1. Digital Forensics
Andrew Schierberg, Fort Mitchell Police, Schierberg LAw
Jay Downs, Kenton County Police

2. Overview
Definitions
Process
Common Issues, Strategy & Case Examples

3. Data Storage Bits, Bytes, Sectors, Clusters, and Slack Space1
Bits, Bytes, Sectors, Clusters, and Slack Space
Bit: Smallest unit of data on a computer (0 or 1)
Byte: 8 bits (A = )
Sector: A subdivision of the storage medium, commonly 512 bytes
Cluster: A group of sectors (commonly 8)

4. Simple example
A 2048 byte file (a text file with 2048 characters) would take up 4096 bytes of space because that is 1 cluster and a cluster is the smallest amount of data a computer can address
This means that the other 2048 bites of that cluster won’t be used and could contain data (called slack space)

5. Deleted files
When you delete a file, operating systems generally delete the reference to the file, but not the file itself.
The deleted file can remain on the storage device until the space it occupies is needed for new data.

6. Overwritten
Previously deleted file where operating system has written new data over some or all of the file.

7. Wipe/Secure Delete
Generally done for free space, intentionally overwrites data so that original data isn’t recoverable
Secure delete functions do this at the time of deleting
Can be used to infer intentional destruction of discovery
Generally files are overwritten with a specific character, commonly 0

8. file carving
Identification and extraction of files from unallocated space using file signatures

9. Partially Overwritten File
Active File
Deleted File
Wiped File 1 1 1

10. Trash/Recycle
Easily recoverable
Metadata probably still in tact
Unallocated Space
Data carving
Easily Recoverable
Metadata may be gone
Overwritten
May recover partial file if partially overwritten
Secure Delete/Wipe
File intentionally overwritten
Data gone and not recoverable

11. Forensic imaging/Forensic image
Non-destructive, verifiable, and repeatable exact bit-for-bit duplication of a storage device used for forensic examination.
Non-destructive – does not alter anything on the original device
Verifiable – uses hash values to confirm exact bit-for-bit match
Repeatable – subsequent forensic images will produce the same results

12. Forensic Process Identification Acquisition Preservation Analysis
Reporting

13. Identification
Use knowledge of case to identify or predict types of electronic devices involved, information each device may provide, and rank importance of devices

14. Acquisition Obtain original electronic items (if possible)
Create forensic images of devices (if possible)
Critical step because, if not done properly, data can be altered
First step in chain of custody

15. Forensic image vs backup
Bit-for-bit copy of drive
Entire drive
Captures deleted files
Non-destructive
Verifiable
Repeatable
Copy of active files
User-selected portions of drive
May capture files in trash
May alter metadata
Generally no verification
Results may vary with repetition

16. Preservation
Original evidence should be pulled and tagged to prevent changes
If parties agree, verified forensic image can be shared with all parties. This is generally done when servers are involved

17. Analysis Generally performed on forensic image, not on original disk
Uses forensically sound software
Should be a joint effort between forensic expert and attorney or investigator
Triage can help narrow the focus

18. Reporting
Reports include information to show that forensic copies are verified copies
Anything provided in report should be able to be replicated by another expert
Reporting, at least on the criminal side, is changing a bit (more on that later)

19. Common issues & Strategy

20. How long does this take?
Time it takes can cause speedy trial issues as well as cost issues
Factors influencing time:
Amount of data
Quality of storage devices
Quality of forensic devices
Scope of search
Priority of case

21. Triage & Preliminary reports
Triage is now commonly used to narrow focus of searches
Preliminary reports & products generated automatically by forensic tools can be used to negotiate a deal
Full reporting is only used when a trial will happen

22. Forensic Expert vs. IT Expert
Two different skill sets at play
Forensic experts don’t need to be IT experts and IT experts don’t need to be forensic experts
Forensics is an expensive field to enter, free file recovery tools from the Internet aren’t forensic tools
IT professionals aren’t commonly trained on evidentiary issues like chain of custody etc…

23. juries Forensic experts need to be able to speak to normal humans
Many times, the first part of testimony may be something like the beginning of this presentation
If two experts get into a battle of technical terms, the jury is guaranteed to get lost
An expert who can draw non-technical analogies is golden

24. Mobile devices Repeatable results? Why not?
Flash memory is a chip not a "disk". Limited life of hardware as memory is programmed and erased using electrical currents. Files written to blocks with defined space.
Garbage Collection - Background process of duplication of files and deletion of "dead" files maximizing space without user involvement.
Wear Leveling "rotating your tires" – User deletion will copy everything in that block to another block. Leaving duplicates behind until the space is needed. 

25. Wear leveling

26. The cloud
Phones, tablets, computers, appliances, smart home, fitness trackers, any "smart" technology.
APPLICATIONS – data is not local
The Cloud Act - PL (March 23, 2018)
Primarily the CLOUD Act amends the Stored Communications Act (SCA) of to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
Preservation orders and notification.
Volatile and available during preview.
Seize and seek authority to search?

27. On-site preview Useful and volatile data. ENCRYPTION RAM dump.
Known files.
Triage what to seize and what can be left behind.
Improve workload efficiency at forensic lab.
Assist in interview and investigation in real time.
Father / son example
Destruction of evidence?
Search Warrant issues.
One warrant or two?