Digital Forensics

Mock Forensics investigation

This project looked at carrying out a forensic investigation based on suspected malicious activity. In particular, it used a range of tools and methods to build an accurate picture of what happened during the incident, simulating the process a digital forensic investigator would follow. Because the project was a simulation of a real incident rather than a Capture The Flag style exercise like those I had dealt with before, the solutions were less obvious and required a broad analysis of all the available evidence.

Investigation of a Windows Disk Image:
  • Carried out integrity checks through hashing to ensure that the image remained unchanged.
  • Investigated using Autopsy to identify any files of interest within the image.
  • Carried out manual file carving of hidden files within the disk image.
  • Documented investigation through contemporaneous notes.
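The integrity check in the first bullet is the step that makes every later finding defensible: the image is hashed at acquisition, and the hash is recomputed before (and after) analysis to show the evidence was not altered. The script below is an added example, not part of the original project; it hashes a file in chunks, compares the result with the digest recorded at acquisition, and returns a record that can be pasted into contemporaneous notes. The "image" it checks is a constructed stand-in written to a temporary directory, and the deliberate one-byte write simulates an accidental modification such as mounting the image read-write.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read the image 1 MiB at a time so large images fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, computed in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_digest, algorithm="sha256"):
    """Recompute the digest and compare it with the one recorded at acquisition.

    Returns a record suitable for contemporaneous notes: what was hashed, when,
    with which algorithm, and whether it still matches the acquisition hash.
    """
    actual = hash_file(path, algorithm)
    return {
        "path": path,
        "algorithm": algorithm,
        "expected": expected_digest,
        "actual": actual,
        "match": actual.lower() == expected_digest.lower(),
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed scenario: verify a stand-in image, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            # Constructed sample data, not a real disk image.
            fh.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4088)

        acquisition_hash = hash_file(image)  # the value that would be recorded at acquisition
        before = verify_image(image, acquisition_hash)

        # Simulate an accidental write to the evidence (e.g. a read-write mount).
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")

        after = verify_image(image, acquisition_hash)
        return before["match"], after["match"]


if __name__ == "__main__":
    matched_before, matched_after = demo()
    print(f"integrity before analysis: {matched_before}, after stray write: {matched_after}")
```

In practice the acquisition hash comes from the imaging tool's log or the chain-of-custody form, and the verification record (with its timestamp) is kept alongside the notes so that the check itself is documented.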
Investigation of MFT Records:
  • Identified accounts of interest regarding the investigation.
  • Followed timelines of the events carried out, including the deletion of files.
  • Identified the use of tools attempting to manipulate evidence, such as modifying a file's creation time.
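The timeline and timestamp-manipulation bullets above rest on a property of NTFS: each MFT record carries two sets of timestamps, $STANDARD_INFORMATION (which user-mode tools can rewrite) and $FILE_NAME (which the kernel maintains). A creation time in $STANDARD_INFORMATION that predates the one in $FILE_NAME, or timestamps with an exactly zero sub-second part, are common indicators of timestomping. The code below is an added example, not part of the original project; it works on constructed records shaped like the output of an MFT parser (the field names are my own assumption, not any tool's format), flags suspicious records, and builds a sorted timeline that keeps deleted (unallocated) entries visible. NTFS stores 100 ns ticks; the example approximates these with Python microseconds.

```python
from datetime import datetime, timezone


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample records (not real evidence). "si" holds the
# $STANDARD_INFORMATION times, "fn" the $FILE_NAME times, and in_use=False
# marks an unallocated record, i.e. a deleted file whose entry still exists.
SAMPLE_RECORDS = [
    {"record": 41, "name": "quarterly_report.xlsx", "in_use": True,
     "si": {"created": ts("2023-03-02T09:14:22.481213"),
            "modified": ts("2023-03-02T09:40:11.003882"),
            "accessed": ts("2023-03-04T17:50:30.117650")},
     "fn": {"created": ts("2023-03-02T09:14:22.481213"),
            "modified": ts("2023-03-02T09:14:22.481213")}},
    {"record": 57, "name": "cleaner.exe", "in_use": True,
     "si": {"created": ts("2019-01-01T00:00:00.000000"),   # backdated by a tool
            "modified": ts("2019-01-01T00:00:00.000000"),
            "accessed": ts("2023-03-04T17:52:09.771004")},
     "fn": {"created": ts("2023-03-04T17:52:09.771004"),   # kernel-maintained, untouched
            "modified": ts("2023-03-04T17:52:09.771004")}},
    {"record": 63, "name": "notes.txt", "in_use": False,   # deleted file
     "si": {"created": ts("2023-03-03T11:02:45.908311"),
            "modified": ts("2023-03-04T17:49:58.220077"),
            "accessed": ts("2023-03-04T17:49:58.220077")},
     "fn": {"created": ts("2023-03-03T11:02:45.908311"),
            "modified": ts("2023-03-03T11:02:45.908311")}},
]


def timestomp_indicators(rec):
    """Return a list of reasons this record's $STANDARD_INFORMATION times look manipulated."""
    flags = []
    # $FILE_NAME creation time is set by the kernel; SI should never be earlier than it.
    if rec["si"]["created"] < rec["fn"]["created"]:
        flags.append("SI created predates FN created")
    # Naturally written timestamps almost never land on an exact second;
    # a zero sub-second part is a frequent artifact of timestamp-setting utilities.
    for field in ("created", "modified"):
        if rec["si"][field].microsecond == 0:
            flags.append(f"SI {field} has zero sub-second part")
    return flags


def suspicious_records(records):
    """Map file name -> indicators, for records that have at least one."""
    result = {}
    for rec in records:
        flags = timestomp_indicators(rec)
        if flags:
            result[rec["name"]] = flags
    return result


def build_timeline(records):
    """Flatten SI timestamps into (time, record, name, event, allocation) tuples, sorted by time."""
    events = []
    for rec in records:
        state = "allocated" if rec["in_use"] else "deleted"
        for field in ("created", "modified", "accessed"):
            events.append((rec["si"][field], rec["record"], rec["name"], f"si_{field}", state))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for name, flags in suspicious_records(SAMPLE_RECORDS).items():
        print(f"{name}: {'; '.join(flags)}")
    for when, record, name, event, state in build_timeline(SAMPLE_RECORDS):
        print(f"{when.isoformat()}  #{record:<4} {name:<24} {event:<12} {state}")
```

In the constructed sample, cleaner.exe sorts to the top of the timeline because of its 2019 creation time, which is exactly the kind of anomaly the $FILE_NAME comparison exposes; the deleted notes.txt still appears because its MFT entry, though unallocated, has not been reused.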
Investigation of an image file:
  • Identified information from metadata that assisted the investigation, such as location data.
  • Identified evidence of manipulation of the image data and of hidden information.
  • Recovered data hidden through steganography.
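The steganography bullet above is usually, in a mock investigation, least-significant-bit (LSB) hiding: one payload bit is written into the lowest bit of each pixel sample, which changes the picture imperceptibly. The code below is an added example, not part of the original project; it reconstructs the recovery step over a constructed carrier (a byte array standing in for raw pixel samples, so no image library is needed). The payload layout it assumes, a 4-byte big-endian length followed by the data, is my own convention for the example rather than any particular tool's; the embed function exists only to produce a test carrier, and the extractor refuses implausible length prefixes so that running it over a clean image returns None instead of garbage.

```python
LENGTH_PREFIX_BYTES = 4

# Constructed carrier: 4096 pseudo pixel samples, not a real image.
CARRIER = bytes((x * 37 + 11) % 256 for x in range(4096))


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(carrier):
    """Payload bytes the carrier can hold once the length prefix is accounted for."""
    return len(carrier) // 8 - LENGTH_PREFIX_BYTES


def embed_lsb(carrier, payload):
    """Return a copy of `carrier` whose LSBs hold the length prefix and `payload`.

    Used here only to build a sample; a real case starts from the suspect image.
    """
    if len(payload) > capacity_bytes(carrier):
        raise ValueError("carrier too small for payload")
    message = len(payload).to_bytes(LENGTH_PREFIX_BYTES, "big") + payload
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(out)


def _read_lsb_bytes(carrier, offset_bits, nbytes):
    """Reassemble `nbytes` from consecutive LSBs starting at bit `offset_bits`."""
    value = 0
    for i in range(nbytes * 8):
        value = (value << 1) | (carrier[offset_bits + i] & 1)
    return value.to_bytes(nbytes, "big")


def extract_lsb(carrier):
    """Recover a length-prefixed payload from the LSB plane, or None if none is plausible."""
    if len(carrier) < LENGTH_PREFIX_BYTES * 8:
        return None
    length = int.from_bytes(_read_lsb_bytes(carrier, 0, LENGTH_PREFIX_BYTES), "big")
    # A zero length or one exceeding the carrier means the LSB plane is not our format.
    if length == 0 or length > capacity_bytes(carrier):
        return None
    return _read_lsb_bytes(carrier, LENGTH_PREFIX_BYTES * 8, length)


if __name__ == "__main__":
    sample = embed_lsb(CARRIER, b"constructed hidden note")
    print("clean carrier  ->", extract_lsb(CARRIER))
    print("stego carrier  ->", extract_lsb(sample))
```

With real evidence the carrier would be the decoded pixel buffer of the suspect image (for example from Pillow's Image.tobytes()), and the same extractor would be tried across colour channels and bit orders, since tools differ in how they lay the payload out.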
Investigation of Windows Registry Files:
  • Followed a timeline of the user's behaviour during the incident.
  • Identified which external devices and network connections were used during the incident.