Name: ________________________________ Class: ____________Date: __________
Severe & Hazardous Weather Active Learning Exercises – Ed 4
Exercise 17.3 Features of a Downslope Windstorm
The diagram above is a cross section through a mountain range looking west to east. The
contours shown are streamlines of wind flow. A downslope windstorm is occurring. The gray
shaded region indicates the location of clouds. On the diagram, place letters where the features
listed below are located:
A. Chinook Wall
B. Rotor
C. Hydraulic Jump
D. Breaking waves
E. Inversion
F. Most severe winds at surface
G. Shooting flow
H. Snowstorm
Chapter 7
Data Acquisition
Never Work on the Original
Make forensically sound copies
Keep a master copy and make several working copies
Calculate a hash value of each copy and make sure they match
Each copy must have a unique identifier
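Added example (not part of the original slides): one way to carry out the four steps above in Python for an image file that has already been acquired, not for acquisition from the original media. The case ID format, the .dd file naming and the function names are assumptions made for illustration, and the sample image is constructed random data.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB chunks so large files never sit in RAM


def sha256_file(path):
    """Hash a file from disk in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_working_copies(master, dest_dir, count, case_id):
    """Duplicate the master image `count` times; return one manifest row per copy."""
    master_hash = sha256_file(master)
    manifest = [{"id": f"{case_id}-MASTER", "path": master, "sha256": master_hash}]
    for n in range(1, count + 1):
        copy_id = f"{case_id}-WC{n:02d}"  # hypothetical unique identifier scheme
        path = os.path.join(dest_dir, copy_id + ".dd")
        with open(master, "rb") as src, open(path, "xb") as dst:  # "x": never overwrite
            for block in iter(lambda: src.read(CHUNK), b""):
                dst.write(block)
        copy_hash = sha256_file(path)  # re-read what actually landed on disk
        if copy_hash != master_hash:
            raise ValueError(f"{copy_id}: hash mismatch, discard this copy")
        manifest.append({"id": copy_id, "path": path, "sha256": copy_hash})
    return manifest


def verify(manifest):
    """Return the ids whose current on-disk hash no longer matches the manifest."""
    return [row["id"] for row in manifest if sha256_file(row["path"]) != row["sha256"]]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        master = os.path.join(tmp, "master.dd")
        with open(master, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # constructed stand-in for a disk image
        rows = make_working_copies(master, tmp, 2, "CASE-0001")
        with open(rows[1]["path"], "r+b") as fh:  # simulate a one-byte alteration
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        print("altered copies:", verify(rows))
```

Re-running verify against the stored manifest before and after each examination shows whether a working copy was changed while it was in use.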
Order of Volatility
RAM
Temporary files
Local disks
External storage media
Network attached storage (NAS or SAN)
Archival backups
Memory and Running Processes
Memory can hold passwords
Can be difficult to extract, but in a pinch may be all you have
Running processes can identify malware running on the system
Routing tables can be extracted from memory
Network connections reside in RAM
Capturing Memory
Memory is a device
Memory can be dumped into a file
The amount of memory captured may be different from the amount of installed RAM
Some utilities capture device cache memory
Some utilities don’t capture installed RAM devoted as a device cache
Memory Capture Utilities
Most commercial forensic suites offer memory capture capability
DD utility (both Windows and Linux)
DumpIt
Memoryze
Memory Capture Tips
Keep your memory footprint to a minimum
Run from a flash drive if possible
Copy memory image to an external device
Make sure device capturing image can handle large files
Computers today have large amounts of RAM
Many USB drives continue to be formatted to FAT32 (4GB maximum file size)
Memory Capture Procedures
Start the documentation process
Run a batch file that collects user information, network connections, time/date, and open files
Collect a memory dump
Copy the paging file
Copy any hibernation files
Media Capture
Document everything
Use a forensic write-blocker when copying any data
Do NOT use standard copy utilities to make copies
Store all images on forensically sound media
Disk Image File Formats
DD Images (bit-for-bit)
Expert Witness Format (EWF)
Advanced Forensic Format (AFF)
Safeback (by NTI)
ILook Imager
ProDiscover File Format
Chapter 6
First Response and The Digital Investigator
Forensics and Computer Science
Just what does “forensics” mean?
Suitable for presentation in court
Digital forensics combines legal process with technology
The job of the digital forensic investigator
NEVER do harm to the investigation
Acquire evidence from computer devices that can be used as evidence
Locard’s Principle
If you touch it, you change it
Whatever a criminal touches, there is evidence to be found
Whatever an investigator touches, there is evidence to be destroyed
BUT… changing the evidence does not necessarily render it unusable
Characteristics of Evidence
Class characteristics
A large group can share the same characteristic
Used to narrow the search pattern
Individual characteristics
A descriptive element that is unique to a sample
Colors are not unique—but serial numbers are
Digital Versus Physical Evidence
A paper document is physical
May carry fingerprints or chemical elements to analyze
Will not prove who created it
Will not carry metadata for further analysis
A digital document has the metadata and can be traced to the owner
They are not the same piece of evidence
Digital Media
A paper document that is burned is gone for good
A digital document that is deleted can be restored
Digital sources carry evidence of the document other than the document itself
File system metadata
Registry entries
Temporary files
First on the Scene
Always find out who is in charge before you begin
It will never be you
There might be multiple “owners” of the scene
Secure the scene
People’s safety first
Integrity of the evidence next
Identify potential sources of evidence
Document the Scene
Take a LOT of photographs
Always carry a digital camera
Try to make it a point to also carry a video camera
Make an inventory of all potential devices that might contain evidence (start a chain of custody)
Make notes on your observations (and remember that they can be subpoenaed)
Identifying Data Sources
Obvious sources
Computers
PDAs
Cell phones
External drives
CDs
Other media
Less obvious sources
Less Obvious Sources
Digital cameras and video recorders
Game machines
Digital audio recorders
Printer/Fax machines
Answering machines
Owner’s manuals may point to sources not present
Handling Evidence
Identify and photograph the evidence
Document the evidence (make, model, S/N, etc.)
Package the evidence for transport
Should you block signals?
Should power be maintained?
Transport the evidence safely and securely
Store the evidence safely and securely
Chain of Custody
Must identify the material in a way unique to that individual item
One of the most critical pieces of documentation
Follows each piece of evidence around everywhere it goes
Must be updated each time it moves or changes hands
Documenting Evidence
Where was it found?
What state was it in?
What time and on what date was it collected?
Give a physical description of the evidence
Type of device
Capacity, condition, etc.
Identify make, model, S/N if applicable
Packaging Evidence
Protect from impact
Protect from electro-magnetic radiation
Protect from extreme temperature and moisture
Protect from tampering
Make sure it is clearly labeled
Transporting Evidence
Never assume that a computer is stand-alone
Determine if it should remain powered up
If it must be shut down, document the state of the computer before breaking it down
What application was active?
Running processes (if possible)
Network connections (if possible)
Protect portable devices and media from external corruption
Storing Evidence
Chain of custody rules apply to storage
Log in/log out must include who, what, when, where, and why
Rules of protection during transport apply equally to storage
Access to storage must be limited and monitored
Disposition of Evidence
When the job is done, evidence must be destroyed or returned
All contraband must be destroyed, regardless of provenance
Private or intellectual property may be either returned or destroyed, depending on the courts
If destroyed, the material must be rendered completely unrecoverable
Severe & Hazardous Weather Active Learning Exercises – Ed 4
Exercise 16.2 Pressure Patterns, Wind Flow, and Mountain Snows
The four surface maps below each show the sea level pressure distribution across the western United States on different days in January.
1. Draw arrows around the pressure systems to indicate wind direction. (The first one is done for you.)
2. Shade in the regions on each map where the wind direction is favorable for the development of snow in the mountains of the western United States.
3. If the snow would fall on the east slope of the Rockies, label it “upslope snow.”
1.2 – Case Study
Case studies are accident accounts that can provide valuable insight into how people make decisions that lead to accidents. Read the following case study (or one supplied by the instructor) and consider how the components of the AIARE DMF apply to the decisions that were made. These are not “Darwin Award” candidates. They are regular backcountry recreationists whose decisions led to unwanted consequences. Note that while this incident affected recreational backcountry users, professionals have made similar mistakes. This story underscores the fact that all humans are capable of making poor decisions. Following the case study there is an exercise to complete. While reading, make a note of any factors outlined in the DMF that in retrospect could have alerted the group about the risk to which they were exposing themselves. How could the team have created and chosen better options for the day? How could they have increased their margin of safety and still accomplished their goals?
ACCIDENT REPORT: OHIO PASS, COLORADO
Date: February 25, 2001
Location: East Bowl in the Anthracite Range, 7 miles west of Crested Butte, CO.
The account below is condensed from a report written by Dale Atkins, who investigated the accident for the CAIC:
The day dawned clear and cold after a 10” snowfall the day before. A group of 5 friends - two men and three women - met at the Kebler Pass trailhead and snowmobiled into the Anthracite Range, approximately 7 miles from Crested Butte, for a day of powder skiing in the backcountry. All of the group were experienced backcountry travellers familiar with the terrain, most having lived and skied in the area for 15 plus years. One member of the party was a former ski patroller. Everyone had formal avalanche training and carried a transceiver, shovel and probe.
The public avalanche bulletin that day reported a danger level of “moderate with pockets of considerable at or near treeline.” The bulletin also noted that backcountry skiers in the Crested Butte area had reported triggering avalanches recently but had no information about where or when the avalanches had occurred. That day, the group left early and did not access the bulletin.
The day was going well as the group skied laps on 30+ degree slopes in treed and open runs generally on northern facing aspects. The snow was perfect and they experienced no cracking and saw no avalanches. There were two other groups skiing in the same area.
On their last run they decided to ski “East Bowl,” one of the available routes down to the snowmobiles. East Bowl, as the name implies, faces east and is a mix of treed and open slopes with a variety of terrain features such as convexities, wind rolls, small cliffs and many small trees. In general it is steeper than the terrain the group had been skiing that day with slope angles between 25-45 degrees. At the top, the group saw two ski tracks leading into the bowl. All was progressing fine when part way down the group split up into one group of 2 and one group of 3 with the plan to meet on a shelf in the trees above the last pitch. The group of 2 (Mitch and Sue) split up with Mitch skiing to the bottom beyond the meeting point and the other, Sue, meeting the group of 3, above the last pitch, in sight of the snowmobiles at the bottom. The group had voice contact with Mitch at the bottom of the run a short distance away and Sue decided to traverse over to where he had skied down. On the traverse to the slope that Mitch had descended she intersected with a steep rollover, triggered and was caught in an avalanche. Sue remained on the surface but sustained a fatal head injury and died at the scene. Crested Butte lost a cherished member of the community that day.
ACTIVITY:
Discuss the case study and the accident summary with your group. Assume the role of an accident investigator. Using both the case study story and the accident summary, seek clues to causes of the accident. List the clues in the appropriate categories below.
Choose Terrain
Travel Wisely
Observe