Forensics Exam 4

Cellular Network

Network of short-distance transceivers that allow low-power phones to connect to towers by hopping from one to another.

1G (Analog)

First generation mobile networks using modulated radio signals for voice calls.

2G (Digital)

Introduced handheld form, digital circuit-switched communication, and practical data communication (SMS).

3G (Broadband)

Phones could transfer data at Internet speeds using packet-switching, making them miniature computers.

4G (Native IP)

Accesses the Internet directly using IP protocols and Wi-Fi for faster speeds and more bandwidth.

Mobile Operating System (OS)

Custom-designed program that controls mobile hardware and user interaction, like Android or iOS.

Geolocation in Mobile Forensics

Determining a device's location using GPS data to place a suspect near a crime scene.

Data Extraction from Mobile Devices

Physical extraction (full bit-by-bit copy) and logical extraction (copy of visible user data).

Role of SD Cards in Mobile Devices

Provide nonvolatile memory expansion, where stored data remains even when powered off.

Information Stored on SIM Cards

IMSI number (user ID) and ICCID (SIM card ID) linking the phone to the mobile network.

File System on a Mobile Device

Software that organizes and tracks file names, storage, and access using databases.

Causal and Temporal Chains in Digital Evidence

Causal Chain: cause-effect link of evidence; Temporal Chain: chronological timeline of events.

Cross-Drive Analysis

Technique that ties together evidence from multiple digital devices to physical crime scenes.

Computer Forensics

Preservation, acquisition, extraction, and interpretation of computer data for legal evidence.

Digital Forensics (DFIR)

Digital Forensics (analyzing devices) and Incident Response (responding to cyberattacks).

Difference between Hardware and Software

Hardware: physical components. Software: instructions that tell hardware what to do.

Key Hardware Components Inside a Computer

Case, motherboard, CPU, RAM, ROM, storage drives (HDD/SSD).

RAM

Temporary volatile memory storing active data; lost when the computer powers off.

ROM

Nonvolatile memory storing firmware to start the boot process.

Computer Boot Process

BIOS starts, POST checks components, boot drive is loaded, OS appears on login screen.

Data Storage on Storage Devices

Stored in binary (1s and 0s); requires partitioning and formatting to organize data access.

Tracks, Sectors, Clusters, and Cylinders

Tracks: concentric circles. Sectors: smallest storage unit. Clusters: groups of sectors. Cylinders: aligned tracks vertically.

File Allocation Table (FAT)

System tracking file locations on drives.

Master File Table (MFT)

Used in NTFS file systems to organize files and metadata.

Forensic Image

Bit-for-bit copy of a storage device preserving every piece of data.

Hash Values (MD5/SHA)

Unique fingerprints verifying forensic image integrity matches original data.

Visible and Latent Data

Visible: data the OS sees (e.g., documents). Latent: hidden data like deleted files or slack space.

RAM Slack and File Slack

RAM slack: empty space in a sector after a file ends. File slack: space from end of last sector to end of cluster.

Latent Data Locations

In unallocated space, swap files, and deleted file areas.

Application Data Evidence

Emails, chat logs, videos, financial transactions, web history, usernames.

Investigating Internet Activity

Common places include internet cache, cookies, history files, bookmarks.

IP Address

Numeric address allowing devices to send/receive data across networks.

Questioned Document

Any object with handwriting or print whose authenticity or source is in doubt.

Handwriting Uniqueness

Handwriting becomes unconscious and impossible to exactly replicate between individuals.

Angularity

The characteristic angle of letters in handwriting.

Slope

The angle at which letters are written, indicating the direction of the handwriting.

Speed

The rate at which handwriting is produced.

Pressure

The amount of force applied to the writing instrument during writing.

Letter/word spacing

The distance between individual letters and words in handwriting.

Letter size

The height of the letters in handwriting.

Connections

The way letters are linked together in handwriting.

Pen movement

The motion of the pen during writing.

Skill

The level of proficiency in handwriting.

Dexterity

The physical ability to manipulate the writing instrument.

Margins

The space around the written text on a page.

Crowding

The density of letters and words in a given space.

Insertions

Additional letters or words added into the text.

Alignment

The positioning of text in relation to the margins.

Spelling

The correct arrangement of letters in words.

Punctuation

The use of symbols to clarify meaning in writing.

Phraseology

The choice and arrangement of words in phrases.

Grammar

The set of rules governing the structure of sentences.

Handwriting exemplars

Known writing samples used for comparison with questioned documents.

Transmitting Terminal Identifier (TTI)

Fax machine header helping link documents to a specific device.

Signs of document alterations

Erasures, infrared luminescence revealing hidden text, obliterations (blotting out writing).

Indented writing

Impressions left on sheets underneath written-on pages, revealed using electrostatic detection.

Digital imaging processing in document examination

Scanning and digitally enhancing documents to reveal obscured or altered information.

Ink comparison in forensic document analysis

Using visible light microspectrophotometry or thin-layer chromatography.

Features revealed by paper analysis

Fiber type, fiber length, fiber orientation, thickness, density, color, additives.

Oxidation

Chemical reaction combining oxygen with another substance, producing energy (heat, light).

Combustion

Rapid oxidation accompanied by heat and light (exothermic chain reaction).

Three elements needed to sustain fire

Fuel, oxygen, and heat.

Pyrolysis

Decomposition of solid fuels into gases through heat.

Flammable range

The gas-air mixture concentrations within which combustion can occur (e.g., gasoline: 1.3-6%).

Glowing combustion

Smoldering at fuel-air interface.

Spontaneous combustion

Fire caused without external ignition.

Three methods of heat transfer in fires

Conduction, radiation, convection.

Indicators of arson

Multiple separate fires, use of streamers, irregular burn patterns, severe burns on floors.

Flashover

Simultaneous ignition of all combustibles, making fire behavior abnormal and confusing the point of origin.

Common ignition devices

Matches, cigarettes, firearms, electrical devices, Molotov cocktails.

Flammable residues recovery

Heating sealed debris containers and analyzing vapors using gas chromatography.

Vapor concentration technique

Charcoal strip absorbs vapors from debris container, later analyzed by GC.

Gas Chromatograph (GC)

The most reliable instrument for detecting flammable residues.

Explosion

Rapid oxidation creating sudden gas and pressure buildup.

Low explosives

Black powder, smokeless powder; undergo deflagration (subsonic combustion).

High explosives

Primary explosives (detonators) and secondary explosives (dynamite, TNT, PETN, RDX).

Detonation

Extremely rapid decomposition causing an outward rush of gases (~7,000 mph).

TATP

Homemade explosive made from acetone and peroxide, linked to terrorist attacks.

RDX

Popular military explosive found as pliable plastic C-4.

Debris processing at explosion scenes

Systematic collection of detonator parts and foreign materials in airtight containers.

Lab analysis for explosives

Microscopic analysis, solvent rinses, spot tests, thin-layer chromatography, GCMS, IR spectrophotometry.