Digital Forensics 101

Digital Forensics in Law Enforcement 101

Digital Forensics defined

According to NIST
o The application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.

According to EC Council
o A branch of forensic science that focuses on the recovery and investigation of material found in digital devices related to cybercrime.

What is digital forensics as it relates to law enforcement?

Identification, collection, preservation, analysis, and reporting of evidence from digital sources (i.e. computer memory, hard drives, flash drives, mobile devices, memory cards, etc.)

Demonstration of acquisition of data from small flash drive using FTK imager

Brief discussion of necessity of write blockers (hardware or software) for this process

Brief discussion of evidence of USB device connection to Windows computer in registry (HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR)

Brief discussion of chain of custody (COC), physical device, image files
o Image files are evidence
o Disposition orders for physical devices and for image files