Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?

Image a USB Drive Using Windows Tools
After imaging the USB drive with Linux in Step 2, your next step is to image the USB drive again, this time using Windows tools. Review your “Resources and Procedures Notes” first, then go to the virtual lab. When you complete the activity, review your lab notes and report for accuracy and completeness; they will be included in your final forensic imaging lab report (Step 7).

Your organization’s legal team has some questions for you in Step 4.

Step 4: Respond to Questions from the Legal Team

In previous steps, you imaged the USB drive using Linux and Windows tools. In this step, you respond to pointed questions from your organization’s legal team. The legal team has been involved in cybercrime cases before, but they want to make sure they are prepared for possible legal challenges. They have requested very specific information about your imaging procedures.

Questions from the legal team:

1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?

2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?

3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?

4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

The legal team would like you to respond in the form of a brief memo (1-2 pages) written in plain, simple English. The memo will be included in your final forensic imaging lab report (Step 7) so review it carefully for accuracy and completeness.

You are hoping that you will be able to access the suspect’s local computer next!