Digital Forensics

11. Interpreting & Reporting Conclusions


Forensic Tools

This unit has introduced many new concepts revolving around the capture, preservation and examination of digital evidence. Along the way there have been opportunities to practise and use forensic tools appropriate to each stage of the investigation.

While using these tools, their relative strengths and weaknesses were highlighted. It was emphasised that the choice of tool is a balance between ease of use, the purpose of the tool and the context of the investigation:

  • Capturing and preserving the evidence. Guymager was the first tool introduced for capturing exact copies of digital evidence from storage devices. Other tools used included dd and dc3dd.
  • Examining and analysing the evidence. Quite a range of tools were introduced for this: The Sleuth Kit and Autopsy for examining disk images; recoverjpeg, Foremost, PhotoRec and Scalpel for finding and recovering deleted and hidden files.

    While the tools above are intended for capturing evidence stored on physical storage devices, LiME (Linux Memory Extractor) and Volatility were introduced as tools for capturing and examining the contents of RAM. This is useful for devices that investigators recover in a switched-on state, since the contents of RAM are lost once the power is removed.

  • All the tools used support the various methods of analysis covered in the unit: time-frame analysis, data hiding analysis, ownership and possession analysis, and application and file analysis.
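To show the idea behind the carving tools named above (Foremost, Scalpel, PhotoRec, recoverjpeg), here is an added shell example that is not part of the course material and not code from any of those projects: it builds a small constructed "image" with a JPEG-like blob embedded between filler bytes, locates the JPEG start marker (FF D8 FF) and trailer (FF D9) by walking the bytes with od and awk, and cuts the bytes between them out with dd. Real carvers handle many file types, fragmentation and false positives; the function names `build_image`, `find_jpeg` and `carve_jpeg`, the working directory and the sample bytes are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration of header/trailer carving, the technique behind tools such
# as Foremost and Scalpel. Constructed sample data only; no file system involved.
set -eu

WORK="${TMPDIR:-/tmp}/carve_demo.$$"   # assumed scratch directory
mkdir -p "$WORK"

# Constructed "disk image": filler bytes, then a JPEG-like blob
# (FF D8 FF E0 "JFIF" payload FF D9), then more filler. printf's \ooo octal
# escapes are POSIX, so this produces the same bytes in sh, dash and bash.
build_image() {
  { printf 'filler-data-before-the-picture-'
    printf '\377\330\377\340JFIFpayload\377\331'
    printf 'filler-after-'
  } > "$1"
}

# Print "<start> <end>" for the first JPEG found: start is the offset of the
# first FF D8 FF, end is the offset just past the first FF D9 after it.
find_jpeg() {
  od -An -v -t x1 "$1" | awk -v start=-1 '
    { for (i = 1; i <= NF; i++) { b[n++] = $i } }      # one hex byte per slot
    END {
      for (i = 0; i + 1 < n; i++) {
        if (start < 0) {
          if (i + 2 < n && b[i] == "ff" && b[i+1] == "d8" && b[i+2] == "ff") { start = i }
        } else if (b[i] == "ff" && b[i+1] == "d9") {
          print start, i + 2
          exit
        }
      }
    }'
}

# Carve the located bytes into a separate file with dd and echo the offsets.
# Returns 1 (and writes nothing) when no header/trailer pair is found.
carve_jpeg() {
  img="$1"; out="$2"
  set -- $(find_jpeg "$img")
  [ $# -eq 2 ] || { echo "no JPEG header/trailer pair found in $img" >&2; return 1; }
  start=$1; end=$2
  dd if="$img" of="$out" bs=1 skip="$start" count=$((end - start)) 2>/dev/null
  echo "$start $end"
}

# Hex dump of a carved file as one string, used to check what was recovered.
hex_of() {
  od -An -v -t x1 "$1" | tr -d ' \n'
}

# Stand-alone run: build the sample, carve it, show offsets and recovered bytes.
build_image "$WORK/sample.dd"
carve_jpeg "$WORK/sample.dd" "$WORK/carved_0001.jpg"
hex_of "$WORK/carved_0001.jpg"; echo
```

The offsets printed are 31 and 48 for the constructed sample, so 17 bytes are carved. The same scan over a real image would also flag any stray FF D8 FF sequence inside unrelated data, which is why the real tools check more of the header and let the examiner review the hits.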

Forensic Methods

The use of forensic tools was set against a background of forensic principles, all geared to producing sound and fair evidence. The aim is to use methods that others could follow to arrive at the same conclusions. These included:

  • Following the legal requirements when searching for and seizing equipment and data, in line with the alleged crime and the permissions granted by search warrants under the appropriate sections of the law.
  • Acquiring and storing the evidence in a forensically sound way, without altering the contents of the data.
  • Documenting and reporting evidence in sufficient detail that others could follow and repeat the same actions and arrive at the same conclusions. This includes careful maintenance of the chain of custody and an explanation of the decisions taken during the investigation, so that others can understand why some tools were used rather than others. Essentially the record explains what was done to which evidence, why, and what was found.
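The acquisition, verification and record-keeping steps described in the two lists above, as an added shell example that is not part of the course material: it images a constructed stand-in for a seized drive with dd, hashes source and image with SHA-256, appends a dated record (tool, source, image, hash, verification result) to an acquisition log under a placeholder case number and examiner initials, and later re-verifies the image against the logged hash. The `hash_file`, `acquire` and `verify_image` functions, the log format and all paths are assumptions for the illustration.

```shell
#!/bin/sh
# Added illustration of a forensically sound acquisition with dd plus hash
# verification and an acquisition log. The "device" is a constructed file, so
# this runs offline and without root.
set -eu

WORK="${TMPDIR:-/tmp}/acq_demo.$$"        # assumed scratch directory
mkdir -p "$WORK"
CASE_ID="${CASE_ID:-CASE-0000}"           # placeholder case number
EXAMINER="${EXAMINER:-XX}"                # placeholder examiner initials

# SHA-256 of a file; sha256sum is coreutils, shasum is the fallback elsewhere.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Constructed stand-in for a seized drive: 64 KiB of random bytes. The size is
# a multiple of the dd block size used below; see the note in acquire().
make_source() {
  dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null
}

# Image the source, hash both sides, log the outcome. Exit status is 0 only if
# the image hash equals the source hash.
# conv=noerror,sync is the usual choice for damaged media: dd keeps going past
# read errors and zero-pads the short block. That padding also means the image
# hash will not equal the source hash if the source length is not a multiple
# of bs, so the size of the image must be recorded and explained in that case.
acquire() {
  src="$1"; img="$2"; log="$3"
  dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$img.dd.log"
  src_hash=$(hash_file "$src")
  img_hash=$(hash_file "$img")
  if [ "$src_hash" = "$img_hash" ]; then verified=yes; else verified=no; fi
  printf '%s case=%s examiner=%s tool=dd source=%s image=%s sha256=%s verified=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$CASE_ID" "$EXAMINER" \
    "$src" "$img" "$img_hash" "$verified" >> "$log"
  [ "$verified" = yes ]
}

# Before analysis (or after transport): recompute the image hash and compare it
# with the hash that was logged at acquisition time.
verify_image() {
  img="$1"; log="$2"
  logged=$(grep "image=$img " "$log" | tail -n 1 | sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
  [ -n "$logged" ] && [ "$(hash_file "$img")" = "$logged" ]
}

# Stand-alone run: acquire, verify, and show the log entry.
make_source "$WORK/source.img"
acquire "$WORK/source.img" "$WORK/evidence.dd" "$WORK/acquisition.log"
verify_image "$WORK/evidence.dd" "$WORK/acquisition.log"
cat "$WORK/acquisition.log"
```

The log line is the kind of entry the pro forma and checklist ask for: who acquired what, with which tool, when, and the hash that lets anyone re-verify the image later. Changing a single byte of the image makes `verify_image` fail, which is the point of recording the hash at acquisition time rather than afterwards.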

Assessment continued:

Time to finish the assessment and the unit.

  1. Download and save the final standard pro forma on Analysis. This is for recording results and conclusions. If you have additional documents as evidence, make sure they are attached to this form and matched with an appropriate case number and name. Once the form is completed you are ready to submit, but before then:
  2. Download and save the Forensic Checklist. Complete this form, checking that everything is in a suitably named folder that includes your initials. Anything missing from the checklist needs to be added. As before, ensure any additional documents are completed with a case id and name.
  3. Copy your folder containing everything to a drop folder which your teacher will assign to you. Good luck.

Check List

The End
