This module introduces a student to the world of digital forensics. It covers basic vocabulary and cyber crime descriptions, and provides an overview of the digital forensics process.
Module one introduced students to the basic definitions of digital forensics. Module two expands on this definition by elaborating on what digital evidence actually is from a physical/logical point of view. We will also explore digital evidence search and seizure.
Module three marks the end of the review material and begins our more advanced topics. Understanding digital evidence is understanding binary data, the base system used by all digital devices. This section will seek to instill a deep understanding of this system so you can carry that knowledge forward to future modules.
Understanding digital evidence is understanding basic computer storage, and this module concentrates on enhancing that understanding. This module will explore the very basics of computer storage including how binary is used to store useful information.
In digital forensic examinations the original evidence is typically not subjected to examination. Digital evidence is ephemeral and very fragile. Thus, the suspect’s devices are accessed as few times as possible, and a clone of the evidence is examined instead of the original. This module will examine this process and explain how it fits into the digital forensics process as a whole.
In previous modules you have learned the true meaning of binary, how it is stored on digital media, and how it can be translated into useful information. This module will continue the exploration of this process by examining how binary information is organized into useful information inside of computer files. It will also explore a side effect of this formation called file metadata that is commonly used in digital investigations to ensure a more complete understanding of digital file storage.
The last phase of digital forensics is presentation. This phase is perhaps the most vital. A digital examiner’s results are useless unless they can be presented in a manner that can easily be understood by all parties involved. The module will introduce the student to a digital forensic report format that can be used for clear presentation of evidence.
We have now explored the physical storage of bits. We have examined how those bits can form different types of information. We took a break from the highly technical and discussed how these bits are imaged and authenticated for use in court. A previous module then explored how these bits are organized on volumes for the storage of files. This module will go into more detail about basic disk layout, describe a side effect of bit storage called slack space, and present a few file systems to demonstrate real-world examples.
Data recovery is part of the digital examiner’s job, but digital forensics is so much more. This module will, however, be focusing on data recovery. Data recovery is important to understand when determining the admissibility of evidence. It is also important to understand when explaining how you sanitize media before using it to image digital evidence. (Disk sanitization is the opposite of data recovery.)