Introduction to Forensics


What is Computer Forensics

Forensics is the use of science and technology to investigate and establish facts in criminal or civil courts of law.

  • according to the American Heritage Dictionary

“Computer forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts… Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from finger-prints left on a window to DNA evidence recovered from bloodstains to the files on a hard drive.”

— US-CERT

  • computer forensics is a science
  • presents analysis via:
    • expert report
      • a formal document listing what tests were conducted, what was found, and the conclusions drawn
      • includes the examiner’s CV at the start
      • the expert can only testify about subjects covered in the report
    • expert testimony
      • given in two scenarios:
        • a deposition
          • testimony taken from a witness or party to a case before a trial
          • less formal
          • typically held in an attorney’s office
          • still a sworn testimony
        • a trial
    • US Federal Rule of Evidence 702 defines who qualifies as an expert and when expert testimony is admissible
      • “A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
        • the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
        • the testimony is based on sufficient facts or data;
        • the testimony is the product of reliable principles and methods; and
        • the expert has reliably applied the principles and methods to the facts of the case.”
    • US Federal Rule of Evidence 703: Bases of an expert’s opinion testimony
      • an expert may base an opinion on facts or data the expert has been made aware of or personally observed
      • those facts or data need not themselves be admissible if experts in the field would reasonably rely on them
      • if they would otherwise be inadmissible, the proponent may disclose them to the jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their prejudicial effect
        • probative value: the weight the facts or data carry in reaching a valid judgement
    • US Federal Rule of Evidence 704: Opinion on an ultimate issue
      • an opinion is not objectionable just because it embraces an ultimate issue
      • exception: in a criminal case, an expert may not state an opinion on whether the defendant had the mental state that constitutes an element of the crime
    • US Federal Rule of Evidence 705: Disclosing the facts or data underlying an expert’s opinion
      • unless the court orders otherwise, an expert may state an opinion without first testifying to the underlying facts or data
      • but the expert may be required to disclose those facts or data on cross-examination
    • US Federal Rule of Evidence 706: Court-appointed expert witnesses
      • covers the appointment of neutral experts to advise the court
    • US Federal Rule of Evidence 401: Test for relevant evidence
      • evidence is relevant if:
        • it has any tendency to make a fact more or less probable than it would be without the evidence
        • and the fact is of consequence in determining the action

Understanding the Field of Digital Forensics

Digital evidence is information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Chain of custody is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

  • 4 types of evidence:
    • Real
      • is a physical object that someone can touch, hold, or directly observe
      • e.g., laptop with suspect’s fingerprints, hard drive, handwritten notes, etc.
    • Documentary
      • is data stored as written matter, on paper, or in electronic files
      • includes memory-resident data and computer files
      • e.g., messages, logs, databases, photographs, telephone call-detail records
      • must authenticate documentary evidence
    • Testimonial
      • is information that forensic specialists use to support or interpret real or documentary evidence
      • e.g., a witness’s or examiner’s sworn statement, in a deposition or at trial, about how evidence was collected and analyzed
    • Demonstrative
      • is information that helps explain other evidence
      • e.g., a timeline, diagram, or chart built from the recovered logs and files
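The chain-of-custody and authentication points above are enforced in practice by hashing an evidence item when it is acquired and re-hashing it at every custody event, so the custody log itself shows whether, and at which handover, the item stopped matching its acquired state. The Python below is an added example, not code from the page or from any forensic tool; the image bytes, item ID, actors, and timestamps are constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Constructed stand-in for an acquired disk image (not real evidence):
# a fake boot sector followed by filler bytes.
EVIDENCE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"


def sha256_hex(data: bytes) -> str:
    """Digest of the item; any later mismatch proves the bytes were altered."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str      # ISO-8601 UTC timestamp of the handover or access
    actor: str     # person taking or releasing custody
    action: str    # e.g. "acquired", "transferred to locker", "checked out"
    sha256: str    # digest of the item as observed at this event


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id, description, data, actor, when):
        """Open the record with the digest taken at collection time."""
        rec = cls(item_id, description, sha256_hex(data))
        rec.log(actor, "acquired", data, when)
        return rec

    def log(self, actor, action, data, when):
        """Each custody event re-hashes the item, so the log records when it changed."""
        self.events.append(CustodyEvent(when, actor, action, sha256_hex(data)))

    def verify(self, data: bytes) -> bool:
        """True only if the bytes still match the acquisition digest and no
        logged custody event observed a different digest."""
        current = sha256_hex(data)
        return current == self.acquisition_hash and all(
            e.sha256 == current for e in self.events
        )

    def first_divergence(self):
        """Index of the first custody event whose digest differs from the
        acquisition digest, or None if the chain is unbroken."""
        for i, e in enumerate(self.events):
            if e.sha256 != self.acquisition_hash:
                return i
        return None

    def to_report(self) -> str:
        """Custody log as JSON, suitable for attaching to the expert report."""
        return json.dumps(asdict(self), indent=2)


def demo():
    """Walk an item through custody, then flip one byte and show the
    log pinpoints the handover where the item no longer matched."""
    rec = EvidenceRecord.acquire(
        "E-001", "constructed disk image", EVIDENCE_IMAGE,
        "examiner A", "2024-01-10T09:00:00Z",
    )
    rec.log("examiner A", "sealed, transferred to locker", EVIDENCE_IMAGE,
            "2024-01-10T09:30:00Z")
    rec.log("examiner B", "checked out for analysis", EVIDENCE_IMAGE,
            "2024-01-11T14:00:00Z")
    intact = rec.verify(EVIDENCE_IMAGE)          # chain unbroken so far

    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[5] ^= 0x01                          # one-byte alteration
    rec.log("examiner B", "returned to locker", bytes(tampered),
            "2024-01-11T17:00:00Z")
    return rec, intact, rec.verify(bytes(tampered)), rec.first_divergence()


if __name__ == "__main__":
    record, before, after, idx = demo()
    print("intact before alteration:", before)
    print("verifies after alteration:", after, "first divergent event:", idx)
    print(record.to_report())
```

Because every handover appends a fresh digest, a mismatch identifies the custody event at which the item diverged from its acquired state rather than merely the fact that it differs. In real work the digest is taken of the acquired image, not the original media, and the custody log is kept separately from the evidence it describes.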

Types of Digital System Forensics Analysis

  • Disk forensics is the process of acquiring and analyzing information stored on physical storage media
  • Email forensics is the study of the source and content of email as evidence
  • Network forensics is the process of examining network traffic, including transaction logs and real-time monitoring using sniffers and tracing
  • Internet forensics is the process of piecing together where and when a user has been on the internet
    • e.g., determining whether inappropriate content access and downloading were accidental
  • Software forensics is the process of examining malicious computer code
    • aka malware forensics
  • Live system forensics is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse
  • Cell-phone forensics is the process of searching the contents of cell phones

Knowledge Needed for Computer Forensics Analysis

Hardware

Random Access Memory

  • DRAM technologies, roughly from older to newer:
    • Asynchronous dynamic random access memory (ADRAM)
      • is not synchronized to the CPU clock; the memory controller waits a fixed delay on each access
      • fast page mode, EDO and BEDO are all asynchronous designs
    • Extended data out dynamic random access memory (EDO DRAM)
      • once a page has been selected, each sequential access within the same page takes two clock cycles instead of three
      • single-cycle EDO can carry out a complete memory transaction in one clock cycle
    • Burst EDO (BEDO) DRAM
      • an evolution of EDO; can process four memory addresses in one burst
    • Synchronous dynamic random access memory (SDRAM)
      • synchronized to the system clock; replaced EDO
    • Double data rate (DDR) SDRAM
      • a later development of SDRAM that transfers data on both the rising and falling clock edges
  • another way to look at memory is its level of volatility:
    • Random access memory (RAM)
      • very volatile; data is gone when power is discontinued
      • forensic consequence: running processes, network connections, decrypted keys and unsaved data exist only here, so capture memory before powering a system down
    • Read-only memory (ROM)
      • not volatile; cannot be changed after manufacture
      • used for instructions embedded in chips that control how the computer, option cards, peripherals, and other devices operate
    • Programmable read-only memory (PROM)
      • can be programmed only once, after manufacture; data is retained without power
    • Erasable programmable read-only memory (EPROM)
      • retains data without power, but can be erased (with ultraviolet light) and reprogrammed
    • Electrically erasable programmable read-only memory (EEPROM)
      • erased and rewritten electrically, in place
      • this is how the instructions in a computer’s basic input/output system (BIOS) are stored (modern boards use flash memory, a form of EEPROM)

Hard Drives

  • interfaces:
    • Small computer system interface (SCSI)
      • common in high-end servers
      • SCSI devices are daisy-chained; the last device on the chain must be terminated or the bus will not work reliably
      • limited to 8 devices on a narrow bus or 16 on a wide bus (one address belongs to the host adapter)
    • Integrated Drive Electronics (IDE)
      • old standard
      • uses a 40-pin connector
    • Enhanced IDE (EIDE)
      • extension of IDE supporting larger drives and faster transfer modes
    • Parallel Advanced Technology Attachment (PATA)
      • the formal standard name for IDE/EIDE, adopted once SATA appeared
    • Serial Advanced Technology Attachment (SATA)
      • point-to-point serial replacement for PATA; one drive per port
    • Serial Attached SCSI (SAS)
      • serial successor to parallel SCSI, used in servers
    • Solid-state drive (SSD)
      • a flash-based drive type rather than an interface; attaches over SATA, SAS, or NVMe (PCIe)
      • forensic caveat: wear leveling, TRIM and background garbage collection mean deleted data may be unrecoverable, and the controller can rewrite blocks on its own even behind a write blocker, so hash the image immediately after acquisition

The Daubert Standard

The Daubert standard (from Daubert v. Merrell Dow Pharmaceuticals, 1993) is the standard a trial judge uses to make a preliminary assessment of whether an expert’s scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue.

  • factors that may be considered to determine validity:
    • whether the theory or technique in question can be and has been tested;
    • whether it has been subjected to peer review and publication;
    • its known or potential error rate;
    • the existence and maintenance of standards controlling its operation; and
    • whether it has attracted widespread acceptance within a relevant scientific community
  • according to Cornell Law School’s Legal Information Institute
  • general acceptance is one factor, not a requirement: a new test or procedure is not excluded automatically, but the examiner must be able to show it has been tested, has a known error rate, and was applied correctly to the facts
    • in practice, using documented, validated and widely used tools and methods makes the testimony far easier to defend
  • a Daubert challenge is a motion to exclude all or part of an expert’s testimony because it fails to meet the Daubert standard
    • common in civil cases
    • less common in criminal court

US Laws Affecting Digital Forensics