
BUILDING AN INVESTIGATION FINAL PRACTICAL EXERCISE

You have been asked to return to the processed Cavin case to address additional requests by the
assigned examiner on this case.
1. An additional piece of evidence has been recovered from the residence. A previous
investigator was unable to retrieve any information from the external device. Drag and
drop the evidence file, Cavin External USB HDD.Ex01, and investigate further.
a. The case agent needs to know if any other primary acquisitions were being
conducted by Cavin aside from the OWAT code. Include any names or code names.

2. What searches did Cavin conduct using the Internet Explorer browser and the search
engine Yahoo?
NOTE: The syntax within Yahoo searches includes

3. Bookmark any yahoo searches found.

View the PST mail store titled


4. Locate email that contains purchase order information for the OWAT software.
a. What is the purchase price?
b. How is payment to be made?

5. Bookmark any emails as well as attachments.

Copyright © 2020 OpenText


488 Building an Investigation with EnCase

6. You have been informed that there is a TrueCrypt container file in the following path:
C:\Users\Cliff.Cavin\Downloads\For SM\ and that it is believed that the installer for
the TrueCrypt application may have been downloaded and saved on the computer.
You were additionally told that Cliff told an informant that the password was
a. Locate the TrueCrypt installer and container file and access the content of the
encrypted container. List the files contained:
_____________________________________________________________________________
_____________________________________________________________________________

7. Having mounted the encrypted container, bring the content into the EnCase interface
(Single Files) and create a logical evidence file of that data.

8. Identify any printed files (Windows\System32\Spool\Printers) that relate to the OWAT
software or fund transfers to the offshore bank.
a. Determine the printer driver involved in the print job.
_________________________________________________________________________
b. Through what application was the print job generated?
_________________________________________________________________________
c. What user account was responsible for the print job?
_________________________________________________________________________

9. Locate the SAM registry hive. How many local user accounts are defined?
_____________________________________________________________________________

10. What profile names are associated with those accounts?
_____________________________________________________________________________




11. Locate the file titled There are two copies of this file; ignore the copy
within user profile.
a. Where is this file located?
__________________________________________________________________________
b. Where was it located prior to its current location?
__________________________________________________________________________
c. Who is the of this file, by name? ____________________________________
d. Where was the answer to question c above located?
__________________________________________________________________________
e. Is there a shortcut for a file titled If so, what are the internal
dates/times of the target file that are maintained within the shortcut?
__________________________________________________________________________
f. Does this shortcut point to the same file as the one you located earlier?
__________________________________________________________________________
g. Does any other data exist to indicate that Cavin accessed the file titled
__________________________________________________________________________
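Question 11e depends on a property of Windows shortcut files: the .lnk header stores the target file's creation, access and write times (FILETIME values, UTC) separately from the shortcut's own filesystem timestamps, so they survive the target being moved or deleted. As an added illustration that is not part of the exercise or of EnCase, the parser below reads those header fields; the sample header it parses is constructed in code and is not case data.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# ShellLinkHeader layout (MS-SHLLINK): the three FILETIMEs describe the TARGET, not the .lnk.
LNK_HEADER_SIZE = 0x4C                                          # always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer conversion (avoids float rounding over 400+ years of microseconds)."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def parse_lnk_target_times(data: bytes) -> dict:
    """Extract the target's creation/access/write times and size from a .lnk header."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link (HeaderSize/CLSID mismatch)")
    # Fixed offsets: LinkFlags@20, FileAttributes@24, CreationTime@28,
    # AccessTime@36, WriteTime@44, FileSize@52.
    created, accessed, written, size = struct.unpack_from("<QQQI", data, 28)
    return {"created": filetime_to_datetime(created),
            "accessed": filetime_to_datetime(accessed),
            "written": filetime_to_datetime(written),
            "size": size}

def build_sample_header(created: datetime, accessed: datetime, written: datetime, size: int) -> bytes:
    """Constructed header for demonstration only (not evidence from the Cavin case)."""
    buf = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I16s", buf, 0, LNK_HEADER_SIZE, LNK_CLSID)
    struct.pack_into("<QQQI", buf, 28, datetime_to_filetime(created),
                     datetime_to_filetime(accessed), datetime_to_filetime(written), size)
    return bytes(buf)

def parse_constructed_sample() -> dict:
    """Round-trip a constructed header through the parser (sample values, not case data)."""
    sample = build_sample_header(datetime(2020, 3, 15, 9, 30, tzinfo=timezone.utc),
                                 datetime(2020, 3, 16, 11, 0, tzinfo=timezone.utc),
                                 datetime(2020, 3, 15, 10, 45, tzinfo=timezone.utc), 2048)
    return parse_lnk_target_times(sample)

if __name__ == "__main__":
    for field, value in parse_constructed_sample().items():
        print(f"{field}: {value}")
```

Comparing these embedded times against the located file's own MFT timestamps is the check behind question 11f: a match supports the shortcut pointing at the same file, a mismatch suggests a different or replaced target.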

There is a second TrueCrypt container that requires a different password. Locate the second
container file and the password and access the content of the encrypted container.

HINTS:
1. The container has a similar naming scheme as the prior TC container file.

2. Cavin used as the password for the prior TC container. He likely uses a similar
pattern for the password you are seeking.

3. An anonymous source said that they thought Cliff likely received an email with the
password at some time.


