Forensic Data Acquisition and Legal Principles

Linux Utility: fdisk
  • fdisk is a fixed disk command for managing disk partitions in Linux.

  • It requires root privileges (sudo fdisk) as it can be destructive to hard drives.

  • sudo fdisk -l lists partitions on drives.

  • Linux systems typically utilize primary, extended, and swap partitions.

  • Inside fdisk's command line interface, m displays the menu, and d can delete a partition, which could destroy an operating system.

  • Knowledge of partition ID types (e.g., Linux: 83, Linux swap: 82, NTFS: 07, FAT32: 0B) is essential for utilities like mkfs.
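As an added example (not part of these notes), the partition type IDs above are the type byte of each 16-byte MBR partition entry, which is what fdisk -l reads from sector 0 of a drive. This script builds a constructed 512-byte MBR image and parses it the way an examiner would read a raw disk image; the layout values are made up for illustration.

```python
import struct

# MBR partition type byte -> description, for the IDs listed in the notes
PARTITION_TYPES = {0x83: "Linux", 0x82: "Linux swap", 0x07: "NTFS", 0x0B: "FAT32"}

def build_mbr_image(entries):
    """Constructed MBR sector from (type_id, lba_start, sector_count) tuples."""
    sector = bytearray(512)
    for i, (ptype, lba_start, count) in enumerate(entries):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
        sector[446 + 16 * i:446 + 16 * (i + 1)] = entry
    sector[510:512] = b"\x55\xAA"          # boot signature that marks a valid MBR
    return bytes(sector)

def parse_mbr(sector):
    """Parse the four primary entries of an MBR; empty slots (type 0x00) are skipped."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0x00:
            continue
        parts.append({
            "index": i + 1,
            "type_id": f"{ptype:02X}",
            "type": PARTITION_TYPES.get(ptype, "unknown"),
            "bootable": status == 0x80,
            "lba_start": lba,
            "sectors": count,
            "size_mib": count * 512 // (1024 * 1024),
        })
    return parts

def sample_mbr():
    """Constructed example image: one partition of each type named in the notes."""
    return build_mbr_image([
        (0x83, 2048, 2097152),       # Linux root, 1 GiB
        (0x82, 2099200, 1048576),    # Linux swap, 512 MiB
        (0x07, 3147776, 4194304),    # NTFS, 2 GiB
        (0x0B, 7342080, 1048576),    # FAT32, 512 MiB
    ])

if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print(p)
```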

Redundant Array of Independent Disks (RAID)
  • RAID 0 (Striping):

    • Minimum 2 drives.

    • Splits data across drives, improving performance (faster read/write).

    • Offers no redundancy; complete data loss if one drive fails.

  • RAID 1 (Mirroring):

    • Minimum 2 drives.

    • Writes identical data to both drives, providing full redundancy.

    • Data is preserved if one drive fails. Incurs a performance hit due to double writes.

  • RAID 2, 3, 4: Largely obsolete, replaced by modern hardware/software solutions.

  • RAID 5 (Striping with Parity):

    • Minimum 3 drives.

    • Distributes data blocks and parity information across all drives for both performance and fault tolerance (can withstand one drive failure).

    • Common in servers; supports hot-swappable drives for easy replacement.

  • RAID 6 (Striping with Double Parity):

    • Similar to RAID 5 but includes an additional parity block per drive for higher redundancy.

    • Involves a greater write overhead due to extra parity calculation.

  • RAID 10 (Nested RAID):

    • A combination of RAID 0 and RAID 1 (striped mirrors).

    • Minimum 4 drives.

    • Offers high performance from striping and high fault tolerance from mirroring.

  • RAID 15 (Nested RAID):

    • A combination of RAID 5 and RAID 1 (mirrored RAID 5 arrays).

    • Minimum 6 drives.

    • Provides enhanced redundancy and performance by mirroring RAID 5 arrays.

  • A standalone single drive is not considered a RAID configuration.
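An added example (not from these notes) that simulates RAID 5 striping with rotating parity, the one-drive fault tolerance described above, and the drive-order requirement noted under RAID Acquisition in the next section: reassembling the member images in the wrong order yields garbage even though every block is present. Block size, parity rotation and the sample data are assumptions chosen for readability, not any vendor's layout.

```python
BLOCK = 4   # bytes per block; tiny so the layout is easy to follow

def xor_blocks(*blocks):
    """XOR equal-length blocks together; this is RAID 5 parity."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)

def parity_slot(stripe_no, n_drives):
    """Rotating parity: stripe 0 places parity on the last drive, stripe 1 one drive earlier, ..."""
    return (n_drives - 1) - stripe_no % n_drives

def raid5_write(data, n_drives, block=BLOCK):
    """Lay data across n_drives member images; returns one list of blocks per drive."""
    per_stripe = n_drives - 1
    chunks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    chunks += [b"\0" * block] * (-len(chunks) % per_stripe)   # pad the final stripe
    drives = [[] for _ in range(n_drives)]
    for stripe_no, s in enumerate(range(0, len(chunks), per_stripe)):
        stripe = chunks[s:s + per_stripe]
        data_iter = iter(stripe)
        for d in range(n_drives):
            drives[d].append(xor_blocks(*stripe) if d == parity_slot(stripe_no, n_drives)
                             else next(data_iter))
    return drives

def raid5_read(drives, length):
    """Reassemble the logical volume from member images given in array order.
    One missing member (None) is rebuilt by XORing the surviving blocks of each stripe."""
    n = len(drives)
    if drives.count(None) > 1:
        raise ValueError("RAID 5 can survive only one failed drive")
    missing = drives.index(None) if None in drives else None
    n_stripes = len(next(d for d in drives if d is not None))
    out = bytearray()
    for stripe_no in range(n_stripes):
        blocks = [d[stripe_no] if d is not None else None for d in drives]
        if missing is not None:
            blocks[missing] = xor_blocks(*[b for b in blocks if b is not None])
        p = parity_slot(stripe_no, n)
        out += b"".join(b for i, b in enumerate(blocks) if i != p)   # drop the parity block
    return bytes(out[:length])

if __name__ == "__main__":
    members = raid5_write(b"evidence image data!", 3)     # constructed sample volume
    print(raid5_read([members[0], None, members[2]], 20))  # rebuilt with drive 2 missing
```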

Forensic Acquisition and Evidence Identification
  • RAID Acquisition:

    • Static Acquisition: Requires physically removing and acquiring all member drives in their original order. Forensic tools like EnCase can reconstruct some RAID arrays if drive order is known.

    • Logical Acquisition: Involves copying data from an active RAID volume, often without the examiner knowing it's a RAID system.

  • Identifying Seizable Media:

    • Any device storing digital information is potential evidence (e.g., hard drives, floppy disks, USB drives, smart devices, vehicles with GPS/data, printers).

    • Severely damaged drives are typically not forensically recoverable due to prohibitive costs (approximately $250,000 for expert reconstruction).

    • Old media, such as 3.5-inch floppy disks, can still contain critical data.

    • Printers may retain recent print jobs in internal memory.

    • Modern vehicles (with GPS, OnStar) collect and store extensive data, including travel history, and may have remote control capabilities.

    • Smartwatches can detect falls and automatically alert emergency services with location data.

  • Security by Obscurity: Involves concealing media in plain sight by disguising it as an innocuous object (e.g., a Lego or poker chip thumb drive).

  • Encrypted Drives:

    • Such drives (e.g., with biometric scanners) maintain an expectation of privacy, similar to a physical safe.

    • Access requires a warrant based on probable cause.

    • The user's physical input, like a fingerprint, serves as the decryption key.

Data Types and Timestamps
  • Generated Reports: Data dynamically created from a database (e.g., an unofficial web transcript). It is not a fixed file and changes with real-time data, thus lacking a historical record.

  • Stored Reports: A static, saved copy of data (e.g., a PDF transcript). It includes a timestamp, providing an unchangeable historical record.

  • File Timestamps: Crucial for establishing forensic timelines.

    • FAT32 file system: Create, Modify, Read timestamps.

    • NTFS file system: Create, Modify, Access, Write timestamps.

    • Inconsistencies in timestamps (e.g., access date preceding creation) can indicate data manipulation.

    • Every time a USB drive is connected to a computer, its serial number is registered and logged by the operating system.
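An added example (not from these notes) of the timestamp consistency check described above, run over a small set of constructed file records carrying the Create/Modify/Access triple. The acquisition time and the records are assumptions made up for the demonstration; the findings are leads for the timeline, not proof of tampering, since ordinary operations such as copying a file can also leave a modified time earlier than the created time.

```python
from datetime import datetime, timezone

# Assumed time the image was acquired; no legitimate timestamp should be later than this
ACQUIRED_AT = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)

# Constructed sample records (ISO 8601, UTC) with the three timestamps named in the notes
SAMPLE_RECORDS = [
    {"path": "docs/report.docx", "created": "2024-03-01T10:00:00Z",
     "modified": "2024-03-02T14:30:00Z", "accessed": "2024-03-05T08:00:00Z"},
    {"path": "docs/ledger.xlsx", "created": "2024-03-04T12:00:00Z",
     "modified": "2024-03-04T12:05:00Z", "accessed": "2024-02-20T09:00:00Z"},  # accessed before created
    {"path": "tmp/notes.txt", "created": "2024-03-06T00:00:00Z",
     "modified": "2024-03-05T23:00:00Z", "accessed": "2024-03-06T01:00:00Z"},  # modified before created
    {"path": "bin/tool.exe", "created": "2024-03-08T00:00:00Z",
     "modified": "2024-03-08T00:00:00Z", "accessed": "2025-01-01T00:00:00Z"},  # later than acquisition
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def timestamp_anomalies(record, acquired_at=ACQUIRED_AT):
    """Return the list of ordering problems in one record (empty list if consistent)."""
    created, modified, accessed = (parse_ts(record[k]) for k in ("created", "modified", "accessed"))
    findings = []
    if accessed < created:
        findings.append("accessed before created")
    if modified < created:
        # Possible manipulation, but a plain file copy can produce this too: corroborate elsewhere
        findings.append("modified before created")
    for name, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > acquired_at:
            findings.append(f"{name} is later than the acquisition time")
    return findings

def triage(records, acquired_at=ACQUIRED_AT):
    """Map each path with at least one anomaly to its findings, for timeline review."""
    return {r["path"]: f for r in records if (f := timestamp_anomalies(r, acquired_at))}

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(findings))
```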

Legal Considerations
  • Expectation of Privacy: Legitimate belief that personal data or spaces are private, requiring legal authorization (e.g., a warrant) for access.

  • Warrants: Judicial orders required for accessing private data or property without consent, predicated on demonstrating probable cause.

  • Plain Sight Doctrine: Allows law enforcement to seize evidence without a warrant if three conditions are met:

    1. Lawful Presence: Officer must be legally present at the location of the evidence.

    2. By Chance: Evidence must be discovered inadvertently, not as a result of an illegal search.

    3. No Enhanced Senses: Discovery must be made using unassisted natural senses (i.e., no use of binoculars, specialized listening devices).

  • Consent: Voluntary permission granted by an individual (e.g., to search a trunk) allows plain sight doctrine to be invoked if evidence is then observed.

  • Illegal Search: Any search conducted without a warrant, probable cause, or valid consent is unlawful.

  • Attractive Nuisance: A legal doctrine where a property owner can be held liable for injuries to trespassers (often children) if the property contains a dangerous object or condition that is likely to attract them (e.g., a trampoline), regardless of