Practical Final Report:

The image in question was taken off of the suspects physical media for
analysis. To do the analysis I set the image to be analyzed using the forensic tool,
Autopsy version 4.0.0. The information that I found was enormous in quantity and
explains quite a bit about the suspects actions in taking physical media away from
the work place.
The image in question is of the NTFS/exFAT file system meaning that the
image was most likely taken off a windows based computer. The image consists of 4
volumes.

The total of deleted files comes to 7459.

There were several search terms found on the image. About 37 to be exact. They
mostly have to do with cases and methods involving information leakage. Also,
there are recently used files that indicate that the suspect in question was intending
to use company information against the company due to a proposal document that
was found implicating the suspect and another informant.

A few devices have been plugged into the computer in question as well. Such
devices include a few usb drives, a computer mouse, and a root hub.

In the list of bookmarked sites, there is indication of foul play as 2 bookmarked sites
lead to a place called the web slice gallery. This can only mean that the suspect was
learning how to drain information and hide it until it can be used.

The continued analysis puts the image of this computer in the mountain time zone.

I can tell by this information alone that for some reason, the suspect in question had
intended to extract company files and intended to take them with him upon leaving
the company.