Posted on 30-Jun-2020


Lab 1 Instructions (Assignment+1.1.pdf)

Forensic Imaging with Adepto Copyright UMUC 2015 Page 2 of 12

Introduction

Students’ Role: Special Agent and Forensic First Responder for the FBI Cyber Division assigned to a Cyber Action Team (CAT).

General Scenario: Late yesterday evening a suspected member of organized crime was arrested for racketeering, money laundering, and potential cyber-crimes. As part of the seizure, a computer tower was found in the suspect’s residence. The tower was in a powered down state. It has been seized and needs to be imaged by you using dcfldd via Adepto on the Helix platform.

Items Provided:

1. Digital Evidence – Drive of Suspect’s Computer Tower Hard Drive

Task: Complete the forensic imaging of the seized suspect media following the steps below.

Deliverables & Lab Questions to be answered:

General Directions: Preview the lab deliverables in Part I and the questions in Part II before starting your lab work. Then, log into UMUC Virtual Lab and follow the step-by-step instructions and illustrations.

Create ONE Word or PDF answer file named Lab1-YourFirstInitial-LastName. Include all deliverables and answers for Part I and Part II below in this ONE file. Submit this in your LEO Classroom Lab1 Assignment by the due date.

Part I: Lab Deliverables (30 points):

A. Screenshots (10 points): Capture and paste the following five screenshots. Give a one-sentence short description at the beginning of each screenshot.

1. A screenshot of Device Info similar to (may not be exactly the same as) the illustration in Step 8 of the Lab1 instructions.

2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 10 of the Lab1 instructions.

3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 11 of the Lab1 instructions with a “Verify Successful” message.


4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 12 of the Lab1 instructions.

5. A screenshot of creating the Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 13 of the Lab1 instructions.

B. Log of Forensic Analysis (10 points): Create a numbered list or table to document the step-by-step actions taken as the examiner. Include date, time, devices, tools, data files, and logs generated. You only need to describe the data files and logs; there is no need to attach them.

C. Report Letter to the Professor (10 points): Write a letter to the Professor sharing your experience of what you learned by performing this analysis. Why is this work valuable? What was attempted, what succeeded, what failed? Note: For the Report Letter to the Professor, you can use the major action information from the Log of Forensic Analysis deliverable, but you should focus on the forensic objectives, attempts, and results of accomplishment or failure, followed by a reflection on what you have learned through the lab. Use a business letter format with at least four or five paragraphs related to the forensic work.

Part II: Lab Questions (70 points): Answer these questions as if the defense attorney is asking you these questions while you are testifying in court. Any citations of sources should follow proper APA format, with a reference section at the end of your Part II answers.

1. There are many hashing algorithms to use. If you were working on a case for a law enforcement agency, which two algorithms would you choose to use? Why?

2. What is the MD5 hash value of your image? Did the hash values match?

3. What are the possible issues/causes if the hash of your original does not match your forensic copy?

4. What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?

5. What are the possible issues if your OS automatically mounts your drive prior to creating your forensic duplicate?

6. How do you know that your OS did not automatically mount your drive, and subsequently change the contents of the flash drive prior to you creating the forensic copy?

7. Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.

8. Hardware blockers have historically been the main choice in digital forensics; however, the industry seems to be shifting to software-based alternatives. What are the main issues to take into consideration for the shift?
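Questions 5 and 6 turn on one verifiable fact: whether the kernel has the evidence device (or any partition of it) mounted before acquisition starts. The script below is an added example, not part of the lab or of Adepto, showing the check an examiner can run and record in the log before step 9. It reads a mount table in the /proc/mounts format; the table embedded here is constructed for the demo (the collection drive sdb1 mounted at /media/sdb1 as step 5 does, the evidence drive sda absent), and the device names are the lab's.

```shell
#!/bin/sh
# Added example (not the lab's or Adepto's code): confirm the evidence device
# is not mounted before imaging, using a mount table in /proc/mounts format.
set -eu

# Constructed mount table for the demo. On the Helix VM you would omit the
# second argument so the live /proc/mounts is read instead.
SAMPLE_MOUNTS='/dev/sdb1 /media/sdb1 fuseblk rw,relatime,user_id=0,group_id=0 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0'

# is_mounted DEV [MOUNTS_FILE]: exit 0 if /dev/DEV or a partition of it
# (/dev/DEV followed by digits, e.g. sda1) is the source of any mount entry,
# 1 otherwise. Only the whole-disk/partition naming used in the lab (sdX,
# sdXN) is handled; mapper or NVMe names would need a wider pattern.
is_mounted() {
    dev=$1; table=${2:-/proc/mounts}
    awk -v dev="/dev/$dev" '
        $1 == dev || $1 ~ ("^" dev "[0-9]+$") { found = 1 }
        END { exit (found ? 0 : 1) }' "$table"
}

# precheck_demo: run the check against the constructed table for both the
# evidence drive (must NOT be mounted) and the collection drive (is mounted).
precheck_demo() {
    tbl=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tbl"
    if is_mounted sda "$tbl"; then
        echo "sda is mounted: stop, unmount it before imaging"; rc=1
    else
        echo "sda is not mounted: safe to acquire"; rc=0
    fi
    is_mounted sdb "$tbl" && echo "sdb1 (collection drive) is mounted, as step 5 intends"
    rm -f "$tbl"
    return $rc
}

precheck_demo
```

Record the command and its result in the Log of Forensic Analysis with the timestamp, since "I checked the mount table before acquiring" is the kind of fact the defense will ask about. The check is necessary but not sufficient: a device can be written without being mounted, so pairing it with a write blocker (hardware, or the kernel's read-only flag that `blockdev --getro` reports) is what supports the stronger claim that nothing changed.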


Step by Step Instructions for Performing the Lab

Activity

** Warning: this activity is designed to be completed in a single session; if you leave the VM you may need to follow the instructions again from step 1 **

1) Connect to the lab environment by following the instructions posted in your LEO Classroom: http://learn.umuc.edu > content > Virtual Lab Access Instructions

2) Your virtual desktop should look like this:


3) Open Root Terminal: Applications > Forensics & IR > Root Terminal

4) Password: cseclabuser click OK


5) In Root Terminal type the following command (do not copy and paste from instructions)

mount -t ntfs-3g -o rw /dev/sdb1 /media/sdb1

Press Enter/Return on your Keyboard

(If the drive icon appears on the desktop, you know that your command was correct)


6) Applications > Forensics & IR > Adepto

7) Username is the first initial of your first name followed by your last name, for example jkarlan. Case number is lab1_csec650. Select Go.


8) Click the Device Info tab > click the device pulldown and select sda (Take a screenshot of the VM window and paste it into your report on your local computer for deliverable Part 1A1) http://www.take-a-screenshot.org/


9) Select the Acquire tab

Image Name: lab1_CSEC650.dd

Image Notes: Your Name

Mount Point: /media/sdb1

Type: DCFLDD; Hash: MD5; Segment: 1024


10) Imaging progress will be shown at the bottom of the window (Take a screenshot of the VM window and paste it into your report on your local computer for deliverable Part 1A2) http://www.take-a-screenshot.org/

11) When acquiring completes you should see “Verify Successful” in the progress screen. (Take a screenshot of the VM window and paste it into your report on your local computer for deliverable Part 1A3) http://www.take-a-screenshot.org/


12) Select the Chain of Custody tab. Does your MD5 hash value match the following?

6ab2cde075528764e3b17b789d62f1ac

(Take a screenshot of the VM window and paste it into your report on your local computer for deliverable Part 1A4) http://www.take-a-screenshot.org/


13) Select “Create PDF”. The PDF does not need to be exported from the VM; it is not a deliverable. (Take a screenshot of the VM window and paste it into your report on your local computer for deliverable Part 1A5) http://www.take-a-screenshot.org/

14) Click Power button and Shut Down
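Steps 9 through 12 are one sequence: read the device once, hash it as it is read, write the image in segments to the collection drive mounted at /media/sdb1, re-hash the written image, compare, and record the result for the chain of custody. The script below is an added example, not the lab's or Adepto's own code, that reproduces that sequence with plain dd and md5sum on a constructed 3000-byte "evidence" file so the mechanics can be seen and re-run. The paths, the 1 KiB segment size, the log format and the name of the log file are assumptions for the demo; the lab itself images /dev/sda with Segment 1024 through dcfldd. After a successful verification the script modifies one segment and shows that the same comparison now fails, which is the situation behind questions 3 and 5: any write after acquisition changes the hash.

```shell
#!/bin/sh
# Added example (not the lab's or Adepto's code): acquire -> hash -> segment
# -> verify -> log, done with dd/md5sum on a constructed evidence file.
set -eu

# Hash stdin with MD5; works with GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1; else md5 -q; fi
}

# acquire SRC DEST_DIR NAME SEG_BYTES: copy SRC into DEST_DIR/NAME.000,
# NAME.001, ... of SEG_BYTES each (the "Segment" setting) and print the MD5
# of the source as it was read, the value the tool records for the device.
acquire() {
    src=$1; dest_dir=$2; name=$3; seg_bytes=$4
    mkdir -p "$dest_dir"
    src_size=$(wc -c < "$src" | tr -d ' ')
    i=0; off=0
    while [ "$off" -lt "$src_size" ]; do
        seg=$(printf '%s/%s.%03d' "$dest_dir" "$name" "$i")
        dd if="$src" of="$seg" bs="$seg_bytes" skip="$i" count=1 2>/dev/null
        i=$((i + 1)); off=$((off + seg_bytes))
    done
    md5_of < "$src"
}

# verify DEST_DIR NAME EXPECTED_MD5: hash the segments concatenated in order
# (the logical image) and compare with the source hash; a match is what
# "Verify Successful" in step 11 means.
verify() {
    dest_dir=$1; name=$2; expected=$3
    actual=$(cat "$dest_dir/$name".[0-9][0-9][0-9] | md5_of)
    [ "$actual" = "$expected" ]
}

# log_action LOGFILE TEXT...: append one examiner-log entry (deliverable B):
# UTC timestamp, then what was done, on which device, with which tool/result.
log_action() {
    logfile=$1; shift
    printf '%s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$logfile"
}

# demo: run the sequence on a constructed 3000-byte "drive" (three segments),
# then modify one segment and confirm verification fails. Returns 0 only if
# the intact image verifies AND the modified image is rejected.
demo() {
    work=$(mktemp -d)
    src="$work/evidence.bin"
    awk 'BEGIN { for (i = 0; i < 250; i++) printf "sector-%04d\n", i }' > "$src"
    dest="$work/media/sdb1"; name=lab1_CSEC650.dd; log="$work/lab1_CSEC650.log"
    src_md5=$(acquire "$src" "$dest" "$name" 1024)
    log_action "$log" "acquire device=$src tool=dd image=$dest/$name segment=1024B md5=$src_md5"
    [ "$(ls "$dest"/"$name".[0-9][0-9][0-9] | wc -l | tr -d ' ')" -eq 3 ] || return 1
    if verify "$dest" "$name" "$src_md5"; then
        log_action "$log" "verify image=$name result=Verify Successful"
    else
        log_action "$log" "verify image=$name result=MISMATCH"; return 1
    fi
    printf 'x' >> "$dest/$name.002"                       # simulated post-acquisition write
    if verify "$dest" "$name" "$src_md5"; then return 1; fi  # must be detected
    log_action "$log" "verify image=$name after modification result=MISMATCH (expected)"
    cat "$log"
    rm -r "$work"
}

demo
```

Adepto's DCFLDD type with MD5 and Segment 1024 corresponds, as far as the lab text allows one to infer, to a dcfldd invocation using its `hash=md5`, `hashlog=`, `split=` and `splitformat=` options against `if=/dev/sda` with the output under /media/sdb1; that mapping is my reading of the step 9 fields, not something the lab states, and the exact command line Adepto issues is not shown on the page. The one design point worth carrying into the real lab is in `verify`: the comparison is between the hash of the device as read and the hash of the segments as they now sit on the collection drive, so a mismatch points at either a read problem during acquisition or a write to the image or drive afterwards, and the log entry with its timestamp is what lets you tell the two apart later.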