A desktop computer is being used to perpetrate a fraud, and data on the machine must be secured for evidence. Which of the following should be done FIRST?
A. Encrypt the content of the hard drive using a strong algorithm.
B. Obtain a hash of the desktop computer's internal hard drive.
C. Copy the data on the computer to an external hard drive.
You obtain a hash value of a hard disk first before capturing an image. Capturing an image and hashing it after will not be the same hash after you restore the image. Hash first, image next, restore then, compare hash.
Basically you do the two in one go. You do not read the disk twice. You connect the drive to an external device in read-only mode (hw and sw solutions both exist) and do a copy while calculating the hash. And in most cases you calculate many hashes (every n MB/GB) so if something changes you can tell if the important parts changed or something else. Because there can be a hw failure / read error later.
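The single-pass approach described in the comment above (copy while hashing, plus one hash per segment), as an added example that is not part of the original thread. The function names, the 16-byte segment size and the in-memory sample data are constructed for illustration; a real acquisition reads a write-blocked device and uses MB/GB segments.

```python
import hashlib
import io


def acquire(src, dst, chunk_size):
    """Read src once: write each chunk to dst, update the whole-source
    hash and record a SHA-256 per chunk. Returns (total_hex, [chunk_hex])."""
    total = hashlib.sha256()
    segments = []
    while True:
        block = src.read(chunk_size)
        if not block:
            break
        total.update(block)
        segments.append(hashlib.sha256(block).hexdigest())
        dst.write(block)
    return total.hexdigest(), segments


def verify(image, chunk_size, expected_total, expected_segments):
    """Re-read an image later. Returns (whole_hash_matches, bad_chunk_indexes)
    so a mismatch can be localised instead of just detected."""
    total = hashlib.sha256()
    bad = []
    index = 0
    while True:
        block = image.read(chunk_size)
        if not block:
            break
        total.update(block)
        if (index >= len(expected_segments)
                or hashlib.sha256(block).hexdigest() != expected_segments[index]):
            bad.append(index)
        index += 1
    bad.extend(range(index, len(expected_segments)))  # chunks missing from a truncated image
    return total.hexdigest() == expected_total, bad


def demo():
    source = bytes(range(64))            # constructed stand-in for the source drive
    image = io.BytesIO()
    total, segs = acquire(io.BytesIO(source), image, 16)
    clean = verify(io.BytesIO(image.getvalue()), 16, total, segs)
    damaged = bytearray(image.getvalue())
    damaged[40] ^= 0xFF                  # simulate a later read error inside chunk 2
    corrupt = verify(io.BytesIO(bytes(damaged)), 16, total, segs)
    return clean, corrupt


if __name__ == "__main__":
    print(demo())
```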
Phases in a cyber forensic procedure:
- Identification: Determining which evidence is required for the purpose.
- Preservation: Deciding how to maintain the integrity and security of extracted evidence.
- Analysis: Understanding the insights the information does (and does not) provide.
- Documentation. ...
- Presentation.
So apparently, you calculate the hash first, before you touch anything. In reality, imaging software usually does this (calculates hash value) in the process of creating a bit-for-bit copy of the source.
Which one is first: forensic image or generate the hash for data integrity?
ChatGPT
In a typical digital forensic investigation or data integrity verification process, creating a forensic image is generally performed before generating a hash for data integrity.
Forensic Image Creation:
The first step often involves creating a forensic image of the original storage media or system. This image is an exact copy of the entire storage device, capturing not only the data but also the structure and metadata. Creating a forensic image is crucial to preserve the original evidence without altering or contaminating it during the investigation.
Generating Hash for Data Integrity:
Once the forensic image is created, the next step is often to generate a hash value (checksum) for the image file. A hash function processes the entire content of the file and produces a fixed-size hash value. This hash value serves as a digital fingerprint for the forensic image.
The proper checks and balances are necessary for successful image duplication, requiring the image-makers to perform a hash calculation before and after the creation of a forensic image. A hash calculation verifies that the image wasn’t altered or damaged during an imaging process. If the duplication is successful, then the hash of both the original copy and imaged copy should be the same.
D. Capture a forensic image of the computer. is the best answer here. You will need to obtain a hash of the desktop computer's internal hard drive for the purposes of integrity only after taking a forensic image. The hash will help monitor that nothing is changed or altered after the forensic image has been taken. So first you take a forensic image and then second you obtain a hash for integrity purposes. D. Capture a forensic image of the computer. is the correct answer for sure.
The first step should be to capture a forensic image of the computer. A forensic image is a bit-by-bit copy of the entire hard drive that preserves the original data and metadata. It is important to have an exact replica of the computer's hard drive to ensure the integrity of the evidence. Once the forensic image is captured, it can be analyzed and examined without altering the original data. This will allow investigators to identify and secure any incriminating evidence on the computer while maintaining its original state.
B. Obtain a hash of the desktop computer's internal hard drive.
It's best practice to obtain the hash (checksum) of a computer hard drive before making a forensic copy of the drive in digital forensics. "hashing before acquisition"
If you want the evidence to be admissible in court, then first hash the original, and take a copy, then hash the copy, and both hashes shall be the same.
So, B is the correct answer.
B is the correct answer here.
When gathering information from storage devices, analysts should never access hard drives or other media from a live system. Instead, they should power off the system (after collecting other evidence), remove the storage device, and then attach the storage device to a dedicated forensic workstation, using a write blocker. Write blockers are hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering with the device.
After connecting the device to a live workstation, the analyst should immediately calculate a cryptographic hash of the device contents and then use forensic tools to create a forensic image of the device: a bitwise copy of the data stored on the device. The analyst should then compute the cryptographic hash of that image to ensure that it is identical to the original media contents.
Taking a forensic image of the computer does not only include the hard drives, it also includes data in RAM. It is a snapshot of the status of the computer. This should be done first.