The Lead

More Bits about Areal Density

December 12, 2014 11:55 am | Articles | Comments

At first glance, it would seem that the most logical and obvious way to increase storage capacity would be to add more platters to a hard drive. However, this raises a number of inherent problems, such as having to increase the size beyond the current form factors (3.5”, 2.5”, etc.), escalating the cost per hard drive, having to have more read/write heads per hard drive, and so forth.

Hard Drives 'Spin' into the Future

December 5, 2014 9:14 am | Articles | Comments

To increase hard drive storage capacity, manufacturers have been able to decrease the size of...

The Importance of Forensic Analysis Training

November 25, 2014 7:00 am | by Heather Mahalik | Articles | Comments

The mobile device industry is evolving very quickly. To stay current on the latest devices...

Growth of Digital Forensic Workflow

November 14, 2014 12:05 pm | Articles | Comments

As digital devices continue to proliferate, digital storage capacities are approximately...

What Every Employee Wants in a Leader

November 7, 2014 8:47 am | by DeEtta Jones | Articles | Comments

Do you ever feel overwhelmed as a manager? Being overburdened by the responsibility of having to figure out what others want and need of you is a familiar feeling shared among leaders. Fortunately, there is a “best practice” for obtaining just the kind of information needed to increase your leadership effectiveness — ask them what they want. 

Accurate Data, Forensic Soundness

October 31, 2014 8:23 am | by Ronen Engler and Christa M. Miller | Cellebrite USA, Inc. | Articles | Comments

Boot loaders are currently considered the most forensically sound physical extraction method. While they do involve loading a piece of code onto the device, this happens before the forensic tool accesses any evidentiary data. That’s because they replace the device’s normal boot loader, or the first set of operations that kick off the phone’s startup process and hand off to the main controlling program, like the operating system.

Cloud Computing Presents a Unique Forensic Challenge

October 23, 2014 8:00 pm | Articles | Comments

Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis. Further forensic issues concern the potential effect the cloud services could have on the digital data itself and how the forensic examiner can explain all these indiscretions to the court.

How to Collect Internet Evidence

October 22, 2014 8:00 pm | Articles | Comments

The courts have generally accepted evidence collected from the Internet as long as its authenticity can be established. Commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics.

Investigator Turns Eyewitness

October 20, 2014 8:21 pm | by Benjamin Wright | Articles | Comments

In today’s world of social media, investigators are taking on a new role; they are becoming a form of eyewitness. As the eyewitness, an investigator observes evidence that might not be visible to any other available investigator. The investigator is wise to create a record of what he or she sees at any particular point in time, including printouts of screenshots.

Who? What? When? Why? Where? And How?

October 17, 2014 8:13 am | by Brett Shavers | Articles | Comments

A key factor in placing any person at the scene of a crime is obtaining evidence that can place an identified suspect as it relates to the scene of the crime. Previously discussed methods of physical surveillance and obtaining records are usually the best evidence of placing a suspect at a specific place and at a specific time, but as most investigations involve reacting to incidents, this may not be always possible.

String-Centered Analysis Techniques

October 10, 2014 8:27 am | by Michael Barr | Articles | Comments

A surprisingly powerful and less costly binary analysis technique, which does not require reverse engineering, is a review of the character strings contained in the executable. These strings might include, in an ATM machine, words like “Please enter your 4-digit PIN.”

Should You Say "I Don’t Know" on the Witness Stand?

September 26, 2014 8:17 am | by Elaine M. Pagliaro | Articles | Comments

It goes without saying that the expert will understand the scientific basis of the testing that was done. However, even the most educated and experienced persons have gaps in their knowledge and experience. In most cases, what you don’t know will have no effect on the outcome of a trial.

Legal Aspects and Tool Reliability

September 23, 2014 8:13 am | by Gary C. Kessler and Matt Fasulo | Articles | Comments

Because of the newness of network forensic activity, network examiners are often left to use existing and emerging tools that have not yet faced the challenge of being proven valid in court. In some respects, the presentation phase of a digital investigation is the most critical; regardless of what has been found, it is worthless if the information cannot be convincingly conveyed to a judge and jury.

Retrieving Obscured Files

September 19, 2014 10:00 am | Articles | Comments

One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files. 

First Responder Electronic Crime Scene Investigation

September 12, 2014 8:50 am | by NIJ | Articles | Comments

First responders must use caution when they seize electronic devices. Improperly accessing data stored on electronic devices may violate Federal laws, including the Electronic Communications Privacy Act of 1986 and the Privacy Protection Act of 1980. First responders may need to obtain additional legal authority before they proceed. 

Finding Good Cookies

September 5, 2014 12:14 pm | Articles | Comments

Over the years, cookies have been overlooked in forensic examinations. For the most part, cookies were used to show that a user account had accessed a website. Since no set structure for cookies existed, determining the content’s meaning was problematic. With the advent of Google Analytics (GA) cookies, that has changed.

Data Search Character Classes

August 21, 2014 4:01 pm | Articles | Comments

One important basic concept to grasp is working with character classes, or sets. A character class performs a search and matches only one character out of a choice of several.                     

When Not to 'Pull the Plug'

August 15, 2014 8:52 am | Articles | Comments

Triaging a computer can be a methodology to avoid many issues inherent with “pulling the plug.” For instance, capturing the system volatile information can very quickly provide investigators valuable information.           

Find the Context

July 30, 2014 3:50 pm | Articles | Comments

Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it is about wading through hundreds of thousands, possibly millions, of a wide variety of digital artifacts and making very pointed critical judgments about which provide some sort of inculpatory or exculpatory evidence relevant to the case.

Limitations of Volatile Memory Analysis

July 25, 2014 8:51 am | Articles | Comments

Realistically, Live RAM analysis has its limitations, lots of them. Many types of artifacts stored in the computer’s volatile memory are ephemeral. While information about running processes will not disappear until they are finished, remnants of recent chats, communications, and other user activities may be overwritten with other content any moment the operating system demands yet another memory block.

The Switch to Private Sector Digital Forensics

July 18, 2014 9:05 am | Articles | Comments

There is clearly a difference in the type of investigations and examinations being performed versus what are encountered in the public sector. The private sector examiner can be expected to provide evidence to private attorneys, corporations, private investigators, and corporate security departments.

Flasher Box or No Flasher Box?

July 11, 2014 9:27 am | Articles | Comments

Let’s be very clear before we go down the flasher box path: there is no replacement or substitute for the automated forensic tools produced by mobile forensic manufacturers. Unfortunately, with growing consumer demand for newer and more technologically advanced mobile phones, these automated and safe solutions do not meet some investigative requirements.

SSD Evidence Issues

June 27, 2014 8:55 am | Articles | Comments

Solid-state drives represent a new storage technology. They operate much faster compared to traditional hard drives. SSD drives employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.

Network Investigations

June 19, 2014 12:16 pm | by Gary C. Kessler and Matt Fasulo | Articles | Comments

Network investigations can be far more difficult than a typical computer examination, even for an experienced digital forensics examiner, because there are many more events to assemble in order to understand the case and the tools do not do as much work for the examiner as traditional computer forensics tools.

Tool Validation

June 13, 2014 8:25 am | Articles | Comments

The premise that an effective digital forensic examiner must be able to validate all of the tools that he or she uses is universally accepted in the digital forensic community. I have seen some less-educated members of the community champion a particularly insidious, and I will argue, invalid method of tool validation, often referred to as the two-tool validation method.

Do You Know Where Your Data Is?

June 6, 2014 8:12 am | by Gary Torgersen | Articles | Comments

The Bring Your Own Device (BYOD) phenomenon is affecting forensic data acquisition because it creates crossover between data that is controlled by an individual versus by a company. People are using their personal devices for work-related tasks because it can seem easier than trying to use typical work resources. 

Unsupported Smartphone Extractions

June 3, 2014 8:53 am | Articles | Comments

What happens when a smartphone is locked and unsupported by forensic tools? Flasher box, JTAG, or chip-off extraction methods become necessary. All three enable physical extraction — a logical examination cannot be performed on an unsupported locked device. However, even this capability can be limited.

Boot Loaders Produce Forensic Soundness

May 30, 2014 8:34 am | Articles | Comments

Boot loaders are currently considered the most forensically sound physical extraction method. While they do involve loading a piece of code onto the device, this happens before the forensic tool accesses any evidentiary data.       

Evidence: Get It While You Can

May 23, 2014 8:46 am | Articles | Comments

For the digital crimes of today, specialists need to examine a much more complex environment. Investigators need to image digital media of a multitude of types: magnetic, solid-state, or optical, for example.            
