Logical/Partitioned Acquisition (Dynamic)"), not the entire physical disk. Useful when a full physical copy is impractical or when only specific partitions are relevant.
- Dynamic (live) acquisitions may involve logical acquisitions rather than full physical copies, potentially leaving some data on unmounted partitions inaccessible until remounted in a controlled environment.
- Static (physical offline) acquisition yields the entire physical drive and is typically preferred for court-admissible, chain-of-custody-compliant images.
Evidence collection tool and format reference
- Primary tool discussed: EnCase (forensic software suite) and the proprietary evidence container format often used: E01 (commonly pronounced E-01 or
Forensic Soundness, Anti-Forensics, and Acquisition Practices
Forensic soundness principle
- Core rule: if a system was ever connected to the Internet, it may have been altered, which compromises its forensic integrity.
- Forensic soundness means the examination environment was built from scratch in a controlled way:
  - Install the operating system
  - Install the forensics tool(s)
  - Apply licensing
  - Configure the environment
- Key consequence: never allow the forensics workstation to touch the Internet. If it does, you must wipe, reinstall the OS, reinstall tools, and reconfigure from scratch because the data on that machine is considered tainted.
- Practical risk: if a workstation connected to the Internet, opposing counsel may move to dismiss active cases or reopen closed cases, arguing the evidence on that device is not trustworthy.
Lab and field workstation practices
- In the lab: the forensics workstation must remain isolated (no Internet) and inaccessible to unauthorized personnel.
- In the field: use mobile laptops dedicated to investigations; these are also not connected to the Internet. They are sandboxed on a separate host (the field notebook) and then used to acquire evidence.
- Sandboxing approach: in the field, take custody of the target device, disconnect it from all networks, and perform a controlled acquisition via the notebook without letting the target system boot or touch the field notebook’s own OS.
- Acquisition flow in the field: isolate target hard drive, sandbox the field laptop, acquire evidence from the target drive using the field notebook’s tools rather than using the target’s own OS.
Anti-forensics techniques: overview
- Perpetrators may attempt to hide activity or corrupt evidence through several methods that complicate discovery.
- Common anti-forensic techniques covered here:
  - Introducing a secondary operating system from external media (e.g., USB thumb drive) to run the target computer without touching its internal hard drive.
  - MAC address spoofing to obscure the machine’s true network identity.
  - Encrypting data to prevent access to plaintext evidence until decryption keys are obtained.
- Important caveat: these methods do not erase all traces; some artifacts may still exist in RAM, external media, or network metadata, but they significantly hinder analysis if not anticipated.
External OS boot and anti-forensics using removable media
- Scenario: boot the computer from a USB thumb drive containing an alternate OS (e.g., Linux).
- Result: the host’s internal hard drive is not booted; the external OS is used to operate the system.
- Artifact implications: once the external drive is removed and the system is shut down, the internal hard drive may retain fewer visible traces of activity; artifacts may reside on the external media instead, not on the internal drive.
- Important distinction: when the external OS is used, the internal hard drive remains untouched unless the anti-forensic action explicitly writes to it. Therefore, artifacts may be located on the external drive or in volatile memory rather than on the internal storage.
MAC address spoofing and network forensics implications
- Fact: even if a perpetrator spoofs the MAC address, the burned-in hardware MAC address remains associated with the physical network interface.
- In network forensics, the MAC address is visible when traffic leaves the device (Layer 2), so spoofing can mislead attribution but does not erase all network-origin evidence.
- IP address may differ if a different OS/kernel is used or if different network configurations are applied, but the underlying hardware MAC can still reveal hardware identity if properly traced.
- Spoofing MAC addresses is a known anti-forensic tactic; it is possible to hide the real MAC, which complicates attribution and traceability.
- Practical note: network forensics in a later module will cover how to handle MAC spoofing and correlate evidence across devices and times.
Encryption as a form of anti-forensics and its implications
- Encryption principle: encrypting a file, folder, or entire drive transforms plaintext into ciphertext, obstructing use without the key.
- BitLocker (Microsoft) example: can encrypt a file, a folder, or the entire drive.
- Encryption process: clear text P is transformed into ciphertext C by an encryption algorithm operating under a key.
- Decryption process: applying the decryption algorithm to C with the appropriate key recovers the clear text P.
- Keys: encryption keys may be symmetric (single key for encryption and decryption) or asymmetric (public/private key pair). In asymmetric schemes, encryption uses the public key and decryption uses the private key; in symmetric schemes, a single shared key is used for both directions.
- Practical implication: if the hard drive is encrypted, no forensic access is possible without the correct key(s). If the suspect is actively using the computer and the system is encrypted (e.g., BitLocker or another full-disk/encryption tool), a live collection may be preferable to capture clear text in memory, before encryption or later decryption steps.
Live vs. static (offline) acquisition concepts
- Live acquisition (dynamic acquisition): perform evidence collection while the system is powered on and running. Captures memory (RAM) in clear text, running processes, network connections, and potentially unencrypted data in use. There is a risk of altering data if the system is actively used.
- Static acquisition (offline): also called physical/disk imaging, performed by removing the physical hard drive from the machine and copying it while the machine is off; this yields a complete physical copy of the drive’s contents.
- Static vs live trade-offs:
  - Static acquisition yields the entire physical disk image, including unallocated space, slack space, and all partitions, regardless of current use.
  - Live/dynamic acquisition may capture only portions of the drive (e.g., the currently mounted partitions) and RAM content, but it can preserve volatile data that would be lost if the machine were shut down.
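As an added illustration (not part of the original notes), the following Python script constructs a tiny MBR disk image and compares what a physical acquisition (sector 0 to the end) captures against a logical, partition-only acquisition, listing the unallocated sector ranges the logical copy never reads, one of which still holds remnant data. The disk size, partition layout and the "deleted file" remnant are all constructed sample values, and the SHA-256 hashes stand in for the acquisition hash an imaging tool records for later verification.

```python
import hashlib
import struct

SECTOR = 512

def build_sample_disk() -> bytes:
    """Constructed 64-sector disk: MBR plus two primary partitions (not a real image)."""
    disk = bytearray(64 * SECTOR)
    def entry(boot, ptype, start, count):  # classic 16-byte MBR partition entry
        return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    # Partition 1: sectors 8-23 (NTFS type 0x07); partition 2: sectors 32-47 (Linux type 0x83).
    disk[446:510] = entry(0x80, 0x07, 8, 16) + entry(0x00, 0x83, 32, 16) + bytes(32)
    disk[510:512] = b"\x55\xAA"  # MBR boot signature
    disk[8 * SECTOR:24 * SECTOR] = b"A" * (16 * SECTOR)
    disk[32 * SECTOR:48 * SECTOR] = b"B" * (16 * SECTOR)
    marker = b"REMNANT OF A DELETED FILE"  # constructed data left in unallocated space
    disk[50 * SECTOR:50 * SECTOR + len(marker)] = marker
    return bytes(disk)

def parse_mbr(disk: bytes) -> list:
    """Return (start_sector, sector_count) for every non-empty MBR partition entry."""
    if disk[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        ptype, start, count = struct.unpack_from("<4xB3xII", disk, 446 + 16 * i)
        if ptype != 0:
            parts.append((start, count))
    return parts

def physical_acquisition(disk: bytes) -> dict:
    """Static/physical image: every sector from 0 to the end, hashed for later verification."""
    return {"bytes": len(disk), "sha256": hashlib.sha256(disk).hexdigest()}

def logical_acquisition(disk: bytes) -> dict:
    """Logical image: only the partition extents; the MBR and unallocated gaps are skipped."""
    captured = b"".join(disk[s * SECTOR:(s + n) * SECTOR] for s, n in parse_mbr(disk))
    return {"bytes": len(captured), "sha256": hashlib.sha256(captured).hexdigest()}

def uncaptured_by_logical(disk: bytes) -> list:
    """Sector ranges a logical acquisition never reads, flagged if they hold non-zero data."""
    gaps, cursor = [], 0
    for start, count in sorted(parse_mbr(disk)):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = start + count
    if cursor < len(disk) // SECTOR:
        gaps.append((cursor, len(disk) // SECTOR - 1))
    return [(lo, hi, any(disk[lo * SECTOR:(hi + 1) * SECTOR])) for lo, hi in gaps]
```

Running `uncaptured_by_logical(build_sample_disk())` reports three gaps (the MBR region, the space between the partitions, and the trailing space), and only the physical image's hash covers the remnant at sector 50.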
Physical vs logical acquisitions and implications
- Physical (full disk): Imaging the entire physical drive from sector 0 to the end, capturing all partitions, boot sectors, and unallocated spaces. Provides a complete forensic image, preserving structure and metadata for later analysis.
- Logical acquisition (partition-level): Accesses only selected partitions (e.g., C:\