Lab I: Disk Imaging and Cloning - Linux: Digital Forensics

Anonymous
Asked: Mar 6th, 2019

Question Description

Follow the questions in the word document please.

Attachment preview

Lab I: Disk Imaging and Cloning

Objectives

- Use VMWare and modify device configuration in a VMWare system
- Image a drive to a file
- Extract individual partitions from an image file
- Mount the image as a loopback device and read only for analysis
- Properly sanitize a disk for cloning
- Clone a drive versus imaging the drive
- Verify disk and file integrity with hashing

Procedures
Adding Virtual Disks in VMWare

Step 1

On your lab machines launch VMWare. A virtual operating system running Linux and containing the forensics tools you will need can be found in the favorites panel.

Select “Linux – Forensics” and click Edit virtual machine settings.


Tutor Answer

onesmasd
School: University of Virginia

Hey am through. The attached file contains all the correct answers. Thank you

Lab I: Disk Imaging and Cloning
Objectives
- Use VMWare and modify device configuration in a VMWare system
- Image a drive to a file
- Extract individual partitions from an image file
- Mount the image as a loopback device and read only for analysis
- Properly sanitize a disk for cloning
- Clone a drive versus imaging the drive
- Verify disk and file integrity with hashing

Procedures
Adding Virtual Disks in VMWare

Step 1
On your lab machines launch VMWare. A virtual operating system running Linux
and containing the forensics tools you will need can be found in the favorites
panel.
Select “Linux – Forensics” and click Edit virtual machine settings.
In the Hardware tab you will see a listing of the virtual devices that have been
configured with this virtual machine. Devices can be added and removed from
this panel as if you were adding and removing actual devices on a physical
machine.
Select the Network Adapter > choose Remove.
Question 1: Why might it be a good idea to disconnect your
forensics machine from the network before performing digital
analysis on a drive?
By being on a network, your forensics system may be at risk of
being compromised. The evidence in your custody should be
well protected from unauthorized access. Also, if you are
analysing a system that has been compromised you want to
take precautions that malicious code does not escape out onto
a network.
Prepared by Regis Cassidy, Sandia National Laboratories

Step 2
In a real world situation you would have seized or collected the computer under
investigation and may choose to pull out the hard disk and add it to your own
system for performing digital analysis. In VMWare you can simulate this
procedure by editing the virtual machine settings and adding another disk.
In the Hardware tab click the Add... button > Choose Hard Disk > click Next.
The compromised disk has already been set up for you as a VMWare image.
Choose Use an existing virtual disk > click Next.
Make sure you are browsing in the “c:\vmware-images\Linux - Forensics”
directory.
Select the “Linux – Hacked.vmdk file”. This file represents the virtual disk that
you will be analyzing. Click OK > Finish.

Step 3
In the event that the evidence you find will be needed in court, you need to make
sure that no modifications are made to the original drive. Therefore, a copy or
image of the compromised drive is needed to perform your analysis. You will
need to add an additional disk for storing the image you are about to make and
any evidence that will be extracted from that image. A general rule of thumb is to
add a drive that is at least 3 times the size of the original drive. The original
compromised drive is 1GB.
Question 2: Why would it be a good idea to use a separate blank
drive that contains all the extracted evidence and reports you
obtained from the image? Why should this drive be significantly
larger than the original drive?
The images and evidence you collect can potentially be huge amounts
of data. It would be a good idea to avoid fragmenting your own system
with these large files. Having all the files related to your investigation
on its own disk helps to be organized and makes portability of the
evidence easier in case you need to use multiple computer systems to
do your analysis. This drive would need to be significantly larger then
the original drive under investigation because you may be extracting
Prepared by Regis Cassidy Sandia National Laboratories

Page 2

large amounts of data from the image. For example, you may extract
individual partitions from the image, unallocated space, slack space,
etc. You also may be recovering deleted files and will have logs and
reports from the results of your investigation.

Using the procedure described in Step 2, add another virtual disk. This time
choose the option Create a new virtual disk.
Choose IDE and a disk size that is 3 times the size of the original drive.
Make sure that Allocate all disk space now is NOT selected and that Split
disk into 2GB files is selected. This nice feature in VMWare helps to
conserve physical disk space on your computer if the virtual disks are not
being fully utilized.
Name the v...
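The objectives at the top of the lab (image a drive to a file, extract a partition from the image, mount it read-only through a loop device, sanitize a target disk, clone onto it, and verify everything by hashing) are the steps the handout performs on real devices in the VM. The script below is an added example, not part of the lab handout or the tutor's answer: it runs the same steps with dd, od, sha256sum and cmp on a constructed 32 KiB disk file with a hand-written MBR, so it needs no root and no real device. The file names, the single type-0x83 partition at LBA 8, and the "constructed partition data" marker are all made up for the demo; on a real case the sources would be /dev/sdX paths.

```shell
#!/bin/sh
# Added example (not the lab's or the tutor's code): imaging, partition
# extraction, sanitizing, cloning and hash verification on a constructed disk.
set -eu

SECTOR=512
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

hash_of()  { sha256sum "$1" | cut -d' ' -f1; }
filesize() { wc -c < "$1" | tr -d ' '; }

# Constructed evidence disk: 64 sectors, an MBR with one type-0x83 partition
# starting at LBA 8 and spanning 16 sectors, and a marker string at its start.
make_evidence_disk() {
    dd if=/dev/zero of="$1" bs=$SECTOR count=64 2>/dev/null
    # Entry 1 at byte 446: status, CHS start, type, CHS end, LBA start (LE u32),
    # sector count (LE u32). Octal escapes keep printf POSIX-portable.
    printf '\000\000\000\000\203\000\000\000\010\000\000\000\020\000\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55AA
    printf 'constructed partition data' |
        dd of="$1" bs=$SECTOR seek=8 conv=notrunc 2>/dev/null
}

# Integrity check: the source hash must equal the hash of the first
# <source size> bytes of the copy. Comparing only that prefix is what makes
# the check valid for a clone onto a larger (3x) sanitized target drive.
verify_hash() {
    src=$(hash_of "$1")
    dst=$(head -c "$(filesize "$1")" "$2" | sha256sum | cut -d' ' -f1)
    [ "$src" = "$dst" ]
}

# Image a drive to a file; noerror,sync keeps going past bad sectors on a
# failing real drive (padding them with zeros) and then prove the copy matches.
image_disk() {
    dd if="$1" of="$2" bs=$SECTOR conv=noerror,sync 2>/dev/null
    verify_hash "$1" "$2"
}

# Little-endian u32 at byte offset $2 of $1. od -tu4 decodes in host byte
# order, which is little-endian on the x86/arm64 hosts this is meant for.
mbr_u32() { od -An -tu4 -j "$2" -N 4 "$1" | tr -d ' '; }
partition_offset()  { mbr_u32 "$1" $((446 + ($2 - 1) * 16 + 8)); }    # sectors
partition_sectors() { mbr_u32 "$1" $((446 + ($2 - 1) * 16 + 12)); }   # sectors

# Carve partition $2 out of image $1 into file $3 using the MBR geometry.
extract_partition() {
    dd if="$1" of="$3" bs=$SECTOR skip="$(partition_offset "$1" "$2")" \
        count="$(partition_sectors "$1" "$2")" 2>/dev/null
}

# The read-only loopback mount of partition $2 inside image $1 at $3. It needs
# root, so it is returned as a command string; offset= is in bytes.
mount_ro_cmd() {
    echo "mount -o ro,loop,offset=$(( $(partition_offset "$1" "$2") * SECTOR )) $1 $3"
}

# Sanitize a target: overwrite with zeros and confirm every byte really is zero,
# so residue from an earlier case cannot be mistaken for evidence on the clone.
sanitize_disk() {
    size=$(filesize "$1")
    dd if=/dev/zero of="$1" bs=$SECTOR count=$((size / SECTOR)) conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Clone: the same dd, but written over a sanitized target drive rather than
# into a new file (notrunc leaves the larger target's size alone).
clone_disk() {
    dd if="$1" of="$2" bs=$SECTOR conv=notrunc 2>/dev/null
    verify_hash "$1" "$2"
}

demo() {
    make_evidence_disk "$WORK/hacked.dd"
    image_disk "$WORK/hacked.dd" "$WORK/hacked.img"
    extract_partition "$WORK/hacked.img" 1 "$WORK/part1.img"
    echo "partition 1 starts at sector $(partition_offset "$WORK/hacked.img" 1)," \
         "$(partition_sectors "$WORK/hacked.img" 1) sectors long"
    echo "as root: $(mount_ro_cmd "$WORK/hacked.img" 1 /mnt/evidence)"
    head -c $((192 * SECTOR)) /dev/urandom > "$WORK/target.dd"   # 3x, full of junk
    sanitize_disk "$WORK/target.dd"
    clone_disk "$WORK/hacked.dd" "$WORK/target.dd"
    echo "image and clone verified against $(hash_of "$WORK/hacked.dd")"
}
demo
```

The hash comparison is deliberately done on the first N bytes of the copy rather than on the whole target file: a clone written onto a drive three times the size of the original can never hash equal to the original as a whole, and comparing whole-file hashes there would wrongly report a failed clone.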

Review

Anonymous
Good stuff. Would use again.
