Add to collection(s) Add to saved
  1. No category
Uploaded by Jessica Dennis

Lab 1 - Applying the Daubert Standard to Forensic Evidence

advertisement 
Lab 1 - Applying the Daubert Standard to Forensic Evidence
Part 1: Complete Chain of Custody
Note: The local police department has been investigating the case of an individual, Ralf Peterson, a
Fremont bank teller, who is suspected of credit card fraud. The officer in charge, John Doe, has
processed the search warrant and seized a hard drive captured at the suspect's home. The police
department has assigned 10001-FMT-CCD as the case number for the Peterson case.
In the next steps, you will review the search warrant and complete the chain of custody form to take
possession of seized property.
1. On the vWorkstation desktop, there is a folder named 10001-FMT-CCD. You will save your
work to this folder as the lab progresses.
2. Double-click the warrant.pdf file on the vWorkstation desktop to open it in Adobe Reader
and review it.
3. Close the Adobe Reader window.
4. Double-click the chain_of_custody_10001.pdf file on the vWorkstation desktop to open it in
Adobe Reader.
5. In the Transfer History section of the form, type the following information in the first block of
entries to record the transfer of data.
o Transferred from: John Doe
o Transferred to: yourname and date, replacing yourname and date with your own
name and the current date
o Where is the evidence now stored: Fremont PD
o How is the evidence now secured: Police storage locker
o Typically this document would be signed by the investigator as well, but you will not
be able to add an actual signature to this form.
6. From the Adobe Reader menu select Save As.
7. In the Save As dialog box, navigate to the 10001-FMT-CCD folder you created earlier in the
lab (This PC > Desktop > 10001-FMT-CCD), typeyourname_Chain_of_Custody in
the File name box, replacing yourname with your own name, and clickSave to save this file
to the evidence folder.
8. Close the Adobe Reader window.
Part 2: Extract Evidence Files and Create Hash Codes
Note: In the next steps you will use FTK Imager, a commonly used forensic tool, to create evidence
files for court that adhere to the Daubert standard. In the next steps you will create hashes of key
evidence files. To adhere to the Daubert standard, the prosecution must be able to show that the
evidence files were not altered in any way by the forensic process. The tools, processes, as well as
the product of the investigation are essential to enabling the judge to determine if product amounts
to admissible evidence. The hash codes you create with FTK Imager now will be validated using
other forensic tools in later parts of this lab.
1. Double-click the AccessData FTK Imager icon on the vWorkstation desktop to open the
application and maximize the Access Data FTK Imager window.
2. From the AccessData FTK Imager menu, select File > Add Evidence Item.
3. In the Select Source dialog box, click the Image File radio button and click Next to
continue.
4. In the Select File dialog box, click the Browse button and navigate to the vm_image folder
(This PC > Local Disk (C:) > ISSA_TOOLS > ForensicTools > vm_image) and doubleclick theevidence_drive.e01.E01 file click Open and then click Finish.
5. In the Evidence Tree pane at the top left, navigate to the [unallocated space] item
(evidence_drive.e01.E01 item > Partition 1 > NONAME > [unallocated space]).
Note: In Windows systems deleted file are not actually deleted; they are retained in
the unallocated space on the hard drive. This is often a very evidence-rich area of the
evidence drive, as deleted files always lead investigators to explore motives.
6. Click the first file in the File List pane at the top right to display the contents of the file in the
Display pane at the bottom right.
The File List pane displays file in alphabetical order based on the file name. The Display
pane will show images, hex view, or clear text, depending on the file type.
7. Click the second file in the File List pane to see how an image is displayed.
8. Click the 043458 file in the File List pane to see a deleted e-mail message.
9. Right-click the 043458 e-mail file in the File List pane and select Export File Hash
List from the context menu to create a hash code for this file.
Note: When you use the Export File Hash List, you are generating a human-readable file
that contains three important fields: MD5, SHA1, and filename location. The MD5 is the hash
value of the file, SHA1 is the file signature, and the filename location is the name of the
imaged/seized drive, along with full-path name (within the drive image) of the file. When
vetting/verifying evidence, as long as the file remains unchanged, these three fields will be
the same regardless of the forensic tool (FTK Imager, EnCase Imager, Electronic Evidence
Examiner (E3), or others) used to view it.
10. In the Save As dialog box, navigate to the 10001-FMT-CCD folder you created earlier in the
lab (This PC > Desktop > 10001-FMT-CCD), type 043458.csv in the File name box, and
click Save to save this file to the evidence folder.
You will have a chance to explore the .csv file later in this part of the lab.
11. In the Evidence Tree pane, navigate to the RECYCLER folder (evidence_drive.e01.E01
item > Partition 1 > NONAME > [root] > RECYCLER).
Note: The e-mail file included an attachment that was also deleted. In Windows systems, the
Recycler holds the files that the user deleted. Unlike the unallocated space of a computer,
the contents of the Recycler remain visible to the user and can be undeleted if required. It is
one of the first places an investigator should explore. Files in the Recycler no longer retain
the same file name as they did before being deleted; they are renamed Dcxx, but keep the
original file text. Because files in the Recycler could be restored, that original naming and file
location are retained in the INFO2 file, in all Windows systems except Windows Vista. The
fact that a file was deleted shows that the owner of this computer wanted to hide it. While not
criminal per se, this behavior is suspect.
12. In the Recycler, double-click the S-1-5-21-839522115-162531612-2147315267-500 item to
explore the contents.
13. In the File List pane, click the INFO2 file to view the file in the Display pane.
14. Use the scrollbar in the Display pane to view the complete contents of the file.
Note: The right pane of the INFO2 file contains the original file name and location of the
deleted files that are now stored as Dcx in the Recycler. In this case, Dc1.txt is the Recycler
name for the badnotes1.txt file that was deleted from the Downloads folder, according to the
information in the INFO2 file. Dc2.txt is the Recycler name for the badnotes2.txt file. The
remaining Dcx files are not relevant to this case.
15. Right-click the INFO2 file and select Export File Hash List from the context menu.
16. In the Save As dialog box, navigate to the 10001-FMT-CCD folder you created earlier in the
lab (This PC > Desktop > 10001-FMT-CCD), type INFO2.csv in the File name box, and
click Save.
17. In the File List pane, click the Dc1.txt file to view the contents in the Details pane.
You will see questionable content about the stolen credit cards, which is therefore worth
identifying as part of the evidence file for this case.
18. Make a screen capture using screenshot tool showing the contents of the Dc1.txt file
and paste it into the Lab Report file.
19. Right-click the Dc1.txt file in the File List pane and select Export File Hash List from the
context menu to create a hash code for this file.
20. In the Save As dialog box, navigate to the 10001-FMT-CCD folder you created earlier in the
lab (This PC > Desktop > 10001-FMT-CCD), type Dc1.csv in the File name box, and
click Save.
21. Repeat steps 17-20 for the Dc2.txt file, saving the file hash list for this file as Dc2.csv.
Note: At this point in the investigation you have identified badguy11111@gawb.com as a
suspected co-conspirator, based on a deleted email which proves that your original suspect,
Ralf Peterson, and badguy11111 were in communication about stolen credit cards. The
email included an attachment, badnotes2.txt, that was discovered in the Recycler with a
related file; badnotes1.txt. All of these files have been saved to the evidence folder for this
case. FTK Imager does not have a search function, so the search for evidence must be done
manually. A thorough investigation can take days, but you have a head-start because the
suspect, Ralf Peterson, was caught red-handed at his computer. You will be searching the
Desktop.
22. In the Evidence Tree pane, navigate to the Desktop (evidence_drive.e01.E01 item >
Partition 1 > NONAME > [root] > Documents and Settings > Administrator > Desktop).
23. Make a screen capture using screenshot tool showing the contents of the Desktop folder
and paste it into the Lab Report file.
24. Right-click the first file in the File List and selectExport File Hash List from the context
menu.
25. In the Save As dialog box, navigate to the 10001-FMT-CCD folder you created earlier in the
lab (This PC > Desktop > 10001-FMT-CCD), type filename.csv in theFile name box,
replacing filename with the actual filename of the file, and click Save.
26. Repeat steps 24-25 for each file in the File List.
27. Close the AccessData FTK Imager window.
28. Double-click the 10001-FMT-CCD folder on the vWorkstation Desktop to view the contents.
29. Right-click the 043458.csv file and select Open with > Notepad to open it.
The MD5 and SHA1 hash codes generated by FTK Imager will remain the same, no matter
which investigator, which program, or which day the files are touched. Only if the file
changes will these hash codes change, thereby assuring the court that the evidence they are
looking at has not been altered.
30. Copy the contents of the file and paste it into the Lab Report file.
31. Repeat steps 29-30 for each .csv file in the case folder.
32. Close the Notepad window.
33. Close the File Explorer.
Part 3: Verify Hash Codes with EnCase Imager
Note: In the next steps you will use Encase Imager, a popular forensic tool, to validate that the MD5
hash generated by FTK Imager does not change even when explored in another forensic tool.
1. Double-click theencase_forensic_imager_(x64)_709.exe icon on the vWorkstation desktop
to open the application.
2. If prompted, click No to dismiss the pop-up window.
3. In EnCase Imager, click the Add Evidence File link.
4. In the Add Evidence File dialog box, navigate to vm_image folder (This PC > Local Disk
(C:) > ISSA_TOOLS > ForensicTools > vm_image) and double-click
the evidence_drive.e01.E01 file to select it.
5. In EnCase Imager, click the untitled item in the Name column to open the Evidence tree
pane on the left of the window.
6. In the Evidence tree pane, double-click the RECYCLER to expand it and click the S-1-521-839522115-162531612-2147315267-500 item to view the contents.
7. In the right-hand pane, click the INFO2 checkbox, right-click the INFO2 file, and
select Acquire > Create Logical Evidence File from the context menu.
8. In the Create Logical Evidence File dialog box typethe following details,
replacing yourname with your own name.
o Name: INFO2
o Evidence Number: 1
o Case Number: 10001-FMT-CCD
o Examiner Name: yourname
o Output Path: C:\Users\ucertify\Desktop\10001-FMT-CCD\INFO2.Lx01
9. Click OK to save the evidence.
10. From the EnCase Imager menu, select Add Evidence > Add Evidence File.
11. In the Add Evidence File window, navigate to case folder (This PC > Desktop > 10001-FMTCCD) and click INFO2.Lx01 file and then click Open to open it.
12. In EnCase Imager, click the INFO2 item to open the Evidence tree pane.
13. In the Evidence tree pane, click the INFO2 object and use the scrollbar to locate to
the MD5 field.
14. Make a screen capture using screenshot tool showing the MD5 field in Encase Imager and
paste it into the Lab Report file.
15. In the Lab Report file describe how the value produced by EnCase Imager compares to the
value produced by FTK Imager.
16. In the Evidence tab of Encase Imager, click the green back button to return to the Table
View.
17. Repeat steps 5-16 for the remaining evidence files created and identified in Part 3 of this
lab. For this lab do not search for files in the unallocated space.
18. Close the EnCase Imager window.
Part 4: Verify Hash Codes with Electronic Evidence Examiner (E3)
Note: In the next steps, you will use Electronic Evidence Examiner (E3) to verify the MD5 hash
generated by FTK.
To save time, this lab part uses a pre-created Electronic Evidence Examiner (E3) case file
containing the evidence_drive.e01.E01 image.
1. Double-click the Electronic Evidence Examiner (E3) icon on the vWorkstation desktop.
The Electronic Evidence Examiner (E3) welcome screen opens with a navigation pane on
the left entitled Start your work here. This pane contains links to the most common activities
that forensic investigators will perform within the tool.
2. Close the welcome screen window, and on the CASEmenu, click Open Case.
3. In the Open window, click Documents > Paraben Corporation > Paraben's P2
Commander, and double-click the 10001-FMT-CCD.p2c file to open the file in Electronic
Evidence Examiner. Note: If the file is not showing in the window, then change the file type
to P2C Cases (*.p2c), and click Open. A warning window appears, click Yes.
The 10001-FMT-CCD.p2c file is case file that already contains the imported evidence drive
(evidence_drive.e01.E01 file).
4. In the Case Explorer tree in the left pane, navigate to the Recycler folder (10001-FMT-CCD
> evidence_drive.e01 > Partition Parser > Partition 0 > NTFS > Root > RECYCLER) and
double-click the S-1-5-21-839522115-162531612-2147315267-500 object to open it.
5. In the left pane, on the Sorted Files tab, expand Sorted Files, and double-click Databases.
In the middle pane, scroll down and click INFO2 file. Click Ok.
6. In the Properties pane at the right, use the scrollbar to locate the MD5 field.
7. Make a screen capture using screenshot tool showing the MD5 field in Electronic
Evidence Examiner (E3) and paste it into the Lab Report file.
8. In the Lab Report file describe how the value produced by Electronic Evidence Examiner
(E3) compares to the value produced by FTK Imager.
9. Repeat steps 4-8 for the remaining evidence files identified in Part 3 of this lab. On the
Databases, click dc.db file.
For this lab do not search for files in the unallocated space.
10. Close the Electronic Evidence Examiner (E3) window.
11. Click on the Upload my work icon to open its web page.
12. Click the choose button to open the File browse dialog box.
13. Select the files named yourname_Chain_of_Custody.pdf and 043458.csv from the 10001FMT-CCD case folder to your local computer and click on the Open button to upload it.
14. Click on the Upload button to upload the selected file. It will appear in the tabulatd form.
Alternatively, you can also click on the Evidence tabto see the uploaded files.
15. This exercise is completed now.
Related documents
ITT593 Lab 4
ITT593 Lab 4
DSF task2
DSF task2
Intellij IDEA 12 In version 12 use the right
Intellij IDEA 12 In version 12 use the right
Slide Layout Slide Views
Slide Layout Slide Views
BTT101 – Unit 5 - Database/Microsoft Access 1. Open Access
BTT101 – Unit 5 - Database/Microsoft Access 1. Open Access
Download
advertisement