What are the results of verification? Comparing both hashes, are they the same or not?
As the following figures show, the verification outcome for all images coincides. Furthermore, for both images the reported and the computed MD5 hash values match. The two images also have matching computed SHA1 hash values.
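The verification step above compares the hash values printed in the acquisition report with hashes recomputed over the image. The following is an added example of that comparison written in Python; it is not FTK code and not part of the lab. The image bytes and the “reported” values are constructed inline (the report values are simply the digests of the sample bytes), and the comparison is made case-insensitive so an upper-case MD5 from a report still matches.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a disk image; not the lab's image.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed image content" + b"\xff" * 512


def digest_of(data):
    """MD5 and SHA1 of an in-memory byte string (used here to stand in for
    the values a verification report would list)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def compute_hashes(path, chunk_size=1024 * 1024):
    """Hash an image file in chunks so a multi-gigabyte image never has to
    fit in memory; both digests are computed in a single pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, reported):
    """Compare the hashes written in the report with freshly computed ones.
    Returns (computed, verdict) where verdict maps algorithm -> True/False.
    Reported values are normalised (stripped, lower-cased) before comparing."""
    computed = compute_hashes(path)
    verdict = {algo: computed.get(algo) == value.strip().lower()
               for algo, value in reported.items()}
    return computed, verdict


def write_sample_image():
    """Write the constructed image to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".001")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    return path


if __name__ == "__main__":
    image_path = write_sample_image()
    report = digest_of(SAMPLE_IMAGE)          # pretend these came from the report
    computed, verdict = verify_image(image_path, report)
    for algo in ("md5", "sha1"):
        print(f"{algo.upper()}: reported {report[algo]} computed {computed[algo]} "
              f"-> {'MATCH' if verdict[algo] else 'MISMATCH'}")
```

A mismatch on either digest means the image is not the one that was acquired (or was modified afterwards), which is why both MD5 and SHA1 are compared rather than relying on one of them.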
How can the number of Checked Items be made to go up? How can the number of Flagged Thumbnails be made to go up?
The number of Checked Items grows when we select directories and files in the Explore window and then choose the option “Check All Files in The Current List”. After that, we should expect the number of Checked Items to rise.
The number of Flagged Thumbnails goes up if we go to the Explorer window and select a specific image or folder. After that, all the sub-files, marked with either red or green buttons, can be checked by choosing the option “List all descendants”.
Files of the JPEG, Word Document and MP3 types can be identified by the file extension, and they can also be determined from the header that precedes the data; when the file’s extension has been changed, you should look at the file’s header.
What files are found by performing the data carving process? Why is this process so important?
The importance of the data carving process lies in the fact that it is a good way to recover embedded and deleted files. If these files contain helpful information, they can support the investigation analysis. Files are carved with FTK, which uses the file header to identify them and lists them in the case image. The deleted files then go through the investigation process.
Select Documents and Settings\psmith\Recent. What kind of files does this folder contain? Select each file in this folder; what kind of information do you get from the upper-right window?
This folder contains link files: shortcut files with the file extension “LNK”. These files record information about each file or application that has been run. A link file holds important information about the original file (creation date, modification date, access date, original file path, and size of the original file) and is created when we open a new file. Such files record the configuration of the computer at a specific time. Moreover, if we open an installed application, a corresponding link file is created. These files can remain on the computer even after the original file was deleted, so for the investigator they also preserve important information about performed actions and deleted files. In the folder called “Recent” we find files such as diagram.gif, project47x.doc, outlook express, cleanup.log, and the confidential folder, which the user has recently accessed. Each link file provides link target information such as local path, volume type, size, and file dates (creation, modification, access). Furthermore, the link provides some target system information (NetBIOS name and MAC address).
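The dates and target size that FTK shows for each LNK file come from the fixed 76-byte ShellLinkHeader at the start of the file (MS-SHLLINK). The following added Python example parses that header; it is not FTK code and not from the lab. The sample header bytes and timestamps are constructed. The target path, volume and the NetBIOS/MAC details mentioned above live in later structures (LinkInfo, StringData and the TrackerDataBlock), which this header-only parser does not read.

```python
import struct
from datetime import datetime, timedelta, timezone

SHELL_LINK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags / FileAttributes bits (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002
FILE_ATTRIBUTE_DIRECTORY = 0x00000010

# Constructed sample timestamps for the example (not from the lab image).
SAMPLE_CREATED = datetime(2004, 7, 20, 9, 15, tzinfo=timezone.utc)
SAMPLE_ACCESSED = datetime(2004, 7, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_WRITTEN = datetime(2004, 7, 25, 17, 45, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(blob):
    """Parse the ShellLinkHeader: sizes, CLSID check, flags, attributes,
    the three FILETIMEs and the target file size."""
    if len(blob) < SHELL_LINK_HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", blob, 0)
    if size != SHELL_LINK_HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    return {
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "has_id_list": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "has_link_info": bool(flags & HAS_LINK_INFO),
    }


def build_sample_lnk_header():
    """Constructed 76-byte header for a 24576-byte, non-directory target."""
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        SHELL_LINK_HEADER_SIZE, LINK_CLSID,
        HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO,   # LinkFlags
        0x20,                                      # FILE_ATTRIBUTE_ARCHIVE
        datetime_to_filetime(SAMPLE_CREATED),
        datetime_to_filetime(SAMPLE_ACCESSED),
        datetime_to_filetime(SAMPLE_WRITTEN),
        24576,                                     # FileSize of the target
        0, 1,                                      # IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0)                                # HotKey, Reserved1..3


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk_header()).items():
        print(f"{key:20} {value}")
```

The three timestamps describe the link target at the moment the shortcut was written, not the shortcut file itself, which is what makes them useful after the target has been deleted.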
Select Documents and Settings\psmith\Local Settings\History\History.IE5\index.dat. What kind of files does this file contain? Select each file; what kind of information do you get from the upper-right window?
This file holds the Internet Explorer master and daily browsing history, which keeps a URL record of all activities and also records information such as user name, page title, URL, URC, UTC, last accessed, and use count. Thus it keeps a record of the history logs and browsing activity of the user. This file provides us with all URLs and files that were browsed and accessed by psmith. Since it also records the time, we can see when psmith opened these files and how many times he accessed them.
Looking into the Recycled folder, which files are currently in the recycler? Select the INFO2 file from the Recycled folder; what information do you get from that file?
Currently there is a recovered folder called De2 that contains a PDF file, a gif image and a PostScript (ps) file. In the recycle bin we can also find a file named INFO2, which records each deleted file. Information about each new entry created in the recycle bin is added to this file (INFO2) automatically. It includes the file name, the deletion (recycling) date, the original name and path, and the index number. Since INFO2 shows all intentionally deleted files, it shows that psmith deleted a folder named “Boeing” which was located in the “My Documents” folder.
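The fields listed above (original path, deletion date, index number, and the D<drive><index> name the file gets in the Recycled folder) can be read straight from INFO2, whose records have a fixed layout. The following added Python example parses that layout; it is not FTK code and not part of the lab. The sample INFO2 bytes, the path and the deletion time are constructed. It handles the Windows XP quirk that the first byte of the ANSI path is overwritten with NUL when the file is recycled, and uses the record size from the header so that older 280-byte records (ANSI path only) are also accepted.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_SIZE = 20            # fixed header before the first record
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not taken from the lab image).
SAMPLE_PATH = "C:\\Documents and Settings\\psmith\\My Documents\\Boeing\\report.pdf"
SAMPLE_FILETIME = 127353168000000000   # 2004-07-26 12:00:00 UTC as a FILETIME


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per INFO2 record.
    Record layout: 260-byte ANSI path, u32 index, u32 drive number,
    FILETIME deletion time, u32 physical size, then (XP, 800-byte records)
    a 520-byte UTF-16LE copy of the original path."""
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        ansi = rec[:260]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        drive_letter = chr(ord("A") + drive)
        if ansi[0] == 0:
            # XP NULs the first byte of the ANSI path on deletion; the drive
            # number lets us put the drive letter back.
            ansi_path = drive_letter + ansi[1:].split(b"\x00", 1)[0].decode("latin-1")
        else:
            ansi_path = ansi.split(b"\x00", 1)[0].decode("latin-1")
        unicode_path = ""
        if record_size >= 800:
            unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        original = unicode_path or ansi_path
        ext = os.path.splitext(original)[1]
        records.append({
            "version": version,
            "index": index,
            "drive": drive_letter,
            "original_path": original,
            "deleted": filetime_to_datetime(ft),
            "size": size,
            # Name the file carries inside the Recycled folder: D<drive><index>.<ext>
            "recycled_name": f"D{drive_letter.lower()}{index}{ext}",
        })
    return records


def build_sample_info2():
    """Constructed XP-style INFO2 (version 5, 800-byte records) with one record."""
    header = struct.pack("<5I", 5, 0, 0, 800, 0)
    ansi = (b"\x00" + SAMPLE_PATH[1:].encode("latin-1")).ljust(260, b"\x00")
    fixed = struct.pack("<IIQI", 2, 2, SAMPLE_FILETIME, 40960)   # index 2, drive C:
    uni = SAMPLE_PATH.encode("utf-16-le").ljust(520, b"\x00")
    return header + ansi + fixed + uni


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(r["recycled_name"], r["deleted"].isoformat(), r["original_path"])
```

Because INFO2 is only updated through the shell’s recycle operation, a file removed with Shift+Delete or from the command line leaves no record here; its absence from INFO2 therefore says nothing about whether it was deleted.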
Looking into the WINDOWS\System32\spool folder, what information can you get from this folder?
This folder contains incomplete and unprinted print jobs. Two files are created for each job: a shadow file (SHD) and a spool file (SPL). The SHD file keeps information about the owner, filename, printer, file path, and printing mode (RAW or EMF) of the corresponding file. The actual data to be printed is contained in the SPL file. After printing is done, these files are deleted from the folder, but where they remain in unallocated space, FTK can be used as a special tool to carve the EMF data. There are two SPL files in the Spool folder. One of them shows that the user whose IP is 192.168.1.106 tried to print project47x.doc and project238x.rtf. This is evidence that should be held against psmith.
What is the major difference between Export a file and Copy Special a file?
Export a file:
This function helps the investigator use chosen files for different purposes, such as exporting those files to other devices, involving other parties in the investigation, or attaching them to a further investigative process. If investigators find encoded files which can help the investigation, they may use various tools to export those files.
Copy Special a file:
This feature is narrower because it only allows copying the selected files or information about them. Unlike the Export a file option, this feature does not allow us to export a file or to recover file content. The investigator can choose to copy information such as the file name, the various dates, the file type, the full file path, and other file information. Such information can be copied to the clipboard, a text file, or an MS Access database file.
What is the advantage of using indexed search vs. live search?
The main advantage of indexed search is speed: it takes less time to find the requested information because it works only on the index database, which is built for the whole hard drive at the beginning, whereas live search has no such index. Indexed search does not spend time processing file headers; it goes through file contents only. Consequently, if the investigator decides to find a file by its header, the indexed search will not return a positive result.
Live search, on the other hand, is slow because it searches the whole drive bit by bit. This is useful when the whole drive needs to be scanned bit by bit for particular phrases or keywords. Indexed search can simultaneously search for two parts of a keyword (looking for one part in one file while looking for the other part in other files), but live search can only search for the exact phrase, so if one letter is misspelled the live search will miss that result.
Click the Search > Indexed Search tab. In the Search Term box, type a keyword, for example “Project”, and then click Add.
Click View Cumulative Results if you added multiple keywords, or click “View Item Results”.
Expand the search results.
Select one file and find the instances of “Project” in the file.
Create a bookmark called Search Bookmark to keep a couple of important files.
Did anything happen? Did you find any important information? If so, what kind of information did you get?
Yes, this gives some useful information about an exchange of emails. Pat Smith sent information to the Raytheon Company, offering them some material from the ACME Company in exchange for a position at Raytheon. In order to hide his conversations from other competitors he deleted all the messages. He did not get a response from Raytheon. These emails have hypertext document attachments.
Exporting the VBR file:
To export the VBR file, the investigator needs to right-click on the VBR file and choose “Export Files”. A window will then pop up asking for the destination to export it to.
Exporting a file hash:
Right-click on the VBR file and select “Export File Hash List”. A window will then appear listing the possible destination folders where the investigator can save the VBR file’s hash list.
Carved files might contain information that can help the investigation. FTK carves and lists them using the file header; after that, the investigation process is carried out on these deleted files.