Case Management Lab Image result for case management Objective: Using a case management tool to perform, analysis, and store artifacts during an investigation. Setup: You will need the SIFT Toolkit VM running Autopsy case management system. You will need the following evidence files also found in the labfiles finalproject folder. Jo’s computer image files by date acquired can be found by downloading the following: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/jo-2009-11-12start.E01 http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/jo-2009-11-16.E01 http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/jo-2009-11-18.E01 http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/jo-2009-11-20-newComputer.E01 m57_detectivereport_Case314159 m57_affidavit_warrant_Case314159 m57_evidence_custody_forms_Case314159.pdf m57_hash_file_Case314159 Walk Through: M57.biz is a new company that researches patent information for clients. Facts of the case: 1 president / CEO 3 additional employees The firm is planning to hire more employees, so they have a lot of inventory on hand (computers, printers, etc). Current employees: President: Pat McGoo Information Technology: Terry Patent Researchers: Jo, Charlie Employees work onsite, and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird). DOMEX network configuration Note: In the above figure “DOMEX” is the local server managing external network access and email. The case: illegal digital materials A functioning workstation originally belonging to m57.biz was purchased on the secondary market. The buyer (Aaron Greene) realizes that the previous owner of the computer had not erased the drive, and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of the computer. Police forensics investigators determine the following: The computer originally belonged to m57.biz The computer was used by Jo, an M57 employee, as a work machine. Police contact Pat McGoo (the CEO). Pat authorizes imaging of all other computer equipment onsite at M57 to support additional investigation. Police further pursue a warrant to seize a personal thumb drive belonging to Jo. The preliminary case: illegal digital materials You are given disk images from all of the computers found onsite at M57 belonging to Jo. You are also provided with a detective report, a search warrant and affidavit associated with seizure of the devices, evidence custody forms, and a list of the image hashes taken at the scene. For the purposes of the scenario, illegal images have been simulated with pictures and videos of cats produced exclusively for this corpus. Your assignment You have been given: A copy of all of the materials obtained by the police during their visit to M57. A copy of the detective reports, along with the search warrant and affidavit. You are tasked with determining the following: Question 1: Is Jo responsible for the files found on the purchased machine? What evidence is there to support this? Question 2: Is Jo the owner of these files? What evidence is there to confirm or reject this? Question 3: Were any attempts made to hide these activities? How can you prove this? In addition to answering the above questions you must properly document the investigation.
