Data Acquisition and Analysis - Lab Assignment #1 (Data Acquisition): Each student uses software tools to create a forensic image of a suspect’s hard drive. Using the chain of custody and audit trail, they should create a baseline of what has occurred prior to the device being passed on to the forensic analyst. Students will prepare a complete forensic investigation report.
Lab #1 Instructions
Lab #1: Due by Sunday of Week 4
Please see the PDF documents attached for details on Lab #1 directions, questions, grading criteria, and step-by-step illustrations.
Additional Material - Advanced Forensic Handbook
The attached 169-page document describes several advanced techniques first responders can use to further support the incident handling process. Topics include Log File Analysis with SWATCH and Log Parser, Building a Forensic Toolkit, persistent and volatile data collection, and identifying and tracing spoofed email.
General Directions: Preview the lab deliverables in Part I and the questions in Part II below first before starting your lab work. Then, log into UMUC Virtual Lab and perform steps 1 through 25 sequentially using the step-by-step instructions and illustrations given on pages 2-23 of the PDF file named: CSEC 650 Lab1-Write-up.pdf (Lab1-Write-up). During the lab process, you should capture and save the five screenshots listed under Part I, A. and take necessary notes for other deliverables under Part I and for answering the lab questions under Part II below which you have previewed. Create ONE Word or PDF answer file named as Lab1-YourFirstInitial-LastName. Include all your deliverables and answers for Part I and Part II below in this ONE file. Submit this ONE file under WebTycho Lab1 Assignment by the due date.
Part I: Lab Deliverables (30 points):
A. Screenshots (10 points): Capture and paste the following five screenshots you captured during your lab work in this order. Give a one-sentence short description at the beginning of each screenshot to describe what it is about.
1. A screenshot of Device Info similar to (may not be exactly the same as) the illustration in Step 10 of the Lab1-Write-up.
2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 16 of the Lab1-Write-up.
3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 18 of the Lab1-Write-up with a "Verify Successful" message.
4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 19 of the Lab1-Write-up.
5. A screenshot of creating Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 20 of the Lab1-Write-up.
B. Log of Forensic Analysis (10 points): Create a numbered list or table to document the important step-by-step actions taken by the examiner sequentially for the digital forensic work in this case. Include date, time, devices, tools, data files, and any logs generated. You only need to describe the data files and logs; no need to attach them.
C. Report Letter to the Professor (10 points): Write a letter to the Professor listing and explaining clearly and concisely what was attempted, what failed, what was successful, and what was learned through the lab work. Note: For the Report Letter to the Professor, you can use the major action information from the Log of Forensic Analysis deliverable but should focus on the forensic objectives, attempts, and results of accomplishment or failure, followed by a reflection on what you have learned through the lab. Use a business letter format with at least four or five paragraphs related to the forensic work.
Part II: Lab Questions (70 points): Give your answer to each of the following questions based on your lab work and relevant readings. The original question must be visible. Each answer should be within one or two paragraphs and should be clear and correct in grammar. Any citations of sources should follow proper APA format with a reference section at the end of your Part II answers.
1. What types of forensic image formats does Adepto support?
2. What kind of write blocking does Helix provide?
3. Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.
4. Why would a forensic examiner possibly select a different cryptographic hash type from MD5?
5. What is the MD5 hash value of your image in Lab 1?
6. What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?
7. What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?
8. What is the significance of the Adepto logs? Why are they needed?
9. What is the significance of the forensic investigator’s individual reports and logs?
10. Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?
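The verification step the lab screenshots (Part I, A.3 and A.4) and Questions 4, 5 and 10 revolve around is the same in every imaging tool: hash the acquired image, record the digest on the chain-of-custody form, and re-hash later to prove the copy is unchanged. The script below is an added illustration written for this page, not Adepto or Helix code and not part of the lab write-up. It hashes a constructed stand-in for a disk image in fixed-size chunks (so the same code works on images far larger than memory), verifies it against the recorded digests, writes a log line of the kind Part I, B asks for, and shows why a CRC is not an acceptable substitute: CRC32 is linear over GF(2), so for equal-length inputs the CRC of a XOR b XOR c equals the XOR of the three CRCs, a structure that makes substituting data without changing the checksum straightforward, whereas MD5 and SHA digests have no such property. The sample bytes, examiner name and device label are assumptions made for the demonstration.

```python
import hashlib
import hmac
import zlib
from datetime import datetime, timezone
from typing import Iterable

# Constructed stand-in for an acquired disk image (assumption: the real lab
# hashes an image produced by Adepto under Helix; this is not evidence data).
SAMPLE_IMAGE = bytes(range(256)) * 64      # 16 KiB of deterministic bytes
CHUNK = 4096                                # read size used for large images


def chunks(data: bytes, size: int = CHUNK) -> Iterable[bytes]:
    """Yield fixed-size slices so an image is hashed without being loaded whole."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def hash_stream(stream: Iterable[bytes],
                algorithms=("md5", "sha1", "sha256")) -> dict:
    """Compute several digests in one pass, as an imaging tool records acquisition hashes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in stream:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash the image and compare with the digests on the chain-of-custody form."""
    current = hash_stream(chunks(data), tuple(recorded))
    # compare_digest avoids timing differences; every recorded algorithm must match
    return all(hmac.compare_digest(current[name], value)
               for name, value in recorded.items())


def custody_entry(examiner: str, device: str, tool: str,
                  hashes: dict, verified: bool) -> str:
    """One line for the examiner's log: who, when (UTC), device, tool, digests, result."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    digests = " ".join(f"{k}={v}" for k, v in sorted(hashes.items()))
    result = "PASS" if verified else "FAIL"
    return f"{stamp} examiner={examiner} device={device} tool={tool} verify={result} {digests}"


def _xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    assert len(a) == len(b) == len(c), "linearity check needs equal-length inputs"
    return bytes(p ^ q ^ r for p, q, r in zip(a, b, c))


def crc32_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 is affine over GF(2): crc(a^b^c) == crc(a)^crc(b)^crc(c) for equal lengths.
    This structure is why a CRC catches accidental corruption but not deliberate substitution."""
    return zlib.crc32(_xor3(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def md5_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation for MD5; a cryptographic hash fails it (except with probability 2**-128)."""
    d = [int.from_bytes(hashlib.md5(x).digest(), "big") for x in (a, b, c)]
    return int.from_bytes(hashlib.md5(_xor3(a, b, c)).digest(), "big") == d[0] ^ d[1] ^ d[2]


if __name__ == "__main__":
    recorded = hash_stream(chunks(SAMPLE_IMAGE))            # acquisition hashes
    ok = verify_image(SAMPLE_IMAGE, recorded)              # later verification
    print(custody_entry("J.Doe", "suspect-hdd-0 (constructed)", "example-script", recorded, ok))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01                                  # flip one bit
    print("tampered copy verifies:", verify_image(bytes(tampered), recorded))
    print("CRC32 linear:", crc32_is_linear(b"A" * 16, b"B" * 16, b"C" * 16))
    print("MD5 linear:", md5_is_linear(b"A" * 16, b"B" * 16, b"C" * 16))
```

Running it prints a PASS log line for the untouched image, FAIL for the copy with one flipped bit, and True/False for the CRC32 and MD5 linearity checks respectively. Recording more than one algorithm, as the script does, is the usual answer to Question 4: if MD5 is later challenged, the SHA-1 or SHA-256 value recorded at acquisition time still stands.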