Step 1: Conduct a Background Review

Question # 00616947 Posted By: neil2103 Updated on: 11/11/2017 11:48 PM Due on: 11/01/2017
Step 1: Conduct a Background Review

Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization's legal team has been asking questions about types, sources, and collection of digital information. They have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department's technical manual to compose your memo on locations of valuable forensic information and formats in which digital evidence can be stored. You also review imaging and verification procedures.

For the first step in this project, prepare a memo (1-2 pages in length) that summarizes possible locations of valuable digital forensic information, as well as collection and storage options in layman's language. For each location described, include a short description of the following:

  1. Area
  2. Types of data that can be found there
  3. Reasons why the data has potential value to an investigation in general, and for this case in particular

The locations to be addressed are: USB sticks, RAM and swap space, and operating system hard disks.

Also describe possible digital evidence storage formats (raw, E01 (ewf), and AFF), the advantages and disadvantages of each, and how digital forensic images are collected (local and remote, memory and disk) and verified. Your memo will be included in the final forensic imaging lab report.

Step 2: Respond to Questions from the Legal Team

In this step, you respond to pointed questions from your organization's legal team. The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.

Questions from the legal team:

  1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
  2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
  3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
  4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (1-2 pages) written in plain, simple English. The memo will be included in your final forensic imaging lab report (Step 7) so review it carefully for accuracy and completeness.

You are hoping that you will be able to access the suspect's local computer ne
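
An added example, not part of the original assignment text: the hash-before, copy, hash-after check that the verification questions in Step 2 turn on. SHA-256 as the default and the function names `digest`, `acquire` and `demo` are assumptions chosen for illustration, and a temporary file with constructed contents stands in for the flash drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large device never sits in RAM


def digest(path, algo="sha256"):
    """Stream a file or block device through the chosen hash."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, img, algo="sha256"):
    """Copy src to a raw image and return a verification record."""
    before = digest(src, algo)  # hash the original before copying
    with open(src, "rb") as s, open(img, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            d.write(block)
    image, after = digest(img, algo), digest(src, algo)
    # All three must agree: the copy is exact and the original did not change.
    return {"algo": algo, "source_before": before, "image": image,
            "source_after": after, "verified": before == image == after}


def demo():
    """Constructed data: a temp file stands in for the flash drive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "usb.bin")
        img = os.path.join(tmp, "usb.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 8192 + b"constructed")  # 2 MiB + 11 B
        clean = acquire(src, img)
        # Simulate a one-byte write to the original after imaging, the kind
        # of change a mounted filesystem can make on its own.
        with open(src, "r+b") as f:
            f.seek(1024)       # byte at this offset is 0x00 in the sample
            f.write(b"\xff")
        changed = digest(src) != clean["source_before"]
        image_still_ok = digest(img) == clean["image"]
        return clean, changed, image_still_ok


if __name__ == "__main__":
    record, changed, image_still_ok = demo()
    print(record["verified"], changed, image_still_ok)
```

On real media the source would be read through a write blocker; the matching before and after hashes in the record are what document that the original was not altered during acquisition.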
