Dr. Bill Pugh IS 3513 Information Assurance & Security Lab Assignment Instruction Set Image retrieved from: medium.com Lab created by

Dr. Bill Pugh
IS 3513 Information Assurance & Security
Lab Assignment Instruction Set
Image retrieved from: medium.com
Lab created by Naveen Bommu, Graduate Student, UTSA MSIT

OVERVIEW

This lab exercise will introduce you to digital forensics and how it helped solve the infamous

“BTK Case.” There are many digital forensics tools, but in this exercise, you will be using

Autopsy to investigate a “floppy image file” collected from the perpetrator known as “BTK.”

American serial killer Dennis Rader, known as the BTK killer, murdered 10 people, including two

children, over a 17-year period. The BTK killer was active from 1974 to 2005. In 2005, BTK

provided the police a floppy disk with a “test” note, and from there the police later discovered

hidden metadata revealing the eventual identity of the “BTK” killer. This lab is a walkthrough of

the steps law enforcement used to capture this notorious serial killer.

More info:

OBJECTIVE

Given the following instructions, complete the deliverables and submit your results for credit.

RESOURCES

• Computer, or laptop computer meeting College of Business, Information Systems & Cyber

Security Majors specifications:

• Autopsy Software (Available for Windows, OS X)

• Internet access for uploading assignment to Blackboard

EVALUATION

Your grade will be based on meeting the following criteria within the scheduled deadline:

• Downloading and installing the Autopsy software with screenshots (10%)

• Answering ALL the questions contained in the “Instructions” AND provide screenshots

showing your work (30%)

• Provide feedback on the lab exercise with a minimum of a 500-word, single spaced, 12 pt.

font report on your experience, highlights, and suggested improvements for the lab (60%)

INSTRUCTIONS

• Download the latest Autopsy Software version (Available for Windows, OS X) from the

website: download/

• Download the image file named “btkcase.ima”.

• Once you have downloaded the files, follow the instructions below:

Autopsy download page.

Click “Download” (Current version is now 4.20.0)

Select “Next”

Select “Next” then select “Install.”

Select “Finish.”

Now open the autopsy software and select “New Case.”

Provide the case name of your choice and the directory you want. Click “Next.”

You can ignore the below information and select “Finish.”

Select “Next” here.

Select “Disk Image or VM File” to input the image file, then select “Next.”

Select “Browse,” then in the “Files of type:” field, select “All Files” then click “Next.”

Keep the selected “ingest modules” and select “Next,” then “Finish.”

At the home page of Autopsy, you can see the image file is successfully loaded. Now, expand

the “Deleted Files” section, then click on “File System,” then click on the “Agenda Church

Council Meeting.docx” file.

Then below, select “Data Artifacts.”

QUESTION 1: Whose name appears next to “Owner?”

Next, expand “Data Sources,” then “btkcase.ima_1 Host,” then btkcase.ima,” then

“$CarvedFiles,” then click on “f0000000.docx.” Click on the right-side frame, click on

“image1.png.”

QUESTION 2: What does the image show?

Next, as you are discovering important clues from this floppy disk, you quickly go to the

internet and search for the organization shown in the picture . . .

But . . . it isn’t 2005 so you now must go “back in time” to the web page as it was in February of

2005 here:

QUESTION 3: Do you see anyone on the page with the first name found above in “Data

Artifacts” and “Owner?” What is his name?