LAB5_Digital Forensics Technology and Practices_Kwadwo Antwi

School: University of Maryland, University College
Course: 640
Subject: Information Systems
Date: Dec 6, 2023


Uploaded by joespady4u25

Name: XXXXX
Semester: Summer
Year: 2023
Section Number: 7621

Lab 5 Worksheet
Digital Forensics Technology and Practices

Table of Contents
Introduction
Screenshot 1 – Yourname-OS as the Volume Label for the C: Drive
Screenshot 2 – Volume Label of Yourfirstname-NTFS for the H: Drive
Screenshot 3 – Volume Label of Yourfirstname-FAT32 for the I: Drive
Screenshot 4 – Evidence Item Information for the NTFS Drive
Screenshot 5 – MD5 and SHA1 hashes of your NTFS Image
Screenshot 6 – Evidence Item Information for the FAT32 Drive
Screenshot 7 – MD5 and SHA1 hashes of your FAT32 Image
Screenshot 8 – Evidence Item Information for Autopsy
Screenshot 9 – Master File Table, or $MFT within the NTFS Image in Autopsy
Screenshot 10 – Yourname Volume Label within the FAT32 Image in Autopsy
Conclusion
APA References
Introduction

Students: In the box below, please explain the purpose of Imaging and explain how it is relevant to Digital Forensics Technology and Practices.

Introduction

A forensic image is an exact replica of a physical storage device. It includes all folders, files, unallocated space, free space, and slack space. All deleted files and fragments of deleted files that are still in slack or free space are also included in forensic images; the image is not limited to the files that the operating system can see. One aspect of computer forensic imaging is using methods in computer crime investigations and evaluating obtained evidence for legal court processes. Backup and imaging applications don't always provide forensic images. Windows backup can produce images, which are incomplete copies of the real device. Beyond what is found in an operating system, other evidence might be found in a cybercrime investigation. Usually, this is evidence that has been removed to prevent detection.

The creation and backup of a forensic image can stop data loss brought on by original disk failures. If the original drive is lost, or a drive fails, this will guarantee that forensic investigators may still present their arguments in court. Because having a lot of data or evidence might scuttle legal proceedings, critical files watched for evidence should be imaged for security ("Forensic image," 2017).

The first and most important guideline for managing digital evidence is to keep it safe. The technique used to record all of a digital storage device’s content is called "forensic imaging." The logical structure as well as the metadata of its contents are recorded. The forensic image includes the file slack space as well as the unallocated space. DD and E01 (EnCase) are the most widely used formats for forensic images (Berryhill, 2019).
Screenshot 1 – Yourname-OS as the Volume Label for the C: Drive

1. Take a screenshot of yourname-OS as the DRIVE LABEL for C:. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the Your Name-OS as the Drive Label for the C: Drive.

Image 1: My name - OS as the Volume Label for the C: Drive

Screenshot 2 – Volume Label of Yourfirstname-NTFS for the H: Drive

2. Take a screenshot of yourname-NTFS as the DRIVE LABEL for H:. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the Your Name-NTFS as the Drive Label for the H: Drive.

Image 2: My name - NTFS as the Drive Label for the H: Drive.

Screenshot 3 – Volume Label of Yourfirstname-FAT32 for the I: Drive

3. Take a screenshot of yourname-FAT32 as the DRIVE LABEL for I:. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the Your Name-FAT32 as the Drive Label for the H: Drive.

Image 3: My name - FAT32 as the Drive Label for the H: Drive
Screenshot 4 – Evidence Item Information for the NTFS Drive

4. Take a screenshot of Your First Name and Your Last Name as the Examiner along with the other items you are required to fill out for the Evidence Items. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of Your First Name and Your Last Name as the Examiner

Image 4: My name as the Examiner

Screenshot 5 – MD5 and SHA1 hashes of your NTFS Image

5. Provide the MD5 and SHA1 hashes of your NTFS file. Paste two screenshots, side by side.
  - The MD5 and SHA1 hash of your Image file from the FTK Drive/Image Verify Results Screen
  - The MD5 and SHA1 hash of your Image file from hashtab
  - Label your screenshot.

It is mathematically possible that you and another student could have the same MD5 hash for your Disk. But the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the hash should be unique or there may be an academic integrity review by your professor.

Image 5: MD5 and SHA1 hashes of your NTFS Image

Screenshot 6 – Evidence Item Information for the FAT32 Drive

6. Take a screenshot of Your First Name and Your Last Name as the Examiner along with the other items you are required to fill out for the Evidence Items. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of Your First Name and Your Last Name as the Examiner

Image 6
Screenshot 7 – MD5 and SHA1 hashes of your FAT32 Image

7. Provide the MD5 and SHA1 hashes of your FAT32 image file. Paste two screenshots, side by side.
  - The MD5 and SHA1 hash of your Image file from the FTK Drive/Image Verify Results Screen
  - The MD5 and SHA1 hash of your Image file from hashtab
  - Label your screenshot.

It is mathematically possible that you and another student could have the same MD5 hash for your Disk. But the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the hash should be unique or there may be an academic integrity review by your professor.

Image 7

Screenshot 8 – Evidence Item Information for Autopsy

8. Take a screenshot of Your First Name and Your Last Name as the Examiner along with the other items you are required to fill out for the New Case Information for Autopsy. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of Your First Name and Your Last Name as the Examiner

Image 8

Screenshot 9 – Master File Table, or $MFT within the NTFS Image in Autopsy

9. Provide a screenshot of the Master File Table, or $MFT within the NTFS Image in Autopsy.

Take a screenshot of the Master File Table, or $MFT within the NTFS Image in Autopsy
Image 9: $MFT within the NTFS Image in Autopsy

Screenshot 10 – Yourname Volume Label within the FAT32 Image in Autopsy

10. Provide a screenshot of the Yourname Volume Label within the FAT32 Image in Autopsy. The use of anyone else’s name may result in an academic integrity review by your professor. Please label your screenshot to receive full credit.

Take a screenshot of the Yourname Volume Label within the FAT32 Image in Autopsy

Image 10: Volume Label within the FAT32 Image in Autopsy

Conclusion

Students: In the box below, please explain the purpose of doing this lab below and explain how it is relevant to Digital Forensics Technology and Practices. Highlight any new learning that occurred while doing this lab. Hint: Discuss tools and commands used in the lab.
Conclusion

The objective of this lab in digital forensic technology is to introduce students to the field of forensic imaging. The lab gives students hands-on practice with forensic imaging. It is crucial to understand how forensic imaging works because, if it is carried out improperly, evidence may be excluded from consideration in court. Cybercrime investigators can use a forensic image of a drive to identify and pinpoint when and how a user of a computer device conducted operations or actions on a particular device. In cybercrime investigations, forensic imaging is crucial because it may show whether a suspect attempted to hide or destroy data. A suspect's conduct or purpose can be examined and determined via forensic imaging (Johnson, 2022).

In this lab, we built our own operating system as a drive label for the desktop's C disk. On the H disk, a volume label of our first name NTFS file was produced. On the I drive, FAT32 was formed. We carried out each step to discover how to format drive images. On the Windows command line, the mkdir C: backup command was used to establish a C backup directory. To make a file disk image, the Windows command line was used to run FTK Imager. The lab taught the students how to use FTK Imager to create C-backed-up NTFS.DD files. The image files' MD5 and SHA1 hashes were computed, and they all agreed. Data preview is made possible by FTK Imager, which also aids in evaluating potential forensic evidence. To exclude any possibility of tampering with the original, FTK Imager copies every piece of data on a computing device and makes a forensic image of the data (Shinder & Cross, 2008).

The master table containing the NTFS image was created and retrieved using the Autopsy tool, and our name volume hash was created using the FAT32 image. On computers or external storage media like USB drives, Autopsy can locate and recover lost files. Autopsy can be used by forensic investigators to retrieve deleted data from suspects in a cybercrime investigation (Davis, 2022).
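
The hash comparison described above (recomputing the MD5 and SHA1 of an image file and checking that they agree with the values recorded at acquisition) can be reproduced outside the lab tools. The following is an added example, not part of the original worksheet and not code from FTK Imager or HashTab; the file name sample.dd and the function names are hypothetical, and the sample image is constructed inline.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a multi-GB image never sits fully in RAM


def hash_image(path):
    """Return {'md5': ..., 'sha1': ...} for a raw image, reading the file only once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def normalize(digest):
    """Digests may be noted in upper case or with spaces; compare canonical lower-case hex."""
    return "".join(digest.split()).lower()


def verify_image(path, recorded):
    """Return (ok, per-algorithm results); ok is True only if every recorded hash matches."""
    actual = hash_image(path)
    results = {a: actual[a] == normalize(v) for a, v in recorded.items()}
    return all(results.values()), results


def demo():
    """Constructed sample: a 4 KiB stand-in for a dd image, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.dd")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4095 + b"\x01")
        recorded = {k: v.upper() for k, v in hash_image(image).items()}  # acquisition record
        before = verify_image(image, recorded)
        with open(image, "r+b") as fh:  # simulate one changed byte somewhere in the image
            fh.seek(2048)
            fh.write(b"\xff")
        after = verify_image(image, recorded)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the image includes slack and unallocated space, a change to any single byte, even one outside every visible file, makes both digests differ from the recorded values.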
APA References

Berryhill, J. (2019, January 19). What is a "forensic image"? Bay Area Computer Forensics Expert, Investigator & Witness. https://www.computerforensics.com/news/what-is-a-forensic-image

Davis, P. (2022, April 18). Autopsy forensic tool review (How to use autopsy to recover deleted files). iMyFone® | Software to Recover Data, Unlock Password, Repair System, etc. https://www.imyfone.com/data-recovery/autopsy-forensic-tool-review/

Forensic image. (2017, August 30). Purchase Intent Data for Enterprise Tech Sales and Marketing. TechTarget. https://www.techtarget.com/whatis/definition/forensic-image?vgnextfmt=print

Johnson, W. (2022, May 23). Full forensic imaging vs. targeted data collections: Which one do I need? BIA. https://www.biaprotect.com/blog/full-forensic-imaging-vs-targeted-data-collections-which-one-do-i-need

Shinder, L., & Cross, M. (2008). Acquiring Data, Duplicating Data, and Recovering Deleted Files. Science Direct. https://www.sciencedirect.com/topics/computer-science/forensic-image