Chapter 1: Types of Computer-Based Investigations


Welcome to Last Minute Lecture.

This free chapter overview is designed to help students review and understand key concepts.

These summaries supplement, not replace, the original textbook and may not be redistributed or resold.

For complete coverage, always consult the official text.

Welcome to the Deep Dive.

We're jumping straight into an incredibly useful resource one of you shared.

It's a really deep exploration of a chapter from Learn Computer Forensics, the second edition by William Oettinger.

Yeah, it's a great one.

Think of this as your shortcut to understanding the essentials,

you know, searching, analyzing, getting and keeping digital evidence secure.

That's pretty much the promise on the cover.

It really lays out the whole foundation, doesn't it?

From finding the evidence right through to maybe ending up in court. A solid overview.

Absolutely.

And the author, William Oettinger, he's got some serious experience, retired from Las Vegas Metro PD, Marine Corps special agent.

Yeah, over 20 years, right?

20 years doing law enforcement and IT stuff.

Plus, he's involved with IACIS, the International Association of Computer Investigative Specialists.

Yeah, shows he's really dedicated.

And that mix of backgrounds, you know, the different kinds of police work, the military side, IT,

it gives the whole thing a very practical, feet-on-the-ground feel.

He's seen this stuff in action.

So our mission today really is just to pull out the key insights from this whole chapter for you.

We'll cover everything.

Grabbing the evidence cleanly, the legal stuff, best practices, all the crucial bits. And we'll try to explain it so it clicks, you know, whether you're deep into tech or just curious about how digital clues actually get uncovered.

We'll definitely focus on why these steps matter in, like, real investigations.

What are the things that can really make or break a case?

Now, I know digital forensics can sound, well, technical, maybe a bit intimidating if it's not your world.

It can seem that way.

But don't worry, we're going to break it down, make it clear, and show you the fascinating real world side of it all.

Okay, so first things first.

Acquiring the evidence.

Why is getting that initial step right so absolutely vital?

Well, it's because digital data is just incredibly fragile.

Anything you do can potentially change it or even wipe it out completely.

So that first step is all about preservation.

Keeping the evidence exactly as it was found so it could be analyzed properly and, you know, hold up legally.

Like a crime scene, you cordon it off first.

Yeah, you wouldn't want someone trampling through.

Yeah.

So this forensic examination environment the book mentions, what's that about?

It's basically a controlled space,

physically controlled, digitally controlled,

where the analysis happens.

This control helps make sure the findings are reliable.

And a huge part of that is using validated tools,

hardware, software,

stuff that's been tested to make sure it works correctly and doesn't mess with the evidence.

Ah, so you can trust the tools you're using.

Exactly.

That validation is key if it ever goes to court.

Makes sense.

Then there's sterile media.

Sounds almost medical.

Yeah, it just means preparing clean storage, like external hard drives, USBs,

whatever you're going to pop the evidence onto.

Okay.

You need to be sure there's no leftover data on your drive that could somehow get mixed up with the evidence.

You need a totally blank slate.

Got it.

Start fresh.

Now, write blocking.

That sounds pretty self-explanatory, like it stops writing.

Precisely.

A write blocker is a device, or sometimes software, that lets you read data from a drive but physically stops anything from being written to it.

Essential, I guess.

Absolutely non-negotiable for preserving the original.

The book talks about hardware blockers, physical gadgets that sit between the evidence drive and your computer, and software blockers.

Hardware is generally preferred.

Seen as more reliable.

It's like a one-way valve for data.

Look, but don't touch.

Great analogy.

Okay, so we can look safely.

Then we get to forensic imaging.

How is that different from me just copying files to my backup drive?

Oh, it's totally different.

Forensic imaging is way more thorough.

It's a bit-for-bit copy, including deleted files.

Stuff lingering in the empty, unallocated space, even tiny bits in slack space at the end of files.

Simple copying just grabs the files the operating system currently sees.

An image gets it all.

The book mentions dd images.

That's a raw, sector-by-sector clone, and the EnCase format, which adds extra info and allows compression.

And it notes you need special considerations for SSDs, solid-state drives, because they work differently.

So it's like a perfect digital clone of the entire drive, not just the visible stuff.

Exactly, a digital twin.

Okay, the chapter mentions specific imaging tools.

FTK Imager comes up first.

Right, FTK Imager.

It's super popular, partly because it's free, which is amazing.

It does a lot.

Creates those forensic images, both DD and in -case formats.

It calculates hash values.

Think of those as unique digital fingerprints, like MD5 or SHA1.

Ah, to prove it's an exact copy.

Precisely.

You hash the original, hash the image.

If they match, you know the copy is identical.

FTK Imager also lets you preview files without changing anything, and it can even grab the computer's RAM content, which is really useful.

That does sound powerful for a free tool.

What about Paladin?

Sounds kind of epic.

It's definitely a strong tool.

Paladin is different.

It's a bootable Linux system on a USB or DVD.

It's made by SUMURI, founded by Steve Whalen, who actually reviewed this book.

Oh, interesting connection.

Yeah.

It's designed to be user-friendly, graphical interface.

It bundles a bunch of open-source forensic tools for imaging, analysis, quick checks.

And being bootable means?

It means you can start the suspect computer using Paladin instead of its own operating system.

So you never risk changing anything on the computer's hard drive just by turning it on.

It's a safe way to start the examination.

Okay, so we've got our perfect copy.

Now we need to understand the system itself.

The chapter moves to computer systems.

Where do we start?

Right at the beginning.

The boot process.

How the computer actually starts up.

Understanding that can reveal things about installed OSes, security bypass attempts.

And that ties into forensic boot media again.

Booting from your own clean USB lets you poke around without touching the internal drive's data.

Examining the scene without leaving footprints.

Got it.

Then it gets into hard drive geometry: sectors, tracks, cylinders.

How deep do we need to go there?

Well, it can get technical, but the core idea is just understanding the physical layout on older magnetic drives.

Okay.

Modern tools handle a lot of this low -level stuff, but a basic grasp can help sometimes, especially with data recovery.

And then partitions.

MBR, GPT.

I've seen those terms.

Why do they matter?

Partitioning is just dividing the physical drive into logical ones, like C drive, D drive.

MBR is the old way.

Limited number of main partitions.

Extended partitions were a workaround.

GPT is the modern standard.

Supports huge drives, more robust.

For forensics, you have to understand the partitioning to see the drive structure correctly and make sure you're not missing any sections of data.

And these hidden areas, host protected area, HPA, and device configuration overlay, DCO.

Yeah.

Those are sections of the drive hidden from the normal OS and BIOS.

Manufacturers use them sometimes.

But they could hide data.

Exactly.

They can be used to hide data.

So an examiner needs to know they exist and have tools to check them, like looking for a secret compartment.

Always look beyond the obvious.

Okay.

Next.

File systems.

FAT and NTFS, the filing systems for the data.

Pretty much how the OS organizes files.

FAT is older, simpler.

The chapter mentions its basic parts, how it handles long file names, and recovering deleted stuff from it, including slack space.

Slack space.

The leftover bits.

Right.

The unused space at the end of a file's allocated clusters. NTFS adds features like journaling, which helps in timelines.

This chapter doesn't go super deep into NTFS specifics, but knowing the difference is key.

Okay.

So they organize files differently.

After getting the image and understanding the system, we move to the computer investigation process.

The book stresses it's not just finding stuff, but analyzing context.

Absolutely.

It's about piecing together the story.

Timeline analysis is huge here.

How does that work?

You collect timestamps from everywhere.

File creations, logins, web history, registry keys,

and put them in order.

It builds a picture of what happened when.

Like a digital storyboard.

Exactly.

The book mentions tools like X-Ways, a commercial one, and Plaso, that's open source, for pulling all these timestamps together.

What else?

What other analysis methods?

There's media analysis looking at images, videos, audio.

String searching is fundamental, looking for specific text like keywords or names anywhere on the drive, even in deleted space.

Like a super powered find command.

Pretty much.

And recovering deleted data.

Just because it's deleted doesn't mean it's gone.

Traces often remain and specialized tools can try to pull them back.

Digital archeology.

Okay.

Focusing on Windows now.

Windows artifact analysis.

Makes sense.

Windows is everywhere.

User profiles and the registry.

Why are they ground zero?

User profiles tell you who was doing what: their settings, their files. The registry.

Well, it's this massive database holding configuration settings for Windows itself and tons of applications.

The central nervous system, kind of?

Yeah, that's a good way to put it.

It tracks so much activity.

User preferences.

It's incredibly rich for investigators.

What about tracking account usage?

Like who logged in when?

The registry holds that too.

Last login times, last password change dates. It helps confirm who was active and when.

And figuring out what files someone interacted with.

Determining file knowledge.

Windows leaves tons of clues or artifacts.

Thumb cache stores image thumbnails even if the original is deleted.

Browser history, cookies, cache.

Huge for web activity.

Right.

Then you've got MRU lists.

Most recently used files and apps.

The recycle bin.

LNK file shortcuts.

They hold info about the original file even if it's gone.

Jumplists show files used by specific apps.

Shellbags track folder view settings.

Prefetch logs program launches to speed them up.

Wow, it tracks everything.

Almost.

Each artifact tells a small part of the user interaction story.

Okay, what about physical location?

Can digital clues point to where someone was?

Sometimes.

System time zone settings give a hint.

Network history logs show connected networks.

The WLAN event log specifically tracks Wi-Fi connections, including network names, which can sometimes be mapped to locations.

Interesting.

And seeing which programs were run.

Program execution.

Yeah, UserAssist in the registry tracks app launches.

And ShimCache, or application compatibility cache, also logs executed programs while helping older apps run.

Both are good indicators of software usage.

And finally, USB devices.

Tracking external drives.

Yep.

Windows logs when USBs and other external devices are connected, often including serial numbers and who was logged in.

Crucial for seeing if data was moved off the system.

Okay, deep dive into Windows, done.

Now RAM memory forensic analysis.

RAM is temporary, right?

So why look at it?

Because while it's volatile, gone when the power's off, it holds what was happening right then.

A snapshot in time.

Exactly.

Running processes, network connections, maybe decrypted data that's encrypted on the disk, fragments of recently accessed stuff.

It's the live state.

Where does this memory live?

Physically, it's in the RAM sticks, the modules plugged into the motherboard.

And how do you capture this fleeting data?

You need to capture RAM before shutdown.

Usually means preparing a clean USB drive with capture tools.

The chapter mentions DumpIt. Simple, creates a raw memory dump.

And FTK Imager, again, it can capture RAM too.

So same tool potentially for disk and RAM.

Once you have the dump, how do you analyze it?

You use RAM analysis tools.

Bulk Extractor is mentioned. It scans the dump for specific data types like emails, URLs, credit card numbers, just pulls them out.

Like sifting for gold.

Kind of.

And it mentions, like SETI, probably an older version of the Volatility framework, which is the standard now.

Volatility is incredibly powerful for dissecting memory dumps, finding processes, network info, commands typed, all sorts of things.

Okay.

From temporary RAM to something more permanent, email forensics, still a huge source of evidence, I imagine.

Oh, absolutely.

Personal, business, email is central.

Understanding the basic protocols is the first step.

SMTP for sending, POP and IMAP for receiving, how webmail differs.

Knowing how it travels helps trace it.

And decoding it.

It's not just the message text.

No, you've got the headers full of technical details about the path it took, sender info, servers, really important metadata.

Then the message body and attachments, of course.

Decoding means pulling all that apart and interpreting it.

What's the difference analyzing client-based email, like Outlook, versus webmail, like Gmail?

Client-based email usually stores data locally on the computer.

Outlook uses PST or OST files.

Others use different formats.

So once you image the drive, you potentially have the email data.

Webmail mostly lives on the provider's servers, Google, Microsoft, whoever.

Getting that usually requires legal process, like a warrant or a subpoena.

Much harder to access directly.

Local filing cabinet versus records held elsewhere.

Got it.

Moving on to internet artifacts.

Browsers leave trails everywhere, right?

Huge trails.

The chapter covers Chrome, IE, Edge, Firefox.

Looking at bookmarks, history, cookies, cache, saved passwords.

Each browser stores this stuff slightly differently, so you need to know where to look.

What about social media and file sharing?

Social media, like Facebook, Twitter,

generates tons of evidence.

The chapter just touches on it.

P2P file sharing areas.

Email leaves traces of what files were shared or downloaded.

And the cloud.

So much lives there now.

The chapter briefly mentions cloud computing.

Documents, photos, emails, and cloud storage.

Major evidence source.

But again, like webmail, access usually involves legal requests to the provider.

Makes sense.

Okay, switching gears to more proactive stuff.

Online investigations.

Right.

This is about actively investigating online.

Using undercover personas.

Building an online platform for that.

Also covers background checks using OSINT, open source intelligence.

Basically public information online.

And crucially, how to preserve online evidence, like chats or posts.

Using screenshots and archiving tools before they disappear.

Being a digital detective online.

Then, networking basics.

Why does a forensics person need to know about the OSI model and TCP/IP?

Because so much evidence involves network communication.

Understanding how data moves helps interpret logs, trace connections, understand malware behavior.

The chapter gives a simple overview of the OSI model's layers and encapsulation.

Then TCP/IP: IP addresses, IPv4, IPv6, port numbers, common protocols like HTTP for web, SMTP for email, TCP and UDP for transport, IP for routing.

It provides context for network related evidence.

Got the basics.

After all this digging, you need a report.

Report writing.

What makes a good one?

Good notes are the foundation.

Take meticulous notes during the whole process.

The report itself needs key sections.

What evidence was analyzed, how it was acquired, what analysis was done, and what was found.

Plus exhibits or technical details.

The main goal is clarity.

Explain technical stuff simply.

Even for non-techie readers.

And finally, expert witness ethics.

This sounds critical.

Hugely critical.

Examiners often testify in court.

You need to understand the legal context.

Criminal versus civil.

Prepare thoroughly.

Your CV establishes your expertise.

You need to understand how testimony works.

But above all, ethics are paramount.

Objectivity, truthfulness, diligence.

Your work can have massive consequences.

To tie it all together, the chapter has case studies.

Let's hit the highlights.

Dennis Rader, BTK.

How did digital evidence catch him?

Amazing story.

He sent a floppy disk to the media.

Forensics recovered a deleted word document from it.

Wow.

The metadata in that document had Christ Lutheran Church and the user Dennis.

A quick search linked Dennis Rader to the church.

That tiny digital clue broke a decades old case.

Incredible.

What about Silk Road, the online marketplace?

Complex case.

Lots of digital tracing IP addresses, forum posts, a username Altoid linked to Robert Ulbricht's Google account, intercepted fake IDs, seized servers in Iceland, decrypted data, undercover agents.

When they arrested Ulbricht, his laptop was open, full of incriminating evidence.

A multi-pronged digital attack.

And the San Bernardino iPhone case.

That highlighted the clash between investigation and privacy.

FBI couldn't unlock the iPhone 5C, asked Apple for help, Apple refused citing security risks.

Big public debate.

Huge.

Eventually the FBI paid a third party, likely Cellebrite or somewhat similar, to unlock it.

There was also an early mistake where the iCloud password got reset, hindering cloud access.

Really showed the challenges with encryption and device security.

And the last one, theft of intellectual property shows it's not just crime.

Exactly.

Civil case.

Scientist accused of stealing IP.

Initial expert pointed to OST file timestamps as proof of email theft.

What?

But a correct analysis showed OST files were modified automatically by Outlook connecting to Exchange.

The timestamps were normal activity, not theft.

The first expert was wrong.

Case dismissed.

Employer had to pay legal fees.

Shows how vital accurate understanding is.

Wow.

Yeah.

Getting it right matters.

Okay.

Throughout all this, there are practice tips.

What are the big takeaways?

Chain of custody.

Document everything.

Be unbiased.

Look for evidence that helps and hurts your case.

Keep learning, tech changes constantly.

Understand the law, jurisdictional differences,

and explain things clearly.

Simple language for complex ideas.

Right.

And the chapter also mentions proactive security for organizations, trying to prevent these things.

Well, we really have covered a lot of ground here.

That whole chapter from Learn Computer Forensics, second edition, from grabbing evidence carefully right through to ethics and court.

Yeah.

Acquisition, imaging, analysis tools, legal rules, security,

those case studies,

the works.

We hit the technical stuff, saw how it applies in the real world, touched on the legal side.

And understanding these fundamentals, well, it's essential.

Whether you're doing investigations, working in cybersecurity, or honestly just curious about how this digital world impacts law and...

For sure.

And those cases really show the power and sometimes the subtlety of digital evidence in all sorts of situations.

Which kind of leads to a final thought for you, the listener.

Technology keeps changing faster and faster.

So how does computer forensics keep up?

What challenges are coming next?

Think about privacy, security,

and just finding the truth in this incredibly complex digital society we're building.

What does the future hold?


Chapter Summary: What this audio overview covers
Computer-based investigations encompass two distinct operational domains that require fundamentally different approaches, legal frameworks, and institutional resources. Criminal investigations address offenses such as cyberstalking, cyberbullying, illegal content distribution, and other cybercrimes that fall under law enforcement authority, whereas corporate investigations target internal misconduct, unauthorized access to proprietary systems, and employee theft of confidential information handled through private sector mechanisms. Digital forensic examiners serve as the central technical authority in these investigations, tasked with systematically locating, securing, and analyzing electronic evidence while adhering rigidly to chain of custody documentation that establishes evidence integrity for potential judicial proceedings. The roles of first responders, field investigators, and crime scene technicians are clearly delineated, with each position bearing specific obligations during evidence collection and recovery phases; contamination or mishandling of digital materials at any stage can render an investigation legally insufficient despite otherwise solid investigative groundwork. Evidence sources span diverse technological environments including peer-to-peer file sharing systems, USENET newsgroups, social media platforms, and Internet of Things devices, each introducing distinct technical obstacles and legal interpretations regarding lawful examination. Examination of documented cases including the BTK Killer investigation, the Silk Road prosecution, and the San Bernardino terrorist attack illustrates how digital forensic techniques and findings have provided critical evidence in complex, consequential prosecutions affecting outcomes across multiple jurisdictions. 
The legal architecture governing digital evidence collection emphasizes Fourth Amendment protections, search warrant procedures, and subpoena requirements that establish the lawful scope of forensic activities and determine admissibility in both criminal and civil proceedings. Understanding the interplay between investigative responsibilities, evidence classification, legal boundaries, and documented outcomes provides the foundational knowledge required to recognize how digital forensics operates across criminal justice systems and corporate security environments alike.
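The summary and the discussion both turn on the same integrity step: hash the original drive, hash the image, compare, and record who did what and when so the next person in the chain of custody can re-verify. The following is an added example written for this page; it is not code from Learn Computer Forensics, from the author, or from Last Minute Lecture. The "drive" is a constructed 4 KiB byte string standing in for a raw dd-style image, the imager and examiner names are placeholders, and digests are computed in fixed-size chunks so the same routine works on images far larger than memory.

```python
"""Forensic image hash verification plus a chain-of-custody record.

Added example, not the book's or the site's own code. The sample image and the
tool/examiner names are constructed placeholders (assumptions).
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1 << 20  # 1 MiB read size; tune for the acquisition host

# Constructed sample image (assumption: a 4 KiB "drive"): a 512-byte boot sector
# ending in the 0x55AA signature, then unallocated space that still holds the
# text of a "deleted" file, exactly the residue a file-level copy would miss.
SAMPLE_IMAGE = (
    b"\x00" * 510 + b"\x55\xaa"
    + b"\x00" * 1024
    + b"deleted memo: quarterly figures, do not forward\n"
).ljust(4096, b"\x00")

# Same image with one bit flipped in unallocated space. A directory listing or
# file comparison would never notice; the hashes must.
_altered = bytearray(SAMPLE_IMAGE)
_altered[2047] ^= 0x01
ALTERED_IMAGE = bytes(_altered)


def iter_chunks(data: bytes, size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield successive slices of the image. With a real drive you would read
    from the device behind a hardware write blocker instead of a byte string."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def hash_image(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Single pass over the data with all digests updated together. MD5 and
    SHA-1 are kept because older reports and tools still quote them; SHA-256 is
    the one to rely on, since the other two are broken against chosen collisions."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison. Any False means the image is not a faithful
    copy (or a recorded value was mistyped, which the custody log must expose)."""
    return {
        name: expected.get(name, "").lower() == actual.get(name, "").lower()
        for name in ALGORITHMS
    }


def custody_entry(evidence_id: str, action: str, examiner: str,
                  digests: Dict[str, str], tool: str, notes: str = "") -> Dict[str, object]:
    """One custody-log record: who did what to which item, when (UTC), with
    which tool, and the hashes that let the next handler re-verify."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tool": tool,
        "digests": dict(digests),
        "notes": notes,
    }


def demo() -> Dict[str, object]:
    """Acquire, confirm a good copy, detect a tampered one, and log the steps."""
    original = hash_image(iter_chunks(SAMPLE_IMAGE))
    good_copy = hash_image(iter_chunks(SAMPLE_IMAGE, size=7))  # chunking must not change digests
    bad_copy = hash_image(iter_chunks(ALTERED_IMAGE))
    tool = "constructed imager v0 (placeholder)"
    log = [
        custody_entry("E-001", "acquire", "J. Examiner (placeholder)", original, tool,
                      "hardware write blocker in line; sterile target media"),
        custody_entry("E-001", "verify", "J. Examiner (placeholder)", good_copy, tool,
                      "match: " + json.dumps(verify_image(original, good_copy))),
    ]
    return {
        "good_copy_ok": all(verify_image(original, good_copy).values()),
        "bad_copy_ok": all(verify_image(original, bad_copy).values()),
        "log": log,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints two custody records and the two verdicts: the re-chunked copy verifies on all three algorithms, the copy with a single flipped bit fails on all three. In practice the acquisition hashes go into the report alongside the tool name and version, and anyone who later opens the image repeats the verification before analysis.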
