Jenni's Site


Project

ISYS 377-01 Cyber Forensics with Dr. Lau

Course Description (taken directly from the syllabus) - This is a fundamental required course as part of an interdisciplinary curriculum that is very much in demand in today’s society. This course covers cyber forensics as part of one of the three academic areas in the interdisciplinary curriculum. The three areas covered are cyber security, cyber forensics, and cyber policy and law. This class covers methods and tools for gaining forensic information from computer systems and networks. It includes case studies of cybercrimes as well as the application and management of cyber forensics. The course introduces students to forensics tools using hands-on experience and the Internet.

 

In this class, I have learned how to use the basic tools of cyber forensics.

This includes ProDiscover, FTK Image Tools, Autopsy, HexWorkshop, and more.

I have learned how to use these tools to make image files and find hidden files.

Some of the labs in which I participated used the forensics tools to image a USB drive, examine the contents for pictures and text, and assign a report for the investigation process.

 

One of the labs we completed was Hands-On Project #2:

(Written by Dr. Lau)

HANDS-ON PROJECT 2

 

 

Task 1: Use AccessData FTK to Recover E-mail, p. 476-81 [60 points]

You will look for an email from Terry Sadler in the Jim_Shu’s.pst file.

 

  1. Create a new subfolder under your working folder and name it HOP2.
  2. Start AccessData FTK as administrator.
  3. Start a new case.
  4. In the New Case dialog box, type case number as InChp12-pst. Click Browse and navigate to your HOP2 work folder.
  5. In the Case Information box, enter info.
  6. In the Refine Case – Default box, click the Email Emphasis button.
  7. In the Add Evidence to Case box, click the Individual File option button, and click continue.
  8. In the Select File box, navigate to work folder, and click the Jim_shu’s.pst file.
  9. In the Evidence Info box, click OK.
  10. In the Add Evidence to Case box, click Next. In the Case summary box, click Finish.
  11. In the main window, click the E-mail Message button, and click the Full Path column header to sort the records (see Fig 12-27).
  12. Deliverable (# 1a): Capture a screenshot similar to Figure 12-27 (p. 479).
  13. Click the E-Mail tab. In the tree view, click to expand all folders, click the Inbox folder. If necessary, to view all messages, click the List all descendants check box.
  14. In the File List pane at the upper right, click Message0010 (see Fig 12-28); as shown in the pane at the bottom, it is from terrysadle and it is addressed to Martha.dax@superiorbiycles.biz.
  15. Deliverable (# 1b): Capture a screenshot similar to Figure 12-28 (p. 480).
  16. Right-click Message0010 in the File List pane, and click Export File. In the Export Files box, click OK. If you get a message box about exporting files with a filter applied, click the Do not remind me anymore check box, and then click OK. Click OK again in the Export Files message box. [p/s: the file is automatically saved to the InChp12-pst\Export subfolder in your HOP2 folder.]
  17. From the menu, click File, Exit, and No in the Exit Backup Confirmation box.

 

Task 2: View the Exported Message0010 File, p. 481 [40 points]

  1. Open Windows Explorer. Navigate to InChap12-pst\Export in your HOP2 work folder.
  2. Right-click the Message0010 file and click Rename. Type Message0010.html and press Enter.
  3. Double-click Message0010.html to view in a Web browser.
  4. Print/Save the home page as a PDF file.
  5. Deliverable (# 2a): the homepage PDF file.
  6. Deliverable (# 2a): Zip the html files into one zipped file.
  7. Exit your Web browser and Windows Explorer.

 

ProDiscover -

Source: https://samsclass.info/121/proj/RHINO4.png

HexWorkshop -

Source: http://screenshots.en.sftcdn.net/en/scrn/34000/34508/hex-workshop-1.jpg

 

Author: Jennifer E. Klemptner
Last modified: 4/27/2015 5:10 PM (EST)