
MN623

Read the enclosed case studies below and discuss following points in each case:

Case 1

At a murder scene, you have started making an image of a computer's drive. You're in the back
bedroom of the house, and a small fire has started in the kitchen. If the fire can't be
extinguished, you have only a few minutes to acquire data from a 10GB hard disk. Write one to
two pages outlining your options for preserving the data.

In this case there is little time for the acquisition, so a static acquisition can be used only if it is possible to carry
the device to the lab. If that is not possible, a sparse acquisition can be performed: this method
captures only the specific files of interest while still collecting unallocated or deleted data.

Case 2

You need to acquire an image of a disk on a computer that can’t be removed from the scene,
and you discover that it’s a Linux computer. What are your options for acquiring the image?
Write a brief paper specifying the hardware and software you would use.

In this case the OS is Linux, so Linux-based acquisition techniques should be used. Linux has a
feature that is directly applicable to computer forensics, and to data acquisition in particular: it can access a
drive that is not mounted. Physical access for the purpose of reading data can therefore be done on a connected
media device, such as a disk drive, a USB drive, or other storage device, without mounting it.
In static acquisitions, automatic access to the media corrupts the integrity of the evidence. When acquiring data with
Windows, a write-blocking device or a Registry utility must therefore be used. With a correctly configured Linux OS,
such as a forensic Linux Live CD, media are not accessed automatically, which eliminates the need for a write-blocker.
To acquire a USB drive that doesn't have a write-lock switch, the following forensic Linux Live CDs
can be used:
• Helix
• Penguin Sleuth
• FCCU (www.d-fence.be; French interface)
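Whichever Live CD is booted, the acquisition step for Case 2 (and for the time-limited image in Case 1 and the disk-to-image copy in Case 4) is the same: read the unmounted device block by block, write it to an image file, and hash both ends so the copy can be proved exact later. The script below is an added example written for this page, not part of the assignment or its answers. It assumes a Linux forensic live environment with GNU coreutils (dd, sha256sum), that the source path is an unmounted block device chosen by the examiner, and that the source size is a multiple of the block size (true of a real block device; the demo uses a constructed 1 MiB file instead of a disk). The function names acquire_image, verify_image and demo are the example's own.

```shell
#!/bin/sh
# Added example, not from the assignment: image an unmounted device with dd
# and record source/image hashes so the copy can be verified later.
# Assumptions: Linux forensic live environment, GNU coreutils (dd, sha256sum),
# source is an unmounted block device whose size is a multiple of BS.

BS=512   # sector size; keeps image offsets aligned with the source

# acquire_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE, appends both hashes to LOGFILE, returns 0 if they match.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # noerror: keep reading past unreadable sectors instead of aborting
    # sync:    pad those sectors with zeros so later offsets stay correct
    dd if="$src" of="$img" bs="$BS" conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE and compares it with the source hash recorded at acquisition.
verify_image() {
    img="$1"; log="$2"
    expected=$(grep '^source_sha256=' "$log" | tail -n 1 | cut -d= -f2)
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# demo: constructed 1 MiB pseudo-device in a temp directory (no real disk is touched)
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/evidence.raw" bs="$BS" count=2048 2>/dev/null
    acquire_image "$tmp/evidence.raw" "$tmp/evidence.dd" "$tmp/custody.log" || return 1
    verify_image "$tmp/evidence.dd" "$tmp/custody.log" || return 1
    echo "image verified: $(grep '^image_sha256=' "$tmp/custody.log" | cut -d= -f2)"
}

demo
```

On a real scene the examiner would replace the constructed file with the device path (for example a USB drive the Live CD has not mounted) and keep custody.log with the image; the hash pair in the log is what lets the image be re-verified in the lab, and a single changed byte in the image makes verify_image fail.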

Prepared by: Dr Ammar Alazab. Moderated by July 2019.
MN613 PBL 11, Page 2 of 2

Case 3

A bank has hired your firm to investigate employee fraud. The bank uses four 20TB servers on
a LAN. You are permitted to talk to the network administrator, who is familiar with where the
data is stored. What diplomatic strategies should you use? Which acquisition method should
you use? Write a two-page report outlining the problems you expect to encounter, explaining
how to rectify them, and describing your solution. Be sure to address any customer privacy
issues.

First, obtain the information about the time and date when the fraud occurred. The network administrator can
then determine which employee computers were used. A logical acquisition of those systems can then be done without
violating the privacy of the customer data.

Case 4

You're investigating a case involving a 2 GB drive that you need to copy at the scene. Write one to
two pages describing three options you have to copy the drive accurately. Be sure to include
your software and media choices.

A live acquisition using a disk-to-image or disk-to-disk copy can be used. Software such as
ProDiscover, OSForensics or FTK Imager can be used.

Prepared by: Dr Ammar Alazab 2017
