
DFC 620 UMGC Digital Forensics Technical & Practices Encase Investigations Guideline

 

Project 4: EnCase Investigations

One of the most common commercial digital forensic tools is EnCase, an integrated tool used in many types of digital forensic investigations, with a focus on computers and servers.

Additional AccessData tools that are commonly used include Password Recovery Toolkit (PRTK) and Registry Viewer.

There are three steps in this project. In those steps, you will use EnCase and other tools to image two computers and a thumb drive or USB stick. Each step in the project requires you to respond to detectives’ questions based on computer images.

The final assignment is a paper that helps detectives better understand the use of EnCase to access and image computers and thumb drives. In Step 1, you introduce detectives to the basics of forensic digital investigation by creating an image using EnCase.  

Step 1: Create an Image in FTK Imager

One of the first steps in conducting digital forensic investigations involves creating a forensic image of the digital evidence disk or drive. Digital forensics evidence can be found in operating systems, disk drives, network traffic, emails, and in software applications. To help the detectives in your department to better understand the digital forensics investigation process, you have offered to show them how you create an image using FTK Imager. Media investigations of digital storage devices can include audio files, pictures, videos, words, portions of files, graphic files, and information about a file. Graphics files can be a rich source of forensic evidence.

Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and text file (DFC620_Lab1_Name.ad1) that document your imaging process with information such as hash values.  
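The hash values recorded during imaging are what later prove the evidence has not changed. The following is an added example, not part of the assignment and not FTK Imager's own code: it builds an MD5 and SHA-1 manifest of a directory (the two digests FTK Imager writes to its image summary) and re-verifies the directory against it. The directory and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests, reading in chunks so large files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its digests, at acquisition time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Re-hash root and report every difference from the acquisition manifest."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": []}
    for name, digests in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != digests:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed evidence folder: verify it clean, then after three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "My Pictures"
        (evidence / "vacation").mkdir(parents=True)
        (evidence / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed sample 1")
        (evidence / "vacation" / "b.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed sample 2")
        manifest = build_manifest(evidence)
        clean = verify(evidence, manifest)
        (evidence / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed sample 1!")  # one byte added
        (evidence / "vacation" / "b.jpg").unlink()                                   # file removed
        (evidence / "c.jpg").write_bytes(b"planted")                                 # file introduced
        return clean, verify(evidence, manifest)


if __name__ == "__main__":
    print(demo())
```

A report with three empty lists means the working copy still matches what was acquired; any entry is a discrepancy to explain in the examiner's notes.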

Step 2: Process an Image From the Suspect Mantooth’s Computer

In the previous step, you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis, so you decide to go to the virtual lab and use EnCase to access user account information for the image from a computer owned by a suspect named Mantooth. Detectives don’t yet have the suspect’s first name and are seeking more information.

Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering. 

Step 3: Process an Image From the Suspect Washer’s Computer

The Mantooth image has provided a lot of new information, but the detectives want more. EnCase is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer.

Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.