Which of the following software tools would an investigator use to acquire evidence from a hard disk drive?

Determine the hardware and software tools that can be used to conduct a digital forensic investigation.


This set of questions was prepared for a death penalty trial. However, the case never went to trial and the defendant received 17 years as part of a plea bargain.

Q. Mr Examiner, can you tell us what physical evidence you received in order to conduct an examination of the computer evidence in this case?

A. I received three hard drives.

Q. When you say you received three hard drives, does that mean that you did not receive the actual computers?

A. Yes.

Q. Mr Examiner, did you ever have an occasion to examine the computers themselves?

A. No.

Q. So you conducted your entire examination on the hard drives and not the computers?

A. Yes.

Q. Mr Examiner, do you know who removed the hard drives from the computers?

A. No.

Q. Mr Examiner, do you know if the person who removed the hard drives from the computers examined the computers in any way?

A. No, I do not.

Q. Moving on to the analysis of the hard drives. When you examined the hard drives in this case, did you locate and examine the user accounts for each of the computers?

A. No. (See below.)

Q. If Yes, then: Mr Examiner, you say that you did locate the user accounts on each of the computers?

A. Yes.

Q. Did you include this listing in any of your reports?

A. No.

Q. Mr Examiner, in regard to user accounts on the hard drive evidence, did you check to see if any of the computers were password protected?

A. No. (See below.)

Q. Did you include this information in any of your reports?

A. No.

Q. Optional question: Mr Examiner, if a computer is password protected, but the password is known by several people, and those people are authorized to all use the same password, would this be the equivalent of no password protection for that group of people?

A. Yes.

Q. Optional question: Mr Examiner, if a computer has a blank password, in other words, you just press Enter to log on, would that be the same as no password?

A. Yes.

Q. Mr Examiner, I would like to go back for a moment to the physical evidence you examined in this case. You stated that you only received the hard drives, and not the computers. Is that correct?

A. Yes.

Q. Mr Examiner, would you consider examining the computer itself to determine such things as the current setting of the computer clock time to be a normal part of a forensic analysis?

A. Yes.

Q. In this case, Mr Examiner, are you aware of anyone examining the computers to determine the accuracy of the clocks on the computers?

A. No.

Q. Mr Examiner, in your experience, when you receive a complete computer as evidence, do you examine the computer to get the computer clock time?

A. Yes.

Q. Can you walk us through how that process should go?

A. (Correct Answer): First, you disconnect any hard drives in the computer to prevent them from accidentally being written to during this part of the examination. Then you start the computer up into BIOS. (This is the part of the computer that contains information about the computer itself, including the real-time clock information.) Then you record the time from the computer’s real-time clock and check it against an external time source for accuracy.

Q. Mr Examiner, would you consider this to be an important step in a complete computer forensics examination?

A. Yes.

Q. Can you explain to the jury why this is an important part of a complete computer forensics examination?

A. (Correct Answer): It is important to know the time from the computer to make sure that when you review items on the computer hard drive, the time recorded for each of those items is accurate.

Q. And why is it important to know if the times that items are recorded are accurate?

A. (Correct Answer): If you are trying to say that someone did something on the computer on a certain date at a specific time, you must have this information. If the computer clock is wrong and you don’t have a comparison to an external time source, you cannot say for certain when something happened.

Q. Would it be fair to say that you don’t know if the clocks on the computers in this case are accurate?

A. Yes.

Q. Mr Examiner, I’d like to ask you about Item 17. This is the hard drive from a computer that was located at my client’s business. Is that correct?

A. Yes.

Q. When you examined the hard drive for evidence, did you determine if more than one person used this computer on a regular basis?

A. No. (See below.)

Q. How did you determine that more than one person used this computer on a regular basis?

A. (Correct Answer): By examining the folders and e-mail accounts on the hard drive. Several folders had names such as …. Also, several e-mail accounts were present with different identities.

Q. Is it possible that more than one person used this computer on the same account?

A. Yes.

Q. Mr Examiner, in your report you stated that “the computer user logged in to Item 17 under my client’s user account.” Can you explain what that means exactly?

A. (Correct Answer): Someone logged in to the computer using the defendant’s account rather than a user account of their own.

Q. Does that mean that the user was my client and could only have been my client?

A. No.

Q. So it could have been anyone with access to the computer?

A. Yes.

Q. You stated that someone logged in to the computer under my client’s user account and visited the website www.mapquest.com on 12/4/06 from 11:23AM EST until 11:42AM EST. Is that an accurate account of what you stated in your report?

A. Yes.

Q. But you cannot say that the user logged in to the computer was in fact my client. Is that correct?

A. Yes, that is correct.

Q. As part of the statement I just read, you gave the exact date and times for the www.mapquest.com website. Now Mr Examiner, without knowing what the actual time was on the computer, can you say without a doubt that the times stated in your report are accurate?

A. No.

Q. So it could have been some other time than the time you stated in your report?

A. Yes.

Q. Mr Examiner, let’s talk about Item 15. This is the hard drive from the laptop computer from my client’s home. Is that correct?

A. Yes.

Q. Was the real-time clock information for this computer checked and recorded as part of the forensic analysis for the computer?

A. No.

Q. So you don’t know if the computer clock was accurate on the computer taken from my client’s home?

A. No, I do not.

Q. Is that because you only received the hard drive from the computer and not the whole computer?

A. Yes.

Q. And do you know if this computer was password protected?

A. No, I do not.

Q. Do you know if access to this computer was restricted in some other way? Locked in an office in his home, for instance?

A. No, it was not.

Q. Would it be fair to say that someone other than my client could have used this computer?

A. (The correct answer could be “Yes,” or “I don’t know,” or “It is possible.”)

Q. But you cannot say if there was anything that would prevent someone other than my client from using this computer, correct?

A. Yes.

Q. In your report you stated that several Internet searches were made on this computer for keywords such as death, murder, and accidental deaths, as well as searches for videos and images based on the search term “death.” Is that correct?

A. Yes.

Q. But you cannot say with certainty that my client was the person who made these searches, can you?

A. No.

Q. It could have been someone he allowed to use his computer. Is that correct?

A. Yes.

Q. The actual web pages returned by these searches were not recovered. Is that correct?

A. They were not.

Q. Did you attempt to find out what kind of results would have been returned by these searches?

A. No.

Q. So you don’t know what the user saw once these search terms were entered into the computer. Is that correct?

A. Yes.

Q. Did you locate any web pages or other information from the computer hard drives related to committing a murder?

A. No.

Q. Did you locate any web pages or other information on the computers related to disposing of a body?

A. No.

Q. Item 16 is a hard drive from one of the computers at my client’s place of business. Is that correct?

A. Yes.

Q. You stated in your report that a text fragment was recovered from that computer hard drive that contained references to “death, murder, and revenge through guns.” Is that correct?

A. Yes.

Q. Mr Examiner, I have a printout of that text fragment here. Would you classify this as a document that has any meaning, or would you say it is just a bunch of words typed over and over?

A. Yes, it is words typed over and over.

Q. Would it be fair to say that someone reading this document would not receive any useful information about death, murder, and revenge through guns?

A. Yes.

Q. Mr Examiner, fax machines were also collected by police in this case. Were you or anyone at your agency ever asked to examine these fax machines?

A. No.
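The clock check the examiner describes above (read the BIOS real-time clock with the drives disconnected, compare it with an external time source, then apply the measured offset when interpreting timestamps) worked through as an added example; this is not part of the original testimony or the Course Hero answer. The seizure-time readings and the function names are constructed; the 12/4/06 11:23 to 11:42 AM EST window is the one quoted from the report.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

EST = timezone(timedelta(hours=-5))  # the report states its times in EST


def clock_offset(rtc_reading: datetime, reference_reading: datetime) -> timedelta:
    """Offset of the seized machine's real-time clock against a trusted source.
    Both values are what each clock showed at the same instant: the BIOS clock,
    read with the drives disconnected, and an external reference such as an
    NTP-synced device. Positive means the machine's clock runs fast."""
    if rtc_reading.tzinfo is None or reference_reading.tzinfo is None:
        raise ValueError("both readings must be timezone-aware")
    return rtc_reading - reference_reading


def true_time(recorded: datetime, offset: Optional[timedelta]) -> Optional[datetime]:
    """Translate a timestamp the machine recorded into real time.
    Returns None when no offset was measured: without the clock check the
    recorded time cannot be asserted as accurate. Assumes the offset was
    constant between the event and the reading (a drifting clock widens the
    uncertainty, which is why the check belongs in the report)."""
    if offset is None:
        return None
    return recorded - offset


def corrected_window(start: datetime, end: datetime, offset: Optional[timedelta]):
    """Corrected (start, end) for an activity window, or None if unverifiable."""
    a, b = true_time(start, offset), true_time(end, offset)
    return None if a is None else (a, b)


# Constructed readings: at seizure the BIOS clock showed 09:15:00 while the
# reference clock showed 09:00:00, so the machine ran 15 minutes fast.
OFFSET = clock_offset(datetime(2006, 12, 20, 9, 15, tzinfo=EST),
                      datetime(2006, 12, 20, 9, 0, tzinfo=EST))

# The browsing window from the report: 12/4/06, 11:23 AM to 11:42 AM EST.
VISIT_START = datetime(2006, 12, 4, 11, 23, tzinfo=EST)
VISIT_END = datetime(2006, 12, 4, 11, 42, tzinfo=EST)

if __name__ == "__main__":
    print("measured offset:", OFFSET)
    print("corrected window:", corrected_window(VISIT_START, VISIT_END, OFFSET))
    print("without a clock check:", corrected_window(VISIT_START, VISIT_END, None))
```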


What software is used in computer investigation?

Digital forensics software is used to investigate and examine IT systems after security incidents or for security-related preventive maintenance.

Which tool is used for forensic imaging of disk?

Disk analysis: Autopsy / The Sleuth Kit. Autopsy and The Sleuth Kit are likely the most well-known forensics toolkits in existence. The Sleuth Kit is a command-line tool that performs forensic analysis of forensic images of hard drives and smartphones.

What software tools may be of use to a forensic investigator seeking to prepare a hard drive for analysis of its contents?

Disk imaging software to make a copy of the drive (including boot sectors and free space), plus cryptographic software to make a hash of the drive contents.
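The two steps named above, a bit-for-bit image of the whole device followed by a hash that lets the copy be verified, as an added example written for this page (not code from Course Hero, Autopsy or The Sleuth Kit). The function names are assumptions, and the "drive" is a constructed 3 MiB file standing in for a block device so the example runs offline; on a real acquisition the source path would be the device node behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, as a dd-style imager would use


def image_drive(src_path: str, dst_path: str, algo: str = "sha256") -> dict:
    """Bit-for-bit copy of src_path (a block device, or a file standing in for one)
    into dst_path, hashing the source bytes as they are read. The whole device is
    copied, so boot sectors and unallocated space come with it. A real imager also
    logs unreadable sectors and runs behind a write blocker."""
    h = hashlib.new(algo)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    return {"algo": algo, "bytes": os.path.getsize(dst_path), "source_hash": h.hexdigest()}


def hash_file(path: str, algo: str = "sha256") -> str:
    """Independent re-read of the finished image, as a verifier would do."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(src_path: str, dst_path: str) -> dict:
    """Image the source, hash the image independently, record whether they match."""
    record = image_drive(src_path, dst_path)
    record["image_hash"] = hash_file(dst_path, record["algo"])
    record["verified"] = record["image_hash"] == record["source_hash"]
    return record


def demo(tamper: bool = False) -> dict:
    """Run the procedure on a constructed 3 MiB stand-in drive; with tamper=True
    one byte of the image is altered afterwards so verification fails."""
    with tempfile.TemporaryDirectory() as work:
        src, img = os.path.join(work, "drive.bin"), os.path.join(work, "drive.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))  # 3 MiB of constructed content
        record = acquire_and_verify(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(512)          # first byte of the second sector (0x00 here)
                f.write(b"\xff")
            record["image_hash"] = hash_file(img)
            record["verified"] = record["image_hash"] == record["source_hash"]
        return record
```

The source hash is computed from the bytes as they leave the device and the image hash from a separate re-read of the file, so the two values in the record are the pair an examiner writes into the acquisition notes.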