Guide to Computer Forensics and Investigations, Fifth Edition 9-1
Chapter 9
Digital Forensics Analysis and Validation
At a Glance
Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
Guide to Computer Forensics and Investigations, Fifth Edition 9-2
Lecture Notes
Overview
Chapter 9 explains how to apply forensics skills and techniques to a digital
investigation. In this chapter, you learn more about using hashing algorithms in
Chapter Objectives
• Determine what data to analyze in a digital forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
Teaching Tips
Determining What Data to Collect and Analyze
1. Explain that examining and analyzing digital evidence will depend on the nature of the
2. Discuss the term scope creep, which is when an investigation expands beyond the
Approaching Digital Forensics Cases
1. Discuss the possible approaches for an e-mail harassment case based on whether the
2. Explain that an investigation of an employee suspected of industrial espionage can
3. Discuss the basic steps one should follow for all digital forensics investigations. Point
4. Emphasize the importance of refining the investigation plan as much as possible for
private sector cases. It is important to determine what the case requires so that the
.
Using OSForensics to Analyze Data
1. Point out that OSForensics can perform forensics analysis on the following file systems:
• Microsoft FAT12, FAT16, and FAT32
2. Explain that OSForensics can analyze data from several sources, including image files
from other vendors. Mention that its OSFMount utility can mount and examine
3. Have students follow the steps to see how to use the Index feature in OSForensics. Use
Figures 9-1 through 9-4 in your discussion.
Quick Quiz 1
1. Criminal investigations are limited to finding data defined in the _____, and civil
investigations are limited by court orders for discovery.
2. The result of an investigation expanding beyond its original description because the
discovery of unexpected evidence increases the amount of work required is known as
_____.
3. What OSForensics utility can access many formats, including raw, Expert Witness, and
Advanced Forensics Format (AFF)?
4. With OSForensics, you can import extracted NSRL reference hashes for both MD5 and
_____ into a hash database.
Validating Forensic Data
1. Discuss the importance of ensuring the integrity of data to be presented as evidence in
2. Explain that digital forensics tools have some limitations in performing hashing, so
using advanced hexadecimal editors is necessary to ensure data integrity.
Validating with Hexadecimal Editors
1. Mention that advanced hexadecimal editors offer many features not available in digital
2. Explain that sometimes investigators need the hash value of specific files or sectors to
validate whether data or fragments (sectors) match the contents of a known file.
4. Discuss the process of block-wise hashing, which builds a data set of hashes of sectors
5. Explain that AccessData has its own hashing database, Known File Filter (KFF).
Mention that KFF filters known program files (winword.exe) from view and contains
Guide to Computer Forensics and Investigations, Fifth Edition 9-5
Validating with Digital Forensics Tools
1. Discuss ProDiscover’s Auto Verify Image Checksum feature. Mention that if the Auto
2. Emphasize that in ProDiscover and other digital forensics tools, raw format image files
3. Explain that in AccessData FTK Imager, when you select the Expert Witness or
4. If possible, have students complete the steps outlined in the text to see how
ProDiscover’s built-in validation feature works.
Addressing Data-Hiding Techniques
2. Mention that common data-hiding techniques include:
• Hiding entire partitions
• Changing file extensions
Hiding Files by Using the OS
1. Discuss how a suspect wanting to hide an Excel spreadsheet could change its extension
2. Explain that an investigator who is trying to view files in File Explorer should select the
option to view hidden files, folders, and drives. Digital forensics tools can identify
Guide to Computer Forensics and Investigations, Fifth Edition 9-6
Hiding Partitions
1. Discuss how someone can use the Windows disk partition utility, diskpart, to hide
partitions.
2. Explain that to detect whether this technique has been used, an investigator should
3. Use Figure 9-11 to discuss how to view a hidden partition in ProDiscover.
Marking Bad Clusters
1. Explain that another data-hiding technique used in FAT file systems is placing
incriminating data in free or slack space on disk partition clusters.
2. Mention that this technique is no longer common, but can be accomplished by using old
Bit Shifting
1. Explain the process of bit-shifting, which changes data from readable code to data that
looks like binary executable code.
3. Mention that some advanced malware uses bit-shifting as a way to hide its malicious
Understanding Steganalysis Methods
1. Explain that one way to hide data is to use steganography tools to insert information
into a variety of files.
2. Discuss the following steganalysis methods:
• Stego-only attack
Guide to Computer Forensics and Investigations, Fifth Edition 9-7
Examining Encrypted Files
2. Discuss the technology known as “key escrow”, which is designed to recover encrypted
data if passphrases are forgotten or corrupted.
3. Emphasize that the resources needed to crack encryption schemes are usually beyond
Recovering Passwords
1. Explain that several password-cracking tools are available for handling password-
2. Mention that these stand-alone tools typically require extracting password files or
accessing a suspect’s disk or image file directly:
4. Point out that many of these programs allow you to build profiles of a suspect to help
determine his or her password.
5. Discuss a rainbow table, which is a file containing the hash values for every possible
password that can be generated from a computer’s keyboard. Explain that a new scheme
Guide to Computer Forensics and Investigations, Fifth Edition 9-8
Quick Quiz 2
1. Getting hash values with a full-featured _____ can be faster and easier than with a
digital forensics tool.
2. A process that builds a data set of hashes of sectors from the original file and then
compares them with sectors on the suspect’s drive is known as _____.
3. _____ changes data from readable code to data that looks like binary executable code.
4. The converted cover-media file that stores a hidden message is known as the _____.
5. A new technique used to protect passwords, which adds extra bits to a password and
then hashes it, is known as _____.
Class Discussion Topics
1. Based on the techniques discussed for hiding data on a computer, which method would
you use for the following:
2. Discuss why the validation process is so important when criminal investigators obtain a
Additional Projects
1. Scope creep has become more common due to the fact that criminal investigations now
2. Ask your students to compare available features on the following password recovery
tools:
Guide to Computer Forensics and Investigations, Fifth Edition 9-9
Additional Resources
2. National Software Reference Library:
4. Identification of Known Files on Computer Systems:
Key Terms
➢ bit-shifting — The process of shifting one or more digits in a binary number to the left
or right to produce a different value.
➢ block-wise hashing — The process of hashing all sectors of a file and then comparing
them with sectors on a suspect’s disk drive to determine whether there are any remnants
of the original file that couldn’t be recovered.
➢ cover-media — In steganalysis, the original file with no hidden message. See also
stego-media.
➢ key escrow — A technology designed to recover encrypted data if users forget their
passphrases or if the user key is corrupted after a system failure.
➢ Known File Filter (KFF) — An AccessData database containing the hash values of
known legitimate and suspicious files. It’s used to identify files for evidence or