Topic: Storage Media: USB, CD/DVD, Floppy disks and SD Cards

Objectives:
• Create a disk-to-image file of a USB thumb drive using Linux commands
• Examine a forensic image of digital media (CD, Floppy, SD card) using FTK Imager
• Identify storage media file systems
• Identify storage media directory structure

Lab Resources:
• FTK Imager
• SIFT Workstation VM
• Norm’s USB image
• Norm’s CD/DVD image
• Norm’s image

Activity #1: The Peterson USB

Overview: In this activity you will begin your investigation of the Peterson USB drive by acquiring the data using Linux commands.

Part 1: Making a disk-to-file image of a USB Drive using Linux Commands
In this activity you will make an image of the Peterson USB drive using the dc3dd command. dc3dd is an enhanced version of dd (known as the disk-dump command in Linux). Developed by the U.S. Department of Defense Computer Forensics Lab, dc3dd provides built-in forensic integrity safeguards.

  1. Launch your SIFT Workstation VM.
  2. Mount the Peterson USB image to your workstation using the steps shown in the module video.
    Note the path to your new device here: ____________
  3. At the terminal prompt, as shown in the video, type the following compound command:
    sudo dc3dd if=/dev/ of=/home//Desktop/PetersonUSB.img
    Where is the assigned path of the disk and is your user name on the Linux box.
  4. Wait for the forensic image to finish.
  5. Verify that the original USB device and PetersonUSB.img have matching MD5 hashes. See module video for a reminder on using md5sum.
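
The check in step 5, as an added Python example (not part of the lab handout or the module video): it hashes the source and the image in lockstep and, when the MD5 values differ, reports the byte offset where they first diverge, which distinguishes a truncated image from a changed sector. The function name `verify_acquisition` and the paths you pass to it are hypothetical.

```python
import hashlib

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices never sit in memory


def verify_acquisition(source_path: str, image_path: str) -> dict:
    """Hash source and image in lockstep; report the first differing offset."""
    src_md5, img_md5 = hashlib.md5(), hashlib.md5()
    first_diff = None
    offset = 0
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            a, b = src.read(CHUNK), img.read(CHUNK)
            if not a and not b:
                break
            src_md5.update(a)
            img_md5.update(b)
            if first_diff is None and a != b:
                # Find the exact byte; if one side is shorter, the mismatch
                # starts where the shorter side ends.
                same = next(
                    (i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                    min(len(a), len(b)),
                )
                first_diff = offset + same
            offset += max(len(a), len(b))
    return {
        "source_md5": src_md5.hexdigest(),
        "image_md5": img_md5.hexdigest(),
        "match": src_md5.hexdigest() == img_md5.hexdigest(),
        "first_diff_offset": first_diff,
    }
```

Reading the source device directly requires the same privileges as the imaging command, and the device should still be attached read-only when the comparison runs.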

Part 2: Answer the following questions

  1. Look back at the compound Linux command used in Step 3. Break this compound command down.
    What does each individual command mean?

  2. In layperson's words, what is the overall instruction you have written for Linux to execute?

  3. Prove your hashes matched. Paste a screenshot here:

Activity #2: The CD/DVD and Floppy
Overview: CDs and Floppy Disks are quite different from hard drives and USB devices. Before you can examine the CDs and Floppy Disks recovered from the Peterson home, you must first understand how the file systems differ and how artifacts are created when a user saves data to a CD or Floppy. In this activity you will document the file systems and storage structures of a CD/DVD and floppy disk.
Supplies: FTK Imager
Norm’s CDs/DVD images
Norm’s floppy disk image

Part 1: Examine a CD/DVD that was created two different ways.
Intro to CD/DVD #1: This is a standard format writable disk. The evidence files were copied onto this disk and can’t be changed or deleted. Each time a disk is put into the drive and a file is added, this is called a “session.”
Directions (CD/DVD #1):

  1. Load the image into FTK Imager and expand the entire storage structure.
    Note: In this case, your image will be in the form of a .CUE file.
    TAKE A SNIP OR SCREEN SHOT of your expanded image and paste it here:

ANSWER THESE QUESTIONS:

  1. What three files are produced by FTK Imager when you image the CD?
  2. Why do we produce three files, instead of the usual two, when we image a CD?
  3. Which two file systems are present?
  4. How many recording sessions are evident?

Intro to CD/DVD #2: This is a re-writable disk. This means we can change the name of the disk as well as “delete” old data. The evidence files were burned onto this disk, not just copied. Each time a disk is put into the drive, this is called a “session.”
Directions (CD/DVD #2):

  1. Load the image into FTK Imager and expand the entire storage structure.
    TAKE A SNIP OR SCREEN SHOT of your expanded image and paste it here:

ANSWER THESE QUESTIONS:

  1. Which four file systems are present?
  2. Explain the relationship between these four file systems. Perform a web search for help with this answer.
  3. What is a “session?” How many recording sessions are evident?
  4. What is a “track?” How many tracks are evident?
  5. Click on an ISO 9660 or Joliet directory. Can you discover the recording time and date? (Hint – right click in the bottom, right pane. Select “Go to offset.” Enter “800” and choose “decimal.”) What date and time was this session burned? You may need to do some research to decode this information.
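
The decoding that question 5 asks for, as an added Python example (not part of the lab handout). It assumes the 2048-byte sector in view is an ISO 9660 volume descriptor, where the standard stores the volume creation date and time as a 17-byte field starting at byte 813, so going to offset 800 brings it on screen. The function names and the sample descriptor are constructed for illustration and are not taken from the lab image.

```python
from datetime import datetime, timedelta, timezone

SECTOR = 2048            # ISO 9660 logical sector size (assumed 2048-byte sectors)
CREATION_OFFSET = 813    # "Volume Creation Date and Time" field in the descriptor


def decode_dec_datetime(field: bytes) -> datetime:
    """Decode the 17-byte ISO 9660 date: 16 ASCII digits + signed GMT offset."""
    if len(field) != 17:
        raise ValueError("expected 17 bytes")
    digits = field[:16].decode("ascii", errors="replace")
    if not digits.isdigit() or digits == "0" * 16:
        raise ValueError("timestamp not recorded")
    # The last byte counts 15-minute intervals from GMT as a signed 8-bit value.
    quarter_hours = int.from_bytes(field[16:], "big", signed=True)
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    return datetime(
        int(digits[0:4]), int(digits[4:6]), int(digits[6:8]),
        int(digits[8:10]), int(digits[10:12]), int(digits[12:14]),
        int(digits[14:16]) * 10_000,   # hundredths of a second -> microseconds
        tzinfo=tz,
    )


def volume_creation_time(sector: bytes) -> datetime:
    """Validate a volume descriptor sector and return its creation time."""
    # Type 1 = Primary (ISO 9660), type 2 = Supplementary (used by Joliet);
    # both carry the "CD001" signature and the same date field layout.
    if len(sector) < SECTOR or sector[0] not in (1, 2) or sector[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 volume descriptor")
    return decode_dec_datetime(sector[CREATION_OFFSET:CREATION_OFFSET + 17])


def build_sample_pvd() -> bytes:
    """Constructed sample descriptor with a made-up timestamp at GMT-5:00."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[813:830] = b"2015031409265300" + (-20 & 0xFF).to_bytes(1, "big")
    return bytes(pvd)


if __name__ == "__main__":
    print(volume_creation_time(build_sample_pvd()).isoformat())
```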

Part 2: Examine the “forensic view” of a floppy disk structure.
Intro to floppy disks: Floppy disks were the first storage media to use the FAT file system. We still encounter floppy disks in the forensics profession. Floppy disks have built-in write-protection tabs. Normally, a Windows PC will register a floppy as an A: drive mounted device.
Directions (Floppy disk):

  1. Load the floppy image into FTK Imager and expand the entire storage structure.
    TAKE A SNIP OR SCREEN SHOT OF YOUR EXPANDED IMAGE AND PASTE IT HERE:

ANSWER THESE QUESTIONS:

  1. Which file system is present?
  2. Are there any deleted files on the floppy? If so, how can you tell the difference between the resident and deleted files?

Activity #3: SD Cards

Perform follow-up research:

  1. What is an SD Card?
  2. Explain the file system structure of a standard SD card.
  3. How would you create a forensic image of an SD card?
