
Introduction to Digital Forensics

Module 10 aims to teach students about the principles and methods of collecting and preserving digital evidence. Students will learn how computer systems store and organize data, how to identify and secure digital evidence, and the techniques used to keep its authenticity for legal cases. This helps students understand the important role digital forensics plays in modern criminal investigations and court procedures.

Learning Objectives

After completing this module, you should be able to:

  • explain how data is stored, organized, and managed within computer storage systems.
  • define and describe the concept of digital evidence and its role in criminal investigations.
  • describe the techniques used to maintain the verifiable integrity of digital evidence.
  • explain how data is written, read, and retrieved from hard drives and other storage media.
  • identify hidden or leftover data sources like deleted files, metadata, and unallocated space.
  • differentiate among common types of storage media, including hard drives, solid-state drives, and removable devices.
  • explain methods for authenticating digital evidence and guaranteeing its acceptance in court.
  • assess professional standards and best practices related to digital evidence management and forensic procedures.

 

Summary

Module 10 introduces students to the basics of data storage, digital evidence, and forensic analysis within the wider field of digital forensics. Knowing how data is created, stored, and retrieved is crucial for investigating and interpreting digital evidence in both criminal and civil cases. This module explains that computers organize and handle data through storage systems made up of sectors, clusters, and file systems that determine how information is written and found. This technical knowledge helps investigators locate evidence, including deleted or hidden files, on various storage media like hard drives, solid-state drives, USB devices, and optical disks.

A key idea in this module is ensuring the verifiable integrity of digital evidence. Because digital data can be easily altered, deleted, or overwritten, forensic examiners use hashing algorithms like MD5 or SHA-1 to create unique digital fingerprints that verify data authenticity. Maintaining an unbroken chain of custody and utilizing forensic tools such as write blockers or commercial software like EnCase or FTK help ensure that evidence stays reliable and admissible in court. These methods follow the ethical and procedural standards required under U.S. legal guidelines for digital forensics.

The Read, Review, Watch, and Listen materials reinforce these concepts through a mix of technical, procedural, and professional viewpoints. The FBI’s “Recovering and Examining Computer Forensic Evidence” article provides a historical basis for evidence recovery and outlines best practices for maintaining data integrity during investigations. Martin Novak’s “Improving the Collection of Digital Evidence” from the National Institute of Justice offers a more modern perspective, highlighting how forensic examiners balance efficiency with legal compliance when collecting evidence from today’s devices and cloud environments. Together, these readings demonstrate the evolution of forensic techniques and emphasize the ongoing importance of accuracy, authentication, and professionalism in the field.

The TechTarget video “How Data Storage Works” complements these readings by visually explaining how information is written to and retrieved from digital media, clarifying why different file systems affect evidence recovery. Similarly, the United States Computer Emergency Response Team overview introduces the broader role of cybersecurity and digital forensics in responding to computer crimes and data breaches. The SEARCH Investigative Toolbar resource acts as a practical tool for analysts, helping them locate and cross-reference online data during investigations.

The embedded videos “What is Computer Forensics and How is it Used,” “Overview of Digital Forensics,” and “Working as a Digital Forensics Analyst” connect theory with practice. They demonstrate how forensic specialists apply these principles in real-world investigations, highlighting chain of custody, proper evidence documentation, and adherence to professional standards. Finally, the Digital Forensics Now podcast lets students hear directly from experts in the field, offering insights into emerging technologies, new legal challenges, and professional experiences that enhance understanding beyond the textbook.

Collectively, these resources and concepts emphasize that computer forensics is both a technical and a legal and ethical discipline. Investigators must ensure that digital evidence is collected, preserved, analyzed, and presented in a way that maintains scientific reliability and judicial integrity. In doing so, digital forensics supports the broader goals of the criminal justice system to uncover the truth, protect individual rights, and ensure fair justice in an increasingly digital world.

Key Takeaways

Key Terms/Concepts

Commercial forensic packages
Computer forensics
Computer storage system
Continuity of evidence
Defragmenting a disk
DoD wipe
Evidence drive
File systems
Forensic analysis
Forensic analyst
Hash value
MD5 hash algorithm
Storage device

Read, Review, Watch and Listen

  1. Read Recovering and Examining Computer Forensic Evidence – United States Department of Justice (USDOJ), Federal Bureau of Investigation (FBI, Oct. 2000, Vol 2 No. 4)
  2. Read Improving the Collection of Digital Evidence by Martin Novak [NIJ, Dec. 16 2021]. Download the full document HERE
  3. Read about storage and watch How data storage works (TechTarget, 2021)
  4. Review the United States Computer Emergency Response Team’s (CERT) overview of computer forensics
  5. Review SEARCH’s Investigative Toolbar resource
  6. Watch What is Computer Forensics and How is it Used? – also embedded below
  7. Watch Overview of Digital Forensics  – also embedded below
  8. Watch Working as a digital forensics analyst | Cybersecurity Career Series – also embedded below
  9. Listen to a podcast of your choice on Digital Forensics Now

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Contact the professor with any course-related questions. Report any broken links to Dr. Ramirez-Thompson (thompsne@cod.edu).

 

Activity

STOP!!

Students should review the course syllabus to determine the assignment of this activity.

This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.

Purpose

The purpose of the activity is to explore the functionality of ACCESSDATA’s FTK Imager, a commercial software tool that enables investigators to retrieve information physically present on a device even when the user/suspect has deleted the evidence.

Overview

FTK Imager allows you to:

  • Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.
  • Preview the contents of forensic images stored on the local machine or on a network drive.
  • Create hashes of files to check the integrity of the data by using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
  • And so much more!

Instructions

  1. Go to ACCESSDATA’s website, click on the Products menu, then from the SUITES menu select Digital Forensics, and then select FTK Imager from within PRODUCTS.
    1. Before downloading the file, watch the provided video.
    2. From the list of Digital Forensics tools, download the FTK Imager tool. Note that you will have to complete a registration page by Exterro Legal GRC Software; however, you do not need to provide authenticated information.
  2. Attach a USB drive to your machine, and then watch How to Recover a Deleted File (https://youtu.be/sAF1XxNb0nw). This step will teach you how to add ‘evidence’ and review the device for deleted files.
  3. Watch the FTK Imager: A Look Inside the Product video: https://www.exterro.com/ftk-imager
  4. Make note of your observations and results before answering any of the following assignment questions.

Answer the following questions:

  • Were you able to successfully use the Data FTK file and view deleted files?
  • Estimate and describe the number of deleted files that you were able to find.
  • What advantages are offered by commercial forensic packages? Explain.
  • What are possible disadvantages to using commercial forensic packages? Explain.

Don’t get frustrated. If you experience any technical challenges and are unable to use the FTK Imager tool, you can answer the following questions as an alternative.

  • Were you able to successfully use the Data FTK file and view deleted files? If not, describe the technical challenge.
  • What advantages are offered by commercial forensic packages? Explain.
  • What are possible disadvantages to using commercial forensic packages? Explain.
  • Why are deleted files of particular interest to the digital forensic analyst? Explain.

Key Terms/Concepts

A volatile storage system is a type of computer memory that needs power to preserve stored data. If the computer is switched off, anything stored in volatile memory is lost. For example, all random access memory (RAM) other than the CMOS RAM used in the BIOS is volatile.

A nonvolatile storage system (NVS) is computer memory that can hold saved data even when there is no power and does not require periodic refreshes of its memory data. Nonvolatile storage is commonly used for secondary storage or long-term consistent storage.

A file system, or filesystem (often abbreviated to fs), is a method and data structure that the operating system uses to control how data is stored and retrieved.

File allocation table (FAT) is a file system developed for hard drives that originally used 12 or 16 bits for each cluster entry in the file allocation table. It is used by the operating system (OS) to manage files on hard drives and other computer systems. It is also often found in flash memory, digital cameras and portable devices. It is used to store file information and extend the life of a hard drive.

Deleted electronic files are files whose reference on the hard drive has been removed, whether by deleting them or by emptying the Recycle Bin. Once the file header, or reference, is removed, the computer can no longer see the file. The space the file took up is no longer reserved for that file, and any new file can be stored in that location, meaning the file is no longer readable by the computer. However, the file remains on the hard drive until another file or part of another file is saved to the same location.
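The deletion behavior described above can be observed on a toy FAT-style volume. This is an added example, not part of the original module: `ToyFatVolume`, `name83`, the 16-byte cluster size and the sample content are constructed for illustration, the layout is simplified (real FAT numbers data clusters from 2), and recovery assumes the deleted file sat in contiguous clusters.

```python
import hashlib
import struct
CLUSTER, FREE, END = 16, 0, 0xFFFF   # toy cluster size (bytes) and allocation-table markers
ENTRY = struct.Struct("<11sB14xHI")  # 32-byte entry: 8.3 name, attribute, first cluster, size

def name83(filename):
    base, _, ext = filename.upper().partition(".")
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")

class ToyFatVolume:  # constructed and simplified: directory, allocation table, data clusters
    def __init__(self, clusters=8):
        self.directory, self.fat, self.data = [], [FREE] * clusters, bytearray(CLUSTER * clusters)

    def write_file(self, filename, content):
        need = max(1, -(-len(content) // CLUSTER))         # clusters required, rounded up
        chain = [i for i, v in enumerate(self.fat) if v == FREE][:need]
        if len(chain) < need:
            raise OSError("volume full")
        for n, c in enumerate(chain):
            self.fat[c] = chain[n + 1] if n + 1 < need else END
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory.append(bytearray(ENTRY.pack(name83(filename), 0x20, chain[0], len(content))))

    def delete_file(self, filename):
        for entry in self.directory:
            if bytes(entry[:11]) == name83(filename):
                cluster = ENTRY.unpack(entry)[2]
                entry[0] = 0xE5                            # first name byte marks the entry deleted
                while cluster != END:                      # release the chain; data is untouched
                    self.fat[cluster], cluster = FREE, self.fat[cluster]

    def recover_deleted(self):  # reads the bytes the deleted entry still points at
        found = {}
        for entry in self.directory:
            if entry[0] == 0xE5:
                name, _, start, size = ENTRY.unpack(entry)
                label = "?" + name[1:8].decode().strip() + "." + name[8:].decode().strip()
                found[label] = bytes(self.data[start * CLUSTER:start * CLUSTER + size])
        return found

def demo():
    original = b"quarterly budget draft v3, do not distribute"  # constructed sample content
    recorded = hashlib.md5(original).hexdigest()                # digest noted before deletion
    vol = ToyFatVolume()
    vol.write_file("note.txt", original)
    vol.delete_file("note.txt")
    before = vol.recover_deleted()["?OTE.TXT"]
    vol.write_file("new.txt", b"X" * 20)                        # reuses the freed clusters
    after = vol.recover_deleted()["?OTE.TXT"]
    return [hashlib.md5(x).hexdigest() == recorded for x in (before, after)] + [after[20:] == original[20:]]
```

`demo()` returns three flags: the recovered bytes hash to the recorded MD5 right after deletion, the hash no longer matches once a new file reuses the first clusters, and the part of the old file beyond the overwritten region is still present.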

Refer to the course learning management system (LMS), that is, Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.

Discussion Questions

  1. Explain how the principles of digital forensics ensure the verifiable integrity of digital evidence throughout the cybercrime investigation process.
  2. Discuss how the verifiable integrity of digital evidence impacts the outcome of investigations.
  3. Discuss the legal and ethical obligations that digital forensics professionals and cybercrime investigators must adhere to, and focus on how those obligations influence their approach to collecting, analyzing, and presenting digital evidence.
  4. In the context of handling digital evidence, what are considered best practices? Discuss how these practices contribute to the reliability and admissibility of evidence in legal proceedings.
  5. Describe the universal procedures for examining removable storage media within digital forensics investigations. How do these procedures account for the different logical structures of hard drives and related storage devices?
  6. Discuss the importance of established standards for reporting forensic results and the assessment of digital evidence. How do these standards affect the credibility of the forensic investigation in the eyes of the law?

Supplemental Resources

  • INFOSEC
    • We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home.
  • RAND, Digital Evidence and the U.S. Criminal Justice System Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence


License

Computers and Criminal Justice Copyright © 2021 by Eric R. Ramirez-Thompson, PhD is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.