A Case Study of Digital Forensics Investigation


Lead Author Type

CIS Masters Student


Dr. Xinli Wang; wangx@gvsu.edu



In this case study, the hard drive of an employee who was under suspicion by their employer was imaged to assess multiple software tools in terms of usefulness and ease of use for a digital forensics investigation. At the same time, interesting evidence was recovered through further examination.

Each tool studied was examined for its search function, special features, organization of data, and cost of ownership. Autopsy and OS Forensics were comparable in identifying indicators of compromise and evidence of illegal activity. FTK Imager was good for imaging a disk, but it was not designed for in-depth examination without previous knowledge of operating system structure. Taking cost into consideration, Autopsy was considered the first-choice forensics tool for this case study because it was free of charge, easy to use, and well organized.

Interesting evidence was recovered through further examination of this disk. Pornography was detected within the web history; however, a final conclusion could not be reached due to the presence of malware and the lack of other corroborating evidence. The results of the timeline analysis, the examination of USB device usage, the image investigation and the document inspection indicated a high possibility of illegal transfer of proprietary information by the suspect.

This document is currently not available here.