Question:

Course Project II: Analyzing A Case

Purpose

The course project is aligned with the course learning objectives:

  1. Discuss computer forensics as a field and career.
  2. Collect digital evidence on a variety of computer systems using accepted forensic processes.
  3. Correctly use court-accepted imaging and analysis tools.
  4. Identify the legal challenges to collecting and analyzing digital evidence.

Directions

Case Facts

Virginia Beach Police reported that over 20 weapons were stolen from a Virginia gun store. Federal agents have gotten involved in seeking the culprits who police say stole more than 20 firearms from a Norfolk, Virginia gun shop this week. The U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives is working with Virginia Beach police to locate the weapons, which include handguns and rifles. News outlets report they were stolen from a store called DOA Arms during a Tuesday morning burglary.

Based on the 'Probable Cause of Affidavit,' a search warrant was obtained to search the apartment occupied by Mr. John Doe and Mr. Don Joe in Manassas, Virginia. When the search warrant was executed, it yielded miscellaneous items and a computer. The Special Agent conducting the investigation seized the hard drive from the computer and sent it to the Forensics Lab for imaging.

You are to conduct a forensic examination of the image to determine if any relevant electronic files exist that may help with the case. The examination process must preserve all evidence.

Your Job

  • Forensic analysis of the image
    • The image file, suspect_Image, was provided to you by someone who imaged the suspect drive as you did in the first part of the course project.
    • MD5 Checksum: 10c466c021ce35f0ec05b3edd6ff014f
  • You have to think critically and evaluate the merits of different possibilities by applying your knowledge of what you have learned so far. As you can see, this assignment is about "investigating" a case. There is no right or wrong answer to this investigation. However, to assist you with the investigation, some questions have been created to guide you while you create a complete expert witness report. Remember, you must not only identify the evidence concerning the crime but also tie the image back to the suspects, showing which computer the image came from. Please note: there isn't any disk encryption like BitLocker. You can safely assume that the chain of custody was maintained.
  • There is a Course Project Forum for the project. I enjoy seeing students develop their skills in critical thinking and the expression of their ideas. Feel free to discuss your thoughts without divulging your findings.
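
One way to confirm that a working copy of the image matches the MD5 listed above before any analysis begins, as an added example that is not part of the original assignment. It streams the file read-only and returns a record for the report; the SHA-256, the UTC timestamp, the function names and the command-line path are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# MD5 published with the image in the assignment text above.
EXPECTED_MD5 = "10c466c021ce35f0ec05b3edd6ff014f"


def hash_image(path, chunk_size=1024 * 1024):
    """Stream the image read-only and return (md5, sha256, bytes_read)."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:  # read-only handle; the image is never written
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            total += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), total


def verify_image(path, expected_md5=EXPECTED_MD5):
    """Hash the image once and compare its MD5 with the expected value."""
    expected = expected_md5.strip().lower()  # tolerate upper-case or padded input
    md5, sha256, size = hash_image(path)
    return {
        "image": path,
        "size_bytes": size,
        "md5": md5,
        "sha256": sha256,  # extra digest for the report (assumption of this example)
        "expected_md5": expected,
        "match": hmac.compare_digest(md5, expected),
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    import sys

    # Usage (path is whatever the downloaded image is called locally):
    #   python verify_image.py suspect_Image
    record = verify_image(sys.argv[1])
    for key, value in record.items():
        print(f"{key:>13}: {value}")
    sys.exit(0 if record["match"] else 1)
```

Re-running the same check after the examination and getting the same digests shows the analysis did not alter the image.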

While you prepare your Expert Witness Report, trying to find answers to the following questions may help you prepare the report.

  1. What is the first step you took to analyze the image?
  2. What did you find in the image:
    1. What file system was installed on the hard drive, and how many volumes?
    2. Which operating system was installed on the computer?
    3. How many user accounts exist on the computer?
    4. Which computer did this image come from? Is there any indicator that it's a VM?
  3. What actions did you take to analyze the artifacts you found in the image/computer? (While many files in the computer are irrelevant to the case, how did you search for artifactual/interesting files in the huge pile?)
  4. Can you describe the backgrounds of the people who used the computer, for example, Internet surfing habits, potential employers, known associates, etc.?
  5. Is there any evidence related to the theft? Why do you think so?
    1. Who was possibly involved? Where do they live?
    2. What are the possible dates associated with the theft?
  6. Are there any files related to this crime or another potential crime? Why did you think they were possible artifacts? What type of files are those? Any hidden files? Any hidden data?

NOTE: Your report must be an expert witness report. A list of answered questions will not be accepted.

Submission

Please follow the directions carefully to complete this project. Click the Start Assignment button and attach your expert witness report (.docx or .pdf).

Grading

This assignment is graded on a 50-point scale.

You will be assessed on your analysis methods and how your analysis helped you turn your findings into evidence. To earn the maximum number of points, you should address (NOT just answer) the guided questions listed above in your report, keeping the following in mind.

  • Explanation of the findings: What did you actually do to make the findings into evidence? 'I opened the image' is not considered an action because your forensic suite does that anyway.
  • A timeline of events: This is extremely important. This will lead the investigation.
  • A brief explanation of the people involved: You need to be very careful with this part. Your finding the word "Trex" somewhere in the image does not prove that Trex is related to your case. You need to make it evidence.
  • Your personal verdict on if and why the suspect is guilty: This is the fun part of concluding the case. Remember, you are stepping into the Administration of Justice area, and this is not a forensic analyst's job.
  • Your analysis should be at most 10-12 pages, including the screen captures. Your analysis should be supported by appropriate screen captures! No points will be given without proper screen captures. All screen captures must accompany a date stamp. Inside the project report, if any screen capture is found without a date stamp, the project won't be graded.
