• Properly process and handle evidence for a case and perform other case management functions
• Select and use appropriate digital forensics tools
• Prepare and annotate an inventory of files present on an evidence drive
• Triage an evidence drive using a forensic tool to view and analyze partitions, folders, and files to:
o Identify and properly address the presence (if any) of contraband (adult and child pornography, evidence related to narcotics)
o Identify and properly address the presence of evidence related to violations of an employment agreement or violations of company policy
• Evaluate an assessment (formal or informal) performed by another party and provide a formal response (“equivocal assessment”) in which you address the other party’s procedures and findings
• Write a reasonably professional and comprehensive AssessmentReport for a forensic examination
Required Deliverables:
1. Assessment Report (75% of grade)
2. Annotated Inventory of Forensically Interesting Files (25% of grade)

Scenario for Forensic Report #1
James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), has contacted you to request assistance in handling a sensitive matter regarding the unexpected resignation of his company’s Assistant Chief Security Officer, George Dean. PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries,due to their involvement as security consultants to the gaming commissioners. The unexpected resignation and disappearance of a senior staff member is a reportable security incident under the terms of several of the company’s contracts with state gaming commissions. Thus, Mr. Randell needs an independent, outside assessment of the facts and evidence pertaining to Mr. Dean’s resignation.
Background (Information Obtained During Client Interview)
Mr. Randell became concerned about Mr. Dean’s activities after his Human Resources Officer, Norbert Singh, reported that Mr. Dean left a voice mail tendering his resignation effective immediately.Mr. Singh also reported that Mr. Dean’s supervisor (Ms. Betty Mayne, the Chief Security Officer) had opened Mr. Dean’s locked office, at Mr. Singh’s request, and noted that it was unusually tidy and that the computer workstation and a company issued laptop were both missing. Mr. Randell asked Mr. Singh and Ms. Maynes to investigate further and report back to him. During the second meeting, Mr. Randell was informed of the following:
• Mr. Dean’s workstation was one of three company computers taken to the IT Service Center earlier in the week to be wiped and reimaged due to infection by a particularly nasty rootkit.The computers are due back in the office next Friday by 10:00 AM.
• Ms. Mayne contacted the IT service center and requested that they stop all work and immediately return the three computer systems to the company.
• Mr. Dean was using a company issued laptop in the office as a temporary replacement for his workstation. The company issued laptop was not found in the office but, an empty laptop case was found under the desk.
• During their search of the office, Mr. Singh and Ms. Mayne found single 2GB USB drive that had been left in the laptop case. Ms. Mayne and her staff examined the contents of the USB Drive and reported to Mr. Randell that it contained files pertaining to Mr. Dean’s duties as Assistant Chief Security Officer. There were no indications of any involvement in activities contrary to the company’s best interests.Note: This paragraph provides you with the “previous examination” results that you will address in the “Assessment of Previous Investigation” section in your Assessment Report.
Request for Forensic Services (Tasking)
Mr. Randell has requested that you examine the recovered USB drive and tell him what you find. He also asked that you provide an assessment as to the accuracy and validity of the findings from the PAGS CSO’s staff examination of the contents of the USB (“equivocal assessment”). Your deliverables will include an assessment report and an annotated inventory listing all files and information of forensic interest which were recovered from the drive.
The burning questions of the moment are:
1. What was George Dean up to before he resigned?
2. Why did he resign so suddenly?
Notes for the Student:
1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, Adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image.
2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.
3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.
4. For the purposes of this assignment, you (the student) are acting in the role of “forensic examiner.” In the grading rubric, actions attributed to “the examiner” are actions that you should (or should not) have taken.

Acquisition / Forensic Imaging Report (USB)
Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using DCFLDD’s verify file command (sudo dcfldd vf=/dev/sdx pattern=00 where sdx is the drive designator for the USB).
Imaging operation was performed using FTK Imager.
Image: PAGS01_06132014.E01
Created By AccessData® FTK® Imager 2.6.0.49 090505

Case Information: Forensic Report #1 CMIT 424 Fall 2014
Case Number: PAGS01
Evidence Number: PAGS01
Unique description: Lexar Jump Drive
Examiner: Instructor
————————————————————–
Information for PAGS01_06132014:

Physical Evidentiary Item (Source) Information:
[Drive Geometry]
Cylinders: 63
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 1,014,784
[Physical Drive Information]
Drive Model: LEXAR JUMPDRIVE USB Device
Drive Serial Number: 8KRZ24B
Drive Interface Type: USB
Source data size: 495 MB
Sector count: 1014784
[Computed Hashes]
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1

Image Information:
Acquisition started: Fri Jun 13 21:59:00 2014
Acquisition finished: Fri Jun 13 22:00:53 2014
Segment list: PAGS01_06132014.E01

Image Verification Results:
Verification started: Fri Jun 13 22:00:53 2014
Verification finished: Fri Jun 13 22:00:56 2014
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e : verified
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1 : verified

Examination of the Evidence (Procedure) for Forensic Report #1