Computer Forensics – Assignment

   

download the .ova file. download and install the virtual box tool.

open virtual box and import the ova file .

In this assignment you will work on the first steps of seizing and imaging an evidence disk. And create a well-organized report that has documentation with Text and Pictures about your work. 

Objectives:

– Learning how to seize a digital evidence found on the scene of the incident

– Being aware of the Dos and Don’ts when handling the evidence

– Filling the chain of custody and Learning its importance.

– Identifying the tools, both hardware and software, required for imaging the evidence data

– Preforming the imaging process which can be cloning or just imaging

– Validating the created image of evidence data

Context: [Fictional]

Scenario: The XYZ security team received a notification that suspicious cyber activity is taking place in Wilson Building. Surveillance cameras showed that a person, who could be the suspect, was seen in room Wilson 106 and then he left. When the team arrived at the scene, they only found a USB drive that could have been used in implementing the suspicious activity. They decided to seize it so they can perform the needed analysis to identify its content. 

Scene Location: Wilson 106 

· [For pictures, you can use your own place if you cannot access Wilson 106] 

Evidence: A USB drive 

· [a please have/use your own USB blank flash drive for this work. For faster performance you can use 8GB or less drives. Also, you can use SAU machines in case your machine is not powerful enough.]

Please follow all the steps/guidelines/phases below, as much as possible, however points in green only will be considered while grading.

· Will a warrant be needed in this case? Justify your answer and Add legal references [ 5 pts] [Based on: Scientific Working Group on Digital Evidence.]

· General Instructions: [Seizing the Evidence] 

1- Ensure the safety of all individuals at the scene. [X]

2- Protect the integrity of evidence. [X]

3- Evaluate the scene and formulate a search plan. [X]

4- Identify potential evidence. [The USB drive given to you]

5- All potential evidence should be secured, documented, and photographed. [ 5 pts ]

a. For this assignment No need to secure; just document and photograph.

i. In the report, the caption for photos/figures is required.

6- Conduct interviews. [X]

7- Any item to be removed from the scene should be properly packaged and secured. [X]

 

· For Removable Drives: 

1- Document in writing the location and condition of all removable media [ 2 pts]

a. For this assignment: The only the USB drive.

2- Remove any connected external media (e.g. external drives or thumb drives) after the computer has been powered down. [X]

 

· Creating the image: 

1- Document the tools you plan to use. [ 5 pts ]

a. For this assignment: 

i. Hardware [X]

1. Tableau Forensic USB 3.0 Bridge

2. T8u: 

a. Firmware:1.5.0.1, Date: 10/31/2016 , Time: 11:47:27

b. Serial: 000ecc13 0008415f

ii. Software.

2- List clearly the steps/work plan for creating the disk image. [ 3 pts ]

3- Use snapshots for each step while creating the disk image using the Parrot Security Linux distribution. [10 pts]

a. Using hashing, Verifying the disk and the image are important [5 pts]

4- Use the Chain-Of-Custody (COC) document to describe the item and fill required information. [ 5 pts]

a. Assume that the evidence was released to another person on the team, and fill the necessary information.

Notes: 

· Deliver The above work in a very well formatted and organized report that you will submit, in PDF format. [5 pts]

o Poorly formatted report will badly affect your grade regardless of the accuracy of your work, i.e. > 50% of the grade.

§ Have to have: Title Page, TOC, Pictures with Captions, Divide text into Sections…etc. 

· The COC document should be the last page of the report.

EVIDENCE CHAIN OF CUSTODY TRACKING FORM

Case Number: ________________________ Offense: ______________________________

Submitting Officer: (Name/ID#) _______________________________________________

Victim: ______________________________________________________________________

Suspect: _____________________________________________________________________

Date/Time Seized: __________________Location of Seizure: ______________________

  

Description of   Evidence

 

Item   #

Quantity

Description of Item (Model, Serial #, Condition, Marks, Scratches) 

 

 

 

 

 

 

 

 

 

  

Chain of Custody

 

Item #

Date/Time

Released by
(Signature & ID#)

Received by
(Signature & ID#)

Comments/Location

 

 

 

 

 

 

 

 

 

APD_Form_#PE003_v.1 (12/2012) Page 1 of 2 pages (See back)

EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM
(Continued)

  

Chain of Custody

 

Item #

Date/Time

Released by
(Signature & ID#)

Received by
(Signature & ID#)

Comments/Location

 

 

 

 

 

 

 

 

 

 

 

  

Tags: No tags