What Is Forensic Science?

• Forensic Science = using scientific methods to collect and examine facts about past events so they hold up in court.
• “Forensic” means legal or related to law.
• Examples of forensic disciplines: Pathology (injuries), Biology (blood), Jurisprudence (law theory), and Computer Forensics.

What Is Computer Forensics?

• A branch of forensic science focused on finding and analyzing digital information (files, logs, emails) as evidence in legal or corporate cases.

• Main tasks:

  • Recover hidden or deleted data.
  • Prove who did what, when, and how on a computer or storage device.
  • Produce evidence that can incriminate (blame) or exonerate (clear) someone.

Related Fields

• Network Forensics

  • Examines network logs to see how and when someone accessed a network, which websites they visited, and what changes they made.

• Data Recovery

  • Retrieves lost or accidentally deleted files (e.g., after a crash). You usually know exactly what file you’re looking for.

The Investigation Triad

Digital security in a company uses three main areas:

1. Vulnerability Assessment & Risk Management

   • Test systems for known weaknesses (e.g., unpatched software).
   • People in this team launch controlled attacks to find and fix holes.

2. Network Intrusion Detection & Incident Response

   • Monitor for attacks or misuse.
   • When an intrusion happens, block it, track the attacker’s methods, and shut down their access.

3. Computer Investigations

   • Handle incidents that already happened.
   • Steps: Identify what devices and data are involved → Analyze to extract evidence → Report findings.

Challenges in Computer Forensics

• Data may be encrypted or deliberately hidden.
• Evidence can live on many types of media (hard drives, SSDs, CDs, virtual machines, phones).
• Technology and hiding techniques evolve constantly.

Key Terminology

• Litigation: Legal process of proving someone’s guilt or liability in court.

• Evidence: Facts or data showing whether something is true.

  • Inculpatory = incriminating.
  • Exculpatory = clears the suspect.

• Affidavit: A sworn statement of facts submitted to a judge (often to obtain a search warrant).

• Case Law: Decisions from earlier court cases used when no specific statute exists.

• Chain of Custody: Complete history of who handled a piece of evidence, from seizure to courtroom. If broken, evidence may be thrown out.

• Integrity: Assurance that evidence hasn’t been tampered with.

• Investigation: Systematic process of gathering facts to prove guilt or innocence.

• Methodology: A standard, step-by-step procedure investigators follow so they don’t miss anything or spoil the evidence.

Common Forensic Methodologies

Several formal models exist, for example:

• DOJ Model (U.S. Department of Justice)
• DFRW (Digital Forensics Research Workshop)
• ADFM (Abstract Digital Forensics Model)
• IDIP (Integrated Digital Investigation Process)
• EDIP (Enhanced Digital Investigation Process)

All share similar phases: Preparation → Collection → Examination → Analysis → Reporting.

Types of Investigations

• Public (Legal) Investigations

  • Run by law-enforcement or government agencies under criminal law.
  • Example: A hacker steals money from a bank.

• Private (Corporate) Investigations

  • Run by companies under internal policy, not always involving police.
  • Example: An employee uses company email to harass a colleague.

Public-Case Workflow

1. Complaint: Someone reports an illegal act.
2. Investigation: Forensic team gathers and analyzes evidence.
3. Prosecution: Findings (with the investigator’s affidavit) are used to build a court case.

The Forensic Investigator’s Role

• Level 1 (Police Officer): Seizes digital evidence at the scene.
• Level 2 (Detective): Manages the case, interviews suspects.
• Level 3 (Forensic Expert): Has deep technical training to handle, recover, and analyze digital evidence end-to-end.

Investigator Expertise & Conduct

• Must know multiple platforms (Windows, macOS, Linux, plus older systems and mobile devices).

• Should keep growing their technical skills and network with other experts.

• Professional conduct demands:

  • Objectivity (no bias)
  • Integrity (honesty)
  • Credibility (trust)
  • Confidentiality (keep case details private)

Certifications & Laws

• Popular certifications: GCFE/GCFA (SANS), CCE (ISFCE), CHFI (EC-Council), EnCE (EnCase), ACE (AccessData).
• Cyber laws vary by country and evolve rapidly—investigators must stay up to date with local regulations.

What Is Digital Forensics?

• Science using proven methods to preserve, collect, validate, identify, analyze, interpret, document, and present digital evidence.

Overview of a Computer Crime

• Police find computers and storage media at a crime scene.
• Always bag and tag each item (seal in evidence bags, label them).
• Lead detective tasks a forensic examiner to organize data that may prove the crime.

Core Forensic Process Phases

1. Acquisition – make a forensically sound copy of the evidence (e.g. hard disk).
2. Identification – find relevant digital pieces (files, pictures, logs).
3. Evaluation – decide which items are true evidence.
4. Admission – present evidence in court.

Common Methodology Examples

• DFRWS (2001):

1. Identification of incident
2. Preservation of integrity & Chain of Custody
3. Collection of data
4. Examination (deep technical search)
5. Analysis (draw conclusions)
6. Presentation (report and testify)

• GCFIM (2011):

1. Pre-Process (permissions, lab setup)
2. Acquisition & Preservation
3. Analysis (main evidence work)
4. Presentation (document findings)
5. Post-Process (archive or return evidence, review process)

Proper Procedure & Chain of Custody

• Follow a standard procedure every time.
• Chain of Custody form logs who handled evidence, when, and what was done.
• Use single-evidence or multi-evidence forms to track all actions.
• A broken chain invalidates evidence.

Systematic Investigation Steps (12-Point Checklist)

1. Assess case type.
2. Design preliminary approach.
3. Create detailed checklist.
4. Identify needed resources.
5. Obtain and copy evidence drive.
6. Identify risks.
7. Mitigate risks.
8. Test your design.
9. Analyze and recover data.
10. Investigate recovered data.
11. Complete case report.
12. Critique the case (lessons learned).

Handling a Case

• Stay objective and unbiased.
• Evidence may be exculpatory (proving innocence).
• Plan thoroughly and be systematic.

Assessing Case Requirements

• Define:

  • Nature of case (e.g., employee abuse).
  • Evidence types (OS, disk format, mobile devices).
  • Location of each item.

• Determine tools and special OS or file-system knowledge needed.

Planning Your Investigation

1. Acquire suspect hard drive.
2. Complete evidence form, establish CoC.
3. Transport to secure lab.
4. Lock in fireproof cabinet.
5. Prepare forensic workstation.
6. Retrieve for copying.
7. Make forensic (bit-stream) copy.
8. Return original to secure storage.
9. Process the forensic copy with tools.

Preserving & Securing Evidence

• Never tamper or contaminate evidence.
• Use padded, labeled containers or large evidence bags for bulky items.
• Record who recovered and who retrieved evidence, with dates, times, and locations.

Real-World Raid Example

• Officers bagged a suspect’s PC, USB drives, and cell phone.
• They photographed open windows (Explorer view) before moving anything.
• They noted the OS (e.g., Windows XP) and running applications.

“Dead Box” vs. “Live Box”

• Dead Box (powered off):

  • Copy disk later with hardware imager (HardCopy 3P) or at scene (Shadow) without altering evidence.

• Live Box (powered on):

  • Capture volatile data (RAM, passwords) with tools like CaptureGUARD, then shut down safely.

Forensic Investigator’s Role

• Receive documented items and media list.
• Analyze each item in the lab.
• Recover hidden, deleted, or encrypted data.
• Organize findings for report and testimony.

High-Tech & Corporate Investigations

• Use formal procedures and checklists for:

  • Employee termination (data theft, harassment).
  • Internet abuse (proxy logs, URL searches).
  • Email abuse (Outlook .pst/.ost, server logs, message headers).
  • Media leaks (e-mail, message boards, proxy logs).
  • Industrial espionage (sensitive documents, access logs).

What to Look For

• Internet Abuse: compare browser history to proxy logs; extract URLs and downloads.
• Email Abuse: examine headers; copy .pst/.ost; get server or web-mail data.
• Media Leaks: find outgoing attachments, emails to reporters, forum posts.
• Espionage: track copies of proprietary files, USB usage, network transfers.

Interviews vs. Interrogations

• Interview: gather facts from witnesses or suspects.
• Interrogation: attempt to get a confession from a suspect.

Bit-Stream Copy (Disk Image)

• Exact, sector-by-sector duplicate of the entire drive.
• Captures deleted files, fragments, slack space—unlike regular backups.
• Image file contains full data for complete analysis.

Computer Forensics Lab

• Where investigations happen, evidence is stored, and equipment resides.
• Labs should follow guidelines for management, certification, and auditing.

Physical Requirements

• Must be in a fully enclosed room with locked door.
• Provide secure environment to protect evidence.
• Keep inventory of all hardware and software.

Lab Security Needs

• Enclosed room (floor-to-ceiling walls).
• Locking door access.
• Secure containers (lockers).
• Visitor log.
• Security policy.

Evidence Containers

• Use secure evidence lockers in restricted area.
• Limit authorized access, keep records of access.
• Keep containers locked when not in use.
• Use high-quality locks; manage duplicates carefully.

Combination Locks

• Protect combinations as securely as contents.
• Destroy old combinations when changed.
• Change combinations every six months.
• Only authorized personnel can change combination.

Keyed Padlocks

• Appoint key custodian.
• Stamp keys with sequential numbers.
• Maintain registry of key assignments.
• Audit keys monthly; store in lockable container.
• Change locks and keys annually.

Physical Security Policy

• Create and enforce a formal security policy.
• Use visitor sign-in logs; escort all visitors.
• Provide visitor badges.
• Install intrusion alarms.
• Consider security guard.

Auditing the Lab

• Inspect ceiling, walls, doors, and locks monthly.
• Review visitor logs and container logs.
• Secure evidence at end of day if not actively processing.

Lab Floor Plans

• Configure workspace based on budget, space, and caseload.
• Small labs: one workstation can handle 2–3 cases per month.
• Ensure at least two exits.

Forensic Workstation Selection

• Use basic workstations for routine tasks.
• Use high-end multipurpose workstations for advanced analysis.

Hardware Peripherals Stock

• SCSI/IDE cables, floppy ribbon cables.
• SCSI cards (ultra-wide).
• PCI and AGP graphics cards.
• Power cords.
• Spare hard drives with IDE/SATA adapters.
• Hand tools.

OS and Software Inventory

• Maintain licensed copies of Office suites, finance apps, programming languages.
• Keep viewers (QuickView, ACDSee, IrfanView).
• Include OpenOffice, Peachtree, etc.

Forensics Workstation Components

• Write-blocker device.
• Acquisition tool.
• Analysis tool.
• Target drive for suspect data.
• Spare PATA/SATA/USB ports.

Disaster Recovery Plan

• Prepare for disk crashes, power outages, lightning.
• Maintain on-site and off-site backups.
• Use configuration management to log workstation updates.

Course Tools (Software)

• ProDiscover, FTK, Imager, Registry Viewer, PRTK.

Course Tools (Hardware)

• HardCopy 3P, Shadow 3, DriveWiper.

HardCopy 3P

• Forensic duplicator: copies source drive to one or two destinations with source write-blocked.

Shadow 3

• Portable forensic lab: examine suspect drive in field; redirects writes to internal drive, keeping original unchanged.

DriveWiper

• Portable hard-drive sanitizer: wipes drives to government standards.

Forensic Procedures

1. Seize, tag, and bag all original media
2. Data Acquisition: make a bit-for-bit copy of the media
3. Data Analysis: work only on the copy, never on the original

What Is Data Acquisition?

• First step in any digital investigation
• Process of obtaining a bit-stream copy (exact clone) of storage (HDD, USB, etc.)
• Analysts always work from copies to protect originals

Acquisition & Verification

• Must verify that the copy is identical to the original
• Verification and acquisition are key to keeping evidence legally valid

Disk Image & Fingerprints

• A disk image is a file containing every sector of a storage device
• Created via sector-by-sector copy so structure and contents match exactly
• Use a unique digital fingerprint (hash) before and after imaging to prove integrity

Storage Formats

1. Raw (dd)

   • Bit-for-bit copy with no extras
   • Pros: Fast, widely readable
   • Cons: Same size as original, may skip bad sectors

2. Proprietary (e.g., .E01, .eve)

   • Can compress and split images, embed metadata
   • Cons: Not always tool-compatible, size limits on segments

3. Advanced Forensics Format (AFF)

   • Open, extensible, supports compression and metadata, no size limit

Acquisition Methods

1. Bit-stream disk→image file (most common; tools: EnCase, FTK, ProDiscover)
2. Bit-stream disk→disk (when file output not possible; tools: SafeBack)
3. Logical acquisition (copies only files/folders of interest)
4. Sparse acquisition (captures logical files plus deleted-space fragments)

What to Consider

• Disk size: use compression or alternate storage (tape backup)
• Disk geometry & HPA: hardware tools may be needed to copy hidden areas
• Encryption: be ready to handle full-disk encryption

Contingency Planning

• Always make two independent copies using different tools
• Ensure Host Protected Area (HPA) is imaged via BIOS-level hardware tools
• Have procedures for encrypted drives

Acquisition Tools

• Windows tools (FTK Imager, ProDiscover) are convenient with USB docks

  • Must use a write-blocker to prevent altering source media
  • Cannot always access HPA

• Linux Live CD (read-only boot): no write-blocker needed, tools include FTK Imager

Validating Acquisitions

• Use hashing algorithms: CRC-32, MD5, SHA-1 to SHA-512
• Three forensic hash rules:

1. You cannot predict a hash value before computing it
2. No two different files/devices have the same hash
3. Any change in data produces a different hash

RAID Acquisitions

• RAID = multiple disks working together (levels 0, 1, etc.) for performance or redundancy
• Concerns: total data size, RAID level, correct tool to read combined or split images

Remote Network Acquisition

• Copy data over the network from a live system
• Benefits: no physical access needed
• Drawbacks: slower speeds, network permissions, heavy traffic issues

Digital Hash & Hash Functions

• A hash is a fixed-length “fingerprint” of data (disk image or file)
• Common functions: MD5, SHA-1
• Hashing confirms data identity and that no changes occurred

Computer Forensics

• Computer forensics means collecting and examining digital information to find out exactly what happened on a computer and who did it.
• Its goal is to run a step-by-step investigation and produce reliable evidence.

Computer Crime

• Any crime that uses a computer or attacks a computer.
• Two main types:

1. Computer as a tool: using a computer to commit fraud, send threatening emails, share illegal files, etc.
2. Computer as a target: hacking into systems, Denial-of-Service attacks, spreading viruses or worms.

Digital Evidence

• Any data stored or sent in digital form that can be used in court.
• Every action on a system leaves a trace.
• To be valid in court, evidence must be admissible, authentic, and have a clear reason for collection.

Forensic Disciplines vs Related Fields

• Network forensics: shows how an attacker entered or moved through a network.
• Data recovery: retrieves files lost by accident or system crash when you know what you’re looking for.
• Disaster recovery: uses similar techniques to recover lost data after floods, fires, or hardware failures.

Key Case Study (American Express)

• Amex lost a case because they couldn’t prove their electronic records hadn’t been tampered with.
• Lesson: keep clear access controls, log every change, back up data properly, and use trusted timestamps.

Who Uses Computer Forensics

• Criminal prosecutors in court.
• Civil lawyers in divorce, fraud, discrimination cases.
• Insurance companies to fight fraud.
• Private companies investigating employee misconduct.
• Police for search warrants and investigations.
• Individuals hiring experts for wrongful termination or harassment claims.

Cybercrime Overview & History

• Cybercrime uses computers or the internet to steal data, money, or harm systems.
• First spam: 1978. First PC virus: 1982.
• Category 1 – Computer as target: hacking, worms, DoS.
• Category 2 – Computer as weapon: online fraud, cyber terrorism, child pornography.

Types of Cybercrime

• Hacking: illegal access to systems.
• DoS attacks: overwhelm resources to block legitimate users.
• Malware: viruses, Trojans, worms.
• Vandalism: destroying or corrupting data.
• Piracy: illegal copying of software.
• Fraud & Extortion: phishing, ransomware, net extortion.
• Phishing: tricking users into revealing private data.
• Cyber terrorism: attacks on critical infrastructure.

Identity Theft & Fraud

• Identity theft is stealing someone’s personal info to use without permission.
• Signs: bills for debts you didn’t incur, missing statements, calls about someone else’s accounts.
• How it happens: stealing mail, tricking you into giving info, stealing wallets.
• Risk reduction: shred documents, use strong passwords, update security software, watch bank statements.
• If stolen: place fraud alert on your credit report, check all three credit bureaus, file an FTC report, file a police report.

Types of Cyber Forensics

• Military forensics: rapidly find evidence, estimate impact, and identify attackers in defense systems.
• Law enforcement forensics: collect and analyze evidence so it holds up in court.
• Business forensics: monitor computers remotely, recover stolen software, track insider threats.

Common Forensic Services

• Locating stolen files and recovering deleted data.
• Setting up honeypots to catch intruders.
• Comparing data against known patterns.
• Converting file formats, searching keywords, decrypting passwords.

Incident Response (IR)

• IR handles events that threaten confidentiality, integrity, or availability (CIA).
• Phases of IR:

1. Preparation: create policies, build a response toolkit, train the team.
2. Detection: use intrusion-detection systems and log monitoring.
3. Containment: isolate affected systems, change firewall rules, disable bad accounts.
4. Eradication: remove malware and fix vulnerabilities (with specific steps for UNIX or Windows).
5. Recovery: rebuild systems, restore data from backups, install patches.
6. Follow-up: conduct a post-mortem, update procedures, learn from mistakes.

IR Architecture & Policies

• A clear policy states what users and admins may or may not do and outlines penalties for violations.
• IR capability must be an official part of the organization’s security plan.

IR Risk Analysis

• Assess risks by estimating financial cost, operational impact, public relations fallout, and legal issues.
• Common risk types: break-in, DoS, virus, spoofing, session hijacking.
• Data sources: internal logs, CERT, public vulnerability reports.

IR Team Organization

• In-house team: knows company culture and handles sensitive data.
• Outsourced team: specialized skills and tools.
• Teams liaise with law enforcement, media, and other IR groups.
• Success metrics: number of incidents, response time, money saved, user feedback, external recognition.

Incident Handling Lifecycle

Preparation → Identification → Forensic Analysis → Containment → Eradication → Recovery → Lesson Learned

This cycle repeats and is updated after each incident to improve future response.

• Reporting: share findings with stakeholders and law enforcement if necessary.
• Preparation: create policies, build a response toolkit, train the team.
• Identification: use intrusion-detection systems and log monitoring.
• Forensic Analysis: collect and analyze evidence.
• Containment: isolate affected systems, change firewall rules, disable bad accounts.
• Eradication: remove malware and fix vulnerabilities (with specific steps for UNIX or Windows).
• Recovery: rebuild systems, restore data from backups, install patches.
• Lesson Learned: conduct a post-mortem, update procedures, learn from mistakes.
• Post-Incident Review: analyze the incident, identify weaknesses, and improve policies.
• Documentation: keep detailed records of the incident, actions taken, and lessons learned.
• Reporting: share findings with stakeholders and law enforcement if necessary.
• Follow-up Actions: implement recommendations and monitor for future incidents.
• Training and Awareness: educate employees about security policies and procedures.
• Continuous Improvement: regularly review and update incident response plans based on new threats and technologies.