Step 1
Added by Lynn E.
Before starting with memory forensics, it is essential to determine the operating system of the system from which the memory dump was taken (e.g., Windows, Linux, macOS), as this will influence the tools and techniques used for analysis.
Lab Questions: ANSWERS MUST BE IN COMPLETE SENTENCES FOR FULL CREDIT.

1. What is a forensic image? Record your MD5 and SHA hashes. Include a screenshot from your overview tab showing the breakdown of evidence types.
2. What indicates a file has been deleted in FTK? (Besides showing up in the "deleted files" section of the overview tab.) Record your MD5 and SHA hashes.
3. What is the difference (if any) between the computed hash and the report hash calculated in your lab? (Were the hashes in Question 2 and Question 5 the same? What does this indicate?)
4. What information did you learn about the practice case.001 dd image you downloaded from Blackboard? What kind of file system and operating system was used to create this disk? (Hint: If you can identify the file system, look up the associated operating system.) Why is it important to run WinHex or other forensic tools in Write Protect mode?
5. Why is it important to securely wipe (erase) a disk before saving evidence to it?
6. What is Safe Mode and how do you get into it? Where would you go to find out which device the machine is set to boot from?
7. What is the System Restore tool used for? How do you set a system restore point? Why is the System Restore tool of interest to a forensic examiner?
If necessary, create a Work and Chap09 Projects folder on your system before starting the projects; it's referred to as your "work folder" in steps. Then extract all files from the Chap09 Projects folder on the DVD to your work folder.

Hands-On Project 9-2

Before conducting a forensic analysis, you should validate image files you've acquired. In this project, you validate the files analyzed in Hands-On Projects 9-3 and 9-4 to verify that they aren't corrupt. Chris Murphy, a Superior Bicycles employee suspected of industrial espionage, had a Windows drive formatted in NTFS that was seized as part of the investigation. For this project, you use the gcfi-ntfs.dd image file that was used earlier in this chapter.

1. Start Microsoft Word and open the GCFI-NTFS hash values.doc file from your work folder. Print the file so that you can compare it with your results later in this project, and then exit Word.
2. Start WinHex, if necessary, and open gcfi-ntfs.dd from your work folder.
3. Click Tools, Compute Hash from the menu.
4. In the Compute hash dialog box, click the list arrow, click MD5 (128-bit), if necessary, and then click OK.
5. When the checksum process is finished, check the MD5 hash value in WinHex and compare it with the value in the document you printed in Step 1.
6. After you have verified all the files, make a note in your log listing the file you examined and its hash value, and then exit WinHex.
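The validation that steps 2 to 6 perform by hand in WinHex (compute the image's MD5, compare it with the documented acquisition hash, and log the result) is the same check Lab Questions 1 and 3 ask about. The following script is an added example written for this page; it is not from the textbook, WinHex or FTK. It uses Python's standard hashlib to compute MD5, SHA-1 and SHA-256 in a single read-only pass over an image, compares the computed value with the recorded "report hash", and shows why a single changed byte makes the two differ. The image it hashes is a constructed temporary file, not the gcfi-ntfs.dd image, and the function names are its own.

```python
import hashlib
import hmac
import io
import os
import tempfile
from datetime import datetime, timezone

# Read 1 MiB at a time so a multi-gigabyte image never has to fit in memory.
CHUNK = 1024 * 1024


def hash_stream(fileobj, algorithms=("md5", "sha1", "sha256")):
    """Feed one read pass of `fileobj` into several hashers at once.

    Returns a dict of lowercase hex digests keyed by algorithm name.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Hash an image file. Opened read-only ("rb"): nothing is written to the evidence."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Convenience wrapper for in-memory data (used here for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(path, report_hash, algorithm="md5"):
    """Compare the computed digest with the hash recorded at acquisition time.

    Returns (matches, computed_hex). Recorded hashes are often upper-case or
    surrounded by whitespace, so the report value is normalised before comparing.
    """
    computed = hash_image(path, (algorithm,))[algorithm]
    matches = hmac.compare_digest(computed, report_hash.strip().lower())
    return matches, computed


def log_entry(path, digests, verified):
    """Build the log note from step 6: timestamp, file name, hashes and outcome."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    status = "VERIFIED" if verified else "MISMATCH"
    hashes = " ".join(f"{name}={value}" for name, value in digests.items())
    return f"{stamp} {os.path.basename(path)} {hashes} {status}"


def demo():
    """Verify a constructed image, then corrupt one byte and verify again.

    Returns (first_check_ok, check_after_corruption_ok), i.e. (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for an acquired image (hypothetical content, not real evidence).
        image = os.path.join(workdir, "sample-image.dd")
        data = b"NTFS    " + bytes(range(256)) * 64
        with open(image, "wb") as f:
            f.write(data)

        # The "report hash" is what the acquisition record says the MD5 should be.
        report_md5 = hash_bytes(data, ("md5",))["md5"]

        ok, _ = verify_image(image, report_md5.upper())
        print(log_entry(image, hash_image(image), ok))

        # Simulate a corrupt or altered copy: change a single byte at offset 100.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")

        still_ok, _ = verify_image(image, report_md5)
        print(log_entry(image, hash_image(image), still_ok))
        return ok, still_ok


if __name__ == "__main__":
    demo()
```

The second log line reports MISMATCH because every one of the digests changes when any byte of the image does; a computed hash that differs from the report hash therefore means the file being examined is not bit-for-bit the file that was acquired (or a different algorithm was used), which is the point behind Lab Question 3. Opening the image with mode "rb" is the software equivalent of the write-protect mode Question 4 asks about: the verification never modifies the evidence.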