Question:
Background
You’re a System Administrator at Company Y. It was reported to you that an employee, Ross, was seen viewing prohibited material on their work laptop (Windows OS) during working hours. When Ross was confronted by a colleague, he reportedly deleted the image and denied any wrongdoing. It was also reported to you that the image may not only have broken company policy but may be illegal as well. Based on the report, you recognise that you need to conduct a digital investigation of Ross’ computer that is robust enough to withstand legal scrutiny.
Task
The following should be addressed:
- Before and after the acquisition of a forensic image, hashes are taken. Do you agree with this practice? Explain.
- What are some major differences between Digital Forensic (DF) tools and ‘ordinary’ recovery software?
- Explain why it might be possible for a DF tool to recover deleted files.
- Choose one open-source DF Tool capable of recovering deleted files from Ross’ computer. Justify the selection of this tool.
- Give a brief overview (either via screenshots or a live demonstration) of how the tool is used.