Forensic Analysis Process

Question 1

What should be included in a response kit?

Answer 1

• digital camera
• latex gloves
• notepads
• property report for seizing evidence
• antistatic bags
• write blocking devices
• frequency shielding material
• toolkit
• misc: power cables, data cables, usb drives

Question 2

Program to use USB devices remotely?

Answer 2

• http://virtualhere.com/home

- requires a network connection where the USB keys are plugged in

Question 3

What is the free open source forensic tool system?

Answer 3

• Autopsy

- www.sleuthkit.org/autopsy

Question 4

What is the order of volatility, from most to least volatile?

Answer 4

1. live system
2. running
3. network
4. virtual
5. physical

Question 5

Forensic Image

Answer 5

• a bit-for-bit copy of the source device, stored in a forensic image format
• DD, E01, or AFF

Question 6

File signature analysis

Answer 6

• ensures the file extension matches the file type

Question 7

What website allows you to search File Signatures based on File Extension?

Answer 7

• https://filesignatures.net

Question 8

What are the steps in FTK to view/mount a forensic image?

Answer 8

1. File > Image Mounting
2. Mount Image to Drive menu
   2a. Mount Type: Physical and Logical
   2b. Drive Letter (select any letter)
   2c. Mount Method: Block Device/Read Only

Question 9

What to include in Forensic Document?

Answer 9

• your narrative
• pertinent exhibits
• supporting documentation