Question: Please read through Hands-On Project 16-1. Assume that your group is assigned the duty of conducting the investigation of the case. Please first explain the key steps in a digital forensic investigation process. Please then explain which step(s) the tasks in Hands-On Project 16-1 fall into. Please list the skill gaps of your group at the moment to identify the needed training. Please feel free to say that we don't know what this operation/task is about and/or what this operation/task is for.

Hands-On Projects

The following projects are a continuation of data carving from the in-chapter activity and case analysis of additional persons of interest developed from the Chapter 14 and 15 projects. Before beginning these projects, create a Work\Chap16\Projects folder on your system (referred to as your work folder in steps). Download to this work folder all the files from this chapter's downloads section on the student companion site for this book.

Hands-On Project 16-1

As you learned previously, Mr. Shu stated that a couple of JPG files with the name Kayak are on his second computer. For this project, you need the GCFI-js02.001 image you used in in-chapter activities. Follow these steps to carve the second orphan JPG file:

1. In File Explorer, double-click the Ch16-Data-Carve.exe file you downloaded and click Extract to extract the Ch16-Data-Carve.xlsx spreadsheet to your work folder.
2. Start FTK Imager Lite, and click File, Image Mounting from the menu. In the Mount Image To Drive dialog box, click the . . . button next to the Image File text box, navigate to your work folder, click GCFI-js02.001, and then click Open. Click the Mount button, and keep this dialog box open. Remember to leave FTK Imager Lite running so that you can access this image as a mounted drive.
3. Start WinHex. Click Tools, Open Disk from the menu. In the Select Disk dialog box, click GCFI-js02 (G:), and then click OK. (Note: Your drive letter might be different.)
4. Click Search, Find Text from the menu to open the Find Text dialog box. In the text box at the top, type Kayak4, click the List search hits, up to check box, and click OK. In the Search complete message box, click OK.
5. In the upper pane, click the Name column header once to sort alphabetically from A to Z, and then scroll down and click the row with the first occurrence of $MFT. Scroll up in the bottom pane to show FILE0 (see Figure 16-23).
6. In the hexadecimal pane, start at the first byte of the record, offset 00361400, and navigate to the last byte of the file header field, then the last byte of attribute 0x10, and then the last byte of attribute 0x30 to find the starting position for attribute 0x80 (offset 00361508). (For additional guidance on this step, see Navigating Through an MFT Record earlier in this chapter.)
7. Open the Ch16-Data-Carve.xlsx spreadsheet and enter the data run values.
8. In WinHex, find the first data run for this file (offset 00361548), and then place the cursor 1 byte to the right (offset 00361549). Record the value shown for 8 Bit() in the Data Interpreter window. Figure 16-24 shows this file's data runs.
9. In the Ch16-Data-Carve.xlsx spreadsheet, enter the LCN address 2552 in cell B17, and then type the first data run's number of clusters in cell B18 (see Figure 16-25).
10. In WinHex, click the Drive G: tab listing search results (substituting your drive letter, if needed), and then click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the first data run's starting address, 2552 (listed in spreadsheet cell D17), in the =Cluster text box, and click OK.
11. At the start of the cluster, right-click the first byte of the file header and click Beginning of block.
12. Click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the first data run's ending address, 2557 (listed in spreadsheet cell D19), in the =Cluster text box, and click OK. To mark the ending block for the data run, scroll up one row in the lower pane, and then right-click offset 009FCFFF and click End of block.
13. Click Edit from the menu, point to Copy Block, and click Into New File. In the Save File As dialog box, navigate to and click your work folder, type Kayak-dr1.jpg in the File name text box, and click Save.

Caution: When marking the beginning and ending blocks, press the Esc key to avoid highlighting the entire image file after saving the data run.

14. Click the Drive G: tab listing search results (substituting your drive letter, if needed), and then click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the second data run's starting address, 2484 (listed in spreadsheet cell D21), in the =Cluster text box, and click OK. At the beginning cluster, right-click the first byte of the file header and click Beginning of block.
15. Next, click Navigation, Go To Sector from the menu. In the Go To Sector dialog box, type the second data run's ending address, 2489 (listed in spreadsheet cell D23), in the =Cluster text box, and click OK. To mark the ending block for the data run, scroll up one row in the lower pane, and then right-click offset 009B8FFF and click End of block.
