please see attached

GMU IT 357 Forensic Report

Name

This is an educational project for a George Mason University course. Contents of this report are part of a fictional scenario.

By submitting this assignment, I certify I have abided by all requirements of the GMU honor code. I certify that this is entirely my own work, no unauthorized sources have been used, and all sources used have been properly cited.

Include your name, who you work for, qualifications to conduct this analysis

Include the background of the case, search warrant authorization, where, when, and how the evidence was found

Give details about the evidence – i.e. what type of evidence are you examining? Give an explanation of how the evidence was acquired and steps taken. Hint: You were given the image file, who created this, how did you obtain this?

Explain the hash process, and what tools were used. Explain what a hash is and why it is important. Show the hash value given with the evidence and compare it to the hash value you calculated with the image verification. Hint: You were given an image file, do not create an image of the image, just verify it.

Explain what tools and systems you are using to conduct the analysis, include versions of the tools and additional information about the tools or any details to give credibility.

Give an overview explaining your approach to the forensic investigation and analysis of the evidence.

Give an overview of the structure of the drive, number of files, folders and folder organization, etc.

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Include relevant info listed above

Include relevant info listed above

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Include relevant info listed above

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Include relevant info listed above

Include relevant info listed above

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Include relevant info listed above

Include relevant info listed above

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Include relevant info listed above

Include relevant info listed above

Explain the steps you have taken to get here

Explain relevance and other details

Give all of the details about this evidence item in a way a non-technical person would understand

Explain exactly HOW you found it using the tools (not just “I found this using FTK”)

Give the file path (full file path from the root of the EVIDENCE drive, not of your image you are working off)

Explain information about the file properties, metadata, and any relevant technical information, including the file type. Is it a file or a deleted file? How can you tell? How can you recover this if it’s “deleted”?

Explain the technical significance of this (e.x. Link files are created when a file is opened in Windows Explorer. They contain information specific to the underlying file and are a reliable indicator that a particular file was opened. Link files were found on this computer that are consistent with File A being opened on March 1st, 2006 at 2:44 am.)

Reference the appendix # with the content of the file.

Notes:

No file content goes here.

No screenshots go here.

No analysis of the file content.

No interpretations or opinions.

Differentiate between a username and person – don't say a person did something.

Don’t use long paragraphs, break them up so it is easy to read.

Don’t use vague language like several or many, be specific

Write in first person

Write like this is a professional report

If you include technical information it MUST be explained.

Don’t include lists of technical info without an explanation.

Summarize technical findings as necessary. Stick to the FACTS, not your interpretation.

Include screenshot/file content here.

NOTE:

Do not include interpretations, opinions, or discussion of file content.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.

Include screenshot/file content here.