Create a new case

I'm going to use images from NIST's Computer Forensics Data Sets site:
Personal Computer (PC) – 'EnCase' Image

| Item | Details |
| --- | --- |
| Download Links | pc.E01, pc.E02, pc.E03, pc.E04 (total 7.28 GB compressed by EnCase) - hash |
| Imaging S/W | EnCase Imager 7.10.00.103 |
| Image Format | E01 (Expert Witness Compression Format) converted from VMDK |

| File | Hash |
| --- | --- |
| cfreds_2015_data_leakage_pc.E01 | 72432916933F5A309A8C456B40C9601D1F8D2A4F |
| cfreds_2015_data_leakage_pc.E02 | 0CAF4261ED8432A8B3BAA019B1B28FDF96F79130 |
| cfreds_2015_data_leakage_pc.E03 | BE836C891736C4C0C2253C6803399BF0F2A599BA |
| cfreds_2015_data_leakage_pc.E04 | 9159BFFD56097495F73FBBF967B75EB288B1E3DE |
Using PowerShell to retrieve the image files from the site to the desktop:
Run these two commands; the second one has to be run once for each segment file:
- $client = New-Object System.Net.WebClient
- $client.DownloadFile("https://www.cfreds.nist.gov/data_leakage_case/images/pc/cfreds_2015_data_leakage_pc.E01", "C:\Users\bryan\Desktop\Data_Leakage_pc.E01")
*needs to be done for E01 - E04
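Added example, not part of the original post: the same download run as a loop over all four segments, followed by a hash check of each file against the values in the table above before anything is loaded into Axiom Process. It assumes E02 to E04 sit at the same URL path as E01, that the 40-hex-digit values are SHA-1 digests, and that the current user's Desktop is the destination folder.

```powershell
# Assumptions: same URL path for every segment, published values are SHA-1,
# and $dest (the current user's Desktop) is the destination folder.
$baseUrl = 'https://www.cfreds.nist.gov/data_leakage_case/images/pc'
$dest    = Join-Path $env:USERPROFILE 'Desktop'

# Published hashes, copied from the table above.
$expected = [ordered]@{
    'cfreds_2015_data_leakage_pc.E01' = '72432916933F5A309A8C456B40C9601D1F8D2A4F'
    'cfreds_2015_data_leakage_pc.E02' = '0CAF4261ED8432A8B3BAA019B1B28FDF96F79130'
    'cfreds_2015_data_leakage_pc.E03' = 'BE836C891736C4C0C2253C6803399BF0F2A599BA'
    'cfreds_2015_data_leakage_pc.E04' = '9159BFFD56097495F73FBBF967B75EB288B1E3DE'
}

# Windows PowerShell 5.1 may not offer TLS 1.2 unless asked to.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$client  = New-Object System.Net.WebClient
$results = foreach ($name in $expected.Keys) {
    # Same base name for every segment, as in the original command.
    $local = Join-Path $dest ($name -replace '^cfreds_2015_data_leakage_', 'Data_Leakage_')

    # Skip segments that are already on disk; they are still hashed below.
    if (-not (Test-Path $local)) {
        $client.DownloadFile("$baseUrl/$name", $local)
    }

    $actual = (Get-FileHash -Path $local -Algorithm SHA1).Hash
    [pscustomobject]@{
        File     = Split-Path $local -Leaf
        Expected = $expected[$name]
        Actual   = $actual
        Match    = ($actual -eq $expected[$name])
    }
}
$client.Dispose()

$results | Format-Table -AutoSize

# Stop before processing if any segment differs from the published value.
if ($results.Match -contains $false) {
    throw 'Hash mismatch: re-download the affected segment before processing.'
}
```

Keeping the `$results` table in the case notes records that the evidence files matched the published values before processing began.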
Open Magnet's Axiom Process
Filling in case details
Selecting the evidence source. In this case it is a Windows computer image
Load the evidence image file
Select the image option
Evidence sources added
Sources on the disk image from which artifacts are processed
Options for further processing. You can choose to find keywords from artifact type.
Select Analyze. Magnet Examine will open, and a percentage circle with a time-elapsed bar will track the processing time
Current processing progress percentage shown
The next post will show the examination of this evidence image once processing is done.
Reference:
NIST. (2019). Data Leakage Case. Retrieved from https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html