Bruce Nikkel 1_2_overview_of_digital_forensics.pdf

Basic forensic process for digital evidence:

1. Evidence collection/acquisition
2. Preservation, integrity, chain-of-custody
3. Analysis, interpretation
4. Presentation, reporting

• Admissible in court of law
• Usable for internal disciplinary hearings
• Supporting data for internal incident reports
• Assisting/furthering other investigations
• Helps reconstrucht past events or activity (timelines)
• Shows possession / handling of digital data
• Show use/abuse of IT infrastructure & services
• Shows evidence of policy violation or illegar activity

• Computer forensics (disks, removable media, flash chips ...)
• Network forensics (network intrusion, abuse ...)
• Software forensics (examining malicious code, malware ...)
• Live system forensics (compormied hosts, memory dumps ...)

• Mobile forensics (smart phones, tablets)
• IoT forensics (internet connected toasters, tiny devices ...)
• Vehicle forensics (automobiles, drones)
• Cloud and Social Media forensics

Easy to destroy

• bootin a PC updates timestamps and modifies files
• attaching external drives can modify file system timestamps, create files, overwrite deleted data
• volatile memory is lost when a machine is powered off

Hard to get

• network traffic only exists on the wire for milliseconds
• intrusions and attacks may be cleverly hidden (steg, obfuscation, crypto)
• anti-forensic activity may prevent collection
• proprietary devices of file formats
• over-providioned ares on flash drives
• service ares on disks
• encrypted drives and files

• acquisition vs analysis
• evidence vs intelligence
• private vs public sectors
• victioms vs perpetrators (ebanking, CP)
• limitations vs requierments (technical, policy, legal, ehtical)

• Academic papers and conferences
• DF (data forensic) tools and platforms
  • sleuth kit + autopsy
  • forensic focus
  • kali linux
  • my forensics page