Final Practical Exam
CFR101 Final Practical Exam
Lorenze Salas
12/3/20
DATE: 12/03/2020
CASE: FGF-20201203-01
AGENCY: University of Advancing Technology
EVIDENCE: able2.dd
EXAMINER: Lorenze Salas
BACKGROUND
In accordance with the CFR101 Final Practical Exam, I downloaded the image from Project Able in
order to provide a detailed report using the FTK Imager and Autopsy applications. Jonathan
Zdziarski stated that “In forensics, we often misplace our trust in tools that, unlike tried and true
scientific methods, are usually closed source. While true scientific process relies on making our
CASE SUMMARY
Applicable Facts:
1. FTK Imager, a forensic imaging tool, can “Generate hash reports for regular files and disk
images to use as a benchmark to prove the integrity of your case evidence” (“FTK Imager”).
2. Autopsy, similar to FTK Imager and other digital forensic tools, is an “efficient tool for
hard drive investigation with features like multi-user cases, timeline analysis, registry
analysis, keyword search, email analysis, media playback, EXIF analysis, malicious file
EVIDENCE
Provide a description of the SD card, including make, model, and serial number (you can make
➢ Model: 100006053
➢ Serial Number: R064GS0SUG1953X
HASH VERIFICATION
MD5   02b2d6fc742895fa4af9fa566240b880           02b2d6fc742895fa4af9fa566240b880
SHA1  2d0af55e931f4ab2135606e941ccc74785e4926d   2d0af55e931f4ab2135606e941ccc74785e4926d
NARRATIVE
On December 3, 2020, I extracted able2.tar.gz on my PC and placed the file in the CFR101
folder. Then I opened AccessData FTK Imager 4.3.1.1 to begin the analysis.
In FTK Imager, I clicked “Add Evidence Item”, then “Image File”, selected able2.dd as the
evidence and clicked Finish. It then showed me the able2.dd file along with the 4 partitions and
the unpartitioned space.
When describing the media architecture, such as the total number of sectors, both allocated and
unallocated, I looked at the “Properties” section under the “Evidence Tree” in FTK Imager,
which shows the sector count. To locate both allocated and unallocated files, I opened each of
the partitions and looked at the file list; it indicated that there is unallocated space in the able2.dd
file. Unallocated space is defined as “where deleted documents, file system information, and other
electronic artifacts reside on the hard drive, which is often able to be recovered and analyzed
through a forensic investigation. Unlike allocated space on the hard drive, the electronic
evidence in unallocated space may be overwritten (and thus lost completely) with new data as
swap] on each one of the partitions. The file system would be a Linux
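The partition and sector accounting described above (sector count, the four partitions, the unpartitioned space, and which partition is swap) can be reproduced outside FTK Imager by reading the MBR of a raw dd image. The following Python script is an added example, not part of this report or of FTK Imager; it assumes an MBR-partitioned image with 512-byte sectors (GPT is not handled) and standard partition type IDs, and its demo layout is constructed rather than able2.dd's real one.

```python
import os
import struct
SECTOR_SIZE = 512
# Common MBR partition type IDs (assumption: standard values; unknown types print as hex).
PART_TYPES = {0x82: "Linux swap", 0x83: "Linux", 0x05: "Extended", 0x0f: "Extended (LBA)"}

def parse_mbr(sector0):
    """Return the non-empty primary partition entries found in the first 512-byte sector."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR-partitioned image")
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) start LBA(4) sector count(4)
        _status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts

def overlapping(parts):
    """Index pairs of neighbouring partitions (by start LBA) whose sector ranges overlap."""
    ordered = sorted(parts, key=lambda p: p["start"])
    return [(a["index"], b["index"]) for a, b in zip(ordered, ordered[1:]) if b["start"] <= a["end"]]

def sector_accounting(sector0, total_sectors):
    """Split the image's sectors into partitioned (allocated) and unpartitioned space."""
    parts = parse_mbr(sector0)
    allocated = sum(p["sectors"] for p in parts)
    return {"partitions": parts, "allocated": allocated,
            "unpartitioned": total_sectors - allocated, "overlaps": overlapping(parts)}

def image_accounting(path):
    """Run the accounting on a raw dd image such as able2.dd; file size gives total sectors."""
    with open(path, "rb") as f:
        sector0 = f.read(SECTOR_SIZE)
    return sector_accounting(sector0, os.path.getsize(path) // SECTOR_SIZE)

def build_mbr(entries):
    """Constructed test data: build an MBR from (type, start_lba, sector_count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # Constructed 80000-sector layout (not able2.dd's real one): three Linux partitions plus swap.
    demo = build_mbr([(0x83, 63, 10000), (0x83, 10063, 20000), (0x82, 30063, 5000), (0x83, 35063, 40000)])
    print(sector_accounting(demo, 80000))
```

An overlap between partitions, or an unpartitioned count that does not match what the imaging tool reports, is a sign the partition table has been altered or the image truncated, and should be noted in the report.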
When describing the various directories on the media, each partition (hard drive) has its own
number of megabytes depending on how small or large it is. Partition 3 doesn’t give enough
1 has a small amount of storage and a couple of files stored. For Partition 2 and 4, they have
To identify significant files, I found an image in the lolit_pics.tar file under the partition 2
GID 1,000
Name lolitaz2
UID 1,000
it shows that it was created in a specific folder at 11:37 PM on August 3, 2003. In the Hex
Value Interpreter, when I highlight the hexadecimal bytes, it gives me specific value types and
spotlights the word “lolitazl”. Jamie McQuaid points out, “If all your tools and scripts fail or
don’t support a given artifact, you can always fall back to a hex viewer to dig into an artifact to
To get the SHA-1 and MD5 hash values, I right-clicked able2.dd and chose “Verify Drive/Image”.
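The Verify Drive/Image step, and the later cross-check against Autopsy's Data Source Integrity results, both amount to recomputing the digests over the whole image and comparing them with the recorded values. The following Python script is an added example (not the report's or either tool's code); it streams the image in chunks, computes MD5 and SHA-1 in a single pass, and compares them against the values from the HASH VERIFICATION table above.

```python
import hashlib
import hmac
import io

# Hash values recorded in this report's HASH VERIFICATION table for able2.dd.
RECORDED = {
    "md5": "02b2d6fc742895fa4af9fa566240b880",
    "sha1": "2d0af55e931f4ab2135606e941ccc74785e4926d",
}

def hash_stream(stream, chunk_size=1024 * 1024):
    """Read the image once, feeding every chunk to MD5 and SHA-1 at the same time."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_stream(stream, recorded):
    """Return (computed digests, per-algorithm match flags, overall verdict)."""
    computed = hash_stream(stream)
    matches = {algo: hmac.compare_digest(computed[algo], value.strip().lower())
               for algo, value in recorded.items()}
    return computed, matches, all(matches.values())

def verify_bytes(data, recorded):
    """Same check on an in-memory image (useful for tests and small samples)."""
    return verify_stream(io.BytesIO(data), recorded)

def verify_file(path, recorded=RECORDED):
    """Verify an image on disk against the recorded digests, e.g. verify_file("able2.dd")."""
    with open(path, "rb") as f:
        return verify_stream(f, recorded)

if __name__ == "__main__":
    import sys
    computed, matches, ok = verify_file(sys.argv[1] if len(sys.argv) > 1 else "able2.dd")
    for algo, digest in computed.items():
        print(f"{algo.upper():<5} {digest}  {'MATCH' if matches[algo] else 'MISMATCH'}")
    print("Verify result:", "Match" if ok else "Mismatch")
```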
Next, I opened Autopsy 4.15.0 as my secondary application to perform other analyses. In the
Autopsy application, I filled out the case information under the “New Case” option and saved it on
In the data source section, I clicked the “Disk Image or VM File” option and added “able2.dd” as
my data source. I checked all the boxes except the last 4 in the ingest modules. Then I
Once the data source and ingest modules finished, I got the complete results.
In the Results feature, it gives me the extracted content, e-mail messages, and accounts data. The
operating system is confirmed as Linux, which was mentioned earlier. In the e-mail messages
section, I found 7 messages in the source file, which is suspicious. Additionally, it gave me the
In the Views feature, there are two different categories: file types and deleted files. When expanding
File Types, it gave me many file types, including images, audio, archives, and
databases. Under Deleted Files, it lists files that were deleted, dating from 1996 to 2003.
In the ingest modules, under Data Source Integrity, it calculated MD5 and SHA-1 hash values,
which match the FTK Imager hash verification. In the browser results, it found Microsoft Edge as
the only web browser. Lastly, a couple of errors were encountered, since there are a couple of
deleted files.
CONCLUSION
In conclusion, FTK Imager and Autopsy are both
behavioral activities on the file. After investigating, the outcome from the “able2.dd” file shows
that it can gather and recover evidence from a device. Based on the operating system,
partitions, e-mail recoveries, images, file types, and additional information that has been
RESOURCES
Hex & Text Viewer. (2019, March 19). Retrieved December 06, 2020, from https://www.magnetforensics.com/blog/hex-text-viewer/
One, T. (2020, February 29). Autopsy Tutorial for Digital Forensics. Retrieved December 06, 2020, from https://medium.com/@tusharcool118/autopsy-tutorial-for-digital-forensics-707ea5d5994d
What Is Unallocated Space and Why Does It Matter? (2018, April 25). Retrieved December 06, 2020, from https://insights.bit-x-bit.com/computerforensics/what-is-unallocated-space-and-why-does-it-matter/
Zdziarski, J. (2014, March 28). The Importance of Forensic Tools Validation. Retrieved December 06, 2020, from https://www.zdziarski.com/blog/?p=3112