Forensic Analysis of Volatile Data

UTS Digital Forensics lab report

Uploaded by Seth Kumi

48436/32309 Week 02 Lab Forensics Case Report

Upload this document as a pdf.

Name: Seth Kumi Student ID: 13630532

Q1) The Order of Volatility


How does the effect of time on volatile data cause problems for the forensics process?

The veracity of the data, and the ability to recall or validate it, decreases as time goes on.
Therefore, when looking at the stored information it is extremely difficult to verify that it has not
been subverted or changed.

The forensics process emphasises the importance of preserving digital evidence; however, while one
piece of volatile data is being preserved, other crucial evidence is lost. Compromises must therefore
be made to ensure the evidence can be used in court.

Why does the first responder consider volatility before executing any command?

This is because the most volatile data should be preserved first, as it is the most rapidly changing
evidence. If it is not preserved initially, crucial evidence may be lost. Even executing a command can
change important data and destroy the contents of registers, MMUs, physical memory and timestamps in
the file system.

Q2) Live or Post Mortem?


Indicate what is the worry with the effect of a live analysis on disk based evidence.

Live analysis can permanently change digital evidence such as timestamps, registry keys, swap files
and memory files by writing to the hard drive. These changes cannot be reversed.

What is the advantage of a remote live analysis when you are not sure if an intrusion has happened?

This conserves resources, as IT personnel do not have to respond at the physical location. By looking
at the running processes and other data, investigators can identify remotely whether the computer
should be imaged remotely or removed from the network.

Why is a Live Analysis the best option when you suspect the files on disk may be encrypted?

On a live computer where encryption is used (on files or the disk), the encrypted file is likely to be
open and therefore probably loaded in physical memory. The encrypted disk is also probably already
mounted, since it is in use by the suspect. Imaging the physical memory will provide information about
the encrypted file and/or disk which would otherwise be difficult to access in a post-mortem analysis.

Q3) Capturing an image using ProDiscover

C) Analysis
1) Search for a keyword in text files.

The search results appear.

Click the matching file in the work area.

The matching pattern will be shown in the data area.

Insert here your screen shot showing the work area and the data area result.

2) Search for a deleted file on disk.

Note the red cross indicating the file has been deleted.

Click the matching file

The matching pattern will be shown in the data area.

Insert your work area and data area screen shot here.

3) Search for a cluster on disk.

When finished, the Cluster Search Results will list any matches.

Insert your screen shot showing the word MSDOS here.



What does FAT16 (or FAT32) mean? How does it relate to clusters? Add your answer here.

Q4) Analysing an image using ProDiscover

B) Acquisition

Select Letter1.

Note its contents in the data area.

Insert your screen shot of the letter 1 contents here.



C) Analysis
Insert here a screen shot of the spreadsheet.

Examine enough files to determine if the allegation is proven or not.


Upon examining a few more files, such as the client info, billing letter and regrets files, it is
clearly evident that the allegations are proven.

D) ProDiscover Report
When finished, right click the ProDiscover report, and copy only the useful items here.

Indicate here why the allegation is proven or not.

Evidence Report for Project: week2

Project Number: week2

Project Description: Acquiring image

Image Files:
File Name: C:\Seth - DF\Week 2\[Link]
Image File Type: DFT Image
File Number: week2
Technician Name: Seth
Date: 09/01/2024
Time: [Link]
MD5 Checksum: 268d45d7023dfefba8e810b7d6678e9c
Checksum Validated: No
Compressed image: No
Time Zone Information:

Time Zone: (GMT-07:00) Mountain Time (US & Canada) (Mountain Standard Time)
Daylight savings (summertime) was in effect: Yes
Time Zone information obtained automatically from remote system/image.

Hard Disk: C:\Seth - DF\Week 2\[Link]

File Name: C:\Seth - DF\Week 2\Chapter [Link]


Image File Type: DFT Image
File Number: InChap02
Technician Name: Joe Friday
Date: 07/29/2006
Time: [Link]
MD5 Checksum: a117773bcf1fc88ec0ab8e0a349fbbcb
Checksum Validated: No
Compressed image: No
Time Zone Information:

Hard Disk: C:\Seth - DF\Week 2\Chapter [Link]


Volume Name:
File System: FAT12
Bytes Per Sector: 512
Total Clusters: 2847
Sectors per cluster: 1
Total Sectors: 2880
Hidden Sectors: 0
Total Capacity: 1440 KB
Start Sector: 0
End Sector: 287
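As an added example (not part of the lab report or of ProDiscover), the following Python reads the key/value fields of an evidence report like the one above, cross-checks the FAT geometry behind the FAT16/clusters question in Q3 (2880 sectors x 512 bytes = 1440 KB; the 33 sectors not covered by the 2847 data clusters are the boot sector, FATs and root directory, so data cluster N starts at sector 33 + (N - 2)), and recomputes the MD5 that the report marks "Checksum Validated: No". The image bytes and the report excerpt are constructed so the example runs offline.

```python
import hashlib

# Constructed stand-in image: 2880 sectors x 512 bytes, as the lab's FAT12 report states.
SAMPLE_IMAGE = bytes(range(256)) * (2880 * 512 // 256)

# Constructed report excerpt: lab geometry values, MD5 of the stand-in image above.
REPORT_TEXT = """
MD5 Checksum: {md5}
File System: FAT12
Bytes Per Sector: 512
Total Clusters: 2847
Sectors per cluster: 1
Total Sectors: 2880
Total Capacity: 1440 KB
""".format(md5=hashlib.md5(SAMPLE_IMAGE).hexdigest().upper())

def parse_report(text):
    """Turn 'Key: Value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_geometry(fields):
    """Cross-check the stated geometry; return (capacity_bytes, data_start_sector).
    In FAT12/16 the reserved sectors, FATs and root directory precede the data region."""
    bps = int(fields["Bytes Per Sector"])
    spc = int(fields["Sectors per cluster"])
    sectors = int(fields["Total Sectors"])
    clusters = int(fields["Total Clusters"])
    capacity_kb = int(fields["Total Capacity"].split()[0])
    if sectors * bps != capacity_kb * 1024:
        raise ValueError("Total Capacity does not match sectors x bytes per sector")
    system_area = sectors - clusters * spc  # sectors not covered by data clusters
    if system_area <= 0:
        raise ValueError("cluster count exceeds the volume")
    return sectors * bps, system_area

def cluster_to_sector(cluster, data_start_sector, sectors_per_cluster):
    """Map a FAT cluster number (data clusters start at 2) to its first sector on disk."""
    if cluster < 2:
        raise ValueError("FAT data clusters are numbered from 2")
    return data_start_sector + (cluster - 2) * sectors_per_cluster

def validate_md5(image_bytes, fields):
    """Recompute the hash the report marks 'Checksum Validated: No'; compare case-insensitively."""
    digest = hashlib.md5(image_bytes).hexdigest()
    return digest == fields["MD5 Checksum"].lower(), digest
```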

For all Questions - Report Submission.


Save this report as a single pdf.

Upload this pdf to Canvas.
