In this lab, you acted as a forensic specialist assisting the lead forensics investigator at the Cyber Crimes Division (CCD) of the Fremont Police Department. You were given a hard drive image taken from a seized computer suspected of containing stolen credit card numbers. You reviewed the search warrant and completed the Chain of Custody form that accompanied the evidence drive. Using a variety of forensic tools, you prepared the contents of the seized hard drive as evidence in accordance with the Daubert standard. You used FTK Imager to create hashes for key evidence files, then validated those hash values with EnCase Imager and P2 Commander, two common forensic analysis tools.
Lab Assessment Questions & Answers
1. Why is the unallocated space of a Windows system so important to a forensic investigator?
2. From where were the badnotes1.txt and badnotes2.txt files recovered?
3. What is the INFO2 file used for?
4. How do you generate a hash file in FTK Imager?
5. What was the MD5 hash value in 043458.csv, the deleted e-mail file?
6. What is the Daubert standard?
7. Why must a forensic investigator be familiar with emerging technologies?