Intro to Computer Forensics

Questions and Answers

Which activity is NOT considered a primary task within the scientific discipline of computer forensics?

• Presenting digital evidence in legal proceedings
• Collecting digital evidence
• Developing new computer hardware (correct)
• Analyzing digital traces

Which scenario exemplifies the use of computer forensics in a corporate investigation?

• Analyzing a network for malware after a ransomware attack
• Tracing the source of a phishing email targeting company employees
• Investigating an employee suspected of stealing confidential company data (correct)
• Presenting evidence in court for a hacking case

What is the main objective of computer forensics when seeking to 'Identify' in an investigation?

• To recover any stolen information
• To determine the extent of data loss
• To determine who is responsible for the crime (correct)
• To discover the methods used in the cybercrime

Which U.S. Constitutional Amendment is most relevant to the legal considerations surrounding digital forensics?

Fourth Amendment (B)

In digital forensics, why is it essential for investigators to maintain confidentiality?

To protect the privacy of individuals involved and maintain trust (D)

Which type of digital evidence would provide the most direct record of websites visited by a suspect?

Browsing history (D)

Why is maintaining an unbroken chain of custody critical in digital forensics?

It establishes a credible link between the evidence and the crime, ensuring its admissibility in court. (B)

Which cybercrime involves unauthorized access to computer systems or networks with malicious intent?

Hacking (D)

Why is a live acquisition of digital evidence considered essential in certain computer-related crime investigations?

It allows investigators to capture volatile data that could be lost when a system is shut down. (B)

Which type of volatile data is MOST likely to provide real-time insight into a cyberattack?

Open network connections (D)

What is the primary purpose of performing process tracing during live acquisition?

To identify suspicious activity by analyzing the actions of running processes (B)

Which tool is commonly employed to monitor and capture network communication in real-time during live acquisition?

Wireshark (B)

Which step is crucial when preserving volatile data to maintain its integrity as evidence?

Avoiding actions that would alter any data on the system (C)

What is the fundamental principle behind static acquisition in digital forensics?

Creating an exact, bit-by-bit copy of a storage device (D)

Why is hashing a crucial step in the static acquisition process?

To verify the integrity of the forensic image and ensure it matches the original data (B)

Which hashing algorithm is considered less secure due to its vulnerability to collisions?

MD5 (A)

What is the primary goal of file system analysis in data recovery and reconstruction?

To examine the structure and organization of data on a storage device (B)

When a file is 'deleted' in most operating systems, what typically happens to the actual file data?

It remains on the disk until overwritten, but the space is marked as available. (D)

What technique involves recovering deleted files by searching for specific headers and footers within the raw disk data?

Data carving (A)

Which factor presents a significant challenge when recovering data from damaged storage devices?

Physical or logical damage to the device (C)

What is the primary focus of email forensics?

Examining email messages and related metadata (D)

Which element of an email provides information about the origin, destination, and routing of the message?

Email headers (B)

What technique involves disguising an email's origin to appear as if it came from a legitimate source?

Spoofing (D)

In internet forensics, what type of data can reveal a user's online interests and activities?

Browsing history (A)

What is the main goal of network forensics?

Examining network traffic to identify cybercrime or security incidents (D)

Which tool is commonly used to capture, filter, and analyze network traffic?

Wireshark (A)

What might sudden spikes or drops in network traffic volume indicate?

Malicious activity or network problems (C)

What is the primary purpose of analyzing protocol headers in network forensics?

To identify the sender, receiver, and data type (B)

What is the general definition of malware?

Any software designed to harm or disrupt computer systems (B)

Which type of malware replicates itself and spreads across networks without human intervention?

Worm (A)

When analyzing malware, what is a sandbox used for?

To run and observe malware safely in an isolated environment (A)

What is the main goal of static analysis when examining a malware sample?

To analyze the malware code without executing it (C)

What is the purpose of using hashing algorithms in digital forensics?

To generate a unique fingerprint of data for integrity verification (C)

Which property of hash functions ensures that the same input always produces the same hash value?

Deterministic (A)

What security measure is provided by digital signatures that confirms the sender cannot deny sending the document.

Non-repudiation (D)

What is the primary goal of steganography?

Hiding the very existence of secret data (B)

Which mobile device forensic acquisition method extracts data accessible to the user such as call logs?

Logical Acquisition (C)

What is a significant challenge of cloud forensics related to data storage environments?

Shared Infrastructure (A)

What is the first major key component in the incident response planning?

Incident Identification (A)

Which of the following laws protects the privacy of electronic communications, including text messages and phone calls?

Electronic Communications Privacy Act (ECPA) (C)

Flashcards

Computer Forensics

The scientific discipline of collecting, preserving, analyzing, and presenting digital evidence for legal proceedings.

Cybercrime Investigation

Investigating crimes like hacking, malware attacks, fraud, and online scams.

Corporate Investigations

Businesses use this type of expertise to investigate employee misconduct, data breaches, or intellectual property theft.

Civil Litigation

Computer forensics used to gather evidence for lawsuits related to contracts, intellectual property, or other disputes.

Accident and Incident Reconstruction

Computer forensics used to investigate accidents involving technology, such as car crashes.

Fourth Amendment

Protects people from unreasonable searches and seizures, requiring a warrant or probable cause.

Electronic Communications Privacy Act (ECPA)

Regulates how law enforcement can access electronic communications like emails, texts, and phone calls.

Computer Fraud and Abuse Act (CFAA)

Makes it illegal to access computer systems without authorization.

Digital Millennium Copyright Act (DMCA)

Protects copyrighted materials from being copied or distributed illegally.

Integrity (Forensic investigators)

They must preserve evidence and ensure it's not tampered with.

Objectivity (Forensic investigators)

They must be impartial and unbiased in their investigations.

Confidentiality (Forensic investigators)

They must keep information confidential and not share it with unauthorized individuals.

Transparency (Forensic investigators)

They must document everything they do, and their methods should be clear and understandable.

Respect for Privacy (Forensic investigators)

They must be respectful of people's privacy rights and avoid violating those rights during investigations.

Files (Digital Evidence)

Most common types of evidence, including documents, spreadsheets, presentations, images, videos, and more.

Emails (Digital Evidence)

Sent and received emails, including any attachments.

Browsing History

Record of the websites you've visited, the searches you've done, and the cookies stored on your computer.

System Logs

Records of what's happened on a computer, such as events, errors, and security information.

Network Traffic

Data that flows over a network, including IP addresses, ports, and communication protocols.

Chain of Custody - Who

Who collected, handled, or analyzed the evidence

Chain of Custody - When

Date and time of each action taken with the evidence

Chain of Custody - Where

Location of the evidence at each stage of its journey

Chain of Custody - What

Any changes made to the evidence

Hacking

Unauthorized access to computer systems and networks

Malware

Malicious software designed to damage, steal, or disrupt computer systems

Fraud

Using computers to commit financial crimes, like identity theft or online scams

Identity Theft

Stealing someone's personal information to impersonate them and commit fraud

Live Acquisition

Process of capturing data from a running computer system, including volatile data.

Why is Live Acquisition Necessary?

Essential to preserve volatile data, which is data that can disappear quickly.

RAM Contents

This includes running processes, open files, and other information loaded into the computer's memory.

Running Processes

The list of programs currently running on the system.

Open Network Connections

Information about the network connections the system is currently using.

Registry Settings

Configuration settings that control the behavior of the operating system.

Memory Dumps

Capturing the contents of the system's RAM to preserve running processes, open files, and other volatile data.

Process Tracing

Analyzing the actions and behavior of running processes to identify suspicious activity.

Network Traffic Analysis

Monitoring and capturing network communication to identify suspicious connections and data transfer.

Live Disk Imaging

Creating a snapshot of the entire running system, including volatile data.

Static Acquisition

Creating a bit-by-bit copy of a powered-down system or storage device.

EnCase

Commercial forensics software suite widely used for disk imaging, data analysis, and reporting.

dd (Command Line Utility)

Versatile command-line tool, available on most Linux and Unix-based systems, allows for creating bit-by-bit copies of disk drives.

Study Notes

Lecture 1: Introduction to Computer Forensics

• Computer forensics is the gathering, preservation, analysis, and presentation of digital evidence for legal purposes.
• Digital forensics examines digital traces on computers, phones, and networks, like clicks, emails, and file downloads.
• Computer forensics experts require training to find, interpret, and present digital evidence for court use.

Scope of Computer Forensics

• Cybercrime includes investigating hacking, malware attacks, fraud, and online scams, such as identity theft.
• Corporate investigations cover employee misconduct, data breaches, and intellectual property theft.
• Civil litigation extracts evidence related to contracts and intellectual property for lawsuits.
• Accident and incident reconstruction investigates technology-related accidents using computer systems.

Purpose of Computer Forensics

• Computer forensics aims to identify crime perpetrators.
• Computer forensics retrieves stolen information.
• Computer forensics helps prevent recurrence.
• Computer forensics builds a prosecutable case to bring criminals to justice.

Legal and Ethical Considerations

• The Fourth Amendment protects against unreasonable searches and seizures, requiring a warrant for computer searches.
• Electronic Communications Privacy Act (ECPA) regulates law enforcement's access to electronic communications.

Other Relevant Laws

• Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computer systems.
• Digital Millennium Copyright Act (DMCA) protects copyrighted materials from illegal copying or distribution.
• Child Protection Act bans producing, distributing, and possessing child pornography.

Ethical Guidelines for Forensic Investigators

• Integrity requires preserving evidence without tampering.
• Objectivity mandates impartiality and unbiased investigations.
• Confidentiality means keeping information private and not sharing it with unauthorized individuals.
• Transparency involves documenting actions clearly.
• Respect for privacy protects people's rights during investigations.

Types of Digital Evidence

• Files are common evidence, including documents, spreadsheets, presentations, images, and videos.
• Emails, including attachments, are a type of digital evidence.
• Browsing history records websites visited and cookies.
• System logs document events, errors, and security information.
• Network traffic is data flowing over a network, including IP addresses and ports.
• Other digital evidence types include chat logs and social media activity.

Chain of Custody

• Chain of custody is a diary of evidence's journey, recording who handled the evidence.
• The chain of custody records the date, time, and location of each action, along with any alterations.

Importance of Chain of Custody

• The chain of custody helps prove authenticity, verifying it is real and untampered.
• The chain of custody establishes a clear link between evidence and the crime or suspect.
• A broken chain of custody can be challenged to question evidence validity.

Common Cybercrimes

• Hacking results in unauthorized access to systems, stealing data or disrupting services.
• Malware is designed to damage, steal, or disrupt systems.
• Fraud involves using computers to perform identity theft or online scams.
• Identity theft involves stealing personal information to impersonate someone.
• Child pornography involves producing, distributing, or possessing sexually explicit images of children.

Lecture 2: Digital Evidence Collection & Preservation: Live Acquisition

• Live acquisition captures data from a running computer system and is crucial to preserve volatile data and prevent tampering.

Live Acquisition Basics

• Live acquisition captures volatile data that could be lost if the system is off.
• Live acquisition is useful to preserve data like RAM contents, including running processes and open files.
• Live acquisition is useful to preserve data about open network connections and registry settings.
• Live acquisition prevents suspects from deleting or modifying data before investigation.
• Analyzing a live system can reveal real-time activity and cyberattack activity.

Tools and Techniques

• Memory dumps capture RAM contents for running processes using tools like Volatility and WinDbg.
• Process tracing analyzes actions and behavior of running processes by examining process lists and memory usage.
• Analyzing network traffic involves monitoring and capturing network communication to identify suspicious connections, often using Wireshark.
• Live disk imaging creates a snapshot of the running system, preserving the system's state and all data.

Preserving Volatile Data

• Volatile data is easily lost or altered.
• Failure to capture volatile data can result in a loss of critical evidence.
• Memory dumps capture RAM using Volatility or WinDbg to look for malware.
• Process dumps capture specific processes in memory to examine activity.
• Memory analysis tools like Volatility and WinDbg identify malware and recover deleted files.

Hands-on: Live Acquisition using a Virtual Machine or a Practice Environment

• One can gain experience with live acquisition using a virtual machine.
• Steps involve setting up a virtual machine and using tools for live acquisition tasks.
• Practicing capturing memory dumps, analyzing running processes, or monitoring network traffic is useful.
• Analyze and document live acquisition results.

Key Takeaways

• Live acquisition preserves volatile data, preventing tampering and gaining real-time insights.
• Live acquisition is essential for computer forensic investigators.
• Experience using virtual machines is crucial for developing these skills.

Lecture 3: Digital Evidence Collection & Preservation: Static Acquisition

• Static acquisition preserves evidence by creating a pristine copy of a storage device.

Static Acquisition Basics

• Static acquisition creates a bit-by-bit copy of a powered-down system or storage device.
• Static acquisition creates a forensic image, ensuring its integrity and authenticity.

Importance of Static Acquisition

• Static acquisition protects original evidence by creating a separate copy.
• The forensic image can be analyzed without compromising the original device.
• Creating a forensic image is a critical step in the chain of custody.

Tools for Static Acquisition

• EnCase is a commercial forensics software suite for disk imaging, data analysis, and reporting.
• FTK(Forensic Toolkit) is another commercial forensics tool for disk imaging, data recovery, and file analysis.
• dd (Command Line Utility) creates bit-by-bit copies of disk drives and is a powerful tool for forensic imaging.

Hashing: A Fingerprint for Digital Evidence

• Hashing is a cryptographic process that generates a unique, fixed-length string of characters known as a hash value.
• A hash value serves as a fingerprint for the data.

Importance of Hashing in Forensics

• Hashing verifies image integrity to make sure the image integrity by comparing the hash value of the original data with the hash value of the forensic image.
• It establishes authenticity, verifying that evidence has not been altered during handling.
• Chain of custody documentation of hash values provides proof of data integrity.

Hashing Algorithms

• MD5 is widely used but less secure due to collision potential.
• SHA-1 is another popular hashing algorithm but has security concerns.
• SHA-256 is a more secure hashing algorithm widely used for digital signatures.
• SHA-512, a stronger version of SHA-256, gives greater security against collisions.

Hands-on: Disk Imaging and Hashing using Forensics Tools

• Gain hands-on experience with disk imaging and hashing techniques.
• There are steps to creating a forensics image by setting up a practice environment using a virtual machine.
• Choose a forensics imaging tool to create a forensic image of a hard drive or other storage device.
• Calculate hash values and compare hash values of the original data, verifying it is an exact copy.

Key Takeaways

• Static acquisition is a fundamental technique for preserving digital evidence, ensuring its integrity.
• Hashing verifies digital images for chain of custody.
• Using imaging tools is essential for proficiency in computer forensics.

Lecture 4: Data Recovery and Reconstruction

• The lecture delves into recovering and reconstructing data from damaged/deleted files.

File System Analysis

• File system analysis examines the structure and organization of data on a storage device.
• Metadata provides information on file names, sizes, locations, timestamps, and attributes.

Understanding File System Structures and Metadata

• Common file systems include NTFS (Windows), FAT32 (older Windows), and ext2/ext3/ext4 (Linux).
• Metadata provides information without containing the file content.
• File system structure includes the allocation of disk space.

Identifying Deleted Files and Hidden Data

• Deleted files still exist on the storage device
• Instead, the file system marks that location as available.
• Hidden data is concealed using file system permissions, attributes, or software.
• Forensic tools can examine file system structures, identify deleted files and recover hidden data.

File Carving

• File carving recovers deleted files by searching for headers and footers within the raw disk data.

How File Carving Works

• Files have unique file headers and footers.
• Forensic tools scan raw disk data for these file signatures.
• Tools reconstruct deleted files between the header and footer.

Hands-on: Using Forensics Tools for File Carving

• Set up a virtual machine containing deleted files.
• Use forensic tools with file carving capabilities like EnCase, FTK or Sleuth Kit.
• Perform file carving to recover deleted files based on their signatures.

Data Recovery from Damaged Devices

• Data recovery is challenging because of factors such as physical damage.
• Factors also include logical damage.
• Factors include data corruption due to power failures and malware.

Techniques for Recovering Data from Corrupted Storage Devices

• Use specialized data recovery software.
• Creating a forensic image makes the device anable to have file carving techiniques to extract files.

Data Reconstruction: Putting the Pieces Back Together

• Data reconstruction pieces together fragmented data to restore a file, for damaged devices.

Techniques for Data Reconstruction

• File system analysis and metadata identify fragmented data.
• File carving identify and reconstruct files.
• Data recovery software reconstructs data from fragmented or corrupted files.

Lecture 5: Email and Internet Analysis

• Email and internet forensics analyze data like email headers, browsing history, and cookies in forensics
• Email and Internet forensics aims to uncover criminal activity or misconduct as related to cybercrime.

Definition

• Forensic email examination examines email messages and relates metadata to find evidence of a criminal act and misconduct
• Forensic email examination focuses on analyze email attachments, content, timestamps, sends, and recipients

Examining Email Headers, Attachments, and Content

• Email headers provide the origin of the email message that contains details.
• Email headers contain details for the recipients address, time stamps, server information, and the emails origin.
• Email attachments contain evidence such as malware, malicious documents, and stolen data that can be used to track suspicious content and file types.
• Forensic email analyses reveal the intention, suspicious language and the content of email content.

Identifying Email Spoofing and Phishing

• Email spoofing disguises emails from a legitimate source to deceive recipients to reveal sensitive information.
• A form of social engineering, phishing, uses tricks that deceive recipients into revealing creditentials and financial information to senders
• Indicators of spoofing include mismatched headers, attachments, urgent language, and unusual links.

Internet Forensics

• Internet forensics examines digital footprints behind on the browsing history, cookies, and browser-cached data to reconstruct online activities.
• Cookies and cached data can be implemented to to reconstruct online activity and find evidence of cyber crime or in internet-based acts online misconduct.
• The analysis of browser history, cookies and cache help reveal activities on the internet after having been cleared.

Understanding Online Activity Related to Cybercrimes

• Webistes known for distributing malware or attempts to visit suspicious links are analyzed through browsing history .
• Online communications and patterns related to potential instances of cyber crime analyzed through chat logs.

Lecture 6: Network Forensics

• Network forensics investigates cybercrime and security incidents, uncovering evidence.
• Analyzing and interpreting network traffic to understand online crime is beneficial.

Network Traffic Analysis

• Network forensics examines network traffic to identify cybercrime, network intrusions, or security incidents.
• it captures and analyzes network packets to understand the communication flow from malicious activity.

Analyzing Network Traffic using Packet Analyzers

• Software programs that capture and analyze network packets (packet analyzers) supply information about packet content, source, address, timestamp, and protocols.
• A packer analyzer called "Wireshark" is known for its comprehensive features and user-friendly interface.
• Network traffic capture can be used to capture network traffic for network interfaces.
• Traffic analysis allows allows for filtering and searching to detect anomalies or a malicious activities.

Identifying Suspicious Activity Patterns

• Unexpected changes in traffic volumes can indicate malware activity.
• Nonstandard protocols can indicate suspicious activities.
• Unknown origins, suspicious ip addresses, and malicious connections can infere potential intrusion
• Patterns or nonstandard ports can be used to bypass security measures.

How Network Protocols Provide Forensic Evidence

• They can provide an origin, destination, and nature of network communications through protocol Headers,
• Can reveal patterns of communication and identify potential vulnerabilities through Protocol Interactions
• Potential malicious activities, deviations from standards, anomalies, can be known from Protocol Anomalies.

Lecture 7: Malware Analysis

• Malware refers to software that is designed to harm or disrupt computer systems or steal sensitive data.
• Understanding malware helps protect our systems and protect from harmful effects.

Common Types of Malware

• Viruses that attack, replicate and crash systems due to corruption, deletion or system crashes.
• Worms exploit vulnerabilities without human intention that propogate themselves through the system.
• Trojans steal data or grant attackers from performing malicious actions and remote system access.
• Ransomware encrypts data and forces ransom of the data,
• Spyware collects user data and transmits it to attackers.
• Rootkits manipulate system files, bypass security measures, and control the system remotely to gives attackers access and hide the presence.

How Malware Operates

• Through Email attachments, websites, software, or infected files
• The payload is the actions of malware after it infects a system, such as Stealing data and encrypting or disabling security measures.
• The communication channels can happen through command servers, peer to peer networks and systems.

Malware Analysis Techniques

• Examining the code structure without executing it that identifies the softwares capabilities and intentions
• Converting machine coe into assembly language that identifies the function and structures with disassemblers.
• Step by step executions to analyze its behaviors/actions with debuggers.
• Identifying clues through strings or malware codes in data for targets and communications channels.
• By safely executing its environment to observe its networks, interactions and monitor activities; this is dynamic analysis
• Observing system notifications, malware actions, modifications, and registry changes help observe system monitoring effects.

Lecture 8: Hashing, Digital Signatures, and Steganography

• These all help ensure the authenticity, integrity, and confidentiality of information.

Hashing Algorithms

• Hashing encrypts data of any size to ensure the hash is a unique imprint of the original data, used for security and encryption.

Properties of Hash Functions

• The ability to easy compute in one way and unable to reverse to get the original value again.
• Every deterministically generated set of inputs produce the set hash value that allows for data integrity.
• Collision resistance creates extreme difficulty to match differing input that produces the same hash value.

Uses of Hashing Algorithms

• Can be used to verify after its original creation.
• Storing passwords as hash values secures data for attacker attempts by obtaining access of data.
• Digital signatures verify the authorized integrity of digital documents with algorithms.

Digital Signature Verification

• A digital signature verifies the authenticity and integrity as a cyber security technique
• Hash creates with a specific hashing algorithm to generate a hash value of documents.

Technique in Signing Digitally

• Encryption to hide from sender/receivers
• Encypt data so it cannot be hacked.
• Verify identity, integrit, non-depudation

Benefits of Digital Signatures

• Authenticity ensures a document is claimed senders and is guaranteed throughout transition stages
• This provides document integrity throughout the entire time to prevent others from denying sensitive documents and contents.

Steganography

• Steganography practices concealing information within files. Striving to hide the existence of the secret data.
• LSB ensures a medium of encoding with data hidden in visual-audio with text enconding and spectrum techniques

Uses of Steganography

• Covering communications
• Securing sensitive information
• Watermarking copyright

Lecture 9: Mobile Device Forensics

• Mobile device forsenics involves identifying evidence and insights on cyber crime.

Defintion

• Digital evidence can be retrieved through digital media as well with tablets, watches and smartphones,

Challenges of Mobile Device Forensics

• Data Volatillity refers to data on various devices that is difficult to use for encryption or authoization.
• Devices are susceptible to becoming out dated that make identifying specific data from them.
• Deletion of all data to fully comprometise evidence

Methods to Mobile Forensics

• Tools like UFED specialize in mobile and encrypted forensics
• Tools like greykey allow iPhones to retrieve data
• Tools like A.D.B are open sourcing to capture device data

Acquisition Methods

• Involves connecting physically from devices
• Retracting various data or data that an end user of accounts from different softwares has access too
• Using file acquisition which helps acquire any file structure that has been previously deleted

Methods and Forensics

• Data can be analyzed and acquired during the entire process to identify evidence such as browsing history, and multimedia. With data usage and data transfer as techniques to extract insight effectively.

Lecture 10: Cloud Computing Forensics

• Cloud forensics help deal unique challenges where digital forensics can take place to solve cybersecurity incidents.

Definition

• Cloud forensics involves collecting and preserving what has been used from data during civil disputes, criminal investigations, or security incidents.

Challenges of Cloud Forensics

• Cloud infrastructure share resources with users.
• Cloud environments are dynamic, constantly altering and deleting evidence.
• Data can get sprawl from services that are hard to acquire relevant information from.
• Access to data is limited to coordinate with access on cloud providers.
• Security operations can raise complexities in access, disclosure and jurisdicitons

Techiques in Logs & Metadata

• AWS providers similar services for application, traffic and metrics.
• Logging services can monitor and help give resources to security and system operations.

Lecture 11: Incident Response & Digital Investigations

• Digital forensic skills are essential to diminish damage from cyber attacks and data breaches
• To follow up on potential threats, you must investigate responses and plan methodologies behind digital investigations.

Planning & Responses

• In developing/ implementing planning, this allows all security incidents and breaches to properly follow/ensure the business integrity,

Key components

• Identifies events via clear, structured criteria to determine if its as breach.
• Incident reporting, where anyone whom determines a breach report it.
• Response team, where trained teams assemble to prepare for the incidents
• Response procedures, in following specific types of incidents
• Following communication where all entities whom are connected to the events properly notified
• Proper and detailed documentation

Responsibilities

• Handling events, communicating events and following specific steps
• Proper Analysis, collection and perservation
• Proper security analysts, and identifying vunerablilities
• Having all legal entities on board and approving all information.

Investigation methodology

• Defintion and systematic process for collection, analysis and preservation for evidence.

Technique

• Proper identification of sources
• Securing/Preserving Data
• Collection of relevant files and traffic from network Proper Examination for data/info
• Proper interpretation for conclusions and building evidence.
• Proper notification for remediating future incidents

Lecture 12: Legal & Ethical Considerations & Advanced Topics in Digital Forensics

• Having a proper lawful and ethical approach on presenting all forensics/digetal evidence.

Understanding the Code

• There legal frameworks that must identify, preserve and transfer different type of sensitive files that can be used for investigations and further forensics.
• There are considerations to use for having any sort of private file on display, where balancing the need for evidence and private right is critical. Understanding the General Data Protection Regulations ensures security for these issues.

Testifying Witness

• Demonstrate expertise
• Admissiblility
• Presenting all evidence while maintaing all ethics and lawful code
• Proper understanding from devices such as clouds and networks.
• Always understand privacy in any environment.