COMP9721 - Enterprise Information Security GE

    Flinders University College of Science & Engineering
    EIS and EIS(GE) Assignment 2
    Forensic Analysis

Software used: BEViewer with Bulk Extractor 1.5.5.

Tip - See "Understanding Bulk Extractor Scanners": https://confluence.educopia.org/display/BC/Understanding+Bulk+Extractor+Scanners

I can provide you the data which was used for this report, because this assignment requires my own PC data.

Step One:

Create forensic reports of the user folder using bulk extractor. DO NOT EXAMINE YOUR WHOLE DISK

On a Windows system this is


Note that these paths may be different depending on your system’s configuration.

Step Two:

Analyse the information in the generated reports.

What information can you find? For example:

  • who are the users?
  • what personal information is found?
  • which Internet sites have been visited?
  • which communication trails are found?
  • what are the users’ hobbies or interests?
  • what did you find that surprised you?
  • did you find potential threats?

For each step in your analysis make detailed notes for your forensic report.

Other tools may be used, such as grep (grepWin or greppie), a hex editor (HxD or 0xED), ExifTool, or SleuthKit (Autopsy).

Step Three:

Write the Case Report, which should contain these headings:

The Case Summary

In the case summary, the basic information about the situation is briefly described. What happened to lead to an investigation being launched? Remember you are role playing a digital forensic analyst.

Acquisition and Preparation

The report goes into the steps taken in preparing the devices and media for examination and how the examination of the materials was conducted. This section of the final report summarises the details that are in the various examination logs that were collected along the way. It is not necessary to be quite as detailed here, but it is important that no steps be left out. You should not include details of sensitive information in the report. Details that should be included are:

  • any actions taken prior to evidence acquisition (such as photographic records);
  • how the media on which forensic copies were stored was prepared, including what tools were used to protect and/or sanitise the media;
  • before/after hash values of disk images examined;
  • tools that were used for making images;
  • individual steps that were taken during each process.

Include times and dates that evidence items were handled.

Findings

The findings section is not a place for coming to conclusions. This is only where the results of the various tests, examinations, and procedures are reported. As with the preparation stage, it is necessary to document what tools were used and what steps were taken, but not a minutely detailed description.

The process used in any given file search should be described, including such details as search strings used, Boolean operators used, and so forth. Rather than list each and every file found during the search, a summary of findings, including the number and types of files found, is in order. The results of an Internet search would include a listing of any Web sites visited by users on the target system, organized by user. A histogram of Internet activity could be included to show where most activity occurred.
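The per-user Internet activity histogram asked for here, and the report analysis of Step Two, both start from bulk_extractor's feature files (url.txt and the like), which are tab-separated lines of forensic path, feature and context behind a block of "#" header comments. The script below is an added example, not part of the assignment or of bulk_extractor itself; the sample url.txt content is constructed, and the path C:/Users/alice is a placeholder.

```python
"""Parse a bulk_extractor feature file (e.g. url.txt) and build a per-host histogram.

Data lines are: <forensic path>\t<feature>\t<context>. Header lines start with '#'.
The sample below is constructed to mimic the 1.5.5 layout; it is not real output.
"""
from collections import Counter
from urllib.parse import urlparse

SAMPLE_URL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.5
# Feature-Recorder: url
# Filename: C:/Users/alice
# Feature-File-Version: 1.1
4096\thttp://www.example.com/index.html\t<a href="http://www.example.com/index.html">
8192-GZIP-120\thttps://mail.example.org/inbox\tGET https://mail.example.org/inbox HTTP
12288\thttp://www.example.com/about\tLocation: http://www.example.com/about
16384\thttps://news.example.net/\thref="https://news.example.net/"
"""


def parse_feature_file(text):
    """Yield (forensic_path, feature, context) per data line, skipping '#' headers."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t", 2)          # context may itself contain tabs
        if len(fields) < 2:
            continue                           # malformed line: ignore, do not crash
        path, feature = fields[0], fields[1]
        context = fields[2] if len(fields) == 3 else ""
        yield path, feature, context


def host_histogram(text):
    """Count URL features by lower-cased hostname; this is the report's activity histogram."""
    counts = Counter()
    for _path, feature, _context in parse_feature_file(text):
        host = urlparse(feature).hostname
        if host:
            counts[host.lower()] += 1
    return counts


def compressed_hits(text):
    """Forensic paths with a '-' segment (e.g. 8192-GZIP-120) were carved from compressed data."""
    return [path for path, _f, _c in parse_feature_file(text) if "-" in path]


if __name__ == "__main__":
    for host, n in host_histogram(SAMPLE_URL_TXT).most_common():
        print(f"{n:4d}  {host}")
```

bulk_extractor also writes its own url_histogram.txt; parsing url.txt directly lets you group by host per user folder and see which hits came from inside compressed or encoded data, which the report should note without reproducing the sensitive context strings.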

Conclusion

The summary is where the investigator presents the interpretation of the facts. The "how" and "why" parts of the story are filled in.

At this point, the writer of the report may need to do more than present facts about what was found. As with all other sections in this report, the expression of opinions should be reserved. However, this is the one place in the report where a professional opinion might be required.

The conclusion should tie all other sections together. The final report should indicate that the investigation was thorough and complete.