Project 2: “Computer Architecture and Imaging” is a seven-step process, which includes the following steps:
(1) review the technical manual, (2) image a USB stick with Linux and Windows tools, (3) answer
investigative questions, (4) collect forensic evidence from RAM and swap space, (5) image a computer’s
hard drive, and (6) compile lab notes and reports into one comprehensive report.
Here is some context, help, and my expectations to help fill in the gaps for the scenario tied to this project.
You are the lead digital forensic examiner in the cybersecurity division of a public corporation. Your Director
calls you into her office and informs you that the Corporate Security Office has been investigating the loss of
sensitive company intellectual property. The lead suspect is a current employee working at one of the
corporation’s remote research and development facilities. She informs you that the corporate security team
has just briefed the legal affairs office that they intend to have the employee’s assigned corporate digital
assets forensically examined.
Assignment 1 in this project is pretty straightforward. Since the legal affairs team deals mostly with
contractual issues and disputes, they have questions about types, sources, and the collection of digital
information. Your Director asks you to prepare a simple memorandum (1-2 pages in length, 12pt Arial font,
single space, 1″ margins) that summarizes possible locations of forensically recoverable digital information,
as well as collection and storage options in layman’s language. The locations to be addressed are: USB
sticks, RAM and swap space, and operating system hard disks. For each location include the following: (1)
Identify and provide a short description of the location; (2) Types of data that can be found there; and (3)
Reasons why the data has potential value to an investigation. Additionally, the memorandum will also (1)
describe possible digital evidence storage formats (raw, E01 (ewf), and AFF) and the advantages /
disadvantages of each, and (2) how digital forensic images are collected (local / remote) and verified. Please
keep in mind this memorandum will be attached to the Affidavit you will prepare and submit at the end of this
project.
For assignments 2-3 and 5-6 (see attached)
For assignment 4, during the course of your imaging of the suspect’s corporate digital assets, the legal affairs
team reached out with a series of additional questions. As in the first assignment, complete a brief
memorandum (1-2 pages in length, 12pt Arial font, single space, 1″ margins) for their review that answers the
questions they have put forward to you. As before, use simple plain English as much as you can. Remember,
this may be read or recounted to a jury. One of the greatest skills you can have as a forensic examiner is
being able to recount highly technical terms and procedures in layman’s terms. Please keep in mind this
memorandum will be attached to the Affidavit you will prepare and submit at the end of this project.
Assignment 7 in this project is to pull all of the work you have completed into a final document. Since this
matter looks like it may be heading to litigation, the legal affairs team has asked that you complete an
affidavit documenting the work you have done, as well as addressing the questions they put forward to you.
This is exactly as it happens in real life. Your technical reports will NEVER be admitted into any legal
proceeding standing on their own. Your work product (forensic examination reports, lab notes, etc.) will
ALWAYS be attached to an affidavit in which you will swear to the truth and validity of the documents’
contents, forensic procedures executed, results generated, findings you have determined therefrom, and, if
called for, your expert opinions. What I expect in your affidavit is that you will provide a summary of the
imaging done and respond to the questions that were put forth to you by the legal affairs team. You can choose to
present the material either in a chronological or narrative style. As you address the work done for each
assignment in the affidavit please make sure you reference the actual reports and memorandums which will
be attached to the affidavit.
Before you submit your affidavit, review the competencies below, which I will use to evaluate your
submission:

  1. two-page memo addressing the types, sources, collection of digital information, as well as file formats
  2. one-page Imaging of a USB drive using Linux tools (lab notes, report) see attached
  3. one-page Imaging of a USB drive using Windows tools (lab notes, report) see attached
  4. two-page memo responding to questions about imaging procedures
  5. one-page RAM and swap acquisition–live, local computer (lab notes, report) see attached
  6. one-page Forensic imaging over a network (lab notes, report) see attached
  7. one-page Affidavit see attached template
    1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the
    1.4: Tailor communications to the audience.
    1.5: Use sentence structure appropriate to the task, message and audience.
    1.6: Follow conventions of Standard Written English.
    2.2: Locate and access sufficient information to investigate the issue or problem.
    2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the
    problem.
    10.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging and
    verification.
    10.4: Demonstrate an understanding of the different parts of a computer.
    11.1: Perform report creation, affidavit creation, and preparation to testify.
    Preferred language style: Simple US English (easy vocabulary, simple grammar construction)
