Dr. Bill Pugh
IS 3513 Information Assurance & Security
Lab Assignment Instruction Set
Lab created by Naveen Bommu, Graduate Student, UTSA MSIT
OVERVIEW
This lab exercise will introduce you to digital forensics and how it helped solve the infamous
“BTK Case.” There are many digital forensics tools, but in this exercise, you will be using
Autopsy to investigate a “floppy image file” collected from the perpetrator known as “BTK.”
American serial killer Dennis Rader, known as the BTK killer, murdered 10 people, including two
children, over a 17-year period. The BTK killer was active from 1974 to 2005. In 2005, BTK
provided the police with a floppy disk with a “test” note, and from there the police later discovered
hidden metadata that eventually revealed the identity of the “BTK” killer. This lab is a walkthrough of
the steps law enforcement used to capture this notorious serial killer.
More info:
OBJECTIVE
Given the following instructions, complete the deliverables and submit your results for credit.
RESOURCES
• Computer, or laptop computer meeting College of Business, Information Systems & Cyber
Security Majors specifications:
• Autopsy Software (Available for Windows, OS X)
• Internet access for uploading assignment to Blackboard
EVALUATION
Your grade will be based on meeting the following criteria within the scheduled deadline:
• Downloading and installing the Autopsy software with screenshots (10%)
• Answering ALL the questions contained in the “Instructions” AND providing screenshots
showing your work (30%)
• Provide feedback on the lab exercise with a minimum of a 500-word, single spaced, 12 pt.
font report on your experience, highlights, and suggested improvements for the lab (60%)
INSTRUCTIONS
• Download the latest Autopsy Software version (Available for Windows, OS X) from the
website: download/
• Download the image file named “btkcase.ima”.
• Once you have downloaded the files, follow the instructions below:
Autopsy download page.
Click “Download” (Current version is now 4.20.0)
Select “Next”
Select “Next” then select “Install.”
Select “Finish.”
Now open the Autopsy software and select “New Case.”
Provide the case name of your choice and the directory you want. Click “Next.”
You can ignore the below information and select “Finish.”
Select “Next” here.
Select “Disk Image or VM File” to input the image file, then select “Next.”
Select “Browse,” then in the “Files of type:” field, select “All Files” then click “Next.”
Keep the selected “ingest modules” and select “Next,” then “Finish.”
At the home page of Autopsy, you can see the image file is successfully loaded. Now, expand
the “Deleted Files” section, then click on “File System,” then click on the “Agenda Church
Council Meeting.docx” file.
Then below, select “Data Artifacts.”
QUESTION 1: Whose name appears next to “Owner?”
Next, expand “Data Sources,” then “btkcase.ima_1 Host,” then “btkcase.ima,” then
“$CarvedFiles,” then click on “f0000000.docx.” Click on the right-side frame, then click on
“image1.png.”
QUESTION 2: What does the image show?
Next, as you are discovering important clues from this floppy disk, you quickly go to the
internet and search for the organization shown in the picture . . .
But . . . it isn’t 2005 so you now must go “back in time” to the web page as it was in February of
2005 here:
QUESTION 3: Do you see anyone on the page with the first name found above in “Data
Artifacts” and “Owner?” What is his name?