Friday, November 15, 2019
About notebook
A. Describe what the police investigator would do to the notebook after the parents have passed it to them.

There are several procedures a police investigator would follow on receiving the laptop. The investigator first has to take down the details of the laptop: the number of disk drives, any plugged-in removable media, the time and date shown by the laptop's BIOS, and the current time and date from the investigator's own clock. The laptop's make and model, and any other significant information about it at that time, also have to be recorded. Photos have to be taken of the original state of the laptop, including the current screen if it is on. The next step is to do a hard reset of the system if it is running an operating system. This prevents any further changes to data or any scripts from running. The removable slots of the laptop also have to be sealed to prevent tampering. Any removable media has to be documented, securely kept and tagged, more commonly known as the bag-and-tag process. All of this is necessary in court to prove that proper procedures were followed and integrity was maintained, and it helps in documenting and recreating the scene, so that the investigators can visualize the state the laptop was in. As computer components are in question, they should be kept in anti-static bags to prevent damage from static electricity during transit or handling. The laptop is then sent to the lab, where images of the different data sources are created and worked upon. The original is not touched.

B. What hardware resources are needed to analyze a notebook?

The hardware resources needed to analyze a notebook depend on the situation. A laptop or desktop can be used on site or in the lab. It has to be equipped with a hard disk large enough to hold an exact image of the laptop's drives and removable media.
A write blocker is also needed to ensure nothing is written to the data during image creation. To assist in the creation, a Live CD, typically a small Linux distribution, can be used to boot up the suspect's laptop. IDE cables, adapters, crossover cables, FireWire cables and drive bays are all common hardware for data connection. Additional tools would be a torch for use in dark areas, gloves to prevent tampering with physical evidence, and a log form to record all activities carried out.

C. Compare the architectural hardware differences between a notebook and a desktop computer, along with the different tools or equipment that might be needed to perform a forensic image acquisition.

There are several architectural differences between a notebook and a desktop computer. The most significant is the IDE interface. A laptop uses a smaller IDE connector than a desktop, although more recent laptops may use SATA connections, which are similar on both. Laptops may also have soldered-on connections, especially if they use a solid state drive (SSD). Certain smaller laptops, such as netbooks, may lack ports or storage means such as FireWire ports, USB ports or even CD-ROM drives; in fact, most modern laptops do not even have a floppy drive. The forensic investigator then has to plug an external drive into the IDE or USB ports. With recent technology it is also possible to boot from a bootable USB drive, eliminating the need for a CD-ROM or floppy drive.

D. Based on the scenario, decide whether you want to use more than one tool to create the image, and write a brief outline of the choice of tool.

I can use a Live CD such as Backtrack 2, the SANS Forensic Workstation or any Linux distribution to create the image with the dd command.
# dd if=/dev/hda conv=sync,noerror bs=64K | gzip -c > /mnt/sda1/hda.img.gz

I can then restore the image onto any disk by unzipping it and using dd to write it back.

# gunzip -c /mnt/sda1/hda.img.gz | dd of=/dev/hda conv=sync,noerror bs=64K

The disk layout should also be recorded by running fdisk and piping its output to a text or info file.

# fdisk -l /dev/hda > /mnt/sda1/hda_fdisk.info

The advantage of using dd in forensics is that it creates an image of the whole disk, including the unused blocks. It is error free and easy to do with any Linux distribution.

E. What additional evidence could you look for at the victim's home or school to obtain clues about her whereabouts?

The victim's room would be the most important place to search, for additional evidence such as her diary, her mobile phone if available, and any books or papers she wrote in. Her email and any personal sites that hold data online, such as Facebook, can also help the case.

F. Explain what method would be used to preserve the integrity of the evidence obtained, and why it is important to obtain the data using this method.

A hash of the original image from the laptop and of any file used should be created. Using an MD5 or SHA1 hash is advised and recognized in court. The concept of hashing is that no two data objects can have the same hash, so if the hash changes, the data has been compromised. By hashing the original data, the forensic investigator can tell the court that the evidence was not tampered with and that anything found was there from the start. Typically, hashing is done before and after duplication of the disk image to ensure that the copy is exactly the same as the disk.

G. Determine which file(s) have a bad extension and further examine the file headers of these file(s) using a hex editor. Why is it important to carry out this procedure, and how may it help the team in solving the case?

The file headers contain information that helps the operating system identify what kind of file it is.
File headers are often corrupted or changed on purpose to hide the true identity of a file. If this is overlooked, crucial documents could be missed, having been identified as unrelated types of document. Secondly, file headers can be corrupted to prevent the file from being read, and such files will have to be examined further to find out their content.
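As an added example (not part of the original post) covering the dd imaging from section D and the before-and-after hashing from section F, this script images a constructed file standing in for /dev/hda, records the hashes, and verifies the copy; the script name, paths and the 128 KiB demo disk are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the dd + gzip acquisition from
# section D combined with the before/after hashing from section F.
# A regular file stands in for /dev/hda so it runs without a device or root.
# Caveat: conv=sync zero-pads the final partial block up to bs, so the image
# hash only equals the source hash when the source length is a multiple of bs
# (the constructed demo disk below is exactly 2 x 64 KiB for that reason).

hash_of() { sha1sum | cut -d' ' -f1; }   # SHA1 of stdin, digest only

# acquire SRC IMG LOG: hash SRC, image it to IMG with dd|gzip, hash SRC again
# and the decompressed image, record all three hashes in LOG, print MATCH or
# MISMATCH. Three equal hashes show the source was untouched and the copy exact.
acquire() {
    src=$1; img=$2; log=$3
    before=$(hash_of < "$src")
    dd if="$src" conv=sync,noerror bs=64K 2>/dev/null | gzip -c > "$img"
    after=$(hash_of < "$src")
    image=$(gunzip -c "$img" | hash_of)
    printf 'source before: %s\nsource after:  %s\nimage:         %s\n' \
        "$before" "$after" "$image" > "$log"
    if [ "$before" = "$after" ] && [ "$after" = "$image" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# verify_image SRC IMG: re-hash later (before analysis, or for court) and
# compare the image against the source; any change shows up as MISMATCH.
verify_image() {
    if [ "$(hash_of < "$1")" = "$(gunzip -c "$2" | hash_of)" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# make_disk PATH: constructed 128 KiB pseudo-disk standing in for /dev/hda.
make_disk() { head -c 131072 /dev/urandom > "$1"; }

# Demo: run as `sh acquire.sh demo` (assumed script name).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_disk "$d/hda.bin"
    acquire "$d/hda.bin" "$d/hda.img.gz" "$d/hda.hashes"
    cat "$d/hda.hashes"
fi
```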
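An added example, not from the original post, for section G: it compares each file's extension against the magic bytes at the start of the file, using a small assumed signature table and constructed sample files, to flag the files whose headers need a closer look in a hex editor.

```shell
#!/bin/sh
# Added example, not from the original post: flag files whose extension does
# not agree with the magic bytes at the start of the file (section G). The
# signature table is a small assumed subset; on real evidence the header would
# be examined in a hex editor, and the sample files below are constructed.

# header_hex FILE N: first N bytes of FILE as lowercase hex with no spaces,
# i.e. what the top of a hex editor view shows.
header_hex() { od -An -tx1 -N "$2" "$1" | tr -d ' \n'; }

# expected_sig EXT: known header (hex) for an extension, empty if unknown.
expected_sig() {
    case "$1" in
        jpg|jpeg) echo ffd8ff ;;            # JPEG SOI marker
        png)      echo 89504e470d0a1a0a ;;  # \x89PNG\r\n\x1a\n
        gif)      echo 47494638 ;;          # "GIF8" (GIF87a / GIF89a)
        pdf)      echo 25504446 ;;          # "%PDF"
        zip|docx) echo 504b0304 ;;          # "PK\x03\x04" zip container
        *)        echo "" ;;
    esac
}

# check_file FILE: prints OK, "MISMATCH <ext> <header hex>", or "UNKNOWN <ext>"
# when the extension has no entry in the table (it still needs a manual look).
check_file() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    sig=$(expected_sig "$ext")
    if [ -z "$sig" ]; then
        echo "UNKNOWN $ext"
        return 0
    fi
    actual=$(header_hex "$1" $(( ${#sig} / 2 )))
    if [ "$actual" = "$sig" ]; then
        echo OK
    else
        echo "MISMATCH $ext $actual"
    fi
}

# scan_dir DIR: report every file in DIR, one line each.
scan_dir() { for f in "$1"/*; do printf '%s: %s\n' "$f" "$(check_file "$f")"; done; }

# make_samples DIR: constructed files; notes.jpg is really a PDF.
make_samples() {
    printf '\377\330\377\340JFIF' > "$1/photo.jpg"
    printf '%%PDF-1.4\n' > "$1/notes.jpg"
    printf 'PK\003\004rest-of-archive' > "$1/report.docx"
}

if [ "${1:-}" = demo ]; then d=$(mktemp -d); make_samples "$d"; scan_dir "$d"; fi
```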