Digital Forensics Comprehensive Notes

Forensic Science & Digital Forensics

  • Definition & Scope
    • Forensic science = application of science to legal problems; digital forensics = application of computer science & investigative procedures to analyse digital evidence.
    • Beyond laptops/desktops: includes smartphones, tablets, GPS, networks, cloud, images, audio, video.
  • Key Uses
    • Criminal investigations (child-porn, identity theft, homicide, robbery, etc.)
    • Civil litigation / eDiscovery (multi-million-dollar exchanges of ESI)
    • Intelligence / military (DOMEX, battlefield exploitation, terrorism)
    • Administrative & corporate matters (SEC porn scandal, misuse of gov devices).
  • Locard’s Exchange Principle (Digital)
    • Digital footprints (registry keys, logfiles) remain; examiner’s job is to recognise & preserve.
  • Organisations of Note
    • SWGDE, AAFS/FEPAC, ASCLD/LAB, NIST (CFTT, NSRL, NICE), ASTM (E30.12), HTCC, RCFL program.

Key Technical Concepts

  • Bits, Bytes & Numbering Schemes
    • Bit = 0 or 1.
    • Byte = 8 bits.
    • Binary (base 2), Decimal (base 10), Hex (base 16; uses 0–9 & A–F).
    • ASCII (128 chars) & Unicode (multi-language) map bytes → glyphs.
  • File Identification
    • Extensions easily altered ⇒ rely on headers/footers (file signature analysis).
  • Storage Media
    • Magnetic (platters, actuator, 512-byte sectors), Flash, SSD, Optical.
    • Volatile vs Non-volatile memory.
  • File Systems & Data Types
    • FAT12/16/32/FATX, NTFS, HFS(+/X).
    • Active, Latent (deleted), Archival (back-ups/legacy tapes).
    • Allocated vs Unallocated; Slack; HPA/DCO.
  • Basic Computer Function
    • Filing cabinet (HDD) ↔ Desk (RAM) ↔ Worker (CPU).
    • Pagefile/swap & hibernation files store artifacts.
  • Computing Environments
    • Stand-alone, Networked, Mainframe, Cloud (IaaS/PaaS/SaaS).
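File signature analysis from the "File Identification" item, as an added example (not from the original notes): the well-known leading bytes of a few common formats are compared against the extension a file claims, so a renamed file stands out. The sample files and names are constructed for the demonstration.

```python
import os
from typing import Dict, List, Optional

# Well-known header signatures (magic bytes at offset 0) for a few common types.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Extensions whose container is one of the signatures above (OOXML documents are ZIP archives).
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify_by_header(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None when no signature matches."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def check_signature(name: str, data: bytes) -> Dict[str, object]:
    """Compare the extension a file claims with the type its header actually indicates."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    claimed = ALIASES.get(ext, ext)
    actual = identify_by_header(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and actual != claimed}


# Constructed sample files; only the header bytes matter for this check.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # a PNG renamed to look like text
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "readme.txt": b"plain text has no signature",
}


def scan(samples: Dict[str, bytes]) -> List[Dict[str, object]]:
    return [check_signature(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:14} claimed={r['claimed']:5} header={r['actual']}  {flag}")
```

A file whose header matches no known signature is reported with `actual=None` rather than as a mismatch, since the check cannot say what it is.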

Labs & Tools

  • Laboratory Models: Agency labs, FBI RCFLs, Virtual/Distributed labs.
  • Security & Evidence Storage
    • Controlled access, audit trails, data safes, antistatic bags, malware scans.
  • Policies, SOPs, QA
    • Technical & administrative peer review; proficiency tests (open/blind/internal/external).
    • Tool validation per NIST CFTT.
  • Digital Forensic Tools
    • Multipurpose: FTK, EnCase, SMART, X-Ways, Helix, SIFT.
    • Mobile/GPS: Cellebrite UFED, AccessData MPE+, Paraben DS.
    • Hardware: Write-blockers (Tableau, Wiebetech), cloning imagers, bridges.
  • Accreditation vs Certification
    • Labs: ASCLD/LAB Legacy & International (ISO/IEC 17025).
    • Individuals: competency + SWGDE core domains.

Collecting Evidence

  • Scene Priorities
    • Safety → Secure evidence (physical & network isolation) → Document → Collect.
    • Order of Volatility: CPU/cache → routing/ARP/process → RAM → swap/TMP → disk → off-site/backup.
  • Documentation
    • Photos (overall → mid → close), notes (chronological), sketches, labels.
  • Chain of Custody: every transfer logged; seals initialed & dated.
  • Cloning/Imaging
    • Bit-stream with validated write-block; hash (MD5/SHA-1 etc.) both source & image.
    • Forensically clean media (multi-pass overwrite). Formats: E01, 001/dd, AD1.
  • Live vs Dead Acquisition
    • Live: preserve RAM, decrypt volumes, but risk alteration – require minimal, documented interaction.
  • Hashing Uses
    • Verify images, filter known files (NSRL), integrity checks, identify duplicates.
  • Reporting
    • Plain-English summary, detailed findings, methodology, hashes, glossary, appendices (tool logs).
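The "Hashing Uses" item in code, as an added example (not from the original notes): one pass computes MD5, SHA-1 and SHA-256 in chunks, the source and image digests are compared, and a known-file hash set in the style of the NSRL is used to filter out files that need no further review. The file contents and the "known" set are constructed here.

```python
import hashlib
from io import BytesIO
from typing import Dict, Set

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image never has to fit in memory


def hash_stream(stream, algos=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Compute several digests in a single pass over a file-like object."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(source, image) -> bool:
    """An image is verified only when every digest matches the source."""
    return hash_stream(source) == hash_stream(image)


def filter_known(files: Dict[str, bytes], known_sha1: Set[str]) -> Dict[str, str]:
    """Return the files NOT in the known-file set, keyed by name, with their SHA-1."""
    remaining = {}
    for name, data in files.items():
        digest = hashlib.sha1(data).hexdigest()
        if digest not in known_sha1:
            remaining[name] = digest
    return remaining


# Constructed sample "disk" contents and a tiny known-file set built from two of them.
SOURCE = b"\x00" * 4096 + b"evidence.txt: meeting at 9" + b"\xff" * 4096
GOOD_IMAGE = bytes(SOURCE)
BAD_IMAGE = SOURCE[:4100] + b"X" + SOURCE[4101:]          # a single altered byte
FILES = {
    "kernel32.dll": b"constructed OS file A",
    "notepad.exe": b"constructed OS file B",
    "suspicious.docm": b"constructed user file",
}
KNOWN_SHA1 = {hashlib.sha1(FILES["kernel32.dll"]).hexdigest(),
              hashlib.sha1(FILES["notepad.exe"]).hexdigest()}


if __name__ == "__main__":
    print("image verified:", verify_image(BytesIO(SOURCE), BytesIO(GOOD_IMAGE)))
    print("altered image verified:", verify_image(BytesIO(SOURCE), BytesIO(BAD_IMAGE)))
    print("files left to review:", filter_known(FILES, KNOWN_SHA1))
```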

Windows System Artifacts

  • Deleted Data: reside in unallocated; recover via carving.
  • Hibernation (hiberfil.sys): captures RAM → disk; source of deleted artifacts.
  • Registry
    • Tracks USB (USBStor), recent docs, Run keys, user SIDs.
  • Recycle Bin: INFO2 + $I/$R records, time stamps, bypass with Shift+Del or NukeOnDelete.
  • Metadata (file & app): MAC times, authors, GPS EXIF; caution clock skew.
  • Thumbnail Cache (thumbs.db, thumbcache_*): survives deletion.
  • MRU Lists, Prefetch (.pf), Link (.lnk): corroborate usage & execution times.
  • Restore Points & Shadow Copies: historical Registry & files; great for timeline & deleted evidence.
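A parser for the Recycle Bin $I record mentioned above, as an added example (not from the original notes). The $I file keeps the metadata for a deleted file whose content lives in the matching $R file: an 8-byte version, the original size, the deletion time as a FILETIME (100-ns ticks since 1601-01-01 UTC) and the original path (fixed 520-byte UTF-16LE field in version 1, length-prefixed in version 2). The sample record here is constructed, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer floor division of timedeltas keeps the value exact
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_i_record(data: bytes) -> Dict[str, object]:
    """Parse a $I record into version, original size, deletion time and original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                      # Vista/7/8: fixed 260-char UTF-16LE path field
        raw = data[24:24 + 520]
    elif version == 2:                    # Windows 10+: u32 char count (incl. NUL), then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw.decode("utf-16-le").rstrip("\x00")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_i_record(path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructed version-2 record used only to feed the parser in this example."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(path) + 1)
    return header + encoded


SAMPLE_RECORD = build_i_record(r"C:\Users\alice\Documents\secret.docx", 1234,
                               datetime(2020, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in parse_i_record(SAMPLE_RECORD).items():
        print(f"{k:14} {v}")
```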

Antiforensics

  • Goals: hide, destroy, or confuse.
  • Encryption
    • Symmetric vs Asymmetric; keyspace 2^128 etc.
    • Tools: EFS, BitLocker+TPM, FileVault2, TrueCrypt; full-disk vs container; password attacks (brute-force, dictionary, reset, exploit).
  • Steganography: carrier (image/audio/video) + payload, difficult detection; tools catalogued by SARC.
  • Data Destruction
    • Wipers (DBAN, Evidence Eliminator) → look for patterns/logs.
    • Defrag, format, SD card secure erase.
  • SSD Challenges
    • Wear-levelling, TRIM/Garbage Collection overwrite blocks → hashes change → evidence loss.

Legal Foundations

  • Fourth Amendment: governmental search + REP; warrant or exception.
    • Consent, exigency, plain view, private-search doctrine, border, probation.
  • Search Warrants
    • Probable cause, particularity, need for off-site imaging, describe hardware vs info.
  • ECPA / SCA
    • Govern provider disclosures; ECS vs RCS; subscriber vs content; timing & court orders.
  • eDiscovery
    • FRCP 2006 amendments; duty to preserve once litigation reasonably anticipated; Zubulake factors; cost-shifting; sampling.
  • Expert Witness / Daubert
    • Test methodology, validation, error rate; ability to explain to lay fact-finders (CSI effect).

Internet & E-Mail Forensics

  • Internet Basics: URL (protocol+host+TLD), DNS resolution, HTTP GET, static vs dynamic pages, client vs server side (JavaScript, PHP).
  • Browser Artifacts (IE focus)
    • INDEX.DAT tracks Cache, History, Cookies; TIF; TypedURLs; cache paths; no cache for HTTPS.
  • P2P (Gnutella): shared dirs, hash searches, botnets; child-porn & piracy.
  • Chat & Social Media
    • AIM, ICQ (UIN), IRC (DCC, private chans); log files/manual save; artifacts ↔ Registry.
  • E-Mail
    • Protocols SMTP/POP3/IMAP; headers (Message-ID, Received); spoofing, anonymous remailers; webmail artifacts (getmsg, Msglist).
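Reading Received headers the way the "E-Mail" item describes, as an added example (not from the original notes): each relay prepends its own Received line, so reversing them gives the path from the originating host to the recipient, and a sending address whose domain does not match the originating relay is a spoofing indicator worth a closer look. The message, hosts and addresses are constructed.

```python
import email
import re
from email import policy
from typing import Dict, List, Optional

# Constructed sample message: an apparently internal sender injected via an outside relay.
RAW_MESSAGE = b"""Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby inbox.example-corp.test with ESMTP id abc123; Tue, 2 Jan 2024 09:15:02 +0000
Received: from relay.free-mail.test (relay.free-mail.test [198.51.100.7])
\tby mx.example-corp.test with ESMTP id def456; Tue, 2 Jan 2024 09:15:01 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.free-mail.test with SMTP id ghi789; Tue, 2 Jan 2024 09:14:58 +0000
Message-ID: <20240102091458.1234@free-mail.test>
From: "CEO" <ceo@example-corp.test>
To: finance@example-corp.test
Subject: Urgent wire

Please process the attached invoice today.
"""


def parse_hop(value: str) -> Dict[str, Optional[str]]:
    """Pull the from/by hosts and the first bracketed IPv4 out of one Received header."""
    flat = " ".join(value.split())              # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)", flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    return {"from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None}


def received_chain(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Return hops earliest to latest; headers are stored latest-first, hence the reverse."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def origin_mismatch(raw: bytes) -> Optional[str]:
    """Return the originating relay when it is outside the From domain, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    first_hop = received_chain(raw)[0]
    if first_hop["by"] and not first_hop["by"].lower().endswith(from_domain):
        return first_hop["by"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(f"hop {i}: {hop['ip']} ({hop['from']}) -> {hop['by']}")
    print("origin outside From domain:", origin_mismatch(RAW_MESSAGE))
```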

Network Forensics

  • Network Types: LAN, WAN, MAN, CAN, PAN, GAN; client/server vs P2P.
  • Core Components: IP addressing (IPv4 → IPv6), routers, switches, gateways, logs.
  • Packets: Header (src/dst IP, seq), Payload, Trailer (CRC).
  • Security Tools: Firewalls, IDS/IPS (Snort), SIEM, router ACLs.
  • Attacks: DDoS, IP spoofing, MITM, brute-force, exploit, social engineering, insider threats.
  • Incident Response Life-cycle (NIST 800-61)
    • Preparation, Detection/Analysis, Containment, Eradication, Recovery, Post-incident.
  • Evidence Sources: Sys/app/auth logs, router/firewall logs, PCAPs; volatility & jurisdiction issues.

Mobile Device Forensics

  • Cellular Architecture
    • Cells → BTS → BSC → MSC → PSTN; handoff; GSM (TDMA+SIM+IMEI), CDMA (ESN), iDEN (PTT).
  • Artifacts
    • Call logs, SMS/MMS, contacts, e-mail, app data, GPS, browser, photos, deleted.
  • SIM Forensics: ICCID, IMSI, last tower, SMS, PIN/PUK.
  • Acquisition
    • Physical vs Logical; isolation (Faraday bag), power concerns; UFED, MPE+, Oxygen, viaExtract, flasher boxes; manual triage/photos.
  • Carrier Records
    • CDRs show date/time/duration, dialed #, tower IDs; need subpoena; retention varies (≈ 7–30 days for SMS).
  • GPS Devices
    • Trackpoints, Waypoints, Tracklogs; simple→connected; evidence of routes & intent.

Future Challenges & Concerns

  • Standards & Controls Debate
    • Traditional sciences require known controls; SWGDE argues false-positive impossible, prefers validation + hashing.
  • Cloud Forensics
    • Virtualised, multi-tenant, cross-border; lack of tools; rapid deletion (no slack); SLA & legal process essential.
  • Solid State Drives
    • Wear-levelling/TRIM destroy data quickly; acquisition hashes unstable; research ongoing.
  • Velocity of Change
    • New OS versions, apps, devices ⇒ backlog; importance of community (SANS, Twitter, SWGs) & continuous education.