Analyzing Images to Identify Suspicious or Modified Files

Lab #5 - Assessment Worksheet

Analyzing Images to Identify Suspicious or Modified Files

1. Why might it be important to confiscate and identify the websites and kinds of images found on a suspect’s computer?

Confiscating and identifying the websites and images in the suspect’s computer is helpful in establishing concrete evidence against the suspect. 

2. Explain what the P2 Commander Image Analyzer does and what it looks for.

The P2 Commander Image Analyzer scans the images and it looks pornographic contents.

3. How do you decrease the amount of false positives in the Highly Suspect or Suspect categories?

By changing the search sensitivity.

4. Into how many different categories does P2 Commander’s Sorted Files feature categorize all of the identified files? What are these categories?

There are 15 different categories and they include emails, documents, graphics, spreadsheets, databases, multimedia, compressed, executable, text, encrypted, xml, and chats amongst others.

5. How many files did the Sorted Files feature identify on the evidence drive?

3022

6. Where would you look to identify a rogue application, malicious spyware application, or keyboard logger application on the target evidence drive?

Under the executables

7. Where would you look to identify ZIP files and compressed files that may actually contain embedded malicious software?

They are found in the compressed categories

8. Where must you also look to examine possible image files on the evidence drive under investigation?

Under the graphic and Recover from Unallocated Space.

9. Why is it also important to look under the Graphics folder directly under the Sorted tree as well as the Image Analyzer Results category?

It is of importance in instances where the program may not have recognized the image as a threat.

Summary

An investigator can keep the suspect’s images and websites so as to establish concrete evidence. The P2 Commander Image Analyzer scans images and looks for pornographic content. The amount of false positives in the Highly Suspect can be decreased by changing the sensitivity. There are 15 different categories of P2 Commander’s Sorted Files including encrypted, xml, and chats amongst others. There are 3022 Sorted Files in evidence drive. The rogue application, malicious spyware application, or keyboard logger application on the target evidence drive are identified under the executables. ZIP files and compressed files are found under compressed categories. The possible image files on the evidence drive can be looked under the graphic and Recover from Unallocated Space. If an image is not recognized as threat, it can be looked under the Graphics folder.