
Forensic Imaging and Windows

Lab 2

Name:

G#:

Lab Questions: ANSWERS MUST BE IN COMPLETE SENTENCES FOR FULL CREDIT.

  1. What is a forensic image?

  2. Record your MD5 and SHA hashes.

  3. Include a screenshot from your overview tab showing the breakdown of evidence types.

  4. What indicates a file has been deleted in FTK? (Besides showing up in the “deleted files” section of the overview tab.)

  5. Record your MD5 and SHA hashes.

  6. What is the difference (if any) between the computed hash and the report hash calculated in your lab? (Were the hashes in Question 2 and Question 5 the same? What does this indicate?)

  7. What information did you learn about the practicecase.001 dd image you downloaded from Blackboard? What kind of file system and operating system was used to create this disk? (Hint: If you can identify the file system, look up the associated operating system.)

  8. Why is it important to run WinHex or other forensic tools in Write Protect mode?

  9. Why is it important to securely wipe (erase) a disk before saving evidence to it?

  10. What is Safe Mode and how do you get into it?

  11. Where would you go to find out which device the machine is set to boot from?

  12. What is the System Restore tool used for? How do you set a system restore point?

  13. Why is the System Restore tool of interest to a forensic examiner?
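The following script is an added worked example for Questions 2, 5, 6 and 7; it is not part of the lab handout and does not reproduce FTK or WinHex output. It hashes a raw dd image in a single pass with MD5, SHA-1 and SHA-256, compares the results with the hashes printed in an acquisition report (case-insensitively, the way an examiner would when the tool and the report format digests differently), and reads the first sector to tell a FAT or NTFS volume boot record apart from a whole-disk MBR. The boot sector bytes, the temporary file name and the "report" values are constructed for the demo and are assumptions, not data from practicecase.001.

```python
# Added example (not from the lab handout): hash a raw dd image, verify it
# against report hashes, and identify its file system from the first sector.
import hashlib
import io
import os
import struct
import tempfile

CHUNK = 1024 * 1024           # read 1 MiB at a time so a multi-GB image never sits fully in RAM
ALGORITHMS = ("md5", "sha1", "sha256")

# MBR partition-type bytes that matter for a Windows/DOS-era practice image (assumed subset).
MBR_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x07: "NTFS/exFAT",
             0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
             0x83: "Linux", 0xEE: "GPT protective"}


def _open(source):
    """Accept either a path to an image file or raw bytes (used by the demo and tests)."""
    if isinstance(source, (bytes, bytearray)):
        return io.BytesIO(bytes(source))
    return open(source, "rb")


def hash_image(source, algorithms=ALGORITHMS):
    """Feed every chunk to all digests in one pass, as an imaging tool does while copying sectors."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with _open(source) as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_against_report(computed, report):
    """Compare computed digests with the report's, algorithm by algorithm.

    Hex is compared case-insensitively with whitespace stripped. A False for any
    algorithm means the evidence file is not byte-for-byte what was acquired
    (altered, truncated, or the wrong file was hashed), not a tool quirk.
    """
    return {name: name in computed and computed[name].lower() == expected.strip().lower()
            for name, expected in report.items()}


def identify_filesystem(source):
    """Classify the first 512 bytes: NTFS/FAT volume boot record, MBR, or unknown.

    NTFS carries the OEM ID 'NTFS    ' at offset 3; FAT12/16 and FAT32 carry a
    type string at 0x36 and 0x52 respectively; any valid x86 boot sector ends
    in 0x55 0xAA. A whole-disk image starts with an MBR instead, so the
    partition-type bytes at 0x1BE+4, 0x1CE+4, ... are reported as a fallback.
    """
    with _open(source) as fh:
        sector = fh.read(512)
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return "unknown: no 0x55AA boot signature"
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x57] == b"FAT32":
        return "FAT32"
    if sector[0x36:0x39] == b"FAT":
        return sector[0x36:0x3E].decode("ascii", "replace").strip()   # "FAT12" or "FAT16"
    types = [MBR_TYPES.get(sector[0x1BE + 16 * i + 4], "0x%02X" % sector[0x1BE + 16 * i + 4])
             for i in range(4) if sector[0x1BE + 16 * i + 4]]
    if types:
        return "MBR partition table: " + ", ".join(types)
    return "unknown: boot signature present but no FAT/NTFS fields"


def build_fat16_boot_sector():
    """Constructed 512-byte FAT16 volume boot record (not taken from any real disk)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                     # jump to boot code
    s[3:11] = b"MSWIN4.1"                        # OEM ID as written by Windows 9x-era format
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
    # media byte, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", s, 11, 512, 4, 1, 2, 512, 0, 0xF8, 32, 63, 255, 0, 65536)
    s[0x36:0x3E] = b"FAT16   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def demo():
    """Write a tiny constructed image to a temp file and run the full check on it."""
    image = build_fat16_boot_sector() + b"\x00" * (64 * 1024)
    fd, path = tempfile.mkstemp(suffix=".001")          # assumed name; not the lab's image
    with os.fdopen(fd, "wb") as fh:
        fh.write(image)
    try:
        computed = hash_image(path)
        # A "report" as a tool might print it: upper-case MD5 (matches) and a wrong SHA-1.
        report = {"md5": computed["md5"].upper(), "sha1": "0" * 40}
        return {"fs": identify_filesystem(path),
                "verify": verify_against_report(computed, report),
                # flipping one byte anywhere in the image changes every digest
                "one_byte_changed": hash_image(image[:-1] + b"\x01")["md5"] != computed["md5"]}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run it on a real image by calling `hash_image("practicecase.001")` and `identify_filesystem("practicecase.001")`; if the report's digest does not match, the answer to Question 6 is that the file on disk is no longer the file that was acquired, and the mismatch should be investigated before any findings are reported.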

© 2006 Anne Marchant with contributions by Kristin Baldassaro & Rebecca Tenally, updated 2014

By submitting this assignment, I certify I have abided by all requirements of the GMU honor code. I certify that this is entirely my own work, no unauthorized sources have been used, and all sources used have been properly cited.