Unit 9 It411 Methods of Discovery


Words: 877

Pages: 4

Category: Science and Technology

Date Submitted: 06/29/2013 06:24 PM


Unit 9 Project

Methods of Discovery, a Case of Abuse

Kyle Suplee

IT411: Digital Forensics

Professor Richardson

September 6th, 2011

This paper assumes an investigation into corporate computer abuse. An example might be an employee using network bandwidth, email, and personal computers for a side business or other means of financial gain. Regardless, the computers are the private property of the corporation, and the user has violated the company’s technology use policies. EnCase is an excellent evidence-gathering tool in such a situation. Please read on to understand why EnCase is the tool for the job.

Items can be hidden within the partition table; this is a very sneaky method of concealing data or otherwise sabotaging a system. In order to evaluate the partition table of the suspect’s computer, I would use the Bookmark Data dialog box (Bunting, 2007). This would be done from the Disk View in the Table Pane of the EnCase GUI. The partition table is basically a piece of disk space on a drive that is marked by an OS as the area from which the OS needs to read code to bring itself up. I would evaluate the partition table to find the starting sector of the system partition. Partition tables are 64 bytes long and start at offset 1BEh of the master boot sector. Four primary partitions can be held within a single partition table ("What is partition," ).
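The layout facts in the paragraph above (a 64-byte table at offset 1BEh of the master boot sector holding four 16-byte primary entries) are enough to read the partition table directly from a disk image without EnCase. The following is an added example, not part of the original paper or of EnCase: it builds a constructed 512-byte MBR in memory, parses the four entries, reports the starting sector of the bootable (system) partition, and lists the sector ranges that fall outside every partition, which is where an examiner would look for data stashed outside any file system. The sample partition values are invented for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Layout facts from the essay: 64-byte table at 1BEh, four 16-byte entries.
SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
ENTRY_COUNT = 4
BOOT_SIGNATURE = b"\x55\xaa"           # last two bytes of a valid MBR
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not taken from a real disk) with two used entries."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800),    # bootable NTFS
        (0x00, b"\0\0\0", 0x0C, b"\0\0\0", 210944, 102400),  # FAT32 (LBA), leaves a gap
    ]
    for i, entry in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, *entry)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the four primary entries at offset 1BEh of the first sector."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AAh missing: not a valid MBR")
    entries = []
    for i in range(ENTRY_COUNT):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE]
        )
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "used": ptype != 0 and count != 0,   # all-zero entry means unused slot
        })
    return entries


def system_partition_start(entries: List[Dict]) -> Optional[int]:
    """Starting sector of the partition flagged bootable, or None if none is."""
    for e in entries:
        if e["used"] and e["bootable"]:
            return e["lba_start"]
    return None


def unallocated_gaps(entries: List[Dict]) -> List[Tuple[int, int]]:
    """Inclusive sector ranges not covered by any used partition (sector 0 is the MBR).

    Alignment gaps are normal, but they are also space no file system accounts for,
    so an examiner wants them enumerated rather than silently skipped.
    """
    used = sorted((e for e in entries if e["used"]), key=lambda e: e["lba_start"])
    gaps = []
    cursor = 1
    for e in used:
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - 1))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    return gaps


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    for e in table:
        print(e)
    print("system partition starts at sector", system_partition_start(table))
    print("unallocated sector ranges:", unallocated_gaps(table))
```

On a real image, replace `build_sample_mbr()` with the first 512 bytes read from the image file; the parser deliberately refuses data without the 55AAh signature rather than guessing, since a missing signature is itself a finding worth recording.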

Using EnCase, an investigator can mount files for examination. Compound files, or files that contain data that is part of a hierarchical structure, can be mounted as well. In order to mount a compound file within EnCase you must right-click on the file and choose View File Structure (Bunting, 2007). The software will then mount the file for you. This allows you to investigate the file’s structure in the Tree Pane from the root, or beginning, of the selected file. EnCase can mount a variety of compound files, including those that are compressed, encrypted, and raw data, along with temp files....
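To make the "view file structure from the root" idea concrete for one compressed compound file type, here is an added example (not from the paper and not EnCase code) that builds a constructed ZIP archive in memory, walks its members into a tree rooted at the archive, and records the size and SHA-256 of each member so that what was examined can later be matched against the original. The archive contents are invented for the example.

```python
import hashlib
import io
import zipfile
from typing import Dict


def build_sample_archive() -> bytes:
    """Constructed ZIP (not a real evidence file) with a nested directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoices/2011-08.csv", "client,amount\nacme,1200\n")
        zf.writestr("invoices/2011-09.csv", "client,amount\nacme,1350\n")
        zf.writestr("notes.txt", "side business contacts\n")
    return buf.getvalue()


def file_structure(data: bytes) -> Dict:
    """Return the archive as a nested dict: directories map to dicts,
    files map to {size, compressed, sha256} computed from the member bytes."""
    root: Dict = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.strip("/").split("/")
            node = root
            for directory in parts[:-1]:          # descend, creating dirs as needed
                node = node.setdefault(directory, {})
            if info.is_dir():
                node.setdefault(parts[-1], {})
                continue
            content = zf.read(info)
            node[parts[-1]] = {
                "size": info.file_size,
                "compressed": info.compress_size,
                "sha256": hashlib.sha256(content).hexdigest(),
            }
    return root


def render(tree: Dict, indent: int = 0) -> str:
    """Text rendering of the tree, one entry per line, like a tree pane."""
    lines = []
    for name in sorted(tree):
        value = tree[name]
        if "sha256" in value and "size" in value:
            lines.append(f"{'  ' * indent}{name}  ({value['size']} bytes, {value['sha256'][:12]}...)")
        else:
            lines.append(f"{'  ' * indent}{name}/")
            lines.append(render(value, indent + 1))
    return "\n".join(line for line in lines if line)


if __name__ == "__main__":
    print(render(file_structure(build_sample_archive())))
```

The `is_dir()` branch matters on real archives, which often carry explicit directory entries; without it a directory entry would be recorded as a zero-length file.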