Subject code: ITC597 Student name: Jaya Chandra Tummala Subject name: Digital Forensics Student ID:11630248 THE WORK IN THE ASSIGNMENT IS DONE BY MY OWN AND HAS NOT BEEN PLAGIARISED. TASK-1 HANDS ON 1-3: DESCRIPTION: .Add project name and project number in pro discover as C1Prj03. .Add image file by clicking action in the menu , the image file is C1Prj03.dd. .In the tree view click content view for images to check graphic view for further investigation. For expansion of file click the images. .Now checking the cluster view for checking the content. .In menu click gallery view to check graphic image files and click the checkbox of interested file and add description in comment dialog box. These will add to pro discover report. Evidence Report for Project: C1Prj03 Project Number: 001 Project Description: Image Files: File Name: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd Image File Type: DD Image Time Zone Information: Time Zone: (GMT+10:00) Canberra, Melbourne, Sydney (AUS Eastern Standard Time) Daylight savings (summertime) was in effect: Yes Time Zone information obtained from preferences settings. Hard Disk: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd Volume Name: NO NAME Volume Serial Number : FC6E-155B File System: FAT32 Bytes Per Sector: 512 Total Clusters: 125972 Sectors per cluster: 2 Total Sectors: 253952 Hidden Sectors: 0 Total Capacity: 126976 KB Start Sector: 0 End Sector: 253951 Disks: Evidence of Interest: Total Evidence Items of Interest: 26 Hard Disk: Unknown List of Files: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\Tracking Bluebirds.xls MD5 Checksum: 204F20C0923AA5AF10CC8E3CB775D3A6 Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: sheet ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\note to TR.txt MD5 Checksum: D9975E2AB963F827FE224579803634B3 Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: linearized ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\Interview.xls MD5 Checksum: 25B1D07E4F2BC93ACD48B7F6295E550B Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: book ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\åAWK.TXT MD5 Checksum: C1D6F82D7CA3CF66009A89C2797CB35F Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: pdf ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\bluebirds.mdb MD5 Checksum: 884051E83CFABB08F76BCC579583CAFB Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: jet ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\xSVCRT.DLL MD5 Checksum: 88DC8EA7C3DA39ECCF822D6012D4677A Deleted: Deleted: 07/29/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: f ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\DESKTOP.INI MD5 Checksum: AD0B0B4416F06AF436328A3C12DC491B Created:07/30/2006 18:02Modified:04/16/2006 16:29Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 2014 (7DE) 2015 (7DF) 2 Investigator's comments: shell ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg10.doc MD5 Checksum: EC52224A28CF442662574A2369104750 Created:07/30/2006 18:02Modified:04/16/2006 16:31Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Fragmented File Start Cluster End Cluster Total Clusters 2764 (ACC) 4811 (12CB) 2048 4812 (12CC) 6859 (1ACB) 2048 6860 (1ACC) 8907 (22CB) 2048 8908 (22CC) 10955 (2ACB) 2048 10956 (2ACC) 13003 (32CB) 2048 13004 (32CC) 13475 (34A3) 472 Investigator's comments: muse ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\INFO2 MD5 Checksum: A98035C736AD82AF08FF7D54F600D676 Created:07/30/2006 18:02Modified:07/30/2006 18:02Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 2016 (7E0) 2023 (7E7) 8 Investigator's comments: greek ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg13\EEEEE MD5 Checksum: 7D4F650E1AC73BF3E6EA0720D6CAA312 Created:07/30/2006 18:02Modified:04/12/2006 20:21Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 2026 (7EA) 2143 (85F) 118 Investigator's comments: name ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg13\PlatosRepublic.doc MD5 Checksum: 61BBBBE284CC3C99CDE5EA56194926DC Created:07/30/2006 18:02Modified:04/12/2006 20:18Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 2144 (860) 2481 (9B1) 338 Investigator's comments: root ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg13\SocratesApology.doc MD5 Checksum: E8B8268102624C93E4BE4A8F6829CB53 Created:07/30/2006 18:02Modified:04/12/2006 20:19Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 13476 (34A4) 13729 (35A1) 254 Investigator's comments: entry ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg12\BenFranklinAutobio.doc MD5 Checksum: EF7214A07DE52F04097EB70446F0DCF3 Created:07/30/2006 18:02Modified:04/12/2006 21:33Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 13730 (35A2) 14489 (3899) 760 Investigator's comments: ms ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg12\BenFranklinAutobio.html MD5 Checksum: B04269E7CA3BD34ECD33540A305216F6 Created:07/30/2006 18:02Modified:04/12/2006 21:33Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 14490 (389A) 15309 (3BCD) 820 Investigator's comments: type ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg12\CommonSenseThomPain.doc MD5 Checksum: 85B4283D1AEB5C1E5937FDA06EE37EE4 Created:07/30/2006 18:02Modified:04/12/2006 20:23Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 15310 (3BCE) 15769 (3D99) 460 Investigator's comments: procure ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg12\CommonSenseThomPain.txt MD5 Checksum: 846ED9324BC5969F19E8CE8FDFE23D58 Created:07/30/2006 18:02Modified:04/12/2006 07:59Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 15770 (3D9A) 15983 (3E6F) 214 Investigator's comments: public ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg11\Vacations\DSCF0264.JPG MD5 Checksum: 22F070053B8DF40B11C72A5457490AC9 Created:07/30/2006 18:02Modified:09/19/2004 15:53Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 15984 (3E70) 16943 (422F) 960 Investigator's comments: camera ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg11\Vacations\DSCF0266.JPG MD5 Checksum: C9D3954445A1571644D81D1899EBDF7A Created:07/30/2006 18:02Modified:09/19/2004 15:56Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 16944 (4230) 17925 (4605) 982 Investigator's comments: digital ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg11\Vacations\DSCF0271.JPG MD5 Checksum: 75509E0FBCF0ABA05C45126D113901EE Created:07/30/2006 18:02Modified:09/19/2004 16:04Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 17926 (4606) 18857 (49A9) 932 Investigator's comments: fine ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg11\Vacations\DSCF0272.JPG MD5 Checksum: F159FE541355A9A06EEB45AA01FA14F4 Created:07/30/2006 18:02Modified:09/19/2004 16:09Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 18858 (49AA) 19811 (4D63) 954 Investigator's comments: pix ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\RECYCLER\S-1-5-21-746137067-1580818891-854245398-1000\Dg11\Vacations\DSCF0274.JPG MD5 Checksum: 7F6933FA4D9F0920F578D0E43DEA77FF Created:07/30/2006 18:02Modified:09/19/2004 16:15Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 19812 (4D64) 20751 (510F) 940 Investigator's comments: normal ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\English\AntonandCleopatra.doc MD5 Checksum: 8F0B59369BD796325F652B4E283CDBA8 Deleted: Deleted: 07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: document ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\English\AntonandCleopatra.html MD5 Checksum: F2E8E48066C35BDDF5C9111F3F5AC3F5 Created:07/30/2006 18:02Modified:04/12/2006 21:06Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 20960 (51E0) 21347 (5363) 388 Investigator's comments: changed ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\English\BBBB.DAT MD5 Checksum: C6A3E6C7EC766780EA746A7B3DDF3CCD Created:07/30/2006 18:02Modified:04/12/2006 20:19Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Fragmented File Start Cluster End Cluster Total Clusters 21348 (5364) 23395 (5B63) 2048 23396 (5B64) 25443 (6363) 2048 25444 (6364) 27491 (6B63) 2048 27492 (6B64) 29539 (7363) 2048 29540 (7364) 31587 (7B63) 2048 31588 (7B64) 31701 (7BD5) 114 Investigator's comments: word ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\English\cccc.data MD5 Checksum: F2E8E48066C35BDDF5C9111F3F5AC3F5 Deleted: Deleted: 07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: created ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd\English\DDD.DAT MD5 Checksum: DF5C0134EB29B045E9EC70F238159453 Created:07/30/2006 18:02Modified:04/12/2006 20:22Last Accessed:07/30/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Fragmented File Start Cluster End Cluster Total Clusters 32090 (7D5A) 34137 (8559) 2048 34138 (855A) 35629 (8B2D) 1492 Investigator's comments: meta ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj03.dd Hard Disk Unknown : Evidence of Interest: 26 Clusters of Interest: File Signature Mismatch: Registry Keys of Interest: Event Log Entries of Interest: Internet Activity Information: Search Results: Project Notes: This Report was created by ProDiscover HANDS ON PROJECT 1-5: Description: .Open C1Prj04.dft in pro discover ,sort the files by clicking on Deleted column header ,click content view in tree view ,click cluster view to recheck the images ,in the work folder click the necessary image files ,add description in the dialog box ,which will add evidence to the report. .File is deleted and the file type is indicated in investigator comments text box. .Click the report in tree view and click export,in that the project is saved as C1Prj05. Evidence Report for Project: C1prj05 Project Number: 002 Project Description: Image Files: File Name: F:\jayachandra CSU\9781285060088\Chap01\InChp01-prac.eve Image File Type: DFT Image File Number: InChap02 Technician Name: Joe Friday Date: 07/29/2006 Time: 12:09:05 MD5 Checksum: a117773bcf1fc88ec0ab8e0a349fbbcb Checksum Validated: No Compressed image: No Time Zone Information: Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana (Pacific Standard Time) Daylight savings (summertime) was in effect: Yes Time Zone information obtained automatically from remote system/image. Hard Disk: F:\jayachandra CSU\9781285060088\Chap01\InChp01-prac.eve Volume Name: File System: FAT12 Bytes Per Sector: 512 Total Clusters: 2847 Sectors per cluster: 1 Total Sectors: 2880 Hidden Sectors: 0 Total Capacity: 1440 KB Start Sector: 0 End Sector: 2879 File Name: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve Image File Type: DFT Image File Number: Proj-2-4 Technician Name: Joe Friday Date: 09/24/2006 Time: 19:02:46 MD5 Checksum: 1fa439988039bfe87667d82cdebf8e1a Checksum Validated: No Compressed image: No Time Zone Information: Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana (Pacific Standard Time) Daylight savings (summertime) was in effect: Yes Time Zone information obtained automatically from remote system/image. Hard Disk: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve Volume Name: File System: FAT12 Bytes Per Sector: 512 Total Clusters: 2847 Sectors per cluster: 1 Total Sectors: 2880 Hidden Sectors: 0 Total Capacity: 1440 KB Start Sector: 0 End Sector: 2879 Disks: Evidence of Interest: Total Evidence Items of Interest: 7 Hard Disk: A:\ List of Files: F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\Botany.doc MD5 Checksum: 8417C6EBACAB535C640194A1E401B3D9 Created:06/23/2004 22:38Modified:06/23/2004 22:29Last Accessed:06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 712 (2C8) 750 (2EE) 39 Investigator's comments: great ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\USAmmend.doc MD5 Checksum: A57FF86D6C2226031CF7813341199E82 Deleted: Deleted: 06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: articles ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\USDeclar.doc MD5 Checksum: A25EA61AC70E568B827D99AD7EE0F003 Created:06/23/2004 22:36Modified:06/23/2004 21:17Last Accessed:06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 340 (154) 397 (18D) 58 Investigator's comments: prevent ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\USConst.doc MD5 Checksum: AB8DE645BB5D36FFBF4BB4A7ECB330B4 Created:06/23/2004 22:36Modified:06/23/2004 21:22Last Accessed:09/24/2006 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 398 (18E) 541 (21D) 144 Investigator's comments: we ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\MagnaCt.doc MD5 Checksum: CF8B6D906B8003716A4FE4B2E3EB0112 Created:06/23/2004 22:36Modified:06/23/2004 21:19Last Accessed:06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters 242 (F2) 339 (153) 98 Investigator's comments: translation ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\Amendments to the Constitution.doc MD5 Checksum: A57FF86D6C2226031CF7813341199E82 Deleted: Deleted: 06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: addition ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve\THE UNITED STATES CONSTITUTION.doc MD5 Checksum: AB8DE645BB5D36FFBF4BB4A7ECB330B4 Deleted: Deleted: 06/23/2004 00:00 MFT &STANDARD_INFO entry modified: Not available MFT $FILE_NAME entry modified:Not available Cluster Chain: Start Cluster End Cluster Total Clusters Investigator's comments: order ________________________________________________________________________________________________ F:\jayachandra CSU\9781285060088\Chap01\Projects\C1Prj04.eve Hard Disk A:\ : Evidence of Interest: 7 Clusters of Interest: File Signature Mismatch: Registry Keys of Interest: Event Log Entries of Interest: Internet Activity Information: Search Results: Project Notes: This Report was created by ProDiscover HANDS ON PROJECT 3-1: DESCRIPTION: .The GCFI-datacrave-FAT.eve is extracted ,now USB drive(target drive) is connected ,click tools then copy disk from the menu ,click the image to disk tab in the copy source disk. .By clicking the browse next to the image file text to add and open the GCFI-datacrave-FAT.eve ,now click space under disk name column at copy source disk. . By clicking the target drive as ok in disk name list ,now clicking the “writing all 0” option and click ok for downloading ,in the copy dialog box . . By clicking the ok in copy successful message box. HANDS-ON 3-2 PROJECT: DESCRIPTION: .After making sure the suspect drive containing the data load from “hands on project 3-1”,protect the suspect drive by write blocking hardware device and turn acquisition workstation. .Now click, the unix style dd format in the image format drop-down list box and ok in the capture image dialog box. . Now after the aqusition secure the evidence. HANDS ON PROJECT 4-5: DESCRIPTION: .Create C1Prj05 folder in the USB drive ,now open the notepad and type “this project shows that the file ,not the filename ,has to change from hash value to change” save the file as test hash.txt in the C1Prj05 folder in the USB. . In the FTK imager ,add evidence item and click logical drive option in source dialog box to USB drive and click finish. .Click the USB option right panel until testhash.txt appear on workfolder ,now export hash list file to the C1Prj05 folder in the USB and save it as “orginal hash value”. .Evidence items must remove and exit the FTK imager ,now open the C1Prj05 folder in the USB ,change the testhash.txt totesthash.doc. .Now open the FTK imager ,do the same process but save it as “changed hash value” C1Prj05 folder in the USB. Now compare the orginal and changed hash values in spread sheet program. TASK2 Question: A distressed employee calls you because she has accidentally deleted crucial files from her hard drive and can’t retrieve them from the Recycle Bin. Describe the options or methods that you believe might be used to recover the files. Your solution may contain a list of questions to ask her about her system before you carry out your methods. Answer: Questions asked to the employee: .You write anything onto the drive containing your important data that you deleted accidentally? Ans: No ,I didn’t right anything onto the drive, after I delete the data. .You try to save another data onto the same drive data that you found and trying to recover? Ans: No ,I didn’t try to save anything onto the same drive data. .What is your OS out lining? Ans: WINDOWS. There are many possible methods to recover the deleted data from the hard drive, some of them as following: 1-NTFS data recovery method: To find the deleted entries in Master File Table (MFT) by drive scanning and find the deleted entry that is particular, then cluster chain is to be defined for recovery and the identified cluster content is to be copy for newly created file. Even though each file system maintain their own specific logical data structures ,basically each file system has a list of file entries, so we can iterate through this list and entries marked as deleted and keeps for each entry a list of data clusters ,so to find out set of clusters composing the file. After finding the deleted file entry and assembling set of clusters, composing the files, read and copy the clusters to another location. 2-RECUVA-ADVANCED recovery method: It is better to go for RECUVA-ADVANCED recovery method than wizard mode for recovery of complex files and folders. In this method one can go through scanning process much more effectively by much more fast searching of files which has name ,location and type which you had previously. The process is: After opening the software click on “do not show wizard” to disable the wizard ,then close the application and re-open it for advanced mode. Now mention the details of the file, for better results mention the ,drive in which you want to perform the application, type of file. Then click on scan to start the process which will then display the results in a window, now you have to check and identify the deleted files for recovery. You can also recover multiple files at a time. After identifying, select the destination for file transfer. If you didn’t find any files of yours ,then run the “deep scan” and repeat the process. .