Question: In this lesson, you explored the basic principles of computer forensics, and the processes that are a part of systems forensics, investigations, and response. You also learned that the ability to formulate a rationale, or reasoning, behind computer forensic activities that can be understood by lay persons in a court is a critical competency for computer forensic specialists.
In this lab, you will act as a forensic specialist assisting the lead forensics investigator at the Cyber Crimes Division (CCD) for the City of Fremont Police Department. You have been given a hard drive image taken from a seized computer suspected of containing stolen credit card numbers. You will review the search warrant and complete the chain of custody form that accompanies the evidence drive. Using a variety of forensic tools, you will prepare the contents of the seized hard drive image as evidence, in accordance with the Daubert standard. For example, you will use FTK Imager to create hashes for key evidence files. You will also validate the hash code using EnCase Imager and P2 Commander.
1. Why is the unallocated space of a Windows system so important to a forensic investigator?
2. From where were the badnotes1.txt and badnotes2.txt files recovered?
3. What is the INFO2 file used for?
4. How do you generate a hash file in FTK Imager?
