Parts of this protocol are based on
Quick Start Training Manual for Education Distribution
Copyright 2003 Guidance Software
January 18, 2012
Creating a Case
Copying Evidence Files
Logon to your lab computer as Labuser and open VirtualBox. Start up the Forensics VM. This semester you will use VirtualBox to run the forensics tools and analyze evidence.
On your VM (
f the following instructions refer to your forensics VM, not the lab
and create the following
archive and copy the following evidence files into the
EnCaseWrkshp4E.E01 is an EnCase evidence file created from a USB thumbstick drive using the FTK imager available on the Helix CD.
This imager records hash verification information in the file EnCaseWrkshp4
Because the file includes case information and block CRC codes, a simple hash of the evidence file, outside of the EnCase utilities, will NOT produce a matching hash. The hash for EnCase evidence files can only be calculated by a forensic tool that can read the evidence file, like EnCase or FTK.
Imaging record accompanying evidence
investigation and acquiring media, consider how to access the case once it has been
It may be necessary for more than one investigator to view the information simultaneously.
ows multiple concurrent users to access the same evidence information.
However, if each workstation has its own instance of the FTK database, evidence files
file should be placed on a central file server and copies of the case file should be used on each
One of the ways of organizing cases is to create a folder for each case and place the case file and evidence files associated with that case in that folder. The reports and evidence copies may be placed in the same folder or in
Forensic best practices calls for
use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire drive or partition, rather than individual folders, to ensure all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases.
from the link on the desktop.
After the splash screen disappears, you will be presented with a login dialog box in order to access the
New Case Options
x will appear.
folder you set up
Case Folder Directory
Creating a new case.
New Case options.
After entry, click
Adding Evidence Files
In preparation for the acquisition of evidence, devices (such as local drives, cell phones, etc.) must be added to the case.
from the previous step, you should see the following screen:
Managing Evidence window.
button and select the default (
Navigate to where you unzipped the EnCase evidence file and select
appropriate time zone (
) and click
FTK will then process the evidence file and add it to your case.
after processing has
Once the evidence file has been added, it is important to verify that nothing has changed on the
This can be done by comparing the hash of the acquired image with the hash of the unzipped image saved to the workstation’s hard drive.
To see the hash of the acquired image in
click on the
pane and scroll to the
You can compare this hash with the hash found in the
Verifying the MD5 hash in FTK.
The EnCase Evidence File
EnCase evidence file (sometimes called the Expert Witness format) is a de facto standard in the forensics field. It contains three basic components, the header, checksum, and data blocks, which work together to provide a secure and self-checking description of the state of the computer disk at the time
Cyclical Redundancy Check (CRC)
The cyclical redundancy check is a variation of the checksum, and works much the same way. The advantage of the CRC is that it is order sensitive. That is, the strings “1234” and “4321” will produce the same checksum, but not the same CRC. In fact, the odds that two sectors containing different data will produce the same CRC are roughly one in a billion.
Most hard drives store one CRC for every sector. When a read error is generated from a disk, this usually means that the CRC value of the sector on the disk does not match the value that is recomputed by the drive hardware after the sector is read. If this happens, a low-level read error occurs.
Evidence File Format
Each file is an exact sector-by-sector copy of a floppy or hard disk. When a file is created, the user supplies information relevant to the investigation. EnCase archives this and other information inside the evidence file along with the contents of the disk.
Every byte of the file is verified using a 23
making it extremely difficult, if not impossible, to tamper with the evidence once it has be
This allows the investigators and legal team to confidently stand by the evidence in court.
Rather than compute a CRC value for the entire disk image, EnCase computes a CRC for every block of 64 sectors (32 KB) written to the evidence file. This provides a good compromise between integrity and
A typical disk image will have many tens of thousands of CRC check
The investigator will be able to identify the location of any error in the file and disregard that group of sectors, if necessary.
Compression technology allows EnCase to store data from a large disk in a relatively small file. It uses an industry-standard compression algorithm that achieves an average size reduction of 50%. If most of the disk is unused, the compression ratio may be much higher. This can result in great savings in this storage
Compressed evidence files take longer to generate because of the additional processing time required to compress the information. Compression never has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.
Whenever an evidence file is added to a case,
will begin to verify the integrity of the entire disk image in the background. This is usually quite fast for a small evidence file but can take a long time for hard disk files. During the verification process, the investigator can continue working on the case. If the case is saved and closed while the verification process is running, the verification process is canceled. This process then starts over when the case is reopened.
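The CRC, block and compression behaviour described in the sections above (Cyclical Redundancy Check, Evidence File Format, and the verification pass that runs when a file is added), as an added example in Python. This is illustrative code, not EnCase's or FTK's and not the real E01 byte layout: the container format, the case-info header, the sample disk and the corruption routine are assumptions made for the demo; only the 64-sector (32 KB) block size is taken from the text.

```python
"""Toy model of an EnCase-style evidence container (added illustration; not
EnCase's or FTK's code and not the real E01/EWF byte layout).

It models what the text describes: a header carrying case information, the
disk data written in blocks of 64 sectors (32 KB) with a CRC per block,
optional per-block compression that never touches the verified data, and a
verification pass that localises damage to one block. It also shows why an
MD5 of the container file differs from the MD5 of the imaged disk.
Container layout (constructed for this example):
  [4-byte header length][JSON header] then, per block,
  [4-byte payload length][1-byte compressed flag][4-byte CRC32][payload]
"""
import hashlib
import json
import struct
import zlib

SECTOR = 512
BLOCK_SECTORS = 64
BLOCK = SECTOR * BLOCK_SECTORS        # 32 KB, the block size quoted in the text
BLOCK_HDR = struct.Struct(">IBI")     # payload length, compressed flag, CRC32


def checksum(data: bytes) -> int:
    """Order-insensitive checksum: a plain byte sum, mod 2**32."""
    return sum(data) & 0xFFFFFFFF


def write_container(disk: bytes, case_info: dict, compress: bool = False) -> bytes:
    """Wrap raw disk bytes in the toy container. The CRC covers the
    *uncompressed* block, so compression cannot alter what is verified."""
    header = json.dumps({"case": case_info,
                         "sectors": len(disk) // SECTOR,
                         "md5": hashlib.md5(disk).hexdigest()}).encode()
    parts = [struct.pack(">I", len(header)), header]
    for off in range(0, len(disk), BLOCK):
        block = disk[off:off + BLOCK]
        payload = zlib.compress(block) if compress else block
        parts.append(BLOCK_HDR.pack(len(payload), int(compress), zlib.crc32(block)))
        parts.append(payload)
    return b"".join(parts)


def verify_container(container: bytes):
    """Walk the container block by block. Returns (recovered disk bytes,
    list of bad block indexes, header dict). A block that fails its CRC or
    cannot be decompressed is reported by index; the rest stay trusted."""
    hlen = struct.unpack(">I", container[:4])[0]
    header = json.loads(container[4:4 + hlen])
    pos, idx, blocks, bad = 4 + hlen, 0, [], []
    while pos < len(container):
        plen, flag, crc = BLOCK_HDR.unpack(container[pos:pos + BLOCK_HDR.size])
        pos += BLOCK_HDR.size
        payload = container[pos:pos + plen]
        pos += plen
        try:
            block = zlib.decompress(payload) if flag else payload
        except zlib.error:
            block = b""
        if zlib.crc32(block) != crc:
            bad.append(idx)
        blocks.append(block)
        idx += 1
    return b"".join(blocks), bad, header


def corrupt_block(container: bytes, target: int) -> bytes:
    """Simulate bit rot: flip the first payload byte of block `target`."""
    buf = bytearray(container)
    pos = 4 + struct.unpack(">I", buf[:4])[0]
    for idx in range(target + 1):
        plen = struct.unpack(">I", buf[pos:pos + 4])[0]
        if idx == target:
            buf[pos + BLOCK_HDR.size] ^= 0xFF
        else:
            pos += BLOCK_HDR.size + plen
    return bytes(buf)


def make_sample_disk(sectors: int = 4 * BLOCK_SECTORS) -> bytes:
    """Constructed sample media: each sector is filled with its own index byte."""
    return b"".join(bytes([i % 256]) * SECTOR for i in range(sectors))


def demo() -> dict:
    """Run the checks the text describes and return the outcomes."""
    disk = make_sample_disk()
    plain = write_container(disk, {"examiner": "example"}, compress=False)
    packed = write_container(disk, {"examiner": "example"}, compress=True)
    rec_plain, bad_plain, hdr = verify_container(plain)
    rec_packed, bad_packed, _ = verify_container(packed)
    _, bad_after, _ = verify_container(corrupt_block(plain, 2))
    return {
        "checksum_order_blind": checksum(b"1234") == checksum(b"4321"),
        "crc_order_sensitive": zlib.crc32(b"1234") != zlib.crc32(b"4321"),
        "plain_verifies": rec_plain == disk and bad_plain == [],
        "compressed_verifies": rec_packed == disk and bad_packed == [],
        "compressed_is_smaller": len(packed) < len(plain),
        "bad_blocks_after_corruption": bad_after,
        "disk_md5_matches_header": hashlib.md5(disk).hexdigest() == hdr["md5"],
        "container_md5_matches_header": hashlib.md5(plain).hexdigest() == hdr["md5"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the two points the text makes: the byte-sum checksum cannot tell “1234” from “4321” while the CRC can, and a container whose third block has been damaged is reported as bad block 2 while the other blocks still verify. The last two entries show why hashing the container file with a general-purpose tool does not reproduce the acquisition hash, but a tool that reads the blocks out again does.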
FTK Examiner User Interface
After logging in and creating a case or selecting an existing case from the FTK Case Manager, FTK opens into the FTK Examiner view. The Examiner view is used to navigate through the evidence that has been added to the case. From this view, you can view the files on a single piece of evidence or all the files found on several pieces of evidence. The overview, email, graphics, bookmarks, live search, index search, and volatile views are all accessed from the default Examiner view. The screen is initially divided into three sections: Tab pane, File Content pane, and File List pane.
Filter Toolbar can be found under the Me
The basic layout of the FTK Examiner User Interface.
The tabs in FTK help the investigator to explore and refine evidence. The FTK interface contains eight main tabs, and there may be other optional tabs if their correlating product is installed, each with a
Most tabs also contain a common toolbar and file list with customizable columns. Additional tabs can be user
Changing tabs helps the investigator to zero in on meaningful
The following are the default tabs included in FTK:
Live Search Tab
Index Search Tab
Explore Tab: the Explore tab displays all the contents of the case evidence files and
original user would have seen them
Overview Tab: the Overview tab provides a general view of a case. You can find the number of items in various categories, view lists of items and lists of individual files by category, status, and extension.
Email Tab: the Email tab displays email mailboxes and their associated messages and attachments. The display is a coded HTML format.
Graphics Tab: the Graphics tab displays the case in photo
Each graphic file is shown in a
A graphic displays in the Graphics Tab Thumbnail view when its thumbnail is checked in the File Content
Bookmarks Tab: a bookmark is a group of files that you want to reference in your case. These are user
list is stored for later reference, and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or
The Bookmarks tab lists all bookmarks that have been created in the current
Search Tabs: the Search Tabs give you tools for conducting an indexed search or a live search on the
An indexed search is faster, while a live search is more flexible and powerful.
Live Search: a process that involves a bit-by-bit comparison of the entire evidence set with the
Index Search: scans the case Index file to find the search term.
Volatile Tab: the Volatile tab provides tools for viewing, finding, and comparing data gathered from live agent systems in your network.
The top left pane, called the Tree pane, works a lot like Windows Explorer, providing the user with a treed view of the evidence, and illustrating the relationship of each folder hierarchically. It presents each evidence file in a folder that contains additional folders and files. Only evidence files and folders contained within them are displayed in this pane. Individual files are not displayed. An icon that quickly identifies the type of evidence precedes each evidence file. The plus and minus signs can be used to expand and contract the tree structure. Right-clicking on a folder will bring up the context menu.
A useful feature of the tree pane is the QuickPicks button to the left of every node in the tree (see Figure 7). After clicking this button, the arrow becomes green. This feature displays all contents of the current directory, as well as the contents of all subdirectories, in the File Content pane. You can turn QuickPicks on or off quickly by selecting the QuickPicks filter button on the
Figure 7. The QuickPicks Button
File List Pane
The File List Pane lists the files available in the current tabbed view. In this pane you can choose which columns to display, as well as the order of those columns, create bookmarks, create labels, and copy or export file lists. The File List pane is displayed by default in all default tabs. When viewing data in the File List, use the type-down control feature to locate specific files. When the list is sorted by name, select an item in the list, then type the first letter of the desired file. The selection moves down the list to the first file beginning with that letter. The more letters you type, the closer the match will be to the file you are looking for. The File List Pane includes both the File List Toolbar and the File List view.
File Content Pane
The File Content Pane displays the contents of the item selected in the File List Pane. A large amount of evidence gathering is conducted from the File Content Pane. Here, you can select various amounts of data and bookmark that information, which can then be included in the report. The File Content Pane contains several sub-tabs that provide different views of the same file.
Viewer Top Tabs: Hex Tab
The Hex tab shows the file content in Hex view. It is different from the Hex Interpreter tab at the bottom of the screen.
The Hex display in FTK.
Right-clicking on the Hex display will make available a number of different options.
Viewer Top Tabs: Text Tab
The Text tab displays the file’s content as text using the code page selected from the drop-down. The File Content Pane currently provides many code pages from which to choose. When the desired code page is selected, the Text tab will present the view of the selected file in text using the selected code page language.
The Text view in FTK.
Viewer Top Tabs: Filtered Tab
The Filtered tab shows the file’s text created during indexing.
The Filtered View in FTK.
The text is taken from an index created for the current FTK session if indexing was not previously
Viewer Top Tabs: Natural Tab
The Natural tab displays a file’s contents as it would appear normally. This viewer uses the Oracle Stellent INSO filters for viewing hundreds of file formats without the native application being installed. Viewing large items in their native applications is often faster than waiting for them to be rendered in an FTK viewer.
The Natural View in FTK.
Where it is possible to recover deleted files or directories automatically, these are recovered and appear in the table view. Files and directories recovered from deleted entries appear with a red “x”. Navigate to the “Terrorist” directory. The deletion indicators show that all of the files in this directory had been deleted from the original media.
Searching the Case
FTK provides a powerful search engine to locate information anywhere on the physical or logical media. It comes with an Index Search that gives instantaneous results, as well as three different Live Search modes: text, pattern (regex), and hexadecimal. Search results, or “hits,” are easily viewed from the Search Tab File List and File Contents views.
Conducting an Index Search
The Index Search uses the index to find the search term. Indexing is simply the process of creating an index, or a searchable list of the discrete words, or strings of characters, in a case. Evidence items may be indexed when they are first added to the case. Index searches are instantaneous.
Index evidence when it is added to the case by checking the dtSearch Text Index box on the Evidence Processing Options dialog, or index after the fact by clicking and specifying indexing options
Click on the
tab in the FTK interface.
In the top left in the
pane, type in the term
Notice that hits on that term as well as similar terms are
Select the term
from the list and hit the
The search term will now show up in the
pane to the right.
You can adjust the
search with the options shown (
For now, use the default settings and hit
Include all files
option (should be the default) and hit
The results will be listed in the
Index Search Results
hit from the
from the context menu.
This will bring up the
can select the
button on the File List Toolbar.
A bookmark is a group of files that you want to reference in your case. These are user
and the list is stored for later reference and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or related graphic images.
The Bookmarks tab lists all bookmarks that have been created in the current case. Bookmarked files are pink.
Bookmarks can also be made from selected text.
From any tab, select a file to be displayed in
Select the text you want to bookmark and hit the
Give your bookmark
in the comment write “This file contains a version of the Anarchist Cookbook” or something similar. Switch over to the
tab at the top of the main interface and you should be able to see your new bookmark listed under
Conducting a Live Search
The live search takes slightly more time than an index search because it involves a bit-by-bit comparison of the search term to the evidence. A live search is flexible because it can find patterns of non-alphanumeric characters, including those that are not generally indexed. It is powerful because you can define those patterns to meet your needs in an investigation.
The difference between a Pattern search and a Text search is that a text search searches for the exact typed text; there are no operands, so the results return exactly as typed. A Pattern search allows you to find all strings that match a certain pattern, such as
for any 10
digit phone number (
), or a
digit social security number (
). A Text search finds all strings that match an exact entry,
such as a specific phone number (801
A Live Text Search gives you options such as ANSI, Unicode with UTF-16 Little Endian, UTF-16 Big Endian, and UTF-8. The latter two are always case sensitive. You can also choose from a list of other Code Pages to apply to the current search. In addition, you can select Case Sensitivity for any Live Text Search.
Search terms can be entered then exported as .XML files, then imported at any time, or with any case, depending on the folder where it is saved. Text (.TXT) files can be imported and used in Live Search; however, the Live Search Export feature supports only .XML format.
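The two search styles described in the Index Search and Live Search sections above, as an added Python model that is not FTK's or dtSearch's code. The evidence items, the search terms, and the phone-number and SSN regular expressions are constructed for this illustration (the page's own patterns are not reproduced); the model also goes slightly beyond the text by running one live text search across all four listed code pages at once and reporting which code page produced each hit.

```python
"""Index search versus live search, modelled in Python.

Added example, not FTK's or dtSearch's code. The evidence items, the search
terms and the two regular expressions are constructed for this illustration.
"""
import re
from collections import defaultdict

# Code pages the text lists for a Live Text Search, mapped to Python codecs.
ENCODINGS = {"ANSI": "latin-1", "UTF-16LE": "utf-16-le",
             "UTF-16BE": "utf-16-be", "UTF-8": "utf-8"}

# Constructed evidence: item name -> raw bytes as they would sit on the media.
EVIDENCE = {
    "notes.txt": b"Call Duke at 801-555-0142 about the dry ice order.",
    "memo.doc": "Dry Ice shipment, contact 801-555-0199".encode("utf-16-le"),
    "ids.csv": b"name,ssn\nkojak,123-45-6789\n",
    "free.bin": b"\x00\x10DRY ICE\xff\xff\xff\xff",   # fragment from free space
}

# Constructed patterns (not the page's): 10-digit US phone number, 9-digit SSN.
PHONE_PATTERN = r"\b\d{3}-\d{3}-\d{4}\b"
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"


def build_index(evidence: dict) -> dict:
    """Index search, step 1: tokenize each item's single-byte text view once
    into an inverted index {word: {item, ...}}. This is the slow part; the
    lookups afterwards are instantaneous. UTF-16 text is not tokenized
    correctly by this view, which is why the live search still matters."""
    index = defaultdict(set)
    for name, data in evidence.items():
        for word in re.findall(r"[A-Za-z0-9]+", data.decode("latin-1")):
            index[word.lower()].add(name)
    return index


def index_search(index: dict, term: str) -> list:
    """Index search, step 2: a dictionary lookup of the whole word."""
    return sorted(index.get(term.lower(), ()))


def live_text_search(evidence: dict, term: str, case_sensitive: bool = False,
                     encodings=tuple(ENCODINGS), max_hits_per_file: int = 200) -> dict:
    """Live text search: encode the term in every selected code page and scan
    each item's raw bytes for it. Returns {item: [(offset, code page), ...]};
    an offset is reported once, under the first code page that matched it."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = {}
    for name, data in evidence.items():
        seen = {}
        for label in encodings:
            needle = re.escape(term.encode(ENCODINGS[label]))
            for m in re.finditer(needle, data, flags):
                seen.setdefault(m.start(), label)
        if seen:
            hits[name] = sorted(seen.items())[:max_hits_per_file]
    return hits


def live_pattern_search(evidence: dict, pattern: str,
                        max_hits_per_file: int = 200) -> dict:
    """Live pattern (regex) search over the single-byte view of each item.
    Returns {item: [offset, ...]}."""
    rx = re.compile(pattern.encode("latin-1"))
    hits = {}
    for name, data in evidence.items():
        offsets = [m.start() for m in rx.finditer(data)][:max_hits_per_file]
        if offsets:
            hits[name] = offsets
    return hits


if __name__ == "__main__":
    idx = build_index(EVIDENCE)
    print("index   'dry'            ->", index_search(idx, "dry"))
    print("live    'dry ice'        ->", live_text_search(EVIDENCE, "dry ice"))
    print("live    'dry ice' (case) ->", live_text_search(EVIDENCE, "dry ice", case_sensitive=True))
    print("pattern phone            ->", live_pattern_search(EVIDENCE, PHONE_PATTERN))
    print("pattern ssn              ->", live_pattern_search(EVIDENCE, SSN_PATTERN))
```

The index finds “dry” in notes.txt and in the free-space fragment but misses memo.doc, because its UTF-16 text tokenizes into single letters; the live text search finds all three, reporting the memo hit under UTF-16LE, and drops to notes.txt alone when case sensitivity is on. The pattern search finds the phone number and the SSN by shape rather than by exact value, which is the distinction the text draws between a Pattern search and a Text search.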
Click on the
tab in the FTK interface.
tab, click the
Performing a Live Search.
if you want to search specifically the uppercase or lowercase letters as
FTK ignores case if this box is not checked.
Enter the term
to add the term to the Search Terms window.
You can add as many search terms as
Max Hits per File
field, enter the maximum number of search hits you want listed per file. The default is 200. The range is 1 to 65,535. Leave the default.
A Data Processing window will open that displays the progress of the live search.
it finish and then
The results are displayed in the
Live Search Results
Notice any differences between the
you performed previously.
You can bookmark any results here just like in the Index Search.
Email messages will have a typical format with data fields such as from, to, subject, created date, sent date, received date, header, and attachments. There are a variety of email application programs, each of which has its own file formats for this data. In addition to a variety of different data file formats, email programs may encrypt the file. It is up to the examiner to survey systems under examination to determine what email clients may have existed on the system.
The Email tab displays email mailboxes and their associated messages and attachments. The display is a coded HTML format.
Email Status Tree
The Email Status tree lists information such as the sender of the email and whether an email has
They are listed according to the groups they belong to.
email items by status, as
Email Attachments (Contains only attachments to emails)
Email Reply (Contains emails with replies)
Forwarded Email (Contains only emails that have been forwarded)
From Email (Contains everything derived from an email source, i.e. email related)
Email Archives Tree
The Email Archives tree lists Email-related files that are considered “containers.” Item types include
, and so forth. The tree is limited to archive types found in the evidence during processing.
The Email tree lists message counts, AOL DBX counts, PST counts, NSF counts, MBOX counts, and other
Exchange and PST Emails can be exported to MSG format. In addition, MSG files resulting from an
of Internet email look the way they should. FTK makes it easy to process email.
Acquiring Additional Evidence
Raw image files can be added to FTK in much the same way that an EnCase evidence file is acquired from a device.
Verifying Raw Images
file you downloaded previously, copy three files into
is a 1.4k raw image file created from a floppy drive using the imager available on the Helix CD.
This imager records hash verification information in the file
After downloading, use the following process to verify that the MD5 hash of your copy of the image duplicates exactly the verified hash recorded in the file
from the Start menu and enter the command
to bring up a command prompt.
Change directories with the following commands:
the text file containing the original verified hash using the
Calculate the MD5 hash for the image file using the md5deep program:
Verifying the MD5 hash of a raw image
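The verification step above, as an added Python example that is not FTK Imager's or md5deep's code: it reads the hash the imager recorded from a text file, streams the image through MD5, and compares the two. The “<hash>  <filename>” line shape is the one md5deep prints; the “MD5 checksum:” log-line shape, the names sample_floppy.dd and sample_floppy.md5.txt, and the image contents are assumptions constructed for the demo.

```python
"""Verify a copy of a raw (dd) image against the hash the imager recorded.

Added example, not FTK Imager's or md5deep's code. It assumes the recorded
hash is kept in a small text file and accepts two line shapes:
  "<32 hex>  <filename>"    the form md5deep prints
  "MD5 checksum: <32 hex>"  an assumed imager-log form
Both the image bytes and the hash file below are constructed for the demo.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

MD5DEEP_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+\*?(\S.*?)\s*$")
LOG_LINE = re.compile(r"MD5\s*checksum:\s*([0-9a-fA-F]{32})", re.IGNORECASE)


def md5_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(chunk), b""):
            h.update(piece)
    return h.hexdigest()


def recorded_hashes(hash_file: Path) -> dict:
    """Return {filename: md5} parsed from the hash record file; a bare
    log-style line with no filename is stored under the key '*'."""
    found = {}
    for line in hash_file.read_text().splitlines():
        m = MD5DEEP_LINE.match(line)
        if m:
            found[Path(m.group(2)).name] = m.group(1).lower()
            continue
        m = LOG_LINE.search(line)
        if m:
            found["*"] = m.group(1).lower()
    return found


def verify_image(image: Path, hash_file: Path) -> dict:
    """Compare the image's MD5 with the recorded one. Returns both digests
    and a boolean so the caller can record the outcome in the case notes."""
    recorded = recorded_hashes(hash_file)
    expected = recorded.get(image.name) or recorded.get("*")
    actual = md5_of_file(image)
    ok = expected is not None and hmac.compare_digest(expected, actual)
    return {"image": image.name, "expected": expected, "actual": actual, "verified": ok}


def demo() -> dict:
    """Build a constructed floppy-sized image and hash file in a temp dir,
    verify the pristine copy, then flip one bit and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "sample_floppy.dd"                 # constructed name
        data = bytes(range(256)) * (1474560 // 256)      # 1.44 MB of filler
        image.write_bytes(data)
        # Constructed record in md5deep's "<hash>  <name>" form.
        hash_file = root / "sample_floppy.md5.txt"
        hash_file.write_text(f"{hashlib.md5(data).hexdigest()}  sample_floppy.dd\n")
        good = verify_image(image, hash_file)
        tampered = bytearray(data)
        tampered[100] ^= 0x01                             # a single-bit change
        image.write_bytes(bytes(tampered))
        bad = verify_image(image, hash_file)
    return {"pristine_verified": good["verified"],
            "tampered_verified": bad["verified"],
            "digests_differ": good["actual"] != bad["actual"]}


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than `==` out of habit rather than necessity here (the digests are not secrets), and the hash file is matched by the image's base name so a record produced on another machine with a different path still applies.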
Now that you’ve verified the MD5 hash, we can add the floppy drive image to our current case.
menu and then
This will open the
dialog you saw when you first created the case except it
image listed already.
button and select
(should be the default).
Navigate to the
folder you just created and select the
file and hit
and FTK will add the raw image to the case.
Recovering Data from Formatted Drives using Meta Carving
Some people believe that formatting the drive is the same as wiping it. This is not the case. Formatting the drive is analogous to erasing a table of contents of a book and writing a new table of contents in its place. The official contents of the book have changed, but the actual pages of the book have not.
In this case, the floppy disk that was imaged to the WrkShpFlppy1.dd file was formatted. You can use FTK’s meta carve feature to recover the contents of the drive before it was formatted. Meta carving searches the volume free space for deleted directories that have been orphaned. An orphaned directory is a directory whose parent directory, or whose entry in its parent directory, has been deleted. The deleted directory entries often lead to data and file fragments that can prove useful to
that could not be found otherwise.
Go to the
menu, and select
the meta carve box (see Figure 14). A Data Processing Status window should pop up. For these small evidence files, it should take a few minutes to complete the meta carve process. Once the meta carving process completes, expanding the WrkShpFlppy1.dd evidence file and the FAT12 nodes in the tree pane will reveal the Meta carve folder with the recovered files (see
. The meta carve option.
. The recovered “2” directory using meta carving.
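The meta carve idea above (orphaned directories found in volume free space), as an added Python example that is not FTK's implementation. It relies only on the standard FAT 32-byte directory entry layout; the free-space bytes, the directory and file names, clusters and sizes are constructed for the demo and are not the contents of WrkShpFlppy1.dd.

```python
"""Meta carving, modelled on a FAT12 floppy's directory structure.

Added example, not FTK's implementation. It uses the standard on-disk layout
of a 32-byte FAT directory entry (8.3 name, attribute byte at offset 11,
first cluster at 26..27, size at 28..31, 0xE5 marking a deleted entry) to do
what the text describes: scan volume free space for directory clusters whose
"." and ".." entries survive although nothing in the file system points to
them any more. The free-space bytes below are constructed for the demo.
"""
import struct

ENTRY = 32
DELETED = 0xE5
ATTR_DIR = 0x10
ATTR_LFN = 0x0F        # long-file-name helper entries, skipped here
DOT = b".".ljust(11)
DOTDOT = b"..".ljust(11)


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build one directory entry (used only to construct the sample)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw += bytes([attr]) + b"\x00" * 14 + struct.pack("<HI", cluster, size)
    return bytes([DELETED]) + raw[1:] if deleted else raw


def parse_entry(raw: bytes):
    """Decode a 32-byte entry. None marks the end of the directory; a deleted
    entry keeps its name except the first character, which FAT overwrote."""
    if raw[0] == 0x00:
        return None
    attr = raw[11]
    if attr == ATTR_LFN:
        return {"lfn": True}
    deleted = raw[0] == DELETED
    base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii", "replace")
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    name = base.rstrip() + ("." + ext if ext else "")
    cluster, size = struct.unpack("<HI", raw[26:32])
    return {"name": name, "deleted": deleted, "is_dir": bool(attr & ATTR_DIR),
            "cluster": cluster, "size": size}


def carve_directories(free_space: bytes) -> list:
    """Meta carve: look at every 32-byte-aligned position for the "." / ".."
    pair that opens a subdirectory, then read its entries up to the end
    marker. Each result is an orphaned directory with its (mostly deleted)
    children, their sizes and starting clusters."""
    found = []
    for off in range(0, len(free_space) - 2 * ENTRY + 1, ENTRY):
        dot = free_space[off:off + ENTRY]
        dotdot = free_space[off + ENTRY:off + 2 * ENTRY]
        if not (dot[:11] == DOT and dot[11] & ATTR_DIR
                and dotdot[:11] == DOTDOT and dotdot[11] & ATTR_DIR):
            continue
        entries, pos = [], off + 2 * ENTRY
        while pos + ENTRY <= len(free_space):
            e = parse_entry(free_space[pos:pos + ENTRY])
            if e is None:
                break
            if not e.get("lfn"):
                entries.append(e)
            pos += ENTRY
        found.append({"offset": off,
                      "self_cluster": struct.unpack("<H", dot[26:28])[0],
                      "parent_cluster": struct.unpack("<H", dotdot[26:28])[0],
                      "entries": entries})
    return found


def build_sample_free_space() -> bytes:
    """Constructed free space: a filler cluster, one stray deleted entry that
    is not part of a directory, then the orphaned directory cluster."""
    cluster = 512                                  # one sector per cluster on a floppy
    filler = bytes(range(256)) * 2
    stray = make_entry("LOSTFILE", "TXT", 0x20, 9, 100, deleted=True).ljust(cluster, b"\x00")
    orphan = (make_entry(".", "", ATTR_DIR, 4, 0)
              + make_entry("..", "", ATTR_DIR, 0, 0)        # parent is the root (cluster 0)
              + make_entry("NE_DICT", "DOC", 0x20, 5, 14336, deleted=True)
              + make_entry("DANENG", "TXT", 0x20, 9, 2048, deleted=True)).ljust(cluster, b"\x00")
    return filler + stray + orphan


if __name__ == "__main__":
    for d in carve_directories(build_sample_free_space()):
        print(f"orphaned directory at offset {d['offset']}, cluster {d['self_cluster']}")
        for e in d["entries"]:
            print(f"  {'[deleted] ' if e['deleted'] else ''}{e['name']}  {e['size']} bytes")
```

The stray deleted entry is deliberately ignored: on its own it is just a 32-byte record in free space, and only the surviving “.” and “..” pair identifies a directory cluster that has lost its parent. The recovered names start with “?” because FAT overwrites the first character when an entry is deleted, which is why carved files often appear with a mangled first letter.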
Bookmarks provide the basis for annotating evidence as it is found. These bookmarks can also be exported directly into word processing or web-based reports. Because of this export capability, much of the report construction can be developed in FTK, leaving only minor formatting and organizing tasks for web page and document editing tools.
Sweep Bookmarks for Data
Perform an indexed search for “dry ice”. In the results, under “Allocated Space”, click “Documents” and expand the search hits for
Select hit #19 “USES FOR DRY ICE”. In the “File Content” pane, highlight the first two paragraphs. Click the “Create Bookmark” button on the “File Content” toolbar. Enter “Dry Ice” in the “Bookmark Name” field. In the “Bookmark Comment” field, enter: “One of several copies of the Anarchist’s Cookbook found on the thumb drive. The cookbook contains instructions for making simple, delayed action time bombs by sealing dry ice in a plastic container.” Check the “Bookmark Selection in File” box, select your username in the “Select Bookmark Parent” field, and click “OK”.
Sweep Bookmarks for Documents
With the “Dc555.doc” document selected in the previous search hit, select the “Natural” tab of the File Content Pane. Scroll to the top of the document, and highlight the title, author and table of contents. In the bookmark comment field include the following:
and Table of Contents of ‘The Anarchists'
Check the “Bookmark Selection in File” box, select your username in the “Select Bookmark Parent” field, and click “OK”.
Sweep Bookmarks for Email
Some email programs store emails in database files (for example, Outlook stores email in a PST file). In order to search these database files, they must first be expanded. Under
menu, select “Additional Analysis”. Under Miscellany, check the “Expand Compound Files” box, as well as the “dtSearch Text Index” box under “Search Indexes”. Click “OK”. Perform a search using two separate search terms: “Dry Ice” and “Yew alley”. Find the search hit from the Outlook PST file. Bookmark the text of the email with the comment, “Reference to Yew Alley & Dry Ice
Notable Files Bookmarks
Go to folder “2” in the MetaCarve folder under WrkShpFlppy1.dd (previously found usi
carve case processing step). Bookmark the document, “NE Dictonary.Doc” with the name
English Dictionary”. In the comment field, enter “Perhaps related to 419 scam.” Click
File Group Bookmarks for Deleted Material.
Navigate to the My Documents
Terrorist directory. Note that all entries have been deleted. Sort by extension and highlight and bookmark all JPG files. In the comment field, type: All files in the terrorist subdirectory had been deleted. These included multiple versions of the Anarchist Cookbook and many images of bombs and explosions.
Create a bookmark for the “Prizes” folder with the comment, “The entire Prizes Folder, with its four images of terrorist explosions had been deleted.” Select all four deleted images in the “Prizes” folder, right-click, and select “Add to Bookmark”, and select the bookmark you just created for the “Prizes” folder.
Creating a Report
At any time during or after the investigation and analysis of a case, you can have AccessData FTK create a report that summarizes the relevant evidence of the case. The final report is made available in several formats, including HTML and PDF formats plus one that is viewable in a standard Web browser.
to create a report. Access the Report Wizard by selecting
Report Wizard is then displayed.
Entering Case Information
dialog provides fields for basic case information, such as the investigator and the organization that analyzed the case.
box in the
on the left side of the screen.
field for each entry and enter the following information:
Add and remove entries with the
To add additional entries, click
and edit the
To remove entries, highlight the entry line to be removed and click
Add a new entry and call it
. Place the following in the
Duke Buntline; Rollingcat Corporation;
Assignment in ISYS 565
Do not mark the
Include File Extensions
box to include a File Extensions List and count in the File Overview portion of the report.
Include File Extensions
box is unmarked by default. If you wish to include in the report
of file extensions such as is found in
, mark the
box. The list of file extensions will appear in the report under Case Information, after File Items and File Category, and before File Status. The File Extensions List is long and may span many pages. If you intend to print the Report, this may not be desirable.
once all report creation information has been entered or selected.
If you inadvertently close the Report Wizard, simply re-open it by
Verify the Case Information and move to the next section. Report settings are persistent, meaning that once set, the settings remain until changed by the user.
Managing Bookmarks in a Report
The Bookmarks dialog allows you to create a section in the report that lists the bookmarks that were created during the case investigation. You can also choose not to create a bookmark section by
settings can be unique for
Select any of the bookmarks made previously to include in the Report.
You can apply any filter to the bookmarks by selecting one from the filter dropdown box.
Customize the properties columns to display in the report
You can select or customize the properties columns to include in the report. You can import an existing custom column template and use it here if the template you want is not readily available or would take too long to re-create. We will use the
When you are done defining the columns settings to use, click
When you make changes to the columns settings, you can apply them to child files by clicking on
Apply these settings to children
Managing Graphics in a Report
dialog allows you to create a section in the report that displays thumbnail images of the case graphics and can link them to original graphics if desired.
Mark the box labeled
Export and link full-size graphics to thumbnails
Include checked graphi
as the number of graphics to display per row.
Leave unchecked the checkbox
Group all filenames at end of report
. Check this box if you want to group all the graphics filenames at the end of the report.
You can sort the graphics by
Click the dropdown arrow on the right side of the line to select either
Selecting a File Path List
The File Paths dialog allows you to create a section in the report that lists the file paths of files in selected categories. The File Paths section simply displays the files and their file paths; it does not contain any additional information.
in the left pane.
group in the
Select and drag
Mark the box to select
Adding a File Properties List
The File Properties dialog allows you to create a section in the report that lists the file properties of files in selected categories. There are several options to choose from, allowing you to make the File Properties List in the report as specific or as general as you want it to be.
drag the graphics category to the
when you have made all of the modifications needed.
as the file type and choose the
to save the report.
to generate the report.
Open the report in Word to make other additions to the report.
On November 10, 2015, Duke Buntline, head of security for RollingCat Corporation, requested forensic examination of two items of computer media: one thumbstick and one floppy diskette. Mr. Buntline reported that the media had been removed from the office of Mr. Dan Kojak, a computer information systems intern with the company. Mr. Buntline suspected that Kojak was operating a 419 scam among RollingCat employees using his assigned computer workstation, a violation of company policy. The investigation was hampered by the destruction of the hard drive of Kojak’s computer workstation. It appeared to have been destroyed by a powerful acid, perhaps nitric, set to operate as a timed internal pipe bomb, perhaps using dry ice as a timer.
Mr. Buntline asked that the media be examined for any evidence of time bombs, pipe bombs, dry ice, or “419 Nigerian” scams, or any other notable evidence of suspicious activity by Kojak.
The thumb drive contained several copies of “The Anarchist Cookbook” which included many references to both pipe bombs and time bombs. There were also references to the construction of time bombs using dry ice. The cookbook includes instructions for constructing such devices. There were also many photos of explosion scenes. All of this evidence was in a subdirectory named “Terrorist”, and these files had been deleted. The files were recovered from free space or the Recycler.
The thumb drive also contained a collection of cook books, recipes, photos of food, and text files of books and literature.
There was also one email message with a reference to dry ice and a “yew alley”. This may have been a reference to a “yew alley” mentioned in one of the literary works (“The Hound of the Baskervilles”), but the meaning of this connection is not clear to the examiner.
The floppy diskette had been formatted, but we recovered one directory containing a small Danish-English dictionary and a dictionary of “Nigerian English”. There is no obvious relationship between the material on the floppy and the material on the thumb drive, although the latter dictionary could be somehow related to the 419 scam.
[Discuss bookmarks and fi
The evidence item, original memory stick, was attached via a write protection block to a computer operating under Windows XP, and imaged using the FTK Imager as an EnCase Evidence file. The MD5 hash of the original device was calculated in this process. An image of this memory stick was then copied to a Virtual Computer operating EnCase Forensics Analysis software. Upon completion of the transfer process, EnCase was again used to verify the integrity of the evidence file and calculate an MD5 Hash for the evidence, and it was verified that the evidence image was unchanged by the imaging or the transfer process. The original memory stick was then removed from the computer and stored in a locked repository.
The evidence item, the floppy diskette, was write protected, read by a computer operating under Windows XP, and imaged as a simple dd image file using the FTK imager. The MD5 hash of the original floppy volume was calculated in this process. (Attached via a write protection block, and a hash calculated with md5deep; an image of this memory stick was then copied to a Key Computer Service hard disk drive using dd for Windows.)
The image of this diskette was then copied to a Virtual Computer operating EnCase Forensics Analysis software. Upon completion of the transfer process, md5deep was used to calculate an MD5 Hash for the image and it was verified that the evidence image was unchanged by the imaging or the transfer process. This evidence was then loaded into EnCase, acquired by EnCase, and EnCase again used to verify the integrity of the evidence file and calculate an MD5 Hash for the evidence. It was verified that the evidence image was unchanged by the imaging, transfer or acquisition process. The original diskette was then removed from the computer and stored in a locked repository.
EnCase automatically recovered the files deleted from the original thumb stick, most notably all files in the directory “Terrorist”. There was a single Outlook PST (personal folders) file, unencrypted, on the thumb drive. The structure of this file was restored by means of an EnCase keyword search.
The floppy diskette appeared to be blank; however, applying the “Recover Folders” procedure of EnCase recovered one folder, indicating that the floppy was likely formatted.
Chain of custody
Nov 10, 9.50 am. Bloomguys received the two evidence items from Buntline at his offices in Broad St.
Nov 10, 11.30 am. Bloomguys seals the two evidence items in a tamperproof bag and locks the parcel in the evidence repository safe in his offices in Broad St.
See the Chain of Custody Form attached to this report for further details.
All software utilized is licensed to, or authorized for use by, the examiner and/or
Buck Bloomguys is a forensics examiner trained at Brigham Young University, in its information security and its digital forensics courses. He has two years of experience as a computer specialist. Expecting to graduate in 2015, Bloomguys will hold a Master’s Degree in Management Information Systems.
Finalizing the Report
Reorder the sections of the report so that the most important findings (the bookmarks) appear immediately after the “Case Overview” and “Executive Summary”. Since forensic reports are generally for managerial audiences, create appendices for highly detailed information. You can then reference these appendices as needed. Finally, format your report professionally as you see fit.
Email your completed report to Kent Norman at