LECTURER MR D.MUSUNDIRE
Remember that the collection and analysis procedures must not cast doubt on the evidence's
authenticity and veracity. With that in mind, the options for acquiring the image depend on two
system conditions, which guide how I create the image: whether the victim computer is still switched
on, or whether it is already switched off.
The first condition, the system still being switched on, is my favourite; it means I get the
opportunity to collect volatile data, which includes information on the current activities of the
device. Above all, before I turn the victim computer off, I can check whether any of the active hard
drives are encrypted and collect the unencrypted data from them while they are still mounted.
Checking the active hard drives prepares me for surprises such as dead man switches and other
malicious programs which will attempt to alter data once they are triggered. If some drives are
encrypted, I create a logical image of those drives while the system is still running, so that the
decrypted data is preserved for later analysis.
However, if the system is on and it is not wise to remove the drive, I will use the disk-imaging
features of Linux itself and perform a Linux-based data acquisition from the victim computer using
the software and hardware tools below. The special feature of a Linux Live CD is that it can read and
mount most drives without writing to them. To perform the data acquisition, a few tools are required:
Appropriate measures should be taken to eliminate any chance of altering the actual evidence. A
traditional copy and paste is an absolute no; besides, it only copies allocated files and loses the
essential metadata, deleted data and slack space. Instead I make a bit-for-bit copy using disk
imaging software and hardware, which I elaborate on shortly. In the case where the computer is
switched off, I can remove the hard drive from the computer and use the tools and procedures
mentioned below to create an image. The reason for this is that switching the machine on might
trigger a dead man switch or other malicious processes or programs which would end up altering
data on the drive, thereby tampering with the authenticity of the investigation results.
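The bit-for-bit copy described above, done with the Linux Live CD tools rather than with a GUI
product, as an added example that is not part of this write-up. It assumes coreutils `dd` and
`sha256sum` are available, that `SRC` is the path of the attached suspect device (for example
/dev/sdb, behind a hardware write-blocker) or, for a dry run, an ordinary file, that `DST` is an image
file on the forensic workstation, and that `LOG` is a text file collecting chain-of-custody records.
The function name `acquire_image` and the `EXAMINER` variable are mine, not from the original.

```shell
#!/bin/sh
# Added example (not from the original write-up): bit-for-bit acquisition of a
# drive with coreutils dd, hash verification of the image against the source,
# and a chain-of-custody record appended to a log file.
# Assumptions: SRC is the suspect device or, for a dry run, a regular file;
# DST is the image file to create; LOG is the custody log; EXAMINER (optional
# environment variable) names the person doing the acquisition.
set -u

# Prints only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DST LOG
# Returns 0 when the image hash equals the source hash, 1 otherwise.
acquire_image() {
    src=$1; dst=$2; log=$3

    # Hash the source before imaging so the record shows exactly what was
    # attached to the workstation.
    src_hash=$(sha256_of "$src")

    # bs=512 matches the sector size, so conv=sync only zero-fills unreadable
    # sectors and never appends padding beyond the end of the device. With a
    # larger bs the final partial block would be padded, the image would be
    # bigger than the source, and the hashes would no longer match.
    # conv=noerror continues past read errors instead of aborting the copy.
    # dd's own record counts go to the log as part of the acquisition record.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1

    img_hash=$(sha256_of "$dst")

    # Chain-of-custody entry: when, who, what, and both digests.
    printf '%s | examiner=%s | source=%s | image=%s | sha256(src)=%s | sha256(img)=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${EXAMINER:-unknown}" \
        "$src" "$dst" "$src_hash" "$img_hash" >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# Dry run on a constructed 1 MiB sample file instead of a real device:
#   sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/sample.bin" bs=512 count=2048 2>/dev/null
    if acquire_image "$tmp/sample.bin" "$tmp/sample.dd" "$tmp/custody.log"; then
        echo "image verified"
        cat "$tmp/custody.log"
    else
        echo "HASH MISMATCH: image is not a faithful copy" >&2
    fi
fi
```

When no hardware write-blocker is available, mark the device read-only at the kernel level with
`blockdev --setro /dev/sdX` before running the acquisition and never mount it read-write; a hardware
blocker remains the preferred control because a software setting can be undone by a mistyped command.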
ProDiscover automates many acquisition functions that the Linux tools leave to the examiner.
Because USB drives are typically small, a single image file can be acquired with no need to segment
it, whereas for a larger drive the Split function in ProDiscover Basic creates segmented files of
650 MB each that can be archived to CDs.
Before acquiring data directly from a suspect drive with ProDiscover Basic, always use a
hardware write-blocker device or the write-protection method for USB-connected drives.
The following activity assumes you have removed the suspect drive and connected it to a
USB or FireWire write-blocker device attached to your forensic workstation. The
acquisition is written to a work folder on your C drive, which is assumed to have enough free
space for the acquired data. The first task is connecting the suspect's drive to your
workstation, using these steps:
a. Document the chain of evidence for the drive you plan to acquire.
b. Remove the drive from the suspect’s computer.
c. Configure the suspect drive’s jumpers as needed, if it’s a PATA (IDE) disk. (Note: This
step doesn’t apply to SATA drives.)
d. Connect the suspect drive to the USB or FireWire write-blocker device.
e. Create a storage folder on the target drive. For this activity, you use your work folder