Comprehensive Study Notes from Forensics Lab Transcript

Course Platform and Access

  • Blackboard versus Brightspace: confusion over the names; Brightspace shells are open; the new course outline versus last semester's outline was referenced.

  • Course naming and sections: CFR 221 NE 1; ensure your shell says NE1; switching from another section to NE can cause minor access issues.

  • Tools for access: no VMware access today; clusters are not created yet but will be set up; students in the cybersecurity program will get dedicated infrastructure.

  • Desktop/software environment references:

    • VMware server not yet used by students.

    • Clusters and templates not created yet.

  • Anecdote about space and administration: extra mouse present; minor procedural humor.

Virtualization Lab and IaaS Concept

  • Description of the lab hardware: a compact chassis with about 315 GHz of aggregate processing power (as stated), ~2 TB RAM, and ~30 TB storage; effectively four IBM servers clustered into one powerful system.

  • Current setup: running 1,166 virtual machines (VMs). Students will get their own networked environment.

  • Per-student infrastructure idea:

    • Each student receives their own router, unmanaged switch, Kali box, Ubuntu, Windows, and Windows Server.

    • This is presented as Infrastructure as a Service (IaaS). It follows the student across terms; it’s persistent until they graduate.

  • Comparison to other colleges: most provide VM-based machines per semester; here, students maintain a dedicated platform.

  • Flexibility: if more resources are needed, the instructor can provision additional servers.

  • Instructor’s example setup: own cluster contains various security-oriented images (Parrot, Kali, Mapix, Windows variants, CAD-oriented Windows).

  • Reliability approach: if a VM is damaged, it can be replaced easily by deleting and recreating it.

Forensics Tools and Licensing

  • Primary tool: EnCase (professional version), a respected forensics tool used in real judicial and law-enforcement contexts (e.g., NYPD computer forensics).

  • Licensing mechanics:

    • EnCase requires a license server plus a USB dongle; without a valid license it runs in Acquisition mode only (imaging works, but processing and viewing contents do not).

    • Both the license server and the dongle must be reachable/connected to unlock the full feature set.

  • Other tools mentioned: Autopsy (open-source), FTK (commercial), and FTK Imager (free but closed-source) as alternatives.

  • Open-source caveat: because Autopsy is open source, anyone can modify and rebuild it; trust in a given installation is justified by verifying the executable's hash against the published known-good value.

  • The instructor’s real-world point: you must be able to explain how EnCase and other tools work to opposing counsel during voir dire; this includes understanding verification, hashing, and data integrity.

  • Acquisition versus processing modes:

    • Acquisition mode allows imaging and creation of the Ex01 file (the EnCase evidence file, heard as "EXO1" in the transcript); processing mode allows analysis, bookmarking, and reporting.

  • FTK dongle as a secondary example: FTK license dongle used to authorize FTK in a similar fashion.

  • Hands-on licensing readiness: server-side licensing verification is required; if the server is offline, EnCase stays in Acquisition mode.

Acquisition Workflow and Data Integrity (EXO1, Hashing, CRC)

  • Original drive handling:

    • Drive is connected to an acquisition workstation with a hardware write blocker in place to ensure read-only access.

    • The data copy is a bit-by-bit (bitwise) copy of the entire drive, including unused areas and deleted data.

  • Verification steps:

    • First, hash the entire original drive to produce a verification hash H(drive).

    • Create an Ex01 file whose header stores H(drive) alongside the case metadata.

    • Read the drive in fixed-size blocks (the transcript says 64 bytes; the actual EnCase Expert Witness Format defaults to 64-sector, 32 KiB chunks), write each block, and compute a CRC for it; repeat across the entire drive.

    • The result is a complete bitwise image with an integrity check for every block plus a hash over the whole.

  • Bit-by-bit copying (bitwise copy):

    • Copying every single bit (0/1) of the drive, including allocated, unallocated, and deleted data; no data is omitted.

    • Contrast with typical file-level copies (which would skip deleted or unallocated space).

  • EXO1 file governance:

    • The Ex01 file holds the original drive hash, case metadata (examiner name, case number, etc.), and the per-block checksums.

    • It is treated as immutable after creation: any change to its contents would fail the hash check, so it serves as the trusted baseline for the case data.

  • Workspace and case management:

    • A separate workspace (case file) is created and linked to the Ex01 image via a link file (recorded as "EXL1" in the transcript; exact name uncertain) so that processing never writes to the Ex01.

    • Changes are recorded within the workspace; the Ex01 and its header remain unaltered.

    • Undeletion and other manipulations happen in the workspace; the base image is preserved and considered unaltered.

  • Bookmarking and reporting:

    • As artifacts are found, bookmarks are added to the workspace; bookmarks feed into the final report.

    • EnCase automatically generates a case report from the bookmarks and artifacts.

  • Verification and repeatability:

    • Each time the workspace is opened, the system rehashes the data and verifies it matches the stored header hash to confirm data integrity.

    • If verification fails, the data is considered compromised and unusable in court.

    • According to the lecture, verification also happens for every data access, not only when the case is opened.

  • Legal and practical implications:

    • The process is designed to withstand challenges about data integrity; opposing counsel may question how change is prevented and verified.

    • The necessity to articulate how the tool (EnCase) ensures no alteration during processing is emphasized.

  • Conceptual overview of how this supports forensics testimony:

    • The combination of a header hash, CRC checks, and periodic re-verification creates a robust evidentiary chain of custody for digital evidence.
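
Worked example (added here; it is not from the lecture and not EnCase's real Ex01/EWF format): the acquisition and re-verification steps above, and the tool-hash comparison in the next section, reduced to a toy evidence container in Python. The header carries the whole-image SHA-256 and case metadata, every fixed-size block carries its own CRC, and verify() is what an examiner's tool would re-run on every open. The 64-byte block size, the container signature, the sample drive contents and the case metadata are all constructed assumptions for the demonstration.

```python
"""Toy evidence container modelled on the acquisition workflow in the notes:
a header carrying case metadata and the whole-image hash, one checksum per
fixed-size block, and full re-verification every time the container is opened.
Added illustration only; this is NOT the real EnCase Ex01/EWF format."""
import hashlib
import json
import struct
import zlib

BLOCK_SIZE = 64          # bytes per checksummed block, as the transcript states (assumption)
MAGIC = b"TOYEV01\x00"   # hypothetical container signature

# Constructed sample "drive": allocated content plus leftover deleted data.
SAMPLE_DRIVE = (
    b"BOOTSECT" * 8
    + b"invoice.txt: transfer 5000 to acct 1234  "
    + b"\x00" * 40
    + b"[deleted] draft_plan.docx remnant text"
    + b"\xff" * 30
)
CASE_META = {"examiner": "J. Doe", "case_no": "CFR221-LAB1"}  # constructed metadata


def acquire(source: bytes, case_meta: dict) -> bytes:
    """Image `source` bit-for-bit: header (hash + metadata), then CRC+data per block."""
    header = {
        "block_size": BLOCK_SIZE,
        "image_size": len(source),
        "sha256": hashlib.sha256(source).hexdigest(),  # H(drive) over the original
        "case": case_meta,
    }
    hdr = json.dumps(header, sort_keys=True).encode()
    out = bytearray(MAGIC + struct.pack("<I", len(hdr)) + hdr)
    for off in range(0, len(source), BLOCK_SIZE):
        blk = source[off:off + BLOCK_SIZE]
        out += struct.pack("<I", zlib.crc32(blk)) + blk  # CRC(B_i) stored ahead of B_i
    return bytes(out)


def parse(container: bytes):
    """Split a container into (header, [(stored_crc, block), ...]) without verifying."""
    if container[:8] != MAGIC:
        raise ValueError("not a toy evidence container")
    hlen = struct.unpack_from("<I", container, 8)[0]
    header = json.loads(container[12:12 + hlen])
    bs, pos, blocks = header["block_size"], 12 + hlen, []
    while pos < len(container):
        crc = struct.unpack_from("<I", container, pos)[0]
        blk = container[pos + 4:pos + 4 + bs]
        blocks.append((crc, blk))
        pos += 4 + len(blk)
    return header, blocks


def extract_image(container: bytes) -> bytes:
    """Reassemble the bitwise image (unallocated and deleted areas included)."""
    return b"".join(blk for _, blk in parse(container)[1])


def verify(container: bytes) -> dict:
    """What the tool does on every open: check each block CRC, then rehash the
    whole image and compare with the header hash. Any mismatch means the
    evidence can no longer be vouched for."""
    header, blocks = parse(container)
    bad_blocks = [i for i, (crc, blk) in enumerate(blocks) if zlib.crc32(blk) != crc]
    image = b"".join(blk for _, blk in blocks)
    hash_ok = (len(image) == header["image_size"]
               and hashlib.sha256(image).hexdigest() == header["sha256"])
    return {"ok": hash_ok and not bad_blocks, "hash_ok": hash_ok, "bad_blocks": bad_blocks}


def tamper(container: bytes, image_offset: int) -> bytes:
    """Simulate an unauthorised edit: flip one bit of evidence data at `image_offset`.
    Header and stored CRCs are left untouched, as a careless edit would leave them."""
    header, _ = parse(container)
    hlen = struct.unpack_from("<I", container, 8)[0]
    bs = header["block_size"]
    pos = 12 + hlen + (image_offset // bs) * (4 + bs) + 4 + image_offset % bs
    edited = bytearray(container)
    edited[pos] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    evidence = acquire(SAMPLE_DRIVE, CASE_META)
    print("fresh image:", verify(evidence))
    print("after 1-bit edit:", verify(tamper(evidence, 70)))
```

Running the block reports a clean verification for the fresh image and then, after a single-bit edit to evidence data, a failed whole-image hash plus the index of the damaged block, which is exactly what an examiner needs in order to explain to opposing counsel why the image can no longer be relied on. Checking a tool binary such as Autopsy against its published hash is the same hash_ok comparison, just without the per-block layer.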

Key Concepts: Open Source, Autopsy, and Expert Testimony

  • Open-source concern: Autopsy is free/open-source; it can be modified, which raises questions about reproducibility and authenticity in court.

  • Verification strategy for Autopsy:

    • A known-good hash of the original Autopsy distribution is compared with the hash of the installed executable; if they match, the installed copy has not been tampered with.

    • If the source code is modified, recompile would yield a new executable with a different hash; thus hash verification can demonstrate integrity.

  • Expert terminology in the new textbook:

    • Technical witness vs fact witness distinction; the new text uses “fact expert” and “technical expert” terminology.

    • The speaker emphasizes being able to articulate technical details to a voir dire panel to avoid disqualification as an expert.

  • Acquisition context in the textbook:

    • The textbook discusses image acquisition using The Sleuth Kit (old textbook reference).

    • The current lab uses EnCase for acquisition and processing, rather than relying solely on SleuthKit-based workflows.

Lab Design, Budgeting, and Real-World Economics

  • Lab planning considerations:

    • Each forensic examiner needs a dedicated workstation; one or more resource PCs with Internet access for research; an acquisition PC is needed for imaging.

    • The acquisition PC is typically very powerful and expensive (illustrative figure roughly $12k–$15k per unit, plus licenses).

    • A single lab with 10 examiners could require multiple workstations and several resource PCs; the cost scales quickly.

  • Cost estimates and examples:

    • Acquisition PC: approximately $12k–$15k (hardware plus licensing).

    • Regular workstation: ~$2k–$3k each.

    • Resource PC (Internet-connected): ~$5k.

    • Ten examiners could push equipment costs into the six-figure to seven-figure range for a fully equipped lab.

    • Licensing and software maintenance: EnCase licensing costs about $1,000 per year per license; ongoing maintenance around $5,000+ annually depending on scope.

  • Training and certification:

    • Forensics examiners require recertification every three years; failure to recertify forfeits certification.

    • Training budgeting includes both coursework and travel; typical classes cost around a few thousand dollars including travel and lodging; two to four training classes per person per year is normal in some plans.

    • A rough training budget example: 10 examiners × 2 classes/year × roughly $2,000 per class plus travel could approach $40,000 per year, escalating with more attendees and more events.

  • Staffing costs:

    • Principal Investigator (PI) salary discussion: an experienced PI around $225k–$250k per year; a less experienced one around $150k–$175k.

    • Total payroll for a small investigative team may range from about $1.25M to $1.75M; the example given with 10 staff exceeds a million dollars in annual salaries.

  • Security and facilities:

    • Physical security: secure locker for media, locked room, restricted access; custodial personnel not allowed inside without escort; maintenance requires shutdown and escort.

    • Security infrastructure: a mantrap (two interlocked doors with controlled entry), cameras, and NDAs for external security personnel.

    • Digital security: closed network for evidence processing; a separate resource PC connected to the Internet for research; the forensics workstation remains offline.

    • Firewalls and network perimeter: a high-end firewall and a robust, properly configured perimeter are essential; replacing outdated hardware is costly and must be planned on a lifecycle basis.

  • Planning and approvals:

    • An appropriations process is required to obtain funding; the speaker shares an example of a five-page document that secured multi-million-dollar funding quickly by outlining needs and timelines.

    • The importance of upfront planning is stressed to avoid budget overruns and “oops” moments when needing to retrofit or replace critical security components.

    • Budget philosophy: prefer gradual replenishment cycles (e.g., replacing a third of equipment each year) to avoid large single-year spikes.

  • Security implications of outdated systems:

    • Windows 10 end-of-life implies lack of security updates; hardware and software must be refreshed to maintain security.

    • Firewalls and servers must be updated and properly configured to prevent unauthorized access; ACLs (access control lists) are metaphorically described as firewalls in some contexts.

  • Compliance and risk management rationale:

    • The Sarbanes-Oxley Act (SOX) example is used to illustrate how a breach that touches customer data triggers obligations to notify customers, track impact, and potentially incur substantial costs. (Note: SOX itself governs financial reporting and internal controls; customer breach-notification duties come from state breach-notification statutes and sector-specific regulations, but the cost argument is the same.)

    • The real-world takeaway: cyber incidents have cascading financial implications (postage costs, customer notification, potential revenue loss); this motivates proactive security upgrades.

  • Real-world takeaways:

    • The lab design is intentionally comprehensive and costly because it aims to be a realistic, defensible environment for forensics work.

    • Recurrent expenses include salaries, licenses, hardware refresh, training, security, and facilities.

    • There is emphasis on continuous planning, governance, and risk management to secure funding and sustain operations over time.

File Systems and Evidence Handling Basics

  • File systems discussed:

    • FAT32 (File Allocation Table): one drive example shows a FAT32 volume with its primary and backup FAT; unallocated space is present but not used by files.

    • NTFS (New Technology File System): another drive shows NTFS, recognizable by the system metadata files whose names begin with a dollar sign ($MFT, $MFTMirr, $Bitmap, $LogFile, $Boot); NTFS tracks allocation in the Master File Table ($MFT) and $Bitmap rather than in a FAT.

  • Forensic implications of file systems:

    • Different file systems require different analysis approaches; knowledge of FAT32 and NTFS is essential.

    • Unallocated space and slack space can contain valuable evidence (or be ignored depending on scope).

  • Evidence workspace organization:

    • Operating system drive vs workspace drive vs evidence drive; best practice is to separate OS, workspace, and evidence onto separate drives for efficiency and to prevent OS paging from interfering with evidence processing.

    • Evidence drives may be networked to allow multiple examiners to work on the same case while preserving case integrity.

  • Practical Windows directory size awareness:

    • A Windows OS directory can contain well over 50,000 files; at that volume it is impractical to audit manually, so proper tooling is essential.

  • Key reminder:

    • Always ensure findings are repeatable and verifiable to withstand scrutiny in court; non-repeatable findings undermine credibility.
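
Worked example (added here, not from the lecture): telling FAT32 from NTFS by reading the first sector of a volume, which is what a forensic tool has to do before it knows whether to walk a FAT or the $MFT. The two boot sectors are constructed test data; the field offsets are the published FAT32 BIOS Parameter Block and NTFS boot-sector layouts. identify() also computes the byte offsets of the primary/backup FAT and data region, or of $MFT and $MFTMirr, so an examiner can jump straight to the allocation structures inside an image.

```python
"""Identify FAT32 vs NTFS from the first sector of a volume and derive where
the allocation structures live. Added example with constructed boot sectors;
field offsets follow the published FAT32 BPB and NTFS boot-sector layouts."""
import struct

SECTOR = 512


def make_fat32_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           reserved_sectors=32, num_fats=2, sectors_per_fat=1000):
    """Build a minimal FAT32 boot sector (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                        # jump instruction
    bs[3:11] = b"MSWIN4.1"                            # OEM name
    struct.pack_into("<H", bs, 11, bytes_per_sector)
    bs[13] = sectors_per_cluster
    struct.pack_into("<H", bs, 14, reserved_sectors)
    bs[16] = num_fats                                 # primary and backup FAT
    struct.pack_into("<I", bs, 36, sectors_per_fat)   # FAT32-specific size field
    struct.pack_into("<I", bs, 44, 2)                 # root directory starts at cluster 2
    bs[82:90] = b"FAT32   "                           # informational type label
    bs[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(bs)


def make_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                          mft_cluster=786432, mftmirr_cluster=2):
    """Build a minimal NTFS boot sector (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "                            # OEM ID
    struct.pack_into("<H", bs, 11, bytes_per_sector)
    bs[13] = sectors_per_cluster
    bs[16] = 0                                        # NTFS has no FATs
    struct.pack_into("<Q", bs, 48, mft_cluster)       # $MFT start cluster
    struct.pack_into("<Q", bs, 56, mftmirr_cluster)   # $MFTMirr start cluster
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def identify(sector0: bytes) -> dict:
    """Classify a boot sector and compute byte offsets an examiner would jump to."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        return {"type": "unknown", "reason": "missing 0x55AA boot signature"}
    bps = struct.unpack_from("<H", sector0, 11)[0]
    spc = sector0[13]
    cluster = bps * spc
    if sector0[3:11] == b"NTFS    ":
        mft = struct.unpack_from("<Q", sector0, 48)[0]
        mirr = struct.unpack_from("<Q", sector0, 56)[0]
        return {"type": "NTFS", "bytes_per_sector": bps, "cluster_size": cluster,
                "mft_offset": mft * cluster, "mftmirr_offset": mirr * cluster}
    # The "FAT32   " label is only a hint; Microsoft's spec derives the FAT
    # type from the cluster count. It is sufficient to separate the two here.
    if sector0[82:90] == b"FAT32   ":
        reserved = struct.unpack_from("<H", sector0, 14)[0]
        fats = sector0[16]
        spf = struct.unpack_from("<I", sector0, 36)[0]
        fat0 = reserved * bps                          # first FAT follows reserved area
        return {"type": "FAT32", "bytes_per_sector": bps, "cluster_size": cluster,
                "fat_offsets": [fat0 + i * spf * bps for i in range(fats)],
                "data_region_offset": fat0 + fats * spf * bps}  # cluster 2 starts here
    return {"type": "unknown", "reason": "no NTFS OEM ID or FAT32 label"}


if __name__ == "__main__":
    print(identify(make_fat32_boot_sector()))
    print(identify(make_ntfs_boot_sector()))
    print(identify(bytes(SECTOR)))
```

With the default constructed values the FAT32 sector yields FATs at byte offsets 16384 and 528384 and a data region at 1040384, while the NTFS sector places $MFT at cluster 786432 (byte 3221225472 with 4 KiB clusters) and $MFTMirr at byte 8192; a zeroed sector with no 0x55AA signature is reported as unknown rather than guessed.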

Open-Source Considerations and Practical Implications

  • Open-source tools can be modified; this raises questions about courtroom admissibility if modifications are not disclosed or verifiable.

  • Verification practices include hashing and checksum validation to demonstrate integrity of open-source tools used in the investigation.

  • The instructor emphasizes that students should be able to articulate how their chosen tools work and how integrity is maintained when presenting to a skeptical audience.

Real-World Takeaways and Important Anecdotes

  • Anecdote about server downtime and reboot demonstrates practical IT management and the need to verify systems before class sessions.

  • Side notes about personal experiences and humorous asides to illustrate the human side of lab management.

  • A recurring theme: the importance of planning, budgeting, and security in running a credible, defensible forensic lab.

Summary of Key Equations and Concepts (LaTeX-ready)

  • Hashing for verification: $H(d)$ denotes the cryptographic hash of the drive data $d$. The Ex01 header stores this verification hash $H(d)$.

  • Bitwise copying: a bitwise copy copies every bit from the source to the destination, preserving exact bit-for-bit content.

  • CRC (cyclic redundancy check): for each fixed-size block $B_i$ (64 bytes per the transcript; EnCase's actual format uses 64-sector chunks), compute $\mathrm{CRC}(B_i)$ and store it with the block, so integrity can be checked block by block across the whole drive.

  • Parity concept (illustrative): parity checks can be used to illustrate error-detection concepts; a simple example checks if a parity bit makes a total even or odd.

  • File system identifiers observed in the lab:

    • FAT32 identified by its primary and backup FAT structures in the disk image; NTFS identified by the dollar-sign system files ($MFT, $Bitmap, etc.) that hold its allocation metadata.

  • Verification workflow: every time a workspace is opened, the system recomputes the hash of the data and verifies it against the stored header hash to ensure no tampering occurred.

Connections to Foundational Principles

  • Data integrity and chain of custody: hash-based verification and CRCs provide auditable evidence that data has not been altered.

  • Repeatability: forensic findings must be repeatable under the same conditions; the Ex01/workspace model enforces this.

  • Risk management and budgeting: large-scale forensic labs require careful lifecycle planning, recurring funding, and risk-based prioritization to stay secure and compliant.

  • Open-source versus commercial tools: trade-offs between accessibility, reproducibility, and courtroom scrutiny; verification strategies are essential regardless of the tool.