The typical approach to creating an examination disk for exercises and projects in a course on computer forensics is for the instructor to populate a piece of media with evidence to be retrieved. While such an approach supports the simple use of forensic tools, in many cases the use of an instructor-developed examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the mechanics of retrieval. We recently developed a course on computer forensics that utilized a large-scale, team-based term project involving the forensics examination of a computer system. In this article we describe an approach for providing examination disks for student use in a term project that reinforces the investigative aspect of the process.
Available at: http://works.bepress.com/warren_harrison/12/