Forensic Examination Project

Scenario:
You are a computer forensic examiner working for the Department of Homeland Security.  You will be investigating a forensic image of a flash drive found during the search of an office belonging to a suspected terrorist cell (you can assume you found it during your crime scene search).  Investigators suspect it may have critical evidence on it that will lead them to break up a terrorist cell.  It is believed that this cell is planning some type of attack in the United States. Your job is to conduct a forensic analysis of the disk and write a complete forensic report of your findings.

Tools:
•    You may use any FORENSIC tools available to you.
o    At the very least you should use:
▪    FTK Imager (to verify the image and hash values)
▪    FTK Toolkit (to conduct the majority of your investigation)
▪    ExifPro (to examine JPEG files)

What to Look For:
•    You may want to look for deleted files, internet files, images, documents, email communications, and any other file types or information you can find.
•    You may want to extract these files to analyze them closer.
•    Remember to look for metadata that may provide you with additional information.
•    Remember, you are looking for evidence to help break up a terrorist cell and prevent an attack.
•    You may want to look for evidence of parties involved, locations, types of attack, etc.
•    You may also want to establish a timeline – this may be crucial if an attack is imminent.

The Report:
•    Your report will be approximately 10-20 pages OF TEXT (not including your screenshots, lists of evidence, content of evidence files, etc.)
•    You should give a detailed (step by step) explanation of what you did, what you found, and how and where you found it.
•    You may use screen shots and file content as an appendix.
o    Do not include screen shots in the body of your report!!
o    Do not include the content of the evidence files in the body of your report!!
o    Crop your screenshots so only relevant information is showing… I shouldn’t be able to see your desktop or other open files.
•    Follow the “Forensic Report Guidelines” you have been given during lecture.
o    Do not try to analyze the content of files.
o    Stick to the FACTS!
o    Your report should explain the technical aspects (e.g. what is a link file, why is this important, explain it so a non-technical person can understand.)
o    Just giving a list of evidence with no explanation of how you found it and what it means (as far as the technical aspect) is insufficient.  Don’t just say you found it using FTK – explain!
o    Analyze the metadata!
o    You have more than enough evidence on the disk to EASILY write this much text.  If you are having a hard time, you probably missed a significant amount of evidence.

Formatting:
•    Include a title page
•    Text should be single spaced, 0 spacing before & after
•    Font should be set to Arial or Calibri
•    Font should be set to 12 point
•    Margins should be set to 1 inch
•    Paragraphs should be set to Justify (not left, right, or center aligned)
•    You should include headings and subheadings
•    Your report should be in complete sentences, free of grammatical/spelling errors, easy to read, and professional.
•    If you use any outside sources, you must cite them using APA citations
•    Your report must have a red watermark on every page stating: “THIS IS AN EDUCATIONAL PROJECT”.  Any project that does not have this will be a zero.
o    Page Layout – Watermark – Custom Watermark – Text Watermark
o    Change the text to “THIS IS AN EDUCATIONAL PROJECT”
o    Change the color to RED, transparency to 75%
•    Your file must be less than 10MB to be submitted to SafeAssign.
o    Compress your graphics by using the “Compress Pictures” option in Word.
o    Choose the smallest file size possible.

Hints:
•    Remember:  your report should read like a story.  A list of evidence is not sufficient for a report… you need to explain how/where you found the evidence.
•    You are not a terrorism analyst, so do not try to interpret the evidence… present the facts as you find them.  Remember… you can’t say a specific person did something.
•    Your report should document each step in your analysis and explain what you did, what you found, how, where, and what the technical aspects mean.
•    Don’t interpret the file content – that is out of the scope of your job!
•    You can’t say a specific person did something – make sure you differentiate between PEOPLE and USERNAMES
•    Stick to the facts
•    Write in first person
•    Include LOTS of screenshots – but these go in the appendix, not the body of your report!
•    Don’t forget to include the basics in your report – who are you? Your authority? What case is this? Background?
•    Open the image with FTK Imager – verify it to make sure the hash values match what was given
•    Open the image in FTK to start your analysis
•    Document each step!!
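The hash verification the hints call for, plus the MAC times the checklist asks you to list, as an added Python example (it is not part of the assignment and is not code from FTK Imager or any other tool). It assumes the given hashes are supplied as MD5 and SHA-1 hex strings and hashes a constructed stand-in "image" written to a temporary file.

```python
import hashlib, io, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a large image never has to fit in RAM


def hash_stream(fh):
    """MD5 and SHA-1 of a readable binary stream, the two values FTK Imager reports."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_image(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def verify_image(path, given):
    """Compare computed hashes with the given ones (case-insensitive).
    Returns (all_match, detail) so both values can be quoted in the report."""
    computed = hash_image(path)
    detail = {alg: {"given": given[alg].lower(), "computed": computed[alg],
                    "match": given[alg].lower() == computed[alg]} for alg in given}
    return all(d["match"] for d in detail.values()), detail


def mac_times(path):
    # UTC ISO-8601 timestamps for the evidence list; st_ctime is metadata-change
    # time on Linux/macOS and creation time only on Windows.
    st = os.stat(path)
    to_utc = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")
    return {"modified": to_utc(st.st_mtime), "accessed": to_utc(st.st_atime),
            "changed_or_created": to_utc(st.st_ctime)}


def demo():
    """Constructed sample: a tiny stand-in 'image' holding the bytes b'abc'."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"abc")
        path = tmp.name
    given = {"md5": "900150983CD24FB0D6963F7D28E17F72",  # as handed over with the evidence
             "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    ok, _ = verify_image(path, given)
    bad, _ = verify_image(path, dict(given, md5="0" * 32))  # constructed mismatch
    times = mac_times(path)
    os.unlink(path)
    return ok, bad, sorted(times)
```

Quote both the given and computed values from `detail` in the report, and state which algorithm each one is, so a reader can repeat the verification step exactly.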

Checklist:

Content:
☐    I included the case background, my name, who I work for, etc.
☐    I verified the hash value before anything else.
☐    I included the given hashes and calculated hashes.
☐    My report only includes FACTS, no opinions or interpretations.
☐    I did not analyze the file content.
☐    My report includes the file names of evidence items.
☐    My report includes the file paths of evidence items.
☐    My report includes the MAC dates and times of evidence items.
☐    My report explains if the evidence is a file, deleted file, etc. and explains what this means.
☐    Someone could read my report and follow my steps exactly step by step.  (I explain what I did.)
☐    Any technical term includes an explanation of what it is, in layman’s terms. (I explain what everything means.)
☐    All evidence mentioned in the report is in the appendix.
☐    I don’t say a specific person did something. (Usernames are differentiated from a person’s name.)
☐    All evidence is documented in the report.
☐    I do not have any inaccurate information in my report.

Formatting:
☐    I included my watermark.
☐    I compressed my graphics and my project is less than 10MB.
☐    I followed formatting guidelines for font, line spacing, etc.
☐    I do not have screenshots in the body of my report.
☐    I do not have file content in the body of my report.
☐    My appendix has labels for each evidence item.
☐    I spell checked and proofread my report.
☐    My report is well formatted and easy to read.
☐    I use headings and subheadings.
☐    I do not have long paragraphs.
☐    Only one evidence item is discussed per paragraph.
