Unit 7: Windows Forensics Analysis 7.3 Activity and Discussion Activity: Case Study

ACTIVITY: CASE STUDY

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE AND DOWNLOADS

In this activity, we will use the GUI-based open-source forensic analysis tool, Autopsy, to analyze a Windows image.  You may have downloaded and installed Windows Autopsy for Unit 4 activities.

• Autopsy download
• Autopsy User Guide

Download and unzip the image, WinLabEnCase.E01 and validate both md5 and sha1hash values.

• WinLabEnCase.E01 download (zip file)
  • MD5 = dcd36624bdacf017bf8f913ea1340e8f
  • SHA1 468b3a258133639cfa5dc06afba8887803074b87

CASE SCENARIO

ACME Industry develops custom software for the aviation industry. Its main competitors are companies like Raytheon and Boeing, as well as a few smaller contractors.

Pat Smith has worked for ACME Industry for five years. Pat’s supervisor has noted that after being passed over several times for a promotion, Pat has become quite disgruntled. The company fears that Pat may be offering proprietary company information to a competitor in exchange for a job.

An EnCase image of Pat’s computer’s hard drive has been generated. Your job is to examine the image and extract all pertinent information to support or disprove the statement of Pat may be offering proprietary company information to a competitor in exchange for a job.

INSTRUCTIONS

1. Launch Autopsy from the Toolbox folder on the desktop and follow the instruction below to create a case and add the given image into the case.
2. Select > Create New Case
3. Name the case as “ACME Case”.
4. Use the default Base Directory (Desktop) to store the case data in DesktopACME Case.
5. Enter the Case Number as “1” and enter your name as “Examiner.”
6. Click Finish. You will see the "Add Data Source" window.
7. Select data source type: choose Disk Image or VM File; browse and select the path to "WinLabEnCase.E01".
8. In our case, the computer image’s time zone is North American Eastern Time Zone. Select the time zone accordingly and click Next.
9. In the Ingest (processing) modules window, leave all modules checked; click Next and then click Finish.
10. Examine the files in Data Sources > WinLabEnCase.E01 and categorized data under Views and Results to identify pertinent evidence.
11. Explore the image contents to answer the Check Your Work questions.

Note: Once you have created the case, you can reopen it at any time in Autopsy using "Open Existing Case," and choosing DesktopFinancial CaseACME Case.aut.

If you are interested, you can also try other Autopsy features and examine other artifacts that are not covered in “Check Your Work”.

You can also try other features that Autopsy supports such as:

• View Images/Videos
• Timeline
• Tag and bookmark for reporting
• Generate Report.

You can examine many other artifacts for this exercise. For example:

• Documents and SettingspsmithLocal SettingsHistoryHistory.IE5index.dat
• Recycled
• Documents and Settingspsmithntuser.dat
• WINDOWSsystem32spoolPRINTERS.

Enjoy the fun of forensic investigation!