Computer Forensics Notes

Module 1 – Introduction to Computer Forensics and Investigations
Modes of Learning (in this module)
- Textbook readings (Weekly)
- Assignments (Individual)

Introduction (message for this module)


Welcome to Computer Forensics and Investigations.

In this first unit, we will discuss a brief history of computer forensics, what the profession is like,
how to prepare for an investigation, and professional conduct.

Learning Outcomes
Upon completion of this module, you will be able to:

- Explain computer forensics as a profession
- Demonstrate professional conduct within computer forensics
- Prepare for computer investigations

Key Terms & Concepts


Some important key terms and concepts in this module:

- Affidavit
- Bit stream copy
- Bit stream image
- Chain of custody
- Data recovery
- Digital forensics
- Industrial espionage
- Professional conduct
- Repeatable findings
- Search and seizure

Introduction to Forensics
Perhaps you have seen a television show or movie in which a group of "lab geeks" bang on
computers for a couple of minutes and come up with all the evidence needed to convict the
bad guys. This course will help you learn what of that is real and what isn't.

In reality, computer forensics is a long process. It requires precision and strict compliance in
how evidence is handled. There are some interesting tools to help you along the way, and we
will be learning about those too.

You are probably aware, at some level, of law enforcement investigating crimes. Some of them
are physical crimes, but in today's society many crimes are committed on, or leave traces on,
computers. With computers used for every aspect of our lives, it makes sense that criminals
leave records of their crimes on computers, much as the rest of us leave records of our lives in
email or Facebook.

One truism about computers and networking is that software developers like to log what is
going on. A web server typically records, for every request, the client IP address, the page
requested, the time of the request and the page that referred the client to it; from those entries
an investigator can reconstruct which pages were visited, which links were clicked and roughly
how long the visitor stayed on each page.

When you delete a file from a computer, it is not necessarily gone. Most file systems merely
mark the directory entry as deleted and return the clusters it occupied to the pool of free space;
until that space is reused by another file, the content is still there. (One caveat: on an SSD the
operating system may issue a TRIM command for freed blocks, and the drive's controller can
then erase them on its own schedule, so "deleted but still present" is far less reliable on flash
storage than on a magnetic hard drive.)

Data recovery is a discipline that recovers data lost by accident, through user error (deleting
something they should not have) or a hardware failure such as a hard drive crash. With data
recovery, you generally know what you are looking for.

In contrast, digital forensics deals with recovering data that may have been deliberately deleted
or hidden. You do not necessarily know what you are looking for, or even what is on the drive or
image you are analyzing.

Search and seizure is the process by which the government applies to a judge for a warrant to
search for evidence of a particular crime. Any evidence found is seized by the government so
that it can be used in a later prosecution.

In some cases the evidence seized includes computers, hard drives and thumb drives. The
collection, analysis and processing of evidence from such devices is what constitutes digital
forensics.
A Brief History of Digital Forensics
By the 1970s, major corporations were running mainframe computers, used heavily in the
banking and insurance industries. Since much crime is about financial gain, computer crime
started to become more frequent.

At that time the crimes were perpetrated by well-trained individuals who understood the inner
workings of the computers and software they were using to commit them.

The 1980s brought the popularization of the personal computer. There were many different
kinds, from the Commodore 64 to the Apple ][ (that is how Apple wrote the 2), the TRS-80 (TRS
stands for Tandy Radio Shack) and the IBM PC, along with many others.

The IBM PC shipped with DOS (Disk Operating System). IBM sold it as PC-DOS; it was written by
Microsoft, which sold it separately as MS-DOS, and Digital Research later produced the
compatible DR-DOS, among other flavours. As an aside, DOS was not derived from Unix: it
descended from 86-DOS, which was modelled on CP/M, and it was a small single-tasking system
designed to run within the PC's 640 KB of conventional memory.

The forensic tools of the time were very limited, mostly written in assembly language or C, and
were not available to the general public. They were written by government agencies, most
notably the RCMP and the US Internal Revenue Service (IRS).

In the mid-1980s, tools to help people recover lost files became publicly available, such as
XTree and the Norton Utilities. Peter Norton ran with the idea and built a whole suite of tools
(eventually purchased by Symantec). One of the Norton Utilities was a hard disk sector editor:
you could inspect and manipulate the data stored on a drive, change pointers and recover files.
This was a first in the PC market.

By the early 1990s there were more disk and file system formats, which necessitated the creation
of specific tools for forensic analysis. Some of these are available for anyone to use, but there are
still a number of government-created and -maintained forensic tools that are not legally
available to the public.

We will be exploring some of the commercially available tools during this course.

Building your Forensic Resources

You may need to do forensic analysis on a number of different computer systems, which
requires an understanding of multiple platforms, file systems and manufacturers. A thorough
knowledge of every system and every piece of software is impossible for one individual, so
building a network of trusted individuals and organizations to draw on as resources is critical to
success as a digital forensics professional.

One reason the experienced people in the industry are (or should be) respected is that
everything available today was built on something they used in an earlier form. For example,
people who used DOS already know their way around the Windows command line: the
commands and command structure are largely the same. If you know how the command line
works you can easily pick up the GUI version of a tool, but the reverse does not hold true.

Preparing for a Digital Investigation

There are two major categories of investigation, and they differ in the way evidence is collected:
private sector investigations (a company is investigating) and public sector investigations (a
government agency or law enforcement is investigating).

Government agencies in Canada must adhere to Section 8 of the Canadian Charter of Rights and
Freedoms, which protects against unreasonable search and seizure; in the US the equivalent is
the Fourth Amendment to the Constitution. Public investigations are usually criminal
investigations: the law enforcement community collects the evidence that government lawyers
use to lay charges and prosecute.

Private sector investigations mostly concern policy violations, although industrial espionage,
the theft of a corporation's trade secrets, is not uncommon. These cases start out as civil
lawsuits, but if a criminal act can be shown they can be prosecuted as criminal cases as well.

The Legal Process

Usually an investigation starts with the discovery of some evidence, or with an individual
making an allegation to law enforcement.

Law enforcement looks at past criminal activity and allegations to help determine patterns of
activity. This is very useful when looking for digital evidence.

A digital investigator needs to explain the importance of the evidence discovered to law
enforcement officers who may have limited technical ability. Additional training in digital
forensics helps with documentation and ensures that the chain of custody meets legal
requirements. (The chain of custody is the record of who has had possession of the evidence,
when and how it changed hands, and where and how it was stored at every point. It
demonstrates that nobody had an unrecorded opportunity to alter the evidence.)

When a digital investigation is complete, the evidence is presented to law enforcement. This
includes providing an affidavit explaining what was found and how. Along with the affidavit, a
report on the specifics of what was found may be necessary should the case go to court.

Private Sector Investigations

Investigations in the private sector are more limited in scope, and the search warrant process
does not generally apply. The chain of custody should nonetheless be maintained, because a
policy case can turn into a criminal one. Private investigations usually address policy and
procedure violations, such as mishandling of health data or Social Insurance Numbers. Such
violations can carry significant fines (for example, figures as high as $1,000,000 per record have
been cited for e-health data), so it is in a company's interest to limit them.

Investigations may also involve workplace harassment, discrimination (for example on the basis
of age or sex), embezzlement, vandalism, sabotage or industrial espionage. Any of these can
involve misuse of computer assets, abuse of email or abuse of the Internet (in some cases all
three).

Companies write and enforce policies to discourage or eliminate these threats. Creating and
enforcing the policies, and educating employees about them, can take significant time and
money.

Companies also remind employees when they are entering a sensitive area. An example is the
warning banner shown when an employee logs on to a VPN. It generally states that you are
entering an area where your activities will be monitored, and that if you violate company policy
you will be liable for the damage. Some government agencies also use banners when you log
on to their sites.

When a company decides to investigate, a few people are involved. The first is the authorized
requester: the person who asks for the investigation and, ultimately, the one who receives the
documentation from it. From this point forward the investigation is conducted much like a
public sector investigation.

Abuse of company resources could include running a P2P file-sharing server on your company
computer, spending four hours a day on Facebook or sending harassing emails. It could involve
browsing inappropriate web sites, or simply the amount of time spent on personal online
activity.

Policies become cloudier once BYOD (bring your own device) is involved. Company policy may
forbid the use of Facebook during company hours, but if an employee's phone connects
automatically, is that a violation? If so, does the policy even apply, given that the company does
not own the device? When an employee leaves a company they are required to return company
information, but if the employee owns the tablet, how can the removal of company information
be controlled?

In many cases, companies state that if you connect a personal device to their network it falls
under the same policies as any company-owned device. These issues are what keep IT security
people awake at night.

Professional Conduct
The rule is that you must conduct yourself to the highest standard of professional behavior.

This includes:

- Being respectful to everyone, regardless of any personal problems you may have with them.
- Protecting the information you find. You cannot share information with anyone who is not
directly involved in the investigation.
- Maintaining objectivity. You have to go where the evidence leads you. Do not jump to
conclusions, and do not make up your mind before the evidence is in. Avoid prejudice.
- Maintaining credibility. You need to demonstrate your expertise in every case to remain
credible for all past and future cases.
- Continuing education. Keep learning from other experts. This helps maintain credibility and
increases your value to your employer, whether in government or the private sector.
- Maintaining honesty and integrity. Again this goes to credibility: you must show that you are
honest in all cases and cannot be swayed into doing anything that is not completely above
board. This needs to be something you maintain in every aspect of your life.
Data Recovery Workstation
Acquiring information from a system may require several techniques, including the use of any
of a number of operating systems, in order to get the data intact.

Windows alters hard drives when it boots with them attached, so collecting evidence from a
Windows machine without precautions is poor procedure. When Windows recognizes a new
disk it writes a disk signature and other system information to it, and mounting a volume can
update file system metadata; either may destroy evidence.

Operating systems used during a forensic investigation include:

- MS-DOS
- Windows 95 or Windows ME (based on DOS, so less intrusive)
- Windows NT 3.51 or 4.0 (predating the automatic disk discovery that changes drive
information)
- Linux (including Kali, which has many tools that lend themselves well to this)
- Mac OS X, an older version of the Apple OS

Some of the components needed to set up a forensic workstation include:

- Windows: not ideal, but with a write blocker it will work. A write blocker is a device (or
software) that stops the operating system from writing to the evidence drive.
- Drive imaging tool: a tool to acquire a forensic disk image.
- Forensic analysis tool: a tool to analyze the disk image.
- Target drive: a place to put the image(s).
- Spare ports: USB and/or SATA, PATA, FireWire, SCSI, etc. This is the interface to the device
from which the source image is generated.
- Data tools such as a disk editor are valuable to have available.

Before imaging, confirm that the evidence device really is read-only (for example by checking
the write blocker's indicator and the operating system's read-only flag for the device) and
record that check in your notes.

Gathering Data
It is not generally possible to get all of the data from a device using one methodology or a single
tool.

To start gathering evidence, the following are required:

- The original storage media
- Evidence custody form (to maintain the chain of custody)
- Evidence container
- Drive imaging tool
- A forensic workstation to analyze the image
- Secure evidence storage
Creating the Digital Image
Acquiring a digital image means making a bit-stream copy: a copy that is as exact as possible. It
differs from a traditional backup because it includes the blank and unused space on the storage
medium, not just the files the file system currently lists. The process is also called acquiring an
image of the suspect drive. The goal is to reproduce the original storage medium exactly.

For example, if you have imaged a 780GB Western Digital hard drive, you should be able to do a
bit-by-bit restore of the image file onto a brand new 780GB Western Digital hard drive and have
every part of it be identical to the first.

The proof that the copy is exact is a cryptographic hash: compute a hash (MD5 or SHA-1
historically, SHA-256 today) of the source and of the image, record both, and re-hash the image
whenever it is used so that any later change is detectable.

You can use programs such as ProDiscover to make a bit-stream image of a thumb drive;
ProDiscover can also open a drive image directly without first writing it back to another device.
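The following is an added example, not code from the notes or from ProDiscover. It shows what a bit-stream acquisition actually does that a file copy does not: it reads every sector, keeps going when a sector is unreadable (zero-filling it and logging its number, so the image keeps the source's geometry), hashes the image as it is written, and can restore the image bit for bit to a same-size target. `FakeDrive` is a constructed in-memory stand-in for a raw block device; a real acquisition would read the device (behind a write blocker) instead.

```python
"""Sector-by-sector acquisition with bad-sector handling and hash verification.

Added example; not from the original notes or from ProDiscover. FakeDrive is a
constructed in-memory stand-in for a raw block device with one unreadable
sector; a real acquisition would read /dev/sdX through a write blocker instead.
"""
import hashlib
from typing import List, Optional, Tuple

SECTOR = 512


class FakeDrive:
    """Constructed device: reading sector `bad` raises an I/O error, as a
    failing platter region would."""

    def __init__(self, data: bytes, bad: Optional[int] = None):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = bad

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n == self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(drive: FakeDrive, retries: int = 3) -> Tuple[bytes, List[int], str]:
    """Bit-stream copy: every sector, allocated or not. A sector that still
    fails after `retries` attempts is zero-filled (keeping the image the same
    size and layout as the source) and its number is logged. The hash is
    computed over the image as it is produced, since a drive with bad sectors
    cannot be hashed completely itself."""
    image = bytearray()
    unreadable: List[int] = []
    digest = hashlib.sha256()
    for n in range(drive.sectors):
        chunk: Optional[bytes] = None
        for _ in range(retries):
            try:
                chunk = drive.read_sector(n)
                break
            except OSError:
                continue
        if chunk is None:
            unreadable.append(n)
            chunk = b"\x00" * SECTOR
        image += chunk
        digest.update(chunk)
    return bytes(image), unreadable, digest.hexdigest()


def verify(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a stored image before use; any change since acquisition breaks it."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def restore(image: bytes, target_sectors: int) -> bytes:
    """Bit-for-bit restore to a target drive. A target of equal size yields an
    identical drive; a larger one leaves its extra sectors untouched (zeroed
    here); a smaller one cannot hold the image."""
    if target_sectors < len(image) // SECTOR:
        raise ValueError("target drive is smaller than the image")
    return image + b"\x00" * (target_sectors * SECTOR - len(image))


# Constructed source: a live file, a deleted file still sitting in unallocated
# space (a file-level backup would miss it), and one unreadable sector.
_live = b"Q3 budget spreadsheet contents".ljust(SECTOR, b"\x00")
_deleted = b"CONFIDENTIAL merger memo (deleted, not overwritten)".ljust(SECTOR, b"\x00")
_blank = b"\x00" * SECTOR
DRIVE = FakeDrive(_live + _blank + _deleted + _blank, bad=3)

if __name__ == "__main__":
    img, bad, sha = acquire(DRIVE)
    print(f"acquired {len(img)} bytes; unreadable sectors: {bad}; sha256: {sha}")
    print("deleted file content present in image:", b"merger memo" in img)
    print("image verifies:", verify(img, sha))
```

The list of unreadable sectors belongs in the acquisition notes next to the hash: a court will ask why the image hash cannot be compared directly against the source, and "sector 3 returned an I/O error on three attempts and was zero-filled" is the answer.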

The Office and Lab

The forensics lab is where most of the work is done. There are governing bodies and
accreditations that are required for some government work and beneficial to any digital
forensics lab.

The most widely recognized is the American Society of Crime Laboratory Directors (ASCLD),
whose Laboratory Accreditation Board (ASCLD/LAB) accredits labs; it is recognized in Canada
as well. This accreditation covers all forms of forensic science, not just digital forensics,
including (among others) toxicology and hematology.

Other Accreditations
The International Association of Computer Investigative Specialists (IACIS) offers the Certified
Forensic Computer Examiner (CFCE) certification. It requires recertification every three years.

The International Information Systems Security Certification Consortium (ISC2) has a
certification called Certified Cyber Forensics Professional (CCFP). ISC2 is well known for other
certifications such as the CISSP (Certified Information Systems Security Professional), which is
widely regarded as a must in the information security world.

The High Tech Crime Network (HTCN) has a number of certifications, at basic and advanced
levels, for investigators and for technicians.

There are a large number of other certifications for information security, ethical hacking,
network protection, and penetration and security testing.
Summary
In this module we have explored the following:

- What digital forensics is, and what it is used for
- The history of digital forensics
- What you would need for a forensic computer
- The legal procedures to follow when doing the job
- The difference between private sector and public sector investigations
- Professional conduct
- Certifications

Knowledge Check
1) The triad of computing security includes which of the following?
a. Detection, response, and monitoring
b. Vulnerability, assessment, detection, and monitoring
c. Vulnerability/threat assessment and risk management, network intrusion detection and
incident response, and digital investigation
d. Vulnerability assessment, intrusion response, and monitoring

2) Policies can address rules for which of the following?


a. When you log on to a company network from home
b. The Internet sites you can or can’t access
c. The amount of personal email you can send
d. Any of the above

3) List two items that should appear on a warning banner


That the organization reserves the right to inspect computers and network traffic at will, and
that the end user has no expectation of privacy while connected to the system.

4) For digital evidence, an evidence bag is typically made of antistatic material.


a. True
b. False
5) Why should digital evidence be write-protected?
So that the evidence cannot be changed, which could compromise the investigation.

End of Module
You have completed Module 1!
Please proceed to the next module.
Computer Forensics and Investigations: Module 2 – Corporate Investigation Procedures
Modes of Learning
- Assignments
- Textbook readings

Introduction
In this module we discuss how to approach an investigation: the practices and procedures
involved, how to prepare for an investigation, and the steps required to conduct one.

Learning Outcomes
Upon completion of this module, you will be able to:
- Describe the systematic approach to investigations
- Prepare for an investigation
- Analyze the steps required to set up data recovery and conduct an investigation

Key Terms and Concepts

Some important key terms and concepts in this module:
- Evidence
- Evidence container
- Interview
- Interrogator
- Bit stream copy and bit stream image
- Assessment

Systematic Approach to Investigations

Preparing for a case means following a systematic approach: a series of defined steps to gather
and analyze the evidence needed to complete an investigation.

An initial assessment, and a decision on how to approach the case, are needed to determine the
general steps, what evidence is already available and what still needs to be gathered. This
includes questions such as: have all the computers and other devices been seized by the
authorities? Do the devices contain evidence of more than one crime?

Creating a checklist that refines the general steps into actionable items, with the time allocated
to each, will help the investigation stay on track.

Determine the resources needed based on the target devices: which operating systems and
forensic software, and what specialized personnel, are required to complete the investigation.

Obtain the evidence device and make a working copy of it, so that the primary evidence is not
at risk of being destroyed during analysis. Identify and minimize the risks associated with the
case and decide how to resolve their impact. For example, a device could be set up to wipe its
storage after a number of failed logon attempts.

Test the plan to ensure that nothing is missed or left to chance and that a thorough
investigation is completed. Then analyze and recover the evidence with the resources defined
during planning, addressing risks or obstacles as they arise.

Next, investigate the recovered data by reviewing the devices collected, web history, email and
files on the systems. From this you can create a case report that outlines the findings and how
the investigation was completed. Finally, review the case using self and peer review to identify
what went well and how the investigation could be done better in the future. As with anything
in IT, an investigator is prepared for the unexpected and has plans in place to deal with issues
as they arise.

Private Sector Investigations

Investigators need to develop formal procedures and checklists that cover all the issues of an
investigation. Procedures for employee termination cases deal with employee abuse of company
resources that creates a hostile work environment, such as sending inappropriate emails or
viewing inappropriate material.

Internet abuse investigations need access to specific information, including:

- The logs from the firewall, servers and other devices that record Internet usage
- The suspect's IP address (and the period during which it was assigned to the suspect's
machine, since DHCP leases change)
- The suspect's computer hard drive
- Forensic tools

The process for this type of case includes:

- Using forensic tools to analyze the hard drive
- Using a combination of forensic tools and keywords to extract the URL history from the
computer
- Examining the network device logs
- Comparing the data discovered on the drive to the network device logs
- Collecting the relevant information for every match
- Creating a findings report
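The comparison step above, as an added example that is not part of the original notes or of any vendor tool: URL history extracted from the suspect's drive is matched against firewall log lines from the suspect's IP address to the same host within a tolerance window, and the leftovers on each side are reported separately because they mean different things. Both inputs are constructed, the firewall log uses a made-up `src=... dst_host=... action=...` format, and the suspect's IP is assumed to come from the IT manager's DHCP records.

```python
"""Correlate URL history recovered from a suspect's drive with firewall logs.

Added example; not from the original notes or any vendor tool. Both inputs are
constructed: the history rows stand in for what a forensic tool extracts from
a browser database on the imaged drive, and the log lines use a made-up
firewall format, '<ISO time> src=<ip> dst_host=<name> action=<allow|deny>'.
The suspect's IP address is assumed to come from the IT manager's DHCP records.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SUSPECT_IP = "10.20.30.44"
WINDOW = timedelta(seconds=120)   # clock skew tolerated between drive and firewall

# Constructed: (visit time from browser history, URL)
URL_HISTORY = [
    ("2024-03-04T13:02:11Z", "https://www.example-shop.test/cart"),
    ("2024-03-04T13:05:40Z", "https://social.example.test/feed"),
    ("2024-03-04T13:09:03Z", "https://tracker.example.test/announce?x=1"),
]

# Constructed firewall log; the 10.20.30.91 line belongs to another machine
FIREWALL_LOG = """\
2024-03-04T13:02:12Z src=10.20.30.44 dst_host=www.example-shop.test action=allow
2024-03-04T13:05:39Z src=10.20.30.44 dst_host=social.example.test action=allow
2024-03-04T13:06:02Z src=10.20.30.91 dst_host=social.example.test action=allow
this line is garbage and must not abort the run
2024-03-04T13:20:15Z src=10.20.30.44 dst_host=filehost.example.test action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_host=(?P<host>\S+) action=(?P<action>\S+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Dict]:
    """Parse what matches the format and skip the rest; a forensic run should
    never lose good lines because one line is malformed."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append({**m.groupdict(), "ts": parse_ts(m["ts"])})
    return entries


def correlate(history, log, suspect_ip: str, window: timedelta = WINDOW) -> Tuple[list, list, list]:
    """Return (matched, unmatched_history, log_only).

    matched:   history rows confirmed by a firewall line from the suspect's IP to
               the same host within `window`, as (URL, log timestamp)
    unmatched: drive artifacts with no log support; consider clock skew, a log
               gap, or the IP not being the suspect's machine at that time
    log_only:  suspect-IP log lines with no drive artifact; history may have
               been cleared, or another browser or application was used
    """
    suspect_lines = [e for e in log if e["src"] == suspect_ip]
    matched, unmatched, used = [], [], set()
    for ts, url in history:
        visited, host = parse_ts(ts), urlparse(url).hostname
        hit = next((i for i, e in enumerate(suspect_lines)
                    if i not in used and e["host"] == host
                    and abs(e["ts"] - visited) <= window), None)
        if hit is None:
            unmatched.append(url)
        else:
            used.add(hit)
            matched.append((url, suspect_lines[hit]["ts"].isoformat()))
    log_only = [e["host"] for i, e in enumerate(suspect_lines) if i not in used]
    return matched, unmatched, log_only


if __name__ == "__main__":
    m, u, lo = correlate(URL_HISTORY, parse_log(FIREWALL_LOG), SUSPECT_IP)
    print("confirmed by firewall:", m)
    print("on drive only:", u)
    print("in firewall only:", lo)
```

Each "log only" line is worth following up on its own: the drive shows no visit to that host, which is exactly what cleared history, private browsing or a non-browser client looks like from the disk side.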

Email abuse investigations usually involve spam, inappropriate or offensive messages,
harassment or threats. This type of investigation requires the following:

- An electronic copy of the offending message with the headers intact
- Email server logs
- Access to the email server, if possible
- Access to the computer and its email files, such as .pst or .ost files
- Digital forensics tools

The email procedure includes:

- For local email, use forensic software to analyze the storage media and the .pst or .ost files.
- For server-based email, obtain a copy of the suspect's and the victim's email folders and data
from the server administrator.
- For web-based email, use tools to keyword-search and extract the related email.
- Examine the header data for all the messages associated with the investigation.
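Examining header data, as an added example (not from the notes): the `Received:` lines are read from the bottom up, because each mail server prepends its own line, so the lowest one names the first hop and the originating address; the `From:` display address is then compared with the envelope sender in `Return-Path:`. The message is constructed (reserved `.test` names and RFC 5737 documentation addresses) and is shaped like the raw source a recipient forwards as an attachment or that is exported from a .pst file.

```python
"""Read the Received: chain of an offending message to locate its origin.

Added example; not from the original notes. The message is constructed (it
uses reserved .test names and RFC 5737 documentation addresses) and is shaped
like the raw source you get when the recipient forwards the message as an
attachment or you export it from a .pst. Header semantics are standard: each
mail server prepends its own Received: line, so the bottom one is the first hop.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

RAW_MESSAGE = """\
Return-Path: <throwaway@webmail.example.test>
Received: from mx2.corp.example.test (mx2.corp.example.test [192.0.2.10])
\tby mail.corp.example.test with ESMTP; Mon, 4 Mar 2024 13:31:07 +0000
Received: from webmail.example.test (webmail.example.test [198.51.100.25])
\tby mx2.corp.example.test with ESMTPS; Mon, 4 Mar 2024 13:31:05 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby webmail.example.test with HTTP; Mon, 4 Mar 2024 13:31:01 +0000
Message-ID: <20240304133101.0a1b@webmail.example.test>
From: "HR Department" <hr@corp.example.test>
To: victim@corp.example.test
Subject: Final warning
Date: Mon, 4 Mar 2024 13:31:01 +0000

You know what you did.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hops(msg) -> List[Dict]:
    """Received: headers in transit order (earliest hop first)."""
    result = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(header)
        if not m:
            continue          # non-standard line: keep going, review it by hand
        ip = IPV4_RE.search(m.group("paren") or "") or IPV4_RE.search(m.group("from"))
        result.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                       "by": m.group("by")})
    return result


def analyze(raw: str) -> Dict:
    msg = message_from_string(raw)
    chain = hops(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "message_id": msg.get("Message-ID"),
        "hop_count": len(chain),
        "origin_ip": chain[0]["ip"] if chain else None,
        "first_relay": chain[0]["by"] if chain else None,
        "from": from_addr,
        "return_path": return_path,
        # A From: claiming the corporate domain while the envelope sender is
        # elsewhere is the classic sign of a spoofed display address.
        "from_mismatch": from_addr.rsplit("@", 1)[-1] != return_path.rsplit("@", 1)[-1],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key:13} {value}")
```

Only the `Received:` lines added by servers you control (here the corporate relays) are trustworthy; anything below them could have been forged by the sender, which is why the origin IP is a lead to take to the webmail provider's logs rather than a conclusion.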

Industrial espionage cases are time consuming, and the scope can creep or lose focus as the
investigation discovers additional information. These cases may involve international
agreements and need careful consideration before proceeding. A team of investigators is
usually required (an investigative team, not a red or purple team in the penetration-testing
sense) and may include:

- One team member responsible for disk forensics
- A data specialist
- A network specialist
- A threat assessment or legal specialist familiar with this type of investigation and with how
it may be affected by international law

Some guidelines to consider for these investigations include:

- Determine whether the investigation involves industrial espionage and whether it falls under
international law.
- Consult the appropriate legal and management teams so that the investigation is conducted
discreetly.
- Determine what information needs to be gathered.
- Generate a list of keywords for storage forensics and network monitoring.
- Document and collect the resources needed for the investigation.
- Outline the goal and scope of the investigation.
- Initiate the investigation only after receiving proper approval.

Some of the planning considerations for industrial espionage investigations include:

- Examine the email of suspected employees.
- Search for the suspect's blog and social media postings.
- Determine whether physical surveillance is required.
- Examine physical access logs to sensitive areas.
- Study the suspect's work habits.
- Collect related phone logs.

The basic steps to use when conducting an industrial espionage investigation are:
1. Review the investigation with the assigned personnel
2. Gather the resources needed
3. Initiate the investigation by implementing surveillance systems such as cameras, if necessary
4. Discreetly gather the evidence
5. Collect and review log data
6. Report on the investigation's progress to management
7. Review the investigation scope and results with management

Interviews and Interrogations

Interviews are usually conducted to collect information from a witness related to an
investigation. An interrogation is the process of trying to get a suspect to confess to a specific
incident or crime.

Building the skills to become an effective interviewer or interrogator takes significant time and
effort. With that experience, the interviewer or interrogator can readily judge the credibility of
the information provided by the suspect. As a digital investigator, part of your role is to tell the
interviewer what questions to ask and which answers would be consistent, or inconsistent, with
the digital evidence.

To prepare for an interview, the interviewer should be able to answer these questions:
- What questions do I need to ask the suspect that directly or indirectly affect the
investigation?
- Do I have the knowledge or background for this interview, or is additional research
required?

Ultimately the interviewer needs to be prepared, and patient, when conducting interviews or
interrogations.

Gathering Data
Once the preparation is complete, the next step is to gather the evidence. The investigator
gathers and secures the data following these basic steps:
- Meet the IT manager, conduct an interview and collect the appropriate storage media.
- Complete the appropriate evidence forms and get sign-off from both the IT manager and the
investigator.
- Secure the storage media in an evidence bag and move it to the forensic lab.
- At the forensic lab, secure the evidence bag in the evidence container.
- Complete the evidence custody form and store it in the same location as the evidence bag.
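The evidence custody form that these steps (and the chain of custody described in Module 1) revolve around, as an added example that is not a form from the notes: each transfer is an entry recording who released and who received the item, when, where it went and why; the entry carries the hash of the evidence and the hash of the previous entry, so an entry that is later edited or removed, or evidence that no longer matches, shows up on verification. The case number, names, times and evidence bytes are constructed.

```python
"""Evidence custody record with a tamper-evident chain of transfers.

Added example; this is not a form from the original notes. Each entry records
who released and who received the item, when, where it went and why, and is
bound to the evidence hash and to the previous entry's hash, so an edited or
removed entry is detectable later. Names, times, the case number and the
evidence bytes are all constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import List

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class CustodyEntry:
    when: str            # ISO-8601 timestamp, assumed UTC
    released_by: str
    received_by: str
    location: str
    purpose: str
    evidence_sha256: str
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


@dataclass
class CustodyRecord:
    case_id: str
    item_id: str
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def add(self, when, released_by, received_by, location, purpose, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(when, released_by, received_by, location, purpose,
                             hashlib.sha256(evidence).hexdigest(), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> List[str]:
        """Return the problems found; an empty list means the chain is intact
        and the evidence on hand matches what every entry vouched for."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: contents altered after signing")
            if e.evidence_sha256 != self.entries[0].evidence_sha256:
                problems.append(f"entry {i}: evidence hash differs from first entry")
            prev = e.entry_hash
        if self.entries and hashlib.sha256(current_evidence).hexdigest() != self.entries[-1].evidence_sha256:
            problems.append("evidence on hand does not match the last custody entry")
        return problems


# Constructed evidence and custody history
EVIDENCE = b"<raw image bytes of item 001, constructed>"


def build_sample_record() -> CustodyRecord:
    rec = CustodyRecord("2024-0007", "001", "2.5in SATA drive from workstation (constructed)")
    rec.add("2024-03-04T09:15:00Z", "J. Lee (IT manager)", "A. Singh (investigator)",
            "Office 3B", "seizure after interview", EVIDENCE)
    rec.add("2024-03-04T11:40:00Z", "A. Singh (investigator)", "Evidence locker 7",
            "Forensic lab", "secure storage", EVIDENCE)
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print("problems:", rec.verify(EVIDENCE) or "none")
    rec.entries[0].location = "Parking lot"          # someone edits the form later
    print("after edit:", rec.verify(EVIDENCE))
```

The hash chain does not replace signatures on the paper form; it gives the lab a quick way to prove, from the record alone, that the sequence of transfers presented in court is the sequence that was written down at the time.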
Conducting an Investigation
With the investigation plan defined and the workstation set up, it is time to examine the
evidence. No single method will retrieve and analyze all the data required for a complete
investigation.

The following items are needed:

- Original storage media
- Evidence custody form
- Evidence container for the storage media
- Bit-stream imaging tool
- Forensic workstation to copy and examine the evidence
- Secure evidence locker

A bit-stream copy is a bit-by-bit copy of the original device. It creates an exact duplicate, which
gives the investigator a better chance of discovering something. This differs from a standard
backup, which copies only the files the file system lists and does not capture deleted files or
free space. On some occasions the track and sector maps of the original and the target do not
match, for example because of different drive models or sizes. Certain tools can perform a
sector-by-sector copy to an equal or larger disk without affecting the target drive. While this is
not a perfect solution, it preserves the original evidence because only the copy is analyzed.

Analyzing the Evidence

When analyzing digital evidence, one of the investigator's main jobs is to recover data that
users have deleted or overwritten. Once a file is deleted, the space it occupied becomes free
space. The deleted file's content stays on the storage device until a new file is written to the
same physical space, overwriting it; until that happens, the file is still retrievable.

Analyzing the discovered data can be time consuming. Locating evidentiary artifacts means
searching the image for known values. Those values can be unique words or non-printable byte
sequences expressed as hexadecimal, such as a file format's header signature.
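An added example that covers both points above, deleted-file recovery and searching for known values (it also illustrates the "deleted is not gone" point from Module 1); it is not code from the notes or from any forensic product. The on-disk layout is a constructed FAT-like toy: sector 0 holds fixed-size directory entries, a deleted file is marked with flag 0xE5 (the marker FAT uses) while its data sectors are simply returned to the free pool, and a later file may reuse those sectors. Recovery checks whether any of a deleted file's sectors now belong to a live file, and the search tags every hit as allocated or unallocated so that hits in free space are not overlooked.

```python
"""Recover 'deleted' files and search unallocated space in a disk image.

Added example; not from the original notes or from any forensic product. The
on-disk layout is a constructed FAT-like toy: sector 0 is a directory of
fixed-size entries and a deleted file is marked by flag 0xE5 (as FAT does)
while its data sectors are returned to the free pool untouched. Real file
systems differ in detail, but the recovery logic is the same.
"""
import struct
from typing import NamedTuple

SECTOR = 512
ENTRY = struct.Struct("<16sBHI")   # name, flag, start sector, byte length
DELETED = 0xE5


class Entry(NamedTuple):
    name: str
    deleted: bool
    start: int
    length: int

    @property
    def sectors(self) -> range:
        return range(self.start, self.start + -(-self.length // SECTOR))


def build_image(files) -> bytes:
    """files: (name, data, deleted, start_sector). Later entries overwrite earlier
    ones at the same sectors, the way a new file reuses freed space."""
    image = bytearray(SECTOR)
    for i, (name, data, deleted, start) in enumerate(files):
        n = -(-len(data) // SECTOR)
        end = (start + n) * SECTOR
        if len(image) < end:
            image.extend(bytes(end - len(image)))
        image[start * SECTOR:end] = data.ljust(n * SECTOR, b"\x00")
        image[i * ENTRY.size:(i + 1) * ENTRY.size] = ENTRY.pack(
            name.encode().ljust(16, b"\x00"), DELETED if deleted else 0, start, len(data))
    return bytes(image)


def parse_directory(image: bytes) -> list:
    """Read directory entries (deleted ones included) until the first empty slot."""
    entries = []
    for off in range(0, SECTOR - ENTRY.size + 1, ENTRY.size):
        name, flag, start, length = ENTRY.unpack_from(image, off)
        if not name.rstrip(b"\x00"):
            break
        entries.append(Entry(name.rstrip(b"\x00").decode(), flag == DELETED, start, length))
    return entries


def allocated_sectors(entries) -> set:
    return {s for e in entries if not e.deleted for s in e.sectors}


def recover(image: bytes, entry: Entry, entries) -> tuple:
    """Return (bytes currently in the entry's sectors, sectors since reused by a
    live file). An empty reuse list means the deleted file is intact."""
    live = allocated_sectors(entries)
    data = image[entry.start * SECTOR:entry.start * SECTOR + entry.length]
    return data, sorted(set(entry.sectors) & live)


def search(image: bytes, needles, entries) -> list:
    """Keyword / hex-signature search over the whole image, tagging each hit as
    allocated or unallocated so hits in free space are not overlooked."""
    live = allocated_sectors(entries)
    hits = []
    for needle in needles:
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, needle, pos // SECTOR in live))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


# Constructed image: two live files, one intact deleted file, and one deleted
# file whose sector was reused by a later live file (a JPEG, by its signature).
IMAGE = build_image([
    ("report.docx", b"PK\x03\x04 quarterly report body", False, 1),
    ("memo_old.txt", b"Project BLUEFIN pricing: 4.2M. Delete after reading.", True, 2),
    ("notes.txt", b"harmless meeting notes", False, 3),
    ("secret2.txt", b"second note on the BLUEFIN bid", True, 4),
    ("cover.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", False, 4),
])

if __name__ == "__main__":
    entries = parse_directory(IMAGE)
    for e in entries:
        if e.deleted:
            data, reused = recover(IMAGE, e, entries)
            print(e.name, "sectors reused:", reused, "->", data[:24])
    for off, needle, alloc in search(IMAGE, [b"BLUEFIN", b"\xff\xd8\xff"], entries):
        print(f"{needle!r} at offset {off} ({'allocated' if alloc else 'unallocated'})")
```

The second deleted file shows the failure mode: its directory entry still names it, but the bytes at its sectors are now a JPEG header, so only the name and original length survive, which is worth reporting in its own right.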

Completing a Case

While working on a case, questions will arise, and how they are answered can be the difference
between success and failure. As an investigator, or as any IT professional, one habit that is a
must is to document everything. The phrase to remember is DOCUMENT, DOCUMENT, and
DOCUMENT.

The final report needs to be written for its audience, such as a lawyer or management, and it
answers the classic six questions: who, what, when, where, why, and how. Along with those, the
following questions need to be answered, and if they are not answered correctly they may affect
the outcome of the case.

- Was the suspect using company property to perpetrate the infraction?
- What corporate policy applies to this issue?
- What time of day did the infraction occur? During or after business hours?
- Who reported the issue?
- How was the evidence obtained?

The final report should also describe the computer and network processes that were involved.

Summary
In this module we have:
- Discussed the approaches for investigations, including email and industrial espionage
- Discussed the roles of investigators, interviewers, and interrogators
- Discussed the steps of an investigation
- Discussed the resources required for an investigation

Knowledge Check
1. What is a bit copy?
2. What email files are used to gather evidence?
3. What is one item to create when assessing an investigation?
4. What does an interrogator do?
5. Where are logs gathered from for an investigation?

Answer Key
1. Bit copy makes an exact duplicate of the source media even hidden files and blank sectors.
2. .pst and .ost
3. Checklist
4. Tries to get the suspect to confess.
5. Firewalls, servers, and network devices.

End of Module
You have completed Module 2 – Corporate Investigation Procedures. Remember to check the
timeline before you proceed to the next module to ensure you have completed any
assignments as required. Check with your instructor if you have any questions.
ISN1803 Computer Forensics: Module 3 – Data Acquisition and Computer Forensics
Modes of Learning
- Assignments
- Readings

Introduction
In this module, we will discuss computer forensics labs and workstation setup. We will also
discuss how to develop a business case for a forensics lab.

Learning Outcomes
Upon completion of this module, you will be able to:
 Examine requirements for certification of a forensic lab
 Outline physical requirements for a forensic lab
 Examine requirements of a basic forensic workstation
 Develop a business case for developing a forensics lab

Key Terms and Concepts
List some important key terms and concepts within this module.
 Business case
 Certifications
 Risk management
 Change management
 High Tech Crime Network (HTCN)

Forensic Lab Accreditation
A forensic lab is where digital investigations are conducted and evidence is stored.
Forensics labs use a variety of hardware and software. A lab also requires a defined set of
policies, processes, procedures, and checklists.

Accreditation bodies provide guidelines for members for managing a forensics lab. One such
accreditation body is the American Society of Crime Laboratory Directors (ASCLD), which has
accredited forensic labs in the United States, Australia, Canada, Hong Kong, New Zealand and
Singapore and conforms to ISO/IEC 17025:2005.

The critical steps for forensics lab certification include:

1. Written procedures for evidence and reporting
 Procedures defining how evidence is identified, collected, preserved, stored,
sealed, secured, labeled, maintained, and transferred between people and
facilities.
 Procedures defining how reports are written to provide the results of an
investigation.

2. Testimony monitoring
 Procedures defining how testimony given in support of investigations is assessed.

3. Note taking
 Procedures to document everything associated with an investigation, including
who did what and when, testing results, and conclusions.

4. Technical procedures
 Procedures that cover how the investigation is conducted, including the case
approach, methodology, quality control, and instrument and equipment
maintenance.

5. Training program
 A written training manual that covers all aspects of an investigation.

6. Proficiency testing
 Defines the ongoing testing of practitioners.

7. Corrective and preventative action processes
 Procedures to find the root cause of non-conforming work and how this is
corrected.

These policies and procedures are typically created and maintained by the lab manager. Along
with the policies and procedures, budgeting for the lab is a critical skill to ensure that the lab is
profitable.

A link to the procedures can be found here.

Certification and Training
Computer or digital forensics is a specialty within the IT and law enforcement fields that
requires specific certification and ongoing training. There are several specialized training
programs available. These programs require a significant time and cost commitment to become
proficient within this area of expertise.

The International Association of Computer Investigative Specialists (IACIS) was created by police
officers and its program is limited to sworn law enforcement officers. Once completed, the successful
candidate will receive the Certified Forensic Computer Examiner (CFCE) certification.

The ISC2 Certified Cyber Forensics Professional (CCFP) is a challenging certification and requires
knowledge in multiple areas including malware analysis and incident response.

The High Tech Crime Network (HTCN) offers several levels of certification that include examination
of a candidate's work history before becoming certified. They offer Certified Computer Crime
Investigator, Basic and Advanced levels, and Certified Computer Forensic Technician, Basic and
Advanced.

The makers of EnCase developed the EnCase software application used in forensic analysis. They
have also developed the EnCase Certified Examiner (EnCE) certification.

There are numerous other forensic certifications available.

Physical Requirements of a Digital Lab
Most digital investigations are conducted in a lab. A digital lab has specific physical
requirements that make the lab safe, secure, and productive. Physical requirements protect
evidence from being lost, corrupted, or destroyed.

A forensics lab needs a secure facility, which usually consists of an enclosed space and forensic
workstations. The lab should consist of an enclosed room with secure access to the room such as
badge or biometric access. It will require secure containers and a visitor log. Evidence
containers or evidence lockers are secured against unauthorized access.

Secure containers best practice recommendations include:
 The evidence container is located in a restricted area and made of steel
 Limit the number of people that have access to the container
 Evidence containers remain locked
 Lock combinations are changed every six months, and only by authorized personnel

Digital Lab Layout
A digital lab layout will depend on workload and the amount of space available. The smallest is
around 150 sq. ft., which will allow for a couple of workstations, an evidence container, and a
workbench. As the lab grows this often means moving the evidence containers to a separate
secure room. Bigger labs also need more forensic workstations, which are connected to an
isolated LAN.

Small Lab Layout

Medium Lab Layout

Large Lab Layout

Forensic Workstation
When defining the technology requirements for a forensics lab, multiple scenarios need
consideration. This includes working with both new and legacy systems running multiple
operating systems, from Linux to Windows and others. These multiple scenarios may require
multiple forensic workstation configurations. The workstations will need to be the best
equipment the available budget allows. This includes faster processors, more memory, and more
storage.

Forensic investigations in the private or corporate sector can be specialized to a specific
industry or corporate requirement. Even if the lab is specialized it will still need a variety of
peripherals and cables such as USB, SATA, IDE, and SCSI. An inventory of operating systems is
also necessary, including Microsoft operating systems (DOS to Server), Linux, Microsoft Office
(new and old versions), LibreOffice, OpenOffice, and accounting software.

Equipment upgrades need planning to determine the risk of replacing the equipment.
Depending on how the system is used this could only need RAM and storage upgrades but
should be planned on a 12 to 18 month cycle.

The Digital Lab Audit
Audit the forensic lab regularly to ensure compliance with policies and procedures. An audit should
include the following items:
 Inspect the ceiling, floor, roof, and exterior walls looking for anything unusual
 Inspect access doors and check locks
 Review the visitor logs
 Secure all evidence when not in use

Disaster Recovery Plan
A disaster is considered any event that has the potential to interrupt day-to-day activities. This
can include a hard drive crash, lightning strike, power outage, flood, break-in, theft, cyber hack,
or malware infection. Disaster recovery planning defines the responses to recover from a
disaster. One of the main recovery techniques is backing up and imaging the forensic
workstations. Backups are written to either an external hard drive or USB drive and stored in a
protected area. Secure offsite backups may also be considered but need thorough research to
ensure the integrity of the remote service.

All changes and updates to the forensic workstations need to be documented using a process
called configuration management. These records are maintained to ensure compliance with lab
policy. The disaster recovery policy will cover how the workstations are restored and
reconfigured to return the system to service.

Building a Forensic Lab Business Case
Setting up a forensic lab can be a costly endeavor: purchasing the software and hardware, building
the policies and procedures, and hiring personnel. To appropriately fund a forensics lab, a business
case should be built that covers all aspects of the lab. A business case defines the planning and
ongoing maintenance of the forensics lab and should be updated on at least an annual basis.

Creating a business case starts with the justification or reason for the forensics lab.

Justifying a lab should answer the following sample questions:

1. What type of computing investigation is needed for the organization?
2. Who are the potential customers and how is it budgeted, as an internal or external service
(cost center or profit center)?
3. How is the service advertised?
4. What is the time-management process for the service?
5. Where does the initial budget come from to set up the forensics lab?

Creating the budget for a forensics lab must be exact in determining the true costs, which
include:
Facility costs: how much floor space is needed, power consumed, and security costs;
these can be determined by querying the facilities department.
To calculate a budget, here are some of the questions to consider:

1. How many digital examiners are needed?
2. How much training is needed annually?
3. What are the costs to build the lab, or can an existing space be converted? This includes
furniture, power, networking, heating and cooling.
4. What are the IT support costs?

Hardware and software requirements are determined by the type of investigations that are the
primary focus of the forensics lab. An analysis of the organizational environment is a starting
point to determine the appropriate hardware and software suite.

Questions to consider include:
 What type of investigations and data recovery is performed?
 How many investigations are expected per month?
 Are the investigations time sensitive?
 What is the size and number of storage devices required to support the investigations?
 What type of backup will the lab use?
 How is the digital evidence stored, on what media, and for how long?
 What types of operating systems will be examined and which ones are needed for an
examination?
 What is the minimum requirement for forensic software?
 Is specialized hardware or software required?

A risk analysis should also be included as part of the business case. The risk analysis will cover
how the legal issues are handled and kept to a minimum. Also included in the business case is
the product and competitive research to support the creation of a forensics lab and the benefit
to the organization.

Once the business case is approved, an implementation plan is required that outlines how and
when the funding is spent and the timelines to complete the build, along with hiring and training
personnel to get the lab fully functional.

Acceptance testing also needs planning to ensure successful project implementation. This
includes policy and procedure verification, facilities inspection and sign off, communications
testing, hardware and software testing, and mock scenario testing.

Following the acceptance testing, corrective action is required to fix any issues that arose during
the testing phase. This may include modifying policies and procedures, or changing equipment
and facilities to meet requirements.
Summary
In this module we have explored:
 What is a Digital Forensics lab
 Certifications required for a forensics lab and personnel
 The physical requirements for a forensics lab
 Building a business case for a forensics lab

Knowledge Check
1. What does ASCLD acronym stand for?
2. Which item is included in a forensic lab business case?
a) Competitive analysis
b) Testing software
c) Budget
d) All of the above
3. What is one type of physical security for a forensics lab?
4. A forensics lab should have windows?
a) True
b) False
5. Forensics workstations should have an internet connection?
a) True
b) False

Answer Key
1. American Society of Crime Laboratory Directors (ASCLD)
2. d. All of the above
3. Evidence container, or door locks
4. b) False
5. b) False

End of Module
You have completed Module 3 – Data Acquisition and Computer Forensics. Remember to check
the timeline before you proceed to the next module to ensure you have completed any
assignments as required. Check with your instructor if you have any questions.
ISN1803 Computer Forensics: Module 4 –
Processing Crime and Incident Scenes
Modes of Learning
 Assignments
 Readings

Introduction
In this module, we will discuss the practices and procedures to process digital evidence. This
will include how to prepare for a search and the seizing and storing of digital evidence.

Learning Outcomes
Upon completion of this module, you will be able to:
 Identify evidence for both the public and private sectors
 Explain storage formats for digital evidence
 Demonstrate best practices and methodologies for image acquisitions
 Use acquisition tools to process a crime and incident scene
 Analyze methods to validate acquisition
 Analyze methodologies in preparing for a search
 Outline methods for seizing and storing digital evidence
 Evaluate methods of reviewing a case

Key Terms and Concepts
List some important key terms and concepts within this module:
 Advanced Forensic Format (AFF)
 Live acquisition
 Static acquisition
 Raw format
 Cyclic Redundancy Check (CRC)
 Digital evidence
 Hash
 Keyed hash
 Secure Hash Algorithm version 1 (SHA-1)

Digital Evidence Storage Formats
Forensic tools store collected data in image files, usually in either open source or proprietary
formats. There are several formats available, including raw or disk-to-image, Advanced Forensic
Format (AFF), and others. Each format has a unique set of features, advantages, and
disadvantages.

The raw or disk-to-image format is a bit-for-bit copy of one disk to another, used to preserve
digital evidence. A variation on this is writing the bit stream data to a file. This creates a
sequential flat file of the source drive; the resulting file is known as raw format.

Advantages of this format are:
 Fast data transfers
 Ability to ignore minor data errors on the source drive
 Universally readable by multiple forensic tools

Disadvantages include:
 The target drive needs to be the same size or larger than the source drive
 Some tools may not collect data written to bad sectors
 Read retries are lower than some commercial software
 Limited validation checks of data being written to target drive

Proprietary or commercial tools usually have their own formats that offer a specific feature set
defined by the software vendor. These features may include data compression when writing to
the target drive, the ability to split the image into smaller segments or across multiple drives, and
the ability to add metadata to the target image file.

One disadvantage of using proprietary software is not being able to share the image
between other tools.

The Advanced Forensic Format was developed by Dr. Simson L. Garfinkel as an open source
format with no implementation restrictions.

Determining the Best Acquisition Method
There are two types of data acquisition methods: static and live acquisition.
 Static acquisition is the preferred method to collect digital evidence and is usually done
on a system seized during a police raid.
 A live acquisition is done if the password or passphrase is available. Here the system has
been powered up and logged on by the suspect.

Both types of acquisition can be collected with four methods:
 Creating a disk-to-image file, a common bit-for-bit replication method of making a copy
of the source drive.
 Creating a disk-to-disk copy, used when there are hardware or software errors and with
old drives.
 Creating a logical disk-to-disk or disk-to-data file.
 Creating a sparse copy of a folder or file.

The method used depends on the circumstances of the investigation.

Collecting evidence from larger drives can take several hours. If time is limited then using a
logical or sparse acquisition data copy method is an option.

A logical acquisition captures only specific files or types of files related to the investigation. A
sparse acquisition is similar to a logical acquisition but also collects fragments of unallocated
(deleted) data. Both are used when analysis of the entire drive is not required or when
gathering data from a RAID or SAN.

When making a copy, consider:
 Size of the source disk
o Lossless compression might be useful
o Use digital signatures for verification
 An alternative, such as using tape backup systems, when working with large drives
 Whether you can retain the disk

Best practices for acquisition include:
 Create a duplicate copy of your evidence image file
 Make at least two images of digital evidence
 Use different tools or techniques
 Copy the host protected area of a disk drive as well
 Consider using a hardware acquisition tool that can access the drive at the BIOS level
 Be prepared to deal with encrypted drives
 Remember that the whole disk encryption feature in Windows, called BitLocker, makes
static acquisitions more difficult
 Know that you may require the user to provide the decryption key

Using Acquisition Tools
Many vendors develop tools that run in Windows and make gathering evidence more
convenient.

There are several advantages and disadvantages to these tools:

• Advantages
• Make acquiring evidence from a suspect drive more convenient
• Especially when used with hot-swappable devices
• Disadvantages
• Must protect acquired data with a well-tested write-blocking hardware device
• Tools can’t acquire data from a disk’s host protected area
• Some countries haven’t accepted the use of write-blocking devices for data
acquisitions

Accessing a system's disk drive may not be practical, and other methods to access the data
include Mini-WinFE boot CDs and USB drives, which enable the investigator to build a
Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-
only.

Linux has many digital forensic features for data acquisition. This includes the ability for Linux to
access a drive that isn’t mounted. Windows OSs and newer Linux automatically mount and
access a drive. A forensic Linux Live CD does not access media automatically and removes the
need for a write-blocker.

A Linux Live CD distribution is an ISO image of the OS burned to a DVD or USB boot
device. There are several Linux Live CDs built specifically for forensics. These are configured not
to mount, or to mount as read-only, any connected storage media, and include:
 Penguin Sleuth
 F.I.R.E
 CAINE
 Deft
 Kali Linux
 Knoppix
 SANS Investigative Toolkit

Current Linux distributions can create partitions for other operating systems such as Microsoft
FAT and NTFS partition tables. This is done with the fdisk command that lists, creates, deletes,
and verifies partitions in Linux. The mkfs.msdos command formats a FAT file system from Linux.

Linux has several forensic related commands, including the dd (“data dump”) command.
Using dd permits read and write functions from a media device to a data file in a raw format that
most computer forensics analysis tools can read. dd is an advanced command that requires some
skill to use properly and does not compress data.

The dd command is intended as a data management tool, not for forensic acquisitions. There
is however the dcfldd command, which works similarly to the dd command with some additional
functions such as:
 Specify hex patterns or text for clearing disk space
 Log errors to an output file for analysis and review
 Use several hashing options
 Refer to a status display indicating the progress of the acquisition in bytes
 Split data acquisitions into segmented volumes with numeric extensions
 Verify acquired data with original disk or media data

Validating Data Acquisition
One of the most critical steps in a forensic investigation is validating the evidence. This is done
with a hashing algorithm utility designed to create a binary or hexadecimal number
representing the uniqueness of the dataset. This unique number is known as a digital
fingerprint. Validation of the datasets is done with the CRC-32, MD5, and SHA-1 to SHA-512 hash
algorithms.

Validating data acquired with the dd command uses either the md5sum or sha1sum utility.
These utilities are run on all investigation related disks and volumes or segmented volumes.
Data acquired with the dcfldd command is validated using the hash option to designate a hashing
algorithm of MD5, SHA1, SHA256, SHA384, or SHA512. The hashlog option outputs results to a
text file that can be stored with the image files. The vf (verify file) option compares the image
file to the source.

Windows does not include any built-in hashing algorithm tools for computer forensics and
relies on third-party utilities. Each commercial forensics vendor has its own validation
technique.

Raw format image files don’t contain metadata and need manual validation.
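As an added example, not taken from the course notes or from the dd and dcfldd projects, the following POSIX shell script performs a dd-style disk-to-image acquisition of a constructed sample file standing in for a suspect drive and then carries out the validation steps described above: it records MD5 and SHA-1 digests in a hash log (the job of dcfldd's hashlog option), verifies the image against the source (the job of the vf option), and splits the image into numbered segments (the job of the split option) before checking that the reassembled segments still hash to the same values. It assumes GNU coreutils (dd, md5sum, sha1sum, split, mktemp) and works only inside a temporary directory; the file names, sizes, and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not from the course notes: dd-style acquisition with hash
# validation and segmenting. Assumes GNU coreutils (dd, md5sum, sha1sum, split).
set -eu

# Constructed sample "drive": 128 lines of 36 bytes = 4608 bytes = 9 sectors of
# 512 bytes, sector-aligned so the image digest can equal the source digest.
make_source_drive() {
    i=0
    while [ "$i" -lt 128 ]; do
        printf 'sector %03d: constructed sample data\n' "$i"
        i=$((i + 1))
    done > "$1"
}

# Disk-to-image acquisition: sector-sized reads; conv=noerror,sync keeps going
# past an unreadable block and pads it with zeros so offsets stay aligned.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash log kept beside the image file, as dcfldd's hashlog= option does.
write_hash_log() {
    { md5sum "$1"; sha1sum "$1"; } > "$2"
}

# Verify an image against its source (the role of dcfldd's vf= option):
# prints MATCH only when both MD5 and SHA-1 agree.
verify_image() {
    src_md5=$(md5sum "$1" | cut -d' ' -f1)
    img_md5=$(md5sum "$2" | cut -d' ' -f1)
    src_sha=$(sha1sum "$1" | cut -d' ' -f1)
    img_sha=$(sha1sum "$2" | cut -d' ' -f1)
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Segment the image into 2 KiB pieces with numeric extensions (.000, .001, ...),
# as dcfldd's split= option does; cat of the pieces must reproduce the image.
split_image() {
    split -b 2048 -d -a 3 "$1" "$2."
}

# End-to-end run in a scratch directory; prints "<verify> <reassembly> <segments>".
run_acquisition_demo() {
    work=$(mktemp -d)
    src="$work/suspect_drive.bin"
    img="$work/suspect_drive.dd"
    make_source_drive "$src"
    acquire_image "$src" "$img"
    write_hash_log "$img" "$img.hashlog"
    result=$(verify_image "$src" "$img")
    split_image "$img" "$work/suspect_drive.seg"
    cat "$work"/suspect_drive.seg.* > "$work/reassembled.dd"
    seg_result=$(verify_image "$img" "$work/reassembled.dd")
    nseg=$(ls "$work"/suspect_drive.seg.* | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$result $seg_result $nseg"
}

run_acquisition_demo
```

The padding behaviour is the caveat to keep in mind: conv=sync fills a short or unreadable block with zeros, so an image taken from a drive with bad sectors, or from a source whose size is not a multiple of the block size, will not hash to the same value as the source. The sample here is sector-aligned, so the digests match; on a real drive with read errors the hash log of the image itself becomes the reference for every later verification.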

Imaging a RAID system is not easy and you must address the following:
• How much storage is needed for the forensic image?
• What type of RAID is used?
• Are the tools available?
• Can the forensic tools read a RAID image?
• Can the forensic tool read split data?

Sometimes a RAID system is too large for a static acquisition. Then only the sparse or logical
acquisition methods are used for gathering relevant data.

Some forensic tools allow the ability to gather data remotely. Connecting to the suspect’s
system remotely to gather the relevant data. Remote acquisition tools vary in configurations
and capabilities with some specific drawbacks that include:

• Antivirus, antispyware, and firewall tools can be configured to ignore remote access
programs
• Suspects could easily install their own security tools that trigger an alarm to notify them
of remote access intrusions

Identifying Digital Evidence
Digital evidence is defined as any information stored or transmitted in digital form. In the U.S.,
courts accept digital evidence as physical evidence.

General tasks investigators perform when working with digital evidence include:
• Identify digital information or artifacts that can be used as evidence
• Collect, preserve, and document evidence
• Analyze, identify, and organize evidence
• Rebuild evidence or repeat a situation to verify that the results can be reproduced
reliably

Collecting digital devices and processing a criminal or incident scene is done systematically.
Only designated individuals or teams should gather evidence, following defined procedures and
standards. Remember to comply with jurisdictional rules of evidence and keep current on the
latest rulings and directives on collecting, processing, storing, and admitting digital evidence.

Digital evidence is unlike other evidence because it can be easily changed, and detecting
changes can only be accomplished by comparing the original data with a duplicate.

The business-record exception allows “records of regularly conducted activity,” such as business
memos, reports, records, or data compilations, to be admissible if the records qualify as
a business record. These can be divided into computer-generated records and computer-
stored records. Digitally stored records must be shown to be authentic and trustworthy, which
includes showing that the program that created the output was functioning correctly.

Gathering evidence according to the proper steps of evidence control helps
ensure that evidence is authentic. Digital evidence is usually challenged on the issue of whether
records have been altered or damaged. One way to prove the records are authentic is to
demonstrate that a specific person created them, such as the author of a Microsoft Word
document identified by using file metadata.

Collecting Evidence in Private Sector Incident Scenes
Private-sector organizations are small, medium, and large businesses. This includes ISPs and
other communication companies. In Canada, there is a long standing debate over whether a
business, mainly an ISP or telecom, should provide logs to law enforcement when requested. This
has created some interesting and challenging issues for both sides.

Investigating and controlling computer incident scenes in the corporate environment is easier
because businesses usually have an inventory of the systems and software deployed in the
environment. This assists in identifying the computer forensics tools needed to analyze a policy
violation.

Corporate policy statements about misuse of digital assets may allow corporate investigators to
conduct covert surveillance with little or no cause. However, this may not allow that evidence
to be used in court proceedings. Companies should display a warning banner and publish a
policy that states that they reserve the right to inspect computing assets owned by the
corporation. If there is no notification of the policy surrounding accessing certain digital assets
then the employee or user has an expectation of privacy.
Every organization must have a well-defined process describing when an investigation can be
initiated. If a corporate investigator finds that an employee is committing or has committed a
crime, the employer can file a criminal complaint with authorities. This is about enforcing
company policy, not prosecuting employees.

Corporate investigators are, therefore, primarily concerned with protecting company assets. If
evidence is discovered of a crime during a company policy investigation then a determination is
made whether the incident meets the elements of criminal law.

Preparing for a Search
Law enforcement can seize all digital systems and peripherals with search warrants in place. A
corporate investigator's authority may only extend to making an image of the suspect’s drive.

Probably the most important step in computing investigations is determining what needs to be
reviewed. This includes asking questions such as:
 Is the entire system and peripherals needed for the investigation?
 How is the evidence to be protected during transport?
 What is the nature of the case and is it private or public sector? This dictates the types
of resources needed for the investigation.
 Is it possible to identify the OS or device and estimate the size of the drive on the
suspect’s computer?

Consider the OSs and hardware involved when determining if and when the digital evidence
can be removed from the scene. Law enforcement investigators will need a warrant to remove
computers from a crime scene and transport them to a lab. In some cases, when removing the
computers would irreparably harm a business, the work may be done onsite. Other
complications include files stored offsite that are accessed remotely. Is it possible to access this
remote storage?

When the systems can’t be removed from the scene and taken to the lab, you need to
determine the resources you need to acquire digital evidence and which tools can speed data
acquisition. Get as much information as possible about the location of a digital crime.

Corporate computing investigations usually have only one person respond to an incident. If the
investigation is larger, then a team may be required that includes specialists in OSs, RAID
servers, and databases. Finding these skill sets can be challenging. As an investigator, create
initial-response and extensive-response field kits that include all tools you may need in the field.

Before beginning a search, review the facts of the case, approach plans, and objectives of the
investigation with the assembled team. The main goal of scene processing is to collect and
secure digital evidence. As digital evidence is volatile, a slow response can result in the loss of
evidence.
Seizing and Storing Digital Evidence
Since digital evidence is volatile, several guidelines should be followed to protect, store, retain,
and ensure the integrity of the evidence.

Here are some guidelines to consider:

• The investigator needs to keep a log or journal of activities
• Secure the scene
o Be professional and courteous with onlookers
o Remove people who are not part of the investigation
• Take video and still recordings of the area around the computer
o Pay attention to details
• Sketch the incident or crime scene
• Check state of computers as soon as possible
• Don’t cut electrical power to a running system
• Save data from current applications as safely as possible
• Record all active windows or shell sessions
• Make notes of everything done when copying data from a live system
• Close applications and shut down the computer
• Bag and tag the evidence, following these steps:
o Assign one person to collect and log all evidence
o Tag all evidence collected with the current date and time, serial numbers or
unique features, make and model, and the name of the person who collected it
o Maintain two separate logs of collected evidence
o Maintain constant control of the collected evidence and the crime or incident
scene
• Look for information related to the investigation
o Passwords, passphrases, PINs, bank accounts
• Collect documentation and media related to the investigation
o Hardware, software, backup media, documentation, manuals
• Don’t rely on one media storage method to preserve your evidence. Make two copies
using different tools of every image to prevent data loss
• To help maintain the chain of custody for digital evidence and restrict access to lab and
evidence storage area, lab should have a sign-in roster for all visitors
• Evidence may need to be retained indefinitely, this will depend on the legal
requirements of the case

You will also need to verify data integrity by using Cyclic Redundancy Check (CRC), Message
Digest 5 (MD5), and Secure Hash Algorithm version 1 (SHA-1) hashes.
Here are three rules for forensic hashes:
• The hash value is not predictable for a file or device
• No two hashes are the same
• The hash changes when anything changes in the file or device
Most digital forensics hashing needs can be satisfied with a nonkeyed hash set, a unique
number generated by a software tool. A keyed hash set, generated with an encryption utility's
secret key, is an alternative to a nonkeyed hash set.
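The bag-and-tag guidelines above (tag each item with date, time, identifying details and the collector's name; keep two separate logs; maintain control of the evidence) and the three hash rules fit together in a small custody log. The script below is an added example and is not part of the course notes or of any forensic product: it tags a constructed evidence file, records its SHA-1 digest in two logs, and on every custody transfer recomputes the digest and compares it with the recorded one, so an alteration of even a single byte is flagged as TAMPERED. It assumes GNU coreutils (sha1sum, dd, date, mktemp); the item id, description, names, and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the course notes: evidence tagging, two custody logs,
# and hash re-verification on each transfer. Assumes GNU coreutils.
set -eu

# Constructed evidence file standing in for an acquired image.
make_evidence() {
    printf 'constructed image contents: %s\n' "not real evidence" > "$1"
}

# Tag: one line with UTC date/time, item id, make/model/serial description,
# collector and SHA-1, appended to both logs (the notes ask for two logs).
tag_evidence() {
    # $1 evidence path, $2 item id, $3 description, $4 collector,
    # $5 primary log, $6 secondary log
    sha=$(sha1sum "$1" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    line="$stamp|$2|$3|$4|sha1=$sha|TAGGED"
    echo "$line" >> "$5"
    echo "$line" >> "$6"
}

# Custody transfer: recompute the digest, compare it with the digest recorded
# at tagging time, append the event to both logs, and print OK or TAMPERED.
transfer_evidence() {
    # $1 evidence path, $2 item id, $3 from, $4 to, $5 primary log, $6 secondary log
    recorded=$(grep "|$2|" "$5" | head -n 1 | sed 's/.*sha1=\([0-9a-f]*\).*/\1/')
    current=$(sha1sum "$1" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        status=OK
    else
        status=TAMPERED
    fi
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    line="$stamp|$2|transfer $3 -> $4|sha1=$current|$status"
    echo "$line" >> "$5"
    echo "$line" >> "$6"
    echo "$status"
}

# Walk through tag, a clean transfer, a one-byte alteration, and a second
# transfer; prints "<first result> <second result> <log entries>".
run_custody_demo() {
    work=$(mktemp -d)
    ev="$work/item-0001.dd"
    log1="$work/evidence.log"
    log2="$work/evidence-backup.log"
    make_evidence "$ev"
    tag_evidence "$ev" ITEM-0001 "USB drive, make X, serial SN-CONSTRUCTED" \
        "A. Examiner" "$log1" "$log2"
    first=$(transfer_evidence "$ev" ITEM-0001 "A. Examiner" "Evidence locker" "$log1" "$log2")
    # Simulate the alteration a forensic hash must reveal: overwrite one byte.
    printf 'X' | dd of="$ev" bs=1 seek=0 conv=notrunc 2>/dev/null
    second=$(transfer_evidence "$ev" ITEM-0001 "Evidence locker" "B. Examiner" "$log1" "$log2")
    entries=$(wc -l < "$log1" | tr -d ' ')
    rm -rf "$work"
    echo "$first $second $entries"
}

run_custody_demo
```

A nonkeyed digest like this one is enough to detect alteration; it does not by itself show who altered the file or when, which is why each log line also records the custodian and the timestamp. A keyed hash would additionally require the secret key to reproduce the value and is not shown here.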

As an investigator there are several responsibilities that come with this position. The
investigator needs to know all aspects of the seized system. They should understand how to
handle sensitive material and help secure the scene. They must also assist in documenting the
planning strategy as well as conduct ad hoc training. Finally, investigators document activities
and help conduct the search and seizure.

Record your activities and findings: maintain a journal to record the steps taken when
processing evidence. The goal is to reproduce the same results when another investigator
attempts to repeat the steps taken to collect the evidence. A journal is a reference that
documents the methods used to process digital evidence.

Reviewing the Case
Investigations can be wide ranging and require multiple people and methods. Once all the work
is complete the final requirement is a review of the case.
There are general tasks that are performed in any computer forensics case:
• Identify the case requirements
• Plan your investigation
• Conduct the investigation
• Complete the case report
• Critique the case

Summary
In this module we have explored:
• How forensics data acquisitions are stored
• Data acquisition methods
• Disk-to-image files
• Disk-to-disk copy
• Logical disk-to-disk or disk-to-data file
• Sparse data copy
• Planning digital evidence contingencies
• Write-blocking devices and utilities
• Preferred Linux acquisition tools
• Determining the type of RAID
• Altering digital evidence
• How to prepare for a case

Knowledge Check
1. A disk-to-image copy is what type of replication method?
2. State the two Linux commands used for data validation.
3. Raw data files are missing what information that requires manual validation?
4. True or False: Two hash values can be the same.
5. List the three data integrity verification methods.

Answer Key
1. Bit-for-bit
2. Dd and dcfldd
3. Metadata
4. False
5. CRC, MD5, and SHA-1

End of Module
You have completed Module 4 – Processing Crime and Incident Scenes. Remember to check
the timeline before you proceed to the next module to ensure you have completed any
assignments as required. Check with your instructor if you have any questions.
ISN1803 Computer Forensics: Module 5 –
Computer Forensic Tools
Modes of Learning
 Assignments
 Readings

Introduction
In this module, we will discuss the forensic hardware and software tools used during a forensic
investigation. This module will also cover validating and testing forensics software.

Learning Outcomes
Upon completion of this module, you will be able to:
 Analyze the need for computer forensic tools
 Evaluate computer forensic hardware and software tools
 Validate and test forensics software

Key Terms and Concepts


List some important key terms and concepts within this module.
 Acquisition
 Brute-force attack
 Keyword search
 Reconstruction
 Validation
 Verification

The Need for Forensic Tools


Forensic tools are developed and updated on a regular basis. Before purchasing a forensic
tool, research is required to verify that it meets your requirements and whether system
upgrades are needed to run it.

GUI-based forensic tools can use significant resources and may compete with other
applications, which may force CPU and memory upgrades before the software runs effectively.
Open-source tools are an alternative to commercial software and can offer great value. There are
several questions to ask when evaluating any set of tools:
 Which OS does the forensic tool run on?
 What file systems can the tool analyze?
 Can a scripting language be used with the tool to automate repetitive functions?
 Does it have automated features?
 What is the vendor's reputation for providing support?
Hardware forensic tools range from single-purpose components to complete computer systems
and servers. Software forensic tools are grouped into command-line and GUI applications.
Forensic tools are commonly used to copy data from a suspect's drive to an image file.

One of the most widely used sets of testing guidelines was developed by NIST's Computer
Forensics Tool Testing (CFTT) program, and ISO/IEC 27037 states that Digital Evidence First
Responders (DEFRs) should use validated tools. Forensic tool functions fall into five major
categories:
 Acquisition
 Validation and verification
 Extraction
 Reconstruction
 Reporting

Acquisition
Once investigation preparation is complete, the first step is acquisition: making a copy of the
original drive.
This step has several sub-functions:
 Physical data copy
 Logical data copy
 Data acquisition format
 Command-line acquisition
 GUI acquisition
 Remote, live, and memory acquisitions

There are two data-copying methods used in software acquisitions: a physical copy of the
entire drive (every sector, allocated or not) and a logical copy of a disk partition or of selected
files. Image formats vary by vendor; raw image files can be viewed with any hexadecimal editor,
while proprietary formats (for example EnCase's E01) embed metadata such as hashes in the
image itself. Splitting an image into smaller segmented files is a feature typically available in
commercial tools. Because larger organizations are geographically dispersed, remote
acquisition of evidence is common.

Validation and Verification

Validation and verification work together. Validation confirms that the tool is functioning as
required. Verification proves that two sets of data are identical by calculating and comparing
their hashes. In addition, filtering based on hash values is used to sort and search through
investigation findings, separating known-good data from suspicious data. The sub-functions
related to validation and verification are hashing (with CRC-32, MD5, or SHA-1, a member of the
Secure Hash Algorithm family) and filtering. Note that MD5 and SHA-1 are no longer
collision-resistant; record a SHA-256 hash alongside them so the verification holds up even if
the older algorithm is challenged.
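The acquisition and verification sub-functions above, worked through in code. This is an added example written for these notes, not code from the course textbook or from any forensic tool vendor: it uses an ordinary file as a stand-in for the evidence device (a real acquisition reads a block device such as /dev/sdb through a write-blocker), performs a bit-for-bit copy into segmented raw image files, hashes the data as it is read, and later re-hashes the segments to verify them. The segment naming (.001, .002, ...) and the 1 MiB segment size are assumptions chosen for the demo; the pseudo-random evidence content is constructed.

```python
import hashlib
import os
import tempfile

SEGMENT_SIZE = 1024 * 1024   # split the raw image into 1 MiB segments
BLOCK_SIZE = 64 * 1024       # copy/hash block size; divides SEGMENT_SIZE


def make_evidence(path, size=3 * SEGMENT_SIZE + 12345, seed=b"constructed evidence"):
    """Write a deterministic pseudo-random file that stands in for the suspect drive.

    Constructed for this demo; a real acquisition reads a block device such as
    /dev/sdb through a write-blocker.
    """
    digest = hashlib.sha256(seed).digest()
    with open(path, "wb") as f:
        written = 0
        while written < size:
            digest = hashlib.sha256(digest).digest()
            chunk = digest[: size - written]
            f.write(chunk)
            written += len(chunk)


def acquire(source, image_prefix, segment_size=SEGMENT_SIZE):
    """Bit-for-bit (physical) copy of `source` into numbered segment files.

    Hashes are computed from the bytes as they are read, which is what dcfldd's
    hash= option does; plain dd has no hashing. Returns (segment_paths, hashes).
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    segments, seg, room = [], None, 0
    with open(source, "rb") as src:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            md5.update(block)
            sha256.update(block)
            while block:
                if room == 0:                      # current segment full: open the next one
                    if seg:
                        seg.close()
                    path = "%s.%03d" % (image_prefix, len(segments) + 1)   # suspect.dd.001, ...
                    seg = open(path, "wb")
                    segments.append(path)
                    room = segment_size
                part, block = block[:room], block[room:]
                seg.write(part)
                room -= len(part)
    if seg:
        seg.close()
    return segments, {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(segments, expected):
    """Re-hash the segments in order as one continuous stream and compare to the
    hashes recorded at acquisition. Returns (matches, actual_hashes)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(BLOCK_SIZE), b""):
                md5.update(block)
                sha256.update(block)
    actual = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    return actual == expected, actual


def demo():
    """Acquire, verify, then flip one bit in a segment and verify again."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect.bin")
    make_evidence(source)
    segments, hashes = acquire(source, os.path.join(work, "suspect.dd"))
    verified, _ = verify(segments, hashes)
    with open(segments[-1], "r+b") as f:          # simulate a corrupted or altered segment
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    verified_after, _ = verify(segments, hashes)
    return {
        "segments": len(segments),
        "image_size": sum(os.path.getsize(s) for s in segments),
        "source_size": os.path.getsize(source),
        "verified": verified,
        "verified_after_tamper": verified_after,
    }


if __name__ == "__main__":
    print(demo())
```

The single bit flipped in the last segment changes both hashes, which is the whole point of verifying before any analysis starts. The equivalent command-line acquisition with the tool named in this module's knowledge check is dcfldd if=/dev/sdb of=/mnt/evidence/suspect.dd bs=4k conv=noerror,sync hash=md5,sha256 hashlog=/mnt/evidence/suspect.hash split=1G splitformat=nnn, which hashes while copying and writes numbered segments in the same way.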
Extraction
Extraction is the recovery task in a digital investigation and the most challenging of all tasks to
master. Recovering data is the first step in analyzing the data gathered during an investigation.
There are several sub-functions related to extraction, including:
 Data viewing
 Keyword searching
 Decompressing or uncompressing
 Carving
 Decrypting
 Bookmarking or tagging

Investigators use keyword searches to speed up analysis and focus the investigation.
Retrieving data from encrypted files and systems can be challenging and requires additional
tools and skills. Many forensic tools generate candidate password lists (for example, from
strings found on the suspect's drive) for a dictionary attack. Because passwords are stored as
hashes rather than in the clear, they cannot simply be reversed; the tool must guess a
candidate, hash it, and compare. When a dictionary attack fails, the next step is a brute-force
attack on the encrypted file, which tries every combination of a character set and becomes
impractical as password length grows.
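The extraction sub-functions above (keyword searching, carving, and the dictionary and brute-force attacks against a password hash) as an added example; this is not code from the textbook or any named tool. The raw image is constructed inline (filler bytes, one JPEG-like object lying in unallocated space, and a note containing a passphrase). The "container" key derivation is a stand-in: a single salted SHA-256, where real encryption containers use a slow function such as PBKDF2, so the attack loops are the same but far slower in practice.

```python
import hashlib
import itertools
import re


def build_image():
    """Constructed raw image (not a real acquisition): filler bytes, one
    JPEG-like object in unallocated space, and a note containing a passphrase."""
    filler = bytes(range(256)) * 8
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD-" * 5 + b"\xff\xd9"
    note = b"Reminder: the container passphrase is kittens2019 -- do not share\x00"
    return filler + jpeg + filler[:100] + note + filler


# header/footer signatures, as in a carving tool's signature table
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9")}


def carve(image, signatures=SIGNATURES):
    """Header/footer carving: return a list of (ext, offset, data) for every
    object whose header is followed by a matching footer."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0:
                break
            end += len(footer)
            found.append((ext, start, image[start:end]))
            pos = end
    return found


def keyword_search(image, keywords):
    """Case-insensitive keyword search; returns {keyword: [byte offsets]}."""
    hits = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [m.start() for m in pattern.finditer(image)]
    return hits


def candidate_words(image, min_len=6):
    """Printable strings harvested from the image: the way a forensic tool builds
    a suspect-specific wordlist for a dictionary attack."""
    return sorted({s.decode() for s in re.findall(rb"[\x21-\x7e]{%d,}" % min_len, image)})


def key_hash(passphrase, salt):
    """Stand-in for a container's key-derivation step (real containers use PBKDF2
    or similar; a single salted SHA-256 keeps the demo readable)."""
    return hashlib.sha256(salt + passphrase.encode()).hexdigest()


def dictionary_attack(target, salt, words):
    """Hash each candidate and compare; the stored hash is never 'reversed'."""
    for w in words:
        if key_hash(w, salt) == target:
            return w
    return None


def brute_force(target, salt, alphabet="0123456789", max_len=4):
    """Exhaustive search over short PIN-style secrets: cost grows as len(alphabet)**n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guess = "".join(combo)
            if key_hash(guess, salt) == target:
                return guess
    return None


if __name__ == "__main__":
    img = build_image()
    print(carve(img))
    print(keyword_search(img, ["passphrase", "invoice"]))
    salt = b"constructed-salt"
    print(dictionary_attack(key_hash("kittens2019", salt), salt, candidate_words(img)))
    print(brute_force(key_hash("4729", salt), salt))
```

The carved object is recovered from bytes that no file system entry points to, and the harvested wordlist finds the passphrase the dictionary attack needs; a four-digit PIN falls to the brute-force loop in a few thousand hashes, which is why the loop is hopeless against a long passphrase.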

Reconstruction
Reconstruction is the function of re-creating a suspect drive to show what happened during a
crime or an incident. It is also used to make a working copy of a suspect drive. Several
reconstruction methods are available, including:
 Disk-to-disk copy
 Partition-to-partition copy
 Image-to-disk copy
 Image-to-partition copy
 Rebuilding files from data runs and carving

The object of reconstruction is to re-create the suspect drive by copying an image to another
drive, partition, or virtual machine (an image-to-disk copy, the reverse of the disk-to-image copy
made at acquisition) with tools such as:
 Linux dd command
 ProDiscover
 Voom Technologies Shadow Drive

Reporting
Once the forensic analysis and examination are complete, a report is generated. The report
should include all data relevant to the investigation, which can include extracted evidence,
e-mails, and documents. Many applications can produce reports in multiple formats, including
docx, html, and pdf. Reporting also includes sub-functions such as bookmarking or tagging, log
reports, and a report generator.

The final report must document the investigator's activities and the steps taken during the
investigation. This information is also used for peer review, verifying both the steps taken and
the final results.

Digital Software Tools

A variety of investigation tools is available, as either command-line or GUI tools, on both
Windows and UNIX/Linux. The first tools that analyzed and extracted data from floppy disks and
hard disks were MS-DOS tools for IBM PC file systems.

Linux has become more popular in recent years with both home and business users. Tools
available for examination on Linux include:
 SMART, which analyzes Linux and other file systems and runs on multiple Linux distributions
 Helix 3, which boots as a Linux live disc and can also be loaded on a live Windows system
 Kali Linux, another Linux live distribution with a number of tools favoured by security
professionals and forensic investigators
 The Sleuth Kit, a set of command-line Linux forensics tools, and Autopsy, the browser-based
GUI front end for The Sleuth Kit

Windows GUI-based forensic tools that simplify forensic investigations are useful for the junior
or beginner investigator. They are usually a suite of tools that simplify use and allow
multitasking. The disadvantages of GUI tools are that they can be very resource intensive and
can produce inconsistent results, which is why results are verified with a second tool (see the
examination protocol below).

Digital Forensic Hardware Tools

Technology changes rapidly, so forensic workstations also need to be updated on a periodic
schedule. While determining your forensic workstation requirements, also consider the type of
equipment needed. Is it stationary or portable? What is your purchasing budget? How long is the
workstation expected to last?

Equipping a lab comes down to budget, and for workstations it is a balance between what you
need and what your budget and systems can handle. Several configurations may be required to
outfit the lab properly for law enforcement and private investigation requests. Consider keeping
a hardware and software library of older components, operating systems, and applications that
may be needed to complete an investigation.

Building a forensic workstation is not difficult and comes down to planning. There are both
advantages and disadvantages to building your own workstation.
 Advantages
o Customized to your needs
o Saves money
 Disadvantages
o You become the support for the system
o Parts may become obsolete or hard to find
o Can become expensive if careless

A write-blocker should be considered an integral component of the forensic lab. A write-blocker
protects an evidence disk by preventing any data from being written to it. Hardware
write-blockers sit between the evidence drive and the workstation and work with any OS or GUI
environment.

Software write-blockers are another option. They typically run in a shell mode such as DOS and
hook BIOS interrupt 13h, the legacy disk-service interrupt, to refuse write requests to the
specific drive; they therefore do not protect drives accessed through modern UEFI firmware or
OS-level disk drivers.

When a write-blocker is in use in a Windows environment, the drive is visible and can be accessed
the same as any other drive. A write appears to succeed, but the write-blocker discards the
changes. Whatever blocker is used, hash the evidence drive before and after the examination:
matching hashes are the proof that nothing was written.

Validating and Testing Forensic Software

Once the lab is set up, it is time to ensure that evidence recovered and analyzed can be
admitted in court. Testing must be completed to validate the software and to prevent it from
damaging the evidence.

NIST publishes several documents, including articles, tools, and procedures for testing and
validating forensics software. NIST has created criteria for testing computer forensics tools
based on standard testing methods and on the ISO 17025 criteria for testing items that have no
current standards. NIST also sponsors the Computer Forensics Tool Testing (CFTT) project, which
manages research on computer forensics tools and publishes the Computer Forensic Tool Testing
Handbook.

Under these criteria, a forensic lab must:
 Establish categories for digital forensics tools
 Identify forensics category requirements
 Develop test assertions
 Identify test cases
 Establish a test method
 Report test results

The ISO 5725 standard demands accuracy in the testing process: results must be both
repeatable (same examiner, same tool, same result) and reproducible (a different examiner or
lab obtains the same result).

NIST also created the National Software Reference Library (NSRL) project, which collects known
hash values (MD5 and SHA-1) for commercial software applications and OS files, so that known
files can be filtered out of an examination.
Investigators must verify test results by performing the same tasks with other, similar forensics
tools. This means using at least two tools to retrieve, examine, and verify the results.
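Known-file filtering with an NSRL-style hash set, as an added example (not code from NIST, the NSRL, or the textbook). The "reference set" here is constructed from two of the sample files and stands in for the NSRL Reference Data Set, which is keyed by SHA-1; the file tree and its contents are constructed placeholders. The point the example makes is that the filter works on content, not on names: a known binary copied into a user's folder is still filtered out, and an unknown binary carrying a system file's name is not.

```python
import hashlib
import os
import tempfile


def sha1_file(path):
    """SHA-1 of a file, read in blocks (the NSRL RDS is keyed by SHA-1)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_hashes):
    """Walk a tree of extracted files; return (known, unknown) relative paths.
    Files whose hash is in the known set are standard OS/application files and
    can be set aside; everything else needs a look."""
    known, unknown = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            (known if sha1_file(path) in known_hashes else unknown).append(rel)
    return sorted(known), sorted(unknown)


# Constructed file tree standing in for files exported from a suspect image.
# Contents are placeholders; the hashes are whatever these bytes hash to.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed stand-in for an OS binary",
    "Windows/System32/notepad.exe": b"constructed stand-in for a bundled application",
    "Users/bob/Documents/plan.docx": b"constructed user document",
    "Users/bob/Documents/kernel32.dll": b"constructed stand-in for an OS binary",
    "Users/bob/Downloads/svchost.exe": b"constructed stand-in for a binary that is NOT the known one",
}


def build_tree(root, files=SAMPLE_FILES):
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def demo():
    root = tempfile.mkdtemp()
    build_tree(root)
    # "Reference set": only the two files under System32 are known-good here.
    known_set = {
        hashlib.sha1(SAMPLE_FILES["Windows/System32/kernel32.dll"]).hexdigest(),
        hashlib.sha1(SAMPLE_FILES["Windows/System32/notepad.exe"]).hexdigest(),
    }
    return triage(root, known_set)


if __name__ == "__main__":
    known, unknown = demo()
    print("known-good (filtered out):", known)
    print("needs review:", unknown)
```

Because SHA-1 collisions can be manufactured, treat an NSRL match as "probably benign, deprioritize" rather than proof; the NSRL also ships MD5 values, and checking both (two independent hashes, as the two-tool protocol below demands) is cheap.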

Computer Forensics Examination Protocol

 Perform the investigation with a GUI tool
 Verify your results with a disk editor
 Compare the hash values obtained with both tools

Digital Forensics Tool Upgrade Protocol

 Test all new releases and OS patches before upgrading the forensic workstation
 If you find a problem, do not use the forensics tool until the problem has been fixed
 Check the vendor's website for new editions, updates, patches, and validation tests for your
tools

Summary
During this module we have explored:
 The tools for acquisition, validation and verification, extraction, reconstruction, and
reporting
 The hardware and software used in a forensic investigation
 Building a custom forensic workstation
 Validation tests

Knowledge Check
1. A forensic lab must meet what ISO standard?
2. Name a Linux examination tool.
3. What is one of the extraction sub-functions?
4. What BIOS interrupt does a software write-blocker hook?
5. What is one advantage of building a forensic workstation?

Answer Key
1. ISO 17025
2. SMART, Helix 3, Kali Linux, or The Sleuth Kit/Autopsy
3. Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting,
bookmarking or tagging
4. Interrupt 13h
5. Customization and lower cost
End of Module
You have completed Module 5 – Computer Forensic Tools. Remember to check the timeline
before you proceed to the next module to ensure you have completed any assignments as
required. Check with your instructor if you have any questions.
ISN1803 Computer Forensics: Module 6 – File Systems and File Structures
Modes of Learning
 Assignments
 Readings

Introduction
In this module, we will discuss file systems and structures of various operating systems that
may be encountered during a forensic investigation.

Learning Outcomes
Upon completion of this module, you will be able to:
 Describe the characteristics of virtual machines and network forensics
 Explain the UNIX (including Macintosh and Linux) file structures and boot processes
 Use network tools to collect network traffic data
 Outline Microsoft file systems, structures, and disks
 Examine NTFS Disks
 Outline standard procedures for network forensics

Key Terms and Concepts


List some important key terms and concepts within this module.
 FAT
 NTFS
 Macintosh
 Linux
 Live acquisition
 Network forensics
 Honeypot

File Systems
The file system tells the operating system where data is stored on the disk. An investigator
needs to be familiar with the OS and its file system to gather data effectively from a suspect's
computer.

To avoid contaminating evidence, a thorough understanding of system components such as the
Complementary Metal Oxide Semiconductor (CMOS), the Basic Input/Output System (BIOS), and
the Extensible Firmware Interface (EFI, now UEFI) is needed.
The CMOS stores system configuration and date and time information while the system is
powered off.

The BIOS contains programs that perform input and output at the hardware level, allowing the
hardware and operating system to communicate.

To reduce the possibility of contaminating evidence, a suspect's system must be booted from
forensically configured media. This is done by entering the CMOS (firmware) setup during the
bootstrap process and changing the boot order. The bootstrap process, which is contained in
ROM, tells the computer how to proceed. Before booting, record the firmware's date and time
so that timestamps on the evidence can be correlated with real time.

Understanding Disk Drives

Working with hard drives is a daily occurrence for an investigator, and a thorough understanding
of disk drives is necessary to be effective in this role. Disk drives are made up of one or more
platters coated with magnetic material. The components of a disk drive include geometry,
heads, tracks, cylinders, and sectors.

• Geometry refers to the logical structure of platters, tracks, and sectors on a disk.
• A head is the device that reads from and writes to a platter; there are two heads per platter,
one for the top and one for the bottom surface.
• Tracks are the concentric circles on a disk platter.
• Cylinders are the set of tracks at the same position on all platters (a column through two or
more platters).
• Sectors are the smallest addressable units on a track, traditionally 512 bytes (4,096 bytes on
Advanced Format drives).
Other properties handled at the drive's hardware or firmware level are zone bit recording (ZBR),
track density, areal density, and head and cylinder skew.

• ZBR is how manufacturers deal with the smaller circumference of the inner tracks of a disk,
placing fewer sectors on them than on the outer tracks.
• Track density is the space between each track.
• Areal density is the number of bits in one square inch of a disk platter.
• Head and cylinder skew are used to improve disk performance.
Currently the more popular storage medium is the solid-state drive (SSD). These devices are a
challenge for investigators, because a feature called wear-leveling means deleted data may not
survive unless it is recovered immediately.

When data is deleted from a magnetic hard drive, only the reference to it is removed and the
data itself stays in unallocated disk space. Solid-state devices are different: the drive's
controller shifts data at the physical level to other memory cells that have seen fewer writes, so
that the cells wear evenly.

When dealing with solid-state devices, make a full forensic copy as soon as possible, in case
data needs to be recovered from unallocated space. Because wear-leveling (and the garbage
collection triggered by TRIM) is performed by the drive's own controller, data in unallocated
space can be moved or erased even when the host writes nothing new to the device.

Microsoft File Systems

Microsoft Windows is one of the major operating systems, and a thorough understanding of its
file systems, FAT and NTFS, is necessary. In Microsoft file structures, sectors are grouped to form
clusters. Clusters range from 512 bytes up to 32 KB (32,768 bytes) each; combining sectors
minimizes the overhead of writing or reading files to a disk. The first sector of a disk contains
a system area, the boot record, and a file structure database.

The operating system assigns sequential cluster numbers, called logical addresses, whereas
sector numbers are called physical addresses. Cluster addresses are specific to a logical disk
drive, which is a disk partition.

Storage media such as hard drives and SSDs can be divided into sections, or partitions, which
are logical drives. An MBR-partitioned disk can hold up to four primary partitions, or three
primary partitions and one extended partition that contains one or more logical drives.

Hidden partitions can be created in unused space, or in the voids between partitions called
partition gaps. A partition can be created, data added, and then its partition-table entry removed
to hide the partition from Windows; the data remains on the disk, so examine the gaps.

The partition table is in the Master Boot Record (MBR), located at sector 0 of the disk. The MBR
stores information about the partitions on a disk: their locations, sizes, types, and which one is
bootable. Newer disks use a GUID Partition Table (GPT) instead, with a protective MBR in
sector 0.

The File Allocation Table (FAT) is a file structure that organizes files so that the OS can find
them. The main versions are FAT12, FAT16, FAT32, and exFAT (used on large flash media and
Xbox game systems).
Microsoft operating systems allocate disk space for files by cluster, which results in drive slack,
the unused space between the end of an active file and the end of its last cluster. Drive slack
is made up of RAM slack (from the end of the file to the end of its last sector) and file slack
(the remaining whole sectors of the cluster). A large cluster size, and therefore more slack, is
an unintentional side effect of FAT16 on large volumes. As files grow and require more disk
space, assigned clusters are chained together; if the next available cluster is not contiguous
with the current one, the chain is broken and the file becomes fragmented.

In Microsoft OSs, when a file is deleted only the directory entry is marked as deleted and the
file's data remains on the disk. The area of the disk where the deleted file resides becomes
unallocated disk space.
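The MBR partition table, partition gaps, and slack-space arithmetic described above, worked as an added example (not code from the textbook or any forensic tool). The MBR sector is constructed inline with two entries laid out so that an unallocated gap sits between them; the partition-type names are the standard MBR type codes. Both the gap finder and the slack calculation are general: they work for any entry list and any cluster and sector size, not only the values in this module.

```python
import struct

SECTOR = 512
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS or exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Parse the four 16-byte partition entries at offset 446 of an MBR sector.
    Each entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start,
    sector count (both 32-bit little-endian). The 55 AA signature sits at 510."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 55 AA missing")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:
            continue                       # unused slot
        entries.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start, "sectors": count, "size_bytes": count * SECTOR,
        })
    return entries


def partition_gaps(entries, total_sectors, first_usable=1):
    """Sector ranges not covered by any partition: the partition gaps where a
    hidden partition or deliberately stashed data may live."""
    gaps, cursor = [], first_usable
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - 1))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def slack(file_size, cluster_size, sector_size=SECTOR):
    """Bytes allocated but unused by a file: RAM slack (end of file to end of its
    last sector) plus file slack (remaining whole sectors in the last cluster)."""
    clusters = -(-file_size // cluster_size)         # ceiling division
    drive_slack = clusters * cluster_size - file_size
    ram_slack = (-file_size) % sector_size
    return {"clusters": clusters, "drive_slack": drive_slack,
            "ram_slack": ram_slack, "file_slack": drive_slack - ram_slack}


def build_sample_mbr():
    """Constructed MBR: bootable NTFS partition at LBA 2048, a FAT32 partition
    that does not start where the first one ends, unused slots 3 and 4."""
    def entry(status, ptype, lba_start, count):
        return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                           lba_start, count)
    sector = bytearray(SECTOR)
    sector[446:462] = entry(0x80, 0x07, 2048, 204800)
    sector[462:478] = entry(0x00, 0x0C, 210000, 100000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("gaps:", partition_gaps(parts, total_sectors=409600))
    print("slack for a 10,000-byte file in 4 KB clusters:", slack(10000, 4096))
```

On the constructed disk the gap finder reports three unallocated ranges: the alignment space before the first partition, the void between the two partitions, and the free space after the last one; all three are worth a look in a hex editor. For a 10,000-byte file in 4 KB clusters the last cluster carries 240 bytes of RAM slack and 2,048 bytes (four whole sectors) of file slack, which may still hold fragments of whatever file previously used that cluster.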

NTFS Disks
The NT File System (NTFS) has been around since Windows NT and is still current on Windows
10. NTFS provides more information about a file and more control over files and folders than
FAT. On an NTFS-formatted disk, the first data set is the Partition Boot Sector and the next is
the Master File Table (MFT). NTFS stores names in Unicode; the Unicode encodings use 8-bit,
16-bit, or 32-bit units and are known as UTF-8, UTF-16, and UTF-32, with NTFS file names held
in UTF-16.
The MFT contains information, called metadata, about every file on the disk and reserves its
first 16 records (entries 0 through 15) for system files such as $MFT, $LogFile, and $Bitmap.
Each record holds file or folder information in a series of attributes, each identified by an
attribute ID. File or folder data is stored in one of two ways in an MFT record: resident (small
data held inside the record itself) or nonresident (data held in clusters elsewhere on the
partition, which the record locates through its data runs).
When a disk is formatted as NTFS, the operating system assigns logical clusters to the entire
partition. These clusters are numbered sequentially from the beginning of the partition as
logical cluster numbers (LCNs). The clusters of a file are numbered separately, starting from 0,
as virtual cluster numbers (VCNs); the data runs in a nonresident attribute map each run of
VCNs to the LCNs where the data is actually stored.

Alternate data streams (ADS) are a way of attaching extra data to an existing file. These data
streams can obscure valuable data, intentionally or by coincidence. In NTFS an alternate data
stream is an additional $DATA attribute of the file, so the same file name can carry content for
different applications; Explorer does not show them, but dir /R at a command prompt lists them.
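Decoding the data runs described above under NTFS Disks, as an added example (hand-written for these notes, not code from the textbook or any forensic tool). The run-list encoding is the real NTFS one: a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the offset field, followed by an unsigned run length in clusters and a signed cluster offset relative to the previous run. The three run lists are constructed by hand (none was taken from a real MFT) to show the three cases an examiner meets: forward fragmentation, a fragment stored before the previous one (negative offset), and a sparse run that occupies no clusters.

```python
def decode_data_runs(runlist):
    """Decode an NTFS run list into [{vcn, lcn, length}] entries.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field. Length is unsigned; the offset is a
    signed value relative to the previous run's starting LCN (the first run is
    relative to LCN 0). An offset size of 0 marks a sparse run with no clusters
    on disk. A 0x00 header terminates the list."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append({"vcn": vcn, "lcn": None, "length": length})     # sparse run
        else:
            delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta                                                 # relative offset
            runs.append({"vcn": vcn, "lcn": lcn, "length": length})
        vcn += length
    return runs


def vcn_to_lcn(runs, vcn):
    """Map a file-relative cluster (VCN) to its on-disk cluster (LCN)."""
    for r in runs:
        if r["vcn"] <= vcn < r["vcn"] + r["length"]:
            return None if r["lcn"] is None else r["lcn"] + (vcn - r["vcn"])
    raise ValueError("VCN %d is beyond the end of the run list" % vcn)


def file_offset_to_disk(runs, file_offset, cluster_size, partition_start=0):
    """Byte offset inside the image for a byte offset inside the file."""
    vcn, within = divmod(file_offset, cluster_size)
    lcn = vcn_to_lcn(runs, vcn)
    return None if lcn is None else partition_start + lcn * cluster_size + within


# Constructed run lists (hand-encoded for the demo, not taken from a real MFT):
# three fragments with positive relative offsets ...
FRAGMENTED = bytes.fromhex("31 38 73 25 34 32 14 01 e5 11 02 31 42 aa 00 03 00")
# ... a file whose third fragment lies *before* the second (negative offset) ...
BACKWARD = bytes.fromhex("11 30 60 21 10 00 01 11 20 e8 00")
# ... and a sparse file: 16 real clusters, 16 sparse, then 8 real.
SPARSE = bytes.fromhex("11 10 20 01 10 11 08 30 00")

if __name__ == "__main__":
    for name, rl in (("fragmented", FRAGMENTED), ("backward", BACKWARD), ("sparse", SPARSE)):
        print(name, decode_data_runs(rl))
```

Decoding the run list is what lets an examiner (or a carving tool rebuilding a file "from data runs") pull a file's bytes straight out of a raw image without mounting the volume: convert the file offset to a VCN, the VCN to an LCN, and multiply by the cluster size. Note that a run following a sparse run is still relative to the last real LCN, which the code handles by leaving lcn untouched for sparse runs.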

NTFS provides compression similar to DriveSpace 3 (a Windows 98 compression utility for FAT).

Most computer forensics tools can uncompress and analyze compressed Windows data. The
Encrypting File System (EFS) uses a public and private key pair to encrypt files, folders, or disk
volumes. Only the user who encrypted the data can access the encrypted files. A recovery
certificate is the recovery mechanism used when there is a problem with the user's private key.

The recovery certificate is held by the administrator (the designated recovery agent) and allows
recovery in two ways: through the Windows GUI, or from a command prompt using the cipher,
copy, or efsrecvr (used to decrypt EFS files) commands.

Microsoft introduced the Resilient File System (ReFS) in Windows Server 2012. It is designed for
large data storage needs, such as cloud or big data, and provides maximized data availability,
improved data integrity, and scalability.

Whole Disk Encryption

As the world becomes connected 24/7 and we spend and share our lives online, the loss of
personally identifiable information (PII) is a major concern, since access to this information
allows attackers to open credit card accounts, access banking information, and potentially
cause the targeted user irreparable damage. Businesses are affected by industrial espionage:
the theft of trade secrets can devastate a business and potentially close it. Theft of laptop
computers and other handheld devices can cause these problems if the devices are not
protected correctly. To help prevent loss of information, software vendors now provide whole
disk encryption.

Whole disk encryption encrypts each sector of a drive separately. The boot sector is also
encrypted, which defeats attempts to bypass the secured drive's partition. Whole disk
encryption tools offer the following features:
 Preboot authentication, such as single sign-on or biometric access
 Full or partial disk encryption with secure hibernation that requires a password to
activate
 Advanced encryption algorithms such as the Advanced Encryption Standard (AES)
 Key management functions that use a challenge-and-response to reset passwords and
passphrases

To examine an encrypted drive it must first be decrypted by running vendor-specific programs.
One method is to use a bootable CD or USB drive that prompts for a one-time passphrase. If the
same system needs to be decrypted again, another passphrase is required. Decrypting drives is
time consuming and can take hours or days to complete. Where the system is found running and
unlocked, a live acquisition of the logical volume or of memory (which holds the volume key)
avoids the decryption step entirely; powering the machine off discards that opportunity.

Microsoft introduced BitLocker to protect data drives. It is available in Windows Vista
Enterprise/Ultimate, Windows 7 and 8 Professional/Enterprise, and Windows Server 2008 and
2012. Several third-party utilities for encrypting and decrypting drives are on the market. Each
is different and requires research to ensure the product meets the encryption requirements.

Windows Registry
The Windows registry is a database that stores hardware and software configuration
information, network connections, user preferences, and setup information. Working with the
registry should only be done by a seasoned professional who understands the impact of
changes that may affect the whole system.

The registry is organized into sections and subsections that define how the system will run. It
has its own terminology:
 Registry is the hierarchical database containing the system and user information
 Registry Editor (Regedit or Regedt32) is a utility that lets the user view and modify registry
entries
 HKEY is the prefix for the registry's top-level categories
 Key: each HKEY contains folders called keys
 Subkey is a key displayed under another key
 Branch is a key and its contents, including subkeys
 Value is a named data item stored in a key
 Default value is present in every key and may or may not hold data
 Hives are specific branches in HKEY_USERS and HKEY_LOCAL_MACHINE

The registry is loaded from a series of data files. On Windows 9x these were system.dat and
user.dat; on NT-based Windows the hive files are SAM, SECURITY, SOFTWARE, and SYSTEM in
%SystemRoot%\System32\config, plus NTUSER.DAT in each user's profile. The number and
names of these files depend on the Windows version. An extensive amount of information is
stored in the registry, allowing the investigator to discover specific information such as
previously connected USB devices, recently opened documents, and programs set to run at
startup.

Windows Startup Tasks

As an investigator, a solid understanding of the startup process is necessary to preserve data on
a suspect's system. Evidence is altered whenever a system is started or accessed after it was
used for an illicit purpose, so never boot the suspect system from its own drive.

Microsoft has changed its approach to operating systems so that Windows 8 and subsequent
releases are multiplatform, meaning they can run on desktops, laptops, tablets, and
smartphones.

The boot process uses a boot configuration data (BCD) store, which holds the settings the
Windows Boot Manager reads to locate and start the boot loader that initiates the system's
bootstrap process.

All Windows systems on NTFS perform the following steps when the computer is turned on:
 Power-on self test (POST)
 Initial startup
 Boot loader
 Hardware detection and configuration
 Kernel loading
 User logon

Virtual Machines
Virtualization is a standard part of most IT infrastructures today. It allows multiple virtual
servers to be installed and run on a single physical server, or host. A virtual machine is a set of
files stored on the host, limited only by the host's CPU, memory, and storage resources. Virtual
machines allow an investigator to create a representation of another computer on an existing
physical computer.

In digital forensics, virtual machines make it possible to restore a suspect drive inside a virtual
machine, as well as to run nonstandard software the suspect might have installed, without
touching the original evidence.

Numerous virtualization solutions are available; the most popular for creating virtual machines
are VMware Server, VMware Player and VMware Workstation, Oracle VM VirtualBox, Microsoft
Virtual PC, and Hyper-V.
UNIX, Linux and Macintosh
UNIX has been around since the early 1970s as a multiuser, multithreaded, secure operating
system. There are a number of UNIX flavours, including Silicon Graphics, Inc. (SGI) IRIX, Santa
Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.

Linux was developed by Linus Torvalds and released in the early 1990s as a free, open-source
operating system. As a result there are a number of distributions, including Ubuntu, Debian,
Red Hat, openSUSE, and Slackware. All UNIX and Linux operating systems have a kernel, as does
Windows.

UNIX and Linux commands are case sensitive. The wrong capitalization can mean your
commands are rejected as incorrect or interpreted as something different.

Linux supports a number of file systems. The early standard was the Second Extended File
System (Ext2), which was replaced by the journaling Third Extended File System (Ext3). The
Fourth Extended File System (Ext4) added support for volumes larger than 16 TB, improved
large-file management, and more flexibility.

In UNIX/Linux everything is a file, including disk drives, monitors, and network interface cards.

There are four components to a Linux file system:
 Boot block is the disk allocation that includes the bootstrap information
 Superblock contains system information and is part of the metadata defining the disk
geometry, available space, and location of the first inode, along with file system
management
 Inode blocks include the first data after the superblock; an inode is assigned to every file
allocation unit
 Data blocks are where the directories and files are stored. This location is linked directly to
inodes

Inodes contain file and directory metadata and the links to data blocks. An assigned inode
contains the following:
 Mode and type of file or directory
 Number of links to a file or directory
 UID and GID of the file's or directory's owner
 Number of bytes in the file or directory
 File's or directory's last access time and last modified time
 Inode's last file status change time
 Block address for the file data
 Indirect, double-indirect, and triple-indirect block addresses for the file data
 Current usage status of the inode
 Number of actual blocks assigned to a file
 File generation number or version number
 Continuation inode's link

A hard link provides access to the same file by a different filename: the file name lives in a
directory entry, and the inode is shared. Each inode has a field called the link count, which
specifies the number of hard links to the file; the data blocks are only released when the link
count reaches zero and no process still holds the file open. Symbolic links, also called "soft
links" or "symlinks", are pointers to other files by path name and are not included in the link
count. Symbolic links have an inode of their own, which is different from the inode of the item
they point to.
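The inode, hard-link, and symlink behaviour above, demonstrated as an added example (not code from the textbook). It creates a file, a hard link, and a symlink in a temporary directory (all constructed for the demo), reads the inode fields with lstat so that the symlink describes itself rather than its target, then deletes the original name and shows what an examiner would find afterwards. It needs a POSIX file system; the inode numbers themselves will differ on every run, so the checks compare them rather than assume values.

```python
import os
import stat
import tempfile


def describe_inode(path):
    """The inode fields an examiner reads, via lstat so a symlink describes
    itself rather than its target."""
    st = os.lstat(path)
    return {
        "inode": st.st_ino, "mode": stat.filemode(st.st_mode), "links": st.st_nlink,
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime,
        "blocks": st.st_blocks,
    }


def link_demo():
    """Create a file, a hard link and a symlink to it (constructed in a temp dir),
    then remove the original name and see what survives."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "report.txt")
    hard = os.path.join(work, "report_hardlink")
    soft = os.path.join(work, "report_symlink")
    with open(original, "w") as f:
        f.write("constructed evidence file\n")
    os.link(original, hard)        # second directory entry for the same inode
    os.symlink(original, soft)     # new inode whose content is the target path

    before = describe_inode(original)
    result = {
        "hard_link_shares_inode": describe_inode(hard)["inode"] == before["inode"],
        "link_count_with_hard_link": before["links"],
        "symlink_has_own_inode": describe_inode(soft)["inode"] != before["inode"],
        "symlink_mode": describe_inode(soft)["mode"][0],      # 'l' in ls -l output
        "symlink_not_counted": before["links"] == 2,          # symlink did not raise the count
        "symlink_target": os.readlink(soft),
    }

    os.unlink(original)            # "delete" the file by its original name
    result["link_count_after_delete"] = describe_inode(hard)["links"]
    with open(hard) as f:          # data still reachable through the hard link
        result["data_via_hard_link"] = f.read()
    # the symlink now dangles: the link itself exists but its target does not
    result["symlink_dangling"] = os.path.lexists(soft) and not os.path.exists(soft)
    return result


if __name__ == "__main__":
    for key, value in link_demo().items():
        print("%-28s %r" % (key, value))
```

The practical lesson for an examiner is the last part: deleting a file by one name does not free its data while another hard link exists, so a "deleted" file may still be fully allocated under a different name elsewhere on the volume, and a symlink that points at a missing path is a hint that such a file once existed.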

Macintosh File Systems

Macintosh OS X, introduced in 2001, is UNIX based; Apple later moved the Macintosh from
RISC-based PowerPC processors to Intel processors in 2006. Before OS X the Hierarchical File
System (HFS) was used, which stores files nested in directories. The Extended Format File
System (HFS+), introduced with Mac OS 8.1, allows for up to 4 billion allocation blocks where
HFS only allowed 65,536, giving much better use of disk space on large volumes. Current
macOS releases use the Apple File System (APFS), which forensic tools must also support.

In Mac, a file consists of two parts: the data fork, where the data is stored, and the resource
fork, where metadata and application information are stored. The resource fork contains a
resource map and resource header information for each file, such as window locations and
icons.

The data fork typically contains data the user creates. Applications also read and write to the
data fork.

A volume is any storage medium used to store files and is made up of allocation blocks and
logical blocks. Allocation blocks are groups of consecutive logical blocks. Logical blocks cannot
exceed 512 bytes.

HFS and HFS+ have two end-of-file descriptors: the logical EOF, which is the actual size of the
file, and the physical EOF, which is the number of allocation blocks for that file. Fragmentation
is reduced by using clumps, groups of contiguous allocation blocks.

Older Macintosh OSs use the Master Directory Block (MDB), which stores all the volume
information, and the Volume Control Block (VCB), temporary volume mount information built
from the MDB when the volume is mounted. When the catalog grows beyond what fits, the
overflow goes to the extents overflow file, which stores any file extent information not in the
MDB or VCB. The catalog is the listing of all files and directories on the volume and is used to
maintain the relationships between files and directories.

Forensic Procedures for Mac

While there are similarities between the Linux and Mac operating systems, there are also some
major differences:
 Linux has the /home/username and /root directories
 In Mac, the folders are /Users/username and /private/var/root
 The /home directory exists in Mac OS but is empty
 Mac users have limited access to other user accounts' files, and the guest account is
disabled by default

Knowing where the file system components are located and how they are stored is a must for
Mac OS X forensics.
Application settings are in three formats: plaintext, plist files, and SQLite databases. Plaintext
files are viewable in any text editor. Plist (property list) files are preference files for installed
applications; they come in an XML form, readable in a text editor, and a binary form that needs
a plist-aware editor (or the plutil command) to read.

 /System/Library/CoreServices/SystemVersion.plist stores the OS version
 /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist lists the existing
network interfaces
 /private/var/db/dslocal/nodes/Default/users holds the user account plist files
 /private/var/db/shadow/hash contains account password hashes on older releases; newer
releases keep the hash data inside each user's plist
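Reading the plist files listed above, as an added example (not code from the textbook or from Apple). The SystemVersion.plist content and the user record are constructed: the keys are the ones macOS uses, the values are made up, and the ShadowHashData blob is an opaque placeholder rather than a real hash. The example reads both the XML form and the binary form, which is the case where a plain text editor shows nothing useful, with Python's standard plistlib.

```python
import plistlib

# Constructed plist contents. The keys are those used by macOS; the values are
# made up for the demo.
SYSTEM_VERSION_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key><string>17G0000</string>
    <key>ProductName</key><string>Mac OS X</string>
    <key>ProductVersion</key><string>10.13.6</string>
</dict>
</plist>
"""

# A user record in the style of /private/var/db/dslocal/nodes/Default/users/<name>.plist,
# where each attribute value is a list of strings (constructed; the hash blob is a placeholder).
USER_RECORD = {
    "name": ["mallory"], "uid": ["502"], "gid": ["20"],
    "home": ["/Users/mallory"], "shell": ["/bin/zsh"],
    "ShadowHashData": [b"\x00constructed-opaque-hash-blob"],
}


def load_plist(data):
    """plistlib detects XML vs. binary ('bplist00' magic) from the first bytes,
    so one loader serves both forms."""
    return plistlib.loads(data)


def os_version(plist_bytes):
    d = load_plist(plist_bytes)
    return d["ProductName"], d["ProductVersion"], d["ProductBuildVersion"]


def user_summary(plist_bytes):
    """Flatten a dslocal user record; account attributes arrive as one-element lists."""
    d = load_plist(plist_bytes)

    def first(key):
        return d.get(key, [None])[0]

    return {
        "name": first("name"), "uid": int(first("uid")), "home": first("home"),
        "shell": first("shell"), "has_password_hash": "ShadowHashData" in d,
    }


def to_binary(data):
    """Re-serialize as a binary plist, which is what a text editor cannot read."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_BINARY)


def user_record_bytes(fmt=plistlib.FMT_BINARY):
    """The constructed user record serialized the way it sits on disk (binary by default)."""
    return plistlib.dumps(USER_RECORD, fmt=fmt)


if __name__ == "__main__":
    print(os_version(SYSTEM_VERSION_XML))
    binary = to_binary(SYSTEM_VERSION_XML)
    print(binary[:8], os_version(binary))
    print(user_summary(user_record_bytes()))
```

The same loader reads a file copied out of the image regardless of form, so the usual workflow is to copy the plist from the mounted image and parse it rather than open it in an editor; the presence of a hash blob in the user record tells the examiner a password-cracking step is possible, while its contents are left to a dedicated tool.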

FileVault is used to encrypt and decrypt a user's /Users directory (FileVault 2 encrypts the whole
volume) and has master keys and recovery keys. Keychains manage passwords for applications,
websites, and other system files; the Mac application Keychain Access lets you view and restore
passwords.

Deleted files are in the user's .Trash folder (and a .Trashes folder on external volumes), which is
similar to the Windows Recycle Bin.

Examining a Mac system follows the same process: create an image of the drive, using static
acquisition if possible, with some exceptions. The investigator needs a Macintosh-compatible
forensic boot disc (or Target Disk Mode behind a write-blocker) to make the image.

Virtual Machine
Virtualization and Virtual machines are important in today’s networks. An investigator must
know how to analyze virtual machines and use them to analyze other suspect drives. Virtual
machines are used to offset hardware costs by sharing the resources of a server amongst
multiple virtual machines or virtual serves. The software that runs virtual machines is called a
“hypervisor”. There are two types of hypervisor, Type 1 which loads on physical hardware and
doesn’t require a separate OS, and Type 2 which rests on top of an existing OS.
Type 2 hypervisors are common and are usually what is found on a suspect’s machine. They run on a
system with an existing operating system, such as a Windows workstation or laptop. Several Type 2
hypervisors are available, the most common being:

 Parallels Desktop, created for Macintosh users who also need to run Windows applications
 KVM (Kernel-based Virtual Machine) for Linux
 Microsoft Virtual PC, which only supports VMs that run Windows
 VMware Workstation and VMware Player, among the most flexible: they can be installed on
almost any device, including tablets, and support most operating systems, including Microsoft
Hyper-V Server
 VirtualBox, which supports all Windows and Linux OSs as well as Macintosh and Solaris

Most Type 2 hypervisors come with templates for different operating systems. A hypervisor
template provides the optimum settings for the VM’s guest operating system, such as Ubuntu.

There are only slight differences between doing forensics on a VM and on a standalone hard drive.
Begin by creating a forensic image of the host system and collecting the network logs; linking the
VM’s IP address to entries in those logs may show what Web sites the VM accessed. Discovering
whether a virtual machine is present on a host system can be challenging. Start by reviewing the Users
or Documents folder (in Windows) or the user home directories (in Linux) for VM files, check the host’s
Registry (HKEY_CLASSES_ROOT) for file-type associations that show a hypervisor has been installed or
uninstalled, and look for the existence of a virtual network adapter. USB drives also need
consideration, since a virtual machine can run from almost anywhere, including a USB drive.

A procedure needs to be defined and documented to conduct an investigation. Best practices
for investigating virtual machines should include:
1. Image the host machine
2. Locate the virtualization software and VMs, using information learned about file extensions
and network adapters
3. Export from the host machine all files associated with VMs
4. Record the hash values of associated files
5. Open a VM as an image file in forensics software and create a forensic image or mount the
VM as a drive
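
Steps 2 to 4 of that procedure (locate the VM files by extension, export them, record their hashes) are mechanical enough to script. The following is an added example written for these notes, not code from the course text or from any hypervisor vendor. It walks a mounted image or exported folder, picks out files by the extensions the common hypervisors write, and produces a SHA-256 manifest before anything is opened in a forensic tool. The extension-to-description table is an assumption about typical naming, and the sample host tree it builds is constructed (the “KDMV” bytes are the VMware sparse-disk magic, the rest is a stub, not a real disk):

```python
import hashlib
import os
import tempfile

# File extensions written by common Type 2 hypervisors (VMware, VirtualBox, Virtual PC/Hyper-V, Parallels).
# Assumed typical naming; a suspect can rename files, so treat this as a first pass, not proof of absence.
VM_EXTENSIONS = {
    ".vmx": "VMware configuration", ".vmdk": "VMware virtual disk", ".vmem": "VMware paged memory",
    ".vmsn": "VMware snapshot state", ".vmss": "VMware suspended state", ".nvram": "VMware BIOS/NVRAM",
    ".vbox": "VirtualBox configuration", ".vdi": "VirtualBox virtual disk",
    ".vhd": "Virtual PC / Hyper-V disk", ".vhdx": "Hyper-V disk", ".avhdx": "Hyper-V differencing disk (snapshot)",
    ".pvm": "Parallels VM bundle", ".hdd": "Parallels disk", ".ova": "OVF appliance archive", ".ovf": "OVF descriptor",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte virtual disks do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_vm_artifacts(root):
    """Walk the tree and return sorted (relative path, description, size, sha256) for every VM-related file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in VM_EXTENSIONS:
                path = os.path.join(dirpath, name)
                found.append((os.path.relpath(path, root), VM_EXTENSIONS[ext],
                              os.path.getsize(path), sha256_file(path)))
    return sorted(found)


def write_manifest(artifacts, out_path):
    """Record the hash values (step 4) so later work on the exported files can be verified against them."""
    with open(out_path, "w") as f:
        for rel, desc, size, digest in artifacts:
            f.write(f"{digest}  {size:>12}  {desc:<40}  {rel}\n")
    return out_path


def build_sample_tree():
    """Constructed sample host tree: one VMware VM under a user's Documents folder plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="host_image_")
    vm_dir = os.path.join(root, "Users", "alice", "Documents", "Virtual Machines", "kali")
    os.makedirs(vm_dir)
    with open(os.path.join(vm_dir, "kali.vmx"), "w") as f:
        f.write('.encoding = "UTF-8"\nethernet0.present = "TRUE"\n')
    with open(os.path.join(vm_dir, "kali.vmdk"), "wb") as f:
        f.write(b"KDMV" + b"\x00" * 508)          # sparse-disk magic followed by a constructed stub
    with open(os.path.join(root, "Users", "alice", "Documents", "notes.txt"), "w") as f:
        f.write("not a VM file\n")
    return root


if __name__ == "__main__":
    host = build_sample_tree()
    artifacts = find_vm_artifacts(host)
    print(open(write_manifest(artifacts, os.path.join(host, "vm_manifest.txt"))).read())
```

The manifest is what you compare against after exporting the files and again before opening a .vmdk or .vdi as an image in the forensic tool (step 5); if the two hashes differ, the export or mount altered the file and the chain of evidence has a gap to explain.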

Live acquisitions of VMs are often necessary because they capture all the snapshots. A snapshot is an
image of the state of a VM at a particular moment. Snapshots are useful for versioning server
changes, such as a software installation that fails: rolling back to the snapshot taken before the
installation should bring the server back online in short order. A live acquisition therefore provides
access to all the system changes, not just the original VM.

Investigators can also use VMs as an examination platform, either mounting a forensic image inside a
VM or running forensic tools from removable media against it. This allows the image to be booted as
a live virtual machine, behaving like the physical system, with standard forensic tools run against it.
The steps include:
1. Acquire the image and make a working copy
2. Verify the copy’s hash value
3. Document findings
4. Create a snapshot of the VM before any analysis
5. Follow standard procedure to conduct the investigation

Type 1 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage. The
virtualization software is installed directly on the hardware, with the virtual machines installed on top
of it. The number of guest virtual machines is limited only by the host’s resources.
Common Type 1 hypervisors include:
 VMware vSphere
 Microsoft Hyper-V 2012
 Citrix XenServer
 IBM PowerVM
 Parallels Bare Metal

Live Acquisitions
Live acquisitions are especially useful when dealing with active network intrusions or attacks. A live
acquisition done before a system is taken offline is also becoming a necessity, since many attacks
leave footprints only in running processes or memory.

Because a live investigation inevitably changes the system being examined, reproducing the
investigation exactly is difficult. In this sense live acquisitions don’t follow the typical static
forensics procedure of imaging, verifying, and repeating.

One of the constraints on live acquisitions is the Order of Volatility (OOV): the length of time a
piece of information lasts on a system. The most volatile data (CPU registers and cache, memory,
network connections, running processes) must be collected before less volatile data such as files on
disk, because the act of collecting destroys some of it.

Live acquisition procedures are as follows:

 Create or download a bootable forensic CD
 Keep a log of all actions taken, with the time each was taken
 Collect the data on a network drive or removable media, never onto the suspect system itself
 Copy the physical memory (RAM)
 Depending on the investigation, scan for rootkits or other potentially hidden malware
 Compute a forensic hash value of every file you recover during the live acquisition

Capturing RAM is one of the main aspects of a live acquisition and needs specific tools such as
Mandiant Memoryze, Belkasoft RAM Capturer, or the tools included in Kali Linux.

GUI tools are easy to use, but they can consume a lot of system resources, which on Windows can alter
the very memory being captured and produce misleading results. Command-line tools have a smaller
footprint and provide more control and flexibility in gathering the desired information.

Network Forensics
Network forensics is the process of collecting and analyzing raw network data and tracking network
traffic to determine how an attack was carried out or how an event occurred on a network.
Network intruders leave a trail of breadcrumbs showing what was accessed and how. An investigator
needs to understand a network’s typical traffic patterns to readily spot variations that could be a
clue to the intrusion.

Network examination is a critical component of an investigation, so standard forensic procedures
must be established. They help ensure that all compromised systems are discovered. Procedures must
be based on an organization’s needs and complement its network infrastructure. As a best-practice
guideline, NIST published Special Publication 800-86, “Guide to Integrating Forensic Techniques into
Incident Response”, to address these needs.

The main function of network forensics is to determine how unauthorized access occurred. Hardening
of the network needs to take place before a breach happens. One such strategy is a layered
approach (defense in depth) that protects and hides the most valuable data and assets on the network.

Testing a network’s security is as important as testing servers. This type of testing shows the gaps
that need remediation to protect the environment. Attackers are continually trying new techniques to
infiltrate an environment, and attacks don’t only come from outside: employees are also a potential
threat that needs to be addressed. Testing is an ongoing process; there is no once and done.

Small companies often don’t view security as a priority, so they may be more susceptible to internal
attacks and to employees revealing proprietary information.

Network forensics can be a long, tedious process. This is why standard procedures are necessary
to ensure all aspects are reviewed, tested, and reported accordingly.

A standard process should include the following:

 Always use a standard installation image for systems on a network
 Fix any vulnerability after an attack
 Attempt to retrieve all volatile data
 Acquire all compromised drives
 Compare the files on the forensic image with the original installation image
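
The last step is only possible because of the first: if every system was built from a standard image, any file that differs from that image is worth a look. The following is an added example for these notes, not code from the course text or from NIST, showing that comparison as a hash-based diff of two directory trees. It classifies each path as added, deleted, modified, or unchanged. The two trees it builds are constructed (a three-file baseline and an “acquired” copy with a replaced binary, a dropped persistence file, and a deleted file); the file contents are stand-ins, not real system files:

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path (with '/' separators) -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    digest.update(block)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return digests


def compare_to_baseline(baseline_root, image_root):
    """Classify the acquired image's files against the standard installation image."""
    base, img = hash_tree(baseline_root), hash_tree(image_root)
    common = set(base) & set(img)
    return {
        "added": sorted(set(img) - set(base)),         # present only on the compromised system
        "deleted": sorted(set(base) - set(img)),       # removed from the compromised system
        "modified": sorted(p for p in common if base[p] != img[p]),
        "unchanged": sorted(p for p in common if base[p] == img[p]),
    }


def build_sample_trees():
    """Constructed sample: a baseline and an acquired copy with one binary replaced, one file added, one deleted."""
    base = tempfile.mkdtemp(prefix="baseline_")
    img = tempfile.mkdtemp(prefix="acquired_")
    files = {
        "bin/sshd": b"\x7fELF original sshd",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "etc/issue": b"Welcome\n",
    }
    for rel, data in files.items():
        for root in (base, img):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
    with open(os.path.join(img, "bin/sshd"), "wb") as f:
        f.write(b"\x7fELF trojaned sshd")            # modified system binary
    with open(os.path.join(img, "etc/ld.so.preload"), "wb") as f:
        f.write(b"/lib/libhide.so\n")                  # dropped persistence file
    os.remove(os.path.join(img, "etc/issue"))          # deleted file
    return base, img


if __name__ == "__main__":
    for category, paths in compare_to_baseline(*build_sample_trees()).items():
        print(f"{category:>9}: {paths}")
```

In a real case the baseline side is the mounted gold image and the other side is the mounted forensic copy, never the original drive. Expect the modified list to include legitimate patches applied since the image was built; the point is that it is short enough to review by hand, which the raw file list never is.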

Digital forensics typically works from the image to find most of the deleted or hidden files and
partitions. Network forensics works with restored drives, examining an attack on an isolated system so
that the infection cannot affect the rest of the network.

Network logs record the activity of devices on the network such as servers, routers, and firewalls.
Reviewing logs is a tedious process and requires sifting through an immense amount of data. Tools
that ease the effort include tcpdump, Wireshark and other packet analyzers, and commercial network
analysis tools used to identify patterns.

The Honeynet Project was developed to make information about attackers widely available in an
attempt to stop Internet and network hackers. The main objectives of the project are awareness,
information, and tools.

A honeypot is a system set up to look like another system on the network, to lure attackers away from
the real assets and to record what they are doing.

One way to attack a network is a distributed denial-of-service (DDoS) attack, which uses a number of
compromised systems, also called zombies, to overwhelm a network by generating so much traffic
that it’s virtually impossible for the network to keep operating.

Summary
During this module we have explored:
• How a hard drive works
• Linux and Macintosh file systems and forensics
• The types of virtual machines and how they function
• Live acquisitions and the potential issues
• Network forensics and the process for collecting data

Knowledge Check
1. What is a Type 1 virtual system?
2. What type of compromised system does a DDoS attack use?
3. What are the names of the two windows registry editor tools?
4. What is a hard drive track?
5. What does an Encrypting File System (EFS) use for encryption of files and folders?

Answer Key
1. A system whose hypervisor is installed directly on the host hardware, with no separate host operating system.
2. Zombies
3. Regedit and regedt32
4. The concentric circle on a hard drive platter
5. Public and private key

End of Module
You have completed Module 6 – File Systems and File Structures. Remember to check the
timeline before you proceed to the next module to ensure that you have completed any
assignments as required. Check with your instructor if you have any questions.
ISN1803 Computer Forensics: Module 7 -
Data-hiding Techniques and Recovering
Graphic Files
Modes of Learning
 Assignments
 Readings

Introduction
In this module, we will discuss the methods used to hide data on a system and recovering
graphic files for analysis.

Learning Outcomes
Upon completion of this module, you will be able to:
 Outline data hiding techniques
 Distinguish relevant data to be collected and analyzed
 Validate forensic data collected
 Demonstrate methods to perform remote acquisition
 Examine graphic files and their characteristics
 Examine methods of locating and recovering graphic files

Key Terms and Concepts


List some important key terms and concepts within this module.
 Image file
 Steganalysis
 RAW
 Lossy and lossless compression
 Hidden data
 File header

Determining What Data to Collect and Analyze
How digital evidence is examined and analyzed is defined entirely by the nature of the investigation
and the amount of data to process. Investigations have limitations based on their scope, the warrant
obtained, or limits set by the courts.

In this context, scope creep, where an investigation grows beyond its original requirements, can
happen in a corporate environment when investigating one incident opens up other unforeseen issues
that also require examination. As with any project, this increases the time it takes to gather the
evidence. Scope creep is also an issue in criminal investigations, which have become more in-depth as
more evidence is required to obtain a conviction.

As with any investigation, a plan is created to keep efforts on track and within the defined
parameters. The basic steps include defining the goal and scope of the investigation, the materials
needed, and the tasks to perform. The approach is then modified for each investigation.

For example, investigating an email incident means reviewing the email, the email servers, and the
network logs, whereas a network penetration could include a network architecture review, the
firewall and IPS logs, and device firmware.

These are the basic steps for all digital forensics investigations:
1. Use recently wiped or reformatted and virus-scanned media as the investigation target drives
2. Inventory the suspect’s computer and document everything about the system
3. For static acquisitions, remove the original drive
4. Document how the data was acquired
5. Process the drive’s contents methodically and logically
6. List all folders and files on the image or drive
7. Examine the contents of all data files in all folders
8. Recover the contents of all password-protected files
9. Identify the function of every executable file whose hash doesn’t match a known-good value
10. Maintain control of all evidence and findings

Refining and Modifying the Investigation Plan
Plans are living documents and need to be modified as the investigation changes, to follow the
evidence.

Validating Forensic Data
Once the examination is complete, the next major step, and possibly the most important, is validating
the forensic data. This ensures the integrity of the data collected and is essential for presenting
evidence. Most forensic tools offer hashing of image files: the tool recomputes the hash and compares
it with the value calculated when the image was first acquired.

Hexadecimal editors provide useful features such as hashing specific files or sectors. They can be
used to review hash values and to search for a suspicious file whose name has been changed to look
like an innocuous file. A related technique is block-wise hashing: build a data set of hashes of the
sectors of a known file, then scan the suspect drive for sectors whose hashes match. A match confirms
that the file, or part of it, was stored on the suspect’s drive, even if the file has since been deleted
or renamed. Hash values are also used to discriminate between known-good and suspicious files; this
feature is included in several forensic tools.
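
Block-wise hashing is worth seeing in code because its one trap is not obvious from the description: only the full sectors of the known file can be matched, since the last partial sector is padded with slack bytes on disk that the examiner cannot predict. The following is an added example for these notes, not code from the course text or from any forensic tool. It hashes the 512-byte sectors of a known document, scans a constructed disk image in which that document is stored fragmented and out of order, and reports which image sectors hold which sectors of the file:

```python
import hashlib
import random

SECTOR = 512


def sector_hashes(data, sector=SECTOR):
    """Hash every full sector of a known file, mapping digest -> sector number within the file.
    The trailing partial sector is skipped: on disk it is padded with slack bytes we cannot predict."""
    full = len(data) - len(data) % sector
    return {hashlib.sha256(data[i:i + sector]).hexdigest(): i // sector for i in range(0, full, sector)}


def scan_image_for_sectors(image, known, sector=SECTOR):
    """Hash each sector of a drive image and report (image_sector, file_sector) for every match."""
    hits = []
    for i in range(0, len(image), sector):
        digest = hashlib.sha256(image[i:i + sector]).hexdigest()
        if digest in known:
            hits.append((i // sector, known[digest]))
    return hits


def build_samples():
    """Constructed sample: a 3.5-sector document and a 16-sector image in which the document's three full
    sectors are stored fragmented and out of order (image sectors 2, 4, 5) among random filler."""
    rng = random.Random(1803)

    def random_sector():
        return bytes(rng.getrandbits(8) for _ in range(SECTOR))

    doc = bytes(rng.getrandbits(8) for _ in range(SECTOR * 3 + 200))
    layout = [None, None, 2, None, 0, 1] + [None] * 10   # document sector stored at each image sector, or filler
    image = b"".join(doc[s * SECTOR:(s + 1) * SECTOR] if s is not None else random_sector() for s in layout)
    return doc, image


if __name__ == "__main__":
    doc, image = build_samples()
    for image_sector, file_sector in scan_image_for_sectors(image, sector_hashes(doc)):
        print(f"image sector {image_sector:2d} holds sector {file_sector} of the known file")
```

The file system metadata never enters into it, which is the point: the document can be deleted, renamed, or partly overwritten and the surviving sectors still match. In a real case the image is read sector by sector from the forensic copy rather than held in memory, and the sector size is taken from the drive, not assumed.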

Addressing Data Hiding Techniques
Data hiding is changing or manipulating a file to conceal information. Techniques include hiding
partitions, changing file extensions, changing file attributes, and password-protecting files.

One of the simplest techniques is changing a file’s extension, such as renaming .docx to .gif.
Forensics tools read the file header (its signature bytes) and compare it against the extension to
verify that they agree; if there’s a discrepancy, the file is flagged as possibly hidden.
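
The header check is a small table lookup, and the following added example, written for these notes rather than taken from the course text or any forensic product, shows it end to end: a table of signature bytes for a handful of formats, a check of each file’s header against its extension, and a scan of a directory that reports ok, mismatch, or unknown. The signature table is a deliberately short subset. The sample files it creates are constructed stubs (a .docx renamed to .gif among them), not real documents or images:

```python
import os
import tempfile

# Leading signature bytes for a small set of formats. Office Open XML documents are ZIP containers,
# so .docx and .zip legitimately share a signature; this check cannot tell those two apart.
SIGNATURES = {
    ".jpg": b"\xFF\xD8\xFF",
    ".jpeg": b"\xFF\xD8\xFF",
    ".gif": b"GIF8",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".bmp": b"BM",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
}


def identify_by_header(header):
    """Return the extensions whose signature matches the first bytes of the file."""
    return sorted(ext for ext, magic in SIGNATURES.items() if header.startswith(magic))


def check_file(path):
    """Return (extension, matching_formats, status); status is 'ok', 'mismatch' or 'unknown'."""
    with open(path, "rb") as f:
        header = f.read(16)
    ext = os.path.splitext(path)[1].lower()
    matches = identify_by_header(header)
    if not matches:
        status = "unknown"          # no signature we know; needs a hex editor, not a verdict
    elif ext in matches:
        status = "ok"
    else:
        status = "mismatch"         # header says one format, extension claims another
    return ext, matches, status


def scan_directory(root):
    """Check every file under root; returns {filename: (extension, matching_formats, status)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            results[name] = check_file(os.path.join(dirpath, name))
    return results


def build_sample_dir():
    """Constructed sample evidence folder: a real-looking .docx, the same bytes renamed to .gif, a PNG, and text."""
    root = tempfile.mkdtemp(prefix="evidence_")
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 28 + b"[Content_Types].xml",
        "holiday.gif": b"PK\x03\x04" + b"\x00" * 28 + b"[Content_Types].xml",   # a .docx hidden as a .gif
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR",
        "notes.dat": b"just some text, no known signature",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for name, (ext, matches, status) in sorted(scan_directory(build_sample_dir()).items()):
        print(f"{status:8} {name:14} extension={ext or '(none)':6} header looks like {matches or ['?']}")
```

A mismatch is a lead, not a conclusion: plenty of software writes files with misleading extensions for its own reasons. The unknown results are the ones to take to a hex editor, and the shared ZIP signature is a reminder that a container format can hide a different container inside it.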

One way to hide a partition is the Windows diskpart remove letter command, which unassigns the
partition’s drive letter so that it no longer appears in File Explorer. To detect a hidden partition,
the investigator examines the drive and accounts for all of the disk space. If the sizes of the
visible partitions don’t add up to the drive’s capacity, the drive is analyzed further to find the
missing space.

The term steganography comes from the Greek for “hidden writing”: hiding a message so that only the
intended recipient knows it is there. Steganalysis is the detection and analysis of steganography.

Digital watermarking is a way to mark a file to protect ownership. The marking is sometimes visible.
Steganographic watermarks are usually not visible, so two files can appear identical, right down to
the file size, yet differ in content. Steganography tools let a user insert information into a variety
of carrier files. For example, a user can encrypt a plaintext file with PGP and insert the encrypted
text into a steganography file; cracking that hidden, encrypted message is extremely difficult.

Some steganalysis methods include:

 Steg-only attack, used when only the stego file is available for analysis
 Known cover attack, used when both the original cover-media and the stego-media are available
 Known message attack, used when the hidden message itself is known
 Chosen stego attack, used when the steganography tool (algorithm) and the stego-media are both
known
 Chosen message attack, in which the analyst generates stego-media from a chosen message with a
known tool to identify the patterns that tool leaves behind

To decode an encrypted file, users provide a password or passphrase. Many encryption programs
also use a technology called “key escrow”, designed to recover encrypted data if users forget their
passphrases; investigators can use the escrowed key to recover encrypted data. Cracking encryption
otherwise takes time, and there is the potential to corrupt the data.

Password cracking is a common practice, especially in forensics. Several programs can assist with it;
in most cases they use a dictionary or brute-force attack. A brute-force attack tries every
combination of letters, numbers, and symbols. These programs also use items from a suspect’s life, on
the theory that most people build passwords from something relatable or familiar: the word “password”,
a birthday, or a street address are common and easy to crack.

Another method is the rainbow table, a precomputed file of hash values for every possible password
that can be typed on a computer’s keyboard up to a given length, so that a captured hash can be
looked up instead of recomputed. This is much faster than brute force, at the cost of storage and
up-front computation.

Summary
Examining and analyzing digital evidence depends on the nature of the investigation and the amount
of data to process.
General procedures are:
 Wipe and prepare target drives
 Document all hardware components on the suspect’s computer
 Check the date and time values in the suspect’s computer’s CMOS
 Acquire data and document the steps
 List all folders and files
 Attempt to open password-protected files
 Determine the function of executable files, and document the steps
Advanced digital forensics tools have features such as indexing text data, which makes keyword
searches faster. A critical aspect of digital forensics is validating digital evidence: ensuring the
integrity of the data you collect is essential for presenting evidence in court.

Graphic Files
Graphic files are any form of digital image, such as digital photographs, line art, three-dimensional
images, or scanned replicas of printed pictures. They can be created and modified by any number of
software applications, such as Photoshop, GIMP, and Paint.NET.

There are three types of graphic files: bitmap, vector, and metafile. A bitmap image is a collection of
dots, or pixels, in a grid. A vector graphic is based on mathematical instructions that draw lines and
curves, so it stays sharp as it is enlarged. A metafile graphic combines bitmap and vector data.

Graphics editors create, modify, and save images in multiple formats; image viewers only open and
display them. Bitmap and raster images both store pixels; raster images store them in rows and are the
form used for print output, which gives better printing resolution.

Due to the wide range of imaging software on the market, there are many image file types as well.

Standard graphics file formats include:

 Portable Network Graphics (.png)
 Graphics Interchange Format (.gif)
 Joint Photographic Experts Group (.jpeg, .jpg)
 Tagged Image File Format (.tiff, .tif)
 Windows Bitmap (.bmp)
 Standard vector file formats
o Hewlett-Packard Graphics Language (.hpgl)
o AutoCAD (.dxf)
 Nonstandard graphics file formats
o Targa (.tga)
o Raster Transfer Language (.rtl)
o Adobe Photoshop (.psd) and Illustrator (.ai)
o Freehand (.fh9)
o Scalable Vector Graphics (.svg)
o Paintbrush (.pcx)

Digital Cameras
Due to the popularity of digital photos, an investigator needs to understand how they are created
and manipulated. Digital photographs are common evidence in cases such as auto accidents, and the
metadata they carry lends credibility to the evidence.

A RAW file is referred to as a digital negative, meaning no enhancement has been applied to the
sensor data; these are usually the best-quality images. One disadvantage of RAW formats is that they
are proprietary to each camera maker and not viewable in all image viewers. Converting a RAW image to
another format involves demosaicing, a digital image process that reconstructs a full-colour image from
the incomplete colour samples output by an image sensor overlaid with a colour filter array (CFA). Most
camera phones save images in either JPEG or RAW format.

Most digital cameras use the Exchangeable Image File format (Exif), which stores camera information
alongside the picture. When a photo is taken, the camera make, model, and settings, and possibly the
GPS coordinates of where the photo was taken, are written into the file. This metadata, stored in the
header at the beginning of the file, lets investigators learn more about the camera used and the
environment where the pictures were taken. Viewing it requires a program such as IrfanView.
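
Knowing where that metadata sits in the file is what lets an examiner confirm what a viewer reports, or read it from a damaged file the viewer rejects. The following is an added example for these notes, not code from the course text, a camera vendor, or any viewer. It walks the JPEG marker segments to the APP1 “Exif” segment, reads the TIFF header inside it to learn the byte order, and decodes the ASCII entries of the first image file directory (IFD0), which is where Make, Model, and DateTime live. The JPEG it parses is constructed: a valid Exif header with illustrative tag values and no picture data behind it, not a real photograph:

```python
import struct

# IFD0 tags an examiner looks for first (standard TIFF/Exif tag numbers).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
             0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}


def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block inside the APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])   # segment length counts its own 2 bytes
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker in (0xFFDA, 0xFFD9):      # start of scan / end of image: no more header segments
            break
        pos += 2 + length
    return None


def parse_ifd0(tiff):
    """Decode the ASCII and LONG entries of IFD0 using the byte order declared in the TIFF header."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # 'II' little-endian (Intel), 'MM' big-endian (Motorola)
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(order + "HHI4s", tiff[entry:entry + 12])
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if typ == 2:                                  # ASCII, NUL-terminated; stored inline when it fits in 4 bytes
            offset = struct.unpack(order + "I", raw)[0]
            value = raw[:n] if n <= 4 else tiff[offset:offset + n]
            tags[name] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4 and n == 1:                     # LONG: used for the Exif and GPS sub-IFD offsets
            tags[name] = struct.unpack(order + "I", raw)[0]
    return tags


def exif_summary(jpeg):
    tiff = find_exif_tiff(jpeg)
    return parse_ifd0(tiff) if tiff else {}


def build_sample_exif_jpeg():
    """Constructed sample: a JPEG header carrying a little-endian Exif APP1 segment with three ASCII tags
    (one short enough to be stored inline) and an ExifIFDPointer. No picture data follows."""
    ascii_tags = [(0x010F, b"Canon\x00"), (0x0110, b"EOS\x00"), (0x0132, b"2024:03:04 09:14:50\x00")]
    n_entries = len(ascii_tags) + 1
    ifd0 = 8
    data_start = ifd0 + 2 + 12 * n_entries + 4          # values too long for 4 bytes are stored after the IFD
    entries, data = b"", b""
    for tag, value in ascii_tags:
        if len(value) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(data))
            data += value
    entries += struct.pack("<HHII", 0x8769, 4, 1, data_start + len(data))   # pointer to a (here empty) Exif sub-IFD
    tiff = b"II" + struct.pack("<HI", 42, ifd0) + struct.pack("<H", n_entries) + entries + struct.pack("<I", 0) + data
    payload = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload + b"\xFF\xD9"


if __name__ == "__main__":
    for name, value in exif_summary(build_sample_exif_jpeg()).items():
        print(f"{name:18} {value}")
```

The GPS coordinates the text mentions live in the sub-IFD that GPSInfoIFDPointer points to, parsed with the same entry loop at that offset. Because the TIFF offsets are all relative to the start of the TIFF block, a viewer and a hex editor will disagree about an address by exactly the 12 bytes of JPEG and APP1 header in front of it; that is the first thing to check when the two seem not to match.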

Data Compression
Image formats such as GIF and JPEG compress data to save space and reduce transmission time; other
formats, like BMP, do not compress their data.

Data compression is the coding of data from a larger to a smaller form. Lossless compression reduces
the file size without removing data; GIF and PNG use this method. Lossy compression permanently
discards bits of information, so when the file is decompressed the missing information affects image
quality; JPEG is a lossy format. Vector quantization is another lossy method, which uses an algorithm
to decide what data to discard based on vectors in the graphics file.

When reviewing images in a forensic case, all the information gathered needs to be corroborated. For
example, the clock on a mobile phone can be changed, so the date and time recorded in a photo’s
metadata may be incorrect.

Locating and Recovering Files
The first step is to locate and recover all the graphic files. This can be time-consuming and needs
standard procedures. These procedures use the image headers, comparing them with known-good header
samples, to create a baseline for analysis.

Fragmented image files may need to be reconstructed, which may include rebuilding the image
headers and identifying data patterns. Recovering file fragments from file slack and free space and
putting them back together is known as carving or salvaging.

Every graphics file format has a unique header value. For example, a JPEG file begins with the
hexadecimal bytes FF D8 followed by an FF E0 or FF E1 marker, with the label “JFIF” for a standard
JPEG or “Exif” for an Exif file at offset 6.
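
Those header bytes are all a carver needs to start, but the end of a JPEG is the part that gets people into trouble: an Exif image often carries a thumbnail that is itself a complete JPEG, so stopping at the first FF D9 after the header truncates the picture. The following is an added example for these notes, not code from the course text or from any carving tool. It scans a block of unallocated space for the FF D8 FF signature, walks the header segments by their declared lengths so the thumbnail is skipped, and carves from the start-of-scan marker to the true end-of-image marker, recording the JFIF or Exif label from offset 6. The blob it scans is constructed: two structurally valid JPEG headers with stub scan data, separated by filler, not real photographs:

```python
JPEG_SOI = b"\xFF\xD8\xFF"      # start of image followed by the first marker byte
JPEG_EOI = b"\xFF\xD9"          # end of image


def _jpeg_end(blob, start):
    """Walk the marker segments from SOI until SOS, then find the EOI that ends the entropy-coded data.
    Walking by segment length skips an Exif thumbnail's own FF D9, which a naive FF D9 search stops at."""
    pos = start + 2
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            return -1                                   # lost sync: not a valid marker header
        marker = blob[pos + 1]
        length = int.from_bytes(blob[pos + 2:pos + 4], "big")
        if marker == 0xDA:                              # SOS: scan data follows; FF D9 cannot occur inside it
            end = blob.find(JPEG_EOI, pos + 2 + length)
            return -1 if end == -1 else end + 2
        if marker == 0xD9:
            return pos + 2
        if length < 2:
            return -1
        pos += 2 + length
    return -1


def carve_jpegs(blob):
    """Return [(offset, label, bytes)] for every JPEG carved from the blob; label is 'JFIF', 'Exif' or 'unknown'."""
    carved, pos = [], 0
    while (start := blob.find(JPEG_SOI, pos)) != -1:
        end = _jpeg_end(blob, start)
        if end == -1:
            pos = start + 1                 # false positive: FF D8 FF occurring inside other data
            continue
        label = blob[start + 6:start + 10]
        carved.append((start, label.decode("ascii") if label in (b"JFIF", b"Exif") else "unknown", blob[start:end]))
        pos = end
    return carved


def _segment(marker, payload):
    """Build one JPEG marker segment: FF <marker> <2-byte length including itself> <payload>."""
    return b"\xFF" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_blob():
    """Constructed sample: unallocated space holding a JFIF image and an Exif image whose APP1 segment embeds a
    thumbnail JPEG (with its own FF D9), separated by filler. Returns (blob, jfif_bytes, exif_bytes)."""
    scan = _segment(0xDA, b"\x01\x01\x00") + b"\x12\x34\xFF\x00\x56" + JPEG_EOI      # SOS, stuffed FF 00, EOI
    jfif = b"\xFF\xD8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00") + scan
    thumb = b"\xFF\xD8" + _segment(0xE0, b"JFIF\x00\x01\x01") + scan
    exif = b"\xFF\xD8" + _segment(0xE1, b"Exif\x00\x00MM\x00\x2A\x00\x00\x00\x08" + thumb) + scan
    filler = bytes(range(256)) * 2          # 512 bytes containing no JPEG signature
    return filler + jfif + filler + exif + filler, jfif, exif


if __name__ == "__main__":
    blob, _, _ = build_sample_blob()
    for offset, label, data in carve_jpegs(blob):
        print(f"offset {offset:5d}: {label:7} {len(data)} bytes")
```

Every hit still has to be opened in a viewer, as the text says, because FF D8 FF turns up in other data too; the segment walk just rejects most of those before they reach you. Real carvers add a size cap and sanity checks on the SOF dimensions, which this example leaves out.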

Searching for and recovering digital photograph evidence means giving the forensic tool a search
string (the header bytes) and looking for matches. This may generate several false hits, known as
false positives, so each hit must be examined to verify that it’s authentic.

Before attempting to edit a recovered graphics file, try to open it in an image viewer first. If the
image doesn’t display, inspect and correct the hexadecimal header values manually.

To recover a deleted fragmented file, locate the non-contiguous clusters that make it up: find the
starting and ending cluster numbers of each fragmented group of clusters, export them, and copy each
group in its correct sequence to a recovery file. Finally, rebuild the file’s header so that it is
readable in a graphics viewer.

Coming across unknown file formats during an investigation is always possible; these may be new,
older, or discontinued formats. Discovering the purpose of each format and how it stores data is part
of the investigation process. The easiest way to analyze an unknown format is with a hex editor,
recording the distinctive hexadecimal values so that a custom header search string can be built.
After recovering a graphics file, open it in an image viewer. Be sure to analyze, identify, and inspect
every unknown file on a drive.

When an image is opened, there may not appear to be any information related to the investigation.
This may be because someone has hidden data in the file using steganography, which hides information
inside image files.

Two forms of steganography are insertion and substitution. Insertion places data from the secret file
into parts of the host file that its associated program ignores, so the hidden data is not displayed
when the host file is viewed normally. The data structure needs careful analysis to find the hidden
data.

Substitution replaces bits in the host file with bits of the hidden data. Within each byte the bits are
ordered with the most significant bit (MSB) on the left and the least significant bit (LSB) on the
right; changing only the last one or two LSBs of each pixel value produces changes too small to see.
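
To make the substitution idea concrete, the following added example, written for these notes and not code from the course text or any steganography tool, embeds a short message into the LSBs of a constructed 8-bit grayscale pixel buffer (a stand-in for the pixel array of an uncompressed image such as a BMP), reads it back, and then compares cover and carrier the way an examiner would: same size, different hash, no byte changed by more than 1. The message and pixel data are constructed:

```python
import hashlib


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, secret):
    """Substitution steganography: overwrite the least significant bit of successive cover bytes with the
    bits of a 4-byte length prefix followed by the secret. The other seven bits of each byte are untouched."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(payload) * 8} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the LSBs back: first the 32-bit length, then that many bytes."""
    def read(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for bit in range(8):
                value = (value << 1) | (stego[start + b * 8 + bit] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def compare_carriers(cover, stego):
    """What an examiner sees comparing a suspected carrier with the original: identical size, different hash,
    and per-byte differences of at most 1, which is invisible in an 8-bit pixel."""
    return {
        "same_size": len(cover) == len(stego),
        "same_sha256": hashlib.sha256(cover).hexdigest() == hashlib.sha256(stego).hexdigest(),
        "bytes_changed": sum(1 for a, b in zip(cover, stego) if a != b),
        "max_byte_change": max(abs(a - b) for a, b in zip(cover, stego)),
    }


def build_sample_cover():
    """Constructed sample: 4096 bytes of 8-bit grayscale pixels forming a repeating gradient."""
    return bytes(range(256)) * 16


if __name__ == "__main__":
    cover = build_sample_cover()
    stego = embed_lsb(cover, b"meet at 0300, dock 7")
    print(extract_lsb(stego), compare_carriers(cover, stego))
```

Two practical points follow from the comparison output. First, “duplicate files with different hash values” (the indicator the text gives below) is exactly what a cover and its carrier look like, so a hash-based duplicate search that also reports near-identical sizes is a cheap first pass. Second, this method only survives in lossless carriers: saving the carrier as a JPEG rewrites the pixel values and destroys the LSB channel, which is why lossless formats are the ones to inspect most closely.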

As standard practice, steganalysis tools (steg tools) should be used to inspect all files for
evidence of steganography. Investigators should look for duplicate files with different hash values
and for steganography programs installed on the suspect’s drive.

Steganalysis tools can be used to detect, decode, and record hidden data; they detect variations in
images that could indicate data embedded in the file. Related tools are also used to protect
copyrighted material by inserting a digital watermark into a file.

Digital investigators need to be aware of copyright laws. There is no single copyright law for the
Internet and no international copyright law, so each country determines its own rules. It’s up to the
investigator to review copyright requirements case by case and determine the correct action.

Summary
During this module we have explored:
 The different image formats
 Data hiding techniques including image files
 Taking images with digital cameras
 Analyzing data with steganalysis

Knowledge Check
1. Name a tool used to validate forensic data?
2. What is Lossless compression?
3. What is the extension for Joint Photographic Experts Group?
4. What is demosaicing?
5. What is Steganalysis?

Answer Key
1. Hexadecimal editor
2. Reduces the file size without removing data
3. .jpg or .jpeg
4. Is a digital image process used to reconstruct a full colour image from the incomplete colour
samples
5. The detection and analysis of steganography files

End of Module
You have completed Module 7 – Data Hiding Techniques and Recovering Graphic Files.
Remember to check the timeline before you proceed to the next module to ensure that you
have completed any assignments as required. Check with your instructor if you have any
questions.
ISN1803 – Computer Forensics: Module 8 -
Email, Cell Phone, and Mobile Device
Forensics
Modes of Learning
 Assignments
 Readings

Introduction
In this module, we will discuss email clients and servers, how mobile devices work, and mobile device
forensics.

Learning Outcomes
Upon completion of this module, you will be able to:
 Explain the role of email, client, and servers in investigations.
 Analyze methods of investigating email crimes and violations
 Examine the operations of email servers and specialized email forensics tools
 Outline methods of cell phone and mobile device forensic acquisition

Key Terms and Concepts


List some important key terms and concepts within this module.
 Email client
 Email server
 Outlook
 Gmail
 Postfix
 Sendmail
 Mobile
 Cloud

Email System and Investigations
Email has become a go-to source of evidence in digital investigations. There are any number of
examples where email has led to someone’s downfall. Phishing, spoofing, and spam email have been
favourite methods for attackers to target someone and steal their identity and, ultimately, their money.

Investigators need to know how to examine and interpret the unique content of e-mail messages.
There are multiple ways a hacker attempts to trick the end user into revealing personal information,
including:
 Phishing e-mails contain links to a Web page that may look almost exactly like a site you visit
regularly; the attacker attempts to get personal information from the reader
 Pharming, or DNS poisoning, takes the user to a fake site and attempts to steal end-user
information
 Spoofed e-mail, carrying a forged sender address, can be used to commit fraud

One check investigators can use is the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) ID
in the message’s header. Each message an email server transmits is given a unique ID, which can be
matched against the server’s logs to confirm that the message really passed through that server.

E-mail can be sent and received over the Internet or an intranet. Email messages are sent to a
central server that clients connect to. This is called a client/server architecture: the server provides
email services to client email programs. Access is granted to a traditional username and password.
Mail is routed to a domain using its MX (mail exchanger) DNS record, and addresses follow standard
naming conventions such as corporate (john.smith@somecompany.com) or public (whatever@gmail.com),
which makes tracing emails easier for investigators. Another corporate email option is moving to the
cloud or a hosted solution such as Gmail or hosted Exchange.

The goals of an investigation that involves email are to find who is behind the crime, collect the
evidence, present the findings, and build a case.

An investigator also needs to understand the applicable privacy laws for the jurisdiction, which
depend on the compliance requirements of the state/province and country.

Once it has been determined that email was used in a crime, investigators need access to the victim’s
computer or mobile device to recover the evidence.
When starting an investigation, obtain a copy of the email in question and a description of the crime
or policy violation. Then find and copy evidence from the email client, including the headers. Headers
contain useful information such as the IP address of the originating mail server, the date and time
the message was sent, the filenames of any attachments, and the unique message number. Headers are
available in every email program, in different locations; some examples:

 Outlook (which stores mail in .pst or .ost files)
o Double-click the message and then click File, Properties
o Copy the headers
o Paste them into any text editor
o Save the document
 Yahoo
o Click Inbox to view a list of messages
o Above the message window, click More and then View Full Header
o Copy and paste the headers to a text file
 Web-based e-mail such as Yahoo or Gmail
o Messages are displayed and saved as Web pages in the browser’s cache folders
Email messages are copied to the client, and a copy is left on the server. Determining a message’s
origin by working back through the Received lines of its header is referred to as “tracing”. Tools on
the Internet can then be used to look up who owns the originating IP address or domain, so that the
investigator can find and contact the server administrator. These services include:
 www.arin.net
 www.internic.com
 www.google.com
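
Tracing is a matter of reading the Received headers in the right order: each mail server prepends its own, so the first one in the message is the last hop and the last one is where the message entered the mail system. The following is an added example for these notes, not code from the course text or from any email vendor. It parses a constructed phishing message with Python’s standard email module, pulls the sending host, bracketed IP address, receiving server, protocol, ESMTP ID and timestamp out of each Received line, and reverses the list so the first entry is the origin. The message is constructed; its addresses use the reserved documentation ranges and example domains, and the header layout is the Postfix-style form, so other mail servers may need the regular expression adjusted:

```python
import email
import email.utils
import re

# Constructed sample: a spoofed "Accounts Payable" message as received at the victim's border mail server.
SAMPLE_MESSAGE = b"""Received: from mail.victim-corp.example (mail.victim-corp.example [203.0.113.10])
\tby mx.victim-corp.example with ESMTP id 4F2C9A1B3D; Mon, 4 Mar 2024 09:15:02 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.25])
\tby mail.victim-corp.example with ESMTPS id s7Kx9; Mon, 4 Mar 2024 09:14:58 -0500
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.isp.example (Postfix) with ESMTPA id 1A2B3C; Mon, 4 Mar 2024 09:14:51 -0500
Message-ID: <20240304141451.1A2B3C@relay.isp.example>
From: "Accounts Payable" <ap@victim-corp.example>
To: cfo@victim-corp.example
Subject: Urgent wire transfer
Date: Mon, 4 Mar 2024 09:14:50 -0500

Please process the attached invoice today.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<proto>\S+)\s+id\s+(?P<id>[^;\s]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the hop details out of one Received header, or return None if it does not fit the pattern."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("from_info") or "") or IP_RE.search(m.group("from"))
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "from": m.group("from"),                       # what the sending host called itself (HELO name)
        "ip": ip.group(1) if ip else None,             # what the receiving server actually saw
        "by": m.group("by"),
        "protocol": m.group("proto"),                  # ESMTPA means the sender authenticated to that server
        "esmtp_id": m.group("id"),                     # match this against that server's log
        "date": email.utils.parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_message(raw):
    """Return the hop list in delivery order (origin first) plus the fields used to corroborate it."""
    msg = email.message_from_bytes(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()          # headers are prepended at each hop, so the last one is the first hop
    return {
        "message_id": msg["Message-ID"],
        "claimed_from": msg["From"],
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "first_hop_id": hops[0]["esmtp_id"] if hops else None,
    }


if __name__ == "__main__":
    trace = trace_message(SAMPLE_MESSAGE)
    print("claimed sender:", trace["claimed_from"])
    for hop in trace["hops"]:
        print(f"  {hop['ip'] or hop['from']:15} -> {hop['by']:25} {hop['protocol']:7} id {hop['esmtp_id']}  {hop['date']}")
    print("origin:", trace["origin_ip"], "Message-ID:", trace["message_id"])
```

Two things in the output are the corroboration the text asks for. The origin hop was an authenticated submission (ESMTPA) to relay.isp.example with ID 1A2B3C, and the Message-ID carries the same ID and host name, so the relay’s logs are where to take the ESMTP ID. Only the bottom-most Received header of the trustworthy chain can be believed, since anything below the first server you control could have been typed by the sender; here the claimed From domain is the victim’s own, which the hop list contradicts.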

As with any investigation, all findings need verification by checking the network e-mail logs against
the e-mail addresses and IP addresses found in the headers. The email server logs record the source
and destination addresses; the router logs record the incoming and outgoing traffic and the
email-related rules; and the firewall logs record which rules filtered the email traffic.

Email Servers
An email server runs software that implements the email protocols and maintains logs that can be
examined in an investigation. The investigator needs to understand how the email server records and
handles the email it receives.

Email servers store messages in databases or flat files. The email logs identify the messages an
account received, the sending IP address, the date and time the message was received and read, the
email content, and system-specific information. Be aware that server administrators can disable
logging or switch from continuous logging to log rotation, so logs may be incomplete.

Email servers also keep a copy of client emails. Even when a client deletes an email, it is not
necessarily deleted from the server, which provides an option to retrieve suspect email.
To begin an investigation, contact the e-mail administrator as soon as possible to confirm whether the
suspect emails are still available or recovery is required.

Linux/Unix email servers are common and mainly focus on Postfix and Sendmail.

Postfix is an open source Main Transfer Agent (MTA) and has two configuration files master.cf
and main.cf that are located in the /etc/postfix directory.

Sendmail is a general purpose email routing tool that uses the Simple Mail Transfer Protocol
(SMTP). Its configuration files are sendmail.cf (in /etc or /etc/mail, depending on the
distribution) and /etc/syslog.conf, which controls where the mail log is written. Another useful
file is /var/log/maillog, which records SMTP, POP3, and IMAP4 communications.

Microsoft Exchange Server (Exchange) uses an Exchange database based on the Microsoft Extensible
Storage Engine (ESE). Depending on the version, Exchange uses .edb database files, checkpoint
files, and temporary files. The *.edb file holds the Messaging Application Programming Interface
(MAPI) information. MAPI is a Microsoft interface that allows various email applications to work
together. Exchange also writes a troubleshooting log, which is read with the Windows Event Viewer.

Email Forensics Tools
Usually the email message files, headers, and server logs are all that is needed for an
investigation. In some cases access to the email server or its administrator is not possible; in
those cases other forensic tools are necessary to complete the investigation.

Tools that focus on email recovery and let the investigator locate email database files, personal
email files, offline storage, and logs include:
 DataNumen for Outlook and Outlook Express
 FINALeMAIL for Outlook Express and Eudora
 Sawmill for Novell GroupWise
 DBXtract for Outlook Express
 Fookes Aid4Mail and MailBag Assistant
 Paraben E-Mail Examiner
 AccessData FTK for Outlook and Outlook Express
 Ontrack Easy Recovery EmailRepair
 R-Tools R-Mail
 OfficeRecovery’s MailRecovery

A major advantage of data recovery tools is that the investigator does not need to know how e-mail
servers and clients work in order to extract data; the tools allow the evidence to be reviewed on
the forensic workstation. Once the email logs have been compared with the messages, the email
account, message ID, IP address, and date and time stamp determine whether there is enough
evidence to continue the investigation. Document everything that is done.

Some recovery tools can scan email database files, locate deleted e-mails, and restore them to
their original state. Very few vendors have products for analyzing e-mail from systems other than
Microsoft's. When email is stored in plaintext or mbox format, a hexadecimal editor can be used to
read it. Microsoft Outlook stores email in its own proprietary format (.pst and .ost files), which
is difficult to read with a hexadecimal editor.

In some cases the .pst or .ost file is corrupt and needs to be reconstructed. Tools such as
scanpst.exe (Microsoft's Inbox Repair Tool) can repair and restore these files for
investigation.
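As an added example (not part of these notes and not any vendor's tool), the following Python script applies the tracing and log-verification steps described above to a constructed mbox file and constructed Postfix /var/log/maillog lines. It reads each message's Received headers from the bottom up to find the originating IP, looks up the Message-ID in the server log to find the queue ID and the client IP the server itself recorded, and flags a message when the sender-supplied last hop disagrees with what the server logged, which is the signature of a forged Received chain. All hostnames, IP addresses, queue IDs and log lines are invented for the example.

```python
"""Trace e-mail origin from Received headers in an mbox file and cross-check
the result against the mail server's own log.
Added example for these notes; the mbox and log content are constructed."""
import mailbox
import os
import re
import tempfile

# Constructed mbox with two messages addressed to bob@victim.test.
# Each MTA PREPENDS its Received header, so the top one was written by the
# receiving server and the bottom one is closest to the true origin.
MBOX_TEXT = """From alice@example.org Mon Mar  4 09:15:02 2024
Received: from mx1.example.com (mx1.example.com [203.0.113.10])
\tby mail.victim.test (Postfix) with ESMTP id 4AB12C3D
\tfor <bob@victim.test>; Mon, 4 Mar 2024 09:15:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx1.example.com (Postfix) with ESMTPA id 9F8E7D6C
\tfor <bob@victim.test>; Mon, 4 Mar 2024 09:14:58 +0000
From: alice@example.org
To: bob@victim.test
Message-ID: <abc123@example.org>
Subject: Invoice

Please see attached.

From mallory@example.net Mon Mar  4 10:20:11 2024
Received: from mail.victim.test (localhost [127.0.0.1])
\tby mail.victim.test (Postfix) with ESMTP id 1122AABB
\tfor <bob@victim.test>; Mon, 4 Mar 2024 10:20:11 +0000
From: mallory@example.net
To: bob@victim.test
Message-ID: <zzz999@example.net>
Subject: Urgent

Click here.

"""

# Constructed Postfix log lines in /var/log/maillog format.  The server logs
# the client IP it actually talked to, which the sender cannot forge.
MAILLOG = """Mar  4 09:15:02 mail postfix/smtpd[2011]: 4AB12C3D: client=mx1.example.com[203.0.113.10]
Mar  4 09:15:02 mail postfix/cleanup[2012]: 4AB12C3D: message-id=<abc123@example.org>
Mar  4 09:15:03 mail postfix/local[2013]: 4AB12C3D: to=<bob@victim.test>, relay=local, status=sent
Mar  4 10:20:11 mail postfix/smtpd[2051]: 1122AABB: client=unknown[192.0.2.77]
Mar  4 10:20:11 mail postfix/cleanup[2052]: 1122AABB: message-id=<zzz999@example.net>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")


def load_mbox(text):
    """Write the mbox text to a temporary file and parse it with the standard
    mailbox module (which needs a path, not a string)."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False,
                                     newline="\n") as f:
        f.write(text)
        path = f.name
    try:
        box = mailbox.mbox(path)
        messages = list(box)   # fully parsed copies, usable after close()
        box.close()
    finally:
        os.unlink(path)
    return messages


def received_hops(msg):
    """IPs named in the Received chain, top (our server) to bottom (origin)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops


def log_facts(message_id, log_text):
    """Return (queue_ids, client_ips) the server recorded for a Message-ID."""
    entries = [m.groups() for m in map(LOG_RE.search, log_text.splitlines()) if m]
    qids = {q for q, rest in entries if rest == f"message-id={message_id}"}
    clients = [IP_RE.search(rest).group(1)
               for q, rest in entries if q in qids and rest.startswith("client=")]
    return sorted(qids), clients


def trace(mbox_text, log_text):
    """For each message: claimed origin, claimed last hop, what the server
    logged, and whether the header chain is consistent with the log."""
    report = []
    for msg in load_mbox(mbox_text):
        hops = received_hops(msg)
        mid = msg.get("Message-ID", "").strip()
        qids, clients = log_facts(mid, log_text)
        # The top Received header was written by our own server, so the IP it
        # names must equal the client IP in the log; otherwise the header
        # chain was supplied by the sender and should be treated as forged.
        consistent = bool(hops) and bool(clients) and hops[0] in clients
        report.append({"message_id": mid,
                       "origin_ip": hops[-1] if hops else None,
                       "claimed_last_hop": hops[0] if hops else None,
                       "logged_client": clients[0] if clients else None,
                       "queue_ids": qids,
                       "header_consistent": consistent})
    return report


if __name__ == "__main__":
    for row in trace(MBOX_TEXT, MAILLOG):
        print(row)
```

In the constructed data the second message claims to have come from localhost, but the server log shows the SMTP client was 192.0.2.77, so its Received header was written by the sender and the "origin" it names is worthless; the queue ID from the log is what links the message to the firewall and router logs mentioned above.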

Social Media Forensics
Social media sites, also known as Online Social Networks (OSNs), are used to conduct business, brag
about criminal activities, raise money, and hold class discussions. They can also be used to catch
a suspect unaware. People share a great deal of information on social media that can serve as
evidence of cyberbullying, witness tampering, and intellectual property violations. Social media
platforms record activity, including who posted what and when.

Gathering evidence from social media is challenging since OSNs involve multiple jurisdictions that
can cross national boundaries. Law enforcement must obtain a warrant in the jurisdiction of the
offence to access the related social media accounts.

New tools and techniques are being developed to assist with social media forensics. This opens
up potential privacy issues and questions about how the information gathered is used in court.
Depending on the case using social media forensics software might also require the permission
of the people whose information is being examined.

Mobile Device Forensics
People store a wealth of information on mobile phones and often do not think about securing their
devices. Items on a phone include incoming, outgoing, and missed calls, email accounts, pictures,
video, music files, calendars, and address books.

When a phone is seized by law enforcement, depending on the jurisdiction, a search warrant may be
needed to examine the device. Because there is no universal standard for mobile devices,
investigating cell phones can be one of the more challenging tasks.
The Basics of Mobile
Mobile phone technology has advanced rapidly since phones first appeared. By the end of 2008,
mobile phones had gone through three generations: analog, digital personal communications service
(PCS), and third-generation (3G).

Fourth-generation (4G) networks were introduced in 2009. Several digital network types are used in
the mobile phone industry, including Code Division Multiple Access (CDMA) networks that conform to
IS-95, and Global System for Mobile Communications (GSM) networks that use the Time Division
Multiple Access (TDMA) technique, in which multiple phones take turns sharing a channel.

The 3G standard was developed by the International Telecommunications Union (ITU) and is
compatible with CDMA, GSM, and TDMA.
4G networks can use a wide range of technologies including:
 Orthogonal Frequency Division Multiplexing (OFDM) uses numerous carriers instead of a
single carrier
 Mobile WiMAX supports numerous transmission speeds up to 12 Mbps
 Long Term Evolution (LTE) supports transmission speeds up to 144Mbps

Geographic areas are divided into cells, and communication relies on three main components:
 Base transceiver station (BTS): the radio transmission equipment that defines a cell, also
known as the cell tower
 Base station controller (BSC): manages the transceiver equipment and performs channel
assignment
 Mobile switching center (MSC): connects calls by routing digital packets for the network

Inside, a mobile device is basically a small computer (hence the name smart phone), consisting of a
microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker,
hardware interfaces, and an LCD display.

There are a number of mobile operating systems, but the market has consolidated around two main
vendors, Apple iOS and Google Android. The OS is stored in ROM.

Phones store system data in electronically erasable programmable read-only memory (EEPROM). This
enables service providers to reprogram phones without having to physically access memory chips.
Subscriber identity module (SIM) cards consist of a microprocessor and internal memory. A SIM card
is necessary for the mobile equipment to work on the network: it identifies the subscriber to the
network and stores service-related information.

Mobile Data Acquisition
There are several concerns when working with mobile devices, including loss of power,
synchronization with cloud services, and remote wiping. Loss of power can cause volatile memory to
be wiped, which makes prompt data acquisition crucial. A device connected to a workstation should
be disconnected to prevent synchronization from overwriting data.

A standard practice is to isolate the device from incoming signals: place it in airplane mode, put
it in a paint can or a shielded enclosure such as the Paraben Wireless StrongHold Bag, or turn it
off. Note that shielding a powered-on device causes it to search continuously for a signal
(roaming), which drains the battery faster, so keep the device on power.

What to do next depends on the device's state. If the device is on and unlocked, isolate it from
the network, disable the screen lock, and remove the passcode. If the device is on and locked, what
you can do varies with the type of device. If the device is off, attempt a physical static
acquisition, then turn the device on.

Another problem for investigators is remote wipe, which removes a user's personal information from
a stolen device. This makes isolating the device very important.

The SIM card is vital to information retrieval. It holds service-related data such as identifiers
for the SIM card and the subscriber, along with call data, numbers dialed, message information, and
location information.

The speed of change in the mobile market, with new phones released every six months, makes it a
constant challenge for investigators to keep current.

Best practices for working with mobile devices include:
 Identify the mobile device
 Make sure the mobile device forensics software is installed on the workstation
 Attach the phone to power and connect the cables
 Start the forensics software and download the information

A variety of SIM card readers, which combine hardware and software to access the SIM card, are
available. As with all investigations, documenting messages that have not yet been read is
critical; photograph each screen.

NIST guidelines (SP 800-101) describe the following mobile forensics methods, from least to most
invasive:
 Manual extraction: reviewing the device's content page by page
 Logical extraction: creating an image of the device while it is connected to a forensic
workstation
 Hex dumping and Joint Test Action Group (JTAG) extraction: loading a modified bootloader, or
using the JTAG test port, to obtain a raw dump of the device's memory
 Chip-off: physically removing the memory chips
 Micro read: using an electron microscope to view the logic gates
To show how popular social media has become, roughly half of Facebook users access their accounts
via mobile devices and are extremely active. Physical acquisition of iPhones requires jailbreaking
the phone, which gives root access and bypasses the provider's restrictions. Performing a logical
acquisition followed by a physical acquisition can yield solid evidence. Methods and techniques
will change as the market changes.

Vendors continue to bring new features to mobile devices, such as Type 2 hypervisors. Other
forensics challenges come from the Internet of Things (IoT) and wearable technology.

Cloud Forensics
The cloud as we know it has been around for a number of years now. Although cloud computing builds
on older deployment models and cloud forensics is a subset of network forensics, it presents unique
challenges for investigators.

The National Institute of Standards and Technology (NIST) defines cloud computing (SP 800-145) as
a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal management effort or service provider
interaction.

Cloud computing is traditionally offered at three service levels:
 Software as a service (SaaS): applications are delivered via the Internet
 Platform as a service (PaaS): an OS, such as Linux or Windows, has been installed on a cloud
server and the customer deploys applications on it
 Infrastructure as a service (IaaS): customers rent hardware and install whatever OSs and
applications they need

These service levels are provided in different deployment models:
 Public: accessible to anyone
 Private: can be accessed only by people who have the necessary credentials
 Community: shared by a group of organizations with a common purpose
 Hybrid: enables a company to keep some information private and designate other files as
public or community information

Cloud forensics has a wide scope, and each situation varies with the attack or policy violation
that triggered the investigation and with the solution provided by the Cloud Service Provider
(CSP).

When acquiring forensic data from the cloud, the tools used need to handle:
 Forensic data collection - Must be able to identify, label, record, and acquire data from
the cloud
 Elastic, static, and live forensics - Must be able to expand and contract their storage
capabilities
 Evidence segregation - Different businesses and users share the same applications and
storage space
 Investigations in virtualized environments - Should have the capability to examine
virtual systems

Cloud Service Providers have obligations to their clients that need consideration when extracting
forensic data, including:

 Service level agreements (SLAs) - A contract between a CSP and the customer that
describes what services are being provided and define the support level, penalties, and
system performance.

A CSP will have policies, standards, and guidelines that state who is authorized to access data and
what limitations apply to conducting acquisitions for an investigation.

Because the end user often does not know where their data is physically stored, law enforcement
must consider the legal processes involved and adhere to the local legal requirements. This is not
just a matter of acquiring a search warrant in the local jurisdiction; the effort could extend into
the CSP's jurisdiction as well. End user privacy also becomes an issue in cross-jurisdictional
cases. Investigators can be held liable in cloud investigations where laws such as privacy laws are
breached.

When conducting cloud investigations there are a number of challenges, including the CSP's
architecture, how to collect the data, and access to cloud server logs. Analyzing digital evidence
from the cloud requires verifying the data against other data and logs, and may include
reconstructing the data.
Encountering encryption during a cloud investigation is a strong possibility.

Data in the cloud may be encrypted in two states:
 Data at rest: data that has been written to disk
 Data in motion: data being transmitted over a network

Investigating cloud-related incidents follows the same systematic approach as standard server-based
investigations: plan the investigation, search for and recover the data, examine it, and report on
the findings.

There are a number of online storage and file sharing solutions such as Dropbox, Google Drive, and
OneDrive. These services offer free storage tiers (for example, 2 GB for Dropbox and up to 15 GB
for Google Drive and OneDrive at the time of writing; check the current limits). A number of tools
can access and analyze data stored in the cloud.

Summary
During this module we have explored:
 Email clients
 Email servers
 Mobile devices and how to extract forensic data

Knowledge Check
1. What is Orthogonal Frequency Division Multiplexing?
2. What is one website to find an email server administrator online?
3. What is a cell tower called?
4. What is one way to isolate a mobile device?
5. What technologies are going mobile?

Answer Key
1. Uses numerous carriers instead of single carrier
2. Arin.net
3. Base transceiver station
4. Airplane mode
5. Hypervisors and Internet of Things

End of Module
You have completed Module 8 - Email, Cell Phone, and Mobile Device Forensics. Remember to
check the timeline before you proceed to the next module to ensure that you have completed
any assignments as required. Check with your instructor if you have any questions.
Computer Forensics and Investigations:
Module 9 – Generate report findings with
forensic software tools and prepare for
court depositions and testifying in court
Modes of Learning
 Assignments
 Textbook Readings

Introduction
In this module, we will discuss the structure and writing of forensic reports, how to prepare for
and provide expert testimony, and professional ethics.

Learning Outcomes
Upon completion of this module, you will be able to:
 Examine the structure of report writing in high-tech investigations.
 Discuss how to prepare report findings using reports generated with forensic software
tools
 Examine methods to prepare for testimony and testifying in court
 Determine how to prepare depositions or hearings and how to explain forensics
evidence
 Review the role of an expert forensic examiner witness including the general code of
ethics

Key Terms and Concepts
Some important key terms and concepts within this module include:
 Federal Court Rules
 Report structure
 Curriculum vitae
 Testimony
 Ethics
 Code of ethics
Reports and their importance
A forensic report provides the detailed justification for the gathering of evidence and the
resulting investigation. In the US, Rule 26 of the Federal Rules of Civil Procedure, and in Canada,
Rule 52.2 of the Federal Court Rules, govern the criteria for submitting an expert's written
report. Writing and supporting the conclusions in a report comes down to taking all the information
gathered into consideration while forming an opinion. The report may be used as an expert opinion
and be admissible in court. Keep a copy of all documentation relating to the investigation,
including any court-related information. Reports to clients should start with the project outcome.

There are multiple types of reports: a formal report covering the investigation findings, a
preliminary report, a verbal report, or an examination plan. A written report may include an
affidavit or declaration and should be limited to the details of the investigation and the material
that supports the findings. Preliminary and verbal reports are less formal; they address the current
status of the investigation and what still needs to be completed. A preliminary report is
considered a high-risk document because it is subject to discovery. An examination plan is outlined
by a lawyer and provides a guideline of the questions to expect when testifying; it can also be used
to clarify or define information and to educate the lawyer on digital forensics.

Clearly defining the outcomes reduces scope creep and ultimately costs and timeline. Write the
report for its audience: the people reading it may not have the investigator's technical
background, so the report may need to educate the reader on technical terms and processes.

When creating the report, remember that anything included in it is subject to discovery by
opposing counsel. Discovery is the process by which opposing attorneys seek information from each
other.

Take care not to destroy any reports prior to resolution of the case, since this could be
considered destroying or concealing evidence.

Because opposing counsel may use a report to discredit the investigator's testimony, a preliminary
report should contain the same information as the verbal reports given on the case.

Reports have a standard logical structure that builds each argument on the previous one and
usually includes the following items:
 Abstract (summary): provides the essential information in the report
 Table of contents
 Body of report: includes the introduction and discussion sections
 Conclusion: refers to the report's purpose, the main points, the conclusions, and possibly
an opinion
 References: list the supporting material for the examination
 Glossary
 Acknowledgements
 Appendixes

The final report needs to be clear and concise, with very little jargon or industry-specific
terminology. Check that the report is easy to read, the ideas are organized, and the grammar and
punctuation are correct. Use signposts to highlight specific investigation points.

Testimony
Lawyers ask experts hypothetical questions based on factual evidence, and the expert answers them
based on that evidence and on experience. When a case goes to trial, a digital forensics examiner
may testify as a fact witness or as an expert witness. A fact witness only presents the facts of
the investigation: the evidence and how it was obtained. An expert witness testifies to an opinion
or conclusion based on experience and reasoning. When testifying in either capacity, learn as much
as possible about the case, including the lawyers, the victim, the complainant, and any opposing
experts or fact witnesses.

When preparing your testimony consider the following questions:
• What is the story of the case?
• What is the client's overall theory of the case?
• How does my opinion support the case?
• What is the scope of the case? Have I gone too far?
• Have I identified the client's needs for how my testimony fits into the overall theory of
the case?

As always, document everything: the steps taken, the dates and times the work was done, and the
results, so that the work can be shown to be repeatable. Conduct a peer review, validate the tools
used, and verify evidence with hash algorithms to ensure integrity. Also be sure to maintain the
chain of custody: a break in the chain of custody can be the difference between success and
failure.
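As an added illustration (not from these notes), the following Python shows the integrity and chain-of-custody checks in code: the evidence item is hashed with SHA-256 at acquisition, every hand-over is recorded with the hash the custodian observed plus the hash of the previous entry, and verification later confirms both that the evidence still matches its acquisition hash and that no custody entry was altered or removed. The item identifier, custodians, timestamps and "disk image" bytes are made up for the example.

```python
"""Hash verification and a tamper-evident chain-of-custody log.
Added example; evidence bytes, item IDs and custodians are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # 'previous entry hash' used by the first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an evidence item (a disk image, file, or export)."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own hash), canonically encoded
    so that the same fields always produce the same hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only record of who handled an evidence item, when, why, and the
    hash they observed.  Each entry carries the previous entry's hash, so an
    edited or removed entry breaks the chain and is detectable."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, action: str, custodian: str, data: bytes, when: str = None) -> dict:
        entry = {
            "item": self.item_id,
            "action": action,             # e.g. acquired, transferred, examined
            "custodian": custodian,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_hex(data),   # hash verified by this custodian
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes):
        """Return (evidence_ok, log_ok).
        evidence_ok: the bytes still match the hash recorded at acquisition and
                     every later custodian observed that same hash.
        log_ok:      every entry's hash is valid and links to its predecessor."""
        if not self.entries:
            return False, False
        acquisition_hash = self.entries[0]["sha256"]
        evidence_ok = sha256_hex(data) == acquisition_hash and all(
            e["sha256"] == acquisition_hash for e in self.entries)
        log_ok, prev = True, GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                log_ok = False
                break
            prev = e["entry_hash"]
        return evidence_ok, log_ok


if __name__ == "__main__":
    image = b"constructed disk image contents" * 1024   # stands in for a .dd file
    log = CustodyLog("HDD-2024-001")
    log.record("acquired", "Examiner A", image, "2024-03-04T09:00:00+00:00")
    log.record("transferred", "Evidence clerk", image, "2024-03-04T11:30:00+00:00")
    print(log.verify(image))            # (True, True)
    print(log.verify(image + b"\x00"))  # (False, True): evidence altered, log intact
```

The two results are deliberately separate: a report can then state precisely which failed, the evidence (a hash mismatch against the acquisition hash) or the paperwork (a custody entry that no longer hashes to the value its successor links to), which is exactly the distinction opposing counsel will probe in cross-examination.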

Experts are vetted by the court; this includes providing a curriculum vitae (CV) or resume for
review that lists experience, training, published papers, qualifications to testify, and other
pertinent information.
Some court cases generate interest from the news media. As an expert it is best to avoid the media,
so that comments taken out of context do not harm the case.

Trials are adversarial by nature. Once the expert has been presented to the court as an expert, the
retaining lawyer leads the expert through the evidence and the opposing attorney tries to discredit
the expert during cross-examination. Experts need to be prepared for trial and understand that any
question is possible. When the information in the report is challenged in an attempt to discredit
it, stay calm and answer definitively. Be prepared to explain any aspect of the investigation,
including the technology used within the scope of the examination.

Ethics
Ethics are rules you internalize and use to measure your own performance. Many professions have
codes of professional conduct, responsibility, or ethics; where a licensing body exists, these are
standards that must be adhered to. People need ethics to help maintain their balance and
self-respect in difficult situations. There is currently no single code of ethics for forensic
investigators; experts are bound by their own personal ethics and the ethics of their professional
organizations.

An expert witness should present unbiased, specialized, and technical evidence to a jury. Expert
witnesses testify in a significant number of cases. Digital forensics examiners have two possible
roles, fact witness or expert witness. An expert witness can testify even if they were not present
when the event occurred or did not handle the data storage device personally.

Experts can be disqualified for violating court rules. Opposing counsel might attempt to disqualify
the expert based on several factors, such as discussions or material deemed confidential,
deviations from opinions provided in previous cases, and many others.

An expert witness must avoid obvious ethical errors such as presenting false evidence, reporting
work that was not done, ignoring available contradictory data, allowing the hiring lawyer to
influence the expert's opinion, and failing to report possible conflicts of interest.

Although no single source offers a definitive code of ethics for expert witnesses, several
organizations provide ethical guidance.

The ISFCE code of ethics guidelines outline the following:
• Maintain the utmost objectivity in all forensic examinations and present findings
accurately
• Conduct examinations based on established, validated principles
• Testify truthfully in all matters before any board, court, or proceeding
• Avoid any action that would appear to be a conflict of interest
• Never misrepresent training, credentials, or association membership
• Never reveal any confidential matters or knowledge learned in an examination without
an order from a court of competent jurisdiction or the client's express permission

Another organization is the HTCIA, whose core values include the following requirements related
to testifying:
• The HTCIA values the Truth uncovered within digital information and the effective
techniques used to uncover that Truth, so that no one is wrongfully convicted
• The HTCIA values the Integrity of its members and the evidence they expose through
common investigative and digital forensics best practices, including specialized
techniques used to gather digital evidence

The tools you use to recover, control, and track evidence are subject to review by opposing
parties. If the court deems them unreliable, the evidence recovered with those tools might not be
admitted. Investigators build their own tool sets; the tools in that set need to be validated so
that the court can be satisfied that the evidence gathered with them is admissible.

Summary
During this module we have discussed the following:
 Expert witness rules in Canada and the US
 The forensics report structure
 Preparation for a trial
 Forensics expert roles during a court case
 Expert witness ethics
 The adversarial nature of court proceedings

Knowledge Check
1. In Canada what rule from the Federal Court Rules applies for expert witnesses?
2. What part of the report is known as a summary?
3. How does a fact witness differ from expert witness?
4. A curriculum vitae should include?
5. What technologies are going mobile?

Answer Key
1. 52.2
2. Abstract
3. A fact witness only provides a fact based testimony
4. Experience, education, and training
5. Hypervisors and Internet of Things

End of Module
Congratulations! You have completed Module 9 – Generate report findings with forensic
software tools and prepare for court depositions and testifying in court.
That’s all folks!!!
