Interview question I had difficulty answering..help!

(@buchi29)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

I am new to Forensics and was wondering if anyone knows the answer to these questions.

1. You have a custodian and they copied some information to an external drive but you are not sure which external drive it is on and they gave you 5 ext drives and 1 thumb drive…in Encase how can you tell which drive the data was copied to by a specific person?

2. You are doing a copy from laptop to laptop and you need to find exactly what ext drive the data was copied to but without Encase how can you tell where the data was copied to and by whom?

Where can this information be found? Encase?

Thanks
B
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

If you can't answer those questions, then the correct answer to give is I don't know, but I'm sure I could rapidly acquire the appropriate skills and knowledge based on <insert other experience/qualifications here>. If you are going for an entry level CF job (which you should be doing with no experience) then they don't necessarily expect you to have CF specific expertise.

If you come here seeking the answer, you're going to look really bad when they ask you to elaborate on the answer you give, and because you don't have the underlying skill and knowledge, you fall flat on your face.

Perhaps what you need to do is undertake some entry level computer forensics training.


(@mindsmith)
Estimable Member
Joined: 20 years ago
Posts: 174
 

Tony raises a very valid point for you to consider ref your experience & training.

Having said that, my answers to these questions would have been 'along the lines of' ….

Ref item 1, assuming that the question is who made (and therefore copied) the Encase image, and assuming that the imaging was done using the Encase LinEn tool, then the examiner would have been prompted to enter information about the case number, description, and examiner name. Entering data here is not mandatory & therefore, assuming the examiner was diligent about record keeping, you would be able to tell who created which Encase image when loading the image into Encase.

Other information about which examiners were on the scene at the time & working on which systems (timestamps, visitor log books, asking the examiners concerned, etc.) may help you address possible answers for item 2. This info may be found in the 'evidence seizure records', etc. that would normally accompany such images when they arrive in the lab; again this assumes that such processes are actually used & followed by the examiners.

Good luck!


(@logg)
Eminent Member
Joined: 16 years ago
Posts: 42
 

OR.. we could give helpful answers! (Pay no attention to someone who says you'll fall flat on your face. Science is about getting up and finding answers. And you can't do that without falling down!)

Here are a few examples to help you out (keep in mind that in computer forensics, there's rarely a time when there's only one single way to reach the correct conclusion - hopefully a couple more voices will chime in and give additional approaches - or correct mine as I'm tired)…. Also, I'm going to restate the questions in my own voice - my interpretation of your situation; and in an interview, it's key to do this yourself. Make sure you show the interviewer that you grasp the situation and can work the problem out from the beginning to the end. This is quite helpful because it shows your train of thought, and even when that endpoint eludes you, you can show the interviewer the process you take. It's one thing to say "I don't know, but I'm sure I could rapidly acquire the appropriate skills and knowledge," and it's entirely another thing to show that you can and will make that effort. (And restating the question gives you a little extra time to formulate your answer if you're stuck ;).)

Q 1.

Restatement: You have 6 physical drives (5 HDD, 1 thumb) that may contain the target evidence and you know who moved the evidence onto 1 of these drives. Knowing who moved this file, how do I go about finding its location among the 6 drives?

Answer: That means there's a known user account (or accounts) to begin our search in. And the question is ambiguous - do we have the originating machine? Just the user's name? Any account information? I'll assume we have access to the original drive and we know what evidence files we're looking for.

We can simply read the registry hive of the known user and note the Volume GUIDs of all mounted drives. We then mount each of the 6 drives in question, read the GUIDs, and rule out those drives that have not been mounted on the original machine (note this is a fast answer … there are caveats & we could play devil's advocate for days). I should be able to rule out a good portion of physical devices as well as logical drives on the remaining HDD by now, and I can run a filter on name, file size, hash, etc. …It now all comes down to *how large is my remaining dataset versus how much time can I let the computer work away for*.

Also, since you've mentioned *a specific person*, you may want to check Recent & Local Settings profile folders for link files and correlate the file's creation time with that of the evidence file on the targeted drive. …Bonus points for being thorough (but not guaranteed to give any results).

Q 2.

Restatement: By and large, the question seems very similar to the first question, just removing EnCase and the known user. I'd assume you mean that there is a known HDD as a point of origin, an unknown user who moved a file, and an undetermined HDD where the evidence file now resides. How do I find the user and the target drive?

Answer: If we have the original drive, we have a listing of all active profiles. We can reference the last log-on timestamp for Active Directory. Build a timeline of usage. Hash the evidence file. Hash all non-system files on the target drive or drives (non-system files just to speed things up). Show a match; match the user by showing the MAC timestamp (creation time, not modified nor accessed time) of the target drive's matching file to who we pinpointed as being logged on to the original computer at that time. And if hashing is out of the question, then search files on likely creation times (i.e. laptop-to-laptop copying times), and further, on the known file size. …Might want to note that by taking EnCase explicitly out of the arsenal, it seems that the focus here is on finding the file without relying on hash analysis (and hash analysis is very easily automated, simple, and painstakingly slow to build), so it seems to be a question of resourcefulness.

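A worked version of the hash-and-creation-time approach in the Q 2 answer above, added here as an example rather than code from the post: it hashes the known evidence file, skips system directories on each candidate volume, filters by size before hashing, and returns the creation time of every match for correlation with the logon timeline. The directory layout, file names and contents built by `demo()` are constructed.

```python
import hashlib, os, tempfile
# Skipped on the candidate volumes, following the "non-system files only" shortcut above.
SYSTEM_DIRS = {"windows", "program files", "$recycle.bin", "system volume information"}

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_copies(evidence_path, candidate_roots):
    """Return [(root, path, created_epoch)] for non-system files matching the evidence's size and hash."""
    target_size = os.path.getsize(evidence_path)
    target_hash = sha256_file(evidence_path)
    hits = []
    for root in candidate_roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never descends into system directories.
            dirnames[:] = [d for d in dirnames if d.lower() not in SYSTEM_DIRS]
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.getsize(path) != target_size:  # cheap filter before hashing
                    continue
                if sha256_file(path) == target_hash:
                    st = os.stat(path)
                    # Creation time (st_birthtime where available, else st_ctime) feeds the logon timeline.
                    hits.append((root, path, getattr(st, "st_birthtime", st.st_ctime)))
    return hits

def demo():
    """Constructed sample: a 'source laptop' plus three 'external drives'; the evidence
    was copied to drive2, drive3 holds a same-size decoy with different bytes."""
    base = tempfile.mkdtemp()
    payload = b"Q3 forecast - CONFIDENTIAL\n" * 100
    files = {  # relative path -> bytes (all constructed)
        "source/Users/jdoe/Documents/forecast.docx": payload,
        "drive1/Photos/holiday.jpg": b"\xff\xd8" * 8,
        "drive2/Backup/forecast.docx": payload,
        "drive2/Windows/forecast.docx": payload,       # pruned: system directory
        "drive3/Misc/notes.txt": payload[:-1] + b"!",  # same size, different hash
    }
    for rel, data in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    roots = [os.path.join(base, d) for d in ("drive1", "drive2", "drive3")]
    return find_copies(os.path.join(base, "source", "Users", "jdoe", "Documents", "forecast.docx"), roots)
```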
(@logg)
Eminent Member
Joined: 16 years ago
Posts: 42
 

Case in point on restating the question in the interview, MindSmith used the proper/correct definition of "custodian" (in the EnCase world) whereas I interpreted it as *the person who moved the file in question* … restating the question can keep you on track and remove ambiguities.


(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

1. You have a custodian and they copied some information to an external drive but you are not sure which external drive it is on and they gave you 5 ext drives and 1 thumb drive…in Encase how can you tell which drive the data was copied to by a specific person?

Given the question solely as it's presented, *if* the person asking the question tells you what the target data is (i.e., a Word document 32,665 bytes in size, etc.), then you can locate it on the devices. However, without the original drive (where the data was stored originally) you won't be able to even tell if it was copied.

Logg's response to this question is correct, as you'll need the media where the data was originally stored, and you'll need to know the various file systems of the devices. I think some may have made the assumption that the original media may have been Windows…if that's the case, then you may be able to find indications of which user account may have been logged in and used to access the external media, through Registry analysis.

However, keep in mind that there will likely be no artifacts of a copy operation on the original media. Some folks mention the existence of Windows shortcut/LNK files, but those will only exist and be of use *if* the person copying the file then opens the file from the destination media.

2. You are doing a copy from laptop to laptop and you need to find exactly what ext drive the data was copied to but without Encase how can you tell where the data was copied to and by whom?

Where can this information be found? Encase?

Based solely on how the question is presented, I'd have to say…WTF? You're "doing a copy from laptop to laptop", so where does an external drive come in?

If the question is meant to be a repeat of the first question, only without EnCase, then the answer remains the same.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Where can this information be found? Encase?

Is this an interview for a position which requires experience with Encase? Because Encase won't tell you any of these things. It isn't some kind of oracle to which you refer for puzzling questions, it is a tool for organizing a forensic examination.

The answers come from the evidence, itself, and your ability to analyze it, formulate a hypothesis and support your hypothesis with data.

A simple answer to both questions is that there is nothing in Windows that any tool could use to say that a file or files had been copied from one device to another (with the exception of CD burning and backup programs). Establishing a likelihood that copying occurred is a matter of circumstantial evidence. You may be able to show that a specific device was attached (Windows registry and, possibly, LNK files) and you may be able to determine that files on both devices are identical (if you possess both). You may also be able to determine who was logged in, when, but there is no way to say, with certainty, that the file on the external device was copied from the computer and, with certainty, who copied it, Encase or not.

You could get just as far with a hex editor or a hex editor and a registry viewer if you knew what to look for. If you don't, Encase won't make it any easier for you.

You are the forensic examiner, not the tool. If you couldn't get the same answers without Encase (or FTK or ProDiscover or X-Ways), it suggests that you don't know where to look. Some other posters have suggested approaches and an approach to answer the questions that you pose can be found in either edition of Harlan Carvey's Windows Forensic Analysis or, if you need an Encase centric approach, try Steve Bunting's EnCE Study Guide.

You can even test some of this for yourself. Get a USB device, make a copy of your registry, insert the USB device, copy some files to it, then eject it, make another copy of the registry and use REGDIFF to see the differences.


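The before/after registry experiment described above, as an added example (not the poster's code and not REGDIFF itself): a minimal parser for `reg export` style text and a diff that reports which keys and values appeared after the USB device was used. Both snapshots are constructed, with made-up volume GUID, device serial and hex data; a real pair would be taken with `reg export HKLM\SYSTEM before.reg` and `after.reg` and read with UTF-16 encoding.

```python
def parse_reg_export(text):
    """Parse 'reg export' style text into {key: {value_name: data}}. Handles the subset used
    here ([key] headers, "name"=data lines); a real export is UTF-16 with a BOM, decode it first."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is not None and "=" in line:
            name, data = line.split("=", 1)
            tree[key][name.strip('"')] = data
    return tree

def diff_reg(before, after):
    """Return added/removed keys and (key, name, old, new) value changes; old/new is None on one side."""
    a, b = parse_reg_export(before), parse_reg_export(after)
    out = {"added_keys": sorted(set(b) - set(a)),
           "removed_keys": sorted(set(a) - set(b)), "values": []}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, {}), b.get(key, {})
        for name in sorted(set(va) | set(vb)):
            if va.get(name) != vb.get(name):
                out["values"].append((key, name, va.get(name), vb.get(name)))
    return out

# Constructed snapshots (not real exports): before and after plugging in a USB stick,
# copying files to it and ejecting it. GUID, serial and hex data are made up.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\DosDevices\C:"=hex:2f,8a,cc,1e,00,7e,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]
"""

AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\DosDevices\C:"=hex:2f,8a,cc,1e,00,7e,00,00,00,00,00,00
"\DosDevices\E:"=hex:5f,00,3f,00,3f,00,5c,00,55,00,53,00,42,00
"\??\Volume{11111111-2222-3333-4444-555555555555}"=hex:5f,00,3f,00,3f,00,5c,00,55,00,53,00,42,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\EXAMPLESERIAL0&0]
"FriendlyName"="Example Flash USB Device"
"""
```

Running `diff_reg(BEFORE, AFTER)` lists the two new USBSTOR keys and three new values: the E: drive letter and volume GUID under MountedDevices, and the device's FriendlyName.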