The International Society of Forensic Computer Examiners ®
Certified Computer Examiner ®

    Sample Practical Exercise Explanation

    Your report should indicate:

    • You checked the system clock and found it accurate
    • You write protected the diskette
    • You physically examined the diskette and noted any markings
    • You started and maintained a physical chain of custody - Explain your procedures
    • You ran a hash or checksum on the original media and noted the value
    • You wiped and verified the wipe of the target media
    • You made an exact copy of the original media to the wiped and verified media.
    • You ran a hash or checksum on the original media again and the value matched the original value
    • You ran a hash or checksum on the target media and the value matched the original value
    • You provided a logical description of the media
    • The diskette appeared to have been formatted - give your reasons
    • You used a carving utility and "carved" out 3 documents from unallocated space
      • An MS Word Document - "DOC1"
      • An MS Word Document - "DOC2"
      • An Excel Spreadsheet - "DOC3"
    • DOC1
      • You established through the document metadata that the document was originally called "Magna Carta.DOC"
      • The document appeared to contain the Magna Carta
      • You established through the document metadata that the document indicated the Author was "Emma Crook" of the "Really Big Company"
      • You established through the document metadata that the document was last saved on 9/15/04 at 2:22 PM
    • DOC2
      • You established through the document metadata that the document was originally called "Gettysburg Address.DOC"
      • The document appeared to contain the Gettysburg Address
      • You established through the document metadata that the document indicated the Author was "Emma Crook" of the "Really Big Company"
      • You established through the document metadata that the document was last saved on 9/15/04 at 2:25 PM
    • DOC3
      • The document was password protected.
      • You defeated the password "crook" and opened the document
      • The document appeared to contain data that confirmed Mr. Boss's suspicions
      • You established through the document metadata that the document indicated the Author was "Emma Crook" of the "Really Big Company"
      • You established through the document metadata that the document was last saved on 9/15/04 at 2:28 PM
    • Based on Mr. Boss's time line statements and the date and time stamps within the metadata, the apparent formatting of the diskette occurred on 9/15/04 between 2:28 PM and 3:00 PM.
    • Exhibits were provided to Mr. Boss

        •  

Copyright © 2006 ISFCE Corp.

image
image
 image