Assessment Worksheet
Applying the Daubert Standard to Forensic Evidence
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you acted as a forensic specialist assisting the lead forensics investigator at the Cyber
Crimes Division (CCD) for the Fremont Police Department. You were given a hard drive image
taken from a seized computer suspected of containing stolen credit card numbers. You reviewed
the search warrant and completed the Chain of Custody form that accompanied the evidence
drive. You prepared the contents of the seized hard drive using a variety of forensic tools as
evidence in accordance with the Daubert standard. You used FTK Imager to create hashes for
key evidence files. You then validated the hash code using EnCase Imager and P2 Commander,
two common forensic analysis tools.
Lab Assessment Questions & Answers
1. Why is the unallocated space of a Windows system so important to a forensic
investigator?
Because it is space that is open for them to document their findings
2. From where were the badnotes1.txt and badnotes2.txt files recovered?
AccessData FTK Manager 3.1.4.6 in the Desktop tab
3. What is the INFO2 file used for?
To access basic info of the case
4. How do you generate a hash file in FTK Imager?
From the File menu, select Create a Disk Image and choose the source of your image
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
�5. What was the MD5 hash value in 043458.csv, the deleted e-mail file?
326
6. What is the Daubert standard?
The present standard by which Federal Courts and, by precedent, State and Local courts...