Project 2: Computer Architecture and Imaging Step 1: Brief the Legal Team on Forensics Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization's...

Please look at the attachments for instructions.


Project 2: Computer Architecture and Imaging

Step 1: Brief the Legal Team on Forensics

Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization's legal team has been asking questions about types, sources, and collection of digital information. Team members have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department's technical manual to compose your memo on finding valuable forensic information and storing digital evidence. You also review image verification using hashing, an important component of digital forensics.

For the first step in this project, prepare a memo (one to two pages in length following this format) in plain language that summarizes where valuable digital forensic information resides in the device, as well as collection and storage options. The devices to be addressed are USB sticks, RAM and swap space, and operating system hard disks. You will need to research and cite reference sources for each answer contained in your memo (e.g., NIST).

For each electronic media device described, include a short description of the following:
· identify the digital media device examined
· types of data that can be found there
· reasons why the data has potential value to an investigation in general, and for this case in particular
· list the possible digital evidence storage formats (raw, E01 (ewf), and AFF) and describe the advantages and disadvantages of each format, and
· how digital forensic images are collected (local and remote, memory and disk) and verified.

Your memo will be included in the final forensic imaging lab report.

Step 2: Image a USB Drive Using Linux Tools

In the first step in this project, you reviewed technical information and imaging procedures and briefed your legal team on digital forensic basics. Now, it's time to move forward with the investigation.
The USB stick may contain intellectual property that you can use to prove the suspect's guilt, or at least establish intent. Security personnel recovered the stick from the suspect's desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers.

Your team's policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.

To get started, review the lab instructions in the box below, as well as methods of acquisition. Then go to the virtual lab to set up your evidence drive and proceed to enable write protection, sterilize the target media, perform a static acquisition of Linux data, and verify the USB stick on the sterilized media using Linux tools in preparation for the report and notes requested by your supervisor.

Complete This Lab

Resources
· Accessing the Virtual Lab Environment: Navigating UMGC Virtual Labs and Lab Setup
· Self-Help Guide (Workspace): Getting Started and Troubleshooting
· Link to the Virtual Lab Environment: https://vdi.umgc.edu/

Lab Instructions
· Linux Forensics Imaging

Getting Help
To obtain lab assistance, fill out the support request form. Make sure you fill out the fields on the form as shown below:
· Case Type: UMGC Virtual Labs Support
· Customer Type: Student (Note: faculty should choose Staff/Faculty)
· SubType: ELM-Cyber (CST/DFC/CBR/CYB)
· SubType Detail: Pick the category that best fits the issue you are experiencing
· Email: The email that you currently use for classroom communications
In the form's description box, provide information about the issue. Include details such as steps taken, system responses, and add screenshots or supporting documents.

Submit your lab notes and report to your supervisor (instructor) for ungraded feedback and incorporate any suggested changes.
This material will be included in the final forensic imaging lab report in the last step of this project. In the next step, you will conduct the same procedures using Windows tools.

Step 3: Image a USB Drive Using Windows Tools

After imaging the USB drive with Linux in the previous step, your next step is to image the USB drive again, this time using Windows tools. Review the lab instructions in the box below, and then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report in the final step.

Complete This Lab

Lab Instructions
· Windows Forensic Imaging

Your organization's legal team has some questions for you in Step 4.

Step 4: Respond to Questions from the Legal Team

In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you will create a legal memorandum that responds to pointed questions from your organization's legal team.
The legal team has been involved in cybercrime cases before, but team members want to make sure they are prepared for possible legal challenges. They have requested very specific information about imaging procedures based upon your review of reference sources in the field. Research sources on digital forensics imaging and mounting procedures before writing your response. Then review Set Up Your Evidence Drive, Hash Functions, Imaging Programs, and Image Verification With Hashing as needed.

Questions from the legal team:
1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (one to two pages following this format) written in plain, simple English. The memo will be included as an attachment to your final forensic imaging lab report in the final step, so review it carefully for accuracy and completeness. You are hoping that you will be able to access the suspect's local computer next.

Step 5: Acquire RAM and Swap Space

In the previous step, you addressed the concerns of your company's legal team. While you were doing so, the suspect's afternoon training session started, so now you can move to the next stage of your investigation. Your organization's IT department backs up the hard drives of HQ computers on a regular basis, so you are interested only in the suspect's RAM (referred to as volatile data storage) and swap space.
The RAM and swap space may reveal programs used to hide or transmit intellectual property, in addition to the intellectual property itself (past or current). You have a four-hour window to acquire the RAM and swap space of his live computer. When you arrive at the suspect's office, the computer is running, but locked. Fortunately, the company IT department has provided you with the administrator password, so you log on to the system. Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to acquire and analyze the RAM and swap space and perform imaging of a live computer.

Complete This Lab

Lab Instructions
· RAM and Swap Acquisition

Your lab notes and report will be included in your final forensic imaging lab report (Step 7), so make sure you review them carefully for accuracy and completeness. Now that you've imaged the suspect's local computer, there is only one task that remains. You need to use the company network to access his remote computer.
Step 6: Perform Forensic Imaging Over a Network

In the previous step, you acquired and analyzed the RAM and swap space from the suspect's live, local computer. In this step, you perform a similar analysis on his networked, off-site computer. Take a minute to consider forensic evidence in networks. Your supervisor confirms that the suspect's remote office is closed for the weekend, so you are free to image his computer via the network to store the digital evidence. The remote computer is locked, but the company IT department has provided an administrator password for your investigation. Using your forensic workstation at headquarters, you log on to the remote system. If the image were going to pass unencrypted over an untrusted network (such as the internet), you'd want to conduct the transfer over SSH, but since you're on the company network and connecting to the remote office via a VPN, you can use the dd command to transfer a copy of the remote hard drive to your local workstation using the netcat tool. Review the lab instructions in the box below, and then go to the virtual lab. Follow the steps required to image the computer over the network.

Complete This Lab

Lab Instructions
· Imaging Over a Network

Review your lab notes
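The acquisition sequence the Step 2 lab asks for (sterilize the target, image the source, verify with hashes), the receive-and-hash half of the Step 6 dd-over-netcat transfer, and the mount check behind legal questions 3 and 4, as an added example that is not part of the assignment or of the UMGC lab material. It runs against two constructed files standing in for the USB stick and the sterilized target; the device path /dev/sdb, the blockdev --setro and nc command lines in the comments, and the constructed 32 KiB sample are assumptions for illustration. It assumes coreutils dd, sha256sum, head, cut and cmp.

```sh
#!/bin/sh
# Added example, not part of the assignment or the UMGC lab material: the
# sterilize / acquire / verify sequence from Step 2, the hash-as-it-arrives
# pattern from the Step 6 dd-over-netcat transfer, and the mount check behind
# legal questions 3 and 4, exercised against constructed files in a temp dir.
# Assumes coreutils (dd, sha256sum, head, cut, cmp). On real hardware SRC and
# DST are device nodes such as /dev/sdb (assumed path), read only behind a
# hardware write blocker or after 'blockdev --setro /dev/sdb', and the size
# is a multiple of the sector size (conv=sync pads a short final block, which
# would make the image digest differ from the source digest).
set -eu

# SHA-256 hex digest of a file or block device. SHA-256 rather than MD5:
# MD5 collisions are practical, and a verification hash that may be
# challenged in court should not rest on a broken algorithm. Record MD5
# alongside only when a tool or an earlier report emits nothing else.
hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Step 2, "sterilize the target media": zero-fill the destination, then prove
# it by comparing its digest to the digest of an equally long zero stream.
# Returns non-zero if any byte survived, so the caller cannot skip the check.
sterilize() {                              # sterilize <target> <size_bytes>
    dd if=/dev/zero of="$1" bs=512 count=$(( $2 / 512 )) 2>/dev/null
    expected=$(head -c "$2" /dev/zero | sha256sum | cut -d ' ' -f 1)
    [ "$(hash_of "$1")" = "$expected" ]
}

# Legal questions 3 and 4: a device the OS auto-mounted is no longer pristine
# (a journaling filesystem can be written to even on a read-only mount while
# the journal is replayed). Check the kernel mount table before touching the
# source and keep the output in the lab notes. /proc/mounts lines begin with
# the device path.
not_mounted() {                            # not_mounted <device>
    ! grep -qs "^$1 " /proc/mounts
}

# Step 2, static acquisition: hash the source, copy it sector by sector,
# hash the source again (the read changed nothing) and hash the image (the
# copy is bit-for-bit identical). conv=noerror,sync continues past
# unreadable sectors and zero-fills them; dd reports any such sector on
# stderr and it belongs in the notes. Prints the verified image digest.
acquire() {                                # acquire <source> <image_path>
    pre=$(hash_of "$1")
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    post=$(hash_of "$1")
    img=$(hash_of "$2")
    if [ "$pre" != "$post" ]; then
        echo "source digest changed during acquisition" >&2; return 1
    fi
    if [ "$pre" != "$img" ]; then
        echo "image digest does not match source (legal question 2)" >&2; return 1
    fi
    echo "$img"
}

# Step 6, imaging over the network. On the remote machine (assumed lines):
#     dd if=/dev/sda bs=4M | nc <hq-workstation> 9999
# and on the HQ workstation:
#     nc -l -p 9999 | tee remote.dd | sha256sum
# tee writes the image while sha256sum digests the same bytes as they land,
# so the receiver gets a digest to compare with a sha256sum run on the remote
# side without a second pass over the image. Here netcat is replaced by a
# local pipe so the function runs offline; the receiving half is unchanged.
acquire_stream() {                         # acquire_stream <source> <image_path>
    dd if="$1" bs=512 2>/dev/null | tee "$2" | sha256sum | cut -d ' ' -f 1
}

# Demonstration against constructed data: a 32 KiB "USB stick" of random
# bytes and a 32 KiB target, both plain files in a temporary directory.
demo() {
    work=$(mktemp -d)
    src="$work/evidence.bin"; dst="$work/target.bin"
    head -c 32768 /dev/urandom > "$src"
    if ! not_mounted "$src"; then echo "source is mounted, stop" >&2; return 1; fi
    sterilize "$dst" 32768
    disk_hash=$(acquire "$src" "$dst")
    net_hash=$(acquire_stream "$src" "$work/remote.bin")
    echo "sterilized target verified, image sha256=$disk_hash"
    if [ "$disk_hash" = "$net_hash" ]; then echo "streamed copy matches local copy"; fi
    if cmp -s "$src" "$dst"; then echo "byte-for-byte comparison also passes"; fi
    rm -rf "$work"
}

demo
```

Each function returns non-zero on a failed check, so a wrapper script cannot proceed past a target that was not fully zeroed or an image whose digest differs from the source; the three digests (source before, source after, image) are what the memo for legal question 2 should be able to quote.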
Answered 15 days after Jan 28, 2022


Amit answered on Feb 12 2022
124 Votes
Title of the assignment:
Student’s name:
Student ID:
Professor’s name:
Course title:
Date: 2/12/2022
Table of Contents
1. Step 1: Memo for legal team on Forensics
2. Step 2: Image a USB Drive using Linux Tools
3. Step 3: Image a USB Drive using Windows Tools
4. Step 4: Respond to questions from Legal team
    1. Answer to question 1 of legal team
    2. Answer to question 2 of legal team
    3. Answer to question 3 of legal team
    4. Answer to question 4 of legal team
5. Step 5: Acquire RAM and Swap Space
6. Step 6: Forensic Imaging over a network
7. Conclusion
8. References
1. Step 1: Memo for legal team on Forensics
To: Legal Team members
From: Forensic analyst
Subject: Memo on examined digital media and possible storage formats
Date: Saturday, February 12, 2022
Dear forensic team,
Forensic analysis is carried out to find digital evidence that may be used for any legal or organizational purpose. It involves the analysis of different digital media like pen drives, hard disks, etc. The data can be stored in different formats like AFF and EWF, and each format has its advantages and disadvantages. Data theft is a very common occurrence in modern times, and persons inside the organization are mostly responsible for it. Users mostly make use of pen drives or other disk drives for performing data theft activities. The use of portable media like pen drives allows easy theft of confidential data. It becomes very critical for the client organization to prevent any data theft operations, especially when an insider is conducting such theft-related activity.
The pen drive is the most commonly used device for performing data theft operations, and the pen drive is examined for forensic analysis with the help of tools like FTK Imager, Autopsy, etc. on different operating systems like Windows and Linux. The selected data source (pen drive) holds data of different types as evidence. This data includes MS Office files like Word files, Excel files, or images.
Organizational data is always considered confidential data and needs to be protected from all possible attacks. Any data theft activity can cause huge losses to the client organization. Most organizations implement 2-level security and encryption to prevent such incidents. Even after implementing such a high level of security, data theft operations are carried out by attackers and insiders.
Digital evidence is mostly stored in the AFF and E01 formats. The advantages of storing data in the AFF format are:
· This is a flexible format in which metadata of images and other formats can be stored collectively for forensic analysis.
· This is the most suitable format for storing image-based evidence.
· Very little disk space is consumed for storing the digital evidence.
The AFF format also has certain disadvantages, and these are:
· Forensic analysis with this type of digital evidence can lead to false positive results.
· It is good for image-based evidence but not suitable for other formats of evidence.
Like AFF, E01 is also a very commonly used format for storing digital evidence, and its advantages are:
· It is an industry format in which forensic analysis can be carried out without decompressing the data or evidence.
· Forensic analysis and recovery of deleted files can easily be done with this format.
· The inbuilt checksum capabilities make it a better format for storing digital evidence.
The E01 format also has certain disadvantages, and these are:
· The data structure of the digital evidence can be compromised with this format.
· This is not an open format and is mostly used for legal purposes only.
The collection of forensic images for conducting forensic analysis is a critical task. These digital images are mostly collected from the suspicious system on which the possible theft activity occurred. This includes remote systems, hard drives, and emails.
2. Step 2: Image a USB Drive using Linux Tools
Forensic analysis can be carried out on different operating systems like Windows and Linux. Autopsy is a powerful forensic analysis tool which is mostly used on Linux-based operating systems. The high capabilities of Autopsy allow easy forensic analysis of a USB drive on the Linux platform. This is a very extensible and easy tool which is most commonly used on the Linux platform for completing forensic analysis. It provides easy steps to the analyst for completing the forensic analysis of the supplied digital evidence. The hash filtering and timeline-based analysis capabilities of this tool make it one of the best tools for the Linux platform. Keyword-based search is also allowed by this tool. The discovery of web and data artifacts along with multimedia makes it a powerful tool for forensic analysis. This is a cost-effective tool which provides very fast forensic analysis results to the analysts. The investigation of hard drive and USB drive based evidence is easily performed with this tool. This tool provides support to both Linux and Windows based platforms. The investigation of network-based digital evidence can also be carried out with Autopsy on the Linux platform. The digital evidence is created and stored on the USB drive for completing the forensic analysis. The detailed steps for completing the forensic analysis of the USB drive with the Autopsy tool on the Linux platform are provided underneath:
1. Autopsy is started on the Linux platform and a new case is created:
2. Now the case name is provided and the base directory for storing the forensic analysis information is selected.
3. As we are using USB disk based data for completing the forensic...