Scenario:
You are a computer forensic examiner working for the Department of Homeland Security (DHS). DHS has been investigating the possible threat of an attack within the U.S. by members of the Chechen mujahideen.
Your team has been conducting surveillance of suspected terrorist Anwar Tsarni, a Chechen native, currently working as a graduate teaching assistant at George Mason University. Anwar Tsarni is a known associate of accused Boston Marathon bombers Dzhokhar Tsarnaev and Tamerlan Tsarnaev and has traveled to a region with a known Chechen terrorist training camp in the past year.
After a six-month investigation including surveillance and wiretaps of the suspect, a search was conducted of an office located at: 10900 University Blvd., Manassas, VA 20110.
You will be investigating a forensic image of a flash drive found during this search. Investigators suspect it may have critical evidence on it that will lead them to break up a terrorist cell and thwart an attempted attack on the U.S. Your job is to conduct a forensic analysis of the disk and write a forensic report of your findings.
Tools:
- You may use any FORENSIC tools available to you.
- At the very least you should use:
  - FTK Imager (to verify the image and hash values)
  - FTK Toolkit (to conduct the majority of your investigation) or Autopsy (https://www.sleuthkit.org/autopsy/)
  - ExifPro (to examine JPEG files)
You must use the template provided and include the information listed. DO NOT LEAVE PLACEHOLDER TEXT; REPLACE IT WITH YOUR ACTUAL INFORMATION.
You will include the “best” evidence items and full analysis from the following categories in your report. Only include the number of items listed. Do not include more.
- Documents (3 items)
- PDF (2 items)
- Graphics (3 items, minimum 1 must be jpg)
- Deleted Files (3 items that are not discussed in other categories)
- HTML or Web-based Files (3 items)
- OLE Subitems (1 item)
- All other relevant background information, image verification, etc., listed in the template