Introduction to Digital Forensics

Module 10 discusses digital forensics and cybercrime investigations. The module explores the process used to preserve the verifiable integrity of digital evidence and considers the legal and ethical obligations of cybercrime investigators and digital forensics professionals, good practices in handling digital evidence, universal procedures for examining removable storage media, and the basic logical structures of the hard drive and related storage devices. Included in the module is a cursory review of established standards for reporting forensics results and the assessment of digital evidence.

Learning Objectives

After completing this module, you should be able to:

  • discuss data and how the storage system works in the computer
  • describe digital evidence
  • illustrate the process used to preserve the verifiable integrity of digital evidence
  • describe, in broad detail, how information is stored on hard drives
  • identify hidden sources of information on a hard drive
  • describe common storage media
  • discuss the ways in which digital evidence is authenticated
  • evaluate standards and best practices for digital evidence and digital forensics

Summary

Computer forensics is a branch of digital forensics that involves the investigation and analysis of digital devices and data to uncover evidence for legal purposes. It focuses on preserving, recovering, and examining electronic information, such as files, emails, and system logs, to support legal investigations and proceedings. Computer forensics experts use various techniques and tools to identify, extract, and interpret digital evidence, often in cases related to cybercrime, data breaches, intellectual property theft, and more. The ultimate goal is to maintain the integrity of evidence to ensure its admissibility in a court of law.

Key Terms/Concepts

Commercial forensic packages
Computer forensics
Computer storage system
Continuity of evidence
Defragmenting a disk
DoD wipe
Evidence drive
File systems
Forensic analysis
Forensic analyst
Hash value
MD5 hash algorithm
Storage device

Read, Review, Watch and Listen

  1. Read Recovering and Examining Computer Forensic Evidence, United States Department of Justice (USDOJ), Federal Bureau of Investigation (FBI), Oct. 2000, Vol. 2, No. 4
  2. Read Martin Novak’s Improving the Collection of Digital Evidence (NIJ, Dec. 16, 2021). Download available: Improving the Collection of Digital Evidence
  3. Read about storage and watch How data storage works (TechTarget, 2021)
  4. Read the United States Computer Emergency Response Team’s (CERT) overview of computer forensics
  5. Watch What is Computer Forensics and How is it Used? – also embedded below
  6. Watch Overview of Digital Forensics – also embedded below
  7. Review SEARCH’s Investigative Toolbar resource

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Contact the professor with any course-related questions. Report any broken links to Dr. Ramirez-Thompson (thompsne@cod.edu).


Activity

Students should review the course syllabus to determine the assignment of this activity.

This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.

Purpose

The purpose of the activity is to explore the functionality of ACCESSDATA’s FTK Imager, a commercial tool that enables investigators to retrieve information physically present on a device even when the user/suspect has deleted the evidence.

Overview

FTK Imager allows you to:

  • Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.
  • Preview the contents of forensic images stored on the local machine or on a network drive.
  • Create hashes of files to check the integrity of the data by using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
  • And so much more!
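To make the third bullet concrete, here is an added Python example (not part of the course materials and not FTK Imager’s own code) that hashes an image with both MD5 and SHA-1 in one streamed pass, the way an examiner re-verifies a working copy against the hash values recorded at acquisition. The image bytes and the acquisition record are constructed for the example.

```python
import hashlib
import io
from typing import BinaryIO


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Compute MD5 and SHA-1 together, reading in chunks so an image larger
    than available memory can still be verified."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(data: bytes) -> dict[str, str]:
    """Hash an in-memory image (convenience wrapper used by verify_image)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict[str, str]:
    """Hash an image file on disk, e.g. a raw .dd file written by an imaging tool."""
    with open(path, "rb") as f:
        return hash_stream(f)


def verify_image(data: bytes, acquisition_record: dict[str, str]) -> tuple[bool, dict[str, bool]]:
    """Re-hash a working copy and compare each algorithm with the value logged at
    acquisition. Every recorded algorithm must match; one mismatch means the copy
    can no longer be shown to be identical to the original."""
    current = hash_image(data)
    per_alg = {alg: current[alg] == expected.lower() for alg, expected in acquisition_record.items()}
    return all(per_alg.values()), per_alg


if __name__ == "__main__":
    # Constructed stand-in for an acquired image; not a real disk image.
    image = b"stand-in evidence image: file table, then data clusters\n" * 4096
    record = hash_image(image)               # what the imaging tool logs at acquisition
    print("untouched copy verifies:", verify_image(image, record)[0])
    tampered = bytearray(image)
    tampered[100] ^= 0x01                    # flip a single bit in the working copy
    print("tampered copy verifies:", verify_image(bytes(tampered), record))
```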

Instructions

  1. Go to ACCESSDATA’s product download page: https://accessdata.com/product-download
  2. From the list of Digital Forensics tools, download the FTK Imager tool. Note that you will have to complete a registration page by Exterro Legal GRC Software; however, you do not need to provide authenticated information.
  3. Attach a USB drive to your machine, and then watch How to Recover a Deleted File (https://youtu.be/sAF1XxNb0nw). This step will teach you how to add ‘evidence’ and review the device for deleted files.
  4. Watch the FTK Imager: A Look Inside the Product video: https://www.exterro.com/ftk-imager
  5. Make note of your observations and results before answering the assignment-related questions.

Answer the following questions:

  • Were you able to successfully use the Data FTK file and view deleted files?
  • Estimate and describe the number of deleted files that you were able to find.
  • What advantages are offered by commercial forensic packages? Explain.
  • What are possible disadvantages to using commercial forensic packages? Explain.

If you experience any technical challenges and are unable to use the FTK Imager tool, then you can answer the following questions as an alternative.

  • Were you able to successfully use the Data FTK file and view deleted files? If not, describe the technical challenge.
  • What advantages are offered by commercial forensic packages? Explain.
  • What are possible disadvantages to using commercial forensic packages? Explain.
  • Why are deleted files of particular interest to the digital forensic analyst? Explain.

Key Terms/Concepts

Volatile storage is a type of computer memory that needs power to preserve stored data. If the computer is switched off, anything held in volatile memory is lost. For example, all random access memory (RAM) other than the CMOS RAM used by the BIOS is volatile.

Nonvolatile storage (NVS) refers to computer memory that retains saved data even when there is no power and does not require periodic refreshing of its contents. Nonvolatile storage is commonly used for secondary or long-term persistent storage.

A file system or filesystem (often abbreviated fs) is the method and data structure that the operating system uses to control how data is stored and retrieved.

The file allocation table (FAT) is a file system developed for hard drives that originally used 12 or 16 bits for each cluster entry in the file allocation table. It is used by the operating system (OS) to manage files on hard drives and other computer systems, and it is also often found in flash memory, digital cameras, and portable devices. It is used to store file information and extend the life of a hard drive.

Deleting an electronic file or emptying the Recycle Bin removes the reference to the file on the hard drive. Once the file header, or reference, is removed, the computer can no longer see the file: the space the file occupied is no longer reserved for it, any new file can be stored in that location, and the file is no longer readable by the computer. However, the file’s contents remain on the hard drive until another file, or part of another file, is saved to the same location.
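The two definitions above (FAT and deleted files) describe the mechanism that lets a tool like FTK Imager show deleted files. The added Python example below (not part of the course materials or of any forensic product) builds a constructed, simplified FAT-style root directory and data area, deletes a file the way the OS does (the first byte of the directory entry becomes 0xE5, the clusters are left alone), and then recovers it by scanning for deleted entries. It assumes contiguous clusters and omits the boot sector and the FAT chain itself.

```python
import struct

CLUSTER_SIZE = 512            # bytes per cluster in this constructed image
FIRST_DATA_CLUSTER = 2        # FAT numbers data clusters starting at 2
ENTRY_FMT = "<8s3sB10sHHHI"   # 32-byte entry: name, ext, attr, reserved, time, date, start cluster, size
DELETED_MARK = 0xE5           # first name byte the OS writes when a file is deleted


def make_entry(name: str, ext: str, start_cluster: int, size: int) -> bytes:
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"\0" * 10, 0, 0, start_cluster, size)


def build_image(files: dict[str, bytes]) -> tuple[bytearray, bytearray]:
    """Constructed root directory and data area; files are laid out contiguously."""
    root, data, cluster = bytearray(), bytearray(), FIRST_DATA_CLUSTER
    for fullname, content in files.items():
        name, ext = fullname.split(".")
        root += make_entry(name, ext, cluster, len(content))
        clusters_needed = -(-len(content) // CLUSTER_SIZE)   # ceiling division
        data += content.ljust(clusters_needed * CLUSTER_SIZE, b"\0")
        cluster += clusters_needed
    return root, data


def delete_file(root: bytearray, fullname: str) -> None:
    """What the OS does on delete: overwrite the entry's first name byte with 0xE5
    (and, on a real volume, clear the FAT chain). The data clusters are left untouched."""
    name = fullname.split(".")[0].ljust(8).encode()
    for off in range(0, len(root), 32):
        if root[off:off + 8] == name:
            root[off] = DELETED_MARK
            return
    raise FileNotFoundError(fullname)


def recover_deleted(root: bytes, data: bytes) -> dict[str, bytes]:
    """Walk the directory for 0xE5 entries and read their bytes back out of the data
    area, assuming contiguous clusters. The first character of the name is lost, and
    the content is only intact if nothing has been written over those clusters since."""
    found = {}
    for off in range(0, len(root), 32):
        name, ext, *_, start, size = struct.unpack(ENTRY_FMT, root[off:off + 32])
        if name[0] != DELETED_MARK:
            continue
        base = (start - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        label = "?" + name[1:].decode().rstrip() + "." + ext.decode().rstrip()
        found[label] = bytes(data[base:base + size])
    return found
```

Writing new data into the freed cluster is what finally destroys the remnant, which is why examiners image the device before anything else is written to it.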

Refer to the course learning management system (LMS); that is Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.

Discussion Questions

  1. Explain how the principles of digital forensics ensure the verifiable integrity of digital evidence throughout the cybercrime investigation process.
  2. Discuss how the verifiable integrity of digital evidence impacts the outcome of investigations.
  3. Discuss the legal and ethical obligations that digital forensics professionals and cybercrime investigators must adhere to, focusing on how those obligations influence their approach to collecting, analyzing, and presenting digital evidence.
  4. In the context of handling digital evidence, what are considered best practices? Discuss how these practices contribute to the reliability and admissibility of evidence in legal proceedings.
  5. Describe the universal procedures for examining removable storage media within digital forensics investigations, and explain how these procedures account for the different logical structures of hard drives and related storage devices.
  6. Discuss the importance of established standards for reporting forensic results and the assessment of digital evidence. How do these standards affect the credibility of the forensic investigation in the eyes of the law?

Supplemental Resources

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.

Click HERE to report any needed updates, e.g., broken links.


License

Computers and Criminal Justice Copyright © 2021 by Eric R. Ramirez-Thompson, PhD is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.