hasstickers.blogg.se - Prodiscover basic file formats

#PRODISCOVER BASIC FILE FORMATS PRO#
#PRODISCOVER BASIC FILE FORMATS WINDOWS#

Make sure you turn off 'automount' as it may change the evidence. Using that image above is a completely extraneous step it's only there as an option.ģ. Make sure to remove the drive and reinsert it so Linux will reread the partition table since you're overwriting the previous table. If your USB drive is assigned as /dev/sdb, you can overwrite 1GB worth of your drive with: This is the current image I am using in 4860: If you'd like to overwrite a larger drive with a smaller partition, you can use this image from Spring's CET4860: Using this image below is a completely extraneous step it's only there as an option.

You're not trying to make hashes match to the evidence, so it doesn't matter what you use. The goal is to validate the tools and do they each produce the same or different results. Get a small thumb drive, the smaller the better, and place a few files on the drive of varying file types e.g., a JPG, PDF, DOC, TXT, etc.

Put your resulting SHA1 hashes of original evidence and forensic copies in a tableġ.

C ompare your results regarding consistency.

Use FTK Imager, ProDiscover Basic, and Linux utilities to create a forensic copy of the USB, and hash it.

Populate the drive with files of your choosing.

You are to use one of your own USB flash drives for this assignment.

If not, explain any discrepancies that may have occurred.

Do the three tools produce consistent results with respect to forensic copy and the original evidence?.

The primary forensic question you are to answer is:.

From your experience in Linux, I decided for you, that you want to add a third tool, dd, since you have used dd and sha1sum in the past to create forensic duplicates.

Your task is to validate the tools used by the forensic examiners and to report back to the Judge your findings.

#PRODISCOVER BASIC FILE FORMATS WINDOWS#

FTK Imager and ProDiscover (tried under Windows XP, 7, and 10).

You will use both Windows and Linux for this assignment.

Kanellis, Digital Crime and Forensic Science in Cyber Space. al., Validation of Digital Forensics Tools. Judge Stone is perplexed by the conflicting results and has brought you in as an independent and neutral third party to provide your opinion on the tools used.

#PRODISCOVER BASIC FILE FORMATS PRO#

Upon examination, the two forensic examiners reported producing different SHA1 hashes for the same evidence the prosecution used FTK Imager while the defense used Pro Discover. Each examiner was provided verified forensic duplicates of the original evidence. There are two forensic examiners working as expert witnesses on a case in which Judge Stone is presiding - one for the prosecution and one for the defense.