Comprehensive Study Notes: Digital Forensics and Investigations (Modules 1–3; Hiding & Scrambling Information)

Module 1: Understanding the Digital Forensics Profession and Investigations

  • Module objectives (1 of 2): by the end you should be able to:

    • Describe the field of digital forensics

    • Explain how to prepare computer investigations and summarize the difference between public-sector and private-sector investigations

    • Explain the importance of maintaining professional conduct

    • Describe how to prepare a digital forensics investigation by taking a systematic approach

    • Describe procedures for private-sector digital investigations

  • Module objectives (2 of 2): (continued)

    • Explain requirements for data recovery workstations and software

    • Summarize how to conduct an investigation, including critiquing a case

  • An overview of digital forensics (definition and standards):

    • Digital forensics is the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation

    • An ISO standard for digital forensics was ratified in October 2012 defining personnel and methods for acquiring and preserving digital evidence

    • The Federal Rules of Evidence (FRE) promote consistency in federal proceedings; many states map to FRE

    • The Fourth Amendment protects the right to be secure from unreasonable search and seizure; separate search warrants may not be necessary for digital evidence in some cases

    • Every U.S. jurisdiction has case law on admissibility of digital evidence; context matters

  • Digital forensics and related disciplines (1 of 3):

    • Investigating digital devices includes: collecting data securely, examining suspect data for origin/content, presenting digital information to courts, applying laws to digital practices

    • Digital forensics vs data recovery:

    • Data recovery: retrieves information deleted by mistake or lost in a failure; you typically know what you’re looking for

    • Digital forensics involves an investigation to uncover clues/evidence for a case

  • Digital forensics and related disciplines (2 of 3) and (3 of 3) – investigations triad and teamwork:

    • Investigations triad components include vulnerability/threat assessment and risk management, incident response, network intrusion detection, and digital investigations management/forensic analysis

    • Forensics investigators often work as part of a team (investigations triad)

    • Tests/verification focus: stand-alone workstations and network servers integrity verification; automated tools for intrusion detection; incident response workflows

  • A brief history of digital forensics tools:

    • Early 1990s: IACIS provided digital forensics training; IRS developed search-warrant programs; ASR Data created Expert Witness for Macintosh; ILook maintained by IRS CI; FTK is a popular commercial product

  • Understanding case law (1 of 2):

    • Law often lags behind technology; statutes may be absent, leading to reliance on case law to resolve ambiguity

    • Examiners must stay current on court rulings about electronic search/seizure

  • Understanding case law (2 of 2):

    • Case law helps apply prior cases to current scenarios; crucial for electronic search/seizure admissibility

  • Developing digital forensics resources:

    • Be familiar with Linux, macOS, and Windows platforms; build networks with computing, networking, and investigative professionals

    • Join user groups (public/private sectors) and consult outside experts as needed (example: Computer Technology Investigators Network – CTIN)

  • Preparing for digital investigations:

    • Public-sector investigations: government agencies handle criminal investigations and prosecutions; the Fourth Amendment restricts government search/seizure; DOJ updates guidance regularly

    • Private-sector investigations: focus on policy violations; examples include email harassment, discrimination, embezzlement, sabotage, industrial espionage

  • Understanding public-sector investigations (1 of 2):

    • Laws on computer-related crimes include standard legal processes, search/seizure guidelines, and building criminal cases

    • A Digital Evidence First Responder (DEFR) arrives to assess and preserve evidence; a Digital Evidence Specialist (DES) analyzes data and recommends when to involve others

    • An affidavit is a sworn statement with supporting exhibits

  • Understanding public-sector investigations (2 of 2):

    • The private sector uses an “Acceptable Use Policy” and a line of authority to authorize investigations, determine evidence possession, and grant access

    • Many organizations display a warning banner on computer screens to deter misuse

    • BYOD environments complicate ownership of devices; some companies treat connected personal devices as company property

  • Understanding private-sector investigations (1 of 5):

    • Private-sector investigations address policy violations and litigation disputes (e.g., wrongful termination)

    • Crimes can include email harassment, gender/age discrimination, white-collar crimes (falsification of data, embezzlement, sabotage, industrial espionage)

  • Understanding private-sector investigations (2 of 5):

    • Policies define acceptable computer/network use; authority lines specify who can initiate investigations and access evidence

    • Warning banners are used to deter policy violations and to warn users that their use of the system is subject to monitoring

  • Understanding private-sector investigations (3 of 5):

    • Use Agreement example (Department of Homeland Security system) highlights terms: no expectation of privacy, monitoring, handling classified data restrictions

    • Acknowledges government-style notices for internal/private usage contexts

  • Understanding private-sector investigations (4 of 5):

    • Authorized requester should be designated for initiating investigations; investigations focus on evidence to support policy violations or asset attacks

    • Common scenarios: abuse/misuse of computing assets, email abuse, internet abuse; goal is risk minimization

  • Understanding private-sector investigations (5 of 5):

    • BYOD issues; personal devices connected to corporate networks may fall under company rules

  • Knowledge Check Activity 1-1 and Answer:

    • Question: Digital forensics differs from data recovery because

    • Answer: b) in data recovery, you typically know what you are looking for

    • Explanation: Digital forensics is an investigation seeking clues/evidence; data recovery is about recovering known targets

  • Maintaining professional conduct:

    • Professional conduct includes ethics, morals, and standards of behavior; emphasize objectivity and credibility

    • Maintain confidentiality and seek ongoing training to stay current with hardware, software, networks, and forensic tools

  • Maintaining a digital forensics investigation:

    • Role: gather evidence to prove a crime/policy violation; evidence may be used in court or corporate inquiries

    • Actions: investigate suspect’s computer; preserve evidence on a separate system; maintain chain of custody

  • Five steps of an investigation (Fig. 1-9):
    1) Form a hypothesis
    2) Identify objects that may contain evidence
    3) Collect and extract evidence
    4) Does evidence support the original hypothesis? (Yes/No)
    5) Create/present final report; critique the case

  • Acknowledging the field’s ethical and practical implications:

    • Admissibility of digital evidence in court; need for proper search authorities, chain-of-custody, validation, and repeatability

    • Maintain integrity of evidence and avoid bias; ensure professional conduct throughout investigation lifecycle

  • Important practical notes:

    • Digital forensics emphasizes validation with mathematics and repeatable tool usage; report writing and expert testimony are essential components

    • Data recovery and forensics require careful handling of storage media, write-blockers, and validated tools

  • Summary of Module 1 takeaways:

    • Digital forensics is a legally grounded practice combining computer science and investigative procedures

    • Legal frameworks (FRE, Fourth Amendment) shape how evidence is collected/admitted

    • Public vs private investigations differ in authority, scope, and policy considerations

    • A systematic, documented approach with professional conduct underpins credible investigations

    • Ongoing resource development, professional networks, and continuing education are essential

Module 2: Report Writing and Testimony for Digital Investigations

  • Module objectives (UNT):

    • Explain the importance of reports and testimony and preparing to testify

    • Describe guidelines for writing reports

    • Describe procedures for generating report findings and writing a digital forensics report

    • Explain the preparation necessary for testifying as a fact witness or an expert witness

    • Describe guidelines for testifying in court and in depositions

  • The importance and purpose of forensic reports and testimony:

    • Reports provide justification for further evidence collection, support probable cause considerations, and communicate expert opinion

    • Depositions: prepare to preserve testimony; document jurisdiction, case style, and deposition details

    • Testimony types:

    • Fact witness: provides facts about what was found and how it was obtained (no conclusions)

    • Expert witness: offers opinions derived from expertise and data; must meet conditions for admissibility

  • Report-writing guidelines (structure and clarity):

    • Reports should start with job mission/goals and identify audience

    • Written preliminary reports are high-risk documents; avoid if possible; ensure transparency, avoid bias, state areas needing further investigation

    • Complex reports typically include: Abstract, Table of Contents, Body, Conclusion, Appendices, Glossary, References, Acknowledgments

    • Use consistent formatting; include hash calculations for verification; provide explanation of examination methods

  • Writing clearly and style considerations:

    • Use natural language, active voice, and avoid excessive personal observations

    • Be objective; signpost arguments; structure paragraphs logically

    • Include explanations of methodology, limitations of knowledge, and uncertainties

  • Report components and calculations:

    • Hash values for verification: common algorithms include

    • CRC-32, MD5, SHA-1, SHA-256, etc.

    • If using a hashing algorithm, specify the algorithm and display computed values

    • When presenting results, use subheadings to segment discussions

  • Reporting formats and delivering the final product:

    • Reports may be in Word, HTML, or spreadsheet formats; include an Autopsy-derived report when applicable

    • Include an executive summary for non-technical readers and detailed appendices with raw data, hash results, and methodological notes

  • The digital forensics report audience worksheet (example):

    • Case information, readers, client details, preferred format, transmission method, and potential biases

    • Document access controls and approvals required before report release

  • Testimony preparation: fact vs expert witness

    • Fact witness: presents facts and evidence of the case; not opinions

    • Expert witness: provides opinions based on expertise; must be qualified and testify to reasonable certainty

    • Voir dire: qualification process to establish expertise; expect possible objections

    • General guidelines for testifying:

    • Be professional and polite; use language within expertise; avoid overstating opinions

    • Prepare answers for common questions about data storage, imaging, deleted data, Windows temp files, log files, etc.

    • Use graphics to illustrate findings; ensure graphics are clear, large, and legible

  • Preparing for deposition and hearings (high-level):

    • Stay calm and professional; address attorneys by name; maintain eye contact; provide factual descriptions and avoid overstatements

    • During cross-examination: use own words, avoid guessing, avoid being overly technical, and manage stress

    • Discovery/deposition context: knowledge of case scope, anticipated questions, and limitations of testimony

  • CVs, professional definitions, and media handling:

    • Maintain an up-to-date CV detailing education, training, and testifying experience

    • Prepare technical definitions ahead of time (digital forensics, hashing, image/bit-stream copies, file slack, file timestamps, log files)

    • If dealing with media, avoid commenting to media that could prejudice the case; consider court-approved channels and protective orders

  • Evidence handling and reporting ethics:

    • Ensure repeatability and verifiability of findings

    • Document examiner notes and maintain chain-of-custody integrity

    • Do not reveal sensitive client information or improperly disclose privileged communications

  • Summary of Module 2 takeaways:

    • Forensic reports must be well-structured, transparent, and reproducible; hash verification and tool validation are central

    • Testimony requires careful preparation, understanding of the distinction between fact and expert opinions, and adherence to professional ethics

    • Audience awareness and organizational policies shape report style and delivery methods

Module 3: The Investigator’s Laboratory and Digital Forensics Tools

  • Module objectives (UNT):

    • Describe certification requirements for digital forensics labs

    • List physical requirements for a digital forensics lab

    • Explain criteria for selecting a basic forensic workstation

    • Describe components used to build a business case for developing a forensics lab

    • Explain how to evaluate needs for digital forensics tools

    • Describe available digital forensics software tools

    • List considerations for digital forensics hardware tools

    • Describe methods for validating and testing forensics tools

  • Forensics lab accreditation and management:

    • ANAB (ANSI-ASQ National Accreditation Board) provides accreditation for forensics labs; audits cover lab functions and procedures

    • Lab managers handle case processes, budgeting, quality assurance, ethics, and staffing

  • Lab duties and budget planning:

    • Set up case management processes; maintain fiscal responsibility; enforce ethical standards; plan lab updates

    • Establish quality-assurance processes; set realistic production schedules; estimate capacity for investigators

    • Use lab statistics (e.g., Uniform Crime Report trends) to forecast needs for hardware/software purchases

  • Certification and training options:

    • IACIS CFCE (Certified Forensic Computer Examiner)

    • HTCN (High-Tech Crime Network) certifications

    • EnCase Certified Examiner (EnCE)

    • Exterro Forensic Certification (Exterro Ace)

    • Other certifications exist across commercial and open-source ecosystems

  • Physical requirements for a lab:

    • Secure room with floor-to-ceiling walls; locking doors; secure containers (cabinets/safes)

    • Visitor logs; controlled access; evidence storage areas

    • TEMPEST considerations for high-risk environments (EMR-proofed labs) and alternative low-emanation workstations to reduce cost

  • Evidence storage and handling:

    • Evidence lockers: locate in restricted areas, maintain logs of access, lock when not in use; use steel containers with internal/external locks; build an evidence room if possible

    • Lab maintenance: fix damages promptly; antistatic measures; separate trash for sensitive materials; proper disposal services

  • Floor plans and lab configuration:

    • Floor plans show multiple configurations (small/home-based; mid-size; regional labs) with a mix of forensic workstations and non-forensic workstations

    • Ideal: two forensic workstations plus one non-forensic workstation with Internet access; sizing depends on budget and space

  • Forensic workstation selection and stocking hardware:

    • For police labs: diverse requirements; must accommodate legacy systems; multiple configurations; mobile workstations via laptops with USB3.0/4.0 or SATA/SAS interfaces

    • For private-sector labs: multipurpose workstations; support for Windows and Mac disk drives; cross-platform analysis

    • Essential peripherals: write-blockers, external drives, SATA adapters, various cables, FireWire/USB adapters, memory viewers, hex editors, and graphic viewers

  • Keeping forensics software up to date and validated:

    • Maintain software licenses and inventories; use both GUI and command-line tools; validate upgrades with documented protocols

    • NIST CFTT and NSRL: labs should adopt validated tools and reference data sets to filter known-good/bad files

    • Validation protocol guidelines: use at least two tools; verify results with a disk editor; document test results and tool upgrade outcomes

  • Tools: types and workflow (across disciplines):

    • Hardware tools range from single-purpose components to full systems; software tools include command-line and GUI applications

    • Acquisition: physical/logical copies; image formats range from raw to vendor-specific; ensure data copied is a bit-stream image when possible

    • Validation/verification: confirm tool works as intended (hash-based verification, comparisons)

    • Extraction: data viewing, keyword searching, decoding/decompression, carving, decryption, bookmarking

    • Reconstruction: disk-to-disk, partition-to-partition, image-to-disk/partition, disk-to-image, image-to-partition, rebuild via data runs

    • Reporting: bookmarking, log reports, timelines; generate final reports

  • Common forensics software programs (examples):

    • EnCase, FTK, OSForensics, Helix, Kali Linux, The Sleuth Kit, Autopsy, DiskDigger, WinUndelete, Paraben’s Email Examiner, etc.

    • GUI vs command-line tools; some tools support remote acquisitions and cross-platform data handling

  • Validation and testing for forensics tools:

    • ISO 27037 framework and DEFR guidelines require validated tools; perform cross-tool validation using disk editors (e.g., WinHex, HxD)

    • NIST CFTT criteria: establish tool categories, test assertions, test cases, test methods, and document results

    • NSRL provides a repository of known-good/signed software signatures to filter known software files

  • Email forensics and data sources:

    • Email servers/clients; RFC 2822 (email header standard); headers reveal routes, IPs, and relay information

    • Understanding email protocol basics (SMTP for sending, POP3/IMAP for retrieval) and the importance of header fields (From, Date, Message-ID, etc.)

    • Tools available for examining email artifacts (e.g., Paraben’s Email Examiner, EnCase/FTK capabilities, OSForensics, etc.)
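The header bullets above describe what an examiner reads out of a message; the following added example (not part of the course notes, and not code from any tool named here) parses a constructed RFC 2822-style message with Python's standard `email` module, reconstructs the relay path from its Received headers in sending order, and checks that each relay's "by" host matches the next hop's "from" host, the kind of consistency check that exposes a forged header. The hostnames and addresses are placeholders from documentation ranges.

```python
"""Added example (not from the course notes): parse an RFC 2822-style header
block and reconstruct the relay path from its Received headers.
The message below is constructed; hosts and IP addresses are placeholders."""
import re
from email.parser import BytesParser

# Constructed message: two relays (client -> mx -> mail), folded Received lines.
RAW_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby mail.example.net with ESMTP id ABC123
\tfor <analyst@example.net>; Tue, 05 Mar 2024 10:02:11 +0000
Received: from client.example.org (unknown [198.51.100.23])
\tby mx.example.org with ESMTPSA id XYZ789;
\tTue, 05 Mar 2024 10:02:09 +0000
From: sender@example.org
To: analyst@example.net
Date: Tue, 05 Mar 2024 10:02:08 +0000
Message-ID: <example-id-0001@example.org>
Subject: quarterly figures

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # address in [brackets]
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)      # sending relay
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)          # receiving relay


def parse_headers(raw: bytes):
    """Parse the raw message; the default (compat32) parser keeps folding intact."""
    return BytesParser().parsebytes(raw)


def relay_path(msg) -> list:
    """Each relay prepends its own Received header, so the top one is the most
    recent hop. Reverse the list to read the route in sending order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())          # unfold continuation lines
        sender, receiver, ip = FROM_RE.search(line), BY_RE.search(line), IP_RE.search(line)
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": ip.group(1) if ip else None,
            "by": receiver.group(1) if receiver else None,
        })
    return hops


def chain_consistent(path: list) -> bool:
    """Each relay's 'by' host should be the next hop's 'from' host; a break in
    the chain is a common sign that a Received header was forged or stripped."""
    return all(path[i]["by"] == path[i + 1]["from"] for i in range(len(path) - 1))


def key_fields(msg) -> dict:
    """The header fields the notes single out for the report."""
    return {name: msg.get(name) for name in ("From", "To", "Date", "Message-ID", "Subject")}


if __name__ == "__main__":
    message = parse_headers(RAW_MESSAGE)
    for hop in relay_path(message):
        print(hop)
    print("chain consistent:", chain_consistent(relay_path(message)))
    print(key_fields(message))
```

Run against a real `.eml` file by replacing `RAW_MESSAGE` with the file's bytes; only the topmost Received header can be trusted to have been written by your own server, so the path is read from that end.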

  • File systems and disk structures (overview):

    • FAT32, FAT16: older Windows file systems; File Allocation Table stores cluster data; directories map to clusters

    • NTFS: modern Windows file system; uses MFT ($MFT), Unicode support, journaling; reduced file slack; better metadata support

    • GPT vs MBR: partitioning schemes; MBR dates from the era of CHS addressing, while GPT supports larger disks and uses LBA addressing for its partition entries and boot sectors

    • Clusters/sectors: clusters (allocation units) are groups of sectors; sectors are typically 512 bytes (or 4096 bytes in newer drives)

    • Slack space: RAM slack (erased before write in modern Windows); file slack (unused within a cluster after file data)

    • Inodes and hard links (Linux); ext3/ext4; soft/hard links; deletion semantics; extundelete/Scalpel for Linux recovery

  • Forensic imaging and data integrity:

    • Forensics imaging: bit-by-bit copies (bit-stream images); use write-blockers to prevent writes; image formats: raw or vendor-specific

    • Hash verification: compute and compare hash values for original and copy to ensure integrity

    • Disk-to-image copy: common method; can copy to a disk image and mount for analysis
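As an added example (not from the course notes), the block below carries out the two hash-based steps mentioned above and in the validation bullets earlier in this module: verifying that a copy matches its source with several algorithms, and filtering files against a known-file hash set the way the NIST NSRL reference data is used. The "disk image", the sample files and the known-hash set are all constructed in the code; the chunked hashing loop is written so the same routine works on real image files.

```python
"""Added example (not from the course notes): verify that a forensic copy
matches its source by hashing both, and filter files against a known-file
hash set in the style of the NIST NSRL Reference Data Set.
The image bytes, sample files and hash set below are constructed for the demo."""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")   # algorithms named in the notes
CHUNK = 4096                               # hash in chunks: real images are large


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data`, fed to the hasher CHUNK bytes at a time so the
    same loop can be used on a multi-gigabyte image read from disk."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK):
        h.update(data[offset:offset + CHUNK])
    return h.hexdigest()


def verify_copy(original: bytes, copy: bytes) -> dict:
    """Compute every algorithm over both buffers and report each match.
    Recording more than one algorithm is what the report guidelines ask for."""
    report = {}
    for alg in ALGORITHMS:
        a, b = hash_bytes(original, alg), hash_bytes(copy, alg)
        report[alg] = {"original": a, "copy": b, "match": a == b}
    return report


def all_match(report: dict) -> bool:
    return all(entry["match"] for entry in report.values())


def known_file_filter(files: dict, known_hashes: set, algorithm: str = "sha1") -> dict:
    """Split {name: bytes} into files whose digest is in the known set (skip)
    and the rest (examine). The NSRL data set is keyed by SHA-1 among others."""
    examine, known = {}, {}
    for name, content in files.items():
        digest = hash_bytes(content, algorithm)
        (known if digest in known_hashes else examine)[name] = digest
    return {"examine": examine, "known": known}


# --- Constructed sample data ---------------------------------------------
ORIGINAL_IMAGE = bytes(range(256)) * 40          # 10,240-byte stand-in for a disk image
GOOD_COPY = bytes(ORIGINAL_IMAGE)                # faithful bit-stream copy
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[5000] ^= 0x01                          # a single flipped bit
BAD_COPY = bytes(_tampered)

SAMPLE_FILES = {
    "notepad.exe": b"fake os binary",            # constructed stand-in for a known OS file
    "notes.txt": b"meeting at 9, bring the ledger",
}
KNOWN_HASHES = {hash_bytes(b"fake os binary", "sha1")}   # constructed subset of a hash set

if __name__ == "__main__":
    print("good copy matches:", all_match(verify_copy(ORIGINAL_IMAGE, GOOD_COPY)))
    print("bad copy matches: ", all_match(verify_copy(ORIGINAL_IMAGE, BAD_COPY)))
    print(known_file_filter(SAMPLE_FILES, KNOWN_HASHES))
```

The one-bit change in `BAD_COPY` is enough to change every digest, which is why the report lists both the original's and the copy's values rather than a single "verified" flag.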

  • Hiding and scrambling information (Chapter 5): Steganography and cryptography

  • Steganography overview:

    • Hidden messages technique; goal is to conceal presence of data within a carrier file

    • Common technique: Least Significant Bit (LSB) embedding; modify the least significant bit of pixel values or other data units

    • Basic terms: Payload (hidden data), Carrier (container file), Channel (data path)

    • Historical steganography examples: ancient wax-wrapped notes, shaved-head messages, invisible ink, etc.

  • Steganography cont. and examples:

    • Web/graphics: altering pixel values to store data; examples include color palette changes and bit-level manipulations

    • Variants: Steganophony (hiding data in sound), video steganography, Bit-Plane Complexity Segmentation (BPCS)

    • Steganalysis: detecting hidden content by analyzing file statistics, color pairs, and anomalies

    • Tools and demos: Invisible Secrets, MP3Stego, DeepSound, and other stego utilities used to hide data in images, audio, and other carriers
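To make the LSB technique and the first step of steganalysis concrete, here is an added example (not from the course notes and not code from any of the tools listed) that embeds a payload into the least significant bits of a constructed grayscale pixel buffer, extracts it again, and measures the LSB-plane statistic that a smooth carrier and an embedded payload disagree on. The carrier, the 32-bit length header and the payload are all assumptions of this demo; real steganalysis uses richer statistics than the single ratio shown.

```python
"""Added example (not from the course notes): least-significant-bit embedding
and extraction on a grayscale pixel buffer, plus a simple LSB-plane statistic
of the kind steganalysis starts from. Carrier and payload are constructed."""

HEADER_BITS = 32   # payload length is stored first so extraction knows where to stop


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write len(payload) as a 32-bit big-endian header, then the payload,
    one bit per pixel into the LSB. Raises if the carrier is too small."""
    needed = HEADER_BITS + 8 * len(payload)
    if needed > len(carrier):
        raise ValueError(f"carrier holds {len(carrier)} bits, need {needed}")
    pixels = bytearray(carrier)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        pixels[i] = (pixels[i] & 0xFE) | bit      # replace only the lowest bit
    return bytes(pixels)


def extract(stego: bytes) -> bytes:
    """Read the LSB of each pixel back: the header first, then that many bytes."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for byte_index in range(count):
            value = 0
            for bit_index in range(8):
                value = (value << 1) | (stego[start + byte_index * 8 + bit_index] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + 8 * length > len(stego):
        raise ValueError("header claims more payload than the carrier holds")
    return read_bytes(HEADER_BITS, length)


def lsb_ones_ratio(pixels: bytes, limit: int = None) -> float:
    """Fraction of pixels whose LSB is 1 over the first `limit` pixels.
    A smooth carrier has a skewed ratio; embedded data pushes it toward the
    bit balance of the payload, one of the anomalies steganalysis looks for."""
    region = pixels[:limit] if limit else pixels
    return sum(p & 1 for p in region) / len(region)


# Constructed carrier: a smooth gradient whose values are all even, so its
# LSB plane is entirely zero before anything is embedded.
CARRIER = bytes((i * 2) % 256 for i in range(2048))
PAYLOAD = b"meet at the usual place"

if __name__ == "__main__":
    stego = embed(CARRIER, PAYLOAD)
    print(extract(stego))
    print("max pixel change:", max(abs(a - b) for a, b in zip(CARRIER, stego)))
    print("LSB ones ratio before/after:",
          lsb_ones_ratio(CARRIER, 256), lsb_ones_ratio(stego, 256))
```

No pixel value moves by more than one, which is why LSB embedding is invisible to the eye and why detection has to rely on statistics of the bit plane rather than on the picture.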

  • Cryptography and encryption (Chapter 5 cont.):

    • Encryption basics: c = E(k, m), m = D(k, c); E and D are inverse with respect to key k; for a given key k, D(k, E(k, m)) = m

    • Hashing: cryptographic hashes are one-way, fixed-length outputs; collision resistance is required; example: SHA-512 with output length 512 bits

    • Symmetric vs asymmetric cryptography

    • Symmetric: same key for encryption/decryption (e.g., AES); E(k, m) = c, D(k, c) = m

    • Asymmetric: public key for encryption, private key for decryption; e.g., RSA (public key (n, e), private key d) with c = m^e mod n and m = c^d mod n; Diffie-Hellman for key exchange: K = g^{ab} mod p

    • Key goals: CIA triad – Confidentiality, Integrity, Authenticity; Non-repudiation also important

  • Encryption history and methods (highlights):

    • Caesar cipher (substitution, simple; shift k in 0..25); weaknesses exploited by frequency analysis

    • Vigenère cipher: polyalphabetic substitution with repeating keyword; Kasiski examination to determine keyword length; after alignment, frequency analysis on columns

    • Modern cryptography: RSA (asymmetric), Diffie-Hellman (key exchange), AES (symmetric block cipher), DES/3DES historical context; AES uses 128-bit blocks with 128/192/256-bit keys

    • Hashes and cryptanalysis concepts: frequency analysis, known-plaintext, chosen-plaintext, ciphertext-only; Rainbow tables and Ophcrack for password recovery
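The Caesar and Vigenère bullets above name the classical attacks without showing them; the following added example (not from the course notes) implements both ciphers, recovers a Caesar shift by chi-squared comparison against English letter frequencies, estimates a Vigenère key length by Kasiski examination (common divisors of the distances between repeated trigrams), and then solves each key-aligned column as its own Caesar cipher. The sample plaintext is assembled from sentences in these notes; the English frequency table and the chi-squared scoring are the example's own assumptions.

```python
"""Added example (not from the course notes): Caesar and Vigenère encryption,
shift recovery by frequency analysis (chi-squared against English letter
frequencies), and Kasiski examination to estimate a Vigenère key length.
The sample plaintext is assembled from sentences in these notes."""
from collections import Counter

# Approximate relative frequencies of letters in English text, A..Z, in percent.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
           2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
           1.97, 0.07]


def clean(text: str) -> str:
    """Keep only letters, upper-cased: classical ciphers work on A-Z."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter; a one-letter key is a Caesar cipher."""
    key = clean(key)
    out = []
    for i, ch in enumerate(clean(text)):
        k = ord(key[i % len(key)]) - 65
        if decrypt:
            k = -k
        out.append(chr((ord(ch) - 65 + k) % 26 + 65))
    return "".join(out)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    return vigenere(text, chr(shift % 26 + 65), decrypt)


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English; lower is closer."""
    counts = Counter(text)
    n = len(text)
    return sum((counts.get(chr(65 + i), 0) - ENGLISH[i] * n / 100) ** 2
               / (ENGLISH[i] * n / 100) for i in range(26))


def recover_shift(ciphertext: str) -> int:
    """Try all 26 shifts and keep the one whose decryption looks most English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, s, decrypt=True)))


def kasiski_key_length(ciphertext: str, max_len: int = 20) -> int:
    """Distances between repeated trigrams tend to be multiples of the key
    length; the most common small divisor of those distances is the estimate."""
    positions = {}
    for i in range(len(ciphertext) - 2):
        positions.setdefault(ciphertext[i:i + 3], []).append(i)
    divisors = Counter()
    for places in positions.values():
        for a, b in zip(places, places[1:]):
            for d in range(2, max_len + 1):
                if (b - a) % d == 0:
                    divisors[d] += 1
    return min(divisors, key=lambda d: (-divisors[d], d)) if divisors else 1


def recover_vigenere_key(ciphertext: str, key_length: int) -> str:
    """Every key_length-th letter was shifted by the same key letter, so each
    column is a Caesar cipher and can be solved by frequency analysis alone."""
    return "".join(chr(65 + recover_shift(ciphertext[i::key_length]))
                   for i in range(key_length))


# Sample plaintext: sentences from these notes (about 590 letters).
SAMPLE = clean(
    "Digital forensics is the application of computer science and investigative "
    "procedures for a legal purpose involving the analysis of digital evidence after "
    "proper search authority chain of custody validation with mathematics use of "
    "validated tools repeatability reporting and possible expert presentation. "
    "Law often lags behind technology; statutes may be absent, leading to reliance "
    "on case law to resolve ambiguity. Examiners must stay current on court rulings "
    "about electronic search and seizure. Investigating digital devices includes "
    "collecting data securely, examining suspect data for origin and content, "
    "presenting digital information to courts, and applying laws to digital practices.")

if __name__ == "__main__":
    print("Caesar shift recovered:", recover_shift(caesar(SAMPLE, 7)))
    ct = vigenere(SAMPLE, "KEY")
    length = kasiski_key_length(ct)
    print("Kasiski key length:", length, "key:", recover_vigenere_key(ct, length))
```

Both attacks need a few hundred letters of ciphertext to be reliable; on a short message the chi-squared scores of neighbouring shifts are close and Kasiski finds too few repeats, which is the practical limit of frequency analysis rather than a weakness of the method.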

  • Practical notes on encryption and forensics:

    • Full-disk encryption (FDE) like BitLocker requires pre-boot authentication and TPM support; to analyze encrypted drives, decryption is needed

    • EFS (Encrypting File System) uses public/private keys with possible recovery certificates managed by administrators

    • For encrypted data, forensic analysis often starts with credential guessing, password attacks (dictionary and brute force), and verifying hashes after decryption

  • Forensic considerations in cryptography and steganography:

    • Be prepared to explain how to detect steganography within images/audio (LSB patterns, payload indicators)

    • Document cryptographic methods used by suspects, including algorithms, key lengths, and potential weaknesses

  • Key references and standards (summary):

    • NIST CFTT, ISO 17025 criteria for testing forensic items, and ISO 27037 guidance on DEFRs

    • NSRL: National Software Reference Library provides reference data sets to filter known software signatures

    • RFC 3227 guidelines for evidence collection and archiving

    • Rules of Evidence (FRE), Fourth Amendment, and admissibility considerations in digital forensics

  • Summary of Module 3/Chapter materials:

    • Lab setup and accreditation are essential for credible digital forensics work

    • Validation/testing of tools through standard protocols ensures repeatable results

    • A practical forensics lab requires careful planning of space, hardware, and software, including imaging workflows, hash verification, and secure evidence storage

    • Email, file systems, and disk structures require specialized approaches for data recovery, evidence collection, and artifact interpretation

  • Key formulas and concepts (LaTeX):

    • Symmetric encryption/decryption and inversion:

    • c = E(k, m),

    • m = D(k, c),

    • D(k, E(k, m)) = m

    • RSA encryption/decryption:

    • c \,=\, m^e \bmod n,

    • m \,=\, c^d \bmod n

    • Diffie-Hellman shared key:

    • K \,=\, g^{ab} \bmod p

    • AES block cipher operations (conceptual): AddRoundKey, SubBytes, ShiftRows, MixColumns, repeated over rounds

    • Hash function (generic): H: M \to \{0,1\}^n; properties: one-way, fixed-length, collision-resistant

    • Feistel network (conceptual):

    • L_i = R_{i-1},

    • R_i = L_{i-1} \oplus F(R_{i-1}, K_i)
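The two Feistel equations above say everything needed to see why the structure decrypts: the added example below (not from the course notes, and not a real cipher) runs L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) over a 64-bit block and undoes it by replaying the same routine with the round keys reversed. The round function, the key schedule and the half-block size are the example's own assumptions; the point demonstrated is that F itself never has to be invertible.

```python
"""Added example (not from the course notes): a toy Feistel network showing
why the structure is invertible for any round function F, because decryption
only replays the same rounds with the subkeys in reverse order. The round
function, key schedule and block size are constructed for illustration."""

HALF_BITS = 32                     # the 64-bit block is two 32-bit halves (L, R)
MASK = (1 << HALF_BITS) - 1


def round_function(right: int, key: int) -> int:
    """Any function of (R, K) works; this toy mixes with a rotate and a multiply.
    It is deliberately not invertible: a Feistel cipher never needs to invert F."""
    x = (right ^ key) & MASK
    x = ((x << 7) | (x >> (HALF_BITS - 7))) & MASK     # rotate left by 7
    return (x * 0x9E3779B1 + key) & MASK                # multiply-add, wrap to 32 bits


def key_schedule(master_key: int, rounds: int) -> list:
    """Derive one 32-bit subkey per round from a 64-bit master key (toy schedule)."""
    return [((master_key >> (i * 8)) ^ (0x1234567 * (i + 1))) & MASK for i in range(rounds)]


def feistel_rounds(left: int, right: int, subkeys: list):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i), one step per subkey."""
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return left, right


def encrypt_block(block: int, master_key: int, rounds: int = 8) -> int:
    left, right = block >> HALF_BITS, block & MASK
    left, right = feistel_rounds(left, right, key_schedule(master_key, rounds))
    # Swap the halves at the end so that decryption is the same routine
    # with the subkeys reversed.
    return (right << HALF_BITS) | left


def decrypt_block(block: int, master_key: int, rounds: int = 8) -> int:
    left, right = block >> HALF_BITS, block & MASK
    left, right = feistel_rounds(left, right, key_schedule(master_key, rounds)[::-1])
    return (right << HALF_BITS) | left


if __name__ == "__main__":
    plaintext = 0x0123456789ABCDEF
    key = 0x0F1E2D3C4B5A6978
    ciphertext = encrypt_block(plaintext, key)
    print(f"ciphertext: {ciphertext:016x}")
    print(f"decrypted:  {decrypt_block(ciphertext, key):016x}")
```

Tracing one round backwards shows the mechanism: the decryptor is handed (R_i, L_i), and since L_i = R_{i-1} it can recompute F(R_{i-1}, K_i) and XOR it off R_i to recover L_{i-1}. DES is built on exactly this skeleton with 16 rounds and a different F.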

  • Connections to prior and real-world relevance:

    • Forensic lab accreditation aligns with quality assurance practices seen in other high-assurance disciplines

    • Understanding file systems (FAT/NTFS/Ext) is critical for locating hidden data, recovering deleted content, and interpreting artifacts

    • Knowledge of email protocols and headers supports chain-of-custody and tracing cyber communications

    • Encryption and steganography knowledge is essential for recognizing concealed data and potential misuses in investigations

  • Ethical, philosophical, and practical implications:

    • Balancing investigative needs with privacy rights and legal constraints (e.g., Fourth Amendment, ACP/privilege rules)

    • Maintaining objectivity and avoiding bias; ensuring transparency in methodologies and reporting

    • Handling sensitive data with care; ensuring chain of custody and proper storage to prevent data tampering

  • Key takeaways and study cues:

    • Grasp the five major investigation stages: hypothesis, evidence identification, collection/extraction, analysis, reporting/critique

    • Distinguish public vs private sector contexts (authorities, warrants, policies, and governance)

    • Know the major lab components: certification options, physical lab setup, equipment, and validation processes

    • Understand core forensics tools, imaging, validation, reconstruction, and reporting workflows; recognize both GUI and command-line tool tradeoffs

    • Be able to discuss and explain foundational cryptographic concepts (E/D, RSA, DH, AES, hash functions) and how they relate to forensic investigations

  • Final note on cross-cutting themes across modules:

    • A methodical, documented, repeatable approach underpins credible digital investigations

    • Legal and ethical considerations are inseparable from technical procedures

    • Continuous professional development, resource networks, and tool validation are necessary for effective practice

Appendices: Selected Concepts and Quick References

  • Key acronyms and standards:

    • ANAB: ANSI-ASQ National Accreditation Board

    • CFTT: Computer Forensics Tool Testing (NIST)

    • NSRL: National Software Reference Library

    • DEFR: Digital Evidence First Responder

    • DES: Data Encryption Standard; AES: Advanced Encryption Standard (Rijndael)

    • EnCase, FTK, Autopsy, Sleuth Kit, OSForensics, Kali Linux, Helix

  • Formal definitions to memorize:

    • Digital forensics: \text{Forensics} = \text{application of computer science and investigative procedures for a legal purpose}

    • Hash verification: H(\text{original}) = H(\text{copy}) for integrity checks

    • Public-key cryptography: c = m^e \bmod n,
      \rightarrow m = c^d \bmod n where (n, e) is the public key and d is the private key
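The RSA and Diffie-Hellman formulas (stated here, in the Module 3 asymmetric-cryptography bullet, and in the key-formulas list) are worked through below in an added example that is not part of the course notes. It uses the small classroom primes p = 61, q = 53 with e = 17, and the Diffie-Hellman parameters p = 23, g = 5; these values, the signing step, and the function names are the example's own assumptions. Real keys are thousands of bits long and real protocols add padding that textbook RSA lacks.

```python
"""Added example (not from the course notes): textbook RSA key generation,
encryption, decryption and signing with small classroom primes, plus a
Diffie-Hellman exchange with p = 23, g = 5. All parameters are constructed
for illustration; textbook RSA without padding is not safe to use as-is."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17):
    """n = p*q, phi = (p-1)(q-1), d = e^(-1) mod phi. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_encrypt(m: int, public_key) -> int:
    """c = m^e mod n, computable by anyone holding the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: int, n: int) -> int:
    """m = c^d mod n, possible only with the private exponent d."""
    return pow(c, private_key, n)


def rsa_sign(m: int, private_key: int, n: int) -> int:
    """s = m^d mod n: the basis of non-repudiation, since only d's holder can produce it."""
    return pow(m, private_key, n)


def rsa_verify(m: int, s: int, public_key) -> bool:
    """Anyone can check s^e mod n == m with the public key."""
    n, e = public_key
    return pow(s, e, n) == m


def dh_exchange(p: int, g: int, a: int, b: int):
    """Each side sends g^x mod p; both derive K = g^(ab) mod p without ever
    transmitting a or b. Returns (A, B, K) for inspection."""
    A = pow(g, a, p)               # Alice -> Bob
    B = pow(g, b, p)               # Bob -> Alice
    k_alice = pow(B, a, p)         # (g^b)^a
    k_bob = pow(A, b, p)           # (g^a)^b
    assert k_alice == k_bob == pow(g, a * b, p)
    return A, B, k_alice


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53)
    n, _ = public
    c = rsa_encrypt(65, public)
    print("public", public, "private", private, "c =", c, "m =", rsa_decrypt(c, private, n))
    s = rsa_sign(65, private, n)
    print("signature verifies:", rsa_verify(65, s, public))
    print("DH (A, B, K):", dh_exchange(23, 5, 6, 15))
```

With these parameters the key pair is (n, e) = (3233, 17), d = 2753, and m = 65 encrypts to c = 2790; the Diffie-Hellman run yields A = 8, B = 19 and the shared key K = 2. An examiner meeting RSA in the field only ever sees n, e and c; the whole point of the arithmetic above is that recovering d from (n, e) requires factoring n, which these toy sizes make trivial and real key sizes make infeasible.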

  • Practical actions to remember:

    • Always perform bit-stream imaging with write-blockers

    • Validate tools and perform cross-tool verification when possible

    • Document chain of custody and maintain robust evidence storage and security controls