Chris' Website


Project

ISYS 377: Cyber Forensics - This is a fundamental required course as part of an interdisciplinary curriculum that is very much in demand in today's society. This course covers cyber forensics as part of one of the three academic areas in the interdisciplinary curriculum. The three areas covered are cyber security, cyber forensics, and cyber policy and law. This class covers methods and tools for gaining forensic information from computer systems and networks. It includes case studies of cyber crimes as well as the application and management of cyber forensics. The course introduces students to forensics tools using hands-on experience and the Internet.


Description of the Class:

This class has been very interesting because we learn about the ins and outs of a computer. We use different software, such as ProDiscover Basic, to recover data and much more. I have learned how to take an image of a USB drive, and about the hash values of things. I have also learned in detail what is required in a forensic laboratory, as well as processing crimes and incident reports. We have also gone into detail about the Macintosh system and the Linux operating system. This class has given me an extensive amount of knowledge about the computer and how to do data acquisition.


A project that I found to be extremely interesting is how to do a system restore. A system restore is very important because if for some reason you mess with your registry, you may need to go back and start over by setting your computer back to a restore point. I really loved being able to capture an image of a jump drive with AccessData FTK Imager. This is where we can capture an image of a USB drive and be able to look through anything that may have been deleted to find any illegal activity that may have taken place; for example, someone may have had child pornography photos and deleted them to hide any evidence. We can go in and find this by doing this. The last thing I really enjoyed was being able to identify metadata using FTK Demo. This is where we add any evidence and are able to look at the files differently.


Below are directions on how to do the project described above; these directions are written by Dr. Lau.


Assignment:

1) System Restore:

        - Click START, point to ALL PROGRAMS, point to ACCESSORIES, point to SYSTEM TOOLS, and click SYSTEM RESTORE. When the UAC message box opens, click CONTINUE.

        - In the first window of the system restore wizard, click the OPEN SYSTEM PROTECTION link to create a restore point.

        - In the system properties dialog box, click the CREATE button. In the Create a restore point window, enter a name for the restore point, click CREATE, and then click OK twice.


2) Capture an Image of a jump drive with AccessData FTK Imager

        - Boot your forensic workstation to Windows, using an installed write-blocker or the USB write protection Registry method.

        - Connect the evidence drive to a write-blocking device or USB device

        - Connect the target drive to a USB external device, if you're using a write blocker

        - START FTK Imager

        - In the FTK imager main window, click FILE, CREATE DISK IMAGE from the menu.

        - In the Select Source dialog box, click the PHYSICAL DRIVE option button, and then click NEXT.

        - In the select drive dialog box, click the DRIVE SELECTION list arrow, click the subject drive, and then click FINISH.

        - In the create image dialog box, click to select the VERIFY IMAGES AFTER THEY ARE CREATED check box, and then click ADD. In the select image type dialog box that opens, click the RAW (dd) option button, and then click NEXT.

        - In the select image destination dialog box, click BROWSE, navigate to the location for the image file, and then click OK.

        - In the image filename text box, type InChp04-ftk, and then click FINISH. 

        - Next, in the create image dialog box, click START to initiate the acquisition. 

        - When FTK imager finishes the acquisition, click CLOSE in the drive/image verify results dialog box, and then click CLOSE again in the creating image dialog box.

        - Exit FTK imager by clicking FILE, EXIT from the menu.
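As an added example (not code from Dr. Lau's directions or from FTK Imager itself), the following Python script reproduces what the VERIFY IMAGES AFTER THEY ARE CREATED check box does for a raw (dd) image: it copies a constructed "evidence device" block by block with the source opened read-only, records the MD5 and SHA-1 of the source bytes as they are read, re-hashes the finished image file, and reports a match or mismatch. The device contents, file names and function names are assumptions for the example; the `.001` extension follows FTK Imager's naming for raw image segments.

```python
"""Added example, not code from Dr. Lau's directions or from FTK Imager:
the check that FTK's "verify images after they are created" option performs,
done by hand for a raw (dd) image. A raw image is a byte-for-byte copy of the
source, so the hashes of the source and of the image file must agree.
The evidence "device" below is a constructed file, not a real drive."""
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-GB image never has to fit in RAM


def hash_stream(fileobj):
    """Return (md5, sha1) hex digests of everything read from fileobj."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def hash_path(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def acquire_raw(source_path, image_path):
    """dd-style acquisition: copy the source to the image block by block.
    The source is opened read-only (the software counterpart of the write-blocker
    in the directions). Returns the source (md5, sha1) computed from the bytes as
    they were read; this is the value the finished image must reproduce."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, acquisition_md5, acquisition_sha1):
    """Re-hash the written image and compare with the acquisition hashes.
    Returns (ok, report); report lines mirror FTK's drive/image verify results."""
    image_md5, image_sha1 = hash_path(image_path)
    checks = [("MD5", acquisition_md5, image_md5), ("SHA1", acquisition_sha1, image_sha1)]
    report = [f"{name}: computed {a}  verified {b}  {'match' if a == b else 'MISMATCH'}"
              for name, a, b in checks]
    ok = all(a == b for _, a, b in checks)
    return ok, report


def demo():
    """Acquire a constructed 'USB drive', verify the image, then show that a single
    changed byte in the image is caught. Returns (clean_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence_device.bin")
        image = os.path.join(work, "InChp04-ftk.001")  # FTK Imager names raw segments .001
        # Constructed evidence: a fake boot sector, empty space, and a "deleted" file remnant.
        payload = (b"FAT12 boot sector\x00" * 64 + b"\x00" * 4096
                   + b"deleted_photo.jpg remnants " + bytes(range(256)) * 8)
        with open(source, "wb") as f:
            f.write(payload)
        md5, sha1 = acquire_raw(source, image)
        clean_ok, _ = verify_image(image, md5, sha1)
        # Alter one byte of the image: the verify step must now report MISMATCH.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        tampered_ok, _ = verify_image(image, md5, sha1)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print("clean image verified:", demo()[0], "/ tampered image verified:", demo()[1])
```

The acquisition hashes are what go in the case notes: any later re-hash of the image that does not reproduce them, whether from a copy error or from someone editing the file, means the image can no longer be treated as a faithful copy of the drive.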

3) Identify File Metadata using FTK Demo

         - Start Microsoft Word, and in the new document, type Student's Full Name (On line 1); Instructor's Full Name (On line 2); insert a reasonably sized photo of yourself (below the 2nd line); type, By creating a file, you can identify the author with file metadata (Below the picture).

         - Hide the instructor's full name and your photo.

         - Save the file as InChp05-01.docx to your work folder. Close the word file.

         - Open FTK

         - Click GO DIRECTLY TO WORKING IN PROGRAM, and then click OK. Click FILE, ADD EVIDENCE from the menu.

         - In the add evidence dialog box, enter your name as the investigator, and then click NEXT. In the evidence processing options dialog box, accept the default setting, and then click NEXT.

         - In the main add evidence to case dialog box, click the ADD EVIDENCE button. In the next add evidence to case dialog box, click the INDIVIDUAL FILE option button, and then click CONTINUE.

         - In the browse for folder dialog box, navigate to your work folder, click InChp05-01.docx, click OPEN, and then click OK. Click NEXT, and then click FINISH.

         - In the main window, click the OVERVIEW tab, if necessary. Under the file category heading, click the DOCUMENTS button. Click to select the InChp05-01.docx file in the bottom pane; its contents are then displayed in the upper-right pane.

         - On the file list toolbar at the upper right, click the VIEW FILES IN NATIVE FORMAT button, if the button isn’t already selected.

         - Next, click the VIEW FILES IN FILTERED TEXT FORMAT button. If you entered your username and organization when you installed Word, that information is displayed.

         - Exit FTK.   
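As an added example (not from Dr. Lau's directions and not FTK code), the Python script below shows where the information in step 3 actually lives inside a .docx. It builds a minimal sample document in memory (constructed, with made-up names; it omits the [Content_Types].xml and relationship parts, so Word itself would not open it, but the XML parts are the real ones), then reads docProps/core.xml and docProps/app.xml for the author and company, and word/document.xml for the text. Text hidden with Word's Hidden font attribute is not removed from the file; it is an ordinary run marked with <w:vanish/>, which is why a filtered-text view can still show it. Function names are assumptions for the example.

```python
"""Added example, not code from Dr. Lau's directions or from FTK: read the
author metadata and the hidden text out of a .docx by hand. A .docx is a ZIP
of XML parts; the sample below is constructed in memory with made-up names."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = NS["w"]


def build_sample_docx(author, last_modified_by, company, visible_text, hidden_text):
    """Constructed minimal .docx (no content-types or rels parts, so not Word-openable)
    whose metadata and body parts look like the ones Word writes."""
    cp, dc, dcterms, ep = NS["cp"], NS["dc"], NS["dcterms"], NS["ep"]
    core = (f'<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
            f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f"<dc:creator>{author}</dc:creator>"
            f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
            f'<dcterms:created xsi:type="dcterms:W3CDTF">2015-04-22T15:34:00Z</dcterms:created>'
            f"</cp:coreProperties>")
    app = (f'<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
           f"<Company>{company}</Company></Properties>")
    # Second paragraph carries <w:vanish/> in its run properties: Word's "Hidden" attribute.
    doc = (f'<w:document xmlns:w="{W}"><w:body>'
           f"<w:p><w:r><w:t>{visible_text}</w:t></w:r></w:p>"
           f"<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>{hidden_text}</w:t></w:r></w:p>"
           f"</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Return the identifying fields an examiner looks for first: author,
    last modifier, creation time (core.xml) and company (app.xml)."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        for key, path in (("author", "dc:creator"),
                          ("last_modified_by", "cp:lastModifiedBy"),
                          ("created", "dcterms:created")):
            node = core.find(path, NS)
            meta[key] = node.text if node is not None else None
        meta["company"] = None
        if "docProps/app.xml" in z.namelist():
            node = ET.fromstring(z.read("docProps/app.xml")).find("ep:Company", NS)
            meta["company"] = node.text if node is not None else None
    return meta


def read_text(docx_bytes):
    """Return (visible_runs, hidden_runs). Hidden text is a formatting flag on
    the run, not a deletion, so it is still present in the part."""
    visible, hidden = [], []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    for run in root.iter(f"{{{W}}}r"):
        text = "".join(t.text or "" for t in run.iter(f"{{{W}}}t"))
        is_hidden = run.find("w:rPr/w:vanish", NS) is not None
        (hidden if is_hidden else visible).append(text)
    return visible, hidden


if __name__ == "__main__":
    sample = build_sample_docx("Student Name", "Instructor Name", "Example University",
                               "By creating a file, you can identify the author with file metadata",
                               "Instructor Name")
    print(read_metadata(sample))
    print(read_text(sample))
```

The same fields come straight out of a real .docx by opening it with zipfile, which is a useful cross-check when a GUI tool shows an author or company value and you want to see exactly which part of the file it came from.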

Author: Christopher B. Workman
Last modified: 4/22/2015 3:34 PM (EST)