Digital Forensics 101


Digital Forensics in Law Enforcement 101
Digital Forensics defined
According to NIST
o The application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
According to EC-Council
o A branch of forensic science that focuses on the recovery and investigation of material found in digital devices related to cybercrime.
What is digital forensics as it relates to law enforcement?
Identification, collection, preservation, analysis, and reporting of evidence from digital sources (e.g. computer memory, hard drives, flash drives, mobile devices, memory cards, etc.)
Demonstration of acquisition of data from a small flash drive using FTK Imager
Brief discussion of necessity of write blockers (hardware or software) for this process
Brief discussion of evidence of USB device connection to a Windows computer in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR)
Brief discussion of chain of custody (COC), physical device, image files
o Image files are evidence
o Disposition orders for physical devices and for image files
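As an added example (not part of the presentation), a small Python parser for the USBSTOR device keys mentioned above, run on constructed sample subkey names rather than a live hive. It also shows how an examiner tells a serial number reported by the device from an instance ID that Windows generated for a device that reported none; the vendor names and serials are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample subkey paths, relative to
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Real names follow
# the same <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id> layout.
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230313110462&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\E0D55EA5740F0C10B1C6A1D1&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1f3c7e&0&000000",
]

_DEVICE_RE = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<inst>[^\\]+)$"
)

@dataclass
class UsbStorEntry:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]        # None when the ID was generated by Windows
    windows_generated_id: bool

def parse_usbstor_key(key_path: str) -> UsbStorEntry:
    """Split one USBSTOR subkey path into the fields an examiner reports."""
    m = _DEVICE_RE.match(key_path)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {key_path!r}")
    inst = m.group("inst")
    # A '&' in the second position means Windows made the instance ID up
    # because the device reported no serial number; otherwise the ID is the
    # device serial followed by "&0".
    generated = len(inst) > 1 and inst[1] == "&"
    serial = None if generated else inst.rsplit("&", 1)[0]
    return UsbStorEntry(m.group("type"), m.group("ven"), m.group("prod"),
                        m.group("rev"), inst, serial, generated)

def triage_usbstor(key_paths: List[str]) -> List[UsbStorEntry]:
    """Parse every key path, skipping names that are not device entries."""
    entries = []
    for path in key_paths:
        try:
            entries.append(parse_usbstor_key(path))
        except ValueError:
            continue
    return entries

if __name__ == "__main__":
    for e in triage_usbstor(SAMPLE_USBSTOR_KEYS):
        origin = "Windows-generated" if e.windows_generated_id else "device serial"
        print(f"{e.vendor} {e.product} rev {e.revision}: {e.instance_id} ({origin})")
```

On an examiner's workstation the same parser can be fed the subkey names enumerated from a mounted copy of the SYSTEM hive; the evidence drive itself should only ever be read through a write blocker.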
