Evidence Collection Cases 1. In this case the first thing that first responders need to recognize is that the computer was on when the suspect was arrested and there may be evidence that they need to collect right away. If data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding. First responders should also be alert to the crime scene environment. They should look out for pieces of paper with handwritten notes, passwords, usernames, and software and hardware manuals. These forms of evidence also should be documented and preserved in compliance with departmental policies. In this case the computer should also be checked for DNA so investigators can match the suspects DNA to the arson crime scenes. Also TimeFrame Analysis can be used to link any files of interest to the timeframes of the investigation. All these things can help link the suspect to the crimes, and in doing so can help tell the insurance company whether the claims are valid. 2. Case 4-4 (bomb threat)
A list of what items should be included in an initial response field kit to ensure preservation if digital evidence.

The initial response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. * Small computer toolkit * Large-capacity drive * IDE ribbon cable * SATA cables * Forensic boot media containing an acquisition utility * Laptop IDE 40 to 44-pin adapter, other adapter cables * Laptop or tablet computer * FireWire or USB dual write-protect external bay * Flashlight * Digital Camera with extra batteries * Evidence log forms * Notebook or digital dictation recorder * Computer evidence bags (antistatic bags) * Evidence labels, tape, and tags * Permanent marker * External USB devices or a portable hard drive
With the home and IP address located these tools should be all the first responder needs to collect the digital evidence needed to bring criminal charges against the suspect. 3. With the field of digital forensics growing rapidly there are many issues out there that can disrupt and discredit even the most experienced forensic examiner. One of the issues that continues to be of utmost importance is the validation of the technology and software associated with performing a digital forensic examination. Knowing how to design and properly maintain a good validation process is a key requirement for any digital forensic examiner. According to NSIT test results must be repeatable and reproducible to be considered admissible as electronic evidence. Digital forensics test results are repeatable when the same results are obtained using the same methods in the same testing environment. Digital forensics test results are reproducible when the same test results are obtained using the same method in a different testing environment. There are four steps involved with validating a new forensics software package. Those four steps include: Develop the plan, develop a controlled data set, conduct tests in a controlled environment, and validate the test results.
Developing the plan: Developing the scope of the plan may involve background and defining what the software or tool should do in a detailed fashion. Developing the scope of the plan also involves creating a protocol for testing by outlining the steps, tools, and requirements of such tools to be used during the test. This may include evaluation of multiple test scenarios for the same software or tool. To illustrate, if validating a particular forensic software imaging tool, that tool could be tested to determine whether or not it successfully creates, hashes, and verifies a particular baseline image that has been previously setup.
Develop a controlled data set: this is the most involved step in the process. This is because it involves setting-up specific devices and baseline images and then adding data to the specific areas of the media or device. Acquisitions would then need to be performed and documented after each addition to validate the primary baseline. This baseline may include a dummy mobile phone, USB thumb drive, or hard drive depending on the software or hardware tool you are testing.
Conduct tests in a controlled environment : Outside all the recommendations and standards set forth by NIST and the legal community, it only makes sense that a digital forensics examiner would perform an internal validation of the software and tools being used in the laboratory. In some cases these validations are arbitrary and can occur either in a controlled or uncontrolled environment.
Validate test results: testing is conducted against the requirements set for the software or tool in the previous steps. The results generated through the experimentation and validation stage must be repeatable. Validation should go beyond a simple surface scan when it comes to the use of those technologies in a scientific process. Each requirement should be tested at least three times. If there are any variables that may affect the outcome of the validation (e.g. failure to write-block, software bugs) they should be determined after three test runs

After going through these steps you should have validated a new forensic software package, with no worries that it might fail.

4. Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. With the hash value in hand, you can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file. Using the hexadecimal editors can be faster and easier that with a digital forensic tool. The advantage of recording hash values is that you can determine whether data has changed, which can be important in an investigation. Password recovery is becoming more common in digital forensics analysis. Several password cracking tools are available for handling password-protected data or systems. Some of these products are integrated into a digital forensics tool, such as OSforensics. Others, are stand-alone tools that typically require extracting password files or accessing a suspects disk or image file directly. Some of these tools are as follows: * Last Bit * AccessData PRTK * Ophcrack * John the Ripper * Passware
Most of these tools use a dictionary attack or brute-force attack to crack passwords. Brute-force attacks use every possible letter, number, and special character found on the keyboard, eventually cracking any password. However this method can require a lot of time, and processing power. In a dictionary attack, the program uses common words found in the dictionary and tries them as passwords. With many of these programs, you can build profiles of a suspect to help determine his or her password. These programs consider names of relatives or pets, favorite colors, and schools attended. The principle behind these programs is that people have a habit of using things their comfortable with, especially when it comes to memorization. Many password- protected OS and applications store passwords in the form of MD5 or SHA hash values. A brute-force attack requires converting a dictionary password from plaintext to a hash value. Because of the hash values a Rainbow Table has been developed. This table is a file containing the hash values for every possible password that can be generated from a computers keyboard. This method is much faster than the dictionary or brute-force methods. For the drive that is being investigated there are many options for cracking the passwords associated with the drive.