What are the three ways computers relate to crime?
Mere evidence, instrumentality, and contraband.
Why is cybercrime harder to investigate?
Anonymity, automation, global reach, and legal challenges (encryption, jurisdiction).
What four questions do investigators ask in cases involving digital evidence?
Was a crime committed? What happened? Who did it? Why did they do it?
Do most cases today involve digital evidence?
Yes—nearly all investigations involve digital elements.
What does the processor do?
Executes instructions and calculations.
What is RAM?
Volatile memory used for running programs.
What is long-term storage?
Devices like HDDs, SSDs, USB drives.
What is the difference between programs and data?
Programs instruct; data is information processed.
What is an OS?
A program that controls hardware and manages other programs.
What is a bit?
The smallest unit of digital data (0 or 1).
What is a file system?
Method of organizing data on a disk.
Do deleted files disappear immediately?
No—they move to unallocated space until overwritten.
What is a virtual machine?
A software-simulated computer.
In networking, what is the server?
Device providing resources.
What is a MAC address?
A unique hardware identifier for a network interface.
What is an IP address?
Numerical address identifying a device on a network.
What is a packet?
A chunk of data sent across a network.
What does a router do?
Connects networks and routes traffic.
What are ports?
Numbers that identify which program handles incoming data.
What does “whois” do?
Displays domain and IP ownership information.
What do logs show?
Connections, authentication, processes, errors, and activity history.
Why is cloud computing challenging for investigators?
Data may be stored in other countries, raising jurisdiction issues.
What is a VPN?
Encrypted tunnel that hides a user’s IP.
What does a proxy server do?
Forwards traffic on behalf of a user; may log activity.
What is Tor?
Network using onion routing for anonymity.
What are hidden services?
Tor-hosted sites ending in .onion.
What is the dark web?
Internet content accessible only through special software.
What is the blockchain?
Public ledger of all Bitcoin transactions.
What is a public key?
Address to receive cryptocurrency.
What is a private key?
Secret needed to authorize transactions.
Are Bitcoin transactions anonymous?
Pseudonymous—identities can be uncovered with analysis.
What is CCIPS?
DOJ Cybercrime & Intellectual Property Section.
What determines 4th Amendment protection?
Reasonable expectation of privacy (Katz test).
What is the foregone conclusion doctrine?
Government can compel acts if it already knows the evidence exists.
Are passwords protected under the 5th Amendment?
Often yes—password entry is considered testimonial.
What can a subpoena obtain?
Subscriber information.
What can a court order obtain?
Transactional records.
What requires a warrant?
Content of communications.
What is a Title III order used for?
Live interception (wiretaps).
Are border searches usually warrantless?
Yes, but courts are increasing scrutiny for digital devices.
What is the number one rule in digital forensics?
Change nothing.
What is chain of custody?
Documentation of who handled evidence and when.
What is a write-blocker?
Device that prevents data from being modified during forensic imaging.
What is hashing used for?
Verifying evidence integrity.
What is the difference between physical and logical imaging?
Physical = full disk copy; logical = accessible files only.
What do MAC times represent?
Modified, accessed, created timestamps.
What does metadata reveal?
Info about a file (author, creation, location).
What is EXIF data?
Metadata embedded in photos (GPS, camera model, timestamps).
What are Windows Prefetch files?
Artifacts showing program execution history.
What is the goal of attribution?
Prove who operated the device.
What evidence helps attribute activity?
Accounts, logs, timestamps, unique user data, location data.
Why are phone extractions challenging?
Encryption, rapid connectivity, ability to wipe remotely.
How can phones be isolated?
Airplane mode, removing SIM, Faraday bags.
What is a physical extraction?
Copy of all data including deleted contents.
What is JTAG/chip-off?
Hardware-level extraction methods.
Why is IoT forensics challenging?
Data is often stored in the cloud, not on the device.
Examples of IoT devices?
Smart speakers, wearables, home cameras, connected vehicles.
Why is child exploitation common online?
Easy anonymous distribution and global connectivity.
What is CSAM?
Child sexual abuse material.
What does NCMEC do?
Central hub for reporting/extending child exploitation cases.
What federal act allows civil commitment of predators?
Adam Walsh Act.
Digital Evidence
Any data stored or transmitted using a computer or electronic device.
Forensic Image
A bit-for-bit copy of a digital device.
Write-Blocker
A device that prevents modification of evidence during collection.
Hash Value
A unique digital fingerprint used to verify file integrity.
Chain of Custody
Documentation of every person who handled evidence.
Unallocated Space
Disk space not currently used by files, often containing deleted data.
Metadata
Information describing a file (timestamps, creator, device info).
MAC Times
File timestamps—Modified, Accessed, Created.
RAM (Random Access Memory)
Temporary, volatile memory for active processes.
HDD/SSD
Long-term storage devices (SSDs use flash memory).
File System
Method an operating system uses to organize data (e.g., NTFS, FAT).
Virtual Machine (VM)
A software-based computer environment.
IP Address
Numerical label identifying a device on a network.
MAC Address
Hardware identifier unique to a network card.
Packet
Small chunk of data sent across a network.
Router
Device that connects networks and routes traffic.
Port Number
Numeric identifier specifying a program/network service.
Client/Server Model
A system where clients request resources and servers provide them.
VPN (Virtual Private Network)
Encrypted tunnel hiding a user’s IP address.
Proxy Server
Intermediary server forwarding client requests.
Tor (The Onion Router)
Network that anonymizes traffic through layered relays.
Onion Routing
Technique of encrypting traffic multiple times through different nodes.
Hidden Service (.onion)
Tor-accessible site keeping server location anonymous.
Dark Web
Internet content accessible only with specialized software like Tor.
Blockchain
Public, immutable ledger of cryptocurrency transactions.
Public Key
Cryptocurrency address used to receive funds.
Private Key
Secret key required to spend cryptocurrency.
Pseudonymity
Being identified by a digital alias rather than a real identity.
Contraband (Digital)
Illegal data stored on a device (e.g., CSAM).
Instrumentality
When a computer is used to commit a crime.
ECPA (Electronic Communications Privacy Act)
Governs access to electronic communications by law enforcement.
SCA (Stored Communications Act)
Regulates access to stored electronic data.
Title III Order
Court order permitting real-time interception (wiretap).
Foregone Conclusion Doctrine
Government can compel evidence if it already knows it exists.
Attribution
Linking a digital action to a specific individual.
Log File
Recorded data showing system and user activity.
Keyword Search
Searching large data sets for specified terms.
JTAG / Chip-Off
Hardware extraction methods for mobile device data.