Lab: Battlefield Forensics & Data Acquisition
Instructions:
The vast majority of data collected in a digital forensics investigation is useless to the investigation, yet it must still be imaged and parsed to determine which data is relevant to the case and which is not. The size of hard drives, and the amount of data that needs to be collected, increases every day, making the forensic analyst's job of seizing and analyzing data that much more challenging.
In this assignment, you will watch a webinar with SANS faculty member Kevin Ripa discussing ways to collect as much relevant data as possible in a forensic investigation in the shortest amount of time.
Complete the assignment requirements listed below in your own words. Submit a copy of this entire document, with your answers and any required screenshots included inline. Complete the following individual requirements. Conduct additional research as needed.
Prelab Research:
To complete this assignment, you will need to watch the video entitled ‘Crime Scene Processing and Evidence Collection’. The video length is just under one hour.
This video can be viewed in three locations:
- Embedded within the Unit folder in Blackboard (beneath the lab assignment)
- YouTube: https://youtu.be/5wZlNt_GwrA
- SANS: https://www.sans.org/cyber-security-courses/battlefield-forensics-and-data-acquisition/ (Do not register for the course; scroll down to the embedded video.)
Answer Set:
Use the information provided to answer the following questions.
- Provide a brief overview of the difference between live response collection and triage. (3-4 sentences minimally)
- What percentage of data collected during an investigation is relevant to the case?
- What is an example of an orthodox location to find data to be collected and analyzed as part of an investigation?
- What is a specific rule that you should follow around collecting BIOS / UEFI images from a suspect system?
- What is an .E01 file?
- What tool can you use to boot an .E01 file into a virtual machine you can interact with?
- What is one example provided by the presenter of why it is important to boot an image into a VM and interact with it (rather than just analyzing it with a tool such as Autopsy)?
- The presenter does not explain how to obtain the password for the VM image created from the .E01 file and "jokes" that you need to take the class. Yet we have already learned how to obtain user passwords from a Windows image.
What tool and full command would you use to do this if the forensic image of a Windows host is named holcomb.img?
- What tool would you use?
- Write the full command:
- Why would data written in sectors that are 520 bytes be considered unique and present a forensic challenge? (2-3 sentences minimally)
- What is one tool described that can be used to prevent changes from being written to an image while forensic analysis is being performed?
- What tool was created by Eric Zimmerman to streamline the digital forensics analysis process?
- Tool name: (note: include, then expand, the acronym)
- How does the tool help analysts with their investigations?
- What are seven areas in an image file that can be searched for “quick wins” by an analyst?
1:
2:
3:
4:
5:
6:
7:
- What is important about prefetch items? (2-3 sentences minimally)
- 'Flush' KAPE feature:
- What does the 'flush' feature in KAPE do?
- Why is it important when performing analysis?
- What are two examples of specialty media?
1:
2:
- What are two examples of systems that you cannot physically remove storage media from?
1:
2:
- What is Google Takeout?
- What are three issues that exist when performing forensic analysis of an Apple system or device?
1:
2:
3:
- What does the hex string '25 25 45 4F 46' represent in a document?
Submission
- Upload this completed Word document for assignment completion (no other file is required).