Instructions Data Acquisition and Analysis – Lab Assignment #1 (Data Acquisition): Each student uses software tools to create a forensic image of a suspect’s hard drive. Using the chain of custody and audit trail, they should create a baseline of what has occurred prior to the device being passed on to the forensic analyst. Students will prepare a complete forensic investigation report.
Lab #1 Instructions
Please see the PDF documents attached for details on Lab #1 directions, questions, grading criteria, and step-by-step illustrations.
Additional Material – Advanced Forensic Handbook
The attached 169-page document describes several advanced techniques first responders can use to further support the incident handling process. Topics include Log File Analysis with SWATCH and Log Parser, Building a Forensic Toolkit, persistent and volatile data collection, and identifying and tracing spoofed email. This is the login information to see all of the instructions and do the lab.

Lab 1 Notes Sheet:

Part I

List Steps taken
Incorporate screen shots and information from your notes into your final report.
4. ______________________________________
Write down the files in the projects folder:
6. Write down the IP address displayed for the Student First VM

7. Take a screen shot of the output from using the $ losetup-1 command

8. Take a screen shot of the results from using $ gnome-disks command

11. Take a screen shot of the results from using $ sudo mount command
Write down the complete path displayer in your Terminal Window

Type: $ mount | grep /dev/loop
Write down your results. What does this give us? Same result?
13. Take screenshot of the files in the downloads directory after using the $ ls command
14. Take a screenshot of your hash value. Does your hash value match the instruction hash value?
Part II
3. Take a screenshot of your hash value after making the forensic copy. Does your hash value match the instruction hash value?
Part III of Exercise II
No screenshot required
Part IV
5. Take a screenshot of the desktop of you lab VM showing the files that were created
6. Record the hash values contained in the text file memecapture.ad1 text file.

Part V
7. Provide screenshots of the results of your commands
8. Provide screenshots of the results of your commands

Report Writing and Grading Instructions
The grade for your digital forensics imaging task report, will be determined by the number and quality of tasks you perform according the project instructions, documentation of screen shots, answers to questions presented within the project, additional announcement instructions provided by your instructor, incorporation of applicable checklists used in the course, the structure and organization of your report format minimally incorporating suggested in report writing examples, templates or outlines provided in the course as follows :

T1 – Imaging Project Report Template
Note: Use I, II, III, IV and VI for your imaging lab report

Cover Page
Title: Digital Forensics Examiners Report
Project No.

I. Introduction – How you received the case, etc.
II.Task Summary
III. File Details
IV.Steps Taken
V. Exhibits- Not Applicable
VI.Chain of Custody –
VII. Opinions – Not Applicable
Attached to your report will be a separate sheet of brief Notes listing the following:
1.list dates and times for your work
2.list your answers to project questions
3.list tasks performed/completed in the project
4.list observations
5.note discoveries
6.document relevant analysis, etc.

Your notes will be used to the summary, steps taken, notable items, analysis, opinions and exhibits referenced in you imaging project report or case report.
Take a screenshot showing the icon disappears after the disk volume is unmounted.

Your Forensic Examiners Report should be written using the following format:


Digital Forensics Examiners Report – Imaging Project Only
I. Introduction
1st paragraph
(State how you got the case and tasks you were requested to perform or examine
a. Who or where you obtained case file information from
b. Describe the purpose of you task or examination (e.g. to image a hard drive for
digital forensics examination; search for evidence of illegal activity, etc.)

II. Examination Summary
1-3 paragraphs
(Brief Summary/Overview of the requested task(s) you completed in and imaging only request; or in a case investigation briefly summarize the most important evidence that you found in relationship to the case investigation)

III. File Details (Important Files Are Highlighted)
* bullet point most important files you worked with in an imaging only task
In Case Investigation
* bullet point most important files you worked with (Note/List top 5 files, or top 10 files, etc. you found that are important to the case)
* label photos or evidence details w/ a short caption
e.g. this photo contains an image of … ;or
e.g. photo ace.jpg contains an image of a wrench

IV. Steps Taken (Explain How Examination Was Conducted)
* A forensic image of the hard disk was made using FTK Imager
* A checksum was performed on the hard disk and an MD 5 hash was
* The hard drive was examined using Linux Commands, Encase 6.0.
* A Forensics Examiners report was completed for the hard disk examination,
to image the drive

V. Exhibits (List Exhibits by File Type Documents, Images, RAR etc.)
Exhibits 1-5 contain recovered text file documents obtained from the hard disk
Exhibits 6-10 contain recovered image files obtained from the hard disk
Exhibit 11 contains email messages obtained from the hard disk

VI. Chain of Custody (Document where & how media obtained & processed)
“The Modern hard disk No. LRDP102839 was received by Fed Ex Shipping No. 67201732 and stored in the locked evidence bin/drawer #6.Chain of custody form was completed.

A forensic image of the original hard disk forensic was made and the original was returned to evidence bin/drawer #1 for safekeeping.
An examination was conducted on the forensic hard disk image working copies.
The original Modern hard disk No. AD42783 was returned to the Daylight Company by FED Ex Shipping No. XYT42071 after completion of the examination.

All files and exhibits and the examination report are contained in “ Daylight Examination Folder” on a CD labeled Daylight Examination Case No. 7632019.

VII. Opinions (State your opinion based upon what you found and why it appears to be important for the client purposes, to the investigation or the task assigned)

It is my opinion that ….
e.g. the recovered photos of broken glass on the showroom floor
is consistent with unauthorized access after normal business hours, or;

is inconsistent with a malware intrusion, or;

is consistent with the user’s placement of the unlicensed software on the
desktop, or:
the bike photos appear to be what the investigator is looking for but
additional follow up may be needed to determine the actual bike
owner’s identity, and whether the type, color and model are consistent
with the description of the missing bike in the theft case .