Practical Task Overview and notes
Tasks 1, 2, 3: The Crime Scene
Observe crime scene (photo) and identify sources of digital evidence.
Suggest possible content of forensic interest
Understand need to preserve the scene
Examine photos of different environments, identify digital devices and possible evidence, and make a record of exhibits to begin the chain of custody
As above, but compare the photos and record from the original and follow-up visits to the crime scene and identify possible tampering. Consider how to make an accurate and reliable record of the crime scene.
(model building to consolidate 1 and 2)
Tasks 4, 5, 6: Acquisition
FTK Imager, keep the records and files
4: Memory dump of live machine
5: Forensic copy of USB drive. Raw image of logical drive. Green drive 2-500MB. “Evidence”, some file deleted.
6: Speccy (machine profile)
Tasks 7, 8: Basic examination
Manually browse suspect’s USB stick
Keep a record of examination and notes of forensic interest in chronological order
Obscure volume contents / files in some way (misnamed, wrong extensions etc)
Review: use the Autopsy tool or similar to perform an analysis to detect the obscuration and generate a forensic record
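One way to see what an extension-mismatch check does for the misnamed files in Tasks 7 and 8, as an added example that is not part of the original course notes or of Autopsy. It assumes the files have been exported from a working copy of the image into a folder; the function names and the short signature table are illustrative, and the sample files are constructed.

```python
import hashlib
from pathlib import Path

# Small illustrative table: leading "magic" bytes, type name, extensions that normally carry them.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]
KNOWN_EXTS = set().union(*(exts for _, _, exts in SIGNATURES))

def identify(header):
    """Return (type name, expected extensions) for a file header, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, set()

def find_mismatches(root):
    """List files under root whose extension disagrees with their content signature."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()  # read-only; acceptable for a small USB export
        kind, exts = identify(data[:16])
        ext = path.suffix.lower()
        if kind is not None and ext not in exts:
            reason = "content signature does not match extension"
        elif kind is None and ext in KNOWN_EXTS:
            reason = "extension claims a type whose signature is absent"
        else:
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "detected": kind,
            "reason": reason,
            "sha256": hashlib.sha256(data).hexdigest(),  # ties the note to the exact bytes
        })
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample files, not real evidence
        Path(d, "notes.txt").write_bytes(b"%PDF-1.4 constructed sample")
        Path(d, "photo.jpg").write_bytes(b"plain text, constructed sample")
        for finding in find_mismatches(d):
            print(finding)
```

Each finding can be copied into the chronological examination record, with the SHA-256 identifying exactly which bytes were examined.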
Task 10: image analysis: steganography
Task 11: Autopsy analysis of USB drive from “crime scene”