Computer Forensics: Data Acquisition Report

Introduction

Data acquisition is a branch of computer forensics concerned with the retrieval of data originally located on a suspect medium such as a hard drive. These data could be images or files. The types of data acquisition are either live or static. This acquisition can fall in any one of the four methods highlighted below:

• The bitstream disk to image, which can be used to create copies, which are bit for bit replicas. This method can enable one to make more than one copy during the process.
• The bitstream disk to disk is used where bitstream disk to the image is not possible.
• While considering the files of interest only, the logical or sparse acquisition will suffice. However, this option remains suitable for large disks and can collect pieces of deleted data.

For the 2GB hard disk in question, a lossless compression may be suitable. However, for effectiveness, this will be combined with a digital signature verification process. For such a case, the contents will be copied as an accurate image to a file preferably to another disk using third-party tools such as ProDiscover or EnCase. However, this depends on other factors that would otherwise disqualify the bitstream disk to the image file method.

Another hard disk is used as the target medium onto which a copy of the suspect hard disk is made. EnCase and SnapCopy is examples of software that can be employed for this process. The acquisition precedes validation of the data. Windows has no inbuilt validation algorithms that are typically hashing algorithms. Third-party utilities are used for such validation processes. Alternatively, Linux validation can be used with the dcfldd with a verify file option to compare the image to the original.

Computer forensics training

CYber DEfense Trainer (CYDEST) describes a virtual environment addressing computer forensics as well as network defense. Considering that training on an actual platform may be costly and remote, CYDEST provides an opportunity for network administrators as well as digital forensics investigators to run real-life scenarios in a virtual environment. This setup achieves realism through “support for highly realistic ‘invasive’ training scenarios which include ongoing attacks and live forensics as well as an automated evaluation of student’s performance” (Brueckner et al., 2008, p.105). CYDEST relies on virtualization.

Virtualization for this case is capable of achieving rich scenarios at random, which are suitable for training purposes. This virtualization is hosted with Xen, which is a hypervisor “running directly on the hardware as an operating system control program” (Brueckner et al., 2008, p.105). Xen will support one or more machines as specially privileged guests. This platform also supports the Linux operating system as a privileged guest. In a CYDEST session, the hosts seen by the student are unprivileged. Xen can also allow other architectures to enable hosts on the network to run licensed software such as windows.

CYDEST in its assessment employs passive and active observation. The former will cover reports involving a student’s responses to direct queries. Active observation on the other hand is whereby a student’s actions are monitored and both the direct and indirect results are analyzed. “CYDEST is web-based and can be accessed over the internet or locally” (Brueckner et al., 2008, p.106). Some shortcomings as far as CYDEST is concerned to relate to the complexity of some of its components. It is not uncommon that a virtual host may unexpectedly crash in which case the system reverts to a predefined baseline. It can be also noted that the student exercises are not repeatable.

Return on investment (ROI)

Determining the return on investment (ROI) is the single most important aspect of any investment today. This stands true for real estate, stocks, or new business ventures just to mention a few. Estimating a return on investment (ROI) helps the business planner to choose from among several investment options. During an IT project, training remains one of the relevant aspects for successful project delivery. This could be team training for those directly involved in the project or user training for the eventual beneficiaries of the project deliverable. User or staff training will result in improved performance and productivity.

It will be noted though that there are no cash flows representing training and therefore net present value as an ROI method is unsuitable to use here. While considering employees as organizational assets, their work can be determined by their remuneration package. Their salaries would translate to how much worth the employee is to the organization. However, this cannot be directly measured in terms of cash flows for the net present value method in determining the return on investment. A return based on their salaries would be a more appropriate method to determine the return on investment as the use of the net present value (NPV) method is unsuitable.

An alternative to NPV would be the use of the annual percentage yield (APY). For such a method, the cost associated with the investment will first be determined; the returns will then be calculated or estimated. The next undertaking would be to define a timeline for the returns and based on this calculation of the annualized return of investment or the annual percentage yield.

Reference

Brueckner, S, Guaspari, D, Adelstein, F, & Weeks, J. (2008). Automated computer forensics training in a virtualized environment. Digital investigation, 5(1), 105- 111.