C840 Task 2 v1 - Task 2 PDF

Title C840 Task 2 v1 - Task 2
Author BRIAN DOWNS
Course Digital Forensics in Cybersecurity
Institution Western Governors University
Pages 20

Summary

Task 2...


Description

Running head: FORENSICS RECOVERY PROCEDURES 1

C840 Task 2: Forensics Recovery Procedures Brian Downs Western Governors University

A1: Steps Used to Create a Forensic Case File

Once I was logged into the virtual machine, I opened the Electronic Evidence Examiner (E3) application and started a new case by clicking on Case, Create New Case.

After clicking Next, on the Case Properties tab I labeled the new case with the Case Name of Brian Downs Task 2.

On the Additional Information tab, I entered Brian Downs in the Investigator name field.

Once I completed creating the new case, I added the new evidence into the case. In the Add New Evidence window, I selected the Category Image File and Source Type Auto-Detect Image.

The image file named JSmith 1GB is the image file I used.

I clicked OK to select the JSmith 1GB file.

On the NTFS Settings pop-up box, I chose:

Search deleted files and folders

Recover folders structure for bad images

Add the Unallocated Space folder to the NTFS root

After clicking OK, the Content Analysis Wizard opens and Sort data is checked. I clicked Next to move to the next screen.

On the Data Analyzing Options screen, I selected all options in the Recursive data analysis section and clicked Next.

In the Advanced Options screen, all options are chosen in the Skip archive data and Skip OLE storage data sections.

The Image Analyzer Options is the last screen and is left blank. I clicked Finish to move on.

In the Tasks section, the Content Analysis task is running.

Once the task finishes, the Task Status Notification screen appears.

When looking at the Sorted Files tab, I saw the evidence that was found in the Content Analysis search phase.

A2: Steps Used to Identify Potential Evidence

The next screen shows 127 files found in the Documents folder and 11 found in the Graphics folder that could be relevant to the Oil Company.

I ran Keyword Search for the word Proprietary to search for company files that may have been taken by John Smith.

The search came up with 2 files that included the words Proprietary or Confidential.

The 2 files, Fracking Water Pollution Solution - Company Proprietary (1).pdf and Jagged Peak Energy - Confidential.pdf, show the contents of the Proprietary and Confidential files discovered in the evidence search.

Several files were found during evidence discovery that might appeal to the Oil Company:

PAYDAY.PDF

NEXT CAR.PDF

STRAIT LINE.PDF

A3: Summary of Findings and Conclusions

During my investigation, I found 2 PDF files that revealed confidential or proprietary information. At the top of the Jagged Peak Energy – Confidential.pdf, it indicated the information is confidential to the company. On the Fracking Water Pollution Solution – Company Proprietary (1).pdf, the file name contained the word “proprietary”, indicating the information should remain inside the Oil Company. John Smith should not have access to these documents. However, the files were found on his machine. While John Smith is a research engineer, many of the files found contained technical documentation and instructions on how to set up servers, WordPress, databases, Apache, etc. A research engineer should not have access to these types of documents.

He also had interesting pictures on his machine. Payday.jpg is a picture of a duffel bag filled with cash; Next car.jpg is a picture of a white Bentley; Strait lane.pdf contained a house listing on the market for $2.6 million. I believe John Smith gained access to proprietary information for the Oil Company and had plans to use the information for financial gain. He planned on purchasing a luxurious house and car. It appeared that he planned to set up a website as a platform to sell the information....

