
STUDENT NAME KUZIVA CELFIN MAGADU

STUDENT NUMBER N0161340W

DEPARTMENT COMPUTER SCIENCE

LECTURER MR D.MUSUNDIRE

COURSE DIGITAL FORENSICS

COURSE CODE SCI 4201


The Linux Operating System
An important factor to note when dealing with operating systems is their built-in functions
and the file systems they use. Current Windows systems operate on NTFS, which is quite
different from Ext4, the file system used by Linux, so it is really important to note the type
of file system you might be dealing with. Linux is somewhat special because most of its
distros come with pre-defined built-in features which can be used as forensic tools for data
acquisition. Apart from these features, it allows me to access an unmounted drive, which in
Windows terms can be said to be offline.

Remember that the collection and analysis procedures for evidence must not cast doubt on
the evidence's authenticity and veracity. With that in mind, the options for acquiring the
image depend on two system states which guide me on how to create the image:

If the computer is switched on:

This is my favourite condition; it means I get the opportunity to collect volatile data, which
includes information on the current activities of the device. Above all, before I turn the
victim computer off, I can examine whether any of the active hard drives are encrypted and
collect unencrypted data from them. Checking the active hard drive prepares me for any
surprises such as dead man switches and other malicious programs which will attempt to
alter data once they are invoked. If some drives are encrypted, then I create a logical image
of the hard drives to preserve the data for later analysis.

However, in the event that the system is on and it is not wise to remove the drive, I will
use the Linux OS features for disk imaging, performing a Linux-based data acquisition from
the victim computer using the following software and hardware tools:

The special feature of a Linux Live CD is that it can read and mount most drives. To
perform the data acquisition, a few tools are required:

a. A forensic Live CD.
b. USB or SATA external drives with cables.
c. Knowledge of how to alter the BIOS of the suspect computer to boot the Linux Live CD.
d. Knowledge of shell commands for data acquisition.
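As an added illustration of item d (not part of the original assignment), the shell workflow below performs a sector-level copy of a source drive from a Live CD and records a hash before and after the copy so the image can be shown to match the evidence. It assumes GNU coreutils (dd, sha256sum, date) are on the Live CD; the device path /dev/sdb used in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: bit-for-bit acquisition with hash verification.
# Assumes dd and sha256sum from GNU coreutils are available on the Live CD.

hash_of() {
    # Print the SHA-256 digest of a file or block device
    sha256sum "$1" | cut -d' ' -f1
}

acquire_image() {
    src="$1"      # e.g. /dev/sdb (placeholder), attached behind a write-blocker
    dest="$2"     # image file on the examiner's own evidence drive
    log="${dest}.log"

    # Never overwrite an existing image: an evidence file is written once
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 2; }

    pre=$(hash_of "$src") || return 1
    printf 'source=%s\nstart=%s\nsha256_pre=%s\n' \
        "$src" "$(date -u +%FT%TZ)" "$pre" > "$log"

    # bs=512 matches the sector size; conv=noerror,sync keeps offsets aligned
    # by zero-filling unreadable sectors instead of dropping them.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 1

    post=$(hash_of "$dest") || return 1
    printf 'end=%s\nsha256_image=%s\n' "$(date -u +%FT%TZ)" "$post" >> "$log"

    if [ "$pre" = "$post" ]; then
        echo "verified: $post"
        return 0
    fi
    echo "HASH MISMATCH: source $pre image $post" >&2
    return 1
}

# Run directly as: acquire.sh SOURCE DEST
if [ "$#" -ge 2 ]; then
    acquire_image "$1" "$2"
fi
```

A hash mismatch means unreadable sectors were zero-filled or the source changed during the copy, so the log records both digests for the chain of evidence.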
The computer is switched off:

Appropriate measures should be taken to eliminate any chance of altering the actual
evidence. The traditional copy and paste is an absolute no; besides, it won't copy the
essential metadata. Instead I would do a bit-by-bit copy using disk imaging software and
hardware, which I will elaborate on shortly. In this case, where the computer is switched
off, I can remove the hard drive from the computer and use the tools and procedures
mentioned below to create an image. The reason for this is that switching the machine on
might trigger a dead man switch or other malicious processes or programs which will end
up altering data on the drive, therefore tampering with the authenticity of the
investigation results.

Creating an image using ProDiscover Basic:

ProDiscover automates many acquisition functions, unlike current Linux tools. Because
USB drives are typically small, a single image file can be acquired with no need to segment
it, while for a larger drive ProDiscover Basic lets you use its Split function to create
segmented files of 650 MB each that can be archived to CDs. Before acquiring data directly
from a suspect drive with ProDiscover Basic, always use a hardware write-blocker device or
the write protection method for USB-connected drives. The following activity assumes you
have removed the suspect drive and connected it to a USB or FireWire write-blocker device
attached to your forensic workstation. The acquisition is written to a work folder on your
C drive, assuming it has enough free space for the acquired data. These steps perform the
first task of connecting the suspect's drive to your workstation:

a. Document the chain of evidence for the drive you plan to acquire.
b. Remove the drive from the suspect's computer.
c. Configure the suspect drive's jumpers as needed, if it's a PATA (IDE) disk. (Note: This
step doesn't apply to SATA drives.)
d. Connect the suspect drive to the USB or FireWire write-blocker device.
e. Create a storage folder on the target drive. For this activity, you use your work folder
(C:\Work\Chap04\Chapter), but in real life, you'd use a folder name such as
C:\Evidence