As with any other forensics effort, there are hundreds of software choices in order to perform the requisite steps of acquiring, analyzing and presenting the results of a forensics investigation. Function and cost determined the software used for this investigation, with free software winning out over software with a license whenever possible. Microsoft Word Professional 2010. The examiner already owned a license of MS Office 2010, installed for related coursework, and Word used to compose this paper (Microsoft Word, 2013). VMWare Workstation 10.0.3 – build 1895310. For the section below using VMs, VMWare workstation was used as it was already available on the examination laptop from previous efforts and provided free of charge for educational purposes by Utica College to students for the term of their degree of study at Utica College (VMware Workstation 10.0, 2014). Microsoft Windows XP Professional SP 3. This is the version of Windows installed into the VM used for acquiring and processing the data on the SSD as well as to log into the Google Gmail account using the installed Google Chrome Browser (Windows XP, 2014). Google Chrome browser version 38.0.2125.111 m. This is the Google Chrome browser
installed into the Windows XP VM and used to connect to the Gmail account under examination for browser artifacts later in this paper (Google Chrome Browser, 2014). Google Chrome Operating System v38. This is the version of the Google Chrome
Operating System running on the Acer c720 Chromebook used in this examination (Chromebook Help Center, 2014).
AccessData FTK Imager 220.127.116.114. This is the software used to acquire the image of the SSD removed from the Chromebook (FTK Imager, 2014). AccessData Forensic Toolkit 1.81.6. This is the Forensic Toolkit used to carve out the
contents of the image file captured from the SSD and later to process logical copy of user files copied off Chromebook in Crosh shell onto external HDD (FTK, 2014). ChromeAnalysis Plus 1.4.1 Trial for Windows. This tool was used within the Windows XP VM to process the Chrome browser to identify the artifacts of the Chrome Browser running on Windows provides when it is logged into the test subjects Gmail account. (Foxton Software, 2014) Google Gmail Account. In order to perform the investigation, a Google Gmail account was required to seed an account in order to analyze it and identify the artifacts found in the Chromebook data files.
Evaluation Foundation The Acer c720 is in Developer Mode and a Gmail account created for the fictitious email
[email protected] Some data was generated, files downloaded to Google Drive and bookmarks created along with a brief browsing and search history. In preparation for analysis: a drive image was captured from the Acer c720 SSD, a Windows XP VM was created and Chrome Browser installed, user files were logically copied from Crosh to an external USB HDD and dd was run to capture the SSD contents from Crosh onto the external USB HDD.