Scenario

A crime has taken place using a computer. A team of police has seized the computer and
other evidence from the crime scene. It is assumed that the suspect has used the computer to
do a crime.

The police team is not experienced and expert in the digital crime, therefore they require
digital forensic expert to analyze and produce a report. You examined the computer and
found that there is hard drive and produced a forensic image.

Major Tasks

Your assignment consists of performing a digital forensic investigation on the image that you
have collected as evidence. You must do so by applying the concepts that you have learned
from the lectures, reading assignments and lab assignments from the course. Also, they
expect to get some specific answers to the activities of the suspect. Overall this is the main
deliverable for this assignment.

Collection

1. Image file ACE Image.ad1

2. Thumbhashes.csv file.

Please make sure that you set the option in the FTK analyzer software for the case as
mentioned in the file Processing Options.

Very Important note:

Make sure that you capture screen for all the answer you find
during your investigations.

Analysis:

1. How many total files in the image?

2. Find all the user ID of the usernames in the image
3. Language identification of the file Daniel Ocean bio.doc
4. Which website has featured an outdoor product as Hummingbird Helix 12 Sonar.
5. Why did FTK determine the file “Getting Started with OneDrive.pdf has a bad
extension?
6. How many duplicate files are identified in the image?
7. What is the actual file type for the file “Belagio Map”
8. Use the provided Hash list, "Thumb Hashes.csv" to create a custom KFF group. What
is the filename which matches the MD5 of 297c9063001f74281faf9dc0f7aabc94?
9. What is the volume serial number of the hard drive in the image?
10. Run a pattern search using the default US phone number regular expression, what is
the phone number hit in the file “visit_0000244.htm” ? or file
“visit_id_0000244.html”
11. What is the subject line of the email with an attachment file “This is your guy.docx.
12. How many values are found for the word snipping tool in the Daniel’s NTUSER.dat
registry file?
13. What is the text content of the 9th thumbnail created form the video file
Casinodemo.mp4
14. Who conducted the user time change on the system?
15. What newspaper website is the subject of a web browser bookmark
16. Which British news source is within the Typed URL’s for Daniel’s user
17. What picture was taken at the corner of East Tropicana Avenue and South Las Vegas
Blvd
18. What is the email address of the Daniel’s parole officer?
19. How many file are labeled as Alternate Data Streams?
20. What is the domain name of the Johnny Rottencore email?
21. What software was used to edit the picture f_000631?
22. Which police department patch is depicted in the file Root\Users\Daniel
Ocean\AppData\Local\Packages1windowsie_ac_00
23. How many files in the case have extension .hlp?
24. Who deleted the file "My Art.bmp."
25. What is the computer name in the image?
26. What date the file “Daniel Ocean Bio.doc is last saved?
27. Run OCR analysis on only the graphic files in the directory L'sersiDaniel
Ocean/OneDrive/Documents. In the extracted OCR text view of the file "c scan.jpg,"
how much mayannise is required for the recipe?
28. What is the name of the person who created the AD1 image?
29. Using the Prefetch file for the executable, Windirstat.exe; . What was the last date and
time it was run?
30. Of the identified encrypted files, how many of them are "actual files?"