
The questions you need to answer

Describe in detail the chain of custody process for the computer and USB memory.
Calculate the MD5 and SHA1 hashes of the acquired forensic images.
Dedicate a section of the report to analyzing the security policy. Can the company analyze the
employee's computer? And their email? And the USB stick?

Regarding the hard drive

How many partitions does the device have?


Indicate for each partition: file system, initial sector, total number of sectors and size.
Which is the bootable partition?
Indicate in detail the information about the installed operating system (name, version,
installation date, etc.)
What time zone did the system have configured?
Which users are logged into the computer? Who was the last user to log on to the
computer, and what were the date and time of that last login?
What Internet browsers did the computer have installed?
What searches (relevant to the requested expert examination) has the user carried out through these
browsers (indicating date and time)?
What web pages (relevant to the requested expert examination) has the user accessed (indicating date
and time)?
What email software was installed on the computer?
What email accounts did the user have set up?
Recover the sent and received emails of interest.
Also recover any deleted emails.
Detail and justify the technical analysis you have carried out and how you ensure respect for
the fundamental rights of the people involved.
What searches has the user performed in the operating system's file explorer?
What are the last ten office files that were opened?
Has any cloud file hosting service been used? Can you identify the user account used for that
service?
Has the user tried to hide his actions using anti-forensic techniques? What techniques or
tools has he used?
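
The partition questions above (number of partitions, file system, initial sector, sector count, size, bootable partition) can be answered directly from sector 0 when the disk uses an MBR partition table. The following is an added example, not part of the original assignment; it assumes MBR partitioning and 512-byte sectors, and `parse_mbr`, `build_sample_mbr` and the sample layout are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

# Partial map of MBR partition type bytes. The type byte is only a hint;
# confirm the file system from the partition's own boot sector.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0x05: "Extended", 0x0F: "Extended (LBA)",
              0xEE: "GPT protective"}

def parse_mbr(sector0: bytes) -> list:
    """Parse the four primary entries of an MBR partition table."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_sector": start,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts

def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable 100 MiB partition plus a data partition."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x07, 206848, 41734144)
    table += bytes(32)  # two empty slots
    return bytes(446) + table + b"\x55\xaa"

if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```

For a raw (dd) image, pass the first 512 bytes of the file, opened read-only. A `0xEE` entry means the disk uses GPT and the real table must be read from the GPT header instead.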

Regarding the pendrive

The company asks the expert for a list of the files contained in the USB memory and a
description of their content. Note: this USB stick comes from another forensic scene and
contains deleted information; this information should not be recovered.

Information sources
The following pieces of digital information are provided to the student:

A forensic image of the worker's computer hard drive.


The forensic image of the pendrive, containing information that is, a priori, personal.
The extract of the organization's security policy.

Extract from the company's security policy

«Section 3. Treatment of confidential information

Confidential electronic files should be stored and maintained on authorized external storage
devices and on secure network drives.
Paper documents and confidential electronic files can only be consulted within the
permitted hours of 10:00 a.m. to 4:00 p.m., with the corresponding permissions.
Unauthorized electronic devices, such as laptops, portable storage devices, and smart
devices, cannot be brought into the company.
All employees must go through the security control system.
All storage devices like HDD, SSD, USB sticks, and CD / DVD are prohibited under the security
control rules.
Personal use of corporate computer equipment is prohibited.
The worker is advised that the company can analyze corporate computer systems with
justified cause and that he should not have any expectation of privacy when using them.
