cellebrite
contacts, media, deleted images and other things, locations, usernames and passwords
what is a device image?
essentially a digital replica of the device
so when investigating you never actually use the device
why is image copied?
multiple copies of same image mean multiple people can work on it at once
because not working on actual device, any slip ups are less costly
actual device safely stored away
because you don’t actually want to make any changes to data on phone
what to do when phone is seized?
cut signal to/from phone- to stop changes being made to phone from a remote place
faraday bag/box- blocks signal to/from phone
keep phone on- passwords move from deep storage to shallow storage
can use a wireless charger to keep it powered on, as you don’t want to open faraday until you get to station
when at station the whole room becomes a faraday box
keep chain of custody- never let phone out of eyesight
local imaging
active files and folders only, doesn’t include deleted data (pretty much copy and paste)
physical imaging
every sector of the drive, includes deleted data
forensic imaging
same as physical, but includes metadata and hash verification, includes deleted data
sparse/targeted imaging
selected files, folders or partitions, includes some deleted data
deleted data
only permanently deleted when the space they occupied has been written over
so deleted files on computers with big hard drives composed of small files are more likely to be recoverable, because the space they occupied is less likely to have been written over already
hash value
64 letters and numbers unique to each file
any change to said file will change the hash value
if hash value is the same at start and finish of investigation it means no changes have been made
if any changes have been made to file-hash value it will be picked up on in court
digital fingerprint that belongs to the file