantages of proprietary imaging formats. Answer: The major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. Acquisition Action Plan: Ask the students to develop an acquisition action plan. a. Create a scenario choosing a platform (hardware and software); for example, a Windows PC running Windows 10, where a disk image needs to be collected as evidence. Then, ask a group of students to develop an acquisition action plan for the data acquisition, including choosing the best acquisition method and calculating acquisition times.

[return to top]


APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC (40 points)

Content (15 points)
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity (10 points)
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research: sources (5 points)
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research: citations (5 points)
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling (5 points)
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.


[return to top]

STANDARD DISCUSSION RUBRIC (30 points)

Participation (5 points)
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Contribution Quality (20 points)
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Etiquette (5 points)
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 5: Processing Crime and Incident Scenes

Instructor Manual Module 5 Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 5: Processing Crime and Incident Scenes

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
Identifying Digital Evidence
Understanding Rules of Evidence
Collecting Evidence at Private-Sector Incident Scenes
Processing Law Enforcement Crime Scenes
Understanding Concepts and Terms Used in Warrants
Preparing for a Search
Identifying the Nature of the Case
Identifying the Type of OS or Digital Device
Determining Whether You Can Seize Computers and Digital Devices
Getting a Detailed Description of the Location
Determining Who Is in Charge
Using Additional Technical Expertise
Determining the Tools You Need
Preparing the Investigation Team
Securing a Digital Incident or Crime Scene
Seizing Digital Evidence at the Scene
Preparing to Acquire Digital Evidence
Processing Incident or Crime Scenes
Processing Data Centers with RAID Systems
Using a Technical Advisor
Documenting Evidence in the Lab
Processing and Handling Digital Evidence
Special Situation Needs
Archival Storage and Transportation of Digital Evidence
Archiving of Digital Evidence
Evidence Retention and Media Storage Needs
Documenting Evidence
Managing Digital Evidence Forms
Transporting Digital Evidence
Obtaining a Digital Hash
Employee Compliance Investigations
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
Generic Rubrics
Standard Writing Rubric
Standard Discussion Rubric

PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to show the students how to process digital investigation scenes concerning a crime or an incident under investigation. This includes giving the students some basic knowledge on the police and U.S. Department of Justice procedures to understand field-of-evidence recovery tasks, as well as the legal implications of these procedures in the light of the Fourth Amendment rights applied to private-sector and law enforcement digital investigations within the U.S. It is part of the purpose of this module to highlight the differences and similarities between the investigations conducted by law enforcement personnel as well as private sector investigators. Finally, it is important to call the student's attention to investigations conducted in an international setting, as cybercrimes and incidents nowadays often concern international operations of fraud and money laundering.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 5: Processing Crime and Incident Scenes

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES The following objectives are addressed in this module: 1. Explain how to identify digital evidence. 2. Describe how to collect evidence at private-sector incident scenes. 3. Explain guidelines for processing law enforcement crime scenes. 4. List the steps in preparing for an evidence search. 5. Describe how to secure a computer incident or crime scene. 6. Explain guidelines for seizing digital evidence at the scene. 7. List procedures for transporting and storing digital evidence. 8. Explain how to obtain a digital hash. 9. Understand employee compliance investigations.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

IDENTIFYING DIGITAL EVIDENCE 1. Explain that digital evidence can be anything stored or transmitted in digital form. 2. Point out to the students that U.S. courts accept digital evidence as physical evidence, which means digital data is treated as a tangible object, similar to a weapon, paper document, or visible injury that is related to a criminal or civil incident. 3. Mention that there are groups that work in the field of digital evidence that set standards for recovering, preserving, and examining digital evidence.

Understanding Rules of Evidence 1. Explain that investigators should apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with their state’s rules of evidence or with the Federal Rules of Evidence (FRE). 2. Point out to the students that they should keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence. 3. Mention that there are several ways of categorizing digital records and introduce those ways to students, especially dividing them into computer-generated records and computer-stored records. 4. Remind students that computer-generated records, such as system logs or the results of a mathematical formula in a spreadsheet, are not hearsay. Computer-stored records that a person generates are, however, subject to rules governing hearsay.


COLLECTING EVIDENCE AT PRIVATE-SECTOR INCIDENT SCENES 1. Explain that private-sector organizations, including small to medium businesses, large corporations, and NGOs, must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws. 2. Point out to the students that investigative practices in the private sector differ from crime scenes. Incident scenes often involve workplaces, enabling controlled investigations. Students should note the importance of accessing inventory databases, identifying applications on suspected computers, and considering specialized web browsers during investigations. 3. Mention that investigator actions should align with privacy laws, notification requirements, and coordination with management, especially in cases involving evidence of criminal activities.

PROCESSING LAW ENFORCEMENT CRIME SCENES 1. Explain that for all criminal investigations in the United States, the Fourth Amendment limits how governments search and seize evidence. 2. Point out to the students that law enforcement officers might not have the time to research the correct language for stating the nature of the complaint to meet probable cause requirements. 3. Mention that with probable cause, a police officer can obtain a search warrant from a judge to authorize a search and the seizure of specific evidence related to the criminal complaint.

Understanding Concepts and Terms Used in Warrants 1. Explain that digital investigations often involve extensive data sorting to uncover evidence. 2. Point out to the students that the "plain view doctrine" applies when evidence related to the crime is discovered outside the warrant location or evidence of an unrelated crime is found. 3. Mention that the "Horton test" for the plain view doctrine requires lawful presence, lawful access, and immediate incriminating character recognition.


PREPARING FOR A SEARCH 1. Explain that preparing for search and seizure of computers or digital devices is probably the most important step in a digital investigation. 2. Point out to the students that a person of interest could be a suspect or just someone with additional knowledge who might be able to provide enough evidence of probable cause for a search warrant or arrest.

Identifying the Nature of the Case 1. Explain that the nature of the case dictates how they proceed and what types of assets or resources they need to use in the investigation. 2. Point out to the students that when they are assigned a digital investigation case, they should start by identifying the nature of the case, including whether it involves the private or public sector.

Identifying the Type of OS or Digital Device 1. Explain that for private-sector investigators, configuration management databases make identifying the type of OS or digital device easier. 2. Point out to the students that once they can identify the OS or device, they should estimate the size of the storage device on suspect computers and determine how many digital devices they have to process at the scene.


Determining Whether You Can Seize Computers and Digital Devices 1. Explain that the ideal situation for incident or crime scenes is seizing computers and digital devices and taking them to the lab for further processing. 2. Point out to the students that if they are not allowed to take the computers and digital devices to their lab, they should determine the resources they need to acquire digital evidence and which tools can speed data acquisition.

Getting a Detailed Description of the Location 1. Explain that the more information the investigator has about the location of a digital crime, the more efficiently they can gather evidence from the crime scene. 2. Point out to the students that before acquiring the data, a hazmat technician might suggest that they put the target drive in a special hazmat bag, leaving the data and power cables out of the bag but creating an airtight seal around the cables to prevent any contaminants from entering the bag and affecting the target drive.

Determining Who Is in Charge 1. Explain that a company needs an established line of authority to specify who can instigate or authorize an investigation. 2. Point out to the students that private-sector investigations usually require only one person to respond to an incident or crime scene and that processing evidence usually involves acquiring an image of a suspect’s drive.


Using Additional Technical Expertise 1. Explain that the OS must be identified during an investigation so that any additional skills needed to process the crime scene, such as help with a high-end server, can be enlisted. 2. Point out to the students that they should identify the applications the suspect uses, such as Oracle databases, when working at high-end computing facilities.

Determining the Tools You Need 1. Explain that being overprepared is better than being underprepared, especially when it is determined that the computer cannot be transferred to a lab for processing. 2. Point out to the students that they should consider creating an initial-response field kit and an extensive-response field kit and learn which one to use when processing each incident or crime scene.

Preparing the Investigation Team 1. Explain that before initiating a search and seizure of digital evidence at incident or crime scenes, all the available facts, plans, and objectives must be reviewed with the investigation team. 2. Point out to the students the tables of tools in an initial-response field kit and the needed tools in an extensive-response field kit with their respective numbers.

SECURING A DIGITAL INCIDENT OR CRIME SCENE 1. Explain that securing an incident or crime scene is essential to preserve evidence and maintain confidentiality, preventing public access that might compromise an investigation. 2. Point out to the students that major crime scenes usually involve specialized teams for perimeter security while digital investigators focus on processing digital evidence.


SEIZING DIGITAL EVIDENCE AT THE SCENE 1. Explain that in a criminal matter, investigators seize entire drives to preserve as much information as possible and make sure no evidence is overlooked. 2. Point out to the students that they should follow the U.S. DOJ standards for seizing digital data when seizing digital evidence in criminal investigations.

Preparing to Acquire Digital Evidence 1. Explain that the evidence acquired at the scene depends on the nature of the case and the alleged crime or violation. 2. Point out to the students that seizing peripherals and other media ensures that they leave no necessary system components behind, yet it can be difficult to predict what components might be critical to the system’s operation. 3. Mention that before collecting digital evidence, they must ask a series of questions of their supervisor or senior forensics examiner in the organization.

Processing Incident or Crime Scenes 1. Explain that guidelines for processing incident or crime scenes offer suggestions that can be customized based on experience and specific cases. 2. Point out to the students that keeping a detailed journal is crucial for documenting activities at the scene, including dates, times, encountered individuals, and significant tasks performed, and that while mobile devices can aid in recording, access control must be ensured. 3. Mention that evidence collection should be managed by a designated person, evidence must be tagged and logged with relevant details, and all hardware, software, media, and documentation should be collected as part of the analysis and processing of the scene.


Processing Data Centers with RAID Systems 1. Explain that digital investigators sometimes perform forensics analysis on RAID systems or server farms, which are rooms filled with extremely large disk systems typical of large business data centers, such as banks, insurance companies, and ISPs. 2. Point out to the students that if they have a digital forensics tool that accesses unallocated space on a RAID system, they should test the tool on another system first to make sure it does not corrupt the RAID system.

Using a Technical Advisor 1. Explain that when working with advanced technologies, a technical advisor can help list the tools needed to process the incident or crime scene. 2. Point out to the students the seven main responsibilities in a scene for a technical advisor other than helping direct other investigators to collect evidence correctly.

Documenting Evidence in the Lab 1. Explain that a forensics lab should be a controlled environment that ensures the security and integrity of digital evidence. 2. Point out to the students that in any investigative work, they should record their activities and findings as they work so the same results can be reproduced when they or another investigator repeats the steps they took to collect evidence.

Processing and Handling Digital Evidence 1. Explain the four steps to create image files to be processed and handled as evidence. 2. Point out to the students that they should never work with the original media, as it should be stored in a secure cabinet that has an evidence custody form.

Special Situation Needs 1. Explain that when seizing digital evidence from a crime or incident scene, it may be necessary to keep a suspect’s computer powered on before processing it and shutting it down. 2. Point out to the students that the device WiebeTech HotPlug Field Kit allows them to disconnect the power of the suspect’s computer from its electrical power source and allows it to continue running.

ARCHIVAL STORAGE AND TRANSPORTATION OF DIGITAL EVIDENCE 1. Explain that the storage and transportation of digital evidence is extremely important for all investigations. 2. Point out to the students that for the storage of digital evidence, they need to use the best media available that is cost effective, durable, and reliable.

Archiving of Digital Evidence 1. Explain that the amount of time that evidence needs to be retained varies depending on the case, and in some situations, by provincial, state, or federal regulations. 2. Point out to the students the advantages and disadvantages of optical media compared to magnetic tapes and M-Discs, depending on the need, type of media, size of data, time constraints, and budget.

Evidence Retention and Media Storage Needs 1. Explain that in cases in which child pornography is discovered, a private-sector investigator is allowed to examine these files and they must stop what they are doing and call federal investigators. 2. Point out to the students that they might need to retain evidence indefinitely depending on the type of crime they are supporting.


Documenting Evidence 1. Explain that because of constant changes in technologies and methods for acquiring data, an evidence custody form should be created using a word processor or spreadsheet file that can be modified as needed. 2. Point out to the students that commercially made evidence bags typically include evidence form labels they can use to document their evidence; however, not all commercially-made bags provide antistatic protection.

Managing Digital Evidence Forms 1. Explain that the purpose of an evidence form is to maintain the chain of custody of the evidence and to provide a description of the evidence. 2. Point out to the students that the examiner must place the evidence back into the secure evidence locker and record on the evidence form that it was returned with the appropriate dates and times when the examination was completed or suspended.

Transporting Digital Evidence 1. Explain that because electrical components are fragile and easily altered or damaged by electromagnetic fields or extreme temperatures, the proper packaging materials should be on hand to prevent them from being damaged in transit. 2. Point out to the students that the evidence must be under surveillance at all times by them or the assigned evidence custodian.

OBTAINING A DIGITAL HASH 1. Explain that hashing methods are used to ensure data integrity by generating unique hash values based on file contents; the values are computed before and after processing and compared to verify that files have not changed. 2. Point out to the students the difference between a non-keyed hash set and a keyed hash set and their advantages. 3. Mention that the advantage of using hash algorithms for extremely large files is that it is quicker to compute a hash than it is to do a byte-by-byte comparison between the original file and the copied file.
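As an added example (not code from the manual or the textbook), the following Python computes a non-keyed SHA-256 and a keyed HMAC-SHA-256 over a constructed stand-in for an acquired image, re-verifies both after processing, and shows the byte-by-byte comparison that hashing replaces; the image data, the key, and all function names are assumptions made for illustration.

```python
"""Added example (not from the Cengage manual or the textbook): verifying an
evidence image with a non-keyed hash (SHA-256) and a keyed hash (HMAC-SHA-256),
contrasted with a byte-by-byte comparison. The image, the key and every
function name below are constructed for illustration."""
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # hash in chunks so a multi-gigabyte image never sits fully in RAM


def build_constructed_image(size=3 * CHUNK + 17):
    """Deterministic stand-in for an acquired disk image (constructed data)."""
    return bytes((i * 31 + 7) % 256 for i in range(size))


def non_keyed_hash(stream, algorithm="sha256"):
    """Non-keyed hash: anyone holding the bytes can recompute the same value."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def keyed_hash(stream, key):
    """Keyed hash (HMAC): only a holder of the examiner's secret key can
    produce a matching value for a given set of bytes."""
    mac = hmac.new(key, digestmod="sha256")
    for block in iter(lambda: stream.read(CHUNK), b""):
        mac.update(block)
    return mac.hexdigest()


def record_hashes(image_bytes, key):
    """Values the examiner writes on the evidence form right after acquisition."""
    return {
        "sha256": non_keyed_hash(io.BytesIO(image_bytes)),
        "hmac_sha256": keyed_hash(io.BytesIO(image_bytes), key),
    }


def verify_image(image_bytes, recorded, key):
    """Recompute both hashes after processing and compare them with the
    recorded ones (constant-time comparison avoids timing side channels)."""
    current = record_hashes(image_bytes, key)
    return {
        "sha256_matches": hmac.compare_digest(current["sha256"], recorded["sha256"]),
        "hmac_matches": hmac.compare_digest(current["hmac_sha256"], recorded["hmac_sha256"]),
    }


def first_mismatch(original, copy):
    """The slow alternative: compare every byte of both images.
    Returns the offset of the first differing byte, or -1 if identical."""
    for offset, (a, b) in enumerate(zip(original, copy)):
        if a != b:
            return offset
    return -1 if len(original) == len(copy) else min(len(original), len(copy))


def flip_byte(image_bytes, offset):
    """Simulate accidental alteration of one byte in a working copy."""
    altered = bytearray(image_bytes)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = b"constructed-examiner-secret-key"  # kept separate from the evidence media
    original = build_constructed_image()
    recorded = record_hashes(original, key)

    # A faithful working copy verifies under both hashes.
    print("untouched copy:", verify_image(original, recorded, key))

    # One flipped byte breaks both hashes; byte-by-byte comparison shows where.
    altered = flip_byte(original, 1000)
    print("altered copy:", verify_image(altered, recorded, key))
    print("first mismatch at offset", first_mismatch(original, altered))

    # Why the keyed hash adds assurance: if the altered copy is simply re-hashed
    # and the new SHA-256 substituted on the form, the non-keyed check passes,
    # but the HMAC cannot be regenerated without the examiner's key.
    rehashed = {"sha256": record_hashes(altered, key)["sha256"],
                "hmac_sha256": recorded["hmac_sha256"]}
    print("altered copy, re-hashed form:", verify_image(altered, rehashed, key))
```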

EMPLOYEE COMPLIANCE INVESTIGATIONS 1. Explain that compliance investigations are conducted by organizations to ensure employees follow company policies, contractual obligations, or government regulations. 2. Point out to the students that covert compliance investigations involve monitoring employees' activities, often using tools like keyloggers and network sniffers. 3. Mention that preinstalled software and remote access capabilities in digital forensics tools enhance remote data collection for investigations, minimizing direct contact with suspects and their devices. [return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

[return to top]


KEY TERMS
Automated Fingerprint Identification System (AFIS): A computerized system for identifying fingerprints that is connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
Computer-generated records: Data generated by a computer, such as system log files and proxy server logs.
Computer-stored records: Digital files generated by a person, such as electronic spreadsheets.
Covert surveillance: The observation of people or places without being detected, often by using electronic equipment such as video cameras or keystroke/screen capture programs.
Digital evidence: Evidence consisting of anything stored or transmitted in electronic form.
Extensive-response field kit: A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers; it should contain two or more types of software or hardware forensics tools, such as extra storage drives.
Hazardous materials (hazmat): Chemical, biological, or radiological substances that can cause harm to people.
Initial-response field kit: A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
Innocent information: Data that does not contribute to evidence of a crime or violation.
Keyed hash set: A value created by an encryption utility’s secret key.
Limiting phrase: Wording in a search warrant that limits the scope of a search for evidence.
National Institute of Standards and Technology (NIST): An agency of the U.S. Department of Congress and one of the governing bodies responsible for setting standards for some U.S. industries.
Non-keyed hash set: A unique hash number generated by a software tool used to identify a file.
Person of interest: Someone who might be a suspect or someone with additional knowledge that might be able to provide enough evidence of probable cause for a search warrant or arrest.
Plain view doctrine: A legal doctrine that states that objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence; when applied to searches of computers, the plain view doctrine’s limitations are less clear.
Probable cause: The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest based on facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.
Professional curiosity: The motivation of law enforcement and other professional personnel to examine an incident or crime scene to see what happened.
Scientific Working Group on Digital Evidence (SWGDE): A group that brings together individuals and organizations that work with digital evidence to set standards for recovering, preserving, and examining digital evidence.
Sniffing: Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network.
[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Discussion: Computer Evidence Kinds (Duration 15 minutes)
a. In some countries there is a distinction between “real computer evidence” and “hearsay computer evidence.”
b. What is the difference between “real computer evidence” and “hearsay computer evidence”? Answer: “Real computer evidence” is a fact that can be proved by a written log or other computer record that corroborates the fact, while “hearsay computer evidence” is a fact that can be assumed to be true, as it is the natural consequence of a fact that is “real computer evidence.”
c. Give an example of “real computer evidence.” Answer: One possible example of “real computer evidence” is the proof that an email was sent by a given user at a specific date and time, because it can be proven by the log of sent emails, which has the sender, date, and destination address.
d. Give an example of “hearsay computer evidence.” Answer: One possible example of “hearsay computer evidence” is, given the record-based proof that an email was sent, to assume that the sent email content is the same as the content of the received email, as this is logically what happens if the message was not changed intentionally by the receiver.

2. Discussion: Fourth Amendment (Duration 20 minutes)
a. The Fourth Amendment of the U.S. Constitution limits how governments search and seize evidence.
b. What are the restrictions brought forward by the Fourth Amendment to collect evidence in a digital forensic crime or incident scene? Answer: A law enforcement agent or a private sector investigator working for law enforcement can search for and seize criminal evidence only with probable cause. Thus, only hardware, software, or data related to the crime or incident under investigation can be seized for examination.
c. Who has the right to establish what components of a digital system can be the object of a digital investigation? Answer: It is the judge's warrant that establishes what parts of the digital system can be seized while conducting a crime or incident scene investigation. However, it is recommended that the judge's warrant be written in general terms, stating, for example, “computer and all associated parts” instead of being specific about the hardware, software, or data files to be seized.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Simulate a Warrant to Collect Digital Evidence]: Form pairs of students and ask one of them to simulate a judge writing a faulty warrant for a specific case needing the collection of digital evidence. The second student should take the faulty warrant and try to imagine a situation in which the warrant prevents the full collection of evidence. The first student should write the warrant avoiding the usual general terms (“computer and all associated parts”) and instead specify, for example, only the hardware and data. Then, the second student must try imagining a situation where, for example, the software seizure is necessary to fully collect the evidence.

2. [Preparing for Evidence Collection in a Crime or Incident Scene]: Form pairs of students and ask the students to each establish a list of concerns to be addressed in preparation for evidence collection in a crime or incident scene, and then have them exchange their lists towards an agreement on a common list. Each student must prepare an individual list of concerns (5 minutes is a good length of time to gather this information). Once both students have their lists, they must check against each other to see what is missing in each other's lists and then come to an agreement on what the list should be. After reaching the agreement on the list, the students should check in the module text to see if there were any mistakes (unnecessary items or forgotten items).

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC Criteria Content

Organization and Clarity

Research

Meets Requirements Needs Improvement Incomplete The assignment clearly The assignment partially The assignment does not and comprehensively addresses some or all address the questions in addresses all questions in questions in the the assignment. the assignment. assignment. 0 points 15 points 8 points The assignment presents The assignment presents The assignment does not ideas in a clear manner ideas in a mostly clear present ideas in a clear and with strong manner and with a manner and with strong organizational structure. mostly strong organizational structure. The assignment includes organizational structure. The assignment includes an appropriate The assignment includes an introduction, content, introduction, content, and an appropriate and conclusion, but conclusion. Coverage of introduction, content, and coverage of facts, facts, arguments, and conclusion. Coverage of arguments, and conclusions are logically facts, arguments, and conclusions are not related and consistent. conclusions are mostly logically related and 10 points logically related and consistent. consistent. 0 points 7 points The assignment is based The assignment is based The assignment is not upon appropriate and upon adequate academic based upon appropriate adequate academic literature but does not and adequate academic literature, including peer include peer reviewed literature and does not reviewed journals and journals and other include peer reviewed other scholarly work. scholarly work. journals and other 5 points 3 points scholarly work. 0 points

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 5: Processing Crime and Incident Scenes

Criteria: Research (citations)
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC

Criteria: Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 6: Working with Microsoft File Systems and the Windows Registry

Instructor Manual Module 6 Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 6: Working with Microsoft File Systems and the Windows Registry

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Understanding File Systems
    Understanding Disk Drives
  Exploring Microsoft File Structures
    Disk Partitions
  Examining FAT Disks
    FAT Sector and Cluster Configurations
    Drive Slack Space
    File Fragmentation
    Deleting FAT Files
  Exploring NTFS Disks
    NTFS System Files
    $UsnJrnl System File
    Prefetch
    NTFS Alternate Data Streams
    NTFS Compressed Files
    NTFS Encrypting File System
    Deleting NTFS Files
    Resilient File System Overview
  Understanding Whole Disk Encryption
    Examining Microsoft BitLocker
    Examining Third-Party Disk Encryption Tools
  Understanding the Windows Registry
    Data Types in the Registry
    Exploring the Organization of the Windows Registry
  Windows Forensics Artifacts
    The hiberfile.sys File
    Internet History Files
    The pagefile.sys File
    The $Recycle.Bin Folder
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
    Standard Writing Rubric
    Standard Discussion Rubric

PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to prepare students to handle Microsoft file systems and to access Windows Registry information. These skills are necessary for the digital forensic expert to collect evidence from data stored in files and folders in a digital environment that uses the Windows operating system (OS). To do so, students need to understand the basic structure and implementation of Windows file systems, as well as how data is stored on drives within the Windows OS, assuming standard disk-based storage and FAT or NTFS file systems.


LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES The following objectives are addressed in this module:
1. Explain the purpose and structure of file systems.
2. Describe Microsoft file structures.
3. Explain the structure of FAT disks.
4. Explain the structure of NTFS disks.
5. Describe whole disk encryption.
6. Explain how the Windows Registry works.
7. Identify Windows artifacts.

MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.


UNDERSTANDING FILE SYSTEMS 1. Explain to the students that they must understand how the most commonly used OSs work and how they store files. 2. Point out that the investigator should be familiar with both the computer’s operating system and file system when they need to access a suspect computer to acquire or examine data related to an investigation.

Understanding Disk Drives 1. Explain to the students the disk drive components of geometry, head, tracks, cylinders, and sectors. 2. Point out that other disk properties, such as zone bit recording (ZBR), track density, areal density, and head and cylinder skew, are handled at the drive’s hardware or firmware level.

EXPLORING MICROSOFT FILE STRUCTURES

1. Explain to the students what clusters are in Microsoft file structures and why the OS allocates storage in clusters. 2. Point out that clusters have a logical address and a physical address specific to a disk partition.

Disk Partitions 1. Explain to the students that modern OSs can have one or more partitions, including hidden partitions between partitions on a disk drive, called partition gaps. 2. Point out that tools with administrator privileges can activate the hidden disk partition by updating the partition table or directly accessing and copying the data from the hidden areas to other mounted media using a disk editor. 3. Point out to the students how to examine the MBR and the extended partition table, as well as exploring the GUID Partition Table and the Windows Boot Partitions.


EXAMINING FAT DISKS 1. Explain that the file allocation table (FAT) is the file structure database that Microsoft designed originally for floppy disks to be used to organize files on a disk so that the OS can find the files it needs. 2. Point out the evolution of FAT versions such as FAT12, FAT16, FAT32, exFAT, and VFAT.

FAT Sector and Cluster Configurations 1. Explain that for FAT32 file systems, cluster sizes are determined by the OS and can range from one sector of 512 bytes to 128 sectors, or 64 KB. 2. Point out the table comparing drive size with sectors per cluster for FAT16.

Drive Slack Space 1. Explain that drive slack is the unused space in a cluster between the end of a file’s contents and the end of the cluster, including RAM slack and file slack. 2. Point out what the contents of RAM slack are compared to file slack through a situational example for better understanding.
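The arithmetic behind the two slack definitions above, as an added example (not code from the textbook or its instructor manual): given a file size and the volume's cluster geometry, it reports how many clusters the file occupies, how many bytes of RAM slack sit between the end of file and the end of the last used sector, and how many bytes of file slack fill the unused sectors of the last cluster. The 512-byte sector size and the sample file sizes are assumptions chosen to match the module's FAT32 discussion.

```python
# Added example (not from the textbook or its instructor manual): work out where
# RAM slack and file slack fall for a file stored in FAT clusters of a given size.
from dataclasses import dataclass


@dataclass(frozen=True)
class SlackReport:
    clusters_used: int      # clusters allocated to the file
    sectors_in_last: int    # sectors of the last cluster that hold file data
    ram_slack: int          # bytes from EOF to the end of the last used sector
    file_slack: int         # bytes in the unused sectors of the last cluster
    drive_slack: int        # ram_slack + file_slack, the examiner's search area


def slack_for_file(file_size: int, sectors_per_cluster: int,
                   sector_size: int = 512) -> SlackReport:
    """Return the slack layout for one file; all sizes are in bytes."""
    if file_size < 0 or sectors_per_cluster < 1 or sector_size < 1:
        raise ValueError("file_size must be >= 0 and cluster geometry positive")
    cluster_size = sectors_per_cluster * sector_size
    if file_size == 0:
        # FAT allocates no cluster to an empty file, so there is no slack to search.
        return SlackReport(0, 0, 0, 0, 0)
    clusters = -(-file_size // cluster_size)                  # ceiling division
    bytes_in_last_cluster = file_size - (clusters - 1) * cluster_size
    sectors_in_last = -(-bytes_in_last_cluster // sector_size)
    ram_slack = sectors_in_last * sector_size - bytes_in_last_cluster
    file_slack = (sectors_per_cluster - sectors_in_last) * sector_size
    return SlackReport(clusters, sectors_in_last, ram_slack, file_slack,
                       ram_slack + file_slack)


def slack_ratio(file_sizes, sectors_per_cluster: int, sector_size: int = 512) -> float:
    """Fraction of allocated bytes that is slack across a set of files; shows why
    large clusters waste space (and retain more residue) when files are small."""
    allocated = 0
    slack = 0
    for size in file_sizes:
        report = slack_for_file(size, sectors_per_cluster, sector_size)
        allocated += report.clusters_used * sectors_per_cluster * sector_size
        slack += report.drive_slack
    return slack / allocated if allocated else 0.0


if __name__ == "__main__":
    # Constructed sample: a 5,000-byte file on a volume with 8 sectors (4 KB) per cluster
    print(slack_for_file(5000, 8))
```

For the sample file, the last cluster holds 904 bytes spread over two sectors, so 120 bytes of RAM slack follow the EOF and the remaining six sectors (3,072 bytes) are file slack; an examiner searching for residue from earlier files would carve the 3,192 bytes of drive slack, not just the file's logical content.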

File Fragmentation 1. Explain that in FAT16, file fragmentation was reduced as cluster sizes increased, but because large clusters allocate sectors inefficiently when a disk is nearly full, Microsoft created the FAT32 file system. 2. Point out to the students that for newer drives, such as SSD or HDD, fragmentation is less likely because larger areas of the disk are allocated for files.


Deleting FAT Files 1. Explain that when a file is deleted in a FAT file system with File Explorer or with the MS-DOS delete command, the OS writes a hex E5 (0xE5) value into the first character position of the file name in the associated directory entry. 2. Point out that when a file is deleted in the FAT file system, the file's data remains on the disk drive, and its clusters are released as unallocated disk space.
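How an examiner sees that 0xE5 marker in practice, as an added example (not code from the textbook or its instructor manual): the parser below walks the 32-byte short-name entries of a FAT directory, reports each file's name, size, first cluster and modification time, and flags entries whose first name byte has been overwritten with 0xE5. The directory bytes are constructed inline (the names, dates and cluster numbers are assumptions), so the block runs offline; the layout of the 8.3 entry itself is the documented FAT format.

```python
# Added example (not from the textbook or its instructor manual): walk the 32-byte
# entries of a FAT directory and report which files have been marked deleted (0xE5).
import struct

ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F     # VFAT long-file-name fragments carry this attribute value
DELETED_MARKER = 0xE5     # written over the first character of a deleted entry's name


def _fat_datetime(date_word: int, time_word: int) -> str:
    """FAT dates are 7-bit year since 1980 / 4-bit month / 5-bit day; FAT times are
    5-bit hour / 6-bit minute / 5-bit two-second count. Returns an ISO-style string."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}"


def parse_directory(raw: bytes) -> list:
    """Decode the short-name entries of a FAT directory cluster."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        first = e[0]
        if first == 0x00:
            break                         # 0x00 marks the end of the directory
        attrs = e[11]
        if attrs == ATTR_LONG_NAME:
            continue                      # skip VFAT long-name fragments
        deleted = first == DELETED_MARKER
        name_bytes = bytearray(e[0:8])
        if deleted:
            name_bytes[0] = ord('?')      # the first character is lost under 0xE5
        base = name_bytes.decode('ascii', 'replace').rstrip()
        ext = e[8:11].decode('ascii', 'replace').rstrip()
        clus_hi = struct.unpack_from('<H', e, 20)[0]
        wtime, wdate, clus_lo, size = struct.unpack_from('<HHHI', e, 22)
        entries.append({
            'name': f"{base}.{ext}" if ext else base,
            'deleted': deleted,
            'directory': bool(attrs & ATTR_DIRECTORY),
            'first_cluster': (clus_hi << 16) | clus_lo,   # data is still here after deletion
            'size': size,
            'modified': _fat_datetime(wdate, wtime),
        })
    return entries


def deleted_entries(raw: bytes) -> list:
    """Entries a recovery tool would offer to undelete: data intact, name damaged."""
    return [e for e in parse_directory(raw) if e['deleted']]


def _make_entry(name8, ext3, attrs, first_cluster, size, wdate, wtime, deleted=False):
    """Build one 8.3 directory entry; used here only to construct sample input."""
    raw = bytearray(32)
    raw[0:8] = name8.ljust(8).encode('ascii')
    raw[8:11] = ext3.ljust(3).encode('ascii')
    raw[11] = attrs
    struct.pack_into('<H', raw, 20, first_cluster >> 16)
    struct.pack_into('<HHHI', raw, 22, wtime, wdate, first_cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED_MARKER           # exactly what the delete command does
    return bytes(raw)


# Constructed sample directory: one live file, one deleted file, then the end marker.
# Date word 22639 = 2024-03-15, time word 21440 = 10:30:00 (assumed values).
SAMPLE_DIRECTORY = (
    _make_entry('REPORT', 'TXT', 0x20, 5, 1200, 22639, 21440)
    + _make_entry('SECRET', 'DOC', 0x20, 9, 4096, 22639, 21440, deleted=True)
    + bytes(32)
)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIRECTORY):
        print(entry)
```

The deleted entry keeps its size, timestamps and starting cluster, which is why undelete tools can recover the content as long as the clusters have not been reused; only the first character of the short name must be guessed.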

EXPLORING NTFS DISKS 1. Explain that NT File System (NTFS) was introduced when Microsoft created Windows NT and is still the main file system in Windows 10 and 11. 2. Point out to the students that on an NTFS disk, the first data set is the Partition Boot Sector, followed by the Master File Table (MFT).

NTFS System Files 1. Explain that data management for NTFS uses many different system files of interest to a digital forensics examiner. 2. Point out to the students that to view or extract NTFS files, they can use tools such as FTK Imager or another digital forensics tool as well as some hexadecimal editors. 3. Explain details about the different NTFS system files, header fields, and file attributes such as $MFT, MFT, and $I30.

$UsnJrnl System File 1. Explain that the Update Sequence Number Journal ($UsnJrnl) provides a log of actions performed on a file, such as when data was added to a file or when a file was renamed. 2. Point out to the students the metadata records in the $J table that log the changes made to a file.


Prefetch 1. Explain that the first time an application is run in Windows, the OS creates a prefetch file for it. The next time the application is run, Windows preloads the necessary links to other data or executable files into the computer's memory. 2. Point out to students that the contents of an application's prefetch file can reveal when the application was installed, how many times it has been run, the dates and times it was run, and what other data or executable files it used or accessed, all of which can provide additional evidence for a case. 3. Explain the uses and function of the PECmd.exe tool.

NTFS Alternate Data Streams 1. Explain that NTFS alternate data streams are a method by which data can be appended to existing files. 2. Point out to the students that one way they can tell whether a file has an alternate data stream attached is by examining the file's $MFT record entry.

NTFS Compressed Files 1. Explain that NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility, to improve data storage on disk drives. 2. Point out to the students that forensics tools that can uncompress and analyze compressed Windows data might have difficulty with third-party compression utilities such as the .rar format.

NTFS Encrypting File System 1. Explain that NTFS Encrypting File System uses public key and private key methods of encrypting files, folders, or disk volumes. 2. Point out to the students that they can apply EFS to files stored on their local workstations or a remote server. 3. Explain the purpose of the recovery certificate and that the recovery key is stored in one of two places: the local domain server's administrator account or the local administrator account.


Deleting NTFS Files 1. Explain that File Explorer is the typical way to delete files from a disk, but the user can also use the MS-DOS delete command. 2. Point out to the students each of the five steps the OS takes when deleting a file or a folder in Windows or File Explorer.

Resilient File System Overview 1. Explain that Resilient File System (ReFS) is designed to address very large data storage needs, such as the cloud. 2. Point out to the students that maximized data availability, improved data integrity, and scalability are features incorporated in the ReFS design. 3. Explain that ReFS uses a method called "allocate-on-write" that copies updates of data files to new locations, which prevents overwriting the original data files.

UNDERSTANDING WHOLE DISK ENCRYPTION 1. Explain that concerns have arisen due to computer theft resulting in the loss of personal identifiable information (PII) like employee names, birthdates, addresses, Social Security numbers, and trade secrets. 2. Point out to the students that the theft of devices like laptops and smartphones poses heightened concerns, as owners could be held liable for damages such as identity theft or trade secret leakage.

Examining Microsoft BitLocker 1. Explain the hardware and software requirements to run BitLocker, such as the OS, TPM microchip, and others. 2. Point out to the students that BitLocker is Microsoft's utility for protecting drive data.


Examining Third-Party Disk Encryption Tools 1. Explain that since BitLocker can encrypt only NTFS drives, a third-party solution is needed to encrypt a FAT drive. 2. Point out to the students available third-party WDE utilities such as Broadcom Endpoint Encryption and Jetico BestCrypt Volume Encryption.

UNDERSTANDING THE WINDOWS REGISTRY 1. Explain that the Registry is a database that stores hardware and software configuration information, network connections, user preferences, and setup information. 2. Point out to the students that they can use the Edit, Find menu command in Registry Editor to locate entries that might contain trace evidence, such as information identifying the last person who logged on to the computer, which is usually stored in user account information.

Data Types in the Registry 1. Explain that the Registry is a hierarchically structured database that contains keys, which are like folders on a disk partition, and subkeys that contain values such as data and references to files. 2. Point out to the students that the table of subkey data types is divided into the type of data and the type of content.
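What the "type of data" column means for an examiner reading raw hive bytes, as an added example (not code from the textbook or its instructor manual): the decoder below maps the standard REG_* type codes to the way their value data is stored (UTF-16LE strings, little-endian integers, NUL-separated string lists, opaque binary) and decodes a table of sample values. The value names and contents are constructed for the example and are not taken from any real hive; the type codes themselves are the documented Windows constants.

```python
# Added example (not from the textbook or its instructor manual): decode raw Registry
# value data the way it is stored in a hive, keyed by the value's type code.
import struct

# Windows Registry value type codes (the REG_* constants from winnt.h)
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 5, 6, 7
REG_QWORD = 11


def decode_value(value_type: int, data: bytes):
    """Turn the raw bytes of one Registry value into a Python object."""
    if value_type in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # UTF-16LE text; stop at the first NUL because slack bytes may follow it
        return data.decode('utf-16-le', 'replace').split('\x00', 1)[0]
    if value_type == REG_MULTI_SZ:
        # NUL-separated UTF-16LE strings ending in an empty string (double NUL);
        # empty strings are dropped, so the terminator does not appear in the list
        text = data.decode('utf-16-le', 'replace')
        return [s for s in text.split('\x00') if s]
    if value_type == REG_DWORD:
        return struct.unpack_from('<I', data)[0]
    if value_type == REG_DWORD_BIG_ENDIAN:
        return struct.unpack_from('>I', data)[0]
    if value_type == REG_QWORD:
        return struct.unpack_from('<Q', data)[0]
    # REG_BINARY, REG_NONE and anything unrecognised: keep the bytes as hex text
    return data.hex()


def decode_values(values):
    """values: iterable of (name, type_code, raw_bytes) -> {name: decoded_value}."""
    return {name: decode_value(vtype, raw) for name, vtype, raw in values}


# Constructed sample values (assumed names and data, not taken from a real hive)
SAMPLE_VALUES = [
    ('LastLoggedOnUser', REG_SZ, 'CORP\\alice\x00'.encode('utf-16-le')),
    ('ShutdownFlags', REG_DWORD, struct.pack('<I', 0x13)),
    ('InstallPaths', REG_MULTI_SZ, 'C:\\Tools\x00D:\\Apps\x00\x00'.encode('utf-16-le')),
    ('LastWriteFileTime', REG_QWORD, struct.pack('<Q', 133_555_000_000_000_000)),
    ('DigitalProductId', REG_BINARY, bytes.fromhex('a40000000300000030303030')),
]

if __name__ == "__main__":
    for name, value in decode_values(SAMPLE_VALUES).items():
        print(f"{name}: {value!r}")
```

The point for an investigation is that the type code, not the value name, tells you how to read the bytes: a DWORD and a four-character string occupy the same space on disk, and a string value read without honouring the NUL terminator can pull in stale data left in the hive cell.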

Exploring the Organization of the Windows Registry 1. Explain that the number of files the Registry uses depends on the Windows version: Windows 9x/Me uses only two files, whereas Windows NT and later use six files. 2. Point out to the students the list of Registry terminology they should become familiar with to use the database to its best capacity.


WINDOWS FORENSICS ARTIFACTS 1. Explain that in addition to the $I30, $MFT, $UsnJrnl, and Prefetch files used by Windows, there are several other data files that might contain digital evidence, such as hiberfile.sys, Internet history files, pagefile.sys, $Recycle.Bin, and others. 2. Point out to the students that understanding which files might contain digital evidence will give an examiner a good starting point when deciding where to look for clues relevant to an investigation.

The hiberfile.sys File 1. Explain that the hiberfile.sys file is where Windows stores volatile data (RAM) when Windows is suspended, that is, when it is placed in hibernation mode by the user. 2. Point out to the students that because the hiberfile.sys file is RAM data, examining its contents requires memory-analysis techniques.

Internet History Files 1. Explain that web browsers are designed to collect and transmit users’ activities to data analytics servers and even marketers. 2. Point out to the students that they can use Internet history files to better understand a suspect’s motives and collect facts for an investigation.

The pagefile.sys File 1. Explain the difference between pagefile.sys and hiberfile.sys: both store RAM data; however, pagefile.sys is used as an extension storage area for RAM. 2. Point out to the students that it is common for pagefile.sys to be located on its own disk partition on computers that have multiple drives.


The $Recycle.Bin Folder 1. Explain that under normal operations, when a file or folder is deleted, Windows relocates the data within the file or folder to $Recycle.Bin, where it serves as a backup in case the deletion was accidental or the user later realizes they need to restore and undelete the data. 2. Point out to the students the details of the $Recycle.Bin configuration and how to recover data from it.
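One concrete piece of that $Recycle.Bin configuration, as an added example (not code from the textbook or its instructor manual): for each deleted file Windows stores the content in a $R file and the original path, size and deletion time in a companion $I file, both under the deleting user's SID subfolder. The parser below decodes both $I layouts (the fixed-length path of Vista through 8.1 and the length-prefixed path of Windows 10 and later) and converts the FILETIME deletion stamp. The sample record is built inline from an assumed path and timestamp, so nothing here comes from a real system.

```python
# Added example (not from the textbook or its instructor manual): parse the $I metadata
# record that Windows writes beside each $R data file in $Recycle.Bin\<user SID>\.
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer division of timedeltas keeps the arithmetic exact
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_i_file(data: bytes) -> dict:
    """Decode an $I record. Version 1 (Vista through 8.1) stores a fixed 520-byte
    UTF-16LE path; version 2 (Windows 10 and later) stores a length-prefixed path."""
    version, size, ft = struct.unpack_from('<QQQ', data, 0)
    if version == 1:
        name_raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from('<I', data, 24)   # length counts the NUL too
        name_raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = name_raw.decode('utf-16-le', 'replace').split('\x00', 1)[0]
    return {'version': version, 'original_size': size,
            'deleted_at': filetime_to_datetime(ft), 'original_path': path}


def matching_r_name(i_name: str) -> str:
    """$I and $R files share the same random suffix: $IABC123.txt <-> $RABC123.txt."""
    if not i_name.startswith('$I'):
        raise ValueError("not an $I file name")
    return '$R' + i_name[2:]


def build_i_record(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Build a record in either layout; used here only to construct sample input."""
    ft = datetime_to_filetime(deleted_at)
    name = (path + '\x00').encode('utf-16-le')
    if version == 2:
        return struct.pack('<QQQI', 2, size, ft, len(path) + 1) + name
    if version == 1:
        return struct.pack('<QQQ', 1, size, ft) + name.ljust(520, b'\x00')
    raise ValueError("version must be 1 or 2")


# Constructed sample (assumed path and timestamp, not from a real system)
SAMPLE_PATH = 'C:\\Users\\alice\\Documents\\budget.xlsx'
SAMPLE_DELETED_AT = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_I_RECORD = build_i_record(SAMPLE_PATH, 34567, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I_RECORD))
    print(matching_r_name('$I3K2J4L.xlsx'))
```

Because the $I record survives even when the user later empties the Recycle Bin and the $R content is overwritten, recovering $I records from unallocated space can still establish what was deleted, when, and from which user profile.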

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail. [return to top]


KEY TERMS
Alternate data streams: Ways in which data can be appended to a file (intentionally or not), potentially obscuring evidentiary data. In NTFS, alternate data streams become an additional file attribute.
American Standard Code for Information Interchange (ASCII): An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
Areal density: The number of bits per square inch of a disk platter.
Attribute ID: In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
Cluster: A storage allocation unit composed of groups of sectors; clusters are 512, 1024, 2048, or 4096 bytes each.
Cylinder: A column of tracks on two or more disk platters.
Data runs: Cluster addresses where files are stored on a drive's partition outside the MFT record; data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.
Drive slack: Unused space in a cluster between the end of an active file and the end of the cluster; it can contain deleted files, deleted email, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.
Encrypting File System (EFS): A Windows operating system security utility that will encrypt files or whole folders; Windows EFS uses public keys to secure data.
File Allocation Table (FAT): The original Microsoft file-structure database; it is written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations of FAT are FAT12, FAT16, FAT32, VFAT, and FATX.
File slack: The unused space created when a file is saved; if the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted emails.


File system: The way files are stored on a disk; it gives an OS a road map to data on a disk.
GUID Partition Table (GPT): One of two types of file system programs that define the logical partition volume or volumes on a drive; due to the limits of accessing disk drives over 2 TB with Master Boot Record (MBR), manufacturers created GPT, which can access up to 9.7 zettabytes of disk storage. GPT will only work on newer computers that have the Extensible Firmware Interface (EFI) firmware standard. See also Master Boot Record (MBR).
Geometry: A disk drive's internal organization of platters, tracks, and sectors.
Head: The device that reads and writes data to a disk drive.
Head and cylinder skew: A method used by manufacturers to minimize lag time; the starting sectors of tracks are slightly offset from each other to move the read-write head.
High Performance File System (HPFS): The file system IBM uses for its OS/2 operating system.
Info2 file: In Windows NT through Vista, the control file for the Recycle Bin; it contains ASCII data, Unicode data, and the date and time of deletion.
Logical address: An address generated by the OS for each cluster on a disk drive's partition; when files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2 for FAT-formatted partitions and 0 for NTFS-formatted partitions. Logical addresses point to relative cluster positions, using these assigned cluster numbers.
Logical block address (LBA): A disk-addressing design that is used to access data on a disk drive; older methods for accessing disk data, such as MBR-formatted drives, compute data locations by cylinder, head, and sector (CHS) values. GPT-formatted drives use LBA values instead of CHS to access data.
Logical cluster number (LCN): The number sequentially assigned to each cluster when an NTFS disk partition is created and formatted; the first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident attribute area. See also data runs and virtual cluster number (VCN).


Master Boot Record (MBR): One of two types of file system programs that define the logical partition volume or volumes on a drive; on Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items.
Master File Table (MFT): The database used in NTFS to store and link to files; it contains information about files such as access rights, date and time stamps, and system attributes.
Metadata: In NTFS, information stored in the MFT. See also Master File Table (MFT).
NT File System (NTFS): The file system Microsoft created to replace FAT; it uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT.
One-time passphrase: A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive; this passphrase can be used only once, and then it expires.
Pagefile.sys: An extension storage area for RAM; at startup, data and instruction code are moved in and out of this file to optimize the amount of physical RAM available during startup.
Partition: A logical drive on a disk; it can be the entire disk or part of the disk.
Partition Boot Sector: The first data set of an NTFS disk; it starts at sector [0] of the disk drive and can expand up to 16 sectors.
Partition gap: Unused space or void between the primary partition and the first logical partition.
Personal identifiable information (PII): Any information that can be used to distinguish who someone is and that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.
Physical address: The actual sector in which a file is located; sectors reside at the hardware and firmware level.
Private key: In encryption, the key used to decrypt the file; the file owner keeps the private key.
Public key: In encryption, the key used to encrypt a file; it is held by a certificate authority, such as a global registry, network server, or company, such as VeriSign.


RAM slack: The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster; any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found mainly in older Microsoft OSs.
Recovery certificate: A method used by NTFS to allow a network administrator to recover encrypted files if the file's user/creator loses the private key encryption code.
Registry: A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.
Resilient File System (ReFS): A file system developed for Windows Server 2012; it allows increased scalability for disk storage and has improved features for data recovery and error checking.
Sector: A section on a track, typically made up of 512 bytes for MBR-formatted drives or 4096 bytes for GPT drives.
Track density: The space between tracks on a disk; the smaller the space between tracks, the more tracks fit on a disk. Older drives with wider track densities allowed the heads to wander.
Track: One of the concentric circles on a disk platter where data is stored.
Unallocated disk space: Partition disk space that is not allocated to a file; this space might contain data from files that have been deleted previously.
Unicode: A character code representation that is replacing ASCII; it is capable of representing more than 64,000 characters and non-European-based languages.
UTF-8 (Unicode Transformation Format): One of three formats Unicode uses to translate languages for digital representation.
Virtual cluster number (VCN): A subfield within the $DATA field of an MFT record that contains the LCN and the number of assigned clusters for a file stored on a disk partition. For highly fragmented disk partitions, a large file can have several VCNs. See also data runs and logical cluster numbers (LCNs).
Zone bit recording (ZBR): The method used by most manufacturers to deal with a platter's inner tracks being shorter than the outer tracks; grouping tracks by zones ensures that all tracks hold the same amount of data.


[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Discussion: Disk Partitions (Duration 15 minutes)
a. A physical device is often split into partitions that are treated within the Windows OS as logical drives.
b. Where is the information about the existing partitions of a physical drive stored?
Answer: The partitions of a physical drive are recorded in a partition table that is usually stored in the Master Boot Record (MBR), a portion of data stored in sector 0 of the physical drive.
c. What are hidden partitions, and how can they be accessed?
Answer: Usually, between the sectors holding normal (visible) partitions there are some unused regions, called partition gaps. While these partition gaps are usually small (1 Mbyte), it is possible to extend a partition gap to hold a hidden partition that is not visible through standard use of the Windows OS file system (for example, drives with letters C: or D:). However, a hidden partition can be accessed as part of the file system structure of a standard drive, or even by physical sector address (usually when the partition was deleted and not overwritten).
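The partition table the answers refer to, read directly from sector 0, as an added example (not code from the textbook or its instructor manual) that also serves the Disk Partitions outline item earlier in the module: the parser checks the 0x55AA boot signature, decodes the four 16-byte MBR entries, and then lists every sector range not covered by a partition, which is exactly where an examiner looks for partition gaps and hidden partitions. The sample MBR (an NTFS partition, a FAT32 partition starting well after the first one ends, and a 512 MB image size) is constructed inline and is an assumption; the entry layout and the type codes are the documented MBR format.

```python
# Added example (not from the textbook or its instructor manual): parse the partition
# table in sector 0 (the MBR) and list the unallocated sector ranges between partitions.
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries at 446, 462, 478, 494
BOOT_SIGNATURE = 0xAA55        # bytes 0x55 0xAA at offset 510, read little-endian

# Well-known partition type codes an examiner meets on MBR-formatted drives
PARTITION_TYPES = {
    0x05: 'extended (CHS)', 0x06: 'FAT16', 0x07: 'NTFS/exFAT/HPFS',
    0x0B: 'FAT32 (CHS)', 0x0C: 'FAT32 (LBA)', 0x0F: 'extended (LBA)',
    0x17: 'hidden NTFS', 0x1B: 'hidden FAT32', 0xEE: 'GPT protective',
}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the MBR partition table."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    (sig,) = struct.unpack_from('<H', sector0, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            '<B3sB3sII', sector0, off)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        parts.append({
            'slot': slot,
            'bootable': status == 0x80,
            'type': ptype,
            'type_name': PARTITION_TYPES.get(ptype, f'unknown (0x{ptype:02X})'),
            'lba_start': lba_start,
            'sectors': count,
            'lba_end': lba_start + count - 1,
        })
    return parts


def find_gaps(parts: list, total_sectors: int) -> list:
    """Sector ranges not covered by any partition: the partition gaps an examiner
    should image and inspect, plus any unallocated tail of the disk."""
    gaps = []
    cursor = 1                            # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p['lba_start']):
        if p['lba_start'] > cursor:
            gaps.append((cursor, p['lba_start'] - 1))
        cursor = max(cursor, p['lba_end'] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def _entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    """Build one 16-byte table entry; CHS fields get the 0xFE 0xFF 0xFF 'use LBA' filler."""
    return struct.pack('<B3sB3sII', 0x80 if bootable else 0x00, b'\xfe\xff\xff',
                       ptype, b'\xfe\xff\xff', lba_start, count)


# Constructed sample MBR: a bootable NTFS partition, a FAT32 partition that starts
# roughly 99 MB after the first one ends, two empty slots, and the boot signature.
SAMPLE_MBR = (bytes(PARTITION_TABLE_OFFSET)
              + _entry(True, 0x07, 2048, 204800)
              + _entry(False, 0x0C, 409600, 204800)
              + bytes(32)
              + b'\x55\xaa')
SAMPLE_TOTAL_SECTORS = 1_048_576          # a 512 MB image (assumed)

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        print(p)
    print("unallocated:", find_gaps(found, SAMPLE_TOTAL_SECTORS))
```

On the sample image the first gap (sectors 1 to 2047) is the ordinary 1 MB alignment gap the answer mentions; the second gap of about 99 MB between the two partitions is the kind of oversized void that warrants carving, since a deleted or deliberately unlisted partition would leave its boot sector and file system intact there.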


2. Discussion: FAT Evolution (Duration 15 minutes)
a. The File Allocation Table (FAT) is the file structure database that Microsoft designed originally for floppy disks, but it is also widely used by operating systems other than Windows, notably as the initial format of external drives, since FAT formats are also supported by Linux and MacOS systems.
b. What are the versions of FAT, including the deprecated and current ones?
Answer: The first version of FAT was the FAT for Microsoft DOS 6.22, and it had a limit of 8 characters for the file name and 3 characters for the file extension. Other deprecated versions still commonly found are FATX, VFAT, and FAT12. The current FAT versions are FAT16, FAT32, and exFAT.
c. What are the limitations in size for the current versions of FAT?
Answer: The current versions of FAT are FAT16, FAT32, and exFAT. While they follow similar technology, the current versions of FAT differ mostly in the size of the partitions they can handle. While FAT16 can be used on disks up to 4GB, FAT32 can address disks of up to 8TB or 16TB depending on the Windows OS version. Over that capacity, only exFAT can be used (within a limit of 128 PB). Another common difference is the maximum file size each one can handle. While FAT16 has a file size limit of 2GB, FAT32 can hold files up to 4GB, and exFAT can hold files of up to 16EB.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.


1. [Using Disk Editor]: Attach an external drive to your computer and open a disk editor, for example, HxD, to analyze its partition table.
a. This project can be done by each student individually, or by a pair of students. The external drive to attach must not contain unsaved data, as the experiment may damage its file structure.
b. The student(s) will open the disk editor and locate the MBR to identify the partitions that exist there and their type according to the values stated in Table 6.1 and exemplified in Figure 6.3.
c. Optionally, the student(s) may format the drive, creating new partitions, and repeat step (b) to check the changes in the MBR information, identifying each partition's type, size, and the sector addresses of its start and end. This can be done by creating another FAT partition (they can create FAT16, FAT32, and exFAT partitions alike) and also an NTFS partition. It is important to be aware that this process will likely erase previous content on the external drive, so the student(s) must use an external drive without data on it, for example, an empty flash drive.
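As an added worked example for discussion question 1 and this project (not code from the textbook or this manual), the Python script below decodes the four 16-byte entries of an MBR partition table the way a student would read them in a disk editor, and then lists the unallocated sector ranges (partition gaps) between the partitions, which is where an examiner would look for a hidden partition. The 512-byte sector, its partition layout and the subset of type codes are constructed for the example.

```python
"""Parse an MBR partition table and report the unallocated gaps between partitions.

Added example, not from the textbook or instructor manual: the sector below is
constructed by hand so the script runs offline. On a real drive you would feed
parse_mbr() sector 0 as read from a disk editor or from a forensic image.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # partition table starts at byte 446 of sector 0
ENTRY_SIZE = 16               # four entries of 16 bytes each
SIGNATURE = b"\x55\xAA"       # boot signature at bytes 510-511
ENTRY_FORMAT = "<B3sB3sII"    # flag, CHS start, type, CHS end, LBA start, sector count

# Subset of common partition type codes (the textbook's Table 6.1 has the full list).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x06: "FAT16",
    0x07: "NTFS or exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte partition entry. The CHS fields get the FE FF FF placeholder
    that LBA-aware tools commonly write; only the LBA fields matter here."""
    flag = 0x80 if bootable else 0x00
    chs = b"\xFE\xFF\xFF"
    return struct.pack(ENTRY_FORMAT, flag, chs, ptype, chs, lba_start, sectors)


def constructed_mbr():
    """Constructed sector 0: a bootable FAT32 partition, a 2 MiB gap, then an NTFS partition."""
    sector = bytearray(SECTOR_SIZE)                 # boot code area left as zeros
    table = (
        build_entry(True, 0x0C, 2048, 204800)       # FAT32: sectors 2048-206847 (100 MiB)
        + build_entry(False, 0x07, 210944, 409600)  # NTFS starts 4096 sectors after FAT32 ends
        + bytes(ENTRY_SIZE) * 2                     # two unused entries
    )
    sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = table
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts, in table order."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        flag, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        if ptype == 0x00 and sectors == 0:          # genuinely unused slot
            continue
        parts.append({
            "index": i,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start": lba_start,
            "end": lba_start + sectors - 1,         # inclusive last sector
            "sectors": sectors,
        })
    return parts


def find_gaps(parts, total_sectors):
    """Unallocated sector ranges before, between and after the partitions.
    A gap much larger than the usual alignment padding deserves a closer look."""
    gaps = []
    cursor = 1                                      # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    partitions = parse_mbr(constructed_mbr())
    for p in partitions:
        print(f"entry {p['index']}: {p['type_name']:<16} boot={p['bootable']} "
              f"sectors {p['start']}-{p['end']} ({p['sectors'] * SECTOR_SIZE / 2**20:.1f} MiB)")
    for start, end in find_gaps(partitions, total_sectors=1_000_000):   # constructed drive size
        print(f"gap: sectors {start}-{end} ({(end - start + 1) * SECTOR_SIZE / 2**20:.1f} MiB)")
```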

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC

Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 7: Linux and Macintosh File Systems

Instructor Manual Module 7 Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 7: Linux and Macintosh File Systems

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Examining Linux File Structures
    File Structures in ext4
    Inodes
    Hard Links and Symbolic Links
  Understanding Macintosh File Structures
    An Overview of Mac File Structures
    Apple File System
    Forensics Procedures in Mac
    Acquisition Methods in MacOS
  Using Linux Forensics Tools
    Using the dc3dd Command
    Using the Kali Linux Forensics Tools
    Exploring Sleuth Kit
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
    Standard Writing Rubric
    Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to prepare students to handle the Unix-like file systems commonly encountered on devices running the Linux and MacOS operating systems. These skills are necessary for the digital forensics expert to collect evidence from data stored in files and folders in a digital environment using these operating systems (OSs). To that end, students need to understand the basic structure and implementation of Linux and MacOS file systems, as well as how data is stored on drives under Unix-like OSs, assuming standard disk-based storage and ext or APFS file systems.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:

MODULE OBJECTIVES The following objectives are addressed in this module:
1. Describe Linux file structures.
2. Describe Macintosh file structures.
3. Use Linux forensics tools.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

EXAMINING LINUX FILE STRUCTURES
1. Explain to the students that the term “kernel” is often used when discussing Linux because, technically, Linux is only the core of the OS and all other tools, GUIs, and so forth are maintained and developed by others.
2. Point out the tables of Linux system files and core top-level directories of a Linux system.

File Structures in ext4
1. Explain to the students that UNIX/Linux has four components defining the file system: boot block, superblock, inode block, and data block, detailing their respective purposes.
2. Point out that one of the main design goals of ext4 was that it be backward compatible with ext2/ext3, and that using it has four main advantages.

Inodes
1. Explain to the students that an inode contains file and directory metadata and provides a mechanism for linking data stored in data blocks.
2. Point out what kind of information is assigned when a file or directory is created on a Linux file system.

Hard Links and Symbolic Links
1. Explain to the students that a hard link is a pointer that allows users to access the same file using different file names; the file names refer to the same inode and physical location on a drive.


2. Explain that a symbolic link is a pointer to another file that is not included in the link count.
3. Point out some of the differences between hard and symbolic links.

UNDERSTANDING MACINTOSH FILE STRUCTURES
1. Explain the evolution of Mac OSs over time and their technology advances, including that Apple no longer provides support for HFS in MacOS Sierra 10.12 and removed support for mounting and reading HFS devices with MacOS Catalina 10.15.
2. Point out that before OS X, the Hierarchical File System (HFS) was used and files were stored in directories that could be nested in other directories. With MacOS 8.1, Apple introduced the MacOS Extended (HFS+) file system.

An Overview of Mac File Structures
1. Point out to the students that in older versions of MacOS, a data file is a file structure containing two parts: a data fork, where data is stored, and a resource fork, where file metadata and application information are stored.
2. Explain details of file storage and how the system catalogs files and clumps of allocation blocks.
3. Point out that file-mapping information is stored in two locations: the extents overflow file and the file’s catalog entry.

Apple File System
1. Point out to the students that APFS is the successor file system to HFS+, and describe its characteristics and features.
2. Explain that APFS was designed to maintain data integrity through the use of snapshots and redundant copies of data before committing writes.


Forensics Procedures in Mac
1. Explain the differences between the Linux and MacOS file systems.
2. Point out that for forensics procedures in MacOS, application settings are stored in three formats: plain text files, plist files, and SQLite databases.
3. Point out that since MacOS 8.6, Keychain Access has been used to manage passwords for applications, websites, and other system files.

Acquisition Methods in MacOS
1. Explain that Apple products can use nonstandard or soldered-on components for storage and may have data encrypted with Apple’s T2 Security Chip or native Secure Enclave platform.
2. Point out that Cellebrite Digital Collector and Sumuri Recon ITR have a function for disabling and enabling Disk Arbitration, which is a MacOS feature for disabling and enabling automatic mounting when a drive is connected via a USB or FireWire device.
3. Point out to the students that before attempting an acquisition of an Apple product, they should be sure to collect the custodian’s name, username, and password as well as the system administrator username and password.

USING LINUX FORENSICS TOOLS
1. Explain that knowing how to use Linux forensics tools can come in handy when Windows tools do not work or when students are having trouble getting a Windows machine to boot.
2. Point out to the students that Kali Linux offers penetration-testing, password-cracking, and cybersecurity features in addition to its forensics tools.

Using the dc3dd Command
1. Explain that the dc3dd utility is a command-line acquisition application that needs to be installed on a Linux distribution and has many features for acquiring data, offering several improvements over the dd and dcfldd commands.
2. Point out to the students that they should be careful not to switch the source device with the target device or file when using the dd, dcfldd, or dc3dd commands, so that they do not overwrite the source device with the content of the target device or file, which would destroy the evidence.

Using the Kali Linux Forensics Tools
1. Explain that there is a variety of available tools, including Forensics Carving Tools, Forensics Imaging Tools, PDF Forensics Tools, the Sleuth Kit Suite, Autopsy, binwalk, bulk_extractor, and hashdeep, with which students need to be familiar.
2. Point out to the students what forensics carving tools and forensics imaging tools do and how to use them.

Exploring Sleuth Kit
1. Explain that the Linux version of Sleuth Kit is more of a command-line tool chest, a collection of tools that do at the command line what the GUI tools do automatically.
2. Point out to the students that Sleuth Kit is also useful for network forensics.

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab.

The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

[return to top]

KEY TERMS
Allocation block: A unit of storage for various file systems developed by Apple; a group of consecutive logical blocks.
Apple File System (APFS): A 64-bit file system utilized by Apple operating systems after MacOS 10.13 High Sierra; it is the successor file system to HFS+ and provides numerous benefits for the user, including data encryption, data integrity, and resiliency against data corruption.
B-tree: A type of data structure used to organize the directory hierarchy and file-block mapping of file systems.

Bad block inode: In Linux, inode 1, which lists the bad physical sectors on the drive.
Block: The smallest disk allocation unit in the UNIX/Linux file system; it can be 512 bytes and up; block size depends on how the disk volume is initiated.
Boot block: The block in the UNIX/Linux file system that contains the bootstrap code (instructions for start-up); a UNIX/Linux computer has only one boot block, on the main hard disk.
Catalog: The listing of all files and directories on the volume; used to maintain relationships between files and directories on a volume using HFS, HFS+, or APFS file systems.
Clump: A group of contiguous allocation blocks used to minimize file fragmentation within MacOS.

Data block: In Linux, the block where directories and files are stored on a disk drive; this location is linked directly to inodes.
Data fork: A part of the file structure associated with a data file stored on Apple file systems; it contains data.
Double-indirect pointer: Each pointer in the second layer of inode pointers.
Extents: Contiguous areas of physical storage in the ext4 file system used to reduce file fragmentation; they store less of the metadata of all the blocks used for large files. They instead store the first and last inode/block information.
Extents overflow file: A data file used to store any file information not in the Master Directory Block or a Volume Control Block.
Flexible group blocks: Contiguous group blocks that allow several block groups to be one logical group; it is designated by flex_bg.
Fourth Extended File System (ext4): A Linux file system which was introduced to the Linux kernel in 2008; one of the main design goals of ext4 was that it be backward compatible with ext2/ext3. It automatically mounts ext3 file systems, uses longer file names, allows for larger files, and eliminates indirect pointers by introducing extents.
Hard link: A pointer that allows users to access the same file using different file names; the file names refer to the same inode and physical location on a drive.
Header node: A data file containing information about a B-tree file.
Hierarchical File System (HFS): A 16-bit file system utilized by Apple operating systems prior to MacOS 8.1.
Index node: A data file containing information about the previous and next node.
Indirect pointer: Each of the first ten pointers in a file’s inode.
Inode: In Linux, a data structure that contains file and directory metadata and provides a mechanism for linking data stored in data blocks; an inode is assigned when a file or directory is created on a Linux file system.
Inode block: In Linux, the component that contains the first data after the superblock; an inode is assigned to every file allocation unit. As files or directories are created or deleted, inodes are also created or deleted.


Keychain Access: An Apple application for managing passwords.
Link count: A field inside each inode that specifies the number of hard links; if two files have the same inode number, the link count will be two. If a user deletes one of them, the link count drops to one.
Logical block: A fundamental unit of storage for Apple file systems; can hold 512 bytes of data.
Logical EOF: A descriptor that indicates the end of the data file within an allocation block.
Mac OS Extended (HFS+): A 32-bit file system utilized by Apple operating systems after MacOS 8.1 until MacOS 10.13 High Sierra.
Map node: A data file containing the node descriptor and map record.
Master Directory Block (MDB): An area of the HFS volume that contains all information about that volume; a copy of this block exists at the next-to-last block on the volume to support disk utility functions.
Physical EOF: A descriptor that indicates the number of bytes allocated on the volume for a file.
Plist file: A preference file for installed applications on an Apple product.
Resource fork: A part of the file structure associated with a data file stored on Apple file systems; it contains metadata and application information.
Second Extended File System (ext2): A Linux file system which replaced the original Extended File System.
Snapshot: A function of the APFS file system, where a “picture” of the file system is taken at a particular point in time for data recovery purposes without incurring significant storage penalties.
Super block: A UNIX/Linux component that contains vital information about the system and is considered part of the metadata; it specifies the disk geometry and available space, keeps track of all inodes, and manages the file system, including configuration information, such as block size for the drive, file system names, blocks reserved for inodes, and volume name.


Symbolic link: A pointer to another file; unlike hard links, symbolic links can point to items on other drives or other parts of the network; they simply need an absolute path. Symbolic links have their own inode and are not included in the link count. Also known as a soft link or a symlink.
Third Extended File System (ext3): A Linux file system, which replaced ext2 in November of 2001 in most Linux distributions; its major difference from ext2 was that it was a journaling file system that has a built-in file recovery mechanism used after a crash.
Tarball: A highly compressed data file containing one or more files or directories and their contents; it is similar to Windows zip utilities and typically has a .tar or .gz extension. This tool has not been updated in over a decade but may still be useful.
Triple-indirect pointer: Each pointer in the third or last layer of inode pointers.
Volume Control Block (VCB): Information read from the MDB of the mounted volume is stored in the VCB, which is stored in the computer's memory.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. The Evolution of ext File Systems (Duration 15 minutes)
a. Linux supports a wide range of file systems, but the native file systems used in Linux distributions are based on the Extended File System (ext), which has had several versions.
b. What are the versions of the ext file systems, and what are their main characteristics?
Answer: The first version of ext was named simply ext and was briefly used in Linux distributions in 1992. The first widely used version was ext2 (Second Extended File System), and, like all ext file systems, it can work with different block sizes (1, 2, 4, or 8 KB). Depending on this choice, it can hold files from 16GB up to 2TB, and the maximum size of a drive ranges from 4TB up to 32TB. The succeeding version was ext3 (Third Extended File System), with the same size limits but with the addition of file journaling: metadata and file contents are written to the journal before being committed to the main file system. The current version is ext4 (Fourth Extended File System), which considerably extends the maximum sizes of files and of the whole file system; it also adds functionality to handle large files and a virtually unlimited number of items within a folder. Additionally, ext4 provides backward compatibility with the previous ext2 and ext3.

2. The Apple File Systems (Duration 15 minutes)
a. Even though MacOS systems can handle different file systems, the Apple operating systems, since MacOS X, offer native file systems, namely HFS, HFS+, and APFS.
b. What is the basic data structure used to store the physical addresses of items (files and folders), and what is the main advantage of such a structure?
i. Answer: All versions of the native file systems since MacOS X use the B-tree data structure or one of its B+Tree and B*Tree variations. These data structures provide efficient retrieval of contents with a hierarchical organization that is very suitable for file systems.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [The Difference Between Hard and Symbolic Links]: Have groups of two to four students discuss the differences between hard links and symbolic links in the ext4 file system.


The students in the group must first agree upon a two-sentence statement of the differences between hard links and symbolic links. Then, the students within a group should split into two subgroups (it is fine if a subgroup consists of a single student), and each subgroup should argue why it is better to use either hard links (one subgroup) or symbolic links (the other subgroup).
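As an added example for this project and for the "Hard Links and Symbolic Links" outline items (it is not code from the textbook or this manual), the Python script below creates a constructed file in a temporary directory, adds a hard link and a symbolic link to it, and reads back the inode numbers and the link count the key terms describe, before and after the original name is deleted. File names and contents are made up for the example; it assumes a file system that supports os.link and os.symlink (Linux, MacOS).

```python
"""Hard links vs. symbolic links, observed through inode numbers and st_nlink.

Added example, not from the textbook or instructor manual. Everything it touches
lives in a temporary directory that is removed when the function returns.
"""
import os
import tempfile


def link_experiment():
    """Create a file, a hard link and a symlink to it, then delete the original name.
    Returns a dict of the observations the discussion asks about."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.txt")        # constructed sample file
        hard = os.path.join(d, "evidence_hard.txt")
        soft = os.path.join(d, "evidence_soft.txt")
        with open(original, "w") as f:
            f.write("constructed sample content\n")

        # One directory entry refers to the inode, so the link count starts at 1.
        result["nlink_before"] = os.stat(original).st_nlink

        os.link(original, hard)        # second name for the SAME inode
        os.symlink(original, soft)     # new inode whose content is a path string

        st_orig = os.stat(original)
        st_hard = os.stat(hard)
        st_soft = os.lstat(soft)       # lstat inspects the link itself, not its target
        result["hard_same_inode"] = st_orig.st_ino == st_hard.st_ino
        result["nlink_after_hard"] = st_orig.st_nlink              # hard link is counted: 2
        result["symlink_own_inode"] = st_soft.st_ino != st_orig.st_ino
        result["nlink_after_symlink"] = os.stat(original).st_nlink  # symlink is not counted: still 2
        result["symlink_target"] = os.readlink(soft)               # the stored path string

        # Deleting the original name only removes one directory entry.
        os.remove(original)
        result["nlink_after_delete"] = os.stat(hard).st_nlink      # drops to 1, data intact
        with open(hard) as f:
            result["data_via_hard_link"] = f.read()
        # The symlink still exists but now points at a name that no longer resolves.
        result["symlink_dangling"] = os.path.islink(soft) and not os.path.exists(soft)
    return result


if __name__ == "__main__":
    for key, value in link_experiment().items():
        print(f"{key}: {value!r}")
```

For an examiner the practical point is the last three observations: removing one name of a hard-linked file does not free its data blocks, while a symbolic link carries only a path and silently breaks when that path goes away.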

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC

Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 8: Media Files and Digital Forensics

Instructor Manual Module 8 Phillips, Guide to Forensics and Investigations, 7th Edition, Core ISBN; Module 8: Media Files and Digital Forensics

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
    Media Files
        Understanding Digital Photograph File Formats
        Understanding Bitmap and Raster Images
        Understanding Vector Graphics
        Understanding Metafile Graphics Files
        Graphics File Formats
        Audio and Video File Formats
        Viewing and Examining Media Files
    Data Compression and Obfuscation
        Understanding Data Compression
        Steganography in Graphics Files
        Understanding Copyright Issues with Graphics
    Additional Data-Hiding Techniques
        Bit-Shifting
        Encrypted Files
        Hiding Data
        Marking Bad Clusters in FAT
        Using Passwords to Protect Files
    Locating and Recovering Media Files
        Identifying Media File Fragments
        Determining Unknown File Formats
        Repairing Damaged Headers
        Searching for and Carving Data
        Rebuilding File Headers
        Reconstructing File Fragments
    Digital Evidence Validation and Discrimination
        Using Hash Values to Discriminate Data
    Examination Planning
        Preparing for the Examination
        Planning the Examination
        Performing the Examination
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
    Generic Rubrics
        Standard Writing Rubric
        Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to introduce important concepts for handling media files such as images, audio, and video. Given the non-textual nature of media files, this module also introduces some of the compression techniques used to handle these challenging files. Software tools for viewing and recovering media files are described, and the module also presents steganography and copyright issues, as those are frequently important to digital forensics activities. As such, this module builds on the data-acquisition modules that precede it, as well as on the modules concerning Windows and Unix-like file systems. After all, media files are also stored in file systems, but unlike regular text files they have a more complex structure, which is relevant to forensic work.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:

MODULE OBJECTIVES The following objectives are addressed in this module:
1. Identify different types of media files.
2. Summarize data compression and obfuscation.
3. Define data-hiding techniques.
4. Explain how to locate and recover media files.
5. Explain digital evidence validation and discrimination techniques.
6. Describe an examination plan.

MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

MEDIA FILES 1. Explain to the students that graphic images and other media are becoming much more common in all types of digital forensics investigations. 2. Point out that there are many different types of media file formats and tools for viewing them.

Understanding Digital Photograph File Formats 1. Explain to the students that as digital forensics investigators, they might need to examine a digital photo created by witnesses or suspects. 2. Point out the differences between working with the Raw file format and Exchangeable image file format and each of their specifications.

Understanding Bitmap and Raster Images 1. Explain to the students that a bitmap image stores information in a grid of pixels, whereas a raster image stores the pixels in rows. 2. Explain that the more advanced the video card’s electronics and the more memory it has, the more detailed instructions it can accept, resulting in higher-quality images. 3. Point out that software and the number of colors the monitor displays also contribute to image quality.


Understanding Vector Graphics 1. Explain to the students that vector graphics use lines instead of dots to make up an image. 2. Point out that enlarging a vector graphic does not affect image quality because the graphics programs compute the image mathematically.

Understanding Metafile Graphics Files 1. Explain that metafile graphic files combine raster and vector graphics and can have the characteristics of both file types. 2. Point out that if students enlarge a metafile graphic, the area created with a bitmap loses some resolution, but the vector-formatted area remains sharp and clear.

Graphics File Formats 1. Explain that graphics files can be created and saved in a graphics editor in one or more standard graphics file formats and also in less common, nonstandard graphics file formats. 2. Point out to the students the names and extensions of standard graphics file formats and of nonstandard graphics file formats, respectively.

Audio and Video File Formats 1. Explain that audio and video files have specific purposes that have been developed differently by various manufacturers. 2. Point out to the students the most common audio and video file formats currently available.

Viewing and Examining Media Files 1. Explain how to view and examine different media file formats.

2. Point out to the students the specific tools and techniques for viewing and examining these types of files.

DATA COMPRESSION AND OBFUSCATION 1. Explain that there are two main reasons why data would be intentionally altered: to compress it to save storage space or to minimize the quantity of data being transmitted via a network, and to hide the data either by obfuscating it or by encrypting it to prevent it from being easily examined. 2. Point out that it is important to understand how data can be secured using obfuscated marking methods.

Understanding Data Compression 1. Explain that data compression is the process of coding data from a larger form to a smaller form. 2. Point out to the students how the two techniques of data compression, lossless and lossy, work, along with their uses and some compression tools.

Steganography in Graphics Files 1. Explain that steganography is defined as hiding messages in such a way that only the intended recipient knows the message is there. 2. Point out to the students that the two major forms of steganography are insertion and substitution. 3. Remind students that there are methods and tools for running a steganalysis.

Understanding Copyright Issues with Graphics 1. Explain that because each country has its own copyright laws, enforcement can be difficult, but steganography can be used to protect copyrighted material by inserting digital watermarks into a file. 2. Point out to the students that they should be aware of fair use guidelines and be able to distinguish fair use from copyright infringement.

ADDITIONAL DATA-HIDING TECHNIQUES 1. Explain that data hiding involves changing or manipulating a file to conceal information by masking or altering it in a variety of ways. 2. Point out to the students some of the several data-hiding techniques.

Bit-Shifting 1. Explain that bit-shifting is the process of shifting one or more digits in a binary number to the left or right to produce a different value, changing data from readable code to data that looks like binary executable code. 2. Point out to the students that they should consider getting training in assembly language and higher-level programming languages before analyzing data that might involve bit-shifting.
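The following is an added example, not code from the textbook or the instructor manual. It demonstrates the bit-shifting described above on a constructed sample string: each byte is rotated left by three bits (a rotation rather than a plain shift, so no bits are lost and the transform is reversible), which turns readable text into bytes that look like binary data. The recovery function then tries all eight possible rotations and picks the one that yields the most printable output, which is how an examiner would test a suspect file for this kind of obfuscation without knowing the shift in advance.

```python
"""Bit-shift obfuscation and its reversal (added example, not from the textbook).

The sample plaintext below is constructed for the demonstration.
"""


def rotate_bytes(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (n taken modulo 8).

    A rotation is used instead of a plain shift so that bits shifted off one
    end re-enter at the other: the transform is lossless and reversible.
    """
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def obfuscate(data: bytes, n: int) -> bytes:
    """Hide readable data by rotating each byte left by n bits."""
    return rotate_bytes(data, n)


def deobfuscate(data: bytes, n: int) -> bytes:
    """Undo obfuscate(): rotating left by (8 - n) equals rotating right by n."""
    return rotate_bytes(data, -n)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_shift(data: bytes) -> tuple:
    """Try all eight rotations and return (shift, plaintext) for the one whose
    output looks most like text. Ties resolve to the smallest shift."""
    best = max(range(8), key=lambda n: printable_ratio(deobfuscate(data, n)))
    return best, deobfuscate(data, best)


# Constructed sample: a readable string hidden with a 3-bit rotation.
PLAINTEXT = b"The password is hunter2\n"
OBFUSCATED = obfuscate(PLAINTEXT, 3)

if __name__ == "__main__":
    print("obfuscated:", OBFUSCATED.hex())
    shift, recovered = recover_shift(OBFUSCATED)
    print(f"recovered with shift {shift}: {recovered!r}")
```

The printable-ratio heuristic only works when the hidden content is text; for a shifted binary file (an image, for example) the same brute force applies, but the scoring function should look for a known file signature in the candidate output instead.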

Encrypted Files 1. Explain that to decode an encrypted file, users supply a password or passphrase, and that without it, recovering the contents of encrypted files is difficult. 2. Point out to the students that there are two categories of programs for file and folder encryption: programs specifically designed to encrypt data, and archive compression programs that have password or passphrase encryption features.

Hiding Data 1. Explain the two main techniques used to hide data and their respective purpose and outcome. 2. Point out to the students that entire partitions can be hidden using the Windows disk partition utility "diskpart" and made visible again with the diskpart "assign letter" command.


Marking Bad Clusters in FAT 1. Explain that marking bad clusters is another data-hiding technique used on FAT file systems: sensitive or incriminating data is placed in free or slack space of clusters on the disk partition, and those clusters are then marked as bad in the file allocation table so the operating system skips them. 2. Point out to the students that this technique is not widely used anymore because it requires older disk-editing utilities.

Using Passwords to Protect Files 1. Explain that brute-force attacks try every possible combination of the letters, numbers, and characters found on a keyboard to crack a password; however, this method can require a lot of time and processing power, especially if the password is long. 2. Point out to the students what the rainbow table method and the salting passwords technique are and what they do.
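The following is an added example, not code from the textbook or the instructor manual, showing why salting defeats precomputed hash tables. The password alphabet (lowercase letters and digits, up to three characters) and the sample password are constructed to keep the search small. The "table" built here is a plain hash-to-password lookup rather than a true rainbow table (which stores hash chains to save space), but it is defeated by a salt for the same reason: the attacker precomputed hashes of passwords alone, and a salted hash is the hash of something else.

```python
"""Precomputed hash lookup versus salted hashing (added example, not from the textbook).

The alphabet, maximum length and sample passwords are constructed to keep the
search space small enough to run in seconds.
"""
import hashlib
import itertools
import os
import string
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase + string.digits


def unsalted_hash(password: str) -> str:
    """How passwords must NOT be stored: one hash per password, table-friendly."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user random salt is prepended before hashing. The salt is stored
    beside the hash, so the verifier can recompute it; it is not a secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(max_len: int = 3) -> Dict[str, str]:
    """Precompute hash -> password for every candidate up to max_len.
    This is the attacker's one-time cost, reused against every stolen hash."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            password = "".join(chars)
            table[unsalted_hash(password)] = password
    return table


def crack_with_table(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Instant lookup; succeeds only if the hash was computed without a salt."""
    return table.get(digest)


def brute_force_salted(digest: str, salt: bytes, max_len: int = 3) -> Optional[str]:
    """With a salt the table is useless: the whole search must be repeated for
    every distinct salt, i.e. for every user."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            password = "".join(chars)
            if salted_hash(password, salt) == digest:
                return password
    return None


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """What a real system should use: a deliberately slow key-derivation function,
    so that each guess in a brute-force search costs far more than one SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    table = build_lookup_table()
    salt = os.urandom(16)
    print("unsalted, via table:   ", crack_with_table(unsalted_hash("ab7"), table))
    print("salted, via table:     ", crack_with_table(salted_hash("ab7", salt), table))
    print("salted, by brute force:", brute_force_salted(salted_hash("ab7", salt), salt))
```

Salting stops the attacker from amortising precomputation across many hashes; it does not slow down a single brute-force run, which is why the slow key-derivation function is the second half of the defence.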

LOCATING AND RECOVERING MEDIA FILES 1. Explain that because images and videos are not always stored in standard media file formats, investigators should examine all files the forensics tools find, even if they are not identified as media files. 2. Point out to the students that they should follow standard procedures for each case to make sure their analysis is thorough. 3. Mention that to reconstruct a fragmented file, students need to identify the data patterns the media file uses and eventually repair or rebuild parts of the file.

Identifying Media File Fragments 1. Explain that recovering any type of file fragments is called carving or salvaging. 2. Point out to the students that many digital forensics programs can recognize patterns in the various headers of known media files and carve them from slack and free space automatically.

Determining Unknown File Formats 1. Explain that as part of their investigation, students may need to research both old and new file types to better understand the purpose of each format and how it stores data. 2. Point out to the students some websites they can consult for particular file formats.

Repairing Damaged Headers 1. Explain that if students locate header data that is partially overwritten, they must reconstruct the header to make it readable by comparing the hexadecimal values of known media file formats with the pattern of the file header they found. 2. Point out to the students an example of what a damaged header can look like in real life.

Searching for and Carving Data 1. Explain how to carve data from an unallocated area of a disk partition in order to recover data that may not be recoverable with a digital forensics tool. 2. Point out to the students that from a digital forensics view, rebuilding header data could be considered corrupting the evidence, but knowing how to reconstruct data is part of an investigator’s job.

Rebuilding File Headers 1. Explain that the first step in rebuilding a file’s header is to determine what the expected hexadecimal values are for the specific file format. 2. Point out to the students that the process of repairing file headers is not limited to JPEG files, as they can apply the same technique to any file for which they can determine the header value.
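The following is an added example, not code from the textbook or the instructor manual, covering the three tasks discussed above: identifying a file by its header signature, carving files from an unallocated region, and rebuilding a partially overwritten header. The "image" bytes are constructed: a JPEG skeleton (SOI marker, a JFIF APP0 segment, filler, EOI marker) with no real picture data, plus a copy whose first four bytes have been overwritten, both embedded in a byte string that stands in for unallocated space. The repair relies on the JFIF or Exif identifier that survives inside the APP segment to decide which marker bytes to restore, and it records hashes of the before and after copies, since rebuilding a header is an alteration that has to be documented.

```python
"""Identifying, carving and repairing media file headers (added example).

Not code from the textbook. All sample bytes are constructed; the JPEG
skeleton carries markers and a JFIF segment but no picture data.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Well-known header signatures ("magic numbers") of common media formats.
SIGNATURES = {
    "jpeg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
    "tiff_le": b"II*\x00",
    "tiff_be": b"MM\x00*",
}
JPEG_EOI = b"\xFF\xD9"


def identify(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for name, signature in SIGNATURES.items():
        if data.startswith(signature):
            return name
    return None


def carve_jpegs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Carve every JPEG from blob: from an SOI marker followed by a marker byte
    (FF D8 FF) up to and including the next EOI marker. Returns (offset, bytes)."""
    found = []
    pos = 0
    while True:
        start = blob.find(SIGNATURES["jpeg"], pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + 2)
        if end < 0:
            break  # header without a trailer: a fragment, not carved here
        found.append((start, blob[start:end + 2]))
        pos = end + 2
    return found


def repair_jpeg_header(data: bytes) -> Optional[bytes]:
    """Rebuild the first four bytes of a JPEG whose SOI and APPn marker were
    overwritten, using the identifier that survives inside the APP segment to
    decide which marker belongs there. Returns None if no evidence survives."""
    if data[6:11] == b"JFIF\x00":
        return b"\xFF\xD8\xFF\xE0" + data[4:]  # APP0 carries JFIF
    if data[6:10] == b"Exif":
        return b"\xFF\xD8\xFF\xE1" + data[4:]  # APP1 carries Exif
    return None


def repair_with_record(data: bytes) -> Optional[Dict[str, object]]:
    """Repair a working copy and record before/after hashes for the report."""
    repaired = repair_jpeg_header(data)
    if repaired is None:
        return None
    return {
        "original_sha256": hashlib.sha256(data).hexdigest(),
        "repaired_sha256": hashlib.sha256(repaired).hexdigest(),
        "format": identify(repaired),
        "data": repaired,
    }


# Constructed JPEG skeleton: SOI, APP0 (length 16, "JFIF\0", version 1.1,
# no density units, 1x1 density, no thumbnail), 16 filler bytes, EOI.
INTACT_JPEG = (
    b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x11" * 16
    + b"\xFF\xD9"
)
# The same file with its first four bytes overwritten, as a damaged header looks.
DAMAGED_JPEG = b"\x00\x00\x00\x00" + INTACT_JPEG[4:]
# Stand-in for unallocated space: filler, intact file, filler, damaged file, filler.
UNALLOCATED = b"\x00" * 64 + INTACT_JPEG + b"\x41" * 32 + DAMAGED_JPEG + b"\x00" * 64

if __name__ == "__main__":
    for offset, carved in carve_jpegs(UNALLOCATED):
        print(f"carved {identify(carved)} at offset {offset}, {len(carved)} bytes")
    print("damaged header identified as:", identify(DAMAGED_JPEG))
    record = repair_with_record(DAMAGED_JPEG)
    print("repaired to:", record["format"], record["repaired_sha256"][:16], "...")
```

Note that the damaged copy is invisible to the carver, which only keys on intact signatures; that is the gap the manual repair fills. Real JPEGs can also contain an embedded Exif thumbnail with its own SOI/EOI pair, so a production carver must parse segment lengths rather than stop at the first EOI.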


Reconstructing File Fragments 1. Explain how to locate file data on an NTFS-formatted drive when the file occupies noncontiguous clusters. 2. Point out to the students that reconstructing file fragments is a seven-step process.

DIGITAL EVIDENCE VALIDATION AND DISCRIMINATION 1. Explain that the most critical aspect of digital forensics is validating digital evidence because ensuring the integrity of data collected is essential for presenting evidence in court. 2. Point out to the students that if the hashes do not match, the forensic tool produces an error message indicating that the digital evidence has been corrupted.

Using Hash Values to Discriminate Data 1. Explain that the Known File Filter (KFF) is a database of hash values of known files: hashes of known legitimate program files are used to filter those files from view, and hashes of known illegal files are compared with the files on the evidence drive or image to flag those that contain suspicious data. 2. Point out to the students that block-wise hashing is a process that builds a data set of hashes of the sectors of the original file and then examines the sectors on the suspect drive to see whether any of them match.
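The following is an added example, not code from the textbook or the instructor manual, showing both hash uses discussed in this section: the whole-image hash check that validates an acquisition, and block-wise hashing that finds remnants of a known file on a suspect image. The "original file" and the "suspect drive image" are constructed byte strings (pseudo-random, seeded so the run is repeatable), and the 512-byte sector size is a parameter. Two practical details are built in: uniform sectors (all zeros or all padding) are skipped because they match between unrelated files, and the final partial sector of the original file is not hashed because its on-disk copy would include file slack and never match anyway.

```python
"""Image validation and block-wise hashing (added example, not from the textbook).

ORIGINAL and SUSPECT_IMAGE are constructed; no disk is read.
"""
import hashlib
import random
from typing import Dict, List, Tuple

SECTOR = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Acquisition check: the image's hash must equal the value recorded when the
    image was made; any mismatch means the evidence has been altered."""
    return sha256_hex(image) == expected_sha256


def is_uniform(block: bytes) -> bool:
    """A sector that is all one byte (zero fill, 0xFF padding) would match between
    unrelated files and produce meaningless hits, so such sectors are skipped."""
    return len(set(block)) <= 1


def sector_hashes(data: bytes, sector: int = SECTOR) -> Dict[str, int]:
    """Hash every full sector of the known file: hash -> sector index.
    The trailing partial sector is skipped (on disk it carries file slack)."""
    hashes: Dict[str, int] = {}
    for index in range(len(data) // sector):
        block = data[index * sector:(index + 1) * sector]
        if not is_uniform(block):
            hashes.setdefault(sha256_hex(block), index)
    return hashes


def find_remnants(original: bytes, suspect_image: bytes,
                  sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Scan the suspect image sector by sector and report every
    (suspect_sector_index, original_sector_index) match."""
    known = sector_hashes(original, sector)
    hits = []
    for index in range(len(suspect_image) // sector):
        block = suspect_image[index * sector:(index + 1) * sector]
        if is_uniform(block):
            continue
        match = known.get(sha256_hex(block))
        if match is not None:
            hits.append((index, match))
    return hits


# Constructed data: a 3.5-sector "original file" of seeded pseudo-random bytes,
# and a suspect image in which only sectors 1 and 2 of that file survive,
# stored at suspect sectors 3 and 4, followed by unrelated data.
_rng = random.Random(2022)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(SECTOR * 3 + 256))
SUSPECT_IMAGE = (
    b"\x00" * (SECTOR * 3)                                   # sectors 0-2: wiped
    + ORIGINAL[SECTOR:SECTOR * 3]                            # sectors 3-4: remnant
    + bytes(_rng.getrandbits(8) for _ in range(SECTOR * 2))  # sectors 5-6: unrelated
)

if __name__ == "__main__":
    recorded = sha256_hex(SUSPECT_IMAGE)  # the hash taken at acquisition time
    print("image validates:", verify_image(SUSPECT_IMAGE, recorded))
    print("remnants (suspect sector, original sector):",
          find_remnants(ORIGINAL, SUSPECT_IMAGE))
```

The matches tell the examiner which sectors of the suspect drive once held the known file even though the file itself can no longer be recovered whole, which is exactly the situation the block-wise method is meant for.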

EXAMINATION PLANNING 1. Explain that in civil and criminal cases, the scope of an investigation is often defined by search warrants or subpoenas that specify what data can be recovered.


2. Point out to the students that having a plan they deliberately revise along the way is much better than searching for evidence haphazardly.

Preparing for the Examination 1. Explain the ten basic steps for all digital forensics examinations. 2. Point out to the students that the first task for all digital forensics examinations is to preserve all evidence.

Planning the Examination 1. Explain that it is important to refine the examination plan as much as possible by trying to determine what the case requires. 2. Point out to the students that before they initiate any analysis of data, it is extremely important to preserve the data on all solid-state devices such as solid-state drives (SSDs) and flash drives.

Performing the Examination 1. Explain that there are three basic (not all-inclusive) steps to follow for all digital forensics examinations: preparing, conducting, and reporting. 2. Point out to the students that these steps have to be modified as needed depending on the requirements of the examination.

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail. [return to top]

KEY TERMS
Bitmap images: Collections of dots, or pixels, in a grid format that form a graphic. See also pixels.
Bit-shifting: The process of shifting one or more digits in a binary number to the left or right to produce a different value.
Block-wise hashing: The process of hashing all sectors of a file and then comparing them with sectors on a suspect's drive to determine whether there are any remnants of the original file that couldn't be recovered.
Carving: The process of recovering file fragments that are scattered across a disk.
Cover-media: In steganalysis, the original file with no hidden message. See also stego-media.
Data compression: The process of coding data from a larger form to a smaller form.
Demosaicing: The process of converting raw picture data to another format, such as JPEG or TIF.
Exchangeable Image File (Exif): A file format the Japan Electronics and Information Technology Industries Association (JEITA) developed as a standard for storing metadata in JPEG and TIF files.
Fair use: A guideline that describes the free use of copyrighted material for news reports, critiques, noncommercial use, and educational purposes.
False positives: The results of keyword searches that contain the correct match but are not relevant to the investigation.


Geolocation: For mobile computing devices with global positioning satellite (GPS) receivers, such as smartphones, tablets, or advanced digital cameras, the latitude and longitude of a still or motion picture file, recorded in the file's metadata when the feature is turned on.
Key escrow: A technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
Known File Filter (KFF): An AccessData database containing the hash values of known legitimate and suspicious files. It is used to identify files that are possible evidence or to eliminate files from an investigation if they are legitimate.
Least significant bit (LSB): The lowest valued bit in a byte, which is typically displayed from right to left as 00000001, where 1 is the lowest value in a byte.
Lossless compression: A compression method in which no data is lost. With this type of compression, a large file can be compressed to take up less space and then be uncompressed without any loss of information.
Lossy compression: A compression method that permanently discards bits of information in a file. The removed bits of information reduce image quality.
Metafile graphics: Graphics files that are combinations of bitmap and vector images. See also bitmap images and vector graphics.
Most significant bit (MSB): The highest valued bit in a byte, which is typically displayed from right to left as 10000000, where 1 is the highest value in a byte.
Nonstandard graphics file formats: Less common graphics file formats, including proprietary formats, newer formats, formats that most image viewers do not recognize, and old or obsolete formats.
Pixels: Small dots used to create images; the term comes from "picture element."
Rainbow table: A file containing the hash values for every possible password that can be generated from a computer's keyboard.
Raster images: Collections of pixels stored in rows rather than a grid, as with bitmap images, to make graphics easier to print; usually created when a vector graphic is converted to a bitmap image. See also pixels.
Raw file format: A file format typically found on higher-end digital cameras; the camera performs no enhancement processing, hence the term "raw." This format maintains the best picture quality, but because it is a proprietary format, not all image viewers can display it.
Resolution: The density of pixels displayed onscreen, which governs image quality.


Salting passwords: Adding bits to a password before it is hashed so that a rainbow table cannot find a matching hash value to decipher the password. See also rainbow table.
Salvaging: Another term for carving, used outside North America. See also carving.
Scope creep: The result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required.
Standard graphics file formats: Common graphics file formats that most graphics programs and image viewers can open.
Steganalysis: The analysis of files that may contain steganographic data.
Steganography: A technique for embedding information in another file for the purpose of hiding that information from casual observers.
Stego-media: In steganalysis, the file that contains the hidden message. See also cover-media.
Vector graphics: Graphics based on mathematical instructions to form lines, curves, text, and other geometric shapes.
Vector quantization (VQ): A form of compression that uses an algorithm similar to rounding off decimal values to eliminate unnecessary bits of data.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists); they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Copyright Issues (Duration 20 minutes) a. Copyright protects "original works of authorship" that are fixed in a tangible form of expression. Anything that would ordinarily be copyrighted through non-computer means and is now being created on digital media is considered to be copyrighted, as long as the process for obtaining a copyright has been followed. b. What can be done to media files to ensure that the process to obtain the copyright was followed? Answer: The use of digital watermarks is a common means of asserting that a work is copyrighted. These watermarks can be visible, such as a logo or a copyright symbol ©, or invisible, such as modifying the file's LSBs into a known unique pattern. c. What is the fair use guideline in this context? Answer: The fair use guideline is a common exemption from copyright that permits the use of copyrighted material, for example for news reporting and critique, and also for noncommercial and educational purposes. However, the distinction between fair use and copyright infringement is often a matter of debate.
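The following is an added example, not code from the textbook or the instructor manual. It implements the LSB substitution technique named in the answer above and in the steganography section of the module outline: the least significant bit of each pixel sample is replaced by one bit of the payload, which moves no sample by more than one level and so is invisible to a viewer. The same routine serves both purposes the module mentions, hiding a message and embedding an invisible copyright watermark. The cover-media is a constructed array of raw 8-bit grayscale samples (no image file format or imaging library is involved), and the comparison function is the simplest steganalysis: measuring how the stego-media differs from the cover-media when the original is available.

```python
"""LSB substitution: hiding a message or watermark in pixel samples (added example).

Not code from the textbook. COVER is a constructed gradient of raw 8-bit samples.
"""
from typing import Dict, List


def _to_bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits: List[int]) -> bytes:
    """Inverse of _to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 32-bit big-endian length followed by the payload into the LSBs of
    successive samples, so that extraction knows where the message ends."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = _to_bits(message)
    if len(bits) > len(cover):
        raise ValueError(f"cover has room for only {len(cover) // 8 - 4} payload bytes")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many payload bytes."""
    lsbs = [sample & 1 for sample in stego]
    length = int.from_bytes(_from_bits(lsbs[:32]), "big")
    if 32 + 8 * length > len(lsbs):
        raise ValueError("length prefix exceeds cover size: not an LSB message")
    return _from_bits(lsbs[32:32 + 8 * length])


def compare_media(cover: bytes, stego: bytes) -> Dict[str, float]:
    """Steganalysis by comparison with the cover-media: how many samples changed
    and by how much. LSB substitution never moves a sample by more than 1, which
    is why it is invisible, and why it is obvious once the original is in hand."""
    deltas = [abs(a - b) for a, b in zip(cover, stego)]
    changed = sum(1 for d in deltas if d)
    return {"changed_samples": changed, "max_delta": max(deltas),
            "changed_fraction": changed / len(cover)}


# Constructed cover-media: 4096 grayscale samples forming a smooth gradient.
COVER = bytes((i // 16) % 256 for i in range(4096))
WATERMARK = b"(c) 2022 Example Studio - all rights reserved"

if __name__ == "__main__":
    stego = embed_lsb(COVER, WATERMARK)
    print("extracted:", extract_lsb(stego))
    print("difference from cover:", compare_media(COVER, stego))
```

Without the cover-media, detection has to rely on statistics: in a natural photograph the LSB plane is not uniformly random, and a large run of embedded data flattens it, which is what steganalysis tools test for.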

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Analyzing Exif photo metadata]: This activity can be conducted with students working alone or in pairs. Provide the students with a set of photos in Exif-JPEG format and ask the students to identify the ones that came from the same source by identifying the device information. a. You can get image samples with complete Exif information easily on the Internet, e.g. https://pixelpeeper.com/photos. b. The students may use any Exif tool, e.g. EXIF Viewer (https://exifviewer.en.softonic.com), to verify the information in the images.
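The following is an added example, not code from the textbook or the instructor manual, that performs the activity above without an Exif viewer so the structure of the metadata is visible: it walks the JPEG segments, finds the Exif APP1 segment, parses the TIFF header (byte order and IFD0 offset) and the 12-byte IFD entries, and groups the photos by Make and Model. The sample "photos" are constructed by make_exif_jpeg(), which writes only the markers and an IFD0 with Make and Model tags and no picture data; the camera names are invented. ASCII values that fit in four bytes are stored inline in the entry and longer ones at an offset, and the parser handles both, as well as both byte orders.

```python
"""Reading camera make and model from Exif metadata (added example, not from the textbook).

The sample JPEGs are constructed by make_exif_jpeg(); the device names are invented.
"""
from typing import Dict, List, Optional, Tuple

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2  # Exif/TIFF type code for NUL-terminated ASCII strings


def make_exif_jpeg(make: str, model: str, order: str = "big") -> bytes:
    """Build a minimal JPEG (SOI, Exif APP1, EOI) whose IFD0 holds Make and Model."""
    strings = [(0x010F, make.encode() + b"\x00"), (0x0110, model.encode() + b"\x00")]
    ifd_offset = 8                                         # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * len(strings) + 4   # after count, entries, next-IFD link
    entries, extra = b"", b""
    for tag, value in strings:
        if len(value) <= 4:                                # short values are stored inline
            field = value.ljust(4, b"\x00")
        else:                                              # long values live at an offset
            field = (data_offset + len(extra)).to_bytes(4, order)
            extra += value
        entries += (tag.to_bytes(2, order) + ASCII.to_bytes(2, order)
                    + len(value).to_bytes(4, order) + field)
    tiff = ((b"MM" if order == "big" else b"II") + (42).to_bytes(2, order)
            + ifd_offset.to_bytes(4, order)
            + len(strings).to_bytes(2, order) + entries + (0).to_bytes(4, order) + extra)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + (len(payload) + 2).to_bytes(2, "big") + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def _parse_tiff(tiff: bytes) -> Dict[str, str]:
    """Parse IFD0 of the TIFF structure inside an Exif segment; ASCII tags only."""
    order = {b"II": "little", b"MM": "big"}[tiff[:2]]
    if int.from_bytes(tiff[2:4], order) != 42:
        raise ValueError("bad TIFF header in Exif segment")
    ifd = int.from_bytes(tiff[4:8], order)
    count = int.from_bytes(tiff[ifd:ifd + 2], order)
    tags: Dict[str, str] = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag = int.from_bytes(entry[0:2], order)
        typ = int.from_bytes(entry[2:4], order)
        n = int.from_bytes(entry[4:8], order)
        if typ != ASCII:
            continue
        if n <= 4:
            raw = entry[8:8 + n]
        else:
            offset = int.from_bytes(entry[8:12], order)
            raw = tiff[offset:offset + n]
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def read_exif_tags(jpeg: bytes) -> Dict[str, str]:
    """Walk the JPEG segments up to the scan data and parse the first Exif APP1
    segment found. Returns {} when the file carries no Exif."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker in (b"\xFF\xD9", b"\xFF\xDA"):           # EOI or SOS: no more metadata
            break
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if marker == b"\xFF\xE1" and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return {}


def group_by_device(photos: Dict[str, bytes]) -> Dict[Tuple[Optional[str], Optional[str]], List[str]]:
    """Group photo names by (Make, Model); files without Exif fall under (None, None)."""
    groups: Dict[Tuple[Optional[str], Optional[str]], List[str]] = {}
    for name, data in photos.items():
        tags = read_exif_tags(data)
        groups.setdefault((tags.get("Make"), tags.get("Model")), []).append(name)
    return groups


# Constructed sample set: three photos from two invented devices plus one without Exif.
PHOTOS = {
    "IMG_0001.jpg": make_exif_jpeg("ExampleCam", "Model A"),
    "IMG_0002.jpg": make_exif_jpeg("ExampleCam", "Model A", order="little"),
    "DSC_0100.jpg": make_exif_jpeg("OtherVendor", "X-1"),
    "download.jpg": b"\xFF\xD8\xFF\xD9",
}

if __name__ == "__main__":
    for device, names in group_by_device(PHOTOS).items():
        print(device, "->", names)
```

Make and Model identify a device type, not an individual camera; for the activity, students should also compare serial-number and software tags where the camera writes them, and remember that all of these values are plain editable strings.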

2. [Searching HTML steganography]: This activity can be conducted with students working alone or in pairs. Provide the students with a set of web pages in which the HTML hidden attribute may or may not be used and ask the students to find the messages within. a. You can produce some simple web pages (.html files) as described in several simple tutorials, e.g. https://www.w3schools.com/tags/att_global_hidden.asp and https://dev.to/ziizium/how-to-hide-web-page-elements-1be5 b. The students will open each web page by double-clicking it (which displays the page in a browser), and then view the page's source code by opening the .html file in a text editor or by using the browser's view-source option.

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions is logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions is mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions is not logically related and consistent.

Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer-reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer-reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer-reviewed journals and other scholarly work.

Research
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC

Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Author, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 9: Virtual Machine Forensics and Live Acquisitions Forensics

Instructor Manual Module 9 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 9: Virtual Machine Forensics and Live Acquisitions Forensics

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  An Overview of Virtual Machine Forensics
    Investigating Hypervisor Systems
    Other VM Examination Methods
  Performing Live Acquisitions
    Performing a Live RAM Acquisition in Windows
    Performing a Live Acquisition in Linux
    Selective File Live Acquisitions
  Remote Acquisition Tools
    Belkasoft Remote Acquisition
    F-Response Collect
    Magnet AXIOM Cyber – Remote Acquisition
  Using Microsoft’s File System Utility Command
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
    Standard Writing Rubric
    Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to show the students how to proceed with forensic analysis of virtual machines, as well as with live and remote acquisitions. Specifically, we discuss how to identify basic information about a virtual machine in a setting where information is acquired while the virtual machine is running (live acquisition), or when the virtual machine is accessed over a network (remote acquisition). To equip the students to perform such forensic activities, tools and techniques for this context are demonstrated. The examples cover the usual platforms, Windows and Linux (the Linux material can be generalized, to some extent, to macOS and Solaris, which are similar Unix-like operating systems).

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe virtual machines and virtual machine forensics.
2. Explain how live acquisitions are performed.
3. Describe tools used for remote acquisitions.
4. Explain how to use Microsoft’s File System Utility Command.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

AN OVERVIEW OF VIRTUAL MACHINE FORENSICS 1. Point out that virtual machines (VMs) are now common for both personal and business use, as they can help offset hardware costs for companies; in many companies, even full networks are virtual, which substantially reduces costs. 2. Explain that there are two types of hypervisors: type 1 and type 2.

Investigating Hypervisor Systems 1. Show the students some available products and help them understand the impact type 1 hypervisors have on forensics investigations. 2. Point out that, as with most other type 2 hypervisors, they can select different virtual hard drive types when creating a VirtualBox VM. 3. Explain the five-step procedure to conduct a forensics analysis of VMs.

Other VM Examination Methods 1. Explain to the students that by mounting a VM as a drive, they can make it behave more like a physical computer, which means they can use the standard examination procedures for a static hard drive. 2. Explain that another method of examining a VM is making a copy of its forensic image and then starting it as a live VM. 3. Point out the basic five steps to run forensics software on the image to search for clues, such as malware and penetration-testing tools.


PERFORMING LIVE ACQUISITIONS 1. Explain to the students that live acquisitions are especially useful when dealing with active network intrusions and attacks or if they suspect employees are accessing network areas they shouldn’t. 2. Point out that although investigators differ on the exact steps, the general procedure for a live acquisition consists of six steps. 3. Mention that there are also remote acquisitions, typically done on corporate networks.

Performing a Live RAM Acquisition in Windows 1. Explain that a live RAM acquisition gathers volatile evidence from a running system, physical or virtual, before it is lost. In RAM, they may find things such as passwords, login names, websites, data, instructions, and partially written items. 2. Point out that graphical user interface (GUI) tools are easy to use, but they often require a lot of system resources (which overwrites part of the very memory being captured) or may get false readings in Windows OSs.

Performing a Live Acquisition in Linux 1. Explain that live acquisitions in Linux differ from live acquisitions in Windows because there are many different flavors and kernels involved with Linux. 2. Point out to the students some good resources with more information on Linux live acquisitions.

Selective File Live Acquisitions 1. Explain that many investigations require the acquisition of only certain files rather than all the data on a disk. 2. Point out to the students that tools used for a selective live acquisition may include Windows command-line tools such as xcopy or robocopy, vendor tools such as FTK Imager or X-Ways Imager, or other commercially available e-discovery tools. Plain copy commands do not produce forensic images, so the hashes of the selected files should be recorded and documented.


REMOTE ACQUISITION TOOLS 1. Explain that most remote acquisition tools are very expensive and have special requirements to operate, such as administration privileges and knowledge of network configurations. 2. Point out to the students some of the most popular digital forensics remote acquisition tools currently available.

Belkasoft Remote Acquisition 1. Explain that Belkasoft R can perform remote acquisitions of a computer’s internal and externally connected drives (Macintosh and Windows), memory acquisitions of remote computers (Macintosh and Windows), and acquisitions of mobile devices (Android and iOS). 2. Point out that an SSL/TLS certificate can be set up between the server and the endpoint computer to encrypt communications for Windows systems.

F-Response Collect 1. Explain that F-Response provides a wide assortment of network management tools as well as scripts that can acquire data from cloud servers and individual files and conduct remote file share collections from network attached storage devices and remote Windows, Linux, and Apple servers.

Magnet AXIOM Cyber – Remote Acquisition 1. Explain that Magnet AXIOM Cyber can acquire disk and memory data from remote Windows computers and access various cloud services such as AWS S3 buckets and EC2 instances.

USING MICROSOFT’S FILE SYSTEM UTILITY COMMAND 1. Explain that, in some cases, malware programs will change their names and then delete themselves in an effort to hide their presence on a victim’s computer.

2. Point out to the students that, to examine whether files have been renamed on a computer, the Windows command-line tool fsutil (for example, fsutil usn readjournal C:, run from an elevated prompt) can be used to read the NTFS change-journal records stored in the $UsnJrnl:$J data stream. Each record carries the file name, a reason mask (file create, rename old name, rename new name, file delete, and so on), a time stamp, and the file reference number, so rename and delete events for the same file can be tied together even after its name has changed. The journal is a fixed-size buffer whose oldest records are overwritten, so it should be read early in an investigation.
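The rename-then-delete pattern described above can be picked out of fsutil output automatically. The following Python script is an added example, not from the textbook or this manual: it parses constructed sample records that mimic the field layout fsutil usn readjournal prints (the field labels in FIELD_RE are an assumption to adjust for your Windows version), decodes the reason mask with the documented USN_REASON_* bit values, groups records by file reference number, and reports every file that was renamed and later deleted, with its full name history.

```python
import re
from collections import defaultdict

# Documented USN_REASON_* bit flags (from winioctl.h).
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000

# Constructed sample of "fsutil usn readjournal C:" output (not real evidence).
# Field labels are assumed to match recent Windows versions; adjust FIELD_RE if yours differ.
SAMPLE_JOURNAL = """\
Usn               : 1000
File name         : dropper.exe
Reason            : 0x00000100: File create
Time stamp        : 3/14/2023 9:02:11
File ID           : 0000000000000000002200000001a2b3
Parent file ID    : 0000000000000000000500000000000d

Usn               : 1096
File name         : dropper.exe
Reason            : 0x00001000: Rename: old name
Time stamp        : 3/14/2023 9:02:40
File ID           : 0000000000000000002200000001a2b3
Parent file ID    : 0000000000000000000500000000000d

Usn               : 1192
File name         : svchost_update.tmp
Reason            : 0x00002000: Rename: new name
Time stamp        : 3/14/2023 9:02:40
File ID           : 0000000000000000002200000001a2b3
Parent file ID    : 0000000000000000000500000000000d

Usn               : 1288
File name         : svchost_update.tmp
Reason            : 0x80000200: File delete | Close
Time stamp        : 3/14/2023 9:03:05
File ID           : 0000000000000000002200000001a2b3
Parent file ID    : 0000000000000000000500000000000d

Usn               : 1384
File name         : report.docx
Reason            : 0x80000002: Data extend | Close
Time stamp        : 3/14/2023 9:05:00
File ID           : 0000000000000000002200000001a2b4
Parent file ID    : 0000000000000000000500000000000d
"""

FIELD_RE = re.compile(
    r"^\s*(Usn|File name|Reason|Time stamp|File ID|Parent file ID)\s*:\s*(.*?)\s*$"
)


def parse_usn_records(text):
    """Split fsutil output into one dict per record; a new 'Usn' line starts a record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and fields we do not use (e.g. "File name length")
        label, value = m.groups()
        if label == "Usn" and current:
            records.append(current)
            current = {}
        current[label] = value
    if current:
        records.append(current)
    for r in records:
        # Reason is printed as "0xHEX: description"; keep the numeric mask for bit tests.
        r["reason_mask"] = int(r["Reason"].split(":")[0], 16)
        r["Usn"] = int(r["Usn"])
    return records


def find_rename_then_delete(records):
    """Return {file ID: [name history]} for files renamed and then deleted."""
    by_file = defaultdict(list)
    for r in sorted(records, key=lambda r: r["Usn"]):  # USN order == chronological order
        by_file[r["File ID"]].append(r)

    suspicious = {}
    name_events = USN_REASON_FILE_CREATE | USN_REASON_RENAME_OLD_NAME | USN_REASON_RENAME_NEW_NAME
    for file_id, history in by_file.items():
        renamed_at, names = None, []
        for r in history:
            mask = r["reason_mask"]
            if mask & name_events and (not names or names[-1] != r["File name"]):
                names.append(r["File name"])
            if mask & USN_REASON_RENAME_NEW_NAME:
                renamed_at = r["Usn"]
            if mask & USN_REASON_FILE_DELETE and renamed_at is not None and r["Usn"] > renamed_at:
                suspicious[file_id] = names
    return suspicious


if __name__ == "__main__":
    hits = find_rename_then_delete(parse_usn_records(SAMPLE_JOURNAL))
    for file_id, names in hits.items():
        print(f"{file_id}: {' -> '.join(names)} (renamed, then deleted)")
```

On a real system, redirect fsutil usn readjournal C: to a file and feed that file to parse_usn_records; running fsutil on the live volume itself adds records to the journal, so note the time of collection in the log. Because the journal wraps, a file whose create record has already been overwritten shows up with only its later names.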

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail. [return to top]


KEY TERMS
Hypervisor: The software that runs virtual machines.
Order of volatility (OOV): A ranking of how long a piece of evidence persists before it is overwritten or lost; RAM contents and running processes might last only milliseconds, while data stored on hard drives can last for years. The most volatile items are collected first.
Remote acquisition: Imaging, or monitoring, a device over a network from another location, possibly many miles away.
Type 1 hypervisor: A virtual machine interface that loads on physical hardware and contains its own OS.
Type 2 hypervisor: A virtual machine interface that loads on a host OS and supports virtual machine OSs.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Hypervisors Overview
Duration: 20 minutes.
a. A virtual machine is an alternate OS that runs within an existing OS on a computer. A hypervisor is a software module that supports the installation of virtual machines, each one with its own OS.
b. What is the main difference between type 1 and type 2 hypervisors?
Answer: A type 1 hypervisor runs directly on the hardware and performs all OS functions itself. A type 2 hypervisor, by contrast, runs on top of a host OS, and it is the host OS that accesses the hardware.
c. From a user’s point of view, is there a difference between the types of hypervisors?
Answer: No. Whether installing or using a VM, the guest behaves the same way whether it is provided by a type 1 or a type 2 hypervisor.
d. From the perspective of a forensic professional acquiring evidence, is there a difference between the types of hypervisors?
Answer: Yes. With a type 2 hypervisor the host OS must also be considered: its file system holds the VM’s configuration, disk, log, and memory files, and its own state (running processes, RAM, logs) is part of the evidence. With a type 1 hypervisor there is no separate host OS to examine.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Analyzing VMware VM files]: This activity can be conducted with students working alone or in pairs. Provide the students with a VM created in VMware, saved as its VM files.
a. You can install VMware from the official web page and use it to install a VM on your own machine. It is important to pass the VM along to the students with the login information for the guest OS.
b. The students will need to install VMware on their own machines and then register their copy of the VM provided by the instructor.
c. Once the VM is running on the student’s own device, the students need to open a terminal on the host OS and identify the VMware files specific to the running VM. Namely, the students must be able to identify the .vmx configuration file, the .vmdk virtual disk, and the vmware.log file (an .ova or .ovf file is present only if the VM was exported or distributed as an OVF package). These files are in the directory chosen to hold the VM when it was created.

2. [Analyzing VirtualBox VM files]: This activity can be conducted with students working alone or in pairs. Provide the students with a VM created in VirtualBox, saved as its VM files.
a. You can install VirtualBox from Oracle’s official VirtualBox web page and use it to install a VM on your own machine. It is important to pass the VM along to the students with the login information for the guest OS.
b. The students will need to install VirtualBox on their own machines and then register their copy of the VM provided by the instructor.
c. Once the VM is running on the student’s own device, the students need to open a terminal on the host OS and identify the VirtualBox files specific to the running VM. Namely, the students must be able to identify the .vbox configuration file, the virtual disk (.vdi by default; VirtualBox can also use .vmdk or .vhd disks), and the VBox.log file in the VM’s Logs subdirectory (an .ova or .ovf file is present only if the VM was exported or distributed as an OVF package). These files are in the directory chosen to hold the VM when it was created.
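For both of the projects above, a small inventory script lets students identify and hash the VM files before anything is mounted or booted. The Python script below is an added example, not part of the textbook or this manual: it builds throwaway directories of constructed placeholder files (not real VM data) so it runs anywhere, walks a VM directory, hashes every file in chunks, labels each file by its role, and identifies the hypervisor from the configuration file rather than the disk format. The extension-to-role table is the editor's own summary of common VMware Workstation and VirtualBox file types.

```python
import hashlib
import os
import tempfile

# Files a VMware Workstation or VirtualBox VM directory typically holds, by extension
# (editor's summary; check the product documentation for your version). .ova/.ovf are
# export packages that exist only if someone exported the VM; they are not part of a
# running VM. .vmdk is VMware's native disk format, but VirtualBox can use it too, so
# the disk format alone does not identify the hypervisor.
VM_FILE_ROLES = {
    ".vmx":   ("VMware", "VM configuration"),
    ".vmdk":  ("VMware or VirtualBox", "virtual disk"),
    ".nvram": ("VMware", "BIOS/UEFI settings"),
    ".vmsd":  ("VMware", "snapshot metadata"),
    ".vmsn":  ("VMware", "snapshot state"),
    ".vmem":  ("VMware", "guest RAM from a suspend or snapshot"),
    ".vbox":  ("VirtualBox", "VM configuration"),
    ".vdi":   ("VirtualBox", "virtual disk"),
    ".sav":   ("VirtualBox", "saved guest state, including RAM"),
    ".ova":   ("export", "OVF package"),
    ".ovf":   ("export", "OVF descriptor"),
    ".log":   ("either", "hypervisor log"),
}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory_vm_dir(root):
    """Walk a VM directory; return one entry per file with size, hash and inferred role."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            product, role = VM_FILE_ROLES.get(ext, ("unknown", "not a recognised VM artifact"))
            entries.append({
                "path": os.path.relpath(path, root),
                "size": os.path.getsize(path),
                "sha256": sha256_of(path),
                "product": product,
                "role": role,
            })
    return sorted(entries, key=lambda e: e["path"])  # os.walk order is not stable


def identify_hypervisor(entries):
    """The configuration file, not the disk format, tells the products apart."""
    exts = {os.path.splitext(e["path"])[1].lower() for e in entries}
    if ".vmx" in exts:
        return "VMware"
    if ".vbox" in exts:
        return "VirtualBox"
    return "unknown"


def make_sample_vm_dir(product):
    """Create a throwaway directory of constructed placeholder files (not real VM data)."""
    root = tempfile.mkdtemp(prefix="vm-sample-")
    if product == "VMware":
        files = {
            "lab.vmx": b'config.version = "8"\n',
            "lab.vmdk": b"KDMV" + b"\0" * 60,  # placeholder carrying only the VMDK magic
            "lab.nvram": b"\0" * 16,
            "vmware.log": b"constructed log\n",
        }
    else:
        files = {
            "lab.vbox": b"<VirtualBox/>\n",
            "lab.vdi": b"<<< Oracle VM VirtualBox Disk Image >>>\n",  # placeholder header text
            os.path.join("Logs", "VBox.log"): b"constructed log\n",
        }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for product in ("VMware", "VirtualBox"):
        root = make_sample_vm_dir(product)
        entries = inventory_vm_dir(root)
        print(f"{root}: identified as {identify_hypervisor(entries)}")
        for e in entries:
            print(f"  {e['sha256'][:16]}...  {e['size']:>6}  {e['path']:<14}  {e['product']}: {e['role']}")
```

Hash the files before the VM is booted from a copy: starting a VM rewrites its logs and disk, so the inventory taken first is what later hashes are compared against. The .vmem and .sav files hold guest RAM and are where the volatile artifacts discussed under live acquisition can be found without running the guest at all.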

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points and the discussion rubric indicates 30 points.


STANDARD WRITING RUBRIC

Content
  Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
  Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
  Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
  Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
  Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
  Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research
  Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
  Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
  Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research (citations)
  Meets Requirements (5 points): The assignment follows the required citation guidelines.
  Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
  Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
  Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
  Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
  Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]


STANDARD DISCUSSION RUBRIC

Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.

[return to top]

Instructor Manual: Author, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 10: Network Forensics

Instructor Manual Module 10 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 10: Network Forensics

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Network Forensics Overview
  Network Forensics Standard Procedures
    Securing a Network
    Developing Procedures and Models for Network Forensics
    Effectively Reading Network Logs
  Exploring Common Network Forensics Tools
    Packet Analyzers
    Intrusion Detection and Intrusion Prevention Tools
  Investigating Virtual Networks
  Researching and Investigating Types of Attacks
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
    Standard Writing Rubric
    Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to show the students how to proceed with forensic analysis over a network environment that was likely the target of a cyber attack. As such, we introduce the basic concepts of network investigation and some common uses of network forensic tools. We also discuss how to conduct forensic analysis over a virtual network environment and some basic concepts of cyber security with a focus on kinds of attacks.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe network forensics.
2. Explain the process of a network investigation.
3. Use network forensics tools.
4. Describe virtual network forensics.
5. Describe how to research and investigate types of attacks.

MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.


NETWORK FORENSICS OVERVIEW 1. Explain to the students that when intruders break into a network, they leave a trail, and it is possible to spot variations in network traffic that can help track intrusions. 2. Point out that vulnerabilities in a network may also be a result of things such as the settings and validation options used when installing additional servers, such as a database server. 3. Mention that organizations must also decide how much data will be stored and for how long. This decision has an impact on any future network forensics investigation and should be made with that in mind.

NETWORK FORENSICS STANDARD PROCEDURES 1. Explain to the students that network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion incident. 2. Point out that investigative work is typically done by a cybersecurity group of information technology (IT) and digital forensics specialists along with representatives from the human resources and legal departments within an organization.

Securing a Network 1. Explain to the students that hardening a network includes a range of tasks, from applying the latest patches to using a layered network defense strategy. 2. Explain that the defense in depth (DiD) strategy has three modes of protection: people, technology, and operations. 3. Point out that small companies with fewer than ten employees often do not consider security precautions against internal threats necessary, so they can be more susceptible to problems caused by employees revealing proprietary information to competitors.

Developing Procedures and Models for Network Forensics 1. Explain to the students that log files are often examined along with forensic image files collected from devices as part of a digital forensics investigation. 2. Point out that there is a five-step standard procedure often used in network forensics.

Effectively Reading Network Logs 1. Explain that network logs record traffic of network servers, routers, firewalls, and other devices in and out of a network.


2. Point out to students that when viewing network logs, examining port information can provide clues to further the investigation. 3. Mention that network logs can show them patterns, such as an employee transmitting data to or from a particular IP address frequently.

EXPLORING COMMON NETWORK FORENSICS TOOLS 1. Explain that tools such as Splunk, Spiceworks, Nagios, and Cacti help network administrators monitor a network efficiently and thoroughly and provide evidence that can be used as part of a forensics investigation. 2. Point out to the students that the tools can also be used to monitor a network and shut down machines or processes that could be harmful.

Packet Analyzers 1. Explain that to fully understand what is happening on a network, they often have to look at the higher layers by using custom software that comes with switches and routers. 2. Point out to the students that packets include the source, destination, data, and other information about what is being transmitted. 3. Explain how and when to use information-extracting tools such as tcpslice, EtherApe, and Wireshark.

Intrusion Detection and Intrusion Prevention Tools 1. Explain that Snort is one of the more powerful network tools in the industry because it is an intrusion prevention system (IPS) and an IDS that can be used for network forensics. 2. Point out to the students that Snort has three modes: sniffer, packet logger, and network intrusion detection, but because this software is so popular, third-party tools have been developed as dashboards and administrative add-ins.

INVESTIGATING VIRTUAL NETWORKS 1. Explain that virtual switches grew out of the need to set up virtual machines (VMs) on isolated networks even when they reside on the same physical rack server as other virtual networks. 2. Mention that network forensics investigations in the cloud are hampered by the very qualities that make the cloud appealing: elasticity and flexibility. 3. Point out that Wireshark and NetworkMiner are two tools capable of analyzing virtual networks, but as these networks become more complex, newer or updated tools will be needed.


RESEARCHING AND INVESTIGATING TYPES OF ATTACKS 1. Explain what the Honeynet Project is, who its members are, and how it was developed to make information and security tools more widely available as part of an effort to thwart Internet and network attackers. 2. Explain in detail two of the biggest threats to security: the distributed denial-of-service (DDoS) attack and the zero-day attack. 3. Point out to the students that in any organization, they must determine the value of the data being protected and weigh it against the price of the defense system they plan to install. When an attack hits, their first response must be to stop the attack and prevent it from going further. 4. Docker and similar container technology allow organizations to set up honeypots on virtual networks. [return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail. [return to top]

KEY TERMS
Defense in depth (DiD): A network security approach created by the NSA that has three modes of protection: people, technology, and operations.
Distributed denial-of-service (DDoS) attack: A type of attack in which other online machines are used, without the owners’ knowledge, to launch an attack.
Honeypot: A computer set up to look like any other machine on a network; its purpose is to lure attackers to a network, but it contains no information of real value.
Honeywall: A computer set up to monitor what is happening to honeypots on a network and record what attackers are doing.
Layered network defense strategy: An approach to network security that involves hardening a network by setting up layers of protection to hide the most valuable data at the innermost part of the network; this approach ensures that the deeper into the network an attacker gets, the more difficult access becomes and the more safeguards the attacker encounters.
Network forensics: The process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network.
Packet analyzers: A device or software placed on a network to monitor traffic.
Zero-day attack: An attack launched before software vendors or network administrators have discovered a particular vulnerability; attackers look for holes in networks and OSs and exploit these weaknesses before patches are available.
Zombie: A computer used without the owner’s knowledge as part of a DDoS attack.

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Network Logs
Duration: 20 minutes.
a. Network servers, routers, firewalls, and other devices record logs about the traffic in and out of a network. The data stored in those logs represent useful information that can provide evidence of attacks.
b. Using typical commands such as tcpdump, what kind of information is it possible to retrieve?
Answer: The logs are typically textual files recording transport-level packet exchanges, giving the date and time, the protocol (usually TCP), the physical interface, the size of the packet, the origin IP address:port (from), and the destination IP address:port (to).
c. Given the log information obtained by commands such as tcpdump, how can you identify how frequently a given website was accessed?
Answer: You can count (automatically or manually) the number of exchanges coming from or going to the IP address(es) employed by the website under investigation.

2. Kinds of Attacks
Duration: 20 minutes.
a. One of the main reasons to perform forensic analysis is to investigate cyber attacks. The search for evidence is affected by the kind of attack under investigation. In this context, it is important to be aware of the more common kinds of cyber attacks.
b. What is the difference between a distributed denial-of-service attack and a zero-day attack?
Answer: The distributed denial-of-service attack is a kind of attack usually performed by machines used without their owners’ knowledge (zombies) that attack the target machine in order to overload it. The zero-day attack is an entirely different kind of attack, named as such not by the nature of the attack itself but by the fact that the attackers exploit a vulnerability of a system before the system owners are aware of the vulnerability's existence.

[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Packet analyzers]: This activity can be conducted with students working alone or in pairs. Provide the students with a tcpdump output file.
a. You can get samples of tcpdump output, as well as command-line commands to produce new tcpdump files, at the page https://hackertarget.com/tcpdump-examples/.
b. The students may use any text editor to find the IP addresses most frequently accessed from the machine under investigation. This is done by counting which IP addresses appear most frequently in the "to" field of the log.
c. The students may use any text editor to find the IP addresses that have accessed the machine under investigation most frequently. This is done by counting which IP addresses appear most frequently in the "from" field of the log.
[return to top]
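The counting described in discussion question 1 (how often a website was accessed) and in steps b and c of this project (the most frequent "to" and "from" addresses) can be automated. The following Python script is an added example and is not code from the textbook or its instructor manual. The log lines are constructed for the example and mirror the default "timestamp IP src.port > dst.port: Flags [..]" layout of `tcpdump -n`; 10.0.0.5 is a hypothetical machine under investigation, and the function names are the example's own.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture). 10.0.0.5 is the
# hypothetical machine under investigation; the other addresses come from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
10:01:02.100000 IP 10.0.0.5.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
10:01:02.120000 IP 203.0.113.10.443 > 10.0.0.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:02.121000 IP 10.0.0.5.51000 > 203.0.113.10.443: Flags [.], ack 3, win 502, length 0
10:01:02.300000 IP 10.0.0.5.51000 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 3, win 502, length 517
10:01:05.000000 IP 10.0.0.5.51001 > 203.0.113.10.443: Flags [S], seq 9, win 64240, length 0
10:01:07.000000 IP 10.0.0.5.51002 > 198.51.100.7.80: Flags [S], seq 5, win 64240, length 0
10:01:07.050000 IP 198.51.100.7.80 > 10.0.0.5.51002: Flags [S.], seq 6, ack 6, win 65535, length 0
10:01:09.000000 IP 198.51.100.23.40022 > 10.0.0.5.22: Flags [S], seq 7, win 29200, length 0
10:01:09.000500 IP 198.51.100.23.40023 > 10.0.0.5.22: Flags [S], seq 8, win 29200, length 0
10:01:09.000900 IP 198.51.100.23.40024 > 10.0.0.5.22: Flags [S], seq 9, win 29200, length 0
10:01:10.000000 IP 10.0.0.5.51003 > 203.0.113.10.443: Flags [S], seq 11, win 64240, length 0
"""

# The last dot-separated token of each endpoint is the port (tcpdump's own
# convention); the greedy address group backtracks to leave it for the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>[\w.:]+)\.(?P<sport>\w+) > (?P<dst>[\w.:]+)\.(?P<dport>\w+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_tcpdump(text):
    """Return one dict per parsable line. ARP lines, truncated lines and
    anything else that does not match are skipped instead of aborting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = rec["flags"] or ""
            records.append(rec)
    return records


def count_to(records, host):
    """Packets sent by host, keyed by the 'to' (destination) address."""
    return Counter(r["dst"] for r in records if r["src"] == host)


def count_from(records, host):
    """Packets received by host, keyed by the 'from' (source) address."""
    return Counter(r["src"] for r in records if r["dst"] == host)


def count_connections(records, host, outbound=True):
    """Connection attempts (a bare SYN, flags 'S') keyed by the peer address.
    Raw packet counts grow with page size and retransmissions, so they
    overstate how often a site was visited; one SYN per connection does not."""
    if outbound:
        return Counter(r["dst"] for r in records
                       if r["src"] == host and r["flags"] == "S")
    return Counter(r["src"] for r in records
                   if r["dst"] == host and r["flags"] == "S")


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_LOG)
    host = "10.0.0.5"
    print("most contacted (packets):", count_to(recs, host).most_common(3))
    print("most frequent peers (packets):", count_from(recs, host).most_common(3))
    print("outbound connections:", dict(count_connections(recs, host)))
    print("inbound connection attempts:", dict(count_connections(recs, host, outbound=False)))
```

Counting packets reproduces what the students do by hand with a text editor; counting SYNs separates "how many times the site was visited" from "how much data moved", and the inbound SYN count exposes a burst of attempts from a single peer that a packet total would hide among normal traffic.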

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Content
  Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
  Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
  Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
  Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
  Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
  Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Research
  Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
  Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
  Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Research
  Meets Requirements (5 points): The assignment follows the required citation guidelines.
  Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
  Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
  Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
  Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
  Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC

Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 11: Cloud Forensics and the Internet of Anything

Instructor Manual Module 11 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 11: Cloud Forensics and the Internet of Anything

TABLE OF CONTENTS
Purpose and Perspective of the Module ... 3
List of Student Downloads ... 3
Module Objectives ... 3
Module Outline ... 4
  An Overview of Cloud Computing ... 4
    History of the Cloud ... 4
    Cloud Service Levels and Deployment Methods ... 4
    Cloud Vendors ... 5
    Basic Concepts of Cloud Forensics ... 5
  Legal Challenges in Cloud Forensics ... 5
    Service-Level Agreements ... 5
    Jurisdiction Issues ... 6
    Accessing Evidence in the Cloud ... 6
  Technical Challenges in Cloud Forensics ... 6
    Architecture ... 7
    Analysis of Cloud Forensic Data ... 7
    Anti-Forensics ... 7
    Incident First Responders ... 7
    Role Management ... 8
    Standards and Training ... 8
    Acquisitions in the Cloud ... 8
  Conducting a Cloud Investigation ... 9
    Investigating CSPs ... 9
    Investigating Cloud Customers ... 9
    Understanding Prefetch Files and Artifacts ... 9
    Examining Stored Cloud Data on a PC ... 10
    Using Cloud Forensics Tools ... 10
  An Overview of the Internet of Things, the Internet of Anything, and the Internet of Everything ... 10
    Technologies Supporting the Growth of the Internet of Things ... 11
  Categories of the Internet of Anything ... 11
    Consumer Internet of Things ... 11
    Commercial Internet of Things ... 11
    Industrial Internet of Things ... 12
    Infrastructure Internet of Things ... 12
    Internet of Military Things ... 12
  Forensics of the Internet of Anything ... 13
Note About Live Virtual Machine Labs ... 14
Key Terms ... 14
Discussion Questions ... 17
Additional Projects ... 18
Appendix ... 19
  Generic Rubrics ... 19
    Standard Writing Rubric ... 20
    Standard Discussion Rubric ... 21


PURPOSE AND PERSPECTIVE OF THE MODULE
The purpose of this module is to show the students the principles of conducting forensic analysis in a cloud environment. To do so, the students are introduced to the basic concepts of the cloud and of the Internet of Anything (IoA), which encompasses the currently available resources on the Internet plus the foreseeable future resources in terms of processing and storage capabilities. As digital forensic investigators, the students should therefore be able to perform forensic analysis in the cloud, because much of the data they will encounter is now handled in such an environment.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe the main concepts of cloud computing.
2. Summarize the legal challenges in conducting cloud forensics.
3. Explain the technical challenges associated with cloud forensics and how to acquire cloud data.
4. Explain how to conduct a cloud investigation and describe some of the commonly used tools.
5. Define the Internet of Anything.
6. Describe the five main categories of the Internet of Anything.
7. Explain the challenges of forensics on the Internet of Anything.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

AN OVERVIEW OF CLOUD COMPUTING
1. Explain to the students that the development of commercially available cloud computing started at the beginning of the 2000s.
2. Point out that cloud services have allowed companies to migrate email services to the cloud for employees anywhere in the world to access, and individuals can use these services to sync their devices and back up their personal data to the cloud.
3. Mention that cloud computing offers many benefits to individuals and organizations while also introducing some unique challenges in connection with digital forensics investigations.

History of the Cloud
1. Explain to the students that the idea of cloud computing came from several people.
2. Point out that in 1968, the ARPA Program Plan No. 723, Resource Sharing Computer Networks, was initiated to engineer a solution for sharing networked resources.
3. Mention that in 1999, Salesforce.com developed a customer relationship management (CRM) web service that applied digital marketing research to business subscribers so they could do their own market analysis; this service eventually led the way to the development of the cloud.

Cloud Service Levels and Deployment Methods
1. Explain to the students that the National Institute of Standards and Technology (NIST) outlines three basic service levels for cloud computing: SaaS, PaaS, and IaaS.
2. Point out that there are four available cloud deployment methods: public, private, community, and hybrid.


Cloud Vendors
1. Explain to the students that cloud service providers use a variety of approaches and systems to build their cloud systems, such as servers using distributive processing methods with data farms for storage, or mainframes running OSs as virtual machines (VMs).
2. Point out some CSPs and cloud applications, summarizing their respective functions and uses.

Basic Concepts of Cloud Forensics
1. Explain to the students that when intruders break into a network they leave a trail, and it is possible to spot variations in network traffic that can help track intrusions.
2. Point out that forensic tools should have the capabilities to handle acquiring data from a cloud, such as forensic data collection; elastic, static, and live forensics; evidence segregation; and investigations in virtualized environments.
3. Mention that becoming proficient as a cloud manager on platforms like vSphere takes a few years of experience in maintaining these systems.

LEGAL CHALLENGES IN CLOUD FORENSICS
1. Explain to the students that laws have not kept up with the implications of storing files and data in locations that are not physically within reach, due to technology’s rapid changes.
2. Point out the contract obligations a CSP has to its cloud users and how warrants and subpoenas are applied to CSPs and users.

Service-Level Agreements
1. Explain to the students that a cloud service agreement (CSA) describes what services are being provided and at what level.
2. Explain that the Cloud Standards Customer Council has published guidelines to help customers understand their rights and responsibilities in the Practical Guide to Cloud Service Agreements.
3. Point out that digital forensics examiners should be most concerned with restrictions applied to customers and security measures.


4. Mention that even if a contract delineates access to data and processes for acquiring it, a country’s laws might expand, limit, or even reject the rights specified in the contract’s terms.

Jurisdiction Issues
1. Explain to the students that no law ensures uniform access or required handling procedures for the cloud, so cases that encompass multiple jurisdictions raise a variety of concerns for investigators.
2. Point out that although the CSA or associated contracts and addenda can prescribe what laws are enforceable, they do not usually control privacy issues and criminal or civil procedures.
3. Mention that some problems are as fundamental as establishing definitions of terms and roles and determining which law is applicable.

Accessing Evidence in the Cloud
1. Explain to the students that they need to know where the evidence may be located in order to effectively conduct their investigation.
2. Point out that cloud forensics typically involves litigation of criminal or civil matters.
3. Mention and describe the five mechanisms the government can use to get electronic information from a provider: search warrants, subpoenas, subpoenas with prior notice to the subscriber or customer, court orders, and court orders with prior notice to the subscriber or customer.

TECHNICAL CHALLENGES IN CLOUD FORENSICS
1. Explain that cloud forensics procedures combine many computing and networking tasks such as data recovery, network analysis to detect intrusions, database administration and security, software security, and international relations.
2. Point out to the students that the Cloud Forensics Capability Maturity Model explores the needs, processes, and responsibilities of both customers and the CSP during an incident response to a VM compromised in a cloud environment.
3. Mention the list of challenges in conducting cloud forensics.


Architecture
1. Explain that no two CSPs are configured in exactly the same way.
2. Point out to the students that identifying data storage locations can be a problem because most CSPs keep these locations confidential for security reasons.

Analysis of Cloud Forensic Data
1. Explain that analyzing digital evidence collected from a cloud requires verifying the data against other data and log records.
2. Point out to the students that examining logs can be useful to compare the modified, last access, and create (MAC) dates and times for files.

Anti-Forensics
1. Explain that anti-forensics tactics to destroy ESI that is potential evidence are used in cloud environments as well as in other network environments.
2. Point out to the students that additional methods for anti-forensics include inserting malware programs in other files, using encryption to obfuscate malware programs activated through other malware programs, and using data-hiding utilities that append malware to existing files.

Incident First Responders
1. Explain that CSPs have personnel trained to respond to network incidents, such as legal advisors and system and network administrators who handle normal support services for the cloud.
2. Point out to the students that forensics examiners should organize CSP staff to handle first responder tasks in case a CSP does not have an internal first responder team.


Role Management
1. Explain that role management in the cloud covers data owners, identity protection, users, access controls, and so forth.
2. Point out that an investigator needs to collect information so that they can identify additional victims or suspects.

Standards and Training
1. Explain that the standardization of cloud architectures for operating procedures, interoperability, testing, validation, and so on has become more established.
2. Point out to the students some resources for cloud forensics training and their use.
3. Explain that cloud investigators should have an understanding of cloud architecture in addition to basic digital and network forensics skills.

Acquisitions in the Cloud
1. Explain that the methods used to collect evidence in cloud investigations depend on the nature of the case.
2. Mention that for e-discovery and investigations that require collecting specific files and recovering deleted artifacts, the standard acquisition methods must be used, whether they are static or remote acquisitions.
3. Point out that many CSPs and third parties offer encryption services for cloud users as a security measure, so students should expect to encounter encrypted files in cloud investigations.
4. Cite that there are many encryption services for cloud data available from vendors.
5. Explain that homomorphic encryption uses an “ideal lattice” mathematical formula to encrypt data and to make encryption more difficult to break.


CONDUCTING A CLOUD INVESTIGATION
1. Explain that the type of incident determines how to proceed with planning the investigation.
2. Mention the importance of taking a methodical approach to digital forensics examinations and using this same approach when investigating cloud incidents.

Investigating CSPs
1. Explain that CSPs such as AWS, Microsoft Azure, and Google Cloud usually have incident response teams trained to handle events such as cyberattacks and responding to e-discovery demands.
2. Mention the five main questions to ask as an investigator to understand how the CSP is set up when the CSP has no team or limited staff.

Investigating Cloud Customers
1. Explain that cloud customers access CSPs through computers and mobile devices such as tablets and smartphones, and they can do this through a website, an app, or other methods.
2. Point out to the students that if a cloud customer does not have the CSP’s application installed, they might find cloud-related evidence in a web browser’s cache file.

Understanding Prefetch Files and Artifacts
1. Explain that to reduce the time it takes to start applications, Microsoft created prefetch files, which contain the .dll pathnames and metadata used by an application.
2. Point out to the students that in a prefetch file, the application’s create date and time are at offset 0x80, the modified date and time are at offset 0x88, the last-access date and time are at offset 0x90, and the record date and time are at offset 0x98.
3. Mention that the prefetch file can tell you how many times an application has run along with the disk it was installed on.
4. Remind students that prefetch programs can search for deleted items, malware, programs run from a USB drive, and traces of files that were wiped.
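To make the offsets in item 2 concrete, here is an added Python example; it is not code from the textbook or its instructor manual. It assumes each value at those offsets is a little-endian 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), builds a constructed, zero-filled stand-in buffer rather than reading a real .pf file, and the function names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets named in the module outline for the four timestamps.
# Assumption for this example: each is a little-endian FILETIME.
PREFETCH_TIMESTAMP_OFFSETS = {
    "create": 0x80,
    "modified": 0x88,
    "last_access": 0x90,
    "record": 0x98,
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count (100 ns units) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample buffer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def read_prefetch_timestamps(data):
    """Return {name: datetime} for the four timestamps at the outline's offsets.
    Refuses a buffer that is too short (truncated file) or that still carries
    the MAM compression header Windows 10 writes, since the offsets only make
    sense on decompressed content. A zero tick count is reported as None
    rather than as 1601-01-01, so an unset field is not mistaken for a date."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch file; decompress before parsing")
    needed = max(PREFETCH_TIMESTAMP_OFFSETS.values()) + 8
    if len(data) < needed:
        raise ValueError(f"buffer of {len(data)} bytes is shorter than {needed}")
    out = {}
    for name, off in PREFETCH_TIMESTAMP_OFFSETS.items():
        (ft,) = struct.unpack_from("<Q", data, off)
        out[name] = filetime_to_datetime(ft) if ft else None
    return out


def build_sample_prefetch(timestamps, size=0x100):
    """Constructed stand-in for a decompressed prefetch file: a zero-filled
    buffer carrying the SCCA signature at offset 4 and the given datetimes at
    the outline's offsets. It is not a real .pf file."""
    buf = bytearray(size)
    buf[4:8] = b"SCCA"
    for name, off in PREFETCH_TIMESTAMP_OFFSETS.items():
        struct.pack_into("<Q", buf, off, datetime_to_filetime(timestamps[name]))
    return bytes(buf)


# Constructed sample values (not from a real system).
SAMPLE_TIMES = {
    "create": datetime(2022, 3, 15, 12, 0, 0, tzinfo=timezone.utc),
    "modified": datetime(2022, 3, 16, 8, 30, 0, tzinfo=timezone.utc),
    "last_access": datetime(2022, 3, 17, 17, 45, 10, tzinfo=timezone.utc),
    "record": datetime(2022, 3, 17, 17, 45, 11, tzinfo=timezone.utc),
}
SAMPLE_PF = build_sample_prefetch(SAMPLE_TIMES)

if __name__ == "__main__":
    for name, when in read_prefetch_timestamps(SAMPLE_PF).items():
        print(f"{name:12s} {when.isoformat() if when else 'unset'}")
```

The decoded times are UTC; converting them to the local time zone of the examined machine is a separate step, and the examiner should record which zone each reported value is in when comparing against the MAC times discussed earlier in the outline.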


Examining Stored Cloud Data on a PC
1. Point out that several vendors offer cloud storage to the public, such as Dropbox, Google Drive, and OneDrive.
2. Explain to the students that when installed, these services have storage space on a user’s computer that can be used when the user’s computer is offline, and they update cloud-stored files based on the user’s stored files.
3. Mention that because security is such an important issue with cloud storage, users must maintain control over access to their cloud accounts.
4. Explain the specifications and the different file handling and storage formats on Dropbox, Google Drive, and OneDrive.

Using Cloud Forensics Tools
1. Explain that in the early days of cloud forensics, many digital, network, and e-discovery tools were used to handle collecting and analyzing data from the cloud.
2. Point out some vendors with integrated tools that can be applied to cloud forensics, such as Forensic OpenStack Tools (FROST), F-Response, and Magnet AXIOM.

AN OVERVIEW OF THE INTERNET OF THINGS, THE INTERNET OF ANYTHING, AND THE INTERNET OF EVERYTHING
1. Explain that the Internet of Things (IoT), a term coined for a P&G presentation, refers to the network of devices connected to the Internet via embedded sensors and software that allow the devices to easily send and receive data.
2. Explain that the term Internet of Anything (IoA) was an exponential growth from IoT, encompassing all things that can be or will be connected to the Internet via various communications protocols.
3. Point out that the Internet of Everything (IoE), coined by Cisco Systems, differs from the IoT and the IoA in that it refers to a large, interconnected intelligent network.


4. Mention that IoE allows more data to be processed faster and considers people-to-people (P2P), machine-to-people (M2P), and machine-to-machine (M2M) connections.

Technologies Supporting the Growth of the Internet of Things
1. Explain that radio frequency identification (RFID) was introduced commercially to help organizations track inventory, and it provides an early example of a technology that allowed devices to connect with each other.
2. Point out to the students that connectivity between IoT devices now falls into three categories: Wi-Fi, Bluetooth, and cellular.

CATEGORIES OF THE INTERNET OF ANYTHING
1. Explain that IoT technology is grouped into the following five categories: Consumer Internet of Things, Commercial Internet of Things, Industrial Internet of Things (IIoT), Infrastructure Internet of Things, and Internet of Military Things (IoMT).
2. Point out to the students that each category uses similar types of technology; however, the devices and factors vary.

Consumer Internet of Things
1. Explain that the Consumer Internet of Things (CIoT) is made up of applications and devices designed for personal use, with a focus on where and how people live, what they wear, and what they drive.
2. Point out to the students that a great many kinds of devices access the Internet, such as smart appliances and smart homes, thermostats, smart televisions, garage door openers, electric vehicles, wearable computers, health and fitness wearables, and virtual assistants.

Commercial Internet of Things
1. Explain that the Commercial Internet of Things focuses mainly on sectors such as commercial, office, and large residential buildings, healthcare, entertainment, hotels, and travel, among others.
2. Point out to the students that IoT technology can be used to restrict access to buildings, to cut down on the amount of time people must wait in line to get in and out of parking facilities, for concert ticket access, and for applications and devices used in healthcare and medical care facilities.


Industrial Internet of Things
1. Explain that the Industrial Internet of Things (IIoT) covers sectors such as agriculture, energy, manufacturing, and supply-chain logistics, among others.
2. Point out to the students that the IIoT often interfaces with existing systems such as supervisory control and data acquisition (SCADA) systems.
3. Mention that tracking the location of valuable physical assets, such as vehicles, machinery, livestock, and tools, is critical in some industries.
4. Explain that on a broader scale, logistics and shipping companies have had to become more sophisticated as the global supply chain continues to grow more complex.

Infrastructure Internet of Things
1. Explain that the Infrastructure IoT includes technologies that manage infrastructure both for rural areas and for smart cities, through applications such as traffic control, energy, water and waste management, and public safety.
2. Point out to the students that thousands of IoT sensors are used to make smart cities more efficient. In some cases, the IoT for smart cities also allows for exchange of data.
3. Explain that the new IoT application, vehicle-to-vehicle (V2V) communication, allows vehicles to exchange information about their location, direction, and speed.
4. Highlight that waste and water management infrastructure is another critical part of the IoT-connected infrastructure in many cities and rural areas.
5. Mention that the public safety arena is particularly important in terms of the use of IoT sensors. For instance, tsunami warning sensors are placed on buoys that float in the ocean off the coasts of places around the world, including Hawaii and the Pacific Northwest of the United States.

Internet of Military Things
1. Explain that the Internet of Military Things (IoMT) covers the use of IoT technologies, such as military drones and body cameras, for military applications.
2. Point out to the students that the military is a vast network of people, machines, vehicles, and sensors, and the sheer enormity of the IoMT is one the average citizen does not likely consider.


3. Explain that the movement of people, machinery, and weapons is critical and is monitored via the IoMT, especially because drones are one way in which the military obtains information.
4. Mention that the number of items that make up the IoMT cannot be reliably determined because so many are sensitive from a security standpoint or are in the developmental phase; however, smart bases are one area of focus for the military.

FORENSICS OF THE INTERNET OF ANYTHING
1. Explain that addressing the challenges of the forensics of the Internet of Anything (IoA) requires one to return to the basics of forensics.
2. Point out to the students that there is a critical need to establish a digital chain of custody (DCoC) and address a myriad of other factors in cases involving IoT applications and devices.
3. Explain that when it comes to data breaches and hackers, forensics and security are interrelated, as cybersecurity is a significant area of concern across all categories of the IoT, and forensics investigations related to these devices and networks can be challenging.
4. Mention that trying to prevent and investigate IoT attacks is difficult in many industries where IoT sensors and devices were often designed for expediency and, in many instances, without security in mind.
5. Highlight that when it comes to forensics investigation, smart devices have sometimes been referred to as “invisible witnesses” because of the critical evidence they can provide.
6. Explain that a key point to consider in investigations involving IoT devices is the type of sensors in the devices, how they are connected to the Internet, and where the data is stored.

[return to top]


NOTE ABOUT LIVE VIRTUAL MACHINE LABS
The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane of each live virtual machine lab provides a list of learning outcomes that students should be able to demonstrate after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

KEY TERMS
Advanced metering infrastructure (AMI): A technology used for smart water metering, which helps local governments reduce operating costs and better manage water usage.
Amazon Key for Business: A system that provides Amazon delivery personnel with a time window to deliver packages to gated communities. They do not have to ring the person receiving the package; rather, they can use the electronic key to obtain entry to deliver the package.
Cloud service agreement (CSA): A contract between a cloud service provider and a cloud customer; also called a master service agreement or a service-level agreement (SLA). Any additions or changes to a CSA can be made through an addendum. See also cloud service provider (CSP).
Cloud service provider (CSP): A vendor that provides on-demand network access to a shared pool of resources (typically remote data storage or web applications).


Commercial Internet of Things: The segment of the IoT that focuses on businesses in sectors such as commercial, office, and large residential buildings, healthcare, entertainment, hotels, and travel, among others.
Community cloud: A shared cloud service that provides access to common or shared data.
Consumer Internet of Things (CIoT): The segment of the IoT that includes applications and devices created for the consumer market, such as smart watches and other wearables, smart speakers, smart appliances, and smart homes.
Deprovisioning: Deallocating cloud resources that were assigned to a user or an organization. See also provisioning.
Digital chain of custody (DCoC): The route that digital evidence takes from the time the investigator obtains it until the case is closed or goes to court; ensuring that the necessary data is preserved so that it can be presented in court is a critical part of the digital chain of custody. The number of sensors and devices in the IoT presents challenges in preserving the digital chain of custody.
Human machine interface (HMI): Part of a SCADA system that allows operators and engineers to monitor and interact with the system to make necessary updates.
Hybrid cloud: A cloud deployment model that combines public, private, or community cloud services under one cloud; segregation of data is used to protect private cloud storage and applications.
Industrial Internet of Things (IIoT): The segment of the IoT that includes sectors such as agriculture, energy, manufacturing, and supply chain logistics.
Infrastructure as a service (IaaS): A cloud computing model in which customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need; with this model, an organization supplies its own OS, applications, databases, and operations staff, and the cloud provider is responsible only for selling or leasing the hardware. See also cloud service provider (CSP).
Infrastructure Internet of Things: The segment of the IoT that includes technologies that improve efficiencies and manage infrastructure both for rural areas and for smart cities in applications such as traffic control, energy, water and waste management, and public safety.


Internet of Anything (IoA): A term that encompasses all things that can be or will be connected to the Internet via various communications protocols; the IoA could eventually include physical devices as well as intangible or virtual components, such as cloud-based services, software models, and virtual reality environments.
Internet of Battlefield Things (IoBT): The segment of the IoT that includes all the IoT-connected machinery, people, supplies, and weapons on the battlefield.
Internet of Everything (IoE): A term defined by Cisco as the interaction of people, data, processes, and devices.
Internet of Military Things (IoMT): The segment of the IoT that covers the use of IoT technologies, such as military drones and body cams, for military operations.
Internet of Things (IoT): The network of devices connected to the Internet via embedded sensors and software that allows them to easily send and receive data.
IoT edge device: A device located close to IoT sensors that can quickly perform analysis of data from devices that have little to no processing or storage; after the data is analyzed and sorted at the source, it is then sent to the cloud or central processing center.
Machine to machine (M2M): Communication between devices or sensors within the Internet of Everything.
Machine to people (M2P): Communication between humans and devices or sensors within the Internet of Everything.
Multitenancy: A cloud deployment approach in which more than one client’s data is on a server.
Operational technology (OT): The software and hardware used to identify, monitor, and manage physical devices and processes in various industries.
People to people (P2P): Communication between people within the Internet of Everything.
Platform as a service (PaaS): A cloud computing model in which an OS has been installed on a cloud server; the customer can use the platform to load their own applications and data. The cloud service provider (CSP) is responsible only for the OS and the hardware it runs on; the customer is responsible for everything else that they have loaded onto it. See also cloud service provider (CSP).


Private cloud: A cloud service dedicated to a single organization.
Provisioning: Allocating cloud resources, such as additional disk space. See also deprovisioning.
Public cloud: A cloud service that is available to the public.
Radio frequency identification (RFID): A technology that uses radio frequency waves to connect devices; introduced commercially to help track inventory.
Software as a service (SaaS): A cloud computing model in which applications are delivered via the Internet; with this cloud service level, a web hosting service typically provides applications for subscribers to use. See also cloud service provider (CSP).
Spoliation: The failure to preserve evidence.
Supervisory control and data acquisition (SCADA): A type of automated control system used in many industries to monitor processes and machines.
Vehicle to vehicle (V2V): Communication that allows vehicles to exchange information about their location, direction, and speed; predicted to become a way to allow buses, trains, and light rail to work together more efficiently.


DISCUSSION QUESTIONS
The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists); they are for you to use as you wish. You can assign these questions in several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class.

1. Encryption in the Cloud
Duration: 20 minutes.
a. Many CSPs (cloud service providers) and third parties offer encryption services for cloud users as a security measure, so you should expect to encounter encrypted files in cloud investigations.
b. To what extent should this affect your plan for performing a forensic investigation in the cloud?
Answer: Knowing how encryption is used in cloud computing helps you plan your investigation and data acquisition. Capturing encrypted data in the cloud is handled the same way as acquiring any encrypted digital evidence. You need assistance from the data owner (the cloud user) or the CSP to decrypt data with the right encryption key. If the data owner is uncooperative, you might need to turn to the attorneys handling the case or the data owner’s management and have them direct the data owner to provide the information needed to access files.
c. What are the possible states of data encrypted in the cloud?
Answer: Encrypted data in the cloud is in two states: data at rest (data that has been written to disk) and data in motion (data being transmitted over a network). Some systems also have encryption for data in use (data that is in RAM).

2. Cloud Forensic Technical Procedures
Duration: 20 minutes.
a. The technical dimension of cloud forensics deals with procedures and specialized applications designed to perform forensic recovery and analysis in the cloud.
b. What capabilities do forensics tools have for acquiring data from the cloud?
Answer: Forensic data collection; elastic, static, and live forensics; evidence segregation; and investigations in virtualized environments.

ADDITIONAL PROJECTS
The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists); they are for you to use if you wish.


1. [Cloud Service Levels]: This activity can be conducted with students working in pairs or trios. According to the National Institute of Standards and Technology (NIST), there are three service levels for cloud computing: SaaS, PaaS, and IaaS (software as a service, platform as a service, and infrastructure as a service, respectively). Ask the students to enumerate known cloud services and to classify each into one of the three service levels according to the NIST criteria. You can enhance this activity by adding a prior step in which students look for currently available services. They can refer to the basic service providers listed in the module text (Cloud Vendor section) to look for currently available services.


APPENDIX
GENERIC RUBRICS
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.


STANDARD WRITING RUBRIC

Criteria: Content
  Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
  Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
  Incomplete (0 points): The assignment does not address the questions in the assignment.

Criteria: Organization and Clarity
  Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
  Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
  Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Criteria: Research
  Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
  Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
  Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Criteria: Research
  Meets Requirements (5 points): The assignment follows the required citation guidelines.
  Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
  Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
  Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
  Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
  Incomplete (0 points): The assignment is incomplete or unintelligible.


STANDARD DISCUSSION RUBRIC

Criteria: Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.



Instructor Manual: Author, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 12: Mobile Device Forensics

Instructor Manual Module 12 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 12: Mobile Device Forensics

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
  Understanding Mobile Devices and Cellular Networks
    Types of Mobile Devices
    Cellular Networks
    Cell Phone Tower Communications
    Cell Phone Tracking
    Cell Phone Data Logs
  Mobile Device Evidence Sources
    Inside Mobile Devices
    Mobile Device Data
    Apple Advanced Data Protection
    SQLite Databases
  Mobile Device Security
    Mobile Device Management
    Apple Lost Mode
    File System Encryption
  Seizing and Securing Mobile Devices
    Isolating the Mobile Device
    Protecting the Mobile Device’s Data
  Mobile Device Evidence Extraction and Examination
    Preparing for an Acquisition
    Perform the Extraction
    Apple iOS Encrypted Backup
    Common Extraction Methods
    Advanced Extraction Methods
    Workflow Documentation and Verification
  Mobile Device Forensics Tools
    Andriller CE
    Belkasoft
    Cellebrite
    CellHawk
    DataPilot
    FQLite
    Magnet Forensics
    Micro Systemation AB
    MOBILedit Forensic
    Oxygen Forensics
    Paraben Software
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
  Generic Rubrics
    Standard Writing Rubric
    Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE
The purpose of this module is to show students how to proceed with forensic analysis of mobile devices. The module therefore discusses the procedures adopted for forensic investigation of mobile devices, including but not limited to smartphones. After presenting the main aspects of mobile device technologies, it discusses the security issues and the specific concerns involved in accessing and preserving data on mobile devices, with specific details for the operating systems of the most popular mobile devices (Android and Apple's iOS).

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter: ●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Describe the components of mobile devices and cellular networks.
2. Explain mobile device evidence sources.
3. Describe mobile device security features.
4. Explain mobile device acquisition processes.
5. Describe how to extract and analyze mobile device evidence.
6. Describe mobile device forensics tools.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

UNDERSTANDING MOBILE DEVICES AND CELLULAR NETWORKS
1. Point out that many people store more information on their smartphones and tablets than on computers because these devices have the same computing power as desktops of a few years ago.
2. Explain that because phones often contain private or sensitive information, any information that does not pertain to the case must be redacted from the public record.
Types of Mobile Devices
1. Point out that mobile devices include cell phones, tablets, drones, wearable devices, and personal digital assistant (PDA) devices.
2. Explain the different uses and features of each type of mobile device.
Cellular Networks
1. Explain to the students that the technology that allows mobile devices to communicate wirelessly around the world is divided into “generations,” each indicating specific characteristics of wireless technology that define a specific cellular network type.
2. Explain that most CDMA networks conform to the IS-95 standard, created by the Telecommunications Industry Association (TIA).
3. Point out five of the specific technologies introduced with 4G networks to improve speed and accuracy.
Cell Phone Tower Communications
1. Explain to the students that although cellular networks use different technologies, they operate on the same basic principles as digital networks.
2. Point out the three main components used for communication, and explain that geographic areas are divided into cells.
3. Mention that each cell tower has limitations in how many subscribers can connect to it at any one time; that is, the number of individual cell phone connections it can process.


Cell Phone Tracking
1. Explain that cell phones can be tracked by cellular providers and smartphone applications through Bluetooth, cell towers, global positioning system (GPS) satellites, and Wi-Fi networks.
2. Point out that devices such as the Stingray typically have two modes: a passive mode, which records data being transmitted between cell phones and cell towers and is referred to as an IMSI catcher, and an active mode, which produces a stronger signal than a cell tower, causing all cell phones in the immediate area to connect to it.
Cell Phone Data Logs
1. Explain that there are three types of cell phone log files that cellular carriers can provide to investigators: the call detail record (CDR) log, the cell-site location information (CSLI) log, and the cell phone pinging report.
2. Point out the specifics and uses of each of the three types of data logs.

MOBILE DEVICE EVIDENCE SOURCES
1. Explain to students that mobile devices are essentially cloud-enabled computing access terminals.
2. Point out that the data stored in or accessible with a mobile device can be divided into two categories: external storage and internal storage.
Inside Mobile Devices
1. Explain that mobile device hardware consists of a microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and a liquid crystal display.
2. Point out to the students that they should determine whether a mobile device uses soldered-on storage or user-removable memory cards, so that they can seize any memory cards that were used with the mobile device.
Mobile Device Data
1. Explain that cloud and web-based mobile device connectivity are both considered external storage, and that access to these services is via a cellular provider’s network or Wi-Fi services.
2. Point out four of the most common types of mobile device data.


Apple Advanced Data Protection
1. Explain that Apple Advanced Data Protection is a service that protects a user’s iCloud data with end-to-end encryption, so that only the user can decrypt the data.
2. Point out the three recovery methods for recovering a decryption key on an Apple device.
SQLite Databases
1. Explain that mobile devices employ SQLite as the database for storing data such as text messages, photos, and system configuration data.
2. Point out to students that recovering a deleted record from a mobile device’s SQLite database is only possible if a forensics acquisition is performed immediately after the record is deleted.
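To give students a concrete view of the SQLite teaching point above, the following is an added Python example; it is not code from the textbook, the instructor manual, or any forensics tool. It builds a constructed message table in a temporary database (the numbers and message bodies are made up), deletes one row the way an app would, and then shows that the row is gone from the table but its text is still present in the raw file bytes, which is what a carving tool recovers. A later VACUUM rebuilds the file and the text disappears, illustrating why a prompt acquisition matters. The example assumes SQLite's common configuration in which secure_delete is off; it sets that PRAGMA explicitly so the behaviour does not depend on how the local library was compiled.

```python
import os
import sqlite3
import tempfile

# Distinctive body so it can be located in the raw file. Constructed sample
# data, not from a real device.
DELETED_BODY = "CONSTRUCTED-SMS-BODY-7f3a9c rendezvous moved to 9pm"


def build_sample_db(path: str) -> None:
    """Create a small table shaped like an SMS store (constructed rows)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = DELETE")  # classic rollback journal
    conn.execute(
        "CREATE TABLE message ("
        "id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO message (address, date, body) VALUES (?, ?, ?)",
        [
            ("+15550000001", 1700000000, "lunch tomorrow?"),
            ("+15550000002", 1700000600, DELETED_BODY),
            ("+15550000003", 1700001200, "ok see you then"),
        ],
    )
    conn.commit()
    conn.close()


def delete_message(path: str, body: str) -> int:
    """Delete a row as an application would.

    With secure_delete off (assumed here, and set explicitly), SQLite only
    marks the cell's space as free inside the page; the bytes stay on disk
    until the space is reused or the file is rebuilt."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    cur = conn.execute("DELETE FROM message WHERE body = ?", (body,))
    conn.commit()
    conn.close()
    return cur.rowcount


def live_row_count(path: str) -> int:
    """What a normal query sees: only allocated (live) records."""
    conn = sqlite3.connect(path)
    (n,) = conn.execute("SELECT COUNT(*) FROM message").fetchone()
    conn.close()
    return n


def raw_file_contains(path: str, text: str) -> bool:
    """Carve-style check: scan the file bytes, ignoring the b-tree structure."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def vacuum(path: str) -> None:
    """VACUUM rewrites the file from live cells only, discarding free space."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo() -> dict:
    """Run the whole sequence in a temp dir and report each observation."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "mmssms.db")
        build_sample_db(db)
        result = {"rows_before": live_row_count(db)}
        result["deleted"] = delete_message(db, DELETED_BODY)
        result["rows_after_delete"] = live_row_count(db)
        result["raw_after_delete"] = raw_file_contains(db, DELETED_BODY)
        vacuum(db)
        result["raw_after_vacuum"] = raw_file_contains(db, DELETED_BODY)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `raw_file_contains` check is deliberately crude (a substring scan of the whole file); real tools such as the FQLite entry listed later in this module parse free blocks and freelist pages to reassemble whole records, but the underlying reason they can do so is the one shown here.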

MOBILE DEVICE SECURITY
1. Explain that mobile devices have built-in security features as well as third-party utilities designed to prevent unauthorized access.
Mobile Device Management
1. Point out that mobile device management (MDM) provides administrators with policy and technical controls for managing an organization’s mobile devices.
2. Mention that MDM tools include Microsoft Intune and Samsung Knox Manage.
3. Remark that extracting data when MDM is enabled is difficult or impossible, since MDM is designed to resist attempts by a mobile forensics extraction tool such as Cellebrite or XRY.
4. Explain that the presence of MDM may not be shown in the mobile device’s application directory, but its existence can be inferred by reviewing the mobile device’s screen timeout setting.
Apple Lost Mode
1. Point out that the lost mode feature is initiated remotely from the user’s iCloud account or the corporate MDM console.
2. Explain that when an Apple device is in lost mode, the device is locked and can only be accessed after entering a passcode.
3. Remark that when seizing an Apple mobile device, data may be destroyed through the Apple lost mode service.


File System Encryption
1. Point out that methods that encrypt data at rest and in motion are referred to as end-to-end encryption.
2. Explain that if a backdoor utility is available, law enforcement can obtain a search warrant to use it to recover encrypted data for an investigation, but that Google and Apple have refused to provide backdoor access to their encryption applications.
3. Explain to students the different message encryption processes used by Apple for iMessage and by Google for its messaging system.

SEIZING AND SECURING MOBILE DEVICES
1. Point out that the main concerns when working with mobile devices are loss of power, synchronization with cloud services, and remote wiping.
2. Explain that if examiners cannot determine whether the device was charged at the time of seizure, they must note this in their log and check whether the device is on and what the battery’s current charge level is; if it is off, they should keep it off.
Isolating the Mobile Device
1. Point out that because mobile devices are often designed to synchronize with applications, any mobile device attached to a PC or tablet via a USB cable or micro-USB cable should be disconnected immediately.
2. Explain that students should collect the suspect computer and any peripheral devices to determine whether the hard drive contains any backup data from the mobile device.
Protecting the Mobile Device’s Data
1. Point out that it is important to make sure that nothing on the mobile device is altered from the time it is seized, including, for instance, the device receiving new data such as a new text message.
2. Mention that there are four options for isolating the device from incoming signals.
3. Explain that the battery of a mobile device placed in a Faraday bag can also be drained if the device is not in airplane mode.


MOBILE DEVICE EVIDENCE EXTRACTION AND EXAMINATION
1. Point out that students should research the specific mobile device’s features before performing any data extractions.
2. Explain that the best method of retrieving information from a mobile device is by acquiring a forensic image, which might enable the recovery of deleted text messages and similar data.
3. Mention that an alternative method of examining a mobile device is to connect it to a computer’s USB port with a USB write-blocker, but its passcode is needed to do so.
Preparing for an Acquisition
1. Point out that a static type of acquisition is not possible, as mobile device acquisitions are more aligned with live acquisitions in that they require the device to be powered on and logged into at the time of the acquisition.
2. Explain that there are steps for acquisition preparation, such as charging the phone’s battery to at least 80% before starting the extraction, checking the data port for dirt or debris, and cleaning it with electrically nonconductive tools.
3. Expand on the specifics of forensics workstation preparation, configuring a suspect Android mobile device, configuring a suspect Apple mobile device, and mobile device storage needs.

Perform the Extraction
1. Point out that the general procedure for conducting a mobile device extraction has six steps.
2. Explain that after acquiring the mobile device’s internal data, the next step is to acquire any existing data from SIM or SD cards.
3. Remind students that with most SIM cards, they have three attempts at entering an access code before the device is locked, which then requires calling the service provider to get the personal unlock key (PUK) and waiting a certain amount of time before trying again.


Apple iOS Encrypted Backup
1. Point out that iOS encrypted backups contain additional information that may be more relevant to the investigation than the data present in an unencrypted backup.
2. Explain that the type of information found in an iOS encrypted backup can include saved passwords for other accounts, Wi-Fi settings, browser history, health data, and call history.
Common Extraction Methods
1. Point out the four types of extraction methods most commonly used for acquiring mobile devices.
2. Explain and describe the use of manual extraction, logical extraction, selective logical extraction, and physical extraction.
Advanced Extraction Methods
1. Point out that mobile devices are particularly susceptible to damage, whether intentional or unintentional, and that evidence can still be recovered from a damaged smartphone.
2. Explain the four methods that should only be considered if the case is extremely important and there is no alternative for safely acquiring the evidence.

Workflow Documentation and Verification
1. Point out that the extraction process must not be interrupted, and that it should be monitored to maintain the integrity and chain of custody of the evidence.
2. Explain that mobile device extractions are known to routinely fail for a variety of reasons, so it is important to verify the extraction and to factor in time during the investigation for decoding and analysis.


MOBILE DEVICE FORENSICS TOOLS
1. Point out that there is no single tool that can perform every forensic investigative function for every mobile device.
2. Explain that it is necessary to be proficient with at least two tools and to be aware of other tools’ shortcomings, in case one tool alone is not enough to successfully extract or analyze data from a mobile device.
Andriller CE
1. Explain that Andriller CE is a freeware Python script designed to perform forensic acquisitions and analysis on Android smartphones and tablets.
2. Point out the steps and specific information for installing and applying Andriller CE to perform extractions.
3. Mention that when Andriller finishes, it automatically opens an HTML extraction report in the default web browser.
Belkasoft
1. Explain that Belkasoft Evidence Center X is a commercially sold, all-in-one digital forensics solution.
2. Point out to students that Belkasoft is one of the easier tools to use when conducting Apple iCloud acquisitions.
3. Explain that depending on the device being examined, this software suite can decode a variety of user artifacts, including chat messages, browser behavior for traditional or mobile devices, and geolocation and multimedia artifacts for drones.
Cellebrite
1. Explain that Cellebrite is a commercially sold product that includes both a field extraction kit and analysis software for use on a laptop or desktop computer.
2. Point out that the kit is designed for nontechnical users, and it comes with a bag of various adapter cables for a wide range of mobile devices.
3. Explain that there are two types of hypervisors: type 1 and type 2.
CellHawk
1. Explain that Hawk Analytics’ CellHawk is a web-based software-as-a-service platform designed to analyze CDR.
2. Point out that processing CDR data with CellHawk allows an investigator to identify which cellular towers the mobile device was communicating with, the device’s location and movement over time, which phone numbers the device communicates with the most, and behavior analytics of the mobile devices themselves or with potential collaborators.
DataPilot
1. Explain that DataPilot is a commercially sold product that can extract data from Android, Apple, and KaiOS mobile devices.
2. Point out that it also includes case management and case analysis triage features and the ability to do searches and report analysis showing links between people and devices.
FQLite
1. Point out that virtual machines (VMs) are now common for both personal and business use, as they can help offset hardware costs for companies; in many companies, even full networks are virtual, which reduces costs substantially.
2. Explain that there are two types of hypervisors: type 1 and type 2.
Magnet Forensics
1. Explain that Magnet Forensics is a commercially sold product that has three tools to handle digital forensics investigations.
2. Point out that it is used to convert the extracted data into a readable format.
3. Mention that it creates a database of all the evidence it has processed.
Micro Systemation AB
1. Explain that Micro Systemation AB is a commercially sold product that has a family of mobile forensics tools that include XRY, XAMN, and XEC.
2. Point out that the tools conduct physical and logical examinations, as well as manage fleet deployment of extraction kiosks.
MOBILedit Forensic
1. Explain that MOBILedit Forensic is a commercially sold product specifically designed for mobile forensics.
2. Point out that it has a built-in write-blocker and can connect to phones directly via Bluetooth, IrDA, or a cable.
Oxygen Forensics
1. Explain that Oxygen Forensics is a commercially sold product that has a field acquisition kit with a tablet computer that has the Oxygen Forensics extractor tool.
2. Point out that it supports decoding data from mobile devices, drones, and cloud sources.
Paraben Software
1. Explain that Paraben Software is a commercially sold product that has several digital forensics tools, including a mobile forensics application tool named E3:DS.
2. Point out that it examines Internet of Things devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture.
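The kind of analysis the CellHawk item describes (which towers a device used, how its location changed over time, and which numbers it contacted most) can be illustrated on a small constructed CDR export. The block below is an added example in Python, not code from the textbook or from Hawk Analytics; the CSV column layout, the tower identifiers, and every record are assumptions made for this example.

```python
"""Summarize constructed call detail records (CDR) the way an analyst would
before loading them into an analysis platform.  Added example, not the
textbook's or Hawk Analytics' code.  Record layout and values are assumed."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export for one target number (fields assumed):
# timestamp, direction, other_party, cell_id, duration_seconds
SAMPLE_CDR = """timestamp,direction,other_party,cell_id,duration_seconds
2024-03-01T08:02:00,outgoing,555-0101,TWR-17,120
2024-03-01T08:40:00,incoming,555-0199,TWR-17,30
2024-03-01T09:15:00,outgoing,555-0101,TWR-22,45
2024-03-01T12:30:00,outgoing,555-0142,TWR-22,600
2024-03-01T13:05:00,incoming,555-0101,TWR-31,15
2024-03-01T18:20:00,outgoing,555-0101,TWR-17,90
"""


def parse_cdr(text):
    """Parse the CSV export into a list of dicts with typed fields, ordered by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "direction": row["direction"],
            "other_party": row["other_party"],
            "cell_id": row["cell_id"],
            "duration": int(row["duration_seconds"]),
        })
    return sorted(rows, key=lambda r: r["timestamp"])


def most_contacted(rows, n=3):
    """Numbers the target exchanged the most calls with, in either direction."""
    return Counter(r["other_party"] for r in rows).most_common(n)


def tower_timeline(rows):
    """Collapse consecutive records on the same tower into (cell_id, first_seen, last_seen)."""
    timeline = []
    for r in rows:
        if timeline and timeline[-1][0] == r["cell_id"]:
            timeline[-1] = (r["cell_id"], timeline[-1][1], r["timestamp"])
        else:
            timeline.append((r["cell_id"], r["timestamp"], r["timestamp"]))
    return timeline


def towers_used(rows):
    """Distinct towers the device communicated through, with call counts."""
    return dict(Counter(r["cell_id"] for r in rows))


def talk_time_by_party(rows):
    """Total seconds on calls with each number."""
    totals = Counter()
    for r in rows:
        totals[r["other_party"]] += r["duration"]
    return dict(totals)


if __name__ == "__main__":
    records = parse_cdr(SAMPLE_CDR)
    print("Most contacted:", most_contacted(records))
    for cell, first, last in tower_timeline(records):
        print(f"{cell}: {first:%H:%M} to {last:%H:%M}")
    print("Towers:", towers_used(records))
    print("Talk time:", talk_time_by_party(records))
```

A tower timeline built this way shows movement only as coarsely as the tower coverage allows; a real analysis joins the cell IDs to the carrier's tower location list, which this example does not include.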

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS
The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.
[return to top]


KEY TERMS
Application programming interface (API): A communication interface allowing communications between other programs.
Call detailed records (CDR): A report listing all calls to and from a telephone.
CDMA2000: A wireless interface standard for CDMA. See also Code Division Multiple Access (CDMA).
CDMAOne: An older 2G telecommunications standard of CDMA. See also Code Division Multiple Access (CDMA).
Cell phone pinging report: A report showing the exact latitude and longitude location of a specific mobile device.
Cell tower dump: See cell-site location information (CSLI).
Cell-site location information (CSLI): A report that lists all mobile devices connected to a specific cell tower or a list of towers that a specific cell phone had connected to; also referred to as a cell tower dump.
Cell-site simulator: A portable cell tower used in active mode in an investigation; it produces a stronger signal than a cell tower, causing all cell phones in the immediate area to connect to it. See also IMSI catcher.
Code Division Multiple Access (CDMA): A widely used digital cell phone technology that makes use of spread-spectrum modulation to spread the signal across a wide range of frequencies.
Data-at-rest: Data that is residing on a media storage device such as a disk or cloud server.
Data-in-motion: Transmitted data that is encrypted.
Electronically erasable programmable read-only memory (EEPROM): A type of nonvolatile memory that can be reprogrammed electrically without having to physically access or remove the chip.
Encrypted-at-rest: An encryption practice in which data that is located on a media storage system, such as a disk drive or a cloud server, is always encrypted.
End-to-end encryption: Data that remains encrypted during transmission and when stored on a disk.
Enhanced Data GSM Environment (EDGE): An improvement to GSM technology that enables it to deliver higher data rates. See also Global System for Mobile Communications (GSM).
Faraday bag: A special bag that is made of material that blocks electromagnetic waves; it is used to prevent communication to or from a mobile device.
Fifth-generation (5G): The most recent generation of cellular networks that provides greater speed than 4G and has allowed for improved communications for the Internet of Things (IoT).
Fourth-generation (4G): A generation of cellular networks that is still widely used; it introduced updates to the network that improved call resiliency and allowed for gaming and high-definition video streaming.
Global System for Mobile Communications (GSM): A second-generation cellular network standard; currently the most used cellular network in the world.
IMSI catcher: A portable cell tower used in passive mode in an investigation to record data being transmitted to and from cell phones and cell towers. See also cell-site simulator.
International mobile subscriber identity (IMSI): A unique identification number assigned to a cellular mobile device; this number is used by the cell provider to identify the specific cell phone.
International Telecommunication Union (ITU): An international organization and agency of the United Nations dedicated to creating telecommunications standards.
Joint Test Action Group (JTAG): A group that has developed standards for interconnections of printed circuit boards.
Orthogonal Frequency Division Multiplexing (OFDM): A 4G technology that uses numerous parallel carriers instead of a single broad carrier and is less susceptible to interference.
Personal unlock key (PUK): Personal unlocking key that is used to access a SIM chip when the PIN or other access code has been forgotten by the user; the SIM’s PUK is typically listed on the packaging that originally contained the SIM. Cell phone providers also offer PUK recovery through their websites or help telephone service.
Sixth-generation (6G): The next generation of cellular network that will provide faster network speeds and better reliability than 5G; it is currently in development and is expected to be available by 2030.
Smartphone: A mobile telephone with more features than a traditional phone, including a camera, an email client, a web browser, a calendar, contact management software, an instant-messaging program, and the ability to download and run a wide variety of apps developed specifically for smartphones.
Subscriber identity module (SIM) card: A removable card in a GSM phone that contains information for identifying subscribers; it can also store other information, such as messages and call history.
Telecommunications Industry Association (TIA): A U.S. trade association representing hundreds of telecommunications companies that works to establish and maintain telecommunications standards.
Test access port (TAP): The interface used by JTAG when accessing integrated circuits.
Third-generation (3G): A generation of mobile phone standards and technology that provided more advanced features and faster data rates than the older analog and personal communications service (PCS) technologies.
Time Division Multiple Access (TDMA): The technique of dividing a radio frequency into time slots, used by GSM networks; also refers to a cellular network standard covered by Interim Standard (IS) 136. See also Global System for Mobile Communications (GSM).

[return to top]


DISCUSSION QUESTIONS
The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Cellular Digital Networks
Duration: 20 minutes.
a. Cellular networks, the technology that allows mobile devices to communicate wirelessly around the world, are divided into “generations”, indicating specific characteristics of wireless technology that define a specific cellular network type. Furthermore, many digital networks are used in the mobile phone industry.
b. What are the generations of cellular networks and their main characteristics?
Answer: They are:
1. First-generation technology that uses analog voice communications with cellular phones.
2. Second-generation technology that uses digital communication between cellular phones (including for voice) and provides SMS texting between devices.
3. Third-generation (3G) technology that allows users to communicate while a mobile device is moving and supports mobile web browsing.
4. Fourth-generation (4G) technology that introduces updates to cellular networks improving call resiliency and allows high-resolution games and high-definition video streaming.
5. Fifth-generation (5G) technology that increases the transfer rate and provides infrastructure for machine-to-machine communications.
6. Sixth-generation (6G) technology that is still being planned and is expected to improve speed and reliability over 5G.
c. Name some cellular digital network protocols and their main characteristics concerning usability.
Answer: They are:
1. CDMA - Code Division Multiple Access, the oldest protocol and still one of the most employed protocols.
2. GSM - Global System for Mobile Communications, the second oldest protocol but the most employed protocol in the industry.
3. TDMA - Time Division Multiple Access, a protocol similar to CDMA, not frequently employed.
4. iDEN - Integrated Digital Enhanced Network, a Motorola-developed protocol, not frequently employed.
5. D-AMPS - Digital Advanced Mobile Phone Service, a digital adaptation of the analog standard for cell phones.
6. EDGE - Enhanced Data GSM Environment, an evolution of the GSM protocol designed to deliver data.
7. OFDM - Orthogonal Frequency Division Multiplexing, a protocol similar to CDMA and TDMA but designed for 4G cellular networks, providing more efficiency and reliability because it is less affected by interference.
[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Mobile Device Evidence Extraction and Examination]: This activity can be conducted with students working in pairs or in trios. Ask the students to get one mobile device (it can be one of the students’ mobile devices, since no harm will be done to the device itself).
a. Tell the students to prepare the device to be examined. The students should perform the steps described in the section Configuring a Suspect Android Mobile Device or Apple Mobile Device, according to the device being analyzed.
b. This exercise can be repeated with the cell phones of the other students. The exercise is richer if, by chance or by your choice, there are different cell phones in the group.

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC
Criteria: Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Criteria: Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Criteria: Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Criteria: Research
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]

STANDARD DISCUSSION RUBRIC
Criteria: Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]

Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 13: Email and Social Media Investigations

Instructor Manual Module 13 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 13: Email and Social Media Investigations

TABLE OF CONTENTS
Purpose and Perspective of the Module ... 3
List of Student Downloads ... 3
Module Objectives ... 3
Module Outline ... 4
Exploring the Role of Email in Investigations ... 4
Exploring the Client and Server Roles in Email ... 4
Investigating Email Crimes and Violations ... 4
Understanding Forensic Linguistics ... 5
Examining Email Messages ... 5
Copying an Email Message ... 5
Viewing Email Headers ... 6
Examining Email Headers ... 6
Examining Additional Email Files ... 6
Tracing an Email Message ... 6
Using Network Email Logs ... 7
Understanding Email Servers and Server Logs ... 7
Examining UNIX/Linux Email Server Logs ... 7
Examining Microsoft Email Server Logs ... 8
Using Specialized Email Forensics Tools ... 8
Using a Hex Editor to Carve Email Messages ... 9
Recovering Outlook Files ... 9
Email Case Studies ... 9
Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools ... 10
Social Media Forensics on Mobile Devices ... 10
Forensics Tools for Social Media Investigations ... 11
Investigating Channel-Based Messaging Tools ... 11
Note About Live Virtual Machine Labs ... 12
Key Terms ... 12
Discussion Questions ... 14
Additional Projects ... 15
Appendix ... 16
Generic Rubrics ... 16
Standard Writing Rubric ... 16
Standard Discussion Rubric ... 17


PURPOSE AND PERSPECTIVE OF THE MODULE
The purpose of this module is to show students how to trace, recover, and analyze email messages and social media content. Students are introduced to procedures for doing so using forensics tools designed for investigating email messages and logs, as well as general-purpose tools such as disk editors. These include email accessed through specific applications, as well as browser-managed email access. Additionally, students are introduced to the main topics of message exchange using social media platforms such as Facebook, Instagram, LinkedIn, Snapchat, and TikTok.

LIST OF STUDENT DOWNLOADS
Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:
●

MODULE OBJECTIVES
The following objectives are addressed in this module:
1. Explain the role of email and social media in investigations.
2. Describe client and server roles in email.
3. Describe tasks in investigating email crimes and violations.
4. Explain the use of email server logs.
5. Describe some specialized email forensics tools.
6. Explain how to apply digital forensics methods to investigating social media communications and channel-based messaging tools.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

EXPLORING THE ROLE OF EMAIL IN INVESTIGATIONS
1. Explain to the students that digital forensics investigators must know how email is processed in order to collect essential evidence as part of any computing investigation.
2. Point out that phishing emails attempt to get personal data from the recipient by luring them with false information and promises.
3. Mention that when pharming is used, readers might click a hyperlink whose text appears to point to a legitimate website address, but the hyperlink redirects them to a fake site instead.

EXPLORING THE CLIENT AND SERVER ROLES IN EMAIL
1. Explain to the students that in both email environments (Internet or intranet), messages are distributed from a central server to many connected client computers, a configuration called a client/server architecture.
2. Point out that regardless of the OS or email program, users access their email based on permissions the email server administrator grants.
3. Mention that, overall, an intranet email system is for the private use of network users, and Internet email systems are for public use.
4. Explain that a company that provides public email services, such as Gmail, iCloud, or Yahoo, owns the email server and assigns each person who signs up for the service a username and password.
5. Point out that with the expansion of cloud service providers, many companies are migrating their email services to the cloud.

INVESTIGATING EMAIL CRIMES AND VIOLATIONS
1. Explain to the students that the goal of investigating crime or policy violations involving email is to find out who is behind the crime or policy violation, collect the evidence, and present the findings to build a case for reprimands, prosecution, or arbitration.
2. Point out that email crimes and violations depend on the laws of the city, state/province, and country in which the email originated.
3. Mention that because email is a major communication medium, any crime or policy violation can involve email as well as text messages and social media communication.

Understanding Forensic Linguistics
1. Explain to the students that forensic linguistics is a field divided into four categories: language and law; language in the legal process; language as evidence; and research/teaching, in which language and the law intersect.
2. Point out that forensic linguistics trains people to listen to voice recordings to determine who is speaking, or to read email and other writings known to be by a certain person and determine whether that person also wrote the email or letter in question.
3. Mention that AI generally refers to computer systems that can simulate human intelligence and learn from experience, allowing them to perform tasks that typically require human intelligence.
4. Explain that tools such as ChatGPT, Microsoft Bing, Google Bard, and other natural language processing tools can be used for email.

Examining Email Messages
1. Explain to the students that after having determined that a company violation or a crime involving email has been committed, it is necessary to access the victim’s computer or mobile device to recover the evidence on it.
2. Point out that the header of an offending message contains unique identifying numbers, such as the server’s Internet Protocol (IP) address, that can help trace the email to the suspect.

Copying an Email Message
1. Explain to the students that as part of an email investigation, they need to copy the email involved in the crime or policy violation.
2. Point out the five steps on how to use Outlook to copy an email message to a USB drive.
3. Remind students that after copying an email, they should work only with the copy, not the original version, to avoid altering the original evidence by mistake.


Viewing Email Headers
1. Explain to the students that after copying a message, they can use the email program that created it to find the email header, then copy and paste it into a text document so they can read it with a text editor, such as Windows Notepad, Linux Vim, Nano (used with UNIX), or macOS TextEdit.
2. Mention that installing and becoming familiar with as many email programs as possible is beneficial.
3. Point out the three steps to view an email header in Gmail.
4. Point out the four steps to view an email header in Yahoo!.

Examining Email Headers
1. Explain to the students that the main pieces of information to look for in the header are the originating email’s domain address or IP address, the date and time the message was sent, the file names of any attachments, and the unique message number, if it is supplied.
2. Point out that if a message includes an attachment, it should be investigated as a supporting piece of evidence.
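The fields item 1 lists can be pulled out of a saved raw message with the Python standard library's email package. The block below is an added example, not code from the textbook; the sample message is constructed (hosts and IPs are documentation ranges), and the regular expressions used to pick hosts and addresses out of the Received lines are this example's own simplification of the header grammar.

```python
"""Pull the header fields the module says to look for (originating host/IP,
send date, Message-ID, attachment names) out of a raw RFC 5322 message.
Added example using the standard library; the sample message is constructed."""
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed message: two Received hops and one attachment.  Hosts and IPs
# are example/documentation values, not real systems.
SAMPLE_EML = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.victim.example (Postfix) with ESMTPS id 4ABCD12345;
 Fri, 1 Mar 2024 09:02:11 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
 by mx.example.net (Postfix) with ESMTP id 9E7A2B1C4D;
 Fri, 1 Mar 2024 09:02:05 +0000
Message-ID: <20240301090200.1234@sender.example.org>
Date: Fri, 1 Mar 2024 09:01:58 +0000
From: "Accounts" <billing@sender.example.org>
To: victim@victim.example
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached invoice.
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(msg):
    """Each hop prepends its own Received header, so reverse them to read origin -> destination."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hop = " ".join(str(value).split())  # unfold continuation lines
        m_from = re.search(r"from (\S+)", hop)
        m_by = re.search(r" by (\S+)", hop)
        m_ip = IP_RE.search(hop)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            # The timestamp follows the last ';' on the line.
            "time": parsedate_to_datetime(hop.rsplit(";", 1)[1].strip()) if ";" in hop else None,
        })
    return hops


def header_summary(raw):
    """Collect the identifying fields an investigator records first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = parse_received_chain(msg)
    sender_domain = msg["From"].addresses[0].domain if msg["From"] else None
    return {
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "date": parsedate_to_datetime(str(msg["Date"])),
        "sender_domain": sender_domain,
        # The earliest hop is the best available evidence of where the message entered the mail system.
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    summary = header_summary(SAMPLE_EML)
    for key in ("message_id", "date", "sender_domain", "origin_ip", "attachments"):
        print(f"{key}: {summary[key]}")
    for hop in summary["hops"]:
        print(f"  {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
```

Only the Received header added by a server you trust (your own, at the end of the chain) is guaranteed genuine; earlier hops and the From address are supplied by the sending side and can be forged, which is why the module has students record the originating IP and then trace it rather than rely on the From field.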

Examining Additional Email Files
1. Explain to the students that how emails are stored depends on settings on the client and server.
2. Point out that investigators could save all their email in a separate folder on the client’s computer for record-keeping purposes.
3. Mention that in web-based email, messages are displayed and saved as webpages in the browser’s cache folders.

Tracing an Email Message
1. Explain that as part of an investigation, investigators may need to determine an email’s origin by further examining the header with one of many free Internet tools.
2. Point out to the students that if the point of contact is not listed on the website or the domain does not have a website, they need to use a registry site.
Using Network Email Logs
1. Explain that network administrators maintain logs of the inbound and outbound traffic that routers handle.
2. Point out to the students that in most cases, a router is set up to track all traffic flowing through its ports, and using these logs, investigators can determine the path a transmitted email has taken.
3. Mention that when a network administrator provides firewall log files, you can open them in a text editor, such as Notepad in Windows or vim in Linux.

UNDERSTANDING EMAIL SERVERS AND SERVER LOGS
1. Explain that an email server contains software that uses email protocols for its services and maintains logs that investigators can examine and use in their investigation.
2. Point out to the students that as investigators, their focus is not to learn how a particular email server works but rather how to retrieve information about emails for an investigation.
3. Cite that most email administrators log system operations and message traffic to recover emails in case of a disaster, make sure the firewall and email filters are working correctly, and enforce company policy.
4. Explain that email logs generally identify the email messages an account received, the IP address from which they were sent, the time and date the email server received them, the time and date the client computer accessed the email, the email contents, system-specific information, and any other information the email administrator wants to track.
5. Mention that if you have a date and time stamp for an email, the email administrator should be able to recover it from backup media if the message is no longer on the email server.

Examining UNIX/Linux Email Server Logs 1. Explain that more than a dozen UNIX/Linux email server programs are available, and most of them, such as Postfix and Sendmail, produce log files. 2. Point out to the students that because a UNIX system has a variety of email servers available, the syslog.conf file simply specifies where to save different types of email log files. 3. Mention that if someone is examining a UNIX/Linux computer and does not find the email logs in /var/log, they can use the find or locate command to find them. 4. Explain that UNIX email servers do not usually use groups to prevent users from accidentally viewing email that does not belong to them; however, email groups can be useful for investigative purposes, as long as a warrant is secured.
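As an added example (not code from the textbook or this instructor manual), the following Python script shows how an investigator can reconstruct one message's passage through a Postfix server from the kind of log lines that end up under /var/log. Postfix tags every line it logs for a message with the same queue ID, so grouping lines by that ID ties together the connecting client's IP address, the Message-ID, the envelope sender, and each recipient's delivery status. The log excerpt, host names, IP addresses and queue IDs below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Postfix/syslog excerpt for illustration (hosts, IPs and queue IDs are made up).
SAMPLE_MAILLOG = """\
Mar  5 10:15:01 mail postfix/smtpd[2231]: connect from unknown[203.0.113.9]
Mar  5 10:15:01 mail postfix/smtpd[2231]: 7C1A2B3D4E: client=unknown[203.0.113.9]
Mar  5 10:15:01 mail postfix/cleanup[2235]: 7C1A2B3D4E: message-id=<20240305101500.1@example.org>
Mar  5 10:15:01 mail postfix/qmgr[1100]: 7C1A2B3D4E: from=<sender@example.org>, size=2048, nrcpt=1 (queue active)
Mar  5 10:15:02 mail postfix/local[2240]: 7C1A2B3D4E: to=<bob@example.com>, relay=local, delay=0.6, delays=0.4/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  5 10:15:02 mail postfix/qmgr[1100]: 7C1A2B3D4E: removed
Mar  5 10:15:02 mail postfix/smtpd[2231]: disconnect from unknown[203.0.113.9]
Mar  5 10:20:44 mail postfix/smtpd[2231]: 9F8E7D6C5B: client=mail.partner.example[198.51.100.20]
Mar  5 10:20:44 mail postfix/cleanup[2235]: 9F8E7D6C5B: message-id=<a1@partner.example>
Mar  5 10:20:44 mail postfix/qmgr[1100]: 9F8E7D6C5B: from=<carol@partner.example>, size=512, nrcpt=1 (queue active)
Mar  5 10:20:45 mail postfix/smtp[2242]: 9F8E7D6C5B: to=<dave@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.25]:25: Connection refused)
"""

# A log line that carries a Postfix queue ID; lines without one (connect/disconnect) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
# key=value pairs in the remainder: values are either <angle-bracketed> or run to the next comma/space.
KV_RE = re.compile(r"([A-Za-z][\w-]*)=(<[^>]*>|[^,\s]+)")


def correlate(log_text):
    """Group log lines by queue ID so one message's client, sender, recipients and
    delivery status can be read as a single record."""
    records = defaultdict(lambda: {"events": [], "recipients": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records[m["qid"]]
        kv = dict(KV_RE.findall(m["rest"]))
        rec["events"].append((m["ts"], m["proc"], m["rest"]))
        if "client" in kv:                      # smtpd: the host that handed us the message
            rec["client"] = kv["client"]
            ip = re.search(r"\[([^\]]+)\]", kv["client"])
            rec["client_ip"] = ip.group(1) if ip else None
        if "message-id" in kv:                  # cleanup: ties the log to the message header
            rec["message_id"] = kv["message-id"].strip("<>")
        if "from" in kv:                        # qmgr: envelope sender and size
            rec["sender"] = kv["from"].strip("<>")
            rec["size"] = int(kv.get("size", "0"))
        if "to" in kv:                          # delivery agent: per-recipient outcome
            rec["recipients"].append({"to": kv["to"].strip("<>"),
                                      "relay": kv.get("relay"),
                                      "dsn": kv.get("dsn"),
                                      "status": kv.get("status")})
        if m["rest"].strip() == "removed":      # qmgr: message left the queue
            rec["removed_at"] = m["ts"]
    return dict(records)


def find_by_message_id(records, message_id):
    """Queue IDs whose cleanup line logged the given Message-ID (from a message header)."""
    return sorted(q for q, r in records.items() if r.get("message_id") == message_id)


def find_by_client_ip(records, ip):
    """Queue IDs of every message accepted from the given client IP address."""
    return sorted(q for q, r in records.items() if r.get("client_ip") == ip)
```

Searching by Message-ID is the usual pivot: the header of a recovered message gives the Message-ID, the cleanup line gives the queue ID, and the queue ID gives everything else the server recorded. A message with no "removed" line (the second one above, still deferred) is one that had not yet left the queue when the log was collected.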

Examining Microsoft Email Server Logs 1. Mention that Exchange Server, generally called Exchange, is the Microsoft email server software. 2. Explain that Messaging Application Programming Interface (MAPI) enables different email applications to work together. 3. Point out to the students that like UNIX email servers, Exchange maintains logs to track emails. To retrieve them, they can use a Windows PowerShell script. 4. Explain that if the message tracking feature has been enabled and the email administrator selects verbose (detailed) logging, investigators can see the timestamp, IP address of the sending computer, and the email’s contents or body.

USING SPECIALIZED EMAIL FORENSICS TOOLS 1. Explain that if they cannot find an email administrator willing or able to help with the investigation, or they encounter a highly customized email environment, they can use data recovery tools and forensics tools designed to recover email files. 2. Point out the extensive list of tools specifically created for email recovery, including recovering deleted attachments from a hard drive. 3. Mention that forensics tools enable investigators to find email database files, personal email files, offline storage files, and log files. 4. Remark that one advantage of using data recovery tools is that they do not need to know how the email server or email client operates to extract data from these computers. 5. Explain that with some tools, they can scan email database files on a suspect’s Windows computer, locate any emails the suspect has deleted, and restore them to their original state.

Using a Hex Editor to Carve Email Messages 1. Explain that vendor-unique email file systems, such as Microsoft .pst or .ost, typically use Multipurpose Internet Mail Extensions (MIME) formatting, which can be difficult to read with a text or hexadecimal editor. 2. Point out to the students that for email recovery that requires extracting only email data from a computer, the Linux tar command is easy to use. 3. Cite the seven steps necessary to acquire information from an .evolution file.
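Carving email messages out of raw data, as an added Python example that is not part of the module's tar/.evolution procedure and not code from the textbook: what a hex editor shows as a recognizable run of header lines ending in a blank line can be located programmatically, and each candidate block handed to the standard email parser. The byte blob, message contents, hosts and addresses below are constructed sample data; the NUL-byte heuristic for where a message body ends is an assumption suited to this sample, not a general rule.

```python
import email
import re

# One header line, with any folded continuation lines that follow it.
_HEADER_LINE = rb"[A-Za-z][A-Za-z0-9-]*:[^\r\n]*\r?\n(?:[ \t][^\r\n]*\r?\n)*"
# A header block: a recognizable first header, at least two more header lines, then the blank line.
_FIRST = rb"(?:Return-Path|Received|From|To|Subject|Date|Message-ID):[^\r\n]*\r?\n(?:[ \t][^\r\n]*\r?\n)*"
MESSAGE_START_RE = re.compile(
    rb"(?<![^\n\x00])"                 # at a line start or right after a NUL byte
    + _FIRST + rb"(?:" + _HEADER_LINE + rb"){2,}\r?\n"
)


def _build_message(from_addr, to_addr, subject, msg_id, body):
    """Constructed RFC 5322 message bytes (sample data, not from any real mailbox)."""
    return (b"Received: from relay.example.net (relay.example.net [203.0.113.9])\n"
            b"\tby mx.example.com with ESMTP; Tue, 05 Mar 2024 10:15:01 +0000\n"
            b"From: " + from_addr + b"\nTo: " + to_addr + b"\nSubject: " + subject
            + b"\nMessage-ID: <" + msg_id + b">\n\n" + body)


# Constructed "disk image": binary slack space with two messages embedded in it.
JUNK = b"\x00\x7fELF\x02\x01\x01\x00\xff\xfe\x13 slack space \x00\x1b[0m\x00"
SAMPLE_IMAGE = (JUNK * 3
                + _build_message(b"alice@example.org", b"bob@example.com", b"Q3 numbers",
                                 b"m1@example.org", b"Attached are the draft Q3 figures.\n")
                + JUNK * 2
                + _build_message(b"carol@partner.example", b"bob@example.com", b"Re: contract",
                                 b"m2@partner.example", b"Signed copy to follow.\n")
                + JUNK)


def carve_messages(blob):
    """Find every header block in an unstructured byte blob and return the carved messages.
    Each body runs to the next header block and is then cut at the first NUL byte, a simple
    heuristic (assumed here) for where message text ends and slack space begins."""
    starts = list(MESSAGE_START_RE.finditer(blob))
    carved = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(blob)
        body = blob[m.end():end].split(b"\x00", 1)[0]
        msg = email.message_from_bytes(m.group(0) + body)
        carved.append({
            "offset": m.start(),               # where in the blob the message was found
            "from": msg["From"],
            "to": msg["To"],
            "subject": msg["Subject"],
            "message_id": msg["Message-ID"],
            "body": body.decode("utf-8", "replace"),
        })
    return carved
```

The offset of each hit is worth recording alongside the parsed fields: it is what lets the examiner go back to the image in a hex editor and show exactly where the carved text came from.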

Recovering Outlook Files 1. Explain that as a forensics examiner recovering email messages from Outlook, they might need to reconstruct .pst files and messages. 2. Point out to the students that with many advanced forensics tools, such as Magnet AXIOM, OSForensics, X-Ways Forensics, Exterro FTK, and Guidance Software EnCase, deleted .pst files can be partially or completely recovered. 3. Cite that other recovery tools, such as DataNumen Outlook Repair, one of the better email recovery tools on the market, are designed to reconstruct email data in Outlook and other email formats.

Email Case Studies 1. Explain that one major and very well-publicized case involving corporate email is the Enron case, which required retrieving thousands of emails as part of the discovery process at a time when few policies for collecting this information existed. 2. Mention that as a regular part of doing business, Enron employees sent internal emails with spreadsheet attachments containing personal information about employees and customers.


APPLYING DIGITAL FORENSICS METHODS TO SOCIAL MEDIA COMMUNICATIONS AND CHANNEL-BASED MESSAGING TOOLS 1. Explain that social media platforms, such as Facebook, Instagram, LinkedIn, Snapchat, TikTok, and YouTube, are not just a way of communicating with friends and family; they are also used to conduct business, brag about criminal activities, raise money, and hold class discussions. 2. Mention four types of information that can be found on social media: evidence of cyberbullying and witness tampering, a company’s position on an issue, whether intellectual property rights have been violated, and who posted information and when. 3. Tell students that in this age of accusations of “fake news,” investigators must be careful to verify their data. 4. Explain that social media sites involve multiple jurisdictions that might even cross national boundaries, and social media vendors prohibit access to their servers.

Social Media Forensics on Mobile Devices 1. Explain that jailbreaking refers to the process of circumventing provider and user security measures to get low-level OS and file system access on a mobile device. 2. Point out to the students that in mid-2023, Facebook had 2.93 billion users worldwide. Of those, almost 100% were mobile users. 3. Mention that following standard procedures—doing a logical acquisition followed by a physical acquisition—can yield solid evidence, especially with devices that are not locked.


Forensics Tools for Social Media Investigations 1. Point out that a number of social media tools that were free or inexpensive have now been incorporated into forensics suites, such as FTK Social Analyzer. 2. Explain that investigators often run into the problem of finding information unrelated to a case, and sometimes they must stop to get another warrant or subpoena, as in a case where they are investigating a claim of fraud and then find evidence of corporate espionage. 3. Point out to the students the four-step approach for accessing only a public profile or becoming friends with the suspect's friends, which might provide limited information.

Investigating Channel-Based Messaging Tools 1. Point out that while IM tools and direct messaging apps have been around since the late 1990s, channel-based messaging tools have become increasingly popular since the introduction of Slack in 2013. 2. Explain to the students that another social chat platform that has grown in popularity in recent years is Discord, which has continued to expand beyond its original base of online gamers to users interested in setting up online communities for teams and others with shared interests. 3. Mention that messaging platforms designed for teams include Webex, Microsoft Teams, and many others, most of which can be installed on a laptop, desktop, or mobile device. 4. Explain that other tools are also being developed for forensic investigations on devices with Discord installed, but most of these tools, such as DiscFor, can only operate on the client side.


NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

KEY TERMS
Artificial intelligence (AI): Computer systems that can simulate human intelligence and learn from experience, allowing them to perform tasks that have typically required human intelligence. AI apps have been created to mimic the human brain in things such as decision making and visual recognition.
Client/server architecture: A network architecture in which each computer or process on the network is a client or server; in such an architecture, emails are distributed from a central server to many connected client computers.
Electronic Communications Privacy Act (ECPA): A law enacted in 1986 to extend the Wiretap Act to cover email and other data transmitted via the Internet.
Enhanced/Extended Simple Mail Transfer Protocol (ESMTP): An enhancement of SMTP for sending and receiving email messages that allows graphics and other items to be transmitted via email.
Forensic linguistics: A field in which language and the law intersect to determine the author of emails, text messages, and other online communications. The International Association of Forensic Linguists divides this field into four categories: language and law, language in the legal process, language as evidence, and research/teaching. Digital forensics focuses on language as evidence.
Internet Message Access Protocol 4 (IMAP4): An Internet standard protocol used by email clients to retrieve data from the email server.
Mbox: A method of storing email messages in a flat plaintext file.
Messaging Application Programming Interface (MAPI): The Microsoft system that enables other email applications to work with each other.
Multipurpose Internet Mail Extensions (MIME): A specification for formatting non-ASCII messages, such as graphics, audio, and video, for transmission over the Internet.
Pharming: A type of email scam in which a recipient is redirected to a fake site if they click on a hyperlink in an email that appears to point to a legitimate website address.
Phishing: A type of email scam that involves sending emails that attempt to get personal data by luring recipients with false information and promises.
Post Office Protocol version 3 (POP3): A protocol for retrieving email messages from an email server.
Simple Mail Transfer Protocol (SMTP): A protocol for sending email messages between servers.
Social media platform: An online service that provides a virtual environment where people can create and share text, pictures, and videos to communicate with friends, family, and businesses.
Spoofing: A type of email scam in which the hacker presents themselves as a legitimate entity by altering the email header so that its point of origin appears to be from a different sender.
Stored Communications Act (SCA): Part of the Electronic Communications Privacy Act that extends to the privacy of stored communications, such as email.


DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists) – they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS; as whole-class discussions in person; or as a partner or group activity in class.

1. Tracing Email Messages Duration 20 minutes. a. Email messages are composed of a header part and the message payload itself. Most of the forensic work on emails concerns the examination of the email headers. b. How can a forensic investigator determine the actual sender of an email message by examining the message header? Answer: By examining the full header information, the forensic investigator will find all servers that received and retransmitted the message from the original source to the final destination. Generally, email servers list these servers from the one closest to the destination to the one furthest from the destination. Therefore, by finding the last listed server in the full header, the forensic investigator can identify the IP address of the original server. With this information, websites such as arin.net, internic.com, and Whois.net can be employed to identify who owns the server that sent the message, thus allowing the investigator to identify the real sender of the email message.
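The tracing procedure described in the module outline ("Tracing an Email Message") and in the answer above, as an added Python example that is not part of the textbook or this instructor manual: it reads the Received headers in the order the servers wrote them, reverses them so the origin comes first, extracts the originating IP address that the answer says to look up with a registry, and applies two consistency checks that an inserted or forged Received header tends to fail. The message, hosts, addresses and IP addresses are constructed sample data.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message for illustration (hosts, IPs and ids are made up). Each server prepends
# its own Received header, so the top one is the last hop and the bottom one is the first.
SAMPLE_MESSAGE = """\
Return-Path: <accounts@example.org>
Received: from mx2.example.com (mx2.example.com [198.51.100.20])
 by inbox.example.com with ESMTP id abc123
 for <victim@example.com>; Tue, 05 Mar 2024 10:15:05 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
 by mx2.example.com with ESMTPS id def456
 for <victim@example.com>; Tue, 05 Mar 2024 10:15:03 +0000
Received: from unknown (HELO webmail.example.org) (192.0.2.77)
 by relay.example.net with SMTP; Tue, 05 Mar 2024 10:15:01 +0000
From: "Accounts" <accounts@example.org>
To: victim@example.com
Subject: Invoice
Message-ID: <20240305101500.1@example.org>
Date: Tue, 05 Mar 2024 10:14:59 +0000

Please see the attached invoice.
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Pull the 'from' host, its IP, the 'by' host and the timestamp out of one Received header."""
    text = re.sub(r"\s+", " ", value).strip()        # unfold continuation lines
    from_m, by_m, ip_m = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
    stamp = None
    if ";" in text:                                  # the date follows the last semicolon
        try:
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return {"from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": stamp}


def trace_path(raw_message):
    """Hops in transmission order: origin first, final destination last."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in (msg.get_all("Received") or [])]
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """IP address recorded by the first server that accepted the message; this is the
    address an investigator would look up with a registry or whois service."""
    hops = trace_path(raw_message)
    return hops[0]["ip"] if hops else None


def check_chain(hops):
    """Indices i where the host that accepted hop i is not the host hop i+1 claims to have
    received from; a break in the chain suggests an inserted or forged Received header."""
    return [i for i in range(len(hops) - 1) if hops[i]["by"] != hops[i + 1]["from"]]


def check_timeline(hops):
    """Indices of hops stamped earlier than the previous hop (clock skew, or a forged header)."""
    return [i for i in range(1, len(hops))
            if hops[i - 1]["time"] and hops[i]["time"] and hops[i]["time"] < hops[i - 1]["time"]]
```

Only the headers added by servers the investigator trusts (typically the receiving organization's own) are reliable; anything below them was supplied by the sending side and can be fabricated, which is exactly why the chain and timeline checks are worth running before relying on the bottom-most address.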

2. Email Logs and Servers Duration 15 minutes. a. An email server contains software that uses email protocols for its services and maintains logs you can examine and use in your investigation. To be able to analyze servers and logs of email exchanges, it is necessary to know which protocol is employed, which may depend on the native OS on which the server is running and on admin and user choices. b. What are the most common protocols for email exchange in UNIX/Linux-based OSs? Answer: The most common email exchange protocols employed in UNIX/Linux-based OSs are Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol 4 (IMAP4). c. What is the most common email exchange protocol in Windows-based OSs? Answer: The most common email exchange protocol employed in Windows-based OSs (Exchange Server) is the Messaging Application Programming Interface (MAPI).


ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Analyzing email headers]: This activity can be conducted with students working alone or in pairs. Ask the students to get, from their own email accounts, unusual email messages (for example, from their spam folder) to be analyzed. a. The students can use their own email app to show the full email header of each chosen message. If working in groups, the students may analyze each other's messages within the group; otherwise, each student may analyze only their own emails. The analysis of each email must include the detection of the actual origin of the email, as well as the path the message took before arriving at the recipient's server. b. The students produce a written report summarizing the findings and giving an educated guess as to whether each analyzed message actually comes from the sender shown in the email app.


APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC

Criteria: Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Criteria: Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions are mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions are not logically related and consistent.

Criteria: Research
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer reviewed journals and other scholarly work.

Criteria: Research (continued)
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.


STANDARD DISCUSSION RUBRIC

Criteria: Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 14: eDiscovery.

Instructor Manual Module 14 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 14: e-Discovery

TABLE OF CONTENTS
Purpose and Perspective of the Module ........ 2
List of Student Downloads ........ 2
Module Objectives ........ 2
Module Outline ........ 3
  Overview of e-Discovery, Rules, and Policies ........ 3
    The Relationship between e-Discovery and Digital Forensics ........ 3
    Rules, Laws, and Regulations Impacting e-Discovery ........ 4
  The Impact of Case Law on e-Discovery ........ 4
    Case Law in the United States ........ 4
    Enron e-Discovery ........ 5
  EDRM and e-Discovery Case Flow ........ 5
    Information Governance Reference Model ........ 5
    Stages of the EDRM ........ 6
  Common e-Discovery Tools ........ 6
Note About Live Virtual Machine Labs ........ 7
Key Terms ........ 7
Discussion Questions ........ 9
Additional Projects ........ 10
Appendix ........ 10
  Generic Rubrics ........ 10
    Standard Writing Rubric ........ 11
    Standard Discussion Rubric ........ 12


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to show the students the basis of e-discovery, the process of identifying, gathering, and producing electronically stored information (ESI) for use in lawsuits or investigations. This process differs from traditional digital forensics in aspects such as prior knowledge of the target of the investigation. Specifically, the students will be introduced to the federal rules governing the use of e-discovery, as well as its processes, business considerations, and legal aspects. The students are also presented with the impact of e-discovery in common-law countries such as the UK, the Netherlands, and the US, as it is frequently applied to cross-border incidents because they concern evidence from the cloud.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this chapter:

MODULE OBJECTIVES The following objectives are addressed in this module: 1. Describe e-discovery and its relationship to digital forensics. 2. Explain the impact of case law on e-discovery. 3. Outline the phases of the Electronic Discovery Reference Model and the e-discovery case flow. 4. List some common e-discovery tools.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

OVERVIEW OF E-DISCOVERY, RULES, AND POLICIES 1. Explain to the students that before computers and other digital technology were in widespread use, most legal discovery work involved items such as documents, photographs, videotapes, test samples, products, and other physical objects. 2. Point out that in the context of e-discovery, digital data is often referred to as electronically stored information (ESI), which refers to any information that is created or stored electronically. 3. Mention that given the amount of ESI that may be part of a particular investigation, it is helpful to think about how and where organizations store information. 4. Explain that investigators must keep in mind that some metadata may be lost as documents go from their native format such as Microsoft Word to PDF.

The Relationship between e-Discovery and Digital Forensics 1. Explain to the students that one way in which e-discovery differs from digital forensics is that the two parties involved in a litigation e-discovery process will ask the opposing party for data specifically related to the subject of the litigation. 2. Point out that experts in e-discovery tend to view digital forensics as part of their process, while digital forensics experts often see the two fields as overlapping. 3. Mention that in e-discovery the investigators know that they are looking for information related to such things as a contract dispute, intellectual property rights, product defect, or false financial information.


Rules, Laws, and Regulations Impacting e-Discovery 1. Explain to the students that a wide range of rules, laws, and regulations influence e-discovery processes at the state and federal level. 2. Point out that today, many companies have offices not only in different states or provinces but also in different countries. As a result, investigators must be aware of what laws are in effect when they are identifying and preserving data during e-discovery. 3. Explain that three sets of federal rules have a significant impact on digital forensics and cite the processes that must be followed as part of e-discovery: the Federal Rules of Criminal Procedure, the Federal Rules of Evidence, and the Federal Rules of Civil Procedure. 4. Explain the Computer Fraud and Abuse Act, the USA PATRIOT Act, and the Sarbanes-Oxley Act. 5. Mention that other laws and regulations that impact the process of e-discovery include the United Nations Model Law, which was targeted at e-commerce investigations across multiple borders. 6. Cite that the Sedona Principles provide recommendations for managing e-discovery, with fourteen principles that map to the Federal Rules of Civil Procedure (FRCP).

THE IMPACT OF CASE LAW ON E-DISCOVERY 1. Explain to the students that the body of law created by prior judicial decisions regarding a particular legal issue is referred to as case law. 2. Point out that the United States and approximately 40% of the countries of the world use common law.

Case Law in the United States 1. Explain to the students that two good examples of the impact of case law in a common-law nation such as the United States are Olmstead v. United States and Katz v. United States, two cases that occurred more than forty years apart. 2. Point out that when researching federal court cases that have impacted case law in the United States, it is important to understand the structure of the federal court system and how that impacts the appeals process. 3. Explain legal research tools and the FIRAC Method to approach legal analysis.

Enron e-Discovery 1. Provide background information on the innovative energy company Enron Corporation. 2. Explain to the students that while it has been over two decades since the collapse of Enron, the e-discovery process followed in that case holds many examples of what can go wrong. 3. Point out that the database of Enron emails was available to the public for several years before it was sanitized and re-released.

EDRM AND E-DISCOVERY CASE FLOW 1. Explain to the students that the Electronic Discovery Reference Model (EDRM) is a conceptual framework created by Tom Gelbmann and George Socha in 2005 to address how to process ESI in a legal case or an investigation. 2. Mention that the EDRM was developed to ensure ESI makes its way to court in both civil and criminal cases. 3. Point out that the EDRM is not intended to be strictly linear; that is, some of the steps may be carried out in a different order, and in some cases, not all steps will be required.

Information Governance Reference Model 1. Explain to the students that the Information Governance Reference Model (IGRM), which feeds into the steps of the EDRM, is a framework and set of guidelines developed in 2012 to help companies manage their information resources. 2. Point out that information governance ensures that ESI is usable and available, and that the data has integrity and security. 3. Explain that the IGRM helps businesses create information-management processes that meet any pertinent regulatory and legal requirements and ensure users have access to the information they need.


Stages of the EDRM 1. Explain in detail each of EDRM’s eight stages: identification, preservation, collection, processing, review, analysis, production, and presentation. 2. Mention that the e-discovery team must also look for documents containing trade secrets, software code, recipes, and other intellectual property to determine if they are relevant and if they should be held back from production. 3. Point out that the ESI may be in a native format, such as Microsoft Word, or in other formats that make it easier for the person viewing it to ask for more information.

COMMON E-DISCOVERY TOOLS 1. Explain that the field of e-discovery is specialized, and the software related to it is in what is referred to as a vertical market, meaning that only a certain type of clientele uses the software. 2. Point out to the students that digital forensics software acquires the data, searches for deleted data, validates data using hash values, and preserves evidence. 3. Remind students that when researching the software, they should notice that the companies’ websites may focus on topics and software features that vary significantly depending on the industry or type of investigation for which the tool is intended. 4. Explain and review the uses and specifications of different e-discovery software so companies can determine which one best addresses their needs.
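The hash validation that item 2 above attributes to digital forensics software, together with the deduplication step of the EDRM processing stage, as an added Python example that is not code from the textbook or from any of the e-discovery products it mentions: every collected item is hashed once into a manifest at collection time, duplicates are grouped by content hash so that only one copy goes forward to review, and the working set can later be re-hashed against the manifest to show that nothing was altered, lost or slipped in. The file paths and contents are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed ESI collection for illustration: path -> file content (not from any real matter).
SAMPLE_ESI = {
    "custodians/alice/Q3-figures.docx": b"Q3 revenue draft v1",
    "custodians/bob/Q3-figures (copy).docx": b"Q3 revenue draft v1",
    "shared/finance/Q3-figures.docx": b"Q3 revenue draft v1",
    "custodians/bob/Q3-figures-v2.docx": b"Q3 revenue draft v2",
    "legal/contracts/msa-2023.pdf": b"%PDF-1.7 master services agreement",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(esi):
    """Hash every collected item once, at collection time; later validation and
    production checks compare against this manifest."""
    return {path: sha256_hex(content) for path, content in esi.items()}


def deduplicate(esi):
    """Group items by content hash. Returns (unique, duplicates): one representative path
    per distinct content, and for each hash that has copies, the paths held back."""
    by_hash = defaultdict(list)
    for path in sorted(esi):                 # deterministic choice of representative
        by_hash[sha256_hex(esi[path])].append(path)
    unique = {h: paths[0] for h, paths in by_hash.items()}
    duplicates = {h: paths[1:] for h, paths in by_hash.items() if len(paths) > 1}
    return unique, duplicates


def verify_manifest(esi, manifest):
    """Re-hash the working set and report every item that no longer matches the manifest:
    altered content, items missing from the working set, and items never collected."""
    problems = []
    for path, expected in manifest.items():
        if path not in esi:
            problems.append((path, "missing"))
        elif sha256_hex(esi[path]) != expected:
            problems.append((path, "hash mismatch"))
    for path in esi:
        if path not in manifest:
            problems.append((path, "not in manifest"))
    return sorted(problems)
```

Keeping the suppressed duplicate paths, rather than discarding them, matters for production: the opposing party can ask where else a document was found, and a duplicate in a second custodian's mailbox is itself evidence of who had it.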


NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that will help students learn the material covered in each module. Throughout the labs, students will encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop, noting their progress in the lab. The introduction in the content pane in each live virtual machine lab provides a list of learning outcomes that students should be able to do after they complete the module. There is also a list of the exam objectives that each lab covers. The main focus of the live virtual machine labs is to cover the practical, hands-on aspects of the exam objectives. The labs do not map directly back to the topics covered in each module of the book or MindTap course. It is recommended that students refer to course materials to research theoretical topics in more detail.

KEY TERMS
Computer Fraud and Abuse Act (CFAA): A federal law passed in 1986 as an update to the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, addressing crimes related to unauthorized access to computers.
Data: Information, such as documents, spreadsheets, graphics, and email, that is stored on digital devices and transmitted electronically.
Deduplication: In e-discovery, the process of reducing the volume of data included in a production by identifying and removing duplicate documents, emails, and other items.
Electronic Discovery Reference Model (EDRM): A framework created by Tom Gelbmann and George Socha in 2005 to describe how ESI is processed; although it is focused on e-discovery, the EDRM can be useful in a variety of cases.
Electronically stored information (ESI): Any information created or stored electronically; ESI includes documents and other files, emails, text messages, photos, and video or audio recordings.
Federal Rules of Civil Procedure (FRCP): The set of 86 federal rules, first adopted in 1938, intended to provide the "just, speedy and inexpensive" resolution of federal civil cases. Rule 34 was amended in 1970 to reach electronic data compilations and again in 2006 to address ESI explicitly; Rules 16, 26, 33, and 37 also affect digital evidence and e-discovery.
Federal Rules of Criminal Procedure (FRCrP): The set of federal rules adopted by the Supreme Court in 1944 and in effect since 1946, intended to standardize the conduct of criminal proceedings in all federal district courts.
Federal Rules of Evidence (FRE): The set of federal rules, transmitted to Congress by the Supreme Court in 1973 and enacted into law in 1975, that govern whether and how evidence is admissible in federal court in both civil and criminal cases. (How evidence may be seized is governed by the Fourth Amendment and FRCrP Rule 41, not by the FRE.)
Information governance: The framework and guidelines an organization uses to manage its information resources.
Information Governance Reference Model (IGRM): A framework and set of guidelines developed to help companies manage their information resources; it addresses the stakeholders and factors that affect information governance, including users, security, privacy, legal, and risk.
Legally defensible: A term describing something, such as data or a process, that can withstand a challenge in court.
Litigation hold: A notification from an organization's legal team informing employees that they must stop overwriting backups, deleting files, and performing other tasks that could destroy evidence related to anticipated litigation. Its purpose is to preserve data that may be relevant to a lawsuit.
Metadata: Data about data; for a file this includes when it was created, modified, or viewed, and by whom.
Optical character recognition (OCR): A text-recognition technology that converts images of typed or printed text (scanned pages, image-only PDFs) into searchable characters; handwriting is recognized far less reliably.
Public Company Accounting Oversight Board (PCAOB): The nonprofit corporation created by the Sarbanes-Oxley Act to establish auditing standards and oversee the accounting firms that audit publicly held companies.
Rule 41 of the FRCrP: The "Search and Seizure" rule of the Federal Rules of Criminal Procedure, which addresses how evidence can be obtained in criminal investigations.
Sarbanes-Oxley Act: A federal law passed in 2002 in response to incidents such as the Enron accounting scandal; it monitors the accounting practices of public firms and governs the way they maintain, preserve, and present data in legal proceedings. Sarbanes-Oxley requires public corporations to retain email, financial data, and other records for five years.
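The Deduplication and Metadata key terms above, together with the point in Common E-Discovery Tools that forensics software validates data using hash values, can be shown concretely. The following Python is an added example written for this page; it is not code from the textbook, the instructor manual, or any e-discovery product. The ESI items, file contents, and email messages in it are constructed, and the composite email key (normalized From/To/Cc/Date/Subject plus body, ignoring per-mailbox transport headers) is one common approach rather than a standard every tool follows.

```python
"""Hash validation and deduplication over a constructed set of ESI (added example)."""
import email
import hashlib
from dataclasses import dataclass, field
from email import policy


@dataclass
class EsiItem:
    item_id: str
    kind: str                                      # "file" or "email"
    content: bytes
    metadata: dict = field(default_factory=dict)   # name, custodian, mtime ...


def content_hash(data: bytes) -> str:
    """SHA-256 of the raw bytes: the value recorded at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def verify_item(item: EsiItem, expected: str) -> bool:
    """Re-hash an item and compare with the hash recorded when it was acquired."""
    return content_hash(item.content) == expected


def _norm_addr_list(value: str) -> str:
    """Lower-case, trim and sort a comma-separated address list so order/case differences vanish."""
    if not value:
        return ""
    return ",".join(sorted(p.strip().lower() for p in value.split(",")))


def email_dedupe_key(raw: bytes) -> str:
    """Composite key for email. Received:/X-* headers differ per recipient mailbox
    and are deliberately left out so the same message held by two custodians matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    fields = [
        (msg["From"] or "").strip().lower(),
        _norm_addr_list(msg["To"] or ""),
        _norm_addr_list(msg["Cc"] or ""),
        (msg["Date"] or "").strip(),
        " ".join((msg["Subject"] or "").split()).lower(),
        " ".join(body_text.split()),
    ]
    return content_hash("\x1f".join(fields).encode("utf-8"))


def dedupe_key(item: EsiItem) -> str:
    # Files key on content only: filename, custodian and timestamps (metadata) are ignored.
    return email_dedupe_key(item.content) if item.kind == "email" else content_hash(item.content)


def deduplicate(items):
    """Return (kept items, {suppressed id: kept id}); the first occurrence of a key is kept."""
    kept, duplicates = {}, {}
    for item in items:
        key = dedupe_key(item)
        if key in kept:
            duplicates[item.item_id] = kept[key].item_id
        else:
            kept[key] = item
    return list(kept.values()), duplicates


# ---- constructed sample data (not real case material) ----
DOC = b"MASTER SERVICES AGREEMENT v3\nTerm: 24 months. Governing law: Delaware.\nStatus: final.\n"
EMAIL_A = (b"Received: from mail1.example.com by mx.custodian-bob.example.com\n"
           b"From: Alice <alice@example.com>\nTo: bob@example.com, carol@example.com\n"
           b"Date: Mon, 03 Apr 2023 10:15:00 +0000\nSubject: Q1 forecast\n"
           b"Content-Type: text/plain; charset=utf-8\n\n"
           b"Numbers attached, please review before Friday.\n")
EMAIL_B = (b"Received: from mail1.example.com by mx.custodian-carol.example.com\n"
           b"X-Mailer: SomeClient/1.0\nFrom: Alice <alice@example.com>\n"
           b"To: Carol@example.com, bob@example.com\n"
           b"Date: Mon, 03 Apr 2023 10:15:00 +0000\nSubject: Q1  forecast\n"
           b"Content-Type: text/plain; charset=utf-8\n\n"
           b"Numbers attached, please review before Friday.\n")
SAMPLE = [
    EsiItem("F-001", "file", DOC, {"name": "MSA_v3.docx", "custodian": "alice", "mtime": "2023-03-30"}),
    EsiItem("F-002", "file", DOC, {"name": "Copy of MSA_v3.docx", "custodian": "bob", "mtime": "2023-04-02"}),
    EsiItem("F-003", "file", DOC.replace(b"final", b"FINAL"), {"name": "MSA_v3.docx", "custodian": "carol"}),
    EsiItem("E-001", "email", EMAIL_A, {"custodian": "bob"}),
    EsiItem("E-002", "email", EMAIL_B, {"custodian": "carol"}),
]


def run_sample():
    """Deduplicate the constructed set; returns (kept ids, suppressed -> kept mapping)."""
    kept, dups = deduplicate(SAMPLE)
    return [i.item_id for i in kept], dups


if __name__ == "__main__":
    print(run_sample())
```

F-002 is suppressed although its name, custodian, and timestamp differ from F-001, because deduplication keys on content, not metadata; F-003 survives because a single-word change alters the hash. The two copies of the email collapse even though the recipient-side headers differ. Keep the suppressed-to-kept mapping: a production must still be able to show which custodians held a document, and a reviewer may need to restore a "duplicate" that carried different metadata.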

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists); they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class.

1. The FIRAC Method
Duration: 20 minutes.
a. The FIRAC method is an approach to legal analysis that can be a useful tool for evaluating cases and determining their relevance to the specific issues you are facing as a digital forensics investigator.
b. What are the five items of the FIRAC method, and what does each one concern?
i. Answer: The first item is Facts: determining the actual facts of the case, i.e., answering who, what, when, where, and how.
ii. Answer: The second item is Issues: the issues arising from the case, i.e., what needs to be considered.
iii. Answer: The third item is Rules and References: which rules apply to the case and which other cases or events are referenced.
iv. Answer: The fourth item is Analysis: how the preceding items (facts, issues, rules, and references) are analyzed together.
v. Answer: The fifth item is Conclusions: what can be concluded, and on what grounds.
[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [e-discovery tools]: This activity can be conducted with students working alone or in pairs. Provide the students with links to several e-discovery tools. a. You can use the tools mentioned in this module, such as logikcull.com, digitalwarroom.com, nextpoint.com, casefleet.com, iconect.com, ipro.com/products/open-discovery, everlaw.com, and gimmal.com/gimmal-discovery-attender. b. Assign each student (or group) one of the tools; they develop a presentation on the main aspects the tool addresses (for example, which EDRM stages it covers, how it deduplicates, and how it preserves and validates data) and present their findings.

[return to top]

APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC (40 points)

Content
Meets Requirements (15 points): The assignment clearly and comprehensively addresses all questions in the assignment.
Needs Improvement (8 points): The assignment partially addresses some or all questions in the assignment.
Incomplete (0 points): The assignment does not address the questions in the assignment.

Organization and Clarity
Meets Requirements (10 points): The assignment presents ideas in a clear manner and with strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions is logically related and consistent.
Needs Improvement (7 points): The assignment presents ideas in a mostly clear manner and with a mostly strong organizational structure. The assignment includes an appropriate introduction, content, and conclusion. Coverage of facts, arguments, and conclusions is mostly logically related and consistent.
Incomplete (0 points): The assignment does not present ideas in a clear manner and with strong organizational structure. The assignment includes an introduction, content, and conclusion, but coverage of facts, arguments, and conclusions is not logically related and consistent.

Research (sources)
Meets Requirements (5 points): The assignment is based upon appropriate and adequate academic literature, including peer-reviewed journals and other scholarly work.
Needs Improvement (3 points): The assignment is based upon adequate academic literature but does not include peer-reviewed journals and other scholarly work.
Incomplete (0 points): The assignment is not based upon appropriate and adequate academic literature and does not include peer-reviewed journals and other scholarly work.

Research (citations)
Meets Requirements (5 points): The assignment follows the required citation guidelines.
Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
Incomplete (0 points): The assignment does not follow the required citation guidelines.

Grammar and Spelling
Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
Incomplete (0 points): The assignment is incomplete or unintelligible.

[return to top]


STANDARD DISCUSSION RUBRIC (30 points)

Participation
Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
Incomplete (0 points): Does not participate in discussion.

Contribution Quality
Meets Requirements (20 points): Comments stay on task. Comments add value to the discussion topic. Comments motivate other students to respond.
Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to the discussion topic. Comments may not motivate other students to respond.
Incomplete (0 points): Does not participate in discussion.

Etiquette
Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
Incomplete (0 points): Does not participate in discussion.

[return to top]



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 15: Ethics and Professional Responsibilities

Instructor Manual Module 15 Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 15: Ethics and Professional Responsibilities

TABLE OF CONTENTS
Purpose and Perspective of the Module
List of Student Downloads
Module Objectives
Module Outline
    Applying Ethics and Codes to Expert Witnesses
        Forensics Examiners' Roles in Testifying
        Considerations in Disqualification
        Factors to Consider for All Cases
        Determining Admissibility of Evidence
    Organizations with Codes of Ethics
        International Society of Forensic Computer Examiners
        International High Technology Crime Investigation Association
        International Association of Computer Investigative Specialists
        American Bar Association
        American Psychological Association
    Dealing with Ethical Challenges
        Ethical Responsibilities Owed to You
        Standard Forensics Tools and Tools You Create
        Using an Intake Form
    Performing Peer Reviews for Digital Forensics
        How to Peer-Review a Case
        Writing a Peer Review
Note About Live Virtual Machine Labs
Key Terms
Discussion Questions
Additional Projects
Appendix
    Generic Rubrics
        Standard Writing Rubric
        Standard Discussion Rubric


PURPOSE AND PERSPECTIVE OF THE MODULE The purpose of this module is to show the students the ethics and professional responsibilities that a digital forensic investigator must be aware of and comply with in order to better understand the ethics of organizations that are part of the investigation, but mostly to drive the investigator’s actions to preserve their own credibility. Additionally, the students are introduced to aspects that might allow them to identify ethical challenges and avoid potential ethical problems.

LIST OF STUDENT DOWNLOADS Students should download the following items from the Student Companion Center to complete the activities and assignments related to this module: none are listed for this module.

MODULE OBJECTIVES The following objectives are addressed in this module: 1. Explain how ethics and codes apply to expert witnesses. 2. Explain how other organizations’ codes of ethics apply to expert testimony. 3. Identify ethical challenges in expert testimony. 4. Perform peer reviews of digital forensics examinations.


MODULE OUTLINE Consider the following teaching tips when assigning this module to your students.

APPLYING ETHICS AND CODES TO EXPERT WITNESSES 1. Explain to the students that the standards that others apply to them or that they are compelled to adhere to by external forces, such as licensing bodies, can be called ethics, but they are more accurately described as rules of conduct. 2. Point out to the students that one of the most effective mechanisms for protecting themselves at a personal level and a legal level is to ensure that they have nothing to hide. 3. Mention that expert witnesses are expected to present unbiased, specialized, and technical evidence to a jury; however, experts, like the attorneys who hire them, have biases and other ethical failings. 4. Explain that efforts to create a general code of ethics for expert witnesses are ongoing.

Forensics Examiners’ Roles in Testifying 1. Explain to the students that forensics examiners have two roles in terms of testifying: testifying to facts found during evidence recovery (fact witness) and rendering an opinion based on education, training, and experience (expert witness). 2. Point out that the most effective way to prevent opinion shopping is to require that the attorney retaining their services send them enough material on the case for them to make an evaluation.

Considerations in Disqualification 1. Explain to the students that the process by which an expert witness is excluded from testifying due to the violation of court rules or laws is called disqualification. 2. Point out that some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them. 3. Remind students that before allowing an attorney to describe any case details, they should determine who the parties are to reduce the possibility of a conflict. 4. Explain the many situations and factors courts have used in determining whether to disqualify an expert.

Factors to Consider for All Cases 1. Explain to the students that expert witnesses should be careful and professional in their work, and with each case, they should carefully consider four main factors. 2. Point out that the work process protects investigators from future liability or ethical complaints.

Determining Admissibility of Evidence 1. Explain to the students that although stating hypothetical questions during examination is no longer required in court, these questions can provide the factual structure to support and defend your opinion. 2. Mention that if a question on admissibility arises under FRE 702 or 703, the court might require underlying facts or data to determine whether or to what extent the expert should be permitted to testify.

ORGANIZATIONS WITH CODES OF ETHICS 1. Explain to the students that no single source offers a definitive code of ethics for expert witnesses, so they must draw on standards from other organizations to form their own ethical standards. 2. Many professional organizations have rules to guide their members in areas such as interaction with patients and clients, objectivity, role in society, fees, solicitation, independence, and contractual relationships.

International Society of Forensic Computer Examiners 1. Explain to the students that the International Society of Forensic Computer Examiners (ISFCE) Code of Ethics and Professional Responsibility provides guidelines for its members on how they are expected to perform their duties as forensics examiners. 2. Point out the ISFCE code of ethics’ six guidelines. 3. Mention that members of ISFCE are expected to maintain their integrity by reporting other members who violate the code of conduct to the society.


International High Technology Crime Investigation Association 1. Explain to the students that the International High Technology Crime Investigation Association (HTCIA) provides a detailed Code of Ethics of Professional Standards Conduct for its members. 2. Point out that HTCIA core values include the two requirements related to testifying.

International Association of Computer Investigative Specialists 1. Explain to the students that the International Association of Computer Investigative Specialists (IACIS) provides a well-defined, simple guide describing the expected behavior of forensics examiners. 2. Point out that these standards follow the principles defined by other professional organizations for investigations and testimony and include five standards that apply to testifying.

American Bar Association 1. Explain to the students that the American Bar Association (ABA) is not a licensing body, but the ABA’s Model Code of Professional Responsibility (Model Code) and its successor, the Model Rules of Professional Conduct (Model Rules), are the basis of state licensing bodies’ codes. 2. Point out that the ABA has stated that expert witnesses, unlike attorneys, do not owe a duty of loyalty to their clients.

American Psychological Association 1. Explain that for psychologists, the broadly accepted guidelines governing their conduct as experts are the American Psychological Association’s (APA) Ethical Principles of Psychologists and Code of Conduct (commonly referred to as the Ethics Code). 2. Point out to the students that the Ethics Code consists of standards that are enforceable rules for the conduct of psychologists and applies only to psychologists’ activities in scientific and professional functions that are psychological in nature.


DEALING WITH ETHICAL CHALLENGES 1. Explain that there are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts). 2. Point out to the students that an expert can appear in the role of an impartial educator whose purpose is to help the judge or jury understand a fact or an issue. 3. Argue that ethical problems surface when experts decide to advocate for one side, as they must consider the line between using research to argue one side of an issue fairly and distorting and misrepresenting available research. 4. Explain that all guidelines rely primarily on the internalization of the codes and the witnesses’ analyses of when and how they will participate in a case.

Ethical Responsibilities Owed to You 1. Explain to the students that attorneys owe them a fair statement of the case or situation, adequate time to review the evidence and prepare their report, and a reasonable opportunity to examine data, conduct testing, and investigate the matter before rendering an opinion. 2. Mention to the students that most attorneys, including opposing counsel, are competent, courteous professionals, but if they are not, abuses might include inquiry into the expert's personal finances; unless this inquiry is about compensation terms for the current case, it is inappropriate. 3. Point out to the students that a less costly alternative to having their own attorney attend a deposition in person is arranging to have their attorney available by phone during the deposition.

Standard Forensics Tools and Tools You Create 1. Explain that the tools they use to recover, control, and track evidence are subject to review by opposing parties. 2. Mention that "borrowing" code from other products or incorporating other tools into their own without acknowledgment or paying royalties could be a violation of copyright law and is considered theft. 3. Point out to the students that it is important that a digital forensics examiner uses software applications that are licensed to their organization or to themselves.

Using an Intake Form 1. Explain that for digital forensics examiners working in the private sector, it is wise to consider creating an intake form for all requested examinations. 2. Mention that when developing an intake form, they should keep in mind its primary purpose, which is to identify any possible conflicts of interest that may occur when being asked for their services or their opinion by someone they have no or little knowledge about. 3. Point out the specific information of intake form references, and digital forensics intake form contents.

PERFORMING PEER REVIEWS FOR DIGITAL FORENSICS 1. Explain that as a digital forensics examiner, they may be asked to provide peer reviews of other examiners' casework. 2. Point out to the students that an adequately written peer review should provide feedback to the requester along with ideas and opinions the original examiner's analysis of the case did not consider. 3. Explain that the five types of peer review used for academic papers also apply to digital forensics: single-blind review, double-blind review, triple-blind review, collaborative review, and open review.

How to Peer-Review a Case 1. Explain that the primary responsibility when conducting a peer review is to provide honest, constructive feedback on the creator’s report. 2. Mention the multiple action items when reviewing a report or a case in general. 3. Point out that for every point listed in a case report, they should provide a counterpoint argument.

Writing a Peer Review 1. Explain that peer reviews can be written as a simple memorandum, such as an informal report, or as a formal report. 2. Mention the content and topic requirements a peer review must contain regardless of which format is used. 3. Point out that a peer review report should be objective and should include evidence that supports or disputes the other examiner's findings.

[return to top]

NOTE ABOUT LIVE VIRTUAL MACHINE LABS The live virtual machine labs provide hands-on practice that helps students learn the material covered in each module. Throughout the labs, students encounter gradable assessments in the form of multiple-choice questions, as well as requests to use lab functionality and record screenshots of their live virtual machine lab desktop to document their progress. The introduction in the content pane of each live virtual machine lab lists the learning outcomes students should be able to achieve after completing the module, along with the exam objectives the lab covers. The main focus of the live virtual machine labs is the practical, hands-on side of the exam objectives; the labs do not map directly to the topics covered in each module of the book or MindTap course. Students should refer to the course materials to research theoretical topics in more detail. [return to top]

KEY TERMS
Code of professional conduct or responsibility: A set of external rules that often have the effect of law in limiting professionals' actions; breach of these rules can result in discipline, including suspension or loss of a license to practice, as well as civil and criminal liability.
Contingency fees: Payments that depend on the content of the expert's testimony or the outcome of the case.
Disqualification: The process by which an expert witness is excluded from testifying.
Ethics: Rules that people internalize and use to measure their performance; sometimes also used to refer to external rules (codes of professional conduct or responsibility).

[return to top]

DISCUSSION QUESTIONS The following are discussion questions that do not appear in the text, PPTs, or courseware (if courseware exists); they are for you to use as you wish. You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class.

1. Ethics and Rules
Duration: 15 minutes.
a. Ethics are the rules you internalize and use to measure your performance. The standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies, can be called ethics, but they are more accurately described as rules of conduct.
b. While ethics is a personal matter, who usually establishes rules of conduct? Give examples. Answer: Professional associations and licensing bodies do; many professions now call such a set of rules a code of professional conduct or responsibility. Examples are the International Society of Forensic Computer Examiners (ISFCE) Code of Ethics and Professional Responsibility and the International High Technology Crime Investigation Association (HTCIA) Code of Ethics of Professional Standards Conduct.
c. Provide examples of some practical differences between ethics and rules of conduct for expert witnesses. Answer: Ethics, as a personal matter, may include a commitment to presenting unbiased, specialized, and technical evidence. A rule of conduct states the same expectation as an enforceable requirement of an organization; for example, the ISFCE code requires members to maintain the utmost objectivity in all forensic examinations and present findings accurately; conduct examinations based on established, validated principles; testify truthfully in all matters before any board, court, or proceeding; avoid any action that would appear to be a conflict of interest; never misrepresent training, credentials, or association membership; and never reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or the client's express permission.
[return to top]

ADDITIONAL PROJECTS The following are activities and assignments developed by Cengage but not included in the text, PPTs, or courseware (if courseware exists) – they are for you to use if you wish.

1. [Peer-Review a Case]: This activity can be conducted with students working individually or in groups. Provide the students with a set of case reports. a. You can get samples of digital forensic reports at https://www.salvationdata.com/work-tips/write-a-forensic-report/. b. The students write a peer review for one of the cases provided, following the instructions stated in the Analysis section of this module. c. The students (or groups) may then exchange the peer reviews they produced and critique one another's reviews.

[return to top]


APPENDIX GENERIC RUBRICS Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubric templates as you wish. The writing rubric indicates 40 points, and the discussion rubric indicates 30 points.

STANDARD WRITING RUBRIC Criteria Content

Organization and Clarity

Research

Meets Requirements Needs Improvement Incomplete The assignment clearly The assignment partially The assignment does not and comprehensively addresses some or all address the questions in addresses all questions in questions in the the assignment. the assignment. assignment. 0 points 15 points 8 points The assignment presents The assignment presents The assignment does not ideas in a clear manner ideas in a mostly clear present ideas in a clear and with strong manner and with a manner and with strong organizational structure. mostly strong organizational structure. The assignment includes organizational structure. The assignment includes an appropriate The assignment includes an introduction, content, introduction, content, and an appropriate and conclusion, but conclusion. Coverage of introduction, content, and coverage of facts, facts, arguments, and conclusion. Coverage of arguments, and conclusions are logically facts, arguments, and conclusions are not related and consistent. conclusions are mostly logically related and 10 points logically related and consistent. consistent. 0 points 7 points The assignment is based The assignment is based The assignment is not upon appropriate and upon adequate academic based upon appropriate adequate academic literature but does not and adequate academic literature, including peer include peer reviewed literature and does not reviewed journals and journals and other include peer reviewed other scholarly work. scholarly work. journals and other 5 points 3 points scholarly work. 0 points

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.



Instructor Manual: Phillips, Guide to Forensics and Investigations, 7th Edition, 9780357672884; Module 15: Ethics and Professional Responsibilities

Criteria: Research (citations)
  Meets Requirements (5 points): The assignment follows the required citation guidelines.
  Needs Improvement (3 points): The assignment follows some of the required citation guidelines.
  Incomplete (0 points): The assignment does not follow the required citation guidelines.

Criteria: Grammar and Spelling
  Meets Requirements (5 points): The assignment has two or fewer grammatical and spelling errors.
  Needs Improvement (3 points): The assignment has three to five grammatical and spelling errors.
  Incomplete (0 points): The assignment is incomplete or unintelligible.


STANDARD DISCUSSION RUBRIC

Criteria: Participation
  Meets Requirements (5 points): Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses.
  Needs Improvement (3 points): Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Contribution Quality
  Meets Requirements (20 points): Comments stay on task. Comments add value to the discussion topic. Comments motivate other students to respond.
  Needs Improvement (10 points): Comments may not stay on task. Comments may not add value to the discussion topic. Comments may not motivate other students to respond.
  Incomplete (0 points): Does not participate in discussion.

Criteria: Etiquette
  Meets Requirements (5 points): Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback.
  Needs Improvement (3 points): Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback.
  Incomplete (0 points): Does not participate in discussion.
