Digital Forensics Fundamentals v1 | 2023
Digital forensics is a field of study within cybersecurity that focuses on the extraction, preservation and analysis of digital information and data. Digital forensics is commonly used in law enforcement, government and the business sector for various purposes.
—
Cybersecurity is one of the fastest growing fields of study within the computer science industry with expected job growth of 33% over the next 10 years according to the Bureau of Labor Statistics. Additionally, job postings for cybersecurity roles have already drastically increased ahead of schedule, pointing to the possibility that the industry may be growing faster than anyone anticipated. Digital forensics is an aspect of cybersecurity that involves the acquisition, recovery and analysis of data found on information systems. Digital forensics is commonly used by law enforcement, government and businesses throughout the world. Whether the goal is to catch criminals or uncover vulnerabilities in an information system, digital forensics is an important field of study that can be viewed as one of the foundational skills of cybersecurity.
By learning digital forensics you will gain a deep understanding of many foundational elements of cybersecurity. This includes understanding file systems, operating systems, cryptography, types of cyber attacks, threat analysis, data visualization, analytic methodologies, forensic toolkits and much more. Learning digital forensics allows you to approach cybersecurity from the ground up, giving you a much better understanding of how things work behind the scenes. This will become an invaluable skill and knowledge base that you will carry with you throughout your career.
In this program you will learn about the four types of digital forensics and how they are used in the real world. Each use case for digital forensics requires different rules and regulations to follow. Understanding concepts such as chain of custody, order of volatility and various legal standards is important when conducting digital forensics. Additionally, you will learn foundational concepts about capturing digital data such as forensic imaging, file systems, operating systems, cryptography and the digital forensics process. Lastly, we will walk you through 12 tutorials using free forensic tools that you can start using today to practice your digital forensics skills. These tools will teach you how to capture hard drive data, recover deleted files, forensically analyze network data, extract data from mobile devices and much more. By the end of this program you will not only know the fundamentals of digital forensics but you will be able to actually conduct various types of digital forensic tasks and functions with real world applications.
- 1. What is Digital Forensics (Video lesson)
Digital forensics is an element of cybersecurity that focuses on the acquisition, recovery, investigation and analysis of digital material found on electronic devices, computer networks, cloud resources and mobile devices.
- 2. Types of Digital Forensics (Video lesson)
There are four primary types of digital forensics: computer forensics, mobile forensics, network forensics and cloud forensics.
- 3. Use Cases for Digital Forensics (Video lesson)
Digital forensics is commonly used in law enforcement but it is also used in military, government and business environments. Here you will learn about the various purposes for digital forensics in each type of organization.
- 4. Information Security (Video lesson)
Within the field of information security there is a concept known as the CIA Triad which stands for Confidentiality, Integrity and Availability. Confidentiality ensures that information is only viewed by those who are supposed to have access to it. Integrity ensures that the information that is transferred is intact and remains unmodified. Availability ensures that data is readily available to those who are authorized to access it. Different elements of the CIA Triad will be of more interest to different groups depending on what threat actor is being discussed.
- 5. Cyber Attacks (Video lesson)
Cyber warfare, attacks and intrusions have been around since the 1980s when computers and the internet were still in their infancy. As information technology has proliferated around the world so have the inherent vulnerabilities that come with it. As more individuals, groups and nation states gain access to this technology they naturally learn how to exploit computers for military, intelligence and criminal applications.
- 6. Cyber Attack Case Study (Video lesson)
This section provides extensive detail about a recent cyber attack launched by Russia against Ukraine.
- 7. Memory & Storage (Video lesson)
The most common type of image acquisition is called “bit stream disk to image”. This type of acquisition involves creating an exact replica or clone of the original drive. You will learn how to do this later in the course.
- 8. Operating Systems (Video lesson)
Operating systems allow the user to manage all the programs and applications on a computer or device. Without an operating system a computer would not be able to function in the way we are commonly used to. The operating system is used for essential tasks such as booting, memory management, loading, executing programs, disk management and the user interface.
- 9. Cryptography (Video lesson)
Cryptography is a method of securing information whether it is at rest or in transit. Without cryptography hackers would be able to see all of your information in what is called plain text. This means that your usernames, passwords and other important information would be clearly visible if someone could access your network or device. You will learn how to view these plain text messages in the tutorials on network forensics.
- 10. The Digital Forensics Process (Video lesson)
The digital forensics process is a systematic tool that can be used by investigators to safely and effectively conduct digital forensics tasks from start to finish.
- 11. Computer Forensics (Hardware) (Video lesson)
Computer forensics in this section is to be understood as hardware data forensics and the extraction techniques associated with these technologies. This is what is commonly referred to when discussing digital forensics although by now you have learned that the field is much more dynamic.
- 12. Mobile Forensics (Video lesson)
Digital forensics on mobile devices and cell phones has been a growing field over the last two decades. In many cases mobile devices carry much more useful evidence, especially in the case of law enforcement. Mobile devices are filled with valuable information such as contacts, text messages, GPS data, photos and videos, metadata, network data, application data and other personally identifiable information that can be used for analysis.
- 13. Network Forensics (Video lesson)
Network forensics is the aspect of digital forensics that involves investigating computer network traffic and network data to form assessments and draw conclusions about criminal behavior, cybersecurity events and to gather information. Through network forensics investigators can view file transfers, messages, emails, web traffic, credentials and much more.
- 14. Cloud Forensics (Video lesson)
Cloud computing is a service that users are able to interact with over a computer network. It allows users to access software, media and digital infrastructure without having to install services on a local device or server. This allows for the virtualization of software, services, platforms and infrastructure over the internet.
- 15. Tool #1 (Video lesson)
This tutorial covers an open source digital forensics platform used by law enforcement, military, business and academic clients. This tool is a feature rich platform that allows for multiple add-ons for each specific industry. The tool comes equipped with the capability to allow the examiner to easily investigate computer hardware and mobile devices. Features include email analysis, metadata extraction, robust file system analysis, timeline analysis and registry analysis.
- 16. Tool #2 (Network Forensics) (Video lesson)
This tool is a network protocol analyzer, which allows the user to monitor, track and analyze activity on a network. It is the industry standard for government, corporate and law enforcement clients around the world. This tool provides a feature rich platform that enables the user to capture live network traffic from a variety of sources. It is equipped with dozens of features such as VoIP analysis, protocol decryption, multiple search filters and an easy to use graphical user interface.
- 17. Tool #3 (Network Forensics) (Video lesson)
This tool is another highly useful open source tool for digital forensics. It is a Network Forensics Analysis Tool that is used to collect packet captures and other valuable network data for an investigation. This tool functions as a passive network sniffer or packet capturing tool in order to detect operating systems, sessions, hostnames, open ports and more.
- 18. Tool #4 (Video lesson)
This tool is a free open source data preview and imaging software used for digital forensics. This tool allows the user to copy image files of devices in order to examine the data without making changes to the original evidence. This is important for both data preservation and chain of custody reasons in an investigation.
- 19. Tool #5 (Video lesson)
This tool is a free software tool that you can use to quickly copy a physical drive. It is a very simple tool with less functionality than the previous tools but offers great value by allowing the user the ability to conduct their capture in a fast and low profile manner.
- 20. Tool #6 (Mobile Forensics) (Video lesson)
A free software tool for quickly capturing mobile disk images for iOS, Android and other removable media sources. The software combines computer and mobile data acquisition allowing you to use one centralized tool for various types of data acquisition. The software offers several options for quick capture or for full disk capture and has the ability to root devices as needed.
- 21. Tool #7 (Mobile Forensics) (Video lesson)
This is a free software tool designed to collect forensic data from various mobile devices on the market. This tool creates a read only forensic acquisition of mobile device data and offers several features such as password cracking for various password types, application decoders and communication data. It is an easy to use software that provides a simple and straightforward graphical user interface to quickly extract data from a mobile device.
- 22. Tool #8 (Browser Forensics) (Video lesson)
This tool allows the user to extract all of the browsing history on a device from multiple internet browsers. The tool extracts all data related to browsing history and displays it in one area where it can easily be viewed and analyzed. The most common browsers that are extracted are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge, but the tool will extract data from others.
- 23. Tool #9 (Video lesson)
This tool allows the investigator to discover the last known resources that were being used on a specific information system. This can include applications that were running, files and folders that were opened, deleted files and folders, utilities being used, network and connection data, system errors and much more.
- 24. Tool #10 (Network Forensics) (Video lesson)
Network forensics tool that is ideal for those who are not familiar with using the command line interface.
- 25. Tool #11 (USB Forensics) (Video lesson)
This tool is a digital forensics software that allows you to discover USB and external drive artifacts that may be hidden from plain view. Whenever you use a USB drive there are dozens of digital artifacts that are left behind. These artifacts can be used to determine if a specific device was used and what activity it was involved in.
- 26. Tool #12 (Web Forensics) (Video lesson)
This tool is different from the other forensics tools in that it is a web based tool used to gather information about websites and IP addresses. Sometimes digital forensics involves investigating websites, IP addresses and other network devices that are connected through the internet. Finding information about these digital assets may prove to be difficult if you are not able to reach the owner or administrator of the website. Internet facing websites may also be used for criminal activity which can create a need to gather more information about the site such as what internet service provider it uses, the physical location of the servers and domain registration information.
