Chapter 1 - Digital Forensics


Types of Hard Drives

1) Small Computer System Interface (SCSI)
2) Integrated Drive Electronics (IDE)
3) Enhanced Integrated Drive Electronics (EIDE)
4) Parallel Advanced Technology Attachment (PATA)
5) Serial Advanced Technology Attachment (SATA)
6) Serial SCSI
7) Solid-state drives (SSDs): use microchips to retain data in non-volatile memory chips and contain no moving parts.

In completing an analysis, forensic specialists face variations in the following:

1) Volume of data to be analyzed
2) Complexity of the computer system
3) The size and character of the crime scene, which might involve a network that crosses U.S. and foreign jurisdictions
4) The size of the caseload and resource limitations

Foreign Intelligence Surveillance Act of 1978

A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents

The Foreign Intelligence Surveillance Act of 1978 (FISA)

A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism.

Page (for computers)

A data structure that maps virtual addresses to physical addresses

The Communications Assistance to Law Enforcement Act of 1994

A federal wiretap law for traditional wire telephony. Expanded in 2004 to include wireless, voice over packet networks, etc.

Expert report

A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report. The expert cannot directly testify about anything not in their expert report. The report must address a specific subject, or the same rule applies. It must include everything and be thorough.

HDD data is organized by:

A sector: the basic unit of data storage on a hard disk, which is usually 512 or 4096 bytes.
A cluster: a logical grouping of sectors, 1 to 128 sectors in size.
Sectors are in turn organized by tracks.
Drive geometry: refers to the functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.

What is Asynchronous Dynamic RAM (ADRAM)?

ADRAM is not synchronized to the CPU clock.

Rule 703: Bases of an Expert

An expert may base an opinion on facts or data in the case that the expert has been made aware of or personally observed. If experts in the particular field would reasonably rely on those kinds of facts or data in forming an opinion on the subject, they need not be admissible for the opinion to be admitted. But if the facts or data would otherwise be inadmissible, the proponent of the opinion may disclose them to the jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their prejudicial effect.

Curriculum Vitae (CV)

An extensive document expounding one's experience and qualifications for a position, similar to a resume but with more detail. In academia and expert work, a CV is usually used rather than a resume.

Rule 704: Opinion on ultimate issue

An opinion is not objectionable just because it embraces an ultimate issue. In other words, an expert witness can, in many cases, offer an opinion as to the ultimate issue in a case.

What is Burst EDO (BEDO) DRAM?

BEDO DRAM can process four memory addresses in one burst.

Programmable read-only memory (PROM)

Can be programmed only once; data is not lost when power is removed.

Steps of Computer Forensics

Collecting evidence
Analyzing evidence
Presenting evidence

Digital forensics

Computer forensics expanded to include smartphones, smart watches, and other current and forthcoming digital media and devices

Volatile memory

Computer memory that requires power to maintain the data it holds, and can be changed. RAM is highly volatile; EEPROM is very nonvolatile

Unlawful Access to Stored Communications: 18 U.S.C. § 2701

Covers access to a facility through which electronic communication is provided or exceeding the access that was authorized

What is Double Data Rate (DDR) SDRAM?

DDR SDRAM is a later development of SDRAM that has evolved all the way up to DDR5.

Types of anti-forensic techniques

Data destruction
Data hiding
Data transformation
File system alteration

Metadata

Data about the data, including information about when a file or directory was created, when it was last modified, etc.

Erasable programmable ROM (EPROM)

Data not lost when power is removed; EPROM is a technique for storing instructions on chips.

U.S. Federal Rule 702

Defines what an expert is and what expert testimony is: "A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
a) the expert's knowledge will help the trier of fact to understand the evidence or determine a fact
b) the testimony is based on sufficient facts or data
c) the testimony is the product of reliable principles and methods
d) the expert has reliably applied the principles and methods to the facts of the case"

Communication over a Network

Depends on an IP address and a port number

Types of Digital System Forensics Analysis

Disk, Email, Network, Internet, Software, Live system, and cell-phone forensics

Document Trail

Document everything.
What was present when the device was seized?
What was connected to the device or showing on the screen when it was seized?
What tools/techniques did you use?
Who had access to the evidence from the time of seizure until the time of trial?

What is Extended Data Out Dynamic Random Access Memory (EDO DRAM)?

EDO DRAM has the ability to carry out a complete memory transaction in one clock cycle.

When working with large volumes of data, a forensic specialist must:

Ensure that his or her equipment is capable of manipulating large volumes of information quickly
Provide for duplicate storage so that the original media and its resident information are preserved and protected against tampering and other corruption
Create backups early and often to avoid losing actual information and its associated metadata
Document everything that is done in an investigation and maintain the chain of custody
Work within budget

Rule 401: Test for relevant evidence

Evidence is relevant if (a) it has any tendency to make a fact more or less probable than it would be without the evidence and (b) the fact is of consequence in determining the action.

Distributed Crime Scenes

Evidence is often in a different language
Crime scenes may span the globe
Requires cooperation of local, state, and tribal governments

Popular file systems

File Allocation Table (FAT), New Technology File System (NTFS), ReFS, Apple File System (APFS), Extended file system, ReiserFS, the Berkeley Fast File System

Facts about files

File headers start at the first byte of a file.
In graphic file formats, the header might give information about an image's details.
The Executable and Linkable Format (ELF) is a common standard file format on UNIX-based systems.
Portable Executable (PE) is used in Windows.
Areal density is the data per unit area of disk.
Windows Office files have a globally unique identifier (GUID).

Secure the Evidence

For the integrity of your investigation as well as maintaining the chain of custody, it's crucial to secure the evidence. If anyone tampers with the evidence, its integrity is ruined.

Volatility

How easily the data can be changed, either intentionally or unintentionally

Collecting Evidence

How you collect the evidence determines if that evidence is admissible in a court

Telecommunications Act of 1996

Includes provisions relative to the privacy and disclosure of information in motion through, and access to, telephony and computer networks

Testimonial Evidence

Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual

Digital evidence

Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination

Random Access Memory (RAM)

It is easy to write to and read from. RAM is very volatile; as soon as power is discontinued, the data is gone.

Obscured Information

May be scrambled by encryption, hidden using steganographic software, compressed, or in a proprietary format

Analyzing

The most time-consuming part of a forensic investigation. Figure out what the collected data means.

Read-Only Memory (ROM)

Not at all volatile; can't be changed. Used for instructions embedded in chips; controls how the computer, option cards, peripherals, etc. operate

Physical Ports

Ports you can touch; operate at OSI Layer 1, the physical layer

Four types of evidence in court

Real, Documentary, Testimonial, Demonstrative

Federal Privacy Act of 1974

Regulates what personal information the Federal government can collect, maintain, use, and disseminate about private individuals

What is Synchronous DRAM (SDRAM)?

SDRAM is a replacement for EDO DRAM.

The Child Protection and Sexual Predator Punishment Act of 1998, COPA, The Communications Decency Act of 1996

Several acts that were created to protect children on the internet; COPA was deemed unconstitutional

Legal guidelines on expert report writing

Start with the expert's qualifications (CV)
Be thorough and include every detail you wish to talk about
Use reputable sources
Completeness

The Wireless Communications and Public Safety Act of 1999

The Wireless Communications and Public Safety Act of 1999 allows for collection and use of "empty" communications, which means nonverbal and nontext communications, such as GPS info

Anti-forensics

The actions that perpetrators take to conceal their locations, activities, or identities

Basic Input/Output System (BIOS)

The basic instructions stored on a chip for booting up the computer

Chain Of Custody

The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered. If a forensic specialist can't demonstrate that they have maintained the chain of custody, then the court may consider all their conclusions invalid.

Disk Forensics

The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones. Includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.

Software forensics / malware forensics

The process of examining malicious computer code

Cell-phone forensics

The process of searching the contents of cell phones

Journaling

The process whereby the file system keeps a record of what file transactions take place so that, in the event of a hard drive crash, the files can be recovered. There is physical and logical journaling.

Daubert Standard

The standard holding that only methods and tools widely accepted in the scientific community can be used in court

Email forensics

The study of the source and content of email as evidence, including the identification of the sender, recipient, date, time, and origination location of an email message

Expert testimony

The testimony of an expert witness, one who testifies on the basis of scientific or technical knowledge relevant to a case, rather than personal experience

Slack space

The unused space between the logical end of a file and the physical end of the file; can be used to hide data. AKA file slack.

Computer Forensics

The use of analytical and investigative techniques to identify, collect, examine, and preserve computer-based material for presentation as evidence in a court of law. Any device that can store data is potentially the subject of computer forensics.

ipconfig

The utility used to display TCP/IP addressing and domain name information in the Windows client operating systems.

probative value

The value of evidence in helping determine the facts in a case

Electronically erasable PROM (EEPROM)

This form is how the instructions in your computer's basic input/output systems (BIOS) are stored

Rule 706: Court-appointed expert witness

This rule covers the appointment of neutral experts used to advise the court. Such experts are working for neither the plaintiff nor the defendant; they work for the court

Corroborating Information

To reach a conclusion and turn raw information into supportable, actionable evidence, a forensic specialist must identify and analyze corroborating information; there must be multiple pieces of information or tools, each reaching the same conclusion.

Authenticate

To verify the identity of a person, or to verify evidence

Rule 705: Disclosing the facts or data underlying an expert

Unless the court orders otherwise, an expert may state an opinion - and give the reasons for it - without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination. Essentially, the expert can state his or her opinion without first giving the underlying facts, but he or she should expect to be questioned on those facts at some point

Don't Touch the Suspect Drive

It is very important to touch the system as little as possible. Make a forensic copy and work with that copy, using tools like AccessData's Forensic Toolkit. Live forensics will be needed when first interacting with the computer or with cloud computing.

Platters HDD

Where magnetic data is stored; organized on a spindle with a read/write head reading and writing data to and from the platters

System Complexity

A wide array of data and formats: PDF, DOC and DOCX, XLS, MP4, MOV, JPEG, GIF, BMP. Data in motion, using things like Voice over IP (VoIP).

Media Access Control (MAC) Addresses

A 6-byte (48-bit) address used to identify a network interface card; the first 3 bytes identify the vendor and the second 3 identify the specific card

Latent Evidence

Can take many forms, from fingerprints left on a window to DNA evidence recovered from bloodstains to the files on a hard drive.
U.S. Computer Emergency Response Team (US-CERT)

Low-level format

creates a structure of sectors, tracks, and clusters

Sarbanes-Oxley Act of 2002

established requirements for proper financial record keeping for public companies and penalties of as much as 25 years in prison for noncompliance

Academia using digital forensics

for forensic research and education.

Insurance companies using digital forensics

for possible fraud in accident, arson, and workers' compensation cases

Individuals using digital forensics

hire forensic specialists in support of possible claims. These cases may include wrongful termination, sexual harassment, or age discrimination

Information

includes raw numbers, pictures, and a vast array of other data that may or may not have relevance to a particular event or incident under investigation

Demonstrative evidence

information that helps explain other evidence - ANY OTHER EVIDENCE.

Real evidence

is a physical object that someone can touch, hold, or directly observe. Examples: laptop with a suspect's fingerprints, a hard drive, a universal serial bus (USB) drive, and a handwritten note

Documentary evidence

is data stored as written matter, on paper, or in electronic files, such as email messages and telephone call-detail records. Investigators must authenticate documentary evidence

Network forensics

is the process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing

Internet forensics

is the process of piecing together where and when a user has been on the internet

Live system forensics

is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse. Each of these types of forensic analysis requires specialized skills and training.

The USA PATRIOT act

law passed due to 9/11 attacks; sought to prevent further terrorist attacks by allowing greater government access to electronic communications and other information; criticized by some as violating civil liberties

Law firms using digital forensics

need experienced system forensics professionals to conduct investigations and testify as expert witnesses. For example, civil cases can use records found on computer systems that bear on cases involving fraud, divorce, discrimination, and harassment.

The Computer Security Act of 1987

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Computer Fraud and Abuse Act

person is liable if he accesses a computer online, without authority, to obtain classified, private, or protected information

High-level format

process of setting up an empty file system and installing a boot sector in a drive. AKA quick format

Electronic Communications Privacy Act of 1986

prohibits the interception of information communicated by electronic means

The Privacy Protection Act of 1980

protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public.

Objective of computer/digital forensics

recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. Emphasis must be on the integrity and security of evidence.

Deposition

testimony taken from a witness or party to a case before a trial - less formal

Corporations using digital forensics

to assist in employee termination and prosecution. For example, corporations sometimes need to gather information concerning theft of intellectual property or trade secrets, fraud, embezzlement, sexual harassment, and network and computer intrusions. They also need to find evidence of unauthorized use of equipment, such as computers, fax machines, answering machines, and mobile phones.

Military using digital forensics

to gather intelligence information from computers captured during military actions

Government agencies using digital forensics

to investigate crimes involving computers. These agencies include the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the Federal Trade Commission (FTC), the U.S. Food and Drug Administration (FDA), and the U.S. Secret Service. They also include the U.S. Department of Justice's National Institute of Justice (NIJ), the National Institute of Standards and Technology (NIST) Office of Law Enforcement Standards (OLES), the Department of Homeland Security, and foreign government agencies, among others.

Data recovery firms using digital forensics

to recover data after hardware or software failures and when data has been lost

ping

used to send a test packet; aka echo packet, to a machine to find out if the machine is reachable and how long the packet takes to reach the machine

Criminal prosecutors using digital forensics

when working with incriminating documents. They try to link these documents to crimes such as drug trafficking, embezzlement, financial fraud, homicide, and child pornography.
