Assignment:
There is no limit on response length. Make your answers long enough to answer the question. You don't get bonus points for droning on.
Question 1
What are the challenges when conducting data acquisition from a network? Give three examples and at least one common tool used to combat the challenge.
Question 2
You perform an acquisition of a live computer system, which is infected with malware. You find a malicious file named malware.exe and you hash it. VirusTotal confirmed that the file is indeed malicious. Two minutes later the file is renamed to secret_malware.exe.
You re-hash the file after the name has changed.
Do you expect the hash to be different or the same? Why or why not?
Question 3.
Write a detailed response explaining these steps and procedures.
Identify a specific type of cybercrime and provide answers to the subsequent questions using the crime you selected.
1. Identify the likely digital items that need to be collected and then properly secure them. (The digital items can be external storage devices such as USB thumb drives, CDs, cell phones, hand-held game system play stations, Sony game systems, paper with passwords on them hidden under a mouse pad and in a desk, butterfly, etc.)
2. Document the steps taken to properly secure digital evidence that you have chosen to take into custody.
3. Describe what "triage" of digital evidence means with regard to cyber investigations.
4. Explain chain of custody and how to secure and preserve digital evidence.
5. Finally, ensure that the steps to secure evidence are completed, including identifying how the items will then be transported to the evidence technician's station/office.
As you answer the questions above, make sure you consider:
- The importance of demonstrating that a forensic process was followed to a criminal or civil case. Address the impact on the case of using tools that are not vetted by the community.
- How you will use write blockers to protect against inadvertently tainting evidence. Provide a brief discussion of the different ways that these can be implemented and an example of a specific vendor technology.
- Discuss how a hashing algorithm is used in a forensic investigation to prove evidence integrity and discuss how using a tool shown to cause collisions could be detrimental to the case. Provide an example of an algorithm used to authenticate the data.
You may cite external references to complete this section. If you use external sources to support your answer, you must cite them. please remember to use quality references. In academic circles, wikipedia is not considered an authoritative source.