Applying the Daubert Standard to Forensic Evidence
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you acted as a forensic specialist assisting the lead forensics investigator at the Cyber Crimes Division (CCD) for the Fremont Police Department. You were given a hard drive image taken from a seized computer suspected of containing stolen credit card numbers. You reviewed the search warrant and completed the Chain of Custody form that accompanied the evidence drive. You prepared the contents of the seized hard drive using a variety of forensic tools as evidence in accordance with the Daubert standard. You used FTK Imager to create hashes for key evidence files. You then validated the hash code using EnCase Imager and P2 Commander, two common forensic analysis tools.
Lab Assessment Questions & Answers
1. Why is the unallocated space of a Windows system so important to a forensic investigator?
2. From where were the badnotes1.txt and badnotes2.txt files recovered?
3. What is the INFO2 file used for?
4. How do you generate a hash file in FTK Imager?
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
5. What was the MD5 hash value in 043458.csv, the deleted e-mail file?
6. What is the Daubert standard?
7. Why must a forensic investigator be familiar with emerging technologies?