Week 3 - Evidence Collection Flashcards
What is the acquisition stage of an investigation?
It involves the capture and seizure of the digital devices, hardware and data that are to be investigated.
What happens during acquisition of digital evidence?
It begins when information and/or physical items are collected for investigation purposes. Preserving (imaging) and processing the content and data of the device is the next stage.
When acquiring digital devices/disks it is important to?
Wear gloves when appropriate.
Store the device in sealed evidence bags.
Have every person who takes possession of the device sign for it (include name, date obtained and date passed on), so there is an unbroken chain of custody.
What does a device need to be connected to to facilitate imaging?
The analyst's imaging workstation.
What are the steps involved in imaging?
- Remove the storage media from the suspect's device
- Connect it to the imaging workstation
- Assess size and contents (use the mmls command from The Sleuth Kit to display the partition layout of the disk; mmls only reads, and nothing at this stage may change the contents)
- Make a bit-for-bit copy of the disk (using dd, dcfldd or a similar tool)
- Verify the integrity of the copy by hashing both the original and the image (e.g. SHA-256) and checking that the digests match; record the digests
- Return the original disk to an evidence locker
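The imaging steps above as one script. This is an added example, not part of the flashcards: it assumes GNU coreutils (dd, sha256sum, cut) and uses mmls only if The Sleuth Kit happens to be installed. A real run would point SOURCE at a block device attached behind a write blocker (such as /dev/sdb); the demo at the bottom uses a constructed 64-sector file so it runs without any hardware.

```shell
#!/bin/sh
# Added example (not from the flashcards): image a source disk to a file and
# verify the copy by hashing. Assumes GNU coreutils (dd, sha256sum, cut);
# mmls from The Sleuth Kit is used only when installed. In practice SOURCE is a
# block device attached behind a write blocker, e.g. /dev/sdb; the demo below
# uses a constructed file so it runs without hardware.
set -u

# Show the partition layout without touching the source (mmls is read-only).
show_layout() {
    src="$1"
    if command -v mmls >/dev/null 2>&1; then
        mmls "$src"
    else
        echo "mmls not installed; source size: $(wc -c < "$src" | tr -d ' ') bytes"
    fi
}

# Bit-for-bit copy. conv=noerror,sync carries on past unreadable sectors and
# pads them with zeros, so offsets in the image still line up with the original.
make_image() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image; succeed only if the digests match. The image digest is
# also written beside the image so it can be re-checked later.
verify_image() {
    src="$1"; dst="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# Whole procedure; returns 0 only when the image verifies.
image_and_verify() {
    show_layout "$1"
    make_image "$1" "$2" || return 1
    verify_image "$1" "$2"
}

# Constructed stand-in for a disk: 64 sectors of 512 bytes with known content.
make_sample_disk() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 64 ]; do
        printf '%-512s' "sector $i" >> "$out"
        i=$((i + 1))
    done
}

# Demo run on the constructed disk.
demo_dir=$(mktemp -d)
make_sample_disk "$demo_dir/suspect.raw"
if image_and_verify "$demo_dir/suspect.raw" "$demo_dir/suspect.dd"; then
    echo "image verified"
else
    echo "HASH MISMATCH: do not use this image" >&2
fi
rm -rf "$demo_dir"
```

The hash comparison is the step that turns a copy into evidence: if a single sector differs (a read error that conv=noerror zero-filled, for instance), the digests diverge and the image should not be used until the discrepancy is explained and documented.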
How might you connect a disk to the analyst's machine?
Insert it as an additional internal disk in the PC.
Add it as an external drive (using external connectors, a disk caddy, etc.). In either case the original should sit behind a write blocker so that nothing on the workstation can modify it.
What should be considered when storing an image copy?
Should the copy be stored on a disk the same size as the original, or bigger?
Should an identical disk be used?
Should a local imaging file server be used?
What must you do to a target disk before it is used to hold an image?
It must be forensically wiped (every sector overwritten and the wipe verified) so that leftover data from earlier use cannot be mixed with, or mistaken for, the data being copied onto it.
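Wiping the target and then proving the wipe, as an added example that is not part of the flashcards. It assumes GNU coreutils (dd, head) and cmp from diffutils. TARGET would normally be a block device such as /dev/sdc with its size taken from blockdev --getsize64; the demo uses a constructed 16-sector file holding "old case data" so it runs without hardware.

```shell
#!/bin/sh
# Added example (not from the flashcards): forensically wipe a target disk before
# it receives an image, then verify that every byte really is zero. Assumes GNU
# coreutils (dd) and cmp from diffutils. TARGET would normally be a block device
# such as /dev/sdc whose size comes from 'blockdev --getsize64'; the demo uses a
# constructed file so it runs without hardware.
set -u

# Overwrite the first SIZE bytes of TARGET with zeros, sector by sector.
# conv=notrunc is only needed for the file stand-in so it keeps its length.
wipe_target() {
    target="$1"; size="$2"
    dd if=/dev/zero of="$target" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
}

# Succeed only if the first SIZE bytes of TARGET compare equal to /dev/zero.
verify_wipe() {
    target="$1"; size="$2"
    cmp -n "$size" "$target" /dev/zero >/dev/null 2>&1
}

# Wipe and verify; refuse the disk if any non-zero byte remains.
prepare_target() {
    wipe_target "$1" "$2" || return 1
    verify_wipe "$1" "$2"
}

# Constructed stand-in: 16 sectors holding leftover data from a previous case.
make_dirty_disk() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 16 ]; do
        printf '%-512s' "old case data $i" >> "$out"
        i=$((i + 1))
    done
}

# Demo run on the constructed disk.
demo_dir=$(mktemp -d)
make_dirty_disk "$demo_dir/target.raw"
bytes=$(wc -c < "$demo_dir/target.raw" | tr -d ' ')
if prepare_target "$demo_dir/target.raw" "$bytes"; then
    echo "target wiped and verified ($bytes bytes of zeros)"
else
    echo "wipe verification failed" >&2
fi
rm -rf "$demo_dir"
```

The verification step matters as much as the wipe: a dd that stopped early on a write error leaves the tail of the disk with old data, and only a full read-back against /dev/zero (or a hash of the zeroed disk) shows that.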
What commands are used to make a bit-for-bit image copy of a disk?
The dd command in Linux.
The dcfldd command, a forensics-oriented fork of dd that can hash the data as it copies (it is a separate tool, not part of The Sleuth Kit).