Digital Forensics Data Analysis: Stage 1 – Preliminaries

Preliminaries in Digital Investigations

  • A scientific and structured stage.
  • Focuses on identifying and organizing core information early.
  • It is NOT analysis or drawing investigative conclusions.
  • Sets the groundwork for a defensible and logical case.

Case Folder Structure: Digital Housekeeping

  • Using folders to maintain organization.
  • Example structure:
    • /Original_Source
    • /Working_Copy
    • /Extraction
    • /Working
    • /Reports
    • /Notes
    • /Screenshots
  • Structure should be logical, repeatable, and documented.

Testing Tools

  • Tools need testing to ensure trustworthiness.
  • Two types of testing:
    • Tool Function: does the tool produce the correct output for a known input (e.g., a published test vector)?
    • Process Function: does the whole method, the tool plus the way the examiner uses it, give the same reliable result each time?
  • Important to understand strengths, weaknesses, and limitations of tools.

Importance of Hardware Testing

  • Testing extends beyond software to hardware.
  • Examples:
    • Write blockers
    • Imaging devices
    • Power & data cables
    • Graphics card
    • Sound
    • Network
  • Confirm each component is compatible with the evidence and behaves as expected before it touches evidence (e.g., verify that a write blocker actually blocks writes).

Real Example: When Tools Go Rogue

  • An internet history tool placed browser data synced from another device in columns past 100 of its output, far to the right of the columns an analyst would normally scroll to.
  • Teachers were wrongly accused on the basis of that misinterpreted output.
  • Lesson: explore the full width and depth of every tool's output; never assume the visible columns are all there is.
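The check that would have caught the column-100+ problem above, as an added example (not the tool or the case from the lecture): profile every column of an export, including ragged rows, and list the columns past the point the examiner actually looked at that still hold data. The CSV below is constructed for the example.

```python
import csv
import io

# Constructed sample export (not from any real tool): a history-style CSV in
# which one populated column sits at index 101, past 98 empty filler columns.
SAMPLE_EXPORT = (
    "url,title,visit_time" + ",unused" * 98 + ",synced_from_device\n"
    + "https://example.test/a,Page A,2023-05-01T10:00:00Z" + "," * 98
    + ",phone-of-another-user\n"
    + "https://example.test/b,Page B,2023-05-01T10:05:00Z" + "," * 98 + ",\n"
)


def profile_columns(csv_text):
    """Count non-empty cells per column index across every row.

    Rows are allowed to be ragged (different lengths), so a value parked far to
    the right in a single row is still seen.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    profile = {}
    for row in reader:
        for idx, cell in enumerate(row):
            name = header[idx] if idx < len(header) else "col%d" % idx
            entry = profile.setdefault(idx, {"name": name, "populated": 0})
            if cell.strip():
                entry["populated"] += 1
    return profile


def populated_beyond(profile, first_unviewed_index):
    """Column indices at or past the last column the examiner looked at
    that carry data in at least one row."""
    return sorted(
        idx for idx, entry in profile.items()
        if idx >= first_unviewed_index and entry["populated"] > 0
    )


if __name__ == "__main__":
    profile = profile_columns(SAMPLE_EXPORT)
    for idx in populated_beyond(profile, first_unviewed_index=10):
        print("column %d (%s) has data in %d row(s)" % (idx, profile[idx]["name"], profile[idx]["populated"]))
```

Run this against any tool export before reading it: a populated column you have never scrolled to is a finding in itself, and its header (here `synced_from_device`) tells you how the rows in it must be interpreted.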

Note Taking: Our Digital Diary

  • Contemporaneous notes are vital.
    • Record actions, reasons, and thoughts.
  • Supports reporting and expert testimony.

Imaging Report

  • Imaging involves a documented acquisition process.
  • Key elements to document: start and finish times, hashes of source and image, acquisition method and tool version, and the hardware used (write blocker, imaging device, drive identifiers).

Hashing

  • Hash confirms integrity but doesn't prove:
    • Usefulness of the data
    • Correctness of the data
  • A matching hash shows the copy is identical to the source; it does not show that the source was complete, readable, or meaningful.

Partition Maps: Layout Matters

  • Visualize disk layout to find:
    • Gaps
    • Suspicious partitions
    • Hidden zones
  • Further details were covered in a previous Disk Map Lecture.
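An added example of the layout check (not from the lecture's disk map material, and the MBR below is constructed): parse the four MBR partition entries, flag type codes that mark a partition as hidden, and report every unallocated range and overlap against the disk size. The hidden-type set lists the hidden FAT/NTFS codes of the classic MBR type table.

```python
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # hidden FAT/NTFS variants


def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte MBR partition entry. CHS fields are zeroed; modern
    tooling reads the LBA fields."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR: one bootable NTFS partition, a gap, then a partition
    carrying the 'hidden NTFS' type code, and unused space at the end."""
    entries = [
        make_entry(0x80, 0x07, 2048, 409600),
        make_entry(0x00, 0x17, 614400, 204800),
        bytes(16),
        bytes(16),
    ]
    return bytes(446) + b"".join(entries) + b"\x55\xAA"


def parse_mbr(sector0):
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR, or a damaged one")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "hidden_type": ptype in HIDDEN_TYPES,
            "start": start,
            "end": start + count - 1,
        })
    return sorted(parts, key=lambda p: p["start"])


def find_gaps(parts, disk_sectors):
    """Return (gaps, overlaps) as (first_sector, last_sector) ranges. Sector 0
    holds the MBR; the usual 1..2047 alignment slack appears as a gap and is
    expected, anything larger deserves a look in a hex viewer."""
    gaps, overlaps = [], []
    cursor = 1
    for p in parts:
        if p["start"] < cursor:
            overlaps.append((p["start"], min(p["end"], cursor - 1)))
        elif p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps, overlaps


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    gaps, overlaps = find_gaps(parts, disk_sectors=1024000)
    for p in parts:
        flag = " (hidden type)" if p["hidden_type"] else ""
        print("slot %d type 0x%02x sectors %d-%d%s" % (p["slot"], p["type"], p["start"], p["end"], flag))
    for first, last in gaps:
        print("unallocated: sectors %d-%d (%d sectors)" % (first, last, last - first + 1))
```

Every range printed as unallocated is a place to look, not a conclusion; the reason the slot is empty (alignment, a deleted volume, a deliberately unmapped region) comes from the data in those sectors.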

Operating System Information

  • Provides context for the data.
  • Include the OS type, version, timezone, name, and drive letters.
  • These values can be stale (a timezone set long ago, an old hostname) or changed by the user, so treat them as context to confirm rather than ground truth.

Timestamps

  • Cross-check and contextualize timestamps.
  • Issues with timestamps:
    • Different sources and formats.
    • Timestamps can be altered.

Usernames and SIDs

  • Link actions to accounts, not people.
  • Example: 'Smith account' ≠ 'Smith did it'.
  • Usernames and SIDs are clues, not definitive conclusions.
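An added example of turning a SID into an account (illustrative code, not from the lecture): decode the binary SID layout found in registry and security descriptors, split off the RID, and resolve it against a ProfileList-style table. The ProfileList entries and the machine SID sub-authorities below are constructed.

```python
import struct

# Constructed sample of the ProfileList registry key, SID -> ProfileImagePath.
# The machine SID sub-authorities (1111111111-...) are made up.
PROFILE_LIST = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": r"C:\Users\Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"C:\Users\smith",
    "S-1-5-21-1111111111-2222222222-3333333333-1002": r"C:\Users\jones",
}

WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_binary_sid(blob):
    """Decode the on-disk SID layout: revision (1 byte), sub-authority count
    (1 byte), 48-bit big-endian identifier authority (6 bytes), then `count`
    little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(text):
    """Inverse of parse_binary_sid; used here only to build constructed input."""
    fields = text.split("-")
    revision, authority = int(fields[1]), int(fields[2])
    subs = [int(f) for f in fields[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe_sid(text, profile_list=PROFILE_LIST):
    fields = text.split("-")
    rid = int(fields[-1])
    profile = profile_list.get(text)
    return {
        "sid": text,
        "issuer": "-".join(fields[:-1]),   # machine or domain SID
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "profile_path": profile,
        # ProfileImagePath is fixed when the profile is first created and does
        # not follow later account renames, so the folder name is a clue to
        # the account name, not the name itself.
        "account": profile.rsplit("\\", 1)[-1] if profile else None,
        "finding": "actions under this SID were performed using this account; "
                   "who was at the keyboard is a separate question",
    }


if __name__ == "__main__":
    raw = encode_sid("S-1-5-21-1111111111-2222222222-3333333333-1001")
    print(describe_sid(parse_binary_sid(raw)))
```

The returned record deliberately stops at the account: the 'Smith account' is established by the SID, while 'Smith did it' needs logon records, device presence and the other artefacts gathered in this stage.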

Installed Applications Audit

  • Compare default apps vs. added software.
  • Check install dates and compatibility.
  • Example: a Steam game listed as installed may never have run if it is not compatible with the OS version, so an install record alone does not show use.

Devices

  • Look for:
    • File transfer clues
    • Device ID
    • User presence
  • Supports timeline and activity reconstruction.

Activity Overview

  • Establish normal vs. suspicious patterns.
  • Consider program launches, file access, and web history.

Timelining

  • Consider surrounding activity.
  • Account for background noise (automatic system activity) as well as related artefacts.
  • Adds depth to the timeline.
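An added example covering the Timestamps and Timelining slides together (illustrative code, not from the lecture): normalise timestamps from four sources with different formats to UTC, sort them into one timeline, and pull out the surrounding activity around an artefact of interest. The events, the assumed system timezone of UTC+1 and the timestomping heuristic are the example's own; the heuristic is a hint, not proof.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption for the example: the timezone recorded in the OS information
# gathered earlier in this stage is UTC+1.
SYSTEM_TZ = timezone(timedelta(hours=1))


def from_filetime(value):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC (NTFS $MFT
    attributes, registry LastWrite)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def from_unix(seconds):
    """Unix epoch seconds, always UTC."""
    return datetime.fromtimestamp(seconds, timezone.utc)


def from_local_text(text, fmt, system_tz):
    """A naive, locally written timestamp means nothing until the timezone
    recorded for the system is attached to it."""
    return datetime.strptime(text, fmt).replace(tzinfo=system_tz).astimezone(timezone.utc)


def from_iso(text):
    """ISO 8601 with an explicit offset or a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def si_backdated(si_created, fn_created):
    """Heuristic timestomping hint: $STANDARD_INFORMATION is what user-mode
    tools can set, $FILE_NAME is maintained by the kernel, so $SI predating
    $FN is inconsistent with normal file creation."""
    return si_created < fn_created


# Constructed events from four sources, each in its native format.
RAW_EVENTS = [
    ("mft", "report.docx $SI modified", from_filetime(133300872000000000)),
    ("download_log", "report.docx download complete", from_unix(1685613720)),
    ("print_spool", "print job report.docx",
     from_local_text("2023-06-01 11:03:30", "%Y-%m-%d %H:%M:%S", SYSTEM_TZ)),
    ("security_log", "smith account interactive logon", from_iso("2023-06-01T09:15:00Z")),
]


def build_timeline(events):
    """One list, one clock: every event carries its source so that a reader
    can go back to the original format and check the conversion."""
    return sorted(
        ({"utc": utc, "source": src, "detail": detail} for src, detail, utc in events),
        key=lambda e: e["utc"],
    )


def context_window(timeline, source, minutes=5):
    """Every event within +/- minutes of the first event from `source`: the
    surrounding activity that gives a single artefact its context."""
    anchor = next(e for e in timeline if e["source"] == source)
    span = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e["utc"] - anchor["utc"]) <= span]


if __name__ == "__main__":
    timeline = build_timeline(RAW_EVENTS)
    for e in context_window(timeline, "download_log"):
        print(e["utc"].isoformat(), e["source"], e["detail"])
```

The logon at 09:15 sits outside the five-minute window and so is not part of the download's immediate context, but it still belongs in the full timeline: widening the window is how the 'background noise' and the related artefacts get examined together.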

Going Case-Driven

  • Mapping:
    • Artefacts of interest
    • Relationships
    • Timelines
  • Builds the story framework.

Identifying Artefacts of Interest

  • Use intel reports, interviews, and scene logs.
  • Map digital + non-digital for rich context.

Weighting Evidence

  • Artefacts need context, including timeline, motive, and source.
  • A single file ≠ proof.

Gaps in the Story

  • Spot what's missing:
    • Gaps in actions
    • Unanswered questions
  • Directs the next stage of investigation.

Hand-Checking the Nuggets of Gold

  • Key artefacts deserve a human review.
    1. Review Structure
    2. Confirm Logic
    3. Trust but Verify

Dual Tool Verification

  • Run two independent tools over the same data and follow up with a manual check of the raw bytes.
  • Agreement confirms consistency; any disagreement tells you which output to distrust and where to look by hand.

System Experiments

  • Reproduce scenarios to test assumptions.
  • Rule out false positives.