Computer Forensics CCIC Training
Chapter 2: Starting Phase 1

Lauren Pixley and Cassidy Elwell May 2017 (Version 1)

This work by California Cyber Training Complex is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Introduction

When you are first given a forensic image to analyze, you need to load it into forensic software and create a case. For this training, you will use Autopsy and other third-party tools. Creating a case in forensic software like Autopsy is the very first step: it involves adding your forensic images, setting the case information, and adjusting the time zone for the case. As you search through the evidence in the software, your work is saved, so you can reopen the case later to look through the evidence again if necessary. Therefore, the following are steps you MUST do if you are doing analysis of a Windows system.

Creating Your Case

This section assumes you have already properly installed Autopsy on your forensic computer. Start Autopsy and click on Create New Case.

Figure 2-1 – Create New Case

Copyright © 2017. All rights reserved.

A New Case Information window will open and you need to set the Case Name. Set it to Craig Tucker, since that is the first case you are going to work on. Set the Base Directory to where you want your case saved on the computer and then click Next (see Figure 2-2).

Figure 2-2 – Set Case Name and Base Directory

On the next New Case Information window, set a case number and your name. Click Finish.

Figure 2-3 – Set Case Number and Name

An Add Data Source window will open and you need to select Disk Image or VM File as the data source type. Click on the Browse button and then navigate to the Tucker.E01 file you have downloaded and click Open. For now, set the time zone to (GMT + 0:00) GMT. We will later cover how to determine the time zone that the computer was set to. Leave Ignore orphan files in FAT file systems unchecked and then click Finish (see Figure 2-4).
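Before pointing Autopsy at Tucker.E01, it is worth confirming that the file you downloaded really is an EnCase/EWF segment and that any continuation segments (Tucker.E02, Tucker.E03, ...) are present and in order; a truncated download or a missing segment shows up as confusing errors only after the ingest has started. The check below is an added example and is not part of the CCIC training material or of Autopsy. It assumes the EWF-E01 segment header layout documented by the libewf project: an 8-byte signature `EVF\x09\x0d\x0a\xff\x00`, one byte `0x01` marking the start of the header fields, a little-endian 16-bit segment number, and a 16-bit zero closing the fields (13 bytes in total). The sample headers it builds are constructed for demonstration; the file names are the ones used in this chapter.

```python
"""Pre-flight check of an EWF (.E01) image before adding it as an Autopsy data source.

Added example, not code from the CCIC training or from Autopsy. The
header layout below is the EWF-E01 (EnCase) segment header as documented
by libewf; the Ex01/EWF2 and L01 logical formats use different signatures
and are rejected here on purpose.
"""
import struct
from pathlib import Path

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte EWF-E01 signature
HEADER_FMT = "<8sBHH"                         # signature, fields_start, segment, fields_end
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 13 bytes


def build_ewf_header(segment: int) -> bytes:
    """Construct a 13-byte EWF-E01 header for the given segment number (sample data)."""
    return struct.pack(HEADER_FMT, EWF_SIGNATURE, 0x01, segment, 0)


def parse_ewf_header(header: bytes) -> int:
    """Return the segment number encoded in the first 13 bytes of an .E01 file.

    Raises ValueError if the bytes do not form a well-formed EWF-E01 header.
    """
    if len(header) < HEADER_LEN:
        raise ValueError("file too short to hold an EWF header")
    signature, fields_start, segment, fields_end = struct.unpack(
        HEADER_FMT, header[:HEADER_LEN]
    )
    if signature != EWF_SIGNATURE:
        raise ValueError("missing EWF signature; not an E01 segment file")
    if fields_start != 0x01 or fields_end != 0:
        raise ValueError("malformed EWF header fields")
    return segment


def verify_segments(headers) -> list:
    """Check that a sequence of headers is numbered 1, 2, 3, ... with no gaps.

    Returns the list of segment numbers in order; raises ValueError on the
    first header whose number does not match its position.
    """
    numbers = []
    for expected, header in enumerate(headers, start=1):
        number = parse_ewf_header(header)
        if number != expected:
            raise ValueError(f"segment {expected}: header says segment {number}")
        numbers.append(number)
    return numbers


def read_segment_headers(first_segment: Path) -> list:
    """Read the header of Tucker.E01, Tucker.E02, ... until a file is missing.

    Only the two-digit numeric suffixes (.E01 through .E99) are followed;
    larger images that roll over to .EAA and beyond are out of scope here.
    """
    headers = []
    path = first_segment
    index = 1
    while path.exists():
        with path.open("rb") as f:
            headers.append(f.read(HEADER_LEN))
        index += 1
        path = path.with_suffix(f".E{index:02d}")
    if not headers:
        raise FileNotFoundError(first_segment)
    return headers


if __name__ == "__main__":
    # Stand-alone run on constructed headers (no image file needed).
    sample = [build_ewf_header(1), build_ewf_header(2)]
    print("constructed segments verified:", verify_segments(sample))
    # Against a real download, uncomment:
    # print(verify_segments(read_segment_headers(Path("Tucker.E01"))))
```

Run it in the directory that holds the image; a clean result lists the segment numbers in order, while a `ValueError` naming a segment tells you which file to re-download before you waste an ingest run on it.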

Figure 2-4 – Set Data Source to Disk Image and Navigate to Tucker.E01

On the next Add Data Source window, click the Deselect All button and leave Process Unallocated Space checked. When you are working on a case, you may not have time to wait for all of these ingest modules to run, and they are not always helpful for the evidence you are looking for. You can always run these modules later in your investigation if necessary. Click Next.

Figure 2-5 – Click Deselect All Button and Click Next

On the last Add Data Source window just click Finish and then wait for Autopsy to finish processing the evidence.