Step 1: FTK Imaging Lab Report

One of the first steps in conducting forensic investigations often involves creating an image of the forensic evidence. Forensic evidence can be found in operating systems, network traffic (including e-mails), and software applications. To help the detectives in your department understand the digital forensics investigation process better, you have offered to show them how you create an image using FTK Imager. FTK Imager can be used to analyze many types of media including audio, pictures, and videos. Graphics files can be a rich source of forensic evidence.

Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is very similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and text file (CSEC662_Lab1_Name.ad1) that document your imaging process with information such as hash values.

Submit your report for review and ungraded feedback from the detectives (your instructor). Incorporate any suggested changes; you will include your report in the Use of Access Data Tools paper that you submit in Step 4.

Now that you have demonstrated the imaging process and investigative techniques to detectives, you are ready to proceed to the next step in which you demonstrate the use of Registry Viewer.

Step 2: Process an Image from the suspect Mantooth’s computer

Keywords: Examining meta data, File systems, Hexadecimal and ASCII,Operating Systems, Report writing, File system information gathering

In the previous step you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis so you decide to go to the virtual lab and use Registry Viewer to access user account information for the image from the Mantooth computer. The Mantooth image is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. Registry Viewer provides the ability to view the contents of various types of registry files so it will help to answer some of the questions posed by detectives. You can also investigate the suspect Mantooth’s e-mail activity and picture files.

The detectives have requested the following information:

1. 
Mantooth’s first name and a screenshot of a picture

2. 
Number of jpg files in the Mantooth evidence file

3. 
Names of the e-mail domains from the e-mail in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received e-mail message for each domain

4. 
Names of people who have sent e-mail to or received e-mail from Mantooth, and the number of e-mails sent or received to and from each person

5. 
Information on encryption—whether it was used for any of the e-mail, and if so, what type

6. 
Evidence of potential criminal activity within this image

7. 
Information on how PINs were captured

8. 
Vehicle Identification Number of the ’92 Dodge

9. 
Identity of Sean and his role in this case

10.             
Malware that initiates on startup

11.             
Information on password(s)—where you found it/them, whether it/they are usable, what it/they are used for

The detectives are also asking for:

1. 
Summary of findings

2. 
Case documentation, such as tools used, version, and image hashes

3. 
Screenshots or other forensic artifacts supporting your responses to the questions

You review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using Access Data tools (Step 4).

Just when you think that the detectives are satisfied with the information that you’ve provided, they request even more information on the suspects and the crime. You can’t say no, so you turn to PRTK to help you access that data…

Click here to request for this assignment help