Monday, March 26, 2012

Prologue of Computer Forensics

Identification of device evidence

To identify a device we first need to know it from a global view: everything about the device such as brand, type and function. After the device and its function are known, we identify it from the software view, that is, its internal contents.

In the identification phase, which introduces the device, we can use a few tools; here I recommend md5sum. This tool generates a hash fingerprint of a file, and with it we can validate the file. Recording these hashes is part of the chain of custody.

After generating the hash of the file we can image (clone) it with dd, which copies byte by byte. Before using dd we need to mount the device with special options: noatime so that access times are not updated, noexec so that nothing on it can be executed, and ro for read-only mode.

When the dd clone finishes, check the output file again with md5sum: the hash must be the same, which verifies that the clone and the master are identical files. Once we have the clone, the master device can be sealed to keep the evidence safe; this too is part of the chain of custody.
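As an added example (not part of the original post), the following POSIX shell script walks the acquisition steps above on a constructed sample image: fingerprint the master with md5sum, clone it byte by byte with dd, fingerprint the clone, compare the two hashes, and append each hash with a timestamp to a chain-of-custody log. The file name practical.floppy.dd is taken from the post, but its contents are generated here; the mount function is shown with the ro, noatime and noexec options but is not executed, because it needs root and a loop device.

```shell
#!/bin/sh
# Added example: acquisition and verification with md5sum and dd.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
MASTER="$WORK/practical.floppy.dd"       # name from the post; contents constructed below
CLONE="$WORK/practical.floppy.clone.dd"  # hypothetical output name for the image
LOG="$WORK/chain_of_custody.log"         # hypothetical custody log

# Constructed sample evidence: 64 KiB of random bytes standing in for a floppy image.
make_sample_image() {
    head -c 65536 /dev/urandom > "$MASTER"
}

# Print the md5 fingerprint of a file and record it, with a UTC timestamp, in the log.
fingerprint() {
    sum="$(md5sum "$1" | awk '{print $1}')"   # md5sum prints "<hash>  <file>"
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sum" "$1" >> "$LOG"
    printf '%s\n' "$sum"
}

# Byte-for-byte copy of master into clone. conv=noerror,sync keeps reading past
# unreadable blocks and pads them, so the clone keeps the same length as the master.
clone_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Returns 0 when master and clone hash identically, 1 otherwise.
verify_clone() {
    master_sum="$(fingerprint "$1")"
    clone_sum="$(fingerprint "$2")"
    [ "$master_sum" = "$clone_sum" ]
}

# Whole acquisition step: clone, then verify the clone against the master.
clone_and_verify() {
    clone_image "$1" "$2"
    verify_clone "$1" "$2"
}

# Mount the clone for analysis without touching the master:
# ro = read-only, noatime = no access-time updates, noexec = nothing on it can run.
# Shown for reference only; requires root and loop-device support.
mount_clone_readonly() {
    mount -o ro,noatime,noexec,loop "$1" "$2"
}
```

Run it as root-free: `make_sample_image` followed by `clone_and_verify "$MASTER" "$CLONE"` exits 0 on a good clone, and the log then holds both hashes with timestamps, which is the record you keep with the sealed master.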

Now we can move on to the evidence-analysis phase.

Now I'll try this phase in practice.

The file is: practical.floppy.dd


After cloning the evidence and making sure the hashes are the same, the evidence is identical to the source (master).


Show the file's details to learn its owner and other attributes.


To be continued...

IS2C © 2012 Blog's Student | is2c