Individual Report: 1) Check the Hash file to confirm the integrity of the image: A71C5192895F3A009596E4E3002BE636 To investigate the case:

1) Using WinHex student can interpret the image file as a disk or using ftk imager student can view all the information in the image.

2) Try to identify if any of the files were renamed/modified a) ?am2.jpg file signature indicates that it was a document file

b) Try to recover this file and unable to open it c) Family.jpg file can be viewed and it is just a picture d) Info.doc the file signature indicates it is a wma file rather than a .doc file. Hence file has been modified

30 26 B2 75 8E 66 CF 11 0&u.f. A6 D9 00 AA 00 62 CE 6C ..bl

e) Recover the copy of this and rename it to wma. It is a password information to an excel sheet f) PrototypeModXT4.pdf file was deleted. Recovering it indicates that it is a file information of the prototype of a product g) Sam.jpg file was modified from docx to jpg from the file signature indication

50 4B 03 04 14 00 06 00 PK......

h) Recover the file will indicate a document indication that Sam was sharing the prototype information i) Sam2.docx file was deleted. Recovering the copy indicates Sam giving instruction as to how to access excel sheet. j) SUMFC_prototype.jpg file was also deleted. From FTK imager can indicates a picture of a prototype k) From the document Sam2.docx we know there is a user.xslx file. The user.doc file hence has been renamed. Attempt to recover and open the user.doc failed. However after renaming the file to xslx able to open. Prompted for a password, used the information provided in the audio file that was recovered info.wma; able to open the file which has login information .