Chapter 19: Computer Forensics & Digital Evidence
The text establishes a fundamental distinction between hardware components—such as the central processing unit (CPU), motherboard, read-only memory (ROM), and the volatile random-access memory (RAM)—and the software or operating systems that manage them. A significant portion of the discussion focuses on the physical and logical structure of hard disk drives (HDD), explaining how data is mapped across sectors, clusters, tracks, and cylinders, and how forensic examiners must navigate file systems to recover information. The summary outlines critical protocols for processing electronic crime scenes, emphasizing the "order of volatility" when deciding whether to perform a live acquisition to capture temporary RAM data or to disconnect power to freeze the hard drive state. The process of creating forensic images is described, highlighting the use of write-blockers to prevent data alteration and the application of algorithms like Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) to verify the integrity of the evidence. Furthermore, the chapter differentiates between visible data, such as temporary files, swap space, and print spools, and latent data hidden in unallocated space, file slack, and RAM slack. The analysis extends to internet forensics, covering the investigative value of web browser caches, cookies, history files, and the role of Internet Protocol (IP) addresses in tracing emails and instant messages. Finally, the text addresses the unique challenges of mobile device forensics, including the use of Faraday shields to block network signals, and techniques for investigating unauthorized network intrusions or hacking through the examination of log files and network traffic.
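As an added illustration that is not part of the chapter or its summary, the Python below models the sector-and-cluster arithmetic behind RAM slack and file slack, carves those latent regions out of a constructed two-cluster run, and records then re-verifies MD5 and SHA-256 digests of an acquired image the way a write-blocked acquisition would; the sector size, sectors-per-cluster value and sample disk contents are assumptions made for the example.

```python
import hashlib

SECTOR = 512               # bytes per sector (assumed typical value)
SECTORS_PER_CLUSTER = 8    # 4096-byte clusters (assumed)
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size):
    """Return (clusters_allocated, ram_slack_bytes, file_slack_bytes) for a file.

    RAM slack: unused tail of the last sector the file's data reaches into.
    File slack: whole sectors left unused in the last allocated cluster.
    """
    clusters = -(-file_size // CLUSTER)          # ceiling division
    ram_slack = (-file_size) % SECTOR            # 0 when the file ends on a sector boundary
    file_slack = clusters * CLUSTER - file_size - ram_slack
    return clusters, ram_slack, file_slack


def carve_slack(cluster_run, file_size):
    """Split allocated clusters into (file data, RAM slack, file slack) regions."""
    _, ram_slack, file_slack = slack_layout(file_size)
    end_ram = file_size + ram_slack
    return (cluster_run[:file_size],
            cluster_run[file_size:end_ram],
            cluster_run[end_ram:end_ram + file_slack])


def hash_image(data, algorithms=("md5", "sha256")):
    """Digest an acquired image in 1 MiB chunks (scales to real images) with each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for off in range(0, len(view), 1 << 20):
        for h in hashers.values():
            h.update(view[off:off + (1 << 20)])
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, recorded):
    """True only if every digest recorded at acquisition still matches the image."""
    actual = hash_image(image, tuple(recorded))
    return all(actual[name] == recorded[name] for name in recorded)


def build_demo_clusters(file_size=5000):
    """Constructed sample: two clusters where a new 5000-byte file overwrote an older one."""
    old = (b"OLD-DELETED-RECORD|" * 500)[:2 * CLUSTER]   # prior contents (constructed)
    _, ram_slack, _ = slack_layout(file_size)
    new = b"A" * file_size + b"\x00" * ram_slack          # OS pads the last sector (constructed)
    return new + old[len(new):]                           # untouched sectors keep old data
```

A 5000-byte file in 4096-byte clusters occupies two clusters, leaving 120 bytes of RAM slack and 3072 bytes (six sectors) of file slack that still hold the earlier file's content; flipping a single bit in the image makes every recorded digest fail verification.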