© 2020 The New York Times Company
By Richard Pérez-Peña
Jan. 27, 2017
For six decades, she has been the silent woman linked to one of
the
most notorious crimes in the nation’s history, the lynching of
Emmett Till, a 14-year-old black boy, keeping her thoughts and
memories to herself as millions of strangers idealized or vilified
her.
But all these years later, a historian says that the woman has
broken her silence, and acknowledged that the most incendiary
parts of the story she and others told about Emmett — claims
that
seem tame today but were more than enough to get a black
person
killed in Jim Crow-era Mississippi — were false.
The woman, Carolyn Bryant Donham, spoke to Timothy B.
Tyson, a
Duke University professor — possibly the only interview she
has
given to a historian or journalist since shortly after the episode
—
who has written a book, “The Blood of Emmett Till,” to be
published next week.
In it, he wrote that she said of her long-ago allegations that
Emmett grabbed her and was menacing and sexually crude
toward
her, “that part is not true.”
The revelations were first reported on Friday by Vanity Fair.
As a matter of narrow justice, it makes little difference; true or
not,
her claims did not justify any serious penalty, much less death.
The two white men who were accused of murdering Emmett in
1955 — and later admitted it in a Look Magazine interview —
were
acquitted that year by an all-white, all-male jury, and so could
not
be retried.
They and others suspected of involvement in the killing died
long
ago.
But among thousands of lynchings of black people, this one
looms
large in the country’s tortured racial history, taught in history
classes to schoolchildren, and often cited as one of the catalysts
for
the civil rights movement.
Photographs in Jet Magazine of Emmett’s gruesomely mutilated
body — at a funeral that his mother insisted have an open
coffin, to
show the world what his killers had done — had a galvanizing
effect on black America.
The case has refused to fade, revived in a long list of writings
and
works of art, including, recently, “Writing to Save a Life: The
Louis
Till File,” a book that unearths the case of Emmett’s father, a
soldier who was executed by the Army on charges of murder
and
rape.
The Justice Department began an investigation into the Emmett
Till lynching in 2004, Emmett’s body was exhumed for an
autopsy,
and the F.B.I. rediscovered the long-missing trial transcript. But
in
2007, a grand jury decided not to indict Ms. Donham, or anyone
else, as an accomplice in the murder.
“I was hoping that one day she would admit it, so it matters to
me
that she did, and it gives me some satisfaction,” said Wheeler
Parker, 77, a cousin of Emmett’s who lives near Chicago. “It’s
important to people understanding how the word of a white
person
against a black person was law, and a lot of black people lost
their
lives because of it. It really speaks to history, it shows what
black
people went through in those days.”
Patrick Weems, project coordinator at the Emmett Till
Interpretive
Center, a museum in Sumner, Miss., said, “I think until you
break
the silence, there is still that implied consent to the false
narrative
set forth in 1955.”
“It matters that she recanted,” he added.
Emmett, who lived in Chicago, was visiting relatives in Money,
a
tiny hamlet in the Mississippi Delta region when, on Aug. 24,
1955,
he went into a store owned by Roy and Carolyn Bryant, a
married
couple, and had his fateful encounter with Ms. Bryant, then 21.
Four days later, he was kidnapped from his uncle’s house,
beaten
and tortured beyond recognition, and shot in the head. His body
was tied with barbed wire to a cotton gin fan and thrown into
the
Tallahatchie River.
Roy Bryant and his half brother, J. W. Milam, were arrested and
charged with murder.
What happened in that store is unclear, but it has usually been
portrayed as an example of a black boy from up North
unwittingly
defying the strict racial mores of the South at the time.
Witnesses
said that Emmett wolf-whistled at Ms. Bryant, though even that
has been called into doubt.
Days after the arrest, Ms. Bryant told her husband’s lawyer that
Emmett had insulted her, but said nothing about physical
contact,
Dr. Tyson said. Five decades later, she told the F.B.I. that he
had
touched her hand.
But at the trial, she testified — without the jury present — that
Emmett had grabbed her hand, she pulled away, and he followed
her behind the counter, clasped her waist, and, using vulgar
language, told her that he had been with white women before.
“She said that wasn’t true, but that she honestly doesn’t
remember
exactly what did happen,” Dr. Tyson said in an interview on
Friday.
Ms. Donham, now 82, could not be reached for comment.
Dr. Tyson said that in 2008, he got a call from Ms. Donham’s
daughter-in-law, who said they had liked another book of his,
and
wanted to meet him.
It was in that meeting that she spoke to him about the Till case,
saying, “Nothing that boy did could ever justify what happened
to
him.”
Dr. Tyson said that motivated him to write about the case.
Ms. Donham told him that soon after the killing, her husband’s
family hid her away, moving her from place to place for days,
to
keep her from talking to law enforcement.
She has said that Roy Bryant, whom she later divorced, was
physically abusive to her.
“The circumstances under which she told the story were
coercive,”
Dr. Tyson said. “She’s horrified by it. There’s clearly a great
burden
of guilt and sorrow.”
Devery S. Anderson, author of a 2015 history, “Emmett Till:
The
Murder That Shocked the World and Propelled the Civil Rights
Movement,” said, “I’ve encountered so many people who want
someone to be punished for the crime, to have anyone still
breathing
held responsible, and at this point, that’s just her.”
But what matters now, he said, is the truth. It has been clear for
decades that she lied in court, he said, “to get it from her own
mouth after so many years of silence is important.”
For his part, Mr. Parker, a pastor, said he harbors no ill will
toward
Ms. Donham, and hopes that her admission brings her peace.
“I can’t hate,” he said. “Hate destroys the hater, too. That’s a
heavy
burden to carry.”
Woman Linked to 1955 Emmett Till
Murder Tells Historian Her Claims
Were False
Carolyn Bryant Donham in 1955. Gene Herrick/Associated
Press
Emmett Till was 14 when he was killed in 1955. Associated
Press
Emmett Till’s mother at his funeral in 1955. She had insisted
that the coffin be open, to
show the world what his killers had done. Chicago-Sun Times,
via Associated Press
CHAPTER 8 Recovering Graphics Files 352
Searching for and Recovering Digital Photograph Evidence
In this section, you learn how to use Autopsy for Windows to
search for and extract
(recover) possible evidence of JPEG files from the USB drive
the EMTS manager gave
you. The search string to use for this examination is “FIF.”
Because it’s part of the
label name of the JFIF JPEG format, you might have several
false hits if the USB drive
contains several other JPEG files. These false hits, referred to
as false positives, require
examining each search hit to verify whether it’s what you are
looking for. In this
activity, you see that Autopsy has an Exif parser.
To begin the examination, follow these steps to load the image
file:
1. Start Autopsy for Windows, and click the Create New Case
button. In the New Case
Information window, type C08InChp for the case name, and
click Browse next to the
Base Directory text box. Navigate to and click your work
folder, and then click Next.
In the Additional Information window, type C08InChp for the
case number, enter
your name for the examiner, and then click Finish.
2. In the Add Data Source window, leave the default selection
Disk Image or VM
file in the Type of Data Source to Add section, and then click
Next.
3. In the Select Data Source window, click the Browse button,
navigate to your
work folder, click C08InChp.dd, and click Open. Then click
Next.
4. In the Configure Ingest Modules window, you can select what
type of processing
you want, such as a hash lookup or an Exif parser (see Figure 8-7). Leave the
default selections, click Next, and then click Finish.
5. In the left pane of Autopsy’s main window, click to expand
Extracted Content,
if necessary, and then click EXIF Metadata. Examine the files
displayed in the
upper-right pane (see Figure 8-8). As you scroll through these
files, notice that
the hexadecimal codes haven’t been altered. (In the e-mail Tom
Johnson sent,
the JFIF code was supposedly altered.)
Note
Before starting this activity, create the
C:\Work\Chap08\Chapter folder on your system
(referred to as your “work folder” in steps). Then download the
C08InChp.exe file in the
downloads section for this chapter on the student companion
site for this book. You should
extract this file to your work folder.
Copyright 2019 Cengage Learning. All Rights Reserved. May
not be copied, scanned, or duplicated, in whole or in part. Due
to electronic rights, some third party content may be suppressed
from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does
not materially affect the overall learning experience. Cengage
Learning reserves the right to remove additional content at any
time if subsequent rights restrictions require it.
Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to
computer forensics and investigations. Retrieved from
http://ebookcentral.proquest.com
Created from csuau on 2020-05-06 16:52:35.
Figure 8-7 Processing options in the Configure Ingest Modules
window
Source: www.sleuthkit.org
Figure 8-8 Parsing Exif metadata in Autopsy
Source: www.sleuthkit.org
Figure 8-9 The results of searching for “fif”
Source: www.sleuthkit.org
Note
In Figure 8-10, the header for this JPEG file has been
overwritten with zzzz. This unique
header information might give you additional search values that
could minimize false-positive
hits in subsequent searches.
6. Click the Keyword Search down arrow at the upper right. To
verify that no other
codes have been altered, you should check whether a change has
been made to
the FIF format. In the text box, type FIF (all uppercase letters),
click the Exact
Match option, and then click Search. There are no results. Next,
type fif (all
lowercase letters), click the Substring Search option, and then
click Search. Your
results should be similar to what’s shown in Figure 8-9.
7. To view the changes made to the file header, you need to see
the hexadecimal
code. To do this, click the Hex tab in the lower-right pane, if
necessary, and
scroll down through the files until you see “zzzz” in the file
header, as shown in
Figure 8-10. You should be viewing the gametour2.exe file.
8. Click the File Metadata tab to view the written, accessed, and
created dates and
times along with the sectors used by the file (see Figure 8-11).
9. In the search results, right-click the gametour2.exe file and
click Extract File(s).
In the Save As dialog box, navigate to your work folder, type
Recover1.jpg for
the filename, and then click Save. Autopsy then creates an
Export subfolder of
your work folder to store this file. In the confirmation message
box, click OK, and
then exit Autopsy.
Figure 8-10 The altered file header
Source: www.sleuthkit.org
File header overwritten with zzzz
Figure 8-11 Viewing all sectors used by the gametour2.exe file
Source: www.sleuthkit.org
The next section shows you how to rebuild header data from
this recovered file
by using WinHex, although any hexadecimal editor has the
capability to examine
and repair damaged file headers. From a digital forensics view,
this procedure can
be considered corrupting the evidence, but knowing how to
reconstruct data, as in
the preceding example, is part of an investigator’s job. When
you change data as part
of the recovery and analysis process, make sure you document
each step as part of
your reporting procedures. Your documentation should be
detailed enough that other
investigators could repeat the steps, which increases the
credibility of your findings.
When you’re rebuilding a corrupted evidence image file, create
a new file and leave the
original file in its initial corrupt condition.
Rebuilding File Headers
Before attempting to edit a graphics file you have recovered, try
to open it with an
image viewer, such as the default Microsoft tool. To test
whether you can view the
image, double-click the recovered file in its current location in
File Explorer. If you
can open and view the image, you have recovered the graphics
file successfully.
If the image isn’t displayed, you have to inspect and correct the
header values
manually.
If some of the data you recovered from the graphics file header
is corrupt, you
might need to recover more pieces of the file before you can
view the image, as you’ll
see in the next section. Because the deleted file you recovered
in the previous activity,
Recover1.jpg, was altered intentionally, you might see an error
message similar to
the one in Figure 8-12 when you attempt to open the file.
Figure 8-12 Error message indicating a damaged or an altered
graphics file
If you can’t open a graphics file in an image viewer, the next
step is to examine
the file’s header data to see whether it matches the header in a
good JPEG file. If the
header doesn’t match, you must insert the correct hexadecimal
values manually with a
hexadecimal editor. To inspect a file with WinHex, follow these
steps:
1. Start WinHex, and click File, Open from the menu. Navigate
to your work folder, and
then double-click Recover1.jpg. If necessary, click OK. Figure
8-13 shows this file
open in WinHex.
Figure 8-13 Recover1.jpg open in WinHex
Source: X-Ways AG, www.x-ways.net
Offset position 0 Offset position 6
2. At the top of the WinHex window, notice that the
hexadecimal values starting at
the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth
position (offset 6)
is also 7A. Leave WinHex open for the next activity.
As mentioned, a standard JFIF JPEG file has a header value of
FF D8 FF E0 from
offset 0 and the label name JFIF starting at offset 6. Using
WinHex, you can correct this
file header manually by following these steps:
1. In the center pane, click to the left of the first 7A
hexadecimal value. Then type
FF D8 FF E0, which are the correct hexadecimal values for the
first 4 bytes of a
JPEG file.
2. In the right pane at offset 6, click the z, and then type J, as
shown in Figure 8-14.
3. Click File, Save As from the menu. In the Save File As
dialog box, navigate to
your work folder, type Fixed1.jpg as the filename, and then
click Save. If
you’re using the demo version of WinHex, you get an error
message because of
the file size. Exit WinHex.
Figure 8-14 Inserting correct hexadecimal values for a JPEG
file
Source: X-Ways AG, www.x-ways.net
Inserting FF D8 FF E0 starting at offset 0 After changing z to
an uppercase J
Tip
In WinHex, when you type a keyboard character in the right
pane, the corresponding
hexadecimal value appears in the center pane. So, for example,
when you type J in the right
pane, the hexadecimal value 4A appears in the center pane.
Note
In WinHex Demo, you can save only up to 200 KB of data in a
file.
Every two hexadecimal values you entered in the previous steps
are equivalent to
one ASCII character. For example, an uppercase “A” has the
hexadecimal value 41, and
a lowercase “a” has the hexadecimal value 61. Most disk editors
have a reference chart
for converting hexadecimal values to ASCII characters, such as
in Figure 8-15.
Figure 8-15 ASCII equivalents of hexadecimal values (chart axes: first hexadecimal number, second hexadecimal number)
After you repair a graphics file header, you can test the updated
file by opening
it in an image viewer, such as Windows Photo Viewer,
IrfanView, ThumbsPlus,
QuickView, or ACDSee. If the file displays the image, as shown
in Figure 8-16, you have
performed the recovery correctly.
Figure 8-16 Fixed1.jpg open in an image viewer
The process of repairing file headers isn’t limited to JPEG files.
You can apply the
same technique to any file you can determine the header value
for, including Microsoft
Word, Excel, and PowerPoint documents and other image
formats. You need to know
only the correct header format for the type of file you’re
attempting to repair.
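The manual WinHex repair described above can also be scripted so that every byte change is recorded and the original file is never touched. The following Python sketch is an added example, not code from the book; the function names, the constructed sample bytes, and the 512-byte sector size are assumptions. It goes slightly beyond the single-file case by also scanning a raw image for sectors that begin with the same altered header.

```python
import hashlib

JPEG_SOI_APP0 = bytes.fromhex("FFD8FFE0")  # correct bytes at offsets 0-3 of a JFIF JPEG
JFIF_LABEL = b"JFIF"                       # label expected at offsets 6-9
ALTERED_MAGIC = b"zzzz"                    # 7A 7A 7A 7A, as seen in the recovered file

# Constructed sample (not real evidence): one 512-byte sector whose JFIF header
# was altered the way the chapter describes (zzzz at offset 0, z at offset 6).
CONSTRUCTED_SAMPLE = (b"zzzz" + b"\x00\x10" + b"zFIF\x00" + b"\x01\x01").ljust(512, b"\x00")


def diagnose_header(data: bytes) -> str:
    """Classify the first 10 bytes as 'valid', 'altered', or 'unknown'."""
    if len(data) < 10:
        return "unknown"
    if data[:4] == JPEG_SOI_APP0 and data[6:10] == JFIF_LABEL:
        return "valid"
    # Altered pattern: zzzz at offset 0, 'z' at offset 6, "FIF" still intact at 7-9.
    if data[:4] == ALTERED_MAGIC and data[6:7] == b"z" and data[7:10] == b"FIF":
        return "altered"
    return "unknown"


def repair_header(data: bytes):
    """Return (repaired_bytes, report). The input bytes are never modified."""
    if diagnose_header(data) != "altered":
        raise ValueError("header does not match the known altered pattern; not patching")
    patches = [(0, JPEG_SOI_APP0), (6, b"J")]  # the two edits made by hand in WinHex
    fixed = bytearray(data)
    changes = []
    for offset, new in patches:
        old = bytes(fixed[offset:offset + len(new)])
        fixed[offset:offset + len(new)] = new
        changes.append({
            "offset": offset,
            "old": old.hex(" ").upper(),
            "new": new.hex(" ").upper(),
        })
    fixed = bytes(fixed)
    report = {
        "original_sha256": hashlib.sha256(data).hexdigest(),
        "repaired_sha256": hashlib.sha256(fixed).hexdigest(),
        "changes": changes,  # detailed enough for another examiner to repeat
    }
    return fixed, report


def repair_to_new_file(src: str, dst: str) -> dict:
    """Write the repaired copy to a NEW file; the original stays as recovered."""
    with open(src, "rb") as f:
        data = f.read()
    fixed, report = repair_header(data)
    # Mode 'x' fails if dst already exists, so src (or any other file)
    # can never be overwritten by the repair.
    with open(dst, "xb") as f:
        f.write(fixed)
    return report


def find_altered_headers(image: bytes, sector_size: int = 512) -> list:
    """Byte offsets of sectors in a raw image that start with the altered header."""
    return [
        off
        for off in range(0, len(image) - 9, sector_size)
        if diagnose_header(image[off:off + 10]) == "altered"
    ]


if __name__ == "__main__":
    repaired, rep = repair_header(CONSTRUCTED_SAMPLE)
    print("original SHA-256:", rep["original_sha256"])
    print("repaired SHA-256:", rep["repaired_sha256"])
    for change in rep["changes"]:
        print("offset {offset}: {old} -> {new}".format(**change))
    image = bytes(512) + CONSTRUCTED_SAMPLE + bytes(512)
    print("altered headers at offsets:", find_altered_headers(image))
```

The report dictionary holds both hashes and the per-offset changes, which is the information the chapter asks you to document when you alter data during recovery.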
Hands-On Projects
Create the C:\Work\Chap08\Projects folder on your system
before starting these projects.
If necessary, copy all data files from the downloads section for
this chapter (on the student
companion site for this book) to your work folder.
Hands-On Project 8-1
In this project, you use Autopsy for Windows to locate and
extract JPEG files with altered
extensions. Some of these files are embedded in files with non-JPEG
extensions. Find the
C08frag.dd file in your work folder, and then follow these
steps:
1. Start Autopsy for Windows, and click the Create New Case
button. In the New Case
Information window, type C08frag in the Case Name text box,
and click Next. Enter
C08Frag for the case number and your name as the examiner,
and then click Finish.
2. In the Add Data Source window, click Disk Image or VM file in
the Select Type of Data
Source to Add section, if necessary, and then click Next. In the
Select Data Source
window, click the Browse button. In the Open dialog box,
navigate to your work folder,
and click C08frag.dd. Click Open, and then click Next. Accept
all the default selections
in the Configure Ingest Modules window, and click Next and
then Finish.
3. Click the Keyword Search down arrow at the upper right.
Type jfif in the text box, click
the Substring Match option, and then click Search.
4. Click each file in the search results that doesn’t have a .jpg
extension. Then examine
the contents of each file to find any occurrences of a JFIF label.
Right-click a file with a
JFIF label, point to Tag Files, and click Tag and Comment. In
the Comment text box,
type Recovered hidden .jpg file, and then click OK. Repeat this
procedure for each file
with a JFIF label.
5. Click Generate Report. Click the Results - HTML option
button for the report format,
and then click Next. Click All Results, and then click Finish.
Click the report link, and
examine your report in the browser window that opens.
6. Exit Autopsy for Windows, saving your project when
prompted.
Hands-On Project 8-2
In this project, you continue examining the files found by IT
staff at Superior Bicycles. In
the in-chapter activity, you recovered three files containing zzzz
for the first 4 bytes of
altered JPEG files. These altered files had different extensions
to hide the fact that they’re
graphics files.
Find the C08carve.dd file in your work folder. This image file is
a new drive acquisition
the IT staff made. The CEO wants to know whether any similar
files on this drive match the
files you recovered from the first USB drive. Because you know
that the files you recovered
earlier have zzzz for the first 4 bytes, you can use it as your
search string to see whether
similar files are on this drive.
1. Start Autopsy for Windows, and click the Create New Case
button. In the New Case
Information window, type C08carve in the Case Name text box,
and click Next. In the
Additional Information window, type the date in the Case
Number text box and your
name in the Examiner text box. Click Finish.
2. In the Select Data Source window, click the Browse button,
navigate to your work
folder, click c08carve.dd, and then click Open. Then click Next.
3. Next, click the Keyword Search down arrow. In the text box,
type zzzz, click the Exact
Match option button, and then click Search.
4. Click each file in the search results to display its contents. If
the file contains zzzz at
the beginning of the sector, right-click the file, point to Tag
Files, and click Tag and
Comment. In the Comment text box, type Similar file, and then
click OK.
5. Click the gametour5.exe file. Ctrl+click to select
gametour1.exe, gametour2.exe,
gametour3.exe, gametour4.exe, and gametour6.exe. Right-click
the selection, point
to Tag Files, and click Tag and Comment. In the Comment text
box, type Additional
similar files, and then click OK.
6. Click Generate Report. Click the Results - HTML option
button, and then click Next.
Click All Results, and then click Finish. Examine the results in
the browser window, and
then exit Autopsy.
Hands-On Project 8-3
In this project, you use IrfanView to open graphics files and
save them in a compressed
graphics format different from the original format. You should
note any changes in
image quality after converting files to a different format.
Download IrfanView from
www.irfanview.com and install it, and then follow these steps:
1. Start IrfanView. Click File, Open from the menu. In the Open
dialog box, navigate to
your work folder, and then double-click SPIDER.bmp to open
the file.
2. Click File, Save as from the menu. Change the file type to
JPG and save the file as
Spider.jpg in the same location.
3. Save Spider.jpg as Spider2.bmp in the same location.
4. Open these three graphics files in new sessions of IrfanView
and compare the files.
Document any changes you notice.
5. Open FLOWER.gif from your work folder, and save it as
Flower.jpg in the same
location.
Tip
If your screen is cluttered with too many open IrfanView
windows, close a few that
you’re no longer working with.
6. Save Flower.jpg as Flower2.gif in the same location.
7. Open these three graphics files in new sessions of IrfanView,
and document any
changes you see when comparing the files.
8. Open Cartoon.bmp from your work folder, and save it as
Cartoon.gif in the same
location.
9. Save Cartoon.gif as Cartoon2.bmp in the same location.
10. Open these three graphics files in new sessions of
IrfanView, and document any
changes you see when comparing the files.
11. Exit all instances of IrfanView. Summarize your conclusions
in a brief report and submit
it to your instructor.
Hands-On Project 8-4
In this project, you use S-Tools4 to create a steganography file for hiding an image. Download S-Tools4 from http://packetstormsecurity.com/files/21688/s-tools4.zip.html or www.4shared.com/zip/q764vcPu/s-tools4.htm, install the program, and then follow these steps:
1. In File Explorer, navigate to where you installed S-Tools4, and start the program by double-clicking S-Tools.exe. If necessary, click Run, and then click Continue, if necessary.
2. Drag RUSHMORE.bmp from your work folder to the S-Tools window.
3. To hide text in the RUSHMORE.bmp file, drag Findme.txt from your work folder to the RUSHMORE.bmp image.
4. In the Hiding dialog box, type FREEDOM in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Steg.bmp in your work folder.
6. Close the Steg.bmp and RUSHMORE.bmp windows, but leave S-Tools open for the next project.
Hands-On Project 8-5
In this project, you use S-Tools4 to create a secret message in a bitmap file and compare this steganography file with the original file by using the DOS comp command. You need S-Tools4 and the Mission.bmp and USDECINP.rtf files in your work folder. First, follow these steps to create a steganography file:
1. If you have exited S-Tools4, start it by double-clicking S-Tools.exe in File Explorer.
2. Drag Mission.bmp from your work folder to the S-Tools window.
3. Next, drag USDECINP.rtf from your work folder to the Mission.bmp image.
4. Type hop08-5 in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Mission-steg.bmp in your work folder. Exit S-Tools.
Next, you use the DOS comp command to compare these two files and redirect the output to a text file for further analysis:
1. To open a command prompt window in Windows, click the Search icon, type cmd, and then press Enter. (In earlier Windows versions, you can click Start, type cmd in the “Search for programs and files” text box, and then press Enter.)
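The following is an added example, not code from the textbook or from S-Tools, showing what a byte-for-byte comparison of an original bitmap and a suspected steganography file can reveal. It assumes the hiding tool writes into the least significant bits of the pixel data, which the page does not state; make_bmp, toy_lsb_embed and all sample bytes are constructed stand-ins.

```python
import struct

PIXEL_OFFSET_FIELD = 10  # bfOffBits in the BMP file header: where pixel data starts


def make_bmp(width, height, pixels):
    """Build a minimal uncompressed 24-bit BMP (constructed sample, not a case file)."""
    if (width * 3) % 4 or len(pixels) != width * 3 * height:
        raise ValueError("rows must be 4-byte aligned and fully populated")
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def toy_lsb_embed(bmp, payload):
    """Stand-in for a hiding tool (assumption): write payload bits into pixel LSBs."""
    out = bytearray(bmp)
    start = struct.unpack_from("<I", bmp, PIXEL_OFFSET_FIELD)[0]
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(bmp) - start:
        raise ValueError("payload too large for this carrier")
    for n, bit in enumerate(bits):
        out[start + n] = (out[start + n] & 0xFE) | bit
    return bytes(out)


def comp_diff(a, b):
    """Byte-for-byte comparison: (offset, byte_in_a, byte_in_b) for each mismatch."""
    if len(a) != len(b):
        raise ValueError("files are different sizes")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def summarize(original, suspect):
    """Classify the mismatches: where they fall and which bits they touch."""
    diffs = comp_diff(original, suspect)
    start = struct.unpack_from("<I", original, PIXEL_OFFSET_FIELD)[0]
    header = sum(1 for off, _, _ in diffs if off < start)
    lsb_only = sum(1 for _, x, y in diffs if (x ^ y) == 1)
    return {
        "differences": len(diffs),
        "header_differences": header,
        "lsb_only_differences": lsb_only,
        "first_offset": diffs[0][0] if diffs else None,
        "last_offset": diffs[-1][0] if diffs else None,
        # Same size, untouched header, every change confined to bit 0:
        # the pattern expected from LSB hiding rather than from editing or re-saving.
        "consistent_with_lsb_hiding": bool(diffs) and header == 0
                                      and lsb_only == len(diffs),
    }


def demo():
    """Run the comparison on two constructed suspects: LSB-modified and edited."""
    pixels = bytes((i * 6) % 256 for i in range(8 * 3 * 8))   # 8x8 image, even values
    original = make_bmp(8, 8, pixels)
    stego = toy_lsb_embed(original, b"FINDME")                # constructed payload
    edited = bytearray(original)
    edited[60] ^= 0x10                                        # ordinary pixel edit
    return summarize(original, stego), summarize(original, bytes(edited))


if __name__ == "__main__":
    stego_report, edited_report = demo()
    for label, report in (("stego", stego_report), ("edited", edited_report)):
        print(label)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

A tool that encrypts or scatters the hidden data produces the same signature (identical size, intact header, single-bit changes), only spread across more of the pixel area.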
Assessment item 3 - Tasks and Forensics Report
Value: 25%
TASK
Task 1: Recovering scrambled bits (5%) (5 marks)
For this task I will upload a text file with scrambled bits on the subject interact2 site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.
Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.
Task 2: Digital Forensics Report (20%) (20 marks)
In this major task you are asked to prepare a digital forensic report for the following scenario, after carefully reading the scenario and looking at the textbook figures referred to below.
You are investigating a possible intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, is the cousin of Jim Shu, an employee who had been terminated. Bob Aspen is an external contractor and investor who gets a strange e-mail from Terry Sadler about Jim Shu's new project (shown in Figure 8-5 of the textbook on p. 350). Bob forwards the e-mail to Chris Robinson (the president of Superior Bicycles) to inquire about any special projects that might need capital investments. Chris forwards the e-mail to the general counsel, Ralph Benson, asking him to look into it. He also forwards it to Bob Swartz, asking him to have IT look for any e-mails with attachments. After a little investigation, Bob Swartz forwards an e-mail IT found to Chris Robinson (shown in Figure 8-6 of the textbook on p. 350).
Chris also found a USB drive on the desk Tom Johnson was assigned to. Your task is to search the drive and determine whether it contains any proprietary Superior Bicycles, Inc. data in the form of digital photographs that can serve as evidence. In particular, you may look for graphics files, such as JPEG files, that are hidden on the USB drive under a different format. Note that for the USB drive image, you need to download the "C08InChp.exe" file from the download section of Chapter 8 on the student companion site of the textbook (Nelson, Phillips, & Steuart, 6/e, 2019).
Your task is to search all possible places data might be hidden (e-mails and USB drive) and recover and present any digital evidence in the report.
Deliverable: For this forensic examination, you need to provide a report of 1800-2000 words (approximately 5 A4 pages) in the format described in the presentation section below.
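One way to triage a drive for graphics files hidden under a different format, as an added example that is not part of the assignment or the textbook: compare each file's leading signature bytes with its extension. The file names, the sample bytes and the build_sample_tree helper are constructed; on real evidence, point audit() at a read-only working copy of the image.

```python
import os
import tempfile

# Leading-byte signatures for the graphics formats named on this page, plus PNG.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),  # only two bytes: confirm BMP hits by viewing a working copy
]
EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg", ".jpe"},
    "gif": {".gif"},
    "png": {".png"},
    "bmp": {".bmp"},
}
IMAGE_EXTENSIONS = set().union(*EXTENSIONS.values())


def identify(head):
    """Return the graphics type whose signature starts the file, or None."""
    for signature, kind in SIGNATURES:
        if head.startswith(signature):
            return kind
    return None


def audit(directory):
    """List files whose content and extension disagree. Files are opened read-only."""
    findings = []
    for folder, _dirs, files in os.walk(directory):
        for name in sorted(files):
            with open(os.path.join(folder, name), "rb") as handle:
                head = handle.read(16)
            ext = os.path.splitext(name)[1].lower()
            kind = identify(head)
            if kind and ext not in EXTENSIONS[kind]:
                # Graphics content stored under a non-matching extension.
                findings.append((name, kind, "extension does not match content"))
            elif kind is None and ext in IMAGE_EXTENSIONS:
                # Claims to be an image, but the header is damaged or altered.
                findings.append((name, None, "image extension, unrecognized header"))
    return findings


def build_sample_tree(root):
    """Write constructed sample files (not case data) into root."""
    samples = {
        "invoice.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32,
        "logo.gif": b"GIF89a" + b"\x00" * 32,
        "notes.txt": b"Meeting moved to 10am\n",
        "photo1.jpg": b"\x00" * 40,
        "scan.bmp": b"BM" + b"\x00" * 52,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(data)


def demo():
    """Audit the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for name, kind, reason in demo():
        print(f"{name}: detected={kind or 'unknown'} ({reason})")
```

Files flagged with an unrecognized header are candidates for manual header inspection in a hex editor before any recovery attempt.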
RATIONALE
This assessment task will assess the following learning outcome/s:
• be able to determine and explain the legal and ethical considerations for investigating and prosecuting digital crimes.
• be able to formulate a digital forensics process.
• be able to evaluate the technology in digital forensics to detect, prevent and recover from digital crimes.
• be able to analyse data on storage media and various file systems.
• be able to collect electronic evidence without compromising the original data.
• be able to critique and compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation.
• be able to prepare and defend reports on the results of an investigation.
PRESENTATION
The following should be included as minimum requirements in the report structure:
• Executive Summary or Abstract
This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion
• Table of Contents
• Introduction
Background, scope of engagement, forensics tools used and summary of potential findings
• Analysis Conducted
o Description of relevant programs on the examined items
o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc
o Graphic image analysis
• Findings
This section should describe in greater detail the results of the examinations and may include:
o Specific files related to the request
o Other files, including any deleted files that support the findings
o String searches, keyword searches, and text string searches
o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity
o Indicators of ownership, which could include program registration data.
• Conclusion
Summary of the report and results obtained
• References
You must cite references to all material you have used as sources for the content of your work

© 2020 The New York Times CompanyNYTCo Contact Us Work wit.docx

  • 1. © 2020 The New York Times Company NYTCo Contact Us Work with us Advertise T Brand Studio Your Ad Choices Privacy Terms of Service Terms of Sale Site Map Help Subscriptions Do Not Sell My Personal Information ADVERTISEMENT 20 Ingenious Inventions 2020 They're selling like crazy.Everybody wants them OPEN TECHGADGETSTRENDS.COMAD By Richard Pérez-Peña Jan. 27, 2017 For six decades, she has been the silent woman linked to one of the most notorious crimes in the nation’s history, the lynching of Emmett Till, a 14-year-old black boy, keeping her thoughts and memories to herself as millions of strangers idealized or vilified her. But all these years later, a historian says that the woman has
  • 2. broken her silence, and acknowledged that the most incendiary parts of the story she and others told about Emmett — claims that seem tame today but were more than enough to get a black person killed in Jim Crow-era Mississippi — were false. The woman, Carolyn Bryant Donham, spoke to Timothy B. Tyson, a Duke University professor — possibly the only interview she has given to a historian or journalist since shortly after the episode — who has written a book, “The Blood of Emmett Till,” to be published next week. In it, he wrote that she said of her long-ago allegations that Emmett grabbed her and was menacing and sexually crude toward her, “that part is not true.” ADVERTISEMENT The revelations were first reported on Friday by Vanity Fair. As a matter of narrow justice, it makes little difference; true or
  • 3. not, her claims did not justify any serious penalty, much less death. The two white men who were accused of murdering Emmett in 1955 — and later admitted it in a Look Magazine interview — were acquitted that year by an all-white, all-male jury, and so could not be retried. They and others suspected of involvement in the killing died long ago. But among thousands of lynchings of black people, this one looms large in the country’s tortured racial history, taught in history classes to schoolchildren, and often cited as one of the catalysts for the civil rights movement. Photographs in Jet Magazine of Emmett’s gruesomely mutilated body — at a funeral that his mother insisted have an open coffin, to show the world what his killers had done — had a galvanizing
  • 4. effect on black America. ADVERTISEMENT The case has refused to fade, revived in a long list of writings and works of art, including, recently, “Writing to Save a Life: The Louis Till File,” a book that unearths the case of Emmett’s father, a soldier who was executed by the Army on charges of murder and rape. The Justice Department began an investigation into the Emmett Till lynching in 2004, Emmett’s body was exhumed for an autopsy, and the F.B.I. rediscovered the long-missing trial transcript. But in 2007, a grand jury decided not to indict Ms. Donham, or anyone else, as an accomplice in the murder. “I was hoping that one day she would admit it, so it matters to me that she did, and it gives me some satisfaction,” said Wheeler Parker, 77, a cousin of Emmett’s who lives near Chicago. “It’s
  • 5. important to people understanding how the word of a white person against a black person was law, and a lot of black people lost their lives because of it. It really speaks to history, it shows what black people went through in those days.” Patrick Weems, project coordinator at the Emmett Till Interpretive Center, a museum in Sumner, Miss., said, “I think until you break the silence, there is still that implied consent to the false narrative set forth in 1955.” “It matters that she recanted,” he added. Emmett, who lived in Chicago, was visiting relatives in Money, a tiny hamlet in the Mississippi Delta region when, on Aug. 24, 1955, he went into a store owned by Roy and Carolyn Bryant, a married couple, and had his fateful encounter with Ms. Bryant, then 21. Four days later, he was kidnapped from his uncle’s house,
  • 6. beaten and tortured beyond recognition, and shot in the head. His body was tied with barbed wire to a cotton gin fan and thrown into the Tallahatchie River. ADVERTISEMENT Roy Bryant and his half brother, J. W. Milam, were arrested and charged with murder. What happened in that store is unclear, but it has usually been portrayed as an example of a black boy from up North unwittingly defying the strict racial mores of the South at the time. Witnesses said that Emmett wolf-whistled at Ms. Bryant, though even that has been called into doubt. Days after the arrest, Ms. Bryant told her husband’s lawyer that Emmett had insulted her, but said nothing about physical contact, Dr. Tyson said. Five decades later, she told the F.B.I. that he had touched her hand.
  • 7. But at the trial, she testified — without the jury present — that Emmett had grabbed her hand, she pulled away, and he followed her behind the counter, clasped her waist, and, using vulgar language, told her that he had been with white women before. “She said that wasn’t true, but that she honestly doesn’t remember exactly what did happen,” Dr. Tyson said in an interview on Friday. Ms. Donham, now 82, could not be reached for comment. Dr. Tyson said that in 2008, he got a call from Ms. Donham’s daughter-in-law, who said they had liked another book of his, and wanted to meet him. It was in that meeting that she spoke to him about the Till case, saying, “Nothing that boy did could ever justify what happened to him.” Dr. Tyson said that motivated him to write about the case. Ms. Donham told him that soon after the killing, her husband’s family hid her away, moving her from place to place for days,
  • 8. to keep her from talking to law enforcement. ADVERTISEMENT She has said that Roy Bryant, whom she later divorced, was physically abusive to her. “The circumstances under which she told the story were coercive,” Dr. Tyson said. “She’s horrified by it. There’s clearly a great burden of guilt and sorrow. Devery S. Anderson, author of a 2015 history, “Emmett Till: The Murder That Shocked the World and Propelled the Civil Rights Movement,” said, “I’ve encountered so many people who want someone be punished for the crime, to have anyone still breathing held responsible, and at this point, that’s just her.” But what matters now, he said, is the truth. It has been clear for decades that she lied in court, he said, “to get it from her own mouth after so many years of silence is important.”
  • 9. For his part, Mr. Parker, a pastor, said he harbors no ill will toward Ms. Donham, and hopes that her admission brings her peace. “I can’t hate,” he said. “Hate destroys the hater, too. That’s a heavy burden to carry.” Woman Linked to 1955 Emmett Till Murder Tells Historian Her Claims Were False. [Photo captions: Carolyn Bryant Donham in 1955 (Gene Herrick/Associated Press). Emmett Till was 14 when he was killed in 1955 (Associated Press). Emmett Till’s mother at his funeral in 1955. She had insisted that the coffin be open, to show the world what his killers had done (Chicago-Sun Times, via Associated Press).]
  • 11. CHAPTER 8 Recovering Graphics Files. Searching for and Recovering Digital Photograph Evidence. In this section, you learn how to use Autopsy for Windows to search for and extract (recover) possible evidence of JPEG files from the USB drive the EMTS manager gave you. The search string to use for this examination is “FIF.” Because it’s part of the label name of the JFIF JPEG format, you might have several false hits if the USB drive contains several other JPEG files. These false hits, referred to as false positives, require examining each search hit to verify whether it’s what you are looking for. In this activity, you see that Autopsy has an Exif parser. To begin the examination, follow these steps to load the image file: 1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08InChp for the case name, and click Browse next to the Base Directory text box. Navigate to and click your work
  • 12. folder, and then click Next. In the Additional Information window, type C08InChp for the case number, enter your name for the examiner, and then click Finish. 2. In the Add Data Source window, leave the default selection Disk Image or VM file in the Type of Data Source to Add section, and then click Next. 3. In the Select Data Source window, click the Browse button, navigate to your work folder, click C08InChp.dd, and click Open. Then click Next. 4. In the Configure Ingest Modules window, you can select what type of processing you want, such as a hash lookup or an Exif parser (see Figure 8-7). Leave the default selections, click Next, and then click Finish. 5. In the left pane of Autopsy’s main window, click to expand Extracted Content, if necessary, and then click EXIF Metadata. Examine the files displayed in the upper-right pane (see Figure 8-8). As you scroll through these files, notice that the hexadecimal codes haven’t been altered. (In the e-mail Tom Johnson sent, the JFIF code was supposedly altered.) Note: Before starting this activity, create the C:\Work\Chap08\Chapter folder on your system (referred to as your “work folder” in steps). Then download the
  • 13. C08InChp.exe file in the downloads section for this chapter on the student companion site for this book. You should extract this file to your work folder. Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations. Retrieved from http://ebookcentral.proquest.com
  • 14. Figure 8-7: Processing options in the Configure Ingest Modules window.
  • 15. Source: www.sleuthkit.org. Figure 8-8: Parsing Exif metadata in Autopsy. Source: www.sleuthkit.org.
  • 16. Figure 8-9: The results of searching for “fif.” Source: www.sleuthkit.org.
  • 17. Note: In Figure 8-10, the header for this JPEG file has been overwritten with zzzz. This unique header information might give you additional search values that could minimize false-positive hits in subsequent searches. 6. Click the Keyword Search down arrow at the upper right. To verify that no other codes have been altered, you should check whether a change has been made to the FIF format. In the text box, type FIF (all uppercase letters), click the Exact Match option, and then click Search. There are no results. Next, type fif (all lowercase letters), click the Substring Search option, and then click Search. Your results should be similar to what’s shown in Figure 8-9. 7. To view the changes made to the file header, you need to see the hexadecimal code. To do this, click the Hex tab in the lower-right pane, if necessary, and scroll down through the files until you see “zzzz” in the file header, as shown in Figure 8-10. You should be viewing the gametour2.exe file. 8. Click the File Metadata tab to view the written, accessed, and created dates and times along with the sectors used by the file (see Figure 8-11). 9. In the search results, right-click the gametour2.exe file and click Extract File(s). In the Save As dialog box, navigate to your work folder, type
  • 18. Recover1.jpg for the filename, and then click Save. Autopsy then creates an Export subfolder of your work folder to store this file. In the confirmation message box, click OK, and then exit Autopsy.
  • 20. Figure 8-10: The altered file header. Source: www.sleuthkit.org. Callout: File header overwritten with zzzz. Figure 8-11: Viewing all sectors used by the gametour2.exe file. Source: www.sleuthkit.org.
  • 22. The next section shows you how to rebuild header data from this recovered file by using WinHex, although any hexadecimal editor has the capability to examine and repair damaged file headers. From a digital forensics view, this procedure can be considered corrupting the evidence, but knowing how to reconstruct data, as in the preceding example, is part of an investigator’s job. When you change data as part of the recovery and analysis process, make sure you document each step as part of your reporting procedures. Your documentation should be detailed enough that other investigators could repeat the steps, which increases the credibility of your findings. When you’re rebuilding a corrupted evidence image file, create a new file and leave the original file in its initial corrupt condition. Rebuilding File Headers Before attempting to edit a graphics file you have recovered, try to open it with an image viewer, such as the default Microsoft tool. To test whether you can view the image, double-click the recovered file in its current location in File Explorer. If you can open and view the image, you have recovered the graphics file successfully. If the image isn’t displayed, you have to inspect and correct the header values manually. If some of the data you recovered from the graphics file header is corrupt, you
  • 23. might need to recover more pieces of the file before you can view the image, as you’ll see in the next section. Because the deleted file you recovered in the previous activity, Recover1.jpg, was altered intentionally, you might see an error message similar to the one in Figure 8-12 when you attempt to open the file. Figure 8-12: Error message indicating a damaged or an altered graphics file.
  • 25. If you can’t open a graphics file in an image viewer, the next step is to examine the file’s header data to see whether it matches the header in a good JPEG file. If the header doesn’t match, you must insert the correct hexadecimal values manually with a hexadecimal editor. To inspect a file with WinHex, follow these steps: 1. Start WinHex, and click File, Open from the menu. Navigate to your work folder, and then double-click Recover1.jpg. If necessary, click OK. Figure 8-13 shows this file open in WinHex. [Figure 8-13: Recover1.jpg open in WinHex. Source: X-Ways AG, www.x-ways.net. Callouts: Offset position 0, Offset position 6.] 2. At the top of the WinHex window, notice that the hexadecimal values starting at the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth position (offset 6) is also 7A. Leave WinHex open for the next activity. As mentioned, a standard JFIF JPEG file has a header value of FF D8 FF E0 from offset 0 and the label name JFIF starting at offset 6. Using WinHex, you can correct this file header manually by following these steps:
  • 26. 1. In the center pane, click to the left of the first 7A hexadecimal value. Then type FF D8 FF E0, which are the correct hexadecimal values for the first 4 bytes of a JPEG file. 2. In the right pane at offset 6, click the z, and then type J, as shown in Figure 8-14.
  • 28. 3. Click File, Save As from the menu. In the Save File As dialog box, navigate to your work folder, type Fixed1.jpg as the filename, and then click Save. If you’re using the demo version of WinHex, you get an error message because of the file size. Exit WinHex. [Figure 8-14: Inserting correct hexadecimal values for a JPEG file. Source: X-Ways AG, www.x-ways.net. Callouts: Inserting FF D8 FF E0 starting at offset 0; After changing z to an uppercase J.] Tip: In WinHex, when you type a keyboard character in the right pane, the corresponding hexadecimal value appears in the center pane. So, for example, when you type J in the right pane, the hexadecimal value 4A appears in the center pane. Note: In WinHex Demo, you can save only up to 200 KB of data in a file.
  • 30. Every two hexadecimal values you entered in the previous steps are equivalent to one ASCII character. For example, an uppercase “A” has the hexadecimal value 41, and a lowercase “a” has the hexadecimal value 61. Most disk editors have a reference chart for converting hexadecimal values to ASCII characters, such as in Figure 8-15. [Figure 8-15: ASCII equivalents of hexadecimal values. Axis labels: First hexadecimal number, Second hexadecimal number.]
  • 31. After you repair a graphics file header, you can test the updated file by opening it in an image viewer, such as Windows Photo Viewer, IrfanView, ThumbsPlus, QuickView, or ACDSee. If the file displays the image, as shown in Figure 8-16, you have performed the recovery correctly. [Figure 8-16: Fixed1.jpg open in an image viewer.] The process of repairing file headers isn’t limited to JPEG files. You can apply the same technique to any file you can determine the header value for, including Microsoft Word, Excel, and PowerPoint documents and other image formats. You need to know only the correct header format for the type of file you’re attempting to repair.
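
The header check and repair that the WinHex steps above perform by hand, as an added Python example (not code from the textbook). It compares offsets 0-3 and 6-9 with the JFIF values given in the text, writes the repaired bytes to a new file so the original stays in its altered state, and returns hashes and changed offsets for the report. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Header values stated in the text: FF D8 FF E0 from offset 0, label "JFIF" from offset 6.
JFIF_EXPECTED = {0: bytes.fromhex("FFD8FFE0"), 6: b"JFIF"}

# Constructed sample: a minimal JFIF-style byte string (not a viewable picture) and a
# copy damaged as in the chapter: offsets 0-3 and offset 6 overwritten with 'z' (7A).
GOOD = bytes.fromhex("FFD8FFE000104A46494600010100000100010000") + b"\x00" * 16 + bytes.fromhex("FFD9")
DAMAGED = b"zzzz" + GOOD[4:6] + b"z" + GOOD[7:]


def inspect_header(data: bytes):
    """List (offset, found_hex, expected_hex) for each header byte that differs."""
    if len(data) < 10:
        raise ValueError("file is shorter than a JFIF header")
    diffs = []
    for start, want in JFIF_EXPECTED.items():
        for i, expected in enumerate(want):
            found = data[start + i]
            if found != expected:
                diffs.append((start + i, f"{found:02X}", f"{expected:02X}"))
    return diffs


def repair_header(data: bytes):
    """Return (repaired_bytes, diffs); refuse input with no surviving 'FIF' label."""
    if data[7:10] != b"FIF":
        raise ValueError("no 'FIF' at offsets 7-9; not treating this as a JFIF file")
    diffs = inspect_header(data)
    fixed = bytearray(data)
    for offset, _found, expected in diffs:
        fixed[offset] = int(expected, 16)
    return bytes(fixed), diffs


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def repair_file(src: str, dst: str):
    """Write the repaired copy to a new file and return a record for the case notes."""
    if os.path.abspath(src) == os.path.abspath(dst):
        raise ValueError("destination must not be the original evidence file")
    with open(src, "rb") as fh:
        original = fh.read()
    fixed, diffs = repair_header(original)
    with open(dst, "xb") as fh:  # 'x': fail rather than overwrite an existing file
        fh.write(fixed)
    return {
        "source": os.path.basename(src),
        "source_sha256": sha256(original),
        "output": os.path.basename(dst),
        "output_sha256": sha256(fixed),
        "changes": [{"offset": o, "from": f, "to": t} for o, f, t in diffs],
    }


def demo():
    """Run the repair on the constructed sample inside a temporary folder."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "Recover1.jpg")
        dst = os.path.join(work, "Fixed1.jpg")
        with open(src, "wb") as fh:
            fh.write(DAMAGED)
        record = repair_file(src, dst)
        with open(src, "rb") as fh:
            record["original_untouched"] = fh.read() == DAMAGED
        return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The returned record can be pasted into the examination notes so another investigator can repeat the change byte for byte.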
  • 33. Hands-On Projects. Create the C:\Work\Chap08\Projects folder on your system before starting these projects. If necessary, copy all data files from the downloads section for this chapter (on the student companion site for this book) to your work folder. Hands-On Project 8-1: In this project, you use Autopsy for Windows to locate and extract JPEG files with altered extensions. Some of these files are embedded in files with non-JPEG extensions. Find the C08frag.dd file in your work folder, and then follow these steps: 1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08frag in the Case Name text box, and click Next. Enter
  • 34. C08Frag for the case number and your name as the examiner, and then click Finish. 2. In the Add Data Source window, click Disk Image or VM file in the Select Type of Data Source to Add section, if necessary, and then click Next. In the Select Data Source window, click the Browse button. In the Open dialog box, navigate to your work folder, and click C08frag.dd. Click Open, and then click Next. Accept all the default selections in the Configure Ingest Modules window, and click Next and then Finish. 3. Click the Keyword Search down arrow at the upper right. Type jfif in the text box, click the Substring Match option, and then click Search. 4. Click each file in the search results that doesn’t have a .jpg extension. Then examine the contents of each file to find any occurrences of a JFIF label. Right-click a file with a JFIF label, point to Tag Files, and click Tag and Comment. In the Comment text box, type Recovered hidden .jpg file, and then click OK. Repeat this procedure for each file with a JFIF label. 5. Click Generate Report. Click the Results - HTML option button for the report format, and then click Next. Click All Results, and then click Finish. Click the report link, and examine your report in the browser window that opens. 6. Exit Autopsy for Windows, saving your project when prompted.
  • 35. Hands-On Project 8-2: In this project, you continue examining the files found by IT staff at Superior Bicycles. In the in-chapter activity, you recovered three files containing zzzz for the first 4 bytes of altered JPEG files. These altered files had different extensions to hide the fact that they’re graphics files. Find the C08carve.dd file in your work folder. This image file is a new drive acquisition the IT staff made. The CEO wants to know whether any similar files on this drive match the files you recovered from the first USB drive. Because you know that the files you recovered earlier have zzzz for the first 4 bytes, you can use it as your search string to see whether similar files are on this drive. 1. Start Autopsy for Windows, and click the Create New Case button. In the New Case Information window, type C08carve in the Case Name text box, and click Next. In the
  • 37. Additional Information window, type the date in the Case Number text box and your name in the Examiner text box. Click Finish. 2. In the Select Data Source window, click the Browse button, navigate to your work folder, click c08carve.dd, and then click Open. Then click Next. 3. Next, click the Keyword Search down arrow. In the text box, type zzzz, click the Exact Match option button, and then click Search. 4. Click each file in the search results to display its contents. If the file contains zzzz at the beginning of the sector, right-click the file, point to Tag Files, and click Tag and Comment. In the Comment text box, type Similar file, and then click OK.
  • 38. 5. Click the gametour5.exe file. Ctrl+click to select gametour1.exe, gametour2.exe, gametour3.exe, gametour4.exe, and gametour6.exe. Right-click the selection, point to Tag Files, and click Tag and Comment. In the Comment text box, type Additional similar files, and then click OK. 6. Click Generate Report. Click the Results - HTML option button, and then click Next. Click All Results, and then click Finish. Examine the results in the browser window, and then exit Autopsy. Hands-On Project 8-3 In this project, you use IrfanView to open graphics files and save them in a compressed graphics format different from the original format. You should note any changes in image quality after converting files to a different format. Download IrfanView from www.irfanview.com and install it, and then follow these steps: 1. Start IrfanView. Click File, Open from the menu. In the Open dialog box, navigate to your work folder, and then double-click SPIDER.bmp to open the file. 2. Click File, Save as from the menu. Change the file type to JPG and save the file as Spider.jpg in the same location. 3. Save Spider.jpg as Spider2.bmp in the same location. 4. Open these three graphics files in new sessions of IrfanView and compare the files.
  • 39. Document any changes you notice. 5. Open FLOWER.gif from your work folder, and save it as Flower.jpg in the same location. Tip: If your screen is cluttered with too many open IrfanView windows, close a few that you’re no longer working with. 6. Save Flower.jpg as Flower2.gif in the same location. 7. Open these three graphics files in new sessions of IrfanView, and document any changes you see when comparing the files.
  • 41. 8. Open Cartoon.bmp from your work folder, and save it as Cartoon.gif in the same location. 9. Save Cartoon.gif as Cartoon2.bmp in the same location. 10. Open these three graphics files in new sessions of IrfanView, and document any changes you see when comparing the files. 11. Exit all instances of IrfanView. Summarize your conclusions in a brief report and submit it to your instructor. Hands-On Project 8-4: In this project, you use S-Tools4 to create a steganography file for hiding an image. Download S-Tools4 from http://packetstormsecurity.com/files/21688/s-tools4.zip.html or www.4shared.com/zip/q764vcPu/s-tools4.htm, install the program, and then follow these steps: 1. In File Explorer, navigate to where you installed S-Tools4, and start the program by
  • 42. double-clicking S-Tools.exe. If necessary, click Run, and then click Continue, if necessary. 2. Drag RUSHMORE.bmp from your work folder to the S-Tools window. 3. To hide text in the RUSHMORE.bmp file, drag Findme.txt from your work folder to the RUSHMORE.bmp image. 4. In the Hiding dialog box, type FREEDOM in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window. 5. Right-click the hidden data window and click Save as. Save the image as Steg.bmp in your work folder. 6. Close the Steg.bmp and RUSHMORE.bmp windows, but leave S-Tools open for the next project. Hands-On Project 8-5: In this project, you use S-Tools4 to create a secret message in a bitmap file and compare this steganography file with the original file by using the DOS comp command. You need S-Tools4 and the Mission.bmp and USDECINP.rtf files in your work folder. First, follow these steps to create a steganography file: 1. If you have exited S-Tools4, start it by double-clicking S-Tools.exe in File Explorer. 2. Drag Mission.bmp from your work folder to the S-Tools
  • 43. window. 3. Next, drag USDECINP.rtf from your work folder to the Mission.bmp image. 4. Type hop08-5 in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window. 5. Right-click the hidden data window and click Save as. Save the image as Mission-steg.bmp in your work folder. Exit S-Tools. Next, you use the DOS comp command to compare these two files and redirect the output to a text file for further analysis: 1. To open a command prompt window in Windows, click the Search icon, type cmd, and then press Enter. (In earlier Windows versions, you can click Start, type cmd in the “Search for programs and files” text box, and then press Enter.)
  • 45. Assessment item 3 - Tasks and Forensics Report. Value: 25%. TASK. Task 1: Recovering scrambled bits (5%) (5 marks). For this task I will upload a text file with scrambled bits on the subject interact2 site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment. Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment. Task 2: Digital Forensics Report (20%) (20 marks). In this major task you are asked to prepare a digital forensic report for the following scenario after carefully reading the scenario and looking at textbook figures as referred below: You are investigating a possible intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, is the cousin of Jim Shu, an employee who had been terminated. Bob Aspen is an external contractor and investor who gets a strange e-mail from Terry Sadler about Jim Shu's new project (shown in Figure 8-5 of the textbook on p. 350). Bob forwards the e-mail to Chris Robinson (the president of
  • 46. Superior Bicycles) to inquire about any special projects that might need capital investments. Chris forwards the e-mail to the general counsel, Ralph Benson, asking him to look into it. He also forwards it to Bob Swartz, asking him to have IT look for any e-mails with attachments. After a little investigation, Bob Swartz forwards an e-mail IT found to Chris Robinson (shown in Figure 8-6 of the textbook on p. 350). Chris also found a USB drive on the desk Tom Johnson was assigned to. Your task is to search for and determine whether the drive contains any proprietary Superior Bicycles, Inc. data in the form of any digital photograph as evidence. In particular, you may look for graphic files such as JPEG on the USB drive hidden with a different format. Note: for the USB drive image, you need to download the "C08InChp.exe" file from the download section of Chapter 8 on the student companion site of the textbook (Nelson, Phillips, & Steuart, 6/e, 2019). Your task is to search all possible places data might be hidden (e-mails and USB drive) and recover and present any digital evidence in the report. Deliverable: For this forensic examination, you need to provide a report of 1800-2000 words (approximately 5 A4 pages) in the format described in the presentation section below. RATIONALE. This assessment task will assess the following learning outcome/s: • be able to determine and explain the legal and ethical considerations for investigating and prosecuting digital crimes. • be able to formulate a digital forensics process. • be able to evaluate the technology in digital forensics to detect, prevent and recover from digital crimes. • be able to analyse data on storage media and various file systems. • be able to collect electronic evidence without compromising the original data.
  • 47. • be able to critique and compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation. • be able to prepare and defend reports on the results of an investigation. PRESENTATION. The following should be included as minimum requirements in the report structure: • Executive Summary or Abstract: This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion. • Table of Contents. • Introduction: Background, scope of engagement, forensics tools used and summary of potential findings. • Analysis Conducted: o Description of relevant programs on the examined items o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc. o Graphic image analysis. • Findings: This section should describe in greater detail the results of the examinations and may include: o Specific files related to the request o Other files, including any deleted files that support the findings o String searches, keyword searches, and text string searches o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity o Indicators of ownership, which could include program
  • 48. registration data. • Conclusion: Summary of the report and results obtained. • References: You must cite references to all material you have used as sources for the content of your work.