Introduction to Digital Forensics
Module 10 introduces the fundamentals of data storage and digital evidence in the context of digital forensics. It begins by explaining how computers store data, detailing the structure and operation of storage systems like hard drives, which use sectors, clusters, and file systems to organize information. The lesson emphasizes the concept of digital evidence, which includes any data stored or transmitted in binary form that may be used in legal proceedings.
A key focus of the module is on preserving the verifiable integrity of digital evidence. This process ensures that data remains unchanged from the moment it is collected to its presentation in court, typically achieved through hashing techniques that generate a unique digital fingerprint for the data. The module also discusses hidden sources of information, such as deleted files, metadata, and unallocated disk space, which can provide crucial evidence.
In addition, the module offers a cursory review of the common types of storage media, including hard drives, solid-state drives, USB devices, and optical disks, explaining how data is written, read, and potentially hidden across these platforms. Finally, it highlights the standards and best practices for digital evidence handling, stressing authentication methods to confirm evidence integrity and discussing established protocols in digital forensics to ensure compliance with legal and ethical guidelines.
Learning Objectives
After completing this module, you should be able to:
- discuss data and how the storage system works in the computer.
- describe digital evidence.
- illustrate the process used to preserve the verifiable integrity of digital evidence.
- describe, in broad detail, how information is stored on hard drives.
- identify hidden sources of information on a hard drive.
- describe common storage media.
- discuss the ways in which digital evidence is authenticated.
- evaluate standards and best practices for digital evidence and digital forensics.
Summary
Computer forensics is a branch of digital forensics that involves the investigation and analysis of digital devices and data to uncover evidence for legal purposes. It focuses on preserving, recovering, and examining electronic information, such as files, emails, and system logs, to support legal investigations and proceedings. Computer forensics experts use various techniques and tools to identify, extract, and interpret digital evidence, often in cases related to cybercrime, data breaches, intellectual property theft, and more. The ultimate goal is to maintain the integrity of evidence to ensure its admissibility in a court of law.
The application of computer forensics techniques is a crucial part of the modern criminal justice investigation process; it deals with the recovery and analysis of digital evidence found on electronic devices like computers and smartphones. Essentially, the examination of digital evidence is about uncovering the truth hidden in data to solve crimes. Whether it’s a case of cybercrime, fraud, child exploitation, or even just piecing together clues from a suspect’s digital trail in a more conventional crime, computer forensics helps bring critical information to light and makes sure it’s authentic and follows accepted standards of examination instituted by the American legal system.
The computer forensic process isn’t as simple as just looking through a hard drive, though. It starts with finding and securing the evidence, which is important because digital data can be easily altered or erased. Specially trained experts then make a bit-by-bit copy of the storage, allowing them to work with the data without touching the original. Establishing a chain-of-custody and preserving the integrity of the evidence is an indispensable part of the evidence examination and production process.
Once the data is secure, investigators begin the digital analysis, which might involve recovering deleted files, tracking internet history, or uncovering hidden communication records. Finally, the findings are compiled into a report that clearly lays out the evidence and explains its significance for legal proceedings.
On the technical side, computer forensics relies on some specialized tools and techniques. Tools like write blockers prevent any accidental changes to the data, while forensic software such as EnCase or FTK helps sift through files, recover lost data, or analyze log entries. Hashing algorithms like MD5 or SHA-1 act like digital fingerprints, verifying that no evidence has been altered throughout the investigation.
In the end, computer forensics isn’t just about cracking codes and finding data—it’s about the identification of evidence that is authenticated and used in either criminal or civil cases and ensuring an accurate administration of justice.
Key Takeaways
Key Terms/Concepts
Commercial forensic packages
Computer forensics
Computer storage system
Continuity of evidence
Defragmenting a disk
DoD wipe
Evidence drive
File systems
Forensic analysis
Forensic analyst
Hash value
MD5 hash algorithm
Storage device
Read, Review, Watch and Listen
- Read Recovering and Examining Computer Forensic Evidence – United States Department of Justice (USDOJ), Federal Bureau of Investigation (FBI, Oct. 2000, Vol 2 No. 4)
- Read Improving the Collection of Digital Evidence by Martin Novak (NIJ, Dec. 16, 2021)
- Read about storage and watch How data storage works (TechTarget, 2021)
- Review the United States Computer Emergency Response Team’s (CERT) overview of computer forensics
- Review SEARCH’s Investigative Toolbar resource
- Watch What is Computer Forensics and How is it Used? – also embedded below
- Watch Overview of Digital Forensics – also embedded below
- Watch Working as a digital forensics analyst | Cybersecurity Career Series – also embedded below
- Listen to a podcast of your choice on Digital Forensics Now
Activity
STOP!!
Students should review the course syllabus to determine the assignment of this activity.
This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.
Purpose
The purpose of the activity is to explore the functionality of ACCESSDATA’s FTK Imager tool as a commercial software that enables investigators to retrieve information physically found on a device even when the user/suspect has deleted the evidence.
Overview
FTK Imager allows you to:
- Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.
- Preview the contents of forensic images stored on the local machine or on a network drive.
- Create hashes of files to check the integrity of the data by using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
- And so much more!
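The MD5 and SHA-1 integrity check described in the Summary and offered by FTK Imager above, as an added Python example (not part of the course materials or of FTK Imager's own code): it hashes a constructed drive image at acquisition, re-verifies a working copy against the recorded values, and shows that a single flipped bit fails both checks. The image bytes, the function names and the block-wise reading are assumptions made for illustration.

```python
import hashlib
import io

# Constructed sample "evidence": stands in for the raw bytes of a drive image.
# A real image would be streamed from the image file rather than held in memory.
EVIDENCE_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"notes: call Friday"


def acquisition_hashes(source, block_size=1 << 20):
    """One pass over the image computing both fingerprints FTK Imager offers
    (MD5 and SHA-1). Reading in blocks keeps memory flat for multi-GB images."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(block_size), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(source, recorded):
    """Re-hash a working copy and compare it with the values recorded at acquisition.
    Both algorithms must match; any mismatch means the copy is not bit-for-bit identical."""
    current = acquisition_hashes(source)
    return {alg: current[alg] == recorded[alg] for alg in recorded}


def demo():
    # 1. Image the evidence drive and record both hashes in the chain-of-custody log.
    recorded = acquisition_hashes(EVIDENCE_IMAGE)
    # 2. Before examination, re-verify the working copy against the recorded values.
    intact = verify_image(EVIDENCE_IMAGE, recorded)
    # 3. A copy with a single flipped bit (constructed here) fails both checks.
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[300] ^= 0x01
    altered = verify_image(bytes(tampered), recorded)
    return recorded, intact, altered


if __name__ == "__main__":
    rec, ok, bad = demo()
    print("recorded at acquisition:", rec)
    print("original copy verifies:", ok)
    print("altered copy verifies:", bad)
```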
Instructions
- Go to ACCESSDATA’s website, click on the Products menu, then from the SUITES menu select Digital Forensics, and then select FTK Imager from within the PRODUCTS.
- Before downloading the file, watch the provided video.
- From the list of Digital Forensics tools, download the FTK Imager tool. Note that you will have to complete a registration page by Exterro Legal GRC Software; however, you do not need to provide authenticated information.
- Attach a USB drive to your machine, and then watch How to Recover a Deleted File (https://youtu.be/sAF1XxNb0nw). This step will teach you how to add ‘evidence’ and review the device for deleted files.
- FTK Imager: A Look Inside the Product (video): https://www.exterro.com/ftk-imager
- Make note of your observations and results before answering any of the following assignment questions.
Answer the following questions:
- Were you able to successfully use the Data FTK file and view deleted files?
- Estimate and describe the number of deleted files that you were able to find.
- What advantages are offered by commercial forensic packages? Explain.
- What are possible disadvantages to using commercial forensic packages? Explain.
Don’t get frustrated. If you experience any technical challenges and are unable to use the FTK Imager tool, you can answer the following questions as an alternative.
- Were you able to successfully use the Data FTK file and view deleted files? If not, describe the technical challenge.
- What advantages are offered by commercial forensic packages? Explain.
- What are possible disadvantages to using commercial forensic packages? Explain.
- Why are deleted files of particular interest to the digital forensic analyst? Explain.
Key Terms/Concepts
Volatile storage is a type of computer memory that needs power to preserve stored data. If the computer is switched off, anything stored in volatile memory is removed or deleted. For example, all random access memory (RAM) other than the CMOS RAM used in the BIOS is volatile.
Nonvolatile storage (NVS) refers to computer memory that is able to hold saved data even when there is no power, and that does not require periodic refreshes of its memory data. Non-volatile storage is commonly used for secondary storage or long-term persistent storage.
A file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved.
The file allocation table (FAT) is a file system developed for hard drives that originally used 12 or 16 bits for each cluster entry in the file allocation table. It is used by the operating system (OS) to manage files on hard drives and other computer systems. It is often also found in flash memory, digital cameras and portable devices. It is used to store file information and extend the life of a hard drive.
Deleting electronic files or emptying the Recycle Bin removes the reference to the file on the hard drive. Once the file header, or reference, is removed, the computer can no longer see the file. The space the file took up is no longer reserved for that file, and any new file can be stored in that location. This means the file is no longer readable by the computer. However, the file remains on the hard drive until another file, or part of another file, is saved to the same location.
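The deletion behaviour just described, as an added Python example that is not part of the course materials: a constructed toy FAT-style volume in which deleting a file only drops the directory reference and marks its cluster chain free, so a scan of the unallocated clusters for a known header still recovers the contents, until a new file reuses the cluster and overwrites them. The volume layout, the MEMO: header and the class and function names are assumptions for illustration (the FAT12 values 0x000 and 0xFFF for a free cluster and end of chain are real).

```python
CLUSTER_SIZE, NUM_CLUSTERS = 32, 8   # constructed toy volume: 8 clusters of 32 bytes
FREE, END = 0x000, 0xFFF             # FAT12 markers: free cluster / end of chain
SIGNATURE = b"MEMO:"                 # constructed file header used for carving


class ToyVolume:
    """FAT-style volume: data area, cluster chain table (the FAT) and directory."""

    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.fat = [FREE] * NUM_CLUSTERS
        self.directory = {}          # name -> (first cluster, size in bytes)

    def write_file(self, name, content):
        chunks = [content[i:i + CLUSTER_SIZE] for i in range(0, len(content), CLUSTER_SIZE)]
        free = [c for c, e in enumerate(self.fat) if e == FREE][:len(chunks)]
        if len(free) < len(chunks):
            raise OSError("volume full")
        for n, c in enumerate(free):     # first-fit allocation, chained through the FAT
            self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = chunks[n].ljust(CLUSTER_SIZE, b"\0")
            self.fat[c] = free[n + 1] if n + 1 < len(free) else END
        self.directory[name] = (free[0], len(content))

    def delete_file(self, name):
        # What the OS does on delete: drop the reference and mark the chain free;
        # the bytes in the data area are left exactly as they were.
        c, _ = self.directory.pop(name)
        while c != END:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt

    def carve_unallocated(self, signature=SIGNATURE):
        """Forensic recovery: scan clusters the FAT marks free for a known header."""
        hits = []
        for c, entry in enumerate(self.fat):
            blob = bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
            if entry == FREE and blob.startswith(signature):
                hits.append((c, blob.rstrip(b"\0")))
        return hits


def demo():
    vol = ToyVolume()
    vol.write_file("memo.txt", b"MEMO: call the supplier Friday")
    vol.delete_file("memo.txt")                   # reference gone, bytes still in cluster 0
    after_delete = vol.carve_unallocated()
    vol.write_file("new.txt", b"unrelated data")  # reuses cluster 0 and overwrites it
    after_overwrite = vol.carve_unallocated()
    return after_delete, after_overwrite
```

A real carver also handles files spanning several clusters and uses the on-disk directory entry, which FAT keeps with its first byte marked as deleted; this toy scans one cluster per hit.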
Refer to the course learning management system (LMS); that is Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.
Discussion Questions
- Explain how the principles of digital forensics ensure the verifiable integrity of digital evidence throughout the cybercrime investigation process.
- Discuss how the verifiable integrity of digital evidence impacts the outcome of investigations.
- Discuss the legal and ethical obligations that digital forensics professionals and cybercrime investigators must adhere to, and focus on how those obligations influence their approach to collecting, analyzing, and presenting digital evidence.
- In the context of handling digital evidence, what are considered best practices? Discuss how these practices contribute to the reliability and admissibility of evidence in legal proceedings.
- Describe the universal procedures for examining removable storage media within digital forensics investigations, and explain how these procedures account for the different logical structures of hard drives and related storage devices.
- Discuss the importance of established standards for reporting forensic results and the assessment of digital evidence. How do these standards affect the credibility of the forensic investigation in the eyes of the law?
Supplemental Resources
- INFOSEC
- We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home.
- RAND, Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence
Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Commercial forensic packages such as EnCase can help an investigator to conduct everything they need to do for a successful investigation. There are notable advantages and disadvantages to using commercial software.
Computer forensics: the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
Computer storage system: a technology consisting of computer components and recording media that are used to retain digital data. It is a core function and fundamental component of computers.
Continuity of evidence: the custody of evidence and its movement and location from the point of discovery and recovery (at the scene of a crime or from a person), to its transport to the laboratory for examination, and until the time it is allowed and admitted in court; also known as the chain of custody or chain of evidence.
Defragmenting a disk: the process of consolidating fragmented files on the user's hard drive. Defragmentation moves the data blocks on the hard drive around to bring all the parts of a file together. It reduces file system fragmentation, increasing the efficiency of data retrieval and thereby improving the overall performance of the computer. At the same time, it cleans the storage and provides additional storage capacity.
DoD wipe: overwriting all the addressable locations on a hard drive as per the steps specified in the DoD 5220.22-M algorithm. Professional data erasure software such as BitRaser Drive Eraser can perform wiping using the DoD 5220.22-M standard.
Evidence drive: the original storage device from which a forensic investigator will make a mirrored copy. The original evidence hard drive(s) should be stored in a physically secure location, such as a safe in a secured storage facility.
File systems: a file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved.
Forensic analysis: a detailed investigation for detecting and documenting the course, reasons, culprits, and consequences of a security incident or violation of rules of the organization or state laws.
Forensic analyst: forensic analysts are tasked with collecting and/or examining crime scene evidence to learn more about the person who committed the offense or to include or eliminate a specific person as a potential suspect.
Hash value: a numeric value of a fixed length that uniquely identifies data. Hash values represent large amounts of data as much smaller numeric values, so they are used with digital signatures.
MD5 hash algorithm: the MD5 (message-digest) algorithm is a cryptographic protocol used for authenticating messages as well as content verification and digital signatures. MD5 is based on a hash function that verifies that a file you sent matches the file received by the person you sent it to.
Storage device: a piece of computer equipment on which information can be stored.