Forensic Examination Project

Scenario:

You are a computer forensic examiner working for the Department of Homeland Security.  You will be investigating a forensic image of a flash drive found during the search of an office belonging to a suspected terrorist cell (you can assume you found it during your crime scene search).  Investigators suspect it may have critical evidence on it that will lead them to break up a terrorist cell.  It is believed that this cell is planning some type of attack in the

United States

. Your job is to conduct a forensic analysis of the disk and write a complete forensic report of your findings.

Tools:

·        

You may use any FORENSIC tools available to you.

• At the very least you should use:
  
• FTK Imager (to verify the image and hash values)
  
• FTK Toolkit (to conduct the majority of your investigation)
  
• ExifPro (to examine JPEG files)
  

• .

What to Look For:

·        

You may want to look for deleted files, internet files, images, documents, email communications, and any other file types or information you can find. 

·        

You may want to extract these files to analyze them closer. 

·        

Remember to look for metadata that may provide you with additional information. 

·        

Remember, you are looking for evidence to help break up a terrorist cell and prevent an attack.

·        

You may want to look for evidence of parties involved, locations, types of attack, etc.

·        

You may also want to establish a timeline – this may be crucial if an attack is imminent.

 
.

The Report:

·        

Your report will be approximately 10-20 pages OF TEXT (not including your screenshots, lists of evidence, content of evidence files, etc.)

·        

You should give a detailed (step by step) explanation of what you did, what you found, and how and where you found it.

·        

You may use screen shots and file content as an appendix.

• Do not include screen shots in the body of your report!!
  
• Do not include the content of the evidence files in the body of your report!!
  
• Crop your screenshots so only relevant information is showing I shouldn’t be able to see your desktop or other open files.
  

·        

Follow the “Forensic Report Guidelines” you have been given during lecture.

• Do not try to analyze the content of files.
  
• Stick to the FACTS!
  
• Your report should explain the technical aspects (e.x. what is a link file, why is this important, explain it so a non-technical person can understand.)
  
• Just giving a list of evidence with no explanation of how you found it and what it means (as far as the technical aspect) is insufficient.  Don’t just say you found it using FTK – explain!
  
• Analyze the metadata!
  
• You have more than enough evidence on the disk to EASILY write this much text.  If you are having a hard time, you probably missed a significant amount of evidence.
  

Formatting:

• Include a title page
  
• Text should be single spaced, 0 spacing before & after
  
• Font should be set to Arial or Calibri
  
• Font should be set to 12 point
  
• Margins should be set to 1 inch
  
• Paragraphs should be set to Justify (not left, right, or center aligned)
  

• .

·        

You should include headings and subheadings

• Your report should be in complete sentences, free of grammatical/spelling errors, easy to read, and professional.
  

<li style="margin-bottom: 6.0pt; margin-right: 54.0pt; ma