
A third-party forensic firm, Grouppunch, was brought in to image the hard drive of Mr. Howard’s computer. A copy of that image has been provided for your investigation.

Along with the EWF files in your Case Evidence folder is a text file (verification_hashes.txt) that contains the SHA256 hashes for the individual files. This is NOT the hash for the acquisition of the entire hard drive image; that hash is contained in the 2022FALL340-440.E01.txt file.

Remember that when you drag and drop the first E01 image file into EnCase, it will automatically load the other EWF/E0* files in the directory.

You are being tasked with examining the evidence and providing a forensic report on your findings based on the following questions:

1) What is the Disk Signature?
2) Parse out the Master Boot Record and provide the following data for the valid partitions:
a. Partition Type
b. Starting sector
c. Partition Size
3) Find out the following information about the machine:
a. Computer Name
b. Time Zone of Computer
c. Last Shutdown Time
4) When did the unknown individual get access to Mr. Howard’s laptop?
5) How did the unknown individual get access to Mr. Howard’s laptop?
6) Is there any evidence the unknown individual placed malware on Mr. Howard’s laptop?
7) Was any information potentially stolen off of Mr. Howard’s laptop?
8) Is there any possible indication that Mr. Howard was in on the scheme?
9) Is there any evidence that the unknown individual accessed any other systems on the network?
10) Put a timeline together that shows the activity of the unknown individual on Mr. Howard’s machine.
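
For questions 1 and 2, the disk signature and the partition entries sit at fixed offsets in sector 0, so what EnCase reports can be cross-checked by hand. The following is an added example, not part of the original assignment: it assumes a raw 512-byte copy of sector 0 and a classic (non-GPT) MBR with 512-byte sectors, and the sample sector and its values are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors
TYPE_NAMES = {0x05: "Extended (CHS)", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
              0xEE: "GPT protective"}

def parse_mbr(sector: bytes) -> dict:
    """Return the disk signature and the in-use partition entries of an MBR."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte sector 0")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    # Disk signature: 4 bytes at offset 0x1B8, stored little-endian.
    (sig,) = struct.unpack_from("<I", sector, 0x1B8)
    partitions = []
    for slot in range(4):  # four 16-byte entries starting at 0x1BE
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, 0x1BE + 16 * slot)
        if ptype == 0x00 or count == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return {"disk_signature": f"0x{sig:08X}",
            "raw_bytes": sector[0x1B8:0x1BC].hex(" ").upper(),
            "partitions": partitions}

def build_sample_mbr() -> bytes:
    """Constructed sector 0 with two partitions (illustrative values only)."""
    s = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", s, 0x1B8, 0x1A2B3C4D)
    struct.pack_into("<B3xB3xII", s, 0x1BE, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", s, 0x1CE, 0x00, 0x07, 206848, 1000000)
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(mbr["disk_signature"], "on-disk bytes:", mbr["raw_bytes"])
    for p in mbr["partitions"]:
        print(p)
```

Note that the signature is stored little-endian, so the bytes seen in a hex view appear in reverse order from the value as usually reported; state which form you are quoting in the report.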
