Week_6 - Computer Forensics Basics Lecture 9 Evidence...

© 2008 Purdue University Marcus K. Rogers CIT 1 Computer Forensics: Basics Lecture 9 Evidence Acquisition
Learning Objectives

• At the end of this module, you will be able to:
– Describe the difference between a forensic copy and a backup;
– Explain the importance of capturing the “truest” possible state of the media with today’s technology;
– Describe the accepted procedure to ensure integrity of the images;
– Discuss the issues surrounding data acquisition; and
– Compare and contrast software and hardware write blockers.

Forensic Imaging

“Cloning gone wild!”

Why use images

In keeping with the second IOCE principle, care must be taken not to change the evidence.

Most media are “magnetic based” and the data is volatile:
• Registers & Cache
• Process tables, ARP Cache, Kernel stats
• Contents of system memory
• Temporary File systems
• Data on the disk

Examining a live file system changes the state of the evidence (MAC times).

The computer/media is the “crime scene”. Protecting the crime scene is paramount, as once evidence is contaminated it cannot be decontaminated.

Really only one chance to do it right!

Why Create a Duplicate Image?

Computer evidence is fragile

Why Create a Duplicate Image?

• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
– Preserves the original evidence
– Prevents inadvertent alteration of original evidence during examination
– Allows recreation of the duplicate image if necessary

This note was uploaded on 02/29/2012 for the course CNIT 420 taught by Professor Dr.marcrogers during the Spring '12 term at Purdue.
