CF Studies

The document outlines key terms and tools related to digital forensics, including definitions of digital evidence, chain of custody, and various data types. It also lists essential forensic tools and commands used for analysis and recovery of data. The information is crucial for understanding the processes involved in forensic investigations and incident response.

Uploaded by emeryaevans

Terms

● Digital Evidence - Any data stored or transmitted in digital form that can be used in court. Core of all forensic investigations.

● Chain of custody - Documentation showing the who, what, when, and where of evidence handling. Maintains credibility of evidence.

● Imaging (Disk Image) - A bit-by-bit copy of a storage device (like a hard drive). Used to preserve evidence for analysis.

● Hash Value (MD5, SHA-1) - A digital fingerprint of a file or disk image. Proves a file hasn't been tampered with.

● Cross-referencing - Comparing multiple data sources to confirm accuracy or find patterns. Key in building strong, reliable cases.

● Metadata - Data about data (file creation time, author, location). Helps reconstruct actions and timelines.

● Timeline Analysis - Arranging events in chronological order based on logs, files, etc. Reconstructs what happened and when.

● Volatile Data - Data that exists only while a system is running (Random Access Memory, current processes). Must be captured quickly before power loss.

● Non-volatile Data - Data stored permanently, like hard drives, USBs, etc. Can be retrieved even after shutdown.

● Data Carving - Recovering files without file system metadata (example: deleted files). Helps recover evidence even if it's hidden.

● Steganography - Hiding data inside other files, such as an image or audio file. Common technique to hide illicit content.

● File Carving - Recovering files based on headers/footers, not filenames.

● Thumbnail Cache - OS-generated preview images (can be forensically examined).

● Keyword Search - Searching a drive/image for specific words or strings. Can locate incriminating documents or messages.

● Journal - Stores a log of recent write operations (recovery aid).

● Slack Space - Unused space in a disk cluster that might contain remnants of deleted data. Can reveal hidden or deleted evidence.

● Malware Analysis - Studying malicious software to understand its behavior. Essential for incident response cases.

● Forensic Toolkit (FTK) - A suite of tools for forensic analysis. Industry standard for deep system examination.

● Lossy vs Lossless - JPEG uses lossy compression (image data is discarded); PNG uses lossless compression (retains full quality).

● Write Blocker - Hardware/software that prevents accidental changes to evidence. Protects integrity during analysis.

● Incident Response (IR) - Actions taken after a cyber incident (breach, attack, etc.). You may be part of IR teams solving real cases.

● Public-Sector Investigations - Government agencies; U.S. Fourth Amendment search and seizure rules apply.

● Private-Sector Investigations - Private organizations, company violations, litigation disputes.

● SIEM - Security Information and Event Management. A centralized system that collects, correlates, and analyzes security logs and events from multiple sources. Used to detect threats, investigate incidents, and support forensic analysis by creating a searchable timeline of network and user activity.

● Digital Forensics Lab - Where you conduct investigations, store evidence, and house your equipment, hardware, and software.
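The Imaging, Hash Value and Chain of custody terms above describe one concrete check: hash the image once at acquisition, record the digests, and re-hash later to prove nothing changed. This added example (mine, not from these notes or any named tool) does that in a single pass over the image; it computes the MD5 and SHA-1 the notes mention plus SHA-256, which current practice prefers because MD5 and SHA-1 collisions are practical. The sample image bytes and the acquisition record are constructed.

```python
import hashlib
import hmac
import io

# MD5 and SHA-1 are the digests the notes name (and what older tools record);
# SHA-256 is added because MD5 and SHA-1 collisions are practical today.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # read in 1 MiB pieces; never load a whole disk image into memory

def hash_stream(fobj, algorithms=ALGORITHMS, chunk=CHUNK):
    """Compute every requested digest in ONE pass over an open binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_image_file(path, algorithms=ALGORITHMS):
    """Hash an image file on disk (for example the output of dcfldd or FTK Imager)."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)

def hash_bytes(data, algorithms=ALGORITHMS):
    """Same as hash_image_file, for data already in memory (used by the sample below)."""
    return hash_stream(io.BytesIO(data), algorithms)

def verify_image(fobj, recorded):
    """Re-hash the image and compare with the digests written down at acquisition.

    Returns the names of algorithms whose digest no longer matches; an empty list
    means the evidence is unchanged since it was imaged.
    """
    fresh = hash_stream(fobj, algorithms=tuple(recorded))
    return [name for name in recorded
            if not hmac.compare_digest(fresh[name], recorded[name].lower())]

def verify_bytes(data, recorded):
    return verify_image(io.BytesIO(data), recorded)

# Constructed sample: a three-byte "image" and the acquisition record an examiner
# would keep with the chain-of-custody form (not a real acquisition).
SAMPLE_IMAGE = b"abc"
if __name__ == "__main__":
    record = hash_bytes(SAMPLE_IMAGE)
    print("acquisition record:", record)
    print("mismatches on re-check:", verify_bytes(SAMPLE_IMAGE, record))   # []
    print("mismatches after tampering:", verify_bytes(b"abd", record))      # all three
```

Record the returned digests on the chain-of-custody form together with the tool, date and examiner; a later `verify_image` run against the same record is the tamper check.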

Tools
● Autopsy - GUI-based disk image analysis. The Sleuth Kit is also a forensics tool.

● PhotoRec - Deep file recovery; ignores the file system.

● Scalpel - File carver based on header/footer patterns.

● FTK Imager - Disk imaging and preview.

● Volatility - RAM analysis (Python-based).

● VirusTotal - Online service that looks up a file by its hash and reports antivirus detection results.

● Wireshark - Packet capture and network analysis.

● Forensic software - Command line or GUI (Graphical User Interface). A GUI is a visual interface in forensic tools that allows investigators to interact with evidence using buttons, windows, tabs, charts, and file browsers instead of typing commands. Useful for easier navigation, especially in tools like Autopsy or FTK.

● Forcepoint Threat Protection - Linux memory analysis tool; can perform both onsite and remote memory acquisitions.

● ExifTool - Metadata extraction from images/documents.

● Linux acquisition tool - dcfldd.

● Kali Linux - Includes a variety of tools and has an easy-to-use KDE interface.

● Linux Live CD Distributions - Forensic Linux live CDs contain additional utilities.

● Image file formats - Data from a forensic acquisition tool is stored as an image file in one of three formats: raw format, proprietary format, or Advanced Forensic Format (AFF).

● Raw format - Makes it possible to transfer bit-stream data to files. Raw format image files do not contain metadata. Tools for raw format images include BlackBag Technologies Macintosh Forensic Software, SubRosaSoft MacForensicsLab, Guidance Software EnCase, Recon Mac OS X Forensics with Paladin, and AccessData FTK.

● Proprietary format - Most forensic tools have their own formats; the Expert Witness Compression format is the unofficial standard.

● Advanced Forensic Format (AFF) - Developed by Dr. Simson L. Garfinkel as an open source acquisition format. File extensions include .afd for segmented image files and .afm for AFF metadata.
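Scalpel and PhotoRec above, and the Data Carving, File Carving and Slack Space terms earlier, all rest on one technique: scan raw bytes for known headers and footers and ignore the file system entirely. This added example (my own code, not Scalpel's or PhotoRec's) carves JPEG and PNG objects out of a constructed 1.5 KB "disk image" and reads the slack space after a live file; the signatures, cluster size and image contents are all assumptions chosen to keep the demo small.

```python
# Header/footer signatures, the same idea Scalpel's configuration file encodes.
# Only JPEG and PNG are listed here; real carvers ship many more.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header whose footer is not within 10 MiB
CLUSTER = 512                 # cluster size of the constructed image below (assumption)

def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan raw bytes for header/footer pairs; filenames and the file system are ignored.

    Returns [(type, offset, data)] sorted by offset, so carved objects can be
    written out as <offset>.<type> the way PhotoRec and Scalpel name their output.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                      # header with no footer in range: skip it
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])

def slack_bytes(image, file_start, file_size, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster."""
    cluster_end = file_start + -(-file_size // cluster) * cluster   # ceiling division
    return image[file_start + file_size:cluster_end]

def make_sample_image():
    """Constructed image: a live JPEG whose slack still holds text from an earlier
    file, an empty cluster, and a deleted PNG sitting in unallocated space."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"           # fake JPEG body
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xae\x42\x60\x82"
    remnant = b"old memo: meeting moved to friday"                  # deleted-file residue
    cluster0 = jpg + remnant
    cluster0 += b"\x00" * (CLUSTER - len(cluster0))
    cluster1 = b"\x00" * CLUSTER
    cluster2 = png + b"\x00" * (CLUSTER - len(png))
    return cluster0 + cluster1 + cluster2, len(jpg)

if __name__ == "__main__":
    image, jpg_len = make_sample_image()
    for ftype, offset, data in carve(image):
        print(f"{offset:08x}.{ftype}  {len(data)} bytes")
    print("slack after JPEG:", slack_bytes(image, 0, jpg_len).rstrip(b"\x00"))
```

The PNG is found even though no directory entry points at it, which is exactly why carving recovers deleted files; the slack read shows why a "full" image, not a file copy, is what gets preserved.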

Commands
● Linux Command: .bash_history - Shell command history file; very useful in investigations.

● Linux Command: /var/log/ - Directory that stores logs like auth.log, syslog, and messages. Critical for reconstructing events.

● Linux Command (root): badblocks - Finds bad blocks on a Linux computer.

● Linux Command: mke2fs and e2fsck - Implement safeguards that prevent bad blocks from overwriting important information.
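The two Linux artifacts above (.bash_history and /var/log/auth.log) are what the Timeline Analysis and Cross-referencing terms get applied to. This added example (mine, not from these notes) parses constructed auth.log lines and a constructed .bash_history written with HISTTIMEFORMAT set, and merges them into one chronological timeline. It assumes the log year (syslog lines omit it) and that both sources are in UTC; the hostname, addresses and commands are invented sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence (not from a real system). Syslog lines omit the
# year, so ASSUMED_YEAR is supplied by the examiner; all times are assumed UTC.
ASSUMED_YEAR = 2023
AUTH_LOG = """\
Nov  3 14:02:11 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 50122 ssh2
Nov  3 14:02:15 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 50122 ssh2
Nov  3 14:03:40 srv01 sshd[2231]: Accepted password for alice from 203.0.113.7 port 50130 ssh2
Nov  3 14:05:02 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""
# .bash_history as bash writes it when HISTTIMEFORMAT is set: "#<epoch>" precedes each command.
BASH_HISTORY = """\
#1699020250
cat /etc/passwd
#1699020305
rm -f /var/log/auth.log.1
"""
SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$")

def parse_auth_log(text, year=ASSUMED_YEAR):
    """Turn syslog-style auth.log lines into (timestamp, source, message) tuples."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # continuation or malformed line: keep going rather than abort
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, "auth.log", m["msg"]))
    return events

def parse_bash_history(text):
    """Pair each '#<epoch>' line with the command after it; untimed commands are dropped."""
    events, ts = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            ts = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif ts is not None:
            events.append((ts, ".bash_history", line))
            ts = None
    return events

def build_timeline(auth_text=AUTH_LOG, history_text=BASH_HISTORY, year=ASSUMED_YEAR):
    # Merging and sorting both sources is the cross-referencing step.
    return sorted(parse_auth_log(auth_text, year) + parse_bash_history(history_text),
                  key=lambda e: e[0])
```

Printing `build_timeline()` shows the failed logins, the accepted login, the commands typed, and the sudo escalation in the order they happened, which neither file shows on its own. A history file without timestamps still records what was run, but not when, so such commands cannot be placed on the timeline.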
