Order ID:89JHGSJE83839 | Style:APA/MLA/Harvard/Chicago | Pages:5-10 |
Instructions:
Analysis And Verification of Volatile Nonvolatile Data
Module 5.
Analysis and verification of volatile nonvolatile data
When we talk about examining and analyzing a target computer, what we do is going to depend upon the nature of the investigation. If it is a fraud case, we're certainly going to be looking for e-mails, spreadsheets, and documents. If it is a child exploitation case, we're certainly going to be looking for mounds of pictures and video. Either way, we're going to prepare the target drive where we're going to store the acquisitions in a forensic manner: wipe it and clean it in a forensic way. We're going to document all the hardware components that are attached to the suspect's computer, and here we should take note of what's connected to it. When you serve a search warrant, you want to look at the wireless router to determine how many devices are connected to it and which ones might be speaking to the target computer.

We're also going to look at the date and time in the CMOS of the target computer to determine in which time zone it is recording data. Regarding metadata, we're going to look at documents, folders, and files and determine which ones are important to our investigation. We're going to try to open password-protected files as well. Most software suites will prompt you for the password and, if you don't know it, you're going to have to find out what it is. This could be very difficult in some situations. What I typically do in a non-custodial situation (of course, again, there is no compulsion involved here, and I'm not forcing anyone to divulge something) is ask the suspect, "Hey, could I have the phone number of one of your loved ones?" They'll pull out their phone, and they won't know the number and will try to bring it up. They'll type in a password to bring up the home screen, and when they do that, if I have probable cause to seize the phone, I'll just take it from them. That's a good way to get the information without having to go through retrieving passwords.

These are some advanced items you might want to consider.

Indexing.
Advanced digital forensic tools have features such as indexing. Because of the voluminous nature of all the words and keywords on a computer (again, we're talking about 1, 2, or maybe even 3 terabytes of data), searching for those words puts a strain on the computing power of the workstation you're using. So what we do is index all of it to begin with, and the computer stores that information so it can be retrieved easily. What I would do is set the entire acquisition to be indexed, turn that on, and let it run for 4 or 5 hours, or maybe do it overnight and come back the next day. Every word on that acquisition will be indexed, and I can search it. When I type in a search term, the word comes up within 2 to 3 seconds.

A critical aspect of digital forensics is validating the digital acquisition. As I say every time: validate all of your data, all of your acquisitions.

There are commonly 3 ways to recover passwords, and if we have to do that, it takes a great deal of time. We can do it through dictionary attacks; in other words, favorite words stored in a dictionary file that we use to attack the device, trying various favorite passwords. Or there's a brute-force attack, where we attack it using different combinations of letters and numbers until it guesses the password correctly. Or we can use rainbow tables, which are a collection of precomputed password hashes, favorite passwords that users have used throughout history.

Virtual analysis is somewhat complicated, and it's very intimidating to people who don't understand much about it.
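The validation the lecture insists on (validate every acquisition) is done in practice by hashing the image at acquisition time, recording the digests, and recomputing them before and after every examination. The script below is an added example written for this page; it is not part of the module text and does not come from any particular forensic suite. It reads the image in fixed-size chunks so a multi-terabyte image never has to fit in memory, records MD5 and SHA-256 the way an acquisition log would, verifies the image, and then flips a single byte to show that even that small a change fails verification. The "image" is a constructed byte string written to a temporary file, not real evidence.

```python
"""Validating a forensic acquisition by hash comparison (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on very large images


def hash_image(path):
    """Return {'md5': hex, 'sha256': hex} for the file at `path`, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_acquisition(path, recorded):
    """Compare fresh digests with the digests recorded when the image was taken.

    Returns (ok, mismatches) so the examiner's notes can state exactly which
    algorithm disagreed rather than just "verification failed".
    """
    fresh = hash_image(path)
    mismatches = [alg for alg, value in recorded.items()
                  if fresh.get(alg) != value.lower()]
    return (not mismatches, mismatches)


def demo():
    """Write a constructed image, record its hashes, verify, then tamper one byte."""
    image = bytes(range(256)) * 4096  # 1 MiB of constructed sample data, not evidence
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect_drive.dd")  # hypothetical image name
        with open(path, "wb") as fh:
            fh.write(image)
        recorded = hash_image(path)            # what the acquisition log would hold
        before = verify_acquisition(path, recorded)
        # Simulate a faulty copy: change one byte in the middle of the image.
        with open(path, "r+b") as fh:
            fh.seek(len(image) // 2)
            fh.write(b"\xff")
        after = verify_acquisition(path, recorded)
    return before, after


if __name__ == "__main__":
    ok_before, ok_after = demo()
    print("untouched image verifies:", ok_before)   # (True, [])
    print("after one flipped byte:  ", ok_after)    # (False, ['md5', 'sha256'])
```

Recording two digests is deliberate: MD5 is still what many older acquisition logs contain, while SHA-256 is what a current report should carry, and keeping both lets a later examiner confirm the image against either record.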
And police executives sometimes don't even want to know about it and trust their forensic examiner to deal with it. For knowledge's sake, virtual machines are simply operating systems that can be booted up virtually from a host operating system that resides on a hard drive. That is basically what they are, and they are used extensively in organizations now, especially in the private sector. Most companies will have all of their proprietary data on a server, and virtual machines at employees' desktops will access that data. The forensic procedure for retrieving these virtual machines starts by creating a regular image and acquisition of the target computer; then you export the virtual machine files from the target machine while you're doing your exam.

Memory and network analysis.

Most forensic examiners or police departments don't do this, but if you are called upon to do it, you might want to understand a little bit about it. Live acquisitions are necessary to retrieve volatile items such as RAM and running processes. If you walk into a house during a search warrant and the computer is powered up, there is an opportunity for you to image not only the hard drive of the computer but also the RAM. That volatile memory contains passwords, chats, and encryption keys. This is very important information, because once that machine is turned off or shut down, all of that information goes away and the RAM is wiped clean.

Network forensics is the process of collecting and analyzing network data and systematically tracking network traffic to determine how an attack took place. If there was an attack, you do this through open-source software such as Wireshark; you can spot variations in network traffic, and it will help you track these intrusions. For example, we can record our network traffic, capture it as packets, and save it as a file. Then we can look at that through Wireshark and take the time to analyze it: go through line by line, see what the network traffic is, and identify any irregularities. For example, I once attended a class where we were able to carve out a picture that was sent over a network: we caught it going over the network and carved it out as an image file. If you want to learn more about this, check out The Honeynet Project website. It may help you learn the latest intrusion techniques that attackers are using.

We have a difficult job, and many times people look to us as the people who can solve eternal problems in 10 minutes, and that's not rightly so. But people trust us to do a good job. They trust us to be honorable and well-meaning. At the end of our careers, many of us look back, and at one point when we said we just wanted to help people... we simply look back now with a greater perspective and say that we simply didn't trust anyone else to do it. And that's why the Lord put His hand on us to do that. Nehemiah says, "I told them of the hand of my God which was good upon me, as also the king's words that he had spoken unto me. And they said, Let us rise up and build. So they strengthened their hands for this good work" (Nehemiah 2:18). May the Lord bless you as you seek to do His will.
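The network forensics passage above describes saving captured traffic to a file and reading it line by line for irregularities. The script below is an added example for this page, not part of the module and not code from Wireshark or The Honeynet Project. It parses the libpcap file format that Wireshark reads, using only the standard library, and applies one simple irregularity check: a source host that sends SYNs to many distinct ports on a single destination, which is what a port sweep looks like in a capture. The capture itself is constructed inline (three ordinary HTTPS connections and one sweep across seven service ports), so the script runs offline; the addresses and timestamps are made up, and checksums are left at zero because the frames are never sent.

```python
"""Minimal libpcap parser with a port-sweep check (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_packet(ts, src_ip, dst_ip, sport, dport, flags):
    """Build one pcap record: Ethernet + IPv4 + TCP header, no payload.

    Constructed sample traffic only; IP/TCP checksums are left at zero.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth + ip + tcp
    record_hdr = struct.pack("<IIII", ts, 0, len(frame), len(frame))
    return record_hdr + frame


def build_pcap(records):
    """Prepend the 24-byte pcap global header to a list of records."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return global_hdr + b"".join(records)


def parse_pcap(data):
    """Yield one dict per TCP-over-IPv4 packet found in a pcap byte string."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                      # not IPv4: skip, but keep walking the file
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport, _seq, _ack, _doff, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
        yield {"ts": ts_sec + ts_usec / 1e6, "src": src, "dst": dst,
               "sport": sport, "dport": dport, "flags": flags}


def find_port_sweeps(packets, threshold=5):
    """Map (src, dst) -> distinct SYN'd ports for pairs exceeding `threshold`."""
    probes = defaultdict(set)
    for p in packets:
        if p["flags"] & TCP_SYN:
            probes[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(ports) for pair, ports in probes.items() if len(ports) > threshold}


# Constructed capture: normal HTTPS from 10.0.0.5, then a SYN sweep from 10.0.0.9.
SAMPLE_PCAP = build_pcap(
    [build_tcp_packet(1700000000 + i, "10.0.0.5", "10.0.0.1", 50000 + i, 443, TCP_SYN)
     for i in range(3)]
    + [build_tcp_packet(1700000100, "10.0.0.9", "10.0.0.1", 40000 + i, port, TCP_SYN)
       for i, port in enumerate((21, 22, 23, 25, 80, 110, 443))]
)


def analyze(data=SAMPLE_PCAP):
    """Return (packet count, sweep findings) for a pcap byte string."""
    packets = list(parse_pcap(data))
    return len(packets), find_port_sweeps(packets)


if __name__ == "__main__":
    count, sweeps = analyze()
    print(f"{count} TCP packets parsed")
    for (src, dst), n in sweeps.items():
        print(f"irregularity: {src} sent SYNs to {n} distinct ports on {dst}")
```

The same parser accepts a real capture if you replace `SAMPLE_PCAP` with the bytes of a `.pcap` file saved from Wireshark (the classic format, not pcapng), and the threshold is the only tuning knob: on a busy server a handful of distinct ports from one client is normal, so set it from a baseline of the network you are examining rather than from this sample.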
RUBRIC

| Criterion | Excellent Quality 95-100% | Average Score 50-85% | Poor Quality 0-45% |
|---|---|---|---|
| Introduction | 45-41 points: The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned. | 40-38 points: More depth/detail for the background and significance is needed, or the research detail is not clear. No search history information is provided. | 37-1 points: The background and/or significance are missing. No search history information is provided. |
| Literature Support | 91-84 points: The background and significance of the problem and a clear statement of the research purpose is provided. The search history is mentioned. | 83-76 points: Review of relevant theoretical literature is evident, but there is little integration of studies into concepts related to the problem. Review is partially focused and organized. Supporting and opposing research are included. Summary of information presented is included. Conclusion may not contain a biblical integration. | 75-1 points: Review of relevant theoretical literature is evident, but there is no integration of studies into concepts related to the problem. Review is partially focused and organized. Supporting and opposing research are not included in the summary of information presented. Conclusion does not contain a biblical integration. |
| Methodology | 58-53 points: Content is well-organized with headings for each slide and bulleted lists to group related material as needed. Use of font, color, graphics, effects, etc. to enhance readability and presentation content is excellent. Length requirement of 10 slides/pages or less is met. | 52-49 points: Content is somewhat organized, but no structure is apparent. The use of font, color, graphics, effects, etc. is occasionally detracting to the presentation content. Length requirements may not be met. | 48-1 points: There is no clear or logical organizational structure. No logical sequence is apparent. The use of font, color, graphics, effects, etc. is often detracting to the presentation content. Length requirements may not be met. |