Forensic-scenarios

As a forensic examiner your communication skills are as equally important as your technical skills. Your ability to explain technical topics to non-technical people, will be essential in taking the results of an investigation and forming good written reports and well prepared expert testimony. Answer the following questions keeping this in mind. Each answer should be one well written paragrah or prefable more.

1) Scenario: Your supervisor is complaining that when you are in the field taking images, that the process takes twice as long because after you take the image you verify it. Explain to your supervisor why it is so important to verify an image on site, and what the consequences could be for not doing this.

2) Scenario: Your company policy is to use FTK Imager to create .E01 files when imaging. If you make copies of the image or move the image to another drive, you are required to 1) keep the corresponding text file with it and 2) to re-validate the image before working with it. You are also required to re-validate the image every two-weeks throughout an investigation and immediately before testifying. Your supervisor approaches you because he suspects that a new hire is not doing this. Your supervisor (who has little knowledge of the forensic process) asks if there is a way to see if this other employee is following company policy. Explain to your supervisor how this may be determined. Make sure to include what files you will need to determine this, what you will be looking for in those files, and how any relevant technologies work.

3) Scenario: Your company has hired an intern who is relatively new to the field. He is working with you for the day and asks you the difference between RBS and E01 image files. Explain to the intern what the difference is between these. Make sure to include details on the structures of these files as well as details on the differences in verifying these files (with and without accompanying text files).