Computer Science Assignment
Narcos-1 C:/ Image Analysis Using Autopsy Forensic Toolkit
Introduction:
This is a basic introduction to using Autopsy to examine the contents of a criminal suspect’s
computer. While this is not a real criminal case, but a training tool, there are examples of
paraphernalia and other nefarious dealings throughout the disk image. The situation is that there is
a gang smuggling crystal methamphetamine between Australia and New Zealand. As the new intern
at a computer forensics lab, you have been tasked with finding out some basic information about the
suspect, and the data on their computer’s C: drive.
Assignment:
Before beginning you must download (3) items from here:
https://1drv.ms/u/s!AhucZmhY8LVWgrtSJrsadgbSDK9u-A?e=SXrWxJ
• Narcos_1.aut
• autopsy.db
• Narcos-1.zip
o Unzip this file (30GB)
o Open the “Image” folder within this file
o Drag both Narcos_1.aut and autopsy.db into the “Image” folder
Load the Narcos-1 image into Autopsy and examine the contents. Do this by running Autopsy and
clicking on “Open Case”. If you point the Autopsy software at the “Image” folder in the Narcos-1 folder
that you just unzipped, you should now see the Narcos_1.aut file. Double click on it and the case will
load.
After reviewing the case files, you will answer the questions below. There is a multiple choice test
that has been posted in this lesson where you will answer the questions (1-15) below.
1. What operating system is running on the disk?
2. What was the encryption software used on the encrypted files?
3. What method of obfuscation was used to hide files?
4. When was the obfuscation software downloaded?
5. What is the name of the gang that you discovered for Narcos-1?
6. What application was used to delete files?
7. Where can you find the flight information for the owner of the computer?
8. Where would you find the most information about the owner’s personal interests?
9. How do you find deleted content in Autopsy?
10. What is the difference between Recycling bin files and deleted files?
11. How do you verify the integrity of a file on the machine image compared to the original file on
a suspect’s computer?
12. What email service was used?
13. What is the name of the user on the computer?
14. What kind of storage file maintains a history of Web searches?
15. How many image/picture files can be found in the computer?