Forensics, RAID, and Privacy: Lecture Notes (Disk/RAID, Acquisition, Media Artifacts, and Legal Basics)

  • Water balloon activity and class participation

    • Instructor proposes a Civil War history reenactment in class next week to recruit students

    • Activity: water balloon fight to capture the flag; participants protect their own flag and attempt to capture the other side’s flag

    • Some students will write a report on what happens in the activity

    • Logistics: break time will be extended to roughly 10:15 and last about a half hour; students should bring clothes to change into after the wet activity, and time will be provided to change into dry clothes

    • Participation is voluntary; non-participants can stay in class, work in labs, or go to lunch

    • Handling of the day’s disruption: planning and scheduling considerations for active learning experiences vs. standard lectures

  • Linux disk utilities and partitioning (fdisk) basics demonstrated in class

    • fdisk is a fixed-disk utility; running it without sudo is restricted due to its destructive capabilities

    • To inspect drives, use sudo fdisk -l to list drives and partitions

    • Partition layout concepts shown:

    • Primary partition, extended partition, and swap partition in Linux

    • Linux swap is a dedicated partition (swap space)

    • A partition can contain another partition (nested partitions) within an extended partition

    • Destructive potential of fdisk:

    • Choosing to delete a partition (e.g., on /dev/sd[a-z]1) can delete the operating system

    • Example: a class exercise in a colleague’s lab wiping a desktop OS

    • Partition type identifiers (illustrative, non-exhaustive):

      • Linux native: 0x83

      • Linux swap: 0x82

      • Linux extended: 0x85

      • NTFS: 0x07

      • FAT32: 0x0B

      • FAT with LBA: 0x0C

    • Making a filesystem requires knowing the partition type; wrong type can render a drive unusable

    • Practical note: partitioning knowledge is essential in forensics because drive structures determine how data is stored and how it can be recovered
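`fdisk -l` builds its listing from the partition entries stored in the first sector of the drive. As an added example (not from the lecture), this Python decodes a constructed MBR sector into the same fields, using the lecture's type identifiers; the `SAMPLE_MBR` layout and the names `parse_mbr`/`entry` are this example's own.

```python
import struct

# Partition type identifiers from the lecture (illustrative, not exhaustive).
PART_TYPES = {0x83: "Linux native", 0x82: "Linux swap", 0x85: "Linux extended",
              0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # containers that hold nested logical partitions

def parse_mbr(sector: bytes) -> list:
    """Decode the four primary entries of a classic MBR (bytes 446..509)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        # entry: boot flag, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:              # empty slot
            continue
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
                      "start_lba": lba, "sectors": count, "size_mib": count * 512 // 2**20,
                      "extended": ptype in EXTENDED_TYPES})
    return parts

def entry(boot: int, ptype: int, lba: int, count: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", boot, ptype, lba, count)

# Constructed sample MBR: bootable Linux root, swap, and an extended container.
SAMPLE_MBR = (bytes(446)
              + entry(0x80, 0x83, 2048, 1048576)      # sda1, 512 MiB, bootable
              + entry(0x00, 0x82, 1050624, 262144)    # sda2, 128 MiB swap
              + entry(0x00, 0x85, 1312768, 2097152)   # sda3, 1 GiB extended container
              + entry(0, 0, 0, 0)                     # unused slot
              + b"\x55\xaa")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        flag = "*" if p["bootable"] else " "
        print(f"{flag} sda{p['index']}  start={p['start_lba']:>8}  {p['size_mib']:>5} MiB  "
              f"0x{p['type']:02X} {p['name']}" + ("  [container]" if p["extended"] else ""))
```

Walking the logical partitions inside the extended container needs the chain of EBR sectors that follow it, which a single 512-byte sector does not hold.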

  • Windows server and RAID concepts for data redundancy and forensic relevance

    • Demonstration of a Windows server with a primary drive plus three physical drives acting as a single volume for redundancy

    • Redundancy concept: protecting data against drive failure; importance in servers

    • RAID overview (as described in the lecture):

    • RAID 0 (striping): data split across two or more drives for performance

      • Minimum drives: 2

      • Usable capacity: $\text{usable} = n \times S$, where S is drive size and n is number of drives

    • RAID 1 (mirroring): data is duplicated on two drives for redundancy

      • Minimum drives: 2

      • Usable capacity: $\text{usable} = S$ (single drive capacity equivalent)

    • RAID 5: block-level striping with distributed parity across drives

      • Minimum drives: 3

      • Usable capacity: $\text{usable} = (n-1) \times S$

    • RAID 6: striping with double parity across drives

      • Minimum drives: 4

      • Usable capacity: $\text{usable} = (n-2) \times S$

    • RAID 10 (RAID 1+0): combination of mirroring and striping; typically requires 4 drives

      • Usable capacity: depends on configuration; with 4 drives, effectively 2 × S (two mirrored stripes)

    • Note: No RAID 2, 3, 4 in common practice; RAID 5 and RAID 6 are common for servers; RAID 10 is widely used for performance+redundancy

    • Forensics perspective on RAID:

    • Static acquisition: must know the RAID layout (which drive is drive zero, drive one, etc.) to preserve order; if drives are removed out of order, data integrity can be compromised

    • Dynamic/logical acquisition: can copy data from the RAID while it’s active; the forensic tool (e.g., EnCase) can reconstruct the array if properly configured (specify RAID level and drive order)

    • For static acquisition, order matters because the operating system mirror/stripe relationships are tied to drive identities

    • If a drive is missing, reconstructing the RAID requires careful configuration (drives labeled as drive0, drive1, drive2, etc.)

    • Forensics workflow implications:

    • Always verify RAID configuration and order before imaging

    • Decide between static vs logical acquisition based on case constraints and available budget/tools
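The reconstruction and drive-order points above, as an added example that is not part of the lecture or of any forensic tool: a small RAID 5 simulation in Python that stripes data with rotating XOR parity, rebuilds one missing drive, and shows that reading the drives in the wrong order garbles the data. The rotation rule (parity chunk moves one slot per stripe) and the names `raid5_write`, `raid5_read`, `parity_consistent` are this example's own simplifications; real controllers use their own layouts.

```python
from functools import reduce

def xor(*blocks: bytes) -> bytes:
    """Byte-wise XOR of equal-length chunks: the RAID 5 parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def raid5_write(data: bytes, n: int, chunk: int) -> list:
    """Stripe data over n drives; one chunk per stripe is parity, rotating by stripe number
    (a constructed rotation rule; real controllers use their own layouts)."""
    per_stripe = (n - 1) * chunk                        # user bytes in one stripe
    stripes = -(-len(data) // per_stripe)               # ceiling division
    data = data.ljust(stripes * per_stripe, b"\0")      # pad the last stripe
    drives = [bytearray() for _ in range(n)]
    for s in range(stripes):
        base = s * per_stripe
        blocks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(n - 1)]
        parity, parity_slot = xor(*blocks), s % n
        for d in range(n):
            drives[d] += parity if d == parity_slot else blocks.pop(0)
    return [bytes(d) for d in drives]

def raid5_read(drives: list, chunk: int) -> bytes:
    """Reassemble user data in drive order. One entry may be None (a missing drive);
    its chunks are rebuilt as the XOR of every other chunk in the same stripe."""
    n = len(drives)
    present = [d for d in drives if d is not None]
    if len(present) < n - 1:
        raise ValueError("RAID 5 can rebuild at most one missing drive")
    out = bytearray()
    for s in range(len(present[0]) // chunk):
        def slot(d): return drives[d][s * chunk:(s + 1) * chunk]
        for d in range(n):
            if d == s % n:                              # skip the parity chunk
                continue
            out += slot(d) if drives[d] is not None else xor(*(slot(o) for o in range(n) if o != d))
    return bytes(out)

def parity_consistent(drives: list, chunk: int) -> bool:
    """True when every stripe XORs to zero (all drives present). A swapped drive order
    still passes, so parity alone cannot confirm drive order; only the reassembled
    filesystem structures can."""
    return all(not any(xor(*(d[s * chunk:(s + 1) * chunk] for d in drives)))
               for s in range(len(drives[0]) // chunk))

# Constructed sample: 46 bytes of "evidence" striped over three drives, 8-byte chunks.
DATA = b"forensic image test data 1234567890 abcdefghij"
DRIVES = raid5_write(DATA, 3, 8)
```

The parity check passing on a mis-ordered set is the practical reason the lecture insists on labelling drive0, drive1, drive2 at seizure time rather than trusting the tool to notice.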

  • Forensics data handling: artifacts, RAM, and data access considerations

    • Static acquisition vs. logical acquisition differences summarized

    • Static: image whole drives, preserve physical order and RAID structure; requires knowledge of drive order and RAID configuration

    • Logical: copy data as presented by the running system; may mask RAID structure but captures data as accessible by the OS

    • In EnCase, you can specify RAID level and drive mappings to reconstruct data even if one drive is missing, but you must know order and configuration

    • Emphasis on order and careful documentation to preserve evidentiary integrity

    • RAM and data in memory:

    • When a USB device or file is opened, copies can be loaded into RAM; decrypted data may exist in RAM even if encrypted on disk

    • Multiple copies can exist in memory (the document mentions Word creating multiple copies when opening a document)

  • Media evidence, USBs, printers, smart devices, and data sources in forensic scope

    • Potential sources of digital evidence:

    • Thumb drives, hard drives, external USBs

    • Printers (may retain memory of last jobs)

    • RAM-containing devices (smart devices with memory)

    • Car electronics (GPS, OnStar, built-in entertainment systems)

    • Smart devices and appliances (devices with data logging)

    • USB thumb drives: handling, risk, and safety considerations

    • Don’t plug unknown USB drives into systems unless in a sandbox environment; risk of malware

    • Sandbox concept: a sandbox computer isolates execution to a protected area; prevents the malware from affecting the host

    • Cuckoo Sandbox (Linux distribution) can sandbox devices and report what a program attempts to do at the process/memory level

    • Security by obscurity example: a LEGO brick thumb drive disguised as a toy; threats include hidden devices in plain sight

    • Encryption and access controls on USB drives:

    • Some drives are AES-encrypted with biometric readers; data remains inaccessible without the proper biometric unlock

    • Warrant scope: access to encrypted drives may require proper legal authority; plain sight does not grant access to encrypted content

    • Artifacts on devices:

    • If a drive is plugged into a computer, OS-level artifacts may exist in RAM or on the drive (system logs, prefetch data, caches, etc.)

    • Even if a drive is encrypted on disk, data can exist in RAM when accessed

    • Forensic planning around media: consider which artifacts will exist if the drive is wiped, damaged, or otherwise destroyed; budgets constrain the ability to recover damaged drives

    • Example anecdotes illustrate that physical tampering or damage (burning, shredding) can prevent data recovery; some devices may be irrecoverable even with significant investment

  • Generated reports vs stored reports; time stamps and forensic timelines

    • Transcript examples and reporting concepts:

    • Generated reports: content produced on demand by software (e.g., a transcript generator or real-time report); may not be saved with a timestamp historically

    • Stored reports: a saved copy (e.g., a PDF transcript) that is time-stamped and stored for future reference

    • Time stamps and file metadata:

    • FAT32: four time-related fields often discussed as Create, Modify, Access (and potentially Write/change metadata)

    • NTFS: similar timestamps plus more detailed metadata (e.g., MFT-based tracking)

    • Four timestamps exist for a file: Create, Modify, Access, and Write (the textbook uses these terms; practical interpretation may vary by filesystem)

    • Why time stamps matter in forensics:

    • Helps build a timeline of events and determine when data was created, accessed, or modified

    • Inconsistencies (e.g., last access earlier than creation) may indicate tampering or improper handling

    • Timeline reconstruction goal:

    • Determine what occurred when, to support a forensic narrative and legal conclusions
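The timeline and inconsistency points above, as an added example that is not from the lecture: a Python timeline builder over constructed file records that flags orderings normal use cannot produce. It also handles one caveat the lecture's "practical interpretation may vary by filesystem" remark points at: FAT32 stores the last-access stamp as a date only, so a naive "accessed before created" comparison raises false alarms on same-day files. The record layout and the names `FileTimes`, `anomalies`, `timeline` are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileTimes:
    path: str
    fs: str                 # "FAT32" or "NTFS" (constructed labels for this example)
    created: datetime
    modified: datetime
    accessed: datetime

def access_window(f: FileTimes):
    """FAT32 stores the last-access stamp as a date only, so treat it as a whole-day
    window; NTFS keeps a full timestamp, so the window collapses to an instant."""
    if f.fs == "FAT32":
        day = f.accessed.replace(hour=0, minute=0, second=0, microsecond=0)
        return day, day + timedelta(days=1)
    return f.accessed, f.accessed

def anomalies(files) -> list:
    """Flag orderings that normal use cannot produce. Comparing the raw FAT32 access
    date with a creation time would raise false 'accessed before created' alarms."""
    findings = []
    for f in files:
        if f.modified < f.created:
            findings.append((f.path, "modified before created (copied file or clock change)"))
        if access_window(f)[1] < f.created:     # whole access window precedes creation
            findings.append((f.path, "accessed before created"))
    return findings

def timeline(files) -> list:
    """Chronological (time, event, path) list for the forensic narrative."""
    events = []
    for f in files:
        events += [(f.created, "created", f.path), (f.modified, "modified", f.path),
                   (access_window(f)[0], "accessed (window start)", f.path)]
    return sorted(events)

# Constructed sample records (not real evidence).
SAMPLE = [
    FileTimes("report.docx", "NTFS", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 30), datetime(2024, 3, 2, 8, 0)),
    FileTimes("notes.txt", "FAT32", datetime(2024, 3, 1, 14, 30), datetime(2024, 3, 1, 14, 30), datetime(2024, 3, 1)),
    FileTimes("copied.pdf", "NTFS", datetime(2024, 3, 5, 10, 0), datetime(2024, 2, 20, 12, 0), datetime(2024, 3, 5, 10, 0)),
    FileTimes("odd.bin", "NTFS", datetime(2024, 3, 3, 12, 0), datetime(2024, 3, 3, 12, 5), datetime(2024, 3, 2, 12, 0)),
]
```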

  • Privacy, plain sight doctrine, and search/seizure fundamentals in forensics context

    • Legal framework overview discussed in class:

    • To obtain data from a drive, law enforcement typically needs probable cause and a warrant, unless consent is given or an exception applies

    • Plain sight doctrine: three-pronged test for lawful observation without a warrant

      • Lawfully present: officer must be there legally

      • Observed by chance: observation must be incidental and not the result of deliberate enhancement

      • No enhanced senses: the observation must not rely on devices that amplify perception (e.g., binoculars, zoom lenses, or high-tech magnification)

    • If enhanced senses are used to observe (e.g., magnification, camera zoom) the plain sight doctrine may be violated

    • If an object is revealed to the public or through lawful entry, it may be admissible under plain sight

    • Door and entry strategies discussed for home safety and privacy:

    • Do not let unknown individuals enter your home; keep doors closed and secure

    • Storm doors and wooden doors: visibility and boundary considerations about entry and privacy

    • General cautions about search authorities:

    • Lawful presence, probable cause, and the correct procedures are essential

    • Avoid triggering or relying on plain sight in ways that could be deemed unlawful if senses were enhanced

    • Online and digital privacy complexity:

    • Warrant requirements and plain sight apply differently to digital devices; data on a device may be accessible under lawful order and proper authentication

  • Real-world tech examples and ethical considerations in the forensic domain

    • OnStar and vehicle connectivity:

    • OnStar can locate a vehicle, communicate with the occupants, and call emergency services if needed; it can also be used to shut down a vehicle in certain contexts if lawfully authorized

    • Vehicle cybersecurity and privacy implications:

    • Modern cars with embedded computers can reveal GPS data, trip history, and other data through maintenance or law enforcement requests

    • Apple Watch fall detection and emergency services:

    • Falls trigger a notification and potential emergency call, sharing GPS coordinates if not responded to

    • The evolution of car radios and VIN-locked components:

    • Replacement radios may require VIN linkage; theft prevention and security tie-ins complicate simple hardware replacements

    • Broader implications:

    • The pervasiveness of data collection in everyday devices (cars, wearables, printers, home devices) raises ethical and legal questions about privacy, data control, and admissibility of digital evidence

  • Forensic best practices and practical takeaways

    • Always document drive order and RAID configuration before imaging; preserve chain of custody

    • Use sandboxing for unknown media to prevent contaminating forensic workstations

    • Consider RAM as a source of volatile data; data may exist in memory even if encrypted on disk

    • Distinguish between generated vs stored reports when presenting evidence; time-stamped stored artifacts are generally more reliable for court proceedings

    • Understand that real-world devices can create many copies of data across memory, caches, and temporary files; expect data to exist in multiple layers

    • Recognize that not all data will be recoverable; some devices may be destroyed or damaged beyond practical recovery given cost constraints

  • Personal/educational context and classroom dynamics

    • Mixed topics reflect an introductory course blending hands-on labs (forensics) with broader IT concepts (RAID, disks, privacy law)

    • The instructor uses humor and real-world anecdotes to illustrate complex topics and keep engagement high

    • Students discuss travel, driving courses, and personal stories as a way to relate to the material and reduce stress around exams

  • Summary of key concepts to remember for the exam

    • RAID types and usable capacity formulas:

    • RAID 0: $\text{usable} = n \times S$

    • RAID 1: $\text{usable} = S$

    • RAID 5: $\text{usable} = (n-1) \times S$

    • RAID 6: $\text{usable} = (n-2) \times S$

    • RAID10: combination of RAID0 on mirrored pairs; usable approximately half the total raw capacity when using 4 drives with equal sizes

    • Forensics imaging considerations:

    • Static vs logical acquisitions; importance of drive order and RAID reconstruction

    • EnCase capabilities for RAID configurations and the need to label drives correctly

    • Data and memory concepts:

    • RAM can contain decrypted data loaded from disks during access

    • File system metadata:

    • Create, Modify, Access, and Write timestamps and their importance for timelines

    • Privacy and law basics:

    • Probable cause and warrants; plain sight doctrine and its three prongs; lawful presence and non-enhancement of senses

    • Evidence handling and media safety:

    • Sandboxing unknown drives; encryption and biometrics; artifacts across devices (USBs, printers, cars, wearables)

  • Key formulas and numeric references to study

    • RAID usable capacity generally depends on the number of drives (n) and drive size (S):

    • RAID 0: $\text{usable} = n \times S$

    • RAID 1: $\text{usable} = S$

    • RAID 5: $\text{usable} = (n-1) \times S$

    • RAID 6: $\text{usable} = (n-2) \times S$

    • Time-related and procedural notes:

    • Break duration: approximately 30 minutes (~0.5 hours)

    • Break time shift: 10:15 AM

    • Filesystem timestamp dimensions (Create, Modify, Access, Write) in a typical forensic scenario

  • Practical study tips

    • Be comfortable with RAID configurations and how to reconstruct arrays in forensic tools

    • Practice distinguishing between generated and stored reports and understand why time stamps matter for chain-of-custody documentation

    • Memorize the three-prong plain sight test and the boundaries around search warrants and privacy expectations

    • Review sandboxing concepts and why handling unknown media with sandboxing mitigates risk to the forensic workstation

    • Understand how modern devices store data across memory, caches, and disks to anticipate where artifacts may exist