Computer Architecture and Imaging
Memo
Date:
To: Legal Team on Forensics
From:
The recovery and investigation of data found on storage devices are among the main activities performed during digital forensics. Such storage devices include USB sticks, operating system hard disks, RAM, and swap space. Because the devices differ, the digital evidence that can be retrieved from them differs as well, and so does the method used to recover it.
USB Sticks
USB sticks are flash memory drives, storage devices integrated with a Universal Serial Bus (USB) connector (Harris & Harris, 2010). Apart from serving as storage, USB sticks are used to transfer data from one computer to another and as Live USBs, which allow a computer to boot from the USB (Hoffman & Mckay, 2020). Over the years, the use of USB sticks has increased because of their user-friendliness and storage capacities. USB drives are non-volatile memory: the data is not lost when power to the drive is removed, and it is only lost when the data is deleted or the drive is formatted. USB sticks use electrically erasable programmable read-only memory (EEPROM) based on NAND-type flash memory (Dham, 2012). USB drives can hold various types of data, including video files, audio files, documents, and images. One area of a USB drive that is useful in digital forensics is the slack space. Slack space, the unused space left in the clusters allocated to files, can be used to hide illegal files. It can also contain the remains of deleted files, and their retrieval can be useful in digital forensics (Thampy, Praveen, & Mohan, 2018). The ease of transport and small size of USB sticks make them easy to hide and suitable for transporting illegal files. A USB image is created with tools that capture the slack space along with the other parts of the drive, such as the Master Boot Record (MBR). The image can be stored in the EnCase Evidence File format (E01). An advantage of this format is that the image also carries its own metadata. In addition, E01 files are compressed, which addresses issues with the image size (Vandeven, 2014).
RAM and Swap Space
Random Access Memory (RAM) is the system storage component that holds the information the computer is using at a given moment. Unlike USB sticks, RAM is a volatile storage device. Swap space, also referred to as a swap file, is the part of the computer's disk used to extend the RAM. Swap space is important because it extends the available memory when the RAM is fully utilized. Much information about the activities performed on a computer can be derived from analyzing RAM and swap space. Hausknecht, Foit, and Burić (2015) note that all data used by a computer has to pass through the RAM at some point and is recorded in its memory blocks. Common data found in RAM includes the processes running on the computer; files, including opened, read, and modified files; and network traffic (Hausknecht, Foit, & Burić, 2015). Parasram (2017) also notes that passwords, the cryptographic keys used to encrypt areas of the disk, and information from the internet can be located in RAM. RAM and swap space can be acquired from a computer through hardware that gains Direct Memory Access, or through software methods using tools such as FTK Imager (Hausknecht, Foit, & Burić, 2015). When collecting digital evidence, the raw file format is recommended for the RAM image. Its advantage is that raw images are easy to work with because so many forensic tools support them (Garfinkel, Malan, Dubec, Stevens, & Pham, 2006).
Operating System Hard Disks
Hard disk drives are storage devices that use magnetic recording to store data. Unlike RAM, hard disks are non-volatile, meaning they retain the data they store even when powered off. A computer's hard disk drive stores various data, including the operating system, the programs installed on the computer, and user files. File systems used on hard disks include NTFS, FAT, and ext4. Much information can be obtained from an operating system hard disk for use in digital forensics. One item is the system information accessed through the BIOS, which provides details about the hard disk such as its serial number. The operating system hard disk also provides information about the other components of the computer, including the devices installed in the system, their drivers, and even the removable media that have been used with the system. Additionally, the computer's device manager gives further insight into the hardware devices connected to the computer (Kumar, Sofat, & Aggarwal, 2011). Analysis of an operating system hard disk can also include retrieving deleted files with the available data recovery tools. The OS hard disk also records various logs that are useful during analysis. The range of digital evidence available from a hard disk makes it essential to follow the correct procedures when creating an image of the disk. Storing the hard disk image in the Advanced Forensic Format (AFF) is recommended, because a hard disk can contain a large amount of data and a raw image is not compressed. In addition, the Advanced Forensic Format makes it easier to store the metadata of the drive (Garfinkel et al., 2006).
Imaging a USB Drive using Linux Tools
In this section of the lab, I will be using Linux tools to produce forensic copies of a USB flash drive partition. The essential project files were downloaded. Clusters on the flash drive were zeroed out, and copies of the forensic image LD2.dd were made. Once I was done creating the forensic image, I compared the hash values of the original file and the newly created file to confirm they were the same. This shows that the integrity of the file has not been tampered with. Step-by-step screenshots of the entire process are outlined below.
Fig. 2.1 Accessing my Resources
Fig. 2.2 Downloading project resources
Fig. 2.3 Confirming both have been downloaded
Fig. 2.4 Entering the StudentFirst password
Fig. 2.5 /dev/loop0 terminal
Fig. 2.6 Loopback devices allocated
Fig. 2.7 Loopback and partition in /dev
Fig. 2.8 Mounting the USB device using gnome-disks
Fig. 2.9 Loop Device is mounted
Fig. 2.10 Checking the name of the examination flash drive
/dev/loop0 on /run/media/StudentFirst/B6CB-F7AD type vfat
(rw, nosuid, nodev, relatime, uid=1001, gid=1001, fmask=0022, dmask=0077, codepage=437, iocharset=ascii, shortname=mixed, showexec, utf8, flush, errors=remount-ro, uhelper=udisks2)
Fig. 2.11 Using mount | grep /dev/loop
Note. Both mount commands gave the same output.
Fig. 2.12 Checking Download files
Fig. 2.13 sha1sum hash values
Fig. 2.14 Unmounting the 1.5 MB volume
Static Imaging and Verification using Linux Tools
Fig. 2.15 Verifying the partition
Fig. 2.16 Hashes are a match
Imaging a USB Drive using Windows Tools
In this section of the lab, I will be using a Windows tool, Forensic Toolkit (FTK) Imager, to produce forensic copies of a USB flash drive partition. Once I was done creating the forensic image, I compared the hash values of the original file and the newly created file to confirm they were the same. This shows that the integrity of the file has not been tampered with. Step-by-step screenshots of the entire process are outlined below.
Fig. 3.1 Verifying that both files have been downloaded
Fig. 3.2 Automatic mounting of new volumes disabled
Fig. 3.3 Automount of volumes enabled
Fig. 3.4 Mounting the Flash Drive
Fig. 3.5 Selecting the options for the new device
Fig. 3.6 Mounted E drive
Fig. 3.7 Selecting a logical drive for the new file that is to be created
Fig. 3.8 Drive selection E:\ [FAT]
Fig. 3.9 Adding evidence files
Fig. 3.10 Selecting a destination for the FTKFlash image
Fig. 3.11 Two hash values for the newly created files
Fig. 3.12 Local drive E: has been unmounted
Memo in Response to Legal Team
Date:
To:
From:
Opening
Q1:
The main use of a hashing algorithm in forensics is to confirm the integrity of the data. By confirming the integrity of the data, the hashing algorithm shows that the data has not been modified and that the image captured from the storage device is identical to the image being examined. A hash can also be used to identify the individual data objects within the image. In this case, the recommended hashing algorithms are the Secure Hash Algorithm (SHA) and MD5. Although collisions have been found for SHA-1 and MD5, they remain among the most widely used hashing algorithms, and their importance lies in the preservation of digital evidence and in maintaining the integrity of that evidence (Schmitt & Jordaan, 2013).
Q2:
Hashing algorithms are used to preserve the integrity of the data used in the forensic process. When the hash of the original data does not match the hash value of the forensic copy, the integrity of the forensic copy is lost. The hash value of a file changes whenever the file is modified, and such modification can occur at any stage of the forensic process. A difference between the hash values of the original data and the forensic copy therefore shows that the forensic copy was modified. A modified forensic copy raises legal issues and can affect the individuals involved in the forensic process, since one of the forensic team's obligations is to ensure that the collected digital evidence is not tampered with. A loss of data integrity can mean that the forensic team did not follow the required guidelines, that someone outside the authorized individuals was able to modify the files, or that someone on the forensic team is responsible for modifying the data.
Q3:
A forensic image aims to create an exact duplicate of the information found on the flash drive. Before a flash drive can be used by a computer, the operating system has to mount it. In most cases, the operating system mounts the flash drive automatically and, in doing so, incorporates it into the computer's file system. Incorporating the flash drive into the file system means that some information on the drive itself also changes. Therefore, mounting a flash drive before creating the forensic duplicate modifies the data on the flash drive. Because the data intended for use as digital evidence has been modified, it loses its integrity when used in a case.
Q4:
Two methods can be used to prove that the OS did not automatically mount a flash drive and change its contents before the creation of the forensic duplicate: analysis of the flash drive's metadata, and comparison of the hash values of the original and the duplicated files. When the hash values of the original and the duplicate are the same, the flash drive's contents have not changed, and therefore the OS did not automatically mount the flash drive. Analyzing the metadata of the flash drive provides further information about the drive, including the date and time at which the evidence was last modified (Buchholz & Spafford, 2004). Additionally, the logs created by the operating system can show whether the flash drive's contents were changed if the OS did mount it.
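The acquisition-and-verification step behind the Linux and Windows imaging sections and the legal team's questions Q2 and Q4, written out as an added Python example (not the lab's own dd, sha1sum or FTK Imager commands): the source is hashed as it is read, the copy is hashed independently, and a single byte written to the source after acquisition is enough to make the hashes diverge. The sample "device", the image name LD2.dd (taken from the lab) and the one-byte write are constructed for illustration; SHA-1 is the default, MD5 is available through the algorithm argument.

```python
"""Forensic acquisition with hash verification (added example, constructed input)."""
import hashlib
import os
import random
import tempfile

BLOCK_SIZE = 4096  # fixed-size reads, like dd bs=4096


def digest_bytes(data, algorithm="sha1"):
    """Hash an in-memory byte string (used for small known-answer checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha1"):
    """Hash a file in blocks so a large image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, algorithm="sha1"):
    """Copy source to image block by block (what dd does) and hash the bytes
    as they are read, so the acquisition hash covers exactly what was acquired."""
    h = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify(source, image, algorithm="sha1"):
    """Independently re-hash both files; return (match, source_hash, image_hash).
    Both values belong in the lab notes alongside the acquisition hash."""
    s, i = hash_file(source, algorithm), hash_file(image, algorithm)
    return s == i, s, i


def make_sample_device(path, size=100_000, seed=1):
    """Constructed stand-in for the flash drive partition: deterministic
    pseudo-random bytes, so the example runs offline."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(size)))


def simulate_mount_write(path):
    """Constructed stand-in for an OS touching a volume it has mounted (e.g.
    updating a flag in the boot sector): flip one byte at offset 0."""
    with open(path, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))


def run_demo():
    """Acquire, verify, then show that a post-acquisition write is detected."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "sdb1")    # constructed source device
        image = os.path.join(work, "LD2.dd")   # image name from the lab
        make_sample_device(device)
        acq_hash = acquire(device, image)
        ok, src_hash, _ = verify(device, image)
        simulate_mount_write(device)           # the write Q3 warns about
        still_ok, _, _ = verify(device, image)
        return {
            "acquired_hash_matches": acq_hash == src_hash,
            "image_verified": ok,
            "detected_after_write": not still_ok,
        }


if __name__ == "__main__":
    print(run_demo())
```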
RAM and Swap Space Acquisition
This section of the lab comes after the Linux and Windows tools have been used to image the devices. Here, FTK Imager was used to acquire the RAM and swap space of the targeted computer. This information can give insight into which programs the suspects use for concealment. After capturing the memory, a hash value was obtained. See the screenshots below.
Fig. 5.1 Initiating a memory capture
Fig. 5.2 File capture in process
Fig. 5.3 Memory capture finished successfully.
Fig. 5.4 Four new files created and added to the desktop
Fig. 5.5 Hash values of the created AD1 file
Fig. 5.6 System Information
Forensic Imaging Over a Network
In this step, I accessed a suspect computer at the company location, and the computer's hard drives were copied. This was done over a remote connection using the company's VPN. The Linux dd command was used to copy the required files. A Netcat listener was used to establish the remote connection, and the Linux dd command was used to transfer the hard drive files onto the forensic workstation. Hash values were computed for the files.
Fig. 6.1 IP address
Fig. 6.2 ping -c 20 172.21.30.25
Fig. 6.3 Ping results: 20 packets received, 0% lost
Fig. 6.4 Confirming the existence of an additional storage device on NIXFOR01
Fig. 6.5 Zeroing out the drive using: sudo dd if=/dev/zero of=/dev/xvdb bs=8196
Fig. 6.6 Checking the progress of the wipe on the 17GB drive using: sudo pkill -USR1 -n -x dd
Fig. 6.7 Both terminals side by side
Fig. 6.8 Changing the ownership of the additional storage (“/dev/xvdb”)
Fig. 6.9 Hash values
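The network transfer described in this section, as an added Python example that is not the lab's own commands: the two functions stand in for dd if=/dev/xvdb | nc <workstation> <port> on the suspect machine and nc -l -p <port> > image.dd on the forensic workstation, and each side hashes the stream so the examiner can show that the bytes written to the image equal the bytes read from the drive. The sample "drive" and the localhost port are constructed; in the lab the listener runs on the workstation and the VPN carries the connection.

```python
"""dd-over-netcat style disk transfer with hashing on both ends (added example)."""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK_SIZE = 8192  # like dd bs=8192 (any block size works; the lab used 8196)


def hash_file(path):
    """SHA-1 of a file read in blocks, used to verify the written image."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def receive_image(listener, image_path):
    """Workstation side (nc -l > image.dd): accept one connection, write every
    byte to image_path, return the SHA-1 of the bytes received."""
    conn, _ = listener.accept()
    h = hashlib.sha1()
    with conn, open(image_path, "wb") as out:
        while True:
            block = conn.recv(BLOCK_SIZE)
            if not block:          # peer closed its sending side: image complete
                break
            h.update(block)
            out.write(block)
    return h.hexdigest()


def send_device(device_path, host, port):
    """Suspect side (dd if=/dev/xvdb | nc host port): read the device block by
    block, stream it, return the SHA-1 of what was read."""
    h = hashlib.sha1()
    with socket.create_connection((host, port)) as sock, open(device_path, "rb") as dev:
        for block in iter(lambda: dev.read(BLOCK_SIZE), b""):
            h.update(block)
            sock.sendall(block)
        sock.shutdown(socket.SHUT_WR)  # send EOF so the listener knows it is done
    return h.hexdigest()


def transfer_image(device_path, image_path):
    """Run both sides on localhost; return (sender_hash, receiver_hash, image_hash)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(received=receive_image(listener, image_path)))
    worker.start()
    sent = send_device(device_path, "127.0.0.1", port)
    worker.join()
    listener.close()
    return sent, result["received"], hash_file(image_path)


def run_demo(size=300_000):
    """Constructed drive contents; size is not a multiple of BLOCK_SIZE on purpose
    so the final short block is exercised."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "xvdb")        # constructed stand-in drive
        image = os.path.join(work, "image.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(size))
        sent, received, on_disk = transfer_image(device, image)
        return {"hashes_match": sent == received == on_disk,
                "image_size": os.path.getsize(image)}


if __name__ == "__main__":
    print(run_demo())
```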
References
Buchholz, F., & Spafford, E. (2004). On the role of file system metadata in digital forensics. Digital Investigation, 1(4), 298-309.
Dham, V. (2012). VLSI electrically erasable programmable read only memory. VLSI Handbook, 167.
Garfinkel, S., Malan, D., Dubec, K. A., Stevens, C., & Pham, C. (2006, January). Advanced forensic format: an open extensible format for disk imaging. In IFIP International Conference on Digital Forensics (pp. 13-27). Springer, Boston, MA.
Harris, D., & Harris, S. (2010). Digital design and computer architecture. Morgan Kaufmann.
Hausknecht, K., Foit, D., & Burić, J. (2015, May). RAM data significance in digital forensics. In 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (pp. 1372-1375). IEEE.
Hoffman, C., & Mckay, D. (2020, February 06). How to Create a Live Ubuntu USB Drive With Persistent Storage. Retrieved August 11, 2020, from https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/
Kumar, K., Sofat, S., & Aggarwal, N. (2011). Identification and Analysis of hard disk drive in digital forensic. International Journal of Computer Technology and Applications, 2(5).
Parasram, S. V. (2017). Digital Forensics with Kali Linux: Perform data acquisition, digital investigation, and threat analysis using Kali Linux tools. Packt Publishing Ltd.
Schmitt, V., & Jordaan, J. (2013). Establishing the validity of MD5 and SHA-1 hashing in digital forensic practice in light of recent research demonstrating cryptographic weaknesses in these algorithms. International Journal of Computer Applications, 68(23).
Thampy, R. V., Praveen, K., & Mohan, A. K. (2018). Data Hiding in Slack Space Revisited. International Journal of Pure and Applied Mathematics, 118(18), 3017-3025.
Vandeven, S. (2014). Forensic images: for your viewing pleasure. The SANS Institute.
Computer Architecture and Imaging
Project 2 Instructions
Project 2: Computer Architecture and Imaging
Start Here
Digital forensics involves processing data from many different types of devices, ranging from desktops to laptops, tablets to smartphones, servers to cloud storage, and even devices embedded in automobiles and aircraft. In this project, you will focus on the architecture and imaging of desktop and laptop computers. You will be working in a virtual machine (VM) to image and verify the contents of the following:
- a USB stick
- the random access memory (RAM) and swap space of a live computer
- a networked computer hard drive
There are seven steps in this project. In the first step, you will review a technical manual containing information about where data of forensic value is typically found inside digital devices. The next two steps will guide you through the process of imaging a USB stick with both Linux and Windows tools. The next step will pose several questions that frequently come up in cases similar to this scenario. In the next step, you will be back to collecting forensic evidence; this time you will be imaging the RAM (memory) and swap space of a live, running computer. In the next step, you will image a computer’s hard drive over the network. In the final step, you will compile all lab notes and reports into one comprehensive report. The final assignment in this project is a forensic imaging lab report that can be presented in a court of law.
Before you can begin imaging the USB drive provided by your supervisor, you need to review your technical manual in order to prepare a memo to give to your company’s legal team. Are you ready to get started?
Your work will be evaluated using the competencies listed below.
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.4: Tailor communications to the audience.
- 1.5: Use sentence structure appropriate to the task, message and audience.
- 1.6: Follow conventions of Standard Written English.
- 2.2: Locate and access sufficient information to investigate the issue or problem.
- 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
- 4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
- 5.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging.
- 5.4: Demonstrate an understanding of the different parts of a computer.
- 6.1: Perform report creation, affidavit creation, and preparation to testify.
Step 1: Brief the Legal Team on Forensics
Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization’s legal team has been asking questions about types, sources, and collection of digital information. Team members have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department’s technical manual to compose your memo on finding valuable forensic information and storing digital evidence. You also review image verification using hashing, an important component of digital forensics.
For the first step in this project, prepare a memo (one to two pages in length, following this format) in plain language that summarizes where valuable digital forensic information resides in each device, as well as collection and storage options. The devices to be addressed are USB sticks, RAM and swap space, and operating system hard disks. You will need to research and cite reference sources for each answer contained in your memo (e.g., NIST). For each electronic media device described, include a short description of the following:
- identify the digital media device examined
- types of data that can be found there
- reasons why the data has potential value to an investigation in general, and for this case in particular
- list the possible digital evidence storage formats (raw, E01 (ewf), and AFF) and describe the advantages and disadvantages of each format, and
- how digital forensic images are collected (local and remote, memory and disk) and verified.
Your memo will be included in the final forensic imaging lab report.
Step 2: Image a USB Drive Using Linux Tools (this step has already been completed; use the attached lab report to update the final paper accordingly)
In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic basics. Now, it’s time to move forward with the investigation.
The USB stick may contain intellectual property that you can use to prove the suspect’s guilt, or at least establish intent. Security personnel recovered the stick from the suspect’s desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers.
Your team’s policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.
To get started, review the lab instructions in the box below, as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.
Step 3: Image a USB Drive Using Windows Tools (this step has already been completed; use the attached lab report to update the final paper accordingly)
After imaging the USB drive with Linux in the previous step, your next step is to image the USB drive again, this time using Windows tools. Review the lab instructions in the box below, and then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report in the final step.
Step 4: Respond to Questions from the Legal Team
In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you will create a legal memorandum that responds to pointed questions from your organization’s legal team. The legal team has been involved in cybercrime cases before, but team members want to make sure they are prepared for possible legal challenges. They have requested very specific information about imaging procedures based upon your review of reference sources in the field.
Research sources on digital forensics imaging and mounting procedures before writing your response. Then review Set Up Your Evidence Drive, Hash Functions, Imaging Programs, and Image Verification With Hashing as needed.
Questions from the legal team:
- Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
- What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
- What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
- How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?
The legal team would like you to respond in the form of a brief memo (one to two pages following this format) written in plain, simple English. The memo will be included as an attachment to your final forensic imaging lab report in the final step, so review it carefully for accuracy and completeness.
You are hoping that you will be able to access the suspect’s local computer next.
Step 5: Acquire RAM and Swap Space (this step has already been completed; use the attached lab report to update the final paper accordingly)
In the previous step, you addressed the concerns of your company’s legal team. While you were doing so, the suspect’s afternoon training session started, so now you can move to the next stage of your investigation.
Your organization’s IT department backs up the hard drives of HQ computers on a regular basis, so you are interested only in the suspect’s RAM (referred to as volatile data storage) and swap space. The RAM and swap space may reveal programs used to hide or transmit intellectual property, in addition to the intellectual property itself (past or current). You have a four-hour window to acquire the RAM and swap space of his live computer. When you arrive at the suspect’s office, the computer is running, but locked. Fortunately, the company IT department has provided you with the administrator password, so you log on to the system. Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to acquire and analyze the RAM and swap space and perform imaging of a live computer.
Step 6: Perform Forensic Imaging Over a Network (this step has already been completed; use the attached lab report to update the final paper accordingly)
In the previous step, you acquired and analyzed the RAM and swap space from the suspect’s live, local computer. In this step, you perform a similar analysis on his networked, off-site computer. Take a minute to consider forensic evidence in networks.
Your supervisor confirms that the suspect’s remote office is closed for the weekend, so you are free to image his computer via the network to store the digital evidence. The remote computer is locked, but the company IT department has provided an administrator password for your investigation. Using your forensic workstation at headquarters, you log on to the remote system.
If the image were going to pass unencrypted over an untrusted network (such as the internet), you would want to conduct the transfer over SSH, but since you're on the company network and connecting to the remote office via a VPN, you can use the dd command to transfer a copy of the remote hard drive to your local workstation using the netcat tool.
Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to image the computer over the network.
Step 7: Submit Final Forensic Imaging Lab Report
Now that you’ve completed the necessary acquisition and imaging tasks, you’re ready to compile all your reports and lab notes into a single forensic imaging lab report that you will submit to your supervisor. Your supervisor reminds you that your report may be presented in a court case, so it needs to meet legal requirements. The report should include the following sections:
- One- to two-page memo addressing the types, sources, collection of digital information, as well as file formats
- Imaging of a USB drive using Linux tools (lab notes, report)
- Imaging of a USB drive using Windows tools (lab notes, report)
- One- to two-page memo responding to questions about imaging procedures
- RAM and swap acquisition—live, local computer (lab notes, report)
- Forensic imaging over a network (lab notes, report)
Submit your forensic imaging lab report to your supervisor (instructor) for evaluation.
Check Your Evaluation Criteria
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.4: Tailor communications to the audience.
- 1.5: Use sentence structure appropriate to the task, message and audience.
- 1.6: Follow conventions of Standard Written English.
- 2.2: Locate and access sufficient information to investigate the issue or problem.
- 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
- 4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
- 5.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging.
- 5.4: Demonstrate an understanding of the different parts of a computer.
- 6.1: Perform report creation, affidavit creation, and preparation to testify.