Bonus Exercise 1 (5 points): Assume that you have a write-protected USB device.
Image a USB device or a floppy disk to create an image in a DD format. (
Note: You are not able to use the 841_Win_Forensics_Updated VM to perform this bonus exercise.
Y ou have to use your own computer for this exercise).
Provide a snapshot from FTK Imager .
Requires: a USB device or a floppy disk
Launch FTK Imager
Click File > Create Disk Image
Click Physical Drive and Next
Select the device and select Raw (dd) Image Type
Computer Forensics - FTK 1

Exercise 2: View images
Click File > Add Evidence Item
Select Image file and then click Next
Browse to your WinLabEnCase.E01 image and click Finish
View the image in the Evidence Tree view
Question 1: What is the VBR file used for? How to export this file? How to export a file Hash?
VBR file contain information that will enable client machine to use the remote application . we can export this file by press export , hash file will export as a plain text.
Exercise 3: Convert the WinLabEnCase image to a DD image
Exercise 4: Verify images
Question 2: What are the results of verification? Comparing both hashes, are they same or not?
The verification matched and both hashes are the same
DETAILED PROCEDURES THAT MAY HELP YOU TO GO THROUGH
THE FTK SOFTWARE
Exercise 1: Starting a New Case
Question 3: What information is required to create a new case using the FTK New Case
Wizard?
The information needed are : investigator name , address , phone , email , case number , case name , case path , case folder and case destination
Question 4: What are the types of evidence that can be added to a case in FTK?
Image of drive , local drive , folders and individual file
Computer Forensics - FTK 2

Exercise 2: Working with FTK
Click the OVERVIEW tab; note the numbers for each type of file.
Question 5: How to make the number of the Checked Items to go up? How to make the number of Flagged Thumbnails to go up?
After open each file , items will added to the checked item folder , flagged thumbnails will go up with each file we change the point which down it from red to green .
File Signatures
A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header.
Question 6: Click on Bad Extension from Overview tab. Do you find any signature mismatch?
What are they?
There are 11 files , 8 of them are TMP extension , 1 XLS , 1 PDF and 1 DOC
Data Carved Files:
Question 7: Check the number of Data Carved Files, what is the number? zero
Question 8: Check the number of Data Carved Files from Overview, how many files added to the case by data carving?
TWO
Question 9: What are those files found by performing data carving process? Why is this process so important?
The files which found are the files with GIF extension , this process is very important because it helps the investigator to focus on one type of files which he looking for .
Explore Tab
Check mark List all descendants.
Computer Forensics - FTK 3

Question 10: What is the file system of this Image?
FAT 16
Question 11: Right-click a folder and select File Properties, What information do you get?
Path , file name , system attributes , file source info and file content info .
Question 12: Select a file, and right-click on that file and select File Properties, What information do you get?
Path , file name , system attributes , file source info , file content info and file size .
Question 13: Select Documents and Settings\psmith\Recent, what kind of files contain in this folder? Select each file in this folder, what kind of information do you get from the up-right window?
The latest files which open on this machine are on recent file .
We can get information about each file like creation time , last write time , last access time and what kind of file it is.
Question 14: Select Documents and Settings\psmith\Local
Settings\History\History.IE5\index.dat, what kind of files contain in this file? Select each file, what kind of information do you get from the up-right window?
We can fine internet explorer daily browsing history , we can get last accessed time for different websites which opened in the browser .
Question 15: Select Documents and Settings\psmith\Favorites, what are psmith’s favorite links? www.monster.com
www.aerospace-technology.com/contractors www.jsfirm.com/searchcontractors.asp
yahoojobs as we see the suspect man was looking for a job
Computer Forensics - FTK 4

Question 16: Looking into the Recycled folder, which files are currently in the recycler? Select the INFO2 file from the Recycled folder, what information do you get from that file?
We found 2 files , ogdiagram.gif , tse082800.pdf , in the info2 file we get information about last file which put in the recycle , what is the name and the time when the file deleted .
Question 17: Looking into WINDOWS\System32\spool folder, what information can you get from this folder?
From spool we get information about all the drivers and printers which install on that machine .
Windows Registry
Locate ntuser.dat from the Documents and Settings\psmith folder
Export the ntuse.dat; then launch the AccessData Registry Viewer to include this file in the
Registry Viewer. (You may also right click the file and choose View in Registry Viewer
In the Registry Viewer, explore the list.
Action 18: List any interesting results
All the information about registry and all softwares which are on that machine .
Graphics Tab
The Graphics Tab allows you to quickly see all the pictures in the case.
Check mark List all descendants .
You will now see all of the pictures contained on all of the devices in the case.
Question 19: If a file’s extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? Provide one example to support your statement. Does EnCase work in the same way?
Yes it does , and this is an advantage of FTK compared to encase
Export and Copy Special
Export these five graphics to your desktop.
Computer Forensics - FTK 5

Question 20: What is the major difference between Export a file and Copy Special a file?
Export will copy the file to a specific location on the machine while copy special give us option to copy what we need from file like file type , modification date and so on.
Keywords and Searching
Searching evidence for information pertaining to a case can be one of the most crucial steps in the examination. FTK support two kind of search, indexed and live searches. An indexed search uses the index file to find a search term while a live search involves an item-by-item comparison with a search term. The index file could be generated during the creation of a case or be indexed later.
Question 21: What is the advantage to use indexed search vs. the live search?
Index search will look inside the files for the needed information while live search check the subject of each file only
Examining the Options and Import feature in the indexed Search
Question 22: What are these two features used for?
Options need for change search brooding options , search result options and search limiting options.
Import search in side the files as a text file
Question 23: Do you find any files containing US Phone numbers? List two files that in the result list.
I found 299 hits in 8 files .
Aviation.htm
Contacts.htm
Email
Computer Forensics - FTK 6

Question 24: Read the manual and find out what kind of email formats do FTK support?
FTK now supports the decryption of RSA standard PKCS7 S/MIME email items. This includes support for MBOX, DBX, RFC822, and some PST/EDB archives
Question 25: Did anything happen? Do you find any important information? If so, what kind of information you got? ye s I found a lot of information like that the suspect talk with someone about meeting and offering him an offer of work
Case Report
After performing a thorough forensic investigation, it is critical that you are able to publish and present your findings. FTK has a sophisticated report wizard that allows you to assemble and publish case information. The final report generated by the FTK wizard is in HTML format.
Click File > Report Wizard
Fill in the Case information which will appear on the Case Information page of the report.
Create a report to include the following: a) all bookmarks and export all bookmarked files b) Export full-size graphics and link them to the thumbnails c) Include the Date and Time file Properties for the Bookmarked Files d) Include only graphics flagged green in the Graphics View e) Group 6 thumbnail per row f) Include Bad Extension files in the report and export the files to the report along with its data and time property g) Add one or more of your own file to the report that support your statement h) Create a custom graphic for the report.
Action 26: Include two screenshots of this report in your submission.
Computer Forensics - FTK 7

Computer Forensics - FTK 8

Computer Forensics - FTK 9

Computer Forensics - FTK 10