Computer Forensics and Investigations
7th Edition by Bill Nelson
Complete Modules Solutions
Manual are included (Mod 1 to 15)
** Immediate Download
** Swift Response
** All Chapters included
** Practice Lab Answers
,Solution and Answer Guide
BILL NELSON, AMELIA PHILLIPS, CHRIS STEUART, ROBERT S. WILSON,
GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, 7TH EDITION, ISBN: 9780357672884;
MODULE 1: UNDERSTANDING THE DIGITAL FORENSICS PROFESSION AND INVESTIGATIONS
Table of Contents
Activities - Solutions ................................................................................................................................... 2
Activity 1-1 ............................................................................................................................................... 2
Review Questions - Answers ...................................................................................................................... 3
Hands-On Projects - Solutions ................................................................................................................... 7
Project 1-1 ................................................................................................................................................. 7
Project 1-2 ................................................................................................................................................. 9
Project 1-3 ............................................................................................................................................... 10
Project 1-4 ............................................................................................................................................... 13
Case Projects - Solutions .......................................................................................................................... 15
Case Project 1-1 ...................................................................................................................................... 15
Case Project 1-2 ...................................................................................................................................... 15
Case Project 1-3 ...................................................................................................................................... 16
Case Project 1-4 ...................................................................................................................................... 17
,Activities - Solutions
ACTIVITY 1-1
Estimated Time: 30 minutes
Objective: Configure Autopsy for a new case and analyze the image file of George Montgomery’s USB drive.
Before You Begin:
• Download and install Autopsy as described in Note 15.
• Create Work folder C:\Work\Module_01\Activity_01-1 (referred to as your Work folder in the steps).
• Download to your Work folder the following files provided with the module:
• Activity_01-1.001
To perform the analysis, complete the following steps:
1. Start Autopsy for Windows.
2. In Autopsy’s Welcome window, click the New Case button. In the New Case Information window, enter
Activity_01-1 in the Case Name text box (see Figure 1-15), and click Browse next to the Base Directory text box.
Navigate to and click your Work folder. Make sure the Single-User option button is selected for Case Type, and
then click Next.
[Figure 1-15 New Case Information window of Autopsy]
3. On the Optional Information pane, type Activity_01-1 in the Case Number text box and your full name in the
Name text box in the Examiner section (see Figure 1-16), and then click Finish to start the Add Data Source
Wizard.
4. In the Select Type of Data Source to Add area of the Add Data Source window, click the Disk Image or VM
File button (see Figure 1-17), and then click Next.
5. In the Select Data Source pane of the next window, click the Browse button next to the Path text box, navigate to
and click your Work folder, click the Activity_01-1.001 file, and then click Open. Click Next.
6. Keep the default settings in the Configure Ingest Modules window. Click Next and then click Finish.
[Figure 1-16 Optional Information pane of Autopsy]
[Figure 1-17 Add Data Source window of Autopsy]
Next, complete these steps to display the contents of the acquired data:
1. In the Tree Viewer pane on the left, expand Views, File Types, By Extension, and Documents by clicking the
plus sign next to each folder (see Figure 1-18).
2. Under Documents, click Office. In the Result Viewer (upper-right pane), click the last file, Contract with
Martha.docx, to display its contents in the Content Viewer (lower-right pane).
3. Right-click Contract with Martha.docx, select Add File Tag, and click Tag and Comment.
4. In the Select Tag dialog box, click the New Tag button. In the New Tag section of the Create Tag dialog box,
type Recovered Office Documents in the Tag Name text box (see Figure 1-19), click OK, and then click OK again.
5. Right-click Contract with Martha.docx again, and then click Extract File(s). In the Save window, click Save,
and then click OK.
, [Figure 1-18 Expanded tree view of files in Autopsy]
[Figure 1-19 Create Tag dialog box in Autopsy]
6. In the Tree Viewer pane, click the plus sign to expand the Deleted Files folder, and then click the All (2) folder.
Next, you will select the files and explore what is there.
7. In the Result Viewer pane, click ~$George Presentation.pptx. In the Content Viewer pane, make note of
George’s last name, then click File, and then click Exit to close Autopsy.
8. Open Notepad, and type George’s first and last names as they appeared in the Content Viewer pane in step 7.
Save this file as Activity_01-1_George to your Work folder and exit Notepad.
9. Start File Explorer and navigate to subfolder Activity_01-1\Export in your Work folder and copy the file
Contract with Martha.docx to your Work folder.
10. Submit to your instructor the following files:
• Activity_01-1_George.txt
• Contract_with_Martha.docx
Solution Guidance: This activity is a brief introduction to Autopsy for Windows. By completing the steps
in this activity, students should learn how to initiate a digital forensics examination and how to navigate
and use some of the features available in Autopsy. To show successful completion of this activity, students
should submit the two documents listed in the final step. For examples of the contents of these documents,
see the following solution files:
• Solution_Activity_01-1_George.pdf
• Solution_Contract with Martha.pdf
Review Questions - Answers
1. Digital forensics and data recovery refer to the same activities. True or False?
Answer: False
Explanation: In data recovery, you typically know what you’re looking for. Digital forensics is the
task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered
data is valid so it can be used as evidence.
