-Lab 5-DF LAB (4)
FTK Imager was downloaded and installed on the system. Following this, Drive2.E01 was obtained
from eLearning and placed onto the desktop. Once completed, FTK Imager was launched. From the
main menu, "File" was selected, and "Add Evidence Item" was chosen. When prompted to select a
source type, "Image File" was chosen, and upon changing the selection, the "Next" button was
clicked. It's important to note that FTK Imager offers the option to view live local hard drives of the
system it's installed on by selecting either Physical Drive or Logical Drive.
After browsing to the desktop, drive2.E01 was selected, and the "Finish" button was clicked. The
evidence file was mounted by FTK Imager.
Next, the plus (+) symbol next to the drive was clicked to expand the directory structure.
In the expanded tree structure, the volume name and file system were displayed.
Upon navigating down the file structure, the path \root\Windows\system32 was accessed.
To extract a file (in this example, the file named ndadmin.exe was chosen), the file was right-clicked, and "Export Files…" was selected from the pop-up menu.
A destination was chosen for saving the file, and the "OK" button was clicked.
After the file was exported, the results of the extraction along with the file’s size were displayed.
In the "New Case Information" window, a case name was entered, since that field is mandatory.
The directory in which the case data would be saved was populated automatically based on the case
name. After the name was entered, the "Next" button was clicked.
The "Finish" button was clicked, prompting the appearance of the "Add Data Source" window, which
might have taken a moment to launch. Within this window, drive2.E01 was browsed to, and upon
selecting it, the "Next" button was clicked.
The user was presented with a list of Ingest Modules, which would automatically run once the
evidence file was loaded. Due to the small size of this evidence file, the default options could be
left selected, and the “Next” button was clicked.
Then, the "Finish" button was clicked.
The main window of Autopsy is divided into three panes or viewers: the Tree Viewer, the Result
Viewer, and the Content Viewer. The status of the processing of the Ingest Modules will be
displayed in the lower right corner of the window.
In the Tree Viewer, the plus (+) symbol next to Data Sources was clicked, allowing for drilling down
into drive02.E01.
Subsequently, navigation was conducted down to C:\Windows\system32.
The file named nsadmin.exe was right-clicked, and "Extract File(s)" was selected from the pop-up
menu.
A location to save the file was identified, and the "Save" button was clicked.
It is possible to extract multiple files simultaneously in Autopsy by SHIFT-clicking files, after which
one of the highlighted files is right-clicked. From the pop-up menu, "Extract File(s)" can be chosen.
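Both FTK Imager and Autopsy read the E01 container before showing its volume and file system. As an added example (not part of this lab, FTK Imager or Autopsy), the Python below walks the section descriptors of an E01 segment file and checks each descriptor's Adler-32 checksum, a structural sanity check worth running on an acquired image before trusting what a viewer displays. The sample image bytes are constructed inline and follow the public EWF layout in minimal form (no volume, sectors, table or hash sections).

```python
import struct
import zlib

# EWF (E01) segment-file constants from the public EWF specification.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_LEN = 13      # 8-byte signature + fields start + segment number + fields end
SECTION_DESC_LEN = 76     # 16 type + 8 next offset + 8 size + 40 padding + 4 Adler-32


def parse_e01_sections(data):
    """Walk the section descriptors of one in-memory E01 segment file.

    Returns (segment_number, [(offset, type, size, checksum_ok), ...]). The walk
    stops at the 'done'/'next' section or at any descriptor that points backwards,
    which would indicate a damaged or tampered image rather than a valid chain.
    """
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF/E01 segment file")
    fields_start, segment_number, fields_end = struct.unpack_from("<BHH", data, 8)
    if fields_start != 1 or fields_end != 0:
        raise ValueError("unexpected EWF file header fields")

    sections = []
    offset = FILE_HEADER_LEN
    while offset + SECTION_DESC_LEN <= len(data):
        desc = data[offset:offset + SECTION_DESC_LEN]
        stype = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
        next_offset, size = struct.unpack_from("<QQ", desc, 16)
        stored_crc = struct.unpack_from("<I", desc, 72)[0]
        # The checksum covers the 72 descriptor bytes that precede it.
        checksum_ok = (zlib.adler32(desc[:72]) & 0xFFFFFFFF) == stored_crc
        sections.append((offset, stype, size, checksum_ok))
        if stype in ("done", "next") or next_offset <= offset:
            break
        offset = next_offset
    return segment_number, sections


def _section(stype, next_offset, size):
    """Build one 76-byte section descriptor with a valid Adler-32 (helper for the sample)."""
    body = stype.encode("ascii").ljust(16, b"\x00") + struct.pack("<QQ", next_offset, size) + b"\x00" * 40
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_sample_e01():
    """Constructed sample: file header, a 'header' section with a small payload, then 'done'."""
    payload = b"constructed header payload"
    header_off = FILE_HEADER_LEN
    done_off = header_off + SECTION_DESC_LEN + len(payload)
    file_header = EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)   # segment number 1
    header_sec = _section("header", done_off, SECTION_DESC_LEN + len(payload)) + payload
    done_sec = _section("done", done_off, 0)                      # 'done' points at itself
    return file_header + header_sec + done_sec
```

Running `parse_e01_sections` over a real segment lists every section type in order, so a descriptor with a failing checksum or an out-of-order offset stands out before any file is exported.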
*Note: Assignment 2 was not submitted, but I solved it to complete this assignment.
The recovery process for the specified files was completed using the Image.E01 file, which had been
created in Lab 2 and saved on the desktop.
All Microsoft Word documents from C:\Users\User1\My Documents\ were successfully retrieved.
How many Microsoft Word documents were recovered?
1
What were the names and sizes of the Microsoft Word documents?
Document 1