
Forensic Terminology

Published on Nov 19, 2015


PRESENTATION OUTLINE

Forensic Terminology & Developing Forensic Science Capabilities
Forensic Computer Science is an emerging discipline

- Critical to the successful disposition of computer-related cases
- Accountability of actions is necessary in our society
- Provides a mechanism for the investigation of computer-related offenses
- Must abide by Constitutional mandates

Protecting the Integrity of Potential Evidence

How?
1. By maintaining the "Chain of Custody"
2. By ensuring that viruses are not introduced to a suspect's machine during analysis
3. By ensuring that evidence, or potential evidence, remains in an unaltered state (not destroyed, damaged, or otherwise manipulated during the investigatory process)

It establishes procedures for the recovery, preservation, and analysis of digital evidence.

How Does Computer Forensic Science Protect Digital Data?
- Protects it from possible alterations
- Protects it from data corruption
- Protects it from infection
- Protects it from carelessness of individuals
- Provides mechanisms for data duplication
- Creates forensically sound images useful for data analysis
- Prevents allegations of corruption or misconduct on the part of investigators, all but guaranteeing evidentiary introduction in court

What Are Some of the Relevant Areas on a Suspect's Computer?
Overt Files: Files which are NOT hidden, deleted, encrypted, or intentionally covert.

Hidden Files: Files which are manipulated to cover the contents of the original file.

Password Protected Files: Files which are protected from unauthorized users with password programs.

Slack Space: The area of the hard disk drive between the end of the current file data and the end of the last assigned disk cluster of that file.

Swap File: Files which are temporarily placed on the disk when running applications run out of memory.

Deleted Files (Free or Unallocated Space): Space on the hard disk drive that the computer has not overwritten yet; a repository of previous data.
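As an added example that is not part of the slides, the toy disk below models the slack space and unallocated space definitions above. It uses an assumed geometry of 512-byte sectors grouped into 4 KiB clusters and constructed file contents, and shows that after a larger file is deleted, its bytes survive both in the slack of the smaller file that reuses its first cluster and in the clusters nothing has reallocated.

```python
# Added example (not from the slides): a toy cluster-addressed disk that shows why
# file slack and unallocated clusters are "repositories of previous data".
SECTOR, SECTORS_PER_CLUSTER = 512, 8          # assumed geometry: 4 KiB clusters
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
def clusters_for(size: int) -> int:
    # whole clusters needed to hold `size` bytes (ceiling division)
    return -(-size // CLUSTER)

class ToyDisk:
    def __init__(self, clusters: int):
        self.media = bytearray(clusters * CLUSTER)   # raw sectors
        self.allocated = {}                          # name -> (first_cluster, size)

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        # Only the file's own bytes are written; the rest of its last cluster
        # (the slack) keeps whatever was there before, as real file systems do.
        start = first_cluster * CLUSTER
        self.media[start:start + len(data)] = data
        self.allocated[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        del self.allocated[name]   # drops the record only; no cluster is wiped

    def slack(self, name: str) -> bytes:
        # bytes between the end of the file data and the end of its last cluster
        first, size = self.allocated[name]
        end = (first + clusters_for(size)) * CLUSTER
        return bytes(self.media[first * CLUSTER + size:end])

    def unallocated(self) -> list:
        # cluster numbers not assigned to any live file (free space)
        used = set()
        for first, size in self.allocated.values():
            used.update(range(first, first + clusters_for(size)))
        return [c for c in range(len(self.media) // CLUSTER) if c not in used]

def demo() -> dict:
    disk = ToyDisk(clusters=4)
    old = b"OLD EVIDENCE " * 600                  # constructed 7800-byte file: 2 clusters
    disk.write("old.txt", old, first_cluster=0)
    disk.delete("old.txt")                        # "deleted", but nothing overwritten
    disk.write("new.txt", b"new note", first_cluster=0)   # 8 bytes reuse cluster 0
    slack, free = disk.slack("new.txt"), disk.unallocated()
    first_free = bytes(disk.media[free[0] * CLUSTER:(free[0] + 1) * CLUSTER])
    return {
        "slack_bytes": len(slack),                          # 4088
        "old_data_in_slack": b"OLD EVIDENCE" in slack,      # True
        "unallocated_clusters": free,                       # [1, 2, 3]
        "old_data_in_free_space": b"OLD EVIDENCE" in first_free,   # True
    }
```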

Who Benefits from Forensic Computer Science?
- Prosecutors
- Civil Litigators
- Insurance Companies
- Corporations
- Law Enforcement Officials
- Individuals

Three Cardinal Rules of Computer Investigation
1. Always work from an image, leaving the original intact.
2. Document everything no matter how useless you think it is.
3. Maintain the "Chain of Custody".

Computer Forensic Science and Disk Structure

Tracks, Cylinders, & Sectors

Primary & Secondary Storage Devices

Primary Storage Devices:
- Data in RAM
- Other "built-in" storage devices

Secondary Storage Devices:
- Floppy disks or diskettes
- CD-ROMs
- CD-RWs
- Hard/fixed disks
- External storage devices

Hard Drive Disk Structure and Data Storage

Physical Drives: Devices and data at the electronic or machine level. The physical size of a file is the actual amount of space it occupies on the disk.

Logical Drives: Allocated parts of a physical drive that are designated and managed as independent units (most important in computer forensic investigations). The logical size of a file is its exact size in bytes.

Data Storage

Sectors: The smallest physical units on a disk; arc-shaped portions of the disk tracks.

Clusters: Also known as file allocation units. Made up of one or more adjacent sectors, they are the basic allocation units of magnetic disk storage.

Partition: A portion of a fixed disk that an operating system identifies as a single unit, with a maximum of four. Letter designations are given to these entities during the format process and installation of the operating system.

Partition Table: Located in the Master Boot Record on the hard disk drive and is created during partitioning.
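The partition and partition-table definitions above, as an added example that is not from the slides: the script builds a constructed Master Boot Record (446 bytes of boot code, four 16-byte table entries, the 0x55AA signature), parses its at-most-four entries, and lists the sector ranges that no partition covers. The TYPE_NAMES table and the two-volume layout are assumptions made for the demonstration.

```python
# Added example (not from the slides): build a constructed 512-byte Master Boot
# Record and read its four-entry partition table the way a forensic tool would.
import struct

ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}  # common MBR type IDs

def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are zeroed; modern systems and tools rely on the LBA fields.
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def build_mbr(entries: list) -> bytes:
    # 446 bytes of boot code, 4 x 16-byte table entries, 2-byte signature = 512 bytes
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return b"\0" * 446 + table + b"\x55\xAA"

def parse_mbr(sector: bytes) -> list:
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):                                  # MBR holds at most four entries
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0:
            continue                                    # empty slot
        parts.append({"slot": i, "bootable": status == 0x80,
                      "type": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba, "sectors": count, "size_mib": count * 512 // 2**20})
    return parts

def unused_ranges(parts: list, total_sectors: int) -> list:
    # Sector ranges outside every partition: unused space an examiner should still image.
    gaps, cursor = [], 1                                # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def demo() -> tuple:
    # constructed layout: bootable 100 MiB NTFS volume, then a 1 GiB Linux volume
    mbr = build_mbr([build_entry(True, 0x07, 2048, 204800),
                     build_entry(False, 0x83, 206848, 2097152)])
    parts = parse_mbr(mbr)
    return parts, unused_ranges(parts, total_sectors=4194304)
```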

FAT (File Allocation Table) vs. NTFS (New Technology File System)

The Progression of File Systems
- FAT 12
- FAT 16
- FAT 32
- NTFS

Data Integrity

Cyclical Redundancy Check (CRC):
- A computer-generated value by which files are identified
- Important in order to validate & compare imaged files
- Involves data transmission & computer calculation
- Maintains the validity of digital evidence

MD5 Hash:
- A verification tool that needs to be employed in computer forensic investigations
- Developed by RSA; consists of a 128-bit identifier and serves as a file's "digital DNA"
- The odds of two different files having the same value are stated as 1 in 2^128

HashKeeper:
- Developed by the National Drug Intelligence Center in order to keep listings of various known files.

Developing Computer Science and Capabilities

Lab

md5("I am going to hack into the governments computer's") = "39a7d233c528b5c1b8979ec7e912c2c2"

md5("I am going to hack into the governments computers") = "9a068b98b36dd49dc223151140ad1b8d"

Why do these two MD5 Hashes have a different value?
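The hash-verification workflow from the Data Integrity slide and the lab question above, as an added example not taken from the slides: it records MD5 and SHA-256 of a constructed evidence buffer at acquisition, re-verifies a working copy before and after a single-bit change, and hashes the two lab strings to show that the apostrophe alone yields an unrelated MD5. The constructed buffer, the function names and the SHA-256 addition are the example's own.

```python
# Added example (not from the slides): hash an acquired image to verify it and
# reproduce the lab's point that a one-character change yields an unrelated MD5.
import hashlib

def digests(data: bytes) -> dict:
    # MD5 matches legacy tool output (the slides' "digital DNA"); SHA-256 is
    # recorded alongside because MD5 collisions are practical today.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def acquire(source: bytes) -> tuple:
    # Simulated bit-for-bit acquisition: the original is only read, never written.
    image = bytes(source)
    return image, digests(source)          # record the hashes at acquisition time

def verify(image: bytes, recorded: dict) -> bool:
    # Re-hash the working copy and compare with the values recorded at acquisition.
    return digests(image) == recorded

def bits_changed(hex_a: str, hex_b: str) -> int:
    # Number of differing bits between two equal-length hex digests.
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo() -> dict:
    original = bytes(range(256)) * 16     # constructed 4 KiB "evidence" stand-in
    image, recorded = acquire(original)
    ok_before = verify(image, recorded)
    tampered = bytearray(image)
    tampered[100] ^= 0x01                 # flip a single bit in the working copy
    ok_after = verify(bytes(tampered), recorded)
    # the lab strings: an apostrophe is the only difference between them
    a = digests(b"I am going to hack into the governments computer's")["md5"]
    b = digests(b"I am going to hack into the governments computers")["md5"]
    return {"ok_before": ok_before, "ok_after": ok_after,
            "lab_md5_equal": a == b, "lab_bits_changed": bits_changed(a, b)}
```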

What Are the Essentials for Conducting a Computer Forensic Investigation?
Standard Operating Procedures (SOP):
These procedures ensure that personnel, training, equipment, and procedures continue to be appropriate and effective.

Appropriate Tools (May Vary According to Situation)
- Type of Suspect's Device
- Type of Suspect's Operating System
- Type of Software on the Suspect's Device
- Type of Hardware on the Suspect's Device
- Application of Appropriate Domestic and International Law
- Potential Negative Repercussions (Liability)

Computer Forensic Lab Requirements
Software Requirements:
1. Data preservation, duplication, and verification tools
2. Data recovery/extraction tools
3. Data analysis tools
4. Data reporting tools
5. Network utilities

Data Recovery & Extraction Utilities

"After an Image is Obtained"
Methods of Extraction
1. Keyword Searching
2. File Carving
3. Extraction of the partition table and unused space on the physical drive

May include active files, deleted files, file slack, and files found in unallocated space

Data Analysis Software

- Indexing
- Text Searching
- File Viewers (Graphics)
- Time and Date Stamps
- Applications Analysis
- Reporting Software
- Miscellaneous Software
- "Real Victims"

Computer Forensic Software

Maresware: set of command line programs that can be used for computer forensics, data analysis, secure wiping, and imaging hard drives

Guidance Software: fully-automated program which includes mechanized imaging, verification, and analysis capabilities all within a unique graphical interface

Ultimate Toolkit (FTK): graphical user interface which runs automated tasks and bundles a variety of stand-alone programs

Includes: Forensic Toolkit, FTK Imager, Registry Viewer, Password Recovery Toolkit, Distributed Network Attack (Cracks Encryption), & WipeDrive.

Other Computer Forensic Utilities

Imaging & Verification
A. ByteBack
B. SafeBack
C. Wiping Programs
D. Unix
E. Data Dumper
F. Grep
G. The Coroner's Toolkit

"We are given the tools in order to conduct computer forensic investigations, now is the time to better society and combat computer crime"