During this exercise, you will examine a video from EnCase and other cyber forensic vendors. In one document that clearly labels Parts A and B, provide short answers to all questions for both parts of this exercise.
Part A: The Forensic Process
Watch the following video:
This first short video demonstrates how to perform a simple forensic task using EnCase.
Computer Forensics: Recovering Deleted Files with EnCase (YouTube – 2:36)
Part A Questions
- What USB file information does EnCase show that is not seen in Windows Explorer?
- How does EnCase depict a deleted file?
- NIST SP 800-86, Figure 3-1 identified 4 basic phases in the forensic process. The video showed aspects of 3 of those phases. Identify the 3 phases that were addressed in the video and explain why each phase you identify corresponds to activities in the video.
- This video was made in 2008 and the operating system target was Windows XP, which Microsoft no longer supports. Explain the impact of evolving technology on forensic tool selection.
Part B: Government-Sponsored Forensics
In Part B, you are going to watch a video documentary on how the Department of Defense (DoD) uses systems forensic science. This portion of the assignment will demonstrate how the forensic methods and tools are used in the real world of forensic investigations.
Watch the following video:
The video explores how digital forensics blends with other crime scene forensics investigations, providing insight on how digital forensics is used to build a case. This includes a discussion on the use of tools that examine hard drives, chips, and mobile devices. It also examines how the DoD deals with a different set of threats than most business organizations face.
Digital Detectives (2011) – Documentary on Computer Forensics in the DoD (YouTube – 28:24)
After viewing the video, respond to the following, and be sure to explain your answers:
Part B Questions
- An analyst describes a rape and murder case in Hampton Roads, Virginia. A system forensics investigation yielded information on two suspects. The first suspect was exonerated, but a second suspect was identified and later successfully prosecuted.
a. What type of stored data yielded information that helped to convict the second suspect?
b. Was the critical evidence available in the initial system forensics investigation, and why or why not?
c. Read NIST SP 800-86, Section 2.3 “Interactions with Other Teams”, pages 2-4 through 2-5. Consider the material in Section 2.3 and then briefly discuss what you learned from this case about how system forensics are used in conjunction with other crime scene investigations.
- Later in the video, an analyst describes using the Dossier tool to capture evidence and then discusses evidence derived from examining pictures. What type of forensic evidence, often correlated with the pictures, is very useful in the investigation, and how is it used?
- In the discussion about cyber forensics training, OSI Chief Paul Alvarez says they seek students with three qualities that will determine their success in the field. Identify and explain the three qualities.
- Michael Milner of the Army’s Computer Crime Investigative Unit explains that 10 years ago, the primary threats investigated by the DoD were “recreational hackers.” What is the new predominant threat and why are the new threats a greater concern to the DoD?
- The video closes by noting that USAF system forensic investigators spend a lot of time protecting versus prosecuting their own personnel. Reference Section 2-1 of NIST SP 800-86: can you explain how system forensics is used for the purpose of protection?