Digital Forensics
This course introduces the basic concepts and technologies of digital forensics. Students will learn the fundamental techniques and tools utilized for collecting, processing, and preserving digital evidence on computers, mobile devices, networks, and cloud computing environments. Students will also engage in oral and written communication to report digital forensic findings and prepare court presentation materials.
At the end of this course students will be able to:
- Recognize the duties of a digital forensic investigator and the requirements of a lab environment.
- Utilize data collection tools and methods necessary for recovering and identifying different digital forensic artifacts left by attacks.
- Utilize appropriate methods to preserve the integrity of digital evidence and acquire a forensically sound image.
- Analyze different types of digital evidence to extract the related information important to a case under investigation.
- Prepare evidence, findings and results of analysis in a digital forensic report.
Course Material
Discussion 1 – Day in the Life
A day in the life of a computer forensic investigator is long, especially since computer forensic investigators can put in more than 40 hours a week depending on their deadlines and how many projects they have on their caseload (Munday, Day 2023). Since the cyber world is in a constant state of motion, even changing overnight, it would make sense for a computer forensic investigator to start and end their day by catching up on any new updates in the cyber world, especially in case those changes have a potential impact on their caseload. Next, one would need to check and follow up on any correspondence for outcomes on cases, meetings, information in regard to pending work, and potentially additions to their workload. If there were any updates to a case, then the investigator would add those to their case report. If that were the end of the case, the investigator would be able to close out the case and send it to the main contact for the information to be used either in a court of law or however the contact sees fit. Computer forensic investigators could be employed privately, on a government level, or even in the private or government sector. They can deal with cases ranging from national security to civil litigation and criminal investigation (What is computer forensics? 2024). If handling a case such as national security, the investigator would most likely be part of a team and would have daily meetings with team members, and weekly meetings with higher-ups to discuss the team’s findings in a collaborative effort, as well as potentially suggesting which measures the client should utilize in the future to prevent such a situation from occurring again.
References
Munday, R. (2023, April 19). Day to day of a computer forensics investigator: Main responsibilities. ComputerScience.org. https://www.computerscience.org/careers/computer-forensics-investigator/day-in-the-life/#:~:text=The%20Day%2Dto%2DDay%20of,in%20long%20hours%2C%20including%20weekends.
What is computer forensics? IBM. (2024, March 19). https://www.ibm.com/topics/computer-forensics#:~:text=Criminal%20investigations%3A%20Law%20enfo
Discussion 2 – Evidence
While doing some research on what could hamper evidence collection in digital forensic collection, I came upon an interesting article about emojis in messaging and how they are impacting digital forensic cases today. The point that the article brought up is that emoticons are not a valid form of written language; they are more of an encryption. When relating this to everyday life, this emoji has been the point of topic for many of my friends’ conversations, as we are all trying to figure out what it means. The same conversation could be held in court if there is an incriminating text message but, unfortunately, the message is mostly in emojis. The article goes on to describe a time when this situation has occurred: “Emoji usually represent what the predator wants to do to their victim; or in a drug or human trafficking case, what they’re selling” (Focus, Can your investigation interpret emoji? 2020). The best way for investigators to interpret emoticons is with context clues.
If a device is damaged and one needs to retrieve evidence from it, there are special tools and software an investigator can utilize. One such software is Magnet Forensics. Magnet AXIOM is able to recover, analyze, and report data from mobile devices, computers, and digital clouds.
Works Cited
Focus, F. (2020, May 12). Can your investigation interpret emoji? Forensic Focus. https://www.forensicfocus.com/articles/can-your-investigation-interpret-emoji/
Introduction to Magnet AXIOM. Magnet Forensics. (2022, December 2). https://www.magnetforensics.com/resources/introduction-to-magnet-axiom-webinar-nov-30/#:~:text=Magnet%20AXIOM%20is%20a%20complete,easily%20see%20the%20entire%20story.
Discussion 3 – Digital Forensic Investigations
When looking at how one obtains, analyzes, and stores evidence, it is important to keep the integrity of the evidence, meaning that it must be “admissible as evidence in a court of law” (Computer Forensics 2008). One way that this integrity can be ensured is by keeping up-to-date documentation of the chain of custody over the evidence. If it seems the evidence has been tampered with in any way, or if the integrity of the information is called into question, investigators can call upon the documented chain to see when and if the information has been changed. When handling government investigations, due to the complexity of the government, those under investigation are still awarded their constitutional rights, like those under investigation for a private matter. Unlike private organizations, the government has many departments with guidelines that each department must adhere to. Private investigations must continue to follow laws and constitutional rights, but they would not have to follow specific departmental guidelines.
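The integrity check behind a chain-of-custody record, as an added example that is not part of the original post or of any tool it names: the acquired image is hashed once at acquisition, every hand-off records the hash again, and a later verification shows both whether the image still matches and at which custody step a recorded hash first diverged. The evidence bytes, custodian names and timestamps are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the bytes of an acquired disk or phone image.
SAMPLE_IMAGE = b"\x00" * 512 + b"evidence-partition-data" + b"\xff" * 256


def image_hash(data: bytes) -> str:
    """SHA-256 of the acquired image; recorded at acquisition and rechecked later."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 timestamp of the hand-off
    custodian: str   # who took possession
    action: str      # acquired / received / returned, etc.
    sha256: str      # hash of the image as it was at that moment


@dataclass
class ChainOfCustody:
    entries: list = field(default_factory=list)

    def record(self, custodian: str, action: str, data: bytes, when: str = None) -> None:
        """Append one custody entry, hashing the image as it is right now."""
        when = when or datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(when, custodian, action, image_hash(data)))

    def verify(self, data: bytes):
        """Return (image_unchanged, first_divergent_entry).

        image_unchanged is True when the current image hash equals the hash
        recorded at acquisition (entry 0). first_divergent_entry is the index
        of the first custody entry whose recorded hash differs from the
        acquisition hash, i.e. the hand-off at which a change was first seen,
        or None when every recorded hash agrees.
        """
        baseline = self.entries[0].sha256
        divergence = next(
            (i for i, e in enumerate(self.entries) if e.sha256 != baseline), None
        )
        return image_hash(data) == baseline, divergence


if __name__ == "__main__":
    chain = ChainOfCustody()
    chain.record("A. Examiner", "acquired", SAMPLE_IMAGE, "2024-01-01T09:00:00+00:00")
    chain.record("B. Analyst", "received", SAMPLE_IMAGE, "2024-01-02T10:00:00+00:00")
    print(chain.verify(SAMPLE_IMAGE))  # (True, None): image intact, chain consistent
```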
Resources
Practical Mobile Forensics. (n.d.). https://subscription.packtpub.com/book/security/9781783288311/1/ch01lvl1sec12/rules-of-evidence#:~:text=However%2C%20there%20are%20five%20general,complete%2C%20reliable%2C%20and%20believable.
US-CERT. (2008). Computer Forensics.
Discussion 4 – Forensic Tools
When doing an investigation, I believe that the registry hive is the most forensically interesting; this is due to its ability to store a system’s usage history. A registry hive is able to monitor and collect data on a user profile hive just by the user logging into the system. This hive is able to keep track of the “user’s application settings, desktop, environment, network connections, and printers” (Stevewhims, Registry hives – win32 apps 2021). Another important part about this hive is that it updates itself each time the user logs into the system. The tools that this system uses to be able to keep track of all the information are extensions. Each extension means something different; for example, .log is a log that keeps track of all the changes to the key and value entries in the specific hive. If there is no extension, then it is a complete list of the data found in the hive.
References
Stevewhims. (2021). Registry hives – win32 apps. Win32 apps | Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
Discussion 5 – File Systems
The file that I found most forensically interesting is the UserData file. This is due to the fact that it keeps track of any data that the user in question creates. The log that I found most forensically interesting was the Event Log, especially since this log specifically can help create a timeline of who logged into the system and what they did while in the system. The event log is also able to keep track of a system failure or a hack/breach. In the event that files are offloaded, all one needs to do is utilize tools, like log patterns, to find those offline logs.
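The login timeline described above, as an added example that is not part of the original post: it reconstructs per-user sessions (who logged in, when, and what they ran) from exported security events. It assumes the events were exported in a simple comma-separated form (time, event id, user, logon type, process) and uses the Windows Security event IDs 4624 (logon), 4634 (logoff) and 4688 (process creation), which the post does not mention; the sample records are constructed.

```python
from datetime import datetime

# Constructed sample export: time,event_id,user,logon_type,process
SAMPLE_EVENTS = [
    "2024-05-21T08:02:11Z,4624,alice,2,-",
    "2024-05-21T08:05:40Z,4688,alice,-,C:\\Windows\\System32\\notepad.exe",
    "2024-05-21T08:06:02Z,4688,alice,-,C:\\Windows\\explorer.exe",
    "2024-05-21T08:30:00Z,4634,alice,2,-",
    "2024-05-21T23:10:05Z,4624,svc_backup,3,-",
    "2024-05-21T23:11:00Z,4688,svc_backup,-,C:\\Windows\\System32\\cmd.exe",
]

LOGON, LOGOFF, PROCESS_CREATED = 4624, 4634, 4688  # assumed Security log IDs


def parse_event(line: str) -> dict:
    """Split one exported record into typed fields."""
    ts, eid, user, logon_type, process = line.split(",", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(eid),
        "user": user,
        "logon_type": logon_type,
        "process": process,
    }


def build_sessions(lines) -> list:
    """Group events into login sessions per user, ordered by start time.

    A session opens at a 4624, collects the 4688 process launches that follow
    for that user, and closes at the next 4634. A session with no logoff
    (end is None) is kept, since an open session at the end of the log is
    itself an artifact worth reporting.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    open_sessions, closed = {}, []
    for e in events:
        u = e["user"]
        if e["id"] == LOGON:
            open_sessions[u] = {"user": u, "start": e["time"], "end": None,
                                "logon_type": e["logon_type"], "processes": []}
        elif e["id"] == PROCESS_CREATED and u in open_sessions:
            open_sessions[u]["processes"].append(e["process"])
        elif e["id"] == LOGOFF and u in open_sessions:
            session = open_sessions.pop(u)
            session["end"] = e["time"]
            closed.append(session)
    return sorted(closed + list(open_sessions.values()), key=lambda s: s["start"])
```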
References
Log management. Logz.io. (2024, May 21). https://logz.io/platform/log-management/
Lucideus. (2018, October 26). Introduction to event log analysis part 1 - windows forensics manual 2018. Medium. https://medium.com/@lucideus/introduction-to-event-log-analysis-part-1-windows-forensics-manual-2018-b936a1a35d8a#:~:text=In%20an%20event%20of%20a,information%20and%20the%20discovered%20artifacts.