CSEC 661 Lab 2 Answer / Digital Forensic Investigations
Step by step process to create a Hash Category Filter
Part I: Lab Questions:
Use EnCase to create a Hash Category Filter. Use that filter to investigate, answer the following questions, and bookmark items of interest:
a. There are two files that are peculiar. What are the files and what is the peculiarity? Note this in your final report. (Evidence Tab)
b. Within the Internet Explorer cache, find images related to stock trading. Bookmark the image in the Pictures bookmark folder. (Records Tab)
c. Find and bookmark in the email folder the email that tells where Peterson is going to go to avoid the cops (it should include the name of a city or country). Where will he be staying while at this location? You may need to look for other evidence. (Records Tab)
d. Find and bookmark in the email folder the email that describes how much money will be transferred to an account. (Records Tab)
e. Who wanted to sell their laptop? Find and bookmark the evidence in the appropriate folder. (Records Tab)
f. We need to prove that Peterson knew how to change the extension on his file. Find evidence and bookmark the evidence in the appropriate folder. (Records Tab)
g. Include in your write-up the URLs of any websites that, judging by their names, have to do with money laundering. You may take screenshots and insert them into your final report. (Case Analyzer Tab)
h. Document the security IDs (SIDs) of the accounts on Peterson's hard drive that start with S- and end in 20 or less (a final component, the RID, of 20 or less marks a well-known built-in principal, e.g. S-1-5-18 is the Local System account). (Case Analyzer Tab)
i. What is the IP address of the DHCP server? (Case Analyzer Tab)
j. What version of Windows is installed, and when was it installed? (Case Analyzer Tab)
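The two checks the Part I questions lean on, hash-category filtering (questions a and b) and a content signature that disagrees with the file extension (questions a and f), as an added Python example that is not part of the lab and not EnCase's own code. Everything in it is constructed: the sample files, the "known good" and "notable" hash sets (stand-ins for an NSRL-style known-file set and an examiner's own flagged set), and the small magic-number table.

```python
"""Hash-category filter plus signature-vs-extension check (added example).

Constructed sample: four small files written to a scratch directory, a
"known good" hash set and a "notable" hash set. Each file is hashed and
placed in a category; files whose leading bytes belong to a different
file type than their extension claims are flagged as well.
"""
import hashlib
import os
import tempfile

# Constructed file contents; not evidence from the lab image.
SAMPLE_FILES = {
    "readme.txt": b"This is an ordinary text file.\n",
    # JPEG header bytes stored under a .txt extension: a renamed file.
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 16 + b"\xff\xd9",
    "tool.exe": b"MZ" + b"\x00" * 30,
}

# Magic numbers mapped to the extensions they legitimately carry.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"MZ": {".exe", ".dll"},
    b"%PDF": {".pdf"},
}


def sha1_of(path, chunk=1 << 20):
    """SHA-1 of a file, read in chunks so large evidence files fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def categorize(path, known_good, notable):
    """Notable wins over known: a flagged hash must never be suppressed."""
    digest = sha1_of(path)
    if digest in notable:
        return "notable"
    if digest in known_good:
        return "known"
    return "unknown"


def signature_mismatch(path):
    """True when the leading bytes match a type the extension does not belong to."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return ext not in exts
    return False  # no known signature: nothing to compare against


def run_filter(directory, known_good, notable):
    """Return {filename: (category, extension_mismatch)} for every file."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = (categorize(path, known_good, notable),
                             signature_mismatch(path))
    return results


def demo():
    """Write the constructed files, build the hash sets, run the filter."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        known_good = {hashlib.sha1(SAMPLE_FILES["readme.txt"]).hexdigest()}
        notable = {hashlib.sha1(SAMPLE_FILES["tool.exe"]).hexdigest()}
        return run_filter(d, known_good, notable)


if __name__ == "__main__":
    for name, (cat, mismatch) in demo().items():
        print(f"{name:12s} {cat:8s} extension-mismatch={mismatch}")
```

In EnCase the "known" category is what the filter hides so the examiner only looks at what is left; the same logic applies here, where `readme.txt` would be suppressed, `tool.exe` surfaced as notable, and `notes.txt` surfaced because its JPEG header does not fit a `.txt` extension. Hash sets must be keyed on the same algorithm the tool hashes with (MD5 and SHA-1 are the ones legacy hash sets ship), and the signature table only catches renames to or from types it knows about.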
Part II: Recover Photos: Within EnCase, process a SanDisk drive used in a camera that appears to have no files on it. Our task is to recover the deleted pictures.
a. Bookmark one of the pictures of a guy wearing orange and include the file in your final report as an addendum. The bookmark should include the picture and the location (offset) of where the picture was on the SD card. Note how many picture files were recovered.
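What EnCase does when it recovers pictures from a card whose directory entries are gone is signature carving: scanning the raw media for JPEG start and end markers rather than walking the file system. The carver below is an added Python example, not the lab's or EnCase's code, and it reports exactly what the bookmark asks for, the byte offset of each picture and the recovered count. The disk image it runs on is constructed in `make_sample_image()`: zero-filled space with three JPEG-shaped blobs at sector-aligned offsets, one of them carrying a nested thumbnail the way Exif files do.

```python
"""Signature-based JPEG carver over a raw image (added example).

A JPEG starts with FF D8 FF followed by a marker byte and ends with FF D9.
Exif pictures embed a thumbnail that has its own SOI/EOI pair, so a naive
carver that stops at the first FF D9 truncates the main picture; one level
of nesting is handled here.
"""
import hashlib

SOI = b"\xff\xd8\xff"  # start of image, followed by a marker byte
EOI = b"\xff\xd9"      # end of image
# Marker bytes that legitimately follow SOI: APP0 (JFIF), APP1 (Exif),
# APP2, DQT and APP14 (Adobe). Anything else is treated as a false hit.
VALID_FOURTH = b"\xe0\xe1\xe2\xdb\xee"


def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Return [(offset, length, sha1)] for each JPEG found in `image`."""
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        if image[start + 3:start + 4] not in [bytes([b]) for b in VALID_FOURTH]:
            pos = start + 1
            continue
        end = image.find(EOI, start + 4)
        if end == -1 or end - start > max_size:
            pos = start + 1
            continue
        # A second SOI before the first EOI means an embedded thumbnail;
        # the real EOI is the next one after the thumbnail's.
        nested = image.find(SOI, start + 4, end)
        if nested != -1:
            end = image.find(EOI, end + len(EOI))
            if end == -1 or end - start > max_size:
                pos = start + 1
                continue
        end += len(EOI)
        blob = image[start:end]
        found.append((start, len(blob), hashlib.sha1(blob).hexdigest()))
        pos = end
    return found


def fake_jpeg(payload, marker=b"\xe0"):
    """JPEG-shaped blob (SOI + marker + payload + EOI); not a viewable picture."""
    return b"\xff\xd8\xff" + marker + payload + b"\xff\xd9"


def make_sample_image():
    """Constructed 8 KiB 'card image': no file system, three carved-able JPEGs."""
    img = bytearray(8192)
    first = fake_jpeg(b"JFIF-first" * 10)           # 106 bytes at sector 1
    second = fake_jpeg(b"JFIF-second" * 10)         # 116 bytes at sector 8
    # Exif-style picture with an embedded thumbnail inside it.
    third = fake_jpeg(b"Exif" + fake_jpeg(b"thumb") + b"main-data", marker=b"\xe1")
    img[512:512 + len(first)] = first
    img[4096:4096 + len(second)] = second
    img[6144:6144 + len(third)] = third
    return bytes(img)


def carve_report(image):
    """Offsets and count, the two things the bookmark has to record."""
    hits = carve_jpegs(image)
    return {"count": len(hits), "offsets": [h[0] for h in hits]}


if __name__ == "__main__":
    for off, length, digest in carve_jpegs(make_sample_image()):
        print(f"offset={off} length={length} sha1={digest}")
```

Against a real card image you would pass the raw bytes of the `dd` image (or read it in windows) and write each blob out under a name derived from its offset, then hash it so the bookmark and the report refer to the same object. Carving finds content, not names or timestamps, and a picture whose clusters were partly overwritten will come out truncated or corrupt, which is why the count of carved files is not the same as the number of pictures that once existed.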