Computer architecture and imaging project

Here’s the scenario: You are doing imaging work for an organization. Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization’s legal team has been asking questions about types, sources, and collection of digital information. Team members have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department’s technical manual to compose your memo on finding valuable forensic information and storing digital evidence. You also review image verification using hashing, an important component of digital forensics.

I am attaching some of the steps. You will see screenshots I have included for clarity and to make the process easy for you. I will provide everything you need to complete the project once the tutor is selected.

Step 2: Image a USB Drive Using Linux Tools

In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic basics. Now, it’s time to move forward with the investigation. 

The USB stick may contain intellectual property that you can use to prove the suspect’s guilt, or at least establish intent. Security personnel recovered the stick from the suspect’s desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers.  

Your team’s policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools. 

To get started, review the lab instructions in the box below, as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.

Linux Forensics Imaging Resources

1. Linux forensic virtual machine (VM), NIXFOR01

2. A forensic image file: LD2-Step1.dd

3. A flash drive image file: “FlashDrive.img” (provided)

Once connected to Workspace, follow the instructions below to launch the Lab Broker application and connect to the lab VMs:

2. When prompted, click Open Windows PowerShell.

3. Connect to the NIXFOR01 lab VM.
   a. Click the Connect button to initiate a remote connection to the NIXFOR01 lab VM.
   Note: The exercise steps that follow are all completed by you inside the NIXFOR01 lab VM, unless otherwise indicated.

Setting Up the Evidence Drive

Steps

1. Access resources via the Lab Resources folder on the desktop of the VM.

2. From the Projects folder, double-click the Download Project Resources shortcut to take you to the DFC 620 or CST 640 Project Resources page. Download the “LD2-Step1.dd” and “FlashDrive.img” files under Project 2.

3. Confirm that the project files illustrated below have been successfully downloaded in the Downloads folder.

4. Simulate inserting a flash drive using the following commands in Terminal:
   a. To attach the flash drive image “FlashDrive.img” to a loopback device, type: sudo losetup --find --show -P ~/Downloads/FlashDrive.img
   c. To list the loopback devices allocated (for verification purposes), type: losetup -l (where the “l” is a lowercase L)
   d. To show the loopback device and its partition in /dev, type: ls -l /dev/loop0

6. Mount the USB device:
   a. Use the gnome-disks command from Terminal to launch the disk utility. Type: gnome-disks
   Note: The graphical user interface (GUI) disk utility window shown in the screenshot will display.
   • Click and highlight the 1.5 MB Loop Device.
   • Click the Play button to mount the 1.5 MB Loop Device.

8. Launch a new Terminal window if one isn’t already open.
   Note: Locate and open Terminal from the Applications menu if no Terminal window is already open.

9. Determine the device location assigned to the flash drive:
   a. Type the following command in Terminal: sudo mount
   You can also use the following command to filter the many lines of text produced by the mount command: mount | grep /dev/loop

10. Zero out the clusters on your flash drive:
   a. This step writes zeroes to every location on the flash drive. If prompted for a password, enter Cyb3rl@b.
   Be sure to use the correct destination device; if you pick the wrong one you will wipe important files.

   Then copy the image onto the sterilized flash drive:
   1. This is not a file copy, but a raw image copy that includes all directories and system files.
   2. Before executing the following commands, make sure that you are working in the directory where the dd file is located. In this example, it is the Downloads directory.
      a. Navigate to the Downloads directory (if you are not already in Downloads). Type: cd Downloads
      b. Make sure the folder contains the “LD2-Step1.dd” file by using the ls command to list the directory files. Type ls and press Enter.
      c. Then type the following command to copy the image to the flash drive: sudo dd if=./LD2-Step1.dd of=/dev/loop0 bs=1024
      d. Type the following to make sure that the copy process has completed: sync

11. Confirm that the contents of the image you copied onto the flash drive in the previous step match the original image file by producing and comparing the hash value of the “LD2-Step1.dd” file with that of the /dev/loop0 simulated flash drive:
   sudo sha1sum LD2-Step1.dd /dev/loop0

12. Next, simulate removing the flash drive from the VM.
   a. Unmount the 1.5 MB Volume by first using the gnome-disks command in Terminal to open the disk utility. Type: gnome-disks
   b. Click the Stop button (highlighted in the screenshot) to unmount the volume. Make sure that you click to highlight the 1.5 MB Loop Device before doing this.

13. To destroy the loop devices and simulate unplugging the flash drive, type: sudo losetup -D
   To verify that no loop devices are connected to the VM before continuing, type: sudo losetup -l

Static Imaging and Verification (Linux)

Steps

1. Simulate plugging in a flash drive without mounting any volume, using the following commands:
   a. Attach the flash drive image “FlashDrive.img” to a loopback device by typing: sudo losetup --find --show -P ~/Downloads/FlashDrive.img
   b. To list the loopback devices allocated, for verification purposes, type: losetup -l
   c. To show the loopback device and its partition in /dev, type: ls -l /dev/loop0
   d. To verify that no device is automounted, type: mount | grep /dev/loop (Result: nothing should be listed in the window.)

2. Now create a forensic copy of the flash drive with the following command: sudo dd if=/dev/loop0 of=forensic_copy_LD2-Step1.dd bs=1024

3. Check the hash value of the forensic copy and compare it to the hash of the original image file (“LD2-Step1.dd”):
   sudo sha1sum forensic_copy_LD2-Step1.dd /dev/loop0
   Note: If the hashes don’t match, repeat these steps. (The two hashes might match for this exercise. If this happens, you may continue.)

You have now reached the end of the lab. Close all applications, exit the virtual lab, and make sure that you compile your findings and incorporate them into your final deliverable for submission.
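The two verification points of this lab, checking that the target medium really was sterilized before imaging onto it (step 10) and comparing the SHA-1 of source and copy (step 11 and static step 3), as an added shell example that is not part of the lab material. It stands in regular files, constructed inside the script, for the lab's /dev/loop0 and LD2-Step1.dd, so it runs without root and without a loop device.

```shell
#!/bin/sh
# Added example, not part of the lab: verification helpers for the
# sterilize-then-image procedure. The lab's /dev/loop0 and LD2-Step1.dd are
# replaced by constructed regular files, so this runs without root.

# Return 0 if every byte of the target is 0x00 (medium is sterile), 1 otherwise.
# tr deletes NUL bytes; whatever wc still counts is leftover non-zero data.
is_sterile() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# The lab's step 11 / static step 3 check: SHA-1 of source and copy must be identical.
# Prints both digests (for the lab notes) and returns 0 only on an exact match.
verify_acquisition() {
    h_src=$(sha1sum "$1" | cut -d' ' -f1)
    h_copy=$(sha1sum "$2" | cut -d' ' -f1)
    printf 'source %s  %s\ncopy   %s  %s\n' "$h_src" "$1" "$h_copy" "$2"
    [ "$h_src" = "$h_copy" ]
}

demo() {
    work=$(mktemp -d)
    # Constructed 1.5 MB target of zeros, standing in for the sterilized /dev/loop0.
    dd if=/dev/zero of="$work/flash.img" bs=1024 count=1536 2>/dev/null
    is_sterile "$work/flash.img" && echo "target is sterile, safe to image onto"
    # Constructed 1.5 MB evidence image with known content, standing in for LD2-Step1.dd.
    yes 'constructed evidence line' | head -c 1572864 > "$work/evidence.dd"
    # Raw copy onto the target and flush, as in the lab's dd and sync steps.
    dd if="$work/evidence.dd" of="$work/flash.img" bs=1024 2>/dev/null
    sync
    verify_acquisition "$work/evidence.dd" "$work/flash.img" && echo "hashes match: copy verified"
    # Alter a single byte of the copy: the hash comparison must catch this.
    printf 'X' | dd of="$work/flash.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_acquisition "$work/evidence.dd" "$work/flash.img" || echo "hash mismatch: copy rejected"
    rm -rf "$work"
}

demo
```

sha1sum /dev/loop0 reads the whole device, so the step 11 comparison of LD2-Step1.dd against /dev/loop0 can only match when the image file is exactly the loop device's size, whereas the forensic copy made from the device in the static step is always that size.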

Project 2: Computer Architecture and Imaging
Step 1: Brief the Legal Team on Forensics


For the first step in this project, prepare a memo (one to two pages in length, following this format) in plain language that summarizes where valuable digital forensic information resides in the device, as well as collection and storage options. The devices to be addressed are USB sticks, RAM and swap space, and operating system hard disks. You will need to research and cite reference sources for each answer contained in your memo (e.g., NIST). For each electronic media device described, include a short description of the following:

  • identify the digital media device examined 
  • types of data that can be found there 
  • reasons why the data has potential value to an investigation in general, and for this case in particular 
  • list the possible digital evidence storage formats (raw, E01 (ewf), and AFF) and describe the advantages and disadvantages of each format, and  
  • how digital forensic images are collected (local and remote, memory and disk) and verified.  

Your memo will be included in the final forensic imaging lab report. 

