broken her silence, and acknowledged that the most incendiary parts of the story she and others told about Emmett — claims that seem tame today but were more than enough to get a black person killed in Jim Crow-era Mississippi — were false.
The woman, Carolyn Bryant Donham, spoke to Timothy B. Tyson, a Duke University professor — possibly the only interview she has given to a historian or journalist since shortly after the episode — who has written a book, “The Blood of Emmett Till,” to be published next week.
In it, he wrote that she said of her long-ago allegations that Emmett grabbed her and was menacing and sexually crude toward her, “that part is not true.”
The revelations were first reported on Friday by Vanity Fair.
As a matter of narrow justice, it makes little difference; true or not, her claims did not justify any serious penalty, much less death.
The two white men who were accused of murdering Emmett in 1955 — and later admitted it in a Look Magazine interview — were acquitted that year by an all-white, all-male jury, and so could not be retried.
They and others suspected of involvement in the killing died long ago.
But among thousands of lynchings of black people, this one looms large in the country’s tortured racial history, taught in history classes to schoolchildren, and often cited as one of the catalysts for the civil rights movement.
Photographs in Jet Magazine of Emmett’s gruesomely mutilated body — at a funeral that his mother insisted have an open coffin, to show the world what his killers had done — had a galvanizing effect on black America.
The case has refused to fade, revived in a long list of writings and works of art, including, recently, “Writing to Save a Life: The Louis Till File,” a book that unearths the case of Emmett’s father, a soldier who was executed by the Army on charges of murder and rape.
The Justice Department began an investigation into the Emmett Till lynching in 2004, Emmett’s body was exhumed for an autopsy, and the F.B.I. rediscovered the long-missing trial transcript. But in 2007, a grand jury decided not to indict Ms. Donham, or anyone else, as an accomplice in the murder.
“I was hoping that one day she would admit it, so it matters to me that she did, and it gives me some satisfaction,” said Wheeler Parker, 77, a cousin of Emmett’s who lives near Chicago. “It’s important to people understanding how the word of a white person against a black person was law, and a lot of black people lost their lives because of it. It really speaks to history, it shows what black people went through in those days.”
Patrick Weems, project coordinator at the Emmett Till Interpretive Center, a museum in Sumner, Miss., said, “I think until you break the silence, there is still that implied consent to the false narrative set forth in 1955.”
“It matters that she recanted,” he added.
Emmett, who lived in Chicago, was visiting relatives in Money, a tiny hamlet in the Mississippi Delta region when, on Aug. 24, 1955, he went into a store owned by Roy and Carolyn Bryant, a married couple, and had his fateful encounter with Ms. Bryant, then 21.
Four days later, he was kidnapped from his uncle’s house, beaten and tortured beyond recognition, and shot in the head. His body was tied with barbed wire to a cotton gin fan and thrown into the Tallahatchie River.
Roy Bryant and his half brother, J. W. Milam, were arrested and charged with murder.
What happened in that store is unclear, but it has usually been portrayed as an example of a black boy from up North unwittingly defying the strict racial mores of the South at the time. Witnesses said that Emmett wolf-whistled at Ms. Bryant, though even that has been called into doubt.
Days after the arrest, Ms. Bryant told her husband’s lawyer that Emmett had insulted her, but said nothing about physical contact, Dr. Tyson said. Five decades later, she told the F.B.I. that he had touched her hand.
But at the trial, she testified — without the jury present — that Emmett had grabbed her hand, she pulled away, and he followed her behind the counter, clasped her waist, and, using vulgar language, told her that he had been with white women before.
“She said that wasn’t true, but that she honestly doesn’t remember exactly what did happen,” Dr. Tyson said in an interview on Friday.
Ms. Donham, now 82, could not be reached for comment.
Dr. Tyson said that in 2008, he got a call from Ms. Donham’s daughter-in-law, who said they had liked another book of his, and wanted to meet him.
It was in that meeting that she spoke to him about the Till case, saying, “Nothing that boy did could ever justify what happened to him.”
Dr. Tyson said that motivated him to write about the case.
Ms. Donham told him that soon after the killing, her husband’s family hid her away, moving her from place to place for days, to keep her from talking to law enforcement.
She has said that Roy Bryant, whom she later divorced, was physically abusive to her.
“The circumstances under which she told the story were coercive,” Dr. Tyson said. “She’s horrified by it. There’s clearly a great burden of guilt and sorrow.”
Devery S. Anderson, author of a 2015 history, “Emmett Till: The Murder That Shocked the World and Propelled the Civil Rights Movement,” said, “I’ve encountered so many people who want someone be punished for the crime, to have anyone still breathing held responsible, and at this point, that’s just her.”
But what matters now, he said, is the truth. It has been clear for decades that she lied in court, he said, “to get it from her own mouth after so many years of silence is important.”
For his part, Mr. Parker, a pastor, said he harbors no ill will toward Ms. Donham, and hopes that her admission brings her peace.
“I can’t hate,” he said. “Hate destroys the hater, too. That’s a heavy burden to carry.”
Woman Linked to 1955 Emmett Till Murder Tells Historian Her Claims Were False
Carolyn Bryant Donham in 1955. Gene Herrick/Associated Press
Emmett Till was 14 when he was killed in 1955. Associated Press
Emmett Till’s mother at his funeral in 1955. She had insisted that the coffin be open, to show the world what his killers had done. Chicago-Sun Times, via Associated Press
folder, and then click Next. In the Additional Information window, type C08InChp for the case number, enter your name for the examiner, and then click Finish.
2. In the Add Data Source window, leave the default selection Disk Image or VM file in the Type of Data Source to Add section, and then click Next.
3. In the Select Data Source window, click the Browse button, navigate to your work folder, click C08InChp.dd, and click Open. Then click Next.
4. In the Configure Ingest Modules window, you can select what type of processing you want, such as a hash lookup or an Exif parser (see Figure 8-7). Leave the default selections, click Next, and then click Finish.
5. In the left pane of Autopsy’s main window, click to expand Extracted Content, if necessary, and then click EXIF Metadata. Examine the files displayed in the upper-right pane (see Figure 8-8). As you scroll through these files, notice that the hexadecimal codes haven’t been altered. (In the e-mail Tom Johnson sent, the JFIF code was supposedly altered.)
Note
Before starting this activity, create the C:\Work\Chap08\Chapter folder on your system (referred to as your “work folder” in steps). Then download the
Note
In Figure 8-10, the header for this JPEG file has been overwritten with zzzz. This unique header information might give you additional search values that could minimize false-positive hits in subsequent searches.
6. Click the Keyword Search down arrow at the upper right. To verify that no other codes have been altered, you should check whether a change has been made to the FIF format. In the text box, type FIF (all uppercase letters), click the Exact Match option, and then click Search. There are no results. Next, type fif (all lowercase letters), click the Substring Search option, and then click Search. Your results should be similar to what’s shown in Figure 8-9.
7. To view the changes made to the file header, you need to see the hexadecimal code. To do this, click the Hex tab in the lower-right pane, if necessary, and scroll down through the files until you see “zzzz” in the file header, as shown in Figure 8-10. You should be viewing the gametour2.exe file.
8. Click the File Metadata tab to view the written, accessed, and created dates and times along with the sectors used by the file (see Figure 8-11).
9. In the search results, right-click the gametour2.exe file and click Extract File(s). In the Save As dialog box, navigate to your work folder, type
The next section shows you how to rebuild header data from this recovered file by using WinHex, although any hexadecimal editor has the capability to examine and repair damaged file headers. From a digital forensics view, this procedure can be considered corrupting the evidence, but knowing how to reconstruct data, as in the preceding example, is part of an investigator’s job. When you change data as part of the recovery and analysis process, make sure you document each step as part of your reporting procedures. Your documentation should be detailed enough that other investigators could repeat the steps, which increases the credibility of your findings. When you’re rebuilding a corrupted evidence image file, create a new file and leave the original file in its initial corrupt condition.
Rebuilding File Headers
Before attempting to edit a graphics file you have recovered, try to open it with an image viewer, such as the default Microsoft tool. To test whether you can view the image, double-click the recovered file in its current location in File Explorer. If you can open and view the image, you have recovered the graphics file successfully. If the image isn’t displayed, you have to inspect and correct the header values manually.
If some of the data you recovered from the graphics file header is corrupt, you
CHAPTER 8 Recovering Graphics Files 357
If you can’t open a graphics file in an image viewer, the next step is to examine the file’s header data to see whether it matches the header in a good JPEG file. If the header doesn’t match, you must insert the correct hexadecimal values manually with a hexadecimal editor. To inspect a file with WinHex, follow these steps:
1. Start WinHex, and click File, Open from the menu. Navigate to your work folder, and then double-click Recover1.jpg. If necessary, click OK. Figure 8-13 shows this file open in WinHex.
Figure 8-13 Recover1.jpg open in WinHex
Source: X-Ways AG, www.x-ways.net
Callouts: Offset position 0; Offset position 6
2. At the top of the WinHex window, notice that the hexadecimal values starting at the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth position (offset 6) is also 7A. Leave WinHex open for the next activity.
As mentioned, a standard JFIF JPEG file has a header value of FF D8 FF E0 from offset 0 and the label name JFIF starting at offset 6. Using WinHex, you can correct this file header manually by following these steps:
3. Click File, Save As from the menu. In the Save File As dialog box, navigate to your work folder, type Fixed1.jpg as the filename, and then click Save. If you’re using the demo version of WinHex, you get an error message because of the file size. Exit WinHex.
Figure 8-14 Inserting correct hexadecimal values for a JPEG file
Source: X-Ways AG, www.x-ways.net
Callouts: Inserting FF D8 FF E0 starting at offset 0; After changing z to an uppercase J
Tip
In WinHex, when you type a keyboard character in the right pane, the corresponding hexadecimal value appears in the center pane. So, for example, when you type J in the right pane, the hexadecimal value 4A appears in the center pane.
Note
In WinHex Demo, you can save only up to 200 KB of data in a file.
Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Every two hexadecimal values you entered in the previous steps are equivalent to one ASCII character. For example, an uppercase “A” has the hexadecimal value 41, and a lowercase “a” has the hexadecimal value 61. Most disk editors have a reference chart for converting hexadecimal values to ASCII characters, such as in Figure 8-15.
Figure 8-15 ASCII equivalents of hexadecimal values (axes: first hexadecimal number, second hexadecimal number)
After you repair a graphics file header, you can test the updated file by opening it in an image viewer, such as Windows Photo Viewer, IrfanView, ThumbsPlus, QuickView, or ACDSee. If the file displays the image, as shown in Figure 8-16, you have performed the recovery correctly.
Figure 8-16 Fixed1.jpg open in an image viewer
The process of repairing file headers isn’t limited to JPEG files. You can apply the same technique to any file you can determine the header value for, including Microsoft Word, Excel, and PowerPoint documents and other image formats. You need to know only the correct header format for the type of file you’re attempting to repair.
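The header repair described in this section, done in a script, as an added example (not code from the textbook or from WinHex): it writes the corrected bytes to a new file, leaves the original untouched, and returns a record of every changed byte with hashes of both files so the step can be documented and repeated. The function names and the 22-byte sample are constructed for illustration; the filenames Recover1.jpg and Fixed1.jpg follow the activity.

```python
import hashlib
import tempfile
from pathlib import Path

JFIF_MAGIC = bytes.fromhex("FFD8FFE0")  # standard JFIF bytes at offset 0
JFIF_LABEL = b"JFIF"                    # label expected at offset 6
LABEL_OFFSET = 6


def make_altered_sample() -> bytes:
    """Constructed sample: a minimal JFIF-style header altered as described above."""
    good = JFIF_MAGIC + bytes.fromhex("0010") + JFIF_LABEL + bytes(10) + b"\xff\xd9"
    bad = bytearray(good)
    bad[0:4] = b"zzzz"          # 7A 7A 7A 7A at offset 0
    bad[LABEL_OFFSET] = 0x7A    # "J" replaced by "z" at offset 6
    return bytes(bad)


def inspect_header(data: bytes) -> dict:
    """Compare the header bytes against the standard JFIF values."""
    label = data[LABEL_OFFSET:LABEL_OFFSET + 4]
    return {
        "first4": data[:4].hex(" ").upper(),
        "label": label.decode("ascii", errors="replace"),
        "magic_ok": data[:4] == JFIF_MAGIC,
        "label_ok": label == JFIF_LABEL,
        # Only the first label byte differs (e.g. "zFIF"), so the "FIF"
        # remnant is still present at offsets 7-9.
        "label_partial": len(label) == 4 and label != JFIF_LABEL
                         and label[1:].upper() == b"FIF",
    }


def repair_jfif_header(src: Path, dst: Path) -> dict:
    """Write a repaired copy to dst, leave src untouched, return an audit record."""
    if dst.exists():
        raise FileExistsError(f"refusing to overwrite {dst}")
    original = src.read_bytes()
    state = inspect_header(original)
    if state["magic_ok"] and state["label_ok"]:
        raise ValueError("header already matches JFIF")
    if not (state["label_ok"] or state["label_partial"]):
        raise ValueError("no JFIF label remnant at offset 6; refusing blind repair")

    fixed = bytearray(original)
    changes = []  # one entry per byte actually modified, for the case notes
    for start, good in ((0, JFIF_MAGIC), (LABEL_OFFSET, JFIF_LABEL)):
        for pos, byte in enumerate(good, start):
            if fixed[pos] != byte:
                changes.append({"offset": pos, "old": f"{fixed[pos]:02X}",
                                "new": f"{byte:02X}"})
                fixed[pos] = byte
    dst.write_bytes(fixed)
    return {
        "source": src.name,
        "source_sha256": hashlib.sha256(original).hexdigest(),
        "output": dst.name,
        "output_sha256": hashlib.sha256(bytes(fixed)).hexdigest(),
        "changes": changes,
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:  # stand-in for the work folder
        src, dst = Path(work, "Recover1.jpg"), Path(work, "Fixed1.jpg")
        src.write_bytes(make_altered_sample())
        print(inspect_header(src.read_bytes()))
        record = repair_jfif_header(src, dst)
        for change in record["changes"]:
            print(change)
        print(record["source_sha256"], "->", record["output_sha256"])
```

The refusal to repair when no "FIF" remnant is found at offset 6 keeps the script from stamping a JPEG header onto a file that was never a JFIF image.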
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations. Retrieved from http://ebookcentral.proquest.com
Hands-On Projects
Create the C:\Work\Chap08\Projects folder on your system before starting these projects. If necessary, copy all data files from the downloads section for this chapter (on the student companion site for this book) to your work folder.
Hands-On Project 8-1
In this project, you use Autopsy for Windows to locate and extract JPEG files with altered extensions. Some of these files are embedded in files with non-JPEG extensions. Find the C08frag.dd file in your work folder, and then follow these steps:
1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08frag in the Case Name text box, and click Next. Enter C08Frag for the case number and your name as the examiner, and then click Finish.
2. In the Add Data Source window, click Disk Image or VM file in the Select Type of Data Source to Add section, if necessary, and then click Next. In the Select Data Source window, click the Browse button. In the Open dialog box, navigate to your work folder, and click C08frag.dd. Click Open, and then click Next. Accept all the default selections in the Configure Ingest Modules window, and click Next and then Finish.
3. Click the Keyword Search down arrow at the upper right. Type jfif in the text box, click the Substring Match option, and then click Search.
4. Click each file in the search results that doesn’t have a .jpg extension. Then examine the contents of each file to find any occurrences of a JFIF label. Right-click a file with a JFIF label, point to Tag Files, and click Tag and Comment. In the Comment text box, type Recovered hidden .jpg file, and then click OK. Repeat this procedure for each file with a JFIF label.
5. Click Generate Report. Click the Results - HTML option button for the report format, and then click Next. Click All Results, and then click Finish. Click the report link, and examine your report in the browser window that opens.
6. Exit Autopsy for Windows, saving your project when prompted.
Hands-On Project 8-2
In this project, you continue examining the files found by IT staff at Superior Bicycles. In the in-chapter activity, you recovered three files containing zzzz for the first 4 bytes of altered JPEG files. These altered files had different extensions to hide the fact that they’re graphics files.
Find the C08carve.dd file in your work folder. This image file is a new drive acquisition the IT staff made. The CEO wants to know whether any similar files on this drive match the files you recovered from the first USB drive. Because you know that the files you recovered earlier have zzzz for the first 4 bytes, you can use it as your search string to see whether similar files are on this drive.
1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08carve in the Case Name text box, and click Next. In the Additional Information window, type the date in the Case Number text box and your name in the Examiner text box. Click Finish.
2. In the Select Data Source window, click the Browse button, navigate to your work folder, click c08carve.dd, and then click Open. Then click Next.
3. Next, click the Keyword Search down arrow. In the text box, type zzzz, click the Exact Match option button, and then click Search.
4. Click each file in the search results to display its contents. If the file contains zzzz at the beginning of the sector, right-click the file, point to Tag Files, and click Tag and Comment. In the Comment text box, type Similar file, and then click OK.
5. Click the gametour5.exe file. Ctrl+click to select gametour1.exe, gametour2.exe, gametour3.exe, gametour4.exe, and gametour6.exe. Right-click the selection, point to Tag Files, and click Tag and Comment. In the Comment text box, type Additional similar files, and then click OK.
6. Click Generate Report. Click the Results - HTML option button, and then click Next. Click All Results, and then click Finish. Examine the results in the browser window, and then exit Autopsy.
Hands-On Project 8-3
In this project, you use IrfanView to open graphics files and save them in a compressed graphics format different from the original format. You should note any changes in image quality after converting files to a different format. Download IrfanView from www.irfanview.com and install it, and then follow these steps:
1. Start IrfanView. Click File, Open from the menu. In the Open dialog box, navigate to your work folder, and then double-click SPIDER.bmp to open the file.
2. Click File, Save as from the menu. Change the file type to JPG and save the file as Spider.jpg in the same location.
3. Save Spider.jpg as Spider2.bmp in the same location.
4. Open these three graphics files in new sessions of IrfanView and compare the files. Document any changes you notice.
5. Open FLOWER.gif from your work folder, and save it as Flower.jpg in the same location.
Tip
If your screen is cluttered with too many open IrfanView windows, close a few that you’re no longer working with.
6. Save Flower.jpg as Flower2.gif in the same location.
7. Open these three graphics files in new sessions of IrfanView, and document any changes you see when comparing the files.
8. Open Cartoon.bmp from your work folder, and save it as Cartoon.gif in the same location.
9. Save Cartoon.gif as Cartoon2.bmp in the same location.
10. Open these three graphics files in new sessions of IrfanView, and document any changes you see when comparing the files.
11. Exit all instances of IrfanView. Summarize your conclusions in a brief report and submit it to your instructor.
Hands-On Project 8-4
In this project, you use S-Tools4 to create a steganography file for hiding an image. Download S-Tools4 from http://packetstormsecurity.com/files/21688/s-tools4.zip.html or www.4shared.com/zip/q764vcPu/s-tools4.htm, install the program, and then follow these steps:
1. In File Explorer, navigate to where you installed S-Tools4, and start the program by double-clicking S-Tools.exe. If necessary, click Run, and then click Continue, if necessary.
2. Drag RUSHMORE.bmp from your work folder to the S-Tools window.
3. To hide text in the RUSHMORE.bmp file, drag Findme.txt from your work folder to the RUSHMORE.bmp image.
4. In the Hiding dialog box, type FREEDOM in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Steg.bmp in your work folder.
6. Close the Steg.bmp and RUSHMORE.bmp windows, but leave S-Tools open for the next project.
Hands-On Project 8-5
In this project, you use S-Tools4 to create a secret message in a bitmap file and compare this steganography file with the original file by using the DOS comp command. You need S-Tools4 and the Mission.bmp and USDECINP.rtf files in your work folder. First, follow these steps to create a steganography file:
1. If you have exited S-Tools4, start it by double-clicking S-Tools.exe in File Explorer.
2. Drag Mission.bmp from your work folder to the S-Tools window.
3. Next, drag USDECINP.rtf from your work folder to the Mission.bmp image.
4. Type hop08-5 in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Mission-steg.bmp in your work folder. Exit S-Tools.
Next, you use the DOS comp command to compare these two files and redirect the output to a text file for further analysis:
1. To open a command prompt window in Windows, click the Search icon, type cmd, and then press Enter. (In earlier Windows versions, you can click Start, type cmd in the “Search for programs and files” text box, and then press Enter.)
Assessment item 3 - Tasks and Forensics Report
Value: 25%
TASK
Task 1: Recovering scrambled bits (5%) (5 marks)
For this task I will upload a text file with scrambled bits on the subject interact2 site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.
Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.
Task 2: Digital Forensics Report (20%) (20 marks)
In this major task you are asked to prepare a digital forensic report for the following scenario after carefully reading the scenario and looking at textbook figures as referred below: You are investigating a possible intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, is the cousin of Jim Shu, an employee who had been terminated. Bob Aspen is an external contractor and investor who gets a strange e-mail from Terry Sadler about Jim Shu's new project (shown in Figure 8-5 of the textbook on p. 350). Bob forwards the e-mail to Chris Robinson (the president of Superior Bicycles) to inquire about any special projects that might need capital investments. Chris forwards the e-mail to the general counsel, Ralph Benson, asking him to look into it. He also forwards it to Bob Swartz, asking him to have IT look for any e-mails with attachments. After a little investigation, Bob Swartz forwards an e-mail IT found to Chris Robinson (shown in Figure 8-6 of the textbook on p. 350).
Chris also found a USB drive on the desk Tom Johnson was assigned to. Your task is to search for and determine whether the drive contains any proprietary Superior Bicycles, Inc. data in the form of any digital photograph as evidence. In particular, you may look for graphic files such as JPEG on the USB drive hidden with a different format. Note: for the USB drive image, you need to download the "C08InChp.exe" file from the download section of Chapter 8 on the student companion site of the textbook (Nelson, Phillips, & Steuart, 6/e, 2019).
Your task is to search all possible places data might be hidden (e-mails and USB drive) and recover and present any digital evidence in the report.
Deliverable: For this forensic examination, you need to provide a report of 1800-2000 words (approximately 5 A4 pages) in the format described in presentation section below.
RATIONALE
This assessment task will assess the following learning outcome/s:
• be able to determine and explain the legal and ethical considerations for investigating and prosecuting digital crimes.
• be able to formulate a digital forensics process.
• be able to evaluate the technology in digital forensics to detect, prevent and recover from digital crimes.
• be able to analyse data on storage media and various file systems.
• be able to collect electronic evidence without compromising the original data.
• be able to critique and compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation.
• be able to prepare and defend reports on the results of an investigation.
PRESENTATION
The following should be included as minimum requirements in the report structure:
• Executive Summary or Abstract
This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion
• Table of Contents
• Introduction
Background, scope of engagement, forensics tools used and summary of potential findings
• Analysis Conducted
o Description of relevant programs on the examined items
o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc
o Graphic image analysis
• Findings
This section should describe in greater detail the results of the examinations and may include:
o Specific files related to the request
o Other files, including any deleted files that support the findings
o String searches, keyword searches, and text string searches
o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity
o Indicators of ownership, which could include program registration data.
• Conclusion
Summary of the report and results obtained
• References
You must cite references to all material you have used as sources for the content of your work