ECA137 – Computer Crime & Investigation

Instructor: Alan Bringardner

Imaging & Searching Lab

 

 

Objective: The student is supplied with a device image, and they will need to image the image file, validate the image, mount the image file, and examine the image to determine its  contents. The student should identify the file that corresponds with the supplied file  hash and examine the file to determine its contents.

Skills Involved:  Effective Communication (written)

Quantitative Literacy (analysis)

Information Literacy Skills (investigation)

Critical Thinking (decision making)

 

Specific Tasks:   Write Protection

Imaging

Image validation

Malware scanning

File Hashing

Searching

Examination

Documentation

 

Submission: The student should submit a report describing their forensics process and include any necessary screen shots or report to support this and to answer questions related to the scenario.

 

Scenario:  You are employed as a computer forensics specialist with a local police agency. As part  of an investigation into a possible extortion case handled by another investigator, you are given information concerning a suspicious document found that contained the listed text string.  The other investigator believed it was some type of code related to his investigation.  She supplied you with an image of a flash drive recovered in the investigation from the suspect’s businesses computer.

  •  What do you believe this number to be?
  • What evidence if any did you find on the flash drive?

 

Questions:

  1. What was the hash value of the image file you imaged?
  2. What type of value does the number string represent?
  3. What is the source of this value? (What item)
  4. What tool or tools did you use to determine the source of this value? You should use more than one tool to verify your opinion
  5.  What other files did you find on the device?
  6.  Was there anything else of importance on the drive?
  7.  Was there any overall “theme” to this scenario?