In this exercise, you will be investigating an imaged thumb drive to determine what conclusions can be drawn from the information in the thumb drive image. Are the file contents genuine or have they been tampered with?

You may download and use FTK Imager, which is an imaging utility developed by AccessData and in addition to its capabilities for creating disk images, it can also be used to explore the contents of a disk image. You may also find it useful to use other tools from your forensics distro.

Download the alienimage hash, alienimage.md$5,$ from iLearn onto your computer. Confirm that the image hash of your copy matches that in the MD$5$ file.

a$)$ Using whichever tools you prefer, load the alienimage.dd so that you can view the contents and explore the files, directories and image.

b$)$ Selectthefile"biodomesunset.jpg$"$withafilesizeof$339$KBandinahexview,lookfor text mentioning Adobe Photoshop. This text is part of the "Exchangeable Image File Format" or "EXIF" information that is inserted into image files by many digital cameras and graphics programs. The EXIF information should be examined in detail.

c$)$ Select the file "lily.jpg$"$ and examine the file, its properties and contents.

d$)$ Examinetheremainderofthefilestoassesstheirbearingontheexercisequestion$($s$).$

e$)$ Credits

$*$ The digital images used in this exercise are the artistic work of Mr$.$ Ryan Bliss, www$.$digitalblasphemy.com, and are used with his gracious permission.

$*$ The original dd file and other exercise material is from Southern Polytechnic State University.