

Assignment 4

Page history last edited by Philip Craiger 5 years, 8 months ago


Your task is to use a commercial forensic tool to gather evidence of a crime.  This assignment is set up in two parts.  In the first part of the assignment you will use the FTK demo to gather information about a crime (read below). You will create a 'report' in FTK and upload it to Dropbox.  No analysis is required.  The next and final assignment will require you to perform an analysis of what occurred. Essentially, based on the evidence you found, tell a story.



On the evening of Wednesday, April 1st, 2015, Playtronics (located in Daytona Beach, FL) discovered a breach that had occurred on one of their secure workstations. This particular workstation was only connected to the internal network and was not able to reach outside networks; attached devices such as USB flash drives were allowed to be read from, but not written to.


It was discovered that on Tuesday, March 31st, 2015, an unauthorized program was installed on one of the secure workstations. This program facilitated a remote copy of 12 files from the secure workstation to an unsecured workstation in the building; according to logs, the 12 files were then moved to a USB flash drive attached to the unsecured workstation.


Interviews with Playtronics employees were conducted the morning of April 2nd, where it was discovered that the only employee who could not be reached for questioning was Steven Holt. When Mr. Holt could not be reached, officers spoke briefly with Mr. Holt’s sister before traveling to Holt’s residence. As the officers approached Holt’s residence, Mr. Holt was seen leaving the residence by car. On his way out of the neighborhood, Mr. Holt ignored posted stop signs and speed limits, prompting officers to follow him to his final destination, a local landfill.


Mr. Holt was seen entering the premises with a desktop computer, but leaving empty-handed. Upon leaving the landfill, Holt was detained for questioning and the computer retrieved. Mr. Holt was found to be in possession of $10,000 cash and a USB flash drive was found inside the vehicle; a computer was also recovered from the landfill. Bank records later showed a $50,000 incoming transfer on the morning of April 2nd, which was all withdrawn, and phone records showed one outgoing call the morning of April 2nd to 386-555-4183.


The USB drive found in Mr. Holt’s vehicle contained a password protected zip file and what appears to be 12 files containing computer code. The Hardware ID of the flash drive has been determined to be VID_ABCD&PID_1234&REV_0100; Playtronics has confirmed this flash drive was attached to the unsecured workstation on March 31st and has supplied a list of MD5 hashes for the 12 copied files:

















Your deliverable is an FTK report that contains evidence.  You should have headings in your FTK report that correspond to the items below.  Make sure that you include ONLY information of a relevant nature, DO NOT include files randomly. 


Find evidence related to the following:

  • 386-555-4183
  • Money transfers
  • Playtronics files
  • Any correspondence and with whom
  • Recovered USB flash drive
  • Attempts to destroy evidence
  • Any relevant web traffic


Videos related to FTK


Additional Resources



Assignment files:






2. To export registry files (to look for the USB information), do the following:

  1. In FTK, use the "Explore" menu tab to go to: \\Windows\system32\config 
  2. Select the hive you want to export (security/software/system).
  3. Right-click and select "Export file".
  4. Save the file, and open it in FTK Registry Viewer. Note that Registry Viewer expects a dongle and will try to 'phone home.'  Just use it in Demo mode; it will work fine for the current purposes.



How to Analyze USB Device History in Windows: http://www.magnetforensics.com/how-to-analyze-usb-device-history-in-windows/


5 Key Artifacts That Need to be Found When Investigating USB Device History:

  1. The USBSTOR key located in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USBSTOR): USBSTOR contains details on the vendor and brand of USB device connected, along with the serial number of the device that can be used to match the mounted drive letter, user, and the first and last connected times of the device.
  2. The MountedDevices key (SYSTEM\MountedDevices): Allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted. It’s possible that the investigator won’t be able to identify the drive letter if several USB devices have been added, since the mapped drive letter only shows the serial number for the most recently mounted device for each letter assigned.
  3. The MountPoints2 key found in a user’s NTUSER.dat hive (NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2): This information will reveal which user was logged in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.
  4. The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB): This key provides investigators with vendor and product ID for a given device, but also provides the last time the USB device was connected to the system. Using the last write time for the key of the device serial number, investigators can identify the last time it was connected.
  5. The setupapi log (ROOT\Windows\inf\setupapi.dev.log for Windows Vista/7/8; ROOT\Windows\setupapi.log for Windows XP): Searching for the serial number in this file will provide investigators with information on when the device was first connected to the system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article which are stored in UTC, the setupapi.log stores its data in the system’s local time and must be converted to UTC to correctly match any timeline analysis being performed by the investigator.
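
The local-time caveat in item 5, worked through as an added example (not part of the original assignment or the Magnet Forensics article): it finds a device's first install in a setupapi.dev.log and converts the timestamp to UTC so it lines up with the registry last-write times. The log excerpt, the serial `CONSTRUCTED0001` and the 240-minute bias (Eastern Daylight Time) are assumptions; on a real image, read the bias from the `ActiveTimeBias` value under SYSTEM\CurrentControlSet\Control\TimeZoneInformation.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the setupapi.dev.log section layout (Vista/7/8).
# The serial "CONSTRUCTED0001" and all timestamps are invented for illustration.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_ABCD&PID_1234\CONSTRUCTED0001]
>>>  Section start 2015/03/31 14:22:07.123
     dvi: {Build Driver List} 14:22:07.140
<<<  Section end 2015/03/31 14:22:09.456
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\OTHERDEVICE]
>>>  Section start 2015/03/30 09:00:00.000
<<<  Section end 2015/03/30 09:00:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def install_sections(log_text):
    """Yield (section title, local start time as a naive datetime)."""
    title = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            title = m.group("title")
            continue
        m = START.match(line)
        if m and title is not None:
            yield title, datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            title = None

def first_install_utc(log_text, needle, active_bias_minutes):
    """Earliest install whose section title contains `needle`, as UTC.

    Windows defines UTC = local time + bias, so EDT is a bias of 240 minutes.
    Returns None when the device never appears in the log.
    """
    hits = [ts for title, ts in install_sections(log_text)
            if needle.lower() in title.lower()]
    if not hits:
        return None
    utc = min(hits) + timedelta(minutes=active_bias_minutes)
    return utc.replace(tzinfo=timezone.utc)
```

Searching on the serial number rather than the VID/PID pair is more precise when several devices of the same model were attached.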


