ITE-473-101_ Digital Forensic Analysis Final Exam Review

Digital (Computer) Forensics

Scientific methods to identify, preserve, analyze, and present digital evidence for court use.

Expert Testimony Modes

Deposition: sworn, out-of-court Q&A recorded for later use. Live in Court: sworn, direct & cross exams; explain methods, tools, conclusions in plain language.

Eyewitness testimony

Testimony given by a witness who personally observed the event.

Physical Evidence

Tangible evidence that can be physically handled.

Digital Evidence

Evidence in the form of bits & bytes.

Lay vs. Expert witnesses

A lay witness testifies about what they personally observed or experienced, while an expert witness provides opinions and analysis based on their specialized knowledge and expertise.

Material Evidence

Relevant and significant evidence that directly impacts the outcome of a case.

Immaterial Evidence

Evidence that is not relevant or important to the matter at hand in a legal case.

Common AntiForensics

Techniques used to hinder forensic investigations, including secure wiping, encryption, steganography, file/metadata obfuscation, and hidden partitions.

Daubert Standard

An admissibility test requiring that digital forensics tools & processes must be testable, peer-reviewed, have a known error rate, and be generally accepted.

Chain of Custody

Continuous log of who, when, why an item of evidence changed hands; protects evidence integrity.

Typical Computer Crimes

Crimes including hacking, ID theft, cyberstalking, online fraud, DoS, malware distribution, and cyberterrorism.

Order of Volatility

The sequence of data collection from most to least volatile: CPU/cache, routing tables & process list, RAM, temp FS, disk, remote logs physical configs.

Three Evidence-Handling Tasks

1. Identify/collect 2. Preserve (image, hash, store) 3. Analyze/examine.

Before Shutting a Live System

Take pictures and document everything then grab running processes, network sessions, open files, RAM image, photos/time stamps—then power down.

No PizzaHut Stops

Unattended evidence can be stolen or tampered with, breaking chain of custody and court admissibility.

Pre-Examination Workflow (Drives)

Seize & log, wipe target media, copy bit-level image, hash & verify, secure original, work only on the copy.

Hashes

One-way, fixed-length 'digital fingerprints' supposed to be collision proof (e.g., SHA256) to prove data integrity and identify files.

Swap File

A temporary storage space on a hard drive that's used when a computer's physical memory (RAM) is full.

Host Protected Area (HPA)

Hidden drive region invisible to OS; handy for diagnostics or for hiding data.

File Slack (NTFS)

Unused space within a file that exists between the end of the actual file data and the end of the last allocated cluster.

Unallocated Space

Filesystem-marked 'free' areas that still store remnants of deleted data until overwritten.

Steganography

Concealing data inside carrier files so the very existence of a message is hidden.

LSB Method

Embed bits by flipping the least-significant bit of pixel/byte values—imperceptible visual change.

Stego Terms

Payload = hidden data, Carrier = cover file, Channel = medium/route used to deliver carrier.

Detecting Stego

Look for anomalies in the carrier file, such as unusual color patterns, file size discrepancies, or the presence of known steganography signatures.

Detecting Stego Tools

Use specialized tools like StegExpose or StegAlyze to automate the detection process. These tools employ algorithms and statistical models to analyze files for signs of steganography.

Encryption vs Stego

Encryption hides content (obvious ciphertext); stego hides existence of the message.

Kerckhoffs' Principle

Security rests on secrecy of the key, not the algorithm—designs should remain secure if algorithm is public.

Symmetric Crypto

One shared key (fast, key exchange problem).

Asymmetric Crypto

Public/private pair (secure exchange, slower).

Good Hash Algorithm Traits

Oneway, Collision resistant, Fixed length output.

Frequency Analysis

A method used to measure and analyze the occurrence or frequency of different events, items, or characteristics within a dataset or population.

Ophcrack

Uses rainbow tables to reverse hashes and reveal Windows passwords rapidly.

Investigation

Structured fact‑finding process to determine what happened and who is responsible.

Forensics

Use of scientific methods to analyze evidence for legal purposes.

Felony

Serious crime punishable by > 1 year in prison or larger fines.

Misdemeanor

Less‑serious crime punishable by ≤ 1 year in jail or smaller fines.

Evidence (physical)

Tangible items (e.g., weapon, hard drive) that support or refute a fact.

Evidence (digital)

Electronic data (e.g., logs, emails) that support or refute a fact.

Testimony

Sworn statement or account given by a witness.

Inculpatory

Supports guilt.

Exculpatory

Supports innocence.

Circumstantial

Indirect.

Hearsay

Second hand.

dd Extraction Command

dd if= of= bs=512 skip= count=<#sectors>

dd Extraction Example

Example: pull a 200 sector file starting at sector 1000.

Master File Table (MFT)

Stores information about every file on the volume.

MFT Entries

Each file has at least one entry storing metadata.

Attributes

Metadata stored within MFT.

Resident Files

Small files stored directly in the MFT.

Non-Resident Files

Larger files stored in clusters outside the MFT.

Clusters

Smallest unit of storage in NTFS.

Bitmaps

Keeps track of used and free clusters.

File Slack

Unused space in the last cluster of a file.

Forensically Scrubbing a Drive

Overwriting data using tools like DBAN.

Degaussing

Magnetic erasure.

Physical destruction

Shredding, drilling, incineration.

Secure erase commands

Built into SSD firmware.

Super Block

Stores metadata about the file system.

Block Groups

Divides the file system for efficient management.

Inodes

Stores information about files (permissions, size, timestamps).

Data Blocks

Contains actual file data.

Physical Damage

Hardware failure (e.g., head crash, water damage).

Logical Damage

Corrupt file system (e.g., accidental formatting, malware).

Zero-Knowledge Analysis

Recovering data without prior knowledge of the system.

File Carving

Extracting files from raw disk images using header/footer analysis.

File Carving Tools

Scalpel, carver-recovery.exe.

Business Continuity Plan (BCP)

Ensures business functions continue after a disaster.

Disaster Recovery Plan (DRP)

Focuses on restoring IT operations.

Full Backup

Copies all data.

Differential Backup

Copies changes since last full backup.

Incremental Backup

Copies changes since last backup of any type.

Hierarchical Storage Management (HSM)

Continuous backup.

Stack Memory

Stores local variables, function calls; managed automatically.

Heap Memory

Stores dynamically allocated memory; managed manually.

Windows Swap File

Acts as virtual memory, stores temporarily swapped-out RAM pages.

Windows Swap File Location

pagefile.sys in root directory.

Event Viewer

Access system logs.

Log Files

Security logs, application logs, system logs.

MAC Properties in Windows

Modified, Accessed, Created timestamps used in forensic timeline analysis.

Windows Registry

Stores system and user settings.

Important Registry Files

HKCU: Current user settings; HKLM: System-wide settings; HKCR: File associations.

Linux Shell

Command-line interface (e.g., Bash, Zsh).

Basic Linux Commands

ls (list files), cp (copy files), dd (disk imaging), cd (change directory), rm (delete files), fdisk (manage disk partitions).

Run Levels in Linux

Defines system state: 0: Halt system, 1: Single-user mode, 3: Multi-user mode (no GUI), 5: Multi-user mode with GUI, 6: Reboot.

Linux Log Files

/var/log/ important logs: auth.log (authentication attempts), syslog (system events), dmesg (kernel messages).

Important Mac File System Directories

/Users: Home directories; /Applications: Installed applications; /Network: Network settings; /etc: System configuration files.

Target Disk Mode in Mac Forensics

Allows a Mac to be accessed as an external drive for forensic imaging.

Email Protocols

SMTP: Sends email between clients and servers (port 25 or 465 secure); POP3: Downloads email and typically deletes it from the server (port 110 or 995 secure); IMAP: Views and stores email on the server (port 143 or 993 secure).

Email Headers

Show the true source, path, timestamps, and can detect spoofing or tampering.

Common Email File Types

.pst (Outlook archive file), .ost (Outlook offline storage), .mbx (Mailbox file for older clients), .eml (Individual saved email messages).

Difficulties in Mobile Forensics

Encryption, frequent updates and new OS versions, locked devices and remote wipe capability, cloud synchronizing and distributed data, changing phone technology.

Types of Evidence from Mobile Devices

Messages (SMS, MMS, emails), call logs, photos, videos, GPS/location history, app data and browser history, contacts and calendar entries.

Mobile Forensics Pyramid

Represents levels of access: Manual extraction, Logical extraction, File-system extraction, Physical - non-invasive, Chip-off, Micro-read.

Important Parts of Network Packets

Header: Source IP, destination IP, protocol info.

Mobile Forensics Pyramid

Represents levels of access: Manual extraction, Logical extraction, File‑system extraction, Physical - non‑invasive, Chip‑off, Micro‑read.

Network Packet Header

Source IP, destination IP, protocol info.

Network Packet Payload

Actual data transmitted.

Network Packet Trailer

End-of-packet markers, error checking.