Question: Week 6 Homework 2 - Hands-On Project 6-2, pp. 255-257, Computer Forensic & Investigation (3rd Edition), Bill Nelson, Amelia Phillips, Christopher Steuart

Please complete the following activity:

In this project, you explore the MFT and learn how to locate date and time values in the metadata of a file you create. These steps help you identify fragments of MFT records, which you might find in unallocated disk space or Pagefile.sys. You need a Windows computer with the ProDiscover and WinHex software installed to complete this project. Both tools are included with your textbook CD disk. You can download WinHex by navigating to the Course Materials - Chapter 6 Materials section on Blackboard. Then, follow these steps:

1. Start Notepad, and create a text file with one or more of the following lines:
   - A countryman between two lawyers is like a fish between two cats.
   - A slip of the foot you may soon recover, but a slip of the tongue you may never get over.
   - An investment in knowledge always pays the best interest.
   - Drive thy business or it will drive thee.
2. Save the file in your work folder as C6Prj02.txt, and exit Notepad. (If your work folder isn't on the C drive, make sure you save the C6Prj02.txt file on your C drive to have it entered in the $MFT files you copy later.)
3. Start ProDiscover Basic, and start a new project, using C6Prj02 for the project number and filename.
4. Click Action from the menu, point to Add, and click Disk.
5. In the Add Disk to Project dialog box, click PhysicalDrive0. Type c-drive in the "Please enter unique name for physical disk" text box, and then click Add. If you see the Add Disk warning message, click OK.
6. In the tree view, click to expand Content View, Disks, and PhysicalDrive0. Then click to select the C drive.
7. In the work area, scroll down, if necessary, and then right-click $MFT and click Copy File. In the Save As dialog box, navigate to your work folder, and then click Save.
8. When the $MFT file has been copied to your work folder, exit ProDiscover Basic, saving the project if prompted.

Next, you examine the copied $MFT file to learn how metadata is stored. Follow these steps:

1. Start WinHex Demo. If you see an evaluation warning message, click OK.
2. Click the Open toolbar button. In the Open dialog box, navigate to your work folder, click the $MFT file, and then click Open. If you see another evaluation warning message, click the "Do not display this kind of message again" check box, and then click OK.
3. Click Search, Find Text from the menu.
4. In the text box for specifying the text string to search, type C6Prj02.txt. Click the Format Code list arrow (next to the list box containing the text ASCII), click Unicode, and then click OK.
5. Right-click the Data Interpreter window and click Options. In the Data Interpreter Options dialog box, click the Win32 FILETIME (64 bit) check box, and then click OK. The Data Interpreter should then have FILETIME as an additional display.
6. In the WinHex window, scroll up so that the MFT record label FILE for C6Prj02.txt is the first line at the top of the hexadecimal and text displays.
7. Click at the beginning of the record, on the letter F in FILE, and then drag down and to the right while you monitor the hexadecimal counter in the lower-right corner. When the counter reaches 50, release the mouse button.
8. Move the cursor one position to the left (to the next byte), and record the date and time of the Data Interpreter's FILETIME values.
9. When you're finished, exit WinHex.
10. Post a thread with the date and time values you recorded.
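The project above locates the record by hand: a Unicode search for the file name, scroll back to the FILE signature, select 0x50 bytes, and read the FILETIME under the cursor. The Python below is an added example for this page (not code from the textbook, ProDiscover or WinHex) that does the same thing over any raw byte blob, which is what you need once the record is a fragment in unallocated space or Pagefile.sys rather than a row in $MFT: it searches for the name in UTF-16LE, backs up to the nearest FILE signature within one record size, undoes the NTFS update-sequence fixups, walks the attribute list and decodes the four $STANDARD_INFORMATION timestamps (creation, modified, MFT-modified, accessed). The record layout is the NTFS on-disk format; the 0x50 offset is where the first attribute's content lands when, as in a typical record, the attribute list starts at 0x38. The C6Prj02.txt record, its timestamps and the filler bytes around it are constructed for the example, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR = 1024, 512          # default MFT record size, sector size
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF

def filetime_to_datetime(ft):
    """Win32 FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def _resident_attr(type_id, content):
    """24-byte resident attribute header + content, length rounded up to 8."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", type_id, length, 0, 0, 0, 0, 0,
                      len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")

def build_mft_record(name, times, record_no=40):
    """CONSTRUCTED in-use record as NTFS writes it: 0x38-byte header, attributes, fixups."""
    ft = [datetime_to_filetime(times[k])
          for k in ("created", "modified", "mft_modified", "accessed")]
    std_info = struct.pack("<4QIIII", *ft, 0x20, 0, 0, 0)       # flags: ARCHIVE
    file_name = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *ft, 0, 0, 0, 0,
                            len(name), 1) + name.encode("utf-16-le")
    body = (_resident_attr(ATTR_STANDARD_INFORMATION, std_info)
            + _resident_attr(ATTR_FILE_NAME, file_name) + struct.pack("<I", ATTR_END))
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + len(body), RECORD_SIZE, 0, 2, 0, record_no)
    rec = bytearray((header + b"\0" * 8 + body).ljust(RECORD_SIZE, b"\0"))
    usn = b"\x07\x00"   # update sequence array at 0x30: USN + saved sector tails
    rec[0x30:0x36] = usn + rec[SECTOR - 2:SECTOR] + rec[2 * SECTOR - 2:2 * SECTOR]
    rec[SECTOR - 2:SECTOR] = usn
    rec[2 * SECTOR - 2:2 * SECTOR] = usn
    return bytes(rec)

def undo_fixups(rec):
    """Restore each sector's last two bytes; a mismatch means this is not one intact record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if end > len(rec): break                 # truncated fragment: keep what we have
        if out[end - 2:end] != usn:
            raise ValueError("update sequence mismatch at %#x" % end)
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_standard_information(rec):
    """Walk the attribute list (first offset at 0x14) and decode the four
    $STANDARD_INFORMATION FILETIMEs; in a typical record they start at 0x50."""
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature")
    rec = undo_fixups(rec)
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        type_id, length = struct.unpack_from("<II", rec, off)
        if type_id == ATTR_END or length == 0:
            break
        if type_id == ATTR_STANDARD_INFORMATION:
            base = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            keys = ("created", "modified", "mft_modified", "accessed")
            info = {k: filetime_to_datetime(v)
                    for k, v in zip(keys, struct.unpack_from("<4Q", rec, base))}
            info["offset"] = base
            return info
        off += length
    raise ValueError("$STANDARD_INFORMATION not found")

def raw_filetime_at(rec, offset=0x50):
    """The manual WinHex step: the 64-bit value under the cursor."""
    return struct.unpack_from("<Q", rec, offset)[0]

def find_records_by_name(blob, name):
    """Scan any blob ($MFT copy, unallocated clusters, pagefile.sys) for the UTF-16LE
    name, back up to the nearest FILE signature within one record size and decode it."""
    needle, hits, pos = name.encode("utf-16-le"), [], 0
    while (pos := blob.find(needle, pos)) != -1:
        start = blob.rfind(b"FILE", max(0, pos - RECORD_SIZE), pos)
        if start != -1:
            try:
                info = parse_standard_information(blob[start:start + RECORD_SIZE])
                hits.append(dict(info, record_offset=start))
            except ValueError:
                pass                             # name hit without a usable record
        pos += len(needle)
    return hits

# Constructed sample (not real data): one record for C6Prj02.txt inside filler bytes,
# standing in for a fragment carved out of unallocated space.
def _utc(*a): return datetime(*a, tzinfo=timezone.utc)
SAMPLE_TIMES = {"created": _utc(2024, 3, 5, 14, 22, 7, 123456),
                "modified": _utc(2024, 3, 5, 14, 25, 40),
                "mft_modified": _utc(2024, 3, 5, 14, 25, 40), "accessed": _utc(2024, 3, 6, 9, 0, 1)}
SAMPLE_RECORD = build_mft_record("C6Prj02.txt", SAMPLE_TIMES)
SAMPLE_BLOB = b"\xaa" * 300 + SAMPLE_RECORD + b"\x00" * 100
```

To run it against your own copy, pass the bytes of the copied $MFT (or a carved chunk of pagefile.sys) to `find_records_by_name(data, "C6Prj02.txt")`; each hit reports the record's offset in the blob and the offset of the timestamps inside the record, which for the record in this project is 0x50. FILETIME values are stored in UTC, so compare them with the Data Interpreter allowing for whatever time zone WinHex is set to display. The fixup check is what separates an intact record from two unrelated pieces that happen to sit within 1024 bytes of each other: the creation time at 0x50 lies inside the first sector and is never altered by fixups, but a hit whose sector tails do not match the update sequence number is skipped rather than reported as a complete record.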
