Question

The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.

Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?

What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?

What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?

How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

Explanation / Answer

1. The algorithm that I would use is SHA-1 (Secure Hash Algorithm). These values are used to verify that a forensic image has not been changed, during verification of the forensic image (duplicate of the evidence) and again at the end of the examination, to ensure the integrity of the data and forensic processing. It’s important to understand that both of these algorithms have been accepted by the scientific community.

2. It’s very important that the hash value is the same throughout the examination. The hash value is used to ensure that the examined copy has not been altered. A hash value will be taken of the original hard drive. The image is used during the forensic examination to preserve the integrity of the original. A hash value is taken of the imaged copy before any examination. If the values are the same, then the copy is treated the same as the original. If the values are different, then the integrity of the copy is called into question. At the end of the forensic examination, a third value is commonly taken. The three hash values (original hard drive, imaged hard drive before the examination, and imaged hard drive after the examination) must match. There are many ways to change the hash value. Accessing files prior to the imaging could change the value. Opening the files if stored on a flash drive would change the values. If you are attempting to image a hard drive and you turn the seized computer on, you will change the values as well.

3. When the OS automatically mounts the drive, it shows that the OS does reorganize the drive. At times, this goes a long way to determine the chances of some data being altered.

4. A very simple way to determine this is to compare the hash values before and after.
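
The three-value comparison described in the answer above (original, image before examination, image after examination), as an added example that is not part of the original answer. It uses SHA-1 because that is the algorithm the answer names; the function names, file names and sample data are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory

def hash_file(path, algorithm="sha1"):
    """Hash a file or raw device node block by block; return the hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()

def check_hashes(original, image_before, image_after):
    """Compare the three digests from the answer and name the stage that diverged."""
    if original != image_before:
        return "MISMATCH at acquisition: image differs from original"
    if image_before != image_after:
        return "MISMATCH during examination: image changed after acquisition"
    return "MATCH: all three values agree"

def demo():
    """Constructed sample: a small stand-in for the drive is imaged, then altered."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "original.bin")
        image = os.path.join(workdir, "image.dd")
        with open(original, "wb") as handle:
            handle.write(b"constructed evidence data\n" * 160)
        shutil.copyfile(original, image)
        h_original, h_before = hash_file(original), hash_file(image)
        clean = check_hashes(h_original, h_before, hash_file(image))
        # Change one byte of the image, as any write to the media would.
        with open(image, "r+b") as handle:
            handle.seek(100)
            handle.write(b"X")
        altered = check_hashes(h_original, h_before, hash_file(image))
        return clean, altered
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Recording each digest with a timestamp in the case notes at the moment it is computed is what lets the comparison be reproduced later.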
