You will be asked to forensically examine a hard drive for


In this assignment, you will be asked to forensically examine a hard drive for evidence. Your assignment is to examine the drive, gather evidence in a forensically sound manner, and present a report of your investigation. The incident in question occurred in October, 2016. You should focus your investigation on that time window.

1. The Investigation Report - this is really the whole package

2. Physical evidence tag/label. Refer to the textbook for the information that should be included. If you use a template or example from the Interwebs, cite your sources. ("Appendix A" to the investigation report.)

3. Key Evidence listing. Should be a table of (at a minimum) files examined and their hashes. ("Appendix B" to the investigation report.)

4. Tools listing. Should be a table of (at a minimum) executables used to examine or process files, and their hashes. Definitely list a tool like "pasco". You probably don't need to include commands like "cd" or "ls", unless you're doing a live system acquisition. ("Appendix C" to the investigation report.)

5. Your case investigation activity log (your notes). Either include scans of your notebook, or photos of the pages, or if you use electronic notes, the notes file.

A note on presenting actual evidence files. Do NOT create a printed version of the super timeline. In your report, highlight key events (e.g. software was installed, a document was deleted) and include the key timeline entry rows for the event, or the start/end of the event (software installation may produce many dozens of pages). Also, do NOT try to hexdump the entire hard drive and print it out.

INVESTIGATION REPORT:

The report should clearly and concisely present evidence. Avoid drawing any conclusions in the report. Start each section with a summary of the key findings for that section. List the basic steps you took to arrive at that conclusion. Make references to your notes ("see Case 001 notes, page 2"). Pictures with labels, or screenshots of tool output, are appropriate. Hashes are appropriate. Time and date labels of the steps are appropriate. Explanations such as "this file is of type XYZ and includes data about ABC" are appropriate. Pasting your command history from the terminal is too much detail. Use "Page X of YY" on every page. Label every page with the Case Number (you can make one up).

1. Title Page:

"CS 447/547: Case 0000-001, October 2016", author's name. File name.pdf.

2. Executive Summary

This should begin something like: "In the investigation of Case 0000-001, involving the examination of a suspect hard drive, I reviewed the filesystem, including X user profile(s), examined the activity of user "", and recovered Z deleted files. The evidence included in this report includes the following:" Use your own words, or mine.

3. Physical Evidence:

List the information you can determine from the drive you received, without opening it up and exposing the platters. Not necessary for this investigation.

4. File Systems and Partitions:

List the information you can determine about the file systems contained on this drive. Demonstrate that you have not altered the evidence.

5. Computer System Information

Mount the partitions and examine their contents. List the information you can determine about the system this was running on (e.g. what OS? what users are present? what software is installed? important registry key values?)

6. Deleted files

Recover key deleted files and report on them.

7. Web browsing history

In one user's home directory, there is evidence of web-browsing activity. What can you determine from it?

8. Recovered emails

In one user's home directory, there is email. What can you recover from it?

9. Appendix A: Physical evidence

10. Appendix B: Key digital evidence

11. Appendix C: Tools used during investigation

12. Appendix D: Investigator's Notes
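
One way to produce the file/hash tables asked for in Appendix B and Appendix C, and to support the section 4 requirement to demonstrate that the evidence was not altered: record hashes before examination and re-hash afterwards. This is an added example, not part of the original assignment; the function names, the choice of SHA-1 plus SHA-256, and the sample file name are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

CHUNK = 1 << 20                      # read 1 MiB at a time so large images fit in memory
ALGORITHMS = ("sha1", "sha256")      # assumed choice; use whatever your course requires

def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for one file, reading it only once."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:     # read-only open: never write to evidence
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def build_manifest(paths):
    """Baseline taken before examination: {path: {algorithm: digest}}."""
    return {str(p): hash_file(p) for p in paths}

def verify_manifest(baseline):
    """Re-hash every baseline file; status is 'unchanged', 'ALTERED' or 'MISSING'."""
    results = []
    for path, expected in baseline.items():
        if not Path(path).is_file():
            results.append((path, "MISSING"))
        elif hash_file(path, tuple(expected)) == expected:
            results.append((path, "unchanged"))
        else:
            results.append((path, "ALTERED"))
    return results

def appendix_table(manifest):
    """Render the manifest as plain-text rows for Appendix B or Appendix C."""
    rows = ["File | SHA-1 | SHA-256"]
    for path, d in sorted(manifest.items()):
        rows.append(f"{path} | {d['sha1']} | {d['sha256']}")
    return "\n".join(rows)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "case-0000-001.dd"        # constructed stand-in for the image
        image.write_bytes(b"constructed sample image bytes")
        baseline = build_manifest([image])            # before examination
        print(appendix_table(baseline))
        print(verify_manifest(baseline))              # after examination
```

Run the same functions over the tool executables to fill in Appendix C, and note the time of each hashing step in your activity log.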
