Digital Forensics task 2
A. Write a report for the team of investigators by doing the following:
1. Describe all steps taken in Autopsy to create the forensic system case file. Provide screenshots of these steps along with the Name, Email, and Student ID located on the desktop of the virtual environment.
Note: The “Student ID” that appears on the desktop of the virtual lab environment is not intended to be your actual WGU Student ID, but it is generated by the lab as a different identifier. Therefore, you should provide all screenshots of the virtual desktop as it appears in the lab.
2. Describe all steps taken in Autopsy to identify potential evidence, including data files, deleted data files, directories, or drive partitions. Provide screenshots of these steps along with the Name, Email, and Student ID located on the desktop of the virtual environment.
3. Summarize the findings you identified during your investigation and the conclusions you made regarding the suspect and the collected evidence. Provide screenshots from Autopsy or reports in support of your findings and conclusions. In each screenshot, include the Name, Email, and Student ID located on the desktop of the virtual environment.
B. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
C. Demonstrate professional communication in the content and presentation of your submission.
INTRODUCTION
In today’s digital world, most fraud can be tracked electronically. In this task, you will use Basis Technology’s Autopsy application to analyze a storage device for evidence related to a possible violation of company policy. You will analyze the storage device for data files, deleted data files, directories, or drive partitions. You will need to provide screenshots of your evidence and then write a final report to present the findings to senior management.
To access the Autopsy application and the files you need to recover, you will use the “Performance Assessment Lab Area” (see Web Links section). Instructions for how to access the tools will be included in the lab area.
SCENARIO
An oil company’s senior management has reason to suspect that John Smith, one of the company’s mechanical engineers, allegedly took information that was clearly identified as proprietary. The company’s legal office has requested digital evidence regarding the potential violation of company policy, which prohibits the sharing of proprietary information without prior approval. The employee was not authorized to access proprietary information. All employees sign nondisclosure agreements (NDAs) and acceptable use policies (AUPs). Senior management and the legal office have approved this request.
You are a member of the investigative team that has been assigned to examine the digital evidence captured from the suspect’s office laptop computer and create an incident report.
REQUIREMENTS
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The originality report that is provided when you submit your task can be used as a guide.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
Tasks may not be submitted as cloud links, such as links to Google Docs, Google Slides, OneDrive, etc., unless specified in the task requirements. All other submissions must be file types that are uploaded and submitted as attachments (e.g., x, , .ppt).
Task 2 D431 screenshots
I named the case: Investigation on John Smith
These are just instructions I used in doing the lab.
Lab Instructions
1. Run Autopsy.
2. To create a New Case, select: New Case
3. The New Case wizard dialog will open. Enter the Case Name.
4. Enter a Base Directory; use the browse button: C:\Users\LabUser\Desktop\Evidence Files. Click on Next.
5. Add Case Number = your Student ID.
6. Add Name = your Student ID, then click on Finish.
7. Select Host, accept the default settings and click Next.
8. Select the data source type, in this case Disk Image or VM file, and click Next.
9. Select Data Source path, browse to: C:\Users\LabUser\Desktop\Evidence Files\JSmith_Q1.001
10. Select Data Source, accept defaults, Next.
11. Configure Ingest, accept defaults, Next.
12. Add Data Source; when you see the message “Data source has been added to the local database. Files are being analyzed”, click on Finish.
13. Time to begin your analysis.
14. While doing your analysis, right-click on a file name, select Extract File(s) and save the files to the Export Folder, C:\Users\LabUser\Desktop\Evidence Files\Example\Export
15. For this task, you will need to take a screenshot that includes your student information, along with your Autopsy case. Please resize the Autopsy Window as needed by pointing the cursor to the side of the window until you see a double-arrow. Click and drag until you can clearly see your student information, as well as your Autopsy case. Use a screenshot tool outside of the virtual environment on your personal computer such as Snipping Tool (Windows) or using Screenshot (Mac, by using “Shift,” “Command,” and “3”).
Each screenshot should have the Name, Email, and Student ID found on the desktop of the Virtual Environment.
Task 2 of D431 just in case
Investigation on John Smith (case name)
Deleted files
These deleted data and access times could be evidence.
Task 2 Attempt 3 of D431
Run the Autopsy
1- Description of how to create a case.
I clicked on autopsy64 twice. Once it opened, I clicked on New Case, which displayed the screenshot below.
Then I chose the case name Investigation on John Smith and put in the directory C:\Users\LabUser\Evidence Files. I then clicked on Next, and it displayed the screenshot below.
I put in the case number 011018126 followed by the name 011018126, then clicked Finish.
2- Description of steps taken in Autopsy to identify evidence, data files, deleted data files and directories.
Once done creating a case, I got to Select Host, as displayed in the screenshot below.
Then, in Select Data Source Type, I made sure Disk Image or VM file was ticked, then clicked on Next.
I selected the data source, typed in C:\User\LabUser\Desktop\Evidence Files\JSmith_Q1.001, then clicked on Next; the screenshot below came up.
On Configure Ingest, I accepted the defaults then clicked Next, as seen below.
Below is a screenshot of the file that has been analyzed.
In deleted data files, I see a suspicious business strategies PDF, as shown in the screenshot below.
Another piece of evidence could be a suspicious bitcoin purchase.
Then summarize everything
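The notes above treat deleted files and their access times as potential evidence. The following added example (not part of the original lab instructions or the student's notes) shows how a file listing in The Sleuth Kit body-file layout, the toolkit Autopsy is built on, can be filtered down to deleted entries and ordered by access time. The sample listing, file names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in Sleuth Kit body-file layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Documents/notes.txt|36-128-1|r/rrwxrwxrwx|0|0|512|1700000000|1699990000|1699990000|1699980000
0|/Documents/strategy.pdf (deleted)|41-128-1|r/rrwxrwxrwx|0|0|20480|1700100000|1700050000|1700050000|1700040000
0|/Temp/receipt.txt (deleted)|52-128-1|r/rrwxrwxrwx|0|0|2048|1700090000|1700080000|1700080000|1700070000
0|/Temp/old.tmp (deleted-realloc)|52-128-1|r/rrwxrwxrwx|0|0|0|0|0|0|0
malformed line without enough fields
"""

# Suffixes the listing appends to names of unallocated entries.
DELETED_MARKERS = (" (deleted)", " (deleted-realloc)")

@dataclass
class Entry:
    name: str
    inode: str
    size: int
    atime: int      # last access, epoch seconds (0 = not recorded)
    realloc: bool   # metadata entry was reused; timestamps may belong to another file

def parse_deleted(bodyfile_text):
    """Return deleted entries from body-file text, oldest access time first."""
    entries = []
    for line in bodyfile_text.splitlines():
        parts = line.split("|")
        if len(parts) < 11:
            continue  # skip blank or malformed lines
        # A file name may itself contain '|', so take fixed fields from the right.
        name = "|".join(parts[1:-9])
        inode, _mode, _uid, _gid, size, atime = parts[-9:-3]
        marker = next((m for m in DELETED_MARKERS if name.endswith(m)), None)
        if marker is None:
            continue  # allocated file, not of interest here
        entries.append(Entry(name[:-len(marker)], inode, int(size),
                             int(atime), marker == DELETED_MARKERS[1]))
    return sorted(entries, key=lambda e: e.atime)

def utc(ts):
    """Epoch seconds as ISO 8601 UTC, so report times are unambiguous."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else "not recorded"

if __name__ == "__main__":
    for e in parse_deleted(SAMPLE_BODYFILE):
        note = "  [metadata reallocated: treat times with caution]" if e.realloc else ""
        print(f"{utc(e.atime)}  {e.size:>6}  {e.inode}  {e.name}{note}")
```

Reporting times in UTC and noting reallocated metadata keeps the timeline in the final report defensible when the findings are reviewed.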