Lab 1: Applying the Daubert Standard to Forensic Evidence


This lab is looking into Beverly Gates, a senior HR manager who was suspended by the firm for her involvement in a drug trafficking scheme. I take the role of a computer forensics specialist in a local police department. My task is to review the hard disk image that was seized and use forensic software to look into and record evidence. I use three different programs: Autopsy, Paraben's Electronic Evidence Examiner (E3), and FTK Imager. I made a hash file for each program I used. The hash files are meant to satisfy the Daubert Standard, a legal test used by trial judges to determine whether or not forensic expert testimony is reasonable and supported by science.

Section 1:

I reviewed a search warrant and completed a chain of custody form to protect evidence. In the next part, I used FTK Imager software to extract evidence from a seized drive, meeting the Daubert standard. The Windows NTFS file system retained deleted files in unallocated space, making it an evidence-rich area. FTK Imager was used to review deleted emails and documents, save suspicious documents as evidence, and create hashes. The Recycle Bin was also investigated. Paraben's Electronic Evidence Examiner (E3) was used to verify MD5 hashes generated by FTK Imager.

Section 2:

I explored the suspect's drive image in order to find more evidence. I examined hash codes by altering a sample evidence file, adding the altered file back into FTK Imager, and then exporting the new hash codes. I also used Autopsy, which is an open-source collection of Windows and Unix-based command-line tools designed to extract and analyze data from drive images. I used Autopsy to validate hash codes for a suspicious email that I extracted from the first part of this section. I then used Paraben's E3 to validate the hash codes that were found using FTK and Autopsy.
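
The re-hashing check described in Section 2, as an added example that is not part of the original lab write-up and is not code from FTK Imager, Autopsy or E3: it records baseline MD5 and SHA-1 digests for an evidence file, alters one byte, and re-verifies against the baseline. The file name and contents are constructed, and the choice of MD5 plus SHA-1 is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1")  # assumption: the digests recorded for each exhibit


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Stream a file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths):
    """Record baseline digests at acquisition time, keyed by file name."""
    return {Path(p).name: hash_file(p) for p in paths}


def verify(manifest, paths):
    """Re-hash each file; return {file name: [algorithms that no longer match]}."""
    mismatches = {}
    for p in paths:
        name = Path(p).name
        if name not in manifest:
            mismatches[name] = ["not in manifest"]
            continue
        current = hash_file(p)
        changed = [a for a, d in manifest[name].items() if current.get(a) != d]
        if changed:
            mismatches[name] = changed
    return mismatches


def demo():
    """Constructed sample: hash a file, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "sample_email.txt"  # hypothetical exhibit name
        evidence.write_bytes(b"Subject: shipment\r\nMeet at the usual place.\r\n")
        manifest = build_manifest([evidence])
        clean = verify(manifest, [evidence])       # untouched copy
        data = bytearray(evidence.read_bytes())
        data[-3] ^= 0x01                           # single-bit alteration
        evidence.write_bytes(bytes(data))
        altered = verify(manifest, [evidence])     # altered copy
        return manifest, clean, altered
```

Calling `demo()` returns the baseline manifest, an empty mismatch set for the untouched file, and both algorithms flagged for the altered one.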
