Chapter 19: Computer Forensics


Welcome to Last Minute Lecture.

This free chapter overview is designed to help students review and understand key concepts.

These summaries supplement, not replace, the original textbook and may not be redistributed or resold.

For complete coverage, always consult the official text.

Welcome to the Deep Dive, the place where we take complex, crucial source material and turn it into the essential knowledge you need without all the hours of reading.

Today, we are immersing ourselves in the digital world,

specifically the realm of computer forensics.

I mean, this is the invisible evidence that solves some of the most complex modern crimes.

It really is.

We're essentially giving you the secret blueprints for how digital evidence is built, where it hides,

and maybe most importantly, why it's so incredibly hard to truly erase.

And our journey has to start with a really chilling case that just perfectly illustrates why this field is so vital.

We're right here.

Right.

So picture this.

It's 2004 and Rader, who had been completely dormant since 1991, suddenly resurfaces.

He starts taunting the police again in Wichita, Kansas.

And he's sending letters, packages, taking credit for these past slayings.

He's including these disturbing, incredibly specific details that only the killer could know.

I mean, for over a decade, this guy was a total phantom.

But then came the breakthrough and it wasn't a fingerprint.

It wasn't DNA.

No, it was purely digital.

In December 2004,

BTK sent a message on a floppy disk to a local television station.

And Rader was operating under this really arrogant assumption.

Which was so common back then.

Exactly.

The assumption that if you deleted a file, it was just gone.

He actually thought he was being clever, technologically sophisticated by using a computer instead of just paper.

And that very arrogance, that technological confidence became his downfall.

It did.

Forensic computer specialists who were operating at the cutting edge of digital recovery, they were able to acquire and restore that so-called erased information.

The data was never really destroyed.

It left a trace.

A persistent digital trace.

And that trace was the key.

By recovering that hidden data, investigators could trace the disk's origin.

And where did it lead?

Well, the recovered data first pointed to the Christ Lutheran Church in Wichita.

And it turned out Rader was the council president there.

From that point, the connection was very quickly and definitively made to Dennis Rader himself.

So a single, seemingly erased digital artifact brought a decades-long search for a serial killer to a stunning end.

And that case is so foundational for this entire field.

It establishes the central theme.

Right.

Whether it's a floppy disk from 2004 or a modern solid state drive or your smartphone, the digital footprint persists.

Back in the 90s, computer forensics was what?

An emerging specialty.

But today, electronic data is just, it's everywhere.

It permeates every aspect of life and crime.

Homicide, white collar fraud, domestic violence cases.

All of it.

So our goal for you, the listener, is to provide a kind of structured guide to understanding the physical and logical components that make up this digital evidence.

So let's start with a formal definition.

What exactly is computer forensics?

Formally, it's the preservation, acquisition, extraction, analysis, and interpretation of computer data.

And as you said, the scope is huge now.

It's not just the desktop PC anymore.

No, everything is a source.

Cell phones, PDAs, digital cameras, jump drives, smart cards.

This technological,

what the source calls cross-pollination, means the principles we're about to discuss apply pretty much everywhere.

Okay.

Let's unpack the anatomy of the digital crime scene.

We have to start with the basics of what makes a computer tick.

And that's the hardware.

Hardware is the easy part.

It's the physical components.

I mean, if you can see it, feel it, touch it, the computer chassis, the monitor, the keyboard, the hard disk drive, the RAM, the CPU,

it's hardware.

And software, conversely, is the compiled set of instructions or programs that perform a task.

So think of your operating system, Windows, Mac OS, Linux, or applications like Microsoft Word or Firefox.

And it's important to separate the from its container, right?

Oh, absolutely.

That's a vital point for forensic clarity.

A CD that has Microsoft Office on it is just external media.

The instructions it carries, that's the software itself.

Okay.

Let's delve into those key physical hardware components, starting with the box itself.

We need to be specific with our terms here for evidence.

We call the physical box the system unit.

That term covers the chassis plus all the internal boards inside.

And inside that box, what's the first thing we find?

The power supply.

And it's not a power source, it's a converter.

It changes the alternating current from your wall outlet into the low voltage direct current that the components can actually use.

Got it.

And the anchor of the whole system.

That would be the motherboard.

It's the main circuit board.

Think of it as the central hub that physically connects everything.

The CPU, the RAM, all the add-on cards for video, network, sound, it all plugs into the motherboard.

And linking all of those components together is, you called it a complex highway.

Exactly.

The system bus.

It's this vast array of electrical wires etched right onto the motherboard and its job is to carry data, which is just ones and zeros or electrical impulses representing on or off from one component to another.

This is the heart of binary computing.

Okay.

So when you hit that power button, there has to be a specialized set of instructions that just instantly fires up the whole sequence.

Where does that live?

That's stored in the ROM, or read-only memory.

These are chips that store firmware, which is used for the initial system configuration and the boot process.

Today, we mostly use flash ROM, which you'll often hear referred to as the BIOS.

The basic input output system.

Right.

And its main job is performing the routines that let the computer talk to its devices at startup.

But tell us again why the BIOS is so critical from a forensic standpoint.

Right.

Why does this one little chip matter so much to an investigator?

Because the BIOS allows the investigator to control the boot sequence.

This is huge.

If we were to just boot the computer normally directly to its own hard drive, the operating system would instantly start writing new data.

It would start changing things.

Immediately.

It would update log files, change last access timestamps on thousands of files, create new temporary files.

The integrity of the evidence would be compromised.

The BIOS gives the investigator the control to bypass that suspect drive entirely and boot the system from a secure, clean external source.

So the BIOS sets the rules, but the actual heavy lifting is done by the CPU.

The central processing unit.

Yep.

That's the processor, the brain.

It plugs into the motherboard and performs all the computational operations.

And while the CPU is working, it needs a sort of high-speed temporary scratch pad to work with.

That's the RAM, right?

That's random access memory, or as we call it, volatile memory.

You can visualize it as a huge, really fast spreadsheet of memory addresses.

It's necessary because the hard drive is actually pretty slow in comparison.

So programs and files get loaded into RAM for quick access.

But here's the key rule.

The key rule is that its contents are entirely lost once power is removed.

If you pull the plug, whatever was in those, say, four to eight gigabytes of memory is gone.

Forever.

This is why the timing of an acquisition at a crime scene is so critical.

And then rounding out the system, you have your input devices, like a keyboard or mouse, and output devices, like a monitor or printer.

But the real treasure chest, the repository of permanent digital evidence, is the hard disk drive, the HDD.

Yes.

The HDD is the primary component of permanent storage.

Unlike RAM, it holds onto the operating system, the programs, your user files, even after the power's off.

It connects to the system through a controller, historically things like IDE or SCSI, and more recently SATA.

And the drive itself has a very specific structure, a map.

It does.

The platters inside are logically mapped or formatted into a specific structure.

Imagine the surface of one of those spinning platters is divided into concentric circles.

Those are called tracks.

Okay.

The tracks are then divided into these tiny wedges called sectors, usually 512 bytes each.

And when you stack those tracks vertically across all the platters, you get what's called a cylinder.

This structure is fundamental because the operating system uses the numbering of all these sectors, tracks, and cylinders to create its final map of where everything is.

Okay.

Let's connect the dots for the listener.

Walk us through that sequence one more time.

Let's say I'm writing a document.

I click save.

What happens?

Okay.

So you're working in Microsoft Word, and all the new text you've typed is sitting in RAM, that volatile memory.

When you hit save, the CPU gets the request and processes it.

It then tells the HDD controller to write that data to an available, predefined location on the physical platters.

So the little arm moves and writes the data.

The read-write head, yes.

Once the data is physically written, the final, absolutely crucial step happens.

The drive's file system table, its master map, is updated to track where that new data now lives.

Without that update, the OS would never even know the file exists.

And beyond the main drive, we have to acknowledge all the other places data can live.

Absolutely.

We deal with optical media: CDs, DVDs, Blu-ray.

The main difference there is just capacity and the wavelength of the laser light they use.

Blu-ray uses a blue laser, which allows for higher density.

And then the stuff we use every day.

Solid-state storage, USB thumb drives, SmartMedia cards.

These are critical because they have no moving parts.

They have huge capacities, now 64 gigabytes or more.

And they're just ubiquitous in cameras and mobile devices.

You also mentioned an old workhorse.

Yes.

Tapes.

They can be a pain because they often require proprietary hardware and software to even read them.

But companies use them for long-term backups.

So their forensic potential, especially in white-collar crime, is massive.

And we can't forget the network interface card or NIC, which is what allows the computer to communicate, creating all sorts of crucial network logs.

That really sets the stage for the physical structure.

So now let's move to the logic of how that storage is organized.

If the hardware is the house, then the operating system is like the architect who lays out all the rooms and the filing cabinets.

That's a great way to put it.

The OS, Windows, Linux, Mac OS, is that critical bridge.

It provides your working environment.

And most importantly, it manages the file system, which dictates all the rules for how data is stored and found.

And before any of that can happen, the disk has to be prepped.

Right.

It's a three-step process.

First is low-level formatting, which is done by the manufacturer.

That's what physically divides the platters into those tracks and sectors we talked about.

Second is partitioning.

This logically divides the disk into contiguous blocks that the OS treats as independent drives.

So think of a giant filing cabinet that you decide to divide into two separate drawers.

Each drawer is a partition.

A single hard drive can have several partitions.

And the final step is what creates the actual map.

That's high-level formatting.

This initializes the disk and creates the file system structure, the map itself.

That's where you get things like FAT32 and NTFS, which is common on modern Windows, or ext2/ext3 for Linux.

They're all just different blueprints for mapping the data.

So let's really nail down the units of data that make up this map.

We went from the bit to the byte to the sector.

What's the next critical unit?

That would be the cluster.

Clusters are groups of sectors always in multiples of two.

And the cluster size is the absolute minimum amount of space that gets allocated to any file within that partition.

This number, the cluster size, is maybe one of the most forensically relevant numbers on the entire drive.

And how does the OS use that?

The OS uses a file system table like the FAT, the file allocation table, or the MFT in NTFS to track data.

It uses the numbering of all those tracks, sectors, and cylinders.

So let's go back to your analogy.

The partition is a room.

The clusters are the safe deposit boxes in that room.

And the file system table is the front desk.

It's the central database at the front desk, tracking which renter, which file has which boxes or clusters, and exactly where they are on the physical platter.

Wait, I have to jump in here with a common misconception.

We've all heard advice about securely wiping a hard drive.

But based on our analogy, if a user performs a standard reformat, maybe they just reinstall Windows.

What are they actually doing?

Are they really erasing the data?

That is a fantastic point, because it gets right to the biggest public misunderstanding about digital storage.

When you reformat a drive, you are simply wiping the map.

You're shredding the central database at the front desk.

You're firing the clerk.

Exactly.

But the property, the actual data, it's all still sitting physically inside those safe deposit boxes.

It is not gone.

So you're telling me that when a company says they've destroyed data by reformatting old servers, unless they're physically shredding them or using special software,

a forensic analyst could still potentially pull data fragments off those platters.

That's kind of terrifying.

That's absolutely correct.

That data stays on the physical platters until it is physically overwritten by a new file writing to that exact location.

And this inherent persistence is why electronic crime scene processing, which we can move into now, is so unique and so demanding.

All right.

Moving into processing the electronic crime scene.

The traditional rules still apply.

You need legal authority.

You need a detailed plan.

But the execution, the documentation, and acquisition has to address the unique fragility of digital evidence.

Meticulous is the word.

You need the standard floor plan sketch.

But if there's a network, you also need a detailed technical network sketch.

For photography, you need the overall layout, but also high-res closeups of any running monitor screens.

And crucially, closeups of every single connection going into the system unit.

Yes.

Think about Figure 19-5 from the source.

It really reinforces this.

An investigator needs a crystal clear photo of the back of that computer showing every cable, monitor, keyboard, network, plugged into its specific port.

This is absolutely essential for reconstruction back in the lab.

And that detail leads us right to the core preservation dilemma, the live computer acquisition.

The old mantra was always pull the plug to stop anything from changing on the hard drive.

But that's often obsolete today, isn't it?

It's severely limited.

Modern systems, especially laptops, often use full disk encryption.

If you pull the power, the system shuts down.

The encryption key that's held in volatile memory is lost, and the data is instantly locked.

It's a brick.

So you have to keep it on.

You must keep it powered on if encryption is active.

And furthermore, if the key evidence exists only in RAM, which we know is volatile and gone, the second power is cut, you have no choice but to do a live acquisition.

This is why investigators have to think about the order of volatility.

The sequence of steps.

A sequence that dictates collecting the most temporary, the most fragile data first before it just vanishes.

Let's use the source's case example to walk through this.

An investigator finds a live laptop in a missing 14-year-old girl's room.

On the screen is an IM conversation with a suspicious older man.

The evidence is volatile.

It's likely only in RAM.

What happens right now?

Urgency is everything.

Step one, photograph the entire screen immediately.

This documents what the user sees with the least amount of intrusion.

Step two, the investigator must acquire the RAM contents.

How do they do that?

You need to run a controlled, specialized application that grabs everything in volatile memory and writes that output only to a clean external media, like a brand new thumb drive.

You absolutely cannot write this data back onto the suspect's drive.

That would alter the evidence.

Okay, what's next?

Step three, they might copy and paste the text conversation itself to that external media.

And step four, and this is crucial, if encryption is suspected,

specialized tools must be used to image the entire hard drive while it is still decrypted and running live.

And that massive image file also has to be saved to external storage.

It's an incredibly precise process.

So once that intense acquisition is done, the physical system has to be secured.

And that labeling process you mentioned is critical here.

Yes.

The source really stresses this.

Every single cord gets labeled.

We use a numbering scheme, 1A on the cord, 1A on the port, 2B on the power cord, 2B on the socket.

This ensures that when the system gets to the lab, every physical connection can be perfectly reconstructed.

And this detailed documentation leads to the most important step for preserving that hidden evidence.

Forensic image acquisition.

The goal here is absolute, right?

The goal is to use the least intrusive method possible to get the data without altering a single bit.

Ideally, the investigator physically removes the HDD and puts it in a forensic lab computer.

And critically, that drive must be in a write-blocked state.

What does that mean, write-blocked?

It's a piece of hardware that acts like a one -way valve.

It lets data be read from the suspect drive, but it physically blocks any instruction from the computer that tries to write data to it.

It guarantees zero alteration.

Now, how does an investigator prove in court beyond any doubt that the massive forensic image they created is a perfect unaltered duplicate of the original?

That's where digital integrity verification comes in.

We use something called Message Digest 5, MD5, or the Secure Hash Algorithm, SHA.

They are complex mathematical algorithms.

You feed the entire contents of a drive every single bit into the algorithm.

And it spits out a code.

It generates a unique 32-character alphanumeric fingerprint.

The procedure is rigorous.

You run the algorithm on the original drive before you image it, and then you run it again on the forensic image after you've created it.

If those two 32-character strings match perfectly, integrity is proven.

If even one bit was changed, the entire string will change completely.

It's like a digital chain of custody.

And you stressed before that a forensic image is not the same as a standard backup.

It's not even close.

A forensic image is an exact duplicate of the entire drive, bit for bit, from the first byte to the last.

It captures everything, including the parts that look blank or unused to the operating system.

And that's to preserve latent data, the hidden goldmine we're about to get into.

A standard copy only grabs the files the OS knows about, and it misses all the good stuff.

Which brings us right to Section 4, analysis of electronic data,

distinguishing between the data we can easily see and the data that tells the real story.

Let's start with visible data.

The low-hanging fruit.

Right.

This is all the information the operating system is aware of, stuff that's readily accessible.

We're talking about data work product: files, documents, spreadsheets, financial records.

The source mentions counterfeiting operations, for instance, which rely on graphic design software.

Those files are critical evidence.

And slightly less obvious is the swap file data.

This is directly related to conserving RAM.

When an application is just sitting there inactive, the OS constantly swaps its data out of RAM and writes it to a designated file on the hard drive, often called pagefile.sys.

This keeps RAM from getting overloaded.

And that swapping leaves traces.

Constant traces.

It means that fragments of data, little snapshots of what was recently in volatile memory, can be left behind in that swap space.

An examiner with a hex editor can search that swap data for clues about recent user activity, even if a program was never saved.

We also look for temporary files.

These are created by programs as an automatic backup, right?

Updated every 10 minutes or so to prevent data loss if the power goes out?

Yes.

And forensically, they can let you recover unsaved work.

They also contain data from the print spool file.

When you print a big document, a temporary spool file is created so you can keep working.

We can often recover the entire content of that document from the spool file, even if the user never actually saved the final copy.

Okay, now we cross the threshold into the most rewarding territory for investigators.

Latent data.

This is the stuff that's hidden from the user's view, living in areas the OS doesn't even track.

And this is the whole reason we needed that bit-for-bit forensic image.

Exactly.

So if the OS map doesn't show this data, how do we even see it?

We use specialized utilities, often called hex editors.

Things like WinHex.

These tools let us read the data on the binary level.

The ones and zeros, completely independent of the OS file system map.

We're bypassing the front door.

And the most fertile ground for this is what we call slack space.

Okay, hold on.

Let's really break down the mechanics of slack space because this is where you have that aha moment about digital storage.

It all comes from cluster allocation.

Remember, the cluster is the minimum storage unit.

Let's say, for simplicity, a cluster is 1024 bytes.

If a user creates a tiny file that's only 100 bytes long, the hard drive still has to allocate the entire cluster, all 1024 bytes for that tiny file.

And the leftover is the slack space?

The remaining 924 bytes are slack space.

And this is physically divided into two types.

First, RAM slack.

That's the space from the end of your 100 byte file up to the end of the first sector.

In older systems, this space was often padded with whatever random data was just sitting in volatile RAM at the time, passwords, web page fragments, anything.

And the second type of slack space is where the deleted files are hiding.

Precisely.

The rest of the space in the cluster is file slack.

In our example, that's a whole 512 byte sector.

This space is extremely likely to contain orphan data from a previously deleted file that used to occupy that exact same cluster.

So if a 1000 byte file was deleted and then your new 100 byte file was saved here, the slack space is essentially a preserved fragment of that older deleted file.

So if slack space is the leftover bytes inside a used cluster, then unallocated space is the massive empty area of the drive that the OS sees as totally available for new files.

Right.

If you look at the entire drive map, this is the area not currently assigned to any active file.

And this space is critical because it contains huge amounts of data that's been orphaned by the constant manipulation of files.

What creates that orphaned data?

Three main things.

First, defragmenting.

When files get spread out across the drive, defragmenting pulls them back together.

But in the process of rewriting the file, fragments of the original scattered data often get left behind, orphaned in unallocated space.

Okay.

Second, swap file activity.

Like we said, the constant back and forth between RAM and the hard drive inevitably causes data fragments to get left behind.

And the biggest source, the one that makes you realize you never truly delete anything?

Deleted files.

When a file is deleted in, say, a FAT system, the OS just replaces the first character of the file name with a special symbol.

The OS now sees those clusters as available, but the data itself is physically untouched.

Even after you empty the recycle bin, the data is still there until a new file writes over that specific physical spot.

The digital footprints are indelible.

And speaking of footprints, let's move to section five, forensic analysis of internet and network activity.

Tracking the user online.

The trail starts with the internet cache.

We've all seen this.

Web browsers store, or cache, bits of visited pages on the hard drive to make them load faster next time.

And even if the user tries to clear that cache,

examiners can often reconstruct entire visited web pages.

Because they're just files on the drive, they are subject to all the same latent data recovery techniques we just talked about.

Then we have cookies.

These are small files placed on the hard drive by websites to track user info.

Cookies are basically the website's memory of you.

They track your history, what you buy, your passwords.

They're often just simple text files.

And they're crucial because they can corroborate a web visit, even if the user didn't mean to go there.

A pop-up ad can place a cookie, and that still provides evidence linking the computer to that site.

And the most obvious trail is the internet history, which is like the recent calls list on your phone.

Yes, and what's often overlooked, and what Figure 19-12 in the source shows so well, is that internet history is a misleading name.

The history often lists files accessed over a local network, or even on a thumb drive.

It's really a comprehensive access log of recent system activity, not just web browsing.

And for a simple psychological profile, investigators can just look at bookmarks and favorite places.

And all of this tracing relies on one fundamental rule.

Communication needs an address.

Every computer on the internet has to have an internet protocol, IP, address, like 66.94.234.13.

And that IP address is the direct link to a real person.

So walk us through that process.

How do you take an IP address from an email header and connect it to a person?

It's a structured three-step process.

Step one, the investigator finds the originating IP address.

Step two, they research that IP using public services to find out which ISP, like Comcast or Verizon, is responsible for it.

Step three, the investigator issues a subpoena to that ISP, demanding to know which customer was using that exact IP address at that exact date and time.

That's the link.

And this applies to other communication too, like email and instant messaging.

For email, if you use a client like Outlook, your mail is stored in compound files right on your machine.

Forensic software can easily mount and view these, even recovering deleted mail.

For web-based email like Yahoo, you don't have those local files, but the content is often found fragmented in the internet cache.

What about chat and instant messaging?

We know those exist mostly in volatile RAM.

What happens when the computer is shut down?

Well, if the investigator missed the live acquisition, the full conversation is gone.

However, because of that constant memory swapping between RAM and the hard drive,

remnants of those conversations, though they're fragmented and disconnected, are often found hiding in the swap space or paging file during the hard drive analysis.

That gives us a really comprehensive picture of passive data acquisition.

Let's finish with section six, looking at the challenges of hacking and the modern complexities of mobile forensics.

Right, so when investigating hacking, or unauthorized computer intrusion, investigators focus on three specific dynamic locations to reconstruct what happened.

What are they?

First, log files.

These document the intruder's IP address on servers, routers, and especially on firewalls, which are designed to block unwanted traffic.

If you get the IP, you start the subpoena process.

Okay, second.

Second, volatile memory, RAM.

If an intrusion is detected while it's happening, acquiring the RAM can give you immediate clues about the attacker's methods, maybe even their passwords or the malware they're using.

And the third?

Third is network traffic itself.

Data travels in data packets, which contain source and destination IP addresses.

If a hacker is stealing data, capturing that traffic shows you exactly where the stolen info is being sent in real time.

Finally, we turn to mobile forensics.

The source rightly points out that these are not just phones anymore.

They're pocket computers, and they are everywhere.

And the evidentiary potential is just immense.

SMS, text messaging, links people during a crime.

MMS can transfer shocking video evidence, contact lists, calendars, and integrated GPS data can all document associations and test alibis.

But these devices present unique challenges.

So it's a total Wild West, then.

Every phone is different.

It's arguably more difficult than traditional PCs.

The primary issue is the sheer lack of standardization.

Android and iOS operate very differently.

Memory structures are all over the place, split between internal memory and expansion cards.

So you have to seize everything.

You seize the device, the chargers, the cables,

because proprietary connectors are common.

And the risk of losing evidence is much higher.

Mobile devices are vulnerable to remote kill and clear capabilities.

So the suspect can just wipe it from afar.

So the preservation method is counterintuitive.

You do not shut the device off.

That clears RAM and locks the encryption.

The preferred method is to leave it running, but immediately block all communication.

How do you do that?

Use a Faraday Shield.

It can be a sophisticated forensic bag, or even just a simple metal paint can.

It creates an enclosure that stops the device from talking to the cell tower, while you maintain its power with an external battery pack.

This preserves volatile memory and prevents that remote wipe.

And once it's secure, the extraction is also specialized.

Very.

It requires a ton of different tools.

Physical extraction gives you the most data, a true bit-for-bit copy, but it can be incredibly hard to analyze.

Logical extraction, on the other hand, limits the data to what the OS is aware of, like messages and contacts, but it's much easier and faster to interpret.

So if we connect this all back and summarize the key takeaways, it seems like digital evidence really exists in three distinct layers.

It does.

First, there's visible data.

The obvious files, the spreadsheets, the temporary files the user is aware of.

Those are the front door clues.

Second, the crucial hidden evidence, latent data.

The goldmine that persists in slack space, and unallocated space long after a user hits delete.

And the third layer connects them to the world.

Communication data.

The traceable records left behind via IP addresses, browser caches, and the volatile memory remnants from chat sessions that link the user's actions to the outside world.

What really stands out to me is that every single action you take on a computer, from typing a document to browsing a website or sending a text,

creates this multi-layered digital footprint that often defies deletion.

Knowing this, it fundamentally changes how you view the tech in your pocket and how safe you feel hitting delete.

Absolutely.

So here's a final provocative thought for you to consider.

We dedicated a lot of time today to the order of volatility, focusing on securing evidence from a local laptop before it vanishes.

How might the constant real-time synchronization of modern cloud services, which instantly mirror data offsite to a third-party server, further complicate that order of volatility for forensic examiners?

Does the concept of volatile memory in local RAM even matter as much anymore if the data is already non-volatile on Google servers?

Something to mull over.

Thank you for joining us for this deep dive into computer forensics.

We hope you feel thoroughly informed.

This audio and summary are simplified educational interpretations and are not a substitute for the original text.

Chapter Summary

What this audio overview covers
Digital evidence identification and preservation requires understanding both the physical components of computing systems and the logical structures that organize stored information. Computer forensics professionals must distinguish between hardware elements like the CPU, motherboard, ROM, and RAM, and the operating systems that control them, recognizing that different components retain data with varying degrees of permanence. Hard disk architecture presents particular investigative challenges, as examiners must navigate the mapping of data across sectors, clusters, tracks, and cylinders while reconstructing information from file systems. The order of volatility framework guides crucial early decisions during electronic crime scene processing, determining whether to perform live acquisition of transient RAM contents or to isolate the system and preserve the hard drive in its current state. Creating forensic images demands specialized tools like write-blockers to prevent inadvertent data modification, combined with cryptographic verification using algorithms such as MD5 and SHA to establish the authenticity and integrity of collected evidence. Forensic analysis distinguishes between accessible data including temporary files, swap space, and print spools, and hidden information residing in unallocated clusters, file slack, and RAM slack regions. Internet-based investigations leverage browser artifacts including cached content, cookies, and history logs, while IP address analysis enables the tracing of email communications and instant messaging activity. Mobile device examinations introduce additional complexities, requiring Faraday cage technology to prevent external signals from altering device state, alongside specialized extraction methods for contemporary smartphones and tablets. 
Network intrusion investigations rely on systematic examination of system logs and packet-level traffic analysis to identify unauthorized access patterns and reconstruct attacker activities. Throughout all forensic work, maintaining proper chain of custody documentation and applying rigorous authentication protocols ensures that digital evidence remains legally admissible and professionally defensible in court proceedings.
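The summary's points about cluster allocation, slack space, file deletion and hash verification can be made concrete with a small model. The following Python is an added example written for this page, not code from the textbook or the lecture; it uses the chapter's 512-byte sectors and 1024-byte clusters, and the ToyDisk class, its FAT-like name table, and the file names and contents are constructed assumptions.

```python
import hashlib

SECTOR = 512        # bytes per sector, as in the chapter
CLUSTER = 1024      # the chapter's simplified two-sector cluster
DELETED_MARK = "?"  # stand-in for the FAT first-character deletion marker


def slack_breakdown(file_size, sector=SECTOR, cluster=CLUSTER):
    """Split a file's allocation into (clusters, ram_slack, file_slack) in bytes."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    clusters = -(-file_size // cluster)             # ceiling division
    allocated = clusters * cluster
    tail = file_size % sector                       # bytes used in the last sector
    ram_slack = 0 if tail == 0 else sector - tail   # rest of that sector
    file_slack = allocated - file_size - ram_slack  # whole sectors never written
    return clusters, ram_slack, file_slack


class ToyDisk:
    """Constructed model: a flat image (the platters) plus a FAT-like name -> clusters map."""

    def __init__(self, n_clusters):
        self.image = bytearray(n_clusters * CLUSTER)
        self.table = {}        # the "front desk" map: file name -> cluster chain
        self.in_use = set()    # clusters the map currently considers taken

    def _free_clusters(self, count):
        total = len(self.image) // CLUSTER
        free = [c for c in range(total) if c not in self.in_use]
        if len(free) < count:
            raise OSError("disk full")
        return free[:count]

    def write(self, name, data):
        n_clusters, _, _ = slack_breakdown(len(data))
        chain = self._free_clusters(n_clusters)
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            # Only the file's own bytes are written; the rest of the cluster is left as it was.
            self.image[start:start + len(chunk)] = chunk
        self.table[name] = chain
        self.in_use.update(chain)

    def delete(self, name):
        chain = self.table.pop(name)
        self.table[DELETED_MARK + name[1:]] = chain  # entry marked, data untouched
        self.in_use.difference_update(chain)         # clusters now "available"

    def cluster_bytes(self, c):
        return bytes(self.image[c * CLUSTER:(c + 1) * CLUSTER])


def verify_image(original, image):
    """Hash the source drive and its image; returns (match, digest_original, digest_image).

    SHA-256 is used here; the chapter's MD5 works the same way but yields 32 hex characters."""
    h_orig = hashlib.sha256(original).hexdigest()
    h_img = hashlib.sha256(image).hexdigest()
    return h_orig == h_img, h_orig, h_img


def slack_persistence_demo():
    """Delete a 1000-byte file, reuse its cluster for a 100-byte file, then carve the slack."""
    disk = ToyDisk(n_clusters=4)
    old = b"x" * 988 + b"SECRET-NOTE "    # constructed 1000-byte sample; marker near its end
    disk.write("old.txt", old)
    disk.delete("old.txt")                # the map forgets it; the platters do not
    disk.write("new.txt", b"A" * 100)     # lowest free cluster is the one old.txt used
    cluster = disk.cluster_bytes(disk.table["new.txt"][0])
    _, ram_slack, file_slack = slack_breakdown(100)
    live = cluster[:100]                              # what the OS shows for new.txt
    ram_slack_bytes = cluster[100:100 + ram_slack]    # remainder of the first sector
    file_slack_bytes = cluster[100 + ram_slack:]      # second sector, never rewritten
    return live, ram_slack_bytes, file_slack_bytes, disk


if __name__ == "__main__":
    live, rs, fs, disk = slack_persistence_demo()
    print("RAM slack bytes:", len(rs), "file slack bytes:", len(fs))
    print("deleted file fragment still in file slack:", b"SECRET-NOTE" in fs)
    copy = bytes(disk.image)                          # a bit-for-bit image
    print("image verifies:", verify_image(disk.image, copy)[0])
    tampered = bytearray(copy)
    tampered[0] ^= 1                                  # flip a single bit
    print("tampered image verifies:", verify_image(disk.image, tampered)[0])
```

Running it shows the 924 leftover bytes split into 412 bytes of RAM slack and 512 bytes of file slack, with the deleted file's tail still readable in the file slack, and a one-bit change to the image breaking the digest match.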
