Need help with a Forensic report project

Need help with this project. Please take some time to carefully review the supporting documents and see if you will be able to assist.
Requirements: n/a
Forensic Examination and Forensic Report
Scenario: 
You are a computer forensic examiner working for the Federal Bureau of Investigation (FBI). The FBI is investigating a series of threats posted on social media by Franklin B. Saunders.  
Saunders is:
an undergraduate student at George Mason University
a sophomore majoring in Chemistry with a concentration in Materials Chemistry
currently a resident on campus at GMU
During the course of the investigation, the FBI has been in contact with the George Mason University police department and Violence Prevention Committee (VPC). Saunders has been reported to the VPC on two previous occasions. 
After evaluating the social media posts, the FBI has probable cause to believe that Franklin B. Saunders is a credible threat to the students and faculty at George Mason University. 
A search of Saunders’s residence was conducted by the FBI. During this search, a flash drive was located. The flash drive was taken to the FBI labs, at which time a forensic image was created. 
You are being provided the forensic image of the flash drive and the associated hash file. Your assignment is to conduct a forensic examination of the flash drive and document any findings of relevant files in a professional forensic report. 
You are to only document the steps of your investigation, analyze the technical content and metadata, and explain the technical information. 
You are not analyzing, interpreting, or summarizing the content of the files. 
You will include the content of the files in the appendix of the report. 
Your report should include an analysis of the metadata, such as MAC times, usernames, users associated with file properties, and dates/times of file activity. 
All technical information should be explained in a way a jury would understand and include what the metadata means or why it is relevant. 
For this report, you are including: 3 documents, 2 PDFs, 3 graphics, 3 deleted files (any type), 3 HTML or web-based files, and 1 OLE subitem. 
For tips and example language, see the “” document. 
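The MAC times and the "is it a file or a deleted file" question above are answered by the file system's own bookkeeping. The decoder below is an added example for this assignment, not course material or FTK/Autopsy code; it assumes the flash drive is FAT-formatted (the assignment does not name the file system) and the 32-byte directory entry it decodes is constructed by hand.

```python
"""Decode a FAT 8.3 directory entry: name, MAC times, size and the 'deleted' marker.

Added example for this assignment (not FTK/Autopsy code). Assumes a FAT volume;
the sample entry below is CONSTRUCTED, not taken from any evidence image.
"""
import struct
from datetime import datetime, timedelta

DELETED_MARKER = 0xE5   # FAT overwrites the first name byte with 0xE5 when an entry is freed
ATTR_DIRECTORY = 0x10
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"   # 32 bytes, little-endian


def _fat_date(raw: int):
    """16-bit date: 7-bit years since 1980, 4-bit month, 5-bit day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def _fat_time(raw: int):
    """16-bit time: 5-bit hour, 6-bit minute, 5-bit count of two-second steps."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2


def decode_entry(entry: bytes) -> dict:
    """Return the metadata a report needs from one 32-byte directory entry.

    Worth stating to a jury: FAT stores the created time to 10 ms, the modified
    time to 2 s, and the accessed stamp as a DATE only (no time of day).
    """
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (name, ext, attr, _nt, ctenth, ctime, cdate, adate,
     clus_hi, mtime, mdate, clus_lo, size) = struct.unpack(ENTRY_FORMAT, entry)
    deleted = entry[0] == DELETED_MARKER
    # The first character of a deleted name is gone; show it as '?' (tools differ here).
    first = "?" if deleted else name[:1].decode("ascii")
    base = first + name[1:].decode("ascii").rstrip()
    ext_str = ext.decode("ascii").rstrip()
    cy, cm, cd = _fat_date(cdate)
    ch, cmi, cs = _fat_time(ctime)
    my, mm, md = _fat_date(mdate)
    mh, mmi, ms = _fat_time(mtime)
    return {
        "name": base + ("." + ext_str if ext_str else ""),
        "deleted": deleted,                      # entry still present, space marked reusable
        "is_directory": bool(attr & ATTR_DIRECTORY),
        "size": size,
        "first_cluster": (clus_hi << 16) | clus_lo,   # where recovery starts reading
        "created": datetime(cy, cm, cd, ch, cmi, cs) + timedelta(milliseconds=10 * ctenth),
        "modified": datetime(my, mm, md, mh, mmi, ms),
        "accessed_date": _fat_date(adate),       # FAT keeps no access time of day
    }


# CONSTRUCTED sample: a deleted "MAPS.DOC" (first byte 0xE5), archive attribute,
# created 2006-03-01 14:44:30 + 1.5 s, modified 2006-03-02 09:05:10, accessed 2006-03-02.
SAMPLE_ENTRY = struct.pack(
    ENTRY_FORMAT, b"\xe5APS    ", b"DOC", 0x20, 0,
    150,    # creation tenths of a second (150 -> 1.50 s)
    30095,  # 14:44:30 -> (14<<11) | (44<<5) | (30//2)
    13409,  # 2006-03-01 -> ((2006-1980)<<9) | (3<<5) | 1
    13410,  # last access date 2006-03-02
    0, 18597, 13410, 1234, 24576)   # cluster hi, mtime 09:05:10, mdate, cluster lo, size

if __name__ == "__main__":
    for key, value in decode_entry(SAMPLE_ENTRY).items():
        print(f"{key:14} {value}")
```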
Tools: 
You may use any FORENSIC tools available to you. 
At the very least you should use:
FTK Imager (to verify the image and hash values)
FTK Toolkit or Autopsy (to conduct the majority of your investigation)
An EXIF viewer tool (to examine JPEG files)
You must use the template provided and include the information listed.  DO NOT LEAVE PLACEHOLDER TEXT, REPLACE WITH YOUR ACTUAL INFORMATION. 
You will include the “best” evidence items and full analysis from the following categories in your report. Only include the number of items listed.  Do not include more.
Documents (3 items)
PDF (2 items)
Graphics (3 items, minimum 1 must be jpg)
Deleted Files (3 items that are not discussed in other categories)
HTML or Web-based Files (3 items)
OLE Subitems (1 item)
OLE = Object Linking and Embedding.
OLE Sub-Items are items embedded in a file, such as text, graphics, or an entire file.
They are called sub-items because they are not files themselves; they exist inside an actual file.
For example: a chart or graphic embedded in a Word document. 
All other relevant background information, image verification, etc listed in the template
The Report: 
Your report will be approximately 5-10 pages OF TEXT (not including your screenshots, lists of evidence, content of evidence files, etc.) 
You should give a detailed (step by step) explanation of what you did, what you found, and how and where you found it.
You may use screen shots and file content as an appendix.
Do not include screenshots in the body of your report!!
Do not include the content of the evidence files in the body of your report!!
Crop your screenshots so only relevant information is showing… I shouldn’t be able to see your desktop or other open files.
Follow the “Forensic Report Guidelines” you have been given during lecture. 
Do not try to analyze the content of files.
Stick to the FACTS!
Your report should explain the technical aspects (e.g. what is a link file, why is this important, explain it so a non-technical person can understand.)
Just giving a list of evidence with no explanation of how you found it and what it means (as far as the technical aspect) is insufficient.  Don’t just say you found it using FTK – explain! 
Analyze the metadata! 
You have more than enough evidence on the disk to write this much text EASILY.  If you are having a hard time, you probably missed a significant amount of evidence. 
Formatting: 
Use the template provided
Include a title page
Text should be single spaced, 0 spacing before & after 
Font should be set to Arial or Calibri
Font should be set to 12 point
Margins should be set to 1 inch
Paragraphs should be set to Justify (not left, right, or center aligned)
You should include headings and subheadings
Your report should be in complete sentences, free of grammatical/spelling errors, easy to read, and professional.
If you use any outside sources, you must cite them using APA citations
Your report must have a red watermark on every page stating: “THIS IS AN EDUCATIONAL PROJECT”.  Any project that does not have this will be a zero. 
Page Layout – Watermark – Custom Watermark – Text Watermark 
Change the text to “THIS IS AN EDUCATIONAL PROJECT” 
Change the color to RED, transparency to 75%
Your file must be less than 10MB to be submitted to SafeAssign.  
Compress your graphics by using the “Compress Pictures” option in Word.  
Choose the smallest file size possible. 
Hints: 
Remember:  your report should read like a story.  A list of evidence is not sufficient for a report… you need to explain how/where you found the evidence.  
You are not a content analyst, so do not try to interpret the evidence… present the facts as you find them.  Remember… you can’t say a specific person did something. 
This is an individual project.  The GMU honor code will be strictly enforced.   You will submit your assignment through SafeAssign on Blackboard.  Only work submitted through SafeAssign will be accepted.
File paths – you should use the file path from the root of the actual evidence drive, not from the image file. The file path is any text after the name of your image file. 

Checklist: 
***Also review the rubric for the project
Content:
I included the case background, my name, who I work for, etc. 
I verified the hash value before anything else.
I included the given hashes and calculated hashes.
My report only includes FACTS, no opinions or interpretations.
I did not analyze the file content.
My report includes the file names of evidence items.
My report includes the file paths of evidence items.
My report includes the MAC dates and times of evidence items.
My report explains if the evidence is a file, deleted file, etc. and explains what this means.
Someone could read my report and follow my steps exactly step by step.  (I explain what I did.)
Any technical term includes an explanation of what it is, in layman’s terms. (I explain what everything means.)
All evidence mentioned in the report is in the appendix. 
I don’t say a specific person did something. (Usernames are differentiated from a person’s name.)
All evidence is documented in the report. 
I do not have any inaccurate information in my report. 
Formatting:
I included my watermark. 
I compressed my graphics and my project is less than 10MB. 
I followed formatting guidelines for font, line spacing, etc. 
I do not have screenshots in the body of my report.
I do not have file content in the body of my report.
My appendix has labels for each evidence item.
I spell-checked and proofread my report.
My report is well formatted and easy to read. 
I use headings and subheadings.
I do not have long paragraphs.
Only one evidence item is discussed per paragraph. 

Rubric: 
Investigator Information
Include your name, who you work for, qualifications to conduct this analysis
Case Background
Include the background of the case, search warrant authorization, where, when, and how the evidence was found, the type of evidence, how/where the evidence was obtained, how/when/by whom the image was created, and how you obtained it
Evidence Analyzed
Give details about the evidence – i.e. what type of evidence are you examining? Give an explanation of how the evidence was acquired and steps taken. Hint: You were given the image file, who created this, how did you obtain this?
Verification of Evidence Integrity
Explain the hash process, and what tools were used. Explain what a hash is and why it is important. Show the hash value given with the evidence and compare it to the hash value you calculated with the image verification. Hint: You were given an image file, do not create an image of the image, just verify it.
Forensic Tools
Explain what tools and systems you are using to conduct the analysis, include versions of the tools and additional information about the tools or any details to give credibility.
Overview
Give an overview explaining your approach to the forensic investigation and analysis of the evidence.
Give an overview of the structure of the drive, number of files, folders and folder organization, etc.
Documents
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Evidence File Name #2
Include relevant info listed above
Evidence File Name #3
Include relevant info listed above
PDF
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Evidence File Name #2
Include relevant info listed above
Graphics
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Evidence File Name #2
Include relevant info listed above
Evidence File Name #3
Include relevant info listed above
Deleted Files
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Evidence File Name #2
Include relevant info listed above
Evidence File Name #3
Include relevant info listed above
HTML or Web-based Files
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Evidence File Name #2
Include relevant info listed above
Evidence File Name #3
Include relevant info listed above
OLE Subitems
Explain the steps you have taken to get here
Explain relevance and other details
Evidence File Name #1
Give all of the details about this evidence item in a way a non-technical person would understand
Explain exactly HOW you found it using the tools (not just “I found this using FTK”)
Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)
Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?
Explain the technical significance of this (e.g. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)
Reference the appendix # with the content of the file.
Notes:
No file content goes here.
No screenshots go here.
No analysis of the file content.
No interpretations or opinions.
Differentiate between a username and person – don’t say a person did something.
Don’t use long paragraphs, break them up so it is easy to read.
Don’t use vague language like several or many, be specific
Write in first person
Write like this is a professional report
If you include technical information it MUST be explained.
Don’t include lists of technical info without an explanation.
Summary
Summarize technical findings as necessary. Stick to the FACTS, not your interpretation.
Appendix
Appendix Item 1:
Include screenshot/file content here.
NOTE:
Do not include interpretations, opinions, or discussion of file content.
Appendix Item 2:
Include screenshot/file content here.
Appendix Item 3:
Include screenshot/file content here.
Appendix Item 4:
Include screenshot/file content here.
Appendix Item 5:
Include screenshot/file content here.
Appendix Item 6:
Include screenshot/file content here.
Appendix Item 7:
Include screenshot/file content here.
Appendix Item 8:
Include screenshot/file content here.
Appendix Item 9:
Include screenshot/file content here.
Appendix Item 10:
Include screenshot/file content here.
Appendix Item 11:
Include screenshot/file content here.
Appendix Item 12:
Include screenshot/file content here.
Appendix Item 13:
Include screenshot/file content here.
Appendix Item 14:
Include screenshot/file content here.
Appendix Item 15:
Include screenshot/file content here.
How to get started: 
Review Lecture 5 – report writing guidelines
Review the assignment and expectations
Make sure FTK and Imager (the versions that are posted on Blackboard) or Autopsy ()  are installed
Download the project image and hash values from Blackboard
Open the image with FTK Imager – verify it to make sure the hash values match what was given
Open the image in FTK/Autopsy to start your analysis 
Document each step!! 
Hints/reminders for the project: 
Your report should document each step in your analysis and explain what you did, what you found, how, where, what the technical aspects mean
Don’t interpret the file content – that is out of the scope of your job!
You can’t say a specific person did something – make sure you differentiate between PEOPLE and USERNAMES
Stick to the facts
Write in first person
Include LOTS of screenshots – but these go in the appendix, not the body of your report! 
Don’t forget to include the basics in your report – who are you? Your authority? What case is this? Background?
Need help?
HELP! Folder on blackboard
Labs 2 and 3
Lecture 5, 6, and 7
Ask! 
Tips:
The report is investigating the image file I posted on Blackboard. This is a forensic image of a flash drive.

You will want to load the image file into FTK Imager and verify the hash. DO NOT create an image of the image file – this will give you a different hash. You just want to “add evidence item” and “Verify drive/image.”
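The verification step above boils down to hashing the image file exactly as received and comparing it with the hashes that came with it. The script below is an added example for this assignment, not FTK Imager's code; it assumes the supplied hash file contains lines of the form `<ALGORITHM> checksum: <hex>` (an assumption about the format), and the "image" it hashes is a constructed 3 MiB file, not evidence.

```python
"""Verify a forensic image against the hash values supplied with it.

Added example for this assignment; not FTK Imager's code. The image is hashed
AS IS (never re-imaged, which would change the digest). The hash-file layout
'<ALGORITHM> checksum: <hex>' is ASSUMED; the sample data is CONSTRUCTED.
"""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_LINE = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*checksum\s*:\s*([0-9a-fA-F]+)\s*$", re.I)
CHUNK = 1024 * 1024   # 1 MiB blocks, so a multi-GB image is never loaded into RAM at once


def parse_hash_file(text: str) -> dict:
    """Pull '<ALG> checksum: <hex>' lines from the verification text (keys upper-case)."""
    given = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            given[m.group(1).upper()] = m.group(2).lower()
    return given


def hash_image(path, algorithms=("MD5", "SHA1")) -> dict:
    """Single pass over the image, updating every requested digest simultaneously."""
    hashers = {alg: hashlib.new(alg.lower()) for alg in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(path, hash_text: str) -> dict:
    """Compare calculated against given, keeping both so the report can quote them side by side."""
    given = parse_hash_file(hash_text)
    if not given:
        raise ValueError("no recognisable hash lines in the supplied hash file")
    computed = hash_image(path, tuple(given))
    per_alg = {alg: {"given": given[alg], "calculated": computed[alg],
                     "match": given[alg] == computed[alg]} for alg in given}
    return {"algorithms": per_alg, "verified": all(r["match"] for r in per_alg.values())}


def demo(work_dir=None) -> tuple:
    """Verify a CONSTRUCTED 3 MiB 'image', then show that a single changed byte is caught."""
    work = Path(work_dir or tempfile.mkdtemp())
    image = work / "constructed_flash.dd"
    image.write_bytes(bytes(range(256)) * (3 * 4096))        # 3 MiB of pattern, not evidence
    hash_text = "\n".join(f"{alg} checksum: {hx}" for alg, hx in hash_image(image).items())
    good = verify_image(image, hash_text)["verified"]
    data = bytearray(image.read_bytes())
    data[4096] ^= 0x01                                       # any alteration breaks the match
    image.write_bytes(bytes(data))
    tampered = verify_image(image, hash_text)["verified"]
    return good, tampered


if __name__ == "__main__":
    print("untouched image verified:", demo()[0], "| altered image verified:", demo()[1])
```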

For the analysis of the image file, I suggest using Autopsy or the demo version of FTK (if it works on your system)

Your report should document step by step what you do in the investigation

You must use the template provided – remove the placeholder text and replace with what the sections tell you to include

You should be documenting file properties and metadata, NOT content of the files

DO NOT discuss the contents of the files or make assumptions.
 
Example of a “good” statement:

“In FTK, I navigated to the documents category by clicking on the documents button in the ____ screen on the tool. From here, I navigated to the view panel at the bottom of the screen and scrolled through the document files detected by the tool. I located a file named maps.doc located at the filepath E:\maps.doc. This file is deleted. _______ indicates that the file was deleted. Deleted files can be recovered and restored by FTK because ________. By analyzing the file extension, the file indicates that it is a Microsoft Word document.  The modified time is ____. This indicates ____. The accessed time is ___. This indicates ___. The creation date of the file is ____. This indicates ___. When analyzing the file properties by following these steps ______, I located the username ____. The file indicates that the username that created the file was ____. The other properties located in this document are (possibly include author, last printed date, EXIF data, etc.) _____. These properties indicate ____.”

Documents step by step what you did. Gives the file name, file path, and properties, and explains the metadata. Does not say a person did something; refers only to usernames. Does not try to interpret (or misinterpret) file content. Sticks to the facts of what you did and what you found.

Example of a “bad” statement:

“Using FTK I found a document called maps.doc by scrolling through the image file. The file looked suspicious, so I included it. The document contains maps. The maps that show the suspect is planning to blow up the locations marked on the map. This file was created by the suspect Adolph Heineken. This file was created on _____, which is after the access date so the properties must have been changed by the suspect.”

Doesn’t explain the steps, just that you “found it”. Is biased – saying the file looks “suspicious” is an opinion, not a fact. Talks about the file content – do not do this! Makes accusations about the suspect and doesn’t differentiate between a username (which is easily altered by a user) and an actual person. Doesn’t explain the metadata and file properties. Makes a misstatement about the file properties being altered, which is not a true statement. 
