Computer Forensics Summary Sheet (Lecture 1-4)

1. Order of Volatility & Evidence Handling

  • Order of Volatility (what to collect first)

    1. Registers and cache

    2. Routing tables, ARP cache

    3. Process table, kernel statistics

    4. Main memory

    5. Temporary filesystems

    6. Secondary storage (hard drives, SSD)

    7. Router configuration

    8. Network topology

  • Evidence Collection (RFC 3227):

    • Volatile data → file slack → file system → registry → memory dumps → system state backup → internet traces

  • Key Procedures:

    • Handle original data as little as possible

    • Maintain chain of custody

    • Use secure transport and storage

    • Document hardware and configs

    • Hash all data for authenticity

2. Forensic Tools

  • Common Software: EnCase, FTK, OSForensics, Sleuth Kit, Autopsy, Kali Linux

  • Command-line tools: Compact, low-resource, good for initial acquisition

  • GUI tools: User-friendly, comprehensive, can use more system resources

3. Lab & Workstation Setup

  • Physical Requirements: Secure room, evidence locker, visitor log

  • Forensic Workstation Must-Haves:

    • Write-blocker

    • Imaging tool (e.g., FTK Imager)

    • Analysis software

    • Sufficient storage

  • RAID Recommended: For data redundancy and fault tolerance

4. File Systems and Data Recovery

  • Key Concepts:

    • File Slack: Unused space between the end of a file's data and the end of its last allocated cluster; may still contain leftover data from earlier files

    • Volume Slack: Gap at the end of logical volume

    • Unallocated Space: Not currently assigned to any file but may hold deleted data

5. Forensic Imaging and Authentication

  • Imaging: Bit-for-bit copy of entire disk (avoid working directly on originals)

  • Hashing: Use MD5, SHA1, SHA256, etc. to verify integrity

  • Comparison: Hash of original and image must match
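
A worked check for the imaging, hashing and comparison steps above (an added example, not part of the original sheet): it copies a constructed byte buffer standing in for a disk, hashes source and image with MD5, SHA-1 and SHA-256 as the sheet lists, and flags any mismatch, including one flipped byte. Function names such as `verify_image` are hypothetical; MD5 and SHA-1 are no longer collision-resistant, so SHA-256 is the digest to rely on in a report.

```python
import hashlib
import io

# Constructed stand-in for a raw evidence device (16 KiB of bytes).
ORIGINAL_DEVICE = bytes(range(256)) * 64
# Algorithms named in the sheet; SHA-256 is the one that still resists collisions.
ALGORITHMS = ("md5", "sha1", "sha256")


def image_and_hash(source, dest, chunk_size=4096):
    """Copy `source` to `dest` bit-for-bit in chunks while hashing every byte
    read from the source. Returns {algorithm: hexdigest} for the source."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: source.read(chunk_size), b""):
        dest.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(stream, chunk_size=4096):
    """Independently re-hash a finished image so it can be compared with the source."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original_bytes, tamper_offset=None):
    """Image `original_bytes`, optionally flip one bit of the image afterwards
    (simulating corruption or tampering), then report whether every hash matches."""
    image = io.BytesIO()
    source_hashes = image_and_hash(io.BytesIO(original_bytes), image)
    data = bytearray(image.getvalue())
    if tamper_offset is not None:
        data[tamper_offset] ^= 0x01  # a single-bit change must break every digest
    image_hashes = hash_stream(io.BytesIO(bytes(data)))
    mismatched = [a for a in ALGORITHMS if source_hashes[a] != image_hashes[a]]
    return {"verified": not mismatched, "mismatched": mismatched,
            "sha256": source_hashes["sha256"]}


if __name__ == "__main__":
    print(verify_image(ORIGINAL_DEVICE))                      # verified: True
    print(verify_image(ORIGINAL_DEVICE, tamper_offset=1000))  # verified: False
```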

6. Hiding/Scrambling Data: Steganography & Encryption

  • Steganography: Hides information inside a carrier (often in the least-significant bits (LSB) of image pixels or audio samples)

    • Tools: Invisible Secrets, MP3Stego, DeepSound

  • Encryption:

    • Symmetric: Same key for encryption/decryption (DES, 3DES, AES)

    • Asymmetric: Public/private key pairs (RSA, Diffie-Hellman)

    • Hashing: One-way function with fixed-length output; must be collision-resistant

7. Cryptanalysis/Breaching Crypto

  • Classic Attacks: Frequency analysis, Kasiski examination (for ciphers like Vigenère)

  • Modern Attacks: Rainbow tables (Ophcrack), brute-force (John the Ripper)

  • Quantum Threat: Breaks RSA/Diffie-Hellman by solving the integer factorization and discrete logarithm problems