One of the most common commercial digital forensic tools is EnCase, an integrated tool used in many types of digital forensic investigations, with a focus on computers and servers.
Additional AccessData tools that are commonly used include Password Recovery Toolkit (PRTK) and Registry Viewer.
There are three steps in this project. In those steps, you will use EnCase and other tools to image two computers and a thumb drive or USB stick. Each step in the project requires you to respond to detectives’ questions based on computer images.
The final assignment is a paper that helps detectives better understand the use of EnCase to access and image computers and thumb drives. In Step 1, you introduce detectives to the basics of forensic digital investigation by creating an image using EnCase.
Step 1: Create an Image in FTK Imager
One of the first steps in conducting a digital forensic investigation is creating a forensic image of the evidence disk or drive. Digital forensic evidence can be found in operating systems, disk drives, network traffic, emails, and software applications. To help the detectives in your department better understand the digital forensics investigation process, you have offered to show them how you create an image using FTK Imager. Media investigations of digital storage devices can cover audio files, pictures, videos, documents, portions of files, graphics files, and information about a file. Graphics files can be a rich source of forensic evidence.
Because you are pressed for time, you go to the virtual lab and decide to create an image of the “My Pictures” directory on your computer. This process is similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot and text file (DFC620_Lab1_Name.ad1) that document your imaging process with information such as hash values.
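The hash values that document an image are what let anyone later confirm the evidence is unchanged. The script below is an added illustration of that record, not FTK Imager's own code: it builds a per-file MD5/SHA-1 manifest for a directory standing in for "My Pictures" and re-verifies it afterwards; the folder contents are constructed.

```python
"""Per-file hash manifest for a directory (here standing in for "My Pictures"),
plus a later re-verification. Added example, not FTK Imager code."""
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, hashing in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Map each file's path (relative to root) to its hashes; sorted so the
    manifest is reproducible run to run."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest):
    """Re-hash root and report files that changed, vanished or appeared since
    the manifest was taken; an all-empty report means the copy still matches."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }

def demo():
    """Constructed scenario: record a small folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "vacation.jpg").write_bytes(b"abc")
        Path(tmp, "notes.txt").write_bytes(b"hello")
        manifest = build_manifest(tmp)
        Path(tmp, "vacation.jpg").write_bytes(b"abd")   # one byte changed
        Path(tmp, "notes.txt").unlink()                  # one file deleted
        return manifest, verify_manifest(tmp, manifest)

if __name__ == "__main__":
    manifest, report = demo()
    for name, hashes in manifest.items():
        print(name, hashes["md5"], hashes["sha1"])
    print("verification:", report)
```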
Complete This Lab
Resources
Accessing the Virtual Lab Environment: Navigating UMGC Virtual Labs and Lab Setup
Self-Help Guide (Workspace): Getting Started and Troubleshooting
Link to the Virtual Lab Environment: https://vdi.umgc.edu/
Lab Instructions
Forensic Imaging Lab
Getting Help
To obtain lab assistance, fill out the support request form.
Make sure you fill out the fields on the form as shown below:
Case Type: UMGC Virtual Labs Support
Customer Type: Student (Note: faculty should choose Staff/Faculty)
SubType: ELM-Cyber (CST/DFC/CBR/CYB)
SubType Detail: Pick the category that best fits the issue you are experiencing
Email: The email that you currently use for classroom communications
In the form’s description box, provide information about the issue. Include details such as steps taken, system responses, and add screenshots or supporting documents.
Step 2: Process an Image From the Suspect Mantooth’s Computer
In the previous step, you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis, so you decide to go to the virtual lab and use EnCase to access user account information for the image from a computer owned by a suspect named Mantooth. Detectives don’t yet have the suspect’s first name and are seeking more information.
Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.
Complete This Lab
Lab Instructions
Mantooth Image Processing and Analysis Lab
The image you will be viewing, Mantooth, is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. EnCase can display the contents of various types of registry files, which will help answer some of the questions posed by the detectives. You can also investigate the suspect Mantooth’s email activity and picture files.
The detectives have requested specific information that you will detail in the lab, including Mantooth’s first name, email information, and other material that can be gleaned from the computer hard drive. See the lab instructions for specific questions to answer.
The detectives have requested the following information:
Mantooth’s first name and a screenshot of a picture
number of jpg files in the Mantooth evidence file
names of the email domains from the email in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received email message for each domain
names of people who have sent email to or received email from Mantooth, and the number of emails sent or received to and from each person
information on encryption—whether it was used for any of the email, and if so, what type
evidence of potential criminal activity within this image
information on how PINs were captured
vehicle identification number of the ’92 Dodge
identity of Sean and his role in this case
information on password(s)—where you found it/them, whether it/they are usable, what it/they are used for
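The per-domain and per-correspondent email counts requested above are a tally over message headers. The script below is an added example of that tally (not EnCase output); the three messages and the owner address mantooth@example.com are constructed, and "sent" simply means the owner appears in From.

```python
"""Tally mail traffic per domain and per correspondent from raw RFC 822 messages.
Added example; the messages and owner address below are constructed."""
import email
from collections import defaultdict
from email.utils import getaddresses, parsedate_to_datetime

SUSPECT = "mantooth@example.com"  # assumed owner of the mailbox being examined

# Constructed sample messages standing in for an email export from the image.
SAMPLE = [
    "From: Sean <sean@example.org>\nTo: mantooth@example.com\nDate: Mon, 03 Mar 2008 09:00:00 +0000\nSubject: a\n\nhi\n",
    "From: mantooth@example.com\nTo: Sean <sean@example.org>\nDate: Tue, 04 Mar 2008 10:30:00 +0000\nSubject: re\n\nok\n",
    "From: mantooth@example.com\nTo: friend@example.net\nCc: sean@example.org\nDate: Fri, 07 Mar 2008 08:00:00 +0000\nSubject: x\n\ny\n",
]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def _span(stats, direction, when):
    """Keep the oldest and newest timestamp seen for one direction."""
    first, last = "first_" + direction, "last_" + direction
    stats[first] = when if stats[first] is None else min(stats[first], when)
    stats[last] = when if stats[last] is None else max(stats[last], when)

def tally(raw_messages, owner=SUSPECT):
    """Return (per-domain stats, per-person counts) for the owner's traffic."""
    domains = defaultdict(lambda: {"sent": 0, "received": 0, "first_sent": None,
                                   "last_sent": None, "first_received": None, "last_received": None})
    people = defaultdict(lambda: {"sent": 0, "received": 0})
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        when = parsedate_to_datetime(msg["Date"])
        direction = "sent" if sender == owner else "received"
        # Correspondents are every address on the message other than the owner.
        others = {a for a in [sender] + recipients if a != owner}
        for addr in others:
            people[addr][direction] += 1
        for dom in {domain_of(a) for a in others}:   # one count per domain per message
            domains[dom][direction] += 1
            _span(domains[dom], direction, when)
    return dict(domains), dict(people)

if __name__ == "__main__":
    by_domain, by_person = tally(SAMPLE)
    for dom, stats in sorted(by_domain.items()):
        print(dom, stats)
    for addr, counts in sorted(by_person.items()):
        print(addr, counts)
```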
The detectives are also asking for:
summary of findings
case documentation, such as tools used, version, and image hashes
screenshots or other forensic artifacts supporting your responses to the questions
Review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using EnCase tools.
Just when you think that the detectives are satisfied with the information that you’ve provided, they request even more information on the suspects and the crime. You can’t say no, so you turn to EnCase to help you access that data.
Step 3: Process an Image From the Suspect Washer’s Computer
The Mantooth image has provided a lot of new information, but the detectives want more. EnCase is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer.
Key words: examining metadata, file systems, hexadecimal, ASCII, operating systems, report writing, file system information gathering.
Complete This Lab
Lab Instructions
Washer Image Processing and Analysis Lab
The Washer image, like the Mantooth image, is a subset of a full computer image: while it is rich in artifacts, it is small enough to process in minutes rather than hours. You have full confidence that an investigation of the Washer image will approximate the investigation of a full computer image. EnCase allows you to view the contents of registry files. Passwords for certain files may also be recoverable from other artifacts on the image.
The detectives have asked you to analyze the Washer and thumb drive images within EnCase to ferret out facts, and have supplied a list of detailed questions about Washer, his associates, and other information from the computer and its files. You will include your answers to these questions in your final paper on the Use of EnCase tools.
What are the AIM usernames for Rasco Badguy and John Washer?
What is the current zip code for the AOL IM account registered to Washer?
When was AOL IM installed?
Rasco Badguy and John Washer plan to camp.
What does Rasco’s vehicle look like? Provide a description. Who might Rasco bring with him?
Provide the starting and ending points for their camping trip, as well as the name of the body of water nearby (same as the road running along the shore). Find a map and directions to the spot where they will camp.
Provide this additional information:
Document three distinct types of criminal activity that are under consideration and discussion by these people.
There is a piece of software that will support one of the types of criminal activity under consideration. It is being obscured by file manipulation or encryption. Document the name of the file, its function, and what needs to be installed for it to operate properly.
Document two names, addresses, and credit card or account numbers of potential victims.
Prove that the file “How to Steal Credit Card Numbers.doc” was opened on the computer.
The word “oops” has come up in intercepted traffic. Document what it refers to.
Document three ways this case has familiarity or linkages to any other case you are familiar with.
Several people in this case owe money. Document who they are and how much they owe.
Is there anything that links the thumb drive to the Washer image?
Document how many times the administrator account was used and the date of the last log-in (hint: during 2008).
Once again, the detectives are asking for a summary of your investigative procedures and findings, so you document the following:
summary of findings
case documentation such as tools used, version, and image hashes
screenshots or other forensic artifacts that support your responses to all questions
Review your responses and summary documentation carefully for accuracy and completeness since you will be including them in your final paper.