Setting Up

• If you haven't previously had a class with me which has used VMware or Linux, this will help you get started.

Overview of Forensic Science

• Forensic science is the application of scientific and engineering principles to a legal setting. In this module we discuss forensic sciences in general (there are a number of applications), and how digital forensics is applied in a legal setting. 

• Civil and Criminal Procedure
• Courtroom Testimony
• Intellectual Property
• Laws
• Legal Compliance 

Procedure

Report Writing

• Guest lecturer Professor Pollitt, FBI (retired), will describe the report writing process from a law enforcement viewpoint.

Seizing and Imaging

• In these three lectures I discuss important concepts related to seizing digital evidence, creating a forensic copy of the evidence, and verifying that you made an accurate copy.  The associated labs involves creating a forensic copy of a flash drive using Linux. 

Project 1: Demonstrate an Understanding of Forensic Imaging and Verification

Hierarchy of Access

• Media can be accessed at varying levels, from the purely physical to the logical. The concept of hierarchy of access is explained.

File Systems

• In order to understand digital forensics first and foremost you must understand file systems. A file system is the organizational structure by which files are organized on a disk. There are dozens of different file systems, but will start with the simplest, the FAT file system.

Physical Analysis

• Physical analysis looks at the contents of the media from a raw perspective.  So instead of viewing files in allocated space (logically), we can also view system space (e.g., root directory, FAT, Master File Table, etc.), and also recover unallocated and slack space. 

Project 2: Demonstrate an Understanding of the FAT File System and File Recovery

Forensic Tool Validation

• It is crucial, and required by case law, that forensic tools be validated prior to their use.  In this lecture we discuss the concept of validation. 

Drives and Partitions

• In this section we discuss drives and their geometry, and physical characteristics

Date and Time Stamps

• Every file has multiple date and time stamps.  These can be useful in a forensic examination. 

Forensic Tool Kit

FTK Imager

• FTK Imager is a small Windows-based utility that can fit on a USB that allows a forensic examiner to create a forensic image and conduct a basic preview of evidence. It's absolutely free to download and use so it might be something to include in your own toolkit.  While our version of FTK 6.1 requires a VPN, FTK Imager does not (thus, why you can put it on a USB stick!).

Setting up VPN Access

• In order to run FTK you will need to setup VPN access to the FTK dongle which resides on a server at DSC. 

Installing and Configuring FTK

• FTK is a full-fledged commercial digital forensics application.  You will use FTK for the remaining two assignments.  

Overview of the FTK Interface

• FTK is complicated so we'll need to review the interface and its capabilities in multiple videos. In this video walkthrough I cover the Explore, Overview, and Email tabs/functionality.

Graphics, Video, Internet, Bookmarks, and Filters

• In this video walkthrough I cover the Graphics, Video, Internet, Bookmarks, and Filters capabilities. 

Manual Carving and Indexed Search

• In this video lecture I cover how to add new evidence to your case, how to use manual carving to recover deleted files from unallocated space, and how to use the powerful indexed search to identify keywords in your case. 

Creating a Report

• The purpose of a forensic examination is to identify evidence, or lack thereof, and produce a forensic report. In this video lecture I discuss how to add new evidence and bookmarks to case, and how to create a report in multiple formats.

Project 3: The Forensic Tool Kit (FTK)

Password Recovery Toolkit

• Password Recovery Toolkit (PRTK) is an add-on product to FTK that allows an examiner to breaker all different types of passwords. 

Windows Registry Analysis

• The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications. As such it contain a wealth of information regarding applications installed and used, last files opened, devices mounted, etc.

Project 4: Password Recovery Tool Kit (PRTK)