First prepare an appropriate environment for analysis. Using "clean" or verified software tools with valid software licenses is an important first step. When new equipment is introduced, its function should be verified and documented.
One important early step is to obtain a "hash" value (an electronic fingerprint) of the hard drive used for analysis (also called the bench drive). A program implementing the Message Digest 5 (MD5) algorithm is the most commonly used method of creating a hash. A "hash" is a unique numerical value calculated from the data in a digital file. No other naturally occurring file can have the same hash value (much like a fingerprint). By comparing this hash with a new fingerprint taken at each step of the analysis process, we can verify that the digital file being examined is a true and authentic copy of the original evidence.
Next it is important to create a working copy. The best method is to create a bit stream copy (called a mirror or image). A bit stream copy reproduces every bit of information found on the evidence drive. This method reproduces both active files and latent data. Active files are those files available to or created by the user. Unless the crime at hand is hacking related and highly technical, most evidence will be obtained from the active files. Latent files are files not recognized by the operating system, thus they do not show up on a list of files. The most common source of latent files is deletion. When most computers delete files, they do not erase the bits in the file; they simply allow new files to be saved to that space when it is needed. Until then, it is left virtually intact. An image can be authenticated with an MD5 hash comparison and contains potential evidence that may be hidden from the operating system.
The analyst must ensure that the target area is free from contaminants of previous analyses. By wiping the analysis drive (DoD wipe) before restoring the image, the analyst will be able to refute any claim that the drive was contaminated by forensic tools. After wiping, the results can be verified by hashing the blank drive and comparing the resulting hash value to the value of the drive when it was known to be blank.
Summary of Steps:
1. Verify mathematically the contents of the evidence drive. This value will prove that any future copies match the original exactly.
2. Create an exact "image" or bit stream copy of the evidence drive.
3. Verify that the image of the evidence drive is a true copy of the evidence drive. Note that the hash value produced is the same as the hash from the evidence drive.
4. Wipe the bench drive to be used when analyzing the archival image.
5. Create a hash of the clean bench drive and compare the value to the value of the drive when it was known to be blank. Note that the hash value produced is the same as the hash value from the blank bench drive.
6. Restore the archival copy of the evidence drive to a blank bench drive.
7. Authenticate the restored image by calculating an MD5 hash and comparing that hash value to the hash of the evidence drive. Note that the hash value produced is the same as the hash from the evidence drive.
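The seven steps above, walked through end to end as an added example (not part of the original text). Ordinary files stand in for the evidence, archive and bench drives; the file names, the `run_procedure` helper and the sample bytes are constructed for illustration. It assumes a bench drive the same size as the evidence drive and uses a single zero-fill pass as a stand-in for a DoD wipe.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB blocks so whole drives never sit in memory

def hash_device(path, algorithm="md5"):
    """Return the hex digest of every byte in a drive or image file."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def bitstream_copy(src, dst):
    """Copy src to dst byte for byte, latent data included."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)

def fill(path, data):
    """Overwrite a stand-in drive with the given bytes."""
    with open(path, "wb") as f:
        f.write(data)

def run_procedure(workdir, evidence_bytes):
    """Walk steps 1-7 on files standing in for drives; return the audit record."""
    evidence, image, bench = (os.path.join(workdir, n)
                              for n in ("evidence.dd", "archive.img", "bench.dd"))
    size = len(evidence_bytes)
    fill(evidence, evidence_bytes)
    fill(bench, b"residue of a previous case".ljust(size, b"\xff"))  # dirty bench

    record = {"evidence": hash_device(evidence)}      # step 1: hash the evidence
    bitstream_copy(evidence, image)                   # step 2: image it
    record["image"] = hash_device(image)              # step 3: verify the image
    fill(bench, b"\x00" * size)                       # step 4: wipe (one zero pass)
    record["bench_blank"] = hash_device(bench)        # step 5: hash the wiped bench
    record["known_blank"] = hashlib.md5(b"\x00" * size).hexdigest()
    bitstream_copy(image, bench)                      # step 6: restore the image
    record["restored"] = hash_device(bench)           # step 7: authenticate
    record["authentic"] = (record["evidence"] == record["image"] == record["restored"]
                           and record["bench_blank"] == record["known_blank"])
    return record

# Constructed sample: an "active" file followed by remnants of a deleted one.
SAMPLE = b"ACTIVE:report.doc" + b"\x00" * 4096 + b"DELETED:notes.txt" + b"\x00" * 2048

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(run_procedure(d, SAMPLE))
```

If any hash in the record differs from the evidence hash, the chain is broken at that step and the copy made there should not be analyzed.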