During a criminal case investigation, a computer was taken as part of the evidence. The computer was found with a flash drive connected to one of its USB ports. It is suspected that this flash drive contains image files relevant to the case. Preliminary investigation revealed that the owner of the computer had the chance to delete some of the image files. Other files were renamed so that they do not look like image files. It is also suspected that steganography was used with some of the files to conceal important information. The passphrase used for this purpose is hidden in the device's slack space.

List the general steps and tools required to begin the investigation. In addition, because it is a high-profile case, all processes must be carefully documented.

Perform and document the following so that the findings are court ready:

  • Acquire a bit-stream copy from the flash drive
  • Recover deleted files
  • Analyze all files (including recovered ones) using WinHex and identify image files by examining their file headers (magic bytes), since renamed files keep their original header
  • Try to identify image files concealing information (steganography)
  • Look for the passphrase for steghide stored in the device’s slack space (look for: “steghide passphrase”)
  • Recover information with steghide
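The header-analysis and slack-space steps above, as an added example that is not part of the assignment: a small Python scan over a raw bit-stream copy that locates image-file signatures regardless of file name (so renamed and recoverable deleted images are found) and extracts the text following the "steghide passphrase" marker. The sample image, its offsets and the passphrase value are constructed for the demonstration; with a real acquisition you would read the dd output file instead.

```python
"""Header-signature and slack-space scan over a raw bit-stream copy (added example)."""
from __future__ import annotations
import re

# Magic bytes for common image formats; a renamed file still starts with these.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # covers both GIF87a and GIF89a
}
PASSPHRASE_MARKER = b"steghide passphrase"  # string the assignment says to look for


def find_image_headers(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, format) for every image signature in the raw image, sorted by offset.

    Scanning the whole device copy rather than the file system also catches deleted
    files whose data blocks are still present and files renamed to hide their type.
    """
    hits = []
    for fmt, magic in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, fmt))
            start = idx + 1
    return sorted(hits)


def find_passphrase(data: bytes, marker: bytes = PASSPHRASE_MARKER) -> str | None:
    """Locate the marker and return the printable ASCII text that follows it, or None."""
    idx = data.find(marker)
    if idx == -1:
        return None
    match = re.match(rb"[\s:=]*([\x20-\x7e]+)", data[idx + len(marker):])
    return match.group(1).decode("ascii").strip() if match else None


# Constructed sample "device image" (not real evidence): a JPEG header as a renamed
# file would still carry it, a PNG header, then a slack region holding the marker.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32   # JPEG/JFIF header at offset 16
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 32                    # PNG header at offset 59
    + b"\x00" * 8 + b"steghide passphrase: s3cr3t-demo" + b"\x00" * 16
)

if __name__ == "__main__":
    # For a real acquisition: data = open("/path/to/usb.dd", "rb").read()
    for offset, fmt in find_image_headers(SAMPLE_IMAGE):
        print(f"{fmt.upper():5s} header at offset 0x{offset:08x}")
    print("passphrase candidate:", find_passphrase(SAMPLE_IMAGE))
```

Record the offsets the scan reports alongside the hash of the bit-stream copy so the findings can be reproduced in WinHex and cited in the report.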

