Exercise 1: The Scene of the Crime + Exercise 2: Creating a Disk Image
…were done when the tutor prepared the ‘Rogue.vhdx’ hard disk image file.
Exercise 3: Mounting the Disk Image and Creating a Disk Signature
Mounted virtual disk file ‘Rogue.vhdx’ on laptop hard drive, drive letter (F:) with ‘read-only’ permissions
Installed and started the ‘OSForensics’ program. Opened a new case, in order to investigate a disk from another machine
Calculated hash, created ‘Initial hash’ note and pasted the value into it
Exercise 4: Analysing the Image
In ‘Recent Activity’ – selected ‘Scan Drive’ button and drive letter ‘F:\’, then executed scan
Entered ‘new case item detail’ in list of selected items
Then entered ‘new case item detail’ in ‘list of all items’
Didn’t find file ‘Gamenet.rtf’ in ‘Deleted File Search’
Applied Filter, but no deleted executable files were found
Results of deleted files, when sorted by ‘folder’, didn’t show any evidence of files from ‘GTSLABS’ folder having been deleted
Searching in the ‘mismatched file’ search, discovered that the ‘gamenet.txt’ file actually is identified as a ZIP archive…
Reviewed the case notes before closing down the ‘OSForensics’ program
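
The ‘mismatched file’ result in Exercise 4 comes from comparing a file's extension with the signature bytes at the start of its content. The following Python script is an added example, not part of the original lab notes and not OSForensics' own code; the signature table, function names and sample files are assumptions constructed for illustration. It opens files read-only, so it can be run against a read-only mounted image.

```python
import os
import tempfile
import zipfile

# Well-known leading-byte signatures mapped to the extensions that fit them.
SIGNATURES = {
    b"PK\x03\x04": ("zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    b"%PDF-": ("pdf", {".pdf"}),
    b"MZ": ("exe", {".exe", ".dll", ".sys"}),
    b"{\\rtf": ("rtf", {".rtf"}),
}

def detect_type(path):
    """Return (kind, allowed_extensions) from the file header, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, info in SIGNATURES.items():
        if head.startswith(magic):
            return info
    return None

def find_mismatches(root):
    """List (relative_path, extension, detected_kind) where the two disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = detect_type(path)
            ext = os.path.splitext(name)[1].lower()
            if info and ext not in info[1]:
                hits.append((os.path.relpath(path, root), ext, info[0]))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: a ZIP saved as .txt beside a real text file."""
    with zipfile.ZipFile(os.path.join(root, "gamenet.txt"), "w") as zf:
        zf.writestr("inner.txt", "constructed sample content")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("plain text\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, ext, kind in find_mismatches(tmp):
            print(f"{rel}: extension {ext}, content signature {kind}")
```

Files with no recognised signature, such as genuine plain text, are skipped rather than flagged, so the output lists only files whose content contradicts their extension.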
Exercise 5: Completing the Lab