Computer Forensics
During my computer forensics class at Cal Poly Pomona we learned a great deal upon how to securely acquire evidence to build a case through hard disk data without damaging or modifying the device itself. A large part of the class was learning how to find hidden data within the file structures of the hard disk drive that was intentionally kept encrypted, modified, or deleted.
Within the class we learned to use a write-blocking device to prevent any change of the perpetrators hard disk drive while making virtual images of the disk for further research. With these compressed hard disk images we were able to look deeper in to the file structures of the disks without ruining evidence and provide a more solid case against the culprits to the case we were attempting to solve. After finding incriminating evidence with Access Data Forensic Tool Kit, and OS Forensics we created a report including the destination of the incriminating evidence on the drive. Our team searched the active directory file structures, registry, deleted content folders, changed file extensions, and were even able to decrypt incriminating emails within temporary files. After all research was completed in the lab we were responsible for signing a chain of custody form and locking up the evidence until we were able to continue research further. When we were done finding enough incriminating evidence toward the case we provided hash values for the drive and the drive image we were using for investigation to prove that nothing had been modified during our search.
After all investigations and data collection was complete a mock trial was held and the investigators were held for questioning by the trial. Those who compelled the jury that the individual being investigated was guilty passed the class. Our group had more than enough evidence to incriminate the perpetrator and passed the class with a variety of hidden images found, emails, registry history, and a solid chain of custody compliance.