CYSE 407

Digital Forensics

This course introduces the basic concepts and technologies of digital forensics. I learned the fundamental techniques and tools utilized for collecting, processing, and preserving digital evidence on computers, mobile devices, networks, and cloud computing environments. We also engaged in written communication to report digital forensic findings and prepare court presentation materials. I was able to learn a lot through the discussion board posts in which we had to do research and answer the prompts. I have provided the discussion boards below for a look at what I learned. 

Course Material

Discussion Board 1: Day in the life

Do some online research and come up with a “Day in the life of a computer forensic investigator”.

In a typical day, a computer forensic investigator's role centers on collecting and analyzing digital evidence from devices such as computers and cellphones. The day may start with evaluating new case assignments and gathering digital evidence. Once evidence is collected, investigators meticulously analyze the data and determine its relevance and implications for the case. Their responsibilities also include drafting detailed reports that articulate their findings, and potentially testifying in court. Furthermore, because cyber threats are constantly evolving, an investigator's day may include assessing weaknesses in an organization's cybersecurity measures and proposing solutions. Responsibilities and workloads vary from day to day.

Discussion Board 2: Evidence

  • What are some of the “gotchas” when attempting to acquire evidence? (What could hamper evidence collection)
  • How can we get evidence from damaged systems/media?

There are several “gotchas” when attempting to acquire evidence. The first is data encryption: encryption scrambles data, and handling encrypted data requires specialized tools and expertise. The next is the chain of custody. Forensic investigators have to maintain a documented chain of custody, because it is crucial to ensuring the authenticity and integrity of evidence; evidence that is not handled properly can be thrown out in court. The third is user obfuscation: malicious hackers may destroy or hide evidence, and investigators have to try to preserve that data. Evidence can be recovered from damaged systems in a few different ways. Investigators can use specialized hardware such as write blockers and data recovery tools. Data recovery software such as Recuva, R-Studio, or EnCase can be used to recover files from damaged or corrupted media. Forensic imaging, creating a bit-by-bit image of the media, may also still be possible, allowing analysts to work from a copy of the data rather than the original media.

Discussion Board 3: Digital Forensic Investigations

  • What rules and regulations do we have to follow for getting, analyzing, and storing evidence?
  • Do the same rules apply to government investigations as for private organizations?

In digital forensic investigations, several key rules and regulations must be followed when getting, analyzing, and storing evidence. One is the chain of custody, which is vital for maintaining the integrity of evidence: documenting every person who handles the evidence, along with the time and date of access, ensures accountability and traceability. Next is legal compliance: investigators must adhere to relevant laws, such as the Fourth Amendment regarding search and seizure, as well as data protection regulations like GDPR and HIPAA when applicable. Another rule is the preservation of evidence. Ensuring that evidence remains unaltered is critical, and using write blockers and creating forensic images of storage devices is standard practice for maintaining data integrity.

The same rules do not apply to government investigations as to private investigations. Government investigations are subject to stricter regulations, including additional oversight, specific protocols, and compliance with public accountability standards. Government agencies and private organizations may also have their own policies and internal regulations that establish the procedures they must follow.

Discussion Board 4: File Systems

Windows, Apple, and Linux all have different file systems. How does each of them work?

What files and logs are forensically interesting when doing an investigation?

In digital forensics, understanding the various file systems across Windows, macOS, and Linux is essential, as each operates differently and presents unique forensic artifacts.

Windows primarily uses NTFS (New Technology File System). NTFS is robust, supporting large file sizes and security permissions, and includes features like journaling, which helps recover data after crashes. Forensically interesting artifacts include the $MFT (Master File Table), which contains metadata about all files and directories. The $LogFile is valuable for understanding recent operations, and other artifacts like RecentDocs and the thumbnail cache can provide insights into user activity.

Apple (macOS) utilizes HFS+ (Hierarchical File System Plus) and the newer APFS (Apple File System). APFS is optimized for solid-state drives and includes features such as cloning, snapshots, and encryption.

Linux typically uses ext4 (Fourth Extended File System), known for its stability and efficiency with journaling features. Other file systems like Btrfs and XFS are also used, depending on specific use cases.

Discussion Board 5: Metadata

What metadata can we get from various files?

How can it help in an investigation?

Metadata obtained from various files provides valuable insights that can be crucial to an investigation, including information about a file's origin, properties, usage, and modifications. Different file types, such as images and documents, carry their own metadata that reveals in-depth details about the file. For document files, key metadata elements include creation and modification dates, editing history, and evidence of any tampering. In image files, metadata can reveal GPS coordinates indicating where a photo was taken, precise timestamps for when the image was captured, and details about the camera used. While many file types carry useful metadata, those mentioned are particularly significant in forensic investigations. The specific metadata required varies with the investigation, but its richness and utility remain invaluable, offering insights that might not be uncovered through the file content alone.
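As an added example (not part of the original discussion posts), the Python below builds a constructed NTFS $MFT FILE record, the artifact described under Discussion Board 4, and parses it back to expose the file-system metadata discussed here: the $STANDARD_INFORMATION and $FILE_NAME timestamps, the in-use flag, and the comparison of the two creation times that analysts use as an indicator of timestamp tampering. The record layout follows the documented NTFS on-disk format; the file name and dates are made up, and the parser handles only resident attributes.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME epoch
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF            # attribute type codes
to_filetime = lambda dt: (dt - EPOCH) // timedelta(microseconds=1) * 10   # 100 ns ticks
from_filetime = lambda ft: EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(atype, content):                            # 24-byte header + content, 8-byte aligned
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")

def build_record(name, si_times, fn_times, in_use=True):      # constructed 1024-byte FILE record (test data)
    si = struct.pack("<4Q4I", *map(to_filetime, si_times), 0x20, 0, 0, 0)
    fn = struct.pack("<5Q2QIIBB", 5, *map(to_filetime, fn_times), 0, 0, 0, 0, len(name), 1)
    body = resident_attr(STD_INFO, si) + resident_attr(FILE_NAME, fn + name.encode("utf-16-le"))
    rec, usa_off, first = bytearray(1024), 0x30, 0x38
    rec[first:first + len(body) + 4] = body + struct.pack("<I", END)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", usa_off, 3, 0, 1, 1, first, int(in_use), first + len(body) + 4, 1024)
    struct.pack_into("<H", rec, usa_off, 1)                   # USN; the fixups below mimic what NTFS writes on disk
    for i, end in enumerate((510, 1022)):                     # save each sector's real last word, overwrite with USN
        rec[usa_off + 2 + 2*i:usa_off + 4 + 2*i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, 1)
    return bytes(rec)

def parse_record(raw):                                        # verify signature, undo fixups, walk attributes
    rec = bytearray(raw)
    sig, usa_off, usa_count, _, seq, _, first, flags = struct.unpack_from("<4sHHQHHHH", rec, 0)
    if sig != b"FILE": raise ValueError("not an MFT FILE record")
    usn = rec[usa_off:usa_off + 2]
    for i, end in enumerate(range(510, 512 * (usa_count - 1), 512)):   # a mismatch means a torn write or corruption
        assert rec[end:end + 2] == usn, "fixup mismatch at sector end"
        rec[end:end + 2] = rec[usa_off + 2 + 2*i:usa_off + 4 + 2*i]
    out, off = {"in_use": bool(flags & 1), "sequence": seq}, first
    while (atype := struct.unpack_from("<I", rec, off)[0]) != END:
        length, csize, coff = struct.unpack_from("<I8xIH", rec, off + 4)   # resident attribute layout only
        content = rec[off + coff:off + coff + csize]
        if atype == STD_INFO:
            out["si_times"] = [from_filetime(t) for t in struct.unpack_from("<4Q", content, 0)]
        elif atype == FILE_NAME:
            out["fn_times"] = [from_filetime(t) for t in struct.unpack_from("<4Q", content, 8)]
            out["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        off += length
    out["si_created_before_fn"] = out["si_times"][0] < out["fn_times"][0]   # a common timestomping tell
    return out

def demo():                                                   # two constructed records: untouched vs. backdated $SI
    real, fake = [datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)] * 4, [datetime(2019, 1, 1, tzinfo=timezone.utc)] * 4
    return parse_record(build_record("evidence.docx", real, real)), parse_record(build_record("evidence.docx", fake, real))
```

The fixup step matters because in a real record the last two bytes of every 512-byte sector hold the update sequence number rather than data, so a parser that skips it reads corrupted attribute bytes near sector boundaries.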

Discussion Board 6: Analysis and Validation

What techniques might criminals use to hide data or activities?

In the digital landscape, criminals employ a variety of techniques to safeguard their data and engage in unlawful activities. One primary method is encryption, which allows them to protect their files from unauthorized access. Additionally, they often use obfuscation to disguise these files, making them appear as normal data while concealing actual criminal information. Virtual Private Networks (VPNs) are another commonly utilized tool, enabling criminals to mask their activities and obscure their IP addresses. Despite these efforts, forensic specialists possess a range of tools and expertise to recover and uncover such criminal activities, illustrating the ongoing battle between illicit actors and those dedicated to upholding cybersecurity.

Discussion Board 7: Expert Witness

What qualifies a person to be an expert witness?

An expert witness is someone who possesses specialized knowledge, training, or experience in a particular field that is pertinent to a case. Their expertise should exceed the general understanding of the average person and can be acquired through education, professional certifications, or extensive hands-on experience. For instance, a computer forensics expert may hold a degree in cybersecurity, have certifications like Certified Computer Examiner (CCE), and have practical experience in investigating cybercrimes. The court relies on these experts to break down complex or technical information so judges and juries can comprehend it.

To qualify as an expert witness, an individual must prove their credentials to the court. This typically involves submitting a resume that outlines their relevant training, education, and professional experience. Attorneys from both sides may challenge the person’s qualifications to assess the reliability and relevance of their expertise. Once recognized as an expert, they are expected to provide opinions or explanations grounded in facts and evidence, maintaining objectivity and concentrating on their specific area of knowledge. Their primary purpose is to illuminate the truth rather than advocate for either party involved in the case.