Know and understand scanning the storage media used to transfer data

4 Networks and the effects of using them

Objective: Scanning the storage media used to transfer data

Scanning is the process of creating a bit‑by‑bit copy of a storage device (like a USB stick, SD card, or hard drive) so that the data can be examined without altering the original. Think of it as making a photocopy of a book before you start highlighting – the copy stays safe, and you can read, analyze, or share it freely. 📁🔍

Why Scan?

- Preserve evidence for legal or academic purposes.
- Avoid accidental data loss.
- Enable detailed analysis of file structures, hidden files, and deleted data.
- Ensure the integrity of the original media for future use.

Steps to Scan Storage Media

  1. Identify the media: Check the device type (USB, SD, HDD) and its capacity. 📦
  2. Prepare the environment: Use a clean, secure workstation and ensure you have the necessary permissions. 🔒
  3. Choose a forensic tool: Popular options include FTK Imager, dd, and EnCase. 🛠️
  4. Capture an image: Create a sector‑by‑sector copy. Example command for dd:
       dd if=/dev/sdb of=~/images/sdb.img bs=4M
  5. Verify the hash: Calculate a checksum (MD5, SHA‑1 or, as in the commands here, SHA‑256) of the original and the image to confirm they match:
       sha256sum /dev/sdb > original.sha256
       sha256sum ~/images/sdb.img > image.sha256
  6. Analyse the image: Use forensic software to explore files, recover deleted data, and search for keywords. 🔎
  7. Document everything: Keep a log of steps, tools, and findings for exam or report purposes. 📓
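Steps 4, 5 and 7 combined into one script, as an added example that is not part of the original notes. The function names (digest_of, verify_image, image_and_verify) and the log format are assumptions. It compares only the digest field, because the files written by `sha256sum ... > file` also record the path and so never match byte for byte.

```shell
#!/bin/sh
# Added example: image a source, verify by SHA-256, and log the result.
# Requires dd, sha256sum and awk (GNU coreutils assumed).

# digest_of PATH: print only the hex digest, without the file name column.
digest_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image SRC IMG: return 0 if both digests are identical, 1 otherwise.
verify_image() {
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

# image_and_verify SRC IMG LOG: copy SRC to IMG, hash both, append one
# log line (UTC time, paths, digests, result). Returns 0 only on a match.
image_and_verify() {
    src=$1
    img=$2
    log=$3
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 2
    src_hash=$(digest_of "$src")
    img_hash=$(digest_of "$img")
    if [ "$src_hash" = "$img_hash" ]; then
        result=MATCH
    else
        result=MISMATCH
    fi
    printf '%s src=%s img=%s src_sha256=%s img_sha256=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$src_hash" "$img_hash" "$result" >> "$log"
    [ "$result" = MATCH ]
}

# Usage: sh image.sh /dev/sdb "$HOME/images/sdb.img" "$HOME/images/sdb.log"
if [ "$#" -eq 3 ]; then
    image_and_verify "$@"
fi
```

Re-running verify_image before each later analysis session shows that the working copy still matches the original.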

Common Forensic Tools

| Tool | Key Feature | Free/Paid |
| --- | --- | --- |
| FTK Imager | GUI, supports many file systems | Free for basic use |
| dd (Linux) | Command‑line, very fast | Free |
| EnCase | Advanced analysis, case management | Paid |

Key Terms

Image: A bit‑exact copy of a storage device.

Checksum: A value (e.g., SHA‑256) that verifies data integrity.

Chain of Custody: Documentation that records who handled the evidence and when.

Sector: The smallest unit of data on a disk (usually 512 bytes).

Exam Tips

📝 Tip 1: When answering questions, start with a brief definition of scanning, then outline the step‑by‑step process, and finish with a short example.

📝 Tip 2: Use the formula for data transfer rate to show understanding of speed: $R = \frac{D}{t}$, where $D$ is data size and $t$ is time.

📝 Tip 3: Remember to mention the importance of hashing (e.g., SHA‑256) to prove the image hasn't been altered.

📝 Tip 4: Include a short analogy (like photocopying a book) to demonstrate the concept clearly.
