What if your OS automatically mounts your flash drive prior to creating your forensic duplicate?


Digital forensic images

For the first step in this project, prepare a memo (2 pages in length) that summarizes possible locations of valuable digital forensic information, as well as collection and storage options, in layman's language. For each location described, include a short description of the following:

  1. Area
  2. Types of data that can be found there
  3. Reasons why the data has potential value to an investigation in general, and for this case in particular

The locations to be addressed are: USB sticks, RAM and swap space, and operating system hard disks.

Also describe possible digital evidence storage formats (raw, E01 (EWF), and AFF), the advantages and disadvantages of each, and how digital forensic images are collected (local and remote, memory and disk) and verified. Your memo will be included in the final forensic imaging lab report.

2-

The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.

Questions from the legal team:

  1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
  2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
  3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
  4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (2 pages) written in plain, simple English.

You are hoping that you will be able to access the suspect’s local computer next!
