Overview

Introduction

The Forensics - Understanding the Digital Forensics Profession and Investigations lab provides you with the instructions and devices to develop your hands on skills in the following topics.

  • Acquiring an Image of Evidence Media
  • Analyzing Your Digital Evidence
  • Analysis Example
  • Report Example
  • Keyword Search Example

Lab time:It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • CS0-001 3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
  • CS0-001 4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management.

Exercise 1 - Acquiring an Image of Evidence Media

After you retrieve and secure the evidence, you’re ready to copy the evidence media and analyse the data. The first rule of digital forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data—the image of the original medium. Several vendors provide MS-DOS, Linux, and Windows acquisition tools. Windows tools, however, require a write-blocking device (discussed in Chapter 3) when acquiring data from FAT or NTFS file systems.

In this exercise you will complete the following tasks.

  • Using ProDiscover Basic to Acquire a Drive Image

Exercise 2 - Analyzing Your Digital Evidence

When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space—meaning it can be used for new files that are saved or files that expand as data is added to them.

The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as ProDiscover Basic can retrieve deleted files for use as evidence.

In this exercise you will complete the following tasks.

  • Using ProDiscovery to Analyze Evidence
  • Analyzing Data
  • Creating a Report
  • View the Report
  • Export the Report

Exercise 3 - Analysis Example

Performing analysis on the images is used to extract out evidence that an activity has taken place by correlating key piece of information such as times, dates and names to the process or function being performed by the device at the time of question.

In this exercise you will complete the following tasks.

  • Image Examination
  • Examine Key Words
  • Allocated Data

Exercise 4 - Report Example

Reports are key to any investigation and are a very important part of the process with confirming the actions that took place during an investigation.

In this exercise you will complete the following tasks.

  • Report listing for unallocated files.

Exercise 5 - Keyword Search Example

This exercise will rely on previous learnt skills to examine some media from a drive and perform a string search, form a report and save it.

In this exercise you will learn:

  • Keyword Examination

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.