Step 2: Imaging of a USB drive using Linux tools
In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic “basics”. Now it’s time to move forward with the investigation.
The USB stick may contain intellectual property that you can use to prove the suspect’s guilt, or at least establish intent. Security personnel recovered the stick from the suspect’s desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers. Your team’s policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.
To get started, you review your “Resources and Procedures Notes”, as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.
Submit your lab notes and report to your supervisor (instructor) for ungraded feedback and incorporate any suggested changes. This material will be included in the final forensic imaging lab report (Step 7). In the next step, you will conduct the same procedures using Windows tools.
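The sterilize, acquire and verify sequence from Step 2, as an added example that is not part of the original assignment or its lab materials. It assumes regular files as stand-ins for the USB stick and the target media, and SHA-256 via sha256sum as the hash; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example. Regular files stand in for the USB stick and the target media
# so the sequence runs offline; in the lab both would be block devices and the
# source would sit behind write protection.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Sterilize: zero-fill the target, then confirm no non-zero byte remains.
sterilize() {  # $1 = target, $2 = size in KiB
    dd if=/dev/zero of="$1" bs=1024 count="$2" 2>/dev/null || return 1
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Static acquisition: hash the source, copy it bit for bit, then hash the
# source again to show the acquisition itself did not alter it.
acquire() {  # $1 = source, $2 = image
    before=$(sha256_of "$1")
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    [ "$before" = "$(sha256_of "$1")" ]
}

# Verify: the image is a forensic copy only if both hashes are identical.
verify() {  # $1 = source, $2 = image
    src=$(sha256_of "$1"); img=$(sha256_of "$2")
    echo "source=$src"; echo "image=$img"
    [ "$src" = "$img" ]
}

run_demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample "evidence": 64 KiB of the letter A.
    head -c 65536 /dev/zero | tr '\000' 'A' > "$work/usb.img"
    chmod a-w "$work/usb.img"   # stand-in for write protection
    sterilize "$work/target.dd" 64 && echo "target sterilized"
    acquire "$work/usb.img" "$work/target.dd" \
        && verify "$work/usb.img" "$work/target.dd" && echo "result=MATCH"
    # Overwrite one byte of the copy: the hashes must now differ.
    printf 'X' | dd of="$work/target.dd" bs=1 seek=0 conv=notrunc 2>/dev/null
    verify "$work/usb.img" "$work/target.dd" || echo "result=MISMATCH"
    rm -rf "$work"
}
run_demo
```

The printed source and image hashes are the values that would go into the lab notes; the deliberate one-byte change shows what a failed verification looks like.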
Step 3: Image a USB Drive Using Windows Tools
After imaging the USB drive with Linux in Step 2, your next step is to image the USB drive again, this time using Windows tools. Review your “Resources and Procedures Notes” first, then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report (Step 7).
Your organization’s legal team has some questions for you in Step 4.
Step 4: Respond to Questions from the Legal Team
In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you respond to pointed questions from your organization’s legal team. The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.
Questions from the legal team:
Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?
The legal team would like you to respond in the form of a brief memo (1-2 pages) written in plain, simple English. The memo will be included in your final forensic imaging lab report (Step 7) so review it carefully for accuracy and completeness.
You are hoping that you will be able to access the suspect’s local computer next!
Step 5: RAM and Swap Acquisition
In the previous step, you addressed the concerns of your company’s legal team. While you were doing so, the suspect’s afternoon training session started so now you are able to move on to the next stage of your investigation.
Your organization’s IT department backs up the hard drives of HQ computers on a regular basis so you are interested only in the suspect’s RAM and swap space. The RAM and swap space may reveal programs used to hide or transmit intellectual property, in addition to the intellectual property itself (past or current). You have a four-hour window to acquire the RAM and swap space of his live computer. When you arrive at the suspect’s office, the computer is running, but locked. Fortunately, the company IT department has provided you with the administrator password so you log on to the system. You review your “Resources and Procedure Notes”, access the virtual lab, and follow the steps required to acquire and analyze the RAM and swap space from the live system.
Your lab notes and report will be included in your final forensic imaging lab report (Step 7) so make sure you review them carefully for accuracy and completeness.
Now that you’ve imaged the suspect’s local computer, there is only one task that remains. You need to use the company network to access his remote computer.
Step 6: Perform Forensic Imaging over a Network
In the previous step, you acquired and analyzed the RAM and swap space from the suspect’s live, local computer. In this step, you perform a similar analysis on his networked, off-site computer.
Your supervisor confirms that the suspect’s remote office is closed for the weekend so you are free to image his computer via the network. The remote computer is locked, but the company IT department has provided an administrator password for your investigation. Using your forensic workstation at headquarters, you log on to the remote system. If the image were going to pass unencrypted over an untrusted network (such as the Internet), you’d want to conduct the transfer over SSH, but since you’re on the company network and connecting to the remote office via a VPN, you can use the “dd” command to transfer a copy of the remote hard drive to your local workstation using the “netcat” tool. You review your “Resources and Procedure Notes”, go to the virtual lab, and proceed to image the computer over the network.
Review your lab notes and report carefully for accuracy and completeness; they will be included in your final forensic imaging lab report (Step 7).
Phew! You have conducted an exhaustive investigation of all of the suspect’s computer devices in this possible “insider cyber-crime”. In the process, you have written up lab notes and four reports, as well as providing responses to questions from your legal team. The last step in the investigative process is to combine all of the information that you’ve gathered in Steps 1-6 into a single forensic report that can be presented in a court of law. That is what you will do in the final step in this project.
Step 7: Submit Final Forensic Imaging Lab Report
Now that you’ve completed the necessary acquisition and imaging tasks, you’re ready to compile all of your reports and lab notes into a single forensic imaging lab report that you will submit to your supervisor. Your supervisor reminds you that your report may be presented in a court case so it needs to meet all legal requirements. The report should include the following sections:
Imaging of a USB drive using Linux tools (lab notes, report)
Imaging of a USB drive using Windows tools (lab notes, report)
One to two-page memo responding to questions about imaging procedures
RAM and swap acquisition–live, local computer (lab notes, report)
Forensic imaging over a network (lab notes, report)