I started my internship early. My supervisor and I went over certain forms that I should know for our work. We then went over some online tutorials regarding the Encase Forensic Program. These tutorials showed me how hard drives really work. I also learned what it truly means to wipe a hard drive and what physically happens when a hard drive is wiped. The tutorial also went over what exactly a file allocation table is and how it works. Later we performed a data extraction on a phone. Here we extracted messages and were able to view what messages were sent with the phone. After the data extraction we were able to view the messages in an HTML file on the computer. During the first week at work I didn’t face any hardships. The first week was just about introducing me to the office and learning how certain things work that I need for my internship. I learned a lot during my first week. Before my first week of work I never truly understood how a hard drive worked or how it is wiped. It is interesting how the computer writes information to certain sections of the hard drive and it stays there until you write over it, which in turn is what “wiping” is. When wiping a hard drive completely clean you have to reassign each byte of memory to a new character. This whole interaction between hard drives and data, how data is written out to the hard drive, and how it is wiped is very interesting to me. After my first couple of days working, I was totally looking forward to my next week. This job is something I can honestly see myself looking into for the future.
Week ending January 8th:
During this week we again began to sterilize hard drives for future use. I was able to sterilize numerous drives using the WipeMaster device. This device allows the wiping of 9 hard drives at one time. With my supervisor, I was able to verify the wiping process by viewing the contents of the disk using the Encase Software. Having sterilized drives is a very important part of computer forensics.
Also, during this week we did a lot of rack work on our local SAN system. My supervisor and I went over to the server room and looked at the location of everything on the rack. After looking over everything on the rack we came up with a new way to re-organize it in order to make more room for our new storage additions. After we reconfigured the rack we put in a new server and three new storage units. When reconfiguring the servers one hardship we faced was keeping track of all the wires and where they were plugged in. To help deal with this hardship we used tags and marked every wire before we removed it. After we tagged each wire and plug the rest was easy. It was very interesting looking at a server for the first time. I learned that, when moving certain units and adding new ones, it is very important to keep track of everything that you do, and things like tags are there to help prevent you from making a mistake when reconnecting all the items in the rack. One mistake when working with any server can be the difference between a working server and a nonworking server. It was a good feeling knowing that after all our work, the SAN booted up normally and we had full function of the SAN system.
Also that week I was required to complete some online tutorials for work that went over specific rules and regulations. This training was mandatory for all employees and illustrated how important it is for employees to keep their information safe with the use of full disk encryption and effective passwords.
Week ending January 22nd:
During this week, I continued to sterilize hard drives for future use. I was also required to update the office's MacBook. This was a hardship for me because, as I said earlier, I have never really used a MacBook, so there are certain things that I am unsure of. However, I really enjoy using a MacBook because it is allowing me to learn how the Mac OS works beyond my iPhone and my iPod. When looking at the Mac OS it is kind of similar to the Windows OS, so understanding the Mac OS is not very difficult. I believe that it is better getting experience with a Mac now than it would be in the future. After the successful update of the MacBook's OS, I was required to use a dongle to renew one of our work licenses. A dongle is a piece of hardware that is connected to another device and provides a copy protection mechanism for certain commercial software.
My supervisor and I headed back into the SAN room to do some more work. While in the SAN room we had to disconnect the switch and the monitor in order to add new ones in their place. While performing the upgrade we faced one minor hardship. The items that were ordered did not come with the correct screws for our SAN rack. This was a rather interesting experience. It taught me that it is very important to make sure that you have everything necessary for any project you are going to take on, no matter whether you think the supplies will come with the new piece of hardware or not. It is a very great experience for me to work with servers. Maybe one day I could use this knowledge for a future career, or maybe if I decide to build my own server.
Week ending January 15th:
During this week, I began to maintain the computers on the office network. I had to make sure that all computers were up-to-date with their operating system updates and virus program updates. I was able to set the network IP addresses on various machines in the office and understand how to check if one computer can talk with the other. I learned how to access the SAN and other computers on our network from any other computer in the lab. I learned about the Remote Desktop Program.
Also this week, we had to perform our annual inventory check. I was required to head over to the server room, write down a description of each piece of equipment, and find out their service tags so we know which servers and storage units we have. We had to make sure that all the items that we have were listed on our inventory list stored within the OIG system.
I also learned about the structure of a case file and all the required forms within it. I learned about each form, what it represents, and when it needs to be completed. I learned about the Chain of Custody and how important it is to maintain this chain with proper documentation. If this chain is not properly documented, the evidence could be lost or seriously questioned at the time of the trial.
Week Ending January 29th:
During this week I took the hard drives out of the Si Force X desktop in the office and started to sterilize numerous hard drives. While sterilizing these hard drives one of the machines in the office was not wiping them correctly. So to fix this my supervisor told me to stop the “wiping” process, disconnect the hard drives, and use another machine for the sterilization of these hard drives. The machine that I switched to was a Tableau. Unlike the WipeMaster, the Tableau can only wipe two drives at a time compared to the nine the WipeMaster could wipe. The Tableau model that we used is the TD2 model.
My supervisor and I went back into the SAN room and continued to upgrade our server rack. While upgrading our server rack we disconnected the old switch and the old monitor. After we disconnected the old monitor and switch we put the new monitor and switch in the same area where the old ones were located. Once the new monitor and switch were placed on the rack we plugged in the necessary plugs to connect the monitor and the switch to the rest of the server, then checked to make sure that everything was working correctly. Once you make any upgrades to any server, no matter how small you think it is, it is always important to make sure that everything works the way it is supposed to work. If something is not working correctly then you must recheck your connections and make sure all wires are plugged in. After we finished making the upgrades we took the old switch and monitor back to our office. Just in case we have to ship these two pieces of equipment anywhere, I boxed them up and made sure that the items were nice and snug in the box to help prevent damage in the shipping process.
During this week I did not face any hardships. I am used to the “wiping” process of the hard drives. I am starting to learn more about servers and which kinds of wires are used and where they go.
Week Ending February 5th:
This week I continued sterilizing hard drives. However, this week we started to sterilize old evidence that we did not need anymore. It is the same process as “wiping” all of the other drives. However, once the sterilization of these drives is done it is important to make sure that the drive is completely wiped. In order to check if the drive was completely wiped we had to connect the drive to the computer and use a computer forensics software to make sure the drive is wiped. After looking through the drive it was clear to see that it was completely wiped. The reason why it is important to check if these drives are completely clean is that if we use these drives again for a future case, we don’t want to harm the integrity of any future cases that use these drives. It is important as a Computer Forensics examiner to not do anything that can damage the integrity of your case or evidence. If these files are not properly wiped and you use the same drive to image evidence and there are old files on that drive, then your evidence will be questionable in the court. Since your evidence will be considered questionable it would not have the same integrity as other evidence that is being used.
Later that week my supervisor started to walk me through the steps of looking through images for evidence. The images we used were for an old case. When looking through these images it is very important that you take it slow. If you look through these images fast you could possibly miss something or you can damage the integrity of the evidence. While using the Encase software you are able to locate deleted folders. You are also able to remove files that are known to not contain any evidence such as operating system files that the computer needs to run.
I also learned that even though you change a file's extension you cannot change the file signature. A file signature is unique to that type of file.
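The point above, that renaming a file does not change the bytes that identify its type, can be demonstrated with a small extension-versus-signature check. This is an added example, not code from the journal or from Encase: it carries a constructed table of a few well-known magic-byte prefixes and a constructed set of sample files (a PNG header saved as `notes.txt`) and flags any file whose extension disagrees with what its leading bytes say it is.

```python
from pathlib import Path

# Constructed, illustrative subset of common file signatures (magic bytes)
# and the extensions each one legitimately appears under.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"\xff\xd8\xff": ("jpg", "jpeg"),
    b"%PDF-": ("pdf",),
    b"PK\x03\x04": ("zip", "docx", "xlsx", "pptx"),
    b"GIF87a": ("gif",),
    b"GIF89a": ("gif",),
}


def signature_types(header: bytes):
    """Return the extensions matching the header's magic prefix, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def classify(name: str, header: bytes) -> dict:
    """Compare the file name's extension with the type implied by its signature.

    'mismatch' is True only when the signature is recognised and the extension
    is not one of the extensions that signature is normally stored under.
    """
    ext = Path(name).suffix.lstrip(".").lower()
    exts = signature_types(header)
    return {
        "name": name,
        "extension": ext,
        "signature": exts[0] if exts else None,
        "mismatch": exts is not None and ext not in exts,
    }


def scan_directory(root: str) -> list:
    """Classify every regular file under root by reading only its first 16 bytes."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                results.append(classify(path.name, fh.read(16)))
    return results


# Constructed sample files: a PNG header hidden behind a .txt extension,
# a genuine JPEG, a DOCX (which is a ZIP container) and plain text.
SAMPLE_FILES = {
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "report.docx": b"PK\x03\x04" + b"\x14\x00" * 6,
    "readme.md": b"# plain text notes",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        result = classify(name, data)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name:12} ext={result['extension']:5} sig={result['signature']} {flag}")
```

Only the first 16 bytes are read, so the check is cheap enough to run across a whole image; a reviewer then spends attention on the flagged files rather than trusting the extension column.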
Week Ending February 12th:
We used Encase to process evidence. We loaded four hard drive images into Encase. Once the images were loaded into Encase we noticed that there were over a million files. To help decrease the number of files on these images we ran a hash on all the files on the images. The process of hashing is when the computer gives a random-looking chain of letters and numbers to a specific file. Once each file is given a hash value we run that hash value against our hash set. Our hash set is a list of known hash values of the files that the operating system needs to run. Once we had a match between the hash values and our hash set we removed those files that we did not need to look at for evidence. After we removed the files that we did not need we re-imaged the images of the hard drives.
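The known-file filtering described above can be shown in a few lines. This is an added example and not the journal's or Encase's code: it builds a hash set from a constructed "clean install" of operating-system files, hashes every file in a constructed evidence listing with SHA-256 (a deterministic digest, so identical content always produces the same value), and separates files whose hashes appear in the set from those that still need review. The file names and contents are all made up for the demonstration.

```python
import hashlib


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the file contents; the same bytes always give the same digest."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def build_hash_set(known_files: dict) -> set:
    """Hash set of known-good files (the role a reference set like NSRL plays)."""
    return {file_hash(data) for data in known_files.values()}


def filter_known(image_files: dict, hash_set: set) -> tuple:
    """Split an image's file listing into (known, to_review) by content hash.

    Matching is on content only, so a known file that was renamed is still
    filtered out, while a known file whose bytes were altered is kept for review.
    """
    known, to_review = [], []
    for name, data in image_files.items():
        (known if file_hash(data) in hash_set else to_review).append(name)
    return sorted(known), sorted(to_review)


# Constructed stand-in for the operating-system files of a clean install.
KNOWN_OS_FILES = {
    "Windows/System32/kernel32.dll": b"constructed kernel32 image bytes",
    "Windows/System32/ntdll.dll": b"constructed ntdll image bytes",
    "Windows/explorer.exe": b"constructed explorer image bytes",
}

# Constructed file listing from an evidence image: untouched OS files, a
# renamed copy of one, a tampered copy of another, and user documents.
IMAGE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed kernel32 image bytes",
    "Windows/System32/ntdll.dll": b"constructed ntdll image bytes",
    "Users/jdoe/Desktop/holiday.jpg": b"constructed explorer image bytes",  # renamed OS file
    "Windows/explorer.exe": b"constructed explorer image bytes PATCHED",      # altered OS file
    "Users/jdoe/Documents/ledger.xlsx": b"constructed spreadsheet bytes",
    "Users/jdoe/Documents/letter.docx": b"constructed letter bytes",
}

if __name__ == "__main__":
    hash_set = build_hash_set(KNOWN_OS_FILES)
    known, to_review = filter_known(IMAGE_FILES, hash_set)
    print(f"{len(known)} known files removed, {len(to_review)} left for review:")
    for name in to_review:
        print("  ", name)
```

Two details matter for the examiner: the renamed copy of `explorer.exe` is still recognised and removed because matching is on content, and the altered copy is kept because a single changed byte changes the whole digest.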
With these new images we looked over the remaining files using Encase. You can sort the files by name, size, type, etc. If you are unsure of what is in a specific file you can click it and in the bottom right corner it will give you a view of what is inside that file. So for example, if you are looking at some evidence and you see a picture, you can click on that picture and it will show you the image in the bottom right corner, and if you think it is evidence you check it off and move on to the next file. However, it is very important in between the selection of files that you save often. The reason you save often is to prevent any loss of data, because time is precious when viewing evidence for a case. While scrolling through the files it is important to not move too slow or too fast. If you move too fast then you might crash the program and lose your progress, or you might miss evidence that could be very important to the case. You also don’t want to move too slow because, like I said before, time is precious and you want to get this evidence into the agent’s hands as fast as possible.
Later that week I continued sterilizing hard drives. I finished “wiping” the old evidence drives. After each “wipe” it is important to make sure each drive is completely “wiped”. The way you check if these hard drives are completely “wiped” is you hook the hard drive up to a computer, then you load up Encase and look over every byte of data on the drive and make sure that all the data is set to the hex value we chose. Once I saw that each drive was “wiped” I labeled and wrapped them up, then placed them in the “wiped” drives cabinet. There were some hard drives that we did not want to keep after they were “wiped”, so I was given the task of taking them apart and damaging the hard drive so the information on the drive could not be recovered. This was the first time I have ever taken apart a hard drive and it was interesting to look at what actually is inside a hard drive and to see the inside of one in person. We also had flash drives that we did not want to keep, so I took the same steps as I did in taking apart the hard drives. It is important when throwing out old evidence to make sure that the data is not recoverable at all. Breaking these devices apart prevents data from being recovered.
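The verification step above, reading every byte and confirming it equals the chosen fill value, is simple to automate. This added example is not the journal's procedure or an Encase feature: it streams a drive (or an image of one) in fixed-size chunks, compares each chunk against the expected fill pattern, and reports the first offending offset and how many bytes disagree. The two drive contents it runs on are constructed in memory, one fully wiped and one with a few leftover bytes.

```python
import io

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat for large drives


def verify_wipe(stream, fill: int, chunk_size: int = CHUNK_SIZE) -> dict:
    """Check that every byte readable from stream equals fill (0x00-0xFF).

    Returns bytes_checked, ok, first_bad_offset (None if clean) and bad_count.
    Whole-chunk comparison is the fast path; the per-byte loop only runs on
    a chunk that already failed, so a clean drive never enters it.
    """
    expected = bytes([fill]) * chunk_size
    offset = 0
    bad_count = 0
    first_bad = None
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if chunk != expected[: len(chunk)]:  # last chunk may be short
            for i, value in enumerate(chunk):
                if value != fill:
                    bad_count += 1
                    if first_bad is None:
                        first_bad = offset + i
        offset += len(chunk)
    return {
        "bytes_checked": offset,
        "ok": bad_count == 0,
        "first_bad_offset": first_bad,
        "bad_count": bad_count,
    }


def verify_wipe_bytes(data: bytes, fill: int) -> dict:
    """Convenience wrapper for in-memory data (used by the constructed samples)."""
    return verify_wipe(io.BytesIO(data), fill)


# Constructed drive contents. The odd size exercises the short final chunk.
DRIVE_SIZE = 3 * 1024 * 1024 + 17
CLEAN_DRIVE = bytes([0x00]) * DRIVE_SIZE

LEFTOVER_OFFSET = 2 * 1024 * 1024 + 5
_dirty = bytearray(CLEAN_DRIVE)
_dirty[LEFTOVER_OFFSET : LEFTOVER_OFFSET + 8] = b"leftover"
DIRTY_DRIVE = bytes(_dirty)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_DRIVE), ("dirty", DIRTY_DRIVE)):
        report = verify_wipe_bytes(data, 0x00)
        status = "WIPED" if report["ok"] else f"FAILED at offset {report['first_bad_offset']}"
        print(f"{label}: {report['bytes_checked']} bytes checked, {status}")
```

On a physical drive the same function is pointed at the raw device opened read-only (for example `open("/dev/sdX", "rb")` on Linux, with the device name substituted), and the fill argument is whatever value the wiping tool was configured to write; a non-zero `bad_count` means the drive goes back for another pass rather than into the cabinet.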
I also went over all the old case files and made sure that they were all in order, and I added a Document List to the files that did not have one. This document list is a checklist for us to make sure we have all the right paperwork in each file. It is there so that, in case any questions come up on old cases, we have that information and the correct paperwork right in front of us.
Week Ending February 19th:
This week my supervisor gave me a little exam to test my knowledge on what I have learned during my internship so far. After I completed the test my supervisor and I went over some tutorial videos on the Encase program. The videos we looked at showed me ways to search for evidence using possible keywords, showed me how to look at a single file in Encase, and how to run executable files on computers that could possibly hold passwords that we may need to acquire certain information. The examiner can use the keyword search feature to look for a specific person, or can link keywords together for a person’s name, medical provider, and dates. This feature can help cut down evidence search time if you have a specific keyword or list of keywords that are crucial in the case. The examiner can use the single file view feature in Encase if he or she has a specific file that is in question instead of a whole hard drive of data. If you know what specific file you need you can save time by just viewing the one file versus viewing thousands of files and searching for that specific file. Allowing the examiner to run an executable off of an image is a very delicate thing. Before running the executable it is required that the examiner runs a virus scan on the executable just to make sure it is not malicious or does not contain a virus. In the videos I was shown, the executable the examiner was trying to run was a password database. This password database holds different passwords that could be crucial to view certain files. Without these passwords you could possibly miss key evidence. So allowing the examiner to run executables can be very crucial if the evidence has certain passwords protecting certain files that could be in question.
Later that week my supervisor and I started processing evidence that was recently submitted. We imaged a couple hard drives. In order to image these hard drives I was given the task of removing the hard drives from the laptops. During this process it is important to remove all necessary screws and wires. When removing the hard drives it is important that you handle them with care and if the hard drive is stuck don’t pull it out until you check and see if all screws are removed and all wires are unplugged. Once the hard drives were removed we have to image the data that is on that hard drive to a new and wiped drive. Before that data is imaged the examiner must format the hard drive. Without the hard drive being formatted you will not be able to use it and the computer will not recognize it.
We also extracted some data from a couple of cell phones using a piece of computer software. When extracting data from a cell phone it is important to make sure the cell phone is in airplane mode, Wi-Fi is turned off, and you disable any auto lock features on the phone. It is important to turn off the phone's Wi-Fi and to put it into airplane mode so the phone stops receiving calls, messages, emails, or any type of notifications. It is also important to disable any auto lock feature because during the data extraction if the phone auto locks then it could possibly mess up the data extraction and we could not extract certain data or information.
It is important during both cell phone extraction and hard drive imaging that you, the examiner, do not make any mistakes. If the examiner makes a mistake it could harm the evidence on the device; this evidence could then become damaged or questionable in the court, neither of which we want to happen. If you damage or skew the evidence on the original drives or phones before the extraction or imaging is complete you can lose data that could be crucial to the case. It is also important to make sure you don’t damage or skew the data after the extraction or imaging, because if you lose the images of the data or need to make a new copy it is best to have the original drive intact.
Week Ending February 26th:
This week my supervisor gave me the job of finding out why one of our computer programs was crashing while we were using it. Encase would crash while looking through an image gallery. My supervisor emailed Encase's tech support for help. We followed what Encase said to do in the email we received. They suggested that we look at the options and alter them to their specifications. After following all of their steps the program would still crash at the same spot. One way to get around this issue is for us to click on the side scroll bar past the images that crash the program. We are still waiting for an actual way to fix this issue. By clicking and scrolling past numerous images you could possibly miss an image that contains evidence. This highlights my earlier point that when reviewing evidence it is important that you take your time so you don’t skip any possible evidence.
After looking at Encase and trying different options to fix the issue, my supervisor wanted me to pull out an old case file and take notes on the hard drives that were imaged and the devices we seized. The reason I had to take notes is that someone wanted copies of these images, so I had to write down the item identifier, a description of the item, and the size of the item. This is so they know what size hard drives they would need for the copies of these images. I had to look through the examination report and list all of the items that were imaged and the size of each image. During this process it is important to make sure you calculate the total drive size correctly. This way they don’t buy too many drives or not enough drives. If they buy too many drives then they wasted money; however, if they don’t have enough drives then we would not be able to copy all of the images for them and they would miss data that they want. So it is important to make sure you look through the list of items carefully and don’t skip an item.
Later that week my supervisor and I started to review data that was extracted from a mobile device. We were given the task of finding messages from a specific phone number. We exported the file to a Word document, looked over the table, and highlighted the messages involved with the number in question. During this task it is important that you pay attention to everything you are doing and make sure you highlight all messages from the numbers in question. If you as an examiner miss a message from one of the numbers it can alter the data given to the agent. You as an examiner don’t want to alter any data because that can damage the integrity of the evidence and could affect the case in the long run.
Week ending March 4th:
This week my supervisor gave me the task of reviewing an extraction review sheet from a witness's phone. The review sheet is originally an HTML file. In order for me to review and edit it easily we converted the HTML file into a Word document. From there I was given the task of making the key messages from the phone numbers in question stand out and then deleting those that were not needed. Some of the numbers not needed could include family relatives that have nothing to do with the case. So to help protect the witness’s privacy we are required to remove their messages before giving the review sheet to the special agent.
When thinking about how to make these key messages stand out we decided it was best to highlight them. I scrolled through the table, looked for the key phone numbers, and highlighted the rows that were affiliated with the phone numbers in question. During this process it is important to be very careful and diligent. You do not want to give the special agent any messages the witness does not want them to see that are deemed private.
In order to make sure I highlighted each message in question I did a simple Find in Microsoft Word for the phone numbers in question. After each instance of the number was found I had to write the number of matches down on the sheet of paper with the list of numbers. This is to make sure that, when the agent gets the form, no messages were deleted. Once the matches were all shown in the left-hand view pane I jumped from match to match using the navigation buttons and highlighted the numbers in question.
After highlighting all messages from a phone number it is important to make sure you did not miss any messages. The best way to prevent that from happening is to start from page one of the review sheet with the first match and go from match to match, highlighting what needs to be highlighted. Once I was done highlighting all messages from the numbers in question I had to go through and remove the messages from the numbers that we did not need or that were deemed private. This week I did not face any hardships at work. When highlighting what we needed from the review sheet it is important to be very careful and to pay attention.
Week Ending March 11th:
This week my supervisor had me write up a report summarizing what we did with the evidence from our previous case. This form requires you to write down some key identifiers of the case such as the case number, case name, the special agents involved in the case, and the computer forensic examiner who processed the evidence. The form also requires you to give information on the items seized and which hard drive you can find these images on. For example, if you took an image of laptop X and placed the image on hard drive Y, you are required to list all the details about both laptop X and hard drive Y, including the description and serial number of both the laptop and the hard drive. It is also important to list the name of the image so it is easy for someone to find and they know which image belongs to which item. Once you are done listing the images and the information about the images you are also required to give a summary of your findings in the images. When giving a summary of your findings you must list what types of files were found, how these files were indexed, and finally how these images were given to the special agent. This report is important because it outlines every step that you as a Computer Forensics Examiner took. This way the court can question your actions because they are written on the required form.
While still working on the report I was given the task of making a working copy of these images and placing them on an encrypted drive to be sent to the special agent. The way we extract the needed files from the images is that we ran a script on these images, and this script extracts the file types that you as the examiner selected. This script allows you to check off the file types that you want and even alter the list of those file types to only include what you need. Here it is important to not extract too much or not enough. If you extract more than you as the examiner need it will take a lot of time, and timing is important when dealing with evidence. You want to give the agent as much time as you can to review the information extracted. However, if you don’t extract enough information then the agent can miss a key part of evidence in the case. Once these files are extracted it is important that they are placed on an encrypted drive, so that if the hard drive gets lost no one other than those who are meant to have access to this information can access it. If you as a Computer Forensic Examiner allow this data to get out it could reveal personal identifying information and it can also affect the integrity of your case.
Once all that was complete I was given the task of making sure all computers in our office are up to date. In order to do that I had to run the Windows updater. Once that was completed I had to update the virus software on the computers. It is important to make sure all computers and virus software are up to date in an office environment. This way there are no technical issues and your computers are protected from the latest viruses.
Week Ending March 18th:
This week my supervisor gave me the task of breaking down old cell phones and beepers. My supervisor had been using these phones as tests for data extraction and he no longer needed them. During this process it is important that you get inside every phone and beeper and break up the motherboard so no one could possibly extract data from them. During this process I used everyday tools such as screwdrivers and pliers. Personally, I had never looked at the inside of a cell phone, and even though all of these phones were old it was still interesting looking at the components on the inside. This process made me wonder if today’s phones have the same components inside them as these old phones. Eventually I hope to break down one of today’s newer phones and compare what I saw in the old phones with what is currently inside our phones today.
Later that week my supervisor gave me the task of helping him prepare for a search he will be a part of this coming Monday. When preparing for the case it is crucial to make sure you have all the appropriate forms with you and also all of your forensics equipment. The first thing I did to help my supervisor prepare was to fill out and print a few forms for him. I had to print out three different forms: the inventory collection worksheet, the mobile phone evidence collection worksheet, and the digital evidence collection worksheet. All of these forms are supposed to be completed by the computer forensic examiner on site. The first worksheet, the inventory collection worksheet, is used to show all the items that were imaged on the search. The second worksheet, the mobile phone collection worksheet, is a more detailed breakdown of information that is used when the forensics examiner extracts data from or seizes a mobile device. The third and final worksheet was the digital evidence collection worksheet. This worksheet is to be filled out by the computer examiner on site when he or she images or seizes an electronic device that is not considered a mobile device.
Once I was done filling out the necessary information about the search and had printed the forms out, my supervisor gave me the task of making sure that all of his equipment was in his computer forensic examiner kit. It is important that the examiner comes to work prepared so he or she does not have any issues that could have easily been avoided. For example, if the examiner comes on to the site and tries to image a desktop and he or she is missing the power cable for the imaging device, then he or she will have to ask around for an extra cable or wait until another imaging device is done. This problem can cost time, and time is a very important thing when dealing with any type of work. This issue can cause the search to go on longer than expected. So as an examiner it is crucial that you are prepared for a search so no last-minute issues come up that could have easily been avoided.
Finally, my supervisor gave me a small test. This test was to make sure that I know what I am doing in the office and how to explain it to someone who has no clue what computer examiners do. It is important for me as an intern to know exactly what I am doing in the office so I know how to explain to someone outside of my job what it is I am doing. For example, one of the questions was “Why do examiners use write blockers?” The reason we use write blockers is to prevent computers from writing data to a drive that is evidence. If a computer writes data to a piece of evidence, then that evidence is changed and will not hold much, if any, merit in a court of law.
Week Ending March 25th:
This week my supervisor gave me the task of filling out the
Report of Investigative Activity based on a search that he was a part of this
week. This form is used to explain where the search was, when the search took
place, and what items were seized or imaged during the search. When filling out
this report it is important that you take your time and make sure all the
information matches. On this report the examiner is required to give the
location and the examiners involved in the imaging or the seizing of the items
listed on the report. When describing the hard drives and the images involved in
the case it is crucial that all information matches, such as serial numbers. If
the serial number on this report does not match the serial number of the hard
drive where the image is located, you will have some serious problems. If the
case is revisited they might not be able to find the hard drive that image is
located on, because it does not exist, or it will take them a while to locate
the right file. These problems can be avoided if you take care when filling out
the information and double-check it as well.
After the completion of the Report of Investigative Activity I was
given the task of filling out a Data Extraction report. This data extraction
report is used to describe what the special agent wanted done and what we
as computer forensics examiners have done. On this form you are required to
describe the case. Here you give the key identifiers for the case. After you describe
the case you are required to explain what type of examination was requested by
the special agent involved in the case. Once you are done explaining what the
special agent requested, you are required to list the items that you
examined and key information about those items. After you list the items you
are required to list what information was found on the above listed items.
Finally, you are required to explain your results from the examination and how
those results were given back to the special agent involved.
Later that week my
supervisor gave me the task of replacing the ink cartridges in his mobile printer.
In order to do this I had to install the printer's driver on a computer in the
office. This driver allows the user to access the printer. Once the ink
cartridges were replaced I printed out a test sheet to see if the cartridges
were aligned and that the printer worked. Usually when you replace old ink
cartridges you should test and see if the cartridges are aligned and if the
cartridges work. After I replaced the ink cartridges my supervisor gave me the
task of taking inventory of all hard drives in the office. When taking
inventory he wanted me to list each hard drive's size and its type of interface
for connecting the storage device. The two interfaces that we deal with in the
office are IDE and SATA. The interface determines what kind of connection the
user needs to connect to that specific hard drive.
Week Ending April 1st:
Today my supervisor and I started to image hard drives and
other electronic devices involved in the corresponding case. Before you image
these hard drives you are required to make a digital collection worksheet for
each hard drive. On this worksheet you have to write specific information
corresponding to the case the images are for; once you have that information
filled out, you have to record the device's serial number and model and also
the hard drive's serial number, manufacturer, and size. Here you remove the hard
drive from the computer and write down the information about that drive. That
information consists of the serial number, the manufacturer of the drive, the
model of the drive and the size. When removing the drive you have to be very
careful; if you are not careful you can rip or damage one of the wires of that
computer and it will no longer be usable. Once you have the information down
and have made sure it matches, you can then image the hard drive onto a wiped
drive in the office. Here it is important that you are using a wiped drive. If
you are not using a wiped drive, that could damage the evidence. This whole
process is interesting to me. I personally had never taken apart a computer and
looked inside. It was interesting looking at the components inside the computer.
While the drives were being imaged my supervisor wanted me to check the CMOS
date and time. CMOS stands for complementary metal-oxide-semiconductor. The
CMOS is battery-backed on-board memory that stores information such as the
system time and date. You can access the CMOS even with the hard drive out.
Each computer has its own way to access the CMOS. Some computers take you right
to the CMOS and others require the user to press a function key on their
keyboard. This week I faced no hardships and learned a lot about the internal
components of a computer.
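The entry above stresses imaging only onto a wiped drive. As an added example (not the journal's or the office's own tooling), this Python scan complements the visual check in Encase: it reads a drive image or a device opened read-only and reports any sectors that still hold non-zero bytes. The sector size, the constructed sample data and the function names are assumptions for illustration.

```python
import io

SECTOR = 512  # assumed sector size; pass 4096 for 4K-sector drives


def find_unwiped_sectors(stream, sector_size=SECTOR, chunk_sectors=2048):
    """Scan a drive image or a block device opened read-only and return
    (byte_offset, length) runs of sectors that still hold non-zero bytes.
    An empty list means every byte read back as zero, i.e. the drive is
    sterilized and safe to receive an evidence image."""
    runs = []
    current = None  # [start_offset, length] of the run being extended
    offset = 0
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        for i in range(0, len(chunk), sector_size):
            sector = chunk[i:i + sector_size]
            if sector.count(0) == len(sector):  # all-zero sector ends a run
                if current is not None:
                    runs.append(tuple(current))
                    current = None
            elif current is None:
                current = [offset + i, len(sector)]
            else:
                current[1] += len(sector)  # also extends across chunk boundaries
        offset += len(chunk)
    if current is not None:
        runs.append(tuple(current))
    return runs


def is_sterile(stream, sector_size=SECTOR):
    """True when the whole stream is zero-filled."""
    return not find_unwiped_sectors(stream, sector_size)


def constructed_sample(wiped=False):
    """Constructed 16-sector 'drive' (not real evidence). Unless wiped=True it
    keeps leftovers in sector 3 and in sectors 9-10, as after a failed wipe."""
    data = bytearray(16 * SECTOR)
    if not wiped:
        data[3 * SECTOR:3 * SECTOR + 4] = b"NTFS"
        data[9 * SECTOR + 100] = 0x55
        data[10 * SECTOR + 511] = 0xAA
    return io.BytesIO(bytes(data))
```

For a real drive, pass `open(device_path, "rb")` with the drive attached through a write blocker; every run returned is a spot the wipe did not cover.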
Week Ending April 8th:
This week my supervisor and I imaged more drives pertaining
to the current case we are working on.
Before we image a drive it is important that you write down all the
information about the computer, such as make, model, and serial number. After
you have written all this information down, the next step is to take photos of
the device. These pictures can be used to link the item to the identifier we use
and to show which form matches which device. Now once you have all the
information and the pictures it is time to remove the hard drive. During this
process you have to be very careful and make sure you don’t remove any extra
screws that are not needed. It is interesting to see how the hard drive
location changes from device to device. Some drives have the normal SATA
connection while others were IDE. Some drives were sitting horizontally, others
were sitting vertically. During this whole imaging process, like I said before, it
is important for you to be careful and pay attention to what you are doing. One
simple mistake could damage the integrity of your case. One hardship I
faced these last couple of weeks working on imaging drives was actually removing
them from the devices. Like I said earlier, each computer has its hard drive in a
different location. Some devices we imaged were really old. Some devices we
imaged had more than one hard drive. Personally, I had never taken apart a
computer or a laptop. I believe these last two weeks taught me how to take
apart computers for any future problems I may face, whether the problems are at
home or at work.
Week Ending April 16th:
This week my supervisor and I started to wrap up the case we
have been working on for the past two weeks. In order to wrap up a case you
need to make sure that all evidence that could be imaged was imaged and make
sure you can view these images using a computer program. Upon checking an image
for this case we discovered that it was not imaged properly. To fix this
problem my supervisor and I re-imaged the drive and double-checked that the
images still worked. If we had not checked and had just submitted the images and
returned the seized items to their rightful owner, then we would have had to
get another search warrant for one computer. While working in the computer
forensic department it is important to double-check work, even if it is
something as simple as imaging a device. After we finished checking and
re-imaging that one device my supervisor gave me the job of creating a
spreadsheet breaking down which images were on which drive. I made a simple table
like the ones we use in our work for other forms and started writing down all the
information about the drive the images were on and information about each image.
Here it is important that you don’t make any mistakes. If you write down the
wrong image on the wrong drive, then it will take the agents and even you a longer
time to find the appropriate image. Also, if you forget to write an image down
from the drive in the table, then you or the agent can miss valuable information
that the image could contain. We also started to copy the images from our
working-copy drives to our shared drive. This way the agent can view all the
images in one place and does not have to connect each hard drive to his or her
computer. This also prevents any information getting written to our working
drives. If any information is written to the drive it can damage the integrity
of the evidence, and it would look like we altered data on the drive when we didn’t.
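The serial-number matching described under March 25th and the image-to-drive table described above are the same bookkeeping problem, so here is one added example (not the office's own spreadsheet or tooling) that cross-checks them in Python: each table row must point at an item with a worksheet whose serial matches, the image must really be on the working drive the row names, and every image found on a drive must appear in the table. The dataclass names, item labels, serials and file names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WorksheetItem:  # one digital evidence collection worksheet
    item_id: str
    drive_serial: str

@dataclass(frozen=True)
class ImageRow:  # one row of the image-to-drive table
    image_name: str
    item_id: str
    source_serial: str
    working_drive: str  # label of the wiped office drive holding the image

def cross_check(worksheets, table, drive_listing):
    """Return discrepancies between the worksheets, the image table and the files
    actually present per working drive ({label: set of file names}); [] means all match."""
    problems = []
    by_item = {w.item_id: w for w in worksheets}
    imaged = set()
    for row in table:
        sheet = by_item.get(row.item_id)
        if sheet is None:
            problems.append(f"{row.image_name}: item {row.item_id} has no worksheet")
        elif sheet.drive_serial != row.source_serial:  # the serial-number check
            problems.append(f"{row.image_name}: serial {row.source_serial} does not "
                            f"match worksheet serial {sheet.drive_serial}")
        if row.image_name not in drive_listing.get(row.working_drive, set()):
            problems.append(f"{row.image_name}: not found on drive {row.working_drive}")
        imaged.add(row.item_id)
    for item_id in sorted(by_item.keys() - imaged):  # item never imaged or recorded
        problems.append(f"item {item_id}: no image recorded in the table")
    recorded = {(r.working_drive, r.image_name) for r in table}
    for drive, names in drive_listing.items():  # image forgotten from the table
        for name in sorted(names):
            if (drive, name) not in recorded:
                problems.append(f"{drive}/{name}: present on drive but missing from table")
    return problems

# Constructed sample data; serials, labels and file names are made up.
WORKSHEETS = [WorksheetItem("ITEM-01", "SN-CONSTRUCTED-001"),
              WorksheetItem("ITEM-02", "SN-CONSTRUCTED-002"),
              WorksheetItem("ITEM-03", "SN-CONSTRUCTED-003")]
TABLE = [ImageRow("ITEM-01.E01", "ITEM-01", "SN-CONSTRUCTED-001", "WORK-A"),
         ImageRow("ITEM-02.E01", "ITEM-02", "SN-CONSTRUCTED-OO2", "WORK-A"),  # typo
         ImageRow("ITEM-03.E01", "ITEM-03", "SN-CONSTRUCTED-003", "WORK-B")]  # wrong drive
LISTING = {"WORK-A": {"ITEM-01.E01", "ITEM-02.E01", "ITEM-03.E01", "ITEM-04.E01"},
           "WORK-B": set()}
```

Running `cross_check(WORKSHEETS, TABLE, LISTING)` on the sample flags the mistyped serial, the image recorded on the wrong drive, and the image sitting on WORK-A that nobody wrote into the table.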
Week ending April 22nd:
During this week my supervisor gave me the task of editing
an audio file. In order to edit the file we needed to download a free editor
from online. The editor we decided to use was WavePad. Before using WavePad I
watched a tutorial on how you would use their program. Editing the audio file
was an interesting experience. I had never messed with audio files at all in
my life. It was easy editing the file after watching the tutorial. I believe
that if you download a program that you have never used before it is a smart
idea to either watch a tutorial video or get help from someone that has used
the program before. Whenever I start using a new program I either watch a video
or ask for advice from someone that I know. Doing this can be very helpful in
the workplace. If you are using a new program you have never used before, I believe
it is smart to first look for some sort of online tutorial. If there is no
online tutorial then it is okay to ask someone you know for advice. Editing
audio files can be useful in the workplace depending on where you work and what
kind of job you have. Personally, since WavePad is free I might download it when
I get home and mess around with some song files I have on my computer. The best
way to learn a new program is also by using it. Since it was my first time using
WavePad my boss recommended that we create a copy of the original audio file
and work on that one. This way if I make any mistakes we still have the
original copy.
After editing an audio file my supervisor then gave me the
task of creating more data collection worksheets for another case. I was also
given the task of creating mobile evidence collection worksheets. At our office
we have a different form for data collection from mobile devices than for
any other device. One difference between the two forms is that on the mobile
device form we are required to write in the mobile device's number.
One hardship I faced this week was learning how to edit that
audio file. The tutorial video helped me learn what steps I have to take to
edit that audio clip. It is important when editing an audio clip that is
evidence that you don’t cut out too much or not enough. The whole Computer
Forensic field revolves around being careful with every step you take and
making sure you work mistake-free. We as humans, however, make mistakes; we are
supposed to. That is why at our job we make copies and work with our copies, so
we don’t contaminate the actual evidence.