Introduction

The objective of computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. However, whenever forensic investigators explore a machine in search of evidence, they risk changing the very data they seek, potentially invalidating evidence. For this reason, they use tools that incorporate write-blocking technologies and can be run without having to be installed on the target machine. These bootable tools provide ease of access within the imaged, virtualized, or write-blocked copy of the original system without compromising the workstation or user profiles.

These tools can collect valuable forensic data from a workstation as well as from a specific user without changing the workstation environment or user profiles. Potential data sources can include the following:

  • Current running processes
  • Popular Internet browsers used, such as Internet Explorer, Chrome, and Firefox
  • Browser cache, cookies, history, favorites, or bookmarks that have been created, used, or accessed
  • Search engine queries from sources such as Google, Bing, and Yahoo!
  • Social networking sites visited (Twitter, Facebook, and so on)

The data gathered can then be analyzed to identify evidence. The difference between data and evidence is that data is a collection of facts from which you can draw conclusions, while evidence is a specific type of data that proves or disproves a hypothesis or accusation.

In this lab, you will use a variety of forensic tools. These tools are independent executables, meaning they run locally on the workstation or server under investigation. You will document specific data from each tool.

In the first part of the lab, you will use a tool to identify system information and gather details about the images on the machine under investigation.

In the second part of the lab, you will explore different forensic utility tools to get additional data on running processes, favorites, cached items, cookies, and browser searches.

If assigned by your instructor, you will explore the virtual environment on your own to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

  • Gather potential forensic evidence from a running system.
  • Identify the system state and potential evidence in a forensically sound manner.
  • Explore a variety of bootable forensic utilities to uncover potential evidence and preserve forensic integrity.
  • Distinguish which forensic evidence or investigative tools can be used to collect specific data.
  • Create a report of the running processes and browser usage for a Windows workstation.

Using Helix, run a WinAudit report and save it as yourname_WinAuditChallenge.pdf, replacing yourname with your own name. Save the file to the Storage (E:) folder.

In your Challenge Questions file, describe the errors found in the error logs of the Helix WinAudit report.

What is the main advantage of a bootable forensic suite like Helix?

Describe five ways in which Process Explorer (procexp) can be used in computer forensics as part of an investigation.

Which forensics tool would you use to reveal recent searches via the Internet Explorer browser?

How would IECacheView help a forensic investigator?

All the tools used in this lab are intended to analyze data. What is the difference between data and evidence?
