Your Perfect Assignment is Just a Click Away

We Write Custom Academic Papers

100% Original, Plagiarism Free, Customized to your instructions!

How It Works
Order Now
glass
pen
clip
papers
heaphones

What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?

Computer Science

Computer Science

What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?

 What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?

Advanced Computer Forensics

Windows EnCase Forensics Lab
Exercise 1: Starting a New Case
Question 1: What is the file system of this raw Image?

(Hint: 1. Check “report” from the bottom pane OR

2. choose “Disk View…” from the top drop-down disk manual, image1.png

then click the first sector (in red), the volume boot, image2.png

and read the text in the bottom pane.)

FAT 12

Question 2: What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?

EB

Question 3: What type of files can be added using EnCase’s “Add Evidence Files”

Legacy evidence files , current evidence files , safeback files , vmware files , logical files , current logical , virtual files

Exercise 2: Using Encase

Set the Time Zone
Question 4: Where does the Time Zone information reside in a Windows system? (Hint: See EnCase 7 User guide, page 122 or watch Processing Evidence Part 1 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx).

It stored in registry in the path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation key

Question 5: How do you modify Time Zone Settings, show a screen shot below.

image3.jpg

Now that you have the evidence added and the time zone set, you can analyze the evidence.
Timeline View
Question 6: Why is Timeline View useful for your investigation?

Help us to get a better information which help us in the investigation .

Gallery View
Question 7: In the Raw Image, how many pictures are shown in Gallery View?

Three images

Question 8: Read the EnCase manual to find out how Recover-Folders recover deleted folders for FAT and NTFS file systems respectively?

FAT : searches through the unallocated clusters of a specific FAT partition for the “dot, double-dot” signature of a deleted folder; when the signature matches, EnCase can rebuild the files and folders that were within that deleted folder.

NTFS: EnCase can recover NTFS files and folders from Unallocated Clusters and continue to parse through the current Master File Table (MFT) records for files without parent folders. This is particularly useful when a drive has been reformatted or the MFT is corrupted. Lost files that are recovered are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition. To recover folders on an NTFS partition, right-click on the volume and select Recover Folders

Question 9: What information is listed for each file type?

File name , file extension , header signature and unique tag .

Question 10: What can an investigator do if the header of a file is unknown in your current setting of the EnCase?

Changing the settings of encase or try to open the file with any software

Question 11: What different terms you see in the Signature Analysis column?

Alias , unknown , match and bad signature

Question 12: Do you find any signature mismatch? List them.

No

Question 13: Are there any graphics files on the WinLabRaw image whose file extensions have been changed? List them.

Yes there are

(3) file3.xls

(4) files.csv

(5) tt-logo.gif

(7)file6.

(8) file7.zip

Question 14: If a file’s extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? If not, what could you do to fix this?

It won’t display but we need to signature analysis regarding to type .

Question 15: What are the types of files that will not have a hash generated?

The deleted files

Question 16: What are the three most common uses for hashes analysis?

secure files , very helpful in investigation , we can compare the hashes to know if we have the right file .

Compound Files
Question 17: Did anything happen? Do you find any important information? If so, what kind of information you got?

The files expanded and we can see all the folders and the files inside each folder

Question 18: What interesting information do you see from emails?

I can find different folders like deleted items , inbox , sent item and folders

Question 19: Read EnCase Forenscis V7 User Guide (page 208), briefly describe what are these features.

These features are very helpful in investigation with this features we can focus on a specific subject which we want and help us in email investigation

Question 20: Under the Records view, you should also see Thumbnails under WinLabRaw Image, what are thumbnails? List three of them.

Thumbnails are the files which we flagged and we interesting to focus on it in the investigation

Question 21: What kind of information do you see in the record for Internet?

We can find information regarding to internet browser like cookies history and bookmark

Question 22: How does “search unallocated space for internet artifacts” affect your search results in the record?

This search will look for all files that have relation with the internet on the entire hard disk even in the unallocated space

Question 23: What are the results? List 2 files that contain the term “search” in their contents.

The results are all the files which have the word search in their titles and contents

Search[1]

Search contractors

Questions 24: What are the other search options besides “Search entry slack”?

Skip contents for known files , undelete entries before searching and use initialized size

Question 25: What do you see from Search Hits? List two files from the search hits.

Search hits are more or same number as items for computer keyword , I found three hits

Raytheon.htm

Order Solution Now

Our Service Charter

1. Professional & Expert Writers: Writers Hero only hires the best. Our writers are specially selected and recruited, after which they undergo further training to perfect their skills for specialization purposes. Moreover, our writers are holders of masters and Ph.D. degrees. They have impressive academic records, besides being native English speakers.

2. Top Quality Papers: Our customers are always guaranteed papers that exceed their expectations. All our writers have +5 years of experience. This implies that all papers are written by individuals who are experts in their fields. In addition, the quality team reviews all the papers before sending them to the customers.

3. Plagiarism-Free Papers: All papers provided by Writers Hero are written from scratch. Appropriate referencing and citation of key information are followed. Plagiarism checkers are used by the Quality assurance team and our editors just to double-check that there are no instances of plagiarism.

4. Timely Delivery: Time wasted is equivalent to a failed dedication and commitment. Writers Hero is known for timely delivery of any pending customer orders. Customers are well informed of the progress of their papers to ensure they keep track of what the writer is providing before the final draft is sent for grading.

5. Affordable Prices: Our prices are fairly structured to fit all groups. Any customer willing to place their assignments with us can do so at very affordable prices. In addition, our customers enjoy regular discounts and bonuses.

6. 24/7 Customer Support: At Writers Hero, we have put in place a team of experts who answer all customer inquiries promptly. The best part is the ever-availability of the team. Customers can make inquiries anytime.

Menu
Free resources
 
Dissertation help
 
Email
support@writeship.com
Writershero.org ©2023 All rights reserved. Terms of use | Privacy Policy