
Monday, April 1, 2019

About notebook

A. Describe what the forensic investigator would do to the notebook after the parents have passed the notebook to them.

There are several procedures a forensic investigator would follow when he receives the laptop. The investigator first has to take down the details of the laptop, such as the number of disk drives, any plugged-in removable media, the time and date of the laptop from the BIOS, and the current time and date from the investigator's own watch. The laptop's make and model, and any significant information about it at that time, will also have to be recorded. Photos will have to be taken of the original state of the laptop, including the current screen if it was on. The next step would be to do a hard reset of the system if it is running an operating system. This prevents any further changes to data or any scripts from running. The removable slots of the laptop would also have to be sealed to prevent tampering. Any removable media will have to be documented, securely kept and tagged, more commonly known as the bag and tag process. All of these would be necessary in court to prove that proper procedures were followed and that integrity was preserved, and to help in the documentation and recreation of the scene, letting the investigators visualise the state the laptop was in. As computer components are in question, they should be kept in anti-static bags to prevent damage from static electricity during transport or handling. The laptop will then be sent to the lab, where images of the different data sources will be created and worked upon. The original will not be touched.

B. What hardware resources are necessary to analyze a notebook?

The hardware resources needed to analyze a notebook would depend on the situation. A laptop or desktop can be used on site or in the lab.
The laptop or desktop would have to be equipped with a hard disk that is large enough to contain the exact image of the laptop's drives and removable media. A write blocker would also be needed to ensure no writing is done to the data during image creation. To assist in the creation, a Live CD, typically a small Linux distribution, can be used to boot up the suspect's laptop. IDE cables, adapters, crossover cables, FireWire cables and drive bays are all common hardware for data connection. Additional tools would be a torchlight for use in dark areas, gloves to prevent tampering with the physical state, and a log form to log all activities done.

C. Compare the architectural hardware differences between a notebook and a desktop computer, along with the different tools or equipment that might be needed to perform a forensic image acquisition.

There are several architectural differences between a notebook and a desktop computer. The most significant would be the IDE interface. A laptop would use smaller IDE connectors than a desktop, although more recent laptops could be using SATA connections, which would be similar. However, laptops could also have soldered-on connections, especially if they use a solid state drive (SSD). Certain laptops which are smaller in size, such as net-books, might not have certain ports or means of data storage such as FireWire ports, USB ports or even CD-ROM drives. In fact, most modern-day laptops do not even have a floppy drive. The forensic investigator would then have to plug an external drive into the IDE ports or USB ports. With recent technology, it would also be possible to boot from a bootable USB drive, eliminating the need for a CD-ROM drive or floppy drive.

D.
Based on the scenario, decide whether you want to use more than one tool to create the image, and write a brief outline on the choice of tool.

I can use a Live CD such as Backtrack 2, SANS Forensic Workstation or even any Linux distribution to create the image with the dd command.

    dd if=/dev/hda conv=sync,noerror bs=64K | gzip -c > /mnt/sda1/hda.img.gz

I can then restore the image to any disk by unzipping it and using dd to restore.

    gunzip -c /mnt/sda1/hda.img.gz | dd of=/dev/hda conv=sync,noerror bs=64K

The disk information should also be stored by using the fdisk command and redirecting its output to a text or info file.

    fdisk -l /dev/hda > /mnt/sda1/hda_fdisk.info

The advantage of using dd in forensics is that it will create an image of the whole disk, including the unused blocks. It is error free, and easy to do with any Linux distribution.

E. What additional evidence could you look for at the victim's home or workplace to obtain clues about her whereabouts?

The victim's room would be the most important place to search. Additional evidence would be her diary, her hand phone if available, and any books or paper that she wrote in. Her email and any personal sites which hold her data online, such as Facebook, can help in the case.

F. Explain what method would be used to preserve the integrity of the evidence obtained, and why it is important to obtain the data using this method.

A hash of the original image from the laptop and of any file used should be created. Using an MD5 or SHA1 hash would be advisable and is recognized in court. The concept of hashing is that no two data objects can have the same hash, and thus if the hash has changed, the data has been compromised. By hashing the original data, the forensic investigator can tell the court that the evidence was not tampered with and that anything found was there from the start. Typically, hashing would be done before and after duplication of the disk image to ensure that the copy is exactly the same as the disk.

G.
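The dd acquisition from D and the before-and-after hashing from F, carried through end to end as an added example that is not part of the original post. The "device" and evidence mount are constructed stand-ins for /dev/hda (read through a write blocker) and /mnt/sda1, the names assumed in the post.

```shell
#!/bin/sh
# Added example (not the post's own code): acquire a disk image with dd and
# gzip as in D, then prove integrity with a hash before and after as in F.
# $SRC stands in for /dev/hda and $EVIDENCE for /mnt/sda1 (assumed names).
set -eu

WORK=$(mktemp -d)
SRC="$WORK/hda"
EVIDENCE="$WORK/sda1"
mkdir -p "$EVIDENCE"

# Constructed sample disk: exactly two 64K blocks of unused (zero) space with
# a short text at the start. The size being a whole number of blocks matters:
# conv=sync pads a partial final block with zeros, which would change the hash.
dd if=/dev/zero of="$SRC" bs=64K count=2 2>/dev/null
printf 'diary 2019-03-31: meeting a friend after school\n' |
    dd of="$SRC" conv=notrunc 2>/dev/null

# Acquire: record the source hash, then image with dd into a compressed file.
acquire() {
    sha1sum "$SRC" | awk '{print $1}' > "$EVIDENCE/hda.sha1.before"
    dd if="$SRC" conv=sync,noerror bs=64K 2>/dev/null | gzip -c > "$EVIDENCE/hda.img.gz"
}

# Verify a compressed image ($1) against the hash recorded before duplication.
# Returns 0 if the image is byte-for-byte the same as the source, 1 otherwise.
verify_image() {
    before=$(cat "$EVIDENCE/hda.sha1.before")
    after=$(gunzip -c "$1" | sha1sum | awk '{print $1}')
    echo "before: $before"
    echo "after:  $after"
    [ "$before" = "$after" ]
}

acquire
verify_image "$EVIDENCE/hda.img.gz"
```

Both digests should be written into the case log alongside the fdisk output so the court can see the copy matched the original.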
Find out which file(s) have bad extensions and further examine the file headers of these file(s) using a hex editor. Why is it important to carry out such a procedure, and how may it help the team in solving the case?

The file headers contain information that helps the operating system identify what kind of file it is. File headers are often corrupted or changed on purpose to hide the true identity of the file. If this is overlooked, crucial documents could be missed and identified as other, unrelated types of document. Secondly, the file headers could be corrupted to prevent reading of the file, and would have to be further examined to find out the content.
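A scripted version of the extension-versus-header check described in G, added here as an example and not the post's own code. It constructs three sample files and compares each file's first bytes against the public signatures for JPEG, PNG, GIF, PDF and ZIP (DOCX and XLSX are ZIP containers), which is the same comparison done by eye in a hex editor.

```shell
#!/bin/sh
# Added example (not the post's own code): flag files whose extension does not
# match the file header, so they can be examined further in a hex editor.
set -eu

# Print the first 4 bytes of a file as lowercase hex, e.g. "ffd8ffe0".
head_hex() {
    head -c 4 "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Map the header bytes to a file type using well-known public signatures.
header_type() {
    case "$(head_hex "$1")" in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        25504446) echo pdf ;;
        504b0304) echo zip ;;
        *)        echo unknown ;;
    esac
}

# Map the file name's extension to the same type names (docx/xlsx are ZIP).
ext_type() {
    n=$(basename "$1")
    case "$n" in *.*) ext=$(printf '%s' "${n##*.}" | tr 'A-Z' 'a-z') ;; *) ext="" ;; esac
    case "$ext" in
        jpg|jpeg)            echo jpeg ;;
        png)                 echo png ;;
        gif)                 echo gif ;;
        pdf)                 echo pdf ;;
        zip|docx|xlsx|pptx)  echo zip ;;
        *)                   echo unknown ;;
    esac
}

# Return 0 when header and extension agree, 1 when they do not.
# Files with an unrecognised header are not flagged by this check.
check_file() {
    h=$(header_type "$1"); e=$(ext_type "$1")
    if [ "$h" != unknown ] && [ "$h" != "$e" ]; then
        echo "MISMATCH $1: extension says $e, header says $h"; return 1
    fi
    echo "ok       $1: $h"
}

# Constructed sample files: a JPEG renamed .txt, a real PDF, a PNG posing as .jpg.
WORK=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$WORK/notes.txt"
printf '%%PDF-1.4\n' > "$WORK/report.pdf"
printf '\211PNG\r\n\032\n' > "$WORK/holiday.jpg"
for f in "$WORK"/*; do check_file "$f" || true; done
```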
