Laboratory Notes
Laboratory Number: 1 Examiner Name:

Date & Time Activity

2-2-2015
1:03pm

1:19pm

1:21pm

1:22pm

1:23pm

1:24pm

1:25pm

1:26pm

1:28

All steps performed on linux mint-17 32-bit, kernel 3.13.0-37 generic

Tools used: dd (coreutils) 8.21, sha1sum (GNU coreutils) 8.21, xxd version 1.10, Eye of mate Image Viewer 1.8.1, Script version 2.20.1

Received the USB device from officer Linda Mood of the USSS Cyber forensics Team in an antistatic bag with tamper resistant tape. Her initials were written over the tape.

I removed the USB flash drive from the bag. It was a 2GB black and green retractable Sony flash drive with the serial number of D33021.

Using the mount command I confirmed that the USB had not mounted.
Command: mount

Using the date command I showed when I began the forensic work on the USB device. Sun Feb 1 13:21:34 EST 2015
Command: date

Using the command fdisk I looked to see what the size of the device was and how much data was on the USB. It was shown to have 1MB or 1474560 bytes of information.
Command: sudo fdisk -l

Using the hash command sha1sum on the device I obtained the hash for the USB. 32b9fcb741aab43a4f80393d3df67c32c726924f /dev/sdb
Command: sudo sha1sum /dev/sdb

Using dd I was able to image the information from the USB device to another file named Ailes.case01.dd.
Command: Sudo dd if=/dev/sdb of=Ailes/case01.dd bs=8192

Using the date command I showed when the copy was made.
Sun Feb 1 13:25:55 EST 2015
Command: date

Using the sha1sum command again I compared the original USB hash to the new image Ailes.case01.dd.
32b9fcb741aab43a4f80393d3df67c32c726924f /dev/sdb
32b9fcb741aab43a4f80393d3df67c32c726924f Ailes.case01.dd
Command: sudo sha1sum /dev/sdb case01.dd

After comparing the hashes from the Original USB information and the copy Ailes.Case01.dd, the hashes are the same which means it was a successful forensic image of the evidence that was retrieved.

Laboratory Report
COURSE NUMBER AND TERM

Laboratory Number:__1__ Date______

Examiner’s Name: ___________

Number: ______________

Examination or Validation Tasking:

On Feb, 2 2015, Officer Linda Mood of the USSS Cyberforensics team delivered to me a standard 2GB Sony flash drive. She asked that I made a forensic copy of the USB drive and verifies the image. She wants me to report my results afterwards.

Forensic Question(s):

1. Identify the hash of the information on the USB.
2. Create an image of the Information on the USB.
3. Compare the hash of the USB original to the image.
4. Confirm the hashes are the same to verify the contents were not corrupted.

Steps Taken:

1. I checked to see if there was any content on the flash drive.
2. I checked the hash of the content on the flash drive for a base line for the data.
3. I imaged the content that was found on the flash drive into a separate file on my hard drive.
4. I confirmed that the image was made on my hard drive.
5. I compared the original hash from the flash drive to the hash of the image on my hard drive.
6. The hashes matched so the investigation ended.

Results:

The forensic image that was made has a matching hash to the original USB flash drive meaning the image was successful. This information and the image have since been reported back to Officer Linda Mood of the USSS Cyberforensic team.

Conclusions:

I was able to copy the USB drive that was provided to me by Officer Linda Mood as instructed. The hashes of the original and the copy I captured matched which indicates the information was copied safely and completely.

Opinions:

Officer Linda Mood asked that I make a forensic copy of the USB drive. I was not asked to confirm nor deny any information, so I ended my investigation there. However, I believe that more investigation will be required to discover if data that was captured holds any content malicious or not.

Certification:

I hereby certify that the work presented above was personally performed by me and the opinions and conclusions stated are my own and based upon the work that I performed.

________ Signature

Questions

1) There are many hashing algorithms to use. If you were working on a case for a law enforcement agency, which would you use? Why?

I would use Secure Hash Algorithm version 1(sha1sum) because it has slowly started to replace the past hashing algorithm Message Digest 5(MD5). It generates the hashes very fast while keeping its integrity having minimal collisions.

2) What are the possible issue/causes if the hash of your original does not match your forensic copy?

The issues that could have occurred to make the original hash not match the forensic copy is if the device is auto mounting because it will be set so that it can be written to. That means the data on the device can be changed. If the device is not auto mounting then it will not be set to write and no data can be added to change what is on the device.

3) What are the possible issues if your OS automatically mounts your flash drive prior to creating your forensic duplicate?

The original data on the device could be corrupted from the device if it automatically mounts because of it being set to write. Data can be added on accident permanently changing the hash because anytime something is changed a new hash is computed even if you were able to find a way to remove anything that was added the hash will not be the same.

4) How do you know that your OS did not automatically mount your flash drive, and subsequently change the contents of the flash drive prior to you creating the forensic copy?

To check if the device is mounted you use a linux command called ‘mount’ to show what devices are mounted to your OS in linux.The command will list all devices that are mounted to the OS. If the Device that you are trying to make a copy of is not listed, then it is not mounted.

5) Name your homework . .1.{doc/pdf}
6) Upload by the due date/time. No points for late assignments.