Digital Forensics
Application of computer science and investigative procedures for legal purposes involving digital evidence.
Key Concepts of Digital Forensics
Requires search authority, chain of custody, validation, and reporting.
Federal Rules of Evidence (FRE)
Governs the admissibility of digital evidence.
Fourth Amendment
Protects against unreasonable searches and seizures.
ISO Standard (2012)
Defines personnel qualifications and methods for acquiring and preserving digital evidence.
Public-Sector Investigations
Focus on criminal cases and are governed by the Fourth Amendment and DOJ guidelines.
Private-Sector Investigations
Focus on policy violations and civil disputes, governed by Acceptable Use Policy (AUP) and corporate policy.
Digital Evidence First Responder (DEFR)
Collects and preserves evidence.
Digital Evidence Specialist (DES)
Analyzes evidence.
Professional Conduct in Digital Forensics
Maintain objectivity, confidentiality, and credibility.
Five Steps of an Investigation
Acquire the evidence, Examine the evidence, Analyze the evidence, Report findings, Critique the case.
Chain of Custody
Tracks evidence from collection to courtroom.
Bit-Stream Copy
Exact sector-by-sector copy of a drive.
Bit-Stream Image
File containing the copy of a drive.
Forensic Tools
Tools used to recover deleted or hidden data, e.g., Autopsy.
Final Forensic Report
Documents the process and findings of an investigation.
Digital Forensics Workstations
Must have a data acquisition tool and a write-blocker.
Employee Termination Cases
Often involve asset misuse or hostile workplace behavior.
Internet Abuse Investigation
Compare web history with firewall/proxy logs.
Email Abuse Investigation
Analyze server, local, or web-based email data and headers.
Attorney-Client Privilege (ACP)
Confidential investigations; must document all steps and use hash verification.
Industrial Espionage
Gather logs, surveillance, and coordinate with management and legal counsel.
Knowledge Check - Digital Forensics
Digital forensics differs from data recovery because in data recovery, you typically know what you're looking for.
Knowledge Check - Workstations
Digital forensics workstations must have a data acquisition tool and a write-blocker.
Jurisdiction
The official power to make legal decisions and judgments.
Case name
The title of a legal case, typically including the parties involved.
Cause number
A unique number assigned to a legal case for identification.
Deposition date & location
The specific date and place where a deposition is conducted.
Job mission or goal
The primary objective of a report, such as finding information or recovering data.
Verbal Reports
Preliminary updates that cover unfinished tests, interrogatories, document requests, and deposition plans.
Written Reports
Reports that include affidavits or declarations.
Examination Plans
Documents that outline expected testimony questions and help attorneys understand technical terms.
Expert Witness Requirements
Criteria that an expert witness must meet, including specialized skill and reasonable certainty in testimony.
Preliminary Reports
Reports that are part of discovery between opposing attorneys and should be avoided if unnecessary.
Report Structure
The organized components of a report, including Abstract, Table of Contents, Body, Conclusion, Appendices, Glossary, References, and Acknowledgements.
Writing Clearly and Objectively
Guidelines for writing that emphasize logical order, active voice, and conciseness.
Layout and Presentation
Elements that should be included in a report, such as evidence, consistent formatting, methods, hash values, limitations, results, and references.
Writing the Digital Forensics Report
The process of creating a digital forensics report, including analyzing data and writing drafts.
Fact Witness
A witness who provides only facts and explains how evidence was obtained without drawing conclusions.
Expert Witness
A witness who offers opinions based on experience and analysis, connecting them to case theory.
Documenting and Preparing Evidence
The process of recording all steps for repeatability and maintaining the chain of custody.
Curriculum Vitae (CV)
A document used to qualify testimony in court, including education, experience, publications, and testimony history.
Preparing Definitions
The process of having personal definitions ready for key terms in digital forensics.
Dealing with the News Media
Guidelines for avoiding direct contact with the press to prevent harm to the case.
Trial Process
The sequence of events in a trial, including motions, jury selection, and closing arguments.
General Testimony Guidelines
Best practices for giving testimony, including being polite, maintaining eye contact, and answering only what's asked.
Graphics and Exhibits
Visual aids that must be clear and simple, reviewed with an attorney before presentation.
Cross-Examination
Maintain eye contact with the jury.
Depositions
No jury or judge; part of discovery.
Hearings
Similar to trials but no jury present.
Knowledge Check 2-1
Verbal reports cover: Unfinished testing, Interrogatories, Document production, Deposition planning.
Knowledge Check 2-2
During cross-examination: Maintain eye contact with the jury, Watch for attorney objections, Pay attention to opposing counsel, Keep answers short.
Self-Assessment
Be able to explain: What topics are covered in verbal reports between expert and hiring attorney?
Module Objectives
By the end of this module, you should be able to: Describe certification requirements for digital forensics labs, List physical lab requirements, Explain criteria for selecting a forensic workstation, Build a business case for a forensics lab, Evaluate digital forensics tools, Identify software and hardware tools used in forensics, Explain validation and testing methods for tools.
Lab Accreditation
A digital forensics lab is a secure facility for investigations, evidence storage, and analysis.
Lab Manager & Staff Duties
Manage case workflow and scheduling.
Lab Budget Planning
Expenses Include: Hardware, software, facilities, travel, and training.
Certifications & Training
Common forensics certifications: CFCE - Certified Forensic Computer Examiner (IACIS), HTCN - Certified Computer Crime Investigator / Forensic Technician, EnCE - EnCase Certified Examiner, Exterro Ace - Formerly AccessData Certified Examiner.
Physical Requirements of a Lab
Security Requirements: Secure room (floor-to-ceiling walls, locking door).
Evidence Storage Containers
Best Practices: Use steel containers or safes.
Facility Maintenance
Immediately repair damages.
Auditing the Lab
Audit checks include: Walls, ceiling, floor, doors, and locks.
Lab Floor Plans
Common Layouts: Small/home-based lab - limited workstations.
Regional lab
Full-scale, multi-room setup.
Ideal setup
Two forensic workstations + one non-forensic Internet workstation.
Law Enforcement Workstations
May need legacy systems & diverse tools.
Private Sector Workstations
Tailored to company systems & investigation type.
Small Departments Workstations
Use portable or multipurpose stations.
Mobile labs
Laptops with USB 3.0/4.0, SATA, or SSD drives.
Hardware Peripherals
Stock essentials: Digital cameras, antistatic bags, IDE/SATA cables, FireWire and USB adapters, Hard drives, external drives, Hand tools and adapters.
Software Inventory
Maintain licensed and current copies of: Windows, macOS, and Linux, Office suites (Microsoft, LibreOffice, WPS), Hex editors, programming tools (Python, C++), Specialized viewers (ACDSee, IrfanView), Accounting software (QuickBooks, Quicken).
Disaster Recovery Plan
Purpose: Restore systems and files after a failure. Includes: Backup software (e.g., Paragon Backup & Recovery), Tracking of software updates and OS changes, Large-scale backup systems for RAID servers or private clouds.
Equipment Upgrades
Replace critical hardware every 18-36 months (preferably every 12). Plan for risk management and equipment dependency.
Building a Business Case
Purpose: Justify lab setup or upgrades. Components: Justification - show need and purpose, Budget Development - detail facility, hardware, software, and other costs, Approval - submit proposal to management, Implementation - include delivery/installation timeline, Acceptance Testing - inspect security, test hardware/software, Production - finalize corrections and begin operations.
Evaluating Digital Forensics Tools
Ask: Which OS does it support? Can it analyze multiple file systems? Can it be scripted or automated? Does the vendor provide strong support? Is it open-source or commercial?
Types of Tools
Hardware Tools: Devices and equipment for data acquisition or analysis, Software Tools: Command-line or GUI-based applications.
Common Tasks
Acquisition: Copy drives (physical or logical), Validation & Verification: Confirm accuracy using hash values, Extraction: Recover deleted/encrypted data, Reconstruction: Rebuild drives or files, Reporting: Document findings (logs, bookmarks, timelines).
Command-Line vs GUI Tools
Command-Line: Lightweight, minimal system resources, fast; GUI Tools: User-friendly, easier for beginners.
Common Tools
Linux Tools: Sleuth Kit, Autopsy, Kali Linux; Windows Tools: EnCase, FTK, Magnet Axiom; Write-Blockers: Tableau, WiebeTech, Logicube Talon; Editors: WinHex, HxD, Hex Workshop.
Validation & Testing Standards
NIST (CFTT Project): Tests & validates forensic tools; ISO 17025 / ISO 5725: Require repeatable and reproducible results.
Validation Steps
Use at least two tools to verify findings, Compare hash values, Test new releases and patches before use, Report bugs to vendors and use test drives for validation.
Digital Evidence Image
A bit-for-bit copy of a storage device used for forensic analysis.
Physical acquisition
Complete disk copy (bit-for-bit)
Logical acquisition
Captures specific files/folders
Sparse acquisition
Collects fragments of unallocated (deleted) data
Partition-to-partition / disk-to-disk
Copies partitions or entire drives directly
Raw (dd)
Fast, compatible, but large in size
Advanced Forensic Format (AFF)
Open source, supports compression, includes metadata
Proprietary formats
Tool-specific, may include metadata, but not shareable across platforms
Planning an Acquisition
Create an action plan: List required resources, Define acquisition steps, Detail evidence preservation and security, Review technical specs of target drives before imaging.
Determining the Best Method
Consider: Size of suspect drive, Whether original media must be preserved, Time available, Location and system type
Windows Tools
FTK Imager, EnCase, X-Ways
Linux Tools
Guymager, dd, dc3dd
Bootable Environments
Mini-WinFE (Windows Forensics Environment), Linux Live CDs: CAINE, Kali, SIFT, Knoppix
Validation Techniques
Use hashing algorithms to verify integrity: CRC-32, MD5, SHA-1 to SHA-512
Linux Hashing Tools
md5sum, sha1sum, dcfldd, dc3dd
Windows Hashing Tool
PowerShell Get-FileHash
RAID Acquisition
Understand RAID levels (0, 1, 2, 3, 5)
RAID 0
Striping - fast, no redundancy
RAID 1
Mirroring - data recovery