Last72 2018. 8. 7. 09:32

The first step in computer forensics is seizure.

Running sheet: chain of custody is keeping a record of the evidence to protect it from tampering.

The analysis shouldn't change the evidence during the process.

Write the background, objectives and strategies from the assessment document.

Things to look for when seizing the computer: any volatile memory content, virtual machines, network devices.

Steps and strategies are different.

Answer from lecture 06082018 2.30

    Background

Clack has allegedly accessed clown images. Clack accepts being the owner of the physical device, but denies ownership of the clown content. He blames malware for the clown content on his device. The original device was forensically wiped after a logical acquisition was performed on it.

    Objectives

Find the clown images, if any.

Link the images of the clown with Clack.

Prove intent.

    Strategies

Carve out files from the forensic image to determine if any of the files are linked to clowns.

Find personally identifiable content linking Clack to the clown images.

Determine the duration of access to the clown images and the actions performed on them.
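A sketch of the carving strategy combined with the rule that analysis must not change the evidence, added here as an example and not taken from the lecture. It assumes the images are JPEGs and uses simple header/footer carving (one common approach); the function names and the sample image are constructed for illustration.

```python
import hashlib
import tempfile

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

def sha256_file(path):
    """Hash the image in chunks so the digest can go on the running sheet."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def carve_jpegs(image_path, max_size=20 * 1024 * 1024):
    """Return (offset, data) for each header/footer-delimited JPEG candidate."""
    with open(image_path, "rb") as fh:   # read-only: never "r+b" on evidence
        data = fh.read()                 # whole image in memory; fine for a small sample
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:                    # header without footer: truncated or false hit
            pos = start + 1
            continue
        found.append((start, data[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def carve_with_integrity_check(image_path):
    """Carve, then confirm the image hash is unchanged by the analysis."""
    before = sha256_file(image_path)
    carved = carve_jpegs(image_path)
    after = sha256_file(image_path)
    if before != after:
        raise RuntimeError("evidence image changed during analysis")
    return {"sha256": before, "offsets": [off for off, _ in carved], "files": carved}

def build_sample_image():
    """Constructed test data: two fake JPEG bodies and one orphan header in filler."""
    jpeg_a = JPEG_SOI + b"\xe0" + b"A" * 32 + JPEG_EOI
    jpeg_b = JPEG_SOI + b"\xe1" + b"B" * 16 + JPEG_EOI
    blob = b"\x00" * 100 + jpeg_a + b"\x11" * 50 + jpeg_b + b"\x00" * 20 + JPEG_SOI + b"\xe0zz"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as fh:
        fh.write(blob)
    return fh.name
```

The offsets returned for each carved file let the finding be traced back to its exact location in the forensic image, and the recorded hash shows the image was the same before and after the analysis.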