Sample Practical Exercise Problem
There is a link to a self-extracting (DOS-based) image file of a floppy diskette below. The file is called CCE-SAMP.ZIP. Copy this file to your hard drive and unzip it. To extract this file, format a 3 1/2 inch 1.44 MB diskette and execute the CCE-SAMP.EXE file. This will create an exact image of our original floppy diskette. Treat the extracted floppy diskette as the original in this case. Conduct your examination, document your findings, and compare your findings with what we expect you to report and find.
Case Scenario
Today is September 15, 2004. The time is 3:15 PM. Mr. Jim Boss, the owner of the Really Big Company, called and you responded to his office. Mr. Boss advised that he suspected that his assistant, Emma Crook, was providing company-sensitive material to some of his competitors. At 2:00 PM today he confronted Ms. Crook with his suspicions. He told her that he would be back at 3:00 PM for an explanation. When Mr. Boss arrived back at Ms. Crook's office at 3:00 PM, she was gone. Her office was completely cleaned out of all of her belongings. Mr. Boss tried to turn on Ms. Crook's computer, but it would not boot. Mr. Boss found a floppy diskette in the trash can. Mr. Boss wants you to examine the computer and the floppy diskette and to tell him exactly what Ms. Crook was up to. He is willing to pay for a 100% thorough examination. "Leave no stone unturned," as he said.
You examined the computer and found that the hard drive was missing. The computer was not networked. Your only evidence, if any, will be on the floppy diskette. You checked the system clock and it was accurate to within one minute.
You may download a RAW format (.001) version of the evidence media: CCE_Sample_PE_RAW.zip
You may also open this within a virtual machine (Virtual PC): CCE_Sample_VirtualPC.zip
If you have an older machine, you may download the floppy diskette self-extracting executable: cce-samp.zip
Click here to see what we expected from your examination.