Post 58 - Gaining evidence
Task 14, Day 08, Disk forensics: Have a Holly, Jolly Byte!
Forensic lab analysts mount USB drives to a write blocker to prevent accidental data tampering during analysis.
FTK Imager allows specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity as evidence during trial in a court of law. It can also view and recover deleted files by selecting Export files in the context menu of a file or directory. The integrity of a drive or image can be verified by selecting it in the Evidence Tree pane and selecting File > Verify Drive/Image to obtain its MD5 and SHA1 hashes.
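The same integrity check can be repeated outside the tool. The script below is an added example, not FTK Imager's own code: it hashes an image file read-only in a single pass and compares the MD5 and SHA1 values with the ones recorded at acquisition. The function names and the sample image are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never load fully into memory


def hash_image(path):
    """Return (md5_hex, sha1_hex) for the file at path, computed in one read pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:  # read-only: the evidence file is never modified
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, recorded_md5, recorded_sha1):
    """Compare fresh hashes with the ones recorded at acquisition time."""
    md5_hex, sha1_hex = hash_image(path)
    return {
        "md5": md5_hex,
        "sha1": sha1_hex,
        "md5_match": md5_hex == recorded_md5.strip().lower(),
        "sha1_match": sha1_hex == recorded_sha1.strip().lower(),
    }


def demo():
    """Constructed sample: a small fake 'image', then a one-byte change to a copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "sample.dd")
        data = b"constructed sample image data\x00" * 4096
        with open(original, "wb") as fh:
            fh.write(data)
        recorded = hash_image(original)  # stands in for the acquisition-time hashes

        altered = os.path.join(tmp, "altered.dd")
        with open(altered, "wb") as fh:
            fh.write(data[:-1] + b"\x01")  # change only the final byte

        intact = verify_image(original, *recorded)
        tampered = verify_image(altered, *recorded)
        return intact, tampered


if __name__ == "__main__":
    for label, result in zip(("original", "altered"), demo()):
        print(label, result)
```

A single changed byte makes both hashes differ from the recorded values, which is why the hashes are noted at acquisition and checked again before analysis.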
The task
Use FTK Imager to reveal details about the plot.
Recommended room
Digital Forensics Case B4DM755