: Lab 2: Creating a Clone

CCSI 410 Forensic Lab Report

1) Investigator’s Name: Rebecca Collins

2) Date of Investigation: 5/15/2014

3) Lab Number and Title: Lab 2: Creating a Clone

4) Summary of Findings:

Created a bit stream copy of the suspects drive located on drive E: and copied it to the target drive located on F: this will be used for the examination. Compared the MD5 has codes, and answered the questions in regards to identifying drives , preparing and wiping drives, the importance of hashing, alternative ways to create a bit-stream copy of a drive, and a command line way to obtain has values on a drive.

5) Details of Investigation

The following events occurred on Thursday, May 15, 2014 at Acquisition Site – Computer Forensics class, Urbana, IL.

1. 3:34 pm – Opened FTK

2. 3:35 pm – Opened FTK Imager

3. 3:37 pm – Created disk image of suspects drive

4. 3:39 pm – Took screenshot of the drive image results and summary

5. 3:41 pm – Closed FTK and ended Lab

6) Please type the answers to the questions found throughout the lab here.

1. Your forensics station should be something you are familiar with already so you should already know which drives belong to that system and the letters of each one. If the evidence drive and the target drive are connected to the computer you would be able to tell which one is which by clicking on the drive under the “my computer” option and checking to see which one is empty. Your target drive should be empty and the evidence drive will not be.

2. The drive needs to be prepared to make sure there is no information stored on it from previous cases.

You cannot just delete the files on a disk drive, this does not truly delete the file, it just removes the file allocation and changes the filename. The information then becomes located in unallocated space. This is an issue when copying information from the suspects drive to the target drive because your hash values will not match on the...