Part I: Lab Deliverables (30 points):
A. Screenshots (10 points): Capture and paste the following five screenshots you captured during your lab work in this order. Give a one-sentence short description at the beginning of each screenshot to describe what it is about.
1. A screenshot of Device Info similar to (may not be exactly the same as) the illustration in Step 10 of the Lab1-Write-up.
2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 16 of the Lab1-Write-up.
3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 18 of the Lab1-Write-up with a “Verify Successful” message.
4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 19 of the Lab1-Write-up.
5. A screenshot of creating Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 20 of the Lab1-Write-up.
B. Log of Forensic Analysis (10 points): Create a numbered list or table to document
To the professor
Following the forensic lab requirements, this report is written in response to the lab requirements. The entire process was smooth: the Java Runtime Environment download and the installation of the AnyConnect deployment kit. It is the process of image acquisition that initially failed, but after numerous tries the process was smooth. It is also important to note that I used RegRipper and cleaned the file system of temporary files. The date of the forensic work was Sunday, March 02, 2014, and the time of the lab exercise was 10:50 pm. The device used was a USB storage device, and the logs generated are also provided. The process was useful for learning all the intricacies of the lab exercise, for example the making of an extra image of the original media for the lab exercise and the acquisition of the image for the lab exercise.
Part II: Lab Questions (70 points):
1. What types of forensic image formats does Adepto support?
Adepto supports raw images such as dd, which is an open standard and scriptable. It can support an image on a Linux PC, Macintosh images (MacOS 9, OS X), Windows images, x86 OS images (Linux) such as PearPC, and VMware.
2. What kind of write blocking does Helix provide?
Helix provides software write blocking, as it is predominantly distributed with the Linux distribution.
3. Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.
Advantages of software write blocking:
Software write blocking is much easier to design and implement than hardware write blocking. Software write blocking is also easy to install; for example, there is no need to open a computer case. It is also very easy to test.
The key disadvantages include:
In most cases, there are other computer programs that can subvert the software write blocker. There are also instances when other programs use lower-level access and end up writing to the hardware ports directly, thereby bypassing the software write blocking. There are also instances when a program accidentally ends up disabling the software write-blocking protection. Finally, software write blocking can be used incorrectly, thereby making the acquisition process slow. Hardware write blocking has many disadvantages; for example, hardware write blockers are expensive and hard to design. Nevertheless, the main advantage is that hardware write blocking is more effective, even offline.
4. Why would a forensic examiner possibly select a different cryptographic hash type from MD5?
A forensic examiner would most likely select other cryptographic hash types over MD5 because MD5 has a number of known vulnerabilities as well as security flaws. Therefore, in most cases, people prefer the SHA-1 algorithm to MD5. Nevertheless, it is also important to note that MD5 has a 128-bit hash value. It can also be used to check a file's integrity. However, it is its overall importance in verifying the integrity of files as well as their content that makes it more important. It is highly reliable because even the slightest change in a bit value changes the entire MD5 value (Jones, 2005).
5. What is the MD5 hash value of your image in Lab 1?
The MD5 hash value of the image in Lab 1 was f71625daed269ba714586e6b
6. What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?
Helix can create an exact duplicate of the images or other media to be modified, which can then be analyzed, thereby saving the original media from irrecoverable changes. Helix is much preferred because it is easy to make a bitstream image. With Helix, it is easy to divide large images or data into smaller pieces of data. It is also easy to use with the dd program, which is relatively ubiquitous (Carrier, 2005).
7. What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?
The Adepto chain of custody is very important because it helps in verifying authenticity. For example, it is used to verify the evidence to determine whether it is the same size as the original file (data). It can also be used to verify the data without changing or modifying it. It is also important for tracing changes to the data, liabilities, and obligations in relation to an item of evidence, as it acts as a warranty. It indicates the sample, the date sampled, the analysis conducted and any changes in features, quality, quantity, etc.
8. What is the significance of the Adepto logs? Why are they needed?
Adepto logs are used for log analysis. These logs can provide information about the hacker's actions and the data that were left without modification. It is therefore easy to determine the action taken, the harm done, the time the modification was made and, if possible, the people in whose custody the data was at the time of the modification (Solomon, Barrett, & Broom, 2005).
9. What is the significance of the forensic investigator’s individual reports and logs?
With each individual forensic report, it is easy to make an objective, unbiased and independent analysis of the evidence as compared to a group report, which may be biased because of hidden special interests.
10. Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?
Cryptographic hash functions are mainly useful for guarding data or files against a number of malicious programs, including software, internet malware or other security applications that can compromise the quality of data. These two are important because they can calculate checksum values at any time and validate the value. They also check the checksums against a number of values for the protected data. A CRC or other value may not be used because it is less complex and is presumably used for detecting only random errors; it might not detect as large a spectrum of errors as MD5 and SHA-1.
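As an added example (not part of the original lab report), the following Python code shows the verification step behind questions 4 and 10: it recomputes MD5, SHA-1, SHA-256 and a CRC32 over a constructed stand-in image, compares the MD5 against a recorded chain-of-custody value, and counts how many digest bits change when a single bit of the image is flipped. The sample image bytes and the function names are my own assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a small acquired disk image (not a real image).
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"FAT12   " + b"\x00" * 200


def compute_digests(data: bytes) -> dict:
    """Return hex digests of the image: MD5 and SHA-1 (the two hashes the
    questions discuss), SHA-256 as a stronger alternative, and CRC32 for
    comparison of output size."""
    return {
        "md5": hashlib.md5(data).hexdigest(),        # 128-bit digest
        "sha1": hashlib.sha1(data).hexdigest(),      # 160-bit digest
        "sha256": hashlib.sha256(data).hexdigest(),  # 256-bit digest
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",  # 32-bit, not cryptographic
    }


def verify_image(data: bytes, recorded_hex: str, algorithm: str = "md5") -> bool:
    """Recompute the digest of the acquired image and compare it with the value
    recorded on the chain-of-custody form (the 'Verify' step of the lab)."""
    actual = compute_digests(data)[algorithm]
    # compare_digest compares the whole string without short-circuiting
    return hmac.compare_digest(actual, recorded_hex.lower())


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped, simulating a single
    corrupted or tampered bit in the image."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def digest_bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    recorded = compute_digests(SAMPLE_IMAGE)      # values written on the form
    tampered = flip_bit(SAMPLE_IMAGE, 1234)       # one bit changed later
    print("verify original:", verify_image(SAMPLE_IMAGE, recorded["md5"]))
    print("verify tampered:", verify_image(tampered, recorded["md5"]))
    for name, value in compute_digests(tampered).items():
        changed = digest_bit_distance(value, recorded[name])
        print(f"{name:7} bits changed by one flipped input bit: {changed}/{len(value) * 4}")
```

Any single flipped bit changes roughly half of the MD5 and SHA-1 digest bits, which is the property that makes a recorded hash a useful integrity check for an image.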
Carrier, B. (2005). File system forensic analysis. Boston, MA; London: Addison-Wesley.
Jones, K. J. (2005). Real digital forensics: Computer security and incident response. Indianapolis, IN: Addison-Wesley Professional.
Solomon, M., Barrett, D., & Broom, N. (2005). Computer forensics jumpstart. San Francisco: Sybex.