Interview question about preserving metadata

(@smich)
Posts: 8
Active Member
Topic starter
 

Hi folks,

I have an interview for a data process role. The position involves using in-house tools to process media to a database. I'm trying to second-guess some questions I may be asked and am looking for some advice.

What's the best way to ensure that metadata stays intact to its original format?
What's the best way to ensure that I don't break the chain of custody?

I know the overall importance of metadata: it contains essential data about files, especially when reviewing a case with regard to a timeline. I think the best way to ensure that metadata stays intact would be to acquire an image using a specialist tool such as EnCase and review the data from this rather than the original itself. Is this correct? I feel I may be overthinking things a bit, but I really would like the job and I don't want to come across badly.

Any help will be greatly appreciated.

 
Posted : 08/04/2014 12:14 am
(@a-nham)
Posts: 32
Eminent Member
 

I am not sure what you mean by "in house tools," but I am assuming that you mean tools on site (forensic tools) and not tools literally in your actual house. I am also assuming by media, you mean physical media, like a physical spindle hard drive and not a local volume like the C drive in Windows.

To your first question on preserving metadata, I am assuming all you mean is you don't want to alter the file or its contents. For that you usually use something called a write blocker; you connect that to your hard drive so that it is read only. That way nothing is ever written to it, preserving both the metadata and the content. I believe EnCase does have a software module write blocker, but what you usually want is a hardware write blocker (reason being that the BIOS can still write to the drive when you use a software write blocker). If you are doing forensics work on the drive (this is to say you must interact and possibly change what is on the drive), it is just as you said: you will probably be making a copy through a write-blocked drive with things like EnCase or dd_rescue, before processing it with EnCase, X-Ways, FTK, or whatever the company uses.

Chain of custody, to my understanding, is just a form you fill out so there is documentation on your evidence. You just want to document every move you make, however your company wants. That said, I am still a student and a total noob in this topic, so take it with a grain of salt.

Also totally feel your eagerness, looking for jobs/internships myself. Hope this helps. Good luck with the interview.

 
Posted : 08/04/2014 3:59 am
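
The imaging step described in the reply above, as an added example that is not part of the original thread: copy the source without writing to it, confirm the copy is bit-for-bit identical, and record the acquisition. The hash comparison, the log format and the function names are assumptions added here; a regular file stands in for the write-blocked drive, and plain `dd` is used in place of dd_rescue or EnCase.

```bash
#!/usr/bin/env bash
# Added example. A regular file stands in for the write-blocked source drive.

# Print only the SHA-256 hex digest of a file.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# acquire_image SRC DST LOG EXAMINER
# Copies SRC to DST without ever opening SRC for writing, then checks that
# (a) SRC hashes the same before and after the read and (b) DST matches SRC.
# A bit-for-bit match means every file's metadata inside the image is intact.
# On success, appends one custody record to LOG and returns 0.
acquire_image() {
    local src=$1 dst=$2 log=$3 who=$4 before after image
    before=$(sha256_of "$src")
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    after=$(sha256_of "$src")
    image=$(sha256_of "$dst")
    [ -n "$before" ] && [ "$before" = "$after" ] && [ "$before" = "$image" ] || return 1
    chmod a-w "$dst"    # the working copy is read-only from here on
    printf '%s|%s|acquired|%s|%s|sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$src" "$dst" "$image" >> "$log"
}

# verify_image IMG LOG
# Re-hashes IMG and compares it with the digest recorded for it in LOG.
verify_image() {
    local img=$1 log=$2 recorded
    recorded=$(awk -F'|' -v p="$img" \
        '$5 == p { sub(/^sha256=/, "", $6); h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$img")" ]
}

# Demo on constructed data: build a sample evidence file, image it, verify it.
demo() {
    local dir; dir=$(mktemp -d) || return 1
    head -c 10000 /dev/urandom > "$dir/evidence.bin"   # constructed sample
    acquire_image "$dir/evidence.bin" "$dir/evidence.dd" "$dir/custody.log" "examiner1" \
        && verify_image "$dir/evidence.dd" "$dir/custody.log" \
        && cat "$dir/custody.log"
    local rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

Re-running `verify_image` before each later processing step gives every custody entry a check that the working copy is still the one that was acquired.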
Davies259
(@davies259)
Posts: 16
Active Member
 

To be honest mate, it doesn't sound like you have a background in forensics. The chain of custody is a big deal, as is the prevention of data being altered during the investigation. Both these areas form a fundamental part of Digital Forensics and are really considered to be quite basic / standard knowledge. Sorry if that sounds a bit harsh. Out of interest, how did you get on in the interview?

 
Posted : 14/08/2014 3:13 am