This is a digital forensics project. Due to COVID-19, here are some changes:

1) We will still do the process using FTK Imager and you will submit the Matching Hash Document supplied for the folder image copy. This gives you experience with the Imaging Process that is critical to digital forensics.


2) Instead of using the Imaged file for the investigation, you will simply investigate the downloaded zip file using Autopsy evaluating all ten of the files in the folder. This means unzipping the folder and looking at all ten files. This process is a tiny version of looking at a large hard drive. You will submit your results in the Investigation portion.


3) You will still do the report just like previously.








COSC 5388/4388 Digital Forensics
Roberts
Spring 2020
Digital Forensics Project

Hi everyone,

I just want to detail the project for this course. Obviously, we can’t do the project using the Digital Forensics Laboratory nor will we have a crime scene scenario as originally planned. However, we can complete the project in general. The project will contain three phases.

Imaging – 30%
Investigation – 30%
Written Report – 40%

Phase 1 Imaging:

1. You will download Access Data FTK Imager 4.3.0.18. I will post instructions and a video for the download process in the CANVAS Project Imaging Module.
2. I will send you a folder with a set of files and a crime summary to your campus email. It will be a zip folder. You will need to unzip it. These folders are unique to you. This will happen this week by Saturday April 4.
3. You will use FTK Imager to make an identical copy of the folder.
4. You will report the hash values reported by Imager and create a document.
5. You will submit the hash values in a Word or PDF document and submit on the assignment in CANVAS.

Phase 2 Investigation:

1. The number of files in the downloaded folders is limited. These are the exact files that were going to be used for the project in the Digital Forensics Laboratory. However, the use of Access Data’s Forensic Toolkit Software is limited to the laboratory. For this project, you will use the Autopsy Software used for the course labs for the investigation.
2. Due to the limited number of files being investigated, you should be able to provide details for each file and clearly determine if the file is related to the case.
3. You will submit the details about each file in a Word or PDF document and submit the assignment in CANVAS.

Phase 3 The Report:

1. You will take the results from Phase 1 and Phase 2 and create a final report. I expect the report to be about 3-5 pages. A large portion will be provided by your documentation of Phase 1 and Phase 2.
2. You will detail your steps in the forensic process in order. These details are vital. What did you do first, second, third, and so on. The process and details are important – what software, what time, where, etc.
3. You will need to detail your findings as a forensic investigator to conclude the report.
4. You will submit the details about each file in a Word or PDF document and submit the report in CANVAS.

Note: At any time, if you are having difficulty please let me know.

The FBI and the Texas Rangers are investigating an 18 wheeler holdup with stolen toilet paper in Tyler, TX. They serve a search warrant on a suspect and find a flash drive.

More description

Phase 1

This is stage one of the digital forensics project. It details the process of creating an image of the flash drive evidence from the crime scene. Due to the change to online, the only way to simulate this is to send you a zipped folder containing files. Note every student has a different set of items in the folder and a case specific to them. You should have already downloaded FTK Imager. The step by step process for imaging the folder is detailed in this section including a narrated video going through the process. You will turn in the information that details the match of the image and both hash values for the original folder and the imaged folder. After creating the image, you will investigate the imaged folder to protect the original evidence.

Phase 2

The student should use Autopsy to look at every file in the imaged folder. They should copy findings from Autopsy into a summary document. The details of all files should be explained. You will then submit a file that completes this part of the project. You will then be able to take information from this section to the final report.

Phase 3

This report should be a simple, straightforward report. It has multiple sections.

Section 1
This includes a discussion detailing the process of imaging. It should include details about the software used and the resulting new image file and the matching of the hash values. Most of this will simply report the results of Project Part I Imaging.

Section 2
This includes a discussion detailing the process of investigation of the contents of the folder. It should include details about the software used and the results for every single file in the folder. Most of this will simply report the results of Project Part II Investigation.

Section 3
This section is your final interpretation of what you found in your investigation. You must give an unbiased assessment of your interpretation of the findings of the forensic investigation. If the evidence doesn't prove something happened or support the case then you report that it does not. If it does support the case then you clearly state what items and how it supports the case.

This report should be as concise as possible at max = 10 pages. At the end you will submit your report via file upload using Word.

More description -updated

First, there is never a case where all the files will be relevant. The majority of files are not relevant. Think about it, if you have a 4 TB hard drive and it has files from the past three years, there will be tons and tons of files that are noise to the case. A digital forensic analyst has to be extremely patient and determined to sustain themselves through the investigation. It could be that only one file is relevant out of 500,000. In this project, it was scaled to take you through the process. I can tell you for a fact that none of the folders have every item directly relevant to the Student Case. On top of that fact, there are some Student Case folders where none of the files are relevant. This is on purpose. For this project, I scaled it back intentionally so you could look at and evaluate each file. If you look at a file (there are only 10) then you say what it is and then deem whether or not it has anything to do with the case. It is completely doable.
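The hash matching that Phase 1 asks for can be cross-checked independently of the imaging tool. The script below is an added example, not part of the course materials or of FTK Imager: it hashes each file separately with MD5 and SHA-1, so its output complements rather than reproduces the hash values FTK Imager reports. The folder and file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large evidence files are not loaded whole


def hash_file(path):
    """Return (md5, sha1) hex digests of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def manifest(folder):
    """Map each file's path relative to `folder` to its (md5, sha1) pair."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(original, copy):
    """Compare two folders file by file; return sorted lists of discrepancies."""
    a, b = manifest(original), manifest(copy)
    return {
        "missing_in_copy": sorted(a.keys() - b.keys()),
        "extra_in_copy": sorted(b.keys() - a.keys()),
        "hash_mismatch": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def demo():
    """Constructed sample: two small folders, one file altered by a single byte."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, copy = Path(tmp, "original"), Path(tmp, "copy")
        for d in (orig, copy):
            d.mkdir()
            (d / "invoice.txt").write_bytes(b"constructed sample A\n")
            (d / "photo.bin").write_bytes(bytes(range(256)))
        (orig / "notes.txt").write_bytes(b"only in original\n")
        (copy / "photo.bin").write_bytes(bytes(range(255)) + b"\x00")
        return compare(orig, copy)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

An empty result in all three lists means every file in the copy matches the original byte for byte; recording the per-file manifest alongside the tool's own hash report gives the written report a second, reproducible record of integrity.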
Apr 28, 2021