Week_6b - Computer Forensics Basics: Lecture 9b, Evidence Acquisition

© 2007 Purdue University, Marcus K. Rogers, CIT
Computer Forensics: Basics
Lecture 9b: Evidence Acquisition
Agenda
• Objectives
• Why use images?
• Bitstream vs. backups
• Forensic imaging setup
• Forensic imaging methods (disk to disk, network)
• Preserving volatile data
• Lab: Evidence Acquisition
Learning Objectives
• At the end of this module, you will be able to:
– Describe the difference between a forensic copy and a backup;
– Explain the importance of capturing as true a state of the media as today's technology allows;
– Describe the accepted procedure for ensuring the integrity of the images;
– Discuss the issues surrounding data acquisition;
– Demonstrate mastery of the topic by actually acquiring a forensic image.
The Imaging Process: "Look Ma, no DNA"
Rules of Thumb
• Make 2 copies of the original media
– 1 copy becomes the working copy
– 1 copy is a library/control copy
– Verify the integrity of the copies against the original (hash the original and each copy; the hashes must match)
• The working copy is used for the analysis
• The library copy is stored for disclosure purposes, or in case the working copy becomes corrupted
• If performing drive-to-drive imaging (not an image file), use clean media to copy to!
– Shrink-wrapped new drives – REMEMBER TO CHECK
– Next best, zero another drive (and verify the wipe before using it)
• Verify the integrity of all images!
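The rules above as a runnable acquisition script. This is an added example, not code from the lecture or the lab: it uses dd and sha256sum (shasum on macOS), the device paths are placeholders, and the demo function builds constructed files in a temp directory (64 random sectors of "evidence", two zero-filled 96-sector "drives") so nothing touches real media. It goes one step past the slide in two places a practitioner runs into: on a drive-to-drive copy the target is normally larger than the source, so only the first source-length bytes of the target are hashed, and the source is re-hashed after imaging so any write to the evidence during acquisition shows up as a mismatch.

```shell
#!/bin/sh
# Added example, not from the lecture: drive-to-drive acquisition following
# the rules of thumb. Check each target is zeroed, make a working copy and a
# library copy, hash-verify both against the original.
# Device paths are placeholders (e.g. /dev/sdb); demo() builds constructed
# files in a temp directory so nothing here touches a real drive.
set -u

# SHA-256 of stdin, using sha256sum (coreutils) or shasum (macOS).
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Evidence size in bytes. wc -c works for image files; for a real block
# device on Linux use `blockdev --getsize64 /dev/sdX` instead.
media_size() { wc -c < "$1" | tr -d ' '; }

# Hash only the first $2 bytes of $1. A destination drive is normally larger
# than the source, so hashing the whole target would never match the original.
hash_first() { head -c "$2" "$1" | sha256_stdin; }

# A clean target is at least as large as the evidence and reads as all zeros
# over that length: its hash must equal the hash of $2 bytes from /dev/zero.
is_zeroed() {
  [ "$(media_size "$1")" -ge "$2" ] || return 1
  [ "$(hash_first "$1" "$2")" = "$(head -c "$2" /dev/zero | sha256_stdin)" ]
}

# Bitstream copy of every sector, allocated or not. noerror keeps reading past
# bad sectors and sync zero-fills them so later offsets stay aligned (note any
# such sectors in the log); notrunc keeps an oversized target's zeroed tail.
# bs=512 suits the demo files; use a larger block size on real drives.
acquire_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync,notrunc 2>/dev/null
}

# Returns 0 only if both targets were clean, the source hash did not change
# during imaging (nothing wrote to the evidence), and both copies verify.
acquire_and_verify() {
  src=$1 working=$2 library=$3
  size=$(media_size "$src")
  is_zeroed "$working" "$size" || { echo "working target not zeroed" >&2; return 1; }
  is_zeroed "$library" "$size" || { echo "library target not zeroed" >&2; return 1; }
  before=$(hash_first "$src" "$size")
  acquire_image "$src" "$working"
  acquire_image "$src" "$library"
  after=$(hash_first "$src" "$size")
  w=$(hash_first "$working" "$size")
  l=$(hash_first "$library" "$size")
  printf 'original %s\nworking  %s\nlibrary  %s\n' "$before" "$w" "$l"
  [ "$before" = "$after" ] && [ "$before" = "$w" ] && [ "$before" = "$l" ]
}

# Demo on constructed data: 64 random sectors of "evidence" and two
# zero-filled 96-sector "drives", larger than the source as in the field.
demo() {
  d=$(mktemp -d)
  head -c 32768 /dev/urandom > "$d/evidence"
  head -c 49152 /dev/zero > "$d/working"
  head -c 49152 /dev/zero > "$d/library"
  acquire_and_verify "$d/evidence" "$d/working" "$d/library"; rc=$?
  rm -rf "$d"
  return $rc
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh acquire.sh demo`; the three hashes printed must be identical. The clean-target check deliberately fails a target that is too small for the evidence as well as one that is not zeroed, since both mean the copy could not be verified against the original.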
Statistics
• 69% of users use disk images rather than disk copies, and 20% use partition images.
• 48% of copies and images are made in the field and 36% are made in laboratories.
• 57% of the drives imaged are larger than 8.4 GB and 35% are smaller than that size.
• 50% of the drives imaged require IDE BIOS/Extended BIOS access and 63% require direct (ASPI) SCSI access.
• 25 to 33% of users sometimes mix IDE and SCSI drives when making images or copies, 25% often do so, and 13% always do.
Source: NIST CFTT Project
Drive Imaging
• We will consider the following 2 scenarios:
– System is off
– System is live
• What circumstances may require the system to remain live?
– Hardware/Software RAID
– Manually mounted volumes/filesystems
– ??
Part 1 - Hardware Setup: "You can do it!"
Technology Overview: Learning Objectives
• At the end of Part 1, you will be able to:
– Describe the different parts of the Write Blocker Ultra Kits
– Explain the hardware setup necessary to create a forensic image
– Describe how to verify the hardware write blocker is functioning correctly
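The third objective names the write-blocker check without giving the procedure. The script below is the hash, attempt-write, hash-again check: hash the media, try to write through the blocker, hash again, and pass the blocker only if every write was refused and the hash is unchanged (a refused write with a changed hash, or an accepted write, both fail). It is an added example and not code from the lecture or the Ultra Kit documentation; device paths are placeholders. For the demo it uses /dev/full, which reads as zeros and refuses every write regardless of privilege, as a stand-in for a correctly blocked device, and a plain temporary file as a stand-in for a device with no blocker in the path.

```shell
#!/bin/sh
# Added example, not from the lecture: functional check of a write blocker.
# Hash the media, attempt writes through the blocker, hash again. The blocker
# passes only if every write was refused AND the hash is unchanged.
# Device paths are placeholders. Stand-ins for the demo: /dev/full (reads as
# zeros, refuses every write) for a working blocker; a plain temp file for a
# device with no blocker in the path.
set -u

# SHA-256 of stdin, using sha256sum (coreutils) or shasum (macOS).
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Hash the first $2 512-byte sectors of $1. A real check hashes the whole
# device and re-reads it through a fresh path (re-plug or drop caches) so a
# cached read cannot mask a write that reached the disk.
hash_sectors() { dd if="$1" bs=512 count="$2" 2>/dev/null | sha256_stdin; }

# Writes a blocker must refuse: an overwrite inside the media (sector 1) and
# one just past the end of the checked range. Returns 0 if any was accepted.
attempt_writes() {
  accepted=1
  printf 'WRITE-BLOCKER-TEST' | dd of="$1" bs=512 seek=1 count=1 conv=notrunc 2>/dev/null && accepted=0
  printf 'WRITE-BLOCKER-TEST' | dd of="$1" bs=512 seek="$2" count=1 conv=notrunc 2>/dev/null && accepted=0
  return $accepted
}

# Prints PASS (return 0) or FAIL (return 1); the reason goes to stderr.
verify_write_blocker() {
  dev=$1 sectors=${2:-8}
  before=$(hash_sectors "$dev" "$sectors")
  if attempt_writes "$dev" "$sectors"; then writes=accepted; else writes=refused; fi
  after=$(hash_sectors "$dev" "$sectors")
  if [ "$writes" = refused ] && [ "$before" = "$after" ]; then
    echo PASS; return 0
  fi
  if [ "$before" = "$after" ]; then hash=unchanged; else hash=changed; fi
  echo "blocker check: writes $writes, hash $hash" >&2
  echo FAIL; return 1
}

# Usage: sh wb-check.sh /dev/sdX [sectors]
if [ $# -gt 0 ]; then verify_write_blocker "$1" "${2:-8}"; fi
```

Run the check against the blocked device before it ever carries evidence, and keep the before/after hashes with the case notes: a PASS here is the record that the blocker was working at the time of acquisition. On a Linux box `sh wb-check.sh /dev/full` prints PASS and `sh wb-check.sh somefile` prints FAIL with the reason on stderr.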
© 2007 Purdue University Marcus K. Rogers CIT 10 Ultra Kit Write Blocker

This note was uploaded on 02/29/2012 for the course CNIT 420, taught by Professor Dr. Marc Rogers during the Spring '12 term at Purdue University-West Lafayette.



