Hands-On Project 4-3 In this project, you examine a USB drive belonging to Terry, the IT person for M57 Patents. Your job is to ascertain whether Terry is involved in anything illicit or against company policy. 1. Start OSForensics. If necessary, click OK or Yes in the UAC message box. In the OSForensics message box, click Continue Using Trial Version. 2. Click Start in the left pane, if necessary. In the right pane, click Create Case. 3. In the New Case dialog box, enter your name in the Investigator text box. In the Case Name text box, type M57-Terrys USB drive. Fill in the contact details and the organization, and then click Investigate Disk(s) from Another Machine. 4. Click Custom Location for the case folder. Click the Browse button on the lower right, navigate to and click your work folder, and then click OK twice. You should see the Manage Case window. 5. Click the Add Device button to open the “Select device to add” dialog box, and then click the Image File option button. Click the browse button, navigate to the folder you copied images to, and click terry-work-usb-2009-12-11.E01. Click Open. 6. In the message box asking which partition to use, leave the default setting for using the entire image file, and then click OK. Click OK to close the “Select device to add” dialog box. 7. Click the terry-work-usb-2009-12-11.E01 filename at the lower right, and then click the Open button to the left to open the File System Browser window. 8. Click the File Name Search icon in the File System Browser window or the left pane of the main window. In the Search String text box, type kitty*. On the far right, click the Search button. Notice that the “kitty porn” isn’t on his USB drive. 9. Click the Create Index button in the left pane. (Note: You might have to click New Index if the window is showing the results from the index of Charlie’s USB drive.) In the Step 1 of 5 window, click the Use Pre-defined File Types option button, click all the file types listed, and then click Next. 10. In the Step 2 of 5 window, click Charlie’s USB image and click Remove to delete it from the list box, if necessary. Click Add, click terry-work-usb-2009-12-11.E01, click OK, and then click Next. 11. In the Step 3 of 5 window, type Index all file types in the Index Title text box, and then click Start Indexing. When the indexing is finished, which might take up to an hour, click OK in the message box. 12. Click the Open Log button at the lower right, and examine the log. Notice whether any errors were reported and the number of files processed, and then close the log. 13. Click the Manage Case button in the left pane. In the lower-right pane, double-click Terrys USB under the Devices heading, open any text or picture files, and examine them. 14. Scroll to the bottom of the left pane, and click the Exit button. Write a one-to two-page paper explaining the importance of the files you examined. How might they affect a patent case? When you’re finished, exit OSForensics

