Creating a Forensic System Case File for Analyzing Forensic Evidence

Introduction

The goal of forensic analysis is to discover the who, what, when, where, why, and how of forensic evidence, while ensuring the digital evidence is preserved, defensible, and presentable in a court of law. But when forensic investigators explore a machine in search of evidence, they risk changing the very data they seek, potentially invalidating evidence. If evidence is to be presented in a court of law, it is important to follow chain-of-custody procedures. This ensures there is no evidence tampering, and that the original data source remains intact from the time it is collected until it is presented in court. This process includes the chronological documentation and collection of paper and digital information from when it was discovered, analyzed, and addressed or interpreted.

As part of the chain-of-custody documentation, it is a common practice to make a copy of the targeted image prior to performing the actual digital forensic investigation. This allows for a proper external digital forensic investigation that can be self-contained in a virtual machine (VM) environment. This ensures that no data is written to the drive and preserves the original forensic data.

In the case of digital forensic analysis, write-blocking technologies will ensure chain-of-custody procedures are maintained. Forensic investigating tools can analyze documents, e-mail messages, chat sessions, Registry and system files, installed programs, and the Internet browser history. In this lab, you will use a leading forensic application to investigate an image of a hard drive and find forensic evidence without affecting the integrity of the data on the image. You will create an electronic case file that contains the evidence file provided to you, and you will save the case file for later review. In this way, you will experience all the steps needed in a forensic investigation to preserve the source and ensure that the evidence is defensible and presentable in a court of law.

This lab has two parts, which you should complete in order:

In the first part of the lab, you will explore the P2 Commander tool in the virtual lab environment.

If assigned by your instructor, you will explore the virtual environment on your own to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

Create a new digital forensic case file using a forensic application.

Document a new digital forensic case with digital evidence submitted to the newly created case file.

Add forensic system image evidence to the case file.

Explain how to properly document and create a digital forensic case file as per the chain of custody.

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
P2 Commander

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

Lab Report file, including screen captures of the following step: Part 1, Step 19;

Lab Assessment worksheet;

Optional: Challenge Questions file, if assigned by your instructor.