WK 2 Lab 2 Comparative Tool Testing
School: SUNY Buffalo State College
Course: COMPUTER F
Subject: Computer Science
Date: Dec 6, 2023
Type: docx
Pages: 17
Uploaded by DeanField4049
DIGITAL FORENSIC SCIENCE (DFS-501-85A)
WEEK 2: Comparative Tool Testing
CLIFFORD KWAME ATTAGLO
AKETTE COWART
NOVEMBER 9, 2023

Week 2 Lab #2: Comparative Tool Testing: FTK Imager and Magnet Acquire

Executive Summary

Non-Technical Overview

This report seeks to show the accuracy and effectiveness of the FTK Imager and Magnet Acquire software in producing an exact copy of a drive without making any changes, as measured by comparing the image's hash value against that of the original drive. It describes the process used to test and verify that each tool creates an exact copy of the original source evidence drive by producing the same hash values. The three main objectives of this validation process are:

1. To validate that the FTK Imager software produces an exact copy of the original source evidence drive without any changes.
2. To validate that the Magnet Acquire software creates an exact copy of the original source drive without any changes.
3. To validate that the two acquisition tools produce the same exact copies of the original source drive by producing the same hash values.

The procedure to accomplish these objectives:

1. Run a software or hardware write-blocker on the workstation. A write blocker is a program that lets the user either enable write protection for all USB devices connected to the computer or block USB devices completely; in simple terms, it prevents the user from modifying the source evidence drive.
2. Each tool creates an image of the original source drive.
3. The tools generate hash values, which are then compared against each other.

Result of the Validation Process between FTK Imager and Magnet Acquire

Each tool, FTK Imager and Magnet Acquire, was able to create an exact copy of the original source evidence drive without making any changes to it. The hash values produced by the two tools were compared to each other and came out the same. From this outcome, both tools produced a forensically sound image of the original evidence drive and produced identical hash values, proving that there was no modification to the images produced by either tool.

Technical Section

Test Plan

1. Purpose and Scope: This plan will verify the accuracy and effectiveness of FTK Imager and Magnet Acquire in producing exact copies of a source evidence drive without making any modifications to it.

2. Requirements:
o FTK Imager should create a forensically sound image of the source evidence drive without making any modifications.
o Magnet Acquire should produce a forensically sound image of the source evidence drive without making any modifications.
o Both FTK Imager and Magnet Acquire should produce the same hash values (MD5 and SHA1) as the source evidence drive.

3. Description of Methodology: Windows OS was used for this exercise on a VMware platform. A source evidence drive was created and labelled X. Three files were added and one deleted. I then ran a software write blocker called Safe Block. I used FTK Imager and Magnet Acquire, each in turn, to obtain a physical disk image of the source evidence drive. The hash values produced by each tool were then compared against those of the original source evidence drive.

4. Expected Results:
o Magnet Acquire should create a forensically sound physical image of the source drive without making any modifications.
o FTK Imager should create a forensic image of the original source drive without making any modifications.
o The hash values produced by each tool should be an exact copy of the original source drive's hash values.

5. Test Scenarios:
Test No.: 50185A
Environment: Windows, Source Drive, FTK Imager, Magnet Acquire
Action: Retrieve original hashes, create images, generate hashes, compare hashes
Assigned Requirement: All
Expected Results: Hashes retrieved from both software

6. Description of Test Data:
a. 32MB Source Evidence Drive (X)
   MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
   SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8

Test Result

1. Test Number: 50185A
2. Test Title: Using FTK Imager and Magnet Acquire, create a physical disk image.
3. Test Date: November 9, 2023
4. Test Person: Clifford Attaglo
5. Test Description: This test verifies the accuracy and efficacy of FTK Imager and Magnet Acquire in creating a physical disk image of the source evidence disk. A write blocker named SAFEBLOCK is installed and run on the workstation. A write blocker is a program that lets the user enable write protection for all USB devices connected to the computer. The hash values generated during acquisition are compared to the hash values of the original source evidence.
6. Test Result: FTK Imager and Magnet Acquire passed the test. Both generated hashes that were the same as those of the source evidence drive.
7. Configuration of Test Platform:
   Platform: VMware ESXi
   OS Name/Version: Windows 10 Enterprise 2016 LTSB 10.0.14393 N/A Build 14293
   System Type: x64-based PC
   Processor: Intel® Xeon® Gold 6148 CPU @ 2.40GHz 2.39GHz (2 Processors)
   BIOS Version: Phoenix Technologies LTD
8. Tools Being Tested:
   Title: FTK Imager (Software)
   o Manufacturer: Exterro
   o Version: 4.7.1.2
   Title: Magnet Acquire (Software)
   o Manufacturer: Magnet Forensics
   o Version: 2.26.0.20671
9. Test Data Note: Original Source Information
   o MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
   o SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8
10. Test Note: All software (SafeBlock, Magnet Acquire and FTK Imager) was preinstalled on the workstation before the test was run. The source evidence disk was created from the same workstation drive.
11. Procedures:
   Right-click the Windows menu and choose "Disk Management".
   Select Disk 1 to simulate the source drive.
   Wipe Disk 1 using Eraser.
   Right-click the newly wiped Disk 1 and choose "Initialize Disk" with default settings.
   Right-click the "Unallocated Space" on Disk 1, format the partition space and assign the drive letter X.
   Format the volume using the NTFS file system and label it "Source Evidence".
   Transfer or copy three files to it and delete one.
   Run the SafeBlock GUI on the workstation.
   Make a physical disk image of the drive labelled "Source Evidence" using both FTK Imager and Magnet Acquire.
   Compare the two hash values generated by these tools.
12. Observation: It was observed that both FTK Imager and Magnet Acquire produced the same hash values as the original source drive.
   Source Evidence hash values:
   o MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
   o SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8
   FTK Imager hash values:
   o MD5 checksum: 493e22264dd9c0a53f58044ff580b23c : verified
   o SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8 : verified
   Magnet Acquire:
   o Acquisition Results
     Acquisition Started: 2023-11-10 01:51:06
     Acquisition Finished: 2023-11-10 01:51:11
     MD5 Acquisition Hash: 493e22264dd9c0a53f58044ff580b23c
   o Image Verification Results
     Verification Started: 2023-11-10 01:51:10
     Verification Finished: 2023-11-10 01:51:10
     MD5 Verification Hash: 493e22264dd9c0a53f58044ff580b23c
     Outcome: MATCH
13. Results:
   Expected Results:
   o FTK Imager is expected to create an exact physical disk image of the original source evidence drive without any changes.
   o Magnet Acquire is expected to make an exact physical disk image of the original source drive without any modifications.
   o Both tools are expected to generate the same hash values as the original source drive.
   Actual Results:
   Source Evidence:  MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
                     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8
   FTK Imager:       MD5 checksum: 493e22264dd9c0a53f58044ff580b23c : verified
                     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8 : verified
   Magnet Acquire:   MD5 Verification Hash: 493e22264dd9c0a53f58044ff580b23c
                     SHA1: (none reported)
   o The actual results came out as expected: both FTK Imager and Magnet Acquire produced the same results, though Magnet Acquire does not report a SHA1 hash in its verification results. This is because the write-blocker (SafeBlock) prevents any write commands from reaching the storage device; it ensures that the original data remains untouched during the examination of the evidence drive.
14. Validation Results:
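The hash comparison the lab performs by hand, as an added Python example (not part of the report and not the tools' own code): it hashes a constructed byte stream standing in for drive X, verifies an image against it, and distinguishes a full match from an MD5-only verification record such as Magnet Acquire's and from an image altered after acquisition. Names and sample data are constructed for the example.

```python
import hashlib

# Algorithms the lab compares; Magnet Acquire's verification record reports only MD5.
HASH_ALGOS = ("md5", "sha1")


def hash_stream(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Hash a drive or image byte stream in chunks, as an imaging tool does
    while reading a physical disk. Returns {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_hashes: dict, reported: dict) -> tuple:
    """Compare the digests a tool reports for its image with the source drive's.
    MATCH: every required algorithm reported and equal. PARTIAL: no mismatch,
    but an algorithm is missing (an MD5-only record leaves SHA1 unverified).
    MISMATCH: a reported digest differs, so the image is not an exact copy."""
    detail = {}
    for algo in HASH_ALGOS:
        if algo not in reported:
            detail[algo] = "not reported"
        elif reported[algo].lower() == source_hashes[algo]:
            detail[algo] = "verified"
        else:
            detail[algo] = "MISMATCH"
    if "MISMATCH" in detail.values():
        return "MISMATCH", detail
    if "not reported" in detail.values():
        return "PARTIAL", detail
    return "MATCH", detail


def run_demo() -> dict:
    """Constructed 256 KiB byte string standing in for the lab's 32MB volume X."""
    source = bytes(range(256)) * 1024
    source_hashes = hash_stream(source)
    good_image = bytes(source)                          # bit-for-bit acquisition
    md5_only = {"md5": hash_stream(good_image)["md5"]}  # MD5-only verification record
    tampered = bytearray(source)
    tampered[1000] ^= 0xFF                              # one byte altered: no write blocking
    return {
        "full": verify_image(source_hashes, hash_stream(good_image))[0],
        "md5_only": verify_image(source_hashes, md5_only)[0],
        "tampered": verify_image(source_hashes, hash_stream(bytes(tampered)))[0],
    }
```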
   Magnet Acquire:
   Install and run a validated software write-blocker on the workstation and boot the test machine.
   Right-click Magnet Acquire to run it.
   Select your source evidence drive and click Next.
   Select Full (or the default setting) and click Next.
   Fill out the next window with "Create Evidence Folder".
   Click Acquire and wait for it to finish.
   Open the folder and then the attached file.
   o Magnet Acquire provides the original MD5 and SHA1 hashes.
     Segment 1 MD5 Hash: 493e22264dd9c0a53f58044ff580b23c
     Segment 1 SHA1 Hash: 0247916b14095c9301808203c5c7d89888170ab8
   o Magnet Acquire provides the verified MD5 hash value but not the SHA1.
     Image Verification Results
     Verification Started: 2023-11-10 01:51:10
     Verification Finished: 2023-11-10 01:51:10
     MD5 Verification Hash: 493e22264dd9c0a53f58044ff580b23c
     Outcome: MATCH
   FTK Imager:
   Install and run a validated software write-blocker on the workstation and boot the test machine.
   Double-click FTK Imager to open it.
   Click File and select "Create Disk Image".
   The "Select Source" window opens; select "Physical Drive".
   The "Select Drive" window opens; select your source evidence disk from the drop-down menu and click Finish.
   The "Create Image" window opens; click Add.
   The "Select Image Type" window opens; select your type from the selection.
   Fill out the "Evidence Item Information".
   The "Select Image Destination" window opens; select your destination, fill out the Image Filename portion and click the "Finish" button.
   Open the folder and open the attached file.
   o FTK Imager provides the original MD5 and SHA1 hashes.
     MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8
   o FTK Imager provides verified MD5 and SHA1 hashes.
     Verification finished: Thu Nov 9 20:55:02 2023
     MD5 checksum: 493e22264dd9c0a53f58044ff580b23c : verified
     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8 : verified
   Note:

Summary Report

The test procedure used validates the FTK Imager and Magnet Acquire software. The criteria and validation statements are as follows:

FTK Imager should create an exact forensic image of the source drive without any modifications.
o FTK Imager created an exact copy of the source drive without any modifications. This was shown by generating hash values identical to those of the original source evidence drive, proving it to be a valid, authenticated tool for acquiring a forensically sound image.

Magnet Acquire should create an exact copy of the source drive without any changes.
o Magnet Acquire proved to be authentic software by creating an exact copy of the source drive without altering it.

The MD5 and SHA1 hashes generated during acquisition should be the same as the hash values of the original source drive.
   Source Evidence:  MD5 checksum: 493e22264dd9c0a53f58044ff580b23c
                     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8
   FTK Imager:       MD5 checksum: 493e22264dd9c0a53f58044ff580b23c : verified
                     SHA1 checksum: 0247916b14095c9301808203c5c7d89888170ab8 : verified
   Magnet Acquire:   MD5 Verification Hash: 493e22264dd9c0a53f58044ff580b23c
                     SHA1: (none reported)
Both FTK Imager and Magnet Acquire produced consistent results. This is because the write-blocker (SafeBlock) prevents any write commands from reaching the storage device; it ensures that the original data remains untouched during the examination of the evidence drive.
The discrepancies between the two examiners' forensic reports to the court could be due to several reasons, including:

Bias: This is when one forensic examiner takes sides in the case and tends to twist the forensic examination to favor his paymasters.

Lack of a write-blocker: Write blockers prevent any write commands from reaching the storage device, ensuring that the original data remains untouched during examination of the evidence drive. Write-blockers have become pivotal for ensuring that data acquired during forensic investigations is admissible in court. Without write-blockers the acquisition drive can be contaminated, and the opposing counsel can argue that the evidence was tampered with.

Bugs in forensic tools: A software bug is a weakness in a computer program, either in code or design, that produces an incorrect or unexpected result or causes it to behave in an unintended way (Garfinkel, 2007). Therefore, it is essential to check the vendor's website for updates or to keep in contact with the vendor to get the latest information and updates.

References

Exterro (n.d.). Exterro. Retrieved November 10, 2023, from https://www.exterro.com/ftk-imager
Homewood, A., & Cusack, B. (2013). Identifying Bugs In Digital Forensic Tools. ECU. https://doi.org/10.4225/75/57b3c3befb86c
SWGDE (n.d.). SWGDE Recommended Guidelines for Validation Testing. Retrieved November 10, 2023, from www.swgde.org
Orion (n.d.). Orion USB Write Blocker. Retrieved November 10, 2023, from http://www.orionforensics.com/forensics-tools/orion-usb-write-blocker/
Forensicsoft (n.d.). Safe Block. Retrieved November 10, 2023, from https://www.forensicsoft.com/products/safe-block