Digital (Computer) Forensics
Scientific methods to identify, preserve, analyze, and present digital evidence for court use.
Expert Testimony Modes
Deposition: sworn, out-of-court Q&A recorded for later use. Live in Court: sworn, direct & cross exams; explain methods, tools, conclusions in plain language.
Eyewitness testimony
Testimony given by a witness who personally observed the event.
Physical Evidence
Tangible evidence that can be physically handled.
Digital Evidence
Evidence in the form of bits & bytes.
Lay vs. Expert witnesses
A lay witness testifies about what they personally observed or experienced, while an expert witness provides opinions and analysis based on their specialized knowledge and expertise.
Material Evidence
Relevant and significant evidence that directly impacts the outcome of a case.
Immaterial Evidence
Evidence that is not relevant or important to the matter at hand in a legal case.
Common AntiForensics
Techniques used to hinder forensic investigations, including secure wiping, encryption, steganography, file/metadata obfuscation, and hidden partitions.
Daubert Standard
An admissibility test requiring that digital forensics tools & processes must be testable, peer-reviewed, have a known error rate, and be generally accepted.
Chain of Custody
Continuous log of who, when, why an item of evidence changed hands; protects evidence integrity.
Typical Computer Crimes
Crimes including hacking, ID theft, cyberstalking, online fraud, DoS, malware distribution, and cyberterrorism.
Order of Volatility
The sequence of data collection from most to least volatile: CPU registers/cache, routing tables & process list, RAM, temporary file systems, disk, remote logs, physical configuration.
Three Evidence-Handling Tasks
1. Identify/collect 2. Preserve (image, hash, store) 3. Analyze/examine.
Before Shutting a Live System
Photograph and document everything, then capture running processes, network sessions, open files, and a RAM image (with photos and timestamps); only then power down.
No PizzaHut Stops
Unattended evidence can be stolen or tampered with, breaking chain of custody and court admissibility.
Pre-Examination Workflow (Drives)
Seize & log, wipe target media, copy bit-level image, hash & verify, secure original, work only on the copy.
Hashes
One-way, fixed-length 'digital fingerprints' designed to be collision resistant (e.g., SHA-256), used to prove data integrity and identify files.
Swap File
A temporary storage space on a hard drive that's used when a computer's physical memory (RAM) is full.
Host Protected Area (HPA)
Hidden drive region invisible to OS; handy for diagnostics or for hiding data.
File Slack (NTFS)
Unused space within a file that exists between the end of the actual file data and the end of the last allocated cluster.
Unallocated Space
Filesystem-marked 'free' areas that still store remnants of deleted data until overwritten.
Steganography
Concealing data inside carrier files so the very existence of a message is hidden.
LSB Method
Embed bits by flipping the least-significant bit of pixel/byte values—imperceptible visual change.
Stego Terms
Payload = hidden data, Carrier = cover file, Channel = medium/route used to deliver carrier.
Detecting Stego
Look for anomalies in the carrier file, such as unusual color patterns, file size discrepancies, or the presence of known steganography signatures.
Detecting Stego Tools
Use specialized tools like StegExpose or StegAlyze to automate the detection process. These tools employ algorithms and statistical models to analyze files for signs of steganography.
Encryption vs Stego
Encryption hides content (obvious ciphertext); stego hides existence of the message.
Kerckhoffs' Principle
Security rests on secrecy of the key, not the algorithm—designs should remain secure if algorithm is public.
Symmetric Crypto
One shared key (fast, key exchange problem).
Asymmetric Crypto
Public/private pair (secure exchange, slower).
Good Hash Algorithm Traits
One-way, collision resistant, fixed-length output.
Frequency Analysis
A method used to measure and analyze the occurrence or frequency of different events, items, or characteristics within a dataset or population.
Ophcrack
Uses precomputed rainbow tables to look up Windows password hashes and recover the passwords rapidly.
Investigation
Structured fact‑finding process to determine what happened and who is responsible.
Forensics
Use of scientific methods to analyze evidence for legal purposes.
Felony
Serious crime punishable by > 1 year in prison or larger fines.
Misdemeanor
Less‑serious crime punishable by ≤ 1 year in jail or smaller fines.
Evidence (physical)
Tangible items (e.g., weapon, hard drive) that support or refute a fact.
Evidence (digital)
Electronic data (e.g., logs, emails) that support or refute a fact.
Testimony
Sworn statement or account given by a witness.
Inculpatory
Supports guilt.
Exculpatory
Supports innocence.
Circumstantial
Indirect.
Hearsay
Secondhand.
dd Extraction Command
dd if=<source device or image> of=<output file> bs=<sector size, e.g. 512> skip=<starting sector> count=<number of sectors>
dd Extraction Example
Example: pull a 200 sector file starting at sector 1000.
Master File Table (MFT)
Stores information about every file on the volume.
MFT Entries
Each file has at least one entry storing metadata.
Attributes
Metadata stored within MFT.
Resident Files
Small files stored directly in the MFT.
Non-Resident Files
Larger files stored in clusters outside the MFT.
Clusters
Smallest unit of storage in NTFS.
Bitmaps
Keeps track of used and free clusters.
File Slack
Unused space in the last cluster of a file.
Forensically Scrubbing a Drive
Overwriting data using tools like DBAN.
Degaussing
Magnetic erasure.
Physical destruction
Shredding, drilling, incineration.
Secure erase commands
Built into SSD firmware.
Super Block
Stores metadata about the file system.
Block Groups
Divides the file system for efficient management.
Inodes
Stores information about files (permissions, size, timestamps).
Data Blocks
Contains actual file data.
Physical Damage
Hardware failure (e.g., head crash, water damage).
Logical Damage
Corrupt file system (e.g., accidental formatting, malware).
Zero-Knowledge Analysis
Recovering data without prior knowledge of the system.
File Carving
Extracting files from raw disk images using header/footer analysis.
File Carving Tools
Scalpel, carver-recovery.exe.
Business Continuity Plan (BCP)
Ensures business functions continue after a disaster.
Disaster Recovery Plan (DRP)
Focuses on restoring IT operations.
Full Backup
Copies all data.
Differential Backup
Copies changes since last full backup.
Incremental Backup
Copies changes since last backup of any type.
Hierarchical Storage Management (HSM)
Continuous backup.
Stack Memory
Stores local variables, function calls; managed automatically.
Heap Memory
Stores dynamically allocated memory; managed manually.
Windows Swap File
Acts as virtual memory, stores temporarily swapped-out RAM pages.
Windows Swap File Location
pagefile.sys in root directory.
Event Viewer
Access system logs.
Log Files
Security logs, application logs, system logs.
MAC Properties in Windows
Modified, Accessed, Created timestamps used in forensic timeline analysis.
Windows Registry
Stores system and user settings.
Important Registry Files
HKCU: Current user settings; HKLM: System-wide settings; HKCR: File associations.
Linux Shell
Command-line interface (e.g., Bash, Zsh).
Basic Linux Commands
ls (list files), cp (copy files), dd (disk imaging), cd (change directory), rm (delete files), fdisk (manage disk partitions).
Run Levels in Linux
Defines system state: 0: Halt system, 1: Single-user mode, 3: Multi-user mode (no GUI), 5: Multi-user mode with GUI, 6: Reboot.
Linux Log Files
/var/log/ important logs: auth.log (authentication attempts), syslog (system events), dmesg (kernel messages).
Important Mac File System Directories
/Users: Home directories; /Applications: Installed applications; /Network: Network settings; /etc: System configuration files.
Target Disk Mode in Mac Forensics
Allows a Mac to be accessed as an external drive for forensic imaging.
Email Protocols
SMTP: Sends email between clients and servers (port 25 or 465 secure); POP3: Downloads email and typically deletes it from the server (port 110 or 995 secure); IMAP: Views and stores email on the server (port 143 or 993 secure).
Email Headers
Show the true source, path, timestamps, and can detect spoofing or tampering.
Common Email File Types
.pst (Outlook archive file), .ost (Outlook offline storage), .mbx (Mailbox file for older clients), .eml (Individual saved email messages).
Difficulties in Mobile Forensics
Encryption, frequent updates and new OS versions, locked devices and remote wipe capability, cloud synchronizing and distributed data, changing phone technology.
Types of Evidence from Mobile Devices
Messages (SMS, MMS, emails), call logs, photos, videos, GPS/location history, app data and browser history, contacts and calendar entries.
Mobile Forensics Pyramid
Represents levels of access: Manual extraction, Logical extraction, File-system extraction, Physical - non-invasive, Chip-off, Micro-read.
Network Packet Header
Source IP, destination IP, protocol info.
Network Packet Payload
Actual data transmitted.
Network Packet Trailer
End-of-packet markers, error checking.