Create a file-system-based timeline and turn in the first


Lab: Evidence Acquisition and Analysis Lab

For this lab, you will practice acquiring a digital image of your own laptop or computer and setting up a forensic analysis workstation. You will NOT have to turn in the image of your own laptop (for privacy reasons), but you will have to turn in evidence that you have completed this task. For all the required information that needs to be turned in, a Word document is sufficient.

For this exercise, you will need to do the following:

Download a Linux-based forensics live CD.

Use this to acquire the hard drive on your own computer by booting into the live CD and then storing an image file on a portable hard drive. You can use any of the command-line acquisition tools you like (recommended: dcfldd, for its on-the-fly hashing).

Take an MD5 and SHA256 hash of the drive before AND after you do the acquisition; turn these in. If you use a program that has on-the-fly hashing, turn that in as well. Compare your results to the hash of the image file; ensure that they match.

Describe how you ensured that the drive you were acquiring was not modified during the acquisition.

During the running of the hashing algorithms, I made sure nothing was running in the background or open except for the hashing program itself. If I was in the field I would also use a write block to make sure there definitely was no modification and keep the data untouched.

On your laptop, install the virtualization software of your choice to create a forensics workstation. Ideally this would be dedicated hardware, but use your own device. It is recommended you install the SIFT Kit, but any other Forensic distro will do.

Using Autopsy, load the image into a new case and verify that the hashes still match.

Create a file-system-based timeline and turn in the first 10 and last 10 entries as well as the hash value of the file.

In Autopsy, perform a keyword search for the name of your university; how many files were returned that matched? (Just provide the count, not the filenames or their contents.)
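The hash-before, acquire, hash-after and compare steps above, and the later re-check of the image, can be scripted as follows. This is an added example, not part of the original lab handout: it uses plain `dd` with `md5sum` and `sha256sum` instead of dcfldd, and the function names and log layout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: hash-verified acquisition with dd, md5sum and sha256sum.
# SRC is the source (in the lab, the block device of the drive being imaged);
# IMG is the image file on the portable drive; LOG records the hashes to turn in.

# Print "<md5> <sha256>" for a file or block device.
hash_pair() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" \
                     "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# acquire SRC IMG LOG
# Hashes the source, images it, hashes the source again, then hashes the image.
# Exit status 0 only if all three hash pairs are identical; 2 if dd failed.
acquire() {
    src=$1; img=$2; log=$3
    before=$(hash_pair "$src")
    # No conv=sync here: padding a short final block would change the image hash.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 2
    after=$(hash_pair "$src")
    image=$(hash_pair "$img")
    {
        echo "source_before $before"
        echo "source_after  $after"
        echo "image         $image"
    } > "$log"
    # before != after means the source changed while it was being read.
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# verify_image IMG LOG
# Re-hashes the image (for example after copying it to the analysis
# workstation) and compares the result with the hashes recorded at acquisition.
verify_image() {
    expected=$(awk '$1 == "image" { print $2, $3 }' "$2")
    [ -n "$expected" ] && [ "$(hash_pair "$1")" = "$expected" ]
}

# Usage (paths are placeholders):
#   acquire /dev/sdX /mnt/usb/laptop.dd /mnt/usb/laptop.hashes && echo "hashes match"
#   verify_image /cases/laptop.dd /cases/laptop.hashes || echo "image changed"
```

The script reads the source three times, so on a large drive a tool that hashes while it copies saves two full passes.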
