
STUDENT NAME KUZIVA CELFIN MAGADU

STUDENT NUMBER N0161340W

DEPARTMENT COMPUTER SCIENCE

LECTURER MR D.MUSUNDIRE

COURSE DIGITAL FORENSICS

COURSE CODE SCI 4201


Case Project 1
For this type of forensic examination it is important to take note of the different data acquisition options I can explore if I am to have a successful acquisition. These options are static acquisition, which is the preferred way to collect digital evidence when a computer is seized during a police raid, and live acquisition, which is a way to collect digital evidence when a computer is powered on and the suspect is logged on. Live acquisition is preferred when the hard disk is encrypted with a password.

To determine the appropriate acquisition method, I must consider the following:

a. The size of the source disk.
b. Can I retain the source disk as evidence, or must I return it to the owner?
c. The time needed to perform the acquisition.
d. The location of the evidence.

At this very instant a fire is starting at the same site as the victim computer, which is the source of evidence. It is highly likely that the fire will spread quickly before I can complete the disk image, so the acquisition option I use first is governed by all of the above factors.

A problem investigators face is the order of volatility (OOV), meaning how long a piece of information lasts on a system. Data such as RAM and running processes might exist for only milliseconds; other data, such as files stored on the hard drive, might last for years. Since the fire started after I had already begun making an image, it is assumed that I have acquired the data from the victim computer in the proper order of volatility. If the victim computer was turned on upon arrival, I would have had a bit of time to do a live examination, which gives me the opportunity to collect volatile data, including information on what the device is currently doing. The captured data might be altered during the acquisition because it is not write-protected. Live acquisitions are not repeatable because data is continually being altered by the suspect computer's OS, so it is best to log the activities I perform so that the data collected remains authentic.

But since, in the case of the murder scene, I am already making an image of the computer's drive, I would have collected the data from volatile to non-volatile, and as a fire is starting I can do either of the following tasks:
a. Cancel the image-making task and then act as if I am about to do a cold boot, by removing the computer from the power directly without invoking any shutdown process, because a shutdown can change a lot of the data on the computer. I then carry the computer with me to the laboratory, where I can continue the acquisition starting with the cold boot, which allows me to collect data that was dumped when the computer was turned off, and then continue with making an image of the victim computer.

b. Cancel the image making and then perform a quick sparse acquisition. Just like a logical acquisition, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.

But the most important issues are to collect the more volatile data first and not to use the shutdown process to switch off the victim computer, because it alters the data on the machine, hence tampering with the authenticity of the data, and finally not to forget to carry the computer while I run for my life. At the laboratory, since the fire forced me to turn off the victim computer, I am limited to using static acquisition methods to collect the evidence from the machine, because with static acquisitions, if the original media has been preserved, making a second static acquisition should produce the same results.
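The two points above (collect the volatile source first and keep a log because a live acquisition is not repeatable, and verify a static acquisition by hashing because a second pass over preserved media must match) can be shown in a small simulation. The following Python is an added illustration, not part of this assignment and not code from any forensic tool: the two media, the block size, the "churn" rule that makes the live source change under the examiner, and the log format are all constructed for the example.

```python
"""Added illustration: simulated live vs. static acquisition, run in order of
volatility, with SHA-256 verification and an examiner activity log.
Media, block size, churn rule and log format are constructed for this example."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

BLOCK = 4096  # constructed block size for the simulated media


@dataclass
class AcquisitionRecord:
    label: str
    size: int
    sha256: str


@dataclass
class Examiner:
    """Performs bit-stream copies and keeps the activity log the text recommends."""
    log: List[str] = field(default_factory=list)

    def note(self, msg: str) -> None:
        self.log.append(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {msg}")

    def acquire(self, label: str, read_block: Callable[[int], bytes], size: int) -> AcquisitionRecord:
        """Read every block of the source once, hashing as the image is built."""
        self.note(f"begin {label}: {size} bytes")
        digest = hashlib.sha256()
        copied = 0
        for offset in range(0, size, BLOCK):
            block = read_block(offset)
            digest.update(block)
            copied += len(block)
        rec = AcquisitionRecord(label, copied, digest.hexdigest())
        self.note(f"end {label}: sha256={rec.sha256}")
        return rec


def static_medium(seed: bytes, size: int) -> Tuple[Callable[[int], bytes], str]:
    """A write-protected disk: the same offset always returns the same bytes.
    Returns (read function, hash of the original media) so the image can be verified."""
    data = (seed * (size // len(seed) + 1))[:size]
    return (lambda off: data[off:off + BLOCK]), hashlib.sha256(data).hexdigest()


def live_medium(seed: bytes, size: int) -> Callable[[int], bytes]:
    """A running system: the OS keeps writing, so each read changes the block it returns."""
    data = bytearray((seed * (size // len(seed) + 1))[:size])
    reads = [0]

    def read(off: int) -> bytes:
        reads[0] += 1
        # constructed churn: flip one byte inside the block being read, like a busy OS would
        data[off + (reads[0] * 97) % BLOCK] ^= 0x5A
        return bytes(data[off:off + BLOCK])

    return read


def repeatable(first: AcquisitionRecord, second: AcquisitionRecord) -> bool:
    """Two acquisitions of the same media agree only when size and hash both match."""
    return first.size == second.size and first.sha256 == second.sha256


def run_scene() -> Dict[str, object]:
    """Volatile source first, then the disk; each acquired twice to show which is repeatable."""
    size = 16 * BLOCK
    ex = Examiner()
    ram = live_medium(b"volatile-ram-", size)
    ram1 = ex.acquire("ram#1", ram, size)
    ram2 = ex.acquire("ram#2", ram, size)
    disk, disk_hash = static_medium(b"victim-disk-", size)
    disk1 = ex.acquire("disk#1", disk, size)
    disk2 = ex.acquire("disk#2", disk, size)
    return {
        "live_repeatable": repeatable(ram1, ram2),
        "static_repeatable": repeatable(disk1, disk2),
        "static_matches_source": disk1.sha256 == disk_hash,
        "log": ex.log,
    }


if __name__ == "__main__":
    result = run_scene()
    for line in result["log"]:
        print(line)
    print("live repeatable:", result["live_repeatable"])
    print("static repeatable:", result["static_repeatable"])
```

Running it acquires the volatile source before the disk, as the order of volatility requires. The two RAM passes produce different hashes because the source changed while it was being read, which is exactly why the log entries (start, end, resulting hash) are the only record of what was captured; the two disk passes produce identical hashes that also match the hash of the preserved original, which is the check an examiner performs in the laboratory to show the static image is authentic.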
