It's been a while since I've written anything on here, so I thought I would do a short update on what is going on with my project.
I have narrowed my scope down to 5 areas of investigation to make more effective use of my time: timeline analysis, connected USB devices, email investigation, internet history artifacts, and changes made to the file structure when programs are installed. It is not a large list, but I think it hits a lot of the major areas of forensics investigation.
I created a VM using VMware Workstation and created 4 unique profiles, giving them specific interests and programs to use. I modeled it on a small family and generated around 13 pages of documentation including websites visited, programs downloaded, files manipulated, emails both from Thunderbird and webmail, and files transferred. I will release the documentation soon along with the virtual machine and the images I created from it. My goal is to create a VM that can be used for testing tools for verification purposes. It is a well-documented file, and if the tool results are released as well, they can be compared to other tests to see if the tools are working correctly.
The other side of my project is explaining how testing the tools is necessary when performing an investigation, especially if the results are going to be presented in court. I am using papers written by Cory Altheide and Brian Carrier as resources and interviewing forensics investigators on their views of both closed and open source products and the ways that they verify the tools.
If anyone would like a copy of my work or has any questions about what I am doing, please just leave a message or email me. I am happy to help anyone that I can.