Unit 3 - Computer Forensic Lab Requirements

Digital Forensics

Chapter 1. Introduction to Digital Forensics

Chapter 2. Essential Technical Concepts

Chapter 3. Computer Forensic Lab Requirements

Chapter 4. Acquiring Digital Evidence

Chapter 5. Analyzing Digital Evidence

Chapter 6. Windows OS Forensic Analysis

Chapter 7. Web Browser & Email Forensics

Chapter 8. Gathering evidence from OSINT

Chapter 9. Anti-Forensic Techniques

Chapter 10. Digital Forensic Reports


Chapter 3. Computer Forensic Lab Requirements

Software and hardware tools you need to begin your investigation

With the increased number of cybercrime attacks hitting both the public and the private sector,
the need for computer forensics labs that can capture and analyze digital evidence with high accuracy
keeps growing. You may think that computer forensics labs are limited to law enforcement agencies.
However, this is not true: many corporations in the United States maintain digital forensics labs
with advanced investigation capabilities that exceed those of many police labs.

As we talked about in Chapter 1, digital forensic investigations can be broadly segmented into two
types: public and private investigations. Law enforcement agencies and security services were the
pioneers in establishing digital forensics labs; however, with advances in computing technology
and the widespread use of smartphones and wearable devices, most typical crimes are now associated
with some type of digital evidence. This crowds police labs with long waiting lists of digital
evidence from various legal cases that need to be investigated. The long waiting lists, which may
sometimes last for months or years, encourage large and even mid-sized corporations to set up their
own in-house lab to investigate cybercrime issues related to their work and property.

Today’s banks, tech companies, retailers (such as Amazon and Walmart), and utility providers are
using their own digital forensics labs to speed the investigation process and to reduce the various
costs associated with digital investigations. Compared with police labs, private corporations have
more flexibility in terms of procuring the latest software (including upgrades) and hardware needed
for supplying their labs, while some police labs may still use old software versions because of
budget limitations and the lack of trained professionals.

In-house digital forensics analysts usually work closely with law enforcement agencies to solve
cases related to their businesses. For instance, once someone finds evidence of or witnesses an
illegal activity (e.g., violation of policies, industrial sabotage, leaking secrets, or other related
crimes), the reporting company’s digital forensic investigators or the e-discovery team will contact
law enforcement and work with them hand in hand to capture and analyze acquired evidence and
to move the case to a court of law.

Having an in-house digital forensics lab in today’s digital age is a great investment for any
company that values its data assets; however, this comes at a cost. For instance, assuming that
just one forensic analyst is hired and one forensic workstation is supplied with the main necessary
tools to do the job (both hardware and software), even the smallest lab will have an annual
expenditure of no less than $150,000! Small companies may not be willing to pay for this extra
expense if they face few incidents. Many small and medium-sized corporations outsource their
digital forensics work to an accredited third-party digital forensics laboratory to save costs.
Accreditation of the digital forensics lab is a key issue to consider, whether you are planning to
establish an in-house lab for your organization or considering outsourcing your digital forensics
work to a third-party provider. Accreditation ensures that your laboratory, or the one whose
services you want to use, meets the established standards of the authoritative body in terms of
using reliable methods, appropriate tools (hardware and software), and competent personnel to
perform its duties. Digital forensics labs come in different sizes: the budget plays a crucial role
when planning the lab, but the expected tasks (work scope) of the lab are the cornerstone in
determining the needed equipment and software tools.

For instance, large corporations are investing in creating advanced labs that handle all types of
computing devices and cases like malware, external breaches, network, GPS, and mobile forensics.
These labs have well-trained professionals and contain the latest versions of forensic software in
addition to different specialized hardware tools.

No matter the size of your forensics lab, it must contain the minimum tools to capture, preserve,
analyze, and present digital evidence in a forensically sound manner. A small digital forensics lab
is the most prevalent: it needs only a small budget and can be set up quickly. Such labs are usually
run by one to five people and focus on handling one type of device (e.g., mobile forensics or
Windows OS forensics). It does not need pricey equipment such as the networking infrastructure and
security solutions required by big labs; however, it still needs appropriate digital forensic
software to analyze evidence, plus essential hardware such as a hardware write blocker (some are
incorporated into the forensic workstation itself), cables, appropriate storage solutions, other
electrical devices such as a UPS and digital cameras, and a dedicated forensic computer to do the
analysis.

Before listing the software and hardware equipment necessary for the forensic lab, it is essential
to discuss the physical facility requirements of this lab. Maintaining the security and integrity of
the digital evidence in addition to that of the lab’s equipment should be a top priority, especially
since these labs might become a target of cybercriminals in order to stop or interrupt investigations.

Lab Physical Facility Requirements

The following basic physical requirements are highly preferable to have in any digital forensic lab:
1. Must have one entrance door.
2. Preferable to have no windows in the lab.
3. Lab must be soundproof, meaning no one can eavesdrop on the conversations happening within
the lab. This can be achieved by using soundproofing material on the ceiling and walls, and using
carpet on the floor.
4. Must have an alarm system at the entrance in addition to a biometric system to handle access to
the lab. The access biometric system must record each visit to the lab; this log must remain backed
up for many years to come for auditing purposes.
5. Surveillance cameras should cover the entire lab, especially the main entrance and digital
evidence room. The video recorder of the surveillance system (where video recording files are
stored) should be stored in the most secure room in the lab, which is the “evidence storage room.”
6. Must have fire suppression systems.

Environment Controls

The lab environment must be strictly controlled to avoid damaging forensic equipment and seized
digital devices. The following environment controls must be in place.
1. Air cooling system to absorb the heat generated by workstations. This is very important, as
forensic workstations can remain operational for a number of days during evidence analysis (e.g.,
cracking a password), which produces heat, especially in small spaces.
2. The lab must be well organized and clean. It must have a healthy climate in terms of temperature,
low humidity, and clean air.
3. Good lighting in the entire lab and in each individual forensic workstation room.
4. Power-conditioning equipment to avoid sudden drops in power, and UPS units for the complete lab,
especially for forensic workstations, the storage server, and surveillance cameras.

Equipment related to digital forensics work

The following hardware equipment is needed for the forensic lab, grouped into three categories:

Hardware Equipment

1. Licensing server (this is required by some digital forensics suites).
2. Storage server configured for the standard removable hard drives (used to store digital evidence
images and data processed and extracted from those images); this server must never get connected
to the Internet.
3. Forensic workstation(s) (covered in the section “Forensic Workstation”).
4. Portable forensic laptop (used outside lab to capture evidence and for doing some analysis).
5. Dedicated computer(s) for accessing the Internet/intranet.
6. Administrative computer for log management and other issues.
7. Hardware write blocker. This is a hardware piece that connects the media that contains digital
evidence (like HDD) to a forensic workstation; the purpose of this device is to prevent any
modifications to the data on the evidence drive during the acquisition process.
8. Portable CD/DVD drive.
9. USB reader.
10. HDD and SSD enclosure with USB 3.0 interface.
11. SD card reader.
12. External hard drives and USB thumb drives (USB 2.0 and USB 3.0) of different sizes.
13. Tape drives for long-term data archiving.
14. Data cables and connectors: Ethernet cables, RJ-45, BNC, modular adapters, ribbon cables,
DIN split cables, VGA split cable, USB cables, audio cables, cable extenders, HDMI cables,
FireWire (IEEE 1394), DVI cables, S video cables, DVI-to-DVI cables, serial cables, custom serial
cables, SATA cables (mSATA and SATA Express), optical fiber cable, serial attached SCSI.
15. Other tools like screwdrivers, a multimeter, and a flashlight.

Office electrical equipment

1. Uninterruptible power supply (UPS) for each workstation/server and networking device.
2. Projection device (in conference room).
3. Printer.
4. Scanner.
5. Photocopier.
6. Paper shredder.
7. Digital cameras, including video cameras, and accessories.
8. Telephone (preferably wireless).
9. Wi-Fi access point.
10. Headset.
11. Symmetrical power supply.

Networking devices

1. Router and switch to connect forensic workstations with the storage server within the lab.
2. Internet network, separated from the lab’s internal network. You need a firewall, a switch, and
a router (the three components can be combined in one device).
3. Networking cables.

Please note, there should be an isolated network within the lab that connects forensic workstations
and the storage server used to store digital evidence image copies. The server must be placed in
the evidence room to restrict access to it. No Internet access is allowed for this lab-specific
network. Forensic examiners may need to research online for more information about their
findings or to collaborate with peers, so an Internet connection should be available within the lab
through a direct line to the intended computer(s) only.

Forensic Workstation

The latest 64-bit version of Windows is recommended for the forensic workstations. The following
Windows 10 editions are recommended because of their support for high-end hardware and intensive
computing tasks:
• Windows 10 Pro for Workstations (highly recommended).
• Windows 10 Enterprise.

Both editions support up to 6 TB RAM and four processors; however, compared with modern
Windows Server editions (Windows Server 2016 Standard edition supports 24 TB of RAM
memory), those two editions are less expensive in terms of the license, as they belong to the
Windows desktop product line.

Now, let us discuss needed hardware for the forensic workstations. Obviously, when working with
digital evidence, a powerful computer is needed to process and search within image files. Forensic
computers require high levels of processing power and large amounts of RAM memory; they also
need a lot of storage and many expansion slots to attach different types of devices. Building a
forensic workstation is expensive; however, it is still considered a cost-effective solution for small
companies compared to purchasing a ready-made computer forensic workstation, which costs
much more.

The following are the recommended hardware specifications when building a basic forensic
workstation from the ground up:
1. RAM memory: At least 24 GB (DDR4). More is great!
2. CPU: At least two physical CPUs (Intel i9 8th-generation processor has 10 cores and 20 threads)
for each workstation.
3. Motherboard: One that can accommodate the required number of processors and amounts of
RAM, along with the video controller card.
4. Hard drives: A combination of SSD and HDD—at least 512 GB of SSD and 4 TB of HDD.
5. Video controller: Nvidia Geforce, latest version is recommended with at least 8 GB of GDDR5X
memory.
6. Triple burner (Blu-ray, DVD, CD).
7. External hard drive enclosure with USB 3.0 interface.
8. Write-protection: You can purchase this piece individually or purchase one that can be integrated
into your workstation. The hardware write blocker must support data acquisitions from SATA, SAS,
IDE, USB, FireWire, and PCIe storage devices. Some manufacturers include UltraBlock
(https://digitalintelligence.com/products/ultrablock) and Tableau Forensic Universal Bridge, which
can be integrated into your machine (www.guidancesoftware.com/tableau/hardware//t356789iu).
9. Advanced cooling system: It is preferable to use a liquid CPU cooling system with at least dual
fans.
10. LCD panel with high resolution (full HD IPS display), at least 22 inches for better display.
11. Ports
• USB 3.0 ports
• Thunderbolt 3
• Microphone and headphone jack.
• Integrated LAN controller to access the lab’s LAN network.

These are the preferred hardware pieces for building a forensic workstation; keep in mind that your
lab needs at least one portable digital forensic laptop workstation for acquiring data and
performing some analysis outside the lab. It is preferable to purchase the forensic laptop from a
vendor that specializes in offering such ready-made solutions.

Commercial Ready-Made Digital Forensic Workstation

There are many vendors who specialize in building ready-made forensic workstations; these
workstations tend to be powerful in terms of processing power and storage and have integrated
hardware equipment for digital forensic work like a hardware write blocker and a hard drive
duplicator.

The following are two vendors offering ready-made workstations:

1. Tri-Tech Forensics (www.tritechforensics.com/Digital-Forensics/DF-workstations). Prices
begin from $5800 for the workstation and $2300 for the digital forensic laptop workstation.
2. Digital Intelligence (https://digitalintelligence.com/store).

Forensic Software

The type of forensic software needed for your lab will depend on your work scope; for instance,
the type of operating system (Windows, Linux, or Mac) and the file system you are going to
examine will determine the forensic tools you need.

The most popular computer forensic suites are built for Windows; their open source counterparts are
mainly geared toward Linux, with some also ported to Windows. Let us begin with the commercial tools.

Commercial Forensics Tools

Digital forensic software tends to be costly, so it is advisable to research well before purchasing a
forensic suite. Ask other forensic examiners and try to install a trial copy of the software you are
intending to purchase. The following are the most popular commercial computer forensic suites:
check each web site for tool price/license.
1. EnCase (www.guidancesoftware.com)
2. Belkasoft Evidence Center (https://belkasoft.com)
3. FTK (https://accessdata.com/products-services/forensictoolkit-ftk)
4. X-Ways Forensics (www.x-ways.net/forensics)

Free and Open Source Forensic Tools

There are many free and open source digital forensics tools; a few come with rich features
similar to the commercial suites, while the majority are small tools built to perform a specific
function (e.g., retrieve browser history or extract e-mail header information). In this section, we
will list the most popular free and open source digital forensic tools.

1. The Sleuth Kit (www.sleuthkit.org): Supports both Linux and Windows.
2. Autopsy: Graphical interface to The Sleuth Kit & other tools (www.sleuthkit.org/autopsy).
3. dd for Windows (www.chrysocome.net/dd): A forensic imaging tool for Windows systems.
4. Magnet RAM Capture: Capture RAM memory (www.magnetforensics.com/free-tool-magnet-ram-capture).
5. Belkasoft Live RAM Capturer (https://belkasoft.com/ramcapturer).
6. Volatility: Analyzes RAM (volatile memory) images (www.volatilityfoundation.org).
7. Memoryze: Captures and analyzes memory images, including on live systems. Can include the
Windows paging file in its analysis (www.fireeye.com/services/freeware/memoryze.html).
8. Mandiant Redline: Live memory analysis; includes the Memoryze tool within it
(www.fireeye.com/services/freeware/redline.html).
9. Bulk Extractor: Scans an acquired hard drive image and extracts useful information from it,
such as e-mail addresses, credit card numbers, URLs, and other types of information
(http://downloads.digitalcorpora.org/downloads/bulk_extractor).
10. Encrypted Disk Detector: Check for encrypted volumes on a computer system during incident
response (www.magnetforensics.com/free-tool-encrypted-disk-detector).

Linux Distribution for Digital Forensics

These are specialized Linux distributions preconfigured for digital forensic work. They consist of a
live operating system, usually Linux based, which is bootable from a CD/DVD or a USB thumb drive and
contains a plethora of digital forensics tools.

1. CAINE (www.caine-live.net).
2. DEFT (www.deftlinux.net).
3. Helix3 Free version (https://e-fenseinc.sharefile.com/d/sda4309a624d48b88).
4. SANS Investigative Forensics Toolkit (SIFT) (http://digitalforensics.sans.org/community/downloads);
VMware appliance.
5. Santoku Linux for Mobile Forensics (https://santoku-linux.com).
6. Kali Linux Forensics Mode (www.kali.org/downloads).

Virtualization Technology

Virtualization technology allows examiners to install more than one operating system on the same
workstation; this proves useful when conducting malware analysis (to avoid infecting the forensic
workstation) or when testing forensic tools before using them officially. The virtual machine runs
in a sandbox isolated entirely from the host machine’s operating system. Popular virtualization
products include VirtualBox (www.virtualbox.org) and VMware Workstation Player
(www.vmware.com/products/player/playerpro-evaluation.html).

Laboratory Information Management System (LIMS)

A content management system is needed in the lab to organize the reception, tracking, handling,
and return of evidence in the digital forensic laboratory. You can use an open source content
management system for this task: Drupal (www.drupal.org/home) and Moodle
(https://moodle.org) are examples.

Other Software

During your analysis of the digital evidence, additional software will be needed like digital file
metadata viewers, MS Office suite or the free alternative Open Office, compressed file (ZIP, RAR)
extractor, data recovery tools, antivirus software for the Internet/intranet PCs, different operating
systems including legacy OS like Windows XP and 2000, different file type viewers, and different
programming languages (in order for some tools to work).

Lab Policies and Procedures

Lab policies and procedures define the internal rules that must be followed by lab workers during
their work in the lab. The lab policy includes rules for the following work areas, and more may be
needed:
1. Lab physical security policy (e.g., security measures that need to be followed to access the lab
area).
2. Accessing top restricted area policy: Who is authorized to access the evidence storage room?
3. Handling digital evidence (e.g., a write blocker should be attached to the suspect hard drive
when acquiring it).
4. Evidence seized at response scene.
5. Evidence analysis (e.g., steps and tools to handle each piece of evidence).
6. Evidence chain of custody (e.g., documenting who has accessed digital evidence since its arrival
to the lab, and also when and why).
7. Evidence disposition (e.g., how sensitive materials should be disposed of securely: a paper
shredder for paper files, destruction equipment to safely destroy [physically] hard drives and other
storage media).
8. Digital forensic report writing (e.g., the standard layout for reporting case analysis results).
9. Expert testimony evaluation.
10. Backup policy.
11. Training policies.
12. Quality standards.

The lab has specific preprinted forms for each type of work conducted within it or in the field; for
instance, the evidence acquisition form (which records descriptions of evidence) and the chain of
custody form are the two most important forms used in labs. Other work stages also have their own
forms that detail what happened during that stage.

Documentation

Adhering to policies and procedures mentioned in the previous section is important for smooth
and accurate work in the digital forensic lab. Each piece of work during the investigation process
needs to be supplemented by paper/electronic forms, and examiner notes are also very important
and need to be documented in detail during the investigation process. This allows another examiner
to continue working on the specified case and allows the lab’s quality assurance staff to repeat the
process again to ensure that the exact same results are produced every time.

Documentation is an integral part of digital forensic investigations; it begins in the field before
obtaining the seized computing device and continues in the lab until testimony. Litigation
processes in the courts may span months or years, and without this documentation an examiner, who
may be required to testify in court, may forget key facts of the case investigation, which may
weaken his/her testimony to the judge and jury.

Lab Accreditation Requirements

Accreditation ensures that your digital forensic lab follows a set of recognized standards imposed
by the authoritative body. The accrediting body will check your lab to see whether it is using
reliable investigation methods, court-accepted hardware and software, and trained personnel, and
whether your lab’s physical layout meets established standards. Accreditation is very important for
any digital forensics lab, and we are going to briefly discuss the steps needed for any
organization to start the accreditation process.

Practical Labs

Refer to the lab documents for this chapter to perform the hands-on practical tasks listed below.

• Steganography
• File Carving: This involves recovering files from disk images without knowing the file system.
• Memory Forensics: Analyzing the volatile memory (RAM) of a system to extract information such as running processes, network connections, and passwords.
• Network Forensics: Analyzing network traffic to detect and investigate security incidents, such as packet capture analysis.
• Mobile Device Forensics: Extracting and analyzing data from mobile devices, including smartphones and tablets, which can involve recovering deleted messages, call logs, and application data.
• Timeline Analysis: Creating a timeline of events based on artifacts found on a system or network to reconstruct the sequence of activities.
• Metadata Analysis: Examining metadata associated with files, emails, or other digital artifacts to gather information about their creation, modification, and transmission.
• Hashing and Verification: Using cryptographic hashing algorithms to verify the integrity of files and ensure they have not been tampered with.
• Live System Analysis: Analyzing a live system to gather evidence while it is running, which may involve capturing volatile data, monitoring system activity, and identifying suspicious behavior.
• Malware Analysis: Studying malicious software to understand its functionality, behavior, and impact on a system or network.
• Data Recovery: Attempting to recover deleted or lost data from storage devices, such as hard drives and flash drives, using specialized tools and techniques.
• Digital Steganography: Identifying hidden messages or files concealed within digital media, such as images, audio files, or documents.
• Social Media Forensics: Investigating social media platforms to gather evidence related to cybercrimes, harassment, fraud, or other illicit activities.

Chapter Summary
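The hashing-and-verification lab and the chain-of-custody form described in the policies section, combined in one added example written for this chapter (not code from the book): it records intake hashes for an evidence image, appends custody entries recording who accessed the item and why, and re-verifies the image, flagging the change after a single byte is altered. The record fields, case id, examiner names and image content are constructed assumptions.

```python
"""Evidence intake record with chain-of-custody log and hash re-verification.

Added example written for this chapter, not code from the book. It assumes
evidence images are ordinary files on the lab's storage server; the record
fields, case id, examiner names and image content are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash images in 1 MiB chunks; never read a multi-TB image whole


def hash_file(path: str) -> dict:
    """Return MD5 and SHA-256 hex digests of a file (both are usually reported)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def intake(path: str, case_id: str, examiner: str, description: str) -> dict:
    """Acquisition form: what was received, by whom, when, and its hashes."""
    return {
        "case_id": case_id,
        "item": os.path.basename(path),
        "description": description,
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),  # reference hashes taken once, at intake
        "custody": [{"time": _now(), "examiner": examiner,
                     "action": "received", "reason": "intake"}],
    }


def log_custody(record: dict, examiner: str, action: str, reason: str) -> dict:
    """Chain-of-custody entry: who accessed the evidence, when, and why."""
    entry = {"time": _now(), "examiner": examiner, "action": action, "reason": reason}
    record["custody"].append(entry)
    return entry


def verify(record: dict, path: str) -> bool:
    """Re-hash the image and compare with the intake hashes; log the outcome."""
    ok = hash_file(path) == record["hashes"]
    log_custody(record, "qa", "verified" if ok else "HASH MISMATCH", "integrity check")
    return ok


def demo() -> tuple:
    """Constructed walkthrough: intake, a check-out, a clean check, then a
    single-byte modification that the re-verification must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "laptop-hdd.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed evidence image content\n" * 1000)
        rec = intake(image, "CASE-0001", "examiner_a", "laptop HDD image (constructed)")
        log_custody(rec, "examiner_b", "checked out", "keyword search")
        clean = verify(rec, image)
        with open(image, "r+b") as fh:  # simulate one altered byte on the image
            fh.seek(10)
            fh.write(b"X")
        tampered = verify(rec, image)
        return clean, tampered, len(rec["custody"])


if __name__ == "__main__":
    print(demo())  # (True, False, 4)
```

The custody list is the electronic counterpart of the preprinted chain-of-custody form; the final entry shows the mismatch, so a later examiner can see exactly when the image stopped matching its intake hashes.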

A computer forensic laboratory is where you conduct your investigations, store your acquired
digital evidence, and do much of your forensics work. Labs contain different sets of hardware and
software tools that help examiners to acquire and analyze digital evidence and finally present their
findings in a formal report.

In this chapter, we covered the essential equipment needed to create a digital forensic lab. We
talked about the characteristics of the physical facility that is going to house the lab; we listed
needed electrical equipment, lab furniture, and hardware devices related to digital investigation
work; and we covered the minimum technical requirements of the forensic workstation responsible
for analyzing digital evidence. We discussed the design and security requirements of the lab
network, and then we talked about forensic software, which comes in different types: some suites
are commercial, while others are closed source, free, or open source.

It is recommended for the forensic software to be validated by a credible body before using it in
investigation; in-house developed tools or ones that are not externally validated must undergo a
verification process internally before being used officially in investigations.
