Digital Forensics 1

Introduction to Digital Forensics and Security Context

Digital forensics is a critical component within the broader landscape of information security and incident response. To understand its role, it is necessary to examine where it sits in relation to other security disciplines. Administrative Security focuses on understanding legal concepts, judging the appropriateness of security controls, and building a security culture; this is covered in courses such as IN2120 (Information Security), IN5540 (Privacy by Design), and IN5080 (Security and Risk Management). The Blue Team is responsible for defending against threats and building cyber threat intelligence, as seen in IN3210 (Network and Communications Security) and IN4180 (Cyber Operations). The Red Team utilizes offensive security techniques to identify, demonstrate, and report vulnerabilities, which is the focus of IN5290 (Ethical Hacking). Incident Response involves responding to threats and breaches to mitigate or reduce the impact on confidentiality, integrity, and availability. Digital forensics follows the incident, involving the application of scientific investigation techniques to identify, seize, acquire, analyze, preserve, and present electronic data in a way that remains admissible as evidence in a court of law. This field is specifically covered in IN4180 (Cyber Operations).

Origins and Modern Applications of Forensics

The term "forensics" is derived from the Latin terms "forum" and "ensis," meaning "for the public." Its origins trace back to Roman criminal procedures where cases were presented in front of a public group. In these ancient settings, both the accused and the accuser would deliver speeches based on their side of the story, and the case was decided in favor of the individual who provided the most compelling argument and delivery. Today, forensics spans many diverse fields, including DNA analysis, firearms, fire and explosion debris, controlled substances, and engineering and materials. These techniques are applied in civil and corporate environments (such as Incident Response) as well as criminal investigations conducted by law enforcement. Examples of forensic applications include investigating the streaming of child sexual abuse, tracking cryptocurrency in organized crime, and managing DNA registries. Forensic investigators also deal with threat letters, counterfeit money, fake passports, and the use of crime search dogs. Specialized units, such as homicide investigators and drug laboratory identification groups, work to provide clarity in criminal cases and bring resolution to relatives.

Defining Digital Forensics and Standards

Digital forensics is defined by NIST (National Institute of Standards and Technology) as the field concerned with retrieving, storing, and analyzing electronic data that can be useful in criminal investigations. A more technical definition describes it as the application of computer science and investigative procedures for a legal purpose, involving proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, and reporting. The working interpretation used in this curriculum defines it as the application of scientific investigation techniques to identify, seize, acquire, analyze, preserve, and present electronic data in a way that would be admissible as evidence in a court of law. Legal standards, such as the Daubert Standard (1993, USA), dictate that forensic evidence must be based on scientific methodology, must be relevant to the case, must be consistent and objective, and must be presented by a qualified expert. Standards like ISO/IEC 27037:2012 provide guidelines for the identification, collection, acquisition, and preservation of digital evidence, while NIST SP 800-101 Rev. 1 focuses specifically on mobile device forensics.

Identify: The First Phase of Investigation

The identification phase involves determining what objects or locations may store digital evidence. This is increasingly complex due to the drastic reduction in the cost of computer memory and storage over time. According to historical data, the cost of memory and storage has fallen steadily (a near-straight line on a logarithmic scale) from approximately $100 trillion per TB in the mid-1950s to roughly $100 per TB or less by 2022. For instance, a modern 2 TB memory card can store approximately 9 days of continuous 4K (UHD) video at a bitrate of 20 Mbps. Common devices that may contain evidence include PCs (laptops, desktops, servers), external storage (HDDs, SD cards), mobile devices (smartphones, watches, tablets), network infrastructure (switches, routers), peripherals (printers), GPS trackers, cars, and smart home appliances like TVs or set-top boxes. Identification requires recognizing both the physical device and the potential artifacts it contains, such as file system metadata (Created, Modified, Accessed), event logs (power cycles, USB insertions, WiFi connections), and application-specific data.

Seizure and Acquisition Phases

Seizure is the process of physically or logically isolating electronic devices to prevent data loss and taking control of the device so it can be safely examined with minimal risk of tampering. This involves critical decisions, such as whether to shut down a computer or keep it powered on to maintain access to an unlocked state. Acquisition is the subsequent process of extracting stored data from the seized device. Ideally, investigators aim for an exact image that includes deleted files and file system metadata to preserve integrity. The "Order of Volatility" is a core principle in acquisition, prioritizing data that disappears the fastest: 1. Cache, 2. RAM, 3. Page files, 4. Disk, 5. Logs on remote systems, 6. Online accounts, 7. Archive media. If RAM acquisition is known to crash a failing system, the investigator may prioritize the disk. This phase must also account for anti-forensics techniques intended to obstruct investigations, such as encryption, remote wiping, obfuscation, malware, hardware tampering, and steganography (hiding data within other data).

Analyze: The Core of Investigative Inquiry

Analysis involves examining acquired data to identify potential evidence, reconstruct events, and interpret context. Investigators utilize the 5W1H method: What, Who, Where, When, Why, and How. The process is divided into four sub-steps: Identification (isolating relevant data), Reconstruction (establishing the sequence of events), Interpretation (determining meaning and context), and Validation (using cross-referencing and dual-tool verification). To be an expert in analysis, one must be proficient in various file formats, databases, network protocols, and file systems such as NTFS, ext4, reiser, and FAT16. Knowledge of diverse operating systems (macOS, Windows, GNU/Linux) is also essential. Dual-tool verification ensures that the results obtained from one tool—whether it be an expensive proprietary box or a random script from GitHub—can be replicated by another, ensuring the accuracy of the findings.

Preserve and Present: Evidence Integrity and Reporting

Preservation ensures that digital evidence remains intact and uncontaminated throughout the lifecycle of the investigation. Key actions include disconnecting networks to avoid remote wiping, using physical or software write-blockers during acquisition, creating digital fingerprints (hash digests), moving images to fault-tolerant storage, and working exclusively on read-only copies of the evidence. Presentation involves reporting the findings to colleagues, legal teams (defense and prosecution), or company management. A professional forensic report should include: the analyst's name and date, a Table of Contents, the goal of the investigation, an overview of the case and seized materials, the location and condition of evidence (including photos), serial numbers or unique identifiers, and the specific methods and tools (including version numbers) used. It should conclude with findings, artifacts, results, and a summary. Text-based reports are preferred over images for reproducibility, searchability, collaboration, and compression.

Scientific Principles and Professional Qualifications

Scientific investigation techniques are rooted in well-established guidelines, such as RFC 3227 (Guidelines for Evidence Collection and Archiving). A fundamental concept is the Chain of Custody, a rigorous paper trail that documents every action performed on a system, ensures only authorized personnel handle evidence, and records any deviations from standard procedure. Another cornerstone is the Locard Exchange Principle, formulated by Edmond Locard in 1904, which states that "every contact leaves a trace." In digital terms, it is recognized that it is impossible to acquire memory without altering it in some way. Career success in digital forensics requires deep technical expertise in hardware, software, and networks, alongside veracity, attention to detail, and strong communication skills. As technology evolves quickly, the fundamental understanding of how computers work remains the most valuable asset for a digital investigator.
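The preservation steps above (hash digests, read-only working copies) and the Chain of Custody described here can be illustrated together. The following is an added example, not code from the course material: it stream-hashes an acquired image, write-protects the working copy, appends every action to a custody log, and checks a copy against its source. All file names, the evidence ID and the examiner name are constructed for the demonstration.

```python
"""Added example: hash an acquired image, write-protect the working copy and
keep an append-only chain-of-custody log. Paths and IDs are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def digest(path, algo="sha256", chunk=1 << 20):
    """Hash in 1 MiB blocks so a multi-TB image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_read_only(path):
    """Software write-protection for the working copy: clear every write bit."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)

def log_custody(log_path, evidence_id, action, examiner, sha256, tool):
    """Append one JSON line per action: who did what, when, to which digest, with which tool."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "evidence_id": evidence_id,
             "action": action, "examiner": examiner, "sha256": sha256, "tool": tool}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_copy(original, copy):
    """A copy is only trustworthy if both size and digest match the source."""
    return (os.path.getsize(original) == os.path.getsize(copy)
            and digest(original) == digest(copy))

def demo():
    """Constructed acquisition: a 'device', a faithful image and a one-byte-corrupted image."""
    d = Path(tempfile.mkdtemp())
    src, good, bad, log = (d / n for n in ("device.raw", "image.dd", "corrupt.dd", "custody.jsonl"))
    src.write_bytes(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)
    good.write_bytes(src.read_bytes())                 # bit-for-bit copy
    bad.write_bytes(b"\x01" + src.read_bytes()[1:])    # same size, first byte altered
    make_read_only(good)
    entry = log_custody(log, "EX-001", "acquired", "examiner-01", digest(good), "demo script")
    return verify_copy(src, good), verify_copy(src, bad), entry["sha256"] == digest(src)
```

Re-hashing the working copy before each analysis session and comparing against the logged digest is the dual check that makes the custody record meaningful.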

Workshop Scenarios: "It Depends"

Real-world forensics often relies on the "it depends" principle, meaning the approach changes based on the specific circumstances of the case and available resources. For a laptop, identification involves looking for document content, metadata (EXIF for photos, MS Office properties), and event logs. For a network router, investigators look for the Address Resolution Protocol (ARP) table (MAC to IP mapping) and DHCP logs (IP assignments). Seizing a router is sensitive because logs are often lost upon power loss; therefore, live forensics may be required before disconnection. For the laptop, seizure considerations include whether the device is on battery, if it is locked, if credentials are available, and if the drive or specific volumes are encrypted. Even smart devices, like a watch, provide artifacts such as heart rate (active/passive states), skin temperature, and accelerometer data (walking vs. sleeping), all of which must be documented with make, model, and serial number during the seizure process.
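For the router scenario, the two artifacts named above (ARP table and DHCP logs) answer different questions: the ARP table shows which MAC holds which IP now, the lease log shows which IP each MAC held over time. The following added example (not from the workshop) correlates constructed captures of both; the line formats mimic Linux `ip neigh` output and a dnsmasq-style lease file, which is an assumption about the router, not something the notes state.

```python
"""Added example: correlate a router's live ARP table with its DHCP lease log.
Both captures are constructed; the formats are an assumption (Linux `ip neigh`
output and a dnsmasq-style lease file: "<expiry epoch> <mac> <ip> <hostname> <client-id>")."""
import re

ARP_TABLE = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:11:22:33 REACHABLE
192.168.1.11 dev br0 lladdr de:ad:be:ef:00:01 STALE
"""
DHCP_LEASES = """\
1700003600 aa:bb:cc:11:22:33 192.168.1.10 alice-laptop 01:aa:bb:cc:11:22:33
1700007200 de:ad:be:ef:00:01 192.168.1.11 * 01:de:ad:be:ef:00:01
1700010800 aa:bb:cc:11:22:33 192.168.1.12 alice-laptop 01:aa:bb:cc:11:22:33
"""
ARP_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_arp(text):
    """Live view: MAC -> (IP, neighbour state) at seizure time."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, mac, state = m.groups()
            arp[mac.lower()] = (ip, state)
    return arp

def parse_leases(text):
    """Historical view: MAC -> [(expiry, IP, hostname)] sorted by expiry."""
    hist = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            hist.setdefault(parts[1].lower(), []).append((int(parts[0]), parts[2], parts[3]))
    return {mac: sorted(v) for mac, v in hist.items()}

def reconstruct(arp_text, lease_text):
    """Per device: every IP it held, its live IP, and whether the two sources agree."""
    arp, leases = parse_arp(arp_text), parse_leases(lease_text)
    report = {}
    for mac, hist in leases.items():
        live = arp.get(mac)
        report[mac] = {
            "hostname": hist[-1][2],
            "ips_over_time": [ip for _, ip, _ in hist],
            "live_ip": live[0] if live else None,
            # False means the ARP cache lags the newest lease: a finding to document, not an error
            "consistent": live is not None and live[0] == hist[-1][1],
        }
    return report
```

In the constructed data the laptop's newest lease is 192.168.1.12 while the ARP cache still maps it to 192.168.1.10, the kind of discrepancy between "now" and "over time" that the Reconstruction sub-step has to explain.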