Please see detial instructions in the attachments
Before you begin your analysis of Internet and network activity, you should review the following readings about tools and techniques that can be used to reconstruct Internet activity.
- Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigations, 8, S62–S70. Read the original paper and review the DFRWS 2011 conference presentation.
- FTK User Guide (access the PDF file from the FTK help menu)
- Chapter 19: Examining Email
- Chapter 22: Examining Miscellaneous Evidence: Examining Internet Artifact Data
- Chapter 25: Searching with Indexed Search
- Wireshark User Guide (access the help file from the Wireshark help menu)
- Chapter 6: Working with Captured Packets
Note: The version of FTK that has been licensed for student use in the VDA does not include the Visualization component. You may, however, find useful pointers, charts, and techniques for generating activity charts and timelines in the FTK User Guide's chapters on visualization.
Lab 6 Overview
In this lab you will search for and recover Internet usage information from
one or more forensic images and one or more packet capture (PCAP) files as
provided by your instructor. Your focus should be upon finding and documenting
answers to the case questions as provided in the lab scenario. Your
presentation of your findings should be succinct. This means that you will need
to apply your best judgment as to which information should be included in your
report and which information should be omitted.
Note: in your reports and tables you
should clearly identify which items were found in which evidence files.