Digital Forensics Essentials
1. Fundamentals of digital forensics investigation
Scope Template
Number 1
Introduction The scope of this topic is to introduce the history of digital forensics and to explain the importance of electronic evidence for solving various problems. It also explains digital forensics terminology, the goals of forensic analysis, the digital forensics process, and the challenges of digital forensics.
Content Template
Section Number 1.1
Section Title Digital Forensics: An Overview
Introduction In this section, we begin the fundamentals of the digital forensics course by introducing some definitions, terminology and fundamental concepts related to digital forensics and investigation. In the next sections, we continue our study, introduce the digital forensics process and the goals of forensic analysis, and shed light on some challenges that forensic examiners face when preparing and processing crime scenes.
Content Historically, the Internet and the services it offers have experienced periods of great progress and improvement. This achievement has created opportunities for e-commerce, distance learning, education, research, entertainment, and public discourse. This worldwide connectivity has also greatly improved the way we live, work, and communicate by overcoming the key traditional limitations of telecommunication systems. For example, the increased automation of the printing process and the introduction of digital mass media and storage greatly enhanced information sharing by increasing the availability, integrity, and confidentiality of huge data sources.
processes that users have no direct control over, such as the allocation
and recycling of disk blocks, file ID numbers, memory pages or
process ID numbers”[2].
The digital forensic process encompasses several operations that obtain and analyze digital data for the purpose of extracting digital evidence from a crime scene. In general, these operations are almost the same as those of the traditional criminal investigation process. Nevertheless, the investigation scene might differ depending on the case under consideration.
In Section II, we list the main goals of forensic analysis. Section III overviews
the digital forensics process. In Section IV, we discuss the main challenges for
digital forensics investigation. We conclude and summarize in Section V.
Content Template
Section Number 1.2
Section Title Goals of Forensic Analysis
Introduction This section discusses the main goals of any given forensic examination analysis.
Content It was stated that forensic analysis goals vary per case. The analysis phase can be used to prove or disprove assumptions about individuals, organizations, or entities, or it can be used to investigate information security crimes locally on the existing system or globally over the Internet. The main target of the digital forensic process is to extract facts that can be used to re-create the truth of an event. This means that a set of actions taken on a computing system leaves traces of that activity in several locations on the system, such as system log files, the system registry, and cookies. More complex actions are likely to create longer-lasting impressions on the system. The main entity in digital forensic analysis is the digital device related to the security crime under investigation. The digital device can be a computer, tablet, cellular phone or other data storage device that is either used to commit a crime, targeted by an attack, or is a source of information for the analyst.
Furthermore, in many digital investigation cases, determining whether the
digital evidence under consideration is consistent or not is one of the
purposes of the examination. Digital investigators must be aware of all
processes and systems that are used to test this consistency.
Digital investigation involves several other goals such as:
Content Template
Section Number 1.3
Section Title The Digital Forensics Process
Introduction In this section, we overview the generic process used by digital forensics investigators.
Content In enterprise network environments, security experts are divided into tightly coupled groups that secure enterprise networks and their assets. Some experts analyze system vulnerabilities to mitigate incidents, others manage Intrusion Prevention and/or Detection Systems (IPS/IDS), and others conduct digital examinations of computers. The latter is the main focus of this chapter.
The process of digital forensics can be split into three main activities: data acquisition, data analysis, and results presentation.
Content Template
Section Number 1.4
Section Title Challenges for digital forensics investigation
Introduction In this section we give an overview of the major challenges and problems forensic examiners face when preparing and analyzing investigations, including the main ideas and questions they must consider prior to or during the digital forensic process.
Content Nowadays, listing all the challenges faced by forensic investigators and law enforcement is not an easy task. In fact, with the ever-growing development of new technologies, a huge volume of stored data exists in heterogeneous forms and is accessible through various types of communication technologies. Therefore, digital forensic examiners face a critical set of challenges and problems. Among the most important ones are:
6. Legal and ethical issues: Since every user owns his/her data and digital device, forensic examiners face ethical and legal issues in accessing and collecting the required information. Cases may occur in which the required information, owned by the suspect and stored on his/her device, cannot be accessed due to legal stipulations.
Content Template
Section Number 1.5
Section Title Chapter Summary
Introduction In this section, the main concepts outlined in the previous sections are summarized.
Content In the first section of this chapter we gave a brief overview of what we mean by digital forensics, together with some terminology and concepts. In Section 1.2, we discussed the main goals of any given forensic examination analysis. In Section 1.3, we explained the generic process used by digital forensics investigators. In the next section we looked at the main forensic challenges and problems that forensic examiners face when preparing and analyzing a case, including the main ideas and questions they must consider prior to or during the digital forensic process.
Activity Template
Number 1.1
Title Using Internet resources
Type Research
Aim LO.1 & LO.2
The aim of this activity is to teach students how to find well-known digital
forensic IT companies.
Description Use a Web search engine, such as Google, Bing or Yahoo!, and search for companies specializing in computer forensics. Select three and write a two- to three-page comparative summary of what each company does.
Timeline Internet search: 1 hr.
Writing report: 2 hrs.
Assessment Each student is required to submit his/her report, which will be evaluated based on their contribution. Cut-and-paste exercises will be discouraged.
Activity Template
Number 1.2
Title Review scientific papers
Type Research & Reflection
Aim LO.3 & LO.4
The aim of this activity is to teach students how to find scientific papers related to digital forensics and to summarize them, introducing their main findings.
Description Search the Internet for articles on computer crime prosecutions. Find at least
two. Write one to two pages summarizing the two articles and identify key
features of the decisions you find in your search.
Timeline Internet search: 1 hr.
Paper review: 4 hrs.
Assessment Each student is required to submit his/her review and then discuss his/her
findings in the class.
Activity Template
Number 1.3
Title Conduct internal computing investigations and forensics examinations
Type Reflection
Aim LO.3 to LO.6
In this activity, you work for a large corporation’s IT security company. Your
duties include conducting internal computing investigations and forensics examinations on
company computing systems.
Description This activity is adapted from Ref [1]. As an employee, you are asked by your company manager to conduct a digital investigation. Your main task is to examine a USB drive owned by a former employee who now works for a competing firm. The company suspects that this former employee stole some confidential documents, which consist of 24 files containing the text “data”.
1. Start ProDiscover → open project name C2Prj02 → save it in your work folder (DigitalForensic\Activitites\Activity1).
2. Click Action → Add → ImageFile → C2Prj02.eve.
3. Click expand Content View → Expand Images → Click the pathname containing the image file → Examine the files that are listed.
4. Open the search dialog box → Click the Content Search tab → Select the Disk(s)/Image(s) → click the drive you’re searching → Click Content Search Results to specify the type of search.
5. Open the Search dialog box again → click the Cluster Search tab → run the same search → click Cluster Search Results → view the search results pane.
6. Once finished, write a one-page report to the company manager explaining what you have found.
Timeline Understand project idea: 1 hr
Implement project steps: 1 hr
Assessment Each student will be assessed based on his/her successful implementation of the above steps and the information he/she extracted. In addition, each student is required to submit a one-page answer report and then discuss it in the class in an open session.
Activity Template
Number 1.4
Title Analyze Case Study
Type Reflection
Aim LO.1 to LO.6
In this activity, you will review a case study taken from a computer forensics firm. Write an
outline for how the firm should approach the case.
Description As a digital investigative expert, you were hired by an insurance company to conduct a forensic analysis of an arson investigation scene. The suspects have been arrested, but the company wants to make sure that there are no victims. For the purpose of this activity, you were given two files to work with: the first, named CasePrj0201a.doc, is a short letter from the police department, and the other, named CasePrj0201b.doc, is a letter from the insurance company that explains what should be investigated. Your main task is to review these two files and decide which course of action your company should take. Write a one-page forensic report explaining how your company should handle this case.
Timeline Understand case study: 1 hr.
Write a one-page report: 2 hrs.
Assessment Each student is required to submit a one-page answer report and then discuss it in the class in an open session. His/her answer will be evaluated based on the course of action suggested to handle the case.
Activity Template
Number 1.5
Title Write a one-page investigation report
Type Review & Reflection
Aim LO.1 to LO.6
In this activity, you will review a case study taken from a computer forensics firm. Write an
outline for how the firm should approach the case.
Description You work in a firm as a digital forensic manager. Your company faces a forensic case concerning one of its former employees, who was fired from his/her job because of inappropriate files discovered on his/her desktop computer. He/she claims never to have accessed these files. What steps should you follow to conduct this case? Write a one- to two-page report describing this case and the other relevant resources that should be investigated.
Timeline Understand case study: 1 hr.
Write the report: 2 hrs.
Assessment Each student is required to submit an answer report and then discuss it in the class in an open session. His/her answer will be evaluated based on the correctness of the course of action suggested to handle the case.
Think Template (MCQs)
Number 1.1
Title Fundamentals of digital forensics investigation
Type Choose correct answer
The triad of computing security includes which of the following?
Think Template (MCQs)
Number 1.2
Title Fundamentals of digital forensics investigation
Type True or False
Question Digital Forensics and data acquisition refer to the same concepts
(A) True
(B) False
Answers Answer: (B)
Think Template (MCQs)
Number 1.3
Title Fundamentals of digital forensics investigation
Type Fill in the blanks
Question List three common types of digital crime.
(A)______________________________
(B)______________________________
(C)______________________________
Think Template (MCQs)
Number 1.4
Title Fundamentals of digital forensics investigation
Type Fill in the blanks
Question What are some initial assessments you should make for a computing investigation?
(A)______________________________
(B)______________________________
Answers (A) Talk to others involved in the case about the incident.
(B) Was there any evidence seized by the law enforcement or security
officers?
Think Template (MCQs)
Number 1.5
Title Fundamentals of digital forensics investigation
Type Choose the correct answer
Question Laws and procedures for PDAs are which of the following?
(A) Well established
(B) Still being debated
(C) In the law books
(D) None of the above
Extra Template
Number 1.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 1.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
2. Electronic data acquisition – legal compliance and requirements
Scope Template
Number 2
Reading Material
1. Ch. 3, Guide to Computer Forensics and Investigations (5th Edition). By
Bill Nelson, Amelia Phillips, Christopher Steuart, 2016.
2. Ch. 4, A Practical Guide to Computer Forensics Investigations (2nd
Edition). By Darren R. Hayes, 2019.
Content Template
Section Number 2.1
Section Title Understanding Storage Formats for Digital Evidence
Introduction In this section, we will talk about the data acquisition process. We will mainly discuss various formats for digital evidence storage and determine the best acquisition method for each one of them. In the subsequent sections, we will talk about how to carry out static acquisition using several tools and methods and describe how to validate data acquisitions.
Content As previously mentioned in Chapter 1, the analysis of digital evidence poses challenges to forensics investigators. Working correctly with digital media and electronic information is important for the successful disposition of a case. In this regard, forensic data acquisition can be defined as the process of collecting digital evidence from electronic media by making multiple copies of the data being investigated.
In general, there are two types of data acquisition methods: static acquisitions and live acquisitions. Both methods and their data integrity requirements are similar. In a static acquisition, the data stored on the digital media remains the same regardless of the number of acquisitions performed on it, i.e., making a second or third static acquisition of the preserved original media should produce the same outcome. In contrast, making multiple copies by live acquisition while a computer is running will collect different data each time because of the dynamic nature of the system. Therefore, with live acquisition investigators cannot carry out a repeatable process, and repeatability helps to validate digital evidence.
There are three main generic formats extensively used to store acquired data on a computer. Two of these formats are open: raw and the Advanced Forensic Format (AFF). The third is proprietary and is based on vendors’ unique features. A number of proprietary formats are available nowadays, and most computer forensics analysis tools can read several of them. In the following we give more details on these three formats and discuss some of their advantages and limitations.
Raw format: This is the oldest data format in use. It duplicates a disk by copying it bit by bit from one disk to another. For the practical purpose of preserving digital evidence, software vendors modified this process so that the bit-stream data can be written to files, which creates simple sequential files of the media. The output of these files is in raw format. Raw format outperforms other file formats (like AFF and EWF) in throughput, i.e., it has a high data transfer rate between media. Some of its disadvantages are:
• It is inefficient in its use of storage capacity; it needs high storage volumes on disk, with a minimum capacity equal to the size of the original media.
• It has some efficiency issues when dealing with unhealthy sectors on the media: when applied to weak media it has a low retry-read threshold for raw data on those bad spots.
• Many commercial forensic tools have a higher retry-read threshold to verify that all relevant data is gathered properly.
• They are vendor-proprietary formats, which means that an image cannot be shared between the forensic analysis tools of different vendors.
• They have some limitations in file size. Typically, forensic tools that use proprietary formats produce segmented files with a maximum segment size of 2 GB.
It is worth mentioning that the EWF format started as a proprietary format but was then published, and now many tools support it.
Table 1: The main differences between FAT32 and NTFS Microsoft Windows file systems.
Content Template
Section Number 2.2
Section Title Acquisition Methods
Introduction This section discusses the types of acquisition methods used in the digital investigation process and gives some guidelines on how to select among them based on the investigation scenario under consideration.
Content Four methods are generally cited in the literature to acquire data; they are:
1) Disk-to-image file
2) Disk-to-disk copy
3) A logical disk-to-disk copy
4) A sparse copy of a folder or file
When the data to be extracted is stored on a large drive, the capture process can take several hours. To overcome this issue, some vendors suggest sparse data acquisition, which gathers only specific types of files. In this case, the overall performance is improved, especially when the process needs to examine only some parts of the suspect’s disk drive.
Compression can be used to reduce the image file size to fit the available disk storage space. Common archiving tools such as WinRAR, PKZip and WinZip use lossless compression to reduce file size without altering the image contents.
One way to test the consistency of a file is to compute a hash with a method such as MD5 or SHA-1. This should be done before and after applying the compression: if the compression was done correctly, both copies have the same hash value; otherwise the compressed file is corrupted. Another option, especially when working with large drives, is to back up to tape, such as Super Digital Linear Tape (SDLT) or Digital Audio Tape/Digital Data Storage (DAT/DDS).
software tool, they can try to make the first copy using one tool and the
other one with another tool.
Content Template
Section Number 2.3
Section Title Computer Forensics Acquisition Tools
Introduction In this section, we discuss a number of artifacts that are unique and specific to three well-known operating systems (OS): Microsoft Windows, Linux, and Mac OS X. Then, we provide an overview of some of the well-known acquisition tools that run on top of them.
Content Windows Systems
Windows is the most popular OS and therefore occurs most frequently in forensic examinations. As a result, it has many well-known artefacts. It mainly supports two primary file systems: the File Allocation Table (FAT) and the New Technology File System (NTFS). FAT comes in several flavors, each supported by particular OS versions. Drivers are also available that allow NTFS volumes to be accessed by other operating systems like Linux and Mac OS X.
File Allocation Table (FAT): This file system is one of the simplest and was fully supported by the family of Microsoft operating systems, i.e., MS-DOS and Windows. Its simplicity comes from the fact that it has few data structures. Its variants are FAT16, FAT32, and exFAT. In this system, the volume is divided into clusters of a specific size. For example, for FAT16 the cluster size ranges from 512 bytes to 64 KB. It is also supported by removable storage devices such as thumb drives and flash cards. Furthermore, as it is an old and generic system, it is supported by other operating systems, which makes it easy for investigators to move data from one system, like Linux, to another, like Windows. For example, if the investigator is conducting the analysis on a Linux system, he/she can save the collected information on a FAT-formatted drive and access it easily from a Windows system later on. Despite the aforementioned advantages, FAT systems suffer from security issues compared to other systems.
New Technology File System (NTFS): Currently, NTFS is the most popular file system used by Microsoft operating systems. This popularity comes from its ability to set Access Control Lists (ACLs) on file objects and its built-in file compression mechanism. In this regard, the Master File Table (MFT) is the richest source of information for an investigator working with the NTFS file system. Each MFT entry is 1024 bytes in size, which makes it straightforward to parse. Furthermore, each MFT record begins with the ASCII string FILE or BAAD, followed by one or more attributes, each with its own identifier and structure.
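The MFT record layout just described, as an added example that is not part of the course text: a Python parser that undoes the NTFS fixups in each 1024-byte record, walks its attribute list (the FILE/BAAD signature, then attributes with their own type identifiers and headers) and flags records that are no longer in use. The field offsets are taken from the published NTFS on-disk format (assumed here; the text does not give them), and the MFT buffer is constructed for the demonstration rather than read from a disk.

```python
"""Walk NTFS Master File Table (MFT) records (added example; field offsets follow
the published NTFS on-disk layout, which the course text does not give). The MFT
buffer at the bottom is constructed for the demonstration, not from a real disk."""
import struct

RECORD_SIZE = 1024        # every MFT entry is 1024 bytes, as the text states
SECTOR_SIZE = 512
END_OF_ATTRIBUTES = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence scheme: NTFS stamps the last two bytes of every
    sector with the update sequence number (USN) and keeps the real bytes in the
    update sequence array (USA), whose offset and entry count sit in the header."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(1, usa_cnt):                    # entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if out[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        out[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(raw: bytes):
    """Header flags and attribute list of one record; None if the slot was never used."""
    sig = raw[:4]
    if sig not in (b"FILE", b"BAAD"):
        return None
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"signature": sig.decode(), "in_use": bool(flags & 0x01),
            "is_directory": bool(flags & 0x02), "attributes": []}
    off = first_attr
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": rec[off + 8] == 0}
        if attr["resident"]:                       # content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            attr["content"] = rec[off + coff:off + coff + clen]
            if atype == 0x30 and clen > 0x42:      # $FILE_NAME keeps a UTF-16LE name at 0x42
                n = attr["content"][0x40]
                attr["name"] = attr["content"][0x42:0x42 + 2 * n].decode("utf-16-le")
        info["attributes"].append(attr)
        off += alen
    return info


def walk_mft(buf: bytes):
    """Yield (record number, parsed record) for every 1024-byte slot of an MFT dump."""
    for n in range(len(buf) // RECORD_SIZE):
        yield n, parse_record(buf[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])


def records_with_data(buf: bytes, needle: bytes) -> list:
    """Record numbers whose resident $DATA contains `needle`. Records that are no
    longer in use are included: a deleted file's content survives until reuse."""
    return [n for n, rec in walk_mft(buf) if rec and any(
        a["type"] == "$DATA" and needle in a.get("content", b"") for a in rec["attributes"])]


def file_name_body(name: str) -> bytes:
    """Constructed $FILE_NAME content: zeroed timestamps and sizes, then name
    length, namespace (3 = Win32 and DOS) and the UTF-16LE name at offset 0x42."""
    return bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")


def build_record(flags: int, attrs: list) -> bytes:
    """Construct one FILE record with resident attributes and NTFS-style fixups."""
    usn = b"\x11\x22"
    body = bytearray(RECORD_SIZE)
    body[0:4] = b"FILE"
    struct.pack_into("<HH", body, 0x04, 0x30, 3)             # USA at 0x30: USN + 2 sectors
    struct.pack_into("<HH", body, 0x14, 0x38, flags)         # first attribute at 0x38
    struct.pack_into("<I", body, 0x1C, RECORD_SIZE)          # allocated size
    off = 0x38
    for atype, content in attrs:
        alen = (0x18 + len(content) + 7) & ~7                # attributes are 8-byte aligned
        struct.pack_into("<IIBBHHHIH", body, off, atype, alen, 0, 0, 0x18, 0, 0,
                         len(content), 0x18)                 # resident header, content at +0x18
        body[off + 0x18:off + 0x18 + len(content)] = content
        off += alen
    struct.pack_into("<I", body, off, END_OF_ATTRIBUTES)
    struct.pack_into("<I", body, 0x18, off + 8)              # used size
    body[0x30:0x32] = usn
    for i in (1, 2):                                         # save sector tails, stamp the USN
        end = i * SECTOR_SIZE
        body[0x30 + 2 * i:0x32 + 2 * i] = body[end - 2:end]
        body[end - 2:end] = usn
    return bytes(body)


SAMPLE_MFT = (                                               # constructed three-slot MFT
    build_record(0x01, [(0x10, bytes(48)), (0x30, file_name_body("report.docx")), (0x80, b"data")])
    + build_record(0x00, [(0x30, file_name_body("old.txt")), (0x80, b"more data")])   # deleted
    + bytes(RECORD_SIZE)                                                              # never used
)
```

Calling `records_with_data(SAMPLE_MFT, b"data")` returns both the live and the deleted record, which is why an MFT walk, rather than a directory listing, is the starting point for recovering what a former user left on a volume.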
- Because Windows can easily alter an evidence drive, investigators must use well-tested write-blocking hardware devices to protect the evidence.
- Some Windows forensics tools face several challenges when trying to acquire data from protected areas of the HDD.
- In some countries there are legal and ethical issues around how write-blocking devices may be used in the data acquisition process.
Linux systems
Over the past two decades, Linux has become a popular operating system
and found its way into a large number of applications and environments
such as networking devices and powerful supercomputing clusters. Some
versions of Linux OS have come a long way from their humble roots as a
free Unix-like system for personal computers. Most of them share a common
standard Linux file system, directory structure, system artefacts and user
activity. Most current Linux systems use the Ext4 file system and older
systems used Ext3 and Ext2.
In general, any Ext file system has two main components that make up its layered structure: the superblock and the group descriptor table. The superblock is a data structure located in the first 1024 bytes of the Ext file system. It maintains information about the layout of the file system, its block and inode allocation information, and timestamps. The group descriptor table is located after the superblock and contains allocation status information for each block group found in the file system.
In addition to the Ext family of file systems, others exist but are rarely used on Linux. None of these are currently supported by The Sleuth Kit, but they can be examined logically using generic Linux file system tools. These formats are: ReiserFS, XFS, JFS, YAFFS2 and JFFS2. Table 2 below lists the main differences between Linux file systems.
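The superblock and group descriptor table described above, as an added example not taken from the course text: a Python parser that reads the ext superblock, derives the block size and the number of block groups from it, locates the group descriptor table in the block that follows the superblock, and decodes each descriptor's allocation information. Field offsets come from the published ext2/3/4 layout, and the parser assumes the superblock starts at byte 1024 of the volume (the bytes before it are reserved for boot code); the image is constructed for the demonstration.

```python
"""Read an Ext2/3/4 superblock and the group descriptor table that follows it
(added example; field offsets follow the published ext layout, which the course
text does not give). The image built at the bottom is constructed, not a real disk."""
import struct
from datetime import datetime, timezone

EXT_MAGIC = 0xEF53
SB_OFFSET = 1024        # bytes 0-1023 are reserved for boot code; the superblock follows
SB_SIZE = 1024
GD_SIZE = 32            # classic (32-bit) group descriptor size


def _ts(value: int) -> str:
    return datetime.fromtimestamp(value, timezone.utc).isoformat()


def parse_superblock(image: bytes) -> dict:
    """Decode the layout fields, allocation counters and timestamps of the superblock."""
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    if len(sb) < SB_SIZE:
        raise ValueError("image too small to contain a superblock")
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT_MAGIC:
        raise ValueError("bad magic 0x%04X: not an ext file system" % magic)
    (inodes, blocks, _reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0x00)
    blocks_per_group, _clusters, inodes_per_group = struct.unpack_from("<3I", sb, 0x20)
    mtime, wtime = struct.unpack_from("<2I", sb, 0x2C)
    mnt_count, max_mnt = struct.unpack_from("<Hh", sb, 0x34)
    block_size = 1024 << log_block_size
    group_count = -(-(blocks - first_data_block) // blocks_per_group)   # ceiling division
    return {
        "block_size": block_size, "inodes": inodes, "blocks": blocks,
        "free_inodes": free_inodes, "free_blocks": free_blocks,
        "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
        "group_count": group_count, "first_data_block": first_data_block,
        # the group descriptor table begins in the block right after the superblock
        "gdt_offset": (first_data_block + 1) * block_size,
        "last_mount": _ts(mtime) if mtime else None,
        "last_write": _ts(wtime) if wtime else None,
        "mount_count": mnt_count, "max_mount_count": max_mnt,
        "volume_name": sb[0x78:0x88].split(b"\x00", 1)[0].decode("utf-8", "replace"),
    }


def parse_group_descriptors(image: bytes, sb: dict) -> list:
    """Per-group allocation status: where the block bitmap, inode bitmap and
    inode table live, and how many blocks/inodes are still free."""
    out = []
    for g in range(sb["group_count"]):
        off = sb["gdt_offset"] + g * GD_SIZE
        block_bitmap, inode_bitmap, inode_table = struct.unpack_from("<3I", image, off)
        free_blocks, free_inodes, used_dirs = struct.unpack_from("<3H", image, off + 0x0C)
        out.append({"group": g, "block_bitmap": block_bitmap, "inode_bitmap": inode_bitmap,
                    "inode_table": inode_table, "free_blocks": free_blocks,
                    "free_inodes": free_inodes, "used_dirs": used_dirs})
    return out


def build_sample_image() -> bytes:
    """Constructed 1 KiB-block ext2-style image: one block group, volume 'evidence01'."""
    img = bytearray(4096)
    sb = bytearray(SB_SIZE)
    struct.pack_into("<7I", sb, 0x00, 2048, 8192, 409, 7000, 2000, 1, 0)
    struct.pack_into("<3I", sb, 0x20, 8192, 8192, 2048)
    struct.pack_into("<2I", sb, 0x2C, 1577836800, 1577840400)   # 2020-01-01 00:00 / 01:00 UTC
    struct.pack_into("<Hh", sb, 0x34, 5, 20)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    sb[0x78:0x78 + 10] = b"evidence01"
    img[SB_OFFSET:SB_OFFSET + SB_SIZE] = sb
    gd = struct.pack("<3I3H", 3, 4, 5, 7000, 2000, 2)            # group 0 descriptor
    img[2048:2048 + len(gd)] = gd                                 # block 2 for 1 KiB blocks
    return bytes(img)
```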
The core structure of the HFS+ contains the volume header that stores
information related to the file system, its allocation block size, volume
creation timestamp, and the location of special files that are necessary for
HFS+ operation, etc. As in the Linux system, the volume header is located
in the first 1024 Bytes and the backup copy is located at the end of the
volume.
HFS+ uses allocation blocks as its data units. The size of each allocation block is set in the volume header, typically 4 KB. Furthermore, allocation blocks can be grouped into units called clumps, similar to block allocation in the Linux Ext file systems. Here, file data are addressed in terms of extents. An extent is simply a 4-byte pointer to the starting allocation block together with another 4-byte value that gives the length of the extent in blocks.
Also, HFS+ files have several data streams, called forks, associated with them. The two main forks are the data fork and the resource fork. Generally, the data fork contains the actual file content, while the resource fork contains nonessential information about the file. Additional forks can be created whenever needed for application-specific purposes.
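The HFS+ volume header, allocation blocks and extents described above, as an added example not part of the course text: a Python parser that checks the volume header signature at byte 1024, reads the allocation block size and the volume dates, and converts the catalog file's extent descriptors (4-byte start block, 4-byte block count) into byte ranges on the volume. The field offsets follow Apple's published HFSPlusVolumeHeader layout (an assumption; the text does not give them), and the header is constructed for the demonstration.

```python
"""Parse an HFS+ volume header and map a fork's extents to byte ranges (added
example; offsets follow Apple's published HFSPlusVolumeHeader, which the course
text does not give). The header built at the bottom is constructed, not real."""
import struct
from datetime import datetime, timedelta, timezone

VH_OFFSET = 1024                                        # volume header at byte 1024
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates count seconds from here
FORK_SIZE = 80                 # logicalSize(8) clumpSize(4) totalBlocks(4) + 8 extents of 8 bytes
CATALOG_FORK = 0x70 + 2 * FORK_SIZE   # after finderInfo: allocation, extents-overflow, catalog


def hfs_date(ts: int) -> str:
    return (HFS_EPOCH + timedelta(seconds=ts)).isoformat()


def parse_fork(vh: bytes, off: int, block_size: int) -> dict:
    """An extent is a 4-byte start allocation block plus a 4-byte block count;
    each is converted to an absolute byte range on the volume."""
    logical_size, clump_size, total_blocks = struct.unpack_from(">QII", vh, off)
    extents = []
    for i in range(8):
        start, count = struct.unpack_from(">II", vh, off + 16 + 8 * i)
        if count == 0:
            break                                       # remaining descriptors are unused
        extents.append({"start_block": start, "block_count": count,
                        "byte_offset": start * block_size,
                        "byte_length": count * block_size})
    return {"logical_size": logical_size, "clump_size": clump_size,
            "total_blocks": total_blocks, "extents": extents}


def parse_volume_header(image: bytes) -> dict:
    vh = image[VH_OFFSET:VH_OFFSET + 512]
    if len(vh) < 512:
        raise ValueError("image too small for a volume header")
    signature, version = struct.unpack_from(">HH", vh, 0x00)
    if signature not in (0x482B, 0x4858):               # 'H+' (HFS+) or 'HX' (case-sensitive HFSX)
        raise ValueError("not an HFS+ volume header: 0x%04X" % signature)
    create, modify, backup, checked = struct.unpack_from(">4I", vh, 0x10)
    files, folders, block_size, total_blocks, free_blocks = struct.unpack_from(">5I", vh, 0x20)
    rsrc_clump, data_clump = struct.unpack_from(">II", vh, 0x38)
    return {
        "signature": vh[0:2].decode("ascii"), "version": version,
        "block_size": block_size, "total_blocks": total_blocks, "free_blocks": free_blocks,
        "volume_bytes": block_size * total_blocks,
        "file_count": files, "folder_count": folders,
        # caveat: Apple's spec stores createDate in local time, the other dates in UTC
        "create_date": hfs_date(create), "modify_date": hfs_date(modify),
        "backup_date": hfs_date(backup) if backup else None, "checked_date": hfs_date(checked),
        "data_clump_size": data_clump, "rsrc_clump_size": rsrc_clump,
        "catalog_file": parse_fork(vh, CATALOG_FORK, block_size),
    }


def build_sample_image() -> bytes:
    """Constructed 4 KiB-block HFS+ header whose catalog file spans two extents."""
    vh = bytearray(512)
    struct.pack_into(">HH", vh, 0x00, 0x482B, 4)
    t0 = int((datetime(2020, 1, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    struct.pack_into(">4I", vh, 0x10, t0, t0 + 3600, 0, t0 + 7200)
    struct.pack_into(">5I", vh, 0x20, 120, 15, 4096, 262144, 200000)
    struct.pack_into(">II", vh, 0x38, 65536, 65536)
    struct.pack_into(">QII", vh, CATALOG_FORK, 6 * 4096, 65536, 6)
    struct.pack_into(">II", vh, CATALOG_FORK + 16, 100, 4)      # extent 0: blocks 100-103
    struct.pack_into(">II", vh, CATALOG_FORK + 24, 900, 2)      # extent 1: blocks 900-901
    return bytes(VH_OFFSET) + bytes(vh) + bytes(512)
```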
Content Template
Section Number 2.4
Section Title Validating Data Acquisitions
Introduction In this section, we will talk about digital evidence validation methods and list some of their weaknesses and advantages.
Content An important part of computer forensics is validating digital evidence. A forensic hash is the standard approach commonly used for this validation. It is a form of checksum. A checksum uses a mathematical formula that simply sums the assorted bits in a message to produce a value. Hashing mechanisms generate a binary or hexadecimal digital fingerprint of a file; they use more complex mathematical functions than checksum algorithms.
In the context of digital forensics, a forensic hash is the result of applying a mathematical function to the acquired data to produce a unique hash value. MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1) are two common algorithms used in digital forensics. They were first introduced to check the integrity of files downloaded from the Internet, i.e., two files with different filenames are considered identical if they have the same hash values.
This hash process is normally applied during the acquisition of the evidence to verify the integrity of the collected data and of the forensic analysis procedure. This way, if there is any intentional or unintentional attempt to modify any part of the digital evidence, the hash algorithm will produce a completely different hash value.
MD5 hash is compared to the image to verify whether the acquisition is
correct.
Regarding Linux and UNIX operating systems, things are different. Here, several open source commands and functions can be used to validate data. For example, the two Linux shell commands dd and dcfldd have several options that can be combined with other commands for validation purposes. The dcfldd command also has additional options that validate the data collected during the acquisition process, whereas validating data acquired with the dd command requires other helpful shell commands. Current Linux systems use two hashing utilities to validate data: md5sum and sha1sum. Both utilities can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive.
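The before-and-after hash check described in Section 2.2 and the md5sum/sha1sum validation described here, as an added example that is not part of the course text: a Python script that hashes a constructed raw image with MD5 and SHA-1, confirms that lossless compression and splitting into segments (a scaled-down stand-in for the 2 GB segment files of proprietary formats) leave the digest unchanged, checks a hash manifest the way md5sum -c does, and shows that a single flipped bit in the copy is detected. The image bytes, segment size and file names are constructed for the demonstration.

```python
"""Hash-based validation of an acquired image, mirroring what md5sum/sha1sum and
an md5sum -c manifest check do (added example, not from the course text). The
"image" is constructed, and SEGMENT_SIZE stands in for the 2 GB segment limit of
proprietary formats so that the run is instant."""
import hashlib
import zlib

SEGMENT_SIZE = 4096


def make_sample_image(size: int = 10_000) -> bytes:
    """Deterministic stand-in for a raw (dd-style) acquisition of a small device."""
    return bytes((i * 7 + 3) % 256 for i in range(size))


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-1 of the whole image, as md5sum/sha1sum would print them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def split_segments(data: bytes, size: int = SEGMENT_SIZE) -> list:
    """Cut an image into fixed-size segments (image.001, image.002, ...)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def hash_segments(segments, algo: str = "md5") -> str:
    """Feed the segments through one digest in order: the result equals the hash of
    the joined image, so it can be compared with the hash taken of the source media."""
    h = hashlib.new(algo)
    for seg in segments:
        h.update(seg)
    return h.hexdigest()


def compress_round_trip_ok(data: bytes) -> bool:
    """The check described in the text: hash, compress losslessly, decompress, hash
    again; a correct compression leaves both values identical."""
    before = hash_image(data)
    restored = zlib.decompress(zlib.compress(data, 9))
    return hash_image(restored) == before


def verify_copy(original: bytes, copy: bytes, algo: str = "sha1") -> bool:
    """Does the acquired copy hash the same as the evidence media?"""
    return hashlib.new(algo, original).hexdigest() == hashlib.new(algo, copy).hexdigest()


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate an accidental write to the copy: flip one bit of one byte."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def check_manifest(manifest: str, files: dict) -> dict:
    """Mimic `md5sum -c`: each line is '<hex digest>  <name>'; returns name -> OK?"""
    verdict = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")                 # binary-mode marker some md5sum builds emit
        verdict[name] = name in files and hashlib.md5(files[name]).hexdigest() == digest.lower()
    return verdict


if __name__ == "__main__":
    image = make_sample_image()
    print("md5 :", hash_image(image)["md5"])
    print("sha1:", hash_image(image)["sha1"])
    print("static re-acquisition repeatable:", verify_copy(image, make_sample_image()))
    print("compression round trip ok:", compress_round_trip_ok(image))
    print("segment hash == whole-image hash:",
          hash_segments(split_segments(image)) == hash_image(image)["md5"])
    print("one flipped bit detected:", not verify_copy(image, flip_one_bit(image, 1234)))
```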
Content Template
Section Number 2.5
Section Title Chapter Summary
Introduction In this section, we summarize the main concepts outlined in the previous sections and shed light on the upcoming topic.
Content In this chapter we talked about the forensic data acquisition process. We introduced three different digital storage formats: raw, proprietary, and AFF. Next, we looked at the four methods of acquiring data for forensic analysis, which are disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file, and sparse data copy of a folder or file. Then, we listed some useful forensic tools that run on Windows, Linux and Mac OS.
Activity Template
Number 2.1
Title Create a USB Drive using Linux Operating System
Type Reflection
Aim LO.1
In this activity, students will learn how to prepare a USB drive and create a
FAT32 disk partition using Linux systems.
Description For the purpose of this activity, students will need a Linux distribution CD
and a USB drive to work with. The main task is to format the disk drive as
FAT32 in Linux. Students may refer to the following Internet resource, or
any other relevant resources of their choice that contain the necessary steps
that must be followed.
https://www.garron.me/en/go2linux/format-usb-drive-fat32-file-system-ubuntu-linux.html
Activity Template
Number 2.2
Title Acquire Data from a USB Partition using Linux commands
Type Reflection
Aim LO.1, LO.5 & LO.6
In this activity, students will learn how to use Linux operating system
commands to acquire data and validate it.
Description Students will use built-in Linux commands such as dd and md5sum to acquire
and validate data. For this activity, students need a Linux distribution CD and
a USB drive formatted with FAT32 (See Activity 1). The main tasks are to
perform the data acquisition using each one of the following commands: dd,
dcfldd, and dc3dd. After that, students will perform a validation of the acquired
image files using md5sum command. Students may refer to the following
Internet resources for more information.
http://www.cyber-forensics.ch/acquiring-data-with-dd-dcfldd-dc3dd/
https://www.howtoforge.com/linux-md5sum-command/
Activity Template
Number 2.3
Title Use data acquisition tools to analyze a given case study
Type Reflection
Aim LO.3, LO.4, & LO.5
The aim of this activity is to provide students with some practical skills in using the data acquisition methods and tools studied in this topic to analyze a given case study.
Description As a digital forensic expert, you have been contracted by a business company to investigate an internal fraud. The company has several TBs of data stored on the network. The company manager suspects that one of the employees illegally tried to steal some sensitive data and pass it to a competing company. Your main duties are to analyze this case (you can refer to the system and network admins for more information) and write a two-page report to the manager explaining the problems you expect to face and how to rectify them, as well as which acquisition method and strategies you should use.
Timeline Understand case study: 1 hr.
Write report: 3 hrs.
Assessment The student’s work is assessed based on his/her successful implementation of
the required steps.
Activity Template
Number 2.4
Title Analyze a computer forensic scene given as a case study
Type Reflection
Aim LO.2 to LO.5
In this activity, you will use the data acquisition methods and tools that you have already studied in this topic to review a case study taken from a computer forensics scene.
Description Your forensic firm is currently investigating a heinous murder in a residential building. As a member of the investigative group, your manager assigned you the task of acquiring several GBs of data from a suspect’s computer with only a few minutes available. Within this time constraint, write a two-page report that outlines the procedure and the available options that must be taken to preserve the data.
Timeline Understand case study: 1 hr.
Write report: 3 hrs.
Assessment The student’s work will be evaluated based on his/her submitted report, the course of options suggested to handle the case, and the report’s discussion in the class.
Activity Template
Number 2.5
Title Use Internet search engines to research well-known digital forensic tools
Type Search & Reflection
Aim LO.4 and LO.6
In this activity, you will use Internet search engines and the vendors listed in this topic to collect information about current data acquisition tools.
Description For the purpose of this activity, students will use Internet resources to search for popular forensics tools. For each chosen tool, students will collect the following relevant information:
- Vendor website
- Tool name
- License type
- Supported platforms
- Developers
- Forensic model/s
- Other relevant features
• Supported formats (Raw, AFF, proprietary, etc.)
• Compression methods
• Remote network acquisition capabilities
• Validation methods (MD5, SHA-1, etc.)
Students should prepare spreadsheets that contain the above information for each tool.
Timeline Search through the Internet: 3 hr.
Prepare spreadsheets: 3 hr.
Assessment The students will be divided into groups of at most three. Each group is required to submit the comparative spreadsheets and present them in the class in an open discussion session.
Think Template (MCQs)
Number 2.1
Title Electronic data acquisition – legal compliance and requirements
Type Choose the correct answer
With remote acquisition, what problems should you be aware of?
A. Data transfer speeds
Question B. Access permissions over the network
C. Antivirus, antispyware, and firewall programs
D. All of the above
Answers Answer: (D)
Think Template (MCQs)
Number 2.2
Title Electronic data acquisition – legal compliance and requirements
Type True or False
Question Computer forensics and data recovery refer to different activities.
(A) True
(B) False
Answers Answer: (A)
Think Template (MCQs)
Number 2.3
Title Electronic data acquisition – legal compliance and requirements
Type Fill in the blanks
Question What are two advantages and two disadvantages of the raw format?
(A)______________________________
(B)______________________________
(C)______________________________
(D)______________________________
Think Template (MCQs)
Number 2.4
Title Electronic data acquisition – legal compliance and requirements
Type Fill in the blanks
Name the three formats for computer forensics data acquisitions.
Question
(A)______________________________
(B)______________________________
(C)______________________________
Think Template (MCQs)
Number 2.5
Title Electronic data acquisition - legal compliance and requirements
Type Fill in the blanks
Question In a Linux shell, write the dcfldd command used to acquire an image of the
suspect drive /dev/hda1 into an image file.
___________________________________________
Think Template (MCQs)
Number 2.6
Title Electronic data acquisition - legal compliance and requirements
Type True or False
Question Digital investigators usually apply static data acquisition when the
suspect's drive is write-protected (e.g. connected through a write blocker) and
cannot be altered.
(A) True
(B) False
Answers Answer: (A)
Extra Template
Number 2.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 2.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
3. Computer Processing Crime and Incident Scenes
Scope Template
Number 3
Content Template
Among the most important operations that digital evidence experts usually
carry out when handling the evidence of a digital crime are:
Content Template
Content Customer privacy is a particular concern for private-sector organizations
handling digital evidence and crime scenes. An organization such as an Internet
Service Provider (ISP) can normally examine computer crimes and service abuse
committed by its own employees, but not by its customers, because the ISP is
responsible for preserving the privacy of the customer data it holds, especially
for sensitive services such as e-mail and Web access.
Crimes in the private sector often take place at the workplace, e.g. an office
or manufacturing area. Events triggered by computers that violate the company's
security policy therefore fall under the authority of company management.
A business usually maintains a database of its assets. This database makes it
possible to determine which data and applications are present on a suspect
device, which in turn helps in choosing the forensic tools and procedures best
suited to the analysis. For example, a company may deploy a standard Web
browser, such as Google Chrome on PCs or Safari on smartphones. Knowing which
browser is in use lets investigators apply standard procedures to locate and
retrieve its artefacts as digital evidence.
Content Template
Content An important step in the digital investigation process is preparing for the
search and seizure of evidence. Generally, before starting a digital forensic task, an
examiner will have to consult with or interview a number of people, including
the victim, managers, the police department, etc. In addition, he/she
can do the following tasks:
quickly, make the investigation plan, gather the needed resources
and information, and collect data from the crime scene.
Content Template
Digital investigators must also be aware of what they are doing and what they
are touching, either physically or virtually. They should take steps to ensure
that no data is inadvertently modified before it has been forensically imaged;
even booting a computer can modify hundreds of timestamps.
Content Template
Once the scene has been recorded, examiners should apply the following
steps to complete the process:
Finally, to finish the analysis and processing of evidence, examiners should
gather all documents and digital media related to the investigation. This
includes the following:
- Physical components
- Software components
- Digital media storage such as USB drives
- Handwritten notes
Content Template
To guard against data loss, an image can be written to more than one
storage medium, and more than one forensic tool can be used to cross-check
the verification. For example, investigators can use the dd command in Linux
to create the first image and another tool, such as ProDiscover, to create a
second one. Some hardware duplicators can also write two copies of a disk at
the same time. One common approach is to make two copies of the hard disk,
replace the disk in the system with one of the copies, keep the original hard
disk as the evidence, and use the second copy for analysis. Each image's hash
values should be recorded at acquisition and verified again before analysis.
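The two-copy-and-verify procedure above, as an added Python example (not code from the course or from dd, dcfldd or ProDiscover): it acquires a raw image sector by sector with the read-error behaviour of dd conv=noerror,sync, records MD5 and SHA-256 while writing, makes a second copy, and shows verification catching a one-byte change to the working copy. The FakeDevice class, its unreadable sector 17 and the sample content are constructed for the example; in the field the source would be the device node behind a write blocker.

```python
"""Raw acquisition with dd-style 'conv=noerror,sync' behaviour plus dual-copy
hash verification. FakeDevice, the sector numbers and the sample content are
constructed for this example and are not taken from any real case."""
import hashlib
import os
import tempfile

SECTOR = 512


class FakeDevice:
    """Stand-in for a block device behind a write blocker; `bad_sectors`
    raise an I/O error exactly like an unreadable sector would."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data, self.bad = data, set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire_raw(dev: FakeDevice, image_path: str, log: list) -> tuple:
    """Copy every sector into a raw image. Like dd conv=noerror,sync, a read
    error does not abort the copy: the bad sector is written as zeros so every
    later byte keeps its original offset. Hashes are computed as the image is
    written (dcfldd hash=md5,sha256 does the same)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(image_path, "wb") as out:
        for n in range(dev.sectors):
            try:
                block = dev.read_sector(n)
            except OSError as err:
                log.append(f"sector {n}: {err.strerror}, zero-filled")
                block = bytes(SECTOR)
            out.write(block)
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def hash_file(path: str) -> tuple:
    """Re-hash an image on disk, streaming so large images do not need to fit in RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_copies(expected: tuple, *paths: str) -> bool:
    """True only if every image still matches the hashes recorded at acquisition."""
    return all(hash_file(p) == expected for p in paths)


def demo() -> list:
    """Acquire two copies, verify both, then show a one-byte change being caught."""
    work = tempfile.mkdtemp()
    # constructed evidence: 64 sectors, each tagged with its own number
    data = b"".join(f"sector {n:04d} ".encode().ljust(SECTOR, b"A") for n in range(64))
    dev = FakeDevice(data, bad_sectors={17})
    evidence = os.path.join(work, "evidence.001")
    working = os.path.join(work, "evidence-copy.001")
    log = []
    hashes = acquire_raw(dev, evidence, log)
    assert acquire_raw(dev, working, []) == hashes          # second copy, same hashes
    assert verify_copies(hashes, evidence, working)
    with open(evidence, "rb") as f:                         # sector 18 kept its offset
        f.seek(18 * SECTOR)
        assert f.read(11) == b"sector 0018"
    with open(working, "r+b") as f:                         # tamper with the working copy
        f.seek(100)
        f.write(b"X")
    assert not verify_copies(hashes, evidence, working)     # caught by re-verification
    assert verify_copies(hashes, evidence)                  # the evidence copy is untouched
    return log
```

When a sector is unreadable, the image hash cannot match a hash of the original device, so the zero-filled sectors (the returned log) must be documented in the acquisition notes together with the tool and error-handling options used.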
Fig. 2: Storage media comparative table
[1] https://en.wikipedia.org/wiki/Digital_Linear_Tape
Content Template
Activity Template
Number 3.1
Title Use the investigation methods to analyze an incident scene
Type Reflection
Aim LO.1 to LO.5
The aim of this activity is to use the investigation methods and techniques to
analyze an incident scene.
Description
Consider the following case: you work in a company as a digital forensic
examiner. The CEO has received an e-mail about a serious assault that violates
the company's internal policy. He forwarded the e-mail to you and asked for
immediate action. Write a two-page report outlining the actions you
should take to handle this case.
Timeline Write report: 3 hrs.
Assessment The student's work will be evaluated based on his/her submitted report and
the course of action suggested to handle the case.
Activity Template
Number 3.2
Title Use the investigation methods to analyze an incident scene
Type Reflection
Aim LO.1 to LO.5
The aim of this activity is to use the investigation methods and techniques to
analyze an incident scene.
Description As a Bitcoin forensics expert, you are conducting a digital forensic
examination of the computer of a suspect who may be using the Bitcoin network to sell
illegal goods. Currently, the computer has Bitcoin software running and open
online sessions over a DSL connection. Write a two-page report
outlining the information you must gather before packaging the
evidence. Students may refer to the following Internet resource or to other
resources for Bitcoin concepts and terminology.
https://bitcoin.org/en/
Activity Template
Number 3.3
Title Calculate hash values of given files
Type Reflection
Aim LO.6
The aim of this activity is to provide students with some practical skills on
how to calculate and compare the hash values of given files.
Description
This activity was adopted from Ref [1]. Students will gain hands-on
experience with the FTK Imager forensic tool. They will create files and
calculate their hash values, then modify the content of the files and
recalculate the hash values to compare them. To do this
activity, students need a Windows machine and a USB drive. Follow
the following steps:
Activity Template
Number 3.4
Title Analyze a case study of an incident scene
Type Reflection
Aim LO.7 & LO.8
In this activity, you will use the crime investigation methods and tools to review a case
study taken from a computer forensics scene.
Description
This activity was adopted from Ref [1]: Consider that you work as a digital investigator in a
police department in your town. Your department manager receives a bomb threat claim in
an anonymous e-mail for one of the local schools. Consequently, he/she sent you to conduct
the investigation having information from a subpoena about the last known ISP where the
anonymous e-mail originated, and that the message was sent from a residence in the
school’s neighborhood. Also, the school’s Web server has been under an attack by an
unknown computer attacker. The manager has got a warrant for the search and seizure of
a computer at the residence the ISP identified. Your main task is to prepare a list of items
that must be included in an initial-response field kit to ensure the preservation of computer
evidence when the warrant is carried out.
Timeline Understand the case study: 1 hr.
Outline the action plan: 2 hr.
Assessment The student’s work will be evaluated based on his/her submitted report, the course of
options suggested to handle the case, and report’s discussion in the class.
Activity Template
Number 3.5
Title Analyze a case study of a crime scene
Type Reflection
Aim LO.1 to LO.8
In this activity, you will use the crime investigation methods and tools that you have already
learnt in this topic to review a case study taken from a crime scene.
Description Consider the case that you are a police officer conducting a murder investigation in a big
company in your town. Suppose that the primary suspect in the investigation (Person
X) works at a local company and is reported to have two computers at work in addition to
one at home. Write a two-page report stating what you would do if the company had its
own computer forensics and investigations department and what you would do if the
company did not.
Timeline Understand the case study: 1 hr.
Write a report: 2 hr.
Assessment The student’s work will be evaluated based on his/her submitted report, the course of
options suggested to handle the case, and report’s discussion in the class.
Think Template (MCQs)
Number 3.1
Title The CIA Model
Type Fill in the blanks
What are the three main components of the Triad model?
Question
(A)______________________________________________
(B)______________________________________________
(C)______________________________________________
Think Template (MCQs)
Number 3.2
Title Computer Processing Crimes and Incident Scenes
Type True or False
Question One of the main differences between private-sector and public-sector
investigations is that the former focuses on policy violations, whereas the
latter involves criminal investigation agencies.
(A) True
(B) False
Think Template (MCQs)
Number 3.3
Title Computer Processing Crimes and Incident Scenes
Type Choose the correct answer
Which of the following techniques might be used in covert surveillance?
Question
(A) Keylogging
(B) Data sniffing
(C) Network logs
(D) All of the Above
Think Template (MCQs)
Number 3.4
Title Computer Processing Crimes and Incident Scenes
Type True or False
In some countries, if a company doesn’t distribute a computing use policy
Question
stating an employer’s right to inspect employees’ computers freely, including
e-mail and Web use, employees have an expectation of privacy.
A. True
B. False
Answers (A) True
Think Template (MCQs)
Number 3.5
Title Computer Processing Crimes and Incident Scenes
Type Fill in the blanks
List two hashing algorithms commonly used for forensic purposes.
Question
(A) ____________________
(B) ____________________
Answers (A) MD5
(B) SHA-1
Extra Template
Number 3.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 3.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
4. Fundamentals of File Systems
Scope Template
Number 4
Reading Material
1. Chs. 6 & 8, Guide to Computer Forensics and Investigations (5th Edition).
By Bill Nelson, Amelia Phillips, Christopher Stuart, 2016.
2. File System Forensic Analysis (1st Edition). By Brian Carrier, Addison-
Wesley Professional, ISBN: 0321268172, 2005.
Content Template
In brief, CMOS is the small battery-backed memory that keeps the system date and
time and the firmware settings while the device is powered off, while the system
firmware (BIOS, or EFI/UEFI on newer machines) contains the low-level software
that performs input/output at the hardware level and starts the boot process.
The main difference between them is age: BIOS is used on older computers and was
designed when x86 was the most modern system available. To locate and load the
OS into RAM, a BIOS system relies on the Master Boot Record (MBR), which contains
the partition table and boot code needed for this purpose. UEFI replaces BIOS in
newer computers. It uses the GUID Partition Table (GPT) scheme, which replaces
MBR partitioning and offers more advanced features such as support for larger
disks and more partitions.
System users can access the firmware setup program in several ways. Many
BIOS manufacturers use the Del key to open the CMOS setup screen; others use
Ctrl+F1, F2, or F10. Each BIOS manufacturer's screen has its own format.
Users may refer to the vendors' Web sites to get more information.
Investigators working in the digital forensics field should also be familiar with
the structure of the HDD, and how information is being stored and located on
them. Figure 1 shows the physical components of the HDD besides other
relevant low-level parts such as tracks, cylinders, and sectors. Students should
review all of these concepts before proceeding to the next topics.
Fig.1: Main components of a Hard Disk Drive (HDD).
A Solid-State Drive (SSD) is another type of drive, used in USB flash devices,
laptops, tablets, and cell phones. SSDs have several key advantages over
traditional HDDs. Figure 2 summarizes the main differences between the SSD and
HDD storage technologies.
Fig. 2: Comparison of the key differences between HDD and SSD disk
drives.
It is worth noting that one of the main challenges facing digital forensic
examiners with SSDs, compared with HDDs, is that deleted data may not be
recoverable at all. When data is deleted on an HDD, only the references to it
are removed; the content stays in unallocated disk space until it is
overwritten, so it can usually be recovered with an appropriate forensic tool.
An SSD controller, however, performs wear-leveling and garbage collection on
its own (and, where TRIM is enabled, the OS tells the controller which blocks
are no longer in use), so unallocated blocks can be erased or relocated without
any action by the user. Therefore, when dealing with an SSD, it is highly
recommended to make a full image immediately, because the controller may clear
the unallocated space on its own before recovery is attempted.
The physical surface of an HDD is divided into sectors (traditionally 512
bytes; 4,096 bytes on newer drives). The file system groups consecutive
sectors into clusters, typically between 512 bytes and 32 KB in size, i.e.,
sectors are a hardware concept whereas clusters are defined by the file system.
The Master Boot Record (MBR) is a special type of boot sector located in the
very first sector of the disk. It holds the partition table, which records
where each partition (and its file system area) begins and ends, together with
executable code for loading the OS. For more information on the structure of
the HDD and the MBR, students may refer to Ref [3].
The File Allocation Table (FAT) file system is a simple file structure used by
the OS to manage files on volumes. The FAT itself can be described as a map of
all clusters that form the data area: it holds one entry per cluster, and the
data clusters are numbered starting from cluster 2. When a file occupies two or
more clusters, the FAT entry for the file's first cluster contains the number
of its second cluster, the second cluster's entry points to the third, and so
forth. A sequence of FAT entries like this forms a linked list commonly called
a cluster chain. A special end-of-chain marker in the last cluster's entry
terminates the chain, and an entry of zero marks a free cluster. The clusters
of a file need not be contiguous, which is why files on FAT volumes become
fragmented.
It is worth pointing out that the FAT itself does not record where a file
starts; that information is stored in the directory. The directory entry for
each file contains a value called the starting cluster address. This is a
pointer to the file's first entry in the FAT, which in turn corresponds to the
first cluster in the volume's data area that has been allocated to the file.
Directory entries also store additional metadata such as the 8.3 file name,
attributes, timestamps, and file size; some FAT variants used reserved bytes of
the entry for file passwords, access rights, and owner IDs. When a file is
deleted, only the first byte of its directory entry is overwritten (with 0xE5)
and its FAT entries are cleared, so the starting cluster, the size, and the
data itself usually remain recoverable until the clusters are reused.
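An added example (Python; not code from the course text or from any tool it names) that walks a FAT16 cluster chain starting from a directory entry's first-cluster field, converts the clusters to sector addresses, and shows what a deleted entry looks like to an examiner. The FAT, the directory entries, names, sizes and cluster numbers are constructed for the example; the geometry (data area starting at sector 32, 4 sectors per cluster) is an assumption.

```python
"""FAT16 cluster-chain walker over a constructed FAT and root directory.
Nothing here is taken from a real volume; cluster numbers, names and sizes
are invented for the example."""
import struct
from math import ceil

SECTOR = 512
FAT16_BAD = 0xFFF7        # 0xFFF7 = bad cluster; 0xFFF8..0xFFFF = end of chain (EOC)


def fat16_entry(fat: bytes, n: int) -> int:
    """FAT16 entries are 16-bit little-endian values, one per cluster."""
    return struct.unpack_from("<H", fat, n * 2)[0]


def cluster_chain(fat: bytes, first: int) -> tuple:
    """Follow the linked list starting at `first`. Returns (clusters, how_it_ended):
    'eoc'  healthy chain terminated by an end-of-chain marker
    'free' next entry is 0: typical for a deleted file, whose directory entry
           still names the first cluster but whose FAT entries were cleared
    'bad'  the chain runs into a bad-cluster marker
    'loop' an entry points back into the chain (corrupt FAT); stops instead of hanging"""
    chain, seen, c = [], set(), first
    while 2 <= c < FAT16_BAD:
        if c in seen:
            return chain, "loop"
        seen.add(c)
        chain.append(c)
        c = fat16_entry(fat, c)
    if c >= 0xFFF8:
        return chain, "eoc"
    return chain, "bad" if c == FAT16_BAD else "free"


def parse_dir_entry(e: bytes) -> dict:
    """32-byte FAT directory entry: 8.3 name, attributes (byte 11), first cluster
    (bytes 26-27), size (bytes 28-31). Deletion only overwrites the first name byte with 0xE5."""
    base = e[0:8].decode("ascii", "replace").rstrip()
    ext = e[8:11].decode("ascii", "replace").rstrip()
    deleted = e[0] == 0xE5
    if deleted:
        base = "?" + base[1:]          # the first character is lost, the rest is intact
    return {"name": f"{base}.{ext}" if ext else base, "attr": e[11], "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0]}


def cluster_to_sector(c: int, data_start: int, spc: int) -> int:
    """Data clusters are numbered from 2: cluster 2 is the first cluster of the data area."""
    return data_start + (c - 2) * spc


def walk_directory(fat: bytes, dir_bytes: bytes, data_start: int, spc: int) -> list:
    files = []
    for off in range(0, len(dir_bytes), 32):
        e = dir_bytes[off:off + 32]
        if e[0] == 0x00:               # 0x00 = no more entries in this directory
            break
        d = parse_dir_entry(e)
        d["chain"], d["chain_end"] = cluster_chain(fat, d["first_cluster"])
        d["sectors"] = [cluster_to_sector(c, data_start, spc) for c in d["chain"]]
        d["clusters_needed"] = ceil(d["size"] / (spc * SECTOR))   # how far to carve a deleted file
        files.append(d)
    return files


def build_sample(loop: bool = False) -> tuple:
    """Constructed FAT16 (64 entries) and a root directory with one live, fragmented
    file and one deleted file. With loop=True the FAT is corrupted so that 7 -> 3."""
    fat = bytearray(64 * 2)
    links = {0: 0xFFF8, 1: 0xFFFF, 3: 4, 4: 7, 7: 3 if loop else 0xFFFF}
    for c, nxt in links.items():
        struct.pack_into("<H", fat, c * 2, nxt)       # clusters 5 and 6 stay 0 (free)

    def entry(name: bytes, attr: int, first: int, size: int) -> bytes:
        return name.ljust(11, b" ") + bytes([attr]) + bytes(14) + struct.pack("<HI", first, size)

    root = (entry(b"REPORT  TXT", 0x20, 3, 5000)       # live: clusters 3 -> 4 -> 7
            + entry(b"\xE5ECRET  DOC", 0x20, 5, 600)   # deleted: still points at cluster 5
            + bytes(32))
    return bytes(fat), root
```

For the deleted entry the chain ends at a free entry after a single cluster, so the examiner knows the starting sector and, from the size field, how many clusters to read; whether the data is still there depends on whether those clusters have been reused.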
Compared with FAT, NTFS differs in several respects. These include:
(1) with FAT, a file's information is spread over the directory entry, the FAT, and the
data area, whereas in NTFS only the MFT and the data area are used, and for
small files the data is stored in the MFT record itself;
(2) NTFS records more details about each file, such as its security descriptor
(ownership and permissions) and other attributes;
(3) NTFS therefore gives administrators finer control over access to all system files and
directories;
(4) NTFS is also a journaling file system that records file system transactions in its
log file ($LogFile) before applying them.
This allows the system to complete an in-progress transaction or roll back to the last
consistent state after a power failure.
In NTFS, the boot sector ($Boot) starts at sector 0 of the volume and can occupy up
to 16 sectors; among other things it records where the Master File Table (MFT) is
located. NTFS describes every file and directory in a separate MFT record, typically
1,024 bytes long, where each record contains metadata about the file and either the
file's data or pointers to where that data is stored.
There are two ways to store a file's data with respect to its MFT record: resident
and non-resident. Small files, roughly 512 bytes or less, are stored inside the MFT
record itself and are referred to as resident. Larger files are stored in clusters
outside the MFT and are referred to as non-resident; the record then holds data
runs giving the logical addresses (cluster ranges) where the file's data lives.
Every MFT record starts with a header, beginning with the signature "FILE", that
among other fields gives the offset at which the first attribute starts. Each
attribute in turn has its own header with a type ID, a flag stating whether that
attribute is resident or non-resident, and a length value that defines where the
attribute ends and where the next one starts. Please refer to the
following link for more detailed information on how the MFT is
structured: http://technet.microsoft.com/en-us/library/cc781134.aspx.
Microsoft Startup Tasks
In some crime scenes, investigators must keep the digital information on the HDD
exactly as it was. Logging in to a suspect device, or even just booting it, can
alter the digital evidence. Fig. 3 illustrates the main steps that Microsoft
Windows follows during the boot process.
It is worth mentioning that, in Windows Vista and later, the boot process is
controlled by the Boot Configuration Data (BCD) store, a registry hive file kept
in the \Boot folder (or on the EFI system partition on UEFI systems).
Investigators can inspect it with the BCD Editor (bcdedit.exe). The BCD store
holds the configuration used by the Windows Boot Manager (bootmgr.exe), which
initiates the bootstrap process and then hands over to winload.exe (normal boot)
or winresume.exe (resume from hibernation). In older versions of Windows such as
Windows XP, a single program, Ntldr, performed the tasks that bootmgr.exe,
winload.exe, and winresume.exe perform today.
[2]https://www.disk-partition.com/disk-partiton/create-hidden-partition-on-
usb-drive.html
[3] http://www.file-recovery.com/downloads/filerecovery.pdf
[4] https://docs.microsoft.com/en-us/windows/win32/fileio/file-encryption
Content Template
A wide range of file system standards are supported by Linux. The oldest one
was called Second Extended File System (Ext2) and then came Third Extended
File System (Ext3) which replaced Ext2 in most Linux distributions. The main
difference between them is that Ext3 was using a journaling file system having
built-in file recovery mechanisms. Nowadays, in all current Linux distributions,
the fourth Extended File System (Ext4) is considered the standard file system.
In addition to supporting all features of the former file systems, Ext4 has its
own main features. They are:
• The number of actual blocks assigned to a file
• File generation number and version number
• The continuation inode’s link
Linux Ext file systems keep track of bad sectors through a reserved inode, the
bad block inode: inode 1 is the bad block inode and inode 2 is the root
directory inode. Some forensic tools skip inode 1 and may therefore fail to
examine blocks that were marked bad, which is a place where data can be hidden.
The badblocks command can be used to scan a device for bad blocks, and the
mke2fs and e2fsck commands can do so as well (with their -c option), in
addition to their main functions of creating a file system and checking it for
consistency; mke2fs also sets parameters such as the block size in bytes.
A hard link is a directory entry that lets users access the same file under
different filenames; all such names refer to the same inode and the same physical
location on the disk drive, i.e. users with different login credentials can reach
the same physical file. If one user changes the file, the change is visible when
another user opens it through any of its names. Users can use the ln command to
create a hard link on Linux systems, but all names pointing to the
same inode have to be on the same file system (volume), not on another one.
Symbolic links (created with ln -s) are also pointers. Unlike hard links, they
can point to items on other disk drives or on other parts of the network by using
an absolute path. A symbolic link has its own inode, different from the inode of
the item it points to, and it identifies its destination by name and path, which
makes symbolic links easier to identify on a running Linux system than hard
links. If the destination path no longer exists, the symbolic link no longer
resolves (a dangling link).
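An added Python example (not code from the course text) that shows the behaviour described above on a live file system: it creates a file, a hard link and a symbolic link in a temporary directory, compares their inode numbers with lstat, edits the file through one name, removes the original name, and checks which links still work and how many names an inode has. File names and content are constructed for the example; it needs a POSIX file system (os.link and os.symlink).

```python
"""Hard links versus symbolic links, as an examiner would see them with
lstat(2): one inode under two names, and a symlink with its own inode that
dangles once its target is gone. Paths and content are constructed."""
import os
import tempfile


def describe(path: str) -> dict:
    st = os.lstat(path)                        # lstat: look at the link itself, not through it
    link = os.path.islink(path)
    return {"inode": st.st_ino, "nlink": st.st_nlink, "is_symlink": link,
            "target": os.readlink(path) if link else None,
            "resolves": os.path.exists(path)}  # exists() follows the symlink


def find_names_for_inode(root: str, inode: int, dev: int) -> list:
    """Every directory entry under `root` sharing one inode on one device
    (what `find root -inum N` or `ls -i` would reveal)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)
            if st.st_ino == inode and st.st_dev == dev:
                hits.append(p)
    return sorted(hits)


def demo() -> dict:
    work = tempfile.mkdtemp()
    target = os.path.join(work, "evidence.txt")
    hard = os.path.join(work, "same-file-other-name.txt")
    sym = os.path.join(work, "shortcut.txt")
    with open(target, "w") as f:
        f.write("original content\n")
    os.link(target, hard)                      # ln target hard   (same file system only)
    os.symlink(target, sym)                    # ln -s target sym (absolute path, own inode)
    t, h, s = describe(target), describe(hard), describe(sym)
    ino, dev = t["inode"], os.lstat(target).st_dev
    names_before = len(find_names_for_inode(work, ino, dev))
    with open(hard, "a") as f:                 # edit through one name...
        f.write("edited through the other name\n")
    with open(target) as f:                    # ...and it shows through the other
        edit_visible = "edited" in f.read()
    os.remove(target)                          # unlink one name: data survives via the hard link
    return {"same_inode": t["inode"] == h["inode"], "nlink_before": t["nlink"],
            "symlink_has_own_inode": s["inode"] != t["inode"],
            "symlink_target": s["target"] == target,
            "names_before": names_before, "edit_visible": edit_visible,
            "hard_readable_after": os.path.exists(hard),
            "nlink_after": os.lstat(hard).st_nlink,
            "symlink_dangling": os.path.islink(sym) and not os.path.exists(sym),
            "names_after": len(find_names_for_inode(work, ino, dev))}
```

The link count (st_nlink) is the quick indicator that a file has more names than the one being looked at; finding those other names still requires a walk of the whole file system, which is why hard links are harder to spot than symbolic links.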
Content Template
Content Mac OS X is the last family of OSs reviewed in this chapter. It is built upon a
core system called Darwin, which is derived from BSD UNIX. Two file systems have
mainly been used by Apple's OS: the Hierarchical File System (HFS) and HFS Plus,
also known as the Extended Format File System (HFS+). The main difference between
them is that HFS was limited to 65,536 allocation blocks per volume, whereas HFS+
raised that limit to about 4 billion (2^32). Consequently, HFS+ can use smaller
allocation blocks on large volumes, which reduces wasted (slack) space and improves
disk usage.
Both file systems keep two end-of-file (EOF) descriptors for each file: the physical
EOF and the logical EOF. The first refers to the number of bytes allocated on the
volume for the file; the second represents the actual end of the file's data.
Each file consists of two parts, a data fork and a resource fork. The data fork holds
the file's content; the resource fork holds structured resources such as the resource
map, a resource header, window locations, and icons.
A volume is a storage medium for hard disks that is utilized to store files and
directories. Each volume is organized in logical blocks and allocation blocks. A
logical block is 512 bytes. An allocation block is a group of consecutive logical
blocks used to store a file; depending on the file size, a file may occupy one or
several allocation blocks.
HFS uses a technique called clumps to reduce file fragmentation: a clump is a group of
contiguous allocation blocks that is allocated as a unit, so larger files grow in
larger contiguous pieces. The first two logical blocks, 0 and 1, are the boot blocks,
which contain the startup instructions for the system.
Previous versions of Mac OS used the Master Directory Block (MDB) for HFS: all of the
volume's information is written to the MDB when the volume is initialized. When the OS
mounts a volume, it copies information from the MDB to a Volume Control Block (VCB)
held in system memory; when the user unmounts the volume, the VCB is discarded. A
copy of the MDB is kept up to date whenever the extents overflow file or the catalog
file grows. The extents overflow file stores file extent information not found in the
MDB or a VCB, and the catalog file maintains the relationships between files and
directories on a volume.
For digital forensics investigations in Mac OS X, examiners must know where
file system components are located and how both files and file components are
stored.
Three application data formats are commonly encountered on macOS systems: plain
text, plist files (in XML or binary form), and SQLite databases. Plain-text files can
be read with any text editor. Plist files are mainly preference files for the
applications installed on a system and are stored in /Library/Preferences and in each
user's ~/Library/Preferences; to view them, users can use special editors such as
PlistEdit Pro (the XML form is readable in a text editor as well). Finally, SQLite
databases can be viewed with DB Browser for SQLite (formerly SQLite Database Browser)
or the sqlite3 command-line tool.
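An added example (Python; not code from the course or from PlistEdit Pro or DB Browser for SQLite) that triages the three formats by their magic bytes and then parses each: plistlib reads both XML and binary plists, and sqlite3 opens the database read-only. The preference keys, host names, URLs and timestamps are constructed for the example; the visit_time column is assumed to hold seconds since Apple's 2001-01-01 epoch, a convention many Apple databases follow, which is why a conversion function is included.

```python
"""Triage of three artefact formats found on macOS: binary plist, XML plist and
SQLite. The preference keys, hosts, URLs and timestamps are constructed for
this example; they are not real application data."""
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone

COCOA_EPOCH_OFFSET = 978307200   # seconds from 1970-01-01 to 2001-01-01 (Cocoa/Core Data epoch)


def identify(data: bytes) -> str:
    """Format triage by magic bytes, done before trusting the file extension."""
    if data.startswith(b"bplist00"):
        return "binary plist"
    if data.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    if data.lstrip().startswith(b"<?xml") and b"<plist" in data[:512]:
        return "xml plist"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def cocoa_to_iso(ts: float) -> str:
    """Many Apple databases store seconds since 2001-01-01, not the Unix epoch;
    decoding them as Unix time would shift every event back 31 years."""
    return datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def build_samples(work: str) -> str:
    """Constructed artefacts standing in for a preference file and an app database."""
    prefs = {"LastOpenedFile": "/Users/alice/Documents/budget.xlsx",
             "RecentHosts": ["10.0.0.5", "files.example.test"], "AutoLogin": True}
    with open(os.path.join(work, "com.example.app.plist"), "wb") as f:
        f.write(plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY))
    with open(os.path.join(work, "com.example.app.xml.plist"), "wb") as f:
        f.write(plistlib.dumps(prefs, fmt=plistlib.FMT_XML))
    con = sqlite3.connect(os.path.join(work, "History.db"))
    con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT, visit_time REAL)")
    con.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                    [("https://example.test/files", 637496500.0),
                     ("https://example.test/login", 637496430.0)])
    con.commit()
    con.close()
    with open(os.path.join(work, "notes.txt"), "w") as f:
        f.write("meeting at 10:20\n")
    return work


def triage(work: str) -> dict:
    report = {}
    for name in sorted(os.listdir(work)):
        path = os.path.join(work, name)
        with open(path, "rb") as f:
            data = f.read()
        kind = identify(data)
        if kind.endswith("plist"):
            report[name] = (kind, plistlib.loads(data)["LastOpenedFile"])  # loads() handles both forms
        elif kind == "sqlite":
            con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)       # never open evidence read-write
            rows = con.execute("SELECT url, visit_time FROM visits ORDER BY visit_time").fetchall()
            con.close()
            report[name] = (kind, [(url, cocoa_to_iso(t)) for url, t in rows])
        else:
            report[name] = (kind, None)
    return report


def demo() -> dict:
    return triage(build_samples(tempfile.mkdtemp()))
```

Opening the database through a read-only URI matters on real evidence: a normal sqlite3 connection may create or replay journal files and so modify the working copy.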
Among Mac OS files that might contain information useful for a digital forensics
analysis process are:
Several programs can be used on HFS+ systems to encrypt and decrypt a user's home
directory, such as FileVault. FileVault uses two keys: a master key and a recovery
key. FileVault 2 encrypts the whole disk drive using the AES algorithm with a 128-bit
key (in XTS mode). Investigators can also find the so-called keychain files, which
record which applications and files require passwords, in a variety of places:
/System/Library/Keychains, /Library/Keychains, and each user's ~/Library/Keychains.
In Mac OS X, files deleted through the Finder are moved to the Trash (the .Trash
folder in the user's home directory, or .Trashes on external volumes). However, a
file deleted from the Command Line Interface (CLI) with rm does not pass through the
Trash.
BlackBag Technologies produces software for examining the Mac OS X file
system. The company provides acquisition tools for Mac OS versions from OS 9 onward,
including OS X, and forensic boot media named MacQuisition for making
an image of a Mac HDD. It has also written a guide to the forensic examination
of Macs. For more information about the tools please refer to the
company's Web site (https://www.blackbagtech.com/software-products.html).
Normally, the tool an examiner uses depends on the format of the image file.
For example, if EnCase or FTK was used to generate an Expert Witness (E01)
image, one of those programs is the natural choice for analyzing the
content of the image. Otherwise, any one of the following can be used:
• X-Ways Forensics
• BlackBag Technologies Macintosh Forensic Software (OS X
only)
• Guidance Software EnCase
• SubRosaSoft MacForensicsLab (OS X only)
• AccessData FTK
Students should get hands-on experience with these tools and learn to differentiate
their functions and usage. As an example of their usage, BlackBag
Technologies' Mac forensic software and SubRosaSoft MacForensicsLab have a
useful feature for enabling or disabling automatic mounting when a drive is
connected via USB or FireWire. This lets an examiner connect a suspect disk drive to
a Mac without a hardware write-blocking device; since it is a software control, it
should be verified to be in effect before the suspect drive is attached.
Content Template
Section 2 overviewed the Linux file systems Ext2, Ext3, and Ext4 and outlined
the main differences among them. It also listed the main components defining
the file system: boot block, superblock, inode block, and data block. In
addition, it discussed several core concepts of Linux such as inodes,
hard links, and symbolic links.
The last OS discussed in this chapter (in Section 3) was Mac OS. We
mentioned its two main file systems, HFS and HFS+, and outlined the main
differences between them. We also described the structure of a file, which
consists of two parts: a data fork and a resource fork. In addition, we covered
several main concepts of Mac OS such as clumps and plist files.
Activity Template
Number 4.1
Title Compare contents of several files at the hexadecimal level
Type Reflection
Aim LO.1 & LO.2
The aim of this activity is to teach students how to become familiar with
different file types and compare various files to determine whether they are
different at the hexadecimal level or not.
Description
In this activity, students will compare files created in Microsoft Office to
determine whether the files are different at the hexadecimal level. Students
can use Windows and follow the following steps:
1. Create a Word document with some text → save it → exit.
2. Create an Excel sheet with some numbers → save it → exit.
3. Download Hex Workshop (http://www.hexworkshop.com/).
4. Start Hex Workshop → open the .doc file you created in Step (1).
5. In Hex Workshop, navigate the Editor pane to find the Offset, Hex, and
Text columns. In a separate document, write down the information you
captured in these columns.
6. Repeat Step (5) for the Excel sheet you created in Step (2).
7. Compare the printouts from Steps (5) and (6) and describe
any differences you find in the MS Office file headers.
Timeline Understand the activity: 1hr.
Implement the above steps: 1hr.
Assessment Each student’s work will be evaluated based on the successful implementation
of the above steps.
Activity Template
Number 4.2
Title Explore the Master File Table (MFT)
Type Reflection
Aim LO.1 & LO.4
The aim of this activity is to introduce students with the necessary practical
skills on how to explore the Master File Table (MFT) of Microsoft Windows to
locate date and time values in the metadata of a file they create.
Description In this activity, students will explore the Master File Table (MFT) and learn
how to locate date and time values in the metadata of a file they create. To
implement this activity, students need the following components:
• ProDiscover Basic (Download it using the following link)
http://prodiscover-basic.freedownloadscenter.com/windows/
• WinHex Demo (Download it using the following link)
https://www.x-ways.net/winhex/
Follow the following steps:
1. Create a folder on your C: drive → create a .txt file with some random
text → save the file in your work folder.
2. Start ProDiscover Basic → go to PhysicalDrive0 → type c-drive →
click to expand Content View, Disks, and PhysicalDrive0 → go to
Work area → right-click $MFT → click Copy File → navigate to your
work folder → click Save.
Students may refer to this YouTube link to help them navigate the
tool (https://www.youtube.com/watch?v=f5czUMEeazo).
3. When the $MFT file has been copied to your work folder, exit
ProDiscover Basic, saving the project if prompted.
4. Start WinHex Demo → click the Open toolbar button → navigate to
your work folder → open the $MFT file → click Search → enter the name of the text
file created in Step (1) → click the Format Code list arrow → click
Unicode. Students may refer to the following YouTube link to help
them navigate the tool
(https://www.youtube.com/watch?v=AIeaSM0d_6M).
5. In the Data Interpreter window → click Options → click Win32
FILETIME (64 bit) → go to the WinHex window → click at the beginning
of the record, on the letter F in FILE → drag down until the counter
reaches 50, then release the mouse button.
6. Move the cursor one position to the left and record the date and
time shown in the Data Interpreter's FILETIME values.
7. Repeat Steps 5 and 6, using the offset positions plus 8 bytes each time, to see
the values for the remaining date and time fields. Write down
these values. When you are finished, exit WinHex and hand in the
date and time values you recorded.
Timeline Understand the activity: 1hr.
Implement the above steps: 1hr.
Assessment Each student’s work will be evaluated based on the successful implementation
of the above steps.
Activity Template
Number 4.3
Title Perform an OS X file system analysis
Type Reflection and Search
Aim LO.3 & LO.4
The aim of this activity is to give students the practical skills needed to
explore the OS X file system, its functions, and the tools available
in BlackBag Technologies Macintosh Forensic Software.
Description This activity was adapted from Ref [1]. In this activity, students will perform
an OS X file system analysis to become familiar with the functions and tools
available in BlackBag Technologies Macintosh Forensic Software. To
successfully implement this activity, students need the following
components:
• Macintosh (OS X 10.2) (https://support.apple.com/downloads/mac-
os-x-10.2.2)
• BlackBag Technologies - Download Demo Version from here
(https://www.blackbagtech.com/)
To prepare for this activity, do the following:
A. Make sure the following files have been extracted to your work
folder: GCFI-OSX.001 through GCFI-OSX.007.
B. Rename each GCFI-OSX image file in the Macintosh Disk Image
format with .dmg and .dmgpart extensions.
C. Start Finder, and locate and double-click the first file, GCFI-OSX.dmg
(previously GCFI-OSX.001), to mount the disk image.
Follow these steps for the partition mapping data on this OS X drive:
1. Start BlackBag → Click PDISKInfo on the BlackBag Forensic Suite
ToolBar → Click the Suspect Device list arrow → Click the .dmg file.
(https://www.youtube.com/watch?v=5nVShcqfO5I)
2. Click the Partition Map → Type the root password for your Macintosh
system → Save the PDISKInfo output by clicking Save Report →
Type GCFI-OSX-partrpt.txt → Click Save.
3. In the Where drop-down list box, click the folder where you want to
save it. If the ReportSaved dialog box opens, click OK. When you’re
finished, exit PDISKInfo.
4. Repeat these steps, clicking the PMAPInfo and IORegInfo buttons on
the BlackBag Forensic Suite ToolBar, and save the report each utility
creates. For the IORegInfo utility, click All Information.
5. Continue the analysis of this drive to learn how the DirectoryScan,
File-Searcher, and VolumeExplorer utilities work. When you have
finished, write a short paper describing the results of each function.
Timeline Understand the activity: 1hr.
Implement the above steps: 2hr.
Assessment Each student’s work will be evaluated based on the successful implementation
of the above steps, and the short paper that will be submitted after completing
the activity.
Activity Template
Number 4.4
Title Analyze an image file with Sleuth Kit and Autopsy tools
Type Research
Aim LO.4, LO.4, & LO.5
The main purpose of this activity is to make students familiar with the Sleuth
Kit and Autopsy tools. Students will convert an image file to a raw dd image, and then
analyze it with these two tools.
Description
This activity was adapted from Ref [1]. For this activity, students will convert the image file
GCFI-datacarve-FAT.eve to a raw dd image by using ProDiscover Basic, and then
analyze it with the Sleuth Kit and Autopsy tools. To successfully implement this activity, students
need the following:
• A PC running Windows with ProDiscover Basic installed
(https://prodiscover-basic.software.informer.com/8.2/)
• A Linux or UNIX system with Sleuth Kit and Autopsy installed
(https://www.sleuthkit.org/), (https://www.sleuthkit.org/autopsy/)
Activity Template
Number 4.5
Title Use online resources to research for popular tools that allow Linux to perform read and
write access to an NTFS-formatted drive.
Type Search
Aim LO.1, LO.3 to LO.5
The aim of this activity is to teach students how to use online resources to research
popular tools that allow Linux to mount and perform read and
write access to an NTFS-formatted drive.
Description The purpose of this activity is to provide students with more technical information on how
to mount NTFS partitions on the Linux operating system to perform read and write access.
To do that, students will use Internet resources to gather information. After that, they
will write a two-page report outlining all the necessary steps, available drivers and software
that need to be installed in any Linux distribution. (Hint: See www.linux-ntfs.org or
http://sourceforge.net/projects/linux-ntfs/ to start your research.)
Timeline Search through the Internet: 1hr.
Write a report: 2hr.
Assessment The student’s work will be evaluated based on the submitted report and its alignment with
the activity’s objectives.
Think Template (MCQs)
Number 4.1
Title Fundamentals of file systems
Type Choose the correct answer
Question How many bytes does a disk drive sector typically contain?
(A) 256
(B) 512
(C) 1024
(D) 2048
Think Template (MCQs)
Number 4.2
Title Fundamentals of file systems
Type Choose the correct answer
Question Virtual machines have which of the following limitations when running on
a host computer?
(A) Internet connectivity is restricted to virtual web sites.
(B) Applications can be run on the virtual machine only if they’re resident
on the physical machine.
(C) In some cases, the capability of a virtual machine is constrained by the
host computer’s peripheral configurations, such as mouse, keyboard,
CD/DVD drives, and other devices.
(D) Virtual machines can run only OSs that are older than the physical
machine’s OS.
Answers (C)
Think Template (MCQs)
Number 4.3
Title Fundamentals of file systems
Type True or False
Question Metadata of NTFS normally uses 16-bit Unicode for character code
representation instead of the 8-bit configuration that ASCII uses.
(A) True
(B) False
Answers (A)
Think Template (MCQs)
Number 4.4
(B) ______________________________
(C) ______________________________
Think Template (MCQs)
Number 4.5
Title Fundamentals of file systems
Type Choose the correct answer
Question EFS can encrypt which of the following?
(A) Files, folders, and volumes
(B) Certificates and private keys
(C) The global Registry
(D) Network servers
Answers (A)
Think Template (MCQs)
Number 4.6
Title Fundamentals of file systems
Type Choose the correct answer
Question How does Mac OS 9 reduce disk fragmentation?
(A) Clumps are used to group contiguous allocated blocks.
(B) The MDB is reconfigured by File Manager.
(C) Data is written to the extents overflow file.
(D) Disk Arbitration is used to reorganize data on the volume.
Answers (A)
Think Template (MCQs)
Number 4.7
Title Fundamentals of file systems
Type Choose the correct answer
Question In UNIX OSs, drives, monitors, and NICs are treated as which of the
following?
(A) Objects
(B) Tar devices
(C) Files
(D) Mount devices
Answers (C)
Think Template (MCQs)
Number 4.8
(B) ______________________________
(C) ______________________________
Extra Template
Number 4.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 4.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
5. Overview of Common Tools for Digital Forensics
Scope Template
Number 5
Outcomes LO.1: Explain how to evaluate needs for computer forensics tools
LO.2: Describe available computer forensics software and hardware tools
LO.3: Apply forensics tools to analyze case studies
LO.4: List some considerations for computer forensics hardware tools
LO.5: Compare forensics tool functions
LO.6: Describe methods for validating and testing forensics tools
Topics 5.1 Main Functions of Computer Forensics Tools
5.2 Computer Forensics Software Tools
5.3 Computer Forensics Hardware Tools
5.4 Forensics Software Validation Protocols
5.5 Chapter’s Summary
Study Guide Task Time
Preparation (Introduction and On-line Planning): 1 hr
Textbook Content: 6 hr
Thinking (On-line discussions, Review questions) 1 hr
Tutorial Work: 8 hr
Related Course Work: 2 hr
Total 18 hours
Reading Material
1. Chs. 6 & 7, Guide to Computer Forensics and Investigations (5th Edition).
By Bill Nelson, Amelia Phillips, Christopher Steuart, 2016.
2. Part II & Part III, The Art of Memory Forensics: Detecting Malware and
Threats in Windows, Linux, and Mac Memory (1st Edition). By Michael
Hale Ligh, Andrew Case, and Aaron Walters, 2014.
Content Template
Content Digital forensic utilities are mainly classified into those aimed at hardware or
software. A hardware tool can be a simple one, for example set up for a single-
purpose component, or a more complex one like those necessary for complete computer
systems and servers. An example of a single-purpose hardware tool is the Tableau
T35es-R2 SATA/IDE eSATA. It is used to access a SATA or an IDE disk drive with
one device. Expert systems and DIBS Advanced Forensic Workstations are some
examples of digital forensic hardware tools mainly designed for complete systems.
Software forensic tools can also be sub-divided, into command-line and GUI-based
tools. SafeBack is an example of a command-line disk acquisition tool that
was mainly designed for a specific task. Other tools are designed to perform
several different tasks, like PassMark Software OSForensics, AccessData FTK,
Technology Pathways ProDiscover, and X-Ways Forensics. Software forensic tools are
also commonly used for data copying purposes.
Hardware and software forensics tools share common specific functions. The
following set of functions is used as a guideline to evaluate digital forensics
tools. As will be shown later, every function has several subfunctions specific to
data analysis, data recovery, and data quality assurance.
1. Data acquisition
One of the first tasks that digital forensic investigators should care about is how
to acquire data from a device while preserving the original disk drive.
This is done by making a replica of the main HDD to protect the digital evidence,
if there is any, from damage or corruption. Data acquisition has several
subfunctions, which include the following:
2. Validation and verification
Validation and verification are two main functions that are used for
testing purposes. Here, validation is specifically used to confirm that a tool is
functioning as expected, without unexpected results, and verification assures that
two datasets (the original drive and the image) are completely identical. This
process can be done with the help of hashing algorithms. The Scientific Working
Group on Digital Evidence (SWGDE) has some online datasets used as benchmarks
for testing digital forensics tools. As an example, consider the forensics tool
EnCase. This tool prompts the user to obtain the MD5 hash value of acquired data,
and FTK is used to validate the generated MD5 and SHA-1 hash sets during the
process of acquiring digital data. Also, some hardware acquisition tools have
facilities to simultaneously apply both the MD5 and CRC-32 hashing algorithms while
acquiring the data. Examples of such tools are Image MASSter and Solo-4. It is highly
recommended to use tools with built-in hashing mechanisms for
verification purposes. The hashing mechanism itself depends on the investigation
process, but in most cases it produces a unique hexadecimal
value for ensuring that the original data is unchanged. The National Software
Reference Library (NSRL) is a good resource that investigators can use to
get technical details about the hash values in use for various OSs,
and images that investigators can download from:
www.nsrl.nist.gov/Downloads.html.
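The verification step described above, as an added example (not from the course text, EnCase, FTK or any imager): the data is read once and fed to MD5, SHA-1, SHA-256 and CRC-32 at the same time, and the image is accepted only if every digest equals the source's. The "drive" and its "images" are constructed byte strings.

```python
"""Single-pass verification of an acquired image against its source.

Added example; the 'drive' and both 'images' below are constructed.
"""
import hashlib
import io
import zlib

CHUNK = 4096  # read size; real tools use the device's sector or block size


def digest_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Hash a byte stream once, feeding every chunk to every algorithm.

    Returns {name: hex digest}. 'crc32' is added as the 8-digit hex value
    that hardware imagers report alongside MD5.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
        crc = zlib.crc32(chunk, crc)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return result


def digest_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data), algorithms)


def verify_image(source_bytes, image_bytes):
    """Compare source and image digests algorithm by algorithm.

    Returns (all_match, {name: (source_digest, image_digest, match)}).
    A single mismatch means the image is not a faithful copy and must be
    re-acquired before it is used as evidence.
    """
    src = digest_bytes(source_bytes)
    img = digest_bytes(image_bytes)
    report = {name: (src[name], img[name], src[name] == img[name]) for name in src}
    return all(match for _, _, match in report.values()), report


# Constructed sample 'drive': a boot-sector-like header, a document, zero fill.
SOURCE_DRIVE = (b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA"
                + b"Quarterly report, confidential." + b"\x00" * 2000)
GOOD_IMAGE = bytes(SOURCE_DRIVE)            # bit-for-bit copy
_tampered = bytearray(SOURCE_DRIVE)
_tampered[600] ^= 0x01                      # one flipped bit in the image
BAD_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    for label, image in (("good", GOOD_IMAGE), ("tampered", BAD_IMAGE)):
        ok, report = verify_image(SOURCE_DRIVE, image)
        print(f"{label} image verified: {ok}")
        for name, (s, i, match) in report.items():
            print(f"  {name:6s} source={s[:16]}.. image={i[:16]}.. match={match}")
```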
3. Extraction
The extraction task is considered the most difficult of all the tasks. It is responsible
for data recovery. Simple Carver Suite and DataLifter are examples of forensic
tools that can be used for this purpose. They are mainly designed to work with
common data types that are taken from the unallocated HDD space. DataLifter
includes another interesting feature that enables users to add other header values
as needed. The extraction function is further divided into several subfunctions:
- Data viewing
- Keyword searching
- Decompressing or uncompressing
- Carving
- Decrypting
- Bookmarking or tagging
All these subfunctions give digital investigators good flexibility in exploring the
data. Data analysis, data recovery, and encrypting or decrypting files are considered
major challenges that need special treatment by investigators.
From the point of view of a digital investigation, encrypted files and systems are
a big challenge. This is due to the fact that many password recovery tools are
freely available with built-in mechanisms to generate potential password lists
(brute-force attack).
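The carving subfunction described above, as an added example (not from the course text, Simple Carver Suite or DataLifter): raw bytes are scanned for known file headers, each hit is cut out up to its footer, and a missing footer falls back to the next header or a size cap. The signature table is extensible, mirroring the "add other header values" feature, and the "unallocated space" is a constructed byte string.

```python
"""Header/footer carving over unallocated space (added example; all data constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    kind: str
    header: bytes
    footer: Optional[bytes]   # None: no reliable footer for this type
    max_size: int             # cap so a lost footer cannot swallow the disk


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool            # True only when header and footer were both found


# Extensible signature table; append a Signature to carve a new type.
SIGNATURES = [
    Signature("jpeg", b"\xFF\xD8\xFF", b"\xFF\xD9", 10 * 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82", 10 * 1024 * 1024),
    Signature("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    Signature("zip", b"PK\x03\x04", None, 1024),
]


def find_all(data, pattern):
    """All offsets of pattern in data (overlapping matches included)."""
    hits, i = [], data.find(pattern)
    while i >= 0:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def carve(data, signatures=SIGNATURES) -> List[Carved]:
    """Carve every file whose header appears in data, sorted by offset."""
    # Every header offset of every type: a footerless carve stops at the next
    # header instead of running into the following file.
    all_headers = sorted({off for sig in signatures for off in find_all(data, sig.header)})
    found = []
    for sig in signatures:
        for start in find_all(data, sig.header):
            limit = min(len(data), start + sig.max_size)
            next_header = next((off for off in all_headers if off > start), len(data))
            if sig.footer is not None:
                hit = data.find(sig.footer, start + len(sig.header), limit)
                if hit >= 0:
                    found.append(Carved(sig.kind, start, data[start:hit + len(sig.footer)], True))
                    continue
            # No footer for this type, or the footer was overwritten: carve to
            # the next header or the size cap and mark the result incomplete.
            end = min(limit, next_header)
            found.append(Carved(sig.kind, start, data[start:end], False))
    return sorted(found, key=lambda c: c.offset)


# Constructed unallocated space: zero fill around four planted files.
PAD = b"\x00" * 64
JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 30
       + b"\x00\x00\x00\x00IEND\xAEB`\x82")
PDF_TRUNCATED = b"%PDF-1.7\n" + b"obj" * 20            # its %%EOF was overwritten
ZIP_FRAGMENT = b"PK\x03\x04" + b"\x33" * 20
UNALLOCATED = PAD + JPEG + PAD + PNG + PAD + PDF_TRUNCATED + PAD + ZIP_FRAGMENT + PAD

if __name__ == "__main__":
    for c in carve(UNALLOCATED):
        state = "complete" if c.complete else "incomplete"
        print(f"{c.kind:5s} offset={c.offset:4d} size={len(c.data):4d} {state}")
```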
4. Reconstruction
The reconstruction function in some forensics tools can be used to re-create the
HDD of the suspect machine:
(1) to analyze the different activities that occurred during the crime scene;
(2) to share the disk drive with other investigators who are working on the same
problem, which allows them to engage in more extensive testing and analysis of the
digital evidence; and
(3) when a disk drive has been infected by malware or other malicious
software.
Investigators can use any of the following methods to reconstruct the original copy
of a disk drive:
• Disk-to-disk copy
• Partition-to-partition copy
• Image-to-disk copy
• Image-to-partition copy
• Disk-to-image copy
• Rebuilding files from data runs and carving
5. Reporting
- Bookmarking or tagging
- Log reports
- Report generator
Table 1: Comparisons of forensics tools functions [1].
When choosing the best tool, investigators need to develop an action plan to
justify their selection. The main goal is to help investigators choose the
appropriate tool, the one that satisfies as many attributes as possible. Among the common
features that will help them in their selection are:
- The type of OS
- The portability of the tool
- The format of the files
- The capabilities of the tool, such as built-in scripting to
automate repetitive tasks and reduce time
- Tool vendor information
- Open-source or commercial tool
Also, it is highly recommended to refer to nonprofit organizations’ websites,
such as NIST’s Computer Forensics Tool Testing (CFTT) program, and to ASTM
International’s E2678 standard when working with and testing digital forensics tools.
Content Template
Command-line interface (CLI) tools are preferable on systems with limited resources
since they do not require a lot of system resources. Some command-line
forensic software is specific to Microsoft Windows systems. Others are
implemented for Linux platforms or Macintosh. Examples of Windows-based
CLI tools are those created by private companies like NTI, Digital Intelligence,
DataLifter, and ByteBack. Linux has several built-in command-line tools like
the dcfldd and dd programs.
Linux platforms are becoming more popular nowadays for both home and
business usage. This popularity is due to the fact that most Linux distributions
are open source and are popular for developing user applications and
services. However, these advantages put a burden on their users to obtain
more technical experience with the Linux terminal and its digital investigative
environment. In the following section we briefly list some of the well-known
Linux digital forensics tools and describe their functions and
capabilities.
1. SMART
2. Helix 3
The unique feature of this tool is that it can be used for live data acquisition.
This is done by inserting the Helix media into the suspect’s
computer to extract data while the system is running. Investigators might
need to retrieve active contents, like the suspect’s user profile, from a
computer or server that can’t be turned off or seized. Thus, this tool can help
in achieving this task.
3. Autopsy and Sleuth Kit
Autopsy and Sleuth Kit are considered part of the Kali Linux kit. They are
among the main tools extensively used by digital investigators when
working with Linux machines. Sleuth Kit is a forensics tool that is mainly
designed for Linux systems, and Autopsy is its GUI browser interface. Both
are accessed from the Kali kit. Students will get hands-on experience in the activity
part on how to use these tools to analyze given crime scenes.
Content Template
- Stationary workstation
- Portable workstation: A laptop with all input and output devices that
can be used as a stationary workstation
- Lightweight workstation: A laptop with a minimal set of peripherals
that can be easily carried and used at crime locations.
There are several considerations investigators must take into account when buying
an investigative workstation. The most important one is the diversity of the
investigative environment. For example, some digital forensics operations
force the investigator to keep the workstation running all the time (24/7)
without slowdown periods. This can happen when investigators must
analyze huge datasets coming from different locations and having different
formats and characteristics. To choose an appropriate workstation that
fits this case, investigators must choose machines with durable
physical hardware.
Based on the above points, investigators must create a plan to balance their
needs against the suggested machine specifications. This way, they can save
time and money. For future planning, it is also highly recommended that
investigators use more than one hardware configuration, as this will help
them face diverse investigations and streamline the workstation to
achieve the target needs.
If an investigator has the necessary technical hardware skills, then he/she can
build his/her own forensic workstation. Otherwise, investigators must ask
for help. Some hardware vendors offer workstations designed for digital
forensics, for example Digital Intelligence, or hardware mounts from
ForensicPC. Also, investigators are not forced to purchase all equipment from
one vendor; they can choose components from several vendors and match
them to get the hardware capabilities they need.
workstation. They intentionally prevent an OS from trying to write new data
to the blocked drive.
Content Template
ISO 5725 is another international standard that can also be used for testing
purposes. NIST has created the NSRL project, which contains common hash
values for vendors’ proprietary tools and OS files. The primary hash algorithm that
the NSRL used was SHA-1. It creates digital signatures called the Reference
Data Set (RDS). Investigators may also use more than one tool to verify their
obtained results or to validate software or hardware upgrades. This can be
done by performing the same tasks with two similar tools. One method that
can be followed to validate a tool is to use disk editing tools, such as WinHex or Hex
Workshop. These tools have a convenient interface that typically shows information
like files, slack, and file headers, amongst other data. In the activity part, students
will work on hands-on projects that help them apply these concepts to validate
some digital forensics software tools.
Digital forensics examiners can also use the following testing steps to validate
a GUI forensics tool.
Finally, for all things to be consistent, investigators must keep the OS and the
digital forensics tools up to date. This requires installing all new system
releases and patches, keeping the OS in a healthy condition all the time,
and also checking the tools’ Web sites for new versions or patches.
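Using the NSRL RDS as described above, as an added example (not from the course text or from NIST): an RDS excerpt is built at run time in the column layout of the legacy NSRLFile.txt export, parsed back, and used to set aside known software so the examiner reviews only unknown or renamed content. Product and OS codes are placeholders, and the "extracted files" are constructed byte strings.

```python
"""Known-file filtering with an NSRL-style Reference Data Set (added example).

All file contents and RDS rows below are constructed; none are real binaries.
"""
import csv
import hashlib
import io
import zlib

# Column layout of the legacy NSRLFile.txt export; the RDS is keyed by SHA-1.
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def rds_row(filename, data, product_code="0", os_code="0"):
    """Render one NSRLFile.txt-style row for constructed known content."""
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return (f'"{sha1}","{md5}","{crc}","{filename}","{len(data)}",'
            f'"{product_code}","{os_code}",""')


# Constructed 'known good' files and the RDS excerpt built from them.
KNOWN_FILES = {
    "notepad.exe": b"MZ\x90\x00constructed notepad content",
    "calc.exe": b"MZ\x90\x00constructed calc content",
    "kernel32.dll": b"MZ\x90\x00constructed kernel32 content",
}
RDS_TEXT = RDS_HEADER + "\n" + "\n".join(
    rds_row(name, data) for name, data in KNOWN_FILES.items()) + "\n"


def load_rds(text):
    """Parse RDS CSV text into {SHA-1 (upper hex): FileName}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["SHA-1"].upper(): row["FileName"] for row in reader}


def triage(extracted, rds):
    """Classify {path: bytes} taken from an image against the RDS.

    Returns {path: (status, sha1)} where status is:
      'known'          hash and name both match an RDS entry (set aside)
      'known-renamed'  known content under a different name (worth a look)
      'unknown'        not in the RDS (review)
    """
    result = {}
    for path, data in extracted.items():
        sha1 = hashlib.sha1(data).hexdigest().upper()
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if sha1 not in rds:
            status = "unknown"
        elif rds[sha1].lower() == name:
            status = "known"
        else:
            status = "known-renamed"
        result[path] = (status, sha1)
    return result


# Constructed files 'extracted' from the image under examination.
EXTRACTED = {
    "C:/Windows/System32/notepad.exe": KNOWN_FILES["notepad.exe"],
    "C:/Windows/System32/kernel32.dll": KNOWN_FILES["kernel32.dll"],
    "C:/Users/jdoe/Documents/budget.xlsx": b"PK\x03\x04constructed spreadsheet",
    "C:/Temp/update.exe": KNOWN_FILES["calc.exe"],   # known content, other name
}

if __name__ == "__main__":
    rds = load_rds(RDS_TEXT)
    for path, (status, sha1) in triage(EXTRACTED, rds).items():
        print(f"{status:14s} {sha1[:12]}  {path}")
```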
Content Template
Activity Template
Number 5.1
Title Use the AccessData FTK forensics tool to analyze data stored in a USB drive
Type Reflection
Aim LO.1 to LO.4
The aim of this activity is to give students the practical skills of using some
forensics tools. For this activity, students will work on the AccessData FTK tool
to analyze the contents of a disk drive.
Description
In this activity, students will use Microsoft Word and Excel to create and delete
files on a USB drive. After that, they will use the AccessData FTK forensics tool
to analyze the drive. Students can download the FTK tool and other relevant
tutorials following this link
https://accessdata.com/products-services/forensic-toolkit-ftk
Follow these steps:
Activity Template
Number 5.2
Title Use the SecureClean tool to remove all traces of data from the USB drive
Type Reflection
Aim LO.1 to LO.4
The aim of this activity is to give students the practical skills of using forensics
tools for crime investigation purposes. For this activity, students will work on
the AccessData FTK tool to analyze the contents of a disk drive.
Description
Students will use the SecureClean tool to erase a USB drive that has some
stored data. Students can refer to the following link to install the SecureClean tool
and download other relevant material:
www.whitecanyon.com/secureclean.php.
To remove all traces of data from your USB drive using the SecureClean
tool, follow these steps:
Activity Template
Number 5.3
Title Use FTK and Hex Workshop tools to verify that a given USB drive contains
evidence.
Type Reflection
Aim LO. 1 to LO.4
The aim of this activity is to give students the practical skills of using forensics
tools to analyze a given data source to find crime evidence.
Description This activity was adapted from Ref [1]. In this activity, students will create a
test drive by planting evidence in the file slack space on a USB drive or small
disk partition. Then they will use FTK and Hex Workshop to verify that the
drive contains evidence. Follow these steps:
1. Format the USB drive → Create an “Activity_5.3” folder on it → Create
a new Word document and type “Testing for string Namibia” → Save the file as
“file1.doc”.
2. Create a new Word document → Type “Testing for string XYZX” →
Save the file as “file2.doc” → Exit.
3. Start Hex Workshop → Create a chart with two columns labelled
“Item” and “Sector”.
4. In Hex Workshop → Open the USB drive → Open file1.doc → Scroll
down until you see “Testing for string Namibia.”
5. Click the tab corresponding to your USB or disk drive → Click at the
beginning of the right column → Click Edit → Find “Text String” →
Type “Namibia” → Click the Either option button → Click OK.
6. In the Item column, write file1.doc → In the Sector column, write the
sector number as shown on the Hex Workshop title bar → Scroll to
the bottom of the sector → Type Murder She Wrote near the end of
the sector in the right pane → Click the Save toolbar button.
7. Click the file1.doc tab → Click Edit → Type Murder in the Value text
box → Click OK → Click Edit → Click OK → Close the file. Write down
the information you found.
8. Open file2.doc → Go to “Testing for string XYZX” → Click the tab for
your USB drive → Click at the beginning of the right column → Click
Edit → Type XYZX → Click OK. On your chart, write file2.doc as the
filename in the Item column, and the sector number in the Sector column.
9. In the tab for the USB drive, type I Spy near the end of the sector in
the right pane, in the slack space → Save → Verify that “I Spy” doesn’t
appear as part of the file by clicking the file2.doc tab and searching
for this string twice. Close the file2.doc file and exit Hex Workshop.
Timeline Understand the activity: 1hr.
Implement the above steps: 1hr.
Assessment Each student’s work will be evaluated based on the successful implementation
of the above steps.
Activity Template
Number 5.4
Title Use Internet resources to search for popular forensics tools to make a comparative study
among their main features.
Type Research
Aim LO.4 to LO.6
The aim of this activity is to teach students how to use online resources to research
popular forensics tools that are available for computing systems and compare their
features.
Description In this activity, students will use Internet resources to gather information about the
following 8 popular forensics tools available nowadays:
• The Sleuth Kit (+Autopsy)
• AccessData FTK
• Guidance Software EnCase
• ProDiscover Forensic
• Volatility Framework
• CAINE
• Xplico
• X-Ways Forensics
Your main task is to create a comparative table covering all of them. You can include as many
comparative features as you can. These may include technical features, main strengths,
main weaknesses, supported file formats, supported platforms, whether the tool is
commercial or open source, etc.
Timeline Search through the Internet: 2hr.
Create the table: 2hr.
Assessment The students will be divided into groups of at most three. Each group is
required to submit the summary report and present it in class at an open discussion
session.
Activity Template
Number 5.5
Title Write a procedure to verify a new forensics software package
Type Research
Aim LO.5 & LO.6
The aim of this activity is to teach students how to use online resources to search for popular
forensics software verification procedures.
Description Consider the following case: You work in the police department as a digital forensic expert.
Two days ago, the police department purchased a new forensic software tool. To make sure
it works correctly, the department has assigned you the task of checking this tool to verify
its operation. Your main task is to provide the department with a structured procedure on
how to verify this newly purchased software package. Write a two-page report outlining the
procedure you plan to use to check this tool.
Timeline Search through the Internet: 2hr.
Write a report: 2hr.
Assessment The students will be divided into groups of at most three. Each group is
required to submit the summary report and present it in class at an open discussion
session.
Think Template (MCQs)
Number 5.1
Title Overview of Common Tools for Digital Forensics
Type Fill in the Blanks
Question The five major tasks performed by most computer forensics tools, both
hardware and software, are:
A. ____________________
B. ____________________
C. ____________________
D. ____________________
E. ____________________
Answers A. Acquisition
B. Validation
C. Extraction
D. Reconstruction
E. Reporting
Think Template (MCQs)
Number 5.2
Title Overview of Common Tools for Digital Forensics
Type Choose the correct answer
Question Which of the following forensics organizations has created criteria for testing
computer forensic tools?
A. NIST
B. SANS
C. DFA
D. HTCIA
Think Template (MCQs)
Number 5.3
Title Overview of Common Tools for Digital Forensics
Type True or False
Question The standards for testing forensics tools are based on ISO 17025.
A. True
B. False
Answers (A)
Think Template (MCQs)
Number 5.4
Title Overview of Common Tools for Digital Forensics
Type Fill in the blanks
Question Forensic software tools are grouped into ____________ and
_______________ applications.
Think Template (MCQs)
Number 5.5
Title Overview of Common Tools for Digital Forensics
Type Choose the correct answer
Question When considering new forensics software, you should do which of the
following?
A. Uninstall other forensics software.
B. Reinstall the OS.
C. Test and validate the software.
D. None of the above.
Think Template (MCQs)
Number 5.6
Title Overview of Common Tools for Digital Forensics
Type True or False
Question NIST testing procedures are valid only for government agencies.
A. True
B. False
Think Template (MCQs)
Number 5.7
Title Overview of Common Tools for Digital Forensics
Type Choose the correct answer
Question When validating the results of a forensics analysis, you should do which of
the following?
Extra Template
Number 5.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 5.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
6. Network Forensics Artefacts
Scope Template
Number 6
Reading Material
1. Ch. 12, Guide to Computer Forensics and Investigations (5th Edition).
By B. Nelson, A. Phillips, C. Steuart, 2016.
2. Ch. 8, A Practical Guide to Computer Forensics Investigations (1st
Edition). By Darren R. Hayes, 2014.
Content Template
Section Number 6.1
Section Title Networks Forensics Overview
Introduction In this section, we talk about network forensics. We mainly focus on shedding
light on the importance of network traffic and its contents for defending against
network attacks and for helping with easy management of the system as well.
Content With the recent increase in network attacks, viruses, trojans, and social media
attacks, digital forensics examiners should know how to deal with crime
scenarios that involve computer networks. Here, we define the network
forensics process as a procedure of collecting, processing and analyzing raw
network traffic to help in tracking ongoing attacks and suggesting mitigation
plans. The collected information can be useful in analyzing system status to
help determine how attackers are getting into the system and what type
of data was copied, modified, or deleted. To do that, well-defined procedures
should be clearly stated for data acquisition before, during, or after the
occurrence of the attack. The procedures followed must be based on two
things: (1) the network infrastructure and design, and (2) the organization’s
requirements and functions.
5. Make a consistency check to ensure that the forensic image is a
copy of the original installation image. Of course, this can be done
by comparing hash values of common files.
Following the above steps, investigators can keep working with the image
copy to find deleted or hidden files and partitions. They may also have to
restore the drive to work more easily with some types of viruses and malware that
an attacker has installed on the system. As an example, consider the situation
where attackers might have intentionally sent a Trojan horse script that
allows them to log in to systems and steal some sensitive files. After that, they
can use rootkit software to perform reconnaissance tasks on the network
with the purpose of collecting the system’s vulnerabilities, which will help them
attack the system again.
Several methods can be used to explore log files and interpret their
information. One such method is running the tcpdump program on a Linux
system. Figure 1 shows a sample record taken from the Linux syslog
files. It shows the main fields and their meanings.
It’s worth noting that the format of a log file may differ from system to system
and from application to application. Thus, when working with a specific application
or system, it is highly recommended to refer to the vendor’s Web site to get
more information about the structure of the log file it generates. Event
correlation methods such as filtering, aggregation, and clustering can be
applied to preprocess, analyze, and merge data obtained from several log files to
extract useful patterns.
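The syslog record fields and the filtering and aggregation steps named above, as an added example (not from the course text or from tcpdump): BSD-style syslog lines are split into timestamp, host, program, pid and message, then filtered by program and aggregated per source address. The log excerpt, host names and addresses are constructed.

```python
"""Parsing and correlating Linux syslog records (added example; log is constructed)."""
import re
from collections import Counter

# Mar 10 13:45:01 web01 sshd[2210]: Failed password for root from ...
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
# sshd authentication failure, capturing the source address to aggregate on
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Split one syslog line into its fields; None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def parse_log(text):
    """Return (records, unparsed_lines) for a whole log file."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        (records if rec else unparsed).append(rec or line)
    return records, unparsed


def filter_records(records, program=None, host=None, contains=None):
    """Filtering step: keep records that satisfy every given criterion."""
    out = []
    for r in records:
        if program and r["program"] != program:
            continue
        if host and r["host"] != host:
            continue
        if contains and contains not in r["message"]:
            continue
        out.append(r)
    return out


def failed_logins_by_source(records):
    """Aggregation step: count sshd password failures per source address."""
    counts = Counter()
    for r in filter_records(records, program="sshd"):
        m = FAILED_RE.search(r["message"])
        if m:
            counts[m["src"]] += 1
    return counts


def brute_force_sources(counts, threshold=3):
    """Sources at or above the failure threshold, most frequent first."""
    return [src for src, n in counts.most_common() if n >= threshold]


# Constructed log excerpt; the last line is deliberately not a syslog record.
SAMPLE_LOG = """\
Mar 10 13:45:01 web01 sshd[2210]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 10 13:45:03 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 10 13:45:04 web01 CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 13:45:09 web01 sshd[2231]: Accepted publickey for deploy from 203.0.113.5 port 51004 ssh2
Mar 10 13:45:12 web01 sshd[2240]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 10 13:45:20 db01 sshd[918]: Failed password for postgres from 203.0.113.9 port 33010 ssh2
Mar 10 13:46:00 web01 kernel: [12345.678901] usb 1-1: new high-speed USB device number 4 using xhci_hcd
this line is not a syslog record
"""

if __name__ == "__main__":
    records, unparsed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(records)} records, {len(unparsed)} unparsed")
    counts = failed_logins_by_source(records)
    print("failed logins per source:", dict(counts))
    print("brute-force suspects:", brute_force_sources(counts))
```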
Examples of such tools are RegMon, FileMon, and PsTools. Some of these are
software kits that contain a group of tools for doing several tasks. For
example, a network administrator can explore the contents of the PsTools files to
check whether an employee accessed a file without authorization.
There are a large number of packets sniffing tools. Most of them can use the
Pcap (packet capture) generic format, such as tcpdump and Wireshark. Pcap
has two other versions: Libpcap (for Linux) and Winpcap (for Windows).
Therefore, to achieve the purpose of the investigation, investigators must
choose the appropriate tool. For example, consider the case of handling a
TCP SYN flooding attack. Here, attackers keep sending TCP connection requests
(segments with the SYN flag set), usually from spoofed source addresses, so
that the server allocates state for connections that are never completed. The
aim is to overload the server: although it can process a huge number of
requests, it can hold only a limited number of half-open connections in its
backlog, and once that is exhausted legitimate clients are refused service. To
investigate this attack, investigators are interested in those segments that
have the SYN flag set and the ACK flag clear, i.e., the connection requests
themselves (a segment with both SYN and ACK set is the server's reply). To
find these packets, investigators can use specialized packet sniffers such as
tcpdump and tshark (the command-line version of Wireshark, formerly called
tethereal), which have built-in filters on the TCP header fields to locate
packets with the SYN flag set.
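As an added example, not part of the course material or of tcpdump/Wireshark, the Python script below builds a small pcap file in memory and walks every frame from the Ethernet header (layer 2) through IPv4 (layer 3) to the TCP flags (layer 4), counting bare connection requests (SYN set, ACK clear) per source address so that the SYN+ACK replies described above are not mistaken for attack traffic. The addresses, ports, packet counts and the suspect threshold are all constructed for the demonstration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4          # native byte-order pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero, which is enough for header parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames in the classic libpcap layout: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for each record of a little-endian pcap blob."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap file with Ethernet link type")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def tcp_header_fields(frame):
    """Walk layer 2 -> layer 3 -> layer 4; return (src, dst, sport, dport, flags) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:        # not IPv4, or IP protocol is not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (options included)
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]   # byte 13 of the TCP header holds the flag bits


def syn_only_sources(pcap_bytes):
    """Count pure connection requests (SYN set, ACK clear) per source IP; SYN+ACK replies are excluded."""
    counts = Counter()
    for _, frame in iter_pcap(pcap_bytes):
        fields = tcp_header_fields(frame)
        if fields and (fields[4] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            counts[fields[0]] += 1
    return counts


def syn_flood_suspects(pcap_bytes, threshold=3):
    """Sources that sent at least `threshold` bare SYNs (the threshold is an illustrative assumption)."""
    return sorted(ip for ip, n in syn_only_sources(pcap_bytes).items() if n >= threshold)


# Constructed traffic: a burst of bare SYNs from one host plus one legitimate three-way handshake.
SERVER, VICTIM_PORT = "192.0.2.10", 80
SAMPLE_FRAMES = [build_tcp_frame("203.0.113.9", SERVER, 40000 + i, VICTIM_PORT, TCP_SYN) for i in range(5)]
SAMPLE_FRAMES += [
    build_tcp_frame("198.51.100.7", SERVER, 51515, VICTIM_PORT, TCP_SYN),
    build_tcp_frame(SERVER, "198.51.100.7", VICTIM_PORT, 51515, TCP_SYN | TCP_ACK),
    build_tcp_frame("198.51.100.7", SERVER, 51515, VICTIM_PORT, TCP_ACK),
]

if __name__ == "__main__":
    pcap = build_pcap(SAMPLE_FRAMES)
    for ip, n in syn_only_sources(pcap).most_common():
        print(f"{ip:>15}  {n} bare SYN(s)")
    print("suspects:", syn_flood_suspects(pcap))
```

On a real capture the same selection is a one-liner with tcpdump's BPF filter, `tcpdump -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`; the script only makes explicit which header bytes that filter tests. Spoofed sources mean the per-address counts identify the pattern, not necessarily the attacker.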
Another major class of attack is the zero-day attack. Here, attackers exploit
new or newly discovered system vulnerabilities before the software vendor
knows about them and a patch is available. Penetration tests can be applied
here to discover previously unseen vulnerabilities and to anticipate the next
steps of an ongoing attack.
Content Template
Section Number 6.2
Section Title The TCP/IP Reference Model
Introduction To understand packet sniffing tools, students should first review the TCP/IP
reference model, its layers, and its well-known protocols. Thus, in this
section we review the two common networking architectures, the ISO/OSI
and the TCP/IP reference models, with more focus on the TCP/IP protocol
suite as it is the Internet model.
Content Network architectures are built on one of two main reference models: the
International Organization for Standardization / Open Systems
Interconnection (ISO/OSI) model and the Transmission Control Protocol /
Internet Protocol (TCP/IP) model. Both models follow a hierarchical
structure in which each layer provides services to the layer above it and
requests services from the layer below it. Figure 2 shows the number and
names of the layers of each model. Both have link, network, transport, and
application layers, but they differ in the remaining layers.
Fig. 2: The difference between the ISO/OSI and the TCP/IP model
Fig. 3: The TCP/IP protocol suite
Figure 3 shows the TCP/IP protocol suite that shapes the Internet and its
common services. IP-based networks have a variety of protocols that
provide the different network services. Below is the list of common TCP/IP
protocols with their use:
• ARP (Address Resolution Protocol): a data link layer protocol that is
used to convert a logical address (IP address) to a physical address
(MAC address).
It's worth noting that most packet analyzing tools work at layers 2 and 3 of
the TCP/IP model, i.e., they capture network frames (the layer 2 PDU) and
network packets (the layer 3 PDU), and then decode the transport and
application layer headers carried inside them. Next, we give some technical
details about each layer of the TCP/IP reference model.
Table 1 summarizes the main differences between the TCP and UDP
transport layer protocols.
Table 1: The main differences between the TCP and UDP protocols.
Content Template
Section Number 6.3
Section Title Virtual Machine Acquisition
Introduction This topic covers the standard procedures for forensic analysis of virtual
machines and the types of hypervisors. It also explains how to work with
virtual machines installed on a different system.
Content Digital forensics investigators must know how to work with virtual machines,
since they are now a standard part of any IT business. Because computer
hardware and software require large budgets to meet service needs, companies
pay close attention to making the best investments in IT infrastructure, and
virtualization lets a single well-equipped server support a small to medium
company's needs. For the investigator this means that the evidence is often a
set of virtual disk files (such as .vmdk or .vdi) and hypervisor configuration
files on a host, rather than a physical drive.
Table 2: Hypervisor Type 1 and Type 2 main performance differences.
Content Template
Section Number 6.4
Section Title Methods of Acquisition
Introduction This section gives an overview of the two methods of data acquisition:
offline (or dead) and online (or live). We review the advantages and
disadvantages of both techniques. We then cover live acquisition as it is the
more standard approach.
Content As previously mentioned in Chapter 3, in most digital forensic examinations
investigators need to work with an exact copy of the original data located
on the evidence hard disk. Two methods can be followed for creating that
image: (i) live acquisition and (ii) offline acquisition. Investigators should
use the most appropriate method for a given situation; indeed, in some
circumstances it makes sense to use both, for example extracting volatile
data (RAM, network connections, running processes) from the suspect machine
with specialized forensic tools before shutting it down, and then imaging the
drive offline. Offline acquisition is discussed in more detail in Chapter 3,
so in the following we focus on the first method, live acquisition.
Live Acquisition
1) Prepare a bootable forensic media, such as a DVD or USB drive, holding
trusted copies of the tools, and insert it into the suspect's machine so
that the tools are run from it rather than from the suspect's own
(possibly compromised) binaries. If the machine is not on the local
network, it can be accessed remotely with the help of network
forensics tools.
2) Make sure to record all activities and actions in log files. A network
drive is an ideal place for this purpose, since writing to the suspect's
disk would alter the evidence.
3) Next, copy the contents of primary memory (RAM) using a digital
forensic tool such as WindowsSCOPE, OSForensics, or FTK Imager.
4) Check whether a rootkit is present on the system, for example with a
special-purpose tool such as RootkitRevealer.
5) Record a cryptographic hash value of every file recovered during the
live acquisition so that its integrity can be verified later.
Many other tools are available for live acquisition. Mandiant Memoryze, for
example, can list all network sockets, including hidden sockets managed by
rootkits; Kali Linux bundles password crackers, network sniffers, and free
forensic tools; and The Sleuth Kit provides a collection of command-line
tools for analyzing disk images and file systems.
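Step 5 of the live acquisition procedure, like step 5 of the imaging procedure earlier in this chapter, relies on hashing so that later modification of recovered data can be detected. The Python script below is an added example, not part of the course material or of any of the tools named above: it streams files through SHA-256, records a manifest for a reference tree, and verifies a working copy against that manifest, reporting modified, missing and unexpected files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file below root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare a tree against a manifest; report files that changed, vanished or appeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: a reference tree, a faithful copy, then the same copy after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, copy = Path(tmp, "reference"), Path(tmp, "copy")
        for tree in (reference, copy):
            (tree / "etc").mkdir(parents=True)
            (tree / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
            (tree / "bin.elf").write_bytes(b"\x7fELF" + b"\x00" * 60)
        manifest = build_manifest(reference)
        clean_result = verify_manifest(copy, manifest)
        # Simulate a trojaned binary and a planted file in the working copy.
        (copy / "bin.elf").write_bytes(b"\x7fELF" + b"\x90" * 60)
        (copy / "etc" / "shadow").write_bytes(b"root:!:19000::::::\n")
        tampered_result = verify_manifest(copy, manifest)
        return manifest, clean_result, tampered_result


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print("clean copy :", clean)
    print("tampered   :", tampered)
```

For a whole-disk image the same `sha256_file` call is run once on the image file and once, through a write blocker, on the source device; the two digests must match before any analysis starts, and the manifest is what lets you prove later that mounting or tool runs did not alter the copy.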
Content Template
Section Number 6.5
Section Title Chapter’s Summary
Introduction In this section, we summarize the chapter by listing the main key points.
Content In Section 1, we defined network forensics as the process of collecting and
analyzing raw network data, which enables network administrators to
determine how an attacker gained access to a network's resources and
information. We discussed the network forensics procedures and how
network-generated traffic can be useful for defending against known
network attacks, and for other management issues such as performance
improvement and management. Section 2 provided an overview of the two
common network standards, the ISO/OSI and the TCP/IP reference models,
with more focus on the TCP/IP model. Section 3 introduced virtual machine
acquisition and the two types of hypervisors.
Section 4 discussed the two acquisition methods, live (online) and offline
(dead), and explained the need to retain volatile contents that are stored in
RAM or generated by active processes. Investigators must be concerned with
the order of volatility (OOV), which determines how long a piece of
information lasts on a system and therefore what must be collected first.
The next topic will talk about mobile device forensic procedures. It mainly
covers the general guidelines implemented to acquire information from
smartphones or other mobile devices.
Activity Template (Reference Book[1], Hands-On Project 10-1, Page 419)
Number 6.1
Title Mount a VM as a drive in the OSForensics tool
Type Reflection
Aim LO.1
Description In this activity, you learn how to mount a VM as a drive in OSForensics.
First, you need to create an Ubuntu-portable VM. The VM will be assigned the
next available drive letter on your system in read-only mode. To complete
this activity, follow the following steps:
1. Start the OSForensics. In the left pane, scroll down and click Mount
Drive Image to open the PassMark OSFMount utility.
2. In the lower-left corner, click Mount new to open the OSFMount –
Mount drive window.
3. Make sure Image file is selected and click the … button. Scroll to the
location of VMware VMs and double-click the Ubuntu-portable.vmdk
file.
4. In the “Select a partition in image” window, accept the default
option, use entire image file and click OK.
5. Accept the defaults and click OK. This process should take only a
few minutes. The .vmdk file should be displayed as a mounted drive.
6. Double-click the drive to display its contents and take a screenshot.
Make a note of the new drive letter and click Exit.
7. In the left pane, scroll up and click the Manage Case button. In the
right pane click any current case, and then click the Add Device
button.
8. In the "Select device to add" dialog box, click the Drive Letter list
arrow. The drive letter you noted in Step 6 is listed, and you can add
it to a case when you're doing a standard static analysis. Click
Cancel.
9. Write a short report of your results and include the screenshots you
took.
Timeline Implement activity: 1 hr.
Assessment Each student is evaluated based on his/her implementation of the above steps.
Activity Template (Reference Book[1], Hands-On Project 10-5, Page 421)
Number 6.2
Title Explore the SANS SIFT tools
Type Reflection
Aim LO. 2 & LO. 3
In this activity, you will learn how to explore the SANS SIFT tools.
Description In this activity, you will explore the SANS SIFT tools.
Activity Template (Reference Book[1], Case Project 10-4, Page 422)
Number 6.3
Title Use Internet search engines to research for current acquisition tools
Type Search
Aim LO.1, LO. 2 & LO. 3
In this activity, you will use Internet search engines and the vendors listed in this topic to
collect information about current data acquisitions tools.
Activity Template (Reference Book[1], Hands on Projects 12-1 & 12-2, Page 477)
Number 6.4
Title Explore SIMcon mobile forensics software tool
Type Reflection
Aim LO. 4 & LO. 5
In this activity, you learn how to explore the SIMcon mobile forensics software tool that
can generate information for mobile device investigations
Description In this case, Sebastian and Nau are suspected of drug dealing, and their phones
were seized with the other digital evidence. One of your colleagues has a
licensed version of SIMcon. You were able to go to her forensics lab and examine
the SIM cards of both phones. In this project, you examine the exported
Excel files. To do this activity, follow the following steps.
Activity Template (Reference Book[1], Hands on Projects 12-4, Page 478)
Number 6.5
Title Use Oxygen Forensics to examine a BlackBerry device
Type Reflection
Aim LO. 4 & LO. 5
In this activity, you will learn how to use Oxygen Forensics to examine a BlackBerry
mobile device.
Description In this activity, you use Oxygen Forensics to examine a BlackBerry device. If you haven’t
already done so, go to www.oxygen-forensic.com and request a registration code for
downloading the demo version of Oxygen Forensics. (Keep in mind that getting the
registration code might take a few days, and plan accordingly.) When you get it, download
and install the software. To do this activity, follow the following steps.
Activity Template (Reference Book[1], Case Project 12-1, Page 479)
Number 6.6
Title Use Internet search engines to research for current mobile device forensics tools
Type Search
Aim LO.4 & LO. 5
In this activity, you will use Internet search engines and the NIST Mobile Device Forensics
Guidelines to classify mobile device forensics tools.
Description Download the most current version of the NIST Mobile Device Forensics Guidelines at
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf. Page 17 lists
classifications of mobile device tools. For the tools covered in this chapter, determine what
type each one is based on these NIST guidelines. Write a one- to two-page paper explaining
the uses and limitations of each tool.
Timeline Search through the Internet: 1 hr.
Prepare report : 2 hr.
Assessment The student’s work will be evaluated based on the written report and its alignment with the
case study problem.
Think Template (MCQs)
Number 6.1
Title Network Forensic Artefacts
Type Choose the correct answer
Question You can expect to find a type 2 hypervisor on what type of device?
(Choose all that apply.)
(A) Desktop
(B) Smartphone
(C) Tablet
(D) Network server
Think Template (MCQs)
Number 6.2
Title Network Forensic Artefacts
Type True or False
Question Tcpslice can be used to retrieve specific timeframes of packet captures.
(A) True
(B) False
Answers (A)
Think Template (MCQs)
Number 6.3
Title Network Forensic Artefacts
Type Fill in the blanks
Question To find network adapters, you use the command ___________ in Windows
and the command ________________ in Linux.
Think Template (MCQs)
Number 6.4
Title Network Forensic Artefacts
Type Choose correct answer
When do zero-day attacks occur? (Choose all that apply.)
Think Template (MCQs)
Number 6.5
Title Network Forensic Artefacts
Type Choose the correct answer
Question In VirtualBox, which file contains settings for virtual hard drives?
(A) .vbox-prev
(B) .ovf
(C) .log
(D) .vbox
Answers (D)
Think Template (MCQs)
Number 6.6
Title Network Forensic Artefacts
Type Choose correct answer
Question Packet analyzers examine what layers of the OSI model?
(A) Layers 2 and 4
(B) Layers 4 through 7
(C) Layers 2 and 3
(D) All layers
Answers (C)
Extra Template
Number 6.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 6.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
7. Mobile Device Forensics
Scope Template
Number 7
Reading Material
1. Ch. 12, Guide to Computer Forensics and Investigations (5th Edition).
By B. Nelson, A. Phillips, C. Steuart, 2016.
2. Ch. 9, A Practical Guide to Computer Forensics Investigations (1st
Edition). By Darren R. Hayes, 2014.
Content Template
Section Number 7.1
Section Title Understanding Mobile Device Forensics
Introduction This section introduces mobile device forensics. It mainly focuses on how
to retrieve information from a cell phone or another mobile device.
Content Smartphone technology has developed far beyond what its inventors could
have imagined. Mobile devices have become a central part of our daily
routine: people store large amounts of information on their phones and spend
much of their time interacting with them. Phones are used to browse the
Internet, store images and video, log into bank accounts and make deposits,
and so they hold a wealth of both personal and business information. Thus,
smartphones contain sensitive information that must be protected at all
times. Most mobile models store the following user and application
information:
• Incoming, outgoing, and missed calls
• Multimedia and Short Message Service messages (MMS & SMS)
• E-mail and Web services
• Instant messaging (IM)
• Pictures, videos, and music files
• Calendars and address books
• GPS data
• Voice recordings and voicemail
Mobile communication systems have evolved from the first generation (1G)
to the current fifth generation (5G) and are evolving towards the sixth
generation (6G). Since 2G, mobile standards have advanced at a pace of
roughly one generation every ten years. Fig. 5 depicts the evolution of these
standards with their main features.
The first three generations became largely obsolete with the appearance of
the 4th generation, after the International Telecommunication Union
Radiocommunication sector (ITU-R) issued in 2008 the requirements a
mobile network must meet to be considered 4G. Nowadays, 4G networks can
use the following communication technologies:
Almost all mobile phones have some basic hardware and software
components. Among the software components are an OS (such as Windows
Mobile, Android, or Apple iOS) and the user's installed applications. The
hardware consists of almost all the components found in personal computers,
with some specific additions. The main hardware components are the CPU,
ROM, RAM, a digital signal processor, a radio module, a microphone and
speaker, and accessories such as keypads, cameras, GPS receivers, an LCD
display, and short-range communication interfaces such as Bluetooth and
Wi-Fi.
A SIM card is a small smart card: it contains a microprocessor and internal
memory, and it serves these additional purposes:
Physical SIM cards come in several sizes (mini, micro, and nano SIM). By
moving a SIM card between compatible phones, users can carry their
subscriber identity and the information stored on the card to another phone
without having to notify the service provider.
Content Template
Section Number 7.2
Section Title Mobile Device Operating Systems
Introduction Investigators should know how to work with various types of operating
systems (OS), including those designed for mobile devices. Thus, in this
section we summarize the common mobile OSs by listing their main features,
their built-in hardware and software security mechanisms, and how the
data acquisition process is carried out.
Content The purpose of an OS is to efficiently manage all available resources of a
computer, mobile device, or any digital device. All OSs have almost the
same functions, but their file systems and structures differ and are often
proprietary. The main problem that digital investigators face when working
with mobile OSs is that mobile devices run a wider variety of OSs than legacy
workstations. In the following subsections, we give an overview of the two
main mobile OSs, Android and Apple iOS.
Like any other digital device, devices running Android have two types of
memory: RAM, volatile memory that holds running services and online
data, and NAND flash, nonvolatile memory that stores system files and
other offline data. Since Android is based on the Linux kernel, it
supports a number of file systems, including Ext4, FAT32, and YAFFS2
(Yet Another Flash File System 2). The Ext4 file system was introduced on
the Google Nexus S, whereas YAFFS2 is an open source file system developed
specifically for NAND flash memory. A digital forensic examiner may also
need to review the publicly available YAFFS2 source code to interpret its
on-flash structures. Android also supports the Microsoft FAT32 file system,
which is mainly found on the microSD cards common in many Android
handsets; VFAT is the Linux file system driver for FAT32.
The SQLite database is often the most valuable digital evidence found on
an Android OS. It is an open source relational database that was designed
mainly for mobile devices. Now, the process of developing and managing
the SQLite is sponsored by the SQLite Consortium, which includes other
software vendors including Oracle, Nokia, Mozilla, Adobe, and Bloomberg.
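To show what this evidence looks like in practice, the following Python example (added here; it is neither course material nor code from Android or SQLite) builds a small database whose table mirrors the columns of the Android telephony provider's sms table (address, date in epoch milliseconds, type, body; the rows themselves are constructed), renders a UTC timeline, aggregates messages per correspondent, and inspects SQLite's freelist, whose pages are unallocated but not zeroed and can therefore still hold deleted records.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# Constructed rows modelled on the columns of the Android telephony provider's "sms" table
# (address, date = milliseconds since the Unix epoch, type 1 = received / 2 = sent, body).
SAMPLE_ROWS = [
    ("+15550100", 1700000000000, 1, "meet at 9"),
    ("+15550100", 1700000060000, 2, "ok"),
    ("+15550199", 1700003600000, 1, "did you get the package"),
]
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_db(path=":memory:"):
    """Create a tiny database with the shape of the real table (constructed, not pulled from a device)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def message_timeline(conn):
    """Messages in chronological order, with epoch-millisecond dates rendered as UTC ISO time."""
    rows = conn.execute("SELECT _id, address, date, type, body FROM sms ORDER BY date, _id").fetchall()
    return [
        {"id": _id, "address": addr,
         "time": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
         "direction": SMS_TYPE.get(kind, f"unknown({kind})"), "body": body}
        for _id, addr, ms, kind, body in rows
    ]


def contacts_by_volume(conn):
    """Message count per correspondent: a quick view of who the owner communicated with most."""
    return Counter(addr for (addr,) in conn.execute("SELECT address FROM sms"))


def free_page_count(conn):
    """Pages on SQLite's freelist are unallocated but not wiped; a nonzero count is a cue to carve them."""
    return conn.execute("PRAGMA freelist_count").fetchone()[0]


def simulate_app_cleanup(conn, rows=300):
    """Create and drop a bulky table so that its pages land on the freelist, as an app purge would."""
    conn.execute("CREATE TABLE attachments (_id INTEGER PRIMARY KEY, blob TEXT)")
    conn.executemany("INSERT INTO attachments (blob) VALUES (?)", (("X" * 120,) for _ in range(rows)))
    conn.execute("DROP TABLE attachments")
    conn.commit()
    return free_page_count(conn)


if __name__ == "__main__":
    db = build_sample_db()
    for m in message_timeline(db):
        print(m["time"], m["direction"], m["address"], repr(m["body"]))
    print("contacts:", contacts_by_volume(db))
    print("free pages before / after cleanup:", free_page_count(db), simulate_app_cleanup(db))
```

On a real extraction, open the copied .db file read-only (and copy any -wal or -journal file alongside it, since recent writes may live only there), and never run an ordinary query tool that might checkpoint or vacuum the database, which would overwrite exactly the free pages this script counts.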
Android OS Evidence
3. Joint Test Action Group (JTAG): IEEE 1149.1 defines a hardware test
and debug interface. Connecting to the test access port on the phone's
circuit board lets the examiner read the flash memory through the
processor and obtain a full physical dump of NAND memory without going
through the OS. Note that data encrypted at rest stays encrypted in the
dump.
4. Chip-off: The memory chip is physically removed from the circuit board
and read with a chip reader. This method can be used to access data when
the circuit board has been damaged.
Android OS Security
Mobile Android users can use any one of the following methods to secure
their smartphones:
During the mobile application development process, developers can
choose one of the following methods to store data generated by the
application:
[1] Preference
[2] Files
[3] SQLite Database
[4] Cloud System
• Passcode: It is used to unlock the mobile device. Historically it was four
numeric digits; iOS now defaults to a six-digit passcode, with the option
to switch back to four digits or to use an alphanumeric passcode.
• Touch ID: It is a fingerprint scanner that can be used to unlock the
mobile device. Touch ID stores only a mathematical representation of the
fingerprint, encrypted, inside the Secure Enclave; the fingerprint data
never leaves the device.
In addition to the above security methods, iOS is designed so that all of its
core components are secured.
analyze active files using a built-in synchronization method. This
also allows investigators to collect digital evidence on call
logs, SMS, contacts, photos, etc.
[1] Acquisition via physical methods: This method has the
greatest potential for recovering artifacts of the methods presented.
It obtains a bit-by-bit copy of the original media. Once the physical
image has been obtained, examiners can view it and recover additional
items such as deleted data in unallocated space; on devices that
encrypt storage, the image is only useful together with the keys.
[2] Acquisition via jailbreaking: This method replaces the firmware
partition with a modified version so that an investigator can install
software tools that would not normally be on the device. redSn0w was a
popular jailbreaking utility; it has a simple wizard that walks
step by step through replacing the firmware so that artifact extraction
can begin. Jailbreaking alters the device, so it must be documented and
can be challenged in court.
Finally, investigators working on an iOS device can use the free
iPhoneAnalyzer tool, created by Crypticbit, to obtain data from an iOS backup.
This tool provides a way to access the iOS file system and has a simple
viewer to preview files. One of the main features of iPhoneAnalyzer is
"export all files", which converts the binary files to their proper names
and locations.
Content Template
Section Number 7.3
Section Title Mobile Device Acquisition Procedures
Introduction This topic explores how to retrieve digital evidence from a mobile device, and
how to conduct SIM card forensics.
Content Mobile device acquisition procedures are as important as procedures for personal
computers, but some additional challenges need to be addressed here, such as:
1. Disconnect the suspect's mobile device from the network as soon as
possible, so that it cannot synchronize with applications on a user's
laptop or be wiped remotely.
2. Disconnect any personal computer or laptop that may have Internet access
through the mobile device (a mobile device can be used as a hotspot to
share Internet access).
3. Collect all these devices so that their hard drives can be examined for
transferred or deleted information.
4. Choose the appropriate time to search or seize those hard disk drives.
5. Decide whether to power the device off: switching it off saves battery
power and prevents a remote wipe or any planned self-destruct action, but
may activate a lock or passcode on restart, so isolating the device from
the network is usually preferred.
6. Isolate the mobile device from incoming signals with one of the following
options:
To find the stored information, investigators should check the following locations:
Regarding the last point, in some cases investigators might need to obtain
information about the suspect or victim, such as timestamps or locations, from
the service provider. However, data on the device itself may no longer be
available, because users (or their organizations) can remotely wipe a lost or
stolen device to protect the personal information stored on it. A remote wipe
removes the account and its details, including contacts, calendar, and other
personal information, which is why isolating a seized device from the network
matters so much.
Technically, investigators can also retrieve some information from SIM cards.
The type and amount of retrieved information mainly depends on the service
carrier infrastructure. But, in general the following information can be retrieved
from the SIM card:
Content Template
Section Number 7.4
Section Title Chapter Summary
Introduction In this section, we summarize the chapter by listing the key points.
Content Mobile forensics has become extremely important for digital forensic
investigations. Mobile devices can contain a wealth of evidence, often more
valuable than the evidence obtained from a traditional workstation, since
mobile devices are always with their users.
The next topic sheds light on the importance of digital forensics reports,
describes guidelines for writing reports, and explains how to use forensic
tools to generate reports.
Activity Template (Reference Book[1], Hands-On Projects 12-1, Page 477)
Number 7.1
Title Explore SIMcon mobile forensics software tool
Type Reflection
Aim LO. 2, LO. 4 & LO. 5
In this activity, you will learn how to explore the SIMcon mobile forensics software tool
that can generate information for mobile device investigations
Description In this case, Sebastian and Nau are suspected of drug dealing, and their phones
were seized with the other digital evidence. One of your colleagues has a
licensed version of SIMcon. You were able to go to her forensics lab and examine
the SIM cards of both phones. In this project, you examine the exported
Excel files. To do this activity, follow the following steps.
Activity Template (Reference Book[1], Hands on Projects 12-4, Page 478)
Number 7.2
Title Use Oxygen forensics to examine a BlackBerry device
Type Reflection
Aim LO.3, LO. 4 & LO. 5
In this activity, you will learn how to use Oxygen Forensics to examine a BlackBerry
mobile device.
Description Go to www.oxygen-forensic.com and request a registration code for downloading the demo
version of Oxygen Forensics. (Keep in mind that getting the registration code might take a
few days, and plan accordingly.) When you get it, download and install the software. To do
this activity, follow the following steps.
Activity Template (Reference Book[1], Case Project 12-1, Page 479)
Number 7.3
Title Use Internet search engines to research for current mobile device forensics tools
Type Search
Aim LO.4 & LO. 5
In this activity, you will use Internet search engines and the NIST Mobile Device Forensics
Guidelines to classify mobile device forensics tools.
Description Download the most current version of the NIST Mobile Device Forensics Guidelines at
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf. Page 17 lists
a classification of mobile device tools. For the tools covered in this chapter, determine what
type each one is based on these NIST guidelines. Write a one- to two-page paper explaining
the uses and limitations of each tool.
Timeline Internet Search: 1 hr.
Prepare report : 2 hr.
Assessment The student’s work will be evaluated based on the written report and its alignment with the
case.
Activity Template
Number 7.4
Title Write an essay describing the differences in examining two different cellphones
Type Search and Reflection
Aim LO. 2, LO. 3 & LO.5
The aim of this activity is to let students learn how to use Internet resources to write an
essay describing the differences in examining two different cellphones.
Description Write an essay describing the differences between an examination of a CDMA cellphone and
a GSM cellphone.
Timeline Internet search: 1 hr.
Write essay: 4 hrs.
Assessment The student’s work will be evaluated based on the written essay and its alignment with
case.
Activity Template
Number 7.5
Title Write standard operating procedures for examining a cellphone
Type Search and Reflection
Aim LO.1 to LO.5
The aim of this activity is to let students learn how to use Internet resources to write a
standard operating procedure for examining a cellphone.
Description Find a smartphone and then write standard operating procedures for examining that
cellphone. Include in your essay forensic tools that will work with that particular model.
Timeline Internet search: 1 hr.
Write essay : 4 hrs.
Assessment The student’s work will be evaluated based on the written essay and its alignment with the
case.
Think Template (MCQs)
Number 7.1
Title Mobile Device Forensics
Type Choose correct answer
Question Which of the following best describes the role of the Base Station
Controller?
Think Template (MCQs)
Number 7.2
Title Mobile Device Forensics
Type True or False
Question A Mobile Switching Center is responsible for switching data packets from
one network path to another on a cellular network.
(A) True
(B) False
Answers Answer: (A)
Think Template (MCQs)
Number 7.3
Title Mobile Device Forensics
Type Choose correct answer
Which of the following mobile operating systems is an open source
operating system based on the Linux 2.6 kernel and is owned by Google?
Think Template (MCQs)
Number 7.4
Title Mobile Device Forensics
Type True or False
Question When acquiring a mobile device at an investigation scene, you should
leave it connected to a laptop or tablet so that you can observe
synchronization as it takes place.
(A) True
(B) False
Answers Answer: (B)
Think Template (MCQs)
Number 7.5
Title Mobile Device Forensics
Type Choose correct answer
Remote wiping of a mobile device can result in which of the following?
(Choose all that apply.)
Think Template (MCQs)
Number 7.6
Title Mobile Device Forensics
Type Fill in the blanks
Question List two ways you can isolate a mobile device from incoming signals.
(A) _______________________________
(B) _______________________________
Extra Template
Number 7.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 7.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
8. Digital Forensics Writing Reports
Scope Template
Number 8
Reading Material
1. Ch. 14, Guide to Computer Forensics and Investigations (5th Edition). By
Bill Nelson, Amelia Phillips, Christopher Steuart, 2016.
2. Ch. 12, Computer Forensics and Cyber Crime: An Introduction (3rd
Edition). By Marjie T. Britz, 2013.
Content Template
Section Number 8.1
Section Title Why Is Writing Forensic Reports Important?
Introduction In this topic we will explain the importance of writing reports during the
digital forensic investigation process, and the set of rules that an
investigator must follow to write reports.
Content A digital forensic report is the most important outcome that can be compiled
after completing the forensic examination. Once done, investigators can
benefit from it in several ways, such as:
• Jurisdiction
• Style of the case
• Format of court documents
• Cause number
• Date and location of the deposition
• Name of the deponent (expert witness)
Since the written report is sworn to under oath, investigators should pay
close attention to what they write.
Content Template
Section Number 8.2
Section Title Writing Reports Guidelines
Introduction This section describes guidelines on writing reports of the main findings in
digital forensics investigations.
Content A written preliminary forensic report is considered a high-risk document
because opposing counsel can look for inconsistencies: if the preliminary
report states something contrary to what the investigator states in the
final report, the investigator should expect opposing counsel to use the
written report to discredit the testimony. Below are some guidelines to
overcome this issue and make the written report more consistent.
o Report title: Each report should have a title indicating the case
under investigation.
- Conclusion: The conclusion starts by referring to the report
purpose, states the main points and draws conclusions.
- References: It lists the supporting material to which your
work refers.
- Glossary: It is a comprehensive list of definitions for non-
obvious terms and phrases mentioned in the report.
- Acknowledgments: They enable you to thank all those who
have helped in carrying out the investigation.
- Appendixes: They contain supplementary material that is not
an essential part of the text itself, but which may be helpful in
providing a more comprehensive understanding of
the investigation.
Typically, investigators use one of the two available numbering systems: (i)
decimal numbering or (ii) legal-sequential numbering.
The decimal numbering system is widely used in writing scientific reports. It
divides the report material into sections, gives each section a unique
number, and restarts numbering with each main section. With this system,
interested readers can look at the headings to get an overview of how the
various parts are related to each other.
Supporting Material
Report Results
The core part of the report is the results and their analysis. In this part,
investigators should describe what they actually found, not what they were
looking for. These findings must be stated clearly and consistently. When
discussing results, they can use subheadings to divide the whole section
into sequential logical parts and make comments on results as they are
presented. To make things easier for readers, the discussion can be linked
with figures, tables, and equations. In addition, keep the conclusion very
short and to the point; it should summarize your findings with clear, concise
statements.
List of References
Appendixes
Content Template
Section Number 8.3
Section Title Extracting Reports from Software Tools
Introduction In this section, students will learn how investigators can integrate forensic
software-generated reports into the official investigation report that they
present to the attorney or client.
Content During the activities, students will work on several forensic tools such as
ProDiscover and OSForensics to generate reports that will be used for
further examination. As you will notice, some forensic tools have unique
features that aren’t available in other tools.
Content Template
Section Number 8.4
Section Title Chapter Summary
Introduction In this section we will summarize the main concepts presented in the
previous sections.
Content Nowadays, all courts worldwide require investigators to submit written
reports. The reports must include investigator opinions along with the basis
for the opinions. They should also answer the questions investigators were
retained to answer and keep information that doesn’t support specific
questions to a minimum.
Activity Template
Number 8.1
Title Write a report to outline the resources needed for a given scene
Type Reflection
Aim LO.1 & LO.2
The aim of this activity is for students to learn how to conduct internal
computing investigations to gather data that helps with the evidence collection
process.
Description The county prosecutor has hired you to investigate a case in which the county
treasurer has been accused of embezzlement. What additional resources, such
as other experts, might you need to collect data for this investigation? Write
a one-page paper outlining what resources you should consider to help you
with the evidence collection process.
Timeline Write a report: 2 hrs.
Assessment Each student is required to submit his/her report and evaluations
Activity Template (Reference Book[1], Hands-On Project 14-1, Page 531)
Number 8.2
Title Conduct internal forensics investigations for a crime scene
Type Reflection
Aim LO.1, LO.2 & LO.3
In this activity, you work as a forensic investigator to help analyze an incident.
Description The general counsel for Superior Bicycles, Ileen Johnson, has asked you to locate a file
that might contain information about the construction of a new bicycle frame. She tells
you that the file she’s interested in recovering is named “Materials,” but she doesn’t know
the file extension. Follow these steps:
1. Start OSForensics. Click Search Index in the left pane of OSForensics. In the Enter
Search Words text box, type Materials. Click the Index to Search list arrow,
navigate to and click the drive where you mounted the image, and then click
Search.
2. In the Search Index Results window, click the Files tab, and examine the search
hits to find any files with the name Materials.
3. Next, click the Emails tab. Right-click each message and click Open to examine its
contents. For messages with a file named Materials attached, right-click the
filename in the lower pane and click Add Attachment(s) to Case. In the Please
Enter Case Export Details window, type File named Materials.rtf in the Export Title
input box, and then click Add.
4. Double-click the e-mail with the subject line “Documentation for future plans”
containing the Materials.rtf file. In the Documentation for future plans window,
click View, Headers. In the lower pane, select the header contents. Right-click this
highlighted material and click Copy. Close the Documentation for future plans and
the E-mail Viewer windows.
5. In the Manage Case window, click Add Note. Type Header information -
Documentation for future plans in the Name text box. In the lower pane, right-
click and click Paste to paste the e-mail header information. Click Save.
6. Click Start in the left pane, and then click Generate Report in the right pane. In
the Export Report window, click the Copy files to report location option button.
Click Browse, navigate to and click your work folder, and then click OK twice.
7. Review the report in your Web browser, and then print it. Turn it in to your
instructor, and then exit your Web browser and OSForensics.
Timeline Understand project idea: 1 hr.
Implement project steps: 1 hr.
Assessment The student’s work will be evaluated based on the projects’ implementation steps and the
extracted information.
Activity Template (Reference Book[1], Hands-On Project 14-2, Page 532)
Number 8.3
Title Locate and extract files using a given formats and generate a report
Type Reflection
Aim LO.1, LO.2 & LO.3
In this activity, you will review a case study. Your main tasks are to locate and extract
files of specific formats and generate a report.
Description In this continuation of Activity 1.2, Ileen Johnson has sent you another image file collected
from employee Chris Murphy’s computer, which uses a different file system than Denise
Robinson’s computer uses. She’s conducting a follow-up investigation of a case that’s
several years old and deals with some very old file formats. You need to locate and extract
files using these file formats and generate a report for Ileen. For this activity, you use the
GCFI-NTFS.dd image file. You need to look for spreadsheet accounting information created
with OpenOffice Calc (files with .ods and .sxc extensions) and e-mail correspondence
created with Outlook Express (.dbx and .pst extensions). When you find any files with these
extensions, add them to the case in OSForensics.
1. Start OSForensics, and create a new case named HOP14-2. Use OSFMount to select
the drive for the image file GCFI-NTFS.dd.
2. Click Create Index in the left pane. In the Step 1 of 5 window, click the Use Pre-
defined File Types option button, click the Emails, Attachments, Office + PDF
Documents, Zip Files, Images, and Plain Text Files check boxes, and then click Next.
In the Step 2 of 5 window, click Add. In the Add Start Location dialog box, click the
Whole Drive option button, click the list arrow, click the drive letter where GCFI-
NTFS.dd is mounted, and click OK. Click Next, and in the Step 3 of 5 window, click
Start Indexing.
3. When the indexing has finished, click OK, if necessary, in the message box
informing you that errors reading some files might have occurred in the indexing
process.
4. Next, click File Name Search in the left pane. In the Search String text box, type
*.ods;*.sxc;*.dbx;*.pst, click the … button next to the Start Folder text box, click
the drive where you mounted GCFI-NTFS.dd, click OK, and then click Search.
5. When the search is finished, click the Sorting list arrow, and then click Type.
6. Right-click Inbox.dbx and click View with Internal Viewer. In the E-mail Viewer
window, click the Paperclip toolbar icon to sort all messages containing
attachments.
7. In the E-mail Viewer window, examine each message. Right-click any message with
an .ods or .sxc file attached and click Add Email to Case. In the Please Enter Case
Export Details window, type Spreadsheet file found in message in the Export Title
text box, and then click Add.
8. Right-click the spreadsheet file in the message header and click Add Attachment(s)
to Case. In the Please Enter Case Export Details window, type Found spreadsheet
in the Export Title text box, and then click Add. Close the E-mail Viewer window.
9. Click File Name Search in the left pane. If the File List window is blank, move the
scrollbar up or down to display the contents. Examine the other .dbx files to
determine whether there are more messages with attached spreadsheets. If you
find other spreadsheets, repeat Steps 6 through 8.
10. Click File Name Search in the left pane, if necessary. Double-click the first file with
an .ods or .sxc extension in the search results to open it. If a file contains
spreadsheet data, right-click the file, point to Add to Case, and click File(s). In the
Please Enter Case Export Details window, type Spreadsheet not attached to e-mail
in the Export Title text box and click Add.
11. Repeat Step 10 for all other spreadsheet files in the search results window. When
you’re finished, exit OSForensics.
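The file name search in step 4 above, and the numbered results section described in Section 8.2, can also be reproduced outside OSForensics so that tool output and the written report agree. The following Python script is an added example, not part of the course or of OSForensics: it walks the folder where the image is mounted, applies the same ";"-separated search string, hashes every hit with SHA-256 and emits the findings in decimal numbering. The sample files it creates are constructed for the demonstration, and the names `demo`, `findings_section` and the section number 3 are assumptions.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Search string in the OSForensics syntax from step 4 of the activity.
SEARCH_STRING = "*.ods;*.sxc;*.dbx;*.pst"

def find_matching_files(root, pattern):
    """Walk root (the folder where the image is mounted) and return relative
    paths whose name matches any ';'-separated glob. Case-insensitive, like NTFS."""
    patterns = [p.strip().lower() for p in pattern.split(";") if p.strip()]
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if any(fnmatch(name.lower(), p) for p in patterns):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def sha256_of(path):
    """Hash in chunks so a large mailbox file need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def findings_section(root, pattern, section="3"):
    """Results part of the report in decimal numbering (3, 3.1, 3.2, ...):
    one line per file with path, size and SHA-256 so it can be re-verified."""
    lines = [f"{section} Results: files matching {pattern}"]
    for i, rel in enumerate(find_matching_files(root, pattern), 1):
        full = os.path.join(root, rel)
        lines.append(f"{section}.{i} {rel} ({os.path.getsize(full)} bytes) "
                     f"SHA-256 {sha256_of(full)}")
    if len(lines) == 1:
        lines.append(f"{section}.1 No files matched the search string.")
    return lines

def demo():
    """Constructed sample 'mounted image' (not a real case image): three
    files that should match and one that should not; returns the report lines."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Mail"))
        sample = {"Budget.ODS": b"spreadsheet", "Mail/Inbox.dbx": b"mailbox",
                  "old.sxc": b"calc", "notes.txt": b"ignored"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return findings_section(root, SEARCH_STRING)
```

Running `demo()` returns four lines: the section heading followed by 3.1, 3.2 and 3.3, one per matching file, while `notes.txt` is excluded.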
Timeline Understand project idea: 1 hr.
Implement project steps: 1 hr.
Assessment The student’s work will be evaluated based on the projects’ implementation steps and the
extracted information.
Activity Template (Reference Book[1], Hands-On Project 14-4, Page 534)
Number 8.4
Title Write a two-page investigation report.
Type Reflection
Aim LO.1, LO.2 & LO.3
In this activity, you will review a case study taken from a computer forensics firm. Write an
outline for how the firm should approach the case.
Description For this activity, print all e-mails and spreadsheets from the case you processed in Activities
1.2 & 1.3. Then write a one- to two-page report addressed to Ileen Johnson that explains
the steps you have taken and the evidence you found in your examination. In the
conclusion, state your opinion about the nature of the correspondence, based on the
e-mails you collected and compared for these cases. Include any supporting materials as
appendixes.
Timeline Write report: 2 hr.
Assessment The student’s work will be evaluated based on the written report and its alignment with
the case study problem.
Activity Template (Reference Book[1], Case Project 14-3, Page 534)
Number 8.5
Title Recommend a writing guide that examiners can use for all official written reports.
Type Search
Aim The aim of this activity is to teach students how to conduct research on the Internet to find
information about style manuals and technical and legal writing guides.
Description Your manager has asked you to research and recommend a writing guide that examiners
in your digital forensics company can use for all official written reports. Conduct research
on the Internet to find information about style manuals and technical and legal writing
guides. You should also research writing guides from professional associations, such as the
IEEE. Write a two- to three-page report recommending a style manual or technical/legal
writing guide for your company to use and explain the reasons for your recommendations.
You might want to combine guidelines from different sources in coming up with
recommendations for digital forensics reports.
Timeline Internet search: 1 hr.
Writing report: 2 hrs.
Assessment Each student is required to submit his/her report, which is evaluated based on its implications.
Think Template (MCQs)
Number 8.1
Title Digital Forensics - Writing Reports
Type Choose correct answer
Question Which of the following is an example of a written report?
(A) A search warrant
(B) An affidavit
(C) Voir dire
(D) Any of the above
Answers Answer: (B)
Think Template (MCQs)
Number 8.2
Title Digital Forensics Writing Reports
Type True or False
Question Consistency is the most important aspect of formatting that should be
considered when writing a report.
(A) True
(B) False
Answers Answer: (A)
Think Template (MCQs)
Number 8.3
Title Digital Forensics Writing Reports
Type Fill in the blanks
Question What is a major advantage of automated forensics tools in report writing?
______________________________________________
Answers Investigators can incorporate the log files and reports these tools generate
into the written reports.
Think Template (MCQs)
Number 8.4
Title Digital Forensics Writing Reports
Type Choose the correct answer
Question Automated tools help an investigator collect and report evidence, but
he/she is responsible for doing which of the following?
(A) Explaining your formatting choices
(B) Explaining in detail how the software works
(C) Explaining the significance of the evidence
(D) All of the above
Think Template (MCQs)
Number 8.5
Title Digital Forensics Writing Reports
Type Fill in the blanks
Question List three items that can be included in report appendixes.
(A) _____________________________
(B) _____________________________
(C) _____________________________
Extra Template
Number 8.1
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)
Extra Template
Number 8.2
Title The title of the extra resource identified.
Topic Link to the corresponding section and topic.
Type Could include:
• Book/Chapter (ISBN)
• Offline content (Full reference required)
• Online content (URL)