M3A1: Textbook Activity - Digital Evidence
IT406: Computer Forensics
Submit your findings for each hands-on project in a Word document, 2–3 pages in length, double spaced, and in 12-point font.
A reminder on the format of your papers: they must have an introduction, details about the topic, screenshots with a narrative of those screenshots (no narrative reduces your credit), a conclusion of what you learned from the assignment, and references (every paper should have references on what you researched on the topic).
Hands-On Project 5-3
You’re at a crime scene, which is the home of a suspected drug dealer. You find a computer turned on with three applications running. An online session is also open through a DSL connection. Write a one- to two-page paper outlining what you should do to document the crime scene and collect and package the evidence.
Hands-On Project 5-4
In this project, you create a file on a USB drive and calculate its hash value in FTK Imager. Then you change the file and calculate the hash value again to compare the files. You need a Windows computer and a USB drive.
1. Create a folder called C5Prj04 on your USB drive and then start Notepad.
2. In a new text file, type This is a test of hash values. One definition of a forensic hash is that if the file changes, the hash value changes.
3. Save the file as hash1.txt in the C5Prj04 folder on your USB drive, and then exit Notepad.
4. Start FTK Imager, and click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
5. In the Select Drive dialog box, click the Drive Selection list arrow, click to select your USB drive, and then click Finish.
6. In the upper-left pane, click to expand your USB drive and continue expanding until you can click the C5Prj04 folder. In the upper-right pane, you should see the hash1.txt file created.
7. Right-click the file and click Export File Hash List. Save the file as Original hash in the C5Prj04 folder on your USB drive. FTK Imager saves it as a .csv file. Exit FTK Imager, and start Notepad.
8. Open hash1.txt in Notepad. Add one letter to the end of the file, save it, and exit Notepad.
9. Start FTK Imager again. Repeat steps 4 to 7 (but without starting Notepad again), but this time when you export the file hash list, save the file as changed hash.
10. Open the original hash and changed hash files on your USB drive in Excel (or another spreadsheet program). Compare the hash values in both files to see whether they are different, and then exit Excel.
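The same before-and-after comparison can be scripted to cross-check the values you record. This is an added example, not part of the original assignment or of FTK Imager: it hashes the file, appends one character, hashes again, and compares the two exported lists. The scratch folder (used in place of the USB drive), the function names, and the MD5/SHA1/FileNames column layout of the CSV are assumptions made for this example.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

def file_hashes(path):
    """Return (md5, sha1) hex digests, reading in chunks so large files work."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def export_hash_list(files, csv_path):
    """Write a hash list as CSV (assumed columns: MD5, SHA1, FileNames)."""
    with open(csv_path, "w", newline="") as fh:
        writer = csv.writer(fh, quoting=csv.QUOTE_ALL)
        writer.writerow(["MD5", "SHA1", "FileNames"])
        for f in files:
            writer.writerow([*file_hashes(f), str(f)])

def compare_hash_lists(original_csv, changed_csv):
    """Return the file names whose MD5 or SHA1 differ between the two lists."""
    def load(p):
        with open(p, newline="") as fh:
            return {r["FileNames"]: (r["MD5"], r["SHA1"]) for r in csv.DictReader(fh)}
    before, after = load(original_csv), load(changed_csv)
    return sorted(n for n in before if n in after and before[n] != after[n])

def run_project(workdir):
    """Steps 1-10 of the project, in a scratch folder instead of a USB drive."""
    folder = Path(workdir) / "C5Prj04"
    folder.mkdir()
    target = folder / "hash1.txt"
    target.write_text("This is a test of hash values. One definition of a forensic "
                      "hash is that if the file changes, the hash value changes.")
    export_hash_list([target], folder / "Original hash.csv")
    with open(target, "a") as fh:   # step 8: add one letter to the end
        fh.write("x")
    export_hash_list([target], folder / "changed hash.csv")
    return compare_hash_lists(folder / "Original hash.csv", folder / "changed hash.csv")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name in run_project(tmp):
            print("hash changed:", name)
```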