Procedure for Computer Forensic Investigation
First of all, the forensic investigator should prepare a basic investigation plan. In this case I, the forensic investigator, have already acquired the evidence concerning the presumed kidnapping victim, Amy Capri, from her parents. To speed up the investigation I would also ask the parents for any passwords she may have set on her notebook and for any folders she has encrypted. The second most important step is to obtain and complete an evidence form and to establish a chain of custody. The purpose of completing the evidence form is to document what has been done to the original evidence and to its forensic copies, and to keep a log of everyone who accesses the evidence. Evidence forms come in two kinds, the single-evidence form and the multi-evidence form. The difference between them is that a single-evidence form covers only one item of evidence, while a multi-evidence form covers up to 10 evidence items. After the required evidence form has been filled in, the next step is to secure the evidence, which in this case is the notebook.
We must first take precautions so that the data is not accidentally destroyed. Heat is one consideration: I should never leave the evidence lying in a hot car, because severe heat such as direct sunlight can warp hard drive platters and make the data unreadable. The next factor is static electricity: vehicle carpets and low humidity generate static electricity, which can damage electronic evidence, so rubber mats should be used instead. Momentum also plays a part in transporting evidence safely. Every vehicle has brakes, but I should not brake sharply, because the notebook's hard drive has moving parts with momentum of their own, and a sudden stop without proper evidence packaging can damage the drive and compromise the data. Lastly, I must make sure that nothing in my vehicle that generates a magnetic field or radio waves is placed where it could harm the computer equipment.
To guard against all of the evidence-destroying environmental hazards listed above, I must use an approved evidence bag to hold the notebook and then place that bag in a secure container. For the evidence bag I will use an antistatic computer-safe bag, and for the container I would use a well-padded case so that the evidence is cushioned rather than thrown about during transportation. Once the evidence bag is placed in the secure container, the investigator seals every opening with evidence tape. I then write my initials and the date across the tape, so that any later opening of the seal is visible and the evidence can be shown not to have been tampered with.
Once the evidence has safely reached the designated forensic lab, a forensic workstation should be prepared first. An example of a forensic workstation is FRED (Forensic Recovery of Evidence Device), which comes pre-loaded with forensic software and hardware suited to the investigation. We next take the evidence bag from the secure container and make a forensic copy of the evidence as a bit-stream image. The difference between a bit-stream image and a simple backup is that backup software copies only the files the file system knows about; it cannot copy deleted files or email messages, or recover file fragments from unallocated space on the hard drive. A bit-stream image, by contrast, is an exact sector-by-sector copy of the entire hard drive, including slack and unallocated space. So that the original evidence is not altered, the drive is attached through a write blocker, and if the notebook itself must be started it is booted from forensic boot media (a floppy disk or CD) rather than from its own disk, so that nothing is written to the evidence drive. After the forensic copy has been made and its hash has been verified against the original, the evidence is securely returned to its container. Lastly, the copied evidence is processed using computer forensic tools.
Hardware resources needed to analyze a notebook
Regarding the hardware resources needed to analyze the notebook, I would use the initial-response field kit, as it has the bare necessities for a forensic investigation. Inside the kit is a small computer toolkit, used to take the notebook apart to examine its physical components. A large-capacity external hard disk is recommended, as it is used to store all the vital data and evidence found at the crime scene. The cables I will use for data transfer are the IDE ribbon cable (ATA-33 or ATA-100), a SATA cable and a FireWire cable. I would also require a digital camera, or a 35 mm camera with film, with a flash to photograph the crime scene and to take shots of the notebook and other evidence from different angles. For storage and sealing I would bring along antistatic computer evidence bags to protect the items from static electricity. Evidence labels, tape, tags and a permanent marker would also be brought along to seal the evidence and sign my initials, for the sake of integrity. Evidence log forms would also be brought along to establish the chain of custody. As for my laptop, I would need one with forensic software, a charging adapter and a fully charged spare battery for emergencies. For recording and logging purposes, a dictation recorder would be used to keep track of my progress throughout the investigation. This recording can also be used as evidence in court to support the findings I made during my investigation.
Architectural hardware differences between a notebook and a desktop computer
The architectural hardware differences between a notebook and a desktop computer lie in mobility, performance, structure and the ability to keep working in an emergency. The laptop is a mobile personal computer that has most if not all of what a desktop computer has, while the desktop computer comes as separate parts: speakers, monitor and the system unit. In terms of performance the desktop computer traditionally surpasses the laptop (although the gap is now much smaller). In a fire or a blackout, the desktop is hard to move quickly because of the weight and bulk of the system unit and its peripherals, and it stops the moment mains power is lost, whereas the laptop runs on battery power and, being light, can be swiftly carried to safety unharmed. Lastly, the structures differ: desktop hardware sits in a roomy system unit casing with standard, easily removed components, whereas laptop hardware is compact and tightly integrated inside its casing. If dismantling is required for a forensic investigation, the laptop therefore takes much longer to take apart and image.
Tools or equipment that might be needed to perform a forensic image acquisition
As for the tools needed to perform a forensic image acquisition, the laptop requires a different ATA connector: a 2.5-inch laptop IDE drive uses a 44-pin, 2 mm-pitch connector rather than the desktop's 40-pin ribbon connector (the extra four pins carry power), so a 44-to-40-pin adapter is needed to attach the drive to a write blocker or to the forensic workstation. Most laptops can hold only one hard disk at a time and cannot use a CD-ROM drive and a floppy drive at the same time. The laptop also does not come with a built-in floppy drive, so we cannot boot the notebook from a forensic boot floppy; instead we must use a bootable forensic CD-ROM to make a bit-stream copy of the target's hard drive, whereas a desktop can boot from the floppy drive and use the CD-ROM drive alongside it.
Tools needed to create image based on scenario
Based on the scenario, I am going to use only one tool to create the image, and I will follow stringent guidelines in choosing it. I would have to ensure that this forensic tool can make a bit-stream copy or image of a chosen partition, that it does not alter the original evidence disk, that it can verify the integrity of the disk image file (by computing and comparing hashes), that it logs the prominent details of the acquisition, and that its documentation matches what the tool actually does. The tool I will be using is HELIX 2.0, because it can run both as a Windows application on a live system and as a standalone bootable Linux disk, regardless of the operating system installed on the evidence machine. HELIX bundles well-known forensic software such as FTK Imager, Adepto, AIR 1.2.5 (Automated Image and Restore), Netcat and many more. Helix 2.0 is also free to download and is used by many forensic investigators.
Additional Evidence or clues
In looking for additional evidence, the first things I would look for are data storage devices such as MP3 players, USB thumb drives, external hard drives, optical discs (CD-R, CD-RW, DVD), floppy disks, mobile devices (hand phones, PDAs, BlackBerrys), cameras, voice recorders and camcorders, as well as paper items such as diaries, picture albums, pamphlets, brochures and magazines. Finding these would be tedious, so I would first ask the parents about any known hiding spots in the house and start my search from there. After a thorough search of her house, I would next proceed to her school and ask her teachers about any change in her academic performance or attitude close to the time of her disappearance. Her friends would be my next interviewees, as they would have been close to her in school or in extra-curricular activities after school. I would ask them whether she had mentioned travelling overseas, anyone in particular, or the local hangouts they would go to.
Method used to preserve the integrity of the evidence
To preserve the integrity of the evidence I would hash it. Hashing is important in the forensic field because it shows that a particular file, folder, partition or disk image has not been modified in any way: if even one byte changes, the hash will be different. I would compute an MD5 hash of the original drive and of the image immediately after acquisition and record both in the evidence log, so that the image can be re-hashed and compared at any later point. One caveat: MD5 is no longer collision-resistant, and it is feasible to craft two different files that share the same MD5 digest, so while the chance of an accidental match is negligible, a deliberate one is not. For that reason I would record a SHA-256 hash alongside the MD5 for every item. Hashing is therefore a very important component of data preservation.
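The acquisition step described under the lab procedure above (a bit-stream copy made behind a write blocker) and the hashing step described here fit together in one routine, shown below as an added example that is not part of this report and not the code of any tool named here. It assumes a constructed in-memory byte string standing in for the notebook's drive (in practice the source would be the block device opened read-only behind a hardware write blocker), copies every byte to an image file while computing MD5 and SHA-256, records both digests, and then shows that a single altered byte in the image is caught on re-verification. The "deleted note" fragment planted in the device and the file name notebook.dd are constructed for the demonstration.

```python
"""Bit-stream acquisition with hash verification (added example).

The 'device' is a constructed in-memory byte string standing in for the
notebook's drive; in practice the source would be a block device opened
read-only behind a hardware write blocker.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per read; real imagers use larger blocks, same logic


def image_device(src, dst, chunk=CHUNK):
    """Bit-stream copy: read src sequentially until end-of-device and write every
    byte to dst, hashing the stream as it passes through. Unlike a file-level
    backup this captures deleted files, slack and unallocated space, because it
    never consults the file system at all. Returns the acquisition record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    for block in iter(lambda: src.read(chunk), b""):
        dst.write(block)
        md5.update(block)
        sha.update(block)
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_stream(src, chunk=CHUNK):
    """Hash a finished image (or the source device) in a second, independent pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def verify_image(image_path, record):
    """Re-hash the image on disk and require BOTH digests to match the record.
    MD5 is kept for compatibility with older case files; SHA-256 is the digest
    that still resists deliberately crafted collisions."""
    with open(image_path, "rb") as f:
        got = hash_stream(f)
    return got["md5"] == record["md5"] and got["sha256"] == record["sha256"]


def build_device():
    """Constructed stand-in for the evidence drive: 1 MiB of deterministic filler
    with a fragment of a 'deleted' note left in what would be unallocated space."""
    data = bytearray(bytes(range(256)) * 4096)
    remnant = b"meet me at the old pier at 11pm"  # constructed, not case data
    data[700_000:700_000 + len(remnant)] = remnant
    return bytes(data)


def run_demo():
    """Acquire the device to a temporary image, verify it, then show that one
    altered byte is caught. Returns (record, verified, tampered_ok, remnant_found)."""
    device = build_device()
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "notebook.dd")  # hypothetical name
        with io.BytesIO(device) as src, open(image_path, "wb") as dst:
            record = image_device(src, dst)
        verified = verify_image(image_path, record)
        with open(image_path, "rb") as f:
            remnant_found = b"old pier" in f.read()  # the image keeps unallocated data
        # Simulate accidental damage or tampering: flip a single byte mid-image.
        with open(image_path, "r+b") as f:
            f.seek(12345)
            original = f.read(1)
            f.seek(12345)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = verify_image(image_path, record)
    return record, verified, tampered_ok, remnant_found


if __name__ == "__main__":
    rec, ok, tampered, found = run_demo()
    print(f"acquired {rec['bytes']} bytes")
    print(f"MD5    {rec['md5']}")
    print(f"SHA256 {rec['sha256']}")
    print(f"verified: {ok}, verified after tamper: {tampered}, remnant found: {found}")
```

The digests returned by image_device are what would be written on the evidence form at acquisition time; verify_image is the check run before every later examination and again before court. Requiring both digests to match means an attacker who could engineer an MD5 collision would still have to match SHA-256 on the same bytes.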
Bad extensions and why it is important to fix them
A bad extension means that a file's extension does not match its file signature, the fixed sequence of bytes at the start of the file header that identifies its type (for example FF D8 FF for a JPEG image, 89 50 4E 47 0D 0A 1A 0A for a PNG image, or 25 50 44 46 for a PDF). This arises in two ways: either the file has simply been renamed (a picture saved as notes.txt, say), in which case the content is intact and the header still reveals the true type, or the first few header bytes have been deliberately overwritten so that the file no longer opens. In the first case I would rename the file to the correct extension, and in the second I would restore the correct signature bytes with a hex editor, which returns the file to its original usable state. Files with bad extensions are frequently the ones a person wanted to hide, so knowing how to detect and fix them lets me uncover pictures or messages that would otherwise stay invisible and brings me closer to closing the case.
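The check described above can be automated by comparing each file's extension against its header bytes. The following is an added example, not code from this report or from any forensic tool named in it. It uses a short, hypothetical signature table (real tools carry thousands of entries), classifies constructed sample files as matching, renamed, or carrying an altered header, and restores the signature of a JPEG whose first three bytes were zeroed. All sample file names and contents are constructed for the demonstration.

```python
"""File-signature (magic number) check for bad extensions (added example).

All sample files are constructed in memory; they are not evidence from the case.
"""
import os

# Leading bytes of genuine files of each type. Deliberately short (hypothetical)
# subset; production tools carry thousands of signatures.
SIGNATURES = {
    "jpg":  b"\xFF\xD8\xFF",
    "jpeg": b"\xFF\xD8\xFF",
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",              # covers GIF87a and GIF89a
    "pdf":  b"%PDF",
    "zip":  b"PK\x03\x04",
    "docx": b"PK\x03\x04",        # Office Open XML is a ZIP container
}
HEADER_LEN = 16  # longer than any signature above


def identify(header):
    """Return the set of extensions whose signature matches the header bytes."""
    return {ext for ext, magic in SIGNATURES.items() if header.startswith(magic)}


def check_extension(name, header):
    """Classify a file from its name and first bytes.

    'ok'        extension agrees with the signature
    'mismatch'  header is a known type but the name says otherwise (renamed file)
    'unknown'   header matches nothing known (possibly an altered header)
    Returns (verdict, matching_extensions)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    matches = identify(header[:HEADER_LEN])
    if ext in matches:
        return "ok", matches
    if matches:
        return "mismatch", matches
    return "unknown", set()


def restore_header(data, ext):
    """Write the genuine signature for ext over the leading bytes.

    Use only when the true type is known from other evidence, e.g. the JFIF or
    Exif marker that still follows a damaged JPEG start-of-image, or a matching
    thumbnail elsewhere on the disk."""
    magic = SIGNATURES[ext]
    return magic + data[len(magic):]


def scan(files):
    """Run the check over {name: bytes}; returns {name: (verdict, matches)}."""
    return {name: check_extension(name, data) for name, data in files.items()}


# Constructed samples: only the header bytes matter for this check.
JPEG_BODY = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64
PNG_BODY = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 64

SAMPLES = {
    "holiday.jpg": JPEG_BODY,                       # genuine
    "notes.txt": JPEG_BODY,                         # picture renamed to hide it
    "photo.jpg": b"\x00\x00\x00" + JPEG_BODY[3:],   # first 3 header bytes zeroed
    "icon.jpg": PNG_BODY,                           # PNG wearing a .jpg extension
}


if __name__ == "__main__":
    for name, (verdict, matches) in scan(SAMPLES).items():
        print(f"{name:12} {verdict:9} {sorted(matches)}")
    fixed = restore_header(SAMPLES["photo.jpg"], "jpg")
    print("photo.jpg after restore:", check_extension("photo.jpg", fixed)[0])
```

A "mismatch" verdict points to a renamed file and needs no repair beyond opening it as its real type; an "unknown" verdict on a file that should be a picture is the case where the header itself was altered, and restore_header reproduces what an examiner would do by hand in a hex editor. The repair should be made on a working copy of the image, never on the original evidence.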