Week 1 Flashcards

1
Q

Digital forensics

A

The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law.

The examiner performs a structured investigation while maintaining a documented chain of evidence (chain of custody) to find out exactly what happened on a computer device and who was responsible for any disputed activity.

2
Q

Who governs Digital Forensic Best Practices

A

International Organization for Standardization (ISO)
American Society of Crime Lab Directors (ASCLD)
Scientific Working Group on Digital Evidence (SWGDE)
▪ Selected SWGDE best-practice documents are on Canvas

3
Q

KB MB GB TB

A
4
Q

How is a Digital Forensic Investigation Performed?

A

Identification Phase
▪ What evidence is to be seized, and by what means?
Acquisition of Evidence
▪ Arguably the most important phase: creation of the disk image
Authentication of Evidence
▪ Is what we seized and acquired/copied an exact duplicate? (Verified by hashing the source and the image and comparing the values.)
Analysis Phase
▪ Relies on the training and competencies of the examiner
Presentation or Reporting Phase
▪ Effective presentation is key to successful outcomes

5
Q

The Three “A”s of Forensic Methodology:

A
  1. Acquire the evidence without altering or damaging the source
  2. Authenticate that the evidence you recovered is the same as that on the seized source
  3. Analyze the data without altering it
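The acquisition and authentication steps of the phases above and of the three "A"s, as an added example in Python (not code from the course). The "suspect drive" is a constructed file of sample bytes standing in for a block device; a real acquisition reads the device through a hardware write-blocker, but the hashing and verification logic is the same. The function names and the 4096-byte block size are assumptions for illustration.

```python
"""Acquire and authenticate a disk image with hashes (added example, not from
the course notes). The "suspect drive" is a constructed file of sample bytes;
a real acquisition reads a block device through a hardware write-blocker, but
the hashing logic is the same."""
import hashlib
import os
import tempfile

BLOCK = 4096  # imaging tools read the source in fixed-size blocks (assumed size)


def acquire(source_path, image_path):
    """Acquire: stream a bit-for-bit copy of the source to the image file.

    The source is opened read-only and hashed as it is read, so the returned
    hash describes exactly the bytes that were copied. Returns
    (bytes_copied, sha256_hex).
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def sha256_file(path):
    """Independent hash of a file, block by block (the file may be large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            digest.update(block)
    return digest.hexdigest()


def authenticate(image_path, acquisition_hash):
    """Authenticate: rehash the image and compare with the hash recorded at
    acquisition. Only an exact match proves the image is a true duplicate."""
    return sha256_file(image_path) == acquisition_hash


def demo():
    """Image a constructed source, verify the copy, then flip one byte of the
    image and show that verification now fails."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_drive.bin")  # constructed
        image = os.path.join(workdir, "suspect_drive.dd")
        # 10 full blocks plus 17 bytes: the partial last block must be copied
        # and hashed too, or the image is silently truncated.
        payload = (b"evidence" * 6000)[: 10 * BLOCK + 17]
        with open(source, "wb") as f:
            f.write(payload)

        size, acq_hash = acquire(source, image)
        results = {
            "bytes_copied": size,
            "size_matches_source": size == os.path.getsize(source),
            "hash_matches_source": acq_hash == sha256_file(source),
            "image_verifies": authenticate(image, acq_hash),
        }
        # Alter a single byte of the image (what could happen if the image
        # were opened read-write during analysis instead of read-only).
        with open(image, "r+b") as f:
            f.seek(1234)
            original = f.read(1)[0]
            f.seek(1234)
            f.write(bytes([original ^ 0x01]))
        results["tampered_image_verifies"] = authenticate(image, acq_hash)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two checks matter in practice: the byte count of the image must equal the size of the source (a partial last block is the usual way an image ends up short), and the hash must be recomputed independently after acquisition and again after analysis, so that any alteration of the working copy is detected rather than assumed away.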
6
Q

What do digital forensic examiners need to know?

A

Technical knowledge
▪ Laptop vs. phone: the device type changes how evidence is stored and acquired
▪ How data is stored differently on different types of drives
▪ Differences between Windows versions (7, 10, etc.)
▪ How data is allocated in different file systems
▪ How data goes from binary to hexadecimal to ASCII to a rendered image (e.g., a logo)
▪ The purpose of servers, and how to obtain and analyze evidence from them
▪ Differences between Android, Apple and other phones
▪ How different social media apps work

Also need to know
▪ Knowledge of the law as it relates to what you're investigating
▪ Comprehension and application of Locard's Exchange Principle as it relates to digital forensics
▪ Inquisitive nature
▪ Objectivity, neutrality, independent thought
▪ "No stone unturned" mindset
▪ Thoroughness: context matters
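The binary-to-hexadecimal-to-ASCII point above, worked as an added Python example (not from the course): the same bytes shown three ways in a classic hexdump, and the file signature ("magic bytes") read from the first bytes of a file regardless of its name. The sample files are constructed inline and the signature table is an illustrative subset, not a complete database.

```python
"""The same bytes as binary, hexadecimal and ASCII, and a file type read from
its leading bytes. Added example; the sample files are constructed inline."""

# Well-known file signatures (first bytes of the file). Assumption: this short
# table is illustrative, not a complete signature database.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/PPTX, APK, JAR)",
    b"MZ": "Windows executable (PE)",
}

# What the extension claims, as a prefix of the signature description.
EXPECTED_PREFIX = {
    "jpg": "JPEG", "jpeg": "JPEG", "png": "PNG", "pdf": "PDF",
    "docx": "ZIP", "zip": "ZIP", "exe": "Windows", "dll": "Windows",
}


def byte_views(value):
    """One byte three ways: 8 binary digits, two hex digits, printable ASCII."""
    ascii_char = chr(value) if 0x20 <= value < 0x7F else "."
    return format(value, "08b"), format(value, "02x"), ascii_char


def hexdump(data, width=16):
    """Offset / hex / ASCII view, one line per `width` bytes."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(byte_views(b)[2] for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  |{ascii_part}|")
    return lines


def identify(data):
    """Return the file type implied by the leading bytes, ignoring the name."""
    for magic, description in SIGNATURES.items():
        if data.startswith(magic):
            return description
    return "unknown"


def check_extension(name, data):
    """True if the extension agrees with the signature, False if it does not
    (a renamed picture hiding as a .dll), None if the extension is not in
    the table."""
    claimed = name.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_PREFIX.get(claimed)
    if expected is None:
        return None
    return identify(data).startswith(expected)


# Constructed samples: a PNG header, a JPEG renamed to .dll, and plain text.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00",
    "helper.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "notes.txt": b"This is plain text.",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = {True: "extension matches", False: "EXTENSION MISMATCH",
                   None: "extension not checked"}[check_extension(name, data)]
        print(f"{name}: {identify(data)} ({verdict})")
        print("\n".join(hexdump(data)))
    binary, hexa, char = byte_views(ord("A"))
    print(f"'A' is {binary} in binary = 0x{hexa} in hex = '{char}' in ASCII")
```

An examiner reading the hex pane sees why a file's extension is not evidence of its type: the first bytes of helper.dll are the JPEG start-of-image marker, so the file is a picture whatever its name says.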

7
Q

Main incidents where computer forensics can
add value

A

▪ Child Sexual Abuse Material (CSAM)
▪ Stalking
▪ Threats to do Harm
▪ Fraud & other financial crimes
▪ Domestic assault & child custody
▪ White collar crimes
▪ Any case involving email, web activity, social
media, etc.

8
Q

Where is the computer forensic evidence?

A

Windows Registry
▪ The main nerve center of a Windows PC
▪ Records user accounts and their security levels
▪ Records connected devices (USB devices, cards, etc.)
▪ Records certain network activity (IP addresses)
▪ Records most recently used/viewed documents
▪ Key timestamps let the examiner place this evidence in a timeline
▪ Keeps track of installed software and hardware

Web browsers
▪ Search history (Google, Yahoo!, etc.)
▪ Temporary internet files (cache)
▪ Downloads
▪ Social media activity

Email
▪ Original email evidence
▪ Originating location and authorship information (from the message headers)
▪ Attachments

Peer-to-Peer file sharing
▪ IP addresses
▪ Globally Unique Identifiers (GUIDs)
▪ Images and shared files

Other types of evidence
▪ Document/file metadata
▪ Timeline analysis
▪ Image analysis
▪ Other system activity

Mobile Device Examples
▪ iPhone/iPad/iPod (Apple)
▪ All Android-based phones/tablets
▪ Legacy/feature phones / "drop" phones
▪ GPS devices (external)
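The browser-history and timeline items above, as an added Python example (not from the course): web searches and visits are pulled from a Chrome-style History database and ordered into a timeline. The database is constructed in memory with a minimal subset of Chrome's `urls` and `keyword_search_terms` tables (an assumption: real profiles have many more columns, and the file must be read from a forensic copy, never from the live profile). The detail worth learning is the timestamp: Chrome stores times as microseconds since 1601-01-01 UTC, not the Unix epoch.

```python
"""Web activity from a Chrome-style History database, placed on a timeline.
Added example; the database is constructed in memory with a minimal subset of
Chrome's `urls` and `keyword_search_terms` tables (assumed schema)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Feeding a WebKit timestamp to a Unix-epoch converter gives dates tens of
    thousands of years out; the offset from 1601 must be applied."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt):
    """Inverse conversion; integer floor division keeps full precision."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed sample profile: three visits and one search term."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                           term TEXT, normalized_term TEXT);
    """)
    t0 = datetime(2024, 3, 5, 14, 2, 11, tzinfo=timezone.utc)
    rows = [
        (1, "https://www.google.com/search?q=how+to+wipe+a+drive",
         "how to wipe a drive - Google Search", 1, datetime_to_webkit(t0)),
        (2, "https://example.org/tools/eraser", "Secure Eraser",
         2, datetime_to_webkit(t0 + timedelta(minutes=3))),
        (3, "https://mail.example.com/inbox", "Inbox",
         7, datetime_to_webkit(t0 - timedelta(hours=1))),
    ]
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", rows)
    db.execute("INSERT INTO keyword_search_terms VALUES (2, 1, ?, ?)",
               ("how to wipe a drive", "how to wipe a drive"))
    db.commit()
    return db


def timeline(db):
    """Every URL with the search term (if any) behind it, oldest first,
    times rendered in UTC so they can be lined up with other artifacts."""
    query = """
        SELECT u.last_visit_time, u.url, u.title, u.visit_count, k.term
        FROM urls u LEFT JOIN keyword_search_terms k ON k.url_id = u.id
        ORDER BY u.last_visit_time
    """
    return [
        {"time": webkit_to_datetime(t).isoformat(), "url": url, "title": title,
         "visits": count, "search_term": term}
        for t, url, title, count, term in db.execute(query)
    ]


if __name__ == "__main__":
    for entry in timeline(build_sample_history()):
        print(entry["time"], entry["search_term"] or "-", entry["url"])
```

On a real case the same query is run against a copy of the `History` file from the user's profile, and the converted times are merged with file-system and registry timestamps to build the overall timeline.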

9
Q

Where else can data be stored and used as evidence?

A

Cloud storage services (e.g., Google Drive, Dropbox) and GPS devices

10
Q

Valuable Evidence on Mobile Devices

A

Social media activity
▪ Posts, check-ins, pictures and messaging
Pictures and video
▪ Often contain location metadata
Map and location searches
Google/search engine searches
Text (SMS) messages
▪ Can also contain pictures and video (MMS)

App activity
▪ Location, time of connection, etc.
▪ Instant messages (Twitter, Facebook)
Email
▪ Device- and app-dependent
Deleted items
▪ Device-dependent
Information from the device needed to request records from the wireless carrier

11
Q

Legal Seizure: Private Sector Investigations

A

Stored Communications Act (SCA)
Electronic Communications Privacy Act (ECPA)
Virginia Computer Crimes Act
Others
▪ FERPA (education)
▪ GLBA (banking)

Corporate Investigations
▪ Company-issued vs. BYOD devices
▪ Acceptable use policies
▪ Employment law
▪ Public employees and FOIA (Freedom of Information Act)
▪ Duty to preserve; spoliation

12
Q

What makes the difference in a digital forensic expert?

A

Quality of examination
▪ Preview vs. full examination
▪ Details matter!
▪ Quality comes with experience
▪ Proper exams are time- and labor-intensive

Considerations...
▪ Professional degrees and certifications
▪ Professional affiliations
▪ Expert witness designation
▪ Digital forensic article or book publications
▪ Number of examinations / amount of data examined to date
▪ Understanding and explanation of the forensic process

Most importantly: can you explain it to the judge and jury?
