Computer Architecture and Imaging

Boss [on telephone with vice president]: So you’re telling me an exact replica of Zerobit’s concept drawing has shown up on the cover of APEX’s product development brochure? What are the chances of that? Unless somebody here at Zerobit is leaking information. I’ll get my best investigator on it.

Boss [in person, to you]: Thanks for coming by. I wanted to talk with you face-to-face.

I just spoke with our VP for external relations and it looks like we may have a major security breach on our hands.

How quickly can you image this USB stick? Our suspect has access to a live system here at headquarters, as well as a networked computer at our remote location. We’ll need to examine both of them.

You should be able to slip into his office and acquire his RAM and swap space while he’s at training this afternoon. But while you’re waiting, check your email for a message from legal

Narrator: Back at your desk, when you open up the message from the Zerobit counsel, you see four questions that need to be answered in preparation for any possible legal challenge.

As you’re answering the fourth one, a notification pops up, reminding you that the suspects training session is about to start. That’s your cue that it will soon be safe to log into the suspect’s computer.

You run your program, acquiring the RAM and swap space from the live system. Then you log out, leaving the suspect’s office and computer as you found them.

Your colleagues have left for the day, but you’ve stayed behind to image the suspect’s remote computer after hours. You log onto the system and have no problem using NETCAT to transfer a copy of his remote hard drive to your workstation at headquarters.

You lean back in your chair and smile. You’ve imaged all of the suspect’s known devices. Tomorrow you’ll compile your analyses into a final forensic report.

Who knows? You may even be asked to present your report in court. Digital forensics involves processing data from many different types of devices, ranging from desktops to laptops, tablets to smartphones, servers to cloud storage, and even devices embedded in automobiles and aircraft. In this project, you will focus on the architecture and imaging of desktop and laptop computers. You will be working in a virtual machine (VM) to image and verify the contents of the following:

• a USB stick
• the random access memory (RAM) and swap space of a live computer
• a networked computer hard drive

There are seven steps in this project. In the first step, you will review a technical manual containing information about where data of forensic value is typically found inside digital devices. The next two steps will guide you through the process of imaging a USB stick with both Linux and Windows tools. The next step will pose several questions that frequently come up in cases similar to this scenario. In the next step, you will be back to collecting forensic evidence; this time you will be imaging the RAM (memory) and swap space of a live, running computer. In the next step, you will image a computer’s hard drive over the network. In the final step, you will compile all lab notes and reports into one comprehensive report. The final assignment in this project is a forensic imaging lab report that can be presented in a court of law.

Before you can begin imaging the USB drive provided by your supervisor, you need to review your technical manual in order to prepare a memo to give to your company’s legal team.

Step 1: Brief the Legal Team on Forensics

Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization’s legal team has been asking questions about types, sources, and collection of digital information. Team members have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department’s technical manual to compose your memo on finding valuable forensic information and storing digital evidence. You also review image verification using hashing, an important component of digital forensics.

For the first step in this project, prepare a memo (one to two pages in length following this format) in plain language that summarizes where valuable digital forensic information resides in the device, as well as collection and storage options. The devices to be addressed are USB sticks, RAM and swap space, and operating system hard disks. You will need to research and cite reference sources for each answer contained your memo (e.g., NIST) For each electronic media device described, include a short description of the following:

• identify the digital media device examined
• types of data that can be found there
• reasons why the data has potential value to an investigation in general, and for this case in particular
• list the possible digital evidence storage formats (raw, E01 (ewf), and AFF) and describe the advantages and disadvantages of each format, and
• how digital forensic images are collected (local and remote, memory and disk) and verified.

Your memo will be included in the final forensic imaging lab report.

Step 2: Image a USB Drive Using Linux Tools

In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic basics. Now, it’s time to move forward with the investigation.

The USB stick may contain intellectual property that you can use to prove the suspect’s guilt, or at least establish intent. Security personnel recovered the stick from the suspect’s desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers.

Your team’s policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.

To get started, review the lab instructions in the box below, as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.

Step 3: Image a USB Drive Using Windows Tools

After imaging the USB drive with Linux in the previous step, your next step is to image the USB drive again, this time using Windows tools. Review the lab instructions in the box below, and then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report in the final step.

Step 4: Respond to Questions from the Legal Team

In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you will create a legal memorandum that responds to pointed questions from your organization’s legal team. The legal team has been involved in cybercrime cases before, but team members want to make sure they are prepared for possible legal challenges. They have requested very specific information about imaging procedures based upon your review of reference sources in the field.

Research sources on digital forensics imaging and mounting procedures before writing your response. Then review Set Up Your Evidence Drive, Hash Functions, Imaging Programs, and Image Verification With Hashing as needed.

Questions from the legal team:

1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (one to two pages following this format) written in plain, simple English. The memo will be included as an attachment to your final forensic imaging lab report in the final step, so review it carefully for accuracy and completeness.

You are hoping that you will be able to access the suspect’s local computer next.

Step 5: Acquire RAM and Swap Space

In the previous step, you addressed the concerns of your company’s legal team. While you were doing so, the suspect’s afternoon training session started, so now you can move to the next stage of your investigation.

Your organization’s IT department backs up the hard drives of HQ computers on a regular basis, so you are interested only in the suspect’s RAM (referred to as volatile data storage) and swap space. The RAM and swap space may reveal programs used to hide or transmit intellectual property, in addition to the intellectual property itself (past or current). You have a four-hour window to acquire the RAM and swap space of his live computer. When you arrive at the suspect’s office, the computer is running, but locked. Fortunately, the company IT department has provided you with the administrator password, so you log on to the system. Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to acquire and analyze the RAM and swap space and perform imaging of a live computer.

Step 6: Perform Forensic Imaging Over a Network

In the previous step, you acquired and analyzed the RAM and swap space from the suspect’s live, local computer. In this step, you perform a similar analysis on his networked, off-site computer. Take a minute to conside forensic evidence in networks.

Your supervisor confirms that the suspect’s remote office is closed for the weekend, so you are free to image his computer via the network to store the digital evidence. The remote computer is locked, but the company IT department has provided an administrator password for your investigation. Using your forensic workstation at headquarters, you log on to the remote system.

If the image were going to pass unencrypted over an untrusted network (such as the internet), you’d would want to conduct the transfer over SSH, but since you’re on the company network and connecting to the remote office via a VPN, you can use the dd command to transfer a copy of the remote hard drive to your local workstation using the netcat tool.

Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to image the computer over the network.

Step 7: Submit Final Forensic Imaging Lab Report

Now that you’ve completed the necessary acquisition and imaging tasks, you’re ready to compile all your reports and lab notes into a single forensic imaging lab report that you will submit to your supervisor. Your supervisor reminds you that your report may be presented in a court case, so it needs to meet legal requirements. The report should include the following sections:

1. One- to two-page memo addressing the types, sources, collection of digital information, as well as file formats
2. Imaging of a USB drive using Linux tools (lab notes, report)
3. Imaging of a USB drive using Windows tools (lab notes, report)
4. One- to two-page memo responding to questions about imaging procedures
5. RAM and swap acquisition—live, local computer (lab notes, report)
6. Forensic imaging over a network (lab notes, report)