Prepare a forensic imaging lab report

Reference no: EM132060315

Project: Computer Architecture and Imaging

"So you're telling me an exact replica of ZeroBit's concept drawing has shown up on the cover of Apex's product development brochure? What are the chances of that? ... Unless somebody here at ZeroBit is leaking information.... I'll get my best investigator on it." "Thanks for coming by. I wanted to talk with you face to face. I just spoke with our VP for External Relations, and it looks like we may have a major security breach on our hands. How quickly can you image this USB stick?" "Our suspect has access to a live system here at Headquarters, as well as a networked computer at our remote location. We'll need to examine both of them. You should be able to slip into his office and acquire his RAM and swap space while he's at training this afternoon. But while you're waiting, check your email for a message from Legal." When you open the message from the ZeroBit Counsel, you see four questions that need to be answered in preparation for any possible legal challenge. As you're answering the fourth one, a notification pops up reminding you that the suspect's training session is about to start...that's your cue that it will soon be safe to log in to the suspect's computer. You run your program, acquiring the RAM and swap space from the live system. Then you log out, leaving the suspect's office and computer as you found them. Your colleagues have left for the day, but you've stayed behind to image the suspect's remote computer after hours. You log on to the system and have no problem using netcat to transfer a copy of his remote hard drive to your workstation at Headquarters. You lean back in your chair and smile. You've imaged all of the suspect's known devices. Tomorrow you'll compile your analyses into a final forensic report. Who knows? You may even be asked to present your report in court!

Digital forensics involves processing data from many different types of devices, ranging from desktops to laptops, tablets to smartphones, servers to cloud storage, and even devices embedded in automobiles, aircraft, and other technologies. In this project you will focus on the architecture and imaging of desktop and laptop computers. You will be working in the VM to image and verify the contents of the following:

1. a USB stick

2. the RAM and swap space of a live computer

3. a networked computer hard drive

There are seven steps in this project. In the first step you review a technical manual containing information about the various locations where we typically find data of forensic value. The next two steps guide you through the process of imaging a USB stick with both Linux and Windows tools. The next step poses several questions that frequently come up in cases similar to this scenario. In the next step, you're back to collecting forensic evidence; this time you're imaging the RAM (memory) and swap space of a live, running computer. In the next step, you image a computer's hard drive over the network. In the final step, you compile all of the previous lab notes and reports into one comprehensive report. The final assignment in this project is a forensic imaging lab report that can be presented in a court of law.

Before you can begin imaging the USB drive provided by your supervisor, you need to review your technical manual in order to prepare a statement of work to give to your company's legal team. Are you ready to get started?

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
10.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging and verification.
10.4: Demonstrate an understanding of the different parts of a computer.
11.1: Perform report creation, affidavit creation, and preparation to testify.

Step 1: Conduct a Background Review

Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization's legal team has been asking questions about types, sources, and collection of digital information. They have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department's technical manual to compose your memo on locations of valuable forensic information and formats in which digital evidence can be stored. You also review imaging and verification procedures.

For the first step in this project, prepare a memo (1-2 pages in length) that summarizes possible locations of valuable digital forensic information, as well as collection and storage options in laymen's language. For each location described, include a short description of the following:
1. Area
2. Types of data that can be found there
3. Reasons why the data has potential value to an investigation in general, and for this case in particular

The locations to be addressed are: USB sticks, RAM and swap space, and operating system hard disks.

Also describe possible digital evidence storage formats (raw, E01 (ewf), and AFF), the advantages and disadvantages of each, and how digital forensic images are collected (local and remote, memory and disk) and verified. Your memo will be included in the final forensic imaging lab report.

Step 2: Imaging of a USB drive using Linux tools

In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic "basics". Now it's time to move forward with the investigation.

The USB stick may contain intellectual property that you can use to prove the suspect's guilt, or at least establish intent. Security personnel recovered the stick from the suspect's desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers. Your team's policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.

To get started, you review your "Resources and Procedures Notes", as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.

Submit your lab notes and report to your supervisor (instructor) for ungraded feedback and incorporate any suggested changes. This material will be included in the final forensic imaging lab report (Step 7). In the next step, you will conduct the same procedures using Windows tools.

Step 3: Image a USB Drive Using Windows Tools

After imaging the USB drive with Linux in Step 2, your next step is to image the USB drive again, this time using Windows tools. Review your "Resources and Procedures Notes" first, then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report (Step 7).

Your organization's legal team has some questions for you in Step 4.

Step 4: Respond to Questions from the Legal Team

In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you respond to pointed questions from your organization's legal team. The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.

Questions from the legal team:

1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?

2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?

3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?

4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (1-2 pages) written in plain, simple English. The memo will be included in your final forensic imaging lab report (Step 7) so review it carefully for accuracy and completeness.
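As an added example (not from the course's lab materials or technical manual), the following POSIX shell script performs the acquisition and verification that Steps 2 and 4 ask you to document: it refuses to image a mounted source, hashes the source before and after imaging, copies it with dd, verifies the image, and writes each hash to a lab-notes file. The function names, exit codes and log format are assumptions; the same verify step applies to an image received over netcat in Step 6.

```shell
#!/bin/sh
# Added example, not part of the course materials. Acquire a raw (dd) image of
# an evidence source and record the hashes the legal team asks about.
# Assumptions: Linux with GNU coreutils (dd, sha256sum); SRC is the evidence
# device, or a regular file standing in for it during testing.
set -u

# SHA-256 rather than MD5 or SHA-1: the older algorithms have practical
# collision attacks, so a defence could argue two images might share a hash.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeeds if the source appears in the mount table (legal questions 3 and 4:
# the OS must not have mounted, and possibly written to, the stick).
is_mounted() {
    grep -qs "^$1 " /proc/mounts
}

# note LOGFILE MESSAGE...  -> timestamped line for the lab notes
note() {
    nlog=$1; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$nlog"
}

# verify_image EXPECTED_SHA256 IMAGE -> 0 when the image still matches; rerun
# this whenever the image changes hands so the chain of custody stays provable.
verify_image() {
    [ "$(hash_of "$2")" = "$1" ]
}

# acquire_image SRC DST LOG
# Exit status: 0 verified; 1 image hash differs from source; 2 source hash
# changed during acquisition; 3 dd failed; 4 source was mounted (refused).
acquire_image() {
    src=$1; dst=$2; log=$3
    if is_mounted "$src"; then
        note "$log" "REFUSED: $src is mounted; unmount before imaging"
        return 4
    fi
    pre=$(hash_of "$src")
    note "$log" "pre-acquisition sha256 of $src: $pre"
    # bs must divide the source size exactly: conv=sync pads a short final
    # block with zeros, which would make the image hash differ from the source.
    # conv=noerror continues past unreadable sectors instead of aborting.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 3
    post=$(hash_of "$src")
    note "$log" "image sha256 of $dst: $(hash_of "$dst")"
    note "$log" "post-acquisition sha256 of $src: $post"
    if [ "$pre" != "$post" ]; then
        note "$log" "FAIL: source changed during acquisition"
        return 2
    fi
    verify_image "$pre" "$dst" || { note "$log" "FAIL: image differs"; return 1; }
    note "$log" "VERIFIED: image matches source"
    return 0
}
```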

You are hoping that you will be able to access the suspect's local computer next!

Step 5: RAM and Swap Acquisition

In the previous step, you addressed the concerns of your company's legal team. While you were doing so, the suspect's afternoon training session started so now you are able to move on to the next stage of your investigation.

Your organization's IT department backs up the hard drives of HQ computers on a regular basis so you are interested only in the suspect's RAM and swap space. The RAM and swap space may reveal programs used to hide or transmit intellectual property, in addition to the intellectual property itself (past or current). You have a four-hour window to acquire the RAM and swap space of his live computer. When you arrive at the suspect's office, the computer is running, but locked. Fortunately, the company IT department has provided you with the administrator password so you log on to the system. You review your "Resources and Procedure Notes", access the virtual lab, and follow the steps required to acquire and analyze the RAM and swap space from the live system.

Your lab notes and report will be included in your final forensic imaging lab report (Step 7) so make sure you review them carefully for accuracy and completeness.

Now that you've imaged the suspect's local computer, there is only one task that remains. You need to use the company network to access his remote computer.

Step 6: Perform Forensic Imaging over a Network

In the previous step, you acquired and analyzed the RAM and swap space from the suspect's live, local computer. In this step, you perform a similar analysis on his networked, off-site computer.

Your supervisor confirms that the suspect's remote office is closed for the weekend so you are free to image his computer via the network. The remote computer is locked, but the company IT department has provided an administrator password for your investigation. Using your forensic workstation at headquarters, you log on to the remote system. If the image were going to pass unencrypted over an untrusted network (such as the Internet), you would want to conduct the transfer over SSH, but since you're on the company network and connecting to the remote office via a VPN, you can use the "dd" command to transfer a copy of the remote hard drive to your local workstation using the "netcat" tool. You review your "Resources and Procedure Notes", go to the virtual lab, and proceed to image the computer over the network.

Review your lab notes and report carefully for accuracy and completeness; they will be included in your final forensic imaging lab report (Step 7).

Phew! You have conducted an exhaustive investigation of all of the suspect's computer devices in this possible "insider cyber-crime". In the process, you have written up lab notes and four reports, and provided responses to questions from your legal team. The last step in the investigative process is to combine all of the information that you've gathered in Steps 1-6 into a single forensic report that can be presented in a court of law. That is what you will do in the final step in this project.

Step 7: Submit Final Forensic Imaging Lab Report

Now that you've completed the necessary acquisition and imaging tasks, you're ready to compile all of your reports and lab notes into a single forensic imaging lab report that you will submit to your supervisor. Your supervisor reminds you that your report may be presented in a court case so it needs to meet all legal requirements. The report should include the following sections:

1. One- to two-page memo addressing the types, sources, and collection of digital information, as well as file formats

2. Imaging of a USB drive using Linux tools (lab notes, report)

3. Imaging of a USB drive using Windows tools (lab notes, report)

4. One- to two-page memo responding to questions about imaging procedures

5. RAM and swap acquisition--live, local computer (lab notes, report)

6. Forensic imaging over a network (lab notes, report)

Final Forensic Imaging Lab Report

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.

1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
10.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging and verification.
10.4: Demonstrate an understanding of the different parts of a computer.
11.1: Perform report creation, affidavit creation, and preparation to testify.
