Respond to Questions from the Legal Team


In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you will create a legal memorandum that responds to pointed questions from your organization’s legal team. The legal team has been involved in cybercrime cases before, but team members want to make sure they are prepared for possible legal challenges. They have requested very specific information about imaging procedures based upon your review of reference sources in the field.

Questions from the legal team:

Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why? (I chose MD5 algorithm)

What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (one to two pages following this format) written in plain, simple English. The memo will be included as an attachment to your final forensic imaging lab report in the final step, so review it carefully for accuracy and completeness.
You are hoping that you will be able to access the suspect’s local computer next.